hdZddlZddlZddlZddlZddlZddlZddlZddlm Z ddl m Z ddl m Z ddlmZmZmZmZmZmZmZmZmZmZddlmZddlmZmZmZmZm Z m!Z!m"Z"dd l#m$Z$m%Z%m&Z&dd l'm(Z(dd l)m*Z*dd l+m,Z,m-Z-dd l.m/Z/ddl0m1Z1m2Z2ddl3m4Z4m5Z5m6Z6m7Z7m8Z8m9Z9m:Z:m;Z;ddlZ>ddl?m@Z@mAZAmBZBmCZCmDZDmEZEmFZFmGZGmHZHmIZImJZJmKZKmLZLmMZMmNZNmOZOmPZPmQZQmRZRmSZSmTZTmUZUmVZVmWZWmXZXddlYmZZZm[Z[m\Z\m]Z]m^Z^ddl_m`Z`ddlambZbddlcmdZdddlemfZfddlgmhZherddlimjZje ekZleemenejofZoedZpede\e`ZqdZrdZsdZtdemdeememffd ZuGd!d"Zvd#ZwGd$d%ZxGd&d'evZydS)(u  This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program.  If not, see . Copyright © 2019 Cloud Linux Software Inc. This software is also available under ImunifyAV commercial license, see N) defaultdict) getLogger)Path) Callable CollectionDictIterableList TYPE_CHECKINGTupleTypeVarUnioncast)IntegrityError)Core HackerTrapMyImunifyConfigUserType"choose_use_backups_start_from_datechoose_value_from_config should_try_autorestore_malicious)MS_CONFIG_DEFAULT_ACTION_EDIThas_permissionmyimunify_protection_enabled)g)run_in_executor) web_serversvcctl) hosting_panel)ModsecVendorsErrorPanelException)COPY_TO_MODSEC_MAXTRIESLazyLockatomic_rewritebase64_decode_filenamebase64_encode_filenamelog_failed_to_copy_to_modsecretry_on safe_sequence)MalwareCleanupRevertMalwareCleanupTask)ADDED_TO_IGNORECLEANUP CLEANUP_DONECLEANUP_ON_SCHEDULECLEANUP_REMOVEDDELETED_FROM_IGNOREFAILED_TO_CLEANUPFAILED_TO_DELETE_FROM_IGNOREFAILED_TO_IGNOREFAILED_TO_RESTORE_FROM_BACKUPFAILED_TO_RESTORE_ORIGINALFAILED_TO_STORE_ORIGINALFOUND MalwareEventMalwareEventPostponedMalwareHitStatusMalwareScanResourceTypeMalwareScanTypeNOTIFY NOT_EXISTREQUIRES_MYIMUNIFY_PROTECTIONRESTORED_FROM_BACKUPRESTORED_ORIGINALSUBMITTED_FOR_ANALYSISUNABLE_TO_CLEANUP)MalwareHistory MalwareHitMalwareHitAlternateMalwareIgnorePath MalwareScan)MalwareDatabaseHitInfo) restore_files hash_path)submit_in_background) detected_hook) RestoreReportT HitInfoTypectj dfd }tj dfd }tjr|n|S)z8Decorator responsible for logging malware events into DBNc K|fp tj d |d{Vttj  fdd{VS)N path file_owner file_user initiatorapp_name resource_typedb_hostdb_portdb_namescan_idcTtj j   S)NeventrVrZr[rWrXrYcauser\r]r^ table_name table_field table_row_infr_)rE save_eventtitle)rZrcr\r^r]rWrXrYrVr[resultr_rerdrfsS/opt/imunify360/venv/lib/python3.11/site-packages/imav/malwarelib/subsys/malware.pyz?update_malware_history..async_wrapper..sHN-l!+%##%'+)rROOTrasyncioget_event_loopclsrVrWrXrYrcr[rZr\r]r^rdrerfr_kwargsricoros `````````````` @rj async_wrapperz-update_malware_history..async_wrappers"&t   !08='              " $ $                           ( rlc|f||||p tj|||| | |d |}tj|j||||||||| | | | | ||S)NrUra)rrmrErgrhrps rjwrapperz'update_malware_history..wrappers&   !08='       !,'!!#'    " rl) NNNNNNNNNNN) functoolswrapsrniscoroutinefunction)rsrtrvs` rjupdate_malware_historyrzs_T 555555n_T 222222h$7== J==7Jrlc< ddttffd }|S) Decorator responsible for logging multiple malware events into DB at once. Decorated function accepts an iterable of `MalwareHit`s. NhitscKtjfd|Dd{V}|s|Stjfdt ||D|S)Nc3TK|]"}|j|j|jV#dS))rVrWrXN) orig_fileowneruser).0hitrqrss rj zCmultiple_update_malware_history..wrapper..s\ "y!h rlcg|]^\}}|j|j|j|j|j|jp t jp tj |j |j |j |j d _S)) rbrVr[rZrWrXrcrYr\r]r^r_)rhrr[rZrrr=MANUALrrmr\r]r^scanidrrrircrYs rj zDmultiple_update_malware_history..wrapper..s~    C$\M%(%6 # "%)!$".wrappers           N"     $'tW#5#5      &rlNNr rFrsrvs` rjmultiple_update_malware_historyrsB@D##J'######J Nrlc< ddttffd }|S)r|Nr}cK||fi|d{V}|s|Stjfd|D|S)Nc g|]:\}}|j|j|j|jp tjp t jd;S))rbrVrWrXrcrY)rhrrrr=rrrmrs rjrz@bulk_update_malware_history..wrapper..7s_    C$\M"%)!$".wrapper0s!Dd55f55555555   "     $/#4#4#6#6    rlrrrs` rjbulk_update_malware_historyr*sA@DJ'* Nrlusernamereturnctjrt|s t|fSt t |rt dd|St ddS)NMALWARE_SCANNINGdefault_action)rENABLEDrr>rrrrs rjchoose_action_for_maliciousrHsi$+H55 $8# #3X>> '  0(    $$68H I IIrlc veZdZdZeeZedZedZ ee dde fdZ ee de fdZ ee de fdZee d Zee d Zee d Zee dd d eddfdZeedZeedZeedZeedZeedZeedZe ddeedeeee eeffdZedZ edZ!edZ"ee#de$e%e ffdZ&e ddeee%e ffdZ'dS) MalwareActionz Responsible for manipulations with malware files. As long as each handler function is wrapped in `update_malware_history`, arguments should be passed in kwargs form. c K|j|D]w} ||t|d{V##tj$rt$r9}t d|||Yd}~pd}~wwxYwdS)z$Execute callback for specific actionNzEError '{!r}' happened when run callback {} forMalwareAction {} method) _CALLBACKr9rnCancelledError Exceptionlogger exceptionformat)rq method_namerVrhcallbackes rjrun_callbacks_forzMalwareAction.run_callbacks_for^s k2  H ht\%%8%89999999999)        ..4fQ+.N.N   s3B /BBcF|j||dSN)radd)rqrrss rj add_callbackzMalwareAction.add_callbackms# k"&&t,,,,,rlNrcPKt|||ttSr)rNr9rC)rqrVtypereason_s rjsubmit_for_analysisz!MalwareAction.submit_for_analysisqs) T40002333rlcK ttjfdd{Vt}n#t$r t }YnwxYwt |S)Nc0tjS)NrVr[)rHcreatersrjrkz&MalwareAction.ignore..s)0]rl)rrnror,rr4r9)rqrVr[rrhs `` rjignorezMalwareAction.ignoreys $!&((       $EE % % %$EEE %E"""s+9A  A c tjtj|k}t |rt ntSr)rHdeletewhererVexecuter9r1r3)rqrVrdeleteds rjdelete_from_ignore_syncz%MalwareAction.delete_from_ignore_syncsW  $ & & U$)T1 2 2 WYY  #* L  0L   rlc.KttSr)r9r8rqr__s rjnotifyzMalwareAction.notifysE"""rlc.KttSr)r9r6rs rjcleanup_failed_restorez$MalwareAction.cleanup_failed_restores6777rlc.KttSr)r9r7rs rjcleanup_failed_storez"MalwareAction.cleanup_failed_stores4555rl)reportrYrrPcK|rWtjdx}rA||_|t |d{Vt tS)Nsink)rgetrYprocess_messager*to_dictr9rB)rqrYrrrrs rjcleanup_restored_originalz'MalwareAction.cleanup_restored_originalsv  OquV}},t O(F &&';FNN) rqr}rYrcrrrrhr config_ownerrbs rjapply_default_actionz"MalwareAction.apply_default_actions 6 6A916JJJOA|$#*7&[#3|   E NNAufe4 5 5 5 5rlcLK|D]}||j|jd{VdS)z Apply the action to multiple hits :param action: thr action to apply :param hits: list of hits N)rr)rqactionr}rs rjmultiplezMalwareAction.multiplesL 2 2C&11 1 1 1 1 1 1 1 1 2 2rlc6tj} tj|}n##tt f$rt jcYSwxYw t| |j }n##ttf$rt jcYSwxYw|Sr r HostingPanelpwdgetpwnamKeyError TypeErrorrTMPDIRstr base_home_dirpw_dir RuntimeErrorFileNotFoundErrorrqrWhprtmp_dirs rj _get_tmp_dirzMalwareAction._get_tmp_dir  ' ) ) < ++DD)$   ;     "**4;7788GG/0   ;    !*A  A 'A66BBc6g}g}|D]}|j}d} ttj|}n=#t $r0t dtj|YnwxYw|jtj tj|ktj tktj|k ||||||fSNz4File %s not found during restore from backup processrintosrVgetctimerrwarningr)rEselectrrbr5ctimefirstrrqr} to_restore not_restorerrV file_ctimes rj_split_hits_on_restorez$MalwareAction._split_hits_on_restore*   ( (C=DJ  !1!1$!7!788 $   J!&t,, "!(**"'4/"(,II"(J6 !!#&&&&""3'''';&&,A7A;:A;cK||\}}|D]4}tdtj|j5i}|D]0}||jg|1i}| D].\} } | |j | fd| i|d{V/| d|D|S)NHFile %s wasn't restored from backup, because last restore attempt failedrWc3BK|]}|ttfVdSrr9r5rrs rjrz4MalwareAction.restore_from_backup..8D  ,<== >      rl r rrr)rVr setdefaultrrrupdate_restore_from_backup rqr}rrrrf user_hitsrresr_hitss rjrestore_from_backupz!MalwareAction.restore_from_backup^ #&"<".B++++++rlfilesuntilrrc&g|] }|jv |Srr rrrestoreds rjrz6MalwareAction._restore_from_backup..N%DDDqAK8,C,C,C,C,Crlc&g|] }|jv |Srr rrfaileds rjrz6MalwareAction._restore_from_backup..O%@@@Q!+*?*?q*?*?*?rl File %s was restored from backupc2g|]}|tfSrr9rrhrhs rjrz6MalwareAction._restore_from_backup..V&FFF"Re,,-FFFrl#File %s wasn't restored from backupc2g|]}|tfSrr0rfhrhs rjrz6MalwareAction._restore_from_backup..]&DDD"Re,,-DDDrl rrKrr)rVrinforAextendrr5rqr}rWrrpathsrr restored_hits failed_hitsp safe_pathr,r(rhs @@@rjrz"MalwareAction._restore_from_backup>,+d+++"":..!.4Z@@ " " "       & DDDDDDDD @@@@$@@@  G GA%*1--I KK:I F F F F$ FFFF FFFGGG M MA%*1--I NN@) L L L L- DDDD DDDEEE rlr)NNN)(__name__ __module__ __qualname____doc__rsetr classmethodrrrzr9rrrrrrrrrrrrrrrr rGr boolrrrr rrrFrrrrlrjrrUs  C  I  [ --[- $44 444[4  #| # # #[ # <   [ ##[#88[866[6;?////)8///[/$//%$[/$**%$[*$--%$[-$//%$[/$;;%$[;$''%$['  &' e'sD@A B[222[2  [ ''['>  j,& '! [:$(   eJ ,- .   [   rlrc<t||dSr)rr)rrss rjsubscribe_to_malware_actionrKbsvt,,,,,rlcHeZdZejZejZejZdZ dZ dZ e Z ed defdZedefdZed deefd Zedeed eedeefd Zedeedeefd Zed ZedeefdZed!deefdZed eefdZed eefdZedefdZedZ ee!e"e#e$ddZ%edZ&edZ'edZ(edZ)ed eedeede*fdZ+ed eedeefdZ,edZ-dS)"HackerTrapHitsSaveriiQz-SA-Nrc>|p|j}t|j|Sr)NAMErBASE_DIR)rqfilenamenames rj _filepathzHackerTrapHitsSaver._filepathos #38CL$'''rlc<t|j|jdzS)Nz.clean)rrPrOrqs rj_clean_filepathz#HackerTrapHitsSaver._clean_filepathtsCL#(X"5666rl file_listc t||dd|DddddS#t$r&}td|Yd}~dSd}~wwxYw)N c34K|]}t|VdSr)r&)rrRs rjrz-HackerTrapHitsSaver._write..}s+NND1$77NNNNNNrlFT)backupallow_empty_content permissionsz#Unable to write HackerTrap file: %r)r$rSjoinOSErrorrerror)rqrWrQoes rj_writezHackerTrapHitsSaver._writexs D  h'' NNINNNNN$(!        D D D LL> C C C C C C C C C DsAA A8A33A8 files_to_addct|}|}|D]0}||vr||||1||j dS)a> adds files_to_add to file_list the method has side_effect (file_list will be modified) yet, given that it is private class method -- we can do it :param file_list: existing files :param files_to_add: files to add :return: joined list, limited to MAX_HITS_COUNT N)rGcopyremoverMAX_HITS_COUNT)rqrWrdfile_set _file_listfiles rj_extendzHackerTrapHitsSaver._extends|y>>^^%%   $ $Dx!!$'''   d # # # #3--//00rlcd|DS)a This method checks if any of the files on the list is present and removes that entry from the list :param file_list: list of files :return: new list of files, in the same order, with files that exist skipped cPg|]#}tj|!|$Sr)rrVexists)rrks rjrz3HackerTrapHitsSaver._clean_list..s+GGG"'..2F2FGGGGrlr)rWs rj _clean_listzHackerTrapHitsSaver._clean_listsHGGGGGrlc||z |jkSr)SECONDS_BEFORE_CLEAN)rq file_mtime current_times rj _should_cleanz!HackerTrapHitsSaver._should_cleansj(3+CCCrlcR|}|ri||jt jr*|d||}n|d|S)z We will use extra file to track last time we cleaned For that we will use mtime of that file :param file_list: list to clean :return: cleaned list rl)rVrorustatst_mtimetime write_bytesrp)rqrWr@s rj _clean_filezHackerTrapHitsSaver._clean_files    ! ! 88::   !2DIKK@@ 7 c"""OOI66 MM#   rlTc ||}g}|D]]} |t |&#t j$r&}td||Yd}~Vd}~wwxYw|r| |n|S#t$rgcYSwxYw)Nz*Can't decode filepath [%r] with error [%r]) rS read_bytessplitrr%binasciiErrorrrar{r)rqrQ skip_existsrWdecoded_file_listrkrs rj_readzHackerTrapHitsSaver._reads  h''2244::<< -/ !  %,,-CD-I-IJJJJ~LLDdA ' 1222&  !   III s;?B6"A%$B6%B4BB6BB66 CCcrK|j|g|Ri|d{V|g|d{VdS)z"Same behavior as for separate hit.N)rdfiles_to_remove) _add_hitsupdate_sa_hits)rqrdargsrrs rjadd_hitszHackerTrapHitsSaver.add_hitssmcmL:4:::6:::::::::  b, OOOOOOOOOOOrlc0K |}|||}||||jd{VdS#t $r&}t d|Yd}~dSd}~wwxYw)Nz!Unable to read HackerTrap file %r)rrlrc_copy_to_modsec_rulesrOr`rra)rqrdrrrrWrirbs rjrzHackerTrapHitsSaver._add_hitss B$'IIKKI!$Y !E!EF JJv   ++CH55 5 5 5 5 5 5 5 5 5 B B B LLK||gd{VS)zWhen storing separate hit it needs to be added to malware_found_b64.list and excluded from malware_sa_found_b64.list as well from proactive/dangerous/[hash]Nr)rqrrrrs rjadd_hitzHackerTrapHitsSaver.add_hits. \\;-000000000rlc@K|gd{VdSrrrUs rjinitzHackerTrapHitsSaver.inits0ll2rl) max_trieson_errorsilentc.Ktj} |d{V}nF#ttf$r2}t t|Yd}~dSd}~wwxYw |||d{V}n3#t$r&}t d|Yd}~dSd}~wwxYwttj |}| |jdz}|rz|j|jkrF||krt ddS t)jt|t|||dS#t.$r}|d}~wt0$r&}t d|Yd}~dSd}~wwxYw)NFz%Can't get malware found list file: %sz.tmpzNothing to updateTz%Failed to copy malware found list: %s)rrget_i360_vendor_namer r!rrrbuild_vendor_file_pathrrrDIR with_suffixsuffixrorwst_sizer}r:shutilrfrenamerr`ra)rqmalware_list_namervendorrtarget found_list target_tmps rjrz)HackerTrapHitsSaver._copy_to_modsec_ruless1 ' ) ) 2244444444FF"N3    NN3q66 " " "55555  44V=NOOOOOOOOFF!      Da H H H55555 *.*;<< '' (>??  MMOO  %):):)BBB!!##z'<'<'>'>>> KK+ , , ,5  KJZ 9 9 9   f % % %4    G    LL@! D D D55555 sR2A5'A00A59B C CCAG HG!! H.HHctj|j5}d|DcdddS#1swxYwYdS)NcDg|]}||jSr)is_filerR)rentrys rjrz>HackerTrapHitsSaver._get_exists_hash_files..s'BBB5%--//BEJBBBrl)rscandir BASE_PD_DIR)rqits rj_get_exists_hash_filesz*HackerTrapHitsSaver._get_exists_hash_filess Z ( ( CBBBBBBB C C C C C C C C C C C C C C C C C Cs 377c~|D]9}t|jt|z d:dS)Nr[)rrtouchrqr$fnames rj_create_hash_filesz&HackerTrapHitsSaver._create_hash_filessG ? ?E #/ " "T%[[ 0 7 7 > > > > ? ?rlc||D]8}t|jt|z 9dSr)rrunlinkrs rj_remove_hash_filesz&HackerTrapHitsSaver._remove_hash_files"sE ; ;E #/ " "T%[[ 0 8 8 : : : : ; ;rlc |tjd}d|D}|}t |t |z }t |t |z }||||dS#t$r9}t d||j r d|j dndYd}~dSd}~wwxYw) z SA hits stored for PD as sha256 hash of full path in HackerTrap.DIR_PD. Not more than MAX_HITS_COUNT files in dir. Remove older (by mtime) files first. FrQrc0g|]}|t|SrrL)rrVs rjrz=HackerTrapHitsSaver._update_sa_hash_files..2s3$($rlzHackerTrap error: %r%sz ()N) rrSA_NAMErrGrrr`rrrQ)rqsaved_files_listhash_file_listexists_hash_file_listfiles_to_createfiles_to_deleters rj_update_sa_hash_filesz)HackerTrapHitsSaver._update_sa_hash_files's4 "yy#+ )   ,<N%($>$>$@$@ !!.11C8M4N4NNO!"7883~;N;NNO  " "? 3 3 3  " "? 3 3 3 3 3    NN(() :$QZ$$$$          sB)B-- C07.C++C0rcL |tjd}|||}fd|D}||kr#||tjdSn2#t $r%}t d|Yd}~nd}~wwxYwdS)z Update file of malware standalone list. Return True if malware standalone list was changed otherwise False. Frcg|]}|v| Srr)rrVrs rjrz;HackerTrapHitsSaver._update_sa_hit_list..Ns*$o2M2M2M2M2MrlrQTzHackerTrap error: %sN)rrrrlrcr`rra)rqrdr saved_list extended_list updated_listrs ` rj_update_sa_hit_listz'HackerTrapHitsSaver._update_sa_hit_listAs 4%(YY#+&/&&J), J (M(MM!.Lz)) <*2D EEEt* 4 4 4 LL/ 3 3 3 3 3 3 3 3 4usA,A22 B!<BB!ctK|s|r0|j4d{V|||r|tjd{Vrt jd{Vtjj j dkrst dtj} |d{Vn*#t $rtdYnwxYw|dddd{VdS#1d{VswxYwYdSdS)N cPanelCoraza:Reloading 'imunify360-wafd' as coraza ruleset is in action"Failed to reload 'imunify360-wafd')LOCKrrrrrgraceful_restartrr __class__rCrr:rimunify360_wafd_servicereloadrrr)rqrdrunitctls rjrz"HackerTrapHitsSaver.update_sa_hitsXs  0? 0x 0 0 0 0 0 0 0 0**<II0 66z7IJJJJJJJJ"(9;;;;;;;;;*688BK-..#KK!0'-&D&F&FG"&-nn&6&6 6 6 6 6 6 6 6 6#,""" &$H!"!"!"!"!""--///+ 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0s6B#D%9CD%$C;8D%:C;;D%% D/2D/cKtjj}|j4d{Vt jtjtj tj tj tj gtjtj|jtj|ktj|j}|d|Dt4j|t4jd{Vrt;jd{Vt?j j!j"dkrtF$dtKj&} |'d{Vn*#tP$rtF)dYnwxYw|*|*dddd{VdS#1d{VswxYwYdS)zI Re-populate HackerTrap records using data from database Nc:g|]\}tj|Sr)rfsencode)rrs rjrz5HackerTrapHitsSaver.reset_sa_hits..s"111CQQ111rlrrrr)+r<FILEvaluerrFrrrstatusin_r;r8CLEANUP_STARTEDRESTORE_FROM_BACKUP_STARTED maliciousrcontainsSTANDALONE_MARKr[order_by timestampdesclimitrhtuplesrcrrrrrrrrrCrr:rrrrrr)rqr[r$rs rj reset_sa_hitsz!HackerTrapHitsSaver.reset_sa_hitsts404: 8* (* (* (* (* (* (* (* (!*"677%)),2,<,H(O,,S-@AA, =  *.335566s)**% ( JJ115111J>GM%nn..........$MMM'KLLLLLM--///  % % ' ' 'U* (* (* (* (* (* (* (* (* (* (* (* (* (* (* (* (* (* (* (* (* (* (* (* (* (* (* (* (* (* (s6F=IG:9I:$H!I H!!+I I),I)r)NT).rCrDrErrrPDIR_PDrrOrhrrrr#rrHrrSrVr rcrQrl staticmethodr PathLikerprur{rrrrrr(rr"r'rrrrrrIrrrrrlrjrMrMfs~H#K ?DN'O 8::D((((([(7777[7 D DtDz D D D[ D1Q1tAw147111[1&Hx1Hd8nHHH\HDD[DHX$6["tDz[,P$t*PPP[P B4:BBB[B1111[1[ X)-  !! [!FCC[C??[?;;[;[2:8rr-postponer+detectr/rrra)rqrpossible_actionsris rj _get_handlerzMalwareActionIm360._get_handlers CJ S\\"J" "J*".""   %f-FF   %f-F LLA6        s(A112B&%B&c fd}|S)NcTKjd||d|d{Vtf||dS)N)rYrcr)rr:)rYrcrkwrqrrmessages rjrvz,MalwareActionIm360.postpone..wrappersd#*DyDDDD D D D D D D D(#,E=C rlr)rqrrrrvs``` rjrzMalwareActionIm360.postpones/       rlcKtj|}t|||j|j|j|jd{VdS)N)r)rIrrOrstartedrVtotal_resources)rqr_rrscans rjrzMalwareActionIm360.detectsmg...   I L I             rlcK||\}}|D]4}tdtj|j5i}|D]0}||jg|1i}| D].\} } | |j | fd| i|d{V/| d|D|S)NrrWc3BK|]}|ttfVdSrrrs rjrz9MalwareActionIm360.restore_from_backup..rrlrrs rjrz&MalwareActionIm360.restore_from_backuprrlc6g}g}|D]}|j}d} ttj|}n=#t $r0t dtj|YnwxYw|jtj tj|ktj tktj|k ||||||fSrrrs rjr z)MalwareActionIm360._split_hits_on_restore r r NcP Kd|D}||}t|t|||d{V\ g} fd|D} fd|D} D]1} tj| } t d| 2t|fd|D D]1} tj| } t d| 2t|fd| D|S) Ncg|] }|j Srr r!s rjrz;MalwareActionIm360._restore_from_backup..0r"rlr#c&g|] }|jv |Srr r's rjrz;MalwareActionIm360._restore_from_backup..<r)rlc&g|] }|jv |Srr r+s rjrz;MalwareActionIm360._restore_from_backup..=r-rlr.c2g|]}|tfSrr0r1s rjrz;MalwareActionIm360._restore_from_backup..Dr3rlr4c2g|]}|tfSrr0r6s rjrz;MalwareActionIm360._restore_from_backup..Kr8rlr9r<s @@@rjrz'MalwareActionIm360._restore_from_backup,rBrlc6tj} tj|}n##tt f$rt jcYSwxYw t| |j }n##ttf$rt jcYSwxYw|Srrrs rjrzMalwareActionIm360._get_tmp_dirOrrr}c tKd|D}|j|f|||d|d{V}ttjd{Vfdt jD} g} |D]} t| tru| | j t| j } | | j t| j } tt| j}n(| j } | j } tt| j}t#| \}}| |vr-|| jr | | || |df|}t| trF| j|d<| j|d<| j|d<| j|d <| j|d <| j|d <| j|d <||}|d|| | ||p||| j|d |d{V}| | ||df| S)rcdg|]-}t|jt|t+|.Sr)rr isinstancerJrs rjrz;MalwareActionIm360.apply_default_action..isM   /99 s$:;;     rl)rYrrcNc<i|]}|jv |j|jSr)pw_namepw_uid)rpw panel_userss rj z;MalwareActionIm360.apply_default_action..vs6   z[(( Irz(((rlTr^r\r]rdrerfr_)rVrWrXrcrYrrZr[Fr)rrGrr get_usersrgetpwallrrJrrrrrrVrGrr successfulrrfr^r\r]rdrerfr_rrZ)rqr}rYrcrr[rrrrestore_events uid_to_namerrrrrVrrhandler_kw_argshandlerrbrs @rjrz'MalwareActionIm360.apply_default_action]s      7s6  "+$e  GM          : < < F F H HHHHHHHII     lnn   ) 4) 4C#566 @# 3sy>>BB"sxSX??2C88= x/55?#>t#D#D FLn$$)<)G$ C!4fdCDDD$kkmmO#566 9-0[ *-0[ *-0[ *03 -14 .363D0-0[ *&&v..G!'  #3|+  "        E JJUFE2 3 3 3 3 rlr)NNNN)rCrDrErHrrrrrrrFr9rr r r rrrrRrrIrrrlrjrrsX[.  [    [    j,& '! [:''['>$(   eJ ,- .   [ D  [   II%I eKsD89 :III[IIIrlr)zrFrnrrwrrrry collectionsrloggingrpathlibrtypingrrrr r r r r rrpeeweer defence360agent.contracts.configrrrrrrr%defence360agent.contracts.permissionsrrr&defence360agent.internals.global_scoper$defence360agent.model.simplificationrdefence360agent.subsysrrdefence360agent.subsys.panelsr"defence360agent.subsys.panels.baser r!defence360agent.utilsr"r#r$r%r&r'r(r)imav.contracts.messagesr*r+imav.malwarelib.configr,r-r.r/r0r1r2r3r4r5r6r7r8r9r:r;r<r=r>r?r@rArBrCrDimav.malwarelib.modelrErFrGrHrIimav.malwarelib.scan.mds.reportrJ*imav.malwarelib.subsys.restore_from_backuprKimav.malwarelib.utilsrMimav.malwarelib.utils.submitrN imav.plugins.event_hook_executorrOimav.malwarelib.cleanup.storagerPrCrrbytesrrQrRrzrrrrrKrMrrrlrjr&s* ######                        "!!!!! 544444@@@@@@55555555777777                    6CBBBBBDDDDDD++++++======::::::>====== 8   eR[( ) GCLLg&(> pKpKpKf+++\< J# J%S/ J J J JJJJJJJJJZ---S(S(S(S(S(S(S(S(l kkkkkkkkkkrl