Simple Command Line execution
  • Simple Command Line execution

    Perhaps I'm just a bit old-fashioned, but I think ImunifyAV would work a lot better if you were just able to treat it like you do clamscan with ClamAV.

    Pass a single file to it on the command-line and ImunifyAV scans it to see if it's listed and outputs the results right there on the command line.

    Pass a file with a list of files to scan and ImunifyAV scans every file in the file list and outputs the results right there on the command line.

    The concept of having to have a web server GUI to manage this and having to queue accounts to be scanned and having a cron manage when the scan is done is just a bit too much in my opinion. I'm sure a lot of other users like this. But a more simplified approach would seem to be better for me.

    Instead of viewing this product as a one-size-fits-all, which I'm sure benefits a lot of hosting companies, it would be nice if the product could just be used as a tool for administrators to wield how they see fit.

    Perhaps this functionality already exists and I'm just not aware of it.

  • #2
    Hello Nader1,

    Thank you for your interest in our products and for your suggestions! You asked:
    Pass a single file to it on the command-line and ImunifyAV scans it to see if it's listed and outputs the results right there on the command line.
    Unfortunately, ImunifyAV doesn't provide such functionality yet. As you rightfully mentioned, the solution is aimed at hosters, so scans are often queued and results are stored in the internal database. For example, when you pass files to the scan queue:
    Code:
    imunify-antivirus malware on-demand start --scan-file --verbose --path /home/imav/eicar.com.txt
    The result can later be acquired from the Database as per:
    Code:
    imunify360-agent malware history list --limit 10000 --search /home/imav/eicar.com.txt
    The GUI is not strictly necessary, but it provides a convenient way to apply filters and group the results without having to query manually, for example as follows:
    Code:
    echo "select * from malware_scans limit 1000;" | /opt/alt/sqlite/usr/bin/sqlite3 /var/imunify360/imunify360.db
    The output should be as per:
    Code:
    12c667061ded4ad2bcd97311af160914|1666168011|1666168016|on-demand|/home/imav/eicar.com.txt|0||0|file
    385edbd89cbd42c5876cc3445327276b|1666168173|1666168180|on-demand|/home/imav/eicar.com.txt|1||1|file


    Instead of viewing this product as a one-size-fits-all, which I'm sure benefits a lot of hosting companies, it would be nice if the product could just be used as a tool for administrators to wield how they see fit.
    Nonetheless, you can use the scan engine commands directly, and it will generate the report to a file, for example:
    Code:
    /opt/ai-bolit/wrapper /opt/ai-bolit/ai-bolit-hoster.php --smart --deobfuscate --avdb /var/imunify360/files/sigs/v1/aibolit/ai-bolit-hoster-full.db --no-html --memory 2048M --progress $(pwd)/aibolit_progress_$(date +%s) --use-filters --path /home/imav/eicar.com.txt --skip-system-owner --ignore-quarantine --use-template-in-path --skip-imunify360-storage --with-suspicious --size 1048576 --cloudscan-size 10485760 --csv_report $(pwd)/report_$(date +%s).csv

    The output will contain a summary and the report which may look like this:
    Code:
    Start scanning '/home/imav/eicar.com.txt'.
    
    0.0% [/home/imav/eicar.com.txt] 1 of 0.
    Loaded 114419 known files from /opt/ai-bolit/AIBOLIT-WHITELIST.db
    
    Building report [ mode = 2 ]
    
    Report written to '/root/report_1666170386.csv'.
    Code:
    cat report_1666170386.csv
    p,/home/imav/eicar.com.txt," @!!!>X5O!P%AP[4PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H",1666170375,1666170375,68,1666170387,id_e172d1f3,3395856ce81f2b7382dee72602f798b642f14140,SMW-SA-05057-eicar.tst-2,275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f


    Could you please verify the above commands and let us know whether this is still not quite what you wanted, so we may pass your feedback to our developers? Thanks!
    Last edited by mchernyavsky; 10-19-2022, 09:09 AM.
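    The CSV report produced by the `--csv_report` option is what an administrator would actually consume from a command-line scan. The following is an added example, not code from the post or from Imunify/ai-bolit, that parses such a report into a list of detections and lets you verify that a file on disk still matches the size and SHA-256 recorded in the report. The column positions (path, snippet, size, SHA-1, signature name, SHA-256) are assumptions derived from the single sample row above; the meaning of the first column (`p`) and of the timestamp columns is not documented on the page, so they are left untouched. The embedded sample row is constructed from that post.

    ```python
    import csv
    import hashlib
    import io

    # Assumed 0-based column positions, inferred from the one sample row in the
    # post (not vendor-documented): p,path,snippet,ts,ts,size,ts,id,sha1,signature,sha256
    COL_PATH, COL_SNIPPET, COL_SIZE, COL_SHA1, COL_SIGNATURE, COL_SHA256 = 1, 2, 5, 8, 9, 10

    # Constructed sample report in the layout shown in the post (EICAR test file).
    SAMPLE_REPORT = (
        'p,/home/imav/eicar.com.txt,'
        '" @!!!>X5O!P%AP[4PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H",'
        '1666170375,1666170375,68,1666170387,id_e172d1f3,'
        '3395856ce81f2b7382dee72602f798b642f14140,SMW-SA-05057-eicar.tst-2,'
        '275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f\n'
    )


    def parse_report(text):
        """Parse ai-bolit style CSV text into a list of detection dicts.

        Rows that are blank or shorter than the assumed layout are skipped rather
        than raising, so a partially written report does not abort processing.
        """
        detections = []
        for row in csv.reader(io.StringIO(text)):
            if len(row) <= COL_SHA256:
                continue
            try:
                size = int(row[COL_SIZE])
            except ValueError:
                size = None  # size column unparsable; keep the detection anyway
            detections.append({
                "path": row[COL_PATH],
                "snippet": row[COL_SNIPPET].strip(),
                "size": size,
                "sha1": row[COL_SHA1].lower(),
                "signature": row[COL_SIGNATURE],
                "sha256": row[COL_SHA256].lower(),
            })
        return detections


    def summarize(detections):
        """Count detections per signature name, e.g. for a one-line summary."""
        counts = {}
        for d in detections:
            counts[d["signature"]] = counts.get(d["signature"], 0) + 1
        return counts


    def sha256_hex(data):
        """Hex SHA-256 of a byte string (same hash the report records)."""
        return hashlib.sha256(data).hexdigest()


    def file_matches_report(path, detection):
        """True if the file on disk still has the size and SHA-256 in the report.

        Useful before acting on a report: a False result means the file changed
        (or was replaced) after the scan, and the finding should be re-checked.
        """
        with open(path, "rb") as fh:
            data = fh.read()
        size_ok = detection["size"] is None or len(data) == detection["size"]
        return size_ok and sha256_hex(data) == detection["sha256"]


    if __name__ == "__main__":
        found = parse_report(SAMPLE_REPORT)
        for d in found:
            print(f"{d['path']}: {d['signature']} sha256={d['sha256']}")
        print(summarize(found))
    ```

    Pointing `parse_report` at the contents of `report_<timestamp>.csv` gives the same per-file view the GUI shows; `file_matches_report` closes the gap between "a scan once flagged this path" and "the bytes currently at this path are the ones that were flagged".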



    • #3
      What user does /opt/ai-bolit/wrapper run as?

      When I run that command I get a

      Cannot create '/root/report_...

      error. And it doesn't look like /opt/ai-bolit/ai-bolit-hoster.php is actually reading the file specified in --path



      • #4
        I changed --csv_report to --json-stdout --json_report=. and was able to get a report.

        However - this command does not report any malware for a specific file. But for that same file, the Imunify GUI report shows it infected with SMW-BLKH-1528530-php.bkdr

        It would seem that Imunify is still checking against a list that /opt/ai-bolit/ai-bolit-hoster.php is not.



        • #5
          You asked:
          What user does /opt/ai-bolit/wrapper run as?
          If I understood the question correctly, Imunify should work under the root user.

          However - this command does not report any malware for a specific file.
          In a discussion with our malware analysts, it was confirmed that Black Hashes are part of the cloud-based mechanisms. The malware scanner is not only an ai-bolit PHP script but a combined, complex mechanism, and Black Hashes are checked on the Imunify server side, so by design only an on-demand scan launched with the Imunify agent or UI covers them.

          it doesn't look like /opt/ai-bolit/ai-bolit-hoster.php is actually reading the file specified in --path
          The engine that can be triggered from CLI wasn't designed to run it directly. For example, path templates work differently.

          Overall, running the scan engine as a PHP script is the closest we can get to "simple command line execution". We recommend running scans through the imunify360-agent CLI and also checking the results using the agent. The agent commands are going to be supported as described in the documentation. Nonetheless, our developers were notified of this feature request and might consider implementing it in the future.

          Thank you for your feedback! I will be glad to ask any of your questions and hope you will find these responses useful.
          Last edited by mchernyavsky; 10-20-2022, 04:54 AM.
