Symantec Endpoint Protection 11.x event log entries

Article:TECH105571  |  Created: 2008-01-07  |  Updated: 2008-01-07  |  Article URL http://www.symantec.com/docs/TECH105571
Article Type: Technical Solution


Environment

Issue



You would like to know the possible event log entries and their definitions.


Solution



Below is a list of events that are logged on the local client and forwarded on to the Symantec Endpoint Protection Manager. Many, but not all, of these events appear in the Windows Application Log.

| Event | Event Number | Raw Event Code | Description |
|---|---|---|---|
| Scan Stopped | 2 | GL_EVENT_SCAN_STOP | Occurs when antivirus scanning completes. |
| Scan Started | 3 | GL_EVENT_SCAN_START | Occurs when antivirus scanning starts. |
| Definition File Sent To Server | 4 | GL_EVENT_PATTERN_UPDATE | Occurs when a parent server sends a .vdb file to a secondary server. |
| Virus Found | 5 | GL_EVENT_INFECTION | Occurs when scanning detects a virus. |
| Scan Omission | 6 | GL_EVENT_FILE_NOT_OPEN | Occurs when scanning fails to gain access to a file or directory. |
| Definition File Loaded | 7 | GL_EVENT_LOAD_PATTERN | Occurs when Symantec AntiVirus loads a new .vdb file. |
| Checksum | 10 | GL_EVENT_CHECKSUM | Occurs when a checksum error occurs when verifying a digitally signed file. |
| Auto-Protect | 11 | GL_EVENT_TRAP | Occurs when Auto-Protect is not fully operational. |
| Configuration Changed | 12 | GL_EVENT_CONFIG_CHANGE | Occurs when a server updates its configurations according to the changes made from the console, excluding configuration changes made in the PRODUCTCONTROL or DOMAINDATA registry keys. |
| Symantec AntiVirus Shutdown | 13 | GL_EVENT_SHUTDOWN | Occurs when the Rtvscan.exe service is unloaded. |
| Symantec AntiVirus Startup | 14 | GL_EVENT_STARTUP | Occurs when the Rtvscan.exe service is loaded. |
| Definition File Download | 16 | GL_EVENT_PATTERN_DOWNLOAD | Occurs when new definitions are downloaded by a scheduled definitions update. |
| Scan Action Auto-Changed | 17 | GL_EVENT_TOO_MANY_VIRUSES | Occurs when Symantec AntiVirus has deleted or quarantined more than 5 infected files within the last minute. The number of files quarantined or deleted and the time interval are configurable from the registry. The defaults are 5 files in 60 seconds. |
| Sent To Quarantine Server | 18 | GL_EVENT_FWD_TO_QSERVER | Occurs when quarantined files are sent to a Quarantine Server. |
| Delivered To Symantec Security Response | 19 | GL_EVENT_SCANDLVR | Occurs when a file is delivered to Symantec Security Response. |
| Backup Restore Error | 20 | GL_EVENT_BACKUP | Occurs when Symantec AntiVirus cannot back up a file or restore a file from Quarantine. |
| Scan Aborted | 21 | GL_EVENT_SCAN_ABORT | Occurs when a scan is stopped before it completes. |
| Symantec AntiVirus Auto-Protect Load Error | 22 | GL_EVENT_RTS_LOAD_ERROR | Occurs when Auto-Protect fails to load. |
| Symantec AntiVirus Auto-Protect Loaded | 23 | GL_EVENT_RTS_LOAD | Occurs when Auto-Protect loads successfully. |
| Symantec AntiVirus Auto-Protect Unloaded | 24 | GL_EVENT_RTS_UNLOAD | Occurs when Auto-Protect is unloaded. |
| Scan Delayed | 26 | GL_EVENT_SCAN_DELAYED | Occurs when a scheduled scan is snoozed/paused (delayed). |
| Scan Re-started | 27 | GL_EVENT_SCAN_RESTART | Occurs when a snoozed/paused scan is restarted. |
| Log Forwarding Error | 34 | GL_EVENT_LOG_FWD_THRD_ERR | Occurs when there is a problem with the log forwarding process. Also logs when Event and Settings Manager are started. |
| Definitions Rollback | 39 | GL_EVENT_BAD_DEFS_ROLLBACK | Occurs when definitions are rolled back. |
| Definitions Unprotected | 40 | GL_EVENT_BAD_DEFS_UNPROTECTED | Occurs when a computer is not protected with definitions. |
| Auto-Protect Error | 41 | GL_EVENT_SAV_PROVIDER_PARSING_ERROR | Occurs when an error occurs with Auto-Protect. |
| Configuration Error | 42 | GL_EVENT_RTS_ERROR | General error. Primarily occurs when a configuration file cannot be read. |
| SymProtect Action | 45 | GL_EVENT_SECURITY_SYMPROTECT_POLICYVIOLATION | Occurs when SymProtect blocks a tamper attempt. |
| Detection Start | 46 | GL_EVENT_ANOMALY_START | Occurs when a threat is found. This is the first of a series of steps describing the action taken. |
| Detection Action | 47 | GL_EVENT_DETECTION_ACTION_TAKEN | Describes an action taken when a threat is found. |
| Pending Remediation Action | 48 | GL_EVENT_REMEDIATION_ACTION_PENDING | Occurs when Auto-Protect is ready to perform a side-effects repair for adware or spyware. |
| Failed Remediation Action | 49 | GL_EVENT_REMEDIATION_ACTION_FAILED | Occurs when Auto-Protect fails to perform a successful side-effects repair for adware or spyware. |
| Successful Remediation Action | 50 | GL_EVENT_REMEDIATION_ACTION_SUCCESSFUL | Occurs when Auto-Protect performs a successful side-effects repair for adware or spyware. |
| Detection Finish | 51 | GL_EVENT_ANOMALY_FINISH | Occurs when Auto-Protect finishes handling a threat. |
| Scan Stopped | 65 | GL_EVENT_SCAN_SUSPENDED | Occurs when adware and spyware scans stop. |
| Scan Started | 66 | GL_EVENT_SCAN_RESUMED | Occurs when adware and spyware scans start. |
| Threat Now Whitelisted | 71 | GL_EVENT_HEUR_THREAT_NOW_WHITELISTED | The Administrator has added what TruScan previously detected as a threat to the Centralized Exception list, or Symantec has added it to the internal known white listed applications list. |
| Interesting Process Found Start | 72 | GL_EVENT_INTERESTING_PROCESS_DETECTED_START | TruScan detection start. The first step of a series describing the action taken on the process. |
| TruScan known applications load error | 73 | GL_EVENT_LOAD_ERROR_COH | TruScan component could not be started. |
| TruScan engine load error | 74 | GL_EVENT_LOAD_ERROR_SYKNAPPS | TruScan could not be started. |
| Interesting Process Found Finish | 75 | GL_EVENT_INTERESTING_PROCESS_DETECTED_FINISH | TruScan detection has finished handling the process. |
| TruScan operating system not supported | 76 | GL_EVENT_HPP_SCAN_NOT_SUPPORTED_FOR_OS | TruScan is enabled, but it is not supported on the platform. |
| TruScan Detected Threat Now Known | 77 | GL_EVENT_HEUR_THREAT_NOW_KNOWN | A TruScan process detection is now a confirmed signature-based security risk. |





Legacy ID: 2008080711443448

