Hi all,
I'm seeing some strange behavior on Windows 2019 servers since I upgraded to version 3.11.2. The rootcheck module continuously shows alerts like:
** Alert 1579952673.18459: - ossec,rootcheck,gdpr_IV_35.7.d,
2020 Jan 25 11:44:33 (winsrv.local.domain) any->rootcheck
agent.group: windows
Rule: 510 (level 7) -> 'Host-based anomaly detection event (rootcheck).'
Anomaly detected in file 'C:\WINDOWS\DfsrAdmin.exe'. File size doesn't match what we found. Possible kernel level rootkit.
title: Anomaly detected in file 'C:\WINDOWS\DfsrAdmin.exe'.
** Alert 1579952673.18861: - ossec,rootcheck,gdpr_IV_35.7.d,
2020 Jan 25 11:44:33 (winsrv.local.domain) any->rootcheck
agent.group: windows
Rule: 510 (level 7) -> 'Host-based anomaly detection event (rootcheck).'
Anomaly detected in file 'C:\WINDOWS\DfsrAdmin.exe.config'. File size doesn't match what we found. Possible kernel level rootkit.
title: Anomaly detected in file 'C:\WINDOWS\DfsrAdmin.exe.config'.
** Alert 1579952673.19277: - ossec,rootcheck,gdpr_IV_35.7.d,
2020 Jan 25 11:44:33 (winsrv.local.domain) any->rootcheck
agent.group: windows
Rule: 510 (level 7) -> 'Host-based anomaly detection event (rootcheck).'
Anomaly detected in file 'C:\WINDOWS\DtcInstall.log'. File size doesn't match what we found. Possible kernel level rootkit.
title: Anomaly detected in file 'C:\WINDOWS\DtcInstall.log'.
** Alert 1579952673.19681: - ossec,rootcheck,gdpr_IV_35.7.d,
2020 Jan 25 11:44:33 (winsrv.local.domain) any->rootcheck
agent.group: windows
Rule: 510 (level 7) -> 'Host-based anomaly detection event (rootcheck).'
Anomaly detected in file 'C:\WINDOWS\explorer.exe'. File size doesn't match what we found. Possible kernel level rootkit.
title: Anomaly detected in file 'C:\WINDOWS\explorer.exe'.
** Alert 1579952673.20081: - ossec,rootcheck,gdpr_IV_35.7.d,
2020 Jan 25 11:44:33 (winsrv.local.domain) any->rootcheck
agent.group: windows
Rule: 510 (level 7) -> 'Host-based anomaly detection event (rootcheck).'
Anomaly detected in file 'C:\WINDOWS\HelpPane.exe'. File size doesn't match what we found. Possible kernel level rootkit.
title: Anomaly detected in file 'C:\WINDOWS\HelpPane.exe'.
** Alert 1579952673.20481: - ossec,rootcheck,gdpr_IV_35.7.d,
2020 Jan 25 11:44:33 (winsrv.local.domain) any->rootcheck
agent.group: windows
Rule: 510 (level 7) -> 'Host-based anomaly detection event (rootcheck).'
Anomaly detected in file 'C:\WINDOWS\hh.exe'. File size doesn't match what we found. Possible kernel level rootkit.
title: Anomaly detected in file 'C:\WINDOWS\hh.exe'.
** Alert 1579952673.20869: - ossec,rootcheck,gdpr_IV_35.7.d,
2020 Jan 25 11:44:33 (winsrv.local.domain) any->rootcheck
agent.group: windows
Rule: 510 (level 7) -> 'Host-based anomaly detection event (rootcheck).'
Anomaly detected in file 'C:\WINDOWS\mib.bin'. File size doesn't match what we found. Possible kernel level rootkit.
title: Anomaly detected in file 'C:\WINDOWS\mib.bin'.
None of these servers has been updated, and none of them is exposed to the Internet or to internal networks. In fact, they can only access controlled sites and can only be accessed from administrative stations.
I am using centralized configuration and rootcheck’s config for these agents is:
<rootcheck>
<disabled>no</disabled>
<windows_apps>./shared/win_applications_rcl.txt</windows_apps>
<windows_malware>./shared/win_malware_rcl.txt</windows_malware>
</rootcheck>
Maybe file win_applications_rcl.txt is completely outdated?
Reasons for these alerts?
--
Regards,
C. L. Martinez
<agent_config os="Windows">
<rootcheck>
<check_sys>no</check_sys>
</rootcheck>
</agent_config>
--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/4E411DC5-10EE-4084-B2BA-EFF8B5EB311B%40outlook.com.
Regards,
C. L. Martinez
________________________________________
From: Victor Fernandez <vic...@wazuh.com>
Sent: 25 January 2020 23:57
To: Carlos Lopez
Cc: wa...@googlegroups.com
Subject: Re: A lot of rootcheck alerts in Windows server
Hi Carlos,
Sorry to read this. We're aware of this issue (#4492, https://github.com/wazuh/wazuh/issues/4492). It seems that some changes in the latest version (#4415, https://github.com/wazuh/wazuh/pull/4415 and #4477, https://github.com/wazuh/wazuh/pull/4477) are making Rootcheck perform a scan on Windows that previous versions didn't.
Explanation
Rootcheck checks a series of directories (see the documentation: https://documentation.wazuh.com/3.11/user-manual/capabilities/anomalies-detection/how-it-works.html#check-hidden-files-using-system-calls) and their files. It compares the size of each file's metadata with the number of bytes that the agent can read from it. These values should always match, except if the file is affected by a rootkit. However, Windows maps the standard newline notation (\r\n, carriage return + line feed) to a single line feed byte. This makes the check fail on text-based files, and that is producing the false positive alerts.
We're working on a fix for this problem right now, and will release a new version as soon as possible.
In the meantime, you can silence these alerts by disabling the scan for system files in your agents running on Windows:
<agent_config os="Windows">
<rootcheck>
<check_sys>no</check_sys>
</rootcheck>
</agent_config>
Sorry about this problem. We will keep you posted.
Kind regards,
Victor M. Fernandez-Castro
Core engineer | vic...@wazuh.com
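As an added illustration of the size comparison Victor describes (this is not code from the thread or from Wazuh): a rootcheck-style check run over a constructed CRLF text file and an LF-only file. Python's text mode with universal newlines collapses every \r\n into \n on any platform, so the mismatch reproduces without a Windows host. Reading the file in binary mode is shown as one way to avoid the translation; that is an assumption for the example, not a description of what PR #4493 changed.

```python
import os
import tempfile

# Constructed samples: a CRLF "text-based" file like the .config files in the
# alerts, and an LF-only file for comparison.
SAMPLES = {
    "crlf.config": b"line one\r\nline two\r\nline three\r\n",  # 32 bytes, 3 CRLFs
    "lf.log": b"line one\nline two\nline three\n",            # 29 bytes, no CR
}


def write_samples(directory):
    """Write the constructed samples to disk and return their paths."""
    paths = {}
    for name, content in SAMPLES.items():
        path = os.path.join(directory, name)
        with open(path, "wb") as fh:
            fh.write(content)
        paths[name] = path
    return paths


def bytes_read_text_mode(path):
    # Text mode with universal newlines (newline=None): each '\r\n' becomes a
    # single '\n', so the reader sees fewer bytes than the file holds.
    # latin-1 is a 1:1 byte<->char mapping, so the char count is the byte count.
    with open(path, "r", encoding="latin-1", newline=None) as fh:
        return len(fh.read())


def bytes_read_binary_mode(path):
    # Binary mode performs no newline translation: what is on disk is what is read.
    with open(path, "rb") as fh:
        return len(fh.read())


def size_check(path, reader):
    """Rootcheck-style comparison: size from file metadata vs. bytes actually read.

    Returns (metadata_size, bytes_read, anomaly). An anomaly is what the thread's
    'File size doesn't match what we found' alert is raised on.
    """
    meta = os.stat(path).st_size
    read = reader(path)
    return meta, read, meta != read


def demo():
    """Run the naive (text-mode) and corrected (binary-mode) check on each sample."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        for name, path in write_samples(d).items():
            naive = size_check(path, bytes_read_text_mode)
            fixed = size_check(path, bytes_read_binary_mode)
            results[name] = (naive, fixed)
    return results


if __name__ == "__main__":
    for name, (naive, fixed) in demo().items():
        print(f"{name}: text-mode read {naive}, binary-mode read {fixed}")
```

Only the CRLF file trips the text-mode check (32 bytes on disk, 29 read), while the binary-mode read matches the metadata for both files; this is the shape of the false positive on text files, not a sign of a rootkit.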
Many thanks for resolving this issue.
Regards,
C. L. Martinez
________________________________________
From: Victor Fernandez <vic...@wazuh.com>
Sent: 27 January 2020 22:14
To: Carlos Lopez
Cc: wa...@googlegroups.com
Subject: Re: A lot of rootcheck alerts in Windows server
Hi Carlos,
Just for your information, we've just merged PR #4493 (https://github.com/wazuh/wazuh/pull/4493), which fixes this bug in Rootcheck, and we're preparing a release.
Thank you for your feedback again.
Best,
Victor M. Fernandez-Castro
Core engineer | vic...@wazuh.com
On Mon, Jan 27, 2020 at 2:44 PM Victor Fernandez <vic...@wazuh.com> wrote:
Hi Carlos,
That's correct. Unfortunately, this bug was introduced by a fix in 3.11.2, so 3.11.1 is not affected. There is a PR (#4493, https://github.com/wazuh/wazuh/pull/4493) to fix it; we're testing and reviewing it.
Regards,
Victor M. Fernandez-Castro
Core engineer | vic...@wazuh.com
On Mon, Jan 27, 2020 at 9:04 AM Carlos Lopez <clo...@outlook.com> wrote:
Many thanks, Victor. I see that the problem only lies in version 3.11.2, right? I have a Windows 2019 agent on version 3.11.1 and this behavior is not observed there.
Regards,
C. L. Martinez