Download SymDiag v3 Beta
search cancel

Download SymDiag v3 Beta

book

Article ID: 281571

calendar_today

Updated On:

Products

Data Loss Prevention Endpoint Protection Endpoint Protection Cloud Protection Engine for NAS Protection Engine for Cloud Services Generic Non Product Support Portal Global Customer Assistance

Issue/Introduction

Download and learn about SymDiag v3 — the Symantec Diagnostic Tool — which identifies common issues, and gathers data and logs for support-assisted troubleshooting.

Resolution

Table of Contents

SymDiag for Windows v3 (3.0.61)

  1. Download SymDiag for Windows v3.
    Save the file to the Windows desktop.
  2. On the Windows desktop, double-click the SymDiagWin.exe icon.
  3. Follow the on-screen instructions to collect data.

Note: Requires Microsoft .NET 4.6.2 or greater.

SymDiag Viewer for Windows v3 (3.0.61)

  1. Download SymDiag Viewer for Windows v3.
    Save the file to the Windows desktop.
  2. On the Windows desktop, double-click the SymDiagViewer3.msi icon.
  3. Follow the on-screen instructions to install the SymDiag Viewer
  4. Double click on any *.sdz3 file and the file will be opened in the SymDiag Viewer v3
  5. If .Net v8 is not installed, when the SymDiag Viewer v3 runs it will prompt you to download and install .Net v8.

Note: Requires Microsoft .NET 8.

New features

What's new for SymDiag v3 for Windows?

  • Data collection can be up to 14 times faster.  The average collection time should be about 30 seconds.
  • Resolves v2 issues
  • The UI workflow and performance has been updated.
  • All data collection commands are multi-threaded with the ability to cancel a command after 90 seconds
  • Viewer, Database, and Archive tabs have been added
  • Reports have been redesigned as Facts
  • Product logging UI selections, logs and errors are displayed
  • The WPP logging options and filtering have been updated
  • The Command line options have been updated
  • The archive and database collections have been updated
  • All updates and fixes since v2.1.320.11285 (Released 10/31/2023) are in v3.

What's new for SymDiag v3 for Windows Viewer Tab?

  • Updated the display of product data
  • Updated the query UI
  • Updated the tree view for all products
  • SQLite databases are displayed as tables and columns with filtering capability
  • Files larger than 2 MB are displayed
  • New for Symantec Endpoint Protection
    • Logs are parsed in real-time and displayed similar to SEP UI
    • Exceptions output has been updated
    • Names and data have been synchronized with SEP UI
    • All NTR data is grouped within the SEP views
    • NTR .stats file is displayed as a SQLite database
    • The output from checking the SEP and SEPM URLs is displayed
  • New for Web Security Service
    • Product data is grouped by the installed product
    • The .stats file is displayed as a SQlite database
    • The Web Gateway’s event logs are displayed
  • New for Data Loss Prevention
    • Google and Edge DLP Browser extension Fact
    • An immediate error is given when entering an incorrect Enforce database password
    • Captures WinCap or Npcap directory and logs
    • Updated product detection
  • New for Symantec Enterprise Agent
    • Collects BASH, IPS and IRON files
    • Displays log entries
    • Collects all RocksDb files
  • New for Protection Engine
    • Supports v9

What's new for SymDiag v3 for Windows Viewer

  • .Net v8.0 application
  • The v2 and v3 Viewers can be installed together.  The v2 Viewer will only display v2 (.sdbz) files and the v3 Viewer will only display v3 (.sdz3) files.
  • Includes all of the viewing capability of SymDiag for Windows
  • Updated data collection version check
  • Includes the latest LogJoint for rich log viewing
  • Initial Facts editor with examples

Issues resolved in SymDiag v2 for Windows

  • Slow data collection
  • Database is locked error
  • Data collection hangs
  • Large file collections can fail
  • Runs out of memory while collecting some database data
  • UI is slow or stops responding
  • WPP logging errors are not displayed when they happen
  • Windows 64bit OS data may not be collected
  • Viewer will not display files that are larger than 2MB
  • Viewer is slow to open when a large number of file contents have been stored in the database
  • Data is stored in multiple formats
  • Old Windows UI folder selector

What SymDiag v2 for Windows features will not be included?

  • Malware detection and removal as it is no longer under development
  • Language Support
  • License Overview
  • Resources section
  • Real time display of cpu and memory
  • Wolken integration
  • Facts linking to KBs
  • The following reports will not be in v3
    • Latest Version
    • System Requirements
    • Security Advisories

Supported products

These are the initial products that are supported.  Additional v2 products will be added in the future:

  • Data Loss Prevention 11.0 and later Agent, Enforce, and Detection Servers
  • Endpoint Protection 14.0 and later Agent and Console
  • Endpoint Protection Cloud
  • Enterprise Agent
  • Protection Engine Agent and Console
  • Web Gateway
  • Web Security Service Agent
  • Web Security Service
  • Web Gateway

SymDiag command line

The command line format has been updated. An action will start with ‘sd-x’ where x is the action to take.  An action can have options and arguments.  An argument is denoted by 2 dashes: ‘-- ‘.  Spaces delimit options and arguments.  If spaces are needed in the option or argument, then quotes are put around the option or argument.

Command Details

-?, -h, --help

  

sd-base <DIR>
  • The directory in which all SymDiag generated files and directories will be created.
  • Example: sd-base c:\basedir
sd-dest --dir <DIR> --file <FILE>
  • Set the destination directory and/or file and skips file save in ui
  • Example to set output directory only: sd-dest --dir c:\outputdir
sd-log <TYPE>

Creates the type of log file and all others in this order (PPPP indicates a pid number):

  • sfx: Logs self-extractor operations in a file with the name SymDiag.SdSfxPPPP.log with cert and log types
  • cert: Logs the certificate checking in a file with the name SymDiag.CertPPPP.log with log type
  • log: Logs the SymDiag operations in a file with the name <COMPUTER>__<YEAR>-<MONTH>-<DAY>__HH-MM-SS.log. If the SymDiag.PPPP.log exists, it is renamed to the log file name.
  • Example: sd-log log
sd-logging <ProductShortName(s)> --for <Minutes>

Enables product logging when running SymDiag silently.

  • <ProductShortName(s)>
    • A comma delimited list of product shortnames to enable product logging for if the product(s) are detected.
    • If not specified, then any detected products that support product logging will be enabled.
  • --for <Minutes>
    • If specified, the number of minutes the product logging will run for
    • If not specified, this defaults to 5
  • Example: sd-logging --for 1

 

Currently the supported products are: Sea (which will enable Sea, WssBlade and SepBlade), WssAgent, WssCloud
sd-open <FILE>
  • Open the file
  • Example: sd-open “c:\data\file.sdz3”
sd-prod <ProductShortName(s)> A comma delimited list of product shortnames to collect data for if the product is detected. If specified, then data is not collected for unlisted detected products.
sd-noup
  • Does not check for an update
  • Example: sd-noup
sd-optional --run <COMMANDS> --notrun <COMMANDS>

Specify to run or not run optional collection commands. COMMANDS is a comma delimited list of commands which are listed in Pascal Case for easier reading.  The command is case insensitive.

  • GroupPolicy
sd-s Run silently
  • Will run SymDiag silently
  • Example: sd-s
sd-skip <OPTIONS>

A comma delimited list of options to skip past ui screens. The options are in Pascal Case for easier reading.  The option is case insensitive.

  • AcceptEula: Skips pressing the "I accept the EULA" button
  • TaskCollect: Selects the "Collect and Analyze Product Data task
  • TaskCollectSave: Selects the "Collect and Analyze Product Data" task and proceeds through a product logging and collection to the the Save screen.  If "sd-dest --dir" is present, the output will be saved.  If both conditions are true, SymDiag will exit after the ave.
sd-update-only

Update to the latest version and then exit

Example command line with multiple options to set the base dir, output dir and SymDiag logging:

sd-base c:\basedir sd-dest --dir "c:\output dir" sd-log log

 

Product short names

Short Name

Product Name

DlpAgent

Data Loss Prevention Agent

DlpDetection

Data Loss Prevention Detection

DlpEnforce

Data Loss Prevention Enforce

Sea

Enterprise Agent

SpeServer

Protection Engine Server

SpeConsole

Protection Engine Console

SepAgent

Endpoint Protection Agent

SepConsole

Endpoint Protection Console

WssAgent

Web Security Service Agent

WssBlade

Web Gateway

WssCloud

Web Security Service

Files and directories created by SymDiag

SymDiag uses a base directory, which can be set by the command line option sd-base.  Within that base directory, SymDiag creates files and directories.  The file name’s format is: [computer name]__yyyy-mm-dd__hh-mm-ss.

If the sfx or cert argument is provide to the sd-log command, then a SymDiag.PPPPP.log where PPPPP is the initial pid is created.  Once SymDiag starts running, if the SymDiag.PPPP.log exists, it is renamed to [computer name]__yyyy-mm-dd__hh-mm-ss.log.

 

Extension

Type

SymDiag.PPPPP.log

Log of the self-extractor operations and/or the certificate checks prior to SymDiag starting

.log

Log of SymDiag's operation

.realm

Mongo Realm database file

.realm.lock

Mongo Realm database lock file

.sdz3.tmp

SymDiag archive file

 

In the base directory, the following directories are created (PPPP is a common pid):

Name

Purpose

[Name].realm.management

Mongo Realm’s directory

SdSfxPPPP

SymDiag's self-extractor extracts the SymDiag files to this directory

TempPPPP

Directory that is used for creating temporary files while SymDiag is running

TempPPPP\Archive\x

As files are archived, numbered directories are created and the files are compressed into them before being written into the archive

TempPPPP\RebootState

If SymDiag is rebooting the computer, then various state files are written to this directory

TempPPPP\TraceSessions\x

If product logging is running, then separate directories are used for each product and log type

 

Frequently asked questions

Q: Why is the performance slower than expected?

  • Data collection will be slower on systems with less than 4 CPUs as compared to systems with 4 or more CPUs. The fastest collection times are when the number of active commands are 50%-75% of the virtual CPUs. The number of active commands defaults to 50% of the virtual CPUs.

    This is set in the Scan Options by selecting the number of active commands.

  • Memory usage above 50% before SymDiag runs can increase the data collection time. This is due to the large number of objects that are created, saved to the database and then released.  

Q: How do I extract the files from the .sdz3 file?

  • The .sdz3 file uses a Zip format.  The initial .sdz3 file will have 1 file with the same name.  This file can be extracted using a Zip program.  The files within the extracted .sdz3 have been compressed using LZ4, which most Zip programs do not support.

    You will need to use SymDiagWin, SymDiag Viewer, or an application that supports LZ4 compression.

Release Notes

Build 3.0.61 (10/28/2024)

Issue key Component Summary
SUPOPS-1484 Sep Improve decryption performance

Build 3.0.60 (10/28/2024)

Issue key Component Summary
SUPOPS-1124 SymDiag, Viewer Show message if try to export a file that was not collected
SUPOPS-1371 Sep Country.dat is null
SUPOPS-1476 SymDiag, Viewer Remove arrows on left side of DataGrid
SUPOPS-1477 SymDiag, Viewer Use the Extractor dialog while extracting files using the archive tab
SUPOPS-1478 Sea Sea Logs will exception if use Copy selected row(s) to clipboard menu option
SUPOPS-1482 Sep Improve the performance of encrypting data
SUPOPS-1483 Sep Information Cloud Policies is not displaying the date received
SUPOPS-1485 Sep Cloud policy view shows encrypted json unless first view ccsettings
SUPOPS-1486 SymDiag, Viewer DataGrid Date columns display utc time
SUPOPS-1487 SymDiag, Viewer DataGrid query filter with backslash exceptions
SUPOPS-1488 Sep Sep's Install Logs view does not show size and created for the files
SUPOPS-1489 Win Windows Event Viewer does not display the EventID
SUPOPS-1490 SymDiag, Viewer Secs are not displayed in DataGrid Date columns
SUPOPS-1491 SymDiag, Viewer DataGrid rows are sized to fit content height, resulting in some rows taking the entire screen

Build 3.0.59 (10/21/2024)

Issue key Component Summary
SUPOPS-1473 Sea Sea System log can have lines with invalid chars
SUPOPS-1370 Sep Verify sep file collection
SUPOPS-1467 SymDiag Create sd-update-only command line option
SUPOPS-1471 SymDiag Handle Out of Disk Space during data collection
SUPOPS-1472 SymDiag sd-logging --for x with sd-s does not start and stop product logging time
SUPOPS-1475 SymDiag System Information has some duplicated information

Build 3.0.58 (10/14/2024)

Issue key Component Summary
SUPOPS-1437 SymDiag Check and error for low disk space when unable to run
SUPOPS-1448 SymDiag JSON EXCEPTION, Exception: System.NotSupportedException: Using the dynamic API to access a RealmObject
SUPOPS-1468 Viewer Viewer exits when try to export from Mini Dumps View

Build 3.0.57 (9/28/2024)

Issue key Component Summary
SUPOPS-1445 Sea Display all parsed Sea logs in Sea as well as under the plugin
SUPOPS-1447 Viewer Viewer crashes exporting files from File Explorer view if there is an error during the export

Build 3.0.56 (9/26/2024)

Issue key Component Summary
SUPOPS-1442 Sea Capture Mini or Full Dumps for running SEA processes
SUPOPS-1441 SymDiag Allow data collection to compress files on its thread or on the archiver thread
SUPOPS-1435 SymDiag, Viewer Remove the 'Full Row Selection', 'Cell or Row Selection' from the DataGrid Views

Build 3.0.55 (9/20/2024)

Issue key Component Summary
SUPOPS-1423 Sea, Web Gateway Unable to open some Sea logs as 0 byte files are not archived
SUPOPS-1433 Sea, Web Gateway Capture RocksDb files immediately by an order and date
SUPOPS-1430  SymDiag Have ArchiveWriter compress before the item is queued for archiving
SUPOPS-1420 SymDiag, Viewer Unable to extract a trace file from ...\Product Logging\Trace Session view
SUPOPS-1427 SymDiag, Viewer Public SymDiag Decryption Service UI does not close

Build 3.0.54 (9/12/2024)

Issue key Component Summary
SUPOPS-1401 SymDiag When saving, the folder path and file name are not showing completely
SUPOPS-1402 SymDiag The screen shows incorrect information, collecting 107 of 106
SUPOPS-1422 SymDiag Use sdz3.tmp archive extension while collecting data
SUPOPS-1400 SymDiag, Viewer About box is blank
SUPOPS-1398 Wss Collect PAC file for WSS
SUPOPS-1405 Wss Enable WSS silent product logging

Build 3.0.53 (8/28/2024)

Issue key Component Summary
SUPOPS-1394 SymDiag Improve performance and hangs when running on 1-3 cpus
SUPOPS-1395 SymDiag Silent data collection does not set Scan Start
SUPOPS-1389 SymDiag, Viewer Copy Fact to clipboard

Build 3.0.52 (8/21/2024)

Issue key Component Summary
SUPOPS-1365 Dlp Unable to pick the correct version of DLP after a migration
SUPOPS-1366 SymDiag, Viewer An ArchiveGroup view with 2 or more groups can display the same file multiple times

Build 3.0.51 (8/6/2024)

Issue key Component Summary
SUPOPS-1255 Sea Capture the manifest.json from SymPlatform dir
SUPOPS-1349 SymDiag Allow the user a choice to continue collecting data after a product logging failure
SUPOPS-1356 SymDiag Unable to collect data when SymDiagWin launched by a service

Build 3.0.50 (7/29/2024)

Issue key Component Summary
SUPOPS-1347 SEA Collect SEA migration logs

Build 3.0.49 (7/25/2024)

Issue key Component Summary
SUPOPS-1337 SEA Add SEA*.* from TEMP directories to data collection
SUPOPS-1261 SEP Capture the FSD logs
SUPOPS-1331 SymDiag Command line option to enable product logging
SUPOPS-1333 SymDiag "Error starting up..." when setting sd-base command line to c:\Windows\system32
SUPOPS-1330 SymDiag .sdz3 file is deleted when using sd-base and sd-dest with the same directory 
SUPOPS-1302 Viewer Unable to open realm file
SUPOPS-1325 Viewer After opening a Realm file, correctly handle that the archive file is not present in various views
SUPOPS-1287 Viewer Viewer exits from memory when exporting files from File Explorer\All
SUPOPS-1332 Viewer Display a file contents not collected dialog for files which were not collected
SUPOPS-1339 Viewer Unable to update Realm file due to a lower format version


Build 3.0.48 (4/29/2024)

Issue key Component Summary
SUPOPS-1159 DLP DbJdbc ArgumentException: Object of type 'System.DBNull' cannot be converted to type 'System.DateTimeOffset'
SUPOPS-1165 SEP Enabling product logging for sep with ntr results in a blank reproduce screen
SUPOPS-1007 SEP Update sep agent and console url checks for latest version
SUPOPS-1172 SEP Sep14.3 RU8 exceptions are not displayed
SUPOPS-819 SPE Spe Server 9 has new logging options
SUPOPS-777 SymDiag [14.3-RU8 and above][SDBZ] For GEH policy in PMS, please collect Client and Server node
SUPOPS-1183 SymDiag Save decryption information in a file so that files can be decrypted without the database
SUPOPS-1070 Viewer Viewer shortcut path is incorrect to launch it
SUPOPS-1185 Viewer Opening a .sdz3 with no database file the UI is stuck at the 'extracting database file' modal
SUPOPS-1182 Viewer Viewer can display and extract files without the database file

Build 3.0.47 (4/15/2024)

Issue key Component Summary
SUPOPS-1039 SEP Add Sep Client to Manager communication Fact
SUPOPS-1166 SPE Rename SPE CASPI to CSAPI
SUPOPS-1156 SymDiag WindowsFirewall1.Store RealmException: Realm accessed from incorrect thread
SUPOPS-1158 SymDiag OsBitLocker System.Management.ManagementException: Invalid namespace 
SUPOPS-1170 SymDiag Updating ScCmd causes SymDiag to exit with the exception: System.Runtime.InteropServices.SEHException

Build 3.0.46 (4/8/2024)

Issue key Component Summary
SUPOPS-1146 SEP Error or crash when viewing SEP Cloud policies or Cc Settings
SUPOPS-1153 SEP Improve sep 14.3 ru 5 detection and data collection
SUPOPS-1154 SymDiag Def Explorer view displays 'unable to display defs' error
SUPOPS-1151 SymDiag RealmException: Realm accessed from incorrect thread for SdArchive
SUPOPS-1152 SymDiag Exception: System.Runtime.InteropServices.SEHException
SUPOPS-1059 WSS Detect Web Gateway version from file wssad.exe

Build 3.0.45 (4/4/2024)

Initial release.

Powered by Wolken Software