Cisco endpoint security reports Trojan #13273
-
Hi, I have verified the ISO with the GPG key. Also, based on the question, it is most likely a false positive, but let's make sure: Malicious activity detected (D:\SecurityOnion\agrules\detect-sigma\rulesets\sigma_all_rules.zip)[Trojan.Generic.35749819]. BR,
-
From: https://docs.securityonion.net/en/2.4/download.html
If you download our ISO image and then scan it with antivirus software, it is possible that one or more of the files included in the ISO image may generate false positives. If you look at the antivirus scan details, it will most likely tell you that it alerted on a file in SecurityOnion\agrules\. This is part of [Strelka](https://docs.securityonion.net/en/2.4/strelka.html#strelka) and it is being incorrectly flagged as a backdoor when it is really just a Yara ruleset that looks for backdoors. In some cases, the alert may be for a sample EXE that is included in [Strelka](https://docs.securityonion.net/en/2.4/strelka.html#strelka) bu…
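A quick way to confirm what the answer describes, i.e. that the flagged archive really is a ruleset and not a binary, is to open the zip and classify every member before filing a false-positive report with the AV vendor. The script below is an added example, not Security Onion's or Strelka's own code: it builds a small constructed stand-in for `agrules/detect-sigma/rulesets/sigma_all_rules.zip` in memory (the path comes from the question, the contents are made up here), then reports the archive's SHA-256, the kind of each member, and a verdict. A ruleset zip should contain only text rules; any member that starts with a PE or ELF header is surfaced for review instead of being waved through.

```python
"""Triage a zip that antivirus flagged inside the Security Onion ISO.

Added example, not Security Onion's own code. The sample archive built by
build_sample_zip() is constructed here to stand in for
agrules/detect-sigma/rulesets/sigma_all_rules.zip; it is not the real file.
"""
import hashlib
import io
import zipfile

# File headers that would mean an archive member is code, not a rule.
EXEC_MAGIC = {
    b"MZ": "PE (Windows executable)",
    b"\x7fELF": "ELF (Linux executable)",
    b"#!": "script with shebang",
}
# Extensions a Sigma/YARA ruleset is expected to contain.
TEXT_SUFFIXES = (".yml", ".yaml", ".yar", ".yara", ".txt", ".md")


def classify_member(name: str, data: bytes) -> str:
    """Return 'rule-text', 'executable', or 'other' for one archive member."""
    for magic in EXEC_MAGIC:
        if data.startswith(magic):
            return "executable"
    try:
        data.decode("utf-8")  # rules are plain UTF-8 text
    except UnicodeDecodeError:
        return "other"
    if name.lower().endswith(TEXT_SUFFIXES):
        return "rule-text"
    return "other"


def triage_zip(blob: bytes) -> dict:
    """Summarise a zip: sha256 (for the vendor report), member kinds, verdict."""
    sha256 = hashlib.sha256(blob).hexdigest()
    members = {}
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            members[info.filename] = classify_member(info.filename, zf.read(info))
    kinds = set(members.values())
    verdict = "rules-only" if kinds <= {"rule-text"} else "needs-review"
    return {"sha256": sha256, "members": members, "verdict": verdict}


def build_sample_zip(include_exe: bool = False) -> bytes:
    """Constructed stand-in for sigma_all_rules.zip (not the real ruleset)."""
    # A Sigma rule that *describes* a backdoor is exactly the kind of text
    # a signature-based scanner can misread as the backdoor itself.
    sigma_rule = (
        "title: Constructed example rule\n"
        "status: experimental\n"
        "description: Matches a process name a backdoor might use (constructed)\n"
        "logsource:\n  product: windows\n  category: process_creation\n"
        "detection:\n  selection:\n    Image|endswith: '\\backdoor.exe'\n"
        "  condition: selection\nlevel: high\n"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("rules/windows/backdoor_detection.yml", sigma_rule)
        zf.writestr("rules/README.md", "# Constructed Sigma ruleset\n")
        if include_exe:
            # Minimal fake PE header, to show how a real binary would surface.
            zf.writestr("samples/test.exe", b"MZ" + b"\x00" * 64)
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (False, True):
        report = triage_zip(build_sample_zip(include_exe=flag))
        print(f"{report['verdict']}  sha256={report['sha256'][:16]}...")
        for name, kind in report["members"].items():
            print(f"  {kind:10s} {name}")
```

Point `triage_zip()` at the bytes of the real archive extracted from the ISO to run the same check; a `rules-only` verdict plus the hash is what you would attach to the false-positive submission, while `needs-review` tells you to look at the named member before trusting the file.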