VirusTotal integration - Unable to run integration if the file name doesn’t start with a BOM #13825
This fix was applied in branch
Test on Windows
Reproduce Test Case on master
Package details
Test information

Reproduce failure in VirusTotal integration 🟢

Reproduce Test Case on Branch
| Wazuh version | Wazuh revision | Component | Install type | Install method | Platform |
|---|---|---|---|---|---|
| 4.4.0 | 40400 | virustotal-scan | Manager | Packages | CentOS-8 |
| 4.4.0 | 40400 | virustotal-scan | Agent | Packages | Windows |
Test VirusTotal integration 🟢
- Edit the `/var/ossec/etc/ossec.conf` configuration on the manager, adding:

  ```xml
  <integration>
    <name>virustotal</name>
    <api_key>API_KEY</api_key> <!-- Replace with your VirusTotal API key -->
    <group>syscheck</group>
    <alert_format>json</alert_format>
  </integration>
  ```

- Edit the `C:\Program Files (x86)\ossec-agent\ossec.conf` configuration on the agent, using FIM to monitor a directory:

  ```xml
  <directories check_all="yes" realtime="yes">DIRECTORY_TO_MONITOR</directories>
  ```

- Restart the agent and manager in order to apply the changes.
- Create a file with a name that does not contain UTF-8 characters in the folder under scanning. Example name: `tésting.txt`
- We can see the below log in `/var/ossec/logs/integrations.log`:

  ```
  Wed Jun 15 15:50:18 UTC 2022 /tmp/virustotal-1655308218--1043570507.alert df80e208b8628e60266c375f95936c55bf11c5ccc1336e229ef406883cd6eb60 > /dev/null 2>&1
  ```

- We can see the below alert in `/var/ossec/logs/alerts/alerts.log`:

  ```
  ** Alert 1655308563.1857299: - virustotal, 2022 Jun 15 15:56:03 (WIN-JLGVA4CR4VI) FE80:0000:0000:0000:B1E6:42AF:E199:1398->virustotal Rule: 87104 (level 3) -> 'VirusTotal: Alert - c:\users\vagrant\desktop\testing\tsting.txt - No positives found' {"virustotal": {"found": 1, "malicious": 0, "source": {"alert_id": "1655308562.1856042", "file": "c:\\users\\vagrant\\desktop\\testing\\tsting.txt", "md5": "7215ee9c7d9dc229d2921a40e899ec5f", "sha1": "b858cb282617fb0956d960215c8e84d1ccf909c6"}, "sha1": "b858cb282617fb0956d960215c8e84d1ccf909c6", "scan_date": "2022-06-14 12:10:08", "positives": 0, "total": 56, "permalink": "https://www.virustotal.com/gui/file/36a9e7f1c95b82ffb99743e0c5c4ce95d83c9a430aac59f84ef3cbfab6145068/detection/f-36a9e7f1c95b82ffb99743e0c5c4ce95d83c9a430aac59f84ef3cbfab6145068-1655208608"}, "integration": "virustotal"} virustotal.found: 1 virustotal.malicious: 0 virustotal.source.alert_id: 1655308562.1856042 virustotal.source.file: c:\users\vagrant\desktop\testing\tsting.txt virustotal.source.md5: 7215ee9c7d9dc229d2921a40e899ec5f virustotal.source.sha1: b858cb282617fb0956d960215c8e84d1ccf909c6 virustotal.sha1: b858cb282617fb0956d960215c8e84d1ccf909c6 virustotal.scan_date: 2022-06-14 12:10:08 virustotal.positives: 0 virustotal.total: 56 virustotal.permalink: https://www.virustotal.com/gui/file/36a9e7f1c95b82ffb99743e0c5c4ce95d83c9a430aac59f84ef3cbfab6145068/detection/f-36a9e7f1c95b82ffb99743e0c5c4ce95d83c9a430aac59f84ef3cbfab6145068-1655208608 integration: virustotal
  ```

Note: Please note that the alert suppresses the non-UTF-8 character - Reported in Issue

`'VirusTotal: Alert - c:\users\vagrant\desktop\testing\tsting.txt - No positives found'`
Description

The virustotal.py script for the integration component is failing when the file name to be processed doesn't start with a BOM.

Evidence

Steps to reproduce

Current Result: Unable to run integration for VirusTotal

Expected Result: Run integration for VirusTotal
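As an added example (not the project's virustotal.py and not code posted in this issue), a Python alert loader that parses the syscheck alert handed to the integration whether the file starts with a UTF-8 BOM, is plain UTF-8, or contains bytes that are not valid UTF-8; the cp1252 fallback, the syscheck field names and the sample alert are assumptions made for this example:

```python
import codecs
import json

# Fallback codec for alert bytes that are not valid UTF-8. This is an
# assumption made for the example (Windows agents using a legacy codepage).
FALLBACK_ENCODING = "cp1252"


def decode_alert_text(raw: bytes) -> str:
    """Decode an alert body whether or not it starts with a BOM.

    Covers UTF-8 with BOM, plain UTF-8, and bytes that are not valid
    UTF-8 (decoded with the fallback instead of dropping characters,
    which is what turns 'tésting.txt' into 'tsting.txt' above).
    """
    if raw.startswith(codecs.BOM_UTF8):
        return raw.decode("utf-8-sig")  # strips the BOM, rest is UTF-8
    try:
        return raw.decode("utf-8")
    except UnicodeDecodeError:
        return raw.decode(FALLBACK_ENCODING)


def load_alert(raw: bytes) -> dict:
    """Parse the alert JSON handed to the integration script."""
    return json.loads(decode_alert_text(raw))


def extract_file_info(alert: dict) -> dict:
    """Pick the syscheck fields a VirusTotal hash lookup needs (assumed names)."""
    syscheck = alert["syscheck"]
    return {"file": syscheck["path"],
            "md5": syscheck["md5_after"],
            "sha1": syscheck["sha1_after"]}


# Constructed sample alert (not real Wazuh output), encoded three ways.
_ALERT = {
    "id": "1655308562.1856042",
    "syscheck": {
        "path": "c:\\users\\vagrant\\desktop\\testing\\tésting.txt",
        "md5_after": "7215ee9c7d9dc229d2921a40e899ec5f",
        "sha1_after": "b858cb282617fb0956d960215c8e84d1ccf909c6",
    },
}
SAMPLE_UTF8 = json.dumps(_ALERT, ensure_ascii=False).encode("utf-8")
SAMPLE_BOM = codecs.BOM_UTF8 + SAMPLE_UTF8
SAMPLE_CP1252 = json.dumps(_ALERT, ensure_ascii=False).encode("cp1252")
```

Feeding `SAMPLE_CP1252` to `bytes.decode("utf-8")` directly raises `UnicodeDecodeError`, which is the kind of failure that stops the integration instead of producing an alert.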