Windows Defender Catching Security Onion ISO as Containing Backdoor

[c9845]

Windows Defender is throwing up a "Severe" warning about the Security Onion ISO file. Defender is saying the ISO contains a backdoor and notes the file securityonion-2.3.50.iso->SecurityOnion\agrules\strelka\yara\thor-webshells.yar.

Not sure if this is expected but there aren't any notes, at least that I could find, on the Security Onion pages that the ISO might cause Windows Defender to throw warnings. If this is expected, it may be worthwhile to add a warning added to the VERIFY_ISO.md page with a link to another file/page listing files within the ISO that may cause Windows Defender to throw alerts.

I verified the ISO via SHA256 sum (matches) and via GPG key (received "Good signature...").

Environmental Details:

• Security Onion 2.3.50 ISO.
• Windows 10 Build (20H2 19042.985).
• Windows Defender Details:
  • Antimalware Client Version 4.18.2104.14.
  • Engine Version 1.1.18100.6.
  • Antivirus Version: 1.339.895.0.
  • Antispyware Version: 1.339.895.0.
• GPG Primary Key Fingerprint: C804 A93D 36BE 0C73 3EA1 9644 7C10 60B7 FE50 7013.

[dougburks]

SecurityOnion\agrules\strelka\yara\thor-webshells.yar is not a backdoor. It is a yara ruleset that looks for backdoors. You can review the file here:
https://github.com/Neo23x0/signature-base/blob/master/yara/thor-webshells.yar

I've updated the Download page in our documentation to include a warning about this:
https://docs.securityonion.net/en/2.3/download.html

[jefferymcaron]

Has this finding been registered and confirmed with DISA?

Thanks!

[c9845]

@dougburks
Thanks for the quick reply. I figured this wasn't an issue but it did stand out since it wasn't noted anywhere. I appreciate updating the docs to note this.

[willemdh]

Backdoor:PHP/Dirtelti.CKB is indeed supposedly found in thor-webshells.yar by Defender. But the documentation mentions this nicely.