From: | Tommy
---|---
Date: | 4/14/21 2:55 AM
Topic: | ExternalTool
Type: | General Discussions
I am testing Avast as another antivirus, but it seems I cannot get the result text. At the shell window, I run:
/usr/bin/scan 001.xls
and it returns the result:
/root/001.xls VBS:Malware-gen
The ExternalTool.xml config file is as below:
<?xml version="1.0" encoding="UTF-8"?>
It only returns this: scan was applied. Exit Code: 1 (no virus name showing).
From: | Synametrics Support
---|---
Date: | 4/14/21 4:00 AM
Topic: | ExternalTool
Type: | General Discussions
Try enabling additional logging using the following steps:
From: | Tommy
---|---
Date: | 4/14/21 5:43 AM
Topic: | ExternalTool
Type: | General Discussions
I mean I cannot get the virus name in the score description:
100 An MS Office document found containing embedded objects
I hope it shows as below:
100 An MS Office document found containing embedded objects
500 scan was applied. Exit Code: 1 VBS:Malware-gen
The log shows:
2021-04-14 17:37:37,658 DEBUG ExternalTool - Executing [/usr/bin/scan /tmp/emlF276466076164588630.tmp]
2021-04-14 17:37:37,709 DEBUG ExternalTool - Exit code: 1
2021-04-14 17:37:52,598 DEBUG ExternalTool - Executing [/usr/bin/scan /tmp/emlF6884164323627886395.tmp]
2021-04-14 17:37:52,638 DEBUG ExternalTool - Exit code: 1
From: | Tommy
---|---
Date: | 4/14/21 6:08 AM
Topic: | ExternalTool
Type: | General Discussions
Is the resultText format wrong? At the shell I run as below, and it returns the result:
[root@localhost ~]# scan -i 001.xls
From: | Synametrics Support
---|---
Date: | 4/14/21 7:53 AM
Topic: | ExternalTool
Type: | General Discussions
I see what you mean now. Currently, Xeams does not print the output of the external tool in the reason. This is done by design for the following reason: The External Tool rule can be used for several reasons. It is not limited to running a third-party virus scanner. For example, a company could automatically process incoming purchase orders based on the attached file. The ONLY way to print the name of the virus is to print the entire output of the application. Depending upon the application that is executed, this output could be very long and printing the entire output in reason is not practical.
From: | Tommy
---|---
Date: | 4/14/21 8:19 AM
Topic: | ExternalTool
Type: | General Discussions
I tested Sophos; it can give the result with this format:
<resultText><![CDATA[>>> Virus .* found]]></resultText>
savscan was applied. >>> Virus 'Troj/DocDl-TRH' found in file /tmp/emlF303338649421064410.tmp
But the main problem is that Sophos takes several seconds to load its database when used from the command line, and sometimes multi-threading causes CPU usage to hit 100%. Avast can give the scan result within 1-2 seconds, very good speed.
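The thread shows that a resultText pattern is a regular expression searched against the external tool's standard output, and that the matched substring is what ends up appended to the reason (the Sophos pattern above yields ">>> Virus 'Troj/DocDl-TRH' found"). The following Python is an added illustration of that matching step, not Xeams code or anything from Synametrics; it assumes only that the pattern is applied with a plain regex search. The sample outputs are constructed to resemble the lines quoted in the posts, and the Avast-style pattern is an assumed candidate for the "VBS:Malware-gen" form, not a setting taken from the thread.

```python
import re
from typing import Optional

# Constructed sample tool output, modelled on the lines quoted in the thread.
AVAST_OUTPUT = "/tmp/emlF276466076164588630.tmp VBS:Malware-gen\n"
SOPHOS_OUTPUT = (
    "SAVScan virus detection utility\n"
    ">>> Virus 'Troj/DocDl-TRH' found in file /tmp/emlF303338649421064410.tmp\n"
    "1 file scanned.\n"
)
CLEAN_OUTPUT = "1 file scanned, no threats found.\n"

# Pattern quoted in the thread for Sophos (the CDATA content of <resultText>).
SOPHOS_RESULT_TEXT = r">>> Virus .* found"
# Assumed candidate pattern for Avast's "<path> <Family>:<Name>" line:
# one token of letters/digits, a colon, then the detection name.
AVAST_RESULT_TEXT = r"[A-Za-z0-9]+:[A-Za-z0-9_.-]+"


def extract_result_text(output: str, pattern: str) -> Optional[str]:
    """Return the first substring of the tool's output that matches pattern.

    Returns None when nothing matches, so a clean scan (or a tool that
    prints nothing useful) leaves the reason without a detection name.
    """
    match = re.search(pattern, output, re.MULTILINE)
    return match.group(0) if match else None


def build_reason(tool: str, exit_code: int, output: str, pattern: str) -> str:
    """Compose the reason text the thread asks for: the fixed 'was applied'
    line plus the matched detection name, if any."""
    base = f"{tool} was applied. Exit Code: {exit_code}"
    found = extract_result_text(output, pattern)
    return f"{base} {found}" if found else base


if __name__ == "__main__":
    # Exit code 1 is what the thread's log shows Avast returning on a hit.
    print(build_reason("scan", 1, AVAST_OUTPUT, AVAST_RESULT_TEXT))
    print(build_reason("savscan", 3, SOPHOS_OUTPUT, SOPHOS_RESULT_TEXT))
    print(build_reason("scan", 0, CLEAN_OUTPUT, AVAST_RESULT_TEXT))
```

Two things worth checking when writing such a pattern: the greedy `.*` in the Sophos pattern stops at the last "found" on the line, so a line that repeats the word would over-match, and a loose pattern like the Avast candidate can match unrelated colon-separated tokens (timestamps, for instance) if the scanner prints them before the detection line, so test it against a clean-file run as well as a hit.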