All Apps and Add-ons

Trojan Downloader Detected - CIS Critical Security Controls

kent_farries
Path Finder

Windows Defender or SCEP detects the CIS Critical Security Controls application as a Trojan called TrojanDownloader:JS/Nemucod.

https://splunkbase.splunk.com/app/3064/

Can the owner of the application verify this for us?

Windows Defender Version Details
Antimalware Client Version: 4.10.14393.0
Engine Version: 1.1.12902.0
Antivirus definition: 1.225.3072.0
Antispyware definition: 1.225.3072.0
Network Inspection System Engine Version: 2.1.12706.0
Network Inspection System Definition Version: 116.18.0.0

Tags (1)
0 Karma
1 Solution

aperez_splunk
Splunk Employee
Splunk Employee

Hi kent_farries,

App author here - thank you very much for the outreach on this.

Based on your question above, I submitted a freshly-downloaded (and SHA-256 verified) copy of the app to VirusTotal for analysis and received the attached report.

In short, this appears to be a false positive detection from Microsoft and CAT-QuickHeal. 51 other AV scanners report the app to be benign.

VirusTotal_CISapp_results.pdf

Hope this helps and thanks again for your outreach,
AP

View solution in original post

kent_farries
Path Finder

Thank you for checking this for us and we will proceed with the installation by disabling our AV during the download and install process.

If possible could you reach out to Microsoft? I have submitted a request to Microsoft a few weeks back when you released the application but it seems like they did not take any action.

Once again, thanks for the quick reply.

0 Karma

aperez_splunk
Splunk Employee
Splunk Employee

Hi again kent_farries,

I'd be happy to forward it to Microsoft and flag the false positive detection. I can't promise that they'll prioritize it, but will push it over later this afternoon.

Good luck with the install and have a great weekend!
AP

0 Karma

aperez_splunk
Splunk Employee
Splunk Employee

Hi kent_farries,

App author here - thank you very much for the outreach on this.

Based on your question above, I submitted a freshly-downloaded (and SHA-256 verified) copy of the app to VirusTotal for analysis and received the attached report.

In short, this appears to be a false positive detection from Microsoft and CAT-QuickHeal. 51 other AV scanners report the app to be benign.

VirusTotal_CISapp_results.pdf

Hope this helps and thanks again for your outreach,
AP

Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...