dissect.target.plugins.apps.av.mcafee¶
Module Contents¶
Classes¶
McAfee antivirus plugin. |
Attributes¶
- dissect.target.plugins.apps.av.mcafee.McAfeeMscLogRecord¶
- dissect.target.plugins.apps.av.mcafee.McAfeeMscFirewallRecord¶
- dissect.target.plugins.apps.av.mcafee.re_cdata¶
- dissect.target.plugins.apps.av.mcafee.re_strip_tags¶
- class dissect.target.plugins.apps.av.mcafee.McAfeePlugin(target: dissect.target.Target)¶
Bases:
dissect.target.plugin.PluginMcAfee antivirus plugin.
- __namespace__ = 'mcafee'¶
Defines the plugin namespace.
- DIRS = ['sysvol/ProgramData/McAfee/MSC/Logs', '/opt/McAfee/ens/log/tp', '/opt/McAfee/ens/log/esp']¶
- LOG_FILE_PATTERN = '*.log'¶
- TEMPLATE_ID_INFECTION = 102¶
- MARKER_INFECTION = '%INFECTION_INFO%'¶
- MARKER_SUSPICIOUS_TCP_CONNECTION = 'TCP port '¶
- MARKER_SUSPICIOUS_UDP_CONNECTION = 'UDP port '¶
- TABLE_LOG = 'log'¶
- TABLE_FIELD = 'field'¶
- check_compatible() None¶
Perform a compatibility check with the target.
This function should return
Noneif the plugin is compatible with the current target (self.target). For example, check if a certain file exists. Otherwise it should raise anUnsupportedPluginError.- Raises:
UnsupportedPluginError – If the plugin could not be loaded.
- get_log_files() Iterator[pathlib.Path]¶
- msc() Iterator[McAfeeMscLogRecord]¶
Return msc log history records from McAfee.
Yields McAfeeMscLogRecord with the following fields:
hostname (string): The target hostname. domain (string): The target domain. ts (datetime): timestamp. ip (net.ipadress): IP of suspicious connection (if available). tcp_port (net.tcp.Port): TCP Port of suspicious incoming connection (if available). udp_port (net.udp.Port): UDP Port of suspicious incoming connection (if available). threat (string): Description of the detected threat (if available). message (string): Message as reported in the user interface (might include template slots). keywords (string): Unparsed fields that might be visible in user interface. fkey (string): Foreign key for reference for further investigation.