Michael Lazin via plug on 23 Jun 2022 02:20:46 -0700


[PLUG] Strange behavior in the EPEL repository

I work with Fortigates and I noticed that they were sandboxing this file from the EPEL repository:


I downloaded a sample from here and uploaded it to Virustotal



Everything says it is clean, but it matches a YARA rule for a malicious Windows API. I tested this by downloading it on a Windows machine that was protected with SentinelOne, and SentinelOne sandboxed it too, but for behavior.

Since it is an XML file it can contain bad JavaScript; scripting can be embedded in XML. I have not examined the code yet, I am simply reporting what I found because it may be of interest. I think this is important because this is the only repository you can use to install ClamAV and rkhunter in Red Hat-type Linux distros. This may be a false positive because I have examined no code, but I did see SentinelOne sandbox it when I unpacked it on Windows.


Michael Lazin

.. τὸ γὰρ αὐτὸ νοεῖν ἐστίν τε καὶ εἶναι.
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
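The two checks a practitioner would run before calling the sandbox verdict above a false positive, as an added example that is not part of the original post or of EPEL's own tooling: (1) confirm that the bytes you downloaded are the bytes the repository publishes, by comparing the file's SHA-256 with the checksum recorded in the repository's repomd.xml (the index that dnf trusts, and the file that the repository's GPG signature, repomd.xml.asc, covers); and (2) look inside the XML for the constructs that actually let an XML file carry script when opened in a browser or XML viewer. The post does not name the flagged file, so the code assumes it is one of the repodata XML files; the repomd.xml and filelists samples below are constructed in the real repodata schema, and the file names and checksums are made up.

```python
"""Added example: verify a downloaded repodata XML file against repomd.xml and
scan it for embedded-script indicators.  Not code from the original post."""
import hashlib
import re
import xml.etree.ElementTree as ET

REPOMD_NS = "{http://linux.duke.edu/metadata/repo}"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_sample_repomd(data_type: str, data: bytes) -> str:
    """Constructed repomd.xml (real schema, made-up revision) describing one
    data file.  A real repo serves this next to repomd.xml.asc, the GPG
    signature dnf checks with repo_gpgcheck=1; only the checksum is modelled."""
    return f"""<?xml version="1.0" encoding="UTF-8"?>
<repomd xmlns="http://linux.duke.edu/metadata/repo">
  <revision>1655970046</revision>
  <data type="{data_type}">
    <checksum type="sha256">{sha256_hex(data)}</checksum>
    <location href="repodata/{data_type}.xml"/>
    <size>{len(data)}</size>
  </data>
</repomd>
"""


def verify_against_repomd(repomd_xml: str, data_type: str, data: bytes) -> bool:
    """True only if repomd.xml lists `data_type` with a sha256 checksum equal
    to sha256(data).  A missing entry or a non-sha256 checksum is a failure."""
    root = ET.fromstring(repomd_xml)
    for entry in root.findall(f"{REPOMD_NS}data"):
        if entry.get("type") != data_type:
            continue
        checksum = entry.find(f"{REPOMD_NS}checksum")
        if checksum is None or checksum.get("type") != "sha256":
            return False
        return (checksum.text or "").strip().lower() == sha256_hex(data)
    return False


_STYLESHEET_PI_RE = re.compile(r"<\?xml-stylesheet\b", re.IGNORECASE)
_DOCTYPE_RE = re.compile(r"<!DOCTYPE\b", re.IGNORECASE)
_ENTITY_RE = re.compile(r"<!ENTITY\b", re.IGNORECASE)


def find_script_indicators(xml_text: str) -> list:
    """Return human-readable findings for constructs that let an XML file run
    code when a browser or XSLT-aware viewer opens it: xml-stylesheet
    processing instructions (XSLT), DOCTYPE/ENTITY declarations, <script>
    elements in any namespace, on* event-handler attributes and javascript:
    URIs.  An empty list means none of these were seen; it is not a proof of
    cleanliness, only that the obvious embedding routes are absent."""
    findings = []
    if _STYLESHEET_PI_RE.search(xml_text):
        findings.append("xml-stylesheet processing instruction (XSLT)")
    if _DOCTYPE_RE.search(xml_text):
        findings.append("DOCTYPE declaration present")
    if _ENTITY_RE.search(xml_text):
        findings.append("ENTITY declaration present (possible external entity)")
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        findings.append(f"not well-formed XML: {exc}")
        return findings
    for elem in root.iter():
        local = elem.tag.rsplit("}", 1)[-1].lower()   # strip {namespace}
        if local == "script":
            findings.append(f"<{elem.tag}> element")
        for name, value in elem.attrib.items():
            if name.lower().startswith("on"):
                findings.append(f"event handler attribute {name} on <{local}>")
            if "javascript:" in value.replace(" ", "").lower():
                findings.append(f"javascript: URI in {name} on <{local}>")
    return findings


# Constructed filelists.xml fragment in the real repodata schema (made-up package).
CLEAN_SAMPLE = """<?xml version="1.0" encoding="UTF-8"?>
<filelists xmlns="http://linux.duke.edu/metadata/filelists" packages="1">
  <package pkgid="abc" name="example" arch="noarch">
    <version epoch="0" ver="1.0" rel="1.el9"/>
    <file>/usr/bin/example</file>
  </package>
</filelists>
"""

# Constructed sample of XML that does carry script, to show what the scan flags.
SCRIPTED_SAMPLE = """<?xml version="1.0"?>
<?xml-stylesheet type="text/xsl" href="evil.xsl"?>
<root xmlns:html="http://www.w3.org/1999/xhtml">
  <html:script>alert(1)</html:script>
  <a href="javascript:alert(1)" onclick="alert(2)">x</a>
</root>
"""

if __name__ == "__main__":
    data = CLEAN_SAMPLE.encode()
    repomd = build_sample_repomd("filelists", data)
    print("checksum matches repomd:", verify_against_repomd(repomd, "filelists", data))
    print("indicators in clean sample:", find_script_indicators(CLEAN_SAMPLE))
    print("indicators in scripted sample:", find_script_indicators(SCRIPTED_SAMPLE))
```

Against a real mirror you would fetch repomd.xml and repomd.xml.asc from the same repodata directory, verify the signature with the EPEL key that dnf already trusts (`gpg --verify repomd.xml.asc repomd.xml`), and only then compare the checksum; a file that passes both steps is what the repository publishes, whatever a sandbox says about it, and a file that fails the checksum is worth a closer look regardless of what the scanner says.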