Friday, June 14, 2019

Introducing SEPparser

SEPparser was created because I could not find anything to parse Symantec's Endpoint Protection logs into a human-readable form. I was fairly successful with MS Logparser, but it couldn't parse all the logs correctly. It did not make sense to me to have to go into SEPMC to query logs when they were right on the endpoint. These logs contain a wealth of untapped information that can be used during an investigation. I hope you find it useful.

SEPparser is a command line tool for parsing Symantec Endpoint Protection logs. You can either feed it a single file or an entire directory. This even works remotely. SEPparser will figure out what log it is and parse it correctly.

Symantec logs are in the following locations:
C:\ProgramData\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\Logs
C:\Users\%user%\AppData\Local\Symantec\Symantec Endpoint Protection\Logs

SEPparser.py -h
usage: SEPparser.py [-h] [-f FILE] [-d DIR] [-o OUTPUT] [-a]

optional arguments:
  -h, --help            show this help message and exit
  -f FILE, --file FILE  file to be parsed
  -d DIR, --dir DIR     directory to be parsed
  -o OUTPUT, --output OUTPUT
                        directory to output files to. Default is current
                        directory.
  -a, --append          append to output files.

By default, all csv files will be placed in the directory SEPparser is run from. You can also designate a folder to store them in with the -o option.

After running, the directory should look like this:
The csv files correspond to the logs you would find in the SEP GUI on the endpoint. SEPparser also parses additional information out of the log that you would not see in the GUI. The Symantec_Timeline.csv is the combined result of the daily AV logs and the AVMan.log. As an example, let's look at a risk entry in the SEP GUI. This is all the information you will get.
Let's see what additional information we can get with SEPparser. SEPparser will give us information like company name, file size, file hash, product version, and product name.

We can also find the signing certificate information.

In addition to the log files, a packet.txt file is created. This file is a hex dump of all packets from the packet log and can be viewed with Wireshark.
In Wireshark go to File > Import from Hex Dump...

Select the packet.txt file and click Import.

You can now view the packets and save them in a pcap if you choose.

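As an added example (not SEPparser's own code, which the post does not show), the Python below writes packet bytes in the offset-prefixed hex dump form that Wireshark's hex dump import (and the text2pcap tool behind it) documents, and parses such a file back so you can confirm a packet.txt round-trips. The sample ARP frame and the function names are constructed for this example; how SEPparser itself lays out packet.txt is an assumption here.

```python
"""Write packets as an od -A x -t x1 style hex dump (the form Wireshark's
"Import from Hex Dump" accepts) and read such a dump back.
Added example; not code from the SEPparser project."""
import re
from typing import List

# Constructed sample: a 42-byte Ethernet/ARP request frame, used only to
# exercise the functions below.
SAMPLE_FRAME = bytes.fromhex(
    "ffffffffffff" "001122334455" "0806"   # Ethernet: dst, src, type=ARP
    "0001" "0800" "06" "04" "0001"         # ARP: hw type, proto, sizes, opcode=request
    "001122334455" "c0a80101"              # sender MAC / IP
    "000000000000" "c0a80102"              # target MAC / IP
)


def frame_to_hexdump(frame: bytes, width: int = 16) -> str:
    """Return one packet as hex dump lines: a 6-digit hex offset followed by
    up to `width` bytes as 2-digit hex. A final line carrying only the end
    offset (as od prints it) closes the packet. Wireshark starts a new
    packet whenever the offset returns to 0."""
    lines = []
    for off in range(0, len(frame), width):
        chunk = frame[off:off + width]
        lines.append(f"{off:06x} " + " ".join(f"{b:02x}" for b in chunk))
    lines.append(f"{len(frame):06x}")
    return "\n".join(lines) + "\n"


def frames_to_hexdump(frames: List[bytes]) -> str:
    """Concatenate several packets into one importable text file."""
    return "".join(frame_to_hexdump(f) for f in frames)


# offset, then zero or more whitespace-separated hex bytes
_LINE = re.compile(r"^([0-9a-fA-F]+)((?:\s+[0-9a-fA-F]{2})*)\s*$")


def hexdump_to_frames(text: str) -> List[bytes]:
    """Parse a dump back into packets. A packet ends at an offset-only line
    or when the next line's offset resets to 0. Offsets are checked against
    the bytes read so far, so a truncated or mis-ordered dump is rejected
    instead of silently producing a wrong packet."""
    frames: List[bytes] = []
    cur = bytearray()
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError(f"unparseable hex dump line: {line!r}")
        offset = int(m.group(1), 16)
        data = bytes.fromhex(m.group(2).replace(" ", ""))
        if offset == 0 and cur:             # new packet without an end marker
            frames.append(bytes(cur))
            cur = bytearray()
        if offset != len(cur):
            raise ValueError(f"offset {offset:#x} does not match {len(cur)} bytes read")
        if not data:                        # end-of-packet marker line
            if cur:
                frames.append(bytes(cur))
                cur = bytearray()
            continue
        cur.extend(data)
    if cur:
        frames.append(bytes(cur))
    return frames


if __name__ == "__main__":
    dump = frames_to_hexdump([SAMPLE_FRAME])
    print(dump, end="")
    assert hexdump_to_frames(dump) == [SAMPLE_FRAME]
```

Writing the dump to a file and importing it with File > Import from Hex Dump... (offsets in hex, encapsulation Ethernet) gives one Ethernet frame per packet; the parser's offset check is the same property Wireshark relies on, so a dump that fails here will not import cleanly either.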
Download
https://github.com/Beercow/SEPparser
https://github.com/Beercow/SEPparser/releases

Tuesday, April 2, 2019

Copying locked OST files

When trying to copy .ost files that were in use, I was running into the following error:

esentutl.exe /y /vss <file_to_copy> /d <file_to_save_as>

Operation terminated with error -1 (JET_wrnNyi, Function Not Yet Implemented) after 4.390 seconds.

The reason is that the Windows VSS engine ignores Outlook's .OST files.

To work around this, the OutlookOST value must be deleted from HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\BackupRestore\FilesNotToSnapshot.

reg delete HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\BackupRestore\FilesNotToSnapshot /v OutlookOST /f

Once this is done, the file can be copied.

esentutl.exe /y /vss <file_to_copy> /d <file_to_save_as>

Once the copy is done, the value can be restored.

reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\BackupRestore\FilesNotToSnapshot /v OutlookOST /t REG_MULTI_SZ /d $UserProfile$\AppData\Local\Microsoft\Outlook\*.ost /f

Monday, April 1, 2019

All things Symantec

This post contains information on my research into Symantec logs and quarantine files. Content will be updated regularly.

Symantec Endpoint Protection Logs

Symantec Management Client (smc) does not show the entire contents of the log. smc.exe has an -exportlog command-line switch where you can select a log type to export. Log_type numbers are as follows:
  • 0 = System Log
  • 1 = Security Log
  • 2 = Traffic Log
  • 3 = Packet Log
  • 4 = Control Log
These numbers also correlate to an entry in the header of the logs found in C:\ProgramData\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\Logs.
  • 0 = syslog.log
  • 1 = seclog.log
  • 2 = tralog.log
  • 3 = rawlog.log
  • 4 = processlog.log

Log File Structure

Symantec Endpoint Protection VBN Files

Folder structure makes a difference in what is contained in the vbn file. SEP quarantine files are located in C:\ProgramData\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\Quarantine. In the quarantine folder, there is a vbn file and a folder with the same name as the vbn file.