
Fix: S8 text-signature false positives in iccPawgReport (#1271)#1274

Merged
ChrisCoxArt merged 1 commit into master from reland-1271-textsig on Jun 8, 2026
Conversation

@colourbill-ctrl

Contributor

Closes #1271. Supersedes #1273 (which was opened from a fork and is blocked by the Fork PR Maintainer Automation Gate because it touches .github/scripts/; this one is from an upstream branch, same as #1270).

Re-lands the text-signature fix onto master. It was approved and merged as #1272, but #1272's base was issue-1269; since #1270 was squash-merged to master, #1272's content landed on issue-1269 and never reached master. Same single commit on top of current master.

Problem

ScanMalwareRange's case-insensitive TextSig table (`<script`, `<html`, `<?php`, `javascript:`, `invoke-expression`, `iex(`, `cmd.exe`, `/bin/sh`, …), matched by HasAsciiSignatureCaseInsensitive, did no context validation, so a coincidental hit in high-entropy CLUT data fired S8 — e.g. the "PowerShell expression invocation" (`iex(`) on SWOP2013C3_CRPC5.icc that #1270 unmasked.

Fix

HasAsciiSignatureCaseInsensitive now requires printable bytes (tab/newline/0x20-0x7e) adjacent to the match summing to ≥ 16; a binary-context coincidence is rejected, a real embedded payload still fires. Signature-local, no dependency, detail strings unchanged.

Regression coverage

Standard-tag true-negative / true-positive cases added to iccdev-pawg-report-regression-tests.sh (CTest iccdev.pawg-report-regressions, ASAN+UBSAN). Verified on master base: 18/18 pass; the text-sig true-negative FAILs on the pre-fix binary, confirming the guard.

Approach signed off by @xsscx on #1271; previously approved by @xsscx and @ChrisCoxArt on #1272.

🤖 Generated with Claude Code

The case-insensitive TextSig table (<script, <html, <?php, javascript:,
invoke-expression, iex(, cmd.exe, /bin/sh, ...) matched by
HasAsciiSignatureCaseInsensitive performed no context validation, so a
coincidental match inside high-entropy CLUT data fired S8 -- e.g. the
"PowerShell expression invocation" (iex() false positive on
SWOP2013C3_CRPC5.icc that #1270 unmasked once the ELF hit was corroborated
away.

These signatures are dangerous only as text, so a genuine hit sits inside
printable content. HasAsciiSignatureCaseInsensitive now requires printable
bytes (tab/newline/0x20-0x7e) adjacent to the match, summing to at least 16;
a match with little or no printable context (binary CLUT bytes on both
sides) is rejected, while a real embedded script/markup payload still fires.

Adds standard-tag true-negative / true-positive regression cases to
iccdev-pawg-report-regression-tests.sh (generated in-script). Verified:
18/18 pass on the patched binary; the text-sig true-negative FAILs on the
pre-fix binary, confirming it guards the gate. Corpus: the lone text-sig
false positive (SWOP2013C3_CRPC5) clears with no true positive lost.

Refs #1271.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
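As an added illustration of the printable-context guard that the description and commit message above describe (example code, not the project's HasAsciiSignatureCaseInsensitive; the function and constant names are hypothetical, and the counting rule, contiguous printable runs on each side of the match, excluding the match itself, is an assumption):

```c
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical re-implementation of the guard the PR describes, not the
 * project's HasAsciiSignatureCaseInsensitive. Assumption: the printable
 * bytes counted are the contiguous runs immediately before and after the
 * match (tab, newline, 0x20-0x7e), excluding the match itself. */
#define PRINTABLE_CONTEXT_MIN 16

static int is_text_byte(uint8_t b) {
    return b == '\t' || b == '\n' || (b >= 0x20 && b <= 0x7e);
}

static size_t text_run_before(const uint8_t *buf, size_t pos) {
    size_t n = 0;
    while (pos > 0 && is_text_byte(buf[pos - 1])) { pos--; n++; }
    return n;
}

static size_t text_run_after(const uint8_t *buf, size_t len, size_t pos) {
    size_t n = 0;
    while (pos < len && is_text_byte(buf[pos])) { pos++; n++; }
    return n;
}

static int matches_at(const uint8_t *buf, size_t pos, const char *sig, size_t slen) {
    for (size_t i = 0; i < slen; i++)
        if (tolower(buf[pos + i]) != tolower((unsigned char)sig[i])) return 0;
    return 1;
}

/* Returns 1 and stores the offset in *hit if `sig` occurs (case-insensitively)
 * with enough printable context; a hit surrounded by binary bytes is skipped. */
int has_text_signature(const uint8_t *buf, size_t len, const char *sig, size_t *hit) {
    size_t slen = strlen(sig);
    for (size_t pos = 0; pos + slen <= len; pos++) {
        if (!matches_at(buf, pos, sig, slen)) continue;
        size_t ctx = text_run_before(buf, pos) + text_run_after(buf, len, pos + slen);
        if (ctx < PRINTABLE_CONTEXT_MIN) continue;   /* binary-context coincidence */
        if (hit) *hit = pos;
        return 1;
    }
    return 0;
}

/* Constructed samples: "IEX(" buried in CLUT-like bytes vs. in a script body. */
static const uint8_t clut_like[] = { 0x03, 0xf7, 0x81, 0x1c, 0xe9, 0x00, 0xa5, 0x7f, 'I', 'E', 'X', '(',
                                     0x9b, 0x02, 0xff, 0x10, 0xc4, 0x8e, 0x01, 0xdb };
static const char script_like[] = "# notes\n$cmd = ...; iex($cmd)\n";
```

On the constructed CLUT-like buffer the case-insensitive match on `IEX(` is found but rejected with zero printable context; on the script body the same signature fires at offset 20.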

@xsscx xsscx left a comment

Member

2026-06-08 19:53:34 UTC

@ChrisCoxArt ChrisCoxArt merged commit 97a30b5 into master Jun 8, 2026
24 checks passed

Development

Successfully merging this pull request may close these issues.

Fix: S8 text-signature false positives in iccPawgReport (script/HTML/PowerShell/shell strings)