
McAfee Agent Custom Properties

2011 October 4
by admin

The McAfee EPO agent reports back quite a few system details out of the box; however, you may run into a situation where a piece of data critical to your system management is not being collected. For example, you may wish to obtain the service tag or hardware serial number via WMI. If you are in a large organization that is not coherently managed, or you manage a number of distributed locations, the EPO agents may be able to help you gather this information.

I provide managed EPO services to multiple businesses and I have also dealt with large EPO installs. For me, one big data point that I would find useful in EPO is the public IP of NAT’d devices; whether users are hiding behind a router on a large network or at a remote site, this information would help locate a device, to some degree, for sorting or investigation. One feature McAfee has provided within the agent is the ability to add custom properties (up to 4, why would you need more?) which can be set on the client and then periodically sent to the EPO server.

To update these custom properties you have a few options:

FrmInst.exe – Agent installer

Initiates the agent installer to reconfigure the agent. This causes the agent to stop and would be noticeable to the user; however, it is the method McAfee recommends for Windows.

Example: FrmInst.exe /CustomProps1="Property 1"

msaconfig.exe – McAfee agent configuration

Accomplishes the same as the agent installer without disrupting the agent and is transparent to the user; this is my choice for setting custom properties.

Example: msaconfig -CustomProps1 "Property 1"

Registry modification

You can also have your script create the necessary registry keys directly and add the required data.

The location varies by OS and agent version; for example:

Create HKLM\SOFTWARE\Network Associates\ePolicy Orchestrator\Agent\CustomProps\

Add a string value named CustomProps1 and set it to whatever is needed.

Regardless of method, once the value is set and the agent communicates back to the EPO server, you should see the value your script provided in the system's properties.

Custom Properties

So, we now have the ability to use a script to update these custom property values, but what next? If you have no easy way to deploy your script to update this value then this is all really pointless; luckily, EPO has a couple of easy ways to run your script remotely on any system with an agent. Both ways require an executable; in my case I wrote some quick code and built it with Visual Studio as an executable. To get the public IP I called out to an external service such as whatismyIP or checkip.dyndns.com, converted the value they returned to a string and then used msaconfig to set one of the custom properties to this value.

Once you have the executable you can either register it with the EPO server and deploy it with a server task, or you can use agent policy to run an executable after updates occur on the client system. I prefer the latter as I find the policy method easier to manage; I just reference a UNC path where the executable is located. The executable runs, updates the value, and now I have the IP of the device a computer is hiding behind. Note that anyone who can write to that UNC share can effectively run code on every managed system that pulls the executable from it, so lock down its write permissions.
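As an added example of the procedure above (the author's executable is not reproduced on this page, so this is not that code), here is a small Python script that does the same job: fetch the public address from a what-is-my-IP style service, validate it, and set a custom property with msaconfig. The msaconfig path, the checkip.dyndns.com endpoint and the sample response bodies are assumptions or constructed for the example. What it adds over the description above is strict validation: the response body is untrusted text fetched over plain HTTP from a third party, so nothing from it reaches the command line unless it parses as a public IPv4 address, and the value is passed as a separate argument rather than spliced into a shell string.

```python
"""Set a McAfee Agent custom property to the host's public IP address.

Added example: fetch the address from a what-is-my-IP style service,
validate it strictly, then hand it to msaconfig.exe as its own argv
element. The response body is untrusted input, so nothing from it reaches
the command line unless it parses as a public IPv4 address.
"""
import ipaddress
import re
import subprocess
import urllib.request

# Assumed install path for the agent configuration tool; adjust for your build.
MSACONFIG = r"C:\Program Files\McAfee\Common Framework\msaconfig.exe"

# Constructed sample responses: the plain-text-in-HTML style checkip.dyndns.com
# used, a response that would indicate something is wrong (private address),
# and an error page with no address at all.
SAMPLE_OK = ("<html><head><title>Current IP Check</title></head>"
             "<body>Current IP Address: 8.8.8.8</body></html>")
SAMPLE_PRIVATE = "Current IP Address: 10.1.2.3"
SAMPLE_ERROR = "<html><body><h1>503 Service Unavailable</h1></body></html>"

_IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def extract_public_ip(body):
    """Return the first IPv4 literal in `body` if it is a valid public address.

    Returns None when there is no address, the octets are out of range, or the
    address is private, loopback, link-local or otherwise non-routable.
    """
    match = _IPV4.search(body)
    if not match:
        return None
    try:
        addr = ipaddress.IPv4Address(match.group(1))
    except ValueError:  # e.g. 999.1.1.1 or octets with leading zeros
        return None
    return str(addr) if addr.is_global else None


def msaconfig_args(prop_index, value, exe=MSACONFIG):
    """Build argv for: msaconfig -CustomPropsN "value".

    The agent exposes CustomProps1..4 only, so other indexes are rejected here.
    The value is a separate argv element rather than part of a shell string, so
    a hostile response body cannot inject extra options or commands.
    """
    if prop_index not in (1, 2, 3, 4):
        raise ValueError("McAfee Agent supports CustomProps1 through CustomProps4")
    return [exe, f"-CustomProps{prop_index}", value]


def update_public_ip_property(body, prop_index=1, run=subprocess.run):
    """Validate the body and set the property; return the argv used.

    Returns None, leaving the existing property untouched, when the body did
    not contain a usable public address.
    """
    ip = extract_public_ip(body)
    if ip is None:
        return None
    args = msaconfig_args(prop_index, ip)
    run(args, check=True)
    return args


if __name__ == "__main__":
    # Assumed endpoint; any service that echoes the caller's address will do.
    with urllib.request.urlopen("http://checkip.dyndns.com/", timeout=10) as resp:
        body = resp.read().decode("utf-8", "replace")
    print(update_public_ip_property(body) or "no public address in response; property not changed")
```

Deploy it exactly as the author describes for the compiled program, via a server task or the agent's post-update policy. When the service returns an error page or anything that is not a public address, the property keeps its previous value instead of being overwritten with junk.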

This is a very primitive method of finding this data; however, using the agent custom properties was the least painful method for the environments I deal with. Based on this example you can easily go on to create other custom property values.

IPTables Simplified

2011 July 11
by admin

One common problem I come across when conducting vulnerability assessments is the lack of a host firewall, or of understanding of its configuration. IPTables is the standard firewall on most Linux-based OSes and, once understood, is a simple to configure and powerful packet filtering firewall. Often I see unnecessarily complex IPTables rules and the use of automated tools without a full understanding of what they do. So, let's walk through IPTables and develop a simple set of base rules that could be used on pretty much any server.

IPTables is a packet filtering firewall that replaced the ipfwadm (itself based on BSD's ipfw) and IPChains tools of the past. Pretty much every Linux flavour has IPTables available, usually installed with a default ACCEPT-everything policy and no particular ruleset. The simplest way to see what is being applied to a box is the command iptables -L (add -n to skip DNS lookups and -v to show interfaces and packet counters; note that it only lists the filter table, not nat or mangle). You should see something like this on most vanilla installs:

root@tank:~# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

If you do see some pre-existing rules you can clear them out and start fresh by flushing them with iptables -F (don’t do this on production boxes, or they may be left exposed). Note that -F only removes rules; it does not touch the default policies. Now we have a blank slate: the default IPTables chains INPUT, FORWARD and OUTPUT, all with a default policy of ACCEPT. This basically means that if a packet is processed coming to, from or through (forwarded by) the server and does not match any of our rules, it will be allowed to proceed.

As we will mainly be dealing with filtering packets coming to the server, let's begin with the INPUT chain and a few basic rules. First of all, accept traffic on the loopback interface and add an anti-spoofing rule so that packets addressed to the loopback range (127.0.0.0/8) are rejected if they arrive on any other interface.

iptables -A INPUT -i lo -j ACCEPT

iptables -A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT

We will also need a rule so that IPTables accepts traffic that is related to, or part of, an already established connection; connection tracking is one of the powerful features of IPTables, in that it can track connections and their associated packets. (On newer systems -m conntrack --ctstate is the preferred spelling; -m state still works.)

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

Now we can get into what we want to allow, and this will vary based on the purpose of the server. For a web server you will probably want to allow ICMP echo requests (ping), web traffic on ports 80 and 443, and SSH (preferably on a different port than 22).

iptables -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT

iptables -A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT

iptables -A INPUT -p tcp --dport 80 -j ACCEPT

iptables -A INPUT -p tcp --dport 443 -j ACCEPT

Now let's block everything else: add a rule to reject any packet that doesn't match our other INPUT rules, and also change the default policy of the INPUT chain to DROP as a precaution. Bear in mind that anything appended later with -A lands after this catch-all REJECT and will never be evaluated, so add further rules with -I INPUT <n> (or rebuild the chain) rather than -A.

iptables -A INPUT -j REJECT

iptables -P INPUT DROP

The FORWARD and OUTPUT chains may need some attention too. If you are not forwarding packets through your server, FORWARD should be set to drop; OUTPUT, on the other hand, is usually left unrestricted.

iptables -A FORWARD -j DROP

iptables -P FORWARD DROP

iptables -A OUTPUT -j ACCEPT

This is our basic ruleset; now let's run iptables -L again:

root@tank:~# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
REJECT     all  --  anywhere             loopback/8          reject-with icmp-port-unreachable
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere            icmp echo-request
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:www
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:https
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable

Chain FORWARD (policy DROP)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

Now that we have our rules we need to make sure they are loaded at startup each time. This varies between OSes, but for Debian:

Output the rules to a file using iptables-save > /etc/iptables.rules

Now edit /etc/network/interfaces to load this file when bringing up the network interfaces: add pre-up iptables-restore < /etc/iptables.rules after iface lo inet loopback.

In my next post I will talk about logging and some more complex rules to protect your servers. Also, be careful when flushing your rules with iptables -F now that INPUT's default policy is DROP: flushing removes every ACCEPT rule, including the ESTABLISHED,RELATED one, so all traffic to the box (your current SSH session included) will be dropped. Set the policy back to ACCEPT first (iptables -P INPUT ACCEPT) if you need to flush.
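As an added check (not part of the original post), the following Python script audits an iptables-save dump against the baseline built above: default DROP on INPUT and FORWARD, the loopback ACCEPT and anti-spoofing REJECT pair, a catch-all REJECT/DROP at the end of INPUT, and no rules appended after that catch-all. The embedded iptables-save output is constructed to match the ruleset above; the "bad" variant shows a common drift, a rule appended with -A that lands after the catch-all and never matches, plus an INPUT policy left at ACCEPT.

```python
"""Audit an iptables-save dump against the baseline ruleset described above.

Added example: checks that INPUT and FORWARD default to DROP, that the
loopback ACCEPT and anti-spoofing REJECT pair is present, that INPUT ends in
a catch-all REJECT/DROP, and that nothing was appended after that catch-all
(where it would never be evaluated). Run as: iptables-save | python audit.py
"""
import shlex
import sys

# Constructed sample: what iptables-save prints for the ruleset built above.
GOOD_RULES = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -j DROP
-A OUTPUT -j ACCEPT
COMMIT
"""

# Constructed sample of a common mistake: a later rule appended with -A lands
# after the catch-all REJECT, and the INPUT policy was left at ACCEPT.
BAD_RULES = GOOD_RULES.replace(":INPUT DROP", ":INPUT ACCEPT").replace(
    "COMMIT", "-A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT\nCOMMIT")


def parse_filter_table(dump):
    """Return ({chain: policy}, {chain: [rule argv, ...]}) for the filter table."""
    policies, rules, in_filter = {}, {}, False
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith("*"):
            in_filter = line == "*filter"
        elif not in_filter or not line or line[0] == "#" or line == "COMMIT":
            continue
        elif line.startswith(":"):
            chain, policy, _counters = line[1:].split()
            policies[chain] = policy
            rules.setdefault(chain, [])
        elif line.startswith("-A "):
            argv = shlex.split(line)
            rules.setdefault(argv[1], []).append(argv[2:])
    return policies, rules


def _opt(argv, name):
    """Value following option `name` in a rule, or None if absent."""
    if name not in argv:
        return None
    i = argv.index(name) + 1
    return argv[i] if i < len(argv) else None


def _is_catch_all(argv):
    """A rule with no match criteria at all whose target is REJECT or DROP."""
    return argv[0] == "-j" and argv[1] in ("REJECT", "DROP")


def allowed_tcp_ports(dump):
    """TCP destination ports INPUT accepts before (and only before) the catch-all."""
    _, rules = parse_filter_table(dump)
    ports = set()
    for r in rules.get("INPUT", []):
        if _is_catch_all(r):
            break  # anything after this point is never evaluated
        if _opt(r, "-p") == "tcp" and _opt(r, "-j") == "ACCEPT" and _opt(r, "--dport"):
            ports.add(int(_opt(r, "--dport")))
    return ports


def audit(dump):
    """Return a list of findings; an empty list means the baseline holds."""
    policies, rules = parse_filter_table(dump)
    findings = []
    for chain in ("INPUT", "FORWARD"):
        if policies.get(chain) != "DROP":
            findings.append(f"{chain} policy is {policies.get(chain)}, expected DROP")
    inp = rules.get("INPUT", [])
    if ["-i", "lo", "-j", "ACCEPT"] not in inp:
        findings.append("missing loopback ACCEPT rule")
    if not any(r[:3] == ["!", "-i", "lo"] and _opt(r, "-d") == "127.0.0.0/8" for r in inp):
        findings.append("missing loopback anti-spoofing REJECT rule")
    catch_all = [i for i, r in enumerate(inp) if _is_catch_all(r)]
    if not catch_all:
        findings.append("INPUT has no catch-all REJECT/DROP rule")
    for r in (inp[catch_all[0] + 1:] if catch_all else []):
        findings.append("unreachable rule after catch-all: " + " ".join(r))
    return findings


if __name__ == "__main__":
    dump = sys.stdin.read() if not sys.stdin.isatty() else BAD_RULES
    print("\n".join(audit(dump)) or f"baseline OK, TCP ports open: {sorted(allowed_tcp_ports(dump))}")
```

Run it against the live box with iptables-save piped in, or against the saved /etc/iptables.rules file. Ports that are only "allowed" by rules sitting behind the catch-all are deliberately excluded from the open-port list, since those rules never match.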

Quick Malware Analysis

2011 May 26
by admin

Not fully understanding a malware threat before eradicating it can be a grave mistake. Formatting or re-imaging a computer without understanding the threat will often lead to that computer being infected again, and a continued threat to other computers on your network may remain. Even a small amount of effort can dramatically help protect your organization from further infection or targeting.

If you use a corporate AV product, send samples of malware that is not being detected to your vendor. They will often come back with a custom update for your organization which can be pushed out to all installs on your network. Analyze firewall and system logs to see where the malware came from and what it is connecting to. This data can be fed into your firewall to block future connections and can also turn up other computers that may be infected.

A number of tools are now available to quickly analyze malware samples and give you the most information for the least effort. Below are a few tools which I have found useful in analyzing different malware samples.

  • Basic AV Data – VirusTotal
    • A super fast way to scan a file or URL against 40+ different AV engines. It can help indicate whether your AV vendor has detection for a file and assist in finding further details based on what an AV engine detects a file as. It also provides lots of extended details and metadata that can be useful in determining the source of a file without having to set up a test environment to get this information.
    • Sample report of an EICAR test file http://bit.ly/h4zl0f
    • You can forward samples from email to scan@virustotal.com with the subject SCAN.
  • In-depth Analysis – Xandora & Anubis
    • More advanced tools. Panda offers Xandora as a free service to upload binaries for analysis. It generates a lot of useful data by running the malware in a VM and outputs file/registry changes and network connections, which can be extremely valuable in blocking emerging malware threats.
    • Sample report from Xandora of Palevo http://bit.ly/h1WRdy
    • Anubis is another free tool similar to Xandora; it not only shows network connections but also provides you with a pcap file.
    • Example report from Anubis http://bit.ly/g6aOsz
  • Network Data Analysis – Cloudshark
    • You may now have some network captures collected while analyzing your samples; Cloudshark offers a quick service to view these captures without having to fire up Wireshark (not a replacement for it, but quick).
    • Sample report from Cloudshark http://bit.ly/ksLsaU
  • Javascript/PDF/Flash – Wepawet
    • A lot of malware makes use of one of these vectors; Wepawet allows you to upload a file or provide a URL, and all of these vectors can be analyzed.
    • Really valuable in picking code out of PDFs and making sense of obfuscated Javascript.
    • Sample report http://bit.ly/lsrn2N
  • Malware Trackers – Zeus Tracker, SANS, MalwareGroup, Clean MX
    • Lots of great blacklists run by security professionals that can tell you if a computer is connecting out to a known malware server. Zeus Tracker provides multiple malware lists and its creator actively works with service providers to blackhole or disconnect C&C networks. SANS also provides a list with multiple levels of sensitivity that combines multiple sources such as Zeus Tracker.
    • MalwareGroup and Clean MX are correlation sites that analyze servers with automation, using a number of the services listed in this post to analyze a server's contents and decide its reputation. They can be really useful in determining whether a site is the source of a malware infection; both offer reports on downloadable files and run them through services such as VirusTotal.

This is not an exhaustive list by any means, however these are tools I found useful and have saved me a lot of time and pain.
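As an added example tying together the log analysis suggested above and the tracker blocklists in the last list item (this is not a tool from the post), the following Python script matches outbound netfilter LOG entries against a one-entry-per-line blocklist and emits the iptables rules to block the listed servers. The blocklist entries (TEST-NET documentation ranges) and the log lines are constructed for the example; the parser accepts both single addresses and CIDR ranges, which goes slightly beyond the single-IP lists described above.

```python
"""Match outbound firewall log entries against a C&C blocklist.

Added example: given a one-entry-per-line blocklist (IPs or CIDR ranges,
'#' comments) and netfilter LOG lines, report which internal hosts talked
to listed servers and emit the iptables rules to block those servers.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed blocklist in the common one-entry-per-line format; these are
# documentation ranges, not real indicators.
BLOCKLIST = """\
# constructed C&C list for the example
198.51.100.23
203.0.113.0/24
"""

# Constructed netfilter LOG lines, i.e. what an iptables -j LOG rule on
# OUTPUT or FORWARD writes to the kernel log (trimmed to the relevant fields).
FIREWALL_LOG = """\
Jun  1 10:02:11 tank kernel: IN=eth1 OUT=eth0 SRC=10.0.0.5 DST=198.51.100.23 LEN=60 PROTO=TCP SPT=51234 DPT=80 SYN
Jun  1 10:02:14 tank kernel: IN=eth1 OUT=eth0 SRC=10.0.0.5 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=51235 DPT=443 SYN
Jun  1 10:03:01 tank kernel: IN=eth1 OUT=eth0 SRC=10.0.0.9 DST=203.0.113.77 LEN=52 PROTO=UDP SPT=40000 DPT=53
Jun  1 10:03:09 tank kernel: IN=eth1 OUT=eth0 SRC=10.0.0.9 DST=203.0.113.77 LEN=60 PROTO=TCP SPT=51300 DPT=8080 SYN
Jun  1 10:04:00 tank sshd[1]: Accepted publickey for admin from 10.0.0.2
"""

_FIELD = re.compile(r"\b(SRC|DST|PROTO|DPT)=(\S+)")


def load_blocklist(text):
    """Parse IPs and CIDR ranges into ip_network objects, skipping comments."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def parse_log_line(line):
    """Return the SRC/DST/PROTO/DPT fields of a netfilter LOG line, else None."""
    fields = dict(_FIELD.findall(line))
    if "SRC" not in fields or "DST" not in fields:
        return None  # not a firewall log entry
    return fields


def is_listed(addr, nets):
    """True if the address falls inside any blocklist entry."""
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in nets)


def find_hits(log_text, nets):
    """Map each internal SRC to the set of (DST, PROTO, DPT) it reached on the list."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        f = parse_log_line(line)
        if f and is_listed(f["DST"], nets):
            hits[f["SRC"]].add((f["DST"], f.get("PROTO", "?"), f.get("DPT", "?")))
    return dict(hits)


def block_rules(nets):
    """iptables commands rejecting traffic to every listed entry.

    Rules are inserted at position 1 so they take effect ahead of any existing
    ACCEPT rules in the chain.
    """
    return [f"iptables -I {chain} 1 -d {n.with_prefixlen} -j REJECT"
            for n in nets for chain in ("OUTPUT", "FORWARD")]


if __name__ == "__main__":
    nets = load_blocklist(BLOCKLIST)
    for src, contacts in sorted(find_hits(FIREWALL_LOG, nets).items()):
        print(f"{src} contacted listed servers: {sorted(contacts)}")
    print("\n".join(block_rules(nets)))
```

In practice the two inputs are a downloaded tracker list and the output of grep on /var/log/kern.log or syslog; hosts that show up in the hits are the ones to pull samples from, and the emitted rules are what the post means by feeding the data back into the firewall.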