Trojaned version of file detected.


Todor Dimitrov

Nov 22, 2024, 4:32:56 AM
to Wazuh | Mailing List
Hello, 

I opened the Malware Detection monitor today and saw this message: 

Trojaned version of file '/usr/bin/diff' detected. Signature used: 'bash|^/bin/sh|file\.h|proc\.h|/dev/[^n]|^/bin/.*sh' (Generic).

What can I do in this case to remove this false positive? I assume it is a false positive because I read that this problem currently exists for other users as well. Thank you for your time.

Regards, 

Todor

Md. Nazmur Sakib

Nov 22, 2024, 4:59:25 AM
to Wazuh | Mailing List

Hi Todor,

This seems to be a false positive match for rootcheck.


You can check this discussion for more information

https://github.com/ossec/ossec-hids/issues/2020

Check this document to learn more about how rootcheck works.

https://documentation.wazuh.com/current/user-manual/capabilities/malware-detection/rootkits-behavior-detection.html

Can you check your rootkit check script:

cat /var/ossec/etc/shared/default/rootkit_trojans.txt | grep diff

You can update your rootkit_trojans.txt at /var/ossec/etc/shared/default/ with this file:

https://github.com/ossec/ossec-hids/blob/master/src/rootcheck/db/rootkit_trojans.txt


Further, you can silence this by using a custom rule.

  <rule id="730004" level="0">
    <if_sid>510</if_sid>
    <match>bin/mail$|bin/diff$</match>
    <description>False-positive match for rootcheck regex</description>
  </rule>


Check this document to learn more about custom rules.

https://documentation.wazuh.com/current/user-manual/ruleset/custom.html


Let me know if this solves your issue or if you need any further help.
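To see for yourself why a given binary trips the 'diff' signature before deciding whether to silence it, the script below reproduces the rootcheck trojan check in a simplified form: it parses lines in the rootkit_trojans.txt format (file name, the regex between '!' delimiters, a description), pulls printable strings out of a file the way the strings utility does, and reports which alternative of the signature matched which string. This is an added example, not Wazuh's or OSSEC's code: rootcheck uses its own regex engine rather than Python's re module, so treat the result as an approximation, and the sample file bytes and the 'ls' signature line are constructed for the demonstration (only the 'diff' line is the one quoted in the alert).

```python
import re
import sys

# Constructed sample in the rootkit_trojans.txt format used by rootcheck:
#   <file_name> !<regex>! <description>
# The 'diff' entry is the signature quoted in the alert; the 'ls' entry is made up.
TROJANS_DB = r"""
# comment lines and blank lines are skipped
ls      !bash|^/bin/sh|dev/[^n]|\.tmp|/dev/ptyx|/bin/ssh|/dev/h| /bin/.*sh! Generic
diff    !bash|^/bin/sh|file\.h|proc\.h|/dev/[^n]|^/bin/.*sh! Generic
"""

# Constructed stand-in for /usr/bin/diff: an ELF-looking header plus a few strings.
# "/dev/null" is deliberately NOT matched by /dev/[^n]; "/dev/stdin" is.
SAMPLE_DIFF_BYTES = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8
    + b"GNU diff\x00"
    + b"/dev/null\x00"
    + b"/dev/stdin\x00"
    + b"\x00" * 4
)

LINE_RE = re.compile(r"^(\S+)\s+!(.+)!\s*(.*)$")


def parse_trojans_db(text):
    """Map file name -> (regex, description) for every signature line."""
    sigs = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if m:
            name, pattern, desc = m.groups()
            sigs[name] = (pattern, desc)
    return sigs


def printable_strings(data, min_len=4):
    """Return runs of printable ASCII of at least min_len bytes (like strings(1))."""
    out, cur = [], bytearray()
    for b in data:
        if 32 <= b < 127:
            cur.append(b)
        else:
            if len(cur) >= min_len:
                out.append(cur.decode("ascii"))
            cur = bytearray()
    if len(cur) >= min_len:
        out.append(cur.decode("ascii"))
    return out


def scan_file_bytes(data, name, sigs):
    """Return [(string, signature_alternative)] for every string that fires.

    Each '|' alternative is tested separately against each extracted string, so
    the report shows exactly which part of the signature caused the hit.
    """
    if name not in sigs:
        return []
    pattern, _desc = sigs[name]
    alternatives = pattern.split("|")
    hits = []
    for s in printable_strings(data):
        for alt in alternatives:
            if re.search(alt, s):
                hits.append((s, alt))
    return hits


def scan_path(path, sigs):
    """Scan a real file on disk; the signature is chosen by the file's base name."""
    with open(path, "rb") as fh:
        data = fh.read()
    return scan_file_bytes(data, path.rsplit("/", 1)[-1], sigs)


if __name__ == "__main__":
    sigs = parse_trojans_db(TROJANS_DB)
    # With a path argument, scan that file; otherwise use the constructed sample.
    if len(sys.argv) > 1:
        hits = scan_path(sys.argv[1], sigs)
    else:
        hits = scan_file_bytes(SAMPLE_DIFF_BYTES, "diff", sigs)
    for s, alt in hits:
        print(f"string {s!r} matched alternative {alt!r}")
    if not hits:
        print("no signature alternative matched")
```

Run it against the constructed sample and the only hit is "/dev/stdin" via the /dev/[^n] alternative; run it as `python3 check_trojan_sig.py /usr/bin/diff` on the affected host (the database above only carries the 'diff' and constructed 'ls' entries, so other file names return nothing) to see which embedded string the real binary contains. If the matching string is an ordinary path or library reference, the alert is a false positive of the kind discussed in the linked issue; if it is something unexpected, that is the case where you would not want the rule silenced.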

Todor Dimitrov

Nov 22, 2024, 8:09:59 AM
to Wazuh | Mailing List
Hi Nazmur, 

Thank you for the quick response. I have seen the discussion that you sent me and that is why I assumed it's a false positive. I have copied the contents of the rootkit_trojans.txt from the link that you sent me and replaced the contents of my rootkit_trojans.txt file, and I will keep an eye on whether it still shows false positives. I don't really want to silence it because if there is an actual problem I would like to be able to see an event or indication for it. Thank you again for the useful information, and if I see more false positives after the weekend I will let you know; otherwise I will leave it at that. Just one last question: is there going to be a fix for this problem in the future, or would I have to do the same thing for my other deployments so it doesn't show any false positives? Have a great weekend and thank you for your time.

Regards, 

Todor

Md. Nazmur Sakib

Nov 25, 2024, 7:45:15 AM
to Wazuh | Mailing List

It will be resolved in a future release, to be more specific in 4.10.0.

https://github.com/wazuh/wazuh/issues/26137



At the end of the document, you will see the instructions on how to ignore false positives:
https://documentation.wazuh.com/current/user-manual/capabilities/malware-detection/rootkits-behavior-detection.html#ignoring-false-positives



I hope you find this information useful.
