How to debug the Symantec Endpoint Protection client

Article:TECH102412  |  Created: 2007-01-06  |  Updated: 2014-12-18  |  Article URL http://www.symantec.com/docs/TECH102412
Article Type: Technical Solution

Issue

You want to know how to debug the Symantec Endpoint Protection (SEP) client, and the different types of debugging available.


Solution



The following optional settings enable more detailed logging of various components of the Symantec Endpoint Protection client. Before you enable any of them, you must first enable Symantec Management Client (SMC) debugging, described in the first section below.

 
Note:
You must restart the Symantec Management Client (SMC) service for any changes in debug logging to take effect. To stop and start the SMC service, enter the following commands from a command line interface, from Start Menu > Run, or from Start Menu > Search programs and files:

  • smc -stop
  • smc -start

 


Symantec Management Client (SMC) debugging

The default debug logging can be enabled with the following registry setting:

[HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC]
"smc_debuglog_on"=dword:00000001

NOTE: In Symantec Endpoint Protection 12.1, Tamper Protection is enabled by default on the Symantec Endpoint Protection client. Tamper Protection prevents you from editing the registry to enable debugging unless you first disable it or change its action from Block and log the event to Log only. To adjust Tamper Protection settings, open the Symantec Endpoint Protection client user interface (GUI) and click Change Settings > Client Management > Configure Settings > Tamper Protection tab. If the administrator has locked Tamper Protection, you can still enable debugging through the GUI by following the instructions later in this document.

Enabling this debug logging creates a file called debug.log. For Symantec Endpoint Protection 12.1, debug.log is in the CurrentVersion\Data\Logs subfolder of SEP's AllUsersProfile or ProgramData directory; for example, on Windows 7 it is C:\ProgramData\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\Logs. For Symantec Endpoint Protection 11.0, it is in the Symantec Endpoint Protection program installation directory.

The size of the debug.log file is, by default, limited to 256 KB. After reaching this limit, the current log moves to debug.log.bak and a new debug.log file is created. With the default limit of 256 KB, the log file can roll over in a short period of time, so you may need to raise the limit (for example, to somewhere between 20,000 and 100,000 KB). To modify the log file size limit, add the Log key and the debug_log_filesize value, as follows:

[HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\Log]
"debug_log_filesize"=dword:00004e20

In the above example, the value of debug_log_filesize is the maximum amount of space (in KB) that the debug.log file can consume. The number is written in hexadecimal (0x00004e20 = 20,000 KB). The Symantec Endpoint Protection user interface allows an upper limit on the log size of 100,000 KB; if necessary, you can force the value higher by setting it here in the registry.

NOTE: The default location for the SMC.exe executable is %ProgramFiles%\Symantec\Symantec Endpoint Protection.

If needed, you can configure the granularity of the logging by creating two values in the registry.

[HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC]
"smc_debug_level"=dword:00000000
"smc_debug_log_level"=dword:00000000

smc_debug_level affects the logging of virus and spyware events:

  • 2 - system debugger
  • 4 - transaction logs
  • 6 - everything

smc_debug_log_level affects the logging of firewall events:

  • 0 - debug
  • 1 - info
  • 2 - warning
  • 3 - fatal

0 (debug) is the default value for smc_debug_log_level and is usually recommended for troubleshooting.

The above settings can also be configured from the client user interface using the following steps:

  1. Open the Symantec Endpoint Protection client user interface.
  2. Click Help > Troubleshooting > Debug Logs.
  3. Under Client Management, click Edit Debug Log Settings.
  4. Click the box next to Debug On, and then configure the settings.
  5. Click OK, and then click Close.

 
You must then restart the SMC service as noted above.
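As an added example (not Symantec's code), the registry-based procedure above as a PowerShell script run from an elevated prompt: it selects the native SMC key or, on older 64-bit clients, the Wow6432Node key noted in the TSE section, writes the debug values and the rollover size in KB, reads them back to detect a Tamper Protection block, and restarts SMC. The function and parameter names are this example's own, and smc.exe is assumed to be at the default location the article gives.

```powershell
# Added example (not Symantec's code): apply the registry settings above from an
# elevated PowerShell prompt, then restart SMC. Tamper Protection must already be
# set to "Log only" or the writes fail; the read-back below catches a silent block.

# Native key for 32-bit clients and 12.1.5+; Wow6432Node for older 64-bit clients.
$smcKey = @('HKLM:\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC',
            'HKLM:\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\SMC') |
    Where-Object { Test-Path $_ } | Select-Object -First 1
if (-not $smcKey) { throw 'SMC registry key not found; is the SEP client installed?' }

# Function and parameter names are this example's own.
function Enable-SmcDebugLogging {
    param(
        [Parameter(Mandatory)][string]$SmcKey,
        [ValidateRange(256, 1048576)][int]$LogSizeKB = 20000,  # debug.log rollover size in KB
        [ValidateSet(0, 2, 4, 6)][int]$DebugLevel = 6,         # virus/spyware events: 6 = everything
        [ValidateRange(0, 3)][int]$DebugLogLevel = 0           # firewall events: 0 = debug
    )
    $logKey = Join-Path $SmcKey 'Log'
    if (-not (Test-Path $logKey)) { New-Item -Path $logKey | Out-Null }

    New-ItemProperty -Path $SmcKey -Name 'smc_debuglog_on'     -PropertyType DWord -Value 1 -Force | Out-Null
    New-ItemProperty -Path $SmcKey -Name 'smc_debug_level'     -PropertyType DWord -Value $DebugLevel -Force | Out-Null
    New-ItemProperty -Path $SmcKey -Name 'smc_debug_log_level' -PropertyType DWord -Value $DebugLogLevel -Force | Out-Null
    # Stored as a DWORD count of KB; regedit shows 20000 as 0x00004e20, exactly as in the article.
    New-ItemProperty -Path $logKey -Name 'debug_log_filesize'  -PropertyType DWord -Value $LogSizeKB -Force | Out-Null

    # Read back: when Tamper Protection blocks the write, the old values are still there.
    $smc = Get-ItemProperty -Path $SmcKey
    $log = Get-ItemProperty -Path $logKey
    if ($smc.smc_debuglog_on -ne 1 -or $log.debug_log_filesize -ne $LogSizeKB) {
        throw 'Debug values were not written; check the Tamper Protection setting.'
    }
    'debug_log_filesize = 0x{0:X8} ({0} KB)' -f $log.debug_log_filesize
}

Enable-SmcDebugLogging -SmcKey $smcKey -LogSizeKB 20000

# Restart the service so the change takes effect (smc.exe default location per the article).
$smcExe = Join-Path $env:ProgramFiles 'Symantec\Symantec Endpoint Protection\smc.exe'
& $smcExe -stop
Start-Sleep -Seconds 10
& $smcExe -start
```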

To view the debug log from the client user interface: 

  1. Open the Symantec Endpoint Protection user interface.
  2. Click Help > Troubleshooting > Debug Logs.
  3. Under Client Management, click View Log.

 


Sylink debugging

Sylink is the client component responsible for communication with the Symantec Endpoint Protection Manager (SEPM) server. The following debug setting is an alternative to running the SylinkWatcher/SylinkMonitor tool to log client-server communication.

To enable Sylink logging, follow these steps:

Note: You must also first enable default SMC debugging (described above).

  1. Open the following registry location:
    HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\SYLINK\SyLink
  2. Create a new String Value with a value name DumpSylink.
  3. Set the value data for the DumpSylink entry to the path of the Sylink log file (for example, C:\Sylink.log).

 
You must then restart the SMC service as noted above.

 


Extended TSE debugging

To enable extended TSE debugging for Network Threat Protection, follow these steps:

  1. Stop the SMC service. Click Start (or Start > Run) and enter smc -stop.
  2. Open the registry editor. Click Start (or Start > Run) and enter regedit.
  3. Navigate to the following registry subkey:
    HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\TSE
    Note: For 64-bit systems that run a version of Symantec Endpoint Protection earlier than 12.1.5 (12.1 RU5), including Symantec Endpoint Protection 11, navigate to: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\SMC
  4. If the following DWORD value does not exist, create it: ExtendedDebug
  5. Set the value data of ExtendedDebug to 1
  6. Start the SMC service. Click Start (or Start > Run) and enter smc -start.

 
Example from debug.log: 

01/25 16:46:17 [304:960] TSE extended debugging is turned on. Flag = 
01/25 16:48:43 [304:592] TSE2415: *********DROP PACKET*********
01/25 16:48:43 [304:592] TSE: SecurityRule = Block Local File Sharing
01/25 16:48:43 [304:592] TSE: ApplicationName = C:\WINNT\system32\ntoskrnl.exe
01/25 16:48:43 [304:592] TSE2417: *** DROP PACKET **
01/25 16:48:43 [304:592] ======== TsPacket ====== BA: 1 == protocol: 2 === === EtherII Packet=== len:92==== nic:0===== 00-0c-29-4e-d7-c7 ---> ff-ff-ff-ff-ff-ff , protocol = 0x800 ===== IP Packet==== len:78==== 192.168.20.12 --> 192.168.20.255, type: 0x11, Id: 2629, Frg: 0x0 ========= UDP datagram, len: 78==== 192.168.20.12:137 -> 192.168.20.255:137 , DataLen: 5
01/25 16:48:43 [304:592] TSE2415: *********DROP PACKET********** 
01/25 16:48:43 [304:592] TSE: SecurityRule = Block and Log Unchecked IP Packets 
01/25 16:48:43 [304:592] TSE2417: *** DROP PACKET *** 
01/25 16:48:43 [304:592] ======== TsPacket ====== BA: 1 == protocol: 2 === === EtherII Packet=== len:74==== nic:0===== 00-50-56-c0-00-02 ---> 00-0c-29-4e-d7-c7 , protocol = 0x800 ===== IP Packet==== len:60==== 192.168.20.1 --> 192.168.20.12, type: 0x1, Id: 28535, Frg: 0x0 ===== ICMP Packet==== len:40==== , type: 0x8, Code: 0, Checksum: 0x5a3a
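As an added example (not Symantec's code), a PowerShell function that turns the TSE2415 ... TsPacket line groups from debug.log into one object per dropped packet (time, rule, application, protocol, source, destination), so you can see at a glance which firewall rule is dropping what. The input is the article's excerpt above embedded as a here-string; replace it with Get-Content of a real debug.log to use it on a client. The function name is this example's own.

```powershell
# Constructed input: the article's own debug.log excerpt (added example, not Symantec's code).
$sample = @'
01/25 16:48:43 [304:592] TSE2415: *********DROP PACKET*********
01/25 16:48:43 [304:592] TSE: SecurityRule = Block Local File Sharing
01/25 16:48:43 [304:592] TSE: ApplicationName = C:\WINNT\system32\ntoskrnl.exe
01/25 16:48:43 [304:592] TSE2417: *** DROP PACKET **
01/25 16:48:43 [304:592] ======== TsPacket ====== BA: 1 == protocol: 2 === === EtherII Packet=== len:92==== nic:0===== 00-0c-29-4e-d7-c7 ---> ff-ff-ff-ff-ff-ff , protocol = 0x800 ===== IP Packet==== len:78==== 192.168.20.12 --> 192.168.20.255, type: 0x11, Id: 2629, Frg: 0x0 ========= UDP datagram, len: 78==== 192.168.20.12:137 -> 192.168.20.255:137 , DataLen: 5
01/25 16:48:43 [304:592] TSE2415: *********DROP PACKET**********
01/25 16:48:43 [304:592] TSE: SecurityRule = Block and Log Unchecked IP Packets
01/25 16:48:43 [304:592] TSE2417: *** DROP PACKET ***
01/25 16:48:43 [304:592] ======== TsPacket ====== BA: 1 == protocol: 2 === === EtherII Packet=== len:74==== nic:0===== 00-50-56-c0-00-02 ---> 00-0c-29-4e-d7-c7 , protocol = 0x800 ===== IP Packet==== len:60==== 192.168.20.1 --> 192.168.20.12, type: 0x1, Id: 28535, Frg: 0x0 ===== ICMP Packet==== len:40==== , type: 0x8, Code: 0, Checksum: 0x5a3a
'@
# One object per TSE2415 ... TsPacket record (function name is this example's own).
function Get-TseDrops {
    param([string[]]$Lines)
    $rec = $null
    foreach ($line in $Lines) {
        # Every debug.log line starts with "MM/DD HH:MM:SS [pid:tid] "; the rest is the message body.
        if (-not ($line -match '^(\d\d/\d\d \d\d:\d\d:\d\d) \[\d+:\d+\] (.*)$')) { continue }
        $time = $Matches[1]; $body = $Matches[2].Trim()
        switch -Regex ($body) {
            '^TSE2415: \*+DROP PACKET\*+' {   # opens a record; the TSE2417 repeat marker is ignored
                $rec = [ordered]@{ Time = $time; Rule = ''; Application = '(none logged)'; Protocol = ''; Source = ''; Destination = '' }
            }
            '^TSE: SecurityRule = (.+)$'    { if ($rec) { $rec.Rule = $Matches[1].Trim() } }
            '^TSE: ApplicationName = (.+)$' { if ($rec) { $rec.Application = $Matches[1].Trim() } }
            '^=+ TsPacket' {
                if ($rec) {
                    # IP header part: "IP Packet==== len:78==== 192.168.20.12 --> 192.168.20.255, type: 0x11"
                    if ($body -match 'IP Packet=+\s*len:\d+=+\s*(\S+) --> (\S+), type: 0x([0-9a-f]+)') {
                        $rec.Source = $Matches[1]; $rec.Destination = $Matches[2]
                        $rec.Protocol = switch ([Convert]::ToInt32($Matches[3], 16)) { 1 {'ICMP'} 6 {'TCP'} 17 {'UDP'} default {"IP/$_"} }
                    }
                    # UDP/TCP records carry ports ("a:137 -> b:137"); ICMP records carry type/code instead.
                    if ($body -match '(\S+):(\d+) -> (\S+):(\d+)') {
                        $rec.Source = "$($Matches[1]):$($Matches[2])"; $rec.Destination = "$($Matches[3]):$($Matches[4])"
                    } elseif ($body -match 'ICMP Packet.*type: 0x([0-9a-f]+), Code: (\d+)') {
                        $rec.Protocol += " type=$([Convert]::ToInt32($Matches[1], 16)) code=$($Matches[2])"
                    }
                    [pscustomobject]$rec
                    $rec = $null
                }
            }
        }
    }
}
$drops = Get-TseDrops -Lines ($sample -split "`r?`n")
$drops | Format-Table Time, Rule, Application, Protocol, Source, Destination -AutoSize
```

On the excerpt this yields two rows: a NetBIOS name-service broadcast (UDP 137 to .255) dropped by Block Local File Sharing, and an ICMP echo request (type 8) dropped by Block and Log Unchecked IP Packets.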

 


AutoLocation 

This debug setting makes the Symantec Endpoint Protection agent write AutoLocation switching information to the standard debug.log file.

Note: In 12.1.5 (12.1 RU2) and later, this level of debugging was moved to WPP logging.

[HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\Trident]
"AutoLocationDump"=dword:00000001
  

(If the Trident registry key does not exist, then create it.)

Example from debug.log: 

05/07 16:31:33 [916:828]  ***** AL begin get wins ip *****
05/07 16:31:33 [916:828] ***** AL begin get DNS ip
05/07 16:31:33 [916:828] ***** AL DNS Ip : 192.168.147.1
05/07 16:31:33 [916:828] ***** AL begin get gateway ip
05/07 16:31:33 [916:828] ***** AL begin get local ip and dhcp ip
05/07 16:31:33 [916:828] ***** AL local ip : 192.168.147.129
05/07 16:31:33 [916:828] ***** AL DHCP ip : 192.168.147.254
05/07 16:31:33 [916:828] ***** AL Dhcp ip :192.168.147.254 Mac :00-00-00-00-00-00
05/07 16:31:33 [916:828]  ***** AL begin get dns name *****

 


Host Integrity

Host Integrity checking is performed on the agent machine by a JavaScript file included in the policies downloaded from the policy manager. Normally this script is deleted once the Host Integrity check completes, but when the following registry value is set the file is kept, so that you can review the script for troubleshooting.

[HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\SSHelper]
"EnableScriptDebug"=dword:00000001

The Host Integrity script file AVScript.js can then be found in the Symantec Endpoint Protection folder after Host Integrity has run.

 


802.1x

This debug setting helps isolate EAP 802.1x issues. The registry value causes 802.1x EAP information to be written to the standard debug.log file.

[HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC]
"EnableDebug802.1x"=dword:00000001



Legacy ID: 2007090611252048