
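# frozen_string_literal: true

require "rexml/document"
require "cgi"
require "digest"
require "json"
require "date"
require "time"
require "logger"
require "open3"
require "securerandom"
require_relative "antimalwarecommon"

# Antimalware plugin probe for Microsoft Defender for Endpoint on Linux (mdatp).
#
# `detect` reports whether the mdatp CLI is installed; `getprotectionstatus`
# runs `mdatp health --output json` and maps the result onto the protection /
# threat status codes defined in AntimalwareCommon.
class Defender
  # Absolute path of the mdatp CLI. A fixed path (not PATH lookup) is used so
  # the probe cannot be redirected to a different binary by the environment.
  MDATP_BIN = "/usr/bin/mdatp"

  # Health query in argv form, so it is spawned without a shell.
  HEALTH_CMD = [MDATP_BIN, "health", "--output", "json"].freeze

  # Placeholder meaning "value not reported".
  NOT_AVAILABLE = "NA"

  # Returns true when the mdatp CLI is present at MDATP_BIN, false otherwise.
  # Any unexpected error during the filesystem check is reported as "not
  # detected" so a broken probe never aborts the surrounding collection.
  #
  # @return [Boolean]
  def self.detect
    File.file?(MDATP_BIN)
  rescue StandardError
    false
  end

  # Collects the mdatp protection status.
  #
  # Side effects: assigns the globals $ProtectionStatusRank, $ProtectionStatus,
  # $ThreatStatusRank and $ThreatStatus (kept for compatibility with code that
  # may read them after this call).
  #
  # @return [Hash{String => Object}] status record; the "Error" key is present
  #   only when the health command failed or raised.
  def self.getprotectionstatus
    defender_name = "Defender Endpoint Protection for Linux"
    defender_version = NOT_AVAILABLE
    signature_version = NOT_AVAILABLE
    protection_status_details = ""
    errors = []

    $ProtectionStatusRank, $ProtectionStatus = AntimalwareCommon::UnknownProtectionCode
    $ThreatStatusRank, $ThreatStatus = AntimalwareCommon::UnknownThreatCode

    begin
      # stdout and stderr are merged, matching the previous `2>&1` behaviour,
      # but no shell is involved in spawning the process.
      json_data, status = Open3.capture2e(*HEALTH_CMD)

      if !status.success? || json_data.nil? || json_data.empty?
        errors << "fail to run mdatp health cmd; "
      else
        health = JSON.parse(json_data)
        details = []

        # A missing parent key raises here and is reported via the rescue below.
        signature_status = health["definitionsStatus"]["$type"]
        if signature_status != "upToDate"
          $ProtectionStatusRank, $ProtectionStatus = AntimalwareCommon::SignaturesOutOfDateProtectionCode
          details << "Signatures out of date; "
        end

        signature_version = health["definitionsVersion"]
        defender_version = health["appVersion"]

        realtime_protection = health["realTimeProtectionEnabled"]["value"]
        if realtime_protection == NOT_AVAILABLE || !realtime_protection
          $ProtectionStatusRank, $ProtectionStatus = AntimalwareCommon::NoRealTimeProtectionProtectionCode
          details << "Real-time protection disabled; "
        end

        # Only a report with no findings counts as healthy.
        if details.empty?
          $ProtectionStatusRank, $ProtectionStatus = AntimalwareCommon::RealTimeProtectionCode
          details << "MDATP is running healthy."
        end
        protection_status_details = details.join
      end
    rescue StandardError => e
      errors << "Getting exception when trying to find MDATP health info: #{e.message} #{e.backtrace.inspect}"
    end

    ret = {
      "ProtectionStatusRank" => $ProtectionStatusRank,
      "ProtectionStatus" => $ProtectionStatus,
      "ProtectionStatusDetails" => protection_status_details,
      "DetectionId" => SecureRandom.uuid,
      "Threat" => "",
      "ThreatStatusRank" => $ThreatStatusRank,
      "ThreatStatus" => $ThreatStatus,
      "ThreatStatusDetails" => "Threat Status is currently not supported in MDATP",
      "Signature" => value_or(signature_version, "Signature version not found"),
      "ScanDate" => "",
      "DateCollected" => Time.now.strftime("%m/%d/%Y %H:%M"),
      "Tool" => defender_name,
      "AMProductVersion" => value_or(defender_version, "MDATP version not found")
    }
    # Previously the command-failure message was accumulated but never
    # written to the result; surface every collected error.
    ret["Error"] = errors.join unless errors.empty?
    ret
  end

  # Returns +fallback+ when +value+ is nil, empty or the "NA" placeholder;
  # otherwise returns +value+ unchanged. Non-string values (e.g. a numeric
  # version) are passed through instead of raising on #empty?.
  def self.value_or(value, fallback)
    return fallback if value.nil? || value == NOT_AVAILABLE
    return fallback if value.respond_to?(:empty?) && value.empty?

    value
  end
  private_class_method :value_or
end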