symantec.logs

$ target-query <path/to/target> -f symantec.logs
Details

Module: apps.av.symantec.SymantecPlugin

Output: records

Module documentation

Symantec Endpoint Security Suite Plugin, based on https://malwaremaloney.blogspot.com/2021/01/

Function documentation

Return log records.

Yields SEPLogRecord with the following fields:

ts (datetime): Timestamp associated with the event.
virus (string): Name of the virus.
user (string): Name of the user associated with the event.
source_file (path): File that contains the virus.
action_taken (string): Action taken by SEP.
virus_type (string): Description of the type of virus.
scan_id (varint): ID of the scan associated with the event.
event_data (string): String or bytes from a virus event.
quarantine_id (varint): ID associated with the quarantined virus.
still_infected (boolean): Whether the system is still infected.
quarantined (boolean): True if the virus has been quarantined successfully.
compressed (boolean): True if the virus was in a compressed file.
depth (varint): How many layers of compression the virus was hidden in.
cleanable (boolean): Whether the virus is cleanable.
deletable (boolean): Whether the virus can be deleted.
confidence (varint): Confidence level about the threat verdict (higher is more confident).
prevalence (varint): Prevalence of the threat (higher is more prevalent).
risk (varint): Risk level of the threat (1-4, higher is more dangerous, 0 = unknown).
download_url (uri): Source of the virus (if available).
line_no (varint): Reference line number in the log file.
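An added triage example over records with the fields listed above; it is not part of dissect or the SymantecPlugin, and it emulates SEPLogRecord with a namedtuple and constructed sample values. It shows the two checks an analyst usually wants from this output: which events SEP left unresolved, and a risk ordering that does not silently drop records whose risk is 0 (unknown).

```python
# Added example, not dissect code: triage SEP log records using the documented
# field names. Real records come from `target-query <target> -f symantec.logs`;
# here SEPLogRecord is emulated with a namedtuple carrying the same fields.
from collections import namedtuple
from datetime import datetime

FIELDS = ("ts", "virus", "user", "source_file", "action_taken", "virus_type",
          "scan_id", "event_data", "quarantine_id", "still_infected",
          "quarantined", "compressed", "depth", "cleanable", "deletable",
          "confidence", "prevalence", "risk", "download_url", "line_no")
SEPLogRecord = namedtuple("SEPLogRecord", FIELDS)


def mk(**kw):
    """Build a constructed record; unspecified fields default to None/False/0."""
    values = dict.fromkeys(FIELDS)
    values.update(still_infected=False, quarantined=False, compressed=False,
                  depth=0, risk=0, confidence=0, prevalence=0)
    values.update(kw)
    return SEPLogRecord(**values)


# Constructed sample records (illustrative values, not real SEP output).
SAMPLE = [
    mk(ts=datetime(2021, 1, 5, 9, 0), virus="Trojan.Gen.2", user="alice",
       source_file="C:/Users/alice/Downloads/invoice.exe",
       action_taken="Quarantined", quarantined=True, risk=3, confidence=80,
       line_no=12),
    mk(ts=datetime(2021, 1, 5, 9, 2), virus="Trojan.Gen.2", user="alice",
       source_file="C:/Users/alice/AppData/Local/Temp/x.dll",
       action_taken="Left alone", still_infected=True, risk=4, confidence=95,
       line_no=13),
    mk(ts=datetime(2021, 1, 6, 14, 0), virus="WS.Reputation.1", user="bob",
       source_file="C:/Temp/tool.zip", action_taken="Quarantined",
       quarantined=True, compressed=True, depth=2, risk=0, confidence=20,
       line_no=40),
]


def unresolved(records):
    """Events where SEP still reports infection or never quarantined the file."""
    return [r for r in records if r.still_infected or not r.quarantined]


def triage(records):
    """Highest risk first; risk 0 means unknown, so rank it for review, not last.
    Ties break on confidence (high first) and then on timestamp."""
    def key(r):
        return (-(5 if r.risk == 0 else r.risk), -r.confidence, r.ts)
    return sorted(records, key=key)
```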