Update filters.json for Windows files (#88)

* Improvements to thread safety

* Ignore default location logfile

* Improve registry filters

* Update filters.json

* Revert inadvertant change to runid behavior

* Fix issue with provided paths to filter in directory walker

.gitignore

@@ -264,3 +264,4 @@ Application Insights/
 *.sqlite-journal
 Tools/
 asa.sqlite
+Cli/asa.log.txt

Cli/Program.cs

@@ -1057,7 +1057,10 @@ public static int RunCollectCommand(CollectCommandOptions opts)
             StartEvent.Add("Service", opts.EnableServiceCollector.ToString());
 
             Telemetry.Client.TrackEvent("Begin collecting", StartEvent);
-
+            if (opts.RunId.Equals("Timestamp"))
+            {
+                opts.RunId = DateTime.Now.ToString("yyyy-MM-dd HH:mm:ss");
+            }
 
             if (opts.EnableFileSystemCollector || opts.EnableAllCollectors)
             {
@@ -1093,11 +1096,6 @@ public static int RunCollectCommand(CollectCommandOptions opts)
             Filter.LoadFilters(opts.FilterLocation);
             DatabaseManager.SqliteFilename = opts.DatabaseFilename;
 
-            if (opts.RunId.Equals("Timestamp"))
-            {
-                opts.RunId = DateTime.Now.ToString("yyyy-MM-dd HH:mm:ss");
-            }
-
             if (opts.Overwrite)
             {
                 DatabaseManager.DeleteRun(opts.RunId);

Lib/Utils/DirectoryWalker.cs

@@ -100,8 +100,7 @@ public static IEnumerable<FileSystemInfo> WalkDirectory(string root)
                         Log.Debug(e.Message);
                         continue;
                     }
-                    string FullPath = String.Format("{0}{1}{2}", currentDir, Path.PathSeparator, file);
-                    if (Filter.IsFiltered(Filter.RuntimeString(), "Scan", "File", "Path", FullPath))
+                    if (Filter.IsFiltered(Filter.RuntimeString(), "Scan", "File", "Path", file))
                     {
                         continue;
                     }

Lib/Utils/Filter.cs

@@ -71,17 +71,41 @@ public static bool IsFiltered(string Platform, string ScanType, string ItemType,
                         foreach (var filter in jFilters)
                         {
                             Log.Debug(filter.ToString());
-                            filters.Add(new Regex(filter.ToString()));
+                            try
+                            {
+                                filters.Add(new Regex(filter.ToString()));
+                            }
+                            catch (Exception e)
+                            {
+                                Log.Debug(e.GetType().ToString());
+                                Log.Debug("Failed to make a regex from {0}", filter.ToString());
+                            }
+                        }
+                        try
+                        {
+                            _filters.Add(key, filters);
+                        }
+                        catch (ArgumentException)
+                        {
+                            // We are running in parallel, its possible someone added it in between the original check and now. No problem here.
+                            filters = _filters[key];
                         }
-                        _filters.Add(key, filters);
                         Log.Warning("Successfully parsed {0} {1} {2} {3} {4}", Platform, ScanType, ItemType, Property, FilterType);
                     }
                     catch (NullReferenceException)
                     {
                         Log.Debug("Failed parsing {0} {1} {2} {3} {4} (no entry?)", Platform, ScanType, ItemType, Property, FilterType);
-                        _filters.Add(key, new List<Regex>());
+                        try
+                        {
+                            _filters.Add(key, new List<Regex>());
+                        }
+                        catch (ArgumentException)
+                        {
+                            // We are running in parallel, its possible someone added it in between the original check and now. No problem here.
+                        }
                         return false;
                     }
+
                 }
                 catch (Exception e)
                 {

filters.json

@@ -4,15 +4,35 @@
       "Registry": {
         "Key": {
           "Exclude": [
-            "HKEY_CLASSES_ROOT\\WOW6432Node\\Interface\\",
-            "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Class\\"
+            "^HKEY_CLASSES_ROOT\\\\WOW6432Node\\\\Interface$",
+            "^HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\CurrentControlSet\\\\Control$",
+            "^HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\DriverDatabase\\\\DriverPackages$",
+            "^HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\CurrentControlSet\\\\Enum$",
+            "^HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\DeviceAssociationService\\\\State\\\\Store$",
+            "^HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\mpssvc\\\\Parameters$",
+            "^HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\ControlSet001\\\\Enum$",
+            "^HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\ControlSet001\\\\Control$",
+            "^HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\ControlSet001\\\\Services$"
           ]
         },
         "Hive": {
           "Exclude": [
             "ClassesRoot"
           ]
         }
+      },
+      "File": {
+        "Path": {
+          "Exclude": [
+            "[A-Z]:\\\\pagefile.sys",
+            "[A-Z]:\\\\hiberfil.sys",
+            "[A-Z]:\\\\swapfile.sys",
+            "[A-Z]:\\\\Windows\\\\CSC",
+            "[A-Z]:\\\\Windows\\\\System32\\\\LogFiles\\\\WMI\\\\RTBackup",
+            "[A-Z]:\\\\Windows\\\\ServiceProfiles\\\\LocalService\\\\AppData\\\\Local\\\\Microsoft\\\\NGC"
+
+          ]
+        }
       }
     }
   },