To integrate Wazuh with VirusTotal, enable FIM to monitor key directories, add the integration with your VirusTotal API key in ossec.conf, and Wazuh will automatically send the hash of every new or modified file to VirusTotal's 70+ antivirus engines.
How does the Wazuh FIM and VirusTotal integration work?
FIM (File Integrity Monitoring) detects new or modified files, but it doesn't know whether they are malicious. VirusTotal analyzes hashes against more than 70 antivirus engines. By integrating them, Wazuh automatically sends each suspicious file to VirusTotal and you get alerts directly in the dashboard.
Video: VirusTotal integration
10 minutes - Full setup and EICAR test
Free API limits
Before configuring anything, get to know the limits because they determine which directories to watch:
- 4 requests/minute
- 500 requests/day
If you watch too many busy directories, you'll burn through the limit in hours. The fix: be surgical about which directories send files to VirusTotal using the report_changes attribute.
Premium API: Since October 2025, the Lite plan starts at $5,000/year. For labs and mid-sized environments, the free API is enough when properly configured.
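To make the quota concrete, here is an added Python example (not Wazuh's bundled integration script) that does what the integration does for each alert: hash the file, look the hash up on VirusTotal by SHA256 without uploading content, reduce the report to positives, total and permalink, and count requests against the free-tier limits before sending. It assumes VirusTotal's v3 `/files/{hash}` endpoint with the `x-apikey` header; the sample report is constructed from the EICAR string and the figures above, and counting only `malicious` verdicts as positives is this example's choice.

```python
# Added example (not Wazuh's bundled virustotal integration): per-alert hash lookup
# with the free-tier quota (4 req/min, 500 req/day) tracked client-side.
import hashlib
import json
import time
import urllib.error
import urllib.request
from collections import deque

# Assumption: VirusTotal API v3 file-report endpoint, authenticated with the x-apikey header.
VT_FILE_URL = "https://www.virustotal.com/api/v3/files/{}"
VT_PERMALINK = "https://www.virustotal.com/gui/file/{}"

# The EICAR test string from the article, used only to build the constructed sample below.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def sha256_of(path):
    """Hash a file the way FIM does, streaming so large files are not loaded into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


class FreeTierQuota:
    """Sliding-window counters for the free-tier limits given in the article."""

    def __init__(self, per_minute=4, per_day=500):
        self.per_minute = per_minute
        self.per_day = per_day
        self.minute = deque()  # timestamps of requests in the last 60 s
        self.day = deque()     # timestamps of requests in the last 24 h

    def allow(self, now):
        """Record the request and return True if both windows have room, else False."""
        while self.minute and now - self.minute[0] >= 60:
            self.minute.popleft()
        while self.day and now - self.day[0] >= 86400:
            self.day.popleft()
        if len(self.minute) >= self.per_minute or len(self.day) >= self.per_day:
            return False
        self.minute.append(now)
        self.day.append(now)
        return True


def summarize_report(report):
    """Reduce a v3 file report to the fields the dashboard shows: positives, total, permalink."""
    data = report.get("data", {})
    stats = data.get("attributes", {}).get("last_analysis_stats", {})
    positives = stats.get("malicious", 0)  # this example counts only "malicious" verdicts
    total = sum(stats.values())            # every engine that returned a verdict of any kind
    return {
        "found": True,
        "sha256": data.get("id", ""),
        "positives": positives,
        "total": total,
        "permalink": VT_PERMALINK.format(data.get("id", "")),
    }


def lookup_hash(sha256, api_key, quota, now=None):
    """Query VirusTotal for a hash. Returns None when over quota, found=False for unknown hashes."""
    now = time.time() if now is None else now
    if not quota.allow(now):
        return None  # queue and retry later instead of burning the daily limit on rejected calls
    req = urllib.request.Request(VT_FILE_URL.format(sha256), headers={"x-apikey": api_key})
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return summarize_report(json.load(resp))
    except urllib.error.HTTPError as err:
        if err.code == 404:  # hash never seen by VirusTotal: not a detection, not an error
            return {"found": False, "sha256": sha256, "positives": 0, "total": 0, "permalink": ""}
        raise


# Constructed sample of a v3 report (not a real VirusTotal response) for an offline check.
SAMPLE_REPORT = {
    "data": {
        "id": hashlib.sha256(EICAR).hexdigest(),
        "attributes": {
            "last_analysis_stats": {"malicious": 62, "undetected": 8, "harmless": 0,
                                    "suspicious": 0, "timeout": 0, "type-unsupported": 4},
        },
    }
}

if __name__ == "__main__":
    print(summarize_report(SAMPLE_REPORT))
```

The quota class is the part worth keeping even if you never call the API yourself: it shows why watching `/tmp` and `/root` with real-time FIM on a handful of busy hosts is enough to exhaust four requests per minute, and why a hash that VirusTotal has never seen (HTTP 404) must be treated as "unknown" rather than "clean".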
Step 1: Get the API key
- Go to virustotal.com
- Create a free account if you don't have one
- Click your avatar → API key
- Copy the key
Step 2: Configure the integration on the Manager
Edit the Wazuh server configuration file:
```bash
nano /var/ossec/etc/ossec.conf
```
Add this block before the closing </ossec_config> tag:
```xml
<integration>
  <name>virustotal</name>
  <api_key>TU_API_KEY_AQUI</api_key>
  <rule_id>550,554</rule_id>
  <alert_format>json</alert_format>
</integration>
```
Explanation:
- rule_id 550: new file detected by FIM
- rule_id 554: modified file
- Whenever FIM detects something in a watched directory, it sends the SHA256 hash to VirusTotal
Restart the manager:
```bash
systemctl restart wazuh-manager
systemctl status wazuh-manager
```
Check the integrations log:
```bash
tail -f /var/ossec/logs/integrations.log
```
Step 3: Configure FIM on the Agent
On the agent, edit /var/ossec/etc/ossec.conf and set which directories FIM watches. Only directories with report_changes="yes" will send hashes to VirusTotal:
```xml
<syscheck>
  <!-- Full scan once a day -->
  <frequency>86400</frequency>
  <scan_on_start>yes</scan_on_start>
  <!-- HIGH-RISK directories: watched WITH VirusTotal -->
  <directories realtime="yes" check_all="yes" report_changes="yes">/tmp</directories>
  <directories realtime="yes" check_all="yes" report_changes="yes">/root</directories>
</syscheck>
```
Rationale:
- /tmp, /root: where malware typically lands → yes, VirusTotal
- /etc, /bin: system changes, not malware → regular FIM, no VirusTotal
Restart the agent:
```bash
systemctl restart wazuh-agent
```
Step 4: Test with an EICAR file
The EICAR test file is a standard for testing antivirus without real malware. Every engine intentionally flags it as malicious.
```bash
echo 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*' > /tmp/eicar_test.txt
```
FIM detects the new file → triggers rule 550 → sends the hash to VirusTotal → you get an alert.
Within 30-60 seconds, go to the dashboard: Endpoint Security → Malware Detection
You'll see:
- Rule ID: 87105 (VirusTotal: Alert)
- File: /tmp/eicar_test.txt
- Positives: Number of engines that flagged it
- Permalink: Direct link to the analysis on virustotal.com
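If you want to confirm the result from the manager's shell instead of the dashboard, the following added Python example (not part of the Wazuh project) triages rule 87105 entries from `alerts.json`, keeping one row per file and agent and applying a minimum-engines threshold so a single-engine hit does not page anyone. The sample lines are constructed, not real Wazuh output; the `data.virustotal.*` field names follow the integration's documented output and should be checked against your Wazuh version.

```python
# Added example (not part of the Wazuh project): triage VirusTotal alerts (rule 87105)
# from the manager's alerts.json after the EICAR test.
import json
import sys

# Constructed sample lines (not real Wazuh output). Hashes and permalinks are placeholders.
SAMPLE_ALERTS = [
    json.dumps({"rule": {"id": "550", "description": "Integrity checksum changed."},
                "agent": {"name": "web01"}, "syscheck": {"path": "/tmp/eicar_test.txt"}}),
    json.dumps({"rule": {"id": "87105"}, "agent": {"name": "web01"},
                "data": {"virustotal": {"positives": 62, "total": 74,
                                        "sha1": "0" * 40,
                                        "permalink": "https://www.virustotal.com/gui/file/PLACEHOLDER",
                                        "source": {"file": "/tmp/eicar_test.txt"}}}}),
    json.dumps({"rule": {"id": "87105"}, "agent": {"name": "web01"},
                "data": {"virustotal": {"positives": 1, "total": 74,
                                        "sha1": "1" * 40,
                                        "permalink": "https://www.virustotal.com/gui/file/PLACEHOLDER2",
                                        "source": {"file": "/root/build.sh"}}}}),
    '{"rule": {"id": "87105"}, "truncated',  # a half-written last line, as seen while tailing
]


def triage(lines, min_positives=2):
    """Return one summary per (agent, sha1) with at least min_positives engine hits,
    highest positives first. One engine alone is usually a false positive, so the default
    threshold is 2; pass min_positives=1 to list everything rule 87105 raised."""
    hits = {}
    for line in lines:
        try:
            alert = json.loads(line)
        except json.JSONDecodeError:
            continue  # alerts.json is line-delimited; skip a truncated trailing line
        if str(alert.get("rule", {}).get("id")) != "87105":
            continue
        vt = alert.get("data", {}).get("virustotal", {})
        positives = int(vt.get("positives", 0))
        if positives < min_positives:
            continue
        key = (alert.get("agent", {}).get("name"), vt.get("sha1"))
        hits[key] = {  # same hash on the same agent: keep the latest line
            "agent": key[0],
            "file": vt.get("source", {}).get("file"),
            "positives": positives,
            "total": int(vt.get("total", 0)),
            "permalink": vt.get("permalink", ""),
        }
    return sorted(hits.values(), key=lambda h: h["positives"], reverse=True)


if __name__ == "__main__":
    # Usage: python3 vt_triage.py /var/ossec/logs/alerts/alerts.json [min_positives]
    threshold = int(sys.argv[2]) if len(sys.argv) > 2 else 2
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            rows = triage(fh, threshold)
    else:
        rows = triage(SAMPLE_ALERTS, threshold)
    for row in rows:
        print(f"{row['agent']} {row['file']} {row['positives']}/{row['total']} {row['permalink']}")
```

Run without arguments to see the constructed sample triaged; point it at the manager's `alerts.json` after the EICAR test to see the `/tmp/eicar_test.txt` row with its permalink.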
Clean up after the test:
```bash
rm /tmp/eicar_test.txt
```
Summary
| Component | Configuration |
|---|---|
| Manager | `<integration>` with API key and rule_id 550,554 |
| Agent FIM | `report_changes="yes"` only on high-risk directories |
| API limits | 4 req/min, 500 req/day (free tier) |
| Alert | Rule ID 87105 in Malware Detection |
Next steps
We cover more integrations like Slack, TheHive, and automated active responses as part of our managed Wazuh service. Discover our Wazuh service.