From d3d71f97c87d8c3d261d2ccb32a5cfa8bd5f5c40 Mon Sep 17 00:00:00 2001
From: Mike Hunhoff
Date: Mon, 24 Feb 2025 14:14:05 -0700
Subject: [PATCH] vmray: only verify process OS and monitor ID match (#2613)
---
 CHANGELOG.md | 1 +
 capa/features/extractors/vmray/__init__.py | 11 +++++------
 2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index cd4fd228..1c3cec7f 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -16,6 +16,7 @@ ### Bug Fixes
 - only parse CAPE fields required for analysis @mike-hunhoff #2607
 - main: render result document without needing associated rules @williballenthin #2610
+- vmray: only verify process OS and monitor IDs match @mike-hunhoff #2613
 ### capa Explorer Web
diff --git a/capa/features/extractors/vmray/__init__.py b/capa/features/extractors/vmray/__init__.py
index cc67c34c..94c31633 100644
--- a/capa/features/extractors/vmray/__init__.py
+++ b/capa/features/extractors/vmray/__init__.py
@@ -223,16 +223,15 @@ class VMRayAnalysis:
             # we expect monitor processes recorded in both SummaryV2.json and flog.xml to equal
             # to ensure this, we compare the pid, monitor_id, and origin_monitor_id
             # for the other fields we've observed cases with slight deviations, e.g.,
-            # the ppid for a process in flog.xml is not set correctly, all other data is equal
+            # the ppid, origin monitor id, etc. for a process in flog.xml is not set correctly, all other
+            # data is equal
             sv2p = self.monitor_processes[monitor_process.process_id]
             if self.monitor_processes[monitor_process.process_id] != vmray_monitor_process:
                 logger.debug("processes differ: %s (sv2) vs. %s (flog)", sv2p, vmray_monitor_process)
-                assert (sv2p.pid, sv2p.monitor_id, sv2p.origin_monitor_id) == (
-                    vmray_monitor_process.pid,
-                    vmray_monitor_process.monitor_id,
-                    vmray_monitor_process.origin_monitor_id,
-                )
+                # we need, at a minimum, for the process id and monitor id to match, otherwise there is likely a bug
+                # in the way that VMRay tracked one of the processes
+                assert (sv2p.pid, sv2p.monitor_id) == (vmray_monitor_process.pid, vmray_monitor_process.monitor_id)
     def _compute_monitor_threads(self):
         for monitor_thread in self.flog.analysis.monitor_threads:
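Review bot: The unchanged context comment `# to ensure this, we compare the pid, monitor_id, and origin_monitor_id` is now stale — the new assert compares only `pid` and `monitor_id`, and the added comment lists origin monitor id among the fields that may legitimately differ, so the two comments contradict each other. Change it to `# to ensure this, we compare the pid and monitor_id; other fields are allowed to differ` so a later reader does not reinstate the origin_monitor_id check. Separately, this is a consistency check between two sandbox-produced inputs (SummaryV2.json and flog.xml, per the comment) and `assert` is stripped under `python -O`, so a mismatch would then pass silently and the mismatched record would be used; consider `if (sv2p.pid, sv2p.monitor_id) != (vmray_monitor_process.pid, vmray_monitor_process.monitor_id): raise ValueError(f"monitor process mismatch: {sv2p} (sv2) vs. {vmray_monitor_process} (flog)")` instead. The enclosing method starts before the hunk, and `_compute_monitor_threads` continues past it.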