File: //opt/microsoft/omsagent/plugin/collectmcafeeinfo.rb
require "rexml/document"
require "cgi"
require 'digest'
require 'json'
require 'date'
require 'time'
require 'logger'
require_relative 'antimalwarecommon'
class McAfee
def self.detect()
begin
if !File.file?('/opt/isec/ens/threatprevention/bin/isecav')
return false
end
detectioncmd = `/opt/isec/ens/threatprevention/bin/isecav --version 2>&1`.lines.map(&:chomp)
if !$?.success? || detectioncmd.nil? || detectioncmd.empty?
return false
else
mcafeeName = detectioncmd[0]
mcafeeVersion = detectioncmd[1].split(" : ")[1]
if mcafeeName != "McAfee Endpoint Security for Linux Threat Prevention"
return false
elsif mcafeeVersion.split(".")[0].to_i < 10
return false
end
end
return true
rescue => e
return false
end
end
def self.getprotectionstatus()
ret = {}
mcafeeName = "McAfee Endpoint Security for Linux Threat Prevention"
mcafeeVersion = "NA"
datVersion = "NA"
datTime = "NA"
engineVersion = "NA"
quickscan = "NA"
fullscan = "NA"
datengupdate = "NA"
onaccessscan = "NA"
gti = "NA"
accessprotection = "NA"
scandate = ""
protectionStatusDetails = ""
protectionStatusDetailsString = ""
protectionStatusDetailsArray = []
fullscanoutofdate = false
quickscanoutofdate = false
error = ""
($ProtectionStatusRank, $ProtectionStatus) = AntimalwareCommon::UnknownProtectionCode
($ThreatStatusRank, $ThreatStatus) = AntimalwareCommon::UnknownThreatCode
begin
detectioncmd = `/opt/isec/ens/threatprevention/bin/isecav --version 2>&1`.lines.map(&:chomp)
if !$?.success? || detectioncmd.nil? || detectioncmd.empty?
error += "Fail to get mcafee version info; "
else
mcafeeVersion = detectioncmd[1].split(" : ")[1]
datVersion = detectioncmd[3].split(" : ")[1]
datTime = detectioncmd[4].split(" : ")[1]
engineVersion = detectioncmd[5].split(" : ")[1]
end
taskcmd = `LANG=en_US.UTF-8 /opt/isec/ens/threatprevention/bin/isecav --listtask 2>&1`.lines.map(&:chomp)
if !$?.success? || taskcmd.nil? || taskcmd.empty?
error += "fail to run listtask cmd; "
else
$i = 3
$len = taskcmd.length
while $i < $len-1 do
if taskcmd[$i].include? "quick scan"
if taskcmd[$i].include? "Not Applicable"
quickscan = "NA"
else
quickscanarray = taskcmd[$i].split(" ")
quickscanStatus = 'NA'
quickscan, quickscanStatus = parseMcAfeeDateTime(quickscanarray)
if quickscan == "NA"
protectionStatusDetailsArray.push("Fail to parse quickscan date: " + taskcmd[$i])
end
if quickscanStatus != 'NA'
protectionStatusDetailsString += "Quick scan status: " + quickscanStatus + ". "
end
end
elsif taskcmd[$i].include? "full scan"
if taskcmd[$i].include? "Not Applicable"
fullscan = "NA"
else
fullscanarray = taskcmd[$i].split(" ")
fullscanStatus = 'NA'
fullscan, fullscanStatus = parseMcAfeeDateTime(fullscanarray)
if fullscan == "NA"
protectionStatusDetailsArray.push("Fail to parse fullscan date: " + taskcmd[$i])
end
if fullscanStatus != 'NA'
protectionStatusDetailsString += "Full scan status: " + fullscanStatus + ". "
end
end
elsif taskcmd[$i].include? "DAT and Engine Update"
if taskcmd[$i].include? "Not Applicable"
datengupdate = "NA"
else
datengupdatearray = taskcmd[$i].split(" ")
datengupdateStatus = 'NA'
datengupdate, datengupdateStatus = parseMcAfeeDateTime(datengupdatearray)
if datengupdate == "NA"
protectionStatusDetailsArray.push("Fail to parse DAT Engine update date: " + taskcmd[$i])
end
if datengupdateStatus != 'NA'
protectionStatusDetailsString += "DAT Engine update status: " + datengupdateStatus + ". "
end
end
end
$i +=1
end
end
oascmd = `/opt/isec/ens/threatprevention/bin/isecav --getoasconfig --summary 2>&1`.lines.map(&:chomp)
if !$?.success? || oascmd.nil? || oascmd.empty?
error += "fail to run getoasconfig cmd; "
else
if (oascmd[0].include? "On-Access Scan")
onaccessscan = oascmd[0].split(": ")[1].strip
end
if (oascmd[3].include? "GTI")
gti = oascmd[3].split(": ")[1].strip
end
end
apcmd = `/opt/isec/ens/threatprevention/bin/isecav --getapstatus 2>&1`.lines.map(&:chomp)
if !$?.success? || apcmd.nil? || apcmd.empty?
error += "fail to run getapstatus cmd; "
else
if (apcmd[0].include? "Access Protection")
accessprotection = apcmd[0].split(": ")[1].strip
end
end
if (datTime == "NA" && datengupdate == "NA" )
($ProtectionStatusRank, $ProtectionStatus) = AntimalwareCommon::NotReportingProtectionCode
protectionStatusDetailsArray.push("DAT and Engine update not found")
elsif (datTime == "NA" || (Time.strptime(datTime, "%d-%m-%Y") < (Time.now - 7*24*3600))) &&
(datengupdate == "NA" || datengupdate < (Time.now - 7*24*3600).utc)
($ProtectionStatusRank, $ProtectionStatus) = AntimalwareCommon::SignaturesOutOfDateProtectionCode
protectionStatusDetailsArray.push("DAT and Engine update are out of 7 days: " + datengupdate.to_s)
end
if (!fullscan.nil? && fullscan != "NA")
scandate = fullscan
if (fullscan < (Time.now - 7*24*3600).utc)
fullscanoutofdate = true
end
end
if (!quickscan.nil? && quickscan != "NA")
if (quickscan < (Time.now - 7*24*3600).utc)
quickscanoutofdate = true
end
if ((fullscanoutofdate && !quickscanoutofdate) || scandate == "")
scandate = quickscan
end
else
($ProtectionStatusRank, $ProtectionStatus) = AntimalwareCommon::ActionRequiredProtectionCode
protectionStatusDetailsArray.push("Full Scan and quick Scan are Not Applicable, please run an active scan")
end
if (fullscanoutofdate && quickscanoutofdate) ||
(fullscanoutofdate && (quickscan.nil? || quickscan == "NA")) ||
(quickscanoutofdate && (fullscan.nil? || fullscan == "NA"))
($ProtectionStatusRank, $ProtectionStatus) = AntimalwareCommon::ActionRequiredProtectionCode
protectionStatusDetailsArray.push("Both quick scan and full scan are out of 7 days, please run an active scan")
end
if (onaccessscan == "NA")
($ProtectionStatusRank, $ProtectionStatus) = AntimalwareCommon::NotReportingProtectionCode
protectionStatusDetailsArray.push("On access scan status not found: " + onaccessscan)
elsif (!onaccessscan.downcase.include? "enabled")
($ProtectionStatusRank, $ProtectionStatus) = AntimalwareCommon::NoRealTimeProtectionProtectionCode
protectionStatusDetailsArray.push("On access scan is not enabled: " + onaccessscan)
else
protectionStatusDetailsString += "On access scan status: " + onaccessscan + ". "
end
if (gti != "NA")
protectionStatusDetailsString += "GIT status: " + gti + ". "
end
if (accessprotection != "NA")
protectionStatusDetailsString += "Access Protection status: " + accessprotection + ". "
end
if (datengupdate != "NA")
protectionStatusDetailsString += "DAT and Engine update Time: " + datengupdate.to_s + ". "
elsif(datTime != "NA")
protectionStatusDetailsString += "DAT and Engine update Time: " + datTime.to_s + ". "
end
if protectionStatusDetailsArray.length == 0
($ProtectionStatusRank, $ProtectionStatus) = AntimalwareCommon::RealTimeProtectionCode
protectionStatusDetailsString += "McAfee is running healthy."
protectionStatusDetails = protectionStatusDetailsString
else
protectionStatusDetails = protectionStatusDetailsArray.join('; ')
end
rescue => e
error += "Getting exception when trying to find mcafee health info: " + e.message + " " + e.backtrace.inspect
ret["Error"] = error
end
if(scandate != "")
scanarray = scandate.to_s.split(" ")
if (scanarray.length >= 3)
scandate = scanarray[0] + " " + scanarray[1]
end
end
ret["ProtectionStatusRank"] = $ProtectionStatusRank
ret["ProtectionStatus"] = $ProtectionStatus
ret["ProtectionStatusDetails"] = protectionStatusDetails
ret["DetectionId"] = SecureRandom.uuid
ret["Threat"] = ""
ret["ThreatStatusRank"] = $ThreatStatusRank
ret["ThreatStatus"] = $ThreatStatus
ret["ThreatStatusDetails"] = "Threat Status is currently not supported in Linux McAfee"
ret["Signature"] = (datVersion.nil? || datVersion.empty? || datVersion == "NA")? "Signature version not found" : datVersion
ret["ScanDate"] = scandate
ret["DateCollected"] = DateTime.now.strftime("%m/%d/%Y %H:%M")
ret["Tool"] = mcafeeName
ret["AMProductVersion"] = (mcafeeVersion.nil? || mcafeeVersion.empty? || mcafeeVersion == "NA")? "McAfee version not found" : mcafeeVersion
return ret
end
def self.parseMcAfeeDateTime(datearray)
$l = datearray.length
scandate = 'NA'
scanstatus = 'NA'
if $l >= 4
if(!datearray[$l-3].include? "AM") && (!datearray[$l-3].include? "PM")
scandate = datearray[$l-4] + " " + datearray[$l-3] + " " + datearray[$l-2]
scandate = Time.strptime(scandate, '%d/%m/%y %H:%M:%S %Z')
elsif $l >= 8
scandate = datearray[$l-7] + " " + datearray[$l-6] + " " + datearray[$l-5] + " " + datearray[$l-4] + " " + datearray[$l-3] + " " + datearray[$l-2]
scandate = Time.strptime(scandate, '%d %b %Y %I:%M:%S %p %Z')
end
if $l >= 5 && (!datearray[4].include? "Not")
scanstatus = datearray[4]
end
if $l >= 10 && (datearray[4].include? "task") && (!datearray[9].include? "Not")
scanstatus = datearray[9]
end
end
return scandate, scanstatus
end
end