diff --git a/assemblyline/common/constants.py b/assemblyline/common/constants.py
index 97dbd9361..553f53bc4 100644
--- a/assemblyline/common/constants.py
+++ b/assemblyline/common/constants.py
@@ -207,6 +207,11 @@ class ServiceStatus(enum.IntEnum):
 'resource/unity': True,
 'text/calendar': True,
 'text/markdown': True,
+ 'quarantine/ahnlab': True,
+ 'quarantine/avast': True,
+ 'quarantine/avira': True,
+ 'quarantine/mcafee': True,
+ 'quarantine/windowsdefender': True,
 'unknown': True,
 }
diff --git a/assemblyline/common/custom.magic b/assemblyline/common/custom.magic
index e54e09512..c92e15784 100644
--- a/assemblyline/common/custom.magic
+++ b/assemblyline/common/custom.magic
@@ -100,3 +100,9 @@
 >&0 short 0xA1B2 custom: network\tcpdump
 # Email
 0 string DKIM-Signature: custom: document/email
+# Quarantine Files
+0 string AhnLab\040Inc.\0402006 custom: quarantine/ahnlab
+0 string \055chest\055\040 custom: quarantine/avast
+0 string AntiVir\040\Qua custom: quarantine/avira
+0 beshort 0x0BAD custom: quarantine/windowsdefender
+0 belong 0xDBE8C501 custom: quarantine/windowsdefender
diff --git a/assemblyline/common/identify.py b/assemblyline/common/identify.py
index 8b920f3fc..dfd7a79a3 100644
--- a/assemblyline/common/identify.py
+++ b/assemblyline/common/identify.py
@@ -544,11 +544,15 @@ def ident(buf, length: int, path) -> Dict:
 clsid_offset = root_entry_property_offset + 0x50
 if len(buf) >= clsid_offset + 16:
 clsid = buf[clsid_offset:clsid_offset + 16]
- if len(clsid) == 16 and clsid != "\0" * len(clsid):
+ if len(clsid) == 16 and clsid != b"\0" * len(clsid):
 clsid_str = uuid.UUID(bytes_le=clsid)
 clsid_str = clsid_str.urn.rsplit(':', 1)[-1].upper()
 if clsid_str in OLE_CLSID_GUIDs:
 data['type'] = OLE_CLSID_GUIDs[clsid_str]
+ else:
+ bup_details_offset = buf[:root_entry_property_offset+0x100].find(u"Details".encode("utf-16-le"))
+ if -1 != bup_details_offset:
+ data['type'] = 'quarantine/mcafee'
 except Exception:
 pass
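Review bot: The `0 beshort 0x0BAD custom: quarantine/windowsdefender` rule keys the whole identification on two bytes at offset 0, so any unrelated file that happens to begin with 0B AD will be labelled a Defender quarantine container and routed to the services configured for that type, whereas the other new rules anchor on strings of eight bytes or more. If no longer constant prefix is available for that format, a continuation test (`>`) on a further header field, or a `!:strength` adjustment so the more specific rules win on a tie, would keep the false-positive rate down. Separately, the avira line `0 string AntiVir\040\Qua` contains `\Q`, which is not a libmagic escape sequence; libmagic appears to treat an unknown escape as the literal character (so the pattern still reads `AntiVir Qua`) but warns when compiling the database, and `0 string AntiVir\040Qua custom: quarantine/avira` is presumably the intended spelling.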
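Review bot: The new `else:` branch classifies a compound document as `quarantine/mcafee` whenever the UTF-16LE string `Details` occurs anywhere in the first 0x100 bytes after the root directory entry, so any OLE file that carries a stream of that name, or merely those bytes by coincidence, would be mislabelled and dispatched to the wrong services; McAfee .bup containers also carry a `File_0` stream, and requiring both names in that region would tighten the match considerably. Two style points on the same lines: the `u` prefix in `u"Details".encode("utf-16-le")` is a no-op in Python 3 and can be dropped, and the Yoda comparison reads more naturally as `if bup_details_offset != -1:`. Note that the surrounding `except Exception: pass` will also silently hide any error the new branch raises, so a misbehaving sample is indistinguishable from an unidentified one. The enclosing `ident` function starts before and ends after this hunk.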