:py:mod:`dissect.target.plugins.apps.av.mcafee`
===============================================

.. py:module:: dissect.target.plugins.apps.av.mcafee


Module Contents
---------------

Classes
~~~~~~~

.. autoapisummary::

   dissect.target.plugins.apps.av.mcafee.McAfeePlugin


Attributes
~~~~~~~~~~

.. autoapisummary::

   dissect.target.plugins.apps.av.mcafee.McAfeeMscLogRecord
   dissect.target.plugins.apps.av.mcafee.McAfeeMscFirewallRecord
   dissect.target.plugins.apps.av.mcafee.re_cdata
   dissect.target.plugins.apps.av.mcafee.re_strip_tags


.. py:data:: McAfeeMscLogRecord

.. py:data:: McAfeeMscFirewallRecord

.. py:data:: re_cdata

.. py:data:: re_strip_tags

.. py:class:: McAfeePlugin(target: dissect.target.target.Target)

   Bases: :py:obj:`dissect.target.plugin.Plugin`

   McAfee antivirus plugin.

   .. py:attribute:: __namespace__
      :value: 'mcafee'

      Defines the plugin namespace.

   .. py:attribute:: DIRS
      :value: ('sysvol/ProgramData/McAfee/MSC/Logs', '/opt/McAfee/ens/log/tp', '/opt/McAfee/ens/log/esp')

   .. py:attribute:: LOG_FILE_PATTERN
      :value: '*.log'

   .. py:attribute:: TEMPLATE_ID_INFECTION
      :value: 102

   .. py:attribute:: MARKER_INFECTION
      :value: '%INFECTION_INFO%'

   .. py:attribute:: MARKER_SUSPICIOUS_TCP_CONNECTION
      :value: 'TCP port '

   .. py:attribute:: MARKER_SUSPICIOUS_UDP_CONNECTION
      :value: 'UDP port '

   .. py:attribute:: TABLE_LOG
      :value: 'log'

   .. py:attribute:: TABLE_FIELD
      :value: 'field'

   .. py:method:: check_compatible() -> None

      Perform a compatibility check with the target.

      This function should return ``None`` if the plugin is compatible with the current target (``self.target``), for example after checking that a certain file exists. Otherwise it should raise an :class:`UnsupportedPluginError`.

      :raises UnsupportedPluginError: If the plugin could not be loaded.

   .. py:method:: get_log_files() -> collections.abc.Iterator[pathlib.Path]

   .. py:method:: msc() -> collections.abc.Iterator[McAfeeMscLogRecord]

      Return MSC log history records from McAfee.

      Yields McAfeeMscLogRecord with the following fields:

      .. code-block:: text

          hostname (string): The target hostname.
          domain (string): The target domain.
          ts (datetime): Timestamp.
          ip (net.ipaddress): IP of the suspicious connection (if available).
          tcp_port (net.tcp.Port): TCP port of the suspicious incoming connection (if available).
          udp_port (net.udp.Port): UDP port of the suspicious incoming connection (if available).
          threat (string): Description of the detected threat (if available).
          message (string): Message as reported in the user interface (might include template slots).
          keywords (string): Unparsed fields that might be visible in the user interface.
          fkey (string): Foreign key for reference for further investigation.
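The following is an added illustration, not code from dissect.target: it shows how the marker values listed above (``%INFECTION_INFO%``, ``TCP port ``, ``UDP port ``) can drive the split into ``message``, ``tcp_port`` and ``udp_port``, after CDATA unwrapping and tag stripping in the spirit of ``re_cdata`` / ``re_strip_tags``. The regex patterns and the CDATA-wrapped sample entries are constructed assumptions, not McAfee's actual log format.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed example, not the dissect.target module's own code. These two regexes play the
# role the page's re_cdata / re_strip_tags names suggest; their patterns are an assumption.
RE_CDATA = re.compile(r"<!\[CDATA\[(.*?)\]\]>", re.DOTALL)
RE_STRIP_TAGS = re.compile(r"<[^>]+>")
RE_PORT = re.compile(r"\b(TCP|UDP) port (\d{1,5})\b")

# Marker values as listed on the page.
MARKER_INFECTION = "%INFECTION_INFO%"
MARKER_SUSPICIOUS_TCP_CONNECTION = "TCP port "
MARKER_SUSPICIOUS_UDP_CONNECTION = "UDP port "


@dataclass
class MscEvent:
    message: str                 # cleaned text as it would appear in the UI
    tcp_port: Optional[int]      # set only for a suspicious incoming TCP connection
    udp_port: Optional[int]      # set only for a suspicious incoming UDP connection
    has_template_slot: bool      # True if %INFECTION_INFO% was left unexpanded


def clean_text(raw: str) -> str:
    """Unwrap CDATA sections first, then strip any remaining markup."""
    unwrapped = RE_CDATA.sub(lambda m: m.group(1), raw)
    return RE_STRIP_TAGS.sub("", unwrapped).strip()


def parse_message(raw: str) -> MscEvent:
    """Classify one message using the TCP/UDP markers; out-of-range ports are dropped."""
    message = clean_text(raw)
    tcp_port = udp_port = None
    if MARKER_SUSPICIOUS_TCP_CONNECTION in message or MARKER_SUSPICIOUS_UDP_CONNECTION in message:
        match = RE_PORT.search(message)
        port = int(match.group(2)) if match else 0
        if 0 < port <= 65535:            # reject values such as "UDP port 99999"
            if match.group(1) == "TCP":
                tcp_port = port
            else:
                udp_port = port
    return MscEvent(message, tcp_port, udp_port, MARKER_INFECTION in message)


# Constructed sample entries in a CDATA-wrapped, markup-bearing style (not a real McAfee log).
SAMPLE_TCP = "<Message><![CDATA[Blocked incoming connection on <b>TCP port 445</b>]]></Message>"
SAMPLE_UDP = "<Message><![CDATA[Blocked incoming connection on UDP port 99999]]></Message>"
SAMPLE_INFECTION = "<Message><![CDATA[Quarantined <i>%INFECTION_INFO%</i>]]></Message>"
```

Running ``parse_message`` over the three samples yields a TCP event on port 445, a UDP event whose invalid port is left unset, and an infection message whose template slot is flagged rather than treated as a resolved threat name.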