Download SymDiag v3 Beta
search cancel

Download SymDiag v3 Beta


Article ID: 281571


Updated On:


Data Loss Prevention Endpoint Protection Endpoint Protection Cloud Protection Engine for NAS Protection Engine for Cloud Services Generic Non Product Support Portal Global Customer Assistance


Download and learn about SymDiag v3  the Symantec Diagnostic Tool — which identifies common issues, and gathers data and logs for support-assisted troubleshooting.


SymDiag for Windows v3 (3.0.48)

  1. Download SymDiag for Windows v3.
    Save the file to the Windows desktop.
  2. On the Windows desktop, double-click the SymDiagWin.exe icon.
  3. Follow the on-screen instructions to collect data.

Note: Requires Microsoft .NET 4.6.2 or greater.

SymDiag Viewer for Windows v3 (3.0.48)

  1. Download SymDiag Viewer for Windows v3.
    Save the file to the Windows desktop.
  2. On the Windows desktop, double-click the SymDiagViewer3.msi icon.
  3. Follow the on-screen instructions to install the SymDiag Viewer
  4. Double click on any *.sdz3 file and the file will be opened in the SymDiag Viewer v3
  5. If .Net v8 is not installed, when the SymDiag Viewer v3 runs it will prompt you to download and install .Net v8.

Note: Requires Microsoft .NET 8.

New features

What's new for SymDiag v3 for Windows?

  • Data collection can be up to 14 times faster.  The average collection time should be about 30 seconds.
  • Resolves v2 issues
  • The UI workflow and performance has been updated.
  • All data collection commands are multi-threaded with the ability to cancel a command after 90 seconds
  • Viewer, Database, and Archive tabs have been added
  • Reports have been redesigned as Facts
  • Product logging UI selections, logs and errors are displayed
  • The WPP logging options and filtering have been updated
  • The Command line options have been updated
  • The archive and database collections have been updated
  • All updates and fixes since v2.1.320.11285 (Released 10/31/2023) are in v3.

What's new for SymDiag v3 for Windows Viewer Tab?

  • Updated the display of product data
  • Updated the query UI
  • Updated the tree view for all products
  • SQLite databases are displayed as tables and columns with filtering capability
  • Files larger than 2 MB are displayed
  • New for Symantec Endpoint Protection
    • Logs are parsed in real-time and displayed similar to SEP UI
    • Exceptions output has been updated
    • Names and data have been synchronized with SEP UI
    • All NTR data is grouped within the SEP views
    • NTR .stats file is displayed as a SQLite database
    • The output from checking the SEP and SEPM URLs is displayed
  • New for Web Security Service
    • Product data is grouped by the installed product
    • The .stats file is displayed as a SQlite database
    • The Web Gateway’s event logs are displayed
  • New for Data Loss Prevention
    • Google and Edge DLP Browser extension Fact
    • An immediate error is given when entering an incorrect Enforce database password
    • Captures WinCap or Npcap directory and logs
    • Updated product detection
  • New for Symantec Enterprise Agent
    • Collects BASH, IPS and IRON files
    • Displays log entries
    • Collects all RocksDb files
  • New for Protection Engine
    • Supports v9

What's new for SymDiag v3 for Windows Viewer

  • .Net v8.0 application
  • The v2 and v3 Viewers can be installed together.  The v2 Viewer will only display v2 (.sdbz) files and the v3 Viewer will only display v3 (.sdz3) files.
  • Includes all of the viewing capability of SymDiag for Windows
  • Updated data collection version check
  • Includes the latest LogJoint for rich log viewing
  • Initial Facts editor with examples

Issues resolved in SymDiag v2 for Windows

  • Slow data collection
  • Database is locked error
  • Data collection hangs
  • Large file collections can fail
  • Runs out of memory while collecting some database data
  • UI is slow or stops responding
  • WPP logging errors are not displayed when they happen
  • Windows 64bit OS data may not be collected
  • Viewer will not display files that are larger than 2MB
  • Viewer is slow to open when a large number of file contents have been stored in the database
  • Data is stored in multiple formats
  • Old Windows UI folder selector

What SymDiag v2 for Windows features will not be included?

  • Malware detection and removal as it is no longer under development
  • Language Support
  • License Overview
  • Resources section
  • Real time display of cpu and memory
  • Wolken integration
  • Facts linking to KBs
  • The following reports will not be in v3
    • Latest Version
    • System Requirements
    • Security Advisories

Supported products

These are the initial products that are supported.  Additional v2 products will be added in the future:

  • Data Loss Prevention 11.0 and later Agent, Enforce, and Detection Servers
  • Endpoint Protection 14.0 and later Agent and Console
  • Endpoint Protection Cloud
  • Enterprise Agent
  • Protection Engine Agent and Console
  • Web Gateway
  • Web Security Service Agent
  • Web Security Service
  • Web Gateway

SymDiag command line

The command line format has been updated. An action will start with ‘sd-x’ where x is the action to take.  An action can have options and arguments.  An argument is denoted by 2 dashes: ‘-- ‘.  Spaces delimit options and arguments.  If spaces are needed in the option or argument, then quotes are put around the option or argument.

Command Details

-?, -h, --help


sd-base <DIR>

  • The directory in which all SymDiag generated files and directories will be created.
  • Example: sd-base c:\basedir
sd-collect <ProductShortName(s)> A comma delimited list of product shortnames to collect data for if the product is detected. If specified, then data is not collected for unlisted detected products.
sd-dest --dir <DIR> --file <FILE>
  • Set the destination directory and/or file and skips file save in ui
  • Example to set output directory only: sd-dest --dir c:\outputdir
sd-log <TYPE>

Creates the type of log file and all others in this order (PPPP indicates a pid number):

  • sfx: Logs self-extractor operations in a file with the name SymDiag.SdSfxPPPP.log with cert and log types
  • cert: Logs the certificate checking in a file with the name SymDiag.CertPPPP.log with log type
  • log: Logs the SymDiag operations in a file with the name <COMPUTER>__<YEAR>-<MONTH>-<DAY>__HH-MM-SS.log. If the SymDiag.PPPP.log exists, it is renamed to the log file name.
  • Example: sd-log log
sd-open <FILE>
  • Open the file
  • Example: sd-open “c:\data\file.sdz3”
  • Does not check for an update
  • Example: sd-noup
sd-s Run silently
  • Will run SymDiag silently
  • Example: sd-s

Example command line with multiple options to set the base dir, output dir and SymDiag logging:

sd-base c:\basedir sd-dest --dir "c:\output dir" sd-log log


Product short names

Short Name

Product Name


Data Loss Prevention Agent


Data Loss Prevention Detection


Data Loss Prevention Enforce


Enterprise Agent


Protection Engine Server


Protection Engine Console


Endpoint Protection Agent


Endpoint Protection Console


Web Security Service Agent


Web Gateway


Web Security Service

Files and directories created by SymDiag

SymDiag uses a base directory, which can be set by the command line option sd-base.  Within that base directory, SymDiag creates files and directories.  The file name’s format is: [computer name]__yyyy-mm-dd__hh-mm-ss.

If the sfx or cert argument is provide to the sd-log command, then a SymDiag.PPPPP.log where PPPPP is the initial pid is created.  Once SymDiag starts running, if the SymDiag.PPPP.log exists, it is renamed to [computer name]__yyyy-mm-dd__hh-mm-ss.log.





Log of the self-extractor operations and/or the certificate checks prior to SymDiag starting


Log of SymDiag's operation


Mongo Realm database file


Mongo Realm database lock file


SymDiag archive file


In the base directory, the following directories are created (PPPP is a common pid):




Mongo Realm’s directory


SymDiag's self-extractor extracts the SymDiag files to this directory


Directory that is used for creating temporary files while SymDiag is running


As files are archived, numbered directories are created and the files are compressed into them before being written into the archive


If SymDiag is rebooting the computer, then various state files are written to this directory


If product logging is running, then separate directories are used for each product and log type


Frequently asked questions

Q: Why is the performance slower than expected?

  • Data collection will be slower on systems with less than 4 CPUs as compared to systems with 4 or more CPUs. The fastest collection times are when the number of active commands are 50%-75% of the virtual CPUs. The number of active commands defaults to 50% of the virtual CPUs.

    This is set in the Scan Options by selecting the number of active commands.

  • Memory usage above 50% before SymDiag runs can increase the data collection time. This is due to the large number of objects that are created, saved to the database and then released.  

Q: How do I extract the files from the .sdz3 file?

  • The .sdz3 file uses a Zip format.  The initial .sdz3 file will have 1 file with the same name.  This file can be extracted using a Zip program.  The files within the extracted .sdz3 have been compressed using LZ4, which most Zip programs do not support.

    You will need to use SymDiagWin, SymDiag Viewer, or an application that supports LZ4 compression.

Release Notes

Build 3.0.48 (4/29/2024)

Issue key Component Summary
SUPOPS-1159 DLP DbJdbc ArgumentException: Object of type 'System.DBNull' cannot be converted to type 'System.DateTimeOffset'
SUPOPS-1165 SEP Enabling product logging for sep with ntr results in a blank reproduce screen
SUPOPS-1007 SEP Update sep agent and console url checks for latest version
SUPOPS-1172 SEP Sep14.3 RU8 exceptions are not displayed
SUPOPS-819 SPE Spe Server 9 has new logging options
SUPOPS-777 SymDiag [14.3-RU8 and above][SDBZ] For GEH policy in PMS, please collect Client and Server node
SUPOPS-1183 SymDiag Save decryption information in a file so that files can be decrypted without the database
SUPOPS-1070 Viewer Viewer shortcut path is incorrect to launch it
SUPOPS-1185 Viewer Opening a .sdz3 with no database file the UI is stuck at the 'extracting database file' modal
SUPOPS-1182 Viewer Viewer can display and extract files without the database file

Build 3.0.47 (4/15/2024)

Issue key Component Summary
SUPOPS-1039 SEP Add Sep Client to Manager communication Fact
SUPOPS-1156 SymDiag WindowsFirewall1.Store RealmException: Realm accessed from incorrect thread
SUPOPS-1158 SymDiag OsBitLocker System.Management.ManagementException: Invalid namespace 
SUPOPS-1170 SymDiag Updating ScCmd causes SymDiag to exit with the exception: System.Runtime.InteropServices.SEHException

Build 3.0.46 (4/8/2024)

Issue key Component Summary
SUPOPS-1146 SEP Error or crash when viewing SEP Cloud policies or Cc Settings
SUPOPS-1153 SEP Improve sep 14.3 ru 5 detection and data collection
SUPOPS-1154 SymDiag Def Explorer view displays 'unable to display defs' error
SUPOPS-1151 SymDiag RealmException: Realm accessed from incorrect thread for SdArchive
SUPOPS-1152 SymDiag Exception: System.Runtime.InteropServices.SEHException
SUPOPS-1059 WSS Detect Web Gateway version from file wssad.exe

Build 3.0.45 (4/4/2024)

Initial release.