Alert Manager Enterprise - Malware Detection vsw.exe
All,
Our SentinelOne EDR started detecting Alert Manager Enterprise's vsw.exe as malware https://www.virustotal.com/gui/file/1cb09276e415c198137a87ba17fd05d0425d0c6f1f8c5afef81bac4fede84f6a....
Anyone else run into this before I start digging into this? Is there a proper course of action Splunkbase would like if this ends up being positive?
Thanks,
-Daniel
The binary is used for verifying the signature of the license key. We have already contacted all vendors listed on VirusTotal. Only the Windows version is affected.
If you do not utilize Windows, you can safely remove the binary. Furthermore, if you are a customer of SentinelOne or another vendor, kindly contact them to flag the binary as safe.

We're also seeing similar results in our organization. Got flagged for the same binary yesterday. No mention of the binaries or their usage in the AME documentation, but it is used for license validation in the product. You can see the Python script here where they are referenced and license validation occurs.
alert_manager_enterprise\lib\ame\utilities\LicenseValidatorUtility.py
I'm not entirely sure where else the binaries are being referenced at this time but without access to the source code of the binaries (vsl & vsw) we are choosing to take it on face value that they are potentially malicious and acting accordingly. I uploaded vsl to VirusTotal as well but it appears to be coming back clean, for now.
We are working to determine if we want to remove only vsw.exe from our app deployment or remove the app entirely. I have reached out to the developers via the contact information on their website and will report back what they have to say about it.
This is disheartening because I'm a long-time fan of the Alert Manager, and now Alert Manager Enterprise application. I'll continue to monitor this thread for suggested recommendations as the situation evolves.
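A defender-side triage script for the situation in this thread, added here as an example and not code from the app or from any poster: it walks an extracted app directory, identifies native binaries by their PE/ELF headers rather than by file name, hashes them and compares the digests against the VirusTotal SHA-256 quoted above. The directory contents are constructed stand-ins; only the lib/ame/utilities path and the hash come from the thread, and the binaries' real location inside the app is an assumption.

```python
"""Inventory native binaries bundled in a Splunk app and match them against known indicators."""
import hashlib
import tempfile
from pathlib import Path

# SHA-256 of the vsw.exe sample discussed in the thread (the VirusTotal file id quoted above).
FLAGGED_VSW_SHA256 = "1cb09276e415c198137a87ba17fd05d0425d0c6f1f8c5afef81bac4fede84f6a"
MAGIC = {b"MZ": "windows", b"\x7fELF": "linux"}  # PE and ELF header bytes

def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def binary_platform(path: Path):
    """Return 'windows' for PE, 'linux' for ELF, None for anything else."""
    with path.open("rb") as fh:
        head = fh.read(4)
    for magic, platform in MAGIC.items():
        if head.startswith(magic):
            return platform
    return None

def triage_app(app_root: Path, flagged: set) -> list:
    """Hash every native binary under app_root and mark matches against `flagged`."""
    findings = []
    for path in sorted(p for p in app_root.rglob("*") if p.is_file()):
        platform = binary_platform(path)
        if platform is None:
            continue  # scripts, configs, docs: not what the EDR flagged
        digest = sha256_file(path)
        findings.append({"path": path.relative_to(app_root).as_posix(), "platform": platform,
                         "sha256": digest, "flagged": digest in flagged})
    return findings

def make_sample_app() -> Path:
    """Constructed stand-in for an extracted app directory (not the real AME files)."""
    root = Path(tempfile.mkdtemp(prefix="ame_triage_"))
    util = root / "lib" / "ame" / "utilities"  # path named in the thread; binary location assumed
    util.mkdir(parents=True)
    (util / "LicenseValidatorUtility.py").write_text("# placeholder: references vsl / vsw\n")
    (util / "vsw.exe").write_bytes(b"MZ" + b"\x00" * 64)   # fake PE stub, not the flagged sample
    (util / "vsl").write_bytes(b"\x7fELF" + b"\x00" * 64)  # fake ELF stub
    return root

if __name__ == "__main__":
    for f in triage_app(make_sample_app(), {FLAGGED_VSW_SHA256}):
        print(("FLAGGED" if f["flagged"] else "ok"), f["platform"], f["path"], f["sha256"][:16])
```

Point it at a real extracted app and the indicator set at your EDR's hashes to see which bundled binaries match and which platform each one targets, which is the information needed to decide between removing one file and removing the app.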
