SOC119 - Proxy Alert: Malicious Executable File Detected (False Positive)
Summary
This investigation was triggered by a SOC119 - Proxy: Malicious Executable File Detected alert involving a request to download a file from www.win-rar.com.
At first glance the alert looked suspicious because the proxy rule matched an executable file download. Detailed analysis, however, showed that the activity was a normal user-initiated download from the official WinRAR website.
The available evidence (process lineage from the proxy log, network activity, and threat intelligence results) supports classifying this as a false positive, with one caveat: the endpoint agent on the host was down during the investigation, leaving a visibility gap on the endpoint side.
๐จ Alert Overview
- Event ID: 83
- Rule: SOC119 โ Proxy: Malicious Executable File Detected
- Severity: Medium
- Source Host: SusieHost
- Source IP: 172.16.17.5
- User: Susie
- Destination IP: 51.195.68.163
- Destination Domain: win-rar.com
- Request URL: https://www.win-rar.com/postdownload.html?&L=0&Version=32bit
- Action: Allowed
Endpoint Information
- Hostname: SusieHost
- Operating System: Windows
- User Activity: Browser-based download
Log Analysis

| Attribute | Value |
|---|---|
| Process | chrome.exe |
| Parent Process | explorer.exe |
| Request Method | GET |
| Action | Allowed |
Analysis
- The request originated from the Chrome browser (chrome.exe)
- The parent process is explorer.exe: the browser was launched from the desktop shell, which is normal interactive user activity
- This indicates a manual user download, not execution by malware or a script
URL Analysis
VirusTotal (URL)

| Result | Value |
|---|---|
| Detection Ratio | 0 / 95 |
| Verdict | Clean |
- Official domain: win-rar.com
- No malicious indicators detected
- Note: the logged URL is WinRAR's post-download HTML page (postdownload.html), not the installer binary itself; the executable would appear as a separate request in the proxy log, and no file hash was available in this alert
IP Analysis
VirusTotal (IP: 51.195.68.163)

| Result | Value |
|---|---|
| Detection Ratio | 0 / 94 |
| ASN | OVH SAS |
| Country | France |
Domain Lookup

Analysis
- Hosting provider: OVH (legitimate cloud provider)
- No malicious reputation
- Common for hosting legitimate services
Behavioral Analysis

| Check | Result |
|---|---|
| Suspicious Process | ✅ None |
| Malware Execution | ✅ None |
| Network Anomalies | ✅ None |
| CLI Activity | ✅ None |
| Browser History | ✅ Legitimate download |
| Endpoint Agent | ⚠️ Agent Down (Visibility Gap) |
Key Observation
- The alert triggered because the proxy rule matched an executable file download
- However:
  - No malicious payload was confirmed
  - No suspicious behavior was observed
- Caveat: because the endpoint agent was down, host-side checks (process, CLI, network) could not be confirmed from live endpoint telemetry; the verdict rests on the proxy log, the browser history and the reputation lookups
Investigation Steps
- Reviewed alert metadata and proxy logs
- Analyzed request URL and domain reputation
- Verified process chain (explorer.exe → chrome.exe, i.e. explorer.exe is the parent)
- Checked endpoint telemetry (process, CLI, network)
- Investigated URL in VirusTotal
- Investigated destination IP reputation
- Correlated all findings with user activity
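The triage steps above (domain reputation, process lineage, executable-content check, and the visibility gap caused by a downed agent) can be captured as a repeatable check. The following is an added example, not code from the original investigation or from any SOC platform. It assumes a simple space-separated key=value proxy log format, an organisation-maintained allow-list of approved download domains, and the process names shown in the alert; the two log lines are constructed, the second one being a look-alike host and a non-browser process chain that should be escalated rather than closed. The VirusTotal URL identifier it derives (unpadded base64url of the URL) is the v3 API convention for URL lookups, so the analyst can pivot to VirusTotal without re-encoding by hand.

```python
"""Triage helper for a proxy 'malicious executable download' alert.

Added example, not part of the original write-up. Log format, allow-list
and process names are assumptions; the sample log lines are constructed.
"""
import base64
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlparse

# Assumed allow-list: domains your organisation treats as approved software sources.
TRUSTED_DOWNLOAD_DOMAINS = {"win-rar.com"}
# Extensions a proxy "executable download" rule would typically match.
EXEC_EXTENSIONS = (".exe", ".msi", ".dll", ".scr", ".ps1", ".bat", ".cmd")
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
# A browser spawned by the desktop shell indicates an interactive user session.
INTERACTIVE_PARENTS = {"explorer.exe"}

# Constructed sample records (assumed key=value format), not real proxy telemetry.
SAMPLE_LOGS = [
    # Mirrors the SusieHost alert above.
    "src=172.16.17.5 user=Susie proc=chrome.exe parent=explorer.exe method=GET "
    "url=https://www.win-rar.com/postdownload.html?&L=0&Version=32bit action=Allowed",
    # Look-alike host (trusted name embedded in an attacker-controlled domain)
    # fetched by PowerShell spawned from Word: must NOT be closed as false positive.
    "src=172.16.17.9 user=Bob proc=powershell.exe parent=winword.exe method=GET "
    "url=https://win-rar.com.evil.example/WinRAR.exe action=Allowed",
]


@dataclass
class ProxyEvent:
    src_ip: str
    user: str
    process: str
    parent: str
    method: str
    url: str
    action: str


def parse_proxy_line(line: str) -> ProxyEvent:
    """Parse one key=value proxy log line; the URL's own '=' signs stay intact."""
    fields = {}
    for token in line.split():
        key, _, value = token.partition("=")
        fields[key] = value
    return ProxyEvent(fields["src"], fields["user"], fields["proc"],
                      fields["parent"], fields["method"], fields["url"], fields["action"])


def is_trusted_host(host: Optional[str]) -> bool:
    """Exact or subdomain match only: 'win-rar.com.evil.example' must not pass."""
    if not host:
        return False
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOWNLOAD_DOMAINS)


def looks_like_executable(url: str) -> bool:
    """True when the URL path itself names a binary (query string is ignored)."""
    return urlparse(url).path.lower().endswith(EXEC_EXTENSIONS)


def vt_url_id(url: str) -> str:
    """VirusTotal API v3 URL identifier: base64url of the URL with padding stripped."""
    return base64.urlsafe_b64encode(url.encode()).decode().rstrip("=")


def triage(event: ProxyEvent, agent_online: bool) -> dict:
    """Combine reputation, process lineage and telemetry coverage into a verdict."""
    host = urlparse(event.url).hostname
    trusted = is_trusted_host(host)
    user_initiated = (event.process.lower() in BROWSERS
                      and event.parent.lower() in INTERACTIVE_PARENTS)
    notes = []
    if not trusted:
        notes.append(f"host {host!r} is not an approved software source")
    if not user_initiated:
        notes.append(f"chain {event.parent} -> {event.process} is not an interactive browser download")
    if looks_like_executable(event.url):
        notes.append("URL path is a binary: obtain the file hash for a reputation lookup")
    else:
        notes.append("logged URL is not the binary itself: locate the actual download request")
    if not agent_online:
        notes.append("endpoint agent down: process/CLI/network checks unverified, re-check on reconnect")
    verdict = "false_positive" if (trusted and user_initiated) else "escalate"
    return {
        "verdict": verdict,
        # A downed agent caps confidence regardless of how clean the proxy side looks.
        "confidence": "high" if agent_online else "low",
        "host": host,
        "vt_url_id": vt_url_id(event.url),
        "notes": notes,
    }


if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        result = triage(parse_proxy_line(line), agent_online=False)
        print(result["verdict"], result["confidence"], result["host"])
        for note in result["notes"]:
            print("  -", note)
```

Run stand-alone with `agent_online=False` to reproduce this case: the WinRAR record comes back as `false_positive` but with `low` confidence and a note to re-verify once the agent reports, while the look-alike record escalates on both the host check and the process chain.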
Final Verdict
| Category | Result |
|---|---|
| File Source | Legitimate |
| Malware Presence | Not Detected |
| User Activity | Normal |
| Alert Classification | False Positive |
| Incident Severity | Informational |
Conclusion
This alert was triggered by the proxy rule detecting an executable file download.
However, the request was made to the official WinRAR website and initiated by a legitimate browser process launched from explorer.exe.
No indicators of compromise, malicious execution, or abnormal behavior were identified in the available telemetry.
This activity is classified as a false positive, representing normal user download behavior. Recommended follow-up: restore the endpoint agent on SusieHost and, once it reports, confirm the downloaded installer's hash with a reputation lookup to close the visibility gap.