How to test a custom script on Imunify360 notification engine?

Issue

This article addresses a solution to:

• Imunify360 does not trigger my custom script when a notification event is triggered;
• How can I write a custom script to be used with the notification engine;
• The custom script does not send an e-mail.

Environment

• Imunify360
• ImunifyAV

Solution

By design, the imunify-notifier daemon drops privileges to the _imunify user to avoid any kind of escalation to root in case of security issues with insecure custom scripts, so it runs over a very limited user, _imunify.

You need to make sure of checking if the script has the "x" bit allowing execution for the _imunify user/group:

# chown root:_imunify hook_script.sh && \
    chmod g+x hook_script.sh

We have a sample script that works pretty well in most of the scenarios. It supports sending an e-mail once upon an event. This script can be used as a generic code and you can add your custom changes and implement your own integrations. 

How to use the script:

cd /etc/imunify360 && \
      curl https://docs.imunify360.com/hook_script.sh -O && \
      chown root:_imunify hook_script.sh && \
      chmod g+x hook_script.sh

Change the following two lines of the script to enable sending an e-mail:

MAIL_ENABLE=yes              # default no, change to "yes" for enabling

MAIL_TO="your-email@domain"  # for multiple email addresses, use commas

Then, hook up the script to a desired event:

# imunify360-agent notifications-config update '{"rules": {"CUSTOM_SCAN_MALWARE_FOUND":
        {"SCRIPT": {"scripts": ["/etc/imunify360/hook_script.sh"], "enabled":
        true}}}}'

Test if upon malware detection the notification event is being matched:

# cd /home/imunifytest/public_html && \
    curl https://secure.eicar.org/eicar.com.txt -O && \
    chown imunifytest: eicar.com.txt

# imunify360-agent malware on-demand start \
        --path /home/imunifytest/public_html/eicar.com.txt

Look at MTA logs, example:

# tail -f /var/log/maillog | grep _imunify

2022-03-28 19:11:38 SMTP connection identification H=localhost A=127.0.0.1 P=38558 U=_imunify ID=987 S=_imunify B=identify_local_connection

The following is the list of events with sidenotes: 

• USER_SCAN_FINISHED – occurs immediately after the user scanning has finished, regardless the malware has been found or not;
• USER_SCAN_MALWARE_FOUND – occurs when the malware scanning process of a user account has finished and malware is found;
• USER_SCAN_STARTED – occurs immediately after the user scanning has started;
• CUSTOM_SCAN_STARTED – occurs immediately after on-demand (manual) scanning has started;
• CUSTOM_SCAN_FINISHED – occurs immediately after on-demand (manual) scanning has finished, regardless the malware has been found or not;
• CUSTOM_SCAN_MALWARE_FOUND – occurs when the on-demand scanning process has finished and malware is found;
• REALTIME_MALWARE_FOUND – occurs when malware is detected during real-time scanning. (Only Imunify360);
• SCRIPT_BLOCKED – occurs when the Proactive Defense has blocked the malicious script. (Only Imunify360).

All the events above will work on malware scanning, except the SCRIPT_BLOCKED that is related to Proactive Defense and it's triggered upon an event of script blocking, it's an advanced mechanism that protects against 0days besides the malware scan.