wazuh agent triggering sophos AV


Robert H

Sep 20, 2017, 2:35:57 PM
to Wazuh mailing list
Hi Wazuh,
We've been working with the Wazuh manager and agent, version 2.0.1, for weeks, but yesterday the agent exe was copied to a cloud storage drive and our infrastructure team was alerted to it.  They verified the MD5 is the same as on the Wazuh website.  Our questions are: is Wazuh aware of this, and what, if anything, could be done so that when deployed in the field, the agent doesn't trigger AV software?

Please let me know if you would like more information.  I'm not sure if the screenshots will be full sized and clear.




This is for the new 2.1 agent, which does not set off our Sophos AV, but some others flag it.



Regards,


Robert


Polkan Garcia

Sep 20, 2017, 2:45:40 PM
to Wazuh mailing list, Robert H
Robert,

Some antivirus products detect Wazuh based on certain conditions that our binaries seem to fulfil (and not as a result of a source code infection). We are working to fix this as soon as possible.

Sorry for the inconvenience.

Wazuh Inc

Polkan Garcia / Security Engineer
pol...@wazuh.com

Wazuh Inc
http://wazuh.com/

--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To post to this group, send email to wa...@googlegroups.com.
Visit this group at https://groups.google.com/group/wazuh.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/8fef6c1c-2f57-4c7d-a052-55242483c762%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Jose Luis Ruiz

Sep 20, 2017, 3:26:09 PM
to Polkan Garcia, Robert H, Wazuh mailing list
Hello all,

As you can see in the screenshot attached to this mail, we are working hard to fix all these false positives; this is the report for the new version, Wazuh 2.1.1, from today.



Regards
————————
José Luis Ruiz.
Wazuh Inc.

Robert H

Sep 20, 2017, 4:38:28 PM
to Wazuh mailing list


Thanks for the update, Jose!  Glad to know it's being worked on.  For our situation, we are using the 2.0.1-1 agent.  We haven't upgraded to 2.1.x yet.  Could you provide an update on the progress of the 2.0.x agent?

Regards,
Robert 

Jose Luis Ruiz

Sep 20, 2017, 8:54:10 PM
to Wazuh mailing list, Robert H
Hi Robert,

The process is very easy; you can download the package from:


Then you only need to install it over the old one; that should work.

Anyway, my recommendation is to back up the files client.keys and ossec.conf located in your installation folder, by default c:\Program Files (x86)\ossec-agent\.


Our current stable version is 2.1.0, but we are expecting a new release very, very soon... so if you can wait a few... (hours? days?...)

Regards
-----------------------
Jose Luis Ruiz
Wazuh Inc., 
jo...@wazuh.com
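Jose's recommendation above (back up client.keys and ossec.conf before installing the newer agent over the old one) combined with the MD5 check Robert's team did, as an added PowerShell example that is not from the thread or from Wazuh; the installer file name, the expected checksum value and the backup folder are placeholders you replace with your own.

```powershell
# Added example, not Wazuh's own tooling. Verifies the downloaded installer
# against the vendor-published checksum, then backs up the two files the
# upgrade must not lose. Installer name, hash and backup root are placeholders.
param(
    [string]$AgentDir     = 'C:\Program Files (x86)\ossec-agent',
    [string]$Installer    = "$env:USERPROFILE\Downloads\wazuh-agent-installer.exe", # placeholder name
    [string]$ExpectedHash = 'PASTE-PUBLISHED-CHECKSUM-HERE',                         # placeholder value
    [string]$Algorithm    = 'MD5',   # the thread compares MD5; use SHA256 when the vendor publishes one
    [string]$BackupRoot   = "$env:USERPROFILE\wazuh-agent-backup"
)

$ErrorActionPreference = 'Stop'

# 1. Verify the installer before touching the running agent.
$actual = (Get-FileHash -Path $Installer -Algorithm $Algorithm).Hash
if ($actual -ne $ExpectedHash.ToUpperInvariant()) {
    throw "Checksum mismatch for ${Installer}: got $actual, expected $ExpectedHash. Do not install."
}
Write-Host "Installer $Algorithm checksum matches the published value."

# 2. Copy client.keys and ossec.conf into a timestamped folder.
$stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
$target = Join-Path $BackupRoot $stamp
New-Item -ItemType Directory -Path $target -Force | Out-Null

foreach ($name in 'client.keys', 'ossec.conf') {
    $src = Join-Path $AgentDir $name
    if (-not (Test-Path $src)) {
        throw "Expected $src but it is missing; is the agent installed in ${AgentDir}?"
    }
    $dst = Join-Path $target $name
    Copy-Item -Path $src -Destination $dst
    # Confirm the copy is byte-identical to the original before relying on it.
    if ((Get-FileHash $src -Algorithm SHA256).Hash -ne (Get-FileHash $dst -Algorithm SHA256).Hash) {
        throw "Backup of $name does not match the original."
    }
    Write-Host "Backed up $name to $dst"
}

# 3. client.keys holds the agent's shared key with the manager, so keep the
#    backup readable only by the current user and SYSTEM.
icacls $target /inheritance:r /grant:r "${env:USERNAME}:(OI)(CI)F" "SYSTEM:(OI)(CI)F" | Out-Null
Write-Host "Backup complete in ${target}; now run the new installer over the existing agent."
```

Run it from an elevated PowerShell before launching the new installer; if the checksum check throws, stop and re-download rather than proceeding.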

Robert H

Sep 20, 2017, 11:21:27 PM
to Wazuh mailing list
Thanks, Jose,
To clarify a little, we will be running the 2.0.1 manager for some time before upgrading it at some point in the future.  In this situation then, can we run the 2.1.0 (or newer agent) with the 2.0.1 manager without problem?

Regards,
Robert


Alberto Marín

Sep 21, 2017, 5:20:14 AM
to Wazuh mailing list
Hi Robert,

You can run 2.1.0 agents with the 2.0.1 manager without problems. But you will not get the new events sent by the agent, for example the anti-flooding protection events.

Regards.

Polkan Garcia

Sep 21, 2017, 11:57:16 AM
to Wazuh mailing list, Robert H
Robert,

Sophos Inc confirmed to me that the agent's binary is whitelisted after executing the Sophos Update Manager.

Please try again and let us know so we can close the issue.

Thank you so much!

Polkan Garcia / Security Engineer
pol...@wazuh.com

Wazuh Inc
http://wazuh.com/

yol...@saitechnology.com

Sep 21, 2017, 2:47:50 PM
to Polkan Garcia, Wazuh mailing list, Robert H
Hi team,

I finally received a regulatory compliance report today.

How do I get a regulatory compliance report with more details? I included the
<showlogs> tag, but it still doesn't give many details.

I would like to:

add more information,

and receive it daily.

How can I accomplish that?

Please advise.

Thanks! and Regards
Yolanda



On 2017-09-15 13:55, yol...@saitechnology.com wrote:

Thanks for your quick answer.
The rule for the PNP devices and the emails works perfectly!!!

The issue I have is the rule to receive the regulatory compliance reports
daily (and another auth report), based on these rules I added
in /var/ossec/etc/ossec.conf:

<ossec_config>
  <reports>
    <category>pci_dss_11.4</category>
    <title>DAILY REGULATORY COMPLIANCE REPORT: PCIDSS 11.4 REQUIREMENT</title>
    <email_to>YOL...@SAITECHNOLOGY.COM</email_to>
  </reports>

  <reports>
    <group>authentication_failed,</group>
    <srcip>192.168..X.X</srcip>
    <title>AUTH_REPORT</title>
    <email_to>YOL...@SAITECHNOLOGY.COM</email_to>
    <showlogs>yes</showlogs>
  </reports>
</ossec_config>

Would I need to configure something else in another file (or files)?

Please advise
Regards

Jonathan Narvaez

Sep 21, 2017, 3:52:17 PM
to yol...@saitechnology.com, Polkan Garcia, Wazuh mailing list
Hi Yolanda, 

Currently the reports only offer summaries and do not generate detailed reports; a future version will improve the report feature.

Perhaps, as an alternative, you can consider using https://github.com/sirensolutions/sentinl, which is a Kibana module that provides reports based on the events stored in Elasticsearch.

You can find more information about the SENTINL installation here: https://github.com/sirensolutions/sentinl/wiki

Regards


--
Jonathan Narvaez
Wazuh Inc.
jona...@wazuh.com

yol...@saitechnology.com

Sep 21, 2017, 5:02:36 PM
to Jonathan Narvaez, Polkan Garcia, Wazuh mailing list
Hi Jonathan

Thanks very much for your advice.
I will try this SENTINL solution.

Regards
Yolanda


Robert H

Sep 21, 2017, 7:27:27 PM
to Wazuh mailing list

Thanks, PG,

It never failed locally; just a few online scanners indicated issues.

I am able to download it.  I scanned the file and no issues were reported by Sophos.


Regards,

Robert




