You want to know what the possible Symantec Endpoint Protection event log entries are and what each one means.
Below is a list of events that are logged on the local client and forwarded on to the Symantec Endpoint Protection Manager. Many, but not all, of these events appear in the Windows Application Log. Note that raw event codes normally appear as a single string of text, but sometimes display on two lines in this table due to space constraints.
Event | Event Number | Raw Event Code | Description |
Scan Stopped | 2 | GL_EVENT_SCAN_STOP | Occurs when antivirus scanning completes. |
Scan Started | 3 | GL_EVENT_SCAN_START | Occurs when antivirus scanning starts. |
Definition File Sent To Server | 4 | GL_EVENT_PATTERN_UPDATE | Occurs when a parent server sends a .vdb file to a secondary server. |
Virus Found | 5 | GL_EVENT_INFECTION | Occurs when scanning detects a virus. |
Scan Omission | 6 | GL_EVENT_FILE_NOT_OPEN | Occurs when scanning fails to gain access to a file or directory. |
Definition File Loaded | 7 | GL_EVENT_LOAD_PATTERN | Occurs when Symantec AntiVirus loads a new .vdb file. |
Checksum | 10 | GL_EVENT_CHECKSUM | Occurs when a checksum error occurs when verifying a digitally signed file. |
Auto-Protect | 11 | GL_EVENT_TRAP | Occurs when Auto-Protect is not fully operational. |
Configuration Changed | 12 | GL_EVENT_CONFIG_CHANGE | Occurs when a server updates its configurations according to the changes made from the console, excluding configuration changes made in the PRODUCTCONTROL or DOMAINDATA registry keys. |
Symantec AntiVirus Shutdown | 13 | GL_EVENT_SHUTDOWN | Occurs when the ccSvcHst.exe service is unloaded. |
Symantec AntiVirus Startup | 14 | GL_EVENT_STARTUP | Occurs when the ccSvcHst.exe service is loaded. |
Definition File Download | 16 | GL_EVENT_PATTERN_DOWNLOAD | Occurs when new definitions get downloaded by a scheduled definitions update. |
Scan Action Auto-Changed | 17 | GL_EVENT_TOO_MANY_VIRUSES | Occurs when Symantec AntiVirus has deleted or quarantined more than five infected files within the last minute. The number of files quarantined or deleted and the time interval are configurable from the registry. The defaults are 5 files in 60 seconds. |
Sent To Quarantine Server | 18 | GL_EVENT_FWD_TO_QSERVER | Occurs when quarantined files are sent to a Quarantine Server. |
Delivered To Symantec Security Response | 19 | GL_EVENT_SCANDLVR | Occurs when a file is delivered to Symantec Security Response. |
Backup Restore Error | 20 | GL_EVENT_BACKUP | Occurs when Symantec AntiVirus cannot back up a file or restore a file from Quarantine. |
Scan Aborted | 21 | GL_EVENT_SCAN_ABORT | Occurs when a scan is stopped before it completes. |
Symantec AntiVirus Auto-Protect Load Error | 22 | GL_EVENT_RTS_LOAD_ERROR | Occurs when Auto-Protect fails to load. |
Symantec AntiVirus Auto-Protect Loaded | 23 | GL_EVENT_RTS_LOAD | Occurs when Auto-Protect loads successfully. |
Symantec AntiVirus Auto-Protect Unloaded | 24 | GL_EVENT_RTS_UNLOAD | Occurs when Auto-Protect is unloaded. |
Scan Delayed | 26 | GL_EVENT_SCAN_DELAYED | Occurs when a scheduled scan is snoozed/paused (delayed). |
Scan restarted | 27 | GL_EVENT_SCAN_RESTART | Occurs when a snoozed/paused scan is restarted. |
Log Forwarding Error | 34 | GL_EVENT_LOG_FWD_THRD_ERR | Occurs when there is a problem with the log forwarding process. Also logs when Event and Settings Manager is started. |
Definitions Rollback | 39 | GL_EVENT_BAD_DEFS_ROLLBACK | Occurs when definitions are rolled back. |
Definitions Unprotected | 40 | GL_EVENT_BAD_DEFS_UNPROTECTED | Occurs when a computer is not protected with definitions. |
Auto-Protect Error | 41 | GL_EVENT_SAV_PROVIDER_PARSING_ERROR | Occurs when an error occurs with Auto-Protect. |
Configuration Error | 42 | GL_EVENT_RTS_ERROR | General error. Primarily occurs when a configuration file cannot be read. |
SymProtect Action | 45 | GL_EVENT_SECURITY_SYMPROTECT_POLICYVIOLATION | Occurs when SymProtect blocks a tamper attempt. |
Detection Start | 46 | GL_EVENT_ANOMALY_START | Occurs when a threat is found. This is the first of a series of steps describing the action taken. |
Detection Action | 47 | GL_EVENT_DETECTION_ACTION_TAKEN | Describes an action that's taken when a threat is found. |
Pending Remediation Action | 48 | GL_EVENT_REMEDIATION_ACTION_PENDING | Occurs when Auto-Protect is ready to perform a side-effects repair for adware or spyware. |
Failed Remediation Action | 49 | GL_EVENT_REMEDIATION_ACTION_FAILED | Occurs when Auto-Protect fails to perform a successful side-effects repair for adware or spyware. |
Successful Remediation Action | 50 | GL_EVENT_REMEDIATION_ACTION_SUCCESSFUL | Occurs when Auto-Protect performs a successful side-effects repair for adware or spyware. |
Detection Finish | 51 | GL_EVENT_ANOMALY_FINISH | Occurs when Auto-Protect finishes handling a threat. |
Scan Stopped | 65 | GL_EVENT_SCAN_SUSPENDED | Occurs when adware and spyware scans stop. |
Scan Started | 66 | GL_EVENT_SCAN_RESUMED | Occurs when adware and spyware scans start. |
Threat Now Whitelisted | 71 | GL_EVENT_HEUR_THREAT_NOW_WHITELISTED | The Administrator has added what SONAR previously detected as a threat to the Centralized Exception list, or Symantec has added it to the internal known white listed applications list. |
Interesting Process Found Start | 72 | GL_EVENT_INTERESTING_PROCESS_DETECTED_START | SONAR detection start. The first step of a series describing the action taken on the process. |
SONAR engine load error | 73 | GL_EVENT_LOAD_ERROR_BASH | Failed to load SONAR engine. |
SONAR definitions load error | 74 | GL_EVENT_LOAD_ERROR_BASH_DEFINITIONS | Failed to load SONAR definitions. |
Interesting Process Found Finish | 75 | GL_EVENT_INTERESTING_PROCESS_DETECTED_FINISH | SONAR detection has finished handling the process. |
SONAR operating system not supported | 76 | GL_EVENT_HPP_SCAN_NOT_SUPPORTED_FOR_OS | SONAR is enabled, but it is not supported on the platform. |
SONAR Detected Threat Now Known | 77 | GL_EVENT_HEUR_THREAT_NOW_KNOWN | A SONAR process detection is now a confirmed signature-based security risk. |
SONAR engine is disabled | 78 | GL_EVENT_DISABLE_BASH | SONAR is enabled. |
SONAR engine is enabled | 79 | GL_EVENT_ENABLE_BASH | SONAR is disabled. |
Definition load failed | 80 | GL_EVENT_DEFS_LOAD_FAILED | Failed to apply AV definitions. |
Cache server error | 81 | GL_EVENT_LOCALREP_CACHE_SERVER_ERROR | Cache server error. |
Reputation check timed out | 82 | GL_EVENT_REPUTATION_CHECK_TIMEOUT | Reputation check timed out. |
ELAM load failed | 86 | GL_EVENT_ELAM_LOAD_FAILED | SymELAM load failure |
An invalid OS for ELAM | 87 | GL_EVENT_ELAM_INVALID_OS | SymELAM requires Windows 8 to function |
ELAM enabled | 88 | GL_EVENT_ELAM_ENABLE | SymELAM Protection enabled |
ELAM disabled | 89 | GL_EVENT_ELAM_DISABLE | SymELAM Protection disabled |
ELAM repair failed | 90 | GL_EVENT_ELAM_BAD | SymELAM unable to repair file |
ELAM blocked driver | 91 | GL_EVENT_ELAM_BAD_REPORTED_AS_UNKNOWN | SymELAM blocked driver |
SymProtect enabled | 92 | GL_EVENT_DISABLE_SYMPROTECT | SymProtect enabled |
SymProtect disabled | 93 | GL_EVENT_ENABLE_SYMPROTECT | SymProtect disabled |
EOC scan parse failed | 94 | GL_EVENT_NETSEC_EOC_PARSE_FAILED | EOC scan initiated from ATP cannot be parsed by the client |
File is restored | 95 | GL_EVENT_FILE_RESTORED | The file is restored from quarantine |