#1 2017-08-24 08:52

RazorBurn
Member
Registered: 2017-08-24
Posts: 3

Renaming Files According to a File Content..

Hi all,

Can someone help me make a script where a file will be renamed according to the file content in an Antivirus Log File..

Example:

This is a sample line content of a Scan Report from Kaspersky Total Security 2018..

24.08.2017 14.18.41	Object (file) detected	C:\Zip\VIRUS\New\065AD63D6E4246EE8219831C55A7B4E6DCF23693.EXE	File: C:\Zip\VIRUS\New\065AD63D6E4246EE8219831C55A7B4E6DCF23693.EXE	Object name: not-a-virus:Downloader.Win32.Somato.r
24.08.2017 14.18.39	Object (file) detected	C:\Zip\VIRUS\New\063BA2111709246C94B784F7DA952847D20B6930.exe	File: C:\Zip\VIRUS\New\063BA2111709246C94B784F7DA952847D20B6930.exe	Object name: HEUR:Trojan.Win32.Generic
24.08.2017 14.18.38	Object (file) detected	C:\Zip\VIRUS\New\057A2FCF7C45C53BB36CC2DC8EED371E1CD70393.exe	File: C:\Zip\VIRUS\New\057A2FCF7C45C53BB36CC2DC8EED371E1CD70393.exe	Object name: not-a-virus:HEUR:AdWare.NSIS.Xpyn.heur
24.08.2017 14.18.38	Object (file) detected	C:\Zip\VIRUS\New\05C04443C43C27F2728014817B1265594B79DBFF.EXE	File: C:\Zip\VIRUS\New\05C04443C43C27F2728014817B1265594B79DBFF.EXE	Object name: not-a-virus:HEUR:AdWare.MSIL.Imali.gen
24.08.2017 14.18.36	Object (file) detected	C:\Zip\VIRUS\New\02F1421A0B7784A42BE5B42E3A527041D5E3344E.EXE	File: C:\Zip\VIRUS\New\02F1421A0B7784A42BE5B42E3A527041D5E3344E.EXE	Object name: not-a-virus:Downloader.Win32.DownloAdmin.bupz
24.08.2017 14.18.29	Object (file) detected	C:\Zip\VIRUS\New\09C6B30B7FF918D54EE6DB72BF1BC41B5D6F1CA1.ZIP	File: C:\Zip\VIRUS\New\09C6B30B7FF918D54EE6DB72BF1BC41B5D6F1CA1.ZIP	Object name: Backdoor.Java.Adwind.cw
24.08.2017 14.18.29	Object (file) detected	C:\Zip\VIRUS\New\09C6B30B7FF918D54EE6DB72BF1BC41B5D6F1CA1.ZIP//plugins/Server.class	File: C:\Zip\VIRUS\New\09C6B30B7FF918D54EE6DB72BF1BC41B5D6F1CA1.ZIP//plugins/Server.class	Object name: Backdoor.Java.Adwind.cw
24.08.2017 14.18.29	Object (file) detected	C:\Zip\VIRUS\New\00DE86EF1C2638C5CDC696792C383702585842E3.EXE	File: C:\Zip\VIRUS\New\00DE86EF1C2638C5CDC696792C383702585842E3.EXE	Object name: not-a-virus:Downloader.Win32.Somato.r
24.08.2017 14.18.28	Selective Scan	Task started	Time: Today, 8/24/2017 2:18 PM

I need a script that finds its current filename in the Report, then renames the file according to the "OBJECT NAME:"

For example in the First line

24.08.2017 14.18.41	Object (file) detected	C:\Zip\VIRUS\New\065AD63D6E4246EE8219831C55A7B4E6DCF23693.EXE	File: C:\Zip\VIRUS\New\065AD63D6E4246EE8219831C55A7B4E6DCF23693.EXE	Object name: not-a-virus:Downloader.Win32.Somato.r

FileName.Ext="065AD63D6E4246EE8219831C55A7B4E6DCF23693.EXE" ===> OBjectName="not-a-virus.Downloader.Win32.Somato.r + EXT"

I'm an absolute newbie in coding but can easily learn..

Offline

#2 2017-08-24 11:15

den4b
Administrator
From: den4b.com
Registered: 2006-04-06
Posts: 3,367

Re: Renaming Files According to a File Content..

Hello,

Below is a script which will parse the report file and rename each matching file in ReNamer to its detected threat name.

Adjust the REPORT constant so it points to your report file. Also, you will most likely have many duplicated filenames and invalid characters in filenames. You can fix them using the standard renaming rules.

Now, learn... :)

const
  REPORT = 'C:\Temp\Report.txt';
  PATTERN = '\tFile:\s*(.+?)\tObject name:\s*([^\s]+)';
  MATCH_FILE = 0;
  MATCH_VIRUS = 1;
  SUBCONTENT_DELIM = '//';
var
  Initialized: Boolean;
  Matches, ReportLines, ReportFiles, ReportViruses: TWideStringArray;
  I, DelimPos: Integer;
begin
  // Initialize
  if not Initialized then
  begin
    Initialized := True;
    // Read report file lines
    ReportLines := FileReadTextLines(REPORT);
    // Parse each line into Files and Viruses arrays
    for I := 0 to Length(ReportLines) - 1 do
    begin
      Matches := SubMatchesRegEx(ReportLines[I], PATTERN, False);
      if (Length(Matches) > MATCH_FILE) and (Length(Matches) > MATCH_VIRUS) then
      begin
        SetLength(ReportFiles, Length(ReportFiles) + 1);
        SetLength(ReportViruses, Length(ReportViruses) + 1);
        ReportFiles[Length(ReportFiles) - 1] := Matches[MATCH_FILE];
        ReportViruses[Length(ReportViruses) - 1] := Matches[MATCH_VIRUS];
      end;
    end;
    // Strip subcontent component from file paths
    for I := 0 to Length(ReportFiles) - 1 do
    begin
      DelimPos := Pos(SUBCONTENT_DELIM, ReportFiles[I]);
      if DelimPos > 0 then
        ReportFiles[I] := Copy(ReportFiles[I], 1, DelimPos - 1);
    end;
  end;
  // Find current file in the report and change its new name to a virus name
  for I := 0 to Length(ReportFiles) - 1 do
  begin
    if WideSameFileName(FilePath, ReportFiles[I]) then
    begin
      FileName := ReportViruses[I] + WideExtractFileExt(FileName);
      Break;
    end;
  end;
end.

For reference: http://www.den4b.com/wiki/ReNamer:Pascal_Script

Offline
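The same report parsing as a stand-alone sketch, added here as an example in Python; it is not den4b's script and not part of ReNamer. It reuses the script's regular expression, treats the detection name as untrusted text by replacing characters Windows does not allow in file names, and only returns a rename plan without touching any file. The function names and the sample file names are assumptions made for the example.

```python
import re
from pathlib import PureWindowsPath

# Same capture groups as PATTERN in the script above: file path, detection name.
LINE_RE = re.compile(r"\tFile:\s*(.+?)\tObject name:\s*(\S+)")
# Characters Windows does not allow in a file name (':' occurs in detection names).
INVALID = re.compile(r'[<>:"/\\|?*\x00-\x1f]')

# Constructed sample in the tab-separated layout quoted in post #1 (file names are made up).
D = "C:\\Zip\\VIRUS\\New\\"

def _line(path, threat):
    return f"24.08.2017 14.18.41\tObject (file) detected\t{path}\tFile: {path}\tObject name: {threat}"

SAMPLE_REPORT = "\n".join([
    _line(D + "SAMPLE01.EXE", "not-a-virus:Downloader.Win32.Somato.r"),
    _line(D + "SAMPLE02.exe", "HEUR:Trojan.Win32.Generic"),
    _line(D + "SAMPLE03.ZIP//plugins/Server.class", "Backdoor.Java.Adwind.cw"),
    "24.08.2017 14.18.28\tSelective Scan\tTask started\tTime: Today, 8/24/2017 2:18 PM",
])

def parse_report(text):
    """Return {lower-cased container path: detection name}; the first hit per file wins."""
    hits = {}
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue                       # status lines such as "Task started"
        path, threat = m.groups()
        path = path.split("//", 1)[0]      # X.ZIP//plugins/Server.class -> X.ZIP
        hits.setdefault(path.lower(), threat)
    return hits

def safe_name(threat, original_path):
    """Turn a detection name into a legal file name, keeping the original extension."""
    stem = INVALID.sub(".", threat).strip(" .") or "unnamed"
    return stem + PureWindowsPath(original_path).suffix

def rename_plan(text, file_paths):
    """Dry run: list (current path, new file name) for every file found in the report."""
    hits = parse_report(text)
    plan = []
    for p in file_paths:
        threat = hits.get(p.lower())       # Windows paths compare case-insensitively
        if threat is not None:
            plan.append((p, safe_name(threat, p)))
    return plan
```

Files that the report does not mention are left out of the plan, and duplicate new names still need a serialize step afterwards.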

#3 2017-08-25 02:21

RazorBurn
Member
Registered: 2017-08-24
Posts: 3

Re: Renaming Files According to a File Content..

Thanks..

Added Destination Folder

const 
  DEST_FOLDER = 'Renamed\';   

    begin
      FileName := DEST_FOLDER + ReportViruses[I] + WideExtractFileExt(FileName);
      Break;
    end;   

added rule for Invalid Char
added Serialize Duplicate

Just want to ask, as per Kaspersky Virus Naming Procedure.. Duplicate name but different variant must be by letters, sample:

vir.exe
vir (2).exe
vir (3).exe
....
....
vir (200).exe
vir (201).exe

to

vir.exe
vir.a.exe
vir.b.exe 
....
....
vir.aa.exe
vir.ab.exe

Offline

#4 2017-08-25 05:43

RazorBurn
Member
Registered: 2017-08-24
Posts: 3

Re: Renaming Files According to a File Content..

Found the Solution for the Invalid Chars. and the Alphabetical Serialize for the Duplicate files

[Image: iXnlQ9r.jpg]

Offline

#5 2017-08-25 10:25

den4b
Administrator
From: den4b.com
Registered: 2006-04-06
Posts: 3,367

Re: Renaming Files According to a File Content..

> Duplicate name but different variant must be by letters

You might find useful a new option in the Serialize rule which allows you to select a different numbering system, including: Decimal digits (0..9), English letters (a..z), Roman numerals (I,II,III,IV,...), Simplified Chinese, Custom alphabetic and Custom numeric.

This option was added in ReNamer v6.7.0.2 Beta.

> Added Destination Folder

You can also do that with a simple Insert rule, to keep things more transparent.

Offline
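The letter-based numbering asked about in post #3 (vir.exe, vir.a.exe, ... vir.z.exe, vir.aa.exe, vir.ab.exe) is a base-26 count with no zero digit. The following is an added example in Python, not ReNamer's Serialize rule and not code from this thread; the function names are assumptions made for the example.

```python
from pathlib import PureWindowsPath

def letter_suffix(n):
    """1 -> 'a', 26 -> 'z', 27 -> 'aa', 28 -> 'ab' (bijective base 26)."""
    s = ""
    while n > 0:
        n, r = divmod(n - 1, 26)           # n - 1 because there is no zero digit
        s = chr(ord("a") + r) + s
    return s

def serialize_duplicates(names):
    """Keep the first occurrence of a name; repeats become stem.a.ext, stem.b.ext, ...

    Names are compared case-insensitively, as Windows file systems do, and a
    generated name is skipped if it is already taken by another file.
    """
    used, counts, out = set(), {}, []
    for name in names:
        key = name.lower()
        candidate = name
        while candidate.lower() in used:
            counts[key] = counts.get(key, 0) + 1
            p = PureWindowsPath(name)
            candidate = f"{p.stem}.{letter_suffix(counts[key])}{p.suffix}"
        used.add(candidate.lower())
        out.append(candidate)
    return out
```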
