Tuesday, January 26, 2021

Your AV is Trying to Tell You Something: tralog.log

tralog_Format.md

Network and Host Exploit Midigation Traffic Log

The traffic log contains network traffic that occur on the endpoint. This log is populated when there is a hit on one of the firewall rules. The things of interest that are missing from the Windows client inlude: the MD5/SHA256 hash of the executable that triggered the firewall rule and the rule id.

Traffic Log File Format

The traffic log for SEP can be found at the following location: C:\ProgramData\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\Logs\tralog.log

Field Type Size Description
Log Type hex 8 Always 00000002
Max Log Size hex 8 Maximum log file size in bytes
Unknown hex 8 ?
Number of Entries hex 8 Number of entries in log
Unknown hex 8 ?
Running Total Entries hex 16 Total number of events generated
Max Log Days hex 8 Maximun days to save log entries

Log Entries

The log is in TSV format, meaning, each field is separated by a tab character.

Field Type Size Description
Entry Length hex 8 Length of log entry
Date and Time Windows: 64 bit Hex Value - Big Endian 16 The time of the generated event (GMT).
Event ID hex 8 An event ID from the sending agent:
301 = TCP initiated
302 = UDP datagram
303 = Ping request
304 = TCP completed
305 = Traffic (other)
306 = ICMPv4 packet
307 = Ethernet packet
308 = IP packet
309 = ICMPv6 packet *
Local Host hex 8 The IP address of the local computer (IPv4).
Remote Host hex 8 The IP address of the remote computer (IPv4).
Local Port hex 8 The TCP/UDP port of the local computer (host byte-order). It is only valid on
TSE_TRAFFIC_TCP and TSE_TRAFFIC_UDP. For other events, it is always zero.
Remote Port hex 8 The TCP/UDP port of the remote computer (host byte-order). It is only valid on
TSE_TRAFFIC_TCP and TSE_TRAFFIC_UDP. For other events, it is always zero.
Direction hex 8 The direction of traffic. (Unknown = 0; inbound = 1; outbound = 2)
Begin Time Windows: 64 bit Hex Value - Big Endian 16 The start time of the security issue.
End Time Windows: 64 bit Hex Value - Big Endian 16 The end time of the security issue. This field is an optional field because the exact
end time of traffic may not be detected; for example, as with UDP traffic. If the end
time is not detected, it is set to equal the start time.
Repetition hex 8 The number of attacks. Sometime, when a hacker launches a mass attack, it may
be reduced to one event by the log system, depending on the damper period.
Action hex 8 Specifies if the traffic was blocked. (Yes = 1, no = 0)
Unknown hex 8 Will require further investigation as to the purpose of this log entry.
Severity hex 8 Severity as defined in the security rule.
Critical = 0 - 3
Major = 4 - 7
Minor = 8 - 11
Info = 12 - 15
Rule ID char 32 The ID of the rule that is triggered by the event. It is always 0 if the rule ID is not
specified in the security rule. This field is helpful to security rule troubleshooting. If
multiple rules match, it logs the rule that has the final decision on PacketProc
(pass/block/drop).
Remote Host Name nvarchar 128 The host name of the remote computer. This field may be empty if the name resolution failed.
Rule nvarchar 512 The name of the rule that was triggered by the event. If the rule name is not
specified in the security rule, then this field is empty. Having the rule name can
be useful for troubleshooting. You may recognize a rule by the rule ID, but rule
name can help you recognize it more quickly.
Application nvarchar 512 The full path of application involved. It may be empty if an unknown application
is involved or if no application is involved. For example, the ping of death DoS
attack does not have AppName because it attacks the operating system itself.
Local MAC binary 32 The MAC address of the local computer.
Remote MAC binary 32 The MAC address of the remote computer.
Location nvarchar 512 The location used when the event occured.
User nvarchar 512 The logon user name.
User Domain nvarchar 512 The logon domain name.
Unknown hex 8 Will require further investigation as to the purpose of this log entry.
Unknown hex 8 Will require further investigation as to the purpose of this log entry.
Remote Host IPV6 hex 32 The IP address of the remote host (IPv6).
Local Host IPV6 hex 32 The IP address of the local comuter (IPv6).
Unknown hex 8 Will require further investigation as to the purpose of this log entry.
Unknown hex 8 Will require further investigation as to the purpose of this log entry.
MD5 char 32 The MD5 hash of the executable that triggered the firewall rule.
SHA-256 char 64 The SHA256 hash of the executable that triggered the firewall rule.
Unknown ? ? Will require further investigation as to the purpose of this log entry.
Unknown ? ? Will require further investigation as to the purpose of this log entry.
Unknown ? ? Will require further investigation as to the purpose of this log entry.

* SEP14.2.1

NTOSKRNL is a special SYSTEM process with PID 4. Due to how Windows locks the file, SEP is unable to get the hash, so it was hard-coded with a static value.
MD5: 53797320000000000000000000000000
SHA-256: 5379732000000000000000000000000000000000000000000000000000000000

This value is a hexadecimal representation of text:
Hex: 53 79 73 20
Ascii: "Sys "

The reported hash on NTSOKRNL.exe is by design.

Tuesday, January 19, 2021

Your AV is Trying to Tell You Something: seclog.log

seclog_Format.md

Client Management Security Log

The security log contains security events that occur on the endpoint. These include compliance, firewall and IPS, application and device control, and memory exploit mitigation events. Majority of the entries will be related to IPS. There are too many differences to list but, the Windows client will only show you 23 of the 42 fields available. As you can see, this log needs quite a bit of interpretation to figure out what it is trying to say.

Security Log File Format

The security log for SEP can be found at the following location: C:\ProgramData\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\Logs\seclog.log

Field Type Size Description
Log Type hex 8 Always 00000001
Max Log Size hex 8 Maximum log file size in bytes
Unknown hex 8 ?
Number of Entries hex 8 Number of entries in log
Unknown hex 8 ?
Running Total Entries hex 16 Total number of events generated
Max Log Days hex 8 Maximun days to save log entries

Log Entries

The log is in TSV format, meaning, each field is separated by a tab character.

Field Type Size Description
Entry Length hex 8 Length of log entry
Date and Time Windows: 64 bit Hex Value - Big Endian 16 The time of the generated event (GMT).
Event ID hex 8 Compliance events:
209 = Host Integrity failed.
210 = Host Integrity passed.
221 = Host Integrity failed, but reported as passed.
237 = Host Integrity custom log entry.

Firewall and IPS events:
201 = Invalid traffic by rule. *
202 = Port scan. *
203 = Denial of service. *
204 = Trojan. *
205 = Executable file was changed. *
206 = Intrusion Prevention System Intrusion was detected. *
207 = Active Response.
208 = MAC spoofing. *
211 = Active Response was disengaged.
216 = Executable file change was detected.
217 = Executable file change was accepted.
218 = Executable file change was denied.
219 = Active Response was cancelled. *
220 = Application hijacking.
249 = Browser Protection event.

Application and Device control:
238 = Device control disabled the device.
239 = Buffer Overflow event.
240 = Software protection has thrown an exception.
241 = Not used. *
242 = Device control enabled the device. *

Memory Exploit Mitigation events: *
250 = Memory Exploit Mitigation blocked an event. *
251 = Memory Exploit Mitigation allowed an event. *
Severity hex 8 The severity as defined in the security rule.
Critical = 0 - 3
Major = 4 - 7
Minor = 8 - 11
Info = 12 - 15
Local Host hex 8 The IP address of the local computer (IPv4).
Remote Host hex 8 The IP address of the remote computer (IPv4).
Protocol hex 8 The protocol type. (OTHERS = 1; TCP = 2; UDP = 3; ICMP = 4)
Hack Type hex 8 If event ID = 209, Host Integrity failed (TSLOG_SEC_NO_AV), the reason for the failure
If Event ID = 206, Intrusion Prevention System( Intrusion Detected, TSLOG_SEC_INTRUSION_DETECTED), the intrusion ID
If event ID = 210, Host Integrity passed( TSLOG_SEC_AV), additional information

Possible reasons are as follows:

Process is not running - Bit0 is 1
Signature is out of date - Bit1 is 1
Recovery was attempted - Bit2 is 1
Direction hex 8 The direction of traffic. (Unknown = 0; inbound = 1; outbound = 2)
Begin Time Windows: 64 bit Hex Value - Big Endian 16 The start time of the security issue.
End Time Windows: 64 bit Hex Value - Big Endian 16 The end time of the security issue. This field is an optional field
because the exact end time of traffic may not be detected; for example,
as with UDP traffic. If the end time is not detected, it is set to equal the
start time.
Occurences hex 8 The number of attacks. Sometime, when a hacker launches a mass
attack, it may be reduced to one event by the log system, depending
on the damper period.
Log Data Size hex 8
Description nvarchar 4000 Description of the event. Usually, the first line of the description is
treated as the summary.
Unknown ? ? Will require further investigation as to the purpose of this log entry.
Application nvarchar 512 The full path of the application involved. This field may be empty if
an unknown application is involved, or no application is involved. For
example, the ping of death DoS attack does not have an application
name because it attacks the OS itself.
Log Data varbinary 3000 Additional data in binary format. This field is optional.
Local MAC binary 32 The MAC address of the local computer.
Remote MAC binary 32 The MAC address of the remote computer.
Location nvarchar 512 The location used when the event occured.
User nvarchar 512 The logon user name.
User Domain nvarchar 512 The logon domain name.
Signature ID hex 8 The signature ID.
Signature Sub ID hex 8 The signature sub ID.
Unknown hex 8 Will require further investigation as to the purpose of this log entry.
Unknown hex 8 Will require further investigation as to the purpose of this log entry.
Remote Port hex 8 The remote port.
Locacl Port hex 8 The local port.
Local Host IPV6 hex 32 The IP address of the local computer (IPv6).
Remote Host IPV6 hex 32 The IP address of the remote computer (IPv6).
Signature Name nvarchar 520 The signature name.
X Intrusion Payload nvarchar 4200 The URL that hosted the payload.
Intrusion URL nvarchar 4200 The URL from the detection
Unknown ? ? Will require further investigation as to the purpose of this log entry.
Symantec Version Number nvarchar 128 The agent version number on the client.
Profile Serial Number varchar 64 The policy serial number.
Unknown hex 8 Will require further investigation as to the purpose of this log entry.
MD5 Hash char 32 The MD5 hash value.
SHA-256 Hash char 64 The SHA-256 hash value.
URL_HID_LEVEL hex 8 Added for future release. Not used now.
URL_RISK_SCORE hex 8 Added for future release. Not used now.
URL_CATEGORIES char 64 1 = Adult/Mature Content
3 = Pornography
4 = Sex Education
5 = Intimate Apparel/Swimsuit
6 = Nudity
7 = Gore/Extreme
9 = Scam/Questionable Legality
11 = Gambling
14 = Violence/Intolerance
15 = Weapons
16 = Abortion
17 = Hacking
18 = Phishing
20 = Entertainment
21 = Business/Economy
22 = Alternative Spirituality/Belief
23 = Alcohol
24 = Tobacco
25 = Controlled Substances
26 = Child Pornography
27 = Education
29 = Charitable/Non-Profit
30 = Art/Culture
31 = Finance
32 = Brokerage/Trading
33 = Games
34 = Government/Legal
35 = Military
36 = Political/Social Advocacy
37 = Health
38 = Technology/Internet
40 = Search Engines/Portals
43 = Malicious Sources/Malnets
44 = Malicious Outbound Data/Botnets
45 = Job Search/Careers
46 = News
47 = Personals/Dating
49 = Reference
50 = Mixed Content/Potentially Adult
51 = Chat (IM)/SMS
52 = Email
53 = Newsgroups/Forums
54 = Religion
55 = Social Networking
56 = File Storage/Sharing
57 = Remote Access
58 = Shopping
59 = Auctions
60 = Real Estate
61 = Society/Daily Living
63 = Personal Sites
64 = Restaurants/Food
65 = Sports/Recreation
66 = Travel
67 = Vehicles
68 = Humor/Jokes
71 = Software Downloads
83 = Peer-to-Peer (P2P)
84 = Audio/Video Clips
85 = Office/Business Applications
86 = Proxy Avoidance
87 = For Kids
88 = Web Ads/Analytics
89 = Web Hosting
90 = Uncategorized
92 = Suspicious
93 = Sexual Expression
95 = Translation
96 = Web Infrastructure
97 = Content Delivery Networks
98 = Placeholders
101 = Spam
102 = Potentially Unwanted Software
103 = Dynamic DNS Host
104 = URL Shorteners
105 = Email Marketing
106 = E-Card/Invitations
107 = Informational
108 = Computer/Information Security
109 = Internet Connected Devices
110 = Internet Telephony
111 = Online Meetings
112 = Media Sharing
113 = Radio/Audio Streams
114 = TV/Video Streams
116 = Cloud Infrastructure
117 = Cryptocurrency
118 = Piracy/Copyright Concerns
121 = Marijuana
124 = Compromised Sites

* SEP14.2.1
† SEP14.3.0.1

Tuesday, January 12, 2021

Your AV is Trying to Tell You Something: syslog.log

syslog_Format.md

Client Management System Log

The system log contains system traffic that occur on the endpoint. This includes installation, service, configuration, host integrity, import, client, server, policy, antivirus engine, licensing, security, submission, and other events. The Windows client will show you the Date and Time, Severity, Summary, and Description. But what you are missing is the Event ID, Event Source, Location, and the log line. On the plus side though, it is one of the more human readable logs.

System Log File Format

The system log for SEP can be found at the following location:
C:\ProgramData\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\Logs\syslog.log

The syslog.log file contains a tab separated header containing the following information:

Field Type Size Description
Log Type hex 8 Always 00000000
Max Log Size hex 8 Maximum log file size in bytes
Unknown hex 8 ?
Number of Entries hex 8 Number of entries in log
Unknown hex 8 ?
Running Total Entries hex 16 Total number of events generated
Max Log Days hex 8 Maximun days to save log entries

Log Entries

The log is in TSV format, meaning, each field is separated by a tab character. The following information can be found in the event entries:

Field Type Size Description
Entry Length hex 8 Length of log entry
Date and Time Windows: 64 bit Hex Value - Big Endian 16 The time of the generated event (GMT).
Event ID hex 8 An event ID sent by a managed client.

Installation events
Possible values are:
0x12070001 = Internal error
0x12070101 = Install complete
0x12070102 = Restart recommended
0x12070103 = Restart required
0x12070104 = Installation failed
0x12070105 = Uninstallation complete
0x12070106 = Uninstallation failed
0x12071037 = Symantec Endpoint Protection installed
0x12071038 = Symantec Firewall installed
0x12071039 = Uninstall
0x1207103A = Uninstall rolled-back

Service events
Possible values are:
0x12070201 = Service starting
0x12070202 = Service started
0x12070203 = Service start failure
0x12070204 = Service stopped
0x12070205 = Service stop failure
0x1207021A = Attempt to stop service

Configuration events
Possible values are:
0x12070206 = Config import complete
0x12070207 = Config import error
0x12070208 = Config export complete
0x12070209 = Config export error

Host Integrity events
Possible values are:
0x12070210 = Host Integrity disabled
0x12070211 = Host Integrity enabled
0x12070220 = NAP integration enabled

Import events
Possible values are:
0x12070214 = Successfully imported advanced rule
0x12070215 = Failed to import advanced rule
0x12070216 = Successfully exported advanced rule
0x12070217 = Failed to export advanced rule
0x1207021B = Imported sylink

Client events
Possible values are:
0x12070218 = Client Engine enabled
0x12070219 = Client Engine disabled
0x12071046 = Proactive Threat Scanning is not supported on this platform
0x12071047 = Proactive Threat Scanning load error
0x12071048 = SONAR content load error
0x12071049 = Allow application

Server events
Possible values are:
0x12070301 = Server connected
0x12070302 = No server response
0x12070303 = Server connection failed
0x12070304 = Server disconnected
0x120B0001 = Cannot reach server
0x120B0002 = Reconnected to the server
0x120b0003 = Automatic upgrade complete

Policy events
Possible values are:
0x12070306 = New policy received
0x12070307 = New policy applied
0x12070308 = New policy failed
0x12070309 = Cannot download policy
0x120B0005 = Cannot download policy
0x1207030A = Have latest policy
0x120B0004 = Have latest policy

Antivirus engine events
Possible values are:
0x12071006 = Scan omission
0x12071007 = Definition file loaded
0x1207100B = Virus behavior detected
0x1207100C = Configuration changed
0x12071010 = Definition file download
0x12071012 = Sent to quarantine server
0x12071013 = Delivered to Symantec
0x12071014 = Security Response backup
0x12071015 = Scan aborted
0x12071016 = Symantec Endpoint Protection Auto-Protect Load error
0x12071017 = Symantec Endpoint Protection Auto-Protect enabled
0x12071018 = Symantec Endpoint Protection Auto-Protect disabled
0x1207101A = Scan delayed
0x1207101B = Scan restarted
0x12071027 = Symantec Endpoint Protection is using old virus definitions
0x12071041 = Scan suspended
0x12071042 = Scan resumed
0x12071043 = Scan duration too short
0x12071045 = Scan enhancements failed

Licensing events
Possible values are:
0x1207101E = License warning
0x1207101F = License error
0x12071020 = License in grace period
0x12071023 = License installed
0x12071025 = License up-to-date

Security events
Possible values are:
0x1207102B = Computer not compliant with security policy
0x1207102C = Computer compliant with security policy
0x1207102D = Tamper attempt
0x12071034 = Login failed
0x12071035 = Login succeeded

Submission events
Possible values are:
0x12120001 = System message from centralized reputation
0x12120002 = Authentication token failure
0x12120003 = Reputation failure
0x12120004 = Reputation network failure
0x12130001 = System message from Submissions
0x12130002 = Submissions failure
0x12130003 = Intrusion prevention submission
0x12130004 = Antivirus detection submission
0x12130005 = Antivirus advanced heuristic detection submission
0x12130006 = Manual user submission
0x12130007 = SONAR heuristic submission
0x12130008 = SONAR detection submission
0x12130009 = File Reputation submission
0x1213000A = Client authentication token request
0x1213000B = LiveUpdate error submission
0x1213000C = Process data submission
0x1213000D = Configuration data submission
0x1213000E = Network data submission

Other events
Possible values are:
0x1207020A = Email post OK
0x1207020B = Email post failure
0x1207020C = Update complete
0x1207020D = Update failure
0x1207020E = Manual location change
0x1207020F = Location changed
0x12070212 = Old rasdll version detected
0x12070213 = Auto-update postponed
0x12070305 = Mode changed
0x1207030B = Cannot apply HI script
0x1207030C = Content Update Server
0x1207030D = Content Update Packet
0x12070500 = System message from device control
0x12070600 = System message from anti-buffer overflow driver
0x12070700 = System message from network access component
0x12070800 = System message from LiveUpdate
0x12070900 = System message from GUP
0x12072000 = System message from Memory Exploit Mitigation
0x12072009 = Intensive Protection disabled
0x1207200A = Intensive Protection enabled
0x12071021 = Access denied warning
0x12071022 = Log forwarding error
0x12071044 = Client moved
0x12071036 = Access denied warning
0x12071000 = Message from Intrusion Prevention
0x12071050 = SONAR disabled
0x12071051 = SONAR enabled
Unknown hex 8 Will require further investigation as to the purpose of this log entry.
Severity hex 8 The type of event. (0 = Info, 1 = Warning, 2 = Error, 3 = Fatal)
Data Size hex 8 Length of data field
Summary/Description nvarchar 2048 Description of the event. Usually, the first line of the description is treated as the summary.
Event Source nvarchar 32 Type of event (CVE, Smc, IPS, SONAR, REP)
Data/Log Line varbinary 2000 Additional data in binary format. This field is optional.
Location nvarchar 512 The location used when the event occured.

Tuesday, January 5, 2021

Your AV is Trying to Tell You Something: Log Lines

Symantec Endpoint Protection (SEP) contains a wealth of information. Unfortunately, when dealing with a disk image/collection, there is not a feasible way of accessing this data. You could query the Symantec Endpoint Protection Management (SEPM) server, but you still will not get all of the information contained on the endpoint. Furthermore, what if there is not a SEPM server in place or the endpoint has not sent its logs to the SEPM server yet? In this series, I will be going through how to decipher the various logs and files that make up SEP. 

I have not seen a lot of information out there on antivirus forensics. Hopefully, this will encourage others to start investigating other antivirus software and the secrets they can hold. So lets up your digital forensics game by examining what your antivirus is trying to tell you, but more importantly, what it is not telling you.

I am going to start out this series with what I have come to know as the log line. This is an important piece to understand because it can be found in the entries of the Antivirus Management Plug-in log, Client Management Security log, Client Management System log, Daily Antivirus logs, and the quarantine files. The log line is a comma separated list (the Extra Data 1 and Extra Data 2 fields contain data in a tab separated list). Although you can view the log line (and the various logs that contain it) in a text editor, it is not human readable. Time to break down the various fields and how to interpret them.

1. Version 1 has the following fields:

Time,Event,Category,Logger,Computer,User,Virus,File,Wanted Action 1,Wanted Action 2,Real Action,Virus Type,Flags,Description,ScanID,New_Ext,Group ID,Event Data,VBin_ID,Virus ID,Quarantine Forward Status,Access,SND_Status,Compressed,Depth,Still Infected,Def Info,Def Sequence Number,Clean Info,Delete Info,Backup ID,Parent,GUID,Client Group,Address,Domain Name,NT Domain,MAC Address,Version,Remote Machine,Remote Machine IP,Action 1 Status,Action 2 Status,License Feature Name,License Feature Version,License Serial Number,License Fulfillment ID,License Start Date,License Expiration Date,License LifeCycle,License Seats Total,License Seats,Error Code,License Seats Delta,Status,Domain GUID,Log Session GUID,VBin Session ID,Login Domain,Event Data 2

Version 2 has the same fields as version 1 plus some extras:

Time,Event,Category,Logger,Computer,User,Virus,File,Wanted Action 1,Wanted Action 2,Real Action,Virus Type,Flags,Description,ScanID,New_Ext,Group ID,Event Data,VBin_ID,Virus ID,Quarantine Forward Status,Access,SND_Status,Compressed,Depth,Still Infected,Def Info,Def Sequence Number,Clean Info,Delete Info,Backup ID,Parent,GUID,Client Group,Address,Domain Name,NT Domain,MAC Address,Version,Remote Machine,Remote Machine IP,Action 1 Status,Action 2 Status,License Feature Name,License Feature Version,License Serial Number,License Fulfillment ID,License Start Date,License Expiration Date,License LifeCycle,License Seats Total,License Seats,Error Code,License Seats Delta,Status,Domain GUID,Log Session GUID,VBin Session ID,Login Domain,Event Data 2,Eraser Category ID,Dynamic Categoryset ID,Dynamic Subcategoryset ID,Display Name To Use,Reputation Disposition,Reputation Confidence,First Seen,Reputation Prevalence,Downloaded URL,Creator For Dropper,CIDS State,Behavior Risk Level,Detection Type,Acknowledge Text,VSIC State,Scan GUID,Scan Duration,Scan Start Time,TargetApp Type,Scan Command GUID

Time/Scan Start Time

The Time and Scan Start Time fields contain a 12 digit hex number. To figure out the time stamp, we need to break it into two digit numbers, convert them to their decimal counterparts, and do a little math. Example: 300012062631 

 
Log_Line_info.md

Entries

Field Description
Time Time of event.
Event
Event Event # Raw Event Code Description
1 IS_ALERT
Scan Stopped 2 SCAN_STOP Occurs when antivirus scanning completes.
Scan Started 3 SCAN_START Occurs when antivirus scanning starts.
Definition File Sent To Server 4 PATTERN_UPDATE Occurs when a parent server sends a .vdb file to a secondary server.
Virus Found 5 INFECTION Occurs when scanning detects a virus.
Scan Omission 6 FILE_NOT_OPEN Occurs when scanning fails to gain access to a file or directory.
Definition File Loaded 7 LOAD_PATTERN Occurs when Symantec AntiVirus loads a new .vdb file.
8 MESSAGE_INFO
9 MESSAGE_ERROR
Checksum 10 CHECKSUM Occurs when a checksum error occurs when verifying a digitally signed file.
Auto-Protect 11 TRAP Occurs when Auto-Protect is not fully operational.
Configuration Changed 12 CONFIG_CHANGE Occurs when a server updates its configurations according to the changes made from the console, excluding configuration changes made in the PRODUCTCONTROL or DOMAINDATA registry keys.
Symantec AntiVirus Shutdown 13 SHUTDOWN Occurs when the ccSvcHst.exe service is unloaded.
Symantec AntiVirus Startup 14 STARTUP Occurs when the ccSvcHst.exe service is loaded.
Definition File Download 16 PATTERN_DOWNLOAD Occurs when new definitions are downloaded by a scheduled definitions update.
Scan Action Auto-Changed 17 TOO_MANY_VIRUSES Occurs when Symantec AntiVirus has deleted or quarantined more than 5 infected files within the last minute. The number of files quarantined or deleted and the time interval are configurable from the registry. The defaults are 5 files in 60 seconds.
Sent To Quarantine Server 18 FWD_TO_QSERVER Occurs when quarantined files are sent to a Quarantine Server.
Delivered To Symantec Security Response 19 SCANDLVR Occurs when a file is delivered to Symantec Security Response.
Backup Restore Error 20 BACKUP Occurs when Symantec AntiVirus cannot back up a file or restore a file from Quarantine.
Scan Aborted 21 SCAN_ABORT Occurs when a scan is stopped before it completes. Symantec AntiVirus Auto-Protect.
Load Error 22 RTS_LOAD_ERROR Occurs when Auto-Protect fails to load.
Symantec AntiVirus Auto-Protect Loaded 23 RTS_LOAD Occurs when Auto-Protect loads successfully.
Symantec AntiVirus Auto-Protect Unloaded 24 RTS_UNLOAD Occurs when Auto-Protect is unloaded.
Scan Delayed 26 SCAN_DELAYED Occurs when a scheduled scan is snoozed/paused (delayed).
Scan Re-started 27 SCAN_RESTART Occurs when a snoozed/paused scan is restarted.
28 ADD_SAVROAMCLIENT_TOSERVER
29 REMOVE_SAVROAMCLIENT_FROMSERVER
30 LICENSE_WARNING
31 LICENSE_ERROR
32 LICENSE_GRACE
33 UNAUTHORIZED_COMM
Log Forwarding Error 34 LOG_FWD_THRD_ERR Occurs when there is a problem with the log forwarding process. Also logs when Event and Settings Manager are started.
35 LICENSE_INSTALLED
36 LICENSE_ALLOCATED
37 LICENSE_OK
38 LICENSE_DEALLOCATED
Definitions Rollback 39 BAD_DEFS_ROLLBACK Occurs when definitions are rolled back.
Definitions Unprotected 40 BAD_DEFS_UNPROTECTED Occurs when a computer is not protected with definitions.
Auto-Protect Error 41 SAV_PROVIDER_PARSING_ERROR Occurs when an error occurs with Auto-Protect.
Configuration Error 42 RTS_ERROR General error. Primarily occurs when a configuration file cannot be read.
43 COMPLIANCE_FAIL
44 COMPLIANCE_SUCCESS
SymProtect Action 45 SECURITY_SYMPROTECT_POLICYVIOLATION Occurs when SymProtect blocks a tamper attempt.
Detection Start 46 ANOMALY_START Occurs when a threat is found. This is the first of a series of steps describing the action taken.
Detection Action 47 DETECTION_ACTION_TAKEN Describes an action taken when a threat is found.
Pending Remediation Action 48 REMEDIATION_ACTION_PENDING Occurs when Auto-Protect is ready to perform a side-effects repair for adware or spyware.
Failed Remediation Action 49 REMEDIATION_ACTION_FAILED Occurs when Auto-Protect fails to perform a successful side-effects repair for adware or spyware.
Successful Remediation Action 50 REMEDIATION_ACTION_SUCCESSFUL Occurs when Auto-Protect performs a successful side-effects repair for adware or spyware.
Detection Finish 51 ANOMALY_FINISH Occurs when Auto-Protect finishes handling a threat.
52 COMMS_LOGIN_FAILED
53 COMMS_LOGIN_SUCCESS
54 COMMS_UNAUTHORIZED_COMM
55 CLIENT_INSTALL_AV
56 CLIENT_INSTALL_FW
57 CLIENT_UNINSTALL
58 CLIENT_UNINSTALL_ROLLBACK
59 COMMS_SERVER_GROUP_ROOT_CERT_ISSUE
60 COMMS_SERVER_CERT_ISSUE
61 COMMS_TRUSTED_ROOT_CHANGE
62 COMMS_SERVER_CERT_STARTUP_FAILED
63 CLIENT_CHECKIN
64 CLIENT_NO_CHECKIN
Scan Stopped 65 SCAN_SUSPENDED Occurs when adware and spyware scans stop.
Scan Started 66 SCAN_RESUMED Occurs when adware and spyware scans start.
67 SCAN_DURATION_INSUFFICIENT
68 CLIENT_MOVE
69 SCAN_FAILED_ENHANCED
70 COMPLIANCE_FAILEDAUDIT
Threat Now Whitelisted 71 HEUR_THREAT_NOW_WHITELISTED The Administrator has added what SONAR previously detected as a threat to the Centralized Exception list, or Symantec has added it to the internal known white listed applications list.
Interesting Process Found Start 72 INTERESTING_PROCESS_DETECTED_START SONAR detection start. The first step of a series describing the action taken on the process.
SONAR engine load error 73 LOAD_ERROR_BASH Failed to load SONAR engine.
SONAR definitions load error 74 LOAD_ERROR_BASH_DEFINITIONS Failed to load SONAR definitions.
Interesting Process Found Finish 75 INTERESTING_PROCESS_DETECTED_FINISH SONAR detection has finished handling the process.
SONAR operating system not supported 76 HPP_SCAN_NOT_SUPPORTED_FOR_OS SONAR is enabled, but it is not supported on the platform.
SONAR Detected Threat Now Known 77 HEUR_THREAT_NOW_KNOWN A SONAR process detection is now a confirmed signature-based security risk.
SONAR engine is disabled 78 DISABLE_BASH SONAR is enabled.
SONAR engine is enabled 79 ENABLE_BASH SONAR is disabled.
Definition load failed 80 DEFS_LOAD_FAILED Failed to apply AV definitions.
Cache server error 81 LOCALREP_CACHE_SERVER_ERROR Cache server error.
Reputation check timed out 82 REPUTATION_CHECK_TIMEOUT Reputation check timed out.
83 SYMEPSECFILTER_DRIVER_ERROR
84 VSIC_COMMUNICATION_WARNING
85 VSIC_COMMUNICATION_RESTORED
86 ELAM_LOAD_FAILED
87 ELAM_INVALID_OS
88 ELAM_ENABLE
89 ELAM_DISABLE
90 ELAM_BAD
91 ELAM_BAD_REPORTED_AS_UNKNOWN
92 DISABLE_SYMPROTECT
93 ENABLE_SYMPROTECT
94 NETSEC_EOC_PARSE_FAILED
Category 1 Infection
2 Summary
3 Pattern
4 Security
Logger 0 Scheduled
1 Manual
2 Real_Time
3 Integrity_Shield
6 Console
7 VPDOWN
8 System
9 Startup
10 Idle
11 DefWatch
12 Licensing
13 Manual_Quarantine
14 SymProtect
15 Reboot_Processing
16 Bash
17 SymElam
18 PowerEraser
19 EOCScan
100 LOCAL_END
101 Client
102 Forwarded
256 Transport_Client
Computer Computer name.
User User name.
Virus Virus Name (Virus Found event only)
File Virus's Location (Virus Found event only)
Wanted Action 1 Primary Action (Virus Found event only)

4294967295 Invalid
1 Quarantine
2 Rename
3 Delete
4 Leave Alone
5 Clean
6 Remove Macros
7 Save file as...
8 Sent to backend
9 Restore from Quarantine
10 Rename Back (unused)
11 Undo Action
12 Error
13 Backup to quarantine (backup view)
14 Pending Analysis
15 Partially Fixed
16 Terminate Process Required
17 Exclude from Scanning
18 Reboot Processing
19 Clean by Deletion
20 Access Denied
21 TERMINATE PROCESS ONLY
22 NO REPAIR
23 FAIL
24 RUN POWERTOOL
25 NO REPAIR POWERTOOL
110 INTERESTING PROCESS CAL
111 INTERESTING PROCESS DETECTED
1000 INTERESTING PROCESS HASHED DETECTED
1001 DNS HOST FILE EXCEPTION
Wanted Action 2 Secondary Action (Virus Found event only)

4294967295 Invalid
1 Quarantine
2 Rename
3 Delete
4 Leave Alone
5 Clean
6 Remove Macros
7 Save file as...
8 Sent to backend
9 Restore from Quarantine
10 Rename Back (unused)
11 Undo Action
12 Error
13 Backup to quarantine (backup view)
14 Pending Analysis
15 Partially Fixed
16 Terminate Process Required
17 Exclude from Scanning
18 Reboot Processing
19 Clean by Deletion
20 Access Denied
21 TERMINATE PROCESS ONLY
22 NO REPAIR
23 FAIL
24 RUN POWERTOOL
25 NO REPAIR POWERTOOL
110 INTERESTING PROCESS CAL
111 INTERESTING PROCESS DETECTED
1000 INTERESTING PROCESS HASHED DETECTED
1001 DNS HOST FILE EXCEPTION
Real Action Action Taken (Virus Found event only)

4294967295 Invalid
1 Quarantine
2 Rename
3 Delete
4 Leave Alone
5 Clean
6 Remove Macros
7 Save file as...
8 Sent to backend
9 Restore from Quarantine
10 Rename Back (unused)
11 Undo Action
12 Error
13 Backup to quarantine (backup view)
14 Pending Analysis
15 Partially Fixed
16 Terminate Process Required
17 Exclude from Scanning
18 Reboot Processing
19 Clean by Deletion
20 Access Denied
21 TERMINATE PROCESS ONLY
22 NO REPAIR
23 FAIL
24 RUN POWERTOOL
25 NO REPAIR POWERTOOL
110 INTERESTING PROCESS CAL
111 INTERESTING PROCESS DETECTED
1000 INTERESTING PROCESS HASHED DETECTED
1001 DNS HOST FILE EXCEPTION
Virus Type 48 Heuristic
64 Reputation
80 Hack Tools
96 Spyware
112 Trackware
128 Dialers
144 Remote Access
160 Adware
176 Joke Programs
224 Heuristic Application
Flags Indicates what kind of action the Eventblock is.

    if Flag & 0x400000:
        Flag = Flag + "EB_ACCESS_DENIED "

    if Flag & 0x800000:
        Flag = Flag + "EB_NO_VDIALOG "

    if Flag & 0x1000000:
        Flag = Flag + "EB_LOG "

    if Flag & 0x2000000:
        Flag = Flag + "EB_REAL_CLIENT "

    if Flag & 0x4000000:
        Flag = Flag + "EB_ENDUSER_BLOCKED "

    if Flag & 0x8000000:
        Flag = Flag + "EB_AP_FILE_WIPED "

    if Flag & 0x10000000:
        Flag = Flag + "EB_PROCESS_KILLED "

    if Flag & 0x20000000:
        Flag = Flag + "EB_FROM_CLIENT "

    if Flag & 0x40000000:
        Flag = Flag + "EB_EXTRN_EVENT "

    if Flag & 0x1FF:

        if Flag & 0x1:
            Flag = Flag + "FA_SCANNING_MEMORY "

        if Flag & 0x2:
            Flag = Flag + "FA_SCANNING_BOOT_SECTOR "

        if Flag & 0x4:
            Flag = Flag + "FA_SCANNING_FILE "

        if Flag & 0x8:
            Flag = Flag + "FA_SCANNING_BEHAVIOR "

        if Flag & 0x10:
            Flag = Flag + "FA_SCANNING_CHECKSUM "

        if Flag & 0x20:
            Flag = Flag + "FA_WALKSCAN "

        if Flag & 0x40:
            Flag = Flag + "FA_RTSSCAN "

        if Flag & 0x80:
            Flag = Flag + "FA_CHECK_SCAN "

        if Flag & 0x100:
            Flag = Flag + "FA_CLEAN_SCAN "

    if Flag & 0x803FFE00:
        Flag = Flag + "EB_N_OVERLAYS("

        if Flag & 0x200:
            Flag = Flag + "N_OFFLINE "

        if Flag & 0x400:
            Flag = Flag + "N_INFECTED "

        if Flag & 0x800:
            Flag = Flag + "N_REPSEED_SCAN "

        if Flag & 0x1000:
            Flag = Flag + "N_RTSNODE "

        if Flag & 0x2000:
            Flag = Flag + "N_MAILNODE "

        if Flag & 0x4000:
            Flag = Flag + "N_FILENODE "

        if Flag & 0x8000:
            Flag = Flag + "N_COMPRESSED "

        if Flag & 0x10000:
            Flag = Flag + "N_PASSTHROUGH "

        if Flag & 0x40000:
            Flag = Flag + "N_DIRNODE "

        if Flag & 0x80000:
            Flag = Flag + "N_ENDNODE "

        if Flag & 0x100000:
            Flag = Flag + "N_MEMNODE "

        if Flag & 0x200000:
            Flag = Flag + "N_ADMIN_REQUEST_REMEDIATION "

        Flag = Flag[:-1] + ")"
Description Message that will be found on the "Properties" page (Event Log events only) or message indicating Scan start or Scan stop along with results. (Scan History events only)
ScanID ID number of associated scan (for Scan History events and Virus Found events)
New_Ext Will require further investigation as to the purpose of this log entry.
Group ID Indicates the Group ID.
Event Data Information varies per event (see below)
VBin_ID Stores the ID of the file in Quarantine if it is Quarantined.
Virus ID ID of the particular virus.
Quarantine Forward Status Indicates the status of the Quarantine attempt.

0 NONE
1 FAILED
2 OK
Access This stores the "operation flags"

0x00000001 READ
0x00000002 WRITE
0x00000004 EXEC
0x00000008 IN_TABLE
0x00000010 REJECT_ACTION
0x00000020 ACTION_COMPLETE
0x00000040 DELETE_WHEN_COMPLETE
0x00000080 CLIENT_REQUEST
0x00000100 OWNED_BY_USER
0x00000200 DELETE
0x00000800 OWNED_BY_QUEUE
0x00001000 FILE_IN_CACHE
0x00002000 SCAN
0x00004000 GET_TRAP_DATA
0x00008000 USE_TRAP_DATA
0x00010000 FILE_NEEDS_SCAN
0x00020000 BEFORE_OPEN
0x00040000 AFTER_OPEN
0x00080000 SCAN_BOOT_SECTOR
0x10000000 COMING_FROM_NAVAP
0x20000000 BACKUP_TO_QUARANTINE
SND_Status Will require further investigation as to the purpose of this log entry.
Compressed Indicated whether it is or is in a compressed file or not.

0 No
1 Yes
Depth Indicated at what depth IN a compressed file the virus was found.
Still Infected Tells whether file is still infected or not.

0 No
1 Yes
Def Info Version of Virus Definitions Used (Virus Found event only)
Def Sequence Number The Definition Sequence Number of the Virus Definitions used.
Clean Info Indicates whether file is cleanable or not.

0 CLEANABLE
1 NO CLEAN PATTERN
2 NOT CLEANABLE
Delete Info Indicates whether file is deletable or not.

0 Unknown
1 Unknonw
4 DELETABLE
5 NOT DELETABLE
Backup ID Stores the ID of the file stored in Backup if it is backed up.
Parent Name of Parent if is a Managed Client
GUID GUID of the machine (Virus Found event only)
Client Group Stores the client group, if set.
Address IP or IPX address in the form IP-xxx.xxx.xxx.xxx
Domain Name Server group. Set servers only.
NT Domain Windows domain or workgroup
MAC Address Hardware address
Version Software version
Remote Machine Will require further investigation as to the purpose of this log entry.
Remote Machine IP Will require further investigation as to the purpose of this log entry.
Action 1 Status Will require further investigation as to the purpose of this log entry.
Action 2 Status Will require further investigation as to the purpose of this log entry.
License Feature Name The product name and license type.
License Feature Version The product code, indicating product type, version, and suffix. This information is read from the license file.
License Serial Number The license serial number, which is read from the license file.
License Fulfillment ID The license fulfillment ID, which is read from the license file.
License Start Date The license start date time, which is read from the license file.
License Expiration Date The end date of the license period.
License LifeCycle Will require further investigation as to the purpose of this log entry.
License Seats Total Will require further investigation as to the purpose of this log entry.
License Seats Will require further investigation as to the purpose of this log entry.
Error Code Will require further investigation as to the purpose of this log entry.
License Seats Delta Will require further investigation as to the purpose of this log entry.
Eraser Status 0 Success
1 Reboot Required
2 Nothing To Do
3 Repaired
4 Deleted
5 False
6 Abort
7 Continue
8 Service Not Stopped
9 Application Heuristic Scan Failure
10 Cannot Remediate
11 Whitelist Failure
12 Driver Failure
13 Reserved01
13 Commercial Application List Failure
13 Application Heuristic Scan Invalid OS
13 Content Manager Data Error
999 Leave Alone
1000 Generic Failure
1001 Out Of Memory
1002 Not Initialized
1003 Invalid Argument
1004 Insufficient Buffer
1005 Decryption Error
1006 File Not Found
1007 Out Of Range
1008 COM Error
1009 Partial Failure
1010 Bad Definitions
1011 Invalid Command
1012 No Interface
1013 RSA Error
1014 Path Not Empty
1015 Invalid Path
1016 Path Not Empty
1017 File Still Present
1018 Invalid OS
1019 Not Implemented
1020 Access Denied
1021 Directory Still Present
1022 Inconsistent State
1023 Timeout
1024 Action Pending
1025 Volume Write Protected
1026 Not Reparse Point
1027 File Exists
1028 Target Protected
1029 Disk Full
1030 Shutdown In Progress
1031 Media Error
1032 Network Defs Error
Domain GUID Domain ID
Log Session GUID This is an ID used by the client to keep track of related threat events.
VBin Session ID Will require further investigation as to the purpose of this log entry.
Login Domain The Windows domain.
Event Data 2 * Information varies per event (see below)
Eraser Category ID * 1 HeuristicTrojanWorm
2 HeuristicKeyLogger
100 CommercialRemoteControl
101 CommercialKeyLogger
200 Cookie
300 Shields
Dynamic Categoryset ID * 1 MALWARE
2 SECURITY_RISK
3 POTENTIALLY_UNWANTED_APPLICATIONS
4 EXPERIMENTAL_HEURISTIC
5 LEGACY_VIRAL
6 LEGACY_NON_VIRAL
7 CATEGORY_CRIMEWARE
8 ADVANCED_HEURISTICS
9 REPUTATION_BACKED_ADVANCED_HEURISTICS
10 PREVALENCE_BACKED_ADVANCED_HEURISTICS
Dynamic Subcategoryset ID * Will require further investigation as to the purpose of this log entry.
Display Name To Use * 0 Application Name
1 VID Virus Name
Reputation Disposition * 0 Good
1 Bad
127 Unknown
Reputation Confidence * The Confidence level that produced the conviction.

>= 100: Extremely High [100..]
>= 65: High [65..99]
>= 25: Medium [25..64]
>= 10: Low [10..24]
>=1: Symantec knows very little about the file/unknown [1..9]
0 is not a valid value. We can say unknown also for 0.
Default is 0
First Seen * When the threat was first discovered by Symantec, as downloaded from Symantec's web site.
Reputation Prevalence * The prevalence data for the application

0: Unknown.
1-50: Very low
51-100: Low
101-150: Moderate
151-200: High
201-255: Very high
> 255: Very high
Default is 0
Downloaded URL * The source URL of the first drop on this computer.
Creator For Dropper * The creator process of the dropper threat.
CIDS State * Network intrusion prevention status:

0 = Off
1 = On
2 = Not installed
3 = Off by administrator policy
127 = Unknown.
Default is 127.
Behavior Risk Level * The risk level (high, med, low) for the convicted threat.

0 -- Unknown
1 or 2 -- Low
3 -- Medium
4 -- High
Default is 0.
Detection Type * 0 Traditional
1 Heuristic
Acknowledge Text * Will require further investigation as to the purpose of this log entry.
VSIC State * 0 Off
1 On
2 Failed
Scan GUID * Will require further investigation as to the purpose of this log entry.
Scan Duration * Length of the scan
Scan Start Time * The time that the scan started.
TargetApp Type * 0 Normal
1 Modern (Metro)
Scan Command GUID * Will require further investigation as to the purpose of this log entry.
Field 113 † Will require further investigation as to the purpose of this log entry.
Location † The location used when the event occured.
Field 115 † Will require further investigation as to the purpose of this log entry.
Digital Signatures Signer † The subject of the certificate.
Digital Signatures Issuer † If an executable from a detection event is signed, this field indicates its certificate authority.
Digital Signatures Certificate Thumbprint † The unique ID (or thumbprint) of the digital certificate.
Field 119 † Will require further investigation as to the purpose of this log entry.
Digital Signatures Serial Number † The identification (certificate serial number) of the certificate issued by the certificate authority for the executable.
Digital Signatures Signing Time † Will require further investigation as to the purpose of this log entry.
Field 122 † Will require further investigation as to the purpose of this log entry.
Field 123 † Will require further investigation as to the purpose of this log entry.
Field 124 † Will require further investigation as to the purpose of this log entry.
Field 125 † Will require further investigation as to the purpose of this log entry.
Field 126 † Will require further investigation as to the purpose of this log entry.

Event Data

Event data can be distinguished by the first field. This field can be blank or contain 101, 201, 302, or scan data.

101

If Field 1 = 101, the coresponding fields are as follows:

Field Description
Field 1 101
GUID This is an ID used by the client to keep track of related threat events.
Field 3 Will require further investigation as to the purpose of this log entry.
Num Side Effects Repaired Will require further investigation as to the purpose of this log entry.
Anomaly Action Type Type of remediation. (Human readable form)
Anomaly Action Operation Remediation action. (Human readable form)
Field 7 Will require further investigation as to the purpose of this log entry.
Anomaly Name Virus Name
Anomaly Categories Combination of Categoryset\Subcategoryset ID separated by semicolon
Anomaly Action Type ID Type of remediation.
Anomaly Action OperationID Remediation action.
Previous Log GUID This is an ID used by the client to keep track of related threat events.
Field 13 Will require further investigation as to the purpose of this log entry.

201

If Field 1 = 201, the coresponding fields are as follows:

Field Description
Field 1 201
Field 2 Will require further investigation as to the purpose of this log entry.
Field 3 Will require further investigation as to the purpose of this log entry.
Field 4 Will require further investigation as to the purpose of this log entry.
Field 5 Will require further investigation as to the purpose of this log entry.
Field 6 Will require further investigation as to the purpose of this log entry.
Field 7 Will require further investigation as to the purpose of this log entry.
Field 8 Will require further investigation as to the purpose of this log entry.
Field 9 Will require further investigation as to the purpose of this log entry.
Field 10 Will require further investigation as to the purpose of this log entry.
Field 11 Will require further investigation as to the purpose of this log entry.
Field 12 Will require further investigation as to the purpose of this log entry.
Field 13 Will require further investigation as to the purpose of this log entry.

301

If Field 1 = 301, the coresponding fields are as follows:

Field Description
Field 1 301
Actor PID Process ID for acting process
Actor Process performing the action
Event 1 File Create
2 File Delete
3 File Open
6 Directory Create
7 Directory Delete
14 Registry Key Create
15 Registry Key Delete
16 Registry Value Delete
17 Registry Value Set
18 Registry Key Rename
19 Registry Key Set Security
45 File Set Security
46 Directory Set Security
55 Process Open
56 Process Duplicate
Target PID Process ID for target process
Target What is being targeted
Target Process The process that is being targeted
Field 8 Will require further investigation as to the purpose of this log entry.
Field 9 Will require further investigation as to the purpose of this log entry.
Field 10 N/A
Field 11 N/A
Field 12 N/A
Field 13 N/A

Scan Entries

If Field 1 contains a : separated string, the coresponding fields are as follows:

Field Entry Description
Field 1 Scan Status Will require further investigation as to the purpose of this log entry.
Risks The number of threats that the scan found.
Scanned The number of files scanned.
Files/Folders/Drives Omitted The number of files that were omitted.
Trusted Files Skipped Will require further investigation as to the purpose of this log entry.
Field 2 N/A N/A
Field 3 N/A N/A
Field 4 N/A N/A
Field 5 N/A N/A
Field 6 N/A N/A
Field 7 N/A N/A
Field 8 N/A N/A
Field 9 N/A N/A
Field 10 N/A N/A
Field 11 N/A N/A
Field 12 N/A N/A
Field 13 N/A N/A

Event Data 2

Field Description
Field 1 Will require further investigation as to the purpose of this log entry.
Company Name The company name.
Size The file size
Hash Type The hash algorithm used:

0 = MD5
1 = SHA-1
2 = SHA-256
Hash The hash for this application.
Product Version The application version.
Field 7 Will require further investigation as to the purpose of this log entry.
Field 8 Will require further investigation as to the purpose of this log entry.
Field 9 Will require further investigation as to the purpose of this log entry.
Field 10 Will require further investigation as to the purpose of this log entry.
Field 11 Will require further investigation as to the purpose of this log entry.
Field 12 Will require further investigation as to the purpose of this log entry.
Product Name The application name.
Field 14 Will require further investigation as to the purpose of this log entry.
Field 15 Will require further investigation as to the purpose of this log entry.
Field 16 Will require further investigation as to the purpose of this log entry.
Field 17 Will require further investigation as to the purpose of this log entry.

Information was derived from https://support.symantec.com/en_US/article.TECH100099.html