Block Hashes From External Tools

Blocking executables in Enterprise Inspector can be done by calling its REST API from a scripting language such as Python. First, the user logs in to the EEI Server with a username and password and receives a token in return. The user can then call the hash-blocking endpoint, passing the hash and the previously received token. Here are the details of both REST calls:

1. Login request:

Method: “PUT”

URL: “[server_address]/FRONTEND/LOGIN”

Body: JSON object with fields:

- “username” – string

- “password” – string

Response:
On success, the token is returned in the response header “X-Security-Token”.

2. Ban hash request:

Method: “PUT”

URL: “[server_address]/FRONTEND/HASHES/BLOCK”

Body: JSON object with fields:

- “sha1” – an array of strings, each the hexadecimal SHA-1 of an executable to be blocked (a single hash must still be wrapped in an array)

- “shouldClean” – bool indicating whether the executables should also be cleaned

- “comment” – the string that will be displayed in EEI in the list of blocked hashes

Headers:

- “Authorization” – string: “Bearer ” + token

 

Python code example:

import requests

 
# disable warnings caused by using requests with verify=False argument
# NOTE: this only silences urllib3's InsecureRequestWarning.  The requests below
# still pass verify=False, i.e. the server certificate is not validated, so the
# login credentials and the bearer token are sent without the server's identity
# being checked.  Pass verify=True (or a CA-bundle path) where the server
# certificate can be trusted, and this line becomes unnecessary.
requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)

 
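# helper function to check request response; may raise Exception
def _check_response(res, error_message):
    """Raise unless ``res`` is an HTTP 200 reply from the EEI server.

    Args:
        res: a ``requests.Response``; only ``status_code`` and ``reason`` are read.
        error_message: optional context prefixed to the error text, e.g. "Login failed".
            An empty value adds no prefix.

    Raises:
        RuntimeError: for any status other than 200.  ``RuntimeError`` is a subclass
            of ``Exception``, so callers that catch ``Exception`` keep working.
    """
    if res.status_code == 200:
        return
    message = "EI Server replied with: {0} ({1}).".format(res.status_code, res.reason)
    if error_message:
        message = "{0}. {1}".format(error_message, message)
    # A specific exception type instead of bare Exception lets callers distinguish
    # server-side rejections from unrelated failures.
    raise RuntimeError(message)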

 
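def get_token(user, password, server_address, server_port, verify=False, timeout=None):
    """Log in to the EEI server and return the session token.

    Args:
        user: EEI username.
        password: EEI password.
        server_address: host name or IP address of the EEI server.
        server_port: HTTPS port of the EEI server.
        verify: forwarded to ``requests`` as the TLS certificate check.  Defaults to
            ``False`` to keep the original example working against a self-signed
            server; pass ``True`` or a CA-bundle path so the server is authenticated
            before the credentials are sent.
        timeout: optional ``requests`` timeout in seconds; ``None`` (the default,
            as in the original) waits indefinitely.

    Returns:
        dict with ``server`` (base URL, trailing slash) and ``token`` (value of the
        ``X-Security-Token`` response header), suitable for :func:`ban_hash`.

    Raises:
        RuntimeError: if the login succeeds (200) but the reply carries no
            ``X-Security-Token`` header.  A non-200 reply is reported by
            ``_check_response`` (an ``Exception`` subclass either way).
    """
    server = "https://{0}:{1}/".format(server_address, server_port)
    response = requests.put(
        server + "FRONTEND/LOGIN",
        verify=verify,
        timeout=timeout,
        json={"username": user, "password": password},
    )
    _check_response(response, "Login failed")
    token = response.headers.get("X-Security-Token")
    if not token:
        # Without this check a missing header would only surface later as an
        # opaque 401 from ban_hash; fail here with a precise message instead.
        raise RuntimeError("Login failed. Response has no X-Security-Token header.")
    return {"server": server, "token": token}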

 
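def ban_hash(token, sha1, should_clean=True, comment="", verify=False, timeout=None):
    """Block one or more executables by SHA-1 on the EEI server.

    Args:
        token: the dict returned by :func:`get_token` (``server`` and ``token`` keys).
        sha1: hexadecimal SHA-1 of the executable as a string, or a list/tuple of
            such strings.  The API always expects an array, so a single string is
            wrapped automatically (the original behaviour).
        should_clean: value of the ``shouldClean`` field - whether matching
            executables are also cleaned.
        comment: text displayed in the EEI list of blocked hashes.
        verify: forwarded to ``requests`` as the TLS certificate check; defaults to
            ``False`` like the original example.  Pass ``True`` or a CA-bundle path
            so the bearer token is only sent to an authenticated server.
        timeout: optional ``requests`` timeout in seconds; ``None`` waits indefinitely.

    Raises:
        ValueError: if ``sha1`` is empty or contains an empty string.
        Exception: via ``_check_response`` when the server does not reply with 200.
    """
    hashes = [sha1] if isinstance(sha1, str) else list(sha1)
    if not hashes or not all(hashes):
        # Reject obviously malformed input locally rather than sending an empty
        # block list to the server.
        raise ValueError("ban_hash: at least one non-empty sha1 string is required")
    headers = {"Authorization": "Bearer {0}".format(token["token"])}
    response = requests.put(
        token["server"] + "FRONTEND/HASHES/BLOCK",
        headers=headers,
        verify=verify,
        timeout=timeout,
        json={"sha1": hashes, "shouldClean": should_clean, "comment": comment},
    )
    _check_response(response, "Ban hash failed")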

 
# Example invocation.  The credentials and SHA-1 below are placeholders for the
# example; a real script should obtain the password from a prompt or a secret
# store rather than embedding it in source.
token = get_token(user="Admin", password="supersecretpassword",
                  server_address="localhost", server_port=8889)
ban_hash(token, sha1="1234567890abcdef1234567890abcdef12345678")

 

JavaScript code example:

/**
 * Create a WinHTTP request object (WSH/JScript, via ActiveX).
 *
 * Option(4) is WinHttpRequestOption_SslErrorIgnoreFlags.  The value 0x1100
 * combines the WinHTTP flags for ignoring an unknown CA (0x0100) and a
 * certificate name mismatch (0x1000); this is what lets the example talk to a
 * self-signed EEI server, at the cost of not validating the server certificate.
 * @returns {Object} a fresh WinHttp.WinHttpRequest.5.1 instance
 */
function getConnection() {
    var request = new ActiveXObject("WinHttp.WinHttpRequest.5.1");
    // JScript indexed-property assignment: sets SslErrorIgnoreFlags to 0x1100.
    request.Option(4) = 0x1100;
    return request;
}

 
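/**
 * Throw unless the completed WinHTTP request reports HTTP 200.
 * @param {Object} res - WinHttpRequest after Send(); only Status and StatusText are read
 * @param {string} [errorMessage] - context prefixed to the error text, e.g. "Login failed";
 *   an empty value adds no prefix
 * @throws {Error} "<errorMessage>. EI Server replied with: <Status> (<StatusText>)."
 */
function checkResponse(res, errorMessage) {
    // Strict comparison: Status is numeric, so a string "200" must not pass.
    if (res.Status === 200) {
        return;
    }
    var message = "EI Server replied with: " + res.Status + " (" + res.StatusText + ").";
    if (errorMessage) {
        message = errorMessage + ". " + message;
    }
    throw new Error(message);
}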

 
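/**
 * Log in to the EEI server and return the session token.
 * @param {string} user - EEI username
 * @param {string} password - EEI password
 * @param {string} server_address - host name or IP address of the EEI server
 * @param {number|string} server_port - HTTPS port of the EEI server
 * @returns {{token: string, server: string}} the X-Security-Token header value and
 *   the base URL (with trailing slash), for use with banHash
 * @throws {Error} via checkResponse when the server does not reply with 200
 */
function getToken(user, password, server_address, server_port) {
    var connection = getConnection();
    var server = "https://" + server_address + ":" + server_port + "/";

    // Third argument false = synchronous request; Send() blocks until the reply arrives.
    connection.Open("PUT", server + "FRONTEND/LOGIN", false);

    // Build the body with JSON.stringify so quotes and backslashes in the
    // credentials are escaped instead of breaking, or altering, the request body.
    // JSON is built into JScript 5.8 and later; confirm on the host running this.
    var body = JSON.stringify({ username: user, password: password });
    connection.Send(body);
    checkResponse(connection, "Login failed");

    return { token: connection.GetResponseHeader("X-Security-Token"), server: server };
}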

 
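/**
 * Block one executable by SHA-1 on the EEI server.
 * @param {{token: string, server: string}} token - object returned by getToken
 * @param {string} sha1 - hexadecimal SHA-1 of the executable; the API wants an array,
 *   so it is wrapped here
 * @param {boolean} shouldClean - whether matching executables are also cleaned
 * @param {string} comment - text displayed in the EEI list of blocked hashes
 * @throws {Error} via checkResponse when the server does not reply with 200
 */
function banHash(token, sha1, shouldClean, comment) {
    var connection = getConnection();
    // Third argument false = synchronous request.
    connection.Open("PUT", token.server + "FRONTEND/HASHES/BLOCK", false);

    connection.SetRequestHeader("Authorization", "Bearer " + token.token);

    // JSON.stringify escapes quotes/backslashes in sha1 and comment and emits
    // shouldClean as a JSON boolean, instead of splicing raw strings into the body.
    var body = JSON.stringify({ sha1: [sha1], shouldClean: shouldClean, comment: comment });
    connection.Send(body);

    checkResponse(connection, "Ban hash failed");
}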

 
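// Example invocation.  The credentials and SHA-1 are placeholders for the example;
// a real script should obtain the password from a prompt or a secret store
// rather than embedding it in source.
var token = getToken("Admin", "supersecretcode", "localhost", 8889);
banHash(token, "1234567890abcdef1234567890abcdef12345678", true, "");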