File: //opt/microsoft/omsagent/plugin/collectsophosinfo.rb
require "rexml/document"
require "cgi"
require 'digest'
require 'json'
require 'date'
require 'time'
require 'logger'
require_relative 'antimalwarecommon'
class Sophos
def self.detect()
begin
sophosPath = "/opt/sophos-av/bin/savdstatus"
if !File.file?('/opt/sophos-av/bin/savdstatus')
findSophosCmd = `readlink $(which savscan)`.lines.map(&:chomp)
if !$?.success? || findSophosCmd.nil? || findSophosCmd.empty?
return false
else
savscanPath = findSophosCmd[0].strip
sophosPathArray = savscanPath.split("/")
sophosPathArray[sophosPathArray.length-1] = "savdstatus"
sophosPath = sophosPathArray.join('/')
if !File.file?(sophosPath)
return false
end
end
end
detectioncmd = `#{sophosPath} --version 2>&1`.lines.map(&:chomp)
if !$?.success? || detectioncmd.nil? || detectioncmd.empty?
return false
else
sophosInfo = detectioncmd[1].split(" = ")
sophosName = sophosInfo[0].strip
sophosVersion = sophosInfo[1].strip
if sophosName != "Sophos Anti-Virus"
#puts "Sophos Name is not Sophos Anti-Virus"
return false
elsif sophosVersion.split(".")[0].to_i < 9
#puts "Sophos version is less than 9, please install latest Sophos"
return false
end
end
#puts "Sophos is detected on the machine at path " + sophosPath
return true
rescue => e
#puts "Getting exception when checking sophos is installed or not: " + e.message
return false
end
end
def self.getprotectionstatus()
ret = {}
sophosName = "Sophos Anti-Virus"
sophosVersion = "NA"
lastUpdate = "NA"
lastUpdateTime = "NA"
buildRevision = "NA"
threatDetectionEngine = "NA"
threatData = "NA"
threatCount = "NA"
threatDataRelease = "NA"
ondemandscan = "NA"
scheduledscan = "NA"
rmsstatus = "NA"
onaccessscan = "NA"
liveprotection = "NA"
scanDate = ""
protectionStatusDetails = ""
protectionStatusAlertArray = []
protectionStatusDetailsArray = []
error = ""
($ProtectionStatusRank, $ProtectionStatus) = AntimalwareCommon::UnknownProtectionCode
($ThreatStatusRank, $ThreatStatus) = AntimalwareCommon::UnknownThreatCode
begin
sophosPath = "/opt/sophos-av/bin/savdstatus"
#if !File.file?('/opt/sophos-av/bin/savdstatus')
#findSophosCmd = `find / -iname savdstatus | grep /bin/savdstatus 2>&1`.lines.map(&:chomp)
#if !$?.success? || findSophosCmd.nil? || findSophosCmd.empty?
#error += "Getting issue when trying to find custmized sophos path, Sophos not detected; "
#else
#sophosPath = findSophosCmd[0]
#end
#end
if !File.file?('/opt/sophos-av/bin/savdstatus')
findSophosCmd = `readlink $(which savscan)`.lines.map(&:chomp)
if !$?.success? || findSophosCmd.nil? || findSophosCmd.empty?
error += "Getting issue when trying to find custmized sophos path, Sophos not detected; "
else
savscanPath = findSophosCmd[0].strip
sophosPathArray = savscanPath.split("/")
sophosPathArray[sophosPathArray.length-1] = "savdstatus"
sophosPath = sophosPathArray.join('/')
end
end
detectioncmd = `LANG=en_US.UTF-8 #{sophosPath} --version 2>&1`.lines.map(&:chomp)
if !$?.success? || detectioncmd.nil? || detectioncmd.empty?
error += "Getting issue when running sophos version cmd; "
else
sophosInfo = detectioncmd[1].split(" = ")
sophosVersion = sophosInfo[1].strip
buildRevision = detectioncmd[2].split(" = ")[1].strip
threatDetectionEngine = detectioncmd[3].split(" = ")[1].strip
threatData = detectioncmd[4].split(" = ")[1].strip
threatCount = detectioncmd[5].split(" = ")[1].strip
threatDataRelease = detectioncmd[6].split(" = ")[1].split("UTC")[0].strip
lastUpdate = detectioncmd[7].split(" = ")[1].split("UTC")[0].strip
#250
#signature date
#threat release date
lastUpdate = Time.strptime(lastUpdate, '%a %d %b %Y %I:%M:%S %p')
threatDataRelease = Time.strptime(threatDataRelease, '%a %d %b %Y %I:%M:%S %p')
protectionStatusDetailsArray.push("buildRevision: " + buildRevision)
protectionStatusDetailsArray.push("threatData: " + threatData)
protectionStatusDetailsArray.push("threatCount: " + threatCount)
#puts "threatDataRelease " + threatDataRelease.to_s
if (!threatDataRelease.nil? && threatDataRelease != "NA")
#if (threatDataRelease < (Time.now - 30*24*3600).utc)
#($ProtectionStatusRank, $ProtectionStatus) = AntimalwareCommon::SignaturesOutOfDateProtectionCode
#protectionStatusAlertArray.push("Threat Data Release Update out of 30 days: " + threatDataRelease.to_s)
#else
protectionStatusDetailsArray.push("Threat Data Release Update: " + threatDataRelease.to_s)
#end
else
error += "threat Data Release not found; "
($ProtectionStatusRank, $ProtectionStatus) = AntimalwareCommon::SignaturesOutOfDateProtectionCode
protectionStatusAlertArray.push("Threat Data Release not found: " + threatDataRelease)
end
#puts "lastUpdate " + lastUpdate.to_s
if (!lastUpdate.nil? && lastUpdate != "NA")
if (lastUpdate < (Time.now - 7*24*3600).utc)
($ProtectionStatusRank, $ProtectionStatus) = AntimalwareCommon::SignaturesOutOfDateProtectionCode
protectionStatusAlertArray.push("Last Update out of 7 days: " + lastUpdate.to_s)
else
protectionStatusDetailsArray.push("Last Update within 7 days: " + lastUpdate.to_s)
end
else
error += "Last Update not found, running lastupdate cmd; "
lutcmd = `LANG=en_US.UTF-8 #{sophosPath} --lastupdate 2>&1`.lines.map(&:chomp)
if !$?.success? || lutcmd.nil? || lutcmd.empty?
error += "Fail to run last update time cmd; "
($ProtectionStatusRank, $ProtectionStatus) = AntimalwareCommon::SignaturesOutOfDateProtectionCode
protectionStatusAlertArray.push("Last Update not when running last update cmd: " + lastUpdateTime)
else
lastUpdateTime = lutcmd[0].split("UTC")[0].strip
if(lastUpdateTime == "NA") or (lastUpdateTime.include? "Never updated")
($ProtectionStatusRank, $ProtectionStatus) = AntimalwareCommon::SignaturesOutOfDateProtectionCode
protectionStatusAlertArray.push("Last Update not found: " + lastUpdateTime)
else
lastUpdateTime = Time.strptime(lastUpdateTime, '%a %d %b %Y %I:%M:%S %p')
if (lastUpdateTime < (Time.now - 7*24*3600).utc)
($ProtectionStatusRank, $ProtectionStatus) = AntimalwareCommon::SignaturesOutOfDateProtectionCode
protectionStatusAlertArray.push("Last Update out of 7 days: " + lastUpdateTime.to_s)
else
protectionStatusDetailsArray.push("Last Update within 7 days: " + lastUpdateTime.to_s)
end
end
end
end
end
#############################
#270
#on access scan
#live protection
#################################################
oascmd = `#{sophosPath} -v 2>&1`.lines.map(&:chomp)
if !$?.success? || oascmd.nil? || oascmd.empty?
error += "Fail to run On Access Scan cmd; "
else
onaccessscan = oascmd[0].strip + "; " + oascmd[1].strip
if(onaccessscan == "NA") or (onaccessscan.include? "On-access scanning is not running")
($ProtectionStatusRank, $ProtectionStatus) = AntimalwareCommon::NoRealTimeProtectionProtectionCode
protectionStatusAlertArray.push("On Access Scan is not running: " + onaccessscan)
else
protectionStatusDetailsArray.push(onaccessscan)
end
end
###########################
sophosconfigpathArray = sophosPath.split("/")
sophosconfigpathArray[sophosconfigpathArray.length-1] = "savconfig"
sophosconfigpath = sophosconfigpathArray.join('/')
lpcmd = `#{sophosconfigpath} get LiveProtection 2>&1`.lines.map(&:chomp)
if !$?.success? || lpcmd.nil? || lpcmd.empty?
error += "live protection cmd failed; "
else
liveProtection = lpcmd[0].strip
if(liveProtection == "NA") or (liveProtection != "enabled")
($ProtectionStatusRank, $ProtectionStatus) = AntimalwareCommon::NoRealTimeProtectionProtectionCode
protectionStatusAlertArray.push("liveProtection is not enabled: " + liveProtection)
else
protectionStatusDetailsArray.push("Live Protection is enabled")
end
end
#350
#find scan date
#rms not connected
#############################
rmscmd = `#{sophosPath} --rms 2>&1`.lines.map(&:chomp)
status = $?
if rmscmd.nil? || rmscmd.empty?
error += "Fail to run Remote Management status cmd; "
else
rmsstatus = rmscmd[0].strip
if(rmsstatus == "NA") or (rmsstatus.include? "inactive")
#($ProtectionStatusRank, $ProtectionStatus) = AntimalwareCommon::ActionRequiredProtectionCode
protectionStatusDetailsArray.push("Remote Management status is not active: " + rmsstatus)
else
protectionStatusDetailsArray.push(rmsstatus)
end
end
#############################
sophoslogArray = sophosPath.split("/")
sophoslogArray[sophoslogArray.length-1] = "savlog"
sophoslogpath = sophoslogArray.join('/')
scancmd = `LANG=en_US.UTF-8 #{sophoslogpath} --maxage=7 | grep "scan finished" | tail -1 2>&1`.lines.map(&:chomp)
if !$?.success? || scancmd.nil? || scancmd.empty?
error += "On demand scan cmd failed; "
else
ondemandscan = scancmd[0].split("UTC: savscan.log")[0].strip
if(ondemandscan == "NA" || ondemandscan.nil? || ondemandscan.empty? )
#puts "On demand scanDate within 7 days not found"
else
ondemandscan = Time.strptime(ondemandscan, '%a %d %b %Y %I:%M:%S %p')
end
end
#puts ondemandscan.to_s
#########################################
scheduleScancmd = `LANG=en_US.UTF-8 #{sophoslogpath} --maxage=7 | grep -i "Scheduled scan .* completed" | tail -1`.lines.map(&:chomp)
if !$?.success? || scheduleScancmd.nil? || scheduleScancmd.empty?
error += "Scheduled scan cmd failed; "
else
scheduledscan = scheduleScancmd[0].split("UTC: scheduled.scan.log")[0].strip
if(scheduledscan == "NA" || scheduledscan.nil? || scheduledscan.empty? )
#puts "scheduled scanDate within 7 days not found"
else
scheduledscan = Time.strptime(scheduledscan, '%a %d %b %Y %I:%M:%S %p ')
end
end
#puts scheduledscan.to_s
#############################
if (scheduledscan == "NA" && ondemandscan == "NA")
($ProtectionStatusRank, $ProtectionStatus) = AntimalwareCommon::ActionRequiredProtectionCode
protectionStatusAlertArray.push("No On demand Scan or scheduled Scan found in past 7 days, please run an active scan")
else
if(ondemandscan != "NA")
scanDate = ondemandscan
protectionStatusDetailsArray.push("On Demand Scan Date: " + ondemandscan.to_s)
end
if(scheduledscan != "NA")
scanDate = scheduledscan
protectionStatusDetailsArray.push("Scheduled Scan Date: " + scheduledscan.to_s)
end
end
if protectionStatusAlertArray.length == 0
($ProtectionStatusRank, $ProtectionStatus) = AntimalwareCommon::RealTimeProtectionCode
protectionStatusDetails += "Sophos is running healthy. "
protectionStatusDetails += protectionStatusDetailsArray.join('; ')
else
protectionStatusDetails += protectionStatusDetailsArray.join('; ')
protectionStatusDetails += "; "
protectionStatusDetails += protectionStatusAlertArray.join('; ')
end
rescue => e
error += "Getting exception when trying to find Sophos health info: " + e.message + " " + e.backtrace.inspect
ret["Error"] = error
end
ret["ProtectionStatusRank"] = $ProtectionStatusRank
ret["ProtectionStatus"] = $ProtectionStatus
ret["ProtectionStatusDetails"] = protectionStatusDetails
ret["DetectionId"] = SecureRandom.uuid
ret["Threat"] = ""
ret["ThreatStatusRank"] = $ThreatStatusRank
ret["ThreatStatus"] = $ThreatStatus
ret["ThreatStatusDetails"] = "Threat Status is currently not supported in Linux Sophos"
ret["Signature"] = (threatDetectionEngine.nil? || threatDetectionEngine.empty? || threatDetectionEngine == "NA")? "Signature version not found" : threatDetectionEngine
ret["ScanDate"] = scanDate
ret["DateCollected"] = DateTime.now.strftime("%m/%d/%Y %H:%M")
ret["Tool"] = sophosName
ret["AMProductVersion"] = (sophosVersion.nil? || sophosVersion.empty? || sophosVersion == "NA")? "Sophos version not found" : sophosVersion
return ret
end
end