From aaab4a479c5f65b9914dca20da992a02a5f4ed90 Mon Sep 17 00:00:00 2001
From: Shay Nehmad
Date: Mon, 19 Aug 2019 11:56:05 +0300
Subject: [PATCH] Added doc to consts file, and moved AV list to AV file
---
monkey/common/data/zero_trust_consts.py | 15 ++--
.../zero_trust_tests/antivirus_existence.py | 77 ++++++++++++++++++-
2 files changed, 83 insertions(+), 9 deletions(-)
diff --git a/monkey/common/data/zero_trust_consts.py b/monkey/common/data/zero_trust_consts.py
index 05edc4faa..dbb28a991 100644
--- a/monkey/common/data/zero_trust_consts.py
+++ b/monkey/common/data/zero_trust_consts.py
@@ -1,3 +1,11 @@
+"""
+This file contains all the static data relating to Zero Trust. It is mostly used in the zero trust report generation and
+in creating findings.
+
+This file contains static mappings between zero trust components such as: pillars, directives, tests, statuses. Some of
+the mappings are computed when this module is loaded.
+"""
+
 AUTOMATION_ORCHESTRATION = u"Automation & Orchestration"
 VISIBILITY_ANALYTICS = u"Visibility & Analytics"
 WORKLOADS = u"Workloads"
@@ -11,7 +19,7 @@ STATUS_UNEXECUTED = u"Unexecuted"
 STATUS_POSITIVE = u"Positive"
 STATUS_INCONCLUSIVE = u"Inconclusive"
 STATUS_CONCLUSIVE = u"Conclusive"
-# Don't change order!
+# Don't change order! The statuses are ordered by importance/severity.
 ORDERED_TEST_STATUSES = [STATUS_CONCLUSIVE, STATUS_INCONCLUSIVE, STATUS_POSITIVE, STATUS_UNEXECUTED]
 TEST_DATA_ENDPOINT_ELASTIC = u"unencrypted_data_endpoint_elastic"
@@ -170,8 +178,3 @@ EVENT_TYPE_ISLAND = "island"
 EVENT_TYPE_MONKEY_NETWORK = "monkey_network"
 EVENT_TYPE_MONKEY_LOCAL = "monkey_local"
 EVENT_TYPES = (EVENT_TYPE_MONKEY_LOCAL, EVENT_TYPE_MONKEY_NETWORK, EVENT_TYPE_ISLAND)
-
-ANTI_VIRUS_KNOWN_PROCESS_NAMES = [
- u"SSPService.exe",
- u"ipython.exe"
-]
diff --git a/monkey/monkey_island/cc/services/telemetry/zero_trust_tests/antivirus_existence.py b/monkey/monkey_island/cc/services/telemetry/zero_trust_tests/antivirus_existence.py
index f18e28a1a..e272ae699 100644
--- a/monkey/monkey_island/cc/services/telemetry/zero_trust_tests/antivirus_existence.py
+++ b/monkey/monkey_island/cc/services/telemetry/zero_trust_tests/antivirus_existence.py
@@ -1,11 +1,81 @@
 import json
-from common.data.zero_trust_consts import EVENT_TYPE_MONKEY_LOCAL, ANTI_VIRUS_KNOWN_PROCESS_NAMES, EVENT_TYPE_ISLAND, \
+from common.data.zero_trust_consts import EVENT_TYPE_MONKEY_LOCAL, EVENT_TYPE_ISLAND, \
 STATUS_POSITIVE, STATUS_CONCLUSIVE, TEST_ENDPOINT_SECURITY_EXISTS
 from monkey_island.cc.models import Monkey
 from monkey_island.cc.models.event import Event
 from monkey_island.cc.models.finding import Finding
+ANTI_VIRUS_KNOWN_PROCESS_NAMES = [
+ u"AvastSvc.exe",
+ u"AvastUI.exe",
+ u"avcenter.exe",
+ u"avconfig.exe",
+ u"avgcsrvx.exe",
+ u"avgidsagent.exe",
+ u"avgnt.exe",
+ u"avgrsx.exe",
+ u"avguard.exe",
+ u"avgui.exe",
+ u"avgwdsvc.exe",
+ u"avp.exe",
+ u"avscan.exe",
+ u"bdagent.exe",
+ u"ccuac.exe",
+ u"egui.exe",
+ u"hijackthis.exe",
+ u"instup.exe",
+ u"keyscrambler.exe",
+ u"mbam.exe",
+ u"mbamgui.exe",
+ u"mbampt.exe",
+ u"mbamscheduler.exe",
+ u"mbamservice.exe",
+ u"MpCmdRun.exe",
+ u"MSASCui.exe",
+ u"MsMpEng.exe",
+ u"rstrui.exe",
+ u"spybotsd.exe",
+ u"zlclient.exe",
+ u"SymCorpUI.exe",
+ u"ccSvcHst.exe",
+ u"ccApp.exe",
+ u"LUALL.exe",
+ u"SMC.exe",
+ u"SMCgui.exe",
+ u"Rtvscan.exe",
+ u"LuComServer.exe",
+ u"ProtectionUtilSurrogate.exe",
+ u"ClientRemote.exe",
+ u"SemSvc.exe",
+ u"SemLaunchSvc.exe",
+ u"sesmcontinst.exe",
+ u"LuCatalog.exe",
+ u"LUALL.exe",
+ u"LuCallbackProxy.exe",
+ u"LuComServer_3_3.exe",
+ u"httpd.exe",
+ u"dbisqlc.exe",
+ u"dbsrv16.exe",
+ u"semapisrv.exe",
+ u"snac64.exe",
+ u"AutoExcl.exe",
+ u"DoScan.exe",
+ u"nlnhook.exe",
+ u"SavUI.exe",
+ u"SepLiveUpdate.exe",
+ u"Smc.exe",
+ u"SmcGui.exe",
+ u"SymCorpUI.exe",
+ u"symerr.exe",
+ u"ccSvcHst.exe",
+ u"DevViewer.exe",
+ u"DWHWizrd.exe",
+ u"RtvStart.exe",
+ u"roru.exe",
+ u"WSCSAvNotifier"
+]
+
 def test_antivirus_existence(telemetry_json):
 current_monkey = Monkey.get_single_monkey_by_guid(telemetry_json['monkey_guid'])
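Review bot: The new ANTI_VIRUS_KNOWN_PROCESS_NAMES list has duplicate entries — `LUALL.exe`, `SymCorpUI.exe` and `ccSvcHst.exe` each appear twice, and `SMC.exe`/`Smc.exe` and `SMCgui.exe`/`SmcGui.exe` differ only in case — and the final entry `WSCSAvNotifier` is the only one without an `.exe` suffix, which looks like a typo that will never match a reported process name. Since the constant is only used for membership tests, a deduplicated set of already-normalised names would drop the duplicates and make per-process case-folding in the matching loop unnecessary, e.g. `ANTI_VIRUS_KNOWN_PROCESS_NAMES = frozenset(name.upper() for name in (...))`, with callers comparing `process_name.upper()` against it. A few names are not endpoint-security products — `httpd.exe` is the Apache web server binary and `rstrui.exe` is Windows System Restore — so a host running only a web server would satisfy this check and presumably reach the `STATUS_POSITIVE` branch visible in the next hunk; consider removing the generic names or documenting why they are listed. A short comment above the list stating the curation rule would help keep it maintainable, e.g. `# Process names of known endpoint-security products, matched case-insensitively. Keep entries unique and include the file extension.`. `test_antivirus_existence` begins at the end of this hunk and its body continues outside it.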
@@ -20,7 +90,8 @@ def test_antivirus_existence(telemetry_json):
 all_processes = telemetry_json['data']['process_list'].items()
 for process in all_processes:
 process_name = process[1]['name']
- if process_name in ANTI_VIRUS_KNOWN_PROCESS_NAMES:
+ # This is for case-insensitive in. Generator expression for memory savings.
+ if process_name.upper() in (known_av_name.upper() for known_av_name in ANTI_VIRUS_KNOWN_PROCESS_NAMES):
 found_av = True
 events.append(Event.create_event(
 title="Found AV process",
@@ -33,4 +104,4 @@ def test_antivirus_existence(telemetry_json):
 test_status = STATUS_POSITIVE
 else:
 test_status = STATUS_CONCLUSIVE
- Finding.save_finding(test=TEST_ENDPOINT_SECURITY_EXISTS, status=test_status, events=events)
\ No newline at end of file
+ Finding.save_finding(test=TEST_ENDPOINT_SECURITY_EXISTS, status=test_status, events=events)
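Review bot: The generator expression on the new `if` line re-uppercases every known AV name for each entry in `process_list`, so the "memory savings" comment trades a one-off set of a few dozen short strings for O(processes × names) `upper()` calls and a linear scan per telemetry message; build the normalised set once before the `for process in all_processes:` loop, `known_av_names = {name.upper() for name in ANTI_VIRUS_KNOWN_PROCESS_NAMES}`, and test `if process_name.upper() in known_av_names:`, which is also an O(1) membership check. `process_name.upper()` further assumes every process entry in the agent-supplied telemetry carries a string `name`; if a missing or non-string value is possible there, `process[1].get('name', '')` or an `isinstance` check would keep one malformed entry from aborting the whole test — worth confirming against the agent-side collector. `test_antivirus_existence` starts and ends outside this hunk.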