Thursday, March 1, 2018

Symantec Endpoint Protection VBN files

My goal originally, was to improve the way DeXRAYextracted files from Symantec Endpoint Protection (SEP) vbn quarantine files. I decided to dig a little deeper into the vbn format because it is not documented well. What I ended up finding out is that there is a lot of information contained inside vbn files. All vbn files are not created equal. Some contain the quarantined files, while others do not. It all depends on where they are in the quarantine folder structure. The vbn file structure has undergone two revisions, from what I can tell. Version 1 of the format was used up to SEP 11. Version 2 is used in SEP 12 and 14.

I would like to give a special thank you to @Hexacorn for getting me some older samples to work with.

The file format for version 1 can be found here. Version 2 here. There is still quit a bit that is unknown. If you find any mistakes or know what some of the structures are, please let me know and I will update them.

Quarantine File Folder Structure


Folder structure makes a difference in what is contained in the vbn file. SEP quarantine files are located in C:\ProgramData\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\Quarantine. In the quarantine folder, there is a vbn file and a folder with the same name as the vbn file.


The vbn files and folders get their name from the Vbin Session ID/Record ID in hex format.

VBN V1


VBN V2

I have not dug into these vbn files too much yet. If we search for Vbin Session ID/Record ID, depending on version, we come across a series of values that start with 01 07 03. The first one, in green, is our folder name. The second one, in blue, is the name of the vbn file in the folder. This is the vbn that will contain the quarantined file.


VBN V1


VBN V2
The vbn files that contain the quarantined file get their name from the unix 32-bit time value (0x560 in v1, 0x7D0 in v2).

Log Line


Inside the vbn, there is a comma delimited list at 0x184. This list is the log line. It may not be clear at first but, there is a wealth of information in this list. We'll start by taking a look at version 1. Version 1 has the following fields:

Time,Event,Category,Logger,Computer,User,Virus,File,Wanted Action 1,Wanted Action 2,Real Action,Virus Type,Flags,Description,ScanID,New_Ext,Group ID,Event Data,VBin_ID,Virus ID,Quarantine Forward Status,Access,SND_Status,Compressed,Depth,Still Infected,Def Info,Def Sequence Number,Clean Info,Delete Info,Backup ID,Parent,GUID,Client Group,Address,Domain Name,NT Domain,MAC Address,Version,Remote Machine,Remote Machine IP,Action 1 Status,Action 2 Status,License Feature Name,License Feature Version,License Serial Number,License Fulfillment ID,License Start Date,License Expiration Date,License LifeCycle,License Seats Total,License Seats,Error Code,License Seats Delta,Status,Domain GUID,Log Session GUID,VBin Session ID,Login Domain,Event Data 2

Version 2 has the same fields as version 1 plus some extras:

Time,Event,Category,Logger,Computer,User,Virus,File,Wanted Action 1,Wanted Action 2,Real Action,Virus Type,Flags,Description,ScanID,New_Ext,Group ID,Event Data,VBin_ID,Virus ID,Quarantine Forward Status,Access,SND_Status,Compressed,Depth,Still Infected,Def Info,Def Sequence Number,Clean Info,Delete Info,Backup ID,Parent,GUID,Client Group,Address,Domain Name,NT Domain,MAC Address,Version,Remote Machine,Remote Machine IP,Action 1 Status,Action 2 Status,License Feature Name,License Feature Version,License Serial Number,License Fulfillment ID,License Start Date,License Expiration Date,License LifeCycle,License Seats Total,License Seats,Error Code,License Seats Delta,Status,Domain GUID,Log Session GUID,VBin Session ID,Login Domain,Event Data 2,Eraser Category ID,Dynamic Categoryset ID,Dynamic Subcategoryset ID,Display Name To Use,Reputation Disposition,Reputation Confidence,First Seen,Reputation Prevalence,Downloaded URL,Creator For Dropper,CIDS State,Behavior Risk Level,Detection Type,Acknowledge Text,VSIC State,Scan GUID,Scan Duration,Scan Start Time,TargetApp Type,Scan Command GUID

The information on how to decipher what the various fields mean can be found here. There was too much information to put into this article.

Decryption

Finding and decrypting the quarantined file in version1 is fairly straight forward. Grab the first four bytes from the beginning of the file. It is in little endian. In this example, the hex value translates to E5C. This is the offset to the quarantined file.


If we go to this offset, we will fined our quarantined file XORed with 5A.


Version 2 is a little trickier. We start off the same way, by grabbing the first four bytes of the file. Again, little endian.


Instead of finding the quarantined file, we find the Quarantine File Meda (QFM) Header XORed with 5A.


Once the XOR is removed, we can see some values in the QFM header. At offset 0x1298 is the size of the QFM Header. 0x12A0 is the QFM size and 0x12B8 is the total size of the QFM and the QFM Header.


If we take the value at 0x12A0 (897) and add it to 1290, we come up with another offset, 0x1B27 in this case. The structure of this section is as follows:

0x1B27(6951) = 0x03030000000A010852000000
    • 0x1B2E(6958) = 0x8 datatype representing unicode
    • 0x1B2F(6959) = Unicode string size
    • 0x1B33(6963) = Unicode hash SHA1
0x1B85(7045) = 0x030200000003020000000908000000
0x1B94(7060) = Original quarantined file size


Following the quarantine file size will either be 0x08 or 0x09. If it is 0x09, we have arrived at the quarantined file. If it is 0x08, the following optional section is present. 

0x1B9C(7068) = 0x08
    • 0x1B9D(7069) = Size of Security Descriptor string
    • 0x1BA1(7073) = Security Descriptor
    • 0x1C5B(7259) = Unknown
    • 0x1C60(7264) = 0x4
    • 0x1C61(7265) = Original quarantined file size
    • 0x1C69(7273) = 0x9



The quarantine file is broken up into chunks. The size of the chunks can be figured out by looking at the chunk dividers. The chunk dividers start with 0x09. The next four bytes after are the size of the chunk.






The chunk itself is XORed with A5. Continue to the next chunk divider, get the size and wash, rinse, repeat.


If there is anything you would like me to expand upon or explain better, let me know and I will add it.

Sources 

http://www.securitybraindump.com/2011/08/carving-symantec-vbn-files.html
http://dofir.net/post/81425257003/a-study-of-symantecs-vbn-file-format
http://www.hexacorn.com/blog/2012/09/21/dexray-decrypting-vbn-files-part-2/
https://support.symantec.com/en_US/article.TECH100099.html

1 comment: