SymDiag for Windows v3 (3.0.48)
- Download SymDiag for Windows v3.
Save the file to the Windows desktop.
- On the Windows desktop, double-click the SymDiagWin.exe icon.
- Follow the on-screen instructions to collect data.
Note: Requires Microsoft .NET 4.6.2 or greater.
SymDiag Viewer for Windows v3 (3.0.48)
- Download SymDiag Viewer for Windows v3.
Save the file to the Windows desktop.
- On the Windows desktop, double-click the SymDiagViewer3.msi icon.
- Follow the on-screen instructions to install the SymDiag Viewer
- Double-click any *.sdz3 file to open it in the SymDiag Viewer v3
- If .NET 8 is not installed, the SymDiag Viewer v3 prompts you to download and install it the first time it runs.
Note: Requires Microsoft .NET 8.
New features
What's new for SymDiag v3 for Windows?
- Data collection can be up to 14 times faster. The average collection time should be about 30 seconds.
- Resolves v2 issues
- The UI workflow and performance have been updated.
- All data collection commands are multi-threaded with the ability to cancel a command after 90 seconds
- Viewer, Database, and Archive tabs have been added
- Reports have been redesigned as Facts
- Product logging UI selections, logs and errors are displayed
- The WPP logging options and filtering have been updated
- The Command line options have been updated
- The archive and database collections have been updated
- All updates and fixes since v2.1.320.11285 (Released 10/31/2023) are in v3.
What's new for SymDiag v3 for Windows Viewer Tab?
- Updated the display of product data
- Updated the query UI
- Updated the tree view for all products
- SQLite databases are displayed as tables and columns with filtering capability
- Files larger than 2 MB are displayed
- New for Symantec Endpoint Protection
- Logs are parsed in real-time and displayed similar to SEP UI
- Exceptions output has been updated
- Names and data have been synchronized with SEP UI
- All NTR data is grouped within the SEP views
- NTR .stats file is displayed as a SQLite database
- The output from checking the SEP and SEPM URLs is displayed
- New for Web Security Service
- Product data is grouped by the installed product
- The .stats file is displayed as a SQlite database
- The Web Gateway’s event logs are displayed
- New for Data Loss Prevention
- Google and Edge DLP Browser extension Fact
- An immediate error is given when entering an incorrect Enforce database password
- Captures the WinPcap or Npcap directory and logs
- Updated product detection
- New for Symantec Enterprise Agent
- Collects BASH, IPS and IRON files
- Displays log entries
- Collects all RocksDb files
- New for Protection Engine
What's new for SymDiag v3 for Windows Viewer
- .Net v8.0 application
- The v2 and v3 Viewers can be installed together. The v2 Viewer will only display v2 (.sdbz) files and the v3 Viewer will only display v3 (.sdz3) files.
- Includes all of the viewing capability of SymDiag for Windows
- Updated data collection version check
- Includes the latest LogJoint for rich log viewing
- Initial Facts editor with examples
Issues resolved in SymDiag v2 for Windows
- Slow data collection
- Database is locked error
- Data collection hangs
- Large file collections can fail
- Runs out of memory while collecting some database data
- UI is slow or stops responding
- WPP logging errors are not displayed when they happen
- Windows 64bit OS data may not be collected
- Viewer will not display files that are larger than 2MB
- Viewer is slow to open when a large number of file contents have been stored in the database
- Data is stored in multiple formats
- Old Windows UI folder selector
What SymDiag v2 for Windows features will not be included?
- Malware detection and removal as it is no longer under development
- Language Support
- License Overview
- Resources section
- Real time display of cpu and memory
- Wolken integration
- Facts linking to KBs
- The following reports will not be in v3
- Latest Version
- System Requirements
- Security Advisories
Supported products
These are the initial products that are supported. Additional v2 products will be added in the future:
- Data Loss Prevention 11.0 and later Agent, Enforce, and Detection Servers
- Endpoint Protection 14.0 and later Agent and Console
- Endpoint Protection Cloud
- Enterprise Agent
- Protection Engine Agent and Console
- Web Gateway
- Web Security Service Agent
- Web Security Service
SymDiag command line
The command line format has been updated. An action starts with 'sd-x', where x is the action to take. An action can have options and arguments. Option names start with two dashes (for example --dir) and are followed by their value. Spaces delimit actions, options and arguments, so an option value or argument that itself contains spaces must be wrapped in double quotes.
-?, -h, --help
- Display the command line help
sd-base <DIR>
- The directory in which all SymDiag generated files and directories will be created.
- Example: sd-base c:\basedir
sd-collect <ProductShortName(s)>
- A comma delimited list of product short names (see the table below) to collect data for, if the product is detected. If specified, data is not collected for detected products that are not listed.
sd-dest --dir <DIR> --file <FILE>
- Set the destination directory and/or file name and skip the file save prompt in the UI.
- Example to set the output directory only: sd-dest --dir c:\outputdir
sd-log <TYPE>
- Creates the named type of log file and every type listed after it, in this order (PPPP is a pid number):
- sfx: Logs the self-extractor operations in a file named SymDiag.SdSfxPPPP.log; also creates the cert and log types
- cert: Logs the certificate checks in a file named SymDiag.CertPPPP.log; also creates the log type
- log: Logs the SymDiag operations in a file named <COMPUTER>__<YEAR>-<MONTH>-<DAY>__HH-MM-SS.log. If SymDiag.PPPP.log exists, it is renamed to this log file name.
- Example: sd-log log
sd-open <FILE>
- Open the file
- Example: sd-open "c:\data\file.sdz3"
sd-noup
- Do not check for an update
- Example: sd-noup
sd-s
- Run SymDiag silently
- Example: sd-s
Example command line with multiple options to set the base dir, output dir and SymDiag logging:
sd-base c:\basedir sd-dest --dir "c:\output dir" sd-log log
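As an added example (not SymDiag's own code), the following Python builds a SymDiag command line under the rules above, validates sd-collect short names against the short name table below, and can launch SymDiagWin.exe. The path to SymDiagWin.exe is whatever the caller passes; the meaning of its exit code is not documented on this page, so treating it as anything more than "the process ended" is an assumption.

```python
"""Build and launch a SymDiag v3 command line.

Added example, not part of SymDiag. Encodes the page's rules: space-delimited
actions and options, double quotes around any value containing spaces, a comma
delimited sd-collect list, and the sd-log types sfx, cert and log.
"""
import subprocess
from typing import Iterable, List

# Product short names accepted by sd-collect (from the short name table on the page).
PRODUCT_SHORT_NAMES = {
    "DlpAgent", "DlpDetection", "DlpEnforce", "Sea", "SpeServer", "SpeConsole",
    "SepAgent", "SepConsole", "WssAgent", "WssBlade", "WssCloud",
}
LOG_TYPES = ("sfx", "cert", "log")


def sd_quote(value: str) -> str:
    """Apply SymDiag's quoting rule to one token.

    Tokens are space-delimited, so a value containing whitespace is wrapped in
    double quotes. The page documents no escape for an embedded double quote,
    so such values are rejected (assumption: there is no escape).
    """
    value = str(value)
    if '"' in value:
        raise ValueError(f"value may not contain a double quote: {value!r}")
    return f'"{value}"' if any(ch.isspace() for ch in value) else value


def unknown_short_names(names: Iterable[str]) -> List[str]:
    """Return the names that are not documented sd-collect short names."""
    return sorted(set(names) - PRODUCT_SHORT_NAMES)


def build_args(base_dir=None, dest_dir=None, dest_file=None, log=None,
               collect: Iterable[str] = (), open_file=None,
               silent=False, no_update=False) -> List[str]:
    """Return the SymDiag actions as an unquoted argument list."""
    collect = list(collect)
    bad = unknown_short_names(collect)
    if bad:
        raise ValueError(f"unknown product short name(s): {bad}")
    if log is not None and log not in LOG_TYPES:
        raise ValueError(f"sd-log type must be one of {LOG_TYPES}, got {log!r}")

    args: List[str] = []
    if base_dir:
        args += ["sd-base", base_dir]
    if collect:
        args += ["sd-collect", ",".join(collect)]   # comma delimited, no spaces
    if dest_dir or dest_file:
        args.append("sd-dest")
        if dest_dir:
            args += ["--dir", dest_dir]
        if dest_file:
            args += ["--file", dest_file]
    if log:
        args += ["sd-log", log]
    if open_file:
        args += ["sd-open", open_file]
    if no_update:
        args.append("sd-noup")
    if silent:
        args.append("sd-s")
    return args


def command_line(exe: str, **options) -> str:
    """Render the full command line as one string using SymDiag's quoting rule."""
    return " ".join(sd_quote(part) for part in [exe, *build_args(**options)])


def run_symdiag(exe: str, **options) -> int:
    """Launch SymDiagWin.exe with the given actions and return its exit code.

    Passing a list lets subprocess quote values containing spaces on Windows,
    which produces the same command line as command_line(). The page does not
    document exit codes, so callers should look for the .sdz3 output rather
    than trust the return value alone (assumption).
    """
    completed = subprocess.run([exe, *build_args(**options)], check=False)
    return completed.returncode


if __name__ == "__main__":
    # Reproduces the page's own multi-option example (exe name assumed).
    print(command_line("SymDiagWin.exe", base_dir=r"c:\basedir",
                       dest_dir=r"c:\output dir", log="log"))
```

For an unattended run, pass `silent=True` and `no_update=True` so SymDiag neither prompts for a save location nor contacts the update check, and set `dest_dir` to a directory that only the collecting account can read: the archive holds product logs and database contents.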
Product short names
Short Name | Product Name
DlpAgent | Data Loss Prevention Agent
DlpDetection | Data Loss Prevention Detection
DlpEnforce | Data Loss Prevention Enforce
Sea | Enterprise Agent
SpeServer | Protection Engine Server
SpeConsole | Protection Engine Console
SepAgent | Endpoint Protection Agent
SepConsole | Endpoint Protection Console
WssAgent | Web Security Service Agent
WssBlade | Web Gateway
WssCloud | Web Security Service
Files and directories created by SymDiag
SymDiag uses a base directory, which can be set with the command line option sd-base. Within that base directory SymDiag creates the files and directories listed below. Files belonging to a run are named [computer name]__yyyy-mm-dd__hh-mm-ss plus the extension.
If the sfx or cert argument is given to the sd-log command, a SymDiag.PPPPP.log file (PPPPP is the initial pid) is created before SymDiag itself starts. Once SymDiag starts running, if that file exists it is renamed to [computer name]__yyyy-mm-dd__hh-mm-ss.log.
Extension | Type
SymDiag.PPPPP.log | Log of the self-extractor operations and/or the certificate checks made before SymDiag starts
.log | Log of SymDiag's operation
.realm | Mongo Realm database file
.realm.lock | Mongo Realm database lock file
.sdz3 | SymDiag archive file
In the base directory, the following directories are created (PPPP is a common pid):
Name | Purpose
[Name].realm.management | Mongo Realm's directory
SdSfxPPPP | SymDiag's self-extractor extracts the SymDiag files to this directory
TempPPPP | Directory used for temporary files while SymDiag is running
TempPPPP\Archive\x | As files are archived, numbered directories are created and the files are compressed into them before being written to the archive
TempPPPP\RebootState | If SymDiag is rebooting the computer, various state files are written to this directory
TempPPPP\TraceSessions\x | If product logging is running, a separate directory is used for each product and log type
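The following Python, an added example rather than SymDiag code, applies the naming rules above to inventory a base directory: it groups run files by [computer name]__yyyy-mm-dd__hh-mm-ss, reports whether each run produced its .sdz3 archive or still has its Realm database on disk, and lists pre-start SymDiag.PPPPP.log files and SdSfxPPPP / TempPPPP directories that were left behind. The directory it builds for the demo is constructed; reading "a .sdz3 exists" as "the run reached the archive step" is an assumption.

```python
"""Inventory a SymDiag v3 base directory by its documented file and directory names.

Added example, not part of SymDiag. Naming rules taken from the page:
  [computer name]__yyyy-mm-dd__hh-mm-ss + .log / .realm / .realm.lock / .sdz3
  [Name].realm.management            Mongo Realm's directory
  SymDiag.PPPPP.log                  pre-start log, renamed once SymDiag starts
  SdSfxPPPP, TempPPPP                per-pid working directories
"""
import re
import tempfile
from dataclasses import dataclass, field
from datetime import datetime
from pathlib import Path
from typing import Dict, List

RUN_RE = re.compile(
    r"^(?P<computer>.+?)__(?P<stamp>\d{4}-\d{2}-\d{2}__\d{2}-\d{2}-\d{2})"
    r"(?P<ext>\.realm\.management|\.realm\.lock|\.realm|\.log|\.sdz3)$"
)
PRESTART_LOG_RE = re.compile(r"^SymDiag\.(?P<pid>\d+)\.log$")
PID_DIR_RE = re.compile(r"^(?P<kind>SdSfx|Temp)(?P<pid>\d+)$")


@dataclass
class Run:
    computer: str
    started: datetime
    artifacts: Dict[str, Path] = field(default_factory=dict)  # extension -> path

    @property
    def archived(self) -> bool:
        """Assumption: a run that reached the archive step leaves a .sdz3 behind."""
        return ".sdz3" in self.artifacts

    @property
    def database_present(self) -> bool:
        """The Realm database holds the collected data until it is cleaned up."""
        return ".realm" in self.artifacts


@dataclass
class Inventory:
    runs: List[Run]
    prestart_logs: List[Path]   # SymDiag.PPPPP.log never renamed: SymDiag did not get started
    pid_dirs: List[Path]        # SdSfxPPPP / TempPPPP still on disk
    unrecognised: List[Path]    # anything SymDiag's naming rules do not explain


def inventory(base) -> Inventory:
    """Walk one level of the base directory and classify every entry."""
    runs: Dict[tuple, Run] = {}
    prestart, pid_dirs, other = [], [], []
    for path in sorted(Path(base).iterdir()):
        m = RUN_RE.match(path.name)
        if m:
            key = (m["computer"], m["stamp"])
            started = datetime.strptime(m["stamp"], "%Y-%m-%d__%H-%M-%S")
            run = runs.setdefault(key, Run(m["computer"], started))
            run.artifacts[m["ext"]] = path
        elif PRESTART_LOG_RE.match(path.name):
            prestart.append(path)
        elif path.is_dir() and PID_DIR_RE.match(path.name):
            pid_dirs.append(path)
        else:
            other.append(path)
    return Inventory(sorted(runs.values(), key=lambda r: r.started), prestart, pid_dirs, other)


def demo() -> Inventory:
    """Build a constructed base directory (sample data, not real output) and inventory it."""
    base = Path(tempfile.mkdtemp(prefix="symdiag-demo-"))
    done = "HOST1__2024-04-29__10-15-30"          # a run that produced its archive
    for ext in (".log", ".realm", ".realm.lock", ".sdz3"):
        (base / (done + ext)).write_bytes(b"")
    (base / (done + ".realm.management")).mkdir()
    partial = "HOST1__2024-04-28__09-00-00"       # a run that never archived
    for ext in (".log", ".realm"):
        (base / (partial + ext)).write_bytes(b"")
    (base / "SymDiag.4321.log").write_bytes(b"")  # pre-start log never renamed
    (base / "Temp5678").mkdir()
    (base / "SdSfx5678").mkdir()
    return inventory(base)


if __name__ == "__main__":
    inv = demo()
    for run in inv.runs:
        print(f"{run.computer} {run.started:%Y-%m-%d %H:%M:%S} "
              f"archived={run.archived} database={run.database_present}")
    print("pre-start logs:", [p.name for p in inv.prestart_logs])
    print("pid dirs left:", [p.name for p in inv.pid_dirs])
```

A run with a database but no archive, or a pre-start log that was never renamed, is the signature of a collection that did not finish; the leftover .realm file and any .sdz3 archive contain the collected product data, so account for them before the base directory is shared or left on a multi-user host.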
Frequently asked questions
Q: Why is the performance slower than expected?
- Data collection is slower on systems with fewer than 4 CPUs than on systems with 4 or more. Collection is fastest when the number of active commands is 50%-75% of the number of virtual CPUs; the default is 50% of the virtual CPUs. This is set in the Scan Options by selecting the number of active commands.
- Memory usage above 50% before SymDiag runs can increase the data collection time, because of the large number of objects that are created, saved to the database and then released.
Q: How do I extract the files from the .sdz3 file?
- The .sdz3 file uses the Zip format. The outer .sdz3 file contains one file with the same name, which can be extracted with any Zip program. The files inside that extracted file have been compressed with LZ4, which most Zip programs do not support.
You will need to use SymDiagWin, the SymDiag Viewer, or an application that supports LZ4 compression.
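As an added example (not SymDiag code), this Python performs the first step described above with the standard library and then reports whether a generic Zip tool can go any further. The constructed sample archive, the LZ4 frame-magic check and the Zip-method check on the inner data are assumptions; the page only states that the inner files are LZ4 compressed and says nothing about how they are laid out.

```python
"""Unwrap a SymDiag v3 .sdz3 archive and check whether LZ4 support is needed.

Added example, not part of SymDiag. Documented on the page: the outer .sdz3 is a
Zip archive holding a single entry of the same name, and the files inside that
entry are LZ4 compressed. Everything about the inner layout is an assumption.
"""
import io
import zipfile
from typing import Tuple

LZ4_FRAME_MAGIC = bytes.fromhex("04224d18")   # LZ4 frame magic 0x184D2204, little-endian on disk
STANDARD_ZIP_METHODS = {zipfile.ZIP_STORED, zipfile.ZIP_DEFLATED,
                        zipfile.ZIP_BZIP2, zipfile.ZIP_LZMA}


def unwrap_outer(sdz3: bytes) -> Tuple[str, bytes]:
    """Step 1 (documented): open the outer Zip and return its single entry's name and bytes."""
    with zipfile.ZipFile(io.BytesIO(sdz3)) as zf:
        names = zf.namelist()
        if len(names) != 1:
            raise ValueError(f"expected exactly one entry in the outer .sdz3, found {len(names)}")
        return names[0], zf.read(names[0])


def classify_inner(blob: bytes) -> dict:
    """Step 2 (assumption): say what the inner data looks like and whether LZ4 is required.

    Two shapes are sniffed: a raw LZ4 frame, or a Zip container whose members use
    a compression method the standard library cannot decode.
    """
    if blob.startswith(LZ4_FRAME_MAGIC):
        return {"kind": "lz4-frame", "needs_lz4": True, "members": []}
    if blob.startswith(b"PK"):
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            members = [(zi.filename, zi.compress_type) for zi in zf.infolist()]
        non_standard = [name for name, method in members if method not in STANDARD_ZIP_METHODS]
        return {"kind": "zip", "needs_lz4": bool(non_standard), "members": members}
    return {"kind": "unknown", "needs_lz4": False, "members": []}


def inspect_sdz3(sdz3: bytes) -> dict:
    """Unwrap the outer container and classify what is inside."""
    name, inner = unwrap_outer(sdz3)
    report = classify_inner(inner)
    report["inner_name"] = name
    report["inner_size"] = len(inner)
    return report


def constructed_sample(name: str = "HOST1__2024-04-29__10-15-30.sdz3") -> bytes:
    """Constructed stand-in for a real archive: outer Zip, one entry starting with an LZ4 frame header.

    The entry body is only the 4-byte magic, two descriptor bytes and filler; it is
    not a decodable LZ4 frame and exists solely to exercise the sniffing above.
    """
    inner = LZ4_FRAME_MAGIC + b"\x64\x40" + bytes(32)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, inner)
    return buf.getvalue()


if __name__ == "__main__":
    print(inspect_sdz3(constructed_sample()))
```

On a real archive, read the file with `open(path, "rb").read()` and pass it to `inspect_sdz3`; a report with `needs_lz4` set means the Viewer, SymDiagWin or an LZ4-capable tool is required for the next step, as the FAQ says.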
Release Notes
Build 3.0.48 (4/29/2024)
Issue key | Component | Summary
SUPOPS-1159 | DLP | DbJdbc ArgumentException: Object of type 'System.DBNull' cannot be converted to type 'System.DateTimeOffset'
SUPOPS-1165 | SEP | Enabling product logging for SEP with NTR results in a blank reproduce screen
SUPOPS-1007 | SEP | Update SEP agent and console URL checks for the latest version
SUPOPS-1172 | SEP | SEP 14.3 RU8 exceptions are not displayed
SUPOPS-819 | SPE | SPE Server 9 has new logging options
SUPOPS-777 | SymDiag | [14.3-RU8 and above][SDBZ] For GEH policy in PMS, please collect Client and Server node
SUPOPS-1183 | SymDiag | Save decryption information in a file so that files can be decrypted without the database
SUPOPS-1070 | Viewer | Viewer shortcut path is incorrect to launch it
SUPOPS-1185 | Viewer | Opening a .sdz3 with no database file leaves the UI stuck at the 'extracting database file' modal
SUPOPS-1182 | Viewer | Viewer can display and extract files without the database file
Build 3.0.47 (4/15/2024)
Issue key | Component | Summary
SUPOPS-1039 | SEP | Add SEP Client to Manager communication Fact
SUPOPS-1166 | SPE | Rename SPE CASPI to CSAPI
SUPOPS-1156 | SymDiag | WindowsFirewall1.Store RealmException: Realm accessed from incorrect thread
SUPOPS-1158 | SymDiag | OsBitLocker System.Management.ManagementException: Invalid namespace
SUPOPS-1170 | SymDiag | Updating ScCmd causes SymDiag to exit with the exception System.Runtime.InteropServices.SEHException
Build 3.0.46 (4/8/2024)
Issue key | Component | Summary
SUPOPS-1146 | SEP | Error or crash when viewing SEP Cloud policies or Cc Settings
SUPOPS-1153 | SEP | Improve SEP 14.3 RU5 detection and data collection
SUPOPS-1154 | SymDiag | Def Explorer view displays 'unable to display defs' error
SUPOPS-1151 | SymDiag | RealmException: Realm accessed from incorrect thread for SdArchive
SUPOPS-1152 | SymDiag | Exception: System.Runtime.InteropServices.SEHException
SUPOPS-1059 | WSS | Detect Web Gateway version from file wssad.exe
Build 3.0.45 (4/4/2024)
Initial release.