h2XdZddlZddlZddlZddlZddlZddlZddlmZddl m Z ddl m Z ddl mZmZmZddlmZddlmZdd lmZdd lmZdd lmZmZdd lmZdd lmZm Z ddl!m"Z"ddl#m$Z$ddl%m&Z&m'Z'ddl(m)Z)ej*e+Z,GddeZ-GddZ.dS)u  This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program.  If not, see . Copyright © 2019 Cloud Linux Software Inc. This software is also available under ImunifyAV commercial license, see N)suppress)Path)Core)MalwareScanIntensityMalwareSignaturesget_rapid_rescan_frequency) LicenseCLN)resource_limits)Malware) MalwareTune)AIBOLIT_SCAN_INTENSITY_KEYMalwareScanType)ScanFailedError)AIBOLIT AIBOLIT_PATH)AiBolitDetachedDir)parse_report_json) crontab_path in_crontab) get_memoryceZdZdS) AiBolitErrorN)__name__ __module__ __qualname__Z/opt/imunify360/venv/lib/python3.11/site-packages/imav/malwarelib/scan/ai_bolit/scanner.pyrr;sDrrc eZdZd dZddddddddddd defdZedZedZdddddddddddd defd Z dS) AiBolitNc"d|_||_dSN)cmdscan_id)selfr$s r__init__zAiBolit.__init__@s rT) scan_pathr$db_dir detect_elfexclude_patternsfollow_symlinks file_patterns use_filtersjson_report_pathcsv_report_path scan_typec b||_dtdddtjddt |d|g | rdgng|d urd gn|d urd gngt jrd tjgngt jrdgng}|r|s|s%|s#td ||d }|t j sgtj tt!dg}| r|| d|} nt%t'|}|d|g| rdgng| rd| gng| d| gngddd|s|dgn|d|g|t*jkr|S|d|dtt jgt jrd|4|s2|d|dtt3g|d tt jg|t*jt*jt*jfvr}|d!|d"|gt<jr|d#| gn|d$|g|d%n|gd&t@!||S)'z :param detect_elf: True - detect as malicious False - detect as suspicious None - do nothing z/opt/ai-bolit/wrapperz--smartz --deobfuscatez--avdbz --no-htmlz--memoryz --progressz --use-filtersTz--use-heuristicsFz--use-heuristics-suspiciousz--hsz--detect-admin-toolszaAi-Bolit cmd generation error, cannot select from finder and filelist.scan_path: {}, filename: {}N*,z--pathz--follow-symlinkz--ignore-filenamesz--only-filepathsz--ignore-quarantinez--use-template-in-pathz--skip-imunify360-storagez--skip-system-ownerz --listingz--with-suspiciousz--sizez--rapid-account-scanz--rapid-scan-rescan-frequencyz--cloudscan-sizez--encode-b64-fnz --detached --json_reportz --csv_reportz--quite)r4.z --json-stdout)"r$rrAI_BOLIT_HOSTERr MalwareConfig HYPERSCANAI_BOLIT_HYPERSCANDETECT_ADMIN_TOOLS TypeErrorformatCRONTABS_SCAN_ENABLEDospathjoinstrrappendrrextendrMODSECMAX_SIGNATURE_SIZE_TO_SCANCLOUD_ASSISTED_SCANrMAX_CLOUDSCAN_SIZE_TO_SCAN BACKGROUND ON_DEMANDUSERr USE_JSON_REPORTloggerinfo)r%filename intensity_ram progress_pathr0r'r$r(r)r*r+r,r-r.r/r# in_crontabsexclude_crontabs r_cmdz AiBolit._cmdDs. #      -   } % %  " $/6B" %%$$$&&444%" 4!**=>>7" >!3'((A" H   ) H ..4fY.I.I     6 :#%7<<LNN0C0CS#I#I"J#=#**+;<<<#&88O#<#<  (i99 JJ/>E)**2 , -/?@@)4,];;*- 0!   ( 4 12333 JJ X. / / / . . .J &''' Hc-"JKKLMMM  , !+! .768899  JJ& @AA      &  %     JJ( ) ) ) JJ g. / / /* > O-=>???? NO<=== JJy ! ! ! ! JJ>>> ? ? ? C rctjrCtj}t t j|d<|SdS)N CLOUD_ASSIST)r7rFr>environcopyrAr get_server_id) environments rget_updated_environmentzAiBolit.get_updated_environmentsD  , *//++K*-j.F.H.H*I*IK ' trc tjtjdt tjdzS)Nzprogress_file_{}gcA)r>r?r@ CoreConfigTMPDIRr<inttimerrr_generate_progress_filezAiBolit._generate_progress_filesDw||    % %c$)++*<&=&= > >   r) intensity_cpu intensity_iorOr)r-r$r(r'r*r+r,c K||_|p tj}|p tj}|p tj}|t jt jt jfv}|r|sJt|j|5}| |rt|j nd|t|j ||| || | | | t|jt|j }||d}|jd5}t%j||dddn #1swxYwY|jd5}|jd5}t-j|||t0|d||t|| d{Vdddn #1swxYwYdddn #1swxYwYdddn #1swxYwYiS| ||jnd||||| || | | | | |_t:d d |jt-j|j||t@j!t@j!tDj#|t0| d{V|_$ |j$%d{V\|_&|_'nY#tPj)$rGtUtV5|j$,dddn #1swxYwYwxYw t%j-|j&.}nL#t$j/$r:}tad |j|j$j1|j&|j'|j| |d}~wwxYwt:dtd|tg|dS)a :param file: path to file with list of paths to scan :param intensity_cpu: [inverse] niceness level of the scan. The higher the number the more priority the process gets (more cpu) :param intensity_io: [inverse] ioniceness level of the scan. Higher number means more disk time may be provided in a given period :param intensity_ram: memory value :param detect_elf: enable binary malware (elf) detection :param use_filters: apply ignore filters to list of scanning files :param scan_type: type of scan :param scan_id: id of scan :param db_dir: path to rapid scan database :param scan_path: str with scan path (templates allowed) :param exclude_patterns: patterns of filenames to ignore :param follow_symlinks: bool, if True -> follow symlinks :param file_patterns: patterns of filenames to scan :raise CancelledError: when scan was cancelled :return iterator: parsed report )tmp_listing_fileN) r0r$r(r)r*r+r'r,r.r/)r#r0w)modeT)rarbkeystart_new_sessionstdoutstderrcwdenv) r0r$r(r)r*r+r'r,r-z Executing %s )rarbrirjrkrlrgJSONDecodeError)messagecommand return_codeouterrr$r?z%s returned %sF) base64_path)4r$rCPUIORAMrrIrHrJrrSrA listing_file progress_filer.r/scan_info_fileopenjsondumplog_fileerr_filer create_subprocessr rZnamer`r#rLdebugr@ subprocessPIPEr\r]proc communicaterrrsasyncioCancelledErrorrProcessLookupError terminateloadsdecodernr returncoderr)r%filer0rarbrOr)r-r$r(r'r*r+r,_detachedwork_dirr# scan_infofl_fe_freportrss rscanz AiBolit.scansN %A)=)A #>';'> %A)=)A   %  &  !   ( NN7# !%% ii26@C-...D!.//'#!)%5$3'"/%()B%C%C$'(@$A$A %(i@@ ,11s1;;,qIi+++,,,,,,,,,,,,,,,%**3//36%**3//36);&3%16yA*.""MM 88::           /% % % % % % % % % % % % % % % LI99)DIIt   ( ( * *!-+'#     ^SXXdh%7%7888); H'%??!,,..*95            '+y'<'<'>'>!>!>!>!>!>!> DHdhh%   ,-- & & ##%%% & & & & & & & & & & & & & & &   Z 1 122FF#   ) I0HH     %w777 U;;;;s6BG/D' G/'D+ +G/.D+ /G/ G'AG5 GG GG G G/G G/G G//G36G3,L#M(M MM MM M+N O5OOr") rrrr&rArS staticmethodrZr`rrrrr r ?s!RRR  RRRRh\  \ N<N<N< N<N<N<N<N<Nrr_ contextlibrpathlibr defence360agent.contracts.configrr\rrr!defence360agent.contracts.licenser defence360agent.utilsr imav.contracts.configr r7r imav.malwarelib.configr rimav.malwarelib.scanrimav.malwarelib.scan.ai_bolitrr&imav.malwarelib.scan.ai_bolit.detachedr$imav.malwarelib.scan.ai_bolit.reportrimav.malwarelib.scan.crontabrrimav.malwarelib.utilsr getLoggerrrLrr rrrrs0*    988888111111.-----100000????????EEEEEEBBBBBBAAAAAAAA,,,,,,  8 $ $     ?   v<v<v<v<v<v<v<v<v<v