Monday, April 1, 2019

All things Symantec

This post contains information on my research into Symantec logs and quarantine files. Content will be updated regularly.

Symantec Endpoint Protection Logs

The Symantec Management Client (smc) interface does not show the entire contents of a log. smc.exe has an -exportlog command-line switch that takes the log type to export. The log type numbers are as follows:
  • 0 = System Log
  • 1 = Security Log
  • 2 = Traffic Log
  • 3 = Packet Log
  • 4 = Control Log
These numbers also correlate to an entry in the header of the logs found in C:\ProgramData\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\Logs.
  • 0 = syslog.log
  • 1 = seclog.log
  • 2 = tralog.log
  • 3 = rawlog.log
  • 4 = processlog.log
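As an added example (not code from the original post), a PowerShell helper that exports all five log types with smc.exe -exportlog and hashes each export so the collected copies can be verified later. The -exportlog switch and the log type numbers are the ones listed above; the smc.exe install path and the "0 -1" start/end-time arguments (export the whole log) are assumptions taken from Symantec's documented command-line syntax and may differ on your build.

```powershell
# Added example, not from the original post.
# Exports every SEP client log type with smc.exe -exportlog and records a
# SHA256 of each export so the collected copies can be verified later.
# ASSUMPTIONS: the smc.exe path and the "0 -1" start/end-time arguments
# (export the entire log) follow Symantec's documented syntax; adjust if needed.
param(
    [string]$SmcPath = 'C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\smc.exe',
    [string]$OutDir  = "$env:TEMP\sep-logs"
)

# Log type numbers and the on-disk log each one corresponds to (from the post).
$LogTypes = [ordered]@{
    0 = 'syslog.log'      # System Log
    1 = 'seclog.log'      # Security Log
    2 = 'tralog.log'      # Traffic Log
    3 = 'rawlog.log'      # Packet Log
    4 = 'processlog.log'  # Control Log
}

if (-not (Test-Path $SmcPath)) { throw "smc.exe not found at $SmcPath" }
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

$manifest = foreach ($type in $LogTypes.Keys) {
    $outFile = Join-Path $OutDir ("{0}-{1}.txt" -f $type, $LogTypes[$type])
    # smc -exportlog <log_type> <start_time> <end_time> <output_file>
    # 0 / -1 = whole log (assumed from Symantec's documented syntax).
    # smc.exe is a Windows app, so wait for it to finish before hashing.
    Start-Process -FilePath $SmcPath -Wait `
        -ArgumentList @('-exportlog', $type, '0', '-1', "`"$outFile`"")
    if (Test-Path $outFile) {
        [pscustomobject]@{
            LogType = $type
            Source  = $LogTypes[$type]
            Export  = $outFile
            SHA256  = (Get-FileHash -Algorithm SHA256 -Path $outFile).Hash
        }
    } else {
        Write-Warning "No export produced for log type $type ($($LogTypes[$type]))"
    }
}

$manifest | Format-Table -AutoSize
$manifest | Export-Csv -NoTypeInformation -Path (Join-Path $OutDir 'manifest.csv')
```

Run it from an elevated prompt on the endpoint; the manifest.csv alongside the exports lets you check later that the copies you analyse are the ones that were collected.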

Log File Structure

Symantec Endpoint Protection VBN Files

The folder structure determines what is contained in a VBN file. SEP quarantine files are located in C:\ProgramData\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\Quarantine. In the Quarantine folder, each quarantined item has a .vbn file and a folder with the same name as the .vbn file.
