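    async def scan(self, guid, artifact_type, content, metadata, chain):
        """Scan an artifact with ClamAV.

        Args:
            guid (str): GUID of the bounty under analysis, used to track artifacts in the same bounty
            artifact_type (ArtifactType): Artifact type for the bounty being scanned
            content (bytes): Content of the artifact to be scanned
            metadata (dict): Dict of metadata for the artifact (not read by this scanner)
            chain (str): Chain we are operating on

        Returns:
            ScanResult: ``bit=True``/``verdict=True`` with the reported signature
            as malware family when clamd answers ``FOUND``;
            ``bit=True``/``verdict=False`` when clamd answers ``OK``;
            ``bit=False`` (no assertion) when clamd answers ``ERROR`` or
            anything unrecognised, because a scan that did not complete must
            not be reported as a clean artifact.
        """
        result = await self.clamd.instream(BytesIO(content))
        # clamd replies to INSTREAM with a (status, detail) pair under the
        # 'stream' key: ('OK', None), ('FOUND', '<signature>') or
        # ('ERROR', '<reason>').  Only the FOUND shape is visible in this file;
        # the other two follow the python-clamd response parser.
        stream_result = result.get('stream', [])
        status = stream_result[0] if len(stream_result) >= 1 else None
        detail = stream_result[1] if len(stream_result) >= 2 else None

        vendor = await self.clamd.version()
        # Local is named `verdict` so the `metadata` parameter is not shadowed.
        verdict = Verdict().set_scanner(operating_system=platform.system(),
                                        architecture=platform.machine(),
                                        vendor_version=vendor.strip('\n'))
        if status == 'FOUND' and detail is not None:
            verdict.set_malware_family(detail.strip('\n'))
            return ScanResult(bit=True,
                              verdict=True,
                              confidence=1.0,
                              metadata=verdict.json())

        verdict.set_malware_family('')
        if status == 'OK':
            return ScanResult(bit=True, verdict=False, metadata=verdict.json())

        # ERROR, missing or unrecognised status: the engine has no result for
        # this artifact, so decline to assert instead of claiming it is clean.
        return ScanResult(bit=False, verdict=False, metadata=verdict.json())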
    async def scan(self, guid, artifact_type, content, metadata, chain):
        """Scan an artifact with Yara.

        Args:
            guid (str): GUID of the bounty under analysis, used to track artifacts in the same bounty
            artifact_type (ArtifactType): Artifact type for the bounty being scanned
            content (bytes): Content of the artifact to be scanned
            metadata (dict): Dict of metadata for the artifact (not read by this scanner)
            chain (str): Chain we are operating on

        Returns:
            ScanResult: ``bit=True`` always; ``verdict=True`` with the first
            matching rule's name as malware family when any rule matches,
            otherwise ``verdict=False`` with an empty malware family.
        """
        rule_matches = self.rules.match(data=content)
        uname = os.uname()
        # Local is named `verdict` so the `metadata` parameter is not shadowed.
        verdict = Verdict().set_scanner(operating_system=uname.sysname,
                                        architecture=uname.machine,
                                        vendor_version=yara.__version__)

        if not rule_matches:
            verdict.set_malware_family('')
            return ScanResult(bit=True, verdict=False, metadata=verdict.json())

        # author responsible for distilling multiple metadata values into a value for ScanResult
        first_match = rule_matches[0]
        verdict.set_malware_family(first_match.rule)
        return ScanResult(bit=True, verdict=True, metadata=verdict.json())
def test_set_malware_family():
    """set_malware_family() stores the given name in ``malware_family``."""
    family = "Eicar"
    verdict = Verdict()

    verdict.set_malware_family(family)

    assert verdict.malware_family == family
def test_validate_with_family():
    """A verdict carrying a malware family serialises to JSON that validates."""
    # arrange
    verdict = Verdict()
    verdict.set_malware_family("Eicar")
    # act
    payload = json.loads(verdict.json())
    # assert
    assert Verdict.validate(payload)
    def scan_sync(self, guid, artifact_type, content, metadata, chain):
        """Scan an artifact for the EICAR test string.

        Args:
            guid (str): GUID of the bounty under analysis, used to track artifacts in the same bounty
            artifact_type (ArtifactType): Artifact type for the bounty being scanned
            content (bytes): Content of the artifact to be scanned; a ``str`` is encoded first
            metadata (dict): Dict of metadata for the artifact (not read by this scanner)
            chain (str): Chain we are operating on

        Returns:
            ScanResult: ``bit=True`` always; ``verdict=True`` with malware
            family ``'Eicar Test File'`` when ``EICAR`` occurs in the content,
            otherwise ``verdict=False`` with an empty malware family.
        """
        # Local is named `verdict` so the `metadata` parameter is not shadowed.
        verdict = Verdict().set_scanner(operating_system=self.system,
                                        architecture=self.machine)
        payload = content.encode() if isinstance(content, str) else content
        found = EICAR in payload
        verdict.set_malware_family('Eicar Test File' if found else '')
        return ScanResult(bit=True, verdict=found, metadata=verdict.json())