How to read / parse what the current definitions are on Symantec Endpoint Protection, and vdb, xdb and jdb
Last Updated November 17, 2014
You are trying to determine the Symantec Endpoint Protection (SEP) definition date from the registry, from the Windows event log, or from the virus definition file name itself (.vdb, .xdb or .jdb), but the value you see is not readily human-readable.
The value is a packed integer, displayed in hexadecimal, in which the year, month, day and revision occupy separate groups of bits. It has to be split into those bit fields before it can be read.
This is the C++ code that performs the decoding, where version is the packed value read from the registry or taken from the file name:
    Year     = (unsigned short)((version >> 18) + 1998);
    Month    = (unsigned short)((version >> 14) & 0x0f);
    Day      = (unsigned short)((version >> 9) & 0x1f);
    Revision = (unsigned short)(version & 0x1FF);
In other words, the low 9 bits are the revision, the next 5 bits are the day, the next 4 bits are the month, and everything from bit 18 upward is the number of years since 1998.
Using the Windows Calculator (scientific or programmer view):
1. Copy the hex value from HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\UsingPattern. In this example the value is 312e02 (hex).
2. Paste it into Calculator with Hex selected, then switch to Binary (Bin). You get 1100010010111000000010 (22 bits; Calculator drops leading zeros).
3. Copy the binary string into Notepad and split it into fields counting from the right: the 9 rightmost bits are the revision, the next 5 bits are the day, the next 4 bits are the month, and whatever remains on the left is the year offset. For this value that gives 1100 0100 10111 000000010.
4. Year: count 18 places from the right (the >> 18 in the C++) and keep what is left, 1100. Clear Calculator, paste 1100 in Bin mode, convert to Dec: 12. Add 1998: 2010.
5. Month: count 14 places from the right and take the next 4 bits, 0100. Bin to Dec: 4.
6. Day: count 9 places from the right and take the next 5 bits, 10111. Bin to Dec: 23.
7. Revision: take the 9 rightmost bits, 000000010. Bin to Dec: 2.
So the definitions are: 2010/4/23 Rev 2.
To decode a .jdb, .xdb or .vdb file name, remove the "vd" prefix and the file extension and convert the remaining six hex digits exactly as above (using Calculator).
The legacy VDB Date Decoder utility, DecodeVDB.exe, attached below, may also prove useful. Simply remove the "vd" prefix and the file extension, then enter the remaining characters into the tool.
For example, from the file vd413c25.jdb, enter 413c25 into the tool. The resulting output is human-readable: 4/30/2014 Rev.37
The "Defs Version" of an update, often displayed in the Windows event log, uses a different, date-based string (for example 160430b, where 160430 is the date as YYMMDD and the trailing letter is the revision). It can most easily be translated into a fully human-readable form by searching symantec.com. For example, searching for site:symantec.com 160430b returns several hits that bring up the relevant Certified Definitions page, which displays the corresponding date and other details.
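The same decoding, as an added Python example (this is not code from the original article or from Symantec): it implements the C++ bit formula above, accepts the value either as the hex string shown by regedit for AV\UsingPattern or as a vd*.vdb/xdb/jdb file name, round-trips it through an encoder for checking, and rejects decodes that cannot be a real date, which is what you see when the wrong registry value or a mistyped hex string is fed in. It also splits a "Defs Version" string such as 160430b; the YYMMDD-plus-revision-letter layout used for that is an assumption of this example rather than something the article states. The sample inputs are the worked values from the article.

```python
import datetime
import re

EPOCH_YEAR = 1998  # the year field counts from 1998, per the C++ formula above


def decode_def_version(version: int) -> tuple[int, int, int, int]:
    """Unpack a SEP definition version integer into (year, month, day, revision).

    Bit layout, low to high: bits 0-8 revision, bits 9-13 day, bits 14-17 month,
    bit 18 and up the year offset from 1998. This mirrors the C++ on the page.
    """
    year = (version >> 18) + EPOCH_YEAR
    month = (version >> 14) & 0x0F
    day = (version >> 9) & 0x1F
    revision = version & 0x1FF
    return year, month, day, revision


def encode_def_version(year: int, month: int, day: int, revision: int) -> int:
    """Inverse of decode_def_version; useful for checking a value decoded by hand."""
    if not (1 <= month <= 12 and 1 <= day <= 31 and 0 <= revision <= 0x1FF):
        raise ValueError("field out of range for the packed layout")
    return ((year - EPOCH_YEAR) << 18) | (month << 14) | (day << 9) | revision


def decode_hex(hex_value: str) -> tuple[int, int, int, int]:
    """Decode the hex string regedit shows for AV\\UsingPattern (e.g. '312e02')."""
    digits = hex_value.strip().lower().removeprefix("0x")
    return decode_def_version(int(digits, 16))


# Definition file names look like vd413c25.jdb: 'vd' + 6 hex digits + extension.
DEF_FILE_RE = re.compile(r"^vd([0-9a-f]{6})\.(vdb|xdb|jdb)$", re.IGNORECASE)


def decode_def_filename(name: str) -> tuple[int, int, int, int]:
    """Strip the 'vd' prefix and the extension, then decode the remaining hex digits."""
    m = DEF_FILE_RE.match(name.strip())
    if not m:
        raise ValueError(f"not a vd*.vdb/xdb/jdb definition file name: {name!r}")
    return decode_hex(m.group(1))


def is_plausible(parts: tuple[int, int, int, int]) -> bool:
    """False when the fields cannot form a real date (wrong value, typo in the hex)."""
    year, month, day, _rev = parts
    try:
        datetime.date(year, month, day)
    except ValueError:
        return False
    return True


def format_defs(parts: tuple[int, int, int, int]) -> str:
    """Render in the article's style, e.g. '2010/4/23 Rev 2'; refuses impossible dates."""
    if not is_plausible(parts):
        raise ValueError(f"decoded fields {parts} are not a valid date")
    year, month, day, rev = parts
    return f"{year}/{month}/{day} Rev {rev}"


# 'Defs Version' strings from the event log, e.g. 160430b. The layout parsed here
# (YYMMDD followed by one revision letter) is an assumption of this example and
# is not stated in the article.
DEFS_VERSION_RE = re.compile(r"^(\d{2})(\d{2})(\d{2})([a-z])$")


def parse_defs_version(text: str) -> tuple[int, int, int, str]:
    """Split a Defs Version string into (year, month, day, revision letter)."""
    m = DEFS_VERSION_RE.match(text.strip().lower())
    if not m:
        raise ValueError(f"unrecognised Defs Version string: {text!r}")
    yy, mm, dd, rev = m.groups()
    year, month, day = 2000 + int(yy), int(mm), int(dd)
    datetime.date(year, month, day)  # raises ValueError on an impossible date
    return year, month, day, rev


if __name__ == "__main__":
    # Constructed inputs taken from the worked examples in the article.
    print(format_defs(decode_hex("312e02")))                 # 2010/4/23 Rev 2
    print(format_defs(decode_def_filename("vd413c25.jdb")))  # 2014/4/30 Rev 37
    print(hex(encode_def_version(2014, 4, 30, 37)))          # 0x413c25
    print(parse_defs_version("160430b"))                     # (2016, 4, 30, 'b')
```

The plausibility check matters more than it looks: the formula happily returns month 15 or day 0 for any 32-bit input, so a value copied from the wrong registry key decodes to garbage without any error. Validating against the calendar turns that silent mistake into an exception.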