Active Response | Working in Older version | Not Working in Newer Version


DIWAHAR RAHAWID

Jul 1, 2026, 8:49:43 AM
to Wazuh | Mailing List

Hi Wazuh Support Team,

I am facing an issue with the Windows Software Policy / Application Whitelisting Active Response after upgrading our Wazuh environment to v4.14.5.

We have implemented the application whitelisting solution based on the following repository and documentation:

The implementation was working correctly before the upgrade. After upgrading to Wazuh v4.14.5, the detection rule still triggers successfully, but the Active Response no longer suspends or terminates the unauthorized application.

Environment
  • Wazuh Manager: v4.14.5
  • Wazuh Windows Agent: v4.14.5
  • Sysmon: v15.14
  • Windows Servers
Configuration Implemented

1. Sysmon

Sysmon is installed and configured to generate Event ID 1 (Process Create) events.

2. Wazuh Rules

The Software Policy rules are configured as described in the repository. Unauthorized applications correctly trigger Rule ID 100500, and alerts are generated in the Wazuh Dashboard.

3. Active Response Configuration

The following Active Response configuration is present in the agent configuration:

<command>
  <name>pssuspend</name>
  <executable>pssuspend.cmd</executable>
  <timeout_allowed>no</timeout_allowed>
</command>

<active-response>
  <disabled>no</disabled>
  <level>10</level>
  <command>pssuspend</command>
  <location>local</location>
  <rules_group>software_policy</rules_group>
</active-response>

4. Active Response Script

The pssuspend.cmd (PowerShell) script provided in the repository is configured to:

  • Receive the Wazuh Active Response alert JSON.
  • Extract the Process ID and Image Path from the Sysmon event.
  • Verify that the running process matches the alert.
  • Display a notification to the logged-in user.
  • Suspend the process using PsSuspend.
  • Wait for 3 seconds.
  • Terminate the process using PsKill.

Current Behavior

  • Sysmon Event ID 1 is generated.
  • Wazuh detects the event.
  • Rule 100500 is triggered.
  • Alerts are visible in the Wazuh Dashboard.
  • The Active Response does not suspend or terminate the application.
  • The unauthorized application continues to run.

Issue Observed

This exact configuration worked as expected before upgrading to Wazuh v4.14.5. No changes were made to the Active Response configuration or the PowerShell script. The only change in the environment was the Wazuh upgrade.

Could you please confirm whether there were any changes in Wazuh v4.14.x related to:

  • Active Response execution on Windows agents
  • Active Response JSON format
  • Rule group handling
  • Active Response command execution
  • Windows agent behavior or permissions
  • Any known issues affecting the wazuh-windows-software-policy implementation

If there are any required changes to make this solution compatible with Wazuh v4.14.5, kindly provide the recommended approach or updated documentation.

We appreciate your assistance in resolving this issue.

Thank you.

Regards,
Diwahar S V
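As an added example (not the repository's script and not from the poster), a minimal PowerShell handler for the flow described above that logs the raw stdin payload before doing anything else, so that whether the agent invokes the script at all, and in what JSON shape, can be confirmed from active-responses.log before the suspend/kill logic is blamed. Assumed: the Wazuh 4.x stdin JSON format ({"command":"add","parameters":{"alert":{...}}}), the Windows eventchannel field names data.win.eventdata.processId and .image, PsSuspend/PsKill on PATH with the EULA already accepted, and a pssuspend.cmd wrapper that runs this .ps1 through powershell.exe -File.

```powershell
# Added example handler for a Wazuh 4.x Windows Active Response (assumed layout, not the
# repository's own script). Reads the alert JSON from stdin, validates it, verifies the PID
# still belongs to the image named by Sysmon Event ID 1, then suspends and kills it.

# Assumed default agent install path; adjust if the agent lives elsewhere.
$LogFile = 'C:\Program Files (x86)\ossec-agent\active-response\active-responses.log'

function Write-ArLog([string]$Message) {
    "$(Get-Date -Format 'yyyy/MM/dd HH:mm:ss') pssuspend: $Message" |
        Out-File -FilePath $LogFile -Append -Encoding utf8
}

# 1. Log the raw payload first: if this line never appears, the script is not being
#    invoked and the problem is in the manager/agent AR plumbing, not in this code.
$raw = [Console]::In.ReadToEnd()
Write-ArLog "received: $raw"

try { $msg = $raw | ConvertFrom-Json } catch { Write-ArLog "invalid JSON: $_"; exit 1 }

# 2. Only act on 'add'. The manager can also send 'delete' (timeout expiry); ignore it.
if ($msg.command -ne 'add') { Write-ArLog "ignoring command '$($msg.command)'"; exit 0 }

$alert     = $msg.parameters.alert
$eventdata = $alert.data.win.eventdata          # assumed eventchannel field names
$targetPid = 0
if (-not [int]::TryParse([string]$eventdata.processId, [ref]$targetPid)) {
    Write-ArLog "alert has no usable processId"; exit 1
}
$image = [string]$eventdata.image
Write-ArLog "rule $($alert.rule.id) pid=$targetPid image=$image"

# 3. PIDs are reused: refuse to act unless the live process path matches the alert.
$proc = Get-Process -Id $targetPid -ErrorAction SilentlyContinue
if (-not $proc -or $proc.Path -ne $image) {
    Write-ArLog "pid $targetPid does not match '$image'; nothing done"; exit 0
}

# 4. Suspend, wait, terminate. -accepteula is the common Sysinternals switch (assumed
#    accepted by PsSuspend/PsKill as by the other PsTools).
& pssuspend.exe -accepteula $targetPid | Out-Null
Start-Sleep -Seconds 3
& pskill.exe -accepteula $targetPid | Out-Null
Write-ArLog "suspended and terminated pid $targetPid"
```

Run it manually by piping a saved alert JSON into the .cmd wrapper; the first log line then shows exactly what the agent would hand the script, which is the fastest way to tell a changed payload shape from a script that is never launched.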


DIWAHAR RAHAWID

Jul 2, 2026, 10:11:07 AM
to Wazuh | Mailing List
Hi Team,

Please someone help me on this issue!

Regards
Diwahar
