Secomea Release 11.1 False Positive
- 29 Nov 2023
- 1 Minute to read
- Contributors
- Print
- DarkLight
- PDF
Secomea Release 11.1 False Positive
- Updated on 29 Nov 2023
- 1 Minute to read
- Contributors
- Print
- DarkLight
- PDF
Article summary
Did you find this summary helpful?
Thank you for your feedback
False Positive in Virustotal.
During the security check of our LinkManager .exe file, we discovered a false positive.
We're currently working closely with VirusTotal to fix the issue.
The false positive is on one of the files (nsExec.dll) that are part of the NSIS installer. It is part of a 3rd party tool Secomea uses to generate the installer.
Our LinkManager Installer is flagged in VirusTotal on the list of open-source community Sigma rules that match the sysmon events recorded via execution of the file under scrutiny in a sandbox.
It Matches rule Oilrig by Ariel Millahuel at SOC Prime Threat Detection Marketplace
OilRig is an Iranian threat group operating primarily in the Middle East by targeting organizations in this region that are in a variety of different industries; however, this group has occasionally targeted organizations outside of the Middle East as well. It also appears OilRig carries out supply chain attacks, where the threat group leverages the trust relationship between organizations to attack their primary targets
To demonstrate and verify that VirusTotal flags the product due to the file naming, we created two .zip files with the exact same content. The nsExec.dll file is renamed in the nsExecRenamed.zip file.
In these links, the original filename triggers the "OilRig" Sigma Rule, while the renamed one doesn't:
https://www.virustotal.com/gui/file/969d5dd606df6a138f22a3c48dda471c7c6d0d587384277265de1e0909d62d82/behavior
If you have any questions to this, please contact Secomea support: support@secomea.com
Was this article helpful?
