Blocking executables in ESET Inspect can be automated by calling its REST API from a scripting language such as Python. First, the client logs in to the ESET Inspect Server with a username and password and receives a session token. It then calls the hash-blocking endpoint, passing the hash and that token. The token is a bearer credential—whoever holds it acts as the logged-in user—so both calls must be made over TLS with certificate verification enabled; the examples below switch verification off, which is acceptable only against a throw-away lab server. Here are the details of both REST calls:
Login request
Method: “PUT”
URL: “https://[server_address]:[port]/FRONTEND/LOGIN”
Body: JSON object with fields:
“username”—string
“password”—string
Response:
On success, the session token is returned in the response header “X-Security-Token”. Treat it like the password: keep it out of logs, command lines and source control, and do not persist it to disk.
Ban hash request
Method: “PUT”
URL: “https://[server_address]:[port]/FRONTEND/HASHES/BLOCK”
Body: JSON object with fields:
“sha1”—an array of strings, each the 40-character hexadecimal SHA-1 digest of an executable to block (a single hash must still be wrapped in an array)
“shouldClean”—bool; when true the matching executables are also cleaned, not merely blocked from running
“comment”—the string that will be displayed in ESET Inspect in a list of blocked hashes
Headers:
“Authorization”—string: “Bearer ” + token (note the single space after “Bearer”)
Python code example:
import getpass
import os

import requests
# Silence urllib3's InsecureRequestWarning, which fires on every request made with verify=False.
# NOTE(review): this hides the symptom, not the problem. With certificate verification off, anyone
# who can impersonate the server (a man-in-the-middle) receives the password and the session token.
# Prefer verify=True or a CA-bundle path and delete these lines; keep them only for a lab server.
_urllib3 = requests.packages.urllib3
_urllib3.disable_warnings(_urllib3.exceptions.InsecureRequestWarning)
# helper function to check request response; may raise Exception
def _check_response(res, error_message):
    """Raise if the ESET Inspect server answered with anything other than HTTP 200.

    Args:
        res: a ``requests`` response; only ``status_code`` and ``reason`` are read.
        error_message: optional context prepended to the raised message (skipped when empty).

    Raises:
        Exception: when ``res.status_code`` is not 200.
    """
    if res.status_code == 200:
        return
    detail = "EI Server replied with: {0} ({1}).".format(res.status_code, res.reason)
    if error_message:
        detail = "{0}. {1}".format(error_message, detail)
    raise Exception(detail)
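def get_token(user, password, server_address, server_port, *, verify=True, timeout=30):
    """Log in to ESET Inspect (PUT FRONTEND/LOGIN) and return the session token.

    Args:
        user, password: ESET Inspect credentials, sent as the JSON body ``{"username", "password"}``.
        server_address, server_port: host and port; the base URL is always ``https://``.
        verify: TLS certificate verification handed to ``requests`` — ``True`` (default), a path to
            a CA bundle, or ``False``. Keyword-only. The original example passed ``False``
            unconditionally; with verification off, anyone able to impersonate the server receives
            the password and the returned token in clear.
        timeout: seconds before ``requests`` gives up (the original set none and could hang forever).

    Returns:
        ``{"server": <base URL ending in "/">, "token": <X-Security-Token value>}`` — the dict that
        ``ban_hash`` consumes.

    Raises:
        Exception: from ``_check_response`` when the reply is not 200, or when a 200 reply carries no
            ``X-Security-Token`` header (the original silently returned ``None`` as the token and the
            failure only surfaced later as a rejected "Bearer None" header).
    """
    server = "https://{0}:{1}/".format(server_address, server_port)
    response = requests.put(server + "FRONTEND/LOGIN", verify=verify, timeout=timeout,
                            json={"username": user, "password": password})
    _check_response(response, "Login failed")
    token = response.headers.get("X-Security-Token")
    if not token:
        raise Exception("Login failed. EI Server replied 200 but sent no X-Security-Token header.")
    return {"server": server, "token": token}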
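def ban_hash(token, sha1, should_clean=True, comment="", *, verify=True, timeout=30):
    """Block one or more executables by SHA-1 (PUT FRONTEND/HASHES/BLOCK).

    Args:
        token: the dict returned by ``get_token`` — ``token["server"]`` is the base URL and
            ``token["token"]`` the bearer token sent in the ``Authorization`` header.
        sha1: one 40-character hexadecimal SHA-1 string, or an iterable of them. The API always
            takes an array, so a single string is wrapped for the caller.
        should_clean: sent as ``shouldClean`` — also clean the matching executables, not only
            block them. Coerced to bool so the JSON field is always a boolean.
        comment: free text shown next to the entry in the blocked-hashes list.
        verify: TLS certificate verification handed to ``requests`` — ``True`` (default), a CA-bundle
            path, or ``False``. Keyword-only; see ``get_token`` for why ``False`` is dangerous.
        timeout: seconds before ``requests`` gives up.

    Raises:
        ValueError: when no hash is given or any hash is not exactly 40 hex characters. Checked before
            any network call so a typo cannot send a malformed or unintended block request.
        Exception: from ``_check_response`` when the server does not reply 200.
    """
    hashes = [sha1] if isinstance(sha1, str) else list(sha1)
    if not hashes:
        raise ValueError("ban_hash: no hash given")
    hex_digits = set("0123456789abcdefABCDEF")
    for digest in hashes:
        if not (isinstance(digest, str) and len(digest) == 40 and all(c in hex_digits for c in digest)):
            raise ValueError("ban_hash: not a 40-character hexadecimal SHA-1: {0!r}".format(digest))
    headers = {"Authorization": "Bearer {0}".format(token["token"])}
    response = requests.put(token["server"] + "FRONTEND/HASHES/BLOCK", headers=headers,
                            verify=verify, timeout=timeout,
                            json={"sha1": hashes, "shouldClean": bool(should_clean), "comment": comment})
    _check_response(response, "Ban hash failed")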
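if __name__ == "__main__":
    # Never embed the password in the script: it ends up in source control, backups and shell
    # history. Take it from the EI_PASSWORD environment variable, or prompt without echo.
    _password = os.environ.get("EI_PASSWORD") or getpass.getpass("ESET Inspect password: ")
    token = get_token("More", _password, "localhost", 8889)
    ban_hash(token, "1234567890abcdef1234567890abcdef12345678")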
JavaScript code example:
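// Create the WinHttpRequest object used for every call to the ESET Inspect server.
// ignoreSslErrors (optional): when truthy, set WinHttpRequestOption_SslErrorIgnoreFlags
// (option index 4) to 0x1100 — ignore unknown CA (0x0100) and certificate-name mismatch
// (0x1000) — exactly as the original example did unconditionally. The default now verifies
// the certificate: with those flags set, anyone able to impersonate the server receives the
// password and the session token in clear. Opt in only against a throw-away lab server.
function getConnection(ignoreSslErrors) {
    var http = new ActiveXObject("WinHttp.WinHttpRequest.5.1");
    if (ignoreSslErrors) {
        http.Option(4) = 0x1100;
    }
    return http;
}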
// Throw when the ESET Inspect server answered with anything other than HTTP 200.
// res: the WinHttpRequest after Send (only Status and StatusText are read).
// errorMessage: optional context prefixed to the thrown message; skipped when empty.
function checkResponse(res, errorMessage) {
    if (res.Status == 200) {
        return;
    }
    var detail = "EI Server replied with: " + res.Status + " (" + res.StatusText + ").";
    throw new Error(errorMessage ? errorMessage + ". " + detail : detail);
}
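// Serialize a value as a JSON string literal (quotes, backslashes and control characters
// escaped). WSH JScript has no JSON object, and the original example spliced the raw
// username, password and comment into the request body, so a value containing a quote or
// backslash produced malformed JSON — or, for attacker-chosen text, extra JSON fields.
function quoteJsonString(value) {
    var text = String(value);
    var out = '"';
    for (var i = 0; i < text.length; i++) {
        var ch = text.charAt(i);
        var code = text.charCodeAt(i);
        if (ch === '"' || ch === '\\') {
            out += '\\' + ch;
        } else if (ch === '\n') {
            out += '\\n';
        } else if (ch === '\r') {
            out += '\\r';
        } else if (ch === '\t') {
            out += '\\t';
        } else if (code < 0x20) {
            out += '\\u' + ('000' + code.toString(16)).slice(-4);
        } else {
            out += ch;
        }
    }
    return out + '"';
}

// Log in (PUT FRONTEND/LOGIN) and return {token, server}: the X-Security-Token header value
// and the https base URL (ending in "/") that banHash expects. Throws via checkResponse when
// the server does not reply 200. The token is a bearer credential — keep it out of logs.
function getToken(user, password, server_address, server_port) {
    var connection = getConnection();
    var server = "https://" + server_address + ":" + server_port + "/";
    connection.Open("PUT", server + "FRONTEND/LOGIN", false);
    var body = '{"username": ' + quoteJsonString(user) + ', "password": ' + quoteJsonString(password) + '}';
    connection.Send(body);
    checkResponse(connection, "Login failed");
    return { token: connection.GetResponseHeader("X-Security-Token"), server: server };
}

// Block one executable by SHA-1 (PUT FRONTEND/HASHES/BLOCK). token: the object from getToken;
// sha1: a 40-character hexadecimal digest (validated before anything is sent, so a typo cannot
// issue a malformed or unintended block); shouldClean: also clean matching executables, not only
// block them (coerced to a JSON boolean); comment: free text shown in the blocked-hashes list.
function banHash(token, sha1, shouldClean, comment) {
    if (!/^[0-9a-fA-F]{40}$/.test(String(sha1))) {
        throw new Error("banHash: not a 40-character hexadecimal SHA-1: " + sha1);
    }
    var connection = getConnection();
    connection.Open("PUT", token.server + "FRONTEND/HASHES/BLOCK", false);
    connection.SetRequestHeader("Authorization", "Bearer " + token.token);
    var body = '{"sha1": [' + quoteJsonString(sha1) + '], "shouldClean": ' + (shouldClean ? 'true' : 'false') +
        ', "comment": ' + quoteJsonString(comment === undefined ? "" : comment) + '}';
    connection.Send(body);
    checkResponse(connection, "Ban hash failed");
}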
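// Entry point. The password is taken from the EI_PASSWORD environment variable rather than being
// embedded in the script, so it does not end up in source control or in clear text on disk.
// ExpandEnvironmentStrings returns the placeholder unchanged when the variable is not set.
var shell = new ActiveXObject("WScript.Shell");
var password = shell.ExpandEnvironmentStrings("%EI_PASSWORD%");
if (password === "%EI_PASSWORD%" || password === "") {
    throw new Error("Set the EI_PASSWORD environment variable before running this script.");
}
var token = getToken("More", password, "localhost", 8889);
banHash(token, "1234567890abcdef1234567890abcdef12345678", true, "");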