
Commit d0399db

authored
Merge pull request #9086 from wazuh/bug/9072-incorrect-indentation-in-remove-threat.py-4.7
Fix line indentation in PoC script 4.7
2 parents 4106fb3 + a839f5b commit d0399db

1 file changed

+31
-31
lines changed

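--- a/source/proof-of-concept-guide/detect-remove-malware-virustotal.rst
+++ b/source/proof-of-concept-guide/detect-remove-malware-virustotal.rst
@@ -252,84 +252,84 @@ Perform the following steps to configure Wazuh to monitor near real-time changes
 
 # Copyright (C) 2015-2025, Wazuh Inc.
 # All rights reserved.
-
+
 import os
 import sys
 import json
 import datetime
 import stat
 import tempfile
 import pathlib
-
+
 if os.name == 'nt':
 LOG_FILE = "C:\\Program Files (x86)\\ossec-agent\\active-response\\active-responses.log"
 else:
 LOG_FILE = "/var/ossec/logs/active-responses.log"
-
+
 ADD_COMMAND = 0
 DELETE_COMMAND = 1
 CONTINUE_COMMAND = 2
 ABORT_COMMAND = 3
-
+
 OS_SUCCESS = 0
 OS_INVALID = -1
-
+
 class message:
 def __init__(self):
 self.alert = ""
 self.command = 0
-
+
 def write_debug_file(ar_name, msg):
 with open(LOG_FILE, mode="a") as log_file:
 log_file.write(str(datetime.datetime.now().strftime('%Y/%m/%d %H:%M:%S')) + " " + ar_name + ": " + msg +"\n")
-
+
 def setup_and_check_message(argv):
 input_str = ""
 for line in sys.stdin:
 input_str = line
 break
-
+
 msg_obj = message()
 try:
 data = json.loads(input_str)
 except ValueError:
 write_debug_file(argv[0], 'Decoding JSON has failed, invalid input format')
 msg_obj.command = OS_INVALID
 return msg_obj
-
+
 msg_obj.alert = data
 command = data.get("command")
-
+
 if command == "add":
 msg_obj.command = ADD_COMMAND
 elif command == "delete":
 msg_obj.command = DELETE_COMMAND
 else:
 msg_obj.command = OS_INVALID
 write_debug_file(argv[0], 'Not valid command: ' + command)
-
+
 return msg_obj
-
+
 def send_keys_and_check_message(argv, keys):
 keys_msg = json.dumps({"version": 1,"origin":{"name": argv[0],"module":"active-response"},"command":"check_keys","parameters":{"keys":keys}})
 write_debug_file(argv[0], keys_msg)
-
+
 print(keys_msg)
 sys.stdout.flush()
-
+
 input_str = ""
 while True:
 line = sys.stdin.readline()
 if line:
 input_str = line
 break
-
+
 try:
 data = json.loads(input_str)
 except ValueError:
 write_debug_file(argv[0], 'Decoding JSON has failed, invalid input format')
 return OS_INVALID
-
+
 action = data.get("command")
 if action == "continue":
 return CONTINUE_COMMAND
@@ -338,51 +338,51 @@ Perform the following steps to configure Wazuh to monitor near real-time changes
 else:
 write_debug_file(argv[0], "Invalid value of 'command'")
 return OS_INVALID
-
+
 def secure_delete_file(filepath_str, ar_name):
 filepath = pathlib.Path(filepath_str)
-
+
 # Reject NTFS alternate data streams
 if '::' in filepath_str:
 raise Exception(f"Refusing to delete ADS or NTFS stream: {filepath_str}")
-
+
 # Reject symbolic links and reparse points
 if os.path.islink(filepath):
 raise Exception(f"Refusing to delete symbolic link: {filepath}")
-
+
 attrs = os.lstat(filepath).st_file_attributes
 if attrs & stat.FILE_ATTRIBUTE_REPARSE_POINT:
 raise Exception(f"Refusing to delete reparse point: {filepath}")
-
+
 resolved_filepath = filepath.resolve()
-
+
 # Ensure it's a regular file
 if not resolved_filepath.is_file():
 raise Exception(f"Target is not a regular file: {resolved_filepath}")
-
+
 # Perform deletion
 os.remove(resolved_filepath)
-
+
 def main(argv):
 write_debug_file(argv[0], "Started")
 msg = setup_and_check_message(argv)
-
+
 if msg.command < 0:
 sys.exit(OS_INVALID)
-
+
 if msg.command == ADD_COMMAND:
 alert = msg.alert["parameters"]["alert"]
 keys = [alert["rule"]["id"]]
 action = send_keys_and_check_message(argv, keys)
-
+
 if action != CONTINUE_COMMAND:
 if action == ABORT_COMMAND:
 write_debug_file(argv[0], "Aborted")
 sys.exit(OS_SUCCESS)
 else:
 write_debug_file(argv[0], "Invalid command")
 sys.exit(OS_INVALID)
-
+
 try:
 file_path = alert["data"]["virustotal"]["source"]["file"]
 if os.path.exists(file_path):
@@ -392,14 +392,14 @@ Perform the following steps to configure Wazuh to monitor near real-time changes
 write_debug_file(argv[0], f"File does not exist: {file_path}")
 except OSError as error:
 write_debug_file(argv[0], json.dumps(msg.alert) + "Error removing threat")
-except Exception as e:
+except Exception as e:
 write_debug_file(argv[0], f"{json.dumps(msg.alert)}: Error removing threat: {str(e)}")
 else:
 write_debug_file(argv[0], "Invalid command")
-
+
 write_debug_file(argv[0], "Ended")
 sys.exit(OS_SUCCESS)
-
+
 if __name__ == "__main__":
 main(sys.argv)
 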
