Symantec Endpoint Protection (SEP) contains a wealth of information. Unfortunately, when dealing with a disk image/collection, there is not a feasible way of accessing this data. You could query the Symantec Endpoint Protection Management (SEPM) server, but you still will not get all of the information contained on the endpoint. Furthermore, what if there is not a SEPM server in place or the endpoint has not sent its logs to the SEPM server yet? In this series, I will be going through how to decipher the various logs and files that make up SEP.
I have not seen a lot of information out there on antivirus forensics. Hopefully, this will encourage others to start investigating other antivirus software and the secrets they can hold. So let's up your digital forensics game by examining what your antivirus is trying to tell you, but more importantly, what it is not telling you.
I am going to start out this series with what I have come to know as the log line. This is an important piece to understand because it can be found in the entries of the Antivirus Management Plug-in log, Client Management Security log, Client Management System log, Daily Antivirus logs, and the quarantine files. The log line is a comma separated list (the Extra Data 1 and Extra Data 2 fields contain data in a tab separated list). Although you can view the log line (and the various logs that contain it) in a text editor, it is not human readable. Time to break down the various fields and how to interpret them.
Version 1 has the following fields:
Time,Event,Category,Logger,Computer,User,Virus,File,Wanted Action 1,Wanted Action 2,Real Action,Virus Type,Flags,Description,ScanID,New_Ext,Group ID,Event Data,VBin_ID,Virus ID,Quarantine Forward Status,Access,SND_Status,Compressed,Depth,Still Infected,Def Info,Def Sequence Number,Clean Info,Delete Info,Backup ID,Parent,GUID,Client Group,Address,Domain Name,NT Domain,MAC Address,Version,Remote Machine,Remote Machine IP,Action 1 Status,Action 2 Status,License Feature Name,License Feature Version,License Serial Number,License Fulfillment ID,License Start Date,License Expiration Date,License LifeCycle,License Seats Total,License Seats,Error Code,License Seats Delta,Status,Domain GUID,Log Session GUID,VBin Session ID,Login Domain,Event Data 2
Version 2 has the same fields as version 1 plus some extras:
Time,Event,Category,Logger,Computer,User,Virus,File,Wanted Action 1,Wanted Action 2,Real Action,Virus Type,Flags,Description,ScanID,New_Ext,Group ID,Event Data,VBin_ID,Virus ID,Quarantine Forward Status,Access,SND_Status,Compressed,Depth,Still Infected,Def Info,Def Sequence Number,Clean Info,Delete Info,Backup ID,Parent,GUID,Client Group,Address,Domain Name,NT Domain,MAC Address,Version,Remote Machine,Remote Machine IP,Action 1 Status,Action 2 Status,License Feature Name,License Feature Version,License Serial Number,License Fulfillment ID,License Start Date,License Expiration Date,License LifeCycle,License Seats Total,License Seats,Error Code,License Seats Delta,Status,Domain GUID,Log Session GUID,VBin Session ID,Login Domain,Event Data 2,Eraser Category ID,Dynamic Categoryset ID,Dynamic Subcategoryset ID,Display Name To Use,Reputation Disposition,Reputation Confidence,First Seen,Reputation Prevalence,Downloaded URL,Creator For Dropper,CIDS State,Behavior Risk Level,Detection Type,Acknowledge Text,VSIC State,Scan GUID,Scan Duration,Scan Start Time,TargetApp Type,Scan Command GUID
Time/Scan Start Time
The Time and Scan Start Time fields contain a 12-digit hex number. To figure out the time stamp, we need to break it into two-digit numbers, convert them to their decimal counterparts, and do a little math. Example: 300012062631
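Decoding the timestamp and naming the fields in code, as an added example that is not from the post or from any SEP tool: it maps a comma-separated log line onto the version 1 or version 2 field names listed above and decodes Time and Scan Start Time. It assumes the byte layout documented in the Symantec log-format article cited at the end of this page (each hex pair is one byte: years since 1970, zero-based month, day, hour, minute, second); the sample line is constructed.

```python
"""Map a Symantec Endpoint Protection log line to field names and decode its timestamps."""
from datetime import datetime

# Version 1 field names (60 fields), in log-line order.
V1_FIELDS = [
    "Time", "Event", "Category", "Logger", "Computer", "User", "Virus", "File",
    "Wanted Action 1", "Wanted Action 2", "Real Action", "Virus Type", "Flags",
    "Description", "ScanID", "New_Ext", "Group ID", "Event Data", "VBin_ID",
    "Virus ID", "Quarantine Forward Status", "Access", "SND_Status", "Compressed",
    "Depth", "Still Infected", "Def Info", "Def Sequence Number", "Clean Info",
    "Delete Info", "Backup ID", "Parent", "GUID", "Client Group", "Address",
    "Domain Name", "NT Domain", "MAC Address", "Version", "Remote Machine",
    "Remote Machine IP", "Action 1 Status", "Action 2 Status",
    "License Feature Name", "License Feature Version", "License Serial Number",
    "License Fulfillment ID", "License Start Date", "License Expiration Date",
    "License LifeCycle", "License Seats Total", "License Seats", "Error Code",
    "License Seats Delta", "Status", "Domain GUID", "Log Session GUID",
    "VBin Session ID", "Login Domain", "Event Data 2",
]
# Version 2 appends 20 more fields (80 in total).
V2_FIELDS = V1_FIELDS + [
    "Eraser Category ID", "Dynamic Categoryset ID", "Dynamic Subcategoryset ID",
    "Display Name To Use", "Reputation Disposition", "Reputation Confidence",
    "First Seen", "Reputation Prevalence", "Downloaded URL", "Creator For Dropper",
    "CIDS State", "Behavior Risk Level", "Detection Type", "Acknowledge Text",
    "VSIC State", "Scan GUID", "Scan Duration", "Scan Start Time",
    "TargetApp Type", "Scan Command GUID",
]
TIME_FIELDS = ("Time", "Scan Start Time")


def decode_time(hex12):
    """Decode a 12-digit hex SEP timestamp into a datetime.

    Assumed layout (per the Symantec log-format article): each pair of hex
    digits is one byte, in the order years since 1970, zero-based month,
    day, hour, minute, second.  "300012062631" -> 2018-01-18 06:38:49.
    """
    if len(hex12) != 12:
        raise ValueError(f"expected 12 hex digits, got {hex12!r}")
    yy, mm, dd, hh, mi, ss = (int(hex12[i:i + 2], 16) for i in range(0, 12, 2))
    return datetime(1970 + yy, mm + 1, dd, hh, mi, ss)


def parse_log_line(line):
    """Split a log line on commas and name the fields by detected version."""
    values = line.rstrip("\r\n").split(",")
    if len(values) == len(V1_FIELDS):
        names, version = V1_FIELDS, 1
    elif len(values) >= len(V2_FIELDS):
        names, version = V2_FIELDS, 2   # any trailing fields beyond 80 are left unnamed
    else:
        raise ValueError(f"unexpected field count: {len(values)}")
    record = dict(zip(names, values))
    record["_version"] = version
    for name in TIME_FIELDS:
        if record.get(name):
            record[name + " (decoded)"] = decode_time(record[name])
    return record


# Constructed sample: a version 2 line carrying the post's example timestamp in Time.
_sample = [""] * len(V2_FIELDS)
_sample[V2_FIELDS.index("Time")] = "300012062631"
_sample[V2_FIELDS.index("Event")] = "5"                  # Virus Found
_sample[V2_FIELDS.index("Computer")] = "WORKSTATION01"    # constructed host name
_sample[V2_FIELDS.index("Scan Start Time")] = "300012062500"
SAMPLE_LINE = ",".join(_sample)

if __name__ == "__main__":
    rec = parse_log_line(SAMPLE_LINE)
    print(rec["_version"], rec["Time (decoded)"], rec["Scan Start Time (decoded)"])
```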
Log_Line_info.md
Entries

| Field | Description |
| --- | --- |
| Time | Time of event. |
| Event | Event code; see the Event table below. |

Event

| Event | Event # | Raw Event Code | Description |
| --- | --- | --- | --- |
| | 1 | IS_ALERT | |
| Scan Stopped | 2 | SCAN_STOP | Occurs when antivirus scanning completes. |
| Scan Started | 3 | SCAN_START | Occurs when antivirus scanning starts. |
| Definition File Sent To Server | 4 | PATTERN_UPDATE | Occurs when a parent server sends a .vdb file to a secondary server. |
| Virus Found | 5 | INFECTION | Occurs when scanning detects a virus. |
| Scan Omission | 6 | FILE_NOT_OPEN | Occurs when scanning fails to gain access to a file or directory. |
| Definition File Loaded | 7 | LOAD_PATTERN | Occurs when Symantec AntiVirus loads a new .vdb file. |
| | 8 | MESSAGE_INFO | |
| | 9 | MESSAGE_ERROR | |
| Checksum | 10 | CHECKSUM | Occurs when a checksum error occurs when verifying a digitally signed file. |
| Auto-Protect | 11 | TRAP | Occurs when Auto-Protect is not fully operational. |
| Configuration Changed | 12 | CONFIG_CHANGE | Occurs when a server updates its configurations according to the changes made from the console, excluding configuration changes made in the PRODUCTCONTROL or DOMAINDATA registry keys. |
| Symantec AntiVirus Shutdown | 13 | SHUTDOWN | Occurs when the ccSvcHst.exe service is unloaded. |
| Symantec AntiVirus Startup | 14 | STARTUP | Occurs when the ccSvcHst.exe service is loaded. |
| Definition File Download | 16 | PATTERN_DOWNLOAD | Occurs when new definitions are downloaded by a scheduled definitions update. |
| Scan Action Auto-Changed | 17 | TOO_MANY_VIRUSES | Occurs when Symantec AntiVirus has deleted or quarantined more than 5 infected files within the last minute. The number of files quarantined or deleted and the time interval are configurable from the registry. The defaults are 5 files in 60 seconds. |
| Sent To Quarantine Server | 18 | FWD_TO_QSERVER | Occurs when quarantined files are sent to a Quarantine Server. |
| Delivered To Symantec Security Response | 19 | SCANDLVR | Occurs when a file is delivered to Symantec Security Response. |
| Backup Restore Error | 20 | BACKUP | Occurs when Symantec AntiVirus cannot back up a file or restore a file from Quarantine. |
| Scan Aborted | 21 | SCAN_ABORT | Occurs when a scan is stopped before it completes. |
| Symantec AntiVirus Auto-Protect Load Error | 22 | RTS_LOAD_ERROR | Occurs when Auto-Protect fails to load. |
| Symantec AntiVirus Auto-Protect Loaded | 23 | RTS_LOAD | Occurs when Auto-Protect loads successfully. |
| Symantec AntiVirus Auto-Protect Unloaded | 24 | RTS_UNLOAD | Occurs when Auto-Protect is unloaded. |
| Scan Delayed | 26 | SCAN_DELAYED | Occurs when a scheduled scan is snoozed/paused (delayed). |
| Scan Re-started | 27 | SCAN_RESTART | Occurs when a snoozed/paused scan is restarted. |
| | 28 | ADD_SAVROAMCLIENT_TOSERVER | |
| | 29 | REMOVE_SAVROAMCLIENT_FROMSERVER | |
| | 30 | LICENSE_WARNING | |
| | 31 | LICENSE_ERROR | |
| | 32 | LICENSE_GRACE | |
| | 33 | UNAUTHORIZED_COMM | |
| Log Forwarding Error | 34 | LOG_FWD_THRD_ERR | Occurs when there is a problem with the log forwarding process. Also logs when Event and Settings Manager are started. |
| | 35 | LICENSE_INSTALLED | |
| | 36 | LICENSE_ALLOCATED | |
| | 37 | LICENSE_OK | |
| | 38 | LICENSE_DEALLOCATED | |
| Definitions Rollback | 39 | BAD_DEFS_ROLLBACK | Occurs when definitions are rolled back. |
| Definitions Unprotected | 40 | BAD_DEFS_UNPROTECTED | Occurs when a computer is not protected with definitions. |
| Auto-Protect Error | 41 | SAV_PROVIDER_PARSING_ERROR | Occurs when an error occurs with Auto-Protect. |
| Configuration Error | 42 | RTS_ERROR | General error. Primarily occurs when a configuration file cannot be read. |
| | 43 | COMPLIANCE_FAIL | |
| | 44 | COMPLIANCE_SUCCESS | |
| SymProtect Action | 45 | SECURITY_SYMPROTECT_POLICYVIOLATION | Occurs when SymProtect blocks a tamper attempt. |
| Detection Start | 46 | ANOMALY_START | Occurs when a threat is found. This is the first of a series of steps describing the action taken. |
| Detection Action | 47 | DETECTION_ACTION_TAKEN | Describes an action taken when a threat is found. |
| Pending Remediation Action | 48 | REMEDIATION_ACTION_PENDING | Occurs when Auto-Protect is ready to perform a side-effects repair for adware or spyware. |
| Failed Remediation Action | 49 | REMEDIATION_ACTION_FAILED | Occurs when Auto-Protect fails to perform a successful side-effects repair for adware or spyware. |
| Successful Remediation Action | 50 | REMEDIATION_ACTION_SUCCESSFUL | Occurs when Auto-Protect performs a successful side-effects repair for adware or spyware. |
| Detection Finish | 51 | ANOMALY_FINISH | Occurs when Auto-Protect finishes handling a threat. |
| | 52 | COMMS_LOGIN_FAILED | |
| | 53 | COMMS_LOGIN_SUCCESS | |
| | 54 | COMMS_UNAUTHORIZED_COMM | |
| | 55 | CLIENT_INSTALL_AV | |
| | 56 | CLIENT_INSTALL_FW | |
| | 57 | CLIENT_UNINSTALL | |
| | 58 | CLIENT_UNINSTALL_ROLLBACK | |
| | 59 | COMMS_SERVER_GROUP_ROOT_CERT_ISSUE | |
| | 60 | COMMS_SERVER_CERT_ISSUE | |
| | 61 | COMMS_TRUSTED_ROOT_CHANGE | |
| | 62 | COMMS_SERVER_CERT_STARTUP_FAILED | |
| | 63 | CLIENT_CHECKIN | |
| | 64 | CLIENT_NO_CHECKIN | |
| Scan Stopped | 65 | SCAN_SUSPENDED | Occurs when adware and spyware scans stop. |
| Scan Started | 66 | SCAN_RESUMED | Occurs when adware and spyware scans start. |
| | 67 | SCAN_DURATION_INSUFFICIENT | |
| | 68 | CLIENT_MOVE | |
| | 69 | SCAN_FAILED_ENHANCED | |
| | 70 | COMPLIANCE_FAILEDAUDIT | |
| Threat Now Whitelisted | 71 | HEUR_THREAT_NOW_WHITELISTED | The Administrator has added what SONAR previously detected as a threat to the Centralized Exception list, or Symantec has added it to the internal known white listed applications list. |
| Interesting Process Found Start | 72 | INTERESTING_PROCESS_DETECTED_START | SONAR detection start. The first step of a series describing the action taken on the process. |
| SONAR engine load error | 73 | LOAD_ERROR_BASH | Failed to load SONAR engine. |
| SONAR definitions load error | 74 | LOAD_ERROR_BASH_DEFINITIONS | Failed to load SONAR definitions. |
| Interesting Process Found Finish | 75 | INTERESTING_PROCESS_DETECTED_FINISH | SONAR detection has finished handling the process. |
| SONAR operating system not supported | 76 | HPP_SCAN_NOT_SUPPORTED_FOR_OS | SONAR is enabled, but it is not supported on the platform. |
| SONAR Detected Threat Now Known | 77 | HEUR_THREAT_NOW_KNOWN | A SONAR process detection is now a confirmed signature-based security risk. |
| SONAR engine is disabled | 78 | DISABLE_BASH | SONAR is enabled. |
| SONAR engine is enabled | 79 | ENABLE_BASH | SONAR is disabled. |
| Definition load failed | 80 | DEFS_LOAD_FAILED | Failed to apply AV definitions. |
| Cache server error | 81 | LOCALREP_CACHE_SERVER_ERROR | Cache server error. |
| Reputation check timed out | 82 | REPUTATION_CHECK_TIMEOUT | Reputation check timed out. |
| | 83 | SYMEPSECFILTER_DRIVER_ERROR | |
| | 84 | VSIC_COMMUNICATION_WARNING | |
| | 85 | VSIC_COMMUNICATION_RESTORED | |
| | 86 | ELAM_LOAD_FAILED | |
| | 87 | ELAM_INVALID_OS | |
| | 88 | ELAM_ENABLE | |
| | 89 | ELAM_DISABLE | |
| | 90 | ELAM_BAD | |
| | 91 | ELAM_BAD_REPORTED_AS_UNKNOWN | |
| | 92 | DISABLE_SYMPROTECT | |
| | 93 | ENABLE_SYMPROTECT | |
| | 94 | NETSEC_EOC_PARSE_FAILED | |
| Field | Description |
| --- | --- |
| Category | 1 Infection; 2 Summary; 3 Pattern; 4 Security |
| Logger | 0 Scheduled; 1 Manual; 2 Real_Time; 3 Integrity_Shield; 6 Console; 7 VPDOWN; 8 System; 9 Startup; 10 Idle; 11 DefWatch; 12 Licensing; 13 Manual_Quarantine; 14 SymProtect; 15 Reboot_Processing; 16 Bash; 17 SymElam; 18 PowerEraser; 19 EOCScan; 100 LOCAL_END; 101 Client; 102 Forwarded; 256 Transport_Client |
| Computer | Computer name. |
| User | User name. |
| Virus | Virus name (Virus Found event only). |
| File | Virus's location (Virus Found event only). |
| Wanted Action 1 | Primary action (Virus Found event only): 4294967295 Invalid; 1 Quarantine; 2 Rename; 3 Delete; 4 Leave Alone; 5 Clean; 6 Remove Macros; 7 Save file as...; 8 Sent to backend; 9 Restore from Quarantine; 10 Rename Back (unused); 11 Undo Action; 12 Error; 13 Backup to quarantine (backup view); 14 Pending Analysis; 15 Partially Fixed; 16 Terminate Process Required; 17 Exclude from Scanning; 18 Reboot Processing; 19 Clean by Deletion; 20 Access Denied; 21 TERMINATE PROCESS ONLY; 22 NO REPAIR; 23 FAIL; 24 RUN POWERTOOL; 25 NO REPAIR POWERTOOL; 110 INTERESTING PROCESS CAL; 111 INTERESTING PROCESS DETECTED; 1000 INTERESTING PROCESS HASHED DETECTED; 1001 DNS HOST FILE EXCEPTION |
| Wanted Action 2 | Secondary action (Virus Found event only); same code values as Wanted Action 1. |
| Real Action | Action taken (Virus Found event only); same code values as Wanted Action 1. |
| Virus Type | 48 Heuristic; 64 Reputation; 80 Hack Tools; 96 Spyware; 112 Trackware; 128 Dialers; 144 Remote Access; 160 Adware; 176 Joke Programs; 224 Heuristic Application |
| Flags | Indicates what kind of action the Eventblock is. The bit masks and their names are decoded in the code block following this table. |

The Flags value decodes as follows (the original pseudocode rewritten as runnable Python, with the same masks, names and output order):

```python
# Event-block bits of the Flags field.
EB_FLAGS = {
    0x400000: "EB_ACCESS_DENIED", 0x800000: "EB_NO_VDIALOG", 0x1000000: "EB_LOG",
    0x2000000: "EB_REAL_CLIENT", 0x4000000: "EB_ENDUSER_BLOCKED",
    0x8000000: "EB_AP_FILE_WIPED", 0x10000000: "EB_PROCESS_KILLED",
    0x20000000: "EB_FROM_CLIENT", 0x40000000: "EB_EXTRN_EVENT",
}
# Scan-type bits (covered by mask 0x1FF).
FA_FLAGS = {
    0x1: "FA_SCANNING_MEMORY", 0x2: "FA_SCANNING_BOOT_SECTOR", 0x4: "FA_SCANNING_FILE",
    0x8: "FA_SCANNING_BEHAVIOR", 0x10: "FA_SCANNING_CHECKSUM", 0x20: "FA_WALKSCAN",
    0x40: "FA_RTSSCAN", 0x80: "FA_CHECK_SCAN", 0x100: "FA_CLEAN_SCAN",
}
# Overlay bits (covered by mask 0x803FFE00), reported inside EB_N_OVERLAYS(...).
N_FLAGS = {
    0x200: "N_OFFLINE", 0x400: "N_INFECTED", 0x800: "N_REPSEED_SCAN",
    0x1000: "N_RTSNODE", 0x2000: "N_MAILNODE", 0x4000: "N_FILENODE",
    0x8000: "N_COMPRESSED", 0x10000: "N_PASSTHROUGH", 0x40000: "N_DIRNODE",
    0x80000: "N_ENDNODE", 0x100000: "N_MEMNODE", 0x200000: "N_ADMIN_REQUEST_REMEDIATION",
}


def decode_flags(flag):
    """Translate the integer Flags value into its space-separated flag names."""
    names = [name for bit, name in EB_FLAGS.items() if flag & bit]
    if flag & 0x1FF:
        names += [name for bit, name in FA_FLAGS.items() if flag & bit]
    if flag & 0x803FFE00:
        overlays = [name for bit, name in N_FLAGS.items() if flag & bit]
        names.append("EB_N_OVERLAYS(" + " ".join(overlays) + ")")
    return " ".join(names)
```
| Field | Description |
| --- | --- |
| Description | Message that will be found on the "Properties" page (Event Log events only), or message indicating scan start or scan stop along with results (Scan History events only). |
| ScanID | ID number of the associated scan (Scan History events and Virus Found events). |
| New_Ext | Will require further investigation as to the purpose of this log entry. |
| Group ID | Indicates the Group ID. |
| Event Data | Information varies per event (see below). |
| VBin_ID | Stores the ID of the file in Quarantine if it is quarantined. |
| Virus ID | ID of the particular virus. |
| Quarantine Forward Status | Indicates the status of the Quarantine attempt: 0 NONE; 1 FAILED; 2 OK |
| Access | Stores the "operation flags": 0x00000001 READ; 0x00000002 WRITE; 0x00000004 EXEC; 0x00000008 IN_TABLE; 0x00000010 REJECT_ACTION; 0x00000020 ACTION_COMPLETE; 0x00000040 DELETE_WHEN_COMPLETE; 0x00000080 CLIENT_REQUEST; 0x00000100 OWNED_BY_USER; 0x00000200 DELETE; 0x00000800 OWNED_BY_QUEUE; 0x00001000 FILE_IN_CACHE; 0x00002000 SCAN; 0x00004000 GET_TRAP_DATA; 0x00008000 USE_TRAP_DATA; 0x00010000 FILE_NEEDS_SCAN; 0x00020000 BEFORE_OPEN; 0x00040000 AFTER_OPEN; 0x00080000 SCAN_BOOT_SECTOR; 0x10000000 COMING_FROM_NAVAP; 0x20000000 BACKUP_TO_QUARANTINE |
| SND_Status | Will require further investigation as to the purpose of this log entry. |
| Compressed | Indicates whether the file is, or is inside, a compressed file: 0 No; 1 Yes |
| Depth | Indicates the depth inside a compressed file at which the virus was found. |
| Still Infected | Tells whether the file is still infected: 0 No; 1 Yes |
| Def Info | Version of the virus definitions used (Virus Found event only). |
| Def Sequence Number | The definition sequence number of the virus definitions used. |
| Clean Info | Indicates whether the file is cleanable: 0 CLEANABLE; 1 NO CLEAN PATTERN; 2 NOT CLEANABLE |
| Delete Info | Indicates whether the file is deletable: 0 Unknown; 1 Unknown; 4 DELETABLE; 5 NOT DELETABLE |
| Backup ID | Stores the ID of the file stored in Backup if it is backed up. |
| Parent | Name of the parent if it is a managed client. |
| GUID | GUID of the machine (Virus Found event only). |
| Client Group | Stores the client group, if set. |
| Address | IP or IPX address in the form IP-xxx.xxx.xxx.xxx |
| Domain Name | Server group. Set for servers only. |
| NT Domain | Windows domain or workgroup. |
| MAC Address | Hardware address. |
| Version | Software version. |
| Remote Machine | Will require further investigation as to the purpose of this log entry. |
| Remote Machine IP | Will require further investigation as to the purpose of this log entry. |
| Action 1 Status | Will require further investigation as to the purpose of this log entry. |
| Action 2 Status | Will require further investigation as to the purpose of this log entry. |
| License Feature Name | The product name and license type. |
| License Feature Version | The product code, indicating product type, version, and suffix. This information is read from the license file. |
| License Serial Number | The license serial number, which is read from the license file. |
| License Fulfillment ID | The license fulfillment ID, which is read from the license file. |
| License Start Date | The license start date and time, which is read from the license file. |
| License Expiration Date | The end date of the license period. |
| License LifeCycle | Will require further investigation as to the purpose of this log entry. |
| License Seats Total | Will require further investigation as to the purpose of this log entry. |
| License Seats | Will require further investigation as to the purpose of this log entry. |
| Error Code | Will require further investigation as to the purpose of this log entry. |
| License Seats Delta | Will require further investigation as to the purpose of this log entry. |
| Eraser Status | 0 Success; 1 Reboot Required; 2 Nothing To Do; 3 Repaired; 4 Deleted; 5 False; 6 Abort; 7 Continue; 8 Service Not Stopped; 9 Application Heuristic Scan Failure; 10 Cannot Remediate; 11 Whitelist Failure; 12 Driver Failure; 13 Reserved01; 13 Commercial Application List Failure; 13 Application Heuristic Scan Invalid OS; 13 Content Manager Data Error; 999 Leave Alone; 1000 Generic Failure; 1001 Out Of Memory; 1002 Not Initialized; 1003 Invalid Argument; 1004 Insufficient Buffer; 1005 Decryption Error; 1006 File Not Found; 1007 Out Of Range; 1008 COM Error; 1009 Partial Failure; 1010 Bad Definitions; 1011 Invalid Command; 1012 No Interface; 1013 RSA Error; 1014 Path Not Empty; 1015 Invalid Path; 1016 Path Not Empty; 1017 File Still Present; 1018 Invalid OS; 1019 Not Implemented; 1020 Access Denied; 1021 Directory Still Present; 1022 Inconsistent State; 1023 Timeout; 1024 Action Pending; 1025 Volume Write Protected; 1026 Not Reparse Point; 1027 File Exists; 1028 Target Protected; 1029 Disk Full; 1030 Shutdown In Progress; 1031 Media Error; 1032 Network Defs Error |
| Domain GUID | Domain ID. |
| Log Session GUID | This is an ID used by the client to keep track of related threat events. |
| VBin Session ID | Will require further investigation as to the purpose of this log entry. |
| Login Domain | The Windows domain. |
| Event Data 2 * | Information varies per event (see below). |
| Eraser Category ID * | 1 HeuristicTrojanWorm; 2 HeuristicKeyLogger; 100 CommercialRemoteControl; 101 CommercialKeyLogger; 200 Cookie; 300 Shields |
| Dynamic Categoryset ID * | 1 MALWARE; 2 SECURITY_RISK; 3 POTENTIALLY_UNWANTED_APPLICATIONS; 4 EXPERIMENTAL_HEURISTIC; 5 LEGACY_VIRAL; 6 LEGACY_NON_VIRAL; 7 CATEGORY_CRIMEWARE; 8 ADVANCED_HEURISTICS; 9 REPUTATION_BACKED_ADVANCED_HEURISTICS; 10 PREVALENCE_BACKED_ADVANCED_HEURISTICS |
| Dynamic Subcategoryset ID * | Will require further investigation as to the purpose of this log entry. |
| Display Name To Use * | 0 Application Name; 1 VID Virus Name |
| Reputation Disposition * | 0 Good; 1 Bad; 127 Unknown |
| Reputation Confidence * | The confidence level that produced the conviction: >= 100 Extremely High [100..]; >= 65 High [65..99]; >= 25 Medium [25..64]; >= 10 Low [10..24]; >= 1 Symantec knows very little about the file/unknown [1..9]. 0 is not a valid value and can also be read as unknown. Default is 0. |
| First Seen * | When the threat was first discovered by Symantec, as downloaded from Symantec's web site. |
| Reputation Prevalence * | The prevalence data for the application: 0 Unknown; 1-50 Very low; 51-100 Low; 101-150 Moderate; 151-200 High; 201-255 Very high; > 255 Very high. Default is 0. |
| Downloaded URL * | The source URL of the first drop on this computer. |
| Creator For Dropper * | The creator process of the dropper threat. |
| CIDS State * | Network intrusion prevention status: 0 Off; 1 On; 2 Not installed; 3 Off by administrator policy; 127 Unknown. Default is 127. |
| Behavior Risk Level * | The risk level (high, medium, low) for the convicted threat: 0 Unknown; 1 or 2 Low; 3 Medium; 4 High. Default is 0. |
| Detection Type * | 0 Traditional; 1 Heuristic |
| Acknowledge Text * | Will require further investigation as to the purpose of this log entry. |
| VSIC State * | 0 Off; 1 On; 2 Failed |
| Scan GUID * | Will require further investigation as to the purpose of this log entry. |
| Scan Duration * | Length of the scan. |
| Scan Start Time * | The time that the scan started. |
| TargetApp Type * | 0 Normal; 1 Modern (Metro) |
| Scan Command GUID * | Will require further investigation as to the purpose of this log entry. |
| Field 113 † | Will require further investigation as to the purpose of this log entry. |
| Location † | The location used when the event occurred. |
| Field 115 † | Will require further investigation as to the purpose of this log entry. |
| Digital Signatures Signer † | The subject of the certificate. |
| Digital Signatures Issuer † | If an executable from a detection event is signed, this field indicates its certificate authority. |
| Digital Signatures Certificate Thumbprint † | The unique ID (or thumbprint) of the digital certificate. |
| Field 119 † | Will require further investigation as to the purpose of this log entry. |
| Digital Signatures Serial Number † | The identification (certificate serial number) of the certificate issued by the certificate authority for the executable. |
| Digital Signatures Signing Time † | Will require further investigation as to the purpose of this log entry. |
| Field 122 † | Will require further investigation as to the purpose of this log entry. |
| Field 123 † | Will require further investigation as to the purpose of this log entry. |
| Field 124 † | Will require further investigation as to the purpose of this log entry. |
| Field 125 † | Will require further investigation as to the purpose of this log entry. |
| Field 126 † | Will require further investigation as to the purpose of this log entry. |
Event Data
Event data is a tab-separated list whose type is identified by its first field. That field can be blank or contain 101, 201, 301, or scan data.
101

If Field 1 = 101, the corresponding fields are as follows:

| Field | Description |
| --- | --- |
| Field 1 | 101 |
| GUID | This is an ID used by the client to keep track of related threat events. |
| Field 3 | Will require further investigation as to the purpose of this log entry. |
| Num Side Effects Repaired | Will require further investigation as to the purpose of this log entry. |
| Anomaly Action Type | Type of remediation (human-readable form). |
| Anomaly Action Operation | Remediation action (human-readable form). |
| Field 7 | Will require further investigation as to the purpose of this log entry. |
| Anomaly Name | Virus name. |
| Anomaly Categories | Combination of Categoryset\Subcategoryset IDs separated by semicolons. |
| Anomaly Action Type ID | Type of remediation. |
| Anomaly Action OperationID | Remediation action. |
| Previous Log GUID | This is an ID used by the client to keep track of related threat events. |
| Field 13 | Will require further investigation as to the purpose of this log entry. |
201

If Field 1 = 201, the corresponding fields are as follows:

| Field | Description |
| --- | --- |
| Field 1 | 201 |
| Field 2 | Will require further investigation as to the purpose of this log entry. |
| Field 3 | Will require further investigation as to the purpose of this log entry. |
| Field 4 | Will require further investigation as to the purpose of this log entry. |
| Field 5 | Will require further investigation as to the purpose of this log entry. |
| Field 6 | Will require further investigation as to the purpose of this log entry. |
| Field 7 | Will require further investigation as to the purpose of this log entry. |
| Field 8 | Will require further investigation as to the purpose of this log entry. |
| Field 9 | Will require further investigation as to the purpose of this log entry. |
| Field 10 | Will require further investigation as to the purpose of this log entry. |
| Field 11 | Will require further investigation as to the purpose of this log entry. |
| Field 12 | Will require further investigation as to the purpose of this log entry. |
| Field 13 | Will require further investigation as to the purpose of this log entry. |
301

If Field 1 = 301, the corresponding fields are as follows:

| Field | Description |
| --- | --- |
| Field 1 | 301 |
| Actor PID | Process ID of the acting process. |
| Actor | Process performing the action. |
| Event | 1 File Create; 2 File Delete; 3 File Open; 6 Directory Create; 7 Directory Delete; 14 Registry Key Create; 15 Registry Key Delete; 16 Registry Value Delete; 17 Registry Value Set; 18 Registry Key Rename; 19 Registry Key Set Security; 45 File Set Security; 46 Directory Set Security; 55 Process Open; 56 Process Duplicate |
| Target PID | Process ID of the target process. |
| Target | What is being targeted. |
| Target Process | The process that is being targeted. |
| Field 8 | Will require further investigation as to the purpose of this log entry. |
| Field 9 | Will require further investigation as to the purpose of this log entry. |
| Field 10 | N/A |
| Field 11 | N/A |
| Field 12 | N/A |
| Field 13 | N/A |
Scan Entries

If Field 1 contains a colon-separated string, the corresponding fields are as follows:

| Field | Entry | Description |
| --- | --- | --- |
| Field 1 | Scan Status | Will require further investigation as to the purpose of this log entry. |
| | Risks | The number of threats that the scan found. |
| | Scanned | The number of files scanned. |
| | Files/Folders/Drives Omitted | The number of files that were omitted. |
| | Trusted Files Skipped | Will require further investigation as to the purpose of this log entry. |
| Field 2 | N/A | N/A |
| Field 3 | N/A | N/A |
| Field 4 | N/A | N/A |
| Field 5 | N/A | N/A |
| Field 6 | N/A | N/A |
| Field 7 | N/A | N/A |
| Field 8 | N/A | N/A |
| Field 9 | N/A | N/A |
| Field 10 | N/A | N/A |
| Field 11 | N/A | N/A |
| Field 12 | N/A | N/A |
| Field 13 | N/A | N/A |
Event Data 2

| Field | Description |
| --- | --- |
| Field 1 | Will require further investigation as to the purpose of this log entry. |
| Company Name | The company name. |
| Size | The file size. |
| Hash Type | The hash algorithm used: 0 = MD5; 1 = SHA-1; 2 = SHA-256 |
| Hash | The hash for this application. |
| Product Version | The application version. |
| Field 7 | Will require further investigation as to the purpose of this log entry. |
| Field 8 | Will require further investigation as to the purpose of this log entry. |
| Field 9 | Will require further investigation as to the purpose of this log entry. |
| Field 10 | Will require further investigation as to the purpose of this log entry. |
| Field 11 | Will require further investigation as to the purpose of this log entry. |
| Field 12 | Will require further investigation as to the purpose of this log entry. |
| Product Name | The application name. |
| Field 14 | Will require further investigation as to the purpose of this log entry. |
| Field 15 | Will require further investigation as to the purpose of this log entry. |
| Field 16 | Will require further investigation as to the purpose of this log entry. |
| Field 17 | Will require further investigation as to the purpose of this log entry. |
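Decoding the Event Data and Event Data 2 fields in code, as an added example that is not part of the original page or of any SEP tool: it dispatches on the first tab-separated subfield (101, 201, 301 or a colon-separated scan summary), names the subfields from the tables above, and translates the 301 Event and Event Data 2 Hash Type codes. It assumes the five scan entries are joined by ":" in the order the table lists them; all sample strings are constructed.

```python
"""Decode the tab-separated Event Data and Event Data 2 fields of an SEP log line."""

# Subfield names for Event Data records whose first subfield is 101 or 301.
EVENT_DATA_101 = [
    "Field 1", "GUID", "Field 3", "Num Side Effects Repaired",
    "Anomaly Action Type", "Anomaly Action Operation", "Field 7", "Anomaly Name",
    "Anomaly Categories", "Anomaly Action Type ID", "Anomaly Action OperationID",
    "Previous Log GUID", "Field 13",
]
EVENT_DATA_301 = [
    "Field 1", "Actor PID", "Actor", "Event", "Target PID", "Target",
    "Target Process", "Field 8", "Field 9", "Field 10", "Field 11", "Field 12",
    "Field 13",
]
# Codes of the 301 "Event" subfield (behavioural action on the target).
BEHAVIOR_EVENTS = {
    1: "File Create", 2: "File Delete", 3: "File Open", 6: "Directory Create",
    7: "Directory Delete", 14: "Registry Key Create", 15: "Registry Key Delete",
    16: "Registry Value Delete", 17: "Registry Value Set", 18: "Registry Key Rename",
    19: "Registry Key Set Security", 45: "File Set Security",
    46: "Directory Set Security", 55: "Process Open", 56: "Process Duplicate",
}
# Scan-summary entries carried in the first subfield (assumed ':'-joined in this order).
SCAN_ENTRIES = ["Scan Status", "Risks", "Scanned",
                "Files/Folders/Drives Omitted", "Trusted Files Skipped"]
# Event Data 2 subfields (17 in total) and the Hash Type codes.
EVENT_DATA_2 = (["Field 1", "Company Name", "Size", "Hash Type", "Hash",
                 "Product Version"] + [f"Field {i}" for i in range(7, 13)]
                + ["Product Name"] + [f"Field {i}" for i in range(14, 18)])
HASH_TYPES = {"0": "MD5", "1": "SHA-1", "2": "SHA-256"}


def parse_event_data(raw):
    """Return (kind, record); kind is 101, 201, 301, "scan", "empty" or "unknown"."""
    if not raw:
        return "empty", {}
    parts = raw.split("\t")
    first = parts[0]
    if first == "101":
        return 101, dict(zip(EVENT_DATA_101, parts))
    if first == "201":  # layout not yet documented, so keep positional names
        return 201, {f"Field {i}": p for i, p in enumerate(parts, start=1)}
    if first == "301":
        rec = dict(zip(EVENT_DATA_301, parts))
        code = rec.get("Event", "")
        if code.isdigit():
            rec["Event Name"] = BEHAVIOR_EVENTS.get(int(code), f"Unknown ({code})")
        else:
            rec["Event Name"] = ""
        return 301, rec
    if ":" in first:
        entries = (p.strip() for p in first.split(":"))
        return "scan", dict(zip(SCAN_ENTRIES, entries))
    return "unknown", {"Field 1": first}


def parse_event_data_2(raw):
    """Name the Event Data 2 subfields and translate the Hash Type code."""
    rec = dict(zip(EVENT_DATA_2, raw.split("\t")))
    rec["Hash Type Name"] = HASH_TYPES.get(rec.get("Hash Type", ""), "Unknown")
    return rec


# Constructed samples (not real log data).
SAMPLE_301 = "\t".join(["301", "4120", "C:\\Temp\\setup.exe", "17", "0",
                        "HKEY_CURRENT_USER\\Software\\Example\\Setting", "",
                        "", "", "", "", "", ""])
SAMPLE_SCAN = "Scan Complete:0:1234:2:0"
SAMPLE_ED2 = "\t".join(["", "Example Corp", "45056", "2", "ab" * 32, "1.0.0.1"]
                       + [""] * 6 + ["Example Setup"] + [""] * 4)

if __name__ == "__main__":
    print(parse_event_data(SAMPLE_301))
    print(parse_event_data(SAMPLE_SCAN))
    print(parse_event_data_2(SAMPLE_ED2)["Hash Type Name"])
```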
Information was derived from https://support.symantec.com/en_US/article.TECH100099.html