:py:mod:`dissect.target.plugins.apps.av.symantec`
=================================================

.. py:module:: dissect.target.plugins.apps.av.symantec


Module Contents
---------------

Classes
~~~~~~~

.. autoapisummary::

   dissect.target.plugins.apps.av.symantec.SymantecPlugin


Attributes
~~~~~~~~~~

.. autoapisummary::

   dissect.target.plugins.apps.av.symantec.SEPLogRecord
   dissect.target.plugins.apps.av.symantec.SEPFirewallRecord


.. py:data:: SEPLogRecord

.. py:data:: SEPFirewallRecord

.. py:class:: SymantecPlugin(target: dissect.target.Target)

   Bases: :py:obj:`dissect.target.plugin.Plugin`

   Symantec Endpoint Security Suite Plugin, based on https://malwaremaloney.blogspot.com/2021/01/

   .. py:attribute:: __namespace__
      :value: 'symantec'

   .. py:attribute:: LOG_SEP_AV
      :value: 'sysvol/ProgramData/Symantec/Symantec Endpoint Protection/*/Data/Logs/AV/*'

   .. py:attribute:: LOG_SEP_NET
      :value: 'sysvol/ProgramData/Symantec/Symantec Endpoint Protection/*/Data/Logs/tralog.log'

   .. py:attribute:: LOGS

   .. py:attribute:: MARKER_INFECTION
      :value: 5

   .. py:attribute:: QUARANTINE_SUCCESS
      :value: 2

   .. py:attribute:: CLEANABLE
      :value: 0

   .. py:attribute:: DELETABLE
      :value: 4

   .. py:attribute:: STILL_INFECTED
      :value: 1

   .. py:attribute:: OUTBOUND
      :value: 2

   .. py:attribute:: BLOCKED
      :value: 1

   .. py:attribute:: COMPRESSED
      :value: 1

   .. py:attribute:: TCP_INIT
      :value: 301

   .. py:attribute:: TCP_CLOSE
      :value: 304

   .. py:attribute:: UDP_DATA
      :value: 302

   .. py:attribute:: AV_TIMESTAMP
      :value: 0

   .. py:attribute:: AV_EVENT
      :value: 1

   .. py:attribute:: AV_USER
      :value: 5

   .. py:attribute:: AV_VIRUS
      :value: 6

   .. py:attribute:: AV_FILE
      :value: 7

   .. py:attribute:: AV_ACTION_TAKEN
      :value: 10

   .. py:attribute:: AV_VIRUS_TYPE
      :value: 11

   .. py:attribute:: AV_SCAN_ID
      :value: 14

   .. py:attribute:: AV_EVENT_DATA
      :value: 17

   .. py:attribute:: AV_QUARANTINE_ID
      :value: 18

   .. py:attribute:: AV_VIRUS_ID
      :value: 19

   .. py:attribute:: AV_QUARANTINE_STATUS
      :value: 20

   .. py:attribute:: AV_COMPRESSED
      :value: 23

   .. py:attribute:: AV_DEPTH
      :value: 24

   .. py:attribute:: AV_STILL_INFECTED
      :value: 25

   .. py:attribute:: AV_CLEANABLE
      :value: 28

   .. py:attribute:: AV_DELETABLE
      :value: 29

   .. py:attribute:: AV_CONFIDENCE
      :value: 65

   .. py:attribute:: AV_PREVALENCE
      :value: 67

   .. py:attribute:: AV_DOWNLOADED_FROM
      :value: 68

   .. py:attribute:: AV_RISK
      :value: 71

   .. py:attribute:: FW_TIMESTAMP
      :value: 1

   .. py:attribute:: FW_PROTOCOL
      :value: 2

   .. py:attribute:: FW_LOCAL_IP
      :value: 3

   .. py:attribute:: FW_REMOTE_IP
      :value: 4

   .. py:attribute:: FW_LOCAL_PORT
      :value: 5

   .. py:attribute:: FW_REMOTE_PORT
      :value: 6

   .. py:attribute:: FW_DIRECTION
      :value: 7

   .. py:attribute:: FW_BEGIN_TIME
      :value: 8

   .. py:attribute:: FW_END_TIME
      :value: 9

   .. py:attribute:: FW_REPETITION
      :value: 10

   .. py:attribute:: FW_ACTION
      :value: 11

   .. py:attribute:: FW_SEVERITY
      :value: 13

   .. py:attribute:: FW_RULE_ID
      :value: 14

   .. py:attribute:: FW_REMOTE_HOST_NAME
      :value: 15

   .. py:attribute:: FW_RULE_NAME
      :value: 16

   .. py:attribute:: FW_APPLICATION
      :value: 17

   .. py:attribute:: FW_LOCATION
      :value: 20

   .. py:attribute:: FW_USER
      :value: 21

   .. py:attribute:: FW_LOCAL_IP6
      :value: 25

   .. py:attribute:: FW_REMOTE_IP6
      :value: 26

   .. py:attribute:: PROTOCOL

   .. py:attribute:: SEVERITY

   .. py:attribute:: ACTION

   .. py:attribute:: VIRUS_TYPE

   .. py:method:: check_compatible() -> None

      Perform a compatibility check with the target.

      This function should return ``None`` if the plugin is compatible with the current target
      (``self.target``). For example, check if a certain file exists. Otherwise it should raise
      an ``UnsupportedPluginError``.

      :raises UnsupportedPluginError: If the plugin could not be loaded.

   .. py:method:: logs() -> Iterator[SEPLogRecord]

      Return AV log records.

      Yields SEPLogRecord with the following fields:

      - ts (datetime): Timestamp associated with the event.
      - virus (string): Name of the virus.
      - user (string): Name of the user associated with the event.
      - source_file (path): File that contains the virus.
      - action_taken (string): Action taken by SEP.
      - virus_type (string): Description of the type of virus.
      - scan_id (varint): ID of the scan associated with the event.
      - event_data (string): String or bytes from a virus event.
      - quarantine_id (varint): ID associated with the quarantined virus.
      - still_infected (boolean): Whether the system is still infected.
      - quarantined (boolean): True if the virus has been quarantined successfully.
      - compressed (boolean): True if the virus was in a compressed file.
      - depth (varint): How many layers of compression the virus was hidden in.
      - cleanable (boolean): Whether the virus is cleanable.
      - deletable (boolean): Whether the virus can be deleted.
      - confidence (varint): Confidence level about the threat verdict (higher is more confident).
      - prevalence (varint): Prevalence of the threat (higher is more prevalent).
      - risk (varint): Risk level of the threat (1-4, higher is more dangerous, 0 = unknown).
      - download_url (uri): Source of the virus (if available).
      - line_no (varint): Reference line number in the log file.

   .. py:method:: firewall() -> Iterator[SEPFirewallRecord]

      Return firewall log records.

      Yields SEPFirewallRecord with the following fields:

      - ts (datetime): Timestamp associated with the event.
      - protocol (string): Protocol name associated with the firewall record.
      - local_ip ("net.ipaddress"): Local IP address associated with the event.
      - remote_ip ("net.ipaddress"): Remote IP address associated with the event.
      - local_ip6 ("net.ipaddress"): Local IPv6 address associated with the event.
      - remote_ip6 ("net.ipaddress"): Remote IPv6 address associated with the event.
      - local_port (varint): Local port associated with the event.
      - remote_port (varint): Remote port associated with the event.
      - outbound (boolean): True in case of outbound traffic/connection.
      - begin_time (datetime): Start of the event.
      - end_time (datetime): End of the event.
      - repetition (varint): How many times this event happened within the time frame.
      - blocked (boolean): Whether the traffic/connection was successfully blocked.
      - severity (string): Severity of the event.
      - rule_id (varint): Firewall rule ID associated with this event.
      - rule_name (string): Name of the firewall rule associated with this event.
      - remote_host (string): Name of the remote host if it can be traced.
      - application (path): Application responsible for/affected by the event.
      - user (string): User associated with the event.
      - line_no (varint): Reference line number in the log file.
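The following is an added, stand-alone example (not the dissect.target plugin's own code) that decodes one comma-separated SEP AV log line into the ``logs()`` record fields using the ``AV_*`` field indices and the marker constants listed above. The sample line is constructed; the timestamp decoding assumes Symantec's hex ``YYMMDDHHMMSS`` encoding (years since 1970, 0-based month), which this page does not state, and ``MARKER_INFECTION`` is taken to be the value of the event field that marks an infection record.

```python
from datetime import datetime

# Field indices and marker values as listed on this page.
AV_TIMESTAMP, AV_EVENT, AV_USER, AV_VIRUS, AV_FILE, AV_ACTION_TAKEN = 0, 1, 5, 6, 7, 10
AV_QUARANTINE_STATUS, AV_COMPRESSED, AV_DEPTH, AV_STILL_INFECTED = 20, 23, 24, 25
AV_CLEANABLE, AV_DELETABLE, AV_RISK = 28, 29, 71
MARKER_INFECTION, QUARANTINE_SUCCESS, STILL_INFECTED = 5, 2, 1
CLEANABLE, DELETABLE, COMPRESSED = 0, 4, 1


def parse_sep_timestamp(raw: str) -> datetime:
    """Assumption: hex YYMMDDHHMMSS with years counted from 1970 and a 0-based month."""
    year = int(raw[0:2], 16) + 1970
    month = int(raw[2:4], 16) + 1
    day, hour, minute, second = (int(raw[i:i + 2], 16) for i in (4, 6, 8, 10))
    return datetime(year, month, day, hour, minute, second)


def _int(value: str) -> int:
    return int(value) if value.strip() else 0  # unset numeric fields are empty strings


def parse_av_line(line: str):
    """Decode one comma-separated AV log line; None unless it is an infection event."""
    f = line.rstrip("\r\n").split(",")
    if len(f) <= AV_RISK or _int(f[AV_EVENT]) != MARKER_INFECTION:
        return None
    return {
        "ts": parse_sep_timestamp(f[AV_TIMESTAMP]),
        "virus": f[AV_VIRUS],
        "user": f[AV_USER],
        "source_file": f[AV_FILE],
        "action_taken": f[AV_ACTION_TAKEN],
        "quarantined": _int(f[AV_QUARANTINE_STATUS]) == QUARANTINE_SUCCESS,
        "compressed": _int(f[AV_COMPRESSED]) == COMPRESSED,
        "depth": _int(f[AV_DEPTH]),
        "still_infected": _int(f[AV_STILL_INFECTED]) == STILL_INFECTED,
        "cleanable": _int(f[AV_CLEANABLE]) == CLEANABLE,
        "deletable": _int(f[AV_DELETABLE]) == DELETABLE,
        "risk": _int(f[AV_RISK]),  # 1-4, 0 = unknown
    }


# Constructed sample line with 72 fields; only the fields used above are populated.
_fields = [""] * (AV_RISK + 1)
_fields[AV_TIMESTAMP], _fields[AV_EVENT], _fields[AV_USER] = "200A13080122", "5", "jdoe"
_fields[AV_VIRUS], _fields[AV_FILE] = "EICAR Test String", r"C:\Users\jdoe\Downloads\eicar.zip"
_fields[AV_ACTION_TAKEN], _fields[AV_QUARANTINE_STATUS] = "Quarantined", "2"
_fields[AV_COMPRESSED], _fields[AV_DEPTH], _fields[AV_STILL_INFECTED] = "1", "1", "0"
_fields[AV_CLEANABLE], _fields[AV_DELETABLE], _fields[AV_RISK] = "0", "4", "3"
SAMPLE_LINE = ",".join(_fields)
```

Lines with fewer than 72 fields or with an event code other than ``MARKER_INFECTION`` are skipped rather than mis-decoded, which is the case a triage script most often gets wrong.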