Hello DLP Users..

I wanted to share some information on how to get DLP to Scan using SSH.

I had a customer who wanted to scan their File Server (EMC Isilon), but NOT all of the File System was accesible via NFS or CIFS shares. They were able to provide me a ROOT account that I could SSH directly to the File server.

So I began to figure out how to be able to Mount a file system using SSH as the protocol.

This lead me to SSHFS!

SSHFS is a filesystem based on the SSH File Transfer Protocol (SFTP). On remote side (Discover Target) we just need to install SSH server, Since most of SSH servers already support this, there are nothing to do on remote server except installing SSH server. On client side (Discover Server) we need to install fuse sshfs packages to mount remote filesystem.

Features of SSHFS:
Based on FUSE (Best userspace filesystem framework for linux)
Multithreading: more than one request can be on it’s way to the server
Allowing large reads (max 64k)
Caching directory contents

**** First of all Scanning using SSH is NOT supported by Symantec and has NOT been certified or tested at all. So please make sure that you have strong Linux knowledge if you move forward with this at your own risk. ****

Also keep in mind that some of these steps will require you to edit existing configuration files and installation of Linux Packages in order for it to work.

You will need to be using a LINUX Discover Server to get this to really work.

INSTALL the SSHFS program

1. Download and install the SSHFS program (You will need the EPEL Repository to find it). It should download the fuse package as part of the dependencies.

yum install fuse-sshfs

2. Create the mount directory for testing.

mkdir /mnt/test
chmod 777 /mnt/test

3. Test mounting the directory and Accept the authenticity and type password

YOU WILL NEED TO DO THIS FOR EACH DIFFERENT server you plan to connect to from this Discover Server

sshfs root@remote.example.com:/home/remoteuser /mnt/test

The authenticity of host 'remote.example.com (192.168.1.12)' can't be established.
RSA key fingerprint is 77:85:9e:ff:de:2a:ef:49:68:09:9b:dc:f0:f3:09:07.
Are you sure you want to continue connecting (yes/no)? yes
root@remote.example.com's password:

4. Test the mount

# mount

/dev/mapper/vg_svr1-lv_root on / type ext4 (rw)
proc on /proc type proc (rw)
sysfs on /sys type sysfs (rw)
devpts on /dev/pts type devpts (rw,gid=5,mode=620)
tmpfs on /dev/shm type tmpfs (rw)
/dev/sda1 on /boot type ext4 (rw)
root@remote.example.com:/home/remoteuser on /mnt/test type fuse.sshfs (rw,nosuid,nodev)

5. Navigate and test the share by opening a file and then unmount it.

# cd /mnt/test
# ls
# cat file.txt
# umount /mnt/test

Create a NEW filesystem Category for SSHFS and Scripts

1. Edit the /etc/sudoers file to allow the protect user to run the sshfs command (verify 'which sshfs')

# Vontu service user
Defaults:protect !requiretty
protect ALL= NOPASSWD: /bin/mount, /bin/umount, /usr/bin/sshfs, /bin/sshfs

2. Edit the SharePointMapper.properties file. (/opt/SymantecDLP/Protect/config)

You will need to type this manually or copy/paste edit from the previous settings.

You may need to change the mounterX.uri and mounterX.prefix if have added another setting before. (Make it 3 instead of 2)

Add the following lines to the bottom:

#Linux implementation of SSHFS
mounter2.uri=sshfs
mounter2.prefix=SSHFS

#General
SSHFS.ResponseExpected=No valid response
SSHFS.scriptName=sshfs.sh
SSHFS.Success=status:0
SSHFS.ScriptExecutionTimeout=60000

# SSHFS- Linux
SSHFS.AccessDenied=denied
SSHFS.ShareNotFound=Permission denied|can't get address for|No such file or directory
SSHFS.ShareExists=mountpoint is not empty
SSHFS.MultipleConnections=mountpoint is not empty
SSHFS.SyntaxError=Usage:|fuse:
SSHFS.ServerNotFound=failed|Connection reset by peer
SSHFS.AccountLockedOut=denied
SSHFS.NoLogonServers=Not Applicable
SSHFS.RequireLogin=Not Applicable

#Unmount
SSHFS.MountRemoved=umounted
SSHFS.MountDoesNotExist=not mounted
SSHFS.MountDependencyExists=open files|target is busy
SSHFS.unmountScriptName=sshfsu.sh
SSHFS.umountSuccess=status:0

3. Create the Mount and unmounting scripts for SSHFS. (Make sure to be the protect user) (copied to keep right execute permissions)

#su - protect
#cd /opt/SymantecDLP/Protect/bin
#cp nfs.sh sshfs.sh
#cp nfsu.sh sshfsu.sh
#chown protect:protect sshfs.sh
#chown protect:protect sshfsu.sh

4. Edit the sshfsu.sh file and make it look like the following. (add sleep)

sudo umount -v $1
sleep 20
echo status:$?

5. Edit the sshfs.sh file to look like the following:

#!/bin/bash
#
# sshfs.sh - mount a share using sshfs on a Linux system
#
# $1 = <mount point>
# $2 = <share path>
# $3 = <user name>
# $4 = <password>
#
# usage: sshfs.sh <options> <user>@<share path> <mount point>
#
#       <mount point>: The point where the file system is mounted. Ex: /mnt/vontu
#
#       <share path>: The path to mount in the following format:
#                     "//<host.domain.com>/dir1/dir2"  (can be surrounded by single or double quotes)
#
# Author: Ronak Patel

#Format the Share Path to be suitable for the mount command.
share_path=`echo $2 | sed -e 's/\([^\/]*\)\/\/\([^\/]*\)\([^"'"'"']*\).*/\2:\3/'`

#Format the Username to be suitable for the mount command (remove quotes).
user="${3%\"}"
user="${user#\"}"

#Format the Password to be suitable for the mount command (remove quotes).
password="${4%\"}"
password="${password#\"}"


#Then mount!
#sleep commands are to make sure system has time to mount
sleep 10
echo $password | sudo sshfs -o allow_other -o async_read -o password_stdin -o ro $user@"$share_path" $1
sleep 10
echo status:$?

6. Restart the VontuMonitor service on the Discover Servers

7. Create the Discover Target

When creating your Discover Target make sure to use the following structure so it recognizes which mount script to use.

Watch the backlashes!

sshfs:\\server.company.com\ifs\home\local data\

sshfs:\\10.0.0.1\ifs\home\local data

---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Troubleshooting:

1. Discover Scan Fails: error: Unknown Error
   1. Restart VontuMonitor Service
2. Discover Scan Fails: error: The content root URI is malformed: sshfs:\\10.0.0.2.10\ifs
   1. Retype the settings in the SharePaointMapper.properties file
3. Discover Scan Fails: error: Unknown Error
   1. Check the permsissions on the sshfs files in the Bin directory (Should be owned by Protect and Executable)
4. Discover scan cannot scan any data
   1. Mount the share manually using the following commands as root

   2. #sshfs -o allow_other -o async_read user@10.253.2.10:/ifs /mnt/test/
      #su - protect
      #cd /mnt/test
      #ls -al
      #cat file.txt

   3. If this fails then you have a permissions issue with the SSHFS and how it mounts the share.
   4. You will then have to play with the sshfs.sh script to inlcude the the following settings or try it manually
      1. -o uid=XXX
      2. -o gid=XXX
      3. -o umask=XXX
      4. For UID try using the same one that the protect user has by looking at /etc/passwd
      5. For GID try using the same one that the protect user has by looking at /etc/groups

   #sshfs -o allow_other -o async_read -o uid=1001 -o gid=10 user@10.253.2.10:/ifs /mnt/test/
   #su - protect
   #cd /mnt/test
   #ls -al
   #cat file.txt

5. When trying to scan lots of targets consecutively you may see that it will not scan after mounting and unmounting more than 3 shares in 1 Discover Target. I have seen this and not sure of the issue.
   1. I have then created multiple targets of 1-2 Shares and spread them out over time.

Hope this helps...

Good Luck

Ronak Patel

In April 2017, an attack group calling itself the TheShadowBrokers, released a trove of data it claims to have stolen from the Equation cyberespionage group. The data contains a range of exploits and tools the attack group state were used by Equation. TheShadowBrokers said that the data dump was a sample of what had been stolen from hacking Equation and that the “best” files would be auctioned off to the highest bidder.

The Equation group has been known for some time and uses highly advanced malware tools to target organizations in a range of countries. The group is technically competent and well resourced, using highly developed malware tools that go to great lengths to evade detection.
Shadows Brokers has released this data in a series of dumps. 

Symantec Security response often has coverage for these vulnerbilties and tools well in advance of disclosure, but in an effort to make the coverage more readable these are renamed to represent the events they are assoiciated with.

Lost In Translation
On April 14, 2017 TheShadowBrokers released a collection of files, containing exploits and hacking tools targeting Microsoft Windows.
Later that week Microsoft published a blog stating that most of the exploits that were disclosed in this dump fall into vulnerabilities that are already patched in their supported products.

Dont Forget Your Base
On April 8th a missive from the TheShadowBrokers also contained another large batch of files. These are mostly characterised as tools and scripts as opposed to the vulnerbilties as seen in the Lost in translation dump. Additionally items like scripts are easily customizable and altered to impact different targets and to avoid static detection.

All coverage information is based on available virus definitions from June 20, 2017

Changelog:

June 21: Updated "Dont Forget your base" coverage infromation 

Vault 7 is a series of documents that WikiLeaks began to publish on 7 March 2017, that allegedly detail activities and capabilities of the United States Central Intelligence Agency to perform electronic surveillance and cyber warfare. The files, dated from 2013–2016 and again allegedly include details on the agency's software capabilities, such as the ability to compromise cars, smart TVs, web browsers and the operating systems of most smartphones (including Apple's iOS and Google's Android), as well as other operating systems.

Coverage:

Please note that this is a work in progress and new reseach can cause this to be updated.

Changelog:

Hello All,

On June 27th, 2017 we all became aware of a new variant of the Petya malware which is spreading over the Microsoft Windows SMB protocol. The malware appears to use the ETERNALBLUE exploit tool to accomplish this. This is the same exploit the WanaCrypt0r/WanaCry malware exploited to spread globally in May, 2017. Multiple organizations have reported network outages, including government and critical infrastructure operators.

Windows users should take the following general steps to protect themselves:

• Apply security updates in MS17-010
• Block inbound connections on TCP Port 445
• Create and maintain good back-ups so that if an infection occurs, you can restore your data.

Overview

Petya is a ransomware family that works by modifying the Window’s system’s Master Boot Record (MBR), causing the system to crash. When the user reboots their PC, the modified MBR prevents Windows from loading and instead displays an ASCII Ransom note demanding payment from the victim.

The latest version of the Petya ransomware is spreading over Windows SMB and is reportedly using the ETERNALBLUE exploit tool, which exploits CVE-2017-0144 and was originally released by the Shadow Brokers group in April 2017.

After the system is compromised the victim is asked to send US $300 in Bitcoin to a specific Bitcoin address and then send an e-mail with the victim’s bitcoin wallet ID to wowsmith123456@posteo[.]net to retrieve their individual decryption key. As of 16:00 UTC on Jun 27th, 13 payments have already been made to attackers wallet.

Lifecycle

We are aware of the following information about how the Petya attack lifecycle works.

Delivery/Exploitation

We have not yet confirmed the initial infection vector for this new Petya variant. Previous variants were spread through e-mail, but we have not identified this latest sample carried in any e-mail related attacks.

We have seen public speculation that a Ukrainian Tax software package was compromised and delivered the Petya DLL via an update on the morning of June 27th. This infection vector would explain the high concentration of infections in Ukraine, but we have not been able to independently confirm this information.

Installation

This variant of Petya is spread as a DLL file, which must be executed by another process before it takes action on the system. Once executed, it overwrites the Master Boot Record and creates a scheduled task to reboot the system. Once the system reboots, the malware displays a ransom note which demands a payment of $300 in bitcoin.

Command and Control

Petya contains no Command and Control mechanisms that we know of. After a host is infected, there is no communication from the malware back to the attacker.

Lateral Movement

Petya uses three mechanisms to spread to additional hosts.

• Petya scans the local /24 to discover enumerate ADMIN$ shares on other systems, then copies itself to those hosts and executes the malware using PSEXEC. This is only possible if the infected user has the rights to write files and execute them on system hosting the share.
• Petya uses the Windows Management Instrumentation Command-line (WMIC) tool to connect to hosts on the local subnet and attempts to execute itself remotely on those hosts. It can use Mimikatz to extract credentials from the infected system and use them to execute itself on the targeted host.
• Petya finally attempts to use the ETERNALBLUE exploit tool against hosts on the local subnet. This will only be successful if the targeted host does not have the MS17-010 patches deployed.

Affected countries: UK, Ukraine, India, the Netherlands, Spain, Denmark, and others

Behavior:

Encrypts MFT (Master File Tree) tables for NTFS partitions and overwrites the MBR (Master Boot Record) with a custom bootloader that shows a ransom note and prevents victims from booting their computer.

Prevention Steps:

1. Block source E-mail address:wowsmith123456@posteo.net

2. Block below domains:

http://mischapuk6hyrn72.onion/

http://petya3jxfp2f7g3i.onion/

http://petya3sen7dyko2n.onion/

http://mischa5xyix2mrhd.onion/MZ2MMJ

http://mischapuk6hyrn72.onion/MZ2MMJ

http://petya3jxfp2f7g3i.onion/MZ2MMJ

http://petya3sen7dyko2n.onion/MZ2MMJ

http://benkow.cc/71b6a493388e7d0b40c83ce903bc6b04.bin 

COFFEINOFFICE.XYZ

http://french-cooking.com/

3. Block below IPs:

95.141.115.108

185.165.29.78

84.200.16.242

111.90.139.247    

4. Apply latest below patches:

https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

5. Disable SMBv1

6. Update Anti-Virus hashes

a809a63bc5e31670ff117d838522dec433f74bee

bec678164cedea578a7aff4589018fa41551c27f

d5bf3f100e7dbcc434d7c58ebf64052329a60fc2

aba7aa41057c8a6b184ba5776c20f7e8fc97c657

0ff07caedad54c9b65e5873ac2d81b3126754aac

51eafbb626103765d3aedfd098b94d0e77de1196

078de2dc59ce59f503c63bd61f1ef8353dc7cf5f

7ca37b86f4acc702f108449c391dd2485b5ca18c

2bc182f04b935c7e358ed9c9e6df09ae6af47168

1b83c00143a1bb2bf16b46c01f36d53fb66f82b5

82920a2ad0138a2a8efc744ae5849c6dde6b435d

myguy.xls EE29B9C01318A1E23836B949942DB14D4811246FDAE2F41DF9F0DCD922C63BC6

BCA9D6.exe 17DACEDB6F0379A65160D73C0AE3AA1F03465AE75CB6AE754C7DCB3017AF1FBD

What are the details of Symantec's protection?

Network-based protection

Symantec has the following IPS protection in place to block attempts to exploit the MS17-010 vulnerability:

• OS Attack: Microsoft SMB MS17-010 Disclosure Attempt (released May 2, 2017)
• Attack: Shellcode Download Activity (released April 24, 2017)

Symantec encourages to install all features of Symantec Endpoint Protection on all the machines for best protection.

Antivirus

• Ransom.Petya

SONAR behavior detection technology

• SONAR.Module!gen3

Conclusion

Ransomware attacks are very common, but they are rarely coupled with an exploit that allows the malware to spread as a network worm. The WannaCry attacks in May, 2017 demonstrated that many Windows systems had not been patched for this vulnerability. The spread of Petya using this vulnerability indicates that many organizations may still be vulnerable, despite the attention WannaCry received.

Following are the highlights of the SCU 2017-1:

New features

The SCU 2017-1 includes the following new features:

• Command-based data collection support for UNIX platform

  From SCU 2017-1 onwards, command-based data collection support for UNIX platform is available in CCS. You can use this feature in both the agent-based and the agentless methods of data collection.

By using this feature, you can achieve the following:

 -> Collect data and assess security configuration of middleware and third-party applications that are currently not supported out-of-the-box by CCS.

 -> Create customized command-based checks in CCS Standards Manager, and collect and evaluate data for UNIX assets in your system.

Note: To use this feature you must upgrade your CCS deployment to the 11.5.2 version (Product Update 2017-1).

• Automated MS SQL password management in agent-based data collection

  From SCU 2017-1 onwards, you can choose to automate the process of password management for SQL Server instances and SQL Server clusters while collecting agent-based raw data from these assets.

By using this feature, you can achieve the following:

 -> Quickly ensure that MS SQL user passwords configured for data collection are changed as per the password policy of your organization.

 -> Improve the security practices of your organization by managing passwords without any human intervention.

• Data collection support for Windows Server Core platform

  From SCU 2017-1 onwards, agent-based and agentless data collection support for assets that run Windows Server Core operating systems is available in CCS. By using this support, you can now take informed decisions about the security configuration of Windows Server Core assets in your environment.

• Data collection support for SUSE Linux Enterprise Server 12 platform

  From SCU 2017-1 onwards, data collection support for SUSE 12 assets is available in CCS. By using the Security Essentials for SUSE Linux Enterprise Server 12 standard available in this SCU, you can collect and evaluate data to secure SUSE Linux Enterprise Server 12 assets in your system.

• Data collection support on 64-bit CCS agent for RHEL 7.x server assets

  From SCU 2017-1 onwards, data collection support on 64-bit agent for Red Hat Enterprise Linux 7.x server assets is available in CCS.

New technical standards

The SCU 2017-1 contains the following new technical standards:

• CIS Benchmark for Red Hat Enterprise Linux 6, v2.0.2
• CIS Benchmark for Cisco IOS 15, v4.0.0 (level 1 profile)
• Security Essentials for Junos OS 15.x Devices
• Security Essentials for SUSE Linux Enterprise Server 12

Updated technical standards

The CIS Red Hat Enterprise Linux 7.x Benchmark v2.1.1 standard is an updated standard in SCU 2017-1.

New regulatory framework

The SCU 2017-1 contains the following new regulatory framework:

• Australian Government Information Security Manual (ISM) 2016 Release

For more details and downloading the web packages and agent tpks visit following page:

https://www.symantec.com/security_response/securityupdates/detail.jsp?fid=ccs&pvid=scu&year=&suid=20170601_00

Do let us know for any questions/queries regarding this SCU release.

Regards,

Chetan

Protirus were asked to solve the problem of providing additional functionality to Symantec’s DLP Endpoint Agent without impacting the end user. We did this by creating a development framework that allows us integrate DLP Endpoint and any customer applications via the Endpoint flex response functionality.

In this video you will find examples of the following bespoke flex response rules:

• An integration between the customers DLP endpoint solution and their incumbent RMS platform. This allowed the DLP endpoint agent to automatically protect the customers data, on the move, with Security Templates without any user interaction
• Executing customer created PowerShell scripts. This allowed the DLP endpoint agent to automatically block and then redact specific keywords from documents before transferring them over the network or even out to the internet, with no or limited user interaction.

Original Case Study: https://protirus.com/Cases/Detail/26

The security documentation provided by WordPress and found online for plugin security is sparse, outdated or unclear. This cheat sheet is intended for Penetration Testers who audit WordPress plugins or developers who wish to audit their own WordPress plugins. This cheat sheet can be effectively used to test various WordPress plugins.

Cross-Site Scripting (XSS)

Check if the following global PHP variables are echo'd to pages, or stored in the database and echo'd at a later time without first being sanitised or output encoded.

• $_GET
• $_POST
• $_REQUEST
• $_SERVER['REQUEST_URI']
• $_SERVER['PHP_SELF']
• $_SERVER['HTTP_REFERER']
• $_COOKIE

(Note: the list of sources above is not extensive nor complete)

Cross-Site Scripting (XSS) Tips

The following functions can cause XSS if not secured:

• add_query_arg()
• remove_query_arg()

See References Below:

When doing dynamic testing for XSS the following setting in the wp-config.php file may reduce false positive results as it prevents administrative and editor users from being able to embed/execute JavaScript/HTML, which by default they are permitted to do.

define( 'DISALLOW_UNFILTERED_HTML', true );

SQL Injection

Unsafe API methods (require sanitising/escaping):

• $wpdb->query()
• $wpdb->get_var()
• $wpdb->get_row()
• $wpdb->get_col()
• $wpdb->get_results()
• $wpdb->replace()

Safe API methods (according to WordPress):

• $wpdb->insert()
• $wpdb->update()
• $wpdb->delete()

Safe code, prepared statement:

<?php $sql = $wpdb->prepare( 'query' , value_parameter[, value_parameter ... ] ); ?>

Note: Before WordPress 3.5 $wpdb->prepare could be used insecurely as you could just pass the query without using placeholders, like in the following example:

$wpdb->query( $wpdb->prepare( "INSERT INTO table (user, pass) VALUES ('$user', '$pass')" ) );

SQL Injection Tips

Unsafe escaping ('securing') API methods:

• esc_sql() function does not adequately protect against SQL Injection - see refs below
• escape() same as above
• esc_like() same as above
• like_escape() same as above

<?php $wpdb->show_errors(); ?> <?php $wpdb->hide_errors(); ?> <?php $wpdb->print_error(); ?>

File Inclusion

• include()
• require()
• include_once()
• require_once()

PHP Object Injection

• unserialize()

Command Execution

• system()
• exec()
• passthru()
• shell_exec()

PHP Code Execution

• eval()
• assert()
• preg_replace() dangerous "e" flag deprecated since PHP >= 5.5.0 and removed in PHP >= 7.0.0.

Authorisation

• is_admin() does not check if the user is authenticated as administrator, only checks if page displayed is in the admin section, can lead to auth bypass if misused.
• is_user_admin() same as above
• current_user_can() used for checking authorisation. This is what should be used to check authorisation.

Open Redirect

• wp_redirect() function can be used to redirect to user supplied URLs. If user input is not sanitised or validated this could lead to Open Redirect vulnerabilities.

Cross-Site Request Forgery (CSRF)

• wp_nonce_field() adds CSRF token to forms
• wp_nonce_url() adds CSRF token to URL
• wp_verify_nonce() checks the CSRF token validity server side
• check_admin_referer() checks the CSRF token validity server side and came from admin screen

SSL/TLS

• CURLOPT_SSL_VERIFYHOST if set to 0 then does not check name in host certificate
• CURLOPT_SSL_VERIFYPEER if set to FALSE then does not check if the certificate (inc chain), is trusted
• Check if HTTP is used to communicate with backend servers or APIs. A grep for "http://" should be sufficient.

Further reading/references:

1. https://developer.wordpress.org/plugins/security/
2. https://codex.wordpress.org/FunctionReference/escsql
3. https://blog.sucuri.net/2015/04/security-advisory-xss-vulnerability-affecting-multiple-wordpress-plugins.html
4. https://secure.wphackedhelp.com/fixmysite.html
5. https://curl.haxx.se/libcurl/c/CURLOPTSSLVERIFYHOST.html
6. https://www.owasp.org/index.php/OWASPWordpressSecurityImplementationGuideline
7. http://php.net/manual/en/function.preg-replace.php

This will helps download, install and configure Symantec Endpoint Protection (SEP) and desinged for defult, first time managed client installation of 500 or fewer.

• Preinstall: Check System requirements
• Step 1: Download Symantec Endpoint Protection
• Step 2: Install Symantec Endpoint Protection Manager
• Step 3: Activate your license and add a group
• Step 4: Install the Symantec Endpoint Protection clients 
• Step 5: Check that the latest definitions are installed
• Step 6: Check the database backup settings
•  
•  

Before you install SEP Manager or the SEP clients, perform the following steps:

--> First Download "SymDiag" for preinstall system requirement

1. Download Symantec Endpoint Protection

• If you have any issue for received an Order Fulfillment email with your license certificate, contact Symantec Customer Support by phone for further assistance. 

             --> First go to FileConnect

            --> Type the serial number that you found in your Order Fulfillment email. The serial number is case-sensitive. 

            --> Than Submit Serial Number

            --> Select the appropriate version based on language, such as Symantec Endpoint Protection 14 - International English. 

            --> Click the plus sign next to a file name to expand the information about it. The file name that includes the phrase Full Installation contains Symantec Endpoint Protection Manager.

           --> download the file, click the file link next to HTTPS Download.

           --> Repeat this process for any additional files that you want to download. When you are finished, you can close the browser window.

         2. Install Symantec Endpoint Protection Manager 14

            --> where you downloaded the Symantec Endpoint Protection installation file, double-click the file to extract all files. If you see an Open File - Security Warning prompt, click Run. 

           --> Type or browse to a location to extract to, and then click Extract. 

           --> When the extraction finishes, find and double-click Setup.exe

           --> Click Install Symantec Endpoint Protection. 

          -->  Accept the terms and condition given in the license agreement and then click install.

         --> On the Welcome to the Management Server Configuration Wizard panel, click Default configuration, and then click next.

        --> Fill out the required fields to create the system administrator account and email address to which Symantec Endpoint Protection Manager sends notifications, and then click next.

for futher more information read out pdf, which is i attach with article.

Thanks,

Devang Raval.

(SOC Analyst)

Sequretek IT Solution Pvt. Ltd.

+91 99984 00299

(devang.raval@sequretek.com)

Dear All,

I'd tried to get information about how to read current definitions on Symantec via Python on your site but unfortunately I could not. After that I tried to get it by myself and created on Python the code below.

import os
import platform
import winreg

def get_registry_value(key, subkey, value):
    key = getattr(winreg, key)
    handle = winreg.OpenKey(key, subkey)
    (value, type) = winreg.QueryValueEx(handle, value)
    return value

if windowsbit.find("64") == -1:
    strWinX = "32Bit"
else:
    strWinX = "64bit"

if strWinX == "64bit":
    SEPstatus = get_registry_value("HKEY_LOCAL_MACHINE","SOFTWARE\\WOW6432Node\\Symantec\\Symantec Endpoint Protection\\AV","UsingPattern")
else:
    SEPstatus = get_registry_value("HKEY_LOCAL_MACHINE","SOFTWARE\\Symantec\\Symantec Endpoint Protection\\AV","UsingPattern")

SEPyear = str ((SEPstatus >> 18) + 1998)
SEPmonth = (SEPstatus >> 14)
SEPmontha = str ((SEPmonth & 0x0f))
SEPday = (SEPstatus >> 9)
SEPdaya = str ((SEPday & 0x1f))

strSEPdate = SEPdaya + "/" + SEPmontha + "/" + SEPyear # day/month/year format
print(strSEPdate)

Thanks in advance.

Regards.

Hello again,

            With your serial number when you log on to fileConnect for SEP (Symantec Endpoint Protecation). There are the file that you can download. 

            What you download from FileConnect depends on how you plan to implement SEP in your organization. You don't need to download every file displayed in the FileConnect list.

            Most files begin with the product name and version (shown here as ProductVersion), and end with the product’s language code (shown here as language). Bold text in the file name highlights what the file contains.

• All files

                 If you want full installation file, which includes management console (Symantec Endpoint Protection Manager (SEPM)), clients for Windows, Mac, and Linux, the supplemental tools and some of the virtualization tools.

               --> Symantec_Endpoint_Protection_ProductVersion_Full_Installation_language.exe

Note: This file is a self-extracting archive, which prompts you to choose a folder in which to save the extracted files. The default is to save the files in the same folder as the downloaded file. You should create a new folder for the extracted files.

• Individual files

                  --> If you just need the standalone client installers for Windows, Mac, and Linux, download:
                        "Symantec_Endpoint_Protection_ProductVersion_All_Clients_language.zip"

                 --> If you just need the management console and server, download:
                        "Symantec_Endpoint_Protection_ProductVersion_SEPM_language.zip"

                 --> (12.1.x only) If you just need the tools to take advantage of virtualization enhancements, such as Security Virtual Appliance or Shared Insight                         Cache, download: "Symantec_Endpoint_Protection_12.1.5_Virtual_Toolkit_ML.zip"

• Additional files

                 --> If you also use SSIM (Symantec Security Information Management) , download:
                      (14) symantec_sim_8_0_103_win_en.exe
                      (12.1.x) symantec_sim_7_6_78_win_en.exe

                --> (12.1.x only) If you also use a Symantec Management Platform solution and want tools to integrate the management of Symantec Endpoint                           Protection installations, download: "Symantec_Endpoint_Protection_Integration_Component_7_1_2.zip"

 --> Detailed file information

         -- Full installation (all files)

          Symantec_Endpoint_Protection_ProductVersion_Full_Installation_language.exe contains the following:

• Symantec Endpoint Protection Manager
• Symantec Endpoint Protection unmanaged client installer for Windows, 32-bit
• Symantec Endpoint Protection unmanaged client installer for Windows, 64-bit
• Symantec Endpoint Protection unmanaged client installer for Mac
• Symantec Endpoint Protection unmanaged client installer for Linux
• Tools, a folder that contains the following optional or advanced tools:

                 --> Apache Reverse Proxy

                --> Central Quarantine (12.1.x only)

                --> CleanWipe

                --> Content Distribution Monitor

               --> DeviceInfo (14 only)

               --> DevViewer

               --> Integration for Symantec Endpoint Protection Remote Monitoring and Management (RMM) SDK (12.1.x only)

               --> IT Analytics

              --> JAWS screen reader (assistive technology) scripts

              --> NoSupport, a folder containing unsupported tools

              --> Offline Image Scanner* (12.1.x only)

              --> Push Deployment Wizard

             --> SylinkDrop

             --> SymDiag

             --> Virtualization, a folder containing Security Virtual Appliance information (12.1.x only), Shared Insight Cache*, and Virtual Image Exception*

             --> WebSevicesDocumentation, which includes the Symantec Endpoint Protection Remote Monitoring and Management (RMM) SDK (14 only)

Note:- Items with a star (*) are included in the Virtual Toolkit download (12.1.x only). You must download the Virtual Toolkit for the Security Virtual Appliance .ova file.

Symantec Endpoint Protection clients only

"Symantec_Endpoint_Protection_ProductVersion_All_Clients_language.zip" contains the following:

• Symantec Endpoint Protection unmanaged client installer for Windows, 32-bit
• Symantec Endpoint Protection unmanaged client installer for Windows, 64-bit
• Symantec Endpoint Protection unmanaged client installer for Mac
• Symantec Endpoint Protection unmanaged client installer for Linux

Symantec Endpoint Protection Manager only

"Symantec_Endpoint_Protection_ProductVersion_SEPM_language.zip" contains the following:

• Symantec Endpoint Protection Manager

Symantec Security Information Management (SSIM)

     --> "symantec_sim_ProductVersion_win_en.exe" installs files for supporting an SSIM installation.

Symantec Endpoint Protection Integration Component for Symantec Management Platform

(12.1.x only) "Symantec_Endpoint_Protection_Integration_Component_7_1_2.zip" contains the following:

       --> Symantec Installation Manager Setup (.exe)

if you have any query than let me know.

Lorem ipsum dolor sit amet, mei idque nihil cu. Dicta diceret mel ad. Nam te omnis petentium, movet ubique nec ad, ei dicant graeco quaestio quo. Nam causae omnium quaestio ex, ne nonumy maiestatis moderatius cum, in purto placerat molestiae duo. Mel no facer ocurreret adolescens, duo persius epicurei recteque in. Ad solum nostrud sit, nec ad tacimates iracundia repudiandae.

Lorem ipsum dolor sit amet, mei idque nihil cu. Dicta diceret mel ad. Nam te omnis petentium, movet ubique nec ad, ei dicant graeco quaestio quo. Nam causae omnium quaestio ex, ne nonumy maiestatis moderatius cum, in purto placerat molestiae duo. Mel no facer ocurreret adolescens, duo persius epicurei recteque in. Ad solum nostrud sit, nec ad tacimates iracundia repudiandae.

This is only for windows 7 and installation of SEP 12.1 

-->  First Download SEP_Package_unmanaged from following link

Download the latest version of Symantec Endpoint Protection

--> After Download SEP_Package_unmanaged extract it.

--> Than right click on setup.exe and run as administrator.

(Because if you want to advantage of all SEP than you must run with administrator.)

​

4. Than it will process automatically.

​

​

--> Setup will automatically download catalogs file for installations.

--> After complete installation your machine ask for reboot

SEP Gives you following advantages for security purpose.

--> You can also check the antivirus logs, there are different types of logs available, following screenshot gives you idea about different types of logs (Defult Scan logs, Risk logs, System log.)

--> You can also investigate for the "Proactive Therat Protecation logs, Network Therat Protecation logs and Client Management logs".

If any concern than let me know.

Thanks,

Think about this scenario: a department neet to protect an account and password table, but, it cannot be provided to the DLP administrator to create the EDM index as it's sensitive to other department.

Remote EDM Indexing enables the owner of the data, rather than the DLP administrator, to index the data on a remote machine.

Here are the graphical steps to implement Remote EDM Indexing.

We just assume that the data needed to be protected is an account/password table, just like this:

1. Firstly, install Remote EDM Indexer on the machine of the data owner. The Remote EDM Indexer is installed from the same installation program as the other Symantec DLP components. Run the ProtectInstaller64_14.6.exe:

2. Choose to install the 'Indexer' only and no other components:

3. The Remote EDM Indexer is named RemoteEDMIndexer.exe under the SymantecDLP\Protect\bin:

4. From DLP Enforce console, select 'Manage' - 'Data Profiles' - 'Exact Data':

5. Click 'Add Exact Data Profile':

6. Enter a name of the profile, in the 'Data Source' field, select 'Use This File Name', and enter the name of the index file to create with the *.edm extension; input the number of columns; select 'Column Separator Char' and 'File Encoding' accordingly:

7. Do not select any Indexing option, click 'Finish' to complete the profile creation process:

8. Download the EDM profile by click 'download profile' link:

9. Save the EDM profile as a file with *.edm extension:

10. Assume there are three folders, the 'account-password-source' for the source file to be protected, the 'account-password-index' for the EDM profile file that downloaded in step 9, the 'account-password-index-result' for the Remote EDM Profile result:

11. Copy the source file to be protected into 'account-password-source' folder:

12. Copy the EDM Profile file that downloaded in step 9 in the 'account-password-index' folder:

13. Run Windows cmd, change the directory to the Remote EDM Indexer installed, run this command to generate the remote index files:

RemoteEDMIndexer.exe -data=C:\account-password-source\account-password.txt -profile=C:\account-password-index\account-password.edm -result=C:\account-password-index-result

confirm the command run successfully:

14. After the indexing process completes, the Remote EDM Indexer generates several files in the specified result directory. There files are named after the data file that was indexed, with one file have the .pdx extension and another file with .rdx extension. The system generates 12 .rdx files:

15. Copy all the index files with .pdx and .rdx extensions to the index directory on the Enforce Server which is located at \SymantecDLP\Protect\Index:

16. From DLP Enforce console, select 'Manage' - 'Data Profiles' - 'Exact Data', click the name of the Exact Data Profile used with the Remote EDM Indexer, select 'Load Externally Generated Index' of the 'Data Source' field, click to select 'Submit Indexing Job on Save' of the 'Indexing' field, then click 'Save' button:

17. Finally, you can select to add this EDM rule to a detection policy:

Who: SEPM Administrator
What: Sylink Debugging/Logging
When: When you determine there is a communication issue between SEP client(s) and the SEPM
Where: Enabled via the registry (Windows)
Why: Troubleshooting communication issues
How: How to enable Sylink debugging for Endpoint Protection clients

Enabling and reviewing the sylink debug log is the first step in troubleshooting communication issues between SEP client(s) and the SEPM. It reveals a great amount of information on what's really going on behind the scenes. However, the problem is that it's not always easy to review the log and understand how to interpret it. My purpose is to change that with this article. I want it to be dynamic and have a life of its own. I urge everyone to contribute to it by adding comments below as I'll be constantly updating this article with new information that has been posted. If you've ever reviewed a sylink log in detail than you know how frustrating it can be at times. Let's get this started and help out SEPM admins who's responsibility it is to review sylink logs.

I'll start by adding my list of "keyword searches" and error codes that I've used and seen in the past.

Keyword searches in the sylink log:

</SSARegData>

HEARTBEAT:

<SendRegistrationRequest:>

<ParseHTTPStatusCode:>

HTTP returns status code=

EVENT_LICENSE_EXPIRATION_DAYS

Got Gup

Got data

Error codes/messages in the sylink log:

<ParseHTTPStatusCode:>503=>503 SERVICE NOT AVAILABLE

<ParseHTTPStatusCode:>400=>400 Bad Request

<ParseHTTPStatusCode:>469=>469 CONTENT PENDING

<ParseHTTPStatusCode:>200=>200 OK

<ParseHTTPStatusCode:>500=>500 INTERNAL SERVER ERROR

<ParseHTTPStatusCode:>0=>Uninterpreted Status

<ParseHTTPStatusCode:>468=>468 Request not allowed

<ParseHTTPStatusCode:>403=>403 Forbidden

<ParseHTTPStatusCode:>404=>404 Not Found

<ParseHTTPStatusCode:>407=>Uninterpreted Status

Here's your opportunity now. What keywords do you search for or what errors codes have you seen that helped you fix a problem between SEP client(s) and the SEPM?

Responses from Symantec employees would also be very much appreciated as I'm sure there are many more that can be added.

Please contribute and help make interpreting the sylink log easier for SEPM admins everywhere.

Feel free to reach out to me privately as well if you need anything.

Thanks,

Brian

On the Symantec site, you can not search malwares by its hash, as for now. I made two scripts to help you, if there is a need to check a lot of hashes.
You will need a free VirusTotal account, to use them. From you profile, get your Public API Key (My API Key menu entry), and copy it into the scripts to the marked area in the scripts.
In HashList.txt, one hash (MD5, SHA1, SHA256) per line, you can list the hashes to check. The example contains the EICAR test hash.
VirusTotal-ReScanHash.ps1 will initiate the recheck of the sample with the latest definitions, this can come in handy, with relatively new potential malware, when the before-latest definition could not, but the latest might detect it. It is recommended to run this before generating a report with the other script VirusTotal-GetReport.ps1. This one will check, by its hash, if SEP can detect it or not, according to its VirusTotal detection, and also outputs the name, by it is detected. Output is in SEP_detection.txt.

Notes:
- Unfortunately, Public API access to VirusTotal is limited to 4/minutes, so there is a 26 second sleep between requests (if you have a private API key, feel free to remove the Sleeps). But for most cases (for me surely), it is faster then going manual, even with this limitation.
- The initiated rescan might take a little time to finish!

Additional credit goes to:
"David B Heise" - thanks for the VT API PS module (Invoke-VTRescan) - Source: https://psvirustotal.codeplex.com !
https://virustotal.com - thanks for the public API!

The Zero Trust Model, a conviction where by both internal and external entities can never be trusted, is a mature security principle seen in cyber security as Nirvana which has become quite relevant nowadays largely due to cloud computing.

Many security products try to implement a Zero Trust Model on cloud workloads via application whitelists/blacklists or through an approved point-in-time workload baseline. Regrettably, none of these tactics provide zero trust leading to wasted opportunities. As a matter of fact, a major unrecognized security threat that many organizations face in their environment is a trusted workload being compromised. The flaw of these tactics come down to the fact that underlying components of the workload, i.e. OS components, or existing binaries are trusted by default. For example, if a Workload was compromised by a vulnerability, the first action an attacker will take is to try and access operating system components such as administration utilities, i.e. powershell.exe, to do their nefarious business. If powershell.exe is trusted to execute without restriction, there is no chance of preventing an attack. We see this today in many of today’s popular file-less attacks such as Petya and WannaCry, ransomware malcode that manipulate existing files that live on the system to create a devastating effect as part of their attack.

Symantec Cloud Workload Protection (CWP) is the evolution of the proven and mature Data Center Security: Server Advanced product built in the cloud, for the cloud. Unlike whitelisting or approved baselines tactics, which are in no way substitute techniques to place zero reliance on trust when it comes to workload security, CWP provides policy-based controls that enforce Least Privilege Access Control (LPAC) with a low impact agent to monitor and protect hybrid and cloud environments existing in both AWS and Azure.

In CWP’s workload segmentation model every application, service, daemon or kernel process is encapsulated. Inside each capsule, LPAC works intelligently to only allow exactly the right access to relevant resources on a workload. The workload actions are never fully trusted - although allowed to perform its desired functions - and isolated from the underlying system and running processes. This is critical because there is often a large “gap” between the resources and privileges requested by a workload and those resources and privileges it actually needs to execute correctly and safely. This “gap” is what hackers and cyber criminals look to exploit.

The LPAC approach is almost the direct opposite to of traditional methods. It creates a condition where no trust is granted to any user, application, service or operating system component if that element starts to behave suspiciously. In this way, policies can be simply applied to a workload to make it impenetrable to insider or external attack without having to intently look at which application is running, baseline the workload or learn what applications are in use day to day.

This approach is looked upon favorably by Compliance and Risk analysts and Auditors alike. The LPAC approach even allows for removal of full administrator or root privileges from DevOps staff, thereby reducing the threats from insider attack or from well-meaning “misconfiguration” of the workload.

SysAdmin Day is an annual event celebrated on the last Friday in July and exists to show appreciation for the work of Sys Admins and other IT workers.

Your network is secure, your computer is up and running, and your printer is jam-free. Why? Because you’ve got an awesome sysadmin (or maybe a whole IT department) keeping your business up and running. So say IT loud; say IT proud …

But it's not all roses and sunshine right? I'm sure you all have your own tales of woe and have had things go downhill and hit the fan. As bad as you think your story is, there always seems to be another story that makes yours look like a cake walk.

Tell us your story in the comments below, we want to hear about your worst day at work and we will award you 100 Connect Reward Points. Please keep your comments "Safe for Work" or PG-13.

Naturally there are some rules - comment as often as you like, but only one comment per Connect community member will be eligible to receive Connect Reward Points. We will accept comments until Midnight August 2, 2017 PDT 

If you need help uploading a photo to your comment, there is a How To post here: How to upload an image.

This article is the tenth installment in an on-going series of articles on how to utilize SEP for Incident Response. The complete index to my SEP Incident Response articles can be found here:

How to utilize SEP for Incident Response - Complete Index

In this article, I will demonstrate the steps needed to use the custom IPS feature to detect inbound network connections on clients running SEP.

Note: This applies to both SEP 12.1 and SEP 14

To start using custom IPS, login to the SEPM and go to Policies >> select the Custom Intrusion Prevention Signatures tab:

Select Add Custom Intrusion Prevention Signatures...

On the Signatures select Add... to add a new group and give it a name:

On your newly created group select Add... to build your signature like so:

To detect inbound network connections attempts, enter in the following syntax:

rule tcp, dest=(0), tcp_flag&ack, daddr=(0.0.0.0/0), msg="Inbound Connection Attempt Detected", content="SYN"

Click OK twice to save your changes and make sure you enable Custom Intrusion Prevention from the Clients page:

Once the client has received the new policy, custom IPS signature detections are logged to the Security Log on the SEP client:

You can also view them from the SEPM using the Network and Host Exploit Mitigation Log:

As always, please leave feedback, comments, or questions. Or you can reach out to me directly.