
To review the content of files being generated in the /tmp directory on an Ubuntu server before Microsoft Defender removes them, you can use several approaches.  Following is the approach we took.


Real-Time Monitoring

You can set up a script to monitor the /tmp directory and log the contents of new files. Use inotifywait to watch for new files and then copy them to another directory for review.

Install inotify-tools:

sudo apt-get install inotify-tools

Create a monitoring script and save it as monitor_tmp.sh:

#!/bin/bash

# Directory to monitor
WATCH_DIR="/tmp"
# Directory to copy files for review. Keep it outside /tmp, otherwise every
# copy you make triggers another create event in the watched directory.
COPY_DIR="/path/to/your/review_directory"

# Ensure the review directory exists
mkdir -p "$COPY_DIR"

# Monitor /tmp for items created in it or moved into it. --format '%w%f'
# prints the full path on one line, so names containing spaces survive the
# read below; IFS= and -r keep read from trimming or unescaping the name.
inotifywait -m -e create -e moved_to --format '%w%f' "$WATCH_DIR" |
while IFS= read -r SOURCE_PATH; do
    echo "New item detected: $SOURCE_PATH"

    # Small delay to give the writer time to finish. The item may already be
    # gone by then; the existence check below reports that instead of failing.
    sleep 0.5

    if [ -e "$SOURCE_PATH" ]; then
        # cp -a copies files and directories alike: recursively, and
        # preserving timestamps, ownership and mode for later review.
        cp -a "$SOURCE_PATH" "$COPY_DIR"
    else
        echo "Item $SOURCE_PATH no longer exists."
    fi
done

Make the script executable and run it:

chmod +x monitor_tmp.sh
./monitor_tmp.sh
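A more review-friendly capture routine, added here as an example and not part of the original script: it copies each item under a collision-safe name and appends a manifest line with timestamp, SHA-256, owner and mode, so a reviewed copy can later be matched against Defender's detection record. The function name snapshot_item, the manifest layout and the review directory path are assumptions; it expects GNU coreutils as shipped on Ubuntu.

```shell
#!/bin/bash
# Added example (not from the original article). snapshot_item SRC REVIEW_DIR
# copies SRC into REVIEW_DIR under a timestamped, collision-safe name and
# records a tab-separated manifest line describing the copy. Returns 1 when
# SRC has already disappeared, and notes that in the manifest as well.
# Layout of the manifest and the function name are assumptions.

snapshot_item() {
    local src="$1" review_dir="$2"
    local manifest="$review_dir/manifest.tsv"
    mkdir -p "$review_dir"

    local stamp base dest n
    stamp=$(date -u +%Y%m%dT%H%M%SZ)

    # The item may have been removed between the event and this call.
    if [ ! -e "$src" ]; then
        printf '%s\tMISSING\t%s\n' "$stamp" "$src" >> "$manifest"
        return 1
    fi

    # Collision-safe destination: timestamp prefix plus a numeric suffix
    # when the same name is captured again within the same second.
    base=$(basename "$src")
    dest="$review_dir/${stamp}_${base}"
    n=0
    while [ -e "$dest" ]; do
        n=$((n + 1))
        dest="$review_dir/${stamp}_${base}.$n"
    done

    # -a keeps timestamps, mode and (when run as root) ownership.
    cp -a "$src" "$dest" || return 1

    if [ -d "$dest" ]; then
        printf '%s\tDIR\t%s\t%s\n' "$stamp" "$src" "$dest" >> "$manifest"
    else
        local sum owner mode
        sum=$(sha256sum "$dest" | cut -d' ' -f1)
        owner=$(stat -c '%U:%G' "$dest")
        mode=$(stat -c '%a' "$dest")
        printf '%s\tFILE\t%s\t%s\t%s\t%s\t%s\n' \
            "$stamp" "$src" "$dest" "$sum" "$owner" "$mode" >> "$manifest"
    fi

    # Print the path of the copy so a caller can act on it.
    echo "$dest"
}
```

Call it from the inotifywait loop in place of the cp lines, e.g. snapshot_item "$SOURCE_PATH" "$COPY_DIR"; the manifest then gives you hashes to compare with what Defender reports.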


Microsoft Defender Configuration

If possible, configure Microsoft Defender to quarantine the files instead of deleting them immediately. This will give you the chance to review them.

One configuration (specific steps may vary based on Defender version and setup):

  1. Open Microsoft Defender settings;
  2. Go to the "Threat history" or "Quarantine" section; and
  3. Adjust settings to move detected files to quarantine instead of immediate deletion.

Using these methods, you can review the content of files being generated in the /tmp directory before they are removed by Microsoft Defender.


How to stop the script

If you want to stop the script monitor_tmp.sh after running it, you can interrupt it using a signal.


Stopping the Script with Ctrl+C

If you are running the script in a terminal session, you can usually stop it by pressing Ctrl+C. This sends the SIGINT (interrupt) signal to the script, causing it to terminate.


Stopping the Script with kill

If the script is running in the background or you are unable to stop it with Ctrl+C, you can find its process ID (PID) and kill it using the kill command.

Find the PID

You can find the PID of the script by using the ps command combined with grep.

ps aux | grep monitor_tmp.sh

This will output a list of processes whose command line includes monitor_tmp.sh (the grep command itself usually appears in that list too; ignore that line). Look for the line that represents your script and note the PID, which is the second column in the output.

Kill the process

Once you have the PID, you can stop the script by using the kill command followed by the PID.

kill <PID>

Replace <PID> with the actual process ID of your script. For example, if the PID value is 12345:

kill 12345

Stopping the Script with pkill

If you want to kill the script by name, you can use the pkill command.

pkill -f monitor_tmp.sh

This command sends the SIGTERM (terminate) signal to all processes whose command line contains monitor_tmp.sh.


Using a Specific Signal

If the script does not terminate with SIGTERM, you can use a stronger signal such as SIGKILL.

kill -9 <PID>

Or with pkill:

pkill -9 -f monitor_tmp.sh

This forcefully stops the script by sending the SIGKILL signal.


Summary

Interactive terminal session: Press Ctrl+C.

Find and kill process: Use ps aux | grep monitor_tmp.sh to find the PID, then kill <PID>.

Kill by name: Use pkill -f monitor_tmp.sh.

Force kill: Use kill -9 <PID> or pkill -9 -f monitor_tmp.sh.

These methods will allow you to stop the monitor_tmp.sh script when necessary.
