Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Release-1.30] - Executables from k3s get flagged as malware by Azure Defender for Linux #10333

Closed
Slowdive-Aideron opened this issue Jun 7, 2024 · 1 comment
Closed

[Release-1.30] - Executables from k3s get flagged as malware by Azure Defender for Linux #10333

Slowdive-Aideron opened this issue Jun 7, 2024 · 1 comment

Comments

@Slowdive-Aideron
Copy link

Slowdive-Aideron commented Jun 7, 2024
edited
Loading

Environmental Info:
K3s Version:

k3s version v1.30.0+k3s1 (14549535)
go version go1.22.2

Node(s) CPU architecture, OS, and Version:
Azure VMs, RHEL 8.9 (Ootpa)
Linux app-01 4.18.0-513.24.1.el8_9.x86_64 #1 SMP Thu Mar 14 14:20:09 EDT 2024 x86_64 x86_64 x86_64 GNU/Linux

Cluster Configuration:
Test environment with 3 Servers, one of them control-plane,master

Describe the bug:
Microsoft Defender flags surten binaries in the data-dir "/var/lib/rancher/k3s/data" as Malware "Multiverze"
https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=Trojan:Linux/Multiverze
The binaries i could find until now :
busybox
slirp4netns
nsenter 

Busybox : https://www.virustotal.com/gui/file/4a9bac462189db56189764f5b56033fc94c90a781706ddb109e41931dfb8887d
SHA256: 4a9bac462189db56189764f5b56033fc94c90a781706ddb109e41931dfb8887d

slirp4netns : https://www.virustotal.com/gui/file/e2759e6c759a5f6977f3e14e2bf4c156cbe8e2914a38143ca3050ddba94a5bb8
SHA256 : e2759e6c759a5f6977f3e14e2bf4c156cbe8e2914a38143ca3050ddba94a5bb8

nsenter : https://www.virustotal.com/gui/file/3d4d8a8b835ff29fdf40994690afb428d78e286ff5553452f50dad36345c0de1
SHA256: 3d4d8a8b835ff29fdf40994690afb428d78e286ff5553452f50dad36345c0de1

Steps To Reproduce:

  • Installed K3s: Via ansible playbook , installation method doesn't really matter here, just unpack the binaries that are in the airgaped image

Expected behavior:

No findings

Actual behavior:

Azure Defender quarantines the files
Additional context / logs:

Microsoft MDATP Version 101.24042.0002
@Slowdive-Aideron Slowdive-Aideron changed the title [Release-1.30] - Executables from k3s get flagged as malware by Defender Antvirus for Linux [Release-1.30] - Executables from k3s get flagged as malware by Azure Defender for Linux Jun 7, 2024
@brandond
Copy link
Member

brandond commented Jun 7, 2024
edited
Loading

Duplicate of #9738

Please report these false positives to your AV vendor. We have no leverage to address these issues.

@brandond brandond marked this as a duplicate of #9738 Jun 7, 2024
@brandond brandond closed this as completed Jun 7, 2024
@github-project-automation github-project-automation bot moved this from New to Done Issue in K3s Development Jun 7, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
K3s Development
Archived in project
Milestone
No milestone
Development

No branches or pull requests
2 participants
@brandond @Slowdive-Aideron