Why did Windows Defender issue alerts regarding the "ntoskrnl.exe" file and certain files in the /arz directory on a remote client partition?

Windows Defender issued the alerts because it flagged the “ntoskrnl.exe” file and specific files in the /arz directory as backdoors. However, these are temporary files that rsync generates during synchronization, and they are used to play back recorded sessions on senhasegura.

The Windows Defender alert is a false positive, as the files contain commands and packets sent to the endpoint during session recording.