cc global antivirus

-- Good AV+ Improved
-- 2025 No Rights Reserved
-- Version 2 (improved)
-- Made By A and hecker
local safe = shell.getRunningProgram()
local detectedPatternsString = ""
local quarantineDir = ".av_quarantine"
local logFile = ".avlog"
local detectionThreshold = 3

local function isPathRestricted (path)
    return (string.find(path, "av_quarantine", 1, true) or string.find(path, safe, 1, true))
end

local _shell_original_resolveProgram = shell.resolveProgram
shell.resolveProgram = function(name)
    local resolvedPath = _shell_original_resolveProgram(name)

    if resolvedPath and string.find(resolvedPath, "av_quarantine", 1, true) then
        return nil
    end

    return resolvedPath
end

local _shell_original_run = shell.run
shell.run = function ( name )
    SCAN()
    return _shell_original_run(name)
end


if not fs.exists(quarantineDir) then
    local ok, err = fs.makeDir(quarantineDir)
    if not ok then print("Warning: could not create quarantine dir:", err) end
end


local maliciousPatterns = {
    "%(shell%.getRunningProgram%(%),%s*\"r\"%)", -- attempted self-identification pattern
    "payload", -- suspicious marker (broad)
    "os%.pullEvent%s*=%s*os%.pullEventRaw", -- event hijack / cannot be terminated
    "in%s+ipairs%(%s*fs%.list%(%w*%)%s*%)", -- scanning directories
    "[%a_][%w_]*:%s*byte%s*%(%s*%)%s*%+.-%%.-", -- weird byte ops (cheap heuristic)
    "%x%x%x%x%x%x%x%x", -- hex sequences (possible obfuscation)
    "fs%.open%(%s*[\"']%.startup", -- writing startup
    "fs%.open%(%s*[\"']%.startup%.luax", -- writing .startup.luax
    "shell%.setAlias%s*%(", -- alias changes
    "_G%.[%a_][%w_]*%s*=", -- direct global table assignments
    "^%s*(local%s*)?%w+%s*=%s*_G%.[%a_][%w_]*", -- wrapping globals into locals
    "for%s+[%w_,%s]+in%s+pairs%(%w+%)%s+do%s+_G%.fs%[k%]%s*=%s*v%s+end", -- wrapper loop
    "http%.get%s*%(", -- remote fetch
    "load%s*%(", -- dynamic execution
    "loadstring%s*%(", -- dynamic execution
    "os%.reboot%s*%(", -- reboot calls
    "while%s+true%s+do%s-.-os%.reboot" -- infinite reboot loop
}

local maliciousPatternsExplain = {
    "Self-Replicating", "Interfering", "Cannot Be Terminated",
    "Scanning for files", "Encryption-ish / Byte ops", "Obfuscation / Hex",
    "Startup modification", "Startup modification (.luax)", "Changing Aliases",
    "Global Table Manipulation", "Global Table Wrapping",
    "Global Table Wrapping (loop)", "Remote Fetch", "Remote/Dynamic Execution",
    "Remote/Dynamic Execution", "Reboot calls", "Forced Reboot Loop"
}

local function dedupe(list)
    local seen = {}
    local out = {}
    for _, v in ipairs(list) do
        if not seen[v] then
            table.insert(out, v)
            seen[v] = true
        end
    end
    return out
end

local function isMalicious(contents)
    local matches = 0
    local detected = {}
    local seen = {}
    if not contents or #contents == 0 then return false, {} end

    for i, pat in ipairs(maliciousPatterns) do

        local ok, found = pcall(function() return contents:find(pat) end)
        if ok and found then
            local expl = maliciousPatternsExplain[i] or ("Pattern #" .. i)
            if not seen[expl] then
                matches = matches + 1
                table.insert(detected, expl)
                seen[expl] = true
            end
        end
    end

    detected = dedupe(detected)
    return matches >= detectionThreshold, detected
end

local function typeofInfection(detectedPatterns)
    local selfReplicating, scanningForFiles, cannotBeTerminated = false, false,
                                                                  false
    local interfering, Encryption, SuspiciousActivity, nolua = false, false,
                                                               false, false

    for _, p in ipairs(detectedPatterns) do
        if p == "Self-Replicating" then
            selfReplicating = true
        elseif p == "Scanning for files" then
            scanningForFiles = true
        elseif p == "Cannot Be Terminated" then
            cannotBeTerminated = true
        elseif p == "Interfering" then
            interfering = true
        elseif p == "Encryption-ish / Byte ops" then
            Encryption = true
        elseif p == "Changing Aliases" then
            interfering = true;
            nolua = true
        elseif p == "Global Table Manipulation" then
            nolua = true
        end
    end

    local endType = "Unknown"
    if selfReplicating and (scanningForFiles or interfering) then
        endType = "Quine"
        if nolua then endType = "Quine (Evading)" end
    elseif Encryption and cannotBeTerminated then
        endType = "Ransomware"
    elseif cannotBeTerminated and interfering then
        endType = "Malware"
    elseif scanningForFiles then
        endType = "Spyware"
    elseif Encryption then
        endType = "Ransomware"
    elseif nolua then
        endType = "Malware (Global mods)"
    end

    return endType
end

local function logEntry(text)
    local ok, f = pcall(fs.open, logFile, "a")
    if not ok or not f then
        print("Could not write to log file:", logFile)
        print(text)
        return
    end
    local ts = "UNKNOWN TIME"
    if os and os.date then
        pcall(function() ts = os.date("%Y-%m-%d %H:%M:%S") end)
    end
    f.write(("[%s] %s\n\n"):format(ts, text))
    f.close()
end

local function quarantineFile(fullPath)

    if not fs.exists(quarantineDir) then pcall(fs.makeDir, quarantineDir) end

    local base = fs.getName(fullPath)
    local dest = fs.combine(quarantineDir, base)

    local counter = 1
    while fs.exists(dest) do
        dest = fs.combine(quarantineDir, base .. "_" .. tostring(counter))
        counter = counter + 1
    end

    local ok, err = pcall(fs.move, fullPath, dest)
    if not ok or not fs.exists(dest) then
        -- try copy then delete
        local copyOk, copyErr = pcall(fs.copy, fullPath, dest)
        if not copyOk then
            return false,
                   "quarantine move/copy failed: " .. tostring(copyErr or err)
        end
        pcall(fs.delete, fullPath)
    end
    return true, dest
end

-- Recursively scan directory safely
local function scanAndQuarantine(directory)
    local listOk, entries = pcall(function() return fs.list(directory) end)
    if not listOk or not entries then return end

    for _, name in ipairs(entries) do
        local fullPath = fs.combine(directory, name)
        -- skip rom and system mounts
        if fullPath:sub(1, 4) ~= "rom/" and fullPath ~= safe then
            local ok, isDir = pcall(function()
                return fs.isDir(fullPath)
            end)
            if ok and isDir then

                if fullPath ~= quarantineDir then
                    pcall(scanAndQuarantine, fullPath)
                end
            else

                local handleOk, handle = pcall(fs.open, fullPath, "r")
                if handleOk and handle then
                    local contents = handle.readAll()
                    handle.close()
                    local flagged, patterns = isMalicious(contents)
                    if flagged then
                        -- move to quarantine
                        local quarantined, destOrErr = quarantineFile(fullPath)
                        local fileName = fs.getName(fullPath)
                        local typ = typeofInfection(patterns)
                        local text =
                            ("Removed malicious file: %s\nFamily Type: %s\nDetected Patterns:\n%s\nQuarantined to: %s"):format(
                                fileName, typ, table.concat(patterns, "\n- "),
                                tostring(destOrErr))
                        print(text)
                        logEntry(text)
                    end
                end
            end
        end
    end
end

print("AV: Starting scan. This may take a while...")


function SCAN()

    pcall(function() scanAndQuarantine("") end)

    for i = 0, 9 do
        local mount = (i == 0) and "disk" or ("disk" .. tostring(i))
        if fs.exists(mount) and fs.isDir(mount) then
            pcall(function() scanAndQuarantine(mount) end)
        end
    end

    local topListOk, topEntries = pcall(function() return fs.list("/") end)
    if topListOk and topEntries then
        for _, entry in ipairs(topEntries) do
            local entryPath = "/" .. entry
            -- skip rom and quarantine to avoid recursion
            if entryPath:sub(1, 4) ~= "/rom" and entry ~= quarantineDir then
                pcall(function() scanAndQuarantine(entry) end)
            end
        end
    end
end
SCAN()

print("AV: Scan complete. Check " .. logFile .. " and " .. quarantineDir ..
          " for details.")
print("Use `edit " .. logFile .. "` to view logs. Quarantined files are in " ..
          quarantineDir .. ".")

-- anti virus protection:
local fs_wrapper = {}
for k, v in pairs(_G.fs) do
    fs_wrapper[k] = v -- backup originals
end

_G.fs.exists = function(path)
    if isPathRestricted(path) then return false end
    return fs_wrapper.exists(path) -- call original
end

_G.fs.makeDir = function(path)
    if isPathRestricted(path) then
        return false, "Access denied: Cannot create restricted directory."
    end
    return fs_wrapper.makeDir(path)
end

_G.fs.move = function(from, to)
    if isPathRestricted(from) then
        return false, "Access denied: Cannot move restricted files/directories."
    end
    return fs_wrapper.move(from, to) -- fixed args
end

_G.fs.copy = function(from, to)
    if isPathRestricted(from) or isPathRestricted(to) then
        return false, "Access denied: Cannot copy restricted files/directories."
    end
    return fs_wrapper.copy(from, to) -- fixed args
end

_G.fs.delete = function(path)
    if isPathRestricted(path) then
        return false, "Access denied: Cannot delete restricted files/directories."
    end
    return fs_wrapper.delete(path)
end