Create a one-time Endpoint Security for Linux on-demand scan for a file
Technical Articles ID: KB89768
Last Modified: 2022-07-06 05:46:12 Etc/GMT
Environment
Endpoint Security for Linux Threat Prevention (ENSLTP) 10.x
Summary
During daily operations, you might need to run a quick on-demand scan (ODS) of a specific file in an ENSLTP environment. In ENS for Windows, this is done with a right-click scan. With ENSLTP, one solution is to create an ODS task and schedule it to "Run immediately," but this requires interaction with the ePolicy Orchestrator (ePO) administrator.
This article describes an alternative solution that creates a local ODS task for a specified file using the command line interface (CLI) feature of ENSLTP, rather than ePO.
Create a shell script as shown below. This script is provided as a customizable example that you can modify according to your needs.
NOTE: Technical Support doesn't support the use of custom scripts.
This script runs with two arguments. The first argument is the target file and the second argument is the task name. The script creates an ODS task, gets the created task ID, runs the task, deletes the task, and shows the task report.
ENSLTP 10.6.6 and later:
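$ cat targetscan.sh
#!/bin/bash
# Usage: ./targetscan.sh <target file> <task name>
[ $# -eq 2 ] || { echo "Usage: $0 <target file> <task name>" >&2; exit 1; }
TARGET=$1
TASKNAME=$2
# Remove any archived report left by an earlier task with the same name
rm -f -- /var/McAfee/ens/log/tp/odsreport/archive/"$TASKNAME"-*.zip
# Create the ODS task for the target file
/opt/McAfee/ens/tp/bin/mfetpcli --addodstask --name "$TASKNAME" --scanpath "$TARGET"
# Look up the index of the task that was just created
INDEX=$(/opt/McAfee/ens/tp/bin/mfetpcli --listtask | grep -F -- "$TASKNAME" | awk '{print $1}' | tr -d "|")
# Run the task, wait for the scan to finish, then delete the task
/opt/McAfee/ens/tp/bin/mfetpcli --runtask --index "$INDEX"
sleep 45
/opt/McAfee/ens/tp/bin/mfetpcli --deltask --index "$INDEX"
# Show the archived task report
zcat /var/McAfee/ens/log/tp/odsreport/archive/"$TASKNAME"-*.zip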
For example, below is the log when you scan a local test file named eicar.com.txt, where the task name is ODSscan.
$ ./targetscan.sh $PWD/eicar.com.txt ODSscan
ODS Task was successfully added
Task was successfully started
Task was successfully deleted
YYYY-MM-DD HH:MM:SS.000Z|LEVEL |FACILITY |PROCESS | PID| TID|TOPIC |FILE_NAME(LINE) | MESSAGE
2022-07-04 19:04:16.539Z|Activity|AMODSScanManager |mfetpd | 30335| 30335|ODS |AMODSScanManager.cpp(167) | Scan started core-analyzer\root ODSscan
2022-07-04 19:04:17.744Z|Activity|AMODSScanManager |mfetpd | 30335| 30350|ODS |AMODSScanManager.cpp(802) | core-analyzer\root ran the "ODSscan" on-demand scan, which detected the Test named EICAR test file while scanning /home/appsadm/ODS/eicar.com.txt The file was deleted.
2022-07-04 19:04:17.744Z|Activity|AMODSScanManager |mfetpd | 30335| 30350|ODS |AMODSScanManager.cpp(803) | Additional information:
2022-07-04 19:04:17.744Z|Activity|AMODSScanManager |mfetpd | 30335| 30350|ODS |AMODSScanManager.cpp(804) | Primary Action: Clean
2022-07-04 19:04:17.744Z|Activity|AMODSScanManager |mfetpd | 30335| 30350|ODS |AMODSScanManager.cpp(805) | Secondary Action: Delete
2022-07-04 19:04:17.744Z|Activity|AMODSScanManager |mfetpd | 30335| 30350|ODS |AMODSScanManager.cpp(807) | Event ID: 1278
2022-07-04 19:04:18.662Z|Activity|AMODSScanManager |mfetpd | 30335| 30335|ODS |AMODSScanManager.cpp(844) | Scan Summary core-analyzer\root Scan Summary
2022-07-04 19:04:18.662Z|Activity|AMODSScanManager |mfetpd | 30335| 30335|ODS |AMODSScanManager.cpp(846) | Scan Summary core-analyzer\root Task Name : ODSscan
2022-07-04 19:04:18.662Z|Activity|AMODSScanManager |mfetpd | 30335| 30335|ODS |AMODSScanManager.cpp(848) | Scan Summary core-analyzer\root Start time : Mon Jul 4 19:04:16 2022
2022-07-04 19:04:18.662Z|Activity|AMODSScanManager |mfetpd | 30335| 30335|ODS |AMODSScanManager.cpp(850) | Scan Summary core-analyzer\root End time : Mon Jul 4 19:04:18 2022
2022-07-04 19:04:18.662Z|Activity|AMODSScanManager |mfetpd | 30335| 30335|ODS |AMODSScanManager.cpp(852) | Scan Summary core-analyzer\root Total Requests : 1
2022-07-04 19:04:18.662Z|Activity|AMODSScanManager |mfetpd | 30335| 30335|ODS |AMODSScanManager.cpp(854) | Scan Summary core-analyzer\root No of files skipped : 0
2022-07-04 19:04:18.662Z|Activity|AMODSScanManager |mfetpd | 30335| 30335|ODS |AMODSScanManager.cpp(856) | Scan Summary core-analyzer\root No. of Good files : 0
2022-07-04 19:04:18.662Z|Activity|AMODSScanManager |mfetpd | 30335| 30335|ODS |AMODSScanManager.cpp(858) | Scan Summary core-analyzer\root No. of Cache hit : 0
2022-07-04 19:04:18.662Z|Activity|AMODSScanManager |mfetpd | 30335| 30335|ODS |AMODSScanManager.cpp(860) | Scan Summary core-analyzer\root No of Files Excluded : 0
2022-07-04 19:04:18.662Z|Activity|AMODSScanManager |mfetpd | 30335| 30335|ODS |AMODSScanManager.cpp(862) | Scan Summary core-analyzer\root No. of Infections : 1
2022-07-04 19:04:18.662Z|Activity|AMODSScanManager |mfetpd | 30335| 30335|ODS |AMODSScanManager.cpp(864) | Scan Summary core-analyzer\root Timeout : 0
2022-07-04 19:04:18.662Z|Activity|AMODSScanManager |mfetpd | 30335| 30335|ODS |AMODSScanManager.cpp(866) | Scan Summary core-analyzer\root ScanError : 0
2022-07-04 19:04:18.662Z|Activity|AMODSScanManager |mfetpd | 30335| 30335|ODS |AMODSScanManager.cpp(868) | Scan Summary core-analyzer\root No of files cleaned : 0
2022-07-04 19:04:18.662Z|Activity|AMODSScanManager |mfetpd | 30335| 30335|ODS |AMODSScanManager.cpp(870) | Scan Summary core-analyzer\root No of files deleted : 1
2022-07-04 19:04:18.662Z|Activity|AMODSScanManager |mfetpd | 30335| 30335|ODS |AMODSScanManager.cpp(872) | Scan Summary core-analyzer\root Time taken : 2.122491s
2022-07-04 19:04:18.662Z|Activity|AMODSScanManager |mfetpd | 30335| 30335|ODS |AMODSScanManager.cpp(874) | Scan Summary core-analyzer\root Engine version : 6400.9594
2022-07-04 19:04:18.662Z|Activity|AMODSScanManager |mfetpd | 30335| 30335|ODS |AMODSScanManager.cpp(876) | Scan Summary core-analyzer\root DAT version : 5022.0
2022-07-04 19:04:18.662Z|Activity|AMODSScanManager |mfetpd | 30335| 30335|ODS |AMODSScanManager.cpp(879) | Scan completed core-analyzer\root ODSscan(2.122491s)
2022-07-04 19:04:18.662Z|Activity|ScanFactory |mfetpd | 30335| 30335|ODS |ScanFactory.cpp(477) | ODS Scan Manager is shutting down gracefully
ENSLTP 10.6.5 and earlier:
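$ cat targetscan.sh
#!/bin/bash
# Usage: ./targetscan.sh <target file> <task name>
[ $# -eq 2 ] || { echo "Usage: $0 <target file> <task name>" >&2; exit 1; }
TARGET=$1
TASKNAME=$2
# Create the ODS task for the target file
/opt/isec/ens/threatprevention/bin/isecav --addodstask --name "$TASKNAME" --scanpath "$TARGET"
# Look up the index of the task that was just created
INDEX=$(/opt/isec/ens/threatprevention/bin/isecav --listtask | grep -F -- "$TASKNAME" | awk '{print $1}' | tr -d "|")
# Run the task, then delete it
/opt/isec/ens/threatprevention/bin/isecav --runtask --index "$INDEX"
/opt/isec/ens/threatprevention/bin/isecav --deltask --index "$INDEX"
# Show the task report
cat /opt/isec/ens/threatprevention/var/odsreport/"$TASKNAME".log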
For example, below is the log when you scan a local test file named eicar.com.txt, where the task name is 170901scan.
$ ./targetscan.sh $PWD/eicar.com.txt 170901scan
ODS Task was successfully added
Task was successfully started
Task was successfully deleted
EVENT = ODS_START | NAME = 170901scan | TIME = 1504224836 | USER = 0
ERROR AMODSScanner [25440] Infection caught File Name: /home/user1/test/eicar.com.txt File Size: 68 Infection Name: EICAR test file Time: 1504224836 Process Name: User Name: root Profile Type: 0
EVENT = ODS_INFECTION | FILENAME = /home/user1/test/eicar.com.txt | VIRUSNAME = EICAR test file | VIRUSTYPE = 6 | ACTION = DELETED
EVENT = ODS_STOP | NAME = 170901scan | TIME = 1504224837 | USER = 0
EVENT = ODS_SUMMARY |
Task Name : 170901scan
Start time : 01/09/17 00:13:56 UTC
End time : 01/09/17 00:13:57 UTC
Total Requests : 1
No of files skipped : 0
No. of Good files : 0
No. of Cache hit : 0
No of Files Excluded : 0
No. of Infections : 1
Timeout : 0
ScanError : 0
No of files cleaned : 0
No of files deleted : 1
Time taken : 1.153279s
Engine version : 5900.7806
DAT version : 8634.0
INFO ScanFactory [25440] ODS Scan Manager is shutting down gracefully
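Both scripts end by printing the raw report, and because the newer script waits a fixed 45 seconds, a scan that takes longer can leave no complete summary to read. The following added example (not part of the original article and not vendor code) reads either report layout from standard input and returns a verdict. The function name ods_verdict, the exit codes, and the sample reports are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not vendor code): turn an ODS report into a verdict and exit code.
# Exit codes are this example's own convention:
#   0 clean, 1 infected, 2 unverified (errors, timeouts, skips or nothing scanned),
#   3 incomplete (the report has no scan summary).
ods_verdict() {
    awk '
        # Integer after the last ":" on the line (timestamps also contain ":").
        function val(line,    n, parts) {
            n = split(line, parts, ":")
            gsub(/[^0-9]/, "", parts[n])
            return parts[n] + 0
        }
        /No\. of Infections[ \t]*:/  { infections = val($0); seen = 1 }
        /Total Requests[ \t]*:/      { requests = val($0) }
        /No of files skipped[ \t]*:/ { skipped = val($0) }
        /ScanError[ \t]*:/           { errors = val($0) }
        /Timeout[ \t]*:/             { timeouts = val($0) }
        END {
            if (!seen)          { print "incomplete"; exit 3 }
            if (infections > 0) { print "infected";   exit 1 }
            if (errors > 0 || timeouts > 0 || skipped > 0 || requests == 0) {
                print "unverified"; exit 2
            }
            print "clean"; exit 0
        }
    '
}

# Constructed sample reports that follow the two layouts shown in this article.
SAMPLE_NEW='2022-07-04 19:04:18.662Z|Activity|AMODSScanManager |mfetpd | 30335| 30335|ODS |AMODSScanManager.cpp(852) | Scan Summary core-analyzer\root Total Requests : 1
2022-07-04 19:04:18.662Z|Activity|AMODSScanManager |mfetpd | 30335| 30335|ODS |AMODSScanManager.cpp(862) | Scan Summary core-analyzer\root No. of Infections : 1
2022-07-04 19:04:18.662Z|Activity|AMODSScanManager |mfetpd | 30335| 30335|ODS |AMODSScanManager.cpp(866) | Scan Summary core-analyzer\root ScanError : 0'
SAMPLE_OLD='EVENT = ODS_SUMMARY |
Total Requests : 1
No of files skipped : 0
No. of Infections : 0
Timeout : 0
ScanError : 0'
# Report cut off before the summary, as when the wait was too short.
SAMPLE_CUT='2022-07-04 19:04:16.539Z|Activity|AMODSScanManager |mfetpd | 30335| 30335|ODS |AMODSScanManager.cpp(167) | Scan started core-analyzer\root ODSscan'

# Demonstration: print the verdict for each constructed sample.
for s in "$SAMPLE_NEW" "$SAMPLE_OLD" "$SAMPLE_CUT"; do
    printf '%s\n' "$s" | ods_verdict || true
done
```

In either script, the final zcat or cat command can be piped into ods_verdict so that the script's exit status reflects the scan result.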