Wazuh agent + Kaspersky endpoint


Massimiliano De Falco

Jan 6, 2023, 5:55:20 AM
to Wazuh mailing list
Good morning to all,
I have a problem with the vulnerability report on some PCs. The agent installed is v4.3.10 on WIN10 client machines.
I have discovered that this problem only occurs on PCs where Kaspersky Endpoint Security is installed (keswin_11.11.0.452_es-MX_aes256.exe).
On these PCs the vulnerability report is empty: 0 vulnerabilities; Summary: no results.
The other modules work fine.

How can I solve this problem?

--
Massimiliano De Falco

Massimiliano De Falco

Jan 6, 2023, 4:55:05 PM
to Wazuh mailing list
My log from the PC 011 agent is:

[attachment: wazuh1.JPG]

but the vulnerability report is:

[attachment: wazuh2.JPG]

Marcel Kemp

Jan 10, 2023, 7:36:39 AM
to Wazuh mailing list
Hi Massimiliano,

Currently, we are not aware of any issues related to Vulnerability Detector on a Windows 10 machine with Kaspersky Endpoint Security installed.
However, we know that if the Windows agent is up-to-date with the latest system patches, it is normal that it does not have any vulnerabilities.

Even so, to find out what is happening, let's check the information that Wazuh is obtaining about the system to make sure that Kaspersky is not blocking any communication with the server or with the data collected by Syscollector.
  • The agent's update patch list.
  • The agent's package list.
To get the list of update patches and packages, you can get the information directly from the API, using the following queries:
(for example, from the WUI you can use the following tool to run the queries: Modules -> tools -> API console)
GET /syscollector/{agent_id}/hotfixes
GET /syscollector/{agent_id}/packages

  • And in case the output does not return any information, then I would need you to enable debug mode and share the manager logs.
To activate debug mode, open the file /var/ossec/etc/local_internal_options.conf and add the line wazuh_modules.debug = 2 (or use the next command: echo "wazuh_modules.debug=2" >> /var/ossec/etc/local_internal_options.conf).
Please hide any sensitive information.
Also remember, once you get the necessary data, remove the debug line and restart the manager again to avoid disk space problems.

I look forward to your response.

Massimiliano De Falco

Jan 10, 2023, 9:28:35 AM
to Marcel Kemp, Wazuh mailing list
Hi all, thanks for your answer.
Yes, the two commands in the API console work well:

GET /syscollector/011/hotfixes

 {
  "data": {
    "affected_items": [
      {
        "scan_time": "2022-12-27T11:40:03Z",
        "hotfix": "KB2468871",
        "scan_id": 0,
        "agent_id": "011"
      },
      {
        "scan_time": "2022-12-27T11:40:03Z",
        "hotfix": "KB2478063",
        "scan_id": 0,
        "agent_id": "011"
... 

 ],
    "total_affected_items": 36,
    "total_failed_items": 0,
    "failed_items": []
  },
  "message": "All specified syscollector information was returned",
  "error": 0
}

and the command GET /syscollector/011/packages works well too:
{
  "data": {
    "affected_items": [
      {
        "scan": {
          "id": 0,
          "time": "2022-12-27T11:40:03Z"
        },
        "format": "win",
        "install_time": "20221219",
        "vendor": "Microsoft Corporation",
        "size": 0,
        "version": "16.0.10393.20026",
        "name": "Office 16 Click-to-Run Localization Component",
        "architecture": "x86_64",
        "agent_id": "011"
...
  ],
    "total_affected_items": 16,
    "total_failed_items": 0,
    "failed_items": []
  },
  "message": "All specified syscollector information was returned",
  "error": 0
}

but for me it's very strange that the Vulnerabilities summary shows "No results".

--


--
Massimiliano De Falco

Marcel Kemp

Jan 11, 2023, 11:20:03 AM
to Wazuh mailing list
Hi again Massimiliano,

I understand that it is strange to see that an agent has no vulnerabilities, but in the case of the Vulnerability Detector scan for a Windows agent we perform the following two checks:

- On one hand, to check for vulnerabilities in the system, we make use of the vulnerabilities and the patches that fix the problem with our MSU (which gets the information from the official MSRC and Catalog sources).
Then, thanks to the hotfixes that we collect with Syscollector, we can find the vulnerabilities of the system if the agent does not have any patch that is related to any vulnerability.
However, as Windows has cumulative patches, if the agent is fully updated, then it should not be vulnerable.
Example: CVE-2023-21776 affects Windows 10 agents if they do not have the KB5022282 patch or any of its supersedence.

- On the other hand, concerning package vulnerabilities, it should be noted that they are limited to translations done in the CPE Helper, as Windows packages are not standardized.
Then, in the case of any package that is installed in the agent but that is not in the cpe_helper.json dictionary, it won't be able to check the vulnerabilities, and therefore it won't appear in the inventory.
However, all the packages that have a translation in the cpe_helper.json will be analysed and will get the vulnerabilities correctly.
Also, there is the possibility to manually modify the dictionary to add translations of new packages to get their vulnerabilities, as described in the documentation: CPE Helper.

Therefore, it can be normal that a Windows agent does not have any vulnerability.

I hope this helps.
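The two checks Marcel describes, as an added example that is not part of the thread or of Wazuh's own code: it reads the syscollector response shape quoted earlier and reports which installed packages have no CPE translation (and so are silently skipped) and whether a fixing KB, or one of its superseding KBs, is present in the hotfix list. The sample package and hotfix data and the translation dictionary are constructed assumptions; the real cpe_helper.json has a richer schema than the stand-in used here.

```python
import json
from typing import List, Set

# Constructed sample responses (not real agent data), trimmed to the shape of the
# GET /syscollector/011/packages and /hotfixes output quoted earlier in the thread.
PACKAGES_RESPONSE = json.loads("""{
  "data": {"affected_items": [
    {"format": "win", "vendor": "Microsoft Corporation", "version": "16.0.10393.20026",
     "name": "Office 16 Click-to-Run Localization Component", "agent_id": "011"},
    {"format": "win", "vendor": "Example Vendor", "version": "1.2.3",
     "name": "Example Endpoint Client", "agent_id": "011"}
  ], "total_affected_items": 2, "total_failed_items": 0, "failed_items": []},
  "message": "All specified syscollector information was returned", "error": 0}""")

HOTFIXES_RESPONSE = json.loads("""{
  "data": {"affected_items": [
    {"hotfix": "KB2468871", "scan_id": 0, "agent_id": "011"},
    {"hotfix": "KB5022282", "scan_id": 0, "agent_id": "011"}
  ], "total_affected_items": 2, "total_failed_items": 0, "failed_items": []},
  "message": "All specified syscollector information was returned", "error": 0}""")

# Assumption: a simplified stand-in for the cpe_helper.json dictionary. Each key is a
# substring that must appear in the package name for a translation to exist; the value
# is the CPE vendor:product it would map to. The real file uses a richer schema.
KNOWN_TRANSLATIONS = {"Office 16": "microsoft:office"}


def packages_without_translation(response: dict) -> List[str]:
    """Names of installed packages matched by no translation entry.
    Vulnerability Detector cannot build a CPE for these, so they never
    appear in the vulnerability inventory even if they are vulnerable."""
    skipped = []
    for pkg in response["data"]["affected_items"]:
        name = pkg["name"].lower()
        if not any(key.lower() in name for key in KNOWN_TRANSLATIONS):
            skipped.append(pkg["name"])
    return skipped


def patch_present(response: dict, fixing_kbs: Set[str]) -> bool:
    """True if the agent reports any KB from fixing_kbs. Pass the fixing KB
    together with the KBs that supersede it: Windows updates are cumulative,
    so a later cumulative update also closes the CVE."""
    installed = {item["hotfix"] for item in response["data"]["affected_items"]}
    return bool(installed & fixing_kbs)


if __name__ == "__main__":
    print("skipped packages:", packages_without_translation(PACKAGES_RESPONSE))
    print("KB5022282 present:", patch_present(HOTFIXES_RESPONSE, {"KB5022282"}))
```

Run the same two functions over the live API output for the agent to see which packages the scan is actually ignoring.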
