Tuesday, January 5, 2021

Your AV is Trying to Tell You Something: Log Lines

Symantec Endpoint Protection (SEP) contains a wealth of information. Unfortunately, when dealing with a disk image/collection, there is not a feasible way of accessing this data. You could query the Symantec Endpoint Protection Management (SEPM) server, but you still will not get all of the information contained on the endpoint. Furthermore, what if there is not a SEPM server in place or the endpoint has not sent its logs to the SEPM server yet? In this series, I will be going through how to decipher the various logs and files that make up SEP. 

I have not seen a lot of information out there on antivirus forensics. Hopefully, this will encourage others to start investigating other antivirus software and the secrets they can hold. So let's up your digital forensics game by examining what your antivirus is trying to tell you, but more importantly, what it is not telling you.

I am going to start out this series with what I have come to know as the log line. This is an important piece to understand because it can be found in the entries of the Antivirus Management Plug-in log, Client Management Security log, Client Management System log, Daily Antivirus logs, and the quarantine files. The log line is a comma-separated list (the Extra Data 1 and Extra Data 2 fields contain data in a tab-separated list). Although you can view the log line (and the various logs that contain it) in a text editor, it is not human readable. Time to break down the various fields and how to interpret them.

Version 1 has the following fields:

Time,Event,Category,Logger,Computer,User,Virus,File,Wanted Action 1,Wanted Action 2,Real Action,Virus Type,Flags,Description,ScanID,New_Ext,Group ID,Event Data,VBin_ID,Virus ID,Quarantine Forward Status,Access,SND_Status,Compressed,Depth,Still Infected,Def Info,Def Sequence Number,Clean Info,Delete Info,Backup ID,Parent,GUID,Client Group,Address,Domain Name,NT Domain,MAC Address,Version,Remote Machine,Remote Machine IP,Action 1 Status,Action 2 Status,License Feature Name,License Feature Version,License Serial Number,License Fulfillment ID,License Start Date,License Expiration Date,License LifeCycle,License Seats Total,License Seats,Error Code,License Seats Delta,Status,Domain GUID,Log Session GUID,VBin Session ID,Login Domain,Event Data 2

Version 2 has the same fields as version 1 plus some extras:

Time,Event,Category,Logger,Computer,User,Virus,File,Wanted Action 1,Wanted Action 2,Real Action,Virus Type,Flags,Description,ScanID,New_Ext,Group ID,Event Data,VBin_ID,Virus ID,Quarantine Forward Status,Access,SND_Status,Compressed,Depth,Still Infected,Def Info,Def Sequence Number,Clean Info,Delete Info,Backup ID,Parent,GUID,Client Group,Address,Domain Name,NT Domain,MAC Address,Version,Remote Machine,Remote Machine IP,Action 1 Status,Action 2 Status,License Feature Name,License Feature Version,License Serial Number,License Fulfillment ID,License Start Date,License Expiration Date,License LifeCycle,License Seats Total,License Seats,Error Code,License Seats Delta,Status,Domain GUID,Log Session GUID,VBin Session ID,Login Domain,Event Data 2,Eraser Category ID,Dynamic Categoryset ID,Dynamic Subcategoryset ID,Display Name To Use,Reputation Disposition,Reputation Confidence,First Seen,Reputation Prevalence,Downloaded URL,Creator For Dropper,CIDS State,Behavior Risk Level,Detection Type,Acknowledge Text,VSIC State,Scan GUID,Scan Duration,Scan Start Time,TargetApp Type,Scan Command GUID

Time/Scan Start Time

The Time and Scan Start Time fields contain a 12-digit hexadecimal number. To recover the timestamp, break it into six two-digit pairs, convert each pair to its decimal counterpart, and do a little math. Example: 300012062631
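The decoding described above, written out as an added Python example (my own code, not from the post or from Symantec). The offsets it applies, year minus 1970 and month minus 1 with day, hour, minute and second taken as-is, are the layout Symantec documents for this field and are an assumption here since the post does not spell them out; the result is left timezone-naive because the field carries whatever clock the client logged. An encoder is included so a time window can be turned back into the hex form for searching:

```python
from datetime import datetime

# Constructed sample: the value quoted in the post.
SAMPLE_TIME = "300012062631"


def decode_sep_time(hex_time: str) -> datetime:
    """Decode a SEP Time / Scan Start Time field into a datetime.

    Assumption (Symantec's documented layout, not spelled out on the page):
    the six hex pairs are year-1970, month-1, day, hour, minute, second.
    The result is timezone-naive; it is whatever clock the client logged.
    """
    if len(hex_time) != 12 or any(c not in "0123456789abcdefABCDEF" for c in hex_time):
        raise ValueError(f"expected 12 hex digits, got {hex_time!r}")
    yy, mo, dd, hh, mi, ss = (int(hex_time[i:i + 2], 16) for i in range(0, 12, 2))
    # datetime() rejects impossible dates (month 13, day 0), so a corrupt or
    # mis-sliced field surfaces as a ValueError instead of a bogus timestamp.
    return datetime(1970 + yy, mo + 1, dd, hh, mi, ss)


def encode_sep_time(moment: datetime) -> str:
    """Inverse of decode_sep_time; useful for building search strings."""
    parts = (moment.year - 1970, moment.month - 1, moment.day,
             moment.hour, moment.minute, moment.second)
    return "".join(f"{p:02X}" for p in parts)


if __name__ == "__main__":
    print(SAMPLE_TIME, "->", decode_sep_time(SAMPLE_TIME))  # 2018-01-18 06:38:49
```

Because the field sorts lexically in the same order as the time it encodes, encoding the two ends of an incident window gives you a pair of strings you can grep the raw logs between without decoding every line first.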

 
Log_Line_info.md

Entries

Field Description
Time Time of event.
Event Numeric event code; the table below maps each code to its raw name and meaning.

| Event | Event # | Raw Event Code | Description |
|---|---|---|---|
| | 1 | IS_ALERT | |
| Scan Stopped | 2 | SCAN_STOP | Occurs when antivirus scanning completes. |
| Scan Started | 3 | SCAN_START | Occurs when antivirus scanning starts. |
| Definition File Sent To Server | 4 | PATTERN_UPDATE | Occurs when a parent server sends a .vdb file to a secondary server. |
| Virus Found | 5 | INFECTION | Occurs when scanning detects a virus. |
| Scan Omission | 6 | FILE_NOT_OPEN | Occurs when scanning fails to gain access to a file or directory. |
| Definition File Loaded | 7 | LOAD_PATTERN | Occurs when Symantec AntiVirus loads a new .vdb file. |
| | 8 | MESSAGE_INFO | |
| | 9 | MESSAGE_ERROR | |
| Checksum | 10 | CHECKSUM | Occurs when a checksum error occurs while verifying a digitally signed file. |
| Auto-Protect | 11 | TRAP | Occurs when Auto-Protect is not fully operational. |
| Configuration Changed | 12 | CONFIG_CHANGE | Occurs when a server updates its configuration according to changes made from the console, excluding configuration changes made in the PRODUCTCONTROL or DOMAINDATA registry keys. |
| Symantec AntiVirus Shutdown | 13 | SHUTDOWN | Occurs when the ccSvcHst.exe service is unloaded. |
| Symantec AntiVirus Startup | 14 | STARTUP | Occurs when the ccSvcHst.exe service is loaded. |
| Definition File Download | 16 | PATTERN_DOWNLOAD | Occurs when new definitions are downloaded by a scheduled definitions update. |
| Scan Action Auto-Changed | 17 | TOO_MANY_VIRUSES | Occurs when Symantec AntiVirus has deleted or quarantined more than 5 infected files within the last minute. The number of files quarantined or deleted and the time interval are configurable from the registry; the defaults are 5 files in 60 seconds. |
| Sent To Quarantine Server | 18 | FWD_TO_QSERVER | Occurs when quarantined files are sent to a Quarantine Server. |
| Delivered To Symantec Security Response | 19 | SCANDLVR | Occurs when a file is delivered to Symantec Security Response. |
| Backup Restore Error | 20 | BACKUP | Occurs when Symantec AntiVirus cannot back up a file or restore a file from Quarantine. |
| Scan Aborted | 21 | SCAN_ABORT | Occurs when a scan is stopped before it completes. |
| Symantec AntiVirus Auto-Protect Load Error | 22 | RTS_LOAD_ERROR | Occurs when Auto-Protect fails to load. |
| Symantec AntiVirus Auto-Protect Loaded | 23 | RTS_LOAD | Occurs when Auto-Protect loads successfully. |
| Symantec AntiVirus Auto-Protect Unloaded | 24 | RTS_UNLOAD | Occurs when Auto-Protect is unloaded. |
| Scan Delayed | 26 | SCAN_DELAYED | Occurs when a scheduled scan is snoozed/paused (delayed). |
| Scan Re-started | 27 | SCAN_RESTART | Occurs when a snoozed/paused scan is restarted. |
| | 28 | ADD_SAVROAMCLIENT_TOSERVER | |
| | 29 | REMOVE_SAVROAMCLIENT_FROMSERVER | |
| | 30 | LICENSE_WARNING | |
| | 31 | LICENSE_ERROR | |
| | 32 | LICENSE_GRACE | |
| | 33 | UNAUTHORIZED_COMM | |
| Log Forwarding Error | 34 | LOG_FWD_THRD_ERR | Occurs when there is a problem with the log forwarding process. Also logged when Event and Settings Manager are started. |
| | 35 | LICENSE_INSTALLED | |
| | 36 | LICENSE_ALLOCATED | |
| | 37 | LICENSE_OK | |
| | 38 | LICENSE_DEALLOCATED | |
| Definitions Rollback | 39 | BAD_DEFS_ROLLBACK | Occurs when definitions are rolled back. |
| Definitions Unprotected | 40 | BAD_DEFS_UNPROTECTED | Occurs when a computer is not protected with definitions. |
| Auto-Protect Error | 41 | SAV_PROVIDER_PARSING_ERROR | Occurs when an error occurs with Auto-Protect. |
| Configuration Error | 42 | RTS_ERROR | General error. Primarily occurs when a configuration file cannot be read. |
| | 43 | COMPLIANCE_FAIL | |
| | 44 | COMPLIANCE_SUCCESS | |
| SymProtect Action | 45 | SECURITY_SYMPROTECT_POLICYVIOLATION | Occurs when SymProtect blocks a tamper attempt. |
| Detection Start | 46 | ANOMALY_START | Occurs when a threat is found. This is the first of a series of steps describing the action taken. |
| Detection Action | 47 | DETECTION_ACTION_TAKEN | Describes an action taken when a threat is found. |
| Pending Remediation Action | 48 | REMEDIATION_ACTION_PENDING | Occurs when Auto-Protect is ready to perform a side-effects repair for adware or spyware. |
| Failed Remediation Action | 49 | REMEDIATION_ACTION_FAILED | Occurs when Auto-Protect fails to perform a successful side-effects repair for adware or spyware. |
| Successful Remediation Action | 50 | REMEDIATION_ACTION_SUCCESSFUL | Occurs when Auto-Protect performs a successful side-effects repair for adware or spyware. |
| Detection Finish | 51 | ANOMALY_FINISH | Occurs when Auto-Protect finishes handling a threat. |
| | 52 | COMMS_LOGIN_FAILED | |
| | 53 | COMMS_LOGIN_SUCCESS | |
| | 54 | COMMS_UNAUTHORIZED_COMM | |
| | 55 | CLIENT_INSTALL_AV | |
| | 56 | CLIENT_INSTALL_FW | |
| | 57 | CLIENT_UNINSTALL | |
| | 58 | CLIENT_UNINSTALL_ROLLBACK | |
| | 59 | COMMS_SERVER_GROUP_ROOT_CERT_ISSUE | |
| | 60 | COMMS_SERVER_CERT_ISSUE | |
| | 61 | COMMS_TRUSTED_ROOT_CHANGE | |
| | 62 | COMMS_SERVER_CERT_STARTUP_FAILED | |
| | 63 | CLIENT_CHECKIN | |
| | 64 | CLIENT_NO_CHECKIN | |
| Scan Stopped | 65 | SCAN_SUSPENDED | Occurs when adware and spyware scans stop. |
| Scan Started | 66 | SCAN_RESUMED | Occurs when adware and spyware scans start. |
| | 67 | SCAN_DURATION_INSUFFICIENT | |
| | 68 | CLIENT_MOVE | |
| | 69 | SCAN_FAILED_ENHANCED | |
| | 70 | COMPLIANCE_FAILEDAUDIT | |
| Threat Now Whitelisted | 71 | HEUR_THREAT_NOW_WHITELISTED | The administrator has added what SONAR previously detected as a threat to the Centralized Exception list, or Symantec has added it to the internal known white-listed applications list. |
| Interesting Process Found Start | 72 | INTERESTING_PROCESS_DETECTED_START | SONAR detection start. The first step of a series describing the action taken on the process. |
| SONAR engine load error | 73 | LOAD_ERROR_BASH | Failed to load SONAR engine. |
| SONAR definitions load error | 74 | LOAD_ERROR_BASH_DEFINITIONS | Failed to load SONAR definitions. |
| Interesting Process Found Finish | 75 | INTERESTING_PROCESS_DETECTED_FINISH | SONAR detection has finished handling the process. |
| SONAR operating system not supported | 76 | HPP_SCAN_NOT_SUPPORTED_FOR_OS | SONAR is enabled, but it is not supported on the platform. |
| SONAR Detected Threat Now Known | 77 | HEUR_THREAT_NOW_KNOWN | A SONAR process detection is now a confirmed signature-based security risk. |
| SONAR engine is disabled | 78 | DISABLE_BASH | SONAR is disabled. |
| SONAR engine is enabled | 79 | ENABLE_BASH | SONAR is enabled. |
| Definition load failed | 80 | DEFS_LOAD_FAILED | Failed to apply AV definitions. |
| Cache server error | 81 | LOCALREP_CACHE_SERVER_ERROR | Cache server error. |
| Reputation check timed out | 82 | REPUTATION_CHECK_TIMEOUT | Reputation check timed out. |
| | 83 | SYMEPSECFILTER_DRIVER_ERROR | |
| | 84 | VSIC_COMMUNICATION_WARNING | |
| | 85 | VSIC_COMMUNICATION_RESTORED | |
| | 86 | ELAM_LOAD_FAILED | |
| | 87 | ELAM_INVALID_OS | |
| | 88 | ELAM_ENABLE | |
| | 89 | ELAM_DISABLE | |
| | 90 | ELAM_BAD | |
| | 91 | ELAM_BAD_REPORTED_AS_UNKNOWN | |
| | 92 | DISABLE_SYMPROTECT | |
| | 93 | ENABLE_SYMPROTECT | |
| | 94 | NETSEC_EOC_PARSE_FAILED | |

Category
1 Infection
2 Summary
3 Pattern
4 Security
Logger
0 Scheduled
1 Manual
2 Real_Time
3 Integrity_Shield
6 Console
7 VPDOWN
8 System
9 Startup
10 Idle
11 DefWatch
12 Licensing
13 Manual_Quarantine
14 SymProtect
15 Reboot_Processing
16 Bash
17 SymElam
18 PowerEraser
19 EOCScan
100 LOCAL_END
101 Client
102 Forwarded
256 Transport_Client
Computer Computer name.
User User name.
Virus Virus Name (Virus Found event only)
File Virus's Location (Virus Found event only)
Wanted Action 1 Primary Action (Virus Found event only)

4294967295 Invalid
1 Quarantine
2 Rename
3 Delete
4 Leave Alone
5 Clean
6 Remove Macros
7 Save file as...
8 Sent to backend
9 Restore from Quarantine
10 Rename Back (unused)
11 Undo Action
12 Error
13 Backup to quarantine (backup view)
14 Pending Analysis
15 Partially Fixed
16 Terminate Process Required
17 Exclude from Scanning
18 Reboot Processing
19 Clean by Deletion
20 Access Denied
21 TERMINATE PROCESS ONLY
22 NO REPAIR
23 FAIL
24 RUN POWERTOOL
25 NO REPAIR POWERTOOL
110 INTERESTING PROCESS CAL
111 INTERESTING PROCESS DETECTED
1000 INTERESTING PROCESS HASHED DETECTED
1001 DNS HOST FILE EXCEPTION
Wanted Action 2 Secondary Action (Virus Found event only)

4294967295 Invalid
1 Quarantine
2 Rename
3 Delete
4 Leave Alone
5 Clean
6 Remove Macros
7 Save file as...
8 Sent to backend
9 Restore from Quarantine
10 Rename Back (unused)
11 Undo Action
12 Error
13 Backup to quarantine (backup view)
14 Pending Analysis
15 Partially Fixed
16 Terminate Process Required
17 Exclude from Scanning
18 Reboot Processing
19 Clean by Deletion
20 Access Denied
21 TERMINATE PROCESS ONLY
22 NO REPAIR
23 FAIL
24 RUN POWERTOOL
25 NO REPAIR POWERTOOL
110 INTERESTING PROCESS CAL
111 INTERESTING PROCESS DETECTED
1000 INTERESTING PROCESS HASHED DETECTED
1001 DNS HOST FILE EXCEPTION
Real Action Action Taken (Virus Found event only)

4294967295 Invalid
1 Quarantine
2 Rename
3 Delete
4 Leave Alone
5 Clean
6 Remove Macros
7 Save file as...
8 Sent to backend
9 Restore from Quarantine
10 Rename Back (unused)
11 Undo Action
12 Error
13 Backup to quarantine (backup view)
14 Pending Analysis
15 Partially Fixed
16 Terminate Process Required
17 Exclude from Scanning
18 Reboot Processing
19 Clean by Deletion
20 Access Denied
21 TERMINATE PROCESS ONLY
22 NO REPAIR
23 FAIL
24 RUN POWERTOOL
25 NO REPAIR POWERTOOL
110 INTERESTING PROCESS CAL
111 INTERESTING PROCESS DETECTED
1000 INTERESTING PROCESS HASHED DETECTED
1001 DNS HOST FILE EXCEPTION
Virus Type
48 Heuristic
64 Reputation
80 Hack Tools
96 Spyware
112 Trackware
128 Dialers
144 Remote Access
160 Adware
176 Joke Programs
224 Heuristic Application
Flags Indicates what kind of action the Eventblock is.

    # Bit names for the Flags field, in the order the decoder reports them.
    # The log stores Flags as a number, so the names are accumulated in a
    # separate list rather than appended to the numeric value.
    EB_BITS = [
        (0x400000, "EB_ACCESS_DENIED"), (0x800000, "EB_NO_VDIALOG"),
        (0x1000000, "EB_LOG"), (0x2000000, "EB_REAL_CLIENT"),
        (0x4000000, "EB_ENDUSER_BLOCKED"), (0x8000000, "EB_AP_FILE_WIPED"),
        (0x10000000, "EB_PROCESS_KILLED"), (0x20000000, "EB_FROM_CLIENT"),
        (0x40000000, "EB_EXTRN_EVENT"),
    ]
    FA_BITS = [  # scan-type bits, the low nine bits (mask 0x1FF)
        (0x1, "FA_SCANNING_MEMORY"), (0x2, "FA_SCANNING_BOOT_SECTOR"),
        (0x4, "FA_SCANNING_FILE"), (0x8, "FA_SCANNING_BEHAVIOR"),
        (0x10, "FA_SCANNING_CHECKSUM"), (0x20, "FA_WALKSCAN"),
        (0x40, "FA_RTSSCAN"), (0x80, "FA_CHECK_SCAN"), (0x100, "FA_CLEAN_SCAN"),
    ]
    N_OVERLAY_BITS = [  # node overlay bits, reported inside EB_N_OVERLAYS(...)
        (0x200, "N_OFFLINE"), (0x400, "N_INFECTED"), (0x800, "N_REPSEED_SCAN"),
        (0x1000, "N_RTSNODE"), (0x2000, "N_MAILNODE"), (0x4000, "N_FILENODE"),
        (0x8000, "N_COMPRESSED"), (0x10000, "N_PASSTHROUGH"), (0x40000, "N_DIRNODE"),
        (0x80000, "N_ENDNODE"), (0x100000, "N_MEMNODE"),
        (0x200000, "N_ADMIN_REQUEST_REMEDIATION"),
    ]

    def decode_flags(flag):
        """Return the space-separated names of the bits set in the Flags field."""
        flag = int(flag)  # accept the raw text from the log line or an int
        names = [name for bit, name in EB_BITS if flag & bit]
        if flag & 0x1FF:
            names += [name for bit, name in FA_BITS if flag & bit]
        if flag & 0x803FFE00:
            overlays = [name for bit, name in N_OVERLAY_BITS if flag & bit]
            names.append("EB_N_OVERLAYS(" + " ".join(overlays) + ")")
        return " ".join(names)
Description Message shown on the "Properties" page (Event Log events only), or a message indicating scan start or scan stop along with the results (Scan History events only).
ScanID ID number of associated scan (for Scan History events and Virus Found events)
New_Ext Will require further investigation as to the purpose of this log entry.
Group ID Indicates the Group ID.
Event Data Information varies per event (see below)
VBin_ID Stores the ID of the file in Quarantine if it is Quarantined.
Virus ID ID of the particular virus.
Quarantine Forward Status Indicates the status of the Quarantine attempt.

0 NONE
1 FAILED
2 OK
Access This stores the "operation flags"

0x00000001 READ
0x00000002 WRITE
0x00000004 EXEC
0x00000008 IN_TABLE
0x00000010 REJECT_ACTION
0x00000020 ACTION_COMPLETE
0x00000040 DELETE_WHEN_COMPLETE
0x00000080 CLIENT_REQUEST
0x00000100 OWNED_BY_USER
0x00000200 DELETE
0x00000800 OWNED_BY_QUEUE
0x00001000 FILE_IN_CACHE
0x00002000 SCAN
0x00004000 GET_TRAP_DATA
0x00008000 USE_TRAP_DATA
0x00010000 FILE_NEEDS_SCAN
0x00020000 BEFORE_OPEN
0x00040000 AFTER_OPEN
0x00080000 SCAN_BOOT_SECTOR
0x10000000 COMING_FROM_NAVAP
0x20000000 BACKUP_TO_QUARANTINE
SND_Status Will require further investigation as to the purpose of this log entry.
Compressed Indicates whether the file is, or is inside, a compressed file.

0 No
1 Yes
Depth Indicates at what depth inside a compressed file the virus was found.
Still Infected Tells whether file is still infected or not.

0 No
1 Yes
Def Info Version of Virus Definitions Used (Virus Found event only)
Def Sequence Number The Definition Sequence Number of the Virus Definitions used.
Clean Info Indicates whether file is cleanable or not.

0 CLEANABLE
1 NO CLEAN PATTERN
2 NOT CLEANABLE
Delete Info Indicates whether file is deletable or not.

0 Unknown
1 Unknown
4 DELETABLE
5 NOT DELETABLE
Backup ID Stores the ID of the file stored in Backup if it is backed up.
Parent Name of the parent server, if the machine is a managed client.
GUID GUID of the machine (Virus Found event only)
Client Group Stores the client group, if set.
Address IP or IPX address in the form IP-xxx.xxx.xxx.xxx
Domain Name Server group. Set servers only.
NT Domain Windows domain or workgroup
MAC Address Hardware address
Version Software version
Remote Machine Will require further investigation as to the purpose of this log entry.
Remote Machine IP Will require further investigation as to the purpose of this log entry.
Action 1 Status Will require further investigation as to the purpose of this log entry.
Action 2 Status Will require further investigation as to the purpose of this log entry.
License Feature Name The product name and license type.
License Feature Version The product code, indicating product type, version, and suffix. This information is read from the license file.
License Serial Number The license serial number, which is read from the license file.
License Fulfillment ID The license fulfillment ID, which is read from the license file.
License Start Date The license start date time, which is read from the license file.
License Expiration Date The end date of the license period.
License LifeCycle Will require further investigation as to the purpose of this log entry.
License Seats Total Will require further investigation as to the purpose of this log entry.
License Seats Will require further investigation as to the purpose of this log entry.
Error Code Will require further investigation as to the purpose of this log entry.
License Seats Delta Will require further investigation as to the purpose of this log entry.
Eraser Status
0 Success
1 Reboot Required
2 Nothing To Do
3 Repaired
4 Deleted
5 False
6 Abort
7 Continue
8 Service Not Stopped
9 Application Heuristic Scan Failure
10 Cannot Remediate
11 Whitelist Failure
12 Driver Failure
13 Reserved01
13 Commercial Application List Failure
13 Application Heuristic Scan Invalid OS
13 Content Manager Data Error
999 Leave Alone
1000 Generic Failure
1001 Out Of Memory
1002 Not Initialized
1003 Invalid Argument
1004 Insufficient Buffer
1005 Decryption Error
1006 File Not Found
1007 Out Of Range
1008 COM Error
1009 Partial Failure
1010 Bad Definitions
1011 Invalid Command
1012 No Interface
1013 RSA Error
1014 Path Not Empty
1015 Invalid Path
1016 Path Not Empty
1017 File Still Present
1018 Invalid OS
1019 Not Implemented
1020 Access Denied
1021 Directory Still Present
1022 Inconsistent State
1023 Timeout
1024 Action Pending
1025 Volume Write Protected
1026 Not Reparse Point
1027 File Exists
1028 Target Protected
1029 Disk Full
1030 Shutdown In Progress
1031 Media Error
1032 Network Defs Error
Domain GUID Domain ID
Log Session GUID This is an ID used by the client to keep track of related threat events.
VBin Session ID Will require further investigation as to the purpose of this log entry.
Login Domain The Windows domain.
Event Data 2 * Information varies per event (see below)
Eraser Category ID *
1 HeuristicTrojanWorm
2 HeuristicKeyLogger
100 CommercialRemoteControl
101 CommercialKeyLogger
200 Cookie
300 Shields
Dynamic Categoryset ID *
1 MALWARE
2 SECURITY_RISK
3 POTENTIALLY_UNWANTED_APPLICATIONS
4 EXPERIMENTAL_HEURISTIC
5 LEGACY_VIRAL
6 LEGACY_NON_VIRAL
7 CATEGORY_CRIMEWARE
8 ADVANCED_HEURISTICS
9 REPUTATION_BACKED_ADVANCED_HEURISTICS
10 PREVALENCE_BACKED_ADVANCED_HEURISTICS
Dynamic Subcategoryset ID * Will require further investigation as to the purpose of this log entry.
Display Name To Use *
0 Application Name
1 VID Virus Name
Reputation Disposition *
0 Good
1 Bad
127 Unknown
Reputation Confidence * The Confidence level that produced the conviction.

>= 100: Extremely High [100..]
>= 65: High [65..99]
>= 25: Medium [25..64]
>= 10: Low [10..24]
>= 1: Symantec knows very little about the file / unknown [1..9]
0 is not a valid value; treat 0 as unknown as well.
Default is 0
First Seen * When the threat was first discovered by Symantec, as downloaded from Symantec's web site.
Reputation Prevalence * The prevalence data for the application

0: Unknown.
1-50: Very low
51-100: Low
101-150: Moderate
151-200: High
201-255: Very high
> 255: Very high
Default is 0
Downloaded URL * The source URL of the first drop on this computer.
Creator For Dropper * The creator process of the dropper threat.
CIDS State * Network intrusion prevention status:

0 = Off
1 = On
2 = Not installed
3 = Off by administrator policy
127 = Unknown.
Default is 127.
Behavior Risk Level * The risk level (high, med, low) for the convicted threat.

0 -- Unknown
1 or 2 -- Low
3 -- Medium
4 -- High
Default is 0.
Detection Type *
0 Traditional
1 Heuristic
Acknowledge Text * Will require further investigation as to the purpose of this log entry.
VSIC State *
0 Off
1 On
2 Failed
Scan GUID * Will require further investigation as to the purpose of this log entry.
Scan Duration * Length of the scan
Scan Start Time * The time that the scan started.
TargetApp Type *
0 Normal
1 Modern (Metro)
Scan Command GUID * Will require further investigation as to the purpose of this log entry.
Field 113 † Will require further investigation as to the purpose of this log entry.
Location † The location used when the event occurred.
Field 115 † Will require further investigation as to the purpose of this log entry.
Digital Signatures Signer † The subject of the certificate.
Digital Signatures Issuer † If an executable from a detection event is signed, this field indicates its certificate authority.
Digital Signatures Certificate Thumbprint † The unique ID (or thumbprint) of the digital certificate.
Field 119 † Will require further investigation as to the purpose of this log entry.
Digital Signatures Serial Number † The identification (certificate serial number) of the certificate issued by the certificate authority for the executable.
Digital Signatures Signing Time † Will require further investigation as to the purpose of this log entry.
Field 122 † Will require further investigation as to the purpose of this log entry.
Field 123 † Will require further investigation as to the purpose of this log entry.
Field 124 † Will require further investigation as to the purpose of this log entry.
Field 125 † Will require further investigation as to the purpose of this log entry.
Field 126 † Will require further investigation as to the purpose of this log entry.

Event Data

Event data can be distinguished by the first field. This field can be blank or contain 101, 201, 301, or scan data.

101

If Field 1 = 101, the corresponding fields are as follows:

Field Description
Field 1 101
GUID This is an ID used by the client to keep track of related threat events.
Field 3 Will require further investigation as to the purpose of this log entry.
Num Side Effects Repaired Will require further investigation as to the purpose of this log entry.
Anomaly Action Type Type of remediation. (Human readable form)
Anomaly Action Operation Remediation action. (Human readable form)
Field 7 Will require further investigation as to the purpose of this log entry.
Anomaly Name Virus Name
Anomaly Categories Combination of Categoryset\Subcategoryset ID separated by semicolon
Anomaly Action Type ID Type of remediation.
Anomaly Action OperationID Remediation action.
Previous Log GUID This is an ID used by the client to keep track of related threat events.
Field 13 Will require further investigation as to the purpose of this log entry.

201

If Field 1 = 201, the corresponding fields are as follows:

Field Description
Field 1 201
Field 2 Will require further investigation as to the purpose of this log entry.
Field 3 Will require further investigation as to the purpose of this log entry.
Field 4 Will require further investigation as to the purpose of this log entry.
Field 5 Will require further investigation as to the purpose of this log entry.
Field 6 Will require further investigation as to the purpose of this log entry.
Field 7 Will require further investigation as to the purpose of this log entry.
Field 8 Will require further investigation as to the purpose of this log entry.
Field 9 Will require further investigation as to the purpose of this log entry.
Field 10 Will require further investigation as to the purpose of this log entry.
Field 11 Will require further investigation as to the purpose of this log entry.
Field 12 Will require further investigation as to the purpose of this log entry.
Field 13 Will require further investigation as to the purpose of this log entry.

301

If Field 1 = 301, the corresponding fields are as follows:

Field Description
Field 1 301
Actor PID Process ID for acting process
Actor Process performing the action
Event
1 File Create
2 File Delete
3 File Open
6 Directory Create
7 Directory Delete
14 Registry Key Create
15 Registry Key Delete
16 Registry Value Delete
17 Registry Value Set
18 Registry Key Rename
19 Registry Key Set Security
45 File Set Security
46 Directory Set Security
55 Process Open
56 Process Duplicate
Target PID Process ID for target process
Target What is being targeted
Target Process The process that is being targeted
Field 8 Will require further investigation as to the purpose of this log entry.
Field 9 Will require further investigation as to the purpose of this log entry.
Field 10 N/A
Field 11 N/A
Field 12 N/A
Field 13 N/A

Scan Entries

If Field 1 contains a colon-separated string, the corresponding fields are as follows:

Field Entry Description
Field 1 Scan Status Will require further investigation as to the purpose of this log entry.
Risks The number of threats that the scan found.
Scanned The number of files scanned.
Files/Folders/Drives Omitted The number of files that were omitted.
Trusted Files Skipped Will require further investigation as to the purpose of this log entry.
Field 2 N/A N/A
Field 3 N/A N/A
Field 4 N/A N/A
Field 5 N/A N/A
Field 6 N/A N/A
Field 7 N/A N/A
Field 8 N/A N/A
Field 9 N/A N/A
Field 10 N/A N/A
Field 11 N/A N/A
Field 12 N/A N/A
Field 13 N/A N/A

Event Data 2

Field Description
Field 1 Will require further investigation as to the purpose of this log entry.
Company Name The company name.
Size The file size
Hash Type The hash algorithm used:

0 = MD5
1 = SHA-1
2 = SHA-256
Hash The hash for this application.
Product Version The application version.
Field 7 Will require further investigation as to the purpose of this log entry.
Field 8 Will require further investigation as to the purpose of this log entry.
Field 9 Will require further investigation as to the purpose of this log entry.
Field 10 Will require further investigation as to the purpose of this log entry.
Field 11 Will require further investigation as to the purpose of this log entry.
Field 12 Will require further investigation as to the purpose of this log entry.
Product Name The application name.
Field 14 Will require further investigation as to the purpose of this log entry.
Field 15 Will require further investigation as to the purpose of this log entry.
Field 16 Will require further investigation as to the purpose of this log entry.
Field 17 Will require further investigation as to the purpose of this log entry.
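To tie the field tables above together, here is an added Python example (my own code, not from the post or from Symantec). It names the columns of a log line by position using the version 1 and version 2 headers listed at the top of the post, decodes the Event, Category, Logger and action codes through a subset of the tables above (unknown codes are kept visible as `EVENT_n`-style names rather than dropped), and dispatches the tab-separated Event Data field on its first entry: 301 entries get their Actor/Target columns named, and a scan summary gets its four counters pulled out. The sample line and the scan-summary string are constructed, the exact layout of a real scan summary is assumed to be `label: count` pairs, and the plain comma split assumes no field contains an embedded comma:

```python
"""Name and decode the columns of a SEP log line (added example, not project code)."""
import re

# Column names as listed in the post: 60 for version 1, 80 for version 2.
V1_FIELDS = (
    "Time,Event,Category,Logger,Computer,User,Virus,File,Wanted Action 1,"
    "Wanted Action 2,Real Action,Virus Type,Flags,Description,ScanID,New_Ext,"
    "Group ID,Event Data,VBin_ID,Virus ID,Quarantine Forward Status,Access,"
    "SND_Status,Compressed,Depth,Still Infected,Def Info,Def Sequence Number,"
    "Clean Info,Delete Info,Backup ID,Parent,GUID,Client Group,Address,"
    "Domain Name,NT Domain,MAC Address,Version,Remote Machine,Remote Machine IP,"
    "Action 1 Status,Action 2 Status,License Feature Name,License Feature Version,"
    "License Serial Number,License Fulfillment ID,License Start Date,"
    "License Expiration Date,License LifeCycle,License Seats Total,License Seats,"
    "Error Code,License Seats Delta,Status,Domain GUID,Log Session GUID,"
    "VBin Session ID,Login Domain,Event Data 2").split(",")
V2_FIELDS = V1_FIELDS + (
    "Eraser Category ID,Dynamic Categoryset ID,Dynamic Subcategoryset ID,"
    "Display Name To Use,Reputation Disposition,Reputation Confidence,First Seen,"
    "Reputation Prevalence,Downloaded URL,Creator For Dropper,CIDS State,"
    "Behavior Risk Level,Detection Type,Acknowledge Text,VSIC State,Scan GUID,"
    "Scan Duration,Scan Start Time,TargetApp Type,Scan Command GUID").split(",")

# Code tables transcribed from the post (subsets; unknown codes stay visible).
EVENTS = {2: "SCAN_STOP", 3: "SCAN_START", 5: "INFECTION",
          45: "SECURITY_SYMPROTECT_POLICYVIOLATION", 46: "ANOMALY_START",
          47: "DETECTION_ACTION_TAKEN", 51: "ANOMALY_FINISH",
          78: "DISABLE_BASH", 79: "ENABLE_BASH"}
CATEGORIES = {1: "Infection", 2: "Summary", 3: "Pattern", 4: "Security"}
LOGGERS = {0: "Scheduled", 1: "Manual", 2: "Real_Time", 8: "System", 16: "Bash"}
ACTIONS = {4294967295: "Invalid", 1: "Quarantine", 2: "Rename", 3: "Delete",
           4: "Leave Alone", 5: "Clean", 12: "Error", 14: "Pending Analysis",
           19: "Clean by Deletion", 20: "Access Denied"}
# Event Data whose first entry is 301: column names and Event codes from the post.
DATA_301 = ["Actor PID", "Actor", "Event", "Target PID", "Target", "Target Process"]
EVENTS_301 = {1: "File Create", 2: "File Delete", 3: "File Open",
              14: "Registry Key Create", 15: "Registry Key Delete",
              16: "Registry Value Delete", 17: "Registry Value Set",
              55: "Process Open", 56: "Process Duplicate"}
SCAN_COUNTERS = ("Risks", "Scanned", "Files/Folders/Drives Omitted",
                 "Trusted Files Skipped")


def lookup(table, raw, prefix):
    """Map a numeric code to its name; blanks and unknown codes stay visible."""
    if not raw.isdigit():
        return raw
    return table.get(int(raw), f"{prefix}_{raw}")


def parse_event_data(raw):
    """Split the tab-separated Event Data field and dispatch on its first entry."""
    parts = raw.split("\t")
    if parts[0] == "301":
        named = dict(zip(DATA_301, parts[1:]))
        named["Event"] = lookup(EVENTS_301, named.get("Event", ""), "EVENT")
        return {"type": "301", **named}
    if parts[0] in ("101", "201"):
        return {"type": parts[0], "fields": parts[1:]}
    if ":" in parts[0]:  # scan summary, assumed to hold "<label>: <count>" pairs
        counters = {}
        for name in SCAN_COUNTERS:
            hit = re.search(re.escape(name) + r":\s*(\d+)", parts[0])
            if hit:
                counters[name] = int(hit.group(1))
        return {"type": "scan", "counters": counters}
    return {"type": "unknown", "fields": parts}


def parse_log_line(line):
    """Name every column by position and decode the coded ones in place.

    Caveat: this is a plain comma split, so a Description containing a comma
    would shift every later column; sanity-check the column count first.
    """
    cols = line.rstrip("\r\n").split(",")
    names = V2_FIELDS if len(cols) >= len(V2_FIELDS) else V1_FIELDS
    # Columns past the known header get the post's own "Field N" convention.
    names = names + [f"Field {i}" for i in range(len(names) + 1, len(cols) + 1)]
    rec = dict(zip(names, cols + [""] * (len(names) - len(cols))))
    rec["Event"] = lookup(EVENTS, rec["Event"], "EVENT")
    rec["Category"] = lookup(CATEGORIES, rec["Category"], "CATEGORY")
    rec["Logger"] = lookup(LOGGERS, rec["Logger"], "LOGGER")
    for col in ("Wanted Action 1", "Wanted Action 2", "Real Action"):
        rec[col] = lookup(ACTIONS, rec[col], "ACTION")
    rec["Event Data"] = parse_event_data(rec["Event Data"])
    return rec


def sample_line():
    """A constructed version-2 line (80 columns) for a SONAR detection; not real data."""
    cols = [""] * len(V2_FIELDS)
    cols[0], cols[1], cols[2], cols[3] = "300012062631", "46", "4", "16"
    cols[4], cols[5], cols[10] = "WKSTN-01", "jdoe", "1"
    cols[17] = "\t".join(["301", "4242", r"C:\Users\jdoe\dropper.exe", "17", "4242",
                          r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\upd",
                          r"C:\Users\jdoe\dropper.exe"])
    return ",".join(cols)


if __name__ == "__main__":
    record = parse_log_line(sample_line())
    for key in ("Time", "Event", "Category", "Logger", "Real Action", "Event Data"):
        print(f"{key}: {record[key]}")
```

Choosing the header by column count is deliberate: a line with fewer than 80 columns is treated as version 1, and anything beyond the known header is named `Field N` so the dagger fields listed above (Field 113, Location, and so on) line up with the post's numbering instead of being silently discarded.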

Information was derived from https://support.symantec.com/en_US/article.TECH100099.html
