Finding the URL that triggers Web.Reputation.1 during Protection Engine file scans

Article ID: 396933

Products

Protection Engine for NAS
Protection Engine for Cloud Services

Issue/Introduction

How to identify the URL(s) that trigger a Web.Reputation.1 detection when scanning files with Symantec Protection Engine (SPE).

Environment

SPE 9.2.1

Cause

The SPE does not currently have functionality to show the URL(s) that triggered a Web.Reputation.1 detection.

Resolution

The Broadcom Engineering team has committed to fixing this issue in a future build. 

As a temporary workaround, a hotfix can be installed using the steps below. Once installed, it shows the URL(s) that triggered a Web.Reputation.1 detection.

  1. Ensure that SPE 9.2.1 is installed **REQUIRED**
  2. Download the file HF_9_2_1.zip attached to this KB
  3. Upload HF_9_2_1.zip to the SPE and unzip the file
  4. Stop the SPE services using the following command:
    • Linux:
      sudo /etc/init.d/symcscan stop;sudo /etc/init.d/symcrestapiservice stop
    • Windows:
      net stop symcscan && net stop symcrestapiservice
  5. Navigate to the SPE install location
    cd /<SPE_INSTALL_LOCATION>
  6. Make a backup of the following files:
    • symcscan
    • libcsapi.so
    • logconverter
    • xmlmodifier
  7. Copy the following files from the hotfix directory (HF_9_2_1/<OS>/<SPE_TYPE>) to the SPE install folder:
    • symcscan
    • libcsapi.so
    • logconverter
    • xmlmodifier
  8. Copy the following file from HF_9_2_1 to the SPE install folder:
    • category3.xml
  9. Ensure the permissions and ownership of the copied files are identical to those of the backed-up files
  10. Edit the category3.xml file and set 'LogSuspiciousURL' to 'true'
  11. Navigate to the RestAPI folder
    cd /<SPE_INSTALL_LOCATION>/RestAPI
  12. Make a backup of the following file:
    • sperestapi.jar
  13. Copy the sperestapi.jar from the HF_9_2_1 folder to the RestAPI folder
  14. Ensure the permissions and ownership of the copied file are identical to those of the backed-up file
  15. Restart the SPE services using the following command:
    • Linux:
      sudo /etc/init.d/symcscan start;sudo /etc/init.d/symcrestapiservice start
    • Windows:
      net start symcscan && net start symcrestapiservice
  16. Use the SPE to scan a file that is known to trigger the URLInsight feature
  17. Review /<SPE_INSTALL_LOCATION>/log/SSE########.log to verify that the URL(s) show in the log
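
One way to script the backup, copy, and permission/ownership steps on a Linux host, so that a replaced binary cannot end up with looser permissions or a different owner than the file it replaces. This is an added example, not part of the original article or of Broadcom's tooling; it assumes GNU coreutils, and the function names and the `.pre_hf` backup suffix are hypothetical.

```shell
#!/bin/sh
# Added example: swap in hotfix files while keeping each file's original
# mode and ownership. Assumes GNU coreutils (stat -c, chmod/chown --reference).
# Usage (as root, with the SPE services stopped):
#   apply_hotfix HF_9_2_1/<OS>/<SPE_TYPE> /<SPE_INSTALL_LOCATION> \
#       symcscan libcsapi.so logconverter xmlmodifier

# attrs FILE -> prints "mode owner:group", for example "750 root:root"
attrs() { stat -c '%a %U:%G' "$1"; }

# replace_file HOTFIX_DIR INSTALL_DIR NAME
# Backs up INSTALL_DIR/NAME to NAME.pre_hf (hypothetical suffix), copies the
# hotfix version in, re-applies the backup's attributes, then verifies them.
replace_file() {
    hf_dir=$1; inst_dir=$2; name=$3
    target="$inst_dir/$name"; backup="$target.pre_hf"

    if [ ! -f "$hf_dir/$name" ]; then
        echo "missing hotfix file: $hf_dir/$name" >&2; return 1
    fi
    if [ ! -f "$target" ]; then
        echo "missing installed file: $target" >&2; return 1
    fi
    if [ -e "$backup" ]; then
        # Never overwrite an existing backup: it may be the only good copy.
        echo "backup already exists: $backup" >&2; return 1
    fi

    cp -p "$target" "$backup" || return 1        # -p keeps mode, owner, times
    cp "$hf_dir/$name" "$target" || return 1
    # chown first: changing the owner can clear setuid/setgid bits,
    # and the chmod that follows restores the full original mode.
    chown --reference="$backup" "$target" || return 1
    chmod --reference="$backup" "$target" || return 1

    if [ "$(attrs "$target")" != "$(attrs "$backup")" ]; then
        echo "attribute mismatch on $target" >&2; return 1
    fi
    echo "$name: $(attrs "$target")"
}

# apply_hotfix HOTFIX_DIR INSTALL_DIR FILE... ; stops at the first failure
apply_hotfix() {
    hf_dir=$1; inst_dir=$2; shift 2
    for f in "$@"; do
        replace_file "$hf_dir" "$inst_dir" "$f" || return 1
    done
}
```

The same function covers sperestapi.jar when pointed at the RestAPI folder, and rolling back is a matter of copying each `.pre_hf` file over its replacement.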

 

Attachments

HF_9_2_1_02.zip