Malware Detection - False Positive? test_upx.exe

[jdonovan1013]

Version

2.4.60

Installation Method

Security Onion ISO image

Description

other (please provide detail below)

Installation Type

other (please provide detail below)

Location

on-prem with Internet access

Hardware Specs

Meets minimum requirements

CPU

4

RAM

8

Storage for /

100

Storage for /nsm

60

Network Traffic Collection

other (please provide detail below)

Network Traffic Speeds

1Gbps to 10Gbps

Status

Yes, all services on all nodes are running OK

Salt Status

No, there are no failures

Logs

No, there are no additional clues

Detail

Just a generic question regarding a file that was detected by our malware solution. It looks like the ISO file itself was scanned and a file was determine to be potentially malicious via a heuristic check. I saw in the documentation that this can happen, however, this particular file was not listed in the indicated Strelka rules directory, so I wanted to proactively ask about it since my security team will want as much information as possible, and I couldn't actually find the file in the ISO.

The file detected was called "test_upx.exe", and the path is listed as "securityonion-2.4.60-20240320.iso\REGISTRY.TAR;1\data\data\test_upx.exe". This path does not appear to exist on the mounted ISO, so I am thinking that the scanner was confused while trying to scan the ISO, likely because it was a Windows-based scanner.

That being said, this test_upx.exe file - Is anyone able to confirm what this file is, what it does, and whether it is known/legitimate? Given the "Registry.tar" in the path I assume it is related to one of the Docker images? I couldn't find it to try to extract any information.

Guidelines

• I have read the discussion guidelines at Read before posting! #1720 and assert that I have followed the guidelines.

[dougburks]

test_upx.exe is part of the Docker image for Strelka:

find / -name test_upx.exe
/var/lib/docker/overlay2/de691cd3ad63ce7c3118aa7774adadaf1535a6094b19a158ca2c1b42b4599374/diff/strelka/strelka/tests/fixtures/test_upx.exe
/var/lib/docker/overlay2/5a14f89ee4fbedd01e5309cd4087e160bda2faec951caa06296af2acaa85c5ff/diff/strelka/strelka/tests/fixtures/test_upx.exe

Here's the relevant sentence from https://docs.securityonion.net/en/2.4/download.html:

In some cases, the alert may be for a sample EXE that is included in Strelka but again a false positive.

[jdonovan1013]

Ah, I missed that part. Thanks Doug!