Trojan Downloader Detected - CIS Critical Security Controls

kent_farries
Path Finder

Windows Defender or SCEP detects the CIS Critical Security Controls application as a Trojan called TrojanDownloader:JS/Nemucod.

https://splunkbase.splunk.com/app/3064/

Can the owner of the application verify this for us?

Windows Defender Version Details
Antimalware Client Version: 4.10.14393.0
Engine Version: 1.1.12902.0
Antivirus definition: 1.225.3072.0
Antispyware definition: 1.225.3072.0
Network Inspection System Engine Version: 2.1.12706.0
Network Inspection System Definition Version: 116.18.0.0

1 Solution

aperez_splunk
Splunk Employee

Hi kent_farries,

App author here - thank you very much for the outreach on this.

Based on your question above, I submitted a freshly-downloaded (and SHA-256 verified) copy of the app to VirusTotal for analysis and received the attached report.

In short, this appears to be a false positive detection from Microsoft and CAT-QuickHeal. 51 other AV scanners report the app to be benign.

VirusTotal_CISapp_results.pdf

Hope this helps and thanks again for your outreach,
AP

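Two checks underpin the answer above: confirming that the downloaded package matches the published SHA-256 before anyone installs it, and reading a multi-engine scan report as a ratio rather than a single verdict. The following is an added illustration, not code from the thread or from the app author. It hashes a constructed byte string standing in for the package, compares it against an expected digest, and triages a constructed per-engine verdict table shaped like a multi-scanner report (engine name mapped to category and result). The engine count mirrors the thread (two detections, 51 clean); the CAT-QuickHeal detection name is a placeholder, and the triage thresholds are an arbitrary heuristic for this example, not VirusTotal's or Splunk's.

```python
import hashlib
import hmac
import io
from collections import Counter

# Constructed stand-in for a downloaded app package; not the real CIS app bytes.
SAMPLE_PACKAGE = b"constructed-splunk-app-package-bytes\n" * 64


def sha256_of_stream(stream, chunk_size=1 << 16):
    """Hash a file-like object in chunks so large packages never sit fully in memory."""
    digest = hashlib.sha256()
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        digest.update(chunk)
    return digest.hexdigest()


def sha256_hex(data):
    """Convenience wrapper for in-memory bytes."""
    return sha256_of_stream(io.BytesIO(data))


def verify_download(stream, expected_hex):
    """True only when the stream's SHA-256 equals the digest published with the download.

    compare_digest avoids early-exit string comparison; cheap insurance for a hex string.
    """
    actual = sha256_of_stream(stream)
    return hmac.compare_digest(actual.lower(), expected_hex.strip().lower())


def verify_bytes(data, expected_hex):
    """Same check for bytes already in memory."""
    return verify_download(io.BytesIO(data), expected_hex)


# Constructed per-engine verdicts in the shape of a multi-scanner report
# (engine name -> {"category", "result"}), sized to mirror the thread: two engines
# flag the file, 51 report it clean. This is not a real VirusTotal response, and the
# CAT-QuickHeal result string is a placeholder, not its real detection name.
SAMPLE_VERDICTS = {
    "Microsoft": {"category": "malicious", "result": "TrojanDownloader:JS/Nemucod"},
    "CAT-QuickHeal": {"category": "malicious", "result": "PLACEHOLDER-detection-name"},
}
SAMPLE_VERDICTS.update(
    {f"ConstructedEngine{i:02d}": {"category": "undetected", "result": None} for i in range(51)}
)


def summarize_verdicts(results):
    """Count engines per category and list the ones that flagged the file."""
    counts = Counter(v["category"] for v in results.values())
    flagged = sorted(
        (engine, v["result"])
        for engine, v in results.items()
        if v["category"] in ("malicious", "suspicious")
    )
    return {"total": len(results), "flagged": flagged, "counts": dict(counts)}


def assess(results, max_flagging_engines=2, benign_ratio=10):
    """Triage heuristic (thresholds are arbitrary for this example): a couple of
    detections drowned out by dozens of clean verdicts is consistent with a false
    positive; anything beyond that needs a human to look at the sample."""
    summary = summarize_verdicts(results)
    benign = summary["counts"].get("undetected", 0) + summary["counts"].get("harmless", 0)
    if not summary["flagged"]:
        return "clean"
    if (len(summary["flagged"]) <= max_flagging_engines
            and benign >= benign_ratio * len(summary["flagged"])):
        return "likely-false-positive"
    return "investigate"


if __name__ == "__main__":
    published = sha256_hex(SAMPLE_PACKAGE)  # stands in for the digest on the download page
    print("hash ok:", verify_bytes(SAMPLE_PACKAGE, published))
    print("hash ok after tamper:", verify_bytes(SAMPLE_PACKAGE + b"!", published))
    print(summarize_verdicts(SAMPLE_VERDICTS))
    print("assessment:", assess(SAMPLE_VERDICTS))
```

The hash check is the part worth keeping in a deployment runbook: it lets an operator confirm the artifact is the one the vendor published without turning off endpoint protection, and the flagged-engine list gives a concrete record to attach when reporting a false positive to a vendor.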

kent_farries
Path Finder

Thank you for checking this for us and we will proceed with the installation by disabling our AV during the download and install process.

If possible, could you reach out to Microsoft? I submitted a request to Microsoft a few weeks back when you released the application, but it seems like they did not take any action.

Once again, thanks for the quick reply.


aperez_splunk
Splunk Employee

Hi again kent_farries,

I'd be happy to forward it to Microsoft and flag the false positive detection. I can't promise that they'll prioritize it, but will push it over later this afternoon.

Good luck with the install and have a great weekend!
AP
