diff --git a/apps/zui/CHANGELOG.md b/apps/zui/CHANGELOG.md
index 0d663d6106..f117418763 100644
--- a/apps/zui/CHANGELOG.md
+++ b/apps/zui/CHANGELOG.md
@@ -1,3 +1,6 @@
+## v1.3.1
+- Due to malware false positives, Windows releases no longer include a full initial set of Suricata rules (as always, up-to-date rules will be downloaded on first Internet-connected launch of Zui) (#2858)
+
 ## v1.3.0
 - Update Zed to [v1.10.0](https://github.com/brimdata/zed/releases/tag/v1.10.0)
 - Update Brimcap to [v1.5.2](https://github.com/brimdata/brimcap/releases/tag/v1.5.2)
diff --git a/apps/zui/package.json b/apps/zui/package.json
index 03e5c2367e..36f2f65873 100644
--- a/apps/zui/package.json
+++ b/apps/zui/package.json
@@ -5,7 +5,7 @@
 "description": "Zed User Interface",
 "repository": "https://github.com/brimdata/zui",
 "license": "BSD-3-Clause",
- "version": "1.3.0",
+ "version": "1.3.1",
 "main": "dist/main.js",
 "author": "Brim Data (http://www.brimdata.io)",
 "lake": {
diff --git a/apps/zui/scripts/download-zdeps/index.js b/apps/zui/scripts/download-zdeps/index.js
index bfe48ffdcd..fb0577f7b3 100644
--- a/apps/zui/scripts/download-zdeps/index.js
+++ b/apps/zui/scripts/download-zdeps/index.js
@@ -111,11 +111,24 @@ async function zedDevBuild(destPath) {
 }
 }
 
+// Suricata rules are dropped from the Windows build to fix a false positive
+// malware flagging. See https://github.com/brimdata/zui/issues/2857.
+const filterBrimcapZdeps = (src, dest) => {
+ if (process.platform == "win32" &&
+ (/suricata\.rules$/.test(src) || /emerging\.rules\.tar\.gz$/.test(src)) &&
+ fs.statSync(src).isFile()) {
+ return false
+ } else {
+ return true
+ }
+}
+
 async function main() {
 try {
 fs.copySync(
 path.resolve("..", "..", "node_modules", "brimcap", "build", "dist"),
- zdepsPath
+ zdepsPath,
+ { filter: filterBrimcapZdeps }
 )
 const brimcapVersion = child_process
 .execSync(path.join(zdepsPath, "brimcap") + " -version")
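Review bot: The new `filterBrimcapZdeps` filter drops `suricata.rules` and `emerging.rules.tar.gz` from the Windows bundle without any build output, and its comment does not say what a Windows install runs with until rules are fetched. Going by the changelog entry, rules arrive only on the first Internet-connected launch, so an offline or air-gapped Windows install presumably starts with no Suricata rules and raises no alerts; I would state that in the comment, e.g. `// Windows installs have no Suricata rules (and so no alerts) until the first online rules update.`, and log each omission with `console.log("skipping " + src + " on win32, see #2857")` before `return false`. Smaller points: `process.platform == "win32"` should use `===`, the `dest` parameter is unused, and the `if`/`else` returning `false`/`true` can be a single returned boolean expression. `main()` continues past the end of the hunk.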