From 4a351edc6d1460887a90cdfff09e97c129845941 Mon Sep 17 00:00:00 2001 From: Evan Gibler <20933572+egibs@users.noreply.github.com> Date: Mon, 30 Dec 2024 12:23:31 -0600 Subject: [PATCH] Add malware disclaimer (#728) * Add malware disclaimer Signed-off-by: egibs <20933572+egibs@users.noreply.github.com> * Improve list delineation Signed-off-by: egibs <20933572+egibs@users.noreply.github.com> * Address PR comments Signed-off-by: egibs <20933572+egibs@users.noreply.github.com> * Add missing period Signed-off-by: egibs <20933572+egibs@users.noreply.github.com> --------- Signed-off-by: egibs <20933572+egibs@users.noreply.github.com> --- README.md | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/README.md b/README.md index d47d23acd..4e0fb7c7c 100644 --- a/README.md +++ b/README.md @@ -35,6 +35,16 @@ malcontent has 3 modes of operation: malcontent is at its best analyzing programs that run on Linux. Still, it also performs admirably for programs designed for other UNIX platforms such as macOS and, to a lesser extent, Windows. +## ⚠️ Malware Disclaimer ⚠️ + +Due to how malcontent operates, other malware scanners can detect malcontent as malicious. + +Programs that leverage Yara rules will often see other programs that also use Yara rules as malicious due to the strings looking for problematic behavior(s). + +For example, Elastic's agent has historically detected malcontent because of this: https://github.com/chainguard-dev/malcontent/issues/78*. + +> \*Additional scanner findings can be seen in [this](https://www.virustotal.com/gui/file/b6f90aa5b9e7f3a5729a82f3ea35f96439691e150e0558c577a8541d3a187ba4/detection) VirusTotal scan. + ## Features * 14,500+ [YARA](YARA) detection rules
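Review bot: In the added line that cites issue 78, the footnote marker is attached directly to a bare URL (`https://github.com/chainguard-dev/malcontent/issues/78*.`), so a correct link depends on the renderer trimming the trailing `*.` during autolinking. An explicit link such as `[issue #78](https://github.com/chainguard-dev/malcontent/issues/78)` with the marker placed after the closing parenthesis avoids that. The footnote line itself links a single VirusTotal file hash behind the text "this" without saying which release or binary was scanned, so a reader cannot tell whether the result applies to the version they hold. Naming the artifact and version in the link text would fix that. The new paragraphs spell the name "Yara" while the unchanged Features line just below uses "YARA", so pick one spelling. Finally, the section tells readers that detections are expected but not how to tell an expected detection from a tampered binary. One sentence on confirming that a flagged file is the genuine release (for example, by comparing its hash against a published one) would make the disclaimer actionable.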