阻止来自外部工具的哈希

您可以通过从 Python 等脚本语言调用 REST API 来阻止可执行文件 ESET Inspect On-Prem。首先，键入用户名和密码以登录 ESET Inspect Server，系统将获取一个令牌。然后，您可以调用用于阻止哈希、提供哈希和令牌的函数。以下是这两个 REST 调用的详细信息：

登录请求

方法“PUT”

URL：“[server_address]/FRONTEND/LOGIN”

正文JSON 对象和字段：

“username”- 字符串

“password”- 字符串

响应:

响应标头“X-Security-Token”将包含令牌。

禁止哈希请求

方法“PUT”

URL：“[server_address]/FRONTEND/HASHES/BLOCK”

正文JSON 对象和字段：

“sha1”- 字符串数组，包含要被阻止的可执行文件的十六进制 sha1 哈希（至少包含一个哈希）

“shouldClean”- 布尔值，指示是否应清除这些可执行文件

“comment”- 字符串，ESET Inspect On-Prem 将显示在“阻止的哈希”列表中

标题

“Authorization”- 字符串：“Bearer”+ 标记

Python 示例：

import requests

# disable warnings caused by using requests with verify=False argument
requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)

# helper function to check request response; may raise Exception
def _check_response(res, error_message):
    if res.status_code != 200:
        message = "EI Server replied with: {0} ({1}).".format(res.status_code, res.reason)
        if error_message:
            message = "{0}. {1}".format(error_message, message)
        raise Exception(message)

def get_token(user, password, server_address, server_port):
    server = "https://{0}:{1}/".format(server_address, server_port)
    response = requests.put(server + "FRONTEND/LOGIN", verify=False,
                            json={"username": user, "password": password})
    _check_response(response, "Login failed")
    return {"server": server, "token": response.headers.get("X-Security-Token")}

def ban_hash(token, sha1, should_clean=True, comment=""):
    headers = {"Authorization":"Bearer {0}".format(token["token"])}
    response = requests.put(token["server"] + "FRONTEND/HASHES/BLOCK", headers=headers, verify=False,
                            json={"sha1": [sha1], "shouldClean": should_clean, "comment": comment})
    _check_response(response, "Ban hash failed")

token = get_token("More", "supersecretpassword", "localhost", 8889)
ban_hash(token, "1234567890abcdef1234567890abcdef12345678")

JavaScript 示例：

function getConnection() {
    var http = new ActiveXObject("WinHttp.WinHttpRequest.5.1");
    // bypassing certificate error - set option WinHttpRequestOption_SslErrorIgnoreFlags(4)
    http.Option(4) = 0x1100;

    return http;
}

function checkResponse(res, errorMessage) {
    if (res.Status != 200) {
        var message = "EI Server replied with: " + res.Status + " (" + res.StatusText + ")."
        if (errorMessage) {
            message = errorMessage + ". " + message;
        }
        throw new Error(message);
    }
}

function banHash(token, sha1, shouldClean, comment) {
    var connection = getConnection();
    connection.Open("PUT", token.server + "FRONTEND/HASHES/BLOCK", false);

    connection.SetRequestHeader("Authorization", "Bearer " + token.token);

    var body = '{"sha1": ["' + sha1 + '"], "shouldClean": ' + shouldClean.toString() + ', "comment": "' + comment + '"}';
    connection.Send(body);

    checkResponse(connection, "Ban hash failed")
}

var token = getToken("More", "supersecretcode", "localhost", 8889);
banHash(token, "1234567890abcdef1234567890abcdef12345678", true, "")

˄˅