
MISP files detected as malware backdoor trojan by Defender for endpoint #173

Open
1holygrail opened this issue Aug 7, 2023 · 2 comments

Comments

@1holygrail

Hi All,

I have recently downloaded MISP using the instructions provided in this forum on a Linux box.

Before switching on the docker compose I thought of running an AV scan on the box using Defender.

Below files have been flagged by Defender as malware which got installed along with the MISP app:

  • /var/lib/docker/overlay2/{file_id}/diff/var/www/MISP/PyMISP/tests/email_testfiles/mail_1.msg [Nemucod malware detected]
  • misp_stix-2.4.172-py3-none-any.whl [Backdoor PHP detected]
  • var/lib/docker/overlay2/{file_id}/diff/var/www/MISP/venv/lib/python3.8/site-packages/misp_stix_converter/data/cti/enterprise-attack/relationship/relationship--2{GUID}.json
  • /var/lib/docker/overlay2/{filed_id}/diff/var/www/MISP/PyMISP/tests/viper-test-files/test_files/Douglas-Resume.doc ['Adnel' malware detected]

Has anyone else run an AV scan on their Linux box with MISP installed? And have you come across this? If so, any tips would be appreciated.

If the files are malicious, can someone in the community please check and see why they are there in the first place?

The Douglas-Resume file is in a test folder, which is understandable, but it would still be good to get some concrete verification that these files are legitimate and required for MISP functionality.

Many thanks

@1holygrail (Author)

Update on this

Created a new MISP install and below are all the threats found in /var/lib/docker/overlay2/{folder_names}/diff/{folder_names}:

Id: "f703ca65-0433-40a9-95d0-2e0f65bfef14"
Name: Backdoor:PHP/Remoteshell.B
Type: "backdoor"
Status: "infected"

Id: "6802e112-f8c1-4c65-a7cc-1e00db8d46fc"
Name: Backdoor:PHP/Remoteshell.B
Type: "backdoor"
Status: "infected"

Id: "29988540-6155-4b00-b253-9cc4fa8a1582"
Name: TrojanDownloader:JS/Nemucod!rfn
Type: "trojan_downloader"
Status: "disinfected"

Id: "f518a473-c660-4f8e-8c70-16cd993f3619"
Name: TrojanDownloader:JS/Nemucod!rfn
Type: "trojan_downloader"
Status: "disinfected"

Id: "7b6b3171-a015-4b1d-980c-437b18825cb7"
Name: TrojanDownloader:JS/Nemucod!rfn
Type: "trojan_downloader"
Status: "infected"

Id: "11b6a4ae-eb70-45d9-a54e-59b1dc811405"
Name: TrojanDownloader:X97M/Adnel
Type: "trojan_downloader"
Status: "infected"

Id: "f159ee8a-bbbc-4cae-b6ee-c79baf5b9ea1"
Name: TrojanDownloader:O97M/Donoff!MSR
Type: "trojan_downloader"
Status: "infected"

Id: "eabb5a92-469a-4688-bc5a-81abd2f97857"
Name: Backdoor:PHP/Remoteshell.B
Type: "backdoor"
Status: "infected"

Id: "1d113160-2846-4320-9c36-72cf9df46d60"
Name: Backdoor:PHP/Remoteshell.B
Type: "backdoor"
Status: "infected"

Does anyone know if their MISP folders mentioned above are also showing up with these threats?

Many thanks

@1holygrail (Author)

And to be even more specific these are all the files and locations of these files which were flagged by Defender as malicious or suspicious and were quarantined:

/var/lib/docker/overlay2/puntpvg2kyxcjkyp0v5ua4akw/diff/root/MISP.tgz

/var/lib/docker/overlay2/w4k5ekcuu60arvbjj9mptm7u7/diff/var/www/MISP/PyMISP/tests/viper-test-files/test_files/9afa90370cfd217ae1ec36e752a393537878a2f3b5f9159f61690e7790904b0d

/var/lib/docker/overlay2/w4k5ekcuu60arvbjj9mptm7u7/diff/var/www/MISP/PyMISP/tests/viper-test-files/test_files/9afa90370cfd217ae1ec36e752a393537878a2f3b5f9159f61690e7790904b0d

/var/lib/docker/overlay2/w4k5ekcuu60arvbjj9mptm7u7/diff/var/www/.cache/pip/wheels/b2/b6/fd/89b702cb285c586b0b3090d1ae26d2230c25c0d33ffa635a66/misp_stix-2.4.172-py3-none-any.whl

/var/lib/docker/overlay2/w4k5ekcuu60arvbjj9mptm7u7/diff/var/www/MISP/app/files/scripts/misp-stix/misp_stix_converter/data/cti/enterprise-attack/relationship/relationship--2610bdef-0b08-46a8-94f5-cf253f11e5fc.json

/var/lib/docker/overlay2/w4k5ekcuu60arvbjj9mptm7u7/diff/var/www/MISP/venv/lib/python3.8/site-packages/misp_stix_converter/data/cti/enterprise-attack/relationship/relationship--2610bdef-0b08-46a8-94f5-cf253f11e5fc.json
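A triage helper for the situation described in this thread, added here as an example and not part of the issue, of MISP, or of Microsoft's tooling. It does two things a practitioner would want before deciding whether the detections matter: it parses the Id/Name/Type/Status records quoted above into a per-signature count (the record shape is assumed to be what `mdatp threat list` prints; values may or may not be double-quoted), and it checks whether a fixture whose file name is a 64-hex-character SHA-256 (the naming convention the viper-test-files path above suggests; assumed, not confirmed by the page) still hashes to its own name. A file Defender reports as "disinfected" has been rewritten in place, and that check is how you notice. `classify_path` is a hypothetical heuristic for bucketing flagged paths by provenance; the sample threat text and fixture files are constructed in-line so the script runs offline.

```python
import hashlib
import os
import re
import tempfile

# Constructed sample, copied in shape from the records quoted in the issue
# (assumed to be `mdatp threat list` output; one blank line between records).
SAMPLE_THREAT_LIST = '''
Id: "f703ca65-0433-40a9-95d0-2e0f65bfef14"
Name: Backdoor:PHP/Remoteshell.B
Type: "backdoor"
Status: "infected"

Id: "6802e112-f8c1-4c65-a7cc-1e00db8d46fc"
Name: Backdoor:PHP/Remoteshell.B
Type: "backdoor"
Status: "infected"

Id: "29988540-6155-4b00-b253-9cc4fa8a1582"
Name: TrojanDownloader:JS/Nemucod!rfn
Type: "trojan_downloader"
Status: "disinfected"
'''

_RECORD_SEP = re.compile(r"\n\s*\n")
# Key: value, value optionally wrapped in double quotes (Name is printed bare).
_FIELD = re.compile(r'^\s*(\w+):\s*"?([^"\n]*?)"?\s*$', re.M)
_HEX64 = re.compile(r"^[0-9a-f]{64}$")


def parse_threat_list(text):
    """Split Defender's Id/Name/Type/Status records into a list of dicts."""
    records = []
    for chunk in _RECORD_SEP.split(text.strip()):
        fields = dict(_FIELD.findall(chunk))
        if "Name" in fields:
            records.append(fields)
    return records


def summarise(records):
    """Detections per signature name; 'disinfected' ones are counted separately."""
    counts = {}
    for r in records:
        key = r["Name"] + (" (disinfected)" if r.get("Status") == "disinfected" else "")
        counts[key] = counts.get(key, 0) + 1
    return counts


def sha256_of_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(65536), b""):
            h.update(block)
    return h.hexdigest()


def hash_named_file_intact(path):
    """True if a SHA-256-named fixture still hashes to its name, False if its
    content was altered (e.g. quarantined-and-cleaned), None if the name is not a hash."""
    name = os.path.basename(path)
    if not _HEX64.match(name):
        return None
    return sha256_of_file(path) == name


def classify_path(path):
    """Hypothetical provenance bucket for a path flagged inside the MISP image."""
    if "/tests/" in path or "/test_files/" in path:
        return "test-fixture"
    if "/.cache/pip/" in path or path.endswith(".whl"):
        return "pip-wheel"
    if "/data/cti/" in path:
        return "bundled-attack-data"
    return "unknown"


def make_fixture_dir():
    """Constructed fixtures: one hash-named file intact, one emptied in place."""
    d = tempfile.mkdtemp()
    content = b"constructed sample; stands in for a benign test file\n"
    name = hashlib.sha256(content).hexdigest()
    intact = os.path.join(d, name)
    with open(intact, "wb") as f:
        f.write(content)
    tampered = os.path.join(d, "cleaned", name)  # same name, content gone
    os.makedirs(os.path.dirname(tampered))
    with open(tampered, "wb") as f:
        f.write(b"")
    return intact, tampered


if __name__ == "__main__":
    for sig, n in summarise(parse_threat_list(SAMPLE_THREAT_LIST)).items():
        print(f"{n:2d}  {sig}")
    intact, tampered = make_fixture_dir()
    for p in (intact, tampered):
        print(hash_named_file_intact(p), classify_path(p), p)
```

Run it against the real `mdatp threat list` output and the real overlay2 paths, and compare each flagged file's SHA-256 with the one recorded for that path in the upstream PyMISP or misp-stix git tree; a hash that matches upstream tells you Defender is reacting to a committed fixture, not to something that appeared on your box.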
