AV Managment Plugin Log
The AV Managment Plugin log contains copies of all AV events that occured on the endpint. AVMan's entries consist of data, in the form of the log line format, with some additional timestamps.
Antivirus Management Log File Format
The antivirus managment log for SEP can be found at the following location:
C:\ProgramData\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\Logs\AVMan.log
Header
| Field | Type | Size | Description |
|---|---|---|---|
| Max Log Size | hex | 8 | Maximum log file size in bytes |
| Unknown | hex | 8 | ? |
| Number of Entries | hex | 8 | Number of entries in log |
| Unknown | hex | 8 | ? |
| Unknown | hex | 8 | ? |
| Max Log Days | hex | 8 | Maximun days to save log entries |
Log Entries
The log is in TSV format, meaning, each field is separated by a tab character.
| Field | Type | Size | Description |
|---|---|---|---|
| Entry Length | hex | 8 | Length of log entry |
| Date and Time 1 | Windows: 64 bit Hex Value - Big Endian | 16 | Will require further investigation as to the purpose of this log entry. |
| Date and Time 2 | Windows: 64 bit Hex Value - Big Endian | 16 | Will require further investigation as to the purpose of this log entry. |
| Date and Time 3 | Windows: 64 bit Hex Value - Big Endian | 16 | Will require further investigation as to the purpose of this log entry. |
| Unknown | hex | 8 | Will require further investigation as to the purpose of this log entry. |
| Data | varbinary | 2000 | Additional data in binary format. |
Daily AV Log
The daily AV log also contains copies of AV events tha occured on the endpoint. These logs are broken down by day and consist of log line entries and do not contain a header. The daily AV logs stored in the users appdata folder go back to when Symantec was first installed and pertain only to that user. The ones in the programdata folder contain all users AV events but only go back thirty days or what the Symantec policy dictates.
The daily AV logss for SEP can be found in the following loactions:
C:\ProgramData\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\Logs\AV
C:\Users\<user>\AppData\Local\Symantec\Symantec Endpoint Protection\Logs
No comments:
Post a Comment