use safe attr check and db default exclusions

sonroyaalmerol · Nov 18, 2024 · 94b2b7e · 94b2b7e
1 parent 21638ca
commit 94b2b7e
Show file tree

Hide file tree

Showing 4 changed files with 84 additions and 104 deletions.
diff --git a/internal/agent/cache/exclusions.go b/internal/agent/cache/exclusions.go
@@ -35,84 +35,7 @@ func CompileExcludedPaths() []*regexp.Regexp {
 		}
 	}
 
-	excludedPaths := []string{
-		`:\hiberfil.sys`,
-		`:\pagefile.sys`,
-		`:\swapfile.sys`,
-		`:\autoexec.bat`,
-		`:\Config.Msi`,
-		`:\Documents and Settings`,
-		`:\Recycled`,
-		`:\Recycler`,
-		`:\$$Recycle.Bin`,
-		`:\Recovery`,
-		`:\Program Files`,
-		`:\Program Files (x86)`,
-		`:\ProgramData`,
-		`:\PerfLogs`,
-		`:\Windows`,
-		`:\Windows.old`,
-		`:\$$WINDOWS.~BT`,
-		`:\$$WinREAgent`,
-		"$RECYCLE.BIN",
-		"$WinREAgent",
-		"System Volume Information",
-		"Temporary Internet Files",
-		`Microsoft\Windows\Recent`,
-		`Microsoft\**\RecoveryStore**`,
-		`Microsoft\**\Windows\**.edb`,
-		`Microsoft\**\Windows\**.log`,
-		`Microsoft\**\Windows\Cookies**`,
-		`Microsoft\**\Logs**`,
-		`Users\Public\AccountPictures`,
-		`I386`,
-		`Internet Explorer\`,
-		`MSOCache`,
-		`NTUSER**`,
-		`UsrClass.dat`,
-		`Thumbs.db`,
-		`AppData\Local\Temp**`,
-		`AppData\Temp**`,
-		`Local Settings\Temp**`,
-		`**.tmp`,
-		`AppData\**cache**`,
-		`AppData\**Crash Reports`,
-		`AppData\Local\AMD\DxCache`,
-		`AppData\Local\Apple Computer\Mobile Sync`,
-		`AppData\Local\Comms\UnistoreDB`,
-		`AppData\Local\ElevatedDiagnostics`,
-		`AppData\Local\Microsoft\Edge\User Data\Default\Cache`,
-		`AppData\Local\Microsoft\VSCommon\**SQM**`,
-		`AppData\Local\Microsoft\Windows\Explorer`,
-		`AppData\Local\Microsoft\Windows\INetCache`,
-		`AppData\Local\Microsoft\Windows\UPPS`,
-		`AppData\Local\Microsoft\Windows\WebCache`,
-		`AppData\Local\Microsoft\Windows Store`,
-		`AppData\Local\Packages`,
-		`AppData\Roaming\Thunderbird\Profiles\*\ImapMail`,
-		`Application Data\Apple Computer\Mobile Sync`,
-		`Application Data\Application Data**`,
-		`Dropbox\Dropbox.exe.log`,
-		`Dropbox\QuitReports`,
-		`Google\Chrome\User Data\Default\Cache`,
-		`Google\Chrome\User Data\Default\Cookies`,
-		`Google\Chrome\User Data\Default\Cookies-journal`,
-		`Google\Chrome\**LOCK**`,
-		`Google\Chrome\**Current**`,
-		`Google\Chrome\Safe Browsing**`,
-		`BraveSoftware\Brave-Browser\User Data\Default\Cache`,
-		`BraveSoftware\Brave-Browser\User Data\Default\Cookies`,
-		`BraveSoftware\Brave-Browser\User Data\Default\Cookies-journal`,
-		`BraveSoftware\Brave-Browser\**LOCK**`,
-		`BraveSoftware\Brave-Browser\**Current**`,
-		`BraveSoftware\Brave-Browser\Safe Browsing**`,
-		`iPhoto Library\iPod Photo Cache`,
-		`cookies.sqlite-**`,
-		`permissions.sqlite-**`,
-		`Local Settings\History`,
-		`OneDrive\.849C9593-D756-4E56-8D6E-42412F2A707B`,
-		`Safari\Library\Caches`,
-	}
+	excludedPaths := []string{}
 
 	for _, userExclusions := range exclusionResp.Data {
 		if userExclusions.IsGlobal {

diff --git a/internal/agent/sftp/windows.go b/internal/agent/sftp/windows.go
@@ -4,55 +4,39 @@ package sftp
 
 import (
 	"os"
-	"unsafe"
 
 	"golang.org/x/sys/windows"
 )
 
-// FileStandardInfo contains extended information for the file.
-// FILE_STANDARD_INFO in WinBase.h
-// https://docs.microsoft.com/en-us/windows/win32/api/winbase/ns-winbase-file_standard_info
-type FileStandardInfo struct {
-	AllocationSize, EndOfFile int64
-	NumberOfLinks             uint32
-	DeletePending, Directory  bool
-}
-
-type FileAttributeTagInfo struct {
-	FileAttributes uint32
-	ReparseTag     uint32
-}
-
 func invalidAttributes(path string) (bool, error) {
-	file, err := os.Open(path)
+	p, err := windows.UTF16PtrFromString(path)
 	if err != nil {
-		return true, err
+		return false, err
 	}
-	defer file.Close()
 
-	at := &FileAttributeTagInfo{}
-	err = windows.GetFileInformationByHandleEx(windows.Handle(file.Fd()), windows.FileAttributeTagInfo, (*byte)(unsafe.Pointer(at)), uint32(unsafe.Sizeof(*at)))
+	// Get file attributes
+	attributes, err := windows.GetFileAttributes(p)
 	if err != nil {
-		return true, err
+		return false, os.NewSyscallError("GetFileAttributes", err)
 	}
 
-	if at.FileAttributes&windows.FILE_ATTRIBUTE_TEMPORARY != 0 {
+	if attributes&windows.FILE_ATTRIBUTE_TEMPORARY != 0 {
 		return true, nil
 	}
 
-	if at.FileAttributes&windows.FILE_ATTRIBUTE_RECALL_ON_OPEN != 0 {
+	if attributes&windows.FILE_ATTRIBUTE_RECALL_ON_OPEN != 0 {
 		return true, nil
 	}
 
-	if at.FileAttributes&windows.FILE_ATTRIBUTE_RECALL_ON_DATA_ACCESS != 0 {
+	if attributes&windows.FILE_ATTRIBUTE_RECALL_ON_DATA_ACCESS != 0 {
 		return true, nil
 	}
 
-	if at.FileAttributes&windows.FILE_ATTRIBUTE_VIRTUAL != 0 {
+	if attributes&windows.FILE_ATTRIBUTE_VIRTUAL != 0 {
 		return true, nil
 	}
 
-	if at.FileAttributes&windows.FILE_ATTRIBUTE_OFFLINE != 0 {
+	if attributes&windows.FILE_ATTRIBUTE_OFFLINE != 0 {
 		return true, nil
 	}
 

diff --git a/internal/store/db.go b/internal/store/db.go
@@ -111,6 +111,8 @@ func (store *Store) CreateTables() error {
 		return fmt.Errorf("CreateTables: error creating target table -> %w", err)
 	}
 
+	_, exclusionCheck := store.Db.Query("SELECT * FROM exclusions;")
+
 	createExclusionTable := `
     CREATE TABLE IF NOT EXISTS exclusions (
         path TEXT PRIMARY KEY NOT NULL,
@@ -123,6 +125,16 @@ func (store *Store) CreateTables() error {
 		return fmt.Errorf("CreateTables: error creating exclusions table -> %w", err)
 	}
 
+	if exclusionCheck != nil {
+		for _, path := range defaultExclusions {
+			_ = store.CreateExclusion(Exclusion{
+				Path:     path,
+				IsGlobal: true,
+				Comment:  "Generated from default list of exclusions",
+			})
+		}
+	}
+
 	createExclusionBridgeTable := `
     CREATE TABLE IF NOT EXISTS exclusion_bridges (
         id INTEGER PRIMARY KEY AUTOINCREMENT,

diff --git a/internal/store/default_exclusions.go b/internal/store/default_exclusions.go
@@ -0,0 +1,61 @@
+package store
+
+var defaultExclusions = []string{
+	`\hiberfil.sys`,
+	`\pagefile.sys`,
+	`\swapfile.sys`,
+	`\autoexec.bat`,
+	`\Config.Msi`,
+	`\Documents and Settings`,
+	`\Recycled`,
+	`\Recycler`,
+	`\$$Recycle.Bin`,
+	`\Recovery`,
+	`\Program Files`,
+	`\Program Files (x86)`,
+	`\ProgramData`,
+	`\PerfLogs`,
+	`\Windows`,
+	`\Windows.old`,
+	`\$$WINDOWS.~BT`,
+	`\$$WinREAgent`,
+	"$RECYCLE.BIN",
+	"$WinREAgent",
+	"System Volume Information",
+	"Temporary Internet Files",
+	`Microsoft\Windows\Recent`,
+	`Microsoft\**\RecoveryStore**`,
+	`Microsoft\**\Windows\**.edb`,
+	`Microsoft\**\Windows\**.log`,
+	`Microsoft\**\Windows\Cookies**`,
+	`Microsoft\**\Logs**`,
+	`Users\Public\AccountPictures`,
+	`I386`,
+	`Internet Explorer\`,
+	`MSOCache`,
+	`NTUSER**`,
+	`UsrClass.dat`,
+	`Thumbs.db`,
+	`AppData\Local\Temp**`,
+	`AppData\Temp**`,
+	`Local Settings\Temp**`,
+	`**.tmp`,
+	`AppData\**cache**`,
+	`AppData\**Crash Reports`,
+	`AppData\Local\Apple Computer\Mobile Sync`,
+	`AppData\Local\Comms\UnistoreDB`,
+	`AppData\Local\ElevatedDiagnostics`,
+	`AppData\Local\Microsoft\Windows\Explorer`,
+	`AppData\Local\Microsoft\Windows\INetCache`,
+	`AppData\Local\Microsoft\Windows\UPPS`,
+	`AppData\Local\Microsoft\Windows\WebCache`,
+	`AppData\Local\Microsoft\Windows Store`,
+	`AppData\Local\Packages`,
+	`Application Data\Apple Computer\Mobile Sync`,
+	`Application Data\Application Data**`,
+	`iPhoto Library\iPod Photo Cache`,
+	`cookies.sqlite-**`,
+	`permissions.sqlite-**`,
+	`Local Settings\History`,
+	`OneDrive\.849C9593-D756-4E56-8D6E-42412F2A707B`,
+}