Create Antivirus Reports Using Symantec Antivirus Corporate Edition


“First off, credit where credit is due! I got most all of this info compliments of Chris Mosby! Thanks, Chris!

This is a quick overview of how I capture AV alerts that are generated by my managed AV clients using the Alert Management System (AMS) that is included with the AV “Parent” installation. It assumes the reader has a basic understanding of that tool, including its setup and configuration.

Background: Any seasoned Symantec AV admin is very familiar with the SSC. We see all those bright red icons alongside our clients on a regular basis. Trying to find out exactly which virus (or virii – is that a real word??) is the root cause of the problem is the real challenge. Enter AMS and a Microsoft tool called EventCombMT!

Requirements: AMS must be installed on at least one server in the Symantec group. This is the Parent server that will now assume the task of collecting and forwarding the red alerts generated by clients assigned to (or under) this folder. You also need a system to designate as the recipient of the events collected by AMS.


Configure AMS to generate an alert based on VIRUS FOUND. Configure this alert action to “Write to EVENT Log”. Specify the desired machine to receive these alerts. Be sure to configure the Application Event Log on that system to be large enough to hold all the data that will be sent from AMS.

Download and install EventCombMT from Microsoft DOWNLOADS page at:

This tool is used to parse the designated event log to retrieve desired alerts, and write the results to a delimited text file. Configure the tool to pull alerts from the source “Intel AMS II”. (TIP: once configured and tested, SAVE your search setup for future use!)

Once you have AMS set up and sending alerts to the event log of the designated system, and EventCombMT is pulling in the desired data as expected, fire up Excel!


1. Run EventCombMT
2. Open Excel and import the comma-delimited TXT file created in Step 1
3. Delete columns A-E (they are junk)
4. Do a SEARCH/REPLACE using [space][space] as the source; and a “comma” as the replacement. Replace ALL
5. Select Column “A”
6. Select DATA/Text-to-Columns tool
7. Select data type DELIMITED/Comma; then
8. Select column “E” – format as data type DATE (mm/dd/yyyy)
9. Select column “F” – Format as data type TIME (hh:mm:sec AM)
10. Deal with any overflow into column “I” – delete data or edit USER name info and move into adjacent column value in column “H” (I simply delete it as needless info)
11. ADD a row “1” for column headers
13. Create a PIVOT TABLE report
a – select DATA/Pivot Table & Chart Report to launch the wizard
b – on screen 1 of 3 in the wizard
c – Select (or verify that it’s already selected) the entire worksheet data range on screen 2 of 3
d – Select a location for the pivot table result set. I use cell “I2” in the current worksheet
e – Select “Layout” button on screen 3 of 3
f – drag the object “VIRUS” (assuming this is the name you gave the virus name column) to DATA area to get a COUNT of each virus; and to the ROW location to get the virus name into the result table
g – click on 3 of 3 to place the pivot table into cell I2, and the resulting chart into a new worksheet
14. Doctor up the chart as desired (Bar, pie, etc)

You are DONE!! I suggest capturing this data on a weekly and monthly basis. When the desired data is collected into Excel, feel free to purge the original event log entries from the designated machine to keep the log size to a manageable size, for example on the 1st of the month. You can then start collecting data anew for the next month”
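The Excel steps quoted above can also be scripted. The following Python sketch is an added example, not part of the quoted post or of any Symantec or Microsoft tool. It assumes the column order in `FIELDS` (the post only fixes date, time and user positions), and the sample lines are constructed.

```python
from collections import Counter

# Assumed column order after the split. The post only fixes E=date, F=time
# and H=user; the other names, including "virus", are hypothetical.
FIELDS = ["alert", "virus", "computer", "file", "date", "time", "action", "user"]

# Constructed sample lines, not real EventCombMT output. colA..colE stand in
# for the five leading columns the post deletes as junk.
SAMPLE_LINES = [
    r"colA,colB,colC,colD,colE,Virus Found  Example.Virus.A  PC-014  C:\Temp\a.exe  03/02/2009  10:15:22 AM  Quarantined  CORP\jdoe",
    r"colA,colB,colC,colD,colE,Virus Found  Example.Worm.B  PC-020  C:\Temp\w.exe  03/02/2009  11:02:41 AM  Deleted  CORP\asmith",
    # A double space inside the user name causes the overflow from step 10.
    r"colA,colB,colC,colD,colE,Virus Found  Example.Virus.A  PC-031  C:\Temp\b.exe  03/03/2009  02:40:05 PM  Quarantined  CORP\j  smith",
    "colA,colB,truncated",  # malformed line, skipped
]
SAMPLE = "\n".join(SAMPLE_LINES)


def parse_line(line):
    """Return a dict for one export line, or None if it does not fit."""
    # Steps 2-3: everything after the fifth comma is the alert text.
    parts = line.rstrip("\n").split(",", 5)
    if len(parts) < 6:
        return None
    # Steps 4-7: a double space separates the fields inside the alert text.
    values = [v.strip() for v in parts[5].split("  ")]
    if len(values) < len(FIELDS):
        return None
    # Step 10: zip() stops at the user column, so overflow is dropped.
    return dict(zip(FIELDS, values))


def virus_counts(text):
    """Pivot-table equivalent: alert count per virus, most frequent first."""
    rows = (parse_line(l) for l in text.splitlines() if l.strip())
    return Counter(r["virus"] for r in rows if r).most_common()


if __name__ == "__main__":
    for name, count in virus_counts(SAMPLE):
        print(f"{count:5d}  {name}")
```

Adjust `FIELDS` to match the column order seen in your own export before relying on the counts.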

