dissect.target.plugins.apps.av.sophos

Module Contents

Classes

SophosPlugin

Sophos antivirus plugin.

Attributes

dissect.target.plugins.apps.av.sophos.HitmanAlertRecord
dissect.target.plugins.apps.av.sophos.SophosLogRecord

class dissect.target.plugins.apps.av.sophos.SophosPlugin(target: dissect.target.Target)

Bases: dissect.target.plugin.Plugin

Sophos antivirus plugin.

__namespace__ = 'sophos'

Defines the plugin namespace.

LOG_SOPHOS_HOME = 'sysvol/ProgramData/Sophos/Clean/Logs/Clean.log'
LOG_SOPHOS_HITMAN = 'sysvol/ProgramData/HitmanPro.Alert/excalibur.db'
MARKER_INFECTION = '{"command":"clean-threat'
LOGS
codepage
check_compatible() -> None

Perform a compatibility check with the target.

This function should return None if the plugin is compatible with the current target (self.target). For example, check if a certain file exists. Otherwise it should raise an UnsupportedPluginError.

Raises:

UnsupportedPluginError – If the plugin could not be loaded.

hitmanlogs() -> Iterator[HitmanAlertRecord]

Return alert log records from Sophos Hitman Pro/Alert.

Yields HitmanAlertRecord with the following fields:

ts (datetime): Timestamp.
alert (string): Type of Alert.
description (string): Short description of the alert.
details (string): Detailed description of the alert.

Note that because Hitman also catches suspicious behaviour on the system, the details field may contain a lot of text, including stack traces.

sophoshomelogs() -> Iterator[SophosLogRecord]

Return log history records from Sophos Home.

Yields SophosLogRecord with the following fields:

ts (datetime): Timestamp.
description (string): Short description of the alert.
path (path): Path to the infected file (if available).
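The following is an added, standalone illustration of the marker-based filtering that sophoshomelogs() documents (MARKER_INFECTION against Clean.log), not the plugin's own implementation. The real Clean.log layout is not described on this page, so the line shape (a timestamp prefix followed by a JSON object) and the JSON keys "threat" and "path" are assumptions; the sample log lines are constructed. It yields records with the same ts / description / path fields the plugin's SophosLogRecord carries.

```python
import json
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Iterator, List, Optional

# Same marker the plugin uses to pick out infection entries in Clean.log.
MARKER_INFECTION = '{"command":"clean-threat'


@dataclass
class SophosLogRecord:
    """Mirror of the documented record fields (ts, description, path)."""
    ts: datetime
    description: str
    path: Optional[str]


# Constructed sample lines. The prefix/JSON layout and the keys below are
# assumptions for this example, not the documented Sophos Home format.
SAMPLE_CLEAN_LOG: List[str] = [
    '2023-05-01T10:00:00Z {"command":"clean-status","status":"idle"}',
    r'2023-05-01T10:05:12Z {"command":"clean-threat","threat":"Mal/Generic-S","path":"C:\\Users\\bob\\Downloads\\invoice.exe"}',
    '2023-05-01T10:07:03Z this line is not JSON and should be skipped',
    '2023-05-01T10:09:45Z {"command":"clean-threat","threat":"Troj/Agent-ABC"}',
    '2023-05-01T10:11:00Z {"command":"clean-threat","threat":"truncated entry',
]


def parse_clean_log(lines: List[str]) -> Iterator[SophosLogRecord]:
    """Yield one record per line that carries the clean-threat marker.

    Lines without the marker are skipped outright; lines whose JSON payload
    does not parse (for example a truncated write) are skipped as well rather
    than aborting the whole scan.
    """
    for line in lines:
        marker_at = line.find(MARKER_INFECTION)
        if marker_at == -1:
            continue
        prefix = line[:marker_at].strip()
        try:
            payload = json.loads(line[marker_at:])
        except json.JSONDecodeError:
            continue
        try:
            ts = datetime.strptime(prefix, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        except ValueError:
            continue
        yield SophosLogRecord(
            ts=ts,
            description=payload.get("threat", "unknown threat"),
            path=payload.get("path"),  # None when Sophos logged no file path
        )


def infections(lines: List[str]) -> List[SophosLogRecord]:
    """Convenience wrapper returning the parsed records as a list."""
    return list(parse_clean_log(lines))


if __name__ == "__main__":
    for rec in infections(SAMPLE_CLEAN_LOG):
        print(rec.ts.isoformat(), rec.description, rec.path)
```

On a real target the records come from the plugin itself (by dissect's namespace convention, target.sophos.sophoshomelogs()); this version only shows why a marker filter with per-line error handling is the right shape for a log that may contain unrelated commands and partially written entries.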