Include a virustotal-remove-threat.(sh|py) active response script to delete malicious files in Linux/Unix endpoints out-of-the-box using VirusTotal events #16646
Labels
- feed/active response (Active response scripts, not the module)
- level/task
- module/active response
- type/enhancement/usability
Description
This issue aims to have a unified virustotal-remove-threat.sh or virustotal-remove-threat.py script that can be used to delete a file on Linux/Unix endpoints after it has been flagged as malicious by VirusTotal. This out-of-the-box script will remove the need for users to write their own scripts to remove malicious files, which may not be very effective for a wide range of events.

Sample scripts
This is a sample of a virustotal-remove-threat.sh script that can be improved and included out-of-the-box.

This is a sample of a virustotal-remove-threat.py script that can be improved and included out-of-the-box.

Expected configuration
To use this script, add the following configuration to the Wazuh server /var/ossec/etc/ossec.conf file:

Reference: [Using the VirusTotal integration and FIM](https://documentation.wazuh.com/current/proof-of-concept-guide/detect-remove-malware-virustotal.html)
Expected execution flow
The steps for the execution of this active response script virustotal-remove-threat.sh will be:

Detection alert samples (retrieved from Ubuntu 22.04)
Expected outcome: The file is deleted.
Fields of interest: data.virustotal.source.file
Alert generation guide: [Using the VirusTotal integration and FIM](https://documentation.wazuh.com/current/proof-of-concept-guide/detect-remove-malware-virustotal.html).
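As an added illustration of the .py variant (this is not the sample script attached to the issue nor Wazuh's own code), the script below reads the alert the way an active response script receives it and removes the path found in data.virustotal.source.file. It assumes the Wazuh 4.x stdin layout (`{"command": "add", "parameters": {"alert": {...}}}`) and the default active response log path; the `demo()` helper and its throwaway file are constructed for offline testing only.

```python
#!/usr/bin/env python3
"""virustotal-remove-threat.py: delete a file that VirusTotal flagged as malicious."""
import json
import os
import sys
import tempfile

LOG_FILE = "/var/ossec/logs/active-responses.log"  # Wazuh's active response log (assumed default)

def extract_file_path(message):
    """Return the flagged path from the active response message, or None.
    Assumed stdin layout (Wazuh 4.x): {"command": "add", "parameters": {"alert": {...}}}.
    The VirusTotal integration stores the scanned path in data.virustotal.source.file.
    """
    if message.get("command") != "add":  # "delete" is the timeout phase, nothing to do
        return None
    alert = message.get("parameters", {}).get("alert", {})
    vt = alert.get("data", {}).get("virustotal", {})
    return vt.get("source", {}).get("file")

def remove_threat(path):
    """Delete path if it is an absolute path to a regular file; return (deleted, reason)."""
    if not path or not os.path.isabs(path):
        return False, "refusing non-absolute path"
    if os.path.islink(path) or not os.path.isfile(path):  # never follow a link elsewhere
        return False, "not a regular file"
    try:
        os.remove(path)
    except OSError as exc:
        return False, f"remove failed: {exc.strerror}"
    return True, "removed"

def demo():
    """Constructed sample: a throwaway file plus a minimal alert that names it."""
    fd, victim = tempfile.mkstemp(prefix="vt-demo-")
    os.close(fd)
    message = {"command": "add", "parameters": {"alert": {
        "data": {"virustotal": {"source": {"file": victim}}}}}}
    path = extract_file_path(message)
    return path == victim, remove_threat(path), os.path.exists(victim)

if __name__ == "__main__":  # real run: Wazuh pipes the alert JSON on stdin
    target = extract_file_path(json.loads(sys.stdin.read()))
    deleted, reason = remove_threat(target) if target else (False, "no file in alert")
    with open(LOG_FILE, "a") as fh:
        fh.write(f"virustotal-remove-threat: {reason}: {target}\n")
    sys.exit(0 if deleted else 1)
```

The outcome is appended to the active response log so the deletion (or the reason it was refused) is visible alongside the triggering alert.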
General notes