About Mobile Security Logs in Symantec Mobile Security 7.2

Article ID: 157718

Products

Mobile Security

Issue/Introduction

Detailed information is needed from one individual Android device that is managed by the Symantec Mobile Security 7.2 (SMS 7.2) server.  What details are available? How can data be maximized?

Resolution

Device Information

Additional details on a specific device can be viewed from the Symantec Management Console (SMC) by right-clicking on a listed Android device and selecting Resource Manager, View Device Information.

The specifics displayed include the Android's last connection time, list of threats and blocked websites, the last known location, agent version, device type, policy status and so on.

 

Mobile Security Logs

It is possible to drill into the archived logs from this device for additional information.  From the Resource Manager screen, click on View Mobile Security Logs.

The Mobile Security Logs screen displays archived log event data stored on the hard drive under C:\ProgramData\Symantec\MobileSecurity\EventArchives. Detailed events from recent communications may not be displayed here. (Other screens, such as View Inventory, show an up-to-date status.) Note that the amount of log data archived and available for display is determined by the configured purge schedule.

These logs can be viewed on-screen or saved as a webpart or in XML, HTML or CSV format for advanced manipulation.

Scanning and Malware entries are under Module 1, Policy-related entries are under Module 6, Google Cloud Messaging (GCM) entries under Module 9, and so on.

For example, these logs can be used to check the version of the definitions that are present on the device. To view the sequence number of those definitions, filter for Event Type 4013. The resulting entries look like "Anti-Malware application definitions updated to version: 20130207016" and "Scan Engine application definitions updated to version: 2012111301." Those dates translate to "February 7 2013, revision 16" and "November 12 2012, revision 1".

To view all LiveUpdate activity, filter the exported data for Module 4.  An example:

 

[Date and Time] 1 4 4002 LiveUpdate session completed.
[Date and Time] 1 4 4002 2 update(s) downloaded, 2 installed
[Date and Time] 1 4 4013 null Anti-Malware application definitions updated to version: 20130207016
[Date and Time] 1 4 4014 null Anti-Malware application definitions updated to version: 20130207016
[Date and Time] 1 4 4012 null Anti-Malware application definitions updated to version: 20130207016
[Date and Time] 1 4 4007 Norton Mobile Security Virus Definitions LiveUpdate successfully downloaded content {0.EN_US}.
[Date and Time] 1 4 4010 Norton Mobile Security Virus Definitions LiveUpdate successfully validated content norton$20mobile$20security$20virus$20definitions_2.5_symalllanguages_livetri.zip.
[Date and Time] 1 4 4009 Norton Mobile Security Virus Definitions LiveUpdate is validating content norton$20mobile$20security$20virus$20definitions_2.5_symalllanguages_livetri.zip.
[Date and Time] 1 4 4003 Norton Mobile Security Virus Definitions LiveUpdate is downloading content {0.EN_US}.
[Date and Time] 1 4 4013 null Scan Engine application definitions updated to version: 2012111301
[Date and Time] 1 4 4014 null Scan Engine application definitions updated to version: 2012111301
[Date and Time] 1 4 4012 null Scan Engine application definitions updated to version: 2012111301
11 February 2013 1 4 4007 Norton Mobile Security Engine LiveUpdate successfully downloaded content {0.EN_US}.
11 February 2013 1 4 4010 Norton Mobile Security Engine LiveUpdate successfully validated content norton$20mobile$20security$20engine_2.5_symalllanguages_livetri.zip.
11 February 2013 1 4 4009 Norton Mobile Security Engine LiveUpdate is validating content norton$20mobile$20security$20engine_2.5_symalllanguages_livetri.zip.
11 February 2013 1 4 4003 Norton Mobile Security Engine LiveUpdate is downloading content {0.EN_US}.
11 February 2013 1 4 0 LiveUpdate session started. The server address is: http://[IP and Port of internal LiveUpdate Administrator 2.x server]
11 February 2013 1 4 4001 LiveUpdate started.
11 February 2013 1 4 4019 Rerun LiveUpdate when the network is available.
11 February 2013 1 4 4017 Scheduled LiveUpdate session canceled: no network available.
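
The Module 4 and Event Type 4013 filtering described above can be scripted against a CSV export to report the newest definitions per component and count canceled LiveUpdate sessions. This is an added example, not Symantec code; the column names (Time, Module, EventType, Message) and the sample rows are constructed assumptions, so adjust them to the header of the real export.

```python
import csv
import io
import re
from datetime import date

# Constructed sample export; the column names are assumptions, so match them
# to the header of the real CSV. Event type 1001 is a made-up placeholder.
SAMPLE_CSV = """Time,Module,EventType,Message
2013-02-11 09:02:10,4,4002,LiveUpdate session completed.
2013-02-11 09:02:05,4,4013,null Anti-Malware application definitions updated to version: 20130207016
2013-02-11 09:01:40,4,4013,Scan Engine application definitions updated to version: 2012111301
2013-02-11 09:00:00,4,4001,LiveUpdate started.
2013-02-11 08:00:00,4,4017,Scheduled LiveUpdate session canceled: no network available.
2013-02-11 07:59:00,1,1001,Constructed Module 1 row that the filter must skip.
"""

# A leading "null" (seen in the article's listing) is tolerated.
VERSION_RE = re.compile(
    r"^(?:null\s+)?(?P<component>.+?) application definitions "
    r"updated to version: (?P<version>\d{9,})$"
)

def decode_version(version):
    """Read the first 8 digits as YYYYMMDD and the rest as the revision."""
    day = date(int(version[:4]), int(version[4:6]), int(version[6:8]))
    return day, int(version[8:])

def summarize_liveupdate(csv_text):
    """Return (newest definitions per component, count of canceled sessions)."""
    newest, canceled = {}, 0
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Module"].strip() != "4":       # LiveUpdate activity only
            continue
        event = row["EventType"].strip()
        if event == "4017":                    # scheduled session canceled
            canceled += 1
        elif event == "4013":                  # definitions updated
            match = VERSION_RE.match(row["Message"].strip())
            if not match:
                continue
            day, revision = decode_version(match["version"])
            seen = newest.get(match["component"])
            if seen is None or (day, revision) > (seen["date"], seen["revision"]):
                newest[match["component"]] = {
                    "version": match["version"], "date": day, "revision": revision}
    return newest, canceled

if __name__ == "__main__":
    print(summarize_liveupdate(SAMPLE_CSV))
```

A device whose export shows repeated 4017 entries and no recent 4013 entry is a candidate for stale definitions and worth following up.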

 

In similar ways it is possible to view a list of all filenames that were scanned on the phone or the URLs of all websites evaluated for safety by the web protection module.

  

View Inventory

Another method to determine in-depth information about the device is by viewing its inventory listings.

 

  1. On the console, go to Home > Mobile Security > Device Management > Manage Android Devices.
  2. Right-click on the device in question and select Resource Manager.
  3. On the Resource Manager, click View > Inventory.
  4. In the middle pane, expand Data Classes and click on Mobile Security Android Device and the other available options.

 

 

Enabling Debug Communications

To maximize the amount of information that is available, open the policy that is assigned to the device. On the Communications tab, there are options for Other Communications. Place a check in the box for Enable Debug Logging.

Note that this option will result in additional resource usage (bandwidth, storage space required).

 

 

