Getting false positives in signatures
Closed this issue · 6 comments
About accounts on capesandbox.com
- Issues aren't the way to ask for account activation. Ping capesandbox on Twitter with your username
This is open source and you are getting free support so be friendly!
Prerequisites
Please answer the following questions for yourself before submitting an issue.
- [Y] I am running the latest version
- [Y] I did read the README!
- [Y] I checked the documentation and found no answer
- [Y] I checked to make sure that this issue has not already been filed
- [Y] I'm reporting the issue to the correct repository (for multi-repository projects)
- [Y] I have read and checked all configs (with all optional parts)
Expected Behavior
Getting low/appropriate signatures for legit files
Current Behavior
Getting a malscore of 10 for every file I'm analyzing, including the legitimate/safe ones, with signatures that shouldn't be there as the file is not malware. It's happening with every file type, including xls, word, exe etc.
Failure Information (for bugs)
Please help provide information about the failure if this is a bug. If it is not a bug, please remove the rest of this template.
Steps to Reproduce
Please provide detailed steps for reproducing the issue.
- Submit a safe file
- Observe the signatures
Context
Please provide any relevant information about your setup. This is important in case the issue is not reproducible except for under certain conditions. Operating system version, bitness, installed software versions, test sample details/hash/binary (if applicable).
| Question | Answer |
|---|---|
| Git commit | Type `$ git log \| head -n1` to find out |
| OS version | Ubuntu 22.04 |
Failure Logs
Please include any relevant log snippets or files here.
CAPE is made to analyze malware. If you see a FP signature you are welcome to fix it; they are in the community repo. But if a legit binary does something that malware does too, we can't do anything.
- Please start providing richer details about issues; it is boring to have to ask what is wrong. Saying something without proof is useless: what signature, what binary, etc.
malscore is not enabled by default in CAPE, for good reason.
Also, like doomed says, the level of detail in this issue is ridiculous. Not even an example!
Well we can't control it
So I have found literally nothing by googling "udp scan by nmap terdeteksi!". I never saw this signature (nmap) in my sandbox. I have a feeling that you have a bad Windows configuration, but once again the quality of the details in the issue is bad. Instead of this, or as an extra, you could go to the network tab, then Suricata, where you have all the details about that match, so we could see what generates that match. But quality of issue details == quality of response.