:py:mod:`dissect.target.plugins.apps.av.trendmicro`
===================================================

.. py:module:: dissect.target.plugins.apps.av.trendmicro


Module Contents
---------------

Classes
~~~~~~~

.. autoapisummary::

   dissect.target.plugins.apps.av.trendmicro.TrendMicroPlugin


Attributes
~~~~~~~~~~

.. autoapisummary::

   dissect.target.plugins.apps.av.trendmicro.TrendMicroWFLogRecord
   dissect.target.plugins.apps.av.trendmicro.TrendMicroWFFirewallRecord
   dissect.target.plugins.apps.av.trendmicro.pfwlog_def
   dissect.target.plugins.apps.av.trendmicro.c_pfwlog


.. py:data:: TrendMicroWFLogRecord

.. py:data:: TrendMicroWFFirewallRecord

.. py:data:: pfwlog_def
   :value: Multiline-String

   .. code-block:: python

      """
      struct firewall_entry {
          char    _pad1[1];
          char    direction;
          uint16  port;
          uint32  timestamp;
          char    _pad2[8];
          char    local_ip[65];
          char    remote_ip[65];
          char    path[520];
          wchar   description[128];
          char    _pad3[10];
      };
      """

.. py:data:: c_pfwlog

.. py:class:: TrendMicroPlugin(target: dissect.target.Target)

   Bases: :py:obj:`dissect.target.plugin.Plugin`

   Base class for plugins.

   Plugins can optionally be namespaced by specifying the ``__namespace__`` class attribute.
   Namespacing results in your plugin needing to be prefixed with this namespace when being called.
   For example, if your plugin has specified ``test`` as namespace and a function called ``example``,
   you must call your plugin with ``test.example``.

   A ``Plugin`` class has the following private class attributes:

   - ``__namespace__``
   - ``__record_descriptors__``

   With the following three being assigned in :func:`register`:

   - ``__plugin__``
   - ``__functions__``
   - ``__exports__``

   Additionally, the methods and attributes of :class:`Plugin` receive more private attributes by using decorators.

   The :func:`export` decorator adds the following private attributes:

   - ``__exported__``
   - ``__output__``: Set with the :func:`export` decorator.
   - ``__record__``: Set with the :func:`export` decorator.

   The :func:`internal` decorator and :class:`InternalPlugin` set the ``__internal__`` attribute.
   Finally, the :func:`args` decorator sets the ``__args__`` attribute.

   :param target: The :class:`~dissect.target.target.Target` object to load the plugin for.

   .. py:attribute:: __namespace__
      :value: 'trendmicro'

   .. py:attribute:: LOG_FOLDER
      :value: 'sysvol/Program Files (x86)/Trend Micro/Security Agent'

   .. py:attribute:: LOG_FILE_FIREWALL

   .. py:attribute:: LOG_FILE_INFECTIONS

   .. py:method:: check_compatible() -> None

      Perform a compatibility check with the target.

      This function should return ``None`` if the plugin is compatible with the current target (``self.target``).
      For example, check if a certain file exists.
      Otherwise it should raise an ``UnsupportedPluginError``.

      :raises UnsupportedPluginError: If the plugin could not be loaded.

   .. py:method:: wflogs() -> Iterator[TrendMicroWFLogRecord]

      Return Trend Micro Worry-Free log history records.

      Yields ``TrendMicroWFLogRecord`` with the following fields:

      - hostname (string): The target hostname.
      - domain (string): The target domain.
      - ts (datetime): Timestamp of the detection.
      - threat (string): Description of the detected threat.
      - path (string): Path to the file that is associated with the threat.
      - filename (string): Name of the file that is associated with the threat.
      - lineno (uint16): Line number in the source log, for reference during further investigation.

   .. py:method:: wffirewall() -> Iterator[TrendMicroWFFirewallRecord]

      Return Trend Micro Worry-Free firewall log history records.

      Yields ``TrendMicroWFFirewallRecord`` with the following fields:

      - hostname (string): The target hostname.
      - domain (string): The target domain.
      - ts (datetime): Timestamp of the firewall event.
      - local_ip (net.ipaddress): Local IPv4/IPv6 address.
      - remote_ip (net.ipaddress): Remote IPv4/IPv6 address.
      - port (uint16): Port of the suspicious connection.
      - direction (string): Direction of the traffic.
      - path (string): Path to the object that initiated or received the connection.
      - description (string): Description of the detected threat.
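The ``pfwlog_def`` struct above and the ``wffirewall()`` field list describe the same fixed-size firewall record from two sides. The following is an added, stand-alone parser for that layout, written for this page and not part of dissect.target; it uses the standard ``struct`` module instead of ``dissect.cstruct`` so it runs without the project installed. It assumes little-endian integers, 2-byte ``wchar`` (UTF-16-LE) and a Unix-epoch ``timestamp``, which is how ``dissect.cstruct`` would read the definition by default; the ``char`` encodings, the ``direction`` code values and the sample records are constructed assumptions, not documented on this page. It also reports trailing bytes that do not form a complete record, which is how a truncated or still-open log shows up when carving it from an image.

```python
import struct
from datetime import datetime, timezone
from typing import NamedTuple

# Assumed wire layout of one pfwlog ``firewall_entry`` (little-endian, 2-byte
# wchar, as dissect.cstruct would read the page's struct definition):
#   1 pad | 1 direction | 2 port | 4 timestamp | 8 pad | 65 local_ip |
#   65 remote_ip | 520 path | 256 description (128 wchar) | 10 pad = 932 bytes
FIREWALL_ENTRY = struct.Struct("<xcHI8x65s65s520s256s10x")
ENTRY_SIZE = FIREWALL_ENTRY.size  # 932


class FirewallEntry(NamedTuple):
    ts: datetime
    direction: str  # raw one-character code; the page does not document its values
    port: int
    local_ip: str
    remote_ip: str
    path: str
    description: str


def _cstr(buf: bytes) -> str:
    """Decode a NUL-terminated char[] field (encoding assumed UTF-8/ASCII)."""
    return buf.split(b"\x00", 1)[0].decode("utf-8", errors="replace")


def _wstr(buf: bytes) -> str:
    """Decode a NUL-terminated wchar[] field (assumed UTF-16-LE)."""
    return buf.decode("utf-16-le", errors="replace").split("\x00", 1)[0]


def parse_entry(raw: bytes) -> FirewallEntry:
    """Parse exactly one 932-byte record into a FirewallEntry."""
    if len(raw) != ENTRY_SIZE:
        raise ValueError(f"expected {ENTRY_SIZE} bytes, got {len(raw)}")
    direction, port, timestamp, local_ip, remote_ip, path, desc = FIREWALL_ENTRY.unpack(raw)
    return FirewallEntry(
        ts=datetime.fromtimestamp(timestamp, tz=timezone.utc),  # assumed epoch seconds
        direction=direction.decode("ascii", errors="replace"),
        port=port,
        local_ip=_cstr(local_ip),
        remote_ip=_cstr(remote_ip),
        path=_cstr(path),
        description=_wstr(desc),
    )


def parse_log(data: bytes) -> tuple[list[FirewallEntry], int]:
    """Walk a whole pfwlog buffer.

    Returns the complete records and the number of trailing bytes that did not
    form a full record, so a truncated last entry is reported rather than lost.
    """
    entries = []
    offset = 0
    while offset + ENTRY_SIZE <= len(data):
        entries.append(parse_entry(data[offset:offset + ENTRY_SIZE]))
        offset += ENTRY_SIZE
    return entries, len(data) - offset


def build_entry(direction: str, port: int, timestamp: int, local_ip: str,
                remote_ip: str, path: str, description: str) -> bytes:
    """Pack a record in the same layout; used here only to construct sample input."""
    return FIREWALL_ENTRY.pack(
        direction.encode("ascii"), port, timestamp,
        local_ip.encode("utf-8"), remote_ip.encode("utf-8"), path.encode("utf-8"),
        description.encode("utf-16-le"),
    )


# Constructed sample log with two records; not data from a real Trend Micro host.
SAMPLE_LOG = (
    build_entry("I", 445, 1700000000, "10.0.0.5", "192.0.2.7",
                "C:\\Windows\\System32\\svchost.exe", "Inbound SMB blocked")
    + build_entry("O", 8080, 1700003600, "10.0.0.5", "198.51.100.9",
                  "C:\\Users\\alice\\Downloads\\tool.exe", "Outbound connection blocked")
)


if __name__ == "__main__":
    records, leftover = parse_log(SAMPLE_LOG)
    for rec in records:
        print(rec.ts.isoformat(), rec.direction, rec.local_ip, "->", rec.remote_ip,
              rec.port, rec.path, rec.description)
    print("truncated trailing bytes:", leftover)
```

Because every record is exactly ``ENTRY_SIZE`` bytes, the walk is a plain stride over the buffer; the plugin's own ``wffirewall()`` additionally attaches ``hostname`` and ``domain`` from the target, which a stand-alone parser does not have.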