
sigs folder missing from package installation dir

Open Antelox opened this issue 4 years ago • 3 comments

Description

With version 2.0.0 (installed via pip), when running capa with no signatures argument it reports an error and exits. The issue seems to be in the get_default_signatures method, which tries to get the sigs folder from the package installation dir, but that folder is missing.

Steps to Reproduce

1. Run capa with no -s argument

Expected behavior:

Run with the default signatures and continue without exiting.

Actual behavior:

It runs, reports the error below and exits.

ERROR:capa:signatures path %REDACTED%/env/lib/python3.9/site-packages/capa/../sigs does not exist or cannot be accessed

Versions

2.0.0

Antelox avatar Jul 22 '21 12:07 Antelox

Yes, this is definitely not the most user-friendly behavior but when installing via pip no rules or signatures are installed.

For now you'll have to provide the sigs directory manually.

See the note here https://github.com/fireeye/capa/blob/master/doc/installation.md#note

mr-tz avatar Jul 22 '21 13:07 mr-tz

I see, perhaps if no sigs, just continue and don't use them rather than exit? Does this make sense?

Antelox avatar Jul 22 '21 13:07 Antelox

that's a good idea.

we should also try to detect when installed via pip and show a warning and explain how to fix the situation.

williballenthin avatar Jul 22 '21 13:07 williballenthin
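
The behavior proposed in the comments above (continue without signatures when the default sigs directory is missing, and warn with a fix hint when the install looks like a pip install), as an added example that is not capa's own code. The function names, the `site-packages` heuristic and the signature file suffixes are assumptions made for illustration.

```python
import logging
import tempfile
from pathlib import Path
from typing import List, Optional

logger = logging.getLogger("sigs-example")
# Assumption: signature files are recognized by these suffixes.
SIG_SUFFIXES = (".sig", ".pat", ".pat.gz")

def default_sigs_dir(package_dir: Path) -> Path:
    # Mirrors the path in the reported error: <site-packages>/capa/../sigs
    return package_dir.parent / "sigs"

def looks_pip_installed(package_dir: Path) -> bool:
    # Heuristic (assumption): pip places packages under site-packages or dist-packages.
    return any(part in ("site-packages", "dist-packages") for part in package_dir.parts)

def resolve_signatures(package_dir: Path, user_path: Optional[Path] = None) -> List[Path]:
    """Return signature files; an empty list means "analyze without signatures"."""
    if user_path is not None:
        # A wrong explicit -s path stays a hard error: the user asked for that path.
        if not user_path.exists():
            raise FileNotFoundError(f"signatures path {user_path} does not exist")
        root = user_path
    else:
        root = default_sigs_dir(package_dir)
        if not root.is_dir():
            hint = " (pip installs ship no signatures; pass a sigs directory with -s)" if looks_pip_installed(package_dir) else ""
            logger.warning("default signatures not found at %s, continuing without them%s", root, hint)
            return []
    if root.is_file():
        return [root]
    return sorted(p for p in root.rglob("*") if p.is_file() and p.name.endswith(SIG_SUFFIXES))

if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    # Constructed layout imitating a pip install with no sigs directory.
    with tempfile.TemporaryDirectory() as tmp:
        pkg = Path(tmp) / "env" / "lib" / "python3.9" / "site-packages" / "capa"
        pkg.mkdir(parents=True)
        print(resolve_signatures(pkg))  # warns, then continues with no signatures
```
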

Should we package the signatures like done in https://github.com/mandiant/flare-floss/pull/578?

mr-tz avatar Jan 06 '23 15:01 mr-tz