EDR Flags Tools in PacketFence – Need Clarification on Legitimacy #8804
Description
Our endpoint detection / EDR solution (SOne) is flagging a number of files installed by PacketFence. We are unsure whether this is a false positive or if there’s a legitimate issue with these files being flagged. These files are part of the legitimate PacketFence install, but they are generating alerts in production. Has this issue been reported before? Are there any planned solutions or guidance to clarify the legitimacy of these files and prevent these detections?
Environment
- PacketFence version: 14.1
- Distro: Rocky Linux
- Python version: 3.6
- EDR vendor: SOne
Files being flagged
/usr/lib/python3.6/site-packages/impacket/krb5/crypto.py
/usr/bin/wmiquery-3.6
/usr/bin/wmipersist-3.6
/usr/bin/ticketer-3.6
/usr/bin/ticketConverter-3.6
/usr/bin/split-3.6
/usr/bin/sniffer-3.6
/usr/bin/sniff-3.6
/usr/bin/smbserver-3.6
/usr/bin/smbexec-3.6
/usr/bin/services-3.6
/usr/bin/samrdump-3.6
/usr/bin/sambaPipe-3.6
/usr/bin/rpcmap-3.6
/usr/bin/rpcdump-3.6
/usr/bin/registry-read-3.6
/usr/bin/rdp_check-3.6
/usr/bin/ping6-3.6
/usr/bin/ping-3.6
/usr/bin/ntlmrelayx-3.6
/usr/bin/ntfs-read-3.6
/usr/bin/netview-3.6
/usr/bin/mssqlinstance-3.6
/usr/bin/mssqlclient-3.6
/usr/bin/mqtt_check-3.6
/usr/bin/machine_role-3.6
/usr/bin/lookupsid-3.6
/usr/bin/kintercept-3.6
/usr/bin/keylistattack-3.6
/usr/bin/goldenPac-3.6
/usr/bin/findDelegation-3.6
/usr/bin/exchanger-3.6
/usr/bin/dpapi-3.6
/usr/bin/dcomexec-3.6
/usr/bin/atexec-3.6
/usr/bin/GetNPUsers-3.6
/usr/bin/Get-GPPPassword-3.6