
False positive IOC detection in mvt.ios.modules.backup.manifest

Open besendorf opened this issue 1 year ago • 3 comments

While checking a backup with mvt-ios, I noticed a warning: `Found mention of domain "example.com" in a backup file with path: example/example.commercial.file` [domain changed for privacy reasons]. It seems to me the domains aren't parsed but the IOCs are just checked using string comparison. An improvement could be to actually parse domain names to produce fewer false positives.

besendorf avatar Aug 08 '22 09:08 besendorf

hi! Can you share the name of the IOC that was supposedly matched? :) If it's a long, unique domain, for example, that makes an accidental match less likely.

Also, I'm not sure what you mean by "parsing domain names"; I think it's the other way around: the backup file might not be parsed, and it's just searching for substrings on the whole file.

kpcyrd avatar Aug 08 '22 14:08 kpcyrd
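To make the difference concrete, here is an added example (not mvt's code, and not the fix that was later committed) contrasting the plain substring check described in the thread with a check that first extracts hostname-like tokens and then compares them on label boundaries, so that `example.commercial.file` no longer matches the IOC `example.com`. The IOC list and the sample path strings are constructed for illustration; the reporter's real domain was withheld.

```python
import re

# Constructed IOC domains and sample strings (placeholders, not real indicators).
IOC_DOMAINS = {"example.com", "bad.example.net"}

# A hostname-like token: dot-joined labels of letters, digits and hyphens,
# not glued onto surrounding label characters on either side.
_HOST_RE = re.compile(
    r"(?<![A-Za-z0-9.-])([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)(?![A-Za-z0-9-])"
)


def naive_match(text, iocs=IOC_DOMAINS):
    """Substring check as described in the thread: any IOC found anywhere in text."""
    lowered = text.lower()
    return {ioc for ioc in iocs if ioc in lowered}


def extract_hosts(text):
    """Return the hostname-like tokens found in a path, URL or arbitrary string."""
    return [m.group(1) for m in _HOST_RE.finditer(text)]


def domain_matches(host, ioc):
    """True only if host equals the IOC domain or is a subdomain of it.

    The "." prefix enforces a label boundary: "notexample.com" and
    "example.commercial.file" do not match "example.com".
    """
    host = host.lower().rstrip(".")
    return host == ioc or host.endswith("." + ioc)


def boundary_match(text, iocs=IOC_DOMAINS):
    """Extract host tokens first, then compare each one on label boundaries."""
    hits = set()
    for host in extract_hosts(text):
        for ioc in iocs:
            if domain_matches(host, ioc):
                hits.add(ioc)
    return hits


def compare(samples):
    """For each sample string, report what each strategy would flag."""
    return {s: (naive_match(s), boundary_match(s)) for s in samples}


if __name__ == "__main__":
    for sample, (naive, strict) in compare([
        "example/example.commercial.file",      # the reporter's false positive
        "https://cdn.example.com/a.js",         # genuine subdomain hit
        "notexample.com/x",                     # prefix glued onto the IOC
        "example.com.evil.org",                 # IOC embedded as a prefix
    ]).items():
        print(f"{sample!r}: substring={naive} boundary={strict}")
```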

I could maybe share the IOC with mvt developers, but I can't post it publicly on the Internet, sorry.

besendorf avatar Aug 08 '22 14:08 besendorf

Thanks for reporting. I am aware of this issue, but I need to do some more testing to check whether there are meaningful ways to reduce FPs while maintaining the ability to search for the existence of certain files.

botherder avatar Aug 08 '22 14:08 botherder

This should now be fixed. You can try whether this is solved now by running off of git, if you wish to.

botherder avatar Aug 16 '22 13:08 botherder

> This should now be fixed. You can try whether this is solved now by running off of git, if you wish to.

I just ran a test with the same backup and the version from git. This fixed the issue for me. Thank you very much.

besendorf avatar Aug 16 '22 14:08 besendorf