dissect.target.plugins.apps.av.mcafee

Module Contents

Classes

McAfeePlugin

Base class for plugins.

Attributes

dissect.target.plugins.apps.av.mcafee.McAfeeMscLogRecord
dissect.target.plugins.apps.av.mcafee.McAfeeMscFirewallRecord
dissect.target.plugins.apps.av.mcafee.re_cdata
dissect.target.plugins.apps.av.mcafee.re_strip_tags
class dissect.target.plugins.apps.av.mcafee.McAfeePlugin(target: dissect.target.Target)

Bases: dissect.target.plugin.Plugin

Base class for plugins.

Plugins can optionally be namespaced by specifying the __namespace__ class attribute. Namespacing results in your plugin needing to be prefixed with this namespace when being called. For example, if your plugin has specified test as namespace and a function called example, you must call your plugin with test.example.

A Plugin class has the following private class attributes:

  • __namespace__

  • __record_descriptors__

With the following three being assigned in register():

  • __plugin__

  • __functions__

  • __exports__

Additionally, the methods and attributes of Plugin receive more private attributes by using decorators.

The export() decorator adds the following private attributes

  • __exported__

  • __output__: Set with the export() decorator.

  • __record__: Set with the export() decorator.

The internal() decorator and InternalPlugin set the __internal__ attribute. Finally, the args() decorator sets the __args__ attribute.

Parameters:

target – The Target object to load the plugin for.

__namespace__ = 'mcafee'
DIRS = ['sysvol/ProgramData/McAfee/MSC/Logs', '/opt/McAfee/ens/log/tp', '/opt/McAfee/ens/log/esp']
LOG_FILE_PATTERN = '*.log'
TEMPLATE_ID_INFECTION = 102
MARKER_INFECTION = '%INFECTION_INFO%'
MARKER_SUSPICIOUS_TCP_CONNECTION = 'TCP port '
MARKER_SUSPICIOUS_UDP_CONNECTION = 'UDP port '
TABLE_LOG = 'log'
TABLE_FIELD = 'field'
check_compatible() -> None

Perform a compatibility check with the target.

This function should return None if the plugin is compatible with the current target (self.target). For example, check if a certain file exists. Otherwise it should raise an UnsupportedPluginError.

Raises:

UnsupportedPluginError – If the plugin could not be loaded.

get_log_files() -> Iterator[pathlib.Path]
msc() -> Iterator[McAfeeMscLogRecord]

Return msc log history records from McAfee.

Yields McAfeeMscLogRecord with the following fields:

  • hostname (string): The target hostname.

  • domain (string): The target domain.

  • ts (datetime): Timestamp of the log entry.

  • ip (net.ipaddress): IP of the suspicious connection (if available).

  • tcp_port (net.tcp.Port): TCP port of the suspicious incoming connection (if available).

  • udp_port (net.udp.Port): UDP port of the suspicious incoming connection (if available).

  • threat (string): Description of the detected threat (if available).

  • message (string): Message as reported in the user interface (might include template slots).

  • keywords (string): Unparsed fields that might be visible in the user interface.

  • fkey (string): Foreign key for reference for further investigation.
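An added example, not code from dissect.target: a stand-alone parser over a constructed MSC-style XML fragment that applies the constants listed on this page (TABLE_LOG, TABLE_FIELD, TEMPLATE_ID_INFECTION, MARKER_INFECTION, the TCP/UDP port markers, and a CDATA/strip-tags regex pair standing in for re_cdata and re_strip_tags) to produce the fields msc() yields. The element layout, the "from <ip>" phrasing in the message, and the regex bodies are assumptions, not the real log format.

```python
import re
from datetime import datetime
# Constants as listed on this page; the XML layout of SAMPLE below is an assumption, not McAfee's real format.
TABLE_LOG, TABLE_FIELD = "log", "field"
TEMPLATE_ID_INFECTION = 102
MARKER_INFECTION = "%INFECTION_INFO%"
MARKER_SUSPICIOUS_TCP_CONNECTION, MARKER_SUSPICIOUS_UDP_CONNECTION = "TCP port ", "UDP port "
re_cdata = re.compile(r"<!\[CDATA\[(.*?)\]\]>", re.DOTALL)  # assumed shape of the page's re_cdata
re_strip_tags = re.compile(r"<[^>]+>")  # assumed shape of the page's re_strip_tags

# Constructed sample: one infection entry (template 102) whose threat name sits in a CDATA <field>
# row joined by fkey, and one firewall-style entry reporting a suspicious inbound TCP connection.
SAMPLE = """<root>
<log><fkey>1</fkey><date>2024-03-01T10:00:00Z</date><templateid>102</templateid>
<message>Threat found: %INFECTION_INFO%</message></log>
<field><fkey>1</fkey><name>INFECTION_INFO</name><value><![CDATA[<b>Trojan.Example</b>]]></value></field>
<log><fkey>2</fkey><date>2024-03-01T10:05:00Z</date><templateid>205</templateid>
<message>Blocked incoming connection on TCP port 445 from 10.0.0.7</message></log>
</root>"""

def _blocks(text, table):
    # All <table>...</table> bodies in document order (table is TABLE_LOG or TABLE_FIELD)
    return re.findall(rf"<{table}>(.*?)</{table}>", text, re.DOTALL)

def _tag(block, name):
    m = re.search(rf"<{name}>(.*?)</{name}>", block, re.DOTALL)
    return m.group(1) if m else None

def parse_msc(text):
    """One dict per <log> entry with the fields msc() yields (hostname/domain come from the target)."""
    fields = {}  # fkey -> {field name: cleaned value}; fkey is the join key between the two tables
    for blk in _blocks(text, TABLE_FIELD):
        raw = _tag(blk, "value") or ""
        cdata = re_cdata.search(raw)
        value = re_strip_tags.sub("", cdata.group(1) if cdata else raw).strip()
        fields.setdefault(_tag(blk, "fkey"), {})[_tag(blk, "name")] = value
    records = []
    for blk in _blocks(text, TABLE_LOG):
        fkey, message = _tag(blk, "fkey"), _tag(blk, "message") or ""
        rec = {"ts": datetime.fromisoformat(_tag(blk, "date").replace("Z", "+00:00")), "fkey": fkey,
               "ip": None, "tcp_port": None, "udp_port": None, "threat": None, "message": message,
               "keywords": "; ".join(f"{k}={v}" for k, v in fields.get(fkey, {}).items())}
        if int(_tag(blk, "templateid")) == TEMPLATE_ID_INFECTION and MARKER_INFECTION in message:
            rec["threat"] = fields.get(fkey, {}).get(MARKER_INFECTION.strip("%"))  # fill the template slot
        for marker, key in ((MARKER_SUSPICIOUS_TCP_CONNECTION, "tcp_port"), (MARKER_SUSPICIOUS_UDP_CONNECTION, "udp_port")):
            m = re.search(re.escape(marker) + r"(\d+)\s+from\s+(\S+)", message)
            if m:
                rec[key], rec["ip"] = int(m.group(1)), m.group(2)
        records.append(rec)
    return records
```

Records whose tcp_port or udp_port is set are the ones worth correlating with firewall and network telemetry; the threat field is only populated for the infection template.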