TabularEditor / TabularEditor

This is the code repository and issue tracker for Tabular Editor 2.X (free, open-source version). This repository is being maintained by Daniel Otykier.
https://tabulareditor.com
MIT License

IT security team rejected Tabular Editor #759

Open TonyRitter-Beacon opened 3 years ago

TonyRitter-Beacon commented 3 years ago

My IT security team rejected Tabular Editor with the following concern.

Here is additional information regarding the rejection of your Software Request RITM0140368: "2 matches for rule Suspicious MsiExec Directory by Florian Roth from Sigma Integrated Rule Set (GitHub). There are 4 IPs that it contacts, one of which contacted a known source for malware."

Any ideas or thoughts on these concerns?

otykier commented 3 years ago

Here is a list of URLs that are present in the source code:

In addition, the Best Practice Analyzer may fetch a rule definition file (JSON) from any URL, if so specified within a model.

I have no idea what the concern is referring to. Perhaps the github.com domain is a "known source for malware". Make of it what you will.

matt40k commented 3 years ago

@TonyRitter-Beacon Were they able to explain the rejection? Looks like they've just rejected it because of a rule without understanding it. The rule looks like it's something to do with the fact that it's hosted on GitHub?

The MsiExec makes me think it's something to do with the installer - are they happy with the portal version?

otykier commented 3 years ago

@TonyRitter-Beacon is there an update on this? Can we close this issue?

cooslaz commented 6 months ago

SecOps found several contacted IPs linked to the Cloudflare hosting provider, which has been found with malicious URL usage by some of its hosted customers. Contacted IPs:

- 104.18.20.226 <-- Flagged
- 104.18.21.226 <-- Flagged
- 104.18.38.233 <-- Flagged
- 172.64.149.23 <-- Flagged
- 8.8.8.8 <-- Flagged

References:

- https://www.virustotal.com/gui/file/bba2b06fd95f3cc16afdf0625d9ef6c1986d825b5aeb7db946eaf7cccd373273
- https://www.virustotal.com/gui/ip-address/172.64.149.23/details
- https://www.abuseipdb.com/check/104.18.20.226
- https://otx.alienvault.com/indicator/ip/104.18.20.226

During a preliminary security check, SecOps identified that several IP addresses contacted by the software were linked to the hosting provider Cloudflare. Despite these IPs being associated with a provider known to host malicious URLs used by some of its clients, the initial assessment considered this situation as not immediately alarming. This SecOps viewpoint is based on the understanding that Cloudflare is a widely used hosting service, and its infrastructure is commonly leveraged by a vast array of users, including both legitimate entities and malicious actors. Given Cloudflare's extensive client base, encountering IPs associated with their service that have links to malicious activities does not necessarily indicate a direct threat or compromise of security. It reflects the reality of the modern internet ecosystem, where the services of major hosting providers are utilised by a wide spectrum of users. This underscores the importance of more nuanced security evaluations that can differentiate between mere association with a broadly used service and specific actions or connections that constitute a genuine security threat.
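To make the distinction the comment above draws concrete, here is a small triage helper added as an example for this thread (not code from Tabular Editor or from any commenter). It sorts the contacted IPs quoted in the thread into shared-CDN addresses, well-known public resolvers, and addresses that actually merit review; the Cloudflare ranges are an embedded snapshot assumed from Cloudflare's published list and should be refreshed from https://www.cloudflare.com/ips-v4 before use.

```python
import ipaddress

# Snapshot of Cloudflare's published IPv4 ranges (assumption: taken from
# https://www.cloudflare.com/ips-v4; refresh before relying on it).
CLOUDFLARE_V4 = [ipaddress.ip_network(n) for n in (
    "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22", "104.16.0.0/13",
    "104.24.0.0/14", "108.162.192.0/18", "131.0.72.0/22", "141.101.64.0/18",
    "162.158.0.0/15", "172.64.0.0/13", "173.245.48.0/20", "188.114.96.0/20",
    "190.93.240.0/20", "197.234.240.0/22", "198.41.128.0/17",
)]

# Well-known public DNS resolvers; traffic here is ordinary name resolution.
PUBLIC_RESOLVERS = {"8.8.8.8", "8.8.4.4", "1.1.1.1", "1.0.0.1"}


def classify(ip_str):
    """Return 'public-resolver', 'shared-cdn' or 'review' for one IPv4/IPv6 address."""
    ip = ipaddress.ip_address(ip_str)
    if ip_str in PUBLIC_RESOLVERS:
        return "public-resolver"
    if any(ip in net for net in CLOUDFLARE_V4):
        return "shared-cdn"
    return "review"


def triage(contacted):
    """Map each contacted IP to a verdict.

    A multi-tenant edge IP carries almost no signal on its own: the same address
    fronts thousands of unrelated sites, so the hostname (SNI) the software
    actually connected to is what a reviewer should capture and assess next.
    Only addresses outside known shared infrastructure are marked for review.
    """
    return {ip: classify(ip) for ip in contacted}


def needs_review(contacted):
    """Return only the addresses that are not explained by shared infrastructure."""
    return [ip for ip, verdict in triage(contacted).items() if verdict == "review"]


# Constructed input: the five addresses quoted in the comment above.
FLAGGED = ["104.18.20.226", "104.18.21.226", "104.18.38.233", "172.64.149.23", "8.8.8.8"]

if __name__ == "__main__":
    for ip, verdict in triage(FLAGGED).items():
        print(f"{ip:15} {verdict}")
    print("needs review:", needs_review(FLAGGED) or "none")
```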