Neo23x0 / signature-base

YARA signature and IOC database for my scanners and tools

gen_anydesk_compromised_cert_feb23 is bullshit in case of older binary #325

Closed lhpitn closed 2 months ago

lhpitn commented 2 months ago

You should refine your rule: signed after the date of the incident, not warn for any AnyDesk that is older than the hack. I use on my systems good old 7.1.12 for exactly that reason, that I don't trust any later versions after that security case, so please refine that binary so that it only applies to stuff signed with this cert after a certain date, to be determined, but mid April 2021 is good.

lhpitn commented 2 months ago

see also https://www.virustotal.com/gui/file/734f3577aa453fe8e89d6f351a382474a5dab97204aff1e194eee4e9fdff0a4a/community

Neo23x0 commented 2 months ago

> so please refine that binary

No.

lhpitn commented 2 months ago

Thanks for looking into it anyway.

lhpitn commented 2 months ago

You're right, I remembered you can fake the sign time by changing the CMOS time and switching off NTP.

lhpitn commented 2 months ago

Maybe whitelist certain SHA-sum PE files?
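
The allowlist-by-hash approach suggested in this comment, written out as an added example rule. This is not a rule from signature-base and it does not reproduce the repository's actual `gen_anydesk_compromised_cert_feb23` condition; the certificate serial and the two SHA256 values are constructed placeholders that stand in for the real certificate and for specific builds a defender has verified out-of-band (for example the reviewer's 7.1.12 installer).

```yara
import "pe"
import "hash"

// Added example (not a signature-base rule): flag PE files carrying a
// signature from a given certificate serial, except for a short list of
// specific builds identified by their SHA256. All values are placeholders.
rule example_cert_serial_match_with_sha256_allowlist
{
    meta:
        description = "Example: certificate-serial match with a SHA256 allowlist instead of a signing-date cut-off"
        author      = "added example, not part of signature-base"
    condition:
        uint16(0) == 0x5a4d and filesize < 200MB and
        // Certificate check: stands in for the real rule's condition.
        for any i in (0 .. pe.number_of_signatures - 1) : (
            pe.signatures[i].serial == "00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00"  // PLACEHOLDER serial
        )
        and not (
            // Allowlist of whole-file hashes verified out-of-band (PLACEHOLDER values).
            hash.sha256(0, filesize) == "0000000000000000000000000000000000000000000000000000000000000000" or
            hash.sha256(0, filesize) == "1111111111111111111111111111111111111111111111111111111111111111"
        )
}
```

The point of the hash allowlist is that each exception is an explicit, auditable value rather than a comparison against a timestamp the signer controls, which is exactly the weakness raised later in this thread. The cost is maintenance: any rebuilt or patched binary has a new hash and must be re-verified and added. The hash check is placed last so the whole-file hash is only computed for files that already matched the certificate condition.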

lhpitn commented 2 months ago

> so please refine that binary

Sorry, I guess I meant "please redefine the binary match rule" or something like that. It's too hot here, my brain feels like it's liquifying...