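"""Constants for AYN Antivirus.

Everything here is a plain module-level default: paths the daemon falls back
to when no configuration overrides them, scan limits, and the indicator
lists the detectors consult.  The indicator lists (extensions, process
names, domains, ports, regexes, paths) are heuristics, not proof of
compromise; how strictly a hit is treated is decided by the code that reads
them, not here.
"""

import os

# --- Default Paths ---

# Candidate config files in lookup order (system-wide first, then per-user).
# expanduser() runs at import time, so the per-user entry is fixed to the
# HOME of the importing process.
DEFAULT_CONFIG_PATHS = [
    "/etc/ayn-antivirus/config.yaml",
    os.path.expanduser("~/.ayn-antivirus/config.yaml"),
]

# Whole-filesystem scan by default.  The scanner presumably skips
# pseudo-filesystems such as /proc and /sys itself — TODO confirm there.
DEFAULT_SCAN_PATH = "/"
DEFAULT_QUARANTINE_PATH = "/var/lib/ayn-antivirus/quarantine"
DEFAULT_DB_PATH = "/var/lib/ayn-antivirus/signatures.db"
# Note the trailing slash, unlike the other paths; callers may rely on it.
DEFAULT_LOG_PATH = "/var/log/ayn-antivirus/"

# Resolve the package directory through abspath() first so the rules path
# stays valid even if __file__ is relative (e.g. the package run as a script
# from its own directory) and the process later chdir()s.
_PACKAGE_DIR = os.path.dirname(os.path.abspath(__file__))
DEFAULT_YARA_RULES_DIR = os.path.join(_PACKAGE_DIR, "signatures", "yara_rules")

# Key material for quarantined samples lives on disk.  NOTE(review): whatever
# creates this file should restrict it to the service user (mode 0o600) —
# confirm in the quarantine module.
QUARANTINE_ENCRYPTION_KEY_FILE = "/var/lib/ayn-antivirus/.quarantine.key"

# --- Database ---

DB_SCHEMA_VERSION = 1  # bump whenever the signatures.db layout changes

# --- Scan Limits ---

SCAN_CHUNK_SIZE = 65536  # 64 KB
MAX_FILE_SIZE = 100 * 1024 * 1024  # 100 MB
HIGH_CPU_THRESHOLD = 80  # percent

# --- Suspicious File Extensions ---

# Extensions that earn a file extra scrutiny.  Several of these (.py, .sh,
# .js, .so) are ubiquitous on a healthy system, so the extension alone is a
# weak signal; consumers presumably use it to raise priority rather than to
# reach a verdict — confirm.
SUSPICIOUS_EXTENSIONS = [
    ".php",
    ".sh",
    ".py",
    ".pl",
    ".rb",
    ".js",
    ".exe",
    ".elf",
    ".bin",
    ".so",
    ".dll",
]

# --- Crypto Miner Process Names ---

# Lower-case names presumably compared against running process names or
# command lines.  The last two ("randomx", "cryptonight") are algorithm
# names rather than binaries, so substring matching looks intended — confirm
# in the process scanner.  Miners are routinely renamed, so absence from this
# list proves nothing.
CRYPTO_MINER_PROCESS_NAMES = [
    "xmrig",
    "minerd",
    "cpuminer",
    "ethminer",
    "claymore",
    "phoenixminer",
    "nbminer",
    "t-rex",
    "gminer",
    "lolminer",
    "bfgminer",
    "cgminer",
    "ccminer",
    "nicehash",
    "excavator",
    "nanominer",
    "teamredminer",
    "wildrig",
    "srbminer",
    "xmr-stak",
    "randomx",
    "cryptonight",
]

# --- Crypto Pool Domains ---

# Mining-pool hostnames.  Entries are bare registrable domains, so a matcher
# presumably has to accept subdomains as well (suffix match on the label
# boundary) — confirm in the network check.
CRYPTO_POOL_DOMAINS = [
    "pool.minergate.com",
    "xmrpool.eu",
    "nanopool.org",
    "mining.pool.observer",
    "supportxmr.com",
    "pool.hashvault.pro",
    "moneroocean.stream",
    "minexmr.com",
    "herominers.com",
    "2miners.com",
    "f2pool.com",
    "ethermine.org",
    "unmineable.com",
    "nicehash.com",
    "prohashing.com",
    "zpool.ca",
    "miningpoolhub.com",
]

# --- Suspicious Mining Ports ---

# TCP ports associated with mining pools.  NOTE(review): 7777 is also
# DEFAULT_DASHBOARD_PORT below, so a network check using these defaults will
# flag the dashboard's own listener; either choose a different dashboard port
# or exempt it in the check.
SUSPICIOUS_PORTS = [
    3333,
    4444,
    5555,
    7777,
    8888,
    9999,
    14433,
    14444,
    45560,
    45700,
]

# --- Known Rootkit Files ---

# Literal paths (no globbing) whose presence is treated as a rootkit
# indicator; matching is presumably a plain existence check — confirm.
KNOWN_ROOTKIT_FILES = [
    "/usr/lib/libproc.so",
    "/usr/lib/libext-2.so",
    "/usr/lib/libns2.so",
    "/usr/lib/libpam.so.1",
    "/dev/shm/.x",
    "/dev/shm/.r",
    "/tmp/.ICE-unix/.x",
    "/tmp/.X11-unix/.x",
    "/usr/bin/sourcemask",
    "/usr/bin/sshd2",
    "/usr/sbin/xntpd",
    "/etc/cron.d/.hidden",
    "/var/tmp/.bash_history",
]

# --- Suspicious Cron Patterns ---

# Regexes run against crontab lines.  The last two (`nohup ... &` and
# `/dev/null 2>&1`) also match perfectly ordinary job lines, so hits on
# them warrant a lower severity than the download-and-pipe patterns;
# treat them as prompts to inspect, not alerts on their own.
SUSPICIOUS_CRON_PATTERNS = [
    r"curl\s+.*\|\s*sh",
    r"wget\s+.*\|\s*sh",
    r"curl\s+.*\|\s*bash",
    r"wget\s+.*\|\s*bash",
    r"/dev/tcp/",
    r"base64\s+--decode",
    r"xmrig",
    r"minerd",
    r"cryptonight",
    r"\bcurl\b.*-o\s*/tmp/",
    r"\bwget\b.*-O\s*/tmp/",
    r"nohup\s+.*&",
    r"/dev/null\s+2>&1",
]

# --- Malicious Environment Variables ---

# Environment variables that change how binaries and shells behave and are
# unusual in a service's environment.  Two caveats for the consumer:
# "HISTFILE=/dev/null" is a NAME=VALUE pair, unlike the other entries, so a
# name-only comparison never matches it; and LD_LIBRARY_PATH, ENV and
# CDPATH are legitimately set by many tools, so they deserve a lower
# severity than LD_PRELOAD / LD_AUDIT.
MALICIOUS_ENV_VARS = [
    "LD_PRELOAD",
    "LD_LIBRARY_PATH",
    "LD_AUDIT",
    "LD_DEBUG",
    "HISTFILE=/dev/null",
    "PROMPT_COMMAND",
    "BASH_ENV",
    "ENV",
    "CDPATH",
]

# --- Dashboard ---

# NOTE(review): "0.0.0.0" binds every interface, and the credentials below
# are static defaults, so an unconfigured install exposes an admin UI with a
# guessable login to the whole network.  Deployments must override both.  A
# loopback default ("127.0.0.1") would be the safer choice; it is left
# unchanged here so existing configs keep working.
DEFAULT_DASHBOARD_HOST = "0.0.0.0"
DEFAULT_DASHBOARD_PORT = 7777  # also listed in SUSPICIOUS_PORTS — see note there
DEFAULT_DASHBOARD_DB_PATH = "/var/lib/ayn-antivirus/dashboard.db"
DASHBOARD_COLLECTOR_INTERVAL = 10  # seconds between metric samples
DASHBOARD_REFRESH_INTERVAL = 30  # JS auto-refresh seconds
DASHBOARD_MAX_THREATS_DISPLAY = 50
DASHBOARD_MAX_LOG_LINES = 20
DASHBOARD_SCAN_HISTORY_DAYS = 30
DASHBOARD_METRIC_RETENTION_HOURS = 168  # 7 days

# Dashboard authentication.  NOTE(review): a fixed default password is a
# well-known weakness; the dashboard should refuse to serve (or force a
# change on first login) while this value is still in use — confirm that is
# enforced in the dashboard module.
DEFAULT_DASHBOARD_USERNAME = "admin"
DEFAULT_DASHBOARD_PASSWORD = "ayn@2024"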