File integrity monitoring not detecting png and jpg files


Jorge Martins

May 20, 2019, 2:04:29 PM
to Wazuh mailing list
Hi

While testing realtime or whodata file monitoring on a Windows host, I noticed that .png and .jpg files were never reported.

Tried testing with .bmp, .gif, and .tif and these files were correctly reported.

The files were all created the same way using Microsoft Paint.

Configuration:

    <directories check_all="yes" realtime="yes">C:\TopSecret</directories>
    <directories check_all="yes" whodata="yes" report_changes="yes">C:\Important</directories>


Thanks

Jorge Martins

May 20, 2019, 2:12:31 PM
to Wazuh mailing list
BTW, I'm currently using Wazuh 3.8.2

David Vidriales

May 21, 2019, 3:08:28 AM
to Wazuh mailing list
Hi Jorge,

This is probably because in Windows, by default, these kinds of files are ignored. This is indicated in the syscheck section (in ossec.conf) in the following line:

    <ignore type="sregex">.log$|.htm$|.jpg$|.png$|.chm$|.pnf$|.evtx$</ignore>

If you only want these kinds of files to be reported, modify that line the following way:

    <ignore type="sregex">.log$|.htm$|.chm$|.pnf$|.evtx$</ignore>

If you need any further help, please don't hesitate to contact us. I hope this helped.

Kind regards,
David
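Added example (not part of the original thread and not Wazuh code): a small audit script that reads the `<ignore type="sregex">` entries from a syscheck section and lists which monitored paths would never be reported, using the two ignore lines quoted above. It assumes sregex treats everything except `^`, `$` and `|` as literal text and compares case-insensitively; the sample configs, file paths and function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample configs: the ignore line quoted in the thread (default)
# and the edited line from the reply, wrapped in a minimal syscheck section.
DEFAULT_CONF = r"""<ossec_config><syscheck>
  <directories check_all="yes" whodata="yes" report_changes="yes">C:\Important</directories>
  <ignore type="sregex">.log$|.htm$|.jpg$|.png$|.chm$|.pnf$|.evtx$</ignore>
</syscheck></ossec_config>"""
EDITED_CONF = DEFAULT_CONF.replace(".jpg$|.png$|", "")

def sregex_match(pattern, text):
    """Assumed sregex semantics: literal text; only ^ $ | are special; case-insensitive."""
    text = text.lower()
    for alt in pattern.lower().split("|"):
        at_start, at_end = alt.startswith("^"), alt.endswith("$")
        lit = alt[1:] if at_start else alt
        lit = lit[:-1] if at_end else lit
        if not lit:
            continue  # skip empty alternatives
        if at_start and at_end:
            hit = text == lit
        elif at_start:
            hit = text.startswith(lit)
        elif at_end:
            hit = text.endswith(lit)
        else:
            hit = lit in text
        if hit:
            return True
    return False

def ignored_by(conf_xml, path):
    """Return the sregex ignore pattern that suppresses `path`, or None."""
    for ign in ET.fromstring(conf_xml).iter("ignore"):
        pattern = (ign.text or "").strip()
        if ign.get("type") == "sregex" and sregex_match(pattern, path):
            return pattern
    return None

def blind_spots(conf_xml, paths):
    """Paths that file integrity monitoring would silently skip under this config."""
    return [p for p in paths if ignored_by(conf_xml, p)]

# Constructed test paths under the monitored directory from the question.
SAMPLE_PATHS = [r"C:\Important\plan.png", r"C:\Important\scan.JPG",
                r"C:\Important\plan.bmp", r"C:\Important\anim.gif"]

if __name__ == "__main__":
    for name, conf in (("default", DEFAULT_CONF), ("edited", EDITED_CONF)):
        print(name, "-> not reported:", blind_spots(conf, SAMPLE_PATHS))
```

Running a check like this against the file types you expect alerts for shows monitoring gaps before you rely on the absence of an alert.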