Vulnerability module issue


German DiCasas

Oct 22, 2024, 2:17:08 PM (6 days ago) Oct 22
to Wazuh | Mailing List
Hi team,

I understand that before placing active vulnerabilities, the agent together with the server generates a series of events, but how can it be that they are not generated? How can there be an inventory of vulnerabilities if there are no events in which the server compares and generates a result? Please let me know what the correct process is from when the agent collects the packages and hotfixes from the agent. All the other events are visible, but none related to vulnerabilities on this specific server.

The status of the health index is green, all agents are configured in the same way and correspond to the same version of Windows Server. The other agents report correctly except this one.

I have also checked other agents and found that some vulnerabilities on the VD inventory do not exist in events. That is, a CVE indicated on the VD inventory does not exist in any Threat Hunting Events event of that server. Why?

Let me know 

Gabriel Emanuel Valenzuela

Oct 22, 2024, 3:08:56 PM (6 days ago) Oct 22
to Wazuh | Mailing List
Hi German, how are you?

I assume you are working with a 4.8.x or 4.9.x version of VD. In that case, the module works in the following way: when an agent is connected to the manager and sends its report of the installed packages (syscollector), that information is sent to the VD module too if enabled, and the first scan (i.e. the first time that agent connects with the manager) doesn't generate any events. The successive modifications, installing or removing a package, that make a change on VD (adding or solving a vulnerability) will create an event, and you can see them on the 'Events' tab of your dashboard.

Here is a graphical representation that is available in our documentation:

[Image: Vulnerability detection workflow]

Please let me know if this helps to clarify your issue, and feel free to ask any doubts you have.

Nice day!

German DiCasas

Oct 24, 2024, 6:19:49 PM (3 days ago) Oct 24
to Wazuh | Mailing List
Gabriel,

Thanks for the reply. So on installation of the agent and sync with the manager it will not generate any event, ok. So why do I have active vulnerabilities in VD without events?

From what you tell me, it would not generate absolutely anything, neither events nor data in the vulnerability inventory. How is it possible that the vulnerability inventory has information after the first install? All the package.name entries in the VD inventory are Google Chrome, package.version 127.0.6533.89 for example. How can it be possible to fill that without events? No installation was done after the agent.

Also, how can I force a full scan again for the agent?

Thanks..

German

Gabriel Emanuel Valenzuela

Oct 24, 2024, 8:11:33 PM (3 days ago) Oct 24
to Wazuh | Mailing List
Hi German!

When an agent connects to the manager for the first time, and if Vulnerability Detection (VD) is active, the agent's installed packages (reported via syscollector) will be scanned for vulnerabilities. Suppose a vulnerability is found in any package. In that case, this information is recorded in the Inventory using an index in the wazuh-indexer to keep track of all vulnerabilities and a local database (inventory database) on the manager.

Regarding your question about what gets generated during the first scan: the initial scan doesn't create alerts or vulnerability events. Subsequent scans, triggered by the syscollector scan configuration, will generate alerts if an installation or removal of a package results in a change in the vulnerability inventory.

Here are a couple of other factors that affect alert generation:

  • Cluster environment: If an agent switches to a different node, its inventory syncs with the new node, but no alerts are generated during this initial sync.

  • Content update: When content changes, all agents are re-scanned to ensure results are up to date, but no alerts are generated during this initial sync.

Regarding your query on forcing a full scan again for an agent, every time the vulnerability feed is updated, a rescan is automatically triggered across all agents. This ensures that the latest vulnerability data is always used to assess the security posture of the managed devices.

If you need more detailed guidance or further assistance, please feel free to ask! 😊
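The behaviour Gabriel describes (first scan fills the inventory silently; later syscollector scans emit events only for vulnerabilities added or solved; content updates and cluster node switches rescan without alerting) as a toy model. This is an added illustration, not Wazuh code: the feed dicts, the agent id "001", the version 128.0.0.0 and the CVE ids are constructed placeholders; 127.0.6533.89 is the version quoted in the thread.

```python
from dataclasses import dataclass, field

# Constructed feeds: package name -> {vulnerable version: CVE id (placeholder)}.
FEED_V1 = {"Google Chrome": {"127.0.6533.89": "CVE-0000-0001"}}
FEED_V2 = {"Google Chrome": {"127.0.6533.89": "CVE-0000-0001",
                             "128.0.0.0": "CVE-0000-0002"}}  # feed update adds one


def match(packages, feed):
    """Return the set of (package, version, cve) findings for a syscollector package list."""
    found = set()
    for name, version in packages.items():
        cve = feed.get(name, {}).get(version)
        if cve:
            found.add((name, version, cve))
    return found


@dataclass
class Manager:
    inventory: dict = field(default_factory=dict)  # agent id -> current findings
    events: list = field(default_factory=list)     # what would reach the Events tab

    def scan(self, agent, packages, feed, trigger="syscollector"):
        """Rescan one agent and diff against its stored inventory.

        The inventory is always updated. Events are emitted only when the
        agent already had an inventory AND the scan was triggered by a
        syscollector change; a first scan, a cluster node sync or a
        content (feed) update rescan updates the inventory silently.
        """
        new = match(packages, feed)
        old = self.inventory.get(agent)
        self.inventory[agent] = new
        if old is None or trigger != "syscollector":
            return []
        emitted = ([("added", agent, f) for f in sorted(new - old)]
                   + [("solved", agent, f) for f in sorted(old - new)])
        self.events.extend(emitted)
        return emitted


if __name__ == "__main__":
    m = Manager()
    print(m.scan("001", {"Google Chrome": "127.0.6533.89"}, FEED_V1))  # [] but inventory filled
    print(m.inventory["001"])
    print(m.scan("001", {"Google Chrome": "128.0.0.0"}, FEED_V1))  # 'solved' event
    print(m.scan("001", {"Google Chrome": "128.0.0.0"}, FEED_V2, trigger="content_update"))  # []
```

Running it shows an agent whose inventory lists a CVE that never appeared in any event, which is exactly the situation reported in the first message.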

German DiCasas

Oct 25, 2024, 9:48:15 PM (2 days ago) Oct 25
to Wazuh | Mailing List
Gabriel, good to know that. So, after the install of the agent, the packages reported via syscollector are compared to the feeds and will be in the VD inventory at that moment. And I can see that, but it will not generate any alerts or events. Only after a change, install or uninstall, will I be able to see events and alerts? Correct?

So, it will report all the vulnerabilities related to the packages but not the events. Correct?

Regards

German
