You want to know how to debug the Symantec Endpoint Protection (SEP) client, and the different types of debugging available.
Sylink debugging/logging applies to SEP 14 RU1 MP2 and earlier versions.
For 14.2 and later, communication module logging replaces the Sylink logging functionality; see:
Configuring Endpoint Protection Communication Module Logging in 14.2 and later
The following debugging options are available.
These optional settings enable more detailed logging of various components of the Symantec Endpoint Protection client. Before you enable any of them, you must first enable Symantec Management Client (SMC) debugging.
Note: You must restart the Symantec Management Client (SMC) service for any change to debug logging to take effect. To stop and start the SMC service, enter the following commands from a command prompt, from Start Menu > Run, or from Start Menu > Search programs and files:
Symantec Management Client (SMC) debugging
The default debug logging can be enabled with the following registry setting:
[HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC]
"smc_debuglog_on"=dword:00000001
NOTE: Tamper Protection is enabled by default on the Symantec Endpoint Protection client. Tamper Protection prevents you from editing the registry to enable debugging unless you first disable it or change its action from "Block and log the event" to "Log only". To adjust Tamper Protection settings, open the Symantec Endpoint Protection client user interface (GUI) and click Change Settings > Client Management > Configure Settings > Tamper Protection tab. Restore the original Tamper Protection setting once you have made the registry changes. If the administrator has locked Tamper Protection, you can still enable debugging through the GUI by using the instructions later in this document.
Enabling this debug logging creates a file called debug.log. For the Symantec Endpoint Protection client, debug.log is written to the CurrentVersion\Data\Logs subfolder of SEP's data directory under %AllUsersProfile% or %ProgramData%. For example, on Windows 7: C:\ProgramData\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\Logs.
The size of the debug.log file is limited to 256 KB by default. After reaching this limit, the current log is renamed to debug.log.bak and a new debug.log file is created. With the default 256 KB limit, the log can roll over in a short period of time, so you may need to raise the limit (for example, to somewhere between 20,000 and 100,000 KB). To modify the log file size limit, add the Log key and the debug_log_filesize value, as follows:
[HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\Log]
"debug_log_filesize"=dword:00004e20
In the above example, the value of debug_log_filesize is the maximum amount of space (in KB) that debug.log can consume. The number is written in hexadecimal (0x00004e20 = 20,000 KB). The Symantec Endpoint Protection user interface allows an upper limit of 100,000 KB on the log size; if necessary, you can force a higher value by setting it here in the registry.
NOTE: The default location for the SMC.exe executable is %ProgramFiles%\Symantec\Symantec Endpoint Protection.
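The procedure above (enable smc_debuglog_on, raise debug_log_filesize, restart SMC, confirm debug.log is being written) as one PowerShell script. This is an added example, not code from the Symantec article. It assumes an elevated session, Tamper Protection already set to "Log only" or disabled, smc.exe at the default path given in the note above with its -stop and -start switches (if the client is password-protected, smc -stop prompts for that password), and the %ProgramData% log location shown for Windows 7; the function names are this example's own.

```powershell
# Added example (not from the Symantec article): enable default SMC debug logging
# with a larger debug.log size limit, then restart SMC so the change takes effect.
# Assumptions: elevated PowerShell; Tamper Protection set to "Log only" or disabled
# beforehand (otherwise the registry writes are blocked); smc.exe at the default
# path with -stop / -start switches. Key and value names are from the article.

$SmcKey    = 'HKLM:\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC'
$SmcLogKey = Join-Path $SmcKey 'Log'
$SmcExe    = Join-Path $env:ProgramFiles 'Symantec\Symantec Endpoint Protection\smc.exe'
$DebugLog  = Join-Path $env:ProgramData 'Symantec\Symantec Endpoint Protection\CurrentVersion\Data\Logs\debug.log'

function Set-SepDwordValue {
    # Create the key if needed and write a REG_DWORD, so this works whether or not
    # the value (or the Log subkey, which does not exist by default) is already there.
    param([string]$Key, [string]$Name, [uint32]$Value)
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    New-ItemProperty -Path $Key -Name $Name -PropertyType DWord -Value $Value -Force | Out-Null
}

function Restart-SmcService {
    # The article requires an SMC restart for debug changes to take effect.
    & $SmcExe -stop
    Start-Sleep -Seconds 5
    & $SmcExe -start
}

# 1. Turn on default debug logging (smc_debuglog_on = 1).
Set-SepDwordValue -Key $SmcKey -Name 'smc_debuglog_on' -Value 1

# 2. Raise the rollover limit from the 256 KB default so the log does not wrap
#    before the problem reproduces. 20000 KB is the article's 0x4e20 example.
Set-SepDwordValue -Key $SmcLogKey -Name 'debug_log_filesize' -Value 20000

# 3. Restart SMC and confirm the log is being written.
Restart-SmcService
Start-Sleep -Seconds 10
if (Test-Path $DebugLog) {
    Get-Item $DebugLog | Select-Object FullName, Length, LastWriteTime
    Get-Content $DebugLog -Tail 5
} else {
    Write-Warning "debug.log not found at $DebugLog; check Tamper Protection and that SMC restarted."
}
```

Set smc_debuglog_on back to 0 and restore Tamper Protection once the problem is captured; debug.log records rule names, application paths and addresses, and with a 20,000 KB limit it is not something to leave growing on an endpoint.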
If needed, you can configure the granularity of the logging by creating two values in the registry.
[HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC]
"smc_debug_level"=dword:00000000
"smc_debug_log_level"=dword:00000000
smc_debug_level affects the logging of virus and spyware events:
smc_debug_log_level affects the logging of firewall events:
For both values, 0 is the default and is usually the recommended setting for troubleshooting.
The above settings can also be configured from the client user interface using the following steps:
You must then restart the SMC service as noted above.
To view the debug log from the client user interface:
Sylink is the client component responsible for communication with the Symantec Endpoint Protection Manager (SEPM) server.
To enable Sylink logging, follow these steps:
Note: You must also first enable default SMC debugging (described above).
You must then restart the SMC service as noted above.
To enable extended TSE debugging for Network Threat Protection, follow these steps:
Example from debug.log:
01/25 16:46:17 [304:960] TSE extended debugging is turned on. Flag =
01/25 16:48:43 [304:592] TSE2415: *********DROP PACKET*********
01/25 16:48:43 [304:592] TSE: SecurityRule = Block Local File Sharing
01/25 16:48:43 [304:592] TSE: ApplicationName = C:\WINNT\system32\ntoskrnl.exe
01/25 16:48:43 [304:592] TSE2417: *** DROP PACKET **
01/25 16:48:43 [304:592] ======== TsPacket ====== BA: 1 == protocol: 2 === === EtherII Packet=== len:92==== nic:0===== <mac_address> ---> ff-ff-ff-ff-ff-ff , protocol = 0x800 ===== IP Packet==== len:78==== <ipaddress> --> <ipaddress>, type: 0x11, Id: 2629, Frg: 0x0 ========= UDP datagram, len: 78==== <ipaddress> -> <ipaddress>:137 , DataLen: 5
01/25 16:48:43 [304:592] TSE2415: *********DROP PACKET**********
01/25 16:48:43 [304:592] TSE: SecurityRule = Block and Log Unchecked IP Packets
01/25 16:48:43 [304:592] TSE2417: *** DROP PACKET ***
01/25 16:48:43 [304:592] ======== TsPacket ====== BA: 1 == protocol: 2 === === EtherII Packet=== len:74==== nic:0===== <macaddress> ---> <macaddress> , protocol = 0x800 ===== IP Packet==== len:60==== <ipaddress> --> <ipaddress>, type: 0x1, Id: 28535, Frg: 0x0 ===== ICMP Packet==== len:40==== , type: 0x8, Code: 0, Checksum: 0x5a3a
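Reading the TSE output above by hand is fine for two drops; for a busy host it helps to turn the "DROP PACKET" groups into objects and count them per firewall rule. The following PowerShell is an added example, not code from the Symantec article. The sample lines are constructed for this example, modelled on the article's output, with RFC 5737 documentation addresses and made-up MAC addresses in place of the article's placeholders; the function name and field names are this example's own.

```powershell
# Added example (not from the Symantec article): parse TSE "DROP PACKET" entries out of
# debug.log and summarize dropped traffic per firewall rule. Sample lines are constructed
# for this example (documentation addresses instead of the article's <ipaddress> placeholders).

$sample = @'
01/25 16:48:43 [304:592] TSE2415: *********DROP PACKET*********
01/25 16:48:43 [304:592] TSE: SecurityRule = Block Local File Sharing
01/25 16:48:43 [304:592] TSE: ApplicationName = C:\WINNT\system32\ntoskrnl.exe
01/25 16:48:43 [304:592] TSE2417: *** DROP PACKET **
01/25 16:48:43 [304:592] ======== TsPacket ====== BA: 1 == protocol: 2 === === EtherII Packet=== len:92==== nic:0===== 00-11-22-33-44-55 ---> ff-ff-ff-ff-ff-ff , protocol = 0x800 ===== IP Packet==== len:78==== 192.0.2.10 --> 192.0.2.255, type: 0x11, Id: 2629, Frg: 0x0 ========= UDP datagram, len: 78==== 192.0.2.10 -> 192.0.2.255:137 , DataLen: 5
01/25 16:48:43 [304:592] TSE2415: *********DROP PACKET**********
01/25 16:48:43 [304:592] TSE: SecurityRule = Block and Log Unchecked IP Packets
01/25 16:48:43 [304:592] TSE2417: *** DROP PACKET ***
01/25 16:48:43 [304:592] ======== TsPacket ====== BA: 1 == protocol: 2 === === EtherII Packet=== len:74==== nic:0===== 00-11-22-33-44-55 ---> 00-aa-bb-cc-dd-ee , protocol = 0x800 ===== IP Packet==== len:60==== 198.51.100.7 --> 192.0.2.10, type: 0x1, Id: 28535, Frg: 0x0 ===== ICMP Packet==== len:40==== , type: 0x8, Code: 0, Checksum: 0x5a3a
'@ -split "`r?`n"

function ConvertFrom-SepTseDrop {
    # Walks the log lines in order: a TSE2415 header opens a record, the following
    # SecurityRule / ApplicationName lines fill it in, and the record is emitted when
    # the TsPacket line (last line of the group) is seen.
    param([string[]]$Lines)
    $prefix = '^(?<ts>\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[(?<pid>\d+):(?<tid>\d+)\] '
    $rec = $null
    foreach ($line in $Lines) {
        if ($line -match ($prefix + 'TSE2415:')) {
            $rec = [ordered]@{ Time = $Matches.ts; Pid = [int]$Matches.pid; Tid = [int]$Matches.tid
                               SecurityRule = $null; ApplicationName = $null
                               IpProto = $null; Src = $null; Dst = $null; DstPort = $null }
            continue
        }
        if ($null -eq $rec) { continue }
        if ($line -match ($prefix + 'TSE: SecurityRule = (?<v>.+)$'))    { $rec.SecurityRule    = $Matches.v.Trim(); continue }
        if ($line -match ($prefix + 'TSE: ApplicationName = (?<v>.+)$')) { $rec.ApplicationName = $Matches.v.Trim(); continue }
        if ($line -match 'IP Packet==== len:\d+==== (?<src>[\d.]+) --> (?<dst>[\d.]+), type: 0x(?<type>[0-9a-f]+)') {
            $rec.Src = $Matches.src; $rec.Dst = $Matches.dst
            # The IP "type" field is the protocol number in hex: 0x1 = ICMP, 0x6 = TCP, 0x11 = UDP.
            $rec.IpProto = switch ([Convert]::ToInt32($Matches.type, 16)) { 1 {'ICMP'} 6 {'TCP'} 17 {'UDP'} default {"proto $_"} }
            # Only the TCP/UDP summary carries "src -> dst:port"; ICMP lines leave DstPort empty.
            if ($line -match '[\d.]+ -> [\d.]+:(?<port>\d+)') { $rec.DstPort = [int]$Matches.port }
            [pscustomobject]$rec
            $rec = $null
        }
    }
}

$drops = ConvertFrom-SepTseDrop -Lines $sample
$drops | Format-Table Time, SecurityRule, IpProto, Src, Dst, DstPort, ApplicationName -AutoSize

# Which rules are doing the dropping, and how often: the first thing to check when a
# host loses connectivity after a firewall policy change.
$drops | Group-Object SecurityRule | Select-Object Count, Name
```

On a real host, replace $sample with Get-Content of the debug.log path given earlier in this article; the ApplicationName of ntoskrnl.exe for the NetBIOS drop shows why the kernel, not a user process, appears as the owner of broadcast traffic.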
This debug setting makes the Symantec Endpoint Protection agent write AutoLocation switching information to the standard debug.log file.
[HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\Trident]
"AutoLocationDump"=dword:00000001
(If the Trident registry key does not exist, then create it.)
Example from debug.log:
05/07 16:31:33 [916:828] ***** AL begin get wins ip *****
05/07 16:31:33 [916:828] ***** AL begin get DNS ip
05/07 16:31:33 [916:828] ***** AL DNS Ip : <ipaddress>
05/07 16:31:33 [916:828] ***** AL begin get gateway ip
05/07 16:31:33 [916:828] ***** AL begin get local ip and dhcp ip
05/07 16:31:33 [916:828] ***** AL local ip : <ipaddress>
05/07 16:31:33 [916:828] ***** AL DHCP ip : <ipaddress>
05/07 16:31:33 [916:828] ***** AL Dhcp ip :<ipaddress> Mac :00-00-00-00-00-00
05/07 16:31:33 [916:828] ***** AL begin get dns name *****
Host Integrity checks are performed on the agent machine by a JavaScript file included in the policies downloaded from the policy manager. Normally this script is deleted once the Host Integrity check completes; setting the following registry value keeps the file on disk so that you can review the script for troubleshooting.
[HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\SSHelper]
"EnableScriptDebug"=dword:00000001
The Host Integrity script file AVScript.js can now be found in the Symantec Endpoint Protection folder once Host Integrity has run.
This debug setting is used to help isolate EAP 802.1x issues. The registry value causes 802.1x EAP information to be written to the standard debug.log file.
[HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC]
"EnableDebug802.1x"=dword:00000001