Symantec Developer Group

How to generate log message like "Symantec Endpoint Protection\SnacNp.dll SNACNP Attached! "C:\Windows\system32\notepad.exe" in SEP?

  • 1.  How to generate log message like "Symantec Endpoint Protection\SnacNp.dll SNACNP Attached! "C:\Windows\system32\notepad.exe" in SEP?

    Posted Jul 15, 2012 09:07 PM

     

    I have installed Endpoint Protection Client version 11.0.5002.333 on a Windows 7 SP1 32-bit system.
     
    After I launched Notepad under WinDbg, below is the whole output in the WinDbg command window after I performed a File->Open operation in Notepad. Please pay attention to the messages in bold; they are generated after the File->Open operation.
     
     
    Microsoft (R) Windows Debugger Version 6.12.0002.633 X86
    Copyright (c) Microsoft Corporation. All rights reserved.
     
    *** wait with pending attach
    Symbol search path is: *** Invalid ***
    ****************************************************************************
    * Symbol loading may be unreliable without a symbol search path.           *
    * Use .symfix to have the debugger choose a symbol path.                   *
    * After setting your symbol path, use .reload to refresh symbol locations. *
    ****************************************************************************
    Executable search path is: 
    ModLoad: 00e70000 00ea0000   C:\Windows\system32\notepad.exe
    ModLoad: 777f0000 7792c000   C:\Windows\SYSTEM32\ntdll.dll
    ModLoad: 75f60000 76034000   C:\Windows\system32\kernel32.dll
    ModLoad: 75a00000 75a4a000   C:\Windows\system32\KERNELBASE.dll
    ModLoad: 10000000 10063000   C:\Windows\SYSTEM32\SYSFER.DLL
    ModLoad: 774d0000 77570000   C:\Windows\system32\ADVAPI32.dll
    ModLoad: 76320000 763cc000   C:\Windows\system32\msvcrt.dll
    ModLoad: 761f0000 76209000   C:\Windows\SYSTEM32\sechost.dll
    ModLoad: 77020000 770c1000   C:\Windows\system32\RPCRT4.dll
    ModLoad: 76140000 7618e000   C:\Windows\system32\GDI32.dll
    ModLoad: 77400000 774c9000   C:\Windows\system32\USER32.dll
    ModLoad: 77940000 7794a000   C:\Windows\system32\LPK.dll
    ModLoad: 76280000 7631d000   C:\Windows\system32\USP10.dll
    ModLoad: 779a0000 77a1b000   C:\Windows\system32\COMDLG32.dll
    ModLoad: 76190000 761e7000   C:\Windows\system32\SHLWAPI.dll
    ModLoad: 747e0000 7497e000   C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\COMCTL32.dll
    ModLoad: 763d0000 7701a000   C:\Windows\system32\SHELL32.dll
    ModLoad: 6fac0000 6fb11000   C:\Windows\system32\WINSPOOL.DRV
    ModLoad: 77690000 777ec000   C:\Windows\system32\ole32.dll
    ModLoad: 77570000 775ff000   C:\Windows\system32\OLEAUT32.dll
    ModLoad: 74e70000 74e79000   C:\Windows\system32\VERSION.dll
    ModLoad: 770d0000 770ef000   C:\Windows\system32\IMM32.DLL
    ModLoad: 76070000 7613c000   C:\Windows\system32\MSCTF.dll
    ModLoad: 00140000 00157000   C:\Windows\system32\AMINIT32.dll
    ModLoad: 75900000 7590c000   C:\Windows\system32\CRYPTBASE.dll
    ModLoad: 74650000 74690000   C:\Windows\system32\uxtheme.dll
    ModLoad: 74360000 74373000   C:\Windows\system32\dwmapi.dll
    (3a8.118c): Break instruction exception - code 80000003 (first chance)
    eax=7ffde000 ebx=00000000 ecx=00000000 edx=7788f17d esi=00000000 edi=00000000
    eip=7782410c esp=008afa80 ebp=008afaac iopl=0         nv up ei pl zr na pe nc
    cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
    *** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Windows\SYSTEM32\ntdll.dll - 
    ntdll!DbgBreakPoint:
    7782410c cc              int     3
    0:001> g
    ModLoad: 77600000 77683000   C:\Windows\system32\CLBCatQ.DLL
    ModLoad: 6bf40000 6bf98000   C:\Program Files\Common Files\microsoft shared\ink\tiptsf.dll
    ModLoad: 6d560000 6d6cf000   C:\Windows\system32\explorerframe.dll
    ModLoad: 743d0000 743ff000   C:\Windows\system32\DUser.dll
    ModLoad: 74400000 744b2000   C:\Windows\system32\DUI70.dll
    ModLoad: 74230000 7432b000   C:\Windows\system32\WindowsCodecs.dll
    ModLoad: 758b0000 758fc000   C:\Windows\system32\apphelp.dll
    ModLoad: 6d880000 6d8b1000   C:\Windows\system32\EhStorShell.dll
    ModLoad: 77260000 773fd000   C:\Windows\system32\SETUPAPI.dll
    ModLoad: 75a80000 75aa7000   C:\Windows\system32\CFGMGR32.dll
    ModLoad: 75b40000 75b52000   C:\Windows\system32\DEVOBJ.dll
    ModLoad: 746a0000 74795000   C:\Windows\system32\PROPSYS.dll
    ModLoad: 6cd40000 6d14a000   GrooveEX.DLL
    ModLoad: 6cd40000 6d14a000   C:\PROGRA~1\MICROS~1\Office14\GROOVEEX.DLL
    ModLoad: 71ae0000 71b83000   C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\MSVCR90.dll
    ModLoad: 6d7f0000 6d87e000   C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\MSVCP90.dll
    ModLoad: 6d910000 6d93b000   C:\Windows\WinSxS\x86_microsoft.vc90.atl_1fc8b3b9a1e18e3b_9.0.30729.6161_none_51cd0a7abbe4e19b\ATL90.DLL
    ModLoad: 6c920000 6cd3a000   C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE14\Cultures\office.odf
    ModLoad: 6c0b0000 6c915000   C:\PROGRA~1\MICROS~1\Office14\1033\GrooveIntlResource.dll
    ModLoad: 6d780000 6d7ea000   C:\Windows\System32\cscui.dll
    ModLoad: 70310000 70319000   C:\Windows\System32\CSCDLL.dll
    ModLoad: 71d10000 71d1b000   C:\Windows\system32\CSCAPI.dll
    ModLoad: 6d710000 6d780000   C:\Windows\system32\ntshrui.dll
    ModLoad: 757f0000 75809000   C:\Windows\system32\srvcli.dll
    ModLoad: 73c10000 73c1a000   C:\Windows\system32\slc.dll
    ModLoad: 70500000 70506000   C:\Windows\system32\IconCodecService.dll
    ModLoad: 74330000 7435f000   C:\Windows\system32\xmllite.dll
    ModLoad: 6bc50000 6bce4000   C:\Windows\system32\MsftEdit.dll
    ModLoad: 6d180000 6d1ab000   C:\Windows\system32\msls31.dll
    ModLoad: 75920000 7592b000   C:\Windows\system32\profapi.dll
    ModLoad: 74330000 7435f000   C:\Windows\system32\xmllite.dll
    ModLoad: 753d0000 753e6000   C:\Windows\system32\CRYPTSP.dll
    ModLoad: 75180000 751bb000   C:\Windows\system32\rsaenh.dll
    ModLoad: 75910000 7591e000   C:\Windows\system32\RpcRtRemote.dll
    ModLoad: 6db90000 6dbec000   C:\Windows\System32\StructuredQuery.dll
    ModLoad: 75870000 75878000   C:\Windows\System32\Secur32.dll
    ModLoad: 75890000 758ab000   C:\Windows\system32\SSPICLI.DLL
    ModLoad: 6d8c0000 6d90e000   C:\Windows\system32\actxprxy.dll
    ModLoad: 67390000 673c3000   C:\Program Files\Internet Explorer\ieproxy.dll
    ModLoad: 74d00000 74d21000   C:\Windows\system32\ntmarta.dll
    ModLoad: 77210000 77255000   C:\Windows\system32\WLDAP32.dll
    ModLoad: 73b10000 73b26000   C:\Windows\system32\thumbcache.dll
    ModLoad: 76270000 76275000   C:\Windows\system32\PSAPI.DLL
    ModLoad: 6d250000 6d27e000   C:\Windows\system32\SHDOCVW.dll
    ModLoad: 68cd0000 6961d000   C:\Windows\system32\ieframe.DLL
    ModLoad: 73f60000 73f9c000   C:\Windows\system32\OLEACC.dll
    ModLoad: 75c80000 75e38000   C:\Windows\system32\iertutil.dll
    ModLoad: 674c0000 67560000   C:\Windows\system32\SearchFolder.dll
    ModLoad: 6bda0000 6bf38000   C:\Windows\system32\NetworkExplorer.dll
    ModLoad: 70340000 70349000   C:\Windows\system32\LINKINFO.dll
    ModLoad: 73690000 736a2000   C:\Windows\system32\MPR.dll
    ModLoad: 60f80000 60f86000   C:\Program Files\Symantec\Symantec Endpoint Protection\SnacNp.dll
    SNACNP Attached!  "C:\Windows\system32\notepad.exe" SNACNP::NPGetCaps::WNNC_NET_TYPE
    SNACNP::NPGetCaps::WNNC_USER
    SNACNP::NPGetCaps::WNNC_CONNECTION
    SNACNP::NPGetCaps::WNNC_ENUMERATION
    SNACNP::NPGetCaps::WNNC_ADMIN
    SNACNP::NPGetCaps::WNNC_DIALOG
    ModLoad: 70350000 70358000   C:\Windows\System32\drprov.dll
    ModLoad: 754f0000 75519000   C:\Windows\System32\WINSTA.dll
    ModLoad: 6d160000 6d174000   C:\Windows\System32\ntlanman.dll
    ModLoad: 6bd80000 6bd97000   C:\Windows\System32\davclnt.dll
    ModLoad: 6bd70000 6bd78000   C:\Windows\System32\DAVHLPR.dll
    SNACNP::NPGetCaps::WNNC_START
    ModLoad: 740e0000 740ef000   C:\Windows\system32\wkscli.dll
    ModLoad: 740f0000 740f9000   C:\Windows\system32\netutils.dll
    ModLoad: 5c800000 5ca38000   C:\Windows\system32\wpdshext.dll
    ModLoad: 73bd0000 73c02000   C:\Windows\system32\WINMM.dll
    ModLoad: 744c0000 74650000   C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll
    ModLoad: 70120000 701a9000   C:\Windows\system32\PortableDeviceApi.dll
    ModLoad: 75a50000 75a7d000   C:\Windows\system32\WINTRUST.dll
    ModLoad: 75b60000 75c7e000   C:\Windows\system32\CRYPT32.dll
    ModLoad: 759f0000 759fc000   C:\Windows\system32\MSASN1.dll
    ModLoad: 65930000 6596f000   C:\Windows\system32\audiodev.dll
    ModLoad: 682e0000 68547000   C:\Windows\system32\WMVCore.DLL
    ModLoad: 738e0000 7391d000   C:\Windows\system32\WMASF.DLL
    ModLoad: 64390000 643b2000   C:\Windows\system32\EhStorAPI.dll
    ModLoad: 740d0000 740df000   C:\Windows\system32\samcli.dll
    ModLoad: 747a0000 747b2000   C:\Windows\system32\SAMLIB.dll
    SNACNP Detached!  "C:\Windows\system32\notepad.exe" eax=001dfda8 ebx=00000000 ecx=7ffdf000 edx=7ffd7000 esi=778c7380 edi=778c7340
    eip=77837094 esp=001dfdf0 ebp=001dfe0c iopl=0         nv up ei pl zr na pe nc
    cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
    ntdll!KiFastSystemCallRet:
    77837094 c3              ret
     
     
     
    I have also installed the same version of SEP on another Windows 7 32-bit system, but there is NO message like 'C:\Program Files\Symantec\Symantec Endpoint Protection\SnacNp.dll SNACNP Attached!  "C:\Windows\system32\notepad.exe" SNACNP::NPGetCaps::WNNC_NET_TYPE . . .' when I do the same operation.
     
    What I want to know is how to make SEP generate messages like C:\Program Files\Symantec\Symantec Endpoint Protection\SnacNp.dll
    SNACNP Attached! ... Are there any settings in SEP for this?
     
    Below is the whole output from the second system, if you need it.
     
     
    Microsoft (R) Windows Debugger Version 6.12.0002.633 X86
    Copyright (c) Microsoft Corporation. All rights reserved.
     
    *** wait with pending attach
    Symbol search path is: *** Invalid ***
    ****************************************************************************
    * Symbol loading may be unreliable without a symbol search path.           *
    * Use .symfix to have the debugger choose a symbol path.                   *
    * After setting your symbol path, use .reload to refresh symbol locations. *
    ****************************************************************************
    Executable search path is: 
    ModLoad: 00650000 00680000   C:\Windows\system32\notepad.exe
    ModLoad: 77510000 7764d000   C:\Windows\SYSTEM32\ntdll.dll
    ModLoad: 77140000 77214000   C:\Windows\system32\kernel32.dll
    ModLoad: 75930000 7597a000   C:\Windows\system32\KERNELBASE.dll
    ModLoad: 77410000 774b0000   C:\Windows\system32\ADVAPI32.dll
    ModLoad: 77690000 7773c000   C:\Windows\system32\msvcrt.dll
    ModLoad: 77660000 77679000   C:\Windows\SYSTEM32\sechost.dll
    ModLoad: 75cf0000 75d91000   C:\Windows\system32\RPCRT4.dll
    ModLoad: 76cf0000 76d3e000   C:\Windows\system32\GDI32.dll
    ModLoad: 77070000 77139000   C:\Windows\system32\USER32.dll
    ModLoad: 77680000 7768a000   C:\Windows\system32\LPK.dll
    ModLoad: 77220000 772bd000   C:\Windows\system32\USP10.dll
    ModLoad: 76ed0000 76f4b000   C:\Windows\system32\COMDLG32.dll
    ModLoad: 76d40000 76d97000   C:\Windows\system32\SHLWAPI.dll
    ModLoad: 74380000 7451e000   C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16661_none_420fe3fa2b8113bd\COMCTL32.dll
    ModLoad: 760a0000 76ce9000   C:\Windows\system32\SHELL32.dll
    ModLoad: 73450000 734a1000   C:\Windows\system32\WINSPOOL.DRV
    ModLoad: 75f40000 7609c000   C:\Windows\system32\ole32.dll
    ModLoad: 76e30000 76ebf000   C:\Windows\system32\OLEAUT32.dll
    ModLoad: 74ba0000 74ba9000   C:\Windows\system32\VERSION.dll
    ModLoad: 75bb0000 75bcf000   C:\Windows\system32\IMM32.DLL
    ModLoad: 76f60000 7702c000   C:\Windows\system32\MSCTF.dll
    ModLoad: 755f0000 755fc000   C:\Windows\system32\CRYPTBASE.dll
    ModLoad: 74300000 74340000   C:\Windows\system32\uxtheme.dll
    ModLoad: 73ea0000 73eb3000   C:\Windows\system32\dwmapi.dll
    ModLoad: 76da0000 76e23000   C:\Windows\system32\CLBCatQ.DLL
    (ae4.814): Break instruction exception - code 80000003 (first chance)
    eax=7ffde000 ebx=00000000 ecx=00000000 edx=775ad7eb esi=00000000 edi=00000000
    eip=77543370 esp=014ef8b4 ebp=014ef8e0 iopl=0         nv up ei pl zr na pe nc
    cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
    *** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Windows\SYSTEM32\ntdll.dll - 
    ntdll!DbgBreakPoint:
    77543370 cc              int     3
    0:001> g
    ModLoad: 6d800000 6d858000   C:\Program Files\Common Files\microsoft shared\ink\tiptsf.dll
    ModLoad: 6e200000 6e36f000   C:\Windows\system32\explorerframe.dll
    ModLoad: 73ff0000 7401f000   C:\Windows\system32\DUser.dll
    ModLoad: 74020000 740d2000   C:\Windows\system32\DUI70.dll
    ModLoad: 73d70000 73e6b000   C:\Windows\system32\WindowsCodecs.dll
    ModLoad: 755a0000 755eb000   C:\Windows\system32\apphelp.dll
    ModLoad: 6fcb0000 6fce1000   C:\Windows\system32\EhStorShell.dll
    ModLoad: 75da0000 75f3d000   C:\Windows\system32\SETUPAPI.dll
    ModLoad: 75720000 75747000   C:\Windows\system32\CFGMGR32.dll
    ModLoad: 75980000 75992000   C:\Windows\system32\DEVOBJ.dll
    ModLoad: 74810000 74905000   C:\Windows\system32\PROPSYS.dll
    ModLoad: 6c3c0000 6c7cb000   GrooveEX.DLL
    ModLoad: 6c3c0000 6c7cb000   C:\PROGRA~1\MIF5BA~1\Office14\GROOVEEX.DLL
    ModLoad: 6e150000 6e1f3000   C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4926_none_508ed732bcbc0e5a\MSVCR90.dll
    ModLoad: 6e0c0000 6e14e000   C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4926_none_508ed732bcbc0e5a\MSVCP90.dll
    ModLoad: 6ffc0000 6ffeb000   C:\Windows\WinSxS\x86_microsoft.vc90.atl_1fc8b3b9a1e18e3b_9.0.30729.4148_none_51ca66a2bbe76806\ATL90.DLL
    ModLoad: 6bfb0000 6c3bf000   C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE14\Cultures\office.odf
    ModLoad: 6b740000 6bfa4000   C:\PROGRA~1\MIF5BA~1\Office14\1033\GrooveIntlResource.dll
    ModLoad: 6dd40000 6ddaa000   C:\Windows\System32\cscui.dll
    ModLoad: 70570000 70579000   C:\Windows\System32\CSCDLL.dll
    ModLoad: 722a0000 722ab000   C:\Windows\system32\CSCAPI.dll
    ModLoad: 6dc60000 6dccf000   C:\Windows\system32\ntshrui.dll
    ModLoad: 754c0000 754d9000   C:\Windows\system32\srvcli.dll
    ModLoad: 73930000 7393a000   C:\Windows\system32\slc.dll
    ModLoad: 73e70000 73e9f000   C:\Windows\system32\xmllite.dll
    ModLoad: 6d450000 6d4e4000   C:\Windows\system32\MsftEdit.dll
    ModLoad: 6d860000 6d88b000   C:\Windows\system32\msls31.dll
    ModLoad: 74a60000 74a81000   C:\Windows\system32\ntmarta.dll
    ModLoad: 759a0000 759e5000   C:\Windows\system32\WLDAP32.dll
    ModLoad: 73e70000 73e9f000   C:\Windows\system32\XmlLite.dll
    ModLoad: 6dae0000 6dae9000   C:\Windows\system32\LINKINFO.dll
    ModLoad: 75120000 75136000   C:\Windows\system32\CRYPTSP.dll
    ModLoad: 74ec0000 74efb000   C:\Windows\system32\rsaenh.dll
    ModLoad: 75690000 7569e000   C:\Windows\system32\RpcRtRemote.dll
    ModLoad: 6b6a0000 6b73f000   C:\Windows\system32\SearchFolder.dll
    ModLoad: 756a0000 756ab000   C:\Windows\system32\profapi.dll
    ModLoad: 6b5f0000 6b64c000   C:\Windows\System32\StructuredQuery.dll
    ModLoad: 75540000 75548000   C:\Windows\System32\Secur32.dll
    ModLoad: 75580000 7559a000   C:\Windows\system32\SSPICLI.DLL
    ModLoad: 6f8c0000 6f8d6000   C:\Windows\system32\thumbcache.dll
    ModLoad: 76ec0000 76ec5000   C:\Windows\system32\PSAPI.DLL
    ModLoad: 6db00000 6db2e000   C:\Windows\system32\SHDOCVW.dll
    ModLoad: 68970000 692bd000   C:\Windows\system32\ieframe.DLL
    ModLoad: 73a80000 73abc000   C:\Windows\system32\OLEACC.dll
    ModLoad: 759f0000 75ba8000   C:\Windows\system32\iertutil.dll
    ModLoad: 700c0000 700cc000   C:\Windows\system32\mssprxy.dll
    ModLoad: 69ac0000 69b66000   mssup.DLL
    ModLoad: 696c0000 69766000   C:\Windows\system32\mssvp.dll
    ModLoad: 6f8e0000 6f8f6000   C:\Windows\system32\MAPI32.dll
    ModLoad: 6d620000 6d7b8000   C:\Windows\system32\NetworkExplorer.dll
    ModLoad: 6b650000 6b69e000   C:\Windows\system32\actxprxy.dll
    ModLoad: 70990000 709c2000   C:\Windows\system32\WINMM.dll
    ModLoad: 73c90000 73c99000   C:\Windows\system32\netutils.dll
    eax=00292338 ebx=00000000 ecx=00292338 edx=00000001 esi=775e8380 edi=775e8340
    eip=77556344 esp=000ef8b4 ebp=000ef8d0 iopl=0         nv up ei pl zr na pe nc
    cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
    ntdll!KiFastSystemCallRet:
    77556344 c3              ret
     
     
    Thanks in advance!
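An added diagnostic, not part of the original post and not Symantec's code. In the first log, SnacNp.dll is loaded right after MPR.dll and is immediately called through NPGetCaps, which is the entry point Windows' Multiple Provider Router calls on every registered Network Provider when the common Open dialog enumerates network resources (drprov.dll, ntlanman.dll and davclnt.dll, the built-in providers, follow it). A provider that is not registered on a machine is never loaded, so the first thing to compare between the two systems is the provider registration. The script below, written here as an assumption that SnacNp.dll is registered as a standard Network Provider, lists the providers in ProviderOrder and resolves each one's ProviderPath; the service name used for the Symantec entry is not known from the post, so the script matches on the DLL file name instead of a fixed key. This list is also a sensible thing for a defender to audit in general, since every DLL in it is loaded into any process that enumerates network resources.

```powershell
# Added example (not from the post or from Symantec): enumerate registered Windows
# Network Providers and flag whether SnacNp.dll is among them on this machine.
# Assumption: SnacNp.dll is registered as a standard Network Provider, i.e. its service
# name appears in ProviderOrder and Services\<name>\NetworkProvider\ProviderPath points
# at the DLL. The Symantec service name is not known from the post, so match on file name.

$orderKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order'
$providerOrder = (Get-ItemProperty -Path $orderKey -Name ProviderOrder).ProviderOrder

# ProviderOrder is a comma-separated list of service names, in call order.
$names = $providerOrder -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }

$results = foreach ($name in $names) {
    $npKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$name\NetworkProvider"
    $rawPath = $null
    if (Test-Path -Path $npKey) {
        $rawPath = (Get-ItemProperty -Path $npKey -Name ProviderPath -ErrorAction SilentlyContinue).ProviderPath
    }

    # ProviderPath is usually REG_EXPAND_SZ (e.g. %SystemRoot%\System32\ntlanman.dll).
    $dllPath = if ($rawPath) { [Environment]::ExpandEnvironmentVariables($rawPath) } else { $null }

    [pscustomobject]@{
        Provider     = $name
        ProviderPath = if ($dllPath) { $dllPath } else { '<no NetworkProvider\ProviderPath value>' }
        DllExists    = [bool]($dllPath -and (Test-Path -Path $dllPath))
        IsSnacNp     = [bool]($dllPath -and ($dllPath -like '*\SnacNp.dll'))
    }
}

$results | Format-Table -AutoSize

if ($results | Where-Object IsSnacNp) {
    Write-Host 'SnacNp.dll is registered as a Network Provider; MPR will load it on network enumeration.'
} else {
    Write-Host 'SnacNp.dll is not in ProviderOrder on this machine, so MPR never loads it.'
}
```

Run it in an elevated PowerShell on both systems and compare the two tables: if SnacNp.dll appears in ProviderOrder on the first machine and not the second, the difference in the WinDbg output is explained by the registration rather than by anything Notepad does. Whether the SNAC provider is installed is a property of the SEP installation (the Network Access Control component), so the comparison also tells you which component to look at on the SEP side.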