Status: Open
Labels: enhancement (New feature or request)
Description
Summary
Since early this month, the package opensearch-security-analytics-2.19.1.0.jar (bundled from Wazuh Indexer tarball) is being flagged by multiple AV vendors (also on VirusTotal). The detections appear to be false positives triggered by rule/signature content embedded in the JAR, not by malicious behavior.
Known SHA-256 hashes observed:
14e27e5c5dc14227c229c25ac34291e7cffee6a5c8f99accd87c293e3a4504da (from Wazuh)
96e9dd6fffba878c6fc4cea5639a38dba33f395895d4d1df6b32090b34ab53e7 (from Wazuh)
f471fc62a5a8f39617dd3da295c791c085def0598193e07a3a4f8337424a713c (zip of this repo)
Impact
Security controls quarantine the artifact.
Request
Would you consider alternative packaging to make the artifact AV-friendlier? For example:
- At-rest encoding of rule content inside the JAR (e.g., base64 or gzip); decode at runtime before use.
- Password-protected container for the rules (e.g., ZIP-with-password stored as a resource) and in-memory extraction at start.
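For anyone triaging a quarantined copy of this JAR, the following is an added example (not code from this issue or from the OpenSearch project) that streams a file through SHA-256 and reports whether it matches one of the hashes listed above. The hash table is copied from the report; the file path and the sample content in the `__main__` block are constructed for illustration.

```python
import hashlib
import os
import tempfile

# SHA-256 values quoted in the issue report, mapped to the source the report names.
KNOWN_FLAGGED_SHA256 = {
    "14e27e5c5dc14227c229c25ac34291e7cffee6a5c8f99accd87c293e3a4504da": "Wazuh Indexer tarball",
    "96e9dd6fffba878c6fc4cea5639a38dba33f395895d4d1df6b32090b34ab53e7": "Wazuh Indexer tarball",
    "f471fc62a5a8f39617dd3da295c791c085def0598193e07a3a4f8337424a713c": "zip of this repository",
}


def sha256_of_file(path, chunk_size=1 << 20):
    """Return the hex SHA-256 of a file, reading it in chunks so large JARs
    are not loaded into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def classify_artifact(path):
    """Hash the file and look it up in the known-flagged table.

    Returns (hexdigest, source_label_or_None). A None label means the file
    is not one of the builds reported in the issue and needs separate review.
    """
    digest = sha256_of_file(path)
    return digest, KNOWN_FLAGGED_SHA256.get(digest)


def triage_report(paths):
    """Classify several files and return one summary line per file."""
    lines = []
    for path in paths:
        digest, source = classify_artifact(path)
        status = f"matches reported artifact ({source})" if source else "not a reported hash"
        lines.append(f"{os.path.basename(path)}  {digest}  {status}")
    return lines


if __name__ == "__main__":
    # Constructed sample: a throwaway file standing in for a quarantined JAR.
    with tempfile.NamedTemporaryFile(suffix=".jar", delete=False) as tmp:
        tmp.write(b"PK\x03\x04 constructed placeholder, not a real archive\n")
        sample_path = tmp.name
    try:
        for line in triage_report([sample_path]):
            print(line)
    finally:
        os.unlink(sample_path)
```

Run it with the real JAR path in place of the constructed sample; a match tells you the quarantined file is the same build the issue describes, while a non-match means the file differs from every reported copy and should be compared against the vendor's published checksum rather than this list.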