
Removing Symantec Antivirus events from Windows Event Viewer


Trana

Technical User
Nov 2, 2002
76
AU
Hi,

Using Symantec Antivirus Corporate 10.1.6.6000 in a Windows 2003 server environment with Win2k/XP clients.

I know there’s a way to have all the Symantec events not show up in Windows Event Viewer, but I can’t remember how.

I don’t want to remove the event history from the actual Symantec application, I just don’t want those events showing up in the regular windows event viewer. I'm not interested in filtering them out, I don’t want them to go into that log file at all.

Any ideas or tips would be greatly appreciated.
 
I am looking for the same answer. Or does anyone know a way to filter Symantec events to a separate event log?
 
I also had this problem - I got all sorts of notifications and LiveUpdate jamming up the Application log.

I did find a way around this, but I'm hesitant to post it here: I had to do some fairly labour-intensive changes to the Windows Registry to create Symantec its own log file. I did this when the machine in question was not in production, so I wasn't terribly worried about mucking up the machine. I could probably draw up a FAQ or something, but it surely wouldn't be supported by Symantec if you ever had a problem...

The way I did it was to create Symantec its own "folder" in the event viewer. I'd attach a screenshot but it seems that it only takes URLs.
 
Check it out, it didn't let you post the URL either. Can you re-post? I'm curious to see what registry hack you made to pipe the messages to its own file.

Thank you for your help
 
Amazing.. it shouldn't be this difficult, but apparently that url is not accessible. I've even created myself an account at pb and still could not access it. Perhaps because you have to intentionally share it out?

How about you type the key here. Will that be possible? For example.. HKLM\blah blah blah?

Thank you so much. This help is very much appreciated.
 
The key(s) in question are in HKLM/SYSTEM/CurrentControlSet/Services/Eventlog.

The trick is you have to create a key with a unique ID and then go down and create keys below it for Symantec's services. When that's done, you need to remove Symantec's services from the Application section (it's in 2 places.)

When you're done you can't just restart the event logging service, you'll have to reboot.

My screenshot just showed the folder I created for Symantec, nothing real special there.

I tried the link from another computer where I wasn't logged into PB, and it worked just fine for me? [ponder]

I'll try to put together more detailed instructions. It was a lot of editing and rearranging to get it to work.
 
You've given me enough info to go forward with. Thank you so much for all of your help. After testing on a few different machines, here are the details I worked out to accomplish my goal successfully. Such a big improvement for our logs.


B. Run the following syntax to create a new log file called Symantec:
a. strLOG = "Symantec"
b. Const NO_VALUE = Empty
c. Set WshReg = WScript.CreateObject("WScript.Shell")
d. WshReg.RegWrite "HKLM\System\CurrentControlSet\Services\EventLog\" & strLOG & "\", NO_VALUE
C. Document settings on paper and export the following registry keys:
a. HKLM/SYSTEM/CurrentControlSet/Services/Eventlog/Application/Symantec Antivirus
D. Go to HKLM/SYSTEM/CurrentControlSet/Services/Eventlog/Symantec and create an Expandable String Value called File. Right click on it and add the following into the data field.
a. %SystemRoot%\system32\config\Symantec.evt
E. Next create a new key (in the Symantec Event Log registry area). Call it Symantec AntiVirus. Within that key, create a string value called EventMessageFile. Right click on it and select modify. Enter the path to the rtvscan.exe on the machine you are working on.
F. Go back to the Application Event Log key and delete the one that says Symantec AntiVirus.
G. Exit regedit.
H. Reboot machine because it’s not possible to stop and start the event log service.

8. Test Plan:
A. Run antivirus on the machine you completed the configuration change on. If all of the SCAN messages write to this file, you've successfully created the log file correctly. LiveUpdate and other messages will still be recorded in the Application log.


Thank you again for your help.

r/Marie Hansler
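The registry edits in steps B to F above, collected into one PowerShell script as an added example (not a script posted in this thread, and written for a later Windows version than the Win2k/XP/2003 boxes discussed); the rtvscan.exe path is a placeholder you must verify, and the script exports the original source key first and stops if the source ends up registered under more than one log.

```powershell
# Added example for this thread's procedure (steps B to F); not code from the thread's authors.
# Assumptions: run as Administrator; the rtvscan.exe path below is a placeholder to replace
# with the real location on the machine; reg.exe and the HKLM: registry drive are available.
$logName      = 'Symantec'
$sourceName   = 'Symantec AntiVirus'
$rtvscanPath  = 'C:\Program Files\Symantec AntiVirus\Rtvscan.exe'   # placeholder, verify locally
$eventLogRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog'
$newLogKey    = Join-Path $eventLogRoot $logName
$newSourceKey = Join-Path $newLogKey $sourceName
$appSourceKey = Join-Path $eventLogRoot "Application\$sourceName"

if (-not (Test-Path -LiteralPath $rtvscanPath)) {
    throw "rtvscan.exe not found at '$rtvscanPath'; fix the placeholder path before running."
}

# Step C: keep an export of the current source key so the change can be reverted.
$backup = Join-Path $env:TEMP 'SymantecAV-source-backup.reg'
if (Test-Path $backup) { Remove-Item $backup }
& reg.exe export "HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Application\$sourceName" $backup | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'Backup export failed; nothing was changed.' }

# Steps B and D: create the new log key and give it its own .evt file (REG_EXPAND_SZ).
if (-not (Test-Path $newLogKey)) { New-Item -Path $newLogKey | Out-Null }
New-ItemProperty -Path $newLogKey -Name 'File' -PropertyType ExpandString `
    -Value '%SystemRoot%\system32\config\Symantec.evt' -Force | Out-Null

# Step E: register the source under the new log and point EventMessageFile at rtvscan.exe.
if (-not (Test-Path $newSourceKey)) { New-Item -Path $newSourceKey | Out-Null }
New-ItemProperty -Path $newSourceKey -Name 'EventMessageFile' -PropertyType ExpandString `
    -Value $rtvscanPath -Force | Out-Null

# Step F: remove the source from Application so it is registered under exactly one log.
if (Test-Path $appSourceKey) { Remove-Item -Path $appSourceKey -Recurse -Force }

# Check: a source still present under two logs is why events keep landing in Application.
$logsWithSource = @(Get-ChildItem $eventLogRoot |
    Where-Object { Test-Path (Join-Path (Join-Path $eventLogRoot $_.PSChildName) $sourceName) } |
    ForEach-Object { $_.PSChildName })
if ($logsWithSource.Count -ne 1 -or $logsWithSource[0] -ne $logName) {
    throw "Source '$sourceName' is registered under: $($logsWithSource -join ', ')"
}
Write-Host "Registry updated (backup: $backup). Reboot so the Event Log service creates '$logName'."
```

Once the source lives in its own log, any collector or forwarder that only reads the Application log stops seeing these events, so point it at the new log as well.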
 