symantec.logs
$ target-query <path/to/target> -f symantec.logs
Module documentation
Symantec Endpoint Security Suite Plugin, based on https://malwaremaloney.blogspot.com/2021/01/
Function documentation
Return log records.
Yields SEPLogRecord with the following fields:
ts (datetime): Timestamp associated with the event.
virus (string): Name of the virus.
user (string): Name of the user associated with the event.
source_file (path): File that contains the virus.
action_taken (string): Action taken by SEP.
virus_type (string): Description of the type of virus.
scan_id (varint): ID of the scan associated with the event.
event_data (string): String or bytes from a virus event.
quarantine_id (varint): ID associated with the quarantined virus.
still_infected (boolean): Whether the system is still infected.
quarantined (boolean): True if the virus has been quarantined successfully.
compressed (boolean): True if the virus was in a compressed file.
depth (varint): How many layers of compression the virus was hidden in.
cleanable (boolean): Whether the virus is cleanable.
deletable (boolean): Whether the virus can be deleted.
confidence (varint): Confidence level about threat verdict (higher is more confident).
prevalence (varint): Prevalence of the threat (higher is more prevalent).
risk (varint): Risk level of the threat (1-4, higher is more dangerous, 0 = unknown).
download_url (uri): Source of the virus (if available).
line_no (varint): Reference line number in log file.
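As an added example (not part of dissect or this plugin), a small triage pass over records of the shape documented above; the sample records are constructed here with the same field names (only the fields the helper uses are filled in), and the follow-up rules and sort order are assumptions of this example, not plugin behaviour:

```python
from datetime import datetime

# Constructed sample records using the symantec.logs field names (not real SEP data).
SAMPLE_RECORDS = [
    {"ts": datetime(2021, 1, 5, 9, 12), "virus": "Sample.Threat.A", "user": "alice",
     "source_file": "C:/Users/alice/Downloads/archive.zip", "action_taken": "Quarantined",
     "still_infected": False, "quarantined": True, "compressed": True, "depth": 2,
     "confidence": 90, "risk": 3, "line_no": 3},
    {"ts": datetime(2021, 1, 5, 9, 40), "virus": "Sample.Threat.B", "user": "bob",
     "source_file": "C:/Temp/tool.exe", "action_taken": "Left alone",
     "still_infected": True, "quarantined": False, "compressed": False, "depth": 0,
     "confidence": 60, "risk": 4, "line_no": 8},
    {"ts": datetime(2021, 1, 6, 11, 2), "virus": "Sample.Threat.C", "user": "carol",
     "source_file": "C:/Temp/notes.txt", "action_taken": "Access denied",
     "still_infected": False, "quarantined": False, "compressed": False, "depth": 0,
     "confidence": 20, "risk": 0, "line_no": 15},
]


def followup_reasons(rec: dict) -> list[str]:
    """Reasons an analyst should look at this record; empty means nothing to do."""
    reasons = []
    if rec["still_infected"]:
        reasons.append("still_infected")          # SEP itself reports an open infection
    if not rec["quarantined"]:
        reasons.append("not_quarantined")         # detection did not end in quarantine
    if rec["compressed"] and rec["depth"] > 1:
        reasons.append(f"nested_archive_depth_{rec['depth']}")  # container needs full inspection
    if rec["risk"] == 0:
        reasons.append("risk_unknown")            # verdict not rated; verify manually
    return reasons


def triage(records: list[dict]) -> list[dict]:
    """Records needing follow-up, sorted by risk (4 worst, 0 unknown) and confidence
    descending, then oldest event first so the earliest foothold is reviewed first."""
    flagged = []
    for rec in records:
        reasons = followup_reasons(rec)
        if reasons:
            flagged.append({**rec, "reasons": reasons})
    flagged.sort(key=lambda r: (-r["risk"], -r["confidence"], r["ts"]))
    return flagged


if __name__ == "__main__":
    for r in triage(SAMPLE_RECORDS):
        print(f"line {r['line_no']:>4} risk={r['risk']} {r['virus']:<18} {r['user']:<6} {', '.join(r['reasons'])}")
```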