SmartConnector Support for v. 14.2 Symantec Endpoint Protection

Idea ID 2803986

The customer has been looking forward to support for Symantec Endpoint Protection version 14.2 (the current SmartConnector release supports SEP version 14.0 only).

Sample SEP events from the customer environment are included below in this entry.

The customer is willing to provide more samples and SEP logs if required, to ease estimation of the scope of work and the delivery timeline.

Virus found syslog event:
<54>Aug 20 14:07:48 <hostname_of_customer_environment> SymantecServer: Virus found,IP Address: <IP_address_of_customer_environment>,Computer name: <hostname_of_customer_environment>,Source: Auto-Protect scan,Risk name: W32.Pholdicon,Occurrences: 1,File path: C:\ProgramData\Symantec\DefWatch.DWH\DWH11F4.exe,Description: ,Actual action: Deleted,Requested action: Deleted,Secondary action: Deleted,Event time: 2019-08-20 11:58:37,Event Insert Time: 2019-08-20 12:28:28,End Time: 2019-08-20 11:58:37,Last update time: 2019-08-20 14:07:48,Domain Name: PRG-DC,Group Name: My Company\EEMEA\GPWS\ZA\Express\Desktops,Server Name: <hostname_of_customer_environment>,User Name: SYSTEM,Source Computer Name: ,Source Computer IP: ,Disposition: Bad,Download site: ,Web domain: ,Downloaded by: ,Prevalence: This file has been seen by tens of thousands of Symantec users.,Confidence: This file is untrustworthy.,URL Tracking Status: Off,First Seen: Reputation was not used in this detection.,Sensitivity: Low,Permitted application reason: Not on the permitted application list,Application hash: F96FD5F6E577AACF3579CDD0364D7ACDE18A479497975554AED82D559A215A40,Hash type: SHA2,Company name: ,Application name: System Volume Information.exe,Application version: ,Application type: 127,File size (bytes): 1568450,Category set: Malware,Category type: Virus,Location: Office,Intensive Protection Level: 0,Certificate issuer: ,Certificate signer: ,Certificate thumbprint: ,Signing timestamp: ,Certificate serial number:
 
Potential Risk found syslog event:
<54>Aug 27 10:31:12 <hostname_of_customer_environment> SymantecServer: Potential risk found,IP Address: <IP_address_of_customer_environment>,Computer name: <hostname_of_customer_environment>,Source: Auto-Protect scan,Risk name: SecurityRisk.Mtray,Occurrences: 1,File path: Unavailable,Description: ,Actual action: Left alone,Requested action: Left alone,Secondary action: Left alone,Event time: 2019-08-27 10:30:10,Event Insert Time: 2019-08-27 10:31:12,End Time: 2019-08-27 10:30:10,Last update time: 2019-08-27 10:31:12,Domain Name: PRG-DC,Group Name: My Company\EMEA\GPWS\FR\Express\Notebooks,Server Name: <hostname_of_customer_environment>,User Name: Système,Source Computer Name: ,Source Computer IP: ,Disposition: Good,Download site: null,Web domain: null,Downloaded by: null,Prevalence: Reputation was not used in this detection.,Confidence: Reputation was not used in this detection.,URL Tracking Status: Off,First Seen: Reputation was not used in this detection.,Sensitivity: Low,Permitted application reason: Not on the permitted application list,Application hash: ,Hash type: SHA1,Company name: ,Application name: ,Application version: ,Application type: -1,File size (bytes): 0,Category set: Security risk,Category type: Security Risk,Location: VPN,Intensive Protection Level: 0,Certificate issuer: ,Certificate signer: ,Certificate thumbprint: ,Signing timestamp: ,Certificate serial number:
 
Security risk found syslog event:
<54>Aug 27 10:43:26 <hostname_of_customer_environment> SymantecServer: Security risk found,IP Address: <IP_address_of_customer_environment>,Computer name: <hostname_of_customer_environment>,Source: Auto-Protect scan,Risk name: WS.Reputation.1,Occurrences: 1,File path: C:\Users\irechins\Documents\# PROJECTS&TASKS\_ANALITICS_\EcomNotification\EcomNotification_1.1\Release\Ecom Notification.exe,Description: ,Actual action: Quarantined,Requested action: Quarantined,Secondary action: Deleted,Event time: 2019-08-27 10:41:48,Event Insert Time: 2019-08-27 10:43:26,End Time: 2019-08-27 10:41:48,Last update time: 2019-08-27 10:43:26,Domain Name: PRG-DC,Group Name: My Company\EEMEA\GPWS\RU\Express\Notebooks,Server Name: <hostname_of_customer_environment>,User Name: SYSTEM,Source Computer Name: ,Source Computer IP: ,Disposition: Bad,Download site: ,Web domain: ,Downloaded by: slack.exe,Prevalence: Unknown,Confidence: There is not enough information about this file to recommend it.,URL Tracking Status: On,First Seen: Symantec has known about this file approximately 2 days.,Sensitivity: ,Permitted application reason: Not on the permitted application list,Application hash: D3078D4C01028D9F0C5E3AF207D4C902DD5648ADC35039A5B4AF9E8E3E16A238,Hash type: SHA2,Company name: ,Application name: Notification,Application version: 1.0.0.0,Application type: 127,File size (bytes): 29184,Category set: Malware,Category type: Insight Network Threat,Location: Office,Intensive Protection Level: 0,Certificate issuer: ,Certificate signer: ,Certificate thumbprint: ,Signing timestamp: 0,Certificate serial number:
 
Compressed file syslog event:
<54>Aug 27 11:39:43 <hostname_of_customer_environment> SymantecServer: Compressed File,IP Address: <IP_address_of_customer_environment>,Computer name: <hostname_of_customer_environment>,Source: On-Demand scan,Risk name: SecurityRisk.Mtray,Occurrences: 1,File path: C:\Windows\System32\DriverStore\FileRepository\chdrt.inf_amd64_f1c368d4dc55f171\MicTray.cab,Description: Still contains 2 infected items,Actual action: Quarantined,Requested action: Quarantined,Secondary action: Left alone,Event time: 2019-08-27 10:49:15,Event Insert Time: 2019-08-27 10:50:03,End Time: 2019-08-27 10:49:15,Last update time: 2019-08-27 11:39:43,Domain Name: PRG-DC,Group Name: My Company\EMEA\GPWS\_ITSCPRG\GBS\Notebooks,Server Name: <hostname_of_customer_environment>,User Name: operator_ddesiena,Source Computer Name: ,Source Computer IP: ,Disposition: Good,Download site: null,Web domain: null,Downloaded by: null,Prevalence: Reputation was not used in this detection.,Confidence: Reputation was not used in this detection.,URL Tracking Status: Off,First Seen: Reputation was not used in this detection.,Sensitivity: Low,Permitted application reason: Not on the permitted application list,Application hash: ,Hash type: SHA1,Company name: ,Application name: ,Application version: ,Application type: -1,File size (bytes): 0,Category set: Security risk,Category type: Security Risk,Location: Office,Intensive Protection Level: 0,Certificate issuer: ,Certificate signer: ,Certificate thumbprint: ,Signing timestamp: ,Certificate serial number:

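Added example, not code from the original post, from Symantec or from the ArcSight SmartConnector: a stand-alone Python parser for the 14.2 syslog format shown in the four samples above. The header regex, the comma-splitting rule and the needs_follow_up heuristic (anything other than Deleted/Quarantined/Cleaned, or a container that "Still contains" infected items, is treated as unresolved) are assumptions made here; the sample lines are copied from the post with its placeholders intact.

```python
"""Parse Symantec Endpoint Protection 14.2 risk events as delivered over syslog.

Added example for this page: not code from the post's author, from Symantec,
or from the ArcSight SmartConnector. Field names come from the four sample
lines in the post; the follow-up heuristic is an assumption.
"""
import re
from dataclasses import dataclass

# Syslog header exactly as in the samples: <PRI>Mon DD HH:MM:SS host SymantecServer: body
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) SymantecServer: (?P<body>.*)$"
)

# Body is "Event type,Key: Value,Key: Value,...". Values carry spaces, dots and
# backslashes (reputation sentences, Windows paths), so split only on a comma
# that is followed by a capitalised key, a colon, and a space or end-of-line
# (the last key, "Certificate serial number:", has no trailing space when empty).
FIELD_SPLIT_RE = re.compile(r",(?=[A-Z][A-Za-z0-9 ()]*:(?: |$))")

# Assumption (not a Symantec definition): any other "Actual action", or a
# container that "Still contains" infected items, leaves the risk on the host.
REMEDIATED_ACTIONS = {"Deleted", "Quarantined", "Cleaned"}


@dataclass
class SepRiskEvent:
    priority: int
    syslog_time: str
    host: str
    event_type: str      # "Virus found", "Security risk found", ...
    fields: dict         # "Risk name" -> "W32.Pholdicon", ...

    @property
    def facility(self) -> int:
        return self.priority >> 3    # <54> -> 6

    @property
    def severity(self) -> int:
        return self.priority & 7     # <54> -> 6 (informational)


def parse_sep_event(line: str) -> SepRiskEvent:
    """Parse one line; raise ValueError if it is not a SymantecServer syslog record."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError("not a SymantecServer syslog line")
    segments = FIELD_SPLIT_RE.split(m.group("body"))
    event_type, pairs = segments[0], segments[1:]
    fields = {}
    for seg in pairs:
        key, _, value = seg.partition(":")   # first colon ends the key; "C:\..." stays intact
        fields[key.strip()] = value.strip()
    return SepRiskEvent(int(m.group("pri")), m.group("ts"), m.group("host"), event_type, fields)


def needs_follow_up(ev: SepRiskEvent) -> bool:
    """True when SEP reported the risk but did not (fully) remove it."""
    action = ev.fields.get("Actual action", "")
    description = ev.fields.get("Description", "")
    return action not in REMEDIATED_ACTIONS or description.startswith("Still contains")


def summarize(lines) -> list:
    """(event type, risk name, actual action, needs follow-up) for each line."""
    rows = []
    for line in lines:
        ev = parse_sep_event(line)
        rows.append((ev.event_type, ev.fields["Risk name"], ev.fields["Actual action"], needs_follow_up(ev)))
    return rows


# The four sample events from the post, verbatim, placeholders included.
SAMPLE_EVENTS = [
    r"<54>Aug 20 14:07:48 <hostname_of_customer_environment> SymantecServer: Virus found,IP Address: <IP_address_of_customer_environment>,Computer name: <hostname_of_customer_environment>,Source: Auto-Protect scan,Risk name: W32.Pholdicon,Occurrences: 1,File path: C:\ProgramData\Symantec\DefWatch.DWH\DWH11F4.exe,Description: ,Actual action: Deleted,Requested action: Deleted,Secondary action: Deleted,Event time: 2019-08-20 11:58:37,Event Insert Time: 2019-08-20 12:28:28,End Time: 2019-08-20 11:58:37,Last update time: 2019-08-20 14:07:48,Domain Name: PRG-DC,Group Name: My Company\EEMEA\GPWS\ZA\Express\Desktops,Server Name: <hostname_of_customer_environment>,User Name: SYSTEM,Source Computer Name: ,Source Computer IP: ,Disposition: Bad,Download site: ,Web domain: ,Downloaded by: ,Prevalence: This file has been seen by tens of thousands of Symantec users.,Confidence: This file is untrustworthy.,URL Tracking Status: Off,First Seen: Reputation was not used in this detection.,Sensitivity: Low,Permitted application reason: Not on the permitted application list,Application hash: F96FD5F6E577AACF3579CDD0364D7ACDE18A479497975554AED82D559A215A40,Hash type: SHA2,Company name: ,Application name: System Volume Information.exe,Application version: ,Application type: 127,File size (bytes): 1568450,Category set: Malware,Category type: Virus,Location: Office,Intensive Protection Level: 0,Certificate issuer: ,Certificate signer: ,Certificate thumbprint: ,Signing timestamp: ,Certificate serial number:",
    r"<54>Aug 27 10:31:12 <hostname_of_customer_environment> SymantecServer: Potential risk found,IP Address: <IP_address_of_customer_environment>,Computer name: <hostname_of_customer_environment>,Source: Auto-Protect scan,Risk name: SecurityRisk.Mtray,Occurrences: 1,File path: Unavailable,Description: ,Actual action: Left alone,Requested action: Left alone,Secondary action: Left alone,Event time: 2019-08-27 10:30:10,Event Insert Time: 2019-08-27 10:31:12,End Time: 2019-08-27 10:30:10,Last update time: 2019-08-27 10:31:12,Domain Name: PRG-DC,Group Name: My Company\EMEA\GPWS\FR\Express\Notebooks,Server Name: <hostname_of_customer_environment>,User Name: Système,Source Computer Name: ,Source Computer IP: ,Disposition: Good,Download site: null,Web domain: null,Downloaded by: null,Prevalence: Reputation was not used in this detection.,Confidence: Reputation was not used in this detection.,URL Tracking Status: Off,First Seen: Reputation was not used in this detection.,Sensitivity: Low,Permitted application reason: Not on the permitted application list,Application hash: ,Hash type: SHA1,Company name: ,Application name: ,Application version: ,Application type: -1,File size (bytes): 0,Category set: Security risk,Category type: Security Risk,Location: VPN,Intensive Protection Level: 0,Certificate issuer: ,Certificate signer: ,Certificate thumbprint: ,Signing timestamp: ,Certificate serial number:",
    r"<54>Aug 27 10:43:26 <hostname_of_customer_environment> SymantecServer: Security risk found,IP Address: <IP_address_of_customer_environment>,Computer name: <hostname_of_customer_environment>,Source: Auto-Protect scan,Risk name: WS.Reputation.1,Occurrences: 1,File path: C:\Users\irechins\Documents\# PROJECTS&TASKS\_ANALITICS_\EcomNotification\EcomNotification_1.1\Release\Ecom Notification.exe,Description: ,Actual action: Quarantined,Requested action: Quarantined,Secondary action: Deleted,Event time: 2019-08-27 10:41:48,Event Insert Time: 2019-08-27 10:43:26,End Time: 2019-08-27 10:41:48,Last update time: 2019-08-27 10:43:26,Domain Name: PRG-DC,Group Name: My Company\EEMEA\GPWS\RU\Express\Notebooks,Server Name: <hostname_of_customer_environment>,User Name: SYSTEM,Source Computer Name: ,Source Computer IP: ,Disposition: Bad,Download site: ,Web domain: ,Downloaded by: slack.exe,Prevalence: Unknown,Confidence: There is not enough information about this file to recommend it.,URL Tracking Status: On,First Seen: Symantec has known about this file approximately 2 days.,Sensitivity: ,Permitted application reason: Not on the permitted application list,Application hash: D3078D4C01028D9F0C5E3AF207D4C902DD5648ADC35039A5B4AF9E8E3E16A238,Hash type: SHA2,Company name: ,Application name: Notification,Application version: 1.0.0.0,Application type: 127,File size (bytes): 29184,Category set: Malware,Category type: Insight Network Threat,Location: Office,Intensive Protection Level: 0,Certificate issuer: ,Certificate signer: ,Certificate thumbprint: ,Signing timestamp: 0,Certificate serial number:",
    r"<54>Aug 27 11:39:43 <hostname_of_customer_environment> SymantecServer: Compressed File,IP Address: <IP_address_of_customer_environment>,Computer name: <hostname_of_customer_environment>,Source: On-Demand scan,Risk name: SecurityRisk.Mtray,Occurrences: 1,File path: C:\Windows\System32\DriverStore\FileRepository\chdrt.inf_amd64_f1c368d4dc55f171\MicTray.cab,Description: Still contains 2 infected items,Actual action: Quarantined,Requested action: Quarantined,Secondary action: Left alone,Event time: 2019-08-27 10:49:15,Event Insert Time: 2019-08-27 10:50:03,End Time: 2019-08-27 10:49:15,Last update time: 2019-08-27 11:39:43,Domain Name: PRG-DC,Group Name: My Company\EMEA\GPWS\_ITSCPRG\GBS\Notebooks,Server Name: <hostname_of_customer_environment>,User Name: operator_ddesiena,Source Computer Name: ,Source Computer IP: ,Disposition: Good,Download site: null,Web domain: null,Downloaded by: null,Prevalence: Reputation was not used in this detection.,Confidence: Reputation was not used in this detection.,URL Tracking Status: Off,First Seen: Reputation was not used in this detection.,Sensitivity: Low,Permitted application reason: Not on the permitted application list,Application hash: ,Hash type: SHA1,Company name: ,Application name: ,Application version: ,Application type: -1,File size (bytes): 0,Category set: Security risk,Category type: Security Risk,Location: Office,Intensive Protection Level: 0,Certificate issuer: ,Certificate signer: ,Certificate thumbprint: ,Signing timestamp: ,Certificate serial number:",
]

if __name__ == "__main__":
    for row in summarize(SAMPLE_EVENTS):
        print(row)
```

The split rule is the part worth checking against real traffic: the reputation sentences and Windows paths contain spaces, dots and backslashes, several values are empty, and the final "Certificate serial number:" carries no value, so splitting on every comma or on every colon misaligns the fields. Two of the four samples (Left alone; Quarantined but "Still contains 2 infected items") are the ones an analyst would want surfaced rather than silently dropped.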
11 Comments
Knowledge Partner

This is catching out a few customers now: they are not noticing that virus alerts have stopped when upgrading to SEP 14.2+. All other logs still seem to be OK.
Can you prioritise support for the "alerts" parser?

Schema for 14.2 is here: https://knowledge.broadcom.com/external/article?articleId=185076

Super Contributor

We experienced the same problem with SEP 14.2 and SmartConnector 7.14. The associated "alerts" table and "virus found" events were not working. We had to roll back to SmartConnector 7.11.

Knowledge Partner

@MicroFocus From looking at the parsers, the query appears to be wrong:

in the select statement for the alerts 14.2 parser you have:

<redacted> ....

where alerts.DELETED = ' + ? + ' OR alerts.DELETED IS NULL \
AND (com.DELETED = 0 OR com.DELETED IS NULL) \
AND (site.DELETED = 0 OR site.DELETED IS NULL) \
AND (server.DELETED = 0 OR server.DELETED IS NULL) \
AND (app.DELETED = 0 OR app.DELETED IS NULL) \
AND (hppalerts.DELETED = 0 OR hppalerts.DELETED IS NULL) \
order by alerts.TIME_STAMP')

I believe it should be:

<redacted>....

where alerts.TIME_STAMP >= ' + ? + ' \
AND (alerts.DELETED = 0 OR alerts.DELETED IS NULL) \
AND (com.DELETED = 0 OR com.DELETED IS NULL) \
AND (site.DELETED = 0 OR site.DELETED IS NULL) \
AND (server.DELETED = 0 OR server.DELETED IS NULL) \
AND (app.DELETED = 0 OR app.DELETED IS NULL) \
AND (hppalerts.DELETED = 0 OR hppalerts.DELETED IS NULL) \
order by alerts.TIME_STAMP')

Otherwise, the select statement will always return NULL.

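An added, self-contained illustration of the two changes proposed in the comment above; this is not the connector's code. The full SELECT and the SEPM schema are redacted in the thread, so the tables alerts and com, the columns ALERT_ID, COMPUTER_ID, TIME_STAMP and DELETED, and the rows are all constructed here, and the other DELETED-filtered tables (site, server, app, hppalerts) are left out because they follow the same pattern. The first query binds the watermark to TIME_STAMP and parenthesises the alerts.DELETED test; the second keeps the same predicates and drops only those parentheses, to show how SQL's AND (which binds tighter than OR) regroups the WHERE clause.

```python
"""WHERE-clause grouping for the SEP alerts query, on a constructed SQLite schema.

Added example for this page, not the SmartConnector's own query: the real
SEPM schema and the full SELECT are redacted in the thread, so only the
columns visible in the quoted fragment are modelled.
"""
import sqlite3

# Constructed rows: (ALERT_ID, TIME_STAMP, alerts.DELETED, COMPUTER_ID).
# Computer 2 is a soft-deleted com record; alert 2 has DELETED = NULL.
ALERTS = [
    (1, 100, 0, 1),
    (2, 200, None, 1),
    (3, 300, 1, 1),
    (4, 400, 0, 2),
    (5, 50, 0, 1),
]
COMPUTERS = [(1, 0), (2, 1)]   # (COMPUTER_ID, com.DELETED)

# Shape proposed in the comment: the bound parameter is the TIME_STAMP
# watermark and every DELETED test, alerts included, sits in parentheses.
CORRECTED = """
SELECT a.ALERT_ID
FROM alerts a JOIN com c ON c.COMPUTER_ID = a.COMPUTER_ID
WHERE a.TIME_STAMP >= ?
  AND (a.DELETED = 0 OR a.DELETED IS NULL)
  AND (c.DELETED = 0 OR c.DELETED IS NULL)
ORDER BY a.TIME_STAMP
"""

# Identical predicates without the parentheses around the alerts.DELETED test.
# AND binds tighter than OR, so the planner reads this as
#   (TIME_STAMP >= ? AND a.DELETED = 0) OR (a.DELETED IS NULL AND <com test>)
# and the com.DELETED filter no longer applies to non-NULL alerts rows.
UNPARENTHESISED = """
SELECT a.ALERT_ID
FROM alerts a JOIN com c ON c.COMPUTER_ID = a.COMPUTER_ID
WHERE a.TIME_STAMP >= ?
  AND a.DELETED = 0 OR a.DELETED IS NULL
  AND (c.DELETED = 0 OR c.DELETED IS NULL)
ORDER BY a.TIME_STAMP
"""


def build_db() -> sqlite3.Connection:
    """In-memory database holding the constructed alerts and com rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE alerts (ALERT_ID INTEGER, TIME_STAMP INTEGER, DELETED INTEGER, COMPUTER_ID INTEGER);
        CREATE TABLE com (COMPUTER_ID INTEGER, DELETED INTEGER);
    """)
    conn.executemany("INSERT INTO alerts VALUES (?, ?, ?, ?)", ALERTS)
    conn.executemany("INSERT INTO com VALUES (?, ?)", COMPUTERS)
    return conn


def alert_ids(sql: str, since: int) -> list:
    """Run one of the two queries with the watermark bound as its single parameter."""
    conn = build_db()
    try:
        return [row[0] for row in conn.execute(sql, (since,))]
    finally:
        conn.close()


if __name__ == "__main__":
    print("corrected:      ", alert_ids(CORRECTED, 100))        # [1, 2]
    print("unparenthesised:", alert_ids(UNPARENTHESISED, 100))  # [1, 2, 4]
```

Alert 4 is the one to look at: its own DELETED flag is 0, but it belongs to a deleted computer record, so the parenthesised form excludes it and the unparenthesised form lets it through. The same precedence applies to the site, server, app and hppalerts tests in the real query.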
Established Member

Is there a timeline to support SEP v14.2 ?

The documentation still says 14.0.

Regular Contributor
Status changed to: New Idea

Hi all out there,

Did you see that there were changes to the Symantec SEP DB connector to address alert mapping for 14.2 in SC release 7.15.1.8305.0? The changelog says "Added Alert Maping for 14.2". Sounds quite close to what's been discussed here.

I know it's not the syslog one, but maybe worth testing?

Please let me know if that helps,

M

Knowledge Partner

No, it doesn't work; the DB query is wrong. Hopefully it can be fixed in the next release.

Micro Focus Frequent Contributor
Status changed to: Accepted

Micro Focus Frequent Contributor

Greetings,

We are actively working on this request.

It is in the immediate roadmap, currently being targeted for the SmartConnector 8.0.1 parser update release.

Thank you,

Emrah Alpa
Sr. Product Manager | ArcSight Global Content & Connectors
Micro Focus

Super Contributor

@Emrah Alpa 

What is the expected release date of SmartConnector 8.0.1?

This is another example of a huge lag time between product release and ArcSight SmartConnector support. Symantec Endpoint Protection 14.2 was released over two years ago and is still not supported.

Established Member

Right. Kindly provide ETA for 8.0.1.
