Interpreting the log files for Symantec AntiVirus Corporate Edition and Symantec Endpoint Protection

Article:TECH100099  |  Created: 2002-01-19  |  Updated: 2012-03-29  |  Article URL http://www.symantec.com/docs/TECH100099
Article Type: Technical Solution

Issue

You need to know what each column in the log file(s) means. For either Symantec AntiVirus (SAV) or Symantec Endpoint Protection (SEP), the log files are usually located in the following directory:
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Logs


Solution



The Logs folder contains a series of log files, one file for each day of log entries. The files are named MMDDYYYY.log, where MMDDYYYY indicates the date of the log entries. Each log file is a plain text file that can be viewed in Notepad. The log files are comma-delimited, with 39 fields in Symantec AntiVirus Corporate Edition 8.x and 59 fields in Symantec AntiVirus Corporate Edition 9.x and later.

The logs are kept in the following locations, depending on the version and operating system:

  • Symantec Endpoint Protection 11.0
    • Windows 2003/XP/2000
      \Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Logs
  • Symantec AntiVirus Corporate Edition 10.x
    • Windows 2003/XP/2000
      \Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Logs
    • NetWare
      Sys:\SAV\Logs
  • Symantec AntiVirus Corporate Edition 9.x
    • Windows 2003/XP/2000
      \Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Logs
    • Windows 98
      \Program Files\Program Files\Symantec Client Security\Symantec AntiVirus\Logs
    • Windows NT
      \WINNT\Profiles\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Logs
    • NetWare
      Sys:\SAV\Logs
  • Symantec AntiVirus Corporate Edition 8.x
    • Windows 2003/XP/2000
      \Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Logs
    • Windows 98
      \Program Files\Program Files\Symantec_Client_Security\Symantec AntiVirus\Logs
    • Windows NT
      \WINNT\Profiles\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Logs
    • NetWare
      Sys:\NAV\Logs


Example entry
200A13080122,23,2,8,TRAVEL00,SYSTEM,,,,,,,16777216,"Symantec AntiVirus Realtime Protection Loaded.",0,,0,,,,,0,,,,,,,,,,SAMPLE_COMPUTER,,,,Parent,GROUP,,8.0.93330


Description of the fields

00) LI_TIME: Time of event

    The timestamp consists of six hexadecimal octets. They represent the following:
      First octet: Number of years since 1970
      Second octet: Month, where January = 0
      Third octet: Day
      Fourth octet: Hour
      Fifth octet: Minute
      Sixth octet: Second
      For example, 200A13080122 represents November 19, 2002, 8:01:34 AM (20 = 32 years after 1970, 0A = month 10, i.e. November, 13 = day 19, 08 = 8 hours, 01 = 1 minute, 22 = 34 seconds).

01) LI_EVENT: Indicates the Event Number.

    1 - GL_EVENT_IS_ALERT
    2 - GL_EVENT_SCAN_STOP
    3 - GL_EVENT_SCAN_START
    4 - GL_EVENT_PATTERN_UPDATE
    5 - GL_EVENT_INFECTION
    6 - GL_EVENT_FILE_NOT_OPEN
    7 - GL_EVENT_LOAD_PATTERN
    8 - GL_STD_MESSAGE_INFO (not used)
    9 - GL_STD_MESSAGE_ERROR (not used)
    10 - GL_EVENT_CHECKSUM
    11 - GL_EVENT_TRAP
    12 - GL_EVENT_CONFIG_CHANGE
    13 - GL_EVENT_SHUTDOWN
    14 - GL_EVENT_STARTUP
    16 - GL_EVENT_PATTERN_DOWNLOAD
    17 - GL_EVENT_TOO_MANY_VIRUSES
    18 - GL_EVENT_FWD_TO_QSERVER
    19 - GL_EVENT_SCANDLVR
    20 - GL_EVENT_BACKUP
    21 - GL_EVENT_SCAN_ABORT
    22 - GL_EVENT_RTS_LOAD_ERROR
    23 - GL_EVENT_RTS_LOAD
    24 - GL_EVENT_RTS_UNLOAD
    25 - GL_EVENT_REMOVE_CLIENT
    26 - GL_EVENT_SCAN_DELAYED
    27 - GL_EVENT_SCAN_RESTART
    28 - GL_EVENT_ADD_SAVROAMCLIENT_TOSERVER
    29 - GL_EVENT_REMOVE_SAVROAMCLIENT_FROMSERVER
    30 - GL_EVENT_LICENSE_WARNING
    31 - GL_EVENT_LICENSE_ERROR
    32 - GL_EVENT_LICENSE_GRACE
    33 - GL_EVENT_UNAUTHORIZED_COMM
    34 - GL_EVENT_LOG_FWD_THRD_ERR
    35 - GL_EVENT_LICENSE_INSTALLED
    36 - GL_EVENT_LICENSE_ALLOCATED
    37 - GL_EVENT_LICENSE_OK
    38 - GL_EVENT_LICENSE_DEALLOCATED

    Events added in Symantec AntiVirus 10.x:
    39 - GL_EVENT_BAD_DEFS_ROLLBACK
    40 - GL_EVENT_BAD_DEFS_UNPROTECTED
    41 - GL_EVENT_SAV_PROVIDER_PARSING_ERROR
    42 - GL_EVENT_RTS_ERROR
    43 - GL_EVENT_COMPLIANCE_FAIL
    44 - GL_EVENT_COMPLIANCE_SUCCESS
    45 - GL_EVENT_SECURITY_SYMPROTECT_POLICYVIOLATION
    46 - GL_EVENT_ANOMALY_START
    47 - GL_EVENT_DETECTION_ACTION_TAKEN
    48 - GL_EVENT_REMEDIATION_ACTION_PENDING
    49 - GL_EVENT_REMEDIATION_ACTION_FAILED
    50 - GL_EVENT_REMEDIATION_ACTION_SUCCESSFUL
    51 - GL_EVENT_ANOMALY_FINISH
    52 - GL_EVENT_COMMS_LOGIN_FAILED
    53 - GL_EVENT_COMMS_LOGIN_SUCCESS
    54 - GL_EVENT_COMMS_UNAUTHORIZED_COMM
    55 - GL_EVENT_CLIENT_INSTALL_AV
    56 - GL_EVENT_CLIENT_INSTALL_FW
    57 - GL_EVENT_CLIENT_UNINSTALL
    58 - GL_EVENT_CLIENT_UNINSTALL_ROLLBACK
    59 - GL_EVENT_COMMS_SERVER_GROUP_ROOT_CERT_ISSUE
    60 - GL_EVENT_COMMS_SERVER_CERT_ISSUE
    61 - GL_EVENT_COMMS_TRUSTED_ROOT_CHANGE
    62 - GL_EVENT_COMMS_SERVER_CERT_STARTUP_FAILED
    63 - GL_EVENT_CLIENT_CHECKIN
    64 - GL_EVENT_CLIENT_NO_CHECKIN
    65 - GL_EVENT_SCAN_SUSPENDED
    66 - GL_EVENT_SCAN_RESUMED
    67 - GL_EVENT_SCAN_DURATION_INSUFFICIENT
    68 - GL_EVENT_CLIENT_MOVE
    69 - GL_EVENT_SCAN_FAILED_ENHANCED
    70 - GL_EVENT_MAX_EVENT_NUMBER

    Events added in Symantec Endpoint Protection 11.0:
    71 - GL_EVENT_HEUR_THREAT_NOW_WHITELISTED
    72 - GL_EVENT_INTERESTING_PROCESS_DETECTED_START
    73 - GL_EVENT_LOAD_ERROR_COH
    74 - GL_EVENT_LOAD_ERROR_SYKNAPPS
    75 - GL_EVENT_INTERESTING_PROCESS_DETECTED_FINISH
    76 - GL_EVENT_HPP_SCAN_NOT_SUPPORTED_FOR_OS
    77 - GL_EVENT_HEUR_THREAT_NOW_KNOWN
    GL_EVENT_MAX_EVENT_NUMBER is defined as 80 in this version (#define GL_EVENT_MAX_EVENT_NUMBER 80).

02) LI_CAT: Category number.
    1 - GL_CAT_INFECTION
    2 - GL_CAT_SUMMARY
    3 - GL_CAT_PATTERN
    4 - GL_CAT_SECURITY
03) LI_LOGGER: Indicates the logger of the event.

    This is a bit-encoded 32-bit number. On a client only the lower 16 bits are used, and the value specifies what type of scan logged the event:
    0 - LOGGER_Scheduled
    1 - LOGGER_Manual
    2 - LOGGER_Real_Time
    6 - LOGGER_Console
    7 - LOGGER_VPDOWN
    8 - LOGGER_System
    9 - LOGGER_Startup

    When the event is sent from a client to a server, the lower 16 bits are copied to the upper 16 bits, and the lower 16 bits are reset to specify the origin of the event:
    101 - LOGGER_Client - the event was received from a client
    102 - LOGGER_Forwarded - the event was received (forwarded) from another server

    Examples of combined values:
    65637 - Manual Scan
    131173 - Realtime
    524389 - System
    720997 - Defwatch
    6619237 - Client

    This process is repeated when the event is sent from a secondary server to a primary server, so the first scan type is overwritten, and the parent server will only know the origin.

    Examples:
    Value (DEC) | Value (Hex) | Upper 16 bits (dec) | Lower 16 bits (dec) | Scan type
    2           | 0000 0002   | 0                   | 2                   | Realtime scan
    131173      | 0002 0065   | 2                   | 101                 | Realtime scan
    6619237     | 0065 0065   | 101                 | 101                 | Client

04) LI_COMPUTER: Computer's name (or IP / IPX address)
05) LI_USER: Username
06) LI_VIRUS: Virus Name (Virus Found event only)
07) LI_FILE: Virus's Location (Virus Found event only)
08) LI_ACTION1: Primary Action configuration (Virus Found event only)
1 - Quarantine infected file
2 - Rename infected file
3 - Delete infected file
4 - Leave alone (log only)
5 - Clean virus from file
6 - Clean or delete macros
Anything else - Unknown Action
09) LI_ACTION2: Secondary Action configuration (Virus Found event only)
1 - Quarantine infected file
2 - Rename infected file
3 - Delete infected file
4 - Leave alone (log only)
5 - Clean virus from file
6 - Clean or delete macros
Anything else - Unknown Action
10) LI_ACTION0: Action Taken (Virus Found event only)
1 - Quarantined
2 - Renamed
3 - Deleted
4 - Left alone
5 - Cleaned
6 - Cleaned or macros deleted (no longer used as of Symantec AntiVirus 9.x)
7 - Saved file as...
8 - Sent to Intel (AMS)
9 - Moved to backup location
10 - Renamed backup file
11 - Undo action in Quarantine View
12 - Write protected or lack of permissions - Unable to act on file
13 - Backed up file

Additional actions were added to LI_ACTION0 in Symantec AntiVirus 10.0. Read the section Additional changes for Symantec AntiVirus 10.0 for more information.

11) LI_VIRUSTYPE: Virus Type listed below in hex (Virus Found event only). Most Viruses found are either 1280 (0x00000500), a macro virus, or 256 (0x00000100), a regular file virus.

    0x00000001 - VEBOOTVIRUS
    0x00000003 - VEBOOT1VIRUS
    0x00000005 - VEBOOT2VIRUS
    0x00000009 - VEBOOT3VIRUS
    0x00000100 - VEFILEVIRUS
    0x00000300 - VEMUTATIONVIRUS
    0x00000500 - VEFILEMACROVIRUS
    0x00000900 - VEFILE2VIRUS
    0x00001100 - VEFILE3VIRUS
    0x00010000 - VEMEMORYVIRUS
    0x00030000 - VEMEMOSVIRUS
    0x00050000 - VEMEMMCBVIRUS
    0x00090000 - VEMEMHIGHESTVIRUS
    0x01000000 - VEVIRUSBEHAVIOR
    0x03000000 - VEVIRUS1BEHAVIOR
    0x08000000 - VEFILECOMPRESSED
    0x10000000 - VEHURISTIC

    When expanded threats are encountered, the table below is used to further identify the threat type.
    For example, when W32.Remadmin is detected, this column has the value 400 (hex 0x190), which is the combination of VEFILEVIRUS (0x100) + VE_REMOTE_ACCESS (0x90).

    0x00000010L - VE_NON_VIRAL_MALICIOUS
    0x00000020L - VE_RESERVED_MALICIOUS
    0x00000030L - VE_HEURISTIC
    0x00000040L - VE_SECURITY_RISK_ON
    0x00000050L - VE_HACKER_TOOLS
    0x00000060L - VE_SPYWARE
    0x00000070L - VE_TRACKWARE
    0x00000080L - VE_DIALERS
    0x00000090L - VE_REMOTE_ACCESS
    0x000000A0L - VE_ADWARE
    0x000000B0L - VE_JOKE_PROGRAMS
    0x000000C0L - VE_SECURITY_RISK_OFF

12) LI_FLAGS: Indicates what kind of event block this is. Most of the time it will be 16777216 (EB_LOG). However, for events logged as Virus Found the number is set to 33570852, which does not correspond to any of the values listed below.

    4194304 - EB_ACCESS_DENIED
    8388608 - EB_REPORT
    16777216 - EB_LOG
    33554432 - EB_REAL_CLIENT
    67108864 - EB_FIRST_ITEM
    134217728 - EB_LAST_ITEM
    0x10000000 - EB_NO_LOG (listed in hex)
    0x20000000 - EB_FROM_CLIENT (listed in hex)
    4095 - EB_FA_OVERLAYS
    4190208 - EB_N_OVERLAYS
13) LI_DESCRIPTION: Message found on the "Properties" page (Event Log events only), or a message indicating scan start or scan stop along with the results (Scan History events only). Error 00000002 is ERROR_FILE_NOT_FOUND: either the server could not find the file to push to the client, or the server could not determine where on the client to put the file.
14) LI_SCANID: ID number of associated scan (for Scan History events and Virus Found events)
15) LI_NEW_EXT: Will require further investigation as to the purpose of this log entry.
16) LI_GROUPID: Indicates the Group ID.
17) LI_EVENT_DATA: Results of a scan => Viruses : Infected : Total Files : Files Omitted (Scan Complete events only)
18) LI_VBIN_ID: Stores the ID of the file in Quarantine if it is Quarantined.
19) LI_VIRUS_ID: ID of the particular virus.
20) LI_QUARFWD_STATUS: Indicates the status of the Quarantine attempt.
0 - QF_NONE
1 - QF_FAILED
2 - QF_OK
21) LI_ACCESS: Stores the "operation flags", but is almost always equal to 0. For completeness, the flags are listed below, in hex.

    0x00000001 - FA_READ
    0x00000002 - FA_WRITE
    0x00000004 - FA_EXEC
    0x00000008 - FA_IN_TABLE
    0x00000010 - FA_REJECT_ACTION
    0x00000020 - FA_ACTION_COMPLETE
    0x00000040 - FA_DELETE_WHEN_COMPLETE
    0x00000080 - FA_CLIENT_REQUEST
    0x00000100 - FA_OWNED_BY_USER
    0x00000200 - FA_DELETE
    0x00000800 - FA_OWNED_BY_QUEUE
    0x00001000 - FA_FILE_IN_CACHE
    0x00002000 - FA_SCAN
    0x00004000 - FA_GET_TRAP_DATA
    0x00008000 - FA_USE_TRAP_DATA
    0x00010000 - FA_FILE_NEEDS_SCAN
    0x00020000 - FA_BEFORE_OPEN
    0x00040000 - FA_AFTER_OPEN
    0x00080000 - FA_SCAN_BOOT_SECTOR
    0x10000000 - FA_COMING_FROM_NAVAP
    0x20000000 - FA_BACKUP_TO_QUARANTINE

22) LI_SND_STATUS:
23) LI_COMPRESSED: Indicates whether the file is, or is inside, a compressed file.
0 - No
1 - Yes
24) LI_DEPTH: Indicates the depth within a compressed file at which the virus was found.
25) LI_STILL_INFECTED: Indicates how many files in a compressed container are still infected after a manual or scheduled scan.
26) LI_DEFINFO: Version of Virus Definitions Used (Virus Found event only)
27) LI_DEFSEQNUMBER: The Definition Sequence Number of the Virus Definitions used.
28) LI_CLEANINFO: Indicates whether file is cleanable or not.
0 - VECLEANABLE
1 - VENOCLEANPATTERN
2 - VENOTCLEANABLE
29) LI_DELETEINFO: Indicates whether the file can be deleted.
4 - VEDELETABLE
5 - VENOTDELETABLE
30) LI_BACKUP_ID: Stores the ID of the file stored in Backup if it is backed up.
31) LI_PARENT: Name of the parent server, if this is a managed client
32) LI_GUID: GUID of the machine (Virus Found event only)
33) LI_CLIENTGROUP: Stores the client group, if set.
34) LI_ADDRESS: IP or IPX address in the form IP-xxx.xxx.xxx.xxx
35) LI_DOMAINNAME: Server group. Set servers only.
36) LI_NTDOMAIN: Windows domain or workgroup
37) LI_MACADDR: Hardware address
38) LI_VERSION: Software version
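Putting the field descriptions above to use, here is an added Python example (not part of the original article and not Symantec's own tooling) that parses the article's sample entry: it decodes LI_TIME from its six hex octets, splits LI_LOGGER into its upper and lower 16 bits as described under field 03, expands LI_FLAGS into EB_* names, and maps the event and category numbers to their GL_* names. The lookup tables are deliberately partial subsets of the lists above; everything else, including the SAMPLE line, comes from this article.

```python
import csv
from datetime import datetime

# Partial GL_EVENT_*/GL_CAT_*/LOGGER_*/EB_* tables from this article; extend from the lists above.
EVENTS = {2: "GL_EVENT_SCAN_STOP", 3: "GL_EVENT_SCAN_START", 5: "GL_EVENT_INFECTION",
          23: "GL_EVENT_RTS_LOAD", 24: "GL_EVENT_RTS_UNLOAD"}
CATEGORIES = {1: "GL_CAT_INFECTION", 2: "GL_CAT_SUMMARY", 3: "GL_CAT_PATTERN", 4: "GL_CAT_SECURITY"}
LOGGERS = {0: "LOGGER_Scheduled", 1: "LOGGER_Manual", 2: "LOGGER_Real_Time", 6: "LOGGER_Console",
           7: "LOGGER_VPDOWN", 8: "LOGGER_System", 9: "LOGGER_Startup",
           101: "LOGGER_Client", 102: "LOGGER_Forwarded"}
FLAGS = {0x400000: "EB_ACCESS_DENIED", 0x800000: "EB_REPORT", 0x1000000: "EB_LOG",
         0x2000000: "EB_REAL_CLIENT", 0x4000000: "EB_FIRST_ITEM", 0x8000000: "EB_LAST_ITEM",
         0x10000000: "EB_NO_LOG", 0x20000000: "EB_FROM_CLIENT"}
# The article's own example entry (Symantec AntiVirus 8.x format, 39 fields).
SAMPLE = ('200A13080122,23,2,8,TRAVEL00,SYSTEM,,,,,,,16777216,'
          '"Symantec AntiVirus Realtime Protection Loaded.",0,,0,,,,,0,,,,,,,,,,'
          'SAMPLE_COMPUTER,,,,Parent,GROUP,,8.0.93330')

def decode_time(stamp):
    """LI_TIME: six hex octets = years since 1970, zero-based month, day, hour, minute, second."""
    y, mo, d, h, mi, s = (int(stamp[i:i + 2], 16) for i in range(0, 12, 2))
    return datetime(1970 + y, mo + 1, d, h, mi, s)

def decode_logger(value):
    """LI_LOGGER: a client sets only the low 16 bits (scan type); a server that receives the
    event copies them to the high 16 bits and stores the origin (101 client, 102 forwarded) low."""
    upper, lower = value >> 16, value & 0xFFFF
    if upper == 0:
        return {"scan": LOGGERS.get(lower, str(lower)), "origin": "local"}
    return {"scan": LOGGERS.get(upper, str(upper)), "origin": LOGGERS.get(lower, str(lower))}

def decode_flags(value):
    """LI_FLAGS is a bit mask; return every EB_* name whose bit is set."""
    return [name for bit, name in FLAGS.items() if value & bit]

def parse_line(line):
    """Map one comma-delimited log line to the named fields documented in this article."""
    f = next(csv.reader([line]))   # the csv module handles the quoted LI_DESCRIPTION field
    if len(f) not in (39, 59):
        raise ValueError("expected 39 (SAV 8.x) or 59 (SAV 9.x+) fields, got %d" % len(f))
    return {
        "time": decode_time(f[0]),
        "event": EVENTS.get(int(f[1]), "GL_EVENT_" + f[1]),
        "category": CATEGORIES.get(int(f[2]), "GL_CAT_" + f[2]),
        "logger": decode_logger(int(f[3])),
        "computer": f[4], "user": f[5], "virus": f[6], "file": f[7],
        "flags": decode_flags(int(f[12])), "description": f[13],
        "parent": f[31], "version": f[38],
    }
```

Running parse_line(SAMPLE) yields the RTS_LOAD summary event from TRAVEL00 at 2002-11-19 08:01:34 with the EB_LOG flag; the 9.x and later fields 39 to 58 can be added to the returned dict in the same way.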


Additional fields for Symantec AntiVirus Corporate Edition 9.x
Symantec AntiVirus Corporate Edition 9.x adds the following fields:

39) LI_REMOTE_MACHINE: Name of remote computer that attempted to copy a threat locally
40) LI_REMOTE_MACHINE_IP: IP address of remote computer that attempted to copy a threat locally
41) LI_ACTION1_STATUS: Status of Requested Primary Action
42) LI_ACTION2_STATUS: Status of Requested Secondary Action

    The STATUS value provides a descriptive text string describing whether the action completed or not, and provides specifics. The value can be any combination of the following values:

    Value      | Meaning
    0x00000000 | No information
    0x00000001 | The file could not be opened
    0x00000002 | The file was wiped clean of data
    0x00000004 | The file was truncated to 0 bytes
    0x00000008 | The file could not be deleted
    0x00000100 | Flag created files due to special handling
    0x00000200 | The just created infected file was deleted
    0x00000400 | Dir2-type infected files are not quarantined
    0x00000800 | Dir2-type infected files are deleted if the file is being created
    0x00001000 | Dir2-type infected files are not deleted
    0x00010000 | File was deleted due to the DESTROY flag

    The values are combined to return various standard strings that appear when viewing the logs, such as the following:
    • "The file was quarantined successfully."
    • "The process was terminated and the file was quarantined successfully."
    • "The file was locked by another program and could not be deleted, but was successfully copied to Quarantine."
    • "The file was locked by another program and could not be deleted at this time, but was successfully copied to Quarantine."
    • "The file was in use by another program and could not be deleted, but it's contents were destroyed to render it harmless. It was successfully copied to Quarantine."


43) LI_LICENSE_FEATURE_NAME
44) LI_LICENSE_FEATURE_VER
45) LI_LICENSE_SERIAL_NUM
46) LI_LICENSE_FULFILLMENT_ID
47) LI_LICENSE_START_DT
48) LI_LICENSE_EXPIRATION_DT
49) LI_LICENSE_LIFECYCLE
50) LI_LICENSE_SEATS_TOTAL
51) LI_LICENSE_SEATS
52) LI_ERR_CODE
53) LI_LICENSE_SEATS_DELTA

    The LI_LICENSE fields are used in the Business Pack products and any other products with enforced electronic licensing.


54) LI_STATUS
55) LI_DOMAIN_GUID
56) LI_LOG_SESSION_GUID
57) LI_VBIN_SESSION_ID
58) LI_LOGIN_DOMAIN


Additional changes for Symantec AntiVirus 10.0
The following additional actions were added to LI_ACTION0 for Symantec AntiVirus 10.0:

10) LI_ACTION0: Action Taken (Virus Found event only)
14 - Pending analysis
15 - First action was partially successful; second action was Leave Alone. Results of the second action are not mentioned.
16 - A process needs to be terminated to remove a risk
17 - Prevent a risk from being logged or a user interface from being displayed
18 - Performing a request to restart the computer
19 - Shows as Cleaned by Deletion in the Risk History in the UI and the Logs in the SSC
20 - Auto-Protect prevented a file from being created; reported "Access denied."


Legacy ID: 2002111911231448