I ran the 4.15.1 update on a Windows dev server and received the following security alert from Sophos’s MDR team. I’ve been running updates for around 1 year without any AV warnings. I figured I should let ProofGeist know their most recent update is causing security alerts for at least one AV vendor. I’ve also run this 4.15.1 update on Linux without any alerts.
// Analysis:
On February 4, 2026, the MDR team was alerted to ‘WIN-EXF-PRC-RCLONE-CREATE-CONFIG-1’ activity on host -removed-. This alert is triggered when Sophos AV identifies that Rclone, or a renamed Rclone, has created a config file for potential data exfiltration. Adversaries can use rclone and any of its 40+ cloud provider integrations to exfiltrate data.
In this case, the alert was triggered by the command line noted in the technical details. This command runs rclone to read and output (“dump”) the contents of its configuration file (rclone.conf). Upon investigating the process tree, we observed Windows Services launching OttoFMS as a background service via NSSM, which then executed rclone to read its configuration, all running under the SYSTEM account. The files rclone.exe and ottofms-win-x64.exe had creation times of 2026-02-04 22:35:48 UTC and 2026-02-04 22:35:40 UTC, respectively.
Further investigation revealed that the user “-removed-” executed the OttoFMS installer (OttoFMS-4.15.1-windows-x64-installer.exe) in unattended mode from the Temp directory using PowerShell. Additional analysis of open sockets and login events did not reveal any suspicious activity.
OttoFMS is an automation and management service used to support FileMaker Server operations such as deployments, backups, and integrations.
Persistence mechanisms were also reviewed, and a service named com.proofgeist.ottofms was observed running on the host with the path C:\PROGRA~1\OttoFMS\bin\nssm\nssm.exe. At this time, we have the following recommendations…
// Technical Details:
Command line:
- "C:\Program Files\OttoFMS\bin\rclone.exe" config --config "C:\Program Files\OttoFMS\config\rclone.conf" dump
- "C:\PROGRA~1\OttoFMS\bin\nssm\nssm.exe" install com.proofgeist.ottofms "C:\Program Files/OttoFMS\bin\ottofms-win-x64.exe"
- "C:\Users-removed-\AppData\Local\Temp\Extracted\OttoFMS-4.15.1-windows-x64-installer\OttoFMS-4.15.1-windows-x64-installer.exe" --mode unattended
Service:
Name: com.proofgeist.ottofms
Path: C:\PROGRA~1\OttoFMS\bin\nssm\nssm.exe
Process Tree:
◄◄◄ services.exe C:\Windows\system32\services.exe
◄◄ nssm.exe C:\PROGRA~1\OttoFMS\bin\nssm\nssm.exe
◄ ottofms-win-x64.exe "C:\Program Files/OttoFMS\bin\ottofms-win-x64.exe"
rclone.exe "C:\Program Files\OttoFMS\bin\rclone.exe" config --config "C:\Program Files\OttoFMS\config\rclone.conf" dump
► conhost.exe ??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
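The two things the MDR analysis leans on are the rclone command-line shape (a `config` subcommand, regardless of what the binary is called) and the parent chain that put the execution in context (services.exe → nssm.exe → ottofms-win-x64.exe → rclone.exe). The following Python is an added example of that triage logic; it is not code from the post, from Sophos, or from ProofGeist. The process-creation events are constructed from the command lines and process tree above (pids are invented), the second rclone-style event is an invented contrast case, and the "expected OttoFMS service context" rule is an analyst-supplied exception assumed here for illustration, not a recommendation from the Sophos report.

```python
import os
import shlex

# Constructed process-creation events modelled on the process tree in the post.
# pid/ppid values are invented; the last two events are an invented contrast case.
EVENTS = [
    {"pid": 700, "ppid": 4, "user": "NT AUTHORITY\\SYSTEM",
     "image": r"C:\Windows\system32\services.exe",
     "cmdline": r"C:\Windows\system32\services.exe"},
    {"pid": 3120, "ppid": 700, "user": "NT AUTHORITY\\SYSTEM",
     "image": r"C:\PROGRA~1\OttoFMS\bin\nssm\nssm.exe",
     "cmdline": r"C:\PROGRA~1\OttoFMS\bin\nssm\nssm.exe"},
    {"pid": 3188, "ppid": 3120, "user": "NT AUTHORITY\\SYSTEM",
     "image": r"C:\Program Files\OttoFMS\bin\ottofms-win-x64.exe",
     "cmdline": r'"C:\Program Files/OttoFMS\bin\ottofms-win-x64.exe"'},
    {"pid": 3260, "ppid": 3188, "user": "NT AUTHORITY\\SYSTEM",
     "image": r"C:\Program Files\OttoFMS\bin\rclone.exe",
     "cmdline": r'"C:\Program Files\OttoFMS\bin\rclone.exe" config '
                r'--config "C:\Program Files\OttoFMS\config\rclone.conf" dump'},
    # Constructed contrast: a renamed rclone in a user profile, launched from a shell.
    {"pid": 4800, "ppid": 900, "user": "HOST\\alice",
     "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 5010, "ppid": 4800, "user": "HOST\\alice",
     "image": r"C:\Users\alice\Downloads\sync.exe",
     "cmdline": r'"C:\Users\alice\Downloads\sync.exe" config create remote s3'},
]

# rclone "config" subcommands that read or write rclone.conf.
RCLONE_CONFIG_SUBCOMMANDS = {"create", "dump", "show", "update", "file"}

# Assumed known-good ancestry for the OttoFMS service (analyst-supplied exception).
OTTOFMS_CHAIN = ("ottofms-win-x64.exe", "nssm.exe", "services.exe")
OTTOFMS_BIN = r"c:\program files\ottofms\bin"


def normalise_path(path):
    """Lower-case, unify slashes, and expand the 8.3 form PROGRA~1 used in the
    post so both spellings of the OttoFMS install directory compare equal
    (assumes PROGRA~1 resolves to 'Program Files', as it does on a default install)."""
    p = path.replace("/", "\\").lower()
    return p.replace(r"c:\progra~1", r"c:\program files")


def rclone_config_subcommand(cmdline):
    """Return the rclone config subcommand (e.g. 'dump') when the command line has
    the shape '<image> config [--config <file>] [flags] <subcommand> ...', else None.
    Matching on argument shape rather than image name means a renamed binary still hits."""
    # posix=False keeps Windows backslashes literal and quoted paths as one token.
    tokens = [t.strip('"') for t in shlex.split(cmdline, posix=False)]
    args = tokens[1:]
    if not args or args[0] != "config":
        return None
    i = 1
    while i < len(args):
        tok = args[i]
        if tok == "--config":
            i += 2  # skip the flag and the config-file path that follows it
            continue
        if tok.startswith("-"):
            i += 1
            continue
        return tok if tok in RCLONE_CONFIG_SUBCOMMANDS else None
    return None


def ancestry(events, pid):
    """Image basenames from the process up to the root of the recorded tree."""
    by_pid = {e["pid"]: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(os.path.basename(by_pid[pid]["image"].replace("\\", "/")))
        pid = by_pid[pid]["ppid"]
    return chain


def triage(events):
    """Flag rclone-style config activity and attach the parent-chain context an
    analyst would use to decide whether it is the OttoFMS service or something else."""
    findings = []
    for e in events:
        sub = rclone_config_subcommand(e["cmdline"])
        if sub is None:
            continue
        chain = ancestry(events, e["pid"])
        in_ottofms_dir = normalise_path(e["image"]).startswith(OTTOFMS_BIN)
        expected = in_ottofms_dir and tuple(chain[1:4]) == OTTOFMS_CHAIN
        findings.append({
            "pid": e["pid"], "user": e["user"], "subcommand": sub,
            "chain": " <- ".join(chain),
            "verdict": "expected OttoFMS service context" if expected else "investigate",
        })
    return findings


if __name__ == "__main__":
    for f in triage(EVENTS):
        print(f"pid={f['pid']} user={f['user']} config {f['subcommand']}: "
              f"{f['verdict']} [{f['chain']}]")
```

Run stand-alone, the script reports the OttoFMS rclone execution as expected service context and the contrast event (renamed binary, user profile path, no service ancestry) as something to investigate. The point of the exception is that it keys on the full ancestry and install path together, not on the image name alone, which is exactly the context the MDR analyst reconstructed from the process tree.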