
False Positive: MSOffice/PDF Documents Spawn Orphaned explorer.exe Processes

Open · para0x0dise opened this issue 6 months ago · 0 comments

Problem Description

When analyzing MS Office documents (Word, Excel, PowerPoint) or PDFs, CAPE incorrectly monitors explorer.exe processes that appear as orphaned/dummy processes with incorrect parent process IDs. These processes don't show the actual MS Office or Adobe Acrobat applications as their parent, leading to false positive detections.

Impact

  • False Positive Signatures: Orphaned explorer.exe processes trigger suspicious signatures (related to normal behavior)
  • Incorrect Process Trees: Process relationships are not accurately represented
  • Analysis Noise: Legitimate MS Office/PDF behavior appears suspicious

Proposed Solution

We can try to validate whether the created process has a valid PPID of the main analyzed process, and then inject the DLLs to monitor it inside analyzer.py's _handle_process.

    def _handle_process(self, data):
        ...
        ...

        # Get the actual PPID and validate the parent/child relationship
        ppid = proc.get_parent_pid()

        # Only inject when the image is not in a protected path and the parent
        # is already one of the processes the analyzer is monitoring
        if not in_protected_path(filename) and ppid in self.analyzer.process_list.pids:
            log.info("Announced %s process name: %s pid: %d", "64-bit" if is_64bit else "32-bit", filename, process_id)
            _ = proc.inject(interest)
            self.analyzer.LASTINJECT_TIME = timeit.default_timer()
            self.analyzer.NUM_INJECTED += 1
        proc.close()

para0x0dise · May 25 '25 21:05
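The PPID gate proposed in this issue, run over a constructed process-announcement sequence, as an added example that is not part of the issue or of CAPE's own code. It assumes a hypothetical in_protected_path() stand-in and a simplified announcement model in which the analyzer's monitored-pid set is seeded with the analyzed sample's pid.

```python
from dataclasses import dataclass, field

# Constructed, hypothetical stand-in for CAPE's protected-path list.
PROTECTED_PREFIXES = ("c:\\windows\\system32\\",)


def in_protected_path(path: str) -> bool:
    """Hypothetical replacement for CAPE's in_protected_path()."""
    return path.lower().startswith(PROTECTED_PREFIXES)


@dataclass
class Announcement:
    pid: int
    ppid: int   # PPID as reported by the monitor for this process
    path: str   # image path of the announced process


@dataclass
class MonitorState:
    """pids mirrors analyzer.process_list.pids: processes already injected."""
    pids: set = field(default_factory=set)
    rejected: list = field(default_factory=list)  # (pid, reason) skipped


def handle_announcement(state: MonitorState, ann: Announcement) -> bool:
    """Apply the proposed gate: inject only if the image is not protected and
    the parent is already a monitored process. Returns True when injected."""
    if in_protected_path(ann.path):
        state.rejected.append((ann.pid, "protected path"))
        return False
    if ann.ppid not in state.pids:
        # An orphaned explorer.exe with a bogus parent lands here and is skipped.
        state.rejected.append((ann.pid, f"ppid {ann.ppid} not monitored"))
        return False
    state.pids.add(ann.pid)
    return True


def run_sample() -> MonitorState:
    """Constructed event sequence; pid 1000 is the analyzed WINWORD.EXE sample.
    Announcements must arrive parent-before-child for the gate to chain."""
    state = MonitorState(pids={1000})
    events = [
        Announcement(1100, 1000, r"C:\Users\u\AppData\Local\Temp\dropped.exe"),
        Announcement(1200, 4, r"C:\Windows\explorer.exe"),             # orphan
        Announcement(1300, 1000, r"C:\Windows\System32\conhost.exe"),  # protected
        Announcement(1400, 1100, r"C:\Users\u\AppData\Local\Temp\stage2.exe"),
    ]
    for ev in events:
        handle_announcement(state, ev)
    return state
```

Note that the gate is order-sensitive: a child announced before its parent has been injected is rejected, so the monitored set only grows along edges the analyzer has already seen.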