ditekshen / detection

Detection in the form of Yara, Snort and ClamAV signatures.

False positive rule: INDICATOR_SUSPICIOUS_EXE_References_CryptoWallets #10

Closed ipetrovic11 closed 1 year ago

ipetrovic11 commented 1 year ago

After scanning our Electron based application on virus total, we got that it's matching this crowdsourced rule: INDICATOR_SUSPICIOUS_EXE_References_CryptoWallets

The issue here is huge since many regular applications like Slack, Figma, etc. are based on Electron as well, so this rule should exclude $app35 = "Electron" nocase ascii wide since it is not the same as the next line ElectrumLTC which actually is Litecoin client: https://electrum-ltc.org/

ditekshen commented 1 year ago

Can you provide a hash or file? Should make life easier to troubleshoot.

ipetrovic11 commented 1 year ago

https://www.virustotal.com/gui/file/0c13da0547c022a3f1e4c3b7568782998ea84ceb079daeb4f450258e5679c4b8

(screenshot attached: Screen Shot 2022-09-27 at 8 42 06 PM)

McAlm commented 1 year ago

I have the same issue with this hash: https://www.virustotal.com/gui/file/3c45b7cd83ea3e3216f7dc6b3d422bdeaf87b70c80ff38ab94a070cd7fc26937 The scanned application is open source based on Electron, too: https://github.com/camunda/camunda-modeler

inikishev commented 1 year ago

I had this with trillium, joplin

Aemony commented 1 year ago

This is also a problem for most apps that interface with or otherwise make use of gaming related platforms, due to the inclusion of gaming platforms for some reason among the ruleset:

        $app26 = "Riot Games\\" nocase ascii wide
        $app28 = "Battle.net\\" nocase ascii wide
        $app29 = "Steam\\" nocase ascii wide
        $app30 = "Valve\\Steam\\" nocase ascii wide

Any application that has functionality related to one of the above gaming platforms matches the rule -- even Valve's own Steam client itself: https://www.virustotal.com/gui/file/73fe99caf7f49a20b6319b1fd0212dd105650bad2dd03101bc28a90edeb14b38

In our case, https://special-k.info/, we provide a game launcher feature that populates installed Steam games and shows when they're running or closed -- which requires reading Steam's local VDF files or registry key as that's where data is stored in...

I am not sure what these patterns are intended for, as they have nothing to do with the stated reason of identifying cryptocurrency mining wallets or apps, as neither Riot Games' launcher, Battle.net, nor Steam is used for either.

GorlikItsMe commented 1 year ago

        $app34 = "DigitalCoin" nocase ascii wide
        $app35 = "Electron" nocase ascii wide
        $app36 = "ElectrumLTC" nocase ascii wide

Why is there Electron? Because of it my electron-based app is flagged.
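The comments above (Aemony's on the gaming-platform strings and GorlikItsMe's on `"Electron"`) both come down to how YARA string modifiers behave: a string declared `nocase ascii wide` fires on the case-insensitive ASCII form or the UTF-16LE form of the text, anywhere in the file, so a framework name or a launcher path is enough to trigger it. The script below is an added illustration, not code from the ditekshen/detection repository or from anyone in this thread. It reimplements those two modifiers in plain Python (so it runs without yara-python), scans three constructed byte buffers that stand in for the strings section of a benign Electron app, a benign Steam-aware tool, and a binary that actually references wallet directories, and compares a hypothetical `any of them` condition against a hypothetical tightened variant that drops the non-wallet strings and requires two hits. The rule's real condition is not quoted in the thread, so both conditions here are assumptions for the example.

```python
import re

# String definitions quoted in this thread, each declared 'nocase ascii wide' in the rule.
RULE_STRINGS = {
    "$app26": "Riot Games\\",
    "$app28": "Battle.net\\",
    "$app29": "Steam\\",
    "$app30": "Valve\\Steam\\",
    "$app34": "DigitalCoin",
    "$app35": "Electron",
    "$app36": "ElectrumLTC",
}

# Assumption for this example: the strings the thread argues name a framework or a gaming
# platform rather than a cryptocurrency wallet, and so belong outside a wallet-reference rule.
UNRELATED = {"$app26", "$app28", "$app29", "$app30", "$app35"}


def nocase_ascii_wide(text: str) -> list:
    """Approximate YARA's 'nocase ascii wide' modifiers with two byte regexes:
    the text as case-insensitive ASCII, and as case-insensitive UTF-16LE
    (every character followed by a NUL byte)."""
    ascii_re = re.compile(re.escape(text.encode("ascii")), re.IGNORECASE)
    wide_parts = []
    for ch in text:
        if ch.isalpha():
            wide_parts.append(b"[" + ch.lower().encode() + ch.upper().encode() + b"]\x00")
        else:
            wide_parts.append(re.escape(ch.encode("ascii")) + b"\x00")
    wide_re = re.compile(b"".join(wide_parts))
    return [ascii_re, wide_re]


def match_strings(buf: bytes, strings: dict = RULE_STRINGS) -> list:
    """Return the identifiers of every rule string present in buf in either encoding."""
    hits = []
    for ident, text in strings.items():
        if any(rx.search(buf) for rx in nocase_ascii_wide(text)):
            hits.append(ident)
    return sorted(hits)


def original_condition(buf: bytes) -> bool:
    """Hypothetical 'any of ($app*)' condition: a single string match fires the rule."""
    return bool(match_strings(buf))


def tightened_condition(buf: bytes) -> bool:
    """Hypothetical hardened variant: ignore framework/platform strings and require
    at least two distinct wallet references before firing."""
    wallet_only = {k: v for k, v in RULE_STRINGS.items() if k not in UNRELATED}
    return len(match_strings(buf, wallet_only)) >= 2


# Constructed sample buffers (not real binaries) standing in for extracted strings.
SAMPLE_ELECTRON_APP = b"MZ\x90\x00 ... Electron/21.0.0 Chrome/106.0 Node/16.17 ..."
SAMPLE_STEAM_TOOL = "SOFTWARE\\Valve\\Steam\\ steamapps\\libraryfolders.vdf".encode("utf-16le")
SAMPLE_WALLET_REF = b"%APPDATA%\\DigitalCoin\\wallet.dat %APPDATA%\\electrumltc\\wallets"

if __name__ == "__main__":
    for name, buf in [("electron app", SAMPLE_ELECTRON_APP),
                      ("steam tool", SAMPLE_STEAM_TOOL),
                      ("wallet reference", SAMPLE_WALLET_REF)]:
        print(f"{name:17s} strings={match_strings(buf)} "
              f"any-of={original_condition(buf)} tightened={tightened_condition(buf)}")
```

Running it shows the Electron app matching only `$app35`, the Steam tool matching `$app29` and `$app30` through the UTF-16 registry path, and both firing under the `any of` condition, while only the wallet-reference buffer survives the tightened condition. The two levers it demonstrates are the ones a rule author has for this class of false positive: remove strings that describe something other than the behaviour the rule claims to detect, and raise the match threshold so that one incidental substring cannot fire the rule on its own.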

ditekshen commented 1 year ago

Rules have been disabled until further review. Thanks.