Handling Virus Scan Results

Function

This API is used to handle virus scan results.

Authorization Information

Each account has all the permissions required to call all APIs, but IAM users must be assigned the required permissions.

If you are using role/policy-based authorization, see Permissions Policies and Supported Actions for details on the required permissions.
If you are using identity policy-based authorization, no identity policy-based permission required for calling this API.

URI

POST /v5/{project_id}/antivirus/result/operate

**Table 1** Path Parameters
Parameter	Mandatory	Type	Description
project_id	Yes	String	Definition Project ID, which is used to specify the project that an asset belongs to. After the project ID is configured, you can query assets in the project using the project ID. For details about how to obtain it, see Obtaining a Project ID. Constraints N/A Range The value can contain 1 to 256 characters. Default Value N/A

**Table 2** Query Parameters
Parameter	Mandatory	Type	Description
enterprise_project_id	No	String	Definition Enterprise project ID, which is used to filter assets in different enterprise projects. For details, see Obtaining an Enterprise Project ID. To query assets in all enterprise projects, set this parameter to all_granted_eps. Constraints You need to set this parameter only after the enterprise project function is enabled. Range The value can contain 1 to 256 characters. Default Value 0: default enterprise project.

Request Parameters

**Table 3** Request header parameters
Parameter	Mandatory	Type	Description
X-Auth-Token	Yes	String	Definition User token, which contains user identity and permissions. The token can be used for identity authentication when an API is called. For details about how to obtain the token, see Obtaining a User Token. Constraints N/A Range The value can contain 1 to 32,768 characters. Default Value N/A

**Table 4** Request body parameters
Parameter	Mandatory	Type	Description
operate_type	Yes	String	Handling method. Its value can be: mark_as_handled: Mark as handled ignore: Ignore add_to_alarm_whitelist: Add to alarm whitelist manual_isolate_and_kill: Isolate a file unhandle: Cancel manual handling do_not_ignore: Unignore remove_from_alarm_whitelist: Remove from the alarm whitelist do_not_isolate_or_kill: Cancel isolation of a file
memo	No	String	Definition Remarks. Range The value can contain 0 to 512 characters.
operate_results	No	Array of OperateResultRequestInfo objects	Handling result list
event_white_rules	No	Array of AntiVirusEventWhiteRuleListRequestInfo objects	Adding an alarm whitelist rule

**Table 5** OperateResultRequestInfo
Parameter	Mandatory	Type	Description
agent_id	Yes	String	Definition Unique ID of the antivirus agent installed on a server, which is used to associate the server with the antivirus service. Constraints N/A Range The value can contain 1 to 64 characters. Default Value N/A
result_id	Yes	String	Virus scan and removal result ID
event_type	Yes	Integer	Definition Event type ID corresponding to the virus scan and removal result. Range 0 to 10. (0 indicates a file virus event. 1 indicates a memory virus event. For more information, see the product error code or enumeration document.)
occur_time	No	Integer	Definition Occurrence time, accurate to milliseconds Range The value ranges from 0 to 9223372036854775807. The time format is a timestamp (UTC time zone, starting from 1970-01-01 00:00:00), in milliseconds.
file_hash	Yes	String	Definition File hash. Range The value can contain 1 to 256 characters.
file_path	Yes	String	Definition File path. Range The value can contain 1 to 256 characters.
file_attr	Yes	String	Definition System attributes of a file (such as read and write permissions, hidden attributes, and execution permissions). Range The value can contain 1 to 256 characters.

**Table 6** AntiVirusEventWhiteRuleListRequestInfo
Parameter	Mandatory	Type	Description
event_type	Yes	Integer	Definition Event type. Range 1001: common malware 1002: virus 1003: worm 1004: Trojan 1005: botnet 1006: backdoor 1010: rootkit 1011: ransomware 1012: hacker tool 1015: web shell 1016: mining 1017: reverse shell 2001: common vulnerability exploit 2012: remote code execution 2047: Redis vulnerability exploit 2048: Hadoop vulnerability exploit 2049: MySQL vulnerability exploit 3002: file privilege escalation 3003: process privilege escalation 3004: critical file change 3005: file/directory change 3007: abnormal process behavior 3015: high-risk command execution 3018: abnormal shell 3027: suspicious crontab task 3029: system protection disabled 3030: backup deletion 3031: suspicious registry operations 3036: container image blocking 4002: brute-force attack 4004: abnormal login 4006: invalid accounts 4014: account added 4020: password theft 6002: port scan 6003: server scan 13001: Kubernetes event deletion 13002: abnormal pod behavior 13003: user information enumeration 13004: cluster role binding
field_key	Yes	String	Whitelist fields. The options are as follows: file_path
field_value	Yes	String	Whitelist field value
judge_type	Yes	String	Wildcard. The options are as follows: equal contain

Response Parameters

Status code: 200

Request succeeded.

None

Example Requests

Set the action to whitelist, agent ID to e2ad65100314897c3dc5b50857f49a5f53e78c4b495fbed3d8097249456830f3, task ID to 9767484d-cc39-4de1-b214-621c3acce4b5, event type to virus, file hash to d36b44b1cd6d5767f788ba3265b075ad74d70ba8a1ce89db7c43ab6ea6e2c8eb, file path to /root/xx, and file attribute to -rw-r--r--.

{
  "operate_type" : "add_to_alarm_whitelist",
  "memo" : "xxx",
  "operate_results" : [ {
    "agent_id" : "e2ad65100314897c3dc5b50857f49a5f53e78c4b495fbed3d8097249456830f3",
    "result_id" : "9767484d-cc39-4de1-b214-621c3acce4b5",
    "event_type" : 1002,
    "file_hash" : "d36b44b1cd6d5767f788ba3265b075ad74d70ba8a1ce89db7c43ab6ea6e2c8eb",
    "file_path" : "/root/xx",
    "file_attr" : "-rw-r--r--"
  } ]
}