** Note that this is a public ticket, please refrain from adding any sensitive data. **
Description of Problem
Normally, the malware scanning works great for insights-client. But it can happen that, for some reason, the malware scan is executed twice on the same system within a similar timeframe, and that ends up producing false-positive malware matches on the /var/lib/insights/malware-detection_yara_rules* files.
How reproducible
Always
Steps to Reproduce
- Install a RHEL system and configure it for Insights malware scanning
- Open two SSH sessions to the system
- Execute "insights-client --collector malware-detection" at almost the same time in both sessions
- Wait for the scans to complete
Actual Behavior
Each scan downloads the YARA rules into a temporary file under /var/lib/insights (malware-detection_yara_rules.<random suffix>) in order to check other files against those signatures. When two scans run concurrently, each one encounters the other scan's rules file while scanning /var and reports it as a match, because the rules file itself contains the strings and patterns the rules look for. The result is a long list of false-positive matches against a file that insights-client created itself:
...
Scan time for /usr: 762 seconds
Scanning specified files in /var ...
Matched rule XFTI_AcidRain in file /var/lib/insights/malware-detection_yara_rules.3uo7tas0
Matched rule XFTI_Babuk_NAS in file /var/lib/insights/malware-detection_yara_rules.3uo7tas0
Matched rule XFTI_Babuk_Strings in file /var/lib/insights/malware-detection_yara_rules.3uo7tas0
Matched rule XFTI_BlackCat_Ransom_Note in file /var/lib/insights/malware-detection_yara_rules.3uo7tas0
Matched rule XFTI_DarkAngel_RansomNote in file /var/lib/insights/malware-detection_yara_rules.3uo7tas0
Matched rule XFTI_DarkRadiation_downloader in file /var/lib/insights/malware-detection_yara_rules.3uo7tas0
Matched rule XFTI_Darkside_Config in file /var/lib/insights/malware-detection_yara_rules.3uo7tas0
Matched rule XFTI_Defray911_Ransom_Note in file /var/lib/insights/malware-detection_yara_rules.3uo7tas0
Matched rule XFTI_Defray_Decryptor_Win in file /var/lib/insights/malware-detection_yara_rules.3uo7tas0
Matched rule XFTI_RansomExx2 in file /var/lib/insights/malware-detection_yara_rules.3uo7tas0
Matched rule XFTI_DefrayX_Developer_Strings in file /var/lib/insights/malware-detection_yara_rules.3uo7tas0
Matched rule XFTI_Doki in file /var/lib/insights/malware-detection_yara_rules.3uo7tas0
Matched rule XFTI_ElectroRAT in file /var/lib/insights/malware-detection_yara_rules.3uo7tas0
Matched rule XFTI_FinSpy in file /var/lib/insights/malware-detection_yara_rules.3uo7tas0
Matched rule XFTI_GuardianInstaller in file /var/lib/insights/malware-detection_yara_rules.3uo7tas0
Matched rule XFTI_IPStorm in file /var/lib/insights/malware-detection_yara_rules.3uo7tas0
Matched rule XFTI_KeyPlug_Unpacked in file /var/lib/insights/malware-detection_yara_rules.3uo7tas0
Matched rule XFTI_Kinsing_downloader in file /var/lib/insights/malware-detection_yara_rules.3uo7tas0
Matched rule XFTI_Ladvix_Infected in file /var/lib/insights/malware-detection_yara_rules.3uo7tas0
Matched rule XFTI_LightningDownloader in file /var/lib/insights/malware-detection_yara_rules.3uo7tas0
Matched rule XFTI_LightningCore in file /var/lib/insights/malware-detection_yara_rules.3uo7tas0
Matched rule XFTI_Lucifer in file /var/lib/insights/malware-detection_yara_rules.3uo7tas0
Matched rule XFTI_NotRobin in file /var/lib/insights/malware-detection_yara_rules.3uo7tas0
Matched rule XFTI_PGMiner in file /var/lib/insights/malware-detection_yara_rules.3uo7tas0
Matched rule XFTI_PGMiner_Unpacked in file /var/lib/insights/malware-detection_yara_rules.3uo7tas0
Matched rule XFTI_Sysrv_Linux in file /var/lib/insights/malware-detection_yara_rules.3uo7tas0
Matched rule XFTI_XZBackdoor_Build_File in file /var/lib/insights/malware-detection_yara_rules.3uo7tas0
Matched rule XFTI_XZBackdoor_Stage1_Decoder_Scripts in file /var/lib/insights/malware-detection_yara_rules.3uo7tas0
Matched rule XFTI_XZBackdoor_Stage2_Decoder_Scripts in file /var/lib/insights/malware-detection_yara_rules.3uo7tas0
Matched rule XFTI_Xorddos in file /var/lib/insights/malware-detection_yara_rules.3uo7tas0
Matched rule XFTI_Xorddos_Stripped in file /var/lib/insights/malware-detection_yara_rules.3uo7tas0
Matched rule XFTI_EICAR_AV_Test in file /var/lib/insights/malware-detection_yara_rules.3uo7tas0
Matched rule XFTI_WICAR_Javascript_Test in file /var/lib/insights/malware-detection_yara_rules.3uo7tas0
Matched rule XFTI_PEASS_Dropper_Linux in file /var/lib/insights/malware-detection_yara_rules.3uo7tas0
Matched rule XFTI_PEASS_Script_Windows in file /var/lib/insights/malware-detection_yara_rules.3uo7tas0
Matched rule XFTI_Punk in file /var/lib/insights/malware-detection_yara_rules.3uo7tas0
Matched rule XFTI_tool_Stowaway_Admin in file /var/lib/insights/malware-detection_yara_rules.3uo7tas0
Matched rule XFTI_tool_Stowaway_Agent in file /var/lib/insights/malware-detection_yara_rules.3uo7tas0
Matched rule XFTI_Dnscat in file /var/lib/insights/malware-detection_yara_rules.3uo7tas0
Matched rule XFTI_Sshscanner in file /var/lib/insights/malware-detection_yara_rules.3uo7tas0
Matched rule XFTI_XScanner in file /var/lib/insights/malware-detection_yara_rules.3uo7tas0
Scan time for /var: 140 seconds
...
Expected Behavior
- Either /var/lib/insights/ should be excluded from malware scanning by default
- Or there should be some form of PID locking that prevents two or more malware-detection scans from running at once
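As an added illustration of the second proposal (this is example code written for this ticket, not insights-client's own implementation), the wrapper below serializes scan invocations with a mkdir-based lock: a second invocation refuses to start while a live scan holds the lock, and a lock left behind by a scan that died is reclaimed rather than blocking forever. The lock path /run/lock/insights-malware-detection and the exit status 75 for "already running" are assumptions of the example.

```shell
#!/bin/sh
# Added example (not insights-client code): serialize malware-detection runs
# with a mkdir-based lock so a second invocation refuses to start while one
# is already scanning. LOCK_DIR is an assumed path; override it via the
# environment. mkdir(2) is atomic, so only one caller can create the directory.
LOCK_DIR="${LOCK_DIR:-/run/lock/insights-malware-detection}"

# Try to take the lock. Returns 0 on success, 1 if another live scan holds it.
acquire_scan_lock() {
    if mkdir "$LOCK_DIR" 2>/dev/null; then
        echo "$$" > "$LOCK_DIR/pid"
        return 0
    fi
    owner=$(cat "$LOCK_DIR/pid" 2>/dev/null)
    # Lock held by a process that is still alive: refuse.
    if [ -n "$owner" ] && kill -0 "$owner" 2>/dev/null; then
        return 1
    fi
    # Stale lock (owner died without cleaning up, e.g. a killed scan).
    # rename(2) is atomic, so if two callers race here only one mv succeeds;
    # the loser reports the lock as busy and the winner takes it.
    stale="$LOCK_DIR.stale.$$"
    mv "$LOCK_DIR" "$stale" 2>/dev/null || return 1
    rm -rf "$stale"
    mkdir "$LOCK_DIR" 2>/dev/null || return 1
    echo "$$" > "$LOCK_DIR/pid"
    return 0
}

release_scan_lock() {
    rm -rf "$LOCK_DIR"
}

# Run the given command under the lock. Returns 75 (EX_TEMPFAIL, an assumed
# convention) when a scan is already running, otherwise the command's own
# exit status.
run_scan_locked() {
    if ! acquire_scan_lock; then
        echo "malware-detection: another scan is already running (pid $(cat "$LOCK_DIR/pid" 2>/dev/null)), not starting a second one" >&2
        return 75
    fi
    # Release the lock even if the scan is interrupted or the shell exits.
    trap 'release_scan_lock' EXIT
    trap 'release_scan_lock; exit 130' INT TERM
    "$@"
    rc=$?
    release_scan_lock
    trap - EXIT INT TERM
    return "$rc"
}

# Usage: wrap the real scan, e.g.
#   sh scan-locked.sh insights-client --collector malware-detection
if [ "$#" -gt 0 ]; then
    run_scan_locked "$@"
fi
```

Two sessions running the wrapper at the same time then produce one scan and one "another scan is already running" message, so the second scan never sees the first scan's temporary rules file. The exclusion approach from the first bullet is complementary: even with locking, a crashed scan can leave a stale malware-detection_yara_rules.* file behind, which the next scan would again flag.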
Business Impact / Additional info
False-positive results cause confusion for end users and raise unnecessary security concerns.