yara and virustotal not working


Jagadeswar K

May 3, 2024, 9:31:37 AM5/3/24
to Wazuh | Mailing List
Hello Team,

I am doing YARA detection and VirusTotal auto-remove threat integration.
I followed the Wazuh docs and it worked, but I need to do this in production, which has to scan all files. If I mention all files and remove this path /tmp/yara/malware and add /root/home, it's not scanning any path, and for

VirusTotal is working fine with the Wazuh server, but on the agent it's not working and auto remove is not working.


Roman Luna

May 3, 2024, 10:04:33 AM5/3/24
to Wazuh | Mailing List
Hi,

You could check the ossec.log from the agent to see what could be happening with the integration. Remember that you need to properly install YARA to get it working: https://documentation.wazuh.com/current/user-manual/capabilities/malware-detection/fim-yara.html#linux-endpoint-configuration

Test that YARA is running properly:

    yara

Expected output:

    yara: wrong number of arguments
    Usage: yara [OPTION]... [NAMESPACE:]RULES_FILE... FILE | DIR | PID
    Try `--help` for more options

You could also set the agent in debug mode by modifying the agent's internal_options.conf: https://documentation.wazuh.com/current/user-manual/reference/internal-options.html#integrator. Set it to level 2 and restart the agent to apply the changes. With this, we could get more information about the steps it is going through, and any information could be helpful, as at the moment we don't have any error to start with.

Regards.
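The three checks from the reply above, as an added shell example that is not part of the thread or of the Wazuh project. It assumes a default Linux agent install under /var/ossec and the integrator.debug key from the linked internal-options page; the log lines used in the comments are constructed.

```shell
#!/bin/sh
# Added example (not from the thread or from Wazuh): apply the checks suggested
# in the reply. OSSEC_DIR is an assumption; override it for non-default installs.
OSSEC_DIR="${OSSEC_DIR:-/var/ossec}"

# Check 1: is the yara binary on PATH? Running it with no arguments exits
# non-zero and prints its usage line, so we only test that it can be found.
yara_available() {
  command -v yara >/dev/null 2>&1
}

# Check 2: set integrator.debug=<level> in internal_options.conf, replacing the
# existing line or appending one if it is missing. Prints the resulting value
# so the caller can confirm the change before restarting the agent.
set_integrator_debug() {
  conf="$1"; level="$2"
  if grep -q '^integrator.debug=' "$conf"; then
    tmp=$(mktemp)
    sed "s/^integrator.debug=.*/integrator.debug=${level}/" "$conf" > "$tmp"
    cat "$tmp" > "$conf"   # overwrite in place so file ownership/mode survive
    rm -f "$tmp"
  else
    printf 'integrator.debug=%s\n' "$level" >> "$conf"
  fi
  sed -n 's/^integrator.debug=//p' "$conf"
}

# Check 3: pull only the integration-related lines out of ossec.log so the
# first real error (integrator, virustotal, yara, active-response) can be
# quoted in the follow-up instead of guessing at the cause.
integration_log_lines() {
  grep -Ei 'integrator|virustotal|yara|active-response' "$1"
}

# Typical use on the endpoint (not executed when this file is sourced):
#   yara_available || echo "yara not installed"
#   set_integrator_debug "$OSSEC_DIR/etc/internal_options.conf" 2
#   integration_log_lines "$OSSEC_DIR/logs/ossec.log"
```

Restart the agent after changing the debug level, as the reply notes, or the new value has no effect.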