Video Screencast Help

Where are TruScan logs at SEPM 12 ?

Created: 15 Oct 2012 • Updated: 23 Jan 2013 | 12 comments
FbacchinZF's picture
This issue has been solved. See solution.

Hello folks,

Does anybody know how to find legacy SEP11 client Truscan logs on SEPM12 console ?

I know that TruScan was replaced by SONAR at SEP12 Monitors/Logs page, but TruScan events from my SEP11 clients are not there !

Comments 12 CommentsJump to latest comment

Ashish-Sharma's picture

Migration from Symantec Endpoint Protection (SEP) 11.x to SEP 12.x - TruScan and SONAR exceptions

Configuring Exceptions for Symantec Endpoint Protection (SEP) 12.

Thanks In Advance

Ashish Sharma

FbacchinZF's picture

Ashish & Oykun,

Thank you for sharing but none of the articles have answered my question.

I need to find where are TruScan detection events on SEP12 management console !?!?

oykunsatis's picture


In the article,

You can see that there's no option to see details in the Monitor, one of that is also Logs. So you can vote for an enhancment from the following document;


This is as designed and there is no options to see PTP details in the monitors.

If you need this feature enabled in SEP 11, you may vote for this enhancement request at



Ashish-Sharma's picture


Check This may be help

SONAR is part of Proactive Threat Protection on your client computers. You manage SONAR settings as part of a Virus and Spyware Protection policy.

You configure SONAR settings for the clients that run Symantec Endpoint Protection version 12.1. SONAR settings also include TruScan proactive threat scan settings for legacy clients. Many of the settings can be locked so that users on client computers cannot change the settings.

Configuring TruScan proactive threat scan settings for legacy clients

About adjusting TruScan settings for legacy clients

Thanks In Advance

Ashish Sharma

ᗺrian's picture

Monitors >> Logs >> SONAR

This doesn't show here for you?

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

Mithun Sanghavi's picture


When did you migrate the SEPM from 11.x to 12.1?

Did you select the Correct "Time Range" of Logs from Monitors >> Logs >> SONAR??

When you Migration takes place the Previous TrueScan ProActive Threat Scan (PTP) events would be still stored within the Database as the Database Schema migration takes place and not the purging of Database logs.

So, In your case of you pull the SONAR Logs, you may see those events.

Note: The Condition here is these Logs are Expires by default after 60 days.

You could check these settings from - 

SEPM >> Admin >> Servers >> Local Host >> Edit Database properties >> Log settings.

Hope that helps!!

Mithun Sanghavi
Associate Security Architect


Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

FbacchinZF's picture

Thank you all for your replies but the problem remains.

I haven't migrated from SEPM11 to SEPM12 .
I created a new database for SEPM12 but I added clients running SEP version 11 MR5.
For these clients, Truscan event are not being forwarded to SEPM12, at least, I could not find it.

SONAR events from SEP12 clients are present as well on the Monitors >> Logs >> SONAR page.

ᗺrian's picture

I would suggest a call in to support.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

Ajit Jha's picture

Follow the steps To monitor SONAR detection results to check for false positives

  1. In the console, click Monitors > Logs.

  2. On the Logs tab, in the Log type drop-down list, click SONAR.

  3. Select a time from the Time range list box closest to when you last changed a scan setting.

  4. Click Advanced Settings.

  5. In the Event type drop-down list, select one of the following log events:

    • To view all detected processes, make sure All is selected.

    • To view the processes that have been evaluated as security risks, click Security risk found.

    • To view the processes that have been evaluated and logged as potential risks, click Potential risk found.

  6. Click View Log.

If still you are  unable to generate  the call, there could be many reasons, i would advice to Open a case with Symantec Support.


Ajit Jha

Technical Consultant


pete_4u2002's picture

truscan will be applicable for SEP 11 clients. did you see any events on the SEP 11 clients (client side)?

FbacchinZF's picture

Yes ! I can see the logs on the client-side , but not on the SEPM-side !

So I've opened the case : 03373742

Here's the technician answer :

Issue #2 - TruScan logs not being displayed in a 12.1 SEPM

As you know, SONAR has replaced TruScan in 12.1.  It is expected behavior, working as designed, that the TruScan logs are not viewable in 12.1 SEPM.  The advice would be to migrate your clients to 12.1 so that they are running SONAR which can be viewed from the SEPM as expected.  Another unsupported workaround would be, once again, to run a SQL query to pull this information from the database, as it should still be processed from the information the client has sent to the SEPM

My reaction on that was:

  • Disable TruScan policy until every client is upgraded to SEP12 version , becase right now I cannot see Truscan False-positives on SEP11 clients.
  • Submit idea to Symantec for including this feature on the next product releases, since SEPM12 supports SEP11 clients, it must support also the log handling.

If you agreed, please vote !