Neo23x0/Loki

Loki gets false negatives

narfdf999 opened this issue · 5 comments

To test Loki I have created several files with hashes, IPs and domains of APT 28 (8b92fe86c5b7a9e34f433a6fbac8bc3a, poczta.mon.q0v.pl, 185.100.84.134) around the system and I have run Loki in several directories and the root directory where I put those files, but at the end Loki said that the system seems to be clean. I have searched for that IP and Loki knew it. I'm using CentOS 8 and Kali Linux and Loki's 2d4d version. What could be causing this bug and how could I fix it?

Did these files have normal extensions? Or did you use --intense? (By default Loki scans only files with relevant extensions, so if you put the files there with names like 8b92fe86c5b7a9e34f433a6fbac8bc3a.sample, they wouldn't be scanned.)

These are normal txt files that contain several malicious IPs, domains, ... I thought that in addition to detecting malicious files, Loki read all the files it found looking for IOCs.

Loki finds a web-shell (\Program Files (x86)\Sophos\Sophos Anti-Virus\Web Intelligence) in Sophos AV. This file is not malicious.

Could you send the line of Loki's log?