Kibana 8.11.1 - ClamAV Infected file -> security_detection_engine-8.11.1.zip

RafaelE · November 24, 2023, 3:16pm

Hello everyone,

I'm creating this topic to report a situation where the antivirus ClamAV have identified a possible infected file on your Debian package

ClamAV report

/usr/share/kibana/node_modules/@kbn/fleet-plugin/target/bundled_packages/security_detection_engine-8.11.1.zip: Win.Tool.UACBypass-5474404-0 FOUND
traverse_rename: Failed to rename: /usr/share/kibana/node_modules/@kbn/fleet-plugin/target/bundled_packages/security_detection_engine-8.11.1.zip
	to: /var/lib/clamscan/quarantine/security_detection_engine-8.11.1.zip
Error:Invalid cross-device link
/usr/share/kibana/node_modules/@kbn/fleet-plugin/target/bundled_packages/security_detection_engine-8.11.1.zip: moved to '/var/lib/clamscan/quarantine/security_detection_engine-8.11.1.zip'

----------- SCAN SUMMARY -----------
Known viruses: 8679245
Engine version: 0.103.9
Scanned directories: 33527
Scanned files: 171637
Infected files: 1
Data scanned: 10114.00 MB
Data read: 476599.20 MB (ratio 0.02:1)
Time: 2274.860 sec (37 m 54 s)
Start Date: 2023:11:24 02:00:01
End Date:   2023:11:24 02:37:56

Although we assume this is a false positive, after a quick scan on Virus Total, we can see two other vendors (Google, Varist) that also flagged the file as potentially being malicious. (Screenshot bellow)

Appreciate your insight on this topic.

Best regards,
Rafael

azasypkin · December 2, 2023, 7:08am

Hey @RafaelE ,

Thanks for posting! Would you mind sending an email to security@elastic.co?

Best,
Oleg

RafaelE · December 4, 2023, 11:46am

Hello @azasypkin,

Email sent to security@elastic.co as requested.

Best regards,
Rafael

azasypkin · December 4, 2023, 12:49pm

Thank you @RafaelE !

system · January 1, 2024, 12:49pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.