Symantec Endpoint Protection Manager
This blog is about Symantec Endpoint Protection Manager (SEPM). Below are a few important questions and answers which can be helpful for those who want to work as an SEPM administrator.
- What is Symantec Endpoint Protection Manager
Answer: Symantec Endpoint Protection provides advanced threat protection that protects your endpoints (laptops, desktops, and servers) from both known threats and threats that have not been seen before.
- What is LUA
Answer: LUA (LiveUpdate Administrator) is an enterprise web application that lets you manage Symantec updates on an internal LiveUpdate (LU) server. It downloads definitions, signatures and other content and distributes the updates to client computers.
- What is GUP
Answer: A Group Update Provider (GUP) helps distribute content updates within the organization; it is very useful at remote locations with minimal bandwidth.
- Difference between GUP and LUA
Answer:

| GUP | LUA |
| --- | --- |
| We can use a Windows workstation as a GUP | We need extra software and hardware |
| It works on Windows OS | It works on any OS, such as Linux |
| It supports 10,000 machines | It supports unlimited machines, depending on bandwidth |
| It gives definition updates to workstations and servers where the client is installed; if a workstation is not able to take updates from the GUP due to any issue, it takes updates from SEPM | It gives definition updates to SEPM, and workstations take updates from SEPM |
- How to make a machine a GUP
Answer:
Step 1. Go to the policies of the group where those systems are stored in the Symantec console.
Step 2. Click on the LiveUpdate Settings policy. The LiveUpdate policy screen is displayed; choose Server Settings.
Step 3. Three options are displayed:
a) Internal & External LiveUpdate Settings
b) Group Update Provider
c) Third Party Management
Step 4. Check Use a Group Update Provider. The Group Update Provider is now enabled; click on it.
Step 5. Two options are available in Group Update Provider:
a) Group Update Provider Selection for Clients
b) Group Update Provider Settings
Step 6. Choose Single Group Update Provider / Multiple Group Update Providers as required and enter the hostname/IP of the Group Update Provider system.
Step 7. Click OK.
- Ports used for GUP
Answer: Port 2967 is used for GUP updates.
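As an added example (not part of the original post), the following PowerShell function checks whether each GUP in a list accepts TCP connections on port 2967, which is what a client needs before it can pull content from that GUP; the hostnames are constructed placeholders.

```powershell
# Added example, not from the original post: test whether each Group Update
# Provider (GUP) is reachable on TCP 2967, the port named above for GUP updates.
# The hostnames passed at the bottom are constructed placeholders.
function Test-GupReachability {
    param(
        [Parameter(Mandatory)] [string[]] $GupHost,
        [int] $Port = 2967,
        [int] $TimeoutMs = 3000
    )
    foreach ($h in $GupHost) {
        $client = New-Object System.Net.Sockets.TcpClient
        $ok = $false
        try {
            # Asynchronous connect so an unreachable GUP does not hang the whole check
            $async = $client.BeginConnect($h, $Port, $null, $null)
            if ($async.AsyncWaitHandle.WaitOne($TimeoutMs) -and $client.Connected) {
                $client.EndConnect($async)
                $ok = $true
            }
        } catch {
            $ok = $false
        } finally {
            $client.Close()
        }
        # Per the page, a client that cannot reach its GUP takes updates from SEPM instead
        $note = if ($ok) { 'Clients can pull content from this GUP' } else { 'Clients will fall back to SEPM for content' }
        [pscustomobject]@{
            Gup       = $h
            Port      = $Port
            Reachable = $ok
            Note      = $note
        }
    }
}

# Usage with placeholder GUP names; run from any client that should use these GUPs
Test-GupReachability -GupHost 'gup01.example.local', 'gup02.example.local' | Format-Table -AutoSize
```

A GUP that shows Reachable = False here but is listed in the LiveUpdate policy means those clients will be pulling content over the WAN from SEPM, which defeats the bandwidth saving the GUP was set up for.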
- What is Virus and Spyware Protection in SEPM
Answer:
Antivirus and Antispyware has been renamed to Virus and Spyware Protection. Virus and spyware scans identify and neutralize or eliminate viruses and security risks on your computers.
Functions of Virus and Spyware Protection:
- Administrators can define the scan as weekly or daily, or specify a scan as per their requirements.
- We can give users permission to stop a scan, or not.
- We can define the startup scan (what files it scans when the computer starts).
- There is an Auto-Protect feature in Virus and Spyware Protection (it scans files).
- We can define what kind of files it scans, for example all files or selected files.
- Virus and Spyware Protection gives us an option called "Download Protection" in which we can define the first action and second action of the antivirus (what action it takes when a malicious file gets downloaded), for example Clean as the first action and Delete as the second action.
- Early Launch Anti-Malware (we can enable or disable it).
Early launch anti-malware (ELAM) protects client computers from threats that load at startup. Symantec Endpoint Protection includes an early launch anti-malware driver that works with the Microsoft early launch anti-malware driver to provide the protection. The settings are supported on Microsoft Windows 8 and Windows Server 2012.
The early launch anti-malware driver is a special type of driver that initializes first and inspects other startup drivers for malicious code. When the Symantec Endpoint Protection driver detects a startup driver, it determines whether the driver is good, bad, or unknown. The Symantec Endpoint Protection driver then passes the information to Windows to decide whether to allow or block the detected driver.
The Symantec Endpoint Protection settings provide an option to treat bad drivers and bad critical drivers as unknown. Bad critical drivers are the drivers that are identified as malware but are required for computer startup. By default, Windows allows unknown drivers to load. You might want to select the override option if you get a false positive detection that blocks an important driver. If you block an important driver, you might prevent client computers from starting up.
The Windows early launch anti-malware driver must be enabled for the Symantec Endpoint Protection settings to take effect. You use the Windows Group Policy editor to view and modify the Windows ELAM settings. See your Windows documentation for more information.
SONAR is the real-time protection that detects potentially malicious applications when they run on your computers. SONAR uses heuristics as well as reputation data to detect emerging and unknown threats. SONAR provides "zero-day" protection because it detects threats before traditional virus and spyware detection definitions have been created to address the threats.
In SONAR we can define high-risk detection and low-risk detection, DNS change detection and host file change detection.
Internet Email Auto-Protect: we can define whether all files are scanned or not.
We have a global scan option in which we can enable Insight and Bloodhound.
Insight allows scans to skip digitally signed
files and trusted good files. Some files contain typical vulnerabilities. After
those files are scanned initially, subsequent scans can skip the files since
vulnerability definitions rarely change. Insight also uses file reputation data
to skip trusted files. You can configure the level of trust. If you select Symantec
and Community Trusted, scans skip more files (less secure). If you select Symantec
Trusted, scans skip fewer files (more secure).
Bloodhound isolates and locates the logical
regions of a file to detect a high percentage of unknown viruses. Bloodhound
then analyzes the program logic for virus-like behavior.
We have a Quarantine option where we can define what action it should take on quarantined files and which folder it should use for quarantine.
There is a Miscellaneous option in which we can enable and disable Windows Security Center.
Windows Security Center recognizes that Symantec Endpoint Protection Cloud (SEPC) is installed on the device, but it says "Actions needed in Symantec Endpoint Protection Cloud" or "Actions needed for protection settings" even though SEPC is secure when you open it.
We can define the log file actions under Miscellaneous.
We can enable and disable Virtual Image Exception.
- What is Virtual Image Exception?
Answer:
Administrators leverage base images to build virtual machines for their virtual desktop infrastructure (VDI) environment. The Symantec Virtual Image Exception tool lets your clients bypass the scanning of base image files for threats. Bypassing some files reduces the resource load on disk I/O. It also improves CPU scanning process performance in your VDI environment.
Before you enable this feature in Symantec Endpoint Protection Manager, first run the Virtual Image Exception tool against the base image files. The Virtual Image Exception tool marks the base image files by adding an attribute. If the file is modified, this attribute is removed. This tool is located in the /Virtualization/VirtualImageException folder on the Symantec Endpoint Protection Tools installation file.
This feature is disabled by default. Enable the feature so that when your client starts to scan a file, it looks for this attribute. If the base image file is marked and remains unchanged, the client skips scanning the file.
- What is Application and Device Control
Answer:
An Application and Device Control Policy is a powerful tool that lets you create custom enforcement policies for your environment. Application and Device Control Policies are configured from the administration console.
Application control restricts what an application is permitted to do and which system resources it can use. Application control has many purposes, including preventing malware from hijacking applications, protecting confidential data from inadvertently being removed from your company, and restricting which applications can run.
Click on Policies > Application and Device Control > Application Control > Add > write the new rule set name > click on Add > select "Process name to match" > write the process name that you want to block.
We can specify the type of device we want to block, such as CD/DVD, RAM drive, network drive, or removable drive.
Device control: it blocks clients from accessing devices such as USB drives, Bluetooth devices, printers, and serial and parallel ports.
Click on Policies > Application and Device Control > Device Control > click on Add > enter the device ID and class name.
- What is Host Integrity in SEPM
Answer: Host Integrity (HI) is a feature of Symantec Endpoint Protection (SEP) that can be used to ensure that client computers are protected and compliant with a company's security policies. Host Integrity policies can be used to define, enforce, and remediate the security of clients as defined by the policy.
Click on Policies > Host Integrity > Requirements > Add > select the requirement > OK
- What is LiveUpdate
Answer: Symantec makes the latest updates available to you through LiveUpdate for your product. You can connect to the LiveUpdate server to check for updates, download available updates, and then select from the downloaded updates to install them.
- Memory Exploit Mitigation
Answer: Memory Exploit Mitigation stops attacks on commonly used software that the vendor has not patched on Windows computers. Memory Exploit Mitigation uses various mitigation techniques to detect the exploit attempt. Each technique then either blocks the exploit or terminates the application that the exploit threatens.
Policies > Memory Exploit Mitigation > Mitigation / Application Rules
Here you can see the list of applications (under Application Rules) and the list of files and processes (under Memory Exploit Mitigation).
- Integrations
Answer:
WSS Traffic Redirection
Web Security Service (WSS) Traffic Redirection lets you protect your endpoints from web-based threats. Client web traffic does one of the following:
- Redirects to the WSS server
- Is blocked
- Continues to its destination
- Exceptions
Answer: We can exclude a file or folder from the scan; we just need to add it to the exception list.
- What is Proactive Threat Protection
Answer: It is used to protect computers from unknown attacks and zero-day attacks. We can see it in the client at the endpoint, and it is linked with SONAR.
- What is Virus and Spyware Protection
Answer: It protects computers from known attacks and works as per the Virus and Spyware policy.
- What is Network and Host Exploit Mitigation
Answer: It protects against web and network threats and zero-day attack exploits. It is linked with the firewall and intrusion prevention and works as per the policy defined in firewall and intrusion prevention.
- Policy components
Answer:
- What is Network Threat Protection
Answer:
Network Threat Protection blocks threats from accessing your computer by using rules and signatures.
Network Threat Protection works according to the firewall and intrusion prevention policies.
- What is the Tamper Protection setting
Answer: Tamper Protection provides real-time protection for the Symantec applications that run on servers and clients. It protects Symantec processes and internal objects from the attacks that non-Symantec processes such as worms, trojan horses, viruses, and other security risks may make.
Disable Tamper Protection on a single client
Use this method to disable Tamper Protection on a small number of clients. To disable Tamper Protection on multiple clients, use the method below.
- In the SEP client interface, click Change Settings.
- Next to Client Management, click Configure Settings.
- Click the Tamper Protection tab.
- Perform one of the following actions:
  - Uncheck Protect Symantec security software from being tampered with or shut down. This disables Tamper Protection.
  - Change the drop-down menu to Log only. Note: This setting leaves Tamper Protection enabled. However, Tamper Protection will no longer block attempts to modify SEP files, folders, processes, or Registry values.
- Click OK.
Tamper Protection is now disabled for this SEP client.
- Explain SEPM installation process
Answer:
- Types of logs and reports
Answer: There are mainly 8 types of logs and reports available in SEPM:
- Audit Log
- Application and Device Control
- Compliance
- Computer Status
- Network and Host Exploit Mitigation
- Risk
- Scan
- System
Apart from this, if the user is using SONAR, we can get SONAR logs from the log files.
To get log files, click on Monitor > Logs > select the log type.
- What is the Sylink file
Answer:
The Sylink file is an XML file containing communication settings. It has the following contents:
- A list of SEPM servers to connect to.
- The public SEPM certificate for all servers.
- The KCS, or encryption key.
- The Domain ID that the client belongs to.
The default locations of the Sylink.xml file for SEP clients are as follows:
- Windows Vista/7/8/10, 2008 and above: C:\ProgramData\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\Config
- Windows XP and 2003: C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\Config
To get the Sylink file from SEPM, follow the path below:
Click on Clients > select the group > right-click > Export Communication Settings > browse to the location where you want to export > click on Export
- How to integrate Active Directory
Answer:
- Log in to the SEPM console.
- Click Admin > Servers.
- Right-click on the server name and select Edit the server properties.
- Click the Directory Servers tab.
- Click Add.
- The Add Directory Server window will pop up.
- In the General tab, type the domain name.
- For Server Type, select Active Directory.
- In Server IP Address or Name, enter the IP.
- Enter the username and password for a domain user or dedicated service account.
- Click OK.
- In the Server Properties window, the Directory Server gets listed after the credentials are successfully verified.
- Under Synchronized Directory Settings, check Synchronize with Directory Servers.
- Select a schedule as per your convenience.
- Click OK.
- What is Application Control and Device Control
Answer:
An Application and Device Control Policy is a powerful tool that lets you create custom enforcement policies for your environment.
Application control restricts what an application is permitted to do and which system resources it can use. Application control has many purposes, including preventing malware from hijacking applications, protecting confidential data from inadvertently being removed from your company, and restricting which applications can run.
Device Control: by using Device Control, a client computer is blocked from accessing devices such as USB drives, Bluetooth devices, printers, and serial and parallel ports.
- What is Symantec Gateway Security
Answer: Symantec Gateway Security 5400 Series is a next-generation firewall appliance that integrates full packet inspection firewall technology with intrusion prevention intelligence at the gateway between the Internet and the corporate network, or between network segments.
- Explain the services of SEPM
Answer:
- Symantec Endpoint Protection: provides malware and threat protection for Symantec Endpoint Protection.
- System Events Broker: coordinates execution of background work for WinRT applications. If this service is stopped or disabled, then background work might not be triggered.
- Symantec Critical System Protection Server: application server which communicates with the SCSP console, agents and database.
- Symantec Endpoint Protection Launcher: launch service which can invoke special processes for SEPM.
- Symantec Endpoint Protection Local Proxy Service: proxies the web traffic for WSS Traffic Redirection to allow for more granular web traffic management.
- Symantec Endpoint Protection Manager: application server which communicates with the Symantec Endpoint Protection Manager console, SEP clients and the database.
- Symantec Endpoint Protection Manager API Service: application service that provides web services.
- SEPM Webserver: web server which communicates with the Symantec Endpoint Protection client and database.
- Symantec Network Access Control: checks that the computer complies with the defined security policy and communicates with the Symantec Enforcers to allow your computer to access.
- Symantec Event Notification Service: monitors events and notifies subscribers of the COM+ Event System of these events.
- What is SEPCC (SEP cloud console)
Answer: Symantec Endpoint Protection Cloud (SEP Cloud) is an
easy to use security-as-a-service that protects and manages PC, Mac, mobile
devices and servers from a single console, making it the ideal solution for
organizations with limited IT security resources. SEP Cloud effectively stops
today’s ransomware, zero-day threats and other sophisticated attacks using
advanced multi-layered technologies including advanced machine learning and
behavior analysis.
- How to update definitions on SEPM and workstations
Answer: To update definitions on SEPM we can run the command "luall.exe" on the server, which will update the definitions of the SEPM server.
It may be possible that there is no communication from the client to the server and, due to that, definitions are not getting updated. To resolve this we need to download the Sylink file from SEPM and paste it at the location "C:\ProgramData\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\Config".
To do this, first stop the smc.exe service, and after copying the file, start the service again. This will re-establish the communication.
You can also download the Intelligent Updater and run the file by double-clicking it; it will update the definitions.
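The Sylink replacement procedure above, scripted as an added example (not code from the original post or from Symantec): it stops the SEP client with smc.exe, backs up the current Sylink.xml, copies in the exported one, and starts the client again. The smc.exe location and the Config folder are assumptions taken from a typical client install and can be overridden by parameter.

```powershell
# Added example, not from the original post: re-establish client-to-SEPM
# communication by replacing Sylink.xml (stop SEP client, copy file, start client).
# Assumptions: smc.exe sits in the SEP client install folder below (adjust for
# your version) and the exported Sylink.xml is passed in by the caller.
function Restore-SepCommunication {
    param(
        [Parameter(Mandatory)] [string] $ExportedSylink,
        [string] $SmcPath    = "${env:ProgramFiles(x86)}\Symantec\Symantec Endpoint Protection\smc.exe",
        [string] $ConfigPath = "$env:ProgramData\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\Config"
    )
    if (-not (Test-Path $ExportedSylink)) { throw "Exported Sylink.xml not found: $ExportedSylink" }
    if (-not (Test-Path $SmcPath))        { throw "smc.exe not found: $SmcPath" }

    # Sylink is an XML file; refuse to touch the client if the export is not well-formed XML
    try { [xml](Get-Content -Path $ExportedSylink -Raw) | Out-Null }
    catch { throw "$ExportedSylink is not well-formed XML; export it again from SEPM" }

    $target = Join-Path $ConfigPath 'Sylink.xml'
    $backup = Join-Path $ConfigPath ('Sylink.xml.bak-' + (Get-Date -Format 'yyyyMMddHHmmss'))

    # 1. Stop the SEP client first, as the procedure above requires (smc -stop)
    Start-Process -FilePath $SmcPath -ArgumentList '-stop' -Wait -NoNewWindow
    try {
        # 2. Keep the old file for rollback, then drop in the exported one
        if (Test-Path $target) { Copy-Item -Path $target -Destination $backup -Force }
        Copy-Item -Path $ExportedSylink -Destination $target -Force
    } finally {
        # 3. Always start the client again, even if the copy failed, so the endpoint
        #    is not left without protection
        Start-Process -FilePath $SmcPath -ArgumentList '-start' -Wait -NoNewWindow
    }
    [pscustomobject]@{ Replaced = $target; Backup = $backup }
}

# Usage, from an elevated PowerShell on the affected client (placeholder path):
# Restore-SepCommunication -ExportedSylink 'C:\Temp\Sylink.xml'
```

After the client restarts, confirm in the SEPM console that the machine shows as online again within the next heartbeat interval before removing the backup.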
- How to make a client package and apply it to a group
Answer:
Click Admin > Install Packages > Add a Client Install Package > write the name > select the package from the browser > OK
Apply the package to a group:
Click on Clients > Install Packages > right-click > Add > select the package from the drop-down list > select the download source
- What is the heartbeat of Symantec
Answer: By default, clients connect to the management server every 5 minutes.
- How to apply an Application and Device Control policy to a group / How to block a device with Device Control
Answer: We can block by using the class ID (the class ID refers to the Windows GUID).
Click on Policies > Application and Device Control > right-click > Add
For Windows settings, select Windows Settings > Device Control; here you can block devices.
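Both Device Control passages above (the earlier one asks for a device ID and class name, this one for the class GUID) need values read off a real client; as an added example (not part of the original post), this PowerShell function lists the class GUIDs and instance IDs of the device types the page mentions blocking, using the built-in Get-PnpDevice cmdlet. The list of setup classes to query is an assumption.

```powershell
# Added example, not from the original post: enumerate present devices on a client
# and report the Windows class GUID (the "class ID" a Device Control rule uses) and
# the instance ID (for blocking one specific device). Get-PnpDevice is built into
# Windows 8 / Server 2012 and later; the default class list is an assumption.
function Get-DeviceControlCandidates {
    param(
        # Setup classes covering the device types named above:
        # USB and removable drives, Bluetooth, printers, serial/parallel ports
        [string[]] $Class = @('USB', 'DiskDrive', 'Bluetooth', 'Printer', 'Ports')
    )
    Get-PnpDevice -PresentOnly -Class $Class -ErrorAction SilentlyContinue |
        Group-Object -Property ClassGuid |
        ForEach-Object {
            $first = $_.Group | Select-Object -First 1
            [pscustomobject]@{
                Class       = $first.Class
                ClassGuid   = $_.Name             # value for the rule's Class ID field
                DeviceCount = $_.Count            # how many present devices a class rule would cover
                Example     = $first.FriendlyName
                InstanceId  = $first.InstanceId   # value to use when blocking by device ID instead
            }
        } |
        Sort-Object Class
}

# Usage on the client whose devices you want to inventory before writing the rule
Get-DeviceControlCandidates | Format-Table -AutoSize
```

Blocking by class GUID covers every device in that class (check DeviceCount before enabling the rule); blocking by instance ID is the safer choice when only one device should be affected.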
- Which component of SEPM provides protection from buffer overflows?
Answer: SEPM provides buffer overflow protection through the Network Intrusion Prevention System.