all files / src/controllers/ content-inspection-evaluation.js

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
 
 
2×
2×
 
 
2×
 
2×
464×
 
 
 
464×
464×
 
396×
 
 
68×
 
 
2×
50×
 
50×
14×
 
 
36×
36×
10×
 
 
36×
36×
36×
56×
32×
32×
 
 
36×
36×
 
 
2×
464×
464×
 
 
 
464×
 
464×
 
 
 
464×
1848×
1848×
 
464×
 
 
1384×
 
56×
 
1384×
 
 
464×
 
 
2×
 
36×
36×
 
 
 
 
 
36×
36×
36×
5×
 
5×
 
5×
5×
 
5×
 
 
 
5×
5×
 
5×
 
 
 
 
3×
 
 
5×
 
 
36×
 
 
'use strict';
 
const _ = require('lodash');
const logger = require(__dirname + '/../loggers/logger');
 
//export namespace as `contentInspectionEvaluation`
const contentInspectionEvaluation = exports;
 
let isVTEnabled = function(policy, globalVTEnabled) {
   Iif (!policy.content || !globalVTEnabled) {
      return false;
   }
 
   let cNode = policy.content;
   if ((!cNode.documentAv || !cNode.documentAv.enabled) &&
       (!cNode.fileAv || !cNode.fileAv.enabled)) {
      return false;
   }
 
   return true;
};
 
contentInspectionEvaluation.isActiveException = function(rule, enabledModules) {
   let rNode = rule.rule;
 
   if (!rNode.modules || _.isEmpty(rNode.modules)) {
      return true;
   }
 
   let checkModules = rNode.modules;
   if (rNode.modules[0] === 'All') {
      checkModules = _.keys(enabledModules);
   }
 
   let result = false;
   let validModules = [];
   _.forEach(checkModules, function(module) {
      if (enabledModules[module]) {
         result = true;
         validModules.push(module);
      }
   });
   rule.rule.modules = validModules;
   return result;
};
 
contentInspectionEvaluation.getModules = function(policy, globalVTEnabled) {
   let modules = {};
   Iif (!policy) {
      return modules;
   }
 
   modules.hash = isVTEnabled(policy, globalVTEnabled);
 
   Iif (!policy.contentInspection) {
      return modules;
   }
 
   _.forEach(policy.contentInspection.order, function(module) {
      let isEnabled = false;
      if (module === 'hash') {
         // Special case not contained in content inspection policy
         return; //continue iteration
      }
 
      if (policy.contentInspection[module] &&
          policy.contentInspection[module].enabled) {
         isEnabled = true;
      }
      modules[module] = isEnabled;
   });
 
   return modules;
};
 
contentInspectionEvaluation.evaluateHashException = function(eNode, analyticsData,
   result) {
      let ruleNode = eNode.rule;
      Iif (!ruleNode.fileHashes || _.isEmpty(ruleNode.fileHashes)) {
         logger.warn('msg="Invalid content inspection exception rule"' +
            ' tid=' + analyticsData.tid + ' eNode=' + JSON.stringify(eNode));
         return false;
      }
 
      let isMatch = false;
      _.forEach(ruleNode.fileHashes, function(hash) {
         if (hash === analyticsData.sha256) {
            isMatch = true;
            // skip AV if mark as infected or mark as clean
            result.skipAV = ruleNode.action === 'inspect' ? false : true;
            // treat inspect as allow for icap purposes
            result.action = ruleNode.action === 'inspect' ? 'allow' : ruleNode.action;
            result.modules = ruleNode.modules || [];
 
            Iif (!result.skipVT) {
               result.skipVT = !_.contains(result.modules, 'hash');
            }
 
            result.is_hash_match = true;
            result.download_original = result.action;
 
            if (result.action === 'block') {
               // Mark the scan result as 'ExceptionBlock' which will be picked up in
               // avLogHandler and an 'Infected' message logged to druid/kafka
               // If result was 'allow' the log is already correct, but if we wanted
               // to change that in the future we should add 'ExceptionAllow'
               analyticsData.av_scan_result = 'ExceptionBlock';
            }
 
            return false; //stop iteration
         }
      });
      return isMatch;
};