VB Program on Every PC 2010.01.25
1.) bka.vbp
  a.) Sync system with KO
  b.) Start Up Report
  c.) Delete history (old log files)
  d.) Wait for AV catch event
  e.) Call next: mka.vbp
2.) mka.vbp
  a.) Change/Modification Report
  b.) Check that the other 2 VBs are still alive
  c.) Check whether Registry>Run has changed
  d.) Wait for file create/delete events on storage drives
  e.) Call next: ska.vbp
3.) ska.vbp
  a.) PCid + MAC + HWid Keep Alive Report
  b.) Check that the other 2 VBs are still alive
  c.) Check whether Registry>Run has changed
  d.) Use Winsock to send the Start Up bkm.log to the KO server
  e.) Use Winsock to send bkm.log to the KO server every 5 sec
==================================================================================
PHP Program on Komodo Server 2010.01.10
1.) bkm-1.php
  a.) Receive bkm-XXX.log from the PC's bka.vbp
  b.) Update bkm-XXX.log on the KO server by day
2.) mkm-1.php
  a.) Receive mkm-XXX.log from the PC's mka.vbp
  b.) Update mkm-XXX.log on the KO server by day
3.) skm-1.php
  a.) Receive the PCid + MAC + HWid report
  b.) Update skm-XXX.log on the KO server by hour
  ----------- ???? ------------
  c.) Check the received MAC + H/W ID against the legal table (hwt-1)
  d.) Check whether the MAC is pre-approved (wlt-0)
  e.) Trim + update + append the MAC white list (wlt-1) with a timemark
  f.) Trim + update + append the MAC black list (blt-1) with a timemark
==================================================================================
PC User Anti-Monitoring Behaviours and Countermeasures 2010.01.09
1.) Change from automatic IP (DHCP) to a fixed IP --> (ineffective) --> KO: iptables is managed directly from the MAC table
2.) Change the MAC --> (detectable) --> ska.vbp reports H/W ID + MAC; an illegal MAC is found by checking against hwt-1.sys
3.) Change the H/W ID --> (cannot be done) --> no way of changing the CPU ID + HDD ID has been found so far
4.) Swap the network cable --> (ineffective) --> same reason as 1.)
5.) Change the PC name --> (ineffective) --> same reason as 1.)
6.) Stop ska.vbp alone --> (detectable) --> mka.vbp reports it
7.) Stop ska.vbp + mka.vbp at the same time --> (detectable) --> when the shell processes white list 1 it must re-check whether every entry in the whole list is still valid
8.) Disable the network / unplug the cable, then stop ska.vbp alone --> (detectable) --> same reason as 7.)
9.) Disable the network / unplug the cable, then stop ska.vbp + mka.vbp at the same time --> (detectable) --> same reason as 7.)
10.) Change Registry>Run first, then remove all vbp, then reboot --> (detectable) --> mka.vbp and ska.vbp report the Registry>Run change
11.) Disable the network / unplug the cable first, then change the registry, remove all vbp and reboot --> (ineffective) --> the MAC will not appear in the white list
12.) COPY someone else's ska.vbp or mka.vbp onto your own machine --> (ineffective) --> the H/W ID + MAC reported by ska.vbp do not change
13.) Use anti-virus software --> ?????
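The KO-side table handling that skm-1.php is meant to do (check the keep-alive's MAC + H/W ID against hwt-1, check pre-approval in wlt-0, trim/update wlt-1 and blt-1 with timemarks) together with countermeasure 7 (re-validate the whole white list, not only the MACs that just reported), worked through as an added Python example. This is not KAA's PHP code. It assumes the table formats and the ska keep-alive line format given in the KAA Sys Files and Report specs further down this page, a constructed set of tables and reports, a 5-minute stale threshold taken from the SUR note, and a rendering of the routing rule as iptables `-m mac --mac-source` commands (the routing rule names the tables but not the commands).

```python
"""KO-side keep-alive processing (the skm-1.php step), as an added Python example.
Not KAA's own code. Assumed (not on the page): STALE_SECONDS = 300, the deny
policies for unknown MACs and hardware mismatches, and the constructed tables below."""
from datetime import datetime, timedelta

SEP = "-.-"                     # KAA Separate Mark
TIMEMARK = "%Y%m%d-%H%M%S"      # YYYYMMDD-hhmmss (":" is not allowed in Windows file names)
STALE_SECONDS = 300             # assumption: no keep-alive for 5 min = agent gone (SUR note)


def split_marks(text):
    """Split a '-.-' delimited string and drop the empty field left by the trailing mark."""
    return [f for f in text.strip().split(SEP) if f != ""]


def parse_hwt1(text):
    """hwt-1.sys: one 'MAC-.-CPUID-.-HDDID-.-' per line -> {MAC: (CPUID, HDDID)}."""
    table = {}
    for line in text.splitlines():
        fields = split_marks(line)
        if len(fields) == 3:                     # HDDID may be negative ('-.--2027687366')
            table[fields[0].upper()] = (fields[1].upper(), fields[2])
    return table


def parse_wlt0(text):
    """wlt-0.sys: administrator's pre-approved MACs -> set of MACs."""
    return {m.upper() for m in split_marks(text)}


def parse_list_table(text):
    """wlt-1.sys / blt-1.sys: line 1 = MACs (latest first), line 2 = their timemarks."""
    lines = text.splitlines()
    macs = split_marks(lines[0]) if lines else []
    marks = split_marks(lines[1]) if len(lines) > 1 else []
    return dict(zip(macs, marks))


def format_list_table(table):
    """{MAC: timemark} -> the two-line wlt-1/blt-1 text, latest first."""
    ordered = sorted(table.items(), key=lambda kv: kv[1], reverse=True)
    if not ordered:
        return "\n"
    return (SEP.join(m for m, _ in ordered) + SEP + "\n"
            + SEP.join(t for _, t in ordered) + SEP + "\n")


def parse_keepalive(line):
    """ska line: TIMESTAMP-.-PCID-.-MAC-.-CPUID-.-HDDID-.- (timestamp may still use ':')."""
    ts, pcid, mac, cpuid, hddid = split_marks(line)[:5]
    return ts.replace(":", "-"), pcid, mac.upper(), cpuid.upper(), hddid


def check_keepalive(line, hwt1, wlt0):
    """Return (verdict, reason, MAC, timemark); verdict is 'allow' or 'deny'."""
    ts, _pcid, mac, cpuid, hddid = parse_keepalive(line)
    legal = hwt1.get(mac)
    if legal is None:
        return "deny", "MAC not in hwt-1", mac, ts
    if legal != (cpuid, hddid):
        # countermeasures 2 and 12: spoofed MAC, or another PC's ska.vbp copied over
        return "deny", "MAC/hardware-ID mismatch", mac, ts
    if mac not in wlt0:
        return "deny", "MAC not pre-approved in wlt-0", mac, ts
    return "allow", "", mac, ts


def update_tables(reports, hwt1, wlt0, wlt1, blt1, now):
    """Apply one batch of keep-alives, then trim the whole white list
    (countermeasure 7: a MAC that went silent must not stay approved)."""
    for line in reports:
        verdict, _reason, mac, ts = check_keepalive(line, hwt1, wlt0)
        if verdict == "allow":
            wlt1[mac] = ts
            blt1.pop(mac, None)
        else:
            blt1[mac] = ts
            wlt1.pop(mac, None)
    now_mark = now.strftime(TIMEMARK)
    for mac, ts in list(wlt1.items()):
        if now - datetime.strptime(ts, TIMEMARK) > timedelta(seconds=STALE_SECONDS):
            del wlt1[mac]
            blt1[mac] = now_mark
    return wlt1, blt1


def iptables_rules(wlt1, blt1, chain="FORWARD"):
    """Render the routing rule (deny all / accept wlt-1 / deny blt-1) as MAC-match commands."""
    rules = ["iptables -P %s DROP" % chain]
    rules += ["iptables -A %s -m mac --mac-source %s -j ACCEPT" % (chain, m) for m in wlt1]
    rules += ["iptables -A %s -m mac --mac-source %s -j DROP" % (chain, m) for m in blt1]
    return rules


# --- constructed sample data (not captures from a real KO server) ---
HWT_1 = ("00:11:F5:4E:9C:49-.-AFE9FBFF000006D8-.-2073084829-.-\n"
         "00:E0:4C:10:AA:00-.-0383F9FF00000686-.--2027687366-.-\n"
         "00:81:85:45:93:BE-.-0FABFBFF000106E5-.-1122334455-.-\n")
WLT_0 = "00:81:85:45:93:BE-.-00:11:F5:4E:9C:49-.-00:E0:4C:10:AA:00-.-"
WLT_1_BEFORE = ("00:81:85:45:93:BE-.-00:11:F5:4E:9C:49-.-\n"
                "20100123-095800-.-20100123-095530-.-\n")
REPORTS = [   # legal PC; legal MAC with foreign hardware IDs; MAC not in hwt-1
    "20100123:100501-.-480821908460590351-.-00:E0:4C:10:AA:00-.-0383F9FF00000686-.--2027687366-.-",
    "20100123-100458-.-480821908460590352-.-00:11:F5:4E:9C:49-.-0383F9FF00000686-.--2027687366-.-",
    "20100123-100455-.-480821908460590353-.-00:AA:BB:CC:DD:EE-.-0000000000000000-.-1-.-",
]


def run_cycle(now=datetime(2010, 1, 23, 10, 5, 1)):
    """One skm cycle over the sample data -> (wlt1, blt1, iptables command list)."""
    wlt1, blt1 = update_tables(REPORTS, parse_hwt1(HWT_1), parse_wlt0(WLT_0),
                               parse_list_table(WLT_1_BEFORE), {}, now)
    return wlt1, blt1, iptables_rules(wlt1, blt1)


if __name__ == "__main__":
    w, b, cmds = run_cycle()
    print("wlt-1.sys:\n" + format_list_table(w))
    print("blt-1.sys:\n" + format_list_table(b))
    print("\n".join(cmds))
```

In the sample cycle the PC that cloned another machine's MAC is caught by the hwt-1 pair check, the unknown MAC is denied outright, and the PC that last reported at 09:58:00 is moved from wlt-1 to blt-1 at the trim step even though it sent nothing this cycle, which is exactly the case countermeasures 7 to 9 (cable pulled, then agents stopped) depend on.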
==================================================================================
KAA Sys Files (On Server Side) Specification 2010.01.13
1.) hwt-1.sys (Legal MAC by H/W ID Table)
  a.) MAC-.-CPUID-.-HDDID-.-
      example: 00:11:F5:4E:9C:49-.-AFE9FBFF000006D8-.-2073084829-.-
2.) wlt-0.sys (Pre-Approved Connecting White List Table, maintained by the administrator)
  a.) MACs of pre-approved connecting PCs, separated by the Separate Mark
      example: 00:81:85:45:93:BE-.-00:11:F5:4E:9C:49-.-
3.) wlt-1.sys (Approved Connecting White List Table, built by checking hwt-1 and wlt-0)
  a.) Line 1: unique MACs of approved connecting PCs, ordered by last update (latest first, now --> ago), separated by the Separate Mark; each entry XX:XX:XX:XX:XX:XX
      example: 00:81:85:45:93:BE-.-00:11:F5:4E:9C:49-.-
  b.) Line 2: timemark for each MAC in line 1, in the same order, separated by the Separate Mark; format YYYYMMDD-hhmmss
      example: 20100108-110521-.-20100108-110510-.-
4.) blt-1.sys (Denied Connecting Black List Table, built by checking hwt-1 and wlt-0)
  a.) Line 1: unique MACs of denied connecting PCs, ordered by last update (latest first, now --> ago), separated by the Separate Mark; each entry XX:XX:XX:XX:XX:XX
      example: 00:81:85:45:93:BE-.-00:11:F5:4E:9C:49-.-
  b.) Line 2: timemark for each MAC in line 1, in the same order, separated by the Separate Mark; format YYYYMMDD-hhmmss
      example: 20100108-110521-.-20100108-110510-.-
==================================================================================
KAA Log Files (Both on PC and on KO Server Side) Spec 2010.01.25
1.) bkm-YYYYMMDD.log, one per day
  a.) Start Up Report written by bka.vbp, by date
  b.) A line carrying the Sent Mark means that report has already been sent
2.) mkm-YYYYMMDD.log, one per day
  a.) Change/Modification Report written by mka.vbp, by date
  b.) A line carrying the Sent Mark means that report has already been sent
3.) mkm-YYYYMMDD-HHMM.log (KO only), one per minute
  a.) Change/Modification Report written by ska.vbp, by minute
  b.) Sent every 5 seconds
==================================================================================
KAA Report Spec V 2.0 2010.01.25
Example: 20091223-232053-.-kci302128-.-kpt004-.-kic01/01-.-abcdefg-.-kic01/02-.-12345-.--.-
0.) GENERAL Marks
  a.) Separate Mark                                          -.-
  b.) Sub-Separate Mark (for different factors of the same item)   =.=
  c.) Addition Mark                                          ***
  d.) Reduction Mark                                         ---
  e.) Sent/Done Mark                                         ^^^
  f.) Shut Down Mark                                         !!!
1.) Header
  a.) Date/TimeMark                              YYYYMMDD-HHMMSS   // ":" changed into "-" because Windows does not allow ":" in file names
  b.) Customer ID (5 digits)                     XXXXX
  c.) PC ID (4 digits)                           XXXX
  d.) Report ID (initial Start Up information)   kicXX/XX
  e.) Report ID (change)                         kecXX/XX
2.) Initial Start Up (VB=bka, PC log=bka.log, PHP=bkm.php, KO log=bkm.log)
  kic01.) Start Up Hardware Spec
    kic01/01.) CPU Name
    kic01/02.) CPU ID
    kic01/03.) CPU Cores
    kic01/04.) RAM Size (in MB)
    kic01/05.) 1st HDD Name
    kic01/06.) 1st HDD Size (in GB)
    kic01/07.) 1st HDD ID
    kic01/08.) 2nd HDD Name
    kic01/09.) 2nd HDD Size (in GB)
    kic01/10.) 2nd HDD ID
    kic01/11.) PC (XP) Name
  kic02.) Start Up Network Spec
    kic02/01.) Physical Address
    kic02/02.) IP Address
    kic02/03.) DHCP Enabled (True = Auto / False = Manual)
    kic02/04.) DHCP Server
    kic02/05.) LAN Card Spec
    //=========== v.2.2 2010 04 25 ===============================
    kic02/11.) Start Up Adapter Hardware Spec + Configuration (one per real card and per connected false/virtual card)
               (Index / Description / Type / Mac / Ip / GatewayIp / DhcpEnable) True = Auto / False = Manual
               Example: kic02/11-.-17=.=Atheros AR5005GS Wireless Network Adapter=.=WIFI=.=00:11:F5:4E:9C:49=.=192.168.1.100=.=192.168.1.1=.=True=.=
    //==========================================================
  kic03.) Start Up Installed Software Names
    kic03/01.) Installed software names (start-up reports all; Addition Mark means installed): SoftwareName
               Example: kic03/01-.-Adobe Air1=.=Adobe Air2=.=
  kic04.) Start Up Executed Software Names
    kic04/01.) Executed software names (start-up reports all; Addition Mark means executed): SoftwareName
               Example: kic04/01-.-QQ.exe Air1=.=calc.exe=.=
  kic05.) Start Up Plugged-In External USB Storage
    kic05/01.) Drive letters of plugged-in external USB storage devices (start-up reports all; Addition Mark means plugged in): drive letter, with (U) appended if it is a USB drive
               Example: kic05/01-.-E(U)=.=F(U)=.=
  kic06.) New Plugged-In USB Device
    kic06/01.) Names and manufacturers of plugged-in external USB devices (start-up reports all; Addition Mark means plugged in): Device name
               (Manufacturer)
               Example: kic06/01-.-USB Audio(Creative)=.=USB Mouse(Microsoft)=.=
3.) Modification Event Notification (VB=mka, PC log=mka.log, PHP=mkm.php, KO log=mkm.log)
  kec02.) New/Changed/Deleted Network Spec
    //=========== v.2.2 2010 04 26 ===============================
    kec02/12.) New Adapter Hardware Spec + Configuration (one per real card and per connected false/virtual card)
               (Index / Description / Type / Mac / Ip / GatewayIp / DhcpEnable) True = Auto / False = Manual
               Example: kec02/12-.-17=.=Atheros AR5005GS Wireless Network Adapter=.=WIFI=.=00:11:F5:4E:9C:49=.=192.168.1.100=.=192.168.1.1=.=True=.=
    kec02/13.) Changed Adapter Hardware Spec + Configuration (one per real card and per connected false/virtual card)
               (Index / Description / Type / Mac / Ip / GatewayIp / DhcpEnable) True = Auto / False = Manual
               Example: kec02/13-.-17=.=Atheros AR5005GS Wireless Network Adapter=.=WIFI=.=00:11:F5:4E:9C:49=.=192.168.1.100=.=192.168.1.1=.=True=.=
    kec02/14.) Deleted Adapter Hardware Spec + Configuration (one per real card and per connected false/virtual card)
               (Index / Description / Type / Mac / Ip / GatewayIp / DhcpEnable) True = Auto / False = Manual
               Example: kec02/14-.-17=.=Atheros AR5005GS Wireless Network Adapter=.=WIFI=.=00:11:F5:4E:9C:49=.=192.168.1.100=.=192.168.1.1=.=True=.=
    //==========================================================
  kec03.) New Install/Remove Software Name Notification
    kec03/01.) Installed/removed software names, listed with the Sub-Separate Mark (Addition Mark means installed / Reduction Mark means removed): SoftwareName
               Example: kec03/01-.-***Adobe Air1=.=---Adobe Air2=.=
  kec04.) Execute/Stop Software Name Notification
    kec04/01.) Executed/stopped software names, listed with the Sub-Separate Mark (Addition Mark means executed / Reduction Mark means stopped): SoftwareName
               Example: kec04/01-.-***QQ.exe Air1=.=---calc.exe=.=
  kec05.) New Plug-In/Remove External USB Storage Notification
    kec05/01.) Drive letters of plugged-in/removed external USB storage devices, listed with the Sub-Separate Mark (Addition Mark means plugged in / Reduction Mark means removed): drive letter, with (U) appended if it is a USB drive
               Example:
               kec05/01-.-***E(U)=.=---F(U)=.=
  kec06.) Plug-In/Remove USB Device Notification
    kec06/01.) Names and manufacturers of plugged-in/removed external USB devices, listed with the Sub-Separate Mark (Addition Mark means plugged in / Reduction Mark means removed): Device name (Manufacturer)
               Example: kec06/01-.-***USB Audio(Creative)=.=---USB Mouse(Microsoft)=.=
  kec07.) Check COPY/DELETE of File Names onto External Storage
    kec07/01.) File names (by IE English Version 6.0), listed with the Sub-Separate Mark (Addition Mark means copied / Reduction Mark means deleted): full file name
               Example: kec07/01-.-***E:\ABC\123\XXX.DAT=.=
  kec08.) File Names Uploaded by Browser/Instant Messenger
    kec08/01.) File name, by IE English Version 6.0
    kec08/02.) File name, by Yahoo English Version 9.0
  kec09.) Audio/Video File Played by Browser
    kec09/01.) File name, with Flash 10d
  kec10.) VB KAA Stopped Alarm
    kec10/01.) Stopped file names, each prefixed with a Reduction Mark
               example: kec10/01-.----bka.exe---mka.exe---ska.exe-.-
    kec10/02.) Changed/removed Registry>Run entry for a KAA file name
               example: kec10/02-.----c:/bka.exe-.-
4.) Continuing Keep Alive Reporting (VB=ska, PHP=skm.php, KO log=skm.log)
  a.) Timestamp + PCID + MAC + CPU ID + 1st HDD ID
      Example: 20100123:100501-.-480821908460590351-.-00:E0:4C:10:AA:00-.-0383F9FF00000686-.--2027687366-.-
==================================================================================
iptable Routing Rule 2010/01/05
1 - Deny all
2 - Accept white list table 1 (wlt-1): the "reporting OK" table, by IP + MAC (ska.vb)
3 - Accept white list table 2: the "login OK" table, by ID + password
4 - Deny black list table 1 (blt-1): the "report interrupted / report removed" (stop) table, by (mka.vb + ska.vb)
??-
?1.) 3 x LAN cards (1 WAN + 2 LAN, or 1 LAN + 1 WAN + 1 wireless LAN)
?2.) No access to the external network: the login ID/password screen is shown directly
?3.)
Change the iptables rules directly with a shell script
==================================================================================
KAA = Komodo Alarm Agent Function List 2009.11.03
SUR = Start Up Report (5 min or more in a row with no STS/LTS report is treated as a new start-up)
STS = Short Time Scanning = 5 sec
LTS = Long Time Scanning = 1 min
SUR      1.) On boot, report the machine's hardware (CPU/RAM/HDD)
SUR+STS  2.) Periodically report the machine's current network settings (IP/MAC/DNS/Gateway)
SUR+LTS  3.) Report newly installed software
SUR+LTS  4.) Report execution of specified software
SUR+STS  5.) Report newly attached external media (USB drive/HDD/CD-ROM)
SUR+LTS  6.) Report newly attached external camera
STS      7.) Report files copied/pasted to external media (file name/size/time)
STS      8.) Report files uploaded through a web page (file name/size/time)
LTS      9.) Report multimedia played through a web page (URL/file name/time)
// KAA10 merged into KAA08
1.) On boot, report the machine's hardware (CPU/RAM/HDD/CD-ROM)
2.) Periodically report the machine's current network settings (IP/MAC/DNS/Gateway)
3.) Report newly installed software
4.) Report execution of specified software
5.) Report newly attached external media (USB drive/HDD/CD-ROM)
6.) Report newly attached external camera
7.) Report files copied/pasted to external media (file name/size/time)
8.) Report files uploaded through a web page (file name/size/time)
9.) Report multimedia played through a web page (URL/file name/time)
10.) Report files sent through specified messaging software (file name/size/time)
==================================================================================
REMARK:
1.) Two or more VB programs can OPEN the same file for APPEND at the same time. The one that closes first gets its new data appended to the file, but the one that closes later overwrites what was appended before it, so only the later closer's additions survive.
2.) PHP: fputs/fgets both keep the "\r\n" at the end of the line
==================================================================================
IE Temporary Internet Access
1.) Update the login password periodically
  1a.) The customer KO's cron fetches the login password from 85/test1/genipt.php at a fixed time; format:
       [custid]-temppsw=\r\n
       [PSW]\r\n
       ending\r\n
  1b.) Store the fetched password directly in customer KO\temppsw
2.) Update the temporary white list periodically (every ten seconds)
  2a.) Rename customer KO\tempip -> customer KO\tempip-0
  2b.) Read the white list from customer KO\tempip-0; format:
       [ip]\r\n
       [ip]\r\n
       ....
  2c.) Delete customer KO\tempip-0
3.) The customer login PHP is customer KO\tmp.php; after login it links to tmp-1.php, which does the password check
==================================================================================
event_desc_0317.txt
PC verification code error occurred
Stopped the monitoring software
Changed the monitoring software's registry settings
Changed PC hardware without authorisation
Installed a USB device without authorisation
Inserted a USB flash drive or portable hard disk without authorisation
Copied files to a USB flash drive or portable hard disk
Sent files out using a browser
Sent files out using messaging software
Changed the IP acquisition settings
Changed the DHCP server settings
Installed software without authorisation
Used REGEDIT
Used system optimisation software
Used P2P download software
Used downloader software
Browsed the web with a browser
Played audio/video with software
Played audio/video online
Played online games
Used instant messaging software
Exempted instant messaging software
========================================
Software
"regedit.exe"
"360.exe"
"bt.exe"
"ShLe.exe"
"IE.exe"
"Yahoo.exe"
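A parser for the KAA Report Spec V 2.0 line format above (Separate Mark, Sub-Separate Mark, Addition/Reduction Marks, header, report-ID/payload pairs) with a small alarm check for the kec10 stop/registry events and kec07 copy-to-external-storage events, as an added Python example. This is not KAA's own VB or PHP code. The sample report line is constructed from the page's own examples, the handling of run-together marks in kec10 payloads follows the example given there, and the mapping of report IDs to alarm wording (loosely after the event_desc_0317.txt list) is an assumption.

```python
"""Parser for KAA Report Spec V 2.0 lines, as an added Python example (not KAA's own
VB or PHP code). The sample line and the alarm wording are constructed."""
import re

SEP, SUBSEP = "-.-", "=.="                 # Separate Mark, Sub-Separate Mark
MARKS = {"***": "+", "---": "-"}           # Addition Mark, Reduction Mark
# Marked items may be run together without '=.=' (the kec10/01 example). A value
# that itself contains '***' or '---' would be cut here; the spec does not cover that.
MARK_RE = re.compile(r"(\*\*\*|---)(.*?)(?=\*\*\*|---|$)")


def parse_payload(payload):
    """'***A=.=---B=.=' -> [('+','A'), ('-','B')]; unmarked factors get mark ''."""
    items = []
    for part in payload.split(SUBSEP):
        if part == "":
            continue                            # empty tail left by the trailing '=.='
        if part[:3] in MARKS:
            items += [(MARKS[m], v) for m, v in MARK_RE.findall(part)]
        else:
            items.append(("", part))            # plain value, or one factor of an item
    return items


def parse_report(line):
    """Header (timemark, customer ID, PC ID) followed by (report ID, payload) pairs."""
    fields = line.strip().split(SEP)
    while fields and fields[-1] == "":          # trailing '-.-' and '-.--.-'
        fields.pop()
    if len(fields) < 3:
        raise ValueError("report line shorter than its header: %r" % line)
    report = {"timemark": fields[0].replace(":", "-"),   # normalise to YYYYMMDD-HHMMSS
              "customer": fields[1], "pc": fields[2], "items": {}}
    rest = fields[3:]
    for i in range(0, len(rest) - 1, 2):
        report["items"][rest[i]] = parse_payload(rest[i + 1])
    return report


def alarms(report):
    """Events a KO operator would page on; the ID -> wording mapping is an assumption."""
    found = []
    for mark, name in report["items"].get("kec10/01", []):
        if mark == "-":
            found.append(("kec10/01", "KAA agent stopped: " + name))
    for _mark, path in report["items"].get("kec10/02", []):
        found.append(("kec10/02", "Registry>Run entry for KAA changed/removed: " + path))
    for mark, path in report["items"].get("kec07/01", []):
        if mark == "+":
            found.append(("kec07/01", "file copied to external storage: " + path))
    return found


# Constructed sample: one change report carrying four event items.
SAMPLE = (r"20100123-101500-.-kci302128-.-kpt004-.-"
          r"kec03/01-.-***Adobe Air1=.=---Adobe Air2=.=-.-"
          r"kec07/01-.-***E:\ABC\123\XXX.DAT=.=-.-"
          r"kec10/01-.----bka.exe---mka.exe-.-"
          r"kec10/02-.----c:/bka.exe-.-")

if __name__ == "__main__":
    rep = parse_report(SAMPLE)
    for rid, items in rep["items"].items():
        print(rid, items)
    for rid, text in alarms(rep):
        print("ALARM", rid, text)
```

Note the two payload shapes the format mixes: kec03/kec05 style items are each prefixed with a mark and separated by `=.=`, while the kec10 examples run the marked items straight together, so the parser splits on `=.=` first and only then on mark boundaries. Negative HDD IDs (kic01/07, and the ska keep-alive line) start with a single `-`, which is not a Reduction Mark and is left untouched.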