Endpoint SWAT: Protect the Endpoint Community

  • 1.  Finding PID of application

    Posted Dec 30, 2015 03:12 PM

    I'm running SEP version 12.1.6 RU6 MP1.  When looking at my firewall logs I'm seeing traffic from certain PCs out to different external resources and I have no idea what application is generating the traffic.  If I run a netstat -ano from the PC in question I could find the PID that is generating the traffic, but the odds of being on the PC while this traffic is generated are small.  Is there a way that SEP can log this type of information for me so I could find it that way?
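    The problem raised above is that netstat -ano only helps if someone is at the console when the connection happens. The following PowerShell script is an added example, not code from the thread or from Symantec, that does the same lookup unattended: it polls the TCP table on the workstation, and every time it sees a connection to the remote address from the IPS alert it records the owning PID, process name and image path to a CSV file. It assumes Windows 8 / Server 2012 or later (for Get-NetTCPConnection), that it runs elevated so process paths can be read, and that the remote address and port are the ones from your alert; the 203.0.113.10 default is a placeholder (TEST-NET-3) to replace.

```powershell
# Added example (not from the original thread): capture the owning process of
# connections to a given remote endpoint without being logged on to watch
# netstat -ano. Run from an elevated PowerShell prompt on the workstation.
param(
    [string]$RemoteAddress   = '203.0.113.10',   # placeholder; use the IP from the IPS alert
    [int]$RemotePort         = 80,
    [int]$IntervalSeconds    = 2,                # poll interval; short-lived connections need a small value
    [int]$DurationMinutes    = 120,
    [string]$LogPath         = "$env:ProgramData\conn-watch.csv"
)

$seen     = @{}                                   # local port + PID pairs already recorded
$deadline = (Get-Date).AddMinutes($DurationMinutes)

while ((Get-Date) -lt $deadline) {
    # No -State filter on purpose: traffic the edge IPS drops may only ever
    # reach SynSent on the workstation and would be missed with 'Established'.
    $conns = Get-NetTCPConnection -RemoteAddress $RemoteAddress -RemotePort $RemotePort `
                                  -ErrorAction SilentlyContinue
    foreach ($c in $conns) {
        $key = "$($c.LocalPort)-$($c.OwningProcess)"
        if ($seen.ContainsKey($key)) { continue }
        $seen[$key] = $true

        # Resolve the PID immediately; the process may exit before the next poll.
        $proc = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Time       = (Get-Date).ToString('s')
            LocalPort  = $c.LocalPort
            RemoteAddr = $c.RemoteAddress
            RemotePort = $c.RemotePort
            State      = $c.State
            PID        = $c.OwningProcess
            Process    = if ($proc) { $proc.ProcessName } else { '<exited>' }
            Path       = if ($proc) { $proc.Path } else { '' }
        } | Export-Csv -Path $LogPath -Append -NoTypeInformation
    }
    Start-Sleep -Seconds $IntervalSeconds
}
```

    Leave it running in a scheduled task or a background session for the window in which the alerts recur, then open the CSV: the PID and image path tell you which application was talking to the address, and the State column shows whether the connection ever completed or was being dropped at the edge. PID 4 in the output means the kernel (System) owned the socket, which usually points at a driver or service using the kernel network stack rather than a user-mode program.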



  • 2.  RE: Finding PID of application

    Posted Dec 30, 2015 03:15 PM

    The network activity tool will show the process number, see this article:

    https://www-secure.symantec.com/connect/articles/overview-sep-network-activity-tool

    The 'Process' column in the network activity tool matches that of what's in process explorer and the task manager so it should be accurate.

    Other than that you're limited to what's already in the SEP logs.



  • 3.  RE: Finding PID of application

    Posted Dec 30, 2015 03:33 PM

    Thank you, I didn't know that network activity tool existed.  Unfortunately what I'm looking for isn't in the logs either, and the traffic occurred within the last two hours.  I'm getting email events from my edge-based IPS of a workstation sending traffic on port 80 to a specific IP that is firing an IPS signature, and the IPS is dropping the traffic.  I found that the IP belongs to Amazon but would really like to know what app is generating this traffic.  When searching through the logs on the local SEP client it doesn't seem to log any port 80 traffic; any ideas on this one?



  • 4.  RE: Finding PID of application

    Posted Dec 30, 2015 03:51 PM

    Aside from being able to narrow it down to what workstation it is, this will be more difficult. Sounds like the SEP IPS does not have a signature otherwise you'd be seeing it in the Security log on the SEP client.

    At this point you'll probably need to enable a packet capture on your edge IPS as well as the workstation then compare them to narrow it down.

    You could also create a firewall rule to log/allow all application traffic and see what applications are sending traffic and identify any "weird" ones.



  • 5.  RE: Finding PID of application

    Posted Dec 30, 2015 04:06 PM

    Thanks for the help



  • 6.  RE: Finding PID of application

    Posted Dec 30, 2015 04:08 PM

    You're welcome.



  • 7.  RE: Finding PID of application

    Posted Dec 30, 2015 06:11 PM

    By default, logging of traffic will be enabled only on rules that are set to block certain traffic. In this case the traffic is allowed. I would suggest enabling the logging (to the traffic log) on all the rules in the firewall policy and then recreating the issue (or waiting for the issue to be automatically recreated), and then checking the traffic log again for the traffic in question.


    To enable logging on all rules, open the firewall policy (assigned to this PC) in SEPM, go to the Rules page and look for the "Log" column. Right-click on each rule, select "Write to traffic log" and save the policy.


    Note: I would suggest not creating a new rule to allow and log all traffic, as it will allow all the traffic. Once traffic is allowed by one rule, it will not be inspected by the other rules. Rather, enabling the logging on all the existing rules will be more effective.