v1.7.1

Tool Improvements

• Split up archive.go into type-specific files; add wider zlib support by @egibs in #723

Full Changelog: v1.7.0...v1.7.1

v1.7.0

Tool Improvements

• Fix non-tar bz2 extractions by @egibs in #702
• Improve handling of nonexistent symlinks for extractions + programkind by @egibs in #709
• Fix prefix validation edge-case when extracting by @egibs in #715
• Add zlib support to extractGzip by @egibs in #713

Rule Improvements

• Update third-party rules as of 2024-12-12 by @octo-sts in #699
• Improve FontOnLake rule targetting by @tstromberg in #700
• Update third-party rules as of 2024-12-13 by @octo-sts in #703
• Update third-party rules as of 2024-12-16 by @octo-sts in #706
• Add more specific SVG rule by @egibs in #704
• Leverage yr scan --profile to tune slowest rules by @egibs in #708
• ELF malware detection improvements based on Wolfsbane analysis by @tstromberg in #680
• Tune HIGH/CRITICAL findings + disallow "clean" samples from matching by @tstromberg in #712
• Reduce Python CRITICAL false positives (setuptools, keylogger) by @tstromberg in #717
• Address CRITICAL ELF false-positives in trino, rust, and eza by @tstromberg in #718
• Address Sonarqube SonarAnalyzer.CSharp.dll finding by @tstromberg in #719
• Fix false-positives in http_parser.rb-0.8.0/ext/ruby_http_parser/vendor/http-parser/test.c by @tstromberg in #720

Developer Improvements

• Demote additional logs from Info to Debug by @egibs in #701
• Allow find-missing-metadata to be run from other directories by @tstromberg in #710
• Improve extracted archive file clean up by @egibs in #714
• build: reduce binary size by adding -s -w to ldflags by @chenrui333 in #716

New Contributors

• @chenrui333 made their first contribution in #716

Full Changelog: v1.6.0...v1.7.0

v1.6.0

Tool Improvements

• Correctly calculate statistics when running scans by @egibs in #649
• Fix scanning of files compressed directly via xz (as opposed to tar -J) by @egibs in #650
• Update relative path check when extracting tar archives by @egibs in #656
• Add support for .deb and .rpm files by @egibs in #668
• Ignore symlinks that point to nonexistent targets by @egibs in #669
• Improve legibility of terminal diff output by @tstromberg in #670
• Ignore JSON files, except for NPM package.json files by @tstromberg in #674
• Add new BubbleTea TUI renderer by @egibs in #665
• move "skipping: data file or empty" log message to Debug by @imjasonh in #692
• include full warning in warning log by @imjasonh in #693

Rule Improvements

• remove mantic mentions by @tstromberg in #653
• Improve Ruby detection abilities by @tstromberg in #652
• Update third-party rules as of 2024-11-25 by @octo-sts in #658
• Improve results for Javascript (xmlrpc) and Python (aiocpa) samples by @tstromberg in #664
• Update third-party rules as of 2024-12-01 by @octo-sts in #671
• Minor YARA rule tuning based on upcoming talk by @tstromberg in #673
• Enrich NodeJS detection for supply-chain attacks similar to Solana web3 v1.95.7 by @tstromberg in #678
• Initial Java support (particularly credential stealers) by @tstromberg in #679
• Improve detection of supply-chain attacks similar to Ultralytics by @tstromberg in #681
• Update third-party rules as of 2024-12-09 by @octo-sts in #684
• Update third-party rules as of 2024-12-10 by @octo-sts in #688
• Fix slow query warnings, update testdata by @tstromberg in #690
• Update third-party rules as of 2024-12-11 by @octo-sts in #695
• Address recent, non-data file false positives by @egibs in #694

Developer Improvements

• Use CachedRules in tests similarly to refresh by @egibs in #647
• Add script to find missing testdata by @tstromberg in #651
• Fix benchmarks by @egibs in #661
• Reframe README around the concept of differential analysis by @tstromberg in #663
• Replace pkg-config with pkgconf, add zypper invocation to command-line by @tstromberg in #677

New Contributors

• @imjasonh made their first contribution in #692

Full Changelog: v1.5.1...v1.6.0

v1.5.1

Rule Improvements

• Remove 'threat_hunting' ruleset by @tstromberg in #645

Full Changelog: v1.5.0...v1.5.1

v1.5.0

Tool Improvements

• Display scan results as soon as results are generated by @egibs in #617
• Properly render hits and misses by @egibs in #624
• Better handling of diffs between archives by @egibs in #626
• Make diff behave like diff(1); report consistent behaviors by @egibs in #628

Rule Improvements

• Consolidate language-specific obfuscation rules by @tstromberg in #607
• Improve results scanning for Linux malware by @tstromberg in #608
• Update third-party rules as of 2024-11-11 by @octo-sts in #614
• Improve Linux binary detection, particularly for rootkits by @tstromberg in #615
• Improve MalwareBazaar coverage (elf, python, javascript) by @tstromberg in #616
• Update third-party rules as of 2024-11-14 by @octo-sts in #621
  Rule tuning based on initial Melofee analysis by @tstromberg in #622
• remove hashes from rules by @tstromberg in #625
• Add overrides for buildah, Kibana, pydevd, and tileserver-gl by @egibs in #629
• Improve detection of machO backdoors & stealers by @tstromberg in #631
• Improve Python detection for EvilDojo666 attack by @tstromberg in #635
• Update third-party rules as of 2024-11-18 by @octo-sts in #641
• Address yara-x compile findings by @egibs in #640
• Teach malcontent about more Python maliciousness by @tstromberg in #639

Developer Improvements

• Bump Go to 1.23.3; update Go packages + golangci-lint by @egibs in #610
• More coverage improvements for MalwareBazaar by @tstromberg in #618
• Use 8-core runners for tests and updating third-party rules by @egibs in #633
• Refresh sample test data via new refresh command by @egibs in #634
• Don't consider .mdiff or .sdiff files in discoverTestData by @egibs in #637

Full Changelog: v1.4.0...v1.5.0

v1.4.0

Tool Improvements

• Modernize terminal output by @tstromberg in #564
• brief: highlight evidence by @tstromberg in #566
• fix over-indenting in diff mode by @tstromberg in #568
• Don't store an empty file report for err-first-hit/miss findings by @egibs in #579
• Fix inconsistent path behaviors when running diffs by @egibs in #581
• Fix 'none' severity findings breaking tests by @egibs in #586
• Allow --err-first-miss to continue for skipped files by @tstromberg in #591
• Improve --err-first-hit handling by @tstromberg in #596
• Log an error if an override rule has no underlying, overridden rule by @egibs in #597
• terminal: improve color matching, diff readability by @tstromberg in #600
• scan: fix missing newline, make less noisy by @tstromberg in #601
• showError: Remove unwrap for ErrMatchedCondition by @tstromberg in #604

Rule Improvements

• Add override rule for py3-hatch package by @egibs in #545
• Improve findings for Mirai, vncjew, alfa, custom RAT by @tstromberg in #541
• Reorganize rule filenames around the MalwareBehaviorCatalog standard by @tstromberg in #549
• Add compromised lottie-player test data by @egibs in #552
• Update YARAforge to 20241027 by @tstromberg in #556
• MalwareBehaviorCatalog follow-up: less naming stutter, less slashes by @tstromberg in #558
• Improve detection of Golang/Linux backdoors by @tstromberg in #567
• Update third-party rules as of 2024-11-03 by @octo-sts in #571
• Improve malicious Javascript detection by @tstromberg in #572
• Remove overriden behaviors that fall below minScore by @egibs in #580
• Improve Python detection based on the PyPI malregistry by @tstromberg in #584
• Update third-party rules as of 2024-11-06 by @octo-sts in #590
• Improve detection of "Beast" and other Linux ransomware by @tstromberg in #589
• Improve detection of malicious RubyGems by @tstromberg in #588
• Improve rule coverage for timb-machine/linux-malware by @tstromberg in #592
• Add Kibana overrides by @egibs in #594
• Rule tuning to decrease false-positives on Fedora by @tstromberg in #598
• Add Kibana security detection engine rule overrides by @egibs in #602
• Fedora: Address remaining false-positives within /usr by @tstromberg in #603
• Improve coverage for objective-see/Malware by @tstromberg in #605
• Add override rules for findings from latest full scan of Wolfi packages by @egibs in #606

Developer Improvements

• Format rule files with yara-x and add Workflow Check by @egibs in #546
• Add yara-x fmt to make lint by @egibs in #547
• Create scorecard.yml by @tstromberg in #551
• README: Clarify our focus on supply-chain and UNIX-like operating systems by @tstromberg in #550
• Address token and security policy OpenSSF findings by @egibs in #554
• Add Workflow to update third-party rules and PR the changes by @egibs in #557
• Install yara in third-party rule update Workflow by @egibs in #559
• Cleanly handle no-op third-party rule Workflow runs by @egibs in #560
• Simplify commit and PR steps for third-party Workflow by @egibs in #561
• remove reviewdog/woke style actions by @tstromberg in #562
• README: aim for subtleness, not paranoia by @tstromberg in #563
• README: updates screenshots, lean into what makes malcontent special by @tstromberg in #569
• Re-add GH_TOKEN to commit/PR step for third-party rule updates by @egibs in #570
• Makefile: Add Linux support for yara-x linter by @tstromberg in #583
• re-organize samples + integration tests to improve caching by @tstromberg in #593

Full Changelog: v1.3.0...v1.4.0

v1.3.0

Release v1.3.0

Tool Improvements

• Address two instances of CWE-22 by @egibs in #526
• error if an invalid value is passed to --min-*risk by @tstromberg in #531
• scan: include match strings (truncated) by @tstromberg in #537
• walk: log error instead of returning an error by @tstromberg in #538

Rule Improvements

• Improve macOS detection, particularly for AMOS/Poseidon and Cobaltstrike by @tstromberg in #524
• Add mlflow pypi_package_index override rule, allow for multiple rules per override by @egibs in #527
• improve detection of cipherbcryptors by @tstromberg in #519
• linux: alert tuning for k4spreader, injector, medusa, Sliver by @tstromberg in #517
• Decrease false-positives across Ubuntu 24.04, add more OS-specific tagging by @tstromberg in #530
• Update rancher pull-scripts rule by @egibs in #528
• Add override for filebeat misp_sample.ndjson.log by @egibs in #534
• Improve results when scanning Linux include files by @tstromberg in #535
• Remove HIGH findings from /etc on Ubuntu 24.04 by @tstromberg in #539
• Add additional Wolfi false positve overrides by @egibs in #540

Developer Improvements

• programkind: quietly skip non-file files by @tstromberg in #529

Full Changelog: v1.2.0...v1.3.0

v1.2.0

Release v1.2.0

Tool Improvements

• Better handling of overrides after all fr.Behaviors are added by @egibs in #487
• Add new renderer to display string matches for rules by @egibs in #488
• Delay rule compilation and cache the results by @tstromberg in #490
• process: make non-existent paths non-fatal, sort scan paths by @tstromberg in #493
• scan: wolfictl inspired output presentation by @tstromberg in #492
• processes: improve results on Linux by @tstromberg in #499
• programkind: return MIME type & file extension, swap magic library by @tstromberg in #507
• Remove errant nil check in switch statement by @egibs in #513
• Add --file-risk-change and --file-risk-increase flags by @egibs in #514
• Add risk levels to simple output by @egibs in #516
• Fix --min-risk behavior re: overrides by @egibs in #523
• programkind: be quiet if EOF reached by @tstromberg in #518

Rule Improvements

• Reduce some random Linux false positives by @tstromberg in #501
• New false positive rules by @egibs in #502
• Add jaraco py_dropper_chmod override by @egibs in #509
• rule tuning: make severities more appropriate by @tstromberg in #510
• Add filesize condition to linux_multi_persist rule by @egibs in #515

Developer Improvements

• Turn on prealloc linting rule, implement suggestions by @egibs in #491
• README tuning: left-justify logo, boost scan placement, update images by @tstromberg in #504
• Update samples commit, refresh test data, fix refresh-test-data on macOS by @egibs in #508
• makefile: fail if xz is missing by @tstromberg in #511

Full Changelog: v1.1.1...v1.2.0

v1.1.1

Rule Improvements

• Fix bad RookeryCapital testdata by @tstromberg in #484

Full Changelog: v1.1.0...v1.1.1

v1.1.0

Release v1.1.0

Tool Improvements

• Add --processes flag to scan active process commands by @egibs in #469
• Allow for multiple scan path inputs for analyze and scan by @egibs in #480
• Small archive extraction fixes; support bzip2 archives by @egibs in #479
• Allow for rule severity overrides; add default ignore tags by @egibs in #481

Rule Improvements

• Increase coverage of recent MalwareBazaar / MalShare samples by @tstromberg in #474
• Address false positives seen with argocd, grafana, jupyterhub, and reflex by @egibs in #475
• Update YARAForge rules, refresh testdata by @tstromberg in #482

Developer Improvements

• Bump actions/checkout from 4.1.7 to 4.2.0 in the all group by @dependabot in #472
• Check if frs sync.Map is nil within handleArchive by @egibs in #476
• malcontent branding: rewrite README, new go install target by @tstromberg in #477

Full Changelog: v1.0.1...v1.1.0