Hi Wazuh Support Team,
I am facing an issue with the Windows Software Policy / Application Whitelisting Active Response after upgrading our Wazuh environment to v4.14.5.
We have implemented the application whitelisting solution based on the following repository and documentation:
The implementation was working correctly before the upgrade. After upgrading to Wazuh v4.14.5, the detection rule still triggers successfully, but the Active Response no longer suspends or terminates the unauthorized application.
Environment
Sysmon is installed and configured to generate Event ID 1 (Process Create) events.
2. Wazuh Rules
The Software Policy rules are configured as described in the repository. Unauthorized applications correctly trigger Rule ID 100500, and alerts are generated in the Wazuh Dashboard.
3. Active Response Configuration
The following Active Response configuration is present in the agent configuration:
The pssuspend.cmd (PowerShell) script provided in the repository is configured to:
This exact configuration worked as expected before upgrading to Wazuh v4.14.5. No changes were made to the Active Response configuration or the PowerShell script. The only change in the environment was the Wazuh upgrade.
Could you please confirm whether there were any changes in Wazuh v4.14.x related to:
If there are any required changes to make this solution compatible with Wazuh v4.14.5, kindly provide the recommended approach or updated documentation.
We appreciate your assistance in resolving this issue.
Thank you.
Regards,
Diwahar S V