Peekaboo accidentally thinks cuckoo produced some errors if there aren't about peekabooav HOT 9 CLOSED

@Clevero: https://github.com/michaelweiser/PeekabooAV/tree/ruleset now contains code that allows message matching of rule cuckoo_analysis_failed to be configured. With this you can declare some other messages in your report success indicators and prevent the rule from failing your analyses. See ruleset.conf.sample for docs.

However, looking at your report I see message ``end of analysis reached!` which according to the Cuckoo source means that the analysis not only ran beyond the timeout but refused to be shut down by the agent and ran into the critical timeout as well at which point Cuckoo just shut down the VM. This IMO is a clear indicator of failure because analysis did indeed not finish and had to be aborted. Therefore no conclusions about the malevolence of the sample can reliably be made based on this. So I'd recommend to let these continue to fail and handle failed scans in AMaViS as outlined above or look into why this analysis gets stuck so badly.

But, with the new config option it's up to you to decide. If you don't have any objections I'd merge the code to master and close this issue here. Okay?

from peekabooav.

👍

Will investigate. Thought that is normal behavior since a process is running that is not stopping by itself (Word for example), so cuckoo does not know if there is coming any harmful routine and waits for the timeout of the machine. Oversaw that the cuckoo agent refused to shut down the VM within a certain amount of time. Thanks for the feedback

Currently rebuilding my instance inside a vApp on vSphere

from peekabooav.

Retested it with my last version installed, should be scVENUS/PeekabooAV-Installer@c0167da

Also this behavior. Strange... Will see where my configuration is wrong and report back

from peekabooav.

Your cuckoo logs indeed look good. report.json sectiondebug/cuckoo actually does contain the success indicator.

Can you provide the Peekaboo log for the analysis in question?

from peekabooav.

Sorry, gave you the wrong exported report. I've noticed that while searching for the peekaboo log of that analysis.

Correct report: 143.zip
Peekaboo log excerpt: f.peekaboo.log.txt

from peekabooav.

I created a fresh instance of peekaboo in a new 18.04 VM with the latest installer and the error persists.
VM's, Postfix and AmaVis (in a separate VM) stayed the same

Will need to modify my local PeekabooAV/peekaboo/toolbox/cuckoo.py until version 1.7

from peekabooav.

@Clevero: I've been working to make Peekaboo correctly report failed analyses as failed instead as bad. If you like, you can check out https://github.com/michaelweiser/PeekabooAV/tree/ruleset to see if that solves your problem.

from peekabooav.

FWIW: All the changes referenced here are now merged to master.

from peekabooav.

Thanks for pointing out the problem with end of analysis reached! :)

Could resolve it
I switched my VM's from Windows 7 x86 to x64 (should have followed the recommendations from the cuckoo project for OS versions...)
It seems to me that the agent crashed at some point and did not received the command to shutdown

While debugging I found also out that the new Agent version 0.9 has some issues with my installation

from peekabooav.