Managing False Positives in Wazuh Scan Results

Erbil Suli

Sep 9, 2024, 12:35:48 AM
to Wazuh | Mailing List
Hi
I have installed Wazuh 4.9.0 and RedHat 4.9, and updated RedHat with the latest patches.

However, when I run "yum update" or "dnf update," RedHat reports that there are no new updates available.

Yet, after installing the Wazuh agent and performing a vulnerability scan, the results show numerous critical and high vulnerabilities, which makes me question the credibility of the scan.

Below are the results, showing the number of critical and high vulnerabilities detected.

[attached image: AAAA.png]

Is there any way to remove false positive results or mute them from appearing in the dashboard or reports?

Regards

Aditya Sharma

Sep 9, 2024, 2:16:58 AM
to Wazuh | Mailing List
Hi Team,

To detect vulnerabilities, Wazuh agents collect a list of installed applications from monitored endpoints and send it periodically to the Wazuh server. Local SQLite databases in the Wazuh server store this list. Within the Wazuh server, the Vulnerability Detection module correlates the software inventory data with vulnerability content documents to detect vulnerable software on the monitored endpoint. These documents are Common Vulnerabilities and Exposures (CVE) records that are available in our Cyber Threat Intelligence (CTI) platform.

You can learn more about the vulnerability scan process in our following document: https://documentation.wazuh.com/current/user-manual/capabilities/vulnerability-detection/how-it-works.html

The picture you shared is not visible. Can you please share the details again of which vulnerabilities are showing, and the output of the following command?

cat /etc/os-release

Waiting for your response soon.
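The following is an added illustration of the correlation step described in the reply above, not Wazuh's own code: an installed-package inventory is matched against per-platform CVE content records, which is why the platform identified by /etc/os-release decides which records apply at all. The os-release text, the inventory, the record layout (platform key, package, fixed version) and the simplified RPM-style version comparison are all constructed assumptions for this example.

```python
import re

# Constructed sample of /etc/os-release content (not taken from the thread).
OS_RELEASE = 'NAME="Red Hat Enterprise Linux"\nID="rhel"\nVERSION_ID="9.4"\n'

# Constructed CVE content records with placeholder IDs; layout is assumed,
# not the real CTI document format.
CVE_RECORDS = [
    {"id": "CVE-0000-0001", "platform": "rhel:9", "package": "openssl", "fixed": "3.0.7-27.el9"},
    {"id": "CVE-0000-0002", "platform": "rhel:8", "package": "openssl", "fixed": "1.1.1k-12.el8"},
    {"id": "CVE-0000-0003", "platform": "rhel:9", "package": "curl", "fixed": "7.76.1-29.el9"},
]

# Constructed software inventory as an agent would report it: (name, version).
INVENTORY = [("openssl", "3.0.7-27.el9"), ("curl", "7.76.1-26.el9"), ("bash", "5.1.8-9.el9")]


def parse_os_release(text):
    """Return KEY=value pairs from os-release text, stripping surrounding quotes."""
    out = {}
    for line in text.splitlines():
        if "=" in line and not line.startswith("#"):
            key, _, val = line.partition("=")
            out[key.strip()] = val.strip().strip('"')
    return out


def rpm_ver_key(version):
    """Split '7.76.1-26.el9' into chunks; numeric chunks sort above alpha ones
    (a simplified stand-in for rpmvercmp, sufficient for the sample data)."""
    return [(1, int(p)) if p.isdigit() else (0, p) for p in re.split(r"[.\-_]", version)]


def platform_key(os_release):
    """Build the 'id:major' key used to select applicable content records."""
    return f"{os_release['ID']}:{os_release['VERSION_ID'].split('.')[0]}"


def correlate(inventory, records, os_release):
    """Return (package, installed_version, cve_id) for every record that applies
    to this platform and whose fixed version is newer than what is installed."""
    plat = platform_key(os_release)
    findings = []
    for name, ver in inventory:
        for rec in records:
            if rec["platform"] != plat or rec["package"] != name:
                continue  # content for another OS or package does not apply
            if rpm_ver_key(ver) < rpm_ver_key(rec["fixed"]):
                findings.append((name, ver, rec["id"]))
    return findings


if __name__ == "__main__":
    for hit in correlate(INVENTORY, CVE_RECORDS, parse_os_release(OS_RELEASE)):
        print(hit)
```

With the sample data only curl is reported: openssl is already at the fixed build, and the rhel:8 record is skipped because the parsed platform is rhel:9.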