sync: auto-sync from HOWARD-HOME at 2026-07-10 14:44:39

Author: Howard Enos
Machine: HOWARD-HOME
Timestamp: 2026-07-10 14:44:39
This commit is contained in:
2026-07-10 14:45:04 -07:00
parent df46f56e59
commit 0fdeabde3d
4 changed files with 214 additions and 19 deletions

View File

@@ -0,0 +1,145 @@
# GuruScan — RKill Process Whitelist + Scan-Log Protection — 2026-07-10
## User
- **User:** Howard Enos (howard)
- **Machine:** Howard-Home
- **Role:** tech
## Session Summary
Resumed the paused GuruScan verification effort (multi-engine malware scanner,
`projects/msp-tools/guru-scan`) to fix a real defect: RKill, which runs first in
the chain as a process killer, could terminate the PowerShell host running the
scan itself, aborting the whole chain before HitmanPro and Emsisoft ever launch.
A parallel commit pushed from another machine this same day
(`7a5a657 test-results: TPM-PC production scan ... RKill-kills-parent bug found`)
independently confirmed the bug against a live production scan, so the fix lands
on an observed real-world failure.
The clean fix uses RKill's own `-w <file>` switch, which takes a whitelist of full
EXE paths (one per line, no quotes — quotes break RKill's path matching) that it
must not terminate. The module now writes `C:\GuruScan\rkill-whitelist.txt` before
the scanner loop, containing the live host path (`(Get-Process -Id $PID).Path`)
plus the standard 64/32-bit `powershell.exe` locations, written ASCII (no BOM) so
the first line matches cleanly. `scanners.json` passes `-w C:\GuruScan\rkill-whitelist.txt`
on RKill's scan and clean args. RKill was already scanner #1 in the array order, so
no reordering was needed.
Two follow-up changes came from user direction. First, the EICAR prep-phase seed in
the RMM test harness (`.claude/scripts/guruscan-agent-test.sh`) was **disabled, not
deleted** — gated behind a `SEED_EICAR` flag (default off) with its own self-contained
Defender exclusion, so it can be switched back on (`SEED_EICAR=1`) to smoke-test
detection as new scanners are added. Detection testing otherwise uses the real
malware-samples set via the `scan-one`/`verify-each` phases. Second, the post-reboot
cleanup was hardened so scan logs are never removed: `Invoke-ScannerCleanup.ps1` already
only deleted scanner install dirs + `C:\GuruScan\downloads` (never `C:\ScanLogs`), but
it now documents that invariant and adds a runtime guard that skips any path under
`C:\ScanLogs` or `C:\GuruScan\reports`, so a future edit can't accidentally delete the
logs or archives that must survive the remediate → reboot → cleanup lifecycle.
All three guru-scan files parse clean and the harness passes `bash -n`. The guru-scan
submodule was committed and pushed (rebased onto the other machine's concurrent commits);
the superproject gitlink bump + harness change + this log sync via `/save`.
## Key Decisions
- **RKill `-w` whitelist over any process-renaming or ordering hack** — RKill natively
supports a whitelist file of full EXE paths; using it is the simplest correct fix and
needs no change to how the orchestrator launches.
- **Whitelist written ASCII (no BOM)** — RKill reads the whitelist line-by-line; a UTF-8
BOM would corrupt the first path match. The existing `whitelist.txt` (Emsisoft/HitmanPro)
stays UTF-8 because those engines tolerate it; the RKill file is deliberately ASCII.
- **EICAR disabled, not removed** — user wants it retained for future scanner smoke-tests.
Gated behind `SEED_EICAR` (default 0) rather than deleted.
- **Cleanup guard scoped to `C:\ScanLogs` + `C:\GuruScan\reports`** — belt-and-suspenders:
logs were already safe, but an explicit runtime guard + doc comment prevents a future
edit from ever adding a log path to the removal list.
- **RKill fix in module + scanners.json (not harness-only)** — so it applies to production
runs, not just the test harness (the harness just deploys the same module/JSON).
## Problems Encountered
- **guru-scan push rejected (non-fast-forward)** — remote had newer commits from another
machine (including the TPM-PC RKill-kills-parent finding). Resolved by
`git fetch` + `git rebase origin/main`, then push (`7a5a657..087c73c`).
## Configuration Changes
Modified (guru-scan submodule, committed `087c73c` + pushed):
- `GuruScan.psm1` — write `C:\GuruScan\rkill-whitelist.txt` (ASCII) before the scanner
loop; live host path via `Get-Process -Id $PID` + standard PowerShell paths, de-duped.
- `scanners.json` — RKill `scan_args`/`clean_args` add `-w C:\GuruScan\rkill-whitelist.txt`.
- `Invoke-ScannerCleanup.ps1` — doc that scan logs/archives are never removed; runtime
guard skips any path under `C:\ScanLogs` or `C:\GuruScan\reports`.
Modified (main repo):
- `.claude/scripts/guruscan-agent-test.sh` — EICAR prep seed gated behind `SEED_EICAR`
(default off, self-contained Defender exclusion); readiness check no longer requires
EICAR; header/alert comments updated.
## Credentials & Secrets
- None created or discovered this session.
## Infrastructure & Servers
- **DESKTOP-MS42HNC** — GuruScan test VM (agent id `0de89b88-b21d-4647-ab64-96157ba87cc5`,
AZ Computer Guru / Howard-VM). Not touched this session; RKill-whitelist verification
(re-run `prep`) pending its next online window.
- **TPM-PC** — production endpoint where the RKill-kills-parent bug was observed (see the
concurrent commit `7a5a657` / `test-results/` in guru-scan).
- **GuruRMM API** — `http://172.16.3.30:3001`; creds vault `infrastructure/gururmm-server.sops.yaml`.
- GuruScan deploy paths: `C:\GuruScan\` (module + `rkill-whitelist.txt`), `C:\GuruScan\downloads\`
(scanner EXEs), `C:\EmsisoftCmd\` (Emsisoft), `C:\ScanLogs\<scanid>\` (logs, preserved),
`C:\GuruScan\reports\<scanid>.zip` (log archive, preserved).
## Commands & Outputs
- RKill whitelist switch: `rkill -w C:\path\wl.txt` — full EXE paths, one per line, no quotes,
ANSI/UTF-8 (no BOM). RKill lists whitelisted-and-ignored processes at run.
- Validation: `bash -n .claude/scripts/guruscan-agent-test.sh` → OK; PowerShell AST
`ParseFile` on `GuruScan.psm1` + `Invoke-ScannerCleanup.ps1` → clean.
- Enable EICAR smoke-test: `SEED_EICAR=1 bash .claude/scripts/guruscan-agent-test.sh <host> prep`.
- guru-scan submodule push: `7a5a657..087c73c main -> main`.
## Pending / Incomplete Tasks
- **Verify the RKill whitelist live** — re-run `bash .claude/scripts/guruscan-agent-test.sh
DESKTOP-MS42HNC prep` (or `scan`) when the VM is online; confirm `rkill-whitelist.txt` is
written and RKill logs the PowerShell host as an ignored/whitelisted process.
- **Emsisoft vs HitmanPro detection comparison** — still open from the prior session
(`scan-one Emsisoft` on DESKTOP-MS42HNC). See `project_guruscan_in_test_paused`.
- **Clean up DESKTOP-MS42HNC** — remove samples/zip/EICAR/test artifacts; re-enable Defender
RTP + Tamper Protection (disabled at the console for malware testing).
## Reference Information
- guru-scan commit: `087c73c` (pushed to `https://git.azcomputerguru.com/azcomputerguru/guru-scan.git` main).
- Prior related logs: `session-logs/2026-06/2026-06-22-howard-guruscan-hardening.md`,
`.../2026-06-22-howard-gururmm-dispatch-hang-fix-guruscan-paused.md`.
- Memory: `project_guruscan_in_test_paused`.
- RKill command-line reference (BleepingComputer): `-d` debug, `-h` help, `-l <log>`, `-w <whitelist>`.
- HitmanPro exit-code bitmask: bit0(1)=threats, bit2(4)=reboot → 5 = threats+reboot.
## Update: guru-scan `3ca5ba7` — whitelist Syncro/Datto EDR/GuruRMM from RKill + HitmanPro
Per follow-up: ensure RKill **and** HitmanPro (and Emsisoft) never touch Syncro, Datto
EDR, or GuruRMM files/folders.
- **HitmanPro/Emsisoft (folder exclusion via `whitelist.txt`)** — GuruRMM
(`C:\Program Files\GuruRMM`, `C:\ProgramData\GuruRMM`) and Syncro
(`C:\Program Files\RepairTech`, `(x86)`, `C:\ProgramData\Syncro`) were already listed.
Added **Datto EDR / Datto AV** (Infocyte lineage): `C:\Program Files\Infocyte`,
`C:\Program Files\Datto`, `C:\Program Files (x86)\Datto`, `C:\ProgramData\Datto`,
`C:\ProgramData\CentraStage\AEMAgent\RMM.AdvancedThreatDetection`. Datto EDR agent is
`agent.exe` (service `HUNTAgent`); standard install is the Infocyte tree, CentraStage
path covers a Datto-RMM-bundled EDR deployment.
- **RKill (process killer, not a file scanner)** — folder exclusions don't apply, so the
module now enumerates every RUNNING process whose EXE lives under a whitelisted tool
folder and adds it to the `-w` RKill whitelist by full path (folder-membership → no
hardcoded exe names). Spares GuruRMM, Syncro, Datto EDR, ScreenConnect, Bitdefender,
MSP360, Splashtop agents live at scan time.
Datto EDR paths confirmed from Datto's own allowlisting guide
(`edr.datto.com/.../allowlisting-agent.htm`). `GuruScan.psm1` parses clean.
guru-scan HEAD now `3ca5ba7` (pushed).