> -----Original Message-----
> From: ossec-list@googlegroups.com [mailto:[EMAIL PROTECTED] On
> Behalf Of Daniel Cid
> Sent: Thursday, November 09, 2006 8:58 PM
> To: ossec-list@googlegroups.com
> Subject: [ossec-list] Re: OSSEC support for ...
> Importance: Low
>
>
> Thanks for all the information provided. I already started working on
> some of them
> (symantec and lotus notes), but I would like some more information
> (keep reading)...
>
> -For the symantec. Can you show me one or two entries of a log where a
> virus
> was found?
>
Symantec drops interesting things in the event log, as well.
I hit something funny on the "Interweb" yesterday; here is what went into
my PC's APP event log:
Event Type: Error
Event Source: Symantec AntiVirus
Event Category: None
Event ID: 51
Date: 11/9/2006
Time: 1:23:58 PM
User: N/A
Computer: DD-RMCCLINT
Description:
Security Risk Found!Threat: Downloader in File:
C:\DOCUME~1\RMCCLI~1.TMA\LOCALS~1\TEMPOR~1\Content.IE5\YZXRL031\INDEX_~2.HTM
by: Auto-Protect scan. Action: Clean failed : Quarantine failed :
Delete succeeded : Access denied. Action Description: The file was
deleted successfully.
And from the Symantec log file:
240A090D173A,51,1,2,DD-RMCCLINT,rmcclint,Downloader,C:\DOCUME~1\RMCCLI~1.TMA\LOCALS~1\TEMPOR~1\Content.IE5\YZXRL031\INDEX_~2.HTM,5,1,3,256,37748804,"",1163096587,,0,101 {5006ACC9-1A67-4515-B2CB-C9BDB9DC6D01}
0 2 Downloader 2;0;13 0
0
,0,26637,0,0,0,,,0,,0,0,1,0,master_server,{C9AEC239-1D1A-4185-89B8-AC6982F3E115},,(IP)-172.22.2.0,,TMAR,00:0D:56:D5:80:F9,10.0.2.2021,,,,,,,,,,,,,,,,999,,dbe52be8-8e8a-459c-a900-2b922d091b9d,0,TMAR
A significant event from one of my Symantec master servers:
Event Type: Warning
Event Source: Symantec AntiVirus
Event Category: None
Event ID: 4
Date: 11/10/2006
Time: 10:15:58 AM
User: N/A
Computer: DC2
Description:
Update to computer DD-QABLACKBOX of virus definition file 81109s failed.
Status 00000016
And from the server's Symantec log:
240A0A000313,4,3,7,DC2,someusername,,,,,,,16777216,"Update to computer DD-QABLACKBOX of virus definition file 81109s failed. Status 00000016",0,,0,,,,,0,,,,,,,,,,,{172C0CB2-A11A-464E-A7D2-D413D488F0A8},,(IP)-172.22.1.2,TMAR,TMAR,00:11:43:32:0E:BA,10.1.0.394,,,,,,,,,,,,,,,,0,25388938387D0247A2FAE1DAE3CF2B08,,,TMAR
I'd love to get the event and Symantec log from this failed client for
you, but I can't connect to it remotely right now. Seems it has more
problems than just Symantec.
Thanks,
Rick
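As an added example (not part of Rick's mail and not OSSEC's own decoder code), here is a parser for the two Symantec formats shown above: the CSV log record, whose first column is a hex-encoded timestamp and whose second column matches the Windows Event ID, and the Event ID 51 Description text. The column names, the timestamp encoding and the three action codes are assumptions taken from the vendor's log layout and checked only against the records in this mail; the sample strings are constructed from the mail's records with the line wrapping removed and truncated after the columns used.

```python
import csv
import re
from datetime import datetime

# First 14 columns of a Symantec AntiVirus Corporate Edition log record
# (assumed from the vendor's log layout; the mail's records agree with it:
# column 2 equals the Event ID, column 14 equals the event's Description).
SAV_FIELDS = ["time", "event", "category", "logger", "computer", "user", "virus",
              "file", "wanted_action1", "wanted_action2", "real_action",
              "virus_type", "flags", "description"]
# Action codes confirmed by the mail: columns 9-11 are 5,1,3 while the Event
# Log reads "Clean failed : Quarantine failed : Delete succeeded".
ACTION_CODES = {"1": "Quarantine", "3": "Delete", "5": "Clean"}

def decode_sav_time(stamp):
    # 12 hex digits YYMMDDhhmmss: YY = years since 1970, MM zero-based
    # (assumed vendor encoding; 240A090D173A decodes to the Event Log time).
    yy, mm, dd, hh, mi, ss = (int(stamp[i:i + 2], 16) for i in range(0, 12, 2))
    return datetime(1970 + yy, mm + 1, dd, hh, mi, ss)

def parse_sav_record(line):
    # csv handles the quoted description column; extra columns are ignored.
    rec = dict(zip(SAV_FIELDS, next(csv.reader([line]))))
    rec["timestamp"] = decode_sav_time(rec["time"])
    for key in ("wanted_action1", "wanted_action2", "real_action"):
        rec[key] = ACTION_CODES.get(rec[key], rec[key])
    return rec

# Event ID 51 "Security Risk Found!" Description text, as shown in the mail.
EVT51_RE = re.compile(r"Threat: (?P<threat>.+?) in File: (?P<file>.+?) by: "
                      r"(?P<scanner>.+?)\. Action: (?P<action>.+?)\. Action Description:")

def parse_event51(description):
    m = EVT51_RE.search(description)
    return m.groupdict() if m else None

# Constructed samples: the mail's two records with its line wrapping removed and
# truncated after the columns used, plus the Event ID 51 Description text.
CLIENT_RECORD = ("240A090D173A,51,1,2,DD-RMCCLINT,rmcclint,Downloader,C:\\DOCUME~1\\RMCCLI~1.TMA"
                 "\\LOCALS~1\\TEMPOR~1\\Content.IE5\\YZXRL031\\INDEX_~2.HTM,5,1,3,256,37748804,"
                 "\"\",1163096587,,0,101 {5006ACC9-1A67-4515-B2CB-C9BDB9DC6D01}")
SERVER_RECORD = ("240A0A000313,4,3,7,DC2,someusername,,,,,,,16777216,\"Update to computer "
                 "DD-QABLACKBOX of virus definition file 81109s failed. Status 00000016\",0,,0")
EVENT51_TEXT = ("Security Risk Found!Threat: Downloader in File: C:\\DOCUME~1\\RMCCLI~1.TMA"
                "\\LOCALS~1\\TEMPOR~1\\Content.IE5\\YZXRL031\\INDEX_~2.HTM by: Auto-Protect scan. "
                "Action: Clean failed : Quarantine failed : Delete succeeded : Access denied. "
                "Action Description: The file was deleted successfully.")

if __name__ == "__main__":
    print(parse_sav_record(CLIENT_RECORD)["timestamp"], parse_event51(EVENT51_TEXT))
```

Decoding 240A090D173A gives 2006-11-09 13:23:58, exactly the Date and Time of the Event ID 51 entry above, which is the check that the timestamp encoding is right; the server record's stamp decodes to 2006-11-10 00:03:19, a different time from the 10:15:58 Event ID 4 entry shown, so the two server samples are not the same event.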