dissect.target.plugins.apps.av.symantec
#
Module Contents#
Classes#
Symantec Endpoint Security Suite Plugin, based on https://malwaremaloney.blogspot.com/2021/01/ |
Attributes#
- dissect.target.plugins.apps.av.symantec.SEPLogRecord#
- dissect.target.plugins.apps.av.symantec.SEPFirewallRecord#
- class dissect.target.plugins.apps.av.symantec.SymantecPlugin(target: dissect.target.Target)#
Bases:
dissect.target.plugin.Plugin
Symantec Endpoint Security Suite Plugin, based on https://malwaremaloney.blogspot.com/2021/01/
- __namespace__ = 'symantec'#
- LOG_SEP_AV = 'sysvol/ProgramData/Symantec/Symantec Endpoint Protection/*/Data/Logs/AV/*'#
- LOG_SEP_NET = 'sysvol/ProgramData/Symantec/Symantec Endpoint Protection/*/Data/Logs/tralog.log'#
- LOGS#
- MARKER_INFECTION = 5#
- QUARANTINE_SUCCESS = 2#
- CLEANABLE = 0#
- DELETABLE = 4#
- STILL_INFECTED = 1#
- OUTBOUND = 2#
- BLOCKED = 1#
- COMPRESSED = 1#
- TCP_INIT = 301#
- TCP_CLOSE = 304#
- UDP_DATA = 302#
- AV_TIMESTAMP = 0#
- AV_EVENT = 1#
- AV_USER = 5#
- AV_VIRUS = 6#
- AV_FILE = 7#
- AV_ACTION_TAKEN = 10#
- AV_VIRUS_TYPE = 11#
- AV_SCAN_ID = 14#
- AV_EVENT_DATA = 17#
- AV_QUARANTINE_ID = 18#
- AV_VIRUS_ID = 19#
- AV_QUARANTINE_STATUS = 20#
- AV_COMPRESSED = 23#
- AV_DEPTH = 24#
- AV_STILL_INFECTED = 25#
- AV_CLEANABLE = 28#
- AV_DELETABLE = 29#
- AV_CONFIDENCE = 65#
- AV_PREVALENCE = 67#
- AV_DOWNLOADED_FROM = 68#
- AV_RISK = 71#
- FW_TIMESTAMP = 1#
- FW_PROTOCOL = 2#
- FW_LOCAL_IP = 3#
- FW_REMOTE_IP = 4#
- FW_LOCAL_PORT = 5#
- FW_REMOTE_PORT = 6#
- FW_DIRECTION = 7#
- FW_BEGIN_TIME = 8#
- FW_END_TIME = 9#
- FW_REPETITION = 10#
- FW_ACTION = 11#
- FW_SEVERITY = 13#
- FW_RULE_ID = 14#
- FW_REMOTE_HOST_NAME = 15#
- FW_RULE_NAME = 16#
- FW_APPLICATION = 17#
- FW_LOCATION = 20#
- FW_USER = 21#
- FW_LOCAL_IP6 = 25#
- FW_REMOTE_IP6 = 26#
- PROTOCOL#
- SEVERITY#
- ACTION#
- VIRUS_TYPE#
- check_compatible() None #
Perform a compatibility check with the target.
This function should return
None
if the plugin is compatible with the current target (self.target
). For example, check if a certain file exists. Otherwise it should raise anUnsupportedPluginError
.- Raises:
UnsupportedPluginError – If the plugin could not be loaded.
- logs() Iterator[SEPLogRecord] #
Return log records.
- Yields SEPLogRecord with the following fields:
ts (datetime): Timestamp associated with the event. virus (string): Name of the virus. user (string): Name of the user associated with the event. source_file (path): File that contains the virus. action_taken (string): Action taken by SEP. virus_type (string): Description of the type of virus. scan_id (varint): ID of the scan associated with the event. event_data (string): String or bytes from a virus event. quarantine_id (varint): ID associated with the quarantined virus. still_infected (boolean): Whether the system is still infected. quarantined (boolean): True if the virus has been quarantined succesfully. compressed (boolean): True if the virus was in a compressed file. depth (varint): How many layers of compression the virus was hidden in. cleanable (boolean): Whether the virus is cleanable. deletable (boolean): Whether the virus can be deleted. confidence (varint): Confidence level about threat verdict (higher is more confident). prevalence (varint): Prevalence of the threat (higher is more prevalent). risk (varint): Risk level of the threat (1-4, higher is more dangerous, 0 = unknown). download_url (uri): Source of the virus (if available). line_no (varint): Reference line number in log file.
- firewall() Iterator[SEPFirewallRecord] #
Return log firewall records.
- Yields SEPFirewallRecord with the following fields:
ts (datetime): Timestamp associated with the event. protocol (string): Protocol name associated with the firewall record. local_ip (“net.ipaddress”): Local IP address associated with the event. remote_ip (“net.ipaddress”): Remote IP address associated with the event. local_ip6 (“net.ipaddress”): Local IPv6 address associated with the event. remote_ip6 (“net.ipaddress”): Remote IPv6 address associated with the event. local_port (varint): Local port associated with the event. remote_port (varint): Local port associated with the event. outbound (boolean): True in case of outbound traffic/connection. begin_time (datetime): Start of the event. end_time (datetime): End of the event. repetition (varint): How many times this event happened within the time frame. blocked (boolean): Whether the traffic/connection was succesfully blocked. severity (string): Severity of the event. rule_id (varint): Firewall rule ID associated with this event. rule_name (string): Name of the Firewall rule associated with this event. remote_host (string): Name of the remote host if it can be traced. application (path): Application responsible for/affected by event. user (string): User associated with the event. line_no (varint): Reference line number in log file.