Thursday, March 7, 2019

Symantec DCS 6.8 new feature demonstration “Anti-Malware”


In January 2019, Symantec released a new version of DCS with a great feature for Linux (RHEL and Ubuntu). Linux administrators will no longer be asked to install AV alongside the DCS agent, as both are now bundled in one agent. The feature is still limited to two Linux distributions, and to specific release versions of those, and I believe this is just the start: Symantec is going to support more versions in later releases.
 
I’m going to do some hands-on work with this feature and review the policy behind it. The demonstration runs in a small lab using VirtualBox for image hosting, and the EICAR test file is used to trigger an event and show how DCS protects the system in real time.

In the lab, the DCS server runs on Windows 2016, and the test Linux system is Ubuntu 16.04.5.

On the Dashboard, the “virus detected” widget is carried over from the previous version. However, that widget relates to the agentless feature that was developed for the VM NSX solution.



I installed the DCS agent “agent64-linux-ubuntu16.bin” on the Ubuntu system and then restarted it. Then I used a text editor to create a file named Test_virus_@AmirMahouk.com

Here is the file content…


Then I used the WinSCP utility to move the test virus from the host machine to the Linux image, into the /home/amir/ folder.



I noticed that the Malware Protection feature took effect immediately, even before a policy was configured or prevention mode enabled. I created a GIF to show this activity.



And here is the event from DCS portal



Event details



This feature can be customized in the DCS Java console, which lets administrators add an exclusion list and configure a local LiveUpdate server (“LUA”). To customize these settings in the DCS Java console: (1) open the Configs tab, (2) then the Detection tab, (3) then the Symantec folder, and (4) double-click “Default Detection Parameters”, as shown below.

This opens the Default Detection Parameters window; the AV Config tab holds the settings for the Malware Protection feature.
(A) General settings: enable Auto-Protect or enable scanning of external drives.
(B) Quarantine path where detected files are stored (I add a few details on this below).
(C) Inclusion paths; if no value is set, all folders are scanned.
(D) Exclusion list.
(E) LiveUpdate URL: Symantec’s standard LiveUpdate servers are used if the URL is blank, or an internal LiveUpdate server if its URL is entered.



Malware setting in Linux

The settings configured in the Java console are reflected in the AntiMalware.ini file under /opt/Symantec/sdcssagent/AMD/system





Restore file from quarantine

First, add the file to the exclusion list in the DCS Java console, then restore it with the AMDRestoreTool found under /opt/Symantec/sdcssagent/AMD/tools


As you can see, the quarantined file name "158989114370783ee.qur" is randomly generated, so it is hard to tell which entry is the right one when the quarantine holds many files, as shown in (A) below. The best way to find the exact file is to use grep:

grep -r "AmirMahouk.com" /var/log/sdcsslog/quarantine/

as shown in (B) below.

Note: AmirMahouk.com is part of the name of the file that needs to be restored.

You will then see, as shown in (C), the exact file name to use in the restore command above.
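To make that lookup repeatable, here is a small shell helper I add as an example (it is not code from the post or from Symantec). It assumes, as the grep result above shows, that each .qur entry still contains the original file name in plain text; the quarantine path is the one named above, and the helper refuses to hand back an ambiguous answer so a guessed name is never passed to the restore tool.

```shell
#!/bin/sh
# Added example, not code from the post or from Symantec.
# Assumption (matching the grep result in the post): a .qur entry contains
# the original file name in plain text. Quarantine path as named in the post.
QUARANTINE_DIR="${QUARANTINE_DIR:-/var/log/sdcsslog/quarantine}"

# find_quarantined <name-fragment> [quarantine-dir]
# Prints the matching .qur file name(s), one per line.
# Exit status: 0 = exactly one match, 1 = no match, 2 = several matches
# (the caller should only pass a unique name on to AMDRestoreTool).
find_quarantined() {
    fragment="$1"
    dir="${2:-$QUARANTINE_DIR}"
    matches=$(grep -rlF -- "$fragment" "$dir" 2>/dev/null)
    [ -n "$matches" ] || return 1
    printf '%s\n' "$matches" | sed 's#.*/##'
    [ "$(printf '%s\n' "$matches" | grep -c .)" -eq 1 ] || return 2
}

# make_sample_quarantine: builds a constructed quarantine directory in a temp
# folder so the lookup can be tried without a DCS agent. Prints its path.
# The entry names and contents below are made up for this example.
make_sample_quarantine() {
    d=$(mktemp -d)
    printf 'QUARANTINED: /home/amir/Test_virus_@AmirMahouk.com\n' > "$d/158989114370783ee.qur"
    printf 'QUARANTINED: /home/amir/other_sample.txt\n' > "$d/2a7c9f0e1b3d4455.qur"
    printf 'QUARANTINED: /home/amir/other_sample_copy.txt\n' > "$d/9e8d7c6b5a443322.qur"
    printf '%s\n' "$d"
}

demo() {
    q=$(make_sample_quarantine)
    echo "unique match:"; find_quarantined "AmirMahouk.com" "$q"; echo "rc=$?"
    echo "ambiguous:"; find_quarantined "other_sample" "$q"; echo "rc=$?"
    echo "no match:"; find_quarantined "nothing_here" "$q"; echo "rc=$?"
    rm -rf "$q"
}
demo
```

Point QUARANTINE_DIR elsewhere (or pass a second argument) to run it against a different quarantine folder.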



Issue found during the testing

While testing, I noticed that the malware function suddenly stopped working. I removed the DCS agent and reinstalled it, with no luck. However, I found this error during the installation, which means the feature will not work properly if the machine has less than 4GB of RAM.



That is all I have for today; I will keep demonstrating valuable new features in upcoming posts.

Please leave a comment if you found this valuable.

Thanks

