Wazuh level 11 rootkit alert

[tismofied]

Hi @MacRimi,

First — thank you for the tool! The terminal menu is excellent.

The web monitor part however triggers high-severity rootkit alerts on my security scanner (Wazuh rule 521, rkhunter, chkrootkit, etc.) because it extracts the AppImage into a hidden /tmp/.mount_XXXXXXXX directory that is intentionally concealed from lstat() and normal readdir scans — the exact same behavior that real kernel-level rootkits use.
I had a scare this morning from this alert and grok made things worse. Lol
I came to the conclusion after a lot of scans and AI help it was false positive so I disabled it for now until I find a way to suppress the wazuh alerts.

This is the alert I got.

Wazuh Notification.
2025 Nov 24 04:13:22

Received From: (proxmox) any->rootcheck
Rule: 521 fired (level 11) -> "Possible kernel level rootkit"
Portion of the log(s):

Anomaly detected in file '/tmp/.mount_ProxMeSBS9mc'. Hidden from stats, but showing up on readdir. Possible kernel level rootkit.
title: Anomaly detected in file '/tmp/.mount_ProxMeSBS9mc'.

[MacRimi]

Hi, thank you very much for pointing this out and for taking the time to investigate what was happening.
I will review this AppImage behavior to improve compatibility with security systems like Wazuh and prevent this type of false positive in future versions.
I really appreciate you detecting this and sharing it.

[huberten9111]

just wanted to note this is still happening
Anomaly detected in file '/tmp/.mount_ProxMeyxsS5N'. Hidden from stats, but showing up on readdir. Possible kernel level rootkit.

[MacRimi]

I just released the new Beta 1.2.1.1 version, which changes the way the service is mounted and deployed.

The /tmp/... is no longer there.
It is now mounted directly in the /usr/local/share/proxmenux folder.

This way, it will no longer be detected as a false positive.

[huberten9111]

Cool will update soon :) thanks for a nice tool
Great ui overview of the host all in one place!

[MacRimi]

This beta phase will not take long to finish and possibly move to the final version by the end of the month.

It has security improvements, performance enhancements, and new features in the storage and settings section.