False Positives for Office 2016


Henry Bateup

Nov 29, 2022, 9:21:13 PM
to Wazuh mailing list
Hi there,

Is there any way to fix the issue where there are multiple false positives in the Vulnerability Detector for Office 2016 components? We have checked, and the software is updated to the latest update.

Juan Cabrera

Nov 30, 2022, 5:42:45 AM
to Wazuh mailing list

Hello Henry,

What version of the Windows agent are you running? This problem was detected and fixed in the following PR: https://github.com/wazuh/wazuh/pull/10259

So you should correctly get the cumulative patches belonging to the Microsoft Office 2016 package. If they are not being obtained, it is expected that the vulnerability appears, since Vulnerability Detector works with the hotfixes it collects with Syscollector; but I can tell you that in this case it should be fixed. Syscollector collects the list of hotfixes by regexing the Windows registry, so it is always possible that we are not looking at some registry key needed for a specific OS version (if it has been modified).

If the agent was not on the latest version at the time these vulnerability alerts appeared for the Office 2016 package, then this is normal, as the version in which the change from #10259 was added was v4.3.0, as can be seen in the changelog: https://github.com/wazuh/wazuh/blob/master

Syscollector has been extended to collect missing Microsoft product hotfixes. (#10259)

So if you upgrade the agent to v4.3.4 and it re-syncs Syscollector with the manager, then the newly detected hotfixes should be added, and the vulnerability should be mitigated.

Regards!

Henry Bateup

Nov 30, 2022, 8:29:19 PM
to Wazuh mailing list
Hi there,

We're running 4.3.10. The package in the inventory data states that the Office version is 16.0.4266.1001, but it is actually 16.0.5369.1000; I am unaware why it is doing this. Any help would be appreciated.

Juan Cabrera

Dec 12, 2022, 4:50:17 AM
to Wazuh mailing list

Hello Henry,

Let’s check what’s going on. To do so, I need more information from the agent.

Could you paste the output of the following command, executed on the agent side? The command would be /var/ossec/bin/wazuh-control info.

On the other hand, I would need more information from the affected agent to compare data and see if there is any problem.

I need the following information from the API:

  • List of vulnerabilities of the affected agent.
  • List of packages and hotfixes of the same agent.

To get the vulnerabilities, packages, and hotfixes, you can get the information directly from the API, using the following queries
(for example, from the WUI you can use the following tool to run the queries: Modules -> Tools -> API console):

GET /vulnerability/{agent_id}
GET /syscollector/{agent_id}/packages
GET /syscollector/{agent_id}/hotfixes

Regards,
Juan Cabrera
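The three API queries requested above, pulled for one agent and cross-checked against each other, as an added example that is not part of the thread and not Wazuh's own code. It assumes the Wazuh API listens on its default port 55000, that a JWT is obtained from POST /security/user/authenticate with HTTP basic auth, that each endpoint returns its rows under data.affected_items, and that package rows carry name/version, hotfix rows carry hotfix, and vulnerability rows carry cve/name/version (field names assumed from the 4.3 API). The sample payload is constructed with placeholder CVE and KB identifiers so the analysis part runs offline; it reproduces the situation in the thread, where the inventory reports an older Office build than the one actually installed.

```python
"""Cross-check a Wazuh agent's vulnerabilities against its Syscollector
inventory (added example, not Wazuh code).  Assumed API shapes: rows under
data.affected_items; packages carry name/version, hotfixes carry hotfix,
vulnerabilities carry cve/name/version."""
import base64
import json
import urllib.request

API_URL = "https://localhost:55000"  # assumption: Wazuh API on its default port


def get_token(user, password, ctx=None):
    """POST /security/user/authenticate with HTTP basic auth; returns the JWT.
    Pass an ssl.SSLContext trusting the manager's CA as ctx."""
    creds = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        f"{API_URL}/security/user/authenticate", method="POST",
        headers={"Authorization": f"Basic {creds}"})
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.load(resp)["data"]["token"]


def api_items(token, path, ctx=None):
    """GET one API path and return the data.affected_items list."""
    req = urllib.request.Request(
        f"{API_URL}{path}", headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.load(resp)["data"]["affected_items"]


def collect(agent_id, token, ctx=None):
    """The three queries from the thread, for one agent."""
    return {
        "vulns": api_items(token, f"/vulnerability/{agent_id}", ctx),
        "packages": api_items(token, f"/syscollector/{agent_id}/packages", ctx),
        "hotfixes": api_items(token, f"/syscollector/{agent_id}/hotfixes", ctx),
    }


def version_tuple(v):
    """'16.0.5369.1000' -> (16, 0, 5369, 1000); non-numeric parts count as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))


def triage(vulns, packages, hotfixes, observed_version, product="Office"):
    """Compare the version Syscollector reports for `product` with the version
    observed on the host, and tie the agent's CVEs for that product to the gap.
    A non-empty stale_versions list means the inventory lags the real install,
    so CVEs keyed to those versions are suspect rather than confirmed."""
    def match(s):
        return product.lower() in s.lower()
    inv_versions = sorted({p["version"] for p in packages if match(p["name"])})
    observed = version_tuple(observed_version)
    stale = [v for v in inv_versions if version_tuple(v) < observed]
    product_vulns = [v for v in vulns if match(v["name"])]
    return {
        "inventory_versions": inv_versions,
        "stale_versions": stale,
        "inventory_lags_host": bool(stale),
        "cves_on_stale_version": sorted({v["cve"] for v in product_vulns
                                         if v["version"] in stale}),
        "other_product_cves": sorted({v["cve"] for v in product_vulns
                                      if v["version"] not in stale}),
        # Vulnerability Detector uses these to discount patched CVEs; an
        # empty list here is the first thing to look at.
        "hotfixes": sorted(h["hotfix"] for h in hotfixes),
    }


# Constructed sample in the shape of the three responses (placeholder ids).
SAMPLE = {
    "packages": [
        {"name": "Microsoft Office Professional Plus 2016", "version": "16.0.4266.1001"},
        {"name": "Microsoft Office Proofing (English) 2016", "version": "16.0.4266.1001"},
        {"name": "Google Chrome", "version": "107.0.5304.122"},
    ],
    "hotfixes": [{"hotfix": "KB0000001"}, {"hotfix": "KB0000002"}],
    "vulns": [
        {"cve": "CVE-0000-0001", "name": "Microsoft Office Professional Plus 2016",
         "version": "16.0.4266.1001"},
        {"cve": "CVE-0000-0002", "name": "Microsoft Office Proofing (English) 2016",
         "version": "16.0.4266.1001"},
        {"cve": "CVE-0000-0003", "name": "Google Chrome", "version": "107.0.5304.122"},
    ],
}

if __name__ == "__main__":
    # Offline run over the sample; the host actually has 16.0.5369.1000 installed.
    report = triage(SAMPLE["vulns"], SAMPLE["packages"], SAMPLE["hotfixes"],
                    "16.0.5369.1000")
    print(json.dumps(report, indent=2))
    # Live run against a manager (credentials and agent id are placeholders):
    # token = get_token("wazuh", "wazuh"); data = collect("001", token)
    # print(json.dumps(triage(data["vulns"], data["packages"], data["hotfixes"],
    #                         "16.0.5369.1000"), indent=2))
```

The offline run flags both Office component versions as stale and lists the two placeholder CVEs under cves_on_stale_version, which is exactly the evidence to attach to a report like the one above: the CVE matches are only as good as the version Syscollector recorded, so the inventory row, not the detector, is what needs explaining. For a live run, replace the placeholder credentials, pass an ssl context that trusts the manager's certificate, and put the build number read from the host into observed_version.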
