$vރLe$dZddlZddlZddlZddlZddlZddlZddlZddlm Z ddl Z ddl m Z ddl mZddlmZddlmZmZddlZddlmZdd lmZdd lmZmZmZdd lmZdd lm Z dd l!m"Z"m#Z#ddl$m%Z&ddl'm(Z(m)Z)m*Z*ddl+m,Z,ddl-m.Z.m/Z/ddl0m1Z1ddl2m3Z3m4Z4m5Z5m6Z6m7Z7m8Z8m9Z9m:Z:ddl;mZ>ddl;m*Z?ddl@mAZAddlBmCZCddlDmEZEmFZFmGZGddl;mHZHeeIZJGddejKZLGddeeZMGddeMZNdS) u  This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program.  If not, see . Copyright © 2019 Cloud Linux Software Inc. This software is also available under ImunifyAV commercial license, see N) defaultdict)Enum) getLogger)Path)AnyUnion) inactivity) MessageType) MessageSink MessageSourceexpect)run_in_executor) HostingPanel)Scope nice_iterator)Malware)MalwareDatabaseCleanupMalwareDatabaseScan MalwareScan) ProcessOrder)open_aibolit_actions_logopen_mds_actions_log) HookEvent)CLEANUPCLEANUP_ON_SCHEDULENOTIFY MalwareEventMalwareEventPostponedMalwareHitStatusMalwareScanResourceTypeMalwareScanType) MalwareHitMalwareHitAlternateVulnerabilityHit)r)MalwareScanMessageInfo)MalwareDatabaseHitInfo)HackerTrapHitsSaver MalwareActionMalwareActionIm360)MalwareIgnorePathc(eZdZdedeffd ZxZS)MalwareScanJSONEncoderoreturnct|tr|jSt|trt |St j|rt j|St |SN) isinstancervaluesetlist dataclasses is_dataclassasdictsuperdefault)selfr- __class__s R/opt/imunify360/venv/lib/python3.11/site-packages/imav/malwarelib/plugins/store.pyr9zMalwareScanJSONEncoder.default]ss a   7N a   77N  #A & & )%a(( (wwq!!!)__name__ __module__ __qualname__rr9 __classcell__r;s@r<r,r,\sK""""""""""""r=r,cZeZdZejZejZe Z d\Z Z dZ dZdefdZeejddZeejd Zed Ze dd eeefd ed zfdZdedd fdZededd fdZedZdefdZ d S)StoreMalwareHits)NNc&K||_||_dSr0)_loop_sink)r:loopsinks r< create_sourcezStoreMalwareHits.create_sourcems  r=c KdSr0)r:rHs r< create_sinkzStoreMalwareHits.create_sinkqs  r=summarycK|drdnd}d}d|di}|D]}||vr ||||<|d}t|tr |r|dnd}tj|d |d ||d |d|d d|d|||d pi }|jr"|j|d{VdSdS)zFEmit MalwareScanningFinished using summary dict, including perf stats.errorfailedok) scan_time scan_time_hsscan_time_preg smart_time_hssmart_time_preg finder_timecas_timedeobfuscate_timemem_peak total_filespathrscanidtypestartedtotal_malicious scan_args) scan_id scan_typer]rar\rbrPstatusstats scan_paramsN)getr1r4rMalwareScanningFinishedrGprocess_message)r:rNrf stats_keysrgkey event_pathfinished_events r<_call_scan_finished_hookz)StoreMalwareHits._call_scan_finished_hooktsq$[[11;t   M : :; * *Cg~~$S\c [[(( j$ ' ' =*4<A"J":KK))kk&))KK ** M22#KK(91==++g&& K006B     : =*,,^<< < < < < < < < < < = =r=F) async_lockcK|ddsdStjd5||d{VddddS#1swxYwYdS)a1MalwareScan is saved to DB when: 1. Detached scan started - message has no results 2. Any scan finished - message has summary and results Message without summary means that detached scan is finished and summary will arrive along with results in another message. rNr]N store_scan)rir tracktask _store_scan)r:messages r< process_hitszStoreMalwareHits.process_hitssy!%%f--  F   " "< 0 0 , ,""7++ + + + + + + + , , , , , , , , , , , , , , , , , ,sA((A,/A,crK|ddS|di}|d}|std|dSt|5}t jt ||ddtddddS#1swxYwYdS)NresultsrNr_z1MalwareScan message received without a scanid: %sFindent sort_keyscls)riloggerrPrjsondumpdictr,)r:rwrNrdlogfs r< store_logzStoreMalwareHits.store_logs ;;y ! ! ) F++i,,++h''  LLCW    F %g . . $ IW *                       s3,B,,B03B0ctj|||d|d|d|d||ddd|ddd||ddd  S) Nownerusersizehashhitsrmatches timestamp suspicious) r_ resource_typerrrr orig_filer`rrf malicious)r"create)r_filenamerfrdatas r< _store_hitzStoreMalwareHits._store_hitsw 'w-ffffa+6l1ok2v,q/,77    r=Npath_objrec #Ktjg}t|tr|gn|}|tjkrt |Ed{VdS|D]}tj|D]v}tj |}tj |rtjtj|ktj|ztjt(jjkzr|Vt1j|dz}dtjtj|tj|ztjt(jjkzDEd{VxdS)z Return files that may already not be infected, yet we still consider them such. For example, an infected file might have been removed manually. Nz(/.*|\b)c3$K|] }|jV dSr0r).0is r< z8StoreMalwareHits.get_outdated_entries..s8         r=)rFOUNDr1strr!REALTIMEiterglobiglobosr]realpathisfiler"selectwhererrfin_rr FILEr2firstreescaperegexp)rrepossibly_infected_statusespaths target_pathr] scanned_dirs r<get_outdated_entriesz%StoreMalwareHits.get_outdated_entriess'7&<%="(377E X 0 0 0E{{ " " " " " " " F ! ! K ;//  w''--GNN4((")++U#-5%,001KLLN'46;ABUWWJJJJ"$)D//K"?K  !+!2!4!4!:!:'188EE * 1 5 5$>!"!"!+ 8#:#?#E!F  " "   % ! ! r=rwr.cK|d}|dsdSt|}|jrtjtj|ddksGtjdi|tj j |j d}d|_ | dStd|dddS||d{VdS) zLProcess scan message results. message: MalwareScan message rNraNr_)r initiatorrzScan %s already in databaserL)r% is_summaryMalwareScanModelrrr_existsrr rr2rrbsaverwarning_store_scan_from_results)r:rwrN message_typescans r<rvzStoreMalwareHits._store_scans- )$y!  F-g66  " 9 '))'.')2DX2NNOO  (."9">"D%/ ()$ 1793Eh3O//88 8 8 8 8 8 8 8 8 8r=c |dd}|dd}|d=|=|=||d|d}tj|dSdSdSdS)N file_patternsexclude_patternsrPr]r`)re)poprirr" delete_hits)rrNrroutdated_entriess r<_delete_outdated_entriesz)StoreMalwareHits._delete_outdated_entries!s OT:: ";;'94@@ KK (% ("7776? 8     "#3 4 4 4 4 4 ) (%%((r=c KdSr0rL)hit_datadefault_action_resultss r<_process_default_action_resultsz0StoreMalwareHits._process_default_action_results/s  r=c * K|d}|d}tj|i|dtjji\}|s |d_|d*|d||d|dD}d tj t| D}tt}d }d tfd } tt|23d{V} | |vr\| || || dd dr2|| d|d| dh6tt|23d{V} t#j| d{Vr2|| d|d| dU#t&$r&} t(d| | Yd} ~ d} ~ wwxYw6fd|D} |j| |d|d|jd{V} i}| D]\}}}}|||f||j<|D]J\} }|dd drt4j}d}| |vr|| \}}}t9|t:r4|jt>kr$|dt@j!krtDntF}||d<||d<|dz }t9|tHr|j%rtM|j'tQj)|j*j+| |tjj|d{V}t9|t:r<|j,|j-|j.|j/|jff}||0|L|_1|d_2tgtij4_5|dx}r|_67 j1|d<|8|d{Vn*#t&$rt(dYnwxYw|jr|D]w\\}\}}}}}|t>kr1|dt@j!krt(9dI|j:||||||d{Vx|;|d | Dd{VdS)!NrNr_r)r_defaults completedrzr]cfi|].\}}tj|ddd+||/S)rrr)r$match)rfilers r< z=StoreMalwareHits._store_scan_from_results..JsL   d#)$v,q/)*DEE $   r=ci|] }|j| SrLrrhits r<rz=StoreMalwareHits._store_scan_from_results..Os,    M3   r=)filesrrc|jtjkp)|jtjtjfvo |j|kSr0)rfrCLEANUP_STARTED CLEANUP_DONECLEANUP_REMOVED cleaned_at)rdetected_timestamps r<_hit_status_race_detectedzLStoreMalwareHits._store_scan_from_results.._hit_status_race_detectedVsG .>>8:$1$48 N%77 r=rrz0Ignore check failed for file %s: %s; keeping hitctg|]4\}}|dddtjj||5S)rrr)r#rr_)rrrrs r< z=StoreMalwareHits._store_scan_from_results..ysQ   d<?<0  &t{D$ ? ?   r=rr`)rrcauserIrdefault_action try_restorer\rPrbrN@Failed to emit MalwareScanningFinished after store (DB, no hits)zCSkipping auto-cleanup because it's allowed for scheduled scans onlyrrdrr post_actionc(i|]\}}}}|j|SrLr)rrevent_s r<rz=StoreMalwareHits._store_scan_from_results..s% I I I&6c5!QS]E I I Ir=)> 3 3 3 3 3 3 3$t|| 9 9T GDM&1!4[A!!| D$''' "&&tT222 ?(gllnn(=(=>>       $ *:4@@@@@@@@7KKd+++I&**4666     F  ?    %mmoo    $2GGkk+..&/ H         4B J J 0HeV[.3V[-IJx) * *!--//7 07 0JD$F|A|, %+FFz!! t$ " v'<==  )<<< #6?o.HHH ## *8%&&1]#1$fl33!0! ' !OK+06         C&"788 0N (* s#**3///.&}5TY[[))KK(( (5 DJ  )-)=G% &///@@ @ @ @ @ @ @ @ @             :  %%''  BA5)[&111?+EEEKK/ *44!%$+"'&/(3 22  I I. I I I           s7"F 9IA H H>H99H> &R00$SSr0)!r>r?r@r STORE_SCANPROCESSING_ORDERrAVSCOPEr(rrFrGrJrMrrpr r rrxr staticmethodrrrr4rrv classmethodrrrrLr=r<rDrDgs#. HE"NLE5   %=%=%=%=%=N VK #666 , ,76 , VK #$$%$*   \  !%11T "1:111\1f999999> 5t 5 5 5 5[ 5  \ z kz z z z z z r=rDceZdZejZeZfdZe dZ e e j de ddfdZe dZe e jdefdZxZS) StoreMalwareHitsIm360cKt|d{Vtjd{VdSr0)r8rMr'init)r:rHr;s r<rMz!StoreMalwareHitsIm360.create_sinksXgg!!$'''''''''!&(((((((((((r=cRKg}g}tjdu}tj|D]\}}||}t |ts0|jr| |tfd|dDsn|r"tfd|dDr| |tj d|Dd{Vtj d|Dgd{VdS)z,Do additional processing for malicious filesFc3:K|]}|dVdSrNrLrhis_sas r<rzHStoreMalwareHitsIm360._process_default_action_results..s1AAquuQy\**AAAAAAr=rc3nK|]/}|dtj|dV0dSr)r'is_admin_tool_typers r<rzHStoreMalwareHitsIm360._process_default_action_results..sZ((59&&(#6q|DD((((((r=cPg|]#}ttj|$SrLrrfsdecoderps r<rzIStoreMalwareHitsIm360._process_default_action_results..s( < < .s( ? ? ?aT"+a.. ! ! ? ? ?r=) MalwareConfigDETECT_ADMIN_TOOLSr'is_standalone_matchrrir1rrranyalladd_hitsupdate_sa_hits) rrhacker_trap_hitshacker_trap_sa_hitsskip_admin_toolsr]rrrs @r<rz5StoreMalwareHitsIm360._process_default_action_resultss  );uD#7"..** - -JD$+//55Ffl33 ( . ''---AAAADLAAAAA  C((((f(((%%    & &t , , , ,!* < <+; < < <         "0 ? ?+> ? ? ?           r=rwr.Nc V K|jr|jdS tj|j|j|j|j|j|j|j|j tj j |j  }nW#tj$rDtj|j}|jrV|jsO|jr|jrA|jr:|j|jks*|j|jks|jtj j kr5t$d|j|j|j|jYdS|j|_|j|_|j|_|j|_|j |_ tj j |_|j |_ |t$d|jdYnwxYw|d}|rRt-|5}t/jt3||ddt4 dddn #1swxYwY|js<|js|jd }t;jtj d |d zft:j!|kzt:jtj j kzt:j"tFj$kz% |j|j|j|j|j|j|j pd |jid }|&|d{Vn*#tN$rt$(dYnwxYwdStStU+d{VfdtYj-D}|.|j|j/0|j|d|d|j1tj j d{V}i} |D]\} } } } | | f| | j<tetf}tij5|j}|D]@}d}|j| vr-| |j\}}tm|tnr|j8r;t;jd(id|d||j9|j9d||j:|j:d|jd|j;dddddddddtFj$ddd tj j d!|j<d"|j=d#|j>d$|j?d%|j@}tm|tr6|jB|jC|j |jDff}||E|B|j1r |j|j|j|j|j|j|j pd |jid }|&|d{Vn*#tN$rt$(d&YnwxYw|FD]A\\}\}}}}|j1G|||j|||'d{V@dSdS))N) r_rarr`r]rPrrbrr)r_zBThe scan %s has already been saved: type=%s, path=%s, completed=%sz Updated scan z with new data from messagerdr{Fr|/zCAST(orig_file AS TEXT) LIKE ?z/%r) r_r`r]rarr\rbrPrcrrc<i|]}|jv |j|jSrL)pw_namepw_uid)rpw panel_userss r<rz7StoreMalwareHitsIm360.store_db_scan..s6   z[(( Irz(((r=rr`)rrrrIrr_rrrrTrr timestamerfrrapp_namedb_hostdb_portdb_namesnippetz=Failed to emit MalwareScanningFinished after store (DB, hits)rrL)Hrar`rrrdrr]rPrrbr DBr2rpeeweeIntegrityErrorrirrr_rrrrrrr,rrstripr"deleterSQLrrfrrexecuterprrr3r get_userspwdgetpwall_delete_outdated_db_entriesrrrGrr4r&get_hits_per_dbr1rrrr signaturer.r/r0r1r2rrwrrrrrk)r:rwrrdr scan_pathrN uid_to_namerrrrrrrunique_hits_inforrrnew_hitrmrrrrrr,s @r< store_db_scanz#StoreMalwareHitsIm360.store_db_scan sd ',"6 F- #*!+\\m ' 7 ' 758>!+   DD$   #'w???D% = N ,0: ~   <49,,<49,,%)@)C)III $K&IN #?DL$.DN DJ#*#:D #*#:D !8!;!AD $.DN IIKKK KKH HHH     = D++i((  %g.. $ MM#.                |# = #L//44 !##)) <&-/&/9< >#025;< "(,<,BB D  '))) %o#L#L&!(!2#*#:'.'>'C!$]!#  33G3DDDDDDDDDD        F  8 8 : :::::::;;     lnn   ((666 $2GGkk+..++f%%14: H         %3 3 3 !C$)6?Jsx $T**1A',OO(& 4& 4HF} **x}-" fl33!0! ","3###t#!oohnhnEEE#!__X]HMBBB##-- # '' # $ #T#T#$#(--# 4#68>>#"**#!((#!((# !((!#"!((##G&&"788 4N\6#3V5GHs#**7333 :!  %o#L#L&!(!2#*#:'.'>'C!$]!#  33G3DDDDDDDDDD       %%''  :95)[j00G! '#"+$/ 3! ! *  sRAA11B9G-BGG.,H&&H*-H*6AM $M0/M0AX))$YYcFd|D}tj|dS)Ncg|] }|j SrL)r]rs r<rzEStoreMalwareHitsIm360._delete_outdated_db_entries..s///3ch///r=)r"r)r orig_filess r<r=z1StoreMalwareHitsIm360._delete_outdated_db_entriess,//$/// z*****r=cK|d}|std|dSt|5}t jt ||ddtddddS#1swxYwYdS)Nrdz=MalwareDatabaseCleanup message received without a scan_id: %sr{Fr|)rirrPrrrrr,)r:rwrdrs r<store_db_cleanup_logz*StoreMalwareHitsIm360.store_db_cleanup_logs++i((  LL    F !' * * d IW *                       s,A??BB)r>r?r@rIM360rr)rrMrrr r rrDr=rrIrArBs@r<r r s KE'N)))))# # \# J VK +,,G+>G4GGG-,GR++\+ VK .//2H0/r=r )O__doc__rrrrr;rr collectionsrr5enumrloggingrpathlibrtypingrrr4defence360agent.apir "defence360agent.contracts.messagesr !defence360agent.contracts.pluginsr r r $defence360agent.model.simplificationr+defence360agent.subsys.panels.hosting_panelrdefence360agent.utilsrrimav.contracts.configrrimav.contracts.messagesrrrimav.contracts.pluginsrimav.internals.loggerrr%defence360agent.contracts.hook_eventsrimav.malwarelib.configrrrrrrr r!imav.malwarelib.modelr"r#r$r%imav.malwarelib.plugins.detached_scanr%imav.malwarelib.scan.mds.reportr&imav.malwarelib.subsys.malwarer'r(r)r*r>r JSONEncoderr,rDr rLr=r<rbs* ###### ******:::::: A@@@@@DDDDDD66666666:::::: 0/////<;;;;;                     CBBBBB 433333 8  """""T-"""H H H H H {MH H H V OOOOO,OOOOOr=