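def parse_results(self, response):
    """Convert a VirusTotal report dict into a Result.

    Args:
        response: decoded JSON from the VirusTotal API, either the report
            itself or a wrapper holding it under 'results'.

    Returns:
        A Result with a permalink section, an 'Anti-Virus Detections'
        section holding one AvHitSection per engine whose entry has
        'detected' set, and a VirusHitTag per detection. An empty Result
        when the report is missing or its 'response_code' is not 1.
    """
    res = Result()
    if response is None:
        return res
    # The caller may hand over the raw API envelope; unwrap it if so.
    response = response.get('results', response)
    if response is None or response.get('response_code') != 1:
        return res

    permalink_section = ResultSection(
        SCORE.NULL, 'Virus total report permalink', self.SERVICE_CLASSIFICATION,
        body_format=TEXT_FORMAT.URL,
        body=json.dumps({"url": response.get('permalink')}))
    res.add_section(permalink_section)

    av_hits = ResultSection(title_text='Anti-Virus Detections')
    # Default absent counts to 0 so the %d format cannot raise on None.
    av_hits.add_line('Found %d AV hit(s) from %d scans.' % (
        response.get('positives') or 0, response.get('total') or 0))

    # A report without a 'scans' map has nothing to enumerate. Falling back
    # to the whole report (the previous behaviour) could only ever index
    # non-dict values such as 'response_code' and raise.
    scans = response.get('scans') or {}
    for scanner, verdict in sorted(scans.iteritems()):
        if not verdict.get('detected'):
            continue
        virus_name = verdict['result']
        res.append_tag(VirusHitTag(virus_name, context="scanner:%s" % scanner))
        av_hits.add_section(AvHitSection(scanner, virus_name, SCORE.SURE))
    res.add_result(av_hits)
    return res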
def icap_to_alresult(self, icap_result):
    """Translate an F-Secure ICAP response into a Result.

    Args:
        icap_result: raw ICAP response text (status line plus headers).

    Returns:
        A Result holding a VirusHitSection and a VirusHitTag when the
        X-FSecure-Infection-Name header names an infection; otherwise an
        empty Result. The ISTag header value is recorded via _set_av_ver
        as a side effect.

    Raises:
        Exception: when the response has three lines or fewer.
    """
    lines = icap_result.strip().splitlines()
    if len(lines) <= 3:
        raise Exception('Invalid result from FSecure ICAP server: %s' % str(icap_result))

    infection_type = ''
    infection_name = ''
    for line in lines:
        # Headers are 'Name: value'; the first colon ends the name, which is
        # the same test as a startswith() on 'Name:'.
        header, sep, value = line.partition(':')
        if not sep:
            continue
        value = value.strip()
        if header == 'X-FSecure-Scan-Result':
            infection_type = value
        elif header == 'X-FSecure-Infection-Name':
            infection_name = value.strip('"')
        elif header == 'ISTag':
            self._set_av_ver(value)

    result = Result()
    if infection_name:
        result.add_section(VirusHitSection(infection_name, SCORE.SURE, detection_type=infection_type))
        result.append_tag(VirusHitTag(infection_name))
    return result
def parse_direct_db(self, response):
    """Assemble a Result from the direct-DB lookups for *response*.

    Each lookup_* helper returns a section (or a falsy value when it has
    nothing to report); lookup_callouts and lookup_av_hits also return a
    list of tags that is attached only when their section is present.
    """
    result = Result()

    source_section = self.lookup_source(response)
    if source_section:
        result.add_section(source_section)

    upatre_section = self.lookup_upatre_downloader(response)
    if upatre_section:
        result.add_section(upatre_section)

    callout_section, callout_tags = self.lookup_callouts(response)
    if callout_section:
        result.add_section(callout_section)
        # Domain, IP and port tags that accompany the call-outs.
        for tag in callout_tags:
            result.append_tag(tag)

    spam_section = self.lookup_spam_feed(response)
    if spam_section:
        result.add_section(spam_section)

    av_section, virus_tags = self.lookup_av_hits(response)
    if av_section:
        result.add_section(av_section)
        for tag in virus_tags:
            result.append_tag(tag)

    return result
def icap_to_alresult(self, icap_result):
    """Translate a Kaspersky ICAP response into a Result.

    Args:
        icap_result: raw ICAP response text (status line plus headers).

    Returns:
        A Result holding a VirusHitSection and a VirusHitTag when an
        X-Virus-ID header is present (its leading 'INFECTED ' stripped);
        otherwise an empty Result.

    Raises:
        Exception: when the response has three lines or fewer.
    """
    lines = icap_result.strip().splitlines()
    if len(lines) <= 3:
        raise Exception('Invalid result from Kaspersky ICAP server: %s' % str(icap_result))

    def value_after(line, prefix):
        # Header value with the prefix removed, or None when the line is
        # not that header.
        if line.startswith(prefix):
            return line[len(prefix):].strip()
        return None

    x_response_info = None
    x_virus_id = None
    for line in lines:
        value = value_after(line, 'X-Response-Info:')
        if value is not None:
            x_response_info = value
            continue
        value = value_after(line, 'X-Virus-ID:')
        if value is not None:
            x_virus_id = value

    result = Result()
    if x_virus_id:
        # Expected pairing: 'blocked' plus X-Virus-ID for a hit, 'passed'
        # with no X-Virus-ID for a clean file. A mismatch is logged only;
        # the virus id still wins.
        if x_response_info != 'blocked':
            self.log.warn('found virus id but response was: %s', str(x_response_info))
        virus_name = x_virus_id.replace('INFECTED ', '')
        result.add_section(VirusHitSection(virus_name, SCORE.SURE))
        result.append_tag(VirusHitTag(virus_name))
    return result
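def parse_results(self, response):
    """Convert a VirusTotal report dict into a Result.

    Args:
        response: decoded JSON from the VirusTotal API, either the report
            itself or a wrapper holding it under 'results'.

    Returns:
        A Result with a permalink section, an 'Anti-Virus Detections'
        section holding one AvHitSection per engine whose entry has
        'detected' set, and a VirusHitTag per detection. An empty Result
        when the report is missing or its 'response_code' is anything
        other than 1, 203 or 204.

    Raises:
        VTException: on response_code 204 (public API rate limit hit) or
            203 (call requires a private API key).
    """
    res = Result()
    if response is None:
        return res
    # The caller may hand over the raw API envelope; unwrap it if so.
    response = response.get('results', response)
    if response is None:
        return res

    code = response.get('response_code')
    if code == 204:
        message = "You exceeded the public API request rate limit (4 requests of any nature per minute)"
        raise VTException(message)
    if code == 203:
        message = "You tried to perform calls to functions for which you require a Private API key."
        raise VTException(message)
    if code != 1:
        return res

    permalink_section = ResultSection(
        SCORE.NULL, 'Virus total report permalink', self.SERVICE_CLASSIFICATION,
        body_format=TEXT_FORMAT.URL,
        body=json.dumps({"url": response.get('permalink')}))
    res.add_section(permalink_section)

    av_hits = ResultSection(title_text='Anti-Virus Detections')
    # Default absent counts to 0 so the %d format cannot raise on None.
    av_hits.add_line('Found %d AV hit(s) from %d scans.' % (
        response.get('positives') or 0, response.get('total') or 0))

    # A report without a 'scans' map has nothing to enumerate. Falling back
    # to the whole report (the previous behaviour) could only ever index
    # non-dict values such as 'response_code' and raise.
    scans = response.get('scans') or {}
    for scanner, verdict in sorted(scans.iteritems()):
        if not verdict.get('detected'):
            continue
        virus_name = verdict['result']
        res.append_tag(VirusHitTag(virus_name, context="scanner:%s" % scanner))
        av_hits.add_section(AvHitSection(scanner, virus_name, SCORE.SURE))
    res.add_result(av_hits)
    return res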
def execute_batch(self, request_batch):
    """Scan a whole batch with BitDefender and fill in each request's result.

    BitDefender scans a directory at a time, so every input is downloaded
    into one folder and scanned together. A RecoverableError raised by the
    scanner marks every request in the batch as failed and retryable.
    """
    batch_folder = request_batch.download()

    # Every request starts out as successful with an empty Result; only the
    # files the scanner reports on get a populated Result below.
    # NOTE(review): the original comment said "mark all as failed" while
    # the code sets successful=True — presumably a file absent from the AV
    # output is treated as clean; confirm against the scanner's output.
    for request in request_batch.requests:
        request.successful = True
        request.result = Result()
        request.error_is_recoverable = True
        request.error_text = 'Did not found an entry for this file in the AV output'

    scanner = BitDefenderScanner(self.working_directory, self.exe_path)
    try:
        scan_results = scanner.scan_folder(batch_folder)
        for original_path, av_result in scan_results.results.iteritems():
            request = request_batch.find_by_local_path(original_path)
            if not request:
                self.log.error(
                    "Could not find task associated with path: %s\n.", original_path)
                continue

            result = Result()
            for embedded_file, (is_virus, infection_type, infection_name, _) in av_result.iteritems():
                if not is_virus:
                    continue
                # Only a definite 'infected' verdict earns the top score.
                score = SCORE.SURE if infection_type == 'infected' else SCORE.HIGH
                result.append_tag(VirusHitTag(infection_name))
                result.add_section(
                    VirusHitSection(infection_name, score, embedded_file, infection_type))
            # TODO(CVE / Exploit tag extraction)

            request.result = result
            request.successful = True
            request.task.report_service_context(self._av_info)
    except RecoverableError as rec_err:
        for request in request_batch.requests:
            request.successful = False
            request.error_text = rec_err.message
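def execute_batch(self, request_batch):
    """Scan every downloaded file in *request_batch* with McAfee.

    Each request that the scanner reports on gets a Result holding one
    VirusHitSection and VirusHitTag per detection; the others keep an
    empty Result and are left marked successful.

    The downloaded files are removed in a ``finally`` block so that the
    early return on an empty scan result (and any exception raised by the
    scanner) no longer leaves them behind in the working directory.
    """
    self.log.info('Execute batch of size %d', len(request_batch.requests))
    request_batch.download()
    try:
        # Collect the paths before the status reset below overwrites
        # 'successful' for every request.
        paths_to_scan = [request.local_path for request in request_batch.requests
                         if request.successful and request.local_path]

        # Every request starts out successful with an empty Result; only
        # files the scanner reports on get a populated Result below.
        for request in request_batch.requests:
            request.successful = True
            request.error_is_recoverable = True
            request.result = Result()

        scanner = McAfeeScanner(self.exe_path, self.dat_directory, self.working_directory)  # pylint: disable=E0602
        scan_results = scanner.scan_files(paths_to_scan)
        if not scan_results:
            return

        for original_path, av_result in scan_results.results.iteritems():
            request = request_batch.find_by_local_path(original_path)
            if not request:
                self.log.error(
                    'Could not find request associated with path %s', original_path)
                continue
            request.task.report_service_context(self._av_info)

            result = Result()
            for embedded_file, (is_virus, detection_type, virus_name, _reserved) in av_result.iteritems():
                if not is_virus:
                    continue
                result.append_tag(VirusHitTag(virus_name))
                result.add_section(
                    VirusHitSection(virus_name, SCORE.SURE, embedded_file, detection_type))
            request.result = result
            request.successful = True
    finally:
        # Runs on the normal path, the early return and any exception.
        request_batch.delete_downloaded()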
def parse_results(self, response):
    """Convert a Metadefender scan report into a Result.

    Args:
        response: decoded API reply, either the 'scan_results' object or a
            wrapper holding it under that key.

    Returns:
        A Result with an 'Anti-Virus Detections' section (one AvHitSection
        per engine that reported a threat name) and a VirusHitTag per hit.
        An empty Result when the report is missing, its
        'progress_percentage' is not 100, or no engine reported a threat.

    Raises:
        KeyError: when an engine key has no entry in self.engine_map.
    """
    res = Result()
    response = response.get('scan_results', response)
    if response is None or response.get('progress_percentage') != 100:
        return res

    av_hits = ResultSection(title_text='Anti-Virus Detections')
    scans = response.get('scan_details', response)
    # scan_result_i 1 scores SURE and 2 scores VHIGH, in both cases only
    # when a threat name is given; any other code is skipped.
    verdict_score = {1: SCORE.SURE, 2: SCORE.VHIGH}
    virus_name = ""
    hit = False
    for engine_key, detail in sorted(scans.iteritems()):
        code = detail['scan_result_i']
        score = SCORE.NULL
        if code in verdict_score:
            virus_name = detail['threat_found']
            if virus_name:
                score = verdict_score[code]
        if not score:
            continue
        virus_name = virus_name.replace("a variant of ", "")
        engine = self.engine_map[self._format_engine_name(engine_key)]
        res.append_tag(VirusHitTag(virus_name, context="scanner:%s" % engine_key))
        av_hits.add_section(AvHitSection(engine_key, virus_name, engine, score))
        hit = True

    if hit:
        res.add_result(av_hits)
    return res
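def parse_api(data):
    """Build a Result from a direct-API record describing one file.

    Args:
        data: decoded API record. Only these keys are read: 'hash_info',
            'received_date', 'callouts', 'spamCount', 'av_results'.

    Returns:
        An empty Result when 'hash_info' is missing. Otherwise a Result with
        a 'File Info' section plus, when the record has them, a
        'Sandbox Call-Outs' section (with NET_IP / NET_DOMAIN_NAME /
        NET_PORT beacon tags), a 'SPAM feed' section and an
        'Anti-Virus Detections' section (with a VirusHitTag per hit).

    Raises:
        KeyError: when 'received_date' or a per-callout / spam-sample field
            the record is expected to carry is absent.
    """
    result = Result()

    hash_info = data.get('hash_info')
    if not hash_info:
        return result

    # --- File info --------------------------------------------------------
    received = data['received_date']  # sliced as YYYY-MM-DD; assumes YYYYMMDD input
    r_info = ResultSection(title_text='File Info')
    r_info.score = SCORE.NULL
    r_info.add_line('Received Data: %s-%s-%s' % (received[:4], received[4:6], received[6:]))
    r_info.add_line('Size: %s' % hash_info.get('filesize', ""))
    r_info.add_line('MD5: %s' % hash_info.get('md5', ""))
    r_info.add_line('SHA1: %s' % hash_info.get('sha1', ""))
    r_info.add_line('SHA256: %s' % hash_info.get('sha256', ""))
    r_info.add_line('SSDeep Blocksize: %s' % hash_info.get('ssdeep_blocksize', ""))
    r_info.add_line('SSDeep Hash1: %s' % hash_info.get('ssdeep_hash1', ""))
    # NOTE(review): labelled Hash2 but reads 'ssdeep_hash1', so both lines
    # print the same value. The key is left as-is because the record schema
    # is not visible here — confirm the second-half key name and fix.
    r_info.add_line('SSDeep Hash2: %s' % hash_info.get('ssdeep_hash1', ""))
    result.add_result(r_info)

    # --- Sandbox call-outs ------------------------------------------------
    callouts = data.get('callouts', [])
    if callouts:
        max_callouts = 10
        r_callouts = ResultSection(title_text='Sandbox Call-Outs')
        r_callouts.score = SCORE.VHIGH
        analyser = ''
        r_call_sub_section = None
        # Only the first max_callouts entries are listed; the rest are
        # summarised by count below.
        for callout in callouts[:max_callouts]:
            # Consecutive call-outs from the same analysing host share a
            # sub-section.
            if analyser != callout['ip']:
                title = '%s (Analysed on %s)' % (callout['ip'], callout['addedDate'])
                r_call_sub_section = ResultSection(title_text=title, parent=r_callouts)
                analyser = callout['ip']
            channel = callout['channel']
            if channel is not None:
                channel = "(%s)" % channel.split('~~')[0]
            else:
                channel = ""
            destination = callout['callout']
            r_call_sub_section.add_line("{0:s}:{1:d}{2:s}".format(
                destination, callout['port'], channel))

            # A destination is tagged as an IP only when it is exactly four
            # integer octets, each within 0..255 (the old check had no lower
            # bound, so negative octets were tagged as IPs). Anything that
            # is not four integers is tagged as a domain name; four integers
            # with an out-of-range octet get no tag, as before.
            try:
                octets = [int(part) for part in destination.split(".")]
            except ValueError:
                octets = None
            if octets is None or len(octets) != 4:
                result.append_tag(
                    Tag(TAG_TYPE.NET_DOMAIN_NAME, destination, TAG_WEIGHT.MED, context=Context.BEACONS))
            elif all(0 <= octet <= 255 for octet in octets):
                result.append_tag(
                    Tag(TAG_TYPE.NET_IP, destination, TAG_WEIGHT.MED, context=Context.BEACONS))

            if callout['port'] != 0:
                result.append_tag(
                    Tag(TAG_TYPE.NET_PORT, str(callout['port']), TAG_WEIGHT.MED, context=Context.BEACONS))

        if len(callouts) > max_callouts:
            # The overflow count is derived from max_callouts rather than a
            # second hard-coded 10, so the two cannot drift apart.
            r_callouts.add_line("And %s more..." % str(len(callouts) - max_callouts))
        result.add_result(r_callouts)

    # --- SPAM feed --------------------------------------------------------
    spamcount = data.get('spamCount', {})
    if spamcount:
        r_spam = ResultSection(title_text='SPAM feed')
        r_spam.score = SCORE.VHIGH
        r_spam.add_line('Found %d related spam emails' % spamcount['count'])
        email_sample = spamcount.get("email_sample", {})
        r_spam.add_line('\tFirst Seen: %s' % email_sample['firstSeen'])
        r_spam.add_line('\tLast Seen: %s' % email_sample['lastSeen'])
        r_sub_section = ResultSection(title_text='Attachments', parent=r_spam)
        if email_sample['filename']:
            r_sub_section.add_line(
                '%s - md5: %s' % (email_sample['filename'], email_sample['filenameMD5']))
        if email_sample['attachment']:
            r_sub_section.add_line(
                '%s - md5: %s' % (email_sample['attachment'], email_sample['attachmentMD5']))
        result.add_result(r_spam)

    # --- Anti-virus hits --------------------------------------------------
    av_results = data.get('av_results', [])
    if av_results:
        r_av_sec = ResultSection(title_text='Anti-Virus Detections')
        r_av_sec.add_line('Found %d AV hit(s).' % len(av_results))
        for av_result in av_results:
            scanner_id = av_result['scannerID']
            detection = av_result['name']
            r_av_sec.add_section(AvHitSection(scanner_id, detection, SCORE.SURE))
            result.append_tag(VirusHitTag(detection, context="scanner:%s" % scanner_id))
        result.add_result(r_av_sec)

    return result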