Active Response on Windows


Jhon Salazar

May 7, 2025, 12:34:31 PM
to Wazuh | Mailing List
Hello everyone,

I'm very new to using and configuring Wazuh. I've been using it for a month now, and I've understood almost everything from the official Wazuh documentation. All the basics have worked perfectly on Linux, and the same on Windows, except for the active response.

I can't find an example of rules to activate the default .exe files, and the only example there is, creating a remove-threat script, I've followed step by step exactly, with VirusTotal integration, and yet, when I download the test virus, Wazuh reports it in the monitored directory and VirusTotal raises alerts, but the active response doesn't do anything. It doesn't appear in the logs as if it had been started or anything. I've repeated the same steps from the documentation and nothing, even on Windows 10 and 11.

I don't know if I'm doing something wrong or if I should do something else, but I don't know how to make the active response .exe files work in my Windows agent, and I also don't know why the remove-threat test in the documentation isn't working for me.

I would totally appreciate any help or recommendations, please and thank you.

Nicolas Agustin Guevara Pihen

May 8, 2025, 9:49:42 AM
to Wazuh | Mailing List
Hello Jhon, 

I will help you to solve this issue. 
From what I understand, you already integrated Wazuh with VirusTotal successfully and can see the related alerts when you download the malicious file, is that correct?
In that case, are you seeing the 100093 alert? (That number is the one listed in the documentation, but it may be different if you used another one.)

Apart from that, can you do a test:
  • In your manager, add the line execd.debug=1 to your manager's /var/ossec/etc/local_internal_options.conf and restart the manager.
  • Simulate the event (download the malicious file).
  • Look in your manager's /var/ossec/logs/ossec.log to see if there's any log that may be related to that. It should give us information if there's any problem running the Active Response.
I will be looking forward to your answer!
Regards,

Jhon Salazar

May 9, 2025, 5:29:10 AM
to Nicolas Agustin Guevara Pihen, Wazuh | Mailing List
Hello, thank you so much for your help and willingness to assist with this matter. I've done what you told me, and still nothing. Let me show you a document showing how I have everything set up and what you told me to do. Just to see if there's anything I'm not doing right or missing. I would appreciate any help. Thanks again, and here's the document below.

Active-Resppnse_Windows--Problem.pdf

Nicolas Agustin Guevara Pihen

May 9, 2025, 10:08:03 AM
to Wazuh | Mailing List
Thank you for the detailed information. 
I think that 2 images overlapped in the section where you show the ossec.conf. Could you confirm that you have both the command and the active-response sections?
<command>
  <name>remove-threat</name>
  <executable>remove-threat.exe</executable>
  <timeout_allowed>no</timeout_allowed>
</command>
<active-response>
  <disabled>no</disabled>
  <command>remove-threat</command>
  <location>local</location>
  <rules_id>87105</rules_id>
</active-response>
Please note that the executable is different from the Linux version, being remove-threat.exe instead of remove-threat.sh.
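As an added example (not code from this thread or from the Wazuh project), here is a small Python checker that reads an ossec.conf fragment like the one above and reports the wiring mistakes discussed in this reply: a missing command block, a disabled response, no trigger rule, or the Linux .sh executable referenced for a Windows agent. The sample fragments inside it are constructed to mirror the snippet above.

```python
# Added example, not code from the thread or from Wazuh: validates the
# <command>/<active-response> wiring of an ossec.conf fragment. Sample configs are constructed.
import xml.etree.ElementTree as ET

GOOD_CONF = """
<command>
  <name>remove-threat</name>
  <executable>remove-threat.exe</executable>
  <timeout_allowed>no</timeout_allowed>
</command>
<active-response>
  <disabled>no</disabled>
  <command>remove-threat</command>
  <location>local</location>
  <rules_id>87105</rules_id>
</active-response>
"""
# Constructed failure cases: the <command> block missing, and the Linux .sh executable on Windows.
NO_COMMAND_CONF = "<active-response>" + GOOD_CONF.split("<active-response>", 1)[1]
LINUX_EXE_CONF = GOOD_CONF.replace("remove-threat.exe", "remove-threat.sh")

def check_active_response(conf: str, windows_agent: bool = True) -> list:
    """Return the problems found in the fragment; an empty list means it is wired up."""
    # ossec.conf has no single root element, so wrap the fragment before parsing.
    root = ET.fromstring("<root>" + conf + "</root>")
    # <command> blocks with a <name> child are definitions; the one inside <active-response> is a reference.
    commands = {c.findtext("name").strip(): c for c in root.iter("command") if c.findtext("name")}
    responses = list(root.iter("active-response"))
    problems = []
    if not commands:
        problems.append("no <command> block defines a command")
    if not responses:
        problems.append("no <active-response> block present")
    for ar in responses:
        ref = (ar.findtext("command") or "").strip()
        if ref not in commands:
            problems.append(f"<active-response> references unknown command '{ref}'")
            continue
        if (ar.findtext("disabled") or "no").strip().lower() == "yes":
            problems.append(f"active response '{ref}' is disabled")
        if not any(ar.findtext(tag) for tag in ("rules_id", "rules_group", "level")):
            problems.append(f"active response '{ref}' has no trigger")
        exe = (commands[ref].findtext("executable") or "").strip()
        if windows_agent and not exe.lower().endswith(".exe"):
            problems.append(f"command '{ref}' runs '{exe}', not a Windows .exe")
    return problems

if __name__ == "__main__":
    for conf in (GOOD_CONF, NO_COMMAND_CONF, LINUX_EXE_CONF):
        print(check_active_response(conf) or "OK")
```

Paste the command and active-response sections from your own manager's ossec.conf into the checker to confirm both blocks are present and agree on the command name before retesting with execd.debug=1.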