

Interpreting the log files for Symantec AntiVirus Corporate Edition and Symantec Endpoint Protection

Question/Issue:
You need to know what the headers are for each column in the log file(s), usually located in the following directory: C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Logs


Solution:
The Logs folder contains a series of log files, one file for each day of log entries. The files are named MMDDYYYY.log, where MMDDYYYY is the date of the log entries. Each log file is a plain text file that can be viewed in Notepad. The log files are comma-delimited, with 39 fields (numbered 00 to 38 below) in Symantec AntiVirus Corporate Edition 8.x and 53 fields in Symantec AntiVirus Corporate Edition 9.x and later. Free-text fields such as the description are enclosed in double quotes (see the example entry), so split the lines with a CSV parser rather than on every comma.

The logs are kept in the following locations, depending on the version and operating system:


Example entry
200A13080122,23,2,8,TRAVEL00,SYSTEM,,,,,,,16777216,"Symantec AntiVirus Realtime Protection Loaded.",0,,0,,,,,0,,,,,,,,,,SAMPLE_COMPUTER,,,,Parent,GROUP,,8.0.93330


Description of the fields

00) LI_TIME: Time of event, encoded as six hex byte pairs YYMMDDHHMMSS, where YY is the number of years since 1970 and MM is the zero-based month. The example entry's 200A13080122 is 0x20 = 32 years, month 0x0A = 10 (November), day 0x13 = 19, 08:01:34, i.e. 2002-11-19 08:01:34.
01) LI_EVENT: Indicates the event number.
1 - GL_EVENT_IS_ALERT
2 - GL_EVENT_SCAN_STOP
14 - GL_EVENT_STARTUP
The highest defined event number is 80 (GL_EVENT_MAX_EVENT_NUMBER); only the three above are described here.
02) LI_CAT: Category number.
1 - GL_CAT_INFECTION
2 - GL_CAT_SUMMARY
3 - GL_CAT_PATTERN
4 - GL_CAT_SECURITY
03) LI_LOGGER: Indicates the logger of the event.
1 - LOGGER_Manual
2 - LOGGER_Real_Time
7 - LOGGER_VPDOWN
8 - LOGGER_System
101 - LOGGER_Client - the event was received from a client
The larger values below also mark events received from a client: each is LOGGER_Client (101) in the low 16 bits with the number of the logger that raised the event on the client in the high 16 bits.
131173 - Realtime (0x20065 = (2 << 16) + 101)
524389 - System (0x80065 = (8 << 16) + 101)
720997 - Defwatch (0xB0065 = (11 << 16) + 101)
6619237 - Client (0x650065 = (101 << 16) + 101)
04) LI_COMPUTER: Computer's name (or IP / IPX address)
05) LI_USER: Username
06) LI_VIRUS: Virus Name (Virus Found event only)
07) LI_FILE: Virus's Location (Virus Found event only)
08) LI_ACTION1: Primary Action configuration (Virus Found event only)
1 - Quarantine infected file
2 - Rename infected file
3 - Delete infected file
4 - Leave alone (log only)
5 - Clean virus from file
6 - Clean or delete macros
Anything else - Unknown Action
09) LI_ACTION2: Secondary Action configuration (Virus Found event only)
1 - Quarantine infected file
2 - Rename infected file
3 - Delete infected file
4 - Leave alone (log only)
5 - Clean virus from file
6 - Clean or delete macros
Anything else - Unknown Action
10) LI_ACTION0: Action Taken (Virus Found event only)
1 - Quarantined
2 - Renamed
3 - Deleted
4 - Left alone
5 - Cleaned
6 - Cleaned or macros deleted (no longer used as of Symantec AntiVirus 9.x)
7 - Saved file as...
8 - Sent to Intel (AMS)
9 - Moved to backup location
10 - Renamed backup file
11 - Undo action in Quarantine View
12 - Write protected or lack of permissions - Unable to act on file
13 - Backed up file

Additional actions were added to LI_ACTION0 in Symantec AntiVirus 10.0. Read the section Additional changes for Symantec AntiVirus 10.0 for more information.

11) LI_VIRUSTYPE: Virus type as a bit field (Virus Found event only); the values below are in hex. Most viruses found are either 1280 (0x00000500), a macro virus, or 256 (0x00000100), a regular file virus. The following high-order bits can also be present:
0x08000000 - VEFILECOMPRESSED
0x10000000 - VEHURISTIC

When expanded threats are encountered, the table below is used to further identify the threat type.
Example: When W32.Remadmin is detected, this column has the value 400 (hex 190), which is the combination of VEFILEVIRUS + VE_REMOTE_ACCESS.
12) LI_FLAGS: Indicates what kind of action the Eventblock is. Most of the time it will be 16777216 (0x01000000, EB_LOG). Events logged as a Virus Found instead carry 33570852, which is 0x02004024: EB_REAL_CLIENT (0x02000000) plus 0x4024, bits that fall inside the EB_N_OVERLAYS (0x3FF000) and EB_FA_OVERLAYS (0xFFF) masks. Those two entries are masks for multi-bit sub-fields rather than single flags, which is why 33570852 itself does not appear in the list.
8388608 - EB_REPORT (0x00800000)
16777216 - EB_LOG (0x01000000)
33554432 - EB_REAL_CLIENT (0x02000000)
67108864 - EB_FIRST_ITEM (0x04000000)
134217728 - EB_LAST_ITEM (0x08000000)
268435456 - EB_NO_LOG (0x10000000)
536870912 - EB_FROM_CLIENT (0x20000000)
4095 - EB_FA_OVERLAYS (0xFFF, mask)
4190208 - EB_N_OVERLAYS (0x3FF000, mask)
13) LI_DESCRIPTION: Message that will be found on the "Properties" page (Event Log events only) or message indicating Scan start or Scan stop along with results. (Scan History events only.) Error 00000002 is ERROR_FILE_NOT_FOUND. Either the server could not find the file to push to the client, or the server could not determine where on the client to put the file.
14) LI_SCANID: ID number of associated scan (for Scan History events and Virus Found events)
15) LI_NEW_EXT: Will require further investigation as to the purpose of this log entry.
16) LI_GROUPID: Indicates the Group ID.
17) LI_EVENT_DATA: Results of a scan => Viruses : Infected : Total Files : Files Omitted (Scan Complete events only)
18) LI_VBIN_ID: Stores the ID of the file in Quarantine if it is Quarantined.
19) LI_VIRUS_ID: ID of the particular virus.
20) LI_QUARFWD_STATUS: Indicates the status of the Quarantine attempt.
0 - QF_NONE
1 - QF_FAILED
2 - QF_OK
21) LI_ACCESS: Stores the operation flags (hex values); almost always 0.
22) LI_SND_STATUS:
23) LI_COMPRESSED: Indicates whether the file is, or is inside, a compressed file.
0 - No
1 - Yes
24) LI_DEPTH: Indicates at what depth inside a compressed file the virus was found.
25) LI_STILL_INFECTED: Indicates how many files in a compressed container are still infected after a manual or scheduled scan.
26) LI_DEFINFO: Version of Virus Definitions Used (Virus Found event only)
27) LI_DEFSEQNUMBER: The Definition Sequence Number of the Virus Definitions used.
28) LI_CLEANINFO: Indicates whether file is cleanable or not.
0 - VECLEANABLE
1 - VENOCLEANPATTERN
2 - VENOTCLEANABLE
29) LI_DELETEINFO: Indicates whether the file can be deleted.
4 - VEDELETABLE
5 - VENOTDELETABLE
30) LI_BACKUP_ID: Stores the ID of the file stored in Backup if it is backed up.
31) LI_PARENT: Name of the parent server if this is a managed client
32) LI_GUID: GUID of the machine (Virus Found event only)
33) LI_CLIENTGROUP: Stores the client group, if set.
34) LI_ADDRESS: IP or IPX address in the form IP-xxx.xxx.xxx.xxx
35) LI_DOMAINNAME: Server group (set on servers only)
36) LI_NTDOMAIN: Windows domain or workgroup
37) LI_MACADDR: Hardware address
38) LI_VERSION: Software version
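The parser below is an added worked example and is not Symantec's code. It reads the 39-field 8.x line layout described above with a CSV reader (the description field is quoted), decodes LI_TIME from its hex byte pairs (years since 1970, zero-based month, day, hour, minute, second, so the example entry's 200A13080122 becomes 2002-11-19 08:01:34), splits LI_LOGGER into the low-16-bit logger and the high-16-bit originating logger that the client-forwarded values encode, breaks LI_FLAGS into its EB_* bits and the two overlay masks, decodes LI_VIRUSTYPE and LI_ACTION0, and picks out category 1 (GL_CAT_INFECTION) records for triage. The first sample line is the example entry from this document; the second is constructed for the example (a quarantined EICAR test file on a made-up host, forwarded by a client) and its LI_EVENT value is a placeholder, since the event number of a Virus Found record is not given here. Lines from 9.x and later carry further fields, which the parser keeps unnamed under "extra".

```python
import csv
from datetime import datetime

# Fields 00-38 of a Symantec AntiVirus 8.x log line, in the order listed above.
# 9.x and later append more fields; parse_line keeps those under "extra".
FIELD_NAMES = [
    "LI_TIME", "LI_EVENT", "LI_CAT", "LI_LOGGER", "LI_COMPUTER", "LI_USER",
    "LI_VIRUS", "LI_FILE", "LI_ACTION1", "LI_ACTION2", "LI_ACTION0", "LI_VIRUSTYPE",
    "LI_FLAGS", "LI_DESCRIPTION", "LI_SCANID", "LI_NEW_EXT", "LI_GROUPID",
    "LI_EVENT_DATA", "LI_VBIN_ID", "LI_VIRUS_ID", "LI_QUARFWD_STATUS", "LI_ACCESS",
    "LI_SND_STATUS", "LI_COMPRESSED", "LI_DEPTH", "LI_STILL_INFECTED", "LI_DEFINFO",
    "LI_DEFSEQNUMBER", "LI_CLEANINFO", "LI_DELETEINFO", "LI_BACKUP_ID", "LI_PARENT",
    "LI_GUID", "LI_CLIENTGROUP", "LI_ADDRESS", "LI_DOMAINNAME", "LI_NTDOMAIN",
    "LI_MACADDR", "LI_VERSION",
]
CATEGORIES = {1: "GL_CAT_INFECTION", 2: "GL_CAT_SUMMARY", 3: "GL_CAT_PATTERN",
              4: "GL_CAT_SECURITY"}
LOGGERS = {1: "LOGGER_Manual", 2: "LOGGER_Real_Time", 7: "LOGGER_VPDOWN",
           8: "LOGGER_System", 101: "LOGGER_Client"}
# Originating logger carried in the high 16 bits of the client-forwarded
# values listed above (131173, 524389, 720997, 6619237); derived from those.
CLIENT_ORIGINS = {2: "Realtime", 8: "System", 11: "Defwatch", 101: "Client"}
ACTION_TAKEN = {1: "Quarantined", 2: "Renamed", 3: "Deleted", 4: "Left alone",
                5: "Cleaned", 6: "Cleaned or macros deleted", 7: "Saved file as",
                8: "Sent to Intel (AMS)", 9: "Moved to backup location",
                10: "Renamed backup file", 11: "Undo action in Quarantine View",
                12: "Unable to act on file", 13: "Backed up file",
                14: "Pending analysis", 15: "First action partially successful",
                16: "Process must be terminated", 17: "Logging/UI suppressed",
                18: "Restart requested", 19: "Cleaned by deletion",
                20: "Auto-Protect denied file creation"}
EB_FLAGS = {0x00800000: "EB_REPORT", 0x01000000: "EB_LOG",
            0x02000000: "EB_REAL_CLIENT", 0x04000000: "EB_FIRST_ITEM",
            0x08000000: "EB_LAST_ITEM", 0x10000000: "EB_NO_LOG",
            0x20000000: "EB_FROM_CLIENT"}
EB_FA_OVERLAYS, EB_N_OVERLAYS = 0xFFF, 0x3FF000  # multi-bit masks, not flags
VE_FILECOMPRESSED, VE_HEURISTIC = 0x08000000, 0x10000000  # "VEHURISTIC" above
VIRUS_BASE = {0x100: "file virus", 0x500: "macro virus"}

def decode_time(li_time):
    """LI_TIME is six hex byte pairs: years since 1970, zero-based month, day,
    hour, minute, second. '200A13080122' -> 2002-11-19 08:01:34."""
    y, mo, d, h, mi, s = (int(li_time[i:i + 2], 16) for i in range(0, 12, 2))
    return datetime(1970 + y, mo + 1, d, h, mi, s)

def decode_logger(value):
    """Low 16 bits: logger ID; high 16 bits (client-forwarded events only):
    the logger that raised the event on the client, else None."""
    low, high = value & 0xFFFF, value >> 16
    return LOGGERS.get(low, "unknown(%d)" % low), CLIENT_ORIGINS.get(high)

def decode_flags(value):
    """Named EB_* bits plus the values inside the two overlay mask fields."""
    return {"flags": [n for bit, n in EB_FLAGS.items() if value & bit],
            "fa_overlays": value & EB_FA_OVERLAYS,
            "n_overlays": (value & EB_N_OVERLAYS) >> 12}

def decode_virus_type(value):
    """Base type (file/macro) plus the compressed/heuristic high-order bits."""
    mods = [n for bit, n in ((VE_FILECOMPRESSED, "compressed"),
                             (VE_HEURISTIC, "heuristic")) if value & bit]
    base = value & ~(VE_FILECOMPRESSED | VE_HEURISTIC)
    return VIRUS_BASE.get(base, "0x%X" % base), mods

def parse_line(line):
    """Parse one log line; LI_DESCRIPTION may be quoted, so use a CSV reader."""
    values = next(csv.reader([line]))
    rec = dict(zip(FIELD_NAMES, values))
    rec["extra"] = values[len(FIELD_NAMES):]
    rec["time"] = decode_time(rec["LI_TIME"])
    rec["category"] = CATEGORIES.get(int(rec["LI_CAT"]), rec["LI_CAT"])
    rec["logger"], rec["logger_origin"] = decode_logger(int(rec["LI_LOGGER"]))
    rec["flags"] = decode_flags(int(rec["LI_FLAGS"]))
    if rec["category"] == "GL_CAT_INFECTION":  # Virus Found fields are populated
        rec["virus_type"] = decode_virus_type(int(rec["LI_VIRUSTYPE"]))
        rec["action_taken"] = ACTION_TAKEN.get(int(rec["LI_ACTION0"]), "Unknown")
    return rec

def infections(lines):
    """Triage view: (time, host, threat, path, action) for infection records."""
    return [(r["time"].isoformat(), r["LI_COMPUTER"], r["LI_VIRUS"], r["LI_FILE"],
             r["action_taken"]) for r in map(parse_line, lines)
            if r["category"] == "GL_CAT_INFECTION"]

# Constructed sample input: the example entry from this document, then a
# made-up infection record (EICAR test file, category 1, forwarded by a client;
# its LI_EVENT value 1 is a placeholder).
SAMPLE_LINES = [
    '200A13080122,23,2,8,TRAVEL00,SYSTEM,,,,,,,16777216,'
    '"Symantec AntiVirus Realtime Protection Loaded.",0,,0,,,,,0,,,,,,,,,,'
    'SAMPLE_COMPUTER,,,,Parent,GROUP,,8.0.93330',
    r'200A13091E0F,1,1,131173,WS-042,jdoe,EICAR Test String,C:\Temp\eicar.com,'
    r'1,4,1,256,33570852,"Virus found by Auto-Protect.",0,,0,,12,1,2,0,,0,0,,,,'
    r'2,4,,SAMPLE_COMPUTER,,,,Parent,GROUP,,8.0.93330',
]

if __name__ == "__main__":
    for rec in map(parse_line, SAMPLE_LINES):
        print(rec["time"], rec["category"], rec["logger"], rec["flags"])
    print(infections(SAMPLE_LINES))
```

Run it against a real Logs folder by feeding each MMDDYYYY.log through parse_line line by line; the two masks in decode_flags are what make 33570852 come apart into EB_REAL_CLIENT plus overlay values 0x24 and 4 instead of an unexplained constant.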


Additional fields for Symantec AntiVirus Corporate Edition 9.x
Symantec AntiVirus Corporate Edition 9.x adds the following fields:

39) LI_REMOTE_MACHINE: Name of remote computer that attempted to copy a threat locally
40) LI_REMOTE_MACHINE_IP: IP address of remote computer that attempted to copy a threat locally
41) LI_ACTION1_STATUS: Status of Requested Primary Action
42) LI_ACTION2_STATUS: Status of Requested Secondary Action

43) LI_LICENSE_FEATURE_NAME
44) LI_LICENSE_FEATURE_VER
45) LI_LICENSE_SERIAL_NUM
46) LI_LICENSE_FULFILLMENT_ID
47) LI_LICENSE_START_DT
48) LI_LICENSE_EXPIRATION_DT
49) LI_LICENSE_LIFECYCLE
50) LI_LICENSE_SEATS_TOTAL
51) LI_LICENSE_SEATS
52) LI_ERR_CODE
53) LI_LICENSE_SEATS_DELTA

54) LI_STATUS
55) LI_DOMAIN_GUID
56) LI_LOG_SESSION_GUID
57) LI_VBIN_SESSION_ID
58) LI_LOGIN_DOMAIN


Additional changes for Symantec AntiVirus 10.0
The following additional actions were added to LI_ACTION0 for Symantec AntiVirus 10.0:

10) LI_ACTION0: Action Taken (Virus Found event only)
14 - Pending analysis
15 - First action was partially successful; second action was Leave Alone. Results of the second action are not mentioned.
16 - A process needs to be terminated to remove a risk
17 - Prevent a risk from being logged or a user interface from being displayed
18 - Performing a request to restart the computer
19 - Cleaned by deletion (shown as "Cleaned by Deletion" in the client's Risk History and in the logs in the Symantec System Center)
20 - Auto-Protect prevented a file from being created; reported "Access denied."





Document ID: 2002111911231448
Last Modified: 11/05/2009
Date Created: 11/19/2002
Operating System(s): Windows 2000, Windows XP Home, Windows XP Professional Edition, Windows XP Tablet PC, NetWare 5.1, NetWare 6.0, NetWare 6.5, Windows XP 64-Bit Edition 2003, Windows Server 2003 32-bit Edition, Windows Server 2003 64-bit Edition, Windows XP Media Center Edition 2005, Windows 98, Windows Me, Windows NT 4.0 SP6a, NetWare 5.0
Product(s): Endpoint Protection 11, Symantec AntiVirus 10.1, Symantec AntiVirus Corporate Edition 10.0, Symantec AntiVirus Corporate Edition 8.0, Symantec AntiVirus Corporate Edition 9.0, Symantec Client Security 3.0, Symantec Client Security 3.1
Release(s): Endpoint Protection 11 [All Releases], SAV 10.0 [All Releases], SAV 8.0 [All Releases], SAV 9.0 [All Releases], Symantec AntiVirus 10.1, Symantec Client Security 3.1, Symantec Client Security 3.x [All versions]


©1995 - 2010 Symantec Corporation