January 7, 2012

LoD - Norton AntiVirus source- Investigation -SSC

TEAM ++The Lords of Dharmaraja++
Release 003+
+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
As of now we start sharing with all our brothers and followers information from the Indian Military Intelligence servers. So far we have discovered within the Indian Spy Programme source codes of a dozen software companies which have signed agreements with the Indian TANCS programme and CBI.
Now we release confidential documentation we encountered of Symantec corporation and its Norton AntiVirus source code, which we are going to publish later on. We are working out mirrors as of now since we experience extreme pressure and censorship from US and India government agencies.
Tancs spy programme preview:
http://imgur.com/a/8XoGf
Our first release with the Indian MI in Paris owned like shit:
http://pastebin.com/0U4dWcUX

And now first portion of Symantec docs:
We want to ask Symantec WTF Indian MI have them at?
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Definition Generation Service API specifications
fourth draft

Edward Pring, pring@watson.ibm.com
Senthil Velayudham, sen@us.ibm.com

This document describes the application programming interface specifications required for
generating virus definitions automatically from the Immune System analysis center.

This is a working draft. Do not code to this document.

IBM/Symantec Confidential

April 28, 1999

Introduction

The samples submitted for virus analysis will be processed inside the Immune System analysis center by a core set of tasks as shown below.

Classifier
Controller
Replicator
Analyzer
Incremental build
Incremental unit test
Full build
Full unit test

In addition to the above tasks, there will also be a program that asynchronously imports the new definition packages generated by human analysts outside the analysis center.

If all the tasks are successful for a given sample, a fully unit tested definition will be the end result of the automated analysis. In order to generate the virus definitions, the analysis center will be using Symantec’s Definition Generation Service located outside the analysis center firewall as shown below.

The ‘Incremental build’ and ‘Full build’ tasks inside the analysis center will use the API (provided by Symantec) to generate a new definition. The specifications for the API are described in the following sections. The API set will be provided in the form of a Perl module (SDGS.PM).

Unless otherwise stated in the API description, the standard error codes will be:
“0” -       OK
“1” -       Error
“2” -       Fail
“3” -       In Progress
“4” -       Lock Broken

When a function returns Error, the analysis center may re-try the function after an interval.

When a function returns Fail, the analysis center will defer the current sample and may then continue with the next sample.

When a function returns Lock Broken, the analysis center may re-start the current sample after an interval.

1.       Lock
$status = SDGS::Lock ();

Description
This function acquires an exclusive lock for the source library and definition generation system located outside the analysis center firewall. The locking is required to serialize access to the source library and definition generation system so that virus signatures are checked in and built atomically, whether by the automated analysis center or by the SARC engineers.

Arguments
There are no arguments for this function.

Return values
This function returns the result as shown below.

OK - If an exclusive lock is obtained.
In Progress  - If the definition generation system is busy generating some other definition.
Error - All other errors. (HTTP server down, Perforce system down etc.)

See Also
Unlock

2.       StartIncrementalDataBuild
($status, $previousSequence) =
SDGS::StartIncrementalDataBuild ($source);

Description
This function starts the incremental data build in the definition generation system and returns immediately without waiting for the build to complete. The incremental build uses the output files from a previously finished FULL build and modifies only the necessary data files (virscanX.dat).

Arguments
$source is the full path to the directory and filename where the ‘Input Source Definition Packet’ (ISDP) is available. This file may be located on a local or a remote file system. It can also be specified in the UNC format, such as “avserver5samples0000100outputdefsource.isdp”. The directory or file name could have spaces or special characters in it. The format of this file is specified in Symantec’s “Automated Definition Generation for the Digital Immune System Architectural Document”.

Return values
This function returns the result as a list. The returned list will have two values in it. The first value $status in the list will be the status of the performed operation as shown below.

In Progress - If the incremental data build has been successfully started.
Fail - If the ISDP is invalid.
Lock Broken - If the exclusive lock has been broken by some other process.
Error - All other errors. (HTTP server down, Perforce system down etc.)

The second value $previousSequence in the list will be the AVIS sequence number of the definitions from the previous FULL build that is used in the current incremental build.

See Also
StartFullDataBuild

3.       IncrementalDataBuildStatus
$status = SDGS::IncrementalDataBuildStatus ();

Description
This function returns the status of the current incremental definition build.

Arguments
There are no arguments for this function.

Return values
This function returns the value $status of the definition build as shown below.

In Progress - If the data build is still running.
OK - If the data build has finished successfully.
Fail - If the data build has finished unsuccessfully.
Lock Broken - If the exclusive lock has been broken by some other process.
Error - All other errors. (HTTP server down, Perforce system down etc.)

4.       GetBuiltPackage
$status = SDGS::GetBuiltPackage ($packageType, $packageFilename);

Description
This function gets the recently built definition package after a successful data build.

Arguments
$packageType  is the type of the definition package to get. For the initial release of the Immune System, this argument will always be a literal string called “FatAlbert”.

$packageFilename  is the full path to the directory and filename where the newly built package should be stored. This file may be stored on a local or a remote file system. It can also be specified in the UNC format, such as “avserver5defpackages0000256temp.exe”. The directory or file name could have spaces or special characters in it.

Return values
This function returns the value $status as shown below.

OK - If the definition package has been successfully obtained.
Lock Broken - If the exclusive lock has been broken by some other process.
Error - All other errors. (HTTP server down, Perforce system down etc.)

See Also
GetNewestPackage, GetBlessedPackage

5.       StartFullDataBuild
($status, $newestSequence) = SDGS::StartFullDataBuild ($sourceFilename);

Description
This function starts the full data build in the definition generation system and returns immediately without waiting for the build to complete. Before starting the full build, the AVIS sequence number is incremented and the new definition source is committed to the Perforce source control management system.

Arguments
$sourceFilename  is the full path to the directory and filename where the ‘Input Source Definition Packet’ is available. This file will be made available on a local or a remote file system. It can also be specified in the UNC format, such as “avserver5samples0000100outputdefsource.isdp”. The directory or file name could have spaces or special characters in it.

Return values
This function returns the result as a list. The returned list will have two values in it.

The first value $status in the list will be the status of the performed operation as shown below.

In Progress - If the full data build has been successfully started.
Fail - If the ISDP is invalid.
Lock Broken - If the exclusive lock has been broken by some other process.
Error - All other errors. (HTTP server down, Perforce system down etc.)

The second value $newestSequence in the list will be the newly incremented AVIS sequence number assigned to this committed full build. This sequence number is incremented on every automatic and manual build. It is always ascending and is never reset. It is not the same as the daily version number. It ranges from 1 to 99,999,999. Duplicate sequence numbers are not allowed; skipping some sequence numbers is allowed.

See Also
StartIncrementalDataBuild

6.       FullDataBuildStatus
$status = SDGS::FullDataBuildStatus();

Description
This function returns the status of the current full definition build.

Arguments
There are no arguments for this function.

Return values
This function returns the value $status of the definition build as shown below.

In Progress - If the data build is still running.
OK - If the data build has finished successfully.
Fail - If the data build has finished unsuccessfully.
Lock Broken - If the exclusive lock has been broken by some other process.
Error - All other errors. (HTTP server down, Perforce system down etc.)

7.       Unlock
$status = SDGS::Unlock ();

Description
This function relinquishes the exclusive lock obtained for the definition generation system located outside the analysis center firewall. The user of the definition generation system will be responsible for calling this function after the ‘Data Build’ operation is completed.

Arguments
There are no arguments for this function.

Return values
This function returns the value $status as shown below.

OK - If the exclusive lock is released for the definition generation system.
Error - All other errors. (HTTP server down, Perforce system down etc.)

See Also
Lock

8.       GetNewestPackage
($status, $newerSequence) =
SDGS::GetNewestPackage ($packageType, $packageFilename, $olderSequence);

Description
This function gets the newest definition package available, if it is different from the newest package already in the analysis center. This function will be used periodically to get newer definition packages generated by human analysts outside the analysis center firewall. This function does not build a definition package, it just gets a package that has previously been built.  This function does not require exclusive access to the source library or definition generation system, and may be called with or without the lock.

This function specifies as an argument the sequence number of an older package previously gotten.  If there are no newer packages available with sequence numbers higher than the specified older sequence number, this function will not get any definition package. If there are newer packages available with sequence numbers higher than the specified older sequence number, this function will get the newest package.

Arguments
$packageType  is the type of the definition package to get. For the initial release of the Immune System, this argument will always be a literal string called “FatAlbert”.

$packageFilename is the full path to the directory and filename where the newest package should be stored. This file may be stored on a local or a remote file system. It can also be specified in the UNC format, such as “avserver5defpackages0000257temp.exe”. The directory or file name could have spaces or special characters in it.

$olderSequence  is the sequence number of the definition package which is already available in the analysis center. This function will try to get a definition package that is newer than this value.

Return values
This function returns the result as a list. The returned list will have two values in it.

The first value $status in the list will be the status of the performed operation as shown below.

OK  - If the newest definition package has been successfully obtained.
Fail  - If no newer definition package is available.
Error - All other errors. (HTTP server down, Perforce system down etc.)

The second value $newerSequence in the list will be the sequence number of the definition package gotten, or NULL if no newer packages are available.

See Also
GetBuiltPackage, GetBlessedPackage

9.       GetBlessedPackage
($status, $blessedSequence) =
SDGS::GetBlessedPackage ($packageType, $packageFilename, $previousSequence);

Description
This function gets the current blessed definition package, if it is different from the blessed package that is already in the analysis center. This function will be used periodically to get a definition package that has been blessed outside the analysis center firewall. This is the same as the definition package that is published to the LiveUpdate server after a successful quality assurance test. This function does not build a definition package; it just gets a package that has previously been built and blessed. This function does not require exclusive access to the source library or definition generation system, and may be called with or without the lock.

This function specifies as an argument the sequence number of an older blessed package previously gotten.  If the current blessed package does not have a sequence number higher than the specified older sequence number, this function will not get any definition package. If the current blessed package does have a sequence number higher than the specified older sequence number, this function will get the current blessed package.

Arguments
$packageType  is the type of the definition package to get. For the initial release of the Immune System, this argument will always be a literal string called “FatAlbert”.

$packageFilename is the full path to the directory and filename where the blessed package should be stored. This file may be stored on a local or a remote file system. It can also be specified in the UNC format, such as “avserver5defpackages0000257temp.exe”. The directory or file name could have spaces or special characters in it.

$previousSequence is the sequence number of the blessed definition package which is already available in the analysis center. This function will try to get a blessed definition package that has superseded this value.

Return values
This function returns the result as a list. The returned list will have two values in it.

The first value $status in the list will be the status of the performed operation as shown below.

OK  - If the blessed definition package has been successfully obtained.
Fail  - If the current blessed definition package has not changed.
Error - All other errors. (HTTP server down, Perforce system down etc.)

The second value $blessedSequence in the list will be the sequence number of the current blessed definition package gotten, or NULL if the current blessed package has not changed.

See Also
GetBuiltPackage, GetNewestPackage

Miscellaneous

This section briefly describes the steps involved in generating definitions from the Immune System analysis center.

i)      Whenever a definition build needs to be done for a sample, the analysis center client will make a ‘lock’ request to lock the definition generation service. If a lock has been obtained successfully, the analysis center client will issue an ‘Incremental build’ request to the Symantec definition generation service. This request will provide the definition source strings as input to the definition generation service. For the incremental build, the output files of the previously finished full build will be used as the base.

ii)     The analysis center client will query the definition generation service periodically to get the incremental build results.

iii)    When the incremental build is done, the analysis center client will get the newly built definition package using the GetBuiltPackage () function. For the initial release of the Immune System, the analysis center client will get a package (Fat Albert) containing the modified ‘virscanX.dat’ files and all other files from the most recent FULL build.

iv)     After receiving the incremental build results, a unit test will be done inside the analysis center.

v)      Based on the unit test results, the analysis center client will issue a ‘Full build’ request to the definition generation service. At this time, the definition generation service will increment the definition sequence number, commit the unit tested definitions to the Perforce source control management system and do a final FULL build using the successfully unit tested definition source strings.

vi)     The analysis center client will query the definition generation service periodically for the final build results.

vii)    When the final build is complete, the analysis center client will get the definition package resulting from the full build.

viii)   The analysis center client will unit test the final FULL build results. If the unit test succeeds, the lock acquired on the definition generation service will be released and the newly built definition package will be distributed to the customers. If the unit test fails, the analysis center client sends an alert and stops holding the definition generation service lock until the SARC engineers handle this error manually.
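The cycle in steps i) to viii), driven by the status-code policy from the introduction (re-try on Error, defer the sample on Fail, restart it on Lock Broken), as an added Perl client that is not part of the leaked specification. The SDGS package below is a constructed in-memory mock of SDGS.PM so the script runs offline; only the function names, argument order, return lists and status codes come from the document, and the names wait_for_build, run_build and build_definition are this example's own.

```perl
use strict;
use warnings;
# Constructed mock of SDGS.PM so the driver runs offline (a real client does `use SDGS;`).
# Status codes are the document's: 0 OK, 1 Error, 2 Fail, 3 In Progress, 4 Lock Broken.
package SDGS;
my ($locked, $seq, $polls) = (0, 256, 0);   # a mock build finishes on its second poll
sub Lock   { return 3 if $locked; $locked = 1; return 0 }
sub Unlock { $locked = 0; return 0 }
sub StartIncrementalDataBuild  { $polls = 2; return ($_[0] =~ /\.isdp$/ ? 3 : 2, $seq) }
sub IncrementalDataBuildStatus { return --$polls > 0 ? 3 : 0 }
sub StartFullDataBuild         { $polls = 2; return ($_[0] =~ /\.isdp$/ ? 3 : 2, ++$seq) }
sub FullDataBuildStatus        { return --$polls > 0 ? 3 : 0 }
sub GetBuiltPackage            { return $_[0] eq 'FatAlbert' ? 0 : 1 }
package main;
my %NEXT = (1 => 'error', 2 => 'deferred', 4 => 'restart');  # Error, Fail, Lock Broken
# Poll a *Status function until it leaves In Progress; Error is re-tried a bounded
# number of times, as the spec permits (a real client sleeps between polls).
sub wait_for_build {
    my ($status_fn, $max_errors) = @_;
    my $errors = 0;
    while (1) {
        my $st = $status_fn->();
        return $st if $st != 3 && $st != 1;               # OK, Fail or Lock Broken
        return 1  if $st == 1 && ++$errors > $max_errors;
    }
}
# Steps i-viii for one sample. %job: source (.isdp path), tmp and final (package
# destinations), unit_test (callback given the package file and sequence number).
sub run_build {
    my (%job) = @_;
    my ($st, $prev) = SDGS::StartIncrementalDataBuild($job{source});   # i
    return $NEXT{$st} || 'error' if $st != 3;
    $st = wait_for_build(\&SDGS::IncrementalDataBuildStatus, 3);       # ii
    return $NEXT{$st} || 'error' if $st != 0;
    $st = SDGS::GetBuiltPackage('FatAlbert', $job{tmp});               # iii
    return $NEXT{$st} || 'error' if $st != 0;
    return 'deferred' unless $job{unit_test}->($job{tmp}, $prev);     # iv: nothing committed
    my ($st2, $new) = SDGS::StartFullDataBuild($job{source});          # v: commit + full build
    return $NEXT{$st2} || 'error' if $st2 != 3;
    $st = wait_for_build(\&SDGS::FullDataBuildStatus, 3);              # vi
    return $NEXT{$st} || 'error' if $st != 0;
    $st = SDGS::GetBuiltPackage('FatAlbert', $job{final});             # vii
    return $NEXT{$st} || 'error' if $st != 0;
    return $job{unit_test}->($job{final}, $new) ? "built:$new" : 'alert'; # viii
}
sub build_definition {
    my (%job) = @_;
    my $lock = SDGS::Lock();
    return 'busy'  if $lock == 3;   # service busy with another build: try again later
    return 'error' if $lock != 0;
    my $result = run_build(%job);
    SDGS::Unlock();                 # the lock holder must release it when the build is over
    return $result;
}
print build_definition(source => 'defsource.isdp', tmp => 'temp.exe',
                       final => 'final.exe', unit_test => sub { 1 }), "\n";
```

Pass a unit_test callback that returns false to see the sample deferred before anything is committed to Perforce, and change the source name so it does not end in .isdp to exercise the Fail path.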

http://pastebin.com/ncUXAgWG
