Target version	Related issue	Related PR
4.4.0	https://github.com/wazuh/wazuh/issues/15327	https://github.com/wazuh/wazuh/pull/15404

Description

This problem aims to do a complete test both with a package that is signed (all its libraries and the wazuh binary itself) and one that is not.

Both should be functional, but with the characteristic that if the package is signed (dlls and executable), and one of its libraries is not, it causes the main wazuh process to stop.

Proposed checks

[x] Test correct functionality in all windows OS supported.
[x] Test feature if any dll not is signed.

Steps to reproduce

Install signed package.
echo 1 >> dbsync.dll
Start Wazuh

Expected results

That wazuh doesn't work if the package is signed and some module not signed is loaded.
That wazuh work if the package NOT is signed and some module not signed is loaded.

The main purpose of this is so that malicious code does not reside under the wazuh process.

Review data

Tester	PR commit
@fedepacher	https://github.com/wazuh/wazuh/pull/15404/commits/b5bcf3ec6f6edca7fe700dca207e0ec6f9bac2a0

Testing environment

OS	OS version	Deployment	Notes
Windows	XP	Vagrant box	dvgamerr/win-xp-sp3
Windows	Vista	Vagrant box	danimaetrix/windows-vista-sp2
Windows	7	Vagrant box	opensky/windows-7-professional-sp1-x64
Windows	8	Vagrant box	universalvishwa/windows-8-professional-x64
Windows	2003	ISO	Link
Windows	2008	Vagrant box	jborean93/WindowsServer2008-x86
Windows	2012	AWS-EC2	ami-03bca45832bdfb291
Windows	2016	AWS-EC2	ami-0ce166ca1b447f229
Windows	2019	AWS-EC2	ami-06371c9f2ad704460
Windows	2022	AWS-EC2	ami-047e29beecff33db0
Windows	10	Vagrant box	gusztavvargadr/windows-10
Windows	11	Vagrant box	gusztavvargadr/windows-11

Tested packages

`wazuh-manager`	`wazuh-agent`
deb	msi

Status

[x] In progress
[x] Pending Review
[ ] QA team manager approved (@jmv74211)
[x] DEV team leader approved (@Dwordcito)

Conclusion

OS version	Upgrade	Fresh install	Verify Signature `dbsync.dll` after Upgrad	Verify Signature `dbsync.dll` after Fresh install
XP	:red_circle:	:red_circle:	:black_circle:	:black_circle:
Vista	:red_circle:	:green_circle:	:red_circle:	:green_circle:
7	:red_circle:	:green_circle:	:red_circle:	:green_circle:
8	:red_circle:	:yellow_circle:	:red_circle:	:green_circle:
2003	:red_circle:	:red_circle:	:black_circle:	:black_circle:
2008	:red_circle:	:green_circle:	:red_circle:	:green_circle:
2012	:red_circle:	:yellow_circle:	:red_circle:	:green_circle:
2016	:red_circle:	:green_circle:	:red_circle:	:green_circle:
2019	:red_circle:	:yellow_circle:	:red_circle:	:green_circle:
2022	:red_circle:	:yellow_circle:	:red_circle:	:green_circle:
10	:red_circle:	:green_circle:	:red_circle:	:green_circle:
11	:red_circle:	:green_circle:	:red_circle:	:green_circle:

:black_circle: It could not verify the signature :red_circle: File not signed :green_circle: File signed

If the library dbsync.dll is not signed, after the upgrade to the fix package, the dbsync.dll still remains not signed.

Testing results :red_circle:

Windows XP :red_circle:

### Unfixed

Install unfixed signed/not signed package

1. Install `wazuh-agent v4.3.10` package 2. configure wazuh-agent ossec.conf file: ``` C:\Users\vagrant\Documents\test.txt syslog ``` 3. Insert log in monitored file `test.txt` ``` Dec 10 01:02:02 host sshd[1234]: Failed none for root from 192.168.56.15 port 1066 ssh2 ``` 4. Check `alerts.json` in wazuh-manager

alerts.json

``` {"timestamp":"2022-11-23T12:48:39.321+0000","rule":{"level":5,"description":"sshd: authentication failed.","id":"5716","mitre":{"id":["T1110"],"tactic":["Credential Access"],"technique":["Brute Force"]},"firedtimes":3,"mail":false,"groups":["syslog","sshd","authentication_failed"],"gdpr":["IV_35.7.d","IV_32.2"],"gpg13":["7.1"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"pci_dss":["10.2.4","10.2.5"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"003","name":"ris-64b91a2c1fc","ip":"169.254.63.150"},"manager":{"name":"ip-172-31-4-96"},"id":"1669207719.597249","full_log":"Dec 10 01:02:02 host sshd[1234]: Failed none for root from 192.168.56.15 port 1066 ssh2","predecoder":{"program_name":"sshd","timestamp":"Dec 10 01:02:02","hostname":"host"},"decoder":{"parent":"sshd","name":"sshd"},"data":{"srcip":"192.168.56.15","srcport":"1066","dstuser":"root"},"location":"\\Users\\vagrant\\Documents\\test.txt"} ```

5. Check `ossec.log` file for error, warning and critical logs No error, warning, or critical messages were found. 6. Modify DLL library ``` echo 1 >> dbsync.dll ``` 7. Start `wazuh-agent` and check `ossec.log` file for error, warning, and critical logs No error, warning, or critical messages were found. 8. Insert log in monitored file `test.txt` ``` Dec 10 01:02:02 host sshd[1234]: Failed none for root from 192.168.56.15 port 1066 ssh2 ``` 9. Check `alerts.json` in wazuh-manager

alerts.json

``` {"timestamp":"2022-11-23T12:51:35.053+0000","rule":{"level":5,"description":"sshd: authentication failed.","id":"5716","mitre":{"id":["T1110"],"tactic":["Credential Access"],"technique":["Brute Force"]},"firedtimes":4,"mail":false,"groups":["syslog","sshd","authentication_failed"],"gdpr":["IV_35.7.d","IV_32.2"],"gpg13":["7.1"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"pci_dss":["10.2.4","10.2.5"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"003","name":"ris-64b91a2c1fc","ip":"169.254.63.150"},"manager":{"name":"ip-172-31-4-96"},"id":"1669207895.598419","full_log":"Dec 10 01:02:02 host sshd[1234]: Failed none for root from 192.168.56.15 port 1066 ssh2","predecoder":{"program_name":"sshd","timestamp":"Dec 10 01:02:02","hostname":"host"},"decoder":{"parent":"sshd","name":"sshd"},"data":{"srcip":"192.168.56.15","srcport":"1066","dstuser":"root"},"location":"\\Users\\vagrant\\Documents\\test.txt"} ```

### Upgrade

Upgrade signed package :red_circle:

1. Upgrate to `wazuh-agent v4.4.0` package :green_circle: 2. Check `ossec.log` file for error, warning, and critical logs :red_circle: ``` 2022/11/23 13:03:08 wazuh-agent: ERROR: WinVerifyTrust returned 800B0109 GetLastError returned 800B0109 2022/11/23 13:03:08 wazuh-agent: CRITICAL: The file 'C:\Program Files\ossec-agent\wazuh-agent.exe' is not signed or its signature is invalid. ```

### Fresh install

Fresh install signed package:red_circle:

1. Install `wazuh-agent v4.4.0` package :green_circle: 2. Check `ossec.log` file for error, warning, and critical logs :red_circle: ``` 2022/11/23 13:03:08 wazuh-agent: ERROR: WinVerifyTrust returned 800B0109 GetLastError returned 800B0109 2022/11/23 13:03:08 wazuh-agent: CRITICAL: The file 'C:\Program Files\ossec-agent\wazuh-agent.exe' is not signed or its signature is invalid. ```

Windows Vista :red_circle:

### Unfixed

Install unfixed signed/not signed package

1. Install `wazuh-agent v4.3.10` package 2. configure wazuh-agent ossec.conf file: ``` C:\Users\vagrant\test.txt syslog ``` 3. Insert log in monitored file `test.txt` ``` Dec 10 01:02:02 host sshd[1234]: Failed none for root from 192.168.56.15 port 1066 ssh2 ``` 4. Check `alerts.json` in wazuh-manager

alerts.json

``` {"timestamp":"2022-11-23T19:51:33.159+0000","rule":{"level":5,"description":"sshd: authentication failed.","id":"5716","mitre":{"id":["T1110"],"tactic":["Credential Access"],"technique":["Brute Force"]},"firedtimes":6,"mail":false,"groups":["syslog","sshd","authentication_failed"],"gdpr":["IV_35.7.d","IV_32.2"],"gpg13":["7.1"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"pci_dss":["10.2.4","10.2.5"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"020","name":"danimaetrix-w7","ip":"10.0.2.15"},"manager":{"name":"ip-172-31-4-96"},"id":"1669233093.19000692","full_log":"Dec 10 01:02:02 host sshd[1234]: Failed none for root from 192.168.56.15 port 1066 ssh2","predecoder":{"program_name":"sshd","timestamp":"Dec 10 01:02:02","hostname":"host"},"decoder":{"parent":"sshd","name":"sshd"},"data":{"srcip":"192.168.56.15","srcport":"1066","dstuser":"root"},"location":"\\Users\\vagrant\\test.txt"} ```

5. Check `ossec.log` file for error, warning and critical logs No error, warning or critical messages were found. 6. Modify DLL library ``` echo 1 >> dbsync.dll ``` 7. Start `wazuh-agent` and check `ossec.log` file for error, warning and critical logs No error, warning or critical messages were found. 8. Insert log in monitored file `test.txt` ``` Dec 10 01:02:02 host sshd[1234]: Failed none for root from 192.168.56.15 port 1066 ssh2 ``` 9. Check `alerts.json` in wazuh-manager

alerts.json

``` {"timestamp":"2022-11-23T19:53:33.441+0000","rule":{"level":5,"description":"sshd: authentication failed.","id":"5716","mitre":{"id":["T1110"],"tactic":["Credential Access"],"technique":["Brute Force"]},"firedtimes":7,"mail":false,"groups":["syslog","sshd","authentication_failed"],"gdpr":["IV_35.7.d","IV_32.2"],"gpg13":["7.1"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"pci_dss":["10.2.4","10.2.5"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"020","name":"danimaetrix-w7","ip":"10.0.2.15"},"manager":{"name":"ip-172-31-4-96"},"id":"1669233213.19002165","full_log":"Dec 10 01:02:02 host sshd[1234]: Failed none for root from 192.168.56.15 port 1066 ssh2","predecoder":{"program_name":"sshd","timestamp":"Dec 10 01:02:02","hostname":"host"},"decoder":{"parent":"sshd","name":"sshd"},"data":{"srcip":"192.168.56.15","srcport":"1066","dstuser":"root"},"location":"\\Users\\vagrant\\test.txt"} ```

### Upgrade

Upgrade signed package :red_circle:

1. Upgrate to `wazuh-agent v4.4.0` package :green_circle: 2. Check `ossec.log` file for error, warning and critical logs :red_circle: ``` 2022/11/23 19:54:09 wazuh-agent: CRITICAL: The file 'C:\Program Files (x86)\ossec-agent\dbsync.dll' is not signed or its signature is invalid. ``` Agent has not started :green_circle:

### Fresh install

Fresh install signed package :green_circle:

1. Install `wazuh-agent v4.4.0` package :green_circle: 2. Insert log in monitored file `test.txt` :green_circle: ``` Dec 10 01:02:02 host sshd[1234]: Failed none for root from 192.168.56.15 port 1066 ssh2 ``` 3. Check `alerts.json` in wazuh-manager :green_circle:

alerts.json

``` {"timestamp":"2022-11-23T20:02:31.934+0000","rule":{"level":5,"description":"sshd: authentication failed.","id":"5716","mitre":{"id":["T1110"],"tactic":["Credential Access"],"technique":["Brute Force"]},"firedtimes":1,"mail":false,"groups":["syslog","sshd","authentication_failed"],"gdpr":["IV_35.7.d","IV_32.2"],"gpg13":["7.1"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"pci_dss":["10.2.4","10.2.5"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"021","name":"danimaetrix-w7","ip":"FE80:0000:0000:0000:A50D:8CAB:50D4:B3F2"},"manager":{"name":"ip-172-31-4-96"},"id":"1669233751.19007248","full_log":"Dec 10 01:02:02 host sshd[1234]: Failed none for root from 192.168.56.15 port 1066 ssh2","predecoder":{"program_name":"sshd","timestamp":"Dec 10 01:02:02","hostname":"host"},"decoder":{"parent":"sshd","name":"sshd"},"data":{"srcip":"192.168.56.15","srcport":"1066","dstuser":"root"},"location":"C:\\Users\\vagrant\\test.txt"} ```

4. Check `ossec.log` file for error, warning and critical logs :green_circle: ``` No error, warning or critical messages were found. ``` 5. Modify DLL library ``` echo 1 >> dbsync.dll ``` 6. Start `wazuh-agent` and check `ossec.log` file for error and warning logs :green_circle: ``` 2022/11/23 20:03:12 wazuh-agent: CRITICAL: The file 'C:\Program Files (x86)\ossec-agent\dbsync.dll' is not signed or its signature is invalid. ``` Agent has not started :green_circle:

Windows 7 :red_circle:

### Unfixed

Install unfixed signed/not signed package

alerts.json

``` {"timestamp":"2022-11-24T12:29:18.845+0000","rule":{"level":5,"description":"sshd: authentication failed.","id":"5716","mitre":{"id":["T1110"],"tactic":["Credential Access"],"technique":["Brute Force"]},"firedtimes":1,"mail":false,"groups":["syslog","sshd","authentication_failed"],"gdpr":["IV_35.7.d","IV_32.2"],"gpg13":["7.1"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"pci_dss":["10.2.4","10.2.5"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"001","name":"vagrant-pc","ip":"10.0.2.15"},"manager":{"name":"ip-172-31-10-130"},"id":"1669292958.590303","full_log":"Dec 10 01:02:02 host sshd[1234]: Failed none for root from 192.168.56.15 port 1066 ssh2","predecoder":{"program_name":"sshd","timestamp":"Dec 10 01:02:02","hostname":"host"},"decoder":{"parent":"sshd","name":"sshd"},"data":{"srcip":"192.168.56.15","srcport":"1066","dstuser":"root"},"location":"\\Users\\vagrant\\test.txt"} ```

alerts.json

``` {"timestamp":"2022-11-24T12:34:54.247+0000","rule":{"level":5,"description":"sshd: authentication failed.","id":"5716","mitre":{"id":["T1110"],"tactic":["Credential Access"],"technique":["Brute Force"]},"firedtimes":2,"mail":false,"groups":["syslog","sshd","authentication_failed"],"gdpr":["IV_35.7.d","IV_32.2"],"gpg13":["7.1"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"pci_dss":["10.2.4","10.2.5"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"001","name":"vagrant-pc","ip":"10.0.2.15"},"manager":{"name":"ip-172-31-10-130"},"id":"1669293294.591438","full_log":"Dec 10 01:02:02 host sshd[1234]: Failed none for root from 192.168.56.15 port 1066 ssh2","predecoder":{"program_name":"sshd","timestamp":"Dec 10 01:02:02","hostname":"host"},"decoder":{"parent":"sshd","name":"sshd"},"data":{"srcip":"192.168.56.15","srcport":"1066","dstuser":"root"},"location":"\\Users\\vagrant\\test.txt"} ```

### Upgrade

Upgrade signed package :red_circle:

1. Upgrate to `wazuh-agent v4.4.0` package :green_circle: 2. Check `ossec.log` file for error, warning and critical logs :red_circle: ``` 2022/11/24 04:36:22 wazuh-agent: CRITICAL: The file 'C:\Program Files (x86)\ossec-agent\dbsync.dll' is not signed or its signature is invalid. ``` Agent has not started :green_circle:

### Fresh install

Fresh install signed package :green_circle:

alerts.json

``` {"timestamp":"2022-11-24T12:48:08.217+0000","rule":{"level":5,"description":"sshd: authentication failed.","id":"5716","mitre":{"id":["T1110"],"tactic":["Credential Access"],"technique":["Brute Force"]},"firedtimes":3,"mail":false,"groups":["syslog","sshd","authentication_failed"],"gdpr":["IV_35.7.d","IV_32.2"],"gpg13":["7.1"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"pci_dss":["10.2.4","10.2.5"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"003","name":"vagrant-pc","ip":"FE80:0000:0000:0000:ED7B:3230:3E6B:022F"},"manager":{"name":"ip-172-31-10-130"},"id":"1669294088.628356","full_log":"Dec 10 01:02:02 host sshd[1234]: Failed none for root from 192.168.56.15 port 1066 ssh2","predecoder":{"program_name":"sshd","timestamp":"Dec 10 01:02:02","hostname":"host"},"decoder":{"parent":"sshd","name":"sshd"},"data":{"srcip":"192.168.56.15","srcport":"1066","dstuser":"root"},"location":"C:\\Users\\vagrant\\test.txt"} ```

4. Check `ossec.log` file for error, warning and critical logs :green_circle: ``` No error, warning or critical messages were found. ``` 5. Modify DLL library ``` echo 1 >> dbsync.dll ``` 6. Start `wazuh-agent` and check `ossec.log` file for error and warning logs :green_circle: ``` 2022/11/24 04:49:09 wazuh-agent: ERROR: WinVerifyTrust returned 80096010 GetLastError returned 80096010 2022/11/24 04:49:09 wazuh-agent: CRITICAL: The file 'C:\Program Files (x86)\ossec-agent\dbsync.dll' is not signed or its signature is invalid. ``` Agent has not started :green_circle:

Windows 8 :red_circle:

### Unfixed

Install unfixed signed/not signed package

alerts.json

``` {"timestamp":"2022-11-24T16:20:46.081+0000","rule":{"level":5,"description":"sshd: authentication failed.","id":"5716","mitre":{"id":["T1110"],"tactic":["Credential Access"],"technique":["Brute Force"]},"firedtimes":1,"mail":false,"groups":["syslog","sshd","authentication_failed"],"gdpr":["IV_35.7.d","IV_32.2"],"gpg13":["7.1"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"pci_dss":["10.2.4","10.2.5"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"011","name":"win-8-pro-x64","ip":"10.0.2.15"},"manager":{"name":"ip-172-31-10-130"},"id":"1669306846.11876544","full_log":"Dec 10 01:02:02 host sshd[1234]: Failed none for root from 192.168.56.15 port 1066 ssh2","predecoder":{"program_name":"sshd","timestamp":"Dec 10 01:02:02","hostname":"host"},"decoder":{"parent":"sshd","name":"sshd"},"data":{"srcip":"192.168.56.15","srcport":"1066","dstuser":"root"},"location":"\\Users\\vagrant\\test.txt"} ```

alerts.json

``` {"timestamp":"2022-11-24T16:24:05.107+0000","rule":{"level":5,"description":"sshd: authentication failed.","id":"5716","mitre":{"id":["T1110"],"tactic":["Credential Access"],"technique":["Brute Force"]},"firedtimes":2,"mail":false,"groups":["syslog","sshd","authentication_failed"],"gdpr":["IV_35.7.d","IV_32.2"],"gpg13":["7.1"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"pci_dss":["10.2.4","10.2.5"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"011","name":"win-8-pro-x64","ip":"10.0.2.15"},"manager":{"name":"ip-172-31-10-130"},"id":"1669307045.11882660","full_log":"Dec 10 01:02:02 host sshd[1234]: Failed none for root from 192.168.56.15 port 1066 ssh2","predecoder":{"program_name":"sshd","timestamp":"Dec 10 01:02:02","hostname":"host"},"decoder":{"parent":"sshd","name":"sshd"},"data":{"srcip":"192.168.56.15","srcport":"1066","dstuser":"root"},"location":"\\Users\\vagrant\\test.txt"} ```

### Upgrade

Upgrade signed package :red_circle:

1. Upgrate to `wazuh-agent v4.4.0` package :green_circle: 2. Insert log in monitored file `test.txt` :green_circle: ``` Dec 10 01:02:02 host sshd[1234]: Failed none for root from 192.168.56.15 port 1066 ssh2 ``` 3. Check `alerts.json` in wazuh-manager :green_circle:

alerts.json

``` {"timestamp":"2022-11-24T16:26:42.322+0000","rule":{"level":5,"description":"sshd: authentication failed.","id":"5716","mitre":{"id":["T1110"],"tactic":["Credential Access"],"technique":["Brute Force"]},"firedtimes":3,"mail":false,"groups":["syslog","sshd","authentication_failed"],"gdpr":["IV_35.7.d","IV_32.2"],"gpg13":["7.1"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"pci_dss":["10.2.4","10.2.5"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"011","name":"win-8-pro-x64","ip":"FE80:0000:0000:0000:258D:CC9C:F356:4E6E"},"manager":{"name":"ip-172-31-10-130"},"id":"1669307202.11900476","full_log":"Dec 10 01:02:02 host sshd[1234]: Failed none for root from 192.168.56.15 port 1066 ssh2","predecoder":{"program_name":"sshd","timestamp":"Dec 10 01:02:02","hostname":"host"},"decoder":{"parent":"sshd","name":"sshd"},"data":{"srcip":"192.168.56.15","srcport":"1066","dstuser":"root"},"location":"C:\\Users\\vagrant\\test.txt"} ```

4. Check `ossec.log` file for error, warning and critical logs :yellow_circle: ``` 2022/11/24 16:24:38 wazuh-modulesd:syscollector: ERROR: Can't load syscollector. ``` 5. Modify DLL library ``` echo 1 >> dbsync.dll ``` To do so, it was not necessary to stop the agent as in the others OS. 6. Start `wazuh-agent` and check `ossec.log` file for error, warning and critical logs :green_circle: ``` 2022/11/24 16:28:18 wazuh-agent: ERROR: WinVerifyTrust returned 800B0101 GetLastError returned 800B0101 ``` Agent has started :red_circle:

### Fresh install

Fresh install signed package :yellow_circle:

alerts.json

``` {"timestamp":"2022-11-24T16:45:06.399+0000","rule":{"level":5,"description":"sshd: authentication failed.","id":"5716","mitre":{"id":["T1110"],"tactic":["Credential Access"],"technique":["Brute Force"]},"firedtimes":4,"mail":false,"groups":["syslog","sshd","authentication_failed"],"gdpr":["IV_35.7.d","IV_32.2"],"gpg13":["7.1"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"pci_dss":["10.2.4","10.2.5"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"012","name":"win-8-pro-x64","ip":"FE80:0000:0000:0000:258D:CC9C:F356:4E6E"},"manager":{"name":"ip-172-31-10-130"},"id":"1669308306.11959433","full_log":"Dec 10 01:02:02 host sshd[1234]: Failed none for root from 192.168.56.15 port 1066 ssh2","predecoder":{"program_name":"sshd","timestamp":"Dec 10 01:02:02","hostname":"host"},"decoder":{"parent":"sshd","name":"sshd"},"data":{"srcip":"192.168.56.15","srcport":"1066","dstuser":"root"},"location":"C:\\Users\\vagrant\\test.txt"} ```

4. Check `ossec.log` file for error, warning and critical logs :yellow_circle: ``` 2022/11/24 16:33:12 wazuh-agent: ERROR: WinVerifyTrust returned 800B0101 GetLastError returned 800B0101 ``` 5. Modify DLL library ``` echo 1 >> dbsync.dll ``` 6. Start `wazuh-agent` and check `ossec.log` file for error and warning logs :green_circle: ``` 2022/11/24 16:45:57 wazuh-agent: ERROR: CryptCATAdminCalcHashFromFileHandle failed with error 2147942593 2022/11/24 16:45:57 wazuh-agent: CRITICAL: The file 'C:\Program Files (x86)\ossec-agent\dbsync.dll' is not signed or its signature is invalid. ``` Agent has not started :green_circle:

Windows 2003 :red_circle:

### Unfixed

Install unfixed signed/not signed package

alerts.json

``` {"timestamp":"2022-11-24T15:36:45.860+0000","rule":{"level":5,"description":"sshd: authentication failed.","id":"5716","mitre":{"id":["T1110"],"tactic":["Credential Access"],"technique":["Brute Force"]},"firedtimes":1,"mail":false,"groups":["syslog","sshd","authentication_failed"],"gdpr":["IV_35.7.d","IV_32.2"],"gpg13":["7.1"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"pci_dss":["10.2.4","10.2.5"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"009","name":"wazuh-15dd34c3c","ip":"10.0.2.15"},"manager":{"name":"ip-172-31-10-130"},"id":"1669304205.11766772","full_log":"Dec 10 01:02:02 host sshd[1234]: Failed none for root from 192.168.56.15 port 1066 ssh2","predecoder":{"program_name":"sshd","timestamp":"Dec 10 01:02:02","hostname":"host"},"decoder":{"parent":"sshd","name":"sshd"},"data":{"srcip":"192.168.56.15","srcport":"1066","dstuser":"root"},"location":"\\Users\\vagrant\\test.txt"} ```

5. Check `ossec.log` file for error, warning and critical logs ``` 2022/11/24 07:30:46 wazuh-agent: ERROR: GetSecurityInfo error = 0 2022/11/24 07:30:46 wazuh-agent: ERROR: GetSecurityInfo error = 183 ``` 6. Modify DLL library ``` echo 1 >> dbsync.dll ``` 7. Start `wazuh-agent` and check `ossec.log` file for error, warning and critical logs No error, warning or critical messages were found. 8. Insert log in monitored file `test.txt` ``` Dec 10 01:02:02 host sshd[1234]: Failed none for root from 192.168.56.15 port 1066 ssh2 ``` 9. Check `alerts.json` in wazuh-manager

alerts.json

``` {"timestamp":"2022-11-24T15:42:09.407+0000","rule":{"level":5,"description":"sshd: authentication failed.","id":"5716","mitre":{"id":["T1110"],"tactic":["Credential Access"],"technique":["Brute Force"]},"firedtimes":2,"mail":false,"groups":["syslog","sshd","authentication_failed"],"gdpr":["IV_35.7.d","IV_32.2"],"gpg13":["7.1"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"pci_dss":["10.2.4","10.2.5"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"009","name":"wazuh-15dd34c3c","ip":"10.0.2.15"},"manager":{"name":"ip-172-31-10-130"},"id":"1669304529.11768618","full_log":"Dec 10 01:02:02 host sshd[1234]: Failed none for root from 192.168.56.15 port 1066 ssh2","predecoder":{"program_name":"sshd","timestamp":"Dec 10 01:02:02","hostname":"host"},"decoder":{"parent":"sshd","name":"sshd"},"data":{"srcip":"192.168.56.15","srcport":"1066","dstuser":"root"},"location":"\\Users\\vagrant\\test.txt"} ```

### Upgrade

Upgrade signed package :red_circle:

1. Upgrate to `wazuh-agent v4.4.0` package :green_circle: 2. Check `ossec.log` file for error, warning and critical logs :red_circle: ``` 2022/11/24 07:43:20 wazuh-agent: ERROR: WinVerifyTrust returned 80096004 GetLastError returned 80096004 2022/11/24 07:43:20 wazuh-agent: CRITICAL: The file 'C:\Program Files (x86)\ossec-agent\wazuh-agent.exe' is not signed or its signature is invalid. ``` Agent has not started :green_circle:

### Fresh install

Fresh install signed package :red_circle:

1. Install `wazuh-agent v4.4.0` package :green_circle: 2. Check `ossec.log` file for error, warning and critical logs :red_circle: ``` 2022/11/24 07:53:45 wazuh-agent: ERROR: WinVerifyTrust returned 80096004 GetLastError returned 80096004 2022/11/24 07:53:45 wazuh-agent: CRITICAL: The file 'C:\Program Files (x86)\ossec-agent\wazuh-agent.exe' is not signed or its signature is invalid. ``` Agent has not started :red_circle:

Windows 2008 :red_circle:

### Unfixed

Install unfixed signed/not signed package

alerts.json

``` {"timestamp":"2022-11-18T18:21:39.193+0000","rule":{"level":5,"description":"sshd: authentication failed.","id":"5716","mitre":{"id":["T1110"],"tactic":["Credential Access"],"technique":["Brute Force"]},"firedtimes":1,"mail":false,"groups":["syslog","sshd","authentication_failed"],"gdpr":["IV_35.7.d","IV_32.2"],"gpg13":["7.1"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"pci_dss":["10.2.4","10.2.5"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"003","name":"VAGRANT-1ZLBA0X","ip":"10.0.2.15"},"manager":{"name":"ip-172-31-7-101"},"id":"1668795699.11767598","full_log":"Dec 10 01:02:02 host sshd[1234]: Failed none for root from 192.168.56.15 port 1066 ssh2","predecoder":{"program_name":"sshd","timestamp":"Dec 10 01:02:02","hostname":"host"},"decoder":{"parent":"sshd","name":"sshd"},"data":{"srcip":"192.168.56.15","srcport":"1066","dstuser":"root"},"location":"\\Users\\vagrant\\Documents\\test.txt"} ```

5. Check `ossec.log` file for error, warning, and critical logs No error, warning or critical messages were found. 6. Modify DLL library ``` echo 1 >> dbsync.dll ``` 7. Start `wazuh-agent` and check `ossec.log` file for error, warning, and critical logs No error, warning or critical messages were found. 8. Insert log in monitored file `test.txt` ``` Dec 10 01:02:02 host sshd[1234]: Failed none for root from 192.168.56.15 port 1066 ssh2 ``` 9. Check `alerts.json` in wazuh-manager

alerts.json

``` {"timestamp":"2022-11-18T18:42:27.215+0000","rule":{"level":5,"description":"sshd: authentication failed.","id":"5716","mitre":{"id":["T1110"],"tactic":["Credential Access"],"technique":["Brute Force"]},"firedtimes":2,"mail":false,"groups":["syslog","sshd","authentication_failed"],"gdpr":["IV_35.7.d","IV_32.2"],"gpg13":["7.1"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"pci_dss":["10.2.4","10.2.5"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"003","name":"VAGRANT-1ZLBA0X","ip":"10.0.2.15"},"manager":{"name":"ip-172-31-7-101"},"id":"1668796947.11768430","full_log":"Dec 10 01:02:02 host sshd[1234]: Failed none for root from 192.168.56.15 port 1066 ssh2","predecoder":{"program_name":"sshd","timestamp":"Dec 10 01:02:02","hostname":"host"},"decoder":{"parent":"sshd","name":"sshd"},"data":{"srcip":"192.168.56.15","srcport":"1066","dstuser":"root"},"location":"\\Users\\vagrant\\Documents\\test.txt"} ```

### Upgrade

Upgrade signed package :red_circle:

1. Upgrate to `wazuh-agent v4.4.0` package :green_circle: 2. Start `wazuh-agent` and check `ossec.log` file for error, warning and critical logs :red_circle: ``` 2022/11/23 11:51:23 wazuh-agent: CRITICAL: The file 'C:\Program Files\ossec-agent\dbsync.dll' is not signed or its signature is invalid. ``` Agent has not started :red_circle:

### Fresh install

Fresh install signed package:green_circle:

alerts.json

``` {"timestamp":"2022-11-23T11:48:50.236+0000","rule":{"level":5,"description":"sshd: authentication failed.","id":"5716","mitre":{"id":["T1110"],"tactic":["Credential Access"],"technique":["Brute Force"]},"firedtimes":1,"mail":false,"groups":["syslog","sshd","authentication_failed"],"gdpr":["IV_35.7.d","IV_32.2"],"gpg13":["7.1"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"pci_dss":["10.2.4","10.2.5"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"001","name":"VAGRANT-1ZLBA0X","ip":"FE80:0000:0000:0000:CCD9:D162:CA53:DEF9"},"manager":{"name":"ip-172-31-4-96"},"id":"1669204130.585344","full_log":"Dec 10 01:02:02 host sshd[1234]: Failed none for root from 192.168.56.15 port 1066 ssh2","predecoder":{"program_name":"sshd","timestamp":"Dec 10 01:02:02","hostname":"host"},"decoder":{"parent":"sshd","name":"sshd"},"data":{"srcip":"192.168.56.15","srcport":"1066","dstuser":"root"},"location":"C:\\Users\\vagrant\\Documents\\test.txt"} ```

4. Check `ossec.log` file for error, warning, and critical logs :green_circle: No error, warning or critical messages were found. 5. Modify DLL library ``` echo 1 >> dbsync.dll ``` 6. Start `wazuh-agent` and check `ossec.log` file for error and warning logs :green_circle: ``` 2022/11/23 11:51:23 wazuh-agent: CRITICAL: The file 'C:\Program Files\ossec-agent\dbsync.dll' is not signed or its signature is invalid. ``` Agent has not started :green_circle:

Windows 2012 :red_circle:

### Unfixed

Install unfixed signed/not signed package

1. Install `wazuh-agent v4.3.10` package 2. configure wazuh-agent ossec.conf file: ``` C:\Users\Administrator\test.txt syslog ``` 3. Insert log in monitored file `test.txt` ``` Dec 10 01:02:02 host sshd[1234]: Failed none for root from 192.168.56.15 port 1066 ssh2 ``` 4. Check `alerts.json` in wazuh-manager

alerts.json

``` {"timestamp":"2022-11-23T14:03:27.820+0000","rule":{"level":5,"description":"sshd: authentication failed.","id":"5716","mitre":{"id":["T1110"],"tactic":["Credential Access"],"technique":["Brute Force"]},"firedtimes":1,"mail":false,"groups":["syslog","sshd","authentication_failed"],"gdpr":["IV_35.7.d","IV_32.2"],"gpg13":["7.1"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"pci_dss":["10.2.4","10.2.5"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"006","name":"WIN-6APBH67I1UH","ip":"172.31.81.38"},"manager":{"name":"ip-172-31-4-96"},"id":"1669212207.1570633","full_log":"Dec 10 01:02:02 host sshd[1234]: Failed none for root from 192.168.56.15 port 1066 ssh2","predecoder":{"program_name":"sshd","timestamp":"Dec 10 01:02:02","hostname":"host"},"decoder":{"parent":"sshd","name":"sshd"},"data":{"srcip":"192.168.56.15","srcport":"1066","dstuser":"root"},"location":"\\Users\\Administrator\\test.txt"} ```

5. Check `ossec.log` file for error, warning, and critical logs No error, warning or critical messages were found. 6. Modify DLL library ``` echo 1 >> dbsync.dll ``` 7. Start `wazuh-agent` and check `ossec.log` file for error, warning and critical logs No error, warning or critical messages were found. 8. Insert log in monitored file `test.txt` ``` Dec 10 01:02:02 host sshd[1234]: Failed none for root from 192.168.56.15 port 1066 ssh2 ``` 9. Check `alerts.json` in wazuh-manager

alerts.json

``` {"timestamp":"2022-11-23T14:08:36.563+0000","rule":{"level":5,"description":"sshd: authentication failed.","id":"5716","mitre":{"id":["T1110"],"tactic":["Credential Access"],"technique":["Brute Force"]},"firedtimes":2,"mail":false,"groups":["syslog","sshd","authentication_failed"],"gdpr":["IV_35.7.d","IV_32.2"],"gpg13":["7.1"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"pci_dss":["10.2.4","10.2.5"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"006","name":"WIN-6APBH67I1UH","ip":"172.31.81.38"},"manager":{"name":"ip-172-31-4-96"},"id":"1669212516.1581007","full_log":"Dec 10 01:02:02 host sshd[1234]: Failed none for root from 192.168.56.15 port 1066 ssh2","predecoder":{"program_name":"sshd","timestamp":"Dec 10 01:02:02","hostname":"host"},"decoder":{"parent":"sshd","name":"sshd"},"data":{"srcip":"192.168.56.15","srcport":"1066","dstuser":"root"},"location":"\\Users\\Administrator\\test.txt"} ```

### Upgrade

Upgrade signed package :red_circle:

alerts.json

``` {"timestamp":"2022-11-23T15:08:12.699+0000","rule":{"level":5,"description":"sshd: authentication failed.","id":"5716","mitre":{"id":["T1110"],"tactic":["Credential Access"],"technique":["Brute Force"]},"firedtimes":3,"mail":false,"groups":["syslog","sshd","authentication_failed"],"gdpr":["IV_35.7.d","IV_32.2"],"gpg13":["7.1"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"pci_dss":["10.2.4","10.2.5"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"009","name":"WIN-6APBH67I1UH","ip":"FE80:0000:0000:0000:792A:C938:EC5E:427B"},"manager":{"name":"ip-172-31-4-96"},"id":"1669216092.7400646","full_log":"Dec 10 01:02:02 host sshd[1234]: Failed none for root from 192.168.56.15 port 1066 ssh2","predecoder":{"program_name":"sshd","timestamp":"Dec 10 01:02:02","hostname":"host"},"decoder":{"parent":"sshd","name":"sshd"},"data":{"srcip":"192.168.56.15","srcport":"1066","dstuser":"root"},"location":"C:\\Users\\Administrator\\test.txt"} ```

4. Check `ossec.log` file for error, warning, and critical logs :yellow_circle: ``` 2022/11/23 15:07:39 wazuh-modulesd:syscollector: ERROR: Can't load syscollector. 2022/11/23 15:07:39 wazuh-agent: ERROR: WinVerifyTrust returned 800B0101 GetLastError returned 800B0101 ``` 5. Modify DLL library ``` echo 1 >> dbsync.dll ``` 6. Start `wazuh-agent` and check `ossec.log` file for error, warning, and critical logs :red_circle: ``` No new error, warning, or critical log ``` Agent has started correctly :red_circle:

### Fresh install

Fresh install signed package:yellow_circle:

alerts.json

``` {"timestamp":"2022-11-23T14:26:49.259+0000","rule":{"level":5,"description":"sshd: authentication failed.","id":"5716","mitre":{"id":["T1110"],"tactic":["Credential Access"],"technique":["Brute Force"]},"firedtimes":4,"mail":false,"groups":["syslog","sshd","authentication_failed"],"gdpr":["IV_35.7.d","IV_32.2"],"gpg13":["7.1"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"pci_dss":["10.2.4","10.2.5"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"007","name":"WIN-6APBH67I1UH","ip":"FE80:0000:0000:0000:792A:C938:EC5E:427B"},"manager":{"name":"ip-172-31-4-96"},"id":"1669213609.3512650","full_log":"Dec 10 01:02:02 host sshd[1234]: Failed none for root from 192.168.56.15 port 1066 ssh2","predecoder":{"program_name":"sshd","timestamp":"Dec 10 01:02:02","hostname":"host"},"decoder":{"parent":"sshd","name":"sshd"},"data":{"srcip":"192.168.56.15","srcport":"1066","dstuser":"root"},"location":"C:\\Users\\Administrator\\test.txt"} ```

4. Check `ossec.log` file for error, warning, and critical logs :yellow_circle: ``` 2022/11/23 14:22:21 wazuh-agent: ERROR: WinVerifyTrust returned 800B0101 GetLastError returned 800B0101 ``` 5. Modify DLL library ``` echo 1 >> dbsync.dll ``` 6. Start `wazuh-agent` and check `ossec.log` file for error and warning logs :green_circle: ``` 2022/11/23 14:29:20 wazuh-agent: ERROR: CryptCATAdminCalcHashFromFileHandle failed with error 2147942593 2022/11/23 14:29:20 wazuh-agent: CRITICAL: The file 'C:\Program Files (x86)\ossec-agent\dbsync.dll' is not signed or its signature is invalid. ``` Agent has not started :green_circle:

Windows 2016 :red_circle:

### Unfixed

Install unfixed signed/not signed package

alerts.json

``` {"timestamp":"2022-11-23T17:16:46.515+0000","rule":{"level":5,"description":"sshd: authentication failed.","id":"5716","mitre":{"id":["T1110"],"tactic":["Credential Access"],"technique":["Brute Force"]},"firedtimes":1,"mail":false,"groups":["syslog","sshd","authentication_failed"],"gdpr":["IV_35.7.d","IV_32.2"],"gpg13":["7.1"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"pci_dss":["10.2.4","10.2.5"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"011","name":"EC2AMAZ-2BV3AJS","ip":"172.31.15.86"},"manager":{"name":"ip-172-31-4-96"},"id":"1669223806.9429203","full_log":"Dec 10 01:02:02 host sshd[1234]: Failed none for root from 192.168.56.15 port 1066 ssh2","predecoder":{"program_name":"sshd","timestamp":"Dec 10 01:02:02","hostname":"host"},"decoder":{"parent":"sshd","name":"sshd"},"data":{"srcip":"192.168.56.15","srcport":"1066","dstuser":"root"},"location":"\\Users\\Administrator\\test.txt"} ```

alerts.json

``` {"timestamp":"2022-11-23T17:19:19.609+0000","rule":{"level":5,"description":"sshd: authentication failed.","id":"5716","mitre":{"id":["T1110"],"tactic":["Credential Access"],"technique":["Brute Force"]},"firedtimes":2,"mail":false,"groups":["syslog","sshd","authentication_failed"],"gdpr":["IV_35.7.d","IV_32.2"],"gpg13":["7.1"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"pci_dss":["10.2.4","10.2.5"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"011","name":"EC2AMAZ-2BV3AJS","ip":"172.31.15.86"},"manager":{"name":"ip-172-31-4-96"},"id":"1669223959.9431798","full_log":"Dec 10 01:02:02 host sshd[1234]: Failed none for root from 192.168.56.15 port 1066 ssh2","predecoder":{"program_name":"sshd","timestamp":"Dec 10 01:02:02","hostname":"host"},"decoder":{"parent":"sshd","name":"sshd"},"data":{"srcip":"192.168.56.15","srcport":"1066","dstuser":"root"},"location":"\\Users\\Administrator\\test.txt"} ```

### Upgrade

Upgrade signed package :red_circle:

alerts.json

``` {"timestamp":"2022-11-23T17:29:12.765+0000","rule":{"level":5,"description":"sshd: authentication failed.","id":"5716","mitre":{"id":["T1110"],"tactic":["Credential Access"],"technique":["Brute Force"]},"firedtimes":1,"mail":false,"groups":["syslog","sshd","authentication_failed"],"gdpr":["IV_35.7.d","IV_32.2"],"gpg13":["7.1"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"pci_dss":["10.2.4","10.2.5"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"011","name":"EC2AMAZ-2BV3AJS","ip":"FE80:0000:0000:0000:45A8:9168:4642:BA4F"},"manager":{"name":"ip-172-31-4-96"},"id":"1669224552.10509840","full_log":"Dec 10 01:02:02 host sshd[1234]: Failed none for root from 192.168.56.15 port 1066 ssh2","predecoder":{"program_name":"sshd","timestamp":"Dec 10 01:02:02","hostname":"host"},"decoder":{"parent":"sshd","name":"sshd"},"data":{"srcip":"192.168.56.15","srcport":"1066","dstuser":"root"},"location":"C:\\Users\\Administrator\\test.txt"} ```

4. Check `ossec.log` file for error, warning and critical logs :yellow_circle: ``` 2022/11/23 17:23:45 wazuh-modulesd:syscollector: ERROR: Can't load syscollector. ``` 5. Modify DLL library ``` echo 1 >> dbsync.dll ``` 6. Start `wazuh-agent` and check `ossec.log` file for error, warning and critical logs :green_circle: ``` No new error, warning, or critical log ``` Agent has started :red_circle:

### Fresh install

Fresh install signed package :green_circle:

alerts.json

``` {"timestamp":"2022-11-23T17:38:33.608+0000","rule":{"level":5,"description":"sshd: authentication failed.","id":"5716","mitre":{"id":["T1110"],"tactic":["Credential Access"],"technique":["Brute Force"]},"firedtimes":2,"mail":false,"groups":["syslog","sshd","authentication_failed"],"gdpr":["IV_35.7.d","IV_32.2"],"gpg13":["7.1"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"pci_dss":["10.2.4","10.2.5"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"012","name":"EC2AMAZ-2BV3AJS","ip":"FE80:0000:0000:0000:45A8:9168:4642:BA4F"},"manager":{"name":"ip-172-31-4-96"},"id":"1669225113.11579369","full_log":"Dec 10 01:02:02 host sshd[1234]: Failed none for root from 192.168.56.15 port 1066 ssh2","predecoder":{"program_name":"sshd","timestamp":"Dec 10 01:02:02","hostname":"host"},"decoder":{"parent":"sshd","name":"sshd"},"data":{"srcip":"192.168.56.15","srcport":"1066","dstuser":"root"},"location":"C:\\Users\\Administrator\\test.txt"} ```

4. Check `ossec.log` file for error, warning and critical logs :green_circle: No error, warning or critical messages were found. 5. Modify DLL library ``` echo 1 >> dbsync.dll ``` 6. Start `wazuh-agent` and check `ossec.log` file for error and warning logs :green_circle: ``` 2022/11/23 17:39:46 wazuh-agent: ERROR: CryptCATAdminCalcHashFromFileHandle failed with error 2147942593 2022/11/23 17:39:46 wazuh-agent: CRITICAL: The file 'C:\Program Files (x86)\ossec-agent\dbsync.dll' is not signed or its signature is invalid. ``` Agent has not started :green_circle:

Windows 2019 :red_circle:

### Unfixed

Install unfixed signed/not signed package

alerts.json

``` {"timestamp":"2022-11-23T18:58:11.454+0000","rule":{"level":5,"description":"sshd: authentication failed.","id":"5716","mitre":{"id":["T1110"],"tactic":["Credential Access"],"technique":["Brute Force"]},"firedtimes":1,"mail":false,"groups":["syslog","sshd","authentication_failed"],"gdpr":["IV_35.7.d","IV_32.2"],"gpg13":["7.1"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"pci_dss":["10.2.4","10.2.5"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"016","name":"EC2AMAZ-CBT50V3","ip":"172.31.29.28"},"manager":{"name":"ip-172-31-4-96"},"id":"1669229891.12645739","full_log":"Dec 10 01:02:02 host sshd[1234]: Failed none for root from 192.168.56.15 port 1066 ssh2","predecoder":{"program_name":"sshd","timestamp":"Dec 10 01:02:02","hostname":"host"},"decoder":{"parent":"sshd","name":"sshd"},"data":{"srcip":"192.168.56.15","srcport":"1066","dstuser":"root"},"location":"\\Users\\Administrator\\test.txt"} ```

alerts.json

``` {"timestamp":"2022-11-23T19:00:00.485+0000","rule":{"level":5,"description":"sshd: authentication failed.","id":"5716","mitre":{"id":["T1110"],"tactic":["Credential Access"],"technique":["Brute Force"]},"firedtimes":2,"mail":false,"groups":["syslog","sshd","authentication_failed"],"gdpr":["IV_35.7.d","IV_32.2"],"gpg13":["7.1"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"pci_dss":["10.2.4","10.2.5"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"016","name":"EC2AMAZ-CBT50V3","ip":"172.31.29.28"},"manager":{"name":"ip-172-31-4-96"},"id":"1669230000.12646911","full_log":"Dec 10 01:02:02 host sshd[1234]: Failed none for root from 192.168.56.15 port 1066 ssh2","predecoder":{"program_name":"sshd","timestamp":"Dec 10 01:02:02","hostname":"host"},"decoder":{"parent":"sshd","name":"sshd"},"data":{"srcip":"192.168.56.15","srcport":"1066","dstuser":"root"},"location":"\\Users\\Administrator\\test.txt"} ```

### Upgrade

Upgrade signed package :red_circle:

alerts.json

``` {"timestamp":"2022-11-23T19:02:35.643+0000","rule":{"level":5,"description":"sshd: authentication failed.","id":"5716","mitre":{"id":["T1110"],"tactic":["Credential Access"],"technique":["Brute Force"]},"firedtimes":1,"mail":false,"groups":["syslog","sshd","authentication_failed"],"gdpr":["IV_35.7.d","IV_32.2"],"gpg13":["7.1"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"pci_dss":["10.2.4","10.2.5"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"016","name":"EC2AMAZ-CBT50V3","ip":"FE80:0000:0000:0000:1523:29A6:938D:ABA2"},"manager":{"name":"ip-172-31-4-96"},"id":"1669230155.13725933","full_log":"Dec 10 01:02:02 host sshd[1234]: Failed none for root from 192.168.56.15 port 1066 ssh2","predecoder":{"program_name":"sshd","timestamp":"Dec 10 01:02:02","hostname":"host"},"decoder":{"parent":"sshd","name":"sshd"},"data":{"srcip":"192.168.56.15","srcport":"1066","dstuser":"root"},"location":"C:\\Users\\Administrator\\test.txt"} ```

4. Check `ossec.log` file for error, warning and critical logs :yellow_circle: ``` 2022/11/23 19:00:33 wazuh-modulesd:syscollector: ERROR: Can't load syscollector. ``` 5. Modify DLL library ``` echo 1 >> dbsync.dll ``` 6. Start `wazuh-agent` and check `ossec.log` file for error, warning and critical logs :green_circle: ``` 2022/11/23 19:03:41 wazuh-agent: ERROR: WinVerifyTrust returned 800B0101 GetLastError returned 800B0101 ``` Agent has started :red_circle:

### Fresh install

Fresh install signed package :yellow_circle:

alerts.json

4. Check `ossec.log` file for error, warning and critical logs :yellow_circle: ``` 2022/11/23 19:07:28 wazuh-agent: ERROR: WinVerifyTrust returned 800B0101 GetLastError returned 800B0101 ``` 5. Modify DLL library ``` echo 1 >> dbsync.dll ``` 6. Start `wazuh-agent` and check `ossec.log` file for error and warning logs :green_circle: ``` 2022/11/23 19:11:32 wazuh-agent: ERROR: CryptCATAdminCalcHashFromFileHandle failed with error 2147942593 2022/11/23 19:11:32 wazuh-agent: CRITICAL: The file 'C:\Program Files (x86)\ossec-agent\dbsync.dll' is not signed or its signature is invalid. ``` Agent has not started :green_circle:

Windows 2022 :red_circle:

### Unfixed

Install unfixed signed/not signed package

alerts.json

``` {"timestamp":"2022-11-23T19:31:53.848+0000","rule":{"level":5,"description":"sshd: authentication failed.","id":"5716","mitre":{"id":["T1110"],"tactic":["Credential Access"],"technique":["Brute Force"]},"firedtimes":5,"mail":false,"groups":["syslog","sshd","authentication_failed"],"gdpr":["IV_35.7.d","IV_32.2"],"gpg13":["7.1"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"pci_dss":["10.2.4","10.2.5"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"019","name":"EC2AMAZ-N9OLJ1L","ip":"FE80:0000:0000:0000:88D0:2676:2043:19AC"},"manager":{"name":"ip-172-31-4-96"},"id":"1669231913.18988325","full_log":"Dec 10 01:02:02 host sshd[1234]: Failed none for root from 192.168.56.15 port 1066 ssh2","predecoder":{"program_name":"sshd","timestamp":"Dec 10 01:02:02","hostname":"host"},"decoder":{"parent":"sshd","name":"sshd"},"data":{"srcip":"192.168.56.15","srcport":"1066","dstuser":"root"},"location":"C:\\Users\\Administrator\\test.txt"} ```

alerts.json

``` {"timestamp":"2022-11-23T19:21:26.378+0000","rule":{"level":5,"description":"sshd: authentication failed.","id":"5716","mitre":{"id":["T1110"],"tactic":["Credential Access"],"technique":["Brute Force"]},"firedtimes":3,"mail":false,"groups":["syslog","sshd","authentication_failed"],"gdpr":["IV_35.7.d","IV_32.2"],"gpg13":["7.1"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"pci_dss":["10.2.4","10.2.5"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"018","name":"EC2AMAZ-N9OLJ1L","ip":"172.31.5.155"},"manager":{"name":"ip-172-31-4-96"},"id":"1669231286.16185622","full_log":"Dec 10 01:02:02 host sshd[1234]: Failed none for root from 192.168.56.15 port 1066 ssh2","predecoder":{"program_name":"sshd","timestamp":"Dec 10 01:02:02","hostname":"host"},"decoder":{"parent":"sshd","name":"sshd"},"data":{"srcip":"192.168.56.15","srcport":"1066","dstuser":"root"},"location":"\\Users\\Administrator\\test.txt"} ```

### Upgrade

Upgrade signed package :red_circle:

alerts.json

``` {"timestamp":"2022-11-23T19:24:23.301+0000","rule":{"level":5,"description":"sshd: authentication failed.","id":"5716","mitre":{"id":["T1110"],"tactic":["Credential Access"],"technique":["Brute Force"]},"firedtimes":4,"mail":false,"groups":["syslog","sshd","authentication_failed"],"gdpr":["IV_35.7.d","IV_32.2"],"gpg13":["7.1"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"pci_dss":["10.2.4","10.2.5"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"018","name":"EC2AMAZ-N9OLJ1L","ip":"FE80:0000:0000:0000:88D0:2676:2043:19AC"},"manager":{"name":"ip-172-31-4-96"},"id":"1669231463.17593130","full_log":"Dec 10 01:02:02 host sshd[1234]: Failed none for root from 192.168.56.15 port 1066 ssh2","predecoder":{"program_name":"sshd","timestamp":"Dec 10 01:02:02","hostname":"host"},"decoder":{"parent":"sshd","name":"sshd"},"data":{"srcip":"192.168.56.15","srcport":"1066","dstuser":"root"},"location":"C:\\Users\\Administrator\\test.txt"} ```

4. Check `ossec.log` file for error, warning and critical logs :yellow_circle: ``` 2022/11/23 19:21:59 wazuh-modulesd:syscollector: ERROR: Can't load syscollector. ``` 5. Modify DLL library ``` echo 1 >> dbsync.dll ``` 6. Start `wazuh-agent` and check `ossec.log` file for error, warning and critical logs :green_circle: ``` No error, warning, or critical messages were found. ``` Agent has started :red_circle:

### Fresh install

Fresh install signed package :yellow_circle:

alerts.json

4. Check `ossec.log` file for error, warning and critical logs :yellow_circle: ``` 2022/11/23 19:30:37 wazuh-agent: ERROR: WinVerifyTrust returned 800B0101 GetLastError returned 800B0101 ``` 5. Modify DLL library ``` echo 1 >> dbsync.dll ``` 6. Start `wazuh-agent` and check `ossec.log` file for error and warning logs :green_circle: ``` 2022/11/23 19:35:07 wazuh-agent: ERROR: CryptCATAdminCalcHashFromFileHandle failed with error 2147942593 2022/11/23 19:35:07 wazuh-agent: CRITICAL: The file 'C:\Program Files (x86)\ossec-agent\dbsync.dll' is not signed or its signature is invalid ``` Agent has not started :green_circle:

Windows 10 :red_circle:

### Unfixed

Install unfixed signed/not signed package

alerts.json

``` {"timestamp":"2022-11-24T13:07:26.148+0000","rule":{"level":5,"description":"sshd: authentication failed.","id":"5716","mitre":{"id":["T1110"],"tactic":["Credential Access"],"technique":["Brute Force"]},"firedtimes":1,"mail":false,"groups":["syslog","sshd","authentication_failed"],"gdpr":["IV_35.7.d","IV_32.2"],"gpg13":["7.1"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"pci_dss":["10.2.4","10.2.5"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"004","name":"DESKTOP-BPO8RRU","ip":"10.0.2.15"},"manager":{"name":"ip-172-31-10-130"},"id":"1669295246.2187030","full_log":"Dec 10 01:02:02 host sshd[1234]: Failed none for root from 192.168.56.15 port 1066 ssh2","predecoder":{"program_name":"sshd","timestamp":"Dec 10 01:02:02","hostname":"host"},"decoder":{"parent":"sshd","name":"sshd"},"data":{"srcip":"192.168.56.15","srcport":"1066","dstuser":"root"},"location":"\\Users\\vagrant\\test.txt"} ```

alerts.json

``` {"timestamp":"2022-11-24T13:09:46.269+0000","rule":{"level":5,"description":"sshd: authentication failed.","id":"5716","mitre":{"id":["T1110"],"tactic":["Credential Access"],"technique":["Brute Force"]},"firedtimes":2,"mail":false,"groups":["syslog","sshd","authentication_failed"],"gdpr":["IV_35.7.d","IV_32.2"],"gpg13":["7.1"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"pci_dss":["10.2.4","10.2.5"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"004","name":"DESKTOP-BPO8RRU","ip":"10.0.2.15"},"manager":{"name":"ip-172-31-10-130"},"id":"1669295386.2188193","full_log":"Dec 10 01:02:02 host sshd[1234]: Failed none for root from 192.168.56.15 port 1066 ssh2","predecoder":{"program_name":"sshd","timestamp":"Dec 10 01:02:02","hostname":"host"},"decoder":{"parent":"sshd","name":"sshd"},"data":{"srcip":"192.168.56.15","srcport":"1066","dstuser":"root"},"location":"\\Users\\vagrant\\test.txt"} ```

### Upgrade

Upgrade signed package :red_circle:

alerts.json

``` {"timestamp":"2022-11-24T13:12:37.144+0000","rule":{"level":5,"description":"sshd: authentication failed.","id":"5716","mitre":{"id":["T1110"],"tactic":["Credential Access"],"technique":["Brute Force"]},"firedtimes":3,"mail":false,"groups":["syslog","sshd","authentication_failed"],"gdpr":["IV_35.7.d","IV_32.2"],"gpg13":["7.1"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"pci_dss":["10.2.4","10.2.5"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"004","name":"DESKTOP-BPO8RRU","ip":"FE80:0000:0000:0000:55C6:185C:0C59:4588"},"manager":{"name":"ip-172-31-10-130"},"id":"1669295557.3749933","full_log":"Dec 10 01:02:02 host sshd[1234]: Failed none for root from 192.168.56.15 port 1066 ssh2","predecoder":{"program_name":"sshd","timestamp":"Dec 10 01:02:02","hostname":"host"},"decoder":{"parent":"sshd","name":"sshd"},"data":{"srcip":"192.168.56.15","srcport":"1066","dstuser":"root"},"location":"C:\\Users\\vagrant\\test.txt"} ```

4. Check `ossec.log` file for error, warning and critical logs :yellow_circle: ``` 2022/11/24 13:10:33 wazuh-modulesd:syscollector: ERROR: Can't load syscollector. ``` 5. Modify DLL library ``` echo 1 >> dbsync.dll ``` 6. Start `wazuh-agent` and check `ossec.log` file for error, warning and critical logs :green_circle: ``` No new error, warning, or critical log ``` Agent has started :red_circle:

### Fresh install

Fresh install signed package :green_circle:

alerts.json

``` {"timestamp":"2022-11-24T13:20:10.916+0000","rule":{"level":5,"description":"sshd: authentication failed.","id":"5716","mitre":{"id":["T1110"],"tactic":["Credential Access"],"technique":["Brute Force"]},"firedtimes":4,"mail":false,"groups":["syslog","sshd","authentication_failed"],"gdpr":["IV_35.7.d","IV_32.2"],"gpg13":["7.1"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"pci_dss":["10.2.4","10.2.5"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"005","name":"DESKTOP-BPO8RRU","ip":"FE80:0000:0000:0000:55C6:185C:0C59:4588"},"manager":{"name":"ip-172-31-10-130"},"id":"1669296010.5305701","full_log":"Dec 10 01:02:02 host sshd[1234]: Failed none for root from 192.168.56.15 port 1066 ssh2","predecoder":{"program_name":"sshd","timestamp":"Dec 10 01:02:02","hostname":"host"},"decoder":{"parent":"sshd","name":"sshd"},"data":{"srcip":"192.168.56.15","srcport":"1066","dstuser":"root"},"location":"C:\\Users\\vagrant\\test.txt"} ```

4. Check `ossec.log` file for error, warning and critical logs :green_circle: No error, warning or critical messages were found. 5. Modify DLL library ``` echo 1 >> dbsync.dll ``` 6. Start `wazuh-agent` and check `ossec.log` file for error and warning logs :green_circle: ``` 2022/11/24 13:21:11 wazuh-agent: ERROR: CryptCATAdminCalcHashFromFileHandle failed with error 2147942593 2022/11/24 13:21:11 wazuh-agent: CRITICAL: The file 'C:\Program Files (x86)\ossec-agent\dbsync.dll' is not signed or its signature is invalid. ``` Agent has not started :green_circle:

Windows 11 :red_circle:

### Unfixed

Install unfixed signed/not signed package

alerts.json

``` {"timestamp":"2022-11-24T14:17:37.713+0000","rule":{"level":5,"description":"sshd: authentication failed.","id":"5716","mitre":{"id":["T1110"],"tactic":["Credential Access"],"technique":["Brute Force"]},"firedtimes":1,"mail":false,"groups":["syslog","sshd","authentication_failed"],"gdpr":["IV_35.7.d","IV_32.2"],"gpg13":["7.1"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"pci_dss":["10.2.4","10.2.5"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"006","name":"DESKTOP-SKVSPAI","ip":"10.0.2.15"},"manager":{"name":"ip-172-31-10-130"},"id":"1669299457.6975265","full_log":"Dec 10 01:02:02 host sshd[1234]: Failed none for root from 192.168.56.15 port 1066 ssh2","predecoder":{"program_name":"sshd","timestamp":"Dec 10 01:02:02","hostname":"host"},"decoder":{"parent":"sshd","name":"sshd"},"data":{"srcip":"192.168.56.15","srcport":"1066","dstuser":"root"},"location":"\\Users\\vagrant\\test.txt"} ```

alerts.json

``` {"timestamp":"2022-11-24T14:28:52.945+0000","rule":{"level":5,"description":"sshd: authentication failed.","id":"5716","mitre":{"id":["T1110"],"tactic":["Credential Access"],"technique":["Brute Force"]},"firedtimes":2,"mail":false,"groups":["syslog","sshd","authentication_failed"],"gdpr":["IV_35.7.d","IV_32.2"],"gpg13":["7.1"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"pci_dss":["10.2.4","10.2.5"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"006","name":"DESKTOP-SKVSPAI","ip":"10.0.2.15"},"manager":{"name":"ip-172-31-10-130"},"id":"1669300132.7016440","full_log":"Dec 10 01:02:02 host sshd[1234]: Failed none for root from 192.168.56.15 port 1066 ssh2","predecoder":{"program_name":"sshd","timestamp":"Dec 10 01:02:02","hostname":"host"},"decoder":{"parent":"sshd","name":"sshd"},"data":{"srcip":"192.168.56.15","srcport":"1066","dstuser":"root"},"location":"\\Users\\vagrant\\test.txt"} ```

### Upgrade

Upgrade signed package :red_circle:

alerts.json

``` {"timestamp":"2022-11-24T14:37:30.135+0000","rule":{"level":5,"description":"sshd: authentication failed.","id":"5716","mitre":{"id":["T1110"],"tactic":["Credential Access"],"technique":["Brute Force"]},"firedtimes":3,"mail":false,"groups":["syslog","sshd","authentication_failed"],"gdpr":["IV_35.7.d","IV_32.2"],"gpg13":["7.1"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"pci_dss":["10.2.4","10.2.5"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"006","name":"DESKTOP-SKVSPAI","ip":"FE80:0000:0000:0000:4B3F:5D4F:17A6:1BD1"},"manager":{"name":"ip-172-31-10-130"},"id":"1669300650.8616314","full_log":"Dec 10 01:02:02 host sshd[1234]: Failed none for root from 192.168.56.15 port 1066 ssh2","predecoder":{"program_name":"sshd","timestamp":"Dec 10 01:02:02","hostname":"host"},"decoder":{"parent":"sshd","name":"sshd"},"data":{"srcip":"192.168.56.15","srcport":"1066","dstuser":"root"},"location":"C:\\Users\\vagrant\\test.txt"} ```

4. Check `ossec.log` file for error, warning and critical logs :yellow_circle: ``` 2022/11/24 14:33:19 wazuh-modulesd:syscollector: ERROR: Can't load syscollector. 2022/11/24 14:33:19 wazuh-agent: ERROR: WinVerifyTrust returned 800B0101 GetLastError returned 800B0101 ``` 5. Modify DLL library ``` echo 1 >> dbsync.dll ``` To do so, it was not necessary to stop the agent as in the others OS. 6. Start `wazuh-agent` and check `ossec.log` file for error, warning and critical logs :green_circle: ``` No new error, warning, or critical log ``` Agent has started :red_circle:

### Fresh install

Fresh install signed package :green_circle:

alerts.json

``` {"timestamp":"2022-11-24T14:45:55.492+0000","rule":{"level":5,"description":"sshd: authentication failed.","id":"5716","mitre":{"id":["T1110"],"tactic":["Credential Access"],"technique":["Brute Force"]},"firedtimes":4,"mail":false,"groups":["syslog","sshd","authentication_failed"],"gdpr":["IV_35.7.d","IV_32.2"],"gpg13":["7.1"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"pci_dss":["10.2.4","10.2.5"],"tsc":["CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"007","name":"DESKTOP-SKVSPAI","ip":"FE80:0000:0000:0000:4B3F:5D4F:17A6:1BD1"},"manager":{"name":"ip-172-31-10-130"},"id":"1669301155.10170401","full_log":"Dec 10 01:02:02 host sshd[1234]: Failed none for root from 192.168.56.15 port 1066 ssh2","predecoder":{"program_name":"sshd","timestamp":"Dec 10 01:02:02","hostname":"host"},"decoder":{"parent":"sshd","name":"sshd"},"data":{"srcip":"192.168.56.15","srcport":"1066","dstuser":"root"},"location":"C:\\Users\\vagrant\\test.txt"} ```

4. Check `ossec.log` file for error, warning and critical logs :green_circle: No error, warning or critical messages were found. 5. Modify DLL library ``` echo 1 >> dbsync.dll ``` 6. Start `wazuh-agent` and check `ossec.log` file for error and warning logs :green_circle: ``` 2022/11/24 14:46:59 wazuh-agent: ERROR: CryptCATAdminCalcHashFromFileHandle failed with error 2147942593 2022/11/24 14:46:59 wazuh-agent: CRITICAL: The file 'C:\Program Files (x86)\ossec-agent\dbsync.dll' is not signed or its signature is invalid. ``` Agent has not started :green_circle:

Note: In the upgrade tab, the :red_circle: means that the agent has not started because the dbsync.dll has not been replaced (still unsigned) or in some cases the agent started even though the dbsync.dll was modified.

Update - 24/11/2022

Perform proposed checks for WVista, W7, W2003, W8, W10 and W11

Hi @fedepacher !

Tough work here, kudos for that!

Result analisys

After checking the results, I have the next observations:

Can't load syscollector message is unexpected and should not happen. This might indicate some problem that could lead to other errors. Could you please validate that this error does not happen after breaking dbsync with the echo?
Stating has not started because the dbsync.dll has not been replaced (still unsigned) is quite critical. This conclusion is based on wazuh agent saying so, but we are trying to validate this feature and it can contain a bug. The right way to validate this is
- Checking the hash of the file dbsync.dll after/before upgrade
- Checking the signature existence of the file dbsync.dll after/before upgrade
By the other hand, please double-check that after a fresh installation every exe and dll were signed. This will be step 0 to guarantee the other tests will be taken into account.

Next validation during testing will be really helpful (on wazuh agent install dir and with powershell)

Check signature files

Get-AuthenticodeSignature *.dll
Get-AuthenticodeSignature *.exe

Check sha256 of files

Get-FileHash *.dll | Format-List
Get-FileHash *.exe | Format-List

Extra validations

I was not able to reproduce this case because the used MSI package was removed and could not execute its generation again. But using a signed v4.4 installer, I was able to

Upgrade from v4.3.10 to v4.4
- Files (dlls and exe) were updated (validated with hashes)
- Files that were signed are still signed
- Files that were not signed and were part of wazuh/wazuh#12752 (wazuh developed dlls), are now signed
- Files that were not signed and were part of changes of wazuh/wazuh#15404 (wazuh third-party dlls), are still not signed because this packages not contain such changes
Fresh install v4.4
- Exe files are signed
- wazuh/wazuh#12752 (wazuh developed dlls) are signed
- wazuh/wazuh#15404 (wazuh third-party dlls), are not signed because this packages not contain such changes

Based on what we have been discussing with @jnasselle, we will perform a new test to validate the feature.

The previous test steps were:

Install production package 4.3.10 (msi)
Break the dbsync.dll with an echo 1 >> dbsync.dll
Upgrade the package to 4.4
Check that the broken dll has not been replaced
Check agent status and log messages

For this case, we have noticed that when a dll file is modified, when the upgrade process is been carried out the modified files were not replaced by the new ones belonging to the new version.

As this seems to be a package bug the new test will be performed:

Install production package 4.3.10 (msi)
Upgrade the package to 4.4
Break the dbsync.dll with an echo 1 >> dbsync.dll
Check agent status and log messages

Note: The new test will break the dll after upgrading package.

New testing results :red_circle:

Windows XP :red_circle:

### Upgrade

Upgrade signed package :red_circle:

1. Before upgrading - Check DLL signature ``` Start → Programs → Accessories → System Tools → System Information → Tools menu → File Signature Verification Utility ``` ![Screenshot from 2022-11-25 16-03-49](https://user-images.githubusercontent.com/28990973/204044127-2eece982-084a-4230-becd-df51224d6d6a.png) 2. Upgrate from `wazuh-agent v4.3.10` to `wazuh-agent v4.4.0` package :red_circle: 3. Check `ossec.log` file for error, warning and critical logs :red_circle: ``` 2022/11/25 19:08:46 wazuh-agent: ERROR: WinVerifyTrust returned 800B010A GetLastError returned 800B010A 2022/11/25 19:08:46 wazuh-agent: CRITICAL: The file 'C:\Program Files\ossec-agent\wazuh-agent.exe' is not signed or its signature is invalid. ``` 4. Check DLL signature :red_circle: ![Screenshot from 2022-11-25 16-10-25](https://user-images.githubusercontent.com/28990973/204044193-323147f1-56dc-4d69-96f3-03a7629ae859.png) Agent has not started :red_circle:

### Fresh install

Fresh install signed package :red_circle:

1. Install `wazuh-agent v4.4.0` package :red_circle: 2. Check `ossec.log` file for error, warning and critical logs :red_circle: ``` 2022/11/25 19:15:37 wazuh-agent: ERROR: WinVerifyTrust returned 800B0109 GetLastError returned 800B0109 2022/11/25 19:15:38 wazuh-agent: CRITICAL: The file 'C:\Program Files\ossec-agent\wazuh-agent.exe' is not signed or its signature is invalid. ``` 3. Check DLL signature :red_circle: ![Screenshot from 2022-11-25 16-10-25](https://user-images.githubusercontent.com/28990973/204045829-0ffe822c-0974-4539-8d3a-151df96f3627.png) Agent has not started :red_circle:

Windows Vista :green_circle:
### Upgrade
Upgrade signed package :green_circle:
1. Before upgrading - Check DLL signature ``` Get-AuthenticodeSignature *.dll ``` ``` SignerCertificate Status Path ----------------- ------ ---- NotSigned dbsync.dll NotSigned libgcc_s_sjlj-1.dll NotSigned libwazuhext.dll NotSigned libwazuhshared.dll NotSigned libwinpthread-1.dll NotSigned rsync.dll NotSigned syscollector.dll NotSigned sysinfo.dll ``` - Check `dbsync.dll` hash ``` certutil.exe -hashfile .\dbsync.dll SHA256 ``` ``` SHA256 hash of file .\dbsync.dll: fa 1c 0f 6a 3e 71 c8 65 39 79 66 29 ea ec fc 79 84 5b bb 98 4c f1 5a c6 40 2c c6 70 ac b0 30 c2 ``` 2. Upgrate from `wazuh-agent v4.3.10` to `wazuh-agent v4.4.0` package :green_circle: 3. Check `ossec.log` file for error, warning and critical logs :green_circle: ``` No error, warning, nor critical were found. ``` 4. Check DLL signature :green_circle: ``` SignerCertificate Status Path ----------------- ------ ---- 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid dbsync.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libgcc_s_dw2-1.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libstdc++-6.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwazuhext.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwazuhshared.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwinpthread-1.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid rsync.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid syscollector.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid sysinfo.dll ``` 5. Check `dbsync.dll` hash :green_circle: ``` SHA256 hash of file .\dbsync.dll: 45 8d 5d 6e e7 8b 06 f9 99 0e 69 f0 3c c8 df e3 1d 67 12 ce 93 27 f3 6a c1 d6 04 77 62 95 05 ad ``` 6. Modify DLL library ``` echo 1 >> dbsync.dll ``` 7. Start `wazuh-agent` and check `ossec.log` file for error, warning and critical logs :green_circle: ``` 2022/11/25 13:28:21 wazuh-agent: CRITICAL: The file 'C:\Program Files (x86)\ossec-agent\dbsync.dll' is not signed or its signature is invalid. ``` Agent has not started :green_circle:
### Fresh install
Fresh install signed package :green_circle:
1. Install `wazuh-agent v4.4.0` package :green_circle: 2. Check `ossec.log` file for error, warning and critical logs :green_circle: ``` No error, warning, nor critical were found. ``` 3. Check DLL signature :green_circle: ``` SignerCertificate Status Path ----------------- ------ ---- 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid dbsync.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libgcc_s_dw2-1.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libstdc++-6.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwazuhext.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwazuhshared.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwinpthread-1.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid rsync.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid syscollector.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid sysinfo.dll ``` 4. Check `dbsync.dll` hash :green_circle: ``` SHA256 hash of file .\dbsync.dll: 45 8d 5d 6e e7 8b 06 f9 99 0e 69 f0 3c c8 df e3 1d 67 12 ce 93 27 f3 6a c1 d6 04 77 62 95 05 ad ``` 5. Modify DLL library ``` echo 1 >> dbsync.dll ``` 6. Start `wazuh-agent` and check `ossec.log` file for error, warning and critical logs :green_circle: ``` 2022/11/25 13:31:34 wazuh-agent: CRITICAL: The file 'C:\Program Files (x86)\ossec-agent\dbsync.dll' is not signed or its signature is invalid. ``` Agent has not started :green_circle:

Windows 8 :red_circle:
### Upgrade
Upgrade signed package :red_circle:
1. Before upgrading - Check DLL signature ``` Get-AuthenticodeSignature *.dll ``` ``` SignerCertificate Status Path ----------------- ------ ---- NotSigned dbsync.dll NotSigned libgcc_s_sjlj-1.dll NotSigned libwazuhext.dll NotSigned libwazuhshared.dll NotSigned libwinpthread-1.dll NotSigned rsync.dll NotSigned syscollector.dll NotSigned sysinfo.dll ``` - Check `dbsync.dll` hash ``` certutil.exe -hashfile .\dbsync.dll SHA256 ``` ``` SHA256 hash of file .\dbsync.dll: fa 1c 0f 6a 3e 71 c8 65 39 79 66 29 ea ec fc 79 84 5b bb 98 4c f1 5a c6 40 2c c6 70 ac b0 30 c2 ``` 2. Upgrate from `wazuh-agent v4.3.10` to `wazuh-agent v4.4.0` package :green_circle: 3. Check `ossec.log` file for error, warning and critical logs :red_circle: ``` 2022/11/25 17:50:25 wazuh-agent: ERROR: WinVerifyTrust returned 800B0101 GetLastError returned 800B0101 ``` 4. Check DLL signature :green_circle: ``` SignerCertificate Status Path ----------------- ------ ---- 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid dbsync.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libgcc_s_dw2-1.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libstdc++-6.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwazuhext.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwazuhshared.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwinpthread-1.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid rsync.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid syscollector.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid sysinfo.dll ``` 5. Check `dbsync.dll` hash :green_circle: ``` SHA256 hash of file .\dbsync.dll: 45 8d 5d 6e e7 8b 06 f9 99 0e 69 f0 3c c8 df e3 1d 67 12 ce 93 27 f3 6a c1 d6 04 77 62 95 05 ad ``` 6. Modify DLL library ``` echo 1 >> dbsync.dll ``` 7. Start `wazuh-agent` and check `ossec.log` file for error, warning and critical logs :green_circle: ``` 2022/11/25 17:53:28 wazuh-agent: ERROR: CryptCATAdminCalcHashFromFileHandle failed with error 2147942593 2022/11/25 17:53:28 wazuh-agent: CRITICAL: The file 'C:\Program Files (x86)\ossec-agent\dbsync.dll' is not signed or its signature is invalid. ``` Agent has not started :green_circle:
### Fresh install
Fresh install signed package :red_circle:
1. Install `wazuh-agent v4.4.0` package :green_circle: 2. Check `ossec.log` file for error, warning and critical logs :red_circle: ``` 2022/11/25 17:56:31 wazuh-agent: ERROR: WinVerifyTrust returned 800B0101 GetLastError returned 800B0101 ``` 3. Check DLL signature :green_circle: ``` SignerCertificate Status Path ----------------- ------ ---- 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid dbsync.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libgcc_s_dw2-1.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libstdc++-6.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwazuhext.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwazuhshared.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwinpthread-1.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid rsync.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid syscollector.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid sysinfo.dll ``` 4. Check `dbsync.dll` hash :green_circle: ``` SHA256 hash of file .\dbsync.dll: 45 8d 5d 6e e7 8b 06 f9 99 0e 69 f0 3c c8 df e3 1d 67 12 ce 93 27 f3 6a c1 d6 04 77 62 95 05 ad ``` 5. Modify DLL library ``` echo 1 >> dbsync.dll ``` 6. Start `wazuh-agent` and check `ossec.log` file for error, warning and critical logs :green_circle: ``` 2022/11/25 17:58:52 wazuh-agent: ERROR: CryptCATAdminCalcHashFromFileHandle failed with error 2147942593 2022/11/25 17:58:52 wazuh-agent: CRITICAL: The file 'C:\Program Files (x86)\ossec-agent\dbsync.dll' is not signed or its signature is invalid. ``` Agent has not started :green_circle:

Windows 10 :green_circle:
### Upgrade
Upgrade signed package :green_circle:
1. Before upgrading - Check DLL signature ``` Get-AuthenticodeSignature *.dll ``` ``` SignerCertificate Status Path ----------------- ------ ---- NotSigned dbsync.dll NotSigned libgcc_s_sjlj-1.dll NotSigned libwazuhext.dll NotSigned libwazuhshared.dll NotSigned libwinpthread-1.dll NotSigned rsync.dll NotSigned syscollector.dll NotSigned sysinfo.dll ``` - Check `dbsync.dll` hash ``` certutil.exe -hashfile .\dbsync.dll SHA256 ``` ``` SHA256 hash of file .\dbsync.dll: fa 1c 0f 6a 3e 71 c8 65 39 79 66 29 ea ec fc 79 84 5b bb 98 4c f1 5a c6 40 2c c6 70 ac b0 30 c2 ``` 2. Upgrate from `wazuh-agent v4.3.10` to `wazuh-agent v4.4.0` package :green_circle: 3. Check `ossec.log` file for error, warning and critical logs :green_circle: ``` No error, warning, nor critical were found. ``` 4. Check DLL signature :green_circle: ``` SignerCertificate Status Path ----------------- ------ ---- 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid dbsync.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libgcc_s_dw2-1.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libstdc++-6.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwazuhext.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwazuhshared.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwinpthread-1.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid rsync.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid syscollector.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid sysinfo.dll ``` 5. Check `dbsync.dll` hash :green_circle: ``` SHA256 hash of file .\dbsync.dll: 45 8d 5d 6e e7 8b 06 f9 99 0e 69 f0 3c c8 df e3 1d 67 12 ce 93 27 f3 6a c1 d6 04 77 62 95 05 ad ``` 6. Modify DLL library ``` echo 1 >> dbsync.dll ``` 7. Start `wazuh-agent` and check `ossec.log` file for error, warning and critical logs :green_circle: ``` 2022/11/25 18:42:21 wazuh-agent: ERROR: CryptCATAdminCalcHashFromFileHandle failed with error 2147942593 2022/11/25 18:42:21 wazuh-agent: CRITICAL: The file 'C:\Program Files (x86)\ossec-agent\dbsync.dll' is not signed or its signature is invalid. ``` Agent has not started :green_circle:
### Fresh install
Fresh install signed package :green_circle:
1. Install `wazuh-agent v4.4.0` package :green_circle: 2. Check `ossec.log` file for error, warning and critical logs :green_circle: ``` No error, warning, nor critical were found. ``` 3. Check DLL signature :green_circle: ``` SignerCertificate Status Path ----------------- ------ ---- 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid dbsync.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libgcc_s_dw2-1.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libstdc++-6.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwazuhext.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwazuhshared.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwinpthread-1.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid rsync.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid syscollector.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid sysinfo.dll ``` 4. Check `dbsync.dll` hash :green_circle: ``` SHA256 hash of file .\dbsync.dll: 45 8d 5d 6e e7 8b 06 f9 99 0e 69 f0 3c c8 df e3 1d 67 12 ce 93 27 f3 6a c1 d6 04 77 62 95 05 ad ``` 5. Modify DLL library ``` echo 1 >> dbsync.dll ``` 6. Start `wazuh-agent` and check `ossec.log` file for error, warning and critical logs :green_circle: ``` 2022/11/25 18:47:34 wazuh-agent: ERROR: CryptCATAdminCalcHashFromFileHandle failed with error 2147942593 2022/11/25 18:47:34 wazuh-agent: CRITICAL: The file 'C:\Program Files (x86)\ossec-agent\dbsync.dll' is not signed or its signature is invalid. ``` Agent has not started :green_circle:

Note: In this second set of tests, it has just tested some Windows OS in order to verify that the feature works. As the feature failed It has decided to stop the manual testing and review the fix.

After the latest tests performed in https://github.com/wazuh/wazuh-qa/issues/3612#issuecomment-1327756942, it has been found that the new changes break Windows XP and that for example in Windows 8 the following error message is displayed:

wazuh-agent: ERROR: WinVerifyTrust returned 800B0101 GetLastError returned 800B0101

Note: No progress has been made with testing of other OS's, because bugs have been reported and have to be fixed first.

This has been reported and the development team is trying to come up with a new partial approach to avoid these problems. Until such resolution, this issue remains blocked.

Review data

Tester	PR commit
@BelenValdivia	https://github.com/wazuh/wazuh/pull/15404/commits/bf4c69897083b90db4ebcfbcb84a3a2a42bafffb

Testing environment

OS	OS version	Deployment	Notes
Windows	XP	Vagrant box	dvgamerr/win-xp-sp3
Windows	Vista	Vagrant box	danimaetrix/windows-vista-sp2
Windows	7	Vagrant box	opensky/windows-7-professional-sp1-x64
Windows	8	Vagrant box	universalvishwa/windows-8-professional-x64
Windows	2003	ISO	Link
Windows	2008	Vagrant box	charris/windows-2008-r2-x64
Windows	2012	AWS EC-2	ami-0a7732d66244fa923
Windows	2016	AWS EC-2	ami-0ce166ca1b447f229
Windows	2019	AWS EC-2	ami-0c4af4610ab22c4f4
Windows	2022	AWS EC-2	ami-047e29beecff33db0
Windows	10	ISO
Windows	11	Vagrant box	gusztavvargadr/windows-11

Tested packages

`wazuh-manager`	`wazuh-agent`
rpm	msi-flag1 msi-flag2

Status

[x] In progress
[x] Pending Review
[x] QA team manager approved (@damarisg )
[x] DEV team leader approved (@Dwordcito)

Conclusion

The proposed tests were carried out successfully, both in packages with the flag IMAGE_TRUST_CHECK flag=1 and IMAGE_TRUST_CHECK flag=2.

Enhacement found for Windows XP and Windows Server 2003 The signature validation log should show the certificate name - Already solved and tested

OS version	Upgrade	Fresh install	Verify Signature `dbsync.dll` after Upgrade	Verify Signature `dbsync.dll` after Fresh install
XP	🟢	🟢	⚫	⚫
Vista	🟢	🟢	🟢	🟢
7	🟢	🟢	🟢	🟢
8	🟢	🟢	🟢	🟢
2003	🟢	🟢	⚫	⚫
2008	🟢	🟢	🟢	🟢
2012	🟢	🟢	🟢	🟢
2016	🟢	🟢	🟢	🟢
2019	🟢	🟢	🟢	🟢
2022	🟢	🟢	🟢	🟢
10	🟢	🟢	🟢	🟢
11	🟢	🟢	🟢	🟢

:black_circle: It could not verify the signature :green_circle: File signed

Testing results

Package with IMAGE_TRUST_CHECK=1

Windows XP 🔴

### Upgrade

Upgrade from 4.3.10 to core-branch signed package

### Fresh install

Fresh install core-branch package

1. Install `wazuh-agent v4.4.0` package 🟢 2. Check `ossec.log` file for the warning logs 🔴 ![image](https://user-images.githubusercontent.com/26927338/210352746-57988ddc-f248-4d6c-8881-da2e546b40f5.png) **The log should show the certificate name** 3. Check DLL signature 🟢 ![image](https://user-images.githubusercontent.com/26927338/210353426-5262f48f-52b8-42a5-b616-e135eff88782.png) The agent has started correctly

Windows Vista 🟢
### Upgrade
Upgrade from 4.3.10 to core-branch signed package
1. Before upgrading - Check DLL signature 🟢 ``` Get-AuthenticodeSignature *.dll ``` ``` SignerCertificate Status Path ----------------- ------ ---- NotSigned dbsync.dll NotSigned libgcc_s_sjlj-1.dll NotSigned libwazuhext.dll NotSigned libwazuhshared.dll NotSigned libwinpthread-1.dll NotSigned rsync.dll NotSigned syscollector.dll NotSigned sysinfo.dll ``` - Check `dbsync.dll` hash 🟢 ``` certutil.exe -hashfile .\dbsync.dll ``` ``` SHA-1 hash of file .\dbsync.dll: 4c 37 79 3f d4 8f 0a 74 46 5d a7 5a 8f 9b eb fd 9a 3c 97 a4 ``` 2. Upgrade from `wazuh-agent v4.3.10` to `wazuh-agent v4.4.0` package :green_circle: 3. Check `ossec.log` file for error, warning and critical logs :green_circle: ``` No error, warning, nor critical were found. Agent still running. ``` 4. Check DLL signature :green_circle: ``` SignerCertificate Status Path ----------------- ------ ---- 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid dbsync.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libgcc_s_dw2-1.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libstdc++-6.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwazuhext.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwazuhshared.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwinpthread-1.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid rsync.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid syscollector.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid sysinfo.dll ``` 5. Check `dbsync.dll` hash :green_circle: ``` SHA-1 hash of file .\dbsync.dll: a7 fd 9a fa 59 9a 47 6e 3a 08 2b aa 07 00 07 a3 45 a7 6c 3a ``` 6. Stop `wazuh-agent` and modify DLL library ``` echo 1 >> dbsync.dll ``` 7. Start `wazuh-agent` and check `ossec.log` file the warning log ``` 2023/01/03 07:24:20 wazuh-agent: INFO: Trust verification of a module failed by using the signature method. No signature found for 'C:\Program Files (x86)\ossec-agent\dbsync.dll'. 2023/01/03 07:24:20 wazuh-agent: INFO: Trust verification of a module failed by using the hash method. CryptCATAdminCalcHashFromFileHandle failed trying to get the hash size with error 2147942593 for 'C:\Program Files (x86)\ossec-agent\dbsync.dll': %1 is not a valid Win32 application. 2023/01/03 07:24:20 wazuh-agent: WARNING: The file 'C:\Program Files (x86)\ossec-agent\dbsync.dll' is not signed or its signature is invalid. ``` Agent started 🟢
### Fresh install
Fresh install core-branch signed package
1. Install `wazuh-agent v4.4.0` package :green_circle: 2. Check `ossec.log` file for error, warning and critical logs :green_circle: ``` No error, warning, nor critical were found. ``` 3. Check DLL signature :green_circle: ``` SignerCertificate Status Path ----------------- ------ ---- 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid dbsync.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libgcc_s_dw2-1.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libstdc++-6.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwazuhext.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwazuhshared.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwinpthread-1.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid rsync.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid syscollector.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid sysinfo.dll ``` 4. Check `dbsync.dll` hash :green_circle: ``` SHA-1 hash of file .\dbsync.dll: a7 fd 9a fa 59 9a 47 6e 3a 08 2b aa 07 00 07 a3 45 a7 6c 3a ``` 5. Modify DLL library ``` echo 1 >> dbsync.dll ``` 6. Start `wazuh-agent` and check `ossec.log` file for the warning log ``` 2023/01/03 08:19:43 wazuh-agent: INFO: Trust verification of a module failed by using the signature method. No signature found for 'C:\Program Files (x86)\ossec-agent\dbsync.dll'. 2023/01/03 08:19:43 wazuh-agent: INFO: Trust verification of a module failed by using the hash method. CryptCATAdminCalcHashFromFileHandle failed trying to get the hash size with error 2147942593 for 'C:\Program Files (x86)\ossec-agent\dbsync.dll': %1 is not a valid Win32 application. 2023/01/03 08:19:43 wazuh-agent: WARNING: The file 'C:\Program Files (x86)\ossec-agent\dbsync.dll' is not signed or its signature is invalid. ``` Agent started :green_circle:

Windows 7 🟢
### Upgrade
Upgrade from 4.3.10 to core-branch signed package
1. Before upgrading - Check DLL signature 🟢 ``` Get-AuthenticodeSignature *.dll ``` ``` SignerCertificate Status Path ----------------- ------ ---- NotSigned dbsync.dll NotSigned libgcc_s_sjlj-1.dll NotSigned libwazuhext.dll NotSigned libwazuhshared.dll NotSigned libwinpthread-1.dll NotSigned rsync.dll NotSigned syscollector.dll NotSigned sysinfo.dll ``` - Check `dbsync.dll` hash 🟢 ``` certutil.exe -hashfile .\dbsync.dll ``` ``` SHA-1 hash of file .\dbsync.dll: 4c 37 79 3f d4 8f 0a 74 46 5d a7 5a 8f 9b eb fd 9a 3c 97 a4 ``` 2. Upgrade from `wazuh-agent v4.3.10` to `wazuh-agent v4.4.0` package :green_circle: 3. Check `ossec.log` file for error, warning and critical logs :green_circle: ``` No error, warning, nor critical were found. Agent still running. ``` 4. Check DLL signature :green_circle: ``` SignerCertificate Status Path ----------------- ------ ---- 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid dbsync.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libgcc_s_dw2-1.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libstdc++-6.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwazuhext.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwazuhshared.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwinpthread-1.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid rsync.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid syscollector.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid sysinfo.dll ``` 5. Check `dbsync.dll` hash :green_circle: ``` SHA-1 hash of file .\dbsync.dll: a7 fd 9a fa 59 9a 47 6e 3a 08 2b aa 07 00 07 a3 45 a7 6c 3a ``` 6. Stop `wazuh-agent` and modify DLL library ``` echo 1 >> dbsync.dll ``` 7. Start `wazuh-agent` and check `ossec.log` file the warning log ``` 2023/01/03 19:33:41 wazuh-agent: INFO: Trust verification of a module failed by using the signature method. The file 'C:\Program Files (x86)\ossec-agent\dbsync.dll' or its signature is corrupt. 2023/01/03 19:33:41 wazuh-agent: INFO: Trust verification of a module failed by using the hash method. CryptCATAdminEnumCatalogFromHash failed with error 1168 for 'C:\Program Files (x86)\ossec-agent\dbsync.dll': Element not found. 2023/01/03 19:33:41 wazuh-agent: WARNING: The file 'C:\Program Files (x86)\ossec-agent\dbsync.dll' is not signed or its signature is invalid. ``` Agent started 🟢
### Fresh install
Fresh install core-branch signed package
1. Install `wazuh-agent v4.4.0` package :green_circle: 2. Check `ossec.log` file for error, warning and critical logs :green_circle: ``` No error, warning, nor critical were found. ``` 3. Check DLL signature :green_circle: ``` SignerCertificate Status Path ----------------- ------ ---- 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid dbsync.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libgcc_s_dw2-1.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libstdc++-6.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwazuhext.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwazuhshared.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwinpthread-1.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid rsync.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid syscollector.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid sysinfo.dll ``` 4. Check `dbsync.dll` hash :green_circle: ``` SHA-1 hash of file .\dbsync.dll: a7 fd 9a fa 59 9a 47 6e 3a 08 2b aa 07 00 07 a3 45 a7 6c 3a ``` 5. Modify DLL library ``` echo 1 >> dbsync.dll ``` 6. Start `wazuh-agent` and check `ossec.log` file for the warning log ``` 2023/01/03 19:42:55 wazuh-agent: INFO: Trust verification of a module failed by using the signature method. The file 'C:\Program Files (x86)\ossec-agent\dbsync.dll' or its signature is corrupt. 2023/01/03 19:42:55 wazuh-agent: INFO: Trust verification of a module failed by using the hash method. CryptCATAdminEnumCatalogFromHash failed with error 1168 for 'C:\Program Files (x86)\ossec-agent\dbsync.dll': Element not found. 2023/01/03 19:42:55 wazuh-agent: WARNING: The file 'C:\Program Files (x86)\ossec-agent\dbsync.dll' is not signed or its signature is invalid. ``` Agent started :green_circle:

Windows 2003 🔴
### Upgrade
Upgrade from 4.3.10 to core-branch signed package
1. Before upgrading - Check DLL signature 🟢 ``` Start → Programs → Accessories → System Tools → System Information → Tools menu → File Signature Verification Utility ``` ![image](https://user-images.githubusercontent.com/26927338/210549767-e4cb8e02-c92e-4c7a-af26-2004f685f032.png) 2. Upgrade from `wazuh-agent v4.3.10` to `wazuh-agent v4.4.0` package 🟢 3. Check `ossec.log` file for warning logs 🔴 ![image](https://user-images.githubusercontent.com/26927338/210551745-e2eb86c7-4a3a-4767-9a1f-151b5f83d047.png) **The log should show the name of the certificate** 4. Check DLL signature 🟢 ![image](https://user-images.githubusercontent.com/26927338/210551876-7e512c1b-d9c2-43b6-9199-e44065532164.png) Agent still running
### Fresh install
Fresh install core-branch package
1. Install `wazuh-agent v4.4.0` package 🟢 2. Check `ossec.log` file for the warning logs 🔴 ![image](https://user-images.githubusercontent.com/26927338/210553831-41bcb2f7-4dee-4a8c-a17b-291444c59402.png) **The log should show the name of the certificate** 3. Check DLL signature 🟢 ![image](https://user-images.githubusercontent.com/26927338/210554884-0bf979a1-e194-4ec0-9cc5-693d25f6a9f1.png) The agent has started correctly 🟢 4. Install the certificate DigiCert High Assurance EV Root CA (https://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt): 5. Start the agent 🔴

Windows 8 🟢
### Upgrade
Upgrade from 4.3.10 to core-branch signed package
1. Before upgrading - Check DLL signature ``` Get-AuthenticodeSignature *.dll ``` ``` SignerCertificate Status Path ----------------- ------ ---- NotSigned dbsync.dll NotSigned libgcc_s_sjlj-1.dll NotSigned libwazuhext.dll NotSigned libwazuhshared.dll NotSigned libwinpthread-1.dll NotSigned rsync.dll NotSigned syscollector.dll NotSigned sysinfo.dll ``` - Check `dbsync.dll` hash ``` certutil.exe -hashfile .\dbsync.dll ``` ``` SHA-1 hash of file .\dbsync.dll: 4c 37 79 3f d4 8f 0a 74 46 5d a7 5a 8f 9b eb fd 9a 3c 97 a4 SHA256 hash of file .\dbsync.dll: fa 1c 0f 6a 3e 71 c8 65 39 79 66 29 ea ec fc 79 84 5b bb 98 4c f1 5a c6 40 2c c6 70 ac b0 30 c2 ``` 2. Upgrade from `wazuh-agent v4.3.10` to `wazuh-agent v4.4.0` package :green_circle: 3. Check `ossec.log` file for error, warning and critical logs :green_circle: ``` No error, warning, nor critical were found. Agent still running. ``` 4. Check DLL signature :green_circle: ``` SignerCertificate Status Path ----------------- ------ ---- 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid dbsync.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libgcc_s_dw2-1.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libstdc++-6.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwazuhext.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwazuhshared.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwinpthread-1.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid rsync.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid syscollector.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid sysinfo.dll ``` 5. Check `dbsync.dll` hash :green_circle: ``` SHA-1 hash of file .\dbsync.dll: a7 fd 9a fa 59 9a 47 6e 3a 08 2b aa 07 00 07 a3 45 a7 6c 3a SHA256 hash of file .\dbsync.dll: 5f b8 d9 c2 bf 33 5d db 6b ff 97 45 69 43 61 7a a6 fa 07 b5 0d 1e e7 c4 e7 c6 66 54 a7 b0 59 bd ``` 6. Stop `wazuh-agent` and modify DLL library ``` echo 1 >> dbsync.dll ``` 7. Start `wazuh-agent` and check `ossec.log` file the warning log ``` 2023/01/04 14:47:12 wazuh-agent: INFO: Trust verification of a module failed by using the signature method. No signature found for 'C:\Program Files (x86)\ossec-agent\dbsync.dll'. 2023/01/04 14:47:13 wazuh-agent: WARNING: The file 'C:\Program Files (x86)\ossec-agent\dbsync.dll' is not signed or its signature is invalid. ``` Agent started 🟢
### Fresh install
Fresh install core-branch signed package
1. Install `wazuh-agent v4.4.0` package :green_circle: 2. Check `ossec.log` file for error, warning and critical logs :green_circle: ``` No error, warning, nor critical were found. ``` 3. Check DLL signature :green_circle: ``` SignerCertificate Status Path ----------------- ------ ---- 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid dbsync.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libgcc_s_dw2-1.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libstdc++-6.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwazuhext.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwazuhshared.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwinpthread-1.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid rsync.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid syscollector.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid sysinfo.dll ``` 4. Check `dbsync.dll` hash :green_circle: ``` SHA-1 hash of file .\dbsync.dll: a7 fd 9a fa 59 9a 47 6e 3a 08 2b aa 07 00 07 a3 45 a7 6c 3a SHA256 hash of file .\dbsync.dll: 5f b8 d9 c2 bf 33 5d db 6b ff 97 45 69 43 61 7a a6 fa 07 b5 0d 1e e7 c4 e7 c6 66 54 a7 b0 59 bd ``` 5. Modify DLL library ``` echo 1 >> dbsync.dll ``` 6. Start `wazuh-agent` and check `ossec.log` file for the warning log ``` 2023/01/04 15:03:21 wazuh-agent: INFO: Trust verification of a module failed by using the signature method. No signature found for 'C:\Program Files (x86)\ossec-agent\dbsync.dll'. 2023/01/04 15:03:21 wazuh-agent: WARNING: The file 'C:\Program Files (x86)\ossec-agent\dbsync.dll' is not signed or its signature is invalid. ``` Agent started :green_circle:

Windows 10 🟢
### Upgrade
Upgrade from 4.3.10 to core-branch signed package
1. Before upgrading - Check DLL signature ``` Get-AuthenticodeSignature *.dll ``` ``` SignerCertificate Status Path ----------------- ------ ---- NotSigned dbsync.dll NotSigned libgcc_s_sjlj-1.dll NotSigned libwazuhext.dll NotSigned libwazuhshared.dll NotSigned libwinpthread-1.dll NotSigned rsync.dll NotSigned syscollector.dll NotSigned sysinfo.dll ``` - Check `dbsync.dll` hash ``` certutil.exe -hashfile .\dbsync.dll ``` ``` SHA-1 hash of file .\dbsync.dll: 4c 37 79 3f d4 8f 0a 74 46 5d a7 5a 8f 9b eb fd 9a 3c 97 a4 SHA256 hash of file .\dbsync.dll: fa 1c 0f 6a 3e 71 c8 65 39 79 66 29 ea ec fc 79 84 5b bb 98 4c f1 5a c6 40 2c c6 70 ac b0 30 c2 ``` 2. Upgrade from `wazuh-agent v4.3.10` to `wazuh-agent v4.4.0` package :green_circle: 3. Check `ossec.log` file for error, warning and critical logs :green_circle: ``` No error, warning, nor critical were found. Agent still running. ``` 4. Check DLL signature :green_circle: ``` SignerCertificate Status Path ----------------- ------ ---- 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid dbsync.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libgcc_s_dw2-1.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libstdc++-6.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwazuhext.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwazuhshared.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwinpthread-1.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid rsync.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid syscollector.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid sysinfo.dll ``` 5. Check `dbsync.dll` hash :green_circle: ``` SHA-1 hash of file .\dbsync.dll: a7 fd 9a fa 59 9a 47 6e 3a 08 2b aa 07 00 07 a3 45 a7 6c 3a SHA256 hash of file .\dbsync.dll: 5f b8 d9 c2 bf 33 5d db 6b ff 97 45 69 43 61 7a a6 fa 07 b5 0d 1e e7 c4 e7 c6 66 54 a7 b0 59 bd ``` 6. Stop `wazuh-agent` and modify DLL library ``` echo 1 >> dbsync.dll ``` 7. Start `wazuh-agent` and check `ossec.log` file the warning log ``` 2023/01/04 16:48:53 wazuh-agent: INFO: Trust verification of a module failed by using the signature method. No signature found for 'C:\Program Files (x86)\ossec-agent\dbsync.dll'. 2023/01/04 16:48:53 wazuh-agent: INFO: Trust verification of a module failed by using the hash method. CryptCATAdminCalcHashFromFileHandle failed trying to calculate hash with error 2147942593 for 'C:\Program Files (x86)\ossec-agent\dbsync.dll': %1 is not a valid Win32 application. 2023/01/04 16:48:53 wazuh-agent: WARNING: The file 'C:\Program Files (x86)\ossec-agent\dbsync.dll' is not signed or its signature is invalid. ``` Agent started 🟢
### Fresh install
Fresh install core-branch signed package
1. Install `wazuh-agent v4.4.0` package :green_circle: 2. Check `ossec.log` file for error, warning and critical logs :green_circle: ``` No error, warning, nor critical were found. ``` 3. Check DLL signature :green_circle: ``` SignerCertificate Status Path ----------------- ------ ---- 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid dbsync.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libgcc_s_dw2-1.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libstdc++-6.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwazuhext.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwazuhshared.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwinpthread-1.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid rsync.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid syscollector.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid sysinfo.dll ``` 4. Check `dbsync.dll` hash :green_circle: ``` SHA-1 hash of file .\dbsync.dll: a7 fd 9a fa 59 9a 47 6e 3a 08 2b aa 07 00 07 a3 45 a7 6c 3a SHA256 hash of file .\dbsync.dll: 5f b8 d9 c2 bf 33 5d db 6b ff 97 45 69 43 61 7a a6 fa 07 b5 0d 1e e7 c4 e7 c6 66 54 a7 b0 59 bd ``` 5. Modify DLL library ``` echo 1 >> dbsync.dll ``` 6. Start `wazuh-agent` and check `ossec.log` file for the warning log ``` 2023/01/04 16:56:39 wazuh-agent: INFO: Trust verification of a module failed by using the signature method. No signature found for 'C:\Program Files (x86)\ossec-agent\dbsync.dll'. 2023/01/04 16:56:39 wazuh-agent: INFO: Trust verification of a module failed by using the hash method. CryptCATAdminCalcHashFromFileHandle failed trying to calculate hash with error 2147942593 for 'C:\Program Files (x86)\ossec-agent\dbsync.dll': %1 is not a valid Win32 application. 2023/01/04 16:56:39 wazuh-agent: WARNING: The file 'C:\Program Files (x86)\ossec-agent\dbsync.dll' is not signed or its signature is invalid. ``` Agent started :green_circle:

Windows 2012 🟢
### Upgrade
Upgrade from 4.3.10 to core-branch signed package
1. Before upgrading - Check DLL signature ``` Get-AuthenticodeSignature *.dll ``` ``` SignerCertificate Status Path ----------------- ------ ---- NotSigned dbsync.dll NotSigned libgcc_s_sjlj-1.dll NotSigned libwazuhext.dll NotSigned libwazuhshared.dll NotSigned libwinpthread-1.dll NotSigned rsync.dll NotSigned syscollector.dll NotSigned sysinfo.dll ``` - Check `dbsync.dll` hash ``` certutil.exe -hashfile .\dbsync.dll ``` ``` SHA-1 hash of file .\dbsync.dll: 4c 37 79 3f d4 8f 0a 74 46 5d a7 5a 8f 9b eb fd 9a 3c 97 a4 SHA256 hash of file .\dbsync.dll: fa 1c 0f 6a 3e 71 c8 65 39 79 66 29 ea ec fc 79 84 5b bb 98 4c f1 5a c6 40 2c c6 70 ac b0 30 c2 ``` 2. Upgrade from `wazuh-agent v4.3.10` to `wazuh-agent v4.4.0` package :green_circle: 3. Check `ossec.log` file for error, warning and critical logs :green_circle: ``` No error, warning, nor critical were found. Agent still running. ``` 4. Check DLL signature :green_circle: ``` SignerCertificate Status Path ----------------- ------ ---- 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid dbsync.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libgcc_s_dw2-1.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libstdc++-6.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwazuhext.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwazuhshared.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwinpthread-1.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid rsync.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid syscollector.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid sysinfo.dll ``` 5. Check `dbsync.dll` hash :green_circle: ``` SHA-1 hash of file .\dbsync.dll: a7 fd 9a fa 59 9a 47 6e 3a 08 2b aa 07 00 07 a3 45 a7 6c 3a SHA256 hash of file .\dbsync.dll: 5f b8 d9 c2 bf 33 5d db 6b ff 97 45 69 43 61 7a a6 fa 07 b5 0d 1e e7 c4 e7 c6 66 54 a7 b0 59 bd ``` 6. Stop `wazuh-agent` and modify DLL library ``` echo 1 >> dbsync.dll ``` 7. Start `wazuh-agent` and check `ossec.log` file the warning log ``` 2023/01/05 12:30:45 wazuh-agent: INFO: Trust verification of a module failed by using the signature method. No signature found for 'C:\Program Files (x86)\ossec-agent\dbsync.dll'. 2023/01/05 12:30:45 wazuh-agent: INFO: Trust verification of a module failed by using the hash method. CryptCATAdminCalcHashFromFileHandle failed trying to calculate hash with error 2147942593 for 'C:\Program Files (x86)\ossec-agent\dbsync.dll': %1 is not a valid Win32 application. 2023/01/05 12:30:45 wazuh-agent: WARNING: The file 'C:\Program Files (x86)\ossec-agent\dbsync.dll' is not signed or its signature is invalid. ``` Agent started 🟢
### Fresh install
Fresh install core-branch signed package
1. Install `wazuh-agent v4.4.0` package :green_circle: 2. Check `ossec.log` file for error, warning and critical logs :green_circle: ``` No error, warning, nor critical were found. ``` 3. Check DLL signature :green_circle: ``` SignerCertificate Status Path ----------------- ------ ---- 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid dbsync.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libgcc_s_dw2-1.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libstdc++-6.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwazuhext.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwazuhshared.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwinpthread-1.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid rsync.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid syscollector.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid sysinfo.dll ``` 4. Check `dbsync.dll` hash :green_circle: ``` SHA-1 hash of file .\dbsync.dll: a7 fd 9a fa 59 9a 47 6e 3a 08 2b aa 07 00 07 a3 45 a7 6c 3a SHA256 hash of file .\dbsync.dll: 5f b8 d9 c2 bf 33 5d db 6b ff 97 45 69 43 61 7a a6 fa 07 b5 0d 1e e7 c4 e7 c6 66 54 a7 b0 59 bd ``` 5. Modify DLL library ``` echo 1 >> dbsync.dll ``` 6. Start `wazuh-agent` and check `ossec.log` file for the warning log ``` 2023/01/05 12:39:09 wazuh-agent: INFO: Trust verification of a module failed by using the signature method. No signature found for 'C:\Program Files (x86)\ossec-agent\dbsync.dll'. 2023/01/05 12:39:09 wazuh-agent: INFO: Trust verification of a module failed by using the hash method. CryptCATAdminCalcHashFromFileHandle failed trying to calculate hash with error 2147942593 for 'C:\Program Files (x86)\ossec-agent\dbsync.dll': %1 is not a valid Win32 application. 2023/01/05 12:39:09 wazuh-agent: WARNING: The file 'C:\Program Files (x86)\ossec-agent\dbsync.dll' is not signed or its signature is invalid. ``` Agent started :green_circle:

Windows 2016 🟢
### Upgrade
Upgrade from 4.3.10 to core-branch signed package
1. Before upgrading - Check DLL signature ``` Get-AuthenticodeSignature *.dll ``` ``` SignerCertificate Status Path ----------------- ------ ---- NotSigned dbsync.dll NotSigned libgcc_s_sjlj-1.dll NotSigned libwazuhext.dll NotSigned libwazuhshared.dll NotSigned libwinpthread-1.dll NotSigned rsync.dll NotSigned syscollector.dll NotSigned sysinfo.dll ``` - Check `dbsync.dll` hash ``` certutil.exe -hashfile .\dbsync.dll ``` ``` SHA-1 hash of file .\dbsync.dll: 4c 37 79 3f d4 8f 0a 74 46 5d a7 5a 8f 9b eb fd 9a 3c 97 a4 SHA256 hash of file .\dbsync.dll: fa 1c 0f 6a 3e 71 c8 65 39 79 66 29 ea ec fc 79 84 5b bb 98 4c f1 5a c6 40 2c c6 70 ac b0 30 c2 ``` 2. Upgrade from `wazuh-agent v4.3.10` to `wazuh-agent v4.4.0` package :green_circle: 3. Check `ossec.log` file for error, warning and critical logs :green_circle: ``` No error, warning, nor critical were found. Agent still running. ``` 4. Check DLL signature :green_circle: ``` SignerCertificate Status Path ----------------- ------ ---- 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid dbsync.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libgcc_s_dw2-1.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libstdc++-6.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwazuhext.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwazuhshared.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwinpthread-1.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid rsync.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid syscollector.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid sysinfo.dll ``` 5. Check `dbsync.dll` hash :green_circle: ``` SHA-1 hash of file .\dbsync.dll: a7 fd 9a fa 59 9a 47 6e 3a 08 2b aa 07 00 07 a3 45 a7 6c 3a SHA256 hash of file .\dbsync.dll: 5f b8 d9 c2 bf 33 5d db 6b ff 97 45 69 43 61 7a a6 fa 07 b5 0d 1e e7 c4 e7 c6 66 54 a7 b0 59 bd ``` 6. Stop `wazuh-agent` and modify DLL library ``` echo 1 >> dbsync.dll ``` 7. Start `wazuh-agent` and check `ossec.log` file the warning log ``` 2023/01/05 14:25:47 wazuh-agent: INFO: Trust verification of a module failed by using the signature method. No signature found for 'C:\Program Files (x86)\ossec-agent\dbsync.dll'. 2023/01/05 14:25:47 wazuh-agent: INFO: Trust verification of a module failed by using the hash method. CryptCATAdminCalcHashFromFileHandle failed trying to calculate hash with error 2147942593 for 'C:\Program Files (x86)\ossec-agent\dbsync.dll': %1 is not a valid Win32 application. 2023/01/05 14:25:47 wazuh-agent: WARNING: The file 'C:\Program Files (x86)\ossec-agent\dbsync.dll' is not signed or its signature is invalid. ``` Agent started 🟢
### Fresh install
Fresh install core-branch signed package
1. Install `wazuh-agent v4.4.0` package :green_circle: 2. Check `ossec.log` file for error, warning and critical logs :green_circle: ``` No error, warning, nor critical were found. ``` 3. Check DLL signature :green_circle: ``` SignerCertificate Status Path ----------------- ------ ---- 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid dbsync.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libgcc_s_dw2-1.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libstdc++-6.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwazuhext.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwazuhshared.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwinpthread-1.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid rsync.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid syscollector.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid sysinfo.dll ``` 4. Check `dbsync.dll` hash :green_circle: ``` SHA-1 hash of file .\dbsync.dll: a7 fd 9a fa 59 9a 47 6e 3a 08 2b aa 07 00 07 a3 45 a7 6c 3a SHA256 hash of file .\dbsync.dll: 5f b8 d9 c2 bf 33 5d db 6b ff 97 45 69 43 61 7a a6 fa 07 b5 0d 1e e7 c4 e7 c6 66 54 a7 b0 59 bd ``` 5. Modify DLL library ``` echo 1 >> dbsync.dll ``` 6. Start `wazuh-agent` and check `ossec.log` file for the warning log ``` 2023/01/05 14:31:46 wazuh-agent: INFO: Trust verification of a module failed by using the signature method. No signature found for 'C:\Program Files (x86)\ossec-agent\dbsync.dll'. 2023/01/05 14:31:46 wazuh-agent: INFO: Trust verification of a module failed by using the hash method. CryptCATAdminCalcHashFromFileHandle failed trying to calculate hash with error 2147942593 for 'C:\Program Files (x86)\ossec-agent\dbsync.dll': %1 is not a valid Win32 application. 2023/01/05 14:31:46 wazuh-agent: WARNING: The file 'C:\Program Files (x86)\ossec-agent\dbsync.dll' is not signed or its signature is invalid. ``` Agent started :green_circle:

Windows 2019 🟢
### Upgrade
Upgrade from 4.3.10 to core-branch signed package
1. Before upgrading - Check DLL signature ``` Get-AuthenticodeSignature *.dll ``` ``` SignerCertificate Status Path ----------------- ------ ---- NotSigned dbsync.dll NotSigned libgcc_s_sjlj-1.dll NotSigned libwazuhext.dll NotSigned libwazuhshared.dll NotSigned libwinpthread-1.dll NotSigned rsync.dll NotSigned syscollector.dll NotSigned sysinfo.dll ``` - Check `dbsync.dll` hash ``` certutil.exe -hashfile .\dbsync.dll ``` ``` SHA-1 hash of file .\dbsync.dll: 4c 37 79 3f d4 8f 0a 74 46 5d a7 5a 8f 9b eb fd 9a 3c 97 a4 SHA256 hash of file .\dbsync.dll: fa 1c 0f 6a 3e 71 c8 65 39 79 66 29 ea ec fc 79 84 5b bb 98 4c f1 5a c6 40 2c c6 70 ac b0 30 c2 ``` 2. Upgrade from `wazuh-agent v4.3.10` to `wazuh-agent v4.4.0` package :green_circle: 3. Check `ossec.log` file for error, warning and critical logs :green_circle: ``` No error, warning, nor critical were found. Agent still running. ``` 4. Check DLL signature :green_circle: ``` SignerCertificate Status Path ----------------- ------ ---- 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid dbsync.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libgcc_s_dw2-1.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libstdc++-6.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwazuhext.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwazuhshared.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwinpthread-1.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid rsync.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid syscollector.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid sysinfo.dll ``` 5. Check `dbsync.dll` hash :green_circle: ``` SHA-1 hash of file .\dbsync.dll: a7 fd 9a fa 59 9a 47 6e 3a 08 2b aa 07 00 07 a3 45 a7 6c 3a SHA256 hash of file .\dbsync.dll: 5f b8 d9 c2 bf 33 5d db 6b ff 97 45 69 43 61 7a a6 fa 07 b5 0d 1e e7 c4 e7 c6 66 54 a7 b0 59 bd ``` 6. Stop `wazuh-agent` and modify DLL library ``` echo 1 >> dbsync.dll ``` 7. Start `wazuh-agent` and check `ossec.log` file the warning log ``` 2023/01/05 15:14:49 wazuh-agent: INFO: Trust verification of a module failed by using the signature method. No signature found for 'C:\Program Files (x86)\ossec-agent\dbsync.dll'. 2023/01/05 15:14:49 wazuh-agent: INFO: Trust verification of a module failed by using the hash method. CryptCATAdminCalcHashFromFileHandle failed trying to calculate hash with error 2147942593 for 'C:\Program Files (x86)\ossec-agent\dbsync.dll': %1 is not a valid Win32 application. 2023/01/05 15:14:49 wazuh-agent: WARNING: The file 'C:\Program Files (x86)\ossec-agent\dbsync.dll' is not signed or its signature is invalid. ``` Agent started 🟢
### Fresh install
Fresh install core-branch signed package
1. Install `wazuh-agent v4.4.0` package :green_circle: 2. Check `ossec.log` file for error, warning and critical logs :green_circle: ``` No error, warning, nor critical were found. ``` 3. Check DLL signature :green_circle: ``` SignerCertificate Status Path ----------------- ------ ---- 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid dbsync.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libgcc_s_dw2-1.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libstdc++-6.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwazuhext.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwazuhshared.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwinpthread-1.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid rsync.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid syscollector.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid sysinfo.dll ``` 4. Check `dbsync.dll` hash :green_circle: ``` SHA-1 hash of file .\dbsync.dll: a7 fd 9a fa 59 9a 47 6e 3a 08 2b aa 07 00 07 a3 45 a7 6c 3a SHA256 hash of file .\dbsync.dll: 5f b8 d9 c2 bf 33 5d db 6b ff 97 45 69 43 61 7a a6 fa 07 b5 0d 1e e7 c4 e7 c6 66 54 a7 b0 59 bd ``` 5. Modify DLL library ``` echo 1 >> dbsync.dll ``` 6. Start `wazuh-agent` and check `ossec.log` file for the warning log ``` 2023/01/05 15:18:33 wazuh-agent: INFO: Trust verification of a module failed by using the signature method. No signature found for 'C:\Program Files (x86)\ossec-agent\dbsync.dll'. 2023/01/05 15:18:33 wazuh-agent: INFO: Trust verification of a module failed by using the hash method. CryptCATAdminCalcHashFromFileHandle failed trying to calculate hash with error 2147942593 for 'C:\Program Files (x86)\ossec-agent\dbsync.dll': %1 is not a valid Win32 application. 2023/01/05 15:18:33 wazuh-agent: INFO: (1951): Analyzing event log: 'Security'. 2023/01/05 15:18:33 wazuh-agent: WARNING: The file 'C:\Program Files (x86)\ossec-agent\dbsync.dll' is not signed or its signature is invalid. ``` Agent started :green_circle:

Windows 2022 🟢
### Upgrade
Upgrade from 4.3.10 to core-branch signed package
1. Before upgrading - Check DLL signature ``` Get-AuthenticodeSignature *.dll ``` ``` SignerCertificate Status Path ----------------- ------ ---- NotSigned dbsync.dll NotSigned libgcc_s_sjlj-1.dll NotSigned libwazuhext.dll NotSigned libwazuhshared.dll NotSigned libwinpthread-1.dll NotSigned rsync.dll NotSigned syscollector.dll NotSigned sysinfo.dll ``` - Check `dbsync.dll` hash ``` certutil.exe -hashfile .\dbsync.dll ``` ``` SHA-1 hash of file .\dbsync.dll: 4c 37 79 3f d4 8f 0a 74 46 5d a7 5a 8f 9b eb fd 9a 3c 97 a4 SHA256 hash of file .\dbsync.dll: fa 1c 0f 6a 3e 71 c8 65 39 79 66 29 ea ec fc 79 84 5b bb 98 4c f1 5a c6 40 2c c6 70 ac b0 30 c2 ``` 2. Upgrade from `wazuh-agent v4.3.10` to `wazuh-agent v4.4.0` package :green_circle: 3. Check `ossec.log` file for error, warning and critical logs :green_circle: ``` No error, warning, nor critical were found. Agent still running. ``` 4. Check DLL signature :green_circle: ``` SignerCertificate Status Path ----------------- ------ ---- 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid dbsync.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libgcc_s_dw2-1.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libstdc++-6.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwazuhext.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwazuhshared.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwinpthread-1.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid rsync.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid syscollector.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid sysinfo.dll ``` 5. Check `dbsync.dll` hash :green_circle: ``` SHA-1 hash of file .\dbsync.dll: a7 fd 9a fa 59 9a 47 6e 3a 08 2b aa 07 00 07 a3 45 a7 6c 3a SHA256 hash of file .\dbsync.dll: 5f b8 d9 c2 bf 33 5d db 6b ff 97 45 69 43 61 7a a6 fa 07 b5 0d 1e e7 c4 e7 c6 66 54 a7 b0 59 bd ``` 6. Stop `wazuh-agent` and modify DLL library ``` echo 1 >> dbsync.dll ``` 7. Start `wazuh-agent` and check `ossec.log` file the warning log ``` 2023/01/05 16:51:57 wazuh-agent: INFO: Trust verification of a module failed by using the signature method. No signature found for 'C:\Program Files (x86)\ossec-agent\dbsync.dll'. 2023/01/05 16:51:57 wazuh-agent: INFO: Trust verification of a module failed by using the hash method. CryptCATAdminCalcHashFromFileHandle failed trying to calculate hash with error 2147942593 for 'C:\Program Files (x86)\ossec-agent\dbsync.dll': %1 is not a valid Win32 application. 2023/01/05 16:51:57 wazuh-agent: WARNING: The file 'C:\Program Files (x86)\ossec-agent\dbsync.dll' is not signed or its signature is invalid. ``` Agent started 🟢
### Fresh install
Fresh install core-branch signed package
1. Install `wazuh-agent v4.4.0` package :green_circle: 2. Check `ossec.log` file for error, warning and critical logs :green_circle: ``` No error, warning, nor critical were found. ``` 3. Check DLL signature :green_circle: ``` SignerCertificate Status Path ----------------- ------ ---- 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid dbsync.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libgcc_s_dw2-1.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libstdc++-6.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwazuhext.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwazuhshared.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwinpthread-1.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid rsync.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid syscollector.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid sysinfo.dll ``` 4. Check `dbsync.dll` hash :green_circle: ``` SHA-1 hash of file .\dbsync.dll: a7 fd 9a fa 59 9a 47 6e 3a 08 2b aa 07 00 07 a3 45 a7 6c 3a SHA256 hash of file .\dbsync.dll: 5f b8 d9 c2 bf 33 5d db 6b ff 97 45 69 43 61 7a a6 fa 07 b5 0d 1e e7 c4 e7 c6 66 54 a7 b0 59 bd ``` 5. Modify DLL library ``` echo 1 >> dbsync.dll ``` 6. Start `wazuh-agent` and check `ossec.log` file for the warning log ``` 2023/01/05 16:56:21 wazuh-agent: INFO: Trust verification of a module failed by using the signature method. No signature found for 'C:\Program Files (x86)\ossec-agent\dbsync.dll'. 2023/01/05 16:56:21 wazuh-agent: INFO: Trust verification of a module failed by using the hash method. CryptCATAdminCalcHashFromFileHandle failed trying to calculate hash with error 2147942593 for 'C:\Program Files (x86)\ossec-agent\dbsync.dll': %1 is not a valid Win32 application. 2023/01/05 16:56:21 wazuh-agent: WARNING: The file 'C:\Program Files (x86)\ossec-agent\dbsync.dll' is not signed or its signature is invalid. ``` Agent started :green_circle:

Windows 11 🟢
### Upgrade
Upgrade from 4.3.10 to core-branch signed package
1. Before upgrading - Check DLL signature ``` Get-AuthenticodeSignature *.dll ``` ``` SignerCertificate Status Path ----------------- ------ ---- NotSigned dbsync.dll NotSigned libgcc_s_sjlj-1.dll NotSigned libwazuhext.dll NotSigned libwazuhshared.dll NotSigned libwinpthread-1.dll NotSigned rsync.dll NotSigned syscollector.dll NotSigned sysinfo.dll ``` - Check `dbsync.dll` hash ``` certutil.exe -hashfile .\dbsync.dll ``` ``` SHA-1 hash of file .\dbsync.dll: 4c 37 79 3f d4 8f 0a 74 46 5d a7 5a 8f 9b eb fd 9a 3c 97 a4 SHA256 hash of file .\dbsync.dll: fa 1c 0f 6a 3e 71 c8 65 39 79 66 29 ea ec fc 79 84 5b bb 98 4c f1 5a c6 40 2c c6 70 ac b0 30 c2 ``` 2. Upgrade from `wazuh-agent v4.3.10` to `wazuh-agent v4.4.0` package :green_circle: 3. Check `ossec.log` file for error, warning and critical logs :green_circle: ``` No error, warning, nor critical were found. Agent still running. ``` 4. Check DLL signature :green_circle: ``` SignerCertificate Status Path ----------------- ------ ---- 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid dbsync.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libgcc_s_dw2-1.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libstdc++-6.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwazuhext.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwazuhshared.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwinpthread-1.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid rsync.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid syscollector.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid sysinfo.dll ``` 5. Check `dbsync.dll` hash :green_circle: ``` SHA-1 hash of file .\dbsync.dll: a7 fd 9a fa 59 9a 47 6e 3a 08 2b aa 07 00 07 a3 45 a7 6c 3a SHA256 hash of file .\dbsync.dll: 5f b8 d9 c2 bf 33 5d db 6b ff 97 45 69 43 61 7a a6 fa 07 b5 0d 1e e7 c4 e7 c6 66 54 a7 b0 59 bd ``` 6. Stop `wazuh-agent` and modify DLL library ``` echo 1 >> dbsync.dll ``` 7. Start `wazuh-agent` and check `ossec.log` file the warning log ``` 2023/01/05 11:06:53 wazuh-agent: INFO: Trust verification of a module failed by using the signature method. No signature found for 'C:\Program Files (x86)\ossec-agent\dbsync.dll'. 2023/01/05 11:06:53 wazuh-agent: INFO: Trust verification of a module failed by using the hash method. CryptCATAdminCalcHashFromFileHandle failed trying to calculate hash with error 2147942593 for 'C:\Program Files (x86)\ossec-agent\dbsync.dll': %1 is not a valid Win32 application. 2023/01/05 11:06:53 wazuh-agent: WARNING: The file 'C:\Program Files (x86)\ossec-agent\dbsync.dll' is not signed or its signature is invalid. ``` Agent started 🟢
### Fresh install
Fresh install core-branch signed package
1. Install `wazuh-agent v4.4.0` package :green_circle: 2. Check `ossec.log` file for error, warning and critical logs :green_circle: ``` No error, warning, nor critical were found. ``` 3. Check DLL signature :green_circle: ``` SignerCertificate Status Path ----------------- ------ ---- 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid dbsync.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libgcc_s_dw2-1.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libstdc++-6.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwazuhext.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwazuhshared.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwinpthread-1.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid rsync.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid syscollector.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid sysinfo.dll ``` 4. Check `dbsync.dll` hash :green_circle: ``` SHA-1 hash of file .\dbsync.dll: a7 fd 9a fa 59 9a 47 6e 3a 08 2b aa 07 00 07 a3 45 a7 6c 3a SHA256 hash of file .\dbsync.dll: 5f b8 d9 c2 bf 33 5d db 6b ff 97 45 69 43 61 7a a6 fa 07 b5 0d 1e e7 c4 e7 c6 66 54 a7 b0 59 bd ``` 5. Modify DLL library ``` echo 1 >> dbsync.dll ``` 6. Start `wazuh-agent` and check `ossec.log` file for the warning log ``` 2023/01/05 11:06:53 wazuh-agent: INFO: Trust verification of a module failed by using the signature method. No signature found for 'C:\Program Files (x86)\ossec-agent\dbsync.dll'. 2023/01/05 11:06:53 wazuh-agent: INFO: Trust verification of a module failed by using the hash method. CryptCATAdminCalcHashFromFileHandle failed trying to calculate hash with error 2147942593 for 'C:\Program Files (x86)\ossec-agent\dbsync.dll': %1 is not a valid Win32 application. 2023/01/05 11:06:53 wazuh-agent: WARNING: The file 'C:\Program Files (x86)\ossec-agent\dbsync.dll' is not signed or its signature is invalid. ``` Agent started :green_circle:

Windows 2008 🟢
### Upgrade
Upgrade from 4.3.10 to core-branch signed package
1. Before upgrading - Check DLL signature ``` Get-AuthenticodeSignature *.dll ``` ``` SignerCertificate Status Path ----------------- ------ ---- NotSigned dbsync.dll NotSigned libgcc_s_sjlj-1.dll NotSigned libwazuhext.dll NotSigned libwazuhshared.dll NotSigned libwinpthread-1.dll NotSigned rsync.dll NotSigned syscollector.dll NotSigned sysinfo.dll ``` - Check `dbsync.dll` hash ``` certutil.exe -hashfile .\dbsync.dll ``` ``` SHA-1 hash of file .\dbsync.dll: 4c 37 79 3f d4 8f 0a 74 46 5d a7 5a 8f 9b eb fd 9a 3c 97 a4 SHA256 hash of file .\dbsync.dll: fa 1c 0f 6a 3e 71 c8 65 39 79 66 29 ea ec fc 79 84 5b bb 98 4c f1 5a c6 40 2c c6 70 ac b0 30 c2 ``` 2. Upgrade from `wazuh-agent v4.3.10` to `wazuh-agent v4.4.0` package :green_circle: 3. Check `ossec.log` file for error, warning and critical logs :green_circle: ``` No error, warning, nor critical were found. Agent still running. ``` 4. Check DLL signature :green_circle: ``` SignerCertificate Status Path ----------------- ------ ---- 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid dbsync.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libgcc_s_dw2-1.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libstdc++-6.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwazuhext.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwazuhshared.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwinpthread-1.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid rsync.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid syscollector.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid sysinfo.dll ``` 5. Check `dbsync.dll` hash :green_circle: ``` SHA-1 hash of file .\dbsync.dll: a7 fd 9a fa 59 9a 47 6e 3a 08 2b aa 07 00 07 a3 45 a7 6c 3a SHA256 hash of file .\dbsync.dll: 5f b8 d9 c2 bf 33 5d db 6b ff 97 45 69 43 61 7a a6 fa 07 b5 0d 1e e7 c4 e7 c6 66 54 a7 b0 59 bd ``` 6. Stop `wazuh-agent` and modify DLL library ``` echo 1 >> dbsync.dll ``` 7. Start `wazuh-agent` and check `ossec.log` file the warning log ``` 2023/01/06 15:38:52 wazuh-agent: INFO: Trust verification of a module failed by using the signature method. The file 'C:\Program Files (x86)\ossec-agent\dbsync.dll' or its signature is corrupt. 2023/01/06 15:38:52 wazuh-agent: INFO: Trust verification of a module failed by using the hash method. CryptCATAdminEnumCatalogFromHash failed with error 1168 for 'C:\Program Files (x86)\ossec-agent\dbsync.dll': Element not found. 2023/01/06 15:38:52 wazuh-agent: WARNING: The file 'C:\Program Files (x86)\ossec-agent\dbsync.dll' is not signed or its signature is invalid. ``` Agent started 🟢
### Fresh install
Fresh install core-branch signed package
1. Install `wazuh-agent v4.4.0` package :green_circle: 2. Check `ossec.log` file for error, warning and critical logs :green_circle: ``` No error, warning, nor critical were found. ``` 3. Check DLL signature :green_circle: ``` SignerCertificate Status Path ----------------- ------ ---- 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid dbsync.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libgcc_s_dw2-1.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libstdc++-6.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwazuhext.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwazuhshared.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwinpthread-1.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid rsync.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid syscollector.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid sysinfo.dll ``` 4. Check `dbsync.dll` hash :green_circle: ``` SHA-1 hash of file .\dbsync.dll: a7 fd 9a fa 59 9a 47 6e 3a 08 2b aa 07 00 07 a3 45 a7 6c 3a SHA256 hash of file .\dbsync.dll: 5f b8 d9 c2 bf 33 5d db 6b ff 97 45 69 43 61 7a a6 fa 07 b5 0d 1e e7 c4 e7 c6 66 54 a7 b0 59 bd ``` 5. Modify DLL library ``` echo 1 >> dbsync.dll ``` 6. Start `wazuh-agent` and check `ossec.log` file for the warning log ``` 2023/01/06 15:52:19 wazuh-agent: INFO: Trust verification of a module failed by using the signature method. The file 'C:\Program Files (x86)\ossec-agent\dbsync.dll' or its signature is corrupt. 2023/01/06 15:52:19 wazuh-agent: INFO: Trust verification of a module failed by using the hash method. CryptCATAdminEnumCatalogFromHash failed with error 1168 for 'C:\Program Files (x86)\ossec-agent\dbsync.dll': Element not found. 2023/01/06 15:52:19 wazuh-agent: WARNING: The file 'C:\Program Files (x86)\ossec-agent\dbsync.dll' is not signed or its signature is invalid. ``` Agent started :green_circle:

Testing results

Package with IMAGE_TRUST_CHECK=2

Windows XP 🔴

### Upgrade

Upgrade from 4.3.10 to core-branch signed package

### Fresh install

Fresh install core-branch package

1. Install `wazuh-agent v4.4.0` package 🟢 2. Check `ossec.log` file for the critical log 🔴 ``` 2023/01/03 18:31:36 wazuh-agent: CRITICAL: The dynamic signature validation is not available because the CA name is not available. 2023/01/03 18:31:36 wazuh-agent: INFO: Received exit signal. Starting exit process. 2023/01/03 18:31:36 wazuh-agent: INFO: Set pending exit signal. ``` **The log should show the certificate name** Agent stopped 🟢 4. Install the certificate DigiCert High Assurance EV Root CA https://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt): 5. Start the agent 🔴

Windows Vista 🟢
### Upgrade
Upgrade from 4.3.10 to core-branch signed package
1. Before upgrading - Check DLL signature ``` Get-AuthenticodeSignature *.dll ``` ``` SignerCertificate Status Path ----------------- ------ ---- NotSigned dbsync.dll NotSigned libgcc_s_sjlj-1.dll NotSigned libwazuhext.dll NotSigned libwazuhshared.dll NotSigned libwinpthread-1.dll NotSigned rsync.dll NotSigned syscollector.dll NotSigned sysinfo.dll ``` - Check `dbsync.dll` hash ``` certutil.exe -hashfile .\dbsync.dll ``` ``` SHA-1 hash of file .\dbsync.dll: 4c 37 79 3f d4 8f 0a 74 46 5d a7 5a 8f 9b eb fd 9a 3c 97 a4 ``` 2. Upgrade from `wazuh-agent v4.3.10` to `wazuh-agent v4.4.0` package :green_circle: 3. Check `ossec.log` file for error, warning and critical logs :green_circle: ``` No error, warning, nor critical were found. Agent still running. ``` 4. Check DLL signature :green_circle: ``` SignerCertificate Status Path ----------------- ------ ---- 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid dbsync.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libgcc_s_dw2-1.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libstdc++-6.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwazuhext.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwazuhshared.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwinpthread-1.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid rsync.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid syscollector.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid sysinfo.dll ``` 5. Check `dbsync.dll` hash :green_circle: ``` SHA-1 hash of file .\dbsync.dll: 2e 14 5a 1b 90 6b 9f 21 6c 9a 92 dd 64 e3 17 82 57 4c 04 63 ``` 8. Stop `wazuh-agent` and modify DLL library ``` echo 1 >> dbsync.dll ``` 9. Start `wazuh-agent` and check `ossec.log` file the critical log 🟢 ``` 2023/01/03 11:33:42 wazuh-agent: INFO: Trust verification of a module failed by using the signature method. No signature found for 'C:\Program Files (x86)\ossec-agent\dbsync.dll'. 2023/01/03 11:33:42 wazuh-agent: INFO: Trust verification of a module failed by using the hash method. CryptCATAdminCalcHashFromFileHandle failed trying to get the hash size with error 2147942593 for 'C:\Program Files (x86)\ossec-agent\dbsync.dll': %1 is not a valid Win32 application. 2023/01/03 11:33:42 wazuh-agent: CRITICAL: The file 'C:\Program Files (x86)\ossec-agent\dbsync.dll' is not signed or its signature is invalid. 2023/01/03 11:33:42 wazuh-agent: INFO: Received exit signal. Starting exit process. 2023/01/03 11:33:42 wazuh-agent: INFO: Set pending exit signal. 2023/01/03 11:33:42 wazuh-modulesd:syscollector: INFO: Stop received for Syscollector. 2023/01/03 11:33:42 wazuh-agent: INFO: (1314): Shutdown received. Deleting responses. 2023/01/03 11:33:42 wazuh-agent: INFO: Exit completed successfully. ``` Agent stopped: 🟢 ![image](https://user-images.githubusercontent.com/26927338/210410799-2e447bb4-68b5-4eb8-aa85-cae9a0840053.png)
### Fresh install
Fresh install core-branch signed package
1. Install `wazuh-agent v4.4.0` package :green_circle: 2. Check `ossec.log` file for error, warning and critical logs :green_circle: ``` No error, warning, nor critical were found. ``` 3. Check DLL signature :green_circle: ``` SignerCertificate Status Path ----------------- ------ ---- 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid dbsync.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libgcc_s_dw2-1.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libstdc++-6.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwazuhext.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwazuhshared.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwinpthread-1.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid rsync.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid syscollector.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid sysinfo.dll ``` 4. Check `dbsync.dll` hash :green_circle: ``` SHA-1 hash of file .\dbsync.dll: 2e 14 5a 1b 90 6b 9f 21 6c 9a 92 dd 64 e3 17 82 57 4c 04 63 ``` 5. Modify DLL library ``` echo 1 >> dbsync.dll ``` 7. Start `wazuh-agent` and check `ossec.log` file for the critical log 🟢 ``` 2023/01/03 11:44:08 wazuh-agent: INFO: Trust verification of a module failed by using the signature method. No signature found for 'C:\Program Files (x86)\ossec-agent\dbsync.dll'. 2023/01/03 11:44:08 wazuh-agent: INFO: Trust verification of a module failed by using the hash method. CryptCATAdminCalcHashFromFileHandle failed trying to get the hash size with error 2147942593 for 'C:\Program Files (x86)\ossec-agent\dbsync.dll': %1 is not a valid Win32 application. 2023/01/03 11:44:08 wazuh-agent: CRITICAL: The file 'C:\Program Files (x86)\ossec-agent\dbsync.dll' is not signed or its signature is invalid. 2023/01/03 11:44:08 wazuh-agent: INFO: Received exit signal. Starting exit process. 2023/01/03 11:44:08 wazuh-agent: INFO: Set pending exit signal. 2023/01/03 11:44:08 wazuh-modulesd:syscollector: INFO: Stop received for Syscollector. 2023/01/03 11:44:08 wazuh-agent: INFO: (1314): Shutdown received. Deleting responses. 2023/01/03 11:44:08 wazuh-agent: INFO: Exit completed successfully. ``` Agent stopped :green_circle: ![image](https://user-images.githubusercontent.com/26927338/210412772-129ec11a-f88c-4566-8655-3c4a48186dad.png)

Windows 7 🟢
### Upgrade
Upgrade from 4.3.10 to core-branch signed package
1. Before upgrading - Check DLL signature ``` Get-AuthenticodeSignature *.dll ``` ``` SignerCertificate Status Path ----------------- ------ ---- NotSigned dbsync.dll NotSigned libgcc_s_sjlj-1.dll NotSigned libwazuhext.dll NotSigned libwazuhshared.dll NotSigned libwinpthread-1.dll NotSigned rsync.dll NotSigned syscollector.dll NotSigned sysinfo.dll ``` - Check `dbsync.dll` hash ``` certutil.exe -hashfile .\dbsync.dll ``` ``` SHA-1 hash of file .\dbsync.dll: 4c 37 79 3f d4 8f 0a 74 46 5d a7 5a 8f 9b eb fd 9a 3c 97 a4 ``` 2. Upgrade from `wazuh-agent v4.3.10` to `wazuh-agent v4.4.0` package :green_circle: 3. Check `ossec.log` file for error, warning and critical logs :green_circle: ``` No error, warning, nor critical were found. Agent still running. ``` 4. Check DLL signature :green_circle: ``` SignerCertificate Status Path ----------------- ------ ---- 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid dbsync.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libgcc_s_dw2-1.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libstdc++-6.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwazuhext.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwazuhshared.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwinpthread-1.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid rsync.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid syscollector.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid sysinfo.dll ``` 5. Check `dbsync.dll` hash :green_circle: ``` SHA-1 hash of file .\dbsync.dll: 2e 14 5a 1b 90 6b 9f 21 6c 9a 92 dd 64 e3 17 82 57 4c 04 63 SHA256 hash of file .\dbsync.dll: fe 74 b7 b5 ed e5 cd 26 82 23 fd fb 6b 4a 63 95 c8 b7 06 cf cd e9 68 1a 65 73 cd c8 4f 72 b6 08 ``` 6. Stop `wazuh-agent` and modify DLL library ``` echo 1 >> dbsync.dll ``` 8. Start `wazuh-agent` and check `ossec.log` file the critical log 🟢 ``` 2023/01/03 20:17:23 wazuh-agent: INFO: Trust verification of a module failed by using the signature method. The file 'C:\Program Files (x86)\ossec-agent\dbsync.dll' or its signature is corrupt. 2023/01/03 20:17:23 wazuh-agent: INFO: Trust verification of a module failed by using the hash method. CryptCATAdminEnumCatalogFromHash failed with error 1168 for 'C:\Program Files (x86)\ossec-agent\dbsync.dll': Element not found. 2023/01/03 20:17:23 wazuh-agent: CRITICAL: The file 'C:\Program Files (x86)\ossec-agent\dbsync.dll' is not signed or its signature is invalid. 2023/01/03 20:17:23 wazuh-agent: INFO: Received exit signal. Starting exit process. 2023/01/03 20:17:23 wazuh-agent: INFO: Set pending exit signal. 2023/01/03 20:17:23 wazuh-modulesd:syscollector: INFO: Stop received for Syscollector. 2023/01/03 20:17:23 wazuh-agent: INFO: Exit completed successfully. 2023/01/03 20:17:23 wazuh-agent: INFO: (1314): Shutdown received. Deleting responses. ``` Agent stopped: 🟢 ![image](https://user-images.githubusercontent.com/26927338/210435022-a857a2dc-52fa-4065-9633-fa4f9f0feb1e.png)
### Fresh install
Fresh install core-branch signed package
1. Install `wazuh-agent v4.4.0` package :green_circle: 2. Check `ossec.log` file for error, warning and critical logs :green_circle: ``` No error, warning, nor critical were found. ``` 3. Check DLL signature :green_circle: ``` SignerCertificate Status Path ----------------- ------ ---- 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid dbsync.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libgcc_s_dw2-1.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libstdc++-6.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwazuhext.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwazuhshared.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwinpthread-1.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid rsync.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid syscollector.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid sysinfo.dll ``` 4. Check `dbsync.dll` hash :green_circle: ``` SHA-1 hash of file .\dbsync.dll: 2e 14 5a 1b 90 6b 9f 21 6c 9a 92 dd 64 e3 17 82 57 4c 04 63 SHA256 hash of file .\dbsync.dll: fe 74 b7 b5 ed e5 cd 26 82 23 fd fb 6b 4a 63 95 c8 b7 06 cf cd e9 68 1a 65 73 cd c8 4f 72 b6 08 ``` 5. Modify DLL library ``` echo 1 >> dbsync.dll ``` 6. Start `wazuh-agent` and check `ossec.log` file for the critical log 🟢 ``` 2023/01/03 20:26:48 wazuh-agent: INFO: Trust verification of a module failed by using the signature method. The file 'C:\Program Files (x86)\ossec-agent\dbsync.dll' or its signature is corrupt. 2023/01/03 20:26:48 wazuh-agent: INFO: Trust verification of a module failed by using the hash method. CryptCATAdminEnumCatalogFromHash failed with error 1168 for 'C:\Program Files (x86)\ossec-agent\dbsync.dll': Element not found. 2023/01/03 20:26:48 wazuh-agent: CRITICAL: The file 'C:\Program Files (x86)\ossec-agent\dbsync.dll' is not signed or its signature is invalid. 2023/01/03 20:26:48 wazuh-agent: INFO: Received exit signal. Starting exit process. 2023/01/03 20:26:48 wazuh-agent: INFO: Set pending exit signal. 2023/01/03 20:26:48 wazuh-modulesd:syscollector: INFO: Stop received for Syscollector. 2023/01/03 20:26:48 wazuh-agent: INFO: Exit completed successfully. 2023/01/03 20:26:48 wazuh-agent: INFO: (1314): Shutdown received. Deleting responses. ``` Agent stopped :green_circle: ![image](https://user-images.githubusercontent.com/26927338/210436207-90101860-40cb-478e-8281-281caf478603.png)

Windows 2003 🔴
### Upgrade
Upgrade from 4.3.10 to core-branch signed package
1. Before upgrading - Check DLL signature 🟢 ``` Start → Programs → Accessories → System Tools → System Information → Tools menu → File Signature Verification Utility ``` ![image](https://user-images.githubusercontent.com/26927338/210559560-c6b5f9cc-d73f-48f3-920a-7a99b66a165d.png) 2. Upgrade from `wazuh-agent v4.3.10` to `wazuh-agent v4.4.0` package 🟢 3. Check `ossec.log` file for critical logs 🔴 ``` 2023/01/04 04:56:43 wazuh-agent: INFO: (1314): Shutdown received. Deleting responses. 2023/01/04 04:56:44 wazuh-agent: CRITICAL: The dynamic signature validation is not available because the CA name is not available. 2023/01/04 04:56:44 wazuh-agent: INFO: Received exit signal. Starting exit process. 2023/01/04 04:56:44 wazuh-agent: INFO: Set pending exit signal. ``` **The log should show the certificate name** 4. Agent stopped 🟢 ![image](https://user-images.githubusercontent.com/26927338/210560916-714dc31f-c2a3-4c82-90c8-6434ab655e89.png) 5. Install the certificate DigiCert High Assurance EV Root CA (https://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt) 6. Start the agent 🔴
### Fresh install
Fresh install core-branch package
1. Install `wazuh-agent v4.4.0` package 🟢 2. Check `ossec.log` file for the critical log 🟢 ``` 2023/01/04 05:12:03 wazuh-agent: CRITICAL: The dynamic signature validation is not available because the CA name is not available. 2023/01/04 05:12:03 wazuh-agent: INFO: Received exit signal. Starting exit process. 2023/01/04 05:12:03 wazuh-agent: INFO: Set pending exit signal. ``` 3. Agent not running 🟢

Windows 8 🟢
### Upgrade
Upgrade from 4.3.10 to core-branch signed package
1. Before upgrading - Check DLL signature ``` Get-AuthenticodeSignature *.dll ``` ``` SignerCertificate Status Path ----------------- ------ ---- NotSigned dbsync.dll NotSigned libgcc_s_sjlj-1.dll NotSigned libwazuhext.dll NotSigned libwazuhshared.dll NotSigned libwinpthread-1.dll NotSigned rsync.dll NotSigned syscollector.dll NotSigned sysinfo.dll ``` - Check `dbsync.dll` hash ``` certutil.exe -hashfile .\dbsync.dll ``` ``` SHA-1 hash of file .\dbsync.dll: 4c 37 79 3f d4 8f 0a 74 46 5d a7 5a 8f 9b eb fd 9a 3c 97 a4 SHA256 hash of file .\dbsync.dll: fa 1c 0f 6a 3e 71 c8 65 39 79 66 29 ea ec fc 79 84 5b bb 98 4c f1 5a c6 40 2c c6 70 ac b0 30 c2 ``` 2. Upgrade from `wazuh-agent v4.3.10` to `wazuh-agent v4.4.0` package :green_circle: 3. Check `ossec.log` file for error, warning and critical logs :green_circle: ``` No error, warning, nor critical were found. Agent still running. ``` 4. Check DLL signature :green_circle: ``` SignerCertificate Status Path ----------------- ------ ---- 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid dbsync.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libgcc_s_dw2-1.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libstdc++-6.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwazuhext.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwazuhshared.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwinpthread-1.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid rsync.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid syscollector.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid sysinfo.dll ``` 5. Check `dbsync.dll` hash :green_circle: ``` SHA-1 hash of file .\dbsync.dll: 2e 14 5a 1b 90 6b 9f 21 6c 9a 92 dd 64 e3 17 82 57 4c 04 63 SHA256 hash of file .\dbsync.dll: fe 74 b7 b5 ed e5 cd 26 82 23 fd fb 6b 4a 63 95 c8 b7 06 cf cd e9 68 1a 65 73 cd c8 4f 72 b6 08 ``` 6. Stop `wazuh-agent` and modify DLL library ``` echo 1 >> dbsync.dll ``` 9. Start `wazuh-agent` and check `ossec.log` file the critical log 🟢 ``` 2023/01/04 08:24:25 wazuh-agent: INFO: Trust verification of a module failed by using the hash method. CryptCATAdminCalcHashFromFileHandle failed trying to calculate hash with error 2147942593 for 'C:\Program Files (x86)\ossec-agent\dbsync.dll': %1 is not a valid Win32 application. 2023/01/04 08:24:25 wazuh-agent: CRITICAL: The file 'C:\Program Files (x86)\ossec-agent\dbsync.dll' is not signed or its signature is invalid. 2023/01/04 08:24:25 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\Protocols', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256' ``` Agent stopped: 🟢 ![image](https://user-images.githubusercontent.com/26927338/210602529-4b66130f-c8fc-4e10-80b5-43d0927675e8.png)
### Fresh install
Fresh install core-branch signed package
1. Install `wazuh-agent v4.4.0` package :green_circle: 2. Check `ossec.log` file for error, warning and critical logs :green_circle: ``` No error, warning, nor critical were found. ``` 3. Check DLL signature :green_circle: ``` SignerCertificate Status Path ----------------- ------ ---- 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid dbsync.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libgcc_s_dw2-1.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libstdc++-6.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwazuhext.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwazuhshared.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwinpthread-1.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid rsync.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid syscollector.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid sysinfo.dll ``` 4. Check `dbsync.dll` hash :green_circle: ``` SHA-1 hash of file .\dbsync.dll: 2e 14 5a 1b 90 6b 9f 21 6c 9a 92 dd 64 e3 17 82 57 4c 04 63 SHA256 hash of file .\dbsync.dll: fe 74 b7 b5 ed e5 cd 26 82 23 fd fb 6b 4a 63 95 c8 b7 06 cf cd e9 68 1a 65 73 cd c8 4f 72 b6 08 ``` 5. Modify DLL library ``` echo 1 >> dbsync.dll ``` 6. Start `wazuh-agent` and check `ossec.log` file for the critical log 🟢 ``` 2023/01/03 20:26:48 wazuh-agent: INFO: Trust verification of a module failed by using the signature method. The file 'C:\Program Files (x86)\ossec-agent\dbsync.dll' or its signature is corrupt. 2023/01/03 20:26:48 wazuh-agent: INFO: Trust verification of a module failed by using the hash method. CryptCATAdminEnumCatalogFromHash failed with error 1168 for 'C:\Program Files (x86)\ossec-agent\dbsync.dll': Element not found. 2023/01/03 20:26:48 wazuh-agent: CRITICAL: The file 'C:\Program Files (x86)\ossec-agent\dbsync.dll' is not signed or its signature is invalid. 2023/01/03 20:26:48 wazuh-agent: INFO: Received exit signal. Starting exit process. 2023/01/03 20:26:48 wazuh-agent: INFO: Set pending exit signal. 2023/01/03 20:26:48 wazuh-modulesd:syscollector: INFO: Stop received for Syscollector. 2023/01/03 20:26:48 wazuh-agent: INFO: Exit completed successfully. 2023/01/03 20:26:48 wazuh-agent: INFO: (1314): Shutdown received. Deleting responses. ``` Agent stopped :green_circle: ![image](https://user-images.githubusercontent.com/26927338/210436207-90101860-40cb-478e-8281-281caf478603.png)

Windows 10 🟢
### Upgrade
Upgrade from 4.3.10 to core-branch signed package
1. Before upgrading - Check DLL signature ``` Get-AuthenticodeSignature *.dll ``` ``` SignerCertificate Status Path ----------------- ------ ---- NotSigned dbsync.dll NotSigned libgcc_s_sjlj-1.dll NotSigned libwazuhext.dll NotSigned libwazuhshared.dll NotSigned libwinpthread-1.dll NotSigned rsync.dll NotSigned syscollector.dll NotSigned sysinfo.dll ``` - Check `dbsync.dll` hash ``` certutil.exe -hashfile .\dbsync.dll ``` ``` SHA-1 hash of file .\dbsync.dll: 4c 37 79 3f d4 8f 0a 74 46 5d a7 5a 8f 9b eb fd 9a 3c 97 a4 SHA256 hash of file .\dbsync.dll: fa 1c 0f 6a 3e 71 c8 65 39 79 66 29 ea ec fc 79 84 5b bb 98 4c f1 5a c6 40 2c c6 70 ac b0 30 c2 ``` 2. Upgrade from `wazuh-agent v4.3.10` to `wazuh-agent v4.4.0` package :green_circle: 3. Check `ossec.log` file for error, warning and critical logs :green_circle: ``` No error, warning, nor critical were found. Agent still running. ``` 4. Check DLL signature :green_circle: ``` SignerCertificate Status Path ----------------- ------ ---- 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid dbsync.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libgcc_s_dw2-1.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libstdc++-6.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwazuhext.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwazuhshared.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwinpthread-1.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid rsync.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid syscollector.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid sysinfo.dll ``` 5. Check `dbsync.dll` hash :green_circle: ``` SHA-1 hash of file .\dbsync.dll: 2e 14 5a 1b 90 6b 9f 21 6c 9a 92 dd 64 e3 17 82 57 4c 04 63 SHA256 hash of file .\dbsync.dll: fe 74 b7 b5 ed e5 cd 26 82 23 fd fb 6b 4a 63 95 c8 b7 06 cf cd e9 68 1a 65 73 cd c8 4f 72 b6 08 ``` 6. Stop `wazuh-agent` and modify DLL library ``` echo 1 >> dbsync.dll ``` 7. Start `wazuh-agent` and check `ossec.log` file the critical log 🟢 ``` 2023/01/05 08:49:25 wazuh-agent: INFO: Trust verification of a module failed by using the signature method. No signature found for 'C:\Program Files (x86)\ossec-agent\dbsync.dll'. 2023/01/05 08:49:25 wazuh-agent: INFO: Windows version is 6.0 or newer. (Microsoft Windows 10 Home [Ver: 10.0.17763.1577] - Wazuh v4.4.0). 2023/01/05 08:49:25 wazuh-modulesd:agent-upgrade: INFO: (8153): Module Agent Upgrade started. 2023/01/05 08:49:25 wazuh-agent: INFO: (1951): Analyzing event log: 'Application'. 2023/01/05 08:49:25 wazuh-agent: INFO: Trust verification of a module failed by using the hash method. CryptCATAdminCalcHashFromFileHandle failed trying to calculate hash with error 2147942593 for 'C:\Program Files (x86)\ossec-agent\dbsync.dll': %1 is not a valid Win32 application. 2023/01/05 08:49:25 wazuh-agent: INFO: (1951): Analyzing event log: 'Security'. 2023/01/05 08:49:25 wazuh-agent: CRITICAL: The file 'C:\Program Files (x86)\ossec-agent\dbsync.dll' is not signed or its signature is invalid. ``` Agent stopped: 🟢 ![image](https://user-images.githubusercontent.com/26927338/210774295-68aa9a9f-8043-4336-8380-4ee26713ea0f.png)
### Fresh install
Fresh install core-branch signed package
1. Install `wazuh-agent v4.4.0` package :green_circle: 2. Check `ossec.log` file for error, warning and critical logs :green_circle: ``` No error, warning, nor critical were found. ``` 3. Check DLL signature :green_circle: ``` SignerCertificate Status Path ----------------- ------ ---- 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid dbsync.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libgcc_s_dw2-1.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libstdc++-6.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwazuhext.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwazuhshared.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwinpthread-1.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid rsync.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid syscollector.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid sysinfo.dll ``` 4. Check `dbsync.dll` hash :green_circle: ``` SHA-1 hash of file .\dbsync.dll: 2e 14 5a 1b 90 6b 9f 21 6c 9a 92 dd 64 e3 17 82 57 4c 04 63 SHA256 hash of file .\dbsync.dll: fe 74 b7 b5 ed e5 cd 26 82 23 fd fb 6b 4a 63 95 c8 b7 06 cf cd e9 68 1a 65 73 cd c8 4f 72 b6 08 ``` 5. Modify DLL library ``` echo 1 >> dbsync.dll ``` 6. Start `wazuh-agent` and check `ossec.log` file for the critical log 🟢 ``` 2023/01/05 08:57:52 wazuh-agent: INFO: Trust verification of a module failed by using the signature method. No signature found for 'C:\Program Files (x86)\ossec-agent\dbsync.dll'. 2023/01/05 08:57:52 wazuh-agent: INFO: Trust verification of a module failed by using the hash method. CryptCATAdminCalcHashFromFileHandle failed trying to calculate hash with error 2147942593 for 'C:\Program Files (x86)\ossec-agent\dbsync.dll': %1 is not a valid Win32 application. 2023/01/05 08:57:52 wazuh-agent: CRITICAL: The file 'C:\Program Files (x86)\ossec-agent\dbsync.dll' is not signed or its signature is invalid. ``` Agent stopped :green_circle: ![image](https://user-images.githubusercontent.com/26927338/210775563-4ad3ef3e-ddc3-4b04-a8cc-2d03f76d4a29.png)

Windows 2012 🟢
### Upgrade
Upgrade from 4.3.10 to core-branch signed package
1. Before upgrading - Check DLL signature ``` Get-AuthenticodeSignature *.dll ``` ``` SignerCertificate Status Path ----------------- ------ ---- NotSigned dbsync.dll NotSigned libgcc_s_sjlj-1.dll NotSigned libwazuhext.dll NotSigned libwazuhshared.dll NotSigned libwinpthread-1.dll NotSigned rsync.dll NotSigned syscollector.dll NotSigned sysinfo.dll ``` - Check `dbsync.dll` hash ``` certutil.exe -hashfile .\dbsync.dll ``` ``` SHA-1 hash of file .\dbsync.dll: 4c 37 79 3f d4 8f 0a 74 46 5d a7 5a 8f 9b eb fd 9a 3c 97 a4 SHA256 hash of file .\dbsync.dll: fa 1c 0f 6a 3e 71 c8 65 39 79 66 29 ea ec fc 79 84 5b bb 98 4c f1 5a c6 40 2c c6 70 ac b0 30 c2 ``` 2. Upgrade from `wazuh-agent v4.3.10` to `wazuh-agent v4.4.0` package :green_circle: 3. Check `ossec.log` file for error, warning and critical logs :green_circle: ``` No error, warning, nor critical were found. Agent still running. ``` 4. Check DLL signature :green_circle: ``` SignerCertificate Status Path ----------------- ------ ---- 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid dbsync.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libgcc_s_dw2-1.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libstdc++-6.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwazuhext.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwazuhshared.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwinpthread-1.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid rsync.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid syscollector.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid sysinfo.dll ``` 5. Check `dbsync.dll` hash :green_circle: ``` SHA-1 hash of file .\dbsync.dll: 2e 14 5a 1b 90 6b 9f 21 6c 9a 92 dd 64 e3 17 82 57 4c 04 63 SHA256 hash of file .\dbsync.dll: fe 74 b7 b5 ed e5 cd 26 82 23 fd fb 6b 4a 63 95 c8 b7 06 cf cd e9 68 1a 65 73 cd c8 4f 72 b6 08 ``` 6. Stop `wazuh-agent` and modify DLL library ``` echo 1 >> dbsync.dll ``` 7. Start `wazuh-agent` and check `ossec.log` file the critical log 🟢 ``` 2023/01/05 13:15:40 wazuh-agent: INFO: Trust verification of a module failed by using the signature method. No signature found for 'C:\Program Files (x86)\ossec-agent\dbsync.dll'. 2023/01/05 13:15:40 wazuh-agent: INFO: Trust verification of a module failed by using the hash method. CryptCATAdminCalcHashFromFileHandle failed trying to calculate hash with error 2147942593 for 'C:\Program Files (x86)\ossec-agent\dbsync.dll': %1 is not a valid Win32 application. 2023/01/05 13:15:40 wazuh-agent: CRITICAL: The file 'C:\Program Files (x86)\ossec-agent\dbsync.dll' is not signed or its signature is invalid. ``` Agent stopped: 🟢 ![image](https://user-images.githubusercontent.com/26927338/210788846-5de8c3fa-deab-425e-8e96-6a017c73035e.png)
### Fresh install
Fresh install core-branch signed package
1. Install `wazuh-agent v4.4.0` package :green_circle: 2. Check `ossec.log` file for error, warning and critical logs :green_circle: ``` No error, warning, nor critical were found. ``` 3. Check DLL signature :green_circle: ``` SignerCertificate Status Path ----------------- ------ ---- 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid dbsync.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libgcc_s_dw2-1.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libstdc++-6.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwazuhext.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwazuhshared.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwinpthread-1.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid rsync.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid syscollector.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid sysinfo.dll ``` 4. Check `dbsync.dll` hash :green_circle: ``` SHA-1 hash of file .\dbsync.dll: 2e 14 5a 1b 90 6b 9f 21 6c 9a 92 dd 64 e3 17 82 57 4c 04 63 SHA256 hash of file .\dbsync.dll: fe 74 b7 b5 ed e5 cd 26 82 23 fd fb 6b 4a 63 95 c8 b7 06 cf cd e9 68 1a 65 73 cd c8 4f 72 b6 08 ``` 5. Modify DLL library ``` echo 1 >> dbsync.dll ``` 6. Start `wazuh-agent` and check `ossec.log` file for the critical log 🟢 ``` 2023/01/05 13:04:56 wazuh-agent: INFO: Trust verification of a module failed by using the signature method. No signature found for 'C:\Program Files (x86)\ossec-agent\dbsync.dll'. 2023/01/05 13:04:56 wazuh-agent: INFO: Trust verification of a module failed by using the hash method. CryptCATAdminCalcHashFromFileHandle failed trying to calculate hash with error 2147942593 for 'C:\Program Files (x86)\ossec-agent\dbsync.dll': %1 is not a valid Win32 application. 2023/01/05 13:04:56 wazuh-agent: CRITICAL: The file 'C:\Program Files (x86)\ossec-agent\dbsync.dll' is not signed or its signature is invalid. ``` Agent stopped :green_circle: ![image](https://user-images.githubusercontent.com/26927338/210787815-bb6a2717-4959-464a-aa2a-82e028dc70f7.png)

Windows 2016 🟢
### Upgrade
Upgrade from 4.3.10 to core-branch signed package
1. Before upgrading - Check DLL signature ``` Get-AuthenticodeSignature *.dll ``` ``` SignerCertificate Status Path ----------------- ------ ---- NotSigned dbsync.dll NotSigned libgcc_s_sjlj-1.dll NotSigned libwazuhext.dll NotSigned libwazuhshared.dll NotSigned libwinpthread-1.dll NotSigned rsync.dll NotSigned syscollector.dll NotSigned sysinfo.dll ``` - Check `dbsync.dll` hash ``` certutil.exe -hashfile .\dbsync.dll ``` ``` SHA-1 hash of file .\dbsync.dll: 4c 37 79 3f d4 8f 0a 74 46 5d a7 5a 8f 9b eb fd 9a 3c 97 a4 SHA256 hash of file .\dbsync.dll: fa 1c 0f 6a 3e 71 c8 65 39 79 66 29 ea ec fc 79 84 5b bb 98 4c f1 5a c6 40 2c c6 70 ac b0 30 c2 ``` 2. Upgrade from `wazuh-agent v4.3.10` to `wazuh-agent v4.4.0` package :green_circle: 3. Check `ossec.log` file for error, warning and critical logs :green_circle: ``` No error, warning, nor critical were found. Agent still running. ``` 4. Check DLL signature :green_circle: ``` SignerCertificate Status Path ----------------- ------ ---- 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid dbsync.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libgcc_s_dw2-1.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libstdc++-6.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwazuhext.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwazuhshared.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwinpthread-1.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid rsync.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid syscollector.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid sysinfo.dll ``` 5. Check `dbsync.dll` hash :green_circle: ``` SHA-1 hash of file .\dbsync.dll: 2e 14 5a 1b 90 6b 9f 21 6c 9a 92 dd 64 e3 17 82 57 4c 04 63 SHA256 hash of file .\dbsync.dll: fe 74 b7 b5 ed e5 cd 26 82 23 fd fb 6b 4a 63 95 c8 b7 06 cf cd e9 68 1a 65 73 cd c8 4f 72 b6 08 ``` 6. Stop `wazuh-agent` and modify DLL library ``` echo 1 >> dbsync.dll ``` 7. Start `wazuh-agent` and check `ossec.log` file the critical log 🟢 ``` 2023/01/05 14:42:04 wazuh-agent: INFO: Trust verification of a module failed by using the signature method. No signature found for 'C:\Program Files (x86)\ossec-agent\dbsync.dll'. 2023/01/05 14:42:04 wazuh-agent: INFO: Trust verification of a module failed by using the hash method. CryptCATAdminCalcHashFromFileHandle failed trying to calculate hash with error 2147942593 for 'C:\Program Files (x86)\ossec-agent\dbsync.dll': %1 is not a valid Win32 application. 2023/01/05 14:42:04 wazuh-agent: CRITICAL: The file 'C:\Program Files (x86)\ossec-agent\dbsync.dll' is not signed or its signature is invalid. ``` Agent stopped: 🟢 ![image](https://user-images.githubusercontent.com/26927338/210806437-187eb8bd-58df-435d-a806-72607a963bb1.png)
### Fresh install
Fresh install core-branch signed package
1. Install `wazuh-agent v4.4.0` package :green_circle: 2. Check `ossec.log` file for error, warning and critical logs :green_circle: ``` No error, warning, nor critical were found. ``` 3. Check DLL signature :green_circle: ``` SignerCertificate Status Path ----------------- ------ ---- 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid dbsync.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libgcc_s_dw2-1.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libstdc++-6.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwazuhext.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwazuhshared.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwinpthread-1.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid rsync.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid syscollector.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid sysinfo.dll ``` 4. Check `dbsync.dll` hash :green_circle: ``` SHA-1 hash of file .\dbsync.dll: 2e 14 5a 1b 90 6b 9f 21 6c 9a 92 dd 64 e3 17 82 57 4c 04 63 SHA256 hash of file .\dbsync.dll: fe 74 b7 b5 ed e5 cd 26 82 23 fd fb 6b 4a 63 95 c8 b7 06 cf cd e9 68 1a 65 73 cd c8 4f 72 b6 08 ``` 5. Modify DLL library ``` echo 1 >> dbsync.dll ``` 6. Start `wazuh-agent` and check `ossec.log` file for the critical log 🟢 ``` 2023/01/05 14:55:53 wazuh-agent: INFO: Trust verification of a module failed by using the signature method. No signature found for 'C:\Program Files (x86)\ossec-agent\dbsync.dll'. 2023/01/05 14:55:53 wazuh-agent: INFO: Trust verification of a module failed by using the hash method. CryptCATAdminCalcHashFromFileHandle failed trying to calculate hash with error 2147942593 for 'C:\Program Files (x86)\ossec-agent\dbsync.dll': %1 is not a valid Win32 application. 2023/01/05 14:55:53 wazuh-agent: CRITICAL: The file 'C:\Program Files (x86)\ossec-agent\dbsync.dll' is not signed or its signature is invalid. ``` Agent stopped :green_circle: ![image](https://user-images.githubusercontent.com/26927338/210809770-601bd5a0-cf56-4edb-a238-088beae4a26f.png)

Windows 2019 🟢
### Upgrade
Upgrade from 4.3.10 to core-branch signed package
1. Before upgrading - Check DLL signature ``` Get-AuthenticodeSignature *.dll ``` ``` SignerCertificate Status Path ----------------- ------ ---- NotSigned dbsync.dll NotSigned libgcc_s_sjlj-1.dll NotSigned libwazuhext.dll NotSigned libwazuhshared.dll NotSigned libwinpthread-1.dll NotSigned rsync.dll NotSigned syscollector.dll NotSigned sysinfo.dll ``` - Check `dbsync.dll` hash ``` certutil.exe -hashfile .\dbsync.dll ``` ``` SHA-1 hash of file .\dbsync.dll: 4c 37 79 3f d4 8f 0a 74 46 5d a7 5a 8f 9b eb fd 9a 3c 97 a4 SHA256 hash of file .\dbsync.dll: fa 1c 0f 6a 3e 71 c8 65 39 79 66 29 ea ec fc 79 84 5b bb 98 4c f1 5a c6 40 2c c6 70 ac b0 30 c2 ``` 2. Upgrade from `wazuh-agent v4.3.10` to `wazuh-agent v4.4.0` package :green_circle: 3. Check `ossec.log` file for error, warning and critical logs :green_circle: ``` No error, warning, nor critical were found. Agent still running. ``` 4. Check DLL signature :green_circle: ``` SignerCertificate Status Path ----------------- ------ ---- 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid dbsync.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libgcc_s_dw2-1.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libstdc++-6.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwazuhext.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwazuhshared.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwinpthread-1.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid rsync.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid syscollector.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid sysinfo.dll ``` 5. Check `dbsync.dll` hash :green_circle: ``` SHA-1 hash of file .\dbsync.dll: 2e 14 5a 1b 90 6b 9f 21 6c 9a 92 dd 64 e3 17 82 57 4c 04 63 SHA256 hash of file .\dbsync.dll: fe 74 b7 b5 ed e5 cd 26 82 23 fd fb 6b 4a 63 95 c8 b7 06 cf cd e9 68 1a 65 73 cd c8 4f 72 b6 08 ``` 6. Stop `wazuh-agent` and modify DLL library ``` echo 1 >> dbsync.dll ``` 7. Start `wazuh-agent` and check `ossec.log` file the critical log 🟢 ``` 2023/01/05 15:34:49 wazuh-agent: INFO: Trust verification of a module failed by using the signature method. No signature found for 'C:\Program Files (x86)\ossec-agent\dbsync.dll'. 2023/01/05 15:34:49 wazuh-agent: INFO: Trust verification of a module failed by using the hash method. CryptCATAdminCalcHashFromFileHandle failed trying to calculate hash with error 2147942593 for 'C:\Program Files (x86)\ossec-agent\dbsync.dll': %1 is not a valid Win32 application. 2023/01/05 15:34:49 wazuh-agent: CRITICAL: The file 'C:\Program Files (x86)\ossec-agent\dbsync.dll' is not signed or its signature is invalid. 2023/01/05 15:34:49 wazuh-agent: INFO: Received exit signal. Starting exit process. ``` Agent stopped: 🟢 ![image](https://user-images.githubusercontent.com/26927338/210819540-fb04e212-f0d3-49b4-b07c-67c3361b3875.png)
### Fresh install
Fresh install core-branch signed package
1. Install `wazuh-agent v4.4.0` package :green_circle: 2. Check `ossec.log` file for error, warning and critical logs :green_circle: ``` No error, warning, nor critical were found. ``` 3. Check DLL signature :green_circle: ``` SignerCertificate Status Path ----------------- ------ ---- 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid dbsync.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libgcc_s_dw2-1.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libstdc++-6.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwazuhext.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwazuhshared.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwinpthread-1.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid rsync.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid syscollector.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid sysinfo.dll ``` 4. Check `dbsync.dll` hash :green_circle: ``` SHA-1 hash of file .\dbsync.dll: 2e 14 5a 1b 90 6b 9f 21 6c 9a 92 dd 64 e3 17 82 57 4c 04 63 SHA256 hash of file .\dbsync.dll: fe 74 b7 b5 ed e5 cd 26 82 23 fd fb 6b 4a 63 95 c8 b7 06 cf cd e9 68 1a 65 73 cd c8 4f 72 b6 08 ``` 5. Modify DLL library ``` echo 1 >> dbsync.dll ``` 6. Start `wazuh-agent` and check `ossec.log` file for the critical log 🟢 ``` 2023/01/05 15:39:17 wazuh-agent: INFO: Trust verification of a module failed by using the signature method. No signature found for 'C:\Program Files (x86)\ossec-agent\dbsync.dll'. 2023/01/05 15:39:17 wazuh-agent: INFO: Trust verification of a module failed by using the hash method. CryptCATAdminCalcHashFromFileHandle failed trying to calculate hash with error 2147942593 for 'C:\Program Files (x86)\ossec-agent\dbsync.dll': %1 is not a valid Win32 application. 2023/01/05 15:39:17 wazuh-agent: CRITICAL: The file 'C:\Program Files (x86)\ossec-agent\dbsync.dll' is not signed or its signature is invalid. ``` Agent stopped :green_circle: ![image](https://user-images.githubusercontent.com/26927338/210820755-b52eaa8a-4009-4cd1-bdbc-f5f10f28757c.png)

Windows 2022 🟢
### Upgrade
Upgrade from 4.3.10 to core-branch signed package
1. Before upgrading - Check DLL signature ``` Get-AuthenticodeSignature *.dll ``` ``` SignerCertificate Status Path ----------------- ------ ---- NotSigned dbsync.dll NotSigned libgcc_s_sjlj-1.dll NotSigned libwazuhext.dll NotSigned libwazuhshared.dll NotSigned libwinpthread-1.dll NotSigned rsync.dll NotSigned syscollector.dll NotSigned sysinfo.dll ``` - Check `dbsync.dll` hash ``` certutil.exe -hashfile .\dbsync.dll ``` ``` SHA-1 hash of file .\dbsync.dll: 4c 37 79 3f d4 8f 0a 74 46 5d a7 5a 8f 9b eb fd 9a 3c 97 a4 SHA256 hash of file .\dbsync.dll: fa 1c 0f 6a 3e 71 c8 65 39 79 66 29 ea ec fc 79 84 5b bb 98 4c f1 5a c6 40 2c c6 70 ac b0 30 c2 ``` 2. Upgrade from `wazuh-agent v4.3.10` to `wazuh-agent v4.4.0` package :green_circle: 3. Check `ossec.log` file for error, warning and critical logs :green_circle: ``` No error, warning, nor critical were found. Agent still running. ``` 4. Check DLL signature :green_circle: ``` SignerCertificate Status Path ----------------- ------ ---- 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid dbsync.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libgcc_s_dw2-1.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libstdc++-6.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwazuhext.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwazuhshared.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwinpthread-1.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid rsync.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid syscollector.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid sysinfo.dll ``` 5. Check `dbsync.dll` hash :green_circle: ``` SHA-1 hash of file .\dbsync.dll: 2e 14 5a 1b 90 6b 9f 21 6c 9a 92 dd 64 e3 17 82 57 4c 04 63 SHA256 hash of file .\dbsync.dll: fe 74 b7 b5 ed e5 cd 26 82 23 fd fb 6b 4a 63 95 c8 b7 06 cf cd e9 68 1a 65 73 cd c8 4f 72 b6 08 ``` 6. Stop `wazuh-agent` and modify DLL library ``` echo 1 >> dbsync.dll ``` 7. Start `wazuh-agent` and check `ossec.log` file the critical log 🟢 ``` 2023/01/05 17:17:09 wazuh-agent: INFO: Trust verification of a module failed by using the signature method. No signature found for 'C:\Program Files (x86)\ossec-agent\dbsync.dll'. 2023/01/05 17:17:09 wazuh-agent: INFO: Trust verification of a module failed by using the hash method. CryptCATAdminCalcHashFromFileHandle failed trying to calculate hash with error 2147942593 for 'C:\Program Files (x86)\ossec-agent\dbsync.dll': %1 is not a valid Win32 application. 2023/01/05 17:17:09 wazuh-agent: CRITICAL: The file 'C:\Program Files (x86)\ossec-agent\dbsync.dll' is not signed or its signature is invalid. ``` Agent stopped: 🟢 ![image](https://user-images.githubusercontent.com/26927338/210841724-c01d0bcd-bf68-4ed3-894a-3b3f1f21b7b6.png)
### Fresh install
Fresh install core-branch signed package
1. Install `wazuh-agent v4.4.0` package :green_circle: 2. Check `ossec.log` file for error, warning and critical logs :green_circle: ``` No error, warning, nor critical were found. ``` 3. Check DLL signature :green_circle: ``` SignerCertificate Status Path ----------------- ------ ---- 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid dbsync.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libgcc_s_dw2-1.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libstdc++-6.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwazuhext.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwazuhshared.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwinpthread-1.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid rsync.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid syscollector.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid sysinfo.dll ``` 4. Check `dbsync.dll` hash :green_circle: ``` SHA-1 hash of file .\dbsync.dll: 2e 14 5a 1b 90 6b 9f 21 6c 9a 92 dd 64 e3 17 82 57 4c 04 63 SHA256 hash of file .\dbsync.dll: fe 74 b7 b5 ed e5 cd 26 82 23 fd fb 6b 4a 63 95 c8 b7 06 cf cd e9 68 1a 65 73 cd c8 4f 72 b6 08 ``` 5. Modify DLL library ``` echo 1 >> dbsync.dll ``` 6. Start `wazuh-agent` and check `ossec.log` file for the critical log 🟢 ``` 2023/01/05 17:23:27 wazuh-agent: INFO: Trust verification of a module failed by using the signature method. No signature found for 'C:\Program Files (x86)\ossec-agent\dbsync.dll'. 2023/01/05 17:23:27 wazuh-agent: INFO: Trust verification of a module failed by using the hash method. CryptCATAdminCalcHashFromFileHandle failed trying to calculate hash with error 2147942593 for 'C:\Program Files (x86)\ossec-agent\dbsync.dll': %1 is not a valid Win32 application. 2023/01/05 17:23:27 wazuh-agent: CRITICAL: The file 'C:\Program Files (x86)\ossec-agent\dbsync.dll' is not signed or its signature is invalid. 2023/01/05 17:23:27 wazuh-agent: INFO: Received exit signal. Starting exit process. ``` Agent stopped :green_circle: ![image](https://user-images.githubusercontent.com/26927338/210842774-85c6faaa-1443-46e7-aa2c-85194b5f6950.png)

Windows 11 🟢
### Upgrade
Upgrade from 4.3.10 to core-branch signed package
1. Before upgrading - Check DLL signature ``` Get-AuthenticodeSignature *.dll ``` ``` SignerCertificate Status Path ----------------- ------ ---- NotSigned dbsync.dll NotSigned libgcc_s_sjlj-1.dll NotSigned libwazuhext.dll NotSigned libwazuhshared.dll NotSigned libwinpthread-1.dll NotSigned rsync.dll NotSigned syscollector.dll NotSigned sysinfo.dll ``` - Check `dbsync.dll` hash ``` certutil.exe -hashfile .\dbsync.dll ``` ``` SHA-1 hash of file .\dbsync.dll: 4c 37 79 3f d4 8f 0a 74 46 5d a7 5a 8f 9b eb fd 9a 3c 97 a4 SHA256 hash of file .\dbsync.dll: fa 1c 0f 6a 3e 71 c8 65 39 79 66 29 ea ec fc 79 84 5b bb 98 4c f1 5a c6 40 2c c6 70 ac b0 30 c2 ``` 2. Upgrade from `wazuh-agent v4.3.10` to `wazuh-agent v4.4.0` package :green_circle: 3. Check `ossec.log` file for error, warning and critical logs :green_circle: ``` No error, warning, nor critical were found. Agent still running. ``` 4. Check DLL signature :green_circle: ``` SignerCertificate Status Path ----------------- ------ ---- 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid dbsync.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libgcc_s_dw2-1.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libstdc++-6.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwazuhext.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwazuhshared.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwinpthread-1.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid rsync.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid syscollector.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid sysinfo.dll ``` 5. Check `dbsync.dll` hash :green_circle: ``` SHA-1 hash of file .\dbsync.dll: 2e 14 5a 1b 90 6b 9f 21 6c 9a 92 dd 64 e3 17 82 57 4c 04 63 SHA256 hash of file .\dbsync.dll: fe 74 b7 b5 ed e5 cd 26 82 23 fd fb 6b 4a 63 95 c8 b7 06 cf cd e9 68 1a 65 73 cd c8 4f 72 b6 08 ``` 6. Stop `wazuh-agent` and modify DLL library ``` echo 1 >> dbsync.dll ``` 7. Start `wazuh-agent` and check `ossec.log` file the critical log 🟢 ``` 2023/01/05 11:55:21 wazuh-agent: INFO: Trust verification of a module failed by using the signature method. No signature found for 'C:\Program Files (x86)\ossec-agent\dbsync.dll'. 2023/01/05 11:55:21 wazuh-agent: INFO: Trust verification of a module failed by using the hash method. CryptCATAdminCalcHashFromFileHandle failed trying to calculate hash with error 2147942593 for 'C:\Program Files (x86)\ossec-agent\dbsync.dll': %1 is not a valid Win32 application. 2023/01/05 11:55:21 wazuh-agent: CRITICAL: The file 'C:\Program Files (x86)\ossec-agent\dbsync.dll' is not signed or its signature is invalid. ``` Agent stopped 🟢 ![windows 11 package 2 updrade stopped](https://user-images.githubusercontent.com/26927338/211034020-e76b9024-f03d-4fea-86af-9e838ab295af.png)
### Fresh install
Fresh install core-branch signed package
1. Install `wazuh-agent v4.4.0` package :green_circle: 2. Check `ossec.log` file for error, warning and critical logs :green_circle: ``` No error, warning, nor critical were found. ``` 3. Check DLL signature :green_circle: ``` SignerCertificate Status Path ----------------- ------ ---- 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid dbsync.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libgcc_s_dw2-1.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libstdc++-6.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwazuhext.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwazuhshared.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwinpthread-1.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid rsync.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid syscollector.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid sysinfo.dll ``` 4. Check `dbsync.dll` hash :green_circle: ``` SHA-1 hash of file .\dbsync.dll: 2e 14 5a 1b 90 6b 9f 21 6c 9a 92 dd 64 e3 17 82 57 4c 04 63 SHA256 hash of file .\dbsync.dll: fe 74 b7 b5 ed e5 cd 26 82 23 fd fb 6b 4a 63 95 c8 b7 06 cf cd e9 68 1a 65 73 cd c8 4f 72 b6 08 ``` 5. Modify DLL library ``` echo 1 >> dbsync.dll ``` 6. Start `wazuh-agent` and check `ossec.log` file for the critical log 🟢 ``` 2023/01/05 11:43:50 wazuh-agent: INFO: Trust verification of a module failed by using the signature method. No signature found for 'C:\Program Files (x86)\ossec-agent\dbsync.dll'. 2023/01/05 11:43:50 wazuh-agent: INFO: Trust verification of a module failed by using the hash method. CryptCATAdminCalcHashFromFileHandle failed trying to calculate hash with error 2147942593 for 'C:\Program Files (x86)\ossec-agent\dbsync.dll': %1 is not a valid Win32 application. 2023/01/05 11:43:50 wazuh-agent: CRITICAL: The file 'C:\Program Files (x86)\ossec-agent\dbsync.dll' is not signed or its signature is invalid. ``` Agent stopped :green_circle:

Windows 2008 🟢
### Upgrade
Upgrade from 4.3.10 to core-branch signed package
1. Before upgrading - Check DLL signature ``` Get-AuthenticodeSignature *.dll ``` ``` SignerCertificate Status Path ----------------- ------ ---- NotSigned dbsync.dll NotSigned libgcc_s_sjlj-1.dll NotSigned libwazuhext.dll NotSigned libwazuhshared.dll NotSigned libwinpthread-1.dll NotSigned rsync.dll NotSigned syscollector.dll NotSigned sysinfo.dll ``` - Check `dbsync.dll` hash ``` certutil.exe -hashfile .\dbsync.dll ``` ``` SHA-1 hash of file .\dbsync.dll: 4c 37 79 3f d4 8f 0a 74 46 5d a7 5a 8f 9b eb fd 9a 3c 97 a4 SHA256 hash of file .\dbsync.dll: fa 1c 0f 6a 3e 71 c8 65 39 79 66 29 ea ec fc 79 84 5b bb 98 4c f1 5a c6 40 2c c6 70 ac b0 30 c2 ``` 2. Upgrade from `wazuh-agent v4.3.10` to `wazuh-agent v4.4.0` package :green_circle: 3. Check `ossec.log` file for error, warning and critical logs :green_circle: ``` No error, warning, nor critical were found. Agent still running. ``` 4. Check DLL signature :green_circle: ``` SignerCertificate Status Path ----------------- ------ ---- 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid dbsync.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libgcc_s_dw2-1.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libstdc++-6.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwazuhext.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwazuhshared.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwinpthread-1.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid rsync.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid syscollector.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid sysinfo.dll ``` 5. Check `dbsync.dll` hash :green_circle: ``` SHA-1 hash of file .\dbsync.dll: 2e 14 5a 1b 90 6b 9f 21 6c 9a 92 dd 64 e3 17 82 57 4c 04 63 SHA256 hash of file .\dbsync.dll: fe 74 b7 b5 ed e5 cd 26 82 23 fd fb 6b 4a 63 95 c8 b7 06 cf cd e9 68 1a 65 73 cd c8 4f 72 b6 08 ``` 6. Stop `wazuh-agent` and modify DLL library ``` echo 1 >> dbsync.dll ``` 7. Start `wazuh-agent` and check `ossec.log` file the critical log 🟢 ``` 2023/01/06 16:03:11 wazuh-agent: INFO: Trust verification of a module failed by using the signature method. The file 'C:\Program Files (x86)\ossec-agent\dbsync.dll' or its signature is corrupt. 2023/01/06 16:03:11 wazuh-agent: INFO: Trust verification of a module failed by using the hash method. CryptCATAdminEnumCatalogFromHash failed with error 1168 for 'C:\Program Files (x86)\ossec-agent\dbsync.dll': Element not found. 2023/01/06 16:03:11 wazuh-agent: CRITICAL: The file 'C:\Program Files (x86)\ossec-agent\dbsync.dll' is not signed or its signature is invalid. ``` Agent stopped 🟢 ![image](https://user-images.githubusercontent.com/26927338/211050594-041a4042-43a4-40f2-bdfb-b58ca952d060.png)
### Fresh install
Fresh install core-branch signed package
1. Install `wazuh-agent v4.4.0` package :green_circle: 2. Check `ossec.log` file for error, warning and critical logs :green_circle: ``` No error, warning, nor critical were found. ``` 3. Check DLL signature :green_circle: ``` SignerCertificate Status Path ----------------- ------ ---- 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid dbsync.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libgcc_s_dw2-1.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libstdc++-6.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwazuhext.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwazuhshared.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwinpthread-1.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid rsync.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid syscollector.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid sysinfo.dll ``` 4. Check `dbsync.dll` hash :green_circle: ``` SHA-1 hash of file .\dbsync.dll: 2e 14 5a 1b 90 6b 9f 21 6c 9a 92 dd 64 e3 17 82 57 4c 04 63 SHA256 hash of file .\dbsync.dll: fe 74 b7 b5 ed e5 cd 26 82 23 fd fb 6b 4a 63 95 c8 b7 06 cf cd e9 68 1a 65 73 cd c8 4f 72 b6 08 ``` 5. Modify DLL library ``` echo 1 >> dbsync.dll ``` 6. Start `wazuh-agent` and check `ossec.log` file for the critical log 🟢 ``` 2023/01/06 16:10:37 wazuh-agent: INFO: Trust verification of a module failed by using the signature method. The file 'C:\Program Files (x86)\ossec-agent\dbsync.dll' or its signature is corrupt. 2023/01/06 16:10:37 wazuh-agent: INFO: Trust verification of a module failed by using the hash method. CryptCATAdminEnumCatalogFromHash failed with error 1168 for 'C:\Program Files (x86)\ossec-agent\dbsync.dll': Element not found. 2023/01/06 16:10:37 wazuh-agent: CRITICAL: The file 'C:\Program Files (x86)\ossec-agent\dbsync.dll' is not signed or its signature is invalid. ``` Agent stopped :green_circle: ![image](https://user-images.githubusercontent.com/26927338/211051880-571b7c96-3095-4d22-aa46-aea3e06f39c9.png) 7. Delete the change in dbsync.dll 10. Start wazuh 🟢

Update 03/01/2023

Generated package with flag IMAGE_TRUST_CHECK=2
Tested in Windows XP with IMAGE_TRUST_CHECK=2 and IMAGE_TRUST_CHECK=1
Tested in Windows Vista with IMAGE_TRUST_CHECK=2 and IMAGE_TRUST_CHECK=1
Tested in WIndows 7 with IMAGE_TRUST_CHECK=2 and IMAGE_TRUST_CHECK=1

Update 04/01/2023

Tested in Windows 2003 with IMAGE_TRUST_CHECK=2 and IMAGE_TRUST_CHECK=1
Tested in Windows 8 with IMAGE_TRUST_CHECK=2 and IMAGE_TRUST_CHECK=1
Tested in Windows 10 with IMAGE_TRUST_CHECK=1
Tested Windows XP and Windows Server 2003 with flag = 2 and installed the certificate but the Wazuh agent does not start

Update 05/01/2023

Tested in Windows 2012 with IMAGE_TRUST_CHECK=2 and IMAGE_TRUST_CHECK=1
Tested in Windows 2016 with IMAGE_TRUST_CHECK=2 and IMAGE_TRUST_CHECK=1
Tested in Windows 2019 with IMAGE_TRUST_CHECK=2 and IMAGE_TRUST_CHECK=1
Tested in Windows 2022 with IMAGE_TRUST_CHECK=2 and IMAGE_TRUST_CHECK=1
Tested in Windows 10 with IMAGE_TRUST_CHECK=2
Downloading windows 11 box

Update 06/01/2023

Tested in Windows 11 with IMAGE_TRUST_CHECK=2 and IMAGE_TRUST_CHECK=1
Tested in Windows 2008 with IMAGE_TRUST_CHECK=2 and IMAGE_TRUST_CHECK=1
Search for VM windows 2008

Update 09/01/2023

Tested Windows XP and Windows Server 2003 with new package

New testing results

Package with IMAGE_TRUST_CHECK=2

Windows XP 🟡

### Upgrade

Upgrade from 4.3.10 to core-branch signed package

1. Before upgrading - Check DLL signature 🟢 ``` Start → Programs → Accessories → System Tools → System Information → Tools menu → File Signature Verification Utility ``` ![image](https://user-images.githubusercontent.com/26927338/210415591-142b11b7-05d2-42cb-b047-431b7c152849.png) 2. Upgrade from `wazuh-agent v4.3.10` to `wazuh-agent v4.4.0` package 🟢 3. Check `ossec.log` file for the critical log 🟡 ``` 2023/01/09 18:12:59 wazuh-agent: CRITICAL: The dynamic signature validation is not available because the CA name is not available. ``` **The log should show the certificate name** Agent stopped 🟢 4. Install the certificate DigiCert High Assurance EV Root CA https://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt): - Go to Start - Search for MMC - Select the Snap-in 'Certificates' - Select 'Add' - Select 'Computer account' and click 'Next' - Select 'Local computer' then click 'Finish' - Close the Snap-in screen by clicking 'OK' at the bottom right of the screen - Expand the 'Trusted Root Certification Authorities' followed by 'Certificates' - Right click on the intended certification store –> 'All Tasks' –> 'Import...' - Click 'Next' –> (select DigiCert High Assurance EV Root CA) -> 'Next' -> 'Finish' 5. Check ossec.log 🟢 ``` 2023/01/09 13:28:27 wazuh-agent: CRITICAL: The dynamic signature validation is not available for this system. Error 127: The specified procedure could not be found. ```

### Fresh install

Fresh install core-branch package

1. Install `wazuh-agent v4.4.0` package 🟢 2. Check `ossec.log` file for the critical log 🟡 ``` 2023/01/09 14:16:36 wazuh-agent: CRITICAL: The dynamic signature validation is not available because the CA name is not available. ``` **The log should show the certificate name** Agent stopped 🟢 4. Install the certificate DigiCert High Assurance EV Root CA https://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt): 5. Check ossec.log 🟢 ``` 2023/01/09 14:18:07 wazuh-agent: CRITICAL: The dynamic signature validation is not available for this system. Error 127: The specified procedure could not be found. ```

Windows 2003 🔴
### Upgrade
Upgrade from 4.3.10 to core-branch signed package
1. Before upgrading - Check DLL signature 🟢 ``` Start → Programs → Accessories → System Tools → System Information → Tools menu → File Signature Verification Utility ``` ![image](https://user-images.githubusercontent.com/26927338/210415591-142b11b7-05d2-42cb-b047-431b7c152849.png) 2. Upgrade from `wazuh-agent v4.3.10` to `wazuh-agent v4.4.0` package 🟢 3. Check `ossec.log` file for the critical log ``` 2023/01/09 10:15:31 wazuh-agent: CRITICAL: The dynamic signature validation is not available because the CA name is not available. ``` **The log should show the certificate name** Agent stopped 🟢 4. Install the certificate DigiCert High Assurance EV Root CA https://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt): 5. Check ossec.log 🔴 ``` 2023/01/09 10:17:54 wazuh-agent: INFO: Trust verification of a module failed by using the signature method. The signature of the certificate can not be verified for file 'C:\Program Files (x86)\ossec-agent\wazuh-agent.exe'. 2023/01/09 10:17:54 wazuh-agent: INFO: Trust verification of a module failed by using the hash method. CryptCATAdminEnumCatalogFromHash failed with error 1168 for 'C:\Program Files (x86)\ossec-agent\wazuh-agent.exe': Element not found. 2023/01/09 10:17:54 wazuh-agent: CRITICAL: The file 'C:\Program Files (x86)\ossec-agent\wazuh-agent.exe' is not signed or its signature is invalid. ```
### Fresh install
Fresh install core-branch package
1. Install `wazuh-agent v4.4.0` package 🟢 2. Check `ossec.log` file for the critical log ``` 2023/01/09 07:12:10 wazuh-agent: CRITICAL: The dynamic signature validation is not available because the CA name is not available. ``` **The log should show the certificate name** Agent stopped 🟢 4. Install the certificate DigiCert High Assurance EV Root CA https://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt): 5. Check ossec.log 🔴 ``` 2023/01/09 07:05:47 wazuh-agent: INFO: Trust verification of a module failed by using the signature method. The signature of the certificate can not be verified for file 'C:\Program Files (x86)\ossec-agent\wazuh-agent.exe'. 2023/01/09 07:05:47 wazuh-agent: INFO: Trust verification of a module failed by using the hash method. CryptCATAdminEnumCatalogFromHash failed with error 1168 for 'C:\Program Files (x86)\ossec-agent\wazuh-agent.exe': Element not found. 2023/01/09 07:05:47 wazuh-agent: CRITICAL: The file 'C:\Program Files (x86)\ossec-agent\wazuh-agent.exe' is not signed or its signature is invalid. ```

Package with IMAGE_TRUST_CHECK=1

Windows 2003 🟡
### Upgrade
Upgrade from 4.3.10 to core-branch signed package
1. Before upgrading - Check DLL signature 🟢 ``` Start → Programs → Accessories → System Tools → System Information → Tools menu → File Signature Verification Utility ``` ![image](https://user-images.githubusercontent.com/26927338/210415591-142b11b7-05d2-42cb-b047-431b7c152849.png) 2. Upgrade from `wazuh-agent v4.3.10` to `wazuh-agent v4.4.0` package 🟢 3. Check `ossec.log` file for the Warning log 🟡 ``` 2023/01/09 08:13:40 wazuh-agent: WARNING: The dynamic signature validation is not available because the CA name is not available. ``` **The log should show the certificate name** Agent running🟢 4. Install the certificate DigiCert High Assurance EV Root CA https://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt): 5. Check ossec.log 🟢 ``` 2023/01/09 08:15:52 wazuh-agent: WARNING: The dynamic signature validation is not available for this system. Error 127: The specified procedure could not be found. ```
### Fresh install
Fresh install core-branch package
1. Install `wazuh-agent v4.4.0` package 🟢 2. Check `ossec.log` file for the warning log ``` 2023/01/09 08:29:31 wazuh-agent: WARNING: The dynamic signature validation is not available because the CA name is not available. ``` **The log should show the certificate name** Agent running🟢 4. Install the certificate DigiCert High Assurance EV Root CA https://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt): 5. Check ossec.log 🟢 ``` 2023/01/09 08:34:21 wazuh-agent: WARNING: The dynamic signature validation is not available for this system. Error 127: The specified procedure could not be found. ```

Windows XP 🟡
### Upgrade
Upgrade from 4.3.10 to core-branch signed package
1. Before upgrading - Check DLL signature 🟢 ``` Start → Programs → Accessories → System Tools → System Information → Tools menu → File Signature Verification Utility ``` ![image](https://user-images.githubusercontent.com/26927338/210415591-142b11b7-05d2-42cb-b047-431b7c152849.png) 2. Upgrade from `wazuh-agent v4.3.10` to `wazuh-agent v4.4.0` package 🟢 3. Check `ossec.log` file for the warning log 🟡 ``` 2023/01/09 16:01:20 wazuh-agent: CRITICAL: The dynamic signature validation is not available because the CA name is not available. ``` **The log should show the certificate name** Agent running🟢 4. Install the certificate DigiCert High Assurance EV Root CA https://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt): 5. Check ossec.log 🟢 ``` 2023/01/09 16:14:09 wazuh-agent: WARNING: The dynamic signature validation is not available for this system. Error 127: The specified procedure could not be found. ```
### Fresh install
Fresh install core-branch package
1. Install `wazuh-agent v4.4.0` package 🟢 2. Check `ossec.log` file for the warning log 🟡 ``` 2023/01/09 16:21:17 wazuh-agent: WARNING: The dynamic signature validation is not available because the CA name is not available. ``` **The log should show the certificate name** Agent running🟢 4. Install the certificate DigiCert High Assurance EV Root CA https://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt): 5. Check ossec.log 🟢 ``` 2023/01/09 16:24:13 wazuh-agent: WARNING: The dynamic signature validation is not available for this system. Error 127: The specified procedure could not be found. ```

Blocked until Windows 2003 error is analyzed by Core

Windows Server 2003: 1- After install the certificate DigiCert High Assurance EV Root CA (package with IMAGE_TRUST_CHECK=2), the log in ossec.log is wrong:

2023/01/09 10:17:54 wazuh-agent: CRITICAL: The file 'C:\Program Files (x86)\ossec-agent\wazuh-agent.exe' is not signed or 
its signature is invalid.

The log should be:

2023/01/09 13:28:27 wazuh-agent: CRITICAL: The dynamic signature validation is not available for this system. Error 127: The 
specified procedure could not be found.

Hi @BelenValdivia The problem involved in W2003, is that this OS does not support natively SHA256 on this version, and the operating system is not updated (the needed patch have 8 years).

Official patch.

https://catalog.s.download.windowsupdate.com/d/msdownload/update/software/secu/2015/06/windowsserver2003-kb3072630-x64-enu_e4e5d7c372ddb9474fba3947d45a62cad7051a35.exe

New testing results

Package with IMAGE_TRUST_CHECK=2

Windows 2003 🟢

### Upgrade

Upgrade from 4.3.10 to core-branch signed package

1. Before upgrading - Check DLL signature 🟢 ``` Start → Programs → Accessories → System Tools → System Information → Tools menu → File Signature Verification Utility ``` ![image](https://user-images.githubusercontent.com/26927338/212060442-a712a48f-2a87-4ba5-8c4a-074cdf0ddff2.png) 2. Upgrade from `wazuh-agent v4.3.10` to `wazuh-agent v4.4.0` package 🟢 3. Check DLL signature 🟢 ![image](https://user-images.githubusercontent.com/26927338/212061805-2e194855-c4ee-4696-8115-ec1bb0878acd.png) 5. Check `ossec.log` file for the critical log 🟢 ![image](https://user-images.githubusercontent.com/26927338/212120756-597c1009-b30b-4e5e-afe5-d703c868f8e3.png) Agent stopped 🟢 6. Install the certificate DigiCert High Assurance EV Root CA https://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt): - Go to Start - Search for MMC - Select the Snap-in 'Certificates' - Select 'Add' - Select 'Computer account' and click 'Next' - Select 'Local computer' then click 'Finish' - Close the Snap-in screen by clicking 'OK' at the bottom right of the screen - Expand the 'Trusted Root Certification Authorities' followed by 'Certificates' - Right click on the intended certification store –> 'All Tasks' –> 'Import...' - Click 'Next' –> (select DigiCert High Assurance EV Root CA) -> 'Next' -> 'Finish' 7. Check ossec.log 🟢 ``` 2023/01/12 04:07:05 wazuh-agent: CRITICAL: The dynamic signature validation is not available for this system. Error 127: The specified procedure could not be found. 2023/01/12 04:07:05 wazuh-agent: INFO: Received exit signal. Starting exit process. ```

### Fresh install

Fresh install core-branch package

1. Install `wazuh-agent v4.4.0` package 🟢 2. Check `ossec.log` file for the critical log 🟢 ![image](https://user-images.githubusercontent.com/26927338/212121126-7152ba9e-db5a-4463-b12a-cbf2fd0902fc.png) Agent stopped 🟢 4. Install the certificate DigiCert High Assurance EV Root CA https://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt): 5. Check ossec.log 🟢 ``` 2023/01/12 03:38:16 wazuh-agent: CRITICAL: The dynamic signature validation is not available for this system. Error 127: The specified procedure could not be found. 2023/01/12 03:38:16 wazuh-agent: INFO: Received exit signal. Starting exit process. ```

Package with IMAGE_TRUST_CHECK=1

Windows 2003 🟢
### Upgrade
Upgrade from 4.3.10 to core-branch signed package
1. Before upgrading - Check DLL signature 🟢 ``` Start → Programs → Accessories → System Tools → System Information → Tools menu → File Signature Verification Utility ``` ![image](https://user-images.githubusercontent.com/26927338/212064762-5ab9b854-3324-4282-b943-df79749f245b.png) 2. Upgrade from `wazuh-agent v4.3.10` to `wazuh-agent v4.4.0` package 🟢 3. Check DLL signature after upgarde 🟢 ![image](https://user-images.githubusercontent.com/26927338/212066330-41b7590e-640f-4c9c-94fe-867a7b7ebc5c.png) 4. Check `ossec.log` file for the Warning log 🟢 ![image](https://user-images.githubusercontent.com/26927338/212122276-572f3989-d39a-4113-80af-df7637ebe414.png) Agent running🟢 6. Install the certificate DigiCert High Assurance EV Root CA https://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt): 7. Check ossec.log 🟢 ``` 2023/01/12 04:30:52 wazuh-agent: WARNING: The dynamic signature validation is not available for this system. Error 127: The specified procedure could not be found. ```
### Fresh install
Fresh install core-branch package
1. Install `wazuh-agent v4.4.0` package 🟢 2. Check `ossec.log` file for the warning log 🟢 ![image](https://user-images.githubusercontent.com/26927338/212122549-1dd0031b-a881-4d28-947a-30cb22f393bf.png) Agent running🟢 4. Install the certificate DigiCert High Assurance EV Root CA https://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt): 5. Check ossec.log 🟢 ``` 2023/01/12 04:48:37 wazuh-agent: WARNING: The dynamic signature validation is not available for this system. Error 127: The specified procedure could not be found. ```

Final testing results

Package with IMAGE_TRUST_CHECK=1

Windows XP 🟢

### Upgrade

Upgrade from 4.3.10 to core-branch signed package

### Fresh install

Fresh install core-branch package

1. Install `wazuh-agent v4.4.0` package 🟢 2. Check `ossec.log` file for the warning log 🟢 Agent running🟢 4. Install the certificate DigiCert High Assurance EV Root CA https://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt): 5. Check ossec.log 🟢 ``` 2023/01/09 16:24:13 wazuh-agent: WARNING: The dynamic signature validation is not available for this system. Error 127: The specified procedure could not be found. ```

Windows 2003 🟢
### Upgrade
Upgrade from 4.3.10 to core-branch signed package
1. Before upgrading - Check DLL signature 🟢 ``` Start → Programs → Accessories → System Tools → System Information → Tools menu → File Signature Verification Utility ``` ![image](https://user-images.githubusercontent.com/26927338/212064762-5ab9b854-3324-4282-b943-df79749f245b.png) 2. Upgrade from `wazuh-agent v4.3.10` to `wazuh-agent v4.4.0` package 🟢 3. Check DLL signature after upgarde 🟢 ![image](https://user-images.githubusercontent.com/26927338/212066330-41b7590e-640f-4c9c-94fe-867a7b7ebc5c.png) 4. Check `ossec.log` file for the Warning log 🟢 Agent running🟢 6. Install the certificate DigiCert High Assurance EV Root CA https://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt): 7. Check ossec.log 🟢 ``` 2023/01/12 04:30:52 wazuh-agent: WARNING: The dynamic signature validation is not available for this system. Error 127: The specified procedure could not be found. ```
### Fresh install
Fresh install core-branch package
1. Install `wazuh-agent v4.4.0` package 🟢 2. Check `ossec.log` file for the warning log 🟢 Agent running🟢 4. Install the certificate DigiCert High Assurance EV Root CA https://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt): 5. Check ossec.log 🟢 ``` 2023/01/12 04:48:37 wazuh-agent: WARNING: The dynamic signature validation is not available for this system. Error 127: The specified procedure could not be found. ```

Windows Vista 🟢
### Upgrade
Upgrade from 4.3.10 to core-branch signed package
1. Before upgrading - Check DLL signature 🟢 ``` Get-AuthenticodeSignature *.dll ``` ``` SignerCertificate Status Path ----------------- ------ ---- NotSigned dbsync.dll NotSigned libgcc_s_sjlj-1.dll NotSigned libwazuhext.dll NotSigned libwazuhshared.dll NotSigned libwinpthread-1.dll NotSigned rsync.dll NotSigned syscollector.dll NotSigned sysinfo.dll ``` - Check `dbsync.dll` hash 🟢 ``` certutil.exe -hashfile .\dbsync.dll ``` ``` SHA-1 hash of file .\dbsync.dll: 4c 37 79 3f d4 8f 0a 74 46 5d a7 5a 8f 9b eb fd 9a 3c 97 a4 ``` 2. Upgrade from `wazuh-agent v4.3.10` to `wazuh-agent v4.4.0` package :green_circle: 3. Check `ossec.log` file for error, warning and critical logs :green_circle: ``` No error, warning, nor critical were found. Agent still running. ``` 4. Check DLL signature :green_circle: ``` SignerCertificate Status Path ----------------- ------ ---- 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid dbsync.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libgcc_s_dw2-1.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libstdc++-6.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwazuhext.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwazuhshared.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwinpthread-1.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid rsync.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid syscollector.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid sysinfo.dll ``` 5. Check `dbsync.dll` hash :green_circle: ``` SHA-1 hash of file .\dbsync.dll: a7 fd 9a fa 59 9a 47 6e 3a 08 2b aa 07 00 07 a3 45 a7 6c 3a ``` 6. Stop `wazuh-agent` and modify DLL library ``` echo 1 >> dbsync.dll ``` 7. Start `wazuh-agent` and check `ossec.log` file the warning log ``` 2023/01/03 07:24:20 wazuh-agent: INFO: Trust verification of a module failed by using the signature method. No signature found for 'C:\Program Files (x86)\ossec-agent\dbsync.dll'. 2023/01/03 07:24:20 wazuh-agent: INFO: Trust verification of a module failed by using the hash method. CryptCATAdminCalcHashFromFileHandle failed trying to get the hash size with error 2147942593 for 'C:\Program Files (x86)\ossec-agent\dbsync.dll': %1 is not a valid Win32 application. 2023/01/03 07:24:20 wazuh-agent: WARNING: The file 'C:\Program Files (x86)\ossec-agent\dbsync.dll' is not signed or its signature is invalid. ``` Agent started 🟢
### Fresh install
Fresh install core-branch signed package
1. Install `wazuh-agent v4.4.0` package :green_circle: 2. Check `ossec.log` file for error, warning and critical logs :green_circle: ``` No error, warning, nor critical were found. ``` 3. Check DLL signature :green_circle: ``` SignerCertificate Status Path ----------------- ------ ---- 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid dbsync.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libgcc_s_dw2-1.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libstdc++-6.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwazuhext.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwazuhshared.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwinpthread-1.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid rsync.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid syscollector.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid sysinfo.dll ``` 4. Check `dbsync.dll` hash :green_circle: ``` SHA-1 hash of file .\dbsync.dll: a7 fd 9a fa 59 9a 47 6e 3a 08 2b aa 07 00 07 a3 45 a7 6c 3a ``` 5. Modify DLL library ``` echo 1 >> dbsync.dll ``` 6. Start `wazuh-agent` and check `ossec.log` file for the warning log ``` 2023/01/03 08:19:43 wazuh-agent: INFO: Trust verification of a module failed by using the signature method. No signature found for 'C:\Program Files (x86)\ossec-agent\dbsync.dll'. 2023/01/03 08:19:43 wazuh-agent: INFO: Trust verification of a module failed by using the hash method. CryptCATAdminCalcHashFromFileHandle failed trying to get the hash size with error 2147942593 for 'C:\Program Files (x86)\ossec-agent\dbsync.dll': %1 is not a valid Win32 application. 2023/01/03 08:19:43 wazuh-agent: WARNING: The file 'C:\Program Files (x86)\ossec-agent\dbsync.dll' is not signed or its signature is invalid. ``` Agent started :green_circle:

Windows 7 🟢
### Upgrade
Upgrade from 4.3.10 to core-branch signed package
1. Before upgrading - Check DLL signature 🟢 ``` Get-AuthenticodeSignature *.dll ``` ``` SignerCertificate Status Path ----------------- ------ ---- NotSigned dbsync.dll NotSigned libgcc_s_sjlj-1.dll NotSigned libwazuhext.dll NotSigned libwazuhshared.dll NotSigned libwinpthread-1.dll NotSigned rsync.dll NotSigned syscollector.dll NotSigned sysinfo.dll ``` - Check `dbsync.dll` hash 🟢 ``` certutil.exe -hashfile .\dbsync.dll ``` ``` SHA-1 hash of file .\dbsync.dll: 4c 37 79 3f d4 8f 0a 74 46 5d a7 5a 8f 9b eb fd 9a 3c 97 a4 ``` 2. Upgrade from `wazuh-agent v4.3.10` to `wazuh-agent v4.4.0` package :green_circle: 3. Check `ossec.log` file for error, warning and critical logs :green_circle: ``` No error, warning, nor critical were found. Agent still running. ``` 4. Check DLL signature :green_circle: ``` SignerCertificate Status Path ----------------- ------ ---- 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid dbsync.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libgcc_s_dw2-1.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libstdc++-6.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwazuhext.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwazuhshared.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwinpthread-1.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid rsync.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid syscollector.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid sysinfo.dll ``` 5. Check `dbsync.dll` hash :green_circle: ``` SHA-1 hash of file .\dbsync.dll: a7 fd 9a fa 59 9a 47 6e 3a 08 2b aa 07 00 07 a3 45 a7 6c 3a ``` 6. Stop `wazuh-agent` and modify DLL library ``` echo 1 >> dbsync.dll ``` 7. Start `wazuh-agent` and check `ossec.log` file the warning log ``` 2023/01/03 19:33:41 wazuh-agent: INFO: Trust verification of a module failed by using the signature method. The file 'C:\Program Files (x86)\ossec-agent\dbsync.dll' or its signature is corrupt. 2023/01/03 19:33:41 wazuh-agent: INFO: Trust verification of a module failed by using the hash method. CryptCATAdminEnumCatalogFromHash failed with error 1168 for 'C:\Program Files (x86)\ossec-agent\dbsync.dll': Element not found. 2023/01/03 19:33:41 wazuh-agent: WARNING: The file 'C:\Program Files (x86)\ossec-agent\dbsync.dll' is not signed or its signature is invalid. ``` Agent started 🟢
### Fresh install
Fresh install core-branch signed package
1. Install `wazuh-agent v4.4.0` package :green_circle: 2. Check `ossec.log` file for error, warning and critical logs :green_circle: ``` No error, warning, nor critical were found. ``` 3. Check DLL signature :green_circle: ``` SignerCertificate Status Path ----------------- ------ ---- 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid dbsync.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libgcc_s_dw2-1.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libstdc++-6.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwazuhext.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwazuhshared.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwinpthread-1.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid rsync.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid syscollector.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid sysinfo.dll ``` 4. Check `dbsync.dll` hash :green_circle: ``` SHA-1 hash of file .\dbsync.dll: a7 fd 9a fa 59 9a 47 6e 3a 08 2b aa 07 00 07 a3 45 a7 6c 3a ``` 5. Modify DLL library ``` echo 1 >> dbsync.dll ``` 6. Start `wazuh-agent` and check `ossec.log` file for the warning log ``` 2023/01/03 19:42:55 wazuh-agent: INFO: Trust verification of a module failed by using the signature method. The file 'C:\Program Files (x86)\ossec-agent\dbsync.dll' or its signature is corrupt. 2023/01/03 19:42:55 wazuh-agent: INFO: Trust verification of a module failed by using the hash method. CryptCATAdminEnumCatalogFromHash failed with error 1168 for 'C:\Program Files (x86)\ossec-agent\dbsync.dll': Element not found. 2023/01/03 19:42:55 wazuh-agent: WARNING: The file 'C:\Program Files (x86)\ossec-agent\dbsync.dll' is not signed or its signature is invalid. ``` Agent started :green_circle:

Windows 8 🟢
### Upgrade
Upgrade from 4.3.10 to core-branch signed package
1. Before upgrading - Check DLL signature ``` Get-AuthenticodeSignature *.dll ``` ``` SignerCertificate Status Path ----------------- ------ ---- NotSigned dbsync.dll NotSigned libgcc_s_sjlj-1.dll NotSigned libwazuhext.dll NotSigned libwazuhshared.dll NotSigned libwinpthread-1.dll NotSigned rsync.dll NotSigned syscollector.dll NotSigned sysinfo.dll ``` - Check `dbsync.dll` hash ``` certutil.exe -hashfile .\dbsync.dll ``` ``` SHA-1 hash of file .\dbsync.dll: 4c 37 79 3f d4 8f 0a 74 46 5d a7 5a 8f 9b eb fd 9a 3c 97 a4 SHA256 hash of file .\dbsync.dll: fa 1c 0f 6a 3e 71 c8 65 39 79 66 29 ea ec fc 79 84 5b bb 98 4c f1 5a c6 40 2c c6 70 ac b0 30 c2 ``` 2. Upgrade from `wazuh-agent v4.3.10` to `wazuh-agent v4.4.0` package :green_circle: 3. Check `ossec.log` file for error, warning and critical logs :green_circle: ``` No error, warning, nor critical were found. Agent still running. ``` 4. Check DLL signature :green_circle: ``` SignerCertificate Status Path ----------------- ------ ---- 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid dbsync.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libgcc_s_dw2-1.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libstdc++-6.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwazuhext.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwazuhshared.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwinpthread-1.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid rsync.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid syscollector.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid sysinfo.dll ``` 5. Check `dbsync.dll` hash :green_circle: ``` SHA-1 hash of file .\dbsync.dll: a7 fd 9a fa 59 9a 47 6e 3a 08 2b aa 07 00 07 a3 45 a7 6c 3a SHA256 hash of file .\dbsync.dll: 5f b8 d9 c2 bf 33 5d db 6b ff 97 45 69 43 61 7a a6 fa 07 b5 0d 1e e7 c4 e7 c6 66 54 a7 b0 59 bd ``` 6. Stop `wazuh-agent` and modify DLL library ``` echo 1 >> dbsync.dll ``` 7. Start `wazuh-agent` and check `ossec.log` file the warning log ``` 2023/01/04 14:47:12 wazuh-agent: INFO: Trust verification of a module failed by using the signature method. No signature found for 'C:\Program Files (x86)\ossec-agent\dbsync.dll'. 2023/01/04 14:47:13 wazuh-agent: WARNING: The file 'C:\Program Files (x86)\ossec-agent\dbsync.dll' is not signed or its signature is invalid. ``` Agent started 🟢
### Fresh install
Fresh install core-branch signed package
1. Install `wazuh-agent v4.4.0` package :green_circle: 2. Check `ossec.log` file for error, warning and critical logs :green_circle: ``` No error, warning, nor critical were found. ``` 3. Check DLL signature :green_circle: ``` SignerCertificate Status Path ----------------- ------ ---- 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid dbsync.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libgcc_s_dw2-1.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libstdc++-6.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwazuhext.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwazuhshared.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwinpthread-1.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid rsync.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid syscollector.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid sysinfo.dll ``` 4. Check `dbsync.dll` hash :green_circle: ``` SHA-1 hash of file .\dbsync.dll: a7 fd 9a fa 59 9a 47 6e 3a 08 2b aa 07 00 07 a3 45 a7 6c 3a SHA256 hash of file .\dbsync.dll: 5f b8 d9 c2 bf 33 5d db 6b ff 97 45 69 43 61 7a a6 fa 07 b5 0d 1e e7 c4 e7 c6 66 54 a7 b0 59 bd ``` 5. Modify DLL library ``` echo 1 >> dbsync.dll ``` 6. Start `wazuh-agent` and check `ossec.log` file for the warning log ``` 2023/01/04 15:03:21 wazuh-agent: INFO: Trust verification of a module failed by using the signature method. No signature found for 'C:\Program Files (x86)\ossec-agent\dbsync.dll'. 2023/01/04 15:03:21 wazuh-agent: WARNING: The file 'C:\Program Files (x86)\ossec-agent\dbsync.dll' is not signed or its signature is invalid. ``` Agent started :green_circle:

Windows 10 🟢
### Upgrade
Upgrade from 4.3.10 to core-branch signed package
1. Before upgrading - Check DLL signature ``` Get-AuthenticodeSignature *.dll ``` ``` SignerCertificate Status Path ----------------- ------ ---- NotSigned dbsync.dll NotSigned libgcc_s_sjlj-1.dll NotSigned libwazuhext.dll NotSigned libwazuhshared.dll NotSigned libwinpthread-1.dll NotSigned rsync.dll NotSigned syscollector.dll NotSigned sysinfo.dll ``` - Check `dbsync.dll` hash ``` certutil.exe -hashfile .\dbsync.dll ``` ``` SHA-1 hash of file .\dbsync.dll: 4c 37 79 3f d4 8f 0a 74 46 5d a7 5a 8f 9b eb fd 9a 3c 97 a4 SHA256 hash of file .\dbsync.dll: fa 1c 0f 6a 3e 71 c8 65 39 79 66 29 ea ec fc 79 84 5b bb 98 4c f1 5a c6 40 2c c6 70 ac b0 30 c2 ``` 2. Upgrade from `wazuh-agent v4.3.10` to `wazuh-agent v4.4.0` package :green_circle: 3. Check `ossec.log` file for error, warning and critical logs :green_circle: ``` No error, warning, nor critical were found. Agent still running. ``` 4. Check DLL signature :green_circle: ``` SignerCertificate Status Path ----------------- ------ ---- 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid dbsync.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libgcc_s_dw2-1.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libstdc++-6.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwazuhext.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwazuhshared.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwinpthread-1.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid rsync.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid syscollector.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid sysinfo.dll ``` 5. Check `dbsync.dll` hash :green_circle: ``` SHA-1 hash of file .\dbsync.dll: a7 fd 9a fa 59 9a 47 6e 3a 08 2b aa 07 00 07 a3 45 a7 6c 3a SHA256 hash of file .\dbsync.dll: 5f b8 d9 c2 bf 33 5d db 6b ff 97 45 69 43 61 7a a6 fa 07 b5 0d 1e e7 c4 e7 c6 66 54 a7 b0 59 bd ``` 6. Stop `wazuh-agent` and modify DLL library ``` echo 1 >> dbsync.dll ``` 7. Start `wazuh-agent` and check `ossec.log` file the warning log ``` 2023/01/04 16:48:53 wazuh-agent: INFO: Trust verification of a module failed by using the signature method. No signature found for 'C:\Program Files (x86)\ossec-agent\dbsync.dll'. 2023/01/04 16:48:53 wazuh-agent: INFO: Trust verification of a module failed by using the hash method. CryptCATAdminCalcHashFromFileHandle failed trying to calculate hash with error 2147942593 for 'C:\Program Files (x86)\ossec-agent\dbsync.dll': %1 is not a valid Win32 application. 2023/01/04 16:48:53 wazuh-agent: WARNING: The file 'C:\Program Files (x86)\ossec-agent\dbsync.dll' is not signed or its signature is invalid. ``` Agent started 🟢
### Fresh install
Fresh install core-branch signed package
1. Install `wazuh-agent v4.4.0` package :green_circle: 2. Check `ossec.log` file for error, warning and critical logs :green_circle: ``` No error, warning, nor critical were found. ``` 3. Check DLL signature :green_circle: ``` SignerCertificate Status Path ----------------- ------ ---- 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid dbsync.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libgcc_s_dw2-1.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libstdc++-6.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwazuhext.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwazuhshared.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwinpthread-1.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid rsync.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid syscollector.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid sysinfo.dll ``` 4. Check `dbsync.dll` hash :green_circle: ``` SHA-1 hash of file .\dbsync.dll: a7 fd 9a fa 59 9a 47 6e 3a 08 2b aa 07 00 07 a3 45 a7 6c 3a SHA256 hash of file .\dbsync.dll: 5f b8 d9 c2 bf 33 5d db 6b ff 97 45 69 43 61 7a a6 fa 07 b5 0d 1e e7 c4 e7 c6 66 54 a7 b0 59 bd ``` 5. Modify DLL library ``` echo 1 >> dbsync.dll ``` 6. Start `wazuh-agent` and check `ossec.log` file for the warning log ``` 2023/01/04 16:56:39 wazuh-agent: INFO: Trust verification of a module failed by using the signature method. No signature found for 'C:\Program Files (x86)\ossec-agent\dbsync.dll'. 2023/01/04 16:56:39 wazuh-agent: INFO: Trust verification of a module failed by using the hash method. CryptCATAdminCalcHashFromFileHandle failed trying to calculate hash with error 2147942593 for 'C:\Program Files (x86)\ossec-agent\dbsync.dll': %1 is not a valid Win32 application. 2023/01/04 16:56:39 wazuh-agent: WARNING: The file 'C:\Program Files (x86)\ossec-agent\dbsync.dll' is not signed or its signature is invalid. ``` Agent started :green_circle:

Windows 2012 🟢
### Upgrade
Upgrade from 4.3.10 to core-branch signed package
1. Before upgrading - Check DLL signature ``` Get-AuthenticodeSignature *.dll ``` ``` SignerCertificate Status Path ----------------- ------ ---- NotSigned dbsync.dll NotSigned libgcc_s_sjlj-1.dll NotSigned libwazuhext.dll NotSigned libwazuhshared.dll NotSigned libwinpthread-1.dll NotSigned rsync.dll NotSigned syscollector.dll NotSigned sysinfo.dll ``` - Check `dbsync.dll` hash ``` certutil.exe -hashfile .\dbsync.dll ``` ``` SHA-1 hash of file .\dbsync.dll: 4c 37 79 3f d4 8f 0a 74 46 5d a7 5a 8f 9b eb fd 9a 3c 97 a4 SHA256 hash of file .\dbsync.dll: fa 1c 0f 6a 3e 71 c8 65 39 79 66 29 ea ec fc 79 84 5b bb 98 4c f1 5a c6 40 2c c6 70 ac b0 30 c2 ``` 2. Upgrade from `wazuh-agent v4.3.10` to `wazuh-agent v4.4.0` package :green_circle: 3. Check `ossec.log` file for error, warning and critical logs :green_circle: ``` No error, warning, nor critical were found. Agent still running. ``` 4. Check DLL signature :green_circle: ``` SignerCertificate Status Path ----------------- ------ ---- 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid dbsync.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libgcc_s_dw2-1.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libstdc++-6.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwazuhext.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwazuhshared.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwinpthread-1.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid rsync.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid syscollector.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid sysinfo.dll ``` 5. Check `dbsync.dll` hash :green_circle: ``` SHA-1 hash of file .\dbsync.dll: a7 fd 9a fa 59 9a 47 6e 3a 08 2b aa 07 00 07 a3 45 a7 6c 3a SHA256 hash of file .\dbsync.dll: 5f b8 d9 c2 bf 33 5d db 6b ff 97 45 69 43 61 7a a6 fa 07 b5 0d 1e e7 c4 e7 c6 66 54 a7 b0 59 bd ``` 6. Stop `wazuh-agent` and modify DLL library ``` echo 1 >> dbsync.dll ``` 7. Start `wazuh-agent` and check `ossec.log` file the warning log ``` 2023/01/05 12:30:45 wazuh-agent: INFO: Trust verification of a module failed by using the signature method. No signature found for 'C:\Program Files (x86)\ossec-agent\dbsync.dll'. 2023/01/05 12:30:45 wazuh-agent: INFO: Trust verification of a module failed by using the hash method. CryptCATAdminCalcHashFromFileHandle failed trying to calculate hash with error 2147942593 for 'C:\Program Files (x86)\ossec-agent\dbsync.dll': %1 is not a valid Win32 application. 2023/01/05 12:30:45 wazuh-agent: WARNING: The file 'C:\Program Files (x86)\ossec-agent\dbsync.dll' is not signed or its signature is invalid. ``` Agent started 🟢
### Fresh install
Fresh install core-branch signed package
1. Install `wazuh-agent v4.4.0` package :green_circle: 2. Check `ossec.log` file for error, warning and critical logs :green_circle: ``` No error, warning, nor critical were found. ``` 3. Check DLL signature :green_circle: ``` SignerCertificate Status Path ----------------- ------ ---- 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid dbsync.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libgcc_s_dw2-1.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libstdc++-6.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwazuhext.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwazuhshared.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwinpthread-1.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid rsync.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid syscollector.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid sysinfo.dll ``` 4. Check `dbsync.dll` hash :green_circle: ``` SHA-1 hash of file .\dbsync.dll: a7 fd 9a fa 59 9a 47 6e 3a 08 2b aa 07 00 07 a3 45 a7 6c 3a SHA256 hash of file .\dbsync.dll: 5f b8 d9 c2 bf 33 5d db 6b ff 97 45 69 43 61 7a a6 fa 07 b5 0d 1e e7 c4 e7 c6 66 54 a7 b0 59 bd ``` 5. Modify DLL library ``` echo 1 >> dbsync.dll ``` 6. Start `wazuh-agent` and check `ossec.log` file for the warning log ``` 2023/01/05 12:39:09 wazuh-agent: INFO: Trust verification of a module failed by using the signature method. No signature found for 'C:\Program Files (x86)\ossec-agent\dbsync.dll'. 2023/01/05 12:39:09 wazuh-agent: INFO: Trust verification of a module failed by using the hash method. CryptCATAdminCalcHashFromFileHandle failed trying to calculate hash with error 2147942593 for 'C:\Program Files (x86)\ossec-agent\dbsync.dll': %1 is not a valid Win32 application. 2023/01/05 12:39:09 wazuh-agent: WARNING: The file 'C:\Program Files (x86)\ossec-agent\dbsync.dll' is not signed or its signature is invalid. ``` Agent started :green_circle:

Windows 2016 🟢
### Upgrade
Upgrade from 4.3.10 to core-branch signed package
1. Before upgrading - Check DLL signature ``` Get-AuthenticodeSignature *.dll ``` ``` SignerCertificate Status Path ----------------- ------ ---- NotSigned dbsync.dll NotSigned libgcc_s_sjlj-1.dll NotSigned libwazuhext.dll NotSigned libwazuhshared.dll NotSigned libwinpthread-1.dll NotSigned rsync.dll NotSigned syscollector.dll NotSigned sysinfo.dll ``` - Check `dbsync.dll` hash ``` certutil.exe -hashfile .\dbsync.dll ``` ``` SHA-1 hash of file .\dbsync.dll: 4c 37 79 3f d4 8f 0a 74 46 5d a7 5a 8f 9b eb fd 9a 3c 97 a4 SHA256 hash of file .\dbsync.dll: fa 1c 0f 6a 3e 71 c8 65 39 79 66 29 ea ec fc 79 84 5b bb 98 4c f1 5a c6 40 2c c6 70 ac b0 30 c2 ``` 2. Upgrade from `wazuh-agent v4.3.10` to `wazuh-agent v4.4.0` package :green_circle: 3. Check `ossec.log` file for error, warning and critical logs :green_circle: ``` No error, warning, nor critical were found. Agent still running. ``` 4. Check DLL signature :green_circle: ``` SignerCertificate Status Path ----------------- ------ ---- 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid dbsync.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libgcc_s_dw2-1.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libstdc++-6.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwazuhext.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwazuhshared.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwinpthread-1.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid rsync.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid syscollector.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid sysinfo.dll ``` 5. Check `dbsync.dll` hash :green_circle: ``` SHA-1 hash of file .\dbsync.dll: a7 fd 9a fa 59 9a 47 6e 3a 08 2b aa 07 00 07 a3 45 a7 6c 3a SHA256 hash of file .\dbsync.dll: 5f b8 d9 c2 bf 33 5d db 6b ff 97 45 69 43 61 7a a6 fa 07 b5 0d 1e e7 c4 e7 c6 66 54 a7 b0 59 bd ``` 6. Stop `wazuh-agent` and modify DLL library ``` echo 1 >> dbsync.dll ``` 7. Start `wazuh-agent` and check `ossec.log` file the warning log ``` 2023/01/05 14:25:47 wazuh-agent: INFO: Trust verification of a module failed by using the signature method. No signature found for 'C:\Program Files (x86)\ossec-agent\dbsync.dll'. 2023/01/05 14:25:47 wazuh-agent: INFO: Trust verification of a module failed by using the hash method. CryptCATAdminCalcHashFromFileHandle failed trying to calculate hash with error 2147942593 for 'C:\Program Files (x86)\ossec-agent\dbsync.dll': %1 is not a valid Win32 application. 2023/01/05 14:25:47 wazuh-agent: WARNING: The file 'C:\Program Files (x86)\ossec-agent\dbsync.dll' is not signed or its signature is invalid. ``` Agent started 🟢
### Fresh install
Fresh install core-branch signed package
1. Install `wazuh-agent v4.4.0` package :green_circle: 2. Check `ossec.log` file for error, warning and critical logs :green_circle: ``` No error, warning, nor critical were found. ``` 3. Check DLL signature :green_circle: ``` SignerCertificate Status Path ----------------- ------ ---- 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid dbsync.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libgcc_s_dw2-1.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libstdc++-6.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwazuhext.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwazuhshared.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwinpthread-1.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid rsync.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid syscollector.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid sysinfo.dll ``` 4. Check `dbsync.dll` hash :green_circle: ``` SHA-1 hash of file .\dbsync.dll: a7 fd 9a fa 59 9a 47 6e 3a 08 2b aa 07 00 07 a3 45 a7 6c 3a SHA256 hash of file .\dbsync.dll: 5f b8 d9 c2 bf 33 5d db 6b ff 97 45 69 43 61 7a a6 fa 07 b5 0d 1e e7 c4 e7 c6 66 54 a7 b0 59 bd ``` 5. Modify DLL library ``` echo 1 >> dbsync.dll ``` 6. Start `wazuh-agent` and check `ossec.log` file for the warning log ``` 2023/01/05 14:31:46 wazuh-agent: INFO: Trust verification of a module failed by using the signature method. No signature found for 'C:\Program Files (x86)\ossec-agent\dbsync.dll'. 2023/01/05 14:31:46 wazuh-agent: INFO: Trust verification of a module failed by using the hash method. CryptCATAdminCalcHashFromFileHandle failed trying to calculate hash with error 2147942593 for 'C:\Program Files (x86)\ossec-agent\dbsync.dll': %1 is not a valid Win32 application. 2023/01/05 14:31:46 wazuh-agent: WARNING: The file 'C:\Program Files (x86)\ossec-agent\dbsync.dll' is not signed or its signature is invalid. ``` Agent started :green_circle:

Windows 2019 🟢
### Upgrade
Upgrade from 4.3.10 to core-branch signed package
1. Before upgrading - Check DLL signature ``` Get-AuthenticodeSignature *.dll ``` ``` SignerCertificate Status Path ----------------- ------ ---- NotSigned dbsync.dll NotSigned libgcc_s_sjlj-1.dll NotSigned libwazuhext.dll NotSigned libwazuhshared.dll NotSigned libwinpthread-1.dll NotSigned rsync.dll NotSigned syscollector.dll NotSigned sysinfo.dll ``` - Check `dbsync.dll` hash ``` certutil.exe -hashfile .\dbsync.dll ``` ``` SHA-1 hash of file .\dbsync.dll: 4c 37 79 3f d4 8f 0a 74 46 5d a7 5a 8f 9b eb fd 9a 3c 97 a4 SHA256 hash of file .\dbsync.dll: fa 1c 0f 6a 3e 71 c8 65 39 79 66 29 ea ec fc 79 84 5b bb 98 4c f1 5a c6 40 2c c6 70 ac b0 30 c2 ``` 2. Upgrade from `wazuh-agent v4.3.10` to `wazuh-agent v4.4.0` package :green_circle: 3. Check `ossec.log` file for error, warning and critical logs :green_circle: ``` No error, warning, nor critical were found. Agent still running. ``` 4. Check DLL signature :green_circle: ``` SignerCertificate Status Path ----------------- ------ ---- 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid dbsync.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libgcc_s_dw2-1.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libstdc++-6.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwazuhext.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwazuhshared.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwinpthread-1.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid rsync.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid syscollector.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid sysinfo.dll ``` 5. Check `dbsync.dll` hash :green_circle: ``` SHA-1 hash of file .\dbsync.dll: a7 fd 9a fa 59 9a 47 6e 3a 08 2b aa 07 00 07 a3 45 a7 6c 3a SHA256 hash of file .\dbsync.dll: 5f b8 d9 c2 bf 33 5d db 6b ff 97 45 69 43 61 7a a6 fa 07 b5 0d 1e e7 c4 e7 c6 66 54 a7 b0 59 bd ``` 6. Stop `wazuh-agent` and modify DLL library ``` echo 1 >> dbsync.dll ``` 7. Start `wazuh-agent` and check `ossec.log` file the warning log ``` 2023/01/05 15:14:49 wazuh-agent: INFO: Trust verification of a module failed by using the signature method. No signature found for 'C:\Program Files (x86)\ossec-agent\dbsync.dll'. 2023/01/05 15:14:49 wazuh-agent: INFO: Trust verification of a module failed by using the hash method. CryptCATAdminCalcHashFromFileHandle failed trying to calculate hash with error 2147942593 for 'C:\Program Files (x86)\ossec-agent\dbsync.dll': %1 is not a valid Win32 application. 2023/01/05 15:14:49 wazuh-agent: WARNING: The file 'C:\Program Files (x86)\ossec-agent\dbsync.dll' is not signed or its signature is invalid. ``` Agent started 🟢
### Fresh install
Fresh install core-branch signed package
1. Install `wazuh-agent v4.4.0` package :green_circle: 2. Check `ossec.log` file for error, warning and critical logs :green_circle: ``` No error, warning, nor critical were found. ``` 3. Check DLL signature :green_circle: ``` SignerCertificate Status Path ----------------- ------ ---- 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid dbsync.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libgcc_s_dw2-1.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libstdc++-6.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwazuhext.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwazuhshared.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwinpthread-1.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid rsync.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid syscollector.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid sysinfo.dll ``` 4. Check `dbsync.dll` hash :green_circle: ``` SHA-1 hash of file .\dbsync.dll: a7 fd 9a fa 59 9a 47 6e 3a 08 2b aa 07 00 07 a3 45 a7 6c 3a SHA256 hash of file .\dbsync.dll: 5f b8 d9 c2 bf 33 5d db 6b ff 97 45 69 43 61 7a a6 fa 07 b5 0d 1e e7 c4 e7 c6 66 54 a7 b0 59 bd ``` 5. Modify DLL library ``` echo 1 >> dbsync.dll ``` 6. Start `wazuh-agent` and check `ossec.log` file for the warning log ``` 2023/01/05 15:18:33 wazuh-agent: INFO: Trust verification of a module failed by using the signature method. No signature found for 'C:\Program Files (x86)\ossec-agent\dbsync.dll'. 2023/01/05 15:18:33 wazuh-agent: INFO: Trust verification of a module failed by using the hash method. CryptCATAdminCalcHashFromFileHandle failed trying to calculate hash with error 2147942593 for 'C:\Program Files (x86)\ossec-agent\dbsync.dll': %1 is not a valid Win32 application. 2023/01/05 15:18:33 wazuh-agent: INFO: (1951): Analyzing event log: 'Security'. 2023/01/05 15:18:33 wazuh-agent: WARNING: The file 'C:\Program Files (x86)\ossec-agent\dbsync.dll' is not signed or its signature is invalid. ``` Agent started :green_circle:

Windows 2022 🟢
### Upgrade
Upgrade from 4.3.10 to core-branch signed package
1. Before upgrading - Check DLL signature ``` Get-AuthenticodeSignature *.dll ``` ``` SignerCertificate Status Path ----------------- ------ ---- NotSigned dbsync.dll NotSigned libgcc_s_sjlj-1.dll NotSigned libwazuhext.dll NotSigned libwazuhshared.dll NotSigned libwinpthread-1.dll NotSigned rsync.dll NotSigned syscollector.dll NotSigned sysinfo.dll ``` - Check `dbsync.dll` hash ``` certutil.exe -hashfile .\dbsync.dll ``` ``` SHA-1 hash of file .\dbsync.dll: 4c 37 79 3f d4 8f 0a 74 46 5d a7 5a 8f 9b eb fd 9a 3c 97 a4 SHA256 hash of file .\dbsync.dll: fa 1c 0f 6a 3e 71 c8 65 39 79 66 29 ea ec fc 79 84 5b bb 98 4c f1 5a c6 40 2c c6 70 ac b0 30 c2 ``` 2. Upgrade from `wazuh-agent v4.3.10` to `wazuh-agent v4.4.0` package :green_circle: 3. Check `ossec.log` file for error, warning and critical logs :green_circle: ``` No error, warning, nor critical were found. Agent still running. ``` 4. Check DLL signature :green_circle: ``` SignerCertificate Status Path ----------------- ------ ---- 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid dbsync.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libgcc_s_dw2-1.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libstdc++-6.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwazuhext.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwazuhshared.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwinpthread-1.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid rsync.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid syscollector.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid sysinfo.dll ``` 5. Check `dbsync.dll` hash :green_circle: ``` SHA-1 hash of file .\dbsync.dll: a7 fd 9a fa 59 9a 47 6e 3a 08 2b aa 07 00 07 a3 45 a7 6c 3a SHA256 hash of file .\dbsync.dll: 5f b8 d9 c2 bf 33 5d db 6b ff 97 45 69 43 61 7a a6 fa 07 b5 0d 1e e7 c4 e7 c6 66 54 a7 b0 59 bd ``` 6. Stop `wazuh-agent` and modify DLL library ``` echo 1 >> dbsync.dll ``` 7. Start `wazuh-agent` and check `ossec.log` file the warning log ``` 2023/01/05 16:51:57 wazuh-agent: INFO: Trust verification of a module failed by using the signature method. No signature found for 'C:\Program Files (x86)\ossec-agent\dbsync.dll'. 2023/01/05 16:51:57 wazuh-agent: INFO: Trust verification of a module failed by using the hash method. CryptCATAdminCalcHashFromFileHandle failed trying to calculate hash with error 2147942593 for 'C:\Program Files (x86)\ossec-agent\dbsync.dll': %1 is not a valid Win32 application. 2023/01/05 16:51:57 wazuh-agent: WARNING: The file 'C:\Program Files (x86)\ossec-agent\dbsync.dll' is not signed or its signature is invalid. ``` Agent started 🟢
### Fresh install
Fresh install core-branch signed package
1. Install `wazuh-agent v4.4.0` package :green_circle: 2. Check `ossec.log` file for error, warning and critical logs :green_circle: ``` No error, warning, nor critical were found. ``` 3. Check DLL signature :green_circle: ``` SignerCertificate Status Path ----------------- ------ ---- 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid dbsync.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libgcc_s_dw2-1.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libstdc++-6.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwazuhext.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwazuhshared.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwinpthread-1.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid rsync.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid syscollector.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid sysinfo.dll ``` 4. Check `dbsync.dll` hash :green_circle: ``` SHA-1 hash of file .\dbsync.dll: a7 fd 9a fa 59 9a 47 6e 3a 08 2b aa 07 00 07 a3 45 a7 6c 3a SHA256 hash of file .\dbsync.dll: 5f b8 d9 c2 bf 33 5d db 6b ff 97 45 69 43 61 7a a6 fa 07 b5 0d 1e e7 c4 e7 c6 66 54 a7 b0 59 bd ``` 5. Modify DLL library ``` echo 1 >> dbsync.dll ``` 6. Start `wazuh-agent` and check `ossec.log` file for the warning log ``` 2023/01/05 16:56:21 wazuh-agent: INFO: Trust verification of a module failed by using the signature method. No signature found for 'C:\Program Files (x86)\ossec-agent\dbsync.dll'. 2023/01/05 16:56:21 wazuh-agent: INFO: Trust verification of a module failed by using the hash method. CryptCATAdminCalcHashFromFileHandle failed trying to calculate hash with error 2147942593 for 'C:\Program Files (x86)\ossec-agent\dbsync.dll': %1 is not a valid Win32 application. 2023/01/05 16:56:21 wazuh-agent: WARNING: The file 'C:\Program Files (x86)\ossec-agent\dbsync.dll' is not signed or its signature is invalid. ``` Agent started :green_circle:

Windows 11 🟢
### Upgrade
Upgrade from 4.3.10 to core-branch signed package
1. Before upgrading - Check DLL signature ``` Get-AuthenticodeSignature *.dll ``` ``` SignerCertificate Status Path ----------------- ------ ---- NotSigned dbsync.dll NotSigned libgcc_s_sjlj-1.dll NotSigned libwazuhext.dll NotSigned libwazuhshared.dll NotSigned libwinpthread-1.dll NotSigned rsync.dll NotSigned syscollector.dll NotSigned sysinfo.dll ``` - Check `dbsync.dll` hash ``` certutil.exe -hashfile .\dbsync.dll ``` ``` SHA-1 hash of file .\dbsync.dll: 4c 37 79 3f d4 8f 0a 74 46 5d a7 5a 8f 9b eb fd 9a 3c 97 a4 SHA256 hash of file .\dbsync.dll: fa 1c 0f 6a 3e 71 c8 65 39 79 66 29 ea ec fc 79 84 5b bb 98 4c f1 5a c6 40 2c c6 70 ac b0 30 c2 ``` 2. Upgrade from `wazuh-agent v4.3.10` to `wazuh-agent v4.4.0` package :green_circle: 3. Check `ossec.log` file for error, warning and critical logs :green_circle: ``` No error, warning, nor critical were found. Agent still running. ``` 4. Check DLL signature :green_circle: ``` SignerCertificate Status Path ----------------- ------ ---- 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid dbsync.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libgcc_s_dw2-1.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libstdc++-6.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwazuhext.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwazuhshared.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwinpthread-1.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid rsync.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid syscollector.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid sysinfo.dll ``` 5. Check `dbsync.dll` hash :green_circle: ``` SHA-1 hash of file .\dbsync.dll: a7 fd 9a fa 59 9a 47 6e 3a 08 2b aa 07 00 07 a3 45 a7 6c 3a SHA256 hash of file .\dbsync.dll: 5f b8 d9 c2 bf 33 5d db 6b ff 97 45 69 43 61 7a a6 fa 07 b5 0d 1e e7 c4 e7 c6 66 54 a7 b0 59 bd ``` 6. Stop `wazuh-agent` and modify DLL library ``` echo 1 >> dbsync.dll ``` 7. Start `wazuh-agent` and check `ossec.log` file the warning log ``` 2023/01/05 11:06:53 wazuh-agent: INFO: Trust verification of a module failed by using the signature method. No signature found for 'C:\Program Files (x86)\ossec-agent\dbsync.dll'. 2023/01/05 11:06:53 wazuh-agent: INFO: Trust verification of a module failed by using the hash method. CryptCATAdminCalcHashFromFileHandle failed trying to calculate hash with error 2147942593 for 'C:\Program Files (x86)\ossec-agent\dbsync.dll': %1 is not a valid Win32 application. 2023/01/05 11:06:53 wazuh-agent: WARNING: The file 'C:\Program Files (x86)\ossec-agent\dbsync.dll' is not signed or its signature is invalid. ``` Agent started 🟢
### Fresh install
Fresh install core-branch signed package
1. Install `wazuh-agent v4.4.0` package :green_circle: 2. Check `ossec.log` file for error, warning and critical logs :green_circle: ``` No error, warning, nor critical were found. ``` 3. Check DLL signature :green_circle: ``` SignerCertificate Status Path ----------------- ------ ---- 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid dbsync.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libgcc_s_dw2-1.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libstdc++-6.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwazuhext.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwazuhshared.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwinpthread-1.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid rsync.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid syscollector.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid sysinfo.dll ``` 4. Check `dbsync.dll` hash :green_circle: ``` SHA-1 hash of file .\dbsync.dll: a7 fd 9a fa 59 9a 47 6e 3a 08 2b aa 07 00 07 a3 45 a7 6c 3a SHA256 hash of file .\dbsync.dll: 5f b8 d9 c2 bf 33 5d db 6b ff 97 45 69 43 61 7a a6 fa 07 b5 0d 1e e7 c4 e7 c6 66 54 a7 b0 59 bd ``` 5. Modify DLL library ``` echo 1 >> dbsync.dll ``` 6. Start `wazuh-agent` and check `ossec.log` file for the warning log ``` 2023/01/05 11:06:53 wazuh-agent: INFO: Trust verification of a module failed by using the signature method. No signature found for 'C:\Program Files (x86)\ossec-agent\dbsync.dll'. 2023/01/05 11:06:53 wazuh-agent: INFO: Trust verification of a module failed by using the hash method. CryptCATAdminCalcHashFromFileHandle failed trying to calculate hash with error 2147942593 for 'C:\Program Files (x86)\ossec-agent\dbsync.dll': %1 is not a valid Win32 application. 2023/01/05 11:06:53 wazuh-agent: WARNING: The file 'C:\Program Files (x86)\ossec-agent\dbsync.dll' is not signed or its signature is invalid. ``` Agent started :green_circle:

Windows 2008 🟢
### Upgrade
Upgrade from 4.3.10 to core-branch signed package
1. Before upgrading - Check DLL signature ``` Get-AuthenticodeSignature *.dll ``` ``` SignerCertificate Status Path ----------------- ------ ---- NotSigned dbsync.dll NotSigned libgcc_s_sjlj-1.dll NotSigned libwazuhext.dll NotSigned libwazuhshared.dll NotSigned libwinpthread-1.dll NotSigned rsync.dll NotSigned syscollector.dll NotSigned sysinfo.dll ``` - Check `dbsync.dll` hash ``` certutil.exe -hashfile .\dbsync.dll ``` ``` SHA-1 hash of file .\dbsync.dll: 4c 37 79 3f d4 8f 0a 74 46 5d a7 5a 8f 9b eb fd 9a 3c 97 a4 SHA256 hash of file .\dbsync.dll: fa 1c 0f 6a 3e 71 c8 65 39 79 66 29 ea ec fc 79 84 5b bb 98 4c f1 5a c6 40 2c c6 70 ac b0 30 c2 ``` 2. Upgrade from `wazuh-agent v4.3.10` to `wazuh-agent v4.4.0` package :green_circle: 3. Check `ossec.log` file for error, warning and critical logs :green_circle: ``` No error, warning, nor critical were found. Agent still running. ``` 4. Check DLL signature :green_circle: ``` SignerCertificate Status Path ----------------- ------ ---- 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid dbsync.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libgcc_s_dw2-1.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libstdc++-6.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwazuhext.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwazuhshared.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwinpthread-1.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid rsync.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid syscollector.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid sysinfo.dll ``` 5. Check `dbsync.dll` hash :green_circle: ``` SHA-1 hash of file .\dbsync.dll: a7 fd 9a fa 59 9a 47 6e 3a 08 2b aa 07 00 07 a3 45 a7 6c 3a SHA256 hash of file .\dbsync.dll: 5f b8 d9 c2 bf 33 5d db 6b ff 97 45 69 43 61 7a a6 fa 07 b5 0d 1e e7 c4 e7 c6 66 54 a7 b0 59 bd ``` 6. Stop `wazuh-agent` and modify DLL library ``` echo 1 >> dbsync.dll ``` 7. Start `wazuh-agent` and check `ossec.log` file the warning log ``` 2023/01/06 15:38:52 wazuh-agent: INFO: Trust verification of a module failed by using the signature method. The file 'C:\Program Files (x86)\ossec-agent\dbsync.dll' or its signature is corrupt. 2023/01/06 15:38:52 wazuh-agent: INFO: Trust verification of a module failed by using the hash method. CryptCATAdminEnumCatalogFromHash failed with error 1168 for 'C:\Program Files (x86)\ossec-agent\dbsync.dll': Element not found. 2023/01/06 15:38:52 wazuh-agent: WARNING: The file 'C:\Program Files (x86)\ossec-agent\dbsync.dll' is not signed or its signature is invalid. ``` Agent started 🟢
### Fresh install
Fresh install core-branch signed package
1. Install `wazuh-agent v4.4.0` package :green_circle: 2. Check `ossec.log` file for error, warning and critical logs :green_circle: ``` No error, warning, nor critical were found. ``` 3. Check DLL signature :green_circle: ``` SignerCertificate Status Path ----------------- ------ ---- 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid dbsync.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libgcc_s_dw2-1.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libstdc++-6.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwazuhext.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwazuhshared.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwinpthread-1.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid rsync.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid syscollector.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid sysinfo.dll ``` 4. Check `dbsync.dll` hash :green_circle: ``` SHA-1 hash of file .\dbsync.dll: a7 fd 9a fa 59 9a 47 6e 3a 08 2b aa 07 00 07 a3 45 a7 6c 3a SHA256 hash of file .\dbsync.dll: 5f b8 d9 c2 bf 33 5d db 6b ff 97 45 69 43 61 7a a6 fa 07 b5 0d 1e e7 c4 e7 c6 66 54 a7 b0 59 bd ``` 5. Modify DLL library ``` echo 1 >> dbsync.dll ``` 6. Start `wazuh-agent` and check `ossec.log` file for the warning log ``` 2023/01/06 15:52:19 wazuh-agent: INFO: Trust verification of a module failed by using the signature method. The file 'C:\Program Files (x86)\ossec-agent\dbsync.dll' or its signature is corrupt. 2023/01/06 15:52:19 wazuh-agent: INFO: Trust verification of a module failed by using the hash method. CryptCATAdminEnumCatalogFromHash failed with error 1168 for 'C:\Program Files (x86)\ossec-agent\dbsync.dll': Element not found. 2023/01/06 15:52:19 wazuh-agent: WARNING: The file 'C:\Program Files (x86)\ossec-agent\dbsync.dll' is not signed or its signature is invalid. ``` Agent started :green_circle:

Final testing results

Package with IMAGE_TRUST_CHECK=2

Windows XP 🟢

### Upgrade

Upgrade from 4.3.10 to core-branch signed package

1. Before upgrading - Check DLL signature 🟢 ``` Start → Programs → Accessories → System Tools → System Information → Tools menu → File Signature Verification Utility ``` ![image](https://user-images.githubusercontent.com/26927338/210415591-142b11b7-05d2-42cb-b047-431b7c152849.png) 2. Upgrade from `wazuh-agent v4.3.10` to `wazuh-agent v4.4.0` package 🟢 3. Check `ossec.log` file for the critical log 🟢 Agent stopped 🟢 4. Install the certificate DigiCert High Assurance EV Root CA https://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt): - Go to Start - Search for MMC - Select the Snap-in 'Certificates' - Select 'Add' - Select 'Computer account' and click 'Next' - Select 'Local computer' then click 'Finish' - Close the Snap-in screen by clicking 'OK' at the bottom right of the screen - Expand the 'Trusted Root Certification Authorities' followed by 'Certificates' - Right click on the intended certification store –> 'All Tasks' –> 'Import...' - Click 'Next' –> (select DigiCert High Assurance EV Root CA) -> 'Next' -> 'Finish' 5. Check ossec.log 🟢 ``` 2023/01/09 13:28:27 wazuh-agent: CRITICAL: The dynamic signature validation is not available for this system. Error 127: The specified procedure could not be found. ```

### Fresh install

Fresh install core-branch package

1. Install `wazuh-agent v4.4.0` package 🟢 2. Check `ossec.log` file for the critical log 🟢 ![image](https://user-images.githubusercontent.com/26927338/212124355-11bdab92-214a-4802-ab4b-eb75f1d80fd4.png) Agent stopped 🟢 4. Install the certificate DigiCert High Assurance EV Root CA https://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt): 5. Check ossec.log 🟢 ``` 2023/01/09 14:18:07 wazuh-agent: CRITICAL: The dynamic signature validation is not available for this system. Error 127: The specified procedure could not be found. ```

Windows 2003 🟢
### Upgrade
Upgrade from 4.3.10 to core-branch signed package
1. Before upgrading - Check DLL signature 🟢 ``` Start → Programs → Accessories → System Tools → System Information → Tools menu → File Signature Verification Utility ``` ![image](https://user-images.githubusercontent.com/26927338/212060442-a712a48f-2a87-4ba5-8c4a-074cdf0ddff2.png) 2. Upgrade from `wazuh-agent v4.3.10` to `wazuh-agent v4.4.0` package 🟢 3. Check DLL signature 🟢 ![image](https://user-images.githubusercontent.com/26927338/212061805-2e194855-c4ee-4696-8115-ec1bb0878acd.png) 5. Check `ossec.log` file for the critical log 🟢 Agent stopped 🟢 6. Install the certificate DigiCert High Assurance EV Root CA https://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt): - Go to Start - Search for MMC - Select the Snap-in 'Certificates' - Select 'Add' - Select 'Computer account' and click 'Next' - Select 'Local computer' then click 'Finish' - Close the Snap-in screen by clicking 'OK' at the bottom right of the screen - Expand the 'Trusted Root Certification Authorities' followed by 'Certificates' - Right click on the intended certification store –> 'All Tasks' –> 'Import...' - Click 'Next' –> (select DigiCert High Assurance EV Root CA) -> 'Next' -> 'Finish' 7. Check ossec.log 🟢 ``` 2023/01/12 04:07:05 wazuh-agent: CRITICAL: The dynamic signature validation is not available for this system. Error 127: The specified procedure could not be found. 2023/01/12 04:07:05 wazuh-agent: INFO: Received exit signal. Starting exit process. ```
### Fresh install
Fresh install core-branch package
1. Install `wazuh-agent v4.4.0` package 🟢 2. Check `ossec.log` file for the critical log 🟢 Agent stopped 🟢 4. Install the certificate DigiCert High Assurance EV Root CA https://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt): 5. Check ossec.log 🟢 ``` 2023/01/12 03:38:16 wazuh-agent: CRITICAL: The dynamic signature validation is not available for this system. Error 127: The specified procedure could not be found. 2023/01/12 03:38:16 wazuh-agent: INFO: Received exit signal. Starting exit process. ```

Windows Vista 🟢
### Upgrade
Upgrade from 4.3.10 to core-branch signed package
1. Before upgrading - Check DLL signature ``` Get-AuthenticodeSignature *.dll ``` ``` SignerCertificate Status Path ----------------- ------ ---- NotSigned dbsync.dll NotSigned libgcc_s_sjlj-1.dll NotSigned libwazuhext.dll NotSigned libwazuhshared.dll NotSigned libwinpthread-1.dll NotSigned rsync.dll NotSigned syscollector.dll NotSigned sysinfo.dll ``` - Check `dbsync.dll` hash ``` certutil.exe -hashfile .\dbsync.dll ``` ``` SHA-1 hash of file .\dbsync.dll: 4c 37 79 3f d4 8f 0a 74 46 5d a7 5a 8f 9b eb fd 9a 3c 97 a4 ``` 2. Upgrade from `wazuh-agent v4.3.10` to `wazuh-agent v4.4.0` package :green_circle: 3. Check `ossec.log` file for error, warning and critical logs :green_circle: ``` No error, warning, nor critical were found. Agent still running. ``` 4. Check DLL signature :green_circle: ``` SignerCertificate Status Path ----------------- ------ ---- 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid dbsync.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libgcc_s_dw2-1.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libstdc++-6.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwazuhext.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwazuhshared.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwinpthread-1.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid rsync.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid syscollector.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid sysinfo.dll ``` 5. Check `dbsync.dll` hash :green_circle: ``` SHA-1 hash of file .\dbsync.dll: 2e 14 5a 1b 90 6b 9f 21 6c 9a 92 dd 64 e3 17 82 57 4c 04 63 ``` 8. Stop `wazuh-agent` and modify DLL library ``` echo 1 >> dbsync.dll ``` 9. Start `wazuh-agent` and check `ossec.log` file the critical log 🟢 ``` 2023/01/03 11:33:42 wazuh-agent: INFO: Trust verification of a module failed by using the signature method. No signature found for 'C:\Program Files (x86)\ossec-agent\dbsync.dll'. 2023/01/03 11:33:42 wazuh-agent: INFO: Trust verification of a module failed by using the hash method. CryptCATAdminCalcHashFromFileHandle failed trying to get the hash size with error 2147942593 for 'C:\Program Files (x86)\ossec-agent\dbsync.dll': %1 is not a valid Win32 application. 2023/01/03 11:33:42 wazuh-agent: CRITICAL: The file 'C:\Program Files (x86)\ossec-agent\dbsync.dll' is not signed or its signature is invalid. 2023/01/03 11:33:42 wazuh-agent: INFO: Received exit signal. Starting exit process. 2023/01/03 11:33:42 wazuh-agent: INFO: Set pending exit signal. 2023/01/03 11:33:42 wazuh-modulesd:syscollector: INFO: Stop received for Syscollector. 2023/01/03 11:33:42 wazuh-agent: INFO: (1314): Shutdown received. Deleting responses. 2023/01/03 11:33:42 wazuh-agent: INFO: Exit completed successfully. ``` Agent stopped: 🟢 ![image](https://user-images.githubusercontent.com/26927338/210410799-2e447bb4-68b5-4eb8-aa85-cae9a0840053.png)
### Fresh install
Fresh install core-branch signed package
1. Install `wazuh-agent v4.4.0` package :green_circle: 2. Check `ossec.log` file for error, warning and critical logs :green_circle: ``` No error, warning, nor critical were found. ``` 3. Check DLL signature :green_circle: ``` SignerCertificate Status Path ----------------- ------ ---- 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid dbsync.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libgcc_s_dw2-1.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libstdc++-6.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwazuhext.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwazuhshared.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwinpthread-1.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid rsync.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid syscollector.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid sysinfo.dll ``` 4. Check `dbsync.dll` hash :green_circle: ``` SHA-1 hash of file .\dbsync.dll: 2e 14 5a 1b 90 6b 9f 21 6c 9a 92 dd 64 e3 17 82 57 4c 04 63 ``` 5. Modify DLL library ``` echo 1 >> dbsync.dll ``` 7. Start `wazuh-agent` and check `ossec.log` file for the critical log 🟢 ``` 2023/01/03 11:44:08 wazuh-agent: INFO: Trust verification of a module failed by using the signature method. No signature found for 'C:\Program Files (x86)\ossec-agent\dbsync.dll'. 2023/01/03 11:44:08 wazuh-agent: INFO: Trust verification of a module failed by using the hash method. CryptCATAdminCalcHashFromFileHandle failed trying to get the hash size with error 2147942593 for 'C:\Program Files (x86)\ossec-agent\dbsync.dll': %1 is not a valid Win32 application. 2023/01/03 11:44:08 wazuh-agent: CRITICAL: The file 'C:\Program Files (x86)\ossec-agent\dbsync.dll' is not signed or its signature is invalid. 2023/01/03 11:44:08 wazuh-agent: INFO: Received exit signal. Starting exit process. 2023/01/03 11:44:08 wazuh-agent: INFO: Set pending exit signal. 2023/01/03 11:44:08 wazuh-modulesd:syscollector: INFO: Stop received for Syscollector. 2023/01/03 11:44:08 wazuh-agent: INFO: (1314): Shutdown received. Deleting responses. 2023/01/03 11:44:08 wazuh-agent: INFO: Exit completed successfully. ``` Agent stopped :green_circle: ![image](https://user-images.githubusercontent.com/26927338/210412772-129ec11a-f88c-4566-8655-3c4a48186dad.png)

Windows 7 🟢
### Upgrade
Upgrade from 4.3.10 to core-branch signed package
1. Before upgrading - Check DLL signature ``` Get-AuthenticodeSignature *.dll ``` ``` SignerCertificate Status Path ----------------- ------ ---- NotSigned dbsync.dll NotSigned libgcc_s_sjlj-1.dll NotSigned libwazuhext.dll NotSigned libwazuhshared.dll NotSigned libwinpthread-1.dll NotSigned rsync.dll NotSigned syscollector.dll NotSigned sysinfo.dll ``` - Check `dbsync.dll` hash ``` certutil.exe -hashfile .\dbsync.dll ``` ``` SHA-1 hash of file .\dbsync.dll: 4c 37 79 3f d4 8f 0a 74 46 5d a7 5a 8f 9b eb fd 9a 3c 97 a4 ``` 2. Upgrade from `wazuh-agent v4.3.10` to `wazuh-agent v4.4.0` package :green_circle: 3. Check `ossec.log` file for error, warning and critical logs :green_circle: ``` No error, warning, nor critical were found. Agent still running. ``` 4. Check DLL signature :green_circle: ``` SignerCertificate Status Path ----------------- ------ ---- 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid dbsync.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libgcc_s_dw2-1.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libstdc++-6.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwazuhext.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwazuhshared.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwinpthread-1.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid rsync.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid syscollector.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid sysinfo.dll ``` 5. Check `dbsync.dll` hash :green_circle: ``` SHA-1 hash of file .\dbsync.dll: 2e 14 5a 1b 90 6b 9f 21 6c 9a 92 dd 64 e3 17 82 57 4c 04 63 SHA256 hash of file .\dbsync.dll: fe 74 b7 b5 ed e5 cd 26 82 23 fd fb 6b 4a 63 95 c8 b7 06 cf cd e9 68 1a 65 73 cd c8 4f 72 b6 08 ``` 6. Stop `wazuh-agent` and modify DLL library ``` echo 1 >> dbsync.dll ``` 8. Start `wazuh-agent` and check `ossec.log` file the critical log 🟢 ``` 2023/01/03 20:17:23 wazuh-agent: INFO: Trust verification of a module failed by using the signature method. The file 'C:\Program Files (x86)\ossec-agent\dbsync.dll' or its signature is corrupt. 2023/01/03 20:17:23 wazuh-agent: INFO: Trust verification of a module failed by using the hash method. CryptCATAdminEnumCatalogFromHash failed with error 1168 for 'C:\Program Files (x86)\ossec-agent\dbsync.dll': Element not found. 2023/01/03 20:17:23 wazuh-agent: CRITICAL: The file 'C:\Program Files (x86)\ossec-agent\dbsync.dll' is not signed or its signature is invalid. 2023/01/03 20:17:23 wazuh-agent: INFO: Received exit signal. Starting exit process. 2023/01/03 20:17:23 wazuh-agent: INFO: Set pending exit signal. 2023/01/03 20:17:23 wazuh-modulesd:syscollector: INFO: Stop received for Syscollector. 2023/01/03 20:17:23 wazuh-agent: INFO: Exit completed successfully. 2023/01/03 20:17:23 wazuh-agent: INFO: (1314): Shutdown received. Deleting responses. ``` Agent stopped: 🟢 ![image](https://user-images.githubusercontent.com/26927338/210435022-a857a2dc-52fa-4065-9633-fa4f9f0feb1e.png)
### Fresh install
Fresh install core-branch signed package
1. Install `wazuh-agent v4.4.0` package :green_circle: 2. Check `ossec.log` file for error, warning and critical logs :green_circle: ``` No error, warning, nor critical were found. ``` 3. Check DLL signature :green_circle: ``` SignerCertificate Status Path ----------------- ------ ---- 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid dbsync.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libgcc_s_dw2-1.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libstdc++-6.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwazuhext.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwazuhshared.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwinpthread-1.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid rsync.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid syscollector.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid sysinfo.dll ``` 4. Check `dbsync.dll` hash :green_circle: ``` SHA-1 hash of file .\dbsync.dll: 2e 14 5a 1b 90 6b 9f 21 6c 9a 92 dd 64 e3 17 82 57 4c 04 63 SHA256 hash of file .\dbsync.dll: fe 74 b7 b5 ed e5 cd 26 82 23 fd fb 6b 4a 63 95 c8 b7 06 cf cd e9 68 1a 65 73 cd c8 4f 72 b6 08 ``` 5. Modify DLL library ``` echo 1 >> dbsync.dll ``` 6. Start `wazuh-agent` and check `ossec.log` file for the critical log 🟢 ``` 2023/01/03 20:26:48 wazuh-agent: INFO: Trust verification of a module failed by using the signature method. The file 'C:\Program Files (x86)\ossec-agent\dbsync.dll' or its signature is corrupt. 2023/01/03 20:26:48 wazuh-agent: INFO: Trust verification of a module failed by using the hash method. CryptCATAdminEnumCatalogFromHash failed with error 1168 for 'C:\Program Files (x86)\ossec-agent\dbsync.dll': Element not found. 2023/01/03 20:26:48 wazuh-agent: CRITICAL: The file 'C:\Program Files (x86)\ossec-agent\dbsync.dll' is not signed or its signature is invalid. 2023/01/03 20:26:48 wazuh-agent: INFO: Received exit signal. Starting exit process. 2023/01/03 20:26:48 wazuh-agent: INFO: Set pending exit signal. 2023/01/03 20:26:48 wazuh-modulesd:syscollector: INFO: Stop received for Syscollector. 2023/01/03 20:26:48 wazuh-agent: INFO: Exit completed successfully. 2023/01/03 20:26:48 wazuh-agent: INFO: (1314): Shutdown received. Deleting responses. ``` Agent stopped :green_circle: ![image](https://user-images.githubusercontent.com/26927338/210436207-90101860-40cb-478e-8281-281caf478603.png)

Windows 8 🟢
### Upgrade
Upgrade from 4.3.10 to core-branch signed package
1. Before upgrading - Check DLL signature ``` Get-AuthenticodeSignature *.dll ``` ``` SignerCertificate Status Path ----------------- ------ ---- NotSigned dbsync.dll NotSigned libgcc_s_sjlj-1.dll NotSigned libwazuhext.dll NotSigned libwazuhshared.dll NotSigned libwinpthread-1.dll NotSigned rsync.dll NotSigned syscollector.dll NotSigned sysinfo.dll ``` - Check `dbsync.dll` hash ``` certutil.exe -hashfile .\dbsync.dll ``` ``` SHA-1 hash of file .\dbsync.dll: 4c 37 79 3f d4 8f 0a 74 46 5d a7 5a 8f 9b eb fd 9a 3c 97 a4 SHA256 hash of file .\dbsync.dll: fa 1c 0f 6a 3e 71 c8 65 39 79 66 29 ea ec fc 79 84 5b bb 98 4c f1 5a c6 40 2c c6 70 ac b0 30 c2 ``` 2. Upgrade from `wazuh-agent v4.3.10` to `wazuh-agent v4.4.0` package :green_circle: 3. Check `ossec.log` file for error, warning and critical logs :green_circle: ``` No error, warning, nor critical were found. Agent still running. ``` 4. Check DLL signature :green_circle: ``` SignerCertificate Status Path ----------------- ------ ---- 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid dbsync.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libgcc_s_dw2-1.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libstdc++-6.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwazuhext.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwazuhshared.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwinpthread-1.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid rsync.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid syscollector.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid sysinfo.dll ``` 5. Check `dbsync.dll` hash :green_circle: ``` SHA-1 hash of file .\dbsync.dll: 2e 14 5a 1b 90 6b 9f 21 6c 9a 92 dd 64 e3 17 82 57 4c 04 63 SHA256 hash of file .\dbsync.dll: fe 74 b7 b5 ed e5 cd 26 82 23 fd fb 6b 4a 63 95 c8 b7 06 cf cd e9 68 1a 65 73 cd c8 4f 72 b6 08 ``` 6. Stop `wazuh-agent` and modify DLL library ``` echo 1 >> dbsync.dll ``` 9. Start `wazuh-agent` and check `ossec.log` file the critical log 🟢 ``` 2023/01/04 08:24:25 wazuh-agent: INFO: Trust verification of a module failed by using the hash method. CryptCATAdminCalcHashFromFileHandle failed trying to calculate hash with error 2147942593 for 'C:\Program Files (x86)\ossec-agent\dbsync.dll': %1 is not a valid Win32 application. 2023/01/04 08:24:25 wazuh-agent: CRITICAL: The file 'C:\Program Files (x86)\ossec-agent\dbsync.dll' is not signed or its signature is invalid. 2023/01/04 08:24:25 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\Protocols', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256' ``` Agent stopped: 🟢 ![image](https://user-images.githubusercontent.com/26927338/210602529-4b66130f-c8fc-4e10-80b5-43d0927675e8.png)
### Fresh install
Fresh install core-branch signed package
1. Install `wazuh-agent v4.4.0` package :green_circle: 2. Check `ossec.log` file for error, warning and critical logs :green_circle: ``` No error, warning, nor critical were found. ``` 3. Check DLL signature :green_circle: ``` SignerCertificate Status Path ----------------- ------ ---- 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid dbsync.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libgcc_s_dw2-1.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libstdc++-6.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwazuhext.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwazuhshared.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwinpthread-1.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid rsync.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid syscollector.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid sysinfo.dll ``` 4. Check `dbsync.dll` hash :green_circle: ``` SHA-1 hash of file .\dbsync.dll: 2e 14 5a 1b 90 6b 9f 21 6c 9a 92 dd 64 e3 17 82 57 4c 04 63 SHA256 hash of file .\dbsync.dll: fe 74 b7 b5 ed e5 cd 26 82 23 fd fb 6b 4a 63 95 c8 b7 06 cf cd e9 68 1a 65 73 cd c8 4f 72 b6 08 ``` 5. Modify DLL library ``` echo 1 >> dbsync.dll ``` 6. Start `wazuh-agent` and check `ossec.log` file for the critical log 🟢 ``` 2023/01/03 20:26:48 wazuh-agent: INFO: Trust verification of a module failed by using the signature method. The file 'C:\Program Files (x86)\ossec-agent\dbsync.dll' or its signature is corrupt. 2023/01/03 20:26:48 wazuh-agent: INFO: Trust verification of a module failed by using the hash method. CryptCATAdminEnumCatalogFromHash failed with error 1168 for 'C:\Program Files (x86)\ossec-agent\dbsync.dll': Element not found. 2023/01/03 20:26:48 wazuh-agent: CRITICAL: The file 'C:\Program Files (x86)\ossec-agent\dbsync.dll' is not signed or its signature is invalid. 2023/01/03 20:26:48 wazuh-agent: INFO: Received exit signal. Starting exit process. 2023/01/03 20:26:48 wazuh-agent: INFO: Set pending exit signal. 2023/01/03 20:26:48 wazuh-modulesd:syscollector: INFO: Stop received for Syscollector. 2023/01/03 20:26:48 wazuh-agent: INFO: Exit completed successfully. 2023/01/03 20:26:48 wazuh-agent: INFO: (1314): Shutdown received. Deleting responses. ``` Agent stopped :green_circle: ![image](https://user-images.githubusercontent.com/26927338/210436207-90101860-40cb-478e-8281-281caf478603.png)

Windows 10 🟢
### Upgrade
Upgrade from 4.3.10 to core-branch signed package
1. Before upgrading - Check DLL signature ``` Get-AuthenticodeSignature *.dll ``` ``` SignerCertificate Status Path ----------------- ------ ---- NotSigned dbsync.dll NotSigned libgcc_s_sjlj-1.dll NotSigned libwazuhext.dll NotSigned libwazuhshared.dll NotSigned libwinpthread-1.dll NotSigned rsync.dll NotSigned syscollector.dll NotSigned sysinfo.dll ``` - Check `dbsync.dll` hash ``` certutil.exe -hashfile .\dbsync.dll ``` ``` SHA-1 hash of file .\dbsync.dll: 4c 37 79 3f d4 8f 0a 74 46 5d a7 5a 8f 9b eb fd 9a 3c 97 a4 SHA256 hash of file .\dbsync.dll: fa 1c 0f 6a 3e 71 c8 65 39 79 66 29 ea ec fc 79 84 5b bb 98 4c f1 5a c6 40 2c c6 70 ac b0 30 c2 ``` 2. Upgrade from `wazuh-agent v4.3.10` to `wazuh-agent v4.4.0` package :green_circle: 3. Check `ossec.log` file for error, warning and critical logs :green_circle: ``` No error, warning, nor critical were found. Agent still running. ``` 4. Check DLL signature :green_circle: ``` SignerCertificate Status Path ----------------- ------ ---- 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid dbsync.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libgcc_s_dw2-1.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libstdc++-6.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwazuhext.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwazuhshared.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwinpthread-1.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid rsync.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid syscollector.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid sysinfo.dll ``` 5. Check `dbsync.dll` hash :green_circle: ``` SHA-1 hash of file .\dbsync.dll: 2e 14 5a 1b 90 6b 9f 21 6c 9a 92 dd 64 e3 17 82 57 4c 04 63 SHA256 hash of file .\dbsync.dll: fe 74 b7 b5 ed e5 cd 26 82 23 fd fb 6b 4a 63 95 c8 b7 06 cf cd e9 68 1a 65 73 cd c8 4f 72 b6 08 ``` 6. Stop `wazuh-agent` and modify DLL library ``` echo 1 >> dbsync.dll ``` 7. Start `wazuh-agent` and check `ossec.log` file the critical log 🟢 ``` 2023/01/05 08:49:25 wazuh-agent: INFO: Trust verification of a module failed by using the signature method. No signature found for 'C:\Program Files (x86)\ossec-agent\dbsync.dll'. 2023/01/05 08:49:25 wazuh-agent: INFO: Windows version is 6.0 or newer. (Microsoft Windows 10 Home [Ver: 10.0.17763.1577] - Wazuh v4.4.0). 2023/01/05 08:49:25 wazuh-modulesd:agent-upgrade: INFO: (8153): Module Agent Upgrade started. 2023/01/05 08:49:25 wazuh-agent: INFO: (1951): Analyzing event log: 'Application'. 2023/01/05 08:49:25 wazuh-agent: INFO: Trust verification of a module failed by using the hash method. CryptCATAdminCalcHashFromFileHandle failed trying to calculate hash with error 2147942593 for 'C:\Program Files (x86)\ossec-agent\dbsync.dll': %1 is not a valid Win32 application. 2023/01/05 08:49:25 wazuh-agent: INFO: (1951): Analyzing event log: 'Security'. 2023/01/05 08:49:25 wazuh-agent: CRITICAL: The file 'C:\Program Files (x86)\ossec-agent\dbsync.dll' is not signed or its signature is invalid. ``` Agent stopped: 🟢 ![image](https://user-images.githubusercontent.com/26927338/210774295-68aa9a9f-8043-4336-8380-4ee26713ea0f.png)
### Fresh install
Fresh install core-branch signed package
1. Install `wazuh-agent v4.4.0` package :green_circle: 2. Check `ossec.log` file for error, warning and critical logs :green_circle: ``` No error, warning, nor critical were found. ``` 3. Check DLL signature :green_circle: ``` SignerCertificate Status Path ----------------- ------ ---- 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid dbsync.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libgcc_s_dw2-1.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libstdc++-6.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwazuhext.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwazuhshared.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwinpthread-1.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid rsync.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid syscollector.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid sysinfo.dll ``` 4. Check `dbsync.dll` hash :green_circle: ``` SHA-1 hash of file .\dbsync.dll: 2e 14 5a 1b 90 6b 9f 21 6c 9a 92 dd 64 e3 17 82 57 4c 04 63 SHA256 hash of file .\dbsync.dll: fe 74 b7 b5 ed e5 cd 26 82 23 fd fb 6b 4a 63 95 c8 b7 06 cf cd e9 68 1a 65 73 cd c8 4f 72 b6 08 ``` 5. Modify DLL library ``` echo 1 >> dbsync.dll ``` 6. Start `wazuh-agent` and check `ossec.log` file for the critical log 🟢 ``` 2023/01/05 08:57:52 wazuh-agent: INFO: Trust verification of a module failed by using the signature method. No signature found for 'C:\Program Files (x86)\ossec-agent\dbsync.dll'. 2023/01/05 08:57:52 wazuh-agent: INFO: Trust verification of a module failed by using the hash method. CryptCATAdminCalcHashFromFileHandle failed trying to calculate hash with error 2147942593 for 'C:\Program Files (x86)\ossec-agent\dbsync.dll': %1 is not a valid Win32 application. 2023/01/05 08:57:52 wazuh-agent: CRITICAL: The file 'C:\Program Files (x86)\ossec-agent\dbsync.dll' is not signed or its signature is invalid. ``` Agent stopped :green_circle: ![image](https://user-images.githubusercontent.com/26927338/210775563-4ad3ef3e-ddc3-4b04-a8cc-2d03f76d4a29.png)

Windows 2012 🟢
### Upgrade
Upgrade from 4.3.10 to core-branch signed package
1. Before upgrading - Check DLL signature ``` Get-AuthenticodeSignature *.dll ``` ``` SignerCertificate Status Path ----------------- ------ ---- NotSigned dbsync.dll NotSigned libgcc_s_sjlj-1.dll NotSigned libwazuhext.dll NotSigned libwazuhshared.dll NotSigned libwinpthread-1.dll NotSigned rsync.dll NotSigned syscollector.dll NotSigned sysinfo.dll ``` - Check `dbsync.dll` hash ``` certutil.exe -hashfile .\dbsync.dll ``` ``` SHA-1 hash of file .\dbsync.dll: 4c 37 79 3f d4 8f 0a 74 46 5d a7 5a 8f 9b eb fd 9a 3c 97 a4 SHA256 hash of file .\dbsync.dll: fa 1c 0f 6a 3e 71 c8 65 39 79 66 29 ea ec fc 79 84 5b bb 98 4c f1 5a c6 40 2c c6 70 ac b0 30 c2 ``` 2. Upgrade from `wazuh-agent v4.3.10` to `wazuh-agent v4.4.0` package :green_circle: 3. Check `ossec.log` file for error, warning and critical logs :green_circle: ``` No error, warning, nor critical were found. Agent still running. ``` 4. Check DLL signature :green_circle: ``` SignerCertificate Status Path ----------------- ------ ---- 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid dbsync.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libgcc_s_dw2-1.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libstdc++-6.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwazuhext.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwazuhshared.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwinpthread-1.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid rsync.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid syscollector.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid sysinfo.dll ``` 5. Check `dbsync.dll` hash :green_circle: ``` SHA-1 hash of file .\dbsync.dll: 2e 14 5a 1b 90 6b 9f 21 6c 9a 92 dd 64 e3 17 82 57 4c 04 63 SHA256 hash of file .\dbsync.dll: fe 74 b7 b5 ed e5 cd 26 82 23 fd fb 6b 4a 63 95 c8 b7 06 cf cd e9 68 1a 65 73 cd c8 4f 72 b6 08 ``` 6. Stop `wazuh-agent` and modify DLL library ``` echo 1 >> dbsync.dll ``` 7. Start `wazuh-agent` and check `ossec.log` file the critical log 🟢 ``` 2023/01/05 13:15:40 wazuh-agent: INFO: Trust verification of a module failed by using the signature method. No signature found for 'C:\Program Files (x86)\ossec-agent\dbsync.dll'. 2023/01/05 13:15:40 wazuh-agent: INFO: Trust verification of a module failed by using the hash method. CryptCATAdminCalcHashFromFileHandle failed trying to calculate hash with error 2147942593 for 'C:\Program Files (x86)\ossec-agent\dbsync.dll': %1 is not a valid Win32 application. 2023/01/05 13:15:40 wazuh-agent: CRITICAL: The file 'C:\Program Files (x86)\ossec-agent\dbsync.dll' is not signed or its signature is invalid. ``` Agent stopped: 🟢 ![image](https://user-images.githubusercontent.com/26927338/210788846-5de8c3fa-deab-425e-8e96-6a017c73035e.png)
### Fresh install
Fresh install core-branch signed package
1. Install `wazuh-agent v4.4.0` package :green_circle: 2. Check `ossec.log` file for error, warning and critical logs :green_circle: ``` No error, warning, nor critical were found. ``` 3. Check DLL signature :green_circle: ``` SignerCertificate Status Path ----------------- ------ ---- 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid dbsync.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libgcc_s_dw2-1.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libstdc++-6.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwazuhext.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwazuhshared.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwinpthread-1.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid rsync.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid syscollector.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid sysinfo.dll ``` 4. Check `dbsync.dll` hash :green_circle: ``` SHA-1 hash of file .\dbsync.dll: 2e 14 5a 1b 90 6b 9f 21 6c 9a 92 dd 64 e3 17 82 57 4c 04 63 SHA256 hash of file .\dbsync.dll: fe 74 b7 b5 ed e5 cd 26 82 23 fd fb 6b 4a 63 95 c8 b7 06 cf cd e9 68 1a 65 73 cd c8 4f 72 b6 08 ``` 5. Modify DLL library ``` echo 1 >> dbsync.dll ``` 6. Start `wazuh-agent` and check `ossec.log` file for the critical log 🟢 ``` 2023/01/05 13:04:56 wazuh-agent: INFO: Trust verification of a module failed by using the signature method. No signature found for 'C:\Program Files (x86)\ossec-agent\dbsync.dll'. 2023/01/05 13:04:56 wazuh-agent: INFO: Trust verification of a module failed by using the hash method. CryptCATAdminCalcHashFromFileHandle failed trying to calculate hash with error 2147942593 for 'C:\Program Files (x86)\ossec-agent\dbsync.dll': %1 is not a valid Win32 application. 2023/01/05 13:04:56 wazuh-agent: CRITICAL: The file 'C:\Program Files (x86)\ossec-agent\dbsync.dll' is not signed or its signature is invalid. ``` Agent stopped :green_circle: ![image](https://user-images.githubusercontent.com/26927338/210787815-bb6a2717-4959-464a-aa2a-82e028dc70f7.png)

Windows 2016 🟢
### Upgrade
Upgrade from 4.3.10 to core-branch signed package
1. Before upgrading - Check DLL signature ``` Get-AuthenticodeSignature *.dll ``` ``` SignerCertificate Status Path ----------------- ------ ---- NotSigned dbsync.dll NotSigned libgcc_s_sjlj-1.dll NotSigned libwazuhext.dll NotSigned libwazuhshared.dll NotSigned libwinpthread-1.dll NotSigned rsync.dll NotSigned syscollector.dll NotSigned sysinfo.dll ``` - Check `dbsync.dll` hash ``` certutil.exe -hashfile .\dbsync.dll ``` ``` SHA-1 hash of file .\dbsync.dll: 4c 37 79 3f d4 8f 0a 74 46 5d a7 5a 8f 9b eb fd 9a 3c 97 a4 SHA256 hash of file .\dbsync.dll: fa 1c 0f 6a 3e 71 c8 65 39 79 66 29 ea ec fc 79 84 5b bb 98 4c f1 5a c6 40 2c c6 70 ac b0 30 c2 ``` 2. Upgrade from `wazuh-agent v4.3.10` to `wazuh-agent v4.4.0` package :green_circle: 3. Check `ossec.log` file for error, warning and critical logs :green_circle: ``` No error, warning, nor critical were found. Agent still running. ``` 4. Check DLL signature :green_circle: ``` SignerCertificate Status Path ----------------- ------ ---- 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid dbsync.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libgcc_s_dw2-1.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libstdc++-6.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwazuhext.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwazuhshared.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwinpthread-1.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid rsync.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid syscollector.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid sysinfo.dll ``` 5. Check `dbsync.dll` hash :green_circle: ``` SHA-1 hash of file .\dbsync.dll: 2e 14 5a 1b 90 6b 9f 21 6c 9a 92 dd 64 e3 17 82 57 4c 04 63 SHA256 hash of file .\dbsync.dll: fe 74 b7 b5 ed e5 cd 26 82 23 fd fb 6b 4a 63 95 c8 b7 06 cf cd e9 68 1a 65 73 cd c8 4f 72 b6 08 ``` 6. Stop `wazuh-agent` and modify DLL library ``` echo 1 >> dbsync.dll ``` 7. Start `wazuh-agent` and check `ossec.log` file the critical log 🟢 ``` 2023/01/05 14:42:04 wazuh-agent: INFO: Trust verification of a module failed by using the signature method. No signature found for 'C:\Program Files (x86)\ossec-agent\dbsync.dll'. 2023/01/05 14:42:04 wazuh-agent: INFO: Trust verification of a module failed by using the hash method. CryptCATAdminCalcHashFromFileHandle failed trying to calculate hash with error 2147942593 for 'C:\Program Files (x86)\ossec-agent\dbsync.dll': %1 is not a valid Win32 application. 2023/01/05 14:42:04 wazuh-agent: CRITICAL: The file 'C:\Program Files (x86)\ossec-agent\dbsync.dll' is not signed or its signature is invalid. ``` Agent stopped: 🟢 ![image](https://user-images.githubusercontent.com/26927338/210806437-187eb8bd-58df-435d-a806-72607a963bb1.png)
### Fresh install
Fresh install core-branch signed package
1. Install `wazuh-agent v4.4.0` package :green_circle: 2. Check `ossec.log` file for error, warning and critical logs :green_circle: ``` No error, warning, nor critical were found. ``` 3. Check DLL signature :green_circle: ``` SignerCertificate Status Path ----------------- ------ ---- 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid dbsync.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libgcc_s_dw2-1.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libstdc++-6.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwazuhext.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwazuhshared.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwinpthread-1.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid rsync.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid syscollector.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid sysinfo.dll ``` 4. Check `dbsync.dll` hash :green_circle: ``` SHA-1 hash of file .\dbsync.dll: 2e 14 5a 1b 90 6b 9f 21 6c 9a 92 dd 64 e3 17 82 57 4c 04 63 SHA256 hash of file .\dbsync.dll: fe 74 b7 b5 ed e5 cd 26 82 23 fd fb 6b 4a 63 95 c8 b7 06 cf cd e9 68 1a 65 73 cd c8 4f 72 b6 08 ``` 5. Modify DLL library ``` echo 1 >> dbsync.dll ``` 6. Start `wazuh-agent` and check `ossec.log` file for the critical log 🟢 ``` 2023/01/05 14:55:53 wazuh-agent: INFO: Trust verification of a module failed by using the signature method. No signature found for 'C:\Program Files (x86)\ossec-agent\dbsync.dll'. 2023/01/05 14:55:53 wazuh-agent: INFO: Trust verification of a module failed by using the hash method. CryptCATAdminCalcHashFromFileHandle failed trying to calculate hash with error 2147942593 for 'C:\Program Files (x86)\ossec-agent\dbsync.dll': %1 is not a valid Win32 application. 2023/01/05 14:55:53 wazuh-agent: CRITICAL: The file 'C:\Program Files (x86)\ossec-agent\dbsync.dll' is not signed or its signature is invalid. ``` Agent stopped :green_circle: ![image](https://user-images.githubusercontent.com/26927338/210809770-601bd5a0-cf56-4edb-a238-088beae4a26f.png)

Windows 2019 🟢
### Upgrade
Upgrade from 4.3.10 to core-branch signed package
1. Before upgrading - Check DLL signature ``` Get-AuthenticodeSignature *.dll ``` ``` SignerCertificate Status Path ----------------- ------ ---- NotSigned dbsync.dll NotSigned libgcc_s_sjlj-1.dll NotSigned libwazuhext.dll NotSigned libwazuhshared.dll NotSigned libwinpthread-1.dll NotSigned rsync.dll NotSigned syscollector.dll NotSigned sysinfo.dll ``` - Check `dbsync.dll` hash ``` certutil.exe -hashfile .\dbsync.dll ``` ``` SHA-1 hash of file .\dbsync.dll: 4c 37 79 3f d4 8f 0a 74 46 5d a7 5a 8f 9b eb fd 9a 3c 97 a4 SHA256 hash of file .\dbsync.dll: fa 1c 0f 6a 3e 71 c8 65 39 79 66 29 ea ec fc 79 84 5b bb 98 4c f1 5a c6 40 2c c6 70 ac b0 30 c2 ``` 2. Upgrade from `wazuh-agent v4.3.10` to `wazuh-agent v4.4.0` package :green_circle: 3. Check `ossec.log` file for error, warning and critical logs :green_circle: ``` No error, warning, nor critical were found. Agent still running. ``` 4. Check DLL signature :green_circle: ``` SignerCertificate Status Path ----------------- ------ ---- 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid dbsync.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libgcc_s_dw2-1.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libstdc++-6.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwazuhext.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwazuhshared.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwinpthread-1.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid rsync.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid syscollector.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid sysinfo.dll ``` 5. Check `dbsync.dll` hash :green_circle: ``` SHA-1 hash of file .\dbsync.dll: 2e 14 5a 1b 90 6b 9f 21 6c 9a 92 dd 64 e3 17 82 57 4c 04 63 SHA256 hash of file .\dbsync.dll: fe 74 b7 b5 ed e5 cd 26 82 23 fd fb 6b 4a 63 95 c8 b7 06 cf cd e9 68 1a 65 73 cd c8 4f 72 b6 08 ``` 6. Stop `wazuh-agent` and modify DLL library ``` echo 1 >> dbsync.dll ``` 7. Start `wazuh-agent` and check `ossec.log` file the critical log 🟢 ``` 2023/01/05 15:34:49 wazuh-agent: INFO: Trust verification of a module failed by using the signature method. No signature found for 'C:\Program Files (x86)\ossec-agent\dbsync.dll'. 2023/01/05 15:34:49 wazuh-agent: INFO: Trust verification of a module failed by using the hash method. CryptCATAdminCalcHashFromFileHandle failed trying to calculate hash with error 2147942593 for 'C:\Program Files (x86)\ossec-agent\dbsync.dll': %1 is not a valid Win32 application. 2023/01/05 15:34:49 wazuh-agent: CRITICAL: The file 'C:\Program Files (x86)\ossec-agent\dbsync.dll' is not signed or its signature is invalid. 2023/01/05 15:34:49 wazuh-agent: INFO: Received exit signal. Starting exit process. ``` Agent stopped: 🟢 ![image](https://user-images.githubusercontent.com/26927338/210819540-fb04e212-f0d3-49b4-b07c-67c3361b3875.png)
### Fresh install
Fresh install core-branch signed package
1. Install `wazuh-agent v4.4.0` package :green_circle: 2. Check `ossec.log` file for error, warning and critical logs :green_circle: ``` No error, warning, nor critical were found. ``` 3. Check DLL signature :green_circle: ``` SignerCertificate Status Path ----------------- ------ ---- 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid dbsync.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libgcc_s_dw2-1.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libstdc++-6.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwazuhext.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwazuhshared.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwinpthread-1.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid rsync.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid syscollector.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid sysinfo.dll ``` 4. Check `dbsync.dll` hash :green_circle: ``` SHA-1 hash of file .\dbsync.dll: 2e 14 5a 1b 90 6b 9f 21 6c 9a 92 dd 64 e3 17 82 57 4c 04 63 SHA256 hash of file .\dbsync.dll: fe 74 b7 b5 ed e5 cd 26 82 23 fd fb 6b 4a 63 95 c8 b7 06 cf cd e9 68 1a 65 73 cd c8 4f 72 b6 08 ``` 5. Modify DLL library ``` echo 1 >> dbsync.dll ``` 6. Start `wazuh-agent` and check `ossec.log` file for the critical log 🟢 ``` 2023/01/05 15:39:17 wazuh-agent: INFO: Trust verification of a module failed by using the signature method. No signature found for 'C:\Program Files (x86)\ossec-agent\dbsync.dll'. 2023/01/05 15:39:17 wazuh-agent: INFO: Trust verification of a module failed by using the hash method. CryptCATAdminCalcHashFromFileHandle failed trying to calculate hash with error 2147942593 for 'C:\Program Files (x86)\ossec-agent\dbsync.dll': %1 is not a valid Win32 application. 2023/01/05 15:39:17 wazuh-agent: CRITICAL: The file 'C:\Program Files (x86)\ossec-agent\dbsync.dll' is not signed or its signature is invalid. ``` Agent stopped :green_circle: ![image](https://user-images.githubusercontent.com/26927338/210820755-b52eaa8a-4009-4cd1-bdbc-f5f10f28757c.png)

Windows 2022 🟢
### Upgrade
Upgrade from 4.3.10 to core-branch signed package
1. Before upgrading - Check DLL signature ``` Get-AuthenticodeSignature *.dll ``` ``` SignerCertificate Status Path ----------------- ------ ---- NotSigned dbsync.dll NotSigned libgcc_s_sjlj-1.dll NotSigned libwazuhext.dll NotSigned libwazuhshared.dll NotSigned libwinpthread-1.dll NotSigned rsync.dll NotSigned syscollector.dll NotSigned sysinfo.dll ``` - Check `dbsync.dll` hash ``` certutil.exe -hashfile .\dbsync.dll ``` ``` SHA-1 hash of file .\dbsync.dll: 4c 37 79 3f d4 8f 0a 74 46 5d a7 5a 8f 9b eb fd 9a 3c 97 a4 SHA256 hash of file .\dbsync.dll: fa 1c 0f 6a 3e 71 c8 65 39 79 66 29 ea ec fc 79 84 5b bb 98 4c f1 5a c6 40 2c c6 70 ac b0 30 c2 ``` 2. Upgrade from `wazuh-agent v4.3.10` to `wazuh-agent v4.4.0` package :green_circle: 3. Check `ossec.log` file for error, warning and critical logs :green_circle: ``` No error, warning, nor critical were found. Agent still running. ``` 4. Check DLL signature :green_circle: ``` SignerCertificate Status Path ----------------- ------ ---- 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid dbsync.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libgcc_s_dw2-1.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libstdc++-6.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwazuhext.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwazuhshared.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwinpthread-1.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid rsync.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid syscollector.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid sysinfo.dll ``` 5. Check `dbsync.dll` hash :green_circle: ``` SHA-1 hash of file .\dbsync.dll: 2e 14 5a 1b 90 6b 9f 21 6c 9a 92 dd 64 e3 17 82 57 4c 04 63 SHA256 hash of file .\dbsync.dll: fe 74 b7 b5 ed e5 cd 26 82 23 fd fb 6b 4a 63 95 c8 b7 06 cf cd e9 68 1a 65 73 cd c8 4f 72 b6 08 ``` 6. Stop `wazuh-agent` and modify DLL library ``` echo 1 >> dbsync.dll ``` 7. Start `wazuh-agent` and check `ossec.log` file the critical log 🟢 ``` 2023/01/05 17:17:09 wazuh-agent: INFO: Trust verification of a module failed by using the signature method. No signature found for 'C:\Program Files (x86)\ossec-agent\dbsync.dll'. 2023/01/05 17:17:09 wazuh-agent: INFO: Trust verification of a module failed by using the hash method. CryptCATAdminCalcHashFromFileHandle failed trying to calculate hash with error 2147942593 for 'C:\Program Files (x86)\ossec-agent\dbsync.dll': %1 is not a valid Win32 application. 2023/01/05 17:17:09 wazuh-agent: CRITICAL: The file 'C:\Program Files (x86)\ossec-agent\dbsync.dll' is not signed or its signature is invalid. ``` Agent stopped: 🟢 ![image](https://user-images.githubusercontent.com/26927338/210841724-c01d0bcd-bf68-4ed3-894a-3b3f1f21b7b6.png)
### Fresh install
Fresh install core-branch signed package
1. Install `wazuh-agent v4.4.0` package :green_circle: 2. Check `ossec.log` file for error, warning and critical logs :green_circle: ``` No error, warning, nor critical were found. ``` 3. Check DLL signature :green_circle: ``` SignerCertificate Status Path ----------------- ------ ---- 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid dbsync.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libgcc_s_dw2-1.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libstdc++-6.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwazuhext.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwazuhshared.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwinpthread-1.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid rsync.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid syscollector.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid sysinfo.dll ``` 4. Check `dbsync.dll` hash :green_circle: ``` SHA-1 hash of file .\dbsync.dll: 2e 14 5a 1b 90 6b 9f 21 6c 9a 92 dd 64 e3 17 82 57 4c 04 63 SHA256 hash of file .\dbsync.dll: fe 74 b7 b5 ed e5 cd 26 82 23 fd fb 6b 4a 63 95 c8 b7 06 cf cd e9 68 1a 65 73 cd c8 4f 72 b6 08 ``` 5. Modify DLL library ``` echo 1 >> dbsync.dll ``` 6. Start `wazuh-agent` and check `ossec.log` file for the critical log 🟢 ``` 2023/01/05 17:23:27 wazuh-agent: INFO: Trust verification of a module failed by using the signature method. No signature found for 'C:\Program Files (x86)\ossec-agent\dbsync.dll'. 2023/01/05 17:23:27 wazuh-agent: INFO: Trust verification of a module failed by using the hash method. CryptCATAdminCalcHashFromFileHandle failed trying to calculate hash with error 2147942593 for 'C:\Program Files (x86)\ossec-agent\dbsync.dll': %1 is not a valid Win32 application. 2023/01/05 17:23:27 wazuh-agent: CRITICAL: The file 'C:\Program Files (x86)\ossec-agent\dbsync.dll' is not signed or its signature is invalid. 2023/01/05 17:23:27 wazuh-agent: INFO: Received exit signal. Starting exit process. ``` Agent stopped :green_circle: ![image](https://user-images.githubusercontent.com/26927338/210842774-85c6faaa-1443-46e7-aa2c-85194b5f6950.png)

Windows 11 🟢
### Upgrade
Upgrade from 4.3.10 to core-branch signed package
1. Before upgrading - Check DLL signature ``` Get-AuthenticodeSignature *.dll ``` ``` SignerCertificate Status Path ----------------- ------ ---- NotSigned dbsync.dll NotSigned libgcc_s_sjlj-1.dll NotSigned libwazuhext.dll NotSigned libwazuhshared.dll NotSigned libwinpthread-1.dll NotSigned rsync.dll NotSigned syscollector.dll NotSigned sysinfo.dll ``` - Check `dbsync.dll` hash ``` certutil.exe -hashfile .\dbsync.dll ``` ``` SHA-1 hash of file .\dbsync.dll: 4c 37 79 3f d4 8f 0a 74 46 5d a7 5a 8f 9b eb fd 9a 3c 97 a4 SHA256 hash of file .\dbsync.dll: fa 1c 0f 6a 3e 71 c8 65 39 79 66 29 ea ec fc 79 84 5b bb 98 4c f1 5a c6 40 2c c6 70 ac b0 30 c2 ``` 2. Upgrade from `wazuh-agent v4.3.10` to `wazuh-agent v4.4.0` package :green_circle: 3. Check `ossec.log` file for error, warning and critical logs :green_circle: ``` No error, warning, nor critical were found. Agent still running. ``` 4. Check DLL signature :green_circle: ``` SignerCertificate Status Path ----------------- ------ ---- 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid dbsync.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libgcc_s_dw2-1.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libstdc++-6.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwazuhext.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwazuhshared.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwinpthread-1.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid rsync.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid syscollector.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid sysinfo.dll ``` 5. Check `dbsync.dll` hash :green_circle: ``` SHA-1 hash of file .\dbsync.dll: 2e 14 5a 1b 90 6b 9f 21 6c 9a 92 dd 64 e3 17 82 57 4c 04 63 SHA256 hash of file .\dbsync.dll: fe 74 b7 b5 ed e5 cd 26 82 23 fd fb 6b 4a 63 95 c8 b7 06 cf cd e9 68 1a 65 73 cd c8 4f 72 b6 08 ``` 6. Stop `wazuh-agent` and modify DLL library ``` echo 1 >> dbsync.dll ``` 7. Start `wazuh-agent` and check `ossec.log` file the critical log 🟢 ``` 2023/01/05 11:55:21 wazuh-agent: INFO: Trust verification of a module failed by using the signature method. No signature found for 'C:\Program Files (x86)\ossec-agent\dbsync.dll'. 2023/01/05 11:55:21 wazuh-agent: INFO: Trust verification of a module failed by using the hash method. CryptCATAdminCalcHashFromFileHandle failed trying to calculate hash with error 2147942593 for 'C:\Program Files (x86)\ossec-agent\dbsync.dll': %1 is not a valid Win32 application. 2023/01/05 11:55:21 wazuh-agent: CRITICAL: The file 'C:\Program Files (x86)\ossec-agent\dbsync.dll' is not signed or its signature is invalid. ``` Agent stopped 🟢 ![windows 11 package 2 updrade stopped](https://user-images.githubusercontent.com/26927338/211034020-e76b9024-f03d-4fea-86af-9e838ab295af.png)
### Fresh install
Fresh install core-branch signed package
1. Install `wazuh-agent v4.4.0` package :green_circle: 2. Check `ossec.log` file for error, warning and critical logs :green_circle: ``` No error, warning, nor critical were found. ``` 3. Check DLL signature :green_circle: ``` SignerCertificate Status Path ----------------- ------ ---- 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid dbsync.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libgcc_s_dw2-1.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libstdc++-6.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwazuhext.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwazuhshared.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwinpthread-1.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid rsync.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid syscollector.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid sysinfo.dll ``` 4. Check `dbsync.dll` hash :green_circle: ``` SHA-1 hash of file .\dbsync.dll: 2e 14 5a 1b 90 6b 9f 21 6c 9a 92 dd 64 e3 17 82 57 4c 04 63 SHA256 hash of file .\dbsync.dll: fe 74 b7 b5 ed e5 cd 26 82 23 fd fb 6b 4a 63 95 c8 b7 06 cf cd e9 68 1a 65 73 cd c8 4f 72 b6 08 ``` 5. Modify DLL library ``` echo 1 >> dbsync.dll ``` 6. Start `wazuh-agent` and check `ossec.log` file for the critical log 🟢 ``` 2023/01/05 11:43:50 wazuh-agent: INFO: Trust verification of a module failed by using the signature method. No signature found for 'C:\Program Files (x86)\ossec-agent\dbsync.dll'. 2023/01/05 11:43:50 wazuh-agent: INFO: Trust verification of a module failed by using the hash method. CryptCATAdminCalcHashFromFileHandle failed trying to calculate hash with error 2147942593 for 'C:\Program Files (x86)\ossec-agent\dbsync.dll': %1 is not a valid Win32 application. 2023/01/05 11:43:50 wazuh-agent: CRITICAL: The file 'C:\Program Files (x86)\ossec-agent\dbsync.dll' is not signed or its signature is invalid. ``` Agent stopped :green_circle:

Windows 2008 🟢
### Upgrade
Upgrade from 4.3.10 to core-branch signed package
1. Before upgrading - Check DLL signature ``` Get-AuthenticodeSignature *.dll ``` ``` SignerCertificate Status Path ----------------- ------ ---- NotSigned dbsync.dll NotSigned libgcc_s_sjlj-1.dll NotSigned libwazuhext.dll NotSigned libwazuhshared.dll NotSigned libwinpthread-1.dll NotSigned rsync.dll NotSigned syscollector.dll NotSigned sysinfo.dll ``` - Check `dbsync.dll` hash ``` certutil.exe -hashfile .\dbsync.dll ``` ``` SHA-1 hash of file .\dbsync.dll: 4c 37 79 3f d4 8f 0a 74 46 5d a7 5a 8f 9b eb fd 9a 3c 97 a4 SHA256 hash of file .\dbsync.dll: fa 1c 0f 6a 3e 71 c8 65 39 79 66 29 ea ec fc 79 84 5b bb 98 4c f1 5a c6 40 2c c6 70 ac b0 30 c2 ``` 2. Upgrade from `wazuh-agent v4.3.10` to `wazuh-agent v4.4.0` package :green_circle: 3. Check `ossec.log` file for error, warning and critical logs :green_circle: ``` No error, warning, nor critical were found. Agent still running. ``` 4. Check DLL signature :green_circle: ``` SignerCertificate Status Path ----------------- ------ ---- 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid dbsync.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libgcc_s_dw2-1.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libstdc++-6.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwazuhext.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwazuhshared.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwinpthread-1.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid rsync.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid syscollector.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid sysinfo.dll ``` 5. Check `dbsync.dll` hash :green_circle: ``` SHA-1 hash of file .\dbsync.dll: 2e 14 5a 1b 90 6b 9f 21 6c 9a 92 dd 64 e3 17 82 57 4c 04 63 SHA256 hash of file .\dbsync.dll: fe 74 b7 b5 ed e5 cd 26 82 23 fd fb 6b 4a 63 95 c8 b7 06 cf cd e9 68 1a 65 73 cd c8 4f 72 b6 08 ``` 6. Stop `wazuh-agent` and modify DLL library ``` echo 1 >> dbsync.dll ``` 7. Start `wazuh-agent` and check `ossec.log` file the critical log 🟢 ``` 2023/01/06 16:03:11 wazuh-agent: INFO: Trust verification of a module failed by using the signature method. The file 'C:\Program Files (x86)\ossec-agent\dbsync.dll' or its signature is corrupt. 2023/01/06 16:03:11 wazuh-agent: INFO: Trust verification of a module failed by using the hash method. CryptCATAdminEnumCatalogFromHash failed with error 1168 for 'C:\Program Files (x86)\ossec-agent\dbsync.dll': Element not found. 2023/01/06 16:03:11 wazuh-agent: CRITICAL: The file 'C:\Program Files (x86)\ossec-agent\dbsync.dll' is not signed or its signature is invalid. ``` Agent stopped 🟢 ![image](https://user-images.githubusercontent.com/26927338/211050594-041a4042-43a4-40f2-bdfb-b58ca952d060.png)
### Fresh install
Fresh install core-branch signed package
1. Install `wazuh-agent v4.4.0` package :green_circle: 2. Check `ossec.log` file for error, warning and critical logs :green_circle: ``` No error, warning, nor critical were found. ``` 3. Check DLL signature :green_circle: ``` SignerCertificate Status Path ----------------- ------ ---- 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid dbsync.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libgcc_s_dw2-1.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libstdc++-6.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwazuhext.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwazuhshared.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid libwinpthread-1.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid rsync.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid syscollector.dll 813D2BC44ED00C20DA20AE680684E09A9B82FBF9 Valid sysinfo.dll ``` 4. Check `dbsync.dll` hash :green_circle: ``` SHA-1 hash of file .\dbsync.dll: 2e 14 5a 1b 90 6b 9f 21 6c 9a 92 dd 64 e3 17 82 57 4c 04 63 SHA256 hash of file .\dbsync.dll: fe 74 b7 b5 ed e5 cd 26 82 23 fd fb 6b 4a 63 95 c8 b7 06 cf cd e9 68 1a 65 73 cd c8 4f 72 b6 08 ``` 5. Modify DLL library ``` echo 1 >> dbsync.dll ``` 6. Start `wazuh-agent` and check `ossec.log` file for the critical log 🟢 ``` 2023/01/06 16:10:37 wazuh-agent: INFO: Trust verification of a module failed by using the signature method. The file 'C:\Program Files (x86)\ossec-agent\dbsync.dll' or its signature is corrupt. 2023/01/06 16:10:37 wazuh-agent: INFO: Trust verification of a module failed by using the hash method. CryptCATAdminEnumCatalogFromHash failed with error 1168 for 'C:\Program Files (x86)\ossec-agent\dbsync.dll': Element not found. 2023/01/06 16:10:37 wazuh-agent: CRITICAL: The file 'C:\Program Files (x86)\ossec-agent\dbsync.dll' is not signed or its signature is invalid. ``` Agent stopped :green_circle: ![image](https://user-images.githubusercontent.com/26927338/211051880-571b7c96-3095-4d22-aa46-aea3e06f39c9.png) 7. Delete the change in dbsync.dll 10. Start wazuh 🟢

QA review

Type: Manual Testing
Status: Approved 🟢
Comments: Everything seems to work correctly.

wazuh / wazuh-qa

Test DLL side load protection #3612

Description

Proposed checks

Steps to reproduce

Expected results

Review data

Testing environment

Tested packages

Status

Conclusion

Testing results :red_circle:

Result analisys

Extra validations

New testing results :red_circle:

Review data

Testing environment

Tested packages

Status

Conclusion

Testing results

Package with IMAGE_TRUST_CHECK=1

Testing results

Package with IMAGE_TRUST_CHECK=2

Update 03/01/2023

Update 04/01/2023

Update 05/01/2023

Update 06/01/2023

Update 09/01/2023

New testing results

Package with IMAGE_TRUST_CHECK=2

Package with IMAGE_TRUST_CHECK=1

New testing results

Package with IMAGE_TRUST_CHECK=2

Package with IMAGE_TRUST_CHECK=1

Final testing results

Package with IMAGE_TRUST_CHECK=1

Final testing results

Package with IMAGE_TRUST_CHECK=2

QA review