Channel: Symantec Connect - Products - Downloads
Viewing all 82 articles

Extract unique risk name from different directories

This PowerShell script will read in a text file of full file paths and output the unique risk name.

Symantec treats the following risks as unique because they are in different directories, even though it is the same risk, 1051[1].js:

C:\Users\username\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3J7OGN5T\1051[1].js
C:\Users\username\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3J7OGN5T\1051[1].js
C:\Users\username\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\YHPP0ZT5\1051[1].js
C:\Users\username\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\G11ELC4W\1051[1].js
C:\Users\username\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7FJ8ALY5\1051[1].js
C:\1051[1].js
D:\TEMP\1051[1].js
\\SHARED DIRECTORY\abracadabra\1051[1].js

The script will take this list and extract the filename, which will be output as

1051[1].js
1051[1].js
1051[1].js
1051[1].js
1051[1].js
1051[1].js
1051[1].js
1051[1].js

I found this extremely helpful for data manipulation in Excel, i.e. to remove duplicate rows, because I am creating reports for management on
(1) the number of unique risks that SEP detected
(2) how SEP remediated the risk, i.e. did it Clean, Delete, or Leave it alone

See the previous thread
https://www-secure.symantec.com/connect/forums/reports-baseline-normal-behavior-sep-clients-your-environment as a reference

 

Name of script: extract_filename_from_full_path.ps1

Name of document with screenshots: How_to_run_script

Each attachment is in a .zip file
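As an added example (not the author's PowerShell script, which is in the attachment), the same extraction in Python, extended to do the report the post does in Excel: it reads a tab-separated export of path and action (a constructed sample; the column layout and the action names are assumptions), keeps the file name from Windows, UNC or forward-slash paths, folds case because Windows file names are case-insensitive, and counts detections per unique risk name and per remediation action. A paths-only file like the one the post describes also works; the action column is then recorded as missing.

```python
import csv
import io
import re
from collections import Counter, defaultdict

# Constructed sample export: full path and the action SEP took, tab-separated.
# Paths and actions are made up for this example.
SAMPLE_EXPORT = """\
C:\\Users\\username\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\3J7OGN5T\\1051[1].js\tCleaned
C:\\Users\\username\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\YHPP0ZT5\\1051[1].js\tDeleted
D:\\TEMP\\1051[1].js\tLeft alone
\\\\SHARED DIRECTORY\\abracadabra\\1051[1].js\tDeleted
C:\\Users\\username\\Downloads\\Invoice.PDF.exe\tDeleted
C:\\Users\\username\\Downloads\\invoice.pdf.exe\tCleaned
"""

MISSING_ACTION = "(not exported)"


def risk_name(full_path):
    """Return the file-name part of a Windows, UNC or forward-slash path.

    Windows file names are case-insensitive, so the name is lower-cased:
    'Invoice.PDF.exe' and 'invoice.pdf.exe' are the same risk."""
    return re.split(r"[\\/]", full_path.strip())[-1].lower()


def summarize(export_text):
    """Count detections per unique risk name and per remediation action.

    Returns (per_risk, per_action): per_risk maps risk name -> Counter of
    actions, per_action is a Counter over all rows."""
    per_risk = defaultdict(Counter)
    per_action = Counter()
    for row in csv.reader(io.StringIO(export_text), delimiter="\t"):
        if not row or not row[0].strip():
            continue                                   # blank or malformed row
        action = row[1].strip() if len(row) > 1 else MISSING_ACTION
        name = risk_name(row[0])
        per_risk[name][action] += 1
        per_action[action] += 1
    return per_risk, per_action


def unique_risk_names(export_text):
    """The de-duplicated list Excel's Remove Duplicates would give, sorted."""
    return sorted(summarize(export_text)[0])


if __name__ == "__main__":
    per_risk, per_action = summarize(SAMPLE_EXPORT)
    print("unique risks:", len(per_risk))
    for name, actions in sorted(per_risk.items()):
        print(" ", name, dict(actions))
    print("by action:", dict(per_action))
```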


Querying SIC service on a large environment

Hi,

Normally there is no option to check the SIC service status.

Here I am attaching a script to query the SIC service on remote systems.

It runs PsExec commands (download it to System32 on the local machine) over port 445.

Host names should be supplied in Hostlist.txt; the service status output goes to SIC_Service_Status.csv

Regards

Ajin

Script to download Intelligent Updater from ftp.symantec.com

Hello all,

I want to share this script to download the .exe from the Symantec FTP:

When we install a new machine, it is installed with the last setup.exe I have. That setup.exe is usually older than the current date, and I need to download the full definitions from the SEP Manager or GUP. In my case, this is a problem for me because I'm using a remote link, like an MPLS network, and that download congests my network in business hours, which is a big problem.

To resolve it, I got the script below from this website: http://www.computing.net/answers/programming/auto-update-virus-definitions-using-ftp-to-get-latest-file/27772.html and I made some changes for my environment, like deleting files older than 3 days. You need to have "forfiles" in your C:\Windows\System32, ok?

So, don't forget to change the path as you wish.

To download 64-bit, you just need to change the line with *-v5i32.exe to *-v5i64.exe; therefore, create 2 .bat files, one for each platform, which is better :)

Create a scheduled task on your server for both scripts and be happy :)

Change the script extension to .bat and enjoy!!!

Get Group Name and Group ID

I wrote a PowerShell script that queries the database that Symantec Endpoint Protection Manager is installed on, retrieves the Group Name and Group ID, and stores them in a .csv.

The documentation has screenshots on how to run the script.

Critical System Protection -- Command Match Tool

CmdmatchV2.exe, a command-line driven tool, can be used to help troubleshoot mismatches of command line arguments in policies. It is designed to mimic the IPS driver's behavior when parsing command line arguments.

In CSP, the command line arguments offer a very granular way to assign processes to process sets and to enable rules or exceptions.

To use:

  1. Extract the .zip file to a directory
  2. Navigate to the directory where the tool was extracted to
  3. Run the tool in verbose mode by entering "cmdmatchV2.exe -v". Verbose mode tells you what did or did not match.
  4. Enter the pattern that you are adding to a rule, hit Enter
  5. Copy and paste the argument that is reported in either the Event Viewer or the Management Console, hit Enter.
  6. View the output. You will see either that the whole command matched or, if there was a mismatch, where it was.

Here is a screenshot of the tool:

cmdmatchV2.jpg

Revised Datscount script

We encountered a problem at one point where a problem in our configuration caused a number of updates to sit on the manager, unable to be posted to the SQL database using the BCP utility. The result of this was that the details the console was showing us didn't represent reality: clients lagging behind vastly on their updates when we knew that they were updating properly.

I put together the enclosed script to spot-check the status of the files on the managers. The script requires a small amount of configuring with Notepad before you run it; you need to edit the following lines:

Rem Replace the server(s) with the names of your SEPMs
Set Servers=Server1,Server2,Server3,Server4
Set Interval=30
Set FullDiff=0
Setlocal Enabledelayedexpansion

Rem Replace this with your install directory for the SEPM
Set RootInstalDir=C$\Symantec\Symantec Endpoint Protection Manager

So the Servers value needs to have the names of your SEPM servers.

Second, you need to change RootInstalDir to match how you have installed your SEPM.

The result looks something like this

[ 9:21:47.84] System: SEPM1     -     RUNNING
inbox\agentinfo: 0  (0)  .Err: 0
inbox\log\client: 40  (2)  .Err: 0
inbox\log\behavior: 5  (1)  .Err: 0
inbox\log\system: 38  (2)  .Err: 0
inbox\log\security: 0  (0)  .Err: 0
inbox\log\packets: 31  (1)  .Err: 1
inbox\log\traffic: 2  (-1)  .Err: 0
inbox\log\tex\avman: 1  (1)  .Err: 0
inbox\learnedapp\computerapp: 42  (-1)  .Err: 0
**Total .Dat files: 159   (5)   Total .Err files: 1

So you see the total count in the directory, the difference since the last cycle (for example, inbox\log\traffic reduced by 1), and finally the count of .Err files. Error files would indicate a problem requiring further attention. Also we can see that the SEMSRV service is running on the SEPM1 server.

Clear temp directories script

I created this script to address systems that have run out of disk space for various reasons and are no longer updating AV definitions. The only external utility you need is PsExec, to remotely execute one of the scripts.

To clean a single system you would use: CleanMark2.cmd Systemname

To clean multiple systems, place all the system names in the BatchClrMk2.lst file and run the BatchClrMk2.cmd file.

As you would expect, you need to run these logged in as an ID that can remotely access the admin shares and delete on these remote systems.

I had originally written this to do all the deletes via the master script file, but cleaning systems that were connected via slow connections was a problem; remotely executing the commands to parse and clear the temp directories ended up speeding up the process by a serious measure.

MoveClient Script

I created a MoveClient script using PowerShell.

There are actually two scripts:

1 - get_group_IDs.ps1 generates a list of groups, along with their group IDs, to help you create an input file (based on your environment)

2 - Moveclient.ps1 is the actual script that takes the input file you created and prompts you for information about your database

The script does the following:

1. gets a list of all SEP clients in your SEPM. Depending on the number of clients in your SEPM, and the amount of operations taking place in your SEPM at a particular time, this reading of IP addresses can take a minute, or even an hour, so be patient!

2. for each SEP client, goes through the input file to see if the SEP client's IP address fits in a particular IP range. If it fits, the group ID is updated; otherwise, it is not moved. When I tested this, I noticed that going through 3,000 clients takes about an hour. Your timing may be different.

3. generates an output file, clients_that_have_been_moved.txt, that indicates which clients were moved and which were not

And because this script prompts for database information, such as the database schema, you may need help from your Database Administrator.

This script is different from the last script because you had to move ALL SEP clients to the Default Group before the script would move them. If you work with 100,000 SEP clients, spread throughout 200 groups, and are not sure whether they belong in the right group or not, well, it can drive anyone batty.

Please read the instructions - they are mostly screenshots, and I believe they are quite straightforward.

This was tested numerous times on the SEP 11 and SEP 12 Management Console. However, it is always safe to back up your database.

This community has been a great help to me in managing SEP, and I really hope this Moveclient script helps you all.


DeepSight Vulnerability Datafeed Perl Script

Attached is a Perl script written by Oliver Karow from Symantec. This script is designed to allow you to automate the download of the DeepSight Vulnerability Datafeed.

Symantec Data Loss Prevention 11.5: Administration

How to adjust proxy settings for System Account

Hello guys,

I want to share with you a problem I was having.

I have an explicit proxy in my network. I have a GPO that updates it for my clients.

Here, in my subnet, I have a WPAD script, set by DHCP and Auto-Detect in Internet Explorer, for my partners to use.

That is one point.

Well, we have cloned images to improve delivery of new machines. These images do not have SEP installed; it is installed afterwards, which causes that problem with the ID as well.

Now, here is the point!!!

I noticed some clients were using the proxy to communicate with GUPs. Those GUPs were in the same subnet, so my client used my MPLS link to go to my data center, where the proxy is, and the proxy connected to the GUPs to update the client.

I did not have the exceptions for local addresses and my subnets and names in the WPAD file. I fixed it anyway.

Well.. when I ran Internet Explorer as the System Account, I saw that Auto-Detect was enabled. I only have DHCP delivering WPAD in my subnet.

Anyway, I needed to fix the IE proxy settings for the System Account. I needed to set a proxy and the correct exceptions.

Below, we have the most important part: how to adjust it!!!

If you have the same or a similar problem, you can follow along :)

1 - Create a .bat script with these lines below:

@echo off

REM Created by Diego Maciel Gomes, at 12-14-2013
REM Script created to adjust IE proxy settings for system account

REM bitsadmin is a windows utility
REM here, we clear whole proxy config
bitsadmin /util /setieproxy localsystem NO_PROXY

REM here, we set the proxy and exceptions
REM change proxy.company.com according with your. Adjust the port and exceptions as well.
bitsadmin /util /setieproxy localsystem MANUAL_PROXY proxy.company.com:3128 "<local>*.company.com; 172.19.*; 172.20.*;"

exit

2 - Create a computer GPO and associate this script to run at Startup (at this moment, I assume you know how to do it)

3 - You can check the update with regedit:

HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings

The key above holds the stored config for the System Account.

 

Here, I show a line of my squid proxy log that shows the wrong connection:

1387277796.586   9188 172.20.163.158 TCP_MISS/200 1454326 GET http://172.20.163.21:2967/content/{55DE35DC-862A-44c9-8A2B-3EF451665D0A}/131216011/xdelta131213011.dax - DIRECT/172.20.163.21 text/plain

After running the script above, the machine does not use the proxy anymore. The traffic is direct and saves my bandwidth.

I hope it helps you like it helped me!

Feel free to ask me something :)

Regards,

Diego
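As an added example that is not part of Diego's post, the following Python checks a squid access.log for exactly the misrouted traffic shown above: SEP content fetched on the GUP port through the proxy by a client that sits in a subnet with its own GUP. The log lines are constructed (the first copies the shape of the line in the post), the local subnets and the 2967 port are assumptions to adapt to your network, and the last helper turns those subnets into the wildcard form used in the bitsadmin bypass list.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Squid native access.log layout:
# time elapsed client result/status bytes method URL ident hierarchy/peer type
SQUID_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+(?P<result>\S+)\s+"
    r"(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<ident>\S+)\s+"
    r"(?P<hier>\S+)\s+(?P<ctype>\S+)$")

# Assumed: subnets that have their own GUP and should never reach it via the proxy.
LOCAL_SUBNETS = [ipaddress.ip_network("172.19.0.0/16"),
                 ipaddress.ip_network("172.20.0.0/16")]
GUP_PORT = 2967  # assumed: the port SEP clients use for GUP/SEPM content

# Constructed log lines; only the first mirrors the line shown in the post.
SAMPLE_LOG = """\
1387277796.586   9188 172.20.163.158 TCP_MISS/200 1454326 GET http://172.20.163.21:2967/content/{55DE35DC-862A-44c9-8A2B-3EF451665D0A}/131216011/xdelta131213011.dax - DIRECT/172.20.163.21 text/plain
1387277800.101    120 172.20.163.158 TCP_MISS/200 5120 GET http://www.example.com/index.html - DIRECT/93.184.216.34 text/html
1387277810.555    450 10.5.5.9 TCP_MISS/200 1454326 GET http://172.20.163.21:2967/content/{55DE35DC-862A-44c9-8A2B-3EF451665D0A}/131216011/full.zip - DIRECT/172.20.163.21 application/zip
"""


def parse_line(line):
    """Split one squid line into a dict, or None if it is not in native format."""
    m = SQUID_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["bytes"] = int(rec["bytes"])
    rec["elapsed"] = int(rec["elapsed"])
    return rec


def is_local(ip_text):
    """True if the address falls inside one of the GUP-served subnets."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in LOCAL_SUBNETS)


def is_gup_content(url):
    """SEP content fetch: GUP port plus the /content/ path SEP uses for definitions."""
    u = urlsplit(url)
    return u.port == GUP_PORT and u.path.startswith("/content/")


def proxied_gup_hits(log_text):
    """Content fetches that crossed the proxy although client and GUP are both local."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or not is_gup_content(rec["url"]):
            continue
        gup = urlsplit(rec["url"]).hostname
        if is_local(rec["client"]) and is_local(gup):
            hits.append({"client": rec["client"], "gup": gup,
                         "bytes": rec["bytes"], "url": rec["url"]})
    return hits


def wildcard(net):
    """Express an octet-aligned network as the 'a.b.*' wildcard IE/bitsadmin bypass lists use."""
    if net.prefixlen % 8:
        raise ValueError("only /8, /16 and /24 networks map to a wildcard")
    octets = str(net.network_address).split(".")
    return ".".join(octets[:net.prefixlen // 8] + ["*"])


def bypass_list(nets):
    return "; ".join(wildcard(n) for n in nets)


if __name__ == "__main__":
    for hit in proxied_gup_hits(SAMPLE_LOG):
        print("%s fetched %d bytes from local GUP %s via the proxy" % (hit["client"], hit["bytes"], hit["gup"]))
    print("bypass list:", bypass_list(LOCAL_SUBNETS))
```

Wasted bytes per client, summed over a day of access.log, are the number to put in front of the network team; a client that still shows up after the GPO has applied has not picked up the new System Account settings.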
 

The Enhanced Mitigation Experience Toolkit

The Enhanced Mitigation Experience Toolkit (EMET) is a utility that helps prevent vulnerabilities in software from being successfully exploited. EMET achieves this goal by using security mitigation technologies. EMET is designed to help prevent hackers from gaining access to your system. The toolkit includes several pseudo mitigation technologies aimed at disrupting current exploit techniques. These pseudo mitigations are not robust enough to stop future exploit techniques, but can help prevent users from being compromised by many of the exploits currently in use. The mitigations are also designed so that they can be easily updated as attackers start using new exploit techniques.

Some of these techniques are:

Data Execution Prevention

SEHOP: Structured Exception Handler Override Protection

Deep Hooks

and a lot more..

You can choose whether an application should stay within these boundaries or get unusual access.

This is called Opt In or Opt Out.

 

 


Chicago User Group - Rich Bagurdes - Application and Device control and Storage Devices

How to identify a duplicate DHCP server on a LAN

DHCP Find is a portable program for identifying whether there is more than one DHCP server active on the network. With a simple scan with this tool, in a few seconds it shows several useful pieces of information, such as the IP address offered by the DHCP server, the subnet mask, the gateway, the server's network address and the DHCP lease.
It is a very useful tool for checking whether there are rogue DHCP servers, for example a wireless router introduced into the network with DHCP enabled.

But it can also simply be used for a quick check of the network, to verify that the network and the DHCP server are working normally.

Operating systems: Windows 9x/Me, Windows NT 4, Windows 2000, Windows XP, Windows Vista, Windows 7, Windows 8

Let me know if you have questions.

English version: Detect rogue DHCP servers on a network

Credits: DHCP Find

Download Here!
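As an added example, not part of the post or of the DHCP Find tool, here is what such a scanner has to do with the replies it receives: decode a DHCPOFFER into the fields the tool displays (offered address, mask, gateway, server, lease) and compare the answering server against an allow-list. The packets are built inside the block (a real scan would capture them from a raw socket, which this example does not do), and the allow-list address is an assumption.

```python
import ipaddress
import struct

# Assumed allow-list of the DHCP servers that are supposed to exist on this LAN.
KNOWN_DHCP_SERVERS = {"192.168.1.1"}

# Fixed BOOTP header (RFC 2131): op, htype, hlen, hops, xid, secs, flags, ciaddr,
# yiaddr, siaddr, giaddr, chaddr(16), sname(64), file(128) = 236 bytes, then the cookie.
BOOTP = struct.Struct("!BBBBIHH4s4s4s4s16s64s128s")
MAGIC_COOKIE = b"\x63\x82\x53\x63"
DHCPOFFER = 2


def parse_options(buf):
    """Decode the TLV option area into {code: raw bytes}; PAD is skipped, END stops."""
    opts, i = {}, 0
    while i < len(buf):
        code = buf[i]
        if code == 0:                       # PAD
            i += 1
            continue
        if code == 255 or i + 1 >= len(buf):  # END, or truncated option
            break
        length = buf[i + 1]
        opts[code] = buf[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def parse_offer(pkt):
    """Return the fields a rogue-DHCP scanner reports for a DHCPOFFER, or None
    when the packet is not one (wrong op, missing cookie, other message type)."""
    if len(pkt) < BOOTP.size + 4:
        return None
    op, _, _, _, xid, _, _, _, yiaddr, siaddr, _, _, _, _ = BOOTP.unpack_from(pkt)
    if op != 2 or pkt[BOOTP.size:BOOTP.size + 4] != MAGIC_COOKIE:
        return None
    opts = parse_options(pkt[BOOTP.size + 4:])
    if opts.get(53) != bytes([DHCPOFFER]):
        return None
    ip = lambda b: str(ipaddress.IPv4Address(bytes(b)))
    return {
        "xid": xid,
        "offered_ip": ip(yiaddr),
        # Option 54 (server identifier) is authoritative; siaddr is the fallback.
        "server": ip(opts[54]) if 54 in opts else ip(siaddr),
        "subnet_mask": ip(opts[1]) if 1 in opts else None,
        "gateway": ip(opts[3][:4]) if 3 in opts else None,
        "dns": [ip(opts[6][j:j + 4]) for j in range(0, len(opts.get(6, b"")), 4)],
        "lease_seconds": struct.unpack("!I", opts[51])[0] if 51 in opts else None,
    }


def rogue_servers(offers, known=KNOWN_DHCP_SERVERS):
    """Servers that answered a discover but are not on the allow-list, sorted."""
    return sorted({o["server"] for o in offers if o["server"] not in known})


def build_offer(xid, offered_ip, server_ip, mask, gateway, lease, dns=()):
    """Construct a DHCPOFFER for this example (a scanner would capture it from the wire)."""
    packed = lambda s: ipaddress.IPv4Address(s).packed
    header = BOOTP.pack(2, 1, 6, 0, xid, 0, 0, b"\0" * 4, packed(offered_ip),
                        packed(server_ip), b"\0" * 4,
                        b"\x00\x11\x22\x33\x44\x55" + b"\0" * 10, b"\0" * 64, b"\0" * 128)
    options = (b"\x35\x01" + bytes([DHCPOFFER])          # 53 message type
               + b"\x36\x04" + packed(server_ip)         # 54 server identifier
               + b"\x01\x04" + packed(mask)              # 1 subnet mask
               + b"\x03\x04" + packed(gateway)           # 3 router
               + b"\x33\x04" + struct.pack("!I", lease))  # 51 lease time
    if dns:
        options += b"\x06" + bytes([4 * len(dns)]) + b"".join(packed(d) for d in dns)
    return header + MAGIC_COOKIE + options + b"\xff"


if __name__ == "__main__":
    # Two answers to one discover: the corporate server and a home router someone plugged in.
    replies = [
        build_offer(0x1234, "192.168.1.50", "192.168.1.1", "255.255.255.0", "192.168.1.1", 86400, ("192.168.1.1",)),
        build_offer(0x1234, "192.168.0.100", "192.168.0.1", "255.255.255.0", "192.168.0.1", 3600),
    ]
    offers = [o for o in map(parse_offer, replies) if o]
    for o in offers:
        print(o)
    print("rogue servers:", rogue_servers(offers))
```

Two offers with the same xid from different server identifiers is the signature a rogue-DHCP scanner looks for; the one not on the allow-list is what to go and unplug.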


How to reset SEPM password in 12.1.x

Hi,

Administrators maintaining multiple SEPMs or security products have a problem resetting the password in SEPM 12.1.x if they missed providing an email address during installation.

resetpass.bat was present in 11.0.x and is greatly missed in 12.1.x. I have re-constructed resetpass.bat to reset the password for 12.1.x SEPM.

Just like in 11.0.x, resetpass.bat has to be placed in:

For 32-bit:

Drive on which SEPM is installed/Program Files/Symantec/Symantec Endpoint Protection Manager/tools/

For 64-bit:

Drive on which SEPM is installed/Program Files (x86)/Symantec/Symantec Endpoint Protection Manager/tools/

Once it is placed in the tools folder, it will open a command prompt and close automatically; it might take a couple of minutes for the command prompt to close.

Then open the SEPM console and type

Username: admin

Password: admin

Apache logs disk size after GUP Monitor Tool

Hello guys,

If you are noticing a problem with disk space after configuring the GUP Monitor Tool, take a look below:

"C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\apache\logs" = It should be your problem, right?

In that folder, SEPM only saves errors, by default!

If you have configured the GUP Monitor Tool, like me, you need to know that you have enabled the access.log as well.

These logs are very large and fill up your hard disk. All accesses are logged in this file!!!

You could disable the access.log, but your GUP Monitor Tool will not work properly. In my case, I want to keep using that tool, so I created a script to clean up.

Put it in your task scheduler!!!

I chose to keep 60 days, just for safety and in case I need some troubleshooting.

I hope you enjoy it and it solves the problem for you, like it did for me!!!

Diego

Custom IPS Signatures to detect various filetype downloads

To build on my last IR article:

How to utilize SEP 12.1 for Incident Response - PART 6

I'm attaching a custom IPS policy which will detect the download of various filetypes via HTTP and HTTPS.

The signatures are in Allow mode and set to write to the Packet log for detailed information.

As of now, this policy will detect 37 different filetypes. I will update it as I add more.

Feel free to use it and let me know if you have any questions or feedback.

Custom file detection script (DICOM) for use in Data Loss Prevention.

The script below is intended to detect data leakage in healthcare environments. Files detected by this script are widely used in a variety of medical diagnostic systems and may include personal information.

$Zero=getHexStringValue('0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000');
$Str1=getBinaryValueAt($data, 0x0, 128);
assertTrue($Zero == $Str1);
$name=getHexStringValue('4449434D');
$str2=getBinaryValueAt($data, 0x80, 4);
assertTrue($name == $str2);
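As an added example (not the author's DLP script and not in the DLP script language), the same check in Python, with one caveat a DLP admin would want: the DICOM Part 10 standard only requires the 128-byte preamble to be all zeros when it is unused, so a file whose preamble carries, say, a TIFF header has "DICM" at offset 0x80 but fails the zero test above and would slip past that script. The block also reads the group of the first file-meta element (always group 0002, little-endian) as a second signal against random files that happen to contain "DICM". The sample files are constructed, not real studies.

```python
import struct

PREAMBLE_LEN = 128
MAGIC = b"DICM"


def inspect_dicom(data):
    """Report the three signals a Part 10 file carries at its start: 'DICM' at
    offset 0x80, an all-zero 128-byte preamble, and a first meta-header element
    in group 0002 (little-endian) directly after the magic."""
    info = {"magic": False, "zero_preamble": False, "meta_group": False}
    if len(data) < PREAMBLE_LEN + 8:
        return info
    info["magic"] = data[PREAMBLE_LEN:PREAMBLE_LEN + 4] == MAGIC
    info["zero_preamble"] = data[:PREAMBLE_LEN] == b"\x00" * PREAMBLE_LEN
    if info["magic"]:
        (group,) = struct.unpack("<H", data[PREAMBLE_LEN + 4:PREAMBLE_LEN + 6])
        info["meta_group"] = group == 0x0002
    return info


def is_dicom(data, require_zero_preamble=False):
    """Match on magic plus meta-header group. With require_zero_preamble=True it
    behaves like the DLP script above, which also insists the preamble is zeros."""
    info = inspect_dicom(data)
    if not (info["magic"] and info["meta_group"]):
        return False
    return info["zero_preamble"] if require_zero_preamble else True


# First file-meta element (0002,0000) Group Length, VR UL, value length 4, value 0xC0.
META_HEADER = (struct.pack("<HH", 0x0002, 0x0000) + b"UL"
               + struct.pack("<H", 4) + struct.pack("<I", 0xC0))

# Constructed samples: a normal Part 10 file, one whose preamble holds a TIFF
# header as the standard permits, and a file that merely resembles one.
ZERO_PREAMBLE_FILE = b"\x00" * PREAMBLE_LEN + MAGIC + META_HEADER + b"\x00" * 0xC0
TIFF_PREAMBLE_FILE = b"II*\x00" + b"\x00" * (PREAMBLE_LEN - 4) + MAGIC + META_HEADER + b"\x00" * 0xC0
NOT_DICOM_FILE = b"\x00" * PREAMBLE_LEN + b"DICX" + META_HEADER


if __name__ == "__main__":
    for label, blob in (("zero preamble", ZERO_PREAMBLE_FILE),
                        ("TIFF preamble", TIFF_PREAMBLE_FILE),
                        ("not DICOM", NOT_DICOM_FILE)):
        print(label, inspect_dicom(blob),
              "strict:", is_dicom(blob, require_zero_preamble=True),
              "relaxed:", is_dicom(blob))
```

Dropping the zero-preamble assertion from the DLP script (keeping only the "DICM" check) closes the gap for files with a used preamble; the meta-group test is what keeps the relaxed version from matching random data.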

Dividing full file path into separate subfolder names

This script is intended for use in Symantec Data Loss Prevention and provides the ability to sort incidents not only by file name but also by the separate subfolders in its path.

You need to create the following Custom Attributes:

  • FPath_Drive_Letter
  • FPath_Root_Folder
  • FPath_SubFolder_1
  • FPath_SubFolder_2
  • FPath_SubFolder_3
  • FPath_SubFolder_4

'''
Created on 8 feb 2016

@author: Stepanov Alexander x-and@yandex.ru'''
from __future__ import print_function

import sys
import traceback
import codecs

if sys.version_info[0] == 2:
    # Incident paths may contain Cyrillic (cp1251) characters; make Python 2
    # pass them through to stdout unchanged.
    reload(sys)
    sys.setdefaultencoding('cp1251')
    sys.stdout = codecs.getwriter('cp1251')(sys.stdout, 'replace')

# Set to 1 while testing to get a stack trace on errors; keep 0 in production.
debugMode = 0

# Custom attribute names, in path order after the drive letter.
FolderList = ('FPath_Root_Folder',
              'FPath_SubFolder_1',
              'FPath_SubFolder_2',
              'FPath_SubFolder_3',
              'FPath_SubFolder_4')


def splitPath(filePath):
    # Returns (attribute name, value) pairs for the drive letter and the first
    # folders of the path. Levels the path does not have get an empty value so
    # every custom attribute is always written; deeper folders are ignored.
    drive, sep, rest = filePath.partition(":")
    if not sep:
        # No drive letter (for example a UNC path): leave the attribute empty.
        drive, rest = "", filePath
    result = [("FPath_Drive_Letter", drive)]
    # Split on backslashes, drop empty parts and the last part (the file name).
    folders = [part for part in rest.split("\\") if part][:-1]
    for i, name in enumerate(FolderList):
        result.append((name, folders[i] if i < len(folders) else ""))
    return result


def main(args):
    try:
        attributeMap = parseInput(args)
        filePath = attributeMap.get("endpoint-file-path", "")
        if filePath == "":
            return
        for name, value in splitPath(filePath):
            print(name, "=", value)
    except Exception:
        error()
        print("There was an error while executing the File Path script (", args[0], "). Something went wrong!")
        return "something went wrong!"


def parseInput(args):
    # Input data is a list of key=value pairs, one per argument.
    # Build a python dictionary to use as the attribute map.
    attributeMap = {}
    delimiter = "="
    for item in args:
        if delimiter in item:
            key, value = item.split(delimiter, 1)   # a value may itself contain '='
            attributeMap[key] = value
    return attributeMap


def error():
    # "SCRIPT PROCESSING ERROR"
    if debugMode:
        traceback.print_exc(file=sys.stdout)
    return ""


if __name__ == "__main__":
    if len(sys.argv) == 0:
        error()
    else:
        main(sys.argv)