Finding the URL that triggers Web.Reputation.1 during Protection Engine file scans
search cancel

Finding the URL that triggers Web.Reputation.1 during Protection Engine file scans

book

Article ID: 396933

calendar_today

Updated On:

Products

Protection Engine for NAS Protection Engine for Cloud Services

Issue/Introduction

How to identify the URL(s) that trigger a Web.Reputation.1 detection when scanning files with Symantec Protection Engine (SPE).

Environment

SPE 9.2.1 and older

Cause

SPE versions 9.2.1 and older do not include functionality to show the URL(s) that triggered a Web.Reputation.1 detection.

Resolution

SPE 9.3 and newer:

As of SPE 9.3 the SSE########.log file includes the URL(s) that triggered a Web.Reputation.1 detection.  Broadcom support recommends customers upgrade to SPE version 9.3 or newer to enable this functionality.  To enable this feature on SPE 9.3 and newer, perform the following steps:

  1. Download the category3.xml file attached to this article
  2. Open the category3.xml and verify the version in the second line is correct (i.e. if you are using version 9.3.0, then the version should be "090300")
  3. Save the category3.xml
  4. Move the category3.xml to the appropriate folder
    • Linux:
      <SPE_INSTALL_FOLDER>/bin
    • Windows:
      <SPE_INSTALL_FOLDER>/
  5. Restart the SPE services using the following command:
    • Linux: 
      sudo /etc/init.d/symcscan stop;sudo /etc/init.d/symcrestapiservice stop
    • Windows:
      net stop symcscan && net stop symcrestapiservice

SPE 9.2.1:

If you are on SPE 9.2.1 and can not upgrade to SPE 9.3 or newer, please use the steps listed below.

  1. Ensure that SPE 9.2.1 is installed **REQUIRED**
  2. Download the file HF_9_2_1.zip attached to this KB
  3. Upload HF_9_2_1.zip to the SPE and unzip the file
  4. Stop the SPE services using the following command:
    • Linux: 
      sudo /etc/init.d/symcscan stop;sudo /etc/init.d/symcrestapiservice stop
    • Windows:
      net stop symcscan && net stop symcrestapiservice
  1. Navigate to SPE install location
    cd /<SPE_INSTALL_LOCATION>
  1. Make a backup of the following files
    • symcscan
    • libcsapi.so
    • logconverter
    • xmlmodifier
  2. Copy the following files from the hotfix directory (HF_9_2_1/<OS>/<SPE_TYPE>) to the SPE Install folder:
    • symcscan
    • libcsapi.so
    • logconverter
    • xmlmodifier
  3. Copy the following file from HF_9_2_1 to the SPE Install folder:
    • category3.xml
  4. Ensure the permission and ownership of the copied files are identical to backed-up file
  5. Edit the category3.xml file and set 'LogSuspiciousURL' to 'true'
  6. Navigate to the RestAPI folder
    cd /<SPE_INSTALL_LOCATION>/RestAPI
  7. Make a backup of the following file:
    • sperestapi.jar
  8. Copy the sperestapi.jar from the HF_9_2_1 folder to the RestAPI folder
  9. Ensure the permission and ownership of the copied file is identical to backed-up file
  10. Restart the SPE services using the following command:
    • Linux: 
      sudo /etc/init.d/symcscan stop;sudo /etc/init.d/symcrestapiservice stop
    • Windows:
      net stop symcscan && net stop symcrestapiservice
  1. Use the SPE to scan a file that is known to trigger the URLInsight feature
  2. Review /<SPE_INSTALL_LOCATION>/log/SSE########.log to verify that the URL(s) show in the log

 

Attachments

category3.xml get_app
HF_9_2_1_02.zip get_app
Powered by Wolken Software