Focus on Virus
RE: Symantec AV reporting metrics. Jun 23 2006 10:53AM
paul murgatroyd org uk
I have managed to get a publicly available reporter installation up and running, which people will be able to take a look at via the web.

However, I need some logs for it! If anyone would like to share some AV logs for the good of the community, you will all see what reporter can do for you.

If anyone wants to volunteer, please email me @ paul_murgatroyd<at>symantec.com

Otherwise I'll have to try and get some samples over the weekend.

p.

-------- Original Message --------

> Subject: RE: Symantec AV reporting metrics.
> To: Tobin.Turney (at) bcbsfl (dot) com [email concealed]
> Cc: "Adams, Rhuel" <AdamsR (at) ctc (dot) com [email concealed]>, focus-virus (at) securityfocus (dot) com [email concealed],
> nduda (at) VistaPrint (dot) com [email concealed], "sekure" <sekure (at) gmail (dot) com [email concealed]>,
> "Serge Vondandamo" <serge.vondandamo (at) wanadoo (dot) fr [email concealed]>
> From: Ted Senn <ted.senn (at) zurichna (dot) com [email concealed]>
> Date: Thu, 22 Jun 2006 08:58:44 -0500
>

> The agents will only run on Windows 2000 and above, not on NT.
>
> FYI, in my experience the reporting server is a manager's tool. It is
> difficult to actually get working information from it, i.e. a report of
> infection, and I haven't been able to find a way to determine if the infection
> is still active, cleaned etc. without going to the SSC.
>
> Ted Senn
> Security Engineer
> Distributed Security
> 847-605-6837

>
> From: "Turney, Tobin" <Tobin.Turney@bcbsfl.com>
> To: "Adams, Rhuel" <AdamsR (at) ctc (dot) com [email concealed]>, nduda (at) VistaPrint (dot) com [email concealed]
> Cc: focus-virus (at) securityfocus (dot) com [email concealed], "sekure" <sekure (at) gmail (dot) com [email concealed]>, "Serge Vondandamo" <serge.vondandamo (at) wanadoo (dot) fr [email concealed]>, "Ted Senn" <ted.senn (at) zurichna (dot) com [email concealed]>
> Date: 06/22/2006 08:48 AM
> Subject: RE: Symantec AV reporting metrics.
>

> I implemented SAVCE 10.1 with reporting on 11,000 clients with no issues.
> We have two primary servers. One of the primary servers is running IIS to
> host the reporting site. The SQL reporting DB is a shared instance on a
> separate SQL server. The reporting agents and website are free as long as
> you own SAVCE 10.x licenses. The reporting agents will also run on SAVCE
> 9.x servers.
> -T

>
> -----Original Message-----
> From: Adams, Rhuel [mailto:AdamsR (at) ctc (dot) com [email concealed]]
> Sent: Tuesday, June 20, 2006 11:49 AM
> To: nduda (at) VistaPrint (dot) com [email concealed]
> Cc: focus-virus (at) securityfocus (dot) com [email concealed]; sekure; Serge Vondandamo; Ted Senn
> Subject: RE: Symantec AV reporting metrics.
>

> Not quite sure where you're getting the misinformation from, but SAVCE 10.1
> with Gold Support includes reporting.
>
> I had to contact the licensing dept. to get an updated license so that the
> latest version was "available" for me to download, but it definitely has
> reporting in the package.
>
> So far, I've implemented it in a lab and it worked great. We'll be enabling
> reporting in the production environment soon.
>
> The documentation has some very nice screen shots of the reporting
> interface.
>
> Rhuel

>
> -----Original Message-----
> From: Ted Senn [mailto:ted.senn (at) zurichna (dot) com [email concealed]]
> Sent: Tuesday, June 20, 2006 7:26 AM
> To: nduda (at) VistaPrint (dot) com [email concealed]
> Cc: focus-virus (at) securityfocus (dot) com [email concealed]; sekure; Serge Vondandamo
> Subject: RE: Symantec AV reporting metrics.
>
> Interesting. I'm running Ver 10.1.0.401 Corp Edition and reporting server
> works just fine.
>
> Ted Senn
> Security Engineer
> Distributed Security
> 847-605-6837
>

> From: "Nick Duda" <nduda@VistaPrint.com>
> To: "Serge Vondandamo" <serge.vondandamo (at) wanadoo (dot) fr [email concealed]>, "Ted Senn" <ted.senn (at) zurichna (dot) com [email concealed]>
> Cc: <focus-virus (at) securityfocus (dot) com [email concealed]>, "sekure" <sekure (at) gmail (dot) com [email concealed]>
> Date: 06/19/2006 08:59 AM
> Subject: RE: Symantec AV reporting metrics.
>

> I'm jumping into this late, but we are a SAV 10.1 Corp Edition company for
> end users. I've done some basic research and found that Corp Edition can't
> run a reporting server. Should I say, the reporting server does not come
> with Corp Edition. Does a reporting server generate reports that are better
> than what the SAV 10.1 corp console gives you? I can get good info from the
> console, but no good reports can be generated from it.
>
> I would be curious to see some screen grabs myself.
>
> - Nick

>
> -----Original Message-----
> From: Serge Vondandamo [mailto:serge.vondandamo (at) wanadoo (dot) fr [email concealed]]
> Sent: Sunday, June 18, 2006 2:15 AM
> To: 'Ted Senn'
> Cc: focus-virus (at) securityfocus (dot) com [email concealed]; 'sekure'
> Subject: RE: Symantec AV reporting metrics.
>
> I forgot to add that,
>
> I have up to 6000 clients located WW (Europe, Americas, APAC, and
> Middle-east).
>
> Thanks,
> Serge
>

> -----Original Message-----
> From: Serge Vondandamo [mailto:serge.vondandamo (at) wanadoo (dot) fr [email concealed]]
> Sent: Sunday, June 18, 2006 08:11
> To: 'Ted Senn'
> Cc: 'focus-virus (at) securityfocus (dot) com [email concealed]'; 'sekure'
> Subject: RE: Symantec AV reporting metrics.
>
> All,
>
> Thank you for your pointers.
>
> I have tried the manual process but it doesn't give good metrics for my
> audience (CTO, CSO, CIOs, IT Managers).
>
> I have tried to convince IT folks to upgrade to 10.1 so I can use the
> reporting module but no one wants to upgrade to a vulnerable version of the
> AV.
>
> They don't believe in the patch provided by Symantec since I am not able to
> test it and provide a technical report - patch the app and try to exploit
> the vulnerability and report.
>
> Please, could you help me on the following?
>
> 1. Do you have a screenshot of the reporting module? Graphs, type of
> metrics it can provide, etc?
>
> 2. Do you know how I can patch 10.1 and test the effectiveness of the
> patch?
>
> Thanks,
> Serge
>

>
> -----Original Message-----
> From: Ted Senn [mailto:ted.senn (at) zurichna (dot) com [email concealed]]
> Sent: Friday, June 9, 2006 15:58
> To: serge.vondandamo (at) wanadoo (dot) fr [email concealed]
> Cc: focus-virus (at) securityfocus (dot) com [email concealed]; 'sekure'
> Subject: RE: Symantec AV reporting metrics.
>
> Installing the reporting server is the start. Unless you have a small
> number of clients I would recommend a separate system. The reporting server
> is somewhat CPU intensive in my experience.
>
> Each AV server will need to have reporting agents installed on them.
> However, for testing you can set up the reporting server and only those AV
> servers that you want to test with would need the reporting agents
> installed. You will need the SAV 10.1 SSC to configure the agents.
>
> Yes, 10.1 needs to be maintenance patched to 10.1.0.400 and point patched to
> 10.1.0.401
>
> Ted Senn
> Security Engineer
> Distributed Security
> 847-605-6837
>

> From: "Serge Vondandamo" <serge.vondandamo@wanadoo.fr>
> To: "'Ted Senn'" <ted.senn (at) zurichna (dot) com [email concealed]>
> Cc: <focus-virus (at) securityfocus (dot) com [email concealed]>, "'sekure'" <sekure (at) gmail (dot) com [email concealed]>
> Date: 06/08/2006 09:26 PM
> Subject: RE: Symantec AV reporting metrics.
>

> Thanks Ted,
>
> If I understand, I just need to install the 10.1 and the reporting server
> in one of my primary servers and that is it?
>
> Is there any eval version of it? I would like to test it in my lab first.
> BTW, is the 10.1 affected by the recent Symantec products vulnerability?
>
> Thanks,
> Serge
>

> -----Original Message-----
> From: Ted Senn [mailto:ted.senn (at) zurichna (dot) com [email concealed]]
> Sent: Tuesday, June 6, 2006 14:24
> To: serge.vondandamo (at) wanadoo (dot) fr [email concealed]
> Cc: focus-virus (at) securityfocus (dot) com [email concealed]; 'sekure'
> Subject: RE: Symantec AV reporting metrics.
>
> I am running Reporting server without any problem on version 10 and 9
> servers. The agent installs and reports back to the reporting server. You
> may need a special group with 10.1 for the reporting server only, but the
> reporting will work with the lower version AV servers (agent will not
> install on NT systems).
>
> Ted Senn
> Distributed Security
>

> From: "Serge Vondandamo" <serge.vondandamo@wanadoo.fr>
> To: "'sekure'" <sekure (at) gmail (dot) com [email concealed]>
> Cc: <focus-virus (at) securityfocus (dot) com [email concealed]>
> Date: 06/05/2006 03:30 PM
> Subject: RE: Symantec AV reporting metrics.
>

> Sekure and all,
>
> Thanks, but we don't have version 10.1 and unfortunately I have to find a
> way to report with the versions we have. I may suggest to upgrade but that
> will not be possible now - IT Ops folks and other IS Managers will be
> difficult to convince - given the heavy IT Governance and change process we
> have in place.
>
> We currently have version 8 in a few sites, and versions 9 and 10 in the majority
> of the sites.
>
> Paul, your pointers are more than welcome!!!
>
> Thanks,
> Serge
>

> -----Original Message-----
> From: sekure [mailto:sekure (at) gmail (dot) com [email concealed]]
> Sent: Monday, June 5, 2006 20:51
> To: Serge Vondandamo
> Cc: focus-virus (at) securityfocus (dot) com [email concealed]
> Subject: Re: Symantec AV reporting metrics.
>
> Symantec Corp AV 10.1 has a reporting server module, which provides pretty
> pictures for lots of these metrics.
>

> On 6/3/06, Serge Vondandamo <serge.vondandamo (at) wanadoo (dot) fr [email concealed]> wrote:
> > All,
> >
> > I have been tasked to develop Symantec AV reporting metrics.
> > The metrics should help provide visual information (graphs, tables,
> > etc) to Senior management on a weekly, monthly, quarterly and annual basis per
> > region and WW if needed.
> >
> > I am focusing on providing the following:
> >
> > - Number of AV clients per region,
> > - Number of AV engines, versions, per region,
> > - Information on AV defs per region, frequency of updates, versions of
> > AV definitions, age of AV definitions (i.e. two weeks old, two months
> > old, very old, etc).
> > - Status of AV clients per region - i.e. auto-protect enabled or
> > disabled, threat found, old definitions, etc.
> > - Any other information that will be useful for the big boss not
> > interested in technical data.
> >
> > I am looking for pointers, ideas and suggestions from those who have
> > already done so; I will not try to re-invent the wheel ;)
> >
> > Thanks for your inputs.
> >
> > Regards,
> > Serge Vondandamo, HND, CISSP, CCNA.

[ reply ]
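The per-region figures Serge asks for in the quoted thread (client counts, product versions, definition age buckets, auto-protect status, threats found, rolled up WW) can be produced from a plain client inventory export without a reporting server. The script below is an added example, not code from the thread, from Symantec, or from Paul's reporter installation: the CSV rows, the column names, the report date, the age thresholds and the "healthy" definition are all constructed assumptions chosen to mirror the wording of Serge's list, not a real SAV export schema.

```python
"""Fleet AV metrics per region from a client inventory export.

Added example: the rows below are a constructed CSV in the shape a client
export might take; column names, age thresholds and the "healthy" rule are
assumptions matching the thread's metrics, not Symantec's schema.
"""
import csv
import io
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import date

# Constructed sample export; hostnames, versions and dates are made up.
SAMPLE_EXPORT = """\
hostname,region,version,defs_date,autoprotect,threats_found
ws-eu-001,Europe,10.1.0.401,2006-06-20,on,0
ws-eu-002,Europe,9.0.5.1100,2006-05-30,on,2
ws-eu-003,Europe,8.1.1.314,2005-11-01,off,0
ws-us-001,Americas,10.1.0.401,2006-06-21,on,0
ws-us-002,Americas,10.0.2.2000,2006-06-01,off,1
ws-ap-001,APAC,9.0.5.1100,2006-03-10,on,0
ws-me-001,Middle-east,10.1.0.401,2006-06-22,on,0
"""

# Report date fixed to the thread's date (23 Jun 2006) so ages are reproducible.
REPORT_DATE = date(2006, 6, 23)

# Definition-age buckets in days; thresholds are assumptions mirroring the
# thread's "two weeks old", "two months old", "very old" wording.
AGE_BUCKETS = (("current", 0), ("two_weeks_old", 14),
               ("two_months_old", 60), ("very_old", 180))


@dataclass(frozen=True)
class Client:
    hostname: str
    region: str
    version: str
    defs_date: date
    autoprotect_on: bool
    threats_found: int


def load_clients(export_text: str) -> list:
    """Parse the CSV export into Client records, one per endpoint."""
    clients = []
    for row in csv.DictReader(io.StringIO(export_text)):
        clients.append(Client(
            hostname=row["hostname"],
            region=row["region"],
            version=row["version"],
            defs_date=date.fromisoformat(row["defs_date"]),
            autoprotect_on=row["autoprotect"].strip().lower() == "on",
            threats_found=int(row["threats_found"]),
        ))
    return clients


def def_age_bucket(defs_date: date, today: date) -> str:
    """Name of the oldest bucket whose day threshold the definition age reaches."""
    age_days = (today - defs_date).days
    bucket = AGE_BUCKETS[0][0]
    for name, threshold in AGE_BUCKETS:
        if age_days >= threshold:
            bucket = name
    return bucket


def _empty_metrics() -> dict:
    return {"clients": 0, "versions": Counter(), "def_age": Counter(),
            "old_definitions": 0, "autoprotect_disabled": 0,
            "threats_found": 0, "healthy": 0}


def region_metrics(clients, today: date) -> dict:
    """Aggregate per-region counts; 'healthy' = auto-protect on, current defs, no threats."""
    per_region = defaultdict(_empty_metrics)
    for c in clients:
        m = per_region[c.region]
        bucket = def_age_bucket(c.defs_date, today)
        m["clients"] += 1
        m["versions"][c.version] += 1
        m["def_age"][bucket] += 1
        m["old_definitions"] += bucket != "current"
        m["autoprotect_disabled"] += not c.autoprotect_on
        m["threats_found"] += c.threats_found > 0
        m["healthy"] += (c.autoprotect_on and bucket == "current"
                         and c.threats_found == 0)
    return dict(per_region)


def worldwide_rollup(per_region: dict) -> dict:
    """Sum the per-region metrics into a single WW row (Counters merge tallies)."""
    total = _empty_metrics()
    for m in per_region.values():
        for key, value in m.items():
            total[key] += value
    return total


def format_report(per_region: dict) -> list:
    """Management-facing summary lines, one per region, plus the WW total."""
    rows = sorted(per_region.items()) + [("WW", worldwide_rollup(per_region))]
    lines = []
    for region, m in rows:
        pct = 100.0 * m["healthy"] / m["clients"] if m["clients"] else 0.0
        lines.append(f"{region:<12} clients={m['clients']:>4} healthy={pct:5.1f}% "
                     f"old_defs={m['old_definitions']} ap_off={m['autoprotect_disabled']} "
                     f"threats={m['threats_found']}")
    return lines


if __name__ == "__main__":
    for line in format_report(region_metrics(load_clients(SAMPLE_EXPORT), REPORT_DATE)):
        print(line)
```

The same functions run unchanged over a real export once the column names are mapped; the "healthy" percentage per region is the single number a CTO/CSO audience tends to want, while the version and definition-age Counters keep the detail an engineer needs to find which sites are behind.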


 

Copyright 2010, SecurityFocus