Active Response for Windows Defender Real Time


Yogi Valentino

Nov 20, 2025, 5:03:45 AM (3 days ago) Nov 20
to Wazuh | Mailing List
I was trying to make a Windows Defender "enable real-time protection" active response, but the active response didn't execute my exe file. Can you help me?

Wazuh manager ossec.conf command and active response:

<command>
  <name>enable_defender</name>
  <executable>enable_defender.exe</executable>
  <timeout_allowed>no</timeout_allowed>
</command>

<active-response>
  <disabled>no</disabled>
  <command>enable_defender</command>
  <location>any</location>
  <rules_id>62152</rules_id>
</active-response>

The Wazuh rule:

<!-- Event ID 5001 -->
<rule id="62152" level="5">
  <if_sid>62100</if_sid>
  <field name="win.system.eventID">^5001$</field>
  <description>Windows Defender: Antivirus real-time protection is disabled</description>
  <options>no_full_log</options>
  <group>pci_dss_5.1,pci_dss_10.2.6,pci_dss_10.6.1,gpg13_4.14,gpg13_10.1,gdpr_IV_35.7.d,hipaa_164.312.b,nist_800_53_SI.3,nist_800_53_AU.14,nist_800_53_AU.5,nist_800_53_AU.6,tsc_A1.2,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
</rule>

This is my C:\Program Files (x86)\ossec-agent\ossec.conf; I put it here as a txt file so you guys can see it.

Wazuh can log my rule, but the active response didn't execute my exe.

I'm using enable_defender.py and then PyInstaller to turn it into an .exe.

Any ideas why my Wazuh AR didn't execute my enable_defender.exe?

ossec.txt
enable_defenderpy.png
wazuh_log_defender.png

Miguel Casares

Nov 20, 2025, 5:39:57 AM (3 days ago) Nov 20
to Wazuh | Mailing List
Hi,

We would need more information to help you troubleshoot it.

Let's first check the active response log on the agent side: C:\Program Files (x86)\ossec-agent\active-response\active-response.log. If the file is empty, it could be a configuration issue.

Make sure you placed enable_defender.exe exactly here on the agent: C:\Program Files (x86)\ossec-agent\active-response\bin\.

Additionally, change the location to local:

<active-response>
  <disabled>no</disabled>
  <command>enable_defender</command>
  <location>local</location>
  <rules_id>62152</rules_id>
</active-response>

Bear in mind that if you are in a cluster environment, all the nodes must have the same Active Response configuration. Restart the server, force the rule and share with us the active-response.log of the agent.
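Added example (not code from either poster, nor from Wazuh): a minimal enable_defender.py that the thread's active response could be built from. It assumes the stdin JSON message format that the Wazuh 4.x agent's execd uses when it calls an active-response script (version 1, "command": "add" for a stateless response, the triggering alert under parameters.alert), the agent's active-response.log path mentioned above as the default log location, the rule ID 62152 from the thread, and PowerShell's Set-MpPreference cmdlet to re-enable real-time protection. The sample message at the top is constructed for the example. Because the script logs every invocation (including a malformed or manually started one) to the same active-response.log that Miguel asks for, an empty log after the rule fires means execd never launched the exe, which points at placement or configuration rather than at the script.

```python
"""Minimal Wazuh active-response script for Windows (added example, not the poster's code).

Build with PyInstaller and place the .exe in the agent's active-response\bin\ folder.
Assumes the Wazuh 4.x execd protocol: one JSON message on stdin per invocation.
"""
import json
import subprocess
import sys
from datetime import datetime, timezone

# Assumed default: the agent's own active-response log, one level above bin\.
DEFAULT_LOG = r"C:\Program Files (x86)\ossec-agent\active-response\active-response.log"
TARGET_RULE = "62152"  # rule from the thread: Event ID 5001, real-time protection disabled

# Constructed sample of what execd pipes to the script when rule 62152 fires.
SAMPLE_MESSAGE = json.dumps({
    "version": 1,
    "origin": {"name": "node01", "module": "wazuh-execd"},
    "command": "add",
    "parameters": {
        "extra_args": [],
        "alert": {
            "rule": {"id": "62152", "level": 5,
                     "description": "Windows Defender: Antivirus real-time protection is disabled"},
            "agent": {"id": "001", "name": "win-host"},
            "data": {"win": {"system": {"eventID": "5001"}}},
        },
        "program": r"C:\Program Files (x86)\ossec-agent\active-response\bin\enable_defender.exe",
    },
})


def parse_message(raw: str) -> dict:
    """Validate the AR message; anything else means the exe was not started by execd."""
    msg = json.loads(raw)
    if not isinstance(msg, dict) or msg.get("version") != 1 \
            or "command" not in msg or not isinstance(msg.get("parameters"), dict):
        raise ValueError("not a Wazuh active-response message")
    return msg


def build_command(msg: dict):
    """Return the PowerShell argv to run, or None when nothing should happen."""
    if msg["command"] != "add":
        return None  # a stateless AR (timeout_allowed=no) is only ever called with "add"
    rule_id = str(msg["parameters"].get("alert", {}).get("rule", {}).get("id", ""))
    if rule_id != TARGET_RULE:
        return None  # defensive: only act on the rule this script was written for
    return ["powershell.exe", "-NoProfile", "-NonInteractive", "-Command",
            "Set-MpPreference -DisableRealtimeMonitoring $false"]


def handle(raw: str, run=subprocess.call, log_path=DEFAULT_LOG) -> dict:
    """Parse one message, run the fix if it applies, and log the outcome.

    `run` takes an argv list and returns its exit code (injectable for tests).
    `log_path=None` disables file logging; the log line is still returned.
    """
    stamp = datetime.now(timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")
    try:
        argv = build_command(parse_message(raw))
    except (ValueError, TypeError, KeyError, AttributeError) as exc:
        argv, rc = None, 1
        line = f"{stamp} enable_defender: invalid message: {exc}"
    else:
        rc = run(argv) if argv else 0
        line = (f"{stamp} enable_defender: ran {argv} rc={rc}" if argv
                else f"{stamp} enable_defender: skipped (command/rule did not match)")
    if log_path:
        with open(log_path, "a", encoding="utf-8") as fh:
            fh.write(line + "\n")
    return {"rc": rc, "argv": argv, "log": line}


if __name__ == "__main__":
    # execd sends the message on stdin; exit code is what execd records.
    sys.exit(handle(sys.stdin.read())["rc"])
```

Running the compiled exe by hand (with no JSON on stdin) writes an "invalid message" line to the log, which is a quick way to confirm that the exe starts, that it can write to the log, and that the path in <executable> is the one execd will resolve under active-response\bin\.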