
potential signature confidence issue

Open mjbradford89 opened this issue 9 months ago • 2 comments

About accounts on capesandbox.com

  • Issues aren't the way to ask for account activation. Ping capesandbox on Twitter with your username

This is open source and you are getting free support so be friendly!

Prerequisites

Please answer the following questions for yourself before submitting an issue.

  • [x] I am running the latest version
  • [x] I did read the README!
  • [x] I checked the documentation and found no answer
  • [x] I checked to make sure that this issue has not already been filed
  • [x] I'm reporting the issue to the correct repository (for multi-repository projects)
  • [x] I have read and checked all configs (with all optional parts)

Expected Behavior

I would expect certain signatures to have a lower confidence, for example queries_keyboard_layout and antivm_checks_available_memory. This causes the signature to be treated as a malicious category rather than a suspicious category when calculating the malscore. To me this would be a suspicious category unless I misunderstand the purpose of the confidence value.

Current Behavior

Signatures that don't explicitly specify a confidence value are defaulted to 100, for example the queries_keyboard_layout signature does not specify confidence, and the result is a malscore of 10 for all office files, among other types.

I believe this is caused by the base Signature class having a confidence value of 100.

From the report:

```json
{
  "name": "queries_keyboard_layout",
  "description": "Queries the keyboard layout",
  "categories": ["location_discovery"],
  "severity": 1,
  "weight": 1,
  "confidence": 100,
  "references": [],
  "data": [
    { "type": "call", "pid": 4184, "cid": 1083 },
    { "type": "call", "pid": 8580, "cid": 4347 },
    { "type": "call", "pid": 8580, "cid": 4383 }
  ],
  "new_data": [],
  "alert": false,
  "families": []
}
```

mjbradford89 · May 22 '24 17:05
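The mechanism the report describes (a `confidence` class attribute on the base class that every subclass silently inherits unless it assigns its own) can be audited in code. The following is an added example written for this page, not CAPEv2's own code: the `Signature` base class, the two sample signatures, the `MALICIOUS_CONFIDENCE_THRESHOLD` value and the `classify` rule are all constructed stand-ins chosen to illustrate the issue, and only `queries_keyboard_layout`'s fields are taken from the report entry above. The `inherits_default_confidence` check itself is generic: it walks a subclass's MRO and reports whether `confidence` was ever assigned below the base class, which is exactly the condition that makes a signature fall into the default bucket.

```python
"""Audit sandbox signature classes that silently inherit a default confidence.

Hypothetical model of the behaviour described in the issue; not CAPEv2 code.
"""
from __future__ import annotations

import inspect
import sys


class Signature:
    """Stand-in for a signature base class (hypothetical, not CAPEv2's own).

    Any subclass that never assigns `confidence` inherits the value below,
    which is the propagation the issue points at.
    """

    name = ""
    description = ""
    categories: list[str] = []
    severity = 1
    weight = 1
    confidence = 100  # base-class default that leaks into every subclass


class QueriesKeyboardLayout(Signature):
    # Fields taken from the report entry quoted in the issue; note the
    # absence of an explicit `confidence`.
    name = "queries_keyboard_layout"
    description = "Queries the keyboard layout"
    categories = ["location_discovery"]
    severity = 1
    weight = 1


class HypotheticalLowConfidenceCheck(Signature):
    # Constructed counter-example: a signature that states its own confidence.
    name = "hypothetical_low_confidence_check"
    description = "Constructed signature with an explicit confidence"
    categories = ["anti-vm"]
    severity = 1
    weight = 1
    confidence = 30


def inherits_default_confidence(sig_cls: type[Signature]) -> bool:
    """True when no class between `sig_cls` and `Signature` assigns `confidence`."""
    for cls in sig_cls.__mro__:
        if cls is Signature:
            return True  # reached the base class without seeing an override
        if "confidence" in vars(cls):
            return False  # an explicit assignment on the way up
    return True


def audit_signatures(sig_classes) -> list[str]:
    """Names of the signatures whose confidence is only the base-class default."""
    return sorted(c.name for c in sig_classes if inherits_default_confidence(c))


def discover_signatures(module) -> list[type[Signature]]:
    """Collect Signature subclasses defined in a module (here: this file)."""
    return [
        cls
        for _, cls in inspect.getmembers(module, inspect.isclass)
        if issubclass(cls, Signature) and cls is not Signature
    ]


def report_entry(sig_cls: type[Signature]) -> dict:
    """Render a signature class the way it would appear in a report."""
    return {
        "name": sig_cls.name,
        "categories": list(sig_cls.categories),
        "severity": sig_cls.severity,
        "weight": sig_cls.weight,
        "confidence": sig_cls.confidence,
    }


MALICIOUS_CONFIDENCE_THRESHOLD = 75  # constructed threshold, not CAPEv2's value


def classify(entry: dict, threshold: int = MALICIOUS_CONFIDENCE_THRESHOLD) -> str:
    """Illustrative bucketing rule: high confidence lands in the malicious bucket."""
    return "malicious" if entry["confidence"] >= threshold else "suspicious"


if __name__ == "__main__":
    found = discover_signatures(sys.modules[__name__])
    print("signatures relying on the base-class default:", audit_signatures(found))
    for sig in found:
        entry = report_entry(sig)
        print(f"{entry['name']}: confidence={entry['confidence']} -> {classify(entry)}")
```

Run against a real signature package, `discover_signatures` would need the project's actual base class in place of the stand-in; the MRO walk is unchanged. The audit flags `queries_keyboard_layout` because its confidence of 100 is inherited rather than declared, and the constructed `classify` rule then shows why that inherited value pushes a severity-1 signature into the same bucket as a high-confidence one.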