
Symantec Risk Not Found

QRadar supports Symantec endpoint security out of the box; see the IBM Knowledge Center link:
Symantec Endpoint DSM

Symantec EPS combines many endpoint security modules, such as HIPS, firewall and SONAR.

We will usually see virus-related logs like:

<54>Apr 10 00:00:25 Symantec Server SEPBEDPROD: Virus found,IP Address: 10.0.1.5,Computer name: af73075-pc,Source: Real Time Scan,Risk name: EICAR Test String,Occurrences: 2,****SUMMARIZED DATA****,,Actual action: Left alone,Requested action: Left alone,Secondary action: Left alone,Event time: 2012-04-02 17:00:00,Inserted: 2012-04-02 18:00:00,End: 2012-04-02 17:59:59,Domain: Default,Group: My Company\MITRE Production Desktop\MAC Prod,Server: SEPBEDPROD,User: ,Source computer: ,Source IP: ,Disposition: Good,Download site: null,Web domain: null,Downloaded by: null,Prevalence: Reputation was not used in this detection.,Confidence: Reputation was not used in this detection.,URL Tracking Status: Off,,First Seen: Reputation was not used in this detection.,Sensitivity: Low,0,Application hash: ,Hash type: SHA1,Company name: ,Application name: ,Application version: ,Application type: -1,File size (bytes)


The less well-known logs are the Risk Found / Detected logs, which indicate some kind of compromise. For example, Symantec detects a hacking tool like mimikatz.

We will get a risk found alert and not a virus alert. So what is the problem?

For some unknown reason, all Symantec risk alerts are written as both the System category and Malware, but are categorized as System and Warning. This means our malware rules WOULD NOT WORK, because they are tied to the high-level category, so we won't get any related offense!

Example:

[Screenshot: System Category view]

[Screenshot: Malware Category view]

How can we deal with it? Luckily we are using QRadar, so it's pretty easy.

First, open the Admin tab and choose Reference Set.
Create a new reference collection and name it something you will remember.

Use the Numeric type and add these QIDs:

42002495
42002464
42000025
42004067
42002833
42002834
42002835
42002836
42002837
42002838
42002839
42004256
42002895
42002896

Now use this reference set in a rule or in a building block.
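
The reference-set steps above can also be scripted against the QRadar REST API instead of using the Admin tab. This is an added example, not code from the original post; the console hostname `qradar.example.com`, the set name `Symantec_Risk_QIDs` and the `QRADAR_TOKEN` environment variable are assumptions.

```python
"""Create a NUM reference set on a QRadar console and bulk-load the QIDs listed above."""
import json
import os
import urllib.parse
import urllib.request

# QIDs copied from the list in this post.
SYMANTEC_RISK_QIDS = [
    42002495, 42002464, 42000025, 42004067, 42002833, 42002834, 42002835,
    42002836, 42002837, 42002838, 42002839, 42004256, 42002895, 42002896,
]


def build_requests(console, set_name, qids):
    """Return the (method, url, body) calls needed to create and fill the set."""
    values = sorted({int(q) for q in qids})  # rejects non-numeric input, drops duplicates
    if not values:
        raise ValueError("no QIDs supplied")
    base = f"https://{console}/api/reference_data/sets"
    create = f"{base}?" + urllib.parse.urlencode({"name": set_name, "element_type": "NUM"})
    load = f"{base}/bulk_load/{urllib.parse.quote(set_name, safe='')}"
    return [("POST", create, None),
            ("POST", load, json.dumps([str(v) for v in values]).encode())]


def send(requests, token):
    """Send each call with an authorized-service token; returns the HTTP status codes."""
    statuses = []
    for method, url, body in requests:
        req = urllib.request.Request(url, data=body, method=method, headers={
            "SEC": token, "Accept": "application/json", "Content-Type": "application/json"})
        with urllib.request.urlopen(req) as resp:  # TLS certificate is verified by default
            statuses.append(resp.status)
    return statuses


if __name__ == "__main__":
    # Hypothetical console name and set name; the token is read from the environment.
    plan = build_requests("qradar.example.com", "Symantec_Risk_QIDs", SYMANTEC_RISK_QIDS)
    token = os.environ.get("QRADAR_TOKEN")
    if token:
        print(send(plan, token))
    else:
        for method, url, body in plan:  # dry run: show what would be sent
            print(method, url, body.decode() if body else "")
```

Without `QRADAR_TOKEN` set, the script only prints the two planned API calls. If the reference set already exists, the create call fails with an HTTP error and the bulk load is not sent.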

 

 
