Is it possible to monitor specific progress status with Host Integrity (HI) policy in endpoint protection? The answer is yes.

Here is a simple example of how to set the requirement in HI policy.

Details steps as below:

1. Edit HI policy--> click Requirements--> click "add" button--> select client platform: Windows and select "Custom requirement", click Ok:

2. On the custom requirement page, click add--> IF..THEN,

2.2. Under THEN--> add Function Utility: log message, and input message under log description: cmd running:

2.3. Under THEN, add ELSE, Under ELSE--> add Function Utility: log message, and input message under log description:cmd not running:

Open Endpoint Protection Manager console--> Monitors--> Logs--> Log type: Compliance, Log content: Client Host Integrity--> view log

The same HI event logs present. Besides, you can view Details for more information about the specific event as below.

Blacklisting and White listing domains in Symantec Messaging Gateway 10x:

1. Log On to Symantec Messaging Gateway.

2.1 Blacklisting a domain:
(a)    Go To Reputation> Policies> Bad Senders.

(b)    Edit the Local Bad Sender Domains.

(c)    In the Local Bad Sender Domains, Click on Add.

(d)    There you may add the Domain which you want to Blacklist.
(for eg. Bad-Sender.com)
You may also add multiple domains or e-mail Ids separated by comma.

Click Save.

(e)     Then Define the Action for that domain. The Action Delete is predefined.
You may also select from a list of actions from the list.

(f)    Click Save.

2.2  Whitelsiting a Domain:
            
(a)    Go To Reputation> Policies> Good Senders.

(b)    Edit the Local Good Sender Domains.

(c)    Click Add.

(d)    There you may add the Domain which you want to Whitelist.

(for eg. Good-Sender.com)
You may also add multiple domains or e-mail Ids separated by comma.

(e)    Specify the Action.

(f)    Click Save.
 

Introduction

This is the sixteenth in my Security Series of Connect articles.  For more information on how to keep your enterprise environment secure using often-overlooked capabilities of Symantec Endpoint Protection (and the OS upon which it functions), see Mick's Greatest Hits: Index of Helpful Connect Security Articles.

This article begins a new mini-series about a much misunderstood capability in SEP: how to keep SEP from scanning content that you don't want detected.

What's the Story?

For sake of illustration (pun intended) we take you now to Windows computer of a small but talented outfit that is defended by Symantec Endpoint Protection 14.  Johnny, the new security admin, is dismayed that one of the tools he has used for years at other companies is detected by SEP. 

The detection of this highlighted item is not a False Positive: AngryIPScanner is one powerful tool.  If it is on an organization's computers, perhaps brought there by someone who has compromised the network, SEP would be irresponsible not to raise a red flag.

(Note that as a Security Risk rather than a Threat, this detection is logged by default rather than quarantined or deleted.  The pop-up is still an annoyance for Johnny... he thinks: perhaps there's a way to fix that....) 

A clever professional, our security admin checks online articles and learns that he has the ability to use the Symantec Endpoint Protection Manager (SEPM) to create an exception against this detection....

Best Practice when Symantec Endpoint Protection is Detecting a File that is Believed to be Safe
http://www.symantec.com/docs/TECH98360

Creating exceptions for Virus and Spyware scans
http://www.symantec.com/docs/HOWTO80919

Who Should Have this Mighty Power?

Important note: be very careful with exclusions.  Every exception made opens a hole in the organization's defenses.  Introduce them as precisely as possible, to as few computers as possible.

Rather than have every computer in the organization ignore that tool without so much as a pop-up or record entry added to the SEPM console, our admin Johnny creates a new SEP client group, just for his band of IT rock stars.

He adds the machines of his IT staff to the group... (full details on the procedure can be found from Managing groups of clients)

This is the group which will have their own Exceptions policy that allows IT tools. For the rest of the organization, settings will be hardened to block Security Assessment Tools, Potentially Unwanted Applications and other questionable content. More details on that can be found in:

All About Grayware
https://www-secure.symantec.com/connect/articles/all-about-grayware

Here's the new Exception Policy, right after it was created.  Note that by default it's not associated with any client group - the admin has to make that connection! 

Now it's getting assigned:

Policy assigned! Now the exceptions configured in that policy will be applied to the computers in the associated client group.

How to Allow

From the SEPM console, Monitors, Logs, Risk, Johnny views the log of recent detections.  Then he just places a check next to the detection, chooses an action like Add risk to Exceptions policy, and click Apply: 

Be sure to choose the correct Exception policy!  Then Save Changes.

Here's how the Exceptions Policy looks after that Known Security Risk is excluded:

Note that Johnny can choose what action takes place in the environment he manages: completely Ignore that security risk or Log it.  

Be sure that the client machines connect to the SEPM and receive new policy settings and updates.  Once those are communicated, the client computers will begin to exclude that risk.   

Exceptions Get Tricky

All goes well for a while, and the IT client group are able to use the AngryIPScanner without detection.  Then one of the staff comes looking for Johnny's head.  Despite the exclusions, a new download of this tool is still detected and quarantined! 

Johnny has done his reading and points out that the detection name is not AngryIPScanner, but WS.Reputation.1.  That's a SEP detection for files with either a new/unknown or BAD reputation. He hits back with the truth that SEP is a whole suite of security technologies, and one component can convict a file that has slipped past another layer of defense.

SEP Times in the City: A Helpful Symantec Endpoint Protection Analogy
https://www-secure.symantec.com/connect/articles/sep-times-city-helpful-symantec-endpoint-protection-analogy

The same goes for exclusions.  This particular AngryIPScanner tool, can be used for good or ill.  That gives it its shady "This file is untrustworthy" reputation, and WS.Reputation.1 conviction.

"Well, what are you gonna do about it, Johnny?"

There were many options to select, when choosing how to exclude a detected application:

"Add Risk to Exceptions policy" will avoid the AntiVirus detection of a single classification, like AngryIPScanner.  Any different unique files (different versions of the tool) will be covered, but only for that excluded risk determination.

There's another option to select, which will avoid detecting a particular application by any method, technology or name. "Allow Application" will avoid detection for that one unique file (one fingerprint, also known as SHA256 hash), not for every different version of the tool.  Johnny quickly edits the client group's Exclusion policy so that SEP, in his environment, will not trigger on the file with the hash that his coworker encountered and a few other versions of the tool with unique hash fingerprints of their own....

Once the policy is saved and updated to all computers in the IT department client group, the detections cease. Johnny knows he's done the right thing, opening his environment up to as few specific files as possible, rather than any option that opened a potential door wider. Everyone gets back to work happily, until it's time to close up shop and head down to Dewey's for some hard-earned relaxation. 

Conclusion

Many thanks for reading!  I hope this article helps.  One note: though the illustrations are from SEP 14, the same options and actions apply to the older SEP 12.1 product. 

The next in the mini-series is now available, illustrating a few common situations.  Please leave comments and feedback below. 

Introduction

This is the seventeenth in my Security Series of Connect articles.  For more information on how to keep your enterprise environment secure using often-overlooked capabilities of Symantec Endpoint Protection (and the OS upon which it functions), see Mick's Greatest Hits: Index of Helpful Connect Security Articles.

This article continues a new mini-series about a much misunderstood capability in SEP: how to keep SEP from scanning content that you don't want detected.  For the basics, please be sure to read Exceptions, Illustrated: Part One

Fine Tuning the Terminator

Johnny, new security administrator for a small but talented organization, starts every day by taking a good look at his logs.  He has successfully created exclusions which let his band of IT gurus use powerful but potentially dangerous network auditing and admin tools that are denied to the rest of the company.  He wonders, though, what one of his staff is doing using an ancient version of the AngryIPScanner tool.  That 2.2.1 version was designed for Windows 98.

Happily, the Symantec Endpoint Protection Manager allows Johnny to tweak the settings in use in his environment.  It's possible to allow newer versions of the tool while blocking or terminating attempts to run that old one. In the correct Exceptions policy, he just changes the action for that fingerprint / hash to Terminate.....

After that, when an attempt is made to launch that old version, Windows throws a "cannot access the specified device, path, or file" error message and SEP logs an Administrator Defined Exception, Process Terminated, User-defined Risk. 

Johnny later learns that it is also possible to block the old application from running though SEP's Application and Device Control (ADC), but he is happy with the way he has accomplished his goal.

Block Software By Fingerprint
https://www.symantec.com/connect/articles/block-software-fingerprint

The Official Word

Here are two Technical Support articles that have additional details on how to learn and react to applications in the network.... 

Creating Centralized Exceptions Policies in the manager
http://www.symantec.com/docs/TECH183201

How to create an application exception in the Symantec Endpoint Protection Manager
http://www.symantec.com/docs/HOWTO61213

Applications that Change Frequently, Part One

Constant calls come in on the IT helpline about WS.Reputation.1 False Positive detections on a tool that the company needs.  This internal tool is tweaked and recompiled at least daily, then posted to a shared network location that everyone in the company has mapped as their H Drive.  The tool is called 1939im.exe and it is the organization's number one source of complaints and IT tickets.

Creating an exclusion against the fingerprint/hash of the file will not work, or at least work for long.  That fingerprint changes every time the tool is rebuilt, which is often.  Management is so frustrated that they have asked that SEP's Download Insight be disabled entirely.  Johnny, though a newbie to SEP 14, already understands what a powerful defense Download Insight is.  It may be helpful to adjust the sensitivity of Download Insight and uncheck some options in order to avoid some detections, but he does not want to disable it altogether.

Luckily, with a bit of research, Johnny is able to see a perfect solution.  Thanks to the shared drive and folder structure, the filename and path is always H:\Hllblls\1939im.exe on every computer. An exception can be created to ignore any file of that name in that location:

(One note: this exception is made in the policy that is applied to the company's many end-user client groups, not to the exceptions policy that is for the IT only client group!)

Johnny then uses his Windows permissions to make sure that the development team, responsible for the creation and posting of that tool, are the only user accounts with write access to that shared folder.  Other users may read and run the executable, but no unauthorized user account can replace that 1939im.exe file with malware of the same name!

Applications that Change Frequently, Part Two

Another pain point is that many trusted, legitimate files downloaded from a certain domain are constantly being detected.  These necessary files, which the company requires to do its business, are frequently detected as WS.Reputation.1 and other signature names.

Again, SEP's built-in exclusions save the day: it is possible to proactively allow downloads that come from a specified website or address.

Should those files be malicious, of course, they will be detected once they are on the computer's disk and acting evil.  The scan that takes place during download, though, will give them a pass.

Conclusion

Many thanks for reading!  Part three in the mini-series, illustrating some really poorly thought out exclusions, is under development now!

Please leave comments and feedback below. 

On the Symantec site, you can not search malwares by its hash, as for now. I made two scripts to help you, if there is a need to check a lot of hashes.
You will need a free VirusTotal account, to use them. From you profile, get your Public API Key (My API Key menu entry), and copy it into the scripts to the marked area in the scripts.
In HashList.txt, one hash (MD5, SHA1, SHA256) per line, you can list the hashes to check. The example contains the EICAR test hash.
VirusTotal-ReScanHash.ps1 will initiate the recheck of the sample with the latest definitions, this can come in handy, with relatively new potential malware, when the before-latest definition could not, but the latest might detect it. It is recommended to run this before generating a report with the other script VirusTotal-GetReport.ps1. This one will check, by its hash, if SEP can detect it or not, according to its VirusTotal detection, and also outputs the name, by it is detected. Output is in SEP_detection.txt.

Notes:
- Unfortunately, Public API access to VirusTotal is limited to 4/minutes, so there is a 26 second sleep between requests (if you have a private API key, feel free to remove the Sleeps). But for most cases (for me surely), it is faster then going manual, even with this limitation.
- The initiated rescan might take a little time to finish!

Additional credit goes to:
"David B Heise" - thanks for the VT API PS module (Invoke-VTRescan) - Source: https://psvirustotal.codeplex.com !
https://virustotal.com - thanks for the public API!

 It’s simple: Click here and log into G2 Crowd using your LinkedIn Account.  

You must contribute a detailed, balanced and complete review!

After your review is verified, G2 Crowd will send the first 40 reviewers a $25 Amazon Gift Card.

It’s that easy. 

It’s simple: Click here and log into G2 Crowd using your LinkedIn Account.

You must contribute a detailed, balanced and complete review!

After your review is verified, G2 Crowd will send the first 40 reviewers a $25 Amazon Gift Card.

It’s that easy. 

In May of 2017, Symantec added a RISK detection for the tool Winexe.

Winexe is a Linux based application that allows the execution of commands remotely on Windows based OSes. It installs a service on the remote system, executes the command and can then uninstall the service. Winexe allows execution of most of the windows shell commands. Although this tool has many legitimate applications its use in security incidents is prevalent enough for us to provide controls in our Potentially Unwanted Application (PUA) category.

Apart from its legitimate uses, Winexe can and has been used for network traversal attacks as part of the Empire powershell toolkit and was also known to have been used in the 2015 attack on the German Parliament.

The 2017 Internet Security Threat Report discusses the rise of many similar “dual use” tools to breach and traverse enterprise environments.

Detection information:

Detection for PUA.Winexe was initially provided in virus definitions on May 29, 2017 revision 006.

PUA management and Risk acceptance:

RISK detections have the important distinction of not being inherently malicious and allow a greater degree of risk acceptance within many of Symantec products.

For more information please see:
Excluding known risks from virus and spyware scans on Windows clients

System requirements for Symantec Endpoint Protection Manager and the Symantec Endpoint Protection clients are the same as those of the operating systems on which they are supported.

• Symantec Endpoint Protection Manager
• Symantec Endpoint Protection client for Windows
• Symantec Endpoint Protection client for Windows Embedded
• Symantec Endpoint Protection client for Mac
• Symantec Endpoint Protection client for Linux
• Supported virtual installations and virtualization products

Hello DLP Users..

I wanted to share some information on how to get DLP to Scan using SSH.

I had a customer who wanted to scan their File Server (EMC Isilon), but NOT all of the File System was accesible via NFS or CIFS shares. They were able to provide me a ROOT account that I could SSH directly to the File server.

So I began to figure out how to be able to Mount a file system using SSH as the protocol.

This lead me to SSHFS!

SSHFS is a filesystem based on the SSH File Transfer Protocol (SFTP). On remote side (Discover Target) we just need to install SSH server, Since most of SSH servers already support this, there are nothing to do on remote server except installing SSH server. On client side (Discover Server) we need to install fuse sshfs packages to mount remote filesystem.

Features of SSHFS:
Based on FUSE (Best userspace filesystem framework for linux)
Multithreading: more than one request can be on it’s way to the server
Allowing large reads (max 64k)
Caching directory contents

**** First of all Scanning using SSH is NOT supported by Symantec and has NOT been certified or tested at all. So please make sure that you have strong Linux knowledge if you move forward with this at your own risk. ****

Also keep in mind that some of these steps will require you to edit existing configuration files and installation of Linux Packages in order for it to work.

You will need to be using a LINUX Discover Server to get this to really work.

INSTALL the SSHFS program

1. Download and install the SSHFS program (You will need the EPEL Repository to find it). It should download the fuse package as part of the dependencies.

yum install fuse-sshfs

2. Create the mount directory for testing.

mkdir /mnt/test
chmod 777 /mnt/test

3. Test mounting the directory and Accept the authenticity and type password

YOU WILL NEED TO DO THIS FOR EACH DIFFERENT server you plan to connect to from this Discover Server

sshfs root@remote.example.com:/home/remoteuser /mnt/test

The authenticity of host 'remote.example.com (192.168.1.12)' can't be established.
RSA key fingerprint is 77:85:9e:ff:de:2a:ef:49:68:09:9b:dc:f0:f3:09:07.
Are you sure you want to continue connecting (yes/no)? yes
root@remote.example.com's password:

4. Test the mount

# mount

/dev/mapper/vg_svr1-lv_root on / type ext4 (rw)
proc on /proc type proc (rw)
sysfs on /sys type sysfs (rw)
devpts on /dev/pts type devpts (rw,gid=5,mode=620)
tmpfs on /dev/shm type tmpfs (rw)
/dev/sda1 on /boot type ext4 (rw)
root@remote.example.com:/home/remoteuser on /mnt/test type fuse.sshfs (rw,nosuid,nodev)

5. Navigate and test the share by opening a file and then unmount it.

# cd /mnt/test
# ls
# cat file.txt
# umount /mnt/test

Create a NEW filesystem Category for SSHFS and Scripts

1. Edit the /etc/sudoers file to allow the protect user to run the sshfs command (verify 'which sshfs')

# Vontu service user
Defaults:protect !requiretty
protect ALL= NOPASSWD: /bin/mount, /bin/umount, /usr/bin/sshfs, /bin/sshfs

2. Edit the SharePointMapper.properties file. (/opt/SymantecDLP/Protect/config)

You will need to type this manually or copy/paste edit from the previous settings.

You may need to change the mounterX.uri and mounterX.prefix if have added another setting before. (Make it 3 instead of 2)

Add the following lines to the bottom:

#Linux implementation of SSHFS
mounter2.uri=sshfs
mounter2.prefix=SSHFS

#General
SSHFS.ResponseExpected=No valid response
SSHFS.scriptName=sshfs.sh
SSHFS.Success=status:0
SSHFS.ScriptExecutionTimeout=60000

# SSHFS- Linux
SSHFS.AccessDenied=denied
SSHFS.ShareNotFound=Permission denied|can't get address for|No such file or directory
SSHFS.ShareExists=mountpoint is not empty
SSHFS.MultipleConnections=mountpoint is not empty
SSHFS.SyntaxError=Usage:|fuse:
SSHFS.ServerNotFound=failed|Connection reset by peer
SSHFS.AccountLockedOut=denied
SSHFS.NoLogonServers=Not Applicable
SSHFS.RequireLogin=Not Applicable

#Unmount
SSHFS.MountRemoved=umounted
SSHFS.MountDoesNotExist=not mounted
SSHFS.MountDependencyExists=open files|target is busy
SSHFS.unmountScriptName=sshfsu.sh
SSHFS.umountSuccess=status:0

3. Create the Mount and unmounting scripts for SSHFS. (Make sure to be the protect user) (copied to keep right execute permissions)

#su - protect
#cd /opt/SymantecDLP/Protect/bin
#cp nfs.sh sshfs.sh
#cp nfsu.sh sshfsu.sh
#chown protect:protect sshfs.sh
#chown protect:protect sshfsu.sh

4. Edit the sshfsu.sh file and make it look like the following. (add sleep)

sudo umount -v $1
sleep 20
echo status:$?

5. Edit the sshfs.sh file to look like the following:

#!/bin/bash
#
# sshfs.sh - mount a share using sshfs on a Linux system
#
# $1 = <mount point>
# $2 = <share path>
# $3 = <user name>
# $4 = <password>
#
# usage: sshfs.sh <options> <user>@<share path> <mount point>
#
#       <mount point>: The point where the file system is mounted. Ex: /mnt/vontu
#
#       <share path>: The path to mount in the following format:
#                     "//<host.domain.com>/dir1/dir2"  (can be surrounded by single or double quotes)
#
# Author: Ronak Patel

#Format the Share Path to be suitable for the mount command.
share_path=`echo $2 | sed -e 's/\([^\/]*\)\/\/\([^\/]*\)\([^"'"'"']*\).*/\2:\3/'`

#Format the Username to be suitable for the mount command (remove quotes).
user="${3%\"}"
user="${user#\"}"

#Format the Password to be suitable for the mount command (remove quotes).
password="${4%\"}"
password="${password#\"}"


#Then mount!
#sleep commands are to make sure system has time to mount
sleep 10
echo $password | sudo sshfs -o allow_other -o async_read -o password_stdin -o ro $user@"$share_path" $1
sleep 10
echo status:$?

6. Restart the VontuMonitor service on the Discover Servers

7. Create the Discover Target

When creating your Discover Target make sure to use the following structure so it recognizes which mount script to use.

Watch the backlashes!

sshfs:\\server.company.com\ifs\home\local data\

sshfs:\\10.0.0.1\ifs\home\local data

---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Troubleshooting:

1. Discover Scan Fails: error: Unknown Error
   1. Restart VontuMonitor Service
2. Discover Scan Fails: error: The content root URI is malformed: sshfs:\\10.0.0.2.10\ifs
   1. Retype the settings in the SharePaointMapper.properties file
3. Discover Scan Fails: error: Unknown Error
   1. Check the permsissions on the sshfs files in the Bin directory (Should be owned by Protect and Executable)
4. Discover scan cannot scan any data
   1. Mount the share manually using the following commands as root

   2. #sshfs -o allow_other -o async_read user@10.253.2.10:/ifs /mnt/test/
      #su - protect
      #cd /mnt/test
      #ls -al
      #cat file.txt

   3. If this fails then you have a permissions issue with the SSHFS and how it mounts the share.
   4. You will then have to play with the sshfs.sh script to inlcude the the following settings or try it manually
      1. -o uid=XXX
      2. -o gid=XXX
      3. -o umask=XXX
      4. For UID try using the same one that the protect user has by looking at /etc/passwd
      5. For GID try using the same one that the protect user has by looking at /etc/groups

   #sshfs -o allow_other -o async_read -o uid=1001 -o gid=10 user@10.253.2.10:/ifs /mnt/test/
   #su - protect
   #cd /mnt/test
   #ls -al
   #cat file.txt

5. When trying to scan lots of targets consecutively you may see that it will not scan after mounting and unmounting more than 3 shares in 1 Discover Target. I have seen this and not sure of the issue.
   1. I have then created multiple targets of 1-2 Shares and spread them out over time.

Hope this helps...

Good Luck

Ronak Patel

IMPORTANT: As of June 20th this page is still being updated with additional coverage information. It should be considered a "Work in Progress" 

In April 2017, an attack group calling itself the TheShadowBrokers, released a trove of data it claims to have stolen from the Equation cyberespionage group. The data contains a range of exploits and tools the attack group state were used by Equation. TheShadowBrokers said that the data dump was a sample of what had been stolen from hacking Equation and that the “best” files would be auctioned off to the highest bidder.

The Equation group has been known for some time and uses highly advanced malware tools to target organizations in a range of countries. The group is technically competent and well resourced, using highly developed malware tools that go to great lengths to evade detection.
Shadows Brokers has released this data in a series of dumps. 

Symantec Security response often has coverage for these vulnerbilties and tools well in advance of disclosure, but in an effort to make the coverage more readable these are renamed to represent the events they are assoiciated with.

Lost In Translation
On April 14, 2017 TheShadowBrokers released a collection of files, containing exploits and hacking tools targeting Microsoft Windows.
Later that week Microsoft published a blog stating that most of the exploits that were disclosed in this dump fall into vulnerabilities that are already patched in their supported products.

Dont Forget Your Base
On April 8th a missive from the TheShadowBrokers also contained another large batch of files. These are mostly characterised as tools and scripts as opposed to the vulnerbilties as seen in the Lost in translation dump. Additionally items like scripts are easily customizable and altered to impact different targets and to avoid static detection.

All coverage information is based on available virus definitions from June 20, 2017

Vault 7 is a series of documents that WikiLeaks began to publish on 7 March 2017, that allegedly detail activities and capabilities of the United States Central Intelligence Agency to perform electronic surveillance and cyber warfare. The files, dated from 2013–2016 and again allegedly include details on the agency's software capabilities, such as the ability to compromise cars, smart TVs, web browsers and the operating systems of most smartphones (including Apple's iOS and Google's Android), as well as other operating systems.

Coverage:

Please note that this is a work in progress and new reseach can cause this to be updated.

Changelog:

Hello All,

On June 27th, 2017 we all became aware of a new variant of the Petya malware which is spreading over the Microsoft Windows SMB protocol. The malware appears to use the ETERNALBLUE exploit tool to accomplish this. This is the same exploit the WanaCrypt0r/WanaCry malware exploited to spread globally in May, 2017. Multiple organizations have reported network outages, including government and critical infrastructure operators.

Windows users should take the following general steps to protect themselves:

• Apply security updates in MS17-010
• Block inbound connections on TCP Port 445
• Create and maintain good back-ups so that if an infection occurs, you can restore your data.

Overview

Petya is a ransomware family that works by modifying the Window’s system’s Master Boot Record (MBR), causing the system to crash. When the user reboots their PC, the modified MBR prevents Windows from loading and instead displays an ASCII Ransom note demanding payment from the victim.

The latest version of the Petya ransomware is spreading over Windows SMB and is reportedly using the ETERNALBLUE exploit tool, which exploits CVE-2017-0144 and was originally released by the Shadow Brokers group in April 2017.

After the system is compromised the victim is asked to send US $300 in Bitcoin to a specific Bitcoin address and then send an e-mail with the victim’s bitcoin wallet ID to wowsmith123456@posteo[.]net to retrieve their individual decryption key. As of 16:00 UTC on Jun 27th, 13 payments have already been made to attackers wallet.

Lifecycle

We are aware of the following information about how the Petya attack lifecycle works.

Exploitation

We have not yet confirmed the initial infection vector for this new Petya variant. Previous variants were spread through e-mail, but we have not identified this latest sample carried in any e-mail related attacks.

We have seen public speculation that a Ukrainian Tax software package was compromised and delivered the Petya DLL via an update on the morning of June 27th. This infection vector would explain the high concentration of infections in Ukraine, but we have not been able to independently confirm this information.

Trusted sources and open-source reporting have suggested that the initial infection vector for this campaign was a poisoned update for the MeDoc software suite, a software package used by many Ukrainian organizations. The timing of a MeDoc software update, which occurred on June 27, is consistent with initial reporting of the ransomware attack, and the timing correlates to lateral movement via PSExec we observed in victim networks starting around 10:12 UTC. Additionally, the MeDoc website currently displays a warning message in Russian stating: "On our servers is occurring a virus attack. Our apologies for the temporary inconvenience!"

Installation

This variant of Petya is spread as a DLL file, which must be executed by another process before it takes action on the system. Once executed, it overwrites the Master Boot Record and creates a scheduled task to reboot the system. Once the system reboots, the malware displays a ransom note which demands a payment of $300 in bitcoin.

Command and Control

Petya contains no Command and Control mechanisms that we know of. After a host is infected, there is no communication from the malware back to the attacker.

Lateral Movement

Petya uses three mechanisms to spread to additional hosts.

• Petya scans the local /24 to discover enumerate ADMIN$ shares on other systems, then copies itself to those hosts and executes the malware using PSEXEC. This is only possible if the infected user has the rights to write files and execute them on system hosting the share.
• Petya uses the Windows Management Instrumentation Command-line (WMIC) tool to connect to hosts on the local subnet and attempts to execute itself remotely on those hosts. It can use Mimikatz to extract credentials from the infected system and use them to execute itself on the targeted host.
• Petya finally attempts to use the ETERNALBLUE exploit tool against hosts on the local subnet. This will only be successful if the targeted host does not have the MS17-010 patches deployed.

Affected countries: UK, Ukraine, India, the Netherlands, Spain, Denmark, and others

Behavior:

Encrypts MFT (Master File Tree) tables for NTFS partitions and overwrites the MBR (Master Boot Record) with a custom bootloader that shows a ransom note and prevents victims from booting their computer.

Prevention Steps:

1. Block below source E-mail address:

emails: wowsmith123456@posteo.net
emails: wowsmith123456@posteo.net
emails: iva76y3pr@outlook.com
emails: carmellar4hegp@outlook.com
emails: amanda44i8sq@outlook.com

2. Block below domains and URL's :

domain: coffeinoffice.xyz
domain: french-cooking.com
domain: sundanders.online
url: http[:]//french-cooking[.]com/myguy[.]exe
url: http[:]//84[.]200[.]16[.]242/myguy[.]xls
url: http://84[.]200[.]16[.]242/Profoma[.]xls
url: http://84[.]200[.]16[.]242/Lucky[.]exe
url: http://185.165.29.78/~alex/svchost.exe
url: http[:]//mischapuk6hyrn72.onion/
url: http[:]//petya3jxfp2f7g3i.onion/
url: http[:]//petya3sen7dyko2n.onion/
url: http[:]//mischa5xyix2mrhd.onion/MZ2MMJ
url: http[:]//mischapuk6hyrn72.onion/MZ2MMJ
url: http[:]//petya3jxfp2f7g3i.onion/MZ2MMJ
url: http[:]//petya3sen7dyko2n.onion/MZ2MMJ
url: http[:]//benkow.cc/71b6a493388e7d0b40c83ce903bc6b04.bin

3. Block below IPs:

ip: 95.141.115.108
ip-dst: 185.165.29.78
ip-dst: 84.200.16.242
ip-dst: 111.90.139.247  

4. Apply latest below patches:

https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

5. Disable SMBv1

6. Update Anti-Virus hashes

md5: 9B853B8FE232B8DED38355513CFD4F30
md5: CBB9927813FA027AC12D7388720D4771
md5: a809a63bc5e31670ff117d838522dec433f74bee
md5: bec678164cedea578a7aff4589018fa41551c27f
md5: d5bf3f100e7dbcc434d7c58ebf64052329a60fc2
md5: aba7aa41057c8a6b184ba5776c20f7e8fc97c657
md5: 0ff07caedad54c9b65e5873ac2d81b3126754aac
md5: 51eafbb626103765d3aedfd098b94d0e77de1196
md5: 078de2dc59ce59f503c63bd61f1ef8353dc7cf5f
md5: 7ca37b86f4acc702f108449c391dd2485b5ca18c
md5: 2bc182f04b935c7e358ed9c9e6df09ae6af47168
md5: 1b83c00143a1bb2bf16b46c01f36d53fb66f82b5
md5: 82920a2ad0138a2a8efc744ae5849c6dde6b435d

sha256: 02ef73bd2458627ed7b397ec26ee2de2e92c71a0e7588f78734761d8edbdcd9f
sha256: eae9771e2eeb7ea3c6059485da39e77b8c0c369232f01334954fbac1c186c998
sha256: 64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1
sha256: 027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745
sha256: fe2e5d0543b4c8769e401ec216d78a5a3547dfd426fd47e097df04a5f7d6d206
sha256: ee29b9c01318a1e23836b949942db14d4811246fdae2f41df9f0dcd922c63bc6
sha256: EE29B9C01318A1E23836B949942DB14D4811246FDAE2F41DF9F0DCD922C63BC6
sha256: 17DACEDB6F0379A65160D73C0AE3AA1F03465AE75CB6AE754C7DCB3017AF1FBD
sha256: 22053C34DCD54A5E3C2C9344AB47349A702B8CFDB5796F876AEE1B075A670926
sha256: 1FE78C7159DBCB3F59FF8D410BD9191868DEA1B01EE3ECCD82BCC34A416895B5
sha256: EEF090314FBEC77B20E2470A8318FC288B2DE19A23D069FE049F0D519D901B95

filename: C:\0487382a4daf8eb9660f1c67e30f8b25.hta
filename: petwrap.exe
filename: C:\027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745.bin.dll
filename: Order-20062017.doc
filename: myguy[1].hta
filename: myguy.xls
filename: dllhost.dat
named pipe: {df458642-df8b-4131-b02d-32064a2f4c19}

Recommendations

• In order to prevent infection, users and organizations are advised to apply patches to Windows systems as mentioned in Microsoft Security Bulletin MS17-010.
  https://technet.microsoft.com/library/security/MS17-010
• Perform regular backups of all critical information to limit the impact of data or system loss and to help expedite the recovery process. Ideally, this data should be kept on a separate device, and backups should be stored offline.
• Block SMB ports on Enterprise Edge/perimeter network devices [UDP 137, 138 and TCP 139, 445] or Disable SMBv1. 
  https://support.microsoft.com/en-us/help/2696547
• Applocker policies to block execution of files having name perfc.dat as well as psexec.exe utility from sysinternals.
• A quick fix to prevent by creating the files (perfc, perfc.dll, and perfc.dat) to already exist on the Windows machine, under C:\Windows, with READONLY permissions. A brief description is here:
  https://www.bleepingcomputer.com/news/security/vaccine-not-killswitch-found-for-petya-notpetya-ransomware-outbreak/     [ NOTE: This is not a Kill Switch but only a vaccine with no Guarantees ]
• Don't open attachments in unsolicited e-mails, even if they come from people in your contact list, and never click on a URL contained in an unsolicited e-mail, even if the link seems benign. In cases of genuine URLs close out the e-mail and go to the organization's website directly through browser.
• Restrict execution of powershell /WSCRIPT/ PSEXEC / WMIC in enterprise environment Ensure installation and use of the latest version (currently v5.0) of PowerShell, with enhanced logging enabled. script block logging, and transcription enabled. Send the associated logs to a centralized log repository for monitoring and analysis.
• Establish a Sender Policy Framework (SPF),Domain Message Authentication Reporting and Conformance (DMARC), and DomainKeys Identified Mail (DKIM) for your domain, which is an email validation system designed to prevent spam by detecting email spoofing by which most of the ransomware samples successfully reaches the corporate email boxes.
• Application whitelisting/Strict implementation of Software Restriction Policies (SRP) to block binaries running from %APPDATA%, %PROGRAMDATA% and %TEMP% paths. Ransomware sample drops and executes generally from these locations. Enforce application whitelisting on all endpoint workstations.
• Deploy web and email filters on the network. Configure these devices to scan for known bad domains, sources, and addresses; block these before receiving and downloading messages. Scan all emails, attachments, and downloads both on the host and at the mail gateway with a reputable antivirus solution.
• Disable macros in Microsoft Office products. Some Office products allow for the disabling of macros that originate from outside of an organization and can provide a hybrid approach when the organization depends on the legitimate use of macros. For Windows, specific settings can block macros originating from the Internet from running.
• Configure access controls including file, directory, and network share permissions with least privilege in mind. If a user only needs to read specific files, they should not have write access to those files, directories, or shares.
• Maintain updated Antivirus software on all systems.
• Consider installing Enhanced Mitigation Experience Toolkit, or similar host-level anti-exploitation tools.
• Block the attachments of file types, 
  exe|pif|tmp|url|vb|vbe|scr|reg|cer|pst|cmd|com|bat|dll|dat|hlp|hta|js|wsf
• Regularly check the contents of backup files of databases for any unauthorized encrypted contents of data records or external elements, (backdoors /malicious scripts.)
• Keep the operating system third party applications (MS office, browsers, browser Plugins) up-to-date with the latest patches.
• Follow safe practices when browsing the web. Ensure the web browsers are secured enough with appropriate content controls.
• Network segmentation and segregation into security zones - help protect sensitive information and critical services. Separate administrative network from business processes with physical controls and Virtual Local Area Networks.
• Disable remote Desktop Connections, employ least-privileged accounts.
• Ensure integrity of the codes /scripts being used in database, authentication and sensitive systems, Check regularly for the integrity of the information stored in the databases.
• Restrict users' abilities (permissions) to install and run unwanted software applications.
• Employ data-at-rest and data-in-transit encryption.

What are the details of Symantec's protection?

Network-based protection

Symantec has the following IPS protection in place to block attempts to exploit the MS17-010 vulnerability:

• OS Attack: Microsoft SMB MS17-010 Disclosure Attempt (released May 2, 2017)
• Attack: Shellcode Download Activity (released April 24, 2017)

Symantec encourages to install all features of Symantec Endpoint Protection on all the machines for best protection.

Antivirus

• Ransom.Petya

SONAR behavior detection technology

• SONAR.Module!gen3

Conclusion

Ransomware attacks are very common, but they are rarely coupled with an exploit that allows the malware to spread as a network worm. The WannaCry attacks in May, 2017 demonstrated that many Windows systems had not been patched for this vulnerability. The ideas behind the Trojan have been seen before in earlier malware; the creators of Petya have simply combined them all in a single creation. That said, it should be acknowledged that it requires a certain degree of technical skill to implement a low-level code to encrypt and decrypt data prior to OS booting.

Secondly, the spread of Petya using this vulnerability indicates that many organizations may still be vulnerable, despite the attention WannaCry received.

Following are the highlights of the SCU 2017-1:

New features

The SCU 2017-1 includes the following new features:

• Command-based data collection support for UNIX platform

  From SCU 2017-1 onwards, command-based data collection support for UNIX platform is available in CCS. You can use this feature in both the agent-based and the agentless methods of data collection.

By using this feature, you can achieve the following:

 -> Collect data and assess security configuration of middleware and third-party applications that are currently not supported out-of-the-box by CCS.

 -> Create customized command-based checks in CCS Standards Manager, and collect and evaluate data for UNIX assets in your system.

Note: To use this feature you must upgrade your CCS deployment to the 11.5.2 version (Product Update 2017-1).

• Automated MS SQL password management in agent-based data collection

  From SCU 2017-1 onwards, you can choose to automate the process of password management for SQL Server instances and SQL Server clusters while collecting agent-based raw data from these assets.

By using this feature, you can achieve the following:

 -> Quickly ensure that MS SQL user passwords configured for data collection are changed as per the password policy of your organization.

 -> Improve the security practices of your organization by managing passwords without any human intervention.

• Data collection support for Windows Server Core platform

  From SCU 2017-1 onwards, agent-based and agentless data collection support for assets that run Windows Server Core operating systems is available in CCS. By using this support, you can now take informed decisions about the security configuration of Windows Server Core assets in your environment.

• Data collection support for SUSE Linux Enterprise Server 12 platform

  From SCU 2017-1 onwards, data collection support for SUSE 12 assets is available in CCS. By using the Security Essentials for SUSE Linux Enterprise Server 12 standard available in this SCU, you can collect and evaluate data to secure SUSE Linux Enterprise Server 12 assets in your system.

• Data collection support on 64-bit CCS agent for RHEL 7.x server assets

  From SCU 2017-1 onwards, data collection support on 64-bit agent for Red Hat Enterprise Linux 7.x server assets is available in CCS.

New technical standards

The SCU 2017-1 contains the following new technical standards:

• CIS Benchmark for Red Hat Enterprise Linux 6, v2.0.2
• CIS Benchmark for Cisco IOS 15, v4.0.0 (level 1 profile)
• Security Essentials for Junos OS 15.x Devices
• Security Essentials for SUSE Linux Enterprise Server 12

Updated technical standards

The CIS Red Hat Enterprise Linux 7.x Benchmark v2.1.1 standard is an updated standard in SCU 2017-1.

New regulatory framework

The SCU 2017-1 contains the following new regulatory framework:

• Australian Government Information Security Manual (ISM) 2016 Release

For more details and downloading the web packages and agent tpks visit following page:

https://www.symantec.com/security_response/securityupdates/detail.jsp?fid=ccs&pvid=scu&year=&suid=20170601_00

Do let us know for any questions/queries regarding this SCU release.

Regards,

Chetan

Protirus were asked to solve the problem of providing additional functionality to Symantec’s DLP Endpoint Agent without impacting the end user. We did this by creating a development framework that allows us integrate DLP Endpoint and any customer applications via the Endpoint flex response functionality.

In this video you will find examples of the following bespoke flex response rules:

• An integration between the customers DLP endpoint solution and their incumbent RMS platform. This allowed the DLP endpoint agent to automatically protect the customers data, on the move, with Security Templates without any user interaction
• Executing customer created PowerShell scripts. This allowed the DLP endpoint agent to automatically block and then redact specific keywords from documents before transferring them over the network or even out to the internet, with no or limited user interaction.

Original Case Study: https://protirus.com/Cases/Detail/26

The security documentation provided by WordPress and found online for plugin security is sparse, outdated or unclear. This cheat sheet is intended for Penetration Testers who audit WordPress plugins or developers who wish to audit their own WordPress plugins. This cheat sheet can be effectively used to test various WordPress plugins.

Cross-Site Scripting (XSS)

Check if the following global PHP variables are echo'd to pages, or stored in the database and echo'd at a later time without first being sanitised or output encoded.

• $_GET
• $_POST
• $_REQUEST
• $_SERVER['REQUEST_URI']
• $_SERVER['PHP_SELF']
• $_SERVER['HTTP_REFERER']
• $_COOKIE

(Note: the list of sources above is not extensive nor complete)

Cross-Site Scripting (XSS) Tips

The following functions can cause XSS if not secured:

• add_query_arg()
• remove_query_arg()

See References Below:

When doing dynamic testing for XSS the following setting in the wp-config.php file may reduce false positive results as it prevents administrative and editor users from being able to embed/execute JavaScript/HTML, which by default they are permitted to do.

define( 'DISALLOW_UNFILTERED_HTML', true );

SQL Injection

Unsafe API methods (require sanitising/escaping):

• $wpdb->query()
• $wpdb->get_var()
• $wpdb->get_row()
• $wpdb->get_col()
• $wpdb->get_results()
• $wpdb->replace()

Safe API methods (according to WordPress):

• $wpdb->insert()
• $wpdb->update()
• $wpdb->delete()

Safe code, prepared statement:

<?php $sql = $wpdb->prepare( 'query' , value_parameter[, value_parameter ... ] ); ?>

Note: Before WordPress 3.5 $wpdb->prepare could be used insecurely as you could just pass the query without using placeholders, like in the following example:

$wpdb->query( $wpdb->prepare( "INSERT INTO table (user, pass) VALUES ('$user', '$pass')" ) );

SQL Injection Tips

Unsafe escaping ('securing') API methods:

• esc_sql() function does not adequately protect against SQL Injection - see refs below
• escape() same as above
• esc_like() same as above
• like_escape() same as above

<?php $wpdb->show_errors(); ?> <?php $wpdb->hide_errors(); ?> <?php $wpdb->print_error(); ?>

File Inclusion

• include()
• require()
• include_once()
• require_once()

PHP Object Injection

• unserialize()

Command Execution

• system()
• exec()
• passthru()
• shell_exec()

PHP Code Execution

• eval()
• assert()
• preg_replace() dangerous "e" flag deprecated since PHP >= 5.5.0 and removed in PHP >= 7.0.0.

Authorisation

• is_admin() does not check if the user is authenticated as administrator, only checks if page displayed is in the admin section, can lead to auth bypass if misused.
• is_user_admin() same as above
• current_user_can() used for checking authorisation. This is what should be used to check authorisation.

Open Redirect

• wp_redirect() function can be used to redirect to user supplied URLs. If user input is not sanitised or validated this could lead to Open Redirect vulnerabilities.

Cross-Site Request Forgery (CSRF)

• wp_nonce_field() adds CSRF token to forms
• wp_nonce_url() adds CSRF token to URL
• wp_verify_nonce() checks the CSRF token validity server side
• check_admin_referer() checks the CSRF token validity server side and came from admin screen

SSL/TLS

• CURLOPT_SSL_VERIFYHOST if set to 0 then does not check name in host certificate
• CURLOPT_SSL_VERIFYPEER if set to FALSE then does not check if the certificate (inc chain), is trusted
• Check if HTTP is used to communicate with backend servers or APIs. A grep for "http://" should be sufficient.

Further reading/references:

1. https://developer.wordpress.org/plugins/security/
2. https://codex.wordpress.org/FunctionReference/escsql
3. https://blog.sucuri.net/2015/04/security-advisory-xss-vulnerability-affecting-multiple-wordpress-plugins.html
4. https://secure.wphackedhelp.com/fixmysite.html
5. https://curl.haxx.se/libcurl/c/CURLOPTSSLVERIFYHOST.html
6. https://www.owasp.org/index.php/OWASPWordpressSecurityImplementationGuideline
7. http://php.net/manual/en/function.preg-replace.php

This will helps download, install and configure Symantec Endpoint Protection (SEP) and desinged for defult, first time managed client installation of 500 or fewer.

• Preinstall: Check System requirements
• Step 1: Download Symantec Endpoint Protection
• Step 2: Install Symantec Endpoint Protection Manager
• Step 3: Activate your license and add a group
• Step 4: Install the Symantec Endpoint Protection clients 
• Step 5: Check that the latest definitions are installed
• Step 6: Check the database backup settings
•  
•  

Before you install SEP Manager or the SEP clients, perform the following steps:

--> First Download "SymDiag" for preinstall system requirement

1. Download Symantec Endpoint Protection

• If you have any issue for received an Order Fulfillment email with your license certificate, contact Symantec Customer Support by phone for further assistance. 

             --> First go to FileConnect

            --> Type the serial number that you found in your Order Fulfillment email. The serial number is case-sensitive. 

            --> Than Submit Serial Number

            --> Select the appropriate version based on language, such as Symantec Endpoint Protection 14 - International English. 

            --> Click the plus sign next to a file name to expand the information about it. The file name that includes the phrase Full Installation contains Symantec Endpoint Protection Manager.

           --> download the file, click the file link next to HTTPS Download.

           --> Repeat this process for any additional files that you want to download. When you are finished, you can close the browser window.

         2. Install Symantec Endpoint Protection Manager 14

            --> where you downloaded the Symantec Endpoint Protection installation file, double-click the file to extract all files. If you see an Open File - Security Warning prompt, click Run. 

           --> Type or browse to a location to extract to, and then click Extract. 

           --> When the extraction finishes, find and double-click Setup.exe

           --> Click Install Symantec Endpoint Protection. 

          -->  Accept the terms and condition given in the license agreement and then click install.

         --> On the Welcome to the Management Server Configuration Wizard panel, click Default configuration, and then click next.

        --> Fill out the required fields to create the system administrator account and email address to which Symantec Endpoint Protection Manager sends notifications, and then click next.

for futher more information read out pdf, which is i attach with article.

Thanks,

Devang Raval.

(SOC Analyst)

Sequretek IT Solution Pvt. Ltd.

+91 99984 00299

(devang.raval@sequretek.com)

Dear All,

I'd tried to get information about how to read current definitions on Symantec via Python on your site but unfortunately I could not. After that I tried to get it by myself and created on Python the code below.

import os
import platform
import winreg

def get_registry_value(key, subkey, value):
    key = getattr(winreg, key)
    handle = winreg.OpenKey(key, subkey)
    (value, type) = winreg.QueryValueEx(handle, value)
    return value

if windowsbit.find("64") == -1:
    strWinX = "32Bit"
else:
    strWinX = "64bit"

if strWinX == "64bit":
    SEPstatus = get_registry_value("HKEY_LOCAL_MACHINE","SOFTWARE\\WOW6432Node\\Symantec\\Symantec Endpoint Protection\\AV","UsingPattern")
else:
    SEPstatus = get_registry_value("HKEY_LOCAL_MACHINE","SOFTWARE\\Symantec\\Symantec Endpoint Protection\\AV","UsingPattern")

SEPyear = str ((SEPstatus >> 18) + 1998)
SEPmonth = (SEPstatus >> 14)
SEPmontha = str ((SEPmonth & 0x0f))
SEPday = (SEPstatus >> 9)
SEPdaya = str ((SEPday & 0x1f))

strSEPdate = SEPdaya + "/" + SEPmontha + "/" + SEPyear # day/month/year format
print(strSEPdate)

Thanks in advance.

Regards.

Hello again,

            With your serial number when you log on to fileConnect for SEP (Symantec Endpoint Protecation). There are the file that you can download. 

            What you download from FileConnect depends on how you plan to implement SEP in your organization. You don't need to download every file displayed in the FileConnect list.

            Most files begin with the product name and version (shown here as ProductVersion), and end with the product’s language code (shown here as language). Bold text in the file name highlights what the file contains.

• All files

                 If you want full installation file, which includes management console (Symantec Endpoint Protection Manager (SEPM)), clients for Windows, Mac, and Linux, the supplemental tools and some of the virtualization tools.

               --> Symantec_Endpoint_Protection_ProductVersion_Full_Installation_language.exe

Note: This file is a self-extracting archive, which prompts you to choose a folder in which to save the extracted files. The default is to save the files in the same folder as the downloaded file. You should create a new folder for the extracted files.

• Individual files

                  --> If you just need the standalone client installers for Windows, Mac, and Linux, download:
                        "Symantec_Endpoint_Protection_ProductVersion_All_Clients_language.zip"

                 --> If you just need the management console and server, download:
                        "Symantec_Endpoint_Protection_ProductVersion_SEPM_language.zip"

                 --> (12.1.x only) If you just need the tools to take advantage of virtualization enhancements, such as Security Virtual Appliance or Shared Insight                         Cache, download: "Symantec_Endpoint_Protection_12.1.5_Virtual_Toolkit_ML.zip"

• Additional files

                 --> If you also use SSIM (Symantec Security Information Management) , download:
                      (14) symantec_sim_8_0_103_win_en.exe
                      (12.1.x) symantec_sim_7_6_78_win_en.exe

                --> (12.1.x only) If you also use a Symantec Management Platform solution and want tools to integrate the management of Symantec Endpoint                           Protection installations, download: "Symantec_Endpoint_Protection_Integration_Component_7_1_2.zip"

 --> Detailed file information

         -- Full installation (all files)

          Symantec_Endpoint_Protection_ProductVersion_Full_Installation_language.exe contains the following:

• Symantec Endpoint Protection Manager
• Symantec Endpoint Protection unmanaged client installer for Windows, 32-bit
• Symantec Endpoint Protection unmanaged client installer for Windows, 64-bit
• Symantec Endpoint Protection unmanaged client installer for Mac
• Symantec Endpoint Protection unmanaged client installer for Linux
• Tools, a folder that contains the following optional or advanced tools:

                 --> Apache Reverse Proxy

                --> Central Quarantine (12.1.x only)

                --> CleanWipe

                --> Content Distribution Monitor

               --> DeviceInfo (14 only)

               --> DevViewer

               --> Integration for Symantec Endpoint Protection Remote Monitoring and Management (RMM) SDK (12.1.x only)

               --> IT Analytics

              --> JAWS screen reader (assistive technology) scripts

              --> NoSupport, a folder containing unsupported tools

              --> Offline Image Scanner* (12.1.x only)

              --> Push Deployment Wizard

             --> SylinkDrop

             --> SymDiag

             --> Virtualization, a folder containing Security Virtual Appliance information (12.1.x only), Shared Insight Cache*, and Virtual Image Exception*

             --> WebSevicesDocumentation, which includes the Symantec Endpoint Protection Remote Monitoring and Management (RMM) SDK (14 only)

Note:- Items with a star (*) are included in the Virtual Toolkit download (12.1.x only). You must download the Virtual Toolkit for the Security Virtual Appliance .ova file.

Symantec Endpoint Protection clients only

"Symantec_Endpoint_Protection_ProductVersion_All_Clients_language.zip" contains the following:

• Symantec Endpoint Protection unmanaged client installer for Windows, 32-bit
• Symantec Endpoint Protection unmanaged client installer for Windows, 64-bit
• Symantec Endpoint Protection unmanaged client installer for Mac
• Symantec Endpoint Protection unmanaged client installer for Linux

Symantec Endpoint Protection Manager only

"Symantec_Endpoint_Protection_ProductVersion_SEPM_language.zip" contains the following:

• Symantec Endpoint Protection Manager

Symantec Security Information Management (SSIM)

     --> "symantec_sim_ProductVersion_win_en.exe" installs files for supporting an SSIM installation.

Symantec Endpoint Protection Integration Component for Symantec Management Platform

(12.1.x only) "Symantec_Endpoint_Protection_Integration_Component_7_1_2.zip" contains the following:

       --> Symantec Installation Manager Setup (.exe)

if you have any query than let me know.