dod-cyber-crime-center / DC3-MWCP

DC3 Malware Configuration Parser (DC3-MWCP) is a framework for parsing configuration information from malware. The information extracted from malware includes items such as addresses, passwords, filenames, and mutex names.

poshdeob.py detected as malicious (VirusTotal) #32

Closed foxalfabravo closed 2 years ago

foxalfabravo commented 2 years ago

On VT today, Kaspersky: HEUR:Trojan.PowerShell.Generic; Bkav Pro: ASP.Webshell. https://www.virustotal.com/gui/file/c044aa7e5851f152a734265e00677bd667dca5cad37a80335c4433d92b74b17b

dc3-tsd commented 2 years ago

Thank you for letting us know about this. The Kaspersky finding is a false positive associated with examples within docstrings, so we are going to see if there is a clean way to resolve this without making the internal documentation worse. Bkav Pro is a false positive based on a list of lookup terms that can't be changed.

dc3-tsd commented 2 years ago

The 3.5.0 release has resolved the finding from Kaspersky, but the false positive is still present from Bkav Pro. This issue is being closed as making a change to address the false positive would reduce MWCP's functionality.