wazuh-documentation
Improve guide for PoC Detecting and removing malware using VirusTotal integration
Related issue |
---|
https://github.com/wazuh/wazuh/issues/13995 |
Wazuh version | Component | Install type | Platform |
---|---|---|---|
4.3 | Active Response | Manager/Agent | any |
Description
Performing E2E UX tests for Release 4.3.5 - Release Candidate 1 - Active Response #13995 for PoC 'Detecting and removing malware using VirusTotal integration' we found that this guide could be improved in the following ways:
- Add installation and configuration steps for different OSs besides Ubuntu (Manager: RHEL, CentOS. Agent: RHEL, CentOS, macOS, Windows). For instance, it should mention that the `whodata` option is not supported on macOS.
- Include a prerequisites section. It should mention that a VirusTotal key is required.
- The configuration steps may be clearer if they are separated in different sections for manager and agent.
- The configuration in the agent shows a complete syscheck block but it isn't clear that we only need to add an entry:

```xml
<syscheck>
  <directories whodata="yes">/root</directories>
</syscheck>
```
In the documentation it mentions that the alerts are in /var/ossec/logs/alerts.log, but both the alert.json and alert.log are inside the /var/ossec/logs/alerts folder. These paths should be reviewed.
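As an added example (not from this issue or the Wazuh project), the script below reads the `alerts.json` file in the `/var/ossec/logs/alerts` directory the issue points to and lists the alerts in which the VirusTotal integration flagged a file, which is how one checks that the PoC actually produced a detection. The file path, the constructed sample alert lines and the `data.virustotal` field names are assumptions.

```python
import json
from pathlib import Path

# Assumed location: the issue notes that alerts.json and alerts.log live in this
# directory, not at /var/ossec/logs/alerts.log as the guide stated.
ALERTS_JSON = Path("/var/ossec/logs/alerts/alerts.json")

# Constructed sample in the shape of alerts.json (one JSON object per line).
# Rule ids, hashes and the data.virustotal field names are assumed/placeholder values.
SAMPLE_ALERTS = """\
{"rule":{"id":"550","level":7,"description":"Integrity checksum changed."},"syscheck":{"path":"/root/eicar.com","event":"modified"},"agent":{"name":"ubuntu-agent"}}
{"rule":{"id":"87105","level":12,"description":"VirusTotal: Alert - /root/eicar.com - 60 engines detected this file","groups":["virustotal"]},"data":{"virustotal":{"found":1,"malicious":1,"positives":60,"total":70,"source":{"file":"/root/eicar.com","md5":"PLACEHOLDER_MD5"}}},"agent":{"name":"ubuntu-agent"}}
{"rule":{"id":"87104","level":3,"description":"VirusTotal: Alert - No records in VirusTotal database","groups":["virustotal"]},"data":{"virustotal":{"found":0,"malicious":0,"source":{"file":"/root/notes.txt","md5":"PLACEHOLDER_MD5"}}},"agent":{"name":"ubuntu-agent"}}
{"rule":{"id":"550"
"""


def iter_alerts(text):
    """Yield one parsed alert per line; skip blank or truncated lines (the file may be mid-write)."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def virustotal_detections(text):
    """Return the alerts where the VirusTotal integration marked the scanned file as malicious."""
    hits = []
    for alert in iter_alerts(text):
        vt = alert.get("data", {}).get("virustotal")
        if not isinstance(vt, dict) or not vt.get("malicious"):
            continue
        hits.append({
            "file": vt.get("source", {}).get("file"),
            "positives": vt.get("positives", 0),
            "total": vt.get("total", 0),
            "agent": alert.get("agent", {}).get("name"),
        })
    return hits


def load_detections(path=ALERTS_JSON):
    """Read the live alerts.json on a manager and return its VirusTotal detections."""
    return virustotal_detections(path.read_text(encoding="utf-8", errors="replace"))


if __name__ == "__main__":
    for hit in virustotal_detections(SAMPLE_ALERTS):
        print(f"{hit['agent']}: {hit['file']} flagged by {hit['positives']}/{hit['total']} engines")
```

Run it as-is to see the constructed sample processed; call `load_detections()` on a manager to read the real file.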
This will be fixed on https://github.com/wazuh/wazuh-documentation/issues/6649
From v4.8.0-alpha2 tests it doesn't seem to be an issue any longer. Closing this issue should be considered now.