Two False Positive Alerts
Q7ak5 opened this issue · 1 comment
Q7ak5 commented
Two alerts with score 100 are certainly false positives:
521cb9865a2ae7c486b08c1f55a9a8cd,C:\ProgramData\Microsoft\Windows\Start Menu\Programs\REINER SCT cyberJack\Support.url,100
521cb9865a2ae7c486b08c1f55a9a8cd,C:............\AppData\Roaming\Microsoft\Windows\Recent\Support.url,100
A bad YARA rule seems to be the culprit.
Neo23x0 commented
Which rules?
Score 100 often indicates a false positive in the hash list, as hash matches always get score 100 by default. I rarely publish YARA rules with score 100.
--
Florian Roth
Key material (Keybase, S/MIME, PGP, Threema):
https://keybase.pub/johngalt/
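As an added example (not code from the Loki project or from either commenter), a small Python triage helper that applies the maintainer's point: a score-100 alert is most likely a hash-list hit, so the check is to look the hash up in the hash IOC list rather than hunt for a YARA rule. The alert rows and the hash IOC list below are constructed, and the "hash;comment" IOC line format is an assumption.

```python
import csv
import io
from collections import defaultdict

# Constructed sample alert rows in the "md5,path,score" shape from the issue.
# The redacted user path from the issue is replaced by a constructed one.
ALERTS_CSV = (
    "521cb9865a2ae7c486b08c1f55a9a8cd,"
    "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\REINER SCT cyberJack\\Support.url,100\n"
    "521cb9865a2ae7c486b08c1f55a9a8cd,"
    "C:\\Users\\example\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\Support.url,100\n"
    "deadbeefdeadbeefdeadbeefdeadbeef,C:\\Users\\example\\Downloads\\sample.bin,70\n"
)

# Constructed hash IOC list; the "hash;comment" line format is an assumption.
HASH_IOCS = (
    "# constructed hash IOC list\n"
    "521cb9865a2ae7c486b08c1f55a9a8cd;Example IOC entry that hits a benign Support.url\n"
)

HASH_MATCH_SCORE = 100  # default score of a hash-list hit, per the maintainer's comment


def parse_alerts(text):
    """Parse md5,path,score rows into dicts; scores become ints."""
    rows = []
    for md5, path, score in csv.reader(io.StringIO(text)):
        rows.append({"md5": md5.lower(), "path": path, "score": int(score)})
    return rows


def load_hash_iocs(text):
    """Map lowercase hash -> comment, skipping blank lines and '#' comments."""
    iocs = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        h, _, comment = line.partition(";")
        iocs[h.lower()] = comment
    return iocs


def triage(alerts, hash_iocs):
    """Per hash: if it is in the hash list, the IOC entry (not a YARA rule) is
    what needs review or a false-positive exclusion; otherwise check the rule."""
    by_hash = defaultdict(list)
    for a in alerts:
        by_hash[a["md5"]].append(a)
    verdicts = {}
    for md5, hits in by_hash.items():
        if md5 in hash_iocs:
            verdicts[md5] = f"hash IOC match ({hash_iocs[md5]}) on {len(hits)} path(s)"
        elif {h["score"] for h in hits} == {HASH_MATCH_SCORE}:
            verdicts[md5] = "score 100 but not in the local hash list: check other hash sources"
        else:
            verdicts[md5] = "rule match: check the named rule"
    return verdicts
```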