
How to generate log message like "Symantec Endpoint Protection\SnacNp.dll SNACNP Attached! "C:\Windows\system32\notepad.exe" in SEP?

Created: 11 Jul 2012 • Updated: 18 Dec 2012 | 2 comments

 

I have installed Endpoint Protection Client version 11.0.5002.333 on a Windows 7 SP1 32-bit system.
 
After I launched Notepad using WinDbg, below is the whole output in the WinDbg command window after I performed a File -> Open operation in Notepad. Please pay attention to the messages in bold; they are generated after the File -> Open operation.
 
 
Microsoft (R) Windows Debugger Version 6.12.0002.633 X86
Copyright (c) Microsoft Corporation. All rights reserved.
 
*** wait with pending attach
Symbol search path is: *** Invalid ***
****************************************************************************
* Symbol loading may be unreliable without a symbol search path.           *
* Use .symfix to have the debugger choose a symbol path.                   *
* After setting your symbol path, use .reload to refresh symbol locations. *
****************************************************************************
Executable search path is: 
ModLoad: 00e70000 00ea0000   C:\Windows\system32\notepad.exe
ModLoad: 777f0000 7792c000   C:\Windows\SYSTEM32\ntdll.dll
ModLoad: 75f60000 76034000   C:\Windows\system32\kernel32.dll
ModLoad: 75a00000 75a4a000   C:\Windows\system32\KERNELBASE.dll
ModLoad: 10000000 10063000   C:\Windows\SYSTEM32\SYSFER.DLL
ModLoad: 774d0000 77570000   C:\Windows\system32\ADVAPI32.dll
ModLoad: 76320000 763cc000   C:\Windows\system32\msvcrt.dll
ModLoad: 761f0000 76209000   C:\Windows\SYSTEM32\sechost.dll
ModLoad: 77020000 770c1000   C:\Windows\system32\RPCRT4.dll
ModLoad: 76140000 7618e000   C:\Windows\system32\GDI32.dll
ModLoad: 77400000 774c9000   C:\Windows\system32\USER32.dll
ModLoad: 77940000 7794a000   C:\Windows\system32\LPK.dll
ModLoad: 76280000 7631d000   C:\Windows\system32\USP10.dll
ModLoad: 779a0000 77a1b000   C:\Windows\system32\COMDLG32.dll
ModLoad: 76190000 761e7000   C:\Windows\system32\SHLWAPI.dll
ModLoad: 747e0000 7497e000   C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\COMCTL32.dll
ModLoad: 763d0000 7701a000   C:\Windows\system32\SHELL32.dll
ModLoad: 6fac0000 6fb11000   C:\Windows\system32\WINSPOOL.DRV
ModLoad: 77690000 777ec000   C:\Windows\system32\ole32.dll
ModLoad: 77570000 775ff000   C:\Windows\system32\OLEAUT32.dll
ModLoad: 74e70000 74e79000   C:\Windows\system32\VERSION.dll
ModLoad: 770d0000 770ef000   C:\Windows\system32\IMM32.DLL
ModLoad: 76070000 7613c000   C:\Windows\system32\MSCTF.dll
ModLoad: 00140000 00157000   C:\Windows\system32\AMINIT32.dll
ModLoad: 75900000 7590c000   C:\Windows\system32\CRYPTBASE.dll
ModLoad: 74650000 74690000   C:\Windows\system32\uxtheme.dll
ModLoad: 74360000 74373000   C:\Windows\system32\dwmapi.dll
(3a8.118c): Break instruction exception - code 80000003 (first chance)
eax=7ffde000 ebx=00000000 ecx=00000000 edx=7788f17d esi=00000000 edi=00000000
eip=7782410c esp=008afa80 ebp=008afaac iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Windows\SYSTEM32\ntdll.dll - 
ntdll!DbgBreakPoint:
7782410c cc              int     3
0:001> g
ModLoad: 77600000 77683000   C:\Windows\system32\CLBCatQ.DLL
ModLoad: 6bf40000 6bf98000   C:\Program Files\Common Files\microsoft shared\ink\tiptsf.dll
ModLoad: 6d560000 6d6cf000   C:\Windows\system32\explorerframe.dll
ModLoad: 743d0000 743ff000   C:\Windows\system32\DUser.dll
ModLoad: 74400000 744b2000   C:\Windows\system32\DUI70.dll
ModLoad: 74230000 7432b000   C:\Windows\system32\WindowsCodecs.dll
ModLoad: 758b0000 758fc000   C:\Windows\system32\apphelp.dll
ModLoad: 6d880000 6d8b1000   C:\Windows\system32\EhStorShell.dll
ModLoad: 77260000 773fd000   C:\Windows\system32\SETUPAPI.dll
ModLoad: 75a80000 75aa7000   C:\Windows\system32\CFGMGR32.dll
ModLoad: 75b40000 75b52000   C:\Windows\system32\DEVOBJ.dll
ModLoad: 746a0000 74795000   C:\Windows\system32\PROPSYS.dll
ModLoad: 6cd40000 6d14a000   GrooveEX.DLL
ModLoad: 6cd40000 6d14a000   C:\PROGRA~1\MICROS~1\Office14\GROOVEEX.DLL
ModLoad: 71ae0000 71b83000   C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\MSVCR90.dll
ModLoad: 6d7f0000 6d87e000   C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\MSVCP90.dll
ModLoad: 6d910000 6d93b000   C:\Windows\WinSxS\x86_microsoft.vc90.atl_1fc8b3b9a1e18e3b_9.0.30729.6161_none_51cd0a7abbe4e19b\ATL90.DLL
ModLoad: 6c920000 6cd3a000   C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE14\Cultures\office.odf
ModLoad: 6c0b0000 6c915000   C:\PROGRA~1\MICROS~1\Office14\1033\GrooveIntlResource.dll
ModLoad: 6d780000 6d7ea000   C:\Windows\System32\cscui.dll
ModLoad: 70310000 70319000   C:\Windows\System32\CSCDLL.dll
ModLoad: 71d10000 71d1b000   C:\Windows\system32\CSCAPI.dll
ModLoad: 6d710000 6d780000   C:\Windows\system32\ntshrui.dll
ModLoad: 757f0000 75809000   C:\Windows\system32\srvcli.dll
ModLoad: 73c10000 73c1a000   C:\Windows\system32\slc.dll
ModLoad: 70500000 70506000   C:\Windows\system32\IconCodecService.dll
ModLoad: 74330000 7435f000   C:\Windows\system32\xmllite.dll
ModLoad: 6bc50000 6bce4000   C:\Windows\system32\MsftEdit.dll
ModLoad: 6d180000 6d1ab000   C:\Windows\system32\msls31.dll
ModLoad: 75920000 7592b000   C:\Windows\system32\profapi.dll
ModLoad: 74330000 7435f000   C:\Windows\system32\xmllite.dll
ModLoad: 753d0000 753e6000   C:\Windows\system32\CRYPTSP.dll
ModLoad: 75180000 751bb000   C:\Windows\system32\rsaenh.dll
ModLoad: 75910000 7591e000   C:\Windows\system32\RpcRtRemote.dll
ModLoad: 6db90000 6dbec000   C:\Windows\System32\StructuredQuery.dll
ModLoad: 75870000 75878000   C:\Windows\System32\Secur32.dll
ModLoad: 75890000 758ab000   C:\Windows\system32\SSPICLI.DLL
ModLoad: 6d8c0000 6d90e000   C:\Windows\system32\actxprxy.dll
ModLoad: 67390000 673c3000   C:\Program Files\Internet Explorer\ieproxy.dll
ModLoad: 74d00000 74d21000   C:\Windows\system32\ntmarta.dll
ModLoad: 77210000 77255000   C:\Windows\system32\WLDAP32.dll
ModLoad: 73b10000 73b26000   C:\Windows\system32\thumbcache.dll
ModLoad: 76270000 76275000   C:\Windows\system32\PSAPI.DLL
ModLoad: 6d250000 6d27e000   C:\Windows\system32\SHDOCVW.dll
ModLoad: 68cd0000 6961d000   C:\Windows\system32\ieframe.DLL
ModLoad: 73f60000 73f9c000   C:\Windows\system32\OLEACC.dll
ModLoad: 75c80000 75e38000   C:\Windows\system32\iertutil.dll
ModLoad: 674c0000 67560000   C:\Windows\system32\SearchFolder.dll
ModLoad: 6bda0000 6bf38000   C:\Windows\system32\NetworkExplorer.dll
ModLoad: 70340000 70349000   C:\Windows\system32\LINKINFO.dll
ModLoad: 73690000 736a2000   C:\Windows\system32\MPR.dll
ModLoad: 60f80000 60f86000   C:\Program Files\Symantec\Symantec Endpoint Protection\SnacNp.dll
SNACNP Attached!  "C:\Windows\system32\notepad.exe" SNACNP::NPGetCaps::WNNC_NET_TYPE
SNACNP::NPGetCaps::WNNC_USER
SNACNP::NPGetCaps::WNNC_CONNECTION
SNACNP::NPGetCaps::WNNC_ENUMERATION
SNACNP::NPGetCaps::WNNC_ADMIN
SNACNP::NPGetCaps::WNNC_DIALOG
ModLoad: 70350000 70358000   C:\Windows\System32\drprov.dll
ModLoad: 754f0000 75519000   C:\Windows\System32\WINSTA.dll
ModLoad: 6d160000 6d174000   C:\Windows\System32\ntlanman.dll
ModLoad: 6bd80000 6bd97000   C:\Windows\System32\davclnt.dll
ModLoad: 6bd70000 6bd78000   C:\Windows\System32\DAVHLPR.dll
SNACNP::NPGetCaps::WNNC_START
ModLoad: 740e0000 740ef000   C:\Windows\system32\wkscli.dll
ModLoad: 740f0000 740f9000   C:\Windows\system32\netutils.dll
ModLoad: 5c800000 5ca38000   C:\Windows\system32\wpdshext.dll
ModLoad: 73bd0000 73c02000   C:\Windows\system32\WINMM.dll
ModLoad: 744c0000 74650000   C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll
ModLoad: 70120000 701a9000   C:\Windows\system32\PortableDeviceApi.dll
ModLoad: 75a50000 75a7d000   C:\Windows\system32\WINTRUST.dll
ModLoad: 75b60000 75c7e000   C:\Windows\system32\CRYPT32.dll
ModLoad: 759f0000 759fc000   C:\Windows\system32\MSASN1.dll
ModLoad: 65930000 6596f000   C:\Windows\system32\audiodev.dll
ModLoad: 682e0000 68547000   C:\Windows\system32\WMVCore.DLL
ModLoad: 738e0000 7391d000   C:\Windows\system32\WMASF.DLL
ModLoad: 64390000 643b2000   C:\Windows\system32\EhStorAPI.dll
ModLoad: 740d0000 740df000   C:\Windows\system32\samcli.dll
ModLoad: 747a0000 747b2000   C:\Windows\system32\SAMLIB.dll
SNACNP Detached!  "C:\Windows\system32\notepad.exe" eax=001dfda8 ebx=00000000 ecx=7ffdf000 edx=7ffd7000 esi=778c7380 edi=778c7340
eip=77837094 esp=001dfdf0 ebp=001dfe0c iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
ntdll!KiFastSystemCallRet:
77837094 c3              ret
 
 
 
I have also installed the same version of SEP on another Windows 7 32-bit system, but there is NOT a message like 'C:\Program Files\Symantec\Symantec Endpoint Protection\SnacNp.dll SNACNP Attached!  "C:\Windows\system32\notepad.exe" SNACNP::NPGetCaps::WNNC_NET_TYPE . . .' when I do the same operation.
 
What I want to know is how to make SEP generate a message like C:\Program Files\Symantec\Symantec Endpoint Protection\SnacNp.dll SNACNP Attached! ... Are there any settings in SEP?
 
Below is the whole output from the second system, in case you need it.
 
 
Microsoft (R) Windows Debugger Version 6.12.0002.633 X86
Copyright (c) Microsoft Corporation. All rights reserved.
 
*** wait with pending attach
Symbol search path is: *** Invalid ***
****************************************************************************
* Symbol loading may be unreliable without a symbol search path.           *
* Use .symfix to have the debugger choose a symbol path.                   *
* After setting your symbol path, use .reload to refresh symbol locations. *
****************************************************************************
Executable search path is: 
ModLoad: 00650000 00680000   C:\Windows\system32\notepad.exe
ModLoad: 77510000 7764d000   C:\Windows\SYSTEM32\ntdll.dll
ModLoad: 77140000 77214000   C:\Windows\system32\kernel32.dll
ModLoad: 75930000 7597a000   C:\Windows\system32\KERNELBASE.dll
ModLoad: 77410000 774b0000   C:\Windows\system32\ADVAPI32.dll
ModLoad: 77690000 7773c000   C:\Windows\system32\msvcrt.dll
ModLoad: 77660000 77679000   C:\Windows\SYSTEM32\sechost.dll
ModLoad: 75cf0000 75d91000   C:\Windows\system32\RPCRT4.dll
ModLoad: 76cf0000 76d3e000   C:\Windows\system32\GDI32.dll
ModLoad: 77070000 77139000   C:\Windows\system32\USER32.dll
ModLoad: 77680000 7768a000   C:\Windows\system32\LPK.dll
ModLoad: 77220000 772bd000   C:\Windows\system32\USP10.dll
ModLoad: 76ed0000 76f4b000   C:\Windows\system32\COMDLG32.dll
ModLoad: 76d40000 76d97000   C:\Windows\system32\SHLWAPI.dll
ModLoad: 74380000 7451e000   C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16661_none_420fe3fa2b8113bd\COMCTL32.dll
ModLoad: 760a0000 76ce9000   C:\Windows\system32\SHELL32.dll
ModLoad: 73450000 734a1000   C:\Windows\system32\WINSPOOL.DRV
ModLoad: 75f40000 7609c000   C:\Windows\system32\ole32.dll
ModLoad: 76e30000 76ebf000   C:\Windows\system32\OLEAUT32.dll
ModLoad: 74ba0000 74ba9000   C:\Windows\system32\VERSION.dll
ModLoad: 75bb0000 75bcf000   C:\Windows\system32\IMM32.DLL
ModLoad: 76f60000 7702c000   C:\Windows\system32\MSCTF.dll
ModLoad: 755f0000 755fc000   C:\Windows\system32\CRYPTBASE.dll
ModLoad: 74300000 74340000   C:\Windows\system32\uxtheme.dll
ModLoad: 73ea0000 73eb3000   C:\Windows\system32\dwmapi.dll
ModLoad: 76da0000 76e23000   C:\Windows\system32\CLBCatQ.DLL
(ae4.814): Break instruction exception - code 80000003 (first chance)
eax=7ffde000 ebx=00000000 ecx=00000000 edx=775ad7eb esi=00000000 edi=00000000
eip=77543370 esp=014ef8b4 ebp=014ef8e0 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Windows\SYSTEM32\ntdll.dll - 
ntdll!DbgBreakPoint:
77543370 cc              int     3
0:001> g
ModLoad: 6d800000 6d858000   C:\Program Files\Common Files\microsoft shared\ink\tiptsf.dll
ModLoad: 6e200000 6e36f000   C:\Windows\system32\explorerframe.dll
ModLoad: 73ff0000 7401f000   C:\Windows\system32\DUser.dll
ModLoad: 74020000 740d2000   C:\Windows\system32\DUI70.dll
ModLoad: 73d70000 73e6b000   C:\Windows\system32\WindowsCodecs.dll
ModLoad: 755a0000 755eb000   C:\Windows\system32\apphelp.dll
ModLoad: 6fcb0000 6fce1000   C:\Windows\system32\EhStorShell.dll
ModLoad: 75da0000 75f3d000   C:\Windows\system32\SETUPAPI.dll
ModLoad: 75720000 75747000   C:\Windows\system32\CFGMGR32.dll
ModLoad: 75980000 75992000   C:\Windows\system32\DEVOBJ.dll
ModLoad: 74810000 74905000   C:\Windows\system32\PROPSYS.dll
ModLoad: 6c3c0000 6c7cb000   GrooveEX.DLL
ModLoad: 6c3c0000 6c7cb000   C:\PROGRA~1\MIF5BA~1\Office14\GROOVEEX.DLL
ModLoad: 6e150000 6e1f3000   C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4926_none_508ed732bcbc0e5a\MSVCR90.dll
ModLoad: 6e0c0000 6e14e000   C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4926_none_508ed732bcbc0e5a\MSVCP90.dll
ModLoad: 6ffc0000 6ffeb000   C:\Windows\WinSxS\x86_microsoft.vc90.atl_1fc8b3b9a1e18e3b_9.0.30729.4148_none_51ca66a2bbe76806\ATL90.DLL
ModLoad: 6bfb0000 6c3bf000   C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE14\Cultures\office.odf
ModLoad: 6b740000 6bfa4000   C:\PROGRA~1\MIF5BA~1\Office14\1033\GrooveIntlResource.dll
ModLoad: 6dd40000 6ddaa000   C:\Windows\System32\cscui.dll
ModLoad: 70570000 70579000   C:\Windows\System32\CSCDLL.dll
ModLoad: 722a0000 722ab000   C:\Windows\system32\CSCAPI.dll
ModLoad: 6dc60000 6dccf000   C:\Windows\system32\ntshrui.dll
ModLoad: 754c0000 754d9000   C:\Windows\system32\srvcli.dll
ModLoad: 73930000 7393a000   C:\Windows\system32\slc.dll
ModLoad: 73e70000 73e9f000   C:\Windows\system32\xmllite.dll
ModLoad: 6d450000 6d4e4000   C:\Windows\system32\MsftEdit.dll
ModLoad: 6d860000 6d88b000   C:\Windows\system32\msls31.dll
ModLoad: 74a60000 74a81000   C:\Windows\system32\ntmarta.dll
ModLoad: 759a0000 759e5000   C:\Windows\system32\WLDAP32.dll
ModLoad: 73e70000 73e9f000   C:\Windows\system32\XmlLite.dll
ModLoad: 6dae0000 6dae9000   C:\Windows\system32\LINKINFO.dll
ModLoad: 75120000 75136000   C:\Windows\system32\CRYPTSP.dll
ModLoad: 74ec0000 74efb000   C:\Windows\system32\rsaenh.dll
ModLoad: 75690000 7569e000   C:\Windows\system32\RpcRtRemote.dll
ModLoad: 6b6a0000 6b73f000   C:\Windows\system32\SearchFolder.dll
ModLoad: 756a0000 756ab000   C:\Windows\system32\profapi.dll
ModLoad: 6b5f0000 6b64c000   C:\Windows\System32\StructuredQuery.dll
ModLoad: 75540000 75548000   C:\Windows\System32\Secur32.dll
ModLoad: 75580000 7559a000   C:\Windows\system32\SSPICLI.DLL
ModLoad: 6f8c0000 6f8d6000   C:\Windows\system32\thumbcache.dll
ModLoad: 76ec0000 76ec5000   C:\Windows\system32\PSAPI.DLL
ModLoad: 6db00000 6db2e000   C:\Windows\system32\SHDOCVW.dll
ModLoad: 68970000 692bd000   C:\Windows\system32\ieframe.DLL
ModLoad: 73a80000 73abc000   C:\Windows\system32\OLEACC.dll
ModLoad: 759f0000 75ba8000   C:\Windows\system32\iertutil.dll
ModLoad: 700c0000 700cc000   C:\Windows\system32\mssprxy.dll
ModLoad: 69ac0000 69b66000   mssup.DLL
ModLoad: 696c0000 69766000   C:\Windows\system32\mssvp.dll
ModLoad: 6f8e0000 6f8f6000   C:\Windows\system32\MAPI32.dll
ModLoad: 6d620000 6d7b8000   C:\Windows\system32\NetworkExplorer.dll
ModLoad: 6b650000 6b69e000   C:\Windows\system32\actxprxy.dll
ModLoad: 70990000 709c2000   C:\Windows\system32\WINMM.dll
ModLoad: 73c90000 73c99000   C:\Windows\system32\netutils.dll
eax=00292338 ebx=00000000 ecx=00292338 edx=00000001 esi=775e8380 edi=775e8340
eip=77556344 esp=000ef8b4 ebp=000ef8d0 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
ntdll!KiFastSystemCallRet:
77556344 c3              ret
 
 
Thanks in advance!
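
Added example, not part of the original post: a small Python script that compares two WinDbg transcripts like the ones above and lists the modules loaded only in the first, plus any SNACNP debug-output lines. The two sample logs are short excerpts of the transcripts in the post, and the function names are this example's own.

```python
import re
from ntpath import basename  # Windows path rules on any platform

# WinDbg module-load line: "ModLoad: <start> <end>   <image path>"
MODLOAD = re.compile(r"^ModLoad:\s+[0-9a-fA-F]+\s+[0-9a-fA-F]+\s+(.+?)\s*$")

# Excerpts of the two transcripts in the post (not the full logs).
LOG_A = r"""
ModLoad: 00e70000 00ea0000   C:\Windows\system32\notepad.exe
ModLoad: 10000000 10063000   C:\Windows\SYSTEM32\SYSFER.DLL
ModLoad: 74330000 7435f000   C:\Windows\system32\xmllite.dll
ModLoad: 73690000 736a2000   C:\Windows\system32\MPR.dll
ModLoad: 60f80000 60f86000   C:\Program Files\Symantec\Symantec Endpoint Protection\SnacNp.dll
SNACNP Attached!  "C:\Windows\system32\notepad.exe" SNACNP::NPGetCaps::WNNC_NET_TYPE
SNACNP::NPGetCaps::WNNC_USER
ModLoad: 70350000 70358000   C:\Windows\System32\drprov.dll
ModLoad: 740f0000 740f9000   C:\Windows\system32\netutils.dll
"""
LOG_B = r"""
ModLoad: 00650000 00680000   C:\Windows\system32\notepad.exe
ModLoad: 73e70000 73e9f000   C:\Windows\system32\XmlLite.dll
ModLoad: 73c90000 73c99000   C:\Windows\system32\netutils.dll
"""

def parse_log(text):
    """Return (modules, debug_lines); modules maps lower-cased file name -> path."""
    modules, debug_lines = {}, []
    for line in text.splitlines():
        m = MODLOAD.match(line)
        if m:
            path = m.group(1)
            name = basename(path).lower()  # file names are case-insensitive
            # A module can be listed twice (bare name, then full path): keep the longer.
            if len(path) > len(modules.get(name, "")):
                modules[name] = path
        elif line.startswith("SNACNP"):
            debug_lines.append(line.strip())
    return modules, debug_lines

def only_in_first(first, second):
    """Modules present in the first transcript but absent from the second."""
    a, _ = parse_log(first)
    b, _ = parse_log(second)
    return sorted((name, a[name]) for name in a.keys() - b.keys())

if __name__ == "__main__":
    for name, path in only_in_first(LOG_A, LOG_B):
        print("only in first log:", path)
    for line in parse_log(LOG_A)[1]:
        print("debug output:", line)
```

Run it against the complete transcripts (saved as text files and read in place of `LOG_A` and `LOG_B`) to see every module that differs between the two systems.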