Last active November 28, 2024 07:35
Symantec EndPoint Protection Cheatsheet
```text
2020-01-28 02:40:26 | Virus found | IP Address: 10.10.10.1 | Computer name: COM-01 | Source: Auto-Protect scan | Risk name: EICAR Test String | Occurrences: 1 | File path: C:\Users\user\Downloads\eicar_com\eicar.com | Description: | Actual action: Cleaned by deletion | Requested action: Cleaned | Secondary action: Quarantined | Event time: 2020-01-28 02:38:49 | Event Insert Time: 2020-01-28 02:40:26 | End Time: 2020-01-28 02:38:49 | Last update time: 2020-01-28 02:40:26 | Domain Name: Default | Group Name: My Company\Default Group | Server Name: COM-01 | User Name: user1 | Source Computer Name: | Source Computer IP: | Disposition: Reputation was not used in this detection. | Download site: | Web domain: | Downloaded by: | Prevalence: Reputation was not used in this detection. | Confidence: Reputation was not used in this detection. | URL Tracking Status: On | First Seen: Reputation was not used in this detection. | Sensitivity: | Permitted application reason: Not on the permitted application list | Application hash: 275A021BBFB6489E54D471899F7DB9D1663FC695EC2FE2A2C4538AABF651FD0F | Hash type: SHA2 | Company name: | Application name: eicar.com | Application version: | Application type: 127 | File size (bytes): 68 | Category set: Malware | Category type: Virus | Location: Default | Intensive Protection Level: 0 | Certificate issuer: | Certificate signer: | Certificate thumbprint: | Signing timestamp: 0 | Certificate serial number:
```
| Event Time | Severity | Host Name | Event Description | Local Host IP | Local Host MAC | Remote Host Name | Remote Host IP | Remote Host MAC | Traffic Direction | Network Protocol | Hack Type | Begin Time | End Time | Occurrences | Application Name | Location | User Name | Domain Name | Local Port | Remote Port | CIDS Signature ID | CIDS Signature string | CIDS Signature SubID | Intrusion URL | Intrusion Payload URL | SHA-256 | MD-5 | |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2020-01-04 06:53:24 | Major | COM-01 | Event Description: The client will block traffic from IP address 192.168.1.58 for the next 600 seconds (from 8/4/2020 6:53:23 AM to 8/4/2020 7:03:23 AM). | Local Host IP: 192.168.68.89 | Local Host MAC: 000000000000 | Remote Host Name: | Remote Host IP: 192.168.1.58 | Remote Host MAC: 000000000000 | Inbound | OTHERS | Begin: 2020-01-04 06:53:23 | End Time: 2020-01-04 07:03:23 | Occurrences: 1 | Application: | Location: Default | User Name: user1 | Domain Name: COM-01 | Local Port: 0 | Remote Port: 0 | CIDS Signature ID: 0 | CIDS Signature string: | CIDS Signature SubID: 0 | Intrusion URL: | Intrusion Payload URL: | SHA-256: | MD-5: | ||
| 2020-01-04 06:54:26 | Minor | COM-01 | Event Description: Somebody is scanning your computer. Your computer's TCP ports: 3306, 53, 1720, 21 and 1723 have been scanned from 192.168.1.58. | Local Host IP: 192.168.68.89 | Local Host MAC: 000000000000 | Remote Host Name: | Remote Host IP: 192.168.1.58 | Remote Host MAC: 000000000000 | Inbound | TCP | Begin: 2020-01-04 06:53:22 | End Time: 2020-01-04 06:53:22 | Occurrences: 2 | Application: | Location: Default | User Name: user1 | Domain Name: COM-01 | Local Port: 0 | Remote Port: 0 | CIDS Signature ID: 0 | CIDS Signature string: | CIDS Signature SubID: 0 | Intrusion URL: | Intrusion Payload URL: | SHA-256: | MD-5: | ||
| 2020-01-04 07:04:25 | Info | COM-01 | Event Description: Active Response that started at 8/4/2020 6:53:23 AM is disengaged. The traffic from IP address 192.168.1.58 was blocked for 600 second(s). | Local Host IP: 192.168.68.89 | Local Host MAC: 000000000000 | Remote Host Name: | Remote Host IP: 192.168.1.58 | Remote Host MAC: 000000000000 | Unknown | OTHERS | Begin: 2020-01-04 07:03:23 | End Time: 2020-01-04 07:03:23 | Occurrences: 1 | Application: | Location: Default | User Name: user1 | Domain Name: COM-01 | Local Port: 0 | Remote Port: 0 | CIDS Signature ID: 0 | CIDS Signature string: | CIDS Signature SubID: 0 | Intrusion URL: | Intrusion Payload URL: | SHA-256: | MD-5: | ||
| 2020-01-16 03:48:46 | Critical | COM-01 | Event Description: [SID: 30413] Web Attack: Passwd File Download Attempt attack blocked. Traffic has been blocked for this application: SYSTEM | Local Host IP: 192.168.68.89 | Local Host MAC: 000000000000 | Remote Host Name: | Remote Host IP: 192.168.1.58 | Remote Host MAC: 000000000000 | Inbound | TCP | Intrusion ID: 0 | Begin: 2020-01-16 03:47:45 | End Time: 2020-01-16 03:47:45 | Occurrences: 2 | Application: SYSTEM | Location: Default | User Name: none | Domain Name: | Local Port: 8530 | Remote Port: 58551 | CIDS Signature ID: 30413 | CIDS Signature string: Web Attack: Passwd File Download Attempt | CIDS Signature SubID: 75167 | Intrusion URL: ip-192-168-1-89.ap-southeast-1.compute.internal/../../../../../../../../../../../../etc/passwd | Intrusion Payload URL: | SHA-256: 0000000000000000000000000000000000000000000000000000000000000000 | MD-5: | |
| 2020-01-16 03:48:51 | Info | COM-01 | Event Description: [SID: 30369] Audit: Nessus Vulnerability Scanner Activity 3 attack detected but not blocked. Application path: SYSTEM | Local Host IP: 192.168.68.89 | Local Host MAC: 000000000000 | Remote Host Name: | Remote Host IP: 192.168.1.58 | Remote Host MAC: 000000000000 | Inbound | TCP | Intrusion ID: 0 | Begin: 2020-01-16 03:47:46 | End Time: 2020-01-16 03:47:46 | Occurrences: 1 | Application: SYSTEM | Location: Default | User Name: none | Domain Name: | Local Port: 8530 | Remote Port: 58740 | CIDS Signature ID: 30369 | CIDS Signature string: Audit: Nessus Vulnerability Scanner Activity 3 | CIDS Signature SubID: 74905 | Intrusion URL: ip-192-168-1-89.ap-southeast-1.compute.internal/vxvut0g6.do?<meta%20http-equiv=Set-Cookie%20content=%22testnlzc=9720%22> | Intrusion Payload URL: | SHA-256: 0000000000000000000000000000000000000000000000000000000000000000 | MD-5: | |
| 2020-01-16 03:59:16 | Critical | COM-01 | Event Description: [SID: 27517] Attack: OpenSSL Heartbleed CVE-2014-0160 3 attack blocked. Traffic has been blocked for this application: C:\PROGRAM FILES (X86)\SYMANTEC\SYMANTEC ENDPOINT PROTECTION MANAGER\APACHE\BIN\HTTPD.EXE | Local Host IP: 192.168.68.89 | Local Host MAC: 000000000000 | Remote Host Name: | Remote Host IP: 192.168.1.58 | Remote Host MAC: 000000000000 | Inbound | TCP | Intrusion ID: 0 | Begin: 2020-01-16 03:58:12 | End Time: 2020-01-16 03:58:12 | Occurrences: 1 | Application: C:/PROGRAM FILES (X86)/SYMANTEC/SYMANTEC ENDPOINT PROTECTION MANAGER/APACHE/BIN/HTTPD.EXE | Location: Default | User Name: none | Domain Name: | Local Port: 443 | Remote Port: 64570 | CIDS Signature ID: 27517 | CIDS Signature string: Attack: OpenSSL Heartbleed CVE-2014-0160 3 | CIDS Signature SubID: 81967 | Intrusion URL: | Intrusion Payload URL: | SHA-256: 83A61877F7504CCF1EEC60BD0E782C17BF7FC473EA43BD2042258525B5B058A9 | MD-5: |
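An added example, not part of the gist: a small parser for the pipe-delimited SEP export lines shown above (risk log and network threat log), splitting each line into unlabelled positional fields and `Label: value` fields, plus two triage helpers that pull out what an analyst checks first (detection, action taken, hash; SID, blocked or not, peer IP). The two sample lines are copied from the entries above; the function names are my own.

```python
import re
from typing import Dict, List, Tuple

# Labelled fields look like "Risk name: EICAR Test String"; unlabelled ones (timestamp,
# event name, severity, host, traffic direction, protocol) are kept in order of appearance.
# The label must start with a letter so that timestamps such as "2020-01-28 02:40:26" stay positional.
_LABEL_RE = re.compile(r"^([A-Za-z][A-Za-z0-9 \-()]*): ?(.*)$")

def parse_sep_line(line: str) -> Tuple[List[str], Dict[str, str]]:
    """Split one pipe-delimited SEP export line into positional and labelled fields."""
    positional: List[str] = []
    labelled: Dict[str, str] = {}
    for field in line.strip().strip("|").split(" | "):
        field = field.strip()
        if not field:
            continue
        m = _LABEL_RE.match(field)
        if m:
            labelled[m.group(1)] = m.group(2).strip()
        else:
            positional.append(field)
    return positional, labelled

def triage_risk(labelled: Dict[str, str]) -> Dict[str, str]:
    """Pull the fields an analyst checks first from an Auto-Protect / AV risk event."""
    sha256 = labelled.get("Application hash", "") if labelled.get("Hash type") == "SHA2" else ""
    return {"risk": labelled.get("Risk name", ""), "action": labelled.get("Actual action", ""),
            "path": labelled.get("File path", ""), "sha256": sha256}

def triage_ips(positional: List[str], labelled: Dict[str, str]) -> Dict[str, object]:
    """Summarise an IPS/firewall event; 'blocked' keys on SEP's 'attack blocked' wording."""
    desc = labelled.get("Event Description", "")
    return {"severity": positional[1] if len(positional) > 1 else "",
            "sid": labelled.get("CIDS Signature ID", "0"),
            "signature": labelled.get("CIDS Signature string", ""),
            "blocked": "attack blocked" in desc,
            "remote_ip": labelled.get("Remote Host IP", ""),
            "local_port": labelled.get("Local Port", "")}

# Sample lines copied from the log entries above (risk log, then network threat log).
RISK_LINE = r"2020-01-28 02:40:26 | Virus found | IP Address: 10.10.10.1 | Computer name: COM-01 | Source: Auto-Protect scan | Risk name: EICAR Test String | Occurrences: 1 | File path: C:\Users\user\Downloads\eicar_com\eicar.com | Description: | Actual action: Cleaned by deletion | Requested action: Cleaned | Secondary action: Quarantined | Event time: 2020-01-28 02:38:49 | Event Insert Time: 2020-01-28 02:40:26 | End Time: 2020-01-28 02:38:49 | Last update time: 2020-01-28 02:40:26 | Domain Name: Default | Group Name: My Company\Default Group | Server Name: COM-01 | User Name: user1 | Source Computer Name: | Source Computer IP: | Disposition: Reputation was not used in this detection. | Download site: | Web domain: | Downloaded by: | Prevalence: Reputation was not used in this detection. | Confidence: Reputation was not used in this detection. | URL Tracking Status: On | First Seen: Reputation was not used in this detection. | Sensitivity: | Permitted application reason: Not on the permitted application list | Application hash: 275A021BBFB6489E54D471899F7DB9D1663FC695EC2FE2A2C4538AABF651FD0F | Hash type: SHA2 | Company name: | Application name: eicar.com | Application version: | Application type: 127 | File size (bytes): 68 | Category set: Malware | Category type: Virus | Location: Default | Intensive Protection Level: 0 | Certificate issuer: | Certificate signer: | Certificate thumbprint: | Signing timestamp: 0 | Certificate serial number:"
IPS_LINE = r"2020-01-16 03:59:16 | Critical | COM-01 | Event Description: [SID: 27517] Attack: OpenSSL Heartbleed CVE-2014-0160 3 attack blocked. Traffic has been blocked for this application: C:\PROGRAM FILES (X86)\SYMANTEC\SYMANTEC ENDPOINT PROTECTION MANAGER\APACHE\BIN\HTTPD.EXE | Local Host IP: 192.168.68.89 | Local Host MAC: 000000000000 | Remote Host Name: | Remote Host IP: 192.168.1.58 | Remote Host MAC: 000000000000 | Inbound | TCP | Intrusion ID: 0 | Begin: 2020-01-16 03:58:12 | End Time: 2020-01-16 03:58:12 | Occurrences: 1 | Application: C:/PROGRAM FILES (X86)/SYMANTEC/SYMANTEC ENDPOINT PROTECTION MANAGER/APACHE/BIN/HTTPD.EXE | Location: Default | User Name: none | Domain Name: | Local Port: 443 | Remote Port: 64570 | CIDS Signature ID: 27517 | CIDS Signature string: Attack: OpenSSL Heartbleed CVE-2014-0160 3 | CIDS Signature SubID: 81967 | Intrusion URL: | Intrusion Payload URL: | SHA-256: 83A61877F7504CCF1EEC60BD0E782C17BF7FC473EA43BD2042258525B5B058A9 | MD-5:"

if __name__ == "__main__":
    pos, lab = parse_sep_line(RISK_LINE)
    print(triage_risk(lab))
    pos, lab = parse_sep_line(IPS_LINE)
    print(triage_ips(pos, lab))
```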
```bat
REM Delete LiveUpdate Administrator content last modified more than a day ago from the local distribution folder.
forfiles -p "C:\Program Files (x86)\Symantec\LiveUpdate Administrator\clu-prod" -s -m *.* -d -1 -c "cmd /c del @path"
REM Open the folder for a visual check of what is left.
explorer "C:\Program Files (x86)\Symantec\LiveUpdate Administrator\clu-prod"
REM Mirror the remaining content to S3: clear the prefix, then upload the folder recursively.
call aws s3 rm s3://my-bucket/clu-prod --recursive
call aws s3 cp "C:/Program Files (x86)/Symantec/LiveUpdate Administrator/clu-prod/" s3://my-bucket/clu-prod --recursive
```