Introduction

Detecting malicious files is super important for keeping your computer safe. If we don't catch
these bad files, they can mess with our data and even let hackers into our systems! That's why
it's crucial to have good malware detection.

Malware detection helps us find and get rid of these bad files before they can do any harm. It
keeps our data safe and our systems running smoothly. Plus, it helps us stay one step ahead of
cyber threats.

In this blog, we'll learn about a method called CDB list with active response that helps us
detect and remove malware. This method works on both Windows and Linux computers.

Here's how it works: We keep an eye on our computer's directories, looking for any
suspicious changes. When we find a bad file, we use an active response to remove it and keep
our system safe.

Understanding CDB Lists

1.What are CDB Lists?
 CDB stand for constant databases are like special lists that help Wazuh keep our
systems safe from cyber threats. They store important information like usernames, file
hash, IP addresses.
 When Wazuh is checking our system for any suspicious activity, it also checks these
CDB lists. If it finds a match, it can trigger specific rules to keep our system safe.
 For example, if Wazuh finds a file that matches a bad file hash listed in the CDB list,
it knows there's a problem and can take action to keep our system safe.

2. Structure and Format of CDB Lists

 The structure and format of CDB lists in Wazuh are quite straightforward. A CDB list
is a plain text file where each line represents a unique key-value pair, separated by a
colon :.
 Here’s the general structure:
 Keys: Must be unique for each entry.
 Values: Can be repeated and are optional.
 Colon :: Used as a separator between key and value.
 Example of a CDB List Entry:
 key1:value1 :
 key2:value2 :
 key3:value2 :
3. Setting Up CDB Lists in Wazuh
Step 1:

Create a CDB list malware-hashes of known malware hashes and save it to the
/var/ossec/etc/lists directory on the Wazuh server.

Command: vi /var/ossec/etc/lists/malware-hashes

Step 2:

To add the hash of malware to the CDB list, you can download the hash value from the
VirusShare database. This database provides a comprehensive collection of hash values for
various malware samples. You can access the hash values by visiting the VirusShare Hash
Database at this link: VirusShare Hash Database.

Step 3:

To address the issue of missing colons at the end of each hash value obtained from the
website, a Python script is utilized to automatically append the colon to each hash. This step
ensures that the hash values are formatted correctly for inclusion in the CDB list used by
Wazuh for malware detection.

Python Script

with open('<path_to_downloaded_hashes_list>', 'r') as istr:

with open('malware-hashes', 'w') as ostr:
for i, line in enumerate(istr):
if i > 5:
line = line.rstrip('\n')
line += ':'
print(line, file=ostr)

Step 4:

After creating the CDB list, we add it to the manager's configuration file (ossec.conf) so that
it can be used in rules. To do this, we specify the path to the list within the <ruleset> block in
the ossec.conf file.

<rulest>
<list>etc/lists/malware-hashes</list>
</ruleset>
Step 5:

On the agent, we can watch a folder for any changes in files. To do this, we add a <directories>
block in the agent's configuration file and specify the folder we want to monitor. After
making this change, we need to restart the agent for the new configuration to take effect.

<ossec_config>
<syscheck>
<disabled>no</disabled>
<directories check_all="yes"
realtime="yes">MONITORED_DIRECTORY_PATH</directories>
</syscheck>
</ossec_config>

Then restart the Agent

linux: systemctl restart wazuh-agent

windows: net stop wazuh-agent && net start wazuh-agent

Step 6:

Next, we create a custom rule in the file /var/ossec/etc/rules/local_rules.xml. This rule will trigger
an alert whenever the hash of a downloaded file matches any hash in the malware blacklist.

<group name="local,malware,">
<rule id="100002" level="5">
<if_sid>554</if_sid>
<list field="md5" lookup="match_key">etc/lists/malware-hashes</list>
<description>A file - $(file) - in the malware blacklist was added to the
system.</description>
</rule>
<rule id="100003" level="5">
<if_sid>100002</if_sid>
<field name="file" type="pcre2">(?i)[c-z]:</field>
<description>A file - $(file) - in the malware blacklist was added to the
system.</description>
</rule>
</group>

Note : After creating the rule. restart the wazuh manager

command: systemctl restart wazuh-manager
Step 7:

To make sure our detection rule is working, we download a test file called eicar.com (you can
find it here) into the folder that our system is keeping an eye on. When we do this, we get an
alert telling us that the file we downloaded is on the malware blacklist. This shows us that our
system is working and keeping us safe from harmful files.

Active Response in Wazuh

1. What is Active Response?

Active Response in Wazuh is like having a security guard for your computer. When Wazuh
detects something bad, Active Response steps in and takes action right away to stop it.

For example, if Wazuh finds a harmful file on your computer, Active Response can
automatically delete it to keep your system safe. It's like having a superhero that protects your
computer from attacker!

2. Configuring Active Response to React to Threats

1. Windows EndPoint

Step 1:

The remove.py Python script is responsible for removing malware when Active Response is
triggered. To ensure it works properly, we need to add the remove.py file to the following
directory: C:\Program Files (x86)\ossec-agent\active-response\.

Step 2: add the following code into the remove.py

#!/usr/bin/python3
# Copyright (C) 2015-2022, Wazuh Inc.
# All rights reserved.

import os
import sys
import json
import datetime

if os.name == 'nt':
LOG_FILE = "C:\\Program Files (x86)\\ossec-agent\\active-response\\active-responses.log"
else:
LOG_FILE = "/var/ossec/logs/active-responses.log"

ADD_COMMAND = 0
DELETE_COMMAND = 1
CONTINUE_COMMAND = 2
ABORT_COMMAND = 3

OS_SUCCESS = 0
OS_INVALID = -1

class message:
def __init__(self):
self.alert = ""
self.command = 0

def write_debug_file(ar_name, msg):

with open(LOG_FILE, mode="a") as log_file:
log_file.write(str(datetime.datetime.now().strftime('%Y/%m/%d %H:%M:%S')) + " " + ar_name + ": " +
msg +"\n")

def setup_and_check_message(argv):

# get alert from stdin

input_str = ""
for line in sys.stdin:
input_str = line
break

try:
data = json.loads(input_str)
except ValueError:
write_debug_file(argv[0], 'Decoding JSON has failed, invalid input format')
message.command = OS_INVALID
return message

message.alert = data

command = data.get("command")

if command == "add":
message.command = ADD_COMMAND
elif command == "delete":
message.command = DELETE_COMMAND
else:
message.command = OS_INVALID
write_debug_file(argv[0], 'Not valid command: ' + command)

return message

def send_keys_and_check_message(argv, keys):

# build and send message with keys

 keys_msg = json.dumps({"version": 1,"origin":{"name": argv[0],"module":"active-
response"},"command":"check_keys","parameters":{"keys":keys}})

write_debug_file(argv[0], keys_msg)

print(keys_msg)
sys.stdout.flush()

# read the response of previous message

input_str = ""
while True:
line = sys.stdin.readline()
if line:
input_str = line
break

# write_debug_file(argv[0], input_str)

try:
data = json.loads(input_str)
except ValueError:
write_debug_file(argv[0], 'Decoding JSON has failed, invalid input format')
return message

action = data.get("command")

if "continue" == action:
ret = CONTINUE_COMMAND
elif "abort" == action:
ret = ABORT_COMMAND
else:
ret = OS_INVALID
write_debug_file(argv[0], "Invalid value of 'command'")

return ret

def main(argv):

write_debug_file(argv[0], "Started")

# validate json and get command

msg = setup_and_check_message(argv)

if msg.command < 0:
sys.exit(OS_INVALID)

if msg.command == ADD_COMMAND:
alert = msg.alert["parameters"]["alert"]
keys = [alert["rule"]["id"]]
action = send_keys_and_check_message(argv, keys)

# if necessary, abort execution

if action != CONTINUE_COMMAND:

if action == ABORT_COMMAND:
write_debug_file(argv[0], "Aborted")
sys.exit(OS_SUCCESS)
else:
write_debug_file(argv[0], "Invalid command")
sys.exit(OS_INVALID)
 try:
os.remove(msg.alert["parameters"]["alert"]["syscheck"]["path"])
write_debug_file(argv[0], json.dumps(msg.alert) + " Successfully removed threat")
except OSError as error:
write_debug_file(argv[0], json.dumps(msg.alert) + "Error removing threat")

else:
write_debug_file(argv[0], "Invalid command")

write_debug_file(argv[0], "Ended")

sys.exit(OS_SUCCESS)

if __name__ == "__main__":
main(sys.argv)

Step 3:

To make sure the Python script can run on all Windows agents, even if they don't have
Python installed, we need to create an executable file from the script. We can do this by using
a tool called pyinstaller, which converts the script into an executable file.

Command : pyinstaller -F remove-threat.py

Step 4: We copy the built executable to C:\Program Files (x86)\ossec-agent\active-response\bin

2. Linux Endpoint
Step1:

The remove-threat Python script is responsible for removing malware when Active Response
is triggered. To ensure it works properly, we need to add the remove-threat file to the
following directory: /var/ossec/active-response/bin/

step 2:

copy the python code from the Above and append into the remove-threat

Step 3:

Change the file owner and group to root:wazuh, then give the script execution permissions.

chmod 750 /var/ossec/active-response/bin/remove-threat

chown root:wazuh /var/ossec/active-response/bin/remove-threat

3.configure in the manager

Now that we've placed the active response executable in the bin folder on the agent, we
configure the manager to trigger an active response when the malware blacklist detection rule
is triggered. In the manager configuration file, we add the following block inside the
<ossec_config> block:

Step 1: windows and linux

<!—Windows -->
<command>
<name>remove-threat-windows</name>
<executable>remove-threat.exe</executable>
<timeout_allowed>no</timeout_allowed>
</command>

<active-response>
<disabled>no</disabled>
<command>remove-threat-windows</command>
<location>local</location>
<rules_id>100003</rules_id>
</active-response>

<!-- Linux -->

<command>
<name>remove-threat-Linux</name>
<executable>remove-threat</executable>
<timeout_allowed>no</timeout_allowed>
</command>
<active-response>
<disabled>no</disabled>
<command>remove-threat-Linux</command>
<location>local</location>
<rules_id>100002</rules_id>
</active-response>

4. Crete a rule for the Active response log

We can set up rules to alert us when the active response file removal is successful or fails. To do this,
we add the following rule to the /var/ossec/etc/rules/local_rules.xml file on the manager and then restart
it.
<rule id="100004" level="7">
<if_sid>657</if_sid>
<match>Successfully removed threat</match>
<description>$(parameters.program): Successfully removed threat $
(parameters.alert.syscheck.path) whose MD5 hash appears in a malware
blacklist.</description>
</rule>
<rule id="100005" level="7">
<if_sid>657</if_sid>
<match>Error removing threat</match>
<description>$(parameters.program): Error removing threat $
(parameters.alert.syscheck.path) whose MD5 hash appears in a malware
blacklist.</description>
</rule>

Conclusion
In this blog, we've learned about the importance of malware detection and how it helps us
keep our systems safe from cyber threats. By using CDB lists in Wazuh, we can proactively
detect and remove malware by monitoring our system for any suspicious changes. We've also
explored Active Response, which automatically takes action to stop security threats as soon
as they are detected. By setting up Active Response to remove malware when it is detected,
we can ensure that our systems stay safe from cyber threats