Endpoint Protection

  • 1.  How to detect using SEP / VBScript if a virus has been received

    Posted Jul 01, 2010 10:56 AM

    Hi!
    I have a requirement for a tar file to be relayed via a server located in a DMZ. The contents of that tar file should be checked to ensure they don't contain any viruses or malware before forwarding. The file transfer mechanism / protocol is proprietary so using some form of appliance is not possible. 

    I have written a little routine in VBScript which is called upon file receipt to 'untar' the file contents into a Scratch folder and then check the last line of the AVMan.log file for any malware being detected following the untar.

    Unfortunately in some circumstances the AVMan.log file writes are apparently cached, so potentially virus ridden data is being relayed on rather than quarantined.

    Short of calling a doscan.exe is there any other way of getting AVMan.log to be updated or is there a better way of programmatically telling if SEP has spotted something nasty?

    Target system = Windows 2003 standard with Symantec Endpoint Protection 11
    Development system = Windows XP with Symantec Endpoint Protection 11.0

    Thanks

    Kevin


  • 2.  RE: How to detect using SEP / VBScript if a virus has been received

    Posted Jul 01, 2010 11:01 AM
    Read the event log to see if SEP has detected a virus or not.

    Symantec Endpoint Protection 11.x event log entries


    http://service1.symantec.com/support/ent-security.nsf/docid/2008080711443448?Open&seg=ent


  • 3.  RE: How to detect using SEP / VBScript if a virus has been received

    Posted Jul 01, 2010 11:49 AM

    SEP can scan compressed files, even TAR files, and should not need to be uncompressed first... except of course that you can only be alerted to a threat in a compressed file; it cannot be remediated (upon extraction Auto-Protect would take care of it as it tries to write the contents to the drive).

    It seems like you're trying to duplicate what Reporting between SEP/SEPM is already doing.  Is there some reason that won't work for you (i.e. not fast enough of a process)?

    sandra


  • 4.  RE: How to detect using SEP / VBScript if a virus has been received

    Posted Jul 06, 2010 07:49 AM

    Rafeeq / Sandra :-
    Thanks for the replies, they are appreciated.

    Regarding tar files; I was told by another Symantec consultant that the contents could not be scanned on Windows platforms. That certainly appears to be the case, as if you try writing a file with the EICAR test signature SEP will raise an alert, whereas the same file in a tar file can be written to the same (local) location with no alert. I've tried this on a number of systems and it seems consistent behaviour within our estate.

    As for using the event log for monitoring whether a virus has been detected - that is certainly a more elegant way of doing it. However there is an appreciable delay after a server / VM has been rebooted between the attempt to write an infected file to disk and it being recorded in the event log. Following attempts to write an infected file are reported a lot quicker, but as a workaround I am having to add a 15 second delay after the tar -xf / write in order to ensure any problems are recorded in the event log.

    Thanks again

    Kevin
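Following the event-log suggestion in reply 2 and the start-up delay Kevin describes in reply 4, here is an added VBScript example (not code from the thread) that polls the Application log for a SEP detection written after the untar began, up to a timeout, instead of sleeping a fixed 15 seconds. The source name "Symantec AntiVirus", event ID 51 and the paths are assumptions to verify against your own log and the KB article linked above.

```vbscript
Option Explicit
' Added example, not from the thread. Assumed (verify on your own system):
' SEP 11 writes detections to the Application log with source
' "Symantec AntiVirus" and event ID 51 ("Security Risk Found!").
Const SEP_SOURCE = "Symantec AntiVirus"
Const SEP_RISK_FOUND = 51
Const POLL_MS = 1000

' Returns True if SEP logged a risk-found event after sinceDate within
' timeoutSec, False if the timeout elapsed first. The first matching
' event message is passed back through the ByRef argument.
Function SepDetectedSince(sinceDate, timeoutSec, ByRef message)
    Dim wmi, dt, query, deadline, events, ev
    Set wmi = GetObject("winmgmts:\\.\root\cimv2")
    Set dt = CreateObject("WbemScripting.SWbemDateTime")
    dt.SetVarDate sinceDate, True   ' local time -> DMTF string with UTC offset
    query = "SELECT EventCode, Message FROM Win32_NTLogEvent " & _
            "WHERE Logfile='Application' AND SourceName='" & SEP_SOURCE & "' " & _
            "AND EventCode=" & SEP_RISK_FOUND & _
            " AND TimeWritten>='" & dt.Value & "'"
    SepDetectedSince = False
    message = ""
    deadline = DateAdd("s", timeoutSec, Now)
    Do
        Set events = wmi.ExecQuery(query)
        For Each ev In events
            message = ev.Message
            SepDetectedSince = True
            Exit Function
        Next
        If Now >= deadline Then Exit Do   ' give up; caller decides what to do
        WScript.Sleep POLL_MS
    Loop
End Function

' --- usage: note the time, untar into the scratch folder, then poll ---
Dim started, msg
started = DateAdd("s", -2, Now)   ' small margin for event-log clock granularity
' (run the existing untar-to-scratch step here, as in the original routine)
If SepDetectedSince(started, 30, msg) Then
    WScript.Echo "SEP detection logged; do not relay the file: " & msg
    WScript.Quit 2
Else
    WScript.Echo "No SEP detection logged within the timeout"
End If
```

Because the thread shows the first detection after a reboot can lag, treat the timeout branch as "not yet proven clean" rather than "clean" when deciding whether to relay.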