This sample script is provided for illustrative purpose only and is not guaranteed to be functional in a production environment.
MetaDefender Core V4.8.0 has a new feature "External scanners".
You can define an "External scanner" which can be invoked through a command line executable or script. This executable/script will be called for each scanned file, after all other engines but before final verdict is decided.
The documentation of this feature can be found here: https://onlinehelp.opswat.com/corev4/3.10._External_Scanners_And_Post_Actions.html
The script in this sample is a Powershell script, for this script to work properly, we need to call the Powershell executable in the External Scanners screen of MetaDefender Core:
You will need to specify the location from where Powershell is running in your system, followed by:
We created a sample Powershell script that attempts to flag files suspicious as False Positive.
The script checks the scan results of the current file, if the file is flagged as infected by only one engine , the file's hash is then
sent to MetaDefender cloud.
cloud's results are then analysed :
In case the file is flagged as infected in MetaDefender Cloud by ONLY the same one engine which flagged the file in MetaDefender Core
OR if the file is found to be clean by MetaDefender Cloud, the file will be copied to a $false_positive folder for later investigation,
and verdict will be "Suspicious" (2). and threat_found will be 'Suspected False Positive'.
If the file is flagged by any other engine on MetaDefender Cloud then the verdict will be "Infected" (1) and threat_found will be "Infected - Probably NOT False Positive ".
If the file is not flagged by any local engine the script returns the verdict " No Threat Detected" (0).
It accepts as its input:
It is your responsibility to create and populate the system context variable %false_positive% with a valid folder name before running the script
It is your responsibility to create and populate the system context variable %apikey% with your valid MetaDefender cloud license key.
The script accepts the currently scanned file location as its last command line argument, and stores it in the variable $current_file_path
The script expects to find the scan results json on STDIN. it is read into the variable $scan_results
The script will add its verdict (based on results from MetaDefender Cloud) to the result JSON and write it to the STDOUT
if only the same engine (or no engine at all) flag the file as malicious the script will copy the file to the folder $false_positive for later investigation
The script has 6 possible return values:
"0" - Success
"1" - Input Json Parse error
"2" - Copy error
"3" - file path of currently scanned file is invalid
"4" - the destination path of "false positive" is invalid.
"5" - call to MetaDefender hash lookup failed
"6" - hash not found on MetaDefender Cloud
The script itself can be found and downloaded from the following link:
This article applies to
Core v4 Windows
This article was last updated on 2018-03-22