cuckoosandbox / cuckoo

Cuckoo Sandbox is an automated dynamic malware analysis system
http://www.cuckoosandbox.org

file_type variable is not used for all types of packages in automagical detection #2504

Open reox opened 6 years ago

reox commented 6 years ago
My question is:

the analysis module chooses the analysis package based on some rules, if no package is specified: https://github.com/cuckoosandbox/cuckoo/blob/c41c7c5cb09416b7cfc6159811792679e20762f2/cuckoo/data/analyzer/windows/lib/core/packages.py#L20

But only for certain types is the file_type variable used. The majority of files, for example .jar, are judged only by their file extension.

Is there a reason not to use file_type for the other formats as well? If files are submitted with obscured or no extension, usually the generic profile is chosen, even if the package could have been found by the file_type variable.

Thanks in advance!

My Cuckoo version and operating system are:

2.0.6
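To make the behaviour described in the question concrete, here is an added example (not Cuckoo's own packages.py code) of extension-only selection next to a variant that falls back on the file_type string before giving up and choosing the generic package. The extension and file_type mappings, and the package names other than "generic", are constructed for illustration and only loosely modelled on Cuckoo's analysis packages.

```python
import os

# Constructed mapping of file extensions to analysis package names.
# Illustrative only; not copied from Cuckoo's packages.py.
EXTENSION_PACKAGES = {
    ".exe": "exe",
    ".dll": "dll",
    ".pdf": "pdf",
    ".jar": "jar",
    ".doc": "doc",
}

# Constructed substrings of a libmagic-style file_type description and the
# package each implies. Order matters: libmagic reports a DLL as
# "PE32 executable (DLL) ...", so "DLL" must be tested before "PE32".
FILE_TYPE_PACKAGES = [
    ("DLL", "dll"),
    ("PE32", "exe"),
    ("PDF document", "pdf"),
    ("Java archive data (JAR)", "jar"),
    ("Microsoft Word", "doc"),
]


def package_by_extension(file_name):
    """Extension-only selection, as the issue describes for most formats.
    A sample submitted with a misleading or missing extension lands in
    the generic package even when its contents are recognisable."""
    ext = os.path.splitext(file_name)[1].lower()
    return EXTENSION_PACKAGES.get(ext, "generic")


def package_by_file_type(file_type):
    """Selection from the file_type description alone; None if no rule matches."""
    for needle, package in FILE_TYPE_PACKAGES:
        if needle in file_type:
            return package
    return None


def choose_package(file_name, file_type):
    """Extension first, then the file_type description, then 'generic'."""
    ext_pkg = package_by_extension(file_name)
    if ext_pkg != "generic":
        return ext_pkg
    return package_by_file_type(file_type) or "generic"
```

With a constructed sample named `sample.bin` whose file_type reads `Java archive data (JAR)`, `package_by_extension` returns `generic` while `choose_package` returns `jar`, which is the gap the question points at.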

RicoVZ commented 6 years ago

Hi reox,

Thanks for posting an issue. :smile:

There is no real reason it is not used for some types. Rewriting and improving package selection is something that is on our short term todo list.