
add quarantine check to scan for quarantine files and meddlesome processes #1333

Merged: 13 commits merged into kolide:main from james/quarantined-check on Sep 7, 2023

Conversation

@James-Pickett James-Pickett (Contributor) commented Sep 5, 2023

This check reports any files that have "quarantine" in their path. It recursively checks each of the provided root dirs to the specified depth.

example summary:
❌ Quarantine: found 1 quarantined files

example log:

starting quarantine check

possilby meddlesome proccesses:
map[cmdline:[] create_time:1693926941054 exe:C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\NisSrv.exe pid:9268 ppid:1236 status:error: not implemented yet]
map[cmdline:[] create_time:1693926936001 exe:C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe pid:15636 ppid:1236 status:error: not implemented yet]

searching for quarantined files:
failed to read C:\ProgramData\Microsoft\Windows\CapabilityAccessManager: open C:\ProgramData\Microsoft\Windows\CapabilityAccessManager: Access is denied.
/Library/Application Support does not exist
total dirs checked: 1159
quarantine directory paths and files:
C:\ProgramData\Microsoft\Windows Defender\Quarantine: 0 files
C:\ProgramData\quarantine: 1 files
  test.txt
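As an added example (not the project's code and not code from this PR), the following self-contained Go program shows the shape of the check described above: walk each root directory down to a depth limit, report every directory whose path contains "quarantine" together with the files directly inside it, keep going when a root is missing or a directory is unreadable (the "does not exist" and "failed to read" lines in the log), and match process names against a keyword list. The function names (findQuarantineDirs, isMeddlesome, totalQuarantined, buildSampleTree), the sample directory layout and the process names are assumptions constructed for the example; real process enumeration is replaced by a constructed name, and the keyword list is only the tail visible in the review thread.

```go
package main

import (
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"strings"
)

// Lowercase substrings matched against process names (only the tail of the PR's list is on the page).
var meddlesomeProcessKeywords = []string{"virus", "quarantine", "snitch"}

// isMeddlesome reports whether a process name contains any keyword, ignoring case.
func isMeddlesome(name string) bool {
	name = strings.ToLower(name)
	for _, kw := range meddlesomeProcessKeywords {
		if strings.Contains(name, kw) {
			return true
		}
	}
	return false
}

// findQuarantineDirs walks each root down to its depth limit and returns, for every
// directory whose path contains "quarantine" (case-insensitive), the names of the
// non-directory entries directly inside it. A missing root or an unreadable
// directory is recorded in errs and the scan continues, as in the PR's example log.
func findQuarantineDirs(roots map[string]int) (found map[string][]string, errs []string) {
	found = map[string][]string{}
	for root, maxDepth := range roots {
		if _, err := os.Stat(root); err != nil {
			errs = append(errs, fmt.Sprintf("%s: %v", root, err))
			continue
		}
		filepath.WalkDir(root, func(path string, d fs.DirEntry, err error) error {
			if err != nil {
				errs = append(errs, fmt.Sprintf("failed to read %s: %v", path, err))
				return nil // record it and keep walking
			}
			if !d.IsDir() { // a file counts only if its parent was recognised as a quarantine dir
				if parent := filepath.Dir(path); found[parent] != nil {
					found[parent] = append(found[parent], d.Name())
				}
				return nil
			}
			depth := 0 // the root itself; each separator in the relative path adds a level
			if rel, _ := filepath.Rel(root, path); rel != "." {
				depth = strings.Count(rel, string(filepath.Separator)) + 1
			}
			if depth > maxDepth {
				return filepath.SkipDir
			}
			if strings.Contains(strings.ToLower(path), "quarantine") {
				found[path] = []string{}
			}
			return nil
		})
	}
	return found, errs
}

// totalQuarantined is the N in the "Quarantine: found N quarantined files" summary.
func totalQuarantined(found map[string][]string) int {
	n := 0
	for _, files := range found {
		n += len(files)
	}
	return n
}

// buildSampleTree creates a constructed tree (not a real host's layout) mirroring the PR's log:
// an empty Defender-style Quarantine dir, a quarantine dir holding test.txt, and a quarantine
// dir nested beyond depth 3 that the depth limit must never reach. The caller removes it.
func buildSampleTree() (string, error) {
	root, err := os.MkdirTemp("", "qcheck")
	if err != nil {
		return "", err
	}
	for _, dir := range []string{"Microsoft/Windows Defender/Quarantine", "quarantine", "deep/a/b/c/quarantine"} {
		if err := os.MkdirAll(filepath.Join(root, filepath.FromSlash(dir)), 0o755); err != nil {
			return "", err
		}
	}
	return root, os.WriteFile(filepath.Join(root, "quarantine", "test.txt"), []byte("constructed\n"), 0o644)
}

func main() {
	root, err := buildSampleTree()
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(root)
	// scan the constructed tree plus a root that does not exist
	found, errs := findQuarantineDirs(map[string]int{root: 3, filepath.Join(root, "missing"): 1})
	for _, e := range errs {
		fmt.Println(e)
	}
	for dir, files := range found {
		fmt.Printf("%s: %d files %v\n", dir, len(files), files)
	}
	fmt.Printf("Quarantine: found %d quarantined files\n", totalQuarantined(found))
	fmt.Println("LittleSnitchDaemon meddlesome:", isMeddlesome("LittleSnitchDaemon")) // constructed name
}
```

Run it with `go run .`; the nested `deep/a/b/c/quarantine` directory is the edge case worth watching: with a depth limit of 3 the walk returns filepath.SkipDir at `deep/a/b/c` and never sees it, so a too-small depth silently hides a quarantine folder, while a too-large one is what produces the thousand-plus "total dirs checked" walks seen in the log.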

@James-Pickett James-Pickett marked this pull request as ready for review September 5, 2023 23:59
pkg/debug/checkups/quarantine.go (resolved)
pkg/debug/checkups/quarantine.go (resolved)
q.quarantineCounts = make(map[string]int)

var (
quarantinePathDepths = map[string]int{
Contributor

Could you add some documentation for what we're looking for in these directories? So that if the exact location of quarantined files ever changes for one of the meddlesome processes, we know what kind of file names or directories we're looking for

Contributor

Also maybe we'd want to switch on runtime.GOOS to only check the directories we care about for that particular OS? Would make the output a little bit cleaner

Contributor Author

done

pkg/debug/checkups/quarantine.go (outdated, resolved)
continue
}

q.quarantineCounts[dirPath]++
Contributor

Do we want to list the names of the quarantined files? It looks like we're only doing count per directory, but maybe I'm missing it?

Contributor Author

I started off with that but learned that AVs tend to rename the files to GUIDs, then keep some metadata somewhere. I don't know if they all do this; I only learned from seph that CrowdStrike does this. Windows Defender does the same.

Contributor Author

After further discussion, re-adding file names; even if they're just GUIDs, it won't hurt.

Contributor

I'm fine with this, but I'll note that the test host I found had ~600 of them

pkg/debug/checkups/quarantine.go (outdated, resolved)
pkg/debug/checkups/quarantine.go (outdated, resolved)
`virus`,
`quarantine`,
`snitch`,
}
Contributor

Do we know what carbonblack's process name is?

Contributor Author

Googling revealed many possibilities; I added all the ones that looked promising.

@James-Pickett James-Pickett added this pull request to the merge queue Sep 7, 2023
Contributor
@directionless directionless left a comment

Sure, let's try

Merged via the queue into kolide:main with commit c5342fb Sep 7, 2023
24 checks passed
@James-Pickett James-Pickett deleted the james/quarantined-check branch September 7, 2023 01:14