#------------------------------------------------------------------------------- # File: mcafee85.eps # Description: Checks the status of McAfee Framework Services 8.5 and logging # # v0.1 2007-08-22 Initial creation # v0.2 2007-10-11 Modified to take advantage of new "grep" include # v0.3 2007-10-19 Added registry checks and additional warning outputs # v0.4 2008-10-16 Added checks for AntiSpyware Module # v0.5 2009-01-07 Fixed code to account for "bug" in grep function #------------------------------------------------------------------------------- @include "PerlFunctions.epm"; @include "PSPHelpers.epm"; #string $root = GetEnv("_SYSDIRROOT"); string $system32 = GetEnv("SYSPATH"); string $rootDrive = split(":",$system32); int $major = GetEnv("OSMAJOR"); int $minor = GetEnv("OSMINOR"); int $fsize; string $mDate; string $mTime; echo "\r+++++++++++++++++++\r"; echo "Pulling registry values to help determine current enforcement settings.\rThe default value is: AccessProtection{..}\r"; @echo off; @record on; `regquery -hive L -subkey "software\\McAfee\\VSCore\\On Access Scanner\\BehaviourBlocking" -value AccessProtectionUserRules`; string $regResults = GetCmdData("value_data"); @record off; @echo on; #crazy hex hash string %lookFor; %lookFor{'55736572456E666F7263652041564F30342031'} = "BLOCK remote creation/modification of executable and configuration files\r !!!WILL PREVENT ZB ATTEMPT; USE ZZ!!!"; #%lookFor{'55736572456E666F7263652041564F30342030'} = "FALSE = Block remote creation/modification of executable and configuration files"; %lookFor{'557365725265706F72742041564F30342031'} = "LOG Remote creation/modification of executable and configuration files\r !!!WILL LOG ZB ATTEMPT; USE ZZ!!!"; #%lookFor{'557365725265706F72742041564F30342030'} = "FALSE = Log remote creation/modification of executable and configuration files"; %lookFor{'55736572456E666F7263652041564F30372031'} = "BLOCK Svchost executing non-Windows executables\r !!!WILL LOG DRIVERS -LIST IN DSZ!!!"; #%lookFor{'55736572456E666F7263652041564F30372030'} = "FALSE = Block svchost executing non-Windows executables"; %lookFor{'557365725265706F72742041564F30372031'} = "LOG Svchost executing non-Windows executables\r !!!WILL LOG DRIVERS -LIST IN DSZ!!!"; #%lookFor{'557365725265706F72742041564F30372030'} = "FALSE = Log svchost executing non-Windows executables"; %lookFor{'55736572456E666F7263652043573031612031'} = "BLOCK Programs registering to autorun\r !!!WILL PREVENT PC INSTALL!!!"; #%lookFor{'55736572456E666F7263652043573031612030'} = "FALSE = Block programs registering to autorun"; %lookFor{'557365725265706F72742043573031612031'} = "LOG Programs registering to autorun\r !!!WILL LOG PC INSTALL!!!"; #%lookFor{'557365725265706F72742043573031612030'} = "FALSE = Log programs registering to autorun"; %lookFor{'55736572456E666F7263652043573031622031'} = "BLOCK Programs registering as a service\r !!!WILL PREVENT DG/FLAV/ST/OLY/YAK/DS INSTALL!!!"; #%lookFor{'55736572456E666F7263652043573031622030'} = "FALSE = Block programs registering as a service"; %lookFor{'557365725265706F72742043573031622031'} = "LOG Programs registering as a service\r !!!WILL LOG DG/FLAV/ST/OLY/YAK/DS INSTALL!!!"; #%lookFor{'557365725265706F72742043573031622030'} = "FALSE = Log programs registering as a service"; %lookFor{'55736572456E666F7263652043573032612031'} = "BLOCK Creation of new EXE/DLL in the Windows folder\r !!!WILL PREVENT PC/OLY/UR/YAK INSTALL!!!"; #%lookFor{'55736572456E666F7263652043573032612030'} = "FALSE = Block creation of new EXE/DLL in the Windows folder"; %lookFor{'557365725265706F72742043573032612031'} = "LOG Creation of new EXE/DLL in the Windows folder\r !!!WILL LOG PC/OLY/UR/YAK INSTALL!!!"; #%lookFor{'557365725265706F72742043573032612030'} = "FALSE = Log creation of new EXE/DLL in the Windows folder"; %lookFor{'55736572456E666F7263652041564F30382031'} = "BLOCK Windows process spoofing\r !!!DONT USE COMMON WINDOWS NAMES!!!"; #%lookFor{'55736572456E666F7263652041564F30382030'} = "FALSE = Block Windows process spoofing"; %lookFor{'557365725265706F72742041564F30382031'} = "LOG Windows process spoofing\r !!!DONT USE COMMON WINDOWS NAMES!!!"; #%lookFor{'557365725265706F72742041564F30382030'} = "FALSE = Log Windows process spoofing"; %lookFor{'55736572456E666F7263652041565730322031'} = "BLOCK Cached files from password and email address stealers \r !!!WILL PREVENT UR/MB RUNNING!!!"; #%lookFor{'55736572456E666F7263652041565730322030'} = "FALSE = Block cached files from password and email address stealers"; %lookFor{'557365725265706F72742041565730322031'} = "LOG Cached files from password and email address stealers\r !!!WILL PREVENT UR/MB RUNNING!!!"; #%lookFor{'557365725265706F72742041565730322030'} = "FALSE = Log cached files from password and email address stealers"; %lookFor{'557365725265706f72742041534f30312031'} = "LOG Protect Internet Explorer favorites and settings \r !!!WILL LOG ANY VAL/OLY/UR CONNECTIONS!!!"; #%lookFor{'557365725265706f72742041534f30312030'} = "FALSE = Log Protect Internet Explorer favorites and settings \rWas enabled at some point. Would have logged ANY VAL/OLY/UR connections"; %lookFor{'55736572456e666f7263652041534f30312031'} = "BLOCK Protect Internet Explorer favorites and settings \r !!!WILL BLOCK AND LOG ANY VAL/OLY/UR CONNECTIONS!!!"; #%lookFor{'55736572456e666f7263652041534f30312030'} = "FALSE = Block Protect Internet Explorer favorites and settings \rWas enabled at some point. Would have blocked/logged ANY VAL/OLY/UR connections"; %lookFor{'557365725265706f72742041535730322031'} = "LOG Prevent all programs from running files from the Temp folder\r !!!WILL LOG DMW RUNNING!!!"; #%lookFor{'557365725265706f72742041535730322030'} = "FALSE = Log Prevent all programs from running files from the Temp folder"; %lookFor{'55736572456e666f7263652041535730322031'} = "BLOCK Prevent all programs from running files from the Temp folder\r !!!WILL LOG DMW RUNNING!!!"; #%lookFor{'55736572456e666f7263652041535730322030'} = "FALSE = Block Prevent all programs from running files from the Temp folder"; %lookFor{'55736572456e666f7263652043573032622031'} = "BLOCK Creation of new EXE/DLL in the Program Files folder\r !!!WATCH WHERE YOU DROP FILES!!!"; #%lookFor{'55736572456e666f7263652043573032622030'} = "FALSE = Block creation of new EXE/DLL in the Program Files folder\r Was enabled at some time."; %lookFor{'557365725265706f72742043573032622031'} = "LOG Creation of new EXE/DLL in the Program Files folder\r !!!WATCH WHERE YOU DROP FILES!!!"; #%lookFor{'557365725265706f72742043573032622030'} = "FALSE = Log creation of new EXE/DLL in the Program Files folder\r !!!Watch where you drop files!!!"; %lookFor{'55736572456e666f72636520435730362031'} = "BLOCK HTTP Communication\r !!!AVOID PORTS 80/443/CANGETOUT!!!"; %lookFor{'557365725265706f727420435730362031'} = "LOG HTTP Communication\r !!!AVOID PORTS 80/443/CANGETOUT!!!"; #%lookFor{'55736572456e666f72636520435730362030'} = "FALSE = Block HTTP Communication"; #%lookFor{'557365725265706f727420435730362030'} = "FALSE = Log HTTP Communication"; %lookFor{'55736572456e666f72636520435730352031'} = "BLOCK FTP Communication\r !!!AVOID PORT 20!!!"; %lookFor{'557365725265706f727420435730352031'} = "LOG FTP Communication\r !!!AVOID PORT 20!!!"; #%lookFor{'55736572456e666f72636520435730352030'} = "FALSE = Block FTP Communication"; #%lookFor{'557365725265706f727420435730352030'} = "FALSE = Log FTP Communication"; %lookFor{'55736572456e666f72636520434f30362031'} = "BLOCK Installation of Browser Helper Objects and Shell Extensions"; %lookFor{'557365725265706f727420434f30362031'} = "LOG Installation of Browser Helper Objects and Shell Extensions"; #%lookFor{'55736572456e666f72636520434f30362030'} = "FALSE = Block installation of Browser Helper Objects and Shell Extensions"; #%lookFor{'557365725265706f727420434f30362030'} = "FALSE = Log installation of Browser Helper Objects and Shell Extensions"; %lookFor{'55736572456e666f72636520434f31322031'} = "BLOCK Protect Network Settings\r !!!WILL BLOCK PC2 INSTALL!!!"; #%lookFor{'55736572456e666f72636520434f31322030'} = "FALSE = (Block) Protect Network Setting"; %lookFor{'557365725265706f727420434f31322031'} = "LOG Protect Network Settings\r !!!WILL LOG PC2 INSTALL!!!"; #%lookFor{'557365725265706f727420434f31322030'} = "FALSE = Log Protect Network Setting"; %lookFor{'55736572456E666F726365204153573031'} = "BLOCK Prevent installation of new CLSIDs, APPIDs and TYPELIBs\r !!!WILL BLOCK VAL INSTALL!!!"; %lookFor{'557365725265706F72742041535730312031'} = "LOG Prevent installation of new CLSIDs, APPIDs and TYPELIBs\r !!!WILL LOG VAL INSTALL!!!"; %lookFor{'55736572456E666F7263652041564F31302031'} = "BLOCK Prevent mass mailing worm from sending mail\r !!!AVOID PORT 25/110/587!!!"; %lookFor{'557365725265706F72742041564F31302031'} = "LOG Prevent mass mailing worm from sending mail\r !!!AVOID PORT 25/110/587!!!"; %lookFor{'557365725265706F7274204F4230312031'} = "LOG Make shares read-only\r !!!WILL LOG ZB ATTEMPT!!!"; %lookFor{'55736572456E666F726365204F4230312031'} = "BLOCK Make shares read-only\r !!!WILL BLOCK ZB ATTEMPT!!!"; %lookFor{'557365725265706F7274204F4230312031'} = "BLOCK Block read and write access to all shares\r !!!WILL BLOCK ZB ATTEMPT!!!"; %lookFor{'55736572456E666F726365204F4230312031'} = "LOG Block read and write access to all shares\r !!!WILL LOG ZB ATTEMPT!!!"; %lookFor{'55736572537472696E67'} = "!!!POSSIBLE CUSTOM RULES. REVIEW ASCII IN REGISTRY KEY!!!"; string $key; #if they have the default value, don't even bother checking string $defaultSettings = "41636365737350726f74656374696f6e207b0d0a7d0d0a"; if( $defaultSettings == $regResults){ echo "They are using the default settings for a McAfee 8.5 install.\rYou should be good"; }else{ #let the fun begin. echo "They are not using the default settings.\rAttempting to display any troublesome settings. No output = safe\r"; @echo off ; bool $status = TRUE; foreach $key(keys %lookFor){ if(grep($key,$regResults,$status)){ echo "%lookFor{'$key'}\n"; } } #did any of the call's to grep crash the function due to string size? ifnot($status){ #struct defined in PSPHelpers.epm metaData @metaData; init(@metaData); string $scripts = GetEnv("SCRIPTSDIR"); @echo on; echo "!!!Targets registry value is very large, indicitive of custom rule sets. Review custom rules before proceeding!!!\rAttempting to parse known values..."; ifnot(WriteFile("@metaData.$logdir\\mcafee-reg-overflow.txt",TRUE,$regResults)){ echo "\r!!!I couldn't write the registry values to disk!!!\r"; } @echo off; @record on; `local run -command "perl $scripts\\PSP\\mcafee-parse.pl @metaData.$logdir\\mcafee-reg-overflow.txt" -redirect`; #when called via checkpsp, you must manually force the output from the run -command to print string $perlOut = GetCmdData("output"); string $tmpVar; @echo on; foreach $tmpVar($perlOut){ echo $tmpVar; } @echo off; @record on; `local run -command "perl $scripts\\PSP\\mcafee_hex2ascii.pl @metaData.$logdir\\mcafee-reg-overflow.txt" -redirect`; string $perlOut3 = GetCmdData("output"); WriteFile("@metaData.$logdir\\mcafeecustomrules.txt",TRUE,$perlOut3); echo "***********************************************************************"; echo "!!!!!!Wrote mcafeecustomrules.txt...open to review custom settings!!!!!!"; echo "***********************************************************************"; } } echo "++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++"; pause; echo "\rChecking to see if we are calling home to an ePO server..."; #what OS are we on? Found out 2k3 boxes may put things in different locations than XP boxes. #Not only does OS matter, other mcafee software changes things. just check both locations... string $2k3Path = "Documents and Settings\\All Users\\Application Data\\Network Associates\\Common Framework"; string $xpPath = "Documents and Settings\\All Users\\Application Data\\McAfee\\Common Framework"; string $sslist = "$rootDrive[0]:\\$2k3Path\\ServerSiteList.xml"; string $sslist2 = "$rootDrive[0]:\\$xpPath\\ServerSiteList.xml"; string $smlist = "$rootDrive[0]:\\$2k3Path\\SiteMapList.xml"; string $smlist2 = "$rootDrive[0]:\\$xpPath\\SiteMapList.xml"; string $agent = "$rootDrive[0]:\\$2k3Path\\Agent.ini"; string $agent2 = "$rootDrive[0]:\\$xpPath\\Agent.ini"; string $xmlDir = "$rootDrive[0]:\\$2k3Path\\AgentEvents"; string $xmlDir2 = "$rootDrive[0]:\\$xpPath\\AgentEvents"; @echo off; @record on; bool $ssl = `getfileattribs -file "$sslist"`; bool $sml = `getfileattribs -file "$smlist"`; bool $aml = `getfileattribs -file "$agent"`; bool $ssl2 = `getfileattribs -file "$sslist2"`; bool $sml2 = `getfileattribs -file "$smlist2"`; bool $aml2 = `getfileattribs -file "$agent2"`; bool $xmlDirCheck = `getfileattribs -file "$xmlDir"`; bool $xmlDirCheck2 = `getfileattribs -file "$xmlDir2"`; @record off; @echo on; #ServerSiteList.xml tells us where the ePO server lives #SiteMapList.xml is created when the software tries to update itself for the first time #Agent.ini should aways exist, if we can't find it, we are looking in the wrong place #If we can't find one of the .xml files, this is a very recent install @echo on; if ( ($ssl && $sml) || ($ssl2 && $sml2) ) { echo "\r***********\rServerSiteList.xml file exists\rLooks like we have an ePO server somewhere.\r***********\r"; if( prompt "Try to grep out the ePO Server IP?" ) { `grep -mask "$sslist" -pattern ServerIP`; } if( prompt "Would you like to pull back the configuration file for inspection?" ) { `copyget "$sslist"`; } pause; }else if ( ($sml && ($ssl != true) ) || ($sml2 && ($ssl2 != true) ) ){ #Stand alone echo "\rSiteMapList.xml = True\rServerSiteList.xml = False\rLooks like a stand alone install.\r"; }else if( ( ($ssl != true) && ($sml != true) && ($aml != true) ) && ( ($ssl2 != true) && ($sml2 != true) && ($aml2 != true) ) ){ #Wrong path? echo "\r***************\rCannot Verify Status!\rMost likely cause is the files are not in the default location.\rI checked:\r"; echo "$sslist"; echo "$smlist"; echo "$sslist2"; echo "$smlist2 \r***************\r"; if (prompt "The rest of these checks will probably fail. Should I stop?") { return false; } }else if( ($aml && $ssl) || ($aml2 && $ssl2) ){ #Fresh agent install? Needs manual verification echo "\r***********\rServerSiteList.xml file exists but SiteMapList.xml does not.\rLooks like we have an ePO server somewhere.\rThis may be a very recently installed box.\rPAY ATTENTION! NETWORK SECURITY MAY BE INCREASING!\r***********\r"; if( prompt "Try to grep out the ePO Server IP?" ) { `grep -mask "$sslist" -pattern ServerIP`; } if( prompt "Would you like to pull back the configuration file for inspection?" ) { `copyget "$sslist"`; } pause; }else if( $aml || $aml2 ){ #We are looking in the right spot echo "\r***********\rThis looks like a brand new install. No ePO server found.\rPAY ATTENTION! NETWORK SECURITY MAY BE INCREASING!\r***********\r"; }else{ echo "\r*************\rIf you are reading this, you've found some weird state. I'm of no use to you. Good luck!\r***********"; return false; } echo "\rCurrent target time for reference is:"; @record on; `remotelocaltime`; @record off; #Any chance we are in the logs? string $aplog = "$rootDrive[0]:\\Documents and Settings\\All Users\\Application Data\\McAfee\\DesktopProtection\\AccessProtectionLog.txt"; string $bolog = "$rootDrive[0]:\\Documents and Settings\\All Users\\Application Data\\McAfee\\DesktopProtection\\BufferOverflowProtectionLog.txt"; @echo off; echo "\r+++++++++++++++++++\rChecking out AccessProtectionLog\r+++++++++++++++++++\r"; @record on; bool $check = `getfileattribs -file "$aplog"`; @record off; @echo on; if ($check) { $fsize = GetCmdData("Size"); $mDate = GetCmdData("ModifiedDate"); $mTime = GetCmdData("ModifiedTime"); echo "AccessProtectionLog details:\rLast modified on $mDate at $mTime \rFile size of $fsize bytes.\r"; if($fsize == 3){ echo "It appears the file is empty"; } else { if( prompt "Would you like to copyget the file?" ) { `copyget "$aplog"`; } } }else{ echo "Sorry, I cannot find AccessProtectionLog in the default location. I looked in:\r\"$aplog\"\r"; } @echo off; echo "\r+++++++++++++++++++\rChecking out BufferOverflowProtectionLog\r+++++++++++++++++++\r"; @record on; $check = `getfileattribs -file "$bolog"`; @record off; @echo on; if ($check) { $fsize = GetCmdData("Size"); $mDate = GetCmdData("ModifiedDate"); $mTime = GetCmdData("ModifiedTime"); echo "BufferOverFlowProtectionLog details:\rLast modified on $mDate at $mTime \rFile size of $fsize bytes.\r"; if($fsize == 3){ echo "It appears the file is empty"; } else { if( prompt "Would you like to copyget the file?" ) { `copyget "$bolog"`; } } }else{ echo "Sorry, I cannot find BufferOverflowProtectionLog in the default location. I looked in:\r\"$bolog\"\r"; } pause; @echo on; echo "\r\rNo longer displaying .xml files on 8.5 boxes. No need.\r\r"; #echo "\r+++++++++++++++++++\rPreparing to list any .xml event files.\rIf you have been logged, you may see evidence of that here.\r+++++++++++++++++++\r"; #echo "This listing has the potential to be very large.\rYou can always background it if it gets out of hand."; #pause; #if($xmlDirCheck){ # `dir "$xmlDir\\*"`; #}else if($xmlDirCheck2){ # `dir "$xmlDir2\\*"`; #}else{ # echo "Sorry, I can't find where the xml files might live. I checked\r$xmlDir\r$xmlDir2"; #}