Channel: Symantec Connect - Products - Downloads
Viewing all 82 articles

DeepSight Vulnerability Datafeed Perl Script


Attached is a Perl script written by Oliver Karow from Symantec. This script is designed to let you automate the download of the DeepSight Vulnerability Datafeed.


Symantec Data Loss Prevention 11.5: Administration

How to adjust proxy settings for System Account


Hello guys,

I want to share with you a problem I had.

I have an explicit proxy in my network. I have a GPO that updates it for my clients.

Here, in my subnet, I have a WPAD script, set by DHCP and Auto-Detect in Internet Explorer, for my partners to use.

That is one point.

Well, we have clone images to speed up delivery of new machines. These images do not have SEP installed; it is installed afterwards, since cloning with SEP installed causes the ID problem as well.

Now, here is the point!!!

I noticed some clients were using the proxy to communicate with GUPs, even though those GUPs were in the same subnet. So my client used my MPLS link to go to my data center, where the proxy is, and the proxy connected to the GUP to update the client.

I did not have the exceptions for local addresses, my subnets and names in the WPAD file. I fixed that anyway.

Well... when I ran Internet Explorer as the System account, I saw that Auto-Detect was enabled. I only have DHCP delivering WPAD in my subnet.

Anyway, I needed to fix the IE proxy settings for the System account: set a proxy and the correct exceptions.

Below is the most important part: how to adjust it!!!

If you have the same or a similar problem, you can follow along :)

1 - Create a .bat script with the lines below:

@echo off

REM Created by Diego Maciel Gomes, at 12-14-2013
REM Script created to adjust IE proxy settings for the system account

REM bitsadmin is a Windows utility
REM here, we clear the whole proxy config
bitsadmin /util /setieproxy localsystem NO_PROXY

REM here, we set the proxy and exceptions
REM change proxy.company.com to your proxy. Adjust the port and exceptions as well.
bitsadmin /util /setieproxy localsystem MANUAL_PROXY proxy.company.com:3128 "<local>*.company.com; 172.19.*; 172.20.*;"

exit

2 - Create a computer GPO and associate this script to run at Startup (at this point, I assume you know how to do that).

3 - You can check the update with regedit:

HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings

The key above holds the stored config for the system account.

Here I show a line from my squid proxy log that shows the wrong connection:

1387277796.586   9188 172.20.163.158 TCP_MISS/200 1454326 GET http://172.20.163.21:2967/content/{55DE35DC-862A-44c9-8A2B-3EF451665D0A}/131216011/xdelta131213011.dax - DIRECT/172.20.163.21 text/plain

After running the script above, the machine does not use the proxy anymore. The traffic is direct and saves my bandwidth.

I hope it helps you like helped me!

Feel free to ask me something :)

Regards,

Diego
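A way to verify the result without reading the binary value in regedit by eye, added here as an example (it is not part of Diego's post and not Symantec or Microsoft code): the DefaultConnectionSettings value is a small binary structure, three little-endian DWORDs (format version, change counter, flag bits) followed by three DWORD-length-prefixed strings (proxy server, bypass list, PAC URL) and reserved padding. The flag bits match the WinINet INTERNET_PER_CONN_FLAGS values, so 0x08 means "Automatically detect settings" is on, which is what the post found for the System account. The parser below decodes the blob and reports whether Auto-Detect or a PAC URL is still active for the LocalSystem profile and whether the bypass list contains `<local>` as its own semicolon-separated entry. Both sample blobs are constructed in the code; `read_live_system_settings()` reads the real value and is only meaningful on Windows from an elevated prompt. The expected proxy name is the one from the post.

```python
import struct

# Flag bits in the third DWORD of the DefaultConnectionSettings blob; they
# mirror the WinINet INTERNET_PER_CONN_FLAGS values.
PROXY_TYPE_DIRECT = 0x01          # direct connections allowed
PROXY_TYPE_PROXY = 0x02           # manual proxy server in use
PROXY_TYPE_AUTO_PROXY_URL = 0x04  # automatic configuration script (PAC URL)
PROXY_TYPE_AUTO_DETECT = 0x08     # "Automatically detect settings" (WPAD)

# Registry location of the LocalSystem profile's settings (from the post above).
SYSTEM_CONNECTIONS_KEY = r".DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections"
VALUE_NAME = "DefaultConnectionSettings"


def _read_lp_string(blob, offset):
    """Read one DWORD-length-prefixed string; return (text, next_offset)."""
    (length,) = struct.unpack_from("<I", blob, offset)
    offset += 4
    return blob[offset:offset + length].decode("latin-1"), offset + length


def parse_connection_settings(blob):
    """Decode the blob into version, counter, flag bits, proxy, bypass list and PAC URL."""
    version, counter, flags = struct.unpack_from("<III", blob, 0)
    offset = 12
    proxy, offset = _read_lp_string(blob, offset)
    bypass, offset = _read_lp_string(blob, offset)
    pac_url, offset = _read_lp_string(blob, offset)
    return {
        "version": version,
        "counter": counter,
        "flags": flags,
        "manual_proxy": bool(flags & PROXY_TYPE_PROXY),
        "pac_url_enabled": bool(flags & PROXY_TYPE_AUTO_PROXY_URL),
        "auto_detect": bool(flags & PROXY_TYPE_AUTO_DETECT),
        "proxy": proxy,
        # The bypass list is stored semicolon-separated, like ProxyOverride.
        "bypass": [e.strip() for e in bypass.split(";") if e.strip()],
        "pac_url": pac_url,
    }


def build_connection_settings(flags, proxy="", bypass="", pac_url="", counter=1, version=0x46):
    """Inverse of parse_connection_settings(); used here to construct sample blobs offline."""
    out = struct.pack("<III", version, counter, flags)
    for text in (proxy, bypass, pac_url):
        raw = text.encode("latin-1")
        out += struct.pack("<I", len(raw)) + raw
    return out + b"\x00" * 32  # trailing reserved bytes


def audit_system_proxy(settings, expected_proxy, required_bypass=("<local>",)):
    """Return findings that would send LocalSystem traffic down the wrong path."""
    findings = []
    if settings["auto_detect"]:
        findings.append("auto-detect (WPAD) is enabled for LocalSystem")
    if settings["pac_url_enabled"]:
        findings.append("PAC URL %r is enabled for LocalSystem" % settings["pac_url"])
    if settings["manual_proxy"]:
        if settings["proxy"] != expected_proxy:
            findings.append("proxy is %r, expected %r" % (settings["proxy"], expected_proxy))
        for entry in required_bypass:
            if entry not in settings["bypass"]:
                findings.append("bypass list is missing %r" % entry)
    return findings


def read_live_system_settings():
    """Read the real value on Windows (run elevated). Not exercised offline."""
    import winreg  # Windows-only standard-library module
    with winreg.OpenKey(winreg.HKEY_USERS, SYSTEM_CONNECTIONS_KEY) as key:
        value, _value_type = winreg.QueryValueEx(key, VALUE_NAME)
    return parse_connection_settings(value)


if __name__ == "__main__":
    # Constructed "before" state: direct + WPAD auto-detect, no manual proxy.
    before = build_connection_settings(PROXY_TYPE_DIRECT | PROXY_TYPE_AUTO_DETECT)
    print(audit_system_proxy(parse_connection_settings(before), "proxy.company.com:3128"))
    # Constructed "after" state: manual proxy with a complete bypass list.
    after = build_connection_settings(PROXY_TYPE_DIRECT | PROXY_TYPE_PROXY,
                                      "proxy.company.com:3128",
                                      "<local>;*.company.com;172.19.*;172.20.*")
    print(audit_system_proxy(parse_connection_settings(after), "proxy.company.com:3128"))
```

Run it after the startup script has applied and `audit_system_proxy(read_live_system_settings(), "proxy.company.com:3128")` should return an empty list; anything else names the setting that still routes GUP traffic over the WAN.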
 

Chicago User Group - Rich Bagurdes - Application and Device control and Storage Devices

How to identify a duplicate DHCP server on a LAN


DHCPFind is a portable program for identifying whether more than one DHCP server is active on the network. With a simple scan using this tool, within a few seconds it shows several useful pieces of information, such as the IP address offered by the DHCP server, the netmask, the gateway, the server's network address and the DHCP lease.
It is a very useful tool for checking whether there are rogue DHCP servers on the network, such as a wireless router plugged into the network with DHCP enabled.

But it can also simply serve as a quick check of the network, to verify that the network and the DHCP server are working properly.

Operating systems: Windows 9x/Me, Windows NT 4, Windows 2000, Windows XP, Windows Vista, Windows 7, Windows 8

Let me know if you have questions.

English version : Detect rogue DHCP servers on a network

Credits : DHCP Find

Download Here!
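For readers who want to see what such a scan actually checks on the wire, here is an added example (mine, not DHCPFind's code): it builds a DHCPOFFER in memory, decodes the fields DHCPFind displays (offered address, netmask, gateway, DNS servers, lease, server identifier) and flags any OFFER or ACK whose server identifier is not in an allowlist of authorized servers. The allowlist and both offers are constructed for the example; on a real LAN you would feed it the UDP payloads received on port 68 after broadcasting a DISCOVER. It compares the server identifier (option 54) rather than the UDP source address because, behind a DHCP relay, the source is the relay agent and not the server.

```python
import socket
import struct

DHCP_MAGIC_COOKIE = b"\x63\x82\x53\x63"
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}

# Constructed allowlist (assumption): the only DHCP server that should exist here.
AUTHORIZED_SERVERS = {"172.20.163.1"}


def _opt(code, payload):
    """Encode one DHCP option as code, length, value."""
    return bytes([code, len(payload)]) + payload


def build_offer(yiaddr, server_id, netmask, router, lease_seconds, dns, xid=0x3903F326):
    """Construct a DHCPOFFER payload (236-byte BOOTP header + magic cookie + options)."""
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                         2, 1, 6, 0, xid, 0, 0x8000,   # op=BOOTREPLY, ethernet, broadcast flag
                         b"\x00" * 4,                   # ciaddr
                         socket.inet_aton(yiaddr),      # yiaddr: the address being offered
                         socket.inet_aton(server_id),   # siaddr
                         b"\x00" * 4,                   # giaddr
                         b"\x00" * 16, b"\x00" * 64, b"\x00" * 128)
    options = (_opt(53, b"\x02")                                  # message type: OFFER
               + _opt(54, socket.inet_aton(server_id))           # server identifier
               + _opt(1, socket.inet_aton(netmask))              # subnet mask
               + _opt(3, socket.inet_aton(router))               # router / gateway
               + _opt(51, struct.pack("!I", lease_seconds))      # lease time
               + _opt(6, b"".join(socket.inet_aton(d) for d in dns))  # DNS servers
               + b"\xff")                                        # end of options
    return header + DHCP_MAGIC_COOKIE + options


def parse_dhcp(payload):
    """Decode the fields a DHCP scanner displays from a raw DHCP payload."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    op, htype, hlen, hops, xid, secs, flags = struct.unpack_from("!BBBBIHH", payload, 0)
    options = {}
    pos = 240
    while pos < len(payload):
        code = payload[pos]
        if code == 0:        # pad option, no length byte
            pos += 1
            continue
        if code == 255:      # end option
            break
        length = payload[pos + 1]
        options[code] = payload[pos + 2:pos + 2 + length]
        pos += 2 + length

    def ip(raw):
        return socket.inet_ntoa(raw) if raw else None

    dns_raw = options.get(6, b"")
    return {
        "xid": xid,
        "type": MSG_TYPES.get(options.get(53, b"\x00")[0], "UNKNOWN"),
        "offered_ip": socket.inet_ntoa(payload[16:20]),
        "server_id": ip(options.get(54)),
        "netmask": ip(options.get(1)),
        "router": ip(options.get(3)),
        "lease": struct.unpack("!I", options[51])[0] if 51 in options else None,
        "dns": [socket.inet_ntoa(dns_raw[i:i + 4]) for i in range(0, len(dns_raw) - 3, 4)],
    }


def classify_offer(payload, src_ip, authorized=AUTHORIZED_SERVERS):
    """Flag an OFFER/ACK whose server identifier is not one of the authorized servers."""
    info = parse_dhcp(payload)
    info["src_ip"] = src_ip
    info["rogue"] = info["type"] in ("OFFER", "ACK") and info["server_id"] not in authorized
    return info


if __name__ == "__main__":
    # Constructed: the legitimate server, then a home router someone plugged in.
    legit = build_offer("172.20.163.158", "172.20.163.1", "255.255.255.0", "172.20.163.254", 86400, ["172.20.163.10"])
    rogue = build_offer("192.168.1.100", "192.168.1.1", "255.255.255.0", "192.168.1.1", 7200, ["8.8.8.8"])
    for pkt, src in ((legit, "172.20.163.1"), (rogue, "192.168.1.1")):
        info = classify_offer(pkt, src)
        print("ROGUE" if info["rogue"] else "ok   ", info["server_id"], info["offered_ip"], info["router"], info["lease"])
```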

Apache logs disk size after GUP Monitor Tool


Hello guys,

If you are noticing a problem with disk space after configuring the GUP Monitor Tool, take a look below:

"C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\apache\logs" = This should be your problem, right?

In that folder, SEPM saves only errors by default!

If you have configured the GUP Monitor Tool, like me, you need to know that you have enabled access.log as well.

These logs are very large and eat up your hard disk. All accesses are logged in this file!!!

You could disable access.log, but then your GUP Monitor Tool will not work properly. In my case, I want to keep using that tool, so I created a script to clean it up.

Put it in your Task Scheduler!!!

I chose to keep 60 days, just for safety and in case I need to do some troubleshooting.

I hope you enjoy it and that it solves the problem for you, like it did for me!!!

Diego
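The cleanup script itself is an attachment, so here is an added example of the same idea (my code, not Diego's): prune rotated Apache logs under the SEPM logs folder that are older than a retention window, with a dry-run mode. It assumes the logs are being rotated into dated or numbered files (for instance with Apache's own rotatelogs: `CustomLog "|bin/rotatelogs.exe logs/access.log.%Y-%m-%d 86400" combined`), because Apache on Windows keeps the live access.log open and it cannot be deleted while the service is running; the live access.log and error.log are therefore never touched. `make_sample_log_dir()` builds a throwaway directory with back-dated files so the logic can be tested offline; the 60-day default is the retention Diego chose.

```python
import os
import re
import time

# Path from the post above; adjust for your SEPM installation.
LOG_DIR = r"C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\apache\logs"

# The live files Apache holds open: never delete these, only their rotated copies.
LIVE_LOGS = {"access.log", "error.log"}
# Rotated names such as access.log.2016-01-31, access.log.1454198400 or error.log.3
ROTATED_LOG = re.compile(r"^(access|error)\.log[._-]\S+$", re.IGNORECASE)

SAMPLE_NOW = 1460000000  # constructed "current time" used by the sample directory


def is_rotated_log(name):
    """True for a rotated copy of access.log/error.log, never for the live file."""
    return name.lower() not in LIVE_LOGS and ROTATED_LOG.match(name) is not None


def prune_rotated_logs(log_dir, keep_days=60, now=None, dry_run=False):
    """Delete rotated logs older than keep_days; return the names removed (or that would be)."""
    now = time.time() if now is None else now
    cutoff = now - keep_days * 86400
    removed = []
    for name in sorted(os.listdir(log_dir)):
        path = os.path.join(log_dir, name)
        if not os.path.isfile(path) or not is_rotated_log(name):
            continue
        if os.path.getmtime(path) < cutoff:
            if not dry_run:
                os.remove(path)
            removed.append(name)
    return removed


def make_sample_log_dir(now=SAMPLE_NOW):
    """Create a temporary logs directory with constructed files and back-dated mtimes."""
    import tempfile
    directory = tempfile.mkdtemp(prefix="apache-logs-")
    for name, age_days in (("access.log", 90),             # live file, must survive
                           ("access.log.2015-10-01", 90),  # rotated, older than 60 days
                           ("access.log.2016-02-01", 10),  # rotated, recent
                           ("error.log.2015-09-01", 90),   # rotated, older than 60 days
                           ("notes.txt", 90)):             # unrelated, must survive
        path = os.path.join(directory, name)
        open(path, "w").close()
        stamp = now - age_days * 86400
        os.utime(path, (stamp, stamp))
    return directory


if __name__ == "__main__":
    import sys
    args = [a for a in sys.argv[1:] if a != "--dry-run"]
    target = args[0] if args else LOG_DIR
    for name in prune_rotated_logs(target, keep_days=60, dry_run="--dry-run" in sys.argv):
        print("pruned", name)
```

Schedule it with `--dry-run` first and compare the output against what you expect before letting it delete anything.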

Custom IPS Signatures to detect various filetype downloads


To build on my last IR article:

How to utilize SEP 12.1 for Incident Response - PART 6

I'm attaching a custom IPS policy which will detect the download of various filetypes via HTTP and HTTPS.

The signatures are in Allow mode and set to write to the Packet log for detailed information.

As of now, this policy will detect 37 different filetypes. I will update it as I add more.

Feel free to use and let me know if you have any questions or feedback.

Custom file detection script (DICOM) for use in Data Loss Prevention.


The script below is intended to detect data leakage in healthcare environments. The files detected by this script are widely used in a variety of medical diagnostic systems and may include personal information.

$Zero=getHexStringValue('0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000');
$Str1=getBinaryValueAt($data, 0x0, 128);
assertTrue($Zero == $Str1);
$name=getHexStringValue('4449434D');
$str2=getBinaryValueAt($data, 0x80, 4);
assertTrue($name == $str2);
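The same check in Python, added here so the rule can be tried against real files before the DLP script is deployed (this is my example, not the poster's code). `matches_dlp_script()` implements exactly the script's rule: 128 zero bytes followed by the "DICM" marker at offset 128. `is_dicom_part10()` is the looser check a practitioner may want alongside it: DICOM PS3.10 leaves the 128-byte preamble available for application-specific use and only requires it to be zero when unused, so a file whose preamble carries, for example, a TIFF header would fail the zero-preamble assertion while still being a DICOM file. The block also reads the Transfer Syntax UID from the File Meta Information group, which is always encoded as explicit VR little endian. The sample header is constructed in `build_sample()`, not a real study.

```python
import struct

PREAMBLE_LEN = 128
DICM_MAGIC = b"DICM"
# VRs whose explicit-VR encoding uses 2 reserved bytes plus a 4-byte length.
LONG_LENGTH_VRS = {b"OB", b"OW", b"OF", b"SQ", b"UT", b"UN"}
TRANSFER_SYNTAX_UID = (0x0002, 0x0010)
EXPLICIT_VR_LITTLE_ENDIAN = "1.2.840.10008.1.2.1"


def inspect_dicom_header(data):
    """Report the two facts the DLP script asserts: all-zero preamble and 'DICM' magic."""
    preamble = data[:PREAMBLE_LEN]
    return {
        "preamble_all_zero": len(preamble) == PREAMBLE_LEN and preamble == b"\x00" * PREAMBLE_LEN,
        "has_dicm_magic": data[PREAMBLE_LEN:PREAMBLE_LEN + 4] == DICM_MAGIC,
    }


def matches_dlp_script(data):
    """Exactly the DLP script's rule: 128 zero bytes, then 'DICM'."""
    facts = inspect_dicom_header(data)
    return facts["preamble_all_zero"] and facts["has_dicm_magic"]


def is_dicom_part10(data):
    """Looser rule: only the magic is required, since the preamble may hold application data."""
    return inspect_dicom_header(data)["has_dicm_magic"]


def read_file_meta(data, max_elements=64):
    """Parse the File Meta Information group (0002,xxxx), explicit VR little endian,
    into {(group, element): raw value bytes}; stops at the first non-0002 element."""
    meta = {}
    pos = PREAMBLE_LEN + 4
    while pos + 8 <= len(data) and len(meta) < max_elements:
        group, element = struct.unpack_from("<HH", data, pos)
        if group != 0x0002:
            break
        vr = data[pos + 4:pos + 6]
        if vr in LONG_LENGTH_VRS:
            (length,) = struct.unpack_from("<I", data, pos + 8)
            pos += 12
        else:
            (length,) = struct.unpack_from("<H", data, pos + 6)
            pos += 8
        meta[(group, element)] = data[pos:pos + length]
        pos += length
    return meta


def transfer_syntax(data):
    """Return the Transfer Syntax UID, or None if the data is not a DICOM Part 10 file."""
    if not is_dicom_part10(data):
        return None
    raw = read_file_meta(data).get(TRANSFER_SYNTAX_UID)
    return raw.rstrip(b"\x00 ").decode("ascii") if raw else None


def build_sample(preamble=b"\x00" * PREAMBLE_LEN, with_magic=True,
                 ts_uid=EXPLICIT_VR_LITTLE_ENDIAN.encode("ascii")):
    """Construct a minimal Part 10 header (not a real study) for offline testing."""
    if len(ts_uid) % 2:
        ts_uid += b"\x00"  # UI values are padded to even length with a NUL
    elements = (b"\x02\x00\x01\x00" + b"OB" + b"\x00\x00" + struct.pack("<I", 2) + b"\x00\x01"  # (0002,0001)
                + b"\x02\x00\x10\x00" + b"UI" + struct.pack("<H", len(ts_uid)) + ts_uid)       # (0002,0010)
    group_length = b"\x02\x00\x00\x00" + b"UL" + struct.pack("<H", 4) + struct.pack("<I", len(elements))
    magic = DICM_MAGIC if with_magic else b"XXXX"
    return preamble + magic + group_length + elements


if __name__ == "__main__":
    for label, blob in (("zero preamble", build_sample()),
                        ("TIFF-style preamble", build_sample(preamble=b"II*\x00" + b"\x00" * 124)),
                        ("no magic", build_sample(with_magic=False))):
        print(label, matches_dlp_script(blob), is_dicom_part10(blob), transfer_syntax(blob))
```

To check a real file, read its first few kilobytes in binary mode and pass them to the three functions; the DLP script will only fire on files for which `matches_dlp_script()` is true.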

Dividing full file path into a separate subfolder names


This script is intended for use in Symantec Data Loss Prevention and provides the ability to sort incidents not only by file name but also by the separate subfolders in its path.

You need to create following Custom Attributes:

  • FPath_Drive_Letter
  • FPath_Root_Folder
  • FPath_SubFolder_1
  • FPath_SubFolder_2
  • FPath_SubFolder_3
  • FPath_SubFolder_4
'''
Created on 8 feb 2016

@author: Stepanov Alexander x-and@yandex.ru
'''
from __future__ import print_function

import sys
import traceback
import codecs

# DLP hands the attributes over in the Windows code page; make sure Cyrillic
# path components are printed back as cp1251 (Python 2 only).
if sys.version_info[0] == 2:
    reload(sys)
    sys.setdefaultencoding('cp1251')
    sys.stdout = codecs.getwriter('cp1251')(sys.stdout, 'replace')

# Switch this to 1 to get tracebacks while testing; keep 0 in production.
debugMode = 0

# Custom attributes that receive the folder names, from the root folder down.
FolderList = ('FPath_Root_Folder',
              'FPath_SubFolder_1',
              'FPath_SubFolder_2',
              'FPath_SubFolder_3',
              'FPath_SubFolder_4')


def splitPath(filePath):
    """Return (drive letter, [folder names]) for a path like C:\\Users\\x\\doc.txt.
    The file name (last component) is dropped and empty components are ignored."""
    drive = filePath.split(":", 1)[0]
    parts = filePath.split("\\")
    folders = [p for p in parts[1:-1] if p != ""]
    return drive, folders


def main(args):
    try:
        attributeMap = parseInput(args)
        filePath = attributeMap.get("endpoint-file-path", "")
        if filePath == "":
            return

        drive, folders = splitPath(filePath)
        print("FPath_Drive_Letter =", drive)
        # Always emit every attribute: unused levels get an empty value so a
        # shallow path does not keep a stale folder name from a previous lookup.
        for i, name in enumerate(FolderList):
            print(name, "=", folders[i] if i < len(folders) else "")
        return

    except Exception:
        error()
        print("There was an error while executing the File Path script (", args[0], "). Something went wrong!")
        return "something went wrong!"


def parseInput(args):
    # Input data is a list of key=value pairs; build the attribute map from it.
    # Split on the first "=" only so values containing "=" are kept whole.
    attributeMap = {}
    delimiter = "="
    for item in args:
        if delimiter in item:
            key, value = item.split(delimiter, 1)
            attributeMap[key] = value
    return attributeMap


def error():
    # "SCRIPT PROCESSING ERROR"
    if debugMode:
        traceback.print_exc(file=sys.stdout)
    return ""


if __name__ == "__main__":
    main(sys.argv)

Symantec SEP Reporting Template V1.0


Hi All,

As I am working on Symantec SEPM and client issues and reporting, I prepared a task summary sheet which specifies which tasks a Symantec admin/engineer needs to do on a daily, weekly, monthly and quarterly basis.

Attaching it for your reference; positive input is appreciated.

Symantec DLP Installation DOC

Symantec Data Loss Prevention- Triggering Endpoint Response Rules

To uninstall Symantec Endpoint Encryption Device Control clients deployed via GPO, a startup batch file can be utilized


At times, a customer may require the details for creating a batch file (startup script) to assist in the uninstallation of a Symantec Endpoint Encryption Device Control client that was installed via GPO. You cannot use the automatic uninstall feature of the GPO software installation package, because the Device Control uninstall procedure is password protected. To uninstall Device Control you must use a startup script; please refer to the attached guide "steps.pdf" for the procedure.

Symantec Endpoint Encryption Full Disk 8.2.0 with Encase 7 requires the appropriate DLLs for use between the two products


When a customer is using the forensics software "Encase 7" with our Symantec Endpoint Encryption Full Disk 8.2.0 software, the customer will need the appropriate DLLs so that the Encase product can successfully work with our Full Disk product.

The DLLs required are attached here and can also be located within the original product download under the subfolder "utilities". The DLLs required in this scenario are named

msvcr80.dll
msvcp80.dll

Symantec DCS Policy Utility v1.0


Symantec DCS Policy Utility v1.0.0.11 For Windows OS (Note .NET Framework 4.5 is required)

Designed to help you tune your policy by processing the log files from an Agent.

There's a getting started tab that explains the best steps to get the logs and events you need to troubleshoot your policy.

The program does not make any changes to the machine or policy. It parses the sisidsevents and sisrtevents log files.

How does the utility work for the real time events?

The utility will parse the log file, create an id based on policy id, process path, target, sandbox, network src/dst (ip and port), and module. It uses that to remove duplicated events.

After the utility finishes loading and parsing, it displays a Grid View of the events, filtered down to unique events only and multi-column sorted on policy id, then sandbox, then type, then process, then target, then module.

What to search for
If prevention is disabled, search for [EVENT_TYPE]=Warning,[DISPOSITION]=Allowed
if prevention is enabled, search for [DISPOSITION]=Denied

This utility includes cmdmatch.exe to help test out argument matching in policies

v1.0.0.10 - Adds the test option to the Argument Match Utility, and adds support for the "?" character in IDS Windows Event Argument Testing
v1.0.0.11 - Clarifies the use of wildcards and ? in Windows Event Argument Testing
v1.0.0.12 - Added the Show Details field option and fixed an event status parsing issue during log processing.


Russian stop-words list


To make use of stop-words for the Russian language, download the attached file, unzip it and place it in the "Protect\config\stopwords" subfolder of the Symantec DLP installation directory. Then go to the "Advanced settings" page of the selected detection server and set the variable "Lexer.StopwordLanguages" to "en,ru".

Do it for every detection server you have.

Updating CCS Agent Name or IP


Ever had the CCS Agent registered with the wrong name, or the agent IP changed? In some situations it can be a pain to fix this, as it requires going to the agent and running the registration again (imagine you do not have access to the agent server and have to raise a ticket with a 3rd-party supplier, who then asks you to raise a change request).

Well, with these two simple scripts you can change both the agent name and IP directly in CCS. All you need is a little Windows batch skill, some SQL skill, and an account that has permissions to modify a few records in CCS_DB.

DISCLAIMER: the scripts modify records directly in CCS_DB. The scripts are provided as is; use them at your own risk. The author bears no responsibility for any damage done.

Remove assets script


The script is intended to help with asset cleanup by searching for and removing the assets named in a given list. When CCS and your asset management application are not directly connected, this script helps you perform the clean-up: give it the list of "hostnames" to be removed (asset_list.txt), and it will search for the assets that match each "hostname" in the list and delete them. The script is rough, with just basic functionality to get things done quickly.

Any feedback for improvement is welcome.

DISCLAIMER: The sample scripts are intended for demonstration purposes only and are provided AS IS without warranty of any kind.

DLP Python custom plugin


This is a sample custom plugin written in Python which computes the number of email recipients. You can use it as a skeleton for your own needs.

In this zip file, you will find:
- Sample.py: the main script
- test_script.bat: a Windows script to easily test your script as if it were called by DLP
- Etc directory: contains the configuration file
- Lib directory: contains a DLP library which can be reused for all your DLP plugins, as it contains all the common functions
- Log directory: will contain the log file once you activate this functionality

Presentation - LONDON SEP Roadshow 2016-Nov-16
