hPdZddlZddlZddlZddlZddlZddlZddlZddlm Z ddl m Z ddl m Z ddlmZmZddlZddlZddlmZddlmZdd lmZmZmZdd lmZdd lmZdd l m!Z!m"Z"dd l#m$Z$ddl%m&Z&m'Z'm(Z(m)Z)m*Z*m+Z+m,Z,m-Z-ddl.m/Z/m0Z0m1Z2m3Z3ddl4m5Z5ddl6m7Z7ddl8m9Z9m:Z:m;Z;e e<Z=Gddej>Z?GddeeZ@Gdde@ZAdS)u  This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program.  If not, see . Copyright © 2019 Cloud Linux Software Inc. This software is also available under ImunifyAV commercial license, see N) defaultdict)Enum) getLogger)AnyUnion) inactivity) MessageType) MessageSink MessageSourceexpect)run_in_executor) HostingPanel)Scope nice_iterator) ProcessOrder)CLEANUPCLEANUP_ON_SCHEDULE MalwareEventMalwareEventPostponedMalwareHitStatusMalwareScanResourceTypeMalwareScanTypeNOTIFY) MalwareHitMalwareHitAlternate MalwareScanVulnerabilityHit)MalwareScanMessageInfo)MalwareDatabaseHitInfo)HackerTrapHitsSaver MalwareActionMalwareActionIm360c(eZdZdedeffd ZxZS)MalwareScanJSONEncoderoreturnc~t|tr|jSt|SN) isinstancervaluesuperdefault)selfr% __class__s R/opt/imunify360/venv/lib/python3.11/site-packages/imav/malwarelib/plugins/store.pyr,zMalwareScanJSONEncoder.defaultNs2 a   7Nwwq!!!)__name__ __module__ __qualname__rr, __classcell__r.s@r/r$r$MsK""""""""""""r0r$c\eZdZejZejZe Z d\Z Z dZ dZeejddZeejdZedZe dd eeefd efd Zd ejdd fdZededd fdZedZd ejfdZd S)StoreMalwareHits)NNc&K||_||_dSr()_loop_sink)r-loopsinks r/ create_sourcezStoreMalwareHits.create_sourceZs  r0c KdSr()r-r;s r/ create_sinkzStoreMalwareHits.create_sink^s  r0F) async_lockcK|ddsdStjd5||d{VddddS#1swxYwYdS)a1MalwareScan is saved to DB when: 1. Detached scan started - message has no results 2. Any scan finished - message has summary and results Message without summary means that detached scan is finished and summary will arrive along with results in another message. summarypathN store_scan)getrtracktask _store_scan)r-messages r/ process_hitszStoreMalwareHits.process_hitsasy!%%f--  F   " "< 0 0 , ,""7++ + + + + + + + , , , , , , , , , , , , , , , , , ,sA((A,/A,cKtjj5}t jt |d|ddtddddS#1swxYwYdS)NrC)rCF)indent sort_keyscls)defence360agent internalsloggeropenMalwareScanLogjsondumpdictr$)r-rJlogfs r/ store_logzStoreMalwareHits.store_logns  & - @ @ B B d IWY/000*                       s3A&&A*-A*ctj|||d|d|d|d||ddd|ddd||ddd  S) Nownerusersizehashhitsrmatches timestamp suspicious) scanid resource_typer[r\r]r^ orig_filetyperastatus malicious)rcreate)rcfilenamergrddatas r/ _store_hitzStoreMalwareHits._store_hitysw 'w-ffffa+6l1ok2v,q/,77    r0Npath_obj scan_typec #Ktjg}t|tr|gn|}|tjkrt |Ed{VdS|D]}tj|D]v}tj |}tj |rtjtj|ktj|ztjt(jjkzr|Vt1j|dz}dtjtj|tj|ztjt(jjkzDEd{VxdS)z Return files that may already not be infected, yet we still consider them such. For example, an infected file might have been removed manually. Nz(/.*|\b)c3$K|] }|jV dSr(re).0is r/ z8StoreMalwareHits.get_outdated_entries..s8         r0)rFOUNDr)strrREALTIMEiterglobiglobosrDrealpathisfilerselectwhererergin_rdrFILEr*firstreescaperegexp)rmrnpossibly_infected_statusespaths target_pathrD scanned_dirs r/get_outdated_entriesz%StoreMalwareHits.get_outdated_entriess'7&<%="(377E X 0 0 0E{{ " " " " " " " F ! ! K ;//  w''--GNN4((")++U#-5%,001KLLN'46;ABUWWJJJJ"$)D//K"?K  !+!2!4!4!:!:'188EE * 1 5 5$>!"!"!+ 8#:#?#E!F  " "   % ! ! r0rJr&cK|d}|dsdSt|}|jrtjtj|ddksGtjdi|tj j |j d}d|_ | dStd|dddS||d{VdS) zLProcess scan message results. message: MalwareScan message rCstartedNrc)rd initiatorrzScan %s already in databaser?)r is_summaryMalwareScanModelr~rrcexistsrirrr*rtotal_malicioussaverSwarning_store_scan_from_results)r-rJrC message_typescans r/rIzStoreMalwareHits._store_scans- )$y!  F-g66  " 9 '))'.')2DX2NNOO  (."9">"D%/ ()$ 1793Eh3O//88 8 8 8 8 8 8 8 8 8r0rCc |dd}|dd}|d=|=|=||d|d}tj|dSdSdSdS)N file_patternsexclude_patternserrorrDrf)rn)poprFrr delete_hits)rPrCrroutdated_entriess r/_delete_outdated_entriesz)StoreMalwareHits._delete_outdated_entriess OT:: ";;'94@@ KK (% ("7776? 8     "#3 4 4 4 4 4 ) (%%((r0c KdSr(r?)hit_datadefault_action_resultss r/_process_default_action_resultsz0StoreMalwareHits._process_default_action_resultss  r0c  K|d}|d}tj|i|dtjji\}|s |d_|d*|d||d|dD}d tj t| D}tt}d }d tfd } tt|23d{V} | |vrZ| || || dd dr0|| |d| f6fd|D} |j| |d|d|jd{V} i} | D]\}}}}|||f| |j<|D]J\} }|dd drt*j}d}| | vr| | \}}}t/|t0r4|jt4kr$|dt6jkrt:nt<}||d<||d<|dz }t/|t>r|j rtC|j"tGj$|j%j&| |tjj|d{V}t/|t0r<|j'|j(|j)|j*|jff}||+|L|_,|d_-t]t_j/_0|dx}r|_12|jr|D]w\\}\}}}}}|t4kr1|dt6jkrtf4dI|j5||||||d{Vx|6|d| Dd{VdS)NrCrcrd)rcdefaults completedresultsrDcfi|].\}}tj|ddd+||/S)r_rr`)rmatch)rrfilerks r/ z=StoreMalwareHits._store_scan_from_results..sL   d#)$v,q/)*DEE $   r0ci|] }|j| Sr?rqrrhits r/rz=StoreMalwareHits._store_scan_from_results.. s,    M3   r0)filesrrc|jtjkp)|jtjtjfvo |j|kSr()rgrCLEANUP_STARTED CLEANUP_DONECLEANUP_REMOVED cleaned_at)rdetected_timestamps r/_hit_status_race_detectedzLStoreMalwareHits._store_scan_from_results.._hit_status_race_detectedsG .>>8:$1$48 N%77 r0r_ractg|]4\}}|dddtjj||5S)r_rrb)rrirc)rrrrkrs r/ z=StoreMalwareHits._store_scan_from_results..&sQ   d<?<0  &t{D$ ? ?   r0rrf)r_rcauser<rbdefault_action try_restore total_filesrzCSkipping auto-cleanup because it's allowed for scheduled scans onlyr_scan_idrr post_actionc(i|]\}}}}|j|Sr?rq)rrrevent_s r/rz=StoreMalwareHits._store_scan_from_results..s% I I I&6c5!QS]E I I Ir0)7r get_or_createrrr*rrFritemsrget_hitslistrrtuplekeysrmalware_actionapply_default_actionr:rerrur)ractionrr BACKGROUNDrrrmalware_eliminatedr r9 functoolspartialrlrcrJrrrappendrtotal_resourcesinttimerarrrSinfoprocess_messager)r-rJrCrcreatedrr_postponed_hitsrrrmalicious_hitsaction_results apply_dicthit_inforrrrkrgresultrrkeyrmsg_clsrrrrs @r/rz)StoreMalwareHits._store_scan_from_resultss)$(#(6!8!=!C   g 2%[1DN 9  )gkk&.A.A.M  ) )' 2 2 2  %i06688      !*g???   %T** :    (gllnn(=(=>> - - - - - - -$t|| 9 9T GDM&1!4[A!!| D!!! "&&t,,, ?    %mmoo    $2GGkk+..&/ H         4B J J 0HeV[.3V[-IJx) * *!--//7 07 0JD$F|A|, %+FFz!! t$ " v'<==  )<<< #6?o.HHH ## *8%&&1]#1$fl33!0! ' !OK+06         C&"788 0N (* s#**3///.&}5TY[[))KK(( (5 DJ :  %%''  BA5)[&111?+EEEKK/ *44!%$+"'&/(3 22  I I. I I I           s"Fr() r1r2r3r STORE_SCANPROCESSING_ORDERrAVSCOPEr!rr9r:r=r@r r rrKrY staticmethodrlrrvrrrI classmethodrWrrrr?r0r/r7r7Ts#. HE"NLE5    VK #666 , ,76 , VK #$$%$   \  11T "1111\1f9)@9T9999> 5t 5 5 5 5[ 5  \ b k6Mb b b b b b r0r7ceZdZejZeZfdZe dZ e e j de j ddfdZe dZxZS)StoreMalwareHitsIm360cKt|d{Vtjd{VdSr()r+r@r init)r-r;r.s r/r@z!StoreMalwareHitsIm360.create_sinksXgg!!$'''''''''!&(((((((((((r0cKg}g}|D]\}}||}t|ts0|jr||t d|dDr||tj|d{Vtj |gd{VdS)z,Do additional processing for malicious filesc3>K|]}tj|dvVdS)r`N)r STANDALONE_MARKrs r/rtzHStoreMalwareHitsIm360._process_default_action_results..sB$3s9~Er0r_N) rrFr)rrranyr add_hitsupdate_sa_hits)rrhacker_trap_hitshacker_trap_sa_hitsrDrkrs r/rz5StoreMalwareHitsIm360._process_default_action_resultss  "..** 1 1JD$+//55Ffl33 ( . ''---< 1$**4000!*+;<<<<<<<<<!01DbIIIIIIIIIIIr0rJr&Nc " K|jr|jdS tj|j|j|j|j|j|j|j|j tj j |j  }nW#tj$rDtj|j}|jrV|jsO|jr|jrA|jr:|j|jks*|j|jks|jtj j kr5t$d|j|j|j|jYdS|j|_|j|_|j|_|j|_|j |_ tj j |_|j |_ |t$d|jdYnwxYw|js|jst/jt.j|jkt.jtj j kzt.jt8jkzdSt?tA!d{VfdtEj#D}tIj%|j}|&||j'(|j|d|d|j)tj j d{V}i}|D]\}}} } || f||j<tUtV} |D]@} d} | j|vr-|| j\} }tY| tZr| j.r;t/jdid |d || j/| j/d || j0| j0d | jd| j1dddddddddt8jdddtj j d| j2d| j3d| j4d| j5d| j6}tY| tnr6| j8| j9| j | j:ff}| |;|B|j)rT| <D]A\\}\}}}}|j)=|||j|||d{V@dSdS)N) rcrrrfrDrrrrdr)rczBThe scan %s has already been saved: type=%s, path=%s, completed=%sz Updated scan z with new data from messagec<i|]}|jv |j|jSr?)pw_namepw_uid)rrpw panel_userss r/rz7StoreMalwareHitsIm360.store_db_scan..s6   z[(( Irz(((r0rrf)r_rrr<rdrcr[r\rerhTr^r] timestamergrrdapp_namedb_hostdb_portdb_namesnippetrr?)>rrfrrirrrDrrrrDBr*rpeeweeIntegrityErrorrFrdrSrcrrr_rdeleterrergrruexecutesetr get_userspwdgetpwallrget_hits_per_db_delete_outdated_db_entriesrrr:rrr)rrr[r\ signaturerrrrrrrJrrrrr)r-rJr uid_to_nameunique_db_hitsrrrrrrrrrrnew_hitrrrrrr_rs @r/ store_db_scanz#StoreMalwareHitsIm360.store_db_scans ',"6 F- #*!+\\m ' 7 ' 758>!+   DD$   #'w???D% = N ,0: ~   <49,,<49,,%)@)C)III $K&IN #?DL$.DN DJ#*#:D #*#:D !8!;!AD $.DN IIKKK KKH HHH     = D| = !##)))W\9"025;< "(,<,BB D'))) F  8 8 : :::::::;;     lnn   0? MM ((888 $2GGkk+..++f%%14: H         %3 3 3 !C$)6?Jsx $T**&& 4& 4HF} **x}-" fl33!0! ","3###t#!oohnhnEEE#!__X]HMBBB##-- # '' # $ #T#T#$#(--# 4#68>>#"**#!((#!((# !((!#"!((##G&&"788 4N\6#3V5GHs#**7333 :  %%''  :95)[j00G! '#"+$/     sAA11B9G-BGGcFd|D}tj|dS)Ncg|] }|j Sr?)rDrs r/rzEStoreMalwareHitsIm360._delete_outdated_db_entries..Ns///3ch///r0)rr)r_ orig_filess r/rz1StoreMalwareHitsIm360._delete_outdated_db_entriesLs,//$/// z*****r0)r1r2r3rIM360rr"rr@rrr r MalwareDatabaseScanr rr4r5s@r/rrs KE'N)))))JJ\J0 VK +,,S"6S SSS-,Sj++\+++++r0r)B__doc__rryrUr{rrr collectionsrenumrloggingrtypingrrr defence360agent.internals.loggerrQdefence360agent.apir"defence360agent.contracts.messagesr !defence360agent.contracts.pluginsr r r $defence360agent.model.simplificationr +defence360agent.subsys.panels.hosting_panelrdefence360agent.utilsrrimav.contracts.pluginsrimav.malwarelib.configrrrrrrrrimav.malwarelib.modelrrrrr%imav.malwarelib.plugins.detached_scanrimav.malwarelib.scan.mds.reportrimav.malwarelib.subsys.malwarer r!r"r1rS JSONEncoderr$r7rr?r0r/r%s* ###### ''''******:::::: A@@@@@DDDDDD66666666//////                     CBBBBB 8  """""T-"""~ ~ ~ ~ ~ {M~ ~ ~ B z+z+z+z+z+,z+z+z+z+z+r0