Symantec Endpoint Protection 11.x event log entries
Article: TECH105571 | Created: 2008-01-07 | Updated: 2008-01-07 | Article URL: http://www.symantec.com/docs/TECH105571
Problem
You would like to know what the possible event log entries are and what each one means.
Solution
Below is a list of events that are logged on the local client and forwarded on to the Symantec Endpoint Protection Manager. Many, but not all, of these events appear in the Windows Application Log.
| Event | Event Number | Raw Event Code | Description |
|---|---|---|---|
| Scan Stopped | 2 | GL_EVENT_SCAN_STOP | Occurs when antivirus scanning completes. |
| Scan Started | 3 | GL_EVENT_SCAN_START | Occurs when antivirus scanning starts. |
| Definition File Sent To Server | 4 | GL_EVENT_PATTERN_UPDATE | Occurs when a parent server sends a .vdb file to a secondary server. |
| Virus Found | 5 | GL_EVENT_INFECTION | Occurs when scanning detects a virus. |
| Scan Omission | 6 | GL_EVENT_FILE_NOT_OPEN | Occurs when scanning fails to gain access to a file or directory. |
| Definition File Loaded | 7 | GL_EVENT_LOAD_PATTERN | Occurs when Symantec AntiVirus loads a new .vdb file. |
| Checksum | 10 | GL_EVENT_CHECKSUM | Occurs when a checksum error is found while verifying a digitally signed file. |
| Auto-Protect | 11 | GL_EVENT_TRAP | Occurs when Auto-Protect is not fully operational. |
| Configuration Changed | 12 | GL_EVENT_CONFIG_CHANGE | Occurs when a server updates its configurations according to the changes made from the console, excluding configuration changes made in the PRODUCTCONTROL or DOMAINDATA registry keys. |
| Symantec AntiVirus Shutdown | 13 | GL_EVENT_SHUTDOWN | Occurs when the Rtvscan.exe service is unloaded. |
| Symantec AntiVirus Startup | 14 | GL_EVENT_STARTUP | Occurs when the Rtvscan.exe service is loaded. |
| Definition File Download | 16 | GL_EVENT_PATTERN_DOWNLOAD | Occurs when new definitions are downloaded by a scheduled definitions update. |
| Scan Action Auto-Changed | 17 | GL_EVENT_TOO_MANY_VIRUSES | Occurs when Symantec AntiVirus has deleted or quarantined more than 5 infected files within the last minute. The number of files quarantined or deleted and the time interval are configurable from the registry. The defaults are 5 files in 60 seconds. |
| Sent To Quarantine Server | 18 | GL_EVENT_FWD_TO_QSERVER | Occurs when quarantined files are sent to a Quarantine Server. |
| Delivered To Symantec Security Response | 19 | GL_EVENT_SCANDLVR | Occurs when a file is delivered to Symantec Security Response. |
| Backup Restore Error | 20 | GL_EVENT_BACKUP | Occurs when Symantec AntiVirus cannot back up a file or restore a file from Quarantine. |
| Scan Aborted | 21 | GL_EVENT_SCAN_ABORT | Occurs when a scan is stopped before it completes. |
| Symantec AntiVirus Auto-Protect Load Error | 22 | GL_EVENT_RTS_LOAD_ERROR | Occurs when Auto-Protect fails to load. |
| Symantec AntiVirus Auto-Protect Loaded | 23 | GL_EVENT_RTS_LOAD | Occurs when Auto-Protect loads successfully. |
| Symantec AntiVirus Auto-Protect Unloaded | 24 | GL_EVENT_RTS_UNLOAD | Occurs when Auto-Protect is unloaded. |
| Scan Delayed | 26 | GL_EVENT_SCAN_DELAYED | Occurs when a scheduled scan is snoozed/paused (delayed). |
| Scan Re-started | 27 | GL_EVENT_SCAN_RESTART | Occurs when a snoozed/paused scan is restarted. |
| Log Forwarding Error | 34 | GL_EVENT_LOG_FWD_THRD_ERR | Occurs when there is a problem with the log forwarding process. Also logs when Event and Settings Manager are started. |
| Definitions Rollback | 39 | GL_EVENT_BAD_DEFS_ROLLBACK | Occurs when definitions are rolled back. |
| Definitions Unprotected | 40 | GL_EVENT_BAD_DEFS_UNPROTECTED | Occurs when a computer is not protected with definitions. |
| Auto-Protect Error | 41 | GL_EVENT_SAV_PROVIDER_PARSING_ERROR | Occurs when Auto-Protect encounters an error. |
| Configuration Error | 42 | GL_EVENT_RTS_ERROR | General error. Primarily occurs when a configuration file cannot be read. |
| SymProtect Action | 45 | GL_EVENT_SECURITY_SYMPROTECT_POLICYVIOLATION | Occurs when SymProtect blocks a tamper attempt. |
| Detection Start | 46 | GL_EVENT_ANOMALY_START | Occurs when a threat is found. This is the first of a series of steps describing the action taken. |
| Detection Action | 47 | GL_EVENT_DETECTION_ACTION_TAKEN | Describes an action taken when a threat is found. |
| Pending Remediation Action | 48 | GL_EVENT_REMEDIATION_ACTION_PENDING | Occurs when Auto-Protect is ready to perform a side-effects repair for adware or spyware. |
| Failed Remediation Action | 49 | GL_EVENT_REMEDIATION_ACTION_FAILED | Occurs when Auto-Protect fails to perform a successful side-effects repair for adware or spyware. |
| Successful Remediation Action | 50 | GL_EVENT_REMEDIATION_ACTION_SUCCESSFUL | Occurs when Auto-Protect performs a successful side-effects repair for adware or spyware. |
| Detection Finish | 51 | GL_EVENT_ANOMALY_FINISH | Occurs when Auto-Protect finishes handling a threat. |
| Scan Stopped | 65 | GL_EVENT_SCAN_SUSPENDED | Occurs when adware and spyware scans stop. |
| Scan Started | 66 | GL_EVENT_SCAN_RESUMED | Occurs when adware and spyware scans start. |
| Threat Now Whitelisted | 71 | GL_EVENT_HEUR_THREAT_NOW_WHITELISTED | The Administrator has added what TruScan previously detected as a threat to the Centralized Exception list, or Symantec has added it to the internal list of known whitelisted applications. |
| Interesting Process Found Start | 72 | GL_EVENT_INTERESTING_PROCESS_DETECTED_START | TruScan detection start. The first step of a series describing the action taken on the process. |
| TruScan known applications load error | 73 | GL_EVENT_LOAD_ERROR_COH | TruScan component could not be started. |
| TruScan engine load error | 74 | GL_EVENT_LOAD_ERROR_SYKNAPPS | TruScan could not be started. |
| Interesting Process Found Finish | 75 | GL_EVENT_INTERESTING_PROCESS_DETECTED_FINISH | TruScan detection has finished handling the process. |
| TruScan operating system not supported | 76 | GL_EVENT_HPP_SCAN_NOT_SUPPORTED_FOR_OS | TruScan is enabled, but it is not supported on the platform. |
| TruScan Detected Threat Now Known | 77 | GL_EVENT_HEUR_THREAT_NOW_KNOWN | A TruScan process detection is now a confirmed signature-based security risk. |
Legacy ID
2008080711443448