Include a `virustotal-remove-threat.exe` active response script out-of-the-box to delete malicious files in Windows endpoints using VirusTotal events.
#16647
Labels
feed/active response
Active response scripts (not the module)
level/task
module/active response
type/enhancement/usability
Description
This issue aims to have a unified `virustotal-remove-threat.exe` script that can be used to delete a file on a Windows endpoint after VirusTotal flags it as malicious. This out-of-the-box script will remove the need for users to write their own removal scripts, which may not be effective across the wide range of events the integration can produce.

Sample script

This is a sample of a `virustotal-remove-threat.py` script that can be improved and included out-of-the-box.

Expected configuration
To use this script, add the following configuration to the Wazuh server `/var/ossec/etc/ossec.conf` file:

Reference: Using the VirusTotal integration and FIM
Expected execution flow
The steps for the execution of this active response script `virustotal-remove-threat.exe` will be:

Detection alert samples
Expected outcome: The file in `data.virustotal.source.file` is deleted.

Fields of interest: `data.virustotal.source.file`.

Alert generation guide: [Using the VirusTotal integration and FIM](https://documentation.wazuh.com/current/proof-of-concept-guide/detect-remove-malware-virustotal.html).
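The following is an added example written for this page, not the sample script attached to the issue nor code from the Wazuh project. It shows the shape such a handler takes: it reads one active response message (JSON on stdin, a `command` of `add` or `delete`, the triggering alert under `parameters.alert`), extracts the field of interest `data.virustotal.source.file`, and removes that file. The allow-listed roots, the refusal of symbolic links, the log line format, the `build_message` sample alert and the `demo_run` scratch directories are assumptions made for this example; the rule id in the sample alert is constructed and should be checked against the local ruleset.

```python
"""Added example of a VirusTotal active response handler (not the issue's sample script).

Follows the Wazuh active response contract: one JSON message on stdin with
"command" set to "add" or "delete" and the alert under parameters.alert.
Removes the file named in data.virustotal.source.file after basic checks.
"""
import json
import os
import sys
import tempfile
from datetime import datetime, timezone

# Assumed policy for this example: only files below these roots may be removed.
# A deployment would point these at the directories FIM monitors on the endpoint.
DEFAULT_ALLOWED_ROOTS = (r"C:\Users\Public\Downloads", r"C:\Temp")


def parse_message(raw: str) -> dict:
    """Validate the execd message shape before acting on anything inside it."""
    msg = json.loads(raw)
    if msg.get("version") != 1 or msg.get("command") not in ("add", "delete"):
        raise ValueError("unsupported active response message")
    return msg


def target_path(msg: dict):
    """Field of interest: parameters.alert.data.virustotal.source.file (or None)."""
    try:
        return msg["parameters"]["alert"]["data"]["virustotal"]["source"]["file"]
    except (KeyError, TypeError):
        return None


def under_allowed_root(path: str, roots) -> bool:
    """True if the resolved path sits inside one of the allow-listed roots."""
    real = os.path.realpath(path)
    for root in roots:
        root_real = os.path.realpath(root)
        try:
            if os.path.commonpath([real, root_real]) == root_real:
                return True
        except ValueError:  # different drives on Windows: cannot be under this root
            continue
    return False


def remove_threat(path: str, roots) -> str:
    """Delete the flagged file after safety checks; return a status word."""
    if os.path.islink(path):  # never follow a link planted at the flagged path
        return "refused_symlink"
    if not under_allowed_root(path, roots):
        return "refused_outside_allowlist"
    if not os.path.isfile(path):  # already gone, or a directory: nothing to remove
        return "not_found"
    os.remove(path)
    return "removed"


def handle_message(raw: str, roots=DEFAULT_ALLOWED_ROOTS, log_path=None) -> dict:
    """Process one execd message; return what was done and append it to the log."""
    msg = parse_message(raw)
    if msg["command"] != "add":  # "delete" (timeout) has nothing to undo for a removed file
        result = {"action": "ignored", "reason": "only 'add' triggers removal"}
    else:
        path = target_path(msg)
        if path is None:
            result = {"action": "ignored", "reason": "no data.virustotal.source.file in alert"}
        else:
            rule = msg["parameters"]["alert"].get("rule", {}).get("id")
            result = {"action": remove_threat(path, roots), "file": path, "rule": rule}
    if log_path:
        with open(log_path, "a", encoding="utf-8") as log:
            log.write(f"{datetime.now(timezone.utc).isoformat()} {json.dumps(result)}\n")
    return result


def build_message(command: str, file_path: str) -> str:
    """Constructed execd message carrying a VirusTotal alert for file_path."""
    return json.dumps({
        "version": 1,
        "origin": {"name": "node01", "module": "wazuh-execd"},
        "command": command,
        "parameters": {
            "extra_args": [],
            "alert": {
                "rule": {"id": "87105"},  # constructed; verify against the local ruleset
                "data": {"virustotal": {"found": 1, "malicious": 1, "source": {"file": file_path}}},
            },
            "program": "active-response/bin/virustotal-remove-threat.exe",
        },
    })


def demo_run() -> dict:
    """Exercise the handler against constructed files in scratch directories."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as elsewhere:
        flagged = os.path.join(root, "flagged-sample.exe")
        stray = os.path.join(elsewhere, "flagged-elsewhere.exe")
        for p in (flagged, stray):
            with open(p, "wb") as fh:
                fh.write(b"constructed harmless bytes")
        log = os.path.join(root, "active-responses.log")
        return {
            "removed": handle_message(build_message("add", flagged), (root,), log)["action"],
            "gone": not os.path.exists(flagged),
            "repeat": handle_message(build_message("add", flagged), (root,), log)["action"],
            "outside": handle_message(build_message("add", stray), (root,), log)["action"],
            "outside_kept": os.path.exists(stray),
            "timeout": handle_message(build_message("delete", flagged), (root,), log)["action"],
            "log_lines": sum(1 for _ in open(log, encoding="utf-8")),
        }


if __name__ == "__main__":  # invoked by wazuh-execd: the message arrives on stdin
    print(json.dumps(handle_message(sys.stdin.read())))
```

The allow-list and the symlink refusal are the part worth keeping even if the rest is rewritten: the path in the alert originates on the endpoint, so a deletion handler that trusts it blindly will remove whatever path ends up in `data.virustotal.source.file`. The `delete` command (sent on timeout) is deliberately a no-op here, since a removed file cannot be restored.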
General notes