
attack internal network

Created: 03 Aug 2012 • Updated: 26 Aug 2012 | 5 comments
This issue has been solved. See solution.

Dear all, good afternoon.

Is there not any solution for data capture during an internal network attack?

Looking forward to your reply.

Sincerely,

Fabian


How to debug the Symantec Endpoint Protection client

http://www.symantec.com/docs/TECH102412

Enable debugging 

TSE debugging

To enable Extended TSE Debugging for Network Threat Protection, stop the SMC process (smc -stop) and import this registry setting:

[HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\TSE]
"ExtendedDebug"=dword:00000001

Start the SMC service (smc -start).

Example from debug.log:

01/25 16:46:17 [304:960] TSE extended debugging is turned on. Flag =
01/25 16:48:43 [304:592] TSE2415: *********DROP PACKET*********
01/25 16:48:43 [304:592] TSE: SecurityRule = Block Local File Sharin
01/25 16:48:43 [304:592] TSE: ApplicationName = C:\WINNT\system32\ntoskrnl.ex
01/25 16:48:43 [304:592] TSE2417: *** DROP PACKET **
01/25 16:48:43 [304:592] ======== TsPacket ====== BA: 1 == protocol: 2 === === EtherII Packet=== len:92==== nic:0===== 00-0c-29-4e-d7-c7 ---> ff-ff-ff-ff-ff-ff , protocol = 0x800 ===== IP Packet==== len:78==== 192.168.20.12 --> 192.168.20.255, type: 0x11, Id: 2629, Frg: 0x0 ========= UDP datagram, len: 78==== 192.168.20.12:137 -> 192.168.20.255:137 , DataLen: 5
01/25 16:48:43 [304:592] TSE2415: *********DROP PACKET**********
01/25 16:48:43 [304:592] TSE: SecurityRule = Block and Log Unchecked IP Packets
01/25 16:48:43 [304:592] TSE2417: *** DROP PACKET ***
01/25 16:48:43 [304:592] ======== TsPacket ====== BA: 1 == protocol: 2 === === EtherII Packet=== len:74==== nic:0===== 00-50-56-c0-00-02 ---> 00-0c-29-4e-d7-c7 , protocol = 0x800 ===== IP Packet==== len:60==== 192.168.20.1 --> 192.168.20.12, type: 0x1, Id: 28535, Frg: 0x0 ===== ICMP Packet==== len:40==== , type: 0x8, Code: 0, Checksum: 0x5a3a

Check this video; you will get a good view.

Symantec Endpoint Network Activity Tool

https://www-secure.symantec.com/connect/videos/symantec-endpoint-network-activity-tool

https://www-secure.symantec.com/connect/forums/need-help-policies-and-network-activity#comment-2713641

Hope this helps.

Mohan Babu

moglie20@gmail.com

+91 9884382160

Your satisfaction is very important to us. If you find the above information helpful or it has resolved your issue, please mark it accordingly :)

SOLUTION
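The debug.log excerpt quoted in the answer above is regular enough to parse rather than read by eye: each drop is a TSE2415 marker, a SecurityRule line, an optional ApplicationName line, and one TsPacket line carrying the MAC pair, IP pair, protocol and ports. The following is an added example, not code from the post or from Symantec; the field layout is inferred from that excerpt only, SAMPLE_LOG is a constructed copy of it (truncated fields kept as they appear), and the function names are my own.

```python
"""Pull the DROP PACKET records out of a Symantec Endpoint Protection
TSE extended-debug log (debug.log) and summarise them by firewall rule.

Added example, not Symantec's code. The record layout (TSE2415 marker,
SecurityRule / ApplicationName lines, then one TsPacket line) is inferred
from the excerpt in the post above; SAMPLE_LOG is a constructed copy of
that excerpt, kept verbatim including its truncated fields.
"""
import re
from collections import Counter

SAMPLE_LOG = r"""01/25 16:46:17 [304:960] TSE extended debugging is turned on. Flag =
01/25 16:48:43 [304:592] TSE2415: *********DROP PACKET*********
01/25 16:48:43 [304:592] TSE: SecurityRule = Block Local File Sharin
01/25 16:48:43 [304:592] TSE: ApplicationName = C:\WINNT\system32\ntoskrnl.ex
01/25 16:48:43 [304:592] TSE2417: *** DROP PACKET **
01/25 16:48:43 [304:592] ======== TsPacket ====== BA: 1 == protocol: 2 === === EtherII Packet=== len:92==== nic:0===== 00-0c-29-4e-d7-c7 ---> ff-ff-ff-ff-ff-ff , protocol = 0x800 ===== IP Packet==== len:78==== 192.168.20.12 --> 192.168.20.255, type: 0x11, Id: 2629, Frg: 0x0 ========= UDP datagram, len: 78==== 192.168.20.12:137 -> 192.168.20.255:137 , DataLen: 5
01/25 16:48:43 [304:592] TSE2415: *********DROP PACKET**********
01/25 16:48:43 [304:592] TSE: SecurityRule = Block and Log Unchecked IP Packets
01/25 16:48:43 [304:592] TSE2417: *** DROP PACKET ***
01/25 16:48:43 [304:592] ======== TsPacket ====== BA: 1 == protocol: 2 === === EtherII Packet=== len:74==== nic:0===== 00-50-56-c0-00-02 ---> 00-0c-29-4e-d7-c7 , protocol = 0x800 ===== IP Packet==== len:60==== 192.168.20.1 --> 192.168.20.12, type: 0x1, Id: 28535, Frg: 0x0 ===== ICMP Packet==== len:40==== , type: 0x8, Code: 0, Checksum: 0x5a3a
"""

# One log line: "MM/DD HH:MM:SS [pid:tid] message"
TS_RE = re.compile(r'^(\d\d/\d\d \d\d:\d\d:\d\d) \[(\d+):(\d+)\] (.*)$')
MAC_RE = re.compile(r'([0-9a-f]{2}(?:-[0-9a-f]{2}){5}) ---> ([0-9a-f]{2}(?:-[0-9a-f]{2}){5})')
IP_RE = re.compile(r'(\d+(?:\.\d+){3}) --> (\d+(?:\.\d+){3}), type: (0x[0-9a-fA-F]+)')
PORT_RE = re.compile(r'(\d+(?:\.\d+){3}):(\d+) -> (\d+(?:\.\d+){3}):(\d+)')
ICMP_RE = re.compile(r'ICMP Packet.*?type: (0x[0-9a-fA-F]+), Code: (\d+)')
IP_PROTO = {1: "ICMP", 6: "TCP", 17: "UDP"}  # IP protocol number -> name


def _parse_packet(msg, rec):
    """Fill Ethernet/IP/transport fields of rec from one TsPacket line."""
    mac = MAC_RE.search(msg)
    if mac:
        rec["src_mac"], rec["dst_mac"] = mac.groups()
    ip = IP_RE.search(msg)
    if ip:
        rec["src_ip"], rec["dst_ip"] = ip.group(1), ip.group(2)
        proto = int(ip.group(3), 16)          # "type: 0x11" is the IP protocol field
        rec["proto"] = IP_PROTO.get(proto, str(proto))
    ports = PORT_RE.search(msg)               # only present for TCP/UDP
    if ports:
        rec["src_port"], rec["dst_port"] = int(ports.group(2)), int(ports.group(4))
    icmp = ICMP_RE.search(msg)
    if icmp:
        rec["icmp_type"], rec["icmp_code"] = int(icmp.group(1), 16), int(icmp.group(2))


def parse_drop_packets(log_text):
    """Return one dict per DROP PACKET record, in log order."""
    records, current = [], None
    for raw in log_text.splitlines():
        m = TS_RE.match(raw.rstrip())
        if not m:
            continue                          # not a timestamped log line
        ts, pid, tid, msg = m.groups()
        if "TSE2415" in msg and "DROP PACKET" in msg:
            # New record; an earlier one that never got its TsPacket line is discarded.
            current = {"time": ts, "thread": f"{pid}:{tid}", "rule": None, "application": None}
        elif current is None:
            continue
        elif msg.startswith("TSE: SecurityRule = "):
            current["rule"] = msg[len("TSE: SecurityRule = "):]
        elif msg.startswith("TSE: ApplicationName = "):
            current["application"] = msg[len("TSE: ApplicationName = "):]
        elif "TsPacket" in msg:
            _parse_packet(msg, current)
            records.append(current)
            current = None
    return records


def summarize_by_rule(records):
    """Count drops per SecurityRule; the rule hit most often is the one to review first."""
    return Counter(r["rule"] for r in records)


def describe(rec):
    """One-line summary of a record for a quick triage listing."""
    if rec.get("proto") == "ICMP":
        flow = (f"ICMP type {rec.get('icmp_type')} code {rec.get('icmp_code')} "
                f"{rec.get('src_ip')} -> {rec.get('dst_ip')}")
    elif "src_port" in rec:
        flow = f"{rec['proto']} {rec['src_ip']}:{rec['src_port']} -> {rec['dst_ip']}:{rec['dst_port']}"
    else:
        flow = f"{rec.get('proto')} {rec.get('src_ip')} -> {rec.get('dst_ip')}"
    return f"{rec['time']} DROP rule={rec['rule']!r} app={rec['application']} {flow}"


if __name__ == "__main__":
    recs = parse_drop_packets(SAMPLE_LOG)
    for r in recs:
        print(describe(r))
    for rule, n in summarize_by_rule(recs).most_common():
        print(f"{n:4d}  {rule}")
```

On a real host, replace SAMPLE_LOG with the contents of the client's debug.log after extended debugging has been on for a while; the per-rule counts show which firewall rule is silently dropping the traffic you are trying to capture, and the per-record lines give the source/destination pair to match against the suspected attacker.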
Mohan, good morning.

Thank you for your help.

Sincerely, Fabiano Pessoa

Fabiano Pessoa

Systems Analyst - Forensic Expert


Use the Network Activity Tool

Regards,

Ajit Jha

Technical Consultant

ASC & STS

Hi, thanks for the help. I am already making arrangements. Hugs.

Fabiano Pessoa

Systems Analyst - Forensic Expert

Update me if you require any further assistance.

Mark the best answer which resolved your issue.

Thanks in advance.

Mohan Babu
