Exercise: EICAR Malware - Fooster171/Wazuh-SEIM-Home-Lab GitHub Wiki

EICAR Malware File

If you're unfamiliar with it, EICAR is a benign test file that anti-virus programs are built to detect as if it were malware, which makes it a safe way to exercise them. It is available either as a text string you can save to a file yourself or in a few different download formats from the link below: https://www.eicar.org/download-anti-malware-testfile/

Windows Defender Malware Test

For a quick exercise to generate an alert within Wazuh, we're going to use EICAR and view the results within the Wazuh server. After logging into the Windows user machine, navigate to the link above.

Download the first zip file; Microsoft Edge will likely flag it as unsafe. In the browser's download prompt you can tell Edge to keep the file.

After attempting to unzip the file, you should see a pop-up from Windows Defender reporting that threats were found. Pulling up Windows Defender, we can see the EICAR file being caught:

If we pull up the Wazuh server and go to Agents -> Windows User Machine -> Security Events, we can see a few events that have now been generated:

Switching to the "Events" page, we can see all three Windows Defender log entries about the malware that were sent to the server. This confirms that log forwarding from the agent is working end to end.
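Before looking for the entries in Wazuh, it helps to confirm on the Windows machine itself that Defender actually wrote detection events and that the agent is configured to forward that channel. The following PowerShell snippet is an added example, not part of the wiki or of Wazuh; it assumes the default Wazuh agent install path (`C:\Program Files (x86)\ossec-agent`) and that the Defender detection messages contain `Name:` and `Path:` lines, as they do on current Windows 10/11 builds. Run it in an elevated PowerShell session.

```powershell
# Added example (not from the wiki): check the local Defender event log for the
# EICAR detection before looking for it in Wazuh.
# Event ID 1116 = malware detected, 1117 = action taken (quarantine/remove).
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1116, 1117
    StartTime = (Get-Date).AddHours(-1)
} -ErrorAction SilentlyContinue

$eicarEvents = $events | Where-Object { $_.Message -match 'EICAR' }

if (-not $eicarEvents) {
    Write-Warning 'No EICAR detection events in the last hour; retry the download and check that real-time protection is on.'
} else {
    # Pull the threat name and file path out of the multi-line event message
    $eicarEvents |
        Select-Object TimeCreated, Id,
            @{ Name = 'Threat'; Expression = { (($_.Message -split "`n") | Where-Object { $_ -match 'Name:' } | Select-Object -First 1) -replace '^\s*Name:\s*', '' } },
            @{ Name = 'Path';   Expression = { (($_.Message -split "`n") | Where-Object { $_ -match 'Path:' } | Select-Object -First 1) -replace '^\s*Path:\s*', '' } } |
        Format-Table -AutoSize
}

# The agent only ships this channel if ossec.conf has a <localfile> entry for it.
# Default install path assumed; adjust if the agent lives elsewhere.
$ossecConf = 'C:\Program Files (x86)\ossec-agent\ossec.conf'
if (Test-Path $ossecConf) {
    $forwardsDefender = Select-String -Path $ossecConf -Pattern 'Windows Defender/Operational' -Quiet
    "Wazuh agent forwards the Defender channel: $forwardsDefender"
} else {
    Write-Warning "ossec.conf not found at $ossecConf"
}
```

If the events are present locally but missing in Wazuh, the `<localfile>` check is the first place to look; if they are missing locally, the problem is on the Defender side and not in the Wazuh pipeline.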

VirusTotal Integration Test

Since we have confirmed that Windows Defender is sending logs to Wazuh, let's test the VirusTotal integration. We can use the same EICAR test file, but first we need to disable Windows Defender; otherwise it removes the file before the VirusTotal integration gets a chance to look at it.

First go to Windows Defender and select the option to manage "Virus & Protection" settings. Turn off real-time protection:

Now go back to the EICAR page and re-attempt the download. After unzipping the file, we should begin to see results listed in the VirusTotal integration. Go to Modules -> VirusTotal, which should be listed under the Threat Detection section. Make sure the date range filter is set correctly so you can see the results:

These events can also be viewed in the Security Events section for each agent:
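The VirusTotal integration keys on the file hash carried in the Wazuh FIM (syscheck) alert, so it is worth knowing what that hash should be for EICAR and being able to produce the file locally without going back to the download page. The following PowerShell snippet is an added example, not from the wiki or from Wazuh; it assumes the lab's syscheck configuration covers the user's Downloads folder (as the exercise implies), and the reference hashes are the published values for the 68-byte EICAR file. The test string is assembled from two fragments so that the script file itself is not flagged by on-access scanning; only the file it writes should be.

```powershell
# Added example (not from the wiki): create the EICAR test file locally and
# report the hashes that the FIM alert and the VirusTotal lookup will carry.

# Published EICAR string (eicar.org), split so the script is not itself detected
$eicar = 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-' + 'ANTIVIRUS-TEST-FILE!$H+H*'

# Published reference hashes of the 68-byte file
$knownSha256 = '275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f'
$knownMd5    = '44d88612fea8a8f36de82e1278abb02f'

# Record whether real-time protection is off, as the exercise requires
$status = Get-MpComputerStatus
"Real-time protection enabled: $($status.RealTimeProtectionEnabled)"

# Assumption: Downloads is inside the syscheck scope configured for this lab
$path = Join-Path $env:USERPROFILE 'Downloads\eicar-test.txt'
[System.IO.File]::WriteAllBytes($path, [System.Text.Encoding]::ASCII.GetBytes($eicar))

if (Test-Path $path) {
    $sha256 = (Get-FileHash -Path $path -Algorithm SHA256).Hash.ToLower()
    $md5    = (Get-FileHash -Path $path -Algorithm MD5).Hash.ToLower()
    "SHA256 $sha256 (matches published value: $($sha256 -eq $knownSha256))"
    "MD5    $md5 (matches published value: $($md5 -eq $knownMd5))"
    "Look for this hash in Modules -> VirusTotal and in the agent's Security Events."
} else {
    'File was removed immediately: real-time protection is still on, so FIM/VirusTotal never saw it.'
}

# When the exercise is finished, turn real-time protection back on:
#   Set-MpPreference -DisableRealtimeMonitoring $false
```

If the hashes do not match the published values, the file was altered on write (for example by a trailing newline from a text editor), and VirusTotal will return a different or empty report for it.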