How to use scanner ignore mask
  1. John Carpenter
  2. Friday, 28 June 2019
Hello,

I can't figure out how to use the scanner ignore mask feature.

I want to run on-demand scans and ignore these paths:

/home*/*/mail/
/home*/*/.trash/


Syntax for several complex paths isn't clearly documented, but in the WHM plugin we get an example if we hover over the "i." So I understand the syntax should look something like the following, correct?

/usr/bin/imunify360-agent malware on-demand start --ignore-mask '/home*/*/mail/,/home*/*/.trash/' --intensity low --path '/home*/*' --no-follow-symlinks


Unfortunately /home*/*/.trash/ is still getting scanned with these options.

To troubleshoot I made a simple test case, placing 2 copies of a known malware sample as follows:

/root/abuse/scantest/
/root/abuse/scantest/.trash
/root/abuse/scantest/.trash/zoom.php
/root/abuse/scantest/subdir
/root/abuse/scantest/subdir/zoom.php


I've tried lots of variations of the on-demand scan, without using wildcards or several ignore mask directories, to make this as simple as possible, for example the following:
/usr/bin/imunify360-agent malware on-demand start --path /root/abuse/scantest --ignore-mask '/root/abuse/scantest/.trash' --intensity=high --no-follow-symlinks
/usr/bin/imunify360-agent malware on-demand start --path /root/abuse/scantest --ignore-mask '/root/abuse/scantest/subdir' --intensity=high --no-follow-symlinks


I've also tried the same scans in the WHM plugin, using ignore mask in the advanced options.

In every case, both files are detected as malicious.

Am I doing something wrong, or is the ignore mask feature not working correctly?

Thanks in advance.
  1. 01.07.2019 08:07:16
Sergey Khristich Accepted Answer
Hello John!
We have to admit that the `--ignore-mask` argument's format is not straightforward. It has to be a mask that matches all of the files you want to ignore. We have tested it the following way:
We used a wildcard for the path that matches 3 users on my machine and tried to exclude 2 of them using said argument. The following did not work:

$ imunify360-agent malware on-demand start --path='/var/www/vhosts/d*' --ignore-mask='/var/www/vhosts/dixon.com,/var/www/vhosts/dunn.com'


$ imunify360-agent malware on-demand list
CREATED ERROR PATH SCAN_STATUS SCANID STARTED TOTAL TOTAL_FILES TOTAL_MALICIOUS
1561969069 None /var/www/vhosts/d* stopped 73c52bb4a0b145b0a932a420b94bf6af 1561969069 84 84 2

But adding a `*` to the end of each mask did the trick:

$ imunify360-agent malware on-demand start --path='/var/www/vhosts/d*' --ignore-mask='/var/www/vhosts/dixon.com/*,/var/www/vhosts/dunn.com/*'


$ imunify360-agent malware on-demand list
1561968922 None /var/www/vhosts/d* stopped 7fc87a489ec743a28a1a4ec5a126be4f 1561968922 27 27 0
1561968821 None /var/www/vhosts/d* stopped cd1f60f2c56f4d24bf721a132ebc5f7f 1561968821 84 84 2
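
The behaviour described in this answer, as an added sketch that is not part of the original thread and is not Imunify360's code: it previews which files a comma-separated `--ignore-mask` value would exclude. It assumes each mask is matched against the full file path with shell-style wildcards (Python's `fnmatch`); that matching model, the function names and the `/home` sample paths are assumptions chosen to be consistent with the results reported above.

```python
from fnmatch import fnmatchcase

def split_masks(ignore_mask):
    """Split a comma-separated --ignore-mask value into individual patterns."""
    return [m.strip() for m in ignore_mask.split(",") if m.strip()]

def preview(ignore_mask, files):
    """Return (scanned, skipped, unused_masks) for a list of file paths.

    Assumed model: a file is skipped only when a mask matches its FULL path,
    so a mask naming just the directory matches none of the files inside it.
    """
    masks = split_masks(ignore_mask)
    skipped = [f for f in files if any(fnmatchcase(f, m) for m in masks)]
    scanned = [f for f in files if f not in skipped]
    # A mask that matches no file at all is the silent failure from the thread.
    unused = [m for m in masks if not any(fnmatchcase(f, m) for f in files)]
    return scanned, skipped, unused

# Constructed paths: the test tree from the question plus hypothetical accounts.
FILES = [
    "/root/abuse/scantest/.trash/zoom.php",
    "/root/abuse/scantest/subdir/zoom.php",
    "/home/alice/mail/cur/msg1",
    "/home2/bob/.trash/old.php",
    "/home/alice/public_html/index.php",
    "/home/alice/public_html/mail/form.php",
]

if __name__ == "__main__":
    for value in (
        "/root/abuse/scantest/.trash",        # directory only: excludes nothing
        "/root/abuse/scantest/.trash/*",      # trailing * matches the files
        "/home*/*/mail/,/home*/*/.trash/",    # trailing slash: excludes nothing
        "/home*/*/mail/*,/home*/*/.trash/*",  # excludes files under both dirs
    ):
        scanned, skipped, unused = preview(value, FILES)
        print(f"--ignore-mask '{value}'")
        print("  skipped:", skipped)
        print("  masks matching nothing:", unused)
```

Under this assumed model `*` also crosses `/`, so `/home*/*/mail/*` excludes `/home/alice/public_html/mail/form.php` as well; review the skipped list for paths you still want scanned.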
  1. 30.07.2019 20:07:38
  2. # 1
John Carpenter Accepted Answer
Thanks for your help on this. I can confirm this works as you explained it.
  1. 31.07.2019 08:07:36
  2. # 2
Sergey Khristich Accepted Answer
Hello John!
Happy to hear it and thanks for following up!