Forum Discussion
Azure Defender On Linux VM - Help With Exit Codes
Hello,
We have installed Azure Defender on a Linux VM and need to run a custom virus scan from a bash script. Our goal is to scan a file and identify any threats.
Below is the bash script we are using. We assumed that mdatp would return an exit code of 0 if no threat is found, and an exit code greater than 0 if a threat is identified. However, it always returns an exit code of 0. Could you guide us on the correct exit codes returned by mdatp or suggest a better approach?
Many thanks in advance
2 Replies
- wilsod340 Copper Contributor
You're right, mdatp's exit codes might not behave exactly as expected. Here's what you can do:
Refer to Microsoft Documentation: While there isn't specific documentation on exit codes for mdatp, you can look for similar tools from Microsoft Defender. Microsoft Defender Antivirus uses exit codes 0 and 2 - 0 for success (no threat) and 2 for failures or threats found (https://learn.microsoft.com/en-us/defender-endpoint/microsoft-defender-antivirus-windows). This might be a similar behavior for mdatp.
Test with a Sample Threat: Create a test file with a known malware signature and try scanning it with mdatp. If it still returns 0, then it's likely mdatp uses a different scheme.
Alternative Approach: Parsing mdatp Output: If exit codes are unreliable, consider parsing the text output of mdatp. The output should indicate if any threats were found. You can use tools like grep to search for keywords related to threats within the output.
Here's a possible approach using grep:
```bash
#!/usr/bin/env bash
# Path to scan is passed as the first argument (the "<file_path>" placeholder).
file_path=${1:?usage: $0 <file_path>}

# Run an explicit on-demand scan of the file and capture everything mdatp prints
# (stdout and stderr), rather than relying on the process exit code.
scan_result=$(mdatp scan custom --path "$file_path" 2>&1)

# mdatp's summary reports a threat count; match only a non-zero count so that a
# clean scan's "0 threat(s) detected" line is not mistaken for a detection.
if grep -Eqi '[1-9][0-9]* threat\(s\) detected' <<< "$scan_result"; then
    echo "Threat identified!"
else
    echo "Scan completed successfully. No threats found."
fi
```
This script scans the file with mdatp and stores the output in scan_result. Then, it uses grep to search for the case-insensitive phrase "threat found" within the output. If grep finds a match, it means a threat was identified.
Remember to replace <file_path> with the actual path to the file you want to scan. This is a basic example, and you might need to refine the grep pattern based on mdatp's specific output format.
- marc190511 Copper Contributor
Many thanks for this response.
We have successfully implemented a working script with Microsoft Defender operating in passive mode. However, we intend to switch to active mode for virus scanning. Our current goal is to develop a Bash script that uploads files to Azure Blob Storage after the Microsoft Defender scan is performed and confirms that no threats are identified. The files are received on a Linux VM from a third-party application (LiquidFiles), and we assume that the scan will run as soon as a file lands on the Linux VM, with any identified threats resulting in the file being deleted.
We have a couple of questions regarding this process:
Threat Identification: How can we identify if there was a threat identified in a specific file and decide whether to continue with further steps?
File Access During Scan: If we attempt to access the incoming file through a Bash script that runs immediately, will Microsoft Defender lock the file until the scan is complete and it is deemed safe for further processing?
Any thoughts, advice, or insights on the above would be greatly appreciated.
Best regards,
Marc
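The following is an added example and not code from either poster or from Microsoft. It puts the two threads of this discussion together: it gates an Azure Blob upload on an explicit on-demand `mdatp scan custom --path` run, parses the threat count from the scan's text output instead of trusting the process exit code, and refuses to upload when the output cannot be parsed at all (an unknown verdict is never treated as clean). Rather than assuming anything about whether Defender holds a lock on a file that has just landed, it waits until the file's size stops changing before scanning. Assumptions that are not in the thread: that the scan summary contains a line of the form `N threat(s) detected`, that the `az` CLI is already logged in, and the storage account and container names, which are taken from the command line.

```bash
#!/bin/sh
# Added example (not from the original thread or from Microsoft): upload a
# file to Azure Blob Storage only after an explicit Defender on-demand scan
# reports zero threats. Assumptions are marked below.
set -u

# Result codes returned by classify_scan_output / scan_file / upload_if_clean.
SCAN_CLEAN=0
SCAN_THREAT=1
SCAN_UNKNOWN=2

# classify_scan_output: read scan output on stdin, print the parsed threat
# count ("?" if no count was found) and return CLEAN, THREAT or UNKNOWN.
# ASSUMPTION: the summary contains a line like "    1 threat(s) detected".
# Parsing the number rather than grepping for "threat" keeps a clean run's
# "0 threat(s) detected" from being mistaken for a detection, and a missing
# line (agent not running, unexpected output) becomes UNKNOWN, never CLEAN.
classify_scan_output() {
  count=$(sed -nE 's/^[[:space:]]*([0-9]+) threat\(s\) detected.*$/\1/p' | head -n 1)
  if [ -z "$count" ]; then
    echo "?"
    return $SCAN_UNKNOWN
  fi
  echo "$count"
  if [ "$count" -eq 0 ]; then
    return $SCAN_CLEAN
  else
    return $SCAN_THREAT
  fi
}

# wait_for_stable_size FILE [SAMPLES] [INTERVAL_SECONDS]: the file arrives from
# a third-party uploader, so do not scan while it is still being written.
# Returns 0 once two consecutive size samples match, 1 if it never settles.
wait_for_stable_size() {
  f=$1; tries=${2:-30}; interval=${3:-1}; last=-1
  while [ "$tries" -gt 0 ]; do
    now=$(wc -c <"$f" | tr -d ' ')
    if [ "$now" = "$last" ]; then
      return 0
    fi
    last=$now
    tries=$((tries - 1))
    sleep "$interval"
  done
  return 1
}

# scan_file FILE: run an explicit on-demand scan and classify its output.
# A missing mdatp binary yields UNKNOWN so a broken agent cannot look clean.
scan_file() {
  if ! command -v mdatp >/dev/null 2>&1; then
    echo "mdatp not found" >&2
    return $SCAN_UNKNOWN
  fi
  mdatp scan custom --path "$1" 2>&1 | classify_scan_output
}

# upload_if_clean FILE ACCOUNT CONTAINER: only a CLEAN verdict leads to an
# upload; THREAT and UNKNOWN both leave the file in place for a human to check.
# ASSUMPTION: `az` is already authenticated; ACCOUNT/CONTAINER are caller-supplied.
upload_if_clean() {
  file=$1; account=$2; container=$3
  if ! wait_for_stable_size "$file"; then
    echo "$file never stopped growing; not scanning" >&2
    return $SCAN_UNKNOWN
  fi
  if scan_file "$file" >/dev/null; then rc=0; else rc=$?; fi
  case $rc in
    0) az storage blob upload --account-name "$account" --container-name "$container" \
         --name "$(basename "$file")" --file "$file" ;;
    1) echo "threat detected in $file; not uploading" >&2 ;;
    *) echo "scan result unknown for $file; not uploading" >&2 ;;
  esac
  return $rc
}

if [ $# -eq 3 ]; then
  upload_if_clean "$1" "$2" "$3"
else
  echo "usage: $0 <file> <storage-account> <container>" >&2
fi
```

Run it as `./scan_upload.sh /incoming/report.pdf mystorageacct quarantine-cleared` from whatever hook or timer fires when LiquidFiles drops a file. The design choice worth noting is the three-way result: most of the risk in a "scan then upload" pipeline is the case where the scanner did not actually run, so that case gets its own code and is handled exactly like a detection, not like a pass.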