no o:JdZddlZddlZddlZddlZddlZddlZddlZddl Z ddl m Z ddl m Z ddlmZddlmZmZmZmZmZmZmZmZddlmZmZmZddlmZdd lm Z dd l!m"Z"m#Z#m$Z$m%Z%dd l&m'Z'dd l(m)Z)dd l*m+Z+ddl,m-Z-m.Z.m/Z/m0Z0m1Z1m2Z2ej3e4Z5d$dZ6Gdde2Z7Gdde1Z8Gdde2Z9de:de:fdZ;dee:eZ?Gddee:e?fZ@Gdd ZAGd!d"e##ZBdS)%u  This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program.  If not, see . Copyright © 2019 Cloud Linux Software Inc. This software is also available under ImunifyAV commercial license, see N) defaultdict)suppress)islice)CallableDict GeneratorListOptionalSetTupleUnion)MalwareMalwareSignaturesMyImunifyConfig) MessageType)&ms_clean_requires_myimunify_protection)RecurringCheckStop Singletonbase64_encode_filenamerecurring_check) MalwareTune) curator_path) MalwareHit) DeletionType ErrorTypeRescanResultTypeRevisiumCSVFileRevisiumJsonFileRevisiumTempFilecZtjrt||St||SN)rUSE_JSON_REPORTrrtempdirmodes T/opt/imunify360/venv/lib/python3.11/site-packages/imav/malwarelib/cleanup/cleaner.pycleaner_result_instancer'As-"/... 7D ) ))ceZdZdS)MalwareCleanerLogN)__name__ __module__ __qualname__r(r&r*r*GsDr(r*c>eZdZdZdZeddZdS)MalwareCleanerProgressz+ Get progress from external source rcK |}n-#t$rttj$rYdSwxYw|d}||jz |c}|_||dS)Ncurrent)readFileNotFoundErrorrjsonJSONDecodeError _progress)selfcallbackdataprogress increments r&watchzMalwareCleanerProgress.watchRs 99;;DD  ' ' '$&& &#    FF  ?$,t~$=x! 4>s&AAN)r+r,r-__doc__r8rr>r.r(r&r0r0KsII_Q     r(r0ceZdZdZdS)MalwareCleanupFileListc|jd5}|d|DddddS#1swxYwYdS)Nwbc3:K|]}t|dzVdS) N)r).0fs r& z/MalwareCleanupFileList.write..es0MMq/22U:MMMMMMr()_pathopen writelines)r9filelistws r&writezMalwareCleanupFileList.writecs Z__T " " Na LLMMHMMM M M M N N N N N N N N N N N N N N N N N Ns AA A N)r+r,r-rNr.r(r&rArAbs(NNNNNr(rApathreturncNtjtj|S)zRound-trip through fsencode/fsdecode to match FilenameField behavior. Ensures CleanupResult keys are consistent with MalwareHit.orig_file which goes through FilenameField's os.fsencode/os.fsdecode cycle. )osfsdecodefsencode)rOs r&_normalize_pathrUhs ;r{4(( ) ))r(valuecD t|S#t$rYdSwxYw)zbConvert str|int to int, in case errors return -2 -1 used as default value when storing CH )int ValueError)rVs r& _parse_intr[qs55zz rrs  cbeZdZdeeeeeffffd ZdZdZ dZ dZ dZ xZ S)CleanupResultEntryr;ctt|ddt|dd|d|dt|ddt|ddt|dd|d d |d d  dS) NdesrGrmbmahbha) r_rarbrGrc mtime_before mtime_after hash_before hash_after)super__init__r[get)r9r; __class__s r&rnzCleanupResultEntry.__init__|s #r**++#r**++3i3i#r**++#DHHT2$6$677"488D"#5#566r**xxb))  r(c |s|rdS|dtjkr#td|ddS|dtjko|dtjkS)NFraz2File has changed, assuming that it was cleaned: %srGTr_) is_failedrequires_myimunify_protectionr NOT_CLEANEDUPloggerwarningNO_ERRORrINJECTION_REMOVEDr9s r& is_cleanedzCleanupResultEntry.is_cleaneds >>   tAACC 5 9 / / / NNDd3i   4 I+ + <S \;; r(c| o+|dtjko|dtjkS)Nrar_)rrrrwrrxrys r& is_removedzCleanupResultEntry.is_removeds?   ;S Y// ;S L:: r(c.|dtjkSNrc)rDETECTEDrys r&rrzCleanupResultEntry.is_failedsCy,555r(c.|dtjkSr~)rREQUIRED_ADVANCED_SIGNATURESrys r&rsz0CleanupResultEntry.requires_myimunify_protectionsCy,IIIr(cX| o|dtjkS)Nra)rrrFILE_NOT_EXISTSrys r& not_existzCleanupResultEntry.not_exists&>>###NS Y5N(NNr()r+r,r-rstrr rYrnrzr|rrrsr __classcell__rps@r&r]r]{s T#uS#X"67      ,       666JJJOOOOOOOr(r]ceZdZdZd fd ZedeeefdefdZ deeefffd Z deeefffd Z xZ S) CleanupResultz5 Cleanup result container for result entries Ncf|r-td|DdSdS)NcTi|]%}t|dt|&S)rG)rUr])rFras r& z*CleanupResult.__init__..s?$AcF++-?-B-Br()rmrn)r9reportrps r&rnzCleanupResult.__init__sW   GG  #       r(hitrPc$t|d|S)N orig_file)getattr)rs r&__keyzCleanupResult.__keyssK---r(clt||Sr!)rm __contains___CleanupResult__keyr9rrps r&rzCleanupResult.__contains__s%ww##DJJsOO444r(clt||Sr!)rm __getitem__rrs r&rzCleanupResult.__getitem__s%ww""4::c??333r(r!) r+r,r-r?rn staticmethodr rrrrrrrs@r&rrs.5j).c...\.5c:o 65555554uS*_54444444444r(rc 6eZdZejZddZdddddZdZdZdZ d Z d Z e d e d eed edeedeef dZed ededeefdZdefdZ ddeeeeeeffdZe dededefdZdS)MalwareCleanerNTc|r|ntj|_t|_||_||_dSr!)asyncioget_event_loop_loopMalwareCleanupProxy_proxy_sink_watch_progress)r9loopsinkwatch_progresss r&rnzMalwareCleaner.__init__s=!?TTw'='?'? )++  -r() blacklistuse_csv standard_onlyc dt} d| ddddd|zdd|zd g } |r| d |z| d |zd |zgtjr| d |r| d|zgn| d|zg| r| dgt j|jr/| d| |j|r| d| S)Nz/opt/ai-bolit/wrapperz --deobfuscatez --nobackupz--forcibly_cleanupz--rescanz --list=%sz--input-fn-b64-encodedz --username=%sz--report-hashesz--black-list=%sz--log=%sz --progress=%sz--disable-cloudavz--csv_result=%sz --result=%sz--standard-onlyz--avdbz--soft) rappendextendrCLEANUP_DISABLE_CLOUDAVrRrOexistsPROCU_DB) r9filename progress_path result_pathlog_pathsoftusernamerrrcleaner_binarycmds r&_cmdzMalwareCleaner._cmdsd& #     ( " $ h &     6 JJ(94 5 5 5 X%-/     * , JJ* + + +  6 JJ)K78 9 9 9 9 JJ 34 5 5 5  , JJ)* + + + 7>>$- ( ( & JJx JJt} % % %  ! JJx  r(zCleanup failed.r1excr returncodestdoutstderrc t|jj||||dnd||dndS)Nreplaceerrorsrg) exception return_codecommandouterr)dictrpr+decode)rrrrrs r&_get_cleaner_error_infoz&MalwareCleaner._get_cleaner_error_infos_m,"393E Y ///2393E Y ///2     r(rPcH|dkrdS|j}|r|dnd}||jkr||jz } tj|j}|tjkr|d|dS|tjkr|d|d S|tjkr|d |dS|d |S#t$rYnwxYwd |vr d |vr|dSd|vr|d|dSd|vr|d|dSd|vr|d|dS||j kr|dS||j kr|dS||j kr d|vr|dS|d|S)zCategorize procu process failures into explicit error types. Returns a human-readable error string if the process failed, or None on success (exit code 0). rNrrrgz Segmentation fault (signal )z Process killed (signal z , likely OOM)z Process terminated (signal z Process killed by signal zAllowed memory size ofzbytes exhaustedz Out of memoryz Fatal errorz PHP fatal error (exit code z Parse errorz PHP parse error (exit code z$error while loading shared librariesz! Shared library error (exit code z General error (exit code 1)z# Input file not found (exit code 2)zInvalid usernamez! Invalid username (exit code 255)z Process exited with code ) CLEANUP_ERROR_PREFIXr_SIGNAL_EXIT_CODE_OFFSET signal_moduleSignalsnameSIGSEGVSIGKILLSIGTERMrZ_EXIT_ERROR_GENERAL_EXIT_ERROR_INPUT_NOT_FOUND_EXIT_ERROR_INVALID_USERNAME)clsrrprefix stderr_textsig_numsig_names r&_categorize_process_errorz(MalwareCleaner._categorize_process_error!s$ ??4)9?Gfmm9m555R 4 4 4 3#??G G(099>m333$MM(MMMMm333!<<$,<<<m333$MM(MMMM FFHFFF     % 3 3![00,,, , K ' 'GG*GGG G K ' 'GG*GGG G 1[ @ @LLzLLL L 0 0 0::: : 8 8 8AAA A #: : :"k11??? ?@@J@@@sB(( B54B5infocBK|jr tji|dtt ji}|j|d{VdS#t j$rt$rt dYdSwxYwdS)N timestampz-Exception while sending CleanupFailed message) rr CleanupFailedrYtimeprocess_messagerCancelledError Exceptionrur)r9rmsgs r&_send_cleanup_failed_messagez+MalwareCleaner._send_cleanup_failed_message\s :  !/?t? S-=-=>?j0055555555555)        C   sAA%%3BBc Ktj}t|}t|t}|||}t |d5} t |d5} t|5} |5} t|5} | ||r| ||j r7|j | |jj|r8|| j| j| j| j||| j|| }n1|| j| j| j| j||||}t$dd|d\}}d} t+jj|t,jt,jd d{V}|d{V\}}| }n#t*j$rD|r@t9t:5|dddn #1swxYwYt>$r&}| |||r|j!nd || }t$"d |#d d |#dd|#di|d|i|$i|tKtM|d{VtOtQ||fcYd}~cdddcdddcdddcdddcdddSd}~wwxYw|)|j!|}|r|| tU|||j!|| }t$"d||j!||$i|tK|d{Vn|s|j+d}| tU|||j!|| }t$"d|j!tY||$i|tK|d{VnVtY|tY|kr6t$-dtY|tY|tO|||fcdddcdddcdddcdddcdddS#1swxYwYdddn #1swxYwYdddn #1swxYwYdddn #1swxYwYddddS#1swxYwYdS)N)r$ir#)rrrr)rrrz Executing %s )r(r()rr~zCleanup failed exit_code=rz: %srrr)extra)messagez4Cleanup process failed: %s (exit_code=%d, stderr=%s)z Report is emptyzNCleanup report is empty despite successful exit (exit_code=%d, input_files=%d)z5Partial cleanup report: %d entries for %d input files).tempfile gettempdirr' isinstanceris_standard_onlyrAr0r*rNrr create_taskr>r progress_cbrrrudebugjoinr subprocesscreate_subprocess_execPIPE communicater4rrProcessLookupError terminaterrrerrorrorrrrreprr RuntimeErrorrlenrv)r9userrLrrrr$ result_filerflistblkr<resultlogrrrprocrrrrs r&startzMalwareCleaner.startjs %''-g>>> [/::--dMBB #%   u 5 *%   u 5(   u 5 { u 5 '-.?/ / / u 5 KK ! ! ! % )$$$# P &&x~~dk6M'N'NOOO iiN%OL!!l#"/  iiN%OL!#"/   LL# 7 7 7HCD 7$/F%?%? "&!1!1!3!3333333S)   )!"455))((())))))))))))))) 7 7 733'+4DOO 4 M0G0GMMMxx::%::4T4;44 776t6tCHH5556%S 3666666Qu 5u 5u 5u 5u 5u 5u 5u 5u 5u 5u 5u 5u 5u 5u 5u 5u 5u 5u 5u 5u 5u 5u 5u 5u 5u 5u 5u 5u 5u 5u 5u 5u 5u 5u 5u 5n 7&224?CHHE( 33 ''O 4 JO  773t3tE2223 4FFF33 ''O 4 6OMM  773t3tE2223Vs8}},,KKKMM !((%4ku 5u 5u 5u 5u 5u 5u 5u 5u 5u 5u 5u 5u 5u 5u 5u 5u 5u 5u 5u 5u 5u 5u 5u 5u 5u 5u 5u 5u 5u 5u 5u 5u 5u 5u 5u 5u 5u 5u 5u 5u 5u 5u 5u 5u 5u 5u 5u 5u 5u 5u 5u 5u 5u 5u 5u 5u 5u 5u 5u 5u 5u 5u 5u 5u 5u 5u 5u 5u 5u 5u 5u 5u 5u 5u 5u 5u 5u 5u 5u 5u 5u 5u 5u 5u 5u 5u 5u 5u 5u 5u 5u 5u 5u 5u 5u 5u 5u 5u 5u 5u 5u 5u 5u 5u 5u 5u 5s$"V<4V$V U6 D U %A"H U %N .I N IN IN %CN N U U6  V ! V$- V<N FU " U6 . V : V$ V<U##U6 &U#'U6 * V 6U: :V =U: >V  V$ V V$V V$ V<$V( (V<+V( ,V<<WWrrcdS)z@Check if only standard signatures should be applied for the userF)rENABLEDr)rrs r&rzMalwareCleaner.is_standard_onlys ur()NNT)TNN)r+r,r-rrrnrrrrrrrrr rrYr bytesr classmethodrrrr rrboolrr.r(r&rrs )H....33333j-"##& "    #Y          \  8A8A8A # 8A8A8A[8At t    $ B5B5 }hsmT#Y6 7B5B5B5B5H s 4 D   \   r(rcheZdZdZ dZdZdeeeee ee fddffdZ d dZ d Z d ZdS) ri'cTdx|_|_tt|_dSNr)r3totalrsethitsrys r&rnzMalwareCleanupProxy.__init__s#$%% tz$$ r(cP|j|||||f|dSr!)rupdate)r9cause initiator post_actionscan_idrrs r&addzMalwareCleanupProxy.add s+ I{G] C &,,,,,r(rPNc#K|jr|j\}}t|}tt ||j}t |d}|@|j|||j|||xj t|z c_ g||RV|jdSdSr!) rpopitemiterrr _CHUNK_SIZEnextrrrr)r9 scan_inforall_hits remaining_hits r&flushzMalwareCleanupProxy.flushsi #"i//11OItDzzHvh(899::D 400M( )$((777 )$++H555 JJ#d)) #JJ"9"d"" " " "i # # # # #r(rc&|xj|z c_dSr!)r3)r9r=s r&rzMalwareCleanupProxy.progress_cbs ! r(c"dx|_|_dSr)r3rrys r&resetzMalwareCleanupProxy.reset"s$%% tzzzr(c t|j|jt|jzz dzS#t $rYdSwxYw)Nd)rYr3rrrZeroDivisionErrorrys r& get_progressz MalwareCleanupProxy.get_progress%sR t|tzC NN'BCcIJJ J    44 s36 AA)r)r+r,r-rrnrrr rrr r"rr%r)r.r(r&rrsK%%% # 5c8S#56dB C####"""""&&&r(r) metaclass)NN)Cr?rr6loggingrRsignalrrrr collectionsr contextlibr itertoolsrtypingrrrr r r r r defence360agent.contracts.configrrr"defence360agent.contracts.messagesr%defence360agent.contracts.permissionsrdefence360agent.utilsrrrrimav.contracts.configrimav.malwarelib.enginerimav.malwarelib.modelrimav.malwarelib.utils.revisiumrrrrrr getLoggerr+rur'r*r0rArrUrYr[rr]rrrr.r(r&r:s*   ######OOOOOOOOOOOOOOOOOOOO ;::::: .-----//////,,,,,,  8 $ $****      (   -.NNNNN-NNN *#*#****eCHo#4O4O4O4O4O4O4O4On44444D0014442qqqqqqqqh *****I******r(