Manual scanning and e-mail alert
12-01-2012 10:52 AM
Using the latest Linux Security on RHEL6 with a command-line-only interface. Manual scan is done by
fsav /my/path/here
and it would be nice to have the results emailed to a given address. Is this possible? And of course we do not need "All OK" information, but the email if something suspicious is found.
Re: Manual scanning and e-mail alert
12-01-2012 01:32 PM
Hi,
You are on a Linux box. You can script anything you like.
Create a report, check the return code and mail the report...
BR
----------
perComp is a Gold Partner of F-Secure since 1994. Any advice or help given by me in this forum is voluntarily and to my best knowledge based on working with the products since 1997. Direct contact for customers please check our homepage http://www.percomp.de
Re: Manual scanning and e-mail alert
12-01-2012 02:21 PM
Yes, fsav takes the parameter --virus-action1=report, so that was my first idea to send that further. But:
report = synonym to none
So how to get the status or, more importantly, the real alerts out of there to be processed and sent by email?
Re: Manual scanning and e-mail alert
12-01-2012 02:35 PM
action=report is not to create a report, but to force the scanner only to report and block the file instead of disinfecting it.
Just pipe the output to a file and decide (based on the return code) what to do with the report....
BR
Re: Manual scanning and e-mail alert
16-01-2012 09:31 AM
OK, our Script Kid Department did a great job and wrote fsav_scan.sh for this and all the future needs too. It also includes automatic report generation and removal after 30 days, and an email alert is sent if needed.
Re: Manual scanning and e-mail alert
16-01-2012 09:47 AM
Hi,
great!
Would you mind offering the solution to the community?
Best Regards
Re: Manual scanning and e-mail alert
16-01-2012 02:26 PM
fsav_scan.sh:
#!/bin/bash -x
#
# This tool is used for reporting possible scanning alerts
# from F-Secure AV Scanner. Reports are generated to the report directory.
# Reports that are older than 30 days are removed automatically.
#
# Changelog:
#
# * Author, 12.1.2012
# - Initial revision.

##############
### Config ###
##############
HOSTNAME="$(/bin/hostname --fqdn)"
DATETIME="$(/bin/date +%d-%m-%Y-%H:%M)"
REPORT_DIR="/opt/fsav_report/reports"
REPORT_FILE="fsav_report-$DATETIME"
REPORT_OUTPUT="$REPORT_DIR/$REPORT_FILE"
REPORT_TARGET="your@address.here.com"
REPORT_SUBJECT="FSAV Scanner Alert From $HOSTNAME"
FSAV_BIN="/usr/bin/fsav"
FSAV_TARGET="/path/to/be/scanned//"
# Kept as an array so that a target path containing spaces stays one argument.
SCAN_CMD=("$FSAV_BIN" "$FSAV_TARGET")

#############
# Functions #
#############

# Check the return code and send an alert if the error code
# was something else than a zero.
function check_error() {
    local RETURN_CODE="$1"
    local ARG=""
    if [ -n "$2" ]; then
        ARG="$2"
    fi
    if [ "$RETURN_CODE" -ne 0 ]; then
        send_alert "$ARG"
        exit "$RETURN_CODE"
    else
        return 0
    fi
}

# Send an alert to $REPORT_TARGET. With no argument the scan report
# is mailed; with an argument only that message is mailed.
function send_alert() {
    local CUSTOM_ERROR="$1"
    local MAIL_BIN="/bin/mail"
    if [ -z "$CUSTOM_ERROR" ]; then
        "$MAIL_BIN" -s "$REPORT_SUBJECT" "$REPORT_TARGET" < "$REPORT_OUTPUT"
    else
        echo "$CUSTOM_ERROR" | "$MAIL_BIN" -s "$REPORT_SUBJECT" "$REPORT_TARGET"
    fi
}

# Delete reports older than 30 days.
function cleanup_reports() {
    if [ -n "$REPORT_DIR" ]; then
        find "$REPORT_DIR" -type f -mtime +30 -exec rm -vf {} \;
    fi
}

########
# Main #
########

# Check that the directory exists. If it doesn't, create it.
# If the directory exists, clean it up before proceeding.
if [ ! -d "$REPORT_DIR" ]; then
    mkdir -p "$REPORT_DIR"
    check_error $? "Error creating report directory."
else
    cleanup_reports
fi

# Run the scan with stdout and stderr captured in the report file.
# If the return code is non-zero, send the output to $REPORT_TARGET
# via e-mail.
"${SCAN_CMD[@]}" > "$REPORT_OUTPUT" 2>&1
check_error $?


