Add faq (#2032)
* Create faq.md

---------

Co-authored-by: Vasco Schiavo <[email protected]>
mr-tz and VascoSch92 authored Mar 20, 2024
1 parent 0eb4291 commit cbadab8
Showing 2 changed files with 14 additions and 0 deletions.
1 change: 1 addition & 0 deletions CHANGELOG.md
@@ -5,6 +5,7 @@
### New Features

- add function in capa/helpers to load plain and compressed JSON reports #1883 @Rohit1123
- document Antivirus warnings and VirusTotal false positive detections #2028 @RionEV @mr-tz

### Breaking Changes

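Review bot: the changelog entry cites #2028 while the commit title reads "Add faq (#2032)"; confirm which reference is intended (the issue or the PR) so the link resolves to the right discussion. Also, a FAQ page is documentation rather than a feature, so check whether the entry belongs under a heading other than `### New Features`.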
13 changes: 13 additions & 0 deletions doc/faq.md
@@ -0,0 +1,13 @@
# Frequently Asked Questions
## Why does capa trigger my Antivirus? Is the tool safe to use?
The purpose of `capa` is to analyse the capabilities of a potentially malicious application or file. To achieve this, it needs to include portions of the data it is designed to detect as a basis for comparison.
The release version of capa comes with embedded rules designed to detect common malware functionality. These rules possess similar features to malware and may trigger alerts.
Additionally, Antivirus and Endpoint Detection and Response (EDR) products may alert on the way capa is packaged using PyInstaller.

## How can I ensure that capa is a benign program?
We recommend downloading releases only from this repository's Release page. Alternatively, you can build capa yourself or use other Python installation methods. This project is open-source, ensuring transparency for everyone involved.
For additional peace of mind, you can utilize VirusTotal to analyze unknown files against numerous antivirus products, sandboxes, and other analysis tools. It's worth noting that capa itself operates within VirusTotal.

### Understanding VirusTotal output
VirusTotal tests files against a large number of Antivirus engines and sandboxes. There's often little insight into Antivirus detections, but you can further inspect dynamic analysis results produced by sandboxes.
These details can be used to double-check alerts and understand detections.
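Review bot: the answer to "How can I ensure that capa is a benign program?" tells readers to download only from the Release page but gives them no way to confirm that what they downloaded is the released artifact; add a sentence on verifying the download (comparing its checksum against the value published alongside the release, if one is published, or building from source as the next sentence suggests), and name the "other Python installation methods" concretely with a link to the install instructions. The first answer would also read better if it said plainly that these alerts are expected false positives, since that is what the heading asks. Minor style: `analyse` in the first answer vs. `analyze` in the second, and `Antivirus` capitalized mid-sentence in three places while `antivirus products` is lowercase in the second answer; pick one spelling and one casing.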
