-
Notifications
You must be signed in to change notification settings - Fork 565
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add note on potential capa FP detection to documentation #2028
Comments
Seeing as I was the one to raise the concern it's only fair that I at least try to contribute to the issue's suggestion; Insofar as ensuring end-user peace of mind I think it might be worth explaining how a false positive might come about in laypersons' terms, how to verify personally that it is not harmful using an external validation service (such as VirusTotal) and - arguably most important, though admittedly outside of this project's scope - how to actually access VirusTotal's analysis correctly as opposed to just looking at its first page. With the help of your community I've convinced myself beyond reasonable concern that capa is a safe program at this time, based on the information that VT and this issue tracker provides, but a brief boilerplate in the description that summarizes this can sidestep this issue being raised a fourth time. I admit that I don't have much experience actually using github, I'm ultimately a hobbyist, but my attempt for what its worth would read as follows: ----------[start]---------- Why does capa trigger my antivirus? Is it safe?
How can I be certain that capa is behaving correctly?
Understanding the VirusTotal output
The basics of what to look for when analysing and verifying capa as an end-user.
----------[end]---------- I would say that my main goals here are to address the same concerns that led up to me submitting Issue #2025, but I of course welcome any changes that would make this more appropriate for your documentation. Rather than submit it directly to the repository I want to put it up for discussion here first; you all don't need me ruining this much hard work with clumsy additions. It may be valuable to continue the second-to-last section (what to look for) by explaining how each part of the false detection happens if capa does anything peculiar that is picked up that is not part of false-detection of its rulesets, like process virtualisation or somesuch. VT is not exactly kind to capa when analysing it, giving some on-the-face concerning Mitre ATT&CK characteristics like defense evasion and so on. I know that the purpose of this "(somewhat) FAQ (singular)" page is to give a brief crash course on why it's safe to an inexperienced user such as myself, but actually reading how capa works might be a little dense for some. Halfway down the page it's made abundantly clear to a user with cursory experience that it disassembles and analyses control flow, but to someone just getting into the field this might be a novel concept. I mean, for the purposes of this discussion you should probably be inclined to assume I showed up on earth yesterday like some barely-tech-savvy Mr. Bean, but anything has to be better than nothing. Even if the final form of this documentation looks nothing like what's been offered above I'll at least be comfortable knowing I tried to contribute to a program that has very literally protected by own home workstation more than once in ways that other providers have not. |
Wow, great! Thanks for the extensive proposal and consideration! |
Originally posted by @RionEV in #2025 (comment)
The text was updated successfully, but these errors were encountered: