Hi m,
Could you specify the version of the manager again? I will assume that you have version 4.2.0; if not, and it is an old version, I recommend that you update the manager, since the vulnerability detector has been greatly improved and can prevent many false positives.
If it is a recent version of Wazuh, then it is possible that the MSU database is not updated or the agent does not have a hotfix that fixes these vulnerabilities.
And as long as you don't get vulnerabilities from 21H1 agents, it's a known issue that happens on the latest versions of Windows with version 'H', ex: 20H2, 21H1, etc.
The good news is that it has already been fixed in the following PR and will be available when the next version of Wazuh, v4.3, is released:
https://github.com/wazuh/wazuh/pull/10168
Even so, to verify it and to be able to help you better, I would need you to share the following information:
- What version of the OS does Wazuh collect on the Windows agent?
- To check that syscollector has synchronized correctly or is missing some hotfix, could you show me the list of patches that the agent contains?
- Finally, activate debug mode to get more information about the problem.
To get the patch list and OS version, you can get the information directly from the manager with the following commands (where 001.db is the Windows agent in question):
sqlite3 /var/ossec/queue/db/001.db "select * from sys_hotfixes;"
sqlite3 /var/ossec/queue/db/001.db "select * from sys_osinfo;"
Or you can get them from the WUI, heading to the section: Agents -> Select Windows Agent -> Inventory Data.
There you will find, at the beginning, information about the agent (from there I need the OS field, as in the following example: OS: Microsoft Windows Server 2019 Datacenter 10.0.17763) and, below it, a list in the Windows updates section with all the patches installed on the agent.
To activate debug mode, open the file /var/ossec/etc/local_internal_options.conf and add the line wazuh_modules.debug = 2 (or use the following command: echo "wazuh_modules.debug=2" >> /var/ossec/etc/local_internal_options.conf ).
Once done, restart Wazuh -> /var/ossec/bin/wazuh-control restart, then wait for a full scan to run for the Windows agent and finally check the log (ossec.log) again to see the new information.
And to see only the log referring to vulnerability-detector, you can use:
grep vuln /var/ossec/logs/ossec.log
Remember, once you get the necessary data, remove the debug line and restart the manager again to avoid disk space problems.
If you have any questions, don't hesitate to ask.
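As an added example, not part of the original reply or of Wazuh itself, the following script reads the same two inventory tables the sqlite3 commands above query (sys_osinfo and sys_hotfixes) from an agent DB and triages the three cases the reply lists: no hotfixes synced, an 'H'-release Windows version (20H2/21H1) that hits the known false-positive issue, or an inventory that looks complete so the MSU database is the next thing to check. The table schema and the agent data are constructed and simplified for the example; the real tables carry more columns, so adapt the column names to what `.schema sys_osinfo` shows on your manager.

```python
import re
import sqlite3

# Constructed, simplified schema (assumption): the real Wazuh tables
# have more columns; only the ones this check reads are modelled.
SCHEMA = """
CREATE TABLE sys_osinfo (scan_id INTEGER, os_name TEXT, os_version TEXT, os_release TEXT);
CREATE TABLE sys_hotfixes (scan_id INTEGER, hotfix TEXT);
"""

# Windows 10 / Server half-year release names such as 20H2 or 21H1.
H_RELEASE = re.compile(r"^\d{2}H[12]$")


def build_sample_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for /var/ossec/queue/db/001.db."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO sys_osinfo VALUES (1, 'Microsoft Windows 10 Pro', '10.0.19043', '21H1')")
    conn.executemany("INSERT INTO sys_hotfixes VALUES (1, ?)", [("KB5003637",), ("KB5001405",)])
    conn.commit()
    return conn


def agent_inventory(conn: sqlite3.Connection):
    """Return (OS field as shown in the WUI, release name, sorted hotfix list)."""
    os_name, os_version, os_release = conn.execute(
        "SELECT os_name, os_version, os_release FROM sys_osinfo LIMIT 1").fetchone()
    hotfixes = sorted(row[0] for row in conn.execute("SELECT hotfix FROM sys_hotfixes"))
    return f"{os_name} {os_version}", os_release, hotfixes


def triage(conn: sqlite3.Connection) -> str:
    """Map the inventory to one of the causes discussed in the thread."""
    _, os_release, hotfixes = agent_inventory(conn)
    if not hotfixes:
        return "no hotfixes synced: check syscollector hotfix inventory on the agent"
    if H_RELEASE.match(os_release or ""):
        return "H-release Windows (20H2/21H1): known false positives, fixed for Wazuh v4.3 (PR 10168)"
    return "inventory complete: verify the MSU database is up to date on the manager"


if __name__ == "__main__":
    db = build_sample_db()
    print(agent_inventory(db))
    print(triage(db))
```

On a real manager, replace build_sample_db() with sqlite3.connect("/var/ossec/queue/db/001.db") after confirming the column names with .schema.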