
From: Tommy
Date: 4/14/21 2:55 AM
Topic: ExternalTool
Type: General Discussions

I am testing Avast as another antivirus, but it seems I cannot get the result text.

At the shell window, I run:

/usr/bin/scan 001.xls, it returns the result: /root/001.xls VBS:Malware-gen
/usr/bin/scan 002.xlsx, it returns the result: /root/002.xlsx  Other:Malware-gen [Trj]

The ExternalTool.xml config file is as below:

<?xml version="1.0" encoding="UTF-8"?>
<ExternalTools>
  <ToolSet>
    <oneTool>
      <path>/usr/bin/scan</path>
      <condition>1</condition>
      <exitCode>1</exitCode>
      <resultText><![CDATA[.*:.*]]></resultText>
      <parameters>
        <oneParam>$SINGLE_ATTACHMENT</oneParam>
      </parameters>
    </oneTool>
  </ToolSet>
</ExternalTools>

 

It only returns this: scan was applied. Exit Code: 1

No virus name is shown.


From: Synametrics Support
Date: 4/14/21 4:00 AM
Topic: ExternalTool
Type: General Discussions

Try enabling additional logging using the following steps:


From: Tommy
Date: 4/14/21 5:43 AM
Topic: ExternalTool
Type: General Discussions

I mean I cannot get the virus name in the score description:

 

100 An MS Office document found containing embedded objects
500 scan was applied. Exit Code: 1 <==no virus name here

I hope it shows as below:

100 An MS Office document found containing embedded objects

500 scan was applied. Exit Code: 1 VBS:Malware-gen

 

2021-04-14 17:37:37,658 DEBUG ExternalTool - Executing [/usr/bin/scan /tmp/emlF276466076164588630.tmp]
2021-04-14 17:37:37,709 DEBUG ExternalTool - Exit code: 1
2021-04-14 17:37:52,598 DEBUG ExternalTool - Executing [/usr/bin/scan /tmp/emlF6884164323627886395.tmp]
2021-04-14 17:37:52,638 DEBUG ExternalTool - Exit code: 1

From: Tommy
Date: 4/14/21 6:08 AM
Topic: ExternalTool
Type: General Discussions

Is the resultText format wrong? At the shell I run as below, and it returns the result:

[root@localhost ~]# scan -i 001.xls
/root/001.xls VBS:Malware-gen|TX30877A620BBD598016000339|troj
[root@localhost ~]# scan -v 001.xls
3.0.3
[root@localhost ~]# scan -V 001.xls
21041400
[root@localhost ~]# scan -a 001.xls
/root/001.xls VBS:Malware-gen
[root@localhost ~]# scan 001.xls
/root/001.xls VBS:Malware-gen


From: Synametrics Support
Date: 4/14/21 7:53 AM
Topic: ExternalTool
Type: General Discussions

I see what you mean now. Currently, Xeams does not print the output of the external tool in the reason. This is done by design for the following reason:

The External Tool rule can be used for several reasons. It is not limited to running a third-party virus scanner. For example, a company could automatically process incoming purchase orders based on the attached file. The ONLY way to print the name of the virus is to print the entire output of the application. Depending upon the application that is executed, this output could be very long and printing the entire output in reason is not practical.

 


From: Tommy
Date: 4/14/21 8:19 AM
Topic: ExternalTool
Type: General Discussions

I test Sophos, and it can give the result with this format: <resultText><![CDATA[>>> Virus .* found]]></resultText>

savscan was applied. >>> Virus 'Troj/DocDl-TRH' found in file /tmp/emlF303338649421064410.tmp

But the main problem is that Sophos takes several seconds to load its database when using the command line, and sometimes multi-threading will cause the CPU to go to 100%.

Avast can return the scan result within 1-2 seconds, very good speed.

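Added example (not part of the original thread, and not Xeams, Avast or Sophos code): a Python check of the two resultText patterns posted above against the scanner output lines quoted in the thread, plus a parser that pulls the detection name out of an Avast line. The Avast line shape, the function names and the last sample line are assumptions; the thread does not say whether Xeams matches resultText anywhere in the output or against the whole line, so both modes are reported.

```python
import re

# Constructed samples: the first four copy the shape of output quoted in the thread;
# the last is a made-up non-detection line, not real scanner output.
SAMPLES = [
    "/root/001.xls VBS:Malware-gen",
    "/root/002.xlsx  Other:Malware-gen [Trj]",
    "/root/001.xls VBS:Malware-gen|TX30877A620BBD598016000339|troj",
    ">>> Virus 'Troj/DocDl-TRH' found in file /tmp/emlF303338649421064410.tmp",
    "warning: virus database is out of date",
]

# Assumed Avast line shape: <absolute path> <whitespace> <Family:Name> [extra].
# "extra" covers the " [Trj]" suffix and the "|id|class" fields printed by `scan -i`.
AVAST_LINE = re.compile(
    r"^(?P<path>/.*?)\s+(?P<name>[^\s:|/]+:[^\s|]+)(?P<extra>.*)$"
)


def parse_avast_line(line):
    """Return {'path', 'name', 'extra'} for a detection line, else None."""
    m = AVAST_LINE.match(line.rstrip("\n"))
    if m is None:
        return None
    return {k: v.strip() for k, v in m.groupdict().items()}


def pattern_hits(pattern, line):
    """Report whether a candidate resultText pattern hits the line when it may
    match anywhere (search) and when it must cover the whole line (fullmatch)."""
    rx = re.compile(pattern)
    return {"search": rx.search(line) is not None,
            "fullmatch": rx.fullmatch(line) is not None}


def report(patterns, lines=SAMPLES):
    """Map each pattern to the sample lines it hits in at least one mode."""
    return {p: [ln for ln in lines if any(pattern_hits(p, ln).values())]
            for p in patterns}


if __name__ == "__main__":
    for pat, hit in report([r".*:.*", r">>> Virus .* found"]).items():
        print(pat, "->", len(hit), "of", len(SAMPLES), "sample lines")
    for ln in SAMPLES[:3]:
        print(parse_avast_line(ln))
```

The `.*:.*` pattern also hits the made-up warning line, because it accepts any line that contains a colon.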