kevoreilly / CAPEv2

Malware Configuration And Payload Extraction
https://capesandbox.com/analysis/

Getting false positives in signatures #2223

Closed MU-03 closed 3 months ago

MU-03 commented 3 months ago

About accounts on capesandbox.com

This is open source and you are getting free support so be friendly!

Prerequisites

Please answer the following questions for yourself before submitting an issue.

Expected Behavior

Getting low/appropriate signatures for legit files

Current Behavior

Getting a malscore of 10 for every file I'm analyzing, including the legitimate/safe ones, with signatures that shouldn't be there as the file is not malware. It's happening with every file type, including xls, word, exe etc.

Failure Information (for bugs)

Please help provide information about the failure if this is a bug. If it is not a bug, please remove the rest of this template.

Steps to Reproduce

Please provide detailed steps for reproducing the issue.

  1. Submit a safe file
  2. Observe the signatures

Context

Please provide any relevant information about your setup. This is important in case the issue is not reproducible except for under certain conditions. Operating system version, bitness, installed software versions, test sample details/hash/binary (if applicable).

| Question | Answer |
|---|---|
| Git commit | Type `git log \| head -n1` to find out |
| OS version | Ubuntu 22.04 |

Failure Logs

Please include any relevant log snippets or files here.

doomedraven commented 3 months ago

CAPE is made to analyze malware. If you see an FP signature you are welcome to fix those, they are in the community repo, but if a legit binary does something that malware does too, we can't do anything.

kevoreilly commented 3 months ago

malscore is not enabled by default in CAPE - for good reason.

kevoreilly commented 3 months ago

Also, like doomed says, the level of detail in this issue is ridiculous. Not even an example!

MU-03 commented 3 months ago

1. For example, this signature appears in every single file analyzed; after a bit of digging it appears to come from Suricata.

doomedraven commented 3 months ago

Well, we can't control it.

doomedraven commented 3 months ago

So I have found literally nothing by googling "udp scan by nmap terdeteksi!". I never saw this signature (nmap) in my sandbox. I have a feeling that you have a bad Windows configuration. But once again, the quality of details in the issue is bad. Instead of this, or as an extra, you could go to the Network tab, then Suricata, where you have all the details about that match, so we could see what generates that match. But quality of issue details == quality of response.