-
-
Notifications
You must be signed in to change notification settings - Fork 344
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: prevent detection of web shells rules as malware by Windows Defender (955260 PL1) #3687
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks ok, but we don't yet have tests for this rule. Could you add one or two?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
Use |
This is for creating a request but i need to create a response. |
We don't yet have a facility to mock responses. However, because responses are reflected we can use the request to inject at least part of the response. I quickly tested the test you wrote and the response does contain the newlines you sent in the request (pass |
But test haven't pass, so something is wrong. Maybe it outputed |
There are two problems:
We need to have a built-in facility in go-ftw for this, unfortunately. |
So, is it currently possible to write a test for that rule? |
No, it currently isn't possible. I would still like to keep your test. Just set |
@theseion Thank you! |
Glad this made the cut. |
Windows Defender is detecting pattern
<title>Ru24PostWebShell -
asBackdoor:PHP/Dirtelti.MTJ
. This PR prevents it by removing-
from the end of the pattern.Fixes #3603.