From cbadab85219a3b4cf5a950d70df95b559baf9e62 Mon Sep 17 00:00:00 2001 From: Moritz Date: Wed, 20 Mar 2024 14:59:02 +0100 Subject: [PATCH] Add faq (#2032) * Create faq.md --------- Co-authored-by: Vasco Schiavo <115561717+VascoSch92@users.noreply.github.com> --- CHANGELOG.md | 1 + doc/faq.md | 13 +++++++++++++ 2 files changed, 14 insertions(+) create mode 100644 doc/faq.md diff --git a/CHANGELOG.md b/CHANGELOG.md index 9729e9b0..3c25aaf1 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -5,6 +5,7 @@ ### New Features - add function in capa/helpers to load plain and compressed JSON reports #1883 @Rohit1123 +- document Antivirus warnings and VirusTotal false positive detections #2028 @RionEV @mr-tz ### Breaking Changes diff --git a/doc/faq.md b/doc/faq.md new file mode 100644 index 00000000..5ce131ae --- /dev/null +++ b/doc/faq.md 
@@ -0,0 +1,13 @@ +# Frequently Asked Questions +## Why does capa trigger my Antivirus? Is the tool safe to use? +The purpose of `capa` is to analyse the capabilities of a potentially malicious application or file. To achieve this, it needs to include portions of the data it is designed to detect as a basis for comparison. +The release version of capa comes with embedded rules designed to detect common malware functionality. These rules possess similar features to malware and may trigger alerts. +Additionally, Antivirus and Endpoint Detection and Response (EDR) products may alert on the way capa is packaged using PyInstaller. + +## How can I ensure that capa is a benign program? +We recommend downloading releases only from this repository's Release page. Alternatively, you can build capa yourself or use other Python installation methods. This project is open-source, ensuring transparency for everyone involved. +For additional peace of mind, you can utilize VirusTotal to analyze unknown files against numerous antivirus products, sandboxes, and other analysis tools. It's worth noting that capa itself operates within VirusTotal. + +### Understanding VirusTotal output +VirusTotal tests files against a large number of Antivirus engines and sandboxes. There's often little insight into Antivirus detections, but you can further inspect dynamic analysis results produced by sandboxes. +These details can be used to double-check alerts and understand detections.
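Review bot: In the CHANGELOG hunk the new entry sits under "### New Features" although the change only adds documentation (doc/faq.md) and describes no code change; consider moving it to a documentation-oriented section if the changelog has one, or at least making the entry point readers at the new file, e.g. "- document Antivirus warnings and VirusTotal false positive detections in doc/faq.md #2028 @RionEV @mr-tz". Note also that the entry cites #2028 while this patch is #2032 (per the Subject line); if #2028 is the originating issue that is fine, but a reader comparing the two numbers will wonder, so a short "(closes #2028)" style wording would remove the ambiguity.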
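Review bot: In the doc/faq.md hunk, the "How can I ensure that capa is a benign program?" section tells users to download only from "this repository's Release page" but gives them no way to confirm that what they downloaded is what was released; it should link the Release page directly and, if the project publishes checksums or signatures for release artifacts, tell the reader to compare them before running the binary, since an unverified download is exactly the case an antivirus alert is meant to catch. The sentence "It's worth noting that capa itself operates within VirusTotal." is ambiguous: say explicitly what is meant (for example that VirusTotal runs capa on submitted samples), otherwise it reads as if capa's binary is being vouched for by VirusTotal. Minor: "analyse" in the first section is British spelling while the rest of the file uses American spelling ("analyze", "utilize"); pick one. The "### Understanding VirusTotal output" subsection ends without a trailing blank line or pointer back to the first question; a closing sentence noting that embedded rules and PyInstaller packaging (already explained above) are the expected causes of such alerts would tie the two sections together.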