Opened 10 months ago

Last modified 10 months ago

#69187 new defect

Updated from version 2.8.1 to 2.9 Crowdstrike alert from IT — at Version 2

Reported by: eraldtroja Owned by:
Priority: Normal Milestone:
Component: base Version: 2.9.0
Keywords: crowdstrike alerts, data dump Cc: jmroot (Joshua Root)
Port:

Description (last modified by ryandesign (Ryan Carsten Schmidt))

I can provide more details as I get them from IT but in a nutshell this has occurred and I need some guidance.

I was at version 2.8.1 as of yesterday morning. I fired up the following commands to update my ports:

sudo port selfupdate
sudo port upgrade outdated
sudo port uninstall inactive

I'm running macOS Sonoma 14.3. The system is managed by my IT department.

Within minutes of performing the update I received calls from IT stating that Crowdstrike had alerted them of a data dump, hence my machine would need to be brought in for a complete wipe.

I think this might be a case of a false positive, and I'll provide more details if needed, but I need to get some guidance on what an update from 2.8.1 to 2.9 does in order to possibly categorize it as a false positive when it comes to a "data dump".

Thank you.

Change History (2)

comment:1 Changed 10 months ago by jmroot (Joshua Root)

Cc: jmroot added
Component: ports → base

Selfupdate involves downloading the latest tarballs of MacPorts base and the ports tree with rsync, then installing base if outdated, which is essentially just a typical ./configure && make && make install. I don't know what Crowdstrike considers a "data dump" so it's hard to say what might have triggered it. There was another ticket about Crowdstrike, where it didn't like the installer script examining and updating the macports unprivileged user account that we use for running builds: #66878

Last edited 10 months ago by jmroot (Joshua Root)
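The comment above describes what selfupdate does (rsync of the base and ports tarballs, then configure/make/install of base) but leaves the reporter without concrete facts to hand to IT. The following is an added example, not code from the ticket or from MacPorts itself: a small POSIX sh helper that reads MacPorts' own macports.conf and sources.conf to list the rsync endpoints selfupdate contacts, lists files under the prefix modified in a given window, and (macOS only) dumps the unprivileged build account record that the installer script inspects. It assumes the default prefix /opt/local and the stock config file names and keys (rsync_server, rsync_dir), with MacPorts' documented defaults used when a key is unset; the config contents fed to it in the test are constructed samples.

```shell
#!/bin/sh
# Added triage helper (not MacPorts code). Turns "what did selfupdate do?"
# into checkable facts: network endpoints contacted and files changed.
# Assumes prefix /opt/local and the stock MacPorts config file layout.

# Print the value of "key value" in a macports.conf-style file (empty if unset).
# $1 = key, $2 = file. Commented-out lines (leading #) are ignored.
conf_value() {
    sed -n "s/^[[:space:]]*$1[[:space:]]\{1,\}\(.*\)$/\1/p" "$2" \
        | sed 's/[[:space:]]*$//' | head -n 1
}

# Print, one per line, every rsync URL selfupdate fetches:
# the base tarball (rsync_server + rsync_dir from macports.conf, falling back
# to MacPorts' defaults) followed by every rsync:// source in sources.conf.
# $1 = macports.conf path, $2 = sources.conf path (both optional).
selfupdate_endpoints() {
    conf="${1:-/opt/local/etc/macports/macports.conf}"
    sources="${2:-/opt/local/etc/macports/sources.conf}"
    server=$(conf_value rsync_server "$conf")
    dir=$(conf_value rsync_dir "$conf")
    printf 'rsync://%s/%s\n' \
        "${server:-rsync.macports.org}" \
        "${dir:-macports/release/tarballs/base.tar}"
    # sources.conf: drop comments and blank lines, keep the URL field,
    # report only rsync sources (file:// and https:// sources are local/other).
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$sources" \
        | awk '$1 ~ /^rsync:\/\// { print $1 }'
}

# List regular files under the prefix modified in the last N minutes.
# Everything selfupdate/upgrade/uninstall wrote should appear here; files
# changed at alert time *outside* the prefix are what IT should look at.
# $1 = prefix, $2 = minutes
changed_under_prefix() {
    find "$1" -type f -mmin "-$2" 2>/dev/null | sort
}

# macOS only: show the unprivileged build account that the base installer
# examines and updates (the account ticket #66878 is about).
macports_user_record() {
    dscl . -read /Users/macports UniqueID PrimaryGroupID NFSHomeDirectory UserShell
}
```

Run `selfupdate_endpoints` with no arguments on the affected machine to get the exact rsync destinations to give IT, and `changed_under_prefix /opt/local 30` (adjust the window to the alert time) to show that the write activity stayed inside the MacPorts prefix.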

comment:2 Changed 10 months ago by ryandesign (Ryan Carsten Schmidt)

Description: modified