Accenture MDR Quick Start Guide for Symantec™ Endpoint Protection

This quick start guide will help Accenture MDR customers configure Symantec™ Endpoint Protection (SEP) to allow log collection from the Log Collection Platform (LCP).

The document includes the following topics:

 

Supported Versions

A list of supported versions is available in the Accenture MDR Supported Products List document (Accenture_MDR_Supported_Products_List.xlsx), which can be found in the Accenture MDR Portal.

Port Requirements

Table 1-1: Port requirements for LCP communication.

Source | Destination  | Port       | Description
LCP    | SEP Database | 1433 (TCP) | Default database port

Log Collection Methods

Accenture Security supports two SEP log collection mechanisms:

  1. Database - The LCP connects directly to the Microsoft® SQL Server database in which SEPM stores SEP events and collects the logs from it.

  2. Syslog - Using Symantec Endpoint Protection Manager, you can configure external logging to send SEP events to the LCP. Refer to the Symantec Endpoint Protection - Syslog guide for device configuration.

Note: 

  • Accenture Security SEP Collector does not support DB replication to a single DB.

SEPM Deception

Deception is a feature introduced in Symantec Endpoint Protection Manager (SEPM) version 14.1. If Deception is deployed in your environment, follow the steps below to enable logging and reporting for Deception events.

  1. With a text editor, open SEPM_Install\tomcat\etc\conf.properties, where SEPM_Install is the installation folder for SEPM.

  2. Add the following line: scm.deception.enabled=true

  3. Save and close the file.

  4. Open services.msc and restart the SEPM service.

  5. When you log in to SEPM again, the Deception log data appears in the Reports and Monitors tabs.

  6. To disable logging and reporting for Deception events, repeat the procedure, but remove the line that you added.

Configuring SEP

Based on SEP architecture, you can configure the DB with:

  • Microsoft SQL database 

Configuring SEP with Microsoft SQL Database

To configure SEP with Microsoft SQL database for the LCP to collect logs, follow the steps below.

I. Create a read-only database account for Microsoft SQL server.

To create a read-only user account from the command line:

  1. From the Windows Start menu, choose Run, and then type the following command: cmd

  2. Navigate to the directory that contains the osql.exe file.

  • For Microsoft SQL server 2016, the default directory location for this file is <InstallDir>\Microsoft SQL Server\130\Tools\Binn

  • For Microsoft SQL server 2012, the default directory location for this file is <InstallDir>\Microsoft SQL Server\110\Tools\Binn

  • For Microsoft SQL server 2008, the default directory location for this file is <InstallDir>\Microsoft SQL Server\100\Tools\Binn

  • For Microsoft SQL server 2005, the default directory location for this file is <InstallDir>\Microsoft SQL Server\90\Tools\Binn

  • For Microsoft SQL server 2000, the default directory location for this file is <InstallDir>\Microsoft SQL Server\80\Tools\Binn

  3. Log in as the DB administrator and type the following command:

     sqlcmd -S <ip_address_or_host_name> -U sa -P <sa_user_password>

  4. At the command prompt, type the following commands:

For Microsoft SQL servers 2005, 2008, 2012, and 2016:

     EXEC sp_addlogin '<account_name>', '<password>', '<database_name>'
     USE <database_name>
     CREATE USER <account_name> FOR LOGIN <account_name>
     EXEC sp_addrolemember 'db_datareader', '<account_name>'
     GRANT SELECT ON SEM_COMPUTER TO <account_name>;
     GRANT SELECT ON V_AGENT_BEHAVIOR_LOG TO <account_name>;
     GRANT SELECT ON IDENTITY_MAP TO <account_name>;
     GRANT SELECT ON V_AGENT_PACKET_LOG TO <account_name>;
     GRANT SELECT ON V_AGENT_SECURITY_LOG TO <account_name>;
     GRANT SELECT ON V_AGENT_TRAFFIC_LOG TO <account_name>;
     GRANT SELECT ON V_AGENT_SYSTEM_LOG TO <account_name>;
     GRANT SELECT ON V_ENFORCER_CLIENT_LOG TO <account_name>;
     GRANT SELECT ON V_ENFORCER_SYSTEM_LOG TO <account_name>;
     GRANT SELECT ON V_ENFORCER_TRAFFIC_LOG TO <account_name>;
     GRANT SELECT ON V_SERVER_ADMIN_LOG TO <account_name>;
     GRANT SELECT ON V_SERVER_SYSTEM_LOG TO <account_name>;
     GRANT SELECT ON V_SERVER_CLIENT_LOG TO <account_name>;
     GRANT SELECT ON V_SERVER_ENFORCER_LOG TO <account_name>;
     GRANT SELECT ON V_SERVER_POLICY_LOG TO <account_name>;
     GRANT SELECT ON V_LAN_DEVICE_DETECTED TO <account_name>;
     GRANT SELECT ON V_ALERTS TO <account_name>;
     GRANT SELECT ON VIRUS TO <account_name>;
     GRANT SELECT ON V_SEM_COMPUTER TO <account_name>;
     GRANT SELECT ON SEM_AGENT TO <account_name>;
     GRANT SELECT ON PATTERN TO <account_name>;
     go

If you run SEP version 12 or higher, you must also add the following commands (the trailing go is required for sqlcmd to execute the batch):

     GRANT SELECT ON HPP_ALERTS TO <account_name>;
     GRANT SELECT ON SEM_APPLICATION TO <account_name>;
     GRANT SELECT ON ACTUALACTION TO <account_name>;
     GRANT SELECT ON ALERTMSG TO <account_name>;
     GRANT SELECT ON HPP_APPLICATION TO <account_name>;
     go
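The following T-SQL is an added example and not part of the Accenture or Symantec procedure: it creates the same read-only account with CREATE LOGIN and ALTER ROLE (the current replacements for sp_addlogin and sp_addrolemember; ALTER ROLE ... ADD MEMBER assumes SQL Server 2012 or later) and then impersonates the account to confirm it can read SEP event tables but not modify them. The <account_name>, <password> and <database_name> placeholders are the same as in the steps above.

```sql
-- Added example, not the guide's own script. Run as a SQL administrator (e.g. sa).
-- Replace the <account_name>, <password> and <database_name> placeholders first.
USE master;
GO
CREATE LOGIN [<account_name>]
    WITH PASSWORD = N'<password>',
         DEFAULT_DATABASE = [<database_name>],
         CHECK_POLICY = ON;          -- enforce the Windows password policy on the collector login
GO
USE [<database_name>];
GO
CREATE USER [<account_name>] FOR LOGIN [<account_name>];
-- db_datareader grants SELECT on every table and view in the database, which covers
-- SEM_COMPUTER, the V_AGENT_* / V_SERVER_* views and the HPP_* tables listed above.
ALTER ROLE db_datareader ADD MEMBER [<account_name>];
GO

-- Verification: impersonate the new user and check that it is read-only.
EXECUTE AS USER = '<account_name>';
SELECT COUNT(*) AS sep_computers FROM SEM_COMPUTER;          -- succeeds: SELECT is allowed
SELECT HAS_PERMS_BY_NAME('SEM_COMPUTER', 'OBJECT', 'SELECT') AS can_select,   -- 1
       HAS_PERMS_BY_NAME('SEM_COMPUTER', 'OBJECT', 'INSERT') AS can_insert,   -- 0
       HAS_PERMS_BY_NAME('SEM_COMPUTER', 'OBJECT', 'UPDATE') AS can_update,   -- 0
       HAS_PERMS_BY_NAME('SEM_COMPUTER', 'OBJECT', 'DELETE') AS can_delete,   -- 0
       IS_MEMBER('db_datareader') AS is_datareader,                            -- 1
       IS_MEMBER('db_datawriter') AS is_datawriter,                            -- 0
       IS_MEMBER('db_owner')      AS is_owner;                                 -- 0
REVERT;
GO
```

If can_insert, can_update, can_delete, is_datawriter or is_owner return anything other than 0, the account has more than the read-only access the LCP needs and should be corrected before it is submitted in the New Request.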

II. Set the Microsoft SQL server security mode to mixed authentication.

To set the Microsoft SQL server security mode to mixed authentication, follow the steps below.

  1. Based on the Microsoft SQL server version, do one of the following:

  • For Microsoft SQL server 2005, from the Start menu, click Programs > Microsoft SQL Server > Microsoft SQL Server Management Studio.

  • For Microsoft SQL server 2008, 2012, and 2016, from the Start menu, click Programs > Microsoft SQL Server > SQL Server Management Studio.

  2. On the left pane, right-click the appropriate server, and then click Properties.

  3. In the Server Properties window, select Security.

  4. In the Server Authentication section, select SQL Server and Windows Authentication mode.

  5. Click OK and then click Close.

III. Configure the Microsoft SQL server instance to listen on a non-dynamic port.

To configure the Microsoft SQL server instance to listen on a non-dynamic port:

  1. On the Start menu, click Programs > Microsoft SQL Server > SQL Enterprise Manager > SQL Server Configuration Manager.

  2. Based on the Microsoft SQL server version, do one of the following:

  • For Microsoft SQL server 2005, in the left pane, expand SQL Server 2005 Network Configuration.

  • For Microsoft SQL server 2008, in the left pane, expand SQL Server 2008 Network Configuration.

  • For Microsoft SQL server 2012, in the left pane, expand SQL Server 2012 Network Configuration.

  • For Microsoft SQL server 2016, in the left pane, expand SQL Server 2016 Network Configuration.

  3. Select Protocols for.

  4. In the right pane, click TCP/IP.

  • In the TCP/IP Properties window, on the IP Address tab, ensure that Active and Enabled are set to Yes.

  • Ensure that the TCP Dynamic Ports text box is blank for the IP address to which the LCP connects.

  • In the TCP Port text box, type 1433 for the IP address to which the LCP connects.

  • Click Apply and then click OK.

IV. Configure an SSL connection for the Microsoft SQL server JDBC driver.

Note: This step is needed only if a Secure Sockets Layer (SSL) connection is a requirement.

You can configure an SSL connection for a Microsoft SQL server 2005, 2008, 2012, or 2016 database with the Microsoft SQL server JDBC driver 4.0.

  1. On the Start menu, click Programs > Microsoft SQL Server > SQL Enterprise Manager > SQL Server Configuration Manager.

  2. Expand SQL Server Network Configuration, right-click the protocols for the required server, and then click Properties.

  3. On the Certificate tab, select the certificate that you want to use to protect your connection.

Note: Self-signed certificates are supported but not recommended because they do not provide adequate security.

  4. On the Flags tab, specify the protocol encryption option. The logon packet is always encrypted.

  5. Set the ForceEncryption option to Yes. ForceEncryption encrypts all client and server communication. Clients that cannot support encryption are denied access.

  6. Click Apply and then click OK.

  7. Click SQL Server Services, right-click SQL-SERVER, and then select Restart.

Creating New Request for Monitoring

Once the device is configured as outlined in the steps above and all network prerequisites have been met, you are ready to onboard it for MDR monitoring. To complete this process, submit a New Request via the Accenture MDR Portal. The request should contain the following information:

  1. Reporting LCP Hostname/IP Address:

  2. Database Hostname/IP Address and Database Port:

  3. Username (Read-only):

  4. Password:

If you have any questions about this process, please contact your Onboarding Engineer or Service Manager.

LCP Configuration Parameters

Table 1-2: SEP event collector (Database -3165) properties to be configured by MDR.

Property: Database URL

  Default value (for Microsoft SQL database):
    jdbc:jtds:sqlserver://<hostname>:1433/<dbname>

  Note: To configure the SEP event collector properties for an encrypted protocol, add the following property string at the end of the database URL: ;encrypt=true

  Example:
    jdbc:sqlserver://<ip address>:1433;DatabaseName=database_name;encrypt=true
    jdbc:jtds:sqlserver://<hostname>:1433/<dbname>;encrypt=true

  If you are using a self-signed certificate, add the following property string at the end of the URL: ;trustServerCertificate=true

  Example:
    jdbc:sqlserver://<ip address>:1433;DatabaseName=database_name;encrypt=true;trustServerCertificate=true
    jdbc:jtds:sqlserver://<hostname>:1433/<dbname>;encrypt=true;trustServerCertificate=true

  Description: The database URL string that needs to be configured on the collector by MDR.
    hostname - Hostname or IP address of the database.
    databasename - The name of the database in which the SEP events are stored.
    instance_name - The name of the SQL Server instance hosting the specified database.
    1433 (TCP port) - The default port number for DB connectivity.

  Note: If the database is configured to use a different port number, please advise the MDR onboarding team.

Property: UserName

  Default value: Custom Value

  Description: The username for the database account mentioned in the Pre-Installation Questionnaire (PIQ).

Property: Password

  Default value: Custom Value

  Description: The password for the database account mentioned in the PIQ.
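Once the LCP has connected with the configured URL, the query below (an added example, not part of the Accenture guide) lets the database administrator confirm from the server side that the collector's session matches steps II to IV above: SQL authentication from mixed mode, the fixed TCP port 1433, and an encrypted connection (ForceEncryption on the server or ;encrypt=true in the URL). It assumes SQL Server 2005 or later, where sys.dm_exec_sessions and sys.dm_exec_connections exist, and uses <account_name> as the read-only login from step I.

```sql
-- Added example, not the guide's own script. Run as a SQL administrator while the
-- LCP collector is connected; <account_name> is the read-only login from step I.
SELECT s.session_id,
       s.login_name,
       s.host_name,                 -- should be the LCP host
       s.program_name,              -- the JDBC driver / collector identifier
       c.net_transport,             -- expected: TCP
       c.local_tcp_port,            -- expected: 1433 (step III, non-dynamic port)
       c.auth_scheme,               -- expected: SQL (step II, mixed authentication)
       c.encrypt_option,            -- expected: TRUE (step IV or ;encrypt=true)
       c.client_net_address         -- should be the LCP IP address from the New Request
FROM sys.dm_exec_sessions AS s
JOIN sys.dm_exec_connections AS c ON c.session_id = s.session_id
WHERE s.login_name = '<account_name>';

-- Server-wide view: every user session that is still sending SQL traffic unencrypted.
-- With ForceEncryption = Yes this should return no rows at all.
SELECT c.session_id,
       s.login_name,
       s.host_name,
       c.client_net_address,
       c.local_tcp_port
FROM sys.dm_exec_connections AS c
JOIN sys.dm_exec_sessions AS s ON s.session_id = c.session_id
WHERE c.encrypt_option = 'FALSE'
  AND s.is_user_process = 1
ORDER BY s.login_name;
```

Note that ;trustServerCertificate=true makes the collector accept any server certificate, so encrypt_option = 'TRUE' then confirms confidentiality of the link but not that the LCP verified which server it connected to; a CA-issued certificate in step IV removes that gap.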

Appendix - Known Issue in SEP 12.1 RU4

Problem

"Fast Pathing" is a feature that allows an organization to set a relatively long heartbeat interval to minimize traffic without losing up-to-date information about the security of clients.

Disabling this feature would cause important virus infection events to be uploaded only during a heartbeat event. This slows down the organization's response time to an emerging threat.

Cause

In SEPM, there is a check box to enable/disable the Priority Upload Configuration communications settings. This setting is per group and inheritable.

Figure 1-1: The Communication Settings window.

In the Add Notification Condition window, set the Damper section to None. This enables the security event related SEPM notifications to be evaluated every minute to ensure that they are up-to-date.

Figure 1-2: The Add Notification Condition window.

Solution

With "Fast Pathing" enabled, the client checks every minute whether there are new detections (*) or new network security events. If one of these critical events is found, the SEP client uploads all threat-detection and network security related information for the events from the logs (AVMan.log and seclog.log) but not any other log information.

(*) Excluding System Change events and Tracking Cookies.

The "None" Damper:

Any SEPM notification with a damper of "None" is checked every minute. The "None" damper setting allows notifications about priority events to happen quickly.

Priority Heartbeat process flow:

  • Every minute, if applicable.

  • Connects - Uploads Security and AV logs (No commands, No OpState, No definition information, No updates).

  • Disconnects


Legal Notice

Copyright © 2021 Accenture. All rights reserved.

Accenture, the Accenture Logo, and DeepSight Intelligence are trademarks or registered trademarks of Accenture in the U.S. and other countries. Other names may be trademarks of their respective owners.

The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Accenture and its licensors, if any.

THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. ACCENTURE SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.

The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19 "Commercial Computer Software - Restricted Rights" and DFARS 227.7202, et seq. "Commercial Computer Software and Commercial Computer Software Documentation," as applicable, and any successor regulations, whether delivered by Accenture as on premises or hosted services. Any use, modification, reproduction release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with the terms of this Agreement.