
Run a hook script after file detection

cPGuard can run a script after it detects a bad file, so that you can take your own actions on the affected file (notify, log, ticket, and so on). The hook script receives the following details as positional arguments, in this order. Note that the file path and the virus description are influenced by whoever dropped the file, so treat them as untrusted input and escape them before placing them in Slack markup, HTML, or a shell command.

  • The original path of the infected file
  • Path to Quarantined file or “not-quarantined” if the file is not quarantined
  • Virus Description
  • Category of the detected file
  • Username affected
  • User email

A sample hook script is available at “/opt/cpguard/app/scripts/virus_hook_sample.php” and its content is also given below. It contains sample code that posts a notification to a Slack channel and emails the affected end user.

#!/usr/bin/env php
<?php

## Remember to make this file executable

// cPGuard passes six positional arguments; stop early if the call shape is not what we expect.
if ($argc < 7) {
    fwrite(STDERR, "virus hook: expected 6 arguments, got " . ($argc - 1) . "\n");
    exit(1);
}

$original_path = $argv[1];      // Original path of infected file
$quarantine_path = $argv[2];    // Path to Quarantined file or "not-quarantined" if file was not quarantined
$virus_definition = $argv[3];   // Virus Description
$category = $argv[4];           // Virus File | Suspicious File | Binary File | Symbolic Link
$username = $argv[5];           // Username affected
$user_email = $argv[6];         // User email

// File names and definitions are chosen by whoever dropped the file. Escape them before
// placing them in Slack mrkdwn (where &, < and > are control characters) or in HTML.
function slack_escape($text) {
    return str_replace(array('&', '<', '>'), array('&amp;', '&lt;', '&gt;'), $text);
}
function h($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}


/* -------------------------------------------------------------------------
 *      SLACK WEBHOOKS
 *      REFER https://api.slack.com/messaging/webhooks
 * ---------------------------------------------------------------------- */

$server = gethostname();

$webhook_url = "https://hooks.slack.com/xxxxxxxxxxxx";

$data = array(
    "text" => slack_escape("$category found on $server"),
    "blocks" => array(
        array(
            "type" => "section",
            "text" => array(
                "type" => "mrkdwn",
                "text" => "*" . slack_escape($category) . "* found on " . slack_escape($server)
            )
        ),
        array(
            "type" => "context",
            "elements" => array(array(
                    "type" => "mrkdwn",
                    "text" => "*Original path* : " . slack_escape($original_path) . "\n"
                    . "*Quarantine path* : " . slack_escape($quarantine_path) . "\n"
                    . "*Definition* : " . slack_escape($virus_definition) . "\n"
                    . "*User* : " . slack_escape($username) . "\n"
                )
            )
        ),
    )
);

$data_string = json_encode($data);
$ch = curl_init($webhook_url);
curl_setopt($ch, CURLOPT_CUSTOMREQUEST, "POST");
curl_setopt($ch, CURLOPT_POSTFIELDS, $data_string);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HTTPHEADER, array(
    'Content-Type: application/json',
    'Content-Length: ' . strlen($data_string))
);

$result = curl_exec($ch);
// A hook runs unattended: report delivery failures somewhere you will see them.
if ($result === false || curl_getinfo($ch, CURLINFO_HTTP_CODE) !== 200) {
    fwrite(STDERR, "virus hook: Slack notification failed: " . curl_error($ch) . "\n");
}
curl_close($ch);


/* -------------------------------------------------------------------------
 *      SENDING EMAILS TO END USERS
 * ---------------------------------------------------------------------- */

$subject = "$category found";

$message = "
<html>
    <head>
        <title>" . h($category) . " found</title>
    </head>
    <body>
        <p>" . h($category) . " found</p>
        <table>
            <tr>
                <th style=\"text-align:left\">Type</th>
                <td>" . h($category) . "</td>
            </tr>
            <tr>
                <th style=\"text-align:left\">Original Path</th>
                <td>" . h($original_path) . "</td>
            </tr>
            <tr>
                <th style=\"text-align:left\">Quarantine path</th>
                <td>" . h($quarantine_path) . "</td>
            </tr>
            <tr>
                <th style=\"text-align:left\">Description</th>
                <td>" . h($virus_definition) . "</td>
            </tr>
            <tr>
                <th style=\"text-align:left\">User</th>
                <td>" . h($username) . "</td>
            </tr>
        </table>
    </body>
</html>
";

// Always set content-type when sending HTML email
$headers = "MIME-Version: 1.0" . "\r\n";
$headers .= "Content-type:text/html;charset=UTF-8" . "\r\n";

// More headers
$headers .= 'From: <[email protected]>' . "\r\n";
$headers .= 'Cc: [email protected]' . "\r\n";

// Only hand mail() a syntactically valid address, and log when delivery is refused.
if (filter_var($user_email, FILTER_VALIDATE_EMAIL) === false
        || !mail($user_email, $subject, $message, $headers)) {
    fwrite(STDERR, "virus hook: could not send notification to $user_email\n");
}

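The hook interface is just six positional arguments, so it can be implemented in any language that cPanel servers ship with. The following is an added example in Python (not cPGuard's own code and not part of the sample above) that does what a practitioner usually wants beyond notification: it validates the argument count, treats "not-quarantined" as the absence of a quarantined copy, records a SHA-256 of the quarantined file so the incident record survives the file's later deletion, escapes the attacker-chosen fields the same way the PHP sample must for Slack and HTML, and appends one JSON line per detection to an audit log. The log path `/var/log/cpguard-hook.jsonl`, the `Unknown (...)` handling of unlisted categories, and the `0o600` permission are assumptions of this example, not cPGuard behaviour.

```python
#!/usr/bin/env python3
"""Added example of a cPGuard virus hook in Python; not cPGuard's own code.

cPGuard passes six positional arguments in the order documented above:
original path, quarantine path (or "not-quarantined"), virus description,
category, username, user email.  The audit log path is an assumption.
"""
import hashlib
import html
import json
import os
import socket
import sys
import time
from dataclasses import asdict, dataclass
from typing import Optional

AUDIT_LOG = "/var/log/cpguard-hook.jsonl"   # assumed location; cPGuard prescribes none
NOT_QUARANTINED = "not-quarantined"
# Categories as listed in the sample hook shipped with cPGuard.
KNOWN_CATEGORIES = {"Virus File", "Suspicious File", "Binary File", "Symbolic Link"}


@dataclass
class Detection:
    original_path: str
    quarantine_path: Optional[str]   # None when cPGuard did not quarantine
    virus_definition: str
    category: str
    username: str
    user_email: str


def parse_hook_args(argv):
    """argv is sys.argv-shaped: argv[0] is the script, argv[1:7] the six hook values."""
    if len(argv) != 7:
        raise ValueError("expected 6 hook arguments, got %d" % (len(argv) - 1))
    original, quarantine, definition, category, user, email = argv[1:7]
    if category not in KNOWN_CATEGORIES:
        category = "Unknown (%s)" % category   # keep going: new categories may appear
    return Detection(original, None if quarantine == NOT_QUARANTINED else quarantine,
                     definition, category, user, email)


def sha256_of(path):
    """SHA-256 of the quarantined copy, or None when there is no readable file."""
    if path is None:
        return None
    try:
        digest = hashlib.sha256()
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(65536), b""):
                digest.update(chunk)
        return digest.hexdigest()
    except OSError:
        return None


def slack_escape(text):
    """Slack mrkdwn treats &, < and > as control characters; file names are attacker-chosen."""
    return text.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")


def slack_text(det, server):
    """Message body equivalent to the PHP sample's, with every field escaped."""
    return "\n".join([
        "*%s* found on %s" % (slack_escape(det.category), slack_escape(server)),
        "*Original path* : " + slack_escape(det.original_path),
        "*Quarantine path* : " + slack_escape(det.quarantine_path or NOT_QUARANTINED),
        "*Definition* : " + slack_escape(det.virus_definition),
        "*User* : " + slack_escape(det.username),
    ])


def email_row(label, value):
    """One HTML table row for the end-user mail; escaping blocks HTML injection via file names."""
    return '<tr><th style="text-align:left">%s</th><td>%s</td></tr>' % (
        html.escape(label), html.escape(value))


def build_event(det, server, digest, ts=None):
    """Flat, JSON-serialisable incident record for the audit log."""
    event = asdict(det)
    event.update({"server": server, "quarantine_sha256": digest,
                  "ts": int(time.time()) if ts is None else ts})
    return event


def main(argv=None):
    try:
        det = parse_hook_args(sys.argv if argv is None else argv)
    except ValueError as exc:
        print("hook: %s" % exc, file=sys.stderr)
        return 2
    server = socket.gethostname()
    event = build_event(det, server, sha256_of(det.quarantine_path))
    try:
        # 0o600: the log names users and malware paths, so keep it readable by root only.
        fd = os.open(AUDIT_LOG, os.O_WRONLY | os.O_CREAT | os.O_APPEND, 0o600)
        with os.fdopen(fd, "a") as log:
            log.write(json.dumps(event) + "\n")
    except OSError as exc:
        print("hook: cannot write %s: %s" % (AUDIT_LOG, exc), file=sys.stderr)
    # slack_text(det, server) and email_row(...) feed whatever notifier you keep from the sample.
    return 0   # a failing hook must never block the scanner


if __name__ == "__main__":
    sys.exit(main())
```

Two design points carry over to any language you write the hook in: exit non-zero only for a malformed invocation, never for a notification failure, so that a Slack outage does not turn into a scanner problem; and hash the quarantined copy at hook time, because the quarantine directory is the one place the sample is guaranteed to still have the file.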
Please contact our support if you need any additional details or want any additional features with the hook script.
