False positives in vulnerability detector for windows


subhrajyoti Behera

Nov 14, 2022, 7:42:19 AM
to Wazuh mailing list

Hello, we have Wazuh deployed on 4 machines for testing purpose.

For the Windows agents I see vulnerabilities that affect Windows 11 build 10.0.22621, which is the latest Windows 11 patch from Microsoft.

Wazuh says that some patches are not installed on the system, which leads to this behavior. But when I checked, Microsoft does not provide those patches through Windows Update.

I also tried to download and manually install the patch updates which did not work. (The installer says this update is not applicable for this computer).

I have the latest Wazuh central components as well as agents. I need your help to resolve the same.

Thanks,

Subhrajyoti Behera

Miguel Angel Cazajous

Nov 14, 2022, 8:36:29 AM
to Wazuh mailing list
Hi subhrajyoti,

Talking to the team, there is already an issue reported about false positives on Windows 11 22H2. Currently, we get information on Windows vulnerabilities from the Microsoft Security Response Service and the Microsoft Catalog, and for the latest version of Windows there is a lack of information about the relationship between the new and old patches, which causes those old vulnerabilities to affect this version (22H2).
We are waiting for Microsoft to establish this patch relation on its sources.

Could you share the patches that are reported not being installed and the output of the following API request to check we are talking about the same issue?
  • GET /syscollector/{agent_id}/hotfixes
  • GET /syscollector/{agent_id}/os
This is the issue we have already been tracking: https://github.com/wazuh/wazuh/issues/15160

Regards!
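As an added example (not from this thread and not Wazuh's own code): a small Python triage that compares the KBs the detector claims are missing with the hotfix list the agent reports through the GET /syscollector/{agent_id}/hotfixes endpoint named above, so an alert for a KB the agent already has stands out as the feed/data gap described rather than a real missing patch. The response shape and the alert fields are assumptions, and all sample data is constructed.

```python
import re

KB_RE = re.compile(r"\b(KB\d{6,8})\b")

# Constructed sample in the assumed shape of GET /syscollector/{agent_id}/hotfixes
HOTFIXES_RESPONSE = {
    "data": {"affected_items": [
        {"agent_id": "001", "hotfix": "KB5019980"},
        {"agent_id": "001", "hotfix": "KB5020044"},
    ]},
}

# Constructed sample alerts with placeholder CVE ids; only the fields used here
ALERTS = [
    {"vulnerability": {"cve": "CVE-0000-0001",
                       "condition": "KB5019980 patch is not installed"}},
    {"vulnerability": {"cve": "CVE-0000-0002",
                       "condition": "KB4999999 patch is not installed"}},
    {"vulnerability": {"cve": "CVE-0000-0003",
                       "condition": "Package less than 3.8.11"}},
]

def installed_hotfixes(response):
    """KB identifiers the agent reports as installed (a set of strings)."""
    return {item["hotfix"] for item in response["data"]["affected_items"]}

def missing_kb(condition):
    """KB named in a 'patch is not installed' condition, or None otherwise."""
    if "not installed" not in condition:
        return None
    m = KB_RE.search(condition)
    return m.group(1) if m else None

def triage(alerts, hotfix_response):
    """Bucket alerts by whether the KB they call missing is in the hotfix list:
    installed yet flagged -> suspect false positive (detector/feed data gap);
    not reported -> real gap, or superseded by a cumulative update; else other."""
    installed = installed_hotfixes(hotfix_response)
    out = {"suspect_false_positive": [], "kb_not_reported": [], "other": []}
    for alert in alerts:
        v = alert["vulnerability"]
        kb = missing_kb(v["condition"])
        if kb is None:
            out["other"].append(v["cve"])
        elif kb in installed:
            out["suspect_false_positive"].append(f"{v['cve']} ({kb})")
        else:
            out["kb_not_reported"].append(f"{v['cve']} ({kb})")
    return out
```

A KB in the "kb_not_reported" bucket still needs a manual check against the Microsoft Update Catalog, since it may have been folded into a cumulative update the agent does report.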

Jansen Holanda - TI

Mar 3, 2023, 3:18:48 PM
to Wazuh mailing list
Hi there!

I have the same problem!

Has Microsoft fixed this problem yet?

Regards,

Miguel Angel Cazajous

Mar 10, 2023, 8:15:52 AM
to Wazuh mailing list
Hi Jansen,

I'm afraid that the issue is still under investigation.

BS Negi

May 10, 2023, 8:08:40 AM
to Wazuh mailing list
Hi,

I am also facing the same issue.

Miguel Angel Cazajous

Jun 21, 2023, 3:14:08 PM
to Wazuh mailing list
Hi all,

This issue was fixed in https://github.com/wazuh/wazuh/pull/17178 and released as part of 4.4.4.

Regards!

T. Keith Keating

Jul 22, 2023, 5:50:06 PM
to Wazuh mailing list
I have version 4.4.5 of Wazuh, and the 4.4.4 release apparently was not or is not carried over, as I still have a whole list that is related to MS Office Pro Plus 2016 and a couple for Python 3.8.10.

Thanks,
Keith

Md Sohaib

Jul 25, 2023, 11:30:53 AM
to T. Keith Keating, Wazuh mailing list
Tik Tok video I come in chair


Krzysztof Gmyr

Sep 5, 2023, 5:47:18 AM
to Wazuh | Mailing List
In version 4.5.1 false positive alerts for Office 2016 still exist.
Fully patched Office 2016 generates 97 High Severity alerts, 22 Medium and 1 Low.
In the "condition" field, I see "KBxxxxxxxx patch is not installed". But installation of these patches isn't possible - these patches are parts of cumulative patches or were replaced by a newer KB.