[Compiled Python bytecode (.pyc, CPython 3.11) of /opt/imunify360/venv/lib/python3.11/site-packages/imav/malwarelib/rpc/endpoints/base.py from the ImunifyAV malware library. The bytecode itself is not readable; only the embedded strings below are recoverable.]

Module docstring (license header):

This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program. If not, see .

Copyright © 2019 Cloud Linux Software Inc. This software is also available under ImunifyAV commercial license, see

Names defined in the module (as visible in the bytecode): SubmitEndpoints, MaliciousEndpoints, IgnoreEndpoints, MalwareSendFiles, get_file_ownership, IgnoreParameters (a namedtuple with fields path, app_name, db_host, db_port, db_name).

RPC endpoint names visible in the bytecode: "malware submit false-positive", "malware submit false-negative", "malware malicious list", "malware malicious read", "malware malicious remove-from-list", "malware malicious move-to-ignore", "malware malicious history", "malware malicious scan", "malware ignore list", "malware ignore delete-ui", "malware ignore delete", "malware ignore add".

Banner string _SEND_FILES_DISABLED_BANNER (shown by the false-negative submission endpoint when MALWARE_SCANNING.sends_file_for_analysis is disabled):

Warning: This server's security can be enhanced by enabling the MALWARE_SCANNING.sends_file_for_analysis option. This may minimize the number of undetected malware, making your system more resistant to new threats. The command below can be used to enable the option:
imunify-antivirus config update '{"MALWARE_SCANNING": {"sends_file_for_analysis": true}}'
- or -
imunify360-agent config update '{"MALWARE_SCANNING": {"sends_file_for_analysis": true}}'

Other message strings visible in the bytecode: "File {} doesn't exist.", "Either --scan-file or --scan-db should be specified", "Background scan pending", "notifications.fileNotFound", "notifications.permissionError".