我正在使用Symantec ATP,新名称为EDR。这里列出了我从此设置中学到的一些经验。它仍在更新。

YouTube视频:


Web GUI:

一些命令行故障排除命令:
检查日期:

localhost> show --date
Mon Jun 03 13:40:41 GMT 2019

localhost> show
usage: show [--help] [--date] [--version] [--info]
    --help,-h    More extensive help
    --date,-d    Show the current date and time
    --version,-v Show the appliance version number
    --info,-i    Show system information

检查设备状态:

localhost> status_check
This is the admin tool which verifies the following things.
1) Management Port Status
                                - This verifies if the management port is UP and                                                                                                              Running.
                                This will show 'Active' if its UP and Running,
                                otherwise 'Inactive'.
2) Connection to 赛门铁克
                                - This verifies if the appliance can reach www.s                                                                                                             ymantec.com.
3) Scanner  => Management Server Connectivity
                                - This verifies if the scanner is able to connec                                                                                                             t to the
                                management server or not. On the management serv                                                                                                             er,
                                displays the list of scanners associated with th                                                                                                             e
                                management server. Use this tool 上 the scanner                                                                                                              to test
                                connectivity between the scanner and the managem                                                                                                             ent server.
4) Service Running
                                - This verifies the status of all services in Sy                                                                                                             mantec EDR. If all
                                services are working properly, 'Success' is retu                                                                                                             rned.
                                Otherwise, process names that are not working pr                                                                                                             operly are
                                displayed.
5) Scanning Status
                                - This verifies if scanning 上 赛门铁克 EDR is e                                                                                                             nabled or not.
6) Interface Status
                                - This verifies whether interfaces in the curren                                                                                                             t environment
                                are active, such as mgmt_port, wan1_tap1, and la                                                                                                             n1_tap2 in
                                a virtual environment.
                                - This displays traffic received and transmitted                                                                                                              by the
                                active interfaces.
7) Data Inspection Status
                                - This verifies if the packet inspection engine                                                                                                              of 赛门铁克 EDR is
                                receiving traffic.
                                - This displays packet processed by the packet i                                                                                                             nspection
                                engine of 赛门铁克 EDR.
8) Proxy Server Info
                                - This returns information about the proxy serve                                                                                                             r, if 上e
                                exists in the management network. This informati                                                                                                             上 can be
                                used to test the connectivity to the 赛门铁克 se                                                                                                             rvers in
                                the 云.
9) Connectivity to Servers
                                - This shows the connectivity to the 赛门铁克 se                                                                                                             rvers in the
                                云.

NTP:                                            Synchronised.
Management Port Status:                         Active!
Connection to 赛门铁克:                         Success!
Scanner => Management Server  Connectivity:     The AMQP broker is healthy.
                                                Please use status_check 上 the s                                                                                                             canners to
                                                test connectvity to the manageme                                                                                                             nt server.
                                                List of connected Scanners is as                                                                                                              below:
                                                172.3.1.13
                                                10.3.1.14
Service Running:                                Success!
Scanning Status:                                This is a management server . Sc                                                                                                             anning status is not applicable for this.
Interface Status:
                                                Interface mgmt_port is active!
                                                Received 通过 tes= 15.4 MiB  Transm                                                                                                             itted 通过 tes=34.7 MiB
                                                Interface wan1_tap1 is inactive!
                                                Interface lan1_tap2 is inactive!
                                                Interface wan2_tap3 is inactive!
                                                Interface lan2_tap4 is inactive!
Data Inspection Status:                         This is a management server. Dat                                                                                                             a inspection status is not applicable to this.
Is there a corporate proxy server in the management network? (yes:no)
  no
Connectivity to Servers:
  Accessed Cynic license server [//licensing.dmas.symantec.com].
  Accessed Cynic API server [//api.us.dmas.symantec.com].
  Accessed LiveUpdate server [http://liveupdate.symantec.com].
  Accessed AV Detection ping server [//stnd-avpg.crsi.symantec.com/postDet                                                                                                             ectionEvent].
  Accessed IPS Detection ping server [//stnd-ipsg.crsi.symantec.com/postIn                                                                                                             trusionEvent].
  Accessed Aztec server [//register.brightmail.com].
  Accessed 软件 Update server [//swupdate.brightmail.com].
  Accessed Insight server [//shasta-rrs.symantec.com/mrclean].
   Accessed Mobile Insight server [//shasta-mrs.symantec.com/partner].
  Accessed Roaming and Email 安全.Cloud Correlation server [//datafeedapi.symanteccloud.com].
  Accessed Telemetry: Statistics server [//stats.norton.com/n/p].
  Accessed Telemetry: File server [//telemetry.symantec.com].
  Accessed Breach Detection server [//api-gateway.symantec.com].
  Accessed 赛门铁克 EDR 云 server [//edrc.symantec.com].
Connectivity to Repository:
  Accessed repository.
localhost>


启用S​​SH访问:

localhost> sshconfig enable

Enabling SSH server...Redirecting to /bin/systemctl start sshd.service
done
Enabling SSH server by default (will start at boot)...Note: Forwarding request to 'systemctl enable sshd.service'.
done
localhost>

检查软件版本:
管理服务器软件版本必须与扫描仪版本匹配。否则,扫描仪将不会显示在管理服务器的Web GUI中。

localhost> show --version
Version: 4.1.0-951
Install Date: Mon 25 Mar 2019 01:49:14 PM GMT
localhost>

扫描器:

localhost> show --version
Version: 3.1.0-678
Install Date: Mon 03 Jun 2019 01:31:47 PM GMT
localhost>

UpdateATP EDR版本:

  • 更新下载
  • 更新状态
  • 更新安装
localhost> update
Usage: 更新下载|install|list|clean_all|clean_metadata|clean_packages|clea                                                                                                             r_update_state|rpmdb_repair|status
    download:           download latest available version to local cache
    install:            install latest available version from local cache
    list:               list all available versions
    clean_all:          clean up cached packages, metadata and other software up                                                                                                             date data
    clean_metadata:     clean up cached metadata
    clean_packages:     clean up cached packages
    clear_update_state: reset update state
    rpmdb_repair:       repair rpm database.
    clear_lock:         clear out old lockfile
    status:             print current update command status. run 'status_check'                                                                                                              command to check repository access


备份/还原 

从命令行:


localhost> backup --user=testuser1 --password='password1234' --protocol=scp --port=22 --host=172.21.2.111 --path=/tmp/
2019-06-21 11:30:34,170 INFO Validating remote storage.
2019-06-21 11:30:34,170 INFO index value is None
2019-06-21 11:30:38,395 INFO EDR commands have been backed up successfully
2019-06-21 11:30:38,465 INFO Performing ES snapshot, could take a while...
2019-06-21 11:30:39,955 INFO Done with snapshot.
2019-06-21 11:30:39,955 INFO Snapshot succeeded.
2019-06-21 11:30:39,955 INFO Archiving backup.
2019-06-21 11:30:39,989 INFO Building config_export.txt
2019-06-21 11:30:44,830 INFO Sending backup archive to remote storage via scp.
2019-06-21 11:30:46,317 INFO Succeed running backup, backupfile=sedr_backup_4.1.0-951_20190621113039.tar.gz
localhost>

参考文献:

通过 约翰扬

发表评论