Open SummaCumWilly opened 3 years ago
The normal cause of false positives like this is that some malware makes use of a library, and the AV vendor has just blindly added every single file.
Most of the heavy lifting is done using secrets and hashlib... does your shell get killed if you just fire up a repl and do something like:
```python
import hashlib
import string
import secrets

# Build a 10-character random token from letters and digits using the CSPRNG
foo = "".join(secrets.choice(string.ascii_letters + string.digits) for _ in range(10))
# Hash the token with SHA-1 and print the hex digest
print(hashlib.sha1(foo.encode('utf-8')).digest().hex())
```
Surprisingly (to me, at least) this does not kill it.
From Sentinel they said this was a false positive. The alert was flagged for this: THREAT INDCATOR(S) Evasion • Attempt to evade monitoring using the Process hollowing technique. • MITRE : Privilege Escalation [T1055.012] • MITRE : Defense Evasion [T1055.012]
I don't know if other folks have/will run into this or not, but I just want to mark it down.
When I call this library inside my WSL2 Debian box, my WSL session gets killed by SentinelOne due to a `windows.penetration` event in the detection engine with a "Malware detected!" alert. SentinelOne is looking into it for further details. I'll update this if I get any meaningful further information.