Friday, June 14, 2019

Introducing SEPparser

SEPparser was created because I could not find anything to parse Symantec's Endpoint Protection logs into a human readable form. I was fairly successful with MS Logparser but it couldn't parse all the logs correctly. It did not make sense to me to have to go into SEPMC to query logs when they were right on the endpoint. These logs  contain a wealth of untapped information that can be used during an investigation. I hope you find it useful.

SEPparser is a command line tool for parsing Symantec Endpoint Protection logs. You can either feed it a single file or an entire directory. This even works remotely. SEPparser will figure out what log it is and parse it correctly.

Symantec logs are in the following locations:
C:\ProgramData\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\Logs
C:\Users\%user%\AppData\Local\Symantec\Symantec Endpoint Protection\Logs -h
usage: [-h] [-f FILE] [-d DIR] [-o OUTPUT] [-a]

optional arguments:
  -h, --help            show this help message and exit
  -f FILE, --file FILE  file to be parsed
  -d DIR, --dir DIR     directory to be parsed
  -o OUTPUT, --output OUTPUT
                        directory to output files to. Default is current
  -a, --append          append to output files.

By default, all csv files will be placed in the directory SEPparser is run from. You can also designate a folder to store them in with the -o option.

After running, the directory should look like this:
The csv files correspond to the logs you would find in the SEP gui on the endpoint. SEPparser also parses additional information out of the log that you would not see in the gui. The Symantec_Timeline.csv is the combined results of the daily AV logs and the AVMan.log. As an example, lets look at a risk entry in the SEP gui. This all the information you will get.
Lets see what additional information we ca get with SEPparser. SEPparser will give us information like company name, file size, file hash, product version, and product name.

We can also find the signing certificate information.

In addition to the log files, a packet.txt file is created. This file is a hex dump of all packets from the packet log and can be viewed with Wireshark.
In Wireshark go to File > Import from Hex Dump...

Select the paclet.txt file and click Import

You can now view the packets and save them in a pcap if you choose


1 comment:

  1. This is an awesome idea, thanks for sharing your work!