Not exactly sure what you're wanting to do here?

Yes, I agree, should have been more descriptive

2008-10-04 00:01:15 192.168.1.1 GET /secars/secars.dll h=A11AAD19352CCE55EF306D605786D8C8CA224C2F45AC3FDDA63D2196981BE5461C4C189D47DAEA8A0B9A59981C45FA0E2C2FBC6DDFDD6B6B934E625468E6F2E020C67A8266A0C03

[Random log entry off the Internet]

See the "h=" string stands for something. It is some web service-like way for the clients to communicate with the SEPM

What I m trying to do here is get it back in readable form.

Good luck with that.

I'm not really interested. I can imagine it says something like 'currently I am using def x. what is the latest def? what must I download?' and a few entries later I see 2008-10-04 00:01:20 GET *.dax which shows me it needed to know what definitions to download.

Why are you so interested? Do you think Symantec is practicing security through obscurity? Or is this merely for your own benefit? Seeing as you have Partner status, I hope you are not a black hat asking the willing community to unknowingly help with your nefarious intentions!

Please mark the post that best solves your problem as the answer to this thread.

Luck has nothing to do with my work :)

Computers are not good with random, therefore with luck as well

As I started, I want a live monitoring system -> the moment a station reports a detection, I want to know about it, the moment a server reports out of date, I want to know about it.

"Do you think Symantec is practicing security through obscurity?" - I have been automating SEPM for over half an year, so I know that one for a fact. The thing is that with this kind of application, there is not much you can do anyway.

I m no black hate mate, I m front line defence. 

SEPM is a great app, It is simple and if you know malware, you have all the features you need to track it down. On the other hand if you are a sys admin, with no knowledge of malware what so ever, you will be looking at it as if it was a large stone.

I m excited to try the 12.1.2 and play around with the SDK, but it is still interval based monitoring. (NOT what I m trying to do here)

if you want live monitoring you can check out the Symantec Security Information Manager:

https://www.symantec.com/security-information-manager

I don't see why you have to hack the secars.dll to get that sort of information. Just plug into the database and collect the information from there? It's a simple, organized database and with a few script you can easily get the info you are looking for.

Alot of the information can also easly  be sent realtime from the Monitor notification feature, you can also use the syslog feature to export the data to where ever.

Keep it simple ;)

Torb

First guy to make sense, thank you Torb!

In addition to the DB i can use some of the reporting services features to get me quite close to what I need, but not 100%.

Monitor notifications were also considered, but e-mail notifications are not fast enough and with certain overhead.

I m preparing my test environment, which is what I was trying to avoid, so I should have my answer soon

In the Monitior Notification you can also trigger scripts and executebles. Are these fast enough?

I can't really see how you can get any messages faster than E-mail? Unless you have someone that 100% of their time sit infront of a monitor waiting for alerts. How were you planning to send the messages you got from secars.dll ?

Torb

it depends on clients communication.

if its in pull mode, they send the logs moment the scan is over ( or by real time scan)

faster will be the email notification

wow I just knew it that Symantec had such features :-)