ossec / ossec-hids

OSSEC is an Open Source Host-based Intrusion Detection System that performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response.
http://www.ossec.net

Windows registry integrity #2053

Open EqBCA opened 2 years ago

EqBCA commented 2 years ago

Hi there,

I think this post will probably be yet another duplicate but I'll try my luck.

On a Windows 64bit OS, the OSSEC client does not analyze the correct registry keys and is redirected to another branch.

This problem seems to be linked to symbolic links present in the Windows registry; OSSEC shows me the right path without really analyzing it, and this redirection interferes with the desired result.

Ex:
Defined in file: HKLM/Software/Test
Analyzed by OSSEC: HKLM/Software/Wow6432/Test

I have not found for the moment any explanation on this behavior, nor how to solve it (this problem seems known).

After several attempts to analyze the problem and change the settings, it seems that the OSSEC application is encountering difficulties with the symbolic links or similar present in the Windows registry databases.

I have analyzed the existing documentation without finding any explanation or clue for this behavior.

Is this an unresolved malfunction, is there a solution or could this be due to a setting that I have not identified?

Thanks to all for support

sempervictus commented 2 years ago

Are you running 32-bit OSSEC on 64-bit Windows? What you're showing there isn't an OSSEC thing, it's a Windows registry access override to prevent 32-bit programs from reading 64-bit values (QWORDs) from the registry, since they can only deal with half of that value at a time.
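
As an added diagnostic (not code from OSSEC or from this thread), the following PowerShell reads the same subkey through the 64-bit and the 32-bit registry views so you can see whether a path configured in syscheck is silently answered from Wow6432Node. The subkey Software\Test is the example path from the report above, and Get-RegistryViewValues is a helper name chosen here.

```powershell
# Added diagnostic: compare what a 64-bit and a 32-bit process see for one HKLM subkey.
# Not part of OSSEC; the subkey name below is the example from the issue, not a real key.
param(
    [string]$SubKey = 'Software\Test'   # relative to HKEY_LOCAL_MACHINE (example value)
)

# Bitness of this PowerShell process; the same question decides what the agent sees.
$procBits = if ([Environment]::Is64BitProcess) { 64 } else { 32 }
$osBits   = if ([Environment]::Is64BitOperatingSystem) { 64 } else { 32 }
Write-Host ("This process is {0}-bit on a {1}-bit OS" -f $procBits, $osBits)

function Get-RegistryViewValues {
    # Opens HKLM in an explicit view (Registry64 = native, Registry32 = Wow6432Node
    # on a 64-bit OS) and returns the subkey's values, or $null if it does not exist.
    param(
        [string]$Path,
        [Microsoft.Win32.RegistryView]$View
    )
    $base = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
        [Microsoft.Win32.RegistryHive]::LocalMachine, $View)
    try {
        $key = $base.OpenSubKey($Path)
        if ($null -eq $key) { return $null }
        try {
            $values = @{}
            foreach ($name in $key.GetValueNames()) { $values[$name] = $key.GetValue($name) }
            return $values
        } finally { $key.Close() }
    } finally { $base.Close() }
}

$view64 = Get-RegistryViewValues -Path $SubKey -View ([Microsoft.Win32.RegistryView]::Registry64)
$view32 = Get-RegistryViewValues -Path $SubKey -View ([Microsoft.Win32.RegistryView]::Registry32)

Write-Host "64-bit view of HKLM\$SubKey :" ($(if ($null -eq $view64) { '<absent>' } else { $view64 | Out-String }))
Write-Host "32-bit view of HKLM\$SubKey :" ($(if ($null -eq $view32) { '<absent>' } else { $view32 | Out-String }))

# If the two views differ, a 32-bit agent configured with HKLM\$SubKey is reporting on
# the Wow6432Node copy, not on the native 64-bit key.
$same = ($null -ne $view64) -and ($null -ne $view32) -and
        ($view64.Count -eq $view32.Count) -and
        -not ($view64.Keys | Where-Object { "$($view64[$_])" -ne "$($view32[$_])" })
if ($same) { Write-Host 'Both views agree; redirection would not change the result.' }
else       { Write-Host 'Views differ: a 32-bit agent sees the Wow6432Node copy of this key.' }
```

Run it from the PowerShell that matches the agent's bitness (a 32-bit agent corresponds to the SysWOW64 PowerShell) to reproduce exactly what that agent reads by default.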

EqBCA commented 2 years ago

Thanks for your feedback,

Indeed, having access, it seems that it is a 32-bit version of the agent; it is this scenario that I encounter with a 64-bit Windows system. I have come to this conclusion but without official confirmation.

I see that this echoes another issue that addresses the same problem: https://github.com/ossec/ossec-hids/issues/301

This means that you need a 64-bit version of the agent (to be compiled or developed if possible), except I see that it is not planned for the moment.

If this issue is indeed a duplicate, I would refer to the first existing one.

Many greetings