Using Symantec Network Access Control (SNAC) to Move Infected Hosts to Quarantine Virtual Local Area Network (VLAN)

Article ID: 178123

Products

Network Access Control

Issue/Introduction

How to identify and move infected hosts from a LAN to a quarantine VLAN using Symantec Sygate Enterprise Protection (SSEP) 5.x or SNAC 11?

Symptoms
Some or all network hosts have been infected with a threat requiring remediation by placing them on a quarantine VLAN.


Cause

N/A

Resolution

* It is important to note that using a Host Integrity policy that runs a script parsing log files to identify and quarantine hosts infected with an active threat has the potential to move large numbers of hosts to a quarantine VLAN, so it is imperative that exhaustive testing be conducted prior to implementation.

Essentially, it is possible to create a SNAC Host Integrity (HI) policy that runs a script designed to determine whether a particular threat has been detected and logged on the host. Of course, if for some reason the threat was not detected by antivirus, those hosts would still pass HI and be allowed on the network. The main causes for AntiVirus (AV) not detecting a threat are that the AV application has been shut down or disabled, definitions are not up-to-date, or the threat is new. If the AV application has been disabled or the definitions are not up-to-date, a simple HI policy to detect this will force the host to be remediated, move it to the quarantine VLAN, or prevent the host from accessing the LAN altogether. For that reason it is imperative that the AV HI policy be configured to run first, before any HI policy script that parses detections from the AV logs. New threats can also be detected, if the file associated with the threat can be identified, by creating a script that searches for that file and, if it is present, pushes the host to the quarantine VLAN. This document provides a basic example of such a script for demonstration purposes only.

The following steps assume that the environment contains a LAN or DHCP Enforcer (Enforcer) and that a quarantine VLAN has been configured.

Steps:

1. Create an AV HI policy. This policy can be vendor-specific (e.g., SEP11) or "Any Antivirus Product" if you have a mixed environment. The key here is to make sure that AV is installed, running and up-to-date on every host requesting access to the network. This must be the first HI policy checked, so it must be first on the list of applied HI policies in the management console.
a. Log into the management console and click on the "Policies" tab.
b. Click on "Host Integrity" in the left panel under "View Policies".
c. Now click on "Add a Host Integrity Policy..." located under "Tasks" also located in the left panel.
d. Add a name for the policy and click on "Requirements" in the "Host Integrity" box located in the upper left-hand corner.
e. Make sure "Always do Host Integrity checking" is checked and click the "Add" button in the lower left-hand corner.
f. The "Add Requirement" box will come up. "Antivirus requirement" is activated by default, so just click "Ok".
g. Add a name for the Antivirus policy, then select the Antivirus application option from the drop-down on the second line.
h. Select the appropriate "Antivirus Signature File Checking" option, then click "Ok".


2. Create a custom HI policy that checks for a known file that is associated with a threat. If the file "exists", then HI will fail and the host will be moved to the Quarantine VLAN by the Enforcer.
a. Perform steps "a" through "e" in Step 1.
b. The "Add Requirement" box will come up. Click the dropdown and choose "Custom requirement". Click "Ok".
c. Enter the name for this custom requirement (e.g., "Detect_Eicar") and click "Add" at the bottom of the left panel.
d. Select "If...Then...". This will bring up the option to "Select a condition" in the right column and populate the "Customized Requirement Script" If...Then logic.
e. Click on the "Select a condition" dropdown, scroll down to "File: File exists" and click on it. This will bring up the box that allows the file path to be entered. System environment variables can be used (e.g., %WINDIR%).
f. Enter the path to the suspected/known virus file.
g. Click on "//Insert statements here:" ( below "THEN") to highlight it, then click on "Add" and select "Return". In the right-hand panel the result will default to "Pass". Change the result to "Fail" and click "Ok".


3. Create a custom HI policy that checks for Symantec logs located by default in "C:\Documents and Settings\[User Profile]\Local Settings\Application Data\Symantec\Symantec Endpoint Protection\Logs" and "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Logs". If logs are present, run a script to parse the logs searching for a recent virus event. If an event is found, HI fails and the host is moved to the Quarantine VLAN by the Enforcer.
a. Perform steps "a" through "d" in Step 2.
b. Click on the "Select a condition" dropdown, scroll down to "Registry: Registry key exists" and select it.
c. Enter the following registry key: "HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection"
d. Click on "//Insert statements here:" (below "THEN") to highlight it, then click on "Add" and select "Function", then select "Utility: Run a script".
e. Enter the name of the script being written (e.g., Threat.vbs).
f. Enter the text of the script in the "Script content" box (sample script below). Be careful when using environment variables in the script (see the note marked * below).

* Please note: Because HI is executed via cscript using the "system" account, it is unable to return values for user-level environment variables such as %HOMEDRIVE% or %HOMEPATH%, so this information will have to be hard-coded or returned from a registry query or some other alternative source.


g. After the script is completed, type %F% in the field labeled "Execute the command (use %F% to specify the script file name):".
h. Now click "Add" again and select "If...Then...".
i. Select the following condition: "Compare file size to".
j. Enter the file name and path (e.g., "c:\search.log").
k. Select the last radio button, next to "The number of bytes in the file is greater than", and enter the number "0".
l. Click on "//Insert statements here:" located below the second "THEN" and click "Add".
m. Select "Return" and change the result to "Fail".
n. Click "Ok", then "Ok" again, and apply the policy to either a group or an agent by right-clicking the policy and selecting "Assign...".


Screenshots of the sample policy and VBScript (cover.JPG, threat_policy0.JPG through threat_policy4.JPG) accompany the original article.


Sample Script:

Dim objFSO
Dim objStream

Set objFSO = CreateObject("Scripting.FileSystemObject")

'************************************************************************************************
'Create the output file (overwritten on every HI check so that old hits do not persist)

Set objStream = objFSO.CreateTextFile("c:\search.log", True)

'************************************************************************************************
'Define location of log files

Call CheckFolder(objFSO.GetFolder("C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Logs"), objStream)
objStream.Close
'MsgBox "File Search Completed." + vbCr + "Please check c:\search.log for details."

'************************************************************************************************
'Create "CheckFolder" subroutine

Sub CheckFolder(objCurrentFolder, objLogFile)

    Dim strTemp
    Dim strSearch
    Dim strOutput
    Dim objFile
    Dim objTextStream
    Dim objRegEx
    Dim strSearchString
    Dim colMatches
    Const ForReading = 1
    strSearch = ".log"

    Set objRegEx = CreateObject("VBScript.RegExp")
    objRegEx.Global = True
    objRegEx.IgnoreCase = True   'SEP logs the test string as "EICAR"; match regardless of case

    '**************************************************************************************************
    'Define search pattern criteria

    objRegEx.Pattern = "eicar"

    For Each objFile In objCurrentFolder.Files

        strTemp = Right(objFile.Name, 4)
        If UCase(strTemp) = UCase(strSearch) Then
            strOutput = CStr(objFile.Path)

            '**************************************************************************************************
            'Open log file (a separate variable is used; reassigning objFile inside For Each breaks the loop)

            Set objTextStream = objFSO.OpenTextFile(strOutput, ForReading)
            If objTextStream.AtEndOfStream Then
                strSearchString = ""   'ReadAll raises an error on an empty file
            Else
                strSearchString = objTextStream.ReadAll
            End If
            objTextStream.Close

            Set colMatches = objRegEx.Execute(strSearchString)

            If colMatches.Count <> 0 Then

                '**************************************************************************************************
                'Write the path of every log file that contains a detection; any line written makes
                'c:\search.log larger than 0 bytes, which is what the HI "Compare file size to" step tests

                objLogFile.WriteLine strOutput

            End If

        End If
    Next
End Sub
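The sample script above reads only the All Users log folder and ignores how old a detection is, and the note on step 3f explains that %HOMEPATH% is unavailable when HI runs as SYSTEM. The following VBScript is an added example, not part of the original article, that resolves every user profile directory from the ProfileList registry key through the WMI StdRegProv provider, scans each profile's SEP log folder (same layout as in Step 3) and the All Users folder, and only reports logs modified within an assumed 7-day window; the threat string "eicar" is taken from the sample.

```vbscript
' Added example (not from the article): scan the SEP log folder of every user profile
' plus the All Users folder, flag recent logs containing the threat string, and write
' hits to c:\search.log for the "number of bytes greater than 0" HI check.
Option Explicit
Const HKEY_LOCAL_MACHINE = &H80000002
Const ForReading = 1
Const MaxAgeDays = 7         ' assumption: detections older than this are not "recent"
Const ThreatName = "eicar"   ' threat string from the article's sample, matched case-insensitively
Const LogSubPath = "\Local Settings\Application Data\Symantec\Symantec Endpoint Protection\Logs"

Dim objFSO, objOut, objReg, arrSids, strSid, strProfile
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objOut = objFSO.CreateTextFile("c:\search.log", True)

' HI runs as SYSTEM, so %HOMEPATH% is empty; read each profile path from ProfileList instead.
Set objReg = GetObject("winmgmts:\\.\root\default:StdRegProv")
objReg.EnumKey HKEY_LOCAL_MACHINE, "SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList", arrSids
If IsArray(arrSids) Then
    For Each strSid In arrSids
        objReg.GetExpandedStringValue HKEY_LOCAL_MACHINE, _
            "SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\" & strSid, _
            "ProfileImagePath", strProfile
        If Not IsNull(strProfile) Then ScanLogs strProfile & LogSubPath
    Next
End If
ScanLogs "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Logs"
objOut.Close

Sub ScanLogs(strFolder)
    Dim objFile, objStream, objRegEx
    If Not objFSO.FolderExists(strFolder) Then Exit Sub
    Set objRegEx = CreateObject("VBScript.RegExp")
    objRegEx.IgnoreCase = True
    objRegEx.Pattern = ThreatName
    For Each objFile In objFSO.GetFolder(strFolder).Files
        ' Only .log files modified inside the age window are read
        If LCase(objFSO.GetExtensionName(objFile.Name)) = "log" _
           And DateDiff("d", objFile.DateLastModified, Now) <= MaxAgeDays Then
            On Error Resume Next             ' a log held open by SEP is skipped, not fatal
            Set objStream = objFile.OpenAsTextStream(ForReading)
            If Err.Number = 0 Then
                If Not objStream.AtEndOfStream Then   ' ReadAll fails on an empty file
                    If objRegEx.Test(objStream.ReadAll) Then objOut.WriteLine objFile.Path
                End If
                objStream.Close
            End If
            Err.Clear
            On Error GoTo 0
        End If
    Next
End Sub
```

Run it exactly as the sample is run, from the HI "Run a script" function with %F% as the command, so that the c:\search.log size check that follows it remains unchanged.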


Finally, while the preceding script only parses detections, it shows how scripts can be used to move hosts into a quarantine VLAN using HI. The purpose of providing this information is to show the basic code structure, with the hope that it will serve as a starting point for developing custom solutions. To request a custom solution from Symantec, please contact Consulting Services ( http://www.symantec.com/business/services/consulting_services.jsp ).
