Dwarfsoft [GPA]

SEP11 Scan Logs

by on Mar.03, 2011, under Scripting, Tweet, Work


I will start out by simply stating how much I HATE SEP11, and how it handles client scan logs. For some reason there is NO way of getting a client scan log out of the Central Management Console. The whole point of Central Management is being able to … manage CENTRALLY.

Anyway, enough rant. I wrote a batch file to pull the latest (or a specified) log file from a list of servers (in a file called Servers.txt). Source:

@echo off
SETLOCAL
REM Usage: run with no argument to fetch the newest log from every server,
REM or pass a log file name to fetch that file from every server.
REM Servers.txt lists one server per line; copies land in SEP11Logs as servername-logname.
if not exist "SEP11Logs" mkdir SEP11Logs
 
for /f "tokens=*" %%A IN (Servers.txt) DO (
  IF /I "%~1" EQU "" (
    CALL :GetLatestLog "%%A"
    REM CALL re-expands the _LogFile variable after GetLatestLog has set it, so no delayed expansion is needed
    CALL :CopyLog "%%A" "%%_LogFile%%"
    ) ELSE (
    CALL :CopyLog "%%A" "%~1"
    )
  )
 
GOTO:EOF
 
:GetLatestLog
REM List the SEP log folder newest first and keep only the first name
SET _ServerName=%~1
SET _LogFile=
FOR /F "tokens=* delims=" %%B IN ('dir "\\%_ServerName%\C$\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Logs\*.log" /b /o:-d') DO (
  SET _LogFile=%%B
  ECHO "Logfile is %%B"
  GOTO:EOF
  )
GOTO:EOF
 
:CopyLog
REM Argument 1 is the server, argument 2 the log name; the copy is renamed to servername-logname
IF "%~2" EQU "" (
  ECHO No log file found on "%~1"
  GOTO:EOF
  )
ECHO Copying "%~2" on "%~1"
COPY /Y "\\%~1\C$\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Logs\%~2" "SEP11Logs\%~1-%~2"
GOTO:EOF

This script goes through the list of servers copying the logs into a folder called SEP11Logs and renaming them to “<ServerName>-<Logname>” so they come out as something like “SERVER-02262011.log”.

Once I received the logs I was then struck with a problem of not being able to easily determine the date and time of each finding. After a short search I managed to track down a description of the SEP11 log file format. I wrote a quick and [very] dirty script to add a little more detail to the original log.

' See http://www.symantec.com/business/support/index?page=content&id=TECH100099&locale=en_US
' Usage: cscript thisscript.vbs <folder>  - writes <logfile>.csv next to every file in the folder
On Error Resume Next   ' malformed lines are skipped rather than aborting the run
Const ForReading = 1
Const ForWriting = 2
 
Dim fso, folder, files, folderIdx, sFolder, LogFile, LogFileCsv
 
Set fso = CreateObject("Scripting.FileSystemObject")
If Wscript.Arguments.Count = 0 Then
    Wscript.Echo "No Folder parameter was passed"
    Wscript.Quit 1
End If
sFolder = Wscript.Arguments.Item(0)
Set folder = fso.GetFolder(sFolder)
Set files = folder.Files
 
For each folderIdx In files
 
  Set LogFile = fso.OpenTextFile(folderIdx.Path, ForReading)
  Set LogFileCsv = fso.CreateTextFile(folderIdx.Path & ".csv", True)
  Do While not LogFile.AtEndOfStream
    line = LogFile.ReadLine
	Splt=Split(line,",")
	' Field 0 is the timestamp as six hex byte pairs YY MM DD HH MM SS,
	' with YY counted from 1970 and MM zero-based (hence the +1 on the month)
	hTime = Splt(0)
	hTimeYear  = Right("0000" & (1970 + CLng("&H"&Mid(hTime,1,2))),4)
	hTimeMonth = Right("00" & CLng("&H"&Mid(hTime,3,2))+1,2)
	hTimeDay   = Right("00" & CLng("&H"&Mid(hTime,5,2)), 2)
	hTimeHour  = Right("00" & CLng("&H"&Mid(hTime,7,2)), 2)
	hTimeMin   = Right("00" & CLng("&H"&Mid(hTime,9,2)), 2)
	hTimeSec   = Right("00" & CLng("&H"&Mid(hTime,11,2)), 2)
 
	hDateAndTime = hTimeYear & "-" & hTimeMonth & "-" & hTimeDay & " " & hTimeHour & ":" & hTimeMin & ":" & hTimeSec
	hDate = hTimeYear & "-" & hTimeMonth & "-" & hTimeDay
	hTime = hTimeHour & ":" & hTimeMin & ":" & hTimeSec
 
	' Split returns strings, so convert the code before comparing with the numeric Case labels;
	' reset first so an unknown code does not inherit the previous line's name
	hEvent = "Unknown Event"
	Select Case CLng("0" & Splt(1))
	  Case 1
	    hEvent = "GL_EVENT_IS_ALERT"
      Case 2
        hEvent = "GL_EVENT_SCAN_STOP"
      Case 3
        hEvent = "GL_EVENT_SCAN_START"
      Case 4
        hEvent = "GL_EVENT_PATTERN_UPDATE"
      Case 5
        hEvent = "GL_EVENT_INFECTION"
      Case 6
        hEvent = "GL_EVENT_FILE_NOT_OPEN"
      Case 7
        hEvent = "GL_EVENT_LOAD_PATTERN"
      Case 8
        hEvent = "//GL_STD_MESSAGE_INFO NOT USED"
      Case 9
        hEvent = "//GL_STD_MESSAGE_ERROR NOT USED"
      Case 10
        hEvent = "GL_EVENT_CHECKSUM"
      Case 11
        hEvent = "GL_EVENT_TRAP"
      Case 12
        hEvent = "GL_EVENT_CONFIG_CHANGE"
      Case 13
        hEvent = "GL_EVENT_SHUTDOWN"
      Case 14
        hEvent = "GL_EVENT_STARTUP"
      Case 16
        hEvent = "GL_EVENT_PATTERN_DOWNLOAD"
      Case 17
        hEvent = "GL_EVENT_TOO_MANY_VIRUSES"
      Case 18
        hEvent = "GL_EVENT_FWD_TO_QSERVER"
      Case 19
        hEvent = "GL_EVENT_SCANDLVR"
      Case 20
        hEvent = "GL_EVENT_BACKUP"
      Case 21
        hEvent = "GL_EVENT_SCAN_ABORT"
      Case 22
        hEvent = "GL_EVENT_RTS_LOAD_ERROR"
      Case 23
        hEvent = "GL_EVENT_RTS_LOAD"
      Case 24
        hEvent = "GL_EVENT_RTS_UNLOAD"
      Case 25
        hEvent = "GL_EVENT_REMOVE_CLIENT"
      Case 26
        hEvent = "GL_EVENT_SCAN_DELAYED"
      Case 27
        hEvent = "GL_EVENT_SCAN_RESTART"
      Case 28
        hEvent = "GL_EVENT_ADD_SAVROAMCLIENT_TOSERVER"
      Case 29
        hEvent = "GL_EVENT_REMOVE_SAVROAMCLIENT_FROMSERVER"
      Case 30
        hEvent = "GL_EVENT_LICENSE_WARNING"
      Case 31
        hEvent = "GL_EVENT_LICENSE_ERROR"
      Case 32
        hEvent = "GL_EVENT_LICENSE_GRACE"
      Case 33
        hEvent = "GL_EVENT_UNAUTHORIZED_COMM"
      Case 34
        hEvent = "GL_EVENT_LOG_FWD_THRD_ERR"
      Case 35
        hEvent = "GL_EVENT_LICENSE_INSTALLED"
      Case 36
        hEvent = "GL_EVENT_LICENSE_ALLOCATED"
      Case 37
        hEvent = "GL_EVENT_LICENSE_OK"
      Case 38
        hEvent = "GL_EVENT_LICENSE_DEALLOCATED"
      Case 39
        hEvent = "GL_EVENT_BAD_DEFS_ROLLBACK"
      Case 40
        hEvent = "GL_EVENT_BAD_DEFS_UNPROTECTED"
      Case 41
        hEvent = "GL_EVENT_SAV_PROVIDER_PARSING_ERROR"
      Case 42
        hEvent = "GL_EVENT_RTS_ERROR"
      Case 43
        hEvent = "GL_EVENT_COMPLIANCE_FAIL"
      Case 44
        hEvent = "GL_EVENT_COMPLIANCE_SUCCESS"
      Case 45
        hEvent = "GL_EVENT_SECURITY_SYMPROTECT_POLICYVIOLATION"
      Case 46
        hEvent = "GL_EVENT_ANOMALY_START"
      Case 47
        hEvent = "GL_EVENT_DETECTION_ACTION_TAKEN"
      Case 48
        hEvent = "GL_EVENT_REMEDIATION_ACTION_PENDING"
      Case 49
        hEvent = "GL_EVENT_REMEDIATION_ACTION_FAILED"
      Case 50
        hEvent = "GL_EVENT_REMEDIATION_ACTION_SUCCESSFUL"
      Case 51
        hEvent = "GL_EVENT_ANOMALY_FINISH"
      Case 52
        hEvent = "GL_EVENT_COMMS_LOGIN_FAILED"
      Case 53
        hEvent = "GL_EVENT_COMMS_LOGIN_SUCCESS"
      Case 54
        hEvent = "GL_EVENT_COMMS_UNAUTHORIZED_COMM"
      Case 55
        hEvent = "GL_EVENT_CLIENT_INSTALL_AV"
      Case 56
        hEvent = "GL_EVENT_CLIENT_INSTALL_FW"
      Case 57
        hEvent = "GL_EVENT_CLIENT_UNINSTALL"
      Case 58
        hEvent = "GL_EVENT_CLIENT_UNINSTALL_ROLLBACK"
      Case 59
        hEvent = "GL_EVENT_COMMS_SERVER_GROUP_ROOT_CERT_ISSUE"
      Case 60
        hEvent = "GL_EVENT_COMMS_SERVER_CERT_ISSUE"
      Case 61
        hEvent = "GL_EVENT_COMMS_TRUSTED_ROOT_CHANGE"
      Case 62
        hEvent = "GL_EVENT_COMMS_SERVER_CERT_STARTUP_FAILED"
      Case 63
        hEvent = "GL_EVENT_CLIENT_CHECKIN"
      Case 64
        hEvent = "GL_EVENT_CLIENT_NO_CHECKIN"
      Case 65
        hEvent = "GL_EVENT_SCAN_SUSPENDED"
      Case 66
        hEvent = "GL_EVENT_SCAN_RESUMED"
      Case 67
        hEvent = "GL_EVENT_SCAN_DURATION_INSUFFICIENT"
      Case 68
        hEvent = "GL_EVENT_CLIENT_MOVE"
      Case 69
        hEvent = "GL_EVENT_SCAN_FAILED_ENHANCED"
      Case 70
        hEvent = "GL_EVENT_MAX_EVENT_NUMBER"
      Case 71
        hEvent = "GL_EVENT_HEUR_THREAT_NOW_WHITELISTED"
      Case 72
        hEvent = "GL_EVENT_INTERESTING_PROCESS_DETECTED_START"
      Case 73
        hEvent = "GL_EVENT_LOAD_ERROR_COH"
      Case 74
        hEvent = "GL_EVENT_LOAD_ERROR_SYKNAPPS"
      Case 75
        hEvent = "GL_EVENT_INTERESTING_PROCESS_DETECTED_FINISH"
      Case 76
        hEvent = "GL_EVENT_HPP_SCAN_NOT_SUPPORTED_FOR_OS"
      Case 77
        hEvent = "GL_EVENT_HEUR_THREAT_NOW_KNOWN"
	End Select
 
	hCategory = "Unknown Category"
	Select Case CLng("0" & Splt(2))
	  Case 1
	    hCategory = "GL_CAT_INFECTION"
	  Case 2
	    hCategory = "GL_CAT_SUMMARY"
	  Case 3
	    hCategory = "GL_CAT_PATTERN"
	  Case 4
	    hCategory = "GL_CAT_SECURITY"
	End Select
 
    hLogger = Splt(3)
	hComputer = Splt(4)
	hUser = Splt(5)
	hVirus = Splt(6)
	hFile = Splt(7)
 
	Select Case CLng("0" & Splt(8))
	  Case 1
	    hAction = "Quarantine"
      Case 2
	    hAction = "Rename"
	  Case 3
	    hAction = "Delete"
	  Case 4
	    hAction = "Leave Alone"
	  Case 5
	    hAction = "Clean File"
	  Case 6
	    hAction = "Clean Macros"
	  Case Else
	    hAction = "Unknown Action"
	End Select
 
	Select Case CLng("0" & Splt(9))
	  Case 1
	    hAction2 = "Quarantine"
      Case 2
	    hAction2 = "Rename"
	  Case 3
	    hAction2 = "Delete"
	  Case 4
	    hAction2 = "Leave Alone"
	  Case 5
	    hAction2 = "Clean File"
	  Case 6
	    hAction2 = "Clean Macros"
	  Case Else
	    hAction2 = "Unknown Action"
	End Select
 
	Select Case CLng("0" & Splt(10))
	  Case 1
	    hAction3 = "Quarantine"
      Case 2
	    hAction3 = "Rename"
	  Case 3
	    hAction3 = "Delete"
	  Case 4
	    hAction3 = "Leave Alone"
	  Case 5
	    hAction3 = "Clean File"
	  Case 6
	    hAction3 = "Clean Macros"
	  Case 7
	    hAction3 = "Saved file as..."
      Case 8
	    hAction3 = "Sent to Intel (AMS)"
      Case 9
	    hAction3 = "Moved to backup location"
      Case 10
        hAction3 = "Renamed backup file"
      Case 11
        hAction3 = "Undo action in Quarantine View"
      Case 12
        hAction3 = "Write protected or lack of permissions - Unable to act on file"
      Case 13
	    hAction3 = "Backed up file"
	  Case Else
	    hAction3 = "Unknown Action"
	End Select
 
	hVirusType = Splt(11)
	hFlags = Splt(12)
	hDescription = Splt(13)
	hScanId = Splt(14)
	hNewExt = Splt(15)
	hGroupId = Splt(16)
	hEventData = Splt(17)
	hQuarantineID = Splt(18)
	hVirusID = Splt(19)
	hQuarantineStatus = Splt(20)
	hAccess = Splt(21)
 
	outline = hDate & "," & hTime & "," & Splt(1) & "," & hEvent & "," & Splt(2) & "," & hCategory & "," & Splt(3) & "," & Splt(4) & "," & Splt(5) & "," & Splt(6) & ","
	outline = outline & Splt(7) & "," & Splt(8) & "," & hAction & "," & Splt(9) & "," & hAction2 & "," & Splt(10) & "," & hAction3
	For i = 11 to UBound(Splt)
	  outline=outline&","&Splt(i)
	Next
 
	LogFileCsv.WriteLine(outline)
  Loop
  LogFileCsv.Close
  LogFile.Close
 
Next

I know, it is not exactly brimming with comments. I leave this code here as is; it worked for me. Just take note that in these logs there are a lot of files that get picked up with all 3 actions listed as “Leave Alone” but (if opened in Excel) under column X it lists a File Remediation and a Delete action. The log file format is abysmal and the above linked description of the format does not accurately explain the remediation information. I have as yet been unable to determine which field of the description the remediation is supposed to be in.
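The same field decoding in Python, as an added example rather than the post's own script: the hex timestamp, the code-to-name lookups, and a constructed sample line. Unknown or blank codes stay visible instead of inheriting the previous line's value, and the event table is abbreviated to the codes the sample uses.

```python
import datetime as dt

# Code tables as given in the VBScript above (event table abbreviated).
EVENTS = {1: "GL_EVENT_IS_ALERT", 2: "GL_EVENT_SCAN_STOP", 3: "GL_EVENT_SCAN_START",
          5: "GL_EVENT_INFECTION", 47: "GL_EVENT_DETECTION_ACTION_TAKEN"}
CATEGORIES = {1: "GL_CAT_INFECTION", 2: "GL_CAT_SUMMARY", 3: "GL_CAT_PATTERN", 4: "GL_CAT_SECURITY"}
ACTIONS = {1: "Quarantine", 2: "Rename", 3: "Delete", 4: "Leave Alone", 5: "Clean File",
           6: "Clean Macros", 7: "Saved file as...", 8: "Sent to Intel (AMS)",
           9: "Moved to backup location", 10: "Renamed backup file",
           11: "Undo action in Quarantine View",
           12: "Write protected or lack of permissions - Unable to act on file",
           13: "Backed up file"}
FIELDS = ["time", "event", "category", "logger", "computer", "user", "virus", "file",
          "action1", "action2", "action3"]


def decode_sep_time(stamp):
    """Field 0: six hex byte pairs YY MM DD HH MM SS; YY counts from 1970, MM is zero-based."""
    if len(stamp) != 12:
        raise ValueError("timestamp should be 12 hex digits, got %r" % stamp)
    y, mo, d, h, mi, s = (int(stamp[i:i + 2], 16) for i in range(0, 12, 2))
    return dt.datetime(1970 + y, mo + 1, d, h, mi, s)


def lookup(table, raw, kind):
    """Map a numeric code to its name; keep the raw value visible when it is not in the table."""
    if not raw.strip().isdigit():
        return "%s:%r" % (kind, raw)
    return table.get(int(raw), "%s:%d (unknown)" % (kind, int(raw)))


def parse_line(line):
    """Return a dict for one SEP11 log line (first 11 fields named; the rest kept as a list)."""
    f = line.rstrip("\r\n").split(",")
    if len(f) < len(FIELDS):
        raise ValueError("expected at least %d fields, got %d" % (len(FIELDS), len(f)))
    rec = dict(zip(FIELDS, f))
    rec["time"] = decode_sep_time(f[0])
    rec["event"] = lookup(EVENTS, f[1], "event")
    rec["category"] = lookup(CATEGORIES, f[2], "category")
    for key in ("action1", "action2", "action3"):
        rec[key] = lookup(ACTIONS, rec[key], "action")
    rec["extra"] = f[len(FIELDS):]
    return rec


# Constructed sample line (not a real log): an EICAR test-file detection on 26 Feb 2011 14:05:09.
SAMPLE = "29011A0E0509,5,1,Scan,SERVER-01,SYSTEM,EICAR Test String,C:\\Users\\Public\\eicar.com,1,3,4,0,0"

if __name__ == "__main__":
    r = parse_line(SAMPLE)
    print(r["time"].isoformat(sep=" "), r["event"], r["virus"], r["action1"])
```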

So, run the batch file to copy the logs into the SEP11Logs folder. Then run the VBScript with the path to SEP11Logs as its argument and it will create a copy of each log file with a .csv extension that carries a bit more information.

Enjoy.

Cheers, Chris.

