mvt
False positive IOC detection in mvt.ios.modules.backup.manifest
In a backup I checked with mvt-ios, I noticed the warning: Found mention of domain "example.com" in a backup file with path: example/example.commercial.file
[domain changed for privacy reasons]
It seems to me that the domains aren't parsed, but the IOCs are just checked using string comparison. An improvement could be to actually parse domain names to produce fewer false positives.
Hi! Can you share the name of the IOC that was supposedly matched? :) If it's a long, unique domain, for example, that makes an accidental match less likely.
Also, I'm not sure what you mean by "parsing domain names". I think it's the other way around: the backup file might not be parsed, and it's just searching for substrings in the whole file.
I could maybe share the IOC with the mvt developers, but I can't post it publicly on the Internet, sorry.
Thanks for reporting. I am aware of this issue, but I need to do some more testing to check whether there are meaningful ways to reduce FPs while maintaining the ability to search for the existence of certain files.
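To make the false positive in this thread concrete, here is an added example (not MVT's own code) that contrasts plain substring matching with matching a domain IOC only at label boundaries, while still matching file-path IOCs exactly so that file-existence checks keep working. The IOC list, the sample strings and the file path are constructed for the example; the function names are hypothetical.

```python
import re

# Constructed IOC set and sample inputs. "example.com" is the IOC domain from the
# report; the first sample string is the path that triggered the false positive.
IOC_DOMAINS = {"example.com"}
IOC_FILE_PATHS = {"Library/Preferences/com.example.agent.plist"}

SAMPLE_STRINGS = [
    "example/example.commercial.file",   # substring hit, but not the domain
    "https://example.com/payload",        # genuine hit
    "cdn.example.com",                    # subdomain of the IOC: genuine hit
    "notexample.com",                     # different registrable domain
    "example.com.evil.net",               # IOC is a prefix of labels, not a suffix
]


def naive_match(text, domains):
    """Substring check: the behaviour that produces the reported false positive."""
    return {d for d in domains if d in text}


# A host-like token: labels of [A-Za-z0-9-] joined by dots, not preceded or
# followed by another label character, so we never start or stop mid-label.
_HOST_RE = re.compile(
    r"(?<![A-Za-z0-9.-])([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)(?![A-Za-z0-9-])"
)


def extract_hosts(text):
    """Return every host-like token found in text, lower-cased."""
    return [m.group(1).lower() for m in _HOST_RE.finditer(text)]


def host_matches(host, ioc):
    """True if host is the IOC domain itself or a subdomain of it."""
    return host == ioc or host.endswith("." + ioc)


def domain_match(text, domains):
    """Boundary-aware check: only whole hosts equal to or under an IOC domain hit."""
    hits = set()
    for host in extract_hosts(text):
        for d in domains:
            if host_matches(host, d.lower()):
                hits.add(d)
    return hits


def file_match(relative_path, ioc_paths):
    """File IOCs are matched on the exact relative path or its basename, so
    tightening the domain check does not lose the ability to find files."""
    basename = relative_path.rsplit("/", 1)[-1]
    return {p for p in ioc_paths if relative_path == p or basename == p.rsplit("/", 1)[-1]}


def scan(strings, domains):
    """Compare both strategies over the samples; returns {string: (naive, strict)}."""
    return {s: (naive_match(s, domains), domain_match(s, domains)) for s in strings}


if __name__ == "__main__":
    for s, (naive, strict) in scan(SAMPLE_STRINGS, IOC_DOMAINS).items():
        print(f"{s!r}: substring={sorted(naive)} domain={sorted(strict)}")
    print(file_match("Library/Preferences/com.example.agent.plist", IOC_FILE_PATHS))
```

The regex anchors on label boundaries rather than arbitrary characters, so `example.commercial.file` is extracted as one host and compared as a whole against the IOC; `notexample.com` and `example.com.evil.net` likewise do not match because the IOC must be the full host or a suffix of its labels.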
This should now be fixed. You can check whether it is solved by running off git, if you wish.
I just ran a test with the same backup and the version from git. This fixed the issue for me. Thank you very much.