Scan and remove if file infected using bash
# 1  
Old 01-23-2017

The below bash runs clamav on all files in DIR and produces virus-scan.log. My question is the portion in bold is supposed to move the infected files, lines not OK, to /home/cmccabe/quarantine. Does the bash look correct? Thank you.

virus-scan.log
Code:
Mon Jan 16 14:39:05 CST 2017
/home/cmccabe/Desktop/NGS/API/R_2017_01_13_14_46_04_user_S5-00580-25-Medexome/IonXpress_008_xx-xxx_R_2017_01_13_14_46_04_user_S5-00580-25-Medexome.bam.bai: OK
/home/cmccabe/Desktop/NGS/API/R_2017_01_13_14_46_04_user_S5-00580-25-Medexome/IonXpress_007_xx-xxx_R_2017_01_13_14_46_04_user_S5-00580-25-Medexome.bam: OK
/home/cmccabe/Desktop/NGS/API/R_2017_01_13_14_46_04_user_S5-00580-25-Medexome/IonXpress_007_xx-xxx_R_2017_01_13_14_46_04_user_S5-00580-25-Medexome.bam.bai: OK

Code:
#!/bin/bash

DIR=/home/cmccabe/Desktop/NGS/API
cd $DIR
line_no=$(ls | awk -F . '{print $NF}' | sort | uniq -c | awk '{print $2,$1}') # count folder type and store as variable
echo "The folders detected are:
$line_no"

# Get rid of old log file
rm $HOME/virus-scan.log 2> /dev/null

for FILE in $DIR;
do
    # check file length is nonzero otherwise commands may be repeated
    if [ -s $FILE ]; then
        date > $HOME/virus-scan.log
        clamscan -r $FILE >> $HOME/virus-scan.log
        if grep -iq "OK" "${file}"; then
            echo "nothing detected by scan"
        else
            if [[ -f "$f" ]]; then
                mv -f "$f" /home/cmccabe/Desktop/API/$filename /home/cmccabe/quarantine
                # rm -f "$f"
                echo "The files infected have been moved to the folder at /home/cmccabe/quarantine"
            fi
        fi
    fi
done

# 2  
Old 01-23-2017
Hi cmccabe, I think the script will need work.

First the script goes into the directory $DIR and then iterates in a for loop over one single value, the contents of $DIR, which is the name of the parent directory: /home/cmccabe/Desktop/NGS/API. Probably because clamscan also takes directories as an argument, the command will eventually work, but no thanks to the script.

Likewise, [ -s $FILE ] tests that directory again so that also serves no purpose and the condition will always be true.

Then a grep is performed on the same directory as if it were a regular file, and it tests for the case-insensitive ok (which in itself is a very bad test since it will easily give false positives). This will fail, since it is not a file but an empty string (the uninitialized variable file is empty) that does not contain the characters OK.

So then it tests with [[ -f "$f" ]] whether the empty string (the uninitialized variable f is empty) is a file, which is not the case, so fortunately the rest of the code will be skipped; otherwise it would have moved the entire directory /home/cmccabe/Desktop/API to /home/cmccabe/quarantine.

# 3  
Old 01-23-2017
Using some helpful suggestions from @MadeInGermany as well as yourself. Not sure how to address the grep. Thank you very much.

Code:
#!/bin/bash
DIR=/home/cmccabe/Desktop/NGS/API
log=$HOME/virus-scan.log

{
echo "The extensions are"
ls | awk -F'\.' 'NF>1 {ext[$NF]++} END {for (i in ext) print ext[i],i}'
} > $log

scanned=0
for FILE in "$DIR"/*
do
    # check file length is nonzero otherwise commands may be repeated
    if [ -s "$FILE" ]; then
        {
        date
        clamscan -r "$FILE"
        } >> $log
        ((scanned++))
        if grep -iq "OK" "${file}"; then
            echo "nothing detected by scan"
        else
            if [[ -f "$f" ]]; then
                mv -f "$f" /home/cmccabe/Desktop/API/$filename /home/cmccabe/quarantine
                # rm -f "$f"
                echo "The files infected have been moved to the folder at /home/cmccabe/quarantine"
            fi
        fi
    fi
done
[ $scanned -eq 0 ] && echo "nothing detected by scan" >> $log


# 4  
Old 01-24-2017
What would happen with an infected file called This_file_OK_and_not_infected? I would suggest that your grep will ignore it.

I have this section of code reading the output:-
Code:
        while read line
        do
           line="${line% FOUND}"
           virus_name="${line#* }"
           file_name="${line%: *}"
           ((virus_count=$virus_count+1))

           printf "  %s\n" "${file_name}"            # Output to screen
           printf "%s\n" "${file_name}" >&3          # Output to log_file
        done < <(grep " FOUND$" $scan_log) 3>log_file

Obviously the scan_log is defined earlier and written to by clamav

This then gives me output to screen and in the file log_file with a list of infected files, which I then deal with.


Does this help?

Robin

# 5  
Old 01-24-2017
So if I am following correctly, something more like:

Code:
#!/bin/bash
DIR=/home/cmccabe/Desktop/NGS/API
log=$HOME/virus-scan.log
infected=$HOME/infected-files.log   # list of the files clamscan reported FOUND

{
echo "The extensions are"
ls | awk -F'\.' 'NF>1 {ext[$NF]++} END {for (i in ext) print ext[i],i}'
} > $log

scanned=0
virus_count=0
for FILE in "$DIR"/*
do
    # check file length is nonzero otherwise commands may be repeated
    if [ -s "$FILE" ]; then
        {
        date
        clamscan -r "$FILE"
        } >> $log
        ((scanned++))
        # re-reads the whole log each pass, so earlier FOUND lines are listed again
        while read -r line
        do
            line="${line% FOUND}"
            virus_name="${line#* }"
            file_name="${line%: *}"
            ((virus_count=$virus_count+1))

            printf "  %s\n" "${file_name}"            # Output to screen
            printf "%s\n" "${file_name}" >&3          # Output to infected list
        done < <(grep " FOUND$" "$log") 3>>"$infected"
        # nothing here moves the listed files to /home/cmccabe/quarantine yet
        echo "The files infected have been moved to the folder at /home/cmccabe/quarantine"
    fi
done
[ $scanned -eq 0 ] && echo "nothing detected by scan" >> $log

Thank you for your help.

# 6  
Old 01-24-2017
I'm not sure why you have the loop for FILE in "$DIR"/* when you follow it up with clamscan -r "$FILE"

The -r flag asks clamscan to recursively search. This will call clamscan once for each item in the directory. Can you not just clamscan -r "$DIR" instead? I find that running clamscan has a several second overhead as it loads up the definitions. You could be scanning for hours just on calling the process repeatedly. An alternative might be to list the files into another file and use that as input with the -f flag, e.g. clamscan -if /tmp/file_list.txt

I've added the -i flag to only list infected files, which might make reading the output easier.

You have the basis of some good code here though, keep going.

Do you have a virus signature to test this with?


Robin
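Putting Robin's two suggestions together (trust only the lines ending in FOUND, as in his read loop in #4, and call clamscan once for the whole tree with -r -i, as in #6), here is an added example that is not code from anyone in the thread. It assumes clamscan's "path: SIGNATURE FOUND" line format, a quarantine directory of your choosing, and mirrors each file's original path under that directory so two infected files with the same name cannot overwrite each other; the parsing and moving functions are exercised on constructed sample lines, so they run without clamscan.

```shell
#!/bin/bash
# Added example (not from the thread): quarantine the files clamscan reports.
# Assumes clamscan's "path: SIGNATURE FOUND" line format; the directories
# passed to scan_and_quarantine are placeholders of the caller's choosing.

# Read a clamscan log on stdin; print "path<TAB>signature" for each FOUND line.
# Only the trailing " FOUND" is trusted, so a clean file named
# This_file_OK_and_not_infected (reported as "...: OK") is never matched.
parse_found() {
    local line path sig
    while IFS= read -r line; do
        case $line in
            *" FOUND") ;;
            *) continue ;;
        esac
        line=${line% FOUND}
        path=${line%: *}        # cut at the LAST ": " so a path containing ": " survives
        sig=${line##*: }
        printf '%s\t%s\n' "$path" "$sig"
    done
}

# Read "path<TAB>signature" lines on stdin and move each regular file under
# quarantine dir $1, mirroring its original path; prints the number moved.
quarantine_listed() {
    local qdir=$1 path sig dest moved=0
    mkdir -p -- "$qdir" || return 1
    while IFS=$'\t' read -r path sig; do
        [ -f "$path" ] || continue          # the log may name files already gone
        dest=$qdir/${path#/}
        mkdir -p -- "${dest%/*}" || return 1
        mv -f -- "$path" "$dest" && moved=$((moved + 1))
    done
    echo "$moved"
}

# One clamscan call for the whole tree (-r), listing only infected files (-i).
# Not exercised by the constructed sample; needs clamscan installed.
scan_and_quarantine() {
    local dir=$1 qdir=$2 log=$3
    date > "$log"
    clamscan -r -i --no-summary "$dir" >> "$log"
    parse_found < "$log" | quarantine_listed "$qdir"
}
```

clamscan also has a built-in --move=DIR option that quarantines files itself; the parsing above is still useful when you want your own record of which files were moved and why.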