“Detecting and Mitigating Malware Using Wazuh SIEM and VirusTotal Integration”
Documented By: Kamran Bader
AUGUST 2, 2025
https://www.linkedin.com/in/kamran-bader-5a8590286/
Executive Summary
This lab demonstrates how to configure Wazuh SIEM to detect and mitigate malware threats by integrating with VirusTotal. The process involves installing Python and PyInstaller, creating an automated malware removal script, and configuring Wazuh to leverage VirusTotal’s API for real-time malware detection. A controlled test is performed by downloading and executing a known malicious file after disabling Windows Defender. Wazuh successfully detects the malicious activity and reports it in the dashboard, showcasing its ability to automate malware analysis, detection, and response.
Furthermore, the integration highlights the value of external threat intelligence in strengthening endpoint security. It proves that automated workflows can significantly reduce manual intervention during incident handling. Overall, this approach enhances organizational readiness against advanced malware attacks.
Table of Contents
Executive Summary
Pre-Lab Requirements
Objective
Step 1: Configure Real-time Monitoring
Step 2: Install Python
Step 3: Install PyInstaller
Step 4: Create Malware Removal Script
Step 5: Convert Script to Executable
Step 6: Move Script to Wazuh Active-Response Folder
Step 7: Configure VirusTotal Integration
Step 8: Simulate Malware Infection
Step 9: Analyze Logs in Wazuh Dashboard
Conclusion
Pre-Lab Requirements
Before starting the lab, ensure the following prerequisites are met:
1. Windows VM with administrator access.
2. Ubuntu VM (Wazuh server) with Wazuh all-in-one installed.
3. Python installed with “Add to PATH” enabled for all users.
4. PyInstaller package installed.
5. Wazuh Agent installed on the Windows VM.
6. Access to VirusTotal API key (requires an account).
7. Administrative rights to edit Wazuh configuration files.
Objective
The objective of this lab is to:
1. Demonstrate how to integrate Wazuh SIEM with VirusTotal for malware detection.
2. Automate malware removal using custom PowerShell/Python scripts.
3. Test Wazuh’s ability to log, detect, and respond to malicious files in real time.
4. Validate the effectiveness of Wazuh as an endpoint malware analysis solution.
Step 1: Configure Real-time Monitoring
Add real-time File Integrity Monitoring for the Downloads directory inside the <syscheck> block of the agent's ossec.conf (the Windows profile directory is C:\Users\..., not C:\User\...):
<directories realtime="yes">C:\Users\kamra\Downloads</directories>
This ensures that any file added to the Downloads folder raises a syscheck alert immediately, which is what the VirusTotal integration later picks up for a hash lookup.
Step 2: Install Python
1. Run the Python installer.
2. Choose custom installation.
3. Enable “Install for all users” and “Add to PATH”.
Step 3: Install PyInstaller
1. Open PowerShell as Administrator.
2. Run:
pip install pyinstaller
3. Verify the installation by checking the PyInstaller version.
Step 4: Create Malware Removal Script
1. Download the reference script from Wazuh documentation: Wazuh Remove Threat Script
2. Save it as remove-threat.py on Desktop (ensure “Save as type: All files”).
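To show what the reference script has to do before it is packaged, here is an added example of a minimal active-response handler (not the Wazuh documentation's remove-threat.py). It assumes the Wazuh 4.x active-response protocol, in which wazuh-execd writes one JSON message to the handler's stdin and the flagged file path sits at parameters.alert.data.virustotal.source.file; the log file location is an assumption.

```python
# Added example handler, modelled on the behaviour of Wazuh's remove-threat.py.
# wazuh-execd passes one JSON message on stdin; "add" means act on the alert,
# "delete" is the timeout counterpart and needs no action for this use case.
import json
import os
import sys
from pathlib import Path

# Assumption: the real script writes next to the active-response/bin folder.
LOG_FILE = Path("active-response.log")


def parse_message(raw: str) -> dict:
    """Return {'command': ..., 'file': ...} from an execd JSON message."""
    msg = json.loads(raw)
    alert = msg.get("parameters", {}).get("alert", {})
    path = (alert.get("data", {})
                 .get("virustotal", {})
                 .get("source", {})
                 .get("file"))
    return {"command": msg.get("command"), "file": path}


def handle(raw: str, log_file: Path = LOG_FILE) -> str:
    """Delete the file named in an 'add' message and return the status line."""
    parsed = parse_message(raw)
    if parsed["command"] != "add":
        status = "Ignored command: %s" % parsed["command"]
    elif not parsed["file"]:
        status = "Error removing threat: no file path in alert"
    else:
        try:
            os.remove(parsed["file"])
            status = "Successfully removed threat"
        except OSError as exc:
            status = "Error removing threat: %s" % exc
    # The manager-side custom rules match on these exact status strings.
    with log_file.open("a", encoding="utf-8") as fh:
        fh.write(status + "\n")
    return status


if __name__ == "__main__":
    print(handle(sys.stdin.readline()))
```

Packaging it with PyInstaller (Step 5) produces the .exe that the active-response configuration on the manager names.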
Step 5: Convert Script to Executable
1. In PowerShell, navigate to Desktop.
2. Run:
pyinstaller -F remove-threat.py
This creates a standalone executable.
Step 6: Move Script to Wazuh Active-Response Folder
1. Copy the generated file into:
C:\Program Files (x86)\ossec-agent\active-response\bin
2. Restart the Wazuh Agent for changes to take effect.
Step 7: Configure VirusTotal Integration
1. Create a VirusTotal account.
2. Obtain the API key.
3. On the Wazuh server, add the API key into ossec.conf.
4. Restart Wazuh Manager.
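Steps 6 and 7 only place the executable and the API key; the manager still needs to be told to call VirusTotal on syscheck alerts and to run remove-threat.exe when a lookup comes back positive. The following is an added configuration example, not copied from the lab: the API key is a placeholder, the Downloads path assumes the user name from Step 1, rule 87105 is the Wazuh VirusTotal ruleset rule for one or more detecting engines, and rules 100092/100093 are the custom rules the Wazuh documentation pairs with this script.

```xml
<!-- Windows agent ossec.conf: real-time FIM on the monitored folder -->
<syscheck>
  <directories realtime="yes">C:\Users\kamra\Downloads</directories>
</syscheck>

<!-- Wazuh manager ossec.conf: look up the hash of every syscheck alert -->
<integration>
  <name>virustotal</name>
  <api_key>PLACEHOLDER_VIRUSTOTAL_API_KEY</api_key>
  <group>syscheck</group>
  <alert_format>json</alert_format>
</integration>

<!-- Wazuh manager ossec.conf: run remove-threat.exe on the reporting agent
     when rule 87105 fires (VirusTotal reported at least one positive) -->
<command>
  <name>remove-threat</name>
  <executable>remove-threat.exe</executable>
  <timeout_allowed>no</timeout_allowed>
</command>
<active-response>
  <disabled>no</disabled>
  <command>remove-threat</command>
  <location>local</location>
  <rules_id>87105</rules_id>
</active-response>

<!-- Wazuh manager local_rules.xml: turn the script's log lines into alerts
     so the dashboard in Step 9 shows whether removal succeeded -->
<group name="virustotal,">
  <rule id="100092" level="12">
    <if_sid>657</if_sid>
    <match>Successfully removed threat</match>
    <description>$(parameters.program) removed threat located at $(parameters.alert.data.virustotal.source.file)</description>
  </rule>
  <rule id="100093" level="12">
    <if_sid>657</if_sid>
    <match>Error removing threat</match>
    <description>Error removing threat located at $(parameters.alert.data.virustotal.source.file)</description>
  </rule>
</group>
```

Each fragment goes inside the existing <ossec_config> element of the file named in its comment; the manager must be restarted after editing, as the step above says.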
Step 8: Simulate Malware Infection
1. Disable Windows Defender on the Windows VM.
2. Download a test malware sample from a known source.
3. Copy the malware into the Remove Threat folder.
4. Extract and execute the file (ignore warning prompt).
5. Restart Wazuh Agent.
Step 9: Analyze Logs in Wazuh Dashboard
1. Open the Wazuh Dashboard.
2. Navigate to Settings → Modules → VirusTotal Module and enable it.
3. Observe the VirusTotal alerts triggered by the malicious file.
4. Review detection logs for malware classification details.
Conclusion
This lab successfully showcased the integration of Wazuh SIEM with VirusTotal to automate malware detection and response. By creating an active response script and monitoring directories in real time, Wazuh effectively identified and reported malicious files. The lab demonstrated how SIEM platforms, when combined with third-party threat intelligence (like VirusTotal), can serve as powerful tools for automated malware analysis and mitigation.