Ignore Temp Office files in wazuh FIM

[oliveiralive]

|Wazuh version|Component|Install type|Install method|Platform| |4.2.3--------------|---|---|-----------------------------------------|-| | X.Y.Z-rev | Wazuh component | Manager/Agent | Packages/Sources | OS version | | Centos8 | I want know if is possible ignore temp files on File Integrity Monitoring

When the user edit a office file, the office make a new temp file in the folder like bellow

and the wazuh FIM register the information with creat and delet

I try to put this temp file with exception in the wazuh agent config file like below but not work

anyone know with do this?

[nmkoremblum]

Hi @oliveiralive,

Unfortunately, at the moment, FIM only supports sregex expressions, given its quickness. With this type of expressions, it is not possible to filter every file, which names start with "~$", as it is not that flexible.

You can find more information regarding Wazuh's regex types on the following link: https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/regex.html

Also here is the documentation of the FIM's ignore label where it says that only sregex is supported: https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html#ignore. Currently, the only possible option is to explicitly ignore these files.

This kind of community question is becoming frequent, so I will be opening a feature request asking for FIM to accept the other regex types, such as pcre2 and os_regex. After doing so, I will be linking the issues, so please stay tuned.

Best Regards,

Mariano Koremblum

[shanelynn321]

Bump. After hours of trying things, I came across this article and discovered that even now, those office temp files will constantly trigger alerts on each save. In my case, it is the .lnk files created in the %appdata%\Roaming\Microsoft\Office\Recent folder.