eset/malware-ioc

False Positive

krypt0x opened this issue · 4 comments

Hi there,

Why is our software being flagged as malware?

Matches rule skip20_sqllang_hook
by Mathieu Tartare <mathieu.tartare@eset.com>
from ruleset skip20_sqllang_hook
at https://github.com/eset/malware-ioc

YARA rule to detect if a sqllang.dll version is targeted by skip-2.0. Each byte pattern corresponds to a function hooked by skip-2.0. If $1_0 or $1_1 match, it is probably targeted as it corresponds to the hook responsible for bypassing the authentication.

https://github.com/ConcealNetwork/conceal-desktop

Could you please assist?

Thank you

I can confirm that it's a false positive. Would be great if it could be solved.

This YARA rule is not meant to detect malware, but the legitimate sqllang.dll from MSSQL. It is based on the patterns used by the skip-2.0 malware family to hook certain functions.

This means skip-2.0 could theoretically change the behavior of Conceal Desktop if it were injected into it. But that scenario should never happen...

As a general rule, YARA rules in this repository should be used for malware or file classification, not detections. We do make an effort to avoid false positives (thus better classification) but it is not the main goal when writing our YARA rules.

Let us know if a system is using these rules for detection and that is causing you trouble, we can work together on finding a solution if need be.
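As an added illustration of the distinction drawn above (a rule that classifies sqllang.dll builds, not one that detects malware), the following rule is not the ESET rule from the repository; it shows how a consumer of such a rule could narrow it to the intended file with YARA's pe module before using it anywhere near a detection pipeline. The byte patterns and the rule name are constructed placeholders, not the real skip-2.0 hook patterns.

```yara
import "pe"

rule sqllang_hook_classification_scoped
{
    meta:
        description = "Classify MSSQL sqllang.dll builds that carry the hooked-function patterns; scoped to the genuine module so unrelated PE files are not tagged"
        reference   = "https://github.com/eset/malware-ioc"
        usage       = "classification only, not a malware detection"

    strings:
        // Constructed placeholder patterns standing in for the hook
        // signatures; the real ones live in the ESET repository.
        // $auth_hook_* play the role of $1_0 / $1_1 from the thread:
        // the hook on the authentication path.
        $auth_hook_0  = { 48 8B C4 48 89 58 ?? 48 89 70 ?? 57 }
        $auth_hook_1  = { 48 89 5C 24 ?? 48 89 74 24 ?? 57 48 83 EC }
        $other_hook_0 = { 40 53 48 83 EC ?? 48 8B D9 E8 }
        $other_hook_1 = { 48 83 EC ?? 48 8B 05 ?? ?? ?? ?? 48 85 C0 }

    condition:
        // Structural guard: PE file (MZ header) parsed by the pe module.
        uint16(0) == 0x5A4D and pe.is_pe and
        // Scope to the MSSQL engine DLL via its version resource.
        // If the resource is absent, the lookup is undefined and the
        // whole condition evaluates to false, so a build that merely
        // shares compiler idioms with sqllang.dll is not tagged.
        pe.version_info["OriginalFilename"] icontains "sqllang.dll" and
        pe.version_info["CompanyName"]      icontains "microsoft" and
        // Classification logic as described in the thread: any hooked
        // function pattern means the build is a skip-2.0 target, with
        // the authentication hook being the strongest signal.
        (any of ($auth_hook_*) or any of ($other_hook_*))
}
```

A product that ingests repository rules unscoped should treat a match as a classification tag and require corroborating evidence (file identity, behavior) before raising a malware verdict.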

Some AV software providers are using this rule and flag our software as malware. We will study this issue and try to do some changes in our software to not trigger this rule. Thank you very much for your prompt feedback.

> Some AV software providers

I'd be curious to know what software is using these rules in their product. The license does permit them to be used and distributed, but it's always nice to know when they are.

> Thank you very much for your prompt feedback.

You're very welcome. I'll close the issue but don't hesitate to reopen it if needed.

Cheers,
M-E