K6h. PdZddlZddlZddlZddlZddlZddlZddlmZddl m Z m Z m Z m Z mZddlmZmZddlmZddlmZddlmZdd lmZejeZed Zed Zed z Zd Z dZ!dZ"dZ#dZ$dZ%dZ&dZ'dZ(edZ)Gdde*Z+dede e,ddfdZ-de e,dee e,e e,ffdZ.dede e,fdZ/Gd d!e0Z1Gd"d#e,Z2d$e,d%e,dee e,e e,ffd&Z3Gd'd(Z4d)e,de e,d*e e,de4fd+Z5Gd,d-Z6d)e,de e,de6fd.Z7deddfd/Z8d0ed1ede9fd2Z:ded3e e egdfde9fd4Z;d:d5Zd:d8Z?de9fd9Z@dS);u  This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program.  If not, see . Copyright © 2019 Cloud Linux Software Inc. This software is also available under ImunifyAV commercial license, see N)Path)CallableIterableListSetTuple)ANTIVIRUS_MODEMalware) HostingPanel) check_run)MalwareIgnorePath) crontab_pathz4/etc/sysconfig/imunify360/malware-filters-admin-confz)/var/imunify360/files/realtime-av-conf/v1 processedzpd-combined.txtzav-internal.txtz av-admin.txtzav-admin-paths.txtignoredizimunify-realtime-avz/usr/bin/i360-exclcompz/usr/sbin/imunify-realtime-avceZdZdZdS)PatternLengthErrorz(Raised when pattern's length is too big.N)__name__ __module__ __qualname____doc__L/opt/imunify360/venv/lib/python3.11/site-packages/imav/subsys/realtime_av.pyrr;s22Drrdirbasedirsreturnc|dz d5}t|D]7}|tj|dz8 ddddS#1swxYwYdS)z+Save list of basedirs in a file inside dir.zbasedirs-list.txtw N)opensortedwriteospathrealpath)rrfbasedirs r_save_basedirsr(As # # ) )# . .6!h'' 6 6G GGBG$$W--4 5 5 5 5 6666666666666666666sAA//A36A3pathscgg}}|D]J}|dr||dd5||K||fS)zSplit paths into two lists: absolute and relative. Relative paths start with +. This + sign is removed from resulting path.+N) startswithappend)r)absoluterelativer$s r _split_pathsr1HsmRhH"" ??3   " OODH % % % % OOD ! ! ! ! X rr$c |5}d|D}d|DcdddS#1swxYwYdS#t$rgcYSwxYw)zRead file at path and return its lines as a list. Empty lines or lines starting with '#' symbol are skipped. Lines are stripped of leading and trailing whitespace. If the file does not exist, empty list is returned.c6g|]}|Sr)strip).0lines r z_read_list..]s 000dTZZ\\000rcbg|],}t|dk|d*|-S)r#)lenr-)r5xs rr7z_read_list..^s3MMM!A 1<<;L;L A rN)r FileNotFoundError)r$r&liness r _read_listr>Us  YY[[ NA00a000EMMuMMM N N N N N N N N N N N N N N N N N N  s.A; A?A?A AAceZdZdZdeedeeddffd Zedede fdZ ed eedeedeefd Z d e ddfd Z xZS) _Watchedz8Holds a list of watched glob patterns ready to be saved.rrrNctt|\}}fd|||zDdS)Nc3K|]8}|tj|V9dSN) _is_validr#r$r%)r5pselfs r z$_Watched.__init__..isY  ~~a   G  Q        r)super__init__r1extend_extend_relative)rFrrr/r0 __class__s` rrIz_Watched.__init__fs )!__(      5 5h I II        rpatterncj|dstd|dSdS)z(Return True if watched pattern is valid./z+skipping watched path %s: not starts with /FTr-loggerwarningrMs rrDz_Watched._is_validosA!!#&&  NN=w   5trr)cg}|D]:}|D]5}|tj||6;|S)z7Join basedirs with all paths and return resulting list.)r.r#r$join)r)rextendedr$r's rrKz_Watched._extend_relativeysV = =D# = = Wd ; ;<<<< =rr$c|d5}|d|ddddS#1swxYwYdS)z$Save watched list at specified path.rrN)r r"rUrFr$r&s rsavez _Watched.saves YYs^^ %q GGDIIdOO $ $ $ % % % % % % % % % % % % % % % % % %s)A  AA)rrrrrstrrrI staticmethodboolrDrKrrY __classcell__)rLs@rr@r@csBB $s) s3x D      34\S SX$s)\%%$%%%%%%%%rr@ceZdZdZededefdZededefdZededefdZ e de ede eddfd Z d efd Zd S) _Ignoredz:Holds a list of ignored regexp patterns ready to be saved.rMrcj|drtd|dSdS)z1Return True if relative ignored pattern is valid.^z0skipping relative ignored path %s: starts with ^FTrPrSs r_is_valid_relativez_Ignored._is_valid_relativesA   c " "  NNBG   5trcD|dr |ddS|S)z.Remove leading slash from pattern, if present.rOr,N)r-rSs r_remove_leading_slashz_Ignored._remove_leading_slashs-   c " " 122; rc tj|dS#t$rtd|YdSwxYw)z7Return True if pattern successfully compiles as regexp.Tz*skipping ignored pattern %s: invalid regexF)recompile ExceptionrQrRrSs r _compilesz_Ignored._compiless[  Jw   4    NNg|]}||Sr)rir5rEclss rr7z*_Ignored.from_patterns..s*<<.sa   %%a(( .1]]1-=-=  % %a ( (   rrz^(?:{})/(?:{})|z^$)r1r:formatrUr.r_)rnrjrr/r0relative_patternpats` r from_patternsz_Ignored.from_patternss *(33(<<<lowerexistsrJ _ADMIN_PATH)ryrz common_dirinternal panel_paths r _read_configsrs{(*J*t+,,H%++--/J7 :#455666 Z d 233 33rc2eZdZdededdfdZdeddfdZdS) _WatchedCtxradminrNc"||_||_dSrC)rr)rFrrs rrIz_WatchedCtx.__init__s   rrc|dz }|d|j|tz |j|t z dS)NwatchedTexist_ok)mkdirrrY_INTERNAL_NAMEr _ADMIN_NAMErFrrs rrYz_WatchedCtx.savesX )O  1~-... K(((((r)rrrr@rIrrYrrrrrs_(t))))))))rr panel_nameextract|d\}}||tt||t||S)Nz watched.txt)rrJrr@)rrrinternal_watched admin_watcheds r_watched_contextrsY'4J &N&N#mE""" !8,,h}h.O.O  rc6eZdZdedededdfdZdeddfdZdS) _IgnoredCtxrrpdrNc0||_||_||_dSrC)rrr)rFrrrs rrIz_IgnoredCtx.__init__s!  rrc|tz }|d|j|tz |j|t z |j|tz dS)NTr) _IGNORED_SUB_DIRrrrYrrrr_PD_NAMErs rrYz_IgnoredCtx.savesr " "  1~-... K(((  Q\"""""r)rrrr_rIrrYrrrrrsj )17? ########rrct|d\}}tt||t||t||z|S)Nz ignored.txt)rrr_ru)rrinternal_ignored admin_ignoreds r_ignored_contextrsi&3J &N&N#m /::}h77/-?JJ  rctj}dd|D}|tz tz }||dS)Nrc3hK|]-}tjtj|dzV.dS) N)base64 b64encoder#fsencode)r5r$s rrGz'_admin_ignored_paths..sM$$8<T**++e3$$$$$$r)r path_listrUr_ADMIN_PATHS_NAME write_bytes)r ignored_pathsignored_paths_base64targets r_admin_ignored_pathsrsn%/11M88$$@M$$$# #&7 7F +,,,,,rdir1dir2cX|D]}|rt|||jz rdS|sF||jz }|sdS||krdSdS)zXCompare content of two folders if files in this directory are the same return False.TF)iterdiris_dir_contain_changesrzis_filer read_bytes)rrfileothers rrr s    ;;== dTY&677 tt||~~  ty ||~~ 44 ??   0 0 2 2 2 244 3 5rsaversc|d}|r!tjt |||D] }|||r|d}|r!tjt ||| ||n$#t$r||wxYwt||S||dS)zySave configs in directory dir using saves callable. Each function in savers will be called with single dir argument.z.tmpz.backupT) with_suffixrshutilrmtreerZr with_namerenamerhr)rrtemprYbackups r _save_configsrs2 ??6 " "D {{}}! c$ii   JJLLL T  zz|| y)) ==?? ' M#f++ & & & 6  KK        MM#      V,,, Cts #C99!Dcttz tz }ttz } |}|r2t jt|t|ks+| | |dSdS#t$r| |YdSwxYwrC) _PROCESSED_PATHrrrlstat is_symlinkr#readlinkrZunlink symlink_tor<)rsource_s r_update_pd_symlinkr:s / /( :F 8 #F & LLNN      &$&KF $<$<F $K$K MMOOO   f % % % % %%L$K """&!!!!!!"sB//CCc t}|ttjr.t tttfdt|j j t|j j tg}t|S)z*Generate new malware paths filters config.c,t|hSrC)r()rr extra_watcheds rz"generate_configs..Wss,Gh,G,GHHr)r)r rsetr CRONTABS_SCAN_ENABLEDaddrZrrrrNAMErYrrr)rychangedrrs @@rgenerate_configsrKs NNE~~HEEM$/#lnn--... H H H H H UZ G G G L UZ 2 2 7  G Nrc4tSrC) _BIN_PATHrrrr is_installedras     rcKtdtdgttgg}|D]L} |d{V #tj$rt $r%}t d|Yd}~Ed}~wwxYwdS)Nservicerestartz)realtime_av.reload_services exception: %s)r REALTIME_SERVICE_NAME _PD_PREPAREasyncioCancelledErrorrhrQrR)taskstes rreload_servicesres93Y?@@;-   EKK KGGGGGGGG%     K K K NNF J J J J J J J J K KKs=A;A66A;c*t o tjSrC)r r INOTIFY_ENABLEDrrrshould_be_runningrss  9'"99r)rN)Arrrloggingr#rfrpathlibrtypingrrrrr defence360agent.contracts.configr r +defence360agent.subsys.panels.hosting_panelr defence360agent.utilsr imav.malwarelib.modelr imav.malwarelib.scan.crontabr getLoggerrrQrr}rrrrrrrwREALTIME_PACKAGErrrrhrrZr(r1r>listr@r_rrrrrrr\rrrrrrrrrrrsm*  77777777777777DDDDDDDDDDDDDD++++++333333555555  8 $ $dIJJ ABB + " ((-& D0 1 1         66C6T6666 S eDItCy,@&A     T d3i    "%"%"%"%"%t"%"%"%J=====s===@ 4 4C 4E$s)T#Y2F,G 4 4 4 4 ) ) ) ) ) ) ) )"3x3;C= # # # # # # # # C[-d-t----4t"tT(D64<*@%Ad8&&&&"$,d K K K K:4::::::r