Active Response integration with VirusTotal not working as it should

Sameer Khan

unread,

Jan 8, 2024, 3:32:25 PM1/8/24

to Wazuh | Mailing List

Hi all,

I'm currently trying to set up a Wazuh instance for my environment. I've got two test agents enrolled and a "TestGroup" created.

At the moment I'm running into an issue where despite following the blogs and videos online I cannot seem to get my Active Response "remove-threat" scripts to work alongside VirusTotal. I can see files being run against VirusTotals database but they do not get removed. The Active Response section shows them as disabled even though I've set them up to be enabled.

Also, I saw online that I can move a file to the shared folder under any given group from the Wazuh manager. I want to use that option to transfer my scripts to various agents but It hasn't worked so far. I have to manually copy the scripts to the agents. Could I please get some guidance on setting this up as well?

Attached are a few screenshots and my ossec.conf. Please let me know if any other files are needed and I'll be sure to provide them.

Thanks in advance,

Samir

ossec.conf

Screenshot 2024-01-08 155259.png

Screenshot 2024-01-08 155704.png

Mauricio Aguilar

unread,

Jan 8, 2024, 4:31:55 PM1/8/24

to Wazuh | Mailing List

Hi Sameer,

Please allow me a moment to analyze it.

What version of Wazuh are you using?

In the meantime, I leave you some general links:

https://documentation.wazuh.com/current/user-manual/capabilities/active-response/index.html

https://documentation.wazuh.com/current/user-manual/capabilities/active-response/how-to-configure.html

https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/active-response.html

https://documentation.wazuh.com/current/user-manual/capabilities/active-response/ar-use-cases/index.html

https://documentation.wazuh.com/current/user-manual/capabilities/malware-detection/virus-total-integration.html

Regards

Sameer Khan

unread,

Jan 11, 2024, 9:21:14 AM1/11/24

to Wazuh | Mailing List

Hey Mauricio,

Thanks for the links - I've come across those in my search to fix the issue but alas haven't been able to yet.

My current running version is v4.7.0 which was the latest version of Wazuh I could find during setup.

Regards,

Sameer

Mauricio Aguilar

unread,

Jan 15, 2024, 9:38:40 AM1/15/24

to Wazuh | Mailing List

Hi Sameer,

Sorry for the delay. I was checking your configuration and it seems to be ok. I am asking the team for help. I will write soon.

Best regards,

Mauricio.

Sameer Khan

unread,

Jan 15, 2024, 11:43:50 AM1/15/24

to Wazuh | Mailing List

Hey Mauricio,

Appreciate the update. I'll wait for the team to get back on this.

Thank you,

Sameer

Mauricio Aguilar

unread,

Jan 15, 2024, 12:14:40 PM1/15/24

to Wazuh | Mailing List

Hi again,

The team suggest:

* Remember restart the service when the change is done, in order to apply it.

* Check Response of this request: https://documentation.wazuh.com/current/user-manual/api/reference.html#operation/api.controllers.manager_controller.get_manager_config_ondemand

Anyway, it seems like it could be a dashboard bug. The team is checking this.

Regarding sharing the scripts, so far I understand that only the configuration can be shared:

https://documentation.wazuh.com/current/user-manual/reference/centralized-configuration.html

Regards,

Mauricio.

Mauricio Aguilar

unread,

Jan 26, 2024, 2:00:33 PM1/26/24

to Wazuh | Mailing List

Hi Sameer,

Your issue will be fixed: https://github.com/wazuh/wazuh/issues/21585

Thanks for your feedback.

Regards

Reply all

Reply to author

Forward