Graylog2 / collector-sidecar

Manage log collectors through Graylog
https://www.graylog.org/

Malware flagged on Latest Windows Binary #408

Closed alvinckenba closed 2 years ago

alvinckenba commented 3 years ago

Problem description

Detected:

PUA:Win32/Presenoker With Microsoft Defender

on downloaded windows binary: graylog_sidecar_installer_1.1.0-1.exe

Steps to reproduce the problem

  1. Download Windows Binary

Environment

malcyon commented 3 years ago

My first impression is that this is a false positive. It's probably catching it because the Sidecar allows the Graylog server to update config files on the machine.

Related to #360

boosty commented 2 years ago

Related community post: https://community.graylog.org/t/sidecar-signed-windows-binary/21890

malcyon commented 2 years ago

@boosty Can I assume that getting the binary signed is an important first step to getting the malware flagging issue fixed? That does sort of make sense, but I'm just making sure.

I installed signtool on a Windows VM, and it's definitely not signed.


We build this on Linux, though. This tool might be a good option for signing:

https://github.com/mtrojnar/osslsigncode
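The signtool check above can be reproduced without Windows tooling by reading the PE header directly: Authenticode data is referenced from data directory entry 4 (IMAGE_DIRECTORY_ENTRY_SECURITY), and an empty entry means the binary is unsigned. This is an added example, not part of the collector-sidecar project; the PE layout it relies on is the standard one, and the sample image it builds is a constructed header stub, not the Graylog installer.

```python
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4   # index of the Authenticode table entry


def authenticode_table(data: bytes):
    """Return (file_offset, size) of the WIN_CERTIFICATE table, or None if unsigned."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE\\0\\0 signature")
    opt_hdr = e_lfanew + 4 + 20              # skip PE signature and COFF file header
    magic, = struct.unpack_from("<H", data, opt_hdr)
    if magic == 0x10B:                       # PE32: data directories start at +96
        dirs = opt_hdr + 96
    elif magic == 0x20B:                     # PE32+: data directories start at +112
        dirs = opt_hdr + 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    # Unlike every other directory, the security entry holds a raw file offset, not an RVA.
    off, size = struct.unpack_from("<II", data, dirs + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    if off == 0 or size == 0:
        return None
    if off + size > len(data):
        raise ValueError("security directory points past end of file")
    return off, size


def is_signed(data: bytes) -> bool:
    """True when the file carries an Authenticode table (presence only, not validity)."""
    return authenticode_table(data) is not None


def fake_win_certificate(payload: bytes) -> bytes:
    """Constructed WIN_CERTIFICATE header: dwLength, wRevision=0x0200, wCertificateType=PKCS#7."""
    return struct.pack("<IHH", 8 + len(payload), 0x0200, 0x0002) + payload


def build_sample_pe(cert_blob: bytes = b"") -> bytes:
    """Constructed minimal PE32+ header (not runnable code) used only as parser input."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)   # SizeOfOptionalHeader=240
    opt = struct.pack("<H", 0x20B) + b"\0" * 110                      # magic plus the rest of the fixed header
    header_len = len(dos) + 4 + len(coff) + len(opt) + 16 * 8
    dirs = bytearray(16 * 8)
    if cert_blob:                            # point entry 4 at the blob appended after the headers
        struct.pack_into("<II", dirs, 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, header_len, len(cert_blob))
    return dos + b"PE\0\0" + coff + opt + bytes(dirs) + cert_blob
```

Run `is_signed(open("graylog_sidecar_installer_1.1.0-1.exe", "rb").read())` against a real download; a `True` result only says a table is present, so validating the chain still needs signtool or osslsigncode.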

boosty commented 2 years ago

Hi @malcyon,

I don't have experience with this, but based on the following post, signing the file seems to be the fastest (not the only) way to let Microsoft trust it: https://stackoverflow.com/a/66582477

But I think a bit more research would be good. For a start, you could probably submit the file to Microsoft to see the current result: https://www.microsoft.com/en-us/wdsi/filesubmission

FWIW, VirusTotal does not report the current version as malicious: https://www.virustotal.com/gui/file/55693ad815021985d8ecc733e918e285dc892233035b6dcac9c11b480bf1af42/details

And while VirusTotal shows the missing signature, the impact on the detection is unclear to me:

malcyon commented 2 years ago

@boosty I think for signing the binary, we need a Code Signing certificate:

https://www.globalsign.com/en/code-signing-certificate

I am not sure if we already have one.

malcyon commented 2 years ago

FYI I submitted the installer to the Microsoft site for Defender, and it shows "No malware detected" for definition 1.355.1515.0.

boosty commented 2 years ago

@malcyon Cool! Then I think we should close this. We can reopen if someone still gets the warning on Windows.

And let's handle the code signing as a separate topic (as discussed).