How to use DTrace to log SAV/SEP for Macintosh file operations

Article:TECH145293  |  Created: 2010-11-30  |  Updated: 2011-02-02  |  Article URL http://www.symantec.com/docs/TECH145293
Article Type
Technical Solution

Issue

DTrace is a troubleshooting tool available on several Unix-like operating systems, including Mac OS X. It can log and provide statistics for many application-level and kernel-level operations. DTrace is a command-line tool, similar in purpose to the Microsoft Sysinternals tools Procmon, Filemon and Regmon. How can I use DTrace to log SAV/SEP for Macintosh file operations?


Solution

For the purpose of troubleshooting SAV or SEP for Macintosh, DTrace can be used to log all file open operations performed by AutoProtect or by a manual/scheduled scan. See the command-line examples below.

To log all file open operations by AutoProtect:

sudo dtrace -n 'syscall::open*:entry / execname=="SymAutoProtect" / { printf("%s %s",execname,copyinstr(arg0)); }'

To log all file open operations by a manual/scheduled scan:

sudo dtrace -n 'syscall::open*:entry / execname=="navx" / { printf("%s %s",execname,copyinstr(arg0)); }'

These are very simple examples of DTrace usage. For general DTrace information, examples, and links to further documentation, see http://en.wikipedia.org/wiki/Dtrace

For a more user-friendly GUI that uses DTrace, see the article "How to use Macintosh Xcode's Instruments application to trace antivirus CPU usage and file activity".
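A longer D script, added here as an example and not part of the Symantec article, that builds on the one-liners above: it takes the process name as a command-line argument, records the flags and the result of each open (so a denied or missing file shows its errno rather than just a path), handles openat(), whose path is in arg1 rather than arg0, and summarises the most frequently opened paths on exit. The file name log_opens.d is an assumption.

```d
#!/usr/sbin/dtrace -s
/*
 * Hypothetical script (not from the Symantec article): log every file
 * open attempted by the process named on the command line, together
 * with the open flags and the result, and summarise the busiest paths
 * on exit.  Run as:  sudo dtrace -s log_opens.d SymAutoProtect
 */
#pragma D option quiet
#pragma D option zdefs   /* tolerate openat probes that older OS X lacks */

/* open()/open_nocancel(): arg0 = path, arg1 = flags */
syscall::open:entry,
syscall::open_nocancel:entry
/execname == $$1/
{
    self->pathp = arg0;
    self->flags = arg1;
}

/* openat(): arg0 = directory fd, arg1 = path, arg2 = flags */
syscall::openat:entry,
syscall::openat_nocancel:entry
/execname == $$1/
{
    self->pathp = arg1;
    self->flags = arg2;
}

/* Copy the path at return: the kernel has touched the page by then,
 * so copyinstr() cannot fault on a not-yet-resident user page. */
syscall::open*:return
/self->pathp/
{
    this->path = copyinstr(self->pathp);
    printf("%Y pid=%d %s %s flags=0x%x fd=%d errno=%d\n",
        walltimestamp, pid, execname, this->path,
        self->flags, arg0, errno);
    @opens[this->path] = count();
    self->pathp = 0;
    self->flags = 0;
}

END
{
    printf("\nTop 10 paths opened by %s:\n", $$1);
    trunc(@opens, 10);
    printa("%@8d %s\n", @opens);
}
```

Pass "navx" instead of "SymAutoProtect" to trace a manual or scheduled scan; on current macOS releases, System Integrity Protection restricts what DTrace may attach to, so the script targets the Mac OS X releases this article covers.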
