How to debug the Symantec Endpoint Protection client
Article ID: 151291

Products

Endpoint Protection, Network Access Control, Endpoint Security

Issue/Introduction

You want to know how to debug the Symantec Endpoint Protection (SEP) client, and the different types of debugging available.

Environment

Sylink debugging/logging applies to SEP 14 RU1 MP2 and earlier.

In 14.2 and later, communication module logging replaces Sylink logging. See:

Configuring Endpoint Protection Communication Module Logging in 14.2 and later

Resolution

The following optional settings enable more detailed logging of various components of the Symantec Endpoint Protection client. Before you enable any of them, you must first enable Symantec Management Client (SMC) debugging, described in the first section below.

 
Note:
You must restart the Symantec Management Client (SMC) service for any changes in debug logging to take effect. To stop and start the SMC service, enter the following commands from a command line interface, from Start Menu > Run, or from Start Menu > Search programs and files:

  • smc -stop
  • smc -start

 


Symantec Management Client (SMC) debugging

The default debug logging can be enabled with the following registry setting:

[HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC]
"smc_debuglog_on"=dword:00000001

NOTE: Tamper Protection is enabled by default on the Symantec Endpoint Protection client. Tamper Protection prevents you from editing the registry to enable debugging unless you first disable it or change it from Block and log the event to Log only. To adjust Tamper Protection settings, open the Symantec Endpoint Protection client user interface (GUI) and click Change Settings > Client Management > Configure Settings > Tamper Protection tab. If the administrator has locked Tamper Protection, you can still enable debugging through the GUI by using the instructions later in this document. Remember to set Tamper Protection back to Block and log the event when you have finished troubleshooting.

Enabling this debug logging creates a file called debug.log in the CurrentVersion\Data\Logs subfolder of the client's data directory under %ProgramData% (%AllUsersProfile% on older versions of Windows). For example, on Windows 7: C:\ProgramData\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\Logs.

The size of debug.log is limited to 256 KB by default. When it reaches this limit, the current log is renamed debug.log.bak and a new debug.log is started, so with the default limit the log can roll over in a short time and you can lose the events you were waiting for. You may need to raise the limit, for example to somewhere between 20,000 and 100,000 KB. To do so, add the Log subkey and the debug_log_filesize value:

[HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\Log]
"debug_log_filesize"=dword:00004e20

The value of debug_log_filesize is the maximum size, in KB, that debug.log can reach. The number is written in hexadecimal (0x4e20 = 20,000 KB). The client user interface allows at most 100,000 KB; if necessary, you can set a higher value here in the registry.

NOTE: The default location for the SMC.exe executable is %ProgramFiles%\Symantec\Symantec Endpoint Protection.

If needed, you can configure the granularity of the logging by creating two values in the registry.

[HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC]
"smc_debug_level"=dword:00000000
"smc_debug_log_level"=dword:00000000

smc_debug_level affects the logging of virus and spyware events:

  • 2 - system debugger
  • 4 - transaction logs
  • 6 - everything

 
smc_debug_log_level affects the logging of firewall events:

  • 0 - debug
  • 1 - info
  • 2 - warning
  • 3 - fatal

 
0 (debug, the most verbose) is the default value and is usually recommended for troubleshooting.

The above settings can also be configured from the client user interface using the following steps:

  1. Open the Symantec Endpoint Protection client user interface.
  2. Click Help > Troubleshooting > Debug Logs.
  3. Under Client Management, click Edit Debug Log Settings.
  4. Click the box next to Debug On, and then configure the settings.
  5. Click OK, and then click Close.

 
You must then restart the SMC service as noted above.

To view the debug log from the client user interface: 

  1. Open the Symantec Endpoint Protection user interface.
  2. Click Help > Troubleshooting > Debug Logs.
  3. Under Client Management, click View Log.

Sylink debugging

Sylink is the client component responsible for communication with the Symantec Endpoint Protection Manager (SEPM) server. The following debug setting is an alternative to running the SylinkWatcher/SylinkMonitor tool to log client-server communication.

To enable Sylink logging, follow these steps:

Note: You must first also enable default SMC debugging (described above).

  1. Open the Windows Registry Editor (regedit) and navigate to the following registry subkey:
    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\SMC\SYLINK\SyLink
  2. Click Edit > New > String Value.
  3. Name the new value DumpSylink.
  4. Double-click DumpSylink.
  5. In the Value data field, specify the name and location for the log file. For example, C:\Sylink.log would place the file Sylink.log at the root of the C: drive.
  6. Click Edit > New > DWORD
  7. Name the new value DumpSylinkLevel
  8. Double-click DumpSylinkLevel
  9. Change the Value data to 4 and click OK.
  10. Close the Registry Editor.
     

You must then restart the SMC service as noted above.
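The following PowerShell script is added here as a worked example; it is not part of the original article and not Symantec's own tooling. It applies the SMC debug settings from the Symantec Management Client (SMC) debugging section (smc_debuglog_on, the two verbosity values and debug_log_filesize) and, when run with -Sylink, the DumpSylink and DumpSylinkLevel values from this section, then restarts SMC and checks that debug.log is being written. It assumes an elevated session, that Tamper Protection has already been changed to Log only or disabled, and that the client's SMC key is either the path shown in the SMC section or the Wow6432Node path shown in step 1 above; it writes the Sylink values under whichever of those two keys exists, which is this script's assumption (the article shows only the Wow6432Node path). The Set-RegValue helper, the parameter names and the default verbosity values are this script's own choices.

```powershell
# Added example, not from the Symantec article: turn on SMC debug logging (and optionally
# Sylink dumping), raise the debug.log size limit, restart SMC and confirm the log is written.
# Assumes: elevated PowerShell; Tamper Protection already set to "Log only" or disabled.
param(
    [int]$LogSizeKB     = 20000,        # debug_log_filesize is in KB; 20000 shows as 0x4e20 in regedit
    [int]$DebugLevel    = 6,            # smc_debug_level: 2 system debugger, 4 transaction logs, 6 everything
    [int]$DebugLogLevel = 0,            # smc_debug_log_level: 0 debug, 1 info, 2 warning, 3 fatal
    [switch]$Sylink,                    # also enable DumpSylink (SEP 14 RU1 MP2 and earlier only)
    [string]$SylinkDump = 'C:\Sylink.log'
)
$ErrorActionPreference = 'Stop'

# Use whichever SMC key exists on this client (assumption: one of these two paths).
$smcKey = @(
    'HKLM:\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC',
    'HKLM:\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\SMC'
) | Where-Object { Test-Path $_ } | Select-Object -First 1
if (-not $smcKey) { throw 'SMC registry key not found; is the SEP client installed?' }

function Set-RegValue {
    # Creates the key if needed and writes one value; a failure here is usually Tamper Protection.
    param([string]$Key, [string]$Name, $Value, [string]$Type)
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    try {
        New-ItemProperty -Path $Key -Name $Name -Value $Value -PropertyType $Type -Force | Out-Null
    } catch {
        throw "Could not write $Key\$Name ($($_.Exception.Message)). If this is access denied, Tamper Protection is probably still set to Block."
    }
}

# Core SMC debug switch and verbosity.
Set-RegValue $smcKey 'smc_debuglog_on'     1              'DWord'
Set-RegValue $smcKey 'smc_debug_level'     $DebugLevel    'DWord'
Set-RegValue $smcKey 'smc_debug_log_level' $DebugLogLevel 'DWord'

# Raise the 256 KB rollover limit; the Log subkey may not exist yet.
Set-RegValue "$smcKey\Log" 'debug_log_filesize' $LogSizeKB 'DWord'

if ($Sylink) {
    # String value = dump file path, DWORD level 4, as in the Sylink debugging steps.
    Set-RegValue "$smcKey\SYLINK\SyLink" 'DumpSylink'      $SylinkDump 'String'
    Set-RegValue "$smcKey\SYLINK\SyLink" 'DumpSylinkLevel' 4           'DWord'
}

# Restart SMC so the settings take effect. smc.exe is in the client install folder;
# if your policy requires a password to stop the client, smc -stop will prompt for it.
$smcExe = @(
    "$env:ProgramFiles\Symantec\Symantec Endpoint Protection\smc.exe",
    "${env:ProgramFiles(x86)}\Symantec\Symantec Endpoint Protection\smc.exe"
) | Where-Object { Test-Path $_ } | Select-Object -First 1
if (-not $smcExe) { throw 'smc.exe not found in the default install folders.' }
& $smcExe -stop
Start-Sleep -Seconds 5
& $smcExe -start
Start-Sleep -Seconds 5

# Confirm debug.log exists and is growing.
$log = Join-Path $env:ProgramData 'Symantec\Symantec Endpoint Protection\CurrentVersion\Data\Logs\debug.log'
if (Test-Path $log) {
    Get-Item $log | Select-Object FullName, Length, LastWriteTime
    Get-Content -Path $log -Tail 5
} else {
    Write-Warning "debug.log not found at $log; check Tamper Protection and that SMC restarted."
}
```

Run it once with `-Sylink` on a 14 RU1 MP2 or earlier client; on 14.2 and later omit the switch and use communication module logging instead. When troubleshooting is finished, set smc_debuglog_on back to 0, delete the DumpSylink value so the dump file stops growing, and restore Tamper Protection to Block and log the event.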

 


Extended TSE debugging

To enable extended TSE debugging for Network Threat Protection, follow these steps:

  1. Stop the SMC service. Click Start (or Start > Run) and enter smc -stop.
  2. Open the registry editor. Click Start (or Start > Run) and enter regedit.
  3. Navigate to the following registry subkey:
    HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\TSE
  4. If the following DWORD value does not exist, create it: ExtendedDebug
  5. Set the value data of ExtendedDebug to 1
  6. Start the SMC service. Click Start (or Start > Run) and enter smc -start.

 
Example from debug.log: 

01/25 16:46:17 [304:960] TSE extended debugging is turned on. Flag = 
01/25 16:48:43 [304:592] TSE2415: *********DROP PACKET*********
01/25 16:48:43 [304:592] TSE: SecurityRule = Block Local File Sharing
01/25 16:48:43 [304:592] TSE: ApplicationName = C:\WINNT\system32\ntoskrnl.exe
01/25 16:48:43 [304:592] TSE2417: *** DROP PACKET **
01/25 16:48:43 [304:592] ======== TsPacket ====== BA: 1 == protocol: 2 === === EtherII Packet=== len:92==== nic:0===== <mac_address> ---> ff-ff-ff-ff-ff-ff , protocol = 0x800 ===== IP Packet==== len:78==== <ipaddress> --> <ipaddress>, type: 0x11, Id: 2629, Frg: 0x0 ========= UDP datagram, len: 78==== <ipaddress> -> <ipaddress>:137 , DataLen: 5
01/25 16:48:43 [304:592] TSE2415: *********DROP PACKET********** 
01/25 16:48:43 [304:592] TSE: SecurityRule = Block and Log Unchecked IP Packets 
01/25 16:48:43 [304:592] TSE2417: *** DROP PACKET *** 
01/25 16:48:43 [304:592] ======== TsPacket ====== BA: 1 == protocol: 2 === === EtherII Packet=== len:74==== nic:0===== <macaddress> ---> <macaddress> , protocol = 0x800 ===== IP Packet==== len:60==== <ipaddress> --> <ipaddress>, type: 0x1, Id: 28535, Frg: 0x0 ===== ICMP Packet==== len:40==== , type: 0x8, Code: 0, Checksum: 0x5a3a
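Reading these records by eye gets tedious on a busy client. The following PowerShell script is an added example, not part of the article, that parses the DROP PACKET records from a debug.log written with ExtendedDebug=1 and summarises dropped flows per firewall rule. The sample log text embedded in it is constructed to match the format shown above, with documentation addresses substituted for the redacted ones. The function names ConvertFrom-TseDropLog and Get-TseDropSummary and the record field names are this script's own. The article shows only UDP and ICMP banners, so the script identifies the protocol from the IP header's type: field rather than from the layer-4 banner text.

```powershell
# Added example, not from the Symantec article: extract firewall DROP PACKET records from a
# SEP debug.log written with TSE ExtendedDebug=1 and summarise them per security rule.
param([string]$Path)   # optional real debug.log; without it the constructed sample below is parsed

# Constructed sample in the format shown in the article (RFC 5737 documentation addresses).
$sample = @'
01/25 16:48:43 [304:592] TSE2415: *********DROP PACKET*********
01/25 16:48:43 [304:592] TSE: SecurityRule = Block Local File Sharing
01/25 16:48:43 [304:592] TSE: ApplicationName = C:\WINNT\system32\ntoskrnl.exe
01/25 16:48:43 [304:592] TSE2417: *** DROP PACKET **
01/25 16:48:43 [304:592] ======== TsPacket ====== BA: 1 == protocol: 2 === === EtherII Packet=== len:92==== nic:0===== 00-11-22-33-44-55 ---> ff-ff-ff-ff-ff-ff , protocol = 0x800 ===== IP Packet==== len:78==== 192.0.2.10 --> 192.0.2.255, type: 0x11, Id: 2629, Frg: 0x0 ========= UDP datagram, len: 78==== 192.0.2.10 -> 192.0.2.255:137 , DataLen: 5
01/25 16:48:43 [304:592] TSE2415: *********DROP PACKET**********
01/25 16:48:43 [304:592] TSE: SecurityRule = Block and Log Unchecked IP Packets
01/25 16:48:43 [304:592] TSE2417: *** DROP PACKET ***
01/25 16:48:43 [304:592] ======== TsPacket ====== BA: 1 == protocol: 2 === === EtherII Packet=== len:74==== nic:0===== 00-11-22-33-44-55 ---> 00-aa-bb-cc-dd-ee , protocol = 0x800 ===== IP Packet==== len:60==== 198.51.100.7 --> 192.0.2.10, type: 0x1, Id: 28535, Frg: 0x0 ===== ICMP Packet==== len:40==== , type: 0x8, Code: 0, Checksum: 0x5a3a
'@

function ConvertFrom-TseDropLog {
    # Single pass over the log: a TSE2415 line opens a record, the SecurityRule and
    # ApplicationName lines fill it, and the TsPacket line completes and emits it.
    param([string[]]$Lines)
    $ipProto = @{ '0x1' = 'ICMP'; '0x6' = 'TCP'; '0x11' = 'UDP' }   # IP protocol numbers
    $cur = $null
    foreach ($line in $Lines) {
        if ($line -match '^(?<ts>\d\d/\d\d \d\d:\d\d:\d\d) \[\d+:\d+\] TSE2415:') {
            $cur = [ordered]@{ Time = $Matches.ts; Rule = $null; App = $null }
        }
        elseif ($null -eq $cur) { continue }                           # lines before the first record
        elseif ($line -match 'TSE: SecurityRule = (?<rule>.+?)\s*$')   { $cur.Rule = $Matches.rule }
        elseif ($line -match 'TSE: ApplicationName = (?<app>.+?)\s*$') { $cur.App  = $Matches.app }
        elseif ($line -match 'IP Packet==== len:(?<len>\d+)==== (?<src>[\d.]+) --> (?<dst>[\d.]+), type: (?<type>0x[0-9A-Fa-f]+)') {
            $cur.Src   = $Matches.src
            $cur.Dst   = $Matches.dst
            $cur.IPLen = [int]$Matches.len
            $key = $Matches.type.ToLower()
            $cur.Proto = if ($ipProto.ContainsKey($key)) { $ipProto[$key] } else { $key }
            # A destination port appears only in the UDP/TCP banner ("-> a.b.c.d:port"); ICMP has none.
            $cur.DstPort = if ($line -match '->\s*[\d.]+:(?<port>\d+)') { [int]$Matches.port } else { $null }
            [pscustomobject]$cur
            $cur = $null
        }
    }
}

function Get-TseDropSummary {
    # One row per firewall rule: number of drops and the distinct flows that hit it.
    param([object[]]$Records)
    $Records | Group-Object Rule | ForEach-Object {
        $flows = $_.Group | ForEach-Object {
            $f = "$($_.Proto) $($_.Src) -> $($_.Dst)"
            if ($null -ne $_.DstPort) { $f += ":$($_.DstPort)" }
            $f
        } | Sort-Object -Unique
        [pscustomobject]@{ Rule = $_.Name; Drops = $_.Count; Flows = ($flows -join '; ') }
    }
}

$lines   = if ($Path) { Get-Content -Path $Path } else { $sample -split "`r?`n" }
$records = @(ConvertFrom-TseDropLog -Lines $lines)
$records | Format-Table Time, Rule, Proto, Src, Dst, DstPort, App -AutoSize
Get-TseDropSummary -Records $records | Format-Table -AutoSize
```

Point it at the real file with `-Path "$env:ProgramData\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\Logs\debug.log"` once extended TSE debugging is on. If the summary shows a rule dropping traffic you expected to pass, the ApplicationName and destination port columns tell you which firewall rule to adjust; if a record never gets a TsPacket line, the log probably rolled over mid-record and the debug_log_filesize limit should be raised.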

 


AutoLocation 

This debug setting makes the Symantec Endpoint Protection client write AutoLocation switching information to the standard debug.log file.

[HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\Trident]
"AutoLocationDump"=dword:00000001  

(If the Trident registry key does not exist, then create it.)

Example from debug.log: 

05/07 16:31:33 [916:828]  ***** AL begin get wins ip *****
05/07 16:31:33 [916:828] ***** AL begin get DNS ip
05/07 16:31:33 [916:828] ***** AL DNS Ip : <ipaddress>
05/07 16:31:33 [916:828] ***** AL begin get gateway ip
05/07 16:31:33 [916:828] ***** AL begin get local ip and dhcp ip
05/07 16:31:33 [916:828] ***** AL local ip : <ipaddress>
05/07 16:31:33 [916:828] ***** AL DHCP ip : <ipaddress>
05/07 16:31:33 [916:828] ***** AL Dhcp ip :<ipaddress> Mac :00-00-00-00-00-00
05/07 16:31:33 [916:828]  ***** AL begin get dns name *****

 


Host Integrity

Host Integrity checks are performed on the client by a JavaScript file included in the policies downloaded from the Symantec Endpoint Protection Manager. Normally this script is deleted once the Host Integrity check completes, but setting the following registry value keeps the file so that you can review the script when troubleshooting.

[HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC\SSHelper]
"EnableScriptDebug"=dword:00000001

The Host Integrity script file AVScript.js can now be found in the Symantec Endpoint Protection folder once Host Integrity has run.

 


802.1x

This debug setting helps isolate 802.1x EAP issues. The registry value causes 802.1x EAP information to be written to the standard debug.log file.

[HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC]
"EnableDebug802.1x"=dword:00000001