Symantec Endpoint Protection 12.1.x event log entries

Article:TECH186925  |  Created: 2012-04-20  |  Updated: 2013-09-10  |  Article URL http://www.symantec.com/docs/TECH186925
Article Type: Technical Solution


Issue



You would like to know which event log entries are possible and what each one means.


Solution



Below is a list of events that are logged on the local client and forwarded to the Symantec Endpoint Protection Manager. Many, but not all, of these events appear in the Windows Application Log. Each raw event code is a single string of text.

| Event | Event Number | Raw Event Code | Description |
|---|---|---|---|
| Scan Stopped | 2 | GL_EVENT_SCAN_STOP | Occurs when antivirus scanning completes. |
| Scan Started | 3 | GL_EVENT_SCAN_START | Occurs when antivirus scanning starts. |
| Definition File Sent To Server | 4 | GL_EVENT_PATTERN_UPDATE | Occurs when a parent server sends a .vdb file to a secondary server. |
| Virus Found | 5 | GL_EVENT_INFECTION | Occurs when scanning detects a virus. |
| Scan Omission | 6 | GL_EVENT_FILE_NOT_OPEN | Occurs when scanning fails to gain access to a file or directory. |
| Definition File Loaded | 7 | GL_EVENT_LOAD_PATTERN | Occurs when Symantec AntiVirus loads a new .vdb file. |
| Checksum | 10 | GL_EVENT_CHECKSUM | Occurs when a checksum error occurs when verifying a digitally signed file. |
| Auto-Protect | 11 | GL_EVENT_TRAP | Occurs when Auto-Protect is not fully operational. |
| Configuration Changed | 12 | GL_EVENT_CONFIG_CHANGE | Occurs when a server updates its configurations according to the changes made from the console, excluding configuration changes made in the PRODUCTCONTROL or DOMAINDATA registry keys. |
| Symantec AntiVirus Shutdown | 13 | GL_EVENT_SHUTDOWN | Occurs when the ccSvcHst.exe service is unloaded. |
| Symantec AntiVirus Startup | 14 | GL_EVENT_STARTUP | Occurs when the ccSvcHst.exe service is loaded. |
| Definition File Download | 16 | GL_EVENT_PATTERN_DOWNLOAD | Occurs when new definitions are downloaded by a scheduled definitions update. |
| Scan Action Auto-Changed | 17 | GL_EVENT_TOO_MANY_VIRUSES | Occurs when Symantec AntiVirus has deleted or quarantined more than 5 infected files within the last minute. The number of files quarantined or deleted and the time interval are configurable from the registry. The defaults are 5 files in 60 seconds. |
| Sent To Quarantine Server | 18 | GL_EVENT_FWD_TO_QSERVER | Occurs when quarantined files are sent to a Quarantine Server. |
| Delivered To Symantec Security Response | 19 | GL_EVENT_SCANDLVR | Occurs when a file is delivered to Symantec Security Response. |
| Backup Restore Error | 20 | GL_EVENT_BACKUP | Occurs when Symantec AntiVirus cannot back up a file or restore a file from Quarantine. |
| Scan Aborted | 21 | GL_EVENT_SCAN_ABORT | Occurs when a scan is stopped before it completes. |
| Symantec AntiVirus Auto-Protect Load Error | 22 | GL_EVENT_RTS_LOAD_ERROR | Occurs when Auto-Protect fails to load. |
| Symantec AntiVirus Auto-Protect Loaded | 23 | GL_EVENT_RTS_LOAD | Occurs when Auto-Protect loads successfully. |
| Symantec AntiVirus Auto-Protect Unloaded | 24 | GL_EVENT_RTS_UNLOAD | Occurs when Auto-Protect is unloaded. |
| Scan Delayed | 26 | GL_EVENT_SCAN_DELAYED | Occurs when a scheduled scan is snoozed/paused (delayed). |
| Scan Re-started | 27 | GL_EVENT_SCAN_RESTART | Occurs when a snoozed/paused scan is restarted. |
| Log Forwarding Error | 34 | GL_EVENT_LOG_FWD_THRD_ERR | Occurs when there is a problem with the log forwarding process. Also logs when Event and Settings Manager are started. |
| Definitions Rollback | 39 | GL_EVENT_BAD_DEFS_ROLLBACK | Occurs when definitions are rolled back. |
| Definitions Unprotected | 40 | GL_EVENT_BAD_DEFS_UNPROTECTED | Occurs when a computer is not protected with definitions. |
| Auto-Protect Error | 41 | GL_EVENT_SAV_PROVIDER_PARSING_ERROR | Occurs when an error occurs with Auto-Protect. |
| Configuration Error | 42 | GL_EVENT_RTS_ERROR | General error. Primarily occurs when a configuration file cannot be read. |
| SymProtect Action | 45 | GL_EVENT_SECURITY_SYMPROTECT_POLICYVIOLATION | Occurs when SymProtect blocks a tamper attempt. |
| Detection Start | 46 | GL_EVENT_ANOMALY_START | Occurs when a threat is found. This is the first of a series of steps describing the action taken. |
| Detection Action | 47 | GL_EVENT_DETECTION_ACTION_TAKEN | Describes an action taken when a threat is found. |
| Pending Remediation Action | 48 | GL_EVENT_REMEDIATION_ACTION_PENDING | Occurs when Auto-Protect is ready to perform a side-effects repair for adware or spyware. |
| Failed Remediation Action | 49 | GL_EVENT_REMEDIATION_ACTION_FAILED | Occurs when Auto-Protect fails to perform a successful side-effects repair for adware or spyware. |
| Successful Remediation Action | 50 | GL_EVENT_REMEDIATION_ACTION_SUCCESSFUL | Occurs when Auto-Protect performs a successful side-effects repair for adware or spyware. |
| Detection Finish | 51 | GL_EVENT_ANOMALY_FINISH | Occurs when Auto-Protect finishes handling a threat. |
| Scan Stopped | 65 | GL_EVENT_SCAN_SUSPENDED | Occurs when adware and spyware scans stop. |
| Scan Started | 66 | GL_EVENT_SCAN_RESUMED | Occurs when adware and spyware scans start. |
| Threat Now Whitelisted | 71 | GL_EVENT_HEUR_THREAT_NOW_WHITELISTED | The Administrator has added what SONAR previously detected as a threat to the Centralized Exception list, or Symantec has added it to the internal known white listed applications list. |
| Interesting Process Found Start | 72 | GL_EVENT_INTERESTING_PROCESS_DETECTED_START | SONAR detection start. The first step of a series describing the action taken on the process. |
| SONAR engine load error | 73 | GL_EVENT_LOAD_ERROR_BASH | Failed to load SONAR engine. |
| SONAR definitions load error | 74 | GL_EVENT_LOAD_ERROR_BASH_DEFINITIONS | Failed to load SONAR definitions. |
| Interesting Process Found Finish | 75 | GL_EVENT_INTERESTING_PROCESS_DETECTED_FINISH | SONAR detection has finished handling the process. |
| SONAR operating system not supported | 76 | GL_EVENT_HPP_SCAN_NOT_SUPPORTED_FOR_OS | SONAR is enabled, but it is not supported on the platform. |
| SONAR Detected Threat Now Known | 77 | GL_EVENT_HEUR_THREAT_NOW_KNOWN | A SONAR process detection is now a confirmed signature-based security risk. |
| SONAR engine is disabled | 78 | GL_EVENT_DISABLE_BASH | SONAR is disabled. |
| SONAR engine is enabled | 79 | GL_EVENT_ENABLE_BASH | SONAR is enabled. |
| Definition load failed | 80 | GL_EVENT_DEFS_LOAD_FAILED | Failed to apply AV definitions. |
| Cache server error | 81 | GL_EVENT_LOCALREP_CACHE_SERVER_ERROR | Cache server error. |
| Reputation check timed out | 82 | GL_EVENT_REPUTATION_CHECK_TIMEOUT | Reputation check timed out. |
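
An added example (not Symantec's code) of how the event numbers in the table can drive triage: it follows each Detection Start (46) to Detection Finish (51) series per host and flags failed remediation (49), series that never finish, and a few protection-loss events. The record layout `(timestamp, host, event_number)`, the sample data and the choice of which events count as protection loss are assumptions made for this example.

```python
# Event numbers taken from the table above.
START, FAILED, FINISH = 46, 49, 51
# Assumption: treating these events as "protection degraded" is this example's choice.
DEGRADED = {13: "GL_EVENT_SHUTDOWN", 22: "GL_EVENT_RTS_LOAD_ERROR",
            24: "GL_EVENT_RTS_UNLOAD", 40: "GL_EVENT_BAD_DEFS_UNPROTECTED",
            45: "GL_EVENT_SECURITY_SYMPROTECT_POLICYVIOLATION",
            78: "GL_EVENT_DISABLE_BASH"}

def triage(records):
    """records: iterable of (timestamp, host, event_number) in time order.
    Returns a list of (host, timestamp, finding) tuples."""
    findings = []
    open_chain = {}  # host -> [start_timestamp, remediation_failed]
    for ts, host, num in records:
        if num in DEGRADED:
            findings.append((host, ts, "protection degraded: " + DEGRADED[num]))
        elif num == START:
            if host in open_chain:  # earlier series never reached Detection Finish
                findings.append((host, open_chain[host][0], "detection never finished"))
            open_chain[host] = [ts, False]
        elif num == FAILED and host in open_chain:
            open_chain[host][1] = True
        elif num == FINISH and host in open_chain:
            start, failed = open_chain.pop(host)
            if failed:
                findings.append((host, start, "detection finished with failed remediation"))
    # Series still open at the end of the input never logged Detection Finish.
    for host, (start, _) in open_chain.items():
        findings.append((host, start, "detection never finished"))
    return findings

# Constructed sample records (hypothetical layout, not real SEP log output).
SAMPLE = [
    ("2013-09-10T08:00:01", "WS01", 46), ("2013-09-10T08:00:02", "WS01", 47),
    ("2013-09-10T08:00:03", "WS01", 50), ("2013-09-10T08:00:04", "WS01", 51),
    ("2013-09-10T08:05:00", "WS02", 46), ("2013-09-10T08:05:01", "WS02", 47),
    ("2013-09-10T08:05:02", "WS02", 49), ("2013-09-10T08:05:03", "WS02", 51),
    ("2013-09-10T08:07:00", "WS03", 24),
    ("2013-09-10T08:09:00", "WS03", 46), ("2013-09-10T08:09:01", "WS03", 47),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```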


Legacy ID: 2008080711443448