PC User Anti-Monitoring Behaviours and Countermeasures 2010.01.09
1.) Change auto-obtained IP to a specified fixed IP --> (ineffective) --> KO: iptables manages directly by MAC table
2.) Change MAC --> (detectable) --> ska.vbp reports h/w id + mac; the illegal MAC is found via hwt-1.sys
3.) Change h/w id --> (cannot be changed) --> no way of changing CPU id + HDD id has been found so far
4.) Swap network cable --> (ineffective) --> same reason as 1.)
5.) Change PC name --> (ineffective) --> same reason as 1.)
6.) Stop only ska.vbp --> (detectable) --> mka.vbp reports it
7.) Stop ska.vbp + mka.vbp at the same time --> (detectable) --> when the shell processes white list 1 it must check whether the whole list is still valid
8.) Disable network / unplug cable first, then stop only ska.vbp --> (detectable) --> same reason as 7.)
9.) Disable network / unplug cable first, then stop ska.vbp + mka.vbp at the same time --> (detectable) --> same reason as 7.)
10.) Change registry Run first, remove all vbp, then reboot --> (detectable) --> mka.vbp / ska.vbp report the registry Run change
11.) Disable network / unplug cable first, then change the registry, remove all vbp and reboot --> (ineffective) --> the MAC will not appear in the white list
12.) COPY someone else's ska.vbp or mka.vbp onto own machine --> (ineffective) --> the h/w id + mac reported by ska.vbp do not change
13.) Use anti-virus software --> ?????
==================================================================================
PHP Program on Komodo Server 2010.01.08
1.) skm-1.php
  a.) Receive MAC + H/W ID Report
  b.) Check Received MAC + H/W ID against Legal Table
  c.) Check if Pre-Approved MAC
  d.) Trim + Update + Append MAC White List with TimeMark
  e.) Trim + Update + Append MAC Black List with TimeMark
2.)
==================================================================================
KAA Sys Files (On Server Side) Specification 2010.01.08
1.) hwt-1.sys (Legal MAC by H/W ID Table)
  a.) MAC-.-CPUID-.-HDDID-.-
      example: 00:11:F5:4E:9C:49-.-AFE9FBFF000006D8-.-2073084829-.-
2.) wlt-0.sys (Pre-Approved Connecting White List Table by Administrator)
  a.) MAC of Pre-Approved Connecting PCs by Separate Mark
      example: 00:81:85:45:93:BE-.-00:11:F5:4E:9C:49-.-
3.) wlt-1.sys (Approved Connecting White List Table by Check HWT-1 and WLT-0)
  a.) Line 1: Unique Last Update MAC of Approved Connecting PCs by Separate Mark (Latest First) Now-->ago
      XX:XX:XX:XX:XX:XX
      example: 00:81:85:45:93:BE-.-00:11:F5:4E:9C:49-.-
  b.) Line 2: TimeMark for Line 1 MAC by Separate Mark
      YYYYMMDD:hhmmss
      example: 20100108:110521-.-20100108:110510-.-
4.) blt-1.sys (Denied Connecting Black List Table by Check HWT-1 and WLT-0)
  a.) Line 1: Unique Last Update MAC of Denied Connecting PCs by Separate Mark (Latest First) Now-->ago
      XX:XX:XX:XX:XX:XX
      example: 00:81:85:45:93:BE-.-00:11:F5:4E:9C:49-.-
  b.) Line 2: TimeMark for Line 1 MAC by Separate Mark
      YYYYMMDD:hhmmss
      example: 20100108:110521-.-20100108:110510-.-
==================================================================================
KAA Log Files (On PC Side) Spec 2010.01.07
1.) bkm-YYYYMMDD.log
  a.) Start Up Report by kka.vbp by date
2.) mkm-YYYYMMDD.log
  a.) Change/Modification Report by kka.vbp by date
3.) skm-YYYYMMDD.log
  a.) Network Setting Report by kka.vbp by date
4.) stoppc.log
==================================================================================
VB Program on Every PC 2010.01.07
1.) bka.vbp
  a.) Start Up Report
  b.) Create New Log File
  c.) Delete History Old Log File
  d.) Waiting for AV Catch Event
2.) mka.vbp
  a.) Change/Modification Report
  b.) Check the other 2 VBs Keep Alive
  c.) Waiting for Storage Drive File Create/Delete
3.) ska.vbp
  a.) MAC + H/W ID Keep Alive Report
  b.) Check the other 2 VBs Keep Alive
  c.) Using Winsock to Send All Log Files to KO Server
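The skm-1.php steps (receive, check against hwt-1.sys, check wlt-0.sys, trim/update/append wlt-1.sys and blt-1.sys with a TimeMark) worked through over the sys-file layouts of this section, as an added example; this is not the server's PHP code, which is not on this page. The file contents are constructed from the spec's examples. The trim length `keep`, the removal of a newly approved MAC from blt-1, and the `iptables_rules` helper at the end (which renders the routing rule sketch of the later "iptable Routing Rule" section into commands by MAC only, since the sys files hold no IPs, and executes nothing) are assumptions of this example. The second sample report shows why items 2.) and 12.) of the anti-monitoring list fail: a known MAC arriving with the wrong CPU id + HDD id lands in the black list.

```python
"""Added example, not the project's own PHP: the skm-1.php decision flow
over the hwt-1.sys / wlt-0.sys / wlt-1.sys / blt-1.sys layouts given above.
All file contents and reports here are constructed sample data."""
from datetime import datetime

SEP = "-.-"  # the KAA Separate Mark

def parse_sep_line(line):
    """Split one sys-file line on the Separate Mark. The trailing CR/LF is
    stripped because line readers keep it, and the empty field left by the
    final mark is dropped."""
    return [f for f in line.rstrip("\r\n").split(SEP) if f]

def load_hwt(text):
    """hwt-1.sys: MAC-.-CPUID-.-HDDID-.- per line -> {MAC: (CPUID, HDDID)}."""
    table = {}
    for line in text.splitlines():
        fields = parse_sep_line(line)
        if len(fields) == 3:
            table[fields[0].upper()] = (fields[1].upper(), fields[2])
    return table

def load_list(text):
    """wlt-1.sys / blt-1.sys: line 1 MACs, line 2 TimeMarks, latest first.
    wlt-0.sys has only line 1, so missing TimeMarks are filled with ''."""
    lines = text.splitlines()
    macs = parse_sep_line(lines[0]) if lines else []
    marks = parse_sep_line(lines[1]) if len(lines) > 1 else []
    marks += [""] * (len(macs) - len(marks))
    return list(zip([m.upper() for m in macs], marks))

def dump_list(entries):
    """Inverse of load_list: two CRLF lines, every field followed by the mark."""
    return ("".join(m + SEP for m, _ in entries) + "\r\n"
            + "".join(t + SEP for _, t in entries) + "\r\n")

def trim_update_append(entries, mac, timemark, keep=100):
    """'Trim + Update + Append': drop the older entry for this MAC (Unique),
    put the new one first (Latest First) and trim the list to `keep` entries
    (`keep` is an assumption of this example)."""
    rest = [(m, t) for m, t in entries if m != mac]
    return [(mac, timemark)] + rest[:keep - 1]

def is_legal(mac, cpuid, hddid, hwt, wlt0):
    """Steps b.) and c.): the MAC is legal only if hwt-1.sys binds it to the very
    CPU id + HDD id the agent reported (a cloned MAC or a copied ska.vbp fails
    here), or if the administrator pre-approved it in wlt-0.sys."""
    return hwt.get(mac) == (cpuid.upper(), hddid) or any(m == mac for m, _ in wlt0)

def process_report(mac, cpuid, hddid, hwt_text, wlt0_text, wlt1_text, blt1_text,
                   timemark=None):
    """Steps a.) to e.) of skm-1.php. Returns (verdict, new wlt-1, new blt-1)."""
    mac = mac.upper()
    timemark = timemark or datetime.now().strftime("%Y%m%d:%H%M%S")
    wlt1, blt1 = load_list(wlt1_text), load_list(blt1_text)
    if is_legal(mac, cpuid, hddid, load_hwt(hwt_text), load_list(wlt0_text)):
        wlt1 = trim_update_append(wlt1, mac, timemark)
        # design choice of this example: an approved MAC must not linger in blt-1
        blt1 = [(m, t) for m, t in blt1 if m != mac]
        return "white", dump_list(wlt1), dump_list(blt1)
    return "black", dump_list(wlt1), dump_list(trim_update_append(blt1, mac, timemark))

def iptables_rules(wlt1_text, blt1_text, chain="FORWARD"):
    """The 'iptable Routing Rule' sketch as iptables commands (strings only,
    nothing is executed): default deny, blt-1 dropped before wlt-1 is accepted.
    The sys files carry MACs only, so matching is by MAC (-m mac)."""
    rules = ["iptables -P %s DROP" % chain]
    rules += ["iptables -A %s -m mac --mac-source %s -j DROP" % (chain, m)
              for m, _ in load_list(blt1_text)]
    rules += ["iptables -A %s -m mac --mac-source %s -j ACCEPT" % (chain, m)
              for m, _ in load_list(wlt1_text)]
    return rules

# Constructed sample files in the layouts of the spec (values from its examples).
HWT = "00:11:F5:4E:9C:49-.-AFE9FBFF000006D8-.-2073084829-.-\r\n"
WLT0 = "00:81:85:45:93:BE-.-\r\n"
WLT1 = "00:11:F5:4E:9C:49-.-\r\n20100108:110510-.-\r\n"
BLT1 = "\r\n\r\n"

if __name__ == "__main__":
    # genuine report, spoofed MAC (wrong h/w id), and pre-approved MAC
    for args in [("00:11:f5:4e:9c:49", "afe9fbff000006d8", "2073084829"),
                 ("00:11:F5:4E:9C:49", "0000000000000000", "1"),
                 ("00:81:85:45:93:BE", "ANY", "ANY")]:
        verdict, w, b = process_report(*args, HWT, WLT0, WLT1, BLT1,
                                       timemark="20100108:110521")
        print(args[0], "->", verdict)
    print("\n".join(iptables_rules(WLT1, BLT1)))
```

Because the black-list rules are emitted before the white-list rules, a MAC that is on both lists is still dropped; the list-update logic removes an approved MAC from blt-1 so that case only arises if the files are edited by hand.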
==================================================================================
KAA Report Spec V.01.2 2010.01.07
Example: 20091223:232053-.-kci302128-.-kpt004-.-kic01/01-.-abcdefg-.-kic01/02-.-12345-.--.-
0.) GENERAL Mark
  a.) Separate Mark -.-
  b.) Ending Mark -.--.-
  c.) Addition Mark +++
  d.) Reduction Mark ---
1.) Header
  a.) Date/TimeMark YYYYMMDD:HHMMSS
  b.) Customer ID kctXXXXXX
  c.) PC ID kptXXX
  d.) Report ID (Initial Start Up Information) kicXX/XX
  e.) Report ID (Event) kecXX/XX
  f.) Report ID (Continuing Keep Alive) kklXX/XX
2.) Initial Start Up (VB=bka PHP=bkm.php LOG=bkm.log)
  kic01.) Start Up Hardware Spec
    kic01/01.) CPU Name
    kic01/02.) CPU ID
    kic01/03.) CPU Core
    kic01/04.) RAM Size (in MB)
    kic01/05.) HDD Name
    kic01/06.) HDD Size (in GB)
    kic01/07.) HDD ID
  kic02.) Start Up Network Spec
    kic02/01.) Physical Address
    kic02/02.) IP Address
    kic02/03.) DHCP Enable (True = Auto / False = Manual)
    kic02/04.) DHCP Server
    kic02/05.) LAN Card Spec
  kic03.) Start Up Installed SoftwareName
    kic03/01.) Installed SoftwareNames (StartUp Report All) (Addition Mark) SoftwareName
      Example: kic03/01-.-+++Adobe Air1+++Adobe Air2-.-
  kic04.) Start Up Executed SoftwareName
    kic04/01.) Executed SoftwareNames (StartUp Report All) (Addition Mark Means Executed) SoftwareName
      Example: kic04/01-.-+++QQ.exe Air1+++calc.exe-.-
  kic05.) Start Up Plug In Extension USB Storage
    kic05/01.) Plug In Extension USB Storage Device Drive Characters (StartUp Report All) (Addition Mark Means Plug In) Device Drive Character; if it is a USB Device Drive then Mark (U)
      Example: kic05/01-.-+++E(U)+++F(U)-.-
  kic06.) New Plug In USB Device
    kic06/01.) Plug In Extension USB Storage Device Names and Manufacturer (StartUp Report All) (Addition Mark Means Plug In) Device name (Manufacturer)
      Example: kic06/01-.-+++USB Audio(Creative)+++USB Mouse(Micro softe)-.-
3.) Modification Event Notification (VB=mka PHP=mkm.php LOG=mkm.log)
  kec02.) Network Spec Change Event
    kec02/01.) Physical Address
    kec02/02.) IP Address
    kec02/03.) DHCP Enable (True = Auto / False = Manual)
    kec02/04.) DHCP Server
    kec02/05.) LAN Card Spec
  kec03.) New Install/Remove SoftwareName Notification
    kec03/01.) Installed/Removed SoftwareNames by Separate Mark (Addition Mark Means Installed / Reduction Mark Means Removed) SoftwareName
      Example: kec03/01-.-+++Adobe Air1-.----Adobe Air2-.-
  kec04.) Execute/Stop SoftwareName Notification
    kec04/01.) Executed/Stopped SoftwareNames by Separate Mark (Addition Mark Means Execute / Reduction Mark Means Stop) SoftwareName
      Example: kec04/01-.-+++QQ.exe Air1-.----calc.exe-.-
  kec05.) New Plug In/Remove Extension USB Storage Notification
    kec05/01.) Plug In/Remove Extension USB Storage Device Drive Characters by Separate Mark (Addition Mark Means Plug In / Reduction Mark Means Remove) Device Drive Character; if it is a USB Device Drive then Mark (U)
      Example: kec05/01-.-+++E(U)-.----F(U)-.-
  kec06.) Plug In/Remove USB Device Notification
    kec06/01.) Plug In/Remove Extension USB Storage Device Names and Manufacturer by Separate Mark (Addition Mark Means Plug In / Reduction Mark Means Remove) Device name (Manufacturer)
      Example: kec06/01-.-+++USB Audio(Creative)-.----USB Mouse(Micro softe)-.-
  kec07.) Check COPY/DELETE Filename onto Extension Storage
    kec07/01.) FileName by IE English Version 6.0 by Separate Mark (Addition Mark Means Copy / Reduction Mark Means Delete) Full FileName
      Example: kec07/01-.-+++E:\ABC\123\XXX.DAT---F:\qqq\zzzz\999\YYY.exe-.-
  kec08.) Upload FileName by Browser/Instant Messenger
    kec08/01.) FileName by IE English Version 6.0
    kec08/02.) FileName by Yahoo English Version 9.0
  kec09.) Play Audio/Video File by Application
    kec09/01.) FileName with Flash 10d
4.) Continuing Keep Alive Reporting (VB=ska PHP=skm.php LOG=skm.log stop.log)
  kkl02.) Network Spec Keep Alive Reporting
    kkl02/01.) Physical Address
    kkl02/02.) IP Address
    kkl02/03.) DHCP Enable (True = Auto / False = Manual)
    kkl02/04.) DHCP Server
    kkl02/05.) LAN Card Spec
  kkl03.) VB KAA Stopped/Removed Alarm
    kkl03/01.) Stopped/Removed FileName with Reduction Mark
      example: kkl03/01-.----bka---mka---ska-.--.-
  kkl04.) PC Reg Run Changed Alarm
    kkl04/01.) Changed/Removed PC Registry Run filename
      example: kkl04/01-.----c:/bka.exe-.--.-
==================================================================================
iptable Routing Rule 2010/01/05
1- deny all
2- Accept white list table1 (wlt-1): "report OK" table by ip+mac (ska.vb)
3- Accept white list table2: "login OK" table by id+psw
4- Deny Black list table1 (blt-1): "report interrupted + removal reported" stop table by (mka.vb + ska.vb)
??-
?1.) 3 X LAN CARD (1 WAN + 2 LAN, or 1 LAN + 1 WAN + 1 Wireless LAN)
?2.) No access to the external network; show the login id/psw screen directly
?3.) Use the shell to change the iptables rules directly
==================================================================================
KAA = Komodo Alarm Agent Function List 2009.11.03
SUR = Start Up Report (no STS/LTS for 5 min or longer is treated as SUR)
STS = Short Time Scanning = 5 sec
LTS = Long Time Scanning = 1 min
SUR      1.) At boot, report the machine's hardware (CPU/RAM/HDD)
SUR+STS  2.) Periodically report the machine's current network settings (IP/MAC/DNS/Gateway)
SUR+LTS  3.) Report new software installed on the machine
SUR+LTS  4.) Report execution of specified software on the machine
SUR+STS  5.) Report new external media attached to the machine (USB Drive/HDD/CD-ROM)
SUR+LTS  6.) Report new external Camera attached to the machine
STS      7.) Report copy/paste of files on external media (filename/size/time)
STS      8.) Report file uploads through a web page (filename/size/time)
LTS      9.) Report multimedia playback through a web page (URL/filename/time)
// KAA10 merged into KAA08
1.) At boot, report the machine's hardware (CPU/RAM/HDD/CD-ROM)
2.) Periodically report the machine's current network settings (IP/MAC/DNS/Gateway)
3.) Report new software installed on the machine
4.) Report execution of specified software on the machine
5.) Report new external media attached to the machine (USB Drive/HDD/CD-ROM)
6.) Report new external Camera attached to the machine
7.) Report copy/paste of files on external media (filename/size/time)
8.) Report file uploads through a web page (filename/size/time)
9.) Report multimedia playback through a web page (URL/filename/time)
10.) Report file transfers through specified instant-messaging software (filename/size/time)
==================================================================================
REMARK:
1.) Two or more VB programs can OPEN the same File for APPEND at the same time. The one that Closes first gets its addition into the file, but the one that Closes later overwrites what was added before it, so only the later closer's addition remains.
2.) PHP: fputs/fgets both include the "\r\n" at the end of the line
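A parser for the KAA Report Spec V.01.2 line format above (Separate Mark, Ending Mark, Addition and Reduction Marks, kic/kec/kkl report ids), plus a reader for the kkl03/01 stopped-agent alarm that the server side would act on, as an added example; it is neither the agent's VB nor the server's PHP, none of which is on this page. The three report lines are constructed from the spec's own examples; the rejection of lines without a header or Ending Mark is a design choice of this example.

```python
"""Added example, not the agent's VB or the server's PHP: a parser for the
KAA Report Spec V.01.2 line format (Separate Mark, Ending Mark, Addition and
Reduction Marks) and a reader for the kkl03/01 stopped-agent alarm.
The report lines at the bottom are constructed from the spec's examples."""
import re

SEP, END = "-.-", "-.--.-"
HEADER_RE = re.compile(r"^\d{8}:\d{6}$")            # YYYYMMDD:HHMMSS
ID_RE = re.compile(r"^k(?:ic|ec|kl)\d{2}/\d{2}$")   # kicXX/XX kecXX/XX kklXX/XX
MARK_RE = re.compile(r"(\+\+\+|---)(.*?)(?=\+\+\+|---|$)")

def expand_marks(field):
    """A field starting with +++ or --- carries one or more marked names, with
    or without Separate Marks between them (the kec07/01 example packs two into
    one field). Return [("+", name), ("-", name), ...]; a plain value stays [value]."""
    if not field.startswith(("+++", "---")):
        return [field]
    return [(m[0], n) for m, n in MARK_RE.findall(field)]

def parse_report(line):
    """Parse one report line into header fields and a {report id: values} map.
    Lines without a proper header or Ending Mark are rejected rather than
    guessed at, so a truncated transmission cannot pass as a short report."""
    line = line.rstrip("\r\n")
    if not line.endswith(END):
        raise ValueError("missing Ending Mark")
    fields = line[:-len(END)].split(SEP)
    if len(fields) < 3 or not HEADER_RE.match(fields[0]):
        raise ValueError("bad header")
    report = {"timemark": fields[0], "customer": fields[1], "pc": fields[2], "items": {}}
    current = None
    for field in fields[3:]:
        if ID_RE.match(field):
            current = field
            report["items"].setdefault(current, [])
        elif current is None:
            raise ValueError("value %r before any report id" % field)
        else:
            report["items"][current].extend(expand_marks(field))
    return report

def stopped_agents(report):
    """kkl03/01 (VB KAA Stopped/Removed Alarm): agent names carrying a Reduction Mark."""
    return [v[1] for v in report["items"].get("kkl03/01", [])
            if isinstance(v, tuple) and v[0] == "-"]

# Constructed sample reports built from the examples in the spec.
START_UP = "20091223:232053-.-kci302128-.-kpt004-.-kic01/01-.-abcdefg-.-kic01/02-.-12345-.--.-"
EVENT = (r"20100107:091500-.-kci302128-.-kpt004-.-kec03/01-.-+++Adobe Air1-.----Adobe Air2"
         r"-.-kec07/01-.-+++E:\ABC\123\XXX.DAT---F:\qqq\zzzz\999\YYY.exe-.--.-")
KEEP_ALIVE = "20100107:091505-.-kci302128-.-kpt004-.-kkl03/01-.----bka---mka---ska-.--.-"

if __name__ == "__main__":
    for line in (START_UP, EVENT, KEEP_ALIVE):
        print(parse_report(line))
    print("stopped:", stopped_agents(parse_report(KEEP_ALIVE)))
```

Splitting on the Separate Mark before expanding the +++/--- marks is what makes both layouts on the page parse the same way: kec03/01 puts a Separate Mark between its two marked names, while kec07/01 runs them together in one field.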