low closed false positive

๐Ÿท๏ธ Analyst Verdict Classification

FP by analyst

🤖 AI Analysis

🔔 Detections (1)

YARA Detection in Memory - Windows_Trojan_Generic_9997489c low
Rule: general.YARA Detection in Memory
Hostname: desktop-atsepsk · Sensor: 8f3a47be-5629-4c...
Event Type: YARA_DETECTION
Confidence: 94% · Verdict: false positive
Event Data:
PROCESS:
{'BASE_ADDRESS': 140702246764544, 'COMMAND_LINE': '"C:\\Program Files\\Bitdefender\\Bitdefender Security\\bdservicehost.exe" "settings/services/configs/bdshieldsrv_config.json"', 'FILE_PATH': 'C:\\Program Files\\Bitdefender\\Bitdefender Security\\bdservicehost.exe', 'MEMORY_USAGE': 2067017728, 'PARENT_PROCESS_ID': 1680, 'PROCESS_ID': 6096, 'THREADS': 278, 'USER_NAME': 'NT AUTHORITY\\SYSTEM'}
PROCESS_ID:
6096
RULE_NAME:
Windows_Trojan_Generic_9997489c
IOCs: C:\Program Files\Bitdefender\Bitdefender Security\bdservicehost.exe
Analyst Declaration:
📄 Raw Detection JSON
{
  "author": "ckeller@fusioncybersecurity.us",
  "cat": "YARA Detection in Memory - Windows_Trojan_Generic_9997489c",
  "detect": {
    "event": {
      "PROCESS": {
        "BASE_ADDRESS": 140702246764544,
        "COMMAND_LINE": "\"C:\\Program Files\\Bitdefender\\Bitdefender Security\\bdservicehost.exe\" \"settings/services/configs/bdshieldsrv_config.json\"",
        "FILE_PATH": "C:\\Program Files\\Bitdefender\\Bitdefender Security\\bdservicehost.exe",
        "MEMORY_USAGE": 2067017728,
        "PARENT_PROCESS_ID": 1680,
        "PROCESS_ID": 6096,
        "THREADS": 278,
        "USER_NAME": "NT AUTHORITY\\SYSTEM"
      },
      "PROCESS_ID": 6096,
      "RULE_NAME": "Windows_Trojan_Generic_9997489c"
    },
    "routing": {
      "arch": 2,
      "did": "",
      "event_id": "ac1bd264-ee9e-4b9c-b675-0d903cc5db95",
      "event_time": 1773939299836,
      "event_type": "YARA_DETECTION",
      "ext_ip": "23.128.32.10",
      "hostname": "desktop-atsepsk",
      "iid": "b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175",
      "int_ip": "192.168.50.200",
      "latency": 135,
      "moduleid": 2,
      "oid": "d3541070-8b0e-4663-8a6a-aa0727aacd36",
      "parent": "0e216ebc38526920dcc17e5a69b2ef6f",
      "plat": 268435456,
      "sid": "8f3a47be-5629-4c66-921d-17c39ed07e87",
      "tags": [
        "fusion-soc-alert",
        "fusion-soc-case",
        "fusion-soc-pulled",
        "fusion-soc-triage",
        "fusionsoc-critical",
        "fusionsoc-high",
        "fusionsoc-investigated",
        "joys",
        "windows",
        "yara_detection_memory"
      ],
      "this": "f821446f9c2436931358610569bc2a63"
    }
  },
  "detect_id": "89aaa0b9-afa5-4802-a0ed-352969bc2a63",
  "gen_time": 1773939299972,
  "link": "https://app.limacharlie.io/orgs/d3541070-8b0e-4663-8a6a-aa0727aacd36/sensors/8f3a47be-5629-4c66-921d-17c39ed07e87/timeline?time=1773939299\u0026selected=f821446f9c2436931358610569bc2a63",
  "namespace": "general",
  "routing": {
    "arch": 2,
    "did": "",
    "event_id": "ac1bd264-ee9e-4b9c-b675-0d903cc5db95",
    "event_time": 1773939299836,
    "event_type": "YARA_DETECTION",
    "ext_ip": "23.128.32.10",
    "hostname": "desktop-atsepsk",
    "iid": "b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175",
    "int_ip": "192.168.50.200",
    "latency": 135,
    "moduleid": 2,
    "oid": "d3541070-8b0e-4663-8a6a-aa0727aacd36",
    "parent": "0e216ebc38526920dcc17e5a69b2ef6f",
    "plat": 268435456,
    "sid": "8f3a47be-5629-4c66-921d-17c39ed07e87",
    "tags": [
      "fusion-soc-alert",
      "fusion-soc-case",
      "fusion-soc-pulled",
      "fusion-soc-triage",
      "fusionsoc-critical",
      "fusionsoc-high",
      "fusionsoc-investigated",
      "joys",
      "windows",
      "yara_detection_memory"
    ],
    "this": "f821446f9c2436931358610569bc2a63"
  },
  "source": "d3541070-8b0e-4663-8a6a-aa0727aacd36.b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175.8f3a47be-5629-4c66-921d-17c39ed07e87.10000000.2",
  "source_rule": "general.YARA Detection in Memory",
  "ts": 1773939301000
}
🤖 Triage JSON
{
  "confidence": 0.943,
  "false_positive_reason": "Security software process (Antivirus/EDR) flagged by a generic signature while performing legitimate protection activities.",
  "investigation_questions": [
    "Does this specific YARA rule (\u0027Windows_Trojan_Generic_9997489c\u0027) have a history of false positives with other security software?",
    "Were there any other suspicious events on this host at the time of the memory scan?"
  ],
  "ioc_analysis": "The file path \u0027C:\\Program Files\\Bitdefender\\Bitdefender Security\\bdservicehost.exe\u0027 is the standard and expected location for Bitdefender. The process is running as \u0027NT AUTHORITY\\SYSTEM\u0027 with a command line pointing to legitimate configuration files, which is consistent with normal operation.",
  "iocs_extracted": [
    "C:\\Program Files\\Bitdefender\\Bitdefender Security\\bdservicehost.exe"
  ],
  "mitre_techniques": [],
  "recommended_actions": [
    "Close case as false positive (unanimous AI verdict)",
    "Exclude \u0027bdservicehost.exe\u0027 from this specific YARA memory scanning rule to prevent further noise.",
    "Verify the digital signature of the binary on the host to confirm it is signed by Bitdefender."
  ],
  "risk_score": 10,
  "severity": "low",
  "summary": "**Vote: UNANIMOUS (3/3 -\u003e FALSE POSITIVE)**\n\n### \u264a gemini-cli Analysis (Primary)\n**Verdict:** false_positive | **Confidence:** 0.98\nThe detection flagged \u0027bdservicehost.exe\u0027, which is the legitimate core service process for Bitdefender Security. Generic YARA detections in the memory of security products are common false positives, often occurring when the antivirus engine is processing malware signatures or scanning malicious buffers.\n\n**IOC Analysis:** The file path \u0027C:\\Program Files\\Bitdefender\\Bitdefender Security\\bdservicehost.exe\u0027 is the standard and expected location for Bitdefender. The process is running as \u0027NT AUTHORITY\\SYSTEM\u0027 with a command line pointing to legitimate configuration files, which is consistent with normal operation.\n\n---\n\n### \ud83e\udd16 qwen3.5:4b Analysis (Secondary)\n**Verdict:** false_positive | **Confidence:** 0.95\nThe detection flagged Bitdefender\u0027s bdservicehost.exe as a Windows Trojan based on memory analysis, but the process is running from its expected location in Program Files and is signed by a known vendor.\n\n**IOC Analysis:** The process path C:\\Program Files\\Bitdefender\\Bitdefender Security\\bdservicehost.exe matches legitimate software installation locations. Bitdefender is a well-known antivirus vendor, and bdservicehost.exe is a standard component of their security suite responsible for shield services configuration.\n\n---\n\n### \ud83e\udd16 deepseek-r1:8b Analysis (Secondary)\n**Verdict:** false_positive | **Confidence:** 0.9\nThe detected process is bdservicehost.exe from Bitdefender, a legitimate antivirus service, and the YARA detection is likely a false positive due to generic rule matching.\n\n**IOC Analysis:** The FILE_PATH is located in C:\\Program Files\\, a standard directory for legitimate software, and Bitdefender is a trusted vendor. No malicious indicators were found, and the process is expected to be benign as it is part of antivirus functionality.",
  "verdict": "false_positive",
  "voting": {
    "auto_action": "auto_close_fp",
    "mode": "unanimous",
    "total_models": 3,
    "vote_summary": [
      "gemini-cli: false_positive (low, 98% confidence)",
      "qwen3.5:4b: false_positive (low, 95% confidence)",
      "deepseek-r1:8b: false_positive (low, 90% confidence)"
    ],
    "votes": [
      {
        "confidence": 0.98,
        "model": "gemini-cli",
        "verdict": "false_positive"
      },
      {
        "confidence": 0.95,
        "model": "qwen3.5:4b",
        "verdict": "false_positive"
      },
      {
        "confidence": 0.9,
        "model": "deepseek-r1:8b",
        "verdict": "false_positive"
      }
    ],
    "winning_count": 3,
    "winning_verdict": "false_positive"
  }
}

โš™๏ธ Response Actions

Action | Target | Status | Result
tag | 8f3a47be-5629-4c66-921d-17c39ed07e87:fusionsoc-investigated | executed | Tag applied
recommended | Close case as false positive (unanimous AI verdict) | executed | General Activity Sweep: 0 events found
recommended | Exclude 'bdservicehost.exe' from this specific YARA memory scanning rule to prevent further noise. | executed | General Activity Sweep: 0 events found
recommended | Verify the digital signature of the binary on the host to confirm it is signed by Bitdefender. | executed | General Activity Sweep: 0 events found

๐Ÿ“ Add Note

💬 Notes (4)

🤖 FusionSOC AI 2026-03-21T02:51
🤖 FusionSOC AI 2026-03-21T02:51
🤖 FusionSOC AI 2026-03-21T02:51
🤖 FusionSOC AI 2026-03-21T02:51

📜 Timeline

2026-03-21T02:51:42
analyst
Status changed: triaging → closed
2026-03-21T02:51:39
analyst
Analyst classified as False Positive (FP)
2026-03-21T02:51:16
FusionSOC
Action recommended → executed: General Activity Sweep: 0 events found
2026-03-21T02:51:16
FusionSOC AI
Note by FusionSOC AI: ## ๐Ÿ” General Activity Sweep **Action:** Verify the digital signature of the binary on the host to confirm it is signed b...
2026-03-21T02:51:15
FusionSOC
Response action queued: recommended on Verify the digital signature of the binary on the host to confirm it is signed by Bitdefender.
2026-03-21T02:51:15
FusionSOC
Action recommended → executed: General Activity Sweep: 0 events found
2026-03-21T02:51:15
FusionSOC AI
Note by FusionSOC AI: ## ๐Ÿ” General Activity Sweep **Action:** Exclude 'bdservicehost.exe' from this specific YARA memory scanning rule to prev...
2026-03-21T02:51:15
FusionSOC
Response action queued: recommended on Exclude 'bdservicehost.exe' from this specific YARA memory scanning rule to prevent further noise.
2026-03-21T02:51:15
FusionSOC
Action recommended → executed: General Activity Sweep: 0 events found
2026-03-21T02:51:15
FusionSOC AI
Note by FusionSOC AI: ## ๐Ÿ” General Activity Sweep **Action:** Close case as false positive (unanimous AI verdict) **Sensor:** `8f3a47be-5629-4...
2026-03-21T02:51:15
FusionSOC
Response action queued: recommended on Close case as false positive (unanimous AI verdict)
2026-03-21T02:51:15
FusionSOC
Action tag → executed: Tag applied
2026-03-21T02:51:15
FusionSOC
Response action queued: tag on 8f3a47be-5629-4c66-921d-17c39ed07e87:fusionsoc-investigated
2026-03-21T02:51:14
FusionSOC AI
Detection 89aaa0b9-afa5-4802-a0ed-352969bc2a63 triaged as false_positive (low severity, confidence: 94%)
2026-03-21T02:51:14
FusionSOC AI
Case created from detection: general.YARA Detection in Memory