
FPs encrypt-data-using-rc4-ksa.yml

Open htnhan opened this issue 3 years ago • 0 comments

Summary

False positive on RC4 KSA rule

Examples

  • 8333822ed41d9f2b302cf8e21b126efc:0x40646a

Possible improvements

  • modulo key length rule could be inside a basic block that is also a tight loop and also checks for 0x100 and/or 0xFF instead of checking against the whole function?

htnhan Mar 11 '22 08:03
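The scoping change proposed in this issue, as an added example that is not part of the original issue and is neither capa's matching engine nor the rule's actual logic. It is a simplified model that compares a function-wide match with a match confined to one tight-loop basic block; the `BasicBlock` type, the feature names, the use of `div`/`idiv` as the modulo indicator, and both sample functions are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class BasicBlock:
    mnemonics: set                      # instruction mnemonics seen in the block
    numbers: set = field(default_factory=set)  # immediate constants in the block
    tight_loop: bool = False            # block branches back to itself

def has_modulo(bb):
    # Assumption: `i % keylen` with a runtime key length compiles to div/idiv.
    return bool(bb.mnemonics & {"div", "idiv"})

def has_sbox_bound(bb):
    # 0x100 as the loop bound or 0xFF as the byte mask, as named in the issue.
    return bool(bb.numbers & {0x100, 0xFF})

def match_function_scope(blocks):
    # Each feature may come from any block anywhere in the function.
    return any(has_modulo(b) for b in blocks) and any(has_sbox_bound(b) for b in blocks)

def match_block_scope(blocks):
    # Proposed: all features must co-occur in a single tight-loop block.
    return any(b.tight_loop and has_modulo(b) and has_sbox_bound(b) for b in blocks)

# Constructed: KSA-shaped function. The mixing loop holds the modulo,
# the 0xFF mask and the 0x100 bound together.
KSA_LIKE = [
    BasicBlock({"mov", "inc", "cmp", "jl"}, {0x100}, tight_loop=True),   # S[i] = i
    BasicBlock({"mov", "div", "add", "and", "xchg", "inc", "cmp", "jl"},
               {0xFF, 0x100}, tight_loop=True),                          # mixing loop
    BasicBlock({"ret"}),
]

# Constructed: unrelated function. A 0x100-byte buffer size in the prologue
# and a modulo in a separate loop that never references 0x100 or 0xFF.
UNRELATED = [
    BasicBlock({"push", "sub", "mov"}, {0x100}),
    BasicBlock({"mov", "div", "inc", "cmp", "jl"}, {0x0A}, tight_loop=True),
    BasicBlock({"add", "ret"}, {0x100}),
]

if __name__ == "__main__":
    for name, fn in (("KSA_LIKE", KSA_LIKE), ("UNRELATED", UNRELATED)):
        print(name, "function-scope:", match_function_scope(fn),
              "block-scope:", match_block_scope(fn))
```
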