Endpoint Protection

  • 1.  Searching SEPM Logs

    Posted Nov 11, 2010 09:50 AM

    We've been having some issues with our WPAD and I was doing some proactive research to determine if SEP might be involved.

    I found this article on the web: http://tech.givemethe.net/node/1

    and it referenced a SEP message that stated:

    "[SID: 22689] HTTP MSIE WPAD Spoofing detected."

    My question is this, where/how would I search the SEPM logs to see if this alert has been generated on any of our managed clients.

    So far I've tried MONITORS -> LOGS -> RISK -> "HTTP MSIE WPAD" in the "Risk Name"

    Searching logs on the SEPM has always been a challenge for me.

    Thanks,

    -Mike



  • 2.  RE: Searching SEPM Logs
    Best Answer

    Posted Nov 11, 2010 10:02 AM

    Where are Intrusion Prevention events logged on the Symantec Endpoint Protection Client and Symantec Endpoint Protection Manager?
    Document ID: 2009081113563248
    Web URL: http://service1.symantec.com/support/ent-security....



  • 3.  RE: Searching SEPM Logs

    Posted Nov 11, 2010 10:05 AM

    This would be an intrusion prevention detection. If you are receiving it, it will be listed in the IPS logs.

    You can read about this detection here: http://www.symantec.com/business/security_response/attacksignatures/detail.jsp?asid=22689

    You can examine the IPS logs here:

    Where are Intrusion Prevention events logged on the Symantec Endpoint Protection Client and Symantec Endpoint Protection Manager?

    http://www.symantec.com/docs/TECH95477

    Regards,

    James



  • 4.  RE: Searching SEPM Logs

    Posted Nov 11, 2010 10:18 AM

    Monitors > Logs > set log type to Network Threat Protection > set log content to Attacks > click Advanced Settings > filter by IP address or Computer and select View Logs



  • 5.  RE: Searching SEPM Logs

    Posted Nov 11, 2010 12:04 PM

    This gets me to the right place to look for the logs.

    Now, if I don't know the IP Address or Computer Name, how can I do a search for that specific popup message? "HTTP MSIE WPAD Spoofing"

    I would like to see if it has popped up on ANYONE's machine over the past year.

    -Mike



  • 6.  RE: Searching SEPM Logs

    Posted Nov 11, 2010 12:05 PM

    For the Event type in the filtering section set it to Intrusion Prevention



  • 7.  RE: Searching SEPM Logs

    Posted Nov 11, 2010 12:21 PM

    You would probably do best to export the logs from the client or SEPM (depending upon what you're working with) and open them in Excel. They are in .csv format which makes working with them in Excel a breeze.

    You can use Excel's filtering abilities to restrict the logs to the event type you want. At that point in time, use the Pivot Table feature in Excel in order to see what clients have experienced the events in question.

    Regards,

    James

    P.S. Don't forget to mark the post which answered your original question as the solution to the thread.



  • 8.  RE: Searching SEPM Logs

    Posted Nov 11, 2010 12:27 PM

    Since there is no way that I can see to query the "Event Description" column directly...I exported 1000 records and opened the report in Excel and searched for WPAD.

    Ugly work around, I would much rather that "Event Description" was one of the queryable fields in the GUI. Oh well, only 4000 more records to export until I have my answer. :( But hey, at least there is a way to get my answer. ;)

    Maybe I'll look at querying the DB directly.

    Too bad I can't split the points between all three of you.

    -Mike



  • 9.  RE: Searching SEPM Logs

    Posted Nov 11, 2010 12:38 PM

    Tips on using Excel:

    TIP 1:

    Make sure that when you import the log into Excel you tell Excel that it is delimited by commas. If Excel doesn't automatically open the "Convert Text to Columns Wizard" when you open the file, you can open it manually by selecting all of column A, clicking the Data tab (assuming Excel 2007), and choosing Text to Columns. At that point, put a dot in Delimited, click Next, remove all checkmarks, put a checkmark in Comma, and click Finish. You can then adjust the width of the columns to fit your needs.

    Once this is done, highlight your entire TABLE (not the entire spreadsheet, just the data in the table). Go to Home and click Format as Table. Select any preset table (depending on your color preferences). Leave the checkmark in My table has headers and click OK. Your data will now be a table and you can easily filter it by clicking on the filter button next to each header.

    TIP 2:

    If you want to get a list of what computers experienced a particular detection, you really need to learn how to use Excel's Pivot Table feature. It is EXTREMELY powerful and would easily merit a half-hour of learning how to use it. (You will probably end up using it for more than just SEP logs.) I recommend a video tutorial. This one may very well work: http://www.youtube.com/watch?v=7zHLnUCtfUk


    Regards,

    James
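    The filter-then-pivot workflow from posts 7 and 9 (restrict the exported CSV to Intrusion Prevention events whose Event Description mentions the signature, then count hits per computer), written as an added Python script rather than in Excel. This is not code from the thread or from Symantec; the column names and the sample rows are constructed assumptions and should be matched to the header row of a real SEPM export. It also merges several 1000-record exports and drops exact duplicates, which the Excel approach in the thread needs done by hand.

```python
import csv
import io
from collections import Counter

# Constructed sample of a SEPM "Network Threat Protection / Attacks" export.
# Column names are assumptions; the description text is the SID 22689 message
# quoted in the thread.
SAMPLE_EXPORT = """Event Time,Computer Name,Event Type,Event Description
2010-11-10 09:12:01,WS-ACCT-01,Intrusion Prevention,[SID: 22689] HTTP MSIE WPAD Spoofing detected.
2010-11-10 09:14:45,WS-ACCT-01,Intrusion Prevention,[SID: 22689] HTTP MSIE WPAD Spoofing detected.
2010-11-10 11:30:12,WS-ENG-07,Intrusion Prevention,[SID: 22689] HTTP MSIE WPAD Spoofing detected.
2010-11-11 08:02:33,WS-ENG-07,Firewall,Port scan detected.
2010-11-11 08:40:19,WS-HR-03,Intrusion Prevention,[SID: 22689] HTTP MSIE WPAD Spoofing detected.
"""


def iter_rows(exports):
    """Read one or more exported CSV texts (each with its own header row),
    dropping exact duplicate rows that appear when batch exports overlap."""
    seen = set()
    for text in exports:
        for row in csv.DictReader(io.StringIO(text)):
            key = tuple(row.items())
            if key not in seen:
                seen.add(key)
                yield row


def matching_rows(exports, needle, desc_col="Event Description",
                  type_col="Event Type", event_type="Intrusion Prevention"):
    """Rows of the requested event type whose description contains needle
    (case-insensitive); event_type=None skips the type filter."""
    for row in iter_rows(exports):
        if event_type and row.get(type_col, "") != event_type:
            continue
        if needle.lower() in row.get(desc_col, "").lower():
            yield row


def hosts_by_detection(exports, needle, host_col="Computer Name", **kw):
    """Pivot: number of matching events per host, most affected host first."""
    counts = Counter(r[host_col] for r in matching_rows(exports, needle, **kw))
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def first_last_seen(exports, needle, time_col="Event Time", **kw):
    """Earliest and latest timestamp of the detection, or None if no match."""
    times = sorted(r[time_col] for r in matching_rows(exports, needle, **kw))
    return (times[0], times[-1]) if times else None


if __name__ == "__main__":
    for host, n in hosts_by_detection([SAMPLE_EXPORT], "WPAD"):
        print(f"{host}\t{n}")
    print("first/last seen:", first_last_seen([SAMPLE_EXPORT], "WPAD"))
```

Point `exports` at the contents of each CSV you exported from Monitors > Logs and the per-host list is the same thing the pivot table gives you.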



  • 10.  RE: Searching SEPM Logs

    Posted Nov 11, 2010 01:28 PM

    Yes, I plan to watch the video and see how Pivot Tables could help in this and other situations.

    Because I have 4500+ Intrusion Prevention records for the past year...exporting them all, combining them and creating a pivot table is low on my list of fun things to do...querying the "Event Description" column directly would really be my preference.

    Have a great day!

    -Mike

    P.S. Here is how I did it (got my original answer) in SQL:

    SELECT [EVENT_TIME]
          ,[HOST_NAME]
          ,[EVENT_DESC]
    FROM [sem5].[dbo].[AGENT_SECURITY_LOG_1]
    WHERE [EVENT_ID] = '206' and [EVENT_DESC] LIKE '%WPAD%'