Malware removal with python script and virustotal


radun

Jun 13, 2023, 6:13:10 PM6/13/23
to Wazuh mailing list
I followed the guide on VirusTotal integration. I made the script and all, but how do I know if it properly works? Do I have to turn off virus detection on Windows to see an alert? How do I know if remove-malware.exe was executed? I also wonder whether the EICAR test file is safe. Hopefully someone can assist me.

Jose Camargo

Jun 13, 2023, 6:44:19 PM6/13/23
to Wazuh mailing list
Hi Radun,

To verify if the script properly works, you can check the logs in the Wazuh manager (/var/ossec/logs/ossec.log) or the Wazuh Dashboard for any alerts related to the virus detection or the VirusTotal integration trigger. For example:
[screenshots: VirusTotal1.jpg, VirusTotal2.jpg]

You will probably need to disable your antivirus, as it might catch the file first before the remove-malware script is executed. If the remove-malware.exe was executed, you can check the logs for any successful execution.

Regarding the EICAR test file, it is safe to use, as it is a harmless file used for testing antivirus software (as shown in the example).

If you have any further questions or concerns, please let us know.

Regards,
Jose Camargo
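The check described in the reply above (look in the manager's alerts for the FIM event, the VirusTotal verdict and the active-response trigger) can be scripted instead of read off the dashboard. The following is an added example, not code from the thread or from Wazuh: it parses a constructed excerpt of the manager's alerts.json, lists the VirusTotal verdict per file, flags FIM additions that never received a verdict (the symptom reported later in this thread), and tells you whether a verdict would fire the active response bound to rule 87105. Field names follow the Wazuh syscheck and VirusTotal integration alerts; the sample hashes, timestamps, agent name and rule ids other than 87105 are made up for the example.

```python
import json

# Constructed excerpt of /var/ossec/logs/alerts/alerts.json (one alert per line), trimmed to the
# fields this check reads. Field names follow the Wazuh FIM (syscheck.*) and VirusTotal
# (data.virustotal.*) alerts; timestamps, the dropper hash and rule ids other than 87105 are
# invented for this example (the EICAR md5 is the real one).
SAMPLE_ALERTS = r'''
{"timestamp":"2023-06-16T12:01:10.000+0000","rule":{"id":"554","level":5,"description":"File added to the system.","groups":["ossec","syscheck","syscheck_entry_added"]},"agent":{"id":"001","name":"WIN-LAB"},"syscheck":{"path":"C:\\Users\\radun\\Downloads\\eicar.txt","event":"added","md5_after":"44d88612fea8a8f36de82e1278abb02f"}}
{"timestamp":"2023-06-16T12:01:12.000+0000","rule":{"id":"87105","level":12,"description":"VirusTotal: Alert - C:\\Users\\radun\\Downloads\\eicar.txt - 63 engines detected this file","groups":["virustotal"]},"agent":{"id":"001","name":"WIN-LAB"},"data":{"integration":"virustotal","virustotal":{"found":1,"malicious":1,"positives":"63","total":"68","source":{"alert_id":"1686916870.1234","file":"C:\\Users\\radun\\Downloads\\eicar.txt","md5":"44d88612fea8a8f36de82e1278abb02f"}}}}
{"timestamp":"2023-06-16T12:05:40.000+0000","rule":{"id":"554","level":5,"description":"File added to the system.","groups":["ossec","syscheck","syscheck_entry_added"]},"agent":{"id":"001","name":"WIN-LAB"},"syscheck":{"path":"C:\\Users\\radun\\Downloads\\dropper.exe","event":"added","md5_after":"0123456789abcdef0123456789abcdef"}}
{"timestamp":"2023-06-16T12:06:01.000+0000","rule":{"id":"87104","level":3,"description":"VirusTotal: Alert - C:\\Users\\radun\\Downloads\\notes.txt - No positives found","groups":["virustotal"]},"agent":{"id":"001","name":"WIN-LAB"},"data":{"integration":"virustotal","virustotal":{"found":1,"malicious":0,"positives":"0","total":"70","source":{"file":"C:\\Users\\radun\\Downloads\\notes.txt","md5":"d41d8cd98f00b204e9800998ecf8427e"}}}}
'''


def load_alerts(text):
    """Parse alerts.json lines, skipping blanks and the partial last line an open log may have."""
    alerts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            alerts.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return alerts


def virustotal_verdicts(alerts):
    """{file path: verdict} for every alert the VirusTotal integration produced."""
    verdicts = {}
    for alert in alerts:
        vt = alert.get("data", {}).get("virustotal")
        if not vt:
            continue
        src = vt.get("source", {})
        verdicts[src.get("file")] = {
            "rule_id": alert["rule"]["id"],
            "level": alert["rule"]["level"],
            "malicious": int(vt.get("malicious", 0)) == 1,
            "positives": int(vt.get("positives", 0)),
            "total": int(vt.get("total", 0)),
            "md5": src.get("md5"),
        }
    return verdicts


def fim_events_without_verdict(alerts):
    """FIM additions/modifications that never got a VirusTotal alert. The integration only queries
    VirusTotal for alerts in the syscheck group, so a path listed here means the integration,
    its API key, or the syscheck scope on the agent is not doing its job."""
    looked_up = set(virustotal_verdicts(alerts))
    pending = []
    for alert in alerts:
        fim = alert.get("syscheck")
        if fim and fim.get("event") in ("added", "modified") and fim.get("path") not in looked_up:
            pending.append(fim["path"])
    return pending


def would_trigger_removal(verdict, rules_id="87105"):
    """Does this verdict match the <rules_id> the remove-threat active response is bound to?"""
    return verdict["rule_id"] == rules_id and verdict["malicious"]


if __name__ == "__main__":
    alerts = load_alerts(SAMPLE_ALERTS)
    for path, v in virustotal_verdicts(alerts).items():
        print("%-40s rule %s level %-2s %s/%s positives, active response: %s"
              % (path, v["rule_id"], v["level"], v["positives"], v["total"],
                 "yes" if would_trigger_removal(v) else "no"))
    for path in fim_events_without_verdict(alerts):
        print("%-40s FIM event seen but no VirusTotal verdict" % path)
```

Point it at a copy of the real alerts.json (not the live file, which the manager keeps open) and compare the output with the dashboard: a file listed under "no VirusTotal verdict" is exactly the situation in which rules 87100 and up never fire, and the place to look next is the integration block in ossec.conf and the manager's ossec.log.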

radun

Jun 16, 2023, 2:56:43 PM6/16/23
to Wazuh mailing list
Well, I did switch off the antivirus, but the VirusTotal module is not detecting the eicar.txt file at all. The screenshot below shows no malicious file detected. I have the free public key, so maybe the lookups are slow, but I've given it almost an hour and it hasn't detected it. There's another screenshot showing that nothing above rule level 7 to 12 relating to VirusTotal was fired. Is there an error, or maybe should I get the premium key?
[screenshots: security events for malware.png, virustotal screenshot.png]

Jose Camargo

Jun 16, 2023, 4:51:10 PM6/16/23
to Wazuh mailing list
Hi Radun,

For the integration to work you don't need a premium key. You have to have the following settings in your manager's ossec.conf:

  <integration>
    <name>virustotal</name>
    <api_key>your_key</api_key>
    <group>syscheck</group>
    <alert_format>json</alert_format>
  </integration>

  <command>
    <name>remove-threat</name>
    <executable>remove-threat.exe</executable>
    <timeout_allowed>no</timeout_allowed>
  </command>

  <active-response>
    <disabled>no</disabled>
    <command>remove-threat</command>
    <location>local</location>
    <rules_id>87105</rules_id>
  </active-response>

having previously run this process to create the remove-threat.exe script: https://documentation.wazuh.com/current/proof-of-concept-guide/detect-remove-malware-virustotal.html

Besides that, you also have to set <syscheck> to monitor the directory you'll be downloading the files into. For example, I'm using my Downloads folder:

  <agent_config>
    <syscheck>
      <directories check_all="yes" realtime="yes">C:\Users\*\Downloads</directories>
    </syscheck>
  </agent_config>

And I'm getting these alerts (having previously disabled my antivirus):
[screenshots: VirusTotal4.jpg, VirusTotal5.jpg]


Please check the /var/ossec/active-response/active-response.log file for possible reasons for failing and attach them here.

I'll be waiting for your comments.

Regards,
Jose Camargo
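The configuration above wires rule 87105 to a remove-threat command that receives the triggering alert on its stdin and deletes the file named in it. Below is an added example of such a handler, written for this thread; it is not the remove-threat.py from the Wazuh proof-of-concept guide, and it assumes the stdin message shape of the Wazuh active-response protocol (a JSON line with "version", "command" and "parameters.alert", followed by a check_keys/continue exchange) and the integration's data.virustotal.* fields. Two things the thread's questions make worth showing: the handler re-checks the VirusTotal verdict instead of trusting that the right rule fired, and it refuses to delete anything outside the directories syscheck is watching, so an alert that names a path elsewhere (or a symlink in Downloads that points elsewhere) cannot be turned into an arbitrary file deletion. The allowed roots, the log path and all sample values are assumptions for the example.

```python
#!/usr/bin/env python3
"""remove-threat handler for Wazuh VirusTotal hits. Added example for this thread, not the
script from the Wazuh PoC guide; the stdin protocol and field names are assumptions."""
import io
import json
import os
import sys
import tempfile
from datetime import datetime

# Assumed input, one JSON line on stdin as the Wazuh active-response protocol delivers it:
#   {"version": 1, "origin": {...}, "command": "add", "parameters": {"alert": {...}}}
# with the integration's fields inside the alert under data.virustotal.*.
# Only files under these roots may be deleted; they mirror the <syscheck> directory in the reply.
DEFAULT_ROOTS = [r"C:\Users"] if os.name == "nt" else ["/home"]
LOG_PATH = (r"C:\Program Files (x86)\ossec-agent\active-response\active-responses.log"
            if os.name == "nt" else "/var/ossec/logs/active-responses.log")


def inside(root, path):
    """True if path, with symlinks and '..' resolved, is root or lies below it."""
    root, path = os.path.realpath(root), os.path.realpath(path)
    try:
        return os.path.commonpath([root, path]) == root
    except ValueError:  # mixed absolute/relative paths or different Windows drives
        return False


def decide(message, allowed_roots):
    """Return (resolved path to delete or None, reason). Touches nothing on disk."""
    if message.get("version") != 1 or "command" not in message:
        return None, "malformed: not an active-response message"
    if message["command"] != "add":
        return None, "ignored: only 'add' removes files, got %r" % message["command"]
    vt = message.get("parameters", {}).get("alert", {}).get("data", {}).get("virustotal", {})
    # The <active-response> is bound to rule 87105, but re-check the verdict here so that a
    # mis-wired <rules_id> or a replayed alert can never delete a file VirusTotal called clean.
    if int(vt.get("malicious", 0)) != 1 or int(vt.get("positives", 0)) < 1:
        return None, "ignored: VirusTotal reported no positives"
    target = vt.get("source", {}).get("file")
    if not target:
        return None, "ignored: alert carries no source file"
    if not any(inside(root, target) for root in allowed_roots):
        return None, "refused: %s is outside the monitored directories" % target
    return os.path.realpath(target), "ok"


def handshake(keys, stdin, stdout, name="remove-threat"):
    """check_keys exchange of the active-response protocol: execd answers continue or abort."""
    stdout.write(json.dumps({"version": 1, "origin": {"name": name, "module": "active-response"},
                             "command": "check_keys", "parameters": {"keys": keys}}) + "\n")
    stdout.flush()
    try:
        return json.loads(stdin.readline()).get("command") == "continue"
    except (ValueError, AttributeError):
        return False


def handle(line, allowed_roots, stdin, stdout):
    """Process one stdin line end to end. Returns (status, detail) for the log."""
    try:
        message = json.loads(line)
    except ValueError:
        return "malformed", "stdin was not JSON"
    target, reason = decide(message, allowed_roots)
    if target is None:
        return reason.split(":")[0], reason
    rule_id = message["parameters"]["alert"].get("rule", {}).get("id", "")
    if not handshake([rule_id, target], stdin, stdout):
        return "aborted", "execd did not answer continue for %s" % target
    try:
        os.remove(target)
    except OSError as err:
        return "error", "could not remove %s: %s" % (target, err)
    return "removed", target


def build_message(file_path, positives=63, command="add", rule_id="87105"):
    """Constructed alert in the assumed shape; every value here is made up for the example."""
    return {"version": 1, "origin": {"name": "node01", "module": "wazuh-execd"}, "command": command,
            "parameters": {"extra_args": [], "alert": {
                "rule": {"id": rule_id, "level": 12, "groups": ["virustotal"]},
                "data": {"integration": "virustotal", "virustotal": {
                    "found": 1, "malicious": 1 if positives else 0, "positives": str(positives),
                    "total": "70", "source": {"file": file_path, "md5": "44d88612fea8a8f36de82e1278abb02f"}}}}}}


def demo():
    """Offline run: a hit inside the monitored root is removed, one outside it is refused."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as elsewhere:
        hit, outside = os.path.join(root, "eicar.txt"), os.path.join(elsewhere, "hosts")
        for p in (hit, outside):
            with open(p, "w") as f:
                f.write("placeholder, not the EICAR string\n")
        execd_reply = io.StringIO(json.dumps({"version": 1, "command": "continue"}) + "\n")
        r_in = handle(json.dumps(build_message(hit)), [root], execd_reply, io.StringIO())
        r_out = handle(json.dumps(build_message(outside)), [root], io.StringIO(), io.StringIO())
        return {"inside": r_in[0], "inside_gone": not os.path.exists(hit),
                "outside": r_out[0], "outside_kept": os.path.exists(outside)}


if __name__ == "__main__":
    status, detail = handle(sys.stdin.readline(), DEFAULT_ROOTS, sys.stdin, sys.stdout)
    with open(LOG_PATH, "a") as log:
        log.write("%s remove-threat: %s %s\n" % (datetime.now().isoformat(timespec="seconds"), status, detail))
    sys.exit(0 if status in ("removed", "ignored") else 1)
```

Every decision the handler takes ends up as one line in active-responses.log (the file the reply above asks you to check), so "was remove-threat.exe executed?" is answered by that log rather than by guessing: an "ignored" or "refused" line tells you the command ran but chose not to delete, and no line at all means execd never launched it.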

radun

Jun 20, 2023, 1:41:46 PM6/20/23
to Wazuh mailing list
Yeah, my active response is not activated; ossec logs also show up empty.
[screenshots: ossec log failed virustotal.png, virustotal screenshot 2.png, active response log.png]

radun

Jun 21, 2023, 11:44:21 AM6/21/23
to Wazuh mailing list
Is there more I should have screenshotted?


Jose Camargo

Jun 21, 2023, 3:05:50 PM6/21/23
to Wazuh mailing list
Hi Radun,

I do see the VirusTotal integration is working. Can you please attach a copy of your manager's and agent's ossec.conf, and also the agent's agent.conf (if used)? Please be sure to remove sensitive/private information.

Please also try enabling wazuh_modules.debug=2 in your agent's internal_options.conf file and check if you see any specific errors regarding the integration in the ossec.log file.

Finally, please also let me know which Wazuh version you're on, and on which OS you are running the tests.

Regards,
Jose Camargo

radun

Jun 21, 2023, 8:31:38 PM6/21/23
to Wazuh mailing list
No problem, sir. I just made a new agent; it works now.
[screenshots: successfull malware file deletion.png, successfull malware detection.png]

Jose Camargo

Jun 22, 2023, 1:58:22 PM6/22/23
to Wazuh mailing list
Hi Radun,

That's great! Please do not hesitate to contact us again if you need help with anything else.

Regards,
Jose Camargo
