Malware Detection - False Positive? test_upx.exe #12950
Version: 2.4.60
Installation Method: Security Onion ISO image
Description: other (please provide detail below)
Installation Type: other (please provide detail below)
Location: on-prem with Internet access
Hardware Specs: Meets minimum requirements
CPU: 4
RAM: 8
Storage for /: 100
Storage for /nsm: 60
Network Traffic Collection: other (please provide detail below)
Network Traffic Speeds: 1Gbps to 10Gbps
Status: Yes, all services on all nodes are running OK
Salt Status: No, there are no failures
Logs: No, there are no additional clues

Detail:
Just a generic question regarding a file that was detected by our malware solution. It looks like the ISO file itself was scanned and a file was determined to be potentially malicious via a heuristic check. I saw in the documentation that this can happen; however, this particular file was not listed in the indicated Strelka rules directory, so I wanted to proactively ask about it, since my security team will want as much information as possible, and I couldn't actually find the file in the ISO.

The file detected was called "test_upx.exe", and the path is listed as "securityonion-2.4.60-20240320.iso\REGISTRY.TAR;1\data\data\test_upx.exe". This path does not appear to exist on the mounted ISO, so I am thinking that the scanner was confused while trying to scan the ISO, likely because it was a Windows-based scanner.

That being said, this test_upx.exe file: is anyone able to confirm what this file is, what it does, and whether it is known/legitimate? Given the "Registry.tar" in the path, I assume it is related to one of the Docker images? I couldn't find it to try to extract any information.
Replies: 1 comment 1 reply
Here's the relevant sentence from https://docs.securityonion.net/en/2.4/download.html:
test_upx.exe is part of the Docker image for Strelka:
Here's the relevant sentence from https://docs.securityonion.net/en/2.4/download.html:
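As an added example (not code from the Security Onion project or from either poster), the following Python walks a Docker registry tarball of the kind the scanner reported, descends into any blob that itself parses as a (possibly gzipped) tar layer, and records the sha256 of every file carrying the queried name, so the actual file behind a hit like "REGISTRY.TAR\data\data\test_upx.exe" can be located and handed to a security team for verification. The registry layout, blob digest and file payload below are constructed placeholders, not the real image contents.

```python
import hashlib
import io
import tarfile


def _make_tar(entries: dict[str, bytes], gz: bool = False) -> bytes:
    """Build an in-memory tar (optionally gzipped) from {name: bytes}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz" if gz else "w") as tf:
        for name, data in entries.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed sample: a registry-v2 layout where one blob named "data" is a
# gzipped layer tar that contains data/test_upx.exe (placeholder bytes, not a
# real executable), plus a plain-text manifest link blob that is not an archive.
SAMPLE_PAYLOAD = b"MZ-constructed-placeholder-not-a-real-binary"
EXPECTED_SHA256 = hashlib.sha256(SAMPLE_PAYLOAD).hexdigest()
LAYER_TGZ = _make_tar({"data/test_upx.exe": SAMPLE_PAYLOAD}, gz=True)
REGISTRY_TAR = _make_tar({
    "docker/registry/v2/blobs/sha256/ab/abcd1234/data": LAYER_TGZ,  # hypothetical digest
    "docker/registry/v2/repositories/strelka/_manifests/tags/latest/current/link":
        b"sha256:abcd1234",
})


def find_files(tar_bytes: bytes, target: str, prefix: str = "") -> dict[str, str]:
    """Return {nested/path: sha256} for every regular file whose basename is
    `target`, recursing into any blob that opens as a tar (gzip is auto-detected)."""
    found: dict[str, str] = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tf:
        for member in tf.getmembers():
            if not member.isfile():
                continue
            data = tf.extractfile(member).read()
            path = f"{prefix}{member.name}"
            if member.name.rsplit("/", 1)[-1] == target:
                found[path] = hashlib.sha256(data).hexdigest()
                continue
            try:
                found.update(find_files(data, target, prefix=path + "/"))
            except tarfile.TarError:
                pass  # ordinary blob (manifest, config JSON), not a nested archive
    return found


if __name__ == "__main__":
    for path, digest in find_files(REGISTRY_TAR, "test_upx.exe").items():
        print(f"{digest}  {path}")
```

Pointing `find_files` at the bytes of the ISO's REGISTRY.TAR gives the layer path and hash to compare against the scanner's report.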