Description
Problem Description
When analyzing MS Office documents (Word, Excel, PowerPoint) or PDFs, CAPE incorrectly monitors explorer.exe processes that appear as orphaned/dummy processes with incorrect parent process IDs. These processes do not show the actual MS Office or Adobe Acrobat application as their parent, which leads to false positive detections.
Impact
- False Positive Signatures: Orphaned explorer.exe processes trigger suspicious signatures (related to normal behavior)
- Incorrect Process Trees: Process relationships are not accurately represented
- Analysis Noise: Legitimate MS Office/PDF behavior appears suspicious
Proposed Solution
We can validate that the created process has a PPID belonging to a process already under analysis, and only then inject the monitoring DLLs, inside `_handle_process` in analyzer.py:
```python
def _handle_process(self, data):
    ...
    ...
    # Get actual PPID and validate relationship
    ppid = proc.get_parent_pid()
    if not in_protected_path(filename) and ppid in self.analyzer.process_list.pids:
        log.info("Announced %s process name: %s pid: %d", "64-bit" if is_64bit else "32-bit", filename, process_id)
        _ = proc.inject(interest)
        self.analyzer.LASTINJECT_TIME = timeit.default_timer()
        self.analyzer.NUM_INJECTED += 1
    proc.close()
```
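The PPID check above, modelled as a stand-alone example (added here, not CAPE's own code): process metadata comes from a constructed process table rather than the analyzer's `Process` object, `in_protected_path` is a hypothetical stand-in, and the PIDs and paths are made up. It also shows why the monitored set must grow as processes are injected, so that grandchildren of the sample are not skipped.

```python
from collections import namedtuple

ProcInfo = namedtuple("ProcInfo", "pid ppid image")

# Constructed process table for a Word sample run (PIDs are arbitrary).
# 5100 is an explorer.exe genuinely spawned by the monitored WINWORD.EXE;
# 5200 is the desktop shell's explorer.exe, whose parent is winlogon, i.e.
# the orphaned/dummy case from the report; 5300 is a child of 5100.
PROCESS_TABLE = {
    900:  ProcInfo(900,  0,    r"C:\Windows\System32\winlogon.exe"),
    1200: ProcInfo(1200, 900,  r"C:\Windows\explorer.exe"),
    4000: ProcInfo(4000, 1200, r"C:\Program Files\Office16\WINWORD.EXE"),
    5100: ProcInfo(5100, 4000, r"C:\Windows\explorer.exe"),
    5200: ProcInfo(5200, 900,  r"C:\Windows\explorer.exe"),
    5300: ProcInfo(5300, 5100, r"C:\Windows\System32\cmd.exe"),
}

# Hypothetical stand-in for the analyzer's own protected-path check:
# never inject into binaries living under the agent's directory.
ANALYZER_DIR = r"c:\analyzer"


def in_protected_path(image):
    return image.lower().startswith(ANALYZER_DIR)


def should_inject(pid, monitored_pids, table=PROCESS_TABLE):
    """Return (decision, reason) for a newly announced process."""
    proc = table.get(pid)
    if proc is None:
        return False, "unknown pid"
    if in_protected_path(proc.image):
        return False, "image is in a protected path"
    if proc.ppid not in monitored_pids:
        return False, "parent %d is not a monitored process" % proc.ppid
    return True, "parent %d is monitored" % proc.ppid


def walk_announcements(pids, initial_monitored, table=PROCESS_TABLE):
    """Handle announcements in order; every injected pid becomes monitored,
    so descendants announced later still pass the PPID check."""
    monitored = set(initial_monitored)
    decisions = {}
    for pid in pids:
        ok, _reason = should_inject(pid, monitored, table)
        decisions[pid] = ok
        if ok:
            monitored.add(pid)
    return decisions
```

Windows recycles PIDs, so a live implementation should also confirm that the parent is still running before trusting the PPID match.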