Add Defender Quarantine Recovery #96
Initial version, requires additional testing. (DIS-1573)
Codecov Report

@@            Coverage Diff             @@
##             main      #96      +/-   ##
==========================================
+ Coverage   58.54%   58.86%   +0.32%
==========================================
  Files         189      189
  Lines       14754    14900     +146
==========================================
+ Hits         8637     8771     +134
- Misses       6117     6129      +12
Bugfix. Sometimes the filename is not the complete resource_id.
Co-authored-by: Erik Schamper <1254028+Schamper@users.noreply.github.com>
Refactor parsing into quarantine entry (resource) classes
Move several constants around for better reading order
Add doc strings
Per code review suggestions
@Schamper I implemented your suggested changes, thanks :) While I like the approach of refactoring most of the parsing stuff into the QuarantineEntry and QuarantineEntryResource classes, I have a little problem with the hierarchy. QuarantineEntry now has a property resources, which is a list of QuarantineEntryResource instances. However, for both plugin functions, in the end the plugin yields results based on all available instances of QuarantineEntryResource. This means I have to loop over all QuarantineEntry objects, and then within that for loop, loop over the QuarantineEntryResource objects that said entry contains. This means that both plugin functions are now nested one level deeper, which hurts readability a little. If you have any ideas in that regard, that would be great (:
Small docstring changes
Variable renames
Typehints
@Schamper suggestions implemented :)
Due to a bug, we encountered a situation where only a part of the resource_id was found in the acquired evidence. This led to the invalid assumption on my end that sometimes Defender will only use a part of the resource id for the filename of a ResourceData file. Now, we assume that a quarantine entry's resource_id will be the filename found in the ResourceData folder. This also aligns with what we saw when investigating mpengine.dll.
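As an added illustration of the entry/resource hierarchy and the resource_id-equals-filename assumption discussed in the comments above (example code, not from this PR or from dissect.target; the class names are simplified stand-ins and the ids and ResourceData listing are constructed):

```python
from dataclasses import dataclass, field
from typing import Iterable, Iterator, Optional, Tuple


# Hypothetical stand-ins for the PR's QuarantineEntry / QuarantineEntryResource
# classes; the real dissect.target classes carry many more parsed fields.
@dataclass
class QuarantineEntryResource:
    resource_id: str      # identifier Defender assigns to the quarantined item
    detection_path: str   # original on-disk location of the item


@dataclass
class QuarantineEntry:
    detection_name: str
    resources: list = field(default_factory=list)


def iter_resources(entries: Iterable[QuarantineEntry]) -> Iterator[Tuple[QuarantineEntry, QuarantineEntryResource]]:
    """Flatten entry -> resources once, so a plugin function needs only one loop."""
    for entry in entries:
        for resource in entry.resources:
            yield entry, resource


def resource_data_name(resource: QuarantineEntryResource, listing: Iterable[str]) -> Optional[str]:
    """Return the ResourceData filename for a resource, or None if it is absent.

    Assumption taken from the PR: the filename equals the *full* resource_id.
    A name that merely starts with the id (a truncated id, as in the original
    bug) is deliberately not accepted, so prefix matching cannot creep back in.
    """
    return resource.resource_id if resource.resource_id in set(listing) else None


# Constructed sample data: two entries, three resources, one ResourceData listing.
SAMPLE_ENTRIES = [
    QuarantineEntry("Trojan:Win32/Sample.A", [QuarantineEntryResource("AB12CD34", r"C:\Users\a\evil.exe")]),
    QuarantineEntry("PUA:Win32/Sample.B", [
        QuarantineEntryResource("EF567890", r"C:\Temp\tool.exe"),   # only a partial name exists below
        QuarantineEntryResource("11223344", r"C:\Temp\dropper.dll"),
    ]),
]
SAMPLE_LISTING = ["AB12CD34", "EF56", "11223344"]  # "EF56" is a truncated id, must not match


def recover(entries, listing):
    """One row per resource: (detection name, original path, ResourceData filename or None)."""
    return [(e.detection_name, r.detection_path, resource_data_name(r, listing))
            for e, r in iter_resources(entries)]
```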
from flow.record import Record | ||
import dissect.util.ts as ts | ||
from dissect.cstruct import Structure, cstruct | ||
from dissect.target import plugin | ||
from dissect.target.helpers.record import TargetRecordDescriptor | ||
from flow.record import Record |
Can you run isort? You can optionally add the following configuration to your .vscode/settings.json:
"editor.codeActionsOnSave": {
"source.organizeImports": true
}