sync: auto-sync from HOWARD-HOME at 2026-06-21 12:00:27

Author: Howard Enos
Machine: HOWARD-HOME
Timestamp: 2026-06-21 12:00:27
This commit is contained in:
2026-06-21 12:01:12 -07:00
parent 85887fec19
commit 760719e3a5
6 changed files with 160 additions and 16 deletions


@@ -368,10 +368,105 @@ PS
echo "[OK] logs saved to: $outdir"
}
# ===========================================================================
# verify-each: re-seed a fresh EICAR before EACH engine and run that engine
# ALONE in clean mode, so the first engine's quarantine can't mask the others.
# Reports a per-engine detect+remove matrix. RKill is run but is a process
# killer (not a file scanner), so it is expected NOT to touch the file.
# Seeds in several locations to give targeted scanners (HitmanPro) a fair shot.
# ===========================================================================
VE_DIRS=('C:\GuruScanTest' 'C:\Users\Public\Desktop' 'C:\Windows\Temp')
VE_FILES=('C:\GuruScanTest\eicar_test.com' 'C:\Users\Public\Desktop\eicar_test.com' 'C:\Windows\Temp\eicar_test.com')
ve_seed_ps() { # emits PS that (re)creates a fresh EICAR in every VE_DIRS location
cat <<'PS'
$ErrorActionPreference='Continue'
$e='X5O!P%@AP[4\PZX54(P^)7CC)7}' + '$EICAR' + '-STANDARD-ANTIVIRUS-' + 'TEST-FILE!$H+H*'
foreach($d in @('C:\GuruScanTest','C:\Users\Public\Desktop','C:\Windows\Temp')){
if(-not (Test-Path $d)){ New-Item -ItemType Directory -Path $d -Force | Out-Null }
Set-Content -Path (Join-Path $d 'eicar_test.com') -Value $e -Encoding ASCII -NoNewline
}
$n=@(Get-ChildItem 'C:\GuruScanTest\eicar_test.com','C:\Users\Public\Desktop\eicar_test.com','C:\Windows\Temp\eicar_test.com' -ErrorAction SilentlyContinue).Count
Write-Output ("SEEDED $n/3 EICAR copies")
PS
}
phase_verify_each() {
echo ""; echo "=== PHASE: verify-each (per-engine re-seed, clean mode) ==="
# Defender exclusions for all seed locations (so only GuruScan's engines act)
local sfx="$WORK_DIR/ve_excl.ps1"
cat > "$sfx" <<'PS'
$ErrorActionPreference='Continue'
foreach($p in @('C:\GuruScanTest','C:\Users\Public\Desktop','C:\Windows\Temp','C:\GuruScan','C:\GuruScan\downloads','C:\EmsisoftCmd')){
try{ Add-MpPreference -ExclusionPath $p -ErrorAction Stop; Write-Output "EXCLUDED $p" }catch{ Write-Output ("EXCL-SKIP "+$p) }
}
PS
run_ps "$sfx" 60 24 "ve-defender-exclusions" || echo "[WARN] exclusion step issues"
local engines="Emsisoft HitmanPro RKill"
local matrix=""
for eng in $engines; do
echo ""; echo "--- verify engine: $eng ---"
# 1) re-seed fresh EICAR everywhere
ve_seed_ps > "$WORK_DIR/ve_seed.ps1"
run_ps "$WORK_DIR/ve_seed.ps1" 60 24 "seed-for-$eng" || { echo "[ERROR] seed failed for $eng"; return 1; }
# 2) run ONLY this engine in clean mode (long; Emsisoft updates+scans C:\)
cat > "$WORK_DIR/ve_run.ps1" <<PS
\$ErrorActionPreference='Continue'
& C:\\GuruScan\\Invoke-GuruScan.ps1 -Scanners $eng -Headless
PS
run_ps "$WORK_DIR/ve_run.ps1" 2700 600 "run-$eng" || echo "[WARN] $eng run reported non-zero"
# 3) check which seeded copies survived + read that run's result json
cat > "$WORK_DIR/ve_check.ps1" <<'PS'
$ErrorActionPreference='Continue'
foreach($f in @('C:\GuruScanTest\eicar_test.com','C:\Users\Public\Desktop\eicar_test.com','C:\Windows\Temp\eicar_test.com')){
if(Test-Path $f){ Write-Output ("PRESENT $f") } else { Write-Output ("GONE $f") }
}
$d=Get-ChildItem C:\ScanLogs -Directory -ErrorAction SilentlyContinue | Sort-Object LastWriteTime -Descending | Select-Object -First 1
if($d){
try{ $r=Get-Content (Join-Path $d.FullName 'results.json') -Raw | ConvertFrom-Json
Write-Output ("RESULT total_threats=" + $r.total_threats + " | " + (($r.scanners | ForEach-Object { $_.name + ' threats=' + $_.threats_found + ' exit=' + $_.exit_code }) -join ' ; ')) }catch{}
}
PS
run_ps "$WORK_DIR/ve_check.ps1" 60 24 "check-$eng" || true
local out gone present
out="$(jq -r '.stdout' "$WORK_DIR/last_result.json" 2>/dev/null)"
gone="$(printf '%s' "$out" | grep -c '^GONE ')"
present="$(printf '%s' "$out" | grep -c '^PRESENT ')"
local verdict
if [ "$eng" = "RKill" ]; then verdict="n/a (process killer, not a file scanner)"
elif [ "$gone" -gt 0 ]; then verdict="DETECTED+REMOVED ($gone/3 copies removed)"
else verdict="MISSED (0/3 copies removed)"; fi
matrix="${matrix}\n ${eng}: ${verdict}"
echo " -> $eng: $verdict"
done
# cleanup: remove seeded files + the exclusions we added
cat > "$WORK_DIR/ve_clean.ps1" <<'PS'
$ErrorActionPreference='Continue'
foreach($f in @('C:\GuruScanTest\eicar_test.com','C:\Users\Public\Desktop\eicar_test.com','C:\Windows\Temp\eicar_test.com')){ Remove-Item $f -Force -ErrorAction SilentlyContinue }
Remove-Item 'C:\GuruScanTest' -Recurse -Force -ErrorAction SilentlyContinue
foreach($p in @('C:\GuruScanTest','C:\Users\Public\Desktop','C:\Windows\Temp','C:\GuruScan','C:\GuruScan\downloads','C:\EmsisoftCmd')){ try{ Remove-MpPreference -ExclusionPath $p -ErrorAction Stop }catch{} }
Write-Output ("REMAINING-EXCLUSIONS: " + (((Get-MpPreference).ExclusionPath) -join '; '))
PS
run_ps "$WORK_DIR/ve_clean.ps1" 60 24 "ve-cleanup" || true
echo ""
echo "=========================================================="
echo " VERIFY-EACH RESULT (per-engine, independent re-seed)"
echo -e "$matrix"
echo "=========================================================="
post_alert "[RMM] GuruScan verify-each on $AGENT_HOST complete - see per-engine detect/remove matrix"
}
case "$PHASE" in
prep) phase_prep ;;
scan) phase_scan ;;
collect) phase_collect ;;
all) phase_prep && phase_scan && phase_collect ;;
*) echo "[ERROR] Unknown phase '$PHASE' (prep|scan|collect|all)" >&2; exit 1 ;;
prep) phase_prep ;;
scan) phase_scan ;;
collect) phase_collect ;;
verify-each) phase_verify_each ;;
all) phase_prep && phase_scan && phase_collect ;;
*) echo "[ERROR] Unknown phase '$PHASE' (prep|scan|collect|verify-each|all)" >&2; exit 1 ;;
esac
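Review bot: The cleanup run (`ve_clean.ps1`, which removes the Defender exclusions and the seeded EICAR copies) is skipped whenever the engine loop bails out early — the `return 1` on the `seed-for-$eng` failure leaves `C:\Windows\Temp`, `C:\Users\Public\Desktop` and the four other paths excluded from Defender, plus any already-seeded test files, on the host. Consider recording the failure and breaking instead, e.g. `run_ps "$WORK_DIR/ve_seed.ps1" 60 24 "seed-for-$eng" || { echo "[ERROR] seed failed for $eng"; ve_rc=1; break; }`, and returning `"${ve_rc:-0}"` after the cleanup step; the `REMAINING-EXCLUSIONS:` output should also become a `[WARN]` when any of the six added paths is still listed, since `Remove-MpPreference` failures are swallowed by the empty `catch{}`. Separately, the verdict counts every `GONE` as a detection, but `ve_seed_ps` only prints `SEEDED $n/3` and never fails on a partial seed, so a copy that was never written (or was removed before the exclusions took effect) is credited to the engine under test — add `if($n -ne 3){ exit 1 }` after the count so the `|| return` path actually fires, assuming `run_ps` propagates the script's exit code. Note also that `grep -c` exits 1 when the count is 0, so if the script runs under `set -e` (its header is outside this hunk) the `gone=$(...)` assignment will abort the run on the RKill pass, where zero removals are the expected result.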