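def on_crypto_ransom(self, evt):
    """Handle a crypto-ransom event raised for the process ``evt.pid``.

    Logs the current whitelist and the suspended-process list, then:

    * returns early if ``evt.pid`` is already in ``self.suspended`` (events
      for a captured process keep arriving while it is suspended);
    * looks the process up with ``psutil`` and reads its command line;
    * if that command line is not in ``self.whitelist``, suspends the
      process, records it in ``self.suspended`` and fires an
      ``event.EventAskUserAllowOrDeny`` for ``evt.path``;
    * otherwise logs that a white-listed process was allowed.

    Args:
        evt: event object; only ``evt.pid`` (int) and ``evt.path`` are read.

    Returns:
        None. Failures to inspect or suspend the process are logged, not raised.
    """

    def describe(proc):
        # A suspended process may have exited (or be inaccessible) since it
        # was recorded; proc.exe() then raises and must not take the whole
        # handler down just to produce a debug line.
        try:
            exe = proc.exe()
        except (psutil.NoSuchProcess, psutil.AccessDenied):
            exe = None
        return {'pid': proc.pid, 'exe': exe}

    logger.debug('Whitelist: %s', json.dumps(self.whitelist, indent=4))
    logger.debug('Suspended: %s', json.dumps(
        [describe(proc) for proc in self.suspended], indent=4))

    if any(suspended.pid == evt.pid for suspended in self.suspended):
        return  # ignore captured ransom events

    try:
        p = psutil.Process(evt.pid)
        cmdline = p.cmdline()
    except (psutil.NoSuchProcess, psutil.AccessDenied):
        # logger.warn is deprecated; logger.warning is the supported spelling.
        logger.warning('Suspicious process %d exited before being caught',
                       evt.pid)
        return

    # NOTE(review): the command line is reported by the process itself, so a
    # whitelist match is a convenience check rather than a strong identity
    # check — confirm this is acceptable for the intended threat model.
    if cmdline in self.whitelist:
        logger.info('Allowed white-listed process: %d', evt.pid)
        return

    # The process can still exit between cmdline() and suspend(); the
    # original let that propagate out of the event handler.
    try:
        p.suspend()
    except (psutil.NoSuchProcess, psutil.AccessDenied):
        logger.warning('Could not suspend suspicious process %d', evt.pid)
        return
    self.suspended.append(p)
    event.EventAskUserAllowOrDeny(p, evt.path).fire()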