False positive #728
Comments
|
Hello, First of all, it is safe to assume that there will be a lot of false positive when you're using pandora. The reason is that the primary use-case for the end-user is to see the content of the file and then (most of the time) move on with their life once they saw what's in there. There will also be a lot of false negative, the first one that comes in mind if you submit a phishing email, pandora cannot tell, but an end user will be able to see the attachments and take an educated decision on the next steps without having to open them on their computer. To get back to your case, if someone got that file, sent it to pandora, and saw it is a text file containing |
|
Hello Rafiot, Thanks for these details and your quick answer. "We also cannot just consider as safe any text file, because depending on the extension of the file, and the environment of the submitter, it may be open in a specific tool and trigger a script for example" The size of the file and signature are not taken into account for a deeper analysis? Including a payload into a txt file means more data, it impacts the size. |
|
Then we start to go into the weeds on what is safe and what isn't without having much of the context we're in. The size isn't a reliable indicator (besides empty file): you can have something malicious in very few characters. And then, when the hash of a file is considered malicious by 3rd parties, we'd need to manually maintain allow lists (it is possible, but the lists need to be maintained by the administrator, not by the project itself). |
|
Ok, I see. Thanks ;) |
Hello,
I've seen a false positive when I upload a txt file newly created with just "test" inside, it's flagged as malicious. Didn't happen with another string like "tarte* or something else.
The text was updated successfully, but these errors were encountered: