You can block executables in ESET Inspect by calling its REST API from a scripting language such as Python. First, log in to the ESET Inspect Server with your username and password; the server returns a token. Then call the hash-blocking request, passing the hash and the token. Here are the details for both REST calls:
Login request
Method: “PUT”
URL: “[server_address]/FRONTEND/LOGIN”
Body: JSON object with fields:
“username”—string
“password”—string
Response:
The token is returned in the “X-Security-Token” response header.
Ban hash request
Method: “PUT”
URL: “[server_address]/FRONTEND/HASHES/BLOCK”
Body: JSON object with fields:
“sha1”—an array of strings, each the hexadecimal SHA-1 of an executable to block (a single hash must still be wrapped in an array)
“shouldClean”— a bool indicating if executables should be cleaned
“comment”—the string that ESET Inspect will display in the blocked hashes list
Headers:
“Authorization”—string: “Bearer ” + token
Python example:
import requests
# The example's requests are sent with verify=False, so urllib3 would emit an
# InsecureRequestWarning for each call; switch that warning category off.
# This hides the warning only: TLS certificate validation stays disabled.
requests.packages.urllib3.disable_warnings(
    category=requests.packages.urllib3.exceptions.InsecureRequestWarning
)
def _check_response(res, error_message):
    """Raise Exception unless the server answered with HTTP 200.

    res: response object exposing ``status_code`` and ``reason``.
    error_message: optional context that is placed in front of the server
        status text; an empty value leaves the status text on its own.
    """
    if res.status_code == 200:
        return
    detail = "EI Server replied with: {0} ({1}).".format(res.status_code, res.reason)
    if error_message:
        detail = "{0}. {1}".format(error_message, detail)
    raise Exception(detail)
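def get_token(user, password, server_address, server_port, verify=False):
    """Log in to the ESET Inspect Server and return the session details.

    user, password: credentials sent in the JSON body of the login request.
    server_address, server_port: host and port of the server; the request
        always goes to ``https://<address>:<port>/FRONTEND/LOGIN``.
    verify: passed to ``requests`` unchanged. The default ``False`` keeps the
        original behaviour (no TLS certificate validation); pass ``True`` or
        the path of a CA bundle to have the server certificate checked.

    Returns a dict with the keys ``"server"`` (base URL), ``"token"`` (value
    of the ``X-Security-Token`` response header) and ``"verify"`` (the setting
    used here, so later calls on the same session can reuse it).

    Raises Exception when the server does not answer with HTTP 200 or when
    the reply carries no token.
    """
    server = "https://{0}:{1}/".format(server_address, server_port)
    # NOTE(security): with verify=False the server certificate is not checked,
    # so the credentials in this request and the token in the reply are exposed
    # to anyone able to intercept the connection.
    response = requests.put(
        server + "FRONTEND/LOGIN",
        verify=verify,
        json={"username": user, "password": password},
    )
    _check_response(response, "Login failed")
    security_token = response.headers.get("X-Security-Token")
    if not security_token:
        # Without this check a missing header would be returned as None and
        # only surface later as a confusing "Bearer None" authorization error.
        raise Exception(
            "Login failed. EI Server reply did not contain the X-Security-Token header."
        )
    return {"server": server, "token": security_token, "verify": verify}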
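def ban_hash(token, sha1, should_clean=True, comment=""):
    """Add one executable hash to the ESET Inspect blocked-hashes list.

    token: dict holding the base URL under ``"server"`` and the login token
        under ``"token"``. An optional ``"verify"`` entry is passed to
        ``requests`` as the TLS verification setting; when it is absent the
        request is sent with ``verify=False`` as before.
    sha1: hexadecimal SHA-1 of the executable, exactly 40 hex digits.
    should_clean: sent as ``shouldClean``.
    comment: sent as ``comment``.

    Raises ValueError when ``sha1`` is not a 40-digit hexadecimal string and
    Exception when the server does not answer with HTTP 200.
    """
    # Check the hash locally so that a truncated value or a digest of another
    # length (MD5, SHA-256) is reported here instead of being sent to the server.
    hex_digits = set("0123456789abcdefABCDEF")
    if (
        not isinstance(sha1, str)
        or len(sha1) != 40
        or not set(sha1).issubset(hex_digits)
    ):
        raise ValueError("sha1 must be a 40-character hexadecimal string")

    headers = {"Authorization": "Bearer {0}".format(token["token"])}
    # NOTE(security): verify=False means the bearer token travels over a
    # connection whose server certificate has not been validated.
    response = requests.put(
        token["server"] + "FRONTEND/HASHES/BLOCK",
        headers=headers,
        verify=token.get("verify", False),
        # The API expects an array even when only one hash is submitted.
        json={"sha1": [sha1], "shouldClean": should_clean, "comment": comment},
    )
    _check_response(response, "Ban hash failed")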
# Example values only. A real script should read the account name and password
# from a protected source instead of keeping them in the file, and should use
# an account that has no more rights than blocking hashes requires.
token = get_token(
    user="More",
    password="supersecretpassword",
    server_address="localhost",
    server_port=8889,
)
# Placeholder hash; should_clean and comment keep their defaults.
ban_hash(token, sha1="1234567890abcdef1234567890abcdef12345678")
|
JavaScript example:
function getConnection() {
    // Create a new WinHTTP request object for a single call.
    var request = new ActiveXObject("WinHttp.WinHttpRequest.5.1");
    // Option 4 is WinHttpRequestOption_SslErrorIgnoreFlags. 0x1100 combines
    // 0x0100 (unknown certificate authority) and 0x1000 (certificate name
    // mismatch), so a certificate with either problem is accepted.
    // NOTE(security): with these flags the server's identity is not verified;
    // credentials and tokens sent over this connection can be intercepted.
    // Drop the line when the server presents a certificate the client trusts.
    request.Option(4) = 0x1100;
    return request;
}
function checkResponse(res, errorMessage) {
    // Throw an Error unless the request finished with HTTP status 200.
    // errorMessage, when non-empty, is placed in front of the server status text.
    if (res.Status == 200) {
        return;
    }
    var detail = "EI Server replied with: " + res.Status + " (" + res.StatusText + ").";
    throw new Error(errorMessage ? errorMessage + ". " + detail : detail);
}
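function getToken(user, password, server_address, server_port) {
    // Log in to the ESET Inspect Server and return {token, server}, where
    // token is the value of the X-Security-Token response header and server
    // is the base URL used for the login request.
    // Throws an Error when the server does not answer with HTTP 200.

    // Serialise a value as a JSON string literal. Written by hand because the
    // script host that provides ActiveXObject may not offer a JSON object.
    // Quotes, backslashes and control characters are escaped, so a password
    // containing them can neither break the request body nor add fields to it.
    function jsonString(value) {
        var text = String(value);
        var out = '"';
        var i, ch, code;
        for (i = 0; i < text.length; i++) {
            ch = text.charAt(i);
            code = text.charCodeAt(i);
            if (ch === '"' || ch === "\\") {
                out += "\\" + ch;
            } else if (code < 0x20) {
                out += "\\u" + ("0000" + code.toString(16)).slice(-4);
            } else {
                out += ch;
            }
        }
        return out + '"';
    }

    var connection = getConnection();
    var server = "https://" + server_address + ":" + server_port + "/";
    // The third argument (false) makes the request synchronous.
    connection.Open("PUT", server + "FRONTEND/LOGIN", false);
    var body = '{"username": ' + jsonString(user) + ', "password": ' + jsonString(password) + '}';
    connection.Send(body);
    checkResponse(connection, "Login failed");
    return {token: connection.GetResponseHeader("X-Security-Token"), server: server};
}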
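function banHash(token, sha1, shouldClean, comment) {
    // Add one executable hash to the ESET Inspect blocked-hashes list.
    //   token       - object with the fields server (base URL) and token
    //   sha1        - hexadecimal SHA-1 of the executable, exactly 40 hex digits
    //   shouldClean - boolean sent as "shouldClean"; true when omitted, the same
    //                 default as the Python example
    //   comment     - text sent as "comment"; empty when omitted
    // Throws an Error for an invalid argument or a reply other than HTTP 200.

    // Serialise a value as a JSON string literal. Written by hand because the
    // script host that provides ActiveXObject may not offer a JSON object.
    function jsonString(value) {
        var text = String(value);
        var out = '"';
        var i, ch, code;
        for (i = 0; i < text.length; i++) {
            ch = text.charAt(i);
            code = text.charCodeAt(i);
            if (ch === '"' || ch === "\\") {
                out += "\\" + ch;
            } else if (code < 0x20) {
                out += "\\u" + ("0000" + code.toString(16)).slice(-4);
            } else {
                out += ch;
            }
        }
        return out + '"';
    }

    // Validate before any request is made: the values below are placed in the
    // request body, so each one must have exactly the expected form.
    if (typeof sha1 !== "string" || !/^[0-9a-fA-F]{40}$/.test(sha1)) {
        throw new Error("sha1 must be a 40-character hexadecimal SHA-1 string");
    }
    if (typeof shouldClean === "undefined") {
        shouldClean = true;
    }
    if (typeof shouldClean !== "boolean") {
        throw new Error("shouldClean must be true or false");
    }
    if (typeof comment === "undefined" || comment === null) {
        comment = "";
    }

    var connection = getConnection();
    // The third argument (false) makes the request synchronous.
    connection.Open("PUT", token.server + "FRONTEND/HASHES/BLOCK", false);
    connection.SetRequestHeader("Authorization", "Bearer " + token.token);
    // The API expects an array even when only one hash is submitted.
    var body = '{"sha1": ["' + sha1 + '"], "shouldClean": ' + (shouldClean ? "true" : "false") +
        ', "comment": ' + jsonString(comment) + '}';
    connection.Send(body);
    checkResponse(connection, "Ban hash failed");
}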
// Example values only. A real script should read the account name and password
// from a protected source instead of keeping them in the file, and should use
// an account that has no more rights than blocking hashes requires.
var token = getToken(
    "More",
    "supersecretcode",
    "localhost",
    8889
);
// Placeholder hash, cleaning enabled, empty comment.
banHash(
    token,
    "1234567890abcdef1234567890abcdef12345678",
    true,
    ""
);
|