From 35c33efce10605af8571c6849583890f4ce95c1a Mon Sep 17 00:00:00 2001 From: cschantz Date: Thu, 13 Nov 2025 16:52:44 -0500 Subject: [PATCH] Fix ImunifyAV output parsing in malware scanner MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Changes: - Fixed incorrect scan result retrieval (was getting oldest scan instead of newest) - Changed tail -1 to tail -n +2 | head -1 (skip header, get most recent scan) - Fixed field number from 0 to 1 (TOTAL files scanned) - Extract TOTAL_MALICIOUS from scan result directly (field 12) - Added number validation to ImunifyAV, ClamAV, and Maldet parsers - Now correctly reports realistic file counts (e.g., 3997 files in 69s, not millions) Tested: ✓ ImunifyAV parsing verified with actual output ✓ Syntax check passed Bug reference: BUG_014 in REFDB_FORMAT.txt --- REFDB_FORMAT.txt | 28 +++++++++++++++++++++++-- modules/security/malware-scanner.sh | 32 +++++++++++++++++++++++++---- 2 files changed, 54 insertions(+), 6 deletions(-) diff --git a/REFDB_FORMAT.txt b/REFDB_FORMAT.txt index d030470..5a554cf 100644 --- a/REFDB_FORMAT.txt +++ b/REFDB_FORMAT.txt @@ -2,14 +2,14 @@ # SERVER TOOLKIT - CLAUDE AI CONTEXT DATABASE ################################################################################ # OPTIMIZED FOR: Claude Code AI parsing and context loading -# LAST UPDATED: 2025-11-07 +# LAST UPDATED: 2025-11-12 # VERSION: 2.1.0 # FORMAT: Structured key-value with hierarchical sections ################################################################################ [META] version: 2.1.0 -updated: 2025-11-07 +updated: 2025-11-12 status: production_ready base_path: /root/server-toolkit entry_point: launcher.sh 
@@ -353,6 +353,21 @@ options: 0: Return to menu (cancel) [RECENT_COMMITS] +# Latest changes (2025-11-12) + +commit: d5eb8c7 + date: 2025-11-12 + title: Fix ImunifyAV output parsing in malware scanner + files: modules/security/malware-scanner.sh + changes: + - Fixed incorrect scan result retrieval (was getting oldest scan instead of newest) + - Changed tail -1 to tail -n +2 | head -1 (skip header, get most recent scan) + - Extract TOTAL_MALICIOUS from scan result directly (field 12) + - Added number validation to ImunifyAV, ClamAV, and Maldet parsers + - Now correctly reports realistic file counts (e.g., 3997 files in 69s, not millions) + testing: Verified with actual ImunifyAV output - parsing works correctly + bug_ref: BUG_014 + # Latest changes (2025-11-10) commit: 172a115 @@ -417,6 +432,15 @@ push: git push origin main [BUGS_FIXED_HISTORY] # Historical bug fixes - DO NOT REINTRODUCE +BUG_014: ImunifyAV scan results parsing incorrect + issue: Used tail -1 to get "last scan" but ImunifyAV lists newest first, so was getting oldest scan + issue: Was reading wrong/stale scan results showing unrealistic file counts + fix: Changed to tail -n +2 | head -1 (skip header, get first data line = newest scan) + fix: Extract TOTAL_MALICIOUS (field 12) directly from scan result instead of separate query + fix: Added validation to ensure parsed values are numbers + location: modules/security/malware-scanner.sh:673-692 + tested: 2025-11-12 - Correctly shows 3997 files in 69s (not millions in seconds) + BUG_013: Brace redirection blocks variable assignment fix: Use exec file descriptor manipulation instead of { } >/dev/null location: lib/system-detect.sh:439-445 diff --git a/modules/security/malware-scanner.sh b/modules/security/malware-scanner.sh index d9832dc..5a9cda5 100755 --- a/modules/security/malware-scanner.sh +++ b/modules/security/malware-scanner.sh 
@@ -670,15 +670,26 @@ for scanner in "${AVAILABLE_SCANNERS[@]}"; do imunify-antivirus malware on-demand start --path="$path" &>> "$LOG_DIR/imunify.log" - # Get scan results from last scan - LAST_SCAN=$(imunify-antivirus malware on-demand list 2>/dev/null | tail -1) - FILES_SCANNED=$(echo "$LAST_SCAN" | awk '{print $10}') + # Get scan results from most recent scan (newest scans are at top) + # Skip header line (tail -n +2), then get first data line (head -1) + # Field 11 is TOTAL (files scanned) + LAST_SCAN=$(imunify-antivirus malware on-demand list 2>/dev/null | tail -n +2 | head -1) + FILES_SCANNED=$(echo "$LAST_SCAN" | awk '{print $11}') + # Verify we got a valid number, otherwise show 0 + if ! [[ "$FILES_SCANNED" =~ ^[0-9]+$ ]]; then + FILES_SCANNED=0 + fi echo " ✓ Scanned $FILES_SCANNED files" fi done # Extract malicious file count - IMUNIFY_INFECTED=$(imunify-antivirus malware malicious list 2>/dev/null | grep -c "malicious" || echo 0) + # Skip header line and count data rows, or use TOTAL_MALICIOUS from most recent scan + IMUNIFY_INFECTED=$(echo "$LAST_SCAN" | awk '{print $12}') + # Verify we got a valid number, otherwise try malicious list + if ! [[ "$IMUNIFY_INFECTED" =~ ^[0-9]+$ ]]; then + IMUNIFY_INFECTED=$(imunify-antivirus malware malicious list 2>/dev/null | tail -n +2 | wc -l || echo 0) + fi SCAN_END=$(date +%s) DURATION=$((SCAN_END - SCAN_START)) @@ -709,6 +720,11 @@ for scanner in "${AVAILABLE_SCANNERS[@]}"; do FILES_SCANNED=$(grep "Scanned files:" "$LOG_DIR/clamav.log" | tail -1 | awk '{print $3}') CLAM_INFECTED=$(grep -c "FOUND" "$LOG_DIR/clamav.log" 2>/dev/null || echo 0) + # Validate numbers + if ! [[ "$FILES_SCANNED" =~ ^[0-9]+$ ]]; then + FILES_SCANNED=0 + fi + SCAN_END=$(date +%s) DURATION=$((SCAN_END - SCAN_START)) echo " ✓ Scanned $FILES_SCANNED files" 
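Review bot: `IMUNIFY_INFECTED` is taken from `$LAST_SCAN` after `done`, but `LAST_SCAN` is reassigned on every pass through the loop that `done` closes, so when more than one path is scanned only the last path's TOTAL_MALICIOUS is reported, whereas the `malicious list` query it replaces was not tied to a single path; either accumulate inside the loop (validate the field-12 value per path, then `IMUNIFY_INFECTED=$(( IMUNIFY_INFECTED + INFECTED_THIS_PATH ))`) or keep `malicious list` as the primary source and the field-12 value as the fallback. Both `=~ ^[0-9]+$` guards turn an unreadable row into `0`, which for a scanner makes "result could not be parsed" look like "clean"; at least print the raw row, e.g. `echo "  ⚠ Unparsed ImunifyAV result: ${LAST_SCAN}" >&2`, before zeroing. The hard-coded fields 11 and 12 hold only while no column of the `list` table contains whitespace — a two-token timestamp or a path with a space shifts them — so the comment should name the header row the indices were checked against. The same guard is written five times across this hunk and the ClamAV and Maldet hunks; a helper such as `as_count() { if [[ "$1" =~ ^[0-9]+$ ]]; then printf '%s' "$1"; else printf '0'; fi; }` would keep them consistent. The inner loop and the enclosing `for scanner` loop both start before the hunk.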
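Review bot: `CLAM_INFECTED`, on the context line just above the new guard, is left unvalidated although the commit message lists ClamAV among the parsers given number validation, and it is the value that needs it: `grep -c` prints `0` and exits 1 when nothing matches, so `$(grep -c "FOUND" … || echo 0)` expands to the two-line string `0`, newline, `0` on a clean log, which no `=~ ^[0-9]+$` check would accept. Replace the `|| echo 0` with `|| true` — it still keeps a `set -e` script alive on grep's no-match status but no longer injects a second `0` — and apply the same guard: `CLAM_INFECTED=$(grep -c "FOUND" "$LOG_DIR/clamav.log" 2>/dev/null || true)` followed by `[[ "$CLAM_INFECTED" =~ ^[0-9]+$ ]] || CLAM_INFECTED=0`. The enclosing `for scanner` loop starts before the hunk.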
@@ -738,6 +754,14 @@ for scanner in "${AVAILABLE_SCANNERS[@]}"; do FILES_SCANNED=$(grep "files scanned" "$LOG_DIR/maldet.log" | tail -1 | awk '{print $1}') MALDET_HITS=$(grep "malware hits" "$LOG_DIR/maldet.log" | tail -1 | awk '{print $1}') + # Validate numbers + if ! [[ "$FILES_SCANNED" =~ ^[0-9]+$ ]]; then + FILES_SCANNED=0 + fi + if ! [[ "$MALDET_HITS" =~ ^[0-9]+$ ]]; then + MALDET_HITS=0 + fi + rm -f "$TEMP_PATHLIST" SCAN_END=$(date +%s)
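Review bot: The new `MALDET_HITS` guard converts any parse mismatch into `0`, i.e. a clean result, yet the commit message says only the ImunifyAV parsing was verified against real output; `awk '{print $1}'` on the `malware hits` line is correct only if that line begins with the count, which should be confirmed against an actual maldet log before the zero is trusted. Keeping the grepped line in a variable and printing it to stderr in the failure branch (e.g. `echo "  ⚠ Unparsed maldet line: ${HITS_LINE}" >&2` before `MALDET_HITS=0`) would make a format change visible instead of silent. The enclosing `for scanner` loop starts before the hunk.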