
I use Suricata as an IDS on a local network that is not connected to the internet. It logged a few alerts from some clients saying "A Network Trojan was detected". All of the log's properties are as follows:

Protocol: 006
Source: Client IP
Destination: Server IP
Signature: ET POLICY SMB2 NT Create AndX Request For an Executable File in a Temp Directory
Signature ID: 1:2025703:2
Category: A Network Trojan was detected

I have Kaspersky antivirus, which is updated, and I also have Malwarebytes, which is updated too; however, neither of them has detected any trojans.

Question:

Is this a false positive, or maybe a real trojan that the anti-malware can't detect?

Server OS: Windows Server 2012.
Client OS: Windows 7 and 10.
I use the Suricata default rules.

AlirezaK
  • There is not enough information to give an answer; it's very possible that it could be a real trojan. – Ashley Primo Jan 17 '19 at 22:14
  • It's everything that Suricata has logged. Do you know how I can provide more info? – AlirezaK Jan 19 '19 at 06:13
  • Go on the client IP and scan it to see what caused the request; it's the first step to find out what it is. – yagmoth555 Jan 21 '19 at 13:02
  • Thanks. So I'm going to install Wireshark on the client, see what caused the request, and I will return with feedback. – AlirezaK Jan 22 '19 at 06:04
  • I checked some clients with Wireshark and I thought Office telemetry caused this log. My network has Office telemetry enabled to log Microsoft Office activity. So, was that a false positive? – AlirezaK Jan 23 '19 at 06:22
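To decide whether an alert like this is noise or something to chase, the practical first step is to see how many clients raise SID 1:2025703, where the SMB sessions go, and whether the pattern is "many clients, one file server" or "one client, odd destination". The following is an added example (not from the question, and not Suricata's own code) that parses Suricata's eve.json alert records, groups that signature by source and destination, flags any destination outside the local address ranges, and builds the threshold.config suppression line you would add only after confirming on a client which process writes the executable and that the file is benign. The sample records, the addresses, and the local prefix are constructed for the example; the only values taken from the question are the signature text and ID.

```python
"""Triage a recurring Suricata alert from eve.json (added example, constructed data)."""
import ipaddress
import json
from collections import Counter

SID = 2025703  # from the question: ET POLICY SMB2 NT Create AndX Request ...
SIGNATURE = ("ET POLICY SMB2 NT Create AndX Request For an Executable File "
             "in a Temp Directory")


def _alert(ts, src, dst, sid=SID, category="A Network Trojan was detected"):
    """Build one EVE 'alert' record in the shape Suricata writes to eve.json."""
    return {
        "timestamp": ts, "event_type": "alert", "src_ip": src, "dest_ip": dst,
        "proto": "TCP", "dest_port": 445,
        "alert": {"gid": 1, "signature_id": sid, "rev": 2,
                  "signature": SIGNATURE if sid == SID else "some other rule",
                  "category": category},
    }


# Constructed sample (not the poster's logs): three clients hitting one file
# server (one of them twice), a non-alert flow record, one alert to an address
# outside the LAN, and one alert for an unrelated SID.
SAMPLE_EVE = "\n".join(json.dumps(r) for r in [
    _alert("2019-01-17T10:01:02+0000", "192.0.2.10", "192.0.2.5"),
    _alert("2019-01-17T10:03:40+0000", "192.0.2.11", "192.0.2.5"),
    {"timestamp": "2019-01-17T10:04:00+0000", "event_type": "flow",
     "src_ip": "192.0.2.10", "dest_ip": "192.0.2.5", "proto": "TCP"},
    _alert("2019-01-17T11:20:15+0000", "192.0.2.10", "192.0.2.5"),
    _alert("2019-01-17T11:22:09+0000", "192.0.2.12", "203.0.113.7"),
    _alert("2019-01-17T11:30:00+0000", "192.0.2.13", "192.0.2.5", sid=2010935),
])


def parse_alerts(text):
    """Return the EVE records whose event_type is 'alert'; skip malformed lines."""
    alerts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # a truncated line at the end of a live file is normal
        if rec.get("event_type") == "alert":
            alerts.append(rec)
    return alerts


def summarize_sid(alerts, sid, local_nets):
    """Group one signature's alerts by (src, dst) and flag off-LAN destinations."""
    nets = [ipaddress.ip_network(n) for n in local_nets]
    pairs = Counter()
    offnet = []
    for rec in alerts:
        if rec["alert"].get("signature_id") != sid:
            continue
        src, dst = rec["src_ip"], rec["dest_ip"]
        pairs[(src, dst)] += 1
        if not any(ipaddress.ip_address(dst) in n for n in nets):
            offnet.append((rec["timestamp"], src, dst))
    return {
        "total": sum(pairs.values()),
        "pairs": dict(pairs),
        "sources": sorted({s for s, _ in pairs}),
        "destinations": sorted({d for _, d in pairs}),
        "offnet": offnet,
    }


def triage_hints(summary):
    """Turn the summary into the question to answer on a client before deciding."""
    hints = []
    if summary["offnet"]:
        hints.append("destination outside the local ranges: investigate that client first")
    if len(summary["sources"]) > 1 and len(summary["destinations"]) == 1:
        hints.append("many clients, one server: consistent with a shared workflow; "
                     "confirm the writing process and file name on one client")
    if not hints:
        hints.append("check the source host's process list and the file that was written")
    return hints


def suppress_line(sid, src_ip):
    """threshold.config entry that silences this SID for one confirmed-benign source."""
    return f"suppress gen_id 1, sig_id {sid}, track by_src, ip {src_ip}"


if __name__ == "__main__":
    summary = summarize_sid(parse_alerts(SAMPLE_EVE), SID, ["192.0.2.0/24"])
    print(json.dumps({k: v for k, v in summary.items() if k != "pairs"}, indent=2))
    for (src, dst), n in summary["pairs"].items():
        print(f"{src} -> {dst}: {n} alert(s)")
    print(*triage_hints(summary), sep="\n")
    print(suppress_line(SID, "192.0.2.10"))
```

Point the script at your real eve.json instead of SAMPLE_EVE and widen `local_nets` to your actual ranges. The suppression line is deliberately per-source: an "ET POLICY" rule about writing executables into a temp directory over SMB is exactly the kind of signal you want to keep for hosts you have not yet looked at, so silence it only for the sources whose writing process you have identified on the client.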

0 Answers