External scanners in MetaDefender core v4.8.0 and above

Disclaimer

This sample script is provided for illustrative purpose only and is not guaranteed to be functional in a production environment.

MetaDefender Core V4.8.0 has a new feature "External scanners".

You can define an "External scanner" which can be invoked through a command line executable or script. This executable/script will be called for each scanned file, after all other engines but before final verdict is decided.

The documentation of this feature can be found here: https://onlinehelp.opswat.com/corev4/3.10._External_Scanners_And_Post_Actions.html

The script in this sample is a PowerShell script. For it to work properly, the PowerShell executable must be called from the External Scanners screen of MetaDefender Core:

You will need to specify the location from where PowerShell is run on your system, followed by:

  • -ExecutionPolicy Bypass

  • -File TheNameAndPathOfYourScriptFile.ps1

We created a sample PowerShell script that attempts to flag suspicious files as possible false positives.

The script checks the scan results of the current file. If the file is flagged as infected by only one engine, the file's hash is sent to MetaDefender Cloud.

MetaDefender Cloud's results are then analysed. If the file is flagged as infected in MetaDefender Cloud by ONLY the same one engine that flagged it in MetaDefender Core, OR if MetaDefender Cloud finds the file to be clean, the file is copied to the $false_positive folder for later investigation, the verdict will be "Suspicious" (2) and threat_found will be 'Suspected False Positive'.

If the file is flagged by any other engine on MetaDefender Cloud, the verdict will be "Infected" (1) and threat_found will be "Infected - Probably NOT False Positive".

If the file is not flagged by any local engine, the script returns the verdict "No Threat Detected" (0).

Input:

  1. It is your responsibility to create and populate the system context variable %false_positive% with a valid folder name before running the script.

  2. It is your responsibility to create and populate the system context variable %apikey% with your valid MetaDefender Cloud license key.

  3. The script accepts the currently scanned file location as its last command line argument and stores it in the variable $current_file_path.

  4. The script expects to find the scan results JSON on STDIN; it is read into the variable $scan_results.

Output:

  1. The script adds its verdict (based on the results from MetaDefender Cloud) to the result JSON and writes it to STDOUT.

  2. If only the same engine (or no engine at all) flags the file as malicious, the script copies the file to the folder $false_positive for later investigation.

  3. The script's possible return values are:

  • "0" - Success

  • "1" - Input JSON parse error

  • "2" - Copy error

  • "3" - File path of the currently scanned file is invalid

  • "4" - Destination path of "false positive" is invalid

  • "5" - Call to the MetaDefender Cloud hash lookup failed

  • "6" - Hash not found on MetaDefender Cloud
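The following PowerShell script is an added example of the logic described above; it is not the article's external_scanner_sample.ps1. The STDIN/argument conventions, verdicts and exit codes come from the article; the result field scan_results.scan_details.<engine>.scan_result_i, the Cloud endpoint https://api.metadefender.com/v4/hash/<sha256> with its apikey header, and returning the verdict as scan_result / threat_found added to the input JSON are assumptions based on the public MetaDefender API documentation, so check them against your version. The case where more than one local engine flags the file is not covered by the article and is simply reported as Infected here.

```powershell
# Added example (not the article's external_scanner_sample.ps1). Assumed, not taken from
# the article: the field scan_results.scan_details.<engine>.scan_result_i (1 = infected),
# the Cloud endpoint https://api.metadefender.com/v4/hash/<sha256> with an 'apikey' header,
# and the verdict being returned as scan_result / threat_found added to the input JSON.
$ErrorActionPreference = 'Stop'
$current_file_path = $args[-1]           # last argument = file being scanned
$false_positive    = $env:false_positive # folder for suspected false positives
$apikey            = $env:apikey         # MetaDefender Cloud license key

if (-not (Test-Path -LiteralPath $current_file_path -PathType Leaf)) { exit 3 }
if (-not $false_positive -or -not (Test-Path -LiteralPath $false_positive -PathType Container)) { exit 4 }

try { $scan_results = [Console]::In.ReadToEnd() | ConvertFrom-Json } catch { exit 1 }
if (-not $scan_results -or -not $scan_results.scan_results) { exit 1 }

# Names of local engines that reported the file as infected
$local_hits = @($scan_results.scan_results.scan_details.PSObject.Properties |
    Where-Object { $_.Value.scan_result_i -eq 1 } | ForEach-Object { $_.Name })

function Write-Verdict([int]$Code, [string]$Threat) {
    $scan_results | Add-Member -NotePropertyName scan_result  -NotePropertyValue $Code   -Force
    $scan_results | Add-Member -NotePropertyName threat_found -NotePropertyValue $Threat -Force
    $scan_results | ConvertTo-Json -Depth 10 | Write-Output
}

if ($local_hits.Count -eq 0) { Write-Verdict 0 'No Threat Detected'; exit 0 }
if ($local_hits.Count -gt 1) { Write-Verdict 1 'Infected'; exit 0 }  # several engines agree: not a false-positive candidate

# Exactly one local engine flagged the file: compare with MetaDefender Cloud by hash
$hash = (Get-FileHash -LiteralPath $current_file_path -Algorithm SHA256).Hash
try {
    $cloud = Invoke-RestMethod -Uri "https://api.metadefender.com/v4/hash/$hash" -Headers @{ apikey = $apikey }
} catch {
    $status = if ($_.Exception.Response) { [int]$_.Exception.Response.StatusCode } else { 0 }
    if ($status -eq 404) { exit 6 }   # hash unknown to the Cloud
    exit 5                            # lookup failed for any other reason
}
$cloud_hits = @($cloud.scan_results.scan_details.PSObject.Properties |
    Where-Object { $_.Value.scan_result_i -eq 1 } | ForEach-Object { $_.Name })

# Cloud agrees only with the same single engine (or finds the file clean): suspected false positive
if (@($cloud_hits | Where-Object { $_ -ne $local_hits[0] }).Count -eq 0) {
    try { Copy-Item -LiteralPath $current_file_path -Destination $false_positive } catch { exit 2 }
    Write-Verdict 2 'Suspected False Positive'
} else {
    Write-Verdict 1 'Infected - Probably NOT False Positive'
}
exit 0
```

Register it in the External Scanners screen as `powershell.exe -ExecutionPolicy Bypass -File <path>\<script>.ps1`, and review the copies in $false_positive before whitelisting anything, since a single-engine hit is only a hint of a false positive, not proof.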

The script itself can be found and downloaded from the following link:

external_scanner_sample.ps1

This article applies to MetaDefender Core v4 Windows
This article was last updated on 2018-03-22