Can someone please advise why alerts on Security Onion written by Emerging Threats do not trigger alerts on other platforms such as AV and Malwarebytes?
When I receive alerts on Security Onion, I trigger scanners from the other platforms against the node identified by Security Onion, but no malware signature is picked up by these platforms…
Is there something that I am missing in the validation and verification of malware signatures from Emerging Threats…
Antivirus runs and looks for anomalies in applications running on your computer, but some applications can evade antivirus applications.
The Emerging Threats signatures look at the network traffic on the network and detect on patterns in that traffic. Sometimes these signatures/patterns are misidentified and result in a false positive. This means that the content on the network matches our signature, but the application or source of the traffic is not what we think it is from the signature perspective.
In this case, the signature that is firing was created in 2010 for a backdoor that was used quite a bit back then. However, as far as I can tell, that rootkit doesn't work on current Windows operating systems.
In this case you would have to find a tool that can specifically detect HackerDefender and see if that finds anything to provide confirmation of an infection on the system.
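The reply above describes a network signature matching without the host actually being infected, and recommends confirming on the host. As an added example (not code from this thread, from Security Onion or from Emerging Threats), the following Python triage helper reads Suricata EVE JSON alert lines of the kind Security Onion ingests, groups the alerts by destination host so the analyst knows which hosts to scan, and flags alerts whose rule metadata shows a created_at date older than a chosen threshold, since an old, never-updated signature is a common false-positive candidate. It assumes the rules carry created_at metadata in the YYYY_MM_DD form ET uses; the sample lines, signature ids, signature names, addresses and dates are constructed placeholders, and STALE_YEARS is an analyst-chosen value.

```python
import json
from datetime import date

# Constructed sample EVE JSON lines (the format Suricata writes and Security Onion
# ingests). Signature ids, names, addresses and dates are placeholders for this
# example, not real Emerging Threats rules.
SAMPLE_EVE_LINES = [
    json.dumps({
        "timestamp": "2024-05-01T10:00:00.000000+0000",
        "event_type": "alert",
        "src_ip": "10.0.0.5", "dest_ip": "10.0.0.20",
        "alert": {
            "signature_id": 2000001,
            "signature": "ET MALWARE Placeholder old backdoor beacon",
            "category": "A Network Trojan was detected",
            "severity": 1,
            "metadata": {"created_at": ["2010_03_15"], "updated_at": ["2010_03_15"]},
        },
    }),
    json.dumps({
        "timestamp": "2024-05-01T10:00:05.000000+0000",
        "event_type": "flow",
        "src_ip": "10.0.0.5", "dest_ip": "10.0.0.21",
    }),
    json.dumps({
        "timestamp": "2024-05-01T10:01:00.000000+0000",
        "event_type": "alert",
        "src_ip": "203.0.113.9", "dest_ip": "10.0.0.21",
        "alert": {
            "signature_id": 2000002,
            "signature": "ET MALWARE Placeholder recent loader checkin",
            "category": "A Network Trojan was detected",
            "severity": 1,
            "metadata": {"created_at": ["2023_11_02"], "updated_at": ["2024_01_10"]},
        },
    }),
]

STALE_YEARS = 5  # analyst-chosen threshold for flagging an old rule (assumption)


def parse_eve_alerts(lines):
    """Return the alert-type records from EVE JSON lines, ignoring other event types."""
    alerts = []
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed log line: skip it rather than abort the triage
        if rec.get("event_type") == "alert" and "alert" in rec:
            alerts.append(rec)
    return alerts


def rule_created(alert):
    """Return the rule's created_at date from its metadata, or None when absent."""
    values = alert["alert"].get("metadata", {}).get("created_at") or []
    if not values:
        return None
    try:
        y, m, d = (int(p) for p in values[0].split("_"))
        return date(y, m, d)
    except ValueError:
        return None  # unexpected metadata format; treat the age as unknown


def triage(lines, today_iso):
    """Group alerts by destination host and mark which ones involve a stale rule.

    Every network alert still needs host-side confirmation; the stale flag only
    tells the analyst which matches deserve extra scepticism.
    """
    today = date.fromisoformat(today_iso)
    by_host = {}
    for alert in parse_eve_alerts(lines):
        created = rule_created(alert)
        age_years = None if created is None else (today - created).days / 365.25
        by_host.setdefault(alert["dest_ip"], []).append({
            "sid": alert["alert"]["signature_id"],
            "signature": alert["alert"]["signature"],
            "rule_age_years": age_years,
            "stale_rule": age_years is not None and age_years >= STALE_YEARS,
            "host_confirmation_required": True,
        })
    return by_host


if __name__ == "__main__":
    for host, findings in triage(SAMPLE_EVE_LINES, "2024-05-01").items():
        print(host)
        for f in findings:
            print("  sid %d age=%s stale=%s" % (f["sid"], f["rule_age_years"], f["stale_rule"]))
```

The output is a per-host worklist rather than a verdict: a stale flag says a match deserves a tool that checks for that specific malware family on the host, as the reply suggests, not that the alert can be dismissed.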
Given your insight, it would then make sense to change my approach to understanding malware evasive detection…
Yes, it would make sense to find specific malware detectors for specific signatures.
Perhaps a 2nd IPS platform would give some level of assurance, and scanning hosts with specific malware signature detectors could provide more assurance.