How to use wazuh as XDR


Nakova Technologies

Nov 10, 2022, 7:26:12 AM
to Wazuh mailing list
Hi,

We have followed the above link and downloaded a new virus, but FIM does not detect any virus. Once we turn on Windows Defender it automatically detects and deletes that virus.

So, how can we find and delete malware/viruses without using Windows Defender?

Christian Bassey

Nov 10, 2022, 8:23:56 AM
to Wazuh mailing list
Hi Nakovatechnologies,

Thank you for using Wazuh!

It is possible that the hash of the malware you downloaded may not be in your malware hash CDB list. 

- You can create a CDB list with all the hashes in VirusShare using this command:
for i in {000..425}; do curl -s https://virusshare.com/hashfiles/VirusShare_00$i.md5 | grep -v '^#' | sed 's/$/:/g' >> /var/ossec/etc/lists/malware-hashes; done
This takes a while, but it produces a hefty 1.2GB file with approximately 38 million hashes.

- Restart the manager for the CDB list to compile:
systemctl restart wazuh-manager
After "compiling" the .cdb list weighs 2.0GB.

Following the blog post (https://wazuh.com/blog/detecting-and-responding-to-malicious-files-using-cdb-lists-and-active-response/) makes a deletion of a file on Windows that takes around 1 second.

In addition, you can also use our virustotal detection and response integration here for malware detection and removal.

Please let me know if this helps. Best.
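The list-building steps above (strip VirusShare comment lines, append ":" to each hash, place the file under /var/ossec/etc/lists) and the match_key lookup that a rule performs against it can be walked through offline. The following is an added example written for this thread, not code from Wazuh or from the blog post: it builds the same "hash:" key-only list from a constructed hash file, writes two constructed files into a temporary "monitored" directory, and emulates the md5 match_key lookup that decides whether an alert would fire. The sample hashes, file names and payloads are all constructed; on a real manager the list is compiled into a .cdb file only after the manager is restarted, which this script does not do.

```python
"""Emulate the CDB malware-hash workflow from the thread, offline.

Added example, not Wazuh's own code. All paths and sample data are constructed.
"""
import hashlib
import os
import tempfile

# Constructed stand-in for one VirusShare hash file: comment lines start with '#',
# then one MD5 per line (the thread fetches the real files with curl).
SAMPLE_HASHFILE = """# VirusShare MD5 hash file (constructed sample)
# one hash per line
d41d8cd98f00b204e9800998ecf8427e
AABBCCDDEEFF00112233445566778899
"""


def parse_hashfile(text):
    """Yield normalised (lowercase) hashes; mirrors grep -v '^#' from the thread."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        yield line.lower()


def write_cdb_list(hashes, path):
    """Write a key-only CDB list ('hash:' per line, as sed 's/$/:/' produces).

    Returns the number of distinct entries written."""
    count = 0
    with open(path, "w") as fh:
        for h in sorted(set(hashes)):
            fh.write(f"{h}:\n")
            count += 1
    return count


def load_cdb_keys(path):
    """Read the plain-text list back into a set of keys; the value after ':' is unused."""
    keys = set()
    with open(path) as fh:
        for line in fh:
            key, _, _value = line.rstrip("\n").partition(":")
            if key:
                keys.add(key.lower())
    return keys


def md5_of_file(path):
    """MD5 of a file, the same digest FIM reports in the 'md5' field."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def is_listed(path, keys):
    """Emulate rule 100002: match_key lookup of the file's md5 against the list."""
    return md5_of_file(path) in keys


def demo():
    """Build the list, drop two files into a 'monitored' directory, check both."""
    workdir = tempfile.mkdtemp()
    list_path = os.path.join(workdir, "malware-hashes")

    # Constructed 'malware' sample; its hash is added to the list so it should match.
    bad_file = os.path.join(workdir, "suspicious.exe")
    with open(bad_file, "wb") as fh:
        fh.write(b"constructed sample payload, not real malware\n")
    bad_hash = md5_of_file(bad_file)

    # Benign file whose hash is never listed; it must not match.
    good_file = os.path.join(workdir, "notes.txt")
    with open(good_file, "wb") as fh:
        fh.write(b"harmless notes\n")

    hashes = list(parse_hashfile(SAMPLE_HASHFILE)) + [bad_hash]
    entries = write_cdb_list(hashes, list_path)
    keys = load_cdb_keys(list_path)
    return {
        "entries": entries,
        "bad_listed": is_listed(bad_file, keys),
        "good_listed": is_listed(good_file, keys),
    }


if __name__ == "__main__":
    print(demo())
```

If a file dropped into a monitored directory does not alert, a check like the one in demo() separates the two usual causes: the file's md5 simply is not a key in the list (no VirusShare coverage), or the list and rule are fine but the manager was never restarted so the .cdb was not compiled.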

Nakova Technologies

Nov 10, 2022, 11:54:21 PM
to Wazuh mailing list
Hi,
Good morning, we already downloaded the hash file and followed all the steps you mentioned, but it does not detect any malware.

[attached image: image_2022_11_11T04_16_21_518Z.png]

Christian Bassey

Nov 11, 2022, 12:52:45 AM
to Wazuh mailing list
Hi Nakovatechnologies,

To confirm that the configuration works, did you follow the steps in the blog post and test with the eicar test file?

Henry Jesus Lastimosa Jr.

Nov 11, 2022, 8:00:46 PM
to Christian Bassey, Wazuh mailing list
Hi Christian,

I tested the same thing Nakovatechnologies is doing, but it is not detecting, and nothing is reflected in the logs.

local_rules.xml file:

<group name="local,malware,">
  <rule id="100002" level="5">
    <if_sid>554</if_sid>
    <list field="md5" lookup="match_key">etc/lists/malware-hashes</list>
    <description>A file - $(file) - in the malware blacklist was added to the system.</description>
  </rule>
  <rule id="100003" level="5">
    <if_sid>100002</if_sid>
    <field name="file" type="pcre2">(?i)[c-z]:</field>
    <description>A file - $(file) - in the malware blacklist was added to the system.</description>
  </rule>
</group>


Christian Bassey

Nov 14, 2022, 6:07:53 AM
to Wazuh mailing list
Hi Henry,

Thank you for using Wazuh!

We recommend that all questions be opened in a new thread to keep the threads clean. This is because the solution to one problem might not be the solution to the second problem.

To clarify, when you download the eicar test file (https://secure.eicar.org/eicar.com), you do not receive any alerts?

The file has to be downloaded to a directory that is being monitored by the FIM module.

Additionally, ensure the Wazuh agent is restarted after making any configuration changes on the agent side. You also need to restart the Wazuh manager when you make configuration changes on the manager side.