dissect.target.plugins.apps.av.trendmicro

Module Contents

Classes

TrendMicroPlugin

TrendMicro antivirus plugin.

Attributes

dissect.target.plugins.apps.av.trendmicro.TrendMicroWFLogRecord
dissect.target.plugins.apps.av.trendmicro.TrendMicroWFFirewallRecord
dissect.target.plugins.apps.av.trendmicro.pfwlog_def = Multiline-String
"""
struct firewall_entry {
    char      _pad1[1];
    char      direction;
    uint16    port;
    uint32    timestamp;
    char      _pad2[8];
    char      local_ip[65];
    char      remote_ip[65];
    char      path[520];
    wchar     description[128];
    char      _pad3[10];
};
"""
dissect.target.plugins.apps.av.trendmicro.c_pfwlog
class dissect.target.plugins.apps.av.trendmicro.TrendMicroPlugin(target: dissect.target.Target)

Bases: dissect.target.plugin.Plugin

TrendMicro antivirus plugin.

__namespace__ = 'trendmicro'

Defines the plugin namespace.

LOG_FOLDER = 'sysvol/Program Files (x86)/Trend Micro/Security Agent'
LOG_FILE_FIREWALL = 'sysvol/Program Files (x86)/Trend Micro/Security Agent/PFW/PfwLog_*.dat'
LOG_FILE_INFECTIONS = 'sysvol/Program Files (x86)/Trend Micro/Security Agent/Misc/pccnt35.log'
codepage
check_compatible() -> None

Perform a compatibility check with the target.

This function should return None if the plugin is compatible with the current target (self.target). For example, check if a certain file exists. Otherwise it should raise an UnsupportedPluginError.

Raises:

UnsupportedPluginError – If the plugin could not be loaded.

wflogs() -> Iterator[TrendMicroWFLogRecord]

Return Trend Micro Worry-free log history records.

Yields TrendMicroWFLogRecord with the following fields:

hostname (string): The target hostname.
domain (string): The target domain.
ts (datetime): Timestamp of the log entry.
threat (string): Description of the detected threat.
path (string): Path to the file associated with the threat.
filename (string): Name of the file associated with the threat.
lineno (uint16): Line number in the log file, for reference in further investigation.
wffirewall() -> Iterator[TrendMicroWFFirewallRecord]

Return Trend Micro Worry-free firewall log history records.

Yields TrendMicroWFFirewallRecord with the following fields:

hostname (string): The target hostname.
domain (string): The target domain.
ts (datetime): Timestamp of the log entry.
local_ip (net.ipaddress): Local IPv4/IPv6 address.
remote_ip (net.ipaddress): Remote IPv4/IPv6 address.
port (uint16): Port of the suspicious connection.
direction (string): Direction of the traffic.
path (string): Path to the object that initiated or received the connection.
description (string): Description of the detected threat.
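The firewall_entry layout in pfwlog_def above maps directly onto the fields wffirewall() yields. The following is an added, stand-alone example (not part of dissect.target) that parses that record layout from a PfwLog_*.dat-style byte buffer using only the standard library, so the format can be inspected without the cstruct definition. It assumes little-endian byte order, a 2-byte UTF-16-LE wchar, NUL-terminated string fields, and a uint32 timestamp in UNIX epoch seconds (UTC); none of those are stated on the page. The codepage for the char fields is a parameter here (the plugin exposes a codepage attribute; how it is derived is not shown on the page). The sample records and the 'I'/'O' direction bytes are constructed for this example and are not Trend Micro's actual encoding.

```python
"""Parse Trend Micro Worry-Free PfwLog_*.dat firewall records (added example)."""
import struct
from datetime import datetime, timezone
from typing import Iterator

# struct firewall_entry from pfwlog_def, as a struct format string.
# Assumptions: little-endian ("<"), wchar == 2 bytes UTF-16-LE (256 bytes for
# description[128]), and '_padN' fields skipped with 'x'.
PFWLOG_FORMAT = "<xcHI8x65s65s520s256s10x"
PFWLOG_SIZE = struct.calcsize(PFWLOG_FORMAT)  # 932 bytes per record


def _cstr(raw: bytes, encoding: str) -> str:
    """Decode a NUL-terminated fixed-width char[] field."""
    return raw.split(b"\x00", 1)[0].decode(encoding, errors="replace")


def _wstr(raw: bytes) -> str:
    """Decode a NUL-terminated fixed-width wchar[] field (UTF-16-LE assumed)."""
    return raw.decode("utf-16-le", errors="replace").split("\x00", 1)[0]


def parse_pfwlog(data: bytes, codepage: str = "utf-8") -> Iterator[dict]:
    """Yield one dict per complete firewall_entry found in data.

    A trailing partial record (truncated or still-being-written log) is
    skipped instead of raising, so a damaged tail does not hide earlier
    records. The uint32 timestamp is treated as epoch seconds, UTC (assumption).
    """
    for offset in range(0, len(data) - PFWLOG_SIZE + 1, PFWLOG_SIZE):
        direction, port, ts, local_ip, remote_ip, path, description = (
            struct.unpack_from(PFWLOG_FORMAT, data, offset)
        )
        yield {
            "ts": datetime.fromtimestamp(ts, tz=timezone.utc),
            "direction": direction.decode("ascii", errors="replace"),
            "port": port,
            "local_ip": _cstr(local_ip, codepage),
            "remote_ip": _cstr(remote_ip, codepage),
            "path": _cstr(path, codepage),
            "description": _wstr(description),
        }


def build_record(direction: str, port: int, ts: int, local_ip: str,
                 remote_ip: str, path: str, description: str) -> bytes:
    """Pack one firewall_entry; used only to construct sample input here.

    struct.pack NUL-pads each 's' field to its declared width.
    """
    return struct.pack(
        PFWLOG_FORMAT,
        direction.encode("ascii"), port, ts,
        local_ip.encode(), remote_ip.encode(), path.encode(),
        description.encode("utf-16-le"),
    )


# Constructed sample log: two complete records plus a truncated tail.
# 'O'/'I' direction bytes and all addresses/paths are made up for this example.
SAMPLE_LOG = (
    build_record("O", 4444, 1700000000, "192.0.2.10", "198.51.100.23",
                 r"C:\Users\alice\AppData\Local\Temp\update.exe",
                 "Suspicious outbound connection")
    + build_record("I", 445, 1700000060, "192.0.2.10", "203.0.113.5",
                   r"C:\Windows\System32\svchost.exe", "Blocked inbound SMB")
    + b"\x00" * 17  # partial record, must be ignored by the parser
)

if __name__ == "__main__":
    for rec in parse_pfwlog(SAMPLE_LOG):
        print(rec["ts"].isoformat(), rec["direction"], rec["remote_ip"],
              rec["port"], rec["path"], "-", rec["description"])
```

For a real target, pass the bytes of each PfwLog_*.dat file under the LOG_FOLDER path listed above and supply the target's codepage; the plugin's wffirewall() additionally attaches hostname and domain, which this parser does not know.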