Security Operations

Automated Malware Removal with Wazuh Active Response

Joshua Clarke 6 May 2025 4 min read
Wazuh SIEM, Active Response, Malware Removal

Learn how to configure the Wazuh SIEM to delete malicious files automatically, in real time, using the VirusTotal integration and a Python script.


Building on the foundational Wazuh SIEM setup, this guide shows you how to take your lab to the next level by automatically detecting and neutralizing malicious files in real time. We'll integrate VirusTotal with Wazuh and deploy a Python script to remove flagged files automatically, creating a robust automated defense chain.


Prerequisites and Setup

Before starting, make sure you have a Wazuh manager and agent already installed and running, along with the File Integrity Monitoring (FIM) setup completed. You'll also need a VirusTotal API key; free accounts allow 4 lookups per minute and 500 requests per day.

Step 1: Configure File Integrity Monitoring

To monitor a directory for new files, configure FIM on your agent. For this tutorial, we'll use a demonstration directory, but you should choose a production directory with restrictive permissions for safety.

mkdir -p /tmp/malware
chmod 777 /tmp/malware

Configure the agent centrally in Wazuh to monitor this directory by enabling FIM for Linux, setting the directory path, and making sure the directory entry carries realtime="yes" and check_all="yes".


Integrating Threat Intelligence

Step 2: Integrate VirusTotal

Enabling the VirusTotal integration provides real-time file reputation checks. Open the Wazuh manager configuration file (/var/ossec/etc/ossec.conf), paste the VirusTotal integration syntax from the documentation, and replace the placeholder API key with your own. After saving the file, restart the Wazuh manager.

To test the integration, download the EICAR test file:

curl https://secure.eicar.org/eicar.com -o /tmp/malware/EICAR

Check your Wazuh alerts; the alert should show detection details, including the number of engines that flagged the file and links to VirusTotal.


Automating the Response

Step 3: Deploy the Active Response Script

The Active Response feature in Wazuh enables automated actions based on alerts, providing real-time cybersecurity defenses beyond simple notifications. We'll create a script to delete malicious files.

First, install jq, which is required for the script:

apt install jq

Next, navigate to the active response scripts directory and create remove-threat.sh with the provided script, then set the correct permissions:

cd /var/ossec/active-response/bin
nano remove-threat.sh
chmod 750 remove-threat.sh
chown wazuh:wazuh remove-threat.sh
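The decision logic of a remove-threat.sh handler, as an added example written for this section; it is not the script the page refers to and not the one in the Wazuh documentation. It assumes the alert that wazuh-execd pipes to the handler on stdin carries the flagged path at .parameters.alert.data.virustotal.source.file (the field the VirusTotal integration fills), that the monitored directory is /tmp/malware from Step 1, and that the jq installed above is present (a sed fallback only keeps the demo running without it). The function names (extract_file_path, path_is_inside, remove_threat, build_alert, handle_stdin) are hypothetical, and the check_keys stdin handshake that the documented Wazuh 4.x script performs is deliberately left out, so treat this as a way to exercise the logic rather than a drop-in replacement. It goes one step beyond the page: any path that resolves outside the monitored directory is refused, so a malformed or tampered alert field cannot steer the deletion somewhere else.

```shell
#!/bin/sh
# Added example (not the page's remove-threat.sh): the decision logic of an
# active-response handler that deletes the file VirusTotal flagged. Assumes the
# alert that wazuh-execd pipes in on stdin carries the path at
# .parameters.alert.data.virustotal.source.file. The Wazuh 4.x check_keys
# handshake performed by the documented script is left out on purpose.

MONITORED_DIR="${MONITORED_DIR:-/tmp/malware}"            # directory from Step 1
AR_LOG="${AR_LOG:-/var/ossec/logs/active-responses.log}"  # where AR scripts log

# extract_file_path ALERT_JSON -> prints the flagged path, or nothing if absent
extract_file_path() {
    if command -v jq >/dev/null 2>&1; then
        printf '%s' "$1" | jq -r '.parameters.alert.data.virustotal.source.file // empty'
    else
        # Fallback so the demo runs without jq; only adequate for the alert shape above.
        printf '%s' "$1" | sed -n 's/.*"file"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' | head -n 1
    fi
}

# path_is_inside BASE PATH -> 0 if PATH resolves to a location under BASE
# (defeats "../" segments and symlinked parent directories in the alert data)
path_is_inside() {
    base=$(cd "$1" 2>/dev/null && pwd -P) || return 1
    parent=$(cd "$(dirname "$2")" 2>/dev/null && pwd -P) || return 1
    case "$parent/" in
        "$base/"*) return 0 ;;
        *)         return 1 ;;
    esac
}

# log_result MESSAGE -> appends a timestamped line to the active-response log
log_result() {
    printf '%s remove-threat: %s\n' "$(date '+%Y/%m/%d %H:%M:%S')" "$1" >> "$AR_LOG" 2>/dev/null || true
}

# remove_threat ALERT_JSON -> 0 if the flagged file was deleted, non-zero otherwise
remove_threat() {
    target=$(extract_file_path "$1")
    if [ -z "$target" ]; then
        log_result "alert carries no virustotal.source.file; nothing removed"
        return 2
    fi
    if ! path_is_inside "$MONITORED_DIR" "$target"; then
        log_result "refused to remove $target: outside $MONITORED_DIR"
        return 3
    fi
    if rm -f -- "$target"; then
        log_result "removed $target"
        return 0
    fi
    log_result "failed to remove $target"
    return 1
}

# build_alert PATH -> a constructed alert in the shape of the VirusTotal rule hit,
# for offline exercise of remove_threat; not a captured Wazuh message
build_alert() {
    printf '{"version":1,"command":"add","parameters":{"extra_args":[],"alert":{"rule":{"id":"87105","description":"VirusTotal: Alert - %s - 60 engines detected this file"},"data":{"virustotal":{"source":{"file":"%s"}}}},"program":"active-response/bin/remove-threat.sh"}}' "$1" "$1"
}

# Entry point when installed as remove-threat.sh: one JSON line arrives on stdin.
handle_stdin() {
    IFS= read -r input_json || return 1
    remove_threat "$input_json"
}

case "$0" in
    *remove-threat.sh) handle_stdin ;;
esac
```

To exercise it by hand, create a file under /tmp/malware and run `remove_threat "$(build_alert /tmp/malware/EICAR)"`; the outcome is written to the active-responses.log that Step 5 tells you to look at. Saved under the name remove-threat.sh, the final case statement switches the script to reading the alert from stdin, which is how wazuh-execd invokes it.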

Step 4: Configure Active Response

Enable the active response module in /var/ossec/etc/ossec.conf by adding a new command that references your script. Set disabled=no, configure the command to run locally on the agent, and set rules_id to the rule ID for malicious files (e.g., 87105). Finally, save the configuration and restart the Wazuh manager.
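The configuration pieces that Steps 1, 2 and 4 describe, gathered in one place as an added example (not text from the page or from the Wazuh documentation), together with a small check to run against the finished ossec.conf before restarting the manager. It assumes the monitored directory /tmp/malware from Step 1, the command name remove-threat and rule ID 87105 from Step 4, and uses the string YOUR_VIRUSTOTAL_API_KEY as the placeholder the page tells you to replace; the function names ossec_conf_fragments and check_ossec_conf are hypothetical. The check also catches the two weak states a practitioner most often ships by accident: the placeholder key left in place and the active-response block still set to disabled=yes.

```shell
#!/bin/sh
# Added example: the ossec.conf fragments for FIM (Step 1), the VirusTotal
# integration (Step 2) and the active response (Step 4), plus a check that a
# config file actually carries all of them. Not the page's or Wazuh's own text.

MONITORED_DIR="${MONITORED_DIR:-/tmp/malware}"   # directory from Step 1
VT_RULE_ID="${VT_RULE_ID:-87105}"                # rule ID from Step 4

# ossec_conf_fragments -> prints the three pieces to paste into ossec.conf
# (the <directories> line is the same one to add to the shared agent.conf when
# the agent is configured centrally)
ossec_conf_fragments() {
cat <<EOF
<!-- Step 1: FIM on the monitored directory; add to the existing <syscheck> -->
<syscheck>
  <disabled>no</disabled>
  <directories realtime="yes" check_all="yes">$MONITORED_DIR</directories>
</syscheck>

<!-- Step 2: VirusTotal integration; replace the placeholder with your key -->
<integration>
  <name>virustotal</name>
  <api_key>YOUR_VIRUSTOTAL_API_KEY</api_key>
  <group>syscheck</group>
  <alert_format>json</alert_format>
</integration>

<!-- Step 4: command wrapping remove-threat.sh, triggered on rule $VT_RULE_ID -->
<command>
  <name>remove-threat</name>
  <executable>remove-threat.sh</executable>
  <timeout_allowed>no</timeout_allowed>
</command>

<active-response>
  <disabled>no</disabled>
  <command>remove-threat</command>
  <location>local</location>
  <rules_id>$VT_RULE_ID</rules_id>
</active-response>
EOF
}

# check_ossec_conf FILE -> prints "ok" and returns 0 when every piece is wired
# up, otherwise prints the first problem found and returns 1
check_ossec_conf() {
    f="$1"
    if ! grep -q "<directories[^>]*realtime=\"yes\"[^>]*>$MONITORED_DIR</directories>" "$f"; then
        echo "FIM: $MONITORED_DIR is not monitored with realtime=\"yes\""; return 1
    fi
    if ! grep -q '<name>virustotal</name>' "$f"; then
        echo "integration: no <integration> block named virustotal"; return 1
    fi
    if grep -q '<api_key>YOUR_VIRUSTOTAL_API_KEY</api_key>' "$f"; then
        echo "integration: placeholder API key still in place"; return 1
    fi
    if ! grep -q '<executable>remove-threat.sh</executable>' "$f"; then
        echo "command: remove-threat.sh is not registered as a <command>"; return 1
    fi
    # Only the <disabled> inside <active-response> matters here, not the one in <syscheck>
    ar=$(sed -n '/<active-response>/,/<\/active-response>/p' "$f")
    case "$ar" in
        *"<disabled>no</disabled>"*) ;;
        *) echo "active-response: block missing or <disabled> is not 'no'"; return 1 ;;
    esac
    case "$ar" in
        *"<rules_id>$VT_RULE_ID</rules_id>"*) ;;
        *) echo "active-response: not bound to rule $VT_RULE_ID"; return 1 ;;
    esac
    echo "ok"
}
```

Run `ossec_conf_fragments` to print the snippets, merge them into the manager's ossec.conf (and the shared agent.conf for the syscheck part), then run `check_ossec_conf /var/ossec/etc/ossec.conf`; anything other than "ok" names the piece that still needs attention before the restart.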


Testing the Automated Workflow

Step 5: Test the Automated Workflow

Download the EICAR test file again to trigger the full workflow:

curl https://secure.eicar.org/eicar.com -o /tmp/malware/EICAR

You should see the file briefly appear in the /tmp/malware directory before the active response script immediately deletes it. Wazuh will show alerts with both the VirusTotal detection and the corresponding active response logs.


Common Pitfalls

  • Misconfigured FIM: Improper configuration can prevent malicious files from being detected in real time. Always double-check your directory paths and permissions.
  • Script Permission Issues: Incorrect permissions on the active response script can prevent it from executing. Ensure the chown and chmod commands were run correctly.

Key Takeaways

By setting up this workflow, you now have a fully automated malware removal system using the Wazuh SIEM, VirusTotal, and active response scripts. This setup allows instant neutralization of malicious files and can be adapted for other automated defensive actions, such as blocking IPs or disabling accounts. This provides a strong foundation for building a comprehensive automated cybersecurity environment.


Additional Resources


Want to see this setup in action? Watch the accompanying YouTube tutorial for a full step-by-step walkthrough.
