
This question is similar to this one:

OSSEC capabilities for handle a virus that already spread into the deepest system

But it didn't really answer how I could do that exactly. I have tried the Wazuh app for maybe 5 months in a row; as far as I know, Wazuh is unable to delete the virus/malicious software that has been found. They just tell us there is some rootkit or virus, but I couldn't find how to delete that malware using some of Wazuh's features like active response, even though the malware has already been detected.

Does Wazuh have the capability to delete or disable malware that has been found?

gagantous

1 Answer

Wazuh engineer here.

I wonder how viruses are being detected in the first place. If you have some kind of antivirus solution, then you can do an integration and have Wazuh process AV alerts (triggering active response to remove malicious files or stop malicious processes).

Having said that, Wazuh can also detect malware by looking for IOCs (rootcheck), detecting anomalies (hidden files or processes), and monitoring the file system (syscheck).

Something that works really well to detect malware is the integration with VirusTotal. This way, when a binary file is changed or created, Wazuh will check against VirusTotal and learn if it is detected by AV engines. If so, you can trigger an active response to eliminate it.

In addition, Wazuh has done integrations with AVs like ClamAV or Kaspersky to do that exact same thing.

  • My apologies, I forgot to mention rootkit... that can be categorized as malware/virus(?). I have already seen some of the Wazuh ruleset and found many rules that have the function to detect some virus or rootkit. I have done some demonstration to detect a rootkit that was made by Metasploit using rootcheck. It did detect that file (aka rootkit) (without VirusTotal integration), but there is no active response script that will delete "those" files when we detect that kind of behaviour, or even block that software. Is it possible to use only an active response script to delete that file? – gagantous Aug 23 '18 at 09:47
  • Where could I find that kind of active response? I have read the doc https://documentation.wazuh.com/current/user-manual/capabilities/active-response/how-it-works.html and found that none of these active responses have the capability to delete or block software. – gagantous Aug 23 '18 at 09:56
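Added example, not from the Wazuh project or the answer above: an OSSEC-style active-response script that quarantines the file an alert points at, which is the piece the VirusTotal or rootcheck detection would trigger to "eliminate" a flagged file. It assumes the file path arrives as the seventh positional argument (the `action user srcip alert_id rule_id agent filename` convention of OSSEC/Wazuh 3.x scripts), and that `/var/ossec/quarantine` is the chosen quarantine directory; both are assumptions to check against your Wazuh version, as are the `<command>`/`<expect>` settings needed to pass the path.

```shell
#!/bin/sh
# Hypothetical active-response script (example code, not Wazuh's own):
# move a flagged file into a quarantine directory instead of deleting it,
# so the sample survives for forensics while it can no longer execute.
# Assumption: file path is argument 7 (OSSEC/Wazuh 3.x argument convention).
QUARANTINE_DIR="${QUARANTINE_DIR:-/var/ossec/quarantine}"   # assumed location
LOG_FILE="${LOG_FILE:-/var/ossec/logs/active-responses.log}"

# quarantine_file <path> <quarantine_dir> <log_file>
# Returns 0 on success, 1 when the path is refused, 2 on an I/O failure.
quarantine_file() {
    path=$1; qdir=$2; log=$3
    case "$path" in
        /*) ;;   # only act on absolute paths
        *) echo "refused non-absolute path: $path" >>"$log"; return 1 ;;
    esac
    case "$path" in
        */../*|*/..) echo "refused path traversal: $path" >>"$log"; return 1 ;;
    esac
    # never touch system binaries, libraries, config or Wazuh's own tree:
    # a spoofed alert must not be able to turn this script against the host
    case "$path" in
        /bin/*|/sbin/*|/usr/bin/*|/usr/sbin/*|/lib*|/etc/*|/var/ossec/*)
            echo "refused protected path: $path" >>"$log"; return 1 ;;
    esac
    [ -f "$path" ] || { echo "not a regular file: $path" >>"$log"; return 2; }
    mkdir -p "$qdir" && chmod 700 "$qdir" || return 2
    # encode the original location in the quarantined name for later review
    dest="$qdir/$(date +%Y%m%dT%H%M%S)_$(printf '%s' "$path" | tr '/' '_')"
    mv -- "$path" "$dest" && chmod 000 "$dest" || return 2
    echo "$(date) quarantined $path -> $dest" >>"$log"
    return 0
}

# Entry point when Wazuh runs the script: act on "add" (alert fired) only,
# ignore the "delete" call that ends a timed response.
main() {
    action=$1; file=$7
    [ "$action" = "add" ] || exit 0
    quarantine_file "$file" "$QUARANTINE_DIR" "$LOG_FILE"
}

# Only dispatch when invoked with the full argument set from Wazuh.
[ $# -ge 7 ] && main "$@"
```

Register the script as a `<command>` in ossec.conf and bind it with an `<active-response>` block to the rule IDs your VirusTotal or rootcheck alerts produce; the log file records every action and every refusal so the response itself stays auditable.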