False positive -> Rootkit 'ZK' detected


M G

Feb 13, 2023, 7:30:13 AM2/13/23
to Wazuh mailing list
Hello,

I found a problem with Wazuh and rule 510 (maybe a bug?)

I have many alerts "Rootkit 'ZK' detected by the presence of file '/etc/sysconfig/console/load.zk'." and this is a false positive.
When a file 'console' exists in /etc/sysconfig, then Wazuh reports this alert.
If a folder 'console' exists in this path, then everything is OK.

In my opinion, Wazuh knows from its database that a rootkit can hide in this path, so it tries to check the contents of 'console'. It cannot do this (this is a file, not a folder), so for Wazuh this is suspicious.

Regards
Mateusz
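The scenario Mateusz describes (a regular file sitting where the rootkit database expects a directory) can be reproduced safely in a temporary directory. The following is an added example and not Wazuh's rootcheck code; it makes no claim about the actual root cause and only shows the three outcomes a path-based rootkit check has to distinguish: the file really exists, nothing exists, or a parent component exists but is not a directory (ENOTDIR). The entry name `ZK_ENTRY` and the helper names are assumptions of this example; the path itself is the one from the alert text.

```python
import errno
import os
import stat
import tempfile

# Constructed sample of the kind of entry a rootkit-files database holds: a
# relative path whose presence is taken as a sign of the 'ZK' rootkit. The path
# is the one quoted in the alert; the constant name is this example's own.
ZK_ENTRY = "etc/sysconfig/console/load.zk"


def classify_path(root, rel_path):
    """Return 'present', 'absent' or 'blocked' for rel_path under root.

    'blocked' means a parent component exists but is not a directory, so the
    path cannot exist at all; a checker must not treat that failure as a
    hidden file.
    """
    full = os.path.join(root, rel_path)
    try:
        os.lstat(full)  # lstat: a dangling symlink named load.zk still counts
        return "present"
    except OSError as e:
        if e.errno == errno.ENOENT:
            return "absent"
        if e.errno == errno.ENOTDIR:
            return "blocked"
        raise  # EACCES and friends are real errors, surface them


def blocking_component(root, rel_path):
    """Walk the parent components of rel_path and return the first one that
    exists but is not a directory (relative to root), or None."""
    current = root
    for part in rel_path.split("/")[:-1]:
        current = os.path.join(current, part)
        try:
            st = os.stat(current)  # follow symlinks: a link to a dir is fine
        except FileNotFoundError:
            return None
        if not stat.S_ISDIR(st.st_mode):
            return os.path.relpath(current, root)
    return None


def reproduce():
    """Build three sandboxes mirroring the thread's scenarios and classify each.

    Returns a dict of scenario -> (classification, blocking component).
    """
    results = {}

    # 1. 'console' is a directory that really contains load.zk: a genuine hit.
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "etc/sysconfig/console"))
        open(os.path.join(root, ZK_ENTRY), "w").close()
        results["real_hit"] = (classify_path(root, ZK_ENTRY),
                               blocking_component(root, ZK_ENTRY))

    # 2. 'console' is an empty regular file, i.e. the `cat > console` test.
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "etc/sysconfig"))
        open(os.path.join(root, "etc/sysconfig/console"), "w").close()
        results["file_named_console"] = (classify_path(root, ZK_ENTRY),
                                         blocking_component(root, ZK_ENTRY))

    # 3. Nothing under etc/ at all: the clean case.
    with tempfile.TemporaryDirectory() as root:
        results["clean"] = (classify_path(root, ZK_ENTRY),
                            blocking_component(root, ZK_ENTRY))

    return results


if __name__ == "__main__":
    for scenario, (verdict, blocker) in reproduce().items():
        print(f"{scenario:20s} -> {verdict:8s} blocking component: {blocker}")
```

When triaging such an alert on a real host, the same distinction applies: `stat /etc/sysconfig/console` showing a regular file means the reported `load.zk` path cannot exist, which supports treating the alert as a false positive rather than a hidden file.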

Juan Nicolás Asselle (Nico Asselle)

Feb 13, 2023, 9:57:56 AM2/13/23
to Wazuh mailing list
Hi Mateusz,

I'm going to investigate this deeper, since there is an open issue (https://github.com/wazuh/wazuh/issues/15168) but without an RCA.
In the meantime, could you please confirm that your agent is also running on SuSE?

M G

Feb 13, 2023, 10:25:54 AM2/13/23
to Wazuh mailing list
Hi Juan,

Yes. These agents are running on SUSE.
For the test I created an empty file on Rocky OS (cat > console), and from this moment I have this alert too.

Mateusz

Juan Nicolás Asselle (Nico Asselle)

Feb 13, 2023, 6:38:58 PM2/13/23
to Wazuh mailing list
Hi Mateusz,
After a deeper investigation, it was found that this is happening due to a problem with the rootcheck code. More information can be found in this comment.

Regards,
Nico