wazuh-integratord ERROR While running virustotal -> integrations. Output


Lucas Veríssimo

Aug 20, 2024, 12:24:18 AM
to Wazuh | Mailing List
Hi, what would this error be?
Aug 19, 2024 @ 15:21:36.000 wazuh-integratord ERROR While running virustotal -> integrations. Output: UnicodeDecodeError: 'utf-8' codec can't decode byte 0xed in position 1518: invalid continuation byte
Aug 19, 2024 @ 15:21:36.000 wazuh-integratord ERROR Exit status was: 4

Md. Nazmur Sakib

Aug 20, 2024, 1:04:29 AM
to Wazuh | Mailing List

Hi Lucas Veríssimo,

Exit code 4 indicates ERR_NO_RESPONSE_VT.

I recommend you check this documentation about virustotal integration working with FIM:
https://documentation.wazuh.com/current/user-manual/capabilities/virustotal-scan/integration.html?highlight=virustotal#use-case-scanning-a-file


The integration is triggered when some file is added/removed/edited in the directories monitored by syscheck. You will see in alerts.json a syscheck alert and then a virustotal alert. Can you check these conditions?

Have you checked that the alerts configured to trigger the integration appear in /var/ossec/logs/alerts/alerts.json


Can you send me the same alert from the alerts.json file? Because the integration reads the alerts.json file to trigger the integration script. Maybe there is some character there that causes the problem!


Also, share the following information.


What is the version of your Wazuh Manager?

Can you share your Virustotal configuration from ossec.conf, hiding your private API key?

Have you made any changes to the Virustotal script?

Please share the Virustotal script from the following file
/var/ossec/integrations/virustotal.py


Looking forward to your update on the issue.
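The reply above suggests that a byte in alerts.json may be what the integration chokes on, and the error in the first message names the byte (0xed) and only a global offset (position 1518). The script below is an added example, not code from the Wazuh project or from either poster: it scans an alerts.json-style file line by line, reports the alert line and byte offset of every byte that is not valid UTF-8, and shows how the same lines can still be decoded and parsed with a recoverable error handler. The three sample alert lines are constructed for the example (the field names follow the Wazuh alert layout, the values are made up); the second line carries a Latin-1 encoded "í" (0xed) in a file path, which is exactly the kind of byte that triggers "invalid continuation byte".

```python
"""Locate invalid UTF-8 in a Wazuh alerts.json-style file and decode it safely.

Added example; not code from the Wazuh project or from the thread's posters.
SAMPLE_ALERTS is constructed for this example and does not reproduce how
virustotal.py itself reads alerts.json.
"""
import json

# Constructed sample: three newline-delimited JSON alerts. The second one has a
# Latin-1 byte 0xed ("í") in the path instead of the UTF-8 sequence C3 AD.
SAMPLE_ALERTS = (
    b'{"rule":{"id":"554","level":5},"syscheck":{"path":"/tmp/ok.txt",'
    b'"md5_after":"d41d8cd98f00b204e9800998ecf8427e"}}\n'
    b'{"rule":{"id":"554","level":5},"syscheck":{"path":"/tmp/pol\xedtica.txt",'
    b'"md5_after":"0cc175b9c0f1b6a831c399e269772661"}}\n'
    b'{"rule":{"id":"550","level":7},"syscheck":{"path":"/tmp/fine.txt",'
    b'"md5_after":"92eb5ffee6ae2fec3ad71c777531578f"}}\n'
)


def find_invalid_utf8(data: bytes):
    """Report every byte sequence in data that is not valid UTF-8.

    Each alert line is decoded on its own, so a finding names the line as well
    as the file offset; the integratord message only gives the offset.
    """
    findings = []
    line_start = 0
    for lineno, line in enumerate(data.split(b"\n"), start=1):
        start = 0
        while start < len(line):
            try:
                line[start:].decode("utf-8")
                break  # rest of the line is clean
            except UnicodeDecodeError as exc:
                pos = start + exc.start
                findings.append({
                    "line": lineno,
                    "offset_in_line": pos,
                    "offset_in_file": line_start + pos,
                    "byte": line[pos],
                    "reason": exc.reason,
                })
                start = start + exc.end  # resume after the bad sequence
        line_start += len(line) + 1  # account for the stripped newline
    return findings


def decode_alerts(data: bytes, errors: str = "replace"):
    """Parse newline-delimited alerts with a recoverable decode error handler.

    'replace' swaps each bad byte for U+FFFD; 'surrogateescape' keeps the raw
    byte recoverable via .encode('utf-8', 'surrogateescape'). Blank lines are
    skipped, as the last newline in a file leaves one.
    """
    alerts = []
    for line in data.split(b"\n"):
        if not line.strip():
            continue
        alerts.append(json.loads(line.decode("utf-8", errors=errors)))
    return alerts


def report(data: bytes) -> str:
    """Human-readable summary of the findings, one line per bad byte."""
    lines = []
    for f in find_invalid_utf8(data):
        lines.append(
            f"line {f['line']} offset {f['offset_in_line']} "
            f"(file offset {f['offset_in_file']}): byte 0x{f['byte']:02x} {f['reason']}"
        )
    return "\n".join(lines) if lines else "no invalid UTF-8 found"


if __name__ == "__main__":
    # Replace SAMPLE_ALERTS with open('/var/ossec/logs/alerts/alerts.json', 'rb').read()
    # to scan a real file (path taken from the thread above).
    print(report(SAMPLE_ALERTS))
    for alert in decode_alerts(SAMPLE_ALERTS):
        print(alert["rule"]["id"], alert["syscheck"]["path"])
```

Running it against the real alerts.json (read as bytes, never as text) pinpoints the alert that produced the integratord error; the reported md5_after and path identify which syscheck event was being handed to the VirusTotal integration when it failed.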