
Merge pull request #94 from CybercentreCanada/AL-3096-tweak-intezer-g…
…ene-count-threshold

Al 3096 tweak intezer gene count threshold [dev]
cccs-kevin authored Jun 13, 2024
2 parents d9912d0 + 1a28d72 commit f9b11fd
Showing 3 changed files with 19 additions and 3 deletions.
1 change: 1 addition & 0 deletions README.md
Expand Up @@ -38,6 +38,7 @@ If you are using Intezer's Dynamic Execution module, then set the service timeou
* **download_subfiles**: This is a flag used for indicating if we want to download sub files. Users may want to set this to `false` because extracted [files that are downloaded count against your quota](https://support.intezer.com/hc/en-us/articles/360021366619-How-is-Your-Analysis-Quota-Calculated-).
* **min_malware_genes**: This is the minimum number of "malware" genes found in the "Family Details" for us to set the verdict of the analysis to malicious.
* **score_administration_tools**: This is a flag used for indicating if we want to score files marked as "administration tools" as suspicious. If set to `false`, then no file with this designation will score based on this.
* **use_black_box_verdicts**: This is a flag used for indicating if we want to use the verdict that the Intezer assigns an analysis based on their proprietary algorithm for verdicts. If not, we will rely on gene counts.

### Submission Parameters
* **analysis_id**: This is the analysis ID of an analysis that is already on the system. The cloud API counts retrieving the analysis by file hash as a "File Scan" which counts towards an account's monthly quota. We can circumvent this by submitting the analysis ID of an analysis. That being said, this will ignore the file that you submit to Assemblyline.
20 changes: 17 additions & 3 deletions intezer.py
Expand Up @@ -128,6 +128,12 @@ class Verdicts(Enum):
NEUTRAL = "neutral"
NEUTRAL_VERDICTS = [NEUTRAL]

# Testing
# A verdict that is only used within the service code and never reported. This sample was given the verdict of
# "malicious" according to Intezer's proprietary algorithm for rendering verdicts.
TESTING = "testing"
TESTING_VERDICTS = [TESTING]

INTERESTING_VERDICTS = MALICIOUS_VERDICTS + SUSPICIOUS_VERDICTS + FAMILY_TYPE_OF_INTEREST_VERDICTS
UNINTERESTING_VERDICTS = NEUTRAL_VERDICTS + NOT_SUPPORTED_VERDICTS + UNKNOWN_VERDICTS + TRUSTED_VERDICTS

Expand Down Expand Up @@ -547,6 +553,10 @@ def execute(self, request: ServiceRequest) -> None:
if not verdict:
return

# Do we want to generate our own verdicts based our own gene metric?
if not self.config.get("use_black_box_verdicts", True) and verdict in Verdicts.MALICIOUS_VERDICTS.value:
verdict = Verdicts.TESTING.value

analysis_id = main_api_result["analysis_id"]

# Setup the main result section
Expand All @@ -570,7 +580,7 @@ def execute(self, request: ServiceRequest) -> None:
# Setting heuristic here to avoid FPs. An analysis should not require sub_analyses to get a heuristic
# assigned. A caveat to this is that the parent analysis has an unknown verdict but the sub-analysis of the
# same file hash yields a different verdict.
if verdict == "unknown" and file_verdict_map.get(sha256, "unknown") != "unknown":
if verdict in [Verdicts.UNKNOWN.value, Verdicts.TESTING.value] and file_verdict_map.get(sha256, Verdicts.UNKNOWN.value) not in [Verdicts.UNKNOWN.value, Verdicts.TESTING.value]:
verdict = file_verdict_map[sha256]
self._set_heuristic_by_verdict(main_kv_section, verdict)

Expand Down Expand Up @@ -756,7 +766,11 @@ def _process_iocs(

if file_iocs:
for file in file_iocs:
file_verdict_map[file["sha256"]] = file["verdict"]
# Do we want to generate our own verdicts based our own gene metric?
if not self.config.get("use_black_box_verdicts", True) and file["verdict"] in Verdicts.MALICIOUS_VERDICTS.value:
file_verdict_map[file["sha256"]] = Verdicts.TESTING.value
else:
file_verdict_map[file["sha256"]] = file["verdict"]

if network_iocs:
network_section = ResultTextSection("Network Communication Observed")
Expand Down Expand Up @@ -1036,7 +1050,7 @@ def _process_families(
and family_name not in SAFE_FAMILIES[family_type]
and (
sub_sha256 not in file_verdict_map
or file_verdict_map[sub_sha256] not in Verdicts.MALICIOUS_VERDICTS.value
or file_verdict_map[sub_sha256] not in Verdicts.MALICIOUS_VERDICTS.value + [Verdicts.TESTING.value]
)
):
file_verdict_map[sub_sha256] = Verdicts.FAMILY_TYPE_OF_INTEREST.value
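Review bot: The remap in the second hunk (`verdict = Verdicts.TESTING.value` guarded by `if not self.config.get("use_black_box_verdicts", True) and verdict in Verdicts.MALICIOUS_VERDICTS.value`) and its twin in `_process_iocs` only neutralise a black-box "malicious" verdict, so with the flag off a black-box "suspicious" verdict still reaches `_set_heuristic_by_verdict` unchanged, which is narrower than the README's "we will rely on gene counts"; either extend the membership test to `Verdicts.MALICIOUS_VERDICTS.value + Verdicts.SUSPICIOUS_VERDICTS.value` or narrow the comment to something like `# With black-box verdicts disabled, only Intezer's "malicious" verdict is suppressed; it must be re-earned from gene counts`. The same policy is written out twice (here and in `_process_iocs`), so a small private helper such as `_apply_verdict_policy(verdict)` would keep the two call sites in step and is also the place to fix the comment typo `based our own` → `based on our own`. In the first hunk `TESTING` is added to neither `INTERESTING_VERDICTS` nor `UNINTERESTING_VERDICTS`, so if code outside this diff branches on those lists a TESTING verdict falls through both; worth confirming `_set_heuristic_by_verdict` treats it as neutral rather than as an unexpected value. The bodies of `execute`, `_process_iocs` and `_process_families` start and end outside these hunks.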
1 change: 1 addition & 0 deletions service_manifest.yml
Expand Up @@ -32,6 +32,7 @@ config:
download_subfiles: true
min_malware_genes: 5
score_administration_tools: true
use_black_box_verdicts: true

submission_params:
- default: true
