Prisma Cloud Compute: Crypto-miner false positive detection
Created On 07/27/21 20:53 PM - Last Modified 04/18/24 18:56 PM
Symptom
The customer sees the following runtime audit message in the Defender debug logs:
pubsub_defender.go:1593 Runtime audit /usr/bin/dpkg created /usr/lib/x86_64-linux-gnu/libdcerpc-server.so.0.0.1,
which is identified as a crypto miner xmrig. MD5: ea0fb6794d7bfc766c2ccc481b45add2. Command: /usr/bin/dpkg --status-fd 12 --no-triggers --unpack
--auto-deconfigure /var/cache/apt/archives/python-samba_2%3a4.7.6+dfsg~ubuntu-0ubuntu2.23_amd64.deb
/var/cache/apt/archives/samba-common-bin_2%3a4.7.6+dfsg~ubuntu-0ubuntu2.23_amd64.deb
/var/cache/apt/archives/samba-common_2%3a4.7.6+dfsg~ubuntu-0ubuntu2.23_all.deb /var/cache/apt/archives/samba-libs_2%3a4.7.6+dfsg~ubuntu-0ubuntu2.23_amd64.deb
/var/cache/apt/archives/libwbclient0_2%3a4.7.6+dfsg~ubuntu-0ubuntu2.23_amd64.deb. Attack type: crypto miner process,
Environment
- Prisma Cloud Compute SaaS version
- Self-Hosted version 20.12 and later
Cause
The crypto-miner alert is triggered by the python-samba package: the library file that dpkg unpacks from it is misidentified as the xmrig crypto miner.
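To triage such alerts in bulk, the following added script (not part of this article or of the product) parses the runtime audit message format shown above and flags the dpkg/python-samba case as the known false positive while leaving anything else for investigation; both sample lines are constructed, and the second one uses a placeholder MD5.

```python
import re

# Constructed sample: the audit line from the article, joined into one line
# (the real message is a single log line; the article shows it wrapped).
SAMPLE_AUDIT = (
    "pubsub_defender.go:1593 Runtime audit /usr/bin/dpkg created "
    "/usr/lib/x86_64-linux-gnu/libdcerpc-server.so.0.0.1, which is identified "
    "as a crypto miner xmrig. MD5: ea0fb6794d7bfc766c2ccc481b45add2. "
    "Command: /usr/bin/dpkg --status-fd 12 --no-triggers --unpack "
    "--auto-deconfigure /var/cache/apt/archives/python-samba_2%3a4.7.6+dfsg~ubuntu-0ubuntu2.23_amd64.deb "
    "/var/cache/apt/archives/samba-libs_2%3a4.7.6+dfsg~ubuntu-0ubuntu2.23_amd64.deb. "
    "Attack type: crypto miner process,"
)

# Constructed sample of an alert that does NOT match the known false positive
# (placeholder MD5, hypothetical paths).
SAMPLE_OTHER = (
    "pubsub_defender.go:1593 Runtime audit /bin/bash created /tmp/.x/xmrig, "
    "which is identified as a crypto miner xmrig. "
    "MD5: 00000000000000000000000000000000. Command: /bin/bash -c ./run.sh. "
    "Attack type: crypto miner process,"
)

# Field layout of the Defender audit message as shown in the article.
AUDIT_RE = re.compile(
    r"Runtime audit (?P<process>\S+) created (?P<file>\S+?), which is identified "
    r"as a crypto miner (?P<miner>\S+?)\. MD5: (?P<md5>[0-9a-f]{32})\. "
    r"Command: (?P<command>.*?)\. Attack type: (?P<attack>[^,]+)"
)

# The known false positive: dpkg unpacking python-samba drops
# libdcerpc-server.so, which the detector mislabels as xmrig.
KNOWN_FP = {
    "process": "/usr/bin/dpkg",
    "package_prefix": "python-samba_",
    "file": "/usr/lib/x86_64-linux-gnu/libdcerpc-server.so.0.0.1",
}

def parse_audit(line):
    """Extract process, created file, miner name, MD5, command and .deb packages."""
    m = AUDIT_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    # The .deb arguments in the command show which packages dpkg was unpacking.
    args = d["command"].split()
    d["packages"] = [a.rsplit("/", 1)[-1] for a in args if a.endswith(".deb")]
    return d

def triage(line):
    """Return 'known_false_positive', 'investigate' or 'unparsed' for one audit line."""
    d = parse_audit(line)
    if d is None:
        return "unparsed"
    fp = (d["process"] == KNOWN_FP["process"]
          and d["file"] == KNOWN_FP["file"]
          and any(p.startswith(KNOWN_FP["package_prefix"]) for p in d["packages"]))
    return "known_false_positive" if fp else "investigate"
```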
Resolution
This is a confirmed false positive, and a fix is already in progress.
Currently a fix is scheduled for the Iverson release.
In the meantime, the workaround is to add the dpkg binary to the allowed processes list:
- Go to Compute > Defend > Runtime > Host Policy
- Add the following path to the "Allowed processes" list:
/usr/bin/dpkg
- Click Save.
Additional Information
If, after investigating, you determine that the alert is a false positive, and the crypto-miner detection feature generates too many such false positives, consider disabling it going forward.
The fix for the crypto-miner false positive is implemented in the Iverson release.