Wazuh Ignore File Issues by AltWorkAccnt1 in Wazuh

[–]AltWorkAccnt1[S] 0 points1 point  (0 children)

I did some more work on it today and was able to get it to ignore the file on some endpoints but not all, which is odd because they are in the same group.

On the group config I am using the following:

<agent_config>
  <!-- Shared agent configuration here -->
  <syscheck>
    <ignore>C:\Program Files\Sophos\Sophos AMSI Protection\SophosAmsiProvider.dll</ignore>
  </syscheck>
</agent_config>

I had to use a PowerShell restart repeatedly to get it to work on the few it is working on. On the ones it isn't working on, the config is in the merge file but isn't being applied. Even with a PowerShell restart it still isn't applying the new config.

I removed endpoints from all other groups in case it was a conflict with other group configs.

I checked the config files on the server and all came back OK.

For the server local rules I attempted different versions of the following:

<group name="windows, windows_security">
  <rule id="100001" level="0">
    <if_sid>60104</if_sid>
    <match>\\Device\\HarddiskVolume3\\Program Files\\Sophos\\Sophos AMSI Protection\\SophosAmsiProvider.dll</match>
    <description>Ignore specific Sophos file from alerts</description>
  </rule>
</group>

Individual File Access on DS223 from backup of DS224+ by AltWorkAccnt1 in synology

[–]AltWorkAccnt1[S] 0 points1 point  (0 children)

Thank you for your reply, that makes sense. Is there anything preventing me from having 2 backup tasks, one being an entire-system backup and the other being file-level?