Skip to content

Redline <-> reline mapping problems #48

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
RazviOverflow wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Redline <-> reline mapping problems #48

RazviOverflow wants to merge 1 commit into from

Conversation

@RazviOverflow
Copy link

@RazviOverflow RazviOverflow commented Jun 25, 2025
edited
Loading

Hi everyone,

We've been using AVClass for a while and noticed that it consistently labels the "Redline" family as "Reline" (missing the 'd'). After comparing results with other labeling tools, we realized this issue is specific to AVClass.

Looking into the code, we found that AVClass maps "redline" (and its variants) to "reline" (though it's unclear why). Let's consider the following example. The attached samples.json file contains the VT results of the following three samples:

Attached file: samples.json

At the moment of this writing, a quick search for "reline" has no matches in any of these VT entries' vendors results, whereas "redline" has at least 4 occurrences.

avclass produces the following output

$ avclass -f samples.json 
[-] Using tagging rules in [REDACTED]/avclass/data/default.tagging
[-] Using taxonomy in [REDACTED]/avclass/data/default.taxonomy
[-] Using expansion tags in [REDACTED]/avclass/data/default.expansion
[-] Processing input file samples.json (lb)
2a4706a20c2b6353cc65a2e21925d733	reline
e2b0397ba16e285829a1bb100995b7fb	reline
5c144e82b30fe477e725744585804dfc	reline
[-] 3 reports read
[-] Samples: 3 NoScans: 0 NoTags: 0 GroundTruth: 0

What is more, "redline" has a dedicated Malepdia entry, while "reline" does not.

Furthermore, a quick Google search produces the following results as of today:

  • "redline" malware -> about 235K results
  • "reline" malware -> about 2.9K results and the use of "redline" is suggested

In summary, I think the mapping of redline* -> reline should be the other way around.

With the proposed changes I find the output more accurate:

[-] Processing input file samples.json (lb)
2a4706a20c2b6353cc65a2e21925d733	redline
e2b0397ba16e285829a1bb100995b7fb	redline
5c144e82b30fe477e725744585804dfc	redline
[-] 3 reports read
[-] Samples: 3 NoScans: 0 NoTags: 0 GroundTruth: 0

@RazviOverflow RazviOverflow changed the title Fixing redline <-> reline mapping problems Redline <-> reline mapping problems Jun 25, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@RazviOverflow