Relying as extension cuases false positives

Hey!

In places like these: https://github.com/CERT-Polska/karton-classifier/blob/2c91251dd20eea865f47a72d832c33a6dce78c49/karton/classifier/classifier.py#L310-L314
We have seen that relying on the extension of the file if magic isn't what where looking for leads to FPs.

This happens with LNK files:
<img width="1046" height="476" alt="Image" src="https://github.com/user-attachments/assets/8e3b3d48-65bb-4d11-a52c-b21264a0ca9d" />

And also for example with DEX files:
<img width="1046" height="388" alt="Image" src="https://github.com/user-attachments/assets/54ce373d-683d-4d39-8738-57eba12fa354" />

I think that relying on the magic is enough in most cases. And if stronger checks are needed, it can be probably made by other means specific for the file format

	if magic.startswith("MS Windows shortcut") or extension == "lnk":
	sample_class.update(
	{"kind": "runnable", "platform": "win32", "extension": "lnk"}
	)
	return sample_class

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Relying as extension cuases false positives #78

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Relying as extension cuases false positives #78

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions