Detecting and removing malware using VirusTotal integration


Abdulrazack Shabani

Nov 17, 2024, 11:35:05 PM
to Wazuh | Mailing List
Hello Team,

I have correctly configured Wazuh to detect and remove malware for both my Windows and Linux agents.

The problem is that Wazuh seems to execute only the first block in '/var/ossec/etc/ossec.conf': if I start with the Linux block, it successfully detects and removes malware for Linux agents and fails for Windows agents, and vice versa. Is there a way to arrange these blocks so that it can detect and remove malware for both agents at the same time?



Md. Nazmur Sakib

Nov 18, 2024, 12:35:09 AM
to Wazuh | Mailing List

Hi Abdulrazack,

The issue is that you have used remove-threat as the name of two different commands, and they point to two different scripts, so when the remove-threat command is called, the first one it finds in the config file is the one that works.

You can change the command names to make it work.

Ex:

<ossec_config>
  <command>
    <name>remove-threat-linux</name>
    <executable>remove-threat.sh</executable>
    <timeout_allowed>no</timeout_allowed>
  </command>

  <active-response>
    <disabled>no</disabled>
    <command>remove-threat-linux</command>
    <location>local</location>
    <rules_id>87105</rules_id>
  </active-response>
</ossec_config>

<ossec_config>
  <command>
    <name>remove-threat-win</name>
    <executable>remove-threat.exe</executable>
    <timeout_allowed>no</timeout_allowed>
  </command>

  <active-response>
    <disabled>no</disabled>
    <command>remove-threat-win</command>
    <location>local</location>
    <rules_id>87105</rules_id>
  </active-response>
</ossec_config>



Ref: https://documentation.wazuh.com/current/user-manual/capabilities/active-response/how-to-configure.html#configuring-the-wazuh-server


Let me know if this works for you.
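Added example, not code from this thread or from Wazuh: a small Python lint that reproduces the diagnosis above by parsing ossec.conf-style text and reporting command names that are defined more than once (the first definition wins and the later executables never run), plus active-response references that point at no command definition. The two sample configurations inside it are constructed for this example, one mirroring the duplicate "remove-threat" name and one mirroring the renamed fix. It assumes, as in the posted configuration, that the file holds several top-level <ossec_config> blocks, so it wraps them in a synthetic root before parsing.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample: the misconfiguration described in the thread, where two
# <command> definitions share the name "remove-threat" but run different files.
BROKEN_CONF = """
<ossec_config>
  <command>
    <name>remove-threat</name>
    <executable>remove-threat.sh</executable>
  </command>
  <active-response>
    <command>remove-threat</command>
    <location>local</location>
    <rules_id>87105</rules_id>
  </active-response>
</ossec_config>
<ossec_config>
  <command>
    <name>remove-threat</name>
    <executable>remove-threat.exe</executable>
  </command>
  <active-response>
    <command>remove-threat</command>
    <location>local</location>
    <rules_id>87105</rules_id>
  </active-response>
</ossec_config>
"""

# Constructed sample: the fix suggested in the reply, one unique name per executable.
FIXED_CONF = """
<ossec_config>
  <command>
    <name>remove-threat-linux</name>
    <executable>remove-threat.sh</executable>
  </command>
  <active-response>
    <command>remove-threat-linux</command>
    <location>local</location>
    <rules_id>87105</rules_id>
  </active-response>
</ossec_config>
<ossec_config>
  <command>
    <name>remove-threat-win</name>
    <executable>remove-threat.exe</executable>
  </command>
  <active-response>
    <command>remove-threat-win</command>
    <location>local</location>
    <rules_id>87105</rules_id>
  </active-response>
</ossec_config>
"""


def parse_ossec_conf(text: str) -> ET.Element:
    """Parse text that may hold several top-level <ossec_config> blocks.

    Repeated <ossec_config> roots are not one well-formed XML document, so the
    text is wrapped in a synthetic root before handing it to ElementTree.
    """
    return ET.fromstring("<root>" + text + "</root>")


def command_definitions(text: str) -> dict:
    """Map each <command><name> to the executables declared for it, in file order.

    Only <command> elements that are direct children of <ossec_config> are
    definitions; <active-response><command> is a reference and is handled separately.
    """
    by_name = defaultdict(list)
    for cfg in parse_ossec_conf(text).findall("ossec_config"):
        for cmd in cfg.findall("command"):
            name = (cmd.findtext("name") or "").strip()
            by_name[name].append((cmd.findtext("executable") or "").strip())
    return dict(by_name)


def find_duplicate_commands(text: str) -> dict:
    """Return {name: [executables]} for names defined more than once (only the first runs)."""
    return {n: e for n, e in command_definitions(text).items() if len(e) > 1}


def unresolved_references(text: str) -> list:
    """Return <active-response><command> values that match no <command><name>."""
    defined = command_definitions(text)
    refs = []
    for cfg in parse_ossec_conf(text).findall("ossec_config"):
        for ar in cfg.findall("active-response"):
            ref = (ar.findtext("command") or "").strip()
            if ref not in defined:
                refs.append(ref)
    return refs


if __name__ == "__main__":
    for label, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        print(label, "duplicates:", find_duplicate_commands(conf),
              "unresolved:", unresolved_references(conf))
```

Running the lint on a real file is a matter of passing the contents of /var/ossec/etc/ossec.conf to find_duplicate_commands and unresolved_references; a non-empty result from either is a configuration that will silently skip one platform's response.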

Abdulrazack Shabani

Nov 18, 2024, 3:46:53 AM
to Wazuh | Mailing List
Hi Md. Nazmur,

Thank you for your support. It worked.

This was my final setup.

<ossec_config>
  <integration>
    <name>virustotal</name>
    <api_key>REDACTED</api_key> <!-- Replace with your VirusTotal API key -->
    <group>syscheck</group>
    <rule_id>100200,100201</rule_id>
    <alert_format>json</alert_format>
  </integration>
</ossec_config>


<ossec_config>
  <command>
    <name>remove-threat-linux</name>
    <executable>remove-threat.sh</executable>
    <timeout_allowed>no</timeout_allowed>
  </command>

  <active-response>
    <disabled>no</disabled>
    <command>remove-threat-linux</command>
    <location>local</location>
    <rules_id>87105</rules_id>
  </active-response>
</ossec_config>


<ossec_config>
  <command>
    <name>remove-threat-windows</name>
    <executable>remove-threat.exe</executable>
    <timeout_allowed>no</timeout_allowed>
  </command>

  <active-response>
    <disabled>no</disabled>
    <command>remove-threat-windows</command>
    <location>local</location>
    <rules_id>87105</rules_id>
  </active-response>
</ossec_config>

Abdulrazack Shabani

Nov 18, 2024, 5:38:31 AM
to Wazuh | Mailing List
Hello Team,

I have another question: how do I monitor the Downloads folder of every user on a Windows agent?

Ex:

<directories realtime="yes">C:\Users\<USER_NAME>\Downloads</directories>

With this I can only monitor one user. Is it possible to monitor the Downloads directory for all users?



Md. Nazmur Sakib

Nov 20, 2024, 4:52:41 AM
to Wazuh | Mailing List

Wildcard characters (? and *) can be used to monitor paths that match the given pattern.

Ex:

<directories realtime="yes">C:\Users\*\Downloads</directories>

Ref: https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html#directories

Let me know if this works for you.
