exponential-decay / skeleton-test-suite-generator

DROID Skeleton Test Suite Generator (skeleton-test-suite-generator): Tool for the automated generation of digital objects based on the digital signatures documented in the PRONOM database maintained by The National Archives, UK. The skeleton-test-suite-generator serves to fill the gap that exists whereby the community requires a corpus of digital objects for the validation and evaluation of format identification tools and techniques. The tool should be used to complement a methodology whereby skeleton files are also generated manually by signature developers. The tool takes a signature specified for a digital object in PRONOM and constructs a digital object that will match its footprint. For more information, see the README.md associated with the project...
zlib License

Anti-virus false positives - MPEG Elementary Streams #12

Open Dclipsham opened 4 years ago

Dclipsham commented 4 years ago

Rather oddly, fmt/640 and fmt/649 skeleton files are both getting picked up as 'trojans' by McAfee as https://nvd.nist.gov/vuln/detail/CVE-2011-4259. These are MPEG-2 Elementary Stream and MPEG-1 Elementary Stream respectively. Signatures are `000001B3{8-256}000001B5{6-256}000001B8` and `000001B3{8}000001B8`.

Not sure what to do about it, but it was causing issues with local DROID builds so we're currently having to exclude them from our tests. I've yet to tinker with skeleton files to find a byte pattern McAfee will ignore but will update if I get the chance.

cc @sparkhi @jcharlet

ross-spencer commented 4 years ago

Thanks David. Yeah, I've observed something like this in the past. This is a useful ticket to have to inform others.

There's not a whole lot to tweak there! But I hope your investigation goes well. The {m-n} and {n} matching are configurable in Skeleton Suite currently. I think I output zeroes for clarity at the moment, but have a random byte mode in there too, I think (and/or custom filler byte).
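An added example, not code from this thread or from skeleton-test-suite-generator: a small Python sketch that expands the two signatures quoted above into the bytes a skeleton file would contain and checks the result against the signature it came from. The function names, the offset-0 anchoring, the use of the minimum gap length and the handling of only hex literals plus `{n}` / `{m-n}` are assumptions made for illustration.

```python
import re

# Signatures quoted in the issue (subset of PRONOM byte-sequence syntax).
FMT_640 = "000001B3{8-256}000001B5{6-256}000001B8"  # MPEG-2 Elementary Stream
FMT_649 = "000001B3{8}000001B8"                      # MPEG-1 Elementary Stream

TOKEN = re.compile(r"\{(\d+)(?:-(\d+))?\}|((?:[0-9A-Fa-f]{2})+)")

def parse(signature):
    """Split into ('bytes', literal) and ('gap', min_len, max_len) parts."""
    parts, pos = [], 0
    for m in TOKEN.finditer(signature):
        if m.start() != pos:
            break  # unparsed text between tokens
        pos = m.end()
        if m.group(3):
            parts.append(("bytes", bytes.fromhex(m.group(3))))
        else:
            lo = int(m.group(1))
            hi = int(m.group(2)) if m.group(2) else lo
            if hi < lo:
                raise ValueError(f"bad gap range in {signature!r}")
            parts.append(("gap", lo, hi))
    if pos != len(signature):
        raise ValueError(f"unsupported syntax at offset {pos} in {signature!r}")
    return parts

def build_skeleton(signature, filler=0x00):
    """Shortest byte string matching the signature; gaps hold `filler`."""
    out = bytearray()
    for part in parse(signature):
        out += part[1] if part[0] == "bytes" else bytes([filler]) * part[1]
    return bytes(out)

def matches(signature, data):
    """True if `data` matches the signature anchored at offset 0 (assumed)."""
    pattern = b""
    for part in parse(signature):
        if part[0] == "bytes":
            pattern += re.escape(part[1])
        else:
            pattern += b".{%d,%d}" % (part[1], part[2])
    return re.match(pattern, data, re.DOTALL) is not None

if __name__ == "__main__":
    for name, sig in (("fmt/640", FMT_640), ("fmt/649", FMT_649)):
        skeleton = build_skeleton(sig)
        print(name, len(skeleton), skeleton.hex(), matches(sig, skeleton))
```

With zero filler the fmt/649 skeleton is 16 bytes and the fmt/640 skeleton is 26 bytes, almost all of them fixed by the signature itself, which is why there is so little to tweak.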