Symantec ATP (Advance Threat Protection) EDR Configuration Notes - NETSEC

Latest

Learning, Sharing, Creating

Cybersecurity Memo

Friday, May 1, 2020

Symantec ATP (Advance Threat Protection) EDR Configuration Notes

I am working on Symantec ATP , which new name is EDR. Here lists some of experience I learned from this set up. It is still updating.


YouTube Video:


Web GUI








Command Line : Commands


Check Date:

localhost> show --date
Mon Jun 03 13:40:41 GMT 2019

localhost> show
usage: show [--help] [--date] [--version] [--info]
    --help,-h    More extensive help
    --date,-d    Show the current date and time
    --version,-v Show the appliance version number
    --info,-i    Show system information



check Appliance Status:
localhost> status_check
This is the admin tool which verifies the following things.
1) Management Port Status
                                - This verifies if the management port is UP and                                                                                                              Running.
                                This will show 'Active' if its UP and Running,
                                otherwise 'Inactive'.
2) Connection to Symantec
                                - This verifies if the appliance can reach www.s                                                                                                             ymantec.com.
3) Scanner  => Management Server Connectivity
                                - This verifies if the scanner is able to connec                                                                                                             t to the
                                management server or not. On the management serv                                                                                                             er,
                                displays the list of scanners associated with th                                                                                                             e
                                management server. Use this tool on the scanner                                                                                                              to test
                                connectivity between the scanner and the managem                                                                                                             ent server.
4) Service Running
                                - This verifies the status of all services in Sy                                                                                                             mantec EDR. If all
                                services are working properly, 'Success' is retu                                                                                                             rned.
                                Otherwise, process names that are not working pr                                                                                                             operly are
                                displayed.
5) Scanning Status
                                - This verifies if scanning on Symantec EDR is e                                                                                                             nabled or not.
6) Interface Status
                                - This verifies whether interfaces in the curren                                                                                                             t environment
                                are active, such as mgmt_port, wan1_tap1, and la                                                                                                             n1_tap2 in
                                a virtual environment.
                                - This displays traffic received and transmitted                                                                                                              by the
                                active interfaces.
7) Data Inspection Status
                                - This verifies if the packet inspection engine                                                                                                              of Symantec EDR is
                                receiving traffic.
                                - This displays packet processed by the packet i                                                                                                             nspection
                                engine of Symantec EDR.
8) Proxy Server Info
                                - This returns information about the proxy serve                                                                                                             r, if one
                                exists in the management network. This informati                                                                                                             on can be
                                used to test the connectivity to the Symantec se                                                                                                             rvers in
                                the Cloud.
9) Connectivity to Servers
                                - This shows the connectivity to the Symantec se                                                                                                             rvers in the
                                Cloud.

NTP:                                            Synchronised.
Management Port Status:                         Active!
Connection to Symantec:                         Success!
Scanner => Management Server  Connectivity:     The AMQP broker is healthy.
                                                Please use status_check on the s                                                                                                             canners to
                                                test connectvity to the manageme                                                                                                             nt server.
                                                List of connected Scanners is as                                                                                                              below:
                                                172.3.1.13
                                                10.3.1.14
Service Running:                                Success!
Scanning Status:                                This is a management server . Sc                                                                                                             anning status is not applicable for this.
Interface Status:
                                                Interface mgmt_port is active!
                                                Received Bytes= 15.4 MiB  Transm                                                                                                             itted Bytes=34.7 MiB
                                                Interface wan1_tap1 is inactive!
                                                Interface lan1_tap2 is inactive!
                                                Interface wan2_tap3 is inactive!
                                                Interface lan2_tap4 is inactive!
Data Inspection Status:                         This is a management server. Dat                                                                                                             a inspection status is not applicable to this.
Is there a corporate proxy server in the management network? (yes:no)
  no
Connectivity to Servers:
  Accessed Cynic license server [https://licensing.dmas.symantec.com].
  Accessed Cynic API server [https://api.us.dmas.symantec.com].
  Accessed LiveUpdate server [http://liveupdate.symantec.com].
  Accessed AV Detection ping server [https://stnd-avpg.crsi.symantec.com/postDet                                                                                                             ectionEvent].
  Accessed IPS Detection ping server [https://stnd-ipsg.crsi.symantec.com/postIn                                                                                                             trusionEvent].
  Accessed Aztec server [https://register.brightmail.com].
  Accessed Software Update server [https://swupdate.brightmail.com].
  Accessed Insight server [https://shasta-rrs.symantec.com/mrclean].
   Accessed Mobile Insight server [https://shasta-mrs.symantec.com/partner].
  Accessed Roaming and Email Security.Cloud Correlation server [https://datafeedapi.symanteccloud.com].
  Accessed Telemetry: Statistics server [https://stats.norton.com/n/p].
  Accessed Telemetry: File server [https://telemetry.symantec.com].
  Accessed Breach Detection server [https://api-gateway.symantec.com].
  Accessed Symantec EDR Cloud server [https://edrc.symantec.com].
Connectivity to Repository:
  Accessed repository.
localhost>



Enable SSH Access:
localhost> sshconfig enable

Enabling SSH server...Redirecting to /bin/systemctl start sshd.service
done
Enabling SSH server by default (will start at boot)...Note: Forwarding request to 'systemctl enable sshd.service'.
done
localhost>


Check Software Version:
The management server software version has to match scanner version. If not, scanner will not show in the management server's web GUI.
localhost> show --version
Version: 4.1.0-951
Install Date: Mon 25 Mar 2019 01:49:14 PM GMT
localhost>

scanner:
localhost> show --version
Version: 3.1.0-678
Install Date: Mon 03 Jun 2019 01:31:47 PM GMT
localhost>

Update ATP (EDR) to latest version:

  • update download
  • update status
  • update install


localhost> update
Usage: update download|install|list|clean_all|clean_metadata|clean_packages|clea                                                                                                             r_update_state|rpmdb_repair|status
    download:           download latest available version to local cache
    install:            install latest available version from local cache
    list:               list all available versions
    clean_all:          clean up cached packages, metadata and other software up                                                                                                             date data
    clean_metadata:     clean up cached metadata
    clean_packages:     clean up cached packages
    clear_update_state: reset update state
    rpmdb_repair:       repair rpm database.
    clear_lock:         clear out old lockfile
    status:             print current update command status. run 'status_check'                                                                                                              command to check repository access





Backup / Restore



From Command Line:

localhost> backup --user=testuser1 --password='password1234' --protocol=scp --port=22 --host=172.21.2.111 --path=/tmp/
2019-06-21 11:30:34,170 INFO Validating remote storage.
2019-06-21 11:30:34,170 INFO index value is None
2019-06-21 11:30:38,395 INFO EDR commands have been backed up successfully
2019-06-21 11:30:38,465 INFO Performing ES snapshot, could take a while...
2019-06-21 11:30:39,955 INFO Done with snapshot.
2019-06-21 11:30:39,955 INFO Snapshot succeeded.
2019-06-21 11:30:39,955 INFO Archiving backup.
2019-06-21 11:30:39,989 INFO Building config_export.txt
2019-06-21 11:30:44,830 INFO Sending backup archive to remote storage via scp.
2019-06-21 11:30:46,317 INFO Succeed running backup, backupfile=sedr_backup_4.1.0-951_20190621113039.tar.gz
localhost>






Troubleshooting

Two errors found recently:
1. No Network Traffic is observed on monitored networks in last 24 hours - This usually relates to Switch SPAN port configuration.
2. An error occurred during software update. - This can be resolved by status_check to see which Symantec website is not reachable. It usually relates to your Firewall SSL Decryption.




login as: admin
Pre-authentication banner message from server:
| #######################################################
| # Access is restricted to authorized users.           #
| # If you are logging on to this system in error,      #
| # please log off now.                                 #
| # Unauthorized access will be prosecuted.             #
| #######################################################
End of banner message from server
[email protected]'s password:
     ┌────────────────────────────────────────────────────────────────────┐
     │                        • MobaXterm 12.3 •                          │
     │            (SSH client, X-server and networking tools)             │
     │                                                                    │
     │ ➤ SSH session to [email protected]                                 │
     │   • SSH compression : ✔                                            │
     │   • SSH-browser     : ✔                                            │
     │   • X11-forwarding  : ✘  (disabled or not supported by server)     │
     │   • DISPLAY         : 192.168.2.72:0.0                             │
     │                                                                    │
     │ ➤ For more info, ctrl+click on help or visit our website           │
     └────────────────────────────────────────────────────────────────────┘

Last failed login: Tue Apr 21 15:54:44 GMT 2020 from 10.10.1.4 on ssh:notty
There were 2 failed login attempts since the last successful login.
Last login: Thu Jun 27 13:52:24 2019 from 10.10.13.2
#######################################################
# Access is restricted to authorized users.           #
# If you have logged on to this system in error,      #
# please log off now.                                 #
# Unauthorized access will be prosecuted.             #
#######################################################
localhost>
localhost>
localhost> update status
2020/04/19 02:58:31 UTC : Last software update status - Prepatch failed to apply patch due to errors from proxy.
Next steps:
1.Check the proxy configuration in Symantec EDR  on the Settings -> Appliances page.
2.Then from command line, run 'update download' to try the download again.'
3. If the problem persists, at the command line, run 'gather_logs' command to send information to Symantec support.
localhost> status_check
This is the admin tool which verifies the following things.
1) Management Port Status
                                - This verifies if the management port is UP and Running.
                                This will show 'Active' if its UP and Running,
                                otherwise 'Inactive'.
2) Connection to Symantec
                                - This verifies if the appliance can reach www.symantec.com.
3) Scanner  => Management Server Connectivity
                                - This verifies if the scanner is able to connect to the
                                management server or not. On the management server,
                                displays the list of scanners associated with the
                                management server. Use this tool on the scanner to test
                                connectivity between the scanner and the management server.
4) Service Running
                                - This verifies the status of all services in Symantec EDR. If all
                                services are working properly, 'Success' is returned.
                                Otherwise, process names that are not working properly are
                                displayed.
5) Scanning Status
                                - This verifies if scanning on Symantec EDR is enabled or not.
6) Interface Status
                                - This verifies whether interfaces in the current environment
                                are active, such as mgmt_port, wan1_tap1, and lan1_tap2 in
                                a virtual environment.
                                - This displays traffic received and transmitted by the
                                active interfaces.
7) Data Inspection Status
                                - This verifies if the packet inspection engine of Symantec EDR is
                                receiving traffic.
                                - This displays packet processed by the packet inspection
                                engine of Symantec EDR.
8) Proxy Server Info
                                - This returns information about the proxy server, if one
                                exists in the management network. This information can be
                                used to test the connectivity to the Symantec servers in
                                the Cloud.
9) Connectivity to Servers
                                - This shows the connectivity to the Symantec servers in the
                                Cloud.

NTP:                                            Synchronised.
Management Port Status:                         Active!
Connection to Symantec:                         Success!
Scanner => Management Server  Connectivity:     The AMQP broker is healthy.
                                                Please use status_check on the scanners to
                                                test connectvity to the management server.
                                                List of connected Scanners is as below:
                                                172.2.1.1
                                                10.1.1.14
Service Running:                                Success!
Scanning Status:                                This is a management server . Scanning status is not applicable for this.
Interface Status:
                                                Interface mgmt_port is active!
                                                Received Bytes= 243.1 GiB  Transmitted Bytes=764.0 GiB
                                                Interface wan1_tap1 is inactive!
                                                Interface lan1_tap2 is inactive!
                                                Interface wan2_tap3 is inactive!
                                                Interface lan2_tap4 is inactive!
Data Inspection Status:                         This is a management server. Data inspection status is not applicable to this.
Is there a corporate proxy server in the management network? (yes:no)
no
Connectivity to Servers:
  Accessed Cynic license server [https://licensing.dmas.symantec.com/1/regions].
  Accessed Cynic API server [https://api.global.dmas.symantec.com].
  Accessed LiveUpdate server [http://liveupdate.symantec.com].
  Accessed AV Detection ping server [https://stnd-avpg.crsi.symantec.com/postDetectionEvent].
  Accessed IPS Detection ping server [https://stnd-ipsg.crsi.symantec.com/postIntrusionEvent].
  Accessed Aztec server [https://register.brightmail.com].
  Accessed Software Update server [https://swupdate.brightmail.com].
  Accessed Insight server [https://shasta-rrs.symantec.com/mrclean].
  Accessed Mobile Insight server [https://shasta-mrs.symantec.com/partner].
  Accessed Roaming and Email Security.Cloud Correlation server [https://datafeedapi.symanteccloud.com].
  Accessed Telemetry: Statistics server [https://stats.norton.com/n/p].
  Could not access Telemetry: File server [https://telemetry.symantec.com].
  Accessed Breach Detection server [https://api-gateway.symantec.com].
  Accessed Symantec EDR Cloud server [https://edrc.symantec.com].
Connectivity to Repository:
  Accessed repository.
localhost>

Critical Error Message:





References:




No comments:

Post a Comment