
Kibana Knowledge Base Files being detected as Malware after update to 8.16 #202114

Open
tammytankian opened this issue Nov 28, 2024 · 20 comments
Labels: bug (Fixes for quality problems that affect the customer experience), Team:Security Generative AI

Comments

@tammytankian

Kibana version:
8.16.1

Elasticsearch version:
8.16.1

Server OS version:
Debian 12.8

Original install method (e.g. download page, yum, from source, etc.):
Elastic repositories

Describe the bug:
After updating to the latest version, the Kibana knowledge base files under /usr/share/kibana/node_modules/@kbn/elastic-assistant-plugin/server/knowledge_base have been detected as malware by Defender.

Steps to reproduce:

  1. Install Kibana on Azure on Debian
  2. Let Defender for Cloud scan the server
  3. Receive lots of alerts

Expected behavior:
Not to have any alerts

Screenshots (if relevant):
[Two screenshots of the Defender alerts; not reproduced here]

@tammytankian tammytankian added the bug Fixes for quality problems that affect the customer experience label Nov 28, 2024
@botelastic botelastic bot added the needs-team Issues missing a team label label Nov 28, 2024
@jsanz jsanz added the Team:Operations Team label for Operations Team label Nov 29, 2024
@elasticmachine
Contributor

Pinging @elastic/kibana-operations (Team:Operations)

@botelastic botelastic bot removed the needs-team Issues missing a team label label Nov 29, 2024
@jsanz
Member

jsanz commented Nov 29, 2024

Not 100% sure this is for Operations team but they'll know better if this is for another team.

@daniel-rutten-businessfundamentals-nl

We’re encountering the same issue described here and would like to know if there’s been any progress or updates on this. The problem is impacting our workflow, and we’re eager to understand the current status or any planned fixes.

@Ikuni17
Contributor

Ikuni17 commented Dec 3, 2024

This package is owned by @elastic/security-generative-ai. Don't know how much Operations can help with this, but feel free to ping us if something comes up.

@Ikuni17 Ikuni17 added Team:Security Generative AI Security Generative AI and removed Team:Operations Team label for Operations Team labels Dec 3, 2024
@tammytankian
Author

tammytankian commented Dec 9, 2024

Any news? We had to remove the directory to stop the amount of alerts, but next update it will be back and the issue will start all over again.

@henjoh75

Got this when trying to download 8.16.1:
[Screenshot of the download being blocked; not reproduced here]

@oldefortran

Facing a similar situation to @tammytankian - a large enterprise customer is requesting an "official" bulletin from Elastic prior to accepting this as a false positive. This appears to only be a problem with Defender...

@patrykkopycinski
Contributor

cc @peluja1012 @jamesspi

@peluja1012
Contributor

Hi @oldefortran, the Elastic security team confirms that this is a false positive. The identified files (under /usr/share/kibana/node_modules/@kbn/elastic-assistant-plugin/server/knowledge_base) are simple plaintext markdown files that can include content that may be flagged by AV software as potentially harmful; however, these are not executable nor malicious. These files are used to enhance the knowledge of the AI Assistant with recent and relevant security research from Elastic Security Labs.

@oldefortran

Much appreciated @peluja1012 - thank you!

@sheikharsalanelastic

Team, @peluja1012: does the latest Kibana 8.17.0 fix the false positive issue?

@sheikharsalanelastic

The customer did a virus scan on version 8.17.0 this morning and the anti-virus software identified the same two files as problematic.

@peluja1012
Contributor

Hi @sheikharsalanelastic, we expect the issue to still be present in 8.17.0, unfortunately. We are working on a potential fix and will prioritize it but we don't currently have a target release date that we can share.

@sheikharsalanelastic

Thanks

@sheikharsalanelastic

Thanks. Is there a timeline for when the fix will be available, in 8.17.1 I assume?

@sheikharsalanelastic

@peluja1012 Thanks. Is there a timeline for when the fix will be available, in 8.17.1 I assume?

@hnviradiya

Same. Virus detected. Unable to download.

[Screenshot of the blocked download; not reproduced here]

@jamesspi

Hi all, we will most likely target a fix for our 8.18 release.

@jbudz
Member

jbudz commented Dec 30, 2024

Also may be related to https://discuss.elastic.co/t/error-upgrading-kibana-to-newer-version-8-17-0/372577/4.

dpkg: error processing archive kibana-8.17.0-amd64.deb (--install):
 error setting timestamps of '/usr/share/kibana/node_modules/@kbn/elastic-assistant-plugin/server/knowledge_base/security_labs/siestagraph_new_implant_uncovered_in_asean_member_foreign_ministry.md.dpkg-new': No such file or directory
dpkg-deb: error: paste subprocess was killed by signal (Broken pipe)
Errors were encountered while processing:
 kibana-8.17.0-amd64.deb
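
The two technical points in this thread are that the flagged files are plaintext markdown (non-executable, confirmed by Elastic above as a false positive) and that an AV quarantine during package installation shows up as a dpkg "No such file or directory" error on a file under the knowledge_base directory. The following triage helper is an added example, not Kibana or Elastic code: it walks a directory (in production, the /usr/share/kibana/node_modules/@kbn/elastic-assistant-plugin/server/knowledge_base path from the thread), records each file's SHA-256, size, executable bit and whether it is plain UTF-8 text, and lists anything that does not look like a plain markdown file so it can be reviewed or compared against the vendor package manifest (for example via dpkg -V kibana or rpm -V kibana, which this script does not run). The sample tree it builds under a temporary directory is constructed for the example; the file names in it are not from the page.

```python
"""Triage helper for AV hits on plaintext knowledge-base files.

Added example; not part of Kibana. It classifies every file under a
directory by shape (executable bit, UTF-8 text, .md extension) and hashes
it so the result can be checked against the package manifest or attached
to a false-positive submission.
"""
import hashlib
import os
import stat
import tempfile
from pathlib import Path
from typing import Dict, List


def classify_file(path: Path) -> Dict:
    """Return hash, size and shape flags for one file."""
    data = path.read_bytes()
    mode = path.stat().st_mode
    # Any execute bit set means the file could be run directly.
    is_exec = bool(mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))
    try:
        data.decode("utf-8")
        # A NUL byte decodes fine as UTF-8 but never appears in real markdown.
        is_text = b"\x00" not in data
    except UnicodeDecodeError:
        is_text = False
    is_md = path.suffix.lower() == ".md"
    return {
        "path": str(path),
        "sha256": hashlib.sha256(data).hexdigest(),
        "size": len(data),
        "executable": is_exec,
        "utf8_text": is_text,
        "markdown_ext": is_md,
        # "benign shape" = the shape Elastic describes for these files:
        # non-executable plaintext markdown. It is a shape check, not a
        # content verdict; the manifest comparison is the real integrity check.
        "benign_shape": (not is_exec) and is_text and is_md,
    }


def triage_directory(root: Path) -> List[Dict]:
    """Classify every regular file below root, in a stable order."""
    return [classify_file(p) for p in sorted(root.rglob("*")) if p.is_file()]


def summarize(results: List[Dict]) -> Dict:
    """Count benign-shaped files and list the ones that need a human look."""
    return {
        "total": len(results),
        "benign_shape": sum(1 for r in results if r["benign_shape"]),
        "needs_review": [r["path"] for r in results if not r["benign_shape"]],
        "hashes": {r["path"]: r["sha256"] for r in results},
    }


def build_sample_tree(root: Path) -> None:
    """Constructed sample input: one markdown note and one stray binary.

    The file names here are invented for the example; the real directory
    contains Elastic Security Labs research articles as markdown.
    """
    labs = root / "security_labs"
    labs.mkdir(parents=True, exist_ok=True)
    (labs / "sample_research_note.md").write_text(
        "# Sample research note\n\nPlaintext markdown only; no code runs here.\n",
        encoding="utf-8",
    )
    # An ELF-looking, executable file stands in for something that should
    # NOT be sitting in a directory of markdown articles.
    stray = labs / "stray_binary.bin"
    stray.write_bytes(b"\x7fELF\x00\x01\x02\x00")
    os.chmod(stray, 0o755)


def demo_run() -> Dict:
    """Build the constructed tree in a temp dir and triage it."""
    root = Path(tempfile.mkdtemp(prefix="kb_triage_"))
    build_sample_tree(root)
    return summarize(triage_directory(root))


if __name__ == "__main__":
    import json
    import sys
    # Usage: python triage.py [directory]; with no argument, runs on the
    # constructed sample tree.
    if len(sys.argv) > 1:
        print(json.dumps(summarize(triage_directory(Path(sys.argv[1]))), indent=2))
    else:
        print(json.dumps(demo_run(), indent=2))
```

Run it against the real knowledge_base path after an install that completed, then compare the hashes with the package manager's verification output; if the AV quarantined a file mid-install (the dpkg "No such file or directory" case above), it simply will not appear in the listing, which is the quickest way to tell a quarantine from a detection-only alert.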

@evakichi

evakichi commented Jan 6, 2025

I encountered a similar issue. In my case I use the following OS and ESET:

$ cat /etc/os-release
NAME="Rocky Linux"
VERSION="9.5 (Blue Onyx)"
ID="rocky"
ID_LIKE="rhel centos fedora"
VERSION_ID="9.5"
PLATFORM_ID="platform:el9"
PRETTY_NAME="Rocky Linux 9.5 (Blue Onyx)"
ANSI_COLOR="0;32"
LOGO="fedora-logo-icon"
CPE_NAME="cpe:/o:rocky:rocky:9::baseos"
HOME_URL="https://rockylinux.org/"
VENDOR_NAME="RESF"
VENDOR_URL="https://resf.org/"
BUG_REPORT_URL="https://bugs.rockylinux.org/"
SUPPORT_END="2032-05-31"
ROCKY_SUPPORT_PRODUCT="Rocky-Linux-9"
ROCKY_SUPPORT_PRODUCT_VERSION="9.5"
REDHAT_SUPPORT_PRODUCT="Rocky Linux"
REDHAT_SUPPORT_PRODUCT_VERSION="9.5"
$ rpm -qi efs
Name        : efs
Version     : 11.0.228.0
Release     : 1
Architecture: x86_64
Install Date: Sat 16 Nov 2024 07:09:43 PM JST
Group       : Security
Size        : 219045844
License     : unknown
Signature   : (none)
Source RPM  : efs-11.0.228.0-1.src.rpm
Build Date  : Fri 26 Jul 2024 05:26:39 PM JST
Build Host  : ba-linux-apps-build01.hq.eset.com
Relocations : /
Packager    : ESET, spol. s r.o.
Vendor      : ESET, spol. s r.o.
URL         : www.eset.com
Summary     : ESET Server Security
Description :
ESET Server Security
$ rpm -qi kibana
Name        : kibana
Version     : 8.17.0
Release     : 1
Architecture: x86_64
Install Date: Mon 06 Jan 2025 10:11:46 AM JST
Group       : default
Size        : 1037075746
License     : Elastic License
Signature   : RSA/SHA512, Wed 11 Dec 2024 11:06:56 PM JST, Key ID d27d666cd88e42b4
Source RPM  : kibana-8.17.0-1.src.rpm
Build Date  : Wed 11 Dec 2024 08:39:22 PM JST
Build Host  : bk-agent-prod-gcp-1733915334026925075.c.elastic-ci-prod.internal
Relocations : /
Packager    : Kibana Team <[email protected]>
Vendor      : Elasticsearch, Inc.
URL         : https://www.elastic.co
Summary     : Explore and visualize your Elasticsearch data
Description :
Explore and visualize your Elasticsearch data

My machine has the above OS, ESET and Kibana (this Kibana could only be installed while ESET was stopped).

ESET detects it as Win32/Filecoder.Cuba ASP/Webshell.CX during the Kibana installation.

Is this Kibana safe?
By the way, I have stopped this machine until I make sure that this Kibana is safe.
