
Symantec Risk Not Found

QRadar supports Symantec Endpoint Protection out of the box; see the IBM Knowledge Center page for the DSM:
Symantec Endpoint DSM

Symantec EPS is made up of many endpoint security modules, such as HIPS, the firewall and SONAR.

We usually see virus-related logs like:

<54>Apr 10 00:00:25 Symantec Server SEPBEDPROD: Virus found,IP Address: 10.0.1.5,Computer name: af73075-pc,Source: Real Time Scan,Risk name: EICAR Test String,Occurrences: 2,****SUMMARIZED DATA****,,Actual action: Left alone,Requested action: Left alone,Secondary action: Left alone,Event time: 2012-04-02 17:00:00,Inserted: 2012-04-02 18:00:00,End: 2012-04-02 17:59:59,Domain: Default,Group: My Company\MITRE Production Desktop\MAC Prod,Server: SEPBEDPROD,User: ,Source computer: ,Source IP: ,Disposition: Good,Download site: null,Web domain: null,Downloaded by: null,Prevalence: Reputation was not used in this detection.,Confidence: Reputation was not used in this detection.,URL Tracking Status: Off,,First Seen: Reputation was not used in this detection.,Sensitivity: Low,0,Application hash: ,Hash type: SHA1,Company name: ,Application name: ,Application version: ,Application type: -1,File size (bytes)


Less well known are the "Risk found" / "Detected" logs, which indicate some kind of compromise. Say, for example, Symantec detects a hacking tool like mimikatz.

We will get a Risk found alert and not a Virus alert. So what is the problem?

For some unknown reason, all Symantec risk alerts are written under both the System category and Malware, but are categorized as System and Warning. This basically means our malware rules WOULD NOT WORK, because they are tied to the high-level category, so we won't get any related offense!

Example (screenshots in the original post):

System Category view

Malware Category view

How can we deal with it? Luckily we are using QRadar, so it's pretty easy.

First, open the Admin tab and choose Reference Set.
Create a new reference collection and name it something you will remember.

Use the Numeric type and add these QIDs:

42002495
42002464
42000025
42004067
42002833
42002834
42002835
42002836
42002837
42002838
42002839
42004256
42002895
42002896

Now use this reference set in a rule or in a building block.
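To see the same gap at the log level, here is an added Python example (not from the post, IBM or Symantec) that parses SEP syslog lines in the format quoted above, treats both "Virus found" and "Risk found" as detections regardless of the QRadar category they land in, and flags detections whose Actual action is "Left alone". Only the "Virus found" fields come from the post's sample; the "Risk found" and "Scan complete" lines and the risk name Example.Hacktool are constructed.

```python
import re
from dataclasses import dataclass

# Event types named in the post. QRadar maps "Virus found" to the Malware category
# but files "Risk found" under System/Warning, so both count as detections here.
DETECTION_EVENTS = {"Virus found", "Risk found"}
# "Actual action" value from the post's sample that means the threat was not removed.
UNREMEDIATED_ACTIONS = {"Left alone"}

# <PRI>Mon DD HH:MM:SS <host> <SEPM server>: <event type>,<Key: value>,...
SYSLOG_RE = re.compile(r"^<\d+>\w{3} +\d+ \d\d:\d\d:\d\d (?P<host>.+?) (?P<server>\S+): (?P<body>.*)$")


@dataclass
class SepEvent:
    event_type: str
    server: str
    fields: dict

    def is_detection(self) -> bool:
        return self.event_type in DETECTION_EVENTS

    def is_unremediated(self) -> bool:
        return self.is_detection() and self.fields.get("Actual action") in UNREMEDIATED_ACTIONS


def parse_sep_event(line: str) -> SepEvent:
    """Parse one SEP syslog line into its event type and 'Key: value' fields."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        raise ValueError("not a Symantec Endpoint Protection syslog line")
    tokens = m.group("body").split(",")
    # Keep tokens that have a ': ' separator, splitting on the first one only (timestamps
    # hold more colons); "****SUMMARIZED DATA****", "0" and empty tokens have none and are skipped.
    pairs = (t.partition(": ") for t in tokens[1:])
    fields = {k.strip(): v.strip() for k, sep, v in pairs if sep}
    return SepEvent(tokens[0].strip(), m.group("server"), fields)


def triage(lines):
    """(event type, risk name, host, still present?) for every detection, whatever its QRadar category."""
    return [(ev.event_type, ev.fields.get("Risk name"), ev.fields.get("Computer name"), ev.is_unremediated())
            for ev in map(parse_sep_event, lines) if ev.is_detection()]


# Constructed sample lines, modeled on the "Virus found" line quoted in the post.
SAMPLE_LINES = [
    "<54>Apr 10 00:00:25 Symantec Server SEPBEDPROD: Virus found,IP Address: 10.0.1.5,Computer name: af73075-pc,Source: Real Time Scan,"
    "Risk name: EICAR Test String,Occurrences: 2,****SUMMARIZED DATA****,,Actual action: Left alone,Event time: 2012-04-02 17:00:00,User: ,0,File size (bytes)",
    "<54>Apr 10 00:01:10 Symantec Server SEPBEDPROD: Risk found,IP Address: 10.0.1.6,Computer name: af73076-pc,Source: Real Time Scan,"
    "Risk name: Example.Hacktool,Occurrences: 1,Actual action: Quarantined,Event time: 2012-04-02 17:01:00",
    "<54>Apr 10 00:02:00 Symantec Server SEPBEDPROD: Scan complete,Computer name: af73076-pc,Scan type: Quick Scan",
]
```

`triage(SAMPLE_LINES)` returns both detections (the EICAR one flagged as still present) and skips the scan event, which is the behaviour the Malware-category rules miss for "Risk found".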
