https-moralis.io-/AmMonitoringInstall.mof at main · ferhter/https-moralis.io- · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
// AmMonitoringInstall.mof : mof source for Malware class
//
// Copyright (c) Microsoft Corporation. All rights reserved.
//
// This file will be processed by MOFCOMP utility to
// register the provider with the WMI repository.
//

#pragma autorecover

#pragma namespace ("\\\\.\\root\\Microsoft\\SecurityClient")

////////////////////////////////////////////////////////
// Declare WMI class : Malware
////////////////////////////////////////////////////////

[
    Description("Describes malware detected by Forefront Antimalware"): ToInstance ToSubClass,
    dynamic: DisableOverride ToInstance,
    provider("AntimalwareMonitoringProvider"): ToInstance ToSubClass
]
class Malware: SerializableToXml
{
    string SchemaVersion = "1.0.0.0"; // derived from SerializableToXml

    [
        Description("Detection time in the Round-Trip Format"): ToInstance ToSubClass,
        read: ToInstance ToSubClass
    ]
    string DetectionTime;

    [
        Description("Action Time in the Round-Trip Format"): ToInstance ToSubClass,
        read: ToInstance ToSubClass
    ]
    string ActionTime;

    [
        Description("Version of the security client"): ToInstance ToSubClass,
        read: ToInstance ToSubClass
    ]
    string ProductVersion;

    [
        Description("Unique Detection ID (GUID)"): ToInstance ToSubClass,
        read: ToInstance ToSubClass,
        key
    ]
    string DetectionID;

    [
        Description("How was the malware detected (Enumeration)? RTP/Scheduled Scan/..."): ToInstance ToSubClass,
        read: ToInstance ToSubClass,
        ValueMap {"0", "1", "2", "3", "4", "5", "6", "7", "8", "9"},
        Values {"Unknown", "User", "System", "Realtime", "IOAV", "NIS", "BHO", "ELAM", "LocalAttestation", "RemoteAttestation"}
    ]
    uint8 DetectionSource;

    [
        Description("Pending actions (bit flags indicating reboot/full scan/manual steps required)"): ToInstance ToSubClass,
        read: ToInstance ToSubClass,
        ValueMap { "0", "4", "8", "12", "16", "20", "24", "28", "32768", "32772", "32776", "32780", "32784", "32788", "32792", "32796" },
        Values { "None", "FullScanRequired", "RebootRequired", "FullScanAndRebootRequired", "ManualStepsRequired", "FullScanAndManualStepsRequired", "RebootAndManualStepsRequired", "FullScanAndRebootAndManualStepsRequired", "OfflineScanRequired", "FullScanAndOfflineScanRequired", "RebootAndOfflineScanRequired", "FullScanAndRebootAndOfflineScanRequired", "ManualStepsAndOfflineScanRequired", "FullScanAndManualStepsAndOfflineScanRequired", "RebootAndManualStepsAndOfflineScanRequired", "FullScanAndRebootAndManualStepsAndOfflineScanRequired" }
    ]
    uint32 PendingActions;

    [
        Description("Infected process"): ToInstance ToSubClass,
        read: ToInstance ToSubClass
    ]
    string Process;

    [
        Description("Domain hosting the user"): ToInstance ToSubClass,
        read: ToInstance ToSubClass
    ]
    string Domain = "Domain";

    [
        Description("User account hosting the infected process"): ToInstance ToSubClass,
        read: ToInstance ToSubClass
    ]
    string User;

    [
        Description("Name of the threat"): ToInstance ToSubClass,
        read: ToInstance ToSubClass
    ]
    string ThreatName;

    [
        Description("Threat ID - Enumeration"): ToInstance ToSubClass,
        read: ToInstance ToSubClass
    ]
    sint64 ThreatID;

    [
        Description("Severity ID - Enumeration"): ToInstance ToSubClass,
        read: ToInstance ToSubClass,
        ValueMap {"0", "1", "2", "4", "5"},
        Values {"Unknown", "Low", "Moderate", "High", "Severe"}
    ]
    uint8 SeverityID;

    [
        Description("Category ID - Enumeration"): ToInstance ToSubClass,
        read: ToInstance ToSubClass,
        ValueMap { "0", "1", "2", "3", "4", "5", "6", "7,"  "8", "9", "10", "11", "12", "13", "14", "15", "16", "17", "18", "19", "20", "21", "22", "23", "24", "25", "26", "27", "28", "29", "30", "31", "32", "33", "34", "36", "37", "38", "39", "40", "42", "43", "44", "45", "46", "47", "48" },
        Values { "INVALID", "ADWARE", "SPYWARE", "PASSWORDSTEALER", "TROJANDOWNLOADER", "WORM", "BACKDOOR", "REMOTEACCESSTROJAN", "TROJAN", "EMAILFLOODER", "KEYLOGGER", "DIALER", "MONITORINGSOFTWARE", "BROWSERMODIFIER", "COOKIE", "BROWSERPLUGIN", "AOLEXPLOIT", "NUKER", "SECURITYDISABLER", "JOKEPROGRAM", "HOSTILEACTIVEXCONTROL", "SOFTWAREBUNDLER", "STEALTHNOTIFIER", "SETTINGSMODIFIER", "TOOLBAR", "REMOTECONTROLSOFTWARE", "TROJANFTP", "POTENTIALUNWANTEDSOFTWARE", "ICQEXPLOIT", "TROJANTELNET", "FILESHARINGPROGRAM", "MALWARE_CREATION_TOOL", "REMOTE_CONTROL_SOFTWARE", "TOOL", "TROJAN_DENIALOFSERVICE", "TROJAN_DROPPER", "TROJAN_MASSMAILER", "TROJAN_MONITORINGSOFTWARE", "TROJAN_PROXYSERVER", "VIRUS", "KNOWN", "UNKNOWN", "SPP", "BEHAVIOR", "VULNERABILTIY", "POLICY" }
    ]
    uint8 CategoryID;

    [
        Description("Path to infected resource"): ToInstance ToSubClass,
        read: ToInstance ToSubClass
    ]
    string Path;

    [
        Description("Cleaning Action - Enumeration"): ToInstance ToSubClass,
        read: ToInstance ToSubClass,
        ValueMap { "0", "1", "2", "3", "6", "8", "9", "10" },
        Values { "UNKNOWN", "CLEAN", "QUARANTINE", "REMOVE", "ALLOW", "USERDEFINED", "NOACTION", "BLOCK" }
    ]
    uint8 CleaningAction;

    [
        Description("What happened to the malware? (Enumeration)? Blocked/Allowed/Executing/..."): ToInstance ToSubClass,
        read: ToInstance ToSubClass,
        ValueMap {"0", "1", "2", "3", "4"},
        Values {"Unknown", "Blocked", "Allowed", "Executing", "NotExecuting"}
    ]
    uint8 ExecutionStatus;

    [
        Description("Was the cleaning action successful?"): ToInstance ToSubClass,
        read: ToInstance ToSubClass
    ]
    boolean ActionSuccess;

    [
        Description("Error code if cleaning action failed"): ToInstance ToSubClass,
        read: ToInstance ToSubClass
    ]
    sint32 ErrorCode;
};


////////////////////////////////////////////////////////
// instance of the provider class
////////////////////////////////////////////////////////

instance of Win32_ProviderEx as $AntimalwareMonitoringProvider
{
    Name    = "AntimalwareMonitoringProvider";   //Name is the key property for __Provider objects.
                                        //vendor|provider|version is the suggested format
                                        //to prevent name collisions.

    ClsId   = "{DACA056E-216A-4FD1-84A6-C306A017ECEC}" ;     //provider GUID


    DefaultMachineName = NULL;         //NULL for local machine

    ClientLoadableCLSID = NULL;         //reserved

    ImpersonationLevel = 1;             //reserved

    InitializationReentrancy = 0;       //Set of flags that provide information about serialization:
                                        //0 = all initialization of this provider must be serialized
                                        //1 = all initializations of this provider in the same namespace must be serialized
                                        //2 = no initialization serialization is necessary

    InitializeAsAdminFirst = FALSE;     //Request to be fully initialized as "Admin" before
                                        //initializations begin for users

    PerLocaleInitialization = FALSE;    //Indicates whether the provider is initialized for each
                                        //locale if a user connects to the same namespace more
                                        //than once using different locales.

    PerUserInitialization = TRUE;       //Indicates whether the provider is initialized once for each actual
                                        //Windows NT/Windows 2000 NTLM user making requests of the provider.
                                        //If set to FALSE, the provider is initialized once for all users

    Pure = TRUE;                        //A pure provider exists only to service requests from
                                        //applications and WMI. Most providers are pure providers.
                                        //Non-pure providers transition to the role of client after they have
                                        //finished servicing requests.


    UnloadTimeout = NULL;               //Currently ignored
                                        //Use __CacheControl class in the root namespace to control provider unloading.
                                        //A string in the DMTF date/time format that specifies how long WMI
                                        //allows the provider to remain idle before it is unloaded.


} ;


////////////////////////////////////////////////////////
// registration of the instance of the provider class
////////////////////////////////////////////////////////

instance of __InstanceProviderRegistration
{
    Provider = $AntimalwareMonitoringProvider;

    SupportsPut = "FALSE";
    SupportsGet = "FALSE";
    SupportsDelete = "FALSE";
    SupportsEnumeration = "TRUE";


};