Auto Remove Malware With Wazuh Active Response! - Let's Build a Host Intrusion Detection System

Science and technology

Join me as we incorporate Active Response to remove any file with a positive VirusTotal hit! Let's deploy a Host Intrusion Detection System and SIEM with free open source tools. Join me as we explore and learn together.
Github Repo: github.com/OpenSecureCo/Wazuh...
Defend with us on Slack: bit.ly/2Pi1byt
Check us out: www.opensecure.co/
Interact with our demo: www.opensecure.co/demo
Hire us: www.opensecure.co/contact-us

Comments: 43

  • @Huelilik (1 year ago)

    Where did the removed virus go? Where will it be quarantined? Your class is amazing. I hope you open a class on a platform like Udemy; surely your class will be very popular.

  • @mochammadawaludin2073 (2 years ago)

    Hi, why does the process of removing the virus package still not act once the download has finished...? But the log has already started on Wazuh, with no error.

  • @tndgray (2 years ago)

    Hey man! Love your videos. Do you have a video or have one planned that covers active response for windows systems? Everything out there seems to be geared towards Linux.

  • @taylorwalton_socfortress (2 years ago)

    Hey there, yes, looking to bring more active response with Windows soon. However, in the video below I used active response with Wazuh to call a PowerShell script, which could help as an example: kzread.info/dash/bejne/lnp8yKqYlpedfdY.html

  • @cyberlancer718 (1 year ago)

    Superb. Will this script work on Windows? What changes will be needed?

  • @hussainblackdrag1983 (1 year ago)

    How can I do the same thing for a Windows agent?

  • @shijieteosj (3 years ago)

    Thanks for the guide; I've been following your entire guide on Wazuh and it has been going great. However, for this section, VirusTotal found a malicious file and triggered rule 87105, but there still appears to be no deletion of the file or any sign of the bash script running. Any suggestions on what I could change?

  • @taylorwalton_socfortress (3 years ago)

    Hey Peinrpple, have you made sure to add the active response block within the ossec.conf file? Let me know and thanks for watching!

  • @shijieteosj (3 years ago)

    @taylorwalton_socfortress Yep, I have already added the active response block to ossec.conf. Active response for blocking attackers like in video #7 works, but not for this.

  • @taylorwalton_socfortress (3 years ago)

    @shijieteosj Do you see any entries on the Wazuh agent within /var/ossec/logs/active-responses.log? If not, are permissions and ownership for the bash scripts set correctly on the Wazuh manager and Wazuh agent?

  • @shijieteosj (3 years ago)

    @taylorwalton_socfortress The active responses log on the agent is unfortunately empty. As for the bash scripts, they have been set to +x permissions, with the owner being root:ossec.

  • @yelnikcm111 (2 years ago)

    Thanks for doing these videos, but I am not getting this to work. I have done the full instructions step by step with no success. I am not even getting alerts when the file is downloaded. Would the latest version change the information you have in the video?

  • @taylorwalton_socfortress (2 years ago)

    Hey there, did you make sure real-time monitoring was enabled on the directory you are downloading the file to? Below is an example for the "opt" directory: /opt

  • @watchkeeper4531 (2 years ago)

    Hi OpenSecure, I am able to detect the virus downloaded from the site, but active response isn't working. Are we able to set up a Slack call sometime to go through it?

  • @taylorwalton_socfortress (2 years ago)

    Hey Watchkeeper, I do not have Slack, but you can join the Discord server and get assistance there: discord.gg/MzkFP9yE9V

  • @saketbande9727 (2 years ago)

    @OpenSecure Sir, I followed each and every step, but I did not get an active response.

  • @taylorwalton_socfortress (2 years ago)

    Hey Saket, do you see active response attempt to run? Have a look at the /var/ossec/logs/activeresponse.log file on the manager and the agent and let me know what entries are within those files. For faster help, join us on our Discord server and hopefully we and the community can help you out: discord.gg/MzkFP9yE9V Thanks for watching.

  • @waleedjamali8372 (2 years ago)

    Great work. I have done all the steps accordingly, but in my case active response is not working.

  • @taylorwalton_socfortress (2 years ago)

    Hey Waleed, are you seeing the positive VirusTotal alert?

  • @waleedjamali8372 (2 years ago)

    @taylorwalton_socfortress Yes, I can see the file added and then the positive alert from VirusTotal, but the rest is not working.

  • @Ne0_Vect0r (3 years ago)

    This sounds great, but what about the performance?

  • @taylorwalton_socfortress (3 years ago)

    Hey Neo, while this is a great addition there are a few catches. First, we are depending on VirusTotal's API service to be running and accessible from our Wazuh manager. A break in internet connectivity would cause a timeout error, or a break within our wazuh-manager would allow the malicious software, script, etc. to run. Second, VirusTotal has the ability to limit the number of API requests you make per day. You can pay for the ability to submit more requests as you need, but if you exceed your per-day limit, they will deny future requests. Third, although the API calls are fast, depending on the actions of the malicious file, exe, bin, etc., it could still have time to execute before the Wazuh manager has made the request to VirusTotal, gotten back the response, determined the file is malicious, and sent the active response command to the agent. By no means does this replace a dedicated antivirus solution, but it is a great additional defense tactic we can implement. I plan on exploring dedicated open-source antivirus solutions in future videos, so please stay tuned. Thanks for watching :)

  • @thezubairrahim (3 years ago)

    Thanks for uploading. I followed your steps, but it does not work for me. VirusTotal successfully found the file malicious, but it is not being deleted. I don't know where the problem is?

  • @taylorwalton_socfortress (3 years ago)

    Hey Zubair, what do your active response settings look like? You may need to include the Active Response tag.

  • @thezubairrahim (3 years ago)

    @taylorwalton_socfortress I already did that. Which Wazuh version are you using?

  • @taylorwalton_socfortress (3 years ago)

    @thezubairrahim 4.1.5. If you run remove.sh by itself, what output do you get?

  • @SimoneScanavini (3 years ago)

    @taylorwalton_socfortress Hi, same problem here. It says: ossec-integratord: ERROR: Couldn't execute command (/var/ossec/integrations/custom-remove-threat /tmp/custom-remove-threat-1626733235--779629725.alert > /dev/null 2>&1). Check file and permissions. But permissions are set to root:ossec.

  • @taylorwalton_socfortress (3 years ago)

    @SimoneScanavini Hey Simone, is the remove-threat script also executable? This is done with the "chmod +x /var/ossec/integrations/custom-remove-threat" command.

  • @karlmaamary8181 (3 years ago)

    Hello, I am getting logs from VirusTotal, but the active response is not working.

  • @taylorwalton_socfortress (3 years ago)

    Hey Karl, what rule ID do you have set up for active response? Are you seeing any output in /var/ossec/logs/activeresponse.log?

  • @karlmaamary8181 (3 years ago)

    @taylorwalton_socfortress This is my config: custom-remove-threat 87105 json remove-threat remove-threat.sh filename no no remove-threat local I also tried to add the in the active response tag, but it did not make any difference. I followed all your steps and made all the configuration needed on the agent too. I'm having trouble trying to figure out where the problem is. Is there something I need to do to activate the active response? As for the output from /var/ossec/logs/active-responses.log, I'm only getting restart.sh.

  • @taylorwalton_socfortress (3 years ago)

    Hey Karl, apologies for the late reply. One thing to verify is working correctly is the VirusTotal integration. This needs to be working because rule ID 87105 will only trigger once VirusTotal responds to our API request that the file we uploaded has a positive match. Without that rule ID being triggered, our custom-remove-threat process will not be triggered. Once you can ensure the VirusTotal calls are working as expected, we can troubleshoot further. Looking forward to your response.

  • @karlmaamary8181 (3 years ago)

    @taylorwalton_socfortress Rule ID 87105 triggers when I download a malicious file, but sometimes rule ID 87104 is the one that triggers. I don't know if that is normal.

  • @taylorwalton_socfortress (3 years ago)

    @karlmaamary8181 Hey Karl, I expect that to be normal. What OS is your wazuh-agent on? Do you see any errors if you run /var/ossec/active-response/bin/remove-threat.sh on the agent side?
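The checks this thread keeps returning to (the execute bit on the integration and remove-threat scripts, the integration block bound to rule 87105 plus an active-response block in ossec.conf, and remove-threat entries in the agent's active-responses.log) collected into one diagnostic script. This is an added example, not code from the video or the OpenSecureCo repo; the default paths and the exact tag names it greps for are assumptions based on the thread and the Wazuh configuration format.

```shell
# Wazuh VirusTotal active-response troubleshooter (added example, not from the video).
# Each check prints what is wrong and returns 1, so the script can be run on the
# manager (integration script + ossec.conf) and on the agent (AR script + log).

# 1. "Couldn't execute command ... Check file and permissions": the integration
#    script and the AR script need the execute bit, not just root:ossec ownership.
check_executable() {
  f="$1"
  if [ ! -f "$f" ]; then echo "MISSING: $f"; return 1; fi
  if [ ! -x "$f" ]; then echo "NOT EXECUTABLE: $f (fix: chmod +x $f)"; return 1; fi
  echo "OK: $f is executable"
}

# 2. Rule 87105 only reaches the custom script if ossec.conf on the manager has an
#    <integration> block naming it and bound to that rule, plus an <active-response>
#    block; the tag names below are assumed from the Wazuh config format.
check_manager_conf() {
  conf="$1"
  rc=0
  grep -q '<integration>' "$conf" || { echo "NO <integration> block in $conf"; rc=1; }
  grep -q '<name>custom-remove-threat</name>' "$conf" || { echo "no integration named custom-remove-threat"; rc=1; }
  grep -q '<rule_id>87105</rule_id>' "$conf" || { echo "integration not bound to rule_id 87105"; rc=1; }
  grep -q '<active-response>' "$conf" || { echo "NO <active-response> block in $conf"; rc=1; }
  [ "$rc" -eq 0 ] && echo "OK: $conf has integration and active-response blocks"
  return "$rc"
}

# 3. An empty agent-side active-responses.log, or one with only restart.sh entries,
#    means the remove-threat command never reached the agent's execd.
check_ar_log() {
  log="$1"
  if [ ! -s "$log" ]; then echo "EMPTY or missing: $log (command never reached the agent)"; return 1; fi
  grep -q 'remove-threat' "$log" || { echo "no remove-threat entries in $log (only other AR scripts ran)"; return 1; }
  echo "OK: remove-threat entries found in $log"
}

# Run everything with the default Wazuh paths from the thread; arguments override them.
run_all() {
  check_executable "${1:-/var/ossec/integrations/custom-remove-threat}"
  check_executable "${2:-/var/ossec/active-response/bin/remove-threat.sh}"
  check_manager_conf "${3:-/var/ossec/etc/ossec.conf}"
  check_ar_log "${4:-/var/ossec/logs/active-responses.log}"
}
```

Run it once on the manager and once on the agent; each failing check names the fix the thread arrived at for that symptom.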
