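"""
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with this program.  If not, see <https://www.gnu.org/licenses/>.

Copyright © 2019 Cloud Linux Software Inc.

This software is also available under ImunifyAV commercial license,
see <https://www.imunify360.com/legal/eula>
"""
import asyncio
from functools import partial
from pathlib import Path

from defence360agent.feature_management.constants import AV, AV_REPORT, FULL
from defence360agent.feature_management.lookup import feature
from defence360agent.model.simplification import run_in_executor
from defence360agent.rpc_tools.lookup import bind
from defence360agent.utils import Scope
from imav.malwarelib.config import MalwareScanResourceType
from imav.malwarelib.model import MalwareHit
from imav.malwarelib.rpc.endpoints.base import (
    MaliciousEndpointStatus,
    MaliciousEndpoints as MaliciousEndpointsAV,
)
from imav.malwarelib.subsys.malware import HackerTrapHitsSaver


class MaliciousEndpoints(MaliciousEndpointsAV):
    """Ignore or drop malicious files (Imunify360 scope).

    On top of the AV base endpoints this scope also keeps
    ``malware_standalone_b64.list`` (consumed by modsec rule 77316817) in
    sync through ``HackerTrapHitsSaver.update_sa_hits``, so a path the
    operator marks as not-actually-malware is no longer blocked at the WAF
    layer. See DEF-38724.

    Security note: both endpoints *lift* a WAF block for the selected
    paths. They are registered as RPC commands via ``bind``; ``user`` is
    forwarded to the hit lookup, and whatever per-user scoping that
    provides is implemented in ``MalwareHit.malicious_select`` / the AV
    base, not in this class.
    """

    SCOPE = Scope.IM360

    @feature(AV, [FULL, AV_REPORT])
    @bind("malware", "malicious", "move-to-ignore")
    async def malicious_move_to_ignore(self, ids, user=None) -> int:
        """Move hits ``ids`` to the ignore list and unblock them at the WAF.

        The AV base implementation (``_malicious_move_to_ignore``) does the
        ignore-list work and returns the entries it actually ignored; each
        of them is then removed from the standalone list.

        Args:
            ids: hit identifiers selected by the caller, in whatever shape
                the AV base implementation accepts.
            user: forwarded unchanged to the base implementation
                (``None`` presumably means "no user restriction" -- confirm
                in the base before relying on it).

        Returns:
            Number of entries the base implementation reported as ignored.
        """
        ignored = await self._malicious_move_to_ignore(ids, user)
        # NOTE(review): unlike remove-from-list below, no resource_type
        # filter is applied here, so this assumes the base returns only
        # file paths -- confirm against MaliciousEndpointsAV.
        await HackerTrapHitsSaver.update_sa_hits(
            files_to_add=[],
            files_to_remove=[Path(f) for f in ignored],
        )
        return len(ignored)

    @feature(AV, [FULL, AV_REPORT])
    @bind("malware", "malicious", "remove-from-list")
    async def malicious_remove_from_list(
        self, ids, user=None
    ) -> MaliciousEndpointStatus:
        """Delete hits ``ids`` from the DB and unblock their paths at the WAF.

        The AV base drops the ``MalwareHit`` rows but leaves the path in
        ``malware_standalone_b64.list``, so modsec rule 77316817 keeps
        blocking it; this override does both. The peewee calls are wrapped
        in ``run_in_executor`` the same way ``_malicious_move_to_ignore``
        does it (presumably to keep blocking DB I/O off the event loop).

        Order matters: the rows are deleted *before* the WAF list is
        rewritten. If ``update_sa_hits`` raises, the path stays blocked
        (fail-closed) even though its hit record is already gone; the
        reverse order would unblock a path whose record still exists.

        Args:
            ids: hit identifiers to remove.
            user: passed through to ``MalwareHit.malicious_select`` to scope
                the selection (``None`` is forwarded as-is).

        Returns:
            ``MaliciousEndpointStatus`` with the removed hits (model
            instances fetched before deletion) and an empty failure list.
        """
        # Inside a coroutine get_running_loop() is the documented call;
        # get_event_loop() returns the same loop here but is the legacy
        # API. Look it up once for both executor hops.
        loop = asyncio.get_running_loop()
        hits_to_remove = await run_in_executor(
            loop, partial(MalwareHit.malicious_select, ids, user=user)
        )
        # Only FILE-type hits are forwarded to the WAF list update; hits of
        # other resource types are still deleted from the DB below.
        sa_paths_to_remove = [
            Path(hit.orig_file)
            for hit in hits_to_remove
            if hit.resource_type == MalwareScanResourceType.FILE.value
        ]
        await run_in_executor(
            loop, partial(MalwareHit.delete_instances, hits_to_remove)
        )
        await HackerTrapHitsSaver.update_sa_hits(
            files_to_add=[], files_to_remove=sa_paths_to_remove
        )
        return MaliciousEndpointStatus(hits_to_remove, [])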