Endpoint Protection Log Collection for SymSubmit Submissions

Article ID: 409589

Products

Endpoint Protection Endpoint Security Endpoint Security Complete

Issue/Introduction

Symantec Endpoint Protection (SEP) Log Collection for SymSubmit Submissions

Resolution

If you choose File submission, please follow this section to collect the related details:

SEP Endpoint logs collection from the file system (only for SEP 14 and below)

To manually collect Symantec Endpoint Protection (SEP) logs from an endpoint, you need to navigate to the correct log file location on the machine and copy them. The primary location for SEP client logs is "C:\ProgramData\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\Logs". Within this folder, you'll find various log files, including: AVMan.log, CVE.log, CVE-actions.log, GUProxy.log, and LUMan.log, among others. Additionally, the system log file is located at "C:\ProgramData\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\Logs\syslog.log". 

Here's a step-by-step guide: 

  1. Locate the log directory: Open File Explorer and navigate to "C:\ProgramData\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\Logs".
  2. Identify and copy relevant logs:
    1. Scan logs can be found under "C:\ProgramData\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\Logs\".
    2. Look for the log file named AVMan.log.
    3. AVMan.log - Antivirus Management plug-in log (contains copies of all antivirus events). This log contains the details of the file that was detected as malicious.
    4. You can send this log over to Broadcom.
    5. In case you do not wish to send this file over to Broadcom for any reason, you can send the specific log entry for your submitted file from this file.
      1. Here is how you can get it:
      2. Open the log and search for your file name. Copy the whole string and paste it into the details box of the submit portal. If you have multiple files to submit, please send entries for each detection. The log string looks like this:
      3. 0000049c    01dbef2909b1ed4e    01dbef29038f9280    01dbef29038f9280    00000001    3706070A1611,51,1,2,AWI-SEP,Administrator,Backdoor.Ratenjay,C:\Users\Administrator\Downloads\13c5cabdb28c7d0a56631b45507340ccf4db9458f8fc448bf594cab8ae451030\13c5cabdb28c7d0a56631b45507340ccf4db9458f8fc448bf594cab8ae451030.exe,5,1,1,256,37748804,"",1751881556,,0,101    {4B58273F-6F90-4406-B521-41CC6064416C}    0    2                Backdoor.Ratenjay    1;0    0    0    eea2a391-097c-46d8-8597-cede2490c6c5    0,730333184,54578,0,0,0,,,0,,0,0,1,0,,{043367F3-ACD6-422E-9FA7-0727998DD223},,,,WORKGROUP,42:01:0A:E1:81:F9,14.3.12154.10000,,,,,,,,,,,,,,,,999,,c2f5bfbd-0266-441b-8a42-c61c33a116f0,730333184,,506        105472    2    13C5CABDB28C7D0A56631B45507340CCF4DB9458F8FC448BF594CAB8AE451030        127    127        127    0    0    13c5cabdb28c7d0a56631b45507340ccf4db9458f8fc448bf594cab8ae451030.exe    1    0    0,,1,,1,1,105,2,0,https://bazaar.abuse.ch/download/5bfd1afc61b984f9ae1e/,msedge.exe,1,127,0,,,,0,3706070A1611,0,,0,Default,100,,,,1099511627776,,0,,0,eyJoaWRfc3RhdHVzIjp7ImhpZF9hdWRpdF9tb2RlIjpmYWxzZSwiaGlkX2VuYWJsZWQiOnRydWV9LCJwb2xpY3kiOnsibmFtZSI6IkRlZmF1bHQgQW50aW1hbHdhcmUgUG9saWN5IiwidWlkIjoiMThhYjU5NTctZWIzNy00NmFjLWI0MzAtOTczNTA0ZWQyOGNlIiwidmVyc2lvbiI6IjI2In19,
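To show how the AVMan.log entry for a submitted file can be located and read out before it is pasted into the portal, here is an added Python example; it is not Broadcom's code and not part of this article. It assumes AVMan.log lines are tab-separated (or, when copied from a web page or ticket, separated by runs of spaces), that the sixth column is the comma-separated risk record whose leading fields are time, event, category, logger, computer, user, risk name and file path, that a 64-hex-digit column carries the file's SHA-256, and that the trailing column is a base64-encoded JSON policy blob. The hex timestamp decoding is also an assumption about the format. The sample log text, host name, user, hash, GUIDs and file path are constructed.

```python
"""Locate and summarise the AVMan.log entry for a submitted file.

Added example, not Broadcom's code. The column layout is an assumption
drawn from the entry shown above: tab-separated columns, the sixth being
a comma-separated risk record. The sample log below is constructed.
"""
import base64
import csv
import json
import re
from datetime import datetime

# Leading fields of the comma-separated risk record (assumed layout).
RISK_FIELDS = ["time", "event", "category", "logger", "computer",
               "user", "risk", "path"]

HEX_SHA256 = re.compile(r"[0-9A-Fa-f]{64}")

# Constructed sample: one detection line plus an unrelated scan line. The
# policy blob at the end is base64-encoded JSON, as in real entries.
_POLICY_BLOB = base64.b64encode(
    json.dumps({"policy": {"name": "Default Antimalware Policy",
                           "version": "1"}}).encode()).decode()
SAMPLE_AVMAN_LOG = (
    "00000001\t01dbef2909b1ed4e\t01dbef29038f9280\t01dbef29038f9280\t00000001\t"
    "3706070A1611,51,1,2,EXAMPLE-HOST,analyst,Trojan.Gen.Example,"
    "C:\\Users\\analyst\\Downloads\\sample.exe,5,1,1,256,37748804,\"\",1751881556,,0,101\t"
    "{00000000-0000-0000-0000-000000000001}\t0\t2\tTrojan.Gen.Example\t1;0\t"
    + "DEADBEEF" * 8 + "\tsample.exe\t" + _POLICY_BLOB + "\n"
    "00000002\t01dbef2909b1ed4f\t01dbef29038f9281\t01dbef29038f9281\t00000001\t"
    "3706070A1700,1,2,2,EXAMPLE-HOST,analyst,,,0,0,0,0,0,\"Scan started\",0,,0,0\n"
)


def split_columns(line):
    """Split a log line into columns.

    Real files use tabs; text pasted from a web page or ticket often has
    the tabs collapsed into runs of spaces, so fall back to those.
    """
    if "\t" in line:
        return line.rstrip("\r\n").split("\t")
    return re.split(r" {2,}", line.strip())


def decode_sep_time(hex_time):
    """Decode the 12-hex-digit timestamp field (assumed layout: one byte
    each for years since 1970, zero-based month, day, hour, minute, second)."""
    y, mo, d, h, mi, s = (int(hex_time[i:i + 2], 16) for i in range(0, 12, 2))
    return datetime(1970 + y, mo + 1, d, h, mi, s)


def find_entries(log_text, file_name):
    """Return every line mentioning the submitted file name (case-insensitive)."""
    needle = file_name.lower()
    return [ln for ln in log_text.splitlines() if needle in ln.lower()]


def parse_avman_entry(line):
    """Summarise one AVMan.log detection line for a submission ticket."""
    cols = split_columns(line)
    # csv handles the quoted description field, which may itself contain commas.
    risk_record = next(csv.reader([cols[5]]))
    summary = dict(zip(RISK_FIELDS, risk_record))
    summary["detected_at"] = decode_sep_time(summary["time"])
    summary["sha256"] = next((c for c in cols if HEX_SHA256.fullmatch(c)), None)
    try:
        summary["policy"] = json.loads(base64.b64decode(cols[-1], validate=True))
    except ValueError:  # not every line ends with a policy blob
        summary["policy"] = None
    summary["raw"] = line  # the whole string to paste into the portal
    return summary


if __name__ == "__main__":
    for entry in find_entries(SAMPLE_AVMAN_LOG, "sample.exe"):
        s = parse_avman_entry(entry)
        print(f"{s['detected_at']} {s['computer']}/{s['user']}: "
              f"{s['risk']} at {s['path']} sha256={s['sha256']}")
```

Run it against a real AVMan.log by reading the file into `find_entries` with the submitted file name; the `raw` field of each result is the complete string the portal asks for, and the SHA-256 lets you confirm the entry really belongs to the file you are submitting rather than another file with the same name.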

 

===============================================================================================

SEP Endpoint logs collection from the GUI

Logs contain records about client configuration changes, security-related activities, and errors. These records are called events. The logs display these events with any relevant additional information. Security-related activities include information about virus detections, computer status, and the traffic that enters or exits the client computer.

To manually collect Symantec Endpoint Protection (SEP) logs from an endpoint GUI, you need to launch the SEP from the taskbar or from the program menu and go to the logs option, and export the logs from the GUI.

Here's a step-by-step guide with Screenshots for SEP 14 and below: 

  1. Launch the SEP GUI from the taskbar or the Program menu.
  2. For file detections:
    A. Navigate to the Logs option and click on "View Logs" for "Virus and Spyware Protection".
    B. Click on "Risk Log".
    C. Once the Risk Log opens, click on Export, save the exported file onto the disk, and send it to Broadcom.
  3. If your detections have keywords like "SONAR":
    A. Navigate to the Logs option, click on "View Logs" for "Virus and Spyware Protection", and click on "Threat Log".
    B. Once the Threat Log opens, click on Export, save the exported file onto the disk, and send it to Broadcom.

Here's a step-by-step guide with Screenshots for SEP 16:

  1. Launch the SEP GUI from the taskbar or the Program menu.
  2. For file detections:
    A. Click on the "Information" icon in the GUI.
    B. Click on "Logs".
    C. From the drop-down, choose "Security Log".
    D. Click on Export, save the exported file onto the disk, and send it to Broadcom.

==============================================================================================

SEP Endpoint logs collection from the command line

For SEP 14 and below

To collect SEP (Symantec Endpoint Protection) logs using smc.exe, you can utilize the command smc -exportlog. This command triggers the client to gather and potentially package the logs, depending on how the system is configured.

Here's a more detailed breakdown:

  1. Locate smc.exe:
    1. The smc.exe executable is typically found in the Symantec Endpoint Protection installation directory, often located at "C:\Program Files\Symantec\Symantec Endpoint Protection".
  2. Open Command Prompt as Administrator:
    1. You'll need to run the command prompt with elevated privileges to execute the command successfully.
  3. Execute the command:
    1. smc -exportlog 0 0 -1 C:\temp\SystemLog
    2. This exports the System log (log type 0; the start index 0 and end index -1 select all entries) and saves the file in .txt format.
    3. Send this exported file to Broadcom.

For Carbon Black

  1. Launch CMD.exe.
  2. Run this command to collect the logs (the path contains spaces, so quote it):
    1. "C:\Program Files\Confer\repcli.exe" capture <FolderPath>
    2. e.g. "C:\Program Files\Confer\repcli.exe" capture c:\temp
  3. Collect the output file and upload it.

     

==============================================================================================

If you choose URL submission, please follow this section to collect the related details:

SEP Endpoint logs collection from the file system (only for SEP 14 and below)

To manually collect Symantec Endpoint Protection (SEP) logs from an endpoint, you need to navigate to the correct log file location on the machine and copy them. The primary location for SEP client logs is "C:\ProgramData\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\Logs". Within this folder, you'll find various log files, including: AVMan.log, CVE.log, CVE-actions.log, GUProxy.log, and LUMan.log, among others. Additionally, the system log file is located at "C:\ProgramData\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\Logs\syslog.log".

Here's a step-by-step guide:

  1. Locate the log directory: Open File Explorer and navigate to "C:\ProgramData\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\Logs".
  2. Identify and copy relevant logs:
    1. Scan logs can be found under "C:\ProgramData\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\Logs\".
    2. Look for the log file named seclog.log.
    3. seclog.log - WebPulse and IPS events. This log contains the details of the URL that was detected as malicious.
    4. You can send this log over to Broadcom.
    5. In case you do not wish to send this file over to Broadcom for any reason, you can send the specific log entry for your submitted file from this file.
      1. Here is how you can get it:
      2. Open the log and search for your URL. Copy the whole string and paste it into the details box of the submit portal. If you have multiple URLs to submit, please send entries for each detection. The log string looks like this:
      3. 00000cbf    01dbef2bf0f499f3    000000f9    00000003    f981e10a    00000000    00000001    00000001    00000002    01dbef2be12742b3    01dbef2be12742b3    00000001    00000a00    [SID: 60501] URL reputation: Browser navigation to known bad URL attack blocked. Traffic has been blocked for this application: C:\Program Files\Google\Chrome\Application\chrome.exe        C:\Program Files\Google\Chrome\Application\chrome.exe    ...                                            Default    USER    <hostname>    0000ec55    00000000    00000002    00000002    00000000    00000000    00000000000000000000000000000000    00000000000000000000000000000000    URL reputation: Browser navigation to known bad URL    http://xx.xx.xx.xx/02.xx.2022.exe            14.3.12154.10000        00000001            00000064    00000000    43
      4. The most important detail we need to process the URL correctly is the SID number. You can find it in the logs inside square brackets, e.g. [SID: 60501].
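To show how the seclog.log entries for a submitted URL can be located and the SID read out of them, here is an added Python example; it is not Broadcom's code and not part of this article. It assumes the entry's columns are tab-separated (or runs of spaces when pasted from a page or ticket), that one column begins with the bracketed SID followed by the IPS or URL-reputation message, and that the blocked URL and the application path appear as columns of the same entry. The sample log text, host name, application path and URLs (documentation addresses) are constructed; the SID 60501 is the one shown in the entry above, and 12345 is a placeholder.

```python
"""Find the seclog.log entries for a submitted URL and pull out the SID.

Added example, not Broadcom's code. The column layout is assumed from the
entry shown above; the sample log below is constructed.
"""
import re

SID_RE = re.compile(r"\[SID:\s*(\d+)\]")
URL_RE = re.compile(r"https?://\S+")
APP_RE = re.compile(r"blocked for this application:\s*(.+)$")

# Constructed sample: two IPS block entries for different URLs and one
# status entry that carries no SID at all.
SAMPLE_SECLOG = (
    "00000cbf\t01dbef2bf0f499f3\t000000f9\t00000003\tf981e10a\t00000000\t00000001\t"
    "[SID: 60501] URL reputation: Browser navigation to known bad URL attack blocked. "
    "Traffic has been blocked for this application: C:\\Program Files\\Example\\browser.exe\t"
    "C:\\Program Files\\Example\\browser.exe\tDefault\tUSER\tEXAMPLE-HOST\t"
    "URL reputation: Browser navigation to known bad URL\thttp://198.51.100.7/update.exe\t"
    "14.3.12154.10000\t00000001\t00000064\t00000000\t43\n"
    "00000cc0\t01dbef2bf0f4a000\t000000f9\t00000003\tf981e10a\t00000000\t00000001\t"
    "[SID: 12345] Attack: Example Signature Name attack blocked. "
    "Traffic has been blocked for this application: C:\\Program Files\\Example\\browser.exe\t"
    "C:\\Program Files\\Example\\browser.exe\tDefault\tUSER\tEXAMPLE-HOST\t"
    "Attack: Example Signature Name\thttp://203.0.113.9/other.html\t14.3.12154.10000\n"
    "00000cc1\t01dbef2bf0f4b000\t000000f9\t00000003\tf981e10a\t00000000\t00000001\t"
    "Intrusion Prevention is enabled.\t\tDefault\tUSER\tEXAMPLE-HOST\n"
)


def split_columns(line):
    """Tabs in real files; runs of spaces when the text was pasted from a page."""
    if "\t" in line:
        return line.rstrip("\r\n").split("\t")
    return re.split(r" {2,}", line.strip())


def find_url_entries(log_text, url):
    """Every line that mentions the submitted URL (case-insensitive substring)."""
    needle = url.lower()
    return [ln for ln in log_text.splitlines() if needle in ln.lower()]


def summarize_entry(line):
    """Pick the SID, message, blocked application and URLs out of one entry."""
    cols = split_columns(line)
    msg_col = next((c for c in cols if SID_RE.match(c)), "")
    sid = SID_RE.match(msg_col)
    app = APP_RE.search(msg_col)
    return {
        "sid": sid.group(1) if sid else None,
        "message": SID_RE.sub("", msg_col, count=1).strip(),
        "application": app.group(1).strip() if app else None,
        "urls": URL_RE.findall(line),
        "raw": line,  # the whole string to paste into the portal
    }


def sids_for_url(log_text, url):
    """Distinct SIDs across all entries mentioning the URL (the detail the
    submission form asks for); empty if the URL was never blocked by IPS."""
    entries = map(summarize_entry, find_url_entries(log_text, url))
    return sorted({e["sid"] for e in entries if e["sid"]})


if __name__ == "__main__":
    for entry in find_url_entries(SAMPLE_SECLOG, "198.51.100.7"):
        e = summarize_entry(entry)
        print(f"SID {e['sid']}: {e['message']}")
        print(f"  app={e['application']} urls={e['urls']}")
```

When the same URL was blocked several times, `sids_for_url` collapses the repeats, so you can see at a glance whether one signature or several fired; an empty result means the string you searched for does not appear in an IPS block entry, which usually points at a different log (for instance AVMan.log for a downloaded file) rather than at a missing SID.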

     

SEP Endpoint logs collection from the GUI

Logs contain records about client configuration changes, security-related activities, and errors. These records are called events. The logs display these events with any relevant additional information. Security-related activities include information about virus detections, computer status, and the traffic that enters or exits the client computer.

To manually collect Symantec Endpoint Protection (SEP) logs from an endpoint GUI, you need to launch the SEP from the taskbar or from the Program menu, go to the Logs option, and export the logs from the GUI.

Here's a step-by-step guide with Screenshots for SEP 14 and below:

  1. Launch the SEP GUI from the taskbar or the Program menu.
  2. For file detections:
    A. Navigate to the Logs option, click on "View Logs" for "Virus and Spyware Protection", and click on "Security Log".
    B. Once the Security Log opens, click on File > Export, save the exported file onto the disk, and send it to Broadcom.
    C. The most important detail we need to process the URL correctly is the SID number. You can find it in the logs inside square brackets, e.g. [SID: 60501].

     

==============================================================================================

Here's a step-by-step guide with Screenshots for SEP 16:

  1. Launch the SEP GUI from the taskbar or the Program menu.
  2. For file detections:
    A. Click on the "Information" icon in the GUI.
    B. Click on "Logs".
    C. From the drop-down, choose "Security Log" and locate your block event. It should start with [SID: xxxxx].

     

==============================================================================================

SEP Endpoint logs collection from the command line

For SEP 14 and below

To collect SEP logs using smc.exe, you can utilize the command smc -exportlog. This command triggers the client to gather and potentially package the logs, depending on how the system is configured.

Here's a more detailed breakdown:

  1. Locate smc.exe:
    1. The smc.exe executable is typically found in the Symantec Endpoint Protection installation directory, often located at "C:\Program Files\Symantec\Symantec Endpoint Protection".
  2. Open Command Prompt as Administrator:
    1. You'll need to run the command prompt with elevated privileges to execute the command successfully.
  3. Execute the command:
    1. smc -exportlog 1 0 -1 C:\temp\SecLog
    2. This exports the Security log (log type 1; the start index 0 and end index -1 select all entries) and saves the file in .txt format.
    3. Send this exported file to Broadcom.