Hello team!
Thanks for using Wazuh!
In case you're trying to exclude the Wazuh Agent from being analyzed by your antivirus, then you should add the following exclusions to your antivirus:
For Windows: "C:\Program Files (x86)\ossec-agent"
For Linux: /var/ossec
In case you're trying to exclude your antivirus from being logged by Wazuh, then I assume it's logging into Windows events. For this you could set a filter in the Agent's configuration. Prior to this you'll need to figure out the Event ID from Windows using the Windows Event Viewer.
Once you have all the IDs you need to filter, you can set the filter inside your current <localfile> module for Windows events as follows:
<localfile>
  <location>Security</location>
  <log_format>eventchannel</log_format>
  <query>Event/System[EventID != 5145 and EventID != 5156 and EventID != 5447 and
    EventID != 4656 and EventID != 4658 and EventID != 4663 and EventID != 4660 and
    EventID != 4670 and EventID != 4690 and EventID != 4703 and EventID != 4907 and
    EventID != 5152 and EventID != 5157 and EventID != EVENT_ID_TO_FILTER
    and EventID != EVENT_ID_TO_FILTER]</query>
</localfile>
This is how the default configuration looks after adding 2 additional filters for Windows events. In this sample, you would need to replace each "EVENT_ID_TO_FILTER" with a proper Windows event ID.
Hope this information is useful for you.
Please let us know if you need further assistance! We'll be glad to help you.
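Added example, not part of the original reply and not Wazuh's own code: a small Python check that lists which event IDs each eventchannel <localfile> query excludes and flags any value that is not numeric, such as a placeholder left unreplaced. The function name audit_eventchannel_filters, the sample configuration and the ID 9999 are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: a shortened version of the <localfile> block above, with
# one placeholder replaced by a constructed ID (9999) and one left in by mistake.
SAMPLE_CONF = """
<ossec_config>
  <localfile>
    <location>Security</location>
    <log_format>eventchannel</log_format>
    <query>Event/System[EventID != 5145 and EventID != 5156 and
    EventID != 5152 and EventID != 5157 and EventID != 9999
    and EventID != EVENT_ID_TO_FILTER]</query>
  </localfile>
</ossec_config>
"""

# One "EventID != <value>" clause; the value is captured for validation.
CLAUSE = re.compile(r"EventID\s*!=\s*([^\s\]]+)")


def audit_eventchannel_filters(conf_text):
    """Report excluded and invalid event IDs per eventchannel <localfile>."""
    # ossec.conf may hold several <ossec_config> roots, so wrap the text
    # in a synthetic root element before parsing.
    root = ET.fromstring("<root>" + conf_text + "</root>")
    reports = []
    for lf in root.iter("localfile"):
        if (lf.findtext("log_format") or "").strip() != "eventchannel":
            continue
        query = lf.findtext("query")
        if query is None:
            continue  # no filter set: every event on the channel is collected
        values = CLAUSE.findall(query)
        reports.append({
            "channel": (lf.findtext("location") or "").strip(),
            "excluded_ids": sorted({int(v) for v in values if v.isdigit()}),
            "invalid": [v for v in values if not v.isdigit()],
        })
    return reports


if __name__ == "__main__":
    for r in audit_eventchannel_filters(SAMPLE_CONF):
        print(r["channel"], "excludes", r["excluded_ids"])
        for bad in r["invalid"]:
            print("  not a numeric event ID:", bad)
```

The excluded_ids list is also a record of what the agent will no longer forward from that channel, which is worth reviewing whenever the filter changes.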