VirusTotal is flagging an executable we created, due to this rule:
```yara
rule INDICATOR_KB_CERT_033ed5eda065d1b8c91dfcf92a6c9bd8 {
    meta:
        author = "ditekSHen"
        description = "Detects executables signed with stolen, revoked or invalid certificate"
        thumbprint = "c91dcecb3a92a17b063059200b20f5ce251b5a95"
    condition:
        uint16(0) == 0x5a4d and
        for any i in (0..pe.number_of_signatures): (
            pe.signatures[i].subject contains "Python Software Foundation" and
            pe.signatures[i].serial == "03:3e:d5:ed:a0:65:d1:b8:c9:1d:fc:f9:2a:6c:9b:d8"
        )
}
```
There seems to be no indication as to the reason that the PSF certificate 033ed5eda065d1b8c91dfcf92a6c9bd8 is declared to be "stolen, revoked or invalid".... (I also can't find anywhere else reporting it to be such).
Is this detection rule correct?
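
One way to check locally which of the rule's values a given executable's signer matches, and whether Windows reports that certificate as revoked. This is an added example, not part of the original post or of the rule author's repository. It assumes a Windows host with network access for CRL/OCSP lookups; the `-Path` parameter and the `ConvertTo-PlainHex` helper are hypothetical names, and the three rule values are copied from the rule quoted above.

```powershell
# Added example. Compares a file's Authenticode signer with the values in the
# quoted YARA rule and asks Windows for the certificate's revocation status.
param(
    [Parameter(Mandatory)][string]$Path   # PE file to inspect (supplied by the caller)
)

# Values copied from the rule quoted above.
$RuleSerial     = '03:3e:d5:ed:a0:65:d1:b8:c9:1d:fc:f9:2a:6c:9b:d8'
$RuleThumbprint = 'c91dcecb3a92a17b063059200b20f5ce251b5a95'   # meta only, not in the condition
$RuleSubject    = 'Python Software Foundation'

# YARA prints serials as lower-case, colon-separated hex; .NET prints upper-case
# hex with no separators. Normalise both forms before comparing.
function ConvertTo-PlainHex([string]$Value) {
    ($Value -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
}

# Get-AuthenticodeSignature reports the primary signature only; the rule loops
# over every signature in the file.
$sig  = Get-AuthenticodeSignature -LiteralPath $Path
$cert = $sig.SignerCertificate
if (-not $cert) {
    Write-Output "No Authenticode signer found (status: $($sig.Status))"
    return
}

# Build the chain with online revocation checking so CRL/OCSP results are included.
# The chain is evaluated at the current time, so an expired certificate shows
# NotTimeValid here; that is a different finding from Revoked.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
$chainOk     = $chain.Build($cert)
$chainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '

[pscustomobject]@{
    AuthenticodeStatus = $sig.Status
    Subject            = $cert.Subject
    Serial             = $cert.SerialNumber
    Thumbprint         = $cert.Thumbprint
    NotAfter           = $cert.NotAfter
    SubjectMatchesRule = $cert.Subject -clike "*$RuleSubject*"   # YARA 'contains' is case-sensitive
    SerialMatchesRule  = (ConvertTo-PlainHex $cert.SerialNumber) -eq (ConvertTo-PlainHex $RuleSerial)
    ThumbMatchesRule   = (ConvertTo-PlainHex $cert.Thumbprint) -eq (ConvertTo-PlainHex $RuleThumbprint)
    ChainBuilds        = $chainOk
    ReportedRevoked    = $chainStatus -match 'Revoked'
    ChainStatus        = $chainStatus
}
```

The rule's condition tests only the subject and serial, so `SubjectMatchesRule` and `SerialMatchesRule` both being true is what reproduces the hit; `ReportedRevoked` and `ChainStatus` show what the local trust store and the issuing CA say about the certificate.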