[Check_mk (english)] Trojan in check-mk-enterprise-1.4.0p18-el6-65.x86_64.rpm\nowin.exe?

Hi.

Downloaded the RPM check-mk-enterprise-1.4.0p18-el6-65.x86_64.rpm Wednesday with the idea of installing it in the next couple of days.

When I got to work this morning, I had an email from our internal enterprise security to inform me that the nowin.exe file inside the RPM triggered a McAfee alert on the RDN/Generic.grp signature.

I looked at the previous versions of the file and the file size did change in 1.4.0p18 but I did not see anything that could explain this in the GIT repository after a really quick search (but the Windows agent binaries were updated on 2017/11/04).

-rwxr-xr-x 1 root root 103760 Sep 8 09:32 /opt/omd/versions/1.4.0p11.cee/share/check_mk/agents/windows/nowin.exe
-rwxr-xr-x 1 root root 361000 Nov 13 04:08 /opt/omd/versions/1.4.0p18.cee/share/check_mk/agents/windows/nowin.exe
-rwxr-xr-x 1 root root 103760 Jul 5 08:53 /opt/omd/versions/1.4.0p8.cee/share/check_mk/agents/windows/nowin.exe

So, anyone here with the same warning? Any info on the subject would be appreciated.

In the meantime, we’ll dig into it to see if it’s a real problem or false positive.

Thanks.

Hi René,

I have also had these false positive alerts from time to time from some different antivirus scanners.

As the “nowin.exe” is not needed anywhere, removing this file would be the easiest way to solve the problem :-)

If I remember the GIT commits right, the “nowin.exe” was removed from the agent some days/weeks ago.

This will only show up in the distribution packages in the next major release version.

br

Andreas


Beaulieu, René [2] Beaulieu.Rene2@hydro.qc.ca wrote on Thu, 16 Nov 2017 at 14:09:

Hi.

Downloaded the RPM check-mk-enterprise-1.4.0p18-el6-65.x86_64.rpm Wednesday with the idea of installing it in the next couple of days.

When I got to work this morning, I had an email from our internal enterprise security to inform me that the nowin.exe file inside the RPM triggered a McAfee alert on the RDN/Generic.grp signature.

I looked at the previous versions of the file and the file size did change in 1.4.0p18 but I did not see anything that could explain this in the GIT repository after a really quick search (but the Windows agent binaries were updated on 2017/11/04).

-rwxr-xr-x 1 root root 103760 Sep 8 09:32 /opt/omd/versions/1.4.0p11.cee/share/check_mk/agents/windows/nowin.exe

-rwxr-xr-x 1 root root 361000 Nov 13 04:08 /opt/omd/versions/1.4.0p18.cee/share/check_mk/agents/windows/nowin.exe

-rwxr-xr-x 1 root root 103760 Jul 5 08:53 /opt/omd/versions/1.4.0p8.cee/share/check_mk/agents/windows/nowin.exe

So, anyone here with the same warning? Any info on the subject would be appreciated.

In the meantime, we’ll dig into it to see if it’s a real problem or false positive.

Thanks.

