Where are you including the configuration? That should go in the file:

/var/ossec/etc/shared/win_malware_rcl.txt

Please paste the contents of that file.

Thank you

On Mon, Mar 14, 2016 at 11:12 PM, 林威任 <m0361...@gm.ncue.edu.tw> wrote:

> Sorry, this email is Google Apps for Education.
> About my email, I use Hangouts to send you, is it OK?
> And this is my agent's log file:
> 016/03/15 14:07:44 ossec-agent: INFO: Started (pid: 3760).
> 2016/03/15 14:07:45 ossec-agent(4102): INFO: Connected to the server (
> 192.168.164.142:1514
> ).
> 2016/03/15 14:07:45 ossec-agent: INFO: System is Vista or newer (Microsoft
> Windows 7 Ultimate Edition Professional Service Pack 1 (Build 7601) - OSSEC
> HIDS v2.8.3).
> 2016/03/15 14:07:45 ossec-agent(1951): INFO: Analyzing event log:
> 'Application'.
> 2016/03/15 14:07:45 ossec-agent(1951): INFO: Analyzing event log:
> 'Security'.
> 2016/03/15 14:07:45 ossec-agent(1951): INFO: Analyzing event log: 'System'.
> 2016/03/15 14:07:45 ossec-agent: INFO: Started (pid: 3760).
> 2016/03/15 14:08:44 ossec-agent: INFO: Starting syscheck scan (forwarding
> database).
> 2016/03/15 14:08:44 ossec-agent: INFO: Starting syscheck database
> (pre-scan).
> 2016/03/15 14:08:44 ossec-agent: WARN: Error opening directory:
> 'C:\boot.ini': No such file or directory
> 2016/03/15 14:08:44 ossec-agent: WARN: Error opening directory:
> 'C:\Windows/System32/CONFIG.NT': No such file or directory
> 2016/03/15 14:08:44 ossec-agent: WARN: Error opening directory:
> 'C:\Windows/System32/AUTOEXEC.NT': No such file or directory
> 2016/03/15 14:08:44 ossec-agent: WARN: Error opening directory:
> 'C:\Windows/System32/debug.exe': No such file or directory
> 2016/03/15 14:08:44 ossec-agent: WARN: Error opening directory:
> 'C:\Windows/System32/drwatson.exe': No such file or directory
> 2016/03/15 14:08:44 ossec-agent: WARN: Error opening directory:
> 'C:\Windows/System32/drwtsn32.exe': No such file or directory
> 2016/03/15 14:08:44 ossec-agent: WARN: Error opening directory:
> 'C:\Windows/System32/edlin.exe': No such file or directory
> 2016/03/15 14:08:44 ossec-agent: WARN: Error opening directory:
> 'C:\Windows/System32/eventtriggers.exe': No such file or directory
> 2016/03/15 14:08:44 ossec-agent: WARN: Error opening directory:
> 'C:\Windows/System32/rcp.exe': No such file or directory
> 2016/03/15 14:08:44 ossec-agent: WARN: Error opening directory:
> 'C:\Windows/System32/rexec.exe': No such file or directory
> 2016/03/15 14:08:44 ossec-agent: WARN: Error opening directory:
> 'C:\Windows/System32/rsh.exe': No such file or directory
> 2016/03/15 14:08:46 ossec-agent: WARN: Error opening directory:
> 'C:\Windows/System32/telnet.exe': No such file or directory
> 2016/03/15 14:08:46 ossec-agent: WARN: Error opening directory:
> 'C:\Windows/System32/tftp.exe': No such file or directory
> 2016/03/15 14:08:46 ossec-agent: WARN: Error opening directory:
> 'C:\Windows/System32/tlntsvr.exe': No such file or directory
> 2016/03/15 14:08:46 ossec-agent: INFO: Initializing real time file
> monitoring (not started).
> 2016/03/15 14:08:46 ossec-agent: WARN: Error opening directory:
> 'C:\Users/Public/All Users/Microsoft/Windows/Start Menu/Startup': No such
> file or directory
> 2016/03/15 14:08:46 ossec-agent: INFO: Real time file monitoring started.
> 2016/03/15 14:08:46 ossec-agent: INFO: Finished creating syscheck database
> (pre-scan completed).
> 2016/03/15 14:08:56 ossec-agent: INFO: Ending syscheck scan (forwarding
> database).
> 2016/03/15 14:09:16 ossec-agent: INFO: Starting rootcheck scan.
> 2016/03/15 14:09:16 ossec-agent(1252): ERROR: Invalid rk configuration
> value: '[Trojan Dropper] [all] [0A37D49E798F50C8F1010D5CFDE0E851] '.
> 2016/03/15 14:09:22 ossec-agent: INFO: Ending rootcheck scan.
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ossec-list+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
>
