ImunifyAV for cPanel and DirectAdmin

Note

This ImunifyAV documentation is applicable for cPanel and DirectAdmin control panels only.

  • You can find documentation for ImunifyAV for Plesk here
  • You can find documentation for ImunifyAV for ISPmanager here
  • You can find documentation for stand-alone (no-panel) version of ImunifyAV here

ImunifyAV provides malware scanning features for cPanel and DirectAdmin control panels.

Installation Guide

Requirements

Operating systems

  • CentOS/RHEL 6 and 7
  • CloudLinux OS 6 and 7
  • Ubuntu 16.04 (LTS only) and 18.04 in stand-alone mode
  • CentOS 8 with Plesk
  • CentOS 8 with DirectAdmin
  • CentOS 8 in stand-alone mode
  • CloudLinux OS 8 with DirectAdmin
  • CloudLinux OS 8 in sstand-alone mode

Virtualization

  • OpenVZ - Works for Virtuozzo 7

Hardware

  • RAM: 512 Mb
  • HDD: 20 Gb available disk space

Supported hosting panels

Required browsers

  • Safari version 9.1 or later
  • Chrome version 39 or later
  • Firefox version 28 or later
  • Edge version 17 or later
  • Internet Explorer version 11 or later

Installation Instructions

Warning

On DirectAdmin, Imunify UI requires the proc_open PHP function to be enabled. If you are unable to open the Imunify UI, you might see a related message in the errror.log of the web-server. If so, please remove it from the disable_functions list in php.ini.

To install ImunifyAV proceed the following steps:

  1. Log in with root privileges to the server where ImunifyAV should be installed.

  2. Go to your home directory and run the commands:

wget https://repo.imunify360.cloudlinux.com/defence360/imav-deploy.sh
bash imav-deploy.sh

To install ImunifyAV beta version add argument --beta. For example:

bash imav-deploy.sh --beta

If you already have ImunifyAV+ license key you can use it during installation:

wget https://repo.imunify360.cloudlinux.com/defence360/imav-deploy.sh
bash imav-deploy.sh --key YOUR_KEY

where YOUR_KEY is your license key. Replace YOUR_KEY with the actual key purchased at https://www.imunify360.com/.

If you have an IP-based license for ImunifyAV+, use IPL as license key:

wget https://repo.imunify360.cloudlinux.com/defence360/imav-deploy.sh
bash imav-deploy.sh --key IPL

To view available options for installation script run:

bash imav-deploy.sh -h

In a case of registration key is passed later, then you can register an activation key via the imunify-antivirus command:

imunify-antivirus register YOUR_KEY

Where YOUR_KEY is your activation key or IPL in case of IP-based license.

Update Instructions

To upgrade ImunifyAV run the command:

yum update imunify-antivirus

To update ImunifyAV beta version run the command:

yum update imunify-antivirus --enablerepo=imunify360-testing

To update ImunifyAV on Ubuntu run the command:

apt-get update
apt-get install --only-upgrade imunify-antivirus

To update ImunifyAV beta on Ubuntu 16.04 LTS run the command:

echo 'deb https://repo.imunify360.cloudlinux.com/imunify360/ubuntu-testing/16.04/ xenial main'  > /etc/apt/sources.list.d/imunify360-testing.list
apt-get update
apt-get install --only-upgrade imunify-antivirus

To update ImunifyAV beta on Ubuntu 18.04 run the command:

echo 'deb https://repo.imunify360.cloudlinux.com/imunify360/ubuntu-testing/18.04/ bionic main'  > /etc/apt/sources.list.d/imunify360-testing.list
apt-get update
apt-get install --only-upgrade imunify-antivirus

If you do not want to receive updates from beta, remove beta repository:

rm /etc/apt/sources.list.d/imunify360-testing.list
apt-get update

Gradual roll-out

New stable ImunifyAV versions are scheduled for the gradual roll-out from our production repository and are available for all customers in about two weeks or less from the release.

If you do not want to wait for the gradual roll-out, you can update ImunifyAV to the latest version by running the following commands:

wget https://repo.imunify360.cloudlinux.com/defence360/imunify-force-update.sh
bash imunify-force-update.sh

Uninstall

How to uninstall ImunifyAV

To uninstall ImunifyAV, run the command:

bash imav-deploy.sh --uninstall

If you have already removed imav-deploy.sh then download it by running:

wget https://repo.imunify360.cloudlinux.com/defence360/imav-deploy.sh

And proceed to the directory with the script.

How to stop ImunifyAV

For CentOS/CloudLinux OS 6, run the following command:

service imunify-antivirus stop

For all other operating systems, run the following command:

systemctl stop imunify-antivirus

Localization

ImunifyAV supports the following languages in addition to default (en-US):

  • de-DE
  • es-ES
  • fr-FR
  • ja-JP
  • it-IT
  • tr-TR
  • nl-NL
  • ru-RU
  • pt-BR
  • zh-CN

How to perform a translation to your own language using our language file

Hoster Interface

Click ImunifyAV in the main menu. There are following tabs in ImunifyAV hoster interface:

Users

Go to ImunifyAV → Users tab. Here, there is a table with a list of users on the server, except users with root privileges.

ImunifyAV → Users tab
ImunifyAV → Users tab

The table has the following columns:

  • User name — displays a user name.
  • Home directory — a path to a user home directory starting from the root.
  • Infection status — a current status depending on the last action made:
    • On-Demand scanning — scanning is in progress.
    • Cleaning up — user's files are now cleaning up.
    • Number of threats — a number of infected files detected after scanning. Click to go to the Files tab where you can see all malicious files.
    • No malware found — no malware was found during scanning.
    • Malware cleaned – click a link to go to the History tab and see details.
  • Actions:
    • Scan for malware — click Scan icon to start scanning files for a particular user.
    • View report — click View Report icon to go to the Files tab and display the results of the last scan.
    • CleanupAV+ — click Cleanup to start cleaning up infected files for a user.
    • Restore originalAV+ — click Restore original to restore the original file after cleaning up if a backup is available. To perform a bulk action, tick required users and click the corresponding button above the table.

Note

Cleaning up all files of all users and scanning all files is available in ImunifyAV+. To upgrade to ImunifyAV+, click Upgrade to ImunifyAV+ , you will be redirected to the ImunifyAV+ upgrade page. Or click Cleanup all button, you will be redirected to the ImunifyAV+ upgrade page.

The badge in the History tab shows the number of missed events in the Malware Scanner’s History.

The following filters are available:

Items per page displayed — click the number at the table bottom.

The table can be sorted by User name and Infection status (by the date of the last action).

Files

Go to ImunifyAV → Files tab. Here, there is a table with a list of infected files within all domains and user accounts.

ImunifyAV → Files tab
ImunifyAV → Files tab

The table has the following columns:

  • Scan date — displays the exact time the scanning process has started.
  • Username — displays a file owner name.
  • File — a path where a file is located starting with root
  • Reason — describes the signature which was detected during the scanning process. Names in this column depend on the signature vendor. You can derive some information from the signature ID itself. SMW-SA-05155-wshll – in this Signature ID:
    • The first section can be either SMW or CMW. SMW stands for Server Malware and CMW stands for Client Malware
    • The second section of ID can be either INJ or SA. INJ stands for Injection (means Malware is Injected to some legitimate file) and SA stands for StandAlone (means File is Completely Malicious)
    • The third section is 05155. This is simply an identification number for the signature.
    • The fourth section wshll/mlw.wp/etc explains the category and class of malware identified. Here, wshll stands for web shell (mlw stands for malware).
    • The fifth section is 0, which provides the version number of the signature.
  • Status — displays the file status:
    • Infected — threat was detected after scanning. If a file was not cleaned after cleanup, the info icon is displayed. Hover mouse over info icon to display the reason.
    • Cleaned —  infected file is cleaned up.
    • Content removed — a file content was removed after cleanup.
    • Cleanup queuedAV+ — infected file is queued for cleanup. Actions:
  • Add to Ignore List — add file to the Ignore List and remove it from the Malicious files list. Note that if a file is added to the Ignore List, ImunifyAV will no longer scan this file.
  • Delete permanently — remove the file from the server and from the list of Malicious files.
  • View file — click eye icon in the file line and the file content will be displayed in the pop-up. Only the first 100Kb of the file content will be shown in case if a file has bigger size.
  • Restore original — restore an initial infected file.
  • Cleanup fileAV+ — click Clean up to clean up all infected files within the account.

To perform a bulk action, tick required users and click the corresponding button above the table.

Note

Cleaning up all files of all users is available in the ImunifyAV+. To upgrade to the ImunifyAV+, click Upgrade to ImunifyAV+, you will be redirected to ImunifyAV+ upgrade page. Or click Cleanup all button, you will be redirected to the ImunifyAV+ upgrade page.

The following filters are available:

  • Scan date — displays the results filtered by chosen period or date.
  • Result — displays the results filtered by chosen status.
  • Total files – displays the results with descending/ascending filtering.
  • Items per page displayed — click the number at the table bottom.

The table can be sorted by detection date (detected), user name, file path (file), reason, and status.

Scan

Malware scanner allows users to scan a specific directory or file for malware. Go to ImunifyAV → Scan tab. Then proceed the following steps:

  1. Type a folder name to scan in the Folder to scan field. Start typing with the slash /. It is possible to use Advanced settings:
  • Filename mask allows to set file type for scanning (for example, *.php - all the files with the extension php). The default setting is * which means all files without restriction.
  • Ignore mask allows to set file type to ignore (for example, *.html will ignore all files with the extension html).
  • CPU consumption. Defines the CPU consumption for scanning without decreasing efficiency: from Low to High.
  • I/O consumption. Defines the I/O consumption for scanning without decreasing efficiency: from Low to High.
  • Follow symlinks. Follow all symlinks within the folder to scan.

Note

If ImunifyAV is running on CloudLinux OS, LVE is used to manage scan intensity. If it is running on other operating systems, “nice” is used to control CPU and “ionice” is used when the I/O scheduler is CFQ.

  1. Click Start.
ImunifyAV → Scan tab

At the top right corner scanning progress and status are displayed:

  • Scanner is stopped means that there is no scanning process running.
  • Scanning…% means that the scanner is working at the moment. A percentage displays the scanning progress. You can also see the scanning status beneath the Mask or Advanced options.
Imunify Scan
ImunifyAV → Scan tab

When scanning is completed, the results are shown in the table below with the following information:

  • Date — scan date;
  • Path — scanned folder path;
  • Total files — total number of scanned files;
  • Result — displays a number of threats and a number of files detected as suspicious during scanning;
  • Action:
    • View report — click View Report icon to go to the Files tab and display the results of the last scan.
ImunifyAV → Scan table

The following filters are available:

Timeframe — displays the results filtered by chosen period or date. To review and manage suspicious files go to the Files tab.

The table can be sorted by Date, Path, Total files, and Result.

Scan Filter
Scan table → Filter

History

The History tab contains data of all actions for all files. Go to ImunifyAV → History tab. Here, there is a table with a list of files within all domains.

ImunifyAV → History tab

The table has the following columns:

  • Date — action timestamp.
  • Path to File — path to the file starting from the root.
  • Cause — displays the way malicious file was found:
    • Manual — scanning or cleaning was manually processed by a user.
    • On-demand — scanning or cleaning was initiated/made by a user.
    • Real time — scanning or cleaning was automatically processed by the system.
  • Owner — displays a user name of a file owner.
  • Initiator — displays the name of a user who was initiated the action. For system actions the name is System.
  • Event — displays the action with the file:
    • Detected as malicious — after scanning the file was detected as infected;
    • Cleaned — the file is cleaned up.
    • Failed to clean up — there was a problem during cleanup. Hover mouse over the info icon to read more.
    • Added to Ignore List — the file was added to the Ignore List. ImunifyAV will not scan it.
    • Restored original — file content was restored as not malicious.
    • Cleanup removed content — a file content was removed after cleanup.
    • Deleted from Ignore List — the file was removed from the Ignore List. ImunifyAV will scan it.
    • Deleted — the file was deleted.
    • Submitted for analysis — the file was submitted to the Imunify team for analysis.
    • Failed to delete — there was a problem during removal. Hover mouse over the info icon to read more.
    • Failed to ignore — there was a problem during adding to the Ignore List. Hover mouse over the info icon to read more.
    • Failed to delete from ignore — there was a problem during removal from the Ignore List. Hover mouse over the info icon to read more.

The table can be sorted by Date, Path to File, Cause, and Owner.

Ignore List

The Ignore List tab contains the list of files that are excluded from Malware Scanner scanning. Go to ImunifyAV → Ignore List tab. Here, there is a table with a list of files within all domains.

ImunifyAV → Ignore list tab

The table has the following columns:

  • Added — the date when the file was added to the Ignore list.
  • Path — path to the file starting from the root.
  • Actions:
    • Remove from Ignore List — click Bin icon to remove the file from the Ignore list and start scanning.
    • Add new file or directory — click Plus icon to add a new file or directory to the Ignore list. To perform a bulk action, tick the required files and click the corresponding button above the table.

The following filters are available:

Timeframe — displays the results filtered by chosen period or date. Items per page displayed — click the number at the table bottom. Path – displays the results filtered by a path in a direct or reverse alphabetical order.

The table can be sorted by Added and Path. By default, it is sorted from newest to oldest.

Features Management AV

Features Management tab allows to enable or disable ImunifyAV features for each customer. Go to ImunifyAV → Features Management tab.

ImunifyAV → Features Management tab

To enable Malware Cleanup feature for new users by default, move the Malware Cleanup slider.

The table has the following columns:

  • Name — user name
  • Domains — user domain name
  • Malware Cleanup — allows to enable or disable Malware Cleanup feature for selected user by moving the slider.

To perform a bulk action, tick required users and move the Malware Cleanup slider at the table header. Confirm the action on the confirmation popup.

Reputation Management AV+

Note

Reputation Management is available in ImunifyAV+ only.

Reputation Management is an analyzing and notifying tool intended to inform about websites blocking and blacklisting.

Choose Reputation Management in the main menu of the ImunifyAV+ user interface to get to the Reputation Management page.

Reputation Management allows to check if a domain registered on your server is safe or not based on the following reputation engines:

How does it work:

  • We get a list of domains periodically (via crontab)
  • Send it to the central Imunify server
  • Get results from it
  • Add bad domains to the list of Reputation Management

If a domain or an IP is blocked, then this information will be available in the table below. If a user’s website appears in this table, then it would be useful to send this link to the user. This instruction can help to solve problems with the domain.

At the top of the page (also in the main menu near Reputation Management item), ImunifyAV+ shows the number of affected domains. This number is a quantity of affected domains that exist on the server.

The table shows:

  • ID – domain owner username
  • URL – the affected domain link
  • Type – read more about types on the link (we still do not support THREAT_TYPE_UNSPECIFIED and POTENTIALLY_HARMFUL_APPLICATION).
  • Detection time – exact time when the Reputation Management has detected the domain
ImunifyAV → Reputation Management

Click link icon in the Action column to copy the URL to the clipboard.

Note

Reputation Management online and browser look may differ. This is because Google Safe Browsing has an issue described on github.

Settings

Go to ImunifyAV → Settings tab to set up the behaviour of ImunifyAV scanner. Here you can configure the following: Resource consumption General Background Scanning Malware Cleanup Error reporting

Go to ImunifyAV → Settings tab to set up the behaviour of ImunifyAV scanner. Here you can configure the following:

Resource consumption

ImunifyAV → Settings → Resource consumption
ImunifyAV → Settings → Resource consumption
  • CPU consumption – enables to set a level of CPU usage by Malware Scanner.

    Note

    Low CPU usage means low scanning speed

  • I/O consumption – enables to set a level of I/O usage by Malware Scanner.

    Note

    Low I/O usage means low scanning speed

    Note

    If ImunifyAV is running on CloudLinux OS, LVE is used to manage scan intensity. If it is running on other operating systems, “nice” is used to control CPU and “ionice” is used when the I/O scheduler is CFQ.

General

ImunifyAV → Settings → General
ImunifyAV → Settings → General
  • Automatically send suspicious and malicious files for analysis – malicious and suspicious files will be sent to the ImunifyAV Team for analysis automatically.
  • RapidScan – dramatically speeds up repeated scans based on smart re-scan approach, local result caching and cloud-assisted scan. When you first enable the RapidScan feature, the first scan will run as before. But subsequent scans will see a dramatic speed improvement, anywhere between 5 to 20 times faster. You can find the details here: https://docs.imunify360.com/features/#rapidscan)
  • Binary (ELF) malware detection – this option allows to scans user home directories for malware.

Tick required checkboxes and click the Save changes button.

Background Scanning

Allows to set up automatic, scheduled, background scanning of user accounts.

  • Run scanning — select the desired period:
    • Never
    • Daily*
    • Weekly*
    • Monthly

Note

The Daily and Weekly options are available for ImunifyAV+ and Imunify360 only.

SettingsBackgroundScanning1
ImunifyAV → Settings → Background Scanning
ImunifyAV → Settings → Background Scanning
ImunifyAV → Settings → Background Scanning

Depending on the selected period, precise settings.

  • If Run scanning is set to Daily, choose the exact time at the Run at dropdown.
  • If Run scanning is set to Weekly, choose the day of the week at the Run on the dropdown and the exact time at the Run at dropdown.
  • If Run scanning is set to Monthly, choose the day of the month at the Day of month to run dropdown and the exact time at the Run at dropdown.

Malware Cleanup

  • Trim file instead of removal — do not remove infected file during cleanup but make the file zero-size (for malwares like web-shells);
  • Keep original files for … days — the original infected file is available for restore within the defined period. Default is 14 days.
Malware Cleanup
ImunifyAV → Settings → Malware Cleanup

Error reporting

Tick the Enable Sentry error reporting checkbox to send reports to ImunifyAV error reports server.

Error Reporting
ImunifyAV → Settings → Error reporting

Upgrade AV

To upgrade to ImunifyAV+ click Upgrade Imunify button, upgrade page opens.

To upgrade, click Buy Now button, you will be redirected to the purchase page. Or activate the product using an activation key if you already have one.

End User Interface

The user side is hidden by default and can be enabled by executing the following command:

/opt/alt/python35/share/imunify360/scripts/av-userside-plugin.sh

To disable it back, run:

/opt/alt/python35/share/imunify360/scripts/av-userside-plugin.sh -r

Click ImunifyAV in the main menu. There are following tabs in ImunifyAV end user interface:

Files

Go to ImunifyAV → Files tab. Here, there is a table with a list of infected files.

ImunifyAV Hoster UI → Files tab
ImunifyAV Hoster UI → Files tab

The table has the following columns:

  • Detected — displays the exact time when a file was detected as malicious
  • File — the path where the file is located starting with root
  • Reason — describes the signature which was detected during the scanning process. Names in this column depend on the signature vendor. You can derive some information from the signature ID itself. SMW-SA-05155-wshll – in this Signature ID:
    • The first section can be either SMW or CMW. SMW stands for Server Malware and CMW stands for Client Malware
    • The second section of ID can be either INJ or SA. INJ stands for Injection (means Malware is Injected to some legitimate file) and SA stands for StandAlone (means File is Completely Malicious)
    • The third section is 05155. This is simply an identification number for the signature.
    • The fourth section wshll/mlw.wp/etc explains the category and class of malware identified. Here, wshll stands for web shell (mlw stands for malware).
    • The fifth section is 0, which provides the version number of the signature.
  • Status — displays the file status:
    • Infected — threat was detected after scanning. If a file was not cleaned after cleanup, the info icon is displayed. Hover mouse over info icon to display the reason
    • Cleaned — infected file is cleaned up
    • Content removed — a file content was removed after cleanup
    • Cleanup queued AV+ — infected file is queued for cleanup. Actions:
  • Add to Ignore List — add file to Ignore List and remove it from the Malicious files list. Note that if a file is added to Ignore List, ImunifyAV will no longer scan this file
  • View file — click eye icon in the file line and the file content will be displayed in the popup. Only the first 100Kb of the file content will be shown in case if a file has bigger size
  • Cleanup AV+ — click to cleanup the file.
  • Delete AV+ — remove the file from the server and from the list of Malicious files.
  • Restore original AV+ — click Restore original to restore original file after cleaning up if backup is available.

To perform a bulk action, tick required users and click the corresponding button above the table.

If a user is allowed by the administrator to run a scan at any time on his own, he can see the Start scanning button.

The following filters are available:

  • Timeframe — displays the results filtered by chosen period or date.
  • Status — displays the results filtered by chosen status.
  • Items per page displayed — click the number at the table bottom.

The table can be sorted by detection date (Detected), file path (File), Reason, and Status.

ImunifyAV+ End User UI → Files tab
ImunifyAV+ End User UI → Files tab

If a user is allowed by an administrator to scan his files, he can see the Start scanning button. See also: How to enable/disable the "Start scanning" button for ImunifyAV\AV+.

History

History tab contains data of all actions for all files. Go to ImunifyAV → History tab. Here, there is a table with a list of files.

The table has the following columns:

  • Date — action timestamp.
  • Path to File — path to the file starting from the root.
  • Cause — displays the way malicious file was found:
    • Manual — scanning or cleaning was manually processed by a user.
    • On-demand — scanning or cleaning was initiated/made by a user;
    • Real time — scanning or cleaning was automatically processed by the system.
  • Owner — displays a user name of file owner.
  • Initiator — displays the name of a user who was initiated the action. For system actions the name is System.
  • Event — displays the action with the file:
    • Detected as malicious — after scanning the file was detected as infected;
    • Cleaned — the file is cleaned up.
    • Failed to clean up — there was a problem during cleanup. Hover mouse over the info icon to read more.
    • Added to Ignore List — the file was added to Ignore List. ImunifyAV will not scan it.
    • Restored original — file content was restored as not malicious.
    • Cleanup removed content — file contend was removed after cleanup.
    • Deleted from Ignore List — the file was removed from Ignore List. ImunifyAV will scan it.
    • Deleted — the file was deleted.
    • Submitted for analysis — the file was submitted to Imunify team for analysis.
    • Failed to delete — there was a problem during removal. Hover mouse over the info icon to read more.
    • Failed to ignore — there was a problem during adding to Ignore List. Hover mouse over the info icon to read more.
    • Failed to delete from ignore — there was a problem during removal from Ignore List. Hover mouse over the info icon to read more.

The table can be sorted by Date, Path to File, Cause, and Owner.

The table has the following columns:

Ignore List

Ignore List tab contains the list of files that are excluded from Malware Scanner scanning. Go to ImunifyAV → Ignore List tab. Here, there is a table with a list of files.

The table has the following columns:

  • Added — the date when the file was added to Ignore List.
  • Path — path to the file starting from the root.
  • Actions:
    • Remove from Ignore List — click Bin icon to remove the file from the Ignore List and start scanning.
    • Add new file or directory — click Plus icon to add a new file or directory to Ignore List. To perform a bulk action, tick required files and click the corresponding button above the table.

The following filters are available:

  • Timeframe — displays the results filtered by chosen period or date.
  • Items per page displayed — click the number at the table bottom.

The table can be sorted by Added and Path. By default, it is sorted from newest to oldest.

Hooks

Overview

Hooks are introduced as a script-based interface for various application events. This is a simple and effective way to automate ImunifyAV alerts and event processing. For example, an administrator can have ImunifyAV calling his own script when malicious files are detected or misconfigurations are detected and perform a custom processing or specific actions, for example, create a ticket. Hooks are available only via CLI.

Requirements

  • You can use any programming language to create a hook script
  • A hook script should be executable
  • For Native hooks, you should use Python 3.5 only

How to start using hooks

Start using hooks with three simple steps:

  1. Create a script to handle an event (a hook handler):
  1. Register your hook handler in ImunifyAV agent - use registration command:
imunify-antivirus hook add --event <event name> --path </path/to/hook_script>
  1. Once the event added - check results and the log file (see below)

Available events and their parameters

  • agent

    • subtype ( started | misconfig )
      • started - the event is generated each time the Imunify agent is started/restarted
        • params[]
          • version / string / version of agent
      • misconfig - the event is generated when the agent detects agent misconfiguration / broken settings / etc.
        • params[]
          • error / string / error message where / what type of misconfiguration was detected and some details
  • malware-scanning

    • subtype ( started | finished )
      • started - the event is generated when the malware scanning process is started (for on-demand and background scans only, yet not the ftp / waf / inotify)
        • params[]
          • scan_id / string / identifier of running scan
          • path / string / path that’s scanning
          • type / string / type of scanning (“on-demand”, “background”, “ftp”)
          • scan_params[] / initial scanning params
            • file_mask / string / file mask to scan
            • follow_symlinks / boolean / shall scanner follow symlinks
            • ignore_mask / string / file mask to ignore
            • intensity / string / intensity type selected (“low”, “moderate”, “high”)
{
"scan_id":"dc3c6061c572410a83be19d153809df1",
"home":"/home/a/abdhf/",
"user":"abdhf",
"type":"background",
"scan_params": {"file_mask":"*", "follow_symlinks":"true", "ignore_mask":"", "intensity":"low"}
}
      • finished - the event is generated when the malware scanning process is finished (for on-demand and background scans only, yet not the ftp / waf / inotify)
        • params[]
          • scan_id / string / identifier of running scan
          • path / string / path that’s scanned
          • users[] / string array/ user that’s scanned
          • started / int / unixtime when scan started
          • total_files / int / total number of files that were scanned
          • total_malicious / int / number of detected malicious files
          • errors[] / string / error message if any occurred during scanning
          • status / string / status of scan (“ok”, “has_errors”, “failed”)
          • scan_params[] / initial scanning params
            • file_mask / string / file mask to scan
            • follow_symlinks / boolean / shall scanner follow symlinks
            • ignore_mask / string / file mask to ignore
            • intensity / string / intensity type selected (“low”, “moderate”, “high”)
{
"scan_id":"dc3c6061c572410a83be19d153809df1",
"home":"/home/a/abdhf/",
"user":"abdhf",
"started":1587365282,
"total_files":873535,
"total_malicious":345,
"errors":[],
"status":"ok",
"type":"background",
"scan_params": {"file_mask":"*", "follow_symlinks":"true", "ignore_mask":"", "intensity":"low"}
}
  • malware-detected
    • subtype ( critical )
      • critical
        • params[]
          • scan_id / string / unique id of the scan
          • errors[] / string / error strings that happened during the last scan
          • started / int / unixtime when the scan was started
          • path / string / path that was scanned
          • users[] / string array / users that have been scanned (if any)
          • total_files / int / number of files checked within the last scanning
          • total_malicious / int / number of detected malicious files
          • tmp_filename / string / path to a temporary file with a list of detected threads. The list of threads is in the format of the following command: imunify-antivirus malware malicious list --by-scan-id=... --json
{

"scan_id":"dc3c6061c572410a83be19d153809df1",
"path":"/home/a/abdhf/",
"username":["imunify"],
"started":1587365282,
"total_files":873535,
"total_malicious":345,
"errors":[],
"files":[
{
  "username":"imunify",
  "hash":"17c1dd3659578126a32701bb5eaccecc2a6d8307d8e392f5381b7273bfb8a89d",
  "size":"182",
  "cleaned_at":1553762878.6882641,
  "extra_data":{


  },
  "malicious":true,
  "id":32,
  "status":"cleanup_removed",
  "file":"/home/imunify/public_html/01102018_2.php",
  "type":"SMW-INJ-04174-bkdr",
  "scan_type":"on-demand",
  "Created":1553002672
},
{
  "username":"imunify",
  "hash":"04425f71ae6c3cd04f8a7f156aee57096dd658ce6321c92619a07e122d33bd32",
  "size":"12523",
  "cleaned_at":1553762878.6882641,
  "extra_data":{


  },
  "malicious":true,
  "id":33,
  "status":"cleanup_done",
  "file":"/home/imunify/public_html/22.js",
  "type":"SMW-INJ-04346-js.inj",
  "scan_type":"on-demand",
  "Created":1553002672
},
...

}

Note

All results can be saved in a temporary file before handler invocation and then remove the file after the event is being processed

  • malware-cleanup
    • subtype ( started | finished )
      • started - the event is generated when the malware cleanup process is started (for on-demand and background cleanup only, background auto-cleanup will be implemented later)
        • params[]
          • cleanup_id / string / unique id of the cleanup
          • started / int / unixtime when the cleanup was started
          • tmp_filename / string / path to a temporary file with a scanning report. The list is in the format of the following command: imunify-antivirus malware malicious list --by-scan-id=... --json . See malware-detected hook section for details.
          • total_files / int / number of files that were sent for cleanup
      • finished - the event is generated when the malware scanning process is finished (for on-demand and background cleanup only, background auto-cleanup will be implemented later)
        • params[]
          • cleanup_id / string / identifier of running cleanup
          • started / int / unixtime when cleanup started
          • total_files / int / number of files that were sent for cleanup
          • total_cleaned / int / number of files that were successfully cleaned
          • tmp_filename / string / path to a temporary file with a list of results.
          • errors[] / string / error messages if any occurred during cleanup
          • errors[] / string / error messages if any occurred during cleanup
{
"scan_id":"dc3c6061c572410a83be19d153809df1",
"started":1587365282,
"total_files":873535,
"total_cleaned":872835,
"tmp_filename":”/var/imunify/tmp/hooks/tmp_02q648234692834698456728439587245.json”,
"errors":[],
"status":"ok"
}

Hooks CLI

The following CLI command is used to manage hooks:

imunify-antivirus hook [command] --event [event_name|all] [--path </path/to/hook_script>]

The following commands are supported:

  • add - register a new event handler
  • delete - unregister existing event handler
  • list - show existing event handlers
  • add-native - register a new native event handler

The third parameter event_name defines a particular event that invokes a registered handler as opposed to all keyword.
The fourth parameter /path/to/hook_script shall contain a valid path to a handler of the event, it shall be any executable or Python Native event handlers that agent will run upon a registered event.

Native

Native hook is a script written on Python 3.5 and allows to quickly process events. The Python file should contain only one method that customer would implement:

def im_hook(dict_param):
	….
	pass

where dict_param would hold the same data as JSON that non-Native hook will gate.

Log File

You can see all hook data in the log file. It is located at /var/log/imunify360/hook.log . When the event comes, the data is recorded to the log file in the following format:

timestamp event : id : started [native:] name :  subtype : script_path
  • native is prepended for the Native hook implementation
  • id is a unique ID for each event

Once the listener is done, the data is recorded to the log file in the following format:

timestamp event : id : done [native:] script_path [OK|ERROR:code]

In case of an error, you can see the error code you have specified.

Structure and examples of a hook script

Regular (non-native) hook:

#!/bin/bash

data=$(cat)

event=$(jq -r '.event' <<< ${data})
subtype=$(jq -r '.subtype' <<< ${data})

case ${event} in
    malware-scanning)
        case ${subtype} in
            started)
                # do stuff here
            ;;
            *)
                echo "Unhandled subtype: ${subtype}" 1>&2
                exit 1
        esac
        ;;
    *)
        echo "Unhandled event: ${event}/${subtype}" 1>&2
        exit 2
esac

Native hook:

def im_hook(dict_param):
   event = dict_param['event']
   subtype = dict_param['subtype']

   if event == 'malware-scanning':
       if subtype == 'started':
           # do stuff here
           pass
       elif subtype == 'finished':
           # do other stuff here
           pass
       else:
           raise Exception('Unhandled subtype {}'.format(subtype))
   else:
       raise Exception('Unhandled event {}'.format(event))