Absent Member.

Kaspersky Antivirus

Hi to all.
ArcSight currently officially supports Kaspersky Anti-Virus 6.0 for Windows Workstations, Kaspersky Anti-Virus 6.0 for Windows Servers Enterprise Edition, Kaspersky Administration Kit 8.0, and Kaspersky Endpoint Security 10.0 for Windows.
But the parsing is stupid and all event details go into the message field.

I think it's not completely ArcSight's fault, because KAV itself writes its log into the database in such a strange, huge multiline form. Obviously its developers have no idea about database normalization.


I've attached my rough-and-ready parser addition for Kaspersky events.
How it works:

  1. tested with SC versions >= 7.0. As far as I remember, only starting with that version does the connector write the flexString1 field, which my parsers use. Maybe I'm wrong.
  2. uses additional regex parsing, so you should place the configs into the current\user\agent\fcp\additionalregexparsing\kaspersky_db directory
  3. parses not all event types, but only the most interesting ones (12 for my use cases).
  4. multiline regexes for the inconvenient KAV logs.

Drawbacks:

  1. performance, because of reprocessing the same field (message). But currently customers do not have performance issues.
  2. a hell of a lot of spam in agent.log complaining that something "does not match regular expression". Not lethal, but annoying in case you try to troubleshoot something via that log.
  3. the parser works only with the events which have a value in the flexString1 field. Most of the interesting events do have flexString1, but I believe something may be missed.
  4. regex0 is the main parser for most of the events. regex1 is an additional parser for host status change events only.

My question is: does somebody have any ideas or KAV parser implementations that they want to share too? I believe my approach can be redesigned, improved or changed. But I'm sooo lazy

P.S. Unfortunately I work with the Russian localization of KAV only, so the example events in the configs are in Cyrillic. But I think other localizations use the same EventIDs and event format, so it's easy to adapt.

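The mechanics the post describes (re-parsing the connector's message field with multiline regexes, a main regex0 plus a host-status-only regex1, gating on flexString1, and non-matching messages being left alone but logged) can be illustrated outside ArcSight. The Python below is an added example written for this page; it is not the poster's attached parser and not ArcSight's additional-regex-parsing format. The multiline message layouts, the flexString1 values and the mapping of regex groups onto event fields are all constructed assumptions, not the real Kaspersky log format or EventIDs.

```python
import re

# Constructed multiline layouts (ASSUMPTION: not the real KAV database format).
# regex0: main parser for most events.
REGEX0 = re.compile(
    r"Event:\s*(?P<event_name>.+?)\n"
    r"Object:\s*(?P<object_path>.+?)\n"
    r"Threat:\s*(?P<threat_name>.+?)\n"
    r"Action:\s*(?P<action>.+?)$",
    re.MULTILINE,
)

# regex1: only for host status change events.
REGEX1 = re.compile(
    r"Host status changed\n"
    r"Host:\s*(?P<host>.+?)\n"
    r"Old status:\s*(?P<old_status>.+?)\n"
    r"New status:\s*(?P<new_status>.+?)$",
    re.MULTILINE,
)

# ASSUMPTION: which regex group lands in which ArcSight-style event field.
FIELD_MAP = {
    "event_name": "name",
    "object_path": "filePath",
    "threat_name": "deviceCustomString1",
    "action": "deviceAction",
    "host": "destinationHostName",
    "old_status": "deviceCustomString2",
    "new_status": "deviceCustomString3",
}


def parse_event(event, agent_log):
    """Return a copy of `event` enriched from its message.

    Events without flexString1 are skipped (the post's drawback 3).
    Messages matching neither regex are left untouched, and a line is
    appended to `agent_log`, which is the agent.log noise of drawback 2.
    """
    out = dict(event)
    if not event.get("flexString1"):
        agent_log.append("skipped: no flexString1 on event")
        return out
    msg = event.get("message", "")
    for name, rx in (("regex0", REGEX0), ("regex1", REGEX1)):
        m = rx.search(msg)
        if m:
            for group, value in m.groupdict().items():
                out[FIELD_MAP[group]] = value.strip()
            out["parser"] = name  # which regex produced the fields
            return out
    agent_log.append("message does not match regular expression (regex0, regex1)")
    return out


def parse_all(events):
    """Run every event through parse_event; return (events, simulated agent.log)."""
    agent_log = []
    return [parse_event(e, agent_log) for e in events], agent_log


# Constructed sample events; flexString1 values are placeholders, not KAV IDs.
SAMPLE_EVENTS = [
    {  # detection event, handled by regex0
        "flexString1": "sample-id-1",
        "message": "Event: Malicious object detected\n"
                   "Object: C:\\Users\\bob\\Downloads\\invoice.exe\n"
                   "Threat: EICAR-Test-File\n"
                   "Action: Deleted\n",
    },
    {  # host status change, handled by regex1
        "flexString1": "sample-id-2",
        "message": "Host status changed\nHost: WS-042\n"
                   "Old status: OK\nNew status: Critical\n",
    },
    {  # matches nothing: left as-is, logged
        "flexString1": "sample-id-3",
        "message": "License expires in 3 days",
    },
    {  # no flexString1: never parsed
        "message": "Event: something\nObject: x\nThreat: y\nAction: z\n",
    },
]

if __name__ == "__main__":
    parsed, log = parse_all(SAMPLE_EVENTS)
    for e in parsed:
        print(e.get("parser", "-"), {k: v for k, v in e.items() if k != "message"})
    print("\n".join(log))
```

The ordering matters the way the post describes: regex0 is tried first and regex1 only as a fallback for the host status layout, and every event that matches neither still passes through unchanged, so the cost of the approach is a second pass over `message` for each event plus one log line per miss.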