
Windows defender possible false positive #503

Open
okleinschmidt opened this issue Jan 16, 2025 · 2 comments
Assignees
Labels
reporter/community Issue reported by the community

Comments

@okleinschmidt

Wazuh version: 4.9.2
Component: wazuh-agent
Install type: Agent
Install method: Packages
Platform: Windows 10

Hello,

Windows 10 Agents are experiencing an issue where Windows Defender is blocking the Agent installation due to a trojan detection. We believe this is a false positive.

The trojan, Script/Phonzy.A!ml, will be detected during the decompression process in sysmon_eid_1.ini.

Thanks,
Ole

@vikman90 vikman90 self-assigned this Jan 16, 2025
@vikman90 vikman90 added the reporter/community Issue reported by the community label Jan 16, 2025
@vikman90
Member

Dear Ole,

Thank you for reaching out to us. Regarding the issue you've reported, are you referring to the following installer?

We are currently analyzing the installer. Here is what we have verified so far:

  1. Antivirus Scanning: We have scanned the installer using 61 antivirus engines, including Microsoft Defender, on VirusTotal. No detections were reported:
    https://www.virustotal.com/gui/file/88b40d63185d308c898dc237b0d5ba0ee1ca2ab41e6b38db28d1d6b3b20a616d.
  2. Package Signing: Both the MSI package and the executable files (.exe and .dll) included within are signed. This signature should enhance trust with antimalware solutions.
  3. File sysmon_eid_1.ini: The file you mentioned is part of the source code repository, used as testing support for the Wazuh Manager. It is neither installed on the agent nor included in the MSI package.

Could you please confirm:

  • How you obtained the installer?
  • Whether you followed any procedure different from the one described in the official documentation?

Thank you again for your report. Looking forward to your response to assist you further.

Best regards,
Vikman
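
The three checks listed in the reply above (hash against the VirusTotal entry, Authenticode signatures on the MSI and the binaries it carries, and whether sysmon_eid_1.ini is actually inside the package) can be reproduced on the affected machine with the PowerShell below. This is an added example, not Wazuh's code and not part of the issue. It assumes the installer was saved to C:\Temp\wazuh-agent-4.9.2.msi (path assumed), takes the expected SHA-256 from the VirusTotal URL in the reply, and uses the Defender module's Get-MpThreat cmdlet, which needs an elevated session, to list which file the detection was attached to.

```powershell
# Added example (not from the Wazuh project or this issue): reproduce the
# verification steps from the reply on a Windows 10 agent host.
# Assumptions: $MsiPath is a placeholder; $ExpectedSha256 is the hash in the
# VirusTotal link quoted in the reply.
param(
    [string]$MsiPath        = 'C:\Temp\wazuh-agent-4.9.2.msi',
    [string]$ExpectedSha256 = '88b40d63185d308c898dc237b0d5ba0ee1ca2ab41e6b38db28d1d6b3b20a616d'
)
$ErrorActionPreference = 'Stop'

# 1. Hash: is the file on disk the same sample VirusTotal analysed?
$actual = (Get-FileHash -Path $MsiPath -Algorithm SHA256).Hash.ToLowerInvariant()
if ($actual -ne $ExpectedSha256.ToLowerInvariant()) {
    Write-Warning "SHA-256 mismatch: $actual (not the file VirusTotal scanned)"
} else {
    'SHA-256 matches the VirusTotal sample'
}

# 2. Authenticode signature on the MSI itself.
$sig = Get-AuthenticodeSignature -FilePath $MsiPath
'MSI signature: {0} ({1})' -f $sig.Status, $sig.SignerCertificate.Subject

# 3. Package contents: read the File table through the Windows Installer COM
#    API without installing anything, then look for sysmon_eid_1.ini.
$installer = New-Object -ComObject WindowsInstaller.Installer
$db   = $installer.GetType().InvokeMember('OpenDatabase', 'InvokeMethod', $null, $installer, @($MsiPath, 0))
$view = $db.GetType().InvokeMember('OpenView', 'InvokeMethod', $null, $db, @('SELECT FileName FROM File'))
$view.GetType().InvokeMember('Execute', 'InvokeMethod', $null, $view, $null)
$files = @()
while ($true) {
    $rec = $view.GetType().InvokeMember('Fetch', 'InvokeMethod', $null, $view, $null)
    if ($null -eq $rec) { break }
    # FileName is stored as "short|long"; keep the long name when present.
    $name = $rec.GetType().InvokeMember('StringData', 'GetProperty', $null, $rec, @(1))
    $files += ($name -split '\|')[-1]
}
$view.GetType().InvokeMember('Close', 'InvokeMethod', $null, $view, $null)
'Files in MSI File table: {0}' -f $files.Count
if ($files -contains 'sysmon_eid_1.ini') { Write-Warning 'sysmon_eid_1.ini IS in the package' }
else { 'sysmon_eid_1.ini is not listed in the File table' }

# 4. Administrative install extracts the payload to a folder (nothing is
#    installed); check the signature of every .exe and .dll inside.
$extract = Join-Path $env:TEMP ('msi-check-' + [guid]::NewGuid())
Start-Process msiexec.exe -ArgumentList "/a `"$MsiPath`" /qn TARGETDIR=`"$extract`"" -Wait
Get-ChildItem -Path $extract -Recurse -Include *.exe, *.dll |
    Get-AuthenticodeSignature |
    Select-Object @{n = 'File'; e = { Split-Path $_.Path -Leaf }}, Status,
                  @{n = 'Signer'; e = { $_.SignerCertificate.Subject }} |
    Format-Table -AutoSize

# 5. What did Defender actually flag? The Resources field holds the path(s)
#    the detection was attached to, which can be compared with the list above.
Get-MpThreat | Where-Object ThreatName -like '*Phonzy*' |
    Select-Object ThreatName, IsActive, @{n = 'Resources'; e = { $_.Resources -join '; ' }} |
    Format-List
```

Step 5 is the one that settles the question the reply raises: if the resource path Defender recorded is not a file the MSI's File table contains, the detection came from somewhere other than the package (a separate download of the repository, for example), and that is what to report back.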

@okleinschmidt
Author

Hi Vikman,

Thank you so much for your quick reply. Sorry for the long wait. I am still waiting for answers from my colleague. :-(

Best regards,
Ole
