"NTFS Alternate data stream found" Exception handling failed

[Ethan Thompson]

Hi Team,

When applied as follows in /shadred/agent.conf of the Windows OS agent, exceptions are not handled.
I'd like some help with this.

event summary)
rule.id: 510
data.title: NTFS Alternate data stream found: 'C:\Program Files\Git:Win32App_1'.
decoder.name: rootcheck
full_log: NTFS Alternate data stream found: 'C:\Program Files\Git:Win32App_1'. Possible hidden content.

agent.conf settings)
<agent_config>
   <!-- Shared agent configuration here -->
   <rootcheck>
     <ignore type="sregex">%Program Files%</ignore>
     <ignore type="sregex">^%Program Files%</ignore>
     <ignore type="sregex">Git</ignore>
     <ignore type="sregex">Redis</ignore>
   </rootcheck>
</agent_config>

[Juan Nicolás Asselle (Nico Asselle)]

Hi Ethan,

I’m currently checking rootcheck source code to figure out why this is happening since the documentation allows using ignore option on check_sys.

In the meantime, a possible workaround is to silence these alerts from Wazuh Manager side by creating a custom rule.

I’ll be back ASAP with root cause analysis conclusions.
Regards,
Nicolas

​

[Ethan Thompson]

Hi Nicolas

Thank you for answer.
Until the patch, I will manage the issue through "custom rule".

I hope the patch comes soon.
Regards,

Ethan

2023년 3월 27일 월요일 오후 8시 56분 4초 UTC+9에 Juan Nicolás Asselle (Nico Asselle)님이 작성: