Interpret Endpoint Protection Scan Logs


Article ID: 178975


Updated On:

Products

Endpoint Protection

Issue/Introduction


Resolution

This document provides guidance on interpreting the scan logs generated by the Symantec Endpoint Protection (SEP) client and the Symantec Endpoint Protection Manager (SEPM).

Client Scan Logs

The Scan log uses data from the System log to provide a complete picture of the scans that have been performed on your computer. The information shows how frequently your computer has been scanned and which types of scans are run on your computer. Actions that are inappropriate or that your administrator does not allow are unavailable.


You can use this log to see if a scan was stopped or interrupted in some way.

You can use this information to find infection trends, which you can respond to with better detection tactics. For example, your job might involve a lot of time on the Internet on Fridays, and you might notice that infections occur most often on Monday morning. You can then schedule a full scan to run every Monday at 8:00 A.M.

You can perform the following tasks in the Scan log:

  • View a list of the scans that have occurred on your computer over time. Scans are displayed with additional relevant information about the scans.

  • Export the data in the log to a comma-delimited text file, for use in other applications.

  • Right-click an entry and view its properties.

Table: Scan log columns

Column name

Description

Started On

The date and time that the scan started.

Completed

The date and time that the scan ended.

Logged By

The type of scan that was run. For example, if this scan is a Startup scan, this column says Startup.

Computer

The computer from which the scan was run. For example, if you scan a network drive from your local computer, this field contains the name of your local computer. It is not the computer on which the drive is physically located.

Status

The current status of the scan, such as Scan Complete, Scanning, or Scan Aborted.

Total Files

The total number of files that were scanned.

Infected

The number of infections or anomalies that were found.

Trusted

The number of files noted as trusted by Insight.
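The two uses described above, finding scans that were stopped or interrupted and spotting the weekday on which infections cluster, can be done directly against the comma-delimited export. The following is an added example and not code from the article or from Symantec; the column names are those of the Scan log table, the rows are constructed sample data, and the date format is an assumption (the client writes dates in its own locale format, so adjust DATE_FORMAT to match your export).

```python
"""Parse a Scan log exported from the SEP client as a comma-delimited file.

Added example, not part of the original article. The column names follow the
'Scan log columns' table; the rows in SAMPLE_EXPORT are constructed sample data
and DATE_FORMAT is an assumption about the exporting client's locale.
"""
import csv
import io
from collections import Counter
from datetime import datetime

# Constructed sample export: one header row plus a few scan records.
SAMPLE_EXPORT = """\
Started On,Completed,Logged By,Computer,Status,Total Files,Infected,Trusted
2024-03-04 08:00:12,2024-03-04 09:41:55,Scheduled,WKSTN-17,Scan Complete,412390,3,380112
2024-03-05 08:00:09,2024-03-05 08:02:31,Startup,WKSTN-17,Scan Aborted,1840,0,1702
2024-03-08 13:15:44,2024-03-08 13:52:10,Manual,WKSTN-17,Scan Complete,98211,1,91004
2024-03-11 08:00:14,2024-03-11 09:38:02,Scheduled,WKSTN-17,Scan Complete,415002,2,381477
2024-03-12 17:30:00,,Manual,WKSTN-17,Scanning,52100,0,48800
"""

DATE_FORMAT = "%Y-%m-%d %H:%M:%S"  # assumption; match it to your client's locale


def parse_scan_log(text):
    """Return the export as a list of dicts with typed fields."""
    rows = []
    for raw in csv.DictReader(io.StringIO(text)):
        completed = raw["Completed"].strip()
        rows.append({
            "started": datetime.strptime(raw["Started On"], DATE_FORMAT),
            # A scan that is still running has no Completed timestamp yet.
            "completed": datetime.strptime(completed, DATE_FORMAT) if completed else None,
            "scan_type": raw["Logged By"],
            "computer": raw["Computer"],  # the scanning host, not the host of a scanned share
            "status": raw["Status"],
            "total_files": int(raw["Total Files"]),
            "infected": int(raw["Infected"]),
            "trusted": int(raw["Trusted"]),
        })
    return rows


def unfinished_scans(rows):
    """Scans that did not reach 'Scan Complete': aborted, or still running."""
    return [r for r in rows if r["status"] != "Scan Complete"]


def infections_by_weekday(rows):
    """Sum detections per weekday name to expose the trend the article describes."""
    counts = Counter()
    for r in rows:
        if r["infected"]:
            counts[r["started"].strftime("%A")] += r["infected"]
    return dict(counts)


def scan_duration_seconds(row):
    """Wall-clock duration of a finished scan; None while it is still running."""
    if row["completed"] is None:
        return None
    return int((row["completed"] - row["started"]).total_seconds())


if __name__ == "__main__":
    scans = parse_scan_log(SAMPLE_EXPORT)
    for s in unfinished_scans(scans):
        print(f"{s['started']}  {s['scan_type']:<10} {s['status']}")
    print(infections_by_weekday(scans))
```

On the sample data the aborted Startup scan and the still-running Manual scan are reported as unfinished, and the detections fall on Monday (5) and Friday (1), which is the pattern that would justify the Monday 8:00 A.M. scheduled scan mentioned above.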

Manager Scan logs and reports

The Scan logs and reports provide information about virus and spyware scan activity. Information available includes items such as the computer name, IP address, status, scan time, duration, and scan results.

You can use the default filter to view the logs and reports or you can configure the filter options to limit the data view. You can save a filter that you have customized so that you can use it in the future.

Table: Basic Settings filter options for views of the Scan logs

Option

Description

Log type

Specifies that you want to view the Scan log.

Use a saved filter

Specifies the filter that you want to use to create the view.

You can use the default filter or a custom filter that you have named and saved for viewing scan information.

Time range

Specifies the time range of events that you want to view in the log. For example, you can select Past week or Past year.

If you select Set specific dates, you must set the Start date and an End date.

Start date

Specifies the start date for the time range.

Available only when you select Set specific dates for the time range.

End date

Specifies the end date for the time range.

Available only when you select Set specific dates for the time range.

Additional Settings

Displays the additional configuration options that are available for this view.

Click Additional Settings and Basic Settings to toggle back and forth between them.

Table: Additional Settings filter options for views of the Scan logs

Option

Description

Scan type

Specifies whether to filter the report by events for manual scans, system or startup scans, Power Eraser, or all scans. You can also filter by scans that run when new definitions arrive.

Duration greater or equal

Specifies that you only want to see information about scans where the scan length was equal to or greater than this value in seconds.

Files scanned greater or equal

Specifies that you only want to see information about scans where the number of files scanned was equal to or greater than this value.

Risks greater or equal

Specifies that you only want to see information about scans where the number of risks found was equal to or greater than this value.

Files with detections greater or equal

Specifies that you only want to see information about scans where the number of infections found was equal to or greater than this value.

Status

Specifies which kind of scans to include.

You can select one of the following statuses:

  • All

  • Completed

  • Canceled

  • Started

Domain

Specifies the domains that you want to see scan information about.

You can use the wildcard character question mark (?), which matches any one character, and the asterisk (*), which matches any string of characters. For example, to specify the domain names that begin with "je," type je* and separate each entry with a comma. By default, all domains are included. You can also click the dots to select from a list of known domains.

Group

Specifies the groups that you want to see scan information about.

The question mark (?), which matches any one character, and the asterisk (*), which matches any string of characters, are accepted as wildcards. You can also click the dots to select from a list of known groups.

Note:

All groups are subgroups of the default parent group. Therefore, when this filter searches for groups, it searches hierarchically starting with the name of the default group. Unless the name of your group starts with the same letter, you should precede the search string with an asterisk when using wildcards.

For example, if you have a group named Purchasing, and you type p* into this box, no group is found and used in the view. To find a group named Purchasing, you need to use *p* instead.

Server

Specifies the servers that you want to see scan information about.

You can use the wildcard character question mark (?), which matches any one character, and the asterisk (*), which matches any string of characters. For example, to specify the server names that have the string "tion" in them, type *tion* and separate each entry with a comma. By default, all servers are included. You can also click the dots to select from a list of known servers.

Computer

Specifies the computers that you want to see scan information about.

You can use the wildcard character question mark (?), which matches any one character, and the asterisk (*), which matches any string of characters. For example, to specify the computers that are called 1system, 2system, 3system, etc., type *system and separate each entry with a comma. By default, all computers are included.

IP address

Specifies the IP addresses that you want to see scan information about. When you want to filter logs or reports by using an IP address, use the IP address that appears in the Computer Status log view.

You can use the wildcard character question mark (?), which matches any one character, and the asterisk (*), which matches any string of characters. Separate each entry with a comma. By default, all IP addresses are included.

User

Specifies the users that you want to see scan information about.

You can use the wildcard character question mark (?), which matches any one character, and the asterisk (*), which matches any string of characters. Separate each entry with a comma. By default, all users are included.

Note:

This filter is available for Windows users only. It is not available for Mac users.

Operating system

Specifies to include only those computers with this operating system. For example, you can select Windows 7 or All Windows.

Limit

Specifies how many entries to display on each page of the view.

You can select 20, 100, 200, or 1000 entries. The default limit is 20 entries.
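The wildcard rules used by the Domain, Group, Server, Computer, IP address and User filters above (and by the same filters in the Scan quick reports tables below) are easy to get wrong, especially the Group case where "p*" does not find "Purchasing" because the match runs against the hierarchical name beneath the default parent group. The following is an added example that models those rules; it is not SEPM code. The default group name "My Company", the backslash as path separator, and case-insensitive matching are assumptions made for the model.

```python
"""Model of the Scan log filter wildcards: '?' matches any one character,
'*' matches any string, entries are comma-separated, and Group filters are
matched against the name beneath the default parent group.

Added example, not code from SEPM. DEFAULT_GROUP, the backslash separator
and case-insensitive matching are assumptions used to model the behaviour.
"""
import re

DEFAULT_GROUP = "My Company"  # assumption: name of the default parent group


def wildcard_to_regex(pattern):
    """Translate a filter entry into a regex anchored to the whole value."""
    parts = []
    for ch in pattern:
        if ch == "?":
            parts.append(".")
        elif ch == "*":
            parts.append(".*")
        else:
            parts.append(re.escape(ch))  # literal characters, including '\\' and '.'
    return re.compile("".join(parts), re.IGNORECASE)


def matches_filter(value, filter_text):
    """True when value matches any comma-separated entry; an empty filter matches all."""
    entries = [e.strip() for e in filter_text.split(",") if e.strip()]
    if not entries:
        return True  # default: all domains / servers / computers included
    return any(wildcard_to_regex(e).fullmatch(value) for e in entries)


def group_path(group_name, default_group=DEFAULT_GROUP):
    """The hierarchical name the Group filter searches, starting at the default group."""
    if group_name == default_group:
        return default_group
    return f"{default_group}\\{group_name}"


def group_matches(group_name, filter_text):
    """Apply a Group filter the way the note above describes."""
    return matches_filter(group_path(group_name), filter_text)


if __name__ == "__main__":
    print(matches_filter("3system", "*system"))        # Computer example above
    print(matches_filter("application", "*tion*"))     # Server example above
    print(group_matches("Purchasing", "p*"))           # False: path starts with the default group
    print(group_matches("Purchasing", "*p*"))          # True
```

Because the Group filter sees "My Company\Purchasing" rather than "Purchasing", only a pattern that allows for the leading default group name can match, which is why the note recommends a leading asterisk.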

Table: Options in the Scan logs

This table describes the options that are available in the log window after you view the log.

Option

Description

Auto-refresh

Specifies the rate at which this log refreshes.

Back

Returns to the log filter.

Export

Exports the log data in this filtered list to a comma-separated file.

Details

Displays the available details about the selected entry.

Detections

Displays Risk log results for the selected scans. The difference between the Detections view and the Risk log is that the Detections view can indicate that scan results are pending. The Risk log does not indicate if any scan results are pending. The Detections view also cannot be filtered.

For information about the options, see the Risk log help.

View Applied Filters (N)

Displays the filter applied to this log view and lets you change the filter applied to this log view.

Table: Basic Settings filter options for the Scan quick reports

Option

Description

Report type

Specifies that you want to view a Scan report.

Select a report

Specifies the specific Scan report that you want to view.

Report options include:

  • Scan Statistics Histogram

  • Computers by Last Scan Time

  • Computers Not Scanned

Use a saved filter

Specifies the filter that you want to use to create the view.

You can use the default filter or a custom filter that you have named and saved for viewing scan information.

Group by

Specifies how you want the information grouped. For example, you can select Number of risks detected or Number of files scanned.

This option is only available for the Scan Statistics Histogram report.

Bin width

Specifies the width of the bin to use to form the histogram.

This option is only available for the Scan Statistics Histogram report.

The default width is 60.

Number of bins

Specifies the number of bins you want used to form the bars of the histogram.

This option is only available for the Scan Statistics Histogram report.

The default number of bins is 100.

Time range

Specifies the time range of events that you want to view in the report. For example, you can select Past week or Past year.

If you choose Set specific dates, you must set a Start date and an End date.

The default Time range is Past 24 hours.

Start date

Specifies the start date for the time range.

Available only when you select Set specific dates for the time range.

End date

Specifies the end date for the time range.

Available only when you select Set specific dates for the time range.

Additional Settings

Displays the additional configuration options that are available for this view.

Click Additional Settings and Basic Settings to toggle back and forth between them.

Table: Additional Settings filter options for Scan quick reports

Option

Description

Duration greater or equal

Specifies that only scans where the scan duration in seconds is greater than or equal to this value are included in the report.

This option is not available for the Computers Not Scanned report.

Files scanned greater or equal

Specifies that only scans where the number of files that were scanned is greater than or equal to this value are included in the report.

This option is not available for the Computers Not Scanned report.

Risks greater or equal

Specifies that only scans where the number of risks that were found is greater than or equal to this value are included in the report.

This option is not available for the Computers Not Scanned report.

Files with detections greater or equal

Specifies that only scans where the number of infected files found is greater than or equal to this value are included in the report.

This option is not available for the Computers Not Scanned report.

Status

Specifies the status of the scans that you want to view information about. For example, you can select Completed or Canceled.

This option is not available for the Computers Not Scanned report.

Domain

Specifies the domain that you want to view information about.

This field accepts a comma-separated list as input. You can use the question mark (?), which matches any one character, and the asterisk (*), which matches any string of characters, as wildcards. You can also click the dots to select from a list of known domains.

Group

Specifies the groups that you want to view information about.

This field accepts a comma-separated list as input. You can use the question mark (?), which matches any one character, and the asterisk (*), which matches any string of characters, as wildcards. You can also click the dots to select from a list of known groups.

Note:

Because all groups are subgroups of the default parent group, when this filter searches for groups, it searches hierarchically starting with the name of the default group. Unless the name of your group starts with the same letter, you should precede the search string with an asterisk when using wildcards.

For example, if you have a group named Purchasing, and you type p* into this box, no group is found and used in the view. To find a group named Purchasing, you need to use *p* instead.

Server

Specifies the servers that you want to view information about.

This field accepts a comma-separated list as input. You can use the wildcard character question mark (?), which matches any one character, and the asterisk (*), which matches any string of characters. You can also click the dots to select from a list of known servers.

Computer

Specifies the name of the computers that you want to view information about.

You can use the wildcard character question mark (?), which matches any one character, and the asterisk (*), which matches any string of characters. It also accepts a comma-separated list as input.

IP address

Specifies the IP addresses of the computers that you want to view information about. When you want to filter logs or reports by using an IP address, use the IP address that appears in the Computer Status log view.

You can use the wildcard character question mark (?), which matches any one character, and the asterisk (*), which matches any string of characters. It also accepts a comma-separated list as input.

User

Specifies the names of the users that you want to view information about.

You can use the wildcard character question mark (?), which matches any one character, and the asterisk (*), which matches any string of characters. It also accepts a comma-separated list as input.

Operating system

Specifies to include only those computers with this operating system. For example, you can select Windows 7 or All Windows.

This option is available only for the Computers Not Scanned report.