vulnerability updates not showing


Lennart Steyn

Dec 23, 2021, 4:05:27 PM
to Wazuh mailing list
Hi,

Could anyone shed some light on my issue?

I'm trying to get a vulnerability scan to work on my Win10 computers. I've checked all the settings, tried reinstalling agents, read all the documentation, reinstalled the whole thing... but it's not working, I think.

On my test Win10, I've installed an old Java version, and I know there are pending Windows updates, so I should be seeing something, right? When I check the regular inventory list, I do see all the applications and system specs, so the collector is working.

I've added the hotfix line in the agent config on the client and turned on the vulnerability detector on the server, but nothing. I see the NVD is getting downloaded without errors.

Attached are the log snippets and screenshots for anyone feeling brave enough to help me out!

Thanks in advance, regards, and merry Xmas!

L
client_ossec_log.jpg
agent_message.jpg
ossec_server_log.jpg
empty_vulnerabitliy_inventory.jpg
client_ossec_confg.jpg
vulnerabilitie_scanner_enabled.jpg

Lennart Steyn

Dec 24, 2021, 1:16:23 AM
to Wazuh mailing list
OK, I've added more different Windows 10 clients and now I get some more CVE info in the inventory... so I guess it's working.

On Thursday 23 December 2021 at 22:05:27 UTC+1, Lennart Steyn wrote:

Marcel Kemp

Dec 27, 2021, 6:35:24 AM
to Wazuh mailing list
Hi Lennart,

Apparently the configuration was set up correctly, so, as it happened, it should work correctly once the syscollector synchronization between the manager and the agent is finished.

When the manager has the information on patches and packages from the Windows agent, the times configured for the vulnerability-detector module must be taken into account (configuration fields: <interval> and <ignore_time>).
The <interval> option will perform a partial scan of the agent once the configured time expires (this means that if it detects new packages, it will analyze them, but if there is nothing new, it will continue with the next agent).
If the partial scan does not detect any vulnerability, then you have to wait for <ignore_time> to perform a full scan, which will analyze all the packages and patches that it detects in the agent and, after finishing, will report them if everything works correctly.

Also, there is a known issue for the recently updated Windows 10 agents, which has been fixed in the following PR, but will not be available until Wazuh version v4.3 is released:
https://github.com/wazuh/wazuh/pull/10168
This problem, as you can see in the issue, occurs in the new versions 20H2, 21H1, etc., where the version is not detected correctly, and therefore it does not find any vulnerability of the system.

To check if the manager has the Windows agent packages and hotfixes, you can get the information directly from the manager with the following commands (where 001.db is the Windows agent in question):
sqlite3 /var/ossec/queue/db/001.db "select * from sys_hotfixes;"
sqlite3 /var/ossec/queue/db/001.db "select * from sys_programs;"

And to check whether the version problem of the new Windows 10 affects you, you can execute the following command and check whether the detected os_release is equal to 2009 (instead of 21H1 or similar):
sqlite3 /var/ossec/queue/db/001.db "select * from sys_osinfo;"

Or you can get them from the WUI, heading to the section: Agents -> Select Windows Agent -> Inventory Data.
Where you will find all the information that the manager has about the Windows agent.

I hope this helps you. If you don't understand something or have any questions, don't hesitate to ask.
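The three sqlite3 queries above, run as one script so the result can be read at a glance. This is an added example, not code from the thread or from the Wazuh project: it opens the per-agent database at the path given above, counts rows in sys_hotfixes and sys_programs, reads os_release from sys_osinfo, and reports which of the two situations described in the reply applies (inventory not yet synced, or os_release stuck at 2009). The reduced table schemas in the constructed in-memory database are assumptions made for the example; only the table names and the os_release column come from the reply.

```python
import sqlite3

# Path quoted in the reply: 001 is the agent id of the Windows agent in question.
AGENT_DB = "/var/ossec/queue/db/001.db"

# Per the reply, agents on Windows 10 20H2/21H1 and later show os_release "2009"
# on managers before v4.3, and the vulnerability detector then finds nothing.
UNDETECTED_RELEASE = "2009"


def inventory_status(conn):
    """Summarize what the manager holds for one agent (same queries as the reply)."""
    cur = conn.cursor()
    hotfixes = cur.execute("select count(*) from sys_hotfixes").fetchone()[0]
    programs = cur.execute("select count(*) from sys_programs").fetchone()[0]
    row = cur.execute("select os_release from sys_osinfo").fetchone()
    os_release = row[0] if row else None
    return {
        "hotfixes": hotfixes,
        "programs": programs,
        "os_release": os_release,
        # syscollector data has reached the manager only if both tables have rows
        "synced": hotfixes > 0 and programs > 0,
        "version_issue": os_release == UNDETECTED_RELEASE,
    }


def diagnose(status):
    """Map the status dict onto the two causes discussed in the thread."""
    if not status["synced"]:
        return "not synced: no packages/hotfixes on the manager yet, wait for syscollector sync"
    if status["version_issue"]:
        return "os_release is 2009: Windows 10 20H2/21H1 detection issue (fixed for v4.3)"
    return "inventory present: wait for <interval> (partial scan) / <ignore_time> (full scan)"


def constructed_db(synced=True):
    """In-memory stand-in for 001.db. Schema and rows are constructed for this
    example and are much smaller than the real Wazuh tables (assumption)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        create table sys_hotfixes (scan_id integer, hotfix text);
        create table sys_programs (scan_id integer, name text, version text);
        create table sys_osinfo (scan_id integer, os_name text, os_version text, os_release text);
    """)
    if synced:
        conn.executescript("""
            insert into sys_hotfixes values (1, 'KB0000000');                      -- constructed
            insert into sys_programs values (1, 'Java 8 Update 0', '8.0.0.0');     -- constructed
            insert into sys_osinfo values (1, 'Microsoft Windows 10 Pro', '10.0.19043', '2009');
        """)
    return conn


if __name__ == "__main__":
    # On a manager you would use sqlite3.connect(AGENT_DB) instead.
    for flag in (True, False):
        status = inventory_status(constructed_db(synced=flag))
        print(status)
        print(diagnose(status))
```

Run it on the manager as a user that can read /var/ossec/queue/db; a result of "not synced" means the WUI Inventory Data page for that agent will be empty too, while "os_release is 2009" means the inventory is there but the version-detection issue from the linked PR is the reason no CVEs appear.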

Kenneth Shibaba

Aug 11, 2023, 7:03:14 PM
to Wazuh mailing list
Hi,

I updated my Windows 10 22H2 and after that I noticed my vulnerability scans show nothing. I have been dealing with this and still have no luck.