Troubleshooting Wazuh VirusTotal Integration on Windows Agents


Joshua Strickland

Aug 12, 2024, 12:08:26 AM
to Wazuh | Mailing List

I'm currently facing an issue with the Wazuh agent configuration on Windows where the VirusTotal integration is checking all files across various directories, including the registry and other unnecessary areas. With a limited API call rate of 4 calls per minute, this is unsustainable.

What I've Tried:

  • I’ve set up the agent.conf file from the Wazuh Dashboard to monitor specific directories like Desktop, Downloads, and Documents using the <directories> tag under <syscheck>.
    • <agent_config>
        <!-- Sysmon Log Monitoring Configuration -->
        <localfile>
          <location>Microsoft-Windows-Sysmon/Operational</location>
          <log_format>eventchannel</log_format>
        </localfile>
        <syscheck>
          <!-- Monitor Desktop with real-time monitoring -->
          <directories realtime="yes" report_changes="yes" check_sum="yes" check_perm="yes">"C:\Users\*\Desktop"</directories>
          <!-- Monitor Downloads with real-time monitoring -->
          <directories realtime="yes" report_changes="yes" check_sha256sum="yes" check_owner="yes">"C:\Users\*\Downloads"</directories>
          <!-- Monitor Documents with real-time monitoring -->
          <directories realtime="yes" report_changes="yes" check_md5sum="yes" check_group="yes">"C:\Users\*\Documents"</directories>
          <!-- Additional directory for system-wide monitoring (example) -->
          <directories check_all="yes" diff_size_limit="100MB">"C:\SystemLogs"</directories>
        </syscheck>
      </agent_config>

  • Attempted to create custom rules in the Wazuh manager (local_rules.xml) to limit the VirusTotal checks to these specific directories, but it didn't seem to do anything:
    • <group name="virustotal,">
        <rule id="100092" level="12">
          <if_sid>657</if_sid>
          <match>Successfully removed threat</match>
          <description>$(parameters.program) removed threat located at $(parameters.alert.data.virustotal.source.file)</description>
        </rule>

        <rule id="100093" level="12">
          <if_sid>657</if_sid>
          <match>Error removing threat</match>
          <description>Error removing threat located at $(parameters.alert.data.virustotal.source.file)</description>
        </rule>
      </group>

      <group name="ossec,syscheck,">
        <rule id="120000" level="0">
          <if_group>syscheck</if_group>
          <field name="file">ossec-agent</field>
          <description>Ossec-agent syscheck excluded</description>
        </rule>
      </group>

      <group name="virustotal,syscheck">
        <!-- Rule for Desktop -->
        <rule id="100001" level="10">
          <decoded_as>ossec</decoded_as>
          <field name="location">syscheck</field>
          <field name="full_log">"C:\\Users\\[^\\]+\\Desktop\\.*"</field>
          <description>VirusTotal check for Desktop files</description>
        </rule>

        <!-- Rule for Downloads -->
        <rule id="100002" level="10">
          <decoded_as>ossec</decoded_as>
          <field name="location">syscheck</field>
          <field name="full_log">"C:\\Users\\[^\\]+\\Downloads\\.*"</field>
          <description>VirusTotal check for Downloads</description>
        </rule>

        <!-- Rule for Documents -->
        <rule id="100003" level="10">
          <decoded_as>ossec</decoded_as>
          <field name="location">syscheck</field>
          <field name="full_log">"C:\\Users\\[^\\]+\\Documents\\.*"</field>
          <description>VirusTotal check for Documents</description>
        </rule>
      </group>

What I'm Trying to Accomplish:

  • My goal is to restrict VirusTotal checks to only certain critical directories, such as Desktop, Downloads, and Documents, while keeping syscheck active across the entire system. This way, I can efficiently manage the API rate limit while ensuring only the most relevant files are scanned by VirusTotal.
Any help is much appreciated!

Lamya Imam

Aug 12, 2024, 12:55:46 AM
to Wazuh | Mailing List
Hello Joshua Strickland,

Custom rules are a good start, but you need to ensure they are properly structured to filter VirusTotal checks.
You can try writing the custom rules like this:
<group name="test,">
    <rule id="100001" level="7">
        <if_sid>550</if_sid>
        <field name="file">c:\\users\\\.+\\downloads\\\.+</field>
        <description>File modified at Downloads directory.</description>
    </rule>
   
    <rule id="100002" level="7">
        <if_sid>554</if_sid>
        <field name="file">c:\\users\\\.+\\downloads\\\.+</field>
        <description>File added to Downloads directory.</description>
    </rule>
</group>

Then you need to edit the <integration> block of the Wazuh server's ossec.conf file like this:
<ossec_config>
  <integration>
    <name>virustotal</name>
    <api_key>KEY</api_key> <!-- Replace with your VirusTotal API key -->
    <rule_id>100001,100002</rule_id> <!-- Must match the IDs of the custom rules above -->
    <alert_format>json</alert_format>
  </integration>
</ossec_config>

Restart the Wazuh manager:
systemctl restart wazuh-manager

Mentioning the updated custom rules in the VirusTotal configuration will allow it to check the paths defined in the custom rules instead of all syscheck paths, while keeping syscheck active across the entire system.

To test it, you can try out the attack simulation from the documentation and check if it is working:
https://documentation.wazuh.com/current/proof-of-concept-guide/detect-remove-malware-virustotal.html#id2

Hope this information was helpful!
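The scoping described in this reply only works when every ID in the integration's <rule_id> list is actually defined in a rules file; an ID that nothing defines never fires and the integration silently checks nothing for it. The following added example (not part of the thread or of the Wazuh project) parses a constructed local_rules.xml, which extends the Downloads rules above to the Desktop and Documents directories the original post asked about, together with a constructed ossec.conf integration block, and reports any referenced rule ID that no rule defines. The rule IDs, group name and descriptions are assumptions chosen for the example; the 550/554 parents, the file field and the integration options are the ones the reply uses.

```python
"""Check that a Wazuh VirusTotal <integration> block only references rules that exist.

Added example, not code from the thread or the Wazuh project. Everything is
parsed with the standard library so it runs offline against the constructed
inputs below.
"""
import xml.etree.ElementTree as ET

# Constructed local_rules.xml. Rule IDs, group name and descriptions are
# assumptions for this example; parents 550 (modified) and 554 (added) and the
# lowercase OS_Regex paths follow the reply's Downloads rules.
LOCAL_RULES_XML = r"""
<group name="virustotal_scope,syscheck,">
  <rule id="100001" level="7">
    <if_sid>550</if_sid>
    <field name="file">c:\\users\\\.+\\desktop\\\.+</field>
    <description>File modified in a Desktop directory.</description>
  </rule>
  <rule id="100002" level="7">
    <if_sid>554</if_sid>
    <field name="file">c:\\users\\\.+\\desktop\\\.+</field>
    <description>File added to a Desktop directory.</description>
  </rule>
  <rule id="100003" level="7">
    <if_sid>550</if_sid>
    <field name="file">c:\\users\\\.+\\downloads\\\.+</field>
    <description>File modified in a Downloads directory.</description>
  </rule>
  <rule id="100004" level="7">
    <if_sid>554</if_sid>
    <field name="file">c:\\users\\\.+\\downloads\\\.+</field>
    <description>File added to a Downloads directory.</description>
  </rule>
  <rule id="100005" level="7">
    <if_sid>550</if_sid>
    <field name="file">c:\\users\\\.+\\documents\\\.+</field>
    <description>File modified in a Documents directory.</description>
  </rule>
  <rule id="100006" level="7">
    <if_sid>554</if_sid>
    <field name="file">c:\\users\\\.+\\documents\\\.+</field>
    <description>File added to a Documents directory.</description>
  </rule>
</group>
"""

# Constructed ossec.conf fragment whose rule_id list matches the rules above.
OSSEC_CONF_OK = r"""
<ossec_config>
  <integration>
    <name>virustotal</name>
    <api_key>KEY</api_key>
    <rule_id>100001,100002,100003,100004,100005,100006</rule_id>
    <alert_format>json</alert_format>
  </integration>
</ossec_config>
"""

# The same fragment with the kind of mismatch that makes the integration do
# nothing: rule_id names IDs that the rules file never defines.
OSSEC_CONF_MISMATCH = OSSEC_CONF_OK.replace(
    "100001,100002,100003,100004,100005,100006", "100100,100101")


def defined_rule_ids(rules_xml: str) -> set[str]:
    """Every <rule id="..."> in a Wazuh rules file.

    Rules files hold several top-level <group> elements, so they are not a
    single XML document; wrap them in a synthetic root before parsing.
    """
    root = ET.fromstring("<rules>" + rules_xml + "</rules>")
    return {rule.get("id") for rule in root.iter("rule") if rule.get("id")}


def virustotal_rule_ids(ossec_conf_xml: str) -> set[str]:
    """Rule IDs that the virustotal <integration> block(s) are scoped to."""
    root = ET.fromstring(ossec_conf_xml)
    ids: set[str] = set()
    for integ in root.iter("integration"):
        if integ.findtext("name", default="").strip() != "virustotal":
            continue
        for rule_id in integ.findall("rule_id"):
            ids.update(p.strip() for p in (rule_id.text or "").split(",") if p.strip())
    return ids


def undefined_integration_rules(ossec_conf_xml: str, rules_xml: str) -> set[str]:
    """IDs the integration references but no rule defines: these never trigger a lookup."""
    return virustotal_rule_ids(ossec_conf_xml) - defined_rule_ids(rules_xml)


if __name__ == "__main__":
    print("matching config, undefined IDs:", undefined_integration_rules(OSSEC_CONF_OK, LOCAL_RULES_XML))
    print("mismatched config, undefined IDs:", undefined_integration_rules(OSSEC_CONF_MISMATCH, LOCAL_RULES_XML))
```

Run it against the manager's real /var/ossec/etc/rules/local_rules.xml and /var/ossec/etc/ossec.conf by reading those files into the two string arguments; an empty result means every ID the integration is scoped to is defined.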

Lamya Imam

Aug 12, 2024, 6:37:24 AM
to Wazuh | Mailing List
Hello Joshua Strickland,

Firstly, I wanted to mention something regarding our email communications to help streamline our conversations. When making or replying to queries, I would request you to please use "Reply All". This approach helps ensure that other users in the community can also benefit from the shared information and any responses that follow.

As your agents are centrally configured, make sure the remote commands for agent modules are enabled at /var/ossec/etc/local_internal_options.conf.
Reference: https://documentation.wazuh.com/current/user-manual/reference/centralized-configuration.html#centralized-configuration-agent-conf

I would suggest removing the quotation marks from the path specified for the FIM configuration and keep it like this:
<directories realtime="yes" report_changes="yes" check_sum="yes" check_perm="yes">C:\Users\*\Downloads</directories>

You can also monitor the FIM logs from ossec.log using the command:
cat /var/ossec/logs/ossec.log 
cat /var/ossec/logs/ossec.log | grep FIM
cat /var/ossec/logs/ossec.log | grep "File integrity monitoring"

Let me know if this works!
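The two configuration points in this reply are easy to check before restarting anything: whether the <directories> entries pushed through agent.conf carry stray quotation marks, and whether the agent's local_internal_options.conf contains wazuh_command.remote_commands=1 (the agent, not the manager, enforces this setting; on a Windows agent the file lives in the agent's install directory). The following added example (not from the thread or the Wazuh project) runs both checks over constructed inputs: an agent.conf whose Desktop entry repeats the quoting from the original post, and two constructed local_internal_options.conf contents. The splitting of comma-separated <directories> lists is included because Wazuh accepts several paths in one element.

```python
"""Lint a centralized agent.conf and a local_internal_options.conf for the two
issues raised in the reply above. Added example, not code from the thread or
from the Wazuh project; all inputs are constructed in this file.
"""
import xml.etree.ElementTree as ET

# Constructed agent.conf: the Desktop entry keeps the quotation marks from the
# original post, the second entry uses the comma-separated form Wazuh accepts.
AGENT_CONF = r"""
<agent_config>
  <syscheck>
    <directories realtime="yes" report_changes="yes">"C:\Users\*\Desktop"</directories>
    <directories realtime="yes" report_changes="yes">C:\Users\*\Downloads,C:\Users\*\Documents</directories>
  </syscheck>
</agent_config>
"""

# Constructed local_internal_options.conf contents: remote commands left at
# the default (disabled), and with the line the reply asks for.
INTERNAL_OPTIONS_OFF = "# agent internal options\nwazuh_command.remote_commands=0\n"
INTERNAL_OPTIONS_ON = "# agent internal options\nwazuh_command.remote_commands=1\n"


def syscheck_directories(agent_conf_xml: str) -> list[str]:
    """Every path listed under <syscheck><directories>, comma lists split.

    agent.conf may hold several <agent_config> roots, so it is wrapped in a
    synthetic root before parsing.
    """
    root = ET.fromstring("<all>" + agent_conf_xml + "</all>")
    paths: list[str] = []
    for syscheck in root.iter("syscheck"):
        for entry in syscheck.findall("directories"):
            paths.extend(p.strip() for p in (entry.text or "").split(",") if p.strip())
    return paths


def quoted_paths(agent_conf_xml: str) -> list[str]:
    """Paths wrapped in quotation marks, which the Wazuh docs never use and
    the reply recommends removing."""
    return [p for p in syscheck_directories(agent_conf_xml)
            if len(p) >= 2 and p[0] == p[-1] and p[0] in "\"'"]


def remote_commands_enabled(internal_options: str) -> bool:
    """True when wazuh_command.remote_commands=1 is set.

    Lines starting with '#' are comments; if the key appears more than once the
    last value wins, matching how a key=value file is read top to bottom.
    """
    value = "0"  # remote commands are disabled unless explicitly enabled
    for raw in internal_options.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, _, val = line.partition("=")
        if key.strip() == "wazuh_command.remote_commands":
            value = val.strip()
    return value == "1"


if __name__ == "__main__":
    print("quoted paths:", quoted_paths(AGENT_CONF))
    print("remote commands (default file):", remote_commands_enabled(INTERNAL_OPTIONS_OFF))
    print("remote commands (fixed file):", remote_commands_enabled(INTERNAL_OPTIONS_ON))
```

Feed the real files in by reading the agent.conf for the agent's group on the manager and the local_internal_options.conf from the agent itself; a non-empty quoted_paths list or a False from remote_commands_enabled is the thing to fix before chasing the VirusTotal rules any further.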

Joshua Strickland

Aug 31, 2024, 4:38:05 AM
to Wazuh | Mailing List
Thank you so much! That did work. It turned out I hadn't enabled remote commands for agent modules in /var/ossec/etc/local_internal_options.conf

That resolved the issue.
