Commit ef0d372

Addressing a few comments
1 parent 190164c commit ef0d372

3 files changed

Lines changed: 3 additions & 3 deletions

csharp/ql/src/experimental/Security Features/backdoor/PotentialTimeBomb.qhelp

Lines changed: 1 addition & 1 deletion
@@ -3,7 +3,7 @@
33
"qhelp.dtd">
44
<qhelp>
55
<overview>
6-
<p>This query checks for data flow from a file's last modification date and a condition statement that controls code execution. A malicious actor could have implanted code that triggers after a certain time, leading to a "time bomb".</p>
6+
<p>This query detects situations in which an offset to a last file modification time is used to conditionally execute a particular block of code. This is a common pattern in backdoors, where the file's modification timestamp is the time at which the backdoor was planted, and the time offset is used as a time bomb before a particular code block is executed.</p>
77
</overview>
88

99
<recommendation>
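Review bot: the new overview sentence in the `+` line reads awkwardly: "an offset to a last file modification time" should be "an offset from the file's last modification time", and "the time offset is used as a time bomb before a particular code block is executed" would be clearer as "the offset acts as a delay (the time bomb) before that code block executes". The replaced `-` line also stated what the query actually models, namely data flow from the modification date into a condition that controls execution; consider keeping that phrasing so readers understand the detection is flow-based rather than a search for a specific API.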

csharp/ql/src/experimental/Security Features/campaign/Solorigate/ModifiedFnvFunctionDetection.qhelp

Lines changed: 1 addition & 1 deletion
@@ -3,7 +3,7 @@
33
"qhelp.dtd">
44
<qhelp>
55
<overview>
6-
<p>In Solorigate, the malicious code tried to evade various security detection software by comparing hashes of the process names against an embedded list of values. The malicious code included hash values calculated using a standard FNV-1A 64-bit hash with an additional XOR by a literal after computing the FNV-1A.</p>
6+
<p>In Solorigate, the malicious code tried to evade various security detection software by comparing hashes of the process names against an embedded list of values. The malicious code used in the SolarWinds attack included hash values calculated using a standard FNV-1A 64-bit hash with an additional XOR by a literal after computing the FNV-1A.</p>
77
<p>This query detects FNV-like hash calculations where there is an additional XOR (with any static value) after the hash calculation loop.</p>
88
</overview>
99

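Review bot: the `+` line now says "the malicious code" twice in consecutive sentences, and "used in the SolarWinds attack" is appended to the second sentence even though the first already scopes the paragraph to Solorigate; fold the qualifier into the first mention instead, e.g. "In Solorigate (the SolarWinds supply-chain attack), the malicious code tried to evade ...", and start the second sentence with "It included hash values ...". Minor style point: the algorithm is conventionally written "FNV-1a" (lowercase a), so "FNV-1A" should be normalised here and in the following sentence's "FNV-like".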
csharp/ql/src/experimental/Security Features/campaign/Solorigate/NumberOfKnownCommandsAboveThreshold.ql

Lines changed: 1 addition & 1 deletion
@@ -1,6 +1,6 @@
11
/**
22
* @name Number of Solorigate-related command names in enum is above the threshold
3-
* @description The enum contains several values that look similar to command and control command names, which may indicate that the code may have been tampered by an external agent.
3+
* @description The enum contains several values that look similar to command and control command names, which may indicate that the code may have been tampered with by an external agent.
44
* It is recommended to review the code and verify that there is no unexpected code in this project.
55
* @kind problem
66
* @tags security
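Review bot: the `+` line fixes "tampered by" to "tampered with by" but keeps a double hedge, "which may indicate that the code may have been tampered with"; one "may" is enough, e.g. "which may indicate that the code has been tampered with by an external agent." Also, since the @description continues onto line 4 ("It is recommended to review the code ..."), consider indenting the continuation to match the first line so it is clearly part of the same QLDoc tag.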
