False Positives about mvt HOT 3 CLOSED

do you think its possible to document verified detections vs. false positives or offer some training for MVT? Seems like this would have been an easy catch for someone more versed in the software even if not a technical expert

We're looking at introducing confidence levels in detections in future - some early work around this in #431.

It looks like this ClevGuard indicator originated from https://github.com/AssoEchap/stalkerware-indicators. In this case it's detecting a visit to a stalkerware related domain name - an expert should review among other things the MVT output, the possible matching indicator and the context of other events on the forensic timeline to determine whether an infection actually occurred.

At this time the Security Lab can only provide forensic support to members of civil society. If you fulfil this category and have a concern in future please do reach out again via https://securitylab.amnesty.org/get-help/ and we'll do our best to help. In terms of partnership proposals please reach out to share [ AT symbol] amnesty.tech. Due to the volume of requests, we may be unable to respond to requests which are not clearly from civil society.

from mvt.

Hey @L0laL33tz thanks for opening an issue.

Re:

MVT seems to make no distinctions between websites visited and software installed

could you give more details on the false positive you encountered, e.g. which modules are involved?

We've recently added some clearer messaging around non-expert use, particularly if detections are found:

NOTE: Detected indicators of compromise. Only expert review can confirm if the detected indicators are signs of an attack.
Please seek reputable expert help if you have serious concerns about a possible spyware attack. Such support is available to human rights defenders and civil society through Amnesty International's Security Lab at https://securitylab.amnesty.org/get-help/?c=mvt

from mvt.

Sure, here's the detection it threw:

I did reach out to amnesty techlab but never heard back. I understand that it's probably overwhelming to answer every request, so re:

Only expert review can confirm if the detected indicators are signs of an attack

do you think its possible to document verified detections vs. false positives or offer some training for MVT? Seems like this would have been an easy catch for someone more versed in the software even if not a technical expert

from mvt.