Backdoor.Sunburst reported for file SOLARWINDS.ORION.CORE.BUSINESSLAYER.DLL


BSguy

This DLL is being detected by Malwarebytes and Windows Defender. It's the file in question but from an earlier version of the SolarWinds software than noted in the reports. Is this legit or a false positive? The file was digitally signed Oct 10, 2019 and bundled with product version 2019.4.5200.8890.

File: 1
Backdoor.Sunburst, E:\DOWNLOADS\SOLARWINDS.ORION.CORE.BUSINESSLAYER.DLL, No Action By User, 16804, 889737, 1.0.34465, , ame, , E18A6A21EB44E77CA8D739A72209C370, A25CADD48D70F6EA0C4A241D99C5241269E6FACCB4054E62D16784640F8E53BC


  • Staff

Hi,

The above one is also listed as vulnerable, as stated in:

Customer Guidance on Recent Nation-State Cyber Attacks – Microsoft Security Response Center

SunBurst: the next level of stealth (reversinglabs.com)

"While the first version to contain the malicious backdoor code was 2019.4.5200.9083, as outlined by the FireEye blog, there was a previous version that was tampered with by the attackers: version 2019.4.5200.8890, from October 2019, and this version had only been slightly modified. While it doesn’t contain the malicious backdoor code, it does contain the .NET class that will host it in the future."

So this isn't a real FP. Although it doesn't contain malicious code, it's vulnerable, so I suggest applying the hotfix.
