Add AntiSandbox Windows Activation signature#585
Code Review
This pull request introduces a new Cuckoo signature, AntiSandboxWindowsActivation, designed to detect malware querying Windows licensing, activation, or genuine status to evade analysis. The review feedback highlights critical Python 2.7 compatibility issues: the use of f-strings will cause syntax errors, strict isinstance(..., str) checks will fail for unicode objects, and calling str() on registry paths can trigger UnicodeEncodeError crashes. The reviewer provides actionable suggestions to replace f-strings with .format() and to remove or adjust the type checks for robust Python 2.7 compatibility.
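The three compatibility findings in the review above, as an added example that is not part of PR #585 and does not use Cuckoo's own Signature base class: a stand-alone matcher of the kind such a signature would contain, written to run under both Python 2.7 and Python 3 by avoiding f-strings, by accepting unicode as well as str, and by never calling str() on a registry path. The registry path, API names and WMI classes are assumed indicators chosen for illustration, and the event dicts are a constructed stand-in for the sandbox's call trace.

```python
# Added example, not code from PR #585 or from Cuckoo itself: a small
# Python 2.7 / Python 3 compatible matcher of the kind a Cuckoo signature
# would use, written to avoid the three review findings above
# (f-strings, isinstance(..., str) on unicode, str() on registry paths).
from __future__ import unicode_literals, print_function
import re

try:
    # Python 2.7: registry paths arrive as unicode, which is not str
    string_types = basestring  # noqa: F821 (undefined on Python 3)
except NameError:
    # Python 3: str is the only text type
    string_types = str

# Assumed indicators (chosen for this example, not taken from the PR):
# registry path, API names and WMI classes tied to licensing state.
ACTIVATION_KEY_PATTERNS = [
    re.compile(r"\\SoftwareProtectionPlatform(\\|$)", re.IGNORECASE),
]
ACTIVATION_APIS = {"slisgenuinelocal", "slgetwindowsinformation"}
ACTIVATION_WMI_CLASSES = {"softwarelicensingproduct", "softwarelicensingservice"}


def is_activation_query(key):
    """True if `key` (str or unicode) points at Windows activation state.

    No str(key) conversion: on Python 2.7 that would raise
    UnicodeEncodeError for a path containing non-ASCII characters.
    """
    if not isinstance(key, string_types):
        return False
    return any(pattern.search(key) for pattern in ACTIVATION_KEY_PATTERNS)


def describe_match(event):
    """Build the mark text; .format() keeps the file parsable by Python 2.7."""
    kind = event.get("kind")
    if kind == "registry":
        return "Queried Windows activation state via registry key {0}".format(event["key"])
    if kind == "api":
        return "Called licensing API {0}".format(event["api"])
    return "Queried WMI class {0}".format(event["wmi_class"])


def scan_events(events):
    """Return mark descriptions for events that query licensing/activation state.

    `events` is a list of dicts shaped like the constructed sample below.
    """
    marks = []
    for event in events:
        kind = event.get("kind")
        if kind == "registry" and is_activation_query(event.get("key")):
            marks.append(describe_match(event))
        elif kind == "api" and event.get("api", "").lower() in ACTIVATION_APIS:
            marks.append(describe_match(event))
        elif kind == "wmi" and event.get("wmi_class", "").lower() in ACTIVATION_WMI_CLASSES:
            marks.append(describe_match(event))
    return marks


# Constructed sample trace (not from any real analysis)
SAMPLE_EVENTS = [
    {"kind": "registry",
     "key": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SoftwareProtectionPlatform"},
    {"kind": "registry", "key": "HKEY_CURRENT_USER\\Software\\Caf\u00e9\\Settings"},  # non-ASCII, benign
    {"kind": "api", "api": "SLIsGenuineLocal"},
    {"kind": "wmi", "wmi_class": "Win32_Process"},
    {"kind": "registry", "key": 0x42},  # a handle value, not a path: must not crash
]

if __name__ == "__main__":
    for mark in scan_events(SAMPLE_EVENTS):
        print(mark)
```

The `string_types` alias is the usual way to make one `isinstance` check cover Python 2.7's `unicode` and Python 3's `str` without a dependency on `six`; the non-ASCII key in the sample is there to show that the matcher stays on the text type it was given rather than converting it.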
Reduced severity level from 3 to 2 for the AntiSandboxWindowsActivation signature.
Increased severity level from 2 to 3 for the AntiSandboxWindowsActivation signature.
Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>
Some sandboxes won't be activated due to isolation or because they download the free trials. Malware could use this to check if it is possibly in a sandbox, because most users will use genuine Windows, and certainly within enterprise networks.