:py:mod:`dissect.target.plugins.apps.av.sophos`
===============================================

.. py:module:: dissect.target.plugins.apps.av.sophos


Module Contents
---------------

Classes
~~~~~~~

.. autoapisummary::

   dissect.target.plugins.apps.av.sophos.SophosPlugin


Attributes
~~~~~~~~~~

.. autoapisummary::

   dissect.target.plugins.apps.av.sophos.HitmanAlertRecord
   dissect.target.plugins.apps.av.sophos.SophosLogRecord


.. py:data:: HitmanAlertRecord

.. py:data:: SophosLogRecord

.. py:class:: SophosPlugin(target: dissect.target.target.Target)

   Bases: :py:obj:`dissect.target.plugin.Plugin`

   Sophos antivirus plugin.

   .. py:attribute:: __namespace__
      :value: 'sophos'

      Defines the plugin namespace.

   .. py:attribute:: LOG_SOPHOS_HOME
      :value: 'sysvol/ProgramData/Sophos/Clean/Logs/Clean.log'

   .. py:attribute:: LOG_SOPHOS_HITMAN
      :value: 'sysvol/ProgramData/HitmanPro.Alert/excalibur.db'

   .. py:attribute:: MARKER_INFECTION
      :value: '{"command":"clean-threat'

   .. py:attribute:: LOGS

   .. py:attribute:: codepage

   .. py:method:: check_compatible() -> None

      Perform a compatibility check with the target.

      This function should return ``None`` if the plugin is compatible with the current target (``self.target``).
      For example, check if a certain file exists.
      Otherwise it should raise an :class:`UnsupportedPluginError`.

      :raises UnsupportedPluginError: If the plugin could not be loaded.

   .. py:method:: hitmanlogs() -> collections.abc.Iterator[HitmanAlertRecord]

      Return alert log records from Sophos Hitman Pro/Alert.

      Yields HitmanAlertRecord with the following fields:

      .. code-block:: text

         ts (datetime): Timestamp.
         alert (string): Type of Alert.
         description (string): Short description of the alert.
         details (string): Detailed description of the alert.

      Note that because Hitman also catches suspicious behaviour of systems, the details field might contain
      a lot of text; it might contain stack traces etc.

   .. py:method:: sophoshomelogs() -> collections.abc.Iterator[SophosLogRecord]

      Return log history records from Sophos Home.

      Yields SophosLogRecord with the following fields:

      .. code-block:: text

         ts (datetime): Timestamp.
         description (string): Short description of the alert.
         path (path): Path to the infected file (if available).
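The marker-based scan that the ``MARKER_INFECTION`` attribute implies, as an added stand-alone example (not dissect.target's own implementation): it walks a constructed ``Clean.log`` text, keeps only lines carrying the ``{"command":"clean-threat`` marker, and emits records with the ``ts``, ``description`` and ``path`` fields documented for ``SophosLogRecord``. The line layout (timestamp, then a JSON command object) and the JSON keys ``name`` and ``path`` are assumptions made for the sample data, not the real Sophos Home log format.

```python
import json
from datetime import datetime, timezone
from typing import Iterator, NamedTuple, Optional

# Marker as documented for SophosPlugin.MARKER_INFECTION.
MARKER_INFECTION = '{"command":"clean-threat'

# Constructed sample log: the layout "<timestamp> <json>" and the keys
# "name"/"path" are assumptions for this example, not the real format.
# Line 1 is status chatter, line 3 is a deliberately truncated entry.
SAMPLE_CLEAN_LOG = r"""
2023-05-01 10:00:01 {"command":"status","state":"idle"}
2023-05-01 10:05:42 {"command":"clean-threat","name":"Troj/Agent-ABC","path":"C:\\Users\\bob\\Downloads\\invoice.exe"}
2023-05-01 10:06:00 {"command":"clean-threat","name":"EICAR-AV-Test"
"""


class SophosLogRecord(NamedTuple):
    ts: Optional[datetime]
    description: str
    path: Optional[str]


def parse_clean_log(text: str) -> Iterator[SophosLogRecord]:
    """Yield one record per line that carries the clean-threat marker.

    Lines without the marker are skipped. A marker line whose JSON payload
    is truncated still produces a record (with no path) so that evidence of
    a cleaned threat is never silently dropped by a parse error.
    """
    for line in text.splitlines():
        idx = line.find(MARKER_INFECTION)
        if idx == -1:
            continue
        ts: Optional[datetime]
        try:
            ts = datetime.strptime(line[:idx].strip(), "%Y-%m-%d %H:%M:%S")
            ts = ts.replace(tzinfo=timezone.utc)
        except ValueError:
            ts = None  # keep the record even if the timestamp is malformed
        try:
            obj = json.loads(line[idx:])
            description = f"Cleaned threat: {obj.get('name', 'unknown')}"
            path = obj.get("path")
        except json.JSONDecodeError:
            description = "Cleaned threat (truncated log entry)"
            path = None
        yield SophosLogRecord(ts=ts, description=description, path=path)
```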