ccSubSDK
"Symantec Endpoint Protection clients automatically submit pseudonymous information about detections, network, and configuration to Symantec Security Response. Symantec uses this pseudonymous information to address new and changing threats as well as to improve product performance. Pseudonymous data is not directly identified with a particular user.
The detection information that clients send includes information about antivirus detections, intrusion prevention, SONAR, and file reputation detections." [1]
These files can be found at the following location: C:\ProgramData\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\CmnClnt\ccSubSDK
Inside this folder are the submissions.idx file and a series of GUID files. Let's look at the submissions.idx file first.
[Image: ccSubSDK folder structure]
submissions.idx
The submissions.idx file appears to be a type of index for the GUID files. Symantec had a database and word processing software called Q&A from 1985-1998. It just so happens that one of the database extensions was idx. My hypothesis is Symantec is either using their old database format, or parts of it, to index and send submission data back to their servers.
The format of the file is fairly simple. It contains a header and a series of indexed data that points back to the GUID files. The header starts with 0x3216144C and contains the size of the submissions.idx file. After the header come the indexes.
Each index contains a header starting with 0x4099C689. This header contains information on the offset of the current and previous index, the size of the data, and the Blowfish key to decrypt the data. Once the data is decrypted, we can see the information that it contains.
The data is in the same ASN.1 format that the VBN files use. If we start following the tags, the first 0x0F we come to is the name of the GUID file this index references.
[Image: GUID in index]
[Image: GUID file in ccSubSDK]
Depending on what type of submission it is, the index will contain information like MD5, SHA256 and some type of report.
{GUID} file
The GUID files hold the information that was submitted to Symantec. The file consists of three parts: the GUID of the DLL responsible for the submission, the Blowfish key, and the data encrypted with the Blowfish algorithm.
The following DLL GUIDs have been identified.
- 2B5CA624B61E3F408B994BF679001DC2 = BHSvcPlg
- 334FC1F5F2DA574E9BE8A16049417506 = SubmissionsEim
- 38ACED4CA8B2134D83ED4D35F94338BD = SubmissionsEim
- 5E6E81A4A77338449805BB2B7AB12FB4 = AtpiEim, ReportSubmission
- 6AB68FC93C09E744B828A598179EFC83 = IDSxpx86
- 95AAE6FD76558D439889B9D02BE0B850 = IDSxpx86
- 6A007A980A5B0A48BDFC4D887AEACAB0 = IDSxpx86
- D40650BD02FDE745889CB15F0693C770 = IDSxpx86
- 3DC1B6DEBAE889458213D8B252C465FC = IDSxpx86
- 8EF95B94E971E842BAC952B02E79FB74 = AVModule
- A72BBCC1E52A39418B8BB591BDD9AE76 = RepMgtTim
- F2ECB3F7D763AE4DB49322CF763FC270 = ccSubEng
Once the submission has been decrypted, we can look at the data. This can hold anything from the detection information, network data, attack data, detection digest, and even the file itself!
submissions.idx
Header
Offset | Length | Field | Description |
---|---|---|---|
0 | 4 | Header | Always 0x3216144C |
4 | 4 | Unknown | Will require further investigation as to the purpose of this entry. |
8 | 4 | Size | Size of submissions.idx |
12 | 4 | Unknown | Will require further investigation as to the purpose of this entry. |
16 | 4 | Unknown | Will require further investigation as to the purpose of this entry. |
20 | 8 | Unknown | Will require further investigation as to the purpose of this entry. |
28 | 20 | Unknown | Will require further investigation as to the purpose of this entry. |
Index
Continues to end of file.
Offset | Length | Field | Description |
---|---|---|---|
0 | 4 | Header | Always 0x4099C689 |
4 | 4 | Unknown | Will require further investigation as to the purpose of this entry. |
8 | 8 | Start of Index | Offset to beginning of Index |
16 | 8 | Start of Last Index | Offset to beginning of previous Index |
24 | 4 | Length 1 | Total size of Data including Blowfish Key |
28 | 4 | Length 2 | Actual size of Data including Blowfish Key. If length is 0, record is deleted. |
32 | 8 | Unknown | Will require further investigation as to the purpose of this entry. |
40 | 16 | Blowfish Key | Symmetric key for Blowfish |
56 | Length 1 - 16 | Data | Data appears to be in ASN.1 format. It is comprised of a series of tags. |
{GUID} Files
{GUID} files can be found in the following location: C:\ProgramData\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\CmnClnt\ccSubSDK\{GUID}
Offset | Length | Field | Description |
---|---|---|---|
0 | 16 | GUID | GUID of DLL responsible for submission. |
16 | 16 | Blowfish Key | Symmetric key for Blowfish |
32 | varies | Data | Data appears to be in ASN.1 format. It is comprised of a series of tags. |
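As an added example (not code from the original post or from Symantec), here is a Python parser for the two layouts above: it checks the submissions.idx header, walks each index record to end of file, flags deleted records (Length 2 == 0) and returns each record's Blowfish key and still-encrypted data, while parse_guid_file does the same split for a {GUID} file and maps the leading GUID to the DLL list above. Assumptions not stated on the page: integers are little-endian, a DLL GUID is the file's first 16 raw bytes compared as upper-case hex, and decryption is left to a Blowfish implementation of your choice since the page does not give the cipher mode.

```python
import struct
from typing import NamedTuple
# Values from the page's tables. Assumption (not stated on the page): little-endian integers.
IDX_MAGIC, REC_MAGIC = 0x3216144C, 0x4099C689
IDX_HEADER_LEN, REC_HEADER_LEN = 48, 56  # 4+4+4+4+4+8+20 and 4+4+8+8+4+4+8+16 bytes
DLL_GUIDS = {  # DLL GUIDs from the page; assumption: the 16 raw bytes, shown as upper-case hex
    "2B5CA624B61E3F408B994BF679001DC2": "BHSvcPlg", "334FC1F5F2DA574E9BE8A16049417506": "SubmissionsEim",
    "38ACED4CA8B2134D83ED4D35F94338BD": "SubmissionsEim", "5E6E81A4A77338449805BB2B7AB12FB4": "AtpiEim, ReportSubmission",
    "6AB68FC93C09E744B828A598179EFC83": "IDSxpx86", "95AAE6FD76558D439889B9D02BE0B850": "IDSxpx86",
    "6A007A980A5B0A48BDFC4D887AEACAB0": "IDSxpx86", "D40650BD02FDE745889CB15F0693C770": "IDSxpx86",
    "3DC1B6DEBAE889458213D8B252C465FC": "IDSxpx86", "8EF95B94E971E842BAC952B02E79FB74": "AVModule",
    "A72BBCC1E52A39418B8BB591BDD9AE76": "RepMgtTim", "F2ECB3F7D763AE4DB49322CF763FC270": "ccSubEng",
}

class IndexRecord(NamedTuple):
    offset: int        # where this record starts in submissions.idx
    prev_offset: int   # "Start of Last Index" field
    deleted: bool      # Length 2 == 0 marks a deleted record
    key: bytes         # 16-byte Blowfish key
    ciphertext: bytes  # Length 1 - 16 bytes, still Blowfish-encrypted ASN.1

def parse_submissions_idx(data: bytes) -> list[IndexRecord]:
    """Check the file header, then walk index records to end of file."""
    magic, _unk, size = struct.unpack_from("<III", data, 0)
    if magic != IDX_MAGIC or size != len(data):
        raise ValueError(f"bad header: magic 0x{magic:08X}, size field {size}, file {len(data)}")
    records, pos = [], IDX_HEADER_LEN
    while pos + REC_HEADER_LEN <= len(data):
        rmagic, _unk, _start, prev, len1, len2, _unk2 = struct.unpack_from("<IIQQIIQ", data, pos)
        body = data[pos + REC_HEADER_LEN : pos + REC_HEADER_LEN + len1 - 16]
        if rmagic != REC_MAGIC or len1 < 16 or len(body) != len1 - 16:
            raise ValueError(f"bad or truncated index record at offset {pos}")
        records.append(IndexRecord(pos, prev, len2 == 0, data[pos + 40 : pos + 56], body))
        pos += REC_HEADER_LEN + len(body)
    return records

def parse_guid_file(data: bytes) -> tuple[str, bytes, bytes]:
    """Split a {GUID} file into (submitting DLL name, Blowfish key, ciphertext)."""
    guid_hex = data[:16].hex().upper()
    return DLL_GUIDS.get(guid_hex, "unknown:" + guid_hex), data[16:32], data[32:]

def build_sample_idx(entries) -> bytes:
    """Constructed test input, not real SEP data: entries are (deleted, key, body) tuples."""
    out, prev = bytearray(IDX_HEADER_LEN), 0
    for deleted, key, body in entries:
        pos, len1 = len(out), 16 + len(body)
        out += struct.pack("<IIQQIIQ", REC_MAGIC, 0, pos, prev, len1, 0 if deleted else len1, 0) + key + body
        prev = pos
    struct.pack_into("<III", out, 0, IDX_MAGIC, 0, len(out))
    return bytes(out)
```

Feed `parse_submissions_idx` the bytes of a real submissions.idx and each record's `key` and `ciphertext` are what you hand to Blowfish; a record whose `deleted` flag is set still carries its key and data, so deleted submissions may remain recoverable.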