
Error and Skip Handling in Heuristic Malware Analysis #1052


art1f1c3R opened this issue Apr 14, 2025 · 0 comments
Labels
enhancement Enhancement of a feature malware analysis The issues related to malware analysis

Comments

@art1f1c3R (Member)

The use of the SKIP result for heuristics is not clear. It is used in some places for when errors occur, and for some places where the heuristic does not apply. Separating the SKIP result from error handling will make results clearer.

Proposed definition of a SKIP result: a heuristic should return HeuristicResult.SKIP when this heuristic analysis is not applicable to the package. An example would be when the SUSPICIOUS_SETUP heuristic is run on a package with no setup.py file. In this case, SKIP is an appropriate result as this heuristic is not applicable to the package, but the package information is not malformed.

Identified appropriate and inappropriate uses of the SKIP result currently in the codebase are listed below:
Appropriate uses:

  • anomalous_version.py: returns a SKIP if the version cannot be interpreted as per PEP 440. This is fine as the package is not malformed; the heuristic simply does not apply here.
  • suspicious_setup.py: returns a SKIP if there is no setup.py, which is appropriate as the heuristic does not apply in this case. This does need to be refactored to error when setup.py is found, but there is a problem trying to analyse it.

Inappropriate uses:

  • closer_release_join_date.py: SKIP is returned if there are no maintainers or no latest release information. This would be a result of a malformed metadata file, or a problem in parsing the HTML page, and is thus an error. Release and maintainer information must exist.
  • high_release_frequency.py: SKIP is returned if there are no releases or if there is only one release. If there are no releases, then this is malformed metadata. If there is 1 release, then this heuristic should not have been run. These both constitute errors.
  • one_release.py: SKIP is returned if there are no releases. If there are no releases, then this is malformed metadata, implying an error has occurred.
  • unchanged_release.py: SKIP is returned if there are no digests. This would occur if there are no releases, or if there are no digest fields in the releases. In both cases, this would be malformed metadata, so an error has occurred.
@art1f1c3R art1f1c3R added enhancement Enhancement of a feature malware analysis The issues related to malware analysis labels Apr 14, 2025
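The separation proposed in this issue, as an added example that is not the project's own code: SKIP is returned only when a heuristic does not apply to a well-formed package, a dedicated exception is raised when the metadata the heuristic depends on is missing or unparsable, and the runner records the two outcomes differently so an analyst can tell "nothing to check" apart from "could not check". The HeuristicResult enum shape, the MalformedMetadataError exception, the metadata layout, the release-rate threshold and the flagged-import list are all assumptions constructed for this example.

```python
"""Keep 'not applicable' (SKIP) separate from 'malformed input' (error) in package heuristics."""
from __future__ import annotations

import ast
from datetime import datetime
from enum import Enum
from typing import Any, Callable


class HeuristicResult(Enum):
    """Outcome of one heuristic (assumed shape, constructed for this example)."""
    PASS = "PASS"
    FAIL = "FAIL"
    SKIP = "SKIP"  # heuristic does not apply to this package; the input itself is fine


class MalformedMetadataError(ValueError):
    """Hypothetical exception: metadata a heuristic relies on is absent or unparsable."""


def one_release(metadata: dict[str, Any]) -> HeuristicResult:
    """FAIL when the package has exactly one release. Missing releases is an error, not a SKIP."""
    releases = metadata.get("releases")
    if not isinstance(releases, dict) or not releases:
        raise MalformedMetadataError("metadata has no 'releases' mapping")
    return HeuristicResult.FAIL if len(releases) == 1 else HeuristicResult.PASS


def high_release_frequency(metadata: dict[str, Any], max_per_day: float = 2.0) -> HeuristicResult:
    """FAIL when releases arrive faster than max_per_day (constructed threshold).

    Fewer than two releases means the caller should not have run this heuristic at all,
    so that is reported as an error rather than silently skipped.
    """
    releases = metadata.get("releases")
    if not isinstance(releases, dict) or len(releases) < 2:
        raise MalformedMetadataError("high_release_frequency needs at least two releases")
    times = []
    for version, files in releases.items():
        if not files or "upload_time" not in files[0]:
            raise MalformedMetadataError(f"release {version} has no upload_time")
        times.append(datetime.fromisoformat(files[0]["upload_time"]))
    span_days = (max(times) - min(times)).total_seconds() / 86400
    span_days = max(span_days, 1 / 86400)  # floor of one second so identical timestamps do not divide by zero
    return HeuristicResult.FAIL if len(times) / span_days > max_per_day else HeuristicResult.PASS


FLAGGED_IMPORTS = ("socket", "subprocess", "urllib", "requests")  # constructed list for the example


def suspicious_setup(sdist_files: dict[str, str | None]) -> HeuristicResult:
    """SKIP when there is no setup.py; error when it exists but cannot be read or parsed."""
    if "setup.py" not in sdist_files:
        return HeuristicResult.SKIP  # nothing to analyse, and the package is not malformed
    source = sdist_files["setup.py"]
    if source is None:
        raise MalformedMetadataError("setup.py is present but its contents could not be read")
    try:
        tree = ast.parse(source)
    except SyntaxError as exc:
        raise MalformedMetadataError(f"setup.py is not parsable: {exc}") from exc
    for node in ast.walk(tree):
        names: list[str] = []
        if isinstance(node, ast.Import):
            names = [alias.name for alias in node.names]
        elif isinstance(node, ast.ImportFrom) and node.module:
            names = [node.module]
        if any(name.split(".")[0] in FLAGGED_IMPORTS for name in names):
            return HeuristicResult.FAIL
    return HeuristicResult.PASS


def run_heuristics(metadata: dict[str, Any], sdist_files: dict[str, str | None]) -> dict[str, str]:
    """Run the heuristics and record SKIP and ERROR as distinct outcomes per heuristic."""
    outcomes: dict[str, str] = {}

    def run(name: str, fn: Callable[..., HeuristicResult], *args: Any) -> None:
        try:
            outcomes[name] = fn(*args).value
        except MalformedMetadataError as exc:
            outcomes[name] = f"ERROR: {exc}"

    run("one_release", one_release, metadata)
    run("suspicious_setup", suspicious_setup, sdist_files)
    # high_release_frequency is only meaningful when one_release saw two or more releases
    if outcomes["one_release"] == HeuristicResult.PASS.value:
        run("high_release_frequency", high_release_frequency, metadata)
    return outcomes


# Constructed sample inputs (not real packages).
MALFORMED = {"info": {"name": "pkg"}}  # no 'releases' key at all
SINGLE = {"releases": {"1.0": [{"upload_time": "2025-04-10T00:00:00"}]}}
BURST = {"releases": {
    "1.0": [{"upload_time": "2025-04-10T00:00:00"}],
    "1.1": [{"upload_time": "2025-04-10T06:00:00"}],
    "1.2": [{"upload_time": "2025-04-10T12:00:00"}],
}}
FILES_NO_SETUP: dict[str, str | None] = {"pyproject.toml": "[project]\nname = 'pkg'\n"}
FILES_FLAGGED: dict[str, str | None] = {"setup.py": "import socket\nfrom setuptools import setup\nsetup(name='pkg')\n"}

if __name__ == "__main__":
    print(run_heuristics(MALFORMED, FILES_NO_SETUP))
    print(run_heuristics(BURST, FILES_FLAGGED))
```

With the malformed sample, one_release reports an ERROR (and high_release_frequency is not run at all), while suspicious_setup reports SKIP because no setup.py exists; a reviewer reading the report sees immediately which heuristics were inapplicable and which could not be evaluated. The same runner on the three-releases-in-twelve-hours sample yields PASS for one_release and FAIL for both suspicious_setup and high_release_frequency.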