Secomea Release 11.1 False Positive
  • 29 Nov 2023


Article Summary

False positive in VirusTotal.

During the security check of our LinkManager .exe file, we discovered a false positive.
We're currently working closely with VirusTotal to fix the issue.

The false positive is on one of the files (nsExec.dll) that is part of the NSIS installer. NSIS is a third-party tool Secomea uses to generate the installer.

Our LinkManager installer is flagged in VirusTotal by one of the open-source community Sigma rules that VirusTotal runs against the Sysmon events recorded while the file under scrutiny is executed in its sandbox.

It matches the rule "OilRig" by Ariel Millahuel from the SOC Prime Threat Detection Marketplace.
OilRig is an Iranian threat group operating primarily in the Middle East by targeting organizations in this region that are in a variety of different industries; however, this group has occasionally targeted organizations outside of the Middle East as well. It also appears OilRig carries out supply chain attacks, where the threat group leverages the trust relationship between organizations to attack their primary targets.


To demonstrate and verify that VirusTotal flags the product because of the file name alone, we created two .zip files with identical content; the only difference is that nsExec.dll is renamed in the nsExecRenamed.zip file.

nsExec.zip

nsExecRenamed.zip

In these links, the original filename triggers the "OilRig" Sigma Rule, while the renamed one doesn't:
https://www.virustotal.com/gui/file/969d5dd606df6a138f22a3c48dda471c7c6d0d587384277265de1e0909d62d82/behavior

https://www.virustotal.com/gui/file/55e5b75cb88bf17497d518a0504f6d9ef8743d562eaf157ba20bbf6dbbd3922f/behavior
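The following is an added illustration, not Secomea's code and not the text of the real "OilRig" Sigma rule (which this article does not reproduce). It uses a hypothetical, deliberately simplified Sigma-style selection that keys on the file name, evaluates it against two constructed Sysmon-like "image loaded" events (one for nsExec.dll, one for the renamed copy), and shows the triage step a defender would take: keeping the rule while adding a hash-based exception for the vetted file, so that the decision rests on file content rather than on a name. The helper that builds a VirusTotal behaviour URL uses the same link form as the two links above.

```python
import hashlib

# Hypothetical, simplified Sigma-style rule keyed on the NSIS helper's file
# name. This is an assumption for illustration only, NOT the real rule text.
SIMPLIFIED_RULE = {
    "title": "Hypothetical nsExec filename rule",
    "detection": {
        "selection": {"Image|endswith": "\\nsExec.dll"},
        "condition": "selection",
    },
}

# Constructed bytes standing in for the (identical) DLL content in both zips.
DLL_BYTES = b"constructed stand-in for nsExec.dll contents"
DLL_SHA256 = hashlib.sha256(DLL_BYTES).hexdigest()

# Constructed Sysmon-like events (Event ID 7, image loaded). Paths are made up.
ORIGINAL_EVENT = {
    "EventID": 7,
    "Image": "C:\\Temp\\nsk1A2B.tmp\\nsExec.dll",
    "Hashes": f"SHA256={DLL_SHA256}",
}
RENAMED_EVENT = {
    "EventID": 7,
    "Image": "C:\\Temp\\nsk1A2B.tmp\\nsExecRenamed.dll",
    "Hashes": f"SHA256={DLL_SHA256}",
}


def field_matches(key: str, expected: str, event: dict) -> bool:
    """Evaluate one Sigma-style 'Field|modifier': value pair against an event."""
    field, _, modifier = key.partition("|")
    actual = str(event.get(field, ""))
    if modifier == "endswith":
        return actual.lower().endswith(expected.lower())
    if modifier == "contains":
        return expected.lower() in actual.lower()
    if modifier == "":
        return actual.lower() == expected.lower()
    raise ValueError(f"unsupported modifier: {modifier}")


def selection_matches(rule: dict, event: dict) -> bool:
    """All pairs in the selection must match (Sigma AND semantics within a map)."""
    selection = rule["detection"]["selection"]
    return all(field_matches(k, v, event) for k, v in selection.items())


def event_sha256(event: dict) -> str:
    """Extract the SHA256 digest from a Sysmon 'Hashes' field such as 'SHA256=...'."""
    for part in event.get("Hashes", "").split(","):
        algo, _, digest = part.partition("=")
        if algo.strip().upper() == "SHA256":
            return digest.strip().lower()
    return ""


def alert(rule: dict, event: dict, known_good: frozenset = frozenset()) -> bool:
    """Fire when the rule matches, unless the file's hash is on the vetted list."""
    if event_sha256(event) in known_good:
        return False
    return selection_matches(rule, event)


def virustotal_behavior_url(sha256: str) -> str:
    """Build the VirusTotal behaviour-report URL for a SHA256 (same form as the links above)."""
    return f"https://www.virustotal.com/gui/file/{sha256.lower()}/behavior"


if __name__ == "__main__":
    print("original name fires:", alert(SIMPLIFIED_RULE, ORIGINAL_EVENT))   # True
    print("renamed copy fires:", alert(SIMPLIFIED_RULE, RENAMED_EVENT))     # False
    print("original with hash exception:",
          alert(SIMPLIFIED_RULE, ORIGINAL_EVENT, frozenset({DLL_SHA256})))  # False
```

The point for anyone tuning their own detections: the two events carry the same content hash and differ only in the name, so a name-only selection separates them while a hash-based exception (or a hash-based allowlist maintained from a trusted build) treats them the same. Replace the constructed `DLL_SHA256` with the digest of the file you have actually vetted before using such an exception.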


If you have any questions about this, please contact Secomea support: support@secomea.com
