
potential signature confidence issue #2132

Open
6 tasks done
mjbradford89 opened this issue May 22, 2024 · 2 comments

Comments

@mjbradford89

mjbradford89 commented May 22, 2024

About accounts on capesandbox.com

  • Issues aren't the way to ask for account activation. Ping capesandbox on Twitter with your username

This is open source and you are getting free support so be friendly!

Prerequisites

Please answer the following questions for yourself before submitting an issue.

  • I am running the latest version
  • I did read the README!
  • I checked the documentation and found no answer
  • I checked to make sure that this issue has not already been filed
  • I'm reporting the issue to the correct repository (for multi-repository projects)
  • I have read and checked all configs (with all optional parts)

Expected Behavior

I would expect certain signatures to have a lower confidence, for example queries_keyboard_layout and antivm_checks_available_memory. This causes the signature to be treated as a malicious category rather than a suspicious category when calculating the malscore. To me this would be a suspicious category unless I misunderstand the purpose of the confidence value.

Current Behavior

Signatures that don't explicitly specify a confidence value are defaulted to 100, for example the queries_keyboard_layout signature does not specify confidence, and the result is a malscore of 10 for all office files, among other types.

I believe this is caused by the base Signature class having a confidence value of 100.

From the report:

```json
{
  "name": "queries_keyboard_layout",
  "description": "Queries the keyboard layout",
  "categories": ["location_discovery"],
  "severity": 1,
  "weight": 1,
  "confidence": 100,
  "references": [],
  "data": [
    { "type": "call", "pid": 4184, "cid": 1083 },
    { "type": "call", "pid": 8580, "cid": 4347 },
    { "type": "call", "pid": 8580, "cid": 4383 }
  ],
  "new_data": [],
  "alert": false,
  "families": []
}
```
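The mechanism the report above points at, as an added illustration that is not CAPE's own code: a class-level `confidence = 100` default is silently inherited by every signature that never sets its own, and an audit pass can list exactly those signatures. The `Signature` stand-in, the bucketing threshold, and the confidence value given to `antivm_checks_available_memory` are assumptions for the example only.

```python
class Signature:
    """Hypothetical stand-in for a sandbox signature base class."""
    name = "base"
    severity = 1
    weight = 1
    confidence = 100  # class-level default, as described in the issue


class QueriesKeyboardLayout(Signature):
    name = "queries_keyboard_layout"
    severity = 1
    weight = 1
    # No confidence set here, so the class silently inherits 100.


class AntiVmChecksAvailableMemory(Signature):
    name = "antivm_checks_available_memory"
    severity = 2
    weight = 1
    confidence = 30  # explicit lower value (constructed for the example)


# Hypothetical threshold: anything above it is bucketed as "malicious".
SUSPICIOUS_MAX_CONFIDENCE = 50


def sets_own_confidence(cls):
    """True if the signature (or an intermediate parent other than the
    base class) defines confidence itself rather than inheriting the default."""
    return any(
        "confidence" in klass.__dict__
        for klass in cls.__mro__
        if klass not in (Signature, object)
    )


def audit_default_confidence(signatures):
    """Names of signatures still riding on the base-class default."""
    return sorted(s.name for s in signatures if not sets_own_confidence(s))


def category(sig):
    """Bucket a signature by its effective (possibly inherited) confidence."""
    return "malicious" if sig.confidence > SUSPICIOUS_MAX_CONFIDENCE else "suspicious"


def categorize(signatures):
    return {s.name: category(s) for s in signatures}
```

Running the audit over a real signature set would flag every class whose confidence is still the inherited default, which is the list worth reviewing before adjusting scores.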
@mjbradford89 (Author)

After reading #2086 I now have more context. I plan to try and improve some of these signatures' confidence values and will open some PRs to the community repo. I'll leave this open for now for discussion.

@doomedraven (Collaborator)

any improvements are more than welcome
