h3"dZddlZddlZddlZddlZddlZddlZddlZddlm Z ddl m Z ddl m Z ddlmZmZmZmZmZmZmZddlmZmZmZddlmZdd lmZdd lmZm Z m!Z!m"Z"dd l#m$Z$dd l%m&Z&dd l'm(Z(m)Z)m*Z*m+Z+m,Z,m-Z-ej.e/Z0d!dZ1Gdde-Z2Gdde,Z3Gdde-Z4dee5e6fde6fdZ7Gdde8Z9Gddee5e9fZ:GddZ;Gdde Z. Copyright © 2019 Cloud Linux Software Inc. This software is also available under ImunifyAV commercial license, see N) defaultdict)suppress)islice)CallableDictListOptionalSetTupleUnion)MalwareMalwareSignaturesMyImunifyConfig) MessageType)&ms_clean_requires_myimunify_protection)RecurringCheckStop Singletonbase64_encode_filenamerecurring_check) MalwareTune) MalwareHit) DeletionType ErrorTypeRescanResultTypeRevisiumCSVFileRevisiumJsonFileRevisiumTempFilecZtjrt||St||SN)rUSE_JSON_REPORTrrtempdirmodes T/opt/imunify360/venv/lib/python3.11/site-packages/imav/malwarelib/cleanup/cleaner.pycleaner_result_instancer%?s-"/... 7D ) ))ceZdZdS)MalwareCleanerLogN)__name__ __module__ __qualname__r&r$r(r(EsDr&r(c>eZdZdZdZeddZdS)MalwareCleanerProgressz+ Get progress from external source rcK |}n-#t$rttj$rYdSwxYw|d}||jz |c}|_||dS)Ncurrent)readFileNotFoundErrorrjsonJSONDecodeError _progress)selfcallbackdataprogress increments r$watchzMalwareCleanerProgress.watchPs 99;;DD  ' ' '$&& &#    FF  ?$,t~$=x! 4>s&AAN)r)r*r+__doc__r6rr<r,r&r$r.r.IsII_Q     r&r.ceZdZdZdS)MalwareCleanupFileListc|jd5}|d|DddddS#1swxYwYdS)Nwbc3:K|]}t|dzVdS) N)r).0fs r$ z/MalwareCleanupFileList.write..cs0MMq/22U:MMMMMMr&)_pathopen writelines)r7filelistws r$writezMalwareCleanupFileList.writeas Z__T " " Na LLMMHMMM M M M N N N N N N N N N N N N N N N N N Ns AA A N)r)r*r+rLr,r&r$r?r?`s(NNNNNr&r?valuereturncD t|S#t$rYdSwxYw)zbConvert str|int to int, in case errors return -2 -1 used as default value when storing CH )int ValueError)rMs r$ _parse_intrSfs55zz rrs  cbeZdZdeeeeeffffd ZdZdZ dZ dZ dZ xZ S)CleanupResultEntryr9ctt|ddt|dd|d|dt|ddt|ddt|dd|d d |d d  dS) NdesrErmbmahbha) rWrYrZrEr[ mtime_before mtime_after hash_before hash_after)super__init__rSget)r7r9 __class__s r$rfzCleanupResultEntry.__init__qs #r**++#r**++3i3i#r**++#DHHT2$6$677"488D"#5#566r**xxb))  r&c |s|rdS|dtjkr#td|ddS|dtjko|dtjkS)NFrYz2File has changed, assuming that it was cleaned: %srETrW) is_failedrequires_myimunify_protectionr NOT_CLEANEDUPloggerwarningNO_ERRORrINJECTION_REMOVEDr7s r$ is_cleanedzCleanupResultEntry.is_cleaneds >>   tAACC 5 9 / / / NNDd3i   4 I+ + <S \;; r&c| o+|dtjko|dtjkS)NrYrW)rjrrorrprqs r$ is_removedzCleanupResultEntry.is_removeds?   ;S Y// ;S L:: r&c.|dtjkSNr[)rDETECTEDrqs r$rjzCleanupResultEntry.is_failedsCy,555r&c.|dtjkSrv)rREQUIRED_ADVANCED_SIGNATURESrqs r$rkz0CleanupResultEntry.requires_myimunify_protectionsCy,IIIr&cX| o|dtjkS)NrY)rjrFILE_NOT_EXISTSrqs r$ not_existzCleanupResultEntry.not_exists&>>###NS Y5N(NNr&)r)r*r+rstrr rQrfrrrtrjrkr| __classcell__rhs@r$rUrUps T#uS#X"67      ,       666JJJOOOOOOOr&rUceZdZdZd fd ZedeeefdefdZ deeefffd Z deeefffd Z xZ S) CleanupResultz5 Cleanup result container for result entries Ncf|r-td|DdSdS)Nc:i|]}|dt|S)rE)rU)rDrYs r$ z*CleanupResult.__init__..s'LLLaf&8&;&;LLLr&)rerf)r7reportrhs r$rfzCleanupResult.__init__sE  N GG  LLVLLL M M M M M N Nr&hitrNc$t|d|S)N orig_file)getattr)rs r$__keyzCleanupResult.__keyssK---r&clt||Sr)re __contains___CleanupResult__keyr7rrhs r$rzCleanupResult.__contains__s%ww##DJJsOO444r&clt||Sr)re __getitem__rrs r$rzCleanupResult.__getitem__s%ww""4::c??333r&r) r)r*r+r=rf staticmethodr r}rrrrr~rs@r$rrsNNNNNN.5j).c...\.5c:o 65555554uS*_54444444444r&rc eZdZdZejZddZdddddZede de e d e d e ed e ef d Zd efdZ ddeee e e e ffdZede dedefdZdS)MalwareCleanerz/opt/ai-bolit/procu2.phpNTc|r|ntj|_t|_||_||_dSr)asyncioget_event_loop_loopMalwareCleanupProxy_proxy_sink_watch_progress)r7loopsinkwatch_progresss r$rfzMalwareCleaner.__init__s=!?TTw'='?'? )++  -r&) blacklistuse_csv standard_onlyc Rd|jddddd|zdd|zd g } |r| d |z| d |zd |zgtjr| d |r| d|zgn| d|zg| r| dgt j|jr/| d| |j|r| d| S)Nz/opt/ai-bolit/wrapperz --deobfuscatez --nobackupz--forcibly_cleanupz--rescanz --list=%sz--input-fn-b64-encodedz --username=%sz--report-hashesz--black-list=%sz--log=%sz --progress=%sz--disable-cloudavz--csv_result=%sz --result=%sz--standard-onlyz--avdbz--soft) PROCU_PATHappendextendr CLEANUP_DISABLE_CLOUDAVospathexistsPROCU_DB) r7filename progress_path result_pathlog_pathsoftusernamerrrcmds r$_cmdzMalwareCleaner._cmds] $ O    ( " $ h &     6 JJ(94 5 5 5 X%-/     * , JJ* + + +  6 JJ)K78 9 9 9 9 JJ 34 5 5 5  , JJ)* + + + 7>>$- ( ( & JJx JJt} % % %  ! JJx  r&excr returncodestdoutstderrc t|jj||||dnd||dndS)Nreplace)errorsr_) exception return_codecommandouterr)dictrhr)decode)rrrrrs r$_get_cleaner_error_infoz&MalwareCleaner._get_cleaner_error_infos_m,"393E Y ///2393E Y ///2     r&infocBK|jr tji|dtt ji}|j|d{VdS#t j$rt$rt dYdSwxYwdS)N timestampz-Exception while sending CleanupFailed message) rr CleanupFailedrQtimeprocess_messagerCancelledError Exceptionrmr)r7rmsgs r$_send_cleanup_failed_messagez+MalwareCleaner._send_cleanup_failed_message s :  !/?t? S-=-=>?j0055555555555)        C   sAA%%3BBrNcKtj}t|}t|t}|||}t |d5} t |d5} t|5} |5} t|5} | ||r| ||j r7|j | |jj|r8|| j| j| j| j||| j|| }n1|| j| j| j| j||||}t$dd|d\}}d} t+jj|t,jt,jd d{V}|d{V\}}| }n#t*j$rD|r@t9t:5|dddn #1swxYwYt>$r&}| |||r|j!nd || }t$"d |#d d |#dd|#di|d|i|$i|tKtM|d{VtOtQ||fcYd}~cdddcdddcdddcdddcdddSd}~wwxYwtO|d|fcdddcdddcdddcdddcdddS#1swxYwYdddn #1swxYwYdddn #1swxYwYdddn #1swxYwYddddS#1swxYwYdS)N)r"ir!)rrrr)rrrz Executing %s )r&r&)rr~zCleanup failed exit_code=rz: %srrr)extra)message))tempfile gettempdirr% isinstanceris_standard_onlyr?r.r(rLrr create_taskr<r progress_cbrrrmdebugjoinr subprocesscreate_subprocess_execPIPE communicater2rrProcessLookupError terminaterrrerrorrgrrr}rrepr)r7userrJrrrr" result_filerflistblkr:resultlogrrrprocrrrs r$startzMalwareCleaner.starts%''-g>>> [/::--dMBB #%   J 4 *%   J 4(   J 4 { J 4 '-.?/ / / J 4 KK ! ! ! % )$$$# P &&x~~dk6M'N'NOOO iiN%OL!!l#"/  iiN%OL!#"/   LL# 7 7 7HCD 7$/F%?%? "&!1!1!3!3333333S)   )!"455))((())))))))))))))) 7 7 733'+4DOO 4 M0G0GMMMxx::%::4T4;44 776t6tCHH5556%S 3666666QJ 4J 4J 4J 4J 4J 4J 4J 4J 4J 4J 4J 4J 4J 4J 4J 4J 4J 4J 4J 4J 4J 4J 4J 4J 4J 4J 4J 4J 4J 4J 4J 4J 4J 4J 4J 4n 7&!(($3UJ 4J 4J 4J 4J 4J 4J 4J 4J 4J 4J 4J 4J 4J 4J 4J 4J 4J 4J 4J 4J 4J 4J 4J 4J 4J 4J 4J 4J 4J 4J 4J 4J 4J 4J 4J 4J 4J 4J 4J 4J 4J 4J 4J 4J 4J 4J 4J 4J 4J 4J 4J 4J 4J 4J 4J 4J 4J 4J 4J 4J 4J 4J 4J 4J 4J 4J 4J 4J 4J 4J 4J 4J 4J 4J 4J 4J 4J 4J 4J 4J 4J 4J 4J 4J 4J 4J 4J 4J 4J 4J 4J 4J 4J 4J 4J 4J 4J 4J 4J 4J 4J 4J 4J 4J 4J 4J 4s#"P94P!P O3 D O %A"H O %N .I N IN IN %CN N O O3  P ! P!- P9N O  O3 + P 7 P! P9O  O3 #O $O3 ' P 3O7 7P :O7 ;P > P! P P!P P! P9!P% %P9(P% )P99P=P=rrcdS)z@Check if only standard signatures should be applied for the userF)rENABLEDr)rrs r$rzMalwareCleaner.is_standard_onlyps ur&)NNT)TNN)r)r*r+rrrrfrrrrr}rQr bytesrrrr rrboolrr,r&r$rrsM+J )H....22222h    #Y          \   t    $ W4W4 }hsmT#Y6 7W4W4W4W4r s 4 D   \   r&rcVeZdZdZ dZdZdeeeeee ffdZ d dZ dZ d Z d S) ri'cTdx|_|_tt|_dSNr)r1totalrsethitsrqs r$rfzMalwareCleanupProxy.__init__s#$%% tz$$ r&cP|j|||||f|dSr)rupdate)r7cause initiator post_actionscan_idrrs r$addzMalwareCleanupProxy.adds+ I{G] C &,,,,,r&rNc#K|jr|j\}}t|}tt ||j}t |d}|@|j|||j|||xj t|z c_ g||RV|jdSdSr) rpopitemiterrr _CHUNK_SIZEnextrrrlen)r7 scan_inforall_hits remaining_hits r$flushzMalwareCleanupProxy.flushsi #"i//11OItDzzHvh(899::D 400M( )$((777 )$++H555 JJ#d)) #JJ"9"d"" " " "i # # # # #r&c&|xj|z c_dSr)r1)r7r;s r$rzMalwareCleanupProxy.progress_cbs ! r&c"dx|_|_dSr)r1rrqs r$resetzMalwareCleanupProxy.resets$%% tzzzr&c t|j|jt|jzz dzS#t $rYdSwxYw)Nd)rQr1rrrZeroDivisionErrorrqs r$ get_progressz MalwareCleanupProxy.get_progresssR t|tzC NN'BCcIJJ J    44 s36 AAN)r)r)r*r+rrfrr r}rr rrrr r,r&r$rrsK%%% #uS#xc9: # # # #""""&&&r&r) metaclass)NN)=r=rr4loggingrrrr collectionsr contextlibr itertoolsrtypingrrrr r r r defence360agent.contracts.configr rr"defence360agent.contracts.messagesr%defence360agent.contracts.permissionsrdefence360agent.utilsrrrrimav.contracts.configrimav.malwarelib.modelrimav.malwarelib.utils.revisiumrrrrrr getLoggerr)rmr%r(r.r?r}rQrSrrUrrrr,r&r$rs*   ######DDDDDDDDDDDDDDDDDD ;::::: .-----,,,,,,  8 $ $****      (   -.NNNNN-NNN eCHo#4O4O4O4O4O4O4O4On44444D001444(CCCCCCCCL(((((I((((((r&