grey
@grey@infosec.exchange

@darfplatypus@infosec.exchange Yeah it's pretty bad. AFAIK JBX does some filtering, CrowdStrike does none, and neither does VT. I teach new analysts to run calc.exe or other similar binaries in their sandbox of choice to see what "normal" looks like first. Same goes for "what network traffic is normal when opening a benign PDF".
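
An added example, not part of the post above: one way to apply the baseline idea is to record the events from a few benign runs (for instance calc.exe) and subtract them from a sample's report, so only the residue needs triage. The `(kind, detail)` event format, the function names and all sample events are assumptions constructed for illustration; they are not the output format of any sandbox named in the post.

```python
import re

# Fields that change between runs of the same benign binary (assumed list).
RULES = [
    (re.compile(r"c:\\users\\[^\\]+"), r"c:\\users\\<user>"),
    (re.compile(r"pid=\d+"), "pid=<n>"),
]

def normalize(event):
    """Lower-case an event and mask volatile fields so runs are comparable."""
    kind, detail = event
    detail = detail.lower()
    for pattern, repl in RULES:
        detail = pattern.sub(repl, detail)
    return (kind, detail)

def build_baseline(runs):
    """Union of normalized events seen in any benign run."""
    return {normalize(e) for run in runs for e in run}

def residual(sample, baseline):
    """Events in the sample run not explained by the baseline (order kept, deduped)."""
    seen, out = set(), []
    for event in sample:
        key = normalize(event)
        if key not in baseline and key not in seen:
            seen.add(key)
            out.append(event)
    return out

# Constructed events, not real sandbox output.
BENIGN_RUNS = [
    [("proc_create", r"C:\Windows\System32\calc.exe pid=2204"),
     ("file_read", r"C:\Users\analyst\AppData\Local\cache\icons.db"),
     ("dns", "update.os-vendor.example")],
    [("proc_create", r"C:\Windows\System32\calc.exe pid=918"),
     ("dns", "telemetry.os-vendor.example")],
]
SAMPLE_RUN = [
    ("proc_create", r"C:\Users\lab\Downloads\sample.exe pid=3100"),
    ("file_read", r"C:\Users\lab\AppData\Local\cache\icons.db"),
    ("dns", "update.os-vendor.example"),
    ("dns", "unknown-host.example"),
    ("file_write", r"C:\Users\lab\AppData\Roaming\dropped.bin"),
    ("dns", "unknown-host.example"),
]

if __name__ == "__main__":
    for kind, detail in residual(SAMPLE_RUN, build_baseline(BENIGN_RUNS)):
        print(f"{kind:12} {detail}")
```

The same subtraction applies to the PDF case: build the baseline from opening a benign PDF in the same viewer and sandbox image, since the noise depends on both.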