How to debug the Symantec Endpoint Protection client

Article:TECH102412  |  Created: 2007-01-06  |  Updated: 2014-03-13  |  Article URL http://www.symantec.com/docs/TECH102412
Article Type: Technical Solution

Issue

How to debug the Symantec Endpoint Protection (SEP) 11.0 or 12.1 client.


Solution



Symantec Management Client Debugging

The default debug logging can be enabled with the following registry setting. Enabling it creates a file called "debug.log". In SEP 11.0 the file is located in the Symantec Endpoint Protection program installation directory; in SEP 12.1 it is in the CurrentVersion\Data\Logs subfolder of SEP's AllUsersProfile directory.

[HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC]
"smc_debuglog_on"=dword:00000001

The size of the "debug.log" file is, by default, limited to 256KB. After reaching this limit, the current log will be moved to "debug.log.bak" and a fresh debug.log file will be re-created.

NOTE: In SEP 12.1, Tamper Protection is enabled by default on the SEP client. It will prevent you from editing the registry to enable debugging unless it is disabled or changed from "Block and log the event" to "Log only". You can adjust the Tamper Protection settings by opening the client GUI, navigating to Change Settings, clicking "Configure Settings" under Client Management and then selecting the Tamper Protection tab. If your Tamper Protection settings are locked by the server, you can still enable debugging through the GUI by following the instructions later in this document.

NOTE: With the default limit of 256 KB, the log file can roll over in a short period of time. Because of this, you may need to raise the log size limit (e.g., to somewhere between 20,000 and 100,000 KB). To modify the log file size limit, add the following "Log" key and "debug_log_filesize" value:

[HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\Log]
"debug_log_filesize"=dword:00004e20

In the above example, the value of "debug_log_filesize" is the maximum size, in KB, that the "debug.log" file can reach. The number is written in hexadecimal (00004e20 = 20,000 KB). The Symantec Endpoint Protection user interface caps the log size at 100,000 KB; if necessary, you can force the value higher by setting it here in the registry.

The SMC.exe process (the executable for the Symantec Management Client service) must be stopped and restarted for changes in debug logging to take effect. Execute the following commands from a command line interface to stop and start the process:

  • smc -stop
  • smc -start

NOTE: The default location for the SMC.exe executable is %ProgramFiles%\Symantec\Symantec Endpoint Protection

If needed, the granularity of the logging can be configured by creating two values in the registry.

[HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC]
"smc_debug_level"=dword:00000000
"smc_debug_log_level"=dword:00000000

"smc_debug_level" affects the logging of AntiVirus/AntiSpyware events. "smc_debug_log_level" affects the logging of firewall events.

The options for both are: 0 - debug, 1 - info, 2 - warning, and 3 - fatal. "0" is the default value and usually recommended for troubleshooting.

The above settings can also be configured from the client user interface using the following steps:

  1. Open the Symantec Endpoint Protection client user interface
  2. Click Help and Support
  3. Click Troubleshooting
  4. Click Debug Logs
  5. Click Edit Debug Log Settings under Client Management
  6. Checkmark the Debug On box
  7. Set the desired settings
  8. Click OK
  9. Click Close
  10. Click Start
  11. Click Run
  12. Type: smc -stop
  13. Click OK
  14. Click Start
  15. Click Run
  16. Type: smc -start
  17. Click OK

To view the debug log from the client user interface:

  1. Open the Symantec Endpoint Protection user interface
  2. Click Help and Support
  3. Click Troubleshooting
  4. Click Debug Logs
  5. Click View Log under Client Management

The following optional settings enable more detailed logging of various components in the Symantec Endpoint Protection client. Before enabling them, enable Symantec Management Client debugging as discussed above.

Sylink Debugging

Sylink is the client component responsible for communication with the Symantec Endpoint Protection Manager (SEPM) server. The following debug setting is an alternative to running the SylinkWatcher/SylinkMonitor tool to log client-server communication.

To enable the logging, follow these steps:

  1. Open the following Registry location: HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\SYLINK\SyLink
  2. Create a new String Value with a value name DumpSylink
  3. Set the value data for the DumpSylink entry to the location to place the Sylink log file (e.g., C:\Sylink.log)
  4. Click Start
  5. Click Run
  6. Type: smc -stop
  7. Click OK
  8. Click Start
  9. Click Run
  10. Type: smc -start
  11. Click OK

Note: Default SMC Debugging (described above) must also be enabled.

TSE debugging

To enable Extended TSE Debugging for Network Threat Protection, stop the SMC process (smc -stop) and import this registry setting.

[HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\TSE]
"ExtendedDebug"=dword:00000001

Then start the SMC service again (smc -start).

Example from debug.log:

01/25 16:46:17 [304:960] TSE extended debugging is turned on. Flag = 
01/25 16:48:43 [304:592] TSE2415: *********DROP PACKET*********
01/25 16:48:43 [304:592] TSE: SecurityRule = Block Local File Sharin
01/25 16:48:43 [304:592] TSE: ApplicationName = C:\WINNT\system32\ntoskrnl.ex
01/25 16:48:43 [304:592] TSE2417: *** DROP PACKET **
01/25 16:48:43 [304:592] ======== TsPacket ====== BA: 1 == protocol: 2 === === EtherII Packet=== len:92==== nic:0===== 00-0c-29-4e-d7-c7 ---> ff-ff-ff-ff-ff-ff , protocol = 0x800 ===== IP Packet==== len:78==== 192.168.20.12 --> 192.168.20.255, type: 0x11, Id: 2629, Frg: 0x0 ========= UDP datagram, len: 78==== 192.168.20.12:137 -> 192.168.20.255:137 , DataLen: 5
01/25 16:48:43 [304:592] TSE2415: *********DROP PACKET**********
01/25 16:48:43 [304:592] TSE: SecurityRule = Block and Log Unchecked IP Packets
01/25 16:48:43 [304:592] TSE2417: *** DROP PACKET ***
01/25 16:48:43 [304:592] ======== TsPacket ====== BA: 1 == protocol: 2 === === EtherII Packet=== len:74==== nic:0===== 00-50-56-c0-00-02 ---> 00-0c-29-4e-d7-c7 , protocol = 0x800 ===== IP Packet==== len:60==== 192.168.20.1 --> 192.168.20.12, type: 0x1, Id: 28535, Frg: 0x0 ===== ICMP Packet==== len:40==== , type: 0x8, Code: 0, Checksum: 0x5a3a
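Each TSE drop in debug.log is spread over several lines (TSE2415, SecurityRule, ApplicationName, TsPacket), which makes large logs tedious to triage by eye. As an added example that is not part of the Symantec article, the following Python folds each drop record into one dictionary (rule, application, IP protocol, ports for UDP/TCP, type and code for ICMP) and counts drops per firewall rule; the log sample is constructed to mirror the excerpt above.

```python
import re
from collections import Counter

# Constructed sample modelled on the debug.log excerpt in this article (not a real capture).
SAMPLE_LOG = """\
01/25 16:48:43 [304:592] TSE2415: *********DROP PACKET*********
01/25 16:48:43 [304:592] TSE: SecurityRule = Block Local File Sharing
01/25 16:48:43 [304:592] TSE: ApplicationName = C:\\WINNT\\system32\\ntoskrnl.exe
01/25 16:48:43 [304:592] TSE2417: *** DROP PACKET ***
01/25 16:48:43 [304:592] ======== TsPacket ====== BA: 1 == protocol: 2 === === EtherII Packet=== len:92==== nic:0===== 00-0c-29-4e-d7-c7 ---> ff-ff-ff-ff-ff-ff , protocol = 0x800 ===== IP Packet==== len:78==== 192.168.20.12 --> 192.168.20.255, type: 0x11, Id: 2629, Frg: 0x0 ========= UDP datagram, len: 78==== 192.168.20.12:137 -> 192.168.20.255:137 , DataLen: 5
01/25 16:48:43 [304:592] TSE2415: *********DROP PACKET*********
01/25 16:48:43 [304:592] TSE: SecurityRule = Block and Log Unchecked IP Packets
01/25 16:48:43 [304:592] TSE2417: *** DROP PACKET ***
01/25 16:48:43 [304:592] ======== TsPacket ====== BA: 1 == protocol: 2 === === EtherII Packet=== len:74==== nic:0===== 00-50-56-c0-00-02 ---> 00-0c-29-4e-d7-c7 , protocol = 0x800 ===== IP Packet==== len:60==== 192.168.20.1 --> 192.168.20.12, type: 0x1, Id: 28535, Frg: 0x0 ===== ICMP Packet==== len:40==== , type: 0x8, Code: 0, Checksum: 0x5a3a
"""

LINE_RE = re.compile(r"^(\d\d/\d\d \d\d:\d\d:\d\d) \[\d+:\d+\] (.*)$")   # "MM/DD hh:mm:ss [pid:tid] msg"
IP_RE = re.compile(r"(\d+(?:\.\d+){3}) --> (\d+(?:\.\d+){3}), type: (0x[0-9a-fA-F]+)")
PORT_RE = re.compile(r":(\d+) -> \d+(?:\.\d+){3}:(\d+)")                # TCP/UDP "src:port -> dst:port"
ICMP_RE = re.compile(r"ICMP Packet.*?type: (0x[0-9a-fA-F]+), Code: (\d+)")

def parse_drops(text):
    """Fold each multi-line TSE drop record (TSE2415 ... TsPacket) into one dict."""
    records, cur = [], None
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        when, msg = m.groups()
        if msg.startswith("TSE2415:") and "DROP PACKET" in msg:   # TSE2415 opens a record
            cur = {"time": when, "rule": "", "app": "", "src": "", "dst": "", "proto": 0,
                   "sport": None, "dport": None, "icmp": None}
        elif cur is None:
            continue  # line outside any drop record (other SMC/TSE chatter)
        elif msg.startswith("TSE: SecurityRule = "):
            cur["rule"] = msg.split(" = ", 1)[1].strip()
        elif msg.startswith("TSE: ApplicationName = "):
            cur["app"] = msg.split(" = ", 1)[1].strip()
        elif msg.startswith("======== TsPacket"):
            if ip := IP_RE.search(msg):  # "type:" is the IP protocol number: 0x11 UDP, 0x6 TCP, 0x1 ICMP
                cur["src"], cur["dst"], cur["proto"] = ip.group(1), ip.group(2), int(ip.group(3), 16)
            if ports := PORT_RE.search(msg):
                cur["sport"], cur["dport"] = int(ports.group(1)), int(ports.group(2))
            if icmp := ICMP_RE.search(msg):
                cur["icmp"] = (int(icmp.group(1), 16), int(icmp.group(2)))
            records.append(cur)  # the TsPacket line closes the record
            cur = None
    return records

def drops_by_rule(records):  # drops per firewall rule, so the noisiest rule is reviewed first
    return dict(Counter(r["rule"] for r in records))
```

Point parse_drops at the contents of a real debug.log collected with ExtendedDebug on; lines that are not part of a drop record are skipped.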

AutoLocation 

This debug setting makes the Symantec Endpoint Protection agent write AutoLocation switching information to the standard "debug.log" file.

Note: In 12.1 RU2 and above, this level of debugging was moved to WPP logging.

[HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\Trident]
"AutoLocationDump"=dword:00000001  

(If the "Trident" registry key does not exist, then create it.)

Example from debug.log:

05/07 16:31:33 [916:828]  ***** AL begin get wins ip *****
05/07 16:31:33 [916:828] ***** AL begin get DNS ip
05/07 16:31:33 [916:828] ***** AL DNS Ip : 192.168.147.1
05/07 16:31:33 [916:828] ***** AL begin get gateway ip
05/07 16:31:33 [916:828] ***** AL begin get local ip and dhcp ip
05/07 16:31:33 [916:828] ***** AL local ip : 192.168.147.129
05/07 16:31:33 [916:828] ***** AL DHCP ip : 192.168.147.254
05/07 16:31:33 [916:828] ***** AL Dhcp ip :192.168.147.254 Mac :00-00-00-00-00-00
05/07 16:31:33 [916:828]  ***** AL begin get dns name *****

Host Integrity

The Host Integrity check is performed on the client machine by a JavaScript (.js) file included in the policies downloaded from the policy manager. Normally this script is deleted once the Host Integrity check has run, but with the following registry value set the file is retained so that you can review the script for troubleshooting.

[HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\SSHelper]
"EnableScriptDebug"=dword:00000001

The Host Integrity script file AVScript.js can now be found in the "Symantec Endpoint Protection" folder once Host Integrity has run.

802.1x

This debug setting is used to help isolate EAP 802.1x issues. The registry key will cause the 802.1x EAP information to be written to the standard "debug.log" file.

[HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC]
"EnableDebug802.1x"=dword:00000001

Legacy ID: 2007090611252048