
Update/increase max filesize in Suspicious_Size_explorer_exe rule?

Open khalavak opened this issue 2 years ago • 1 comments

Hello, I got some hits on this rule when testing on a Windows 10 desktop. C:\Windows\Explorer.exe seems to be 5007KB in Windows 10. Should the max filesize be increased a bit to take this into account and remove FPs for explorer on Windows 10?

rule Suspicious_Size_explorer_exe {
    meta:
        description = "Detects uncommon file size of explorer.exe"
        license = "https://creativecommons.org/licenses/by-nc/4.0/"
        author = "Florian Roth"
        score = 60
        date = "2015-12-21"
        noarchivescan = 1
    condition:
        // DOS "MZ" magic: the file must be a PE image
        uint16(0) == 0x5a4d
        // filename and filepath are external variables the scanner must supply
        // (e.g. yara -d filename=explorer.exe -d filepath=... ); == and contains are case-sensitive
        and filename == "explorer.exe"
        and not filepath contains "teamviewer"
        // KB is 1024 bytes in YARA; anything outside 800KB..5000KB matches
        and ( filesize < 800KB or filesize > 5000KB )
}

khalavak avatar Jul 28 '22 08:07 khalavak
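As an added illustration (not code from the signature-base repository or from anyone in this thread), the following Python script mirrors the rule's condition so the size bounds can be tried against constructed file metadata, including the 5007KB Windows 10 explorer.exe reported above. All function and sample names are invented, the sample sizes and paths are constructed, and the 6000KB bound is a hypothetical value for comparison, not the value chosen in PR #206. Because YARA's `==` is case-sensitive, the last check shows that a scanner passing `Explorer.exe` as `filename` would not match at all.

```python
import struct

# Reference evaluator for the Suspicious_Size_explorer_exe condition (added example, not YARA).
# It reproduces the rule's semantics so thresholds can be tuned without running a scanner.

MZ_MAGIC = 0x5A4D   # uint16(0) == 0x5a4d, i.e. little-endian "MZ"
KB = 1024           # YARA's KB suffix means 1024 bytes


def uint16_le(data: bytes, offset: int) -> int:
    """Emulate YARA's uint16(offset): unsigned 16-bit, little-endian."""
    return struct.unpack_from("<H", data, offset)[0]


def suspicious_size_explorer(header: bytes, filename: str, filepath: str,
                             filesize: int, min_kb: int = 800, max_kb: int = 5000) -> bool:
    """Return True when the rule's condition would match.

    min_kb/max_kb default to the bounds in the rule as posted; max_kb is the
    knob the issue asks to raise. String comparisons are case-sensitive, as
    YARA's == and 'contains' are.
    """
    if len(header) < 2 or uint16_le(header, 0) != MZ_MAGIC:
        return False                      # not a PE image
    if filename != "explorer.exe":
        return False                      # external variable from the scanner
    if "teamviewer" in filepath:
        return False                      # excluded path
    return filesize < min_kb * KB or filesize > max_kb * KB


PE_HEADER = b"MZ\x90\x00"   # constructed: only the DOS magic, enough for uint16(0)

# Constructed samples: (label, first bytes, filename, filepath, size in bytes)
SAMPLES = [
    ("win10_explorer", PE_HEADER, "explorer.exe", "C:\\Windows", 5007 * KB),                  # the FP from the issue
    ("old_explorer",   PE_HEADER, "explorer.exe", "C:\\Windows", 2800 * KB),                  # inside the original range
    ("tiny_explorer",  PE_HEADER, "explorer.exe", "C:\\Users\\Public", 200 * KB),             # suspiciously small
    ("teamviewer",     PE_HEADER, "explorer.exe", "C:\\Program Files\\teamviewer", 9000 * KB),  # excluded path
    ("not_pe",         b"#!/bin", "explorer.exe", "C:\\Windows", 5007 * KB),                  # no MZ header
]


def evaluate(max_kb: int = 5000) -> dict:
    """Run every sample through the condition with the given upper bound (KB)."""
    return {label: suspicious_size_explorer(hdr, fn, fp, size, max_kb=max_kb)
            for label, hdr, fn, fp, size in SAMPLES}


if __name__ == "__main__":
    for bound in (5000, 6000):   # 6000 is a hypothetical raised bound for comparison
        print(f"max {bound}KB:", evaluate(bound))
```

With the original 5000KB bound the 5007KB sample matches; with the hypothetical 6000KB bound it does not, while the undersized sample still matches and the TeamViewer and non-PE samples stay excluded.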

Thanks for the feedback, I will have an update for the rule shortly. See PR #206

phantinuss avatar Jul 28 '22 08:07 phantinuss

Should be resolved by now. If not, please reopen the issue.

phantinuss avatar Oct 10 '22 09:10 phantinuss