dissect.target.plugins.apps.av.symantec

Module Contents

Classes

- SymantecPlugin: Symantec Endpoint Security Suite Plugin, based on https://malwaremaloney.blogspot.com/2021/01/

Attributes

- dissect.target.plugins.apps.av.symantec.SEPLogRecord
- dissect.target.plugins.apps.av.symantec.SEPFirewallRecord
- class dissect.target.plugins.apps.av.symantec.SymantecPlugin(target: dissect.target.Target)

Bases: dissect.target.plugin.Plugin

Symantec Endpoint Security Suite Plugin, based on https://malwaremaloney.blogspot.com/2021/01/
- __namespace__ = 'symantec'
- LOG_SEP_AV = 'sysvol/ProgramData/Symantec/Symantec Endpoint Protection/*/Data/Logs/AV/*'
- LOG_SEP_NET = 'sysvol/ProgramData/Symantec/Symantec Endpoint Protection/*/Data/Logs/tralog.log'
- LOGS
- MARKER_INFECTION = 5
- QUARANTINE_SUCCESS = 2
- CLEANABLE = 0
- DELETABLE = 4
- STILL_INFECTED = 1
- OUTBOUND = 2
- BLOCKED = 1
- COMPRESSED = 1
- TCP_INIT = 301
- TCP_CLOSE = 304
- UDP_DATA = 302
- AV_TIMESTAMP = 0
- AV_EVENT = 1
- AV_USER = 5
- AV_VIRUS = 6
- AV_FILE = 7
- AV_ACTION_TAKEN = 10
- AV_VIRUS_TYPE = 11
- AV_SCAN_ID = 14
- AV_EVENT_DATA = 17
- AV_QUARANTINE_ID = 18
- AV_VIRUS_ID = 19
- AV_QUARANTINE_STATUS = 20
- AV_COMPRESSED = 23
- AV_DEPTH = 24
- AV_STILL_INFECTED = 25
- AV_CLEANABLE = 28
- AV_DELETABLE = 29
- AV_CONFIDENCE = 65
- AV_PREVALENCE = 67
- AV_DOWNLOADED_FROM = 68
- AV_RISK = 71
- FW_TIMESTAMP = 1
- FW_PROTOCOL = 2
- FW_LOCAL_IP = 3
- FW_REMOTE_IP = 4
- FW_LOCAL_PORT = 5
- FW_REMOTE_PORT = 6
- FW_DIRECTION = 7
- FW_BEGIN_TIME = 8
- FW_END_TIME = 9
- FW_REPETITION = 10
- FW_ACTION = 11
- FW_SEVERITY = 13
- FW_RULE_ID = 14
- FW_REMOTE_HOST_NAME = 15
- FW_RULE_NAME = 16
- FW_APPLICATION = 17
- FW_LOCATION = 20
- FW_USER = 21
- FW_LOCAL_IP6 = 25
- FW_REMOTE_IP6 = 26
- PROTOCOL
- SEVERITY
- ACTION
- VIRUS_TYPE
- check_compatible() -> None

Perform a compatibility check with the target.

This function should return None if the plugin is compatible with the current target (self.target). For example, check if a certain file exists. Otherwise it should raise an UnsupportedPluginError.

- Raises: UnsupportedPluginError – If the plugin could not be loaded.
- logs() -> Iterator[SEPLogRecord]

Return log records.

Yields SEPLogRecord with the following fields:

- ts (datetime): Timestamp associated with the event.
- virus (string): Name of the virus.
- user (string): Name of the user associated with the event.
- source_file (path): File that contains the virus.
- action_taken (string): Action taken by SEP.
- virus_type (string): Description of the type of virus.
- scan_id (varint): ID of the scan associated with the event.
- event_data (string): String or bytes from a virus event.
- quarantine_id (varint): ID associated with the quarantined virus.
- still_infected (boolean): Whether the system is still infected.
- quarantined (boolean): True if the virus has been quarantined successfully.
- compressed (boolean): True if the virus was in a compressed file.
- depth (varint): How many layers of compression the virus was hidden in.
- cleanable (boolean): Whether the virus is cleanable.
- deletable (boolean): Whether the virus can be deleted.
- confidence (varint): Confidence level about the threat verdict (higher is more confident).
- prevalence (varint): Prevalence of the threat (higher is more prevalent).
- risk (varint): Risk level of the threat (1-4, higher is more dangerous, 0 = unknown).
- download_url (uri): Source of the virus (if available).
- line_no (varint): Reference line number in the log file.
- firewall() -> Iterator[SEPFirewallRecord]

Return firewall log records.

Yields SEPFirewallRecord with the following fields:

- ts (datetime): Timestamp associated with the event.
- protocol (string): Protocol name associated with the firewall record.
- local_ip (net.ipaddress): Local IP address associated with the event.
- remote_ip (net.ipaddress): Remote IP address associated with the event.
- local_ip6 (net.ipaddress): Local IPv6 address associated with the event.
- remote_ip6 (net.ipaddress): Remote IPv6 address associated with the event.
- local_port (varint): Local port associated with the event.
- remote_port (varint): Remote port associated with the event.
- outbound (boolean): True in case of outbound traffic/connection.
- begin_time (datetime): Start of the event.
- end_time (datetime): End of the event.
- repetition (varint): How many times this event happened within the time frame.
- blocked (boolean): Whether the traffic/connection was successfully blocked.
- severity (string): Severity of the event.
- rule_id (varint): Firewall rule ID associated with this event.
- rule_name (string): Name of the firewall rule associated with this event.
- remote_host (string): Name of the remote host if it can be traced.
- application (path): Application responsible for/affected by the event.
- user (string): User associated with the event.
- line_no (varint): Reference line number in the log file.
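The following is an added, stand-alone example (not dissect.target's own code) showing how the field indices and flag constants listed above map raw SEP log lines onto the logs() and firewall() record fields. It assumes that AV and tralog.log lines are comma-separated and zero-indexed, leaves timestamps as raw strings, keeps the action/severity/virus-type codes numeric because the plugin's PROTOCOL/SEVERITY/ACTION/VIRUS_TYPE tables are not reproduced here, and filters AV lines on MARKER_INFECTION as an assumed interpretation of that marker; the protocol labels and sample lines are constructed.

```python
# Added example: apply the documented SymantecPlugin field indices and flag
# values to constructed SEP log lines. Not dissect.target's code; the
# comma-separated, zero-indexed layout and the sample values are assumptions.

# AV log field indices and flag values (names and values as documented).
AV_TIMESTAMP, AV_EVENT, AV_USER, AV_VIRUS, AV_FILE = 0, 1, 5, 6, 7
AV_ACTION_TAKEN, AV_VIRUS_TYPE, AV_SCAN_ID, AV_EVENT_DATA = 10, 11, 14, 17
AV_QUARANTINE_ID, AV_QUARANTINE_STATUS, AV_COMPRESSED, AV_DEPTH = 18, 20, 23, 24
AV_STILL_INFECTED, AV_CLEANABLE, AV_DELETABLE = 25, 28, 29
AV_CONFIDENCE, AV_PREVALENCE, AV_DOWNLOADED_FROM, AV_RISK = 65, 67, 68, 71
MARKER_INFECTION, QUARANTINE_SUCCESS = 5, 2
CLEANABLE, DELETABLE, STILL_INFECTED, COMPRESSED = 0, 4, 1, 1

# Firewall (tralog.log) field indices and flag values.
FW_TIMESTAMP, FW_PROTOCOL, FW_LOCAL_IP, FW_REMOTE_IP = 1, 2, 3, 4
FW_LOCAL_PORT, FW_REMOTE_PORT, FW_DIRECTION, FW_ACTION = 5, 6, 7, 11
FW_RULE_ID, FW_RULE_NAME, FW_APPLICATION, FW_USER = 14, 16, 17, 21
OUTBOUND, BLOCKED, TCP_INIT, TCP_CLOSE, UDP_DATA = 2, 1, 301, 304, 302
# Labels for the three documented protocol codes are assumed, not the plugin's.
PROTOCOL = {TCP_INIT: "TCP (init)", TCP_CLOSE: "TCP (close)", UDP_DATA: "UDP"}


def _str(fields, i):
    """Field i as text, or "" when the line is too short."""
    return fields[i] if i < len(fields) else ""


def _int(fields, i):
    """Field i as int, or 0 when missing or non-numeric."""
    try:
        return int(fields[i])
    except (IndexError, ValueError):
        return 0


def _flag(fields, i, value):
    """True when a present integer field i equals the documented flag value."""
    return _str(fields, i) != "" and _int(fields, i) == value


def parse_av_line(line, line_no):
    """Map one AV log line to the SEPLogRecord fields; None unless the event
    code equals MARKER_INFECTION (assumed use of the marker)."""
    f = line.rstrip("\r\n").split(",")
    if not _flag(f, AV_EVENT, MARKER_INFECTION):
        return None
    return {
        "ts_raw": _str(f, AV_TIMESTAMP),
        "virus": _str(f, AV_VIRUS),
        "user": _str(f, AV_USER),
        "source_file": _str(f, AV_FILE),
        "action_taken": _int(f, AV_ACTION_TAKEN),  # code; plugin maps via ACTION
        "virus_type": _int(f, AV_VIRUS_TYPE),      # code; plugin maps via VIRUS_TYPE
        "scan_id": _int(f, AV_SCAN_ID),
        "event_data": _str(f, AV_EVENT_DATA),
        "quarantine_id": _int(f, AV_QUARANTINE_ID),
        "still_infected": _flag(f, AV_STILL_INFECTED, STILL_INFECTED),
        "quarantined": _flag(f, AV_QUARANTINE_STATUS, QUARANTINE_SUCCESS),
        "compressed": _flag(f, AV_COMPRESSED, COMPRESSED),
        "depth": _int(f, AV_DEPTH),
        "cleanable": _flag(f, AV_CLEANABLE, CLEANABLE),
        "deletable": _flag(f, AV_DELETABLE, DELETABLE),
        "confidence": _int(f, AV_CONFIDENCE),
        "prevalence": _int(f, AV_PREVALENCE),
        "risk": _int(f, AV_RISK),
        "download_url": _str(f, AV_DOWNLOADED_FROM) or None,
        "line_no": line_no,
    }


def parse_fw_line(line, line_no):
    """Map one tralog.log line to the core SEPFirewallRecord fields."""
    f = line.rstrip("\r\n").split(",")
    return {
        "ts_raw": _str(f, FW_TIMESTAMP),
        "protocol": PROTOCOL.get(_int(f, FW_PROTOCOL), "unknown"),
        "local_ip": _str(f, FW_LOCAL_IP),
        "remote_ip": _str(f, FW_REMOTE_IP),
        "local_port": _int(f, FW_LOCAL_PORT),
        "remote_port": _int(f, FW_REMOTE_PORT),
        "outbound": _flag(f, FW_DIRECTION, OUTBOUND),
        "blocked": _flag(f, FW_ACTION, BLOCKED),
        "rule_id": _int(f, FW_RULE_ID),
        "rule_name": _str(f, FW_RULE_NAME),
        "application": _str(f, FW_APPLICATION),
        "user": _str(f, FW_USER),
        "line_no": line_no,
    }


def parse_log(text, parser):
    """Parse every non-empty line, numbering from 1 as line_no does."""
    records = []
    for no, line in enumerate(text.splitlines(), start=1):
        rec = parser(line, no) if line.strip() else None
        if rec is not None:
            records.append(rec)
    return records


def _line(width, values):
    """Build a constructed comma-separated line from an index-to-value map."""
    f = [""] * width
    for i, v in values.items():
        f[i] = str(v)
    return ",".join(f)


# Constructed sample lines (not real SEP output); AV lines need 72 fields.
SAMPLE_AV_LOG = "\n".join([
    _line(72, {AV_TIMESTAMP: "T1", AV_EVENT: 3}),  # not an infection event
    _line(72, {AV_TIMESTAMP: "T2", AV_EVENT: MARKER_INFECTION, AV_USER: "alice",
               AV_VIRUS: "EICAR Test String", AV_FILE: "C:\\Users\\alice\\eicar.com",
               AV_QUARANTINE_STATUS: QUARANTINE_SUCCESS, AV_COMPRESSED: COMPRESSED,
               AV_DEPTH: 1, AV_STILL_INFECTED: 0, AV_CLEANABLE: CLEANABLE,
               AV_DELETABLE: DELETABLE, AV_CONFIDENCE: 80, AV_RISK: 3}),
])
SAMPLE_FW_LOG = _line(27, {FW_TIMESTAMP: "T3", FW_PROTOCOL: TCP_INIT,
                           FW_LOCAL_IP: "10.0.0.5", FW_REMOTE_IP: "203.0.113.7",
                           FW_LOCAL_PORT: 51000, FW_REMOTE_PORT: 443,
                           FW_DIRECTION: OUTBOUND, FW_ACTION: BLOCKED,
                           FW_RULE_ID: 12, FW_RULE_NAME: "Block outbound",
                           FW_APPLICATION: "C:\\Program Files\\App\\app.exe",
                           FW_USER: "alice"})

if __name__ == "__main__":
    for rec in parse_log(SAMPLE_AV_LOG, parse_av_line) + parse_log(SAMPLE_FW_LOG, parse_fw_line):
        print(rec)
```

The helpers deliberately return "" or 0 for short lines rather than raising, so a truncated or unexpectedly formatted line degrades to an incomplete record instead of aborting the whole log; the MARKER_INFECTION gate is why the first constructed AV line produces no record while the second does.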