"NTFS Alternate data stream found" Exception handling failed


Ethan Thompson

Mar 27, 2023, 3:47:01 AM
to Wazuh mailing list
Hi Team,
When the following is applied in /shared/agent.conf of the Windows agent, the exceptions are not handled.
I'd like some help with this.

Event summary:
rule.id: 510
data.title: NTFS Alternate data stream found: 'C:\Program Files\Git:Win32App_1'.
decoder.name: rootcheck
full_log: NTFS Alternate data stream found: 'C:\Program Files\Git:Win32App_1'. Possible hidden content.

agent.conf settings:
<agent_config>
   <!-- Shared agent configuration here -->
   <rootcheck>
     <ignore type="sregex">%Program Files%</ignore>
     <ignore type="sregex">^%Program Files%</ignore>
     <ignore type="sregex">Git</ignore>
     <ignore type="sregex">Redis</ignore>
   </rootcheck>
</agent_config>

Juan Nicolás Asselle (Nico Asselle)

Mar 27, 2023, 7:56:04 AM
to Wazuh mailing list

Hi Ethan,

I’m currently checking rootcheck source code to figure out why this is happening since the documentation allows using ignore option on check_sys.

In the meantime, a possible workaround is to silence these alerts from Wazuh Manager side by creating a custom rule.

I’ll be back ASAP with root cause analysis conclusions.
Regards,
Nicolas
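
The manager-side workaround Nicolás refers to, written out as an added example (it is not part of this thread or of the Wazuh ruleset): a child rule of rule 510 that drops only the ADS alert for the Git install directory, so that every other rootcheck finding, including ADS on other paths, still alerts. Assumptions: the rule id 100510 is an arbitrary choice from the 100000-120000 range reserved for custom rules, the file is /var/ossec/etc/rules/local_rules.xml on the manager, and `type="pcre2"` is available (Wazuh 4.x). The pattern is generalised to `Win32App_<n>` on the assumption that the stream name may carry a different number on other hosts.

```xml
<!-- /var/ossec/etc/rules/local_rules.xml (added example, not Wazuh's own ruleset) -->
<group name="local,rootcheck,">

  <!-- Child of rule 510 "Host-based anomaly detection event (rootcheck)".
       Level 0 means the event is matched but never alerted or logged.
       The regex is anchored to the exact path so that ADS found anywhere
       else on the file system still raises rule 510 as usual. -->
  <rule id="100510" level="0">
    <if_sid>510</if_sid>
    <!-- PCRE2 is used so the Windows path backslashes can be escaped
         unambiguously (\\ matches one literal backslash). -->
    <regex type="pcre2">^NTFS Alternate data stream found: 'C:\\Program Files\\Git:Win32App_\d+'\.</regex>
    <description>Expected alternate data stream on the Git install directory; silenced after manual review.</description>
  </rule>

</group>
```

After saving the file, run `/var/ossec/bin/wazuh-logtest` on the manager and paste the full_log line from the event above; the output should show rule 100510 at level 0 instead of 510. Then restart wazuh-manager. Because an alternate data stream is a long-standing way to hide content on NTFS, keep the match as narrow as the one above rather than silencing rule 510 for a whole directory tree, and inspect the stream on the host before adding the exception (for example with `Get-Item 'C:\Program Files\Git' -Stream *` and `Get-Content -Stream Win32App_1` in PowerShell) so that only a stream you have confirmed as benign is excluded.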

Ethan Thompson

Mar 27, 2023, 9:42:46 PM
to Wazuh mailing list
Hi Nicolas
Thank you for your answer.
Until the patch, I will manage the issue through "custom rule".

I hope the patch comes soon.
Regards,
Ethan
On Monday, March 27, 2023 at 8:56:04 PM UTC+9, Juan Nicolás Asselle (Nico Asselle) wrote: