
"""
This program is free software: you can redistribute it and/or modify it under
the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License,
or (at your option) any later version.


This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the GNU General Public License for more details.


You should have received a copy of the GNU General Public License
along with this program.  If not, see <https://www.gnu.org/licenses/>.

Copyright © 2019 Cloud Linux Software Inc.

This software is also available under ImunifyAV commercial license,
see <https://www.imunify360.com/legal/eula>
"""
import asyncio
from functools import partial
from pathlib import Path

from defence360agent.feature_management.constants import AV, AV_REPORT, FULL
from defence360agent.feature_management.lookup import feature
from defence360agent.model.simplification import run_in_executor
from defence360agent.rpc_tools.lookup import bind
from defence360agent.utils import Scope
from imav.malwarelib.config import MalwareScanResourceType
from imav.malwarelib.model import MalwareHit
from imav.malwarelib.rpc.endpoints.base import (
    MaliciousEndpointStatus,
    MaliciousEndpoints as MaliciousEndpointsAV,
)
from imav.malwarelib.subsys.malware import HackerTrapHitsSaver


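class MaliciousEndpoints(MaliciousEndpointsAV):
    """Ignore or drop malicious files.

    On top of the AV base endpoints this scope also keeps
    ``malware_standalone_b64.list`` (consumed by modsec rule 77316817)
    in sync, so a path the operator marks as not-actually-malware is
    no longer blocked at the WAF layer. See DEF-38724.

    Both handlers use the same order of operations: the ``MalwareHit``
    rows are changed first, then the affected file paths are handed to
    ``HackerTrapHitsSaver.update_sa_hits`` so the WAF-side list does not
    keep blocking a path whose hit the operator has already dismissed.
    """

    SCOPE = Scope.IM360

    @feature(AV, [FULL, AV_REPORT])
    @bind("malware", "malicious", "move-to-ignore")
    async def malicious_move_to_ignore(self, ids, user=None):
        """Move the given hits to the ignore list and unblock them at the WAF.

        Args:
            ids: hit identifiers, passed through unchanged to the AV base
                implementation ``_malicious_move_to_ignore``.
            user: optional account scope, passed through likewise;
                presumably this is what restricts the operation to that
                account's own hits — confirm in the base implementation.

        Returns:
            The number of entries the base call reported as ignored.
        """
        ignored = await self._malicious_move_to_ignore(ids, user)
        # The base call has already updated the hit rows; drop the same
        # paths from the modsec list so rule 77316817 stops blocking them.
        await HackerTrapHitsSaver.update_sa_hits(
            files_to_add=[],
            files_to_remove=[Path(f) for f in ignored],
        )
        return len(ignored)

    @feature(AV, [FULL, AV_REPORT])
    @bind("malware", "malicious", "remove-from-list")
    async def malicious_remove_from_list(self, ids, user=None):
        """Delete the given hits and unblock their files at the WAF.

        The AV base implementation drops the ``MalwareHit`` rows but
        leaves the path in ``malware_standalone_b64.list``, so modsec
        rule 77316817 would keep blocking it; this override does both.

        Args:
            ids: hit identifiers to delete.
            user: optional account scope forwarded to
                ``MalwareHit.malicious_select``; presumably it limits the
                selection to that account's hits — confirm there.

        Returns:
            ``MaliciousEndpointStatus`` built from the selected hits and
            an empty second list.
        """
        # Peewee calls block, so they run in the executor, mirroring
        # _malicious_move_to_ignore. Resolve the loop once: inside a
        # coroutine get_running_loop() yields the same loop that
        # get_event_loop() did, without the deprecated policy fallback.
        loop = asyncio.get_running_loop()
        hits_to_remove = await run_in_executor(
            loop, partial(MalwareHit.malicious_select, ids, user=user)
        )
        # Only FILE-type hits are forwarded to the modsec list; hits of
        # any other resource type are left out of sa_paths_to_remove.
        # NOTE(review): hits_to_remove is iterated here and handed to
        # delete_instances below; if malicious_select returns an
        # un-cached lazy query that is two round trips — confirm.
        sa_paths_to_remove = [
            Path(hit.orig_file)
            for hit in hits_to_remove
            if hit.resource_type == MalwareScanResourceType.FILE.value
        ]
        await run_in_executor(
            loop, partial(MalwareHit.delete_instances, hits_to_remove)
        )
        await HackerTrapHitsSaver.update_sa_hits(
            files_to_add=[], files_to_remove=sa_paths_to_remove
        )
        return MaliciousEndpointStatus(hits_to_remove, [])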
