pullsec/antivirus_monitoring

Table of Contents
  1. about
  2. architecture
  3. scripts
  4. installation
  5. usage
  6. faq

about

AV Supervision Toolkit is based on a real-world enterprise scenario involving secure antivirus update distribution in a segmented environment. In this context, systems responsible for delivering antivirus updates were isolated from the monitoring infrastructure, requiring a controlled mechanism to verify update integrity and availability.

This project focuses on ensuring:

  • successful delivery of antivirus updates
  • validation of definitions and engine freshness
  • reliable monitoring despite network segmentation

The solution reflects operational constraints typically found in sensitive environments, where direct access is restricted and secure relay mechanisms are required.

architecture

Important

This architecture is designed for segmented environments where direct access between poller and target server is not allowed.

flowchart LR
    A[Centreon Poller<br/>av_snmp.sh]
    B[Jump Server<br/>snmpd + extend]
    C[av_relay.sh]
    D[AV Server]
    E[av_supervision.sh]

    A -->|SNMP request| B
    B -->|extend execution| C
    C -->|SSH| D
    D -->|local execution| E
    E -->|plugin output| C
    C -->|SNMP response| A

scripts

The project is composed of multiple scripts distributed across different hosts.
Each script has a specific role in the monitoring chain.

script               location          role         description
av_supervision.sh    av server         check        validates antivirus signatures and engines
av_relay.sh          jump server       relay        executes remote script via SSH
av_snmp.sh           centreon poller   entrypoint   queries SNMP and retrieves result

These scripts work together to provide a complete monitoring workflow across segmented environments.

installation

1. clone repository

git clone https://github.com/Pr0xyG33k/antivirus_monitoring.git
cd antivirus_monitoring

2. av server

cp av_supervision.sh /opt/antivirus_monitoring/
chmod +x /opt/antivirus_monitoring/av_supervision.sh

3. jump server

cp av_relay.sh /usr/lib/centreon/plugins/
chmod +x /usr/lib/centreon/plugins/av_relay.sh
# the following line is an snmpd configuration directive, not a shell command:
# add it to snmpd.conf (typically /etc/snmp/snmpd.conf) so that the extend entry
# named "check" runs the relay script when queried
extend check /usr/lib/centreon/plugins/av_relay.sh
systemctl restart snmpd

4. ssh configuration

# on the jump server; the key pair must be usable by the account under which
# snmpd runs the extend command, since that account executes av_relay.sh
ssh-keygen
ssh-copy-id user@av-server

5. centreon poller

cp av_snmp.sh /usr/lib/centreon/plugins/
chmod +x /usr/lib/centreon/plugins/av_snmp.sh

6. test

# on the centreon poller
./av_snmp.sh <jump_server> <community> check

usage

Note

The poller does not execute the antivirus check directly.
The request is forwarded via SNMP to the jump server, which executes av_supervision.sh remotely over SSH.

command

./av_snmp.sh <jump_server> <community> check

options (av_supervision.sh)

-w <int> warning threshold (default: 0)
-c <int> critical threshold (default: 1)
-t <int> HTTP timeout in seconds (default: 15)
-u <url> override update URL (default: auto)
-b <path> base directory for antivirus engines
-l <path> log directory
-v enable verbose mode
-h display help

return codes

0 OK
1 WARNING
2 CRITICAL
3 UNKNOWN
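The poller-side step described above, as an added example that is not the project's own av_snmp.sh: it reads the extend result registered under the name `check` (the name used in the installation step) from the jump server and maps it onto the four return codes. It assumes net-snmp's snmpget is installed on the poller; the sample replies are constructed.

```shell
#!/bin/sh
# Added example, not the project's own av_snmp.sh: the poller-side step the README
# describes. Reads the "check" extend result from the jump server and maps it onto
# the Centreon exit codes (0 OK, 1 WARNING, 2 CRITICAL, 3 UNKNOWN). Any reply that
# is not a clean 0..3 (timeout, wrong community, missing extend) becomes UNKNOWN,
# so a broken relay never silently reports OK.

EXTEND_NAME="check"   # name used in the snmpd.conf "extend" directive

# Constructed sample replies, in the format snmpget -v2c prints them.
SAMPLE_OK='NET-SNMP-EXTEND-MIB::nsExtendResult."check" = INTEGER: 0
NET-SNMP-EXTEND-MIB::nsExtendOutputFull."check" = STRING: OK - definitions fresh'
SAMPLE_CRIT='NET-SNMP-EXTEND-MIB::nsExtendResult."check" = INTEGER: 2
NET-SNMP-EXTEND-MIB::nsExtendOutputFull."check" = STRING: CRITICAL - update failed'
SAMPLE_MISSING='NET-SNMP-EXTEND-MIB::nsExtendResult."check" = No Such Instance currently exists at this OID'
SAMPLE_TIMEOUT='Timeout: No Response from jump-server'

# Live query (assumes net-snmp snmpget on the poller); stderr merged so timeouts reach the parser.
query_extend() {   # $1 jump server, $2 community
    snmpget -v2c -c "$2" -r 1 -t 5 "$1" \
        "NET-SNMP-EXTEND-MIB::nsExtendResult.\"$EXTEND_NAME\"" \
        "NET-SNMP-EXTEND-MIB::nsExtendOutputFull.\"$EXTEND_NAME\"" 2>&1
}

# Remote exit code, or 3 when the reply cannot be trusted.
extend_exit_code() {   # $1 raw snmpget output
    code=$(printf '%s\n' "$1" | sed -n 's/.*nsExtendResult\..* = INTEGER: \([0-9]*\)$/\1/p' | head -n 1)
    case "$code" in
        0|1|2|3) printf '%s\n' "$code" ;;
        *)       printf '3\n' ;;
    esac
}

# Plugin's one-line message, or a synthetic UNKNOWN message.
extend_message() {   # $1 raw snmpget output
    msg=$(printf '%s\n' "$1" | sed -n 's/.*nsExtendOutputFull\..* = STRING: //p' | head -n 1)
    if [ -n "$msg" ]; then printf '%s\n' "$msg"; else printf 'UNKNOWN - no usable extend result from jump server\n'; fi
}

status_label() {   # $1 exit code
    case "$1" in 0) echo OK ;; 1) echo WARNING ;; 2) echo CRITICAL ;; *) echo UNKNOWN ;; esac
}

# Usage: ./av_snmp_example.sh <jump_server> <community>
if [ "$#" -eq 2 ]; then
    raw=$(query_extend "$1" "$2")
    rc=$(extend_exit_code "$raw")
    printf '%s: %s\n' "$(status_label "$rc")" "$(extend_message "$raw")"
    exit "$rc"
fi
```

The script exits with the remote code itself, which is the only thing Centreon evaluates; the message line is kept for the operator's benefit.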

faq

why use a jump server instead of direct monitoring?

Direct access is restricted due to network segmentation.

why use snmp extend?

The snmpd extend directive runs a script registered in snmpd.conf whenever its OID is queried, so the poller only needs SNMP access to the jump server to trigger the relay.

why is SSH required?

Used by the jump server to reach the AV server.

why is only the exit code used?

Centreon determines the status based on exit code only.

About

This repository provides tools and scripts for monitoring antivirus activity, collecting logs and analyzing security events.
