Added doc to consts file, and moved AV list to AV file
parent
ba1667372b
commit
aaab4a479c
|
@ -1,3 +1,11 @@
|
|||
"""
|
||||
This file contains all the static data relating to Zero Trust. It is mostly used in the zero trust report generation and
|
||||
in creating findings.
|
||||
|
||||
This file contains static mappings between zero trust components such as: pillars, directives, tests, statuses. Some of
|
||||
the mappings are computed when this module is loaded.
|
||||
"""
|
||||
|
||||
AUTOMATION_ORCHESTRATION = u"Automation & Orchestration"
|
||||
VISIBILITY_ANALYTICS = u"Visibility & Analytics"
|
||||
WORKLOADS = u"Workloads"
|
||||
|
@ -11,7 +19,7 @@ STATUS_UNEXECUTED = u"Unexecuted"
|
|||
STATUS_POSITIVE = u"Positive"
|
||||
STATUS_INCONCLUSIVE = u"Inconclusive"
|
||||
STATUS_CONCLUSIVE = u"Conclusive"
|
||||
# Don't change order!
|
||||
# Don't change order! The statuses are ordered by importance/severity.
|
||||
ORDERED_TEST_STATUSES = [STATUS_CONCLUSIVE, STATUS_INCONCLUSIVE, STATUS_POSITIVE, STATUS_UNEXECUTED]
|
||||
|
||||
TEST_DATA_ENDPOINT_ELASTIC = u"unencrypted_data_endpoint_elastic"
|
||||
|
@ -170,8 +178,3 @@ EVENT_TYPE_ISLAND = "island"
|
|||
EVENT_TYPE_MONKEY_NETWORK = "monkey_network"
|
||||
EVENT_TYPE_MONKEY_LOCAL = "monkey_local"
|
||||
EVENT_TYPES = (EVENT_TYPE_MONKEY_LOCAL, EVENT_TYPE_MONKEY_NETWORK, EVENT_TYPE_ISLAND)
|
||||
|
||||
ANTI_VIRUS_KNOWN_PROCESS_NAMES = [
|
||||
u"SSPService.exe",
|
||||
u"ipython.exe"
|
||||
]
|
||||
|
|
|
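Review bot: Both paragraphs of the new module docstring in the first hunk open with "This file contains", and the second largely restates the first; a single intro reads better, e.g. `Static data for Zero Trust: pillars, directives, tests and statuses, plus the mappings between them (some computed at import time). Used by the zero trust report and when creating findings.` The rewritten comment above `ORDERED_TEST_STATUSES` in the second hunk now says the order matters but still not where it is consumed; naming the code that relies on it would tell the next editor what breaks if the order changes. Since the AV process list now lives in the test module, the docstring's "all the static data" is slightly overstated, though that is cosmetic.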
@ -1,11 +1,81 @@
|
|||
import json
|
||||
|
||||
from common.data.zero_trust_consts import EVENT_TYPE_MONKEY_LOCAL, ANTI_VIRUS_KNOWN_PROCESS_NAMES, EVENT_TYPE_ISLAND, \
|
||||
from common.data.zero_trust_consts import EVENT_TYPE_MONKEY_LOCAL, EVENT_TYPE_ISLAND, \
|
||||
STATUS_POSITIVE, STATUS_CONCLUSIVE, TEST_ENDPOINT_SECURITY_EXISTS
|
||||
from monkey_island.cc.models import Monkey
|
||||
from monkey_island.cc.models.event import Event
|
||||
from monkey_island.cc.models.finding import Finding
|
||||
|
||||
ANTI_VIRUS_KNOWN_PROCESS_NAMES = [
|
||||
u"AvastSvc.exe",
|
||||
u"AvastUI.exe",
|
||||
u"avcenter.exe",
|
||||
u"avconfig.exe",
|
||||
u"avgcsrvx.exe",
|
||||
u"avgidsagent.exe",
|
||||
u"avgnt.exe",
|
||||
u"avgrsx.exe",
|
||||
u"avguard.exe",
|
||||
u"avgui.exe",
|
||||
u"avgwdsvc.exe",
|
||||
u"avp.exe",
|
||||
u"avscan.exe",
|
||||
u"bdagent.exe",
|
||||
u"ccuac.exe",
|
||||
u"egui.exe",
|
||||
u"hijackthis.exe",
|
||||
u"instup.exe",
|
||||
u"keyscrambler.exe",
|
||||
u"mbam.exe",
|
||||
u"mbamgui.exe",
|
||||
u"mbampt.exe",
|
||||
u"mbamscheduler.exe",
|
||||
u"mbamservice.exe",
|
||||
u"MpCmdRun.exe",
|
||||
u"MSASCui.exe",
|
||||
u"MsMpEng.exe",
|
||||
u"rstrui.exe",
|
||||
u"spybotsd.exe",
|
||||
u"zlclient.exe",
|
||||
u"SymCorpUI.exe",
|
||||
u"ccSvcHst.exe",
|
||||
u"ccApp.exe",
|
||||
u"LUALL.exe",
|
||||
u"SMC.exe",
|
||||
u"SMCgui.exe",
|
||||
u"Rtvscan.exe",
|
||||
u"LuComServer.exe",
|
||||
u"ProtectionUtilSurrogate.exe",
|
||||
u"ClientRemote.exe",
|
||||
u"SemSvc.exe",
|
||||
u"SemLaunchSvc.exe",
|
||||
u"sesmcontinst.exe",
|
||||
u"LuCatalog.exe",
|
||||
u"LUALL.exe",
|
||||
u"LuCallbackProxy.exe",
|
||||
u"LuComServer_3_3.exe",
|
||||
u"httpd.exe",
|
||||
u"dbisqlc.exe",
|
||||
u"dbsrv16.exe",
|
||||
u"semapisrv.exe",
|
||||
u"snac64.exe",
|
||||
u"AutoExcl.exe",
|
||||
u"DoScan.exe",
|
||||
u"nlnhook.exe",
|
||||
u"SavUI.exe",
|
||||
u"SepLiveUpdate.exe",
|
||||
u"Smc.exe",
|
||||
u"SmcGui.exe",
|
||||
u"SymCorpUI.exe",
|
||||
u"symerr.exe",
|
||||
u"ccSvcHst.exe",
|
||||
u"DevViewer.exe",
|
||||
u"DWHWizrd.exe",
|
||||
u"RtvStart.exe",
|
||||
u"roru.exe",
|
||||
u"WSCSAvNotifier"
|
||||
]
|
||||
|
||||
|
||||
def test_antivirus_existence(telemetry_json):
|
||||
current_monkey = Monkey.get_single_monkey_by_guid(telemetry_json['monkey_guid'])
|
||||
|
@ -20,7 +90,8 @@ def test_antivirus_existence(telemetry_json):
|
|||
all_processes = telemetry_json['data']['process_list'].items()
|
||||
for process in all_processes:
|
||||
process_name = process[1]['name']
|
||||
if process_name in ANTI_VIRUS_KNOWN_PROCESS_NAMES:
|
||||
# This is for case-insensitive in. Generator expression for memory savings.
|
||||
if process_name.upper() in (known_av_name.upper() for known_av_name in ANTI_VIRUS_KNOWN_PROCESS_NAMES):
|
||||
found_av = True
|
||||
events.append(Event.create_event(
|
||||
title="Found AV process",
|
||||
|
@ -33,4 +104,4 @@ def test_antivirus_existence(telemetry_json):
|
|||
test_status = STATUS_POSITIVE
|
||||
else:
|
||||
test_status = STATUS_CONCLUSIVE
|
||||
Finding.save_finding(test=TEST_ENDPOINT_SECURITY_EXISTS, status=test_status, events=events)
|
||||
Finding.save_finding(test=TEST_ENDPOINT_SECURITY_EXISTS, status=test_status, events=events)
|
||||
|
|
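Review bot: The case-insensitive check added in the second hunk, `if process_name.upper() in (known_av_name.upper() for known_av_name in ANTI_VIRUS_KNOWN_PROCESS_NAMES):`, re-uppercases the entire list for every process in the telemetry, so the "memory savings" the comment claims are paid for with repeated work on every call; build the set once next to the list, `_AV_NAMES_UPPER = frozenset(name.upper() for name in ANTI_VIRUS_KNOWN_PROCESS_NAMES)`, and test `if process_name.upper() in _AV_NAMES_UPPER:`. The new list in the first hunk also carries duplicates that such a set would hide but that should be cleaned up at the source: `LUALL.exe`, `SymCorpUI.exe` and `ccSvcHst.exe` each appear twice, and `SMC.exe`/`Smc.exe` and `SMCgui.exe`/`SmcGui.exe` differ only by case. The final entry `WSCSAvNotifier` is the only one without an `.exe` suffix, which looks like an oversight and is worth confirming against the process names the agent reports. Some entries (`rstrui.exe`, `httpd.exe`) are not AV engines and will produce a "Found AV process" event on hosts without one; a short comment on the list stating what it is meant to detect would help keep it curated. `test_antivirus_existence` starts in the first hunk and its body continues outside the hunks shown here.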