virus_blacklist 1.0.0

  1. data/lib/virus_blacklist.rb +60 -0
  2. metadata +61 -0
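--- a/data/lib/virus_blacklist.rb
+++ b/data/lib/virus_blacklist.rb
@@ -0,0 +1,60 @@
+require 'dnsruby'
+
+# CYMRU publishes the MD5 hashes of known viruses as DNS records, which is perfect for us. In short:
+# You get 127.0.0.1 back if the file is in their registry and marked as safe.
+# You get 127.0.0.2 back if the file is in their registry and marked as unsafe.
+# You get NXDOMAIN if the file isn't in their registry at all.
+# You may also get no reply if you're being rate limited.
+# See http://www.team-cymru.org/Services/MHR/ for more info on this service.
+
+module VirusBlacklist
+
+include Dnsruby
+extend self
+
+def resolver
+# Our default query_timeout is pretty aggressive. You might want to wait longer, depending
+# on the application.
+@resolver ||= Dnsruby::Resolver.new(:query_timeout => 2) # Only waits for 2 seconds
+end
+
+# For testing, use md5 = "733a48a9cb49651d72fe824ca91e8d00" which should get marked as a known virus.
+# That example is directly from their documentation on the service.
+
+def scan(md5)
+unless md5.match(/\A[a-f0-9]{32}\z/i)
+# MD5s are exactly 32 hex characters.
+raise ArgumentError, "Invalid MD5 value (" + md5 + "). MD5s contain exactly 32 hexadecimal digits."
+end
+
+begin
+case resolver.query(md5.downcase + ".malware.hash.cymru.com", Types.A).answer[0].address.to_s
+when /\A127\.0\.0\.1\z/
+return :safe
+when /\A127\.0\.0\.2\z/
+return :unsafe
+else
+return :unknown
+end
+
+rescue Exception => e
+puts e.message
+return :error
+end
+end
+
+def is_ok?(md5)
+# Unfortunately, we're limited by the fact that this is a blacklist and that there's
+# no way to whitelist every possible benign file. So we consider it safe if it's
+# not known to be bad. That doesn't matter much, because it's also trivial to change
+# any unimportant part of a malicious file, which will change its hash. So this is poor
+# security, but it's the best we can do.
+
+if scan(md5) == :unsafe
+return false
+else
+return true
+end
+end
+
+end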
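Review bot: `rescue Exception => e` in scan (file lines 40–42) also swallows Interrupt, SystemExit and NoMemoryError, and `puts e.message` writes to stdout from library code; `rescue StandardError => e` with `warn e.message` (or rescuing dnsruby's ResolvError/timeout classes specifically) keeps that branch to lookup failures only. As far as I recall, dnsruby's Resolver#query raises on an NXDOMAIN response rather than returning an empty answer, so a hash that is simply absent from the registry would land in that rescue and be reported as :error instead of the :unknown the header comment describes — worth confirming and, if so, an explicit `rescue Dnsruby::NXDomain` returning :unknown. Note also that is_ok? returns true for :error, so a timeout, rate limit or resolver failure is indistinguishable from a clean result for its callers; a comment on is_ok? stating that lookup failures are treated as ok, and pointing callers who need to tell the cases apart to scan, would make that trade-off explicit.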
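--- a/metadata
+++ b/metadata
@@ -0,0 +1,61 @@
+--- !ruby/object:Gem::Specification
+name: virus_blacklist
+version: !ruby/object:Gem::Version
+version: 1.0.0
+prerelease:
+platform: ruby
+authors:
+- Matt Venzke
+autorequire:
+bindir: bin
+cert_chain: []
+date: 2012-07-08 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+name: dnsruby
+requirement: !ruby/object:Gem::Requirement
+none: false
+requirements:
+- - ~>
+- !ruby/object:Gem::Version
+version: '1.5'
+type: :runtime
+prerelease: false
+version_requirements: !ruby/object:Gem::Requirement
+none: false
+requirements:
+- - ~>
+- !ruby/object:Gem::Version
+version: '1.5'
+description: A simple interface for the CYMRU DNS-based virus blacklist.
+email: mvenzke@gmail.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- lib/virus_blacklist.rb
+homepage: https://github.com/Qsario/virus_blacklist
+licenses: []
+post_install_message:
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+none: false
+requirements:
+- - ! '>='
+- !ruby/object:Gem::Version
+version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+none: false
+requirements:
+- - ! '>='
+- !ruby/object:Gem::Version
+version: '0'
+requirements: []
+rubyforge_project:
+rubygems_version: 1.8.24
+signing_key:
+specification_version: 3
+summary: Interface for CYMRU DNS-based virus blacklist.
+test_files: []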