New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Reporting false positive: Synology Drive Client #214
Comments
This is not the full alert message. Can you provide the full events including the match-strings? Do the rules match reproducibly? The match is in-memory on the process. Maybe some clear-text IOCs are synced and the process had them in-memory at the time. Is that possible? |
I'm pretty sure that the service somehow copied the contents of clear text YARA rules into his own memory. (e.g. to sync the signature files of LOKI to the Synology drive) If that's the case, it is expected behaviour. |
Reporting false positive: Synology Drive Client
Alert: MODULE: ProcessScan MESSAGE: Yara Rule MATCH: EXPL_LOG_CVE_2021_27065_Exchange_Forensic_Artefacts_Mar21_1 PID: 10680 NAME: cloud-drive-daemon.exe OWNER: Admin CMD: C:\Users\Admin\AppData\Local\SynologyDrive\SynologyDrive.app\bin\cloud-drive-daemon.exe C:/Users/Admin/AppData/Local/SynologyDrive/data/config/client.conf 50016 PATH: C:\Users\Admin\AppData\Local\SynologyDrive\SynologyDrive.app\bin\cloud-drive-daemon.exe
Alert: MODULE: ProcessScan MESSAGE: Yara Rule MATCH: LOG_Exchange_Forensic_Artefacts_CleanUp_Activity_Mar21_1 PID: 10680 NAME: cloud-drive-daemon.exe OWNER: Admin CMD: C:\Users\Admin\AppData\Local\SynologyDrive\SynologyDrive.app\bin\cloud-drive-daemon.exe C:/Users/Admin/AppData/Local/SynologyDrive/data/config/client.conf 50016 PATH: C:\Users\Admin\AppData\Local\SynologyDrive\SynologyDrive.app\bin\cloud-drive-daemon.exe
Alert: MODULE: ProcessScan MESSAGE: Yara Rule MATCH: WiltedTulip_ReflectiveLoader PID: 10680 NAME: cloud-drive-daemon.exe OWNER: Admin CMD: C:\Users\Admin\AppData\Local\SynologyDrive\SynologyDrive.app\bin\cloud-drive-daemon.exe C:/Users/Admin/AppData/Local/SynologyDrive/data/config/client.conf 50016 PATH: C:\Users\Admin\AppData\Local\SynologyDrive\SynologyDrive.app\bin\cloud-drive-daemon.exe
Alert: MODULE: ProcessScan MESSAGE: Yara Rule MATCH: PowerShell_ISESteroids_Obfuscation PID: 10680 NAME: cloud-drive-daemon.exe OWNER: Admin CMD: C:\Users\Admin\AppData\Local\SynologyDrive\SynologyDrive.app\bin\cloud-drive-daemon.exe C:/Users/Admin/AppData/Local/SynologyDrive/data/config/client.conf 50016 PATH: C:\Users\Admin\AppData\Local\SynologyDrive\SynologyDrive.app\bin\cloud-drive-daemon.exe
The text was updated successfully, but these errors were encountered: