Lot of false positives with trojan binaries


C. L. Martinez

Jul 28, 2018, 8:05:38 AM
to wa...@googlegroups.com
Hi all,

I am seeing a high increment of alerts about trojanized binaries in FreeBSD platforms, like for example:

Trojaned version of file '/bin/kill' detected. Signature used: '/dev/[ab,d-k,m-z]|/dev/[F-Z]|/dev/[A-D]|/dev/[0-9]|proc\.h|bash|tmp' (Generic).

It is a false positive, because this server was updated yesterday from official updates ... It is strange, because this only happens with FreeBSD servers and not with my OpenBSD servers ... Any tip to debug this?

Thanks
--
Greetings,
C. L. Martinez

Santiago Bassett

Jul 28, 2018, 1:50:30 PM
to C. L. Martinez, Wazuh mailing list
Most likely one of the strings in the file matches the signature. You could use the command "strings /bin/kill" and see if that is the case. I don't have a FreeBSD around, but is "/bin/kill" a compiled binary file or a shell script? (try running "file /bin/kill")

I hope it helps,

Santiago
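A way to run Santiago's "strings /bin/kill" check offline and see exactly which embedded string trips the rootcheck signature, as an added example that is not from the thread or from Wazuh. It extracts printable runs the way strings(1) does and tests each one against the signature quoted in the alert; it assumes Python's re is a close enough approximation of the rootcheck regex engine for this signature, and the sample bytes are constructed, not taken from a real /bin/kill.

```python
import re

# Signature text copied from the alert in the thread. Rootcheck uses its own regex
# engine; interpreting it with Python's re is an approximation (assumption).
SIGNATURE = r"/dev/[ab,d-k,m-z]|/dev/[F-Z]|/dev/[A-D]|/dev/[0-9]|proc\.h|bash|tmp"
SIG_RE = re.compile(SIGNATURE)


def extract_strings(data: bytes, min_len: int = 4):
    """Return runs of at least min_len printable ASCII bytes, like strings(1)."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def matching_strings(data: bytes):
    """Return (embedded string, matched fragment) pairs that would raise the alert."""
    hits = []
    for s in extract_strings(data):
        m = SIG_RE.search(s)
        if m:
            hits.append((s, m.group()))
    return hits


def check_file(path: str):
    """Run the check against a file on disk, e.g. check_file('/bin/kill')."""
    with open(path, "rb") as f:
        return matching_strings(f.read())


# Constructed sample: an ELF-like blob whose legitimate message strings happen to
# contain "/dev/n..." and "tmp", the kind of benign content behind a false positive.
SAMPLE = (b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8
          + b"usage: kill [-s signal_name] pid ...\x00"
          + b"could not open /dev/null\x00"
          + b"/usr/share/tmp/locale\x00"
          + b"libc.so.7\x00"
          + b"\x90" * 16)

if __name__ == "__main__":
    for s, frag in matching_strings(SAMPLE):
        print(f"signature fragment {frag!r} matched inside {s!r}")
```

Note that the character class in the first alternative skips "c" and "l", so a string such as "/dev/console" does not match on its own; the "tmp" and "bash" alternatives are the ones most often hit by ordinary error and usage messages.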

