From a634a2e7fd3729132e28f7b306f17e1073131f8f Mon Sep 17 00:00:00 2001
From: Greg DiCristofaro <gregd@basistech.com>
Date: Mon, 24 Jul 2023 15:49:57 -0400
Subject: [PATCH] dont rescan

---
 .../malwarescan/MalwareScanIngestModule.java  | 19 +++++++++++++++----
 1 file changed, 15 insertions(+), 4 deletions(-)

diff --git a/Core/src/com/basistech/df/cybertriage/autopsy/malwarescan/MalwareScanIngestModule.java b/Core/src/com/basistech/df/cybertriage/autopsy/malwarescan/MalwareScanIngestModule.java
index beffd8e594..a760c3bbe3 100644
--- a/Core/src/com/basistech/df/cybertriage/autopsy/malwarescan/MalwareScanIngestModule.java
+++ b/Core/src/com/basistech/df/cybertriage/autopsy/malwarescan/MalwareScanIngestModule.java
@@ -50,6 +50,7 @@
 import org.sleuthkit.datamodel.BlackboardArtifact;
 import org.sleuthkit.datamodel.Score;
 import org.sleuthkit.datamodel.SleuthkitCase;
+import org.sleuthkit.datamodel.TskCoreException;
 import org.sleuthkit.datamodel.TskData;
 
 /**
@@ -198,12 +199,21 @@ private static long remaining(Long limit, Long used) {
         })
         IngestModule.ProcessResult process(AbstractFile af) {
             try {
-                if (runState == RunState.STARTED_UP && af.getKnown() != TskData.FileKnown.KNOWN
-                        && EXECUTABLE_MIME_TYPES.contains(StringUtils.defaultString(fileTypeDetector.getMIMEType(af)).trim().toLowerCase())) {
+                if (runState == RunState.STARTED_UP 
+                        && af.getKnown() != TskData.FileKnown.KNOWN
+                        && EXECUTABLE_MIME_TYPES.contains(StringUtils.defaultString(fileTypeDetector.getMIMEType(af)).trim().toLowerCase())
+                        && CollectionUtils.isEmpty(af.getAnalysisResults(malwareType))) {
+                    
                     batchProcessor.add(new FileRecord(af.getId(), af.getMd5Hash()));
 
                 }
                 return ProcessResult.OK;
+            } catch (TskCoreException ex) {
+                notifyWarning(
+                        Bundle.MalwareScanIngestModule_SharedProcessing_generalProcessingError_title(),
+                        Bundle.MalwareScanIngestModule_SharedProcessing_generalProcessingError_desc(),
+                        ex);
+                return IngestModule.ProcessResult.ERROR;
             } catch (InterruptedException ex) {
                 notifyWarning(
                         Bundle.MalwareScanIngestModule_ShareProcessing_batchTimeout_title(),
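Review bot: The new `catch (TskCoreException ex)` branch returns `ProcessResult.ERROR` before `batchProcessor.add(...)` is reached, so an executable whose prior-result lookup fails (presumably in `af.getAnalysisResults(malwareType)`) is left out of the malware scan for this run. The generic title/description pair also does not say which file was skipped. For a scanning module it is worth either treating a failed lookup as "no prior result" and still queueing the file, or passing the file's `af.getId()` into the warning so the gap can be followed up. Above the new condition I would add `// Skip files that already carry a malware analysis result; note that any existing result of this type, whatever its score or age, suppresses a rescan.`, since nothing in the hunk shows whether stale or non-notable verdicts are stored under `malwareType`. The body of `process` starts before and continues after this hunk.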
@@ -231,7 +241,7 @@ private void handleBatch(List<FileRecord> fileRecords) {
 
             // create mapping of md5 to corresponding object ids as well as just the list of md5's
             Map<String, List<Long>> md5ToObjId = new HashMap<>();
-            List<String> md5Hashes = new ArrayList<>();
+
             for (FileRecord fr : fileRecords) {
                 if (fr == null || StringUtils.isBlank(fr.getMd5hash()) || fr.getObjId() <= 0) {
                     continue;
@@ -242,9 +252,10 @@ private void handleBatch(List<FileRecord> fileRecords) {
                         .computeIfAbsent(sanitizedMd5, (k) -> new ArrayList<>())
                         .add(fr.getObjId());
 
-                md5Hashes.add(sanitizedMd5);
             }
 
+            List<String> md5Hashes = new ArrayList<>(md5ToObjId.keySet());
+            
             if (md5Hashes.isEmpty()) {
                 return;
             }
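Review bot: Building `md5Hashes` from `md5ToObjId.keySet()` silently changes two things that deserve a comment at that line: duplicate hashes in a batch are now sent once, and the list order is the unspecified `HashMap` iteration order rather than the order of `fileRecords`. Something like `// unique hashes only; order is unspecified, so results must be matched back through md5ToObjId, never by index` would record the intent. If any code after the `isEmpty()` check pairs results with `md5Hashes` by position (not visible here, as `handleBatch` continues outside the hunk), it needs to be checked. The existing comment "as well as just the list of md5's" above the loop also no longer describes what the loop does.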
-- 
GitLab