        /////////////////////////////////////////////////////
        //                                                 //
        // DoMitigate()                                    //
        //                                                 //
        /////////////////////////////////////////////////////
        //Description:  Performs the mitigation tasks selected in AgentSettings,
        //              such as disabling USB devices.
        //
        //              NOTE:  depends on DoSignatureScan()
        //
        //Returns:      true if successful
        //////////////////////////////////////////////////////
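        private unsafe bool DoMitigate()
        {
            // Section banner in the scan log so the mitigation phase is easy to find.
            AgentScanLog.AppendLine("");
            AgentScanLog.AppendLine("*********************************************");
            AgentScanLog.AppendLine("            MITIGATE/CLEAN                   ");
            AgentScanLog.AppendLine("*********************************************");
            AgentScanLog.AppendLine("");

            // Every option is read the same way: it is enabled only when the key is
            // present AND its value is the literal string "True". A missing key is
            // treated as "disabled" instead of throwing on the indexer, which is
            // what the autorun/USB lookups below previously risked.
            bool removeReferences =
                AgentSettings.ContainsKey("Option_Delete_MalwareFoundInRegistry")
                && AgentSettings["Option_Delete_MalwareFoundInRegistry"] == "True";
            bool disableAutorun =
                AgentSettings.ContainsKey("Option_Disable_Autorun")
                && AgentSettings["Option_Disable_Autorun"] == "True";
            bool disableUsb =
                AgentSettings.ContainsKey("Option_Disable_USB")
                && AgentSettings["Option_Disable_USB"] == "True";

            // Helper instances for each finding category (local names no longer
            // shadow their type names).
            RegistryHelper regHelper = new RegistryHelper();
            FileHelper fileHelper = new FileHelper();
            MemoryHelper memHelper = new MemoryHelper();

            //=============================================
            //          Clean signature matches
            //=============================================
            // Each match array is populated by the preceding scan; null or empty
            // means nothing was found in that category, so the helper is skipped.
            if (AgentSignatureMatches.RegistrySignatureMatches != null
                && AgentSignatureMatches.RegistrySignatureMatches.Length > 0)
            {
                // removeReferences additionally deletes the on-disk files that the
                // registry findings point to.
                regHelper.CleanRegistryFindings(ref AgentSignatureMatches.RegistrySignatureMatches, removeReferences);
            }
            if (AgentSignatureMatches.FileSignatureMatches != null
                && AgentSignatureMatches.FileSignatureMatches.Length > 0)
            {
                fileHelper.CleanFileFindings(ref AgentSignatureMatches.FileSignatureMatches);
            }
            if (AgentSignatureMatches.MemorySignatureMatches != null
                && AgentSignatureMatches.MemorySignatureMatches.Length > 0)
            {
                memHelper.CleanMemoryFindings(ref AgentSignatureMatches.MemorySignatureMatches);
            }

            //=============================================
            //          Disable/Disassociate autorun
            //=============================================
            // System-wide hardening step; only taken when explicitly enabled in settings.
            if (disableAutorun)
            {
                Mitigate.DisableAndDisassociateAutorun();
            }

            //=============================================
            //          Disable USB
            //=============================================
            // System-wide hardening step; only taken when explicitly enabled in settings.
            if (disableUsb)
            {
                Mitigate.DisableUseOfUSBDevices();
            }

            AgentScanLog.AppendLine("MITIGATE:  Cleanup process complete.");
            AgentScanLog.AppendLine("MITIGATE:  Closing log file...");
            // Local time is used deliberately: this line is part of the human-readable log.
            AgentScanLog.AppendLine("FINALIZE:  Codeword exiting on " + DateTime.Now.ToString("MM/dd/yyyy HH:mm:ss"));

            // NOTE(review): the helpers and Mitigate calls do not report failure to
            // this method, so the return value is currently always true.
            return true;
        }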