Skip to content

chore: reduce FPs in decode-and-execute by removing file write and network connection sinks #1237

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Nov 18, 2025
Merged

chore: reduce FPs in decode-and-execute by removing file write and network connection sinks #1237

merged 1 commit into from
Nov 18, 2025

Conversation

@art1f1c3R
Copy link
Member

@art1f1c3R art1f1c3R commented Nov 17, 2025
edited
Loading

Summary

Many false positives were being observed from decoded base64 data flowing through to file writes and network connections, both sinks in the obfuscation_decode-and-execute rule. This PR removes these sinks and finds little-to-no detection capability is lost and false positives are reduced.

Description of changes

File writes and network connection sinks are removed from obfuscation_decode-and-execute, and the tests are updated accordingly. This change was run on a set of malicious and trusted packages, and in comparison found 0 detections (0 false positives) for trusted packages, and only 2 less detections on the malicious packages.

Checklist

  • I have reviewed the contribution guide.
  • My PR title and commits follow the Conventional Commits convention.
  • My commits include the "Signed-off-by" line.
  • I have signed my commits following the instructions provided by GitHub. Note that we run GitHub's commit verification tool to check the commit signatures. A green verified label should appear next to all of your commits on GitHub.
  • I have updated the relevant documentation, if applicable.
  • I have tested my changes and verified they work as expected.

@art1f1c3R art1f1c3R requested a review from behnazh-w as a code owner November 17, 2025 06:02
@oracle-contributor-agreement oracle-contributor-agreement bot added the OCA Verified All contributors have signed the Oracle Contributor Agreement. label Nov 17, 2025
@art1f1c3R art1f1c3R self-assigned this Nov 17, 2025
@art1f1c3R
chore: reduce FPs in decode-and-execute by removing file write and ne…
73c5d36 
…twork connection sinks

Signed-off-by: Carl Flottmann <carl.flottmann@oracle.com>
@art1f1c3R art1f1c3R force-pushed the art1f1c3R/decode-and-execute-fps branch from 5b1b9f0 to 73c5d36 Compare November 17, 2025 23:16
@art1f1c3R art1f1c3R merged commit b7caca8 into main Nov 18, 2025
9 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@behnazh-w behnazh-w behnazh-w approved these changes

Assignees

@art1f1c3R art1f1c3R

Labels

OCA Verified All contributors have signed the Oracle Contributor Agreement.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@art1f1c3R @behnazh-w