Well here we are, first post of my new blog. I've got some interesting posts planned stemming mostly from some of the work I do in cybersecurity.
Before we get started big shout out to TeamDofir who did a lot of the original research for this.
The enterprise I work at uses Symantec Endpoint Protection 12 (SEP 12) for its endpoint...protection. Unfortunately for us, the on-site Symantec team has been less than responsive with procedures and policies we'd like changed (I'm a part of a team of contracted incident handlers).
We recently had an idea to analyze quarantine files to better understand what SEP was 'eating' across the enterprise. Knowing that the Symantec team is rather unreliable when asked, we decided to do our own research into how to remove the effects of quarantine, or put the fangs back in the wolf as I like to say.
When SEP quarantines a file, the AV "salts" (see TeamDofir's blog for more info), encrypts and compresses the file and creates two .vbn files in the quarantine directory.
Quarantine files on a host are typically stored in the SEP folder found in ProgramData (a hidden folder); the quarantine folder itself can be found at:
C:\ProgramData\Symantec\Symantec Endpoint Protection\%SEP Version%\Data\Quarantine
One point of note to this: I have noticed recently that SEP will create a new "Data" folder for each version of SEP. This can make these files a bit harder to find, especially from the Windows command line when trying to retrieve them from a remote host. If you know the host has some quarantined files due to some other alerts, say from Splunk or ArcSight, be sure to hit tab once or twice in C:\ProgramData\Symantec\Symantec Endpoint Protection\ just for good measure.
Once you arrive at the quarantine directory you will find a file and a folder for each quarantine event, both with the same name. The folder contains the .vbn file with the malware; the file OUTSIDE of the folder is essentially metadata for Symantec, or as Symantec calls it, "VBNINFO".
[Screenshot] Credit to BugBear for the screenshot.
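Since the per-version "Data" folders make the quarantine files easy to miss, here is a small triage helper that walks every versioned Data\Quarantine tree and pairs each event's metadata (VBNINFO) file with the same-named folder and the .vbn inside it. This is an added example written for this post; it is not the author's unquarantine.py and not a Symantec tool. It assumes only the layout described above, plus one practical assumption: a file and a folder cannot literally share a full name on one filesystem, so the pairing is done on the base name (the sample event names, versions and file contents are constructed).

```python
"""Locate SEP 12 quarantine events across every versioned Data folder.

Added example for this post; it is not the author's unquarantine.py and not
a Symantec tool. It assumes only the layout the post describes: one
<version>\\Data\\Quarantine tree per installed SEP version under the
ProgramData folder, and per event a metadata ("VBNINFO") file next to a
folder of the same base name that holds the .vbn with the content.
"""
import tempfile
from pathlib import Path
from typing import List, NamedTuple

# Path from the post; point this at an offline copy of ProgramData if needed.
DEFAULT_SEP_ROOT = Path(r"C:\ProgramData\Symantec\Symantec Endpoint Protection")


class QuarantineEvent(NamedTuple):
    version: str            # per-version folder the event was found under
    name: str               # base name shared by metadata file and folder
    info_file: Path         # metadata ("VBNINFO") file outside the folder
    vbn_files: List[Path]   # .vbn file(s) inside the folder; empty if missing


def quarantine_dirs(sep_root: Path) -> List[Path]:
    """Every <version>/Data/Quarantine directory under sep_root.

    SEP creates a fresh Data folder per version, so this never assumes
    a single one; children without Data/Quarantine are skipped.
    """
    if not sep_root.is_dir():
        return []
    return sorted(child / "Data" / "Quarantine"
                  for child in sep_root.iterdir()
                  if (child / "Data" / "Quarantine").is_dir())


def collect_events(sep_root: Path) -> List[QuarantineEvent]:
    """Pair each metadata file with its same-named folder and .vbn content.

    A file and a folder cannot share the full name on one filesystem, so the
    pairing is on the base name (stem); that is an assumption of this example.
    """
    events = []
    for qdir in quarantine_dirs(sep_root):
        version = qdir.parent.parent.name
        folders = {p.name: p for p in qdir.iterdir() if p.is_dir()}
        for info in sorted(p for p in qdir.iterdir() if p.is_file()):
            folder = folders.get(info.stem)
            if folder is None:
                # Metadata without a content folder: keep it visible instead
                # of dropping it, so the gap shows up in triage output.
                events.append(QuarantineEvent(version, info.stem, info, []))
                continue
            vbns = sorted(p for p in folder.iterdir()
                          if p.is_file() and p.suffix.lower() == ".vbn")
            events.append(QuarantineEvent(version, info.stem, info, vbns))
    return events


def missing_content(events: List[QuarantineEvent]) -> List[QuarantineEvent]:
    """Events whose folder or .vbn is absent; worth a second look."""
    return [e for e in events if not e.vbn_files]


def build_sample_tree(root: Path) -> Path:
    """Constructed layout for offline runs: two SEP versions, three events.

    All names and contents are made up; nothing here is real SEP data.
    """
    sep_root = root / "Symantec Endpoint Protection"
    layout = {
        "12.1.6000.1000": ["1A2B3C4D"],
        "12.1.7000.2000": ["5E6F7A8B", "ORPHAN00"],
    }
    for version, names in layout.items():
        qdir = sep_root / version / "Data" / "Quarantine"
        qdir.mkdir(parents=True)
        for name in names:
            (qdir / f"{name}.VBN").write_bytes(b"constructed VBNINFO metadata")
            if name != "ORPHAN00":          # leave one event without content
                (qdir / name).mkdir()
                (qdir / name / f"{name}.VBN").write_bytes(b"constructed content")
    return sep_root


def run_demo() -> List[QuarantineEvent]:
    """Build the sample tree in a temp dir and collect its events."""
    with tempfile.TemporaryDirectory() as tmp:
        return collect_events(build_sample_tree(Path(tmp)))


if __name__ == "__main__":
    for e in run_demo():
        state = "ok" if e.vbn_files else "NO CONTENT FOLDER / .vbn"
        print(f"{e.version} {e.name}: {state}")
```

On a real host (or a copied ProgramData tree) call collect_events(DEFAULT_SEP_ROOT) instead of run_demo(); the entries returned by missing_content() are the events where the metadata file exists but the content folder or .vbn does not, which is exactly what tends to get overlooked when only one Data folder is checked.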
As you can see from the screenshot above and from other blog and Symantec forum posts, Symantec has a tool called QExtract, which is the tool they use to extract files from a quarantined state. I have heard of many issues with this tool, and having a Python script that will do the same works better for me.
Once you've found the files you want, I would recommend moving them via either sneakernet or networking to a lab environment where they can be un/de-quarantined (grammar nazis please help!). The unquarantine script is quite simple:
python unquarantine.py <location of .vbn file containing malware>
After the file has been 're-fanged' you can proceed to analyze it however you wish. I prefer Cuckoo or another open-source sandbox.