Commit 5eedaaa

Address PR comments
Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>
1 parent cfc3b6b commit 5eedaaa

File tree

1 file changed

+7
-19
lines changed

README.md

Lines changed: 7 additions & 19 deletions
@@ -37,25 +37,13 @@ malcontent is at its best analyzing programs that run on Linux. Still, it also p
3737

3838
## ⚠️ Malware Disclaimer ⚠️
3939

40-
Due to how malcontent operates, other malware scanners can detect malcontent as malicious. As a general rule of thumb, programs that leverage Yara rules will match other programs that use the same rules due to their strings looking for problematic behaviors.
41-
42-
While not exhaustive, here's an example list of how other scanners see malcontent (based on [this](https://www.virustotal.com/gui/file/b6f90aa5b9e7f3a5729a82f3ea35f96439691e150e0558c577a8541d3a187ba4/detection) VirusTotal scan:
43-
- Avast: `MacOS:Joker-B [Trj]`
44-
- AVG: `MacOS:Joker-B [Trj]`
45-
- Avira (no cloud): `OSX/GM.Joker.DS`
46-
- ClamAV: `Legacy.Trojan.Agent-37025`
47-
- Cynet: `Malicious (score: 99)`
48-
- Google: `Detected`
49-
- Kaspersky: `HEUR:Trojan-PSW.OSX.Amos.n`
50-
- MaxSecure: `Trojan.Malware.121218.susgen`
51-
- Rising: `Backdoor.JokerSpy/OSX!1.E753 (CLASSIC)`
52-
- Sangfor `Engine Zero: HackTool.Win32.Template_Py_v3_3_to_v4_x.uwccg`
53-
- SentinelOne (Static ML): `Static AI - Malicious Mach-O`
54-
- WithSecure: `Malware.OSX/GM.Joker.DS`
55-
56-
Elastic's Agent has also historically detected malcontent because of this: https://github.com/chainguard-dev/malcontent/issues/78
57-
58-
While not a permanent solution, running malcontent with `--third-party=false` can reduce these false positives. Writing more targeted rules can also help.
40+
Due to how malcontent operates, other malware scanners can detect malcontent as malicious.
41+
42+
Programs that leverage Yara rules will often see other programs that also use Yara rules as malicious due to the strings looking for problematic behavior(s).
43+
44+
For example, Elastic's agent has historically detected malcontent because of this: https://github.com/chainguard-dev/malcontent/issues/78*
45+
46+
> \*Additional scanner findings can be seen in [this](https://www.virustotal.com/gui/file/b6f90aa5b9e7f3a5729a82f3ea35f96439691e150e0558c577a8541d3a187ba4/detection) VirusTotal scan.
5947
6048
## Features
6149
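Review bot: the footnote marker on the new line 44 is fused to the bare URL (`issues/78*`), so markdown autolinking will fold the `*` into the link target and the reference in the blockquote on line 46 loses its anchor; wrap the link explicitly and escape the marker, e.g. `[malcontent#78](https://github.com/chainguard-dev/malcontent/issues/78)\*`, matching the `\*` already used on line 46. The rewrite also drops the only actionable mitigation from the old line 58 (running with `--third-party=false` to reduce false positives, and writing more targeted rules); consider keeping that sentence after the example, since a reader who hits this disclaimer most likely wants to know what to do about it. Minor: "behavior(s)" on line 42 reads awkwardly; "problematic behavior" covers both cases.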
