Is this a false positive from wazuh-agent 3.1.0-1 on Windows 7?


Michael McCarn

Jan 29, 2018, 7:29:48 AM
to Wazuh mailing list
I get 1 - 3 malware reports per day from a Windows 7 system saying that "svchost.exe" is running outside c:\windows\system32 -- but the accompanying log data seems to show that it *is* running in c:\windows\system32.

Is this a false positive (am I reading the log entry correctly)? 

Or is this something else (actual malware)?


{
  "_index": "wazuh-alerts-3.x-2018.01.29",
  "_type": "wazuh",
  "_id": "BzgjQGEBLKqaiyQC9zmD",
  "_version": 1,
  "_score": null,
  "_source": {
    "rule": {
      "mail": false,
      "level": 9,
      "description": "Windows malware detected.",
      "firedtimes": 1,
      "pci_dss": [
        "11.4"
      ],
      "groups": [
        "ossec",
        "rootcheck",
        "gpg13_4.2"
      ],
      "id": "513"
    },
    "full_log": "Windows Malware: Possible Malware - Svchost running outside system32 {PCI_DSS: 11.4}. Process: C:\\Windows\\system32\\svchost.exe.",
    "path": "/var/ossec/logs/alerts/alerts.json",
    "data": {
      "title": "Windows Malware: Possible Malware - Svchost running outside system32"
    },
    "agent": {
      "name": "vWin7-32",
      "id": "011"
    },
    "decoder": {
      "name": "rootcheck"
    },
    "host": "wazuh-server",
    "location": "rootcheck",
    "@timestamp": "2018-01-29T04:19:13.000Z",
    "manager": {
      "name": "wazuh-server"
    },
    "id": "1517199553.140529"
  },
  "fields": {
    "@timestamp": [
      "2018-01-29T04:19:13.000Z"
    ]
  },
  "highlight": {
    "manager.name": [
      "@kibana-highlighted-field@wazuh-server@/kibana-highlighted-field@"
    ],
    "rule.pci_dss": [
      "@kibana-highlighted-field@11.4@/kibana-highlighted-field@"
    ],
    "agent.name": [
      "@kibana-highlighted-field@vWin7-32@/kibana-highlighted-field@"
    ],
    "full_log": [
      "Windows Malware: Possible Malware - Svchost running outside @kibana-highlighted-field@system32@/kibana-highlighted-field@ {PCI_DSS: 11.4}.",
      "Process: C:\\Windows\\@kibana-highlighted-field@system32@/kibana-highlighted-field@\\svchost.exe."
    ]
  },
  "sort": [
    1517199553000
  ]
}

Santiago Bassett

Jan 30, 2018, 12:39:22 AM
to Michael McCarn, Wazuh mailing list
Hi Michael,

this looks like a false positive triggered by the following check (in /var/ossec/etc/shared/default/win_malware_rcl.txt):

[Possible Malware - Svchost running outside system32 {PCI_DSS: 11.4}] [all] []
p:r:svchost.exe && !%WINDIR%\Sysnative\svchost.exe;
f:!%WINDIR%\SysWOW64;

There are two conditions that need to be met here. The first one (the line starting with 'p') refers to the process found. The second one (the line starting with 'f') refers to the file system.

I believe what happens is that rule conditions are always met on 32-bit architectures. This is because Sysnative and SysWOW64 are folders that only exist on 64-bit operating systems (notice the '!' after the 'f', meaning that it is expecting that the file does not exist).

We will fix this, most likely by suppressing the check, in future releases. In the meantime, feel free to get rid of it by deleting those lines in the file mentioned above.

Best regards,

Santiago.


--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+unsubscribe@googlegroups.com.
To post to this group, send email to wa...@googlegroups.com.
Visit this group at https://groups.google.com/group/wazuh.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/ce7402bb-401d-40bb-b3d1-319911854fe5%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Santiago Bassett

Jan 30, 2018, 12:41:22 AM
to Michael McCarn, Wazuh mailing list
Btw, I've noticed another check experiencing the same issue:

[Possible Malware - Inetinfo running outside system32\inetsrv {PCI_DSS: 11.4}] [all] []
p:r:inetinfo.exe && !%WINDIR%\Sysnative\inetsrv\inetinfo.exe;
f:!%WINDIR%\SysWOW64;

Do you also get alerts on this one?

Thanks,

Santiago.


Michael McCarn

Jan 30, 2018, 6:55:03 AM
to Wazuh mailing list
inetinfo.exe
I am not getting any alerts on inetinfo.exe -- but then, the file doesn't exist on my system (c:\windows\system32\inetsrv is empty).

svchost.exe
I see two rules looking for "svchost.exe" - one uses "sysnative" and "syswow64", but the other uses "system32", then still uses "syswow64".

I've changed the rule that specifies "c:\windows\system32\svchost.exe" to use "f:!%WINDIR%\system32" instead of "f:!%WINDIR%\SysWOW64" (first block below), and restarted "wazuh-manager"; I'll report back tomorrow on whether that helps or just moves the error over to my Windows 10 systems.

[Possible Malware - Svchost running outside system32 {PCI_DSS: 11.4}] [all] []
p:r:svchost.exe && !%WINDIR%\System32\svchost.exe;
f:!%WINDIR%\System32;

[Possible Malware - Svchost running outside system32 {PCI_DSS: 11.4}] [all] []
p:r:svchost.exe && !%WINDIR%\Sysnative\svchost.exe;
f:!%WINDIR%\SysWOW64;

Michael McCarn

Jan 30, 2018, 7:32:25 AM
to Wazuh mailing list
In case the Windows agent performs malware scans at boot up, I rebooted one 32-bit Windows 7 system (vWin7-32) and one 64-bit Windows 10 system (vWin10-64) after making the change I described in my last entry to /var/ossec/etc/shared/default/win_malware_rcl.txt on the system running wazuh-manager.

I have so far (~25 minutes) received no malware reports from either system.
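To make the discussion above concrete, here is an added example (my own code, not Wazuh's rootcheck and not code from anyone in this thread) that models how a win_malware_rcl.txt entry of this shape is evaluated and runs both the original svchost check and the modified one against constructed hosts. The evaluation rules are assumptions: '[all]' means every line must hold for the alert to fire; each '&&' term of a 'p:' line is tested on its own against the process list; 'r:' marks a regex on the reported process path, anything else is an exact case-insensitive comparison, and a leading '!' negates the term; an 'f:' line is an existence test, negated by '!'. The Host records, their process lists and the evaluate function are all constructed for illustration.

```python
# Added example (not Wazuh code): a simplified model of how rootcheck evaluates a
# win_malware_rcl.txt entry.  The evaluation rules below are assumptions:
#   - '[all]' means every line of the entry must hold for the alert to fire;
#   - each '&&' term of a 'p:' line is tested on its own against the process list;
#   - 'r:' marks a regex on the reported process path, anything else is an exact
#     case-insensitive comparison, and a leading '!' negates the term;
#   - an 'f:' line is a file/directory existence test, negated by '!'.
import re
from dataclasses import dataclass


@dataclass
class Host:
    """Constructed view of a host as the agent sees it (test data, not a real box)."""
    windir: str
    paths: set        # existing files/directories, lower-cased
    processes: list   # process path as the agent reports it (name only for a 32-bit agent)


def _expand(value, host):
    return value.replace("%WINDIR%", host.windir).lower()


def _process_term(term, host):
    """One '&&' term of a p: line: true if some process satisfies it."""
    negate = term.startswith("!")
    if negate:
        term = term[1:]
    for proc in host.processes:
        if term.startswith("r:"):
            hit = re.search(term[2:], proc, re.IGNORECASE) is not None
        else:
            hit = _expand(term, host) == proc.lower()
        if hit != negate:   # a plain match, or a negated miss, satisfies the term
            return True
    return False


def _file_line(value, host):
    negate = value.startswith("!")
    exists = _expand(value.lstrip("!"), host) in host.paths
    return exists != negate


def evaluate(entry, host):
    """Return (fires, [(line, result), ...]) for an entry of the form
    '[title] [all] []' followed by p:/f: lines ending in ';'."""
    lines = [ln.strip().rstrip(";") for ln in entry.strip().splitlines() if ln.strip()]
    results = []
    for line in lines[1:]:          # lines[0] is the '[title] [all] []' header
        kind, value = line.split(":", 1)
        if kind == "p":
            ok = all(_process_term(t.strip(), host) for t in value.split("&&"))
        elif kind == "f":
            ok = _file_line(value, host)
        else:
            raise ValueError("unsupported line type: " + kind)
        results.append((line, ok))
    return all(ok for _, ok in results), results


ORIGINAL_CHECK = r"""
[Possible Malware - Svchost running outside system32 {PCI_DSS: 11.4}] [all] []
p:r:svchost.exe && !%WINDIR%\Sysnative\svchost.exe;
f:!%WINDIR%\SysWOW64;
"""

MODIFIED_CHECK = r"""
[Possible Malware - Svchost running outside system32 {PCI_DSS: 11.4}] [all] []
p:r:svchost.exe && !%WINDIR%\System32\svchost.exe;
f:!%WINDIR%\System32;
"""

# Constructed hosts.  32-bit Windows 7 has neither Sysnative nor SysWOW64 and the
# 32-bit agent reports process names only; a variant with full paths shows that the
# missing path is not what causes the false positive.  64-bit Windows 10 has both dirs.
WIN7_32 = Host(r"C:\Windows",
               {r"c:\windows\system32", r"c:\windows\system32\svchost.exe"},
               ["svchost.exe", "explorer.exe"])
WIN7_32_FULLPATH = Host(r"C:\Windows", WIN7_32.paths,
                        [r"C:\Windows\system32\svchost.exe", r"C:\Windows\explorer.exe"])
WIN10_64 = Host(r"C:\Windows",
                WIN7_32.paths | {r"c:\windows\syswow64", r"c:\windows\sysnative"},
                ["svchost.exe", "explorer.exe"])

if __name__ == "__main__":
    for label, check in (("original", ORIGINAL_CHECK), ("modified", MODIFIED_CHECK)):
        for hname, host in (("win7-32", WIN7_32), ("win7-32/fullpath", WIN7_32_FULLPATH),
                            ("win10-64", WIN10_64)):
            fires, detail = evaluate(check, host)
            print(f"{label:8} {hname:17} fires={fires} {detail}")
```

Run as-is, it prints one line per check and host. Under these assumed semantics the original check fires on the 32-bit host whether or not the agent reports the full path, because on a 32-bit OS there is no Sysnative for svchost.exe to be "inside" and no SysWOW64 to make the f: line false; on the 64-bit host the f: line fails, so the check never evaluates there. The modified check fires on neither host: "f:!%WINDIR%\System32" can only hold when System32 is missing, so the edit silences the check rather than correcting it, which is consistent with the alerts stopping on both machines.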

Victor Fernandez

Jan 30, 2018, 11:38:32 AM
to Michael McCarn, Wazuh mailing list
Hi Michael and Santiago,

thank you for your detailed description. This false positive was produced when extending the rules support to 64-bit platforms. The check looked for svchost.exe processes outside C:\Windows\SysNative on 32-bit platforms. Since legitimate svchost.exe processes run at C:\Windows\System32, Rootcheck triggered the alert.

There is an added problem: 32-bit programs, like the Wazuh Agent, can't find the complete path of a running process; they only get the name of the process. So, as Santiago said, we have removed the troubling check (commit b30a1f1) and will give priority to developing a 64-bit version of the Wazuh Agent.

This change has been applied to the Master branch and will be available in the next release.

Thank you for your feedback!
Best regards,

Victor M Fernandez-Castro 
IT Engineer — Wazuh, Inc.
