Interpret Endpoint Protection Scan Logs
Article ID: 178975
Updated On:
Products
Issue/Introduction
Resolution
This document provides guidance and information on interpreting the scan logs generated by the Symantec Endpoint Protection (SEP) client, and Symantec Endpoint Protection Manager (SEPM).
The Scan log uses data from the System log to provide a complete picture of the scans that have been performed on your computer. The information shows how frequently your computer has been scanned and which types of scans are run on your computer. Actions that are inappropriate or that your administrator does not allow are unavailable.
You can use this log to see if a scan was stopped or interrupted in some way.
You can use this information to find infection trends, which you can respond to with better detection tactics. For example, your job might involve a lot of time on the Internet on Fridays, and you might notice that infections occur most often on Monday morning. You can then schedule a full scan to run every Monday at 8:00 A.M.
You can perform the following tasks in the Scan log:
-
View a list of the scans that have occurred on your computer over time. Scans are displayed with additional relevant information about the scans.
-
Export the data in the log to a comma-delimited text file, for use in other applications.
-
Right-click an entry and view its properties.
Table: Scan log columns
| Column name | Description |
|---|---|
| Started On | The date and time that the scan started. |
| Completed | The date and time that the scan ended. |
| Logged By | The type of scan that was run. For example, if this scan is a Startup scan, this column says Startup. |
| Computer | The computer from which the scan was run. For example, if you scan a network drive from your local computer, this field contains the name of your local computer. It is not the computer on which the drive is physically located. |
| Status | The current status of the scan, such as Scan Complete, Scanning, or Scan Aborted. |
| Total Files | The total number of files that were scanned. |
| Infected | The number of infections or anomalies that were found. |
| Trusted | The number of files noted as trusted by Insight. |
The Scan logs and reports provide information about virus and spyware scan activity. Information available includes items such as the computer name, IP address, status, scan time, duration, and scan results.
You can use the default filter to view the logs and reports or you can configure the filter options to limit the data view. You can save a filter that you have customized so that you can use it in the future.
Table: Basic Settings filter options for views of the Scan logs
|
Option |
Description |
|---|---|
|
Log type |
Species that you want to view the Scan log. |
|
Use a saved filter |
Specifies the filter that you want to use to create the view. You can use the default filter or a custom filter that you have named and saved for viewing scan information |
|
Time range |
Specifies the time range of events that you want to view in the log. For example, you can select Past week or Past year. If you select Set specific dates, you must set the Start date and an End date. |
|
Start date |
Specifies the start date for the time range. Available only when you select Set specific dates for the time range. |
|
End date |
Specifies the end date for the time range. Available only when you select Set specific dates for the time range. |
|
Additional Settings |
Displays the additional configuration options that are available for this view. Click Additional Settings and Basic Settings to toggle back and forth between them. |
Table: Additional Settings filter options for views of the Scan logs
|
Option |
Description |
||
|---|---|---|---|
|
Scan type |
Specifies whether to filter the report by events for manual scans, system or startup scans, Power Eraser, or all scans. You can also filter by scans that run when new definitions arrive. |
||
|
Duration greater or equal |
Specifies that you only want to see information about scans where the scan length was equal to or greater than this value in seconds. |
||
|
Files scanned greater or equal |
Specifies that you only want to see information about scans where the number of files scanned was equal to or greater than this value. |
||
|
Risks greater or equal |
Specifies that you only want to see information about scans where the number of risks found was equal to or greater than this value. |
||
|
Files with detections greater or equal |
Specifies that you only want to see information about scans where the number of infections found was equal to or greater than this value. |
||
|
Status |
Specifies which kind of scans to include. You can select one of the following statuses:
|
||
|
Domain |
Specifies the domains that you want to see scan information about. You can use the wildcard character question mark (?), which matches any one character, and the asterisk (*), which matches any string of characters. For example, to specify the domain names that begin with "je," type je* and separate each entry with a comma. By default, all domains are included. You can also click the dots to select from a list of known domains. |
||
|
Group |
Specifies the groups that you want to see scan information about. The question mark (?), which matches any one character, and the asterisk (*), which matches any string of characters, are accepted as wildcards. You can also click the dots to select from a list of known groups.
|
||
|
Server |
Specifies the servers that you want to see scan information about. You can use the wildcard character question mark (?), which matches any one character, and the asterisk (*), which matches any string of characters. For example, to specify the server names that have the string "tion" in them, type *tion* and separate each entry with a comma. By default, all servers are included. You can also click the dots to select from a list of known servers. |
||
|
Computer |
Specifies the computers that you want to see scan information about. You can use the wildcard character question mark (?), which matches any one character, and the asterisk (*), which matches any string of characters. For example, to specify the computers that are called 1system, 2system, 3system, etc., type *system and separate each entry with a comma. By default, all computers are included. |
||
|
IP address |
Specifies the IP addresses that you want to see scan information about. When you want to filter logs or reports by using an IP address, use the IP address that appears in the Computer Status log view. You can use the wildcard character question mark (?), which matches any one character, and the asterisk (*), which matches any string of characters. Separate each entry with a comma. By default, all IP addresses are included. |
||
|
User |
Specifies the users that you want to see scan information about. You can use the wildcard character question mark (?), which matches any one character, and the asterisk (*), which matches any string of characters. Separate each entry with a comma. By default, all users are included.
|
||
|
Operating system |
Specifies to include only those computers with this operating system. For example, you can select Windows 7 or All Windows. |
||
|
Limit |
Specifies how many entries to display on each page of the view. You can select one of 20, 100, 200, and 1000 entries. The default limit is 20 entries. |
Table: Options in the Scan logs - describes the options that are available in the log window after you view the log.
|
Option |
Description |
|---|---|
|
Auto-refresh |
Specifies the rate at which this log refreshes. |
|
Back |
Returns to the log filter. |
|
Export |
Exports the log data in this filtered list to a comma-separated file. |
|
Details |
Displays the available details about the selected entry. |
|
Detections |
Displays Risk log results for the selected scans. The difference between the Detections view and the Risk log is that the Detections view can indicate that scan results are pending. The Risk log does not indicate if any scan results are pending. The Detections view also cannot be filtered. For information about the options, see the Risk log help. |
|
View Applied Filters (N) |
Displays the filter applied to this log view and lets you change the filter applied to this log view. |
Table: Basic Settings filter options for the Scan quick reports
|
Option |
Description |
|---|---|
|
Report type |
Specifies that you want to view a Scan report. |
|
Select a report |
Specifies the specific Scan report that you want to view. Report options include:
|
|
Use a saved filter |
Specifies the filter that you want to use to create the view. You can use the default filter or a custom filter that you have named and saved for viewing scan information. |
|
Group by |
Specifies how you want the information grouped. For example, you can select Number of risks detected or Number of files scanned. This option is only available for the Scan Statistics Histogram report. |
|
Bin width |
Specifies the width of the bin to use to form the histogram. This option is only available for the Scan Statistics Histogram report. The default width is 60. |
|
Number of bins |
Specifies the number of bins you want used to form the bars of the histogram. This option is only available for the Scan Statistics Histogram report. The default number of bins is 100. |
|
Time range |
Specifies the time range of events that you want to view in the report. For example, you can select Past week or Past year. If you choose Set specific dates, you must set a Start date and an End date. The default Time range is Past 24 hours. |
|
Start date |
Specifies the start date for the time range. Available only when you select Set specific dates for the time range. |
|
End date |
Specifies the end date for the time range. Available only when you select Set specific dates for the time range. |
|
Additional Settings |
Displays the additional configuration options that are available for this view. Click Additional Settings and Basic Settings to toggle back and forth between them. |
Table: Additional Settings filter options for Scan quick reports
|
Option |
Description |
||
|---|---|---|---|
|
Duration greater or equal |
Specifies that only the scans where the scan duration exceeds this value are included in the report. This option is not available for the Computers Not Scanned report. |
||
|
Files scanned greater or equal |
Specifies that only scans where the number of files that were scanned is greater than or equal to this value are included in the report. This option is not available for the Computers Not Scanned report. |
||
|
Risks greater or equal |
Specifies that only scans where the number of risks that were found is greater than or equal to this value are included in the report. This option is not available for the Computers Not Scanned report. |
||
|
Files with detections greater or equal |
Specifies the number of infected files that you want to view information about. This option is not available for the Computers Not Scanned report. Limits the data to scans that found a number of infections that is greater than this value. |
||
|
Status |
Specifies the status of the scans that you want to view information about. For example, you can select Completed or Canceled. This option is not available for the Computers Not Scanned report. |
||
|
Domain |
Specifies the domain that you want to view information about. This field accepts a comma-separated list as input. You can use the question mark (?), which matches any one character, and the asterisk (*), which matches any string of characters, as wildcards. You can also click the dots to select from a list of known domains. |
||
|
Group |
Specifies the groups that you want to view information about. This field accepts a comma-separated list as input. You can use the question mark (?), which matches any one character, and the asterisk (*), which matches any string of characters, as wildcards. You can also click the dots to select from a list of known groups.
|
||
|
Server |
Specifies the servers that you want to view information about. This field accepts a comma-separated list as input. You can use the wildcard character question mark (?), which matches any one character, and the asterisk (*), which matches any string of characters. You can also click the dots to select from a list of known servers. |
||
|
Computer |
Specifies the name of the computers that you want to view information about. You can use the wildcard character question mark (?), which matches any one character, and the asterisk (*), which matches any string of characters. It also accepts a comma-separated list as input. |
||
|
IP address |
Specifies the IP addresses of the computers that you want to view information about. When you want to filter logs or reports by using an IP address, use the IP address that appears in the Computer Status log view. You can use the wildcard character question mark (?), which matches any one character, and the asterisk (*), which matches any string of characters. It also accepts a comma-separated list as input. |
||
|
User |
Specifies the names of the users that you want to view information about. You can use the wildcard character question mark (?), which matches any one character, and the asterisk (*), which matches any string of characters. It also accepts a comma-separated list as input. |
||
|
Operating system |
Specifies to include only those computers with this operating system. For example, you can select Windows 7 or All Windows. This option is available only for the Computers Not Scanned report. |
Feedback
