Data Center Security 6.7 - Using the API to add File Scan Exclusions to a policy.


Article ID: 170025


Products

Data Center Security Server

Issue/Introduction

You are fine-tuning your Data Center Security (DCS) policy and want to add many File Scan Exclusions to the Virtual Machine AV policy. This can be done manually, but it can also be automated using the API. This Technote shows how that is done in a step-by-step example.


Environment

In this example:

Symantec Data Center Security 6.7MP1 

Chrome 60.0.3112.101

Postman (https://www.getpostman.com/)


Resolution

This is a step-by-step guide, by example, to adding many File Scan Exclusions to the Virtual Machine AV policy using the API. It is not a replacement for the manuals, such as the Symantec™ Data Center Security: Server, Server Advanced, and Monitoring Edition - REST API Reference Guide at https://support.symantec.com/en_US/article.DOC9220.html

It is highly recommended to use the "postman" REST API Chrome app (in this example Postman and Chrome were used).

#### step 0 - look at the API manual (needs the token that is acquired in step 1) ####

http request ==> https://dcsman01.yourdomain.local:4443/sis-ui/api/
method ==> get
raw headers ==>  Authorization: Bearer a990e2dc-b231-4a01-acad-7295cc909faf


#### step 1 - get token  ####

http request ==> https://dcsman01.yourdomain.local:8443/umcservices/rest/v1.0/auth/token
method ==> post
raw headers ==>  Content-Type: application/json
body (raw)  ==>  {"username":"dcsadmin","password":"Symc123#"}

result ==> 

"accessToken": "a990e2dc-b231-4a01-acad-7295cc909faf",
"tokenType": "bearer",
"expiresIn": 1800,
...

It is the "a990e2dc-b231-4a01-acad-7295cc909faf" token value that we need; the token is valid for up to 30 minutes for executing API requests.

#### step 2 - get list of AV policies (using token from step 1) ####

http request ==> https://dcsman01.yourdomain.local:4443/sis-ui/api/v1/manage/sva/?filter=elementtype::wrk.sva.av.pol
method ==> get
raw headers ==>  Authorization: Bearer a990e2dc-b231-4a01-acad-7295cc909faf

result ==>

[
    {
        "ismodified": false,
        "ispublished": true,
        "description": "Configuration settings for Symantec AV policy. The files or folders in the specified GVM are protected whenever there is an attempt to access.",
        "comment": "Configuration settings for Symantec AV policy. The files or folders in the specified GVM are protected whenever there is an attempt to access.",
        "elementtype": "wrk.sva.av.pol",
        "revision": "1",
        "policycacheerror": "",
        "afversion": "6.6.0",
        "appliedcount": 0,
        "ostype": "Windows",
        "name": "AV Policy Windows - Scan On Access",
        "rid": 1986,
        "modtime": 1495106820080,
        "createtime": 1495106820080,
        "builtin": false,
        "deleted": false,
        "packinfo": {}
    },
    {
        "ismodified": false,
        "ispublished": false,
        "description": "Configuration settings for Symantec AV policy. The files or folders in the specified GVM are protected whenever there is an attempt to access.",
        "comment": "Configuration settings for Symantec AV policy. The files or folders in the specified GVM are protected whenever there is an attempt to access.",
        "elementtype": "wrk.sva.av.pol",
        "revision": "3",
        "policycacheerror": "",
        "afversion": "6.6.0",
        "appliedcount": 0,
        "ostype": "Windows",
        "name": "Testing123",
        "rid": 2185,
        "modtime": 1503481550140,
        "createtime": 1503480670870,
        "builtin": false,
        "deleted": false,
        "packinfo": {}
    }
]

In this example we are using the policy with "name": "Testing123" and "rid": 2185 (the last one in the list).

#### step 3 - get details of just 1 policy (use rid of policy from step 2) ####

http request ==> https://dcsman01.yourdomain.local:4443/sis-ui/api/v1/manage/sva/2185
method ==> get
raw headers ==>  Authorization: Bearer a990e2dc-b231-4a01-acad-7295cc909faf

result ==>

{
    "ismodified": false,
    "ispublished": false,
    "description": "Configuration settings for Symantec AV policy. The files or folders in the specified GVM are protected whenever there is an attempt to access.",
    "comment": "Configuration settings for Symantec AV policy. The files or folders in the specified GVM are protected whenever there is an attempt to access.",
    "elementtype": "wrk.sva.av.pol",
    "revision": "3",
    "policycacheerror": "",
    "afversion": "6.6.0",
    "appliedcount": 0,
    "ostype": "Windows",
    "name": "Testing123",
    "rid": 2185,
    "modtime": 1503481550140,
    "createtime": 1503480670870,
    "builtin": false,
    "deleted": false,
    "packinfo": {}
}

#### step 4 - get policy settings (use rid of policy from step 2) ####

http request ==> https://dcsman01.yourdomain.local:4443/sis-ui/api/v1/manage/sva/2185/settings
method ==> get
raw headers ==>  Authorization: Bearer a990e2dc-b231-4a01-acad-7295cc909faf

result ==>

{
    "oacachingexclude": [],
    "scanfolderslist": [],
    "oacachinginclude": [],
    "odcachingexclude": [],
    "defaultpolicy": false,
    "oacachingflag": "off",
    "replookupsflag": "on",
    "oacachingusnflag": "off",
    "quarmaxentries": 1000,
    "filterextslist": [],
    "deletethreat": "off",
    "scanfileslist": [],
    "filterfldrslist": [
        {
            "folderPath": "\\",
            "recursive": true
        }
    ],
    "odcachingflag": "off",
    "addavtaggvm": "on",
    "filterfileslist": [
        {
            "filePath": "F:\\Program Files\\Microsoft SQL Server\\MSAS11.MSSQLSERVER\\OLAP\\Bin\\MSMDSrv.exe"
        },
        {
            "filePath": "F:\\Program Files\\Microsoft SQL Server\\MSAS12.MSSQLSERVER\\OLAP\\Bin\\MSMDSrv.exe"
        },
        {
            "filePath": "F:\\Program Files\\Microsoft SQL Server\\MSAS11.INSTANCE01\\OLAP\\Bin\\MSMDSrv.exe"
        },
        {
            "filePath": "F:\\Program Files\\Microsoft SQL Server\\MSAS12.INSTANCE01\\OLAP\\Bin\\MSMDSrv.exe"
        },
....

Any exclusions that were added manually in the GUI will also show up here.

#### step 5 - add more files to filterfileslist (use rid of policy from step 2) ####

http request ==> https://dcsman01.yourdomain.local:4443/sis-ui/api/v1/manage/sva/2185
method ==> put
raw headers ==>  Authorization: Bearer a990e2dc-b231-4a01-acad-7295cc909faf
body (raw) ==>

{"settings":{"filterfileslist":[
{"filePath":"C:\\Program Files\\Microsoft SQL Server\\MSSQL11.MSSQLSERVER\\MSSQL\\Binn\\SQLServr.exe"},
{"filePath":"D:\\Program Files\\Microsoft SQL Server\\MSSQL12.MSSQLSERVER\\MSSQL\\Binn\\SQLServr.exe"},
{"filePath":"C:\\Program Files\\Microsoft SQL Server\\MSSQL11.SQLINS01\\MSSQLBinn\\SQLServr.exe"},
{"filePath":"D:\\Program Files\\Microsoft SQL Server\\MSSQL11.SQLINS01\\MSSQL\\Binn\\SQLServr.exe"},
{"filePath":"C:\\Program Files\\Microsoft SQL Server\\MSRS11.ASINS01\\Reporting Services\\ReportServer\\bin\\ReportingServicesService.exe"},
{"filePath":"D:\\Program Files\\Microsoft SQL Server\\MSRS12.ASINS01\\Reporting Services\\ReportServer\\bin\\ReportingServicesService.exe"},
{"filePath":"C:\\Program Files\\Microsoft SQL Server\\MSAS11.MSSQLSERVER\\OLAP\\Bin\\MSMDSrv.exe"},
{"filePath":"D:\\Program Files\\Microsoft SQL Server\\MSAS12.MSSQLSERVER\\OLAP\\Bin\\MSMDSrv.exe"},
{"filePath":"C:\\Program Files\\Microsoft SQL Server\\MSAS11.ASINS01\\OLAP\\Bin\\MSMDSrv.exe"},
{"filePath":"D:\\Program Files\\Microsoft SQL Server\\MSAS12.ASINS01\\OLAP\\Bin\\MSMDSrv.exe"}
]}}


result ==>

{
    "ismodified": false,
    "ispublished": false,
    "description": "Configuration settings for Symantec AV policy. The files or folders in the specified GVM are protected whenever there is an attempt to access.",
    "comment": "Configuration settings for Symantec AV policy. The files or folders in the specified GVM are protected whenever there is an attempt to access.",
    "elementtype": "wrk.sva.av.pol",
    "revision": "3",
    "policycacheerror": "",
    "afversion": "6.6.0",
    "appliedcount": 0,
    "ostype": "Windows",
    "name": "Testing123",
    "rid": 2185,
    "modtime": 1503481550140,
    "createtime": 1503480670870,
    "builtin": false,
    "deleted": false,
    "packinfo": {}
}


#### step 6 - get policy settings again (use rid of policy from step 2) ####

http request ==> https://dcsman01.yourdomain.local:4443/sis-ui/api/v1/manage/sva/2185/settings
method ==> get
raw headers ==>  Authorization: Bearer a990e2dc-b231-4a01-acad-7295cc909faf

result ==>

{
    "oacachingexclude": [],
    "scanfolderslist": [],
    "oacachinginclude": [],
    "odcachingexclude": [],
    "defaultpolicy": false,
    "oacachingflag": "off",
    "replookupsflag": "on",
    "oacachingusnflag": "off",
    "quarmaxentries": 1000,
    "filterextslist": [],
    "deletethreat": "off",
    "scanfileslist": [],
    "filterfldrslist": [
        {
            "folderPath": "\\\\",
            "recursive": true
        }
    ],
    "odcachingflag": "off",
    "addavtaggvm": "on",
    "filterfileslist": [
        {
            "filePath": "C:\\Program Files\\Microsoft SQL Server\\MSSQL11.MSSQLSERVER\\MSSQL\\Binn\\SQLServr.exe"
        },
        {
            "filePath": "D:\\Program Files\\Microsoft SQL Server\\MSSQL11.MSSQLSERVER\\MSSQL\\Binn\\SQLServr.exe"
        },
        {
            "filePath": "C:\\Program Files\\Microsoft SQL Server\\MSSQL12.MSSQLSERVER\\MSSQL\\Binn\\SQLServr.exe"
        },
        {
            "filePath": "D:\\Program Files\\Microsoft SQL Server\\MSSQL12.MSSQLSERVER\\MSSQL\\Binn\\SQLServr.exe"
        },
        {
            "filePath": "C:\\Program Files\\Microsoft SQL Server\\MSSQL11.SQLINS01\\MSSQLBinn\\SQLServr.exe"
        },
        {
            "filePath": "D:\\Program Files\\Microsoft SQL Server\\MSSQL11.SQLINS01\\MSSQL\\Binn\\SQLServr.exe"
        },
        {
            "filePath": "C:\\Program Files\\Microsoft SQL Server\\MSRS11.ASINS01\\Reporting Services\\ReportServer\\bin\\ReportingServicesService.exe"
        },
        {
            "filePath": "D:\\Program Files\\Microsoft SQL Server\\MSRS12.ASINS01\\Reporting Services\\ReportServer\\bin\\ReportingServicesService.exe"
        },
        {
            "filePath": "C:\\Program Files\\Microsoft SQL Server\\MSAS11.MSSQLSERVER\\OLAP\\Bin\\MSMDSrv.exe"
        },
        {
            "filePath": "D:\\Program Files\\Microsoft SQL Server\\MSAS12.MSSQLSERVER\\OLAP\\Bin\\MSMDSrv.exe"
        }       
    ],
    "quarmaxsize": 500,
    "quarrescanflag": "off",
    "onaccessflag": "on",
    "quaritemmaxsize": 100,
    "scanflags": {
        "scanUsingAppliedGroupPolicy": false,
        "scanAll": true,
        "scanShadowCopyVolumes": false
    },
    "odcachinginclude": [],
    "quarpurgeintvl": 43200,
    "removeavtaggvm": "on",
    "odcachingusnflag": "off",
    "scanpolappflag": "off",
    "quarantinefile": "off"
}


Finally, the result in the UMC GUI: [screenshot]

#### step 7 - Publish the policy (use rid of policy from step 2) ####

http request ==> https://dcsman01.yourdomain.local:4443/sis-ui/api/v1/manage/sva/2185/publish

method ==> put
raw headers ==>  Authorization: Bearer a990e2dc-b231-4a01-acad-7295cc909faf

result ==>

{
    "pubsvaconflist": null,
    "pubsvanetseclist": null,
    "wrkpolicyrefrid": 1986,
    "vcnspolid": "f756487d-43ac-4738-977b-d40388549351",
    "pubsvaavlist": null,
    "description": "Configuration settings for Symantec AV policy. The files or folders in the specified GVM are protected whenever there is an attempt to access.",
    "comment": "Configuration settings for Symantec AV policy. The files or folders in the specified GVM are protected whenever there is an attempt to access.",
    "policycacheerror": "",
    "afversion": "6.6.0",
    "revision": "4",
    "elementtype": "pub.sva.av.pol",
    "ostype": "Windows",
    "appliedcount": 0,
    "name": "AV Policy Windows - Scan On Access",
    "rid": 2185,
    "modtime": 1507574638820,
    "createtime": 1507574638820,
    "builtin": false,
    "deleted": false,
    "packinfo": {}
}
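The same procedure driven from a script instead of Postman, as an added example that is not part of the original Technote or the DCS product. The host name, ports and endpoint paths are the ones used in the steps above; the merge logic, the `send` transport hook and the in-memory `fake_manager` stand-in are this example's own design, and `TOKEN-PLACEHOLDER` and the `SAMPLE_SETTINGS` data are constructed. Note that in the outputs above the F:\ entries returned in step 4 are no longer present in step 6 after the PUT, so the PUT body must carry the complete list; the script therefore reads the current `filterfileslist`, merges the new paths into it (case-insensitively, since these are Windows paths), and only then writes it back.

```python
# Added example (not from the technote): drives steps 1 and 4-7 above from a script.
# Host, ports and endpoint paths are the technote's; merge logic, the `send` hook and
# fake_manager are this example's own design (assumptions), not part of the DCS product.
import json
import os
import ssl
import urllib.request

UMC_BASE = "https://dcsman01.yourdomain.local:8443"                 # token endpoint (step 1)
API_BASE = "https://dcsman01.yourdomain.local:4443/sis-ui/api/v1"   # manage endpoints (steps 2-7)


def https_send(method, url, headers, body):
    """Real transport: HTTPS with certificate verification on; returns (status, bytes)."""
    req = urllib.request.Request(url, data=body, method=method, headers=headers)
    with urllib.request.urlopen(req, context=ssl.create_default_context(), timeout=30) as r:
        return r.status, r.read()


def request_json(method, url, token=None, payload=None, send=https_send):
    """One API call with optional bearer token and JSON body; raises on a non-2xx status."""
    headers = {"Accept": "application/json"}
    if token:
        headers["Authorization"] = "Bearer " + token
    body = None
    if payload is not None:
        headers["Content-Type"] = "application/json"
        body = json.dumps(payload).encode()   # json.dumps writes '\' as '\\', as in the step 5 body
    status, raw = send(method, url, headers, body)
    if not 200 <= status < 300:
        raise RuntimeError("%s %s -> HTTP %d" % (method, url, status))
    return json.loads(raw) if raw else None


def get_token(username, password, send=https_send):
    """Step 1: exchange credentials for the bearer token (valid up to 30 minutes)."""
    reply = request_json("POST", UMC_BASE + "/umcservices/rest/v1.0/auth/token",
                         payload={"username": username, "password": password}, send=send)
    return reply["accessToken"]


def merge_exclusions(existing, new_paths):
    """Union of the current filterfileslist and new_paths: existing entries keep their
    order, new ones are appended, duplicates (case-insensitive Windows paths) dropped."""
    merged, seen = [], set()
    for entry in list(existing) + [{"filePath": p} for p in new_paths]:
        key = entry["filePath"].lower()
        if key not in seen:
            seen.add(key)
            merged.append({"filePath": entry["filePath"]})
    return merged


def add_file_exclusions(token, rid, new_paths, send=https_send):
    """Steps 4-6: read settings, merge, PUT the complete list back, read back what was stored."""
    base = "%s/manage/sva/%s" % (API_BASE, rid)
    settings = request_json("GET", base + "/settings", token, send=send)
    merged = merge_exclusions(settings.get("filterfileslist", []), new_paths)
    request_json("PUT", base, token, payload={"settings": {"filterfileslist": merged}}, send=send)
    return request_json("GET", base + "/settings", token, send=send)["filterfileslist"]


def publish_policy(token, rid, send=https_send):
    """Step 7: publish the working copy so the change reaches the protected GVMs."""
    return request_json("PUT", "%s/manage/sva/%s/publish" % (API_BASE, rid), token, send=send)


def fake_manager(settings):
    """Constructed stand-in for the manager (offline runs and tests): hands out a token,
    stores a PUT's filterfileslist verbatim (replacing the list) and bumps the revision."""
    state = {"settings": dict(settings), "revision": 3}

    def send(method, url, headers, body):
        if url.endswith("/auth/token"):
            return 200, b'{"accessToken":"TOKEN-PLACEHOLDER","tokenType":"bearer","expiresIn":1800}'
        if headers.get("Authorization") != "Bearer TOKEN-PLACEHOLDER":
            return 401, b""                                   # reject missing or stale tokens
        if url.endswith("/settings"):
            return 200, json.dumps(state["settings"]).encode()
        if url.endswith("/publish"):
            state["revision"] += 1
        else:                                                 # PUT .../manage/sva/<rid>
            state["settings"]["filterfileslist"] = json.loads(body)["settings"]["filterfileslist"]
        return 200, json.dumps({"rid": 2185, "revision": str(state["revision"])}).encode()
    return send


# Constructed sample: the policy already carries one manually added exclusion (as in step 4).
SAMPLE_SETTINGS = {"filterfileslist": [
    {"filePath": r"F:\Program Files\Microsoft SQL Server\MSAS11.MSSQLSERVER\OLAP\Bin\MSMDSrv.exe"}]}
NEW_PATHS = [
    r"C:\Program Files\Microsoft SQL Server\MSSQL11.MSSQLSERVER\MSSQL\Binn\SQLServr.exe",
    r"f:\program files\microsoft sql server\MSAS11.MSSQLSERVER\OLAP\Bin\MSMDSrv.exe",  # duplicate
]

if __name__ == "__main__":
    live = os.environ.get("DCS_LIVE") == "1"            # set DCS_LIVE=1 to talk to a real manager
    send = https_send if live else fake_manager(SAMPLE_SETTINGS)
    # Credentials come from the environment, never from the script itself.
    tok = get_token(os.environ.get("DCS_USER", "dcsadmin"), os.environ.get("DCS_PASSWORD", ""), send)
    for e in add_file_exclusions(tok, 2185, NEW_PATHS, send):
        print(e["filePath"])
    print("published revision", publish_policy(tok, 2185, send)["revision"])
```

Run without `DCS_LIVE=1` and the script exercises the whole flow against the in-memory stand-in, which is how the behaviour can be checked before pointing it at a real manager; with `DCS_LIVE=1`, `DCS_USER` and `DCS_PASSWORD` set, it performs the same calls over HTTPS with certificate verification enabled. The token is only ever placed in the `Authorization` header and is never printed.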

### end ###
