All things Symantec

This post contains information on my research into Symantec logs and quarantine files. Content will be updated regularly.

Symantec Endpoint Protection Logs

Symantec Management Client (smc) does not show the entire contents of the log. smc.exe has an -exportlog commandline switch where you can select a log type to export.  Log_type numbers are as follows:

• 0 = System Log
• 1 = Security Log
• 2 = Traffic Log
• 3 = Packet Log
• 4 = Control Log 

These numbers also correlate to an entry in the header of the logs found in C:\ProgramData\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\Logs.

• 0 = syslog.log
• 1 = seclog.log
• 2 = tralog.log
• 3 = rawlog.log
• 4 = processlog.log

Log File Structure

• Client Management System Log
• Client Management Security Log
• Network and Host Exploit Mitigation Traffic Log
• Network and Host Exploit Mitigation Packet Log
• Client Management Control Log

Symantec Endpoint Protection VBN Files

Folder structure makes a difference in what is contained in the vbn file. SEP quarantine files are located in C:\ProgramData\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\Quarantine. In the quarantine folder, there is a vbn file and a folder with the same name as the vbn file.

• Symantec Endpoint Protection VBN Files
• VBN file format v1 (containing quarantine file)
• VBN file format v2 (containing quarantine file)
• VBN log line information