YARA Integration on Windows Endpoints


Hein Khant Shane

Sep 13, 2025, 3:20:12 PM
to Wazuh | Mailing List

Hello Team, 
I have integrated Wazuh with YARA on Windows endpoints by following the official Wazuh documentation. However, I am not seeing any alerts being triggered from the YARA rules. The Wazuh agent and manager are running without errors, and YARA is installed properly, but the rules do not seem to generate alerts in Wazuh.

Could you please guide me on how to properly configure and validate the integration so that YARA rules will trigger alerts from Windows endpoints?

Thank you for your support.

hasitha.u...@wazuh.com

Sep 14, 2025, 1:15:59 AM
to Wazuh | Mailing List
Hi Hein,

I’ve tested this issue on my side, and it’s working fine here.

[Screenshot attached]

However, I used a different path since the Downloads folder contains unsupported names. After configuring it, the alerts didn’t appear on the dashboard. Then I changed the FIM configuration to a different path and updated the rules.

2025/09/14 10:19:23 wazuh-agent: WARNING: (6955): Ignoring file 'c:\users\hasit\downloads\agent connections - wazuh server cluster   wazuh documentation.html' due to unsupported name (non-UTF8).
2025/09/14 10:19:23 wazuh-agent: WARNING: (6955): Ignoring file 'c:\users\hasit\downloads\agent connections - wazuh server cluster   wazuh documentation_files' due to unsupported name (non-UTF8).


Regarding this error, we have an open GitHub issue still in progress, you can check here: https://github.com/wazuh/wazuh/issues/24379

Check the Wazuh agent ossec.log to identify the same issue you have faced. If yes, create a new folder and configure that path in the agent's ossec.conf file.
C:\Program Files (x86)\ossec-agent\ossec.log

So then I have changed the syscheck config to a different path, like below.
<directories realtime="yes">D:\test</directories>

Restart the agent to apply changes.
Restart-Service -Name wazuh

Then, if you plan to change the monitoring path, you need to modify rules 100303 and 100304 as follows.

<group name="syscheck,">
  <rule id="100303" level="7">
    <if_sid>550</if_sid>
    <field name="file">D:\\test</field>
    <description>File modified in D:\test directory.</description>
  </rule>
  <rule id="100304" level="7">
    <if_sid>554</if_sid>
    <field name="file">D:\\test</field>
    <description>File added to D:\test directory.</description>
  </rule>
</group>

<group name="yara,">
  <rule id="108000" level="0">
    <decoded_as>yara_decoder</decoded_as>
    <description>Yara grouping rule</description>
  </rule>

  <rule id="108001" level="12">
    <if_sid>108000</if_sid>
    <match>wazuh-yara: INFO - Scan result: </match>
    <description>File "$(yara_scanned_file)" is a positive match. Yara rule: $(yara_rule)</description>
  </rule>
</group>

Then restart the manager to apply changes.
systemctl restart wazuh-manager

If you need further assistance on this, please share the agent and Wazuh manager ossec.log to check further.
Agent:  C:\Program Files (x86)\ossec-agent\ossec.log
Manager: grep -i -E "error|warn" /var/ossec/logs/ossec.log
Ref: https://documentation.wazuh.com/current/proof-of-concept-guide/detect-malware-yara-integration.html

Let me know if you need further assistance on this.
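The alert in the reply above only fires at the end of a chain: the FIM event hits rule 100303/100304, the active response runs yara.bat, yara.bat appends a line to the agent's active-responses.log, the manager decodes that line with yara_decoder, and rule 108001 matches on the literal "wazuh-yara: INFO - Scan result: ". A quick way to find out where the chain breaks is to take the lines actually present in active-responses.log and check which of them would reach rule 108001. The Python below is an added example (not part of the thread and not Wazuh code) that emulates the decoder and the rule match. It assumes the decoder pair from the Wazuh PoC guide (prematch `wazuh-yara:`, child regex `wazuh-yara: (\S+) - Scan result: (\S+) (\S+)` with order log_type, yara_rule, yara_scanned_file); compare it with your own local_decoder.xml before trusting the result. The log lines and the YARA rule name are constructed for the example.

```python
import re

# Decoder pair as in the Wazuh YARA PoC guide (assumption: your local_decoder.xml
# uses the same prematch and regex; adjust if yours differs).
PREMATCH = "wazuh-yara:"
DECODER_RE = re.compile(r"wazuh-yara: (\S+) - Scan result: (\S+) (\S+)")
# Literal that rule 108001 requires via <match>.
RULE_108001_MATCH = "wazuh-yara: INFO - Scan result: "

# Constructed active-responses.log lines; "Eicar_Test_File" is a made-up rule name.
SAMPLE_LOG = [
    # positive hit written by yara.bat for the monitored D:\test directory
    "wazuh-yara: INFO - Scan result: Eicar_Test_File D:\\test\\eicar.com",
    # unrelated active response output: never prematched by yara_decoder
    "active-response/bin/netsh.exe: Starting",
    # path containing a space: the alert fires, but yara_scanned_file is cut at the space
    "wazuh-yara: INFO - Scan result: Eicar_Test_File D:\\test\\my sample.com",
    # prematch fires but there is no "<rule> <file>" pair to parse, so no alert
    "wazuh-yara: ERROR - yara64.exe not found",
]


def decode(line):
    """Emulate yara_decoder/yara_decoder1.

    Returns None when the parent prematch fails (the line is not YARA output),
    otherwise a dict with the decoder name and whatever fields the child regex
    extracted (an empty dict if only the parent matched).
    """
    if PREMATCH not in line:
        return None
    m = DECODER_RE.search(line)
    if not m:
        return {"decoded_as": "yara_decoder", "fields": {}}
    log_type, yara_rule, scanned_file = m.groups()
    return {
        "decoded_as": "yara_decoder",
        "fields": {
            "log_type": log_type,
            "yara_rule": yara_rule,
            "yara_scanned_file": scanned_file,
        },
    }


def would_alert(line):
    """True if the line satisfies rule 108000 (decoded_as yara_decoder) and the
    <match> literal of rule 108001, i.e. a level-12 alert would be generated."""
    decoded = decode(line)
    return decoded is not None and RULE_108001_MATCH in line


def triage(lines):
    """Classify a batch of active-responses.log lines into alerts, YARA lines the
    decoder could not fully parse, and lines that are not YARA output at all."""
    result = {"alerts": [], "yara_unparsed": [], "not_yara": 0}
    for line in lines:
        decoded = decode(line)
        if decoded is None:
            result["not_yara"] += 1
        elif would_alert(line) and decoded["fields"]:
            result["alerts"].append(decoded["fields"])
        else:
            result["yara_unparsed"].append(line)
    return result


if __name__ == "__main__":
    summary = triage(SAMPLE_LOG)
    for fields in summary["alerts"]:
        print("ALERT 108001:", fields["yara_rule"], fields["yara_scanned_file"])
    for line in summary["yara_unparsed"]:
        print("YARA output without a Scan result pair:", line)
    print("non-YARA lines skipped:", summary["not_yara"])
```

If triage reports zero alerts for the real log, the break is before the manager: yara.bat never ran or never matched, which points back at the FIM rule/path and the active response binding rather than at the decoder. If it reports alerts locally but none appear on the dashboard, the problem is between agent and manager (log forwarding, or the decoder/rule files on the manager not being what the test assumed).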

Hein Khant Shane

Sep 14, 2025, 3:49:02 PM
to Wazuh | Mailing List
Sir, please kindly check what I need to adjust; there is no YARA alert :((
[Screenshots attached]

hasitha.u...@wazuh.com

Sep 17, 2025, 7:23:46 AM
to Wazuh | Mailing List
Hi Hein,

I successfully configured the Yara integration for Windows by following the documentation. However, we can troubleshoot this issue further.
You can test the alerts showing in the dashboard by following these steps.

Make sure to turn off the Microsoft Virus and threat protection.
Search in the search bar Windows Security -> Virus & threat protection -> click Manage settings in Virus & threat protection settings -> Switch off Real-time protection.
If you have any other EDR solution or AV, please disable it temporarily.

After that, try the steps below to check the detection.
Download a malware sample on the monitored Windows endpoint:
Download the EICAR zip file:
Invoke-WebRequest -Uri https://secure.eicar.org/eicar_com.zip -OutFile eicar.zip

Unzip it:
Expand-Archive .\eicar.zip

Additionally, check if anything is blocking the eicar.com file.

Copy the EICAR file to the monitored directory:
cp .\eicar\eicar.com C:\Users\<USER_NAME>\Downloads

Finally, check the dashboard to see if you can find the alerts.

If the issue still persists, please share the ossec.log of the agent to check further.

C:\Program Files (x86)\ossec-agent\ossec.log

Ref: https://documentation.wazuh.com/current/proof-of-concept-guide/detect-malware-yara-integration.html

Let me know the update on this.