Active Response not terminating process on FIM event (Wazuh 4.14)


chao lee

Apr 3, 2026, 3:32:14 AM (4 days ago) Apr 3
to Wazuh | Mailing List
First, let me describe my environment: I am running Wazuh version 4.14 with a Windows 10 agent.

The Scenario:
I manually created a file named password.txt on the agent's D: drive. My goal is to use File Integrity Monitoring (FIM) to detect changes to this file and trigger an active response to kill the process responsible for the modification.

The Test Method:
I open password.txt with Notepad, modify the content, and save it (without closing Notepad).

The Expected Result:
The Notepad window should be automatically closed (killed) immediately after saving.

The Issue:
I have tested this multiple times. While I can see the file change alerts in the management dashboard, the active response does not seem to trigger, and the Notepad window remains open.
Has anyone successfully implemented this? Any guidance would be greatly appreciated. Thank you.

hasitha.u...@wazuh.com

Apr 3, 2026, 11:39:04 PM (3 days ago) Apr 3
to Wazuh | Mailing List
Hi chao lee,

Please allow me some time; I’m currently looking into this and will get back to you with an update as soon as possible.

hasitha.u...@wazuh.com

Apr 4, 2026, 1:12:44 AM (3 days ago) Apr 4
to Wazuh | Mailing List
Hi chao,

I created an Active Response script that kills the Notepad process whenever FIM detects a file change.

To avoid triggering on every normal file change, I also created a custom rule so you can limit it to a specific path if needed.

First, download the test.exe file from this link, and move it to the agent at:

C:\Program Files (x86)\ossec-agent\active-response\bin

Then follow these steps.

Option 1: Kill Notepad for any file change detected by rule 550

On the manager, edit:

/var/ossec/etc/ossec.conf

Add:

  <command>
    <name>test</name>
    <executable>test.exe</executable>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <active-response>
    <disabled>no</disabled>
    <command>test</command>
    <location>local</location>
    <rules_id>550</rules_id>
    <timeout>180</timeout>
  </active-response>

This will trigger the script for file change alerts matched by rule 550.

Option 2: Kill Notepad only for changes in a specific path

If you only want this to happen for a specific folder, for example C:\test, create a custom rule like this:

  <group name="kill_notepad">

    <rule id="200300" level="3">
      <if_sid>550</if_sid>
      <field name="file">c:\\test\\.+</field>
      <description>Suspicious file changes detected.</description>
    </rule>

  </group>

This rule will match file changes under C:\test.

Then update the Active Response in ossec.conf to use your custom rule ID:

  <active-response>
    <disabled>no</disabled>
    <command>test</command>
    <location>local</location>
    <rules_id>200300</rules_id>
    <timeout>180</timeout>
  </active-response>

Final step

After updating the manager configuration, restart the Wazuh manager:
systemctl restart wazuh-manager

Please let me know how it goes or if you want help adjusting the rule for a different file path.
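For readers who want to see what a script like the test.exe above has to do, here is an added example (not the file linked in the reply, and not Wazuh project code) of a Python active response script for the Windows agent. It assumes the Wazuh 4.x convention that wazuh-execd hands the script a JSON message on stdin carrying the triggering alert, that FIM alerts expose the path under syscheck.path, and that the process to terminate is notepad.exe; the sample message is constructed to mirror the custom rule 200300 from Option 2.

```python
import json
import subprocess
import sys

# Constructed sample of the JSON that wazuh-execd hands an active response
# script on stdin (assumed shape, trimmed to the fields this script uses).
SAMPLE_MESSAGE = json.dumps({
    "version": 1,
    "origin": {"name": "node01", "module": "wazuh-execd"},
    "command": "add",
    "parameters": {
        "extra_args": [],
        "alert": {
            "rule": {"id": "200300", "level": 3},
            "syscheck": {"path": "c:\\test\\password.txt", "event": "modified"},
        },
        "program": "test.exe",
    },
})

WATCHED_PREFIX = "c:\\test\\"   # same folder as the custom rule's <field name="file">
TARGET_PROCESS = "notepad.exe"  # assumption: the editor the reply wants killed


def parse_message(raw):
    """Return (command, rule_id, path) from the execd JSON, or None if malformed."""
    try:
        msg = json.loads(raw)
        alert = msg["parameters"]["alert"]
        return msg["command"], str(alert["rule"]["id"]), alert["syscheck"]["path"]
    except (ValueError, KeyError, TypeError):
        return None


def should_terminate(parsed, prefix=WATCHED_PREFIX):
    """Act only on the 'add' command and only for files under the watched folder.
    With <timeout_allowed>, a 'delete' command follows after <timeout> seconds;
    there is nothing to undo for a killed process, so it is ignored."""
    if parsed is None:
        return False
    command, _rule_id, path = parsed
    return command == "add" and path.lower().startswith(prefix.lower())


def terminate(process=TARGET_PROCESS):
    """Kill every instance of the named process with taskkill (Windows only)."""
    result = subprocess.run(["taskkill", "/F", "/IM", process],
                            capture_output=True, text=True)
    return result.returncode == 0


if __name__ == "__main__":
    if should_terminate(parse_message(sys.stdin.readline())):
        terminate()
```

Package it into an .exe (the reply's test.exe is presumably built this way, since the Windows agent does not ship a Python interpreter) and drop it in active-response\bin; if the script never fires, check the alert's rule id and syscheck.path against the prefix before suspecting the manager configuration.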
