Vulnerability scan with Pro version of windows


Pascal THILINGUIRIAN

Nov 25, 2023, 1:22:15 PM11/25/23
to Wazuh | Mailing List
Hello 

I'm having an issue with the vulnerability scan in Wazuh for Windows Pro clients. I thought it was linked to the newly discovered issue linked to the MSU file, where the version was written with a lowercase v instead of uppercase, but this is not linked.

When I check in the cve.db I don't see any product named like what I have.
In the msu table, if I search for windows 11, this is what I find:
Screenshot from 2023-11-25 19-08-46.png


My computer's product is the following: Microsoft Windows 11 Pro 10.0.22621.2428
Screenshot from 2023-11-25 19-12-21.png

I don't see any equivalent product in the MSU table, so could that be the reason the vulnerability scan runs OK but is always empty, with no vulnerability found?

If I select data in hotfixes for this agent:
Screenshot from 2023-11-25 19-14-10.png


I do confirm that I have one Windows server and another Windows client displaying vulnerabilities correctly.

I already deleted several agent db files to make sure they regenerate from scratch; the one I took as an example was one of them, and the scan did run perfectly.
Screenshot from 2023-11-25 19-16-47.png

Am I in the right direction thinking that my issue is linked to the product name coming from the agent, which does not match any MSU entry?

My 32 Windows 11 Pro and Windows 10 Pro clients do not bring back any vuln.

Logs of the server do not show any problem, even with debug set to value 2:
Nov 25, 2023 @ 19:17:34.000 wazuh-modulesd:vulnerability-detector INFO (5431): Starting vulnerability scan.
Nov 25, 2023 @ 19:17:34.000 wazuh-modulesd:vulnerability-detector DEBUG (5439): A partial scan will be run on agent '000'
Nov 25, 2023 @ 19:17:34.000 wazuh-modulesd:vulnerability-detector DEBUG (5437): Collecting agent '000' software.
Nov 25, 2023 @ 19:17:34.000 wazuh-modulesd:vulnerability-detector INFO (5450): Analyzing agent '000' vulnerabilities.
Nov 25, 2023 @ 19:17:34.000 wazuh-modulesd:vulnerability-detector INFO (5471): Finished vulnerability assessment for agent '000'
Nov 25, 2023 @ 19:17:34.000 wazuh-modulesd:vulnerability-detector DEBUG (5470): It took '0' seconds to 'scan' vulnerabilities in agent '000'
Nov 25, 2023 @ 19:17:34.000 wazuh-modulesd:vulnerability-detector DEBUG (5439): A partial scan will be run on agent '013'
Nov 25, 2023 @ 19:17:34.000 wazuh-modulesd:vulnerability-detector DEBUG (5437): Collecting agent '013' software.
Nov 25, 2023 @ 19:17:34.000 wazuh-modulesd:vulnerability-detector INFO (5450): Analyzing agent '013' vulnerabilities.
Nov 25, 2023 @ 19:17:34.000 wazuh-modulesd:vulnerability-detector INFO (5471): Finished vulnerability assessment for agent '013'
Nov 25, 2023 @ 19:17:34.000 wazuh-modulesd:vulnerability-detector DEBUG (5470): It took '0' seconds to 'scan' vulnerabilities in agent '013'
Nov 25, 2023 @ 19:17:34.000 wazuh-modulesd:vulnerability-detector DEBUG (5439): A partial scan will be run on agent '022'
Nov 25, 2023 @ 19:17:34.000 wazuh-modulesd:vulnerability-detector DEBUG (5437): Collecting agent '022' software.

I'll take any good idea from the group.
Thank you


Pascal
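As an added example (not code from this thread, from Pascal, or from the Wazuh project), here is a small Python script that parses wazuh-modulesd:vulnerability-detector log lines of the shape quoted above into a per-agent scan summary: scan type, duration, and whether the scan lifecycle completed. The sample lines are constructed to follow the format in the post, the message codes 5437/5439/5450/5470/5471 are the ones that appear in it, and treating a missing "Finished vulnerability assessment" message as an incomplete scan is my own heuristic. A scan that finishes in 0 seconds with no findings is consistent with the scanner having nothing to correlate, which is the symptom described here, but the log alone cannot say why, so the summary is meant to be compared against what the dashboard shows per agent.

```python
import re
from collections import defaultdict

# One log record: timestamp, module, level, numeric message code, free-text message.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{1,2}, \d{4} @ [\d:.]+) "
    r"wazuh-modulesd:vulnerability-detector (?P<level>\w+) \((?P<code>\d+)\): (?P<msg>.*)$"
)
AGENT_RE = re.compile(r"agent '(?P<agent>\d+)'")
SCAN_TYPE_RE = re.compile(r"A (?P<kind>partial|full) scan will be run on agent")
TOOK_RE = re.compile(r"It took '(?P<secs>\d+)' seconds to '\w+' vulnerabilities in agent")

# Message codes seen in the thread's log excerpt.
CODE_COLLECTING = 5437
CODE_SCAN_TYPE = 5439
CODE_ANALYZING = 5450
CODE_DURATION = 5470
CODE_FINISHED = 5471

# Constructed sample: the same sequence as the excerpt in the post (agent '022' is cut off
# after "Collecting", exactly as in the quoted log).
SAMPLE_LOG = [
    "Nov 25, 2023 @ 19:17:34.000 wazuh-modulesd:vulnerability-detector INFO (5431): Starting vulnerability scan.",
    "Nov 25, 2023 @ 19:17:34.000 wazuh-modulesd:vulnerability-detector DEBUG (5439): A partial scan will be run on agent '000'",
    "Nov 25, 2023 @ 19:17:34.000 wazuh-modulesd:vulnerability-detector DEBUG (5437): Collecting agent '000' software.",
    "Nov 25, 2023 @ 19:17:34.000 wazuh-modulesd:vulnerability-detector INFO (5450): Analyzing agent '000' vulnerabilities.",
    "Nov 25, 2023 @ 19:17:34.000 wazuh-modulesd:vulnerability-detector INFO (5471): Finished vulnerability assessment for agent '000'",
    "Nov 25, 2023 @ 19:17:34.000 wazuh-modulesd:vulnerability-detector DEBUG (5470): It took '0' seconds to 'scan' vulnerabilities in agent '000'",
    "Nov 25, 2023 @ 19:17:34.000 wazuh-modulesd:vulnerability-detector DEBUG (5439): A partial scan will be run on agent '013'",
    "Nov 25, 2023 @ 19:17:34.000 wazuh-modulesd:vulnerability-detector DEBUG (5437): Collecting agent '013' software.",
    "Nov 25, 2023 @ 19:17:34.000 wazuh-modulesd:vulnerability-detector INFO (5450): Analyzing agent '013' vulnerabilities.",
    "Nov 25, 2023 @ 19:17:34.000 wazuh-modulesd:vulnerability-detector INFO (5471): Finished vulnerability assessment for agent '013'",
    "Nov 25, 2023 @ 19:17:34.000 wazuh-modulesd:vulnerability-detector DEBUG (5470): It took '0' seconds to 'scan' vulnerabilities in agent '013'",
    "Nov 25, 2023 @ 19:17:34.000 wazuh-modulesd:vulnerability-detector DEBUG (5439): A partial scan will be run on agent '022'",
    "Nov 25, 2023 @ 19:17:34.000 wazuh-modulesd:vulnerability-detector DEBUG (5437): Collecting agent '022' software.",
]


def parse_line(line):
    """Return a dict for a vulnerability-detector line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["code"] = int(rec["code"])
    a = AGENT_RE.search(rec["msg"])
    rec["agent"] = a.group("agent") if a else None  # e.g. '000' for the manager itself
    return rec


def summarize(lines):
    """Group records by agent id and record scan type, duration and completion."""
    agents = defaultdict(lambda: {"scan_type": None, "duration": None, "finished": False, "codes": []})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["agent"] is None:
            continue  # skip unparsable lines and global messages such as "Starting vulnerability scan."
        info = agents[rec["agent"]]
        info["codes"].append(rec["code"])
        st = SCAN_TYPE_RE.search(rec["msg"])
        if st:
            info["scan_type"] = st.group("kind")
        if rec["code"] == CODE_FINISHED:
            info["finished"] = True
        t = TOOK_RE.search(rec["msg"])
        if t:
            info["duration"] = int(t.group("secs"))
    return dict(agents)


def incomplete_agents(summary):
    """Agents that started a scan but never logged the 'Finished' message (my heuristic)."""
    return sorted(a for a, info in summary.items() if not info["finished"])


def zero_second_agents(summary):
    """Agents whose completed scan reported a 0-second duration, for comparison with the dashboard."""
    return sorted(a for a, info in summary.items() if info["finished"] and info["duration"] == 0)


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for agent, info in sorted(s.items()):
        print(agent, info["scan_type"], info["duration"], "finished" if info["finished"] else "INCOMPLETE")
    print("incomplete:", incomplete_agents(s))
    print("0-second scans:", zero_second_agents(s))
```

To run it against a real manager, replace SAMPLE_LOG with the lines read from the manager's ossec.log and compare the list of 0-second agents with the agents that show no vulnerabilities in the dashboard.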



Stuti Gupta

Nov 26, 2023, 11:43:16 PM11/26/23
to Wazuh | Mailing List

Hi Pascal, hope you are doing well, and thank you for using Wazuh. Can you please share the following details?
Please let us know the current version of Wazuh that you are using and the OS details. Please share the information about your environment. What is the specific version of your Windows 11?
If you have 22H2, there's an issue explained here #15160 that causes many false positives. That issue is already addressed and we have an implementation in review to fix that behavior #17178.
On the other hand, the cve.db can't be empty or it will prevent the scan from running. If you have vulnerabilities reported, cve.db should be populated, because it is the source of CVEs the scan uses to correlate the vulnerabilities for each agent.
Hope this helps. Waiting for your response. Regards!

Pascal THILINGUIRIAN

Nov 27, 2023, 1:44:36 AM11/27/23
to Wazuh | Mailing List
Hello

We are running the latest version of Wazuh on a Linux Ubuntu server.

The clients on which we have the issue are Windows 10 and 11 Pro. Other Windows Server clients are giving the right information regarding vulnerabilities, and the conf files for agents are managed centrally.

You asked me for the specific version of Windows I have the issue with: this is what I put in my opening message => What I present here is the extract of the Os_Info table from one of the agents where we have the issue. All clients equipped with either Windows 10 Pro or Windows 11 Pro are failing to display vulnerabilities, despite the fact that, as shown, the Hotfixes table info is well retrieved on the server side.

My computer's product is the following: Microsoft Windows 11 Pro 10.0.22621.2428
Screenshot from 2023-11-25 19-12-21.png

Like you, I thought it was linked to the discovered issue that you shared in your message, but this is not the case.

Regards

Stuti Gupta

Nov 27, 2023, 4:58:25 AM11/27/23
to Wazuh | Mailing List
Hi, if you have 22H2, there's an issue explained here #15160 that causes many false positives. That issue is already addressed and we have an implementation in review to fix that behavior #17178. On the other hand, the cve.db can't be empty or it will prevent the scan from running.
Screenshot_17.png
Hope this helps.
Regards

Pascal THILINGUIRIAN

Nov 27, 2023, 6:13:42 AM11/27/23
to Stuti Gupta, Wazuh | Mailing List
Hello 

Sorry, but my problem is the opposite, meaning that I have no vulnerability detected.
I saw this open incident, but that one leads to false positives; in my case, as presented in the screen capture, it's definitely the opposite that happens. I have 0 vulnerabilities discovered; I would love to see at least a false positive.

A second comment I would make: if I'm not wrong, when I look at the code of Wazuh you are not just checking the 22H2 but also the name. Am I wrong?

--
You received this message because you are subscribed to a topic in the Google Groups "Wazuh | Mailing List" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/wazuh/v7QmuZykAaU/unsubscribe.
To unsubscribe from this group and all its topics, send an email to wazuh+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/4b1e7acf-cc9e-4945-bda1-f83b82020d2en%40googlegroups.com.


--
Pascal Thilinguirian


Stuti Gupta

Nov 28, 2023, 12:30:57 AM11/28/23
to Wazuh | Mailing List
Hi again,

Sorry for the misunderstanding.
Can you please provide the below details:
Please provide the ossec.log of the manager and the ossec.log of the agent.
Please verify that you are getting other alerts from the wazuh-agent for which the vulnerability scan is not working.
Please let us know if you were receiving alerts in the Wazuh vulnerability dashboard before deleting the agent db.
You can also upgrade to 4.7.0: https://documentation.wazuh.com/current/upgrade-guide/upgrading-central-components.html

Hope this helps

Pascal THILINGUIRIAN

Dec 1, 2023, 3:34:51 PM12/1/23
to Stuti Gupta, Wazuh | Mailing List
Hello, I did follow your advice, and migrating to 4.7.0 did solve the issue.

Thank you
Pascal



--
Pascal Thilinguirian

