Merge pull request #243 from malvidin/quarantine_magic

Add Custom Magic for Quarantine

assemblyline/common/constants.py

@@ -207,6 +207,11 @@ class ServiceStatus(enum.IntEnum):
     'resource/unity': True,
     'text/calendar': True,
     'text/markdown': True,
+    'quarantine/ahnlab': True,
+    'quarantine/avast': True,
+    'quarantine/avira': True,
+    'quarantine/mcafee': True,
+    'quarantine/windowsdefender': True,
     'unknown': True,
 }
 

assemblyline/common/custom.magic

@@ -100,3 +100,9 @@
 >&0 short   0xA1B2        custom: network\tcpdump
 # Email
 0   string  DKIM-Signature:     custom: document/email
+# Quarantine Files
+0	string	AhnLab\040Inc.\0402006	custom: quarantine/ahnlab
+0	string	\055chest\055\040		custom: quarantine/avast
+0	string	AntiVir\040\Qua			custom: quarantine/avira
+0	beshort	0x0BAD					custom: quarantine/windowsdefender
+0	belong	0xDBE8C501				custom: quarantine/windowsdefender

assemblyline/common/identify.py

@@ -544,11 +544,15 @@ def ident(buf, length: int, path) -> Dict:
                 clsid_offset = root_entry_property_offset + 0x50
                 if len(buf) >= clsid_offset + 16:
                     clsid = buf[clsid_offset:clsid_offset + 16]
-                    if len(clsid) == 16 and clsid != "\0" * len(clsid):
+                    if len(clsid) == 16 and clsid != b"\0" * len(clsid):
                         clsid_str = uuid.UUID(bytes_le=clsid)
                         clsid_str = clsid_str.urn.rsplit(':', 1)[-1].upper()
                         if clsid_str in OLE_CLSID_GUIDs:
                             data['type'] = OLE_CLSID_GUIDs[clsid_str]
+                    else:
+                        bup_details_offset = buf[:root_entry_property_offset+0x100].find(u"Details".encode("utf-16-le"))
+                        if -1 != bup_details_offset:
+                            data['type'] = 'quarantine/mcafee'
         except Exception:
             pass