Tuesday, January 14, 2020

One of these VBNs is not like the other

In a previous post, Symantec Endpoint Protection VBN Files, I described the file structure of VBN files that contain quarantined files and the process to extract them. It turns out there is another VBN file, with a different structure, that can also contain quarantined files. These files reside in the Quarantine folder itself, not in a subdirectory. The easiest way to tell that they hold quarantined files is by their size compared to the other VBNs in the folder. In the screenshot below, we can see that something is not quite right with 1C980000.VBN.

These VBN files start off like any other VBN. We can grab the first four bytes to find the offset to the Quarantine File Meta header (QFM). Instead of finding the QFM header, though, we find a different structure. This structure is also XORed with 0x5A. (Note: this is one example. I have other files that do not follow this format, so further investigation is needed.)

Examining the structure, we can see that there is another offset that leads to the beginning of the quarantined file and another offset showing the end of the file. With this information, we can extract the quarantined file for further examination. All we need to do is take the QFM offset and add our new offset to it. This will be the beginning of the file. To find the size of the file, we subtract the QFM offset from the file offset and subtract that from the EOF offset. Now that we know where the file starts and ends, we can extract the contents and XOR them with 0x5A.

I have also updated DeXRAY to handle these files.
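The offset arithmetic above, put into code as an added example (this is not DeXRAY's code or Symantec's format documentation). It assumes little-endian offsets, and the positions of the two offset fields inside the XORed structure (start_field, eof_field) are hypothetical parameters, since the post does not document that layout; the sample VBN is constructed to match those assumptions.

```python
import struct

XOR_KEY = 0x5A


def xor5a(data: bytes) -> bytes:
    """Undo the single-byte XOR applied to the quarantine structure and payload."""
    return bytes(b ^ XOR_KEY for b in data)


def extract_quarantined_file(vbn: bytes, start_field: int = 0, eof_field: int = 4) -> bytes:
    """Recover the quarantined file from a 'not like the other' VBN.

    Assumed layout (the field positions are hypothetical, not from the post):
      bytes 0..3         : little-endian offset of the QFM structure
      QFM + start_field  : offset of the file start, relative to QFM
      QFM + eof_field    : offset of the file end, relative to QFM
    """
    qfm_off = struct.unpack_from("<I", vbn, 0)[0]
    # Decode just enough of the XORed structure to read both offset fields.
    hdr = xor5a(vbn[qfm_off:qfm_off + max(start_field, eof_field) + 4])
    start_rel = struct.unpack_from("<I", hdr, start_field)[0]
    eof_rel = struct.unpack_from("<I", hdr, eof_field)[0]
    file_start = qfm_off + start_rel              # QFM offset + new offset
    size = eof_rel - (file_start - qfm_off)       # the post's subtraction, spelled out
    if size < 0 or file_start + size > len(vbn):
        raise ValueError("offsets point outside the VBN")
    return xor5a(vbn[file_start:file_start + size])


def build_sample_vbn(payload: bytes, qfm_off: int = 0x10, struct_len: int = 0x20) -> bytes:
    """Constructed test VBN following the assumed layout (not a real SEP file)."""
    start_rel = struct_len
    eof_rel = struct_len + len(payload)
    header = struct.pack("<I", qfm_off).ljust(qfm_off, b"\x00")
    meta = struct.pack("<II", start_rel, eof_rel).ljust(struct_len, b"\x00")
    return header + xor5a(meta) + xor5a(payload)


SAMPLE_PAYLOAD = b"MZ\x90\x00 constructed quarantined sample"
SAMPLE_VBN = build_sample_vbn(SAMPLE_PAYLOAD)
```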

Friday, June 14, 2019

Introducing SEPparser

SEPparser was created because I could not find anything to parse Symantec Endpoint Protection logs into a human-readable form. I was fairly successful with MS Logparser, but it couldn't parse all the logs correctly. It did not make sense to me to have to go into SEPMC to query logs when they were right on the endpoint. These logs contain a wealth of untapped information that can be used during an investigation. I hope you find it useful.

SEPparser is a command line tool for parsing Symantec Endpoint Protection logs. You can either feed it a single file or an entire directory. This even works remotely. SEPparser will figure out what log it is and parse it correctly.

Symantec logs are in the following locations:
C:\ProgramData\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\Logs
C:\Users\%user%\AppData\Local\Symantec\Symantec Endpoint Protection\Logs

SEPparser.py -h
usage: SEPparser.py [-h] [-f FILE] [-d DIR] [-o OUTPUT] [-a]

optional arguments:
  -h, --help            show this help message and exit
  -f FILE, --file FILE  file to be parsed
  -d DIR, --dir DIR     directory to be parsed
  -o OUTPUT, --output OUTPUT
                        directory to output files to. Default is current
  -a, --append          append to output files.

By default, all csv files will be placed in the directory SEPparser is run from. You can also designate a folder to store them in with the -o option.

After running, the directory should look like this:

The csv files correspond to the logs you would find in the SEP GUI on the endpoint. SEPparser also parses additional information out of the log that you would not see in the GUI. Symantec_Timeline.csv is the combined result of the daily AV logs and AVMan.log. As an example, let's look at a risk entry in the SEP GUI. This is all the information you will get.

Let's see what additional information we can get with SEPparser. SEPparser will give us information like company name, file size, file hash, product version, and product name.

We can also find the signing certificate information.

In addition to the log files, a packet.txt file is created. This file is a hex dump of all packets from the packet log and can be viewed with Wireshark.

In Wireshark, go to File > Import from Hex Dump...

Select the packet.txt file and click Import.

You can now view the packets and save them in a pcap if you choose.


Tuesday, April 2, 2019

Copying locked OST files

When trying to copy .ost files that were in use, I ran into the following error:

esentutl.exe /y /vss <file_to_copy> /d <file_to_save_as>

Operation terminated with error -1 (JET_wrnNyi, Function Not Yet Implemented) after 4.390 seconds.

The reason is that the Windows VSS engine ignores Outlook's .OST files.

To work around this, the OutlookOST value must be deleted from HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\BackupRestore\FilesNotToSnapshot.

reg delete HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\BackupRestore\FilesNotToSnapshot /v OutlookOST /f

Once this is done, the file can be copied.

esentutl.exe /y /vss <file_to_copy> /d <file_to_save_as>

And then the value can be restored when the file is done being copied.

reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\BackupRestore\FilesNotToSnapshot /v OutlookOST /t REG_MULTI_SZ /d $UserProfile$\AppData\Local\Microsoft\Outlook\*.ost /f

Monday, April 1, 2019

All things Symantec

This post contains information on my research into Symantec logs and quarantine files. Content will be updated regularly.

Symantec Endpoint Protection Logs

Symantec Management Client (smc) does not show the entire contents of the log. smc.exe has an -exportlog command-line switch where you can select a log type to export. Log type numbers are as follows:
  • 0 = System Log
  • 1 = Security Log
  • 2 = Traffic Log
  • 3 = Packet Log
  • 4 = Control Log 
These numbers also correlate to an entry in the header of the logs found in C:\ProgramData\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\Logs.
  • 0 = syslog.log
  • 1 = seclog.log
  • 2 = tralog.log
  • 3 = rawlog.log
  • 4 = processlog.log

Log File Structure

Symantec Endpoint Protection VBN Files

Folder structure makes a difference in what is contained in the vbn file. SEP quarantine files are located in C:\ProgramData\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\Quarantine. In the quarantine folder, there is a vbn file and a folder with the same name as the vbn file.

Wednesday, December 5, 2018

Comparing Packet Captures to Procmon Traces Revisited

In my previous post, Comparing Packet Captures to Procmon Traces, I demonstrated how to match Procmon to pcap data. When I looked at this again, I noticed something peculiar. When Procmon shows a length of 3760, everything gets thrown off.

Looking at the output from Procmon and TCPdump, everything matches up until we hit a length of 3760. So what is happening here? It turns out, if you want to match the packets up, one of them needs to be split.

So it turns out there is an exception to the rule. If the length equals 3760, we have to add the length of the next entry to it. The packets in TCPdump should add up to this combined number. Looking at the example, the third packet will be split between the two Procmon entries.
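The 3760 exception as a matching routine, added here as an example (not the original post's code): a Procmon length of exactly 3760 is joined with the entry that follows it, and pcap packets are then consumed until they add up to each (combined) Procmon length. The sample lengths are constructed so that one pcap packet is split between two Procmon entries, as in the post.

```python
PROCMON_SPLIT_LENGTH = 3760


def combine_procmon_lengths(lengths):
    """Apply the exception: a 3760-byte Procmon entry is merged with the next one.

    Returns a list of (combined_length, [original Procmon entry indexes]).
    """
    combined, i = [], 0
    while i < len(lengths):
        if lengths[i] == PROCMON_SPLIT_LENGTH and i + 1 < len(lengths):
            combined.append((lengths[i] + lengths[i + 1], [i, i + 1]))
            i += 2
        else:
            combined.append((lengths[i], [i]))
            i += 1
    return combined


def match_packets(procmon_lengths, pcap_lengths):
    """Map each (combined) Procmon entry to the pcap packets that add up to it.

    Returns a list of (procmon_indexes, pcap_indexes). Raises ValueError when the
    running pcap total overshoots a Procmon length, i.e. the two streams no
    longer line up and the matching rule needs another look.
    """
    matches, p = [], 0
    for total, pm_idx in combine_procmon_lengths(procmon_lengths):
        acc, pk_idx = 0, []
        while acc < total and p < len(pcap_lengths):
            acc += pcap_lengths[p]
            pk_idx.append(p)
            p += 1
        if acc != total:
            raise ValueError(
                f"Procmon entries {pm_idx} ({total} bytes) do not match "
                f"pcap packets {pk_idx} ({acc} bytes)"
            )
        matches.append((pm_idx, pk_idx))
    return matches


# Constructed sample: the 3760-byte Procmon entry and the 1000-byte entry after
# it together cover pcap packets 1 and 2 (2000 + 2760 = 4760), so packet 2 is
# split between the two Procmon entries.
PROCMON_SAMPLE = [1460, 3760, 1000, 500]
PCAP_SAMPLE = [1460, 2000, 2760, 500]
```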

Friday, August 3, 2018

Windows 10 Notification WAL database

David Cowen recently wrote an article about revisiting the Windows 10 Notification database. From my observations, the database is in Write-Ahead Logging mode. The wpndatabase.db-wal file can contain deleted entries. I came up with a way to view the wal file.

I forked a python script (Walitean) because the endianness of the integers was wrong. With my forked version, you can convert the wal file into a sql database to view by doing the following:

Once the wal file is converted, you can run the following sql query to parse the database:

SELECT unknown0 AS Id, unknown1 AS HandlerId, unknown2 AS ActiveId, unknown3 AS Type,
       unknown4 AS Payload, unknown5 AS Tag, unknown6 AS 'Group',
       datetime((unknown7/10000000)-11644473600, 'unixepoch') AS ExpiryTime,
       datetime((unknown8/10000000)-11644473600, 'unixepoch') AS ArrivalTime,
       unknown9 AS DataVersion
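To check the query's FILETIME conversion on known values, here is an added example (not part of the original post or of Walitean) that loads constructed rows in the unknown0..unknown9 shape into an in-memory SQLite database and runs the query. The table name wal_rows is a hypothetical placeholder; the post does not give the table names Walitean produces.

```python
import sqlite3

# Seconds between the Windows FILETIME epoch (1601-01-01) and the Unix epoch.
FILETIME_EPOCH_DELTA = 11644473600


def filetime_to_unix(filetime: int) -> int:
    """Same conversion the SQL does: 100 ns ticks since 1601 -> Unix seconds."""
    return filetime // 10_000_000 - FILETIME_EPOCH_DELTA


def unix_to_filetime(unix_seconds: int) -> int:
    """Inverse conversion, used to build the sample rows."""
    return (unix_seconds + FILETIME_EPOCH_DELTA) * 10_000_000


# The post's query with a FROM clause added; wal_rows is a hypothetical table name.
NOTIFICATION_QUERY = """
SELECT unknown0 AS Id, unknown1 AS HandlerId, unknown2 AS ActiveId, unknown3 AS Type,
       unknown4 AS Payload, unknown5 AS Tag, unknown6 AS 'Group',
       datetime((unknown7/10000000)-11644473600, 'unixepoch') AS ExpiryTime,
       datetime((unknown8/10000000)-11644473600, 'unixepoch') AS ArrivalTime,
       unknown9 AS DataVersion
FROM wal_rows
"""

# Constructed rows: one toast that arrived at 2019-06-13 23:50:00 UTC and
# expires ten minutes later (2019-06-14 00:00:00 UTC, Unix time 1560470400).
SAMPLE_ROWS = [
    (7, 3, 0, "toast", "<toast><text>constructed</text></toast>", "tag1", "grp",
     unix_to_filetime(1560470400), unix_to_filetime(1560470400 - 600), 1),
]


def parse_notifications(rows=SAMPLE_ROWS):
    """Load rows into an in-memory database and return the query result as dicts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE wal_rows (%s)" % ", ".join(f"unknown{i}" for i in range(10)))
    conn.executemany("INSERT INTO wal_rows VALUES (?,?,?,?,?,?,?,?,?,?)", rows)
    cur = conn.execute(NOTIFICATION_QUERY)
    names = [d[0] for d in cur.description]
    return [dict(zip(names, r)) for r in cur.fetchall()]
```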

My forked version of Walitean can be found here:


Wednesday, May 16, 2018

ProcDOT GeoIP plugin

Today I would like to introduce to you my first event handler plugin. The plugin is designed to run after you click on the refresh button in ProcDOT. You will need an Internet connection on first run because GeoIP needs to download the MaxMind databases to get the location information for the IP address. The GeoIP information is then added to the details view on a server node.

Details view without GeoIP plugin

Details view with GeoIP plugin

There is a pretty interesting side effect that I happened to come across. The plugin also creates variables that you can call with other plugins.

Variables without plugin

Variables with plugin

Because of this discovery, I am currently developing a clone of Christian's Server List plugin that includes the GeoIP information.

GeoIP binaries can be found here for easy install.