I am using Symantec ATP, which has since been renamed EDR. Below are some lessons I have learned from this setup. This post is still being updated.
YouTube video:
Web GUI:
Some command-line troubleshooting commands:
Check the date:
localhost> show --date
Mon Jun 03 13:40:41 GMT 2019
localhost> show
usage: show [--help] [--date] [--version] [--info]
--help,-h More extensive help
--date,-d Show the current date and time
--version,-v Show the appliance version number
--info,-i Show system information
Check the appliance status:
localhost> status_check
This is the admin tool which verifies the following things.
1) Management Port Status
- This verifies if the management port is UP and Running.
This will show 'Active' if its UP and Running,
otherwise 'Inactive'.
2) Connection to Symantec
- This verifies if the appliance can reach www.symantec.com.
3) Scanner => Management Server Connectivity
- This verifies if the scanner is able to connect to the
management server or not. On the management server,
displays the list of scanners associated with the
management server. Use this tool on the scanner to test
connectivity between the scanner and the management server.
4) Service Running
- This verifies the status of all services in Symantec EDR. If all
services are working properly, 'Success' is returned.
Otherwise, process names that are not working properly are
displayed.
5) Scanning Status
- This verifies if scanning on Symantec EDR is enabled or not.
6) Interface Status
- This verifies whether interfaces in the current environment
are active, such as mgmt_port, wan1_tap1, and lan1_tap2 in
a virtual environment.
- This displays traffic received and transmitted by the
active interfaces.
7) Data Inspection Status
- This verifies if the packet inspection engine of Symantec EDR is
receiving traffic.
- This displays packet processed by the packet inspection
engine of Symantec EDR.
8) Proxy Server Info
- This returns information about the proxy server, if one
exists in the management network. This information can be
used to test the connectivity to the Symantec servers in
the cloud.
9) Connectivity to Servers
- This shows the connectivity to the Symantec servers in the
cloud.
NTP: Synchronised.
Management Port Status: Active!
Connection to Symantec: Success!
Scanner => Management Server Connectivity: The AMQP broker is healthy.
Please use status_check on the scanners to
test connectvity to the management server.
List of connected Scanners is as below:
172.3.1.13
10.3.1.14
Service Running: Success!
Scanning Status: This is a management server. Scanning status is not applicable for this.
Interface Status:
Interface mgmt_port is active!
Received bytes=15.4 MiB Transmitted bytes=34.7 MiB
Interface wan1_tap1 is inactive!
Interface lan1_tap2 is inactive!
Interface wan2_tap3 is inactive!
Interface lan2_tap4 is inactive!
Data Inspection Status: This is a management server. Data inspection status is not applicable to this.
Is there a corporate proxy server in the management network? (yes:no)
no
Connectivity to Servers:
Accessed Cynic license server [//licensing.dmas.symantec.com].
Accessed Cynic API server [//api.us.dmas.symantec.com].
Accessed LiveUpdate server [http://liveupdate.symantec.com].
Accessed AV Detection ping server [//stnd-avpg.crsi.symantec.com/postDetectionEvent].
Accessed IPS Detection ping server [//stnd-ipsg.crsi.symantec.com/postIntrusionEvent].
Accessed Aztec server [//register.brightmail.com].
Accessed Software Update server [//swupdate.brightmail.com].
Accessed Insight server [//shasta-rrs.symantec.com/mrclean].
Accessed Mobile Insight server [//shasta-mrs.symantec.com/partner].
Accessed Roaming and Email Security.Cloud Correlation server [//datafeedapi.symanteccloud.com].
Accessed Telemetry: Statistics server [//stats.norton.com/n/p].
Accessed Telemetry: File server [//telemetry.symantec.com].
Accessed Breach Detection server [//api-gateway.symantec.com].
Accessed Symantec EDR Cloud server [//edrc.symantec.com].
Connectivity to Repository:
Accessed repository.
localhost>
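For the status_check output above, as an added example that is not part of the original post or of Symantec's tooling: a POSIX shell function that compares status_check output against the healthy values shown on this page and reports every deviation. The failure wording in the second sample is constructed; the checks rely only on the healthy wording seen above.

```shell
#!/bin/sh
# Added example (not from the post or from Symantec): parse `status_check` output from an
# EDR appliance and flag anything not in the healthy state shown in the post. Assumes the
# line formats seen there, e.g. "Service Running: Success!" and "Accessed LiveUpdate server [...]".

# Constructed sample: the healthy output from the post, abridged.
HEALTHY_STATUS='NTP: Synchronised.
Management Port Status: Active!
Connection to Symantec: Success!
Service Running: Success!
Connectivity to Servers:
Accessed LiveUpdate server [http://liveupdate.symantec.com].
Connectivity to Repository:
Accessed repository.'

# Constructed sample of an unhealthy appliance; the failure wording is invented for the test.
BROKEN_STATUS='NTP: Not synchronised.
Management Port Status: Active!
Connection to Symantec: Failed!
Service Running: elasticsearch is not running
Interface wan1_tap1 is inactive!
Connectivity to Servers:
Accessed LiveUpdate server [http://liveupdate.symantec.com].
Could not reach Telemetry: File server [//telemetry.symantec.com].
Connectivity to Repository:
Accessed repository.'

# Reads status_check output on stdin, prints one OK/FAIL/WARN line per finding, returns 1 on any FAIL.
edr_status_summary() {
    text=$(cat)
    fails=0
    for spec in 'NTP|Synchronised.' 'Management Port Status|Active!' \
                'Connection to Symantec|Success!' 'Service Running|Success!'; do
        key=${spec%%|*}; want=${spec#*|}
        got=$(printf '%s\n' "$text" | sed -n "s/^$key: //p" | head -n 1)
        if [ "$got" = "$want" ]; then
            echo "OK   $key"
        else
            echo "FAIL $key: ${got:-line missing}"; fails=$((fails + 1))
        fi
    done
    # Inactive tap interfaces are only a warning: the sensor sees no traffic on them.
    printf '%s\n' "$text" | sed -n 's/^Interface \(.*\) is inactive!$/WARN interface \1 inactive/p'
    # Every cloud server listed should start with "Accessed"; anything else is unreachable.
    bad=$(printf '%s\n' "$text" | awk '/^Connectivity to Servers:/{f=1;next} /^Connectivity to Repository:/{f=0} f && !/^Accessed /{print "FAIL unreachable: " $0}')
    [ -n "$bad" ] && { echo "$bad"; fails=$((fails + 1)); }
    [ "$fails" -eq 0 ]
}
```

Once SSH access is enabled on the appliance, the captured output of status_check can be piped into edr_status_summary from an admin host and the exit status used in a monitoring check.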
Enable SSH access:
localhost> sshconfig enable
Enabling SSH server...Redirecting to /bin/systemctl start sshd.service
done
Enabling SSH server by default (will start at boot)...Note: Forwarding request to 'systemctl enable sshd.service'.
done
localhost>
Check the software version:
The management server software version must match the scanner version. Otherwise, the scanner will not appear in the management server's web GUI.
localhost> show --version
Version: 4.1.0-951
Install Date: Mon 25 Mar 2019 01:49:14 PM GMT
localhost>
Scanner:
localhost> show --version
Version: 3.1.0-678
Install Date: Mon 03 Jun 2019 01:31:47 PM GMT
localhost>
Updating the ATP/EDR version:
- update download
- update status
- update install
localhost> update
Usage: update download|install|list|clean_all|clean_metadata|clean_packages|clear_update_state|rpmdb_repair|status
download: download latest available version to local cache
install: install latest available version from local cache
list: list all available versions
clean_all: clean up cached packages, metadata and other software update data
clean_metadata: clean up cached metadata
clean_packages: clean up cached packages
clear_update_state: reset update state
rpmdb_repair: repair rpm database.
clear_lock: clear out old lockfile
status: print current update command status. run 'status_check' command to check repository access
Backup/restore
From the command line:
localhost> backup --user=testuser1 --password='password1234' --protocol=scp --port=22 --host=172.21.2.111 --path=/tmp/
2019-06-21 11:30:34,170 INFO Validating remote storage.
2019-06-21 11:30:34,170 INFO index value is None
2019-06-21 11:30:38,395 INFO EDR commands have been backed up successfully
2019-06-21 11:30:38,465 INFO Performing ES snapshot, could take a while...
2019-06-21 11:30:39,955 INFO Done with snapshot.
2019-06-21 11:30:39,955 INFO Snapshot succeeded.
2019-06-21 11:30:39,955 INFO Archiving backup.
2019-06-21 11:30:39,989 INFO Building config_export.txt
2019-06-21 11:30:44,830 INFO Sending backup archive to remote storage via scp.
2019-06-21 11:30:46,317 INFO Succeed running backup, backupfile=sedr_backup_4.1.0-951_20190621113039.tar.gz
localhost>