
Create exceptions for certain applications #135

Open
migmam opened this issue Nov 23, 2023 · 1 comment

Comments


migmam commented Nov 23, 2023

With Raccine installed, when I launch "Omen Gaming Hub" there is a false positive with the following content:

Yara matches:
Rule file: C:\Program Files\Raccine\yara\gen_ransomware_command_lines.yar
YARA Output: ransomware_command_lines C:\Users\User1\AppData\Local\Temp\RaccineUserContext\Rac1971.tmp

Raccine Context:
ChildName="powershell.exe"
ChildExecutablePath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
ChildCommandLine="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -Version 5.1 -s -NoLogo -NoProfile"
ChildTimeSinceExeCreation=778
ChildPid=9660
ParentName="OmenCommandCenterBackground.exe"
ParentExecutablePath="C:\Program Files\WindowsApps\AD2F1837.OMENCommandCenter_1101.2311.2.0_x64__v10z8vjag6ke6\OmenCommandCenterApp\OmenCommandCenterBackground.exe"
ParentCommandLine="'C:\Program Files\WindowsApps\AD2F1837.OMENCommandCenter_1101.2311.2.0_x64__v10z8vjag6ke6\OmenCommandCenterApp\OmenCommandCenterBackground.exe'"
ParentTimeSinceExeCreation=0
ParentPid=7572
GrandParentName="(unavailable)"
GrandParentExecutablePath=""
GrandParentCommandLine=""
GrandParentTimeSinceExeCreation=0
GrandParentPid=8420

Is there any way to create an exception in the gen_ransomware_command_lines.yar to allow the execution of that application?


Permanently commented Feb 16, 2024

Having the same issue with Heroic Launcher, where the following happens:

16/02/2024 12:49:31
Raccine detected malicious activity:
powershell Start-Process "`"C:\Users\User\AppData\Local\Programs\heroic\resources\app.asar.unpacked\build\bin\win32\legendary`"" -Wait -ArgumentList "`"--version`"" -NoNewWindow 

Yara matches:
Rule file: C:\Program Files\Raccine\yara\gen_ransomware_command_lines.yar
YARA Output: ransomware_command_lines C:\Users\User\AppData\Local\Temp\RaccineUserContext\RacB843.tmp

We need to have some kind of documentation that describes how to put down exemptions. Otherwise, it's one or the other, really. There's the workaround for issue #131, where commit 3b05c1e was put on, but doing that for every program triggering FPs seems impractical.

Edit: Temporary workaround for now is to go to C:\Program Files\Raccine\yara, find the matching .yar file to the false positive, and whack in the false positive paths. In my case:

        $fp2a = "ParentName=\"legendary.exe\""
        $fp2b = "ParentExecutablePath=\"C:\\Users\\"

        ...[at the end of "condition:"]...

        and not all of ($fp*)

This isn't practical either, but like I said, it's a workaround. They're not supposed to be practical. Hopefully a proper fix is put in soon, given that false positives have happened multiple times (albeit, rarely).

Edit: it's starting to interfere with some games I have now, not even including Heroic Launcher which I mentioned above. This is getting ridiculous now. We need an exclusion mechanism in place, or at least a way to disable Raccine for a specific amount of time. Like, "turn off for X minutes/hours", or "disable until I turn it back on".

Edit 2: One thing I forgot to mention is that disabling Raccine's rule update task in Task Scheduler means you won't have to keep updating the files again and again.
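As an added example (not Raccine's own gen_ransomware_command_lines.yar, whose detection strings are not shown on this page), this is how the exclusion pattern from the workaround above can be laid out so that each application's pair of context lines is checked on its own; the `$cmd*` strings are constructed placeholders, and the `$fp*` values are taken from the two contexts reported in this issue.

```yara
// Constructed illustration only. Raccine writes the process context
// (ChildCommandLine=..., ParentName=..., ParentExecutablePath=...) to a
// RaccineUserContext\Rac*.tmp file and scans that file, so exclusions are
// matched against those context lines, not against a live process.
rule ransomware_command_lines_example
{
    meta:
        description = "Illustrative rule with per-application false-positive exclusions"

    strings:
        // Detection strings: placeholders standing in for the real rule's content
        $cmd1 = "-NoProfile"
        $cmd2 = "Start-Process"

        // Exclusion pair for the Omen Gaming Hub context reported above
        $fp1a = "ParentName=\"OmenCommandCenterBackground.exe\""
        $fp1b = "ParentExecutablePath=\"C:\\Program Files\\WindowsApps\\AD2F1837.OMENCommandCenter_"

        // Exclusion pair for the Heroic Launcher workaround reported above
        $fp2a = "ParentName=\"legendary.exe\""
        $fp2b = "ParentExecutablePath=\"C:\\Users\\"

    condition:
        1 of ($cmd*)
        // Each pair is checked separately: a context is excluded only when BOTH
        // lines of the SAME application match. A single "not all of ($fp*)" over
        // all four strings would never exclude anything, because one context file
        // can only ever carry one ParentName/ParentExecutablePath pair.
        and not ( all of ($fp1*) or all of ($fp2*) )
}
```

Requiring both the name and the path of the parent keeps the exclusion narrower than a name alone, since a process that only shares the executable name still trips the rule.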
