Please review instructions in the support article below.
General Availability Release of ICDx Now Available to Symantec Customers
Security Analytics: Risk and Visibility Report
The Risk and Visibility Report in Security Analytics is a powerful way to provide non-analysts, executives, and other members of your organization with a general overview of the latest threats that Security Analytics has detected. It is also a great way to track progress as you make improvements on your network to fortify security. The report gives you a high-level view, including:
- The predicted count of files hiding in encrypted traffic. Modern-day threats hide in encrypted traffic.
- The amount of encrypted traffic crossing your network, which might be enlightening.
- Risky applications on the network. Do you know what applications are in use across your network?
- Anomalous network behavior based on a benchmark of your actual traffic. Identify what “normal” is in your network so you can identify “abnormal”.
- An executive summary to share with the security team or management so you can prioritize activities. It is a great way to shine a light on the value of Security Analytics.
Check out the attachment for how to get the report in Security Analytics.
CloudSOC CASB Users/Admin role - Incident Investigation
My team just finished creating a whitepaper on How to Build a Cloud Center of Excellence. We were sitting back and contemplating follow-on papers representing deeper dives into each of the topics therein. In our review of the Shadow IT discovery documentation, we threw around funny titles like:
“How to Have a Frank Talk with Marketing about Their Cloud Services Stack”
And other conversation starters for CASB Admins such as,
“Do We Really Need Five Document Sharing Services?”
But after the laughter, I sobered up and looked at what people really don’t have much of a handle on, which is how to use a CASB solution to do Investigation and Incident Response. I come from over a decade of Security Operations Center work, both as an analyst and as senior management. I’m sadly aware that there are few truly gifted SIEM engineers in the world that can write really good Events of Interest across multiple disciplines – most of them are in development, not support or ops.
That doesn’t mean that it doesn’t need doing. But until we get the SIEM discipline to include topics like AppSec and CASB in addition to the standard Network and (in a dream) Vulnerability Management traditions, we need to talk about how to use the data found in CloudSOC CASB.
Data by itself is boring – you have to make it sing out when it’s interesting. Here’s the beginning of some thoughts on how to make your CloudSOC CASB data in Detect sing like a bird.
First step: I’m not making any assumptions about who an organization’s CASB Admin is – what their role, background, experience, etc. It’s likely in many cases that the CASB Administrator and representative on the CCoE is someone with experience in Security (likely Network) and/or Network Operations/IT.
It is equally likely, once one gets out of high tech, that the CASB Administrator is going to be an Audit/Compliance specialist or even the Department Secretary who has the spark and drive for learning new systems and reading manuals. (This happened in South Dakota – I’m a witness. Anyone who likes learning about Security can become a Security Analyst, regardless of background and education.)
Therefore I must assume no security knowledge, so here’s some background for the CASB Admin on Network Security.
Intrusion Detection/Prevention Systems (IDS/IPS) and Firewalls (Old School or Next Gen) both work by recording the IP that is the source of an attack as well as the destination. These systems look at Port, Protocols, and (for some) packet/payload. They are fantastic for seeing outside surveillance and attacks against your system, perimeter, etc. The challenge: You can never quickly identify “Who” in a scenario if the source is interior. Or rather, you can, but it’s exceptionally difficult.
Example: Say I’m a disgruntled employee who is downloading all the source code before going to work for a competitor. Because I am legitimately logged in and my sessions are legit, my activity is likely not going to show up on an IDS/IPS as an Event of Interest. Or if it does, it’s going to offer up my IP address. You can map an IP address to a MAC address and then ask IT who is assigned the laptop/computer with that MAC address. If you’re stunningly lucky they might know, but for most organizations that’s going to be pure black magic.
But you, you lucky CASB Administrator, have CloudSOC Detect as a source of truth for What’s Going On in your network. Here are your first three ideas for getting started on managing incidents and finding out what’s going on. For these illustrations, I’m using scenarios created by my Sales Engineering team, who have done Bad Things to make them easy for you to see.
Dave Coder is a Developer on my team that is looking to find another job. How do I come to suspect this? Here are my warning flags. Dave Coder has a high ThreatScore in Detect. This score is calculated by his behavior online with different events that contribute to high-risk behavior.
I want to see what activities led to this score, so I open up his threat tree:
I see that Dave has policy violations, virus violations, excessive data uploads, and excessive data downloads. My first instinct is that this guy may be giving his “three weeks’ notice” and violating ethics by downloading company IP and uploading it to personal accounts.
As a CASB administrator, I should talk to the owner of my organization’s SalesForce application/instance during our CCoE and ask what Coder Dave’s role is as a user. There are, after all, perfectly legitimate uses of SalesForce which involve large data uploads, including anything PowerPoint or video, or other resource-heavy files. I care if he’s been downloading customer lists and reports outside of the normal time frame for quarterly reports, etc., but what does normal look like for someone on his team?
Let’s look at his activities on SalesForce compared to his team. As you’ll see below, Dave looks reasonably normal in the context of everyone else's activity in his group. Maybe he’s not planning on leaving us.
But do I jump to the conclusion that all is well with Dave? No, there are still some issues and flags that led to a high score. Let’s look at precisely what happened with this credential, sorted by timestamp.
I can see that on April 18, Coder Dave experienced a Brute Force Login attack on his SalesForce credentials. (For those pondering this at home, your average Network device may not be able to see this event as it happened in the cloud at SalesForce.com.) Immediately after that, CloudSOC CASB started to see SalesForce login issues, virus violations, and policy violations. This gives me some data to check with my Network Security team to look at problems.
With specific timestamps and events, they can investigate via Symantec Endpoint Protection administrator to check for infection, or IDS/Firewall logs for network activity to see if there is any corresponding network event with the same timestamp that represents an external attack. But if Dave was working from a coffee shop there may be no other records showing us what happened.
Better safe than sorry: I’m going to suggest that Dave’s manager send him down to IT to take a look at his laptop and see if it’s got a trojan or other virus still on his system. Dave should change his passwords, too, and if the organization has Multi-Factor Authentication in place, I could make a policy for this ThreatScore level or post brute-force attack that forces a secondary authentication to keep out credential thieves.
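As an added example (not part of the original post, and not CloudSOC's own code), the following Python walks the same path programmatically: it sorts each user's events by timestamp, flags a brute-force login that is followed within a short window by the kinds of anomalies seen above, and checks one user's upload volume against the team with a robust median/MAD comparison. The event layout, field names and every sample value are constructed, not a real CloudSOC Detect export.

```python
"""Correlate post-brute-force activity and compare upload volume against the team.

Added example: the event records and field names below are constructed and do
not reflect a real CloudSOC Detect export; adapt the field mapping to your own.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

# Constructed sample events (user, ISO timestamp, event type) - not real data.
SAMPLE_EVENTS = [
    {"user": "dave.coder", "time": "2019-04-17T15:40:00", "type": "File Upload"},
    {"user": "dave.coder", "time": "2019-04-18T08:55:00", "type": "Brute Force Login"},
    {"user": "dave.coder", "time": "2019-04-18T09:03:00", "type": "Login Failure"},
    {"user": "dave.coder", "time": "2019-04-18T11:20:00", "type": "Virus Violation"},
    {"user": "dave.coder", "time": "2019-04-19T10:05:00", "type": "Policy Violation"},
    {"user": "dave.coder", "time": "2019-04-30T13:00:00", "type": "Policy Violation"},  # too late
    {"user": "ann.ops", "time": "2019-04-18T09:10:00", "type": "Policy Violation"},     # no brute force
    {"user": "bob.dev", "time": "2019-04-20T14:00:00", "type": "Brute Force Login"},    # nothing follows
]

# Constructed 30-day Salesforce upload volume per team member, in MB.
TEAM_UPLOAD_MB = {"ann.ops": 640, "bob.dev": 700, "cho.qa": 760,
                  "dave.coder": 820, "eve.pm": 910, "x.contractor": 4800}

# Event types that, right after a brute-force login, suggest a compromised credential.
FOLLOW_ON = {"Login Failure", "Virus Violation", "Policy Violation",
             "Excessive Upload", "Excessive Download"}


def post_brute_force_activity(events, window_days=3.0):
    """Per user, find each brute-force login and the FOLLOW_ON events within the window after it.

    Returns a list of findings carrying the timestamps a network or endpoint team
    needs in order to line the cloud events up against SEP, IDS and firewall logs.
    """
    window = timedelta(days=window_days)
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev["user"]].append(ev)

    findings = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: datetime.fromisoformat(e["time"]))
        for i, ev in enumerate(evs):
            if ev["type"] != "Brute Force Login":
                continue
            t0 = datetime.fromisoformat(ev["time"])
            follow = [
                (f["time"], f["type"])
                for f in evs[i + 1:]
                if f["type"] in FOLLOW_ON
                and datetime.fromisoformat(f["time"]) - t0 <= window
            ]
            if follow:  # a brute force with nothing after it is noise, not a finding
                findings.append({"user": user, "brute_force_at": ev["time"], "follow_on": follow})
    return findings


def upload_outlier(volumes, user, threshold=3.5):
    """Compare one user's volume with the team using median and MAD (robust to one heavy user).

    Returns (is_outlier, robust_z). 1.4826 scales the MAD to a standard deviation
    for normally distributed data.
    """
    values = list(volumes.values())
    med = median(values)
    mad = median(abs(v - med) for v in values)
    if mad == 0:  # everyone identical: nothing stands out
        return False, 0.0
    robust_z = abs(volumes[user] - med) / (1.4826 * mad)
    return robust_z > threshold, round(robust_z, 2)


if __name__ == "__main__":
    for finding in post_brute_force_activity(SAMPLE_EVENTS):
        print(f"{finding['user']}: brute force at {finding['brute_force_at']}")
        for when, kind in finding["follow_on"]:
            print(f"   {when}  {kind}")
    for who in ("dave.coder", "x.contractor"):
        print(who, upload_outlier(TEAM_UPLOAD_MB, who))
```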
How fun was that?
SEP v15 Cloud vs SEP v14.2 RU1 - A Follow Up
A follow-up to my previous article, "SEP 15 is Cloud based - what's your views": Symantec has published a new article explaining the differences between the Symantec Endpoint Protection 14.2 RU1 and 15 releases.
They also broke them down into easy-to-read sections, allowing you to see what each of them offers so you can decide which version is the most suitable for your environment.
Head over to https://support.symantec.com/en_US/article.HOWTO130010.html and have a read.
Based on the information above, would you migrate over to v15, or stay with v14? And why?
Your views are welcome!
Security Analytics Support Tips - May 2019
Tips from the Security Analytics Support Desk
Here are a few tips from the Security Analytics Support Team that they thought would help customers get the most out of their Security Analytics deployment. Feel free to share topics you'd like to see in future Support Tips posts.
NTP Configuration:
Security Analytics relies on accurate time settings for capture, certificates, and CMC functionality. For this reason you should configure NTP on Settings > Date/Time prior to starting capture and prior to setting up a CMC VPN.
System Monitoring:
Symantec recommends that you frequently check /var/log/messages to see important status messages, statistics, and logs.
Health Status for High-Density Storage Arrays:
For Security Analytics E5660 300T Intelligent Storage Arrays (NetApp® E2760 Storage Arrays) you can do a health-status check by running this command from the head unit console:
SMcli -d;SMcli -n <array_name>
Check SAS Drives:
For Security Analytics J5300 40T Direct-Attached Storage you can see the RAID information on the SAS drives by running lsi-show.
Documentation for lsi-show is located here: https://origin-symwisedownload.symantec.com//resources/webguides/security_analytics/ENG/80/Content/_Reference/ds_cli/lsi-show.htm
Direct Downloads of Software Upgrade TAR Files:
To download software upgrade TAR files from the CLI instead of the web UI, run this command:
wget --no-check-certificate --user=Y0UR-L1C3-N53K-K3YH --password=Y0UR-L1C3-N53K-K3YH https://upgrade.soleranetworks.com/upgrades/atpsa-8.0.2-53045-x86_64-DVD.tar
(Replace Y0UR-L1C3-N53K-K3YH with your own license key in both the --user and --password options; note that a key passed on the command line is visible in shell history and the process list.)
WSS + SEP Mobile builds a strong line of defense for mobile users
The integration of Web Security Service (WSS) and SEP Mobile brings advanced web security to mobile devices. WSS protects web and cloud app traffic, users, and devices via a cloud-delivered security service incorporating URL filtering, categorization, Advanced Threat Protection, Content & Malware Analysis (sandboxing), Web Isolation, CASB integration (for example CASB Audit feeding telemetry to WSS), SSL break-and-inspect support, and native DLP integration. I have been using WSS and SEP Mobile for some time now, and a snapshot of just one month of my mobile traffic shows WSS blocking close to 600K advertising, unwanted or potentially risky sites while allowing legitimate web browsing traffic during that timeframe. The level of additional protection WSS adds simply by leveraging the SEP Mobile integration, together with the ability to filter out unwanted traffic, is surprising.
Blocked Traffic – 30 Day Period
Allowed Traffic – 30 Day Period
Endpoint Detection and Response procedures for correctly blocking and responding to frequent threats
Advanced threat protection plays a fundamental role in securing the volume of information that companies hold. In such a competitive market, businesses are constantly looking to improve security by implementing new strategies, which are justified and necessary even if the goal is only to stay aware of the cyber attacks recorded daily with new malicious elements. It is more than clear that one of the most sought-after targets for threats are the endpoints, which one way or another hold off these remote attacks as best they can or neutralize them momentarily.
The objective of this article is the technical and specific purpose of explaining how Symantec Endpoint Detection and Response should be used to activate the blocking of new threats and neutralise them in real time.
Is it possible to stop the attacks of these threats? Symantec's advanced threat protection products are the solution for increasing control over all suspicious activities so that they are stopped in time, and in this way success is ensured. These are the procedures that must be carried out to obtain the expected result.
Procedures
- Start the search for threats and alerts in a pane with more visibility. After the automated responses, a diagnosis begins; as a result, a report evaluates the situation and, together with it, a decision is made on how to treat the threat.
- Review and control all devices in search of additional threats that form part of a weak point and the cause of the data leakage, so that a more accurate value can be assigned to the weaknesses or vulnerabilities through which the data volume is compromised.
- Continuously supervise whether the application maintains its behaviour or generates some unexpected alteration outside the established parameters.
- Diagnose each suspicious activity separately, with the objective of producing a concrete report of the threats in each affected sector and then totalling a percentage of threats to the system, reinforcing security with extra tools that allow an immediate response to the problem.
After the visualisation, supervision, review and control of all the devices that may be infected by the threats have been performed successfully, proceed to run Symantec Endpoint Detection and Response. It is important to have the latest version, because the upgrades have a higher response capacity and 3 times higher throughput.
It is advisable to carry out the counter-measures in the following order:
- Elimination of threats in the cloud; most of the company's information is held here, so it is essential to start the counter-attack from the cloud.
- Elimination of threats in devices, emails, and all vulnerable and infected areas.
- Elimination of the gaps that are the cause of infections, as well as other endpoints and devices related to the problem.
- Apply a clean-up (debugging) throughout the system, especially in the affected areas.
Threats are always the order of the day, at indefinite hours, so it is advisable to create a backup unit of all the data of the different areas of the company, to restore any loss of information that could have been caused by leakage or infection. In addition, carry out a daily analysis after having executed the elimination of threats; this will allow a more accurate forecast for the implementation of more Symantec tools that make the process easier for the next threats, and the Symantec Advanced Threat Protection system stands firm in eliminating all kinds of threats that put information and devices at risk.
In the UK? Register for our Endpoint protection user group in London May 30th!
Using SEP, come join us at the SEP user group in London May 30th
Product Management will be in attendance to give the latest roadmap, hear from other customers about their SEP implementation, and our senior threat researcher will give you a view on the landscape. As always fun, games and some beers after.
Please register here,
"Couldn't connect to the SMTP server using the specified settings. Please re-enter the SMTP settings" error notification
Hi,
Recently, I implemented Symantec Data Loss Prevention 15.5 MP1 and encountered an issue on configuring the Exchange Server section for mail notifications. The issue notification I received was: "Couldn't connect to the SMTP server using the specified settings. Please re-enter the SMTP settings".
If you encounter the same notification, use the following fix I received from a Symantec support engineer.
SOLUTION (Symantec support share):
Attached to this case you will find the attachment mail.jar-190507080847.zip. Please download this attachment and use the following instructions to implement this hotfix.
Please locate the below path (update below paths as per your environment if different):
\<DLP_home>\DataLossPrevention\ServerPlatformCommon\15.5\Protect\lib\jar
\<DLP_home>\DataLossPrevention\EnforceServer\15.5\Protect\tomcat\lib
The workaround is to remove both of the mail JARs and replace them with the ones attached inside the zip:
1. Stop all DLP services on the Enforce box.
2. On the 15.5 MP1 Enforce install, remove both mail-1.4.7.jar and javax.mail1.6.0 jar from the following directories:
- <DLP_home>\ServerPlatformCommon\15.5\Protect\lib\jar
- <DLP_home>\EnforceServer\15.5\Protect\tomcat\lib
3. Extract the content of the zip into a folder on the Enforce server.
4. Copy the JAR listed under folder Protec to <DLP_home>\ServerPlatformCommon\15.5\Protect\lib\jar.
5. Copy the JAR listed under folder Tomcat to <DLP_home>\EnforceServer\15.5\Protect\tomcat\lib.
6. Restart DLP services.
7. Update the SMTP mail settings (System > Settings > General).
8. Ensure the settings save properly.
9. Restart DLP services.
10. Revert the workaround.
I attached the .zip file.
Best regards.
Batuhan Calin
Agilis Technology Solutions
Symantec Gold Partner
Killing Wannacry: How to Eradicate Ransom.Wannacry for Good
Introduction
This is the twenty-third in my Security Series of Connect articles. For more information on how to keep your enterprise environment secure using often-overlooked capabilities of Symantec Endpoint Protection (and the OS upon which it functions), see Mick's Greatest Hits: Index of Helpful Connect Security Articles. This article was last updated in May 2019.
This article hopes to give admins the techniques they need to eliminate one of their network's most persistent ransomware pests: Ransom.Wannacry, also known as WCry and WannaCrypt.
What is Wannacry, and Why Won't it Go Away?
What you need to know about the WannaCry Ransomware
https://www.symantec.com/blogs/threat-intelligence/wannacry-ransomware-attack
Webinar: Don't Cry Over WannaCry Ransomware
WannaCry: Lessons Learned 1 Year Later
https://www.symantec.com/blogs/feature-stories/wannacry-lessons-learned-1-year-later
WannaCry: Ransomware attacks show strong links to Lazarus group
https://www.symantec.com/connect/blogs/wannacry-ransomware-attacks-show-strong-links-lazarus-group
Can files locked by WannaCry be decrypted: A technical analysis
https://medium.com/threat-intel/wannacry-ransomware-decryption-821c7e3f0a2b
The good news: this existing information about how the Wannacry threat operates remains accurate. Though slightly different samples appear from time to time, no one today is facing a new strain of this threat, just the same code that others have successfully defeated.
With the proper care and action, administrators can eliminate Wannacry for good. Administrator involvement is the key. Wannacry will remain in a network until steps are taken to remove it. It will not go away by itself.
Are You Ready to Fight WannaCry?
Symantec released protection against Wannacry on May 12, 2017. Scanning for the threat with definitions older than that won't do much good. From the Symantec Endpoint Protection Manager (SEPM), export a Computer Status log and confirm if there are Symantec Endpoint Protection (SEP) clients which have failed to update their definitions.
You may be surprised to discover clients which are malfunctioning and unable to update their signatures, or even clients with releases of SEP that have gone past their End Of Life years ago. These clients are incapable of mounting an effective defense against Wannacry. (Some columns hidden for clarity...)
If the SEPM shows no Wannacry detections but corporate firewalls or DNS servers are seeing traffic to the distinctive Wannacry domains iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com and ifferfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com, there is an infected computer in the network without SEP installed. Find it and fix it because it is trying to spread that infection to others! In large organizations it is common for a few forgotten boxes, locked in closets or remote offices, to continue computing away. Just because these machines do not appear in a management console, it doesn't mean that they don't exist.
Configuring a client to detect unmanaged devices
https://www.symantec.com/docs/HOWTO80763
Remember: a working, supported SEP client on every computer is the starting point. Get one installed!
Help! Hundreds of Computers are Infected!!
First off: are computers actually being encrypted? If so, they may look like this:
Wannacry has a worm component to spread and a payload that encrypts. It's been rare to see ransom-demanding damage done since the early days of this threat. Mostly, today, it's just the constant annoyance of the worm component causing alarm.
Do invest the effort necessary to wipe out Wannacry even if no encryption is happening. Other destructive threats function by abusing the same EternalBlue SMB vulnerability that WannaCry uses. Patching and hardening defenses against Wannacry will provide protection from them as well.
Each infected machine will attempt to spread Ransom.Wannacry to other computers that it can reach. If SEP is installed on those computers and is running with signatures newer than 2017, SEP's Auto-Protect capabilities should be able to stop it from falling victim. However, it will log a successful detection of Ransom.Wannacry. That detection will be forwarded to the SEPM to be displayed there. New admins running a Risk Report can give themselves a heart attack by seeing hundreds of Wannacry events from all across their company.
Examining the action taken for all those events will show the great majority of Actual Actions are successful protections against attempted infection.
The solution to a persistent Ransom.Wannacry outbreak is to identify and clean the handful of computers in the network that are actually infected.
This will require action by the network admins. Having SEP installed on the computers in the network will not be enough to automatically safeguard the security of the organization. SEP is a good tool, but it is only one tool: it is up to the network admins to use it. SEP is also not a replacement for following best practices and proven computer security techniques.
The following article is full of good advice, and completely invaluable for fighting Ransom.Wannacry and other outbreaks. The steps within may not be convenient, but they are necessary. Following these procedures will work.
Best Practices for Troubleshooting Viruses on a Network
http://www.symantec.com/docs/TECH122466
Tracking Down the Infected Computers, Part 1: Risk Tracer
The SEPM's Risk Reports can also tell admins which computers are highly likely to have attempted to infect their peers. All details can be found in the following article:
What is Risk Tracer?
Article URL http://www.symantec.com/docs/TECH102539
Enable and use Risk Tracer to locate those computers in the organization that are infected with Ransom.Wannacry, then isolate them! Only let them back onto the network when they are completely clean and secure.
Tracking Down the Infected Computers, Part 2: IPS
IPS is a very strong defense against this threat: three signatures in particular...
21331 Attack: SMB Double Pulsar Ping
23875 OS Attack: Microsoft SMB MS17-010 Disclosure Attempt
30239 Audit: Unimplemented Trans2 Subcommand
Those not only block suspicious EternalBlue-related traffic, but provide the IP Address of the remote computer which attempted to spread the infection. Export the IPS events (Network Threat Protection, Attacks) as csv, then open with your favorite spreadsheet program to see which Remote Host IPs are sending the malicious traffic. (Some columns hidden for clarity...)
Isolate those remote machines and only let them back onto the network when they are completely clean and secure!
What if the IP Address is from Outside the Organization?
If the network is configured to allow SMB connections from anywhere, IPS logs can display the Remote Host IP as an address from the public Internet. Follow the advice from US-CERT, Microsoft and other experts: disable ancient versions of SMB, and configure perimeter firewalls to keep SMB traffic within your own network only!
Kill it with fire: US-CERT urges admins to firewall off Windows SMB
https://www.theregister.co.uk/2017/01/18/uscert_warns_admins_to_kill_smb_after_shadow_brokers_dump/
SMB Security Best Practices
https://www.us-cert.gov/ncas/current-activity/2017/01/16/SMB-Security-Best-Practices
Guidelines for blocking specific firewall ports to prevent SMB traffic from leaving the corporate environment
https://support.microsoft.com/en-ie/help/3185535/guidelines-for-blocking-specific-firewall-ports-to-prevent-smb-traffic
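As an added example (not from the original article and not a Symantec tool), the following Python does the spreadsheet step of Part 2 programmatically: it reads an IPS export, keeps only the three signature IDs listed above, counts events and distinct targets per Remote Host IP, and separates RFC 1918 (internal) sources that need isolating from public addresses whose presence means SMB is still reachable from the Internet, the situation described just above. The CSV is constructed, and its column names (Event Time, Signature ID, Signature Name, Local Host IP, Remote Host IP) are an assumption about the SEPM export layout.

```python
"""Triage an exported SEPM IPS (Network Threat Protection > Attacks) log for EternalBlue traffic.

Added example. The CSV sample is constructed and its column names are assumed;
map them to whatever your own SEPM export actually calls them.
"""
import csv
import io
import ipaddress
from collections import Counter, defaultdict

# The three IPS signatures named in the article, keyed by signature ID.
ETERNALBLUE_SIGS = {
    "21331": "Attack: SMB Double Pulsar Ping",
    "23875": "OS Attack: Microsoft SMB MS17-010 Disclosure Attempt",
    "30239": "Audit: Unimplemented Trans2 Subcommand",
}

# RFC 1918 space counts as "inside the network" for this triage; Python's
# ip_address(...).is_private is deliberately not used because it also treats
# documentation ranges such as 203.0.113.0/24 as private.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed export. 203.0.113.45 is a documentation address standing in for a
# public IP; the row with Signature ID 0 is a constructed unrelated event to be ignored.
SAMPLE_CSV = """\
Event Time,Signature ID,Signature Name,Local Host IP,Remote Host IP
2019-05-02 10:14:03,23875,OS Attack: Microsoft SMB MS17-010 Disclosure Attempt,10.1.4.22,10.1.9.77
2019-05-02 10:14:09,21331,Attack: SMB Double Pulsar Ping,10.1.4.22,10.1.9.77
2019-05-02 10:15:41,23875,OS Attack: Microsoft SMB MS17-010 Disclosure Attempt,10.1.4.31,10.1.9.77
2019-05-02 10:20:12,30239,Audit: Unimplemented Trans2 Subcommand,10.1.4.22,10.1.9.78
2019-05-02 11:02:55,23875,OS Attack: Microsoft SMB MS17-010 Disclosure Attempt,10.1.4.22,203.0.113.45
2019-05-02 11:03:01,21331,Attack: SMB Double Pulsar Ping,10.1.4.31,203.0.113.45
2019-05-02 11:30:00,0,Constructed unrelated signature,10.1.4.22,10.1.9.90
"""


def scope_of(ip):
    """'internal' for an RFC 1918 address, 'external' for anything else."""
    addr = ipaddress.ip_address(ip)
    return "internal" if any(addr in net for net in RFC1918) else "external"


def triage(csv_text):
    """Summarise EternalBlue-related events per Remote Host IP.

    Returns rows sorted by event count: remote_ip, scope, events, targets (distinct
    Local Host IPs the source hit) and a per-signature breakdown.
    """
    per_source = defaultdict(Counter)
    targets = defaultdict(set)
    for row in csv.DictReader(io.StringIO(csv_text)):
        sig = row["Signature ID"].strip()
        if sig not in ETERNALBLUE_SIGS:
            continue  # other IPS events are not part of this outbreak
        src = row["Remote Host IP"].strip()
        per_source[src][sig] += 1
        targets[src].add(row["Local Host IP"].strip())
    rows = [
        {
            "remote_ip": src,
            "scope": scope_of(src),
            "events": sum(sigs.values()),
            "targets": len(targets[src]),
            "signatures": {sid: n for sid, n in sorted(sigs.items())},
        }
        for src, sigs in per_source.items()
    ]
    rows.sort(key=lambda r: (-r["events"], r["remote_ip"]))
    return rows


def actions(rows):
    """Split sources into internal hosts to isolate and clean, and public addresses
    whose presence shows the perimeter still lets SMB in from the Internet."""
    isolate = [r["remote_ip"] for r in rows if r["scope"] == "internal"]
    perimeter = [r["remote_ip"] for r in rows if r["scope"] == "external"]
    return isolate, perimeter


if __name__ == "__main__":
    summary = triage(SAMPLE_CSV)
    for r in summary:
        print(f"{r['remote_ip']:15} {r['scope']:8} events={r['events']} "
              f"targets={r['targets']} {r['signatures']}")
    isolate, perimeter = actions(summary)
    print("isolate and clean:", isolate)
    print("SMB reachable from outside via:", perimeter)
```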
Tracking Down the Infected Computers, Part 3: NMap
NMap is a great tool for spotting which computers are open to infection via the EternalBlue vulnerability. Scan your network and patch any machines missing security update MS17-010 to keep them safe!
As it is not a Symantec tool, NMap will get a nod here but not an elaborate set of instructions on how to use it. I'll leave that to the experts at SANS.
Using nmap to scan for MS17-010 (CVE-2017-0143 EternalBlue)
https://isc.sans.edu/forums/diary/Using+nmap+to+scan+for+MS17010+CVE20170143+EternalBlue/22574/
Microsoft released patches for Windows XP and Windows Server 2003 even though they are past their End Of Life, so there really is no excuse!
Vulnerability scans of your network are a highly recommended best practice. Whatever your favorite tool to identify unpatched, vulnerable computers is, be sure to use it regularly!
Effectively Cleaning Machines
Once those infected computers have been identified:
- Isolate the computer from the network (pull out the network cable), then reboot
- Perform a full system scan and then reboot again
- Check the logs to confirm the complete removal of Ransom.Wannacry (and any other threats!)
- Apply all missing Microsoft patches and ensure that autorun is disabled on the computer
As a best practice, provide the user who will be logging in to that machine with a new, strong password.
Conclusion
Many thanks for reading! Following the actions above should leave you with a safer, better-secured Wannacry-free network.
Please leave comments and feedback below.
Non-public Oracle Java 8 updates support
Starting from PMImport 7.3.333, the Patch Management solution supports non-public Oracle Java 8 updates.
The initial release includes the JAVA8-211 and JAVA8-212 bulletins for the corresponding JRE releases (8u211 and 8u212).
Knowledge base article TECH252140 provides an overview of the implementation and step-by-step instructions.
Creating a CCoE: The Book is now a Movie!
For those of you who have read our whitepaper online, How to Implement a Cloud Center of Excellence, we've recorded a webinar on the topic that is available on demand.
Click HERE to enjoy the webinar about Creating and Operationalizing your CCoE.
If you have a CASB solution (or are even just curious about whether you need one) and wonder about the day-to-day organizational and procedural work you should start to make your CASB service successful, this is the webinar for you. As you start to investigate your Shadow IT usage and have concerns about how to enhance your cloud application security in a methodical program, you'll want to organize your team, documentation, and meetings in a sustainable way where everyone understands their roles.
Everyone talks about user behavior analytics and business risk scores - this webinar is for organizations who are ready to take the next step in getting a Shadow IT report (don't forget that we're happy to do one for you for free) and then using it to start driving changes to secure cloud usage.
Step by step guide to install Information Centric Security Module (ICSM)
Download the software from https://support.symantec.com/en_US/mysymantec.html. It is a zip file of around 266 MB.
Once the download finishes successfully, extract the contents of the compressed file to a location of your choice.
ICT System requirements are mentioned here:
https://www.symantec.com/docs/TECH250504
ICT installation is divided into 3 parts:
- AD Configuration
- IIS configuration
- SQL configuration
AD Configuration
To start the installation
1. Log in to AD and create a service account (ictsrv, or a username as per business requirement). This account will run the application pool.
- Start > Administrative Tools > Active Directory Users and Computers
- In the left pane, right-click on Users and select New > User.
- In the Full name field enter ICT Service Account
- Enter 'ICTSRV' username or any username as per business requirement
- In the User logon name enter: ictsrv or username created as per the business requirement.
- Provide the password
- Click Finish
2. Create a new OU called “ICT”.
- In the left pane, right-click the root domain and select New > Organizational Unit (OU).
- Right-click the OU and delegate control to the service account, especially the rights to read all user information and to create groups and modify group membership.
3. Create new sub-groups inside the new OU, i.e. ICT. Group scope should be 'Universal' and Group type 'Security'.
4. You need to create 9 sub-groups as follows.
Note: Inside the OU you may later see new groups; those are covered later. First create the following groups inside the ICT OU.
- ICT_BLACLIST
- ICT_ROLES
- ICT_RULES
- ICT_CONFIGURATION
- ICT_ClASSIFICATION
- ICT_USERS
- ICT_MONIT
- ICT_AUDITING
Refer to the screenshot below.
Install and Configure IIS.
- Login to the machine where IIS is installed.
- Right-click the PowerShell icon (third in the bar) and select Windows PowerShell > Run as Administrator
- Paste and run the following script.
Install-WindowsFeature Web-Default-Doc, Web-Dir-Browsing, Web-Http-Errors, Web-Static-Content, Web-Http-Redirect, Web-Http-Logging, Web-Log-Libraries, Web-Request-Monitor, Web-Http-Tracing, Web-Stat-Compression, Web-Filtering, Web-Windows-Auth, Web-Net-Ext, Web-Net-Ext45, Web-ASP, Web-ASP-Net, Web-ASP-Net45, Web-ISAPI-Ext, Web-ISAPI-Filter, Web-Mgmt-Tools, Web-Metabase, Web-WMI
- Ignore the Windows Update warning message if any.
- Use the following cmdlet to install ASP.NET 3.5 support:
- Close the PowerShell window.
- Download and install the Microsoft Visual C++ Redistributable Packages for Visual Studio 2013 (x64).
- Go to Start > Administrative Tools and click Internet Information Services (IIS) Manager.
- In the Connections pane, expand the root (ICT (ACME\Administrator)).
- Select Do not show this message and click No in the “Internet Information Services (IIS) Manager” message window.
- Select Application Pools.
- In the Actions pane, select Add Application Pool.
- In the Name field, type: ICTAppPool
- For the .NET framework, select .Net CLR Version v4.0.30319.
- Set the Managed pipeline mode to Classic
- Click OK.
- Select the recently created ICTAppPool application pool, and in the Actions pane, select Advanced Settings.
- Select Identity and click the ellipsis icon (...).
- Select Custom account and click Set.
- In the User name field, type: (Domain Name)\Service account name (ictsrv)
- Provide the password
- Click OK twice.
- Set the “Load User Profile” property to True and click OK.
- Refer to the screenshot below.
Create MS SQL databases
Symantec provides the script to create the SQL databases.
1. Navigate to C:\SW and extract the installation files to a path of your choice.
2. Open the recently extracted ICT-db-scripts folder and unzip the contents of the ICT-db-scripts.zip file.
3. Use Notepad to edit the create-databases-sql-user-and-grant-permissions.sql file, changing TRAINING\adrmssrvc to ACME\ictsrv. This script accomplishes the following:
- Creates a SQL user for the service account (ACME\ictsrv)
- Creates the RightsWATCH databases
- Grants the required access to these databases
The following lines at the end of the SQL script should be deleted, or they will produce a warning:
USE [DRMS_Config_rms_training_watchfulsoftware_local_443]
GO
EXEC sp_addrolemember N'db_datareader', N'ACME\ictsrv'
GO
4. In production, you would need to edit the ict_db_script.bat file, but in this lab, localhost is the right value for the SQL Server parameter. This batch file calls the SQL scripts that:
- Create databases and users
- Apply the schemas and data
5. Open an elevated command prompt window and navigate to the ICT-db-scripts folder. Type the following and press Enter:
ict_db_script.bat
Run this script only ONCE.
This script will create three databases, as shown below:
Install ICT component
Go to the server where you would like to install the ICT components, open a command prompt with elevated privileges and navigate to the ICT installation folder (or double-click the installers from Explorer).
- Run the installer for the Administration module by typing: Symantec_ICT_SERVER_Administration_15.5.exe
- Click Next, select ICTAppPool in the Application Pool drop-down menu, and click Next.
- Click Next, and when the installation finishes, click Close.
- Go to Start > Administrative Tools and click Internet Information Services (IIS) Manager.
- In the Connections pane, expand the root, expand Sites, expand Default Web Site, and select the ICT folder.
- In the Actions pane, select Edit Permissions; on the Security tab click Edit, click Add..., type ictsrv, click Check Names, and click OK.
- In the permissions section, tick the Allow checkbox next to Modify, then click OK twice. Modify on the ICT folder is all the service account needs; do not give it Full Control.
- With the ICT folder selected, double-click Authentication in the IIS group of the middle pane:
- Disable Anonymous Authentication
- Enable Windows Authentication
With anonymous access off, the consoles under /ICT can only be reached with a Windows logon.
- In the Connections pane, select administration under ICT
- In the middle pane, double-click Connection Strings
- Double-click ConfigurationConnectionString
- Enter the SQL Server details.
- The resulting string should look like:
Data Source=<SQL Server FQDN>;Initial Catalog=ICT_CONFIG;Integrated Security=SSPI
Integrated Security=SSPI means the application pool identity (ictsrv) is the account that authenticates to SQL Server, which is why the database script created a SQL user for it.
Set up the ICT Administration Console
- Open Internet Explorer, click the gear in the top right corner and select Internet options
- Security tab > Local intranet > Sites > Advanced
- In "Add this website to the zone" enter the server FQDN, click Add, then Close, then OK twice (sites in the Local intranet zone are the ones IE will sign in to silently with Windows Authentication)
- Click the gear in the top right corner again and select Compatibility View settings
- Uncheck Display intranet sites in Compatibility View
- Maximize the Internet Explorer window
- In the browser's address field, type: http://Domain FQDN/ICT/administration/
It may take a couple of seconds to load.
- Complete the initial "System Setup Wizard" using the following information
Install ICT Web Service
- Run the installer for the Webservice module.
- Click Next, select the ICTAppPool in the Application Pool drop-down menu, and click Next.
- Click Next, then when the installation finishes, click Close.
- Go to Start > Administrative Tools and click Internet Information Services (IIS) Manager.
- In the Connections pane, expand the root (ICT (Domain name\Administrator)), expand Sites, expand Default Web Site, and select the ICT folder.
- In the Connections pane, select administration under ICT
- In the middle pane, double-click Connection Strings
- Double-click ConfigurationConnectionString
- Copy the entire string in the Custom box
- In the Connections pane, select webservice under ICT (press F5 to refresh if it does not appear)
- In the middle pane, double-click Connection Strings
- Double-click ConfigurationConnectionString
- Delete all text in the Custom box and paste the copied string
Information Centric Tagging Monitoring console
- Run the installer for the Monitoring module.
- Click Next, select the ICTAppPool in the Application Pool drop-down menu, and click Next.
- Click Next, then when the installation finishes, click Close.
- Go to Start > Administrative Tools and click Internet Information Services (IIS) Manager.
- In the Connections pane, expand the root (ICT (Domain name\Administrator)), expand Sites, expand Default Web Site, and select the ICT folder.
- In the Connections pane, select administration under ICT
- In the middle pane, double-click Connection Strings
- Double-click ConfigurationConnectionString
- Copy the entire string in the Custom box
- In the Connections pane, select monitoring under ICT (press F5 to refresh if it does not appear)
- In the middle pane, double-click Connection Strings
- Double-click ConfigurationConnectionString
- Delete all text in the Custom box and paste the copied string
Log in to the Monitoring console:
In the browser's address field, type: http://Domain FQDN/ICT/monitoring
Step by Step How to Upgrade DLP from 15.1 to 15.5 (with Screenshots)
Hey Symantec Connect Community,
Attached is a walkthrough of a successful upgrade of DLP 15.1 to 15.5 on Windows in a 3-tier environment. As this matches a lot of customer environments, I hope others find it useful. Let me know if anything else is needed on it or if there are any suggestions.
Final call for UK user group registrants - this Thursday 30th
We have some spaces left for the UK SEP user group this Thursday, 30th May, agenda below.
Please register here if interested in attending
https://resource.elq.symantec.com/LP=7212?elqTrackId=b82ba0ccb85844f0a92427e1ab43f2d0
10:30 > 11:00 – Registration
11:00 > 11:15 – Introductions and quiz
11:15 > 12:15 – SEP 15 Product update, Upgrade
12:15 > 13:15 – Threat Landscape update
13:15 > 14:00 – Lunch
14:00 > 14:40 – Integrated Cyber Defence Manager
14:40 > 15:10 – Integrated Cyber Defence Exchange
15:10 > 15:30 – Coffee break
15:30 > 16:30 – Complete Endpoint Defense and the Roadmap ahead
Step by Step Upgrading Oracle 11g to 12c STANDARD for DLP (with Screenshots)
Hi All,
See attached doc on a successful step by step upgrade to 12c Oracle, using the most selections during upgrade.
Error 2912: Failed to remove orphaned database profile index file
This error occurs when DLP cannot remove certain index files from the server on which the problem occurred.
Solution
Download the logs for the server on which the error occurred. Navigate to the SymantecDLPLogs/<server name>/logs/debug folder and run a command equivalent to the following (grep, or findstr on Windows), which lists all the problematic files:
grep "remove orphan" FileReader*.log
Navigate to C:\ProgramData\Symantec\DataLossPrevention\ServerPlatformCommon\15.5\index (the version segment of the path matches your DLP release) and delete the offending files there. If you cannot find the files in that folder, run a command similar to the one above but replace "remove orphan" with the name of one of the files identified; the matching log entry shows the directory in which the files are located.
Support Perspective: Investigating DNS.EXE Intrusion Prevention System Events
Introduction
This is the twenty-fourth in my Security Series of Connect articles. For more information on how to keep your enterprise environment secure using often-overlooked capabilities of Symantec Endpoint Protection (and the OS upon which it functions), see Mick's Greatest Hits: Index of Helpful Connect Security Articles. This article was last updated in June 2019.
This article provides tips on how to track down the true source of security incidents or infections that are flagged upstream on a DNS server.
Help! My DNS Server is Badly Infected!
Administrators, monitoring for malicious activity in their network, have been known to panic when Windows Event logs or Symantec Endpoint Protection logs display a storm of Intrusion Prevention System (IPS) entries like:
[SID: 30574] Audit: Malicious Domain Request attack blocked. Traffic has been blocked for this application: C:\WINDOWS\SYSTEM32\DNS.EXE
[SID: 24129] Web Attack: Fake Tech Support Website 235 attack blocked. Traffic has been blocked for this application: C:\WINDOWS\SYSTEM32\DNS.EXE
[SID: 29582] System Infected: Ransom.GandCrab Activity attack blocked. Traffic has been blocked for this application: C:\WINDOWS\SYSTEM32\DNS.EXE
[SID: 30190] System Infected: Trojan.Mdropper Activity 10 attack blocked. Traffic has been blocked for this application: C:\WINDOWS\SYSTEM32\DNS.EXE
[SID: 31450] Web Attack: Malicious Phishing Website 25 attack blocked. Traffic has been blocked for this application: C:\WINDOWS\SYSTEM32\DNS.EXE
[SID: 26940] System Infected: Trojan.Jectin Activity 2 attack blocked. Traffic has been blocked for this application: C:\WINDOWS\SYSTEM32\DNS.EXE
Hundreds of IPS events, especially coming from a Domain Controller, should set the alarm bells ringing. But if the events are all attributed to the server's legitimate DNS.exe (confirm the path is the real %SystemRoot%\System32\dns.exe and that a full scan of the server comes back clean), breathe a sigh of relief.
There is a security event or infection, but it's not on this server. SEP's IPS component is inspecting the DNS queries that clients and other resolvers forward to this DNS server; the signature matches the malicious domain in that traffic, and dns.exe is simply the process handling it.
DNS is at the core of network communications: it is used by many protocols. Every network has DNS servers in its environment, and, remember, every Domain Controller in a Windows domain is also a DNS server. ISPs run DNS servers to resolve internet domains once traffic leaves the local environment, and there are public DNS servers available from Google and others. DNS servers can be hijacked, poisoned or compromised by threat actors, and known malicious domains can be sinkholed at the DNS server to prevent infection. A full examination of DNS and security is beyond the scope of this article. Here we will just focus on putting an end to the storm of IPS events!
If Not Here…. Where?
If one-off IPS events signify that a Fake Tech Support Website or Phishing site was blocked, no further action is needed (except to schedule some training for the organization on what not to click!). But if the events warn of a system infected with malware, and these events occur constantly, there is malware on a computer somewhere in the organization. That is more serious. It's time to play detective and track down where those DNS requests for malicious sites are coming from.
Sometimes this job is straightforward: export the "Network Threat Protection" > "Attacks" logs from the Symantec Endpoint Protection Manager. Open the export in your favorite spreadsheet program, filter for the DNS events, and the Remote Host IP column shows where the traffic came from (some columns removed for clarity):
In this network, the admin knows that 192.168.1.32 and 192.168.1.33 are the network's DNS servers. The events from 192.168.1.33 are caused by recursive DNS traffic: the other DNS server asking EXAMPLE-DNS whether it has information on the malicious domain. For finding the client those can be set aside here; if that server has DNS logging enabled, the same query appears in its own logs with the real client's address.
The other entry, though, is an endpoint. The machine with IP 192.168.1.166 turned out to be a computer running SEP with AntiVirus only (no IPS, SONAR or other technologies) and very old definitions. There's the infection. The machine was isolated, cleaned, patched and added back to the network with the full SEP suite installed. IPS storm resolved!
What if this job is not that straightforward?
If the SEPM's IPS logs don't point directly to the infected culprit, dig a little deeper.
Sometimes it’s possible to hunt down the source based on known domain name IoCs (Indicators of Compromise). For example, if a network admin sees events “[SID: 29582] System Infected: Ransom.GandCrab Activity attack blocked” and knows that a certain variant of GandCrab ransomware is making the rounds, perhaps from a well-respected news item….
GandCrab Ransomware: Now Coming From Malspam
https://isc.sans.edu/forums/diary/GandCrab+Ransomware+Now+Coming+From+Malspam/23321/
…First was the HTTP GET request to butcaketforthen.com for the Word document. Next was an HTTP request to sorinnohoun.com by the Word macro for the PowerShell script. After that was post-infection traffic to nomoreransom.coin (an IP address check followed by callback traffic) caused by the GandCrab DLL.
A good starting point is to check if DNS is fielding requests for those domains, and from where.
Another technique to learn the domain name: set up a packet capture tool like Wireshark on the DNS server (or on a port that mirrors its traffic) and record the DNS traffic. Set a capture filter for port 53; that catches UDP and TCP DNS traffic and nothing else. When the IPS events occur in SEP, check the timestamp and see what domains were being resolved at that moment.
Either way: determine the domain name that is responsible for the IPS events. That’s key.
Any Job is Easy When You Use the Right Tool
There is far more DNS activity going on than most users realize. Run this (free!) tool in the background on any Windows computer for an hour or so to see what I mean.
DNSQuerySniffer v1.76
http://www.nirsoft.net/utils/dns_query_sniffer.html
(Symantec is not affiliated with NirSoft in any way- I just personally like and recommend their tools. This particular tool can help threat hunters spot potential C2 traffic, for instance.)
DNSQuerySniffer shows all of the requests, how long they took, what types of resource records were involved, and much more. A visit to one web page may result in a number of DNS queries, thanks to various trackers and so on, and it's not just web browsers that are responsible for all this activity.
Now imagine that flood of activity, aggregated for a whole organization. There are hundreds of DNS requests per second hitting the network's DNS servers even in mid-sized offices. Also, keep in mind that Domain Controllers are recursive DNS servers: when they receive a query and the answer is not in their zones or cache, they forward the request to their configured forwarders (often another Domain Controller) or resolve it via root hints. That is why server-to-server queries show up in the logs alongside client queries. It's busy.
Luckily, there are a couple of tools to make this job easier….
1. DNS Server Logging
Microsoft Windows Server 2012 and above have excellent built-in DNS logging capabilities.
DNS Logging and Diagnostics
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn800669(v=ws.11)
Older releases have debug logging that can be enabled for a short period.
Select and enable debug logging options on the DNS server
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc759581%28v%3dws.10%29
Once a log has been collected, use a text editor (or grep/findstr) to narrow the search to just the traffic related to the domain in question. The name is logged in DNS wire format, each label prefixed by its length, so nomoreransom.coin appears as (12)nomoreransom(4)coin(0). (Some columns removed, for clarity…)
[date] [time] 07FC PACKET UDP Snd 10.x.x.199 A (12)nomoreransom(4)coin(0)
[date] [time] 0DD8 PACKET UDP Rcv 10.x.x.199 A (12)nomoreransom(4)coin(0)
[date] [time] 07FC PACKET UDP Snd 10.x.x.18 A (12)nomoreransom(4)coin(0)
[date] [time] 07FC PACKET UDP Snd 10.x.x.199 A (12)nomoreransom(4)coin(0)
[date] [time] 07FC PACKET UDP Snd 10.x.x.2 A (12)nomoreransom(4)coin(0)
[date] [time] 0U81 PACKET UDP Rcv 10.x.x.2 A (12)nomoreransom(4)coin(0)
[date] [time] 0DD8 PACKET UDP Snd 10.x.x.2 A (12)nomoreransom(4)coin(0)
[date] [time] 07FC PACKET UDP Snd 10.x.x.199 A (12)nomoreransom(4)coin(0)
[date] [time] 0DB4 PACKET UDP Rcv 10.x.x.1 A (12)nomoreransom(4)coin(0)
[date] [time] 0DB4 PACKET UDP Snd 10.x.x.18 A (12)nomoreransom(4)coin(0)
[date] [time] 0DB4 PACKET UDP Rcv 10.x.x.1 A (12)nomoreransom(4)coin(0)
[date] [time] 07FC PACKET UDP Snd 198.x.x.54 A (12)nomoreransom(4)coin(0)
Further narrow it down to just the Rcv records: on those lines the IP address is where the query came from. (On Snd lines the address is where the server sent a query or an answer, which is why the same endpoint shows up there too.)
[date] [time] 0DD8 PACKET UDP Rcv 10.x.x.199 A (12)nomoreransom(4)coin(0)
[date] [time] 0U81 PACKET UDP Rcv 10.x.x.2 A (12)nomoreransom(4)coin(0)
[date] [time] 0DB4 PACKET UDP Rcv 10.x.x.1 A (12)nomoreransom(4)coin(0)
[date] [time] 0DB4 PACKET UDP Rcv 10.x.x.1 A (12)nomoreransom(4)coin(0)
An admin familiar with the network and its infrastructure will be able to recognize what IP addresses are for other DNS servers (recursive queries going from server to server) and what IP addresses are endpoints. In this case, the 10.x.x.1 and 10.x.x.2 were Domain Controllers (with DNS servers built in) but 10.x.x.199 was a Windows XP machine. That was the infected one.
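The SEPM Attacks export and the DNS debug log above are the same triage job in two formats: collect the source address of every query for the suspect domain, drop the network's own DNS servers (their entries are resolver-to-resolver recursion, not an infected client), and rank what is left. The script below is an added example, not code from the original article, that does both. All sample data in it is constructed; the SEPM export column names (Application Name, Remote Host IP) and the server addresses in OUR_DNS_SERVERS are assumptions to adjust for your own export and network.

```python
"""Added example (not from the original article): rank the hosts that sent
queries for a suspect domain, from either a SEPM Attacks-log export or a
Windows DNS Server debug log, after dropping the network's own DNS servers.
All sample data below is constructed for the example."""
import csv
import io
import re
from collections import Counter

# --- 1. SEPM "Network Threat Protection > Attacks" export (CSV) -------------
# The column names are an assumption for this example; the real export may
# label them differently, so adjust these two constants to match your file.
SEPM_APP_COL = "Application Name"
SEPM_REMOTE_COL = "Remote Host IP"


def sepm_dns_sources(csv_text):
    """Yield the Remote Host IP of every event whose application is dns.exe."""
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row[SEPM_APP_COL].strip().lower().endswith("dns.exe"):
            yield row[SEPM_REMOTE_COL].strip()


# --- 2. Windows DNS Server debug log ----------------------------------------
# Matches the direction (Snd/Rcv), the peer IP, and the length-prefixed name.
# The lazy ".*?" skips the XID/flag columns of a full log line as well as
# the trimmed lines shown in the article.
DNS_LINE = re.compile(
    r"\b(?P<dir>Snd|Rcv)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\b.*?"
    r"(?P<name>(?:\(\d+\)[^\s()]+)+\(0\))"
)


def decode_labels(encoded):
    """'(12)nomoreransom(4)coin(0)' -> 'nomoreransom.coin'."""
    labels = re.findall(r"\((\d+)\)([^()\s]*)", encoded)
    return ".".join(text for length, text in labels if int(length)).lower()


def dns_log_sources(log_lines, domain):
    """Yield the source IP of every Rcv record asking for domain or a subdomain.
    Only Rcv lines are useful: on those the IP is who sent the query."""
    domain = domain.lower()
    for line in log_lines:
        m = DNS_LINE.search(line)
        if not m or m.group("dir") != "Rcv":
            continue
        name = decode_labels(m.group("name"))
        if name == domain or name.endswith("." + domain):
            yield m.group("ip")


# --- 3. Shared triage step --------------------------------------------------
def rank_sources(ips, known_dns_servers=()):
    """Count queries per source IP, most frequent first, excluding the
    network's own DNS servers. What remains is the list of endpoints to check."""
    return Counter(ip for ip in ips if ip not in known_dns_servers).most_common()


# --- Constructed sample data ------------------------------------------------
SEPM_EXPORT = r"""Event Time,Signature,Application Name,Local Host IP,Remote Host IP
2019-06-01 09:00:01,[SID: 29582] System Infected: Ransom.GandCrab Activity attack blocked,C:\WINDOWS\SYSTEM32\DNS.EXE,192.168.1.32,192.168.1.166
2019-06-01 09:00:05,[SID: 29582] System Infected: Ransom.GandCrab Activity attack blocked,C:\WINDOWS\SYSTEM32\DNS.EXE,192.168.1.32,192.168.1.33
2019-06-01 09:00:09,[SID: 29582] System Infected: Ransom.GandCrab Activity attack blocked,C:\WINDOWS\SYSTEM32\DNS.EXE,192.168.1.32,192.168.1.166
2019-06-01 09:01:00,[SID: 24129] Web Attack: Fake Tech Support Website 235 attack blocked,C:\Program Files\Browser\browser.exe,192.168.1.50,203.0.113.9
"""

DNS_DEBUG_LOG = """\
6/19/2019 10:01:02 AM 07FC PACKET UDP Snd 10.0.0.199 A (12)nomoreransom(4)coin(0)
6/19/2019 10:01:02 AM 0DD8 PACKET UDP Rcv 10.0.0.199 A (12)nomoreransom(4)coin(0)
6/19/2019 10:01:02 AM 07FC PACKET UDP Snd 10.0.0.2 A (12)nomoreransom(4)coin(0)
6/19/2019 10:01:02 AM 0DD8 PACKET UDP Rcv 10.0.0.2 A (12)nomoreransom(4)coin(0)
6/19/2019 10:01:03 AM 0DB4 PACKET UDP Rcv 10.0.0.1 A (12)nomoreransom(4)coin(0)
6/19/2019 10:01:03 AM 07FC PACKET UDP Snd 198.51.100.54 A (12)nomoreransom(4)coin(0)
6/19/2019 10:01:07 AM 0DD8 PACKET 000000A1B2C3 UDP Rcv 10.0.0.199 0002 Q [0001 D NOERROR] A (3)www(12)nomoreransom(4)coin(0)
6/19/2019 10:01:09 AM 0DD8 PACKET UDP Rcv 10.0.0.57 A (7)example(3)com(0)
6/19/2019 10:01:12 AM 0DD8 PACKET UDP Rcv 10.0.0.199 A (12)nomoreransom(4)coin(0)
""".splitlines()

# Assumed addresses of this network's own DNS servers (the recursion peers).
OUR_DNS_SERVERS = {"192.168.1.32", "192.168.1.33", "10.0.0.1", "10.0.0.2"}

if __name__ == "__main__":
    print("SEPM export:", rank_sources(sepm_dns_sources(SEPM_EXPORT), OUR_DNS_SERVERS))
    print("DNS debug log:", rank_sources(
        dns_log_sources(DNS_DEBUG_LOG, "nomoreransom.coin"), OUR_DNS_SERVERS))
```

The subdomain match in dns_log_sources is deliberate: malware often rotates hostnames under one registered domain, so matching the zone rather than the exact name keeps those queries in the count. If a DNS server turns up in the ranking after exclusion, either the OUR_DNS_SERVERS list is incomplete or that server is itself the client, which is worth a look.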
2. Wireshark
What if the DNS server is something other than a Microsoft product? Or if it is not possible to generate and examine sufficient logs? A second option is to use a tool like Wireshark to capture the DNS-related traffic. Apply a display filter for DNS, then search for a query name that contains the domain you seek; the source address of the matching query packet is the client….
In that example an old endpoint machine at 10.x.x.82 sent a request for the suspicious domain to DNS server 10.x.x.24.
Use Unmanaged Detector
In both examples above, the endpoint which was infected was one that did not have a functioning SEP client installed. This makes sense: if there had been a SEP client with IPS installed and definitions up to date, that IPS event would have happened right there on the endpoint, not upstream at the DNS server!
As mentioned in the Killing Wannacry: How to Eradicate Ransom.Wannacry for Good article, it’s essential to check the network for any computers where SEP is malfunctioning or completely absent.
Configuring a client to detect unmanaged devices
https://www.symantec.com/docs/HOWTO80763
Unprotected or poorly protected computers are easily infected and can give an attacker a means of causing widespread destruction. With ransomware like the GandCrab used in this article, that can be very costly to clean up, after!
Know What’s Normal for Your Network
Just a final tip: keep an eye on what’s going on in your network even when there’s no outbreak underway. Logging what DNS activity occurs can make it easy to spot what is abnormal, both when hunting for threats or when investigating an incident and trying to figure out what happened. Explore Passive DNS!
Conclusion
Many thanks for reading!
Please leave comments and feedback below.
SMP - ASDK - 8.5 RU2
With the release of ITMS 8.5 RU2 there were some new Web Service methods added to the following:
Collection Management Service
- GetExclusionGuids
- GetInclusionGuids
- IsExclusion / IsExclusionX
- IsInclusion / IsInclusionX
Patch Management Service
- CreatePatchInstallationTask
- EditPatchInstallationTask
- SetGuidCollectionProperty
- SetPluginPolicyMicrosoftUpdateOptions
You may want to update the Zero Day Patch Workflow to leverage these new methods:
Workflow Template - Zero Day Patch
https://www.symantec.com/connect/videos/workflow-template-zero-day-patch
Resource Management Service
- SetAssetOwner / SetAssetOwnerX
- SetAssetState / SetAssetStateX
Resource Model (NSWebService)
- GetDataClassRows / GetDataClassRows2
- SaveDataClassRows
---
To keep track of updates you can compare Web Service Methods using a tool I've written
---
Documentation
Symantec™ IT Management Suite 8.5 RU2 Release Notes
https://support.symantec.com/en_US/article.DOC11423.html
DOC11423
SMP - ASDK - 8.5
With the release of ITMS 8.5 there were some new Web Service methods added to the following:
- 8.5.3025.0
Patch Management Service
- CreateUpdatePolicyViaUpdates
- DisableBulletins
- SetPluginPolicyMicrosoftUpdateOptions
Resource Management Service
- PushPolicy
- PushPolicy2
Task Management Service
- ChangeAdvancedOptions
- ExecuteTCMTask / ExecuteTCMTask2
- GetTCMTaskResult / GetTCMTaskResult2
- GetTCMTaskResults / GetTCMTaskResults2
- GetTCMTaskStatus / GetTCMTaskStatus2
- TCMTaskStatusDetails
- TaskStatus
See
---
To keep track of updates you can compare Web Service Methods using a tool I've written
---
Documentation
IT Management Suite (ITMS) 8.5 Documentation
https://support.symantec.com/en_US/article.DOC11076.html
DOC11076
Symantec™ IT Management Suite 8.5 RU1 Release Notes
https://support.symantec.com/en_US/article.DOC11313.html
DOC11313