
create directory to group native samples #279

Open. hcnpeiris wants to merge 2 commits into master.

Conversation

hcnpeiris (Author) wrote:

Summary

  • Added a separate directory for PMA Labs.
  • Plan to add directories for benign and malware samples.
  • Considering using the VirusTotal API in a Python script to automatically classify files.

Question

  • Is using VirusTotal API the best approach, or is there a better way to classify files?

Related Issue

Thank you!

google-cla bot commented Mar 9, 2025

Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

View this failed invocation of the CLA check for more information.

For the most up to date status, view the checks section at the bottom of the pull request.

williballenthin (Collaborator) commented:

tbh, i'm not sure there are any benign files in test-files, except perhaps things like al-khaser and mimikatz. so i'm not sure it's worth the effort of scripting this, unless you'd like to try for experience.

@hcnpeiris hcnpeiris changed the title create directory to group native samples | Fixes capa#1787 create directory to group native samples Mar 11, 2025

hcnpeiris commented Mar 11, 2025

create directory to group native samples

Fixes capa#1787

To improve the organization of test files, three new directories have been added:

  • /benign: Contains benign test binaries.
  • /malware: Stores malware test samples.
  • /pma_labs: Includes PMA test binaries.

Relevant test files have been moved to these new directories.

Pytest File Updates & Issue

Since this change modifies the test file structure, pytest file paths have been updated accordingly. A PR will be submitted to the capa repository to reflect these changes.

However, one expected failure test (xfailed) unexpectedly passed.
I ran pytest on the latest master branch, and it produced the same result.

Pytest Results After Updating File Paths

[Screenshot: pytest results after updating file paths, 2025-03-11 18:21]

Pytest Results for latest master branch

[Screenshot: pytest results for latest master branch, 2025-03-11 16:51]

Request for Feedback

Can I get feedback on resolving this issue?

Checklist

  • No CHANGELOG update needed
  • No new tests needed
  • No documentation update needed


mr-tz (Collaborator) commented Mar 12, 2025

I'd advise against benign/malware labels and would suggest to just use native (vs dotnet or sandbox results). It could be a headache to verify for each sample if it's benign or malicious without much benefit.
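
One way to do the native-vs-.NET split suggested above automatically, as an added example that is not part of this pull request or of the capa-testfiles repository: a .NET PE carries a non-zero CLR runtime header entry (slot 14, IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR) in the optional header's data directory, so the grouping can be decided offline from the file bytes with no VirusTotal lookup. The `native/`, `dotnet/` and `other/` directory names, the `build_test_pe` helper that fabricates header-only PE images as constructed sample input, and the dry-run `main` are assumptions of this example, not conventions of the project.

```python
"""Group PE test samples into native vs .NET by inspecting the CLR runtime header."""
import struct
import sys
from pathlib import Path
from typing import Dict, List, Optional

# Index of the CLR runtime header (IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR) in the
# optional header's data directory. A non-zero entry marks a managed (.NET) image.
COM_DESCRIPTOR_INDEX = 14


def is_dotnet_pe(data: bytes) -> Optional[bool]:
    """True for a .NET PE, False for a native PE, None if the bytes are not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    # COFF header follows the signature; SizeOfOptionalHeader is at offset 16 of it.
    size_opt = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    if size_opt < 2 or opt + size_opt > len(data):
        return None
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:        # PE32: NumberOfRvaAndSizes at 92, data directory at 96
        nrva_off, dd_off = 92, 96
    elif magic == 0x20B:      # PE32+: NumberOfRvaAndSizes at 108, data directory at 112
        nrva_off, dd_off = 108, 112
    else:
        return None
    if size_opt < nrva_off + 4:
        return None
    number_of_dirs = struct.unpack_from("<I", data, opt + nrva_off)[0]
    entry = opt + dd_off + 8 * COM_DESCRIPTOR_INDEX
    # A truncated directory table (seen in packed or hand-crafted files) has no CLR slot,
    # so such a file is treated as native rather than rejected.
    if number_of_dirs <= COM_DESCRIPTOR_INDEX or entry + 8 > opt + size_opt:
        return False
    rva, size = struct.unpack_from("<II", data, entry)
    return rva != 0 and size != 0


def classify(data: bytes) -> str:
    """Map file bytes to an assumed target directory name: 'dotnet', 'native' or 'other'."""
    managed = is_dotnet_pe(data)
    if managed is None:
        return "other"      # ELF, shellcode blobs, sandbox reports, etc.
    return "dotnet" if managed else "native"


def group_samples(samples: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Pure grouping step, kept separate so the decision can be tested without touching disk."""
    groups: Dict[str, List[str]] = {"native": [], "dotnet": [], "other": []}
    for name in sorted(samples):
        groups[classify(samples[name])].append(name)
    return groups


def build_test_pe(pe32plus: bool, clr_rva: int = 0, clr_size: int = 0) -> bytes:
    """Constructed header-only PE (not loadable) used as sample input in this example."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)
    ndirs = 16
    opt_size = (112 if pe32plus else 96) + 8 * ndirs
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 1, 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    nrva_off = 108 if pe32plus else 92
    struct.pack_into("<I", opt, nrva_off, ndirs)
    struct.pack_into("<II", opt, nrva_off + 4 + 8 * COM_DESCRIPTOR_INDEX, clr_rva, clr_size)
    return dos + b"PE\0\0" + coff + bytes(opt)


def main(root: str) -> None:
    """Dry run: print where each file directly under ROOT would be moved (no files are touched)."""
    files = {p.name: p.read_bytes() for p in Path(root).iterdir() if p.is_file()}
    for group, names in group_samples(files).items():
        for name in names:
            print(f"{group}/{name}")


if __name__ == "__main__":
    main(sys.argv[1] if len(sys.argv) > 1 else ".")
```

Run it against the test-files checkout to see the proposed layout before doing any `git mv`; the script only reads headers, so it is safe to point at live malware samples, and it deliberately does not execute or load anything.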

hcnpeiris (Author) commented:

@mr-tz
Oops, I misunderstood it as needing to categorize as malware and benign. Just to clarify, all I need to do is create two separate directories for pma_labs and native, and move the native test binaries to the respective directory?

@hcnpeiris hcnpeiris force-pushed the move-pma-files branch 3 times, most recently from dd523bd to 96d5960 Compare March 15, 2025 17:07
hcnpeiris (Author) commented:

@mr-tz
Files have been moved as mentioned above. However, the pytest file needs to be updated for the new file paths. I will update it soon.

hcnpeiris (Author) commented:

@mr-tz
I added a PR mandiant/capa#2623 with the updated pytest files. Can I get feedback on it?

@hcnpeiris hcnpeiris marked this pull request as ready for review March 20, 2025 03:18
Linked issue that this pull request may close: Testfiles: create directory to group native samples