{"id":3822,"date":"2016-09-15T22:49:38","date_gmt":"2016-09-15T22:49:38","guid":{"rendered":"http:\/\/www.hexacorn.com\/blog\/?p=3822"},"modified":"2016-09-19T00:47:29","modified_gmt":"2016-09-19T00:47:29","slug":"dexray-1-6-ccsubsdk-files","status":"publish","type":"post","link":"https:\/\/www.hexacorn.com\/blog\/2016\/09\/15\/dexray-1-6-ccsubsdk-files\/","title":{"rendered":"DeXRAY 1.6 &#8211; ccSubSdk files"},"content":{"rendered":"<p>Yesterday <a href=\"https:\/\/twitter.com\/bbaskin\">Brian Baskin<\/a> pinged me on Twitter asking about <a href=\"http:\/\/www.symantec.com\/connect\/forums\/what-could-account-more-15000-files-folder\">ccSubSdk files<\/a> that Symantec solutions store on the system in the following location:<\/p>\n<ul>\n<li>C:\\ProgramData\\Norton\\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\\&lt;product&gt;\\CmnClnt\\ccSubSDK<\/li>\n<\/ul>\n<p>f.ex.<\/p>\n<ul>\n<li>C:\\ProgramData\\Norton\\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\\NIS_21.5.0.19\\CmnClnt\\ccSubSDK<\/li>\n<\/ul>\n<p>SEP may store similar files in a different location:<\/p>\n<ul>\n<li>C:\\ProgramData\\Symantec\\Symantec Endpoint Protection\\&lt;SEP version&gt;\\Data\\CmnClnt\\ccSubSDK<\/li>\n<li>C:\\ProgramData\\Symantec\\Common Client\\ccSubSDK<\/li>\n<li>C:\\Documents and Settings\\All Users\\Application Data\\Symantec\\Symantec Endpoint Protection\\&lt;SEP version&gt;\\Data\\CmnClnt\\ccSubSDK<\/li>\n<\/ul>\n<p><a href=\"https:\/\/www.hexacorn.com\/blog\/category\/software-releases\/dexray\/\">DeXRAY<\/a> didn&#8217;t support them and it triggered my interest. I pretty quickly identified the algorithm as Blowfish, but for some reason it didn&#8217;t work. Eventually, after struggling with it for a while, I ended up understanding the issue: it was a problem of little vs. big endianness &#8211; unfortunately, the same algorithm can be implemented to work with data of either endianness.<\/p>\n<p>Once I figured it out, I added basic support for both {GUID} files and submissions.idx. 
Now, when I say &#8216;support&#8217; I mean the decryption of the outer layer only and a basic interpretation of what I can deduce from the file structure inside submissions.idx. Once you look at the decrypted files you will realize that the files contain some sort of container to store a lot of information about the suspected files \/ network data and possibly other data sets sent to the AV Reputation engines + actual files. On top of that, in some instances the content of the files is not encrypted (with a second layer), and in some it is.<\/p>\n<p>It&#8217;s quite a headache.<\/p>\n<p>Still, it&#8217;s worth pursuing further as it seems to be a great forensic artifact that may help to identify a lot of file-system and network activities that may not be recorded anywhere else, or long forgotten. We can retrieve metadata and the content of long-lost files. And since the reputation engine intercepts pretty much all unknown suspicious files, as well as some network artifacts, a lucky forensic investigator may actually find a smoking gun there&#8230;<\/p>\n<p>Here are a few examples:<\/p>\n<ul>\n<li><strong>A suspicious file (PE file can be retrieved)<\/strong><\/li>\n<\/ul>\n<p><strong><a href=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2016\/09\/pefile.png\"><img decoding=\"async\" loading=\"lazy\" class=\"aligncenter wp-image-3823\" src=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2016\/09\/pefile-238x300.png\" alt=\"pefile\" width=\"450\" height=\"566\" srcset=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2016\/09\/pefile-238x300.png 238w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2016\/09\/pefile.png 655w\" sizes=\"(max-width: 450px) 100vw, 450px\" \/><\/a><\/strong><\/p>\n<ul>\n<li><strong>Silent\/heuristic AV detections<\/strong><\/li>\n<\/ul>\n<p><a href=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2016\/09\/suspfile1.png\"><img decoding=\"async\" loading=\"lazy\" class=\"aligncenter wp-image-3826\" 
src=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2016\/09\/suspfile1-300x224.png\" alt=\"suspfile1\" width=\"450\" height=\"336\" srcset=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2016\/09\/suspfile1-300x224.png 300w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2016\/09\/suspfile1.png 650w\" sizes=\"(max-width: 450px) 100vw, 450px\" \/><\/a><\/p>\n<ul>\n<li><strong>A download of a PE file (HTTP PE Download):<\/strong><\/li>\n<\/ul>\n<p><a href=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2016\/09\/httppefile1.png\"><img decoding=\"async\" loading=\"lazy\" class=\"aligncenter wp-image-3824\" src=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2016\/09\/httppefile1-272x300.png\" alt=\"httppefile1\" width=\"450\" height=\"495\" srcset=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2016\/09\/httppefile1-272x300.png 272w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2016\/09\/httppefile1-768x846.png 768w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2016\/09\/httppefile1.png 792w\" sizes=\"(max-width: 450px) 100vw, 450px\" \/><\/a>\r\n<a href=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2016\/09\/httppefile2.png\"><img decoding=\"async\" loading=\"lazy\" class=\"aligncenter size-medium wp-image-3825\" src=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2016\/09\/httppefile2-300x234.png\" alt=\"httppefile2\" width=\"300\" height=\"234\" srcset=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2016\/09\/httppefile2-300x234.png 300w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2016\/09\/httppefile2.png 658w\" sizes=\"(max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<p>There are also file metadata submissions with forensically interesting bits in the form of an XML-like report:<\/p>\n<pre style=\"padding-left: 30px;\">&lt;Report \r\n\u00a0Type=\"File Vote Report\" \r\n\u00a0Count=\"#NUM OF FILES#\"&gt;\r\n\u00a0&lt;File \r\n\u00a0 Index=\"#INDEX#\" 
\r\n\u00a0 Active_timestamp=\"#EPOCH#\" \r\n\u00a0 File_MD5=\"#MD5#\" \r\n\u00a0 File_SHA256=\"#SHA256#\" \r\n\u00a0 FileName=\"#FILENAME#\" \r\n\u00a0 Path=\"#PATH#\" \r\n\u00a0 Signature=\"#SIG#\" \r\n\u00a0 Issuer=\"#ISSUER#\" \r\n\u00a0 Version=\"#VERSION#\" \r\n\u00a0 File_Type=\"#FILETYPE#\" \r\n\u00a0 AVE_Blob=\"#AVEBLOB#\"\/&gt;<\/pre>\n<p>The Epoch, file path, file name, and hashes can support investigation in many ways. I believe there is a lot to explore here + in similar files from other vendors (if such files exist).<\/p>\n<p><strong>If you have ccSubSdk files available and want to share them with me for research, I&#8217;d appreciate it.<\/strong><\/p>\n<p>Coming back to DeXRAY &#8211; the full list of supported or recognized file formats is listed below:<\/p>\n<ul>\n<li>AhnLab (V3B)<\/li>\n<li>ASquared (EQF)<\/li>\n<li>Avast (Magic@0=\u2019-chest- \u2018)<\/li>\n<li>Avira (QUA)<\/li>\n<li>Baidu (QV)<\/li>\n<li>BitDefender (BDQ)<\/li>\n<li>CMC Antivirus (CMC)<\/li>\n<li>Comodo &lt;GUID&gt; (not really; Quarantined files are not encrypted &#x1f642; )<\/li>\n<li>ESafe (VIR)<\/li>\n<li>ESET (NQF)<\/li>\n<li>F-Prot (TMP) (Magic@0=\u2019KSS\u2019)<\/li>\n<li>Kaspersky (KLQ)<\/li>\n<li>Lavasoft AdAware (BDQ) \/BitDefender files really\/<\/li>\n<li>MalwareBytes Data files (DATA)<\/li>\n<li>MalwareBytes Quarantine files (QUAR)<\/li>\n<li>McAfee Quarantine files (BUP)<\/li>\n<li>Microsoft Forefront|Defender (Magic@0=0B AD|D3 45) \u2013 D3 45 C5 99 header handled<\/li>\n<li>Panda &lt;GUID&gt; Zip files<\/li>\n<li>Spybot \u2013 Search &amp; Destroy 2 \u2018recovery\u2019<\/li>\n<li>SUPERAntiSpyware (SDB)<\/li>\n<li>Symantec ccSubSdk files: {GUID} files and submissions.idx<\/li>\n<li>Symantec Quarantine Data files (QBD)<\/li>\n<li>Symantec Quarantine files (VBN)<\/li>\n<li>Symantec Quarantine Index files (QBI)<\/li>\n<li>TrendMicro (Magic@0=A9 AC BD A7 which is \u2018VSBX\u2019 string ^ 0xFF)<\/li>\n<li>QuickHeal &lt;hash&gt; files<\/li>\n<li>Vipre 
(&lt;GUID&gt;_ENC2)<\/li>\n<li>Any binary file (using X-RAY scanning)<\/li>\n<\/ul>\n<p>Thanks to Brian for raising the interesting challenge and patiently listening to my questions and comments \ud83d\ude42<\/p>\n<p>The latest version of <a href=\"https:\/\/hexacorn.com\/download.php?f=DeXRAY.pl\">DeXRAY can be found here<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Yesterday Brian Baskin pinged me on Twitter asking about ccSubSdk files that Symantec solutions store on the system in the following location: C:\\ProgramData\\Norton\\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\\&lt;product&gt;\\CmnClnt\\ccSubSDK f.ex. C:\\ProgramData\\Norton\\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\\NIS_21.5.0.19\\CmnClnt\\ccSubSDK The SEP may store similar files in different location: C:\\ProgramData\\Symantec\\Symantec Endpoint Protection\\&lt;SEP version&gt;\\Data\\CmnClnt\\ccSubSDK C:\\ProgramData\\Symantec\\Common Client\\ccSubSDK &hellip; <a href=\"https:\/\/www.hexacorn.com\/blog\/2016\/09\/15\/dexray-1-6-ccsubsdk-files\/\">Continue reading <span 
class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[28,15,12,21,19,46,9,5],"tags":[],"_links":{"self":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/3822"}],"collection":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/comments?post=3822"}],"version-history":[{"count":5,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/3822\/revisions"}],"predecessor-version":[{"id":3836,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/3822\/revisions\/3836"}],"wp:attachment":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/media?parent=3822"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/categories?post=3822"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/tags?post=3822"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}