'use strict';
const _ = require('lodash');
const logger = require(__dirname + '/../loggers/logger');
// Export namespace: every public function in this module is attached to
// `exports` through the `contentInspectionEvaluation` alias below.
const contentInspectionEvaluation = exports;
/**
 * Decide whether the `hash` module (VT) applies to a policy.
 *
 * The lookup is only available when it is switched on globally AND the
 * policy's `content` node enables at least one of its AV engines
 * (`documentAv` or `fileAv`).
 *
 * @param {Object} policy - Policy document; only `policy.content` is read.
 * @param {boolean} globalVTEnabled - Global kill switch for the hash module.
 * @returns {boolean} true when the module should run for this policy.
 */
let isVTEnabled = function(policy, globalVTEnabled) {
  // Same test order as before: `policy.content` is read first on purpose.
  if (!policy.content || !globalVTEnabled) {
    return false;
  }
  const { documentAv, fileAv } = policy.content;
  const documentAvOn = Boolean(documentAv && documentAv.enabled);
  const fileAvOn = Boolean(fileAv && fileAv.enabled);
  return documentAvOn || fileAvOn;
};
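/**
 * Report whether an exception rule is active for the currently enabled
 * content-inspection modules, narrowing the rule's module list as a side
 * effect.
 *
 * @param {Object} rule - Exception wrapper; `rule.rule.modules` is the list of
 *   module names the rule is restricted to. A missing or empty list makes the
 *   rule unconditionally active; the literal `['All']` expands to every key of
 *   `enabledModules`.
 * @param {Object} enabledModules - Map of module name -> boolean, as built by
 *   `getModules`.
 * @returns {boolean} true when the rule has no module restriction, or when at
 *   least one of its requested modules is enabled.
 *
 * Side effect: when a restriction is present, `rule.rule.modules` is replaced
 * by the subset of requested modules that are actually enabled (possibly
 * empty).
 */
contentInspectionEvaluation.isActiveException = function(rule, enabledModules) {
  const rNode = rule.rule;
  if (!rNode.modules || _.isEmpty(rNode.modules)) {
    return true;
  }
  const requested = rNode.modules[0] === 'All' ? _.keys(enabledModules) : rNode.modules;
  // Only own, truthy entries count. A bare `enabledModules[module]` lookup
  // resolves names such as 'constructor' or 'toString' through
  // Object.prototype and would report an unknown module as enabled.
  const validModules = _.filter(requested, function(module) {
    return _.has(enabledModules, module) && Boolean(enabledModules[module]);
  });
  rNode.modules = validModules;
  return validModules.length > 0;
};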
/**
 * Build the map of content-inspection modules enabled by a policy.
 *
 * @param {Object} policy - Policy document. `policy.contentInspection.order`
 *   lists the module names to consider and `policy.contentInspection[name]`
 *   carries each module's `enabled` flag.
 * @param {boolean} globalVTEnabled - Global switch passed through to
 *   `isVTEnabled` for the `hash` entry.
 * @returns {Object} Map of module name -> boolean. Empty when `policy` is
 *   falsy; only `hash` is present when `policy.contentInspection` is missing.
 */
contentInspectionEvaluation.getModules = function(policy, globalVTEnabled) {
  const modules = {};
  if (!policy) {
    return modules;
  }
  // 'hash' is derived from policy.content, not from policy.contentInspection.
  modules.hash = isVTEnabled(policy, globalVTEnabled);
  const inspection = policy.contentInspection;
  if (!inspection) {
    return modules;
  }
  _.forEach(inspection.order, function(name) {
    if (name === 'hash') {
      return; // already handled above; keep iterating
    }
    const entry = inspection[name];
    modules[name] = Boolean(entry && entry.enabled);
  });
  return modules;
};
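/**
 * Apply a file-hash exception rule to a scan result.
 *
 * @param {Object} eNode - Exception node. `eNode.rule.fileHashes` lists the
 *   hashes the rule covers, `eNode.rule.action` is the verdict on a match
 *   ('inspect', 'allow', 'block', ...) and `eNode.rule.modules` optionally
 *   restricts the modules the exception applies to.
 * @param {Object} analyticsData - Per-request record: `sha256` is compared
 *   against the rule's hashes, `tid` is logged, and `av_scan_result` is set
 *   to 'ExceptionBlock' on a blocking match.
 * @param {Object} result - Mutated on match: `skipAV`, `action`, `modules`,
 *   `skipVT`, `is_hash_match` and `download_original` are written.
 * @returns {boolean} true when `analyticsData.sha256` is one of the rule's
 *   hashes; false otherwise, including for a rule without hashes (which is
 *   logged as a warning).
 */
contentInspectionEvaluation.evaluateHashException = function(eNode, analyticsData,
  result) {
  const ruleNode = eNode.rule;
  if (!ruleNode.fileHashes || _.isEmpty(ruleNode.fileHashes)) {
    logger.warn(`msg="Invalid content inspection exception rule" tid=${analyticsData.tid} eNode=${JSON.stringify(eNode)}`);
    return false;
  }
  // Exact string comparison: assumes the configured hashes use the same hex
  // case as analyticsData.sha256 — TODO confirm upstream.
  const isMatch = _.some(ruleNode.fileHashes, function(hash) {
    return hash === analyticsData.sha256;
  });
  if (!isMatch) {
    return false;
  }
  const { action } = ruleNode;
  // 'inspect' is the only action that still runs AV; any other verdict
  // (mark as infected / mark as clean) skips it.
  result.skipAV = action !== 'inspect';
  // For ICAP purposes an 'inspect' verdict is reported as 'allow'.
  result.action = action === 'inspect' ? 'allow' : action;
  result.modules = ruleNode.modules || [];
  if (!result.skipVT) {
    // `_.includes` instead of `_.contains`: the latter is a lodash 3 alias
    // that lodash 4 removed, while `_.includes` exists in both.
    result.skipVT = !_.includes(result.modules, 'hash');
  }
  result.is_hash_match = true;
  result.download_original = result.action;
  if (result.action === 'block') {
    // Mark the scan result as 'ExceptionBlock' which will be picked up in
    // avLogHandler and an 'Infected' message logged to druid/kafka.
    // If result was 'allow' the log is already correct, but if we wanted
    // to change that in the future we should add 'ExceptionAllow'.
    analyticsData.av_scan_result = 'ExceptionBlock';
  }
  return true;
};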