In this lab, I will build on the agent from the previous lab and add VirusTotal to detect malware in real time. Detecting and removing malware is crucial to keeping systems working and preventing unauthorized access, data breaches, and financial losses. VirusTotal aggregates the verdicts of dozens of antivirus engines, and Wazuh can query it with the hash of any file its File Integrity Monitoring module sees change, which is what makes real-time detection possible.

My first step was learning how to integrate external APIs into Wazuh by reading the documentation. Wazuh ships an integrator daemon that forwards selected alerts to external services such as VirusTotal. The steps were as follows:

  • Get the API key from the VirusTotal account page
  • Edit the ossec.conf file on the Wazuh manager and add the VirusTotal integration configuration block, including the API key
  • Restart the Wazuh manager to apply the change
  • Enable the File Integrity Monitoring module on the agent by adding a <directories> entry within the <syscheck> block of its ossec.conf, so changes in the target directory are reported. For this lab, I will move a malware sample into the ‘Documents’ folder
  • Restart the Wazuh agent on the Windows endpoint

Use Case

In this use case, I am testing detection with a suspicious file. I used the EICAR anti-malware test file from https://www.eicar.org/download-anti-malware-testfile/. It is harmless by design, but every antivirus engine flags it, which makes it a safe stand-in for real malware.

Next, I moved the file into the ‘Documents’ folder I had set syscheck to monitor. After that, I went to the Wazuh manager to check whether the alerts were generated.

The first alert, from syscheck, reports that a new file has been added.

The second alert carries the VirusTotal result, including how many engines detected the file.
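Below, as an added example written for this write-up (not code from the lab or from Wazuh), are the two ossec.conf fragments the steps above describe together with the lookup that produces the second alert. It runs offline: the API key is a placeholder, the syscheck alert (agent name win-lab, path to eicar.com) and both VirusTotal responses are constructed in the shape of the real ones, and the EICAR string is hashed in memory rather than written to disk.

```python
"""Added example for this write-up: what the Wazuh <-> VirusTotal integration
does, run entirely offline. Not code from the original lab or from Wazuh.
It checks the two ossec.conf fragments the steps above add, then replays the
hash lookup behind the second alert on constructed data; nothing here contacts
VirusTotal or writes the EICAR file to disk."""
import hashlib
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

# Manager side, /var/ossec/etc/ossec.conf (restart: systemctl restart
# wazuh-manager). The integrator daemon takes alerts whose rule groups include
# <group>syscheck</group> and queries VirusTotal with the file hash they carry.
MANAGER_FRAGMENT = """<ossec_config>
  <integration>
    <name>virustotal</name>
    <api_key>YOUR_VIRUSTOTAL_API_KEY</api_key>
    <group>syscheck</group>
    <alert_format>json</alert_format>
  </integration>
</ossec_config>"""

# Agent side, C:\Program Files (x86)\ossec-agent\ossec.conf (restart:
# Restart-Service -Name wazuh). Without realtime="yes" a dropped file is only
# noticed at the next scheduled scan (default 43200 s), not in real time.
AGENT_FRAGMENT = """<ossec_config>
  <syscheck>
    <directories realtime="yes">C:\\Users\\*\\Documents</directories>
  </syscheck>
</ossec_config>"""


def check_manager_config(xml_text: str) -> List[str]:
    """Pre-flight check of the <integration> block; returns problems (empty = OK)."""
    integ = ET.fromstring(xml_text).find("integration")
    if integ is None:
        return ["no <integration> block"]
    problems = []
    if integ.findtext("name") != "virustotal":
        problems.append("<name> must be 'virustotal'")
    key = (integ.findtext("api_key") or "").strip()
    if not key or key == "YOUR_VIRUSTOTAL_API_KEY":
        problems.append("<api_key> is missing or still the placeholder")
    if integ.findtext("group") != "syscheck":
        problems.append("<group> should be 'syscheck' so FIM alerts trigger the lookup")
    if integ.findtext("alert_format") != "json":
        problems.append("<alert_format> must be 'json'")
    return problems


def check_agent_config(xml_text: str) -> List[str]:
    """Pre-flight check of <syscheck>; flags directories not watched in real time."""
    dirs = ET.fromstring(xml_text).findall("syscheck/directories")
    if not dirs:
        return ["no <directories> entry inside <syscheck>"]
    return [f'{d.text}: realtime="yes" missing' for d in dirs if d.get("realtime") != "yes"]


# The 68-byte EICAR test string, kept in memory only: writing it to disk is what
# trips antivirus, and is exactly what the lab does on purpose.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# A syscheck "added" alert as the manager writes it to alerts.json. Constructed:
# agent name and path are made up; only the fields the integration uses are kept.
SYSCHECK_ALERT = {
    "rule": {"id": "554", "description": "File added to the system.",
             "groups": ["ossec", "syscheck"]},
    "agent": {"name": "win-lab"},
    "syscheck": {"path": "c:\\users\\labuser\\documents\\eicar.com",
                 "event": "added", "sha256_after": sha256_hex(EICAR)},
}


def hash_to_look_up(alert: Dict) -> Optional[str]:
    """What the integrator sends VirusTotal: the SHA-256 only, never the file."""
    if "syscheck" not in alert.get("rule", {}).get("groups", []):
        return None  # not a FIM alert, so the integration does not fire
    return alert.get("syscheck", {}).get("sha256_after")


# Two VirusTotal v3 file-report responses, constructed in the shape of the public
# API (GET /api/v3/files/{sha256}): a detection, and the 404 body returned for a
# hash VirusTotal has never seen. The engine counts are illustrative.
VT_DETECTED = {"data": {"attributes": {"last_analysis_stats": {
    "malicious": 60, "suspicious": 0, "undetected": 8, "harmless": 0}}}}
VT_UNKNOWN = {"error": {"code": "NotFoundError", "message": "File not found"}}


def classify(vt_response: Dict) -> Dict:
    """Mirror the integrator's decision for one lookup."""
    if "error" in vt_response:
        code = vt_response["error"].get("code")
        # An unknown hash is "no record", not "clean": a fresh dropper looks like this.
        return {"verdict": "no_record" if code == "NotFoundError" else "error", "positives": 0}
    stats = vt_response["data"]["attributes"]["last_analysis_stats"]
    positives = stats.get("malicious", 0)
    return {"verdict": "detected" if positives else "clean",
            "positives": positives, "total": sum(stats.values())}


if __name__ == "__main__":
    print("manager config:", check_manager_config(MANAGER_FRAGMENT) or "OK")
    print("agent config:", check_agent_config(AGENT_FRAGMENT) or "OK")
    print("lookup hash:", hash_to_look_up(SYSCHECK_ALERT))
    print("known sample:", classify(VT_DETECTED))
    print("never-seen sample:", classify(VT_UNKNOWN))
```

Two points worth taking away: Wazuh sends VirusTotal the hash, not the file, and a hash VirusTotal has never seen comes back as "no record" rather than "clean". The free public API is also rate-limited (4 lookups a minute, 500 a day), so copying a large batch of files into a monitored folder exhausts the quota and those lookups fail instead of returning a verdict.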

This lab showed that Wazuh and VirusTotal can be combined for live malware detection, and integrating VirusTotal with the Wazuh platform was straightforward. One thing to keep in mind: the integration sends VirusTotal a file hash, so a sample VirusTotal has never seen produces a "no records" alert rather than a detection.

Thanks for following along.
