How to use scanner ignore mask

  • How to use scanner ignore mask

    Hello,

    I can't figure out how to use the scanner ignore mask feature.

    I want to run on-demand scans and ignore these paths:

    Code:
    /home*/*/mail/
    /home*/*/.trash/
    Syntax for several complex paths isn't clearly documented, but in the WHM plugin we get an example if we hover over the "i." So I understand the syntax should look something like the following, correct?

    Code:
    /usr/bin/imunify360-agent malware on-demand start --ignore-mask /home*/*/mail/,/home*/*/.trash/ --intensity low --path /home*/* --no-follow-symlinks
    Unfortunately /home*/*/.trash/ is still getting scanned with these options.

    To troubleshoot I made a simple test case, placing 2 copies of a known malware sample as follows:

    Code:
    /root/abuse/scantest/
    /root/abuse/scantest/.trash
    /root/abuse/scantest/.trash/zoom.php
    /root/abuse/scantest/subdir
    /root/abuse/scantest/subdir/zoom.php
    I've tried lots of variations of the on-demand scan, without using wildcards or several ignore mask directories, to make this as simple as possible, for example the following:

    Code:
    /usr/bin/imunify360-agent malware on-demand start --path /root/abuse/scantest --ignore-mask /root/abuse/scantest/.trash --intensity=high --no-follow-symlinks
    /usr/bin/imunify360-agent malware on-demand start --path /root/abuse/scantest --ignore-mask /root/abuse/scantest/subdir --intensity=high --no-follow-symlinks
    I've also tried the same scans in the WHM plugin, using ignore mask in the advanced options.

    In every case, both files are detected as malicious.

    Am I doing something wrong, or is the ignore mask feature not working correctly?

    Thanks in advance.

  • #2
    Hello John!
    We have to admit that the `--ignore-mask` argument format is not straightforward. It has to be a mask that matches all of the files you want to ignore. We have tested it the following way:
    We used a wildcard for the path that matches 3 users on my machine and tried to exclude 2 of them using said argument. The following did not work:

    Code:
    $ imunify360-agent malware on-demand start --path=/var/www/vhosts/d* --ignore-mask=/var/www/vhosts/dixon.com,/var/www/vhosts/dunn.com
    Code:
    $ imunify360-agent malware on-demand list
    CREATED     ERROR  PATH                                              SCAN_STATUS  SCANID                            STARTED     TOTAL  TOTAL_FILES  TOTAL_MALICIOUS
    1561969069  None   /var/www/vhosts/d*                                stopped      73c52bb4a0b145b0a932a420b94bf6af  1561969069  84     84           2
    But adding a `*` to the end of each mask did the trick:

    Code:
    $ imunify360-agent malware on-demand start --path=/var/www/vhosts/d* --ignore-mask=/var/www/vhosts/dixon.com/*,/var/www/vhosts/dunn.com/*
    Code:
    $ imunify360-agent malware on-demand start --path=/var/www/vhosts/d* --ignore-mask=/var/www/vhosts/dixon.com/*,/var/www/vhosts/dunn.com/*
    1561968922  None   /var/www/vhosts/d*                                stopped      7fc87a489ec743a28a1a4ec5a126be4f  1561968922  27     27           0
    1561968821  None   /var/www/vhosts/d*                                stopped      cd1f60f2c56f4d24bf721a132ebc5f7f  1561968821  84     84           2

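Added example, not part of the original posts and not Imunify360's own code: a small shell model of the matching behaviour reported in #2, for checking a mask list against sample paths before starting a scan. It assumes each comma-separated mask is a glob that must match a file's full path and that `*` also matches `/`; `mask_ignores` and `report` are hypothetical helper names.

```shell
#!/bin/sh
# Added example: a model of --ignore-mask matching, not Imunify360 code.
# ASSUMPTION: each comma-separated mask is a glob matched against a file's
# full path, with "*" also matching "/" (inferred from the thread's results).

# mask_ignores MASKS PATH: exit 0 if any mask in MASKS matches PATH, else 1.
mask_ignores() {
    _masks=$1
    _path=$2
    _old_ifs=$IFS
    _hit=1
    set -f          # keep masks literal: no expansion against the local disk
    IFS=,
    for _m in $_masks; do
        case $_path in
            $_m) _hit=0; break ;;   # unquoted: $_m is used as a pattern
        esac
    done
    IFS=$_old_ifs
    set +f
    return $_hit
}

# report MASKS PATH...: print how each path would be treated under the model.
report() {
    _rm=$1
    shift
    for _p in "$@"; do
        if mask_ignores "$_rm" "$_p"; then
            echo "ignored  $_p"
        else
            echo "scanned  $_p"
        fi
    done
}

# Test tree from post #1 (paths only; no files are read or created).
T=/root/abuse/scantest
echo "mask: $T/.trash"
report "$T/.trash" "$T/.trash/zoom.php" "$T/subdir/zoom.php"
echo "mask: $T/.trash/*"
report "$T/.trash/*" "$T/.trash/zoom.php" "$T/subdir/zoom.php"
```

When checking a mask list this way, include at least one path that must still be scanned, since a mask that is broader than intended removes those files from the scan without any error.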


    • #3
      Thanks for your help on this. I can confirm this works as you explained it.



      • #4
        Hello John!
        Happy to hear it and thanks for following up!
