ccSubSDK Files

ccSubSDK.md

ccSubSDK

Symantec Endpoint Protection clients automatically submit pseudonymous information about detections, network, and configuration to Symantec Security Response. Symantec uses this pseudonymous information to address new and changing threats as well as to improve product performance. Pseudonymous data is not directly identified with a particular user. The detection information that clients send includes information about antivirus detections, intrusion prevention, SONAR, and file reputation detections.

submissions.idx

submissions.idx can be found in the following location: C:\ProgramData\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\CmnClnt\ccSubSDK\submissions.idx

Offset Length Field Description
0 4 Header Always 0x3216144C
4 4 Unknown Will require further investigation as to the purpose of this entry.
8 4 Size Size of submissions.idx
12 4 Unknown Will require further investigation as to the purpose of this entry.
16 4 Unknown Will require further investigation as to the purpose of this entry.
20 8 Unknown Will require further investigation as to the purpose of this entry.
28 20 Unknown Will require further investigation as to the purpose of this entry.

Index

Continues to end of file.

Offset Length Field Description
0 4 Header Always 0x4099C689
4 4 Unknown Will require further investigation as to the purpose of this entry.
8 8 Start of Index Offset to begining of Index
16 8 Start of Last Index Offset to begining of previous Index
24 4 Lenght 1 Total size of Data including Blowfish Key
28 4 Lenght 2 Actual size of Data including Blowfish Key
*If length is 0, record is deleted.
32 8 Unknown Will require further investigation as to the purpose of this entry.
40 16 Blowfish Key Symmetric-key for Blowfish
56 Length 1 - 16 Data Data appears to be in ASN.1 format. It is comprised of a series of tags.
Code Value Length Extra Data
0x01 1 None
0x0A 1 None
0x03 4 None
0x06 4 None
0x04 8 None
0x07 4 NUL-terminated ASCII String (of length controlled by dword following 0x07 code)
0x08 4 NUL-terminated Unicode String (of length controlled by dword following 0x08 code)
0x09 4 Container (of length controlled by dword following 0x09 code)
0x0F 16 None
0x10 16 None

{GUID} Files

{GUID} files can be found in the following location: C:\ProgramData\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\CmnClnt\ccSubSDK\{GUID}

Offset Length Field Description
0 16 GUID GUID of dll responsible for submission.
16 16 Blowfish Key Symmetric-key for Blowfish
32 varies Data Data appears to be in ASN.1 format. It is comprised of a series of tags.
Code Value Length Extra Data
0x01 1 None
0x0A 1 None
0x03 4 None
0x06 4 None
0x04 8 None
0x07 4 NUL-terminated ASCII String (of length controlled by dword following 0x07 code)
0x08 4 NUL-terminated Unicode String (of length controlled by dword following 0x08 code)
0x09 4 Container (of length controlled by dword following 0x09 code)
0x0F 16 None
0x10 16 None

No comments:

Post a Comment