From 81099579947f66d1e94f26c1578de4f07bcb98b2 Mon Sep 17 00:00:00 2001 From: Aniko Bartos Date: Thu, 15 Aug 2024 13:48:57 +0200 Subject: [PATCH 1/6] change informational to no_threat --- README.md | 20 ++++++++++---------- metadefender_sandbox_connector.py | 9 +++++++-- metadefendersandbox.json | 20 ++++++++++---------- 3 files changed, 27 insertions(+), 22 deletions(-) diff --git a/README.md b/README.md index c60c55b..bb036b2 100644 --- a/README.md +++ b/README.md @@ -125,7 +125,7 @@ action_result.data.\*.allSignalGroups.\*.signals.\*.signalReadable | string | | action_result.data.\*.allSignalGroups.\*.signals.\*.strength | numeric | | 0.25 action_result.data.\*.allSignalGroups.\*.verdict.confidence | numeric | | 1 action_result.data.\*.allSignalGroups.\*.verdict.threatLevel | numeric | | 0.2 -action_result.data.\*.allSignalGroups.\*.verdict.verdict | string | | INFORMATIONAL +action_result.data.\*.allSignalGroups.\*.verdict.verdict | string | | NO_THREAT action_result.data.\*.allTags.\*.isRootTag | boolean | | True False action_result.data.\*.allTags.\*.source | string | | MEDIA_TYPE action_result.data.\*.allTags.\*.sourceIdentifier | string | | 0123456789abcdefghijklmnopqrstuvwxyz0123456789abcdefghijklmnopqr 
@@ -210,13 +210,13 @@ action_result.data.\*.taskReference.state | string | | SUCCESS action_result.summary.flow_id | string | | 0123456789abcdefghijklmn action_result.summary.rejected_reasons.\* | string | | ARCHIVE_ENCRYPTED action_result.summary.total_benign | numeric | | 3 -action_result.summary.total_informational | numeric | | 3 +action_result.summary.total_no_threat| numeric | | 3 action_result.summary.total_likely_malicious | numeric | | 3 action_result.summary.total_malicious | numeric | | 3 action_result.summary.total_rejected | numeric | | 1 action_result.summary.total_suspicious | numeric | | 3 action_result.summary.total_unknown | numeric | | 3 -action_result.message | string | | Total benign: 1, Total unknown: 0, Total informational: 0, Total suspicious: 0, Total likely malicious: 0, Total malicious: 0, Total rejected: 0, Rejected reasons: [], Flow id: 1234 +action_result.message | string | | Total benign: 1, Total unknown: 0, Total no threat: 0, Total suspicious: 0, Total likely malicious: 0, Total malicious: 0, Total rejected: 0, Rejected reasons: [], Flow id: 1234 summary.total_objects | numeric | | 2 summary.total_objects_successful | numeric | | 2 @@ -257,7 +257,7 @@ action_result.data.\*.allSignalGroups.\*.signals.\*.signalReadable | string | | action_result.data.\*.allSignalGroups.\*.signals.\*.strength | numeric | | 0.25 action_result.data.\*.allSignalGroups.\*.verdict.confidence | numeric | | 1 action_result.data.\*.allSignalGroups.\*.verdict.threatLevel | numeric | | 0.2 -action_result.data.\*.allSignalGroups.\*.verdict.verdict | string | | INFORMATIONAL +action_result.data.\*.allSignalGroups.\*.verdict.verdict | string | | NO_THREAT action_result.data.\*.allTags.\*.isRootTag | boolean | | True False action_result.data.\*.allTags.\*.source | string | | MEDIA_TYPE action_result.data.\*.allTags.\*.sourceIdentifier | string | | 0123456789abcdefghijklmnopqrstuvwxyz0123456789abcdefghijklmnopqr 
@@ -342,13 +342,13 @@ action_result.data.\*.taskReference.state | string | | SUCCESS action_result.summary.flow_id | string | | 0123456789abcdefghijklmn action_result.summary.rejected_reasons.\* | string | | ARCHIVE_ENCRYPTED action_result.summary.total_benign | numeric | | 3 -action_result.summary.total_informational | numeric | | 3 +action_result.summary.total_no_threat | numeric | | 3 action_result.summary.total_likely_malicious | numeric | | 3 action_result.summary.total_malicious | numeric | | 3 action_result.summary.total_rejected | numeric | | 1 action_result.summary.total_suspicious | numeric | | 3 action_result.summary.total_unknown | numeric | | 3 -action_result.message | string | | Total benign: 1, Total unknown: 0, Total informational: 0, Total suspicious: 0, Total likely malicious: 0, Total malicious: 0, Total rejected: 0, Rejected reasons: [], Flow id: 1234 +action_result.message | string | | Total benign: 1, Total unknown: 0, Total no threat: 0, Total suspicious: 0, Total likely malicious: 0, Total malicious: 0, Total rejected: 0, Rejected reasons: [], Flow id: 1234 summary.total_objects | numeric | | 2 summary.total_objects_successful | numeric | | 2 
@@ -400,15 +400,15 @@ action_result.data.\*.tags.\*.tag.verdict.confidence | numeric | | 1 action_result.data.\*.tags.\*.tag.verdict.threatLevel | numeric | | 0.75 action_result.data.\*.tags.\*.tag.verdict.verdict | string | | BENIGN action_result.data.\*.updated_date | string | | 02/14/2023, 02:34:51 -action_result.data.\*.verdict | string | | informational +action_result.data.\*.verdict | string | | suspicious action_result.summary.available_report_count | numeric | | 3 action_result.summary.total_benign | numeric | | 3 -action_result.summary.total_informational | numeric | | 3 +action_result.summary.total_no_threat | numeric | | 3 action_result.summary.total_likely_malicious | numeric | | 3 action_result.summary.total_malicious | numeric | | 3 action_result.summary.total_suspicious | numeric | | 3 action_result.summary.total_unknown | numeric | | 3 -action_result.message | string | | Total benign: 0, Total unknown: 0, Total informational: 0, Total suspicious: 2, Total likely malicious: 0, Total malicious: 0, Available report count: 5 +action_result.message | string | | Total benign: 0, Total unknown: 0, Total no threat: 0, Total suspicious: 2, Total likely malicious: 0, Total malicious: 0, Available report count: 5 summary.total_objects | numeric | | 2 summary.total_objects_successful | numeric | | 2 
@@ -434,7 +434,7 @@ action_result.data.\*.filescan_reports.\*.report_date | string | | 2023-05-25
 action_result.data.\*.filescan_reports.\*.report_id | string | | 00000000-aaaa-aaaa-aaaa-aaaaaaaaaaaa
 action_result.data.\*.filescan_reports.\*.verdict | string | | malicious
 action_result.data.\*.fuzzyhash.hash | string | | 0123456789abcdefghijklmnopqrstuvwxyz0123456789abcdefghijklmnopqr
-action_result.data.\*.fuzzyhash.verdict | string | | informational
+action_result.data.\*.fuzzyhash.verdict | string | | suspicious
 action_result.data.\*.mdcloud.detected_av_engines | numeric | | 30
 action_result.data.\*.mdcloud.scan_time | string | | 2023-05-25T01:15:45.789000
 action_result.data.\*.mdcloud.total_av_engines | numeric | | 30
diff --git a/metadefender_sandbox_connector.py b/metadefender_sandbox_connector.py
index d596ae1..994980f 100644
--- a/metadefender_sandbox_connector.py
+++ b/metadefender_sandbox_connector.py
@@ -207,7 +207,7 @@ def _poll_result(self, action_result, flow_id):
 summary = {
 "total_benign": 0,
 "total_unknown": 0,
- "total_informational": 0,
+ "total_no_threat": 0,
 "total_suspicious": 0,
 "total_likely_malicious": 0,
 "total_malicious": 0,
@@ -223,6 +223,8 @@ def _poll_result(self, action_result, flow_id):
 .get("verdict", "unknown")
 .lower()
 )
+ if verdict == "informational":
+ verdict = "no_threat"
 summary[f"total_{verdict}"] += 1
 rejected = response_data.get("rejected_files", None)
@@ -464,7 +466,7 @@ def _handle_search_terms(self, param):
 summary = {
 "total_benign": 0,
 "total_unknown": 0,
- "total_informational": 0,
+ "total_no_threat": 0,
 "total_suspicious": 0,
 "total_likely_malicious": 0,
 "total_malicious": 0,
@@ -474,6 +476,9 @@ def _handle_search_terms(self, param):
 for item in items:
 action_result.add_data(item)
 verdict = item.get("verdict", "unknown").lower()
+ if verdict == "informational":
+ verdict = "no_threat"
+
 summary[f"total_{verdict}"] += 1
 summary_data.update(summary)
 self.save_progress(f"{len(items)} results were found!")
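Review bot: The `informational` → `no_threat` alias is written out twice (in the `@@ -223` hunk of `_poll_result` and again in the `@@ -474` hunk of `_handle_search_terms`), and at both sites the following `summary[f"total_{verdict}"] += 1` still raises `KeyError` for any verdict value the preset dict does not list — which this very rename shows happens when the product changes its verdict vocabulary; whether a caller catches that and fails the action cleanly is not visible in the hunk. Hoist the alias into one module-level table, `VERDICT_ALIASES = {"informational": "no_threat"}`, and at both sites replace the new `if` with `verdict = VERDICT_ALIASES.get(verdict, verdict)` followed by `summary[f"total_{verdict}"] = summary.get(f"total_{verdict}", 0) + 1`, so an unrecognised verdict is counted under its own key instead of aborting the whole result walk (declare that key in the manifest if it is meant to be surfaced). A comment such as `# MetaDefender 2.0.0 renamed the INFORMATIONAL verdict to NO_THREAT; count both under the new key` would record why the alias exists. Both `_poll_result` and `_handle_search_terms` begin and end outside these hunks.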
diff --git a/metadefendersandbox.json b/metadefendersandbox.json index 929ffbf..e7755da 100644 --- a/metadefendersandbox.json +++ b/metadefendersandbox.json @@ -248,7 +248,7 @@ "data_path": "action_result.data.*.allSignalGroups.*.verdict.verdict", "data_type": "string", "example_values": [ - "INFORMATIONAL" + "NO_THREAT" ] }, { @@ -844,7 +844,7 @@ ] }, { - "data_path": "action_result.summary.total_informational", + "data_path": "action_result.summary.total_no_threat", "data_type": "numeric", "example_values": [ 3 @@ -889,7 +889,7 @@ "data_path": "action_result.message", "data_type": "string", "example_values": [ - "Total benign: 1, Total unknown: 0, Total informational: 0, Total suspicious: 0, Total likely malicious: 0, Total malicious: 0, Total rejected: 0, Rejected reasons: [], Flow id: 1234" + "Total benign: 1, Total unknown: 0, Total no threat: 0, Total suspicious: 0, Total likely malicious: 0, Total malicious: 0, Total rejected: 0, Rejected reasons: [], Flow id: 1234" ] }, { @@ -1086,7 +1086,7 @@ "data_path": "action_result.data.*.allSignalGroups.*.verdict.verdict", "data_type": "string", "example_values": [ - "INFORMATIONAL" + "NO_THREAT" ] }, { @@ -1682,7 +1682,7 @@ ] }, { - "data_path": "action_result.summary.total_informational", + "data_path": "action_result.summary.total_no_threat", "data_type": "numeric", "example_values": [ 3 @@ -1727,7 +1727,7 @@ "data_path": "action_result.message", "data_type": "string", "example_values": [ - "Total benign: 1, Total unknown: 0, Total informational: 0, Total suspicious: 0, Total likely malicious: 0, Total malicious: 0, Total rejected: 0, Rejected reasons: [], Flow id: 1234" + "Total benign: 1, Total unknown: 0, Total no threat: 0, Total suspicious: 0, Total likely malicious: 0, Total malicious: 0, Total rejected: 0, Rejected reasons: [], Flow id: 1234" ] }, { @@ -2006,7 +2006,7 @@ "data_path": "action_result.data.*.verdict", "data_type": "string", "example_values": [ - "informational" + "no_threat" ] }, { 
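Review bot: Renaming the summary data path `action_result.summary.total_informational` to `action_result.summary.total_no_threat` (the `@@ -844` hunk, repeated at `@@ -1682` and `@@ -2024`) is a breaking change for any playbook or custom view that already reads the old path, and nothing in the series keeps the old key populated or calls the break out. Either have the connector emit `total_informational` alongside `total_no_threat` for a deprecation period, or name the renamed data path explicitly in the release note so operators know to update their playbooks. The example value for `action_result.data.*.verdict` is lowercase `no_threat` while the signal-group verdict example is `NO_THREAT`; if the API really returns both casings, a short note on the data path saying so would save the next maintainer a lookup.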
@@ -2024,7 +2024,7 @@ ] }, { - "data_path": "action_result.summary.total_informational", + "data_path": "action_result.summary.total_no_threat", "data_type": "numeric", "example_values": [ 3 @@ -2062,7 +2062,7 @@ "data_path": "action_result.message", "data_type": "string", "example_values": [ - "Total benign: 0, Total unknown: 0, Total informational: 0, Total suspicious: 2, Total likely malicious: 0, Total malicious: 0, Available report count: 5" + "Total benign: 0, Total unknown: 0, Total no threat: 0, Total suspicious: 2, Total likely malicious: 0, Total malicious: 0, Available report count: 5" ] }, { @@ -2158,7 +2158,7 @@ "data_path": "action_result.data.*.fuzzyhash.verdict", "data_type": "string", "example_values": [ - "informational" + "no_threat" ] }, { From 3ca3475acd69bd6fbcc60c368060a88c67295318 Mon Sep 17 00:00:00 2001 From: Aniko Bartos Date: Thu, 15 Aug 2024 18:47:54 +0200 Subject: [PATCH 2/6] Add release notes --- release_notes/unreleased.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/release_notes/unreleased.md b/release_notes/unreleased.md index fbcb2fd..93b3766 100644 --- a/release_notes/unreleased.md +++ b/release_notes/unreleased.md @@ -1 +1,3 @@ **Unreleased** + +- Handle "NO_THREAT" verdict: From MetaDefender version 2.0.0, the verdict 'NO_THREAT' is displayed instead of 'INFORMATIONAL'. \ No newline at end of file From 501eaf4639d46734b90419e725aa8fd925772f8d Mon Sep 17 00:00:00 2001 From: Aniko Bartos Date: Fri, 16 Aug 2024 13:26:24 +0200 Subject: [PATCH 3/6] increase phantom version --- README.md | 2 +- metadefendersandbox.json | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index bb036b2..73a6c41 100644 --- a/README.md +++ b/README.md 
@@ -6,7 +6,7 @@ Connector Version: 1.2.0 Product Vendor: OPSWAT Product Name: MetaDefender Sandbox Product Version Supported (regex): ".\*" -Minimum Product Version: 6.1.1 +Minimum Product Version: 6.2.1 MetaDefender Sandbox (previously known as OPSWAT Filescan Sandbox) is a unique adaptive threat analysis technology, enabling zero-day malware detection and comprehensive Indicator of Compromise (IOC) extraction diff --git a/metadefendersandbox.json b/metadefendersandbox.json index e7755da..194a6af 100644 --- a/metadefendersandbox.json +++ b/metadefendersandbox.json @@ -23,7 +23,7 @@ "utctime_updated": "2023-05-12T18:00:17.655821Z", "package_name": "phantom_metadefendersandbox", "main_module": "metadefender_sandbox_connector.py", - "min_phantom_version": "6.1.1", + "min_phantom_version": "6.2.1", "app_wizard_version": "1.0.0", "fips_compliant": true, "latest_tested_versions": [ From ad52e0c9fa23d1f782db4a392966e500d9ffd90a Mon Sep 17 00:00:00 2001 From: gdelavadiya-crest Date: Fri, 6 Sep 2024 14:29:01 +0530 Subject: [PATCH 4/6] Done developer checklist --- LICENSE | 2 +- README.md | 2 +- metadefendersandbox.json | 2 +- release_notes/unreleased.md | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/LICENSE b/LICENSE index 747c747..d03c7f6 100644 --- a/LICENSE +++ b/LICENSE @@ -198,4 +198,4 @@ distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and - limitations under the License. \ No newline at end of file + limitations under the License. diff --git a/README.md b/README.md index 73a6c41..117e3ce 100644 --- a/README.md +++ b/README.md @@ -2,7 +2,7 @@ # Metadefender Sandbox Publisher: OPSWAT -Connector Version: 1.2.0 +Connector Version: 1.2.1 Product Vendor: OPSWAT Product Name: MetaDefender Sandbox Product Version Supported (regex): ".\*" 
diff --git a/metadefendersandbox.json b/metadefendersandbox.json index 194a6af..d198e45 100644 --- a/metadefendersandbox.json +++ b/metadefendersandbox.json @@ -19,7 +19,7 @@ } ], "license": "Copyright (c) OPSWAT, 2024", - "app_version": "1.2.0", + "app_version": "1.2.1", "utctime_updated": "2023-05-12T18:00:17.655821Z", "package_name": "phantom_metadefendersandbox", "main_module": "metadefender_sandbox_connector.py", diff --git a/release_notes/unreleased.md b/release_notes/unreleased.md index 93b3766..c285d05 100644 --- a/release_notes/unreleased.md +++ b/release_notes/unreleased.md @@ -1,3 +1,3 @@ **Unreleased** -- Handle "NO_THREAT" verdict: From MetaDefender version 2.0.0, the verdict 'NO_THREAT' is displayed instead of 'INFORMATIONAL'. \ No newline at end of file +- Changed the verdict from 'INFORMATIONAL' to 'NO_THREAT' [PAPP-34526]. \ No newline at end of file From 769e3bd3cb5c8d4a10cca03fabab0d32960a4807 Mon Sep 17 00:00:00 2001 From: gdelavadiya-crest Date: Fri, 6 Sep 2024 18:09:24 +0530 Subject: [PATCH 5/6] changed metadefender_sandbox_connector.py and unreleased.md file --- metadefender_sandbox_connector.py | 12 ++++++++---- release_notes/unreleased.md | 3 +-- 2 files changed, 9 insertions(+), 6 deletions(-) diff --git a/metadefender_sandbox_connector.py b/metadefender_sandbox_connector.py index 994980f..9adae9e 100644 --- a/metadefender_sandbox_connector.py +++ b/metadefender_sandbox_connector.py 
@@ -667,20 +667,24 @@ def finalize(self):
 def main():
 import argparse
+ import sys
 argparser = argparse.ArgumentParser()
 argparser.add_argument("input_test_json", help="Input Test JSON file")
 argparser.add_argument("-u", "--username", help="username", required=False)
 argparser.add_argument("-p", "--password", help="password", required=False)
+ argparser.add_argument("-v", "--verify", action="store_true", help="verify", required=False, default=False)
 args = argparser.parse_args()
 session_id = None
 username = args.username
 password = args.password
+ verify = args.verify
 if username is not None and password is None:
+ # User specified a username but not a password, so ask
 import getpass
@@ -691,7 +695,7 @@ def main():
 login_url = MetaDefenderSandboxConnector._get_phantom_base_url() + "/login"
 print("Accessing the Login page")
- r = requests.get(login_url, verify=False)
+ r = requests.get(login_url, verify=verify)
 csrftoken = r.cookies["csrftoken"]
 data = dict()
@@ -704,11 +708,11 @@ def main():
 headers["Referer"] = login_url
 print("Logging into Platform to get the session id")
- r2 = requests.post(login_url, verify=False, data=data, headers=headers)
+ r2 = requests.post(login_url, verify=verify, data=data, headers=headers)
 session_id = r2.cookies["sessionid"]
 except Exception as e:
 print("Unable to get session id from the platform. Error: " + str(e))
- exit(1)
+ sys.exit(1)
 with open(args.input_test_json) as f:
 in_json = f.read()
@@ -725,7 +729,7 @@ def main():
 ret_val = connector._handle_action(json.dumps(in_json), None)
 print(json.dumps(json.loads(ret_val), indent=4))
- exit(0)
+ sys.exit(0)
 if __name__ == "__main__":
diff --git a/release_notes/unreleased.md b/release_notes/unreleased.md
index c285d05..f12d648 100644
--- a/release_notes/unreleased.md
+++ b/release_notes/unreleased.md
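Review bot: The new `--verify` option in the first hunk defaults to certificate verification being off, so the `requests.get` and `requests.post` login calls in the `@@ -691` and `@@ -704` hunks still skip TLS validation unless the operator remembers `-v`, and the help string `"verify"` says neither what is verified nor that it is off by default; `required=False` and `default=False` are also redundant with `action="store_true"`. Suggest `argparser.add_argument("-v", "--verify", action="store_true", help="verify the SOAR platform's TLS certificate when logging in (default: off)")`, and if this harness is ever pointed at a platform with a private CA, a string-valued option taking a CA bundle path would serve better than a boolean, since `requests` accepts either for `verify`. The `sys.exit` replacements are right: the bare `exit` builtin is only guaranteed in interactive sessions. `main()` continues past the first hunk.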
@@ -1,3 +1,2 @@ **Unreleased** - -- Changed the verdict from 'INFORMATIONAL' to 'NO_THREAT' [PAPP-34526]. \ No newline at end of file +* Changed the verdict from 'INFORMATIONAL' to 'NO_THREAT'. \ No newline at end of file From b69dedd864830ab7f5040f8c77554bc5f7160f4e Mon Sep 17 00:00:00 2001 From: root Date: Mon, 9 Sep 2024 02:05:29 -0700 Subject: [PATCH 6/6] Release notes for version 1.2.1 --- LICENSE | 2 +- README.md | 8 ++++---- release_notes/1.2.1.md | 1 + release_notes/unreleased.md | 1 - 4 files changed, 6 insertions(+), 6 deletions(-) create mode 100644 release_notes/1.2.1.md diff --git a/LICENSE b/LICENSE index d03c7f6..747c747 100644 --- a/LICENSE +++ b/LICENSE @@ -198,4 +198,4 @@ distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and - limitations under the License. + limitations under the License. \ No newline at end of file diff --git a/README.md b/README.md index 117e3ce..3832762 100644 --- a/README.md +++ b/README.md @@ -2,7 +2,7 @@ # Metadefender Sandbox Publisher: OPSWAT -Connector Version: 1.2.1 +Connector Version: 1.2.1 Product Vendor: OPSWAT Product Name: MetaDefender Sandbox Product Version Supported (regex): ".\*" @@ -210,7 +210,7 @@ action_result.data.\*.taskReference.state | string | | SUCCESS action_result.summary.flow_id | string | | 0123456789abcdefghijklmn action_result.summary.rejected_reasons.\* | string | | ARCHIVE_ENCRYPTED action_result.summary.total_benign | numeric | | 3 -action_result.summary.total_no_threat| numeric | | 3 +action_result.summary.total_no_threat | numeric | | 3 action_result.summary.total_likely_malicious | numeric | | 3 action_result.summary.total_malicious | numeric | | 3 action_result.summary.total_rejected | numeric | | 1 
@@ -400,7 +400,7 @@ action_result.data.\*.tags.\*.tag.verdict.confidence | numeric | | 1 action_result.data.\*.tags.\*.tag.verdict.threatLevel | numeric | | 0.75 action_result.data.\*.tags.\*.tag.verdict.verdict | string | | BENIGN action_result.data.\*.updated_date | string | | 02/14/2023, 02:34:51 -action_result.data.\*.verdict | string | | suspicious +action_result.data.\*.verdict | string | | no_threat action_result.summary.available_report_count | numeric | | 3 action_result.summary.total_benign | numeric | | 3 action_result.summary.total_no_threat | numeric | | 3 @@ -434,7 +434,7 @@ action_result.data.\*.filescan_reports.\*.report_date | string | | 2023-05-25 action_result.data.\*.filescan_reports.\*.report_id | string | | 00000000-aaaa-aaaa-aaaa-aaaaaaaaaaaa action_result.data.\*.filescan_reports.\*.verdict | string | | malicious action_result.data.\*.fuzzyhash.hash | string | | 0123456789abcdefghijklmnopqrstuvwxyz0123456789abcdefghijklmnopqr -action_result.data.\*.fuzzyhash.verdict | string | | suspicious +action_result.data.\*.fuzzyhash.verdict | string | | no_threat action_result.data.\*.mdcloud.detected_av_engines | numeric | | 30 action_result.data.\*.mdcloud.scan_time | string | | 2023-05-25T01:15:45.789000 action_result.data.\*.mdcloud.total_av_engines | numeric | | 30 diff --git a/release_notes/1.2.1.md b/release_notes/1.2.1.md new file mode 100644 index 0000000..de9954b --- /dev/null +++ b/release_notes/1.2.1.md @@ -0,0 +1 @@ +* Changed the verdict from 'INFORMATIONAL' to 'NO_THREAT'. \ No newline at end of file diff --git a/release_notes/unreleased.md b/release_notes/unreleased.md index f12d648..fbcb2fd 100644 --- a/release_notes/unreleased.md +++ b/release_notes/unreleased.md @@ -1,2 +1 @@ **Unreleased** -* Changed the verdict from 'INFORMATIONAL' to 'NO_THREAT'. \ No newline at end of file