some fixes

WelsonJS.Toolkit/WelsonJS.Service/FileEventMonitor.cs

@@ -19,9 +19,16 @@ namespace WelsonJS.Service
         public FileEventMonitor(ServiceBase parent, string workingDirectory)
         {
             this.parent = (ServiceMain)parent;
-            this.ruleFolderPath = Path.Combine(workingDirectory, "app/assets/yar");
+            ruleFolderPath = Path.Combine(workingDirectory, "app/assets/yar");
 
-            AddYaraRules(new List<string>(Directory.GetFiles(this.ruleFolderPath, "*.yar")));
+            try
+            {
+                AddYaraRules(new List<string>(Directory.GetFiles(ruleFolderPath, "*.yar")));
+            }
+            catch (Exception ex)
+            {
+                this.parent.Log($"Exception (FileEventMonitor): {ex.Message}");
+            }
         }
 
         public void AddYaraRulesFromDirectory(string directoryPath)
@@ -71,17 +78,25 @@ namespace WelsonJS.Service
 
         public void Start()
         {
-            string query = @"<QueryList>
-                                <Query Id='0' Path='Microsoft-Windows-Sysmon/Operational'>
-                                    <Select Path='Microsoft-Windows-Sysmon/Operational'>*[System/EventID=11]</Select>
-                                </Query>
-                             </QueryList>";
+            try
+            {
+                string query = @"<QueryList>
+                                    <Query Id='0' Path='Microsoft-Windows-Sysmon/Operational'>
+                                        <Select Path='Microsoft-Windows-Sysmon/Operational'>*[System/EventID=11]</Select>
+                                    </Query>
+                                 </QueryList>";
 
-            EventLogQuery eventLogQuery = new EventLogQuery("Microsoft-Windows-Sysmon/Operational", PathType.LogName, query);
-            eventLogWatcher = new EventLogWatcher(eventLogQuery);
+                EventLogQuery eventLogQuery = new EventLogQuery("Microsoft-Windows-Sysmon/Operational", PathType.LogName, query);
+                eventLogWatcher = new EventLogWatcher(eventLogQuery);
 
-            eventLogWatcher.EventRecordWritten += new EventHandler<EventRecordWrittenEventArgs>(OnEventRecordWritten);
-            eventLogWatcher.Enabled = true;
+                eventLogWatcher.EventRecordWritten += new EventHandler<EventRecordWrittenEventArgs>(OnEventRecordWritten);
+                eventLogWatcher.Enabled = true;
+            }
+            catch (Exception ex)
+            {
+                parent.Log($"Exception (FileEventMonitor): {ex.Message}");
+                Stop();
+            }
         }
 
         public void Stop()

WelsonJS.Toolkit/WelsonJS.Service/ScreenMatching.cs

@@ -59,20 +59,30 @@ public class ScreenMatching
     public ScreenMatching(ServiceBase parent, string workingDirectory)
     {
         this.parent = (ServiceMain)parent;
-        this.templateFolderPath = Path.Combine(workingDirectory, "app/assets/img/_templates");
-        this.templateImages = new List<Bitmap>();
+        templateFolderPath = Path.Combine(workingDirectory, "app/assets/img/_templates");
+        templateImages = new List<Bitmap>();
 
         LoadTemplateImages();
     }
 
     public void LoadTemplateImages()
     {
-        var files = System.IO.Directory.GetFiles(templateFolderPath, "*.png");
+        string[] files;
+
+        try
+        {
+            files = Directory.GetFiles(templateFolderPath, "*.png");
+        }
+        catch (Exception ex)
+        {
+            files = new string[] { };
+            parent.Log($"Exception (ScreenMatching): {ex.Message}");
+        }
 
         foreach (var file in files)
         {
             Bitmap bitmap = new Bitmap(file);
-            bitmap.Tag = System.IO.Path.GetFileName(file);
+            bitmap.Tag = Path.GetFileName(file);
             templateImages.Add(bitmap);
         }
     }

app/assets/yar/MALW_Eicar.yar

@@ -1,22 +0,0 @@
-rule malw_eicar  {
-	
-	meta:
-
-		description = "Rule to detect the EICAR pattern"
-      	author = "Marc Rivero | McAfee ATR Team"
-      	reference = "https://www.eicar.org/"
-      	rule_version = "v1"
-        malware_type = "eicar"
-        malware_family = "W32/Eicar"
-        actor_type = "Unknown"
-        actor_group = "Unknown"
-		hash = "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f"
-
-	strings:
-
-		$s1 = "X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*" fullword ascii
-
-	condition:
-
-	 	any of them
-}

app/assets/yar/eicar.yara

@@ -0,0 +1,34 @@
+rule eicar_av_test {
+    /*
+       Per standard, match only if entire file is EICAR string plus optional trailing whitespace.
+       The raw EICAR string to be matched is:
+       X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
+    */
+
+    meta:
+        description = "This is a standard AV test, intended to verify that BinaryAlert is working correctly."
+        author = "Austin Byers | Airbnb CSIRT"
+        reference = "http://www.eicar.org/86-0-Intended-use.html"
+
+    strings:
+        $eicar_regex = /^X5O!P%@AP\[4\\PZX54\(P\^\)7CC\)7\}\$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!\$H\+H\*\s*$/
+
+    condition:
+        all of them
+}
+
+rule eicar_substring_test {
+    /*
+       More generic - match just the embedded EICAR string (e.g. in packed executables, PDFs, etc)
+    */
+
+    meta:
+        description = "Standard AV test, checking for an EICAR substring"
+        author = "Austin Byers | Airbnb CSIRT"
+
+    strings:
+        $eicar_substring = "$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!"
+
+    condition:
+        all of them
+}