False Positive on Windows server with office runtimes installed


Mark Pearson
Mar 4, 2022, 6:20:43 AM
to Wazuh mailing list
I'm new to Wazuh, and most of the information from it is brilliant, except for a few false positives I'm seeing for some of my agents.

I've got an agent with the Office 2016 runtimes for Access running on it. I'm seeing hundreds of logs showing a high-impact vulnerability saying certain KBs for Office are not installed; however, they most certainly are. I'd like to either fix this false-positive detection or mute these alerts completely for the affected hosts - is this possible?

Ariel Ivan Ojeda
Mar 4, 2022, 6:12:20 PM
to Wazuh mailing list

Hi,
I hope you are doing well today. Wazuh receives the list of packages from the agent and compares it to a database, matching the software version to the KBs, hotfixes and cumulative patches reported in the database. If they don't match, it generates an alert, which is what is happening here. The matching process may be against a specific package or a cumulative patch. You should check your endpoint to verify that the reported vulnerability is, in fact, a false positive. You can do this from PowerShell by running the following command:

wmic qfe list brief /format:table

This will list the installed KBs, and you can check here whether the one reported in the alert is in fact installed.

You can find more information about Vulnerability Detection in Wazuh here:

Vulnerability Detection with Wazuh

How to get updates for Windows:

How to get updates for Windows

And Office:

How to install Office updates

Best regards

Ariel Ojeda
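As an added example (not code from the thread or from the Wazuh project), the check described in the reply above can be scripted so the KB from an alert is looked up in both places Windows records an update. `wmic qfe list` (and its PowerShell equivalent `Get-HotFix`) only reads Win32_QuickFixEngineering, which covers operating-system updates; MSI-based Office 2016 and Access runtime updates are instead registered under the Uninstall keys with the KB number in their DisplayName, so both sources are consulted. The KB number in the usage line is a placeholder for the one in your alert.

```powershell
# Added example, not the poster's code: report whether the KB named in a Wazuh
# vulnerability alert is present on this host. Run in an elevated PowerShell
# session on the affected agent.

function Test-KbInstalled {
    param([Parameter(Mandatory)][string]$KB)

    # Normalise "4011234" or "kb4011234" to "KB4011234"
    $kb = $KB.ToUpper()
    if ($kb -notmatch '^KB\d+$') { $kb = "KB$($kb -replace '\D', '')" }

    $result = [ordered]@{ KB = $kb; QfeHotfix = $false; UninstallEntries = @() }

    # 1. Operating-system updates: the same data "wmic qfe list" prints
    #    (Win32_QuickFixEngineering). Office updates never appear here.
    if (Get-HotFix -Id $kb -ErrorAction SilentlyContinue) {
        $result.QfeHotfix = $true
    }

    # 2. MSI-based product updates (Office 2016, Access runtimes, ...) are
    #    registered under the Uninstall keys, in both the 64-bit and the
    #    32-bit (WOW6432Node) views. The DisplayName carries the KB, e.g.
    #    "Security Update for Microsoft Office 2016 (KB1234567) 32-Bit Edition".
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $result.UninstallEntries = @(
        Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
            Where-Object { $_.DisplayName -like "*$kb*" } |
            Select-Object -ExpandProperty DisplayName
    )

    # Installed if either source knows about the KB
    $result.Installed = $result.QfeHotfix -or ($result.UninstallEntries.Count -gt 0)
    [pscustomobject]$result
}

# Usage: placeholder KB number; substitute the one from the Wazuh alert.
Test-KbInstalled -KB 'KB1234567' | Format-List
```

If `Installed` is `False` for a KB the server is supposed to have, the alert is not a false positive and the update really is missing; if it is `True` only through an Uninstall entry, note the exact DisplayName and version, because that registry data is what the agent reports and what the detector matches against.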

Mark Pearson
Mar 5, 2022, 3:46:37 AM
to Wazuh mailing list
Thanks for the response - the problem is that even when we completely remove Office and the Access runtimes from the server, the event still triggers. Also, when trying to install the KB that Wazuh claims to be missing, I see a message saying it does not apply to the system.

Ariel Ivan Ojeda
Mar 8, 2022, 8:47:20 AM
to Wazuh mailing list

Hi,

The event that was created for this will not disappear if you uninstall Office, as it was created before that, but the system should not trigger a new alert for this after you do so. Sometimes the runtimes are being used by other components of the system, and because of this they are not removed when you uninstall the application. Also, the registry entry (Wazuh gets its information from here) might still be there.

Would you be so kind as to share a sample of the events you are getting for this?

Thanks in advance.

Ariel Ojeda
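As an added example (not the poster's code and not part of the Wazuh project), the registry check suggested in the reply above can be made concrete: list every Uninstall entry that still looks like an Office or Access runtime component after the uninstall, and flag entries whose install directory no longer exists on disk. The assumption here, consistent with the reply, is that the agent's Windows package inventory is built from these Uninstall keys, so a surviving entry is what keeps the vulnerability match alive. The name patterns are illustrative and can be widened.

```powershell
# Added example, not the poster's code: find Office / Access runtime entries
# that still exist under the Uninstall registry keys (64-bit and WOW6432Node
# views) and show whether their install location still exists on disk.
# Run in an elevated PowerShell session on the affected agent.

function Get-LingeringOfficeEntries {
    param(
        # Assumed name patterns; adjust to match the products you removed
        [string[]]$Patterns = @('*Office*', '*Access*Runtime*', '*Access Database Engine*')
    )

    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )

    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object {
            $name = $_.DisplayName
            # Keep entries with a DisplayName matching any of the patterns
            $name -and ($Patterns | Where-Object { $name -like $_ })
        } |
        ForEach-Object {
            $loc = $_.InstallLocation
            [pscustomobject]@{
                DisplayName     = $_.DisplayName
                DisplayVersion  = $_.DisplayVersion
                RegistryKey     = $_.PSChildName
                Is64BitView     = ($_.PSPath -notlike '*WOW6432Node*')
                InstallLocation = $loc
                # $null when the entry records no location; $false means the
                # registration outlived the files, i.e. a stale entry
                LocationExists  = $(if ($loc) { Test-Path -LiteralPath $loc } else { $null })
                UninstallString = $_.UninstallString
            }
        }
}

# Usage: review the output before removing anything; a stale entry can be
# cleaned up with its UninstallString or, if that fails, by exporting and
# then deleting the registry key.
Get-LingeringOfficeEntries | Sort-Object DisplayName | Format-Table -AutoSize
```

Compare the DisplayName and DisplayVersion values this returns with the package name and version shown in the Wazuh alert; if they match, the stale registration is the source of the repeated detection, and once it is gone the agent's next inventory scan should stop reporting the package.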
