n(m.tUdZddlZddlZddlZddlZddlZddlZddlZddlm Z ddl m Z ddl m Z ddlmZddlmZmZmZmZmZmZmZmZmZmZmZddlmZdd lmZm Z m!Z!m"Z"m#Z#m$Z$m%Z%dd l&m'Z'm(Z(m)Z)dd l*m+Z+dd l,m-Z-dd l.m/Z/ddl0m1Z1ddl2m3Z3m4Z4ddl5m6Z6m7Z7m8Z8m9Z9m:Z:m;Z;mZ>m?Z?m@Z@ddlAmBZBmCZCddlDmEZFddlGmHZHmIZImJZJmKZKmLZLmMZMmNZNmOZOmPZPmQZQmRZRmSZSmTZTmUZUmVZVmWZWmXZXmYZYmZZZm[Z[m\Z\m]Z]m^Z^m_Z_m`Z`maZambZbddlcmdZdmeZemfZfmgZgmhZhddlimjZjddlkmlZlddlmmnZnmoZoddlpmqZqerddlrmsZse etZudZveewexejyfZyedZzedefejZ{de|fdZ}dZ~d Zd!Zd"ewdeewewdzffd#ZGd$d%Zd&Zd'Zeewd(fed)<Gd*d+ZGd,d-eZdS).u  This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program.  If not, see . Copyright © 2019 Cloud Linux Software Inc. This software is also available under ImunifyAV commercial license, see N) defaultdict) ConfigParser) getLogger)Path) TYPE_CHECKINGCallable CollectionDictIterableListOptionalTupleTypeVarUnioncast)IntegrityError)Core HackerTrapMyImunifyConfigUserType"choose_use_backups_start_from_datechoose_value_from_config should_try_autorestore_malicious)MS_CONFIG_DEFAULT_ACTION_EDIThas_permissionmyimunify_protection_enabled)g)run_in_executor) web_server) hosting_panel)ModsecVendorsErrorPanelException) COPY_TO_MODSEC_MAXTRIES CheckRunErrorLazyLockatomic_rewritebase64_decode_filenamebase64_encode_filename check_run is_cloudwayslog_failed_to_copy_to_modsecretry_on safe_sequence)MalwareCleanupRevertMalwareCleanupTask)Malware)ADDED_TO_IGNORECLEANUP CLEANUP_DONECLEANUP_ON_SCHEDULECLEANUP_REMOVEDDELETED_FROM_IGNOREFAILED_TO_CLEANUPFAILED_TO_DELETE_FROM_IGNOREFAILED_TO_IGNOREFAILED_TO_RESTORE_FROM_BACKUPFAILED_TO_RESTORE_ORIGINALFAILED_TO_STORE_ORIGINALFAILED_TO_SUBMITFOUND NOT_EXISTNOTIFYPENDINGREQUIRES_MYIMUNIFY_PROTECTIONRESTORED_FROM_BACKUPRESTORED_ORIGINALSUBMITTED_FOR_ANALYSISUNABLE_TO_CLEANUP MalwareEventMalwareEventPostponedMalwareHitStatusMalwareScanResourceTypeMalwareScanType)MalwareHistory MalwareHitMalwareHitAlternateMalwareIgnorePath MalwareScan)MalwareDatabaseHitInfo) restore_files) hash_pathsubmit) detected_hook) RestoreReportcKtdrddg}ngd} t|d{VdS#t$rtdYdSwxYw)Nz/usr/bin/imunify360-wsctlzimunify360-wsctlreload) systemctlrXzimunify360-wafdz"Failed to reload 'imunify360-wafd')ris_filer)r$loggerwarning)argss S/opt/imunify360/venv/lib/python3.11/site-packages/imav/malwarelib/subsys/malware.py reload_wafdr_s '((0022:"H-999=oo ===;<<<<<<=sA$A-,A-T HitInfoTypereturnc t}|d|ddddk}|o tS#t$rYnwxYwdS)Nz*/etc/sysconfig/imunify360/integration.confr server_type)fallbacknginxF)rreadgetr* Exception)cfgis_nginxs r^_is_force_use_corazarmss nn =>>>77<7DDO*LNN*      5sAA AActj dfd }tj dfd }tjr|n|S)z8Decorator responsible for logging malware events into DBNc K|fp tj d |d{Vttj  fdd{VS)N) path file_owner file_user signature_id initiatorapp_name resource_typedb_hostdb_portdb_namescan_idctjdid jddd ddddd d d d d dd d S)Neventrprurvrqrrrtcauserwrxry table_name table_field table_row_infrzrs)rL save_eventtitle)rur}rwryrxrqrrrtrprvresultrzrsrr~rsr^z?update_malware_history..async_wrapper..sN-llT",m  &:  $) $)e   &:(K,m  *\!)rROOTrasyncioget_event_loopclsrprqrrrsrtr}rvrurwrxryr~rrrzkwargsrcoros ``````````````` @r^ async_wrapperz-update_malware_history..async_wrappers+(t  !%08='             " $ $                            * rc|f||||p tj||| | | ||d |}tjdid|jd|d|d|d|d|d|d |d | d | d | d | d| d|d|d||S)N) rprqrrrtrurvrwrxryrzrsr|rprurvrqrrrtr}rwrxryr~rrrzrsr)rrrLrrrs r^wrapperz'update_malware_history..wrappers6(  !08='%     !   ,,  X (-  "z   i   i % G G G "z $  (- G &!  $ r) NNNNNNNNNNN) functoolswrapsriscoroutinefunction)rrrs` r^update_malware_historyrs_T!888888t_T!555555n$7== J==7Jrc< ddttffd }|S) Decorator responsible for logging multiple malware events into DB at once. Decorated function accepts an iterable of `MalwareHit`s. NhitscKtjfd|Dd{V}|s|Stjfdt ||D|S)Nc3TK|]"}|j|j|jV#dS))rprqrrN) orig_fileowneruser).0hitrrs r^ zCmultiple_update_malware_history..wrapper..-s\ "y!h rcg|]^\}}|j|j|j|j|j|jp t jp tj |j |j |j |j d _S)) r|rprvrurqrrr}rtrwrxryrz)rrrvrurrrKMANUALrrrwrxryscanidrrrr}rts r^ zDmultiple_update_malware_history..wrapper..:s~    C$\M%(%6 # "%)!$".wrapper)s           N"     $'tW#5#5      &rNNr rMrrs` r^multiple_update_malware_historyr#sB@D##J'######J Nrc< ddttffd }|S)rNrcK||fi|d{V}|s|Stjfd|D|S)Nc g|]:\}}|j|j|j|jp tjp t jd;S))r|rprqrrr}rt)rrrrrKrrrrs r^rz@bulk_update_malware_history..wrapper..^s_    C$\M"%)!$".wrapperWs!Dd55f55555555   "     $/#4#4#6#6    rrrrs` r^bulk_update_malware_historyrQsA@DJ'* NrusernamecKtjrt|s t|fSt t |d{Vrt dd|St ddS)NMALWARE_SCANNINGdefault_action)rENABLEDrr@rrrrs r^choose_action_for_maliciousros$+H55 $8# # 98 D DDDDDDD '  0(    $$68H I IIrc eZdZdZeeZedZedZ ee dde fdZ ee de fdZ ee de fdZee d Zee d Zee d Zee dd d ededfdZeedZeedZeedZeedZeedZeedZe ddeedeeee eeffdZ edZ!edZ"edZ#ee$de%e&e ffdZ'e ddeee&e ffdZ(dS) MalwareActionz Responsible for manipulations with malware files. As long as each handler function is wrapped in `update_malware_history`, arguments should be passed in kwargs form. c K|j|D]w} ||t|d{V##tj$rt$r9}t d|||Yd}~pd}~wwxYwdS)z$Execute callback for specific actionNzEError '{!r}' happened when run callback {} forMalwareAction {} method) _CALLBACKrGrCancelledErrorrjr[ exceptionformat)r method_namerprcallbackes r^run_callbacks_forzMalwareAction.run_callbacks_fors k2  H ht\%%8%89999999999)        ..4fQ+.N.N   s3B /BBcF|j||dSN)radd)rrrs r^ add_callbackzMalwareAction.add_callbacks# k"&&t,,,,,rNrbcKtj|||d{V}tjttjt tjti}||t}t|Sr) rTsubmit_malwareSUBMIT_SUCCESSrESUBMIT_PENDINGrA SUBMIT_FAILEDr=rirG)rrptypereason_r status_map event_titles r^submit_for_analysisz!MalwareAction.submit_for_analysisss ,T4@@@@@@@@  !#9  !7  "2 !nnV-=>> K(((rcK ttjfdd{Vt}n#t$r t }YnwxYwt |S)Nc0tjS)Nrprv)rOcreatersr^rz&MalwareAction.ignore..s)0]r)rrrr1rr9rG)rrprvrrs `` r^ignorezMalwareAction.ignores $!&((       $EE % % %$EEE %E"""s+9A  A c tjtj|k}t |rt ntSr)rOdeletewhererpexecuterGr6r8)rrprdeleteds r^delete_from_ignore_syncz%MalwareAction.delete_from_ignore_syncsW  $ & & U$)T1 2 2 WYY  #* L  0L   rc.KttSr)rGr>rr__s r^notifyzMalwareAction.notifysE"""rc.KttSr)rGr;rs r^cleanup_failed_restorez$MalwareAction.cleanup_failed_restores6777rc.KttSr)rGr<rs r^cleanup_failed_storez"MalwareAction.cleanup_failed_stores4555r)reportrtrrVcK|rWtjdx}rA||_|t |d{Vt tS)Nsink)rrirtprocess_messager.to_dictrGrD)rrtrrrrs r^cleanup_restored_originalz'MalwareAction.cleanup_restored_originalsv  OquV}},t O(F &&';FNN.hD  ,<== >      r r$r[r\r-rpr setdefaultrrrupdate_restore_from_backup rrrr!r"f user_hitsrresr_hitss r^restore_from_backupz!MalwareAction.restore_from_backupO^ #&"<".r++++++rfilesuntilrrc&g|] }|jv |Srr:rrrestoreds r^rz6MalwareAction._restore_from_backup..~%DDDqAK8,C,C,C,C,Crc&g|] }|jv |Srr:rrfaileds r^rz6MalwareAction._restore_from_backup..%@@@Q!+*?*?q*?*?*?r File %s was restored from backupc2g|]}|tfSrrGrrhrs r^rz6MalwareAction._restore_from_backup..&FFF"Re,,-FFFr#File %s wasn't restored from backupc2g|]}|tfSrrJrfhrs r^rz6MalwareAction._restore_from_backup..&DDD"Re,,-DDDr rrRrr-rpr[inforCextendr\r:rrrqrrpathsrr4 restored_hits failed_hitsp safe_pathrFrBrs @@@r^r0z"MalwareAction._restore_from_backupn,+d+++"":..!.4Z@@ " " "       & DDDDDDDD @@@@$@@@  G GA%*1--I KK:I F F F F$ FFFF FFFGGG M MA%*1--I NN@) L L L L- DDDD DDDEEE rr)NNN))__name__ __module__ __qualname____doc__rsetr classmethodrrrrGrrrrrrr r rrrrrrrrr rNrboolrrrr$rr rMr6r0rrr^rr|s  C  I  [ --[- $ ) )  ) ) )[ ) #| # # #[ # <   [ ##[#88[866[6EI////)1/)B///[/$//%$[/$**%$[*$--%$[-$//%$[/$;;%$[;$''%$['  &' e'sD@A B[822[2  [ ''['>  j,& '! [:$(   eJ ,- .   [   rrc<t||dSr)rr)rrs r^subscribe_to_malware_actionresvt,,,,,r)z admin.tool..ADMIN_TOOL_TYPE_PATTERNSceZdZejZejZejZdZ dZ dZ e Z ededefdZededefdZed$defd Zedefd Zed$d eefd Zed eedeedeefdZed eedeefdZedZed eefdZed%deefdZ edeefdZ!edeefdZ"edefdZ#edZ$ee%e&e'e(ddZ)edZ*edZ+edZ,edZ-edeed eedefd!Z.edeed eefd"Z/ed#Z0d S)&HackerTrapHitsSaveriiQz-SA- signaturerbc|j|vS)zwTrue iff *signature* carries the standalone (-SA-) mark that lands a path into ``malware_standalone_b64.list``.)STANDALONE_MARK)rris r^is_standalone_matchz'HackerTrapHitsSaver.is_standalone_matchs"i//rhit_typect|sdS|tfdtDS)aQTrue iff *hit_type* is an AI-Bolit admin-tool signature. Used at the projection-time filter in :meth:`reset_sa_hits` (against ``MalwareHit.type``) and at the write-time filter in ``StoreMalwareHitsIm360._process_default_action_results`` (against in-flight ``hit["matches"]`` from a scan result). Fc3 K|]}|vV dSrr)rrZlowereds r^rz9HackerTrapHitsSaver.is_admin_tool_type..s'BBA1<BBBBBBr)loweranyrf)rmrps @r^is_admin_tool_typez&HackerTrapHitsSaver.is_admin_tool_typesE 5..""BBBB)ABBBBBBrNc>|p|j}t|j|Sr)NAMErBASE_DIR)rfilenamenames r^ _filepathzHackerTrapHitsSaver._filepaths #38CL$'''rc<t|j|jdzS)Nz.clean)rrvrurs r^_clean_filepathz#HackerTrapHitsSaver._clean_filepathsCL#(X"5666r file_listc t||dd|DddddS#t$r&}td|Yd}~dSd}~wwxYw)N c34K|]}t|VdSr)r()rrxs r^rz-HackerTrapHitsSaver._write..s+NND1$77NNNNNNrFT)backupallow_empty_content permissionsz#Unable to write HackerTrap file: %r)r&ryjoinOSErrorr[error)rr}rwoes r^_writezHackerTrapHitsSaver._writes D  h'' NNINNNNN$(!        D D D LL> C C C C C C C C C DsAA A8A33A8 files_to_addct|}|}|D]0}||vr||||1||j dS)a> adds files_to_add to file_list the method has side_effect (file_list will be modified) yet, given that it is private class method -- we can do it :param file_list: existing files :param files_to_add: files to add :return: joined list, limited to MAX_HITS_COUNT N)racopyremoverMAX_HITS_COUNT)rr}rfile_set _file_listfiles r^_extendzHackerTrapHitsSaver._extends|y>>^^%%   $ $Dx!!$'''   d # # # #3--//00rcd|DS)a This method checks if any of the files on the list is present and removes that entry from the list :param file_list: list of files :return: new list of files, in the same order, with files that exist skipped cPg|]#}tj|!|$Sr)rrpexists)rrs r^rz3HackerTrapHitsSaver._clean_list..s+GGG"'..2F2FGGGGrr)r}s r^ _clean_listzHackerTrapHitsSaver._clean_listsHGGGGGrc||z |jkSr)SECONDS_BEFORE_CLEAN)r file_mtime current_times r^ _should_cleanz!HackerTrapHitsSaver._should_cleansj(3+CCCrcR|}|ri||jt jr*|d||}n|d|S)z We will use extra file to track last time we cleaned For that we will use mtime of that file :param file_list: list to clean :return: cleaned list r)r|rrstatst_mtimetime write_bytesr)rr}rZs r^ _clean_filezHackerTrapHitsSaver._clean_files    ! ! 88::   !2DIKK@@ 7 c"""OOI66 MM#   rTc ||}g}|D]]} |t |&#t j$r&}td||Yd}~Vd}~wwxYw|r| |n|S#t$rgcYSwxYw)Nz*Can't decode filepath [%r] with error [%r]) ry read_bytessplitrr'binasciiErrorr[rrr)rrw skip_existsr}decoded_file_listrrs r^_readzHackerTrapHitsSaver._reads  h''2244::<< -/ !  %,,-CD-I-IJJJJ~LLDdA ' 1222&  !   III s;?B6"A%$B6%B4BB6BB66 CCcrK|j|g|Ri|d{V|g|d{VdS)z"Same behavior as for separate hit.N)rfiles_to_remove) _add_hitsupdate_sa_hits)rrr]rs r^add_hitszHackerTrapHitsSaver.add_hitssmcmL:4:::6:::::::::  b, OOOOOOOOOOOrc0K |}|||}||||jd{VdS#t $r&}t d|Yd}~dSd}~wwxYw)Nz!Unable to read HackerTrap file %r)rrr_copy_to_modsec_rulesrurr[r)rrr]rr}rrs r^rzHackerTrapHitsSaver._add_hits$s B$'IIKKI!$Y !E!EF JJv   ++CH55 5 5 5 5 5 5 5 5 5 B B B LLK||gd{VS)zWhen storing separate hit it needs to be added to malware_found_b64.list and excluded from malware_sa_found_b64.list as well from proactive/dangerous/[hash]Nr)rrr]rs r^add_hitzHackerTrapHitsSaver.add_hit.s. \\;-000000000rc@K|gd{VdSrrr{s r^initzHackerTrapHitsSaver.init6s0ll2r) max_trieson_errorsilentc.Ktj} |d{V}nF#ttf$r2}t t|Yd}~dSd}~wwxYw |||d{V}n3#t$r&}t d|Yd}~dSd}~wwxYwttj |}| |jdz}|rz|j|jkrF||krt ddS t)jt|t|||dS#t.$r}|d}~wt0$r&}t d|Yd}~dSd}~wwxYw)NFz%Can't get malware found list file: %sz.tmpzNothing to updateTz%Failed to copy malware found list: %s)r rget_i360_vendor_namer!r"r[r\r build_vendor_file_pathrrrDIR with_suffixsuffixrrst_sizerrTshutilrrenamerrr)rmalware_list_namervendorrtarget found_list target_tmps r^rz)HackerTrapHitsSaver._copy_to_modsec_rules:s1 ' ) ) 2244444444FF"N3    NN3q66 " " "55555  44V=NOOOOOOOOFF!      Da H H H55555 *.*;<< '' (>??  MMOO  %):):)BBB!!##z'<'<'>'>>> KK+ , , ,5  KJZ 9 9 9   f % % %4    G    LL@! D D D55555 sR2A5'A00A59B C CCAG HG!! H.HHctj|j5}d|DcdddS#1swxYwYdS)NcDg|]}||jSr)rZrx)rentrys r^rz>HackerTrapHitsSaver._get_exists_hash_files..gs'BBB5%--//BEJBBBr)rscandir BASE_PD_DIR)rits r^_get_exists_hash_filesz*HackerTrapHitsSaver._get_exists_hash_filesds Z ( ( CBBBBBBB C C C C C C C C C C C C C C C C C Cs 377c~|D]9}t|jt|z d:dS)Nr)rrtouchrr>fnames r^_create_hash_filesz&HackerTrapHitsSaver._create_hash_filesisG ? ?E #/ " "T%[[ 0 7 7 > > > > ? ?rc||D]8}t|jt|z 9dSr)rrunlinkrs r^_remove_hash_filesz&HackerTrapHitsSaver._remove_hash_filesnsE ; ;E #/ " "T%[[ 0 8 8 : : : : ; ;rc |tjd}d|D}|}t |t |z }t |t |z }||||dS#t$r9}t d||j r d|j dndYd}~dSd}~wwxYw) z SA hits stored for PD as sha256 hash of full path in HackerTrap.DIR_PD. Not more than MAX_HITS_COUNT files in dir. Remove older (by mtime) files first. Frwrc0g|]}|t|Sr)rS)rrps r^rz=HackerTrapHitsSaver._update_sa_hash_files..~s3$($rzHackerTrap error: %r%sz ()reN) rrSA_NAMErrarrrr[r\rw)rsaved_files_listhash_file_listexists_hash_file_listfiles_to_createfiles_to_deleters r^_update_sa_hash_filesz)HackerTrapHitsSaver._update_sa_hash_filesss4 "yy#+ )   ,<N%($>$>$@$@ !!.11C8M4N4NNO!"7883~;N;NNO  " "? 3 3 3  " "? 3 3 3 3 3    NN(() :$QZ$$$$          sB)B-- C07.C++C0rcL |tjd}|||}fd|D}||kr#||tjdSn2#t $r%}t d|Yd}~nd}~wwxYwdS)z Update file of malware standalone list. Return True if malware standalone list was changed otherwise False. Frcg|]}|v| Srr)rrprs r^rz;HackerTrapHitsSaver._update_sa_hit_list..s*$o2M2M2M2M2MrrwTzHackerTrap error: %sN)rrrrrrr[r)rrr saved_list extended_list updated_listrs ` r^_update_sa_hit_listz'HackerTrapHitsSaver._update_sa_hit_lists 4%(YY#+&/&&J), J (M(MM!.Lz)) <*2D EEEt* 4 4 4 LL/ 3 3 3 3 3 3 3 3 4usA,A22 B!<BB!c4K|s|sdSd|D}d|D}|j4d{V|||r|tjd{Vrvt jd{Vts!tj j j dkr.t dtd{V|dddd{VdS#1d{VswxYwYdS)NcPg|]#}ttj|$Srrrfsdecoderr2s r^rz6HackerTrapHitsSaver.update_sa_hits..s(CCCR[^^,,CCCrcPg|]#}ttj|$Srrrs r^rz6HackerTrapHitsSaver.update_sa_hits..s(IIIA4 A//IIIr cPanelCoraza:Reloading 'imunify360-wafd' as coraza ruleset is in action)LOCKrrrrrgraceful_restartrmr r __class__r]r[rTr_r)rrrs r^rz"HackerTrapHitsSaver.update_sa_hitss    F DClCCC IIIII8 , , , , , , , ,&&|_EE ,22:3EFFFFFFFF ,$5777777777-.. ,(577AJ)** ,*mm+++++++))+++! , , , , , , , , , , , , , , , , , , , , , , , , , , , , , ,sCD DDcKtjj}tjt jt jt j gtj tj |j tj|kg}tjdur$|dt$D|j4d{Vtjtjj|tj|jt;t=jfdd{V}| d|DtBj"|#tBj"d{VrvtIj%d{VtMs!tOj(j)j*dkr.tV,dt[d{V|.dddd{VdS#1d{VswxYwYdS) zI Re-populate HackerTrap records using data from database Fc3VK|]$}tj|V%dSr)rMrcontains)rpatterns r^rz4HackerTrapHitsSaver.reset_sa_hits..sI!!))'222!!!!!!rNc"tSr)list)rowssr^rz3HackerTrapHitsSaver.reset_sa_hits..s $t**rc:g|]\}tj|Sr)rfsencoders r^rz5HackerTrapHitsSaver.reset_sa_hits..s"111CQQ111rrrr)/rJFILEvaluerMstatusin_rIr>CLEANUP_STARTEDRESTORE_FROM_BACKUP_STARTED maliciousrrrkrv MalwareConfigDETECT_ADMIN_TOOLSrUrfrrrrorder_by timestampdesclimitrtuplesrrrrrrrrrrmr rrr]r[rTr_r)rrv where_clausesr>rs @r^ reset_sa_hitsz!HackerTrapHitsSaver.reset_sa_hitss404:    ! !$*$4$@    O $ $S%8 9 9  $ 5    +u 4 4  !!7!!!   8 ( ( ( ( ( ( ( ( !*"677 '*.335566s)** *&((*<*<*<*<E JJ115111J.wrapper2s#*#)        )#,E=C rr)rrrrs``` r^rzMalwareActionIm360.postpone0s/       rcKtj|}t|||j|j|j|jd{VdS)N)r)rPrirUrstartedrptotal_resources)rrzrrscans r^rzMalwareActionIm360.detectAsmg...   I L I             rcK||\}}|D]4}tdtj|j5i}|D]0}||jg|1i}| D].\} } | |j | fd| i|d{V/| d|D|S)Nr(rqc3BK|]}|ttfVdSrr*r+s r^rz9MalwareActionIm360.restore_from_backup..fr,rr-r1s r^r6z&MalwareActionIm360.restore_from_backupMr7rc6g}g}|D]}|j}d} ttj|}n=#t $r0t dtj|YnwxYw|jtj tj|ktj tktj|k ||||||fSrrr s r^r$z)MalwareActionIm360._split_hits_on_restorelr%r&NcP Kd|D}||}t|t|||d{V\ g} fd|D} fd|D} D]1} tj| } t d| 2t|fd|D D]1} tj| } t d| 2t|fd| D|S) Ncg|] }|j Srr:r;s r^rz;MalwareActionIm360._restore_from_backup..r<rr=c&g|] }|jv |Srr:rAs r^rz;MalwareActionIm360._restore_from_backup..rCrc&g|] }|jv |Srr:rEs r^rz;MalwareActionIm360._restore_from_backup..rGrrHc2g|]}|tfSrrJrKs r^rz;MalwareActionIm360._restore_from_backup..rMrrNc2g|]}|tfSrrJrPs r^rz;MalwareActionIm360._restore_from_backup..rRrrSrVs @@@r^r0z'MalwareActionIm360._restore_from_backupr\rc6tj} tj|}n##tt f$rt jcYSwxYw t| |j }n##ttf$rt jcYSwxYw|Srrrs r^rzMalwareActionIm360._get_tmp_dirrrrcKd|D}|j|f|||d|d{V}ttjd{Vfdt jD} g} |D]} t| tr|| | j t| j } | | j t| j } tt| j}| j}n/| j } | j } tt | j}| j}t'| d{V\}}| |vr.|| jr!| | || |df |}t| trF| j|d<| j|d<| j|d<| j|d <| j|d <| j|d <| j|d <||}|d|| | ||p||| j||d |d{V}| | ||df| S)rcdg|]-}t|jt|t+|.Sr)rr isinstancerQr+s r^rz;MalwareActionIm360.apply_default_action..sM   /99 s$:;;     r)rtrr}Nc<i|]}|jv |j|jSr)pw_namepw_uid)rpw panel_userss r^ z;MalwareActionIm360.apply_default_action..s6   z[(( Irz(((rTryrwrxr~rrrz) rprqrrr}rtrrurvrsFr) r6rar r get_usersrgetpwallr,rQrirr rrrprirNrrr successfulrrryrwrxr~rrrzrru)rrrtr}rrvrr!restore_events uid_to_namer4rrrrprsrrhandler_kw_argshandlerr|r1s @r^rz'MalwareActionIm360.apply_default_actions      7s6  "+$e  GM          : < < F F H HHHHHHHII     lnn   , 4, 4C#566 (# 3sy>>BB"sxSX??2C88="}  x/55?"x )DT)J)J#J#J#J#J#J#J FLn$$)<)G$ C!4fdCDDD$kkmmO#566 9-0[ *-0[ *-0[ *03 -14 .363D0-0[ *&&v..G!'  #3|+)  "        E JJUFE2 3 3 3 3 rr)NNNN)r]r^r_rbrrrrrr rMrGr6r$r rr0rr rar rcrrrr^rrsX[.[    [    j,& '! [:''['>$(   eJ ,- .   [ D  [   LL%L eKsD89 :LLL[LLLrr)r`rrrrrrr collectionsr configparserrloggingrpathlibrtypingrrr r r r r rrrrpeeweer defence360agent.contracts.configrrrrrrr%defence360agent.contracts.permissionsrrr&defence360agent.internals.global_scoper$defence360agent.model.simplificationrdefence360agent.subsysrdefence360agent.subsys.panelsr "defence360agent.subsys.panels.baser!r"defence360agent.utilsr#r$r%r&r'r(r)r*r+r,r-imav.contracts.messagesr.r/imav.contracts.configr0rimav.malwarelib.configr1r2r3r4r5r6r7r8r9r:r;r<r=r>r?r@rArBrCrDrErFrGrHrIrJrKimav.malwarelib.modelrLrMrNrOrPimav.malwarelib.scan.mds.reportrQ*imav.malwarelib.subsys.restore_from_backuprRimav.malwarelib.utilsrSrT imav.plugins.event_hook_executorrUimav.malwarelib.cleanup.storagerVr]r[r_r bytesrr`rarcrmrrrrrrerf__annotations__rhrrrr^rSsn* ######%%%%%%                          "!!!!! 544444@@@@@@------777777                          ;::::::CBBBBBDDDDDD33333333::::::>====== 8  === eR[( ) GCLLg&(> dvKvKvKr+++\< J Jc3:o8N J J J JSSSSSSSSl----=%S/<<<v(v(v(v(v(v(v(v(r ssssssssssr