That link didn't work right. Use this one http://entkb.symantec.com/security/resultDisplay.do?gotoLink=345&docType=1000&contextId=15092%3A345.464&clusterName=Fusion&contentId=d631e4bc-060e-424e-b590-df430e1dfe4a&responseId=619bc0edda79572a%3A1b1fbf4%3A10ed64238a1%3A549b&groupId=6&answerGroup=12&score=419&page=http%3A%2F%2Fservice1.symantec.com%2Fsupport%2Fent-security.nsf%2Fpfdocs%2F2002110112213648&result=11&excerpt=The+following+tables+explain+the+actual+event+ID+numbers+that+are+propagated+to+Windows+NT%2F2000+application+event+logs.&resultType=5000#

Black CryptoKnight <[EMAIL PROTECTED]> wrote:
Hmmm ... so maybe it's possible to just write some rules to recognize the symantec av events in the windows event log. That approach could work with other applications as well.

I found a description of the Symantec event ids in the windows event log at http://entkb.symantec.com/security/resultDisplay.do?gotoLink=2935&docType=1000&contextId=15092%3A2935.2991&clusterName=Fusion&contentId=d631e4bc-060e-424e-b590-df430e1dfe4a&responseId=f5ce98835b4fd980%3A1b1fbf4%3A10ed80eb96a%3A3671&groupId=6&answerGroup=2&score=813&page=http%3A%2F%2Fservice1.symantec.com%2Fsupport%2Fent-security.nsf%2Fpfdocs%2F2002110112213648&result=1&excerpt=Keywords%3A+event+viewer%2C+event+ID%2C+error%2C+application+log&resultType=5000#

It is for version 8.x. I'm not sure if they kept the same standard for the later versions (I couldn't find any documentation on the later versions).

"McClinton, Rick" <[EMAIL PROTECTED]> wrote:



> -----Original Message-----
> From: ossec-list@googlegroups.com [mailto:[EMAIL PROTECTED] On
> Behalf Of Daniel Cid
> Sent: Thursday, November 09, 2006 8:58 PM
> To: ossec-list@googlegroups.com
> Subject: [ossec-list] Re: OSSEC support for ...
> Importance: Low
>
>
> Thanks for all the information provided. I already started working on
> some of them
> (symantec and lotus notes), but I would like some more information
> (keep reading)...
>
> -For the symantec. Can you show me one or two entries of a log where a
> virus
> was found?
>


Symantec drops interesting things in the event log, as well.

I hit something funny on the "Interweb" yesterday, here is what went in
my PC's APP event log:

Event Type: Error
Event Source: Symantec AntiVirus
Event Category: None
Event ID: 51
Date: 11/9/2006
Time: 1:23:58 PM
User: N/A
Computer: DD-RMCCLINT
Description:


Security Risk Found!Threat: Downloader in File:
C:\DOCUME~1\RMCCLI~1.TMA\LOCALS~1\TEMPOR~1\Content.IE5\YZXRL031\INDEX_~2.HTM
by: Auto-Protect scan. Action: Clean failed : Quarantine failed :
Delete succeeded : Access denied. Action Description: The file was
deleted successfully.

And from the Symantec log file:

240A090D173A,51,1,2,DD-RMCCLINT,rmcclint,Downloader,C:\DOCUME~1\RMCCLI~1.TMA\LOCALS~1\TEMPOR~1\Content.IE5\YZXRL031\INDEX_~2.HTM,5,1,3,256,37748804,"",1163096587,,0,101 {5006ACC9-1A67-4515-B2CB-C9BDB9DC6D01}
0 2 Downloader 2;0;13 0
0
,0,26637,0,0,0,,,0,,0,0,1,0,master_server,{C9AEC239-1D1A-4185-89B8-AC6982F3E115},,(IP)-172.22.2.0,,TMAR,00:0D:56:D5:80:F9,10.0.2.2021,,,,,,,,,,,,,,,,999,,dbe52be8-8e8a-459c-a900-2b922d091b9d,0,TMAR



A significant event from one of my Symantec master servers:

Event Type: Warning
Event Source: Symantec AntiVirus
Event Category: None
Event ID: 4
Date: 11/10/2006
Time: 10:15:58 AM
User: N/A
Computer: DC2
Description:


Update to computer DD-QABLACKBOX of virus definition file 81109s failed.
Status 00000016


And from the server's Symantec log:
240A0A000313,4,3,7,DC2,someusername,,,,,,,16777216,"Update to computer DD-QABLACKBOX of virus definition file 81109s failed. Status 00000016",0,,0,,,,,0,,,,,,,,,,,{172C0CB2-A11A-464E-A7D2-D413D488F0A8},,(IP)-172.22.1.2,TMAR,TMAR,00:11:43:32:0E:BA,10.1.0.394,,,,,,,,,,,,,,,,0,25388938387D0247A2FAE1DAE3CF2B08,,,TMAR


I'd love to get the event and Symantec log from this failed client for
you, but I can't connect to it remotely right now. Seems it has more
problems than just Symantec.


Thanks,
Rick
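A Python sketch of the parsing a rule set for these records would need, added here as an example and not code from the thread or from OSSEC: it takes the two Symantec log records quoted above (constructed as single lines, with the e-mail wrapping removed), decodes the hex timestamp, and turns each into an alert. The field positions, the action-code names and the timestamp encoding are assumptions taken from the Symantec AntiVirus log format, checked against the Event Viewer entries Rick quoted.

```python
import csv
import re
from datetime import datetime

# Constructed sample input: the two Symantec AntiVirus log records quoted in
# the message above, with the e-mail line wrapping removed and the
# tab-separated sub-fields of the first record collapsed to spaces.
SAV_LOG = [
    '240A090D173A,51,1,2,DD-RMCCLINT,rmcclint,Downloader,C:\\DOCUME~1\\RMCCLI~1.TMA\\LOCALS~1\\TEMPOR~1\\Content.IE5\\YZXRL031\\INDEX_~2.HTM,5,1,3,256,37748804,"",1163096587,,0,101 {5006ACC9-1A67-4515-B2CB-C9BDB9DC6D01} 0 2 Downloader 2;0;13 0 0,0,26637,0,0,0,,,0,,0,0,1,0,master_server,{C9AEC239-1D1A-4185-89B8-AC6982F3E115},,(IP)-172.22.2.0,,TMAR,00:0D:56:D5:80:F9,10.0.2.2021,,,,,,,,,,,,,,,,999,,dbe52be8-8e8a-459c-a900-2b922d091b9d,0,TMAR',
    '240A0A000313,4,3,7,DC2,someusername,,,,,,,16777216,"Update to computer DD-QABLACKBOX of virus definition file 81109s failed. Status 00000016",0,,0,,,,,0,,,,,,,,,,,{172C0CB2-A11A-464E-A7D2-D413D488F0A8},,(IP)-172.22.1.2,TMAR,TMAR,00:11:43:32:0E:BA,10.1.0.394,,,,,,,,,,,,,,,,0,25388938387D0247A2FAE1DAE3CF2B08,,,TMAR',
]

# Action codes in fields 9-11 (assumption from the SAV log-format docs; the
# first record's 5,1,3 reproduces "Clean failed : Quarantine failed : Delete
# succeeded" from the Event Viewer entry above).
ACTIONS = {1: "Quarantine", 2: "Rename", 3: "Delete", 4: "Leave alone", 5: "Clean"}

UPDATE_FAIL_RE = re.compile(
    r"Update to computer (\S+) of virus definition file (\S+) failed\. Status (\w+)")

def decode_sav_time(hexstamp):
    """Field 1 is six hex bytes: year-1970, month-1, day, hour, minute, second
    (assumption; it yields 11/9/2006 1:23:58 PM for the first record, matching
    the Event Viewer timestamp quoted above)."""
    yy, mo, dd, hh, mi, ss = (int(hexstamp[i:i + 2], 16) for i in range(0, 12, 2))
    return datetime(1970 + yy, mo + 1, dd, hh, mi, ss)

def parse_sav_record(line):
    """Pull the fields an alert needs out of one comma-separated SAV record."""
    f = next(csv.reader([line]))  # csv handles the quoted description field
    rec = {"time": decode_sav_time(f[0]), "event": int(f[1]), "computer": f[4],
           "user": f[5], "virus": f[6], "file": f[7], "description": f[13]}
    if rec["event"] == 51:  # Security Risk Found (Event ID 51 above)
        rec["actions"] = [ACTIONS.get(int(x), x) for x in f[8:11] if x]
    return rec

def alert_for(rec):
    """Map a record to (level, message); the levels are illustrative, not OSSEC's."""
    if rec["event"] == 51:
        return 12, (f'Security risk {rec["virus"]} found on {rec["computer"]} in '
                    f'{rec["file"]}; final action: {rec["actions"][-1]}')
    m = UPDATE_FAIL_RE.search(rec["description"]) if rec["event"] == 4 else None
    if m:
        return 7, f"Definition update {m.group(2)} to {m.group(1)} failed, status {m.group(3)}"
    return None  # not an event this rule set cares about

if __name__ == "__main__":
    for line in SAV_LOG:
        print(alert_for(parse_sav_record(line)))
```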
