  • Lost in creating notifications

    I'm starting from scratch here - I've been trying to learn how I can create a script and a hook to notify me when a scan returns any malware.

    Pretty much all the websites and help pages (dozens of them) are over my head - please don't just point me to those same places that I don't fully understand.

    I finally figured out how to use Windows PowerShell to SSH, then got help from my host to log in when it kept giving me errors.

    I eventually figured out how to create a folder off of the root and named it "hooks". So I'm out of the root now.

    I think I can figure out how to create a file and add a path to it in the Notifications hosting interface, but I'm not a coder in any language and I'm not sure whether the example I found is even what I want:

    Code:
    #!/bin/bash
    # The notifier pipes the event as JSON on stdin; read it once and pick fields out with jq
    data=$(cat)
    event=$(jq -r '.event' <<< "${data}")
    subtype=$(jq -r '.subtype' <<< "${data}")
    case ${event} in
    malware-detected)
        case ${subtype} in
        critical)
            path=$(jq -r '.params.path' <<< "${data}")
            total_malicious=$(jq -r '.params.total_malicious' <<< "${data}")
            echo "The path $path was scanned and $total_malicious malicious files were found" | mail -s malware-detected-dda my.email.com
            ;;
        esac
        ;;
    esac
    If I enable User Scan: Malware Detected, and enter /root/hooks/[filename], I assume it will trigger an email to me following the daily scan I have set up in the General settings for daily at 6 AM.

    Is the script right for what I want to do?

    When I name it, do I have to give it an extension?

    I'm using ImunifyAV+
    DirectAdmin is the platform I'm using
    I have root access (reseller account).

    Thank you,
    Ernie

  • #2
    Hello Ernie,
    Hope you are doing well,

    Thank you for your contact and for bringing us excellent questions.

    I'm starting from scratch here - I've been trying to learn how I can create a script and a hook to notify me when a scan returns any malware.

    Cool. This mechanism is really powerful for such integrations with external scripts in Bash, Python, Golang, or whatever language you use; the code just needs to expect the proper input and handle it accordingly.

    If I enable User Scan: Malware Detected, and enter /root/hooks/[filename], I assume it will trigger an email to me following the daily scan I have set up in the General settings for daily at 6 AM.

    By design, the imunify-notifier daemon drops privileges to the _imunify user to avoid any kind of escalation to root in case of security issues with insecure custom scripts, so it runs as a very limited user, _imunify.

    I have noticed you have placed the script into the directory /root/hooks/[filename]. It won't work, because the script won't be called: the _imunify user is limited and cannot access the /root directory.

    I would suggest you add the script to the directory /etc/imunify360; that is enough and should work, since the IMAV process can access this directory. Something like:

    Code:
    mkdir /home/hooks
    chown _imunify: /home/hooks
    Also, you need to make sure the script has the "x" bit allowing execution for the _imunify user/group:

    Code:
    chmod +x /home/hooks/[script-filename]
    Is the script right for what I want to do?

    We have written a straight-to-the-point article that shows well how it works. There we have pointed out a generic useful script you can use.



    When I name it, do I have to give it an extension?
    It's not needed; you can use any extension. Just make sure to make it executable with "chmod +x" and that it has the correct shebang, I mean if it uses an interpreter you need to add the first line accordingly. E.g.:
    • #!/bin/bash
    • #!/usr/bin/env python3
    • etc

    I'm using ImunifyAV+

    Cool! It works like a charm :-) The only difference from IM360 is that IMAV+ has fewer hook events; refer to "Only Imunify360" as a highlight:
    • USER_SCAN_FINISHED – occurs immediately after the user scanning has finished, regardless of whether malware has been found or not;
    • USER_SCAN_MALWARE_FOUND – occurs when the malware scanning process of a user account has finished and malware is found;
    • USER_SCAN_STARTED – occurs immediately after the user scanning has started;
    • CUSTOM_SCAN_STARTED – occurs immediately after on-demand (manual) scanning has started;
    • CUSTOM_SCAN_FINISHED – occurs immediately after on-demand (manual) scanning has finished, regardless of whether malware has been found or not;
    • CUSTOM_SCAN_MALWARE_FOUND – occurs when the on-demand scanning process has finished and malware is found;
    • REALTIME_MALWARE_FOUND – occurs when malware is detected during real-time scanning. (Only Imunify360);
    • SCRIPT_BLOCKED – occurs when the Proactive Defense has blocked the malicious script. (Only Imunify360).

    All the events above will work on malware scanning, except SCRIPT_BLOCKED, which is related to Proactive Defense and is triggered upon a script-blocking event; it's an advanced mechanism that protects against 0-days besides the malware scan.

    Other than that, it works well for what you are looking for, but if you still have trouble enabling it, please address a ticket to the 24/7 support team through https://www.cloudlinux.com/contact/

    It will be a pleasure for us to manage and assist your case closely, step by step, until it is working for you :-)
    Have a great day,
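The reply above notes that a hook can be written in any interpreter as long as it reads the notifier's JSON from stdin. Below is an added example of such a hook in Python (it is not Imunify's hook-script.sh and not code from this thread): it keeps the field names and the "malware-detected"/"critical" values from the bash script quoted in the first post, treats anything missing or malformed in the payload as "nothing to report", and passes the mail command an argument list rather than a shell string, so a hostile file path in the payload cannot change the command. MAIL_ENABLE and MAIL_TO are assumed knobs mirroring the ones discussed later in the thread.

```python
#!/usr/bin/env python3
"""Imunify notification hook: added example, not Imunify's own hook-script.sh.
Reads the event JSON from stdin like the thread's bash script. Field names and the
values "malware-detected"/"critical" come from that script; MAIL_* are assumed knobs."""
import json
import subprocess
import sys

MAIL_ENABLE = False                 # keep False for a dry run; set True to really send mail
MAIL_TO = "your-email@domain"       # placeholder address
WANTED = {("malware-detected", "critical")}   # (event, subtype) pairs worth a mail


def build_notification(data):
    """Return the mail body for a wanted event, or None when nothing should be sent.
    Only plain fields are read; no payload value is ever handed to a shell."""
    if not isinstance(data, dict):
        return None
    if (data.get("event"), data.get("subtype")) not in WANTED:
        return None
    params = data.get("params") if isinstance(data.get("params"), dict) else {}
    path = str(params.get("path", "<unknown path>"))
    try:
        total = int(params.get("total_malicious", 0))
    except (TypeError, ValueError):
        total = 0                   # malformed count: treat as "nothing found"
    if total <= 0:
        return None
    noun = "file" if total == 1 else "files"
    return f"Scan of {path} found {total} malicious {noun}."


def send_mail(body, subject="malware-detected"):
    """Pipe the body into mail(1) as an argument list (no shell, so the path cannot inject)."""
    if not MAIL_ENABLE:
        print(body)                 # dry run: show what would have been sent
        return
    subprocess.run(["mail", "-s", subject, MAIL_TO], input=body.encode(), check=True)


def main():
    try:
        data = json.load(sys.stdin)
    except json.JSONDecodeError:
        return 1                    # not JSON: refuse rather than mail garbage
    body = build_notification(data)
    if body is not None:
        send_mail(body)
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Saved with the python3 shebang, made executable and owned so that _imunify can run it, it can be dry-run with a constructed payload, e.g. `echo '{"event":"malware-detected","subtype":"critical","params":{"path":"/home/admin","total_malicious":2}}' | ./hook.py`.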



    • #3
      Wow! Thank you for the detailed response!

      I had a little trouble figuring out how to navigate to /etc/imunify360/, but I'm there now.

      I had not created or uploaded the script yet - I'm still not sure how. I removed the folder "hooks" that I created off of the root directory.

      Quite a bit of what you explained remains over my head:

      I'm not sure what _imunify user is - is it a default user I can assign to myself? And if so, would it email me the scan report without the need to create a script at all?

      The generic script link seems to indicate that there is already a script - hook-script.sh - that I just need to edit and save in order to use - is that correct?

      Thank you again for the detailed explanation.

      My hosting company offers the upgrade to Immunify360 for an additional $23/month. That's a little high for my current use case, but may be worth it if it automates a lot of the scanning and reporting hoops I'm trying to jump through - I'm much more comfortable working with the web interface than messing with PowerShell, scripts, and hooks.

      Ernie



      • #4
        Hello Ernie,
        Thank you for your reply!
        Wow! Thank you for the detailed response!
        Cool! Glad to know you like it.

        I had a little trouble figuring out how to navigate to /etc/imunify360/, but I'm there now.
        I had not created or uploaded the script yet - I'm still not sure how. I removed the folder "hooks" that I created off of the root directory.
        Great. I think it will do the trick, yes: use a directory other than /root and set the proper permissions; see further details below.

        Quite a bit of what you explained remains over my head:
        I'm not sure what _imunify user is - is it a default user I can assign to myself? And if so, would it email me the scan report without the need to create a script at all?
        No. Actually, the _imunify user is a system user, which means it is used by the IM360 notifier process to run the underlying code coming from the scripts. When the IM360 notifier process starts, it drops privileges to the _imunify user, by design. It's a secure-programming approach that leads the operating system to run the process as an unprivileged user (_imunify), not as root; therefore, if a script got compromised it won't be able to gain root privileges, which reduces the attack vector. It refers to IM360 internal routines, particularly the way it runs unprivileged and interacts with other processes by using a restricted set of IPC calls, but don't worry, you don't need to care about it; we are just explaining the reason for the existence of the _imunify user at all. :-)

        The generic script link seems to indicate that there is already a script - hook-script.sh - that I just need to edit and save in order to use - is that correct?
        Exactly. Check further instructions on editing the script and change variables at:


        Thank you again for the detailed explanation.
        No problem, it's our obligation to deliver the best support experience for you. You are special to us!

        My hosting company offers the upgrade to Immunify360 for an additional $23/month. That's a little high for my current use case, but may be worth it if it automates a lot of the scanning and reporting hoops I'm trying to jump through - I'm much more comfortable working with the web interface than messing with PowerShell, scripts, and hooks.
        Sure thing! We recommend contacting our 24x7 support; our staff will check your environment and suggest the best product and set of tools for you.
        Additionally, taking this opportunity: besides Imunify360 we deliver other products like CloudLinuxOS, KernelCare, and TuxCare. It would be great if you can take a look at them: https://www.cloudlinux.com | https://www.tuxcare.com | https://www.kernelcare.com | https://imunify360.com

        Also, our company is driven by the open-source spirit; we are responsible for AlmaLinux, https://almalinux.org, the best CentOS replacement alternative.
        Yes, you are in the right place

        Do not hesitate to contact us, https://www.cloudlinux.com/contact/
        Have an excellent day,



        • #5
          After a few days of messing around not being able to connect with FileZilla, my hosting company copied the hook-script.sh file to \home\admin. I used the DirectAdmin file manager to make a copy and name it hook-script-notify.sh and edited the file per the instructions in the link you provided.

          Once edited, the hosting company gave me the exact commands to enter into my Windows PowerShell session:

          chmod +x /home/admin/hook_script_notify.sh

          and

          chown _imunify: /home/admin/hook_script_notify.sh

          I was not able to convince them that I would have preferred that the file is in the etc/imunify360 folder, so I hope this works.

          I didn't do the test step in the instructions because I wasn't sure about that URL eicar.org - does it contain live malware? Is it safe to use?

          Will doing the test cause the script to send me an email?

          If doing the test step will generate the email, then I'll do it. But if it doesn't return anything that tells me that it worked, I'd rather skip it.

          Thank you again for all your help,
          Ernie



          • #6
            Hello Ernie,
            After a few days of messing around not being able to connect with FileZilla, my hosting company copied the hook-script.sh file to \home\admin. I used the DirectAdmin file manager to make a copy and name it hook-script-notify.sh and edited the file per the instructions in the link you provided.
            Cool! It's great!
            Once edited, the hosting company gave me the exact commands to enter into my Windows PowerShell session:
            chmod +x /home/admin/hook_script_notify.sh
            and
            chown _imunify: /home/admin/hook_script_notify.sh
            I was not able to convince them that I would have preferred that the file is in the etc/imunify360 folder, so I hope this works.
            /etc/imunify360 is just one alternative we have recommended, but you can place the script in any directory; nonetheless, make sure to check the directory permissions so that the _imunify user can access it.
            Code:
            # chown :_imunify /home/admin
            # chmod g+x /home/admin
            Or if you prefer to loosen up:
            Code:
            # chmod o+x /home/admin
            I didn't do the test step in the instructions because I wasn't sure about that URL eicar.org - does it contain live malware? Is it safe to use?
            It's safe to use since it's not malware, it's just a harmless file created for testing purposes.
            Will doing the test cause the script to send me an email?
            Yes, but make sure to enable it in the script.
            Change the following two lines of the script to enable sending an e-mail:
            Code:
            MAIL_ENABLE=yes # default no, change to "yes" for enabling
            
            MAIL_TO="your-email@domain" # for multiple email addresses, use commas
            And, enable the hook event to trigger the script upon one event:
            Code:
            # imunify-antivirus notifications-config update '{"rules": {"CUSTOM_SCAN_MALWARE_FOUND": {"SCRIPT": {"scripts": ["/home/admin/hook_script.sh"], "enabled": true}}}}'
            
            # imunify-antivirus notifications-config update '{"rules": {"USER_SCAN_MALWARE_FOUND": {"SCRIPT": {"scripts": ["/home/admin/hook_script.sh"], "enabled": true}}}}'
            If doing the test step will generate the email, then I'll do it. But if it doesn't return anything that tells me that it worked, I'd rather skip it.
            It will work like a charm; do not give up. Once you have learned it by practicing, the next try will be straightforward.
            Let's pull that off with joint work; do not hesitate to ask us for further assistance.

            Have a great day,

            I also have to admit that the replies were provided by Gleydson, an Imunify360 specialist. Feel free to open a ticket if you would like to get the issue resolved faster.
