
Symantec Endpoint Protection

Description

Vendor : Symantec

Product : Symantec Endpoint Protection (SEP)

Log type(s) : ids, fw, av

Theoretical injector performance

24923 EPS

Log sample

myServer: S0308805,[SID : 28732] attaque de System Infected: Adware.Gen Activity 6 bloquée. Le trafic a été bloqué pour cette application : \DEVICE\HARDDISKVOLUME1\USERS\U457203\APPDATA\LOCAL\{58856ED9-7C2D-0261-11B5-278935DDDB11}\UNINSTALL.EXE,Local: 1.1.1.1,Local: 000000000000,Remote: ,Remote: 2.2.2.2,Remote: 000000000000,Inbound,TCP,Intrusion ID: 0,Begin: 2016-03-14 20:03:52,End: 2016-03-14 20:03:52,Occurrences: 1,Application: /DEVICE/HARDDISKVOLUME1/USERS/U457203/APPDATA/LOCAL/{58856ED9-7C2D-0261-11B5-278935DDDB11}/UNINSTALL.EXE,Location: Outside,User: U457203,Domain: PROXIMITE,Local Port 49222,Remote Port 80,CIDS Signature ID: 28732,CIDS Signature string: System Infected: Adware.Gen Activity 6,CIDS Signature SubID: 66196,Intrusion URL: wcyud.com/?v=3.18#to_replace#pcrc=1251370627#to_replace#LSVRDT=#to_replace#ty=Uninstall,Intrusion Payload URL: 
myServ: Compressed File,IP Address: 1.1.1.1,Computer name: MK62W024,Source: Scheduled Scan,Risk name: Infostealer.Limitail,Occurrences: 1,f:\Mes Documents\MANU\QS10856.rar,'Contient encore 1 éléments infectés',Actual action: Left alone,Requested action: Left alone,Secondary action: Left alone,Event time: 2016-01-24 02:49:37,Inserted: 2016-01-24 03:05:57,End: 2016-01-24 02:49:37,Last update time: 2016-01-24 03:05:57,Domain: Default,Group: My Company\Serveurs\Cafet Serveurs,Server: XC001WC5,User: SYSTEM,Source computer: ,Source IP: ,Disposition: Good,Download site: null,Web domain: null,Downloaded by: null,Prevalence: Reputation was not used in this detection.,Confidence: Reputation was not used in this detection.,URL Tracking Status: Off,,First Seen: Reputation was not used in this detection.,Sensitivity: Low,MDS,Application hash: ,Hash type: SHA1,Company name: ,Application name: ,Application version: ,Application type: -1,File size (bytes): 0,Category set: Malware,Category type: Virus
SymantecServer: Scan ID: 1484555122,Begin: 2017-01-16 09:28:29,End: 2017-01-16 09:50:34,Completed,Duration (seconds): 1325,User1: SYSTEM,User2: SYSTEM,'Scan started on selected drives and folders and all extensions.','Scan Complete:  Risks: 0   Scanned: 2218   Files/Folders/Drives Omitted: 0 Trusted Files Skipped: 1939',Command: Not a command scan (),Threats: 0,Infected: 0,Total files: 2218,Omitted: 0,Computer: TARGETPC,IP Address: 1.1.1.1,Domain: mydomain-intra.net,Group: My Company\mydomain-intra.net\Helsinki\Workstation,Server: mysymantechost2
SymantecServer: 1B3HY3J,The client will block traffic from IP address 1.1.1.1 for the next 600 seconds (from 10/9/2016 6:15:03 AM to 10/9/2016 6:25:03 AM). ,Local: 3.3.3.3,Local: 000000000000,Remote: ,Remote: 2.2.2.2,Remote: 000000000000,Inbound,OTHERS,,Begin: 2016-10-09 07:15:03,End: 2016-10-09 07:25:03,Occurrences: 1,Application: ,Location: Default,User: user6,Domain: DOM-INTRA,Local Port 0,Remote Port 0,CIDS Signature ID: 0,CIDS Signature string: ,CIDS Signature SubID: 0,Intrusion URL: ,Intrusion Payload URL: 
SymantecServer: MYPC3,Blocked,Autorun has been blocked. Check the Control Log for more details. - Caller MD5=9d77cc4a36feea644d002cfb9b2d42c0,File Read,Begin: 2017-01-16 15:58:13,End: 2017-01-16 15:58:13,Rule: Explorer | [AC9-1.1] Autorun.inf,4480,C:/Windows/explorer.exe,0,No Module Name,F:/Autorun.inf,User: myuser4,Domain: DOM-INTRA,Action Type: ,File size (bytes): 115,Device ID: USBSTOR\Disk&Ven_BUFFALO&Prod_HD-PEU2&Rev_1.04\57442D575837304138394E39&0

Parsing explanation

Parsing process abstract

The parser is built on a CSV component, where each value may or may not carry a key (e.g. ).

The log type is then guessed from the number of columns: 17, 19, 24 or 41 fields.

Each part is then trimmed to keep only the real value. For example, for the following item : , we cut the prefix . The value is then placed under the right normalized field (i.e. [[init][host][ip]]).

Good to know: if the final trimmed value is empty (i.e. ), the normalized field is not added to the main document, so it won't appear.

Useful information

  • [[obs][ts]] always corresponds to the action;
  • [[session][duration]] is either given in a log field or calculated;
  • if the log contains a field , the [init] and [target] fields can be inverted depending on its value: for : [[target]=Local] and [[init]=Remote]; else if Outbound : [[target]=Remote] and [[init]=Local].
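The parsing steps above (CSV split, log type from the column count, "Key: value" trimming, empty values dropped, duration given or calculated, init/target inverted for Inbound traffic) as one worked example in Python. This is an added illustration, not the parser's own code; the layout names in LAYOUTS and the dotted field paths are assumptions, and the input is the Network Threat Protection block line from this page.

```python
import csv
import re
from datetime import datetime

# Assumed layout names for the four column counts the page lists (not the product's own names).
LAYOUTS = {17: "application_control", 19: "scan", 24: "network_threat", 41: "risk"}
KEYED = re.compile(r"^([A-Za-z][A-Za-z0-9 /()]*?):\s(.*)$")  # matches "Begin: 2016-10-09 07:15:03"
TS = "%Y-%m-%d %H:%M:%S"
# The Network Threat Protection block line from this page, used as the worked input.
SAMPLE = ("SymantecServer: 1B3HY3J,The client will block traffic from IP address 1.1.1.1 for the next "
          "600 seconds (from 10/9/2016 6:15:03 AM to 10/9/2016 6:25:03 AM). ,Local: 3.3.3.3,"
          "Local: 000000000000,Remote: ,Remote: 2.2.2.2,Remote: 000000000000,Inbound,OTHERS,,"
          "Begin: 2016-10-09 07:15:03,End: 2016-10-09 07:25:03,Occurrences: 1,Application: ,"
          "Location: Default,User: user6,Domain: DOM-INTRA,Local Port 0,Remote Port 0,CIDS Signature ID: 0,"
          "CIDS Signature string: ,CIDS Signature SubID: 0,Intrusion URL: ,Intrusion Payload URL: ")

def split_fields(line):
    """Drop the syslog tag before the first ': ' and split the CSV body (free text is single-quoted)."""
    return next(csv.reader([line.partition(": ")[2]], quotechar="'"))

def key_values(fields):
    """Collect 'Key: value' columns; a repeated key (Local: ip, Local: mac) keeps every value in order."""
    kv = {}
    for field in fields:
        if m := KEYED.match(field):                   # positional columns ("Inbound", "OTHERS") are skipped
            kv.setdefault(m.group(1), []).append(m.group(2).strip())
    return kv

def normalize(line):
    fields = split_fields(line)
    kv = key_values(fields)
    doc = {"layout": LAYOUTS.get(len(fields), "unknown")}  # log type guessed from the column count
    def put(path, value):                             # an empty trimmed value is not added at all
        if value:
            doc[path] = value
    put("obs.ts", kv.get("Begin", [""])[0])           # dotted path stands for [[obs][ts]]
    if "Duration (seconds)" in kv:                    # duration given in the log (scan lines) ...
        doc["session.duration"] = int(kv["Duration (seconds)"][0])
    elif "Begin" in kv and "End" in kv:               # ... or calculated from Begin/End
        delta = datetime.strptime(kv["End"][0], TS) - datetime.strptime(kv["Begin"][0], TS)
        doc["session.duration"] = int(delta.total_seconds())
    if doc["layout"] == "network_threat":
        local, remote = kv["Local"][0], kv["Remote"][1]   # Local: ip, mac / Remote: name, ip, mac
        init, target = (local, remote) if "Outbound" in fields else (remote, local)  # Inbound: remote initiated
        put("init.host.ip", init)
        put("target.host.ip", target)
    return doc
```

For the sample line the result is a 24-column network_threat document with a 600-second session calculated from Begin/End, init 2.2.2.2 and target 3.3.3.3 because the traffic is Inbound.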