Added isaerp.com.br to clean cybercapture class, meaning all files should be classified as clean when they go to cybercapture.
Hmmm... That shouldn't be a final solution as it is an open door for anything wrong/malicious that gets into the site.
Am I wrong?
It is not as strong as I (might have) made it sound, which is why I also said that it might only prevent "some" of the FPs and that digsig is still the preferred way.
Firstly, this rule I made could only trigger on files that go to cybercapture. This means that it must be a PE file that is downloaded from a certain domain, and the user who downloads it must be the very first person in the world (with Avast) to execute it, and there must be no detection on the file yet. If the file is non-PE (HTML, JS, PDF), or if it is known (prevalence > 1), or if the file is similar to other malware (so the detections, such as trojangens or evogens, would trigger), it would not go to cybercapture at all.
Secondly, even within cybercapture there are many (what we call) boxes, each of which tests one thing. One might check the URL, one might run the sample in a sandbox, one might check similarity to other files, you get the idea. These boxes all produce results (clean, unknown, malware) and based on these results, Decision Maker decides. Even with some boxes reporting "clean", cybercapture might still say "do not allow this program to run".
I hope I made myself clear that there is very little security risk when I add the URL to the clean class.
If not, I will be happy to elaborate, ask away!