
High severity signatures firing during benign URL analysis in IE 7

Open seanthegeek opened this issue 6 years ago • 2 comments

When analyzing various benign URLs in IE on Windows 7:

  • example.com
  • google.com

The following high severity signatures fired, which raised the MalScore to malicious levels:

  • creates_largekey regkeyval: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage2\ProgramsCache
  • stack_pivot process: explorer.exe:1288

Ideally, the MalScore should be in the benign range.

seanthegeek avatar Jan 20 '19 03:01 seanthegeek

Perhaps this could be resolved by updating the signatures with an exclusion list of process names or similar to get it to ignore IE?

kevoreilly avatar Aug 22 '19 10:08 kevoreilly

Can the signatures get the full path of the process instead of the process name? That would be safer.

That could also solve the PDF false positive.

seanthegeek avatar Aug 22 '19 11:08 seanthegeek
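To make the trade-off in the last two comments concrete, here is an added example (not CAPE's signature code, and not using CAPE's signature API) that models the two exclusion strategies side by side: suppressing a hit when the process *name* matches a trusted browser, versus suppressing only when the *full module path* matches the known install location. The `module_path` field, the allow-list entries, the pids and the sample events are all constructed for this illustration; only the `stack_pivot` signature name comes from the issue.

```python
"""Exclusion by process name versus exclusion by full process path.

Added illustration, not CAPE code. The event dicts, the allow-list and
the pids are constructed; a real sandbox report would supply them.
"""
import ntpath

# Constructed allow-list of trusted browser binaries, keyed by full path.
# Paths are normalised and lower-cased so the comparison is case-insensitive,
# matching how NTFS treats file names.
TRUSTED_BROWSER_PATHS = {
    r"c:\program files\internet explorer\iexplore.exe",
    r"c:\program files (x86)\internet explorer\iexplore.exe",
}
# The same allow-list reduced to bare file names, as a name-only exclusion would use.
TRUSTED_BROWSER_NAMES = {ntpath.basename(p) for p in TRUSTED_BROWSER_PATHS}


def _norm(path: str) -> str:
    """Canonical form used for every comparison below."""
    return ntpath.normpath(path).lower()


def excluded_by_name(event: dict) -> bool:
    """Weak exclusion: any process whose image is called iexplore.exe is ignored,
    wherever that image lives on disk."""
    return ntpath.basename(_norm(event["module_path"])) in TRUSTED_BROWSER_NAMES


def excluded_by_path(event: dict) -> bool:
    """Stronger exclusion: only the genuine install location is ignored, so a
    same-named binary elsewhere still contributes to the score."""
    return _norm(event["module_path"]) in TRUSTED_BROWSER_PATHS


def evaluate(events, exclude):
    """Return the (pid, signature) pairs that still fire after applying `exclude`."""
    return [(e["pid"], e["signature"]) for e in events if not exclude(e)]


# Constructed events: one raised by the real IE binary (the benign-URL case from
# the issue), one raised by a same-named binary in a user-writable directory.
SAMPLE_EVENTS = [
    {
        "pid": 1500,
        "module_path": r"C:\Program Files\Internet Explorer\iexplore.exe",
        "signature": "stack_pivot",
    },
    {
        "pid": 2044,
        "module_path": r"C:\Users\user\AppData\Local\Temp\iexplore.exe",
        "signature": "stack_pivot",
    },
]

if __name__ == "__main__":
    # Name-based exclusion silences both events; path-based keeps the second one.
    print("excluded by name:", evaluate(SAMPLE_EVENTS, excluded_by_name))
    print("excluded by path:", evaluate(SAMPLE_EVENTS, excluded_by_path))
```

Run stand-alone, the name-based variant reports no remaining hits, while the path-based variant still reports the hit from the binary outside the install directory, which is the safety margin the full-path suggestion buys.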