This post contains information on my research into Symantec Endpoint Protection logs, quarantine, and ccSubSDK files. Content will be updated regularly.
Log Line
The log line format is an important piece to understand because the same structure appears in the entries of the Antivirus Management Plug-in log, Client Management Security log, Client Management System log, Daily Antivirus logs, and the quarantine files.
Symantec Endpoint Protection Logs
The Symantec Management Client (SMC) user interface does not show the entire contents of a log. smc.exe has an -exportlog command line switch that takes the log type to export. The log_type numbers are as follows:
- 0 = System Log
- 1 = Security Log
- 2 = Traffic Log
- 3 = Packet Log
- 4 = Control Log
These numbers also correlate to an entry in the header of the log files, which are found in the following locations:
Windows:
C:\ProgramData\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\Logs
Linux:
/var/symantec/Logs/syslog.log
The log type numbers map to the log file names as follows:
- 0 = syslog.log
- 1 = seclog.log
- 2 = tralog.log
- 3 = rawlog.log
- 4 = processlog.log
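The export step above, as an added PowerShell example that is not part of the original post: it runs smc.exe -exportlog for all five log types, names each export after the on-disk log file, and hashes the results so the collected logs can be verified later. It assumes smc.exe sits under one of the default install paths tried below, and that the positional arguments "0 -1 <output file>" (start and end index, i.e. the whole log) follow Symantec's documented -exportlog syntax, which the post does not spell out.

```powershell
# Added example (not from the original post): export every SEP client log type with
# smc.exe -exportlog and record the SHA-256 of each export for evidence handling.
# Assumptions: smc.exe is under one of the default install paths tried below, and the
# positional arguments "0 -1 <output file>" (start index 0, end index -1 = whole log) follow
# Symantec's documented -exportlog syntax; the post itself only shows the log type number.
# Run from an elevated prompt, since smc.exe talks to the SMC service.
$Bases = @(${env:ProgramFiles(x86)}, $env:ProgramFiles) | Where-Object { $_ }
$Smc = $Bases |
    ForEach-Object { Join-Path $_ 'Symantec\Symantec Endpoint Protection\smc.exe' } |
    Where-Object { Test-Path $_ } |
    Select-Object -First 1
if (-not $Smc) { throw 'smc.exe not found in the default install paths; set $Smc manually.' }

$OutDir = Join-Path $env:TEMP ('sep-logs-' + (Get-Date -Format 'yyyyMMdd-HHmmss'))
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Log type numbers from the post, keyed to the on-disk file names so exports are easy to correlate
$LogTypes = @{
    0 = 'syslog'      # System Log
    1 = 'seclog'      # Security Log
    2 = 'tralog'      # Traffic Log
    3 = 'rawlog'      # Packet Log
    4 = 'processlog'  # Control Log
}

foreach ($type in ($LogTypes.Keys | Sort-Object)) {
    $outFile = Join-Path $OutDir ($LogTypes[$type] + '.txt')
    & $Smc -exportlog $type 0 -1 $outFile
    # The export is handled by the SMC service, so wait (up to 30 s) for the file to appear
    $deadline = (Get-Date).AddSeconds(30)
    while (-not (Test-Path $outFile) -and (Get-Date) -lt $deadline) { Start-Sleep -Milliseconds 500 }
    if (-not (Test-Path $outFile)) {
        Write-Warning "No export produced for log type $type ($($LogTypes[$type]))"
    }
}

# Hash every export so the collected logs can be verified against these values later
Get-ChildItem -Path $OutDir -Filter '*.txt' | ForEach-Object {
    [pscustomobject]@{
        File   = $_.Name
        Bytes  = $_.Length
        SHA256 = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
    }
} | Format-Table -AutoSize
```

Confirm the positional arguments against the smc.exe usage text on your SEP version before relying on the output in a case.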
Log File Structure
- Client Management System Log
- Client Management Security Log
- Network and Host Exploit Mitigation Traffic Log
- Network and Host Exploit Mitigation Packet Log
- Client Management Control Log
- Antivirus Management Log
Symantec Endpoint Protection VBN Files
There are three different types of VBN files. Some contain the actual data that was quarantined, while others contain only metadata. Additional information is also stored in them, such as the SDDL, Detection Data, and Extended Attributes.