diff --git a/remove positive virustotal threats b/remove positive virustotal threats
new file mode 100644
index 0000000..cbeb2a4
--- /dev/null
+++ b/remove positive virustotal threats
@@ -0,0 +1,174 @@
+Manager side
+Append the following decoder to /var/ossec/etc/decoders/local_decoder.xml
+
+
+
+ ar_log
+ ^(\S+) Removed positive threat located in (\S+)
+ script_name, path
+
+
+
+Append the following rule to /var/ossec/etc/rules/local_rules.xml
+
+
+ 607
+ Removed positive
+ $(script_name) Removed positive threat located in $(path)
+
+
+
+
+Place this custom-remove-threat script in /var/ossec/integrations
+
+
+#!/usr/bin/env python
+# Copyright (C) 2017 Wazuh Inc.
+# October 29, 2019.
+#
+# This program is a free software; you can redistribute it
+# and/or modify it under the terms of the GNU General Public
+# License (version 2) as published by the FSF - Free Software
+# Foundation.
+# Wazuh, Inc
+import json
+import sys
+import time
+import os
+from socket import socket, AF_UNIX, SOCK_DGRAM
+# ossec.conf configuration:
+#
+# remove-threat
+# remove-threat.sh
+# filename
+# no
+#
+#
+# no
+# remove-threat
+# local
+#
+#
+# custom-remove-threat
+# 87105
+# json
+#
+# Global vars
+debug_enabled = True
+pwd = os.path.dirname(os.path.dirname(os.path.realpath(__file__)))
+json_alert = {}
+now = time.strftime("%a %b %d %H:%M:%S %Z %Y")
+# Set paths
+log_file = '{0}/logs/integrations.log'.format(pwd)
+socket_addr = '{0}/queue/alerts/ar'.format(pwd)
+def main(args):
+ debug("# Starting")
+ # Read args
+ alert_file_location = args[1]
+ debug("# File location")
+ debug(alert_file_location)
+ # Load alert. Parse JSON object.
+ with open(alert_file_location) as alert_file:
+ json_alert = json.load(alert_file)
+ debug("# Processing alert")
+ debug(json_alert)
+ # Send event to AR socket
+ msg = "(msg_to_agent) [] NNS {0} remove-threat0 - {1}".format(json_alert["agent"]["id"], json_alert["data"]["virustotal"]["source"]["file"])
+ send_event(msg)
+def debug(msg):
+ if debug_enabled:
+ msg = "{0}: {1}\n".format(now, msg)
+ print(msg)
+ f = open(log_file,"a")
+ f.write(msg)
+ f.close()
+def send_event(msg):
+ sock = socket(AF_UNIX, SOCK_DGRAM)
+ sock.connect(socket_addr)
+ sock.send(msg.encode())
+ sock.close()
+if __name__ == "__main__":
+ try:
+ # Read arguments
+ bad_arguments = False
+ if len(sys.argv) >= 2:
+ alertfile=sys.argv[1]
+ msg = '{0} {1} {2} {3}'.format(now, sys.argv[1], sys.argv[2], sys.argv[3])
+ else:
+ msg = '{0} Wrong arguments'.format(now)
+ bad_arguments = True
+ # Logging the call
+ f = open(log_file, 'a')
+ f.write(msg +'\n')
+ f.close()
+ if bad_arguments:
+ debug("# Exiting: Bad arguments.")
+ sys.exit(0)
+ # Main function
+ main(sys.argv)
+ except Exception as e:
+ debug('Error:' + str(e))
+ raise
+
+
+Set permissions to the custom-remove-threat
+change ownership to root:ossec /var/ossec/integrations/custom-remove-threat
+chmod +x /var/ossec/integrations/custom-remove-threat
+
+
+Manager ossec.conf
+
+
+ remove-threat
+ remove-threat.sh
+ filename
+ no
+
+
+
+ no
+ remove-threat
+ local
+
+
+
+ custom-remove-threat
+ 87105
+ json
+
+
+Systemctl restart wazuh-manager
+
+Agents side
+Place this remove-threat.sh script in /var/ossec/active-response/bin/
+
+#!/bin/bash
+
+# Checking user arguments
+if [ "x$1" == "xdelete" ]; then
+ exit 0;
+fi
+
+LOCAL=`dirname $0`;
+cd $LOCAL
+cd ../
+
+PWD=`pwd`
+
+# Removing file
+rm -f $3
+if [ $? -eq 0 ]; then
+ echo "`date` $0 Removed positive threat located in $3" >> ${PWD}/../logs/active-responses.log
+else
+ echo "`date` $0 Error removing positive threat located in $3" >> ${PWD}/../logs/active-responses.log
+fi
+
+exit 0;
+
+
+Set permissions to the remove-threat.sh
+change ownership to root:ossec /var/ossec/active-response/bin/remove-threat.sh
+chmod +x /var/ossec/active-response/bin/remove-threat.sh
+
+
+Systemctl restart wazuh-agent
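Review bot: `rm -f $3` in remove-threat.sh expands the path unquoted, and `$3` is the file path carried in from the alert's `data.virustotal.source.file` field via the AR message, so a name containing spaces or glob characters is split or expanded into other paths before the delete; change it to `rm -f -- "$3"` and quote `"$3"` in the two log echo lines as well. In the Python integration the guard `if len(sys.argv) >= 2:` is followed by a format call that reads `sys.argv[2]` and `sys.argv[3]`, so a call with two or three arguments raises IndexError instead of taking the `Wrong arguments` branch; `if len(sys.argv) >= 4:` matches what the line actually uses. `debug()` and the `__main__` block also open `log_file` without `with`, which leaves the handle open if the write fails; `with open(log_file, "a") as f: f.write(msg)` covers both.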