Windows defender flagging RESPONSE-955-WEB-SHELLS.conf as malware Backdoor:PHP/Dirtelti.MTJ #3603
Comments
ouhwebteam
changed the title
|
Is there a "not" missing in the sentence with Sophos? The file is cool, but I'm not surprised that one of the webshell patterns is flagged as backdoor ... |
|
@ouhwebteam Hi. Thanks for reporting this but this is normal behavior. Files It is safe to use it. I recommend to whitelist that file in Windows Defender (or other antivirus software). |
|
I doubt there is something we can do. What you could try to help us is to play around with the patterns in question and tell you which string exactly triggers the alert. |
indeed apologies. I'll edit the issue |
I'll see what I can do. We've cleared all the files from the server, but I'll see if server team have kept the alert message that came through. |
Thanks for replying, I'll see what the cyber team say, they might allow that. |
@ouhwebteam It was probably one of these patterns: |
|
I've emailed the central team to see if they have access to any more detail on the alert and to see if we can look into whitelisting the file
I've emailed the central team to see if they have access to any more detail on the alert and to see if we can look into whitelisting the file |
|
@ouhwebteam Any news? Thanks. |
Apologies for not updating this thread. The National Cyber Security Operation Centre (CSOC). They agree that this is appears to be a false positive and have replied with some possibilities about setting up exclusions, but, given the infrastructure, they don't look simple, so I've referred the email onto out cyber team for comment. At the moment we will not be able to upgrade the ruleset, but I'm hopeful this might change in the future. |
|
@ouhwebteam Would be it possible to get more information about which pattern was detected by antivirus software? We will probably be able to modify it so it's not doing such problems. Thanks. |
|
Good day, I also receive malware response from Windows Defender: Backdoor:PHP/Remoteshell.B Backdoor:PHP/Chopper.B!dha Backdoor:PHP/Dirtelti.MTJ using latest 4.2.0 version |
|
@yshupletsov Can you try it with this file? https://raw.githubusercontent.com/azurit/coreruleset/WebShells/rules/RESPONSE-955-WEB-SHELLS.conf |
|
@azurit , no problems with that file |
|
Honestly, I'm surprised we do not get more reports like this. There is little we can do outside of trying to work around the detection by changing our patterns so the engine will no longer detect our payload. Sounds a bit too familiar to me. But I also think this is a futile endeavor since we would be running after the malware detection engines with our patterns. I think it's better they create exclusions for CRS. Either way, I suggest we close this. |
|
Will be closed automatically after merging #3687. |
|
Good day, any updates on this task? |
|
We still haven't managed to configure our security measures to whitelist the files yet due to complications this end. As far as I am concerned, everything has been answered here so this can be closed, unless someone feels the need to keep it open. |
|
@ouhwebteam Thanks for reporting back. This will be closed automatically probably today (after fix is merged). |
I use the ruleset on mod_security IIS. I just tried to upload the latest ruleset to our web server and Windows Defender flagged the file RESPONSE-955-WEB-SHELLS.conf as containing Backdoor:PHP/Dirtelti.MTJ.
I scanned the file with Sophos locally before uploading and it did not alert. I've subsequently run the file through A number of vendors and the only one alerting is Microsoft. Are to able to confirm this is a false positive.
For now I'll continue to run V3.3.5.
Thanks
The text was updated successfully, but these errors were encountered: