
Quarantine Malware with Wazuh + YARA 

Views: 9K

Join me as we incorporate Wazuh's Active Response and YARA to scan uploaded files to our web server for malware!
Blog Post: socfortress.medium.com/detect-malcious-file-uploads-with-wazuh-and-yara-88d671b2df08
🚩 CTF Challenge: ctf.socfortress.co/
📩 Contact Me: taylor.walton@socfortress.co
ℹ️ LinkedIn: www.linkedin.com/company/socfortressmdr/
🧾 Our Blog: socfortress.medium.com/
☕ Buy Me A Coffee: bit.ly/3woh21M
🚀 Security Operations Center as a Service: www.socfortress.co/
✅ Free For Life Tier: www.socfortress.co/trial.html
👨🏻‍💻 Professional Services: www.socfortress.co/ps.html
👾 Discord Channel: discord.gg/MzkFP9yE9V
Series Playlist: ru-vid.com/group/PLB6hQ_WpB6U0WeroZAfssgRpxW8olnkqy
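The description above sketches the pipeline: a Wazuh FIM (syscheck) alert fires when a new file lands in the web server's upload directory, Active Response runs a script on the agent, the script scans the file with YARA and quarantines it if a rule matches. The script below is an added example of that agent-side active-response script, written for this page and not taken from the video or from SOCFortress. It assumes Wazuh 4.2 or later (which hands the triggering alert to the script as one JSON document on stdin), a YARA rule file at the hypothetical path /usr/local/signature-base/yara/combined.yar, and /tmp/quarantine as the quarantine directory; all three can be overridden through environment variables. Because /tmp may be cleaned periodically, the script recreates the quarantine directory before every move, stores the file under a timestamped name so repeated uploads do not overwrite each other, and strips all permissions from it.

```shell
#!/bin/bash
# Added example (not the video's or SOCFortress's script): a Wazuh active-response
# script that YARA-scans the file named in a syscheck (FIM) alert and quarantines it
# on a match. Install on the agent as /var/ossec/active-response/bin/yara-quarantine.sh.
#
# Assumptions (not stated on the page): Wazuh 4.2+ passes the triggering alert as
# JSON on stdin; rules live at YARA_RULES (hypothetical path); quarantine dir is
# /tmp/quarantine. Override any of these with environment variables.

YARA_BIN="${YARA_BIN:-/usr/local/bin/yara}"
YARA_RULES="${YARA_RULES:-/usr/local/signature-base/yara/combined.yar}"  # hypothetical rule file
QUARANTINE_DIR="${QUARANTINE_DIR:-/tmp/quarantine}"
LOG_FILE="${LOG_FILE:-/var/ossec/logs/active-responses.log}"

log() {
  # Append to the active-response log; fall back to stderr if it is not writable.
  printf '%s yara-quarantine: %s\n' "$(date '+%Y/%m/%d %H:%M:%S')" "$*" >> "$LOG_FILE" 2>/dev/null \
    || printf 'yara-quarantine: %s\n' "$*" >&2
}

alert_path() {
  # Pull syscheck.path out of the alert JSON ($1). Wazuh emits compact JSON, so a
  # sed capture is enough; a path containing a double quote would need a real parser.
  printf '%s' "$1" | sed -n 's/.*"path"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' | head -n 1
}

scan_file() {
  # Print "rule_name path" for every rule that matches $1; empty output means clean.
  # -w suppresses rule-compilation warnings so they are not mistaken for matches.
  "$YARA_BIN" -w "$YARA_RULES" "$1" 2>/dev/null
}

quarantine_file() {
  # Move $1 into $QUARANTINE_DIR under a timestamped name and drop all permissions
  # so the web server can neither serve nor execute it. The directory is recreated
  # in case a /tmp cleaner removed it. Prints the new location.
  local file="$1" dest
  mkdir -p "$QUARANTINE_DIR" && chmod 700 "$QUARANTINE_DIR"
  dest="$QUARANTINE_DIR/$(date +%s)_${file##*/}"
  mv -- "$file" "$dest" && chmod 000 "$dest" && printf '%s\n' "$dest"
}

handle_alert() {
  # Returns 0 if the file was clean or missing, 1 if it matched and was quarantined,
  # 2 if the alert carried no syscheck.path.
  local path matches dest
  path="$(alert_path "$1")"
  [ -n "$path" ] || { log "alert without syscheck.path, ignoring"; return 2; }
  [ -f "$path" ] || { log "$path is not a regular file, ignoring"; return 0; }
  matches="$(scan_file "$path")"
  if [ -z "$matches" ]; then
    log "clean: $path"
    return 0
  fi
  dest="$(quarantine_file "$path")"
  log "QUARANTINED $path -> $dest; matches: $(printf '%s' "$matches" | tr '\n' ';')"
  return 1
}

main() {
  # wazuh-execd writes the whole alert to stdin and then closes it.
  handle_alert "$(cat)"
}

# Only run when wazuh-execd invokes the installed script; sourcing the file for
# tests just defines the functions.
case "${0##*/}" in
  yara-quarantine.sh) main ;;
esac
```

On the manager, bind the script through a <command> whose <executable> is yara-quarantine.sh and an <active-response> tied to the FIM "file added" rule scoped to the upload directory; the agent's default configuration already ships /var/ossec/logs/active-responses.log to the manager, so the QUARANTINED lines become alerts you can build dashboards and rules on.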

Category: Science

Published: 9 Jan 2023

Comments: 12
@rockdarko440 (1 year ago)
Hi Taylor! I work in the health care system in Canada and thanks to you I'm building a pretty solid Wazuh PoC to show higher management in order to steer them away from Microsoft Defender as a potential EDR on the Linux servers my DevOps team and I manage. You have no idea how valuable your videos are. Thank you so much my dude!
@miguelsaiz8151 (1 year ago)
Great video!
@sreerajk1923 (5 months ago)
Great cyber security project for beginners!
@petertrom4397 (1 year ago)
Thank you for your videos, Taylor! I noticed that since your quarantine folder resides within /tmp, and /tmp is flushed every 10 days by default, your scanning script may want to check if /tmp/quarantine exists before moving the file, and if it doesn't exist it could create it. Just another conditional if/then. But once again, thank you! I just subscribed.
@auto117666 (1 year ago)
This is fantastic. I didn't realize Wazuh had this capability. Taking this to the next logical step, you can replace the simple YARA scanning with more in-depth scanning, such as VirusTotal hash checking, multi-AV scanning frameworks like IRMA, or possibly going further with AssemblyLine4, which could send files directly to the CAPE sandbox for behavioral analysis along with a dozen other scanning tools. This assumes that your setup is OK with waiting 6-10 minutes of analysis for scanning an executable file. Can Wazuh do any type of pre-filtering prior to sending files for scanning? For example, say you wanted to scan every file a user downloads and filter it based on file type, file extension, or file size. PS. I don't think I've ever heard anyone refer to Florian Roth's (one of the creators of Sigma) repo as Neo23x0 and it made me smile.
@v4ltonn (1 year ago)
Just wanted to ask why you didn't do this with Wazuh, Elasticsearch and Kibana, and the thing is that I really need it!
@ozzykampha2776 (1 year ago)
Can you implement a sandbox as well?
@mnk_navin (1 year ago)
Where are you running your cloud? Can you explain to me, or make a video on, Cuckoo Sandbox on AWS (or any cloud you prefer) for running dynamic malware testing? I don't know how to do a complete setup, nor whether we can run malware tests on the AWS cloud. Could you please clear this up for me?
@jackeychung901 (9 months ago)
Hi Taylor! If the agent is Windows, how does YARA determine the Windows user profile name variable? I can only set a fixed username to make it work. If I use %userprofile% I cannot capture the path.
@laaker4786 (1 year ago)
'promosm' 🙄
@marcosfleitas9605 (5 months ago)
Hi bro, I would like to implement the YARA rules but I have a problem in the compilation. When I execute yara_update_rules.sh I get this error: "error: rule "PUA_VULN_Renamed_Driver_Avastsoftware_Aswarpotsys_Avastantivirus_4DA0" in /usr/local/signature-base/yara/yara-rules_vuln_drivers_strict_renamed.yar(6830): undefined identifier "filename"" and many other lines like that.
@NguyenThuTrangBDCAT (1 year ago)
Hello Taylor, I followed your instructions but there's been an error: /usr/share/yara/yara-4.2.3/yarac. Where is yarac? I can't seem to find it in the yara-4.2.3 dir.