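/////////////////////////////////////////////////////
//                                                 //
// DoMitigate()                                    //
//                                                 //
/////////////////////////////////////////////////////
//Description:  Cleans the registry, file and memory
//              signature matches recorded in
//              AgentSignatureMatches, then applies the
//              optional autorun and USB hardening steps
//              selected in AgentSettings.
//
//              NOTE:  depends on DoSignatureScan()
//              (presumably because that is what fills
//              AgentSignatureMatches -- confirm).
//
//              An option whose key is absent from
//              AgentSettings is treated as not enabled.
//
//Returns:      always true; failures inside the helper
//              calls are not reflected in the result.
//////////////////////////////////////////////////////
private unsafe bool DoMitigate()
{
    AgentScanLog.AppendLine("");
    AgentScanLog.AppendLine("*********************************************");
    AgentScanLog.AppendLine(" MITIGATE/CLEAN ");
    AgentScanLog.AppendLine("*********************************************");
    AgentScanLog.AppendLine("");

    //remove file references we found in registry from disk?
    //Deletion is opt-in: it only happens when the key is present and set to "True".
    bool removeReferences = AgentSettings.ContainsKey("Option_Delete_MalwareFoundInRegistry")
        && AgentSettings["Option_Delete_MalwareFoundInRegistry"] == "True";

    //instantiate our helper classes
    RegistryHelper regHelper = new RegistryHelper();
    FileHelper fileHelper = new FileHelper();
    MemoryHelper memHelper = new MemoryHelper();

    //Each finding set is cleaned only when it exists and is non-empty.
    if (AgentSignatureMatches.RegistrySignatureMatches != null
        && AgentSignatureMatches.RegistrySignatureMatches.Length > 0)
    {
        regHelper.CleanRegistryFindings(ref AgentSignatureMatches.RegistrySignatureMatches, removeReferences);
    }

    if (AgentSignatureMatches.FileSignatureMatches != null
        && AgentSignatureMatches.FileSignatureMatches.Length > 0)
    {
        fileHelper.CleanFileFindings(ref AgentSignatureMatches.FileSignatureMatches);
    }

    if (AgentSignatureMatches.MemorySignatureMatches != null
        && AgentSignatureMatches.MemorySignatureMatches.Length > 0)
    {
        memHelper.CleanMemoryFindings(ref AgentSignatureMatches.MemorySignatureMatches);
    }

    //=============================================
    //      Disable/Disassociate autorun
    //=============================================
    //Guarded with ContainsKey like the delete option above, so a settings
    //set that lacks this key cannot abort the run after the findings have
    //already been cleaned.
    if (AgentSettings.ContainsKey("Option_Disable_Autorun")
        && AgentSettings["Option_Disable_Autorun"] == "True")
    {
        Mitigate.DisableAndDisassociateAutorun();
    }

    //=============================================
    //              Disable USB
    //=============================================
    if (AgentSettings.ContainsKey("Option_Disable_USB")
        && AgentSettings["Option_Disable_USB"] == "True")
    {
        Mitigate.DisableUseOfUSBDevices();
    }

    AgentScanLog.AppendLine("MITIGATE: Cleanup process complete.");
    AgentScanLog.AppendLine("MITIGATE: Closing log file...");
    //The exit timestamp is local time with no zone offset; keep that in mind
    //when correlating this log with other hosts or tools.
    AgentScanLog.AppendLine("FINALIZE: Codeword exiting on " + DateTime.Now.ToString("MM/dd/yyyy HH:mm:ss"));

    return true;
}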