Monday, May 3, 2021

SEPparser Released

What is SEPparser?

SEPparser is a command line tool to examine artifacts from Symantec Endpoint Protection (SEP). SEPparser can be run against a single file, a directory, a dead box system (write-blocked hard drive or mounted collection), or for live response.


Capabilities

  • Parse settings for log files
  • Parse the following log files:
    • Security log
    • System log
    • Firewall Traffic log
    • Firewall Packet log
    • Application and Device Control log
    • AV Management plugin log
    • Daily AV logs
  • Extract packets from Firewall Packet log
  • Parse ccSubSDK database into csv reports
  • Extract potential binary blobs from ccSubSDK
  • Parse VBN files into csv reports
  • Extract quarantine data to file or hex dump
  • Perform hex dump of VBN for research

Using SEPparser

SEPparser can be run on Windows or Linux. Running SEPparser by itself shows all the available options.

There are quite a few options, but it is straightforward to use.


Basic usage

To run SEPparser, all you need to do is point it to a file (-f) or a directory (-d) and SEPparser will take care of the rest. Output is stored in the current directory SEPparser is run from. This can be changed with the output (-o) option.


But what if we don't know the location of the Symantec files? The -d option can be pointed at the base directory, and all files under that path will be scanned recursively. To speed up the process, or when running from a script, KAPE mode (-k) can be used in conjunction with -d: SEPparser then only scans the locations where SEP data is stored instead of every file.

If we want to append data to output files that SEPparser already created, the append (-a) option can be used.

Once SEPparser is finished a series of csv files will be created.


Time Zones

Some of the time stamps in SEP's data are in UTC and others are recorded in the time zone set on the device they came from. There are a couple of ways to get all the time stamps to be in UTC.  

  1. If the registrationInfo.xml file is found during the scan, the offset will be automatically applied.
  2. The -r option can be used to point to the location of the registrationInfo.xml file so the offset can be automatically applied.
  3. The -tz option can be used to manually enter a time zone offset.


Logging

SEPparser has a logging feature (-l) that can be used to save the console output to a log file. This can be useful to check for errors during parsing. If an error occurred, the -v option can be used to get a more verbose output of what went wrong.


Quarantine Files (VBN)

When it comes to quarantine files, SEPparser has some additional features that can be useful.  

SEPparser has the ability to extract (-e) the quarantined data or it can dump the data to the console in hex format with the -qd option.


SEPparser can also produce a hex dump of the VBN itself. While SEPparser does a rather good job of parsing VBNs into the csv report, there is still data that it cannot parse, because some parts of the VBN format are unknown. The hex dump can help researchers understand and figure out what these unknown parts of the file format mean.


SEPparser also has a hash-file (-hf) option that can be used when parsing VBN files for reports. Because there can be extra data in the VBN file, the hash recorded in the VBN is not always the hash of the actual file. With the -hf option, SEPparser will record the MD5, SHA1, and SHA256 of the actual quarantined data.


ccSubSDK Database

SEPparser has an extract-blob (-eb) option that can be used when parsing the ccSubSDK database. With this option enabled, SEPparser will extract anything that could be an executable contained in the ccSubSDK database.


Packets

SEPparser has one more trick up its sleeve. When parsing the raw.log (packet log), SEPparser will extract the packets from the log into a text file. This text file can then be loaded into a tool like Wireshark to examine the packets. Note that SEP only captures the packet headers, not the payload data associated with them.


There is a public GitHub repository, located at https://github.com/Beercow/SEPparser, containing SEPparser and a wiki with the file formats for the SEP artifacts. KAPE also includes targets and modules for Symantec Endpoint Protection and SEPparser. If you find any errors or would like to contribute, issues/pull requests are always welcome. 

Tuesday, March 30, 2021

Your AV is Trying to Tell You Something: Registry

registry_keys.md

What research is complete without looking at the registry? There are a few interesting keys that can be found here. One will tell you the worst infection type that occurred on the endpoint, others list files that were quarantined and various other settings. This list is not complete, but I tried to hit on some of the more interesting ones.

Registry Key Entries

Registry key entries are found in the following location:

  • Hive: HKLM\SOFTWARE
  • File: C:\Windows\System32\config\SOFTWARE

All registry subkeys are placed in the following location: HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion, or under HKLM\SOFTWARE\Wow6432Node\Symantec... on a 64-bit OS.

Key | Name | Description
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV | VirusEngine | DLL of virus engine
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV | LocalMAC | MAC address of the computer
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV | MyProcessID | Process ID of ccSvcHst.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV | LogFileRollOverDays | Number of days logs are kept
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV | WorstInfectionType | Severity of the worst detection that was made:
  0 = (Severity 0) Viral
  1 = (Severity 1) Non-viral malicious
  2 = (Severity 2) Malicious
  3 = (Severity 3) Antivirus - Heuristic
  5 = (Severity 5) Hack tool
  6 = (Severity 6) Spyware
  7 = (Severity 7) Trackware
  8 = (Severity 8) Dialer
  9 = (Severity 9) Remote access
  10 = (Severity 10) Adware
  11 = (Severity 11) Jokeware
  12 = (Severity 12) Client compliancy
  13 = (Severity 13) Generic load point
  14 = (Severity 14) Proactive Threat Scan - Heuristic
  15 = (Severity 15) Cookie
  9999 = No detections
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV | TimeOfLastVirus | The last time a virus was detected on the client computer (GMT)
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV | TimeOfLastScan | The last scan time for this agent (GMT)
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Quarantine | BackupItemPurgeAgeLimit | Maximum days to hold onto backup items
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Quarantine | BackupItemPurgeEnabled | To enable backup item purge:
  0 = OFF
  1 = ON
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Quarantine | BackupPurgeBySizeDirLimit | Maximum size in Megabytes of the backup folder
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Quarantine | BackupPurgeBySizeEnabled | To enable sizing of backup folder:
  0 = OFF
  1 = ON
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Quarantine | ForwardingEnabled | Enable forwarding of quarantine to central server:
  0 = OFF
  1 = ON
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Quarantine | ForwardingPort | Port of forwarding server
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Quarantine | ForwardingProtocol | Protocol of forwarding server
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Quarantine | ForwardingServer | Path to forwarding server
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Quarantine | QuarantinePurgeAgeLimit | Maximum days to hold onto quarantine files
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Quarantine | QuarantinePurgeBySizeDirLimit | Maximum size in Megabytes of the quarantine folder
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Quarantine | QuarantinePurgeBySizeEnabled | To enable sizing of quarantine folder:
  0 = OFF
  1 = ON
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Quarantine | QuarantinePurgeEnabled | To enable quarantine purge:
  0 = OFF
  1 = ON
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Quarantine | RepairedItemPurgeAgeLimit | Maximum days to hold onto repaired items
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Quarantine | RepairedItemPurgeEnabled | To enable repaired item purge:
  0 = OFF
  1 = ON
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Quarantine | RepairedPurgeBySizeDirLimit | Maximum size in Megabytes of the repaired folder
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Quarantine | RepairedPurgeBySizeEnabled | To enable sizing of repaired folder:
  0 = OFF
  1 = ON
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Quarantine\QRecords\(10 digit numerical folder) | FName | Name of file that was quarantined
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\public-opstate | AVRunningStatus | Registers whether Virus and Spyware Protection is enabled or disabled.
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\public-opstate | LatestVirusDefsDate | Virus definition date in use by client
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\public-opstate | LatestVirusDefsRevision | Virus definition revision number in use by client
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\public-opstate | Infected | Registers whether the client computer is infected with one or more risks that are detected by Virus and Spyware Protection:
  0 = Not infected
  1 = Infected
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\public-opstate | snac_enabled | Registers whether Symantec Network Access Control is enabled or disabled.
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\public-opstate | FWRunningStatus | Registers whether firewall protection is enabled or disabled.
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\public-opstate | LastServerIP | Registers the IP address of the most recent Symantec Endpoint Protection management server that the client connected to.
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\public-opstate | ComputerID | Computer ID
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\public-opstate | RebootReason | Registers the reason for a restart of the client computer:
  0 = No reboot required.
  1 = Reboot required for threat remediation.
  2 = Reboot required for product patch.
  3 = Reboot required for content update.
  4 = Reboot required for install completion.
  5 = Reboot required by SEP manager command.
  6 = Reboot required due to catastrophic install failure.
  7 = Reboot required for driver config change.
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\public-opstate | ASRunningStatus | Registers whether Virus and Spyware Protection is enabled or disabled.
  Note: This subkey appears to be redundant with the following subkey.
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\public-opstate | DeployStatus | Registers details about the status of client software download, installation, upgrade, or patch. This is an integer sent by the client to represent the current deployment status. It can be generated by the client itself or by the installer:
  302448896 = Symantec Endpoint Protection Manager indicated an upgrade package for the client.
  302448897 = The client decided to accept the upgrade package.
  302448898 = The client decided to reject the upgrade package.
  302449152 = The client has requested package information for the upgrade.
  302449153 = The client has received package information for the upgrade.
  302449408 = The client hasn't allowed the download of the upgrade package to start.
  302449409 = The client has successfully downloaded and verified the upgrade package.
  302449664 = The client failed to apply the upgrade package.
  302449665 = The client failed to patch the delta.
  302449666 = The client failed to launch the upgrade installer.
  302449667 = The client successfully launched the final upgrade installer.
  302449920 = The client is requesting the full version of the upgrade package due to the delta's failure.
  302456832 = Install successful.
  302460928 = Install repair successful.
  302465024 = Uninstall successful.
  302469120 = Install failed and rolled back.
  302469121 = Install failed due to insufficient disk space.
  302469122 = Install failed due to a launch condition.
  302469123 = Install failed; a consumer product was found.
  302469124 = Restart pending.
  302456833 = Files copied.
  302469125 = Install failed; a legacy enterprise edition was found.
  302469126 = Install failed due to non-elevated privileges.
  302469127 = Install failed due to an incompatible operating system.
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\public-opstate | InstallType | Registers the type of installed client:
  0 = Standard
  1 = Embedded or VDI
  2 = Dark network
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\public-opstate | DeployMessage | This is a freeform, detailed message sent by the client to elaborate on the deployment status.
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\public-opstate | DeployPreviousVersion | Registers the four-part version number of the Symantec Endpoint Protection client software that was previously installed on the client computer.
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\public-opstate | DeployTargetVersion | Registers the four-part version number of the Symantec Endpoint Protection client software that is planned for future installation on the client computer.
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\public-opstate | DeployRunningVersion | Registers the four-part version number of the Symantec Endpoint Protection client software that is currently installed on the client computer.
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\public-opstate | DeployTimestamp | The time of the deployment action.
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\public-opstate | LastSuccessfulScanDateTime | Date and time of last successful scan
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\SharedDefs\ACDefs | AC | Version of definition the client is currently using.
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\SharedDefs\BASHDef | BASH | Version of definition the client is currently using.
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\SharedDefs\ccSubSDK_SCD_Defs | ccSubSDK_SCD | Version of definition the client is currently using.
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\SharedDefs\EDRDefs | EDR | Version of definition the client is currently using.
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\SharedDefs\EfaVTDefs | SymEFA | Version of definition the client is currently using.
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\SharedDefs\HIDefs | HI | Version of definition the client is currently using.
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\SharedDefs\IPSDefs | Internet Security | Version of definition the client is currently using.
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\SharedDefs\IronRevocationDefs | IronRevocation | Version of definition the client is currently using.
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\SharedDefs\IronSettingsDefs | IronSettings | Version of definition the client is currently using.
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\SharedDefs\IronWhitelistDefs | IronWhitelist | Version of definition the client is currently using.
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\SharedDefs\PCHDefs | PCH | Version of definition the client is currently using.
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\SharedDefs\SDSDefs | APSCandShim56 | Version of definition the client is currently using.
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\SharedDefs\SDSDefs | DEFWATCH_10 | Version of definition the client is currently using.
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\SharedDefs\SDSDefs | NAVCORP_70 | Version of definition the client is currently using.
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\SharedDefs\SDSDefs | SRTSP | Version of definition the client is currently using.
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\SharedDefs\SMDefs | SMR | Version of definition the client is currently using.
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\SharedDefs\SRTSPSettingsDefs | SRTSPSettings | Version of definition the client is currently using.
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\SharedDefs\STICDefs | STIC | Version of definition the client is currently using.
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\SharedDefs\STICDefs | STIC_SCAN | Version of definition the client is currently using.
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\SharedDefs\SymPlatformDefs | SymPlatform | Version of definition the client is currently using.
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\CurrentVersion\SharedDefs\TDADDefs | TDAD | Version of definition the client is currently using.
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC | CurLocation | Current location of device
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC | EnableDebug802.1x | This debug setting is used to help isolate EAP 802.1x issues. The registry key causes the 802.1x EAP information to be written to the standard debug.log file.
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC | smc_debug_level | smc_debug_level affects the logging of virus and spyware events:
  2 = system debugger
  4 = transaction logs
  6 = everything
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC | smc_debug_log_level | smc_debug_log_level affects the logging of firewall events:
  0 = debug
  1 = info
  2 = warning
  3 = fatal
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC | smc_engine_status | To check if Network Threat Protection is installed and is turned ON:
  0 = turned OFF
  1 = turned ON
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\SSHelper | EnableScriptDebug | The Host Integrity check is performed on the agent machine by a JavaScript file included in the policies downloaded from the policy manager. Normally this script is deleted once Host Integrity is done, but by setting this registry key the file is not deleted. You can then review the script for troubleshooting.
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\SYLINK\SyLink | DumpSylink | Sylink is the client component responsible for communication with the Symantec Endpoint Protection Manager (SEPM) server. This debug setting is an alternative to running the SylinkWatcher/SylinkMonitor tool to log client-server communication.
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\SYLINK\SyLink | HardwareID | The Hardware ID of the client
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\SYLINK\SyLink | PolicyMode | Whether the client is communicating with SEPM or is OFFLINE:
  1 = communicating
  0 = offline
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\SYLINK\SyLink | Preferredgroup | Which group the client is pointing to
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\SYLINK\SyLink | SerialNumber | Policy serial number on client
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\TSE | ExtendedDebug | Extended TSE debugging for Network Threat Protection
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\Trident | AutoLocationDump | This debug setting makes the Symantec Endpoint Protection agent write AutoLocation switching information to the standard debug.log file.

Sources:

  • Finding the current info, including definition dates, for Endpoint Protection in the registry
  • Symantec Endpoint Protection - Few Registry Tweaks

Tuesday, March 23, 2021

Your AV is Trying to Tell You Something: Submission Engine

ccSubSDK

"Symantec Endpoint Protection clients automatically submit pseudonymous information about detections, network, and configuration to Symantec Security Response. Symantec uses this pseudonymous information to address new and changing threats as well as to improve product performance. Pseudonymous data is not directly identified with a particular user.

The detection information that clients send includes information about antivirus detections, intrusion prevention, SONAR, and file reputation detections." [1]

These files can be found at the following location: C:\ProgramData\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\CmnClnt\ccSubSDK

Inside this folder are the submissions.idx file and a series of GUID files. Let's look at the submissions.idx file first.

ccSubSDK folder structure

submissions.idx

The submissions.idx file appears to be a type of index for the GUID files. Symantec had a database and word processing product called Q&A from 1985 to 1998. It just so happens that one of its database extensions was idx. My hypothesis is that Symantec is either using their old database format, or parts of it, to index and send submission data back to their servers.

The format of the file is fairly simple. It contains a header and a series of indexed entries that point back to the GUID files. The header starts with 0x3216144C and contains the size of the submissions.idx file. After the header come the indexes.


Each index contains a header starting with 0x4099C689. This header contains information on the offset of the current and previous index, the size of the data, and the Blowfish key to decrypt the data. Once the data is decrypted, we can see the information that it contains.


The data is in the same ASN.1 format that the VBN files use. If we start following the tags, the first 0x0F we come to is the name of the GUID file this index references.

GUID in index

GUID file in ccSubSDK


Depending on what type of submission it is, the index will contain information like MD5, SHA256 and some type of report.


{GUID} file

The GUID files hold the information that was submitted to Symantec. The file consists of three parts: the GUID for the dll responsible for the submission, Blowfish key, and the data encrypted with the Blowfish algorithm.


The following dll GUIDs have been identified.

  • 2B5CA624B61E3F408B994BF679001DC2 = BHSvcPlg
  • 334FC1F5F2DA574E9BE8A16049417506 = SubmissionsEim
  • 38ACED4CA8B2134D83ED4D35F94338BD = SubmissionsEim
  • 5E6E81A4A77338449805BB2B7AB12FB4 = AtpiEim, ReportSubmission
  • 6AB68FC93C09E744B828A598179EFC83 = IDSxpx86
  • 95AAE6FD76558D439889B9D02BE0B850 = IDSxpx86
  • 6A007A980A5B0A48BDFC4D887AEACAB0 = IDSxpx86
  • D40650BD02FDE745889CB15F0693C770 = IDSxpx86
  • 3DC1B6DEBAE889458213D8B252C465FC = IDSxpx86
  • 8EF95B94E971E842BAC952B02E79FB74 = AVModule
  • A72BBCC1E52A39418B8BB591BDD9AE76 = RepMgtTim
  • F2ECB3F7D763AE4DB49322CF763FC270 = ccSubEng

Once the submission has been decrypted, we can look at the data. This can hold anything from the detection information, network data, attack data, detection digest, and even the file itself!

Information was derived from @hexicorn
ccSubSDK.md

submissions.idx

Offset | Length | Field | Description
0 | 4 | Header | Always 0x3216144C
4 | 4 | Unknown | Will require further investigation as to the purpose of this entry.
8 | 4 | Size | Size of submissions.idx
12 | 4 | Unknown | Will require further investigation as to the purpose of this entry.
16 | 4 | Unknown | Will require further investigation as to the purpose of this entry.
20 | 8 | Unknown | Will require further investigation as to the purpose of this entry.
28 | 20 | Unknown | Will require further investigation as to the purpose of this entry.

Index

Continues to end of file.

Offset | Length | Field | Description
0 | 4 | Header | Always 0x4099C689
4 | 4 | Unknown | Will require further investigation as to the purpose of this entry.
8 | 8 | Start of Index | Offset to beginning of Index
16 | 8 | Start of Last Index | Offset to beginning of previous Index
24 | 4 | Length 1 | Total size of Data including Blowfish Key
28 | 4 | Length 2 | Actual size of Data including Blowfish Key
  * If length is 0, record is deleted.
32 | 8 | Unknown | Will require further investigation as to the purpose of this entry.
40 | 16 | Blowfish Key | Symmetric key for Blowfish
56 | Length 1 - 16 | Data | Data appears to be in ASN.1 format. It is comprised of a series of tags:

Code | Value Length | Extra Data
0x01 | 1 | None
0x0A | 1 | None
0x03 | 4 | None
0x06 | 4 | None
0x04 | 8 | None
0x07 | 4 | NUL-terminated ASCII string (of length controlled by the dword following the 0x07 code)
0x08 | 4 | NUL-terminated Unicode string (of length controlled by the dword following the 0x08 code)
0x09 | 4 | Container (of length controlled by the dword following the 0x09 code)
0x0F | 16 | None
0x10 | 16 | None
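The index records above are simple enough to walk without any help from SEPparser, and doing so shows the one edge case the table calls out: a record whose length is 0 is a deleted slot that must be stepped over rather than parsed. The following is an added example written for this post, not SEPparser's own code. It assumes the first index begins at offset 48 (directly after the 28 + 20 header bytes in the file header table), treats Length 2 == 0 as the "deleted" marker and uses Length 1 as the slot stride, and computes the Data field as Length 1 - 16 because Length 1 counts the Blowfish key. The page does not state the Blowfish mode or padding, so decryption is left to a cipher library: the walker returns each record's key and still-encrypted Data. The sample file is constructed in the block and is not real SEP data.

```python
import struct
from dataclasses import dataclass
from typing import List

# Constants taken from the submissions.idx layout tables above.
IDX_FILE_MAGIC = 0x3216144C
IDX_RECORD_MAGIC = 0x4099C689
IDX_FILE_HEADER_LEN = 48      # 28 + 20 bytes of header; first index assumed to start here
IDX_RECORD_FIXED_LEN = 56     # fixed part of an index record; the Data field starts at 56


@dataclass
class IdxRecord:
    offset: int        # absolute offset of this record in submissions.idx
    start: int         # "Start of Index" field as stored in the record
    prev: int          # "Start of Last Index" field as stored in the record
    slot_len: int      # Length 1: total size of Data including the Blowfish key
    data_len: int      # Length 2: actual size of Data including the Blowfish key
    key: bytes         # 16-byte Blowfish key (decryption itself is not shown here)
    data: bytes        # still-encrypted Data (ASN.1-style tags once decrypted)
    deleted: bool      # Length 2 == 0; assumed reading of the table's "length is 0" note


def parse_idx_file_header(buf: bytes) -> int:
    """Validate the file header and return the size it claims for submissions.idx."""
    magic, _unknown, size = struct.unpack_from("<III", buf, 0)
    if magic != IDX_FILE_MAGIC:
        raise ValueError(f"bad submissions.idx magic 0x{magic:08X}")
    return size


def walk_idx(buf: bytes) -> List[IdxRecord]:
    """Walk every index record from offset 48 to end of file, keeping deleted slots."""
    declared = parse_idx_file_header(buf)
    if declared > len(buf):
        # A collection that was cut short: the header promises more than was captured.
        raise ValueError(f"file truncated: header says {declared} bytes, got {len(buf)}")
    records = []
    pos = IDX_FILE_HEADER_LEN
    while pos + IDX_RECORD_FIXED_LEN <= len(buf):
        magic, _unknown, start, prev, len1, len2 = struct.unpack_from("<IIQQII", buf, pos)
        if magic != IDX_RECORD_MAGIC:
            break                                  # slack or an unknown trailer: stop cleanly
        data_len = max(len1 - 16, 0)               # Data = Length 1 - 16 (key is counted in Length 1)
        key = buf[pos + 40:pos + 56]
        data = buf[pos + 56:pos + 56 + data_len]
        if len(data) != data_len:
            raise ValueError(f"record at offset {pos} runs past end of file")
        records.append(IdxRecord(pos, start, prev, len1, len2, key, data, deleted=(len2 == 0)))
        pos += IDX_RECORD_FIXED_LEN + data_len     # next record follows this record's Data field
    return records


def build_sample_idx() -> bytes:
    """Constructed sample (not real SEP data): one live record followed by one deleted slot."""
    def record(pos, prev, payload, live):
        len1 = 16 + len(payload)                   # key + Data, as Length 1 counts them
        len2 = len1 if live else 0                 # Length 2 of 0 marks the slot as deleted
        return (struct.pack("<IIQQII", IDX_RECORD_MAGIC, 0, pos, prev, len1, len2)
                + b"\x00" * 8 + bytes(range(16)) + payload)
    live = b"\xAA" * 24                            # stands in for Blowfish ciphertext
    dead = b"\xBB" * 24
    body = record(48, 0, live, True)
    body += record(48 + len(body), 48, dead, False)
    total = IDX_FILE_HEADER_LEN + len(body)
    header = struct.pack("<III", IDX_FILE_MAGIC, 0, total) + b"\x00" * (IDX_FILE_HEADER_LEN - 12)
    return header + body


if __name__ == "__main__":
    for rec in walk_idx(build_sample_idx()):
        state = "deleted" if rec.deleted else "live"
        print(f"offset {rec.offset:>5}  prev {rec.prev:>5}  {state:>7}  key {rec.key.hex()}  data {len(rec.data)} bytes")
```

Because deleted slots keep their key and ciphertext, a forensic parser should report them rather than silently skip them; the `deleted` flag lets the caller decide.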

{GUID} Files

{GUID} files can be found in the following location: C:\ProgramData\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\CmnClnt\ccSubSDK\{GUID}

Offset | Length | Field | Description
0 | 16 | GUID | GUID of dll responsible for submission.
16 | 16 | Blowfish Key | Symmetric key for Blowfish
32 | varies | Data | Data appears to be in ASN.1 format. It is comprised of a series of tags:

Code | Value Length | Extra Data
0x01 | 1 | None
0x0A | 1 | None
0x03 | 4 | None
0x06 | 4 | None
0x04 | 8 | None
0x07 | 4 | NUL-terminated ASCII string (of length controlled by the dword following the 0x07 code)
0x08 | 4 | NUL-terminated Unicode string (of length controlled by the dword following the 0x08 code)
0x09 | 4 | Container (of length controlled by the dword following the 0x09 code)
0x0F | 16 | None
0x10 | 16 | None

Tuesday, March 16, 2021

Your AV is Trying to Tell You Something: VBN's Part 4

In this post, we will cover record type 1 VBNs. This will be fairly short because there is not much to these types of VBNs. They contain one structure after the VBN Metadata, and it is not XORed. This is the Quarantine Metadata structure. It contains the same kind of data as record type 2's Quarantine Metadata, minus the header information.


Record Type 1

Quarantine Metadata

The quarantine metadata appears to be in ASN.1 format. It is comprised of a series of tags.

Code | Value Length | Extra Data
0x01 | 1 | None
0x0A | 1 | None
0x03 | 4 | None
0x06 | 4 | None
0x04 | 8 | None
0x07 | 4 | NUL-terminated ASCII string (of length controlled by the dword following the 0x07 code)
0x08 | 4 | NUL-terminated Unicode string (of length controlled by the dword following the 0x08 code)
0x09 | 4 | Container (of length controlled by the dword following the 0x09 code)
0x0F | 16 | None
0x10 | 16 | None

Tuesday, March 9, 2021

Your AV is Trying to Tell You Something: VBN's Part 3

This post will focus on record type 0 VBNs. Record type 0 VBNs also contain quarantine data. I recently discovered these files, which led to figuring out how to tell the different VBN files apart. I am unsure of what causes the different record types. Record type 0 starts out like any other VBN with the VBN Metadata structure. After that, they contain their own unique structures as follows:

  • QData Location (XORed with 0x5A) *Optional
  • Quarantine Data (XORed with 0x5A)
  • QData Info (XORed with 0x5A) *Optional

As before, if we grab the first four bytes of the VBN Metadata, they will bring us to the next structure. If that structure starts with 0xCE20AAAA06000000, the QData Location structure is present.

QData Location

The QData Location structure contains the offset to the quarantine data, size of the structure, the size of the QData Info structure and some unknown data that has always been all 0's, in my case.

If we add together the first four bytes of the VBN Metadata and the Quarantine Data Offset, this will bring us to the Quarantine Data. (If QData Location is not present, we are already there.)

Quarantine Data

Unlike record type 2 VBNs, the quarantine data is not divided into chunks. The data is stored as it was on disk, which makes it much easier to extract.

QData Info

QData Info will be present if the QData Location structure is also present. QData Info contains data which appears to be in ASN.1 format but I have had a harder time parsing it out into individual sections.


Record Type 0

QData Location (Optional)

Offset | Length | Field | Description
0 | 8 | Header | QData Location header, 00000006aaaa20ce
8 | 8 | Quarantine Data Offset | Offset to start of quarantine data
16 | 8 | QData Location Size | Size of QData Location
24 | 4 | QData Info Size | Size of QData Info from end of quarantine data to EOF
28 | Data Offset - 28 | Unknown | Will require further investigation as to the purpose of this entry.

Quarantine Data

Offset | Length | Field | Description
0 | Varies | Data | Quarantine data

QData Info (Optional)

Offset | Length | Field | Description
0 | 8 | Header | QData Info header
8 | 8 | QData Info Size | Size of QData Info
16 | QData Info Size - 16 | QData | Additional information about the quarantine data
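Putting the three tables together, here is an added example (written for this post, not SEPparser's code) that carves the quarantine data out of a record type 0 VBN. It uses only the first four bytes of the VBN Metadata (the offset to the next structure); the rest of the VBN Metadata layout is not needed and is padded with zeros in the constructed sample. It handles both shapes the post describes: when the un-XORed bytes at that offset start with 0xCE20AAAA06000000, QData Location is present and the quarantine data ends where QData Info begins; otherwise the quarantine data runs straight to EOF and there is no QData Info. The size consistency checks (QData Location Size against Quarantine Data Offset, and the QData Info Size field against the size recorded in QData Location) are my own sanity checks, and the QData Info header bytes in the sample are constructed, as the post gives no value for them.

```python
import struct

VBN_XOR_KEY = 0x5A
# 0xCE20AAAA06000000 as the byte sequence in the file (00000006aaaa20ce read little-endian)
QDATA_LOCATION_HEADER = bytes.fromhex("ce20aaaa06000000")


def unxor(buf: bytes, key: int = VBN_XOR_KEY) -> bytes:
    return bytes(b ^ key for b in buf)


def parse_record_type0(vbn: bytes) -> dict:
    """Return the quarantine data plus QData Location / QData Info fields when present."""
    start = struct.unpack_from("<I", vbn, 0)[0]   # first four bytes of VBN Metadata
    if not 4 <= start <= len(vbn):
        raise ValueError(f"bad next-structure offset {start}")
    body = unxor(vbn[start:])                     # every structure after the metadata is XORed with 0x5A
    result = {"qdata_location": None, "qdata_info": None}

    if body[:8] != QDATA_LOCATION_HEADER:
        # Optional structure absent: the quarantine data starts here and runs to EOF.
        result["quarantine_data"] = body
        return result

    data_off, loc_size, info_size = struct.unpack_from("<QQI", body, 8)
    if loc_size != data_off:                      # sanity check, not stated by the post
        raise ValueError(f"QData Location size {loc_size} != data offset {data_off}")
    if data_off + info_size > len(body):
        raise ValueError("QData Location points past end of file")
    unknown = body[28:data_off]                   # "always all 0's" in the post's samples
    result["qdata_location"] = {
        "quarantine_data_offset": data_off,       # relative to the start of QData Location
        "absolute_data_offset": start + data_off,
        "qdata_info_size": info_size,
        "unknown_all_zero": not any(unknown),
    }
    data_end = len(body) - info_size              # QData Info spans end of quarantine data to EOF
    result["quarantine_data"] = body[data_off:data_end]

    info = body[data_end:]
    if len(info) < 16:
        raise ValueError("QData Info shorter than its 16-byte header")
    (declared,) = struct.unpack_from("<Q", info, 8)
    if declared != info_size:                     # sanity check, not stated by the post
        raise ValueError(f"QData Info size {declared} != {info_size} from QData Location")
    result["qdata_info"] = {"header": info[:8].hex(), "qdata": info[16:declared]}
    return result


# Constructed stand-in for quarantined content; not a real binary.
SAMPLE_FILE = b"MZ\x90\x00this is constructed quarantine content, not a real binary"


def build_sample_type0(with_location: bool = True) -> bytes:
    """Constructed record type 0 VBN (not a real SEP artifact) for exercising the parser."""
    meta_len = 0x40
    metadata = struct.pack("<I", meta_len) + b"\x00" * (meta_len - 4)   # rest of metadata padded
    if not with_location:
        return metadata + unxor(SAMPLE_FILE)
    qinfo_body = b"\x01\x02constructed-info"                            # contents not parsed here
    qinfo_header = b"\x00\x01\x02\x03\x04\x05\x06\x07"                  # constructed header bytes
    qinfo = qinfo_header + struct.pack("<Q", 16 + len(qinfo_body)) + qinfo_body
    loc_size = 0x40
    location = (QDATA_LOCATION_HEADER + struct.pack("<QQI", loc_size, loc_size, len(qinfo))
                + b"\x00" * (loc_size - 28))
    return metadata + unxor(location + SAMPLE_FILE + qinfo)


if __name__ == "__main__":
    parsed = parse_record_type0(build_sample_type0())
    print(parsed["qdata_location"])
    print(parsed["quarantine_data"][:16])
```

On a real collection the extracted bytes should be hashed (this is what the -hf option in SEPparser does) rather than trusting any hash recorded elsewhere in the VBN.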

Tuesday, March 2, 2021

Your AV is Trying to Tell You Something: VBN's Part 2

From the previous post, we learned that there are three VBN record types. I want to start with record type 2 because this is what people think of when examining VBNs. Record type 2 VBNs consist of the following structures:

  • VBN Metadata
  • Quarantine Metadata (XORed with 0x5A)
  • Quarantine Hash (XORed with 0x5A)
  • Quarantine SDDL (XORed with 0x5A) *Optional
  • Unknown (XORed with 0xA5) *Optional
  • Quarantine Data (XORed with 0xA5) *Optional
  • Quarantine Attribute (XORed with 0xA5) *Optional

These VBNs contain the quarantined files/data, except when the malicious data was cleaned by deletion. Type 2 VBNs are by far the hardest to extract data from. If we grab the first four bytes (the Quarantine Metadata Header offset) from the VBN Metadata, they will bring us to the beginning of the Quarantine Metadata Header.

Quarantine Metadata

The Quarantine Metadata starts out with a header that contains the size of the Quarantine Metadata and the size from the end of the Quarantine Metadata to the end of the VBN. 

The Quarantine Metadata itself appears to be in ASN.1 format. A series of tags is used to differentiate the size and type of data.


If we add together the Quarantine Metadata Header offset (from the VBN Metadata) and the QM Size Header Size together, we find ourselves at the next structure. What structure comes next depends on the tag. If it is 0x03, the Quarantine Hash structure is present. If it is 0x06, there is an unknown structure that appears to be a continuation of the Quarantine Metadata.

0x03 Quarantine Hash

The Quarantine Hash structure can contain the SHA1 hash and size of the quarantine data. This depends on the value of the second tag. If the value is 0x00, the hash will not be present and the VBN will end here. If it is 0x01, the hash and the rest of the fields will be present. If all fields are present in this structure, the next tag will be either 0x08 or 0x09. If the tag is 0x08, the Quarantine SDDL structure is present.

No hash data

Hash data

Quarantine SDDL

The Quarantine SDDL contains the security descriptor for the data that was quarantined and the size of  the quarantine data.

Unknown

If the Quarantine SDDL is not present, this structure is prepended to the quarantine data. I am unsure what this structure represents at this time. The structure consists of a header, the size of the unknown data, and the size of the data to follow.

Quarantine Data

If the Quarantine SDDL is present, the Quarantine Data comes next, without the unknown data prepended to it. The Quarantine Data is broken into chunks XORed with 0xA5 until there are no chunks left. If the unknown data was prepended to the Quarantine Data, the Attribute structure may follow.

Quarantine Attribute

The Quarantine Attribute structure holds any attributes associated with the data. I have come across $EA_INFORMATION, $OBJECT_ID, and $DATA stored in this structure so far.

$OBJECT_ID example

Record Type 2

Quarantine Metadata

| Offset | Length  | Field                   | Description                                  |
|--------|---------|-------------------------|----------------------------------------------|
| 0      | 8       | QM Header               | Header is always 0000000000000000            |
| 8      | 8       | QM Header Size          | Size, in bytes, of the QM header             |
| 16     | 8       | QM Size                 | Size, in bytes, of the QM                    |
| 24     | 8       | QM Size + Header Size   | Size, in bytes, of the QM and header         |
| 32     | 8       | End of QM to End of VBN | Size, in bytes, from end of QM to end of VBN |
| 40     | QM Size | Quarantine Metadata     | Quarantine Metadata                          |

The quarantine metadata appears to be in ASN.1 format. It is comprised of a series of tags.

ASN.1 Tags

| Code | Value Length | Extra Data                                                                    |
|------|--------------|-------------------------------------------------------------------------------|
| 0x01 | 1            | None                                                                          |
| 0x0A | 1            | None                                                                          |
| 0x03 | 4            | None                                                                          |
| 0x06 | 4            | None                                                                          |
| 0x04 | 8            | None                                                                          |
| 0x07 | 4            | NUL-terminated ASCII String (of length controlled by dword following 0x07 code)   |
| 0x08 | 4            | NUL-terminated Unicode String (of length controlled by dword following 0x08 code) |
| 0x09 | 4            | Container (of length controlled by dword following 0x09 code)                 |
| 0x0F | 16           | None                                                                          |
| 0x10 | 16           | None                                                                          |
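As an added illustration (not code from SEPparser), here is a small Python parser for the 40-byte header and the tag sequence described above, using the value lengths from the tag table. The VBN fragment it parses is constructed, a QM Header Size of 40 is assumed, and 0x09 containers are returned as raw bytes rather than recursed into.

```python
import struct

# Tag table from the post: fixed-size values, and dword-length-prefixed payloads
FIXED = {0x01: 1, 0x0A: 1, 0x03: 4, 0x06: 4, 0x04: 8, 0x0F: 16, 0x10: 16}
PREFIXED = {0x07: "ascii", 0x08: "utf-16-le", 0x09: "container"}

def xor(buf: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in buf)

def parse_qm_header(raw: bytes) -> dict:
    """Decode the 40-byte QM header; raw is still XORed with 0x5A as stored on disk."""
    f = struct.unpack("<5Q", xor(raw[:40], 0x5A))
    return {"qm_header": f[0], "qm_header_size": f[1], "qm_size": f[2],
            "qm_plus_header_size": f[3], "end_qm_to_end_vbn": f[4]}

def walk_tags(buf: bytes) -> list:
    """Return [(tag, value)] for a flat run of tags in an already de-XORed QM blob.
    0x09 containers come back as raw bytes; their contents may hold further tags."""
    out, i = [], 0
    while i < len(buf):
        tag, i = buf[i], i + 1
        if tag in FIXED:
            n = FIXED[tag]
            val = buf[i:i + n] if n == 16 else int.from_bytes(buf[i:i + n], "little")
        elif tag in PREFIXED:
            n, i = struct.unpack_from("<I", buf, i)[0], i + 4
            payload, kind = buf[i:i + n], PREFIXED[tag]
            val = payload if kind == "container" else payload.decode(kind).rstrip("\x00")
        else:
            raise ValueError(f"unknown tag 0x{tag:02X} at offset {i - 1}")
        out.append((tag, val))
        i += n
    return out

def parse_quarantine_metadata(raw: bytes):
    """Header first, then the QM body that the header's QM Size field covers."""
    hdr = parse_qm_header(raw)
    return hdr, walk_tags(xor(raw[40:40 + hdr["qm_size"]], 0x5A))

def build_sample() -> bytes:
    """Constructed input (not a real VBN): a 40-byte header plus four tags, XORed with 0x5A."""
    path = "C:\\Users\\demo\\sample.bin\x00".encode("utf-16-le")
    body = bytes([0x01, 0x01])                                     # 0x01: one-byte value
    body += bytes([0x08]) + struct.pack("<I", len(path)) + path    # 0x08: Unicode string
    body += bytes([0x04]) + struct.pack("<Q", 0x01D7400000000000)  # 0x04: eight-byte value
    body += bytes([0x03]) + struct.pack("<I", 7)                   # 0x03: four-byte value
    hdr = struct.pack("<5Q", 0, 40, len(body), 40 + len(body), 0)  # header size assumed 40
    return xor(hdr + body, 0x5A)
```

Calling `parse_quarantine_metadata(build_sample())` returns the decoded header fields and the four tags; an unrecognised tag raises a ValueError with its offset, which is the usual sign that the XOR key or the start offset is wrong.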

The Tag determines what comes next.

0x03 Quarantine Hash

0x06 Unknown

Quarantine Hash

| Offset | Length                      | Field                                  | Description                                             |
|--------|-----------------------------|----------------------------------------|---------------------------------------------------------|
| 0      | 1                           | Tag1                                   | 0x03                                                    |
| 1      | 4                           | Tag1 Value                             | Tag1 Value                                              |
| 5      | 1                           | Tag2                                   | Tag2                                                    |
| 6      | 1                           | Tag2 Value                             | Tag2 Value (value can be 0x00 or 0x01)                  |
| 7      | 1                           | Tag3 (Optional)                        | Tag3 (if Tag2 Value is 0x01, Tag3 is 0x08)              |
| 8      | 4                           | SHA1 Hash Length (Optional)            | Length of SHA1 (if Tag3 is 0x08, data will be present)  |
| 12     | SHA1 Hash Length            | SHA1 (Optional)                        | SHA1 of quarantine data                                 |
| 94     | 1                           | Tag4 (Optional)                        | Tag4, always 0x03                                       |
| 95     | 4                           | Tag4 Value (Optional)                  | Tag4 Value                                              |
| 99     | 1                           | Tag5 (Optional)                        | Tag5, always 0x03                                       |
| 100    | 4                           | Tag5 Value (Optional)                  | Tag5 Value                                              |
| 104    | 1                           | Tag6 (Optional)                        | Tag6, always 0x09                                       |
| 105    | 4                           | Quarantine Data Size Length (Optional) | Length of quarantine data size                          |
| 109    | Quarantine Data Size Length | Quarantine Data Size 2 (Optional)      | Size of quarantine data                                 |

Quarantine SDDL (Optional)

(may not be present)

| Offset | Length                   | Field                    | Description                 |
|--------|--------------------------|--------------------------|-----------------------------|
| 0      | 1                        | Tag7                     | Tag7, always 0x08           |
| 1      | 4                        | Security Descriptor Size | Variable length             |
| 5      | Security Descriptor Size | Security Descriptor      | Security descriptor of file |
| Varies | 1                        | Tag8                     | Tag8                        |
| Varies | 4                        | Tag8 Value               | Tag8 Value                  |
| Varies | 1                        | Tag9                     | Tag9                        |
| Varies | 8                        | Quarantine Data Size 3   | Size of quarantine data     |

If the Quarantine SDDL tag is not present, there can be two additional structures included with the quarantine data.

Unknown (Optional)

If the Quarantine Data Size in the VBN Metadata is smaller than the Quarantine Data Size in the Quarantine Info, this structure will be present.

| Offset | Length            | Field                 | Description                                                                  |
|--------|-------------------|-----------------------|------------------------------------------------------------------------------|
| 0      | 1                 | Tag                   | ASN.1 tag, 0x09                                                              |
| 1      | 4                 | Chunk Size            | Variable length                                                              |
| 5      | 8                 | Unknown               | Will require further investigation as to the purpose of this entry. (XORed with A5) |
| 13     | 4                 | Unknown Data Size     | Size of unknown data (XORed with A5)                                         |
| 17     | 8                 | Unknown               | Will require further investigation as to the purpose of this entry. (XORed with A5) |
| 25     | Unknown Data Size | Unknown               | Will require further investigation as to the purpose of this entry. (XORed with A5) |
| Varies | 8                 | Unknown               | Will require further investigation as to the purpose of this entry. (XORed with A5) |
| Varies | 4                 | Quarantine Data Size  | Size of quarantined data (XORed with A5)                                     |
| Varies | 8                 | Unknown               | Will require further investigation as to the purpose of this entry. (XORed with A5) |
| Varies | Chunk Size        | Data                  | Quarantine data (XORed with A5)                                              |

Quarantine Data (Optional)

The quarantine data is broken into chunks of data XORed with 0xA5. This continues until the last chunk divider.

| Offset | Length     | Field      | Description                     |
|--------|------------|------------|---------------------------------|
| 0      | 1          | Tag        | ASN.1 tag, 0x09                 |
| 1      | 4          | Chunk Size | Variable length                 |
| 5      | Chunk Size | Data       | Quarantine data (XORed with A5) |
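To show how the chunked layout above and the SHA1 carried in the Quarantine Hash structure fit together, here is an added Python example (not SEPparser's own code) that walks the 0x09 chunks, de-XORs them with 0xA5, stops at the first byte that is not a chunk divider, and checks the recovered data against the hash string. Assumptions: the chunk tag and size dword are stored in the clear (the table marks only the Data field as XORed), and the sample blob is constructed.

```python
import hashlib
import struct

def xor_a5(buf: bytes) -> bytes:
    return bytes(b ^ 0xA5 for b in buf)

def extract_quarantine_data(buf: bytes, start: int = 0):
    """Walk consecutive [0x09][dword size][size bytes ^ 0xA5] chunks beginning at
    `start`, concatenate the de-XORed data, and stop at the first byte that is not
    a 0x09 chunk divider. Returns (data, offset_of_what_follows) so the caller can
    hand the remainder (for example an Attribute structure) to another parser.
    Assumption: the tag and size dword are in the clear; the post's table lists
    only the Data field as XORed."""
    out, i = bytearray(), start
    while i < len(buf) and buf[i] == 0x09:
        size = struct.unpack_from("<I", buf, i + 1)[0]
        data = buf[i + 5:i + 5 + size]
        if len(data) != size:
            raise ValueError(f"chunk at offset {i} claims {size} bytes, file truncated")
        out += xor_a5(data)
        i += 5 + size
    return bytes(out), i

def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()

def matches_quarantine_hash(data: bytes, hash_from_vbn: str) -> bool:
    """Compare recovered data with the SHA1 string from the Quarantine Hash
    structure (stored as text, so strip any NUL and compare case-insensitively)."""
    return sha1_hex(data).lower() == hash_from_vbn.strip("\x00").lower()

def build_sample(payload: bytes, chunk_size: int = 16) -> bytes:
    """Constructed input (not from a real VBN): payload split into chunks and XORed."""
    blob = b""
    for off in range(0, len(payload), chunk_size):
        piece = payload[off:off + chunk_size]
        blob += bytes([0x09]) + struct.pack("<I", len(piece)) + xor_a5(piece)
    return blob

# Constructed sample: 40 bytes of payload, then eight bytes standing in for an
# Attribute Data Type of 0x02 XORed with 0xA5 (first byte 0xA7, so not a chunk).
SAMPLE_PAYLOAD = bytes(range(40))
SAMPLE_BLOB = build_sample(SAMPLE_PAYLOAD) + b"\xa7" + b"\xa5" * 7
```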

Attribute (Optional)

The following data is XORed with 0xA5.

| Offset | Length               | Field                          | Description                                  |
|--------|----------------------|--------------------------------|----------------------------------------------|
| Varies | 8                    | Attribute Data Type (Optional) | 0x02 = $EA, 0x04 = $DATA, 0x07 = $OBJECT_ID |
| Varies | 8                    | Attribute Data Size (Optional) | Size of attribute data                       |
| Varies | 4                    | Attribute Name Size (Optional) | Size of attribute name field                 |
| Varies | Attribute Name Size  | Attribute Name (Optional)      | Name of attribute                            |
| Varies | Attribute Data Size  | Attribute Data (Optional)      | Data, varies by type                         |

The Unknown structure also appears to be in ASN.1 format and uses the same set of tags listed under Quarantine Metadata above.