The built-in network subsystem doesn't include any support for viewing TCP connections and therefore won't display the data you want. On the other hand, Sysinternals' networking utility has a feature that allows you to specify an arbitrary number of connection 'stuck' ports. You can then open up TCPView to view the names of the sockets associated with those ports, plus the status of each one.
The first thing was to simulate a network connection like Symantec does which is not hard.But when you use the command-line version of the program, you can't view the names of the TCP sockets and thus won't be able to select them with ease. What about if I could do my tests, without clearing any logs but stopping Symantec from telling the server about it ? In my case Symantec used port 8014 for the client to server connection, I just need to drop this connection. The only thing that can solve is to find a vulnerable driver that will load before Symantec.Īt this point I decided that I don’t have enough time to go deeply on this and another idea was popping to my head.
Restarting with safe mode wasn’t possible, nor adding USB with different OS. Using MoveFileEx with the flag MOVEFILE_DELAY_UNTIL_REBOOT also won’t help because it seems that the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SessionManagerPendingFileRenameOperations is also being protected and this API call is trying to modify it.
If I will succeed to clean the logs, my activity won’t be reported to the main server.Įven with the fact that I had SYSTEM privileges, it is not an easy task to clean the logs because Symantec has an open handle to its logs and you can’t stop it from working. All started when I was doing some penetration testing on a customer, trying to manipulate one application and Symantec “shout” on it and quarantined my malicious DLL :(Īt that moment I was curious to see if there is a way to clear Symantec logs which are saved in: C:\ProgramData\Symantec\Symantec Endpoint Protection\ \Data\Logs
0 kommentar(er)
