Wazuh triggering an alert for WhatsApp that is not even installed on a Windows server


Mefisto Evil

Dec 16, 2025, 10:26:11 AM
to Wazuh | Mailing List
Hello, I regularly get alerts about a WhatsApp vulnerability, but WhatsApp is not even installed on this machine. Why does this happen and how should I troubleshoot what is triggering it?

JSON alert:

{
  "_index": "wazuh-alerts-4.x-2025.12.16",
  "_id": "wSI9JZsBuxWx2Oepd-wI",
  "_version": 1,
  "_score": null,
  "_source": {
    "input": { "type": "log" },
    "agent": { "ip": "192.168.114.14", "name": "srv-xyz", "id": "008" },
    "manager": { "name": "srv-wazuh" },
    "data": {
      "vulnerability": {
        "severity": "Critical",
        "package": {
          "condition": "Package less than 2.2146",
          "name": "WhatsApp",
          "source": " ",
          "version": "2.2144.11",
          "architecture": " "
        },
        "assigner": "facebook",
        "cwe_reference": "CWE-122",
        "published": "2022-01-04T19:15:14Z",
        "classification": "CVSS",
        "title": "CVE-2021-24042 affects WhatsApp",
        "type": "Packages",
        "rationale": "The calling logic for WhatsApp for Android prior to v2.21.23, WhatsApp Business for Android prior to v2.21.23, WhatsApp for iOS prior to v2.21.230, WhatsApp Business for iOS prior to v2.21.230, WhatsApp for KaiOS prior to v2.2143, WhatsApp Desktop prior to v2.2146 could have allowed an out-of-bounds write if a user makes a 1:1 call to a malicious actor.",
        "reference": "https://www.whatsapp.com/security/advisories/2021/",
        "score": { "version": "3.1", "base": "9.800000" },
        "cve": "CVE-2021-24042",
        "scanner": { "reference": "https://cti.wazuh.com/vulnerabilities/cves/CVE-2021-24042" },
        "enumeration": "CVE",
        "cvss": {
          "cvss3": {
            "base_score": "9.800000",
            "vector": {
              "user_interaction": "NONE",
              "integrity_impact": "HIGH",
              "scope": "UNCHANGED",
              "availability": "HIGH",
              "confidentiality_impact": "HIGH",
              "attack_vector": "NETWORK",
              "privileges_required": "NONE"
            }
          }
        },
        "updated": "2025-05-22T19:15:23Z",
        "status": "Active"
      }
    },
    "rule": {
      "firedtimes": 1,
      "mail": true,
      "level": 13,
      "pci_dss": [ "11.2.1", "11.2.3" ],
      "tsc": [ "CC7.1", "CC7.2" ],
      "description": "CVE-2021-24042 affects WhatsApp",
      "groups": [ "vulnerability-detector" ],
      "id": "23506",
      "gdpr": [ "IV_35.7.d" ]
    },
    "location": "vulnerability-detector",
    "decoder": { "name": "json" },
    "id": "1765856339.61997456",
    "timestamp": "2025-12-16T08:38:59.315+0500"
  },
  "fields": {
    "data.vulnerability.published": [ "2022-01-04T19:15:14.000Z" ],
    "data.vulnerability.updated": [ "2025-05-22T19:15:23.000Z" ],
    "timestamp": [ "2025-12-16T03:38:59.315Z" ]
  },
  "highlight": {
    "manager.name": [ "@opensearch-dashboards-highlighted-field@srv-wazuh@/opensearch-dashboards-highlighted-field@" ]
  },
  "sort": [ 1765856339315 ]
}

Maximiliano Ibarra

Dec 16, 2025, 11:58:39 PM
to Wazuh | Mailing List
Hi. I don't understand why this could be if you say it's not installed, but we could check the logs to see whether they give any indication of what it might be.
   Agent logs: /var/ossec/logs/ossec.log
   Manager logs: /var/ossec/logs/vulnerabilities.log
The vulnerability log entries have the keyword "vulnerability". I imagine you've already checked that the agent you looked at is the same one that appears in the alert.

Mefisto Evil

Dec 23, 2025, 6:36:07 AM
to Wazuh | Mailing List
Hello, somehow I don't have a vulnerabilities.log file on the Wazuh manager:
cat: /var/ossec/logs/vulnerabilities.log: No such file or directory

On the agent (it's Windows) I also didn't find anything about WhatsApp, nor about vulnerabilities, just a couple of errors:
 ERROR: (1216): Unable to connect to '[192.168.101.20]:1514/tcp

Maximiliano Ibarra

Dec 29, 2025, 9:05:05 PM
to Wazuh | Mailing List
Hello. From what you mention, the error that appears in the logs is not related to the WhatsApp events. Have you been able to verify that the agent in the alert you added to the thread corresponds to the agent on which you checked whether WhatsApp is installed? If so, and you have access to the agent, you would have to check its logs to see whether anything related to WhatsApp appears. The agent logs are also in /var/ossec/logs/ossec.log
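An added example for the check discussed in this thread; it is not part of any of the replies above and not Wazuh's own code. The vulnerability detector does not look at the disk itself: it evaluates the package inventory the agent's syscollector module reports, which on Windows is gathered from the Uninstall registry keys (machine-wide, 64- and 32-bit, plus every loaded user hive) and packaged apps. A per-user install registered only in another account's hive is invisible in Programs and Features when you log on as the administrator, so "not installed" from that view does not mean "not in the inventory". This script, run in an elevated PowerShell session on the agent host, searches the same locations for the package name from the alert. The pattern 'WhatsApp' and the per-user install directory checked in step 4 are assumptions taken from the alert, not from Wazuh.

```powershell
# Added example (not from the thread, not Wazuh's own code): look for the
# package named in the alert in the places the Windows package inventory
# is built from. Run elevated on the agent host.
param([string]$Pattern = 'WhatsApp')   # assumption: name taken from the alert

function Find-InstalledPackage {
    param([string]$Pattern)

    # 1. Machine-wide installs, 64-bit and 32-bit (WOW6432Node) views.
    $machineKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    foreach ($key in $machineKeys) {
        Get-ItemProperty -Path $key -ErrorAction SilentlyContinue |
            Where-Object { $_.DisplayName -like "*$Pattern*" } |
            ForEach-Object {
                [pscustomobject]@{
                    Source  = 'HKLM'
                    Name    = $_.DisplayName
                    Version = $_.DisplayVersion
                    Where   = $_.InstallLocation
                    Key     = $_.PSPath -replace '^.*::', ''
                }
            }
    }

    # 2. Per-user installs. A per-user installer registers only under the
    #    installing user's hive, so another account's Programs and Features
    #    never shows it. Walk every loaded user hive under HKEY_USERS.
    if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
        New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
    }
    Get-ChildItem -Path 'HKU:\' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -like 'S-1-5-21-*' -and $_.PSChildName -notlike '*_Classes' } |
        ForEach-Object {
            $sid = $_.PSChildName
            $userKey = "HKU:\$sid\Software\Microsoft\Windows\CurrentVersion\Uninstall\*"
            Get-ItemProperty -Path $userKey -ErrorAction SilentlyContinue |
                Where-Object { $_.DisplayName -like "*$Pattern*" } |
                ForEach-Object {
                    [pscustomobject]@{
                        Source  = "HKU\$sid"
                        Name    = $_.DisplayName
                        Version = $_.DisplayVersion
                        Where   = $_.InstallLocation
                        Key     = $_.PSPath -replace '^.*::', ''
                    }
                }
        }

    # 3. Packaged (Microsoft Store) apps, for all users on the machine.
    Get-AppxPackage -AllUsers -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -like "*$Pattern*" } |
        ForEach-Object {
            [pscustomobject]@{
                Source  = 'Appx'
                Name    = $_.Name
                Version = $_.Version
                Where   = $_.InstallLocation
                Key     = $_.PackageFullName
            }
        }

    # 4. Users who are not logged on have no loaded hive and are missed by
    #    step 2, so also look for a per-user install directory on disk.
    #    Assumption: per-user installers commonly use %LOCALAPPDATA%\<Name>.
    Get-ChildItem -Path 'C:\Users' -Directory -ErrorAction SilentlyContinue |
        ForEach-Object {
            $dir = Join-Path $_.FullName "AppData\Local\$Pattern"
            if (Test-Path -Path $dir) {
                [pscustomobject]@{
                    Source  = 'Profile'
                    Name    = $_.Name
                    Version = ''
                    Where   = $dir
                    Key     = ''
                }
            }
        }
}

$hits = @(Find-InstalledPackage -Pattern $Pattern)
if ($hits.Count -eq 0) {
    Write-Output "No package matching '$Pattern' in HKLM, loaded user hives, Appx packages or user profiles on $env:COMPUTERNAME."
} else {
    $hits | Format-Table -AutoSize -Wrap
}
```

The manager-side counterpart is the inventory the detector actually evaluated: the Wazuh API's syscollector endpoint returns it per agent (for the alert above, GET /syscollector/008/packages?search=WhatsApp, with the agent ID taken from the alert's agent.id field). If that inventory lists WhatsApp 2.2144.11, one of the locations above on that host produced it; if it does not, compare the alert's agent.id, agent.name and agent.ip with the host you inspected before looking further, as the replies in this thread suggest.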