Hello Ernie,
Hope you are doing well,

Thank you for your contact and for bringing us excellent questions.


Cool. This mechanism is really powerful for such integrations with external scripts, Bash, Python, Golang, or whatever language you use the code just needs to expect the proper input and handle it accordingly.


By design, the imunify-notifier daemon drops privileges to the _imunify user to avoid any kind of escalation to root in case of security issues with insecure custom scripts, so it runs over a very limited user, _imunify.

I have noticed you have placed the script into the directory /root/hooks/[filename]. So it won't work, because it won't be called since _imunify user is limited and can ascend to /root directory.

I could suggest you add the script to the directory /etc/imunify360, it's enough and should work, since the IMAV process can access this directory. Something like:

Also, additionally, you need to make sure of checking if the script has the "x" bit allowing execution for the _imunify user/group:


We have written a straight-to-the-point article that shows well how it works. There we have pointed out a generic useful script you can use.



It's not needed, you can use any extension. Just to make sure to turn it executable by "chmod +x" and that it has the correct shebangs, I mean if it uses an interpreter you need to add the first line accordingly. Eg:

• #!/bin/bash
• #!/usr/bin/env python3
• etc

Cool! It works like a charm :-) The only difference from IM360 is that IMAV+ has fewer hook events, refer to Only Imunify360 as a highlight:

• USER_SCAN_FINISHED – occurs immediately after the user scanning has finished, regardless the malware has been found or not;
• USER_SCAN_MALWARE_FOUND – occurs when the malware scanning process of a user account has finished and malware is found;
• USER_SCAN_STARTED – occurs immediately after the user scanning has started;
• CUSTOM_SCAN_STARTED – occurs immediately after on-demand (manual) scanning has started;
• CUSTOM_SCAN_FINISHED – occurs immediately after on-demand (manual) scanning has finished, regardless the malware has been found or not;
• CUSTOM_SCAN_MALWARE_FOUND – occurs when the on-demand scanning process has finished and malware is found;
• REALTIME_MALWARE_FOUND – occurs when malware is detected during real-time scanning. (Only Imunify360);
• SCRIPT_BLOCKED – occurs when the Proactive Defense has blocked the malicious script. (Only Imunify360).

All the events above will work on malware scanning, except the SCRIPT_BLOCKED that is related to Proactive Defense and it's triggered upon an event of script blocking, it's an advanced mechanism that protects against 0days besides the malware scan.

Other than that, works pretty well like for what you are looking for, but If you still have trouble enabling it, please address a ticket to the 24/7 support team through https://www.cloudlinux.com/contact/

It will be a pleasure to us manage and assist your case closely step by step until it will be working for you :-)
Have a great day,

Wow! Thank you for the detailed response!

I had a little trouble figuring out how to navigate to /etc/imunify360/, but I'm there now.

I had not created or uploaded the script yet - I'm still not sure how. I removed the folder "hooks" that I created off of the root directory.

Quite a bit of what you explained remains over my head:

I'm not sure what _imunify user is - is it a default user I can assign to myself? And if so, would it email me the scan report without the need to create a script at all?

The generic script link seems to indicate that there is already a script - hook-script.sh - that I just need to edit and save in order to use - is that correct?

Thank you again for the detailed explanation.

My hosting company offers the upgrade to Immunify360 for an additional $23/month. That's a little high for my current use case, but may be worth it if it automates a lot of the scanning and reporting hoops I'm trying to jump through - I'm much more comfortable working with the web interface than messing with PowerShell, scripts, and hooks.

Ernie

Hello Ernie,
Thank you for your reply!
Cool! Glad to know you like it.

Great. I think It will do the trick, yes, use a directory other than the /root and set the proper permissions, see further details below.

No. Actually, the _imunify user is a system-user, which means It is used by the IM360 notifier process to run the underlying code coming from the scripts. When the IM360 notifier process starts, it drops privileges to _imunify user, by design. It's a secure-programming approach that leads the operating system to run the process as an unprivileged user (_imunify), not as root, therefore if one script got compromised It won't be able to have root privileges so it will decrease the attack vector. It refers to IM360 internal routines, particularly the way it runs unprivileged and interacts with another process by using a restricted set of IPC calls, but don't worry, you don't need to care about it, we are just explaining the reason for the existence of the _imunify user at all. :-)

Exactly. Check further instructions on editing the script and change variables at:


No problem, It's our obligation to deliver the best support experience for you. You are special to us!

Sure thing! We recommend contacting our support 24x7, our staff will check your environment and suggest the best product and set of tools for you.
Additionally taking this opportunity, We deliver besides Imunify360 other products like CloudLinuxOS, KernelCare, TuxCare, It would be great if can take a look at them: https://www.cloudlinux.com | https://www.tuxcare.com | https://www.kernelcare.com | https://imunify360.com

Also, Our company is driven by the OpenSource spirit, we are responsible for the AlmaLinux, https://almalinux.org, the best CentOS replacement alternative.
Yes, you are in the right place

Do not hesitate to contact us, https://www.cloudlinux.com/contact/
Have an excellent day,

After a few days of messing around not being able to connect with FileZilla, my hosting company copied the hook-script.sh file to \home\admin. I used the DirectAdmin file manager to make a copy and name it hook-script-notify.sh and edited the file per the instructions in the link you provided.

Once edited, the hosting company gave me the exact commands to enter into my Windows PowerShell session:

chmod +x /home/admin/hook_script_notify.sh

and

chown _imunify: /home/admin/hook_script_notify.sh

I was not able to convince them that I would have preferred that the file is in the etc/imunify360 folder, so I hope this works.

I didn't do the test step in the instructions because I wasn't sure about that URL eicar.org - does it contain live malware? Is it safe to use?

Will doing the test cause the script to send me an email?

If doing the test step will generate the email, then I'll do it. But if it doesn't return anything that tells me that it worked, I'd rather skip it.

Thank you again for all your help,
Ernie

Hello Ernie,
Cool! It's great!
The /etc/imunify360 is just one alternative we have recommended, but you can place the script in any directory, nonetheless make sure of
checking the permission of the directory, if the _imunify can access it.
Or if you prefer to loosen up:
It's safe to use since It's not malware, it's just a harmless file created for testing purposes.
Yes, but make sure of enabling it into the script.
Change the following two lines of the script to enable sending an e-mail:
And, enable the hook event to trigger the script upon one event:
It will work like a charm, do not give up, once you learn it by practicing the next try will be straightforward,
Let's pull that off with joint work, do not hesitate to ask us for further assistance.

Have a great day,

I have also to admit that replies were provided by Gleydson, an Imunify360 specialist. Feel free to open a ticket if you would like to get the issue resolved faster.