Unable to get Wazuh Vulnerability Scanner to work for Windows clients


Jacob Larsen

Jan 30, 2025, 12:19:15 AM
to Wazuh | Mailing List
I'm trying out Wazuh as a single-VM installation. I followed the documented instructions using the quick start installation on Ubuntu 22.04. I also ensured sqlite3 was installed. Vulnerability scanning wasn't working, so I followed the offline update instructions to install the CVEs.

I installed a Linux client which seems to be working perfectly, including vulnerability scanning. However, my Windows client (Windows 11) is not working. Wazuh is able to detect installed software; it just doesn't show any information for vulnerabilities.

Steps to reproduce:
On an Ubuntu 22.04 server, install sqlite3, then follow the quick start instructions to install Wazuh 4.10.
Follow the offline update instructions to provide the CVEs.
On Windows 11, install the agent through the deploy-agent instructions from the Wazuh web interface, deploying agent version 4.10.
Wait to ensure the endpoint has had sufficient time to be evaluated.
Open Vulnerability Detection > Dashboard or Vulnerability Detection > Inventory. Nothing will show.

I have attempted to debug following these threads:
https://www.reddit.com/r/Wazuh/comments/xwu52i/vulnerabilities_section_is_not_showing_any_results/
https://www.reddit.com/r/Wazuh/comments/1597jqw/new_to_wazuh_trying_to_get_vulnerabilities_scan/ (seems outdated as of 4.8)
As well as various discussions here including "Vulnerability Detector not working properly"

Additionally, no events are showing for either the windows or linux agents. Is this because of issue 24290? Or is this fixed and I should expect to see events populating?

Please find attached the /var/ossec/etc/ossec.conf file and the Windows agent's ossec.conf file.

How can I resolve this(these) issue(s)?

Thank you in advance!
Jacob
winagent_ossec.conf
ossec.conf

Md. Nazmur Sakib

Jan 30, 2025, 12:32:10 AM
to Wazuh | Mailing List

Hi Jacob,

Please share the output of these commands.


cat /var/ossec/logs/ossec.log | grep -i -E "error|warn"

cat /var/ossec/logs/ossec.log | grep -i -E "vulnerability|indexer-connector"


To identify what is happening in your specific case, I would like to ask you for the following information: the list of hotfixes and information about the installed packages.
You can obtain this information using the API as follows (for example, from the WUI you can use the following tool to run the queries: Modules -> Tools -> API console):

  • Hotfixes: GET /syscollector/{agent_id}/hotfixes

  • Packages: GET /syscollector/{agent_id}/packages

With this information, we can analyze what might be happening.

I am guessing you have an up-to-date OS patch level and up-to-date software packages.

If you do not get any vulnerabilities with the 3rd command, you can further download an old version of a package and validate whether it is detected by the Wazuh vulnerability scan.

https://www.videolan.org/vlc/releases/2.0.0.html

You can install the older version of VLC, wait for the next two scans, and let me know if vulnerabilities are detected.

Let me know the update on the issue.
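The reply above amounts to two checks: read ossec.log for errors and for the vulnerability-scanner and indexer-connector start-up messages, then pull the agent's package inventory from the API and compare it with what the scanner should be matching. The helper below is an added example, not code from this thread or from the Wazuh project. The log lines are constructed in the format wazuh-modulesd writes, and the package response is a constructed stand-in for a `GET /syscollector/{agent_id}/packages` reply (the `data.affected_items` wrapper is the Wazuh API's usual shape; the field values are made up). The package lookup is useful for the later question in this thread about a package that never shows up: the scanner can only match on the name and version strings syscollector actually reported, so those are what to compare against the CVE entry.

```python
import json
import re

# Constructed sample of /var/ossec/logs/ossec.log lines (not from a real deployment).
SAMPLE_OSSEC_LOG = """\
2025/01/30 16:15:56 wazuh-modulesd:ciscat: WARNING: No evals defined. Exiting...
2025/01/30 16:15:56 wazuh-modulesd:vulnerability-scanner: INFO: Starting vulnerability_scanner module.
2025/01/30 16:15:57 indexer-connector: INFO: IndexerConnector initialized successfully for index: wazuh-states-vulnerabilities-wazuh.
2025/01/30 16:15:58 wazuh-modulesd:vulnerability-scanner: INFO: Vulnerability scanner module started.
"""

# "YYYY/MM/DD HH:MM:SS source: LEVEL: message"; the source may itself contain a colon
# (e.g. wazuh-modulesd:vulnerability-scanner), which is why it is matched as \S+.
LOG_LINE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<source>\S+): (?P<level>DEBUG|INFO|WARNING|ERROR|CRITICAL): (?P<msg>.*)$"
)


def triage_ossec_log(text):
    """Summarise scanner-relevant state from ossec.log content.

    Returns a dict with every WARNING/ERROR/CRITICAL line, whether the
    vulnerability scanner reported that it started, whether the indexer
    connector initialised, and which index it is writing to.
    """
    summary = {
        "problems": [],
        "scanner_started": False,
        "indexer_connected": False,
        "vuln_index": None,
    }
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        source, level, msg = m.group("source", "level", "msg")
        if level in ("WARNING", "ERROR", "CRITICAL"):
            summary["problems"].append(f"{source}: {level}: {msg}")
        if source.endswith("vulnerability-scanner") and "module started" in msg:
            summary["scanner_started"] = True
        if source == "indexer-connector" and "initialized successfully" in msg:
            summary["indexer_connected"] = True
            if "index: " in msg:
                summary["vuln_index"] = msg.rsplit("index: ", 1)[1].rstrip(".")
    return summary


# Constructed stand-in for the body of GET /syscollector/{agent_id}/packages.
# Field values are invented for illustration; only the wrapper shape is assumed.
SAMPLE_PACKAGES_RESPONSE = {
    "data": {
        "affected_items": [
            {"name": "VLC media player", "version": "2.0.0", "vendor": "VideoLAN",
             "architecture": "i686", "format": "win", "agent_id": "001"},
            {"name": "Remote Mouse", "version": "3.008", "vendor": "Emote Interactive",
             "architecture": "x86_64", "format": "win", "agent_id": "001"},
        ],
        "total_affected_items": 2,
        "total_failed_items": 0,
        "failed_items": [],
    },
    "message": "All specified syscollector information was returned",
    "error": 0,
}


def parse_packages_json(text):
    """Load a saved API response (e.g. packages.json exported from Dev Tools)."""
    return json.loads(text)


def find_packages(response, name_fragment):
    """Return (name, version, vendor) for every inventory entry whose name contains
    name_fragment (case-insensitive). These are the exact strings the scanner has
    to match against the CVE feed, so compare them with the CVE's product entry."""
    items = response.get("data", {}).get("affected_items", [])
    frag = name_fragment.lower()
    return [
        (p.get("name"), p.get("version"), p.get("vendor"))
        for p in items
        if frag in (p.get("name") or "").lower()
    ]


if __name__ == "__main__":
    state = triage_ossec_log(SAMPLE_OSSEC_LOG)
    print("scanner started:", state["scanner_started"])
    print("indexer connected:", state["indexer_connected"], "->", state["vuln_index"])
    for p in state["problems"]:
        print("problem:", p)
    print("inventory entries for 'remote mouse':",
          find_packages(SAMPLE_PACKAGES_RESPONSE, "remote mouse"))
```

On a live server, feed the functions the real files instead of the constructed samples: `triage_ossec_log(open("/var/ossec/logs/ossec.log").read())` and `find_packages(parse_packages_json(open("packages.json").read()), "Remote Mouse")`. A missing "module started" line or an empty `problems` list that still shows no results points at the scanner or indexer side; an inventory name that differs from the CVE's product name points at the feed matching.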

Jacob Larsen

Jan 31, 2025, 1:30:13 AM
to Wazuh | Mailing List
After changing my debug setting back to normal, the results of cat /var/ossec/logs/ossec.log | grep -i -E "error|warn" are:

2025/01/30 16:15:56 wazuh-modulesd:ciscat: WARNING: No evals defined. Exiting...

And the results of cat /var/ossec/logs/ossec.log | grep -i -E "vulnerability|indexer-connector":

2025/01/30 16:15:56 wazuh-modulesd:vulnerability-scanner: INFO: Starting vulnerability_scanner module.
2025/01/30 16:15:57 indexer-connector: INFO: IndexerConnector initialized successfully for index: wazuh-states-vulnerabilities-wazuh.
2025/01/30 16:15:58 wazuh-modulesd:vulnerability-scanner: INFO: Vulnerability scanner module started.

I apologize, I don't see Modules -> Tools -> API console, but I assume you mean Server Management -> Dev Tools.
The results of GET /syscollector/{agent_id}/hotfixes are attached as hotfixes.json, and the results of GET /syscollector/{agent_id}/packages are attached as packages.json.

It was able to detect that vulnerability; however, I installed another vulnerable package which didn't show in the scan: Remote Mouse 3.008 from CVE-2021-35448. I found a thread that seems to mention that some packages are incorrectly labeled in the CVE databases, preventing detection.

Is it normal for some packages to require manual evaluation?
Is it also normal for no events to be recorded?
If so, then I think this is resolved...

Thank you again!

Isaiah Daboh

Feb 3, 2025, 1:10:35 AM
to Wazuh | Mailing List
Hi Jacob,

Please confirm whether Remote Mouse 3.008 from CVE-2021-35448 has still not been detected, even after several scans.

If yes, kindly share the GET /syscollector/{agent_id}/packages output for us to investigate further.

Regards,
