Hi Lennart,
Apparently, the configuration was configured correctly, so as it happened, it should work correctly once the synchronization with syscollector between the manager and the agent is finished.
When the manager has the information on patches and packages from the Windows agent, the time at which the vulnerability-detector module is configured must be taken into account (configuration fields: <interval> and <ignore_time>).
The <interval> option will perform a partial scan of the agent once the configured time expires (this means that if it detects new packages, it will analyze them, but if there is nothing new, it will continue with the next agent).
If the partial scan does not detect any vulnerability, then you have to wait for <ignore_time> to perform a full scan, so it will analyze all the packages and patches that it detects in the agent, and after finishing, it will report them if everything works correctly.
Also, there is a known issue for the recently updated Windows 10 agents, which has been fixed in the following PR, but will not be available until Wazuh version v4.3 is released:
https://github.com/wazuh/wazuh/pull/10168
This problem, as you can see in the issue, occurs in the new versions 20H2, 21H1, etc., where this version is not detected correctly, and therefore it does not find any vulnerability of the system.
To check if the manager has the Windows agent packages and hotfixes, you can get the information directly from the manager with the following commands (where 001.db is the Windows agent in question):
sqlite3 /var/ossec/queue/db/001.db "select * from sys_hotfixes;"
sqlite3 /var/ossec/queue/db/001.db "select * from sys_programs;"
And to check if the version problem of the new Windows 10 affects you, you can execute the following command and check that the detected os_release is equal to 2009 (instead of 21H1 or similar):
sqlite3 /var/ossec/queue/db/001.db "select * from sys_osinfo;"
Or you can get them from the WUI, heading to the section: Agents -> Select Windows Agent -> Inventory Data, where you will find all the information that the manager has about the Windows agent.
I hope this helps you.
If you don't understand something or have any questions, don't hesitate to ask.
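
The three database checks from this message combined into one read-only script, as an added example that is not part of the original post and is not Wazuh's own code. Assumptions: the sample databases are constructed with simplified columns (only the table names and `os_release` come from the post), the KB numbers and program name are made up, and on a real manager the path would be the agent's file under /var/ossec/queue/db/.

```python
import sqlite3
import tempfile

TABLES = ("sys_hotfixes", "sys_programs")  # table names from the post

def inventory_status(db_path):
    """Summarise the inventory held for one agent; mode=ro never alters the DB."""
    con = sqlite3.connect(f"file:{db_path}?mode=ro", uri=True)
    try:
        present = {r[0] for r in con.execute(
            "SELECT name FROM sqlite_master WHERE type='table'")}
        status = {}
        for table in TABLES:
            # A missing table is reported as None, an empty one as 0.
            status[table] = (con.execute(f"SELECT count(*) FROM {table}")
                             .fetchone()[0] if table in present else None)
        row = (con.execute("SELECT os_release FROM sys_osinfo").fetchone()
               if "sys_osinfo" in present else None)
        status["os_release"] = row[0] if row else None
        # The post's check: os_release equal to 2009, not 21H1 or similar.
        status["release_is_2009"] = str(status["os_release"]) == "2009"
        # Both tables must exist and hold rows before a scan has data to analyze.
        status["has_inventory"] = all(status[t] for t in TABLES)
        return status
    finally:
        con.close()

def build_sample_db(path, os_release, hotfixes, programs):
    """Constructed stand-in for an agent DB; columns are simplified."""
    con = sqlite3.connect(path)
    con.executescript(
        "CREATE TABLE sys_osinfo (os_release TEXT);"
        "CREATE TABLE sys_hotfixes (hotfix TEXT);"
        "CREATE TABLE sys_programs (name TEXT, version TEXT);")
    con.execute("INSERT INTO sys_osinfo VALUES (?)", (os_release,))
    con.executemany("INSERT INTO sys_hotfixes VALUES (?)", [(h,) for h in hotfixes])
    con.executemany("INSERT INTO sys_programs VALUES (?, ?)", programs)
    con.commit()
    con.close()

def demo():
    """Run the check on two constructed databases: populated and not yet synced."""
    with tempfile.TemporaryDirectory() as d:
        full, empty = d + "/full.db", d + "/empty.db"
        build_sample_db(full, "2009", ["KB0000001", "KB0000002"], [("Example App", "1.0")])
        build_sample_db(empty, "21H1", [], [])
        return inventory_status(full), inventory_status(empty)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

A `None` count means the table does not exist yet, which is different from a table that exists but has not received any rows from syscollector.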