Dallas Security-DLP User Group


How to Integrate Symantec Endpoint Recovery Tool (SERT) with other Tools within the WinPE Environment 

Jul 15, 2011 12:28 PM

Prerequisites

  1. Install Windows OPK tools or Windows AIK tools on your computer.

Introduction

The Symantec Endpoint Recovery Tool (SERT) is a great tool for scanning systems offline. If you are a current Symantec Endpoint Protection customer it is a must-have utility and belongs in your malware fighting and cleanup arsenal. By default SERT is ready to use once you download the ISO and burn it to CD or write it to a bootable USB drive.

The SERT tool runs in a 32-bit WinPE environment and allows you to launch 3rd party tools before the scanner. This article explains how to integrate SERT into an existing WinPE build that may already include other 3rd party tools, such as utilities to unlock 3rd party FDE drives, Symantec Ghost, and custom tools/scripts.

Note: This article assumes you already have a custom WinPE image created.

Integrating SERT to an existing WinPE build

Step 1 (Download SERT ISO and Custom WinPE Build)

1. Download the latest version of SERT from File Connect to your PC.
2. Copy/Download your custom WinPE build to your PC (WinPE must be built on 32bit not 64bit).

Step 2 (Extract Contents from ISO)

1. Mount the SERT ISO to prepare for the extraction of the SERT utility (e.g. with MagicISO).
2. Once mounted copy everything to a directory on your PC.
3. Unmount the SERT ISO.

Step 3 (Extract SERT Utilities, Pca directory, by using ImageX and copy over the Symantec_NBRT Directory)

1. Create three directories named Image, Mount, SERT-Files. For this example let's assume c:\Image | c:\Mount | c:\SERT-Files are the working directories.
2. Navigate to the SERT files extracted from the ISO. Copy the BOOT.WIM file located in the Sources directory to c:\Image
3. Open a command prompt (Windows Vista/Win7 users need to right-click > run as administrator).
4. Open the ImageX directory: C:\Program Files\<version>\Tools\x86  (<version> = OPK or Windows AIK)
5. Mount the SERT WIM file by typing the following at the command prompt: imagex /mountrw c:\Image\BOOT.WIM <volume number> c:\Mount

(<volume number> is the index of the specific image inside the .wim file. List the available indexes with imagex /info c:\Image\BOOT.WIM; usually the value is 1 or 2.)

6. Navigate to the c:\Mount directory and copy the Utilities and Pca directories, with all of the files within them, to the c:\SERT-Files directory.
7. Unmount the SERT WIM file by typing the following at the command prompt: imagex /unmount c:\Mount (no /commit, so the SERT image itself is left untouched)
8. Leave the Command Prompt open for Step 4 below.
9. Delete the BOOT.WIM file in the c:\Image directory.
10. Navigate to the SERT files extracted from the ISO. Copy the SYMANTEC_NBRT directory located in the Sources directory to c:\SERT-Files

Step 4 (Mount Custom WinPE image to add SERT Utility and/or other 3rd party tools and scripts)

1. Navigate to the custom WinPE build you copied to your system and locate the BOOT.WIM file under the sources directory. Copy it to c:\Image
2. Mount the Custom WinPE WIM file by typing the following at the command prompt: imagex /mountrw c:\Image\BOOT.WIM <volume number> c:\Mount

(<volume number> is the index of the specific image inside the .wim file. List the available indexes with imagex /info c:\Image\BOOT.WIM; usually the value is 1 or 2.)

3. Navigate to the c:\SERT-Files directory and copy the Utilities, Pca, and SYMANTEC_NBRT directories to the root of c:\Mount
4. Assuming this is your company's custom WinPE build, it may already include the other 3rd party tools or custom scripts. If not, copy the 3rd party tools or scripts into the c:\Mount directory.
5. Unmount the custom WinPE WIM file by typing the following at the command prompt: imagex /unmount /commit c:\Mount
6. Navigate to the custom WinPE build you downloaded and replace the BOOT.WIM with the BOOT.WIM in the c:\Image directory.
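The whole of Steps 3 and 4 as one script, added here as an example in PowerShell; it is not from the original article or from Symantec. It assumes the Windows AIK at its default install path, an elevated prompt, and that the extracted SERT ISO and the extracted custom WinPE build live at the two hypothetical paths set at the top. Instead of guessing 1 or 2 for <volume number> it parses the XML that imagex /info prints and picks the only image, and it refuses an image whose ARCH is not 0 (x86), since SERT needs 32-bit WinPE.

```powershell
# Added example (not from the original article): automates Steps 3 and 4 with ImageX.
# Assumptions: Windows AIK at its default path, elevated PowerShell, $SertIsoRoot holds the
# copied SERT ISO contents, $CustomBuildRoot holds the extracted custom WinPE build.
$ErrorActionPreference = 'Stop'

$ImageX          = 'C:\Program Files\Windows AIK\Tools\x86\imagex.exe'
$SertIsoRoot     = 'C:\SERT-ISO'        # assumption: where the SERT ISO was copied to
$CustomBuildRoot = 'C:\CustomWinPE'     # assumption: extracted custom WinPE build
$Image = 'C:\Image'
$Mount = 'C:\Mount'
$Stage = 'C:\SERT-Files'

function Invoke-ImageX {
    param([string[]]$Arguments)
    & $ImageX @Arguments | Out-Host
    if ($LASTEXITCODE -ne 0) { throw "imagex $($Arguments -join ' ') failed with exit code $LASTEXITCODE" }
}

# robocopy copies a directory tree into an existing directory without nesting it a level deeper
# (Copy-Item -Recurse does that when the destination already exists). Exit codes below 8 are success.
function Copy-Tree {
    param([string]$Source, [string]$Destination)
    & robocopy.exe $Source $Destination /E /NFL /NDL /NJH /NJS | Out-Null
    if ($LASTEXITCODE -ge 8) { throw "robocopy $Source -> $Destination failed ($LASTEXITCODE)" }
}

# imagex /info prints a banner followed by the WIM's XML metadata. Keep only the XML and
# return one object per <IMAGE> so the index is read from the file, not guessed.
function Get-WimImages {
    param([string]$WimPath)
    $text = (& $ImageX /info $WimPath) -join "`n"
    if ($LASTEXITCODE -ne 0) { throw "imagex /info $WimPath failed with exit code $LASTEXITCODE" }
    $start = $text.IndexOf('<WIM>')
    if ($start -lt 0) { throw "No <WIM> metadata found in imagex /info output for $WimPath" }
    [xml]$xml = $text.Substring($start)
    foreach ($img in $xml.WIM.IMAGE) {
        [pscustomobject]@{ Index = [int]$img.INDEX; Name = $img.NAME; Arch = $img.WINDOWS.ARCH }
    }
}

# Pick the single image in the WIM and insist it is x86 (ARCH 0); SERT only runs in 32-bit WinPE.
function Select-WimIndex {
    param([string]$WimPath)
    $images = @(Get-WimImages $WimPath)
    if ($images.Count -ne 1) {
        $images | Format-Table -AutoSize | Out-Host
        throw "$WimPath contains $($images.Count) images; pass the index explicitly"
    }
    if ($images[0].Arch -ne '0') { throw "$WimPath is not an x86 image (ARCH=$($images[0].Arch))" }
    return $images[0].Index
}

New-Item -ItemType Directory -Force -Path $Image, $Mount, $Stage | Out-Null

# Step 3: pull Utilities and Pca out of the SERT boot image, plus SYMANTEC_NBRT from the ISO.
Copy-Item (Join-Path $SertIsoRoot 'sources\BOOT.WIM') (Join-Path $Image 'BOOT.WIM') -Force
$sertIndex = Select-WimIndex (Join-Path $Image 'BOOT.WIM')
Invoke-ImageX @('/mountrw', (Join-Path $Image 'BOOT.WIM'), $sertIndex, $Mount)
try {
    foreach ($dir in 'Utilities', 'Pca') { Copy-Tree (Join-Path $Mount $dir) (Join-Path $Stage $dir) }
} finally {
    Invoke-ImageX @('/unmount', $Mount)   # no /commit: the SERT image is never modified
}
Remove-Item (Join-Path $Image 'BOOT.WIM')
Copy-Tree (Join-Path $SertIsoRoot 'sources\SYMANTEC_NBRT') (Join-Path $Stage 'SYMANTEC_NBRT')

# Step 4: inject the three directories into the custom WinPE image; commit only if every copy worked.
Copy-Item (Join-Path $CustomBuildRoot 'sources\BOOT.WIM') (Join-Path $Image 'BOOT.WIM') -Force
$peIndex = Select-WimIndex (Join-Path $Image 'BOOT.WIM')
Invoke-ImageX @('/mountrw', (Join-Path $Image 'BOOT.WIM'), $peIndex, $Mount)
$committed = $false
try {
    foreach ($dir in 'Utilities', 'Pca', 'SYMANTEC_NBRT') { Copy-Tree (Join-Path $Stage $dir) (Join-Path $Mount $dir) }
    Invoke-ImageX @('/unmount', '/commit', $Mount)
    $committed = $true
} finally {
    if (-not $committed) { & $ImageX /unmount $Mount | Out-Host }   # discard the half-done image
}
Copy-Item (Join-Path $Image 'BOOT.WIM') (Join-Path $CustomBuildRoot 'sources\BOOT.WIM') -Force
```

Run it from an elevated PowerShell prompt. The copy of the custom BOOT.WIM in c:\Image is only written back over the build's sources\BOOT.WIM after the commit succeeds, so a failed copy or a wrong index leaves the original build untouched; if a WIM holds more than one image the script prints the table from imagex /info and stops rather than picking one for you.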

Create Bootable USB Drive

Step 1 (Steps below require the use of Windows Vista or Windows 7)

1. Open Command Prompt with "run as administrator" and type "diskpart", which lets you format and create partitions on active disks.
2. Type "list disk" to reveal a list of all your active disks which are associated with a number. Make note of which one is your USB key.
3. Type "Select Disk #" (# is the number of your USB disk)
4. Type "Clean" (removes any existing partitions from the USB disk, including hidden sectors)
5. Type "Create Partition Primary" (Focus on the newly created partition)
6. Type "Select Partition 1" (This is for the newly created partition created in step 5)
7. Type "Active" (Marks the in-focus partition as active so the BIOS will boot from it)
8. Type "Format FS=NTFS" (Formats the partition with the NTFS file system; add "Quick" to skip the full surface scan)
9. Type "Assign" (Gives the USB drive a Windows volume and next available drive letter)
10. Type "Exit" (Quits the DiskPart tool)
11. Copy all of the directories and files from the updated custom WinPE build you downloaded earlier to the root of the USB Drive.
12. Follow the instructions provided by Symantec to load the latest virus definitions for SERT: http://www.symantec.com/business/support/index?page=content&id=TECH131732
13. You are now ready to use WinPE with SERT and/or other 3rd party utilities and scripts.
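The USB preparation above, as an added PowerShell example that is not part of the original article. It feeds diskpart the same command sequence through a script file (diskpart /s) and adds the check a practitioner wants before "clean": the disk number is confirmed to be a USB-attached disk that does not hold the boot partition, and the drive letter is confirmed free. The disk number, drive letter and build path at the top are assumptions; the label is arbitrary.

```powershell
# Added example (not from the original article): builds the bootable USB key from the
# "Create Bootable USB Drive" steps with a diskpart script, guarding against wiping the wrong disk.
# Assumptions: elevated PowerShell on Vista/Win7, $DiskNumber is the USB key's number from
# "list disk", $Letter is an unused drive letter, $CustomBuildRoot holds the updated build.
$ErrorActionPreference = 'Stop'

$DiskNumber      = 2                  # assumption: the USB key as shown by "list disk"
$Letter          = 'S'                # assumption: free drive letter to assign
$CustomBuildRoot = 'C:\CustomWinPE'   # assumption: build whose sources\BOOT.WIM now contains SERT

# "clean" wipes whatever disk it is pointed at, so refuse anything that is not USB-attached
# and refuse the disk that carries the running Windows installation's boot partition.
function Assert-UsbDisk {
    param([int]$Index)
    $disk = Get-WmiObject Win32_DiskDrive | Where-Object { $_.Index -eq $Index }
    if (-not $disk) { throw "Disk $Index does not exist" }
    if ($disk.InterfaceType -ne 'USB') {
        throw "Disk $Index ($($disk.Model)) is $($disk.InterfaceType), not USB; refusing to clean it"
    }
    $bootDisks = Get-WmiObject Win32_DiskPartition | Where-Object { $_.BootPartition } | ForEach-Object { $_.DiskIndex }
    if ($bootDisks -contains $Index) { throw "Disk $Index holds the boot partition; refusing to clean it" }
    return $disk
}

# The article's interactive diskpart session, as a script. "quick" skips the full surface scan.
function New-DiskpartScript {
    param([int]$Index, [string]$DriveLetter)
    @"
select disk $Index
clean
create partition primary
select partition 1
active
format fs=ntfs label="SERT-WinPE" quick
assign letter=$DriveLetter
exit
"@
}

function Initialize-UsbKey {
    param([int]$Index, [string]$DriveLetter)
    $disk = Assert-UsbDisk $Index
    if (Get-WmiObject Win32_LogicalDisk | Where-Object { $_.DeviceID -eq "${DriveLetter}:" }) {
        throw "Drive letter ${DriveLetter}: is already in use"
    }
    $script = Join-Path $env:TEMP 'sert-usb.txt'
    Set-Content -Path $script -Value (New-DiskpartScript $Index $DriveLetter) -Encoding ASCII
    Write-Host ("Cleaning disk {0}: {1} ({2:N0} MB)" -f $Index, $disk.Model, ($disk.Size / 1MB))
    & diskpart.exe /s $script | Out-Host
    if ($LASTEXITCODE -ne 0) { throw "diskpart failed with exit code $LASTEXITCODE" }
    Remove-Item $script
}

# Copy the whole build to the root of the key and confirm the WinPE image actually landed there.
function Copy-BuildToUsb {
    param([string]$Source, [string]$DriveLetter)
    & robocopy.exe $Source "${DriveLetter}:\" /E /NFL /NDL /NJH /NJS | Out-Null
    if ($LASTEXITCODE -ge 8) { throw "robocopy to ${DriveLetter}: failed ($LASTEXITCODE)" }
    $wim = "${DriveLetter}:\sources\BOOT.WIM"
    if (-not (Test-Path $wim)) { throw "$wim is missing; the key will not boot WinPE" }
}

Initialize-UsbKey -Index $DiskNumber -DriveLetter $Letter
Copy-BuildToUsb -Source $CustomBuildRoot -DriveLetter $Letter
```

The InterfaceType and BootPartition checks are the point of the script: a typo in the disk number at an interactive diskpart prompt cleans a data disk just as readily as the key, whereas here the script stops before writing anything. After it finishes, apply the definition update from step 12 to the key as before.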

Comments

Mar 18, 2014 09:22 AM

I realize that the post above is almost a year old, but if that poster had a problem, others might too, so to answer his question:

How do I find the specific reference number for the .WIM image?

Use the /info switch of IMAGEX.EXE

Example:

IMAGEX /info c:\image\boot.WIM

Example output:

Available Image Choices:
------------------------
<WIM>
  <TOTALBYTES>215815191</TOTALBYTES>
  <IMAGE INDEX="1">
    <DIRCOUNT>2072</DIRCOUNT>
    <FILECOUNT>3987</FILECOUNT>
    <TOTALBYTES>578671325</TOTALBYTES>
    <HARDLINKBYTES>3247212</HARDLINKBYTES>
    <CREATIONTIME>
      <HIGHPART>0x01CA042E</HIGHPART>
      <LOWPART>0x01208AB9</LOWPART>
    </CREATIONTIME>
    <LASTMODIFICATIONTIME>
      <HIGHPART>0x01CBE4FF</HIGHPART>
      <LOWPART>0x4FF3B8CC</LOWPART>
    </LASTMODIFICATIONTIME>
    <WINDOWS>
      <ARCH>0</ARCH>
      <PRODUCTNAME>Microsoft® Windows® Operating System</PRODUCTNAME>
      <EDITIONID>WindowsPE</EDITIONID>
      <INSTALLATIONTYPE>WindowsPE</INSTALLATIONTYPE>
      <PRODUCTTYPE>WinNT</PRODUCTTYPE>
      <PRODUCTSUITE></PRODUCTSUITE>
      <LANGUAGES>
        <LANGUAGE>en-US</LANGUAGE>
        <DEFAULT>en-US</DEFAULT>
      </LANGUAGES>
      <VERSION>
        <MAJOR>6</MAJOR>
        <MINOR>1</MINOR>
        <BUILD>7600</BUILD>
        <SPBUILD>16385</SPBUILD>
        <SPLEVEL>0</SPLEVEL>
      </VERSION>
      <SYSTEMROOT>WINDOWS</SYSTEMROOT>
    </WINDOWS>
    <NAME>Microsoft Windows PE (x86)</NAME>
    <DESCRIPTION>Microsoft Windows PE (x86)</DESCRIPTION>
  </IMAGE>
</WIM>

In this case, there was only one image, and its index does happen to be one, but your custom image may vary. Use the XML output of the command to find the appropriate number to insert into Section 3, step 5.

Feb 26, 2013 11:36 AM

Hi,

How do I find the specific reference number for the .WIM image? I keep on getting the error:

Mounting: [c:\Image\BOOT.WIM, 1] -> [C:\Mount]...

Error opening file [c:\Image\BOOT.WIM].


The system cannot find the file specified.

I've tried 1 and 2 but neither seem to work.

Thanks!
