Configuring SPE to quarantine files to an AWS s3 Bucket

Article ID: 389137

Products

Protection Engine for Cloud Services

Issue/Introduction

Configuring SPE to quarantine files to S3 buckets is not as well documented as configuring it to quarantine to local drives. The following configuration example is intended to make the process simpler.

Environment

Symantec Protection Engine 9.x

Resolution

  1. Determine the correct Region, Name and Destination folder.

    The following is a generic AWS configuration example for Symantec Protection Engine (SPE) for Cloud Services to send quarantined files to an S3 bucket instead of a local volume. The values below correspond to the places where they appear in the xmlmodifier commands that follow.

    * The region the bucket exists in is: us-west-2

    * The bucket name is: “s3-BucketName”

    * The name of the folder to which quarantined files will be sent: “QuarantineFolder”

    The following xmlmodifier command will need to be modified to fit your own custom settings.

    Windows: Run the commands from an administrator command prompt pointing to “:\Program Files\Symantec\Scan Engine”

    Linux: Run the commands from “/opt/SYMCScan/bin”

    Note: If the OS is Windows, remove “./” from the beginning of each command.

     

    ./xmlmodifier -s //configuration/QuarantineServerSettings/CloudStore/@location "Region=us-west-2::Bucketname=s3-BucketName" configuration.xml

    ./xmlmodifier -s //configuration/QuarantineServerSettings/CloudStore/@relativepath "QuarantineFolder" configuration.xml

     

    Note: If the folder “QuarantineFolder” does not exist, it will be created automatically.

  2.  Enable Quarantine Settings

    ./xmlmodifier -s //configuration/QuarantineServerSettings/@enabled true configuration.xml

  3. Configure SPE to quarantine all files determined to be threats

    ./xmlmodifier -s //policies/ThreatPolicies/Actions/Quarantine/@value true policy.xml

  4. Restart SPE services

    Windows:  net stop symcscan && net start symcscan

    Linux: /etc/init.d/symcscan restart

  5. Verify that metadata setting “IMDSv2” is set to “Optional”.

    In the AWS portal, select the EC2 instance and then select “Actions > Instance Settings > Modify instance metadata options”.

    IMDSv2 is a security setting in AWS which allows “Optional” and “Required”. With “Optional”, the instance metadata service accepts both IMDSv1 and IMDSv2 requests; with “Required”, only IMDSv2 session-token requests are accepted. The current version of SPE (9.2) does not work for this configuration if this setting is Required. This will be addressed in a future version.
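
A check of the four settings written in steps 1 to 3, as an added example that is not part of the original article or Symantec's tooling. The element layout is inferred from the XPaths in the xmlmodifier commands, the function names are hypothetical, and the sample bucket name is lowercased because S3 bucket names must be lowercase.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample files; the element layout is an assumption inferred from the article's XPaths.
SAMPLE_CONFIG = """<configuration>
  <QuarantineServerSettings enabled="true">
    <CloudStore location="Region=us-west-2::Bucketname=s3-bucketname" relativepath="QuarantineFolder"/>
  </QuarantineServerSettings>
</configuration>"""
SAMPLE_POLICY = """<policies><ThreatPolicies><Actions>
  <Quarantine value="true"/>
</Actions></ThreatPolicies></policies>"""

# Core S3 naming rules only: 3-63 chars of a-z, 0-9, '.', '-', starting and ending alphanumeric.
BUCKET_RE = re.compile(r"^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$")
REGION_RE = re.compile(r"^[a-z]{2}(-[a-z]+)+-\d+$")

def parse_location(value):
    """Split 'Region=<r>::Bucketname=<b>' into a dict keyed by lowercased field name."""
    fields = {}
    for part in value.split("::"):
        key, sep, val = part.partition("=")
        if sep:
            fields[key.strip().lower()] = val.strip()
    return fields

def check_quarantine(config_xml, policy_xml):
    """Return a list of problems; an empty list means the settings are consistent."""
    problems = []
    cfg = ET.fromstring(config_xml)
    pol = ET.fromstring(policy_xml)
    qss = cfg.find(".//QuarantineServerSettings")
    if qss is None or qss.get("enabled", "").lower() != "true":
        problems.append("QuarantineServerSettings/@enabled is not true")
    store = qss.find("CloudStore") if qss is not None else None
    if store is None:
        return problems + ["CloudStore element is missing"]
    loc = parse_location(store.get("location", ""))
    if not REGION_RE.match(loc.get("region", "")):
        problems.append("location has no valid Region")
    if not BUCKET_RE.match(loc.get("bucketname", "")):
        problems.append("location has no valid Bucketname")
    rel = store.get("relativepath", "")
    if not rel or rel.startswith("/") or ".." in rel.split("/"):
        problems.append("relativepath is empty or not a plain relative folder")
    quar = pol.find(".//ThreatPolicies/Actions/Quarantine")
    if quar is None or quar.get("value", "").lower() != "true":
        problems.append("Quarantine/@value is not true in policy.xml")
    return problems
```

To use it on a real installation, read configuration.xml and policy.xml from the SPE directory and pass their contents to `check_quarantine` before restarting the service.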