dissect.target.plugins.apps.av.trendmicro

Module Contents

Classes

TrendMicroPlugin

Base class for plugins.

Attributes

dissect.target.plugins.apps.av.trendmicro.TrendMicroWFLogRecord
dissect.target.plugins.apps.av.trendmicro.TrendMicroWFFirewallRecord
dissect.target.plugins.apps.av.trendmicro.pfwlog_def = Multiline-String
"""
struct firewall_entry {
    char      _pad1[1];
    char      direction;
    uint16    port;
    uint32    timestamp;
    char      _pad2[8];
    char      local_ip[65];
    char      remote_ip[65];
    char      path[520];
    wchar     description[128];
    char      _pad3[10];
};
"""
dissect.target.plugins.apps.av.trendmicro.c_pfwlog
class dissect.target.plugins.apps.av.trendmicro.TrendMicroPlugin(target: dissect.target.Target)

Bases: dissect.target.plugin.Plugin

Base class for plugins.

Plugins can optionally be namespaced by specifying the __namespace__ class attribute. Namespacing results in your plugin needing to be prefixed with this namespace when being called. For example, if your plugin has specified test as namespace and a function called example, you must call your plugin with test.example:

A Plugin class has the following private class attributes:

  • __namespace__

  • __record_descriptors__

With the following three being assigned in register():

  • __plugin__

  • __functions__

  • __exports__

Additionally, the methods and attributes of Plugin receive more private attributes by using decorators.

The export() decorator adds the following private attributes

  • __exported__

  • __output__: Set with the export() decorator.

  • __record__: Set with the export() decorator.

The internal() decorator and InternalPlugin set the __internal__ attribute. Finally, the args() decorator sets the __args__ attribute.

Parameters:

target – The Target object to load the plugin for.

__namespace__ = 'trendmicro'
LOG_FOLDER = 'sysvol/Program Files (x86)/Trend Micro/Security Agent'
LOG_FILE_FIREWALL
LOG_FILE_INFECTIONS
check_compatible() -> None

Perform a compatibility check with the target.

This function should return None if the plugin is compatible with the current target (self.target). For example, check if a certain file exists. Otherwise it should raise an UnsupportedPluginError.

Raises:

UnsupportedPluginError – If the plugin could not be loaded.

wflogs() -> Iterator[TrendMicroWFLogRecord]

Return Trend Micro Worry-free log history records.

Yields TrendMicroWFLogRecord with the following fields:

  • hostname (string): The target hostname.

  • domain (string): The target domain.

  • ts (datetime): Timestamp of the log entry.

  • threat (string): Description of the detected threat.

  • path (string): Path to the file associated with the threat.

  • filename (string): Name of the file associated with the threat.

  • lineno (uint16): Line number in the log file, kept as a reference for further investigation.

wffirewall() -> Iterator[TrendMicroWFFirewallRecord]

Return Trend Micro Worry-free firewall log history records.

Yields TrendMicroWFFirewallRecord with the following fields:

  • hostname (string): The target hostname.

  • domain (string): The target domain.

  • ts (datetime): Timestamp of the log entry.

  • local_ip (net.ipaddress): Local IPv4/IPv6 address.

  • remote_ip (net.ipaddress): Remote IPv4/IPv6 address.

  • port (uint16): Port of the suspicious connection.

  • direction (string): Direction of the traffic.

  • path (string): Path to the object that initiated or received the connection.

  • description (string): Description of the detected threat.
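The firewall_entry layout declared in pfwlog_def above, parsed with only the standard library, as an added example; this is not the plugin's own code (which parses the same struct through dissect.cstruct). Little-endian byte order, an epoch-second timestamp, UTF-8 char[] strings and UTF-16LE wchar[] strings are assumptions, and the sample log bytes are constructed.

```python
import struct
from datetime import datetime, timezone

# Same field order and widths as pfwlog_def; '<' = little-endian, unpadded (assumption).
# x = pad byte, c = char, H = uint16, I = uint32, Ns = N raw bytes (wchar[128] = 256 bytes).
FIREWALL_ENTRY = struct.Struct("<x c H I 8x 65s 65s 520s 256s 10x")
ENTRY_SIZE = FIREWALL_ENTRY.size  # 932 bytes per record

def _cstr(raw: bytes) -> str:
    """Decode a fixed-width NUL-terminated char[] field (UTF-8 assumed)."""
    return raw.split(b"\x00", 1)[0].decode("utf-8", errors="replace")

def _wstr(raw: bytes) -> str:
    """Decode a fixed-width wchar[] field as UTF-16LE, stopping at the first NUL."""
    return raw.decode("utf-16-le", errors="replace").split("\x00", 1)[0]

def parse_firewall_entry(buf: bytes, offset: int = 0) -> dict:
    """Parse one firewall_entry at offset into a dict shaped like the wffirewall record."""
    direction, port, ts, local_ip, remote_ip, path, desc = FIREWALL_ENTRY.unpack_from(buf, offset)
    return {
        "ts": datetime.fromtimestamp(ts, tz=timezone.utc),  # epoch seconds assumed
        "direction": direction.decode("ascii", errors="replace"),  # raw flag; values not defined here
        "port": port,
        "local_ip": _cstr(local_ip),
        "remote_ip": _cstr(remote_ip),
        "path": _cstr(path),
        "description": _wstr(desc),
    }

def iter_firewall_entries(data: bytes):
    """Yield every complete record in a pfwlog buffer; a truncated tail is skipped, not parsed."""
    for offset in range(0, len(data) - ENTRY_SIZE + 1, ENTRY_SIZE):
        yield parse_firewall_entry(data, offset)

def build_firewall_entry(direction: str, port: int, ts: int, local_ip: str,
                         remote_ip: str, path: str, description: str) -> bytes:
    """Pack a record in the same layout; used here only to construct sample input."""
    return FIREWALL_ENTRY.pack(direction.encode("ascii"), port, ts, local_ip.encode(),
                               remote_ip.encode(), path.encode(), description.encode("utf-16-le"))

# Constructed sample log: two records followed by a truncated third that must be ignored.
SAMPLE_LOG = (
    build_firewall_entry("I", 445, 1700000000, "10.0.0.5", "10.0.0.9",
                         r"C:\Windows\System32\svchost.exe", "constructed sample one")
    + build_firewall_entry("O", 8080, 1700000060, "fe80::1", "2001:db8::10",
                           r"C:\Users\Public\tool.exe", "constructed sample two")
    + b"\x00" * 100
)
```

Iterating with `iter_firewall_entries(SAMPLE_LOG)` yields the two complete records and drops the 100-byte remainder, which is the behaviour a forensic parser wants on a log that was truncated mid-write.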