Description
A community user sent the following to support@brimdata.io:
Hello Support,
I was surprised when I updated from BRIM to ZUI and my anti-malware program issued a warning. VirusTotal confirmed this warning, which is probably due to the same hash that the anti-malware program vendors use.
Is this related to the installer?
Indeed, the VirusTotal entry for Zui-Setup-1.3.0.exe shows 16 out of 69 vendors flagging it in some way. Here's a partial screenshot of that VirusTotal entry:
The Community tab also shows flagging by some sandboxes.
I spent some time reproducing the Recorded Future Triage result.
When digging into these findings, the tl;dr seems to be that the Suricata rules that ship with Zui (as part of Brimcap) that are used to detect signs of malware are, themselves, being flagged as signs of malware. To test this theory, I manually created a build based on the same code as Zui v1.3.0 but with the Suricata rules dropped. Running that artifact through VirusTotal, the report now shows zero vendors flagging it.
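To make the mechanism concrete, here is an added example that is not Zui's or Brimcap's code: a small parser for Suricata rule lines that decodes each `content:` option to the raw bytes it matches and then checks which of those byte strings occur verbatim in a file, which is roughly what a static byte scanner sees when a ruleset is embedded in an installer. The rules in `SAMPLE_RULES` are constructed for the demonstration and assume nothing about the real ruleset.

```python
import re

# Constructed sample rules (not real Suricata/ET signatures and not the rules
# Brimcap ships), shaped like them: indicator bytes live in content: options.
SAMPLE_RULES = r'''
# comments are skipped
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE Fake Trojan Beacon"; flow:established,to_server; content:"/gate.php?id="; http_uri; content:"User-Agent|3a 20|FakeBot/1.0"; http_header; classtype:trojan-activity; sid:9000001; rev:1;)
alert tcp any any -> any 445 (msg:"EXAMPLE Fake PE Over SMB"; content:"|4d 5a 90 00|"; offset:0; depth:4; sid:9000002; rev:1;)
'''

OPTION_RE = re.compile(r'(\w+):"((?:[^"\\]|\\.)*)"')  # key:"quoted value"
HEX_RE = re.compile(r'\|([0-9a-fA-F\s]+)\|')           # |41 42| hex runs
SID_RE = re.compile(r'\bsid:(\d+)')

def _unescape(s: str) -> bytes:
    # Suricata content escapes: \" \; \: \\
    return re.sub(r'\\([\\";:])', r'\1', s).encode('latin-1')

def content_to_bytes(value: str) -> bytes:
    """Expand a content: value (text mixed with |hex| runs) to the raw bytes matched."""
    out, pos = bytearray(), 0
    for m in HEX_RE.finditer(value):
        out += _unescape(value[pos:m.start()])
        out += bytes.fromhex(m.group(1).replace(' ', ''))
        pos = m.end()
    out += _unescape(value[pos:])
    return bytes(out)

def parse_rules(text: str) -> list:
    """One dict per rule: sid, msg and the decoded content: patterns."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        options = line.partition('(')[2]
        sid = SID_RE.search(options)
        rule = {'sid': int(sid.group(1)) if sid else None, 'msg': None, 'contents': []}
        for key, val in OPTION_RE.findall(options):
            if key == 'msg':
                rule['msg'] = val
            elif key == 'content':
                rule['contents'].append(content_to_bytes(val))
        rules.append(rule)
    return rules

def find_hits(blob: bytes, rules: list) -> list:
    """Decoded patterns that occur verbatim in blob, i.e. what a byte scanner sees."""
    return [(r['sid'], c) for r in rules for c in r['contents'] if c in blob]
```

Running `find_hits` over the rule file's own bytes shows the asymmetry: a plain-text `content:` string such as `/gate.php?id=` is present verbatim and would be found by a literal string scan, while `|hex|`-encoded contents are not, because the file stores them as hex text rather than the bytes they match.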