VirusTotal is an online portal, owned by Google, that uses many antivirus engines to check for viruses and malware. It provides an API service that Wazuh uses to scan file hashes, domain names, IP addresses, or URLs. For this integration we use the wazuh-integratord component that runs on the Wazuh manager. Check our VirusTotal documentation for more information about this integration.
In this use case, we monitor a directory in real time and run a VirusTotal scan on every new or recently modified file. If a file is classified as malicious, an active response is triggered and the file is removed.
Configuring VirusTotal integration
Insert your API key and enable the VirusTotal integration on the Wazuh manager by adding the following configuration to /var/ossec/etc/ossec.conf.
<ossec_config>
<integration>
<name>virustotal</name>
<api_key>${your_virustotal_api_key}</api_key>
<rule_id>100200,100201</rule_id>
<alert_format>json</alert_format>
</integration>
</ossec_config>
In this example, we limit the scanning to new or recently modified files in the /root directory because of the queries-per-minute limit of a free VirusTotal account. To do so, we create custom rules that match file integrity monitoring events for the /root directory and use them to trigger the VirusTotal integration.
Add the following custom rules to /var/ossec/etc/rules/local_rules.xml.
<group name="syscheck,pci_dss_11.5,nist_800_53_SI.7,">
<!-- Rules for Linux systems -->
<rule id="100200" level="7">
<if_sid>550</if_sid>
<field name="file">/root</field>
<description>File modified in /root directory.</description>
</rule>
<rule id="100201" level="7">
<if_sid>554</if_sid>
<field name="file">/root</field>
<description>File added to /root directory.</description>
</rule>
</group>
Configuring Active Response to remove malicious files
Once VirusTotal identifies a file as a threat, Wazuh triggers an active response that removes the file from the system.
Configuring the Wazuh manager
Append the following blocks to the Wazuh manager /var/ossec/etc/ossec.conf file.
<ossec_config>
<command>
<name>remove-threat</name>
<executable>remove-threat.sh</executable>
<timeout_allowed>no</timeout_allowed>
</command>
<active-response>
<disabled>no</disabled>
<command>remove-threat</command>
<location>local</location>
<rules_id>87105</rules_id>
</active-response>
</ossec_config>
The active response is triggered by rule 87105, which fires when VirusTotal identifies a file as malicious.
Add the following custom rules to /var/ossec/etc/rules/local_rules.xml.
<group name="virustotal,">
<rule id="100092" level="12">
<if_sid>657</if_sid>
<match>Successfully removed threat</match>
<description>$(parameters.program) removed threat located at $(parameters.alert.data.virustotal.source.file)</description>
</rule>
<rule id="100093" level="12">
<if_sid>657</if_sid>
<match>Error removing threat</match>
<description>Error removing threat located at $(parameters.alert.data.virustotal.source.file)</description>
</rule>
</group>
These rules fire when active response removes a malicious file or when an error occurs while removing it.
Restart Wazuh manager to apply configuration changes.
systemctl restart wazuh-manager
Configuring the Wazuh agent for VirusTotal
Change the file integrity monitoring settings in /var/ossec/etc/ossec.conf to monitor /root in real time.
<syscheck>
<directories whodata="yes">/root</directories>
</syscheck>
Add the following active response script at /var/ossec/active-response/bin/remove-threat.sh.
#!/bin/bash
# Active response script: wazuh-execd passes the triggering alert as one JSON line on stdin.
LOCAL=$(dirname "$0")
cd "$LOCAL" || exit 1
cd ../ || exit 1
AR_DIR=$(pwd)
read -r INPUT_JSON
FILENAME=$(echo "$INPUT_JSON" | jq -r '.parameters.alert.data.virustotal.source.file')
COMMAND=$(echo "$INPUT_JSON" | jq -r '.command')
LOG_FILE="${AR_DIR}/../logs/active-responses.log"
#------------------------ Analyze command -------------------------#
if [ "${COMMAND}" = "add" ]
then
    # Send control message to execd and wait for its verdict before acting
    printf '{"version":1,"origin":{"name":"remove-threat","module":"active-response"},"command":"check_keys", "parameters":{"keys":[]}}\n'
    read -r RESPONSE
    COMMAND2=$(echo "$RESPONSE" | jq -r '.command')
    if [ "${COMMAND2}" != "continue" ]
    then
        echo "$(date '+%Y/%m/%d %H:%M:%S') $0: $INPUT_JSON Remove threat active response aborted" >> "${LOG_FILE}"
        exit 0
    fi
fi
# Refuse to act when the alert carries no file path (jq prints "null" for a missing key)
if [ -z "${FILENAME}" ] || [ "${FILENAME}" = "null" ]
then
    echo "$(date '+%Y/%m/%d %H:%M:%S') $0: $INPUT_JSON Error removing threat" >> "${LOG_FILE}"
    exit 0
fi
# Removing file (quoted so paths containing spaces or glob characters are handled as one argument)
if rm -f "${FILENAME}"; then
    echo "$(date '+%Y/%m/%d %H:%M:%S') $0: $INPUT_JSON Successfully removed threat" >> "${LOG_FILE}"
else
    echo "$(date '+%Y/%m/%d %H:%M:%S') $0: $INPUT_JSON Error removing threat" >> "${LOG_FILE}"
fi
exit 0
This script receives the malicious file information from the alert generated by VirusTotal (87105), removes the file, and writes the active response log.
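The exchange between wazuh-execd and the script above, as an added example that is not part of the original page or of Wazuh's own code: it models both sides (a constructed alert in the shape the script reads, the check_keys handshake, and the "continue" reply), and additionally refuses to remove anything that does not resolve under the monitored directory, a check the page's script does not perform. The execd reply format is simplified to the one field the script inspects; the alert contents are constructed sample data.

```python
import json
import os
from collections import deque

def alert_for(path, command="add"):
    """Constructed alert in the shape execd hands to the script on stdin
    (field path matches the page: parameters.alert.data.virustotal.source.file)."""
    return {"version": 1, "origin": {"name": "node01", "module": "wazuh-execd"},
            "command": command,
            "parameters": {"program": "remove-threat",
                           "alert": {"rule": {"id": "87105"},
                                     "data": {"virustotal": {"source": {"file": path}}}}}}

def inside(path, root):
    """True if path resolves under root (blocks '..' and symlink escapes from the FIM scope)."""
    real_root = os.path.realpath(root)
    return os.path.commonpath([os.path.realpath(path), real_root]) == real_root

def remove_threat(stdin_lines, stdout_lines, remove=os.remove, root="/root"):
    """Script side of the exchange; returns the status string it would log."""
    req = json.loads(stdin_lines.popleft())
    if req.get("command") == "add":
        # Ask execd whether the key is still pending; proceed only on an explicit "continue".
        stdout_lines.append(json.dumps({"version": 1,
                                        "origin": {"name": "remove-threat", "module": "active-response"},
                                        "command": "check_keys", "parameters": {"keys": []}}))
        reply = json.loads(stdin_lines.popleft())
        if reply.get("command") != "continue":
            return "Remove threat active response aborted"
    path = (req.get("parameters", {}).get("alert", {}).get("data", {})
               .get("virustotal", {}).get("source", {}).get("file"))
    if not path or not inside(path, root):   # missing path, or a path outside the monitored tree
        return "Error removing threat"
    try:
        remove(path)
    except OSError:                          # mirrors the script's non-zero rm exit status
        return "Error removing threat"
    return "Successfully removed threat"

def run_exchange(alert, execd_reply="continue", remove=os.remove, root="/root"):
    """Execd side (simulated): feed the alert, answer check_keys, collect what the script sent."""
    stdin = deque([json.dumps(alert), json.dumps({"command": execd_reply})])
    sent = []
    status = remove_threat(stdin, sent, remove, root)
    return status, sent
```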
Change the owner and permissions of /var/ossec/active-response/bin/remove-threat.sh.
chmod 750 /var/ossec/active-response/bin/remove-threat.sh
chown root:ossec /var/ossec/active-response/bin/remove-threat.sh
Restart Wazuh agent to apply configuration changes.
systemctl restart wazuh-agent
Generate an alert
When a file is modified under the monitored directory /root, it triggers a VirusTotal scan and generates an alert if detected as malicious. Active response is configured to remove the threat automatically.
To test that everything is working correctly, generate an alert using the EICAR test file. The expected outcome is that the file is detected as malicious and removed automatically by active response.
cd /root
curl -LO http://www.eicar.org/download/eicar.com