How to read / parse the current definition version on SAV / SEP, and from .vdb, .xdb and .jdb files

Article:TECH131952  |  Created: 2010-01-23  |  Updated: 2011-01-21  |  Article URL http://www.symantec.com/docs/TECH131952
Article Type
Technical Solution


Environment

Problem



You are trying to determine the definition date from the value in the registry, the Windows event log, or the name of the virus definition file itself (.vdb, .xdb, or .jdb), but the number you see does not look like a date.


Cause



The value you are viewing is a packed 32-bit number, usually displayed in hexadecimal. The year, month, day and revision are stored in separate bit fields inside it and have to be unpacked before the date can be read.


Solution



This is the C++ code. "version" is the 32-bit DWORD read from the UsingPattern value; it must be an unsigned type so the right shifts do not sign-extend:
Year     = (unsigned short)((version >> 18) + 1998);   // bits 18-31: years since 1998
Month    = (unsigned short)((version >> 14) & 0x0f);   // bits 14-17: month (4 bits)
Day      = (unsigned short)((version >> 9) & 0x1f);    // bits 9-13: day (5 bits)
Revision = (unsigned short)(version & 0x1FF);          // bits 0-8: revision (9 bits)

AutoIt Source

Local $Pattern, $Year, $Month, $Day, $Revision, $Text

; UsingPattern is a REG_DWORD; RegRead returns it as a number.
; On 64-bit Windows a 32-bit AutoIt build reads the redirected (Wow6432Node) view of
; HKLM\SOFTWARE; if the value is not found there, try the HKLM64 prefix instead.
$Pattern = RegRead("HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV", "UsingPattern")

; BitShift with a positive count shifts right, matching the C++ above
$Year     = BitShift($Pattern, 18) + 1998          ; bits 18-31: years since 1998
$Month    = BitAND(BitShift($Pattern, 14), 0x0f)   ; bits 14-17: month
$Day      = BitAND(BitShift($Pattern, 9), 0x1f)    ; bits 9-13: day
$Revision = BitAND($Pattern, 0x1FF)                ; bits 0-8: revision

$Text = @CRLF & "Year: " & $Year & @CRLF & "Month: " & $Month & @CRLF & "Day: " & $Day & @CRLF & "Revision: " & $Revision & @CRLF
ConsoleWrite($Text)
MsgBox(4096, "Your Defs", $Text)



OR

Using Calc (Windows Calculator in Scientific / Programmer mode):

Copy the hex value from HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\UsingPattern. In this example (today's defs) it is 312e02 (hex).

Paste it into the Calc display and convert it to binary (BIN).

Copy the result (Edit > Copy), open Notepad and paste it: 1100010010111000000010

Reading from the right, the low 9 bits are the revision, the next 5 bits the day, the next 4 bits the month, and everything above that the year offset. Split the string accordingly:
1100 0100 10111 000000010

Year: count 18 digits in from the right (this is the "shift right by 18") and take what is left: 1100
Clear Calc, paste 1100 in BIN mode and convert to DEC: 12
Add 1998 = 2010

Month: count 14 digits in from the right; the 4 digits just to the left of that point are 0100
Paste into Calc and convert BIN to DEC: 4

Day: count 9 digits in from the right; the 5 digits just to the left of that point are 10111
Paste into Calc and convert BIN to DEC: 23

Revision: the last 9 digits are 000000010
Paste into Calc and convert BIN to DEC: 2

So the defs are
2010/4/23 Rev 2





To decode a .jdb, .xdb or .vdb definition file, remove the letter prefix and the extension from the file name; the remaining hex digits are converted exactly as above (using Calc).
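The same unpacking, written as a small Python decoder so the registry, Calc and file-name procedures above can be scripted and checked against each other. This is an added example, not Symantec's code: the bit layout is the one the article gives, the decimal form assumes a DWORD printed by PowerShell, the "vd" prefix on the sample file name is a constructed placeholder (check the real names in your definitions folder), and defs_older_than is an added helper that relies on the fields being packed most-significant-first, so plain integer comparison orders versions chronologically.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class DefVersion:
    """Decoded SAV/SEP definition version, e.g. 2010-04-23 revision 2."""
    year: int
    month: int
    day: int
    revision: int

    def __str__(self) -> str:
        # Same YYYYMMDD-RRR shape used for definition set names
        return f"{self.year:04d}{self.month:02d}{self.day:02d}-{self.revision:03d}"


def decode_def_version(version: int) -> DefVersion:
    """Unpack a UsingPattern-style 32-bit value.

    Bit layout (from the C++ in the article):
      bits 18..31  year - 1998
      bits 14..17  month    (4 bits)
      bits  9..13  day      (5 bits)
      bits  0..8   revision (9 bits)
    """
    if not 0 <= version <= 0xFFFFFFFF:
        raise ValueError("version must be an unsigned 32-bit DWORD")
    year = (version >> 18) + 1998
    month = (version >> 14) & 0x0F
    day = (version >> 9) & 0x1F
    revision = version & 0x1FF
    # Sanity check: a value from the wrong key, or of another type, usually fails here
    if not (1 <= month <= 12 and 1 <= day <= 31):
        raise ValueError(f"0x{version:x} does not decode to a plausible date")
    return DefVersion(year, month, day, revision)


def encode_def_version(year: int, month: int, day: int, revision: int) -> int:
    """Inverse of decode_def_version: pack a date and revision into the DWORD form."""
    if not (1998 <= year <= 1998 + 0x3FFF and 1 <= month <= 12
            and 1 <= day <= 31 and 0 <= revision <= 0x1FF):
        raise ValueError("field out of range for the packed layout")
    return ((year - 1998) << 18) | (month << 14) | (day << 9) | revision


def parse_def_version(text: str, base: int = 16, prefix: str = "") -> DefVersion:
    """Decode the version from the forms a practitioner actually meets.

    - hex as regedit and the article show it:  '312e02' or '0x00312e02'
    - decimal as PowerShell prints a DWORD:    '3223042'  (pass base=10)
    - a definition file name: the extension and the leading name prefix are
      stripped first (the article's "remove the prefix" rule), then the
      remaining hex digits are decoded. The prefix is passed in by the caller
      because it varies; the 'vd' used below is a constructed placeholder.
    """
    stem = re.sub(r"\.(vdb|xdb|jdb)$", "", text.strip(), flags=re.IGNORECASE)
    if prefix and stem.lower().startswith(prefix.lower()):
        stem = stem[len(prefix):]
    if stem.lower().startswith("0x"):
        base, stem = 16, stem[2:]
    return decode_def_version(int(stem, base))


def defs_older_than(version: int, year: int, month: int, day: int) -> bool:
    """True if the packed version predates the given date.

    Year, month, day and revision occupy non-overlapping fields from the most
    significant bits down, so comparing the raw integers compares dates; a
    "definitions too old" check needs no decoding at all.
    """
    return version < encode_def_version(year, month, day, 0)


if __name__ == "__main__":
    # Constructed inputs: the article's value 312e02 in the three forms above
    samples = (("312e02", {}), ("3223042", {"base": 10}), ("vd312e02.jdb", {"prefix": "vd"}))
    for sample, kwargs in samples:
        print(f"{sample:>14} -> {parse_def_version(sample, **kwargs)}")
    print("older than 2010-05-01:", defs_older_than(0x312E02, 2010, 5, 1))
```

All three sample forms decode to 20100423-002, matching the Calc walk-through. Because the comparison in defs_older_than works on the raw DWORD, the same test can be run directly against the registry value in a logon script or a compliance check without unpacking it first.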




Legacy ID



2010042313582048

