Identifying Malware with VirusTotal and Wazuh - Let's Deploy a Host Intrusion Detection System #6 

Hey Rizky, have you made sure the virustotal configuration (where you put your api key) has been added to the ossec.conf on the wazuh manager correctly? virustotal API_KEY syscheck json You can also tail the /var/ossec/logs/integrations.log to see if the virustotal integration is being triggered correctly. Hope that helps and thanks for watching!

“infected” Thanks for watching!

Is your integration block setup correctly to send file additions to virustotal? Is virustotal authenticating your api key?

@@taylorwalton_socfortress The VirusTotal consumption usage says 0 but the integration logs seem to be fine i think

it would be The Dude Mikotik.

@@marciolima174 Hey Marcio, I am not familiar with The Dude...how does it output its logs? If they are a JSON output, we could probably add the .json file to the location path so that the wazuh-agent can forward it to the wazuh-manager. However, we probably wont be able to add them to the Wazuh App plugin within Kibana, but we could create a Dashboard with Kibana that would display these logs.

@@taylorwalton_socfortress In the general context is a server that already has Wauzuh agent installed, that server receives data from symantec antivirus for each hosts. In case you can only integrate with wazuh, if you have the output of the JSON logs?

Hey Karl, make sure that the directory that you stored the malware on is being monitored by the config. A common mistake I have seen is that the directory is not being monitored by wazuh. Another setting you can make is to have the directory to be monitored in real time, otherwise the wazuh-agent will wait to scan the directory for any new files/changes until the frequency timeframe is reached. By default the frequency is once every 12 hours. For testing, you could follow the below config example to scan a malware file that was added to the /opt/ directory in real time. /opt make sure that is within the block of the ossec.conf file. Also make sure that is added on the Wazuh Agent's ossec.conf file and not the managers. Hope that helps and thanks for watching!

@@taylorwalton_socfortress Thank you so much that's exactly the part I overlooked! Some directories are being monitored while other are not. Is there an efficient way to enable the monitoring on all directories of the agent Or do I need to add every directory manually? Thank you for your detailled answer I really appreciate it!

@@karlmaamary8181 hey Karl, you could add all directories with just a “/etc”, “/var”, “/bin” , etc. but take into account that it could consume cpu and memory that is needed for other software running on the server. It is also a good move to add “ignore” tags on directories that are constantly changing, such as log. I suggest slowly rolling out within your environment until you have a good baseline. Hope this helps!

Hey there, did you make sure the real time monitoring was enabled on the directory you are downloading the file to? Below is an example of the "opt" directory: /opt

@@taylorwalton_socfortress thank you for the response. Is there a way to monitore the whole system? or we only can monitore 1 direcotry? Thank you!

@@amix2315 You can monitor the whole filesystem if you like: documentation.wazuh.com/current/user-manual/capabilities/file-integrity/fim-configuration.html#fim-examples However, be aware that wazuh will have to consume extra resources such as CPU and memory to do so.

@@taylorwalton_socfortress Thank you for everything, I appreciate.

@@taylorwalton_socfortress i m facing the same issue, i have enabled realtime reporting in ossec.conf, but still wazuh manager is not reporting the malware detection, pls help check_all="yes" realtime="yes" report_changes="yes">/home/malware-test

What results do you get if you run a "/var/ossec/bin/wazuh-logtest" and input the full log of the rule?

@@taylorwalton_socfortress I found the bin file, but don't know how to use it. Not intuitive enough. I am thinking instead, monitor for sysmon event 11 and then send the hash to VT using a home grown script via Active Response. Your last vidoe showed me how to ingest the json! Nice job. Keep it up! You have a great presentation style!

Hey I am getting an Error 80004005 from Windows whenever I try unzipping the downloaded the malware. Do you know how to get around this? I've already tried disabling all antivirus and security features. Just downloading the zipped malware file doesn't trigger any alerts in my Wazuh Server. I only have agents installed on Windows endpoints. Thanks @@taylorwalton_socfortress

Hey Zubair, I will look into that and see what I can do. Thanks for the recommendation!

@@taylorwalton_socfortress ok thanks I will be waiting for it.

Hey Zubair, check out my latest video where I cover this very topic! ru-vid.com/video/%D0%B2%D0%B8%D0%B4%D0%B5%D0%BE-WsdMmNdhl_4.html&ab_channel=OpenSecureOpenSecure Thanks for the recommendation!

@@taylorwalton_socfortress Thanks

Hey there, I cannot share my API key as that is unique to me and is something that should be kept private. However you can sign up for one here: www.virustotal.com/gui/join-us

What directory did you put the eicar file in?

@@taylorwalton_socfortress I have the same issue and it is placed in the location that FIM is monitoring.