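def analyzeLog(filename):
    """Parse the newest MPDetection log for version info and a detection of *filename*.

    Args:
        filename: name (or path fragment) of the scanned file to look for
            in DETECTION lines.

    Returns:
        ``[malicious, scannervv, sigversion, sigdate]`` where ``malicious`` is
        True when a DETECTION line names *filename*, ``scannervv`` is
        ``"<module_name> <scanner version>"`` (None if not found),
        ``sigversion`` is the signature version string (None if not found)
        and ``sigdate`` is whatever ``getSigDate(msseccli_update_dir)`` returns.
    """
    sigversion = None
    scannervv = None
    file_confirm = False
    malicious = False
    # Path of the newest MPDetection log; its mtime is not needed here.
    most_recent, _mtime = getMostRecent(msseccli_data_dir, 'MPDetection')
    if most_recent:
        # The log is read as UTF-16LE and scanned newest-entry-first.
        with codecs.open(most_recent, 'r', 'utf-16le') as data:
            lines = data.readlines()
        for line_count, line in enumerate(reversed(lines), 1):
            parts = line.split()
            # Assumed log layout: a 'Version:' line carries the scanner
            # version at index 3 and the signature version at index 11 —
            # confirm against a real log. Short or malformed lines are
            # skipped instead of raising IndexError.
            if not scannervv and 'Version:' in parts and len(parts) > 11:
                scannervv = '%s %s' % (module_name, parts[3])
                sigversion = parts[11]
            elif not file_confirm and 'DETECTION' in parts and len(parts) > 3:
                # Substring match on the logged path (expected to start with
                # 'file:'). A filename that is also a substring of some other
                # logged path would match too, so pass a specific name.
                if parts[3].find(filename) > len('file:'):
                    malicious = True
                    file_confirm = True
            # Look at no more than the 1000 newest lines, and stop early once
            # everything has been found.
            if line_count > 1000:
                break
            if scannervv and sigversion and file_confirm:
                break
    sigdate = getSigDate(msseccli_update_dir)
    return [malicious, scannervv, sigversion, sigdate]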
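def getSigInfo():
    """Return the cached ``SigInfo``, refreshing it when absent or older than ``expiry``.

    Reads and updates the module globals ``cursiginfo`` and ``siginfotime``.
    A refresh calls ``getVersionInfo()`` for the scanner/signature versions
    and ``getSigDate(avira_dir, search='.vdf')`` for the signature date.
    """
    global cursiginfo
    global siginfotime
    now = datetime.now()
    # Identity test for None rather than ``==``. ``siginfotime`` is only
    # compared when a cached value exists, so the short-circuit keeps the
    # subtraction safe on first use.
    if cursiginfo is None or now - siginfotime > expiry:
        scannervv, sigversion = getVersionInfo()
        sigdate = getSigDate(avira_dir, search='.vdf')
        cursiginfo = SigInfo(scannervv, sigversion, sigdate)
        siginfotime = now
    return cursiginfo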
from socialscan.util import SigInfo


# Module name (file stem), used to label the scanner version string.
module_name = os.path.splitext(os.path.basename(__file__))[0]

# Cached signature info plus the time it was last refreshed; a cached value
# older than `expiry` is rebuilt by getSigInfo().
cursiginfo = None
siginfotime = None
expiry = timedelta(hours=1)

# Patterns for the lines of scancl's output that carry version information.
scannervv_re = re.compile(r"Avira / Windows Version (.*)")
engineversion_re = re.compile(r"engine set: (.*)")
vdfversion_re = re.compile(r"VDF Version: (.*)")

# Fixed Windows install location of Avira; scancl is its command-line scanner.
# NOTE(review): presumably the default 32-bit install path — confirm on the
# target host.
avira_dir = os.path.join('C:%s' % os.sep, 'Program Files (x86)', 'Avira', 'AntiVir Desktop')
avira_bin = os.path.join(avira_dir, 'scancl')

# Signature date read once at import time from the .vdf files under avira_dir.
sigdate = getSigDate(avira_dir, search='.vdf')

def scan(filename):
    global cursiginfo
    global siginfotime

    process = subprocess.Popen([avira_bin, filename], stdout=subprocess.PIPE)
    output = process.communicate()[0]
    lines = output.replace('\r\n', '\n').split('\n')

    malicious = False

    for line in lines:
        split = line.split()
        if not split:
            continue