dissect.target.plugins.apps.av.sophos

Module Contents

Classes

SophosPlugin

Base class for plugins.

Attributes

dissect.target.plugins.apps.av.sophos.HitmanAlertRecord
dissect.target.plugins.apps.av.sophos.SophosLogRecord
class dissect.target.plugins.apps.av.sophos.SophosPlugin(target: dissect.target.Target)

Bases: dissect.target.plugin.Plugin

Base class for plugins.

Plugins can optionally be namespaced by specifying the __namespace__ class attribute. Namespacing means your plugin must be prefixed with this namespace when it is called. For example, if your plugin specifies test as its namespace and has a function called example, you must call it as test.example.

A Plugin class has the following private class attributes:

  • __namespace__

  • __record_descriptors__

With the following three being assigned in register():

  • __plugin__

  • __functions__

  • __exports__

Additionally, the methods and attributes of Plugin receive more private attributes by using decorators.

The export() decorator adds the following private attributes

  • __exported__

  • __output__: Set with the export() decorator.

  • __record__: Set with the export() decorator.

The internal() decorator and InternalPlugin set the __internal__ attribute. Finally, the args() decorator sets the __args__ attribute.

Parameters:

target – The Target object to load the plugin for.

__namespace__ = 'sophos'
LOG_SOPHOS_HOME = 'sysvol/ProgramData/Sophos/Clean/Logs/Clean.log'
LOG_SOPHOS_HITMAN = 'sysvol/ProgramData/HitmanPro.Alert/excalibur.db'
MARKER_INFECTION = '{"command":"clean-threat'
LOGS
check_compatible() -> None

Perform a compatibility check with the target.

This function should return None if the plugin is compatible with the current target (self.target). For example, check if a certain file exists. Otherwise it should raise an UnsupportedPluginError.

Raises:

UnsupportedPluginError – If the plugin could not be loaded.

hitmanlogs() -> Iterator[HitmanAlertRecord]

Return alert log records from Sophos Hitman Pro/Alert.

Yields HitmanAlertRecord with the following fields:

  • ts (datetime): Timestamp.

  • alert (string): Type of alert.

  • description (string): Short description of the alert.

  • details (string): Detailed description of the alert.

Note that because Hitman also catches suspicious behaviour of systems, the details field can contain a lot of text, including stack traces.

sophoshomelogs() -> Iterator[SophosLogRecord]

Return log history records from Sophos Home.

Yields SophosLogRecord with the following fields:

  • ts (datetime): Timestamp.

  • description (string): Short description of the alert.

  • path (path): Path to the infected file (if available).
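Added example (not part of dissect.target) showing how a responder would consume the records documented for hitmanlogs() and sophoshomelogs(): it relies only on the field names listed above, truncates the potentially huge details field, and de-duplicates infected paths. The namedtuples, the sample records and the helper names are constructed stand-ins; the lazily imported Target.open()/target.sophos.* calls are the real plugin entry points.

```python
from collections import Counter, namedtuple
from datetime import datetime, timezone
# Stand-ins with the documented field names so the helpers run without a
# forensic image; real records come from target.sophos.hitmanlogs() and
# target.sophos.sophoshomelogs() (the plugin's namespace is 'sophos').
HitmanAlert = namedtuple("HitmanAlert", "ts alert description details")
SophosLog = namedtuple("SophosLog", "ts description path")
DETAILS_PREVIEW = 200  # details may carry stack traces; keep a preview only

def iter_sophos_records(target_path):
    """Open an image with dissect.target and yield both record types."""
    from dissect.target import Target  # lazy import: the rest runs offline
    target = Target.open(target_path)
    yield from target.sophos.hitmanlogs()
    yield from target.sophos.sophoshomelogs()

def summarize_hitman(records):
    """Count alerts per type, find the time window, truncate long details."""
    counts, first, last, previews = Counter(), None, None, []
    for rec in records:
        counts[rec.alert] += 1
        first = rec.ts if first is None or rec.ts < first else first
        last = rec.ts if last is None or rec.ts > last else last
        details = rec.details or ""
        if len(details) > DETAILS_PREVIEW:
            details = details[:DETAILS_PREVIEW] + "...[truncated]"
        previews.append((rec.ts, rec.alert, rec.description, details))
    return {"counts": dict(counts), "first": first, "last": last, "previews": previews}

def infected_paths(records):
    """Unique Sophos Home paths, oldest first; records with no path are skipped."""
    seen = {}
    for rec in sorted(records, key=lambda r: r.ts):
        if rec.path is not None and str(rec.path) not in seen:
            seen[str(rec.path)] = rec.ts
    return list(seen)

# Constructed sample records (not taken from any real system).
UTC = timezone.utc
SAMPLE_HITMAN = [
    HitmanAlert(datetime(2023, 5, 1, 10, tzinfo=UTC), "Exploit", "Suspicious code in browser", "x" * 5000),
    HitmanAlert(datetime(2023, 5, 1, 9, tzinfo=UTC), "Exploit", "Suspicious code in office app", "short"),
    HitmanAlert(datetime(2023, 5, 2, 8, tzinfo=UTC), "CryptoGuard", "Mass file encryption stopped", ""),
]
SAMPLE_HOME = [
    SophosLog(datetime(2023, 5, 3, tzinfo=UTC), "Cleaned", "C:/Users/bob/evil.exe"),
    SophosLog(datetime(2023, 5, 2, tzinfo=UTC), "Cleaned", "C:/Users/bob/evil.exe"),
    SophosLog(datetime(2023, 5, 4, tzinfo=UTC), "Detected", None),
    SophosLog(datetime(2023, 5, 1, tzinfo=UTC), "Cleaned", "C:/Temp/dropper.dll"),
]
```

On a real image, replace the sample lists with `iter_sophos_records("image.E01")` and split the records by type before passing them to the two summarizers.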