sync: auto-sync from HOWARD-HOME at 2026-06-21 12:00:27
Author: Howard Enos Machine: HOWARD-HOME Timestamp: 2026-06-21 12:00:27
@@ -368,10 +368,105 @@ PS
|
||||
echo "[OK] logs saved to: $outdir"
|
||||
}
|
||||
|
||||
# ===========================================================================
|
||||
# verify-each: re-seed a fresh EICAR before EACH engine and run that engine
|
||||
# ALONE in clean mode, so the first engine's quarantine can't mask the others.
|
||||
# Reports a per-engine detect+remove matrix. RKill is run but is a process
|
||||
# killer (not a file scanner), so it is expected NOT to touch the file.
|
||||
# Seeds in several locations to give targeted scanners (HitmanPro) a fair shot.
|
||||
# ===========================================================================
|
||||
VE_DIRS=('C:\GuruScanTest' 'C:\Users\Public\Desktop' 'C:\Windows\Temp')
|
||||
VE_FILES=('C:\GuruScanTest\eicar_test.com' 'C:\Users\Public\Desktop\eicar_test.com' 'C:\Windows\Temp\eicar_test.com')
|
||||
|
||||
ve_seed_ps() { # emits PS that (re)creates a fresh EICAR in every VE_DIRS location
|
||||
cat <<'PS'
|
||||
$ErrorActionPreference='Continue'
|
||||
$e='X5O!P%@AP[4\PZX54(P^)7CC)7}' + '$EICAR' + '-STANDARD-ANTIVIRUS-' + 'TEST-FILE!$H+H*'
|
||||
foreach($d in @('C:\GuruScanTest','C:\Users\Public\Desktop','C:\Windows\Temp')){
|
||||
if(-not (Test-Path $d)){ New-Item -ItemType Directory -Path $d -Force | Out-Null }
|
||||
Set-Content -Path (Join-Path $d 'eicar_test.com') -Value $e -Encoding ASCII -NoNewline
|
||||
}
|
||||
$n=@(Get-ChildItem 'C:\GuruScanTest\eicar_test.com','C:\Users\Public\Desktop\eicar_test.com','C:\Windows\Temp\eicar_test.com' -ErrorAction SilentlyContinue).Count
|
||||
Write-Output ("SEEDED $n/3 EICAR copies")
|
||||
PS
|
||||
}
|
||||
|
||||
phase_verify_each() {
|
||||
echo ""; echo "=== PHASE: verify-each (per-engine re-seed, clean mode) ==="
|
||||
|
||||
# Defender exclusions for all seed locations (so only GuruScan's engines act)
|
||||
local sfx="$WORK_DIR/ve_excl.ps1"
|
||||
cat > "$sfx" <<'PS'
|
||||
$ErrorActionPreference='Continue'
|
||||
foreach($p in @('C:\GuruScanTest','C:\Users\Public\Desktop','C:\Windows\Temp','C:\GuruScan','C:\GuruScan\downloads','C:\EmsisoftCmd')){
|
||||
try{ Add-MpPreference -ExclusionPath $p -ErrorAction Stop; Write-Output "EXCLUDED $p" }catch{ Write-Output ("EXCL-SKIP "+$p) }
|
||||
}
|
||||
PS
|
||||
run_ps "$sfx" 60 24 "ve-defender-exclusions" || echo "[WARN] exclusion step issues"
|
||||
|
||||
local engines="Emsisoft HitmanPro RKill"
|
||||
local matrix=""
|
||||
for eng in $engines; do
|
||||
echo ""; echo "--- verify engine: $eng ---"
|
||||
# 1) re-seed fresh EICAR everywhere
|
||||
ve_seed_ps > "$WORK_DIR/ve_seed.ps1"
|
||||
run_ps "$WORK_DIR/ve_seed.ps1" 60 24 "seed-for-$eng" || { echo "[ERROR] seed failed for $eng"; return 1; }
|
||||
|
||||
# 2) run ONLY this engine in clean mode (long; Emsisoft updates+scans C:\)
|
||||
cat > "$WORK_DIR/ve_run.ps1" <<PS
|
||||
\$ErrorActionPreference='Continue'
|
||||
& C:\\GuruScan\\Invoke-GuruScan.ps1 -Scanners $eng -Headless
|
||||
PS
|
||||
run_ps "$WORK_DIR/ve_run.ps1" 2700 600 "run-$eng" || echo "[WARN] $eng run reported non-zero"
|
||||
|
||||
# 3) check which seeded copies survived + read that run's result json
|
||||
cat > "$WORK_DIR/ve_check.ps1" <<'PS'
|
||||
$ErrorActionPreference='Continue'
|
||||
foreach($f in @('C:\GuruScanTest\eicar_test.com','C:\Users\Public\Desktop\eicar_test.com','C:\Windows\Temp\eicar_test.com')){
|
||||
if(Test-Path $f){ Write-Output ("PRESENT $f") } else { Write-Output ("GONE $f") }
|
||||
}
|
||||
$d=Get-ChildItem C:\ScanLogs -Directory -ErrorAction SilentlyContinue | Sort-Object LastWriteTime -Descending | Select-Object -First 1
|
||||
if($d){
|
||||
try{ $r=Get-Content (Join-Path $d.FullName 'results.json') -Raw | ConvertFrom-Json
|
||||
Write-Output ("RESULT total_threats=" + $r.total_threats + " | " + (($r.scanners | ForEach-Object { $_.name + ' threats=' + $_.threats_found + ' exit=' + $_.exit_code }) -join ' ; ')) }catch{}
|
||||
}
|
||||
PS
|
||||
run_ps "$WORK_DIR/ve_check.ps1" 60 24 "check-$eng" || true
|
||||
local out gone present
|
||||
out="$(jq -r '.stdout' "$WORK_DIR/last_result.json" 2>/dev/null)"
|
||||
gone="$(printf '%s' "$out" | grep -c '^GONE ')"
|
||||
present="$(printf '%s' "$out" | grep -c '^PRESENT ')"
|
||||
local verdict
|
||||
if [ "$eng" = "RKill" ]; then verdict="n/a (process killer, not a file scanner)"
|
||||
elif [ "$gone" -gt 0 ]; then verdict="DETECTED+REMOVED ($gone/3 copies removed)"
|
||||
else verdict="MISSED (0/3 copies removed)"; fi
|
||||
matrix="${matrix}\n ${eng}: ${verdict}"
|
||||
echo " -> $eng: $verdict"
|
||||
done
|
||||
|
||||
# cleanup: remove seeded files + the exclusions we added
|
||||
cat > "$WORK_DIR/ve_clean.ps1" <<'PS'
|
||||
$ErrorActionPreference='Continue'
|
||||
foreach($f in @('C:\GuruScanTest\eicar_test.com','C:\Users\Public\Desktop\eicar_test.com','C:\Windows\Temp\eicar_test.com')){ Remove-Item $f -Force -ErrorAction SilentlyContinue }
|
||||
Remove-Item 'C:\GuruScanTest' -Recurse -Force -ErrorAction SilentlyContinue
|
||||
foreach($p in @('C:\GuruScanTest','C:\Users\Public\Desktop','C:\Windows\Temp','C:\GuruScan','C:\GuruScan\downloads','C:\EmsisoftCmd')){ try{ Remove-MpPreference -ExclusionPath $p -ErrorAction Stop }catch{} }
|
||||
Write-Output ("REMAINING-EXCLUSIONS: " + (((Get-MpPreference).ExclusionPath) -join '; '))
|
||||
PS
|
||||
run_ps "$WORK_DIR/ve_clean.ps1" 60 24 "ve-cleanup" || true
|
||||
|
||||
echo ""
|
||||
echo "=========================================================="
|
||||
echo " VERIFY-EACH RESULT (per-engine, independent re-seed)"
|
||||
echo -e "$matrix"
|
||||
echo "=========================================================="
|
||||
post_alert "[RMM] GuruScan verify-each on $AGENT_HOST complete - see per-engine detect/remove matrix"
|
||||
}
|
||||
|
||||
case "$PHASE" in
|
||||
prep) phase_prep ;;
|
||||
scan) phase_scan ;;
|
||||
collect) phase_collect ;;
|
||||
all) phase_prep && phase_scan && phase_collect ;;
|
||||
*) echo "[ERROR] Unknown phase '$PHASE' (prep|scan|collect|all)" >&2; exit 1 ;;
|
||||
prep) phase_prep ;;
|
||||
scan) phase_scan ;;
|
||||
collect) phase_collect ;;
|
||||
verify-each) phase_verify_each ;;
|
||||
all) phase_prep && phase_scan && phase_collect ;;
|
||||
*) echo "[ERROR] Unknown phase '$PHASE' (prep|scan|collect|verify-each|all)" >&2; exit 1 ;;
|
||||
esac
|
||||
|
||||
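Review bot: The early `return 1` on the seed-failure branch inside the engine loop (`run_ps "$WORK_DIR/ve_seed.ps1" 60 24 "seed-for-$eng" || { echo "[ERROR] seed failed for $eng"; return 1; }`) skips the cleanup block at the end of phase_verify_each, so the Defender exclusions added for `C:\Windows\Temp`, `C:\Users\Public\Desktop` and the other listed paths stay in place after the phase aborts. Moving the `ve_clean.ps1` here-doc and its `run_ps` call into a `ve_cleanup()` helper and invoking it on that branch — `run_ps "$WORK_DIR/ve_seed.ps1" 60 24 "seed-for-$eng" || { echo "[ERROR] seed failed for $eng"; ve_cleanup; return 1; }` — keeps the exclusion set from outliving the test. The cleanup also runs `Remove-MpPreference -ExclusionPath` unconditionally for every path, which would drop an exclusion that was already configured before this run; capturing `(Get-MpPreference).ExclusionPath` before the `Add-MpPreference` loop and removing only paths absent from that snapshot avoids it. Separately, `grep -c '^GONE '` exits 1 when the count is 0, so the `gone=`/`present=` assignments would abort the function if the script runs under `set -e` (not visible in this hunk); `gone="$(printf '%s' "$out" | grep -c '^GONE ' || true)"` keeps the MISSED verdict reachable. `$eng` is expanded into the unquoted `<<PS` here-doc that becomes `ve_run.ps1`, which is only safe while `engines` remains the hard-coded list on the preceding line, so a comment such as `# engines is a fixed list; never source it from argv, it is interpolated into PowerShell` is worth adding there.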