You can block executables in ESET Inspect On-Prem by calling its REST API from a scripting language such as Python. First, log in to ESET Inspect Server by sending your username and password; the server returns a token. Then call the hash-blocking endpoint, passing the hash and the token. Here are the details for both REST calls:
Login request
Method: “PUT”
URL: “[server_address]/FRONTEND/LOGIN”
Body: JSON object with fields:
“username”—string
“password”—string
Response:
The response header "X-Security-Token" will contain the token.
Ban hash request
Method: “PUT”
URL: “[server_address]/FRONTEND/HASHES/BLOCK”
Body: JSON object with fields:
“sha1”—an array of strings, each the hexadecimal SHA-1 of an executable that will be blocked (a single hash must still be passed inside an array)
“shouldClean”— a bool indicating if executables should be cleaned
“comment”—the string that ESET Inspect will display in the blocked hashes list
Headers:
“Authorization”—string: “Bearer ” + token
Python example:
import requests
# Silence the InsecureRequestWarning that urllib3 raises for HTTPS requests sent
# with certificate verification off (verify=False). The filter applies to the
# whole process, so it also hides the only runtime hint that the server's
# certificate is not being checked.
requests.packages.urllib3.disable_warnings(
    category=requests.packages.urllib3.exceptions.InsecureRequestWarning
)
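def _check_response(res, error_message):
    """Raise if the EI Server reply is anything other than HTTP 200.

    Args:
        res: Response object exposing ``status_code`` and ``reason``.
        error_message: Optional context placed in front of the server
            status text; ignored when empty or None.

    Raises:
        RuntimeError: When ``res.status_code`` is not 200. The message holds
            the status code and reason only, never the request body, so
            credentials and tokens do not end up in logs through it.
    """
    if res.status_code == 200:
        return
    message = "EI Server replied with: {0} ({1}).".format(res.status_code, res.reason)
    if error_message:
        message = "{0}. {1}".format(error_message, message)
    # RuntimeError rather than a bare Exception: callers that catch Exception
    # still work, and callers that want to can catch something narrower.
    raise RuntimeError(message)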
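def get_token(user, password, server_address, server_port, verify=False, timeout=30):
    """Log in to ESET Inspect Server and return the session details.

    Sends ``PUT FRONTEND/LOGIN`` with the credentials as a JSON body and reads
    the token from the ``X-Security-Token`` response header.

    Args:
        user: Account name sent as ``username``.
        password: Password sent as ``password``.
        server_address: Host name or IP address of the server.
        server_port: TCP port of the server.
        verify: Passed to requests as ``verify``. The default of False keeps
            the example's original behaviour, in which the server certificate
            is not checked and the password and token are sent to a peer
            whose identity is unconfirmed. Pass True, or the path to a CA
            bundle that contains the server's issuing CA, to enable checking.
        timeout: Seconds to wait for the server before requests gives up.

    Returns:
        dict with the keys ``server`` (base URL), ``token`` (the session
        token) and ``verify`` (the verification setting used for the login).

    Raises:
        RuntimeError: When the login reply carries no ``X-Security-Token``
            header. A non-200 reply is reported by ``_check_response``.
    """
    server = "https://{0}:{1}/".format(server_address, server_port)
    response = requests.put(
        server + "FRONTEND/LOGIN",
        verify=verify,
        timeout=timeout,
        json={"username": user, "password": password},
    )
    _check_response(response, "Login failed")
    security_token = response.headers.get("X-Security-Token")
    if not security_token:
        # Without this check a missing header would be sent later as the
        # literal "Bearer None".
        raise RuntimeError("Login failed. No X-Security-Token header in the reply.")
    return {"server": server, "token": security_token, "verify": verify}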
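def ban_hash(token, sha1, should_clean=True, comment="", timeout=30):
    """Add one executable, identified by its SHA-1, to the blocked hashes.

    Sends ``PUT FRONTEND/HASHES/BLOCK`` with the bearer token from a previous
    login.

    Args:
        token: dict holding at least ``server`` (base URL) and ``token``
            (session token). An optional ``verify`` entry is passed to
            requests as ``verify``; when absent, certificate verification
            stays off as in the original example.
        sha1: Hexadecimal SHA-1 of the executable, 40 characters.
        should_clean: Sent as ``shouldClean``. Note the default is True.
        comment: Text sent as ``comment``.
        timeout: Seconds to wait for the server before requests gives up.

    Raises:
        ValueError: When ``sha1`` is not a 40-character hexadecimal string.
            Checked before any request is sent, so a truncated or mistyped
            value cannot create a block entry for the wrong file.
    """
    hex_digits = "0123456789abcdefABCDEF"
    if (
        not isinstance(sha1, str)
        or len(sha1) != 40
        or any(ch not in hex_digits for ch in sha1)
    ):
        raise ValueError("sha1 must be a 40-character hexadecimal string")
    headers = {"Authorization": "Bearer {0}".format(token["token"])}
    response = requests.put(
        token["server"] + "FRONTEND/HASHES/BLOCK",
        headers=headers,
        verify=token.get("verify", False),
        timeout=timeout,
        json={"sha1": [sha1], "shouldClean": should_clean, "comment": comment},
    )
    _check_response(response, "Ban hash failed")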
# Example run against a server on localhost. The account name, password and
# hash look like placeholder values; a real script should read credentials
# from the environment or a secrets store instead of keeping them in source.
token = get_token(
    user="More",
    password="supersecretpassword",
    server_address="localhost",
    server_port=8889,
)
ban_hash(token, sha1="1234567890abcdef1234567890abcdef12345678")
JavaScript example:
function getConnection() {
    // Option 4 is WinHttpRequestOption_SslErrorIgnoreFlags. The value 0x1100
    // combines "unknown CA" (0x0100) and "certificate name mismatch" (0x1000),
    // so the connection accepts a server certificate without confirming who
    // issued it or which host it names. Credentials and tokens sent over it
    // are protected from passive reading only, not from an intercepting peer.
    var SSL_ERROR_IGNORE_FLAGS = 4;
    var IGNORED_CERTIFICATE_ERRORS = 0x1100;
    var request = new ActiveXObject("WinHttp.WinHttpRequest.5.1");
    request.Option(SSL_ERROR_IGNORE_FLAGS) = IGNORED_CERTIFICATE_ERRORS;
    return request;
}
// Throws an Error unless the reply status is 200. The error text holds the
// status code and status text, prefixed with errorMessage when one is given.
function checkResponse(res, errorMessage) {
    if (res.Status == 200) {
        return;
    }
    var detail = "EI Server replied with: " + res.Status + " (" + res.StatusText + ").";
    throw new Error(errorMessage ? errorMessage + ". " + detail : detail);
}
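// Logs in with PUT FRONTEND/LOGIN and returns {token, server}, where token is
// the value of the X-Security-Token response header and server is the base URL.
// Throws (via checkResponse) when the reply status is not 200.
function getToken(user, password, server_address, server_port) {
    // Encodes a value as a JSON string literal. Written by hand because this
    // script uses ActiveXObject, and a host of that kind may not provide a
    // built-in JSON object; confirm for your host before replacing it.
    function jsonString(value) {
        var text = String(value);
        var out = '"';
        for (var i = 0; i < text.length; i++) {
            var ch = text.charAt(i);
            var code = text.charCodeAt(i);
            if (ch === '"' || ch === "\\") {
                out += "\\" + ch;
            } else if (code < 0x20) {
                var hex = code.toString(16);
                out += "\\u" + "0000".substring(hex.length) + hex;
            } else {
                out += ch;
            }
        }
        return out + '"';
    }

    var connection = getConnection();
    var server = "https://" + server_address + ":" + server_port + "/";
    connection.Open("PUT", server + "FRONTEND/LOGIN", false);
    // Escaping matters here: a quote or backslash in the password would
    // otherwise break the JSON document or change its structure.
    var body = '{"username": ' + jsonString(user) + ', "password": ' + jsonString(password) + '}';
    connection.Send(body);
    checkResponse(connection, "Login failed");
    return {token: connection.GetResponseHeader("X-Security-Token"), server: server};
}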
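// Blocks one executable by SHA-1 with PUT FRONTEND/HASHES/BLOCK.
//   token       - object returned by getToken ({token, server})
//   sha1        - hexadecimal SHA-1 of the executable, 40 characters
//   shouldClean - true or false, sent as "shouldClean"
//   comment     - text sent as "comment"
// Throws an Error for a malformed sha1 or shouldClean before anything is
// sent, and (via checkResponse) when the reply status is not 200.
function banHash(token, sha1, shouldClean, comment) {
    // Encodes a value as a JSON string literal. Written by hand because this
    // script uses ActiveXObject, and a host of that kind may not provide a
    // built-in JSON object; confirm for your host before replacing it.
    function jsonString(value) {
        var text = String(value);
        var out = '"';
        for (var i = 0; i < text.length; i++) {
            var ch = text.charAt(i);
            var code = text.charCodeAt(i);
            if (ch === '"' || ch === "\\") {
                out += "\\" + ch;
            } else if (code < 0x20) {
                var hex = code.toString(16);
                out += "\\u" + "0000".substring(hex.length) + hex;
            } else {
                out += ch;
            }
        }
        return out + '"';
    }

    // Validate first so a mistyped hash or flag cannot reach the server as a
    // block request for the wrong file or as a malformed JSON body.
    if (!/^[0-9a-fA-F]{40}$/.test(String(sha1))) {
        throw new Error("sha1 must be a 40-character hexadecimal string");
    }
    var cleanText = String(shouldClean);
    if (cleanText !== "true" && cleanText !== "false") {
        throw new Error("shouldClean must be true or false");
    }

    var connection = getConnection();
    connection.Open("PUT", token.server + "FRONTEND/HASHES/BLOCK", false);
    connection.SetRequestHeader("Authorization", "Bearer " + token.token);
    var body = '{"sha1": [' + jsonString(sha1) + '], "shouldClean": ' + cleanText + ', "comment": ' + jsonString(comment) + '}';
    connection.Send(body);
    checkResponse(connection, "Ban hash failed");
}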
// Example run against a server on localhost. The account name, password and
// hash look like placeholder values; a real script should read credentials
// from the environment or a secrets store instead of keeping them in source.
var token = getToken("More", "supersecretcode", "localhost", 8889);
banHash(token, "1234567890abcdef1234567890abcdef12345678", true, "")