
Has anyone decrypted the SECARS.DLL log entries ?

Created: 12 Nov 2012 • Updated: 05 Dec 2012 | 17 comments
This issue has been solved.

Hi,

I was wondering if anyone has decrypted the SECARS.DLL Apache log entries (12.1)?

I am interested in the idea of live monitoring and am willing to spend the time and reverse it if necessary.

Regards,

Momchil


.Brian wrote:

Not exactly sure what you're wanting to do here?

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

Bozhinov wrote:

Yes, I agree, I should have been more descriptive.

2008-10-04 00:01:15 192.168.1.1 GET /secars/secars.dll h=A11AAD19352CCE55EF306D605786D8C8CA224C2F45AC3FDDA63D2196981BE5461C4C189D47DAEA8A0B9A59981C45FA0E2C2FBC6DDFDD6B6B934E625468E6F2E020C67A8266A0C03

[Random log entry off the Internet]

See, the "h=" string stands for something. It is some web-service-like way for the clients to communicate with the SEPM.

What I'm trying to do here is get it back in readable form.

Ian_C. wrote:

Good luck with that.

I'm not really interested. I can imagine it says something like 'currently I am using def x. what is the latest def? what must I download?' and a few entries later I see 2008-10-04 00:01:20 GET *.dax which shows me it needed to know what definitions to download.

Why are you so interested? Do you think Symantec is practicing security through obscurity? Or is this merely for your own benefit? Seeing as you have Partner status, I hope you are not a black hat asking the willing community to unknowingly help with your nefarious intentions!

Please mark the post that best solves your problem as the answer to this thread.
Bozhinov wrote:

Luck has nothing to do with my work :)

Computers are not good with random, therefore not with luck either.

As I started, I want a live monitoring system -> the moment a station reports a detection, I want to know about it, the moment a server reports out of date, I want to know about it.

"Do you think Symantec is practicing security through obscurity?" - I have been automating SEPM for over half a year, so I know that one for a fact. The thing is that with this kind of application, there is not much you can do anyway.

I'm no black hat, mate, I'm front line defence.

SEPM is a great app, it is simple and if you know malware, you have all the features you need to track it down. On the other hand, if you are a sysadmin with no knowledge of malware whatsoever, you will be looking at it as if it was a large stone.

I'm excited to try the 12.1.2 and play around with the SDK, but it is still interval-based monitoring. (NOT what I'm trying to do here)

.Brian wrote:

If you want live monitoring you can check out the Symantec Security Information Manager:

https://www.symantec.com/security-information-manager

TORB wrote:

I don't see why you have to hack the secars.dll to get that sort of information. Just plug into the database and collect the information from there? It's a simple, organized database and with a few scripts you can easily get the info you are looking for.

A lot of the information can also easily be sent in real time from the Monitor notification feature; you can also use the syslog feature to export the data to wherever.

Keep it simple ;)

Torb

Bozhinov wrote:

First guy to make sense, thank you Torb!

In addition to the DB I can use some of the reporting services features to get me quite close to what I need, but not 100%.

Monitor notifications were also considered, but e-mail notifications are not fast enough and carry a certain overhead.

I'm preparing my test environment, which is what I was trying to avoid, so I should have my answer soon.

Ian_C. wrote:

TORB makes sense by saying:

"Just plug into the database and collect the information from there"

Then I really do question HOW and WHAT you are trying to achieve.

  1. If you rely on what's in the DB, why even worry about what the client is sending using SECARS.DLL
  2. If you rely on the DB your clients will have to be on-line & connected to the SEPM which is not always possible
  3. If you are relying on the DB, then SEPM has already processed the event
  4. If you are relying on the DB, then let the SEPM continue processing and send out a notification
  5. If you are relying on the DB, the only thing faster than SEPM processing the event is if you are using SQL triggers that monitor the DB. That's as close to the metal as you're going to get when relying on the DB.
  6. If e-mail relaying is too slow / troublesome, SMS and IM generally are faster, but also can be delayed.
  7. If you want front line defence by understanding the encrypted string, your monitoring has to run on every client. Now it makes sense to monitor the DB because it's one centrally managed location.
  8. Using the SDK has the same limitations as relying on the DB. At least you can craft your own custom message string.

Reading this thread, it still is not very clear what you are trying to achieve. Can you please explain yourself?

Bozhinov wrote:

Hi Ian,

Torb made sense not because of the DB thing, but because of the notification functionality to execute scripts.

About point 7, I intend to sniff the SEPM and not every client.

I spent a day reversing just to find out it is not straightforward decryption .. there is character replacement and stuff (e.g. 3 == }). I'm not that good at this.

The next thing I'm gonna try is sniffing the ODBC. Seems that secars is using the DSN to send the data directly to the DB without going through the SEPM first.

"Reading this thread, it still is not very clear what you are trying to achieve. Can you please explain yourself?"

Sorry, probably my English ain't that good, but the idea is clear to me. I want to process the raw events coming from the stations to the SEPM.

Ian_C. wrote:

"I want to process the raw events coming from the stations"

OK, that explains what you want to do, not the why though.

Regardless, the SEPM is already processing those events, so you would be doing what Symantec have already implemented. This does raise the question of why you want to re-invent the wheel? Whatever your reason, you do know that the client & SEPM communicate using a certificate, even when your HTTP server is not HTTPS?

Have you approached Symantec about an SDK?

Bozhinov wrote:

Hi Ian,

HTTP or HTTPS is all the same if you read the log entry. This should answer your question about my reason.

The SDK is overkill + I don't do Java. Never have, never will.

FYI SEPM is not processing all events.

TORB wrote:

In the Monitor Notification you can also trigger scripts and executables. Are these fast enough?

I can't really see how you can get any messages faster than e-mail? Unless you have someone that sits 100% of their time in front of a monitor waiting for alerts. How were you planning to send the messages you got from secars.dll?

Torb

Bozhinov wrote:

"In the Monitor Notification you can also trigger scripts and executables. Are these fast enough?"

Indeed they are. Will explore the possibility.

"I can't really see how you can get any messages faster than e-mail?" - Eliminating the SMTP and the entire chain of filtering until the e-mail gets to me. Anyone that has ever parsed an e-mail will tell you that it is tricky getting what you need. It was you who said keep it simple :)

"How were you planning to send the messages you got from secars.dll?" - Will hook the Apache logger and send it to a message queue (hopefully SEPM will not notice the tiny delay in processing the request).

Rafeeq wrote:

It depends on the clients' communication.

If it's in pull mode, they send the logs the moment the scan is over (or by real-time scan).

Faster will be the e-mail notification.

Bozhinov wrote:

Thank you Rafeeq, I should keep the mode in mind.

Dushan Gomez wrote:

Wow, I just knew that Symantec had such features :-)

Dushan Gomez
IT Manager
VCP 4 and 5 | MCITP Exchange Server | MCTS SharePoint Server | MCP Windows XP

Bozhinov wrote:

Found it!

http://www.symantec.com/business/support/index?page=content&id=TECH131843

Data transmitted between Symantec Endpoint Protection Manager and Clients are always obfuscated using an encryption password (a.k.a. KCS key), thereby preventing malicious users from seeing the data content easily. We use the Twofish tool to encrypt the data. 

C:\Users\bozhinov\Desktop\SEPM_DECRYPT>php decrypt.php
l=252&action=128&hostid=08CF2D4410352E3C0137D115244037FC&chk=36E011EF32025F1B2EC
D8FE518F4C3FD&ck=EAAB7C298E59EC668F1E4B0F54F96847&uchk=437E05685C8586CC9192F3ECF
AADA2FD&uck=53B42D7377206C9064AE2DD9E8381CF2&groupid=9FEC28F710352AB30196A464206
     de=0&as&as=60 

Just got to map the IDs I guess. Bye guys.

Momchil
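The two formats this thread ends up with are the Apache access-log entry with the `h=` hex blob and the decrypted `key=value` payload from the last post. As an added example (not code from the thread or from Symantec), here is a small Python parser for both halves, the kind of thing the message-queue hook mentioned above would need; the Twofish/KCS decryption step itself is not shown and is assumed to be done by a separate tool like the author's decrypt.php. The sample log line and payload are constructed in the shape quoted above, with made-up values.

```python
import re
from urllib.parse import parse_qs

# Constructed sample in the shape of the access-log entry quoted in the thread.
SAMPLE_LOG_LINE = (
    "2008-10-04 00:01:15 192.168.1.1 GET /secars/secars.dll "
    "h=A11AAD19352CCE55EF306D605786D8C8CA224C2F45AC3FDDA63D2196981BE546"
)
# Constructed sample in the shape of the decrypted payload from the last post:
# the key names are the ones visible there, the values are made up.
SAMPLE_DECRYPTED = (
    "l=252&action=128&hostid=08CF2D4410352E3C0137D115244037FC"
    "&groupid=9FEC28F710352AB30196A46420600000&as&as=60"
)

LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<ip>\S+) (?P<method>[A-Z]+) "
    r"/secars/secars\.dll h=(?P<blob>[0-9A-Fa-f]+)\s*$"
)

def parse_log_line(line):
    """Split one secars.dll access-log entry into timestamp, client IP and ciphertext.
    Returns None for non-secars lines (e.g. the *.dax fetches) and for an h= blob that
    is not whole bytes of hex: a truncated entry is dropped, not handed to decryption."""
    m = LOG_RE.match(line)
    if m is None or len(m.group("blob")) % 2:
        return None
    return {"ts": m.group("ts"), "ip": m.group("ip"),
            "method": m.group("method"), "cipher": bytes.fromhex(m.group("blob"))}

def parse_payload(decrypted):
    """Turn the decrypted key=value string into a dict; keep_blank_values keeps the
    bare 'as' flag, and a repeated key keeps a list so nothing is silently dropped."""
    fields = parse_qs(decrypted, keep_blank_values=True)
    return {k: v[0] if len(v) == 1 else v for k, v in fields.items()}

def event_record(line, decrypted):
    """Join both halves into the record a monitoring consumer (queue) would receive."""
    meta = parse_log_line(line)
    if meta is None:
        return None
    body = parse_payload(decrypted)
    # hostid/groupid are 32-hex-digit ids in the sample; anything else is flagged, not trusted
    ids_ok = all(re.fullmatch(r"[0-9A-F]{32}", str(body.get(k, "")))
                 for k in ("hostid", "groupid"))
    return {"ts": meta["ts"], "client": meta["ip"], "action": body.get("action"),
            "hostid": body.get("hostid"), "ids_ok": ids_ok, "fields": body}
```

Mapping the numeric `action` values to event types is still the open step from the last post; the record above keeps the raw value so that mapping can be added once it is known.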
