According to signature 3136.3, the regular expression that looks for Netsky.p is
When this is translated to ASCII it is
Is there an internet reference for the use of this string to capture Netsky.p?
How can I trust that the signature events are not false positive?
I'm afraid I'm not aware of any internet reference for the use of this string.
Our "virus signatures" such as this one are based on virus sample we receive from our partner Trend Micro.
If you feel this signature could trigger false positive, please provide some additional details.
Keep in mind that we are evaluating the binary network data, so a binary string is not unreasonable. I don't think you should expect to be able to "parse" the string in every case.
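As an added illustration of the point in the reply above (example code written for this page, not code from the vendor, the signature database, or either poster): the snippet below takes a regex written in the `\xNN` byte notation, renders the printable bytes as ASCII the way the original question did, and then runs the pattern over raw payload bytes. The pattern and the two payloads are constructed and hypothetical; the real 3136.3 expression is not reproduced on this page, so the byte values here stand in for "some binary string with a wildcard gap" and nothing more.

```python
import re

# Regex metacharacters that must stay escaped when a byte is rendered as text,
# otherwise the "readable" form would no longer match the same bytes.
REGEX_META = set(".^$*+?{}[]\\|()")

# Constructed, hypothetical pattern in the \xNN notation a signature uses for
# raw bytes. It is NOT the real signature 3136.3 regex (the page does not
# reproduce it); it only stands in for "a binary string with a wildcard gap".
HYPOTHETICAL_PATTERN = rb"\x41\x42\x43\x00\x01.{1,4}\x7f\x45\x4c\x46"

# Constructed sample payloads: one carrying the pattern, one benign HTTP request.
SAMPLE_HIT = b"\x00\x00ABC\x00\x01\xde\xad\x7fELF\x02\x01"
SAMPLE_BENIGN = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"


def hex_escapes_to_ascii(pattern: bytes) -> bytes:
    """Render printable, non-metacharacter hex escapes as literal characters.

    This is the "translated to ASCII" form that is handy in a write-up.
    Non-printable bytes and regex metacharacters keep their escape, so the
    output is still a regex that matches exactly the same bytes as the input.
    """
    def repl(m: re.Match) -> bytes:
        value = int(m.group(1), 16)          # int() accepts the bytes digits
        char = chr(value)
        if 0x21 <= value <= 0x7E and char not in REGEX_META:
            return char.encode("ascii")
        return m.group(0)
    return re.sub(rb"\\x([0-9a-fA-F]{2})", repl, pattern)


def fixed_byte_count(pattern: bytes) -> int:
    """Count the bytes the pattern pins to an exact value (its hex escapes).

    Call this on the escaped form, not the ASCII-rendered one. Wildcards such
    as .{1,4} are not counted. On random data each fixed byte contributes a
    factor of 1/256 to the chance of a match at a given offset, so this is the
    quantity that makes a long binary string unlikely to fire by accident.
    """
    return len(re.findall(rb"\\x[0-9a-fA-F]{2}", pattern))


def scan_payload(pattern: bytes, payload: bytes):
    """Run the pattern over raw bytes, as an IPS would over reassembled traffic.

    The pattern is compiled as a *bytes* regex with DOTALL so '.' can match any
    byte value, including newlines and NULs. Returns (offset, matched_bytes)
    for the first hit, or None when the payload does not contain the string.
    """
    m = re.search(pattern, payload, re.DOTALL)
    return (m.start(), m.group(0)) if m else None


if __name__ == "__main__":
    print("readable form :", hex_escapes_to_ascii(HYPOTHETICAL_PATTERN))
    print("fixed bytes   :", fixed_byte_count(HYPOTHETICAL_PATTERN))
    print("sample hit    :", scan_payload(HYPOTHETICAL_PATTERN, SAMPLE_HIT))
    print("benign request:", scan_payload(HYPOTHETICAL_PATTERN, SAMPLE_BENIGN))
```

The ASCII rendering is purely cosmetic: the engine sees bytes, and bytes such as `\x00` or `\x7f` have no printable form, which is why the translated string will not always "parse" as text. The number of fixed bytes gives a rough lower bound on how unlikely a chance match is on random data; real traffic is not random, so the practical false-positive question is whether that exact byte sequence can appear in legitimate protocol data, and that is something only a sample of the triggering traffic can settle.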
Thank you for your reply,
I know that we are evaluating binary data but I was perhaps just looking for some substantial evidence that would enhance my evaluation of the signature.
When writing about an attack, one of the sections normally requires that you explain the signature. Motivating more stringent security checking in our products and solutions with regard to network security is often a difficult task. This task is made easier with proper explanations of how these checks are made, and I was wondering about the choice of regular expression in this signature.
What makes or excludes the signature from triggering falsely?
Why that choice of string to look for in the network data?