Directory Opus seen as dangerous and ransomware by Sentinel security software

Hi,

I recently got a brand new laptop for my work.
I installed Directory Opus on it and could not install it.

We use Sentinel security software and filed an issue with our ICT department because I am full admin on my laptop as a service engineer.

So I asked for whitelisting DOPUS on my laptop, but they did not, with the following notifications.
Sentinel sees DOPUS as dangerous.

I am not ready with this yet, so I will post all of the text they sent me right into this forum and hope that the developers of DOPUS can explain why security software goes bananas about this excellent program.

The lines are under here:


General

  • Detected by the Static Engine
  • A process created a NTFS mount point
  • User logged on
  • MITRE : Persistence [T1078]
  • MITRE : Defense Evasion [T1078]
  • MITRE : Privilege Escalation [T1078]
  • MITRE : Initial Access [T1078]
  • Process started from shortcut file
  • MITRE : Execution [T1204]
  • Logon process registered with the security subsystem
  • MITRE : Credential Access [T1003][T1003.005]

Ransomware

  • Suspicious file manipulation behavior - possibly Ransomware
  • MITRE : Impact [T1485][T1486]

Infostealer

  • Keylogger Installation
  • MITRE : Credential Access [T1056.001]
  • MITRE : Collection [T1056.001]
  • Detected possible infostealing attempts from two or more applications
  • MITRE : Credential Access [T1555]

Evasion

  • Suspicious registry key was created
  • MITRE : Defense Evasion [T1112][T1027][T1564.005][T1480.001]
  • An obfuscated PowerShell command was detected
  • MITRE : Defense Evasion [T1027][T1140][T1480.001]
  • Process executed with non-standard resource type
  • MITRE : Command and Control [T1132]
  • MITRE : Defense Evasion [T1027][T1480.001]
  • Process wrote to a hidden file section
  • MITRE : Defense Evasion [T1564.004][T1027][T1480.001]
  • Indirect command was executed
  • MITRE : Defense Evasion [T1218][T1202]
  • Process executed with PE file embedded in resource
  • MITRE : Command and Control [T1132]
  • MITRE : Defense Evasion [T1027][T1480.001]

Privilege Escalation

  • Process created with different token by non-system process
  • MITRE : Privilege Escalation [T1134.002][T1078]
  • MITRE : Defense Evasion [T1134.002][T1078]
  • MITRE : Persistence [T1078]
  • MITRE : Initial Access [T1078]

Injection

  • Explorer loaded suspicious shell extension
  • MITRE : Defense Evasion [T1574.002]
  • MITRE : Privilege Escalation [T1574.002]
  • MITRE : Persistence [T1574.002]
  • A library owned by one process was loaded to other process
  • MITRE : Defense Evasion [T1574.001]
  • MITRE : Privilege Escalation [T1574.001]
  • MITRE : Persistence [T1574.001]
  • Library was injected to a remote process
  • MITRE : Defense Evasion [T1055]
  • MITRE : Privilege Escalation [T1055]

Discovery

  • Identified attempt to access a raw volume
  • MITRE : Discovery [T1082]

Persistence

  • Application registered itself to become persistent via an autorun
  • MITRE : Persistence [T1547.001][T1546]
  • MITRE : Privilege Escalation [T1547.001]
  • Startup file was created or modified
  • MITRE : Persistence [T1547.001][T1037.001][T1546]
  • MITRE : Privilege Escalation [T1547.001][T1037.001]
  • A process registered a custom extension that spawns a suspicious executable
  • MITRE : Persistence [T1546.001][T1547.001]
  • MITRE : Privilege Escalation [T1547.001][T1546.001]
  • Application registered itself to become persistent via COM object
  • MITRE : Persistence [T1546.015]
  • MITRE : Privilege Escalation [T1546.015]

Packer

  • Process suspicious as packed
  • MITRE : Defense Evasion [T1027][T1480.001]

There was a screenshot also, but I cannot put that in here.
How can this program be defended to whitelist it? Is Sentinel giving false positives?

Best regards
Ronald,

IT idiots in full galore. Just give morons an example of a benign DO action/feature for each of these detections. Depending on how stupid they are, this may be enough to get an exception.

1 Like

Yes, agree, but I'm afraid I need a little bit more explanation from the DOPUS developers on this.
It's nuts, I know.

The explanation is that your antivirus software is trash.

5 Likes

Agree.

Told them that DOPUS is a commercial and well-working piece of software; I have used it for years now.
When I am back from my vacation I will rattle the cage at the ICT department that Sentinel One is false flagging based on nothing.

This is not "antivirus", this is enterprise threat detection software - something similar but working on a different level and scale. With possibly the same effect.

Enterprise-level trash. Whatever they're paying for it, they're being ripped off :slight_smile:

2 Likes

they're just upset they can't inject TV commercials into dopus. LOL :rofl: