Hacked By AnonymousFox

Current Path : /opt/imunify360/venv/lib/python3.11/site-packages/imav/malwarelib/subsys/__pycache__/
Current File : //opt/imunify360/venv/lib/python3.11/site-packages/imav/malwarelib/subsys/__pycache__/malware.cpython-311.pyc
�

��g�����dZddlZddlZddlZddlZddlZddlZddlZddlm	Z	ddl
mZddlm
Z
ddlmZmZmZmZmZmZmZmZmZmZddlmZddlmZmZmZmZm Z m!Z!m"Z"dd	l#m$Z$m%Z%m&Z&dd
l'm(Z(ddl)m*Z*ddl+m,Z,dd
l-m.Z.ddl/m0Z0m1Z1ddl2m3Z3m4Z4m5Z5m6Z6m7Z7m8Z8m9Z9m:Z:ddl;m<Z<m=Z=ddl>m?Z?m@Z@mAZAmBZBmCZCmDZDmEZEmFZFmGZGmHZHmIZImJZJmKZKmLZLmMZMmNZNmOZOmPZPmQZQmRZRmSZSmTZTmUZUmVZVddlWmXZXmYZYmZZZm[Z[m\Z\ddl]m^Z^ddl_m`Z`ddlambZbddlcmdZdddlemfZferddlgmhZheei��ZjeekelejmfZmed��ZnedeZe^��Zod�Zpd�Zqd�Zrdekdeekekffd �ZsGd!�d"��Ztd#�ZuGd$�d%��ZvGd&�d'et��ZwdS)(u

This program is free software: you can redistribute it and/or modify it under
the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License,
or (at your option) any later version.


This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the GNU General Public License for more details.


You should have received a copy of the GNU General Public License
 along with this program.  If not, see <https://www.gnu.org/licenses/>.

Copyright © 2019 Cloud Linux Software Inc.

This software is also available under ImunifyAV commercial license,
see <https://www.imunify360.com/legal/eula>
�N)�defaultdict)�	getLogger)�Path)
�Callable�
Collection�Dict�Iterable�List�
TYPE_CHECKING�Tuple�TypeVar�Union�cast)�IntegrityError)�Core�
HackerTrap�MyImunifyConfig�UserType�"choose_use_backups_start_from_date�choose_value_from_config� should_try_autorestore_malicious)�MS_CONFIG_DEFAULT_ACTION_EDIT�has_permission�myimunify_protection_enabled)�g)�run_in_executor)�
web_server)�
hosting_panel)�ModsecVendorsError�PanelException)�COPY_TO_MODSEC_MAXTRIES�LazyLock�atomic_rewrite�base64_decode_filename�base64_encode_filename�log_failed_to_copy_to_modsec�retry_on�
safe_sequence)�MalwareCleanupRevert�MalwareCleanupTask)�ADDED_TO_IGNORE�CLEANUP�CLEANUP_DONE�CLEANUP_ON_SCHEDULE�CLEANUP_REMOVED�DELETED_FROM_IGNORE�FAILED_TO_CLEANUP�FAILED_TO_DELETE_FROM_IGNORE�FAILED_TO_IGNORE�FAILED_TO_RESTORE_FROM_BACKUP�FAILED_TO_RESTORE_ORIGINAL�FAILED_TO_STORE_ORIGINAL�FOUND�MalwareEvent�MalwareEventPostponed�MalwareHitStatus�MalwareScanResourceType�MalwareScanType�NOTIFY�REQUIRES_MYIMUNIFY_PROTECTION�RESTORED_FROM_BACKUP�RESTORED_ORIGINAL�SUBMITTED_FOR_ANALYSIS�UNABLE_TO_CLEANUP)�MalwareHistory�
MalwareHit�MalwareHitAlternate�MalwareIgnorePath�MalwareScan)�MalwareDatabaseHitInfo)�
restore_files��	hash_path)�submit_in_background)�
detected_hook)�
RestoreReport�T�HitInfoTypec����tj���											d�fd�	��}tj���											d�fd�	��}tj���r|n|S)z8Decorator responsible for logging malware events into DBNc�������������	�
���
��K��|f����ptj����	�
�d�
|���d{V���ttj������
�	����������
fd����d{V���S)N�
�path�
file_owner�	file_user�	initiator�app_name�
resource_type�db_host�db_port�db_name�scan_idc�T��tj�
j���	��������
������S)N��eventrTrXrYrUrVrW�causerZr[r\�
table_name�table_field�
table_row_infr])rC�
save_event�title)rXrarZr\r[rUrVrWrTrY�resultr]rcrbrds����������������S/opt/imunify360/venv/lib/python3.11/site-packages/imav/malwarelib/subsys/malware.py�<lambda>z?update_malware_history.<locals>.async_wrapper.<locals>.<lambda>�sH���N�-��l��!�+�%�#�#�����%�'�+������)r�ROOTr�asyncio�get_event_loop��clsrTrUrVrWrarYrXrZr[r\rbrcrdr]�kwargsrg�coros `````````````` @�rh�
async_wrapperz-update_malware_history.<locals>.async_wrapper�s"��������������������&�t��

��!���0�8�=��'�����

�

��

�

�

�

�

�

�

�

����"�$�$�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�	
�	
�	
�	
�	
�	
�	
�(�
rjc����|f||||ptj||||	|
|d�
|��}tj|j|||||||||	|
|||
|���|S)NrSr_)rrkrCrerfrns                 �rh�wrapperz'update_malware_history.<locals>.wrapper�s����&���

��!���0�8�=��'�����

�

��

�

��	�!��,���'�!�������!�#�'��	
�	
�	
�	
�"�
rj)NNNNNNNNNNN)�	functools�wrapsrl�iscoroutinefunction)rqrrrts`  rh�update_malware_historyrx�s�����_�T��������������5�5�5�5�5���5�n�_�T��������������2�2�2�2�2���2�h$�7��=�=�J�=�=�7�Jrjc�<��	ddttf�fd�
}|S)��
    Decorator responsible for logging multiple malware events into DB at once.
    Decorated function accepts an iterable of `MalwareHit`s.
    N�hitsc������K�tj��fd�|D����d{V��}|s|Stj��fd�t	||��D����|S)Nc3�T�K�|]"}��|j|j|j���V��#dS))rTrUrVN)�	orig_file�owner�user)�.0�hitrorqs  ��rh�	<genexpr>zCmultiple_update_malware_history.<locals>.wrapper.<locals>.<genexpr>s\��������
�����"�y�!�h�	��������rjc����g|]^\}}|j|j|j|j|j|j�ptj�ptj	|j
|j|j|j
d���_S))r`rTrYrXrUrVrarWrZr[r\r])rfr~rYrXrr�r<�MANUALrrkrZr[r\�scanid�r�r�rgrarWs   ��rh�
<listcomp>zDmultiple_update_malware_history.<locals>.wrapper.<locals>.<listcomp>s~���
�
�
� �C��$�\��M�%(�%6� #��"%�)�!$��"�<�o�&<�!*�!;�h�m�"�{�"�{�"�{�"�z�
�
�
�
�
rj)rl�gatherrC�save_events�zip)ror{rWra�resultsrqs` `` �rhrtz0multiple_update_malware_history.<locals>.wrappers��������� ������� ����

�

�

�

�

�

�

���	��N��"�
�
�
�
�
�$'�t�W�#5�#5�
�
�
�	
�	
�	
�&�rj�NN�r	rD�rqrts` rh�multiple_update_malware_historyr��sB���@D�#�#��J�'�#�#�#�#�#�#�J�Nrjc�<��	ddttf�fd�
}|S)rzNr{c�����K��||fi|���d{V��}|s|Stj��fd�|���D����|S)Nc	���g|]:\}}|j|j|j|j�ptj�ptjd���;S))r`rTrUrVrarW)rfr~rr�r<r�rrkr�s   ��rhr�z@bulk_update_malware_history.<locals>.wrapper.<locals>.<listcomp>6s_���

�

�

� �C��$�\��M�"%�)�!$��"�<�o�&<�!*�!;�h�m�
��

�

�

rj)rCr��items)ror{rarWrp�hit_resultsrqs  ``  �rhrtz,bulk_update_malware_history.<locals>.wrapper/s��������!�D��d�5�5�f�5�5�5�5�5�5�5�5���	����"�

�

�

�

�

�$/�#4�#4�#6�#6�

�

�

�	
�	
�	
��rjr�r�r�s` rh�bulk_update_malware_historyr�)sA���@D����J�'�������*�Nrj�username�returnc��tjrt|��s	t|fSt	t
|��rt
dd|��St
dd��S)N�MALWARE_SCANNING�default_action)r�ENABLEDrr=rrr�r�s rh�choose_action_for_maliciousr�Gsi����$�+�H�5�5�	$��8�#�#��3�X�>�>�
�'�� 0�(�
�
�	
�$�$6�8H�I�I�Irjc�P�eZdZdZee��Zed���Zed���Z	ee
	ddefd�����Zee
defd�����Z
ee
defd�����Zee
d	�����Zee
d
�����Zee
d�����Zee
dd�d
eddfd�����Zeed�����Zeed�����Zeed�����Zeed�����Zeed�����Ze			ddeedeeeeeeffd���Zed���Zed���Z ed���Z!ee"de#e$effd�����Z%e	ddeee$effd���Z&dS)�
MalwareActionz�
    Responsible for manipulations with malware files.
    As long as each handler function is wrapped in `update_malware_history`,
    arguments should be passed in kwargs form.
    c	��K�|j|D]w}	||t|�����d{V���##tj$r�t$r9}t
�d�|||����Yd}~�pd}~wwxYwdS)z$Execute callback for specific actionNzEError '{!r}' happened when run callback {} forMalwareAction {} method)�	_CALLBACKr8rl�CancelledError�	Exception�logger�	exception�format)ro�method_namerTrf�callback�es      rh�run_callbacks_forzMalwareAction.run_callbacks_for]s������
�k�2�		�		�H�
��h�t�\�%�%8�%8�9�9�9�9�9�9�9�9�9�9���)�
�
�
���
�
�
�� � �.�.4�f�Q��+�.N�.N�������������
����		�		s�3�B�/B�Bc�F�|j|�|��dS�N)r��add)ror�rqs   rh�add_callbackzMalwareAction.add_callbackls#���
�k�"�&�&�t�,�,�,�,�,rjNr�c��PK�t|||��tt��Sr�)rLr8rA)rorT�type�reason�_s     rh�submit_for_analysisz!MalwareAction.submit_for_analysisps)����
	�T�4��0�0�0��2�3�3�3rjc����K�	ttj����fd����d{V��t}n#t$r
t
}YnwxYwt
|��S)Nc�0��tj�����S)N�rTrY)rF�creater�s��rhriz&MalwareAction.ignore.<locals>.<lambda>~s���)�0��]����rj)rrlrmr+rr3r8)rorTrYr�rfs ``  rh�ignorezMalwareAction.ignorexs�������
	$�!��&�(�(��������
�
�
�
�
�
�
�$�E�E���	%�	%�	%�$�E�E�E�	%�����E�"�"�"s�+9�A
�A
c���tj���tj|k�����}t|rtnt��Sr�)rF�delete�whererT�executer8r0r2)rorTr��deleteds    rh�delete_from_ignore_syncz%MalwareAction.delete_from_ignore_sync�sW��
�$�&�&�
�U�$�)�T�1�
2�
2�
�W�Y�Y�	�
�#*�L���0L�
�
�	
rjc��.K�tt��Sr�)r8r7�ror��__s   rh�notifyzMalwareAction.notify�s�����E�"�"�"rjc��.K�tt��Sr�)r8r5r�s   rh�cleanup_failed_restorez$MalwareAction.cleanup_failed_restore�s�����6�7�7�7rjc��.K�tt��Sr�)r8r6r�s   rh�cleanup_failed_storez"MalwareAction.cleanup_failed_store�s�����4�5�5�5rj)�reportrWr�rNc���K�|rWtjd��x}rA||_|�t	|��������d{V��t
t��S)N�sink)r�getrW�process_messager)�to_dictr8r@)rorWr�r�r�r�s      rh�cleanup_restored_originalz'MalwareAction.cleanup_restored_original�sv����
�	O�q�u�V�}�}�,�t�	O�(�F���&�&�';�F�N�N�<L�<L�'M�'M�N�N�N�N�N�N�N�N�N��-�.�.�.rjc��.K�tt��Sr�)r8rBr�s   rh�cleanup_unablezMalwareAction.cleanup_unable�������-�.�.�.rjc��rK�|�d|t���d{V��tt��S)N�cleanup)r�r-r8)rorTr�r�s    rh�cleanup_donezMalwareAction.cleanup_done�s@�����#�#�I�t�\�B�B�B�B�B�B�B�B�B��L�)�)�)rjc��.K�tt��Sr�)r8r/r�s   rh�cleanup_removedzMalwareAction.cleanup_removed�s�����O�,�,�,rjc��.K�tt��Sr�)r8r1r�s   rh�cleanup_failedzMalwareAction.cleanup_failed�r�rjc��.K�tt��Sr�)r8r>r�s   rh�%cleanup_requires_myimunify_protectionz3MalwareAction.cleanup_requires_myimunify_protection�s�����9�:�:�:rjr{c
���K�g}|D]b}t|j���\}}	|jd|j|j|j|p|	|d�|���d{V��}
|�||
tdf���c|S)�8Perform action with malware which user set in the configr�)rUrVrTrWraNF�)r�r�r�rr~�appendr=)ror{rWrar�rpr��hr��config_ownerr`s           rh�apply_default_actionz"MalwareAction.apply_default_action�s��������
	6�
	6�A�9�1�6�J�J�J�O�A�|�$�#�*���7��&��[�#�3�|�����
��������E�
�N�N�A�u�f�e�4�5�5�5�5��rjc��LK�|D]}||j|j���d{V���dS)z�
        Apply the action to multiple hits
        :param action: thr action to apply
        :param hits: list of hits
        N)r~r�)ro�actionr{r�s    rh�multiplezMalwareAction.multiple�sL�����	2�	2�C��&�����1�1�1�1�1�1�1�1�1�1�	2�	2rjc�6�tj��}	tj|��}n##tt
f$rtjcYSwxYw	t|�	|j
����}n##ttf$rtjcYSwxYw|Sr��
r�HostingPanel�pwd�getpwnam�KeyError�	TypeErrorr�TMPDIR�str�
base_home_dir�pw_dir�RuntimeError�FileNotFoundError�rorU�hpr��tmp_dirs     rh�_get_tmp_dirzMalwareAction._get_tmp_dir����
�
'�
)�
)��	��<�
�+�+�D�D���)�$�	�	�	��;����	����	��"�*�*�4�;�7�7�8�8�G�G���/�0�	�	�	��;����	������!�*�A
�	A
�'A6�6B�Bc�6�g}g}|D�]}|j}d}	ttj�|����}n=#t
$r0t�dtj|����YnwxYw|�jtj
���tj|ktjtktj|k�����	�|�|����|�|����||fS�Nz4File %s not found during restore from backup process�r~�int�osrT�getctimer�r��warningr(rC�selectr�r`r4�ctime�firstr��ror{�
to_restore�not_restorer�rT�
file_ctimes       rh�_split_hits_on_restorez$MalwareAction._split_hits_on_restore��*���
����	(�	(�C��=�D��J�
� ���!1�!1�$�!7�!7�8�8�
�
��$�
�
�
����J�!�&�t�,�,������
�����"�!�(�*�*���"�'�4�/�"�(�,I�I�"�(�J�6���
�������!�!�#�&�&�&�&��"�"�3�'�'�'�'��;�&�&��,A�7A;�:A;c���K�|�|��\}}|D]4}t�dtj|j�����5i}|D]0}|�|jg���|���1i}|�	��D].\}	}
|�
|j|
fd|	i|���d{V�����/|�
d�|D����|S)N�HFile %s wasn't restored from backup, because last restore attempt failedrUc3�BK�|]}|tt��fV��dSr��r8r4�r�r�s  rhr�z4MalwareAction.restore_from_backup.<locals>.<genexpr>3�D����
�
���,�<�=�=�>�
�
�
�
�
�
rj�rr�r�r(rTr~�
setdefaultr�r�r��update�_restore_from_backup�ror{rprr�f�	user_hitsr��resr��_hitss           rh�restore_from_backupz!MalwareAction.restore_from_backup�^����
#&�"<�"<�T�"B�"B��
�K��	�	�A��N�N�8��"�1�;�/�/�
�
�
�
��	��	;�	;�C�� � ���2�.�.�5�5�c�:�:�:�:���$�?�?�,�,�	�	�K�D�%��J�J�.�c�.����&*��.4���������
�
�
�
�
	�
�
�
�
�"�
�
�
�	
�	
�	
��
rjc��P��
�K�d�|D��}|�|��}t|t|��||����d{V��\�
�g}�
fd�|D��}�fd�|D��}	�
D]1}
tj|
��}t
�d|���2t�|��fd�|D�����D]1}
tj|
��}t
�	d|���2t�|��fd�|	D����|S)	Nc��g|]	}|j��
Sr��r~�r�r�s  rhr�z6MalwareAction._restore_from_backup.<locals>.<listcomp>=���+�+�+����+�+�+rj��files�untilr�r�c�&��g|]
}|j�v�|��Sr�r�r�r��restoreds  �rhr�z6MalwareAction._restore_from_backup.<locals>.<listcomp>I�%���D�D�D�q�A�K�8�,C�,C��,C�,C�,Crjc�&��g|]
}|j�v�|��Sr�r�r�r��faileds  �rhr�z6MalwareAction._restore_from_backup.<locals>.<listcomp>J�%���@�@�@�Q�!�+��*?�*?�q�*?�*?�*?rj� File %s was restored from backupc�2��g|]}|t���f��Sr��r8�r��rhrfs  �rhr�z6MalwareAction._restore_from_backup.<locals>.<listcomp>Q�&���F�F�F�"�R��e�,�,�-�F�F�Frj�#File %s wasn't restored from backupc�2��g|]}|t���f��Sr�r,�r��fhrfs  �rhr�z6MalwareAction._restore_from_backup.<locals>.<listcomp>X�&���D�D�D�"�R��e�,�,�-�D�D�Drj�r�rIrr(rTr��infor?�extendr�r4�ror{rUr�r��pathsr�r�
restored_hits�failed_hits�p�	safe_pathr(r$rfs            @@@rhrz"MalwareAction._restore_from_backup9��������,�+�d�+�+�+���"�"�:�.�.��!.��4�Z�@�@���	"
�"
�"
�
�
�
�
�
�
���&���D�D�D�D�D�D�D�D�
�@�@�@�@�$�@�@�@���	G�	G�A�%�*�1�-�-�I��K�K�:�I�F�F�F�F�$���
�
�F�F�F�F�
�F�F�F�G�G�G��	M�	M�A�%�*�1�-�-�I��N�N�@�)�L�L�L�L�-���
�
�D�D�D�D��D�D�D�E�E�E��
rjr�)NNN)'�__name__�
__module__�__qualname__�__doc__r�setr��classmethodr�r�rxr8r�r�r�r�r�r�r�r�r�r�r�r�r�r�r
rEr�boolr�r�r�rr�rrDrrr�rjrhr�r�Ts�����������C� � �I�����[���-�-��[�-��� $�4�4�	�4�4�4����[�4���#�|�#�#�#����[�#���
�<�
�
�
����[�
���#�#����[�#���8�8����[�8���6�6����[�6���;?�/�/�/��/�)8�/�/�/����[�/��$�/�/�%�$��[�/��$�*�*�%�$��[�*��$�-�-�%�$��[�-��$�/�/�%�$��[�/��$�;�;�%�$��[�;����
����&�'��
�e�'��s�D�@�A�	B�����[��2�2�2��[�2�����[���'�'��[�'�>� ��	
�j�,�&�	'����!� ��[��:�$(� � �	
�e�J��,�-�	.� � � ��[� � � rjr�c�<�t�||��dSr�)r�r�)r�rqs  rh�subscribe_to_malware_actionrG]s�����v�t�,�,�,�,�,rjc�H�eZdZejZejZejZdZ	dZ
dZe��Z
ed defd���Zedefd���Zed deefd	���Zedeed
eedeefd���Zedeedeefd���Zed
���Zedeefd���Zed!deefd���Zed
eefd���Zed
eefd���Zedefd���Zed���Z ee!e"e#e$d���d�����Z%ed���Z&ed���Z'ed���Z(ed���Z)ed
eedeede*fd���Z+ed
eedeefd���Z,ed���Z-dS)"�HackerTrapHitsSaveri�i�Qz-SA-Nr�c�>�|p|j}t|j|��Sr�)�NAMEr�BASE_DIR)ro�filename�names   rh�	_filepathzHackerTrapHitsSaver._filepathjs ���#�3�8���C�L�$�'�'�'rjc�<�t|j|jdz��S)Nz.clean)rrLrK�ros rh�_clean_filepathz#HackerTrapHitsSaver._clean_filepathos���C�L�#�(�X�"5�6�6�6rj�	file_listc��	t|�|��d�d�|D����ddd���dS#t$r&}t�d|��Yd}~dSd}~wwxYw)N�
c3�4K�|]}t|��V��dSr�)r%)r�rNs  rhr�z-HackerTrapHitsSaver._write.<locals>.<genexpr>xs+����N�N�D�1�$�7�7�N�N�N�N�N�NrjFT�)�backup�allow_empty_content�permissionsz#Unable to write HackerTrap file: %r)r#rO�join�OSErrorr��error)rorSrM�oes    rh�_writezHackerTrapHitsSaver._writess���		D���
�
�h�'�'��
�
�N�N�I�N�N�N�N�N��$(�!�
�
�
�
�
�
���	D�	D�	D��L�L�>��C�C�C�C�C�C�C�C�C�����	D���s�AA�
A8�A3�3A8�files_to_addc���t|��}|���}|D]0}||vr|�|��|�|���1||jd�S)a>
        adds files_to_add to file_list
        the method has side_effect (file_list will be modified)
        yet, given that it is private class method -- we can do it
        :param file_list: existing files
        :param files_to_add: files to add
        :return: joined list, limited to MAX_HITS_COUNT
        N)rC�copy�remover��MAX_HITS_COUNT)rorSr`�file_set�
_file_list�files      rh�_extendzHackerTrapHitsSaver._extend�s|���y�>�>���^�^�%�%�
� �	$�	$�D��x����!�!�$�'�'�'����d�#�#�#�#��3�-�-�/�/�0�0rjc��d�|D��S)a
        This method checks if any of the files on the list is present
        and removes that entry from the list
        :param file_list: list of files
        :return: new list of files, in the same order, with files that exist
        skipped
        c�P�g|]#}tj�|���!|��$Sr�)r�rT�exists)r�rgs  rhr�z3HackerTrapHitsSaver._clean_list.<locals>.<listcomp>�s+��G�G�G��"�'�.�.��2F�2F�G��G�G�Grjr�)rSs rh�_clean_listzHackerTrapHitsSaver._clean_list�s��H�G��G�G�G�Grjc��||z
|jkSr�)�SECONDS_BEFORE_CLEAN)ro�
file_mtime�current_times   rh�
_should_cleanz!HackerTrapHitsSaver._should_clean�s���j�(�3�+C�C�Crjc�R�|���}|���ri|�|���jtj����r*|�d��|�|��}n|�d��|S)z�
        We will use extra file to track last time we cleaned
        For that we will use mtime of that file
        :param file_list: list to clean
        :return: cleaned list
        rj)rRrkrq�stat�st_mtime�time�write_bytesrl)rorSr<s   rh�_clean_filezHackerTrapHitsSaver._clean_file�s���
���!�!���8�8�:�:�	�� � ������!2�D�I�K�K�@�@�
7��
�
�c�"�"�"��O�O�I�6�6�	��
�M�M�#�����rjTc��	|�|��������}g}|D]]}	|�t	|�����&#t
j$r&}t�d||��Yd}~�Vd}~wwxYw|r|�	|��n|S#t$rgcYSwxYw)Nz*Can't decode filepath [%r] with error [%r])rO�
read_bytes�splitr�r$�binascii�Errorr�r]rwr�)rorM�skip_existsrS�decoded_file_listrgr�s       rh�_readzHackerTrapHitsSaver._read�s��	��
�
�h�'�'�2�2�4�4�:�:�<�<�
�-/��!�
�
���%�,�,�-C�D�-I�-I�J�J�J�J���~�����L�L�D�d�A������������������'���� 1�2�2�2�&�
��!�	�	�	��I�I�I�	���s;�?B6�"A%�$B6�%B�4B�B6�B�B6�6C�Cc��rK�|j|g|�Ri|���d{V��|�g|����d{V��dS)z"Same behavior as for separate hit.N)r`�files_to_remove)�	_add_hits�update_sa_hits)ror`�argsrps    rh�add_hitszHackerTrapHitsSaver.add_hits�sm�����c�m�L�:�4�:�:�:�6�:�:�:�:�:�:�:�:�:�� � �b�,� �O�O�O�O�O�O�O�O�O�O�Orjc��0K�	|���}|�||��}|�|��|�|j���d{V��dS#t
$r&}t�d|��Yd}~dSd}~wwxYw)Nz!Unable to read HackerTrap file %r)rrhr_�_copy_to_modsec_rulesrKr\r�r])ror`r�rprSrgr^s       rhr�zHackerTrapHitsSaver._add_hits�s�����	B�$'�I�I�K�K�I�!$���Y��!E�!E�F��J�J�v�����+�+�C�H�5�5�5�5�5�5�5�5�5�5�5���	B�	B�	B��L�L�<�b�A�A�A�A�A�A�A�A�A�����	B���s�AA%�%
B�/B�B�file_to_addc��>K�|�|g���d{V��S)z�When storing separate hit it needs to be added to
        malware_found_b64.list
        and excluded from malware_sa_found_b64.list as well from
        proactive/dangerous/[hash]N�r�)ror�r�rps    rh�add_hitzHackerTrapHitsSaver.add_hit�s.�����\�\�;�-�0�0�0�0�0�0�0�0�0rjc��@K�|�g���d{V��dSr�r�rQs rh�initzHackerTrapHitsSaver.init�s0�����l�l�2�����������rj)�	max_tries�on_error�silentc��.K�tj��}	|����d{V��}nF#ttf$r2}t
�t|����Yd}~dSd}~wwxYw	|�||���d{V��}n3#t$r&}t
�	d|��Yd}~dSd}~wwxYwttj|��}|�
|jdz��}|���rz|���j|���jkrF|���|���krt
�d��dS	t)jt|��t|����|�|��dS#t.$r}|�d}~wt0$r&}t
�d|��Yd}~dSd}~wwxYw)NFz%Can't get malware found list file: %sz.tmpzNothing to updateTz%Failed to copy malware found list: %s)rr��get_i360_vendor_namerr r�r�r��build_vendor_file_pathr�rr�DIR�with_suffix�suffixrkrs�st_sizeryr6�shutilrb�renamer�r\r])ro�malware_list_namer��vendorr��target�
found_list�
target_tmps        rhr�z)HackerTrapHitsSaver._copy_to_modsec_rules�s1�����
'�
)�
)��	��2�2�4�4�4�4�4�4�4�4�F�F��"�N�3�	�	�	��N�N�3�q�6�6�"�"�"��5�5�5�5�5�����	����	��4�4�V�=N�O�O�O�O�O�O�O�O�F�F��!�	�	�	����D�a�H�H�H��5�5�5�5�5�����	�����*�.�*;�<�<�
��'�'��
��(>�?�?�
�
�M�M�O�O�	����
�
�%����):�):�)B�B�B��!�!�#�#�z�'<�'<�'>�'>�>�>��K�K�+�,�,�,��5�	��K��J����Z���9�9�9����f�%�%�%��4�� �	�	�	��G������	�	�	��L�L�@�!�D�D�D��5�5�5�5�5�����	���sR�2�A5�'A0�0A5�9B�
C� C�C�AG�
H�G!�!
H�.H�Hc��tj|j��5}d�|D��cddd��S#1swxYwYdS)Nc�D�g|]}|����|j��Sr�)�is_filerN)r��entrys  rhr�z>HackerTrapHitsSaver._get_exists_hash_files.<locals>.<listcomp>s'��B�B�B�5�%�-�-�/�/�B�E�J�B�B�Brj)r��scandir�BASE_PD_DIR)ro�its  rh�_get_exists_hash_filesz*HackerTrapHitsSaver._get_exists_hash_filess���
�Z���
(�
(�	C�B�B�B�B�B�B�B�	C�	C�	C�	C�	C�	C�	C�	C�	C�	C�	C�	C����	C�	C�	C�	C�	C�	Cs�3�7�7c�~�|D]9}t|j��t|��z�d���:dS)NrW)rr��touch�ror �fnames   rh�_create_hash_filesz&HackerTrapHitsSaver._create_hash_filessG���	?�	?�E�
�#�/�
"�
"�T�%�[�[�
0�7�7��>�>�>�>�	?�	?rjc�|�|D]8}t|j��t|��z����9dSr�)rr��unlinkr�s   rh�_remove_hash_filesz&HackerTrapHitsSaver._remove_hash_filessE���	;�	;�E�
�#�/�
"�
"�T�%�[�[�
0�8�8�:�:�:�:�	;�	;rjc���	|�tjd���}d�|D��}|���}t	|��t	|��z
}t	|��t	|��z
}|�|��|�|��dS#t$r9}t�	d||j
rd|j
�d�nd��Yd}~dSd}~wwxYw)	z�
        SA hits stored for PD as sha256 hash of full path in
        HackerTrap.DIR_PD. Not more than MAX_HITS_COUNT files in dir.
        Remove older (by mtime) files first.
        F�rMr}c�0�g|]}|�t|����Sr�rJ)r�rTs  rhr�z=HackerTrapHitsSaver._update_sa_hash_files.<locals>.<listcomp>-s3�����$(����$�����rjzHackerTrap error: %r%sz (�)�N)rr�SA_NAMEr�rCr�r�r\r�r�rM)ro�saved_files_list�hash_file_list�exists_hash_file_list�files_to_create�files_to_deleter�s       rh�_update_sa_hash_filesz)HackerTrapHitsSaver._update_sa_hash_files"s4��	�"�y�y�#�+�� )� � ����,<����N�%(�$>�$>�$@�$@�!�!�.�1�1�C�8M�4N�4N�N�O�!�"7�8�8�3�~�;N�;N�N�O��"�"�?�3�3�3��"�"�?�3�3�3�3�3���	�	�	��N�N�(��()�
�:�$�Q�Z�$�$�$�$��
�
�
�
�
�
�
�
�
�����	���s�B)B-�-
C0�7.C+�+C0r�c�L��	|�tjd���}|�||��}�fd�|D��}||kr#|�|tj���dSn2#t
$r%}t�d|��Yd}~nd}~wwxYwdS)z�
        Update file of malware standalone list.
        Return True if malware standalone list was changed otherwise False.
        Fr�c���g|]}|�v�|��	Sr�r�)r�rTr�s  �rhr�z;HackerTrapHitsSaver._update_sa_hit_list.<locals>.<listcomp>Is*�������$�o�2M�2M��2M�2M�2Mrj�rMTzHackerTrap error: %sN)rrr�rhr_r\r�r])ror`r��
saved_list�
extended_list�updated_listr�s  `    rh�_update_sa_hit_listz'HackerTrapHitsSaver._update_sa_hit_list<s����	4�%(�Y�Y�#�+��&/�&�&�J�),���J��(M�(M�M�����!.����L��z�)�)��
�
�<�*�2D�
�E�E�E��t�*���	4�	4�	4��L�L�/��3�3�3�3�3�3�3�3�����	4�����us�A,A2�2
B!�<B�B!c��JK�|s|r�|j4�d{V��|�||��rR|�tj���d{V��rtj���d{V��|���ddd���d{V��dS#1�d{V��swxYwYdSdSr�)�LOCKr�r�rr�r�graceful_restartr�)ror`r�s   rhr�z"HackerTrapHitsSaver.update_sa_hitsSs]�����	0�?�	0��x�
0�
0�
0�
0�
0�
0�
0�
0��*�*�<��I�I�0� �6�6�z�7I�J�J�J�J�J�J�J�J�<�(�9�;�;�;�;�;�;�;�;�;��-�-�/�/�/�	
0�
0�
0�
0�
0�
0�
0�
0�
0�
0�
0�
0�
0�
0�
0�
0�
0�
0�
0�
0�
0�
0�
0�
0����
0�
0�
0�
0�
0�
0�	0�	0s�A)B�
B�Bc��K�tjj}|j4�d{V��t	jtj���tj�	tjtjtj
g��tjtj�|j��tj|k���tj������|j�����}|�d�|D��t4j���|�t4j���d{V��rt;j���d{V��|���ddd���d{V��dS#1�d{V��swxYwYdS)zI
        Re-populate HackerTrap records using data from database
        Nc�:�g|]\}tj|����Sr�)r��fsencode)r�rs  rhr�z5HackerTrapHitsSaver.reset_sa_hits.<locals>.<listcomp>�s"��1�1�1�C�Q���Q���1�1�1rjr�) r;�FILE�valuer�rDr�r~r��status�in_r:r7�CLEANUP_STARTED�RESTORE_FROM_BACKUP_STARTED�	maliciousr��contains�STANDALONE_MARKrY�order_by�	timestamp�desc�limitrd�tuplesr_rr�r�rr�r�)rorYr s   rh�
reset_sa_hitsz!HackerTrapHitsSaver.reset_sa_hits^s ����40�4�:�
��8�	(�	(�	(�	(�	(�	(�	(�	(��!�*�"6�7�7����%�)�)�,�2�,�<�,�H�����(��O�,�,�S�-@�A�A��,�
�=�
�
���*�.�3�3�5�5�6�6���s�)�*�*�����%
�(
�J�J�1�1�5�1�1�1�J�<N�
�
�
�
��.�.�z�/A�B�B�B�B�B�B�B�B�
4� �1�3�3�3�3�3�3�3�3�3��%�%�'�'�'�5	(�	(�	(�	(�	(�	(�	(�	(�	(�	(�	(�	(�	(�	(�	(�	(�	(�	(�	(�	(�	(�	(�	(�	(����	(�	(�	(�	(�	(�	(s�FF7�7
G�Gr�)NT).r?r@rArr�rL�DIR_PDr�rKrdrnr�r"r�rDrrOrRr
r_rOrh�staticmethodr	�PathLikerlrqrwrr�r�r�r�r'r�r!r&r�r�r�r�r�rEr�r�r�r�rjrhrIrIas��������~�H��#�K��?�D��N�'���O��8�:�:�D��(�(��(�(�(��[�(��7��7�7�7��[�7��
D�
D�t�D�z�
D�
D�
D��[�
D��1��Q��1�t�A�w�1�4��7�1�1�1��[�1�&�H�x��1�H�d�8�n�H�H�H��\�H��D�D��[�D���H�X�$6�����[��"���t�D�z�����[��,�P�$�t�*�P�P�P��[�P��B�4��:�B�B�B��[�B��1��1�1�1��[�1�����[���
�X��)�-��	���!�!�
���[�!�F�C�C��[�C��?�?��[�?��;�;��[�;�����[��2����:��8<�T�
��	
�����[��,�0���:�0�8<�T�
�0�0�0��[�0��4(�4(��[�4(�4(�4(rjrIc�P�eZdZedefd���Zed���Zed���Zee	de
eeffd�����Z
ed���Ze	ddeeeeffd���Zed	���Ze				d
d
eedeeeeeeffd���ZdS)�MalwareActionIm360r�c
�V�t|jt|�t|jt���t|�t|jt���i}	||}n8#t$r+|t}t�	d|��YnwxYw|S)N)�post_actionr�z/There is no such action '%s'. Config is invalid)
r=r�r,�postponer*�detectr.r�r�r])ror��possible_actionsrgs    rh�_get_handlerzMalwareActionIm360._get_handler�s���
�C�J��S�\�\�"��J��"���

 ����"��J�*�".�"�"�
��	�%�f�-�F�F���	�	�	�%�f�-�F��L�L�A�6�
�
�
�
�
�	����
�
s�(A1�12B&�%B&c������fd�}|S)Nc��(�K�t�f||d����S)N)rWra)r9)rWrar�r�rp�messages    ��rhrtz,MalwareActionIm360.postpone.<locals>.wrapper�s3�����(���#,�E���=C���
rjr�)r�rprts`` rhr�zMalwareActionIm360.postpone�s)����	�	�	�	�	�	�
�rjc��K�tj|���}t|||j|j|j|j���d{V��dS)N)r�)rGr�rMr��startedrT�total_resources)ror]r�r��scans     rhr�zMalwareActionIm360.detect�sm������g�.�.�.������I��L��I�� �

�
�	
�	
�	
�	
�	
�	
�	
�	
�	
rjc���K�|�|��\}}|D]4}t�dtj|j�����5i}|D]0}|�|jg���|���1i}|�	��D].\}	}
|�
|j|
fd|	i|���d{V�����/|�
d�|D����|S)Nr
rUc3�BK�|]}|tt��fV��dSr�rr
s  rhr�z9MalwareActionIm360.restore_from_backup.<locals>.<genexpr>�rrjrrs           rhrz&MalwareActionIm360.restore_from_backup�rrjc�6�g}g}|D�]}|j}d}	ttj�|����}n=#t
$r0t�dtj|����YnwxYw|�jtj
���tj|ktjtktj|k�����	�|�|����|�|����||fSr�r�rs       rhrz)MalwareActionIm360._split_hits_on_restore�rrNc��P��
�K�d�|D��}|�|��}t|t|��||����d{V��\�
�g}�
fd�|D��}�fd�|D��}	�
D]1}
tj|
��}t
�d|���2t�|��fd�|D�����D]1}
tj|
��}t
�	d|���2t�|��fd�|	D����|S)	Nc��g|]	}|j��
Sr�rrs  rhr�z;MalwareActionIm360._restore_from_backup.<locals>.<listcomp>rrjrc�&��g|]
}|j�v�|��Sr�rr#s  �rhr�z;MalwareActionIm360._restore_from_backup.<locals>.<listcomp>r%rjc�&��g|]
}|j�v�|��Sr�rr's  �rhr�z;MalwareActionIm360._restore_from_backup.<locals>.<listcomp>r)rjr*c�2��g|]}|t���f��Sr�r,r-s  �rhr�z;MalwareActionIm360._restore_from_backup.<locals>.<listcomp>r/rjr0c�2��g|]}|t���f��Sr�r,r2s  �rhr�z;MalwareActionIm360._restore_from_backup.<locals>.<listcomp>"r4rjr5r8s            @@@rhrz'MalwareActionIm360._restore_from_backupr>rjc�6�tj��}	tj|��}n##tt
f$rtjcYSwxYw	t|�	|j
����}n##ttf$rtjcYSwxYw|Sr�r�r�s     rhr�zMalwareActionIm360._get_tmp_dir&r�r�r{c
��t�K�d�|D��}|j|f|||d�|���d{V��}ttj������d{V������fd�tj��D��}	g}
|D�]�}t|t��ru|	�	|j
t|j
����}|	�	|jt|j����}
tt|��j}n(|j
}|j}
tt|��j}t#|
��\}}||vr-||jr |
�||||df����|���}t|t��rF|j|d<|j|d<|j|d<|j|d	<|j|d
<|j|d<|j|d<|�|��}|d|||
||p|||j|d
�|���d{V��}|
�|||df�����|
S)r�c�d�g|]-}t|j���t|t���+|��.Sr�)rr��
isinstancerHr
s  rhr�z;MalwareActionIm360.apply_default_action.<locals>.<listcomp>@sM��
�
�
��/���9�9�
�
�s�$:�;�;�
��
�
�
rj)rWr�raNc�<��i|]}|j�v�|j|j��Sr�)�pw_name�pw_uid)r��pw�panel_userss  �rh�
<dictcomp>z;MalwareActionIm360.apply_default_action.<locals>.<dictcomp>Ms6���
�
�
���z�[�(�(�
�I�r�z�(�(�(rjTr\rZr[rbrcrdr])rTrUrVrarWr�rXrYFr�)rrCrr��	get_usersr��getpwallr�rHr�rr�r�rrTrEr~r��
successfulr�rbr\rZr[rbrcrdr]r�rX)ror{rWrar�rYrpr�restore_events�uid_to_namerr�rr�rTr�r��handler_kw_args�handlerr`r�s                    @rhr�z'MalwareActionIm360.apply_default_action4s������
�
��
�
�
�
� 7�s�6�� 
�"+�$�e� 
� 
�GM� 
� 
�
�
�
�
�
�
��
�
� :� <� <� F� F� H� H�H�H�H�H�H�H�I�I��
�
�
�
��l�n�n�
�
�
��
���)	4�)	4�C��#�5�6�6�
@�#����	�3�s�y�>�>�B�B��"���s�x��S�X���?�?���2�C�8�8�=����	���x���/��5�5�?��#>�t�#D�#D� �F�L��n�$�$���)<�)G�$��
�
�C���!4�f�d�C�D�D�D��$�k�k�m�m�O��#�5�6�6�	
9�-0�[��	�*�-0�[��	�*�-0�[��	�*�03����-�14���
�.�36�3D���0�-0�[��	�*��&�&�v�.�.�G�!�'�
�� ���#�3�|����+�
�
�"�
�
�
�
�
�
�
�
�E�
�J�J��U�F�E�2�3�3�3�3��
rjr�)NNNN)r?r@rArDrr�r�r�r�r�rrDr8rrr
rrr�rrPr�rEr�r�rjrhr�r��s���������X�����[��.����\���	
�	
��[�	
�� ��	
�j�,�&�	'����!� ��[��:�'�'��[�'�>�$(� � �	
�e�J��,�-�	.� � � ��[� �D����[�����
��
I�I���%�I�
�e�K��s�D�8�9�	:�I�I�I��[�I�I�Irjr�)xrBrlr{rur�r�r�ru�collectionsr�loggingr�pathlibr�typingrrrr	r
rrr
rr�peeweer� defence360agent.contracts.configrrrrrrr�%defence360agent.contracts.permissionsrrr�&defence360agent.internals.global_scoper�$defence360agent.model.simplificationr�defence360agent.subsysr�defence360agent.subsys.panelsr�"defence360agent.subsys.panels.baserr �defence360agent.utilsr!r"r#r$r%r&r'r(�imav.contracts.messagesr)r*�imav.malwarelib.configr+r,r-r.r/r0r1r2r3r4r5r6r7r8r9r:r;r<r=r>r?r@rArB�imav.malwarelib.modelrCrDrErFrG�imav.malwarelib.scan.mds.reportrH�*imav.malwarelib.subsys.restore_from_backuprI�imav.malwarelib.utilsrK�imav.malwarelib.utils.submitrL� imav.plugins.event_hook_executorrM�imav.malwarelib.cleanup.storagerNr?r�r��bytesr�rOrPrxr�r�r�r�rGrIr�r�rjrh�<module>rs�����*������������	�	�	�	�
�
�
�
�
�
�
�
�����#�#�#�#�#�#�������������������������������������"�!�!�!�!�!�����������������������������
5�4�4�4�4�4�@�@�@�@�@�@�-�-�-�-�-�-�7�7�7�7�7�7���������	�	�	�	�	�	�	�	�	�	�	�	�	�	�	�	�	�	�	�	�������������������������������������������������������������4��������������C�B�B�B�B�B�D�D�D�D�D�D�+�+�+�+�+�+�=�=�=�=�=�=�:�:�:�:�:�:��>�=�=�=�=�=�=�	��8�	�	����e�R�[�(�)���G�C�L�L���g��&�(>����
pK�pK�pK�f+�+�+�\���<
J�#�
J�%��S��/�
J�
J�
J�
J�F�F�F�F�F�F�F�F�R-�-�-�r(�r(�r(�r(�r(�r(�r(�r(�j	h�h�h�h�h��h�h�h�h�hrj
Hacked By AnonymousFox1.0, Coded By AnonymousFox