Listing malicious files by scanid

beepmode replied

02-28-2024, 02:54 PM
Just to confirm that works!

Many thanks for you reply.
Leave a comment:

alevchenko replied

02-28-2024, 10:01 AM

Hello,

We have a CLI argument `--by-scan-id BY_SCAN_ID` for getting scan results by scan ID: https://docs.imunify360.com/imunifyav/cli/#malware

Here is from my lab server, uploaded a test file:

HTML Code:

 ~]# imunify360-agent malware on-demand list --json | jq '.items'
[
{
"total_resources": 14,
"path": "/home/idtest",
"scanid": "72552b2b54e64195a47ff1e186447811",
"started": 1709114233,
"completed": 1709114243,
"error": null,
"total_malicious": 1,
"scan_type": "user",
"resource_type": "file",
"scan_status": "stopped",
"duration": 10,
"total": 14,
"created": 1709114233
},

-------------------------------------------------------------------

 ~]# imunify360-agent malware malicious list --by-scan-id 72552b2b54e64195a47ff1e186447811 --json | jq '.items'
[
{
"id": 2,
"username": "idtest",
"file": "/home/idtest/public_html/id-test.com/test-scan/testing.php",
"created": 1709114233,
"scan_id": "72552b2b54e64195a47ff1e186447811",
"scan_type": "user",
"resource_type": "file",
"type": "SMW-BLKH-SA-CLOUDAV-eicar.tst-05057-2",
"hash": "131f95c51cc819465fa1797f6ccacf9d494aaaff46fa3eac7 3ae63ffbdfd8267",
"size": "69",
"malicious": true,
"status": "found",
"cleaned_at": null,
"extra_data": {},
"db_name": null,
"app_name": null,
"db_host": null,
"db_port": null
}
]

Leave a comment:

beepmode started a topic Listing malicious files by scanid

02-27-2024, 01:59 PM
Listing malicious files by scanid
I'm using the free Imunify version and have been looking for a way to list malicious files for an individual scan. I haven't configured any users (all domains on the server are owned by the same user) and I'm simply scanning paths.

To illustrate, this is one of the scans:

Code:

# imunify-antivirus malware on-demand list --json | jq '.items' [ { "total_resources": 13767, "path": "/var/www/example.com/public_html/", "scanid": "f51850a361484eca919a0dcd0314cc2c", "started": 1709035139, "completed": 1709035156, "error": null, "total_malicious": 97, "scan_type": "on-demand", "resource_type": "file", "scan_status": "stopped", "duration": 17, "total": 13767, "created": 1709035139 } ]

As far as I can tell it's not possible to list files by scanid. The only option seems to be to use the "started" and "completed" dates; I can use the timestamps to limit the output of [CODE][malware history list/CODE] to the files I'm interested in:

Code:

# ts_start=$(imunify-antivirus malware on-demand list --json | jq '.items[] | select(.scanid == "f51850a361484eca919a0dcd0314cc2c").started') # ts_end=$(imunify-antivirus malware on-demand list --json | jq '.items[] | select(.scanid == "f51850a361484eca919a0dcd0314cc2c").completed') # ts_end=$((ts_end+1)) # imunify-antivirus malware history list --limit 1000 --json | jq '.items[]'

As an aside, the reason I add a second to the "completed" timestamp is that 84 of the 97 malicious files have 1709035157 as the "ctime" value in the output of [CODE][malware history list/CODE]. That's one second after the "completed" timestamp (so it looks like the "completed" timestamp is wrong, maybe because of a rounding error?):

Code:

# imunify-antivirus malware history list --limit 1000 --json | jq '.items[] | select(.ctime == 1709035157).id' | wc -l 84

In any case, I suspect there is an easier way to get malicious files for a particular scan? Is there a way to list malicious files by scanid?
Tags: None

Announcement

Leave a comment: