I commonly analyze systems that run Symantec Antivirus Corporate Edition. A common question we have to answer is regarding the last date a scan was run and the date of the definition files. I did some quick research and came up with the following. May it also help others in the same situation.
The registry keeps track of symantec definition dates in:
HKLM\Software\Symantec\SharedDefs
Defwatch_10 is the value and the data contains the path and date of definitions and revision.
EX:
DEFWATCH_10 REG_SZ C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20080902.016
Defdate is: 20080902, rev 16.
Log files are located in C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Antivirus Corporation Edition\7.5\Logs
The key to the logfile is here
Files are timedate stamped as follows: mmddyyyy.Log
Pulling out relevant information can be accomplished in many ways.
One simple way is by doing the following:
[root (Logs)]# awk -F, '{print $5" "$6" "$7" "$8" "$35}' 09102008.Log
This returns the following information:
Computer Name, User logged in, Name of the malware identified, File location of the malware, IP Address of the system
A scan starting looks like this:
260A1C0B2618,3,2,9,D98B90D03,Administrator,,,,,,,16777216,"Scan started on selected drives and folders and all extensions.",1227890305,,0,,,,,0,,,,,,,,,,,{C446AF0D-2434-4C32-99F7-
B41DC042A2DC},,(IP)-0.0.0.0,,WORKGROUP,00:0C:29:E6:8C:72,10.1.6.6000,,,,,,,,,,,,,,,,0,,,,D98B90D03
The key to interpretation are fields 1-3. In this case it's 3,2,9 which indicates a realtime scan started. A realtime scan is obviously different than a manual scan in that a realtime scan is initiated by the system and a manual scan is initiated by the user. A manual scan looks like this:
260B1D142927,3,2,1,D98B90D03,Administrator,,,,,,,16777216,"Scan started on selected drives and folders and all extensions.",1230601302,,0,,,,,0,,,,,,,,,,,{C446AF0D-2434-4C32-99F7-B41DC042A2DC},,(IP)-0.0.0.0,,WORKGROUP,00:0C:29:E6:8C:72,10.1.6.6000,,,,,,,,,,,,,,,,0,,,,D98B90D03
The key again are fields 1-3 which in this case are 3,2,1. This is a clear indicator that a manual scan was started by Administrator. When someone says "I didn't run an antivirus scan", you now have a quick way to determine whether or not they are telling the truth.
0 comments:
Post a Comment