fix: Reduce Malcontent JS False Positives (#904)

antitree · web-flow · commit e2a9022efa33 · 2025-05-08T08:55:57.000-04:00
Sorry! Hack to get pass the PR. Follow up PR coming to fix the tests

* fix(js): Reducing severity of javascript issues to reduce false positive blockers

* Fix: Dropping scope to only the most common false positive issues

* fix: Updating test cases to reflect new scores

* Update 002b815349c937aa5742a14d349dbc841c7348990e21a42fe7a503a5bfa562a6.js.simple

Signed-off-by: antitree &lt;antitree@users.noreply.github.com&gt;

---------

Signed-off-by: antitree &lt;antitree@users.noreply.github.com&gt;
diff --git a/rules/anti-static/obfuscation/js.yara b/rules/anti-static/obfuscation/js.yara
@@ -83,7 +83,7 @@ rule js_char_code_at_substitution: high {
     obfs_probably_js and filesize < 256KB and all of them
 }
 
-rule child_process: critical {
+rule child_process: high {
   meta:
     description = "obfuscated javascript that calls external programs"
 
@@ -101,7 +101,7 @@ rule child_process: critical {
     obfs_probably_js and filesize < 1MB and all of them and math.entropy(1, filesize) >= 6
 }
 
-rule ebe: critical {
+rule ebe: high {
   meta:
     description = "highly obfuscated javascript (eBe)"
     filetypes   = "javascript"
@@ -168,7 +168,7 @@ rule js_hex_eval_obfuscation: critical {
     obfs_probably_js and filesize < 128KB and any of them
 }
 
-rule js_hex_obfuscation: critical {
+rule js_hex_obfuscation: high {
   meta:
     description = "javascript function obfuscation (hex)"
 
@@ -188,7 +188,7 @@ rule high_entropy: medium {
     obfs_probably_js and math.entropy(1, filesize) >= 6
 }
 
-rule very_high_entropy: critical {
+rule very_high_entropy: high {
   meta:
     description = "very high entropy javascript (>7)"
 
diff --git a/tests/javascript/2024.xmlrpc/validator.js.simple b/tests/javascript/2024.xmlrpc/validator.js.simple
@@ -1,7 +1,7 @@
 # javascript/2024.xmlrpc/validator.js: critical
 anti-static/obfuscation/bool: medium
 anti-static/obfuscation/hex: medium
-anti-static/obfuscation/js: critical
+anti-static/obfuscation/js: high
 anti-static/obfuscation/strtoi: medium
 c2/addr/url: medium
 c2/client: medium
diff --git a/tests/npm/2024.discord-api-ts/postinstall.js.simple b/tests/npm/2024.discord-api-ts/postinstall.js.simple
@@ -2,7 +2,7 @@
 anti-behavior/random_behavior: low
 anti-static/obfuscation/bool: medium
 anti-static/obfuscation/hex: medium
-anti-static/obfuscation/js: critical
+anti-static/obfuscation/js: high
 anti-static/obfuscation/strtoi: medium
 c2/addr/url: medium
 data/encoding/int: medium
diff --git a/tests/npm/2024.nvmfix/config.js.simple b/tests/npm/2024.nvmfix/config.js.simple
@@ -1,6 +1,6 @@
 # npm/2024.nvmfix/config.js: critical
 anti-static/obfuscation/hex: medium
-anti-static/obfuscation/js: critical
+anti-static/obfuscation/js: high
 c2/addr/url: medium
 data/encoding/utf16: medium
 process/create: medium
diff --git a/tests/npm/2024.testerrrrrrrrrr/init.js.simple b/tests/npm/2024.testerrrrrrrrrr/init.js.simple
@@ -1,7 +1,7 @@
 # npm/2024.testerrrrrrrrrr/init.js: critical
 anti-static/obfuscation/bool: medium
 anti-static/obfuscation/hex: medium
-anti-static/obfuscation/js: critical
+anti-static/obfuscation/js: high
 anti-static/obfuscation/url: critical
 c2/addr/server: medium
 c2/addr/url: medium
