Data Center Security

 View Only
  • 1.  Using HIDS

    Posted Jun 18, 2018 07:28 PM

    Hey guys,

    In the middle of managing a fairly big rollut and upgrade of DCSSA where there are a number of administrators and people who prefer to use the commands to put DCS in to a buikltin mode instead of tuning or using the override.exe tool.

    Is there a way to create a detection event to track who runs sisipsconfig -r ? Looking to create an event which can report the usr name that has run the command.



  • 2.  RE: Using HIDS

    Posted Jun 20, 2018 09:14 AM

    Hello Mark

    I don't know how to monitor running of specific command but I have idea how to help you. 

    sisipsconfig -r change line use.builtin.policy=false to use.builtin.policy=true in agent.ini file

    So you need to create file watch rule that monitor 

    C:\Program Files (x86)\Symantec\Data Center Security Server\Agent\IPS\agent.ini

    You can also add use.builtin.policy=false to "ignore string" in the policy or modify "select string" to monitor only this modification.

    I can see that runing this command wil create the event with right username with the rule.

    It also helpful as someone can edit file directly without running command.



  • 3.  RE: Using HIDS

    Posted Jul 04, 2018 10:40 PM

    Thanks Alexander S this works a treat

     

    Regards,

    Lindsay



  • 4.  RE: Using HIDS

    Posted Aug 30, 2020 09:39 AM
    Hey.
    When you start Sisipsconfig on the agent with any flag, the agent associates the Sisipsconfig process with the "FullOpen_PS" Sandbox and the Assignment Process event is created with the action create and Severity "Information" 
    Change in "Default Prevention Config" in the rule for "Process Assignment" Severity to "Information".