Tuesday, February 23, 2021

Your AV is Trying to Tell You Something: VBN's Part 1

Symantec VBN (quarantine) files have been rather troublesome for most people. I read what articles I could find and looked at various tools on the subject, but at some point they all failed. There had to be something everyone was missing. And there was! As a community, we had figured out that there were two types of VBN files: where a file sat in the quarantine folder structure seemed to determine whether it contained the quarantined content, or so we thought.

Shane King had shared his research into VBNs, which laid the groundwork for the majority of my own. His methodology for extracting the quarantined content worked the majority of the time, but not always. I was looking through Symantec's quarantine location one day and noticed some rather large VBNs in the location where they should only contain metadata and not quarantined content. When I XORed the data, I soon realized these larger files also contained quarantined content. A third VBN type!

[Figure: Quarantine folder structure]

Focusing back on the first structure in the VBN, they all looked the same. There had to be something in this structure that indicated what type of VBN we were dealing with. Going back to Shane's work, there were a lot of unknowns in this structure. Working through the unknown parts, I was able to figure out what the timestamps meant and various other things, but found no indication of what would come next after this structure. It wasn't until I started playing around with Symantec's Qextract tool that I found my answer.

Qextract gives detailed output for the VBN files in the quarantine folder. By comparing this output against the raw bytes, I was able to find the majority of the locations in the VBN file that Qextract was reading its information from. One part of the output stood out: Record Type. This field confirmed my hypothesis that there were three different types of VBN.

Now that we know there are different types of VBNs and a way to identify them, we can figure out what structures come next in the VBN file. I am going to stop here for now. I will cover the different structures of each record type in the next series of posts. In the meantime, below is the layout for the first structure, the VBN Metadata structure. *Note: This applies to VBN files found on Windows. The Linux layout is still a work in progress.


VBN file format V1 (Windows - SEP 11)

VBN Metadata

| Offset | Length | Field | Description |
|---|---|---|---|
| 0 | 4 | Size | Size of the VBN Metadata section, 0xe5c |
| 4 | 384 | Description | FQP of Quarantine File |
| 388 | 984 | Log Line | Information on event. |
| 1372 | 4 | Data Type | Value which can describe the subsequent data. (0x1 = No dates, 0x2 = Dates) |
| 1376 | 4 | Record ID | VBin ID/VBN Name |
| 1380 | 8 | Date Created | Indicates a time of creation of object on the file system. (Windows Filetime) |
| 1388 | 8 | Date Accessed | Indicates a time of last access of an object. (Windows Filetime) |
| 1396 | 8 | Date Modified | Indicates a time of last modification of content. (Windows Filetime) |
| 1404 | 4 | Data Type | Value which can describe the subsequent data. (0x0 = No storage info, 0x2 = Storage info) |
| 1408 | 484 | Unknown | Will require further investigation as to the purpose of this entry. |
| 1892 | 48 | Storage Name | Where threat was found (FileSystem/InternetMail/LotusNotes/MicrosoftExchange) |
| 1940 | 4 | Storage Instance ID | Will require further investigation as to the purpose of this entry. |
| 1944 | 384 | Storage Key | Will require further investigation as to the purpose of this entry. |
| 2328 | 4 | Data Type | Value which can describe the subsequent data. |
| 2332 | 4 | Unknown | Will require further investigation as to the purpose of this entry. |
| 2336 | 8 | Unknown | Will require further investigation as to the purpose of this entry. |
| 2344 | 4 | Data Type | Value which can describe the subsequent data. |
| 2348 | 4 | Quarantine Data Size | Size of Quarantined Data (bytes) |
| 2352 | 4 | Date Accessed | Indicates a time of last access of an object. (Unix: 32 bit Hex) |
| 2356 | 4 | Date Modified | Indicates a time of last modification of content. (Unix: 32 bit Hex) |
| 2360 | 4 | Date Created | Indicates a time of creation of object on the file system. (Unix: 32 bit Hex) |
| 2364 | 4 | VBin Time | Time data was quarantined. (Unix: 32 bit Hex) |
| 2368 | 8 | Unknown | Will require further investigation as to the purpose of this entry. |
| 2376 | 16 | Unique ID | Unique GUID |
| 2392 | 260 | Unknown | Will require further investigation as to the purpose of this entry. |
| 2652 | 4 | Unknown | Will require further investigation as to the purpose of this entry. |
| 2656 | 4 | Record Type | 0x0 = Hybrid, 0x1 = Meta, 0x2 = Quarantine |
| 2660 | 4 | Quarantine Session ID | Name of subfolder where VBN is stored |
| 2664 | 4 | Remediation Type | Type of remediation: 0 = None, 2000 = Registry, 2001 = File, 2002 = Process, 2003 = Batch File, 2004 = INI File, 2005 = Service, 2006 = Infected File, 2007 = COM Object, 2008 = Host File Entry, 2009 = Directory, 2010 = Layered Service Provider, 2011 = Internet Browser Cache |
| 2668 | 4 | Unknown | Will require further investigation as to the purpose of this entry. |
| 2672 | 4 | Unknown | Will require further investigation as to the purpose of this entry. |
| 2676 | 4 | Unknown | Will require further investigation as to the purpose of this entry. |
| 2680 | 4 | Unknown | Will require further investigation as to the purpose of this entry. |
| 2684 | 4 | Unknown | Will require further investigation as to the purpose of this entry. |
| 2688 | 4 | Unknown | Will require further investigation as to the purpose of this entry. |
| 2692 | 4 | Unknown | Will require further investigation as to the purpose of this entry. |
| 2696 | 768 | Wide Description | FQP of Quarantine File (Unicode) |
| 3464 | 212 | Unknown | Will require further investigation as to the purpose of this entry. |

VBN file format V2 (Windows - SEP 12 +)

VBN Metadata

| Offset | Length | Field | Description |
|---|---|---|---|
| 0 | 4 | Size | Size of the VBN Metadata section, 0x1290 |
| 4 | 384 | Description | FQP of Quarantine File |
| 388 | 2048 | Log Line | Information on event. |
| 2436 | 4 | Data Type | Value which can describe the subsequent data. (0x1 = No dates, 0x2 = Dates) |
| 2440 | 4 | Record ID | VBin ID/VBN Name |
| 2444 | 8 | Date Created | Indicates a time of creation of object on the file system. (Windows Filetime) |
| 2452 | 8 | Date Accessed | Indicates a time of last access of an object. (Windows Filetime) |
| 2460 | 8 | Date Modified | Indicates a time of last modification of content. (Windows Filetime) |
| 2468 | 4 | Data Type | Value which can describe the subsequent data. (0x0 = No storage info, 0x2 = Storage info) |
| 2472 | 484 | Unknown | Will require further investigation as to the purpose of this entry. |
| 2956 | 48 | Storage Name | Where threat was found (FileSystem/InternetMail/LotusNotes/MicrosoftExchange) |
| 3004 | 4 | Storage Instance ID | Will require further investigation as to the purpose of this entry. |
| 3008 | 384 | Storage Key | Will require further investigation as to the purpose of this entry. |
| 3392 | 4 | Data Type | Value which can describe the subsequent data. |
| 3396 | 4 | Unknown | Will require further investigation as to the purpose of this entry. |
| 3400 | 8 | Unknown | Will require further investigation as to the purpose of this entry. |
| 3408 | 4 | Data Type | Value which can describe the subsequent data. |
| 3412 | 4 | Quarantine Data Size | Size of Quarantined Data (bytes) |
| 3416 | 4 | Date Accessed | Indicates a time of last access of an object. (Unix: 32 bit Hex) |
| 3420 | 4 | Unknown | Will require further investigation as to the purpose of this entry. |
| 3424 | 4 | Date Modified | Indicates a time of last modification of content. (Unix: 32 bit Hex) |
| 3428 | 4 | Unknown | Will require further investigation as to the purpose of this entry. |
| 3432 | 4 | Date Created | Indicates a time of creation of object on the file system. (Unix: 32 bit Hex) |
| 3436 | 4 | Unknown | Will require further investigation as to the purpose of this entry. |
| 3440 | 4 | VBin Time | Time data was quarantined. (Unix: 32 bit Hex) |
| 3444 | 4 | Unknown | Will require further investigation as to the purpose of this entry. |
| 3448 | 4 | Unknown | Will require further investigation as to the purpose of this entry. |
| 3452 | 16 | Unique ID | Unique GUID |
| 3468 | 260 | Unknown | Will require further investigation as to the purpose of this entry. |
| 3728 | 4 | Unknown | Will require further investigation as to the purpose of this entry. |
| 3732 | 4 | Record Type | 0x0 = Hybrid, 0x1 = Meta, 0x2 = Quarantine |
| 3736 | 4 | Quarantine Session ID | Name of subfolder where VBN is stored |
| 3740 | 4 | Remediation Type | Type of remediation: 0 = None, 2000 = Registry, 2001 = File, 2002 = Process, 2003 = Batch File, 2004 = INI File, 2005 = Service, 2006 = Infected File, 2007 = COM Object, 2008 = Host File Entry, 2009 = Directory, 2010 = Layered Service Provider, 2011 = Internet Browser Cache |
| 3744 | 4 | Unknown | Will require further investigation as to the purpose of this entry. |
| 3748 | 4 | Unknown | Will require further investigation as to the purpose of this entry. |
| 3752 | 4 | Unknown | Will require further investigation as to the purpose of this entry. |
| 3756 | 4 | Unknown | Will require further investigation as to the purpose of this entry. |
| 3760 | 4 | Unknown | Will require further investigation as to the purpose of this entry. |
| 3764 | 4 | Unknown | Will require further investigation as to the purpose of this entry. |
| 3768 | 4 | Unknown | Will require further investigation as to the purpose of this entry. |
| 3772 | 768 | Wide Description | FQP of Quarantine File (Unicode) |
| 4540 | 212 | Unknown | Will require further investigation as to the purpose of this entry. |
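To make the two layouts concrete, here is an added Python parser (my example, not code from the post, from Shane King's research or from Symantec's Qextract) that selects the V1 or V2 layout from the leading Size field and decodes the Record Type, Remediation Type, timestamps and GUID at the offsets in the tables above. Byte order is not stated in the tables, so little-endian is assumed, and `build_sample` produces a constructed test record rather than reading a real VBN.

```python
import struct, uuid
from datetime import datetime, timedelta, timezone

# Field offsets from the V1 (Size 0xe5c) and V2 (Size 0x1290) VBN Metadata tables above.
# Byte order is an assumption: little-endian, as for a native Windows structure.
LAYOUTS = {
    0xE5C: dict(data_type=1372, qdata_size=2348, vbin_time=2364, guid=2376,
                record_type=2656, wide_desc=2696),
    0x1290: dict(data_type=2436, qdata_size=3412, vbin_time=3440, guid=3452,
                 record_type=3732, wide_desc=3772),
}
RECORD_TYPES = {0: "Hybrid", 1: "Meta", 2: "Quarantine"}
REMEDIATION = {0: "None", 2000: "Registry", 2001: "File", 2002: "Process", 2003: "Batch File",
               2004: "INI File", 2005: "Service", 2006: "Infected File", 2007: "COM Object", 2008: "Host File Entry",
               2009: "Directory", 2010: "Layered Service Provider", 2011: "Internet Browser Cache"}

def filetime_to_dt(ticks):  # Windows FILETIME: 100 ns ticks since 1601-01-01 UTC
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ticks // 10)

def parse_vbn_metadata(buf):
    """Decode the VBN Metadata section; the leading Size field selects the V1 or V2 layout."""
    size = struct.unpack_from("<I", buf, 0)[0]
    if size not in LAYOUTS or len(buf) < size:
        raise ValueError("unknown VBN Metadata size 0x%x or truncated buffer" % size)
    lay = LAYOUTS[size]
    u32 = lambda off: struct.unpack_from("<I", buf, off)[0]
    # Data Type, Record ID and the three FILETIMEs are contiguous; so are the last three u32 fields.
    data_type, record_id, created, accessed, modified = struct.unpack_from("<IIQQQ", buf, lay["data_type"])
    rec_type, session_id, remediation = struct.unpack_from("<III", buf, lay["record_type"])
    rec = {"version": 1 if size == 0xE5C else 2, "record_id": record_id, "session_id": session_id,
           "quarantine_data_size": u32(lay["qdata_size"]),
           "vbin_time": datetime.fromtimestamp(u32(lay["vbin_time"]), timezone.utc),
           "guid": str(uuid.UUID(bytes_le=bytes(buf[lay["guid"]:lay["guid"] + 16]))),
           "record_type": RECORD_TYPES.get(rec_type, "Unknown"),
           "remediation": REMEDIATION.get(remediation, "Unknown"),
           "wide_description": buf[lay["wide_desc"]:lay["wide_desc"] + 768]
           .decode("utf-16-le").split("\0", 1)[0]}
    if data_type == 2:  # 0x1 = no dates; only 0x2 says the three FILETIMEs are populated
        rec.update(created=filetime_to_dt(created), accessed=filetime_to_dt(accessed),
                   modified=filetime_to_dt(modified))
    return rec

def build_sample(size):
    """Constructed record (not a real VBN) laid out per the tables above, for testing."""
    lay, buf = LAYOUTS[size], bytearray(size)
    path = r"C:\Users\analyst\Downloads\invoice.exe"
    struct.pack_into("<I", buf, 0, size)
    struct.pack_into("<IIQQQ", buf, lay["data_type"], 2, 0x1C3, *[132579072000000000] * 3)
    struct.pack_into("<I", buf, lay["qdata_size"], 4096)
    struct.pack_into("<I", buf, lay["vbin_time"], 1613433600)
    buf[lay["guid"]:lay["guid"] + 16] = uuid.UUID("12345678-1234-5678-1234-567812345678").bytes_le
    struct.pack_into("<III", buf, lay["record_type"], 2, 0x3B, 2001)
    buf[lay["wide_desc"]:lay["wide_desc"] + 2 * len(path)] = path.encode("utf-16-le")
    return bytes(buf)
```

Feed `parse_vbn_metadata` the first Size bytes of a real VBN to get the Record Type before deciding whether the file should contain quarantined content.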

Tuesday, February 16, 2021

Your AV is Trying to Tell You Something: AVMan.log/Daily AV Log


AV Management Plugin Log

The AV Management Plugin log contains copies of all AV events that occurred on the endpoint. Each AVMan entry carries the event data in the log line format, plus some additional timestamps.

Antivirus Management Log File Format

The antivirus management log for SEP can be found at the following location:
C:\ProgramData\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\Logs\AVMan.log

| Field | Type | Size | Description |
|---|---|---|---|
| Max Log Size | hex | 8 | Maximum log file size in bytes |
| Unknown | hex | 8 | ? |
| Number of Entries | hex | 8 | Number of entries in log |
| Unknown | hex | 8 | ? |
| Unknown | hex | 8 | ? |
| Max Log Days | hex | 8 | Maximum days to save log entries |

Log Entries

The log is in TSV format, meaning each field is separated by a tab character.

| Field | Type | Size | Description |
|---|---|---|---|
| Entry Length | hex | 8 | Length of log entry |
| Date and Time 1 | Windows: 64 bit Hex Value - Big Endian | 16 | Will require further investigation as to the purpose of this log entry. |
| Date and Time 2 | Windows: 64 bit Hex Value - Big Endian | 16 | Will require further investigation as to the purpose of this log entry. |
| Date and Time 3 | Windows: 64 bit Hex Value - Big Endian | 16 | Will require further investigation as to the purpose of this log entry. |
| Unknown | hex | 8 | Will require further investigation as to the purpose of this log entry. |
| Data | varbinary | 2000 | Additional data in binary format. |

Daily AV Log

The daily AV log also contains copies of AV events that occurred on the endpoint. These logs are broken down by day, consist of log line entries, and do not contain a header. The daily AV logs stored in the user's AppData folder go back to when Symantec was first installed and pertain only to that user. The ones in the ProgramData folder contain all users' AV events but only go back thirty days, or as far as the Symantec policy dictates.

The daily AV logs for SEP can be found in the following locations:
C:\ProgramData\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\Logs\AV
C:\Users\<user>\AppData\Local\Symantec\Symantec Endpoint Protection\Logs

Tuesday, February 9, 2021

Your AV is Trying to Tell You Something: process.log


Client Management Control Log

The process log contains client activities that occurred on the endpoint. The types of events the process log reports on are application control driver, application control rules, and tamper protection. There is little difference between the raw log and what the Windows client displays. The process log is one of the more human-readable logs.

Control Log File Format

The control log for SEP can be found at the following location: C:\ProgramData\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\Logs\processlog.log

| Field | Type | Size | Description |
|---|---|---|---|
| Log Type | hex | 8 | Always 00000004 |
| Max Log Size | hex | 8 | Maximum log file size in bytes |
| Unknown | hex | 8 | ? |
| Number of Entries | hex | 8 | Number of entries in log |
| Unknown | hex | 8 | ? |
| Running Total Entries | hex | 16 | Total number of events generated |
| Max Log Days | hex | 8 | Maximum days to save log entries |

Log Entries

The log is in TSV format, meaning each field is separated by a tab character.

| Field | Type | Size | Description |
|---|---|---|---|
| Entry Length | hex | 3 | Length of log entry |
| Date and Time | Windows: 64 bit Hex Value - Big Endian | 16 | The time of the generated event (GMT). |
| Event ID | hex | 3 | An event ID from the sending agent: 501 = Application Control Driver, 502 = Application Control Rules, 999 = Tamper Protection |
| Severity | int | 1 | The seriousness of the event; 0 is most serious. |
| Action | int | 1 | The action that was taken: 0 = allow, 1 = block, 2 = ask, 3 = continue, 4 = terminate |
| Test Mode | int | 1 | Was this rule run in test mode? 0 = No, else = Yes |
| Description | nvarchar | 8000 | The behavior that was blocked. Because of a character limit, actual values may be longer than the values that are displayed in Symantec Endpoint Protection Manager. You can verify the full text on the client that reports this data. |
| API | nvarchar | 512 | The API that was blocked. |
| Unknown | hex | 16 | Will require further investigation as to the purpose of this log entry. |
| Begin Time | Windows: 64 bit Hex Value - Big Endian | 16 | The start time of the security issue. |
| End Time | Windows: 64 bit Hex Value - Big Endian | 16 | The end time of the security issue. This field is optional because the exact end time of traffic may not be detected, for example with UDP traffic. If the end time is not detected, it is set to equal the start time. |
| Rule Name | nvarchar | 512 | The name of the rule that was triggered by the event. If the rule name is not specified in the security rule, then this field is empty. Having the rule name can be useful for troubleshooting. |
| Caller Process ID | hex | 4 | The ID of the process that triggers the logging. |
| Caller Process | nvarchar | 512 | The full path name of the application involved. It may be empty if the application is unknown, if the OS itself is involved, or if no application is involved. It may also be empty if the profile says "don't log application name in raw traffic log". |
| Unknown | int | 1 | Will require further investigation as to the purpose of this log entry. |
| Caller Return Module Name | nvarchar | 512 | The module name of the caller. See CallerReturnAddress for more information. |
| Target | nvarchar | ? | Name of file |
| Location | nvarchar | 512 | The location used when the event occurred. |
| User | nvarchar | 512 | The logon user name. |
| User Domain | nvarchar | 512 | The logon (Windows) domain name. |
| Unknown | int | 1 | Will require further investigation as to the purpose of this log entry. |
| Unknown | int | 1 | Will require further investigation as to the purpose of this log entry. |
| IPV4 Address | hex | 8 | The IP address of the computer associated with the application control violation. |
| Device Instance ID | varchar | 256 | The GUID of an external device (floppy disk, DVD, USB device, etc.). |
| File Size | hex | 2 | The size of the file associated with the application control violation, in bytes. |
| Unknown | hex | 8 | Will require further investigation as to the purpose of this log entry. |
| IPV6 Address | hex | 32 | The IP address of the computer associated with the application control violation (IPv6). |
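As an added example (mine, not part of the original post or any Symantec tooling), the following Python splits processlog.log entries on tabs in the column order of the table above and decodes the typed columns. Test-mode hits carry the same Action value as enforced blocks, so `enforced_blocks` separates the two. The 16-digit FILETIME fields are assumed to be read as written, most significant digit first, the unknown columns get placeholder names, and the sample entries are constructed.

```python
from datetime import datetime, timedelta, timezone

# Column order follows the Control Log entry table above (unknown columns get placeholder
# names). Assumption: the 16-digit FILETIME hex fields are read as written, MSB first.
COLUMNS = ["entry_length", "date_time", "event_id", "severity", "action", "test_mode",
           "description", "api", "unknown1", "begin_time", "end_time", "rule_name",
           "caller_pid", "caller_process", "unknown2", "caller_module", "target", "location",
           "user", "user_domain", "unknown3", "unknown4", "ipv4", "device_instance_id",
           "file_size", "unknown5", "ipv6"]
EVENT_IDS = {"501": "Application Control Driver", "502": "Application Control Rules",
             "999": "Tamper Protection"}
ACTIONS = {0: "allow", 1: "block", 2: "ask", 3: "continue", 4: "terminate"}

def filetime_to_dt(ticks):  # Windows FILETIME: 100 ns ticks since 1601-01-01 UTC
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ticks // 10)

def parse_process_log_entry(line):
    """Split one tab-separated processlog.log entry and decode the typed columns."""
    fields = line.rstrip("\r\n").split("\t")
    if len(fields) != len(COLUMNS):
        raise ValueError("expected %d columns, got %d" % (len(COLUMNS), len(fields)))
    rec = dict(zip(COLUMNS, fields))
    for name in ("date_time", "begin_time", "end_time"):
        rec[name] = filetime_to_dt(int(rec[name], 16))
    for name in ("entry_length", "caller_pid", "file_size"):
        rec[name] = int(rec[name], 16)
    rec["event"] = EVENT_IDS.get(rec["event_id"], "Unknown (%s)" % rec["event_id"])
    rec["severity"] = int(rec["severity"])  # 0 is the most serious
    rec["action"] = ACTIONS.get(int(rec["action"]), "unknown")
    rec["test_mode"] = rec["test_mode"] != "0"  # 0 = No, anything else = Yes
    return rec

def enforced_blocks(lines):
    """Split block events into enforced ones and test-mode hits, which were not enforced."""
    enforced, test_only = [], []
    for rec in map(parse_process_log_entry, lines):
        if rec["action"] == "block":
            (test_only if rec["test_mode"] else enforced).append(rec)
    return enforced, test_only

# Constructed sample entries (not from a real endpoint); 01D6FE768251C000 = 2021-02-09 00:00 UTC.
SAMPLE_LINES = [
    "\t".join(["1F4", "01D6FE768251C000", "999", "0", "1", "0",
               "Unauthorized modification of a protected registry key was blocked", "NtSetValueKey",
               "0000000000000000", "01D6FE768251C000", "01D6FE768251C000", "Tamper Protection",
               "0A1C", r"C:\Windows\Temp\updater.exe", "0", "updater.exe", r"HKLM\SOFTWARE\Symantec\Key",
               "Default", "analyst", "CORP", "0", "0", "0A000005", "", "00", "00000000", "0" * 32]),
    "\t".join(["1A0", "01D6FE768251C000", "502", "2", "1", "1",
               "Test-mode rule matched a launch from a removable drive", "CreateProcessW",
               "0000000000000000", "01D6FE768251C000", "01D6FE768251C000", "Block USB launch",
               "0B2E", r"E:\setup.exe", "0", "explorer.exe", r"E:\setup.exe", "Default", "analyst",
               "CORP", "0", "0", "0A000005", "USBSTOR-placeholder-guid", "C8", "00000000", "0" * 32]),
]
```

The IPv4/IPv6 columns are left as the hex strings the log carries, since the page does not establish their byte order.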

Tuesday, February 2, 2021

Your AV is Trying to Tell You Something: rawlog.log


Network and Host Exploit Mitigation Packet Log

The raw log contains packet traffic that occurred on the endpoint. This log is populated when a firewall rule is set to capture the packet. The only thing the Windows client is missing is the rule ID. This log is not very human-readable due to the packet data it contains. One shortcoming of the smc command-line tool is that it will not export the packet data, even though it is present in the log and in the Windows GUI client.

Packet Log File Format

The packet log for SEP can be found at the following location: C:\ProgramData\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\Logs\rawlog.log

| Field | Type | Size | Description |
|---|---|---|---|
| Log Type | hex | 8 | Always 00000003 |
| Max Log Size | hex | 8 | Maximum log file size in bytes |
| Unknown | hex | 8 | ? |
| Number of Entries | hex | 8 | Number of entries in log |
| Unknown | hex | 8 | ? |
| Running Total Entries | hex | 16 | Total number of events generated |
| Max Log Days | hex | 8 | Maximum days to save log entries |

Log Entries

The log is in TSV format, meaning each field is separated by a tab character.

| Field | Type | Size | Description |
|---|---|---|---|
| Entry Length | hex | 8 | Length of log entry |
| Date and Time | Windows: 64 bit Hex Value - Big Endian | 16 | The time of the generated event (GMT). |
| Event ID | hex | 8 | An event ID from the sending agent: 401 = Raw Ethernet |
| Local Host | hex | 8 | The IP address of the local computer (IPv4). |
| Remote Host | hex | 8 | The IP address of the remote computer (IPv4). |
| Local Port | hex | 8 | The TCP/UDP port of the local computer (host byte-order). It is only valid on TSE_TRAFFIC_TCP and TSE_TRAFFIC_UDP. For other events, it is always zero. |
| Remote Port | hex | 8 | The TCP/UDP port of the remote computer (host byte-order). It is only valid on TSE_TRAFFIC_TCP and TSE_TRAFFIC_UDP. For other events, it is always zero. |
| Packet Length | hex | 8 | Length of packet data |
| Direction | hex | 8 | The direction of traffic (unknown = 0; inbound = 1; outbound = 2). |
| Action | hex | 8 | Specifies if the traffic was blocked (yes = 1, no = 0). |
| Unknown | hex | 8 | Will require further investigation as to the purpose of this log entry. |
| Remote Host Name | nvarchar | 128 | The host name of the remote computer. This field may be empty if the name resolution failed. |
| Application | nvarchar | 512 | The full path name of the application involved. It may be empty if an unknown application is involved or if no application is involved. For example, the ping of death DoS attack does not have an AppName because it attacks the operating system. |
| Packet | varbinary | 2000 | |
| Rule | nvarchar | 512 | The name of the rule that was triggered by the event. If the rule name is not specified in the security rule, then this field is empty. Having the rule name can be useful for troubleshooting. You may recognize a rule by the rule ID, but the rule name can help you recognize it more quickly. |
| Unknown | hex | 8 | Will require further investigation as to the purpose of this log entry. |
| Unknown | hex | 8 | Will require further investigation as to the purpose of this log entry. |
| Remote Host IPV6 | hex | 32 | The IP address of the remote host (IPv6). |
| Local Host IPV6 | hex | 32 | The IP address of the local computer (IPv6). |
| Rule ID | char | 32 | The ID of the rule that is triggered by the event. It is always 0 if the rule ID is not specified in the security rule. This field is helpful for security rule troubleshooting. If multiple rules match, it logs the rule that has the final decision on PacketProc (pass/block/drop). |