How to read / parse what the current definitions are on Symantec Endpoint Protection, and vdb, xdb and jdb
search cancel

How to read / parse what the current definitions are on Symantec Endpoint Protection, and vdb, xdb and jdb


Article ID: 152404


Updated On:


Endpoint Protection


You are trying to determine the Symantec Endpoint Protection (SEP) definition date being used by the information in the registry, Windows event log, or from the virus definition file itself (.vdb, .xdb, or .jdb) but the data you see is not readily human-readable.


The information you are viewing is in Hexadecimal format and needs to be converted to be read properly.


This is the C++ code:
Year = (unsigned short)((version >> 18) + 1998),
Month = (unsigned short)((version >> 14) & 0x0f),
Day = (unsigned short)((version >> 9) & 0x1f),
Revision = (unsigned short)(version & 0x1FF);

AutoIT Source

Local $BS_Year, $BS_Montha, $BS_Month, $BS_Day,$BS_Daya, $BS_Revision, $SepRegRead

$SepRegRead = RegRead("HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\","UsingPattern")

$BS_Year = (BitShift($SepRegRead,18) + 1998)
$BS_Month = BitShift($SepRegRead,14)
$BS_Montha = BitAND($BS_Month,0x0f)
$BS_Day = BitShift($SepRegRead,9)
$BS_Daya = BitAND($BS_Day,0x1f)
$BS_Revision = BitAND($SepRegRead, 0x1FF)

ConsoleWrite(@CRLF & "Year: " & $BS_Year & @CRLF & "Month: " & $BS_Montha & @CRLF & "Day: " & $BS_Daya & @CRLF & "Revesion: " & $BS_Revision & @CRLF)
MsgBox(4096,"Your Defs",@CRLF & "Year: " & $BS_Year & @CRLF & "Month: " & $BS_Montha & @CRLF & "Day: " & $BS_Daya & @CRLF & "Revesion: " & $BS_Revision & @CRLF)


Using Calc:
Copy (hex) from HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\UsingPattern (Todays) 312e02 (Hex)

Into the display on the Calc

Then convert to Binary (BIN)

File Edit: COPY
Goto Notepad and paste 1100010010111000000010
Count 18 spots left (bitshift right) 1100 ( 1100 0100 10111 000000010)
Clear out calc and copy back in (bin setting)
Convert to Dec
Add 1998 = 2010

Go back to your notepad and count 14 to the left (bitshift right) ( 1100 0100 10111 000000010)
You get 0100
Report the copy into Calc and convert from Bin to Dec
You get 4

Go back to notepad and again count from right to left count 9 (1100 0100 10111 000000010)
You get 10111 . Copy paste to Cal (Bin to Dec)
You get 23

Go back to notepad and take the last digits. 000000010 ( 1100 0100 10111 000000010 )
Copy and paste back in to cal (Bin to Dec)
You get 2

So the definitions are: 2010/4/23 Rev 2

To convert jdb,xdb, vdb remove the prefix names and then covert just like the above (using calc).


Additional Information

The legacy VDB Date Decoder Utility DecodeVDB.exe tool, attached below, may also prove useful.  Simply remove the "vd" prefix and the file extension, then enter the remaining characters into the tool.  

For example, from the file vd413c25.jdb, enter 413c25 into the tool.  The resulting output is human-readable: 4/30/2014 Rev.37 

That date and revision can be consulted in the pages for Multiple Daily Definitions or Rapid Release Definitions to learn the Sequence Number and other information.

The "Defs Version" of an update, often displayed in Windows Event Logs, can most easily be translated into human-readable format by searching  For example, 160430b will result in several hits in the search engine which bring up the relevant Certified Definitions page.  That page displays the corresponding human-readable date and other details.



DecodeVDB.exe get_app