Database_Schema_Reference_SEP11RU7MP1 by xiuliliaofz

VIEWS: 49 PAGES: 54

									 Product     Releases      Format Version    Database Version     Comment
                          (SemConfigRoot)   (SemLocalSettings)
SEP 5.0                 5.0.0
SEP 5.1                 5.1.0 - 5.1.X
Hamet 11.0 ET3          11.0.0.0            11.0.0.0
           RTM          11.0.0.1            11.0.0.1
           MR1          11.0.0.3            11.0.0.3
           MR2          11.0.0.4            11.0.0.4
           MR3-Beta     11.0.0.7            11.0.0.7
           MR3-RTM      11.0.1.0            11.0.1.0
           MR4          11.0.2.0            11.0.2.0
           MR4MP1       11.0.2.1            11.0.2.1
           MR4MP2       11.0.2.2            11.0.2.2
           MR4MP3       11.0.2.4            11.0.2.4
           MR5          11.0.3.0            11.0.3.0
           MR6          11.0.6.0            11.0.6.0
           MR7          11.0.7.0            11.0.7.0

SBE 12     DietCoke
SEPM 12    Amber        12.1.0.0            12.1.0.0             Alpha
                        12.1.0.1            12.1.0.1             beta1
                        12.1.0.2            12.1.0.2             beta2
                        12.1.0.3            12.1.0.3             RC
            Symantec Corp Confidential                                                                  SEP Table List                                                                        3/3/2012 Page 2
                                                                                                                  Backup                     Replication                                  File Groups
                                                                                                                           When Log option                 When Log option is             FG_CONTEN FG_LOGINF   FG_RPTINF
Table or View Name           Type
                                     Comment                                                                   Always        is enabled      Always            enabled          Primary         T       O           O
                                     Lists and defines the meanings of the antivirus remediation action
ACTUALACTION                 Table   integers. The action integers are the actions that the antivirus engine     X                                                                X
                                     can take when dealing with a threat.
ADMINUSER                    Table   A list of reporting administrators.                                         X                                                                X
AGENT_BEHAVIOR_LOG_1         Table   Keeps client activities that occur in agents                                                X                                 X                                    X
AGENT_BEHAVIOR_LOG_2         Table   Keeps client activities that occur in agents                                                X                                 X                                    X
AGENT_PACKET_LOG_1           Table   Keeps packet traffic that occur in agents                                                   X                                 X                                    X
AGENT_PACKET_LOG_2           Table   Keeps packet traffic that occur in agents                                                   X                                 X                                    X
AGENT_SECURITY_LOG_1         Table   Keeps security events that occur in agents                                                  X                                 X                                    X
AGENT_SECURITY_LOG_2         Table   Keeps security events that occur in agents                                                  X                                 X                                    X
AGENT_SYSTEM_LOG_1           Table   Keeps system traffic that occur in agents                                                   X                                 X                                    X
AGENT_SYSTEM_LOG_2           Table   Keeps system traffic that occur in agents                                                   X                                 X                                    X
AGENT_TRAFFIC_LOG_1          Table   Keeps network traffic that occur in agents                                                  X                                 X                                    X
AGENT_TRAFFIC_LOG_2          Table   Keeps network traffic that occur in agents                                                  X                                 X                                    X
AGENTCONFIG                  Table   Not used.                                                                   X                                                                X
AGENTSTATUS                  Table   The status of SEPM server tasks.                                            X                                                                                                 X
ALERTFILTER                  Table   The administrator-defined filters for the notification log.                 X                             X                                  X
                                     Lists and defines the meanings of the events possible for the Risk and
ALERTMSG                     Table
                                     Proactive Threat Protection (TruScan) Log                                   X                                                                X
ALERTS                       Table   Keeps the risk and Proactive Threat Protection (TruScan) events                             X                                 X                                    X
ANOMALYDETECTION             Table   Keeps the antivirus detection events                                                        X                                 X                                    X
ANOMALYDETECTIONOPERATION    Table   Lists and defines what a detection can possible find                        X                                                                X
ANOMALYDETECTIONS            Table   Keeps the client to detection event mappings                                                X                                 X                                    X
ANOMALYDETECTIONTYPE         Table   Lists and defines the kinds of objects that detections work on              X                                                                X
ANOMALYREMEDIATION           Table   Keeps the antivirus remediation events                                                      X                                 X                                    X
ANOMALYREMEDIATIONOPERATION Table    Lists and defines what a remediation can possibly do                        X                                                                X
ANOMALYREMEDIATIONS          Table   Keeps the client to remediation event mappings                                              X                                 X                                    X
ANOMALYREMEDIATIONTYPE       Table   Lists and defines the kinds of objects that remediations work on            X                                                                X
AUDIT_REPORT                 Table   Keeps the administrator-defined filters for the Audit log                   X                             X                                  X
BASIC_METADATA               Table   Keeps policy and various server settings                                    X                             X                                  X
BEHAVIOR_REPORT              Table
                                     Keeps the administrator-defined filters for the Application Control log     X                             X                                  X
BINARY_FILE                  Table   Keeps all binary files                                                      X                             X                                              X
COMMAND                      Table   Keeps the Command status for agents                                         X                             X                                                        X
COMMAND_REPORT               Table
                                     Keeps the administrator-defined filters for the Command details log         X                             X                                  X
                                     Keeps the administrator-defined filters for the Device Control log, the
COMPLIANCE_REPORT            Table
                                     NTP Attacks log, and all the Compliance logs                                X                             X                                  X
COMPUTER_APPLICATION         Table   Keeps all applications used in agents                                       X                             X                                  X
DATA_HANDLER                 Table   Keeps the list of registered log handlers                                   X                                                                X
DUMMY                        Table   Dummy table for internal use                                                                                                                 X
ENFORCER_CLIENT_LOG_1        Table   Keeps client activities that occur in Enforcers                                             X                                 X                                    X
ENFORCER_CLIENT_LOG_2        Table   Keeps client activities that occur in Enforcers                                             X                                 X                                    X
ENFORCER_SYSTEM_LOG_1        Table   Keeps client system activities that occur in Enforcers                                      X                                 X                                    X
ENFORCER_SYSTEM_LOG_2        Table   Keeps client system activities that occur in Enforcers                                      X                                 X                                    X
ENFORCER_TRAFFIC_LOG_1       Table   Keeps client traffic activities that occur in Enforcers                                     X                                 X                                    X
ENFORCER_TRAFFIC_LOG_2       Table   Keeps client traffic activities that occur in Enforcers                                     X                                 X                                    X
                                     Keeps the administrator-defined filters for the NTP Traffic and Packets
FIREWALL_REPORT              Table
                                     logs                                                                        X                             X                                  X
GUIPARMS                     Table   Keeps parameters used in the console GUI                                    X                             X                                  X
GUP_LIST                     Table   Keeps the list for Group Update Provider (GUP)                              X                             X                                  X
HISTORY                      Table   Keeps data snapshots used in reporting                                      X                                                                                                 X
HISTORYCONFIG                Table   Keeps scheduled report configuration information                            X                             X                                  X
HOMEPAGECONFIG               Table   Keeps administrator-specific preferences                                    X                             X                                  X
HPP_ALERTS                   Table   Keeps Proactive Threat Protection (TruScan) event information                               X                                 X                                               X
HPP_APPLICATION              Table   Keeps applications detected by TruScan                                      X                             X                                                                   X
IDENTITY_MAP                 Table   Keeps mapping of object ID and its name                                     X                                                                X
INVENTORYCURRENTRISK         Table   Keeps the client to infected threat events mapping                                          X                                 X                                               X
INVENTORYCURRENTVIRUS        Table   Keeps the client to infected virus events mapping                                           X                                 X                                               X
INVENTORYREPORT              Table   Keeps the administrator-defined filters for the Computer Status log         X                             X                                  X
LAN_DEVICE_DETECTED          Table   Keeps LAN devices info detected by LAN sensors                                                            X                                  X
LAN_DEVICE_EXCLUDED          Table   Keeps known LAN devices info                                                                              X                                  X
LEGACY_AGENT                 Table   Keeps legacy agent information                                              X                             X                                  X
LOCAL_METADATA               Table   Keeps various local settings                                                X                                                                X
LOG_CONFIG                   Table   Keeps logs settings for switching log tables                                X                                                                X
NETWORK_SCAN                 Table   Keeps temporary data for network scan                                                                                                        X
NETWORK_SCAN_RESULT          Table   Keeps temporary result data for network scan                                                                                                 X
NOTIFICATION                 Table   Keeps the notification events                                               X                             X                                  X
NOTIFICATIONALERTS           Table   Keeps the notification conditions                                                           X                                 X                                    X
PATTERN                      Table   Keeps the content versions that the clients are using                       X                             X                                  X
PROCESS_STATE                Table   Synchronize SEPM processes                                                                                                                   X
REPORTS                      Table   Not used.                                                                                                                                    X
SCANREPORT                   Table   Keeps the administrator-defined filters for the Scan log                    X                             X                                  X
SCANS                        Table   Keeps the antivirus scan events                                                             X                                 X                                    X
SCFINVENTORY                 Table   Not used.                                                                   X                             X                                  X
SE_GLOBAL                    Table   Keeps system sequence number                                                X                                                                X
SEM_AGENT                    Table   Keeps agents information                                                    X                             X                                  X
SEM_APPLICATION              Table   Keeps all applications information                                          X                             X                                  X
SEM_CLIENT                   Table   Keeps clients information                                                   X                             X                                  X
SEM_COMPLIANCE_CRITERIA      Table   Keeps the host compliance event details                                                     X                                 X                                    X
SEM_COMPUTER                 Table   Keeps computers information                                                 X                             X                                  X
SEM_CONTENT                  Table   Keeps the client to content mapping                                         X                             X                                                                   X
SEM_JOB                      Table   Keeps job name for Command process                                          X                             X                                                                   X
SERIAL_NUMBERS               Table   Internal temporary table                                                                                                                     X
SERVER_ADMIN_LOG_1           Table   Keeps administrator activities that occur in server                                         X                                 X                                    X
           Symantec Corp Confidential                                                                SEP Table List                                                                        3/3/2012 Page 3
                                                                                                               Backup                     Replication                                  File Groups
                                                                                                                        When Log option                 When Log option is             FG_CONTEN FG_LOGINF   FG_RPTINF
Table or View Name          Type
                                    Comment                                                                 Always        is enabled      Always            enabled          Primary         T       O           O
SERVER_ADMIN_LOG_2          Table   Keeps administrator activities that occur in server                                       X                                 X                                    X
SERVER_CLIENT_LOG_1         Table   Keeps client activities that occur in server                                              X                                 X                                    X
SERVER_CLIENT_LOG_2         Table   Keeps client activities that occur in server                                              X                                 X                                    X
SERVER_ENFORCER_LOG_1       Table   Keeps Enforcer activities that occur in server                                            X                                 X                                    X
SERVER_ENFORCER_LOG_2       Table   Keeps Enforcer activities that occur in server                                            X                                 X                                    X
SERVER_POLICY_LOG_1         Table   Keeps policy change activities that occur in server                                       X                                 X                                    X
SERVER_POLICY_LOG_2         Table   Keeps policy change activities that occur in server                                       X                                 X                                    X
SERVER_SYSTEM_LOG_1         Table   Keeps system activities that occur in server                                              X                                 X                                    X
SERVER_SYSTEM_LOG_2         Table   Keeps system activities that occur in server                                              X                                 X                                    X
SYSTEM_REPORT               Table   Keeps the administrator-defined filters for the System logs               X                             X                                  X
SYSTEM_STATE                Table   Keeps administrator and site health status information                    X                             X                                  X
THREATREPORT                Table
                                    Keeps the administrator-defined filters for the Risk and TruScan logs     X                             X                                  X
VERSION                     Table   Keeps the schema version information                                      X                                                                X
VIRUS                       Table   Keeps the list of threats found in the network                            X                                                 X                                               X
VIRUSCATEGORY               Table   Lists and defines all possible kinds of threats                           X                                                                X
V_AGENT_BEHAVIOR_LOG        View    Query client activities for agents
V_AGENT_PACKET_LOG          View    Query packet traffic events for agents
V_AGENT_SECURITY_LOG        View    Query security events for agents
V_AGENT_SYSTEM_LOG          View    Query system events for agents
V_AGENT_TRAFFIC_LOG         View    Query traffic events for agents
                                    Query risk and TruScan events with human-readable IP address
V_ALERTS                    View
                                    information
V_ENFORCER_CLIENT_LOG       View    Query client activities for Enforcers
V_ENFORCER_SYSTEM_LOG       View    Query system activities for Enforcers
V_ENFORCER_TRAFFIC_LOG      View    Query traffic activities for Enforcers

V_LAN_DEVICE_DETECTED       View
                                    Query detected devices with human-readable IP address information

V_LAN_DEVICE_EXCLUDED       View
                                    Query known devices with human-readable IP address information
                                    Query network scan results with human-readable IP address
V_NETWORK_SCAN_RESULT       View
                                    information
V_SECURITY_VIEW             View    Query cross-technology security events
                                    Query computer information with human-readable IP address
V_SEM_COMPUTER              View
                                    information
V_SERVER_ADMIN_LOG          View    Query administrator activities for servers
V_SERVER_CLIENT_LOG         View    Query client activities for servers
V_SERVER_ENFORCER_LOG       View    Query Enforcer activities for servers
V_SERVER_POLICY_LOG         View    Query policy change activities for servers
V_SERVER_SYSTEM_LOG         View    Query system activities for servers
Symantec Corp Confidential                                          SEP Index List                                                                      3/3/2012 Page 4
Table Name                   Index Name                                      index_description                                       index_keys
ACTUALACTION                 PK_ACTUALACTION                                 nonclustered, unique, primary key located on FG_INDEX   ACTUALACTION_IDX
ADMINUSER                    PK_ADMINUSER                                    nonclustered, unique, primary key located on FG_INDEX   USER_ID
AGENT_BEHAVIOR_LOG_1         I_AGENT_BEHAVIOR_LOG_1                          nonclustered located on FG_INDEX                        USN
AGENT_BEHAVIOR_LOG_1         I_AGENT_BEHAVIOR_LOG_1_ID                       nonclustered located on FG_INDEX                        EVENT_ID
AGENT_BEHAVIOR_LOG_1         I_AGENT_BEHAVIOR_LOG_1_LOG_IDX                  nonclustered located on FG_INDEX                        LOG_IDX
AGENT_BEHAVIOR_LOG_1         I_AGENT_BEHAVIOR_LOG_1_TIME                     nonclustered located on FG_INDEX                        EVENT_TIME
AGENT_BEHAVIOR_LOG_1         I_AGENT_BEHAVIOR_LOG_1_TS                       nonclustered located on FG_INDEX                        TIME_STAMP
AGENT_BEHAVIOR_LOG_2         I_AGENT_BEHAVIOR_LOG_2                          nonclustered located on FG_INDEX                        USN
AGENT_BEHAVIOR_LOG_2         I_AGENT_BEHAVIOR_LOG_2_ID                       nonclustered located on FG_INDEX                        EVENT_ID
AGENT_BEHAVIOR_LOG_2         I_AGENT_BEHAVIOR_LOG_2_LOG_IDX                  nonclustered located on FG_INDEX                        LOG_IDX
AGENT_BEHAVIOR_LOG_2         I_AGENT_BEHAVIOR_LOG_2_TIME                     nonclustered located on FG_INDEX                        EVENT_TIME
AGENT_BEHAVIOR_LOG_2         I_AGENT_BEHAVIOR_LOG_2_TS                       nonclustered located on FG_INDEX                        TIME_STAMP
AGENT_PACKET_LOG_1           I_AGENT_PACKET_LOG_1                            nonclustered located on FG_INDEX                        USN
AGENT_PACKET_LOG_1           I_AGENT_PACKET_LOG_1_ALERT                      nonclustered located on FG_INDEX                        ALERT
AGENT_PACKET_LOG_1           I_AGENT_PACKET_LOG_1_ID                         nonclustered located on FG_INDEX                        EVENT_ID
AGENT_PACKET_LOG_1           I_AGENT_PACKET_LOG_1_LOG_IDX                    nonclustered located on FG_INDEX                        LOG_IDX
AGENT_PACKET_LOG_1           I_AGENT_PACKET_LOG_1_TIME                       nonclustered located on FG_INDEX                        EVENT_TIME
AGENT_PACKET_LOG_1           I_AGENT_PACKET_LOG_1_TS                         nonclustered located on FG_INDEX                        TIME_STAMP
AGENT_PACKET_LOG_2           I_AGENT_PACKET_LOG_2                            nonclustered located on FG_INDEX                        USN
AGENT_PACKET_LOG_2           I_AGENT_PACKET_LOG_2_ALERT                      nonclustered located on FG_INDEX                        ALERT
AGENT_PACKET_LOG_2           I_AGENT_PACKET_LOG_2_ID                         nonclustered located on FG_INDEX                        EVENT_ID
AGENT_PACKET_LOG_2           I_AGENT_PACKET_LOG_2_LOG_IDX                    nonclustered located on FG_INDEX                        LOG_IDX
AGENT_PACKET_LOG_2           I_AGENT_PACKET_LOG_2_TIME                       nonclustered located on FG_INDEX                        EVENT_TIME
AGENT_PACKET_LOG_2           I_AGENT_PACKET_LOG_2_TS                         nonclustered located on FG_INDEX                        TIME_STAMP
AGENT_SECURITY_LOG_1         I_AGENT_SECURITY_LOG_1                          nonclustered located on FG_INDEX                        USN
AGENT_SECURITY_LOG_1         I_AGENT_SECURITY_LOG_1_AGENT_SECURITY_LOG_IDX   nonclustered located on FG_INDEX                        AGENT_SECURITY_LOG_IDX
AGENT_SECURITY_LOG_1         I_AGENT_SECURITY_LOG_1_ID                       nonclustered located on FG_INDEX                        EVENT_ID
AGENT_SECURITY_LOG_1         I_AGENT_SECURITY_LOG_1_SEV                      nonclustered located on FG_INDEX                        SEVERITY
AGENT_SECURITY_LOG_1         I_AGENT_SECURITY_LOG_1_TIME                     nonclustered located on FG_INDEX                        EVENT_TIME
AGENT_SECURITY_LOG_1         I_AGENT_SECURITY_LOG_1_TS                       nonclustered located on FG_INDEX                        TIME_STAMP
AGENT_SECURITY_LOG_2         I_AGENT_SECURITY_LOG_2                          nonclustered located on FG_INDEX                        USN
AGENT_SECURITY_LOG_2         I_AGENT_SECURITY_LOG_2_AGENT_SECURITY_LOG_IDX   nonclustered located on FG_INDEX                        AGENT_SECURITY_LOG_IDX
AGENT_SECURITY_LOG_2         I_AGENT_SECURITY_LOG_2_ID                       nonclustered located on FG_INDEX                        EVENT_ID
AGENT_SECURITY_LOG_2         I_AGENT_SECURITY_LOG_2_SEV                      nonclustered located on FG_INDEX                        SEVERITY
AGENT_SECURITY_LOG_2         I_AGENT_SECURITY_LOG_2_TIME                     nonclustered located on FG_INDEX                        EVENT_TIME
AGENT_SECURITY_LOG_2         I_AGENT_SECURITY_LOG_2_TS                       nonclustered located on FG_INDEX                        TIME_STAMP
AGENT_SYSTEM_LOG_1           I_AGENT_SYSTEM_LOG_1                            nonclustered located on FG_INDEX                        USN
AGENT_SYSTEM_LOG_1           I_AGENT_SYSTEM_LOG_1_ID                         nonclustered located on FG_INDEX                        EVENT_ID
AGENT_SYSTEM_LOG_1           I_AGENT_SYSTEM_LOG_1_LOG_IDX                    nonclustered located on FG_INDEX                        LOG_IDX
AGENT_SYSTEM_LOG_1           I_AGENT_SYSTEM_LOG_1_SEV                        nonclustered located on FG_INDEX                        SEVERITY
AGENT_SYSTEM_LOG_1           I_AGENT_SYSTEM_LOG_1_TIME                       nonclustered located on FG_INDEX                        EVENT_TIME
AGENT_SYSTEM_LOG_1           I_AGENT_SYSTEM_LOG_1_TS                         nonclustered located on FG_INDEX                        TIME_STAMP
AGENT_SYSTEM_LOG_2           I_AGENT_SYSTEM_LOG_2                            nonclustered located on FG_INDEX                        USN
AGENT_SYSTEM_LOG_2           I_AGENT_SYSTEM_LOG_2_ID                         nonclustered located on FG_INDEX                        EVENT_ID
AGENT_SYSTEM_LOG_2           I_AGENT_SYSTEM_LOG_2_LOG_IDX                    nonclustered located on FG_INDEX                        LOG_IDX
AGENT_SYSTEM_LOG_2           I_AGENT_SYSTEM_LOG_2_SEV                        nonclustered located on FG_INDEX                        SEVERITY
AGENT_SYSTEM_LOG_2           I_AGENT_SYSTEM_LOG_2_TIME                       nonclustered located on FG_INDEX                        EVENT_TIME
AGENT_SYSTEM_LOG_2           I_AGENT_SYSTEM_LOG_2_TS                         nonclustered located on FG_INDEX                        TIME_STAMP
AGENT_TRAFFIC_LOG_1          I_AGENT_TRAFFIC_LOG_1                           nonclustered located on FG_INDEX                        USN
AGENT_TRAFFIC_LOG_1          I_AGENT_TRAFFIC_LOG_1_ALERT                     nonclustered located on FG_INDEX                        ALERT
AGENT_TRAFFIC_LOG_1          I_AGENT_TRAFFIC_LOG_1_ID                        nonclustered located on FG_INDEX                        EVENT_ID
AGENT_TRAFFIC_LOG_1          I_AGENT_TRAFFIC_LOG_1_LOG_IDX                   nonclustered located on FG_INDEX                        LOG_IDX
AGENT_TRAFFIC_LOG_1          I_AGENT_TRAFFIC_LOG_1_TIME                      nonclustered located on FG_INDEX                        EVENT_TIME
AGENT_TRAFFIC_LOG_1          I_AGENT_TRAFFIC_LOG_1_TS                        nonclustered located on FG_INDEX                        TIME_STAMP
AGENT_TRAFFIC_LOG_2          I_AGENT_TRAFFIC_LOG_2                           nonclustered located on FG_INDEX                        USN
AGENT_TRAFFIC_LOG_2          I_AGENT_TRAFFIC_LOG_2_ALERT                     nonclustered located on FG_INDEX                        ALERT
AGENT_TRAFFIC_LOG_2          I_AGENT_TRAFFIC_LOG_2_ID                        nonclustered located on FG_INDEX                        EVENT_ID
AGENT_TRAFFIC_LOG_2          I_AGENT_TRAFFIC_LOG_2_LOG_IDX                   nonclustered located on FG_INDEX                        LOG_IDX
AGENT_TRAFFIC_LOG_2          I_AGENT_TRAFFIC_LOG_2_TIME                      nonclustered located on FG_INDEX                        EVENT_TIME
AGENT_TRAFFIC_LOG_2          I_AGENT_TRAFFIC_LOG_2_TS                        nonclustered located on FG_INDEX                        TIME_STAMP
AGENTCONFIG                  PK_AGENTCONFIG                                  nonclustered, unique, primary key located on FG_INDEX   IDX
AGENTSTATUS                  PK_AGENTSTATUS                                  nonclustered, unique, primary key located on FG_INDEX   IDX
ALERTFILTER                  PK_ALERTFILTER                                  nonclustered, unique, primary key located on FG_INDEX   ALERTFILTER_IDX
ALERTMSG                     PK_ALERTMSG                                     nonclustered, unique, primary key located on FG_INDEX   ALERT_IDX
ALERTS                       IDX_ACTUALACTIONALERTS                          nonclustered located on FG_INDEX                        ACTUALACTION_IDX
ALERTS                       IDX_ALERT                                       nonclustered located on FG_INDEX                        ALERT_IDX, DELETED
ALERTS                       IDX_ALERTDATETIME                               nonclustered located on FG_INDEX                        ALERTDATETIME
ALERTS                       IDX_ALERTINSERTTIME                             nonclustered located on FG_INDEX                        ALERTINSERTTIME
ALERTS                       IDX_CLIENTGROUP                                 nonclustered located on FG_INDEX                        CLIENTGROUP_IDX
ALERTS                       IDX_COMPUTER                                    nonclustered located on FG_INDEX                        COMPUTER_IDX
ALERTS                       IDX_HPP_APP                                     nonclustered located on FG_INDEX                        HPP_APP_IDX
ALERTS                       IDX_LASTLOGSESSIONGUID                          nonclustered located on FG_INDEX                        LAST_LOG_SESSION_GUID
ALERTS                       IDX_MOTHER                                      nonclustered located on FG_INDEX                        MOTHER_IDX, DELETED
ALERTS                       IDX_PARENTSERVER                                nonclustered located on FG_INDEX                        PARENTSERVER_IDX
ALERTS                       IDX_REQUESTEDACTION                             nonclustered located on FG_INDEX                        REQUESTEDACTION_IDX
ALERTS                       IDX_SERVERGROUP                                 nonclustered located on FG_INDEX                        SERVERGROUP_IDX
ALERTS                       IDX_VIRUSNAME                                   nonclustered located on FG_INDEX                        VIRUSNAME_IDX
ALERTS                       PK_ALERTS                                       nonclustered, unique, primary key located on FG_INDEX   IDX
                                                                                                                                     MOTHER_IDX, DELETED, IDX, COMPUTER_IDX,
ALERTS                       I_ALERTS_FORHOMEPAGE                            nonclustered located on FG_INDEX                        ALERT_IDX, VIRUSNAME_IDX, SERVERGROUP_IDX,
                                                                                                                                     CLIENTGROUP_IDX, NOOFVIRUSES
                                                                                                                                     HPP_APP_IDX, COMPUTER_IDX, MOTHER_IDX,
                                                                                                                                     DELETED, ALERT_IDX, ALERTDATETIME,
ALERTS                       I_ALERTS_HPP_APP_IDX_PLUS                       nonclustered located on FG_INDEX
                                                                                                                                     VIRUSNAME_IDX, SOURCE, SERVERGROUP_IDX,
                                                                                                                                     CLIENTGROUP_IDX, PARENTSERVER_IDX, IDX
                                                                                                                                     VIRUSNAME_IDX, ALERT_IDX, ALERTDATETIME,
ALERTS                       I_ALERTS_VIRUSNAME_IDX_PLUS                     nonclustered located on FG_INDEX
                                                                                                                                     SOURCE
ANOMALYDETECTION             PK_ANOMALYDETECTION                             nonclustered, unique, primary key located on FG_INDEX   ANOMALY_DETECTION_IDX
                                                                                                                                     ANOMALY_DETECTION_OPERATION_ID,
ANOMALYDETECTION             I_ANOMALYDETECTION_ID_TYPE                      nonclustered located on FG_INDEX                        ANOMALY_DETECTION_TYPE_ID,
                                                                                                                                     ACTION_OPERAND_HASH
ANOMALYDETECTIONOPERATION    PK_ANOMALYDETECTIONOPERATION                    nonclustered, unique, primary key located on FG_INDEX   DETECTION_OPERATION_ID
ANOMALYDETECTIONS            IDX_ALERT_ANOMALYDETECTIONS                     nonclustered located on FG_INDEX                        ALERT_EVENT_IDX, ANOMALY_DETECTION_IDX
ANOMALYDETECTIONS            IDX_LOGSESSIONGUID_ANOMALYDETECTIONS            nonclustered located on FG_INDEX                        LOG_SESSION_GUID
ANOMALYDETECTIONS            PK_ANOMALYDETECTIONS                            nonclustered located on FG_INDEX                        ID
ANOMALYDETECTIONTYPE         PK_ANOMALYDETECTIONTYPE                         nonclustered, unique, primary key located on FG_INDEX   DETECTION_TYPE_ID
ANOMALYREMEDIATION           PK_ANOMALYREMEDIATION                           nonclustered, unique, primary key located on FG_INDEX   ANOMALY_REMEDIATION_IDX
Symantec Corp Confidential                                         SEP Index List                                                                   3/3/2012 Page 5
Table Name                    Index Name                                 index_description                                       index_keys
                                                                                                                                 ANOMALY_REMEDIATION_OPERATION_ID,
ANOMALYREMEDIATION            I_ANOMALYREMEDIATION_ID_TYPE               nonclustered located on FG_INDEX                        ANOMALY_REMEDIATION_TYPE_ID,
                                                                                                                                 ACTION_OPERAND_HASH
ANOMALYREMEDIATIONOPERATION   PK_ANOMALYREMEDIATIONOPERATION             nonclustered, unique, primary key located on FG_INDEX   REMEDIATION_OPERATION_ID
ANOMALYREMEDIATIONS           IDX_ALERT_ANOMALYREMEDIATIONS              nonclustered located on FG_INDEX                        ALERT_EVENT_IDX, ANOMALY_REMEDIATION_IDX
ANOMALYREMEDIATIONS           IDX_LOGSESSIONGUID_ANOMALYREMEDIATIONS     nonclustered located on FG_INDEX                        LOG_SESSION_GUID
ANOMALYREMEDIATIONS           PK_ANOMALYREMEDIATIONS                     nonclustered located on FG_INDEX                        ID
ANOMALYREMEDIATIONTYPE        PK_ANOMALYREMEDIATIONTYPE                  nonclustered, unique, primary key located on FG_INDEX   REMEDIATION_TYPE_ID
AUDIT_REPORT                  PK_AUDITREPORT                             nonclustered, unique, primary key located on FG_INDEX   AUDITFILTER_IDX
BASIC_METADATA                I_BASIC_METADATA_OWNER                     nonclustered located on FG_INDEX                        OWNER
BASIC_METADATA                I_BASIC_METADATA_USN                       nonclustered located on FG_INDEX                        USN
BASIC_METADATA                PK_BASIC_METADATA                          nonclustered, unique, primary key located on FG_INDEX   ID
BEHAVIOR_REPORT               PK_BEHAVIORREPORT                          nonclustered, unique, primary key located on FG_INDEX   BEHAVIORFILTER_IDX
BINARY_FILE                   I_BINARY_FILE_USN                          nonclustered located on FG_INDEX                        USN
BINARY_FILE                   PK_BINARY_FILE                             nonclustered, unique, primary key located on FG_INDEX   ID
COMMAND                       PK_COMMAND                                 nonclustered, unique, primary key located on FG_INDEX   HARDWARE_KEY, COMMAND_ID
COMMAND_REPORT                PK_COMMANDREPORT                           nonclustered, unique, primary key located on FG_INDEX   COMMANDFILTER_IDX
COMPLIANCE_REPORT             PK_COMPLIANCEREPORT                        nonclustered, unique, primary key located on FG_INDEX   COMPLIANCEFILTER_IDX
COMPUTER_APPLICATION          I_COMPUTER_APPLICATION_CID                 nonclustered located on FG_INDEX                        COMPUTER_ID
COMPUTER_APPLICATION          I_COMPUTER_APPLICATION_DT                  nonclustered located on FG_INDEX                        DELETED, TIME_STAMP
COMPUTER_APPLICATION          I_COMPUTER_APPLICATION_USN                 nonclustered located on FG_INDEX                        USN
COMPUTER_APPLICATION          PK_COMPUTER_APPLICATION                    nonclustered, unique, primary key located on FG_INDEX   AGENT_ID, DOMAIN_ID, APP_HASH, LOCATION_ID
DATA_HANDLER                  PK_DATA_HANDLER                            nonclustered, unique, primary key located on FG_INDEX   IDX
ENFORCER_CLIENT_LOG_1         I_ENFORCER_CLIENT_LOG_1                    nonclustered located on FG_INDEX                        USN
ENFORCER_CLIENT_LOG_1         I_ENFORCER_CLIENT_LOG_1_ID                 nonclustered located on FG_INDEX                        EVENT_ID
ENFORCER_CLIENT_LOG_1         I_ENFORCER_CLIENT_LOG_1_LOG_IDX            nonclustered located on FG_INDEX                        LOG_IDX
ENFORCER_CLIENT_LOG_1         I_ENFORCER_CLIENT_LOG_1_TIME               nonclustered located on FG_INDEX                        EVENT_TIME
ENFORCER_CLIENT_LOG_2         I_ENFORCER_CLIENT_LOG_2                    nonclustered located on FG_INDEX                        USN
ENFORCER_CLIENT_LOG_2         I_ENFORCER_CLIENT_LOG_2_ID                 nonclustered located on FG_INDEX                        EVENT_ID
ENFORCER_CLIENT_LOG_2         I_ENFORCER_CLIENT_LOG_2_LOG_IDX            nonclustered located on FG_INDEX                        LOG_IDX
ENFORCER_CLIENT_LOG_2         I_ENFORCER_CLIENT_LOG_2_TIME               nonclustered located on FG_INDEX                        EVENT_TIME
ENFORCER_SYSTEM_LOG_1         I_ENFORCER_SYSTEM_LOG_1                    nonclustered located on FG_INDEX                        USN
ENFORCER_SYSTEM_LOG_1         I_ENFORCER_SYSTEM_LOG_1_ID                 nonclustered located on FG_INDEX                        EVENT_ID
ENFORCER_SYSTEM_LOG_1         I_ENFORCER_SYSTEM_LOG_1_LOG_IDX            nonclustered located on FG_INDEX                        LOG_IDX
ENFORCER_SYSTEM_LOG_1         I_ENFORCER_SYSTEM_LOG_1_TIME               nonclustered located on FG_INDEX                        EVENT_TIME
ENFORCER_SYSTEM_LOG_2         I_ENFORCER_SYSTEM_LOG_2                    nonclustered located on FG_INDEX                        USN
ENFORCER_SYSTEM_LOG_2         I_ENFORCER_SYSTEM_LOG_2_ID                 nonclustered located on FG_INDEX                        EVENT_ID
ENFORCER_SYSTEM_LOG_2         I_ENFORCER_SYSTEM_LOG_2_LOG_IDX            nonclustered located on FG_INDEX                        LOG_IDX
ENFORCER_SYSTEM_LOG_2         I_ENFORCER_SYSTEM_LOG_2_TIME               nonclustered located on FG_INDEX                        EVENT_TIME
ENFORCER_TRAFFIC_LOG_1        I_ENFORCER_TRAFFIC_LOG_1                   nonclustered located on FG_INDEX                        USN
ENFORCER_TRAFFIC_LOG_1        I_ENFORCER_TRAFFIC_LOG_1_LOG_IDX           nonclustered located on FG_INDEX                        LOG_IDX
ENFORCER_TRAFFIC_LOG_1        I_ENFORCER_TRAFFIC_LOG_1_TIME              nonclustered located on FG_INDEX                        EVENT_TIME
ENFORCER_TRAFFIC_LOG_2        I_ENFORCER_TRAFFIC_LOG_2                   nonclustered located on FG_INDEX                        USN
ENFORCER_TRAFFIC_LOG_2        I_ENFORCER_TRAFFIC_LOG_2_LOG_IDX           nonclustered located on FG_INDEX                        LOG_IDX
ENFORCER_TRAFFIC_LOG_2        I_ENFORCER_TRAFFIC_LOG_2_TIME              nonclustered located on FG_INDEX                        EVENT_TIME
FIREWALL_REPORT               PK_FIREWALLREPORT                          nonclustered, unique, primary key located on FG_INDEX   FIREWALLFILTER_IDX
GUIPARMS                      PK_GUIPARMS                                nonclustered, unique, primary key located on FG_INDEX   GUIPARMS_IDX
GUP_LIST                      I_GUP_LIST_COMPUTER                        nonclustered located on FG_INDEX                        COMPUTER_ID
GUP_LIST                      I_GUP_LIST_USN                             nonclustered located on FG_INDEX                        USN
GUP_LIST                      PK_GUP_LIST                                nonclustered, unique, primary key located on FG_INDEX   GUP_ID
HISTORY                       PK_HISTORY                                 nonclustered, unique, primary key located on FG_INDEX   HISTORY_IDX
HISTORYCONFIG                 PK_HISTORYCONFIG                           nonclustered, unique, primary key located on FG_INDEX   HISTORYCONFIG_IDX
HOMEPAGECONFIG                IDX_USER_ID                                nonclustered located on FG_INDEX                        USER_NAME
HOMEPAGECONFIG                PK_HOMEPAGECONFIG                          nonclustered, unique, primary key located on FG_INDEX   HOMEPAGECONFIG_IDX
HPP_ALERTS                    PK_HPP_ALERTS                              nonclustered, unique, primary key located on FG_INDEX   IDX
HPP_APPLICATION               I_HPP_APPLICATION_APP_HASH                 nonclustered located on FG_INDEX                        APP_HASH
HPP_APPLICATION               PK_HPP_APPLICATION                         nonclustered, unique, primary key located on FG_INDEX   APP_IDX
IDENTITY_MAP                  PK_IDENTITY_MAP                            nonclustered, unique, primary key located on FG_INDEX   ID
INVENTORYCURRENTRISK          PK_INVENTORYCURRENTRISK                    nonclustered, unique, primary key located on FG_INDEX   COMPUTER_IDX, ALERT_EVENT_IDX
INVENTORYCURRENTVIRUS         PK_INVENTORYCURRENTVIRUS                   nonclustered, unique, primary key located on FG_INDEX   COMPUTER_IDX, ALERT_EVENT_IDX
INVENTORYREPORT               PK_INVENTORYREPORT                         nonclustered, unique, primary key located on FG_INDEX   INVENTORYFILTER_IDX
LAN_DEVICE_DETECTED           I_LAN_DEVICE_DETECTED_USN                  nonclustered located on FG_INDEX                        USN
LAN_DEVICE_DETECTED           PK_LAN_DEVICE_DETECTED                     nonclustered, unique, primary key located on FG_INDEX   HASH, MAC_ADDRESS
LAN_DEVICE_DETECTED           I_LAN_DEVICE_DETECTED_MAC                  nonclustered located on FG_INDEX                        MAC_ADDRESS, DELETED
LAN_DEVICE_EXCLUDED           I_LAN_DEVICE_EXCLUDED_USN                  nonclustered located on FG_INDEX                        USN
LAN_DEVICE_EXCLUDED           PK_LAN_DEVICE_EXCLUDED                     nonclustered, unique, primary key located on FG_INDEX   EXCLUDED_ID
LEGACY_AGENT                  I_LEGACY_AGENT_USN                         nonclustered located on FG_INDEX                        USN
LEGACY_AGENT                  PK_LEGACY_AGENT                            nonclustered, unique, primary key located on FG_INDEX   LEGACY_AGENT_ID
LOCAL_METADATA                PK_LOCAL_METADATA                          nonclustered, unique, primary key located on FG_INDEX   ID
LOG_CONFIG                    PK_LOG_CONFIG                              nonclustered, unique, primary key located on FG_INDEX   LOG_TYPE
NETWORK_SCAN                  PK_NETWORK_SCAN                            nonclustered, unique, primary key located on FG_INDEX   ID
NETWORK_SCAN_RESULT           PK_NETWORK_SCAN_RESULT                     nonclustered, unique, primary key located on FG_INDEX   ID
NOTIFICATION                  PK_NOTIFICATION                            nonclustered, unique, primary key located on FG_INDEX   NOTAG_IDX
NOTIFICATIONALERTS            PK_NOTIFICATIONALERTS                      nonclustered, unique, primary key located on FG_INDEX   IDX
PATTERN                       I_PATTERN_CMONIKER                         clustered located on FG_INDEX                           CLIENT_MONIKER, PATTERN_IDX
PATTERN                       IDX_SEQUENCE                               nonclustered located on FG_INDEX                        SEQUENCE
PATTERN                       PK_PATTERN                                 nonclustered, unique, primary key located on FG_INDEX   PATTERN_IDX
PROCESS_STATE                 PK_PROCESS_STATE                           nonclustered, unique, primary key located on FG_INDEX   ID
REPORTS                       PK_REPORTS                                 nonclustered, unique, primary key located on FG_INDEX   ID
SCANREPORT                    PK_SCANREPORT                              nonclustered, unique, primary key located on FG_INDEX   SCANFILTER_IDX
SCANS                         IDX_CLIENTGROUP                            nonclustered located on FG_INDEX                        CLIENTGROUP_IDX
SCANS                         IDX_COMPUTER                               nonclustered located on FG_INDEX                        COMPUTER_IDX
SCANS                         IDX_PARENTSERVER                           nonclustered located on FG_INDEX                        PARENTSERVER_IDX
SCANS                         IDX_SERVERGROUP                            nonclustered located on FG_INDEX                        SERVERGROUP_IDX
SCANS                         IDX_STATUS                                 nonclustered located on FG_INDEX                        STATUS
SCANS                         PK_SCANS                                   nonclustered, unique, primary key located on FG_INDEX   SCAN_IDX
                                                                                                                                 COMPUTER_IDX, SCAN_ID, SCAN_IDX,
SCANS                         IDX_COMPUTER_SCANID                        nonclustered located on FG_INDEX
                                                                                                                                 STARTDATETIME
SCFINVENTORY                  PK_SCFINVENTORY                            nonclustered, unique, primary key located on FG_INDEX   AGENT_ID
SEM_AGENT                     I_SEM_AGENT_COMP                           nonclustered located on FG_INDEX                        COMPUTER_ID, R_OS_TYPE
SEM_AGENT                     I_SEM_AGENT_GRP                            nonclustered located on FG_INDEX                        GROUP_ID
SEM_AGENT                     I_SEM_AGENT_RT                             nonclustered located on FG_INDEX                        DELETED, LAST_SITE_ID
SEM_AGENT                     I_SEM_AGENT_RT_ON                          nonclustered located on FG_INDEX                        DELETED, LAST_SITE_ID, STATUS
SEM_AGENT                     I_SEM_AGENT_USN                            nonclustered located on FG_INDEX                        USN
SEM_AGENT                     PK_SEM_AGENT                               nonclustered, unique, primary key located on FG_INDEX   AGENT_ID
SEM_AGENT                     I_SEM_AGENT_ID_PLUS                        nonclustered located on FG_INDEX                        AGENT_ID, R_OS_TYPE, DELETED
SEM_APPLICATION               I_SEM_APPLICATION_USN                      nonclustered located on FG_INDEX                        USN
SEM_APPLICATION               PK_SEM_APPLICATION                         nonclustered, unique, primary key located on FG_INDEX   DOMAIN_ID, APP_HASH
SEM_CLIENT                    I_SEM_CLIENT_CNAME                         nonclustered located on FG_INDEX                        COMPUTER_NAME, COMPUTER_DOMAIN_NAME
Symantec Corp Confidential                                     SEP Index List                                                                  3/3/2012 Page 6
Table Name                   Index Name                              index_description                                       index_keys
SEM_CLIENT                   I_SEM_CLIENT_COMP                       nonclustered located on FG_INDEX                        COMPUTER_ID
SEM_CLIENT                   I_SEM_CLIENT_DOM                        nonclustered located on FG_INDEX                        DOMAIN_ID
SEM_CLIENT                   I_SEM_CLIENT_GRP                        nonclustered located on FG_INDEX                        GROUP_ID
SEM_CLIENT                   I_SEM_CLIENT_HWK                        nonclustered located on FG_INDEX                        HARDWARE_KEY
SEM_CLIENT                   I_SEM_CLIENT_UNAME                      nonclustered located on FG_INDEX                        USER_NAME, USER_DOMAIN_NAME
SEM_CLIENT                   I_SEM_CLIENT_USN                        nonclustered located on FG_INDEX                        USN
SEM_CLIENT                   PK_SEM_CLIENT                           nonclustered, unique, primary key located on FG_INDEX   CLIENT_ID
SEM_CLIENT                   I_SEM_CLIENT_HASH                       nonclustered located on FG_INDEX                        HASH
SEM_COMPLIANCE_CRITERIA      I_SEM_COMPLIANCE_CRITERIA               nonclustered located on FG_INDEX                        CRITERIA
SEM_COMPLIANCE_CRITERIA      I_SEM_COMPLIANCE_DT                     nonclustered located on FG_INDEX                        DELETED, TIME_STAMP
SEM_COMPLIANCE_CRITERIA      I_SEM_COMPLIANCE_RESULT                 nonclustered located on FG_INDEX                        RESULT
SEM_COMPLIANCE_CRITERIA      I_SEM_COMPLIANCE_RULE_TYPE              nonclustered located on FG_INDEX                        RULE_TYPE
SEM_COMPLIANCE_CRITERIA      I_SEM_COMPLIANCE_SEC_LOG                nonclustered located on FG_INDEX                        AGENT_SECURITY_LOG_IDX
SEM_COMPLIANCE_CRITERIA      PK_SEM_COMPLIANCE_CRITERIA              nonclustered, unique, primary key located on FG_INDEX   CRITERIA_IDX
SEM_COMPUTER                 I_SEM_COMPUTER_DOM                      nonclustered located on FG_INDEX                        DOMAIN_ID, DELETED
SEM_COMPUTER                 I_SEM_COMPUTER_HWK                      nonclustered located on FG_INDEX                        HARDWARE_KEY
SEM_COMPUTER                 I_SEM_COMPUTER_USN                      nonclustered located on FG_INDEX                        USN
SEM_COMPUTER                 PK_SEM_COMPUTER                         nonclustered, unique, primary key located on FG_INDEX   COMPUTER_ID
                                                                                                                             COMPUTER_ID, COMPUTER_NAME, DELETED,
SEM_COMPUTER                 I_SEM_COMPUTER_ID_PLUS                  nonclustered located on FG_INDEX
                                                                                                                             IP_ADDR1
SEM_COMPUTER                 I_SEM_COMPUTER_MAC_ADDR1                nonclustered located on FG_INDEX                        MAC_ADDR1
SEM_COMPUTER                 I_SEM_COMPUTER_MAC_ADDR2                nonclustered located on FG_INDEX                        MAC_ADDR2
SEM_COMPUTER                 I_SEM_COMPUTER_MAC_ADDR3                nonclustered located on FG_INDEX                        MAC_ADDR3
SEM_COMPUTER                 I_SEM_COMPUTER_MAC_ADDR4                nonclustered located on FG_INDEX                        MAC_ADDR4
SEM_CONTENT                  PK_SEM_CONTENT                          nonclustered, unique, primary key located on FG_INDEX   AGENT_ID, PATTERN_IDX
SEM_JOB                      PK_SEM_JOB                              nonclustered, unique, primary key located on FG_INDEX   COMMAND_ID
SERIAL_NUMBERS               PK_SERIAL_NUMBERS                       nonclustered, unique, primary key located on FG_INDEX   GROUP_ID
SERVER_ADMIN_LOG_1           I_SERVER_ADMIN_LOG_1                    nonclustered located on FG_INDEX                        USN
SERVER_ADMIN_LOG_1           I_SERVER_ADMIN_LOG_1_ID                 nonclustered located on FG_INDEX                        EVENT_ID
SERVER_ADMIN_LOG_1           I_SERVER_ADMIN_LOG_1_SEV                nonclustered located on FG_INDEX                        SEVERITY
SERVER_ADMIN_LOG_1           I_SERVER_ADMIN_LOG_1_TIME               nonclustered located on FG_INDEX                        TIME_STAMP
SERVER_ADMIN_LOG_2           I_SERVER_ADMIN_LOG_2                    nonclustered located on FG_INDEX                        USN
SERVER_ADMIN_LOG_2           I_SERVER_ADMIN_LOG_2_ID                 nonclustered located on FG_INDEX                        EVENT_ID
SERVER_ADMIN_LOG_2           I_SERVER_ADMIN_LOG_2_SEV                nonclustered located on FG_INDEX                        SEVERITY
SERVER_ADMIN_LOG_2           I_SERVER_ADMIN_LOG_2_TIME               nonclustered located on FG_INDEX                        TIME_STAMP
SERVER_CLIENT_LOG_1          I_SERVER_CLIENT_LOG_1                   nonclustered located on FG_INDEX                        USN
SERVER_CLIENT_LOG_1          I_SERVER_CLIENT_LOG_1_ID                nonclustered located on FG_INDEX                        EVENT_ID
SERVER_CLIENT_LOG_1          I_SERVER_CLIENT_LOG_1_LOG_IDX           nonclustered located on FG_INDEX                        LOG_IDX
SERVER_CLIENT_LOG_1          I_SERVER_CLIENT_LOG_1_TIME              nonclustered located on FG_INDEX                        TIME_STAMP
SERVER_CLIENT_LOG_2          I_SERVER_CLIENT_LOG_2                   nonclustered located on FG_INDEX                        USN
SERVER_CLIENT_LOG_2          I_SERVER_CLIENT_LOG_2_ID                nonclustered located on FG_INDEX                        EVENT_ID
SERVER_CLIENT_LOG_2          I_SERVER_CLIENT_LOG_2_LOG_IDX           nonclustered located on FG_INDEX                        LOG_IDX
SERVER_CLIENT_LOG_2          I_SERVER_CLIENT_LOG_2_TIME              nonclustered located on FG_INDEX                        TIME_STAMP
SERVER_ENFORCER_LOG_1        I_SERVER_ENFORCER_LOG_1                 nonclustered located on FG_INDEX                        USN
SERVER_ENFORCER_LOG_1        I_SERVER_ENFORCER_LOG_1_ID              nonclustered located on FG_INDEX                        EVENT_ID
SERVER_ENFORCER_LOG_1        I_SERVER_ENFORCER_LOG_1_LOG_IDX         nonclustered located on FG_INDEX                        LOG_IDX
SERVER_ENFORCER_LOG_1        I_SERVER_ENFORCER_LOG_1_TIME            nonclustered located on FG_INDEX                        TIME_STAMP
SERVER_ENFORCER_LOG_2        I_SERVER_ENFORCER_LOG_2                 nonclustered located on FG_INDEX                        USN
SERVER_ENFORCER_LOG_2        I_SERVER_ENFORCER_LOG_2_ID              nonclustered located on FG_INDEX                        EVENT_ID
SERVER_ENFORCER_LOG_2        I_SERVER_ENFORCER_LOG_2_LOG_IDX         nonclustered located on FG_INDEX                        LOG_IDX
SERVER_ENFORCER_LOG_2        I_SERVER_ENFORCER_LOG_2_TIME            nonclustered located on FG_INDEX                        TIME_STAMP
SERVER_POLICY_LOG_1          I_SERVER_POLICY_LOG_1                   nonclustered located on FG_INDEX                        USN
SERVER_POLICY_LOG_1          I_SERVER_POLICY_LOG_1_ID                nonclustered located on FG_INDEX                        EVENT_ID
SERVER_POLICY_LOG_1          I_SERVER_POLICY_LOG_1_TIME              nonclustered located on FG_INDEX                        TIME_STAMP
SERVER_POLICY_LOG_2          I_SERVER_POLICY_LOG_2                   nonclustered located on FG_INDEX                        USN
SERVER_POLICY_LOG_2          I_SERVER_POLICY_LOG_2_ID                nonclustered located on FG_INDEX                        EVENT_ID
SERVER_POLICY_LOG_2          I_SERVER_POLICY_LOG_2_TIME              nonclustered located on FG_INDEX                        TIME_STAMP
SERVER_SYSTEM_LOG_1          I_SERVER_SYSTEM_LOG_1                   nonclustered located on FG_INDEX                        USN
SERVER_SYSTEM_LOG_1          I_SERVER_SYSTEM_LOG_1_ID                nonclustered located on FG_INDEX                        EVENT_ID
SERVER_SYSTEM_LOG_1          I_SERVER_SYSTEM_LOG_1_SEV               nonclustered located on FG_INDEX                        SEVERITY
SERVER_SYSTEM_LOG_1          I_SERVER_SYSTEM_LOG_1_TIME              nonclustered located on FG_INDEX                        TIME_STAMP
SERVER_SYSTEM_LOG_2          I_SERVER_SYSTEM_LOG_2                   nonclustered located on FG_INDEX                        USN
SERVER_SYSTEM_LOG_2          I_SERVER_SYSTEM_LOG_2_ID                nonclustered located on FG_INDEX                        EVENT_ID
SERVER_SYSTEM_LOG_2          I_SERVER_SYSTEM_LOG_2_SEV               nonclustered located on FG_INDEX                        SEVERITY
SERVER_SYSTEM_LOG_2          I_SERVER_SYSTEM_LOG_2_TIME              nonclustered located on FG_INDEX                        TIME_STAMP
SYSTEM_REPORT                PK_SYSTEMREPORT                         nonclustered, unique, primary key located on FG_INDEX   SYSTEMFILTER_IDX
SYSTEM_STATE                 I_SYSTEM_STATE_USN                      nonclustered located on FG_INDEX                        USN
SYSTEM_STATE                 PK_SYSTEM_STATE                         nonclustered, unique, primary key located on FG_INDEX   ID
THREATREPORT                 PK_THREATREPORT                         nonclustered, unique, primary key located on FG_INDEX   THREATFILTER_IDX
VERSION                      PK_VERSION                              nonclustered, unique, primary key located on FG_INDEX   PRODUCT
VIRUS                        I_VIRUSNAME                             nonclustered located on FG_INDEX                        VIRUSNAME
VIRUS                        PK_VIRUS                                nonclustered, unique, primary key located on FG_INDEX   VIRUSNAME_IDX
VIRUS                        I_VIRUS_TYPE                            nonclustered located on FG_INDEX                        TYPE
VIRUSCATEGORY                PK_VIRUSCATEGORY                        nonclustered, unique, primary key located on FG_INDEX   CATEGORY


Legend
Red Text                     Added.
MSG IDs:
ERROR_MSG_x1 = Unexpected server error.
ERROR_MSG_x2 = Unexpected console error.
ERROR_MSG_x3 = Failed to connect to server.
ERROR_MSG_x4 = Unknown response
ERROR_MSG_x5 = No response code
ERROR_MSG_x6 = Invalid response code
ERROR_MSG_x7 = Invalid session
ERROR_MSG_x8 = Login failed, please try again.
ERROR_MSG_x9 = Invalid action
ERROR_MSG_xA = Cannot connect to database.
ERROR_MSG_xB = Invalid parameter.
ERROR_MSG_xC = Admin name already in use.
ERROR_MSG_xD = Admin not found.
ERROR_MSG_xE = Group not found.
ERROR_MSG_xF = Invalid response data.
ERROR_MSG_x10 = Site not found.
ERROR_MSG_x11 = Query not found.
ERROR_MSG_x12 = The results return more than 100 records.
ERROR_MSG_x13 = Only select query is allowed.
ERROR_MSG_x14 = Invalid query statement.
ERROR_MSG_x15 = The data type you selected on is not supported.
ERROR_MSG_x16 = You cannot delete all the administrators.
ERROR_MSG_x17 = The action type is null.
ERROR_MSG_x18 = The action type is invalid.
ERROR_MSG_x19 = The object GUID is null.
ERROR_MSG_x1A = The object GUID is invalid.
ERROR_MSG_x1B = The transaction GUID is null.
ERROR_MSG_x1C = The transaction GUID is invalid.
ERROR_MSG_x1D = The domain GUID is null.
ERROR_MSG_x1E = The domain GUID is invalid.
ERROR_MSG_x1F = The object type is null.
ERROR_MSG_x20 = The object type is invalid.
ERROR_MSG_x21 = There is no connection.
ERROR_MSG_x22 = The connection is invalid.
ERROR_MSG_x23 = The checksum is null.
ERROR_MSG_x24 = The policy update is invalid.
ERROR_MSG_x25 = Request is Invalid.
ERROR_MSG_x26 = Internal error for null sql.
ERROR_MSG_x27 = The USN is null.
ERROR_MSG_x28 = The USN is invalid.
ERROR_MSG_x29 = This method with Domain parameter can only called by System Administrators.
ERROR_MSG_x2A = Cannot add root.
ERROR_MSG_x2B = The root cannot be deleted.
ERROR_MSG_x2C = Authentication failure, please retry.
ERROR_MSG_x2D = Domain is disabled.
ERROR_MSG_x2E = The administrator account is disabled.
ERROR_MSG_x2F = The administrator account is locked.
ERROR_MSG_x30 = Domain not found.
ERROR_MSG_x31 = The server does not support RSA SecurID Login.
ERROR_MSG_x32 = The transaction does not exist.
ERROR_MSG_x33 = The transaction rollback failed.
ERROR_MSG_x34 = The transaction commit failed.
ERROR_MSG_x35 = The transaction start failed.
ERROR_MSG_x36 = The object cannot be found.
ERROR_MSG_x37 = The object's content corrupted.
ERROR_MSG_x38 = The object is concurrently updating.
ERROR_MSG_x39 = The datastore is not connected.
ERROR_MSG_x3A = Datastore error.
ERROR_MSG_x3B = The target site belongs to different site farm.
ERROR_MSG_x3C = Top level group cannot be deleted.
ERROR_MSG_x3D = Cannot delete this group because there are still objects in the group.
ERROR_MSG_x40 = The license has expired.
ERROR_MSG_x41 = You have reached the limit of your license.
ERROR_MSG_x42 = Your license doesn't support this feature.
ERROR_MSG_x43 = Invalid Site License.
ERROR_MSG_x44 = You cannot access this server from this IP address.
ERROR_MSG_x45 = Invalid certificate file.
ERROR_MSG_x46 = Invalid private key file.
ERROR_MSG_x47 = Invalid keystore file.
ERROR_MSG_x48 = Invalid password.
ERROR_MSG_x49 = Failed to write certificate on server.
ERROR_MSG_x4A = The length of the administrator name is invalid.
ERROR_MSG_x4B = The administrator name contains prohibited characters.
ERROR_MSG_x4C = The administrator name should not be all dots or spaces.
ERROR_MSG_x4D = An Active Directory node cannot be moved.
ERROR_MSG_x4E = Group Global or Temporary cannot be moved.
ERROR_MSG_x4F = The group cannot be moved to any Active Directory node.
ERROR_MSG_x50 = The group cannot be moved to Group Temporary.
ERROR_MSG_x51 = The administrator name contains prohibited characters.
ERROR_MSG_x52 = The host name is empty.
ERROR_MSG_x53 = Connect directory fail.
ERROR_MSG_x54 = Failed to read file.
ERROR_MSG_x55 = The action is null.
ERROR_MSG_x56 = Invalid restore file.
ERROR_MSG_x57 = Failed to create folder for package publish.
ERROR_MSG_x58 = You cannot use the same site name as remote replication site.
ERROR_MSG_x59 = The temporary group is not found.
ERROR_MSG_x5A = The group path is invalid.
ERROR_MSG_x5B = Partner not found.
ERROR_MSG_x5C = Duplicate names failed.
ERROR_MSG_x5D = A Site referenced by the system is not found
ERROR_MSG_x5E = The local Site seems to have been deleted from the system
ERROR_MSG_x5F = The OU group ID is invalid.
ERROR_MSG_x60 = The domain ID is invalid in the session when trying to import OU.
ERROR_MSG_x61 = The destination group is same as the source group.
ERROR_MSG_x62 = The URL you specified cannot be accessed. This may be caused by: 1. Network co
ERROR_MSG_x70 = The domain name is already in use.
ERROR_MSG_x71 = The server can only query users from the domains it belongs to.
ERROR_MSG_x72 = The server can only query users from the domains it belongs to.
ERROR_MSG_x73 = The administrator account does not have permission to perform the requested task
ERROR_MSG_x80 = The group full name is too long.
ERROR_MSG_x81 = Failed to resolve naming conflict.
ERROR_MSG_x82 = No response from the remote server.
ERROR_MSG_x83 = Email sending failed.
ERROR_MSG_x84 = Failed to check duplicate names.
ERROR_MSG_x85 = The legacy client is not found.
ERROR_MSG_x86 = The file is not found.
ERROR_MSG_x87 = An IO exception occurred.
ERROR_MSG_x88 = There is an error when parsing the file. Please check the file format.
ERROR_MSG_x89 = A validation error occurred.
ERROR_MSG_x90 = Unexpected parameter value.
ERROR_MSG_x91 = Missing Named Version.
ERROR_MSG_x92 = Missing PackageLuInfo.
ERROR_MSG_x93 = Missing LuCatalog File.
ERROR_MSG_x94 = Missing LuContentPolicy.
ERROR_MSG_x95 = Failed to connect to Directory Server.
ERROR_MSG_x96 = Failed to connect to the specified replication partner server. Verify that the server n
ERROR_MSG_x97 = Invalid SysLog Server Name.

                                                                                             (
Error message buckets as used in the SYSTEM_REPORT table, field MSG_ID:The values to the right ar
ERR_SERVER' = array('9', 'A', 'B', 'C', 'D', 'E', 'F', '10', '11', '12', '13', '14', '15', '16');
ERR_INVALID_PARAMETER' = array('17', '18', '19', '1A', '1B', '1C', '1D', '1E', '1F', '20', '21', '22', '23', '24')
ERR_GENERAL' = array('1','2','3','4','5','6','7','8');
ERR_ROOT' = array('2A', '2B');
ERR_AUTHENTICATION' = array('2C', '2D', '2E', '2F', '30', '31', '4A', '4B', '4C');
ERR_METADATA' = array('36', '37', '38');
ERR_TRANSACTION' = array('32', '33', '34', '35');
ERR_DATASTORE' = array('39', '3A', '3B');
ERR_LICENSE' = array('40', '41', '42', '43');
ERR_CERTIFICATE' = array('45', '46', '47', '48', '49');
ERR_GROUP' = array('4D', '4E', '4F', '50');
ERR_FILE' = array('86','87', '88', '89', '90');
ERR_LIVEUPDATE' = array('92','93','94','97');
ERR_OTHER' = array('29', '3C', '3D', '44', '54', '57', '58', '59', '5A', '5D', '5E', '5F', '60', '62', '70', '71', '80', '8
ERR_NONE' = array(-1);


Error codes:
ERROR_CODE_x00000000 = OK
ERROR_CODE_x10010000 = Unexpected server error.
ERROR_CODE_x11010000 = Invalid session.
ERROR_CODE_x12010000 = The action type is null.
ERROR_CODE_x12020000 = The action type is invalid.
ERROR_CODE_x12030000 = The object GUID is null.
ERROR_CODE_x12040000 = The object GUID is invalid.
ERROR_CODE_x12050000 = The transaction GUID is null.
ERROR_CODE_x12060000 = The transaction GUID is invalid.
ERROR_CODE_x12070000 = The domain GUID is null.
ERROR_CODE_x12080000 = The domain GUID is invalid.
ERROR_CODE_x12090000 = The object type is null.
ERROR_CODE_x120a0000 = The object type is invalid.
ERROR_CODE_x120b0000 = There is no connection.
ERROR_CODE_x120c0000 = The connection is invalid.
ERROR_CODE_x120d0000 = The checksum is null.
ERROR_CODE_x120e0000 = The policy update is invalid.
ERROR_CODE_x120f0000 = The SQL query is null.
ERROR_CODE_x12100000 = The USN is null.
ERROR_CODE_x12110000 = The USN is invalid.
ERROR_CODE_x12120000 = The request is invalid.
ERROR_CODE_x12130000 = This method with Domain parameter can only called by System Administra
ERROR_CODE_x12140000 = The action is null.
ERROR_CODE_x12150000 = Invalid action.
ERROR_CODE_x12160000 = Client Reg domain name is null.
ERROR_CODE_x12170000 = Client Reg domain ID is null.
ERROR_CODE_x12180000 = Client Reg computer name is null.
ERROR_CODE_x12190000 = Client Reg user name is null.
ERROR_CODE_x121a0000 = The group path is not invalid.
ERROR_CODE_x121b0000 = You have reached the limit of your license.
ERROR_CODE_x121c0000 = Failed to create folder for domain.
ERROR_CODE_x121d0000 = Failed to create folder for package publish.
ERROR_CODE_x121e0000 = The group full name is too long.
ERROR_CODE_x13010000 = Cannot add root.
ERROR_CODE_x13020000 = The root cannot be deleted.
ERROR_CODE_x14010000 = Authentication failure, please retry.
ERROR_CODE_x14020000 = Admin access denied.
ERROR_CODE_x14030000 = Replication access denied.
ERROR_CODE_x15010000 = The transaction does not exist.
ERROR_CODE_x15020000 = The transaction rollback failed.
ERROR_CODE_x15030000 = The transaction commit failed.
ERROR_CODE_x15040000 = The transaction start failed.
ERROR_CODE_x16010000 = The object cannot be found.
ERROR_CODE_x16020000 = The object's content corrupted.
ERROR_CODE_x16030000 = The object is concurrently updating.
ERROR_CODE_x17010000 = The datastore is not connected.
ERROR_CODE_x17020000 = Datastore error.
ERROR_CODE_x17030000 = Failed to connect to database.
ERROR_CODE_x17040000 = SQL query failed.
ERROR_CODE_x18010000 = The target site belongs to different site farm.
ERROR_CODE_x18020000 = Restore file is invalid.
ERROR_CODE_x18030000 = Failed to resolve naming conflict.
ERROR_CODE_x19010000 = Email sending failed.
ERROR_CODE_x80010000 = Unexpected console error.
ERROR_CODE_x80020000 = Failed to connect to server.
ERROR_CODE_x82010000 = Administrator is empty.
ERROR_CODE_x83010000 = Admin name already in use.
ERROR_CODE_x83020000 = Top level group cannot be deleted.
ERROR_CODE_x83030000 = Cannot delete this group because there are still objects in the group.
ERROR_CODE_x83040000 = The domain name is already in use.
ERROR_CODE_x83050000 = The Symantec server can only query users from the domains it belongs to
ERROR_CODE_x83060000 = Domain user query filtered.
ERROR_CODE_x83070000 = License error.
ERROR_CODE_x84010000 = Invalid password.
ERROR_CODE_x84020000 = Invalid password.
ERROR_CODE_x84090000 = Failed to write certificate on server.
ERROR_CODE_x840a0000 = Invalid keystore.
ERROR_CODE_x840b0000 = Invalid private key file.
ERROR_CODE_x840c0000 = Invalid certificate file.
ERROR_CODE_x840d0000 = Invalid certificate file.
ERROR_CODE_x840e0000 = Invalid keystore file.
ERROR_CODE_x85010000 = The length of an administrator name is invalid.
ERROR_CODE_x85020000 = The administrator name contains prohibited characters.
ERROR_CODE_x85030000 = The administrator name should not be all dots or spaces.
ERROR_CODE_x86010000 = An Active Directory node cannot be moved.
ERROR_CODE_x86020000 = Group Global or Temporary cannot be moved.
ERROR_CODE_x86030000 = The group cannot be moved to any Active Directory node.
ERROR_CODE_x86040000 = The group cannot be moved to Group Temporary.
ERROR_CODE_x86050000 = The destination group is same as the source group.
ERROR_CODE_x87010000 = The organization unit is already in use.
ERROR_CODE_x88010000 = Host name is empty.
ERROR_CODE_x88020000 = Connect directory failed.
ERROR_CODE_x89010000 = Failed to read file.
ERROR_CODE_xA0010000 = The temporary group is not found.
ERROR_CODE_xA1010000 = Replication partner not found.
ERROR_CODE_xA1020000 = Duplicate names exist.
ERROR_CODE_xA1030000 = Failed to check duplicate names.
ERROR_CODE_xA2010000 = A Site referenced by the system is not found.
ERROR_CODE_xA2020000 = The local Site seems to have been deleted from the system.
ERROR_CODE_xB0010000 = The OU group ID is invalid.
ERROR_CODE_xB0020000 = The domain ID is invalid in the session when trying to import OU.
ERROR_CODE_xC0010000 = The URL you specified cannot be accessible. This may be caused by: 1. N
ERROR_CODE_xD0010000 = No response from the remote server.
ERROR_CODE_xE0010000 = The legacy client is not found.
ERROR_CODE_xE0050000 = Unknown host name.
ERROR_CODE_xE0110000 = The file is not found.
ERROR_CODE_xE0120000 = An IO exception occurred.
ERROR_CODE_xE0130000 = There is an error when parsing the file. Please check the file format.
ERROR_CODE_xE0140000 = A validation error occurred.
ERROR_CODE_xE0150000 = Unexpected parameter value.
ERROR_CODE_xE0160000 = Invalid parameter.
ERROR_CODE_xE0170000 = Missing Named Version.
ERROR_CODE_xE0180000 = Missing PackageLuInfo.
ERROR_CODE_xE0190000 = Missing LuCatalog File.
ERROR_CODE_xE01A0000 = Missing LuContentPolicy.
ERROR_CODE_xE0210000 = Failed to connect to Directory Server.
ERROR_CODE_xE0220000 = Failed to look up directory server
ERROR_CODE_xE0230000 = Failed to connect to the specified replication partner server. Verify that the
ystem Administrators.
n the group.
e caused by: 1. Network connection problems. 2. The website is down.



 erform the requested task.




  file format.




er. Verify that the server name and port are correct.


(The values to the right are in hex and correspond to the MSG IDs found listed above.)

1F', '20', '21', '22', '23', '24');
, '60', '62', '70', '71', '80', '81', '82', '83', '84', '85','91','95','96');




alled by System Administrators.
objects in the group.

the domains it belongs to.
 the system.

ing to import OU.
his may be caused by: 1. Network connection problem. 2. The website is down.




check the file format.




tner server. Verify that the server name and port are correct.
EVENT_TYPE_x12070001 = Internal error
EVENT_TYPE_x12070101 = Install complete
EVENT_TYPE_x12070102 = Restart recommended
EVENT_TYPE_x12070103 = Restart required
EVENT_TYPE_x12070104 = Installation failed
EVENT_TYPE_x12070105 = Uninstallation complete
EVENT_TYPE_x12070106 = Uninstallation failed
EVENT_TYPE_x12070201 = Service starting
EVENT_TYPE_x12070202 = Service started
EVENT_TYPE_x12070203 = Service start failure
EVENT_TYPE_x12070204 = Service stopped
EVENT_TYPE_x12070205 = Service stop failure
EVENT_TYPE_x12070206 = Config import complete
EVENT_TYPE_x12070207 = Config import error
EVENT_TYPE_x12070208 = Config export complete
EVENT_TYPE_x12070209 = Config export error
EVENT_TYPE_x1207020A = Email post OK
EVENT_TYPE_x1207020B = Email post failure
EVENT_TYPE_x1207020C = Update complete
EVENT_TYPE_x1207020D = Update failure
EVENT_TYPE_x1207020E = Manual location change
EVENT_TYPE_x1207020F = Location changed
EVENT_TYPE_x12070210 = Host Integrity disabled
EVENT_TYPE_x12070211 = Host Integrity enabled
EVENT_TYPE_x12070220 = NAP integration enabled
EVENT_TYPE_x12070212 = Old Rasdll detected
EVENT_TYPE_x12070213 = Auto-update postponed
EVENT_TYPE_x12070214 = Successfully imported advanced rule
EVENT_TYPE_x12070215 = Failed to import advanced rule
EVENT_TYPE_x12070216 = Successfully exported advanced rule
EVENT_TYPE_x12070217 = Failed to export advanced rule
EVENT_TYPE_x12070218 = Client Engine enabled
EVENT_TYPE_x12070219 = Client Engine disabled
EVENT_TYPE_x1207021A = Attempt to stop service
EVENT_TYPE_x12070301 = Server connected
EVENT_TYPE_x12070302 = No server response
EVENT_TYPE_x12070303 = Server connection failed
EVENT_TYPE_x12070304 = Server disconnected
EVENT_TYPE_x12070305 = Mode changed
EVENT_TYPE_x12070306 = New policy received
EVENT_TYPE_x12070307 = New policy applied
EVENT_TYPE_x12070308 = New policy failed
EVENT_TYPE_x12070309 = Cannot download policy
EVENT_TYPE_x120B0005 = Cannot download policy
EVENT_TYPE_x1207030A = Have latest policy
EVENT_TYPE_x120B0004 = Have latest policy
EVENT_TYPE_x1207030B = Cannot apply HI script
EVENT_TYPE_x12070500 = System message from device control
EVENT_TYPE_x12070600 = System message from anti-buffer overflow driver
EVENT_TYPE_x12070700 = System message from network access component
EVENT_TYPE_x12070800 = System message from LiveUpdate
EVENT_TYPE_x12070900 = System message from group update provider
EVENT_TYPE_x120B0001 = Cannot reach server
EVENT_TYPE_x120B0002 = Reconnected server
EVENT_TYPE_x120B0003 = Auto upgrade complete
EVENT_TYPE_x12071006 = Scan Omission
EVENT_TYPE_x12071007 = Definition File Loaded
EVENT_TYPE_x1207100B = Virus Behavior Detected
EVENT_TYPE_x1207100C = Configuration Changed
EVENT_TYPE_x12071010 = Definition File Download
EVENT_TYPE_x12071012 = Sent To Quarantine Server
EVENT_TYPE_x12071013 = Delivered To Symantec
EVENT_TYPE_x12071014 = Security Response Backup
EVENT_TYPE_x12071015 = Scan Aborted
EVENT_TYPE_x12071016 = Symantec AntiVirus Auto-Protect Load Error
EVENT_TYPE_x12071017 = Symantec AntiVirus Auto-Protect Enabled
EVENT_TYPE_x12071018 = Symantec AntiVirus Auto-Protect Disabled
EVENT_TYPE_x1207101A = Scan Delayed
EVENT_TYPE_x1207101B = Scan Re-started
EVENT_TYPE_x1207101E = License Warning
EVENT_TYPE_x1207101F = License Error
EVENT_TYPE_x12071020 = License in Grace Period
EVENT_TYPE_x12071021 = Access Denied Warning
EVENT_TYPE_x12071022 = Log Forwarding Error
EVENT_TYPE_x12071023 = License Installed
EVENT_TYPE_x12071025 = License Up-to-date
EVENT_TYPE_x12071027 = Symantec AntiVirus is using old virus definitions
EVENT_TYPE_x1207102B = Computer not compliant with security policy
EVENT_TYPE_x1207102C = Computer compliant with security policy
EVENT_TYPE_x1207102D = Tamper Attempt
EVENT_TYPE_x12071034 = Login failed
EVENT_TYPE_x12071035 = Login succeeded
EVENT_TYPE_x12071036 = Access Denied Warning
EVENT_TYPE_x12071037 = Symantec AntiVirus installed
EVENT_TYPE_x12071038 = Symantec Firewall installed
EVENT_TYPE_x12071039 = Uninstall
EVENT_TYPE_x1207103A = Uninstall rolled-back
EVENT_TYPE_x12071041 = Scan suspended
EVENT_TYPE_x12071042 = Scan Resumed
EVENT_TYPE_x12071043 = Scan Duration Too Short
EVENT_TYPE_x12071044 = Client moved
EVENT_TYPE_x12071045 = Scan Enhancements Failed
EVENT_TYPE_x12071046 = Proactive Threat Scanning is not supported on this platform
EVENT_TYPE_x12071047 = Proactive Threat Scanning Load Error
EVENT_TYPE_x101 = Server startup successfully
EVENT_TYPE_x102 = Server startup failed
EVENT_TYPE_x103 = Server shutdown gracefully
EVENT_TYPE_x104 = Server created
EVENT_TYPE_x105 = Site created
EVENT_TYPE_x106 = Package published
EVENT_TYPE_x107 = Site license exceeded
EVENT_TYPE_x108 = Organization importing started
EVENT_TYPE_x109 = Organization importing succeeded
EVENT_TYPE_x10A = Organization importing failed
EVENT_TYPE_x10B = Client sweeping started
EVENT_TYPE_x10C = Client sweeping Summary
EVENT_TYPE_x10D = Client sweeping succeeded
EVENT_TYPE_x10E = Client sweeping failed
EVENT_TYPE_x10F = Database logs have been swept
EVENT_TYPE_x110 = Server upgrade success
EVENT_TYPE_x111 = Scheduled reporting failed
EVENT_TYPE_x112 = Security risk rating summary
EVENT_TYPE_x301 = Replication from remote site started
EVENT_TYPE_x302 = Replication failed to login to remote site
EVENT_TYPE_x303 = Unable to fetch changed data from remote site
EVENT_TYPE_x304 = Replication finished successfully
EVENT_TYPE_x305 = Replication failed
EVENT_TYPE_x306 = Replication merge failed
EVENT_TYPE_x307 = Unable to connect to remote site
EVENT_TYPE_x308 = Name Changed for Resolving Merge Conflict
EVENT_TYPE_x309 = Group full path name is too long for replication
EVENT_TYPE_x30A = Retrieval of local changed data for remote site started
EVENT_TYPE_x30B = Retrieval of local changed data for remote site finished successfully
EVENT_TYPE_x30C = Retrieval of local changed data for remote site failed
EVENT_TYPE_x30D = Replication has been chosen as the deadlock victim and killed by database
EVENT_TYPE_x30E = Replication data is received
EVENT_TYPE_x401 = Backup connection failed
EVENT_TYPE_x402 = Backup data fetch failed
EVENT_TYPE_x403 = Backup file write failed
EVENT_TYPE_x404 = Backup unknown failed
EVENT_TYPE_x405 = Backup success
EVENT_TYPE_x406 = Backup started
EVENT_TYPE_x501 = An unexpected exception has occurred
EVENT_TYPE_x502 = Connect mail server failed
EVENT_TYPE_x503 = Failed to start Radius Server. The radius port may be used by another process
EVENT_TYPE_x504 = Failed to start Radius Server. Set non-Block IO socket failed.
EVENT_TYPE_x505 = Failed to start Radius Server. Create socket Error.
EVENT_TYPE_x506 = Server error
EVENT_TYPE_x601 = Added Intrusion Prevention Library
EVENT_TYPE_x602 = Deleted Intrusion
EVENT_TYPE_x603 = Updated Intrusion Prevention Library
EVENT_TYPE_x604 = Intrusion Prevention Library is up to date
EVENT_TYPE_x701 = LiveUpdate started
EVENT_TYPE_x702 = LiveUpdate succeeded
EVENT_TYPE_x703 = LiveUpdate failed
EVENT_TYPE_x704 = LiveUpdate manual task succeeded
EVENT_TYPE_x705 = LiveUpdate manual task failed
EVENT_TYPE_x706 = LiveUpdate retry started
EVENT_TYPE_x707 = LiveUpdate retry succeeded
EVENT_TYPE_x708 = LiveUpdate retry failed and will try again
# EVENT_TYPE_x709 = LiveUpdate content clean up -- not used
EVENT_TYPE_x70A = LiveUpdate manual task started
EVENT_TYPE_x70B = LiveUpdate retry over max window
EVENT_TYPE_x70C = LiveUpdate retry failed and will try again
EVENT_TYPE_x70D = LiveUpdate retry pass scheduled time
EVENT_TYPE_x70E = LiveUpdate All process launched
EVENT_TYPE_x70F = LiveUpdate All process exited abnormally
EVENT_TYPE_x71F = LiveUpdate next server
EVENT_TYPE_x710 = LiveUpdate All process finished
EVENT_TYPE_x711 = LiveUpdate All process failed to launch
EVENT_TYPE_x712 = LiveUpdate uploading content
EVENT_TYPE_x713 = LiveUpdate file path not exist
EVENT_TYPE_x714 = LiveUpdate Content Catalog file has been inserted
EVENT_TYPE_x715 = LiveUpdate Content Catalog file has been updated
EVENT_TYPE_x716 = Client Package has been downloaded
EVENT_TYPE_x717 = Client Package patching failed.
EVENT_TYPE_x718 = New LiveUpdate content has been downloaded
EVENT_TYPE_x719 = LiveUpdate wrong URL parameter
EVENT_TYPE_x720 = Antivirus and antispyware definitions Win64 11.0 MicroDefsB.CurDefs failed to up
EVENT_TYPE_x721 = Download is current
EVENT_TYPE_x722 = LiveUpdate re-run is triggered by content catalog update.
EVENT_TYPE_x71A = Failed to download LiveUpdate content
EVENT_TYPE_x71B = LiveUpdate content cleaned up
EVENT_TYPE_x71C = Host Integrity Template has been updated
EVENT_TYPE_x71D = LiveUpdate timed out
EVENT_TYPE_x71E = LiveUpdate schedule updated
EVENT_TYPE_x801 = Search uncliented hosts started
EVENT_TYPE_x802 = Search uncliented hosts finished normally
EVENT_TYPE_x803 = Search uncliented hosts finished abnormally
EVENT_TYPE_x804 = Client remote started
EVENT_TYPE_x805 = Client remote finished normally
EVENT_TYPE_x806 = Client remote finished abnormally
EVENT_TYPE_x901 = Rapid response content installed successfully
EVENT_TYPE_x902 = Rapid response content failed to install
EVENT_TYPE_x1001 = Certificate matched
EVENT_TYPE_x1002 = Certificate not matched
successfully

d killed by database




sed by another process
DefsB.CurDefs failed to update
      Symantec Corp Confidential                                                                                                                               SEP Table Definition                                                                                         3/3/2012 Page 27 / 54



About the Symantec Endpoint Protection Manager database schema
The Symantec Endpoint Protection Manager database stores all
the information that concerns the Symantec software and
associated security information. The information is stored in a
series of tables, the database schema.

You can use the database schemas to create custom reports to
find information about a large number of clients.

Data types represent the physical make up of the data.

The following data types are used in the database:
bigint
char
datetime
int
nvarchar
tinyint
varchar
varbinary

Some data types include the physical length of the field in
parentheses. For example, char(24) indicates a character field
with a length of 24 characters.

An asterisk (*) beside a field name indicates that the field acts as
a Primary Key in the tables. The Primary Key is a column or a set
of columns that uniquely identify all the rows in a table. Primary
Keys may not contain null values. No two rows can have the
same Primary Key value; therefore, a Primary Key value always
uniquely identifies a single row. More than one key can uniquely
identify rows in a table. Each of these keys is called a Candidate
Key. Only one candidate can be chosen as the Primary Key of a
table; all other Candidate Keys are known as Alternate Keys.

In a normalized table, all of a row's data values depend on the
Primary Key. For example, in a normalized employee table with
EmployeeID as the Primary Key, all columns contain data that is
ACTUALACTION
Column Name                                                            Comment                                                                                                   Data Type (MS, Sybase)                  Default Value                  Primary Key       Description
                                                                                                                                                                                                                                                                          This table lists actual action schema
                                                                                                                                                                                                                                                                          information.

                                                                                                                                                                                                                                                                          If there is only one data type value in
                                                                                                                                                                                                                                                                          a cell in the Data Type column, it
ACTUALACTION_IDX*                                                      Primary key (one of 1…500 as shown below)                                                                 int, NOT NULL                                                          PK_ACTUALACTION
                                                                                                                                                                                                                                                                          applies to both MS SQL Server and
                                                                                                                                                                                                                                                                          to Sybase. If there are two data type
                                                                                                                                                                                                                                                                          values, the first applies to MS SQL
                                                                                                                                                                                                                                                                          Server and the second applies to
                                                                                                                                                                                                                                                                          Sybase.


                                                                       Hard-coded English string used for lookup whose meaning is as follows:
                                                                       ActualAction_-1 = Action invalid
                                                                       ActualAction_1 = Quarantined
                                                                       ActualAction_2 = Renamed
                                                                       ActualAction_3 = Deleted
                                                                       ActualAction_4 = Left alone
                                                                       ActualAction_5 = Cleaned
                                                                       ActualAction_6 = Cleaned or macros deleted
                                                                       ActualAction_7 = Saved
                                                                       ActualAction_9 = Moved back
                                                                       ActualAction_10 = Renamed back
                                                                       ActualAction_11 = Undone
                                                                       ActualAction_12 = Bad
                                                                       ActualAction_13 = Backed up
                                                                       ActualAction_14 = Pending repair
ACTUALACTION                                                                                                                                                                     varchar(255), NOT NULL                  ('')
                                                                       ActualAction_15 = Partially repaired
                                                                       ActualAction_16 = Process termination pending restart
                                                                       ActualAction_17 = Excluded
                                                                       ActualAction_18 = Restart processing
                                                                       ActualAction_19 = Cleaned by deletion
                                                                       ActualAction_20 = Access denied
                                                                       ActualAction_21 = Process terminated
                                                                       ActualAction_22 = No repair available
                                                                       ActualAction_23 = All actions failed
                                                                       ActualAction_98 = Suspicious
                                                                       ActualAction_99 = Details pending
                                                                       ActualAction_110 = Detected using commercial application list
                                                                       ActualAction_111 = Forced detection using file name
                                                                       ActualAction_1000 = Forced detection using file hash
                                                                       ActualAction_500 = Not applicable




ADMINUSER
Column Name                                                            Comment                                                                                                   Data Type (MS, Sybase)                  Default Value                  Primary Key       Description
USER_ID*                                                               Login user ID                                                                                             char(32), NOT NULL                                                     PK_ADMINUSER
USER_NAME                                                              User name of the admin                                                                                    NVARCHAR(255), VARCHAR(255), NOT NULL   ('')
DOMAIN_ID                                                              GUID representing currently logged in domain.                                                             char(32), NOT NULL                      ('')
AUTOREFRESH                                                            User-defined auto refresh value for all logs (events.php, alerts.php)                                     int, NOT NULL                                                      0
LASTCHANGE                                                             Last time that the user accessed the console                                                              int, NOT NULL                           (convert(int,getdate()))
LASTSPMTIME                                                            Last time for successful keep alive to application server                                                 int, NOT NULL                           (convert(int,getdate()))


AGENT_BEHAVIOR_LOG_1 and AGENT_BEHAVIOR_LOG_2
Column Name                                                            Comment                                                                                                   Data Type (MS, Sybase)                  Default Value                  Primary Key       Description

                                                                                                                                                                                                                                                                          This table is not used in Symantec
                                                                                                                                                                                                                                                                          Network Access Control.

                                                                                                                                                                                                                                                                          This table lists the database schema for
                                                                                                                                                                                                                                                                          the Agent Behavior logs. There are two
                                                                                                                                                                                                                                                                          tables for this schema. When logs are
                                                                                                                                                                                                                                                                          stored, the Policy Manager uses the first
                                                                                                                                                                                                                                                                          table until it is full. It then switches to
                                                                                                                                                                                                                                                                          using the second table. The data in the
USN                                                                                                                                                                              bigint, NOT NULL                                                                         first table is kept intact until the second
                                                                                                                                                                                                                                                                          table fills. Then it starts to fill the first
                                                                                                                                                                                                                                                                          table again. This cycle is continuous.

                                                                                                                                                                                                                                                                          If there is only one data type value in a
                                                                                                                                                                                                                                                                          cell in the Data Type column, it applies to
                                                                                                                                                                                                                                                                          both MS SQL Server and to Sybase. If
                                                                                                                                                                                                                                                                          there are two data type values, the first
                                                                                                                                                                                                                                                                          applies to MS SQL Server and the
                                                                                                                                                                                                                                                                          second applies to Sybase.
                                                                       A USN-based serial number; this ID is not unique.
DOMAIN_ID                                                              GUID of the domain to which the log belongs                                                               char(32), NOT NULL
SITE_ID                                                                GUID of the site to which the log belongs                                                                 char(32), NOT NULL
SERVER_ID                                                              GUID of the server to which the log belongs                                                               char(32), NOT NULL
GROUP_ID                                                               GUID of the group to which the log belongs                                                                char(32), NOT NULL
COMPUTER_ID                                                            GUID of the client computer associated with the agent log                                                 char(32), NOT NULL
TIME_STAMP                                                             The time when the event is logged into system (GMT), which is server side time                            bigint, NOT NULL
                                                                       An event ID from send agent:
                                                                       501 = Application Control Driver
EVENT_ID                                                                                                                                                                         int, NOT NULL
                                                                       502 = Application Control Rules
                                                                       999 = Tamper Protection
EVENT_TIME                                                             The event generated time (GMT)                                                                            bigint, NOT NULL
                                                                       The seriousness of the event
SEVERITY                                                                                                                                                                         int, NOT NULL
                                                                       0 is most serious
AGENT_ID                                                               GUID of the agent                                                                                         char(32), NULL
HARDWARE_KEY                                                           Hash of Computer Hardware information                                                                     char(32), NULL
HOST_NAME                                                              Host Name of client computer                                                                              nvarchar(256), varchar(256), NULL
                                                                       What we did:
                                                                       0 = allow
                                                                       1 = block
ACTION                                                                                                                                                                           int, NULL
                                                                       2 = ask
                                                                       3 = continue
                                                                       4 = terminate
                                                                       Was this rule run in test mode?
TEST_MODE                                                                                                                                                                        int, NULL
                                                                       0 = No, Else = Yes
DESCRIPTION                                                            What behavior was blocked                                                                                 nvarchar(256), varchar(256), NULL
VAPI_NAME                                                              What API was blocked                                                                                      nvarchar(256), varchar(256), NULL
ENCODED_API_NAME                                                                                                                                                                 nvarchar(256), varchar(256), NULL
BEGIN_TIME                                                             The begin time of security issue                                                                          bigint, NULL
                                                                       The end time of security issue. End time is an optional field because we may fail to detect the
END_TIME                                                                                                                                                                         bigint, NULL
                                                                       exact end time of traffic, like UDP. in those cases, the end time is equal to begin time.
                                                                       The ID of rule triggered by the event. It is always 0 if rule ID is not specified in security rule. The
RULE_ID                                                                field is helpful to security rule troubleshooting. If multiple rules matched, it logs the rule that has   char(32), NULL
                                                                       finial decision on PacketProc (pass/block/drop).
      Symantec Corp Confidential                                                                                          SEP Table Definition                                                                           3/3/2012 Page 28 / 54



                                   The name of rule triggered by the event. It is always empty string if rule name is not specified in
RULE_NAME                          security rule. It is for troubleshooting also. In theory, IT admin can know the rule by ID. However,        nvarchar(256), varchar(256), NULL
                                   name gives user a direct view of rule that could be used.
CALLER_PROCESS_ID                  ID of the Process that triggers the logging                                                                 bigint, NULL
                                   The full path name of the application involved. It may be empty if the application is unknown, or if
CALLER_PROCESS_NAME                OS itself is involved, or if no application is involved. Also, it may be empty if profile says “don’t log   nvarchar(256), varchar(256), NULL
                                   application name in raw traffic log”.
                                   Return address of the caller. This field allows our software to detect the calling module that makes
CALLER_RETURN_ADDRESS                                                                                                                          bigint, NULL
                                   the API call.
CALLER_RETURN_MODULE_NAME          Module name of caller. See “CallerReturnAddress” for more information.                                      nvarchar(256), varchar(256), NULL

PARAMETER                          Parameters that were used in the API call. Each parameter was converted to STRING format and                nvarchar(256), varchar(256), NULL
                                   separated by one space character. Double quotation char within the string are escape by a \ char.
                                   Indicates whether this event will be counted during alert notification processing at the server. It is
ALERT                                                                                                                                          int, NULL
                                   true if the event is logged by Tamper Protection. It is false otherwise. (True =1, False = 0)
SEND_SNMP_TRAP                     It reflects the send SNMP trap action. It is true if send is true.                                          tinyint, NULL
USER_NAME                          Login user name                                                                                             nvarchar(256), varchar(256), NULL
DOMAIN_NAME                        Login (Windows) domain name                                                                                 nvarchar(256), varchar(256) , NULL
RESERVED_INT1                                                                                                                                  int, NULL
RESERVED_INT2                                                                                                                                  int, NULL
RESERVED_BIGINT1                                                                                                                               bigint, NULL
RESERVED_BIGINT2                                                                                                                               bigint, NULL
RESERVED_CHAR1                                                                                                                                 char(32), NULL
RESERVED_CHAR2                                                                                                                                 char(32), NULL
RESERVED_VARCHAR1                                                                                                                              nvarchar(260), VARCHAR(260), NULL
RESERVED_BINARY                                                                                                                                varbinary(2000), NULL
REPETITION                         Event repetition due to aggregation (damper)                                                                int, NOT NULL                                        -1
LOG_IDX                            Log index unique ID                                                                                         char(32), NULL



AGENT_PACKET_LOG_1 and AGENT_PACKET_LOG_2
Column Name                        Comment                                                                                                     Data Type (MS, Sybase)               Default Value        Primary Key   Description

                                                                                                                                                                                                                       This table is not used in Symantec
                                                                                                                                                                                                                       Network Access Control.

                                                                                                                                                                                                                       This table lists the database schema for
                                                                                                                                                                                                                       the Agent Packet logs. There are two
                                                                                                                                                                                                                       tables for this schema. When logs are
                                                                                                                                                                                                                       stored, the Policy Manager uses the first
                                                                                                                                                                                                                       table until it is full. It then switches to
                                                                                                                                                                                                                       using the second table. The data in the
USN                                                                                                                                            bigint, NOT NULL                                                        first table is kept intact until the second
                                                                                                                                                                                                                       table fills. Then it starts to fill the first
                                                                                                                                                                                                                       table again. This cycle is continuous.

                                                                                                                                                                                                                       If there is only one data type value in a
                                                                                                                                                                                                                       cell in the Data Type column, it applies to
                                                                                                                                                                                                                       both MS SQL Server and to Sybase. If
                                                                                                                                                                                                                       there are two data type values, the first
                                                                                                                                                                                                                       applies to MS SQL Server and the
                                                                                                                                                                                                                       second applies to Sybase.
                                   A USN-based serial number; this ID is not unique.
DOMAIN_ID                          GUID of the domain to which the log belongs                                                                 char(32), NOT NULL
SITE_ID                            GUID of the site to which the log belongs                                                                   char(32), NOT NULL
SERVER_ID                          GUID of the server to which the log belongs                                                                 char(32), NOT NULL
GROUP_ID                           GUID of the group to which the log belongs                                                                  char(32), NOT NULL
COMPUTER_ID                        GUID of the client computer associated with the agent packet log                                            char(32), NOT NULL
TIME_STAMP                         The time when the event is logged into system (GMT), which is server side time                              bigint, NOT NULL
                                   An event ID from send agent:
EVENT_ID                                                                                                                                       int, NOT NULL
                                   401 = Raw Ethernet
EVENT_TIME                         The event generated time (GMT)                                                                              bigint, NOT NULL
AGENT_ID                           GUID of the agent                                                                                           char(32), NULL
HARDWARE_KEY                       Hash of Computer Hardware information                                                                       char(32), NULL
HOST_NAME                          Host Name of client computer                                                                                nvarchar(256), varchar(256), NULL
LOCAL_HOST_IP                      The IP address of local computer (IPv4)                                                                     bigint, NULL
REMOTE_HOST_IP                     The IP address of remote computer (IPv4)                                                                    bigint, NULL
REMOTE_HOST_NAME                   The Name of remote computer (it may be empty if name solve failed)                                          nvarchar(64), varchar(64), NULL
                                   The TCP/UDP port in local machine (host byte-order). It is only valid on TSE_TRAFFIC_TCP and
LOCAL_PORT                                                                                                                                     int, NULL
                                   TSE_TRAFFIC_UDP. On the other event, it is always zero.
                                   The TCP/UDP port in remote machine (host byte-order). It is only valid on TSE_TRAFFIC_TCP and
REMOTE_PORT                                                                                                                                    int, NULL
                                   TSE_TRAFFIC_UDP. On the other event, it is always zero.
TRAFFIC_DIRECTION                  The direction of traffic. Enum (unknown = 0; inbound = 1; outbound = 2)                                     tinyint, NULL
BLOCKED                            Specify if the traffic was blocked (Yes = 1, no = 0)                                                        tinyint, NOT NULL
                                   The full path name of the application involved. It may be empty if an unknown application is involved
APP_NAME                           or if no application is involved. For example, the ping of death DoS attack doesn’t have an                 nvarchar(256), varchar(256), NULL
                                   AppName because it attacks the operating system.
ALERT                              It reflects the alert attribute in profile action. It is true if action::alert is true. (Yes = 1, no = 0)   int, NULL
SEND_SNMP_TRAP                     It reflects the send SNMP trap action. It is true if send is true. (Yes = 1, no = 0)                        tinyint, NULL
EVENT_DATA                         Additional data in binary format. This field is optional.                                                   varbinary(2000), NULL
RESERVED_INT1                                                                                                                                  int, NULL
RESERVED_INT2                                                                                                                                  int, NULL
RESERVED_BIGINT1                                                                                                                               bigint, NULL
RESERVED_BIGINT2                                                                                                                               bigint, NULL
RESERVED_CHAR1                                                                                                                                 char(32), NULL
RESERVED_CHAR2                                                                                                                                 char(32), NULL
RESERVED_VARCHAR1                                                                                                                              nvarchar(260), VARCHAR(260), NULL
RESERVED_BINARY                                                                                                                                varbinary(2000), NULL
LOG_IDX                            Log index unique ID                                                                                         char(32), NULL



AGENT_SECURITY_LOG_1 and AGENT_SECURITY_LOG_2
Column Name                        Comment                                                                                                     Data Type (MS, Sybase)               Default Value        Primary Key   Description
                                                                                                                                                                                                                       This table lists the database schema for
                                                                                                                                                                                                                       the Agent Security logs.

                                                                                                                                                                                                                       There are two tables for this schema.
                                                                                                                                                                                                                       When logs are stored, the Policy
                                                                                                                                                                                                                       Manager uses the first table until it is full.
                                                                                                                                                                                                                       It then switches to using the second
                                                                                                                                                                                                                       table. The data in the first table is kept
                                                                                                                                                                                                                       intact until the second table fills. Then it
USN                                                                                                                                            bigint, NOT NULL
                                                                                                                                                                                                                       starts to fill the first table again. This
                                                                                                                                                                                                                       cycle is continuous.

                                                                                                                                                                                                                       If there is only one data type value in a
                                                                                                                                                                                                                       cell in the Data Type column, it applies to
                                                                                                                                                                                                                       both MS SQL Server and to Sybase. If
                                                                                                                                                                                                                       there are two data type values, the first
                                                                                                                                                                                                                       applies to MS SQL Server and the
                                                                                                                                                                                                                       second applies to Sybase.
                                   A USN-based serial number; this ID is not unique.
DOMAIN_ID                          GUID of the domain to which the log belongs                                                                 char(32), NOT NULL
SITE_ID                            GUID of the site to which the log belongs                                                                   char(32), NOT NULL
SERVER_ID                          GUID of the server to which the log belongs                                                                 char(32), NOT NULL
GROUP_ID                           GUID of the group to which the log belongs                                                                  char(32), NOT NULL
COMPUTER_ID                        GUID of the client computer associated with the agent security log                                          char(32), NOT NULL
TIME_STAMP                         The time when the event is logged into system (GMT), which is server side time                              bigint, NOT NULL



                                   Compliance events:
                                   209 = Host Integrity failed (TSLOG_SEC_NO_AV)
                                   210 = Host Integrity passed (TSLOG_SEC_AV)
                                   221 = Host Integrity failed but reported as PASS
                                   237 = Host Integrity custom log entry

                                   Firewall and IPS events:
                                   207 = Active Response
                                   211 = Active Response Disengaged
                                   219 = Active Response Cancelled
                                   205 = Executable file changed
EVENT_ID                           216 = Executable file change detected                                                                       int, NOT NULL
                                   217 = Executable file change accepted
                                   218 = Executable file change denied
                                   220 = Application Hijacking
                                   201 = Invalid traffic by rule
                                   202 = Port Scan
                                   203 = Denial of Service
                                   204 = Trojan
                                   206 = Intrusion Prevention System (Intrusion Detected, TSLOG_SEC_INTRUSION_DETECTED)
                                   208 = MAC Spoofing

                                   Application and Device control:
                                   238 = Device control disabled device
                                   239 = Buffer Overflow Event
                                   240 = Software protection has thrown an exception
EVENT_TIME                         The event generated time (GMT)                                                                              bigint, NOT NULL
      Symantec Corp Confidential                                                                                         SEP Table Definition                                                                        3/3/2012 Page 29 / 54



                                   It is severity defined in Security Rule.
                                   Critical = 0 - 3
SEVERITY                           Major = 4 - 7                                                                                               int, NOT NULL
                                   Minor = 8 - 11
                                   Info = 12 - 15
AGENT_ID                           GUID of the agent                                                                                           char(32), NULL
HARDWARE_KEY                       Hash of Computer Hardware information                                                                       char(32), NULL
HOST_NAME                          Host Name of client computer                                                                                nvarchar(256), varchar(256), NULL
LOCAL_HOST_IP                      The IP address of local computer (IPv4)                                                                     bigint, NULL
REMOTE_HOST_IP                     The IP address of remote computer (IPv4)                                                                    bigint, NULL
REMOTE_HOST_NAME                   The Name of remote computer (it may be empty if name solve failed)                                          nvarchar(64), varchar(64), NULL
TRAFFIC_DIRECTION                  The direction of traffic. Enum ( unknown = 0; inbound = 1; outbound = 2)                                    tinyint, NULL
NETWORK_PROTOCOL                   The protocol type: Enum (OTHERS = 1; TCP = 2; UDP = 3; ICMP = 4)                                            tinyint, NULL
                                   It is reason if event ID is TSLOG_SEC_NO_AV
                                   It is intrusion ID if Event ID is TSLOG_SEC_INTRUSION_DETECTED
                                   It is additional information if event ID is TSLOG_SEC_AV

HACK_TYPE                          Reasons:                                                                                                    int, NULL

                                   Process is not running - Bit0 is 1
                                   Signature is out of date - Bit1 is 1
                                   Recovery was attempted - Bit2 is 1
BEGIN_TIME                         The begin time of security issue                                                                            bigint, NULL
                                   The end time of security issue. End time is an optional field because we may fail to detect the exact
END_TIME                                                                                                                                       bigint, NULL
                                   end time of traffic, like UDP. In those cases, the end time is equal to begin time.
                                   The number of attacks. Sometime, when a hacker launches a mass attack, it may be damped to
REPETITION                                                                                                                                     int, NULL
                                   one event by the log system.
                                   The full path of application involved. It may be empty if unknown application is involved with that or
APP_NAME                           no application involved. For example, the ping of death DoS attacking doesn’t have AppName                  nvarchar(256), varchar(256), NULL
                                   because it attacks OS itself.
EVENT_DESC                         Description of the event. Usually, the first line of the description is treated as “summary”.               nvarchar(2000), varchar(4000), NULL
EVENT_DATA                         Additional data in binary format. This field is optional.                                                   varbinary(3000), NULL
ALERT                              It reflects the alert attribute in profile action. It is true if action::alert is true. (Yes = 1, No = 0)   tinyint, NULL
SEND_SNMP_TRAP                     It reflects the send SNMP trap action. It is true if send is true. (Yes = 1, No = 0)                        tinyint, NULL
LOCAL_HOST_MAC                     The MAC address of local computer                                                                           varchar(18), NULL
REMOTE_HOST_MAC                    The MAC address of remote computer                                                                          varchar(18), NULL
LOCATION_NAME                      The location used when event occurs                                                                         nvarchar(256), varchar(256), NULL
USER_NAME                          Login user name                                                                                             nvarchar(256), varchar(256), NULL
DOMAIN_NAME                        Login domain name                                                                                           nvarchar(256), varchar(256), NULL
RESERVED_INT1                                                                                                                                  int, NULL
RESERVED_INT2                                                                                                                                  int, NULL
RESERVED_BIGINT1                                                                                                                               bigint, NULL
RESERVED_BIGINT2                                                                                                                               bigint, NULL
RESERVED_CHAR1                                                                                                                                 char(32), NULL
RESERVED_CHAR2                                                                                                                                 char(32), NULL
RESERVED_VARCHAR1                                                                                                                              nvarchar(260), VARCHAR(260), NULL
RESERVED_BINARY                                                                                                                                varbinary(1900), NULL
AGENT_SECURITY_LOG_IDX             Log index unique ID                                                                                         char(32), NULL



AGENT_SYSTEM_LOG_1 and AGENT_SYSTEM_LOG_2
Column Name                        Comment                                                                                                     Data Type (MS, Sybase)                Default Value   Primary Key   Description
                                                                                                                                                                                                                   This table lists the database schema for
                                                                                                                                                                                                                   the Agent System logs.

                                                                                                                                                                                                                   There are two tables for this schema.
                                                                                                                                                                                                                   When logs are stored, the Policy
                                                                                                                                                                                                                   Manager uses the first table until it is full.
                                                                                                                                                                                                                   It then switches to using the second
                                                                                                                                                                                                                   table. The data in the first table is kept
                                                                                                                                                                                                                   intact until the second table fills. Then it
USN                                                                                                                                            bigint, NOT NULL
                                                                                                                                                                                                                   starts to fill the first table again. This
                                                                                                                                                                                                                   cycle is continuous.

                                                                                                                                                                                                                   If there is only one data type value in a
                                                                                                                                                                                                                   cell in the Data Type column, it applies to
                                                                                                                                                                                                                   both MS SQL Server and to Sybase. If
                                                                                                                                                                                                                   there are two data type values, the first
                                                                                                                                                                                                                   applies to MS SQL Server and the
                                                                                                                                                                                                                   second applies to Sybase.
                                   A USN-based serial number; this ID is not unique.
DOMAIN_ID                          GUID of the domain to which the log belongs                                                                 char(32), NOT NULL
SITE_ID                            GUID of the site to which the log belongs                                                                   char(32), NOT NULL
SERVER_ID                          GUID of the server to which the log belongs                                                                 char(32), NOT NULL
GROUP_ID                           GUID of the group to which the log belongs                                                                  char(32), NOT NULL
COMPUTER_ID                        GUID of the client computer that is associated with the agent system log                                    char(32), NOT NULL
TIME_STAMP                         An event when the event is logged into system (GMT), which is server side time
                                   The time ID from send agent                                                                                 bigint, NOT NULL

                                   AGENT_SYSTEM_INSTALL_EVENT_TYPES = Installation events: possible values are
                                   0x12070001 = Internal error
                                   0x12070101 = Install complete
                                   0x12070102 = Restart recommended
                                   0x12070103 = Restart required
                                   0x12070104 = Installation failed
                                   0x12070105 = Uninstallation complete
                                   0x12070106 = Uninstallation failed
                                   0x12071037 = Symantec AntiVirus installed
                                   0x12071038 = Symantec Firewall installed
                                   0x12071039 = Uninstall
                                   0x1207103A = Uninstall rolled-back

                                   AGENT_SYSTEM_SERVICE_EVENT_TYPES = Service events: possible values are
                                   0x12070201 = Service starting
                                   0x12070202 = Service started
                                   0x12070203 = Service start failure
EVENT_ID                                                                                                                                       int, NOT NULL
                                   0x12070204 = Service stopped,0x12070205=Service stop failure
                                   0x1207021A = Attempt to stop service

                                   AGENT_SYSTEM_CONFIG_EVENT_TYPES = Configuration events: possible values are
                                   0x12070206 = Config import complete
                                   0x12070207 = Config import error
                                   0x12070208 = Config export complete
                                   0x12070209 = Config export error

                                   AGENT_SYSTEM_HI_EVENT_TYPES = Host Integrity events: possible values are
                                   0x12070210 = Host Integrity disabled
                                   0x12070211 = Host Integrity enabled
                                   0x12070220 = NAP integration enabled

                                   AGENT_SYSTEM_IMPORT_EVENT_TYPES = Import events: possible values are
                                   0x12070214 = Successfully imported advanced rule
                                   0x12070215 = Failed to import advanced rule
                                   0x12070216 = Successfully exported advanced rule
EVENT_TIME                         The event generated time (GMT)                                                                              bigint, NOT NULL
SEVERITY                           The type of event. Possible values are: INFO = 0, WARNING = 1, ERROR = 2, FATAL = 3                         int, NOT NULL
AGENT_ID                           GUID of the agent                                                                                           char(32), NULL
HARDWARE_KEY                       Hash of Computer Hardware information                                                                       char(32), NULL
HOST_NAME                          Host Name of the client computer                                                                            nvarchar(256), varchar(256), NULL
CATEGORY                           It is not used now.                                                                                         int, NULL
EVENT_SOURCE                       The data source, such as NETPORT, NATSRV, etc.                                                              varchar(32), NOT NULL
EVENT_DESC                         Description of the event. Usually, the first line of the description is treated as “summary”.               nvarchar(1024), varchar(2048), NULL
EVENT_DATA                         Additional data in binary format. This field is optional.                                                   varbinary(2000), NULL
SEND_SNMP_TRAP                     It reflects the send SNMP trap action. It is true if send is true. (Yes = 1, No = 0)                        tinyint, NULL
RESERVED_INT1                                                                                                                                  int, NULL
RESERVED_INT2                                                                                                                                  int, NULL
RESERVED_BIGINT1                                                                                                                               bigint, NULL
RESERVED_BIGINT2                                                                                                                               bigint, NULL
RESERVED_CHAR1                                                                                                                                 char(32), NULL
RESERVED_CHAR2                                                                                                                                 char(32), NULL
RESERVED_VARCHAR1                                                                                                                              nvarchar(260), VARCHAR(260), NULL
RESERVED_BINARY                                                                                                                                varbinary(2000), NULL
LOG_IDX                            Log index unique ID                                                                                         char(32), NULL



AGENT_TRAFFIC_LOG_1 and AGENT_TRAFFIC_LOG_2
Column Name                        Comment                                                                                                     Data Type (MS, Sybase)                Default Value   Primary Key   Description
       Symantec Corp Confidential                                                                                           SEP Table Definition                                                                            3/3/2012 Page 30 / 54




                                                                                                                                                                                                                          This table is not used in Symantec
                                                                                                                                                                                                                          Network Access Control.

                                                                                                                                                                                                                          This table lists the database schema for
                                                                                                                                                                                                                          the Agent Traffic logs. There are two
                                                                                                                                                                                                                          tables for this schema. When logs are
                                                                                                                                                                                                                          stored, the Policy Manager uses the first
                                                                                                                                                                                                                          table until it is full. It then switches to
                                                                                                                                                                                                                          using the second table. The data in the
USN                                                                                                                                             bigint, NOT NULL                                                          first table is kept intact until the second
                                                                                                                                                                                                                          table fills. Then it starts to fill the first
                                                                                                                                                                                                                          table again. This cycle is continuous.

                                                                                                                                                                                                                          If there is only one data type value in a
                                                                                                                                                                                                                          cell in the Data Type column, it applies to
                                                                                                                                                                                                                          both MS SQL Server and to Sybase. If
                                                                                                                                                                                                                          there are two data type values, the first
                                                                                                                                                                                                                          applies to MS SQL Server and the
                                                                                                                                                                                                                          second applies to Sybase.
                                    A USN-based serial number; this ID is not unique.
DOMAIN_ID                           GUID of the domain to which the log belongs                                                                 char(32), NOT NULL
SITE_ID                             GUID of the site to which the log belongs                                                                   char(32), NOT NULL
SERVER_ID                           GUID of the server to which the log belongs                                                                 char(32), NOT NULL
GROUP_ID                            GUID of the group to which the log belongs                                                                  char(32), NOT NULL
COMPUTER_ID                         GUID of the client computer that is associated with the agent traffic log                                   char(32), NOT NULL
TIME_STAMP                          The time when the event is logged into system (GMT), which is server side time                              bigint, NOT NULL
                                    An event ID from send agent:
                                    301 = TCP initiated
                                    302 = UDP datagram
                                    303 = Ping request
EVENT_ID                            304 = TCP completed                                                                                         int, NOT NULL
                                    305 = Traffic (other)
                                    306 = ICMP packet
                                    307 = Ethernet packet
                                    308 = IP packet
EVENT_TIME                          The event generated time (GMT)                                                                              bigint, NOT NULL
                                    Severity as defined in the Security Rule.
                                    Critical = 0 - 3
SEVERITY                            Major = 4 - 7                                                                                               int, NOT NULL
                                    Minor = 8 - 11
                                    Info = 12 - 15
AGENT_ID                            GUID of the agent                                                                                           char(32), NULL
HARDWARE_KEY                        Hash of Computer Hardware information                                                                       char(32), NULL
HOST_NAME                           Host Name of the client computer                                                                            nvarchar(256), varchar(256), NULL
LOCAL_HOST_IP                       The IP address of local computer (IPv4)                                                                     bigint, NULL
REMOTE_HOST_IP                      The IP address of remote computer (IPv4)                                                                    bigint, NULL
REMOTE_HOST_NAME                    The Name of remote computer (it may be empty if name solve failed)                                          nvarchar(64), varchar(64), NULL
NETWORK_PROTOCOL                    The protocol type: Enum (OTHERS = 1; TCP = 2; UDP = 3; ICMP = 4)                                            tinyint, NULL
                                    The TCP/UDP port in local machine (host byte-order). It is only valid on TSE_TRAFFIC_TCP and
LOCAL_PORT                                                                                                                                      int, NULL
                                    TSE_TRAFFIC_UDP. On the other event, it is always zero.
                                    The TCP/UDP port in remote machine (host byte-order). It is only valid on TSE_TRAFFIC_TCP and
REMOTE_PORT                                                                                                                                     int, NULL
                                    TSE_TRAFFIC_UDP. On the other event, it is always zero.
TRAFFIC_DIRECTION                   The direction of traffic. Enum ( unknown = 0; inbound = 1; outbound = 2)                                    tinyint, NULL
BEGIN_TIME                          The begin time of security issue                                                                            bigint, NULL
                                    The end time of security issue. End time is an optional field because we may fail to detect the exact
END_TIME                                                                                                                                        bigint, NULL
                                    end time of traffic, like UDP. In those cases, the end time is equal to begin time.
                                    The number of attacks. Sometime, when a hacker launches a mass attack, it may be damped to
REPETITION                                                                                                                                      int, NULL
                                    one event by the log system.
                                    The full path of application involved. It may be empty if an unknown application is involved or if no
APP_NAME                            application is involved. For example, the ping of death DoS attack doesn’t have AppName because             nvarchar(256), varchar(256) , NULL
                                    it attacks the operating system itself.
BLOCKED                             Specify if the traffic was blocked. (Yes = 1, No = 0)                                                       tinyint, NOT NULL
                                    The ID of rule triggered by the event. It is always 0 if rule ID is not specified in security rule. The
RULE_ID                             field is helpful to security rule troubleshooting. If multiple rules matched, it logs the rule that has     char(32), NULL
                                    finial decision on PacketProc (pass/block/drop).
                                    The name of rule triggered by the event. It is always empty string if rule name is not specified in
RULE_NAME                           security rule. It is for troubleshooting also. In theory, IT admin can know the rule by ID. However,        nvarchar(256), varchar(256), NULL
                                    name gives user a direct view of rule that could be used.
ALERT                               It reflects the alert attribute in profile action. It is true if action::alert is true. (Yes = 1, No = 0)   tinyint, NULL
SEND_SNMP_TRAP                      It reflects the send SNMP trap action. It is true if send is true. (Yes = 1, No = 0)                        tinyint, NULL
LOCAL_HOST_MAC                      The MAC address of local computer                                                                           varchar(18), NULL
REMOTE_HOST_MAC                     The MAC address of remote computer                                                                          varchar(18), NULL
LOCATION_NAME                       The location used when event occurs                                                                         nvarchar(256), varchar(256), NULL
USER_NAME                           Login user name                                                                                             nvarchar(256), varchar(256), NULL
DOMAIN_NAME                         Login domain name                                                                                           nvarchar(256), varchar(256), NULL
RESERVED_INT1                                                                                                                                   int, NULL
RESERVED_INT2                                                                                                                                   int, NULL
RESERVED_BIGINT1                                                                                                                                bigint, NULL
RESERVED_BIGINT2                                                                                                                                bigint, NULL
RESERVED_CHAR1                                                                                                                                  char(32), NULL
RESERVED_CHAR2                                                                                                                                  char(32), NULL
RESERVED_VARCHAR1                                                                                                                               nvarchar(260), VARCHAR(260), NULLL
RESERVED_BINARY                                                                                                                                 varbinary(2000), NULL
LOG_IDX                             Log index unique ID                                                                                         char(32), NULL



AGENTCONFIG
Column Name                         Comment                                                                                                     Data Type (MS, Sybase)               Default Value       Primary Key      Description
                                                                                                                                                                                                                          This table lists the database schema for
                                                                                                                                                                                                                          agent configuration. It is not used in
                                                                                                                                                                                                                          Semantic Antivirus.

IDX*                                Primary key, Index                                                                                          int, NOT NULL                                            PK_AGENTCONFIG   If there is only one data type value in a
                                                                                                                                                                                                                          cell in the Data Type column, it applies to
                                                                                                                                                                                                                          both MS SQL Server and to Sybase. If
                                                                                                                                                                                                                          there are two data type values, the first
                                                                                                                                                                                                                          applies to MS SQL Server and the
                                                                                                                                                                                                                          second applies to Sybase.
                                    Is "on" if status checking for this agent type is enabled, if status checking is not enabled, then it is
ENABLED                                                                                                                                         varchar(10), NOT NULL                ('')
                                    blank.
                                    1 = LogSender
                                    2 = ClientInventory
                                    3 = LogReaderInventory
                                    4 = LogReaderEvents
                                    5 = NotificationAgent
AGENTTYPE                                                                                                                                       varchar(20), NOT NULL                ('')
                                    6 = HistoryAgent
                                    7 = VirusCategory
                                    8 = DBmaint
                                    9 = Backup
                                    10 = DiskFull
                                    1 indicates this agent runs on a remote host; 0 indicates it is running locally on the SAV Reporter
REMOTEX                                                                                                                                         int, NOT NULL                                        0
                                    host itself.
WARNAFTER_VALUE                     Time of agent inactivity after which a warning will be raised                                               int, NOT NULL                                        0
WARNAFTER_UNIT                      Unit for Warnafter_value (minutes, hours or days)                                                           varchar(10), NOT NULL                ('')
EMAIL                               Comma-separated list of e-mail addresses to receive a warning mail if agent is considered inactive varchar(255), NOT NULL                        ('')


AGENTSTATUS
Column Name                         Comment                                                                                                     Data Type (MS, Sybase)               Default Value       Primary Key      Description
                                                                                                                                                                                                                          This table lists agent status schema
                                                                                                                                                                                                                          information.

                                                                                                                                                                                                                          If there is only one data type value in a
IDX*                                Primary key                                                                                                 char(32), NOT NULL                                       PK_AGENTSTATUS   cell in the Data Type column, it applies to
                                                                                                                                                                                                                          both MS SQL Server and to Sybase. If
                                                                                                                                                                                                                          there are two data type values, the first
                                                                                                                                                                                                                          applies to MS SQL Server and the
                                                                                                                                                                                                                          second applies to Sybase.

                                    Type of Agent:
                                    SAV 10.x
                                    LogSender
                                    ClientInventory
AGENTTYPE                                                                                                                                       varchar(255), NOT NULL               ('')
                                    SAV 11.x
                                    AgentSweepingTask (Database maintenance)
                                    TopThreatsTask (Gathers top and latest threats information)
                                    VirusCatTask (Gathers virus properties)
                                    ThreatCatTask (Gathers risk properties)
                                    Name associated with this agent (for LogSender agents: Server Group name; for
AGENTNAME                           LogSenderSAVSMTP agents: mail gateway host name; for ClientInventory agents: name of Parent                 varchar(255), NOT NULL               ('')
                                    Server; else: blank)
LASTRUNGMT                          Last time this agent ran stored as GMT                                                                      varchar(50), NOT NULL                                0
REMOTE_TZ_OFFSET                    Time zone offset                                                                                            int, NOT NULL                                        0
REPORTER_TZ_OFFSET                  Time zone offset                                                                                            int, NOT NULL                                        0
MAIL                                Flag whether e-mail has already been sent (1 = Yes, 0 = No)                                                 int, NOT NULL                                        0
VERSION_BUILD                       Version/build (major.minor.build) of agent                                                                  varchar(20), NOT NULL                ('00.00.00')
MACHINE_NAME                        Computer name of the client computer                                                                        nvarchar(128), NOT NULL              ('')
SERVERGROUP_IDX                     Pointer to 'identity_map' table                                                                             char(32), NOT NULL                   ('')
LASTRUN_DATA                        Extra data associated with the agent run if any                                                             nvarchar(255), varchar(255), NULL    (null)
       Symantec Corp Confidential                                                                                     SEP Table Definition                                                                              3/3/2012 Page 31 / 54




ALERTFILTER
Column Name                         Comment                                                                                             Data Type (MS, Sybase)                  Default Value        Primary Key      Description

                                                                                                                                                                                                                      This table lists alert filter schema
                                                                                                                                                                                                                      information.

                                                                                                                                                                                                                      If there is only one data type value in a
ALERTFILTER_IDX*                    Primary key                                                                                         char(32), NOT NULL                                           PK_ALERTFILTER   cell in the Data Type column, it applies to
                                                                                                                                                                                                                      both MS SQL Server and to Sybase. If
                                                                                                                                                                                                                      there are two data type values, the first
                                                                                                                                                                                                                      applies to MS SQL Server and the
                                                                                                                                                                                                                      second applies to Sybase.
USER_ID                             User ID                                                                                             char(32), NOT NULL                      ('')
FILTERNAME                          User-specified name of filter                                                                       NVARCHAR(255), varchar(255), NOT NULL   ('')
STARTDATEFROM                       Start date                                                                                          datetime, NOT NULL                      ('19700101')
STARTDATETO                         End date                                                                                            datetime, NOT NULL                      ('19700101')
                                    0 = past week
                                    1 = past month
                                    2 = past three months
RELATIVEDATETYPE                                                                                                                        int, NOT NULL                                           0
                                    3 = past year
                                    4 = past 24 hours
                                    5 = current month
                                    1 = Acknowledged
FILTERACKNOWLEDGED                                                                                                                      NVARCHAR(255), varchar(255), NOT NULL   ('')
                                    0 = Unacknowledged
                                    AF = Authentication failure
                                    CL = Client list changed
                                    CS = Client security alert
                                    ED = Enforcer Down
                                    WL = Forced or commercial application detected
                                    LA = New learned application
                                    NV = New risk detected
FILTERSUBJECT                                                                                                                           NVARCHAR(255), varchar(255), NOT NULL   ('')
                                    NS = New software package
                                    VO = Virus outbreak
                                    DF = Server health
                                    1V = Single risk event
                                    SE = System event
                                    UM = Unmanaged computer
                                    ID = Virus definitions out-of-date
FILTERCREATEDBY                     GUID of the administrator who created any alert filters                                             NVARCHAR(255), varchar(255), NOT NULL   ('')
LASTCOLUMN                                                                                                                              varchar(255), NOT NULL                  ('')
SERVERGROUP                         Not used                                                                                            NVARCHAR(255), varchar(255), NOT NULL   ('')
CLIENTGROUP                         Not used                                                                                            NVARCHAR(255), varchar(255), NOT NULL   ('')
PARENTSERVER                        Not used                                                                                            NVARCHAR(255), varchar(255), NOT NULL   ('')
COMPUTER                            Not used                                                                                            NVARCHAR(255), varchar(255), NOT NULL   ('')
THREATNAME                          Not used                                                                                            NVARCHAR(255), varchar(255), NOT NULL   ('')
THREATCATEGORY                      Not used                                                                                            varchar(255), NOT NULL                  ('')
SOURCE                              Not used                                                                                            varchar(255), NOT NULL                  ('')
ACTUALACTION                        Not used                                                                                            varchar(255), NOT NULL                  ('')
LIMITROWS                           Number of rows to use for pagination                                                                int, NOT NULL                                           20
USERELATIVE                         Use relative dates ('on') or absolute dates                                                         char(2), NOT NULL                       ('on')
REPORTINPUTS                        Special parameters if report needs them                                                             nvarchar(64), varchar(64), NOT NULL     ('')
NOTIFICATIONNAME                    Name of selected notification condition                                                             NVARCHAR(255), varchar(255), NOT NULL   ('')
USN                                 A USN-based serial number; this ID is not unique.                                                   bigint, NOT NULL                                        1
TIME_STAMP                          The time when the event is logged into system (GMT), which is server side time                      bigint, NOT NULL                                        0
DELETED                             Deleted row: 0 = not deleted, 1 = deleted                                                           tinyint, NOT NULL                                       0


ALERTMSG
Column Name                         Comment                                                                                             Data Type (MS, Sybase)                  Default Value        Primary Key      Description

                                                                                                                                                                                                                      This table lists alert message schema
                                                                                                                                                                                                                      information.

                                                                                                                                                                                                                      If there is only one data type value in a
ALERT_IDX*                          Primary key (one of 1 through 9)                                                                    int, NOT NULL                                                PK_ALERTMSG      cell in the Data Type column, it applies to
                                                                                                                                                                                                                      both MS SQL Server and to Sybase. If
                                                                                                                                                                                                                      there are two data type values, the first
                                                                                                                                                                                                                      applies to MS SQL Server and the
                                                                                                                                                                                                                      second applies to Sybase.

                                    This is a hard-coded English string used as a look-up corresponding to an event ID from sender
                                    agent as follows:
                                    1 = Virus found
                                    2 = Security risk found
                                    3 is not used
ALERT                               4 is not used                                                                                       varchar(128), NOT NULL                  ('')
                                    5 = Commercial application detected
                                    6 = Forced proactive threat detected
                                    7 = Proactive detection now permitted
                                    8 = Potential risk found
                                    9 = Risk sample submitted to Symantec


ALERTS
Column Name                         Comment                                                                                             Data Type (MS, Sybase)                  Default Value        Primary Key      Description
                                                                                                                                                                                                                      This table lists alerts schema
                                                                                                                                                                                                                      information.

                                                                                                                                                                                                                      If there is only one data type value in a
IDX*                                Primary key                                                                                         char(32), NOT NULL                                           PK_ALERTS        cell in the Data Type column, it applies to
                                                                                                                                                                                                                      both MS SQL Server and to Sybase. If
                                                                                                                                                                                                                      there are two data type values, the first
                                                                                                                                                                                                                      applies to MS SQL Server and the
                                                                                                                                                                                                                      second applies to Sybase.
ALERT_IDX                           Pointer to table ALERTMSG                                                                           int, NOT NULL                                           0
COMPUTER_IDX                        Foreign key to SEM_COMPUTER.COMPUTER_ID                                                             char(32), NOT NULL                      ('')
                                    Hard-coded English string used as lookup key for scan types:
                                    "Scheduled Scan"
                                    "Manual Scan"
                                    "Real Time Scan"
                                    "Integrity Shield"
                                    "Definition downloader"
SOURCE                                                                                                                                  varchar(50), NOT NULL                   ('')
                                    "System"
                                    "Startup Scan"
                                    "DefWatch"
                                    "Manual Quarantine"
                                    "Reboot Processing"
                                    "Heuristic Scan"
VIRUSNAME_IDX                       Pointer to table 'virus'                                                                            char(32), NOT NULL                      ('')
                                    Number of events for aggregated event record. This can be due to client-side aggregation, server-
NOOFVIRUSES                                                                                                                             int, NOT NULL                                           1
                                    side compression, or both.
FILEPATH                            File path of attacked file                                                                          NVARCHAR(255), VARCHAR(255), NOT NULL   ('')
DESCRIPTION                                                                                                                             NVARCHAR(255), VARCHAR(255), NOT NULL   ('')
ACTUALACTION_IDX                    Pointer to table 'actualaction'; this is the action taken on the risk                               int, NOT NULL                                           0
REQUESTEDACTION_IDX                 Pointer to table 'actualaction'; this is the action requested by the policy                         int, NOT NULL                                           0
SECONDARYACTION_IDX                 Pointer to table 'actualaction'; this is the secondary action requested by the policy               int, NOT NULL                                           0
ALERTDATETIME                       Time of event occurrences                                                                           datetime, NOT NULL                      ('19700101')
ALERTINSERTTIME                     Time at which event was inserted in to the database                                                 datetime, NOT NULL                      ('19700101')
SERVERGROUP_IDX                     Pointer to table 'identity_map'; this is the SEPM domain GUID                                       char(32), NOT NULL                      ('')
USER_NAME                           User logged into machine when event took place                                                      nvarchar(64), varchar(64), NOT NULL     ('')
PARENTSERVER_IDX                    Pointer to table 'identity_map'; this is the SEPM server GUID                                       char(32), NOT NULL                      ('')
CLIENTGROUP_IDX                     Pointer to table 'identity_map'; this is the SEPM group GUID                                        char(32), NOT NULL                      ('')
SOURCE_COMPUTER_NAME                This is the source of the threat. This is logged when threat tracer is enabled in the AV policy.    nvarchar(64), varchar(64), NOT NULL     ('')
SOURCE_COMPUTER_IP                  This is the source of the threat. This is logged when threat tracer is enabled in the AV policy.    bigint, NOT NULL                                        0
                                    Pointer to the related compressed event in the ALERTS table. This is the compressed event
MOTHER_IDX                          created by database maintenance. A value here means this event has been aggregated server-          char(32), NOT NULL                      ('')
                                    side and is a child event.
LAST_LOG_SESSION_GUID               This is an ID used by the client to keep track of related threat events.                            char(32), NOT NULL                      ('')
ALERTENDDATETIME                    Time at which event ended. This is the end of the aggregated event time.                            datetime, NOT NULL                      ('19700101')
HPP_APP_IDX                         Pointer to hpp_application table                                                                    varchar(32), NOT NULL                   ('')
SITE_IDX                            Pointer to table 'identity_map'; this is the SEPM site GUID                                         char(32), NULL                          (null)
VBIN_ID                             Client-side ID of the quarantined threat if quarantined                                             bigint, NOT NULL                                        0
SCAN_ID                             Pointer to scan table event that picked up this event                                               bigint, NOT NULL                                        0
USN                                 A USN-based serial number; this ID is not unique.                                                   bigint, NOT NULL                                        1
                                    The time when the event is logged into system or updated in the system (GMT), which is server
TIME_STAMP                                                                                                                              bigint, NOT NULL                                        0
                                    side time
DELETED                             Deleted row: 0 = not deleted, 1 = deleted                                                           tinyint, NOT NULL                                       0
LOCAL_HOST_IP                       IP address of the client when the detection was made                                                bigint,NULL                                             0
AV_PRODUCT                          Name of the AV product                                                                              varchar(256),NULL                       (null)
AV_PRODUCT_VERSION                  Version of the AV product                                                                           varchar(64),NULL                        (null)
                                    The status of the risk.
STATUS                              0: Success                                                                                          varchar(6),NULL                         (NULL)
                                    1: Restart required

ANOMALYDETECTION
Column Name                         Comment                                                                                             Data Type (MS, Sybase)                  Default Value        Primary Key      Description
    Symantec Corp Confidential                                                                                      SEP Table Definition                                                                                             3/3/2012 Page 32 / 54



                                                                                                                                                                                                                                   This table lists anomaly detection
                                                                                                                                                                                                                                   schema information.

                                                                                                                                                                                                                                   If there is only one data type value in a
ANOMALY_DETECTION_IDX*             Primary key                                                                                        char(32), NOT NULL                                          PK_ANOMALYDETECTION              cell in the Data Type column, it applies to
                                                                                                                                                                                                                                   both MS SQL Server and to Sybase. If
                                                                                                                                                                                                                                   there are two data type values, the first
                                                                                                                                                                                                                                   applies to MS SQL Server and the
                                                                                                                                                                                                                                   second applies to Sybase.
ANOMALY_DETECTION_OPERATION_ID     Pointer to table 'Anomalydetectionoperation'                                                       int, NOT NULL                                           0
ANOMALY_DETECTION_TYPE_ID          Pointer to table 'Anomalydetectiontype'                                                            int, NOT NULL                                           0
ACTION_OPERAND                     File or registry key on which this action took place                                               NVARCHAR(512), VARCHAR(512), NOT NULL   ('')
USN                                A USN-based serial number; this ID is not unique.                                                  bigint, NOT NULL                                        1
TIME_STAMP                         The time when the event is logged into system (GMT), which is server side time                     bigint, NOT NULL                                        0
DELETED                            Deleted row: 0 = not deleted, 1 = deleted                                                          tinyint, NOT NULL                                       0
ACTION_OPERAND_HASH                Hash value for the column ACTION_OPERAND                                                           CHAR(32), NULL


ANOMALYDETECTIONOPERATION
Column Name                        Comment                                                                                            Data Type (MS, Sybase)                  Default Value       Primary Key                      Description
                                                                                                                                                                                                                                   This table lists anomaly detection
                                                                                                                                                                                                                                   operation schema information.

                                                                                                                                                                                                                                   If there is only one data type value in a
DETECTION_OPERATION_ID*            0-8                                                                                                int, NOT NULL                                               PK_ANOMALYDETECTIONOPERATION     cell in the Data Type column, it applies to
                                                                                                                                                                                                                                   both MS SQL Server and to Sybase. If
                                                                                                                                                                                                                                   there are two data type values, the first
                                                                                                                                                                                                                                   applies to MS SQL Server and the
                                                                                                                                                                                                                                   second applies to Sybase.

                                   Detection_Operation_ID, Detection_Operation_Desc (hard-coded English string used for lookup)
                                   0 = Unknown
                                   1 = Scan
                                   2 = Present
                                   3 = Not Present
DETECTION_OPERATION_DESC                                                                                                              varchar(255), NOT NULL                  ('')
                                   4 = Equal
                                   5 = Not Equal
                                   6 = Equal (Case-insensitive)
                                   7 = Not Equal (Case-insensitive)
                                   8 = Scan Memory



ANOMALYDETECTIONS
Column Name                        Comment                                                                                            Data Type (MS, Sybase)                  Default Value       Primary Key                      Description
                                                                                                                                                                                                                                   This table lists anomaly detections
                                                                                                                                                                                                                                   schema information.

                                                                                                                                                                                                                                   If there is only one data type value in a
ALERT_EVENT_IDX                    Foreign key to ALERTS.IDX                                                                          char(32), NOT NULL                                                                           cell in the Data Type column, it applies to
                                                                                                                                                                                                                                   both MS SQL Server and to Sybase. If
                                                                                                                                                                                                                                   there are two data type values, the first
                                                                                                                                                                                                                                   applies to MS SQL Server and the
                                                                                                                                                                                                                                   second applies to Sybase.
ANOMALY_DETECTION_IDX              Pointer to table 'anomalydetection'                                                                char(32), NOT NULL
                                   Scan detection status. Currently always 1 to mean "successful detection performed". Other values
STATUS                                                                                                                                int, NOT NULL
                                   are reserved for future use.
LOG_SESSION_GUID                   This is an ID used by the client to keep track of related threat events.                           char(32), NOT NULL                      ('')
USN                                A USN-based serial number; this ID is not unique.                                                  bigint, NOT NULL                                        1
TIME_STAMP                         The time when the event is logged into system (GMT), which is server side time                     bigint, NOT NULL                                        0
DELETED                            Deleted row: 0 = not deleted, 1 = deleted                                                          tinyint, NOT NULL                                       0
ID*                                Primary key (added 11.0.1)                                                                         char(32), NOT NULL                                          PK_ANOMALYDETECTIONS


ANOMALYDETECTIONTYPE
Column Name                        Comment                                                                                            Data Type (MS, Sybase)                  Default Value       Primary Key                      Description
                                                                                                                                                                                                                                   This table lists anomaly detection type
                                                                                                                                                                                                                                   schema information.

                                                                                                                                                                                                                                   If there is only one data type value in a
DETECTION_TYPE_ID*                 Primary key                                                                                        int, NOT NULL                                               PK_ANOMALYDETECTIONTYPE          cell in the Data Type column, it applies to
                                                                                                                                                                                                                                   both MS SQL Server and to Sybase. If
                                                                                                                                                                                                                                   there are two data type values, the first
                                                                                                                                                                                                                                   applies to MS SQL Server and the
                                                                                                                                                                                                                                   second applies to Sybase.

                                   Detection_Type_ID, Detection_Type_Desc (a hard-coded English string used for lookup)
                                   1000 = Registry
                                   1001 = File
                                   1002 = Process
                                   1003 = Batch File
                                   1004 = INI File
DETECTION_TYPE_DESC                                                                                                                   varchar(255), NOT NULL                  ('')
                                   1005 = Service
                                   1006 = Infected File
                                   1007 = COM Object
                                   1008 = Hosts File Entry
                                   1009 = Directory
                                   1010 = Layered Service Provider


ANOMALYREMEDIATION
Column Name                        Comment                                                                                            Data Type (MS, Sybase)                  Default Value       Primary Key                      Description
                                                                                                                                                                                                                                   This table lists anomaly remediation
                                                                                                                                                                                                                                   schema information.

                                                                                                                                                                                                                                   If there is only one data type value in a
ANOMALY_REMEDIATION_IDX*           Primary key                                                                                        char(32), NOT NULL                                          PK_ANOMALYREMEDIATION            cell in the Data Type column, it applies to
                                                                                                                                                                                                                                   both MS SQL Server and to Sybase. If
                                                                                                                                                                                                                                   there are two data type values, the first
                                                                                                                                                                                                                                   applies to MS SQL Server and the
                                                                                                                                                                                                                                   second applies to Sybase.
ANOMALY_REMEDIATION_OPERATION_ID   Pointer to table 'anomalyremediationoperation'                                                     int, NOT NULL                                           0
ANOMALY_REMEDIATION_TYPE_ID        Pointer to table 'anomalyremediationtype'                                                          int, NOT NULL                                           0
ACTION_OPERAND                     File or registry key on which this action took place.                                              NVARCHAR(512), VARCHAR(512), NOT NULL   ('')
USN                                A USN-based serial number; this ID is not unique.                                                  bigint, NOT NULL                                        1
TIME_STAMP                         The time when the event is logged into system (GMT), which is server side time                     bigint, NOT NULL                                        0
DELETED                            Deleted row: 0 = not deleted, 1 = deleted                                                          tinyint, NOT NULL                                       0
ACTION_OPERAND_HASH                Hash value for the column ACTION_OPERAND                                                           CHAR(32), NULL


ANOMALYREMEDIATIONOPERATION
Column Name                        Comment                                                                                            Data Type (MS, Sybase)                  Default Value       Primary Key                      Description
                                                                                                                                                                                                                                   This table lists anomaly remediation
                                                                                                                                                                                                                                   operation schema information.

                                                                                                                                                                                                                                   If there is only one data type value in a
REMEDIATION_OPERATION_ID*          Primary key                                                                                        int, NOT NULL                                               PK_ANOMALYREMEDIATIONOPERATION   cell in the Data Type column, it applies to
                                                                                                                                                                                                                                   both MS SQL Server and to Sybase. If
                                                                                                                                                                                                                                   there are two data type values, the first
                                                                                                                                                                                                                                   applies to MS SQL Server and the
                                                                                                                                                                                                                                   second applies to Sybase.
    Symantec Corp Confidential                                                                                    SEP Table Definition                                                                                    3/3/2012 Page 33 / 54



                                 Remediation_Operation_ID, Remediation_Operation_Desc (a hard-coded English string used for
                                 lookup)
                                 0 = Unknown
                                 1 = Delete
                                 2 = Delete Line
                                 3 = Move
                                 4 = Create Empty File
                                 5 = Set
                                 6 = Terminate
                                 7 = Suspend
                                 8 = Stop
                                 9 = Remove
                                 10 = Handle Threat
                                 11 = Set IP Address
                                 12 = Set Domain Name
                                 13 = Deny Access
                                 999 = Invalid
                                 1001 = Move
REMEDIATION_OPERATION_DESC                                                                                                    varchar(255), NOT NULL                  ('')
                                 1002 = Rename
                                 1003 = Delete
                                 1004 = Leave Alone
                                 1005 = Clean
                                 1006 = Remove Macros
                                 1007 = Save As
                                 1008 = Move Back
                                 1010 = Rename Back
                                 1011 = Undo
                                 1012 = Bad
                                 1013 = Backup
                                 1014 = Pending
                                 1015 = Partial
                                 1016 = Terminate
                                 1017 = Exclude
                                 1018 = Reboot Processing
                                 1019 = Clean By Deletion
                                 1020 = Access Denied


ANOMALYREMEDIATIONS
Column Name                      Comment                                                                                      Data Type                               Default Value         Primary Key                 Description
                                                                                                                                                                                                                        This table lists anomaly remediations
                                                                                                                                                                                                                        schema information.

                                                                                                                                                                                                                        If there is only one data type value in a
ALERT_EVENT_IDX                  Foreign key to ALERTS.IDX                                                                    char(32), NOT NULL                                                                        cell in the Data Type column, it applies to
                                                                                                                                                                                                                        both MS SQL Server and to Sybase. If
                                                                                                                                                                                                                        there are two data type values, the first
                                                                                                                                                                                                                        applies to MS SQL Server and the
                                                                                                                                                                                                                        second applies to Sybase.
ANOMALY_REMEDIATION_IDX          Pointer to table 'anomalyremediation'                                                        char(32), NOT NULL
STATUS                           1 = successful remediation, 0 = failed remediation, no default.                              int, NOT NULL
LOG_SESSION_GUID                 This is an ID used by the client to keep track of related threat events.                     char(32), NOT NULL
USN                              A USN-based serial number; this ID is not unique                                             bigint, NOT NULL                                         1
TIME_STAMP                       The time when the event is logged into system (GMT), which is server side time               bigint, NOT NULL                                         0
DELETED                          Deleted row; 0 = Not deleted, 1 = deleted                                                    tinyint, NOT NULL                                        0
ID*                              Primary key (added 11.0.1)                                                                   char(32), NOT NULL                                            PK_ANOMALYREMEDIATIONS


ANOMALYREMEDIATIONTYPE
Column Name                      Comment                                                                                      Data Type (MS, Sybase)                  Default Value         Primary Key                 Description
                                                                                                                                                                                                                        This table lists anomaly remediation type
                                                                                                                                                                                                                        schema information.

                                                                                                                                                                                                                        If there is only one data type value in a
REMEDIATION_TYPE_ID*             Primary key                                                                                  int, NOT NULL                                                 PK_ANOMALYREMEDIATIONTYPE   cell in the Data Type column, it applies to
                                                                                                                                                                                                                        both MS SQL Server and to Sybase. If
                                                                                                                                                                                                                        there are two data type values, the first
                                                                                                                                                                                                                        applies to MS SQL Server and the
                                                                                                                                                                                                                        second applies to Sybase.

                                 Remediation_Type_ID, Remediation_Type_Desc (hard-coded English string used for lookup)
                                 2000 = Registry
                                 2001 = File
                                 2002 = Process
                                 2003 = Batch File
                                 2004 = INI File
REMEDIATION_TYPE_DESC            2005 = Service                                                                               varchar(255), NOT NULL                  ('')
                                 2006 = Infected File
                                 2007 = COM Object
                                 2008 = Hosts File Entry
                                 2009 = Directory
                                 2010 = Layered Service Provider
                                 2011 = Internet Browser Cache


AUDIT_REPORT
Column Name                      Comment                                                                                      Data Type (MS, Sybase)                  Default Value         Primary Key                 Description
                                                                                                                                                                                                                        This table lists audit report schema
                                                                                                                                                                                                                        information.

                                                                                                                                                                                                                        If there is only one data type value in a
AUDITFILTER_IDX*                 Primary key                                                                                  char(32), NOT NULL                                            PK_AUDITREPORT              cell in the Data Type column, it applies to
                                                                                                                                                                                                                        both MS SQL Server and to Sybase. If
                                                                                                                                                                                                                        there are two data type values, the first
                                                                                                                                                                                                                        applies to MS SQL Server and the
                                                                                                                                                                                                                        second applies to Sybase.
USER_ID                          GUID of the administrator who created this filter                                            char(32), NOT NULL                      ('')
FILTERNAME                       Name of filter                                                                               NVARCHAR(255), VARCHAR(255), NOT NULL   ('')
STARTDATEFROM                    Start time for filter                                                                        datetime, NOT NULL                      ('19700101')
STARTDATETO                      End time for filter                                                                          datetime, NOT NULL                      ('19700101')
                                 0 = past week
                                 1 = past month
                                 2 = past three months
RELATIVEDATETYPE                                                                                                              int, NOT NULL                                            0
                                 3 = past year
                                 4 = past 24 hours
                                 5 = current month
                                 0 = Policy added
                                 1 = Policy deleted
                                 2 = Policy edited
EVENTTYPE                                                                                                                     int, NULL                               (null)
                                 3 = Add shared policy upon system install
                                 4 = Add shared policy upon system upgrade
                                 5 = Add shared policy upon domain creation
SERVERGROUPLIST                  Comma-separated, wild-carded domain names by which to filter                                 NVARCHAR(255), VARCHAR(255), NOT NULL   ('')
PARENTSERVERLIST                 Comma-separated, wild-carded server names by which to filter                                 NVARCHAR(255), VARCHAR(255), NOT NULL   ('')
USERLIST                         Comma-separated, wild-carded user names by which to filter                                   NVARCHAR(255), VARCHAR(255), NOT NULL   ('')
POLICYNAMELIST                   Comma-separated, wild-carded policy names by which to filter                                 NVARCHAR(255), VARCHAR(255), NOT NULL   ('')
SITELIST                         Comma-separated, wild-carded site names by which to filter                                   NVARCHAR(255), VARCHAR(255), NOT NULL   ('')
SORTORDER                        Column/Field by which to sort data                                                           varchar(32), NOT NULL                   ('TIME_STAMP')
SORTDIR                          DESC = descending sort, ASC = ascending sort                                                 varchar(5), NOT NULL                    ('DESC')
LIMITROWS                        Number of rows to use for pagination                                                         int, NOT NULL                                            20
USERELATIVE                      Use relative dates ('on') or absolute dates                                                  char(2), NOT NULL                       ('on')
REPORT_IDX                       Not used                                                                                     int, NOT NULL                           ('0')
REPORTINPUTS                     Special parameters if report needs them                                                      NVARCHAR(64), VARCHAR(64), NOT NULL     ('')
USN                              A USN-based serial number; this ID is not unique.                                            bigint, NOT NULL                                         1
TIME_STAMP                       The time when the event is logged into system (GMT), which is server side time               bigint, NOT NULL                                         0
DELETED                          Deleted flag; 0 = Not deleted, 1 = Deleted                                                   tinyint, NOT NULL                                        0


BASIC_METADATA
Column Name                      Comment                                                                                      Data Type (MS, Sybase)                  Default Value         Primary Key                 Description
                                                                                                                                                                                                                        This table lists basic metadata schema
                                                                                                                                                                                                                        information.

                                                                                                                                                                                                                        If there is only one data type value in a
CHECKSUM                                                                                                                      char(32), NOT NULL                                                                        cell in the Data Type column, it applies to
                                                                                                                                                                                                                        both MS SQL Server and to Sybase. If
                                                                                                                                                                                                                        there are two data type values, the first
                                                                                                                                                                                                                        applies to MS SQL Server and the
                                 Checksum of XML content                                                                                                                                                                second applies to Sybase.
CONTENT                          XML content of the schema object                                                             image, NOT NULL
DELETED                          Deleted flag; 0 = Not deleted, 1 = Deleted                                                   tinyint, NOT NULL
ID*                              GUID of the schema object. Primary Key.                                                      char(32), NOT NULL                                            PK_BASIC_METADATA
OWNER                            GUID of the owner. It only applies to a private object.                                      char(32), NULL
TIME_STAMP                       Time that the record was modified; used to resolve merge conflict.                           bigint, NOT NULL
TYPE                             Type name of the schema object                                                               varchar(256), NOT NULL
USN                              Update serial number; used by replication                                                    bigint, NOT NULL
                                 GUID of the domain that the object belong to.
DOMAIN_ID                                                                                                                     char(32), NULL
                                 SemRootConfig and SemSite do not have DOMAIN_ID
REF_ID                           Object reference ID                                                                          varchar(32), NULL
NAME                             Object name                                                                                  nvarchar(2000), varchar(2000), NULL
DESCRIPTION                      Object description                                                                           nvarchar(256), varchar(256), NULL
LAST_MODIFY_TIME                 Last modify time                                                                             bigint, NULL
RESERVED_INT1                                                                                                                 int, NULL
RESERVED_INT2                                                                                                                 int, NULL
    Symantec Corp Confidential                                                                                     SEP Table Definition                                                                                    3/3/2012 Page 34 / 54



RESERVED_BIGINT1                                                                                                                       bigint, NULL
RESERVED_BIGINT2                                                                                                                       bigint, NULL
RESERVED_CHAR1                                                                                                                         char(32), NULL
RESERVED_CHAR2                                                                                                                         char(32), NULL
RESERVED_VARCHAR1                                                                                                                      nvarchar(260), VARCHAR(260), NULL
RESERVED_BINARY                                                                                                                        varbinary(2000), NULL
DISABLED                         Indicate the policy is disabled or not                                                                tinyint,NULL


BEHAVIOR_REPORT
Column Name                      Comment                                                                                               Data Type (MS, Sybase)                  Default Value         Primary Key         Description
                                                                                                                                                                                                                         This table lists behavior report schema
                                                                                                                                                                                                                         information.

                                                                                                                                                                                                                         If there is only one data type value in a
BEHAVIORFILTER_IDX*              Primary key                                                                                           char(32), NOT NULL                                            PK_BEHAVIORREPORT   cell in the Data Type column, it applies to
                                                                                                                                                                                                                         both MS SQL Server and to Sybase. If
                                                                                                                                                                                                                         there are two data type values, the first
                                                                                                                                                                                                                         applies to MS SQL Server and the
                                                                                                                                                                                                                         second applies to Sybase.
USER_ID                          GUID of user who created this filter                                                                  char(32), NOT NULL                      ('')
FILTERNAME                       Name of filter                                                                                        NVARCHAR(255), VARCHAR(255), NOT NULL   ('')
STARTDATEFROM                    Filter start date                                                                                     datetime, NOT NULL                      ('19700101')
STARTDATETO                      Filter end date                                                                                       datetime, NOT NULL                      ('19700101')
                                 0 = past week
                                 1 = past month
                                 2 = past three months
RELATIVEDATETYPE                                                                                                                       int, NOT NULL                                            0
                                 3 = past year
                                 4 = past 24 hours
                                 5 = current month
BEHAVIORTYPE                     1 = Application type, 2 = Device Control type                                                         tinyint, NULL                           (null)
                                 1 = Critical
                                 5 = Major
SEVERITY                                                                                                                               int, NULL                               (null)
                                 9 = Minor
                                 13 = Information
                                 For Application Control
                                 501 = Application Control Driver
EVENTTYPE                                                                                                                              int, NULL                               (null)
                                 502 = Application Control Rules
                                 999 = Tamper Protection
                                 0 = Allow
                                 1 = Block
ACTION                           2 = Ask                                                                                               tinyint, NULL                           (null)
                                 3 = Continue
                                 4 = Terminate
SERVERGROUPLIST                  Comma-separated, wild-carded domain names by which to filter                                          NVARCHAR(255), VARCHAR(255), NOT NULL   ('')
CLIENTGROUPLIST                  Comma-separated, wild-carded group names by which to filter                                           NVARCHAR(255), VARCHAR(255), NOT NULL   ('')
PARENTSERVERLIST                 Comma-separated, wild-carded server names by which to filter                                          NVARCHAR(255), VARCHAR(255), NOT NULL   ('')
COMPUTERLIST                     Comma-separated, wild-carded computer names by which to filter                                        NVARCHAR(512), VARCHAR(512), NOT NULL   ('')
SITELIST                         Comma-separated, wild-carded site names by which to filter                                            NVARCHAR(255), VARCHAR(255), NOT NULL   ('')
CALLERPROCESSLIST                Comma-separated, wild-carded process names by which to filter                                         NVARCHAR(255), VARCHAR(255), NOT NULL   ('')
IPADDRESSLIST                    Comma-separated, wild-carded IP by which to filter                                                    NVARCHAR(255), VARCHAR(255), NOT NULL   ('')
USERLIST                         Comma-separated, wild-carded user names by which to filter                                            NVARCHAR(255), VARCHAR(255), NOT NULL   ('')
TEST_MODE                        1 = Yes, 0 = No                                                                                       tinyint, NULL                           (null)
SORTORDER                        Table column to sort by                                                                               varchar(32), NOT NULL                   ('EVENT_TIME')
SORTDIR                          DESC = descending order, ASC = Ascending order                                                        varchar(5), NOT NULL                    ('DESC')
LIMITROWS                        Number of rows to show for pagination                                                                 int, NOT NULL                                            20
USERELATIVE                      Use relative dates ('on') or absolute dates                                                           char(2), NOT NULL                       ('on')
REPORT_IDX                       Not used                                                                                              int, NOT NULL                           ('0')
REPORTINPUTS                     Special parameters if report needs them                                                               NVARCHAR(64), VARCHAR(64), NOT NULL     ('')
USN                              A USN-based serial number; this ID is not unique.                                                     bigint, NOT NULL                                         1
TIME_STAMP                       The time when the event is logged into system (GMT), which is server side time                        bigint, NOT NULL                                         0
DELETED                          Deleted flag; 0 = Not deleted, 1 = Deleted                                                            tinyint, NOT NULL                                        0


BINARY_FILE
Column Name                      Comment                                                                                               Data Type (MS, Sybase)                  Default Value         Primary Key         Description
                                                                                                                                                                                                                         This table lists binary file schema
                                                                                                                                                                                                                         information.

                                                                                                                                                                                                                         If there is only one data type value in a
CHECKSUM                                                                                                                               char(32), NULL                                                                    cell in the Data Type column, it applies to
                                                                                                                                                                                                                         both MS SQL Server and to Sybase. If
                                                                                                                                                                                                                         there are two data type values, the first
                                                                                                                                                                                                                         applies to MS SQL Server and the
                                 Checksum of XML content                                                                                                                                                                 second applies to Sybase.
CONTENT                          XML content of the schema object                                                                      image, NULL
                                 The deleted flag of the schema object:
DELETED                          1 = Deleted                                                                                           tinyint, NOT NULL
                                 0 = Not Deleted
ID*                              GUID of the schema object                                                                             char(32), NOT NULL                                            PK_BINARY_FILE
OWNER                            GUID of the owner. It only applies to private object                                                  char(32), NULL
TIME_STAMP                       Time that the record was modified; used to resolve merge conflict                                     bigint, NOT NULL
TYPE                             Type name of the schema object                                                                        varchar(256), NULL
USN                              Update serial number; used by replication                                                             bigint, NOT NULL
DOMAIN_ID                        GUID of the domain to which the binary file belongs                                                   char(32), NULL
RESERVED_INT1                                                                                                                          int, NULL
RESERVED_INT2                                                                                                                          int, NULL
RESERVED_BIGINT1                                                                                                                       bigint, NULL
RESERVED_BIGINT2                                                                                                                       bigint, NULL
RESERVED_CHAR1                                                                                                                         char(32), NULL
RESERVED_CHAR2                                                                                                                         char(32), NULL
RESERVED_VARCHAR1                                                                                                                      nvarchar(260), VARCHAR(260), NULL
RESERVED_BINARY                                                                                                                        varbinary(2000), NULL


COMMAND
Column Name                      Comment                                                                                               Data Type (MS, Sybase)                  Default Value         Primary Key         Description
                                                                                                                                                                                                                         This table lists command schema
                                                                                                                                                                                                                         information.

                                                                                                                                                                                                                         If there is only one data type value in a
HARDWARE_KEY                                                                                                                           char(32), NOT NULL                                            PK_COMMAND          cell in the Data Type column, it applies to
                                                                                                                                                                                                                         both MS SQL Server and to Sybase. If
                                                                                                                                                                                                                         there are two data type values, the first
                                                                                                                                                                                                                         applies to MS SQL Server and the
                                 Hash of Computer Hardware information                                                                                                                                                   second applies to Sybase.

COMMAND_ID                                                                                                                             char(32), NOT NULL                                            PK_COMMAND
                                 GUID of the command object. This GUID corresponded to the ID in the BASIC_METADATA table
DOMAIN_ID                        The domain ID currently being administered when the command is created                                char(32), NOT NULL
USN                              Update serial number; used by replication                                                             bigint, NOT NULL
BEGIN_TIME                       Time that the command launched at the client in GMT                                                   bigint, NOT NULL                                         0
LAST_UPDATE_TIME                 Time of last status reported by client in GMT                                                         bigint, NOT NULL                                         0
                                 Command status: a numeric value corresponding to one of
                                 0 = INITIAL
                                 1 = RECEIVED
                                 2 = IN_PROGRESS
                                 3 = COMPLETED
                                 4 = REJECTED
STATE_ID                                                                                                                               int, NOT NULL                                            0
                                 5 = CANCELLED
                                 6 = ERROR

                                 When first created, the command’s status = INITIAL. It indicates that the endpoint has not received
                                 it yet.


                                 Command-specific status:
                                 0 = Success
                                 1 = Client did not execute the command
                                 2 = Client did not report any status
                                 3 = Command was a duplicate and not executed
                                 4 = Spooled command could not restart
                                 100 = Success
                                 101 = Security risk found
SUB_STATE_ID                                                                                                                           int, NULL
                                 102 = Scan was suspended
                                 103 = Scan was aborted
                                 105 = Scan did not return status
                                 110 = Auto-Protect could not be turned on
                                 120 = LiveUpdate download is in progress
                                 121 = LiveUpdate download failed
                                 131 = Quarantine delete failed
                                 132 = Quarantine delete partial success
SUB_STATE_DESC                   Command-specific extra information like number of files scanned or error message.                     nvarchar(520), NULL
ESTIMATED_DURATION               Agent estimation of command duration in minutes. 0 = no estimate or negligible time.                  int, NOT NULL                                            0
PERCENT_COMPLETE                 Progress (0-100%) of command based on estimated duration.                                             tinyint, NOT NULL                                        0
TIME_STAMP                       The time when the command is added into system (GMT), which is server side time                       bigint, NOT NULL
                                 The deleted flag of the schema object:
DELETED                          1 = Deleted                                                                                           tinyint, NOT NULL
                                 0 = Not Deleted
RESERVED_INT1                                                                                                                          int, NULL
RESERVED_INT2                                                                                                                          int, NULL
RESERVED_BIGINT1                                                                                                                       bigint, NULL
RESERVED_BIGINT2                                                                                                                       bigint, NULL
    Symantec Corp Confidential                                                                                    SEP Table Definition                                                                                       3/3/2012 Page 35 / 54



RESERVED_CHAR1                                                                                                                    char(32), NULL
RESERVED_CHAR2                                                                                                                    char(32), NULL
RESERVED_VARCHAR1                                                                                                                 VARCHAR(260), NULL
RESERVED_BINARY                                                                                                                   varbinary(1000), NULL


COMMAND_REPORT
Column Name                      Comment                                                                                          Data Type (MS, Sybase)                    Default Value            Primary Key           Description
                                                                                                                                                                                                                           This table lists command report schema
                                                                                                                                                                                                                           information.

                                                                                                                                                                                                                           If there is only one data type value in a
COMMANDFILTER_IDX*               Primary key                                                                                      char(32), NOT NULL                                                 PK_COMMANDREPORT      cell in the Data Type column, it applies to
                                                                                                                                                                                                                           both MS SQL Server and to Sybase. If
                                                                                                                                                                                                                           there are two data type values, the first
                                                                                                                                                                                                                           applies to MS SQL Server and the
                                                                                                                                                                                                                           second applies to Sybase.
USER_ID                          GUID of user who created this filter                                                             char(32), NOT NULL                        ('')
FILTERNAME                       Name of filter                                                                                   NVARCHAR(255), VARCHAR(255), NOT NULL     ('')
STARTDATEFROM                    Start time                                                                                       datetime, NOT NULL                        ('19700101')
STARTDATETO                      End time                                                                                         datetime, NOT NULL                        ('19700101')
                                 0 = past week
                                 1 = past month
                                 2 = past three months
RELATIVEDATETYPE                                                                                                                  int, NOT NULL                                                 0
                                 3 = past year
                                 4 = past 24 hours
                                 5 = current month
                                 Command status
                                 0 = Not received
                                 1 = Received
                                 2 = In progress
STATE_ID                                                                                                                          int, NULL                                 (null)
                                 3 = Completed
                                 4 = Rejected
                                 5 = Canceled
                                 6 = Error

                                 Status Details
                                 0 = Success
                                 1 = Client did not execute the command
                                 2 = Client did not report any status
                                 3 = Command was a duplicate and not executed
                                 4 = Spooled command could not restart
                                 101 = Security risk found
SUB_STATE_ID                     102 = Scan was suspended                                                                         int, NULL                                 (null)
                                 103 = Scan was aborted
                                 105 = Scan did not return status
                                 110 = Auto-Protect could not be turned on
                                 120 = LiveUpdate download is in progress
                                 121 = LiveUpdate download failed
                                 131 = Quarantine delete failed
                                 132 = Quarantine delete partial success
PERCENT_COMPLETE                 Command progress                                                                                 tinyint, NULL                             (null)
COMPUTERLIST                     Command separated, wild-carded list of computer names to filter                                  NVARCHAR(512), VARCHAR(512), NOT NULL     ('')
SORTORDER                        Column name in table to sort by                                                                  varchar(32), NOT NULL                     ('COMPUTER_NAME')
SORTDIR                          DESC = Descending order, ASC = Ascending order                                                   varchar(5), NOT NULL                      ('asc')
LIMITROWS                        Number of rows to use for pagination                                                             int, NOT NULL                                                 20
USERELATIVE                      Use relative dates ('on') or absolute dates                                                      char(2), NOT NULL                         ('on')
REPORT_IDX                       Not used                                                                                         int, NOT NULL                             ('0')
REPORTINPUTS                     Special parameters if report needs them                                                          NVARCHAR(64), VARCHAR(64), NOT NULL       ('')
USN                              A USN-based serial number; this ID is not unique.                                                bigint, NOT NULL                                              1
TIME_STAMP                       The time when the event is logged into system (GMT), which is server side time                   bigint, NOT NULL                                              0
DELETED                          Deleted rows; 0 = not deleted, 1 = deleted                                                       tinyint, NOT NULL                                             0


COMPLIANCE_REPORT
Column Name                      Comment                                                                                          Data Type (MS, Sybase)                    Default Value            Primary Key           Description
                                                                                                                                                                                                                           This table lists compliance report
                                                                                                                                                                                                                           schema information.

                                                                                                                                                                                                                           If there is only one data type value in a
COMPLIANCEFILTER_IDX*            Primary key                                                                                      char(32), NOT NULL                                                 PK_COMPLIANCEREPORT   cell in the Data Type column, it applies to
                                                                                                                                                                                                                           both MS SQL Server and to Sybase. If
                                                                                                                                                                                                                           there are two data type values, the first
                                                                                                                                                                                                                           applies to MS SQL Server and the
                                                                                                                                                                                                                           second applies to Sybase.
USER_ID                          GUID of user who created this filter                                                             char(32), NOT NULL                        ('')
FILTERNAME                       Filter name                                                                                      NVARCHAR(255), VARCHAR(255), NOT NULL     ('')
STARTDATEFROM                    Start date                                                                                       datetime, NOT NULL                        ('19700101')
STARTDATETO                      End date                                                                                         datetime, NOT NULL                        ('19700101')
                                 0 = past week
                                 1 = past month
                                 2 = past three months
RELATIVEDATETYPE                                                                                                                  int, NOT NULL                                                 0
                                 3 = past year
                                 4 = past 24 hours
                                 5 = current month
                                 1 = Enforcer Server
                                 2 = Enforcer Client
                                 3 = Enforcer Traffic
COMPLIANCE_TYPE                                                                                                                   tinyint, NULL                             (null)
                                 4 = Host Compliance
                                 5 = Attack (Firewall logs)
                                 6 = Device Control
                                 1 = Critical (which filters on SEVERITY >= 0 AND SEVERITY <= 3)
                                 5 = Major (which filters on SEVERITY >= 4 AND SEVERITY <= 7)
SEVERITY                                                                                                                          int, NULL                                 (null)
                                 9 = Minor (which filters on SEVERITY >= 8 AND SEVERITY <= 11)
                                 13 = Info (which filters on SEVERITY >= 12 AND SEVERITY <= 15)

                                 Events for Enforcer Server:
                                  1 = Enforcer registered
                                  2 = Enforcer failed to register
                                  5 = Enforcer downloaded policy
                                  7 = Enforcer downloaded sylink.xml
                                  9 = Server received Enforcer log
                                  12 = Server received Enforcer information
                                 Events for Enforcer Traffic :
                                  17 = Incoming traffic blocked
                                  18 = Outgoing traffic blocked
                                  33 = Incoming traffic allowed
                                  34 = Outgoing traffic allowed
                                 Events for Host compliance:
                                  209 = Host Integrity failed
                                  210 = Host Integrity passed
                                  221 = Host Integrity failed but reported as PASS
EVENT_ID                                                                                                                          int, NULL                                 (null)
                                  237 = Host Integrity custom log entry
                                 Events for Attack (firewall):
                                  207 = Active Response
                                  211 = Active Response disengaged
                                  219 = Active Response canceled
                                  217 = Executable file change accepted
                                  218 = Executable file change denied
                                  220 = Application Hijack
                                  201 = N/A (invalid traffic by rule)
                                  202 = Port Scan
                                  203 = Denial of Service
                                  204 = Trojan
                                  206 = Intrusion Prevention
                                  208 = MAC Spoofing
                                 Events for Device control:
                                 238 = Device control disabled device

BLOCKED                          0 = Blocked, 1 = Not Blocked                                                                     tinyint, NULL                             (null)
NETWORK_PROTOCOL                 1 = Other, 2 = TCP, 3 = UDP, 4 = ICMP                                                            tinyint, NULL                             (null)
TRAFFIC_DIRECTION                1 = Inbound, 2 = Outbound, 0 = Unknown                                                           tinyint, NULL                             (null)
SERVERGROUPLIST                  Comma-separated, wild-carded domain names by which to filter                                     NVARCHAR(255), VARCHAR(255), NOT   NULL   ('')
CLIENTGROUPLIST                  Comma-separated, wild-carded group names by which to filter                                      NVARCHAR(255), VARCHAR(255), NOT   NULL   ('')
PARENTSERVERLIST                 Comma-separated, wild-carded server names by which to filter                                     NVARCHAR(255), VARCHAR(255), NOT   NULL   ('')
COMPUTERLIST                     Comma separate, wild-carded computer names by which to filter                                    NVARCHAR(512), VARCHAR(512), NOT   NULL   ('')
IPADDRESSLIST                    Comma-separated, wild-carded IP list by which to filter                                          NVARCHAR(255), VARCHAR(255), NOT   NULL   ('')
USERLIST                         Comma-separated, wild-carded user names by which to filter                                       NVARCHAR(255), VARCHAR(255), NOT   NULL   ('')
SITELIST                         Comma-separated, wild-carded site names by which to filter                                       NVARCHAR(255), VARCHAR(255), NOT   NULL   ('')
ENFORCERLIST                     Comma-separated, wild-carded Enforcer names by which to filter                                   NVARCHAR(255), VARCHAR(255), NOT   NULL   ('')
REMOTEHOSTLIST                   Comma-separated, wild-carded remote computer names by which to filter                            NVARCHAR(255), VARCHAR(255), NOT   NULL   ('')
REMOTEIPLIST                     Comma-separated, wild-carded remote IP list by which to filter                                   NVARCHAR(255), VARCHAR(255), NOT   NULL   ('')
LOCAL_PORT                       Port number                                                                                      int, NULL                                 (null)
                                 0 = Process is not running
HACK_TYPE                        1 = Signature is out-of-date                                                                     int, NULL                                 (null)
                                 2 = Recovery was attempted
ACTION                           For Enforcer Client: Authenticated, Disconnected, Passed, Rejected, Failed                       varchar(32), NOT NULL                     ('')
                                 For Enforcer Client: 0 = Gateway Enforcer, 1 = LAN Enforcer, 2 = DHCP Enforcer, 3 = Integrated
ENFORCER_TYPE                                                                                                                     tinyint, NULL                             (null)
                                 Enforcer, 4 = NAP Enforcer, 5 = PeerToPeer Enforcer
       Symantec Corp Confidential                                                                                       SEP Table Definition                                                                                    3/3/2012 Page 36 / 54



                                    600 = Windows Vista and Windows Server 2008
                                    502 = Windows 2003 and Windows XP 64 bit
                                    501 = Windows XP
OS_TYPE                                                                                                                                 int, NULL                             (null)
                                    500 = Windows 2000
                                    400 = Windows NT
                                    000 = Other
SORTORDER                           Log column sort                                                                                     varchar(32), NOT NULL                 ('EVENT_TIME')
SORTDIR                             DESC = Descending, ASC = Ascending                                                                  varchar(5), NOT NULL                  ('DESC')
LIMITROWS                           Number of rows to use for pagination                                                                int, NOT NULL                                          20
USERELATIVE                         Use relative dates ('on') or absolute dates                                                         char(2), NOT NULL                     ('on')
REPORT_IDX                          Not used                                                                                            int, NOT NULL                         ('0')
REPORTINPUTS                        Special parameters if report needs them                                                             nvarchar(64), varchar(64), NOT NULL   ('')
USN                                 A USN-based serial number; this ID is not unique.                                                   bigint, NOT NULL                                       1
TIME_STAMP                          Time that the record was modified                                                                   bigint, NOT NULL                                       0
DELETED                             Deleted entry; 0 = Not deleted, 1 = Deleted                                                         tinyint, NOT NULL                                      0
FULL_CHARTS                         Admin-specified list of charts to include in the NTP Full Report                                    VARCHAR(255), NOT NULL                ('')


COMPUTER_APPLICATION
Column Name                         Comment                                                                                             Data Type (MS, Sybase)                Default Value         Primary Key               Description
                                                                                                                                                                                                                              This table lists computer application
                                                                                                                                                                                                                              schema information.

                                                                                                                                                                                                                              If there is only one data type value in a
AGENT_ID                                                                                                                                char(32), NOT NULL                                          PK_COMPUTER_APPLICATION   cell in the Data Type column, it applies to
                                                                                                                                                                                                                              both MS SQL Server and to Sybase. If
                                                                                                                                                                                                                              there are two data type values, the first
                                                                                                                                                                                                                              applies to MS SQL Server and the
                                    GUID of the agent                                                                                                                                                                         second applies to Sybase.
DOMAIN_ID                           GUID of the domain to which the client computer belongs                                             char(32), NOT NULL                                          PK_COMPUTER_APPLICATION
APP_HASH                            Hash value of the learned application record                                                        char(32), NOT NULL                                          PK_COMPUTER_APPLICATION
LOCATION_ID                         GUID of the location                                                                                char(32), NOT NULL                                          PK_COMPUTER_APPLICATION
COMPUTER_ID                         GUID of the computer                                                                                char(32), NOT NULL
GROUP_ID                            Group GUID                                                                                          char(32), NOT NULL
LAST_ACCESS_TIME                    Last access time of the application on the computer (GMT)                                           bigint, NULL
USN                                 Update serial number; used by replication                                                           bigint, NOT NULL
TIME_STAMP                          Time that the record was modified; used to resolve merge conflict                                   bigint, NOT NULL
                                    The deleted flag of the schema object:
DELETED                             1 = Deleted                                                                                         tinyint, NOT NULL
                                    0 = Not Deleted
RESERVED_INT1                                                                                                                           int, NULL
RESERVED_INT2                                                                                                                           int, NULL
RESERVED_BIGINT1                                                                                                                        bigint, NULL
RESERVED_BIGINT2                                                                                                                        bigint, NULL
RESERVED_CHAR1                                                                                                                          char(32), NULL
RESERVED_CHAR2                                                                                                                          char(32), NULL
RESERVED_VARCHAR1                                                                                                                       nvarchar(260), VARCHAR(260), NULL
RESERVED_BINARY                                                                                                                         varbinary(2000), NULL


CONNECTION_TEST
Column Name                         Comment                                                                                             Data Type (MS, Sybase)                Default Value         Primary Key               Description
                                                                                                                                                                                                                              This table lists dummy schema
                                                                                                                                                                                                                              information.

                                                                                                                                                                                                                              If there is only one data type value in a
STATUS                              Not specified                                                                                       char(1), NULL                                                                         cell in the Data Type column, it applies to
                                                                                                                                                                                                                              both MS SQL Server and to Sybase. If
                                                                                                                                                                                                                              there are two data type values, the first
                                                                                                                                                                                                                              applies to MS SQL Server and the
                                                                                                                                                                                                                              second applies to Sybase.


DATA_HANDLER
Column Name                         Comment                                                                                             Data Type (MS, Sybase)                Default Value         Primary Key               Description
                                                                                                                                                                                                                              This table lists data handler schema
                                                                                                                                                                                                                              information.

                                                                                                                                                                                                                              If there is only one data type value in a
IDX*                                Primary key                                                                                         char(32), NOT NULL                                          PK_DATA_HANDLER           cell in the Data Type column, it applies to
                                                                                                                                                                                                                              both MS SQL Server and to Sybase. If
                                                                                                                                                                                                                              there are two data type values, the first
                                                                                                                                                                                                                              applies to MS SQL Server and the
                                                                                                                                                                                                                              second applies to Sybase.
                                    Technology extension.
                                    Possible values are as follows:
                                    AvMan
TECH_ID                             CAvMan                                                                                              varchar(255), NOT NULL                ('')
                                    LuMan
                                    legacy
                                    SEP
                                    File Extension: possible values are .dat, .AgentStatus, .SecurityRisk, .VirusScans, .VirusLogs,
LF_EXT                                                                                                                                  varchar(255), NOT NULL                ('')
                                    .Inventory
LF_SORT                             Sort files: 0 = Ascending by file modification time, 1 = Descending by file modification time       tinyint, NOT NULL                                      0
                                    Classes that handle data files. varchar(255), not null
                                    Possible values are as follows:
                                    AvMan = com.sygate.scm.server.logreader.av.LogHandler
                                    CAvMan = com.sygate.scm.server.logreader.cav.CommonLogHandler
                                    Legacy agentstatus =
LF_HANDLER                                                                                                                              varchar(255), NOT NULL                ('')
                                    com.sygate.scm.server.logreader.av.AgentStatusHandler
                                    Legacy inventory =
                                    com.sygate.scm.server.logreader.av.InventoryHandler
                                    Legacy security and virus logs =
                                    com.sygate.scm.server.logreader.av.LogHandler
                                    Classes that handle state files:
                                    SEP = com.sygate.scm.server.statereader.sep.StateHandler
STATE_HANDLER                                                                                                                           varchar(255), NOT NULL                ('')
                                    AvMan = com.sygate.scm.server.statereader.av.StateHandler
                                    LuMan = com.sygate.scm.server.statereader.lu.StateHandler


ENFORCER_CLIENT_LOG_1 and ENFORCER_CLIENT_LOG_2
Column Name                         Comment                                                                                             Data Type (MS, Sybase)                Default Value         Primary Key               Description

                                                                                                                                                                                                                              This table lists the database schema for
                                                                                                                                                                                                                              the Enforcer Client logs.

                                                                                                                                                                                                                              There are two tables for this schema.
                                                                                                                                                                                                                              When logs are stored, the Policy
                                                                                                                                                                                                                              Manager uses the first table until it is full.
                                                                                                                                                                                                                              It then switches to using the second
                                                                                                                                                                                                                              table. The data in the first table is kept
                                                                                                                                                                                                                              intact until the second table fills. Then it
USN                                                                                                                                     bigint, NOT NULL
                                                                                                                                                                                                                              starts to fill the first table again. This
                                                                                                                                                                                                                              cycle is continuous.

                                                                                                                                                                                                                              If there is only one data type value in a
                                                                                                                                                                                                                              cell in the Data Type column, it applies to
                                                                                                                                                                                                                              both MS SQL Server and to Sybase. If
                                                                                                                                                                                                                              there are two data type values, the first
                                                                                                                                                                                                                              applies to MS SQL Server and the
                                                                                                                                                                                                                              second applies to Sybase.
                                    A USN-based serial number; this ID is not unique.
DOMAIN_ID                           Not used (logged as '00000000000000000000000000000000')                                             char(32), NOT NULL
SITE_ID                             GUID of the site to which the log belongs                                                           char(32), NOT NULL
TIME_STAMP                          The time when the event is logged into system (GMT), which is server side time                      bigint, NOT NULL
EVENT_ID                            No event IDs defined, logged as 0                                                                   int, NOT NULL
EVENT_TIME                          The event generated time (GMT)                                                                      bigint, NOT NULL
ENFORCER_ID                         GUID of the Enforcer                                                                                char(32), NOT NULL
                                    0 = Gateway Enforcer
                                    1 = LAN Enforcer
                                    2 = DHCP Enforcer
ENFORCER_TYPE                                                                                                                           tinyint, NOT NULL
                                    3 = Integrated Enforcer
                                    4 = NAP Enforcer
                                    5 = PeerToPeer Enforcer
CLIENT_ID                           Not used (logged as '')                                                                             char(32), NULL
REMOTE_HOST                         Remote host name                                                                                    nvarchar(512), NULL
                                    Enforcer's action on this client (hard-coded English string used as lookup)

                                    Authenticated = Agent's UID is correct
ACTION                              Rejected = Agent's UID is wrong or there's no agent running                                         varchar(256), NULL
                                    Disconnected = Agent disconnects from Enforcer or Enforcer service stops
                                    Passed = Agent has passed Host Integrity check
                                    Failed = Agent has failed Host Integrity check
                                    The period in seconds that the Enforcer will take action on the client. Only valid when action is
PERIOD                                                                                                                                  int, NULL
                                    equal to Rejected and Disconnected. For other actions, this field must be 0.
EVENT_DESC                          Description of the event. Usually, first line of the description is treated as “summary”.           nvarchar(256), varchar(256), NULL
REMOTE_HOST_MAC                     Remote host MAC address                                                                             varchar(17), NULL
REMOTE_HOST_INFO                    Remote host information                                                                             nvarchar(128), varchar(128), NULL
EXTENDED_INFO                                                                                                                           nvarchar(1024), varchar(1024), NULL
RESERVED_INT1                                                                                                                           int, NULL
RESERVED_INT2                                                                                                                           int, NULL
RESERVED_BIGINT1                                                                                                                        bigint, NULL
RESERVED_BIGINT2                                                                                                                        bigint, NULL
      Symantec Corp Confidential                                                                                         SEP Table Definition                                                               3/3/2012 Page 37 / 54



RESERVED_CHAR1                                                                                                                          char(32), NULL
RESERVED_CHAR2                                                                                                                          char(32), NULL
                                   For PeerToPeer Enforcer log records, this field contains the host name of the client acting as the
RESERVED_VARCHAR1                                                                                                                       nvarchar(260), VARCHAR(260), NULL
                                   Enforcer.
RESERVED_BINARY                                                                                                                         varbinary(2000), NULL
LOG_IDX                                                                                                                                 char(32), NULL



ENFORCER_SYSTEM_LOG_1 and ENFORCER_SYSTEM_LOG_2
Column Name                        Comment                                                                                              Data Type (MS, Sybase)              Default Value   Primary Key   Description
                                                                                                                                                                                                          This table lists the database schema for
                                                                                                                                                                                                          the Enforcer System logs.

                                                                                                                                                                                                          There are two tables for this schema.
                                                                                                                                                                                                          When logs are stored, the Policy
                                                                                                                                                                                                          Manager uses the first table until it is full.
                                                                                                                                                                                                          It then switches to using the second
                                                                                                                                                                                                          table. The data in the first table is kept
                                                                                                                                                                                                          intact until the second table fills. Then it
USN                                                                                                                                     bigint, NOT NULL
                                                                                                                                                                                                          starts to fill the first table again. This
                                                                                                                                                                                                          cycle is continuous.

                                                                                                                                                                                                          If there is only one data type value in a
                                                                                                                                                                                                          cell in the Data Type column, it applies to
                                                                                                                                                                                                          both MS SQL Server and to Sybase. If
                                                                                                                                                                                                          there are two data type values, the first
                                                                                                                                                                                                          applies to MS SQL Server and the
                                                                                                                                                                                                          second applies to Sybase.
                                   A USN-based serial number; this ID is not unique.
SITE_ID                            GUID of the site to which the log belongs                                                            char(32), NOT NULL
TIME_STAMP                         The time when the event is logged into system (GMT), which is server side time                       bigint, NOT NULL
                                   An event ID from send agent: (in hex)
                                   0x101 = Connected to management server
                                   0x102 = Lost connection to management server
                                   0x103 = Applied policy downloaded from management server
                                   0x104 = Failed to apply policy downloaded from management server
                                   0x105 = Applied management server configuration
                                   0x106 = Failed to apply management server configuration
                                   0x107 = Applied management server configuration
                                   0x108 = Failed to apply management server configuration
                                   0x110 = Registered to NAP management server
                                   0x111 = Unregistered from NAP management server
                                   0x112 = Failed to register to NAP management server
                                   0x201 = Enforcer started
                                   0x202 = Enforcer stopped
                                   0x203 = Enforcer paused
                                   0x204 = Enforcer resumed
                                   0x205 = Enforcer disconnected from server
                                   0x301 = Enforcer failover enabled
EVENT_ID                                                                                                                                int, NULL
                                   0x302 = Enforcer failover disabled
                                   0x303 = Enforcer in standby mode
                                   0x304 = Enforcer in primary mode
                                   0x305 = Enforcer short
                                   0x306 = Enforcer loop
                                   0x401 = Forward engine pause
                                   0x402 = Forward engine start
                                   0x403 = DNS Enforcer enabled
                                   0x404 = DNS Enforcer disabled
                                   0x405 = DHCP Enforcer enabled
                                   0x406 = DHCP Enforcer disabled
                                   0x407 = Allow all enabled
                                   0x408 = Allow all disabled
                                   0x501 = Seat number change
                                   0x601 = Failed to create policy parser
                                   0x602 = Failed to import policy downloaded from management server
                                   0x603 = Failed to export policy downloaded from management server
                                   0x701 = Incorrect customized attribute
EVENT_TIME                         The event generated time (GMT)                                                                       bigint, NOT NULL
ENFORCER_ID                        GUID of the Enforcer                                                                                 char(32), NOT NULL
                                   0 = Gateway Enforcer
                                   1 = LAN Enforcer
                                   2 = DHCP Enforcer
ENFORCER_TYPE                                                                                                                           tinyint, NOT NULL
                                   3 = Integrated Enforcer
                                   4 = NAP Enforcer
                                   5 = PeerToPeer Enforcer
                                   The type of event. Possible values are:
                                   0 = INFO
SEVERITY                           1 = WARNING                                                                                          int, NOT NULL
                                   2 = ERROR
                                   3 = FATAL
EVENT_DESC                         Description of the event. Usually, the first line of the description is treated as “summary”.        nvarchar(256), varchar(256), NULL
RESERVED_INT1                                                                                                                           int, NULL
RESERVED_INT2                                                                                                                           int, NULL
RESERVED_BIGINT1                                                                                                                        bigint, NULL
RESERVED_BIGINT2                                                                                                                        bigint, NULL
RESERVED_CHAR1                                                                                                                          char(32), NULL
RESERVED_CHAR2                                                                                                                          char(32), NULL
RESERVED_VARCHAR1                                                                                                                       nvarchar(260), VARCHAR(260), NULL
RESERVED_BINARY                                                                                                                         varbinary(2000), NULL
LOG_IDX                            Log index unique ID                                                                                  char(32), NULL



ENFORCER_TRAFFIC_LOG_1 and ENFORCER_TRAFFIC_LOG_2
Column Name                        Comment                                                                                              Data Type (MS, Sybase)              Default Value   Primary Key   Description
                                                                                                                                                                                                          This table lists the database schema for
                                                                                                                                                                                                          the Enforcer Traffic logs.

                                                                                                                                                                                                          There are two tables for this schema.
                                                                                                                                                                                                          When logs are stored, the Policy
                                                                                                                                                                                                          Manager uses the first table until it is full.
                                                                                                                                                                                                          It then switches to using the second
                                                                                                                                                                                                          table. The data in the first table is kept
                                                                                                                                                                                                          intact until the second table fills. Then it
USN                                                                                                                                     bigint, NOT NULL
                                                                                                                                                                                                          starts to fill the first table again. This
                                                                                                                                                                                                          cycle is continuous.

                                                                                                                                                                                                          If there is only one data type value in a
                                                                                                                                                                                                          cell in the Data Type column, it applies to
                                                                                                                                                                                                          both MS SQL Server and to Sybase. If
                                                                                                                                                                                                          there are two data type values, the first
                                                                                                                                                                                                          applies to MS SQL Server and the
                                                                                                                                                                                                          second applies to Sybase.
                                   A USN-based serial number; this ID is not unique.
DOMAIN_ID                          Not used (logged as '00000000000000000000000000000000')                                              char(32), NOT NULL
SITE_ID                            GUID of the site to which the log belongs                                                            char(32), NOT NULL
TIME_STAMP                         The time when the event is logged into system (GMT), which is server side time                       bigint, NOT NULL
                                   An event ID from send agent:
                                   17 = Incoming traffic blocked
EVENT_ID                           18 = Outgoing traffic blocked                                                                        int, NULL
                                   33 = Incoming traffic allowed
                                   34 = Outgoing traffic allowed
EVENT_TIME                         The event generated time (GMT)                                                                       bigint, NOT NULL
ENFORCER_ID                        GUID of the Enforcer                                                                                 char(32), NOT NULL
                                   0 = Gateway Enforcer
                                   1 = LAN Enforcer
                                   2 = DHCP Enforcer
ENFORCER_TYPE                                                                                                                           tinyint, NOT NULL
                                   3 = Integrated Enforcer
                                   4 = NAP Enforcer
                                   5 = PeerToPeer Enforcer
CLIENT_ID                          Not used (logged as '')                                                                              char(32), NULL
LOCAL_HOST_IP                      The IP address of local computer (IPv4)                                                              bigint, NOT NULL
REMOTE_HOST_IP                     The IP address of remote computer (IPv4)                                                             bigint, NOT NULL
NETWORK_PROTOCOL                   The protocol type: Enum (OTHERS = 1; TCP = 2; UDP = 3; ICMP = 4)                                     tinyint, NOT NULL
                                   The TCP/UDP port in local machine (host byte-order). It is only valid on TSE_TRAFFIC_TCP and
LOCAL_PORT                                                                                                                              int, NOT NULL
                                   TSE_TRAFFIC_UDP. On the other event, it is always zero
                                   The TCP/UDP port in remote machine (host byte-order). It is only valid on TSE_TRAFFIC_TCP and
REMOTE_PORT                                                                                                                             int, NOT NULL
                                   TSE_TRAFFIC_UDP. On the other event, it is always zero.
TRAFFIC_DIRECTION                  The direction of traffic. Enum (unknown = 0; inbound = 1; outbound = 2)                              tinyint, NOT NULL
BEGIN_TIME                         The begin time of Enforcer event                                                                     bigint, NULL
END_TIME                           The end time of Enforcer event                                                                       bigint, NULL
                                   Specify if the traffic was blocked. (0 = blocked, 1 = Not blocked ** note the difference in values
BLOCKED                                                                                                                                 tinyint, NOT NULL
                                   between this and the AGENT_TRAFFIC_LOG_x tables)
TOTAL_BYTES                        The total length of all packets in the traffic                                                       int, NOT NULL
                                   The number of attacks. Sometime, when a hacker launches a mass attack, it may be damped to
REPETITION                                                                                                                              int, NULL
                                   one event by the log system.
ALERT                              It reflects the alert attribute in profile action. It is true if action::alert is true.              tinyint, NOT NULL
RESERVED_INT1                                                                                                                           int, NULL
RESERVED_INT2                                                                                                                           int, NULL
RESERVED_BIGINT1                                                                                                                        bigint, NULL
RESERVED_BIGINT2                                                                                                                        bigint, NULL
RESERVED_CHAR1                                                                                                                          char(32), NULL
RESERVED_CHAR2                                                                                                                          char(32), NULL
    Symantec Corp Confidential                                                                                    SEP Table Definition                                                                                 3/3/2012 Page 38 / 54



RESERVED_VARCHAR1                                                                                                                  nvarchar(260), VARCHAR(260), NULL
RESERVED_BINARY                                                                                                                    varbinary(2000), NULL
LOG_IDX                                                                                                                            char(32), NULL



FIREWALL_REPORT
Column Name                      Comment                                                                                           Data Type (MS, Sybase)                  Default Value         Primary Key         Description
                                                                                                                                                                                                                     This table lists firewall report schema
                                                                                                                                                                                                                     information.

                                                                                                                                                                                                                     If there is only one data type value in a
FIREWALLFILTER_IDX*              Primary Key                                                                                       char(32), NOT NULL                                            PK_FIREWALLREPORT   cell in the Data Type column, it applies to
                                                                                                                                                                                                                     both MS SQL Server and to Sybase. If
                                                                                                                                                                                                                     there are two data type values, the first
                                                                                                                                                                                                                     applies to MS SQL Server and the
                                                                                                                                                                                                                     second applies to Sybase.
USER_ID                          GUID of the user who created this filter                                                          char(32), NOT NULL                      ('')
FILTERNAME                       Filter name                                                                                       NVARCHAR(255), VARCHAR(255), NOT NULL   ('')
STARTDATEFROM                    Start date                                                                                        datetime, NOT NULL                      ('19700101')
STARTDATETO                      End date                                                                                          datetime, NOT NULL                      ('19700101')
                                 0 = past week
                                 1 = past month
                                 2 = past three months
RELATIVEDATETYPE                                                                                                                   int, NOT NULL                                            0
                                 3 = past year
                                 4 = past 24 hours
                                 5 = current month
FIREWALLTYPE                     1 = Traffic, 2 = Packets                                                                          int, NULL                               (null)
SEVERITY                         1 = Critical, 5 = Major, 9 = Minor, 13 = Info                                                     int, NULL                               (null)
                                 Events for Traffic :
                                 307 = Ethernet packet,
                                 306 = ICMP packet,
                                 308 = IP packet,
                                 303 = Ping request,
EVENTTYPE                        301 = TCP initiated,                                                                              int, NULL                               (null)
                                 304 = TCP completed,
                                 302 = UDP datagram,
                                 305 = Other
                                 Events for Packet:
                                 401 = Raw Ethernet
BLOCKED                          1 = Blocked, 0 = Not blocked                                                                      int, NULL                               (null)
PROTOCOL                         1 = Other, 2 = TCP, 3 = UDP, 4 = ICMP                                                             int, NULL                               (null)
DIRECTION                        1 = Inbound, 2 = Outbound, 0 = Unknown                                                            int, NULL                               (null)
LOCALPORT                        Port number                                                                                       int, NULL                               (null)
SITELIST                         Comma-separated, wild-carded site names by which to filter                                        NVARCHAR(255), VARCHAR(255), NOT NULL   ('')
SERVERGROUPLIST                  Comma-separated, wild-carded domain names by which to filter                                      NVARCHAR(255), VARCHAR(255), NOT NULL   ('')
CLIENTGROUPLIST                  Comma-separated, wild-carded group names by which to filter                                       NVARCHAR(255), VARCHAR(255), NOT NULL   ('')
PARENTSERVERLIST                 Comma-separated, wild-carded server names by which to filter                                      NVARCHAR(255), VARCHAR(255), NOT NULL   ('')
COMPUTERLIST                     Comma-separated, wild-carded computer names by which to filter                                    NVARCHAR(512), VARCHAR(512), NOT NULL   ('')
IPADDRESSLIST                    Comma-separated, wild-carded IP list by which to filter                                           NVARCHAR(255), VARCHAR(255), NOT NULL   ('')
REMOTEHOSTLIST                   Comma-separated, wild-carded remote computer names by which to filter                             NVARCHAR(255), VARCHAR(255), NOT NULL   ('')
REMOTEIPADDRLIST                 Comma-separated, wild-carded remote IP list by which to filter                                    NVARCHAR(255), VARCHAR(255), NOT NULL   ('')
USERLIST                         Comma-separated, wild-carded user names by which to filter                                        NVARCHAR(255), VARCHAR(255), NOT NULL   ('')
SORTORDER                        Column in table to sort by                                                                        varchar(32), NOT NULL                   ('EVENT_TIME')
SORTDIR                          DESC = Descending, ASC = Ascending                                                                varchar(5), NOT NULL                    ('DESC')
LIMITROWS                        Number of rows to use for pagination                                                              int, NOT NULL                                            20
USERELATIVE                      Use relative dates ('on') or absolute dates                                                       char(2), NOT NULL                       ('on')
REPORT_IDX                       Not used                                                                                          int, NOT NULL                           ('0')
REPORTINPUTS                     Special parameters if report needs them                                                           nvarchar(64), VARCHAR(64), NOT NULL     ('')
USN                              A USN-based serial number; this ID is not unique.                                                 bigint, NOT NULL                                         1
TIME_STAMP                       The time when the event is logged into system (GMT), which is server side time                    bigint, NOT NULL                                         0
DELETED                          Delete row; 0 = Not deleted, 1 = Deleted                                                          tinyint, NOT NULL                                        0
FULL_CHARTS                      Not used                                                                                          VARCHAR(255), NOT NULL                  ('')


GUIPARMS
Column Name                      Comment                                                                                           Data Type (MS, Sybase)                  Default Value         Primary Key         Description
                                                                                                                                                                                                                     This table lists schema information for
                                                                                                                                                                                                                     GUI parameters.

                                                                                                                                                                                                                     If there is only one data type value in a
GUIPARMS_IDX*                    Primary key                                                                                       int, NOT NULL                                                 PK_GUIPARMS         cell in the Data Type column, it applies to
                                                                                                                                                                                                                     both MS SQL Server and to Sybase. If
                                                                                                                                                                                                                     there are two data type values, the first
                                                                                                                                                                                                                     applies to MS SQL Server and the
                                                                                                                                                                                                                     second applies to Sybase.
PARAMETER                        Parameter name                                                                                    varchar(255), NOT NULL                  ('')
VALUE                            Parameter value                                                                                   NVARCHAR(255), VARCHAR(255), NOT NULL   ('')
USN                              A USN-based serial number; this ID is not unique.                                                 bigint, NOT NULL                                         1
TIME_STAMP                       The time when the event is logged into system (GMT), which is server side time                    bigint, NOT NULL                                         0
DELETED                          Delete row; 0 = Not deleted, 1 = Deleted                                                          tinyint, NOT NULL                                        0


GUP_LIST
Column Name                      Comment                                                                                           Data Type (MS, Sybase)                  Default Value         Primary Key         Description
                                                                                                                                                                                                                     This table lists schema information for
                                                                                                                                                                                                                     group update provider information.

                                                                                                                                                                                                                     If there is only one data type value in a
GUP_ID*                          Primary key                                                                                       char(32),NOT NULL                                             PK_GUP_LIST         cell in the Data Type column, it applies to
                                                                                                                                                                                                                     both MS SQL Server and to Sybase. If
                                                                                                                                                                                                                     there are two data type values, the first
                                                                                                                                                                                                                     applies to MS SQL Server and the
                                                                                                                                                                                                                     second applies to Sybase.
COMPUTER_ID                      Referencing Computer_ID in SEM_COMPUTER table                                                     char(32),NOT NULL
IP_ADDRESS                       Represents the GUP IP address                                                                     bigint,NOT NULL
PORT                             Represents the GUP port                                                                           int,NOT NULL
USN                              A USN-based serial number; this ID is not unique.                                                 bigint, NOT NULL                                         1
TIME_STAMP                       The time when the event is logged into system (GMT), which is server side time                    bigint, NOT NULL                                         0
DELETED                          Delete row; 0 = Not deleted, 1 = Deleted                                                          tinyint, NOT NULL                                        0


HISTORY
Column Name                      Comment                                                                                           Data Type (MS, Sybase)                  Default Value         Primary Key         Description
                                                                                                                                                                                                                     This table lists history schema
                                                                                                                                                                                                                     information.

                                                                                                                                                                                                                     If there is only one data type value in a
HISTORY_IDX*                     Primary key, Index                                                                                char(32), NOT NULL                                            PK_HISTORY          cell in the Data Type column, it applies to
                                                                                                                                                                                                                     both MS SQL Server and to Sybase. If
                                                                                                                                                                                                                     there are two data type values, the first
                                                                                                                                                                                                                     applies to MS SQL Server and the
                                                                                                                                                                                                                     second applies to Sybase.
HISTORYCONFIG_IDX                Pointer to historyconfig table                                                                    char(32), NOT NULL                      ('')
EVENT_DATETIME                   Snapshot time in GMT                                                                              bigint, NOT NULL                                         0
STAT_TYPE                        What kind of data; hard-coded English key **See Snapshot data format worksheet for details **     varchar(64), NOT NULL                   ('')
TARGET                           Data **See Snapshot data format worksheet for details **                                          NVARCHAR(256), VARCHAR(256), NOT NULL   ('')
STATISTIC                        Summary statistic **See Snapshot data format worksheet for details **                             NVARCHAR(256), VARCHAR(256), NOT NULL   ('')


HISTORYCONFIG
Column Name                      Comment                                                                                           Data Type (MS, Sybase)                  Default Value         Primary Key         Description
                                                                                                                                                                                                                     This table lists history configuration
                                                                                                                                                                                                                     schema information.

                                                                                                                                                                                                                     If there is only one data type value in a
HISTORYCONFIG_IDX*               Primary key                                                                                       char(32), NOT NULL                                            PK_HISTORYCONFIG    cell in the Data Type column, it applies to
                                                                                                                                                                                                                     both MS SQL Server and to Sybase. If
                                                                                                                                                                                                                     there are two data type values, the first
                                                                                                                                                                                                                     applies to MS SQL Server and the
                                                                                                                                                                                                                     second applies to Sybase.
USER_ID                          GUID of user who created this scheduled report                                                    char(32), NOT NULL                      ('')
FILTER_USER_ID                   Owner ID of the filter. It is the SEPM administrator who created the filer for a report.          char(32),NULL                           ('')
                                 Time zone offset from when the admin created the scheduled report so that data can be formatted
TZ_OFFSET                                                                                                                          int, NOT NULL                                            0
                                 to the administrator's local time
FILTERNAME                       Filter used by this scheduled report                                                              NVARCHAR(255), VARCHAR(255), NOT NULL   ('Default')
       Symantec Corp Confidential                                                                                     SEP Table Definition                                                                           3/3/2012 Page 39 / 54



                                    Format is Reporttype-number: example I-0 is Virus Definitions Distribution

                                    I = Computer Status Report
                                    0 = Virus Definitions Distribution
                                    1 = Computers Not Checked Into Server
                                    2 = Symantec Endpoint Protection Product Versions
                                    3 = Intrusion Prevention Signature Distribution
                                    4 = Client Inventory
                                    5 = Compliance Status Distribution
                                    6 = Client Online Status
                                    7 = Clients With Latest Policy
                                    8 = Client Count by Group
                                    9 = Security Status Summary
                                    10 = Protection Content Versions
                                    11 =Client Migration
                                    100 = Client Software Rollout (Snapshots)
                                    101 = Clients Online/Offline Over Time (Snapshots)
                                    102 = Clients With Latest Policy Over Time (Snapshots)
REPORT_IDX                          103 = Non-Compliant Clients Over Time (Snapshots)                                            varchar(10), NOT NULL                   ('I-0')
                                    104 = Virus Definition Rollout (Snapshots)

                                    A = Audit Report
                                    0 = Policies Used

                                    B = Application and Device Control Report
                                    0 = Top Groups With Most Alerted Application Control Logs
                                    1 = Top Targets Blocked
                                    2 = Top Devices Blocked


                                    C = Compliance Report
                                    0 = Network Compliance Status
                                    1 = Compliance Status
                                    2 = Clients by Compliance Failure Summary
                                    3 = Compliance Failure Details
                                    4 = Non-compliant Clients by Location
                                    When to start generating the report. This establishes its scheduled time within the repeat
STARTTIME                                                                                                                        datetime, NOT NULL                      ('19700101')
                                    schedule.
LASTRUN                             When the report got generated last in GMT                                                    bigint, NOT NULL                                        0
                                    Repeat schedule for this report in hours, for example:
                                    1 = Every 1 hour
RUNHOURS                            24 = Every 1 day                                                                             int, NOT NULL                                           24
                                    168 = Every week
                                    720 = Every month
NAME                                Name of this scheduled report                                                                NVARCHAR(255), VARCHAR(255), NOT NULL   ('')
EMAIL                               Comma-separated list of emails to send the report to                                         NVARCHAR(255), VARCHAR(255), NOT NULL   ('')
DESCRIPTION                         Admin-provided description for this report                                                   NVARCHAR(255), VARCHAR(255), NOT NULL   ('')
DISABLED                            Scheduled report disabled: 0 = No, 1 = Yes                                                   tinyint, NOT NULL                                       0
USN                                 A USN-based serial number; this ID is not unique.                                            bigint, NOT NULL                                        1
TIME_STAMP                          The time when the event is logged into system (GMT), which is server side time               bigint, NOT NULL                                        0
DELETED                             Deleted row; 0 = Not Deleted, 1 = Deleted                                                    tinyint, NOT NULL                                       0


HOMEPAGECONFIG
Column Name                         Comment                                                                                      Data Type (MS, Sybase)                  Default Value        Primary Key          Description
                                                                                                                                                                                                                   This table lists home page configuration
                                                                                                                                                                                                                   schema information.

                                                                                                                                                                                                                   If there is only one data type value in a
HOMEPAGECONFIG_IDX*                 Primary key                                                                                  char(32), NOT NULL                                           PK_HOMEPAGECONFIG    cell in the Data Type column, it applies to
                                                                                                                                                                                                                   both MS SQL Server and to Sybase. If
                                                                                                                                                                                                                   there are two data type values, the first
                                                                                                                                                                                                                   applies to MS SQL Server and the
                                                                                                                                                                                                                   second applies to Sybase.
USER_NAME                           Admin GUID                                                                                   char(32), NOT NULL                      ('')
PARAMETER                           Parameter name                                                                               varchar(255), NOT NULL                  ('')
VALUE                               Parameter value                                                                              NVARCHAR(255), VARCHAR(255), NOT NULL   ('')
USN                                 A USN-based serial number; this ID is not unique.                                            bigint, NOT NULL                                        1
TIME_STAMP                          The time when the event is logged into system (GMT), which is server side time               bigint, NOT NULL                                        0
DELETED                             Deleted row; 0 = Not Deleted, 1 = Deleted                                                    tinyint, NOT NULL                                       0
TZ_NAME                             Time Zone name, like "America/Los_Angeles".                                                  varchar(255),NOT NULL                   ('')


HPP_ALERTS
Column Name                         Comment                                                                                      Data Type (MS, Sybase)                  Default Value        Primary Key          Description
                                                                                                                                                                                                                   This table lists Proactive Threat
                                                                                                                                                                                                                   Protection (TruScan) event schema
                                                                                                                                                                                                                   information.

                                                                                                                                                                                                                   If there is only one data type value in a
IDX*                                Primary key                                                                                  char(32), NOT NULL                                           PK_HPP_ALERTS
                                                                                                                                                                                                                   cell in the Data Type column, it applies to
                                                                                                                                                                                                                   both MS SQL Server and to Sybase. If
                                                                                                                                                                                                                   there are two data type values, the first
                                                                                                                                                                                                                   applies to MS SQL Server and the
                                                                                                                                                                                                                   second applies to Sybase.
SENSITIVITY                         The engine sensitivity setting that produced the detection (0...100)                         tinyint, NOT NULL                                       0
DETECTION_SCORE                     The score of the detection (0...100)                                                         tinyint, NOT NULL                                       0
COH_ENGINE_VERSION                  Version of the TruScan engine                                                                varchar(64), NOT NULL                   ('')
DIS_SUBMIT                          Recommendation if this detection should be submitted to Symantec (0 = No, 1 = Yes)           tinyint, NOT NULL                                       0
                                    0 = Not on the permitted application list
                                    100 = Symantec permitted application list
WHITELIST_REASON                                                                                                                 int, NOT NULL                                           0
                                    101 = Administrator permitted application list
                                    102 = User permitted application list
USN                                 A USN-based serial number; this ID is not unique.                                            bigint, NOT NULL                                        -1
TIME_STAMP                          The time when the event is logged into system (GMT), which is server side time               bigint, NOT NULL                                         0
DELETED                             Deleted row; 0 = Not Deleted, 1 = Deleted                                                    tinyint, NOT NULL                                        0


HPP_APPLICATION
Column Name                         Comment                                                                                      Data Type (MS, Sybase)                  Default Value        Primary Key          Description
                                                                                                                                                                                                                   This table lists schema information for
                                                                                                                                                                                                                   applications detected by TruScan.

                                                                                                                                                                                                                   If there is only one data type value in a
APP_IDX*                            Primary key                                                                                  char(32), NOT NULL                                           PK_HPP_APPLICATION   cell in the Data Type column, it applies to
                                                                                                                                                                                                                   both MS SQL Server and to Sybase. If
                                                                                                                                                                                                                   there are two data type values, the first
                                                                                                                                                                                                                   applies to MS SQL Server and the
                                                                                                                                                                                                                   second applies to Sybase.
APP_HASH                            HASH for this application                                                                    varchar(64), NOT NULL
                                    HASH algorithm used:
                                    0 = MD5
HASH_TYPE                                                                                                                        tinyint, NOT NULL                                       1
                                    1 = SHA-1
                                    2 = SHA-256
COMPANY_NAME                        Company name                                                                                 nvarchar(260), varchar(260), NOT NULL   ('')
APP_NAME                            Application name                                                                             nvarchar(260), varchar(260), NOT NULL   ('')
APP_VERSION                         Application version                                                                          nvarchar(256), varchar(256), NOT NULL   ('')
                                    Application type:
                                    0 = Trojan worm
APP_TYPE                            1 = Trojan worm                                                                              int, NOT NULL                           ((-1))
                                    2 = Key logger
                                    100 = Remote control
FILE_SIZE                           File size                                                                                    bigint, NOT NULL                                        0
                                    Detection type:
DETECTION_TYPE                      0 = heuristic                                                                                tinyint, NOT NULL                                       0
                                    1 = commercial application
USN                                 A USN-based serial number; this ID is not unique.                                            bigint, NOT NULL                                        1
TIME_STAMP                          The time when the event is logged into system (GMT), which is server side time               bigint, NOT NULL                                        0
DELETED                             Deleted row; 0 = Not Deleted, 1 = Deleted                                                    tinyint, NOT NULL                                       0
HELP_VIRUS_IDX                      Foreign key to VIRUS table which provides help ID for online Symantec write-up               char(32), NULL


IDENTITY_MAP
Column Name                         Comment                                                                                      Data Type (MS, Sybase)                  Default Value        Primary Key          Description
                                                                                                                                                                                                                   This table lists identity map schema
                                                                                                                                                                                                                   information.

                                                                                                                                                                                                                   If there is only one data type value in a
ID*                                                                                                                              char(32), NOT NULL                                           PK_IDENTITY_MAP      cell in the Data Type column, it applies to
                                                                                                                                                                                                                   both MS SQL Server and to Sybase. If
                                                                                                                                                                                                                   there are two data type values, the first
                                                                                                                                                                                                                   applies to MS SQL Server and the
                                    GUID of an object. Primary Key.                                                                                                                                                second applies to Sybase.
NAME                                Name of the object                                                                           nvarchar(2000), varchar(2000), NULL
TYPE                                Object Type Name                                                                             varchar(256), NULL
DOMAIN_ID                           GUID of the domain                                                                           char(32), NULL
RESERVED_INT1                                                                                                                    int, NULL
RESERVED_INT2                                                                                                                    int, NULL
RESERVED_BIGINT1                                                                                                                 bigint, NULL
RESERVED_BIGINT2                                                                                                                 bigint, NULL
RESERVED_CHAR1                                                                                                                   char(32), NULL
RESERVED_CHAR2                                                                                                                   char(32), NULL
RESERVED_VARCHAR1                                                                                                                nvarchar(260), VARCHAR(260), NULL
    Symantec Corp Confidential                                                                                      SEP Table Definition                                                                                          3/3/2012 Page 40 / 54



RESERVED_BINARY                                                                                                                varbinary(2000), NULL
DELETED                          Remove deleted client group from certain reports. Deleted row; 0 = Not Deleted, 1 = Deleted   tinyint, NULL                             null


INVENTORYCURRENTRISK
Column Name                      Comment                                                                                       Data Type (MS, Sybase)                    Default Value               Primary Key                Description
                                                                                                                                                                                                                                This table lists inventory current risk
                                                                                                                                                                                                                                schema information.

                                                                                                                                                                                                                                If there is only one data type value in a
COMPUTER_IDX                     Foreign key to SEM_COMPUTER.COMPUTER_ID                                                       char(32), NOT NULL                                                    PK_INVENTORYCURRENTRISK    cell in the Data Type column, it applies to
                                                                                                                                                                                                                                both MS SQL Server and to Sybase. If
                                                                                                                                                                                                                                there are two data type values, the first
                                                                                                                                                                                                                                applies to MS SQL Server and the
                                                                                                                                                                                                                                second applies to Sybase.
ALERT_EVENT_IDX                  Foreign key to ALERTS.IDX                                                                     char(32), NOT NULL                                                    PK_INVENTORYCURRENTRISK
USN                              A USN-based serial number; this ID is not unique.                                             bigint, NOT NULL                                                 -1
TIME_STAMP                       The time when the event is logged into system (GMT), which is server side time                bigint, NOT NULL                                                  0
DELETED                          Deleted row; 0 = Not Deleted, 1 = Deleted                                                     tinyint, NOT NULL                                                 0


INVENTORYCURRENTVIRUS
Column Name                      Comment                                                                                       Data Type (MS, Sybase)                    Default Value               Primary Key                Description
                                                                                                                                                                                                                                This table lists inventory current virus
                                                                                                                                                                                                                                schema information.

                                                                                                                                                                                                                                If there is only one data type value in a
COMPUTER_IDX                     Foreign key to SEM_COMPUTER.COMPUTER_ID                                                       char(32), NOT NULL                                                    PK_INVENTORYCURRENTVIRUS   cell in the Data Type column, it applies to
                                                                                                                                                                                                                                both MS SQL Server and to Sybase. If
                                                                                                                                                                                                                                there are two data type values, the first
                                                                                                                                                                                                                                applies to MS SQL Server and the
                                                                                                                                                                                                                                second applies to Sybase.
ALERT_EVENT_IDX                  Foreign key to ALERTS.IDX                                                                     char(32), NOT NULL                                                    PK_INVENTORYCURRENTVIRUS
USN                              A USN-based serial number; this ID is not unique.                                             bigint, NOT NULL                                                 -1
TIME_STAMP                       The time when the event is logged into system (GMT), which is server side time                bigint, NOT NULL                                                  0
DELETED                          Deleted row; 0 = Not Deleted, 1 = Deleted                                                     tinyint, NOT NULL                                                 0


INVENTORYREPORT
Column Name                      Comment                                                                                       Data Type (MS, Sybase)                    Default Value               Primary Key                Description
                                                                                                                                                                                                                                This table lists inventory report schema
                                                                                                                                                                                                                                information.

                                                                                                                                                                                                                                If there is only one data type value in a
INVENTORYFILTER_IDX*             Primary key                                                                                   char(32), NOT NULL                                                    PK_INVENTORYREPORT         cell in the Data Type column, it applies to
                                                                                                                                                                                                                                both MS SQL Server and to Sybase. If
                                                                                                                                                                                                                                there are two data type values, the first
                                                                                                                                                                                                                                applies to MS SQL Server and the
                                                                                                                                                                                                                                second applies to Sybase.
USER_ID                          Administrator GUID                                                                            char(32), NOT NULL                        ('')
FILTERNAME                       User-specified name for this saved filter                                                     NVARCHAR(255), VARCHAR(255), NOT NULL     ('')
LASTCHECKINTIME                  Last time of check in with parent server                                                      datetime, NOT NULL                        ('19700101')
                                 Last time machine was scanned:
                                 0 = past week
                                 1 = past month
LASTSCANTIME                     2 = past three months                                                                         int, NULL                                 (null)
                                 3 = past year
                                 4 = past 24 hours
                                 5 = current month
                                 Last check in time if relative filtering used:
                                 0 = past week
                                 1 = past month
RELATIVEDATETYPE                 2 = past three months                                                                         int, NOT NULL                             ('0')
                                 3 = past year
                                 4 = past 24 hours
                                 5 = current month
OPERATOR                         Not used                                                                                      tinyint, NOT NULL                                                0
                                 Hard-coded English string used as key (filters for Antivirus signature version):
                                 WITHIN_RELATIVE_30 = Within the last 30 days
                                 WITHIN_RELATIVE_90 = Within the last 90 days
PATTERN_IDX                      OUTSIDE_RELATIVE_30 = Older than the last 30 days                                             varchar(255), NOT NULL                    ('%')
                                 OUTSIDE_RELATIVE_90 = Older than the last 90 days

                                 or virus definition revision which results in an < = query on that revision.
PRODUCTVERSION                   Product version by which to filter                                                            varchar(32), NOT NULL                     ('%')
PROFILE_VERSION                  Profile version by which to filter                                                            varchar(64), NOT NULL                     ('%')
IDS_VERSION                      Intrusions detection system signature version by which to filter                              varchar(64), NOT NULL                     ('%')
GOOD                             Not used                                                                                      varchar(5), NOT NULL                      ('%')
LICENSE_STATUS                   Not used                                                                                      tinyint, NULL                                                127
STATUS                           1 = online, 0 = offline,127 = No filter (all)                                                 tinyint, NULL                                                127
                                 Auto-Protect Status:
ONOFF                                                                                                                          tinyint, NULL                                                127
                                 0 = filter for off, 127 = No filter (all)
                                 Tamper Protection Status:
TAMPER_ONOFF                                                                                                                   tinyint, NULL                                                127
                                 0 = filter for off, 127 = No filter (all)
                                 Restart Required Status:
REBOOT_REQUIRED                                                                                                                tinyint, NULL                                                127
                                 1 = filter for needs restart, 127 = No filter (all)
                                 Antivirus Engine Status:
AVENGINE_ONOFF                                                                                                                 tinyint, NULL                                                127
                                 0 = filter for off, 127 = No filter (all)
                                 TPM device installed:
TPM_DEVICE                                                                                                                     tinyint, NULL                                                127
                                 1 = filters on device is installed, 127 = No filter (all)
SERVERGROUPLIST                  Comma-separated, wild-carded list of domain names by which to filter                          NVARCHAR(255), VARCHAR(255), NOT   NULL   ('%')
CLIENTGROUPLIST                  Comma-separated, wild-carded list of group names by which to filter                           NVARCHAR(255), VARCHAR(255), NOT   NULL   ('%')
PARENTSERVERLIST                 Comma-separated, wild-carded list of server names by which to filter                          NVARCHAR(255), VARCHAR(255), NOT   NULL   ('%')
SITELIST                         Comma-separated, wild-carded list of site names by which to filter                            NVARCHAR(255), VARCHAR(255), NOT   NULL   ('%')
                                 Possible values are as follows:
                                 601=Windows 7
                                 600 = Windows Vista and Windows Server 2008
                                 502 = Windows 2003 and Windows XP 64 bit
                                 501 = Windows XP
                                 500 = Windows 2000
                                 400 = Windows NT
R_OS_TYPE                                                                                                                      int, NULL                                 ((-1))
                                 000 = All Non-Windows
                                 0001=All Windows
                                 0002=All Mac
                                 0004= Mac OS X 10.4
                                 0005= Mac OS X 10.5
                                 0006= Mac OS X 10.6
                                 -1 = No filter (all)

                                 Filters on the following compliance status:
                                 0 = Fail
                                 1 = Success
HI_STATUS                        2 = Pending                                                                                   tinyint, NULL                                                127
                                 3 = Disabled
                                 4 = Ignore
                                 127 = No filter (all)
                                 Filters on the following reasons:
                                 0 = Pass
                                 101 = Antivirus version is out-of-date
                                 102 = Antivirus is not running
HI_REASONCODE                    103 = Script failed                                                                           int, NULL                                 ((-1))
                                 104 = Check is incomplete
                                 105 = Check is disabled
                                 127 = Location changed
                                 -1 = No filter (all)
SERVICE_PACK                     OS service pack or % for no filter (all)                                                      nvarchar(128), NOT NULL                   ('%')
WORSTINFECTION_IDX               Not used                                                                                      int, NULL                                 ((-1))
COMPUTERLIST                     Comma-separated, wild-carded list of computer names by which to filter                        NVARCHAR(512), VARCHAR(512), NOT NULL     ('%')
IPADDRESSLIST                    Comma-separated, wild-carded list of IP addresses by which to filter                          NVARCHAR(255), VARCHAR(255), NOT NULL     ('%')
USERLIST                         Comma-separated, wild-carded list of user names by which to filter                            NVARCHAR(255), VARCHAR(255), NOT NULL     ('%')
INFECTED                         On' = filter for infected machines                                                            varchar(2), NOT NULL                      ('')
SORTORDER                        Which column to sort for Computer Status log                                                  varchar(32), NOT NULL                     ('LAST_UPDATE_TIME')
SORTDIR                          Ascending or descending                                                                       varchar(5), NOT NULL                      ('DESC')
FILVIEW                          Not used                                                                                      varchar(16), NOT NULL                     ('SAVCE')
CLIENTTYPE                       Not used                                                                                      varchar(32), NOT NULL                     ('')
LIMITROWS                        Number of rows to use for pagination                                                          int, NOT NULL                             ('20')
USERELATIVE                      Use relative dates ('on') or absolute dates                                                   char(2), NOT NULL                         ('on')
REPORT_IDX                       Not used                                                                                      int, NOT NULL                             ('0')
REPORTINPUTS                     Special parameters if report needs them                                                       nvarchar(64), VARCHAR(64), NOT NULL       ('')
USN                              A USN-based serial number; this ID is not unique.                                             bigint, NOT NULL                                                 1
TIME_STAMP                       The time when the event is logged into system (GMT), which is server side time                bigint, NOT NULL                                                 0
DELETED                          Deleted row; 0 = Not Deleted, 1 = Deleted                                                     tinyint, NOT NULL                                                0
                                 NTP Status:
FIREWALL_ONOFF                                                                                                                 tinyint, NULL                                                127
                                 0 = filters on off, 127 = No filter (all)


LAN_DEVICE_DETECTED
Column Name                      Comment                                                                                       Data Type (MS, Sybase)                    Default Value               Primary Key                Description
       Symantec Corp Confidential                                                                                             SEP Table Definition                                                                    3/3/2012 Page 41 / 54



                                                                                                                                                                                                                    This table is not used in Symantec
                                                                                                                                                                                                                    Network Access Control.

                                                                                                                                                                                                                    This table lists LAN Device Detected
                                                                                                                                                                                                                    schema information.
LAN_DEVICE_ID                                                                                                                          char(32), NOT NULL
                                                                                                                                                                                                                    If there is only one data type value in a
                                                                                                                                                                                                                    cell in the Data Type column, it applies to
                                                                                                                                                                                                                    both MS SQL Server and to Sybase. If
                                                                                                                                                                                                                    there are two data type values, the first
                                                                                                                                                                                                                    applies to MS SQL Server and the
                                    GUID of the device                                                                                                                                                              second applies to Sybase.
AGENT_ID                            GUID of the agent                                                                                  char(32), NOT NULL
COMPUTER_ID                         The agent ID from a version 5.x agent . Primary Key.                                               char(32), NOT NULL
HASH                                Link with the computer HARDWARE_KEY                                                                char(32), NOT NULL                                  PK_LAN_DEVICE_DETECTED
MAC_ADDRESS                         Mac Address of the device                                                                          varchar(18), NOT NULL                               PK_LAN_DEVICE_DETECTED
IP_ADDRESS                          IP Address of the device                                                                           bigint, NOT NULL
DEVICE_DETECTED_TIME                GUID of the domain                                                                                 bigint, NULL
ALERT                               It reflects the alert attribute in profile action. It is true if action::alert is true.            tinyint, NULL
SEND_SNMP_TRAP                      It reflects the send SNMP trap action. It is true if send is true.                                 tinyint, NULL
USN                                 Update serial number; used by replication                                                          bigint, NOT NULL
TIME_STAMP                          Time that the record was modified; used to resolve merge conflict                                  bigint, NOT NULL
                                    The deleted flag of the schema object:
DELETED                             1 = Deleted                                                                                        tinyint, NOT NULL
                                    0 = Not Deleted
RESERVED_INT1                                                                                                                          int, NULL
RESERVED_INT2                                                                                                                          int, NULL
RESERVED_BIGINT1                                                                                                                       bigint, NULL
RESERVED_BIGINT2                                                                                                                       bigint, NULL
RESERVED_CHAR1                                                                                                                         char(32), NULL
RESERVED_CHAR2                                                                                                                         char(32), NULL
RESERVED_VARCHAR1                                                                                                                      varchar(260), NULL
RESERVED_BINARY                                                                                                                        varbinary(2000), NULL


LAN_DEVICE_EXCLUDED
Column Name                         Comment                                                                                            Data Type (MS, Sybase)              Default Value   Primary Key              Description
                                                                                                                                                                                                                    This table is not used in Symantec
                                                                                                                                                                                                                    Network Access Control.

                                                                                                                                                                                                                    This table lists LAN Device Excluded
                                                                                                                                                                                                                    schema information.
EXCLUDED_ID*                        GUID of the record. Primary Key.                                                                   char(32), NOT NULL                                  PK_LAN_DEVICE_EXCLUDED
                                                                                                                                                                                                                    If there is only one data type value in a
                                                                                                                                                                                                                    cell in the Data Type column, it applies to
                                                                                                                                                                                                                    both MS SQL Server and to Sybase. If
                                                                                                                                                                                                                    there are two data type values, the first
                                                                                                                                                                                                                    applies to MS SQL Server and the
                                                                                                                                                                                                                    second applies to Sybase.
HASH                                Link with the computer HARDWARE_KEY                                                                char(32), NOT NULL
EXCLUDE_MODE                                                                                                                           tinyint, NOT NULL
MAC_ADDRESS                         Mac Address of the device                                                                          varchar(18), NULL
IP_ADDRESS                          IP Address of the device                                                                           bigint, NULL
SUBNET_MASK                         Subnet mask of the device                                                                          bigint, NULL
IP_RANGE_START                      Start of IP Address range                                                                          bigint, NULL
IP_RANGE_END                        End of IP Address range                                                                            bigint, NULL
USN                                 Update serial number; used by replication                                                          bigint, NOT NULL
TIME_STAMP                          Time that the record was modified; used to resolve merge conflict                                  bigint, NOT NULL
                                    The deleted flag of the schema object:
DELETED                             0 = Deleted                                                                                        tinyint, NOT NULL
                                    1 = Not Deleted
RESERVED_INT1                                                                                                                          int, NULL
RESERVED_INT2                                                                                                                          int, NULL
RESERVED_BIGINT1                                                                                                                       bigint, NULL
RESERVED_BIGINT2                                                                                                                       bigint, NULL
RESERVED_CHAR1                                                                                                                         char(32), NULL
RESERVED_CHAR2                                                                                                                         char(32), NULL
RESERVED_VARCHAR1                                                                                                                      varchar(260), NULL
RESERVED_BINARY                                                                                                                        varbinary(2000), NULL


LEGACY_AGENT
Column Name                         Comment                                                                                            Data Type (MS, Sybase)              Default Value   Primary Key              Description
                                                                                                                                                                                                                    This table is not used in Symantec
                                                                                                                                                                                                                    Network Access Control.

                                                                                                                                                                                                                    This table lists Legacy Agent schema
                                                                                                                                                                                                                    information, which is used for product
                                                                                                                                                                                                                    migration.
LEGACY_AGENT_ID*                                                                                                                       char(32), NOT NULL                                  PK_LEGACY_AGENT
                                                                                                                                                                                                                    If there is only one data type value in a
                                                                                                                                                                                                                    cell in the Data Type column, it applies to
                                                                                                                                                                                                                    both MS SQL Server and to Sybase. If
                                                                                                                                                                                                                    there are two data type values, the first
                                                                                                                                                                                                                    applies to MS SQL Server and the
                                    The agent ID from a version 5.x agent . Primary Key.                                                                                                                            second applies to Sybase.
GROUP_PATH                          Group full path                                                                                    char(260), NOT NULL
POLICY_MODE                         User/Computer mode                                                                                 int, NOT NULL
LAN_SENSOR                          If the Agent is a LAN_SENSOR                                                                       int, NOT NULL
CLIENT_ID                           GUID in the SEM_CLIENT tablet                                                                      char(32), NOT NULL
COMPUTER_ID                         GUID in the SEM_COMPUTER tablet                                                                    char(32), NOT NULL
AGENT_ID                            GUID in the SEM_AGENT tablet                                                                       char(32), NOT NULL
USN                                 Update serial number; used by replication                                                          bigint, NOT NULL
TIME_STAMP                          Time that the record was modified; used to resolve merge conflict                                  bigint, NOT NULL
                                    The deleted flag of the schema object:
DELETED                             1 = Deleted                                                                                        tinyint, NOT NULL
                                    0 = Not Deleted
RESERVED_INT1                                                                                                                          int, NULL
RESERVED_INT2                                                                                                                          int, NULL
RESERVED_BIGINT1                                                                                                                       bigint, NULL
RESERVED_BIGINT2                                                                                                                       bigint, NULL
RESERVED_CHAR1                                                                                                                         char(32), NULL
RESERVED_CHAR2                                                                                                                         char(32), NULL
RESERVED_VARCHAR1                                                                                                                      nvarchar(260), VARCHAR(260), NULL
RESERVED_BINARY                                                                                                                        varbinary(2000), NULL


LOCAL_METADATA
Column Name                         Comment                                                                                            Data Type (MS, Sybase)              Default Value   Primary Key              Description
                                                                                                                                                                                                                    This table lists local metadata schema
                                                                                                                                                                                                                    information.

                                                                                                                                                                                                                    If there is only one data type value in a
ID*                                                                                                                                    char(32), NOT NULL                                  PK_LOCAL_METADATA        cell in the Data Type column, it applies to
                                                                                                                                                                                                                    both MS SQL Server and to Sybase. If
                                                                                                                                                                                                                    there are two data type values, the first
                                                                                                                                                                                                                    applies to MS SQL Server and the
                                    Primary Key. GUID                                                                                                                                                               second applies to Sybase.
                                    Type of local_metadata.
TYPE                                                                                                                                   varchar(256), NULL
                                    Only support SemLocalSettings at this moment.
CHECKSUM                            Checksum of XML content                                                                            char(32), NULL
CONTENT                             XML content of the schema object                                                                   image, NULL
                                    The deleted flag of the schema object:
DELETED                             0 = Deleted                                                                                        tinyint, NOT NULL
                                    1 = Not Deleted
RESERVED_INT1                                                                                                                          int, NULL
RESERVED_INT2                                                                                                                          int, NULL
RESERVED_BIGINT1                                                                                                                       bigint, NULL
RESERVED_BIGINT2                                                                                                                       bigint, NULL
RESERVED_CHAR1                                                                                                                         char(32), NULL
RESERVED_CHAR2                                                                                                                         char(32), NULL
RESERVED_VARCHAR1                                                                                                                      nvarchar(260), VARCHAR(260), NULL
RESERVED_BINARY                                                                                                                        varbinary(2000), NULL


LOG_CONFIG
Column Name                         Comment                                                                                            Data Type (MS, Sybase)              Default Value   Primary Key              Description

                                    Primary Key. Type of the logs:
                                    101 = SERVER_SYSTEM_LOG
                                    102 = SERVER_ADMIN_LOG                                                                                                                                                          This table lists log configuration schema
                                    103 = SERVER_POLICY_LOG                                                                                                                                                         information.
                                    104 = SERVER_CLIENT_LOG
                                    105 = SERVER_ENFORCER_LOG                                                                                                                                                       If there is only one data type value in a
LOG_TYPE*                           201 = AGENT_SYSTEM_LOG                                                                             int, NOT NULL                                       PK_LOG_CONFIG            cell in the Data Type column, it applies to
                                    202 = AGENT_SECURITY_LOG                                                                                                                                                        both MS SQL Server and to Sybase. If
                                    203 = AGENT_TRAFFIC_LOG                                                                                                                                                         there are two data type values, the first
                                    204 = AGENT_PACKET_LOG                                                                                                                                                          applies to MS SQL Server and the
                                    205 = AGENT_BEHAVIOR_LOG                                                                                                                                                        second applies to Sybase.
                                    301 = ENFORCER_SYSTEM_LOG
                                    302 = ENFORCER_CLIENT_LOG
                                    303 = ENFORCER_TRAFFIC_LOG
       Symantec Corp Confidential                                                                                       SEP Table Definition                                                                                               3/3/2012 Page 42 / 54



TABLE_LIST                          The name of the tables to switch logs                                                             varchar(250), NOT NULL
THRESHOLD                           Threshold of the log count                                                                        int, NOT NULL                                                -10000
EXPIRATION                          Expiration date of the logs                                                                       int, NOT NULL                                                    60
CURRENT_TABLE                       Current log table name                                                                            varchar(60), NOT NULL
CURRENT_ROWS                        Current log count in the log table                                                                int, NOT NULL
SWITCH_TIME                         Last log switch time                                                                              bigint, NULL
RESERVED_INT1                                                                                                                         int, NULL
RESERVED_INT2                                                                                                                         int, NULL
RESERVED_BIGINT1                                                                                                                      bigint, NULL
RESERVED_BIGINT2                                                                                                                      bigint, NULL
RESERVED_CHAR1                                                                                                                        char(32), NULL
RESERVED_CHAR2                                                                                                                        char(32), NULL
RESERVED_VARCHAR1                                                                                                                     nvarchar(260), VARCHAR(260), NULL
RESERVED_BINARY                                                                                                                       varbinary(2000), NULL


NETWORK_SCAN
Column Name                         Comment                                                                                           Data Type (MS, Sybase)                  Default Value                     Primary Key              Description
                                                                                                                                                                                                                                         This table lists network scan schema
                                                                                                                                                                                                                                         information.

                                                                                                                                                                                                                                         If there is only one data type value in a
ID*                                 GUID of the network scan. Primary Key.                                                            char(32), NOT NULL                                                        PK_NETWORK_SCAN          cell in the Data Type column, it applies to
                                                                                                                                                                                                                                         both MS SQL Server and to Sybase. If
                                                                                                                                                                                                                                         there are two data type values, the first
                                                                                                                                                                                                                                         applies to MS SQL Server and the
                                                                                                                                                                                                                                         second applies to Sybase.
DESCRIPTION                         Optional description of the network scan                                                          nvarchar(512), NULL
SCAN_TIME                           The time when the network scan is added into system (GMT), which is server side time              bigint, NOT NULL
ADMIN_ID                            Administrator who starts the network scan                                                         char(32), NOT NULL
USN                                 Update serial number; used by replication                                                         bigint, NOT NULL
TIME_STAMP                          The time when the command is added into system (GMT), which is server side time                   bigint, NOT NULL
                                    The deleted flag of the schema object:
DELETED                             1 = Deleted                                                                                       tinyint, NOT NULL
                                    0 = Not Deleted
RESERVED_INT1                                                                                                                         int, NULL
RESERVED_INT2                                                                                                                         int, NULL
RESERVED_BIGINT1                                                                                                                      bigint, NULL
RESERVED_BIGINT2                                                                                                                      bigint, NULL
RESERVED_CHAR1                                                                                                                        char(32), NULL
RESERVED_CHAR2                                                                                                                        char(32), NULL
RESERVED_VARCHAR1                                                                                                                     varchar(260), NULL
RESERVED_BINARY                                                                                                                       varbinary(1000), NULL


NETWORK_SCAN_RESULT
Column Name                         Comment                                                                                           Data Type (MS, Sybase)                  Default Value                     Primary Key              Description
                                                                                                                                                                                                                                         This table lists network scan result
                                                                                                                                                                                                                                         schema information.

                                                                                                                                                                                                                                         If there is only one data type value in a
ID*                                 GUID of the network scan. Primary Key.                                                            char(32), NOT NULL                                                        PK_NETWORK_SCAN_RESULT   cell in the Data Type column, it applies to
                                                                                                                                                                                                                                         both MS SQL Server and to Sybase. If
                                                                                                                                                                                                                                         there are two data type values, the first
                                                                                                                                                                                                                                         applies to MS SQL Server and the
                                                                                                                                                                                                                                         second applies to Sybase.
IP_ADDR                             The IP address of scanned computer                                                                bigint, NOT NULL
COMPUTER_NAME                       The computer name of scanned computer if the name can be resolved.                                nvarchar(512), NULL
DESCRIPTION                         The computer’s OS, OS version and platform                                                        nvarchar(512), NULL
SOFTWARE                            Detected software name                                                                            nvarchar(512), NULL
CLIENT_ID                           ID of the client associated with the client ID in SEM_CLIENT table                                char(32), NULL
STATUS                              Scan status code of the client                                                                    tinyint, NOT NULL
USN                                 Update serial number; used by replication                                                         bigint, NOT NULL
TIME_STAMP                          The time when the command is added into system (GMT), which is server side time                   bigint, NOT NULL
                                    The deleted flag of the schema object:
DELETED                             1 = Deleted                                                                                       tinyint, NOT NULL
                                    0 = Not Deleted
RESERVED_INT1                                                                                                                         int, NULL
RESERVED_INT2                                                                                                                         int, NULL
RESERVED_BIGINT1                                                                                                                      bigint, NULL
RESERVED_BIGINT2                                                                                                                      bigint, NULL
RESERVED_CHAR1                                                                                                                        char(32), NULL
RESERVED_CHAR2                                                                                                                        char(32), NULL
RESERVED_VARCHAR1                                                                                                                     varchar(260), NULL
RESERVED_BINARY                                                                                                                       varbinary(1000), NULL


NOTIFICATION
Column Name                         Comment                                                                                           Data Type (MS, Sybase)                  Default Value                     Primary Key              Description
                                                                                                                                                                                                                                         This table lists notification schema
                                                                                                                                                                                                                                         information.

                                                                                                                                                                                                                                         If there is only one data type value in a
NOTAG_IDX*                          Primary key, Index of notification                                                                char(32), NOT NULL                                                        PK_NOTIFICATION          cell in the Data Type column, it applies to
                                                                                                                                                                                                                                         both MS SQL Server and to Sybase. If
                                                                                                                                                                                                                                         there are two data type values, the first
                                                                                                                                                                                                                                         applies to MS SQL Server and the
                                                                                                                                                                                                                                         second applies to Sybase.

                                    VO = Risk outbreak
                                    SO = Outbreak on single computers
                                    VM = Outbreak by number of computers
                                    1V = Single risk event
                                    NV = New risk detected
                                    ID = Virus definitions out-of-date
                                    AF = Authentication failure
                                    AFS = Authentication failure on single server
                                    SE = System event
TYPE                                CS = Client security alert                                                                        varchar(30), NOT NULL                   ('')
                                    CSS = Client security alert on single computers
                                    CSM = Client security alert by number of computers
                                    LA = New learned application
                                    CL = Client list changed
                                    DF = Server health
                                    UM = Unmanaged computers
                                    NS = New software package
                                    ED = Enforcer is down
                                    WL = Forced or Commercial application detected

USER_ID                             Admin GUID                                                                                        char(32), NOT NULL                      ('')
                                    Time zone when admin created the notification so that e-mailed reports can display dates in
TZ_OFFSET                                                                                                                             int, NOT NULL                                                         0
                                    admin's local time zone.
                                    Name of server group(s) to which this notification applies (Comma-separated list, wild-cards
SERVERGROUP                                                                                                                           NVARCHAR(255), VARCHAR(255), NOT NULL   ('%')
                                    allowed)
                                    Name of client group(s) to which this notification applies (Comma-separated list, wild-cards
CLIENTGROUP                                                                                                                           NVARCHAR(255), VARCHAR(255), NOT NULL   ('%')
                                    allowed)
                                    Name of parent server(s) to which this notification applies (Comma-separated list, wild-cards
PARENTSERVER                                                                                                                          NVARCHAR(255), VARCHAR(255), NOT NULL   ('%')
                                    allowed)
COMPUTER                            Name of computer(s) to which this notification applies (Comma-separated list, wild-cards allowed) NVARCHAR(255), VARCHAR(255), NOT NULL   ('%')

VIRUS                               Name of virus(es) to which this notification applies (Comma-separated list, wild-cards allowed)   NVARCHAR(255), VARCHAR(255), NOT NULL   ('%')

                                    Scan for which this notification applies (hard-coded English string used as key):
                                    % = all
                                    Scheduled Scan
                                    Manual Scan
                                    Real Time Scan
                                    Heuristic Scan
SOURCE                                                                                                                                varchar(255), NOT NULL                  ('%')
                                    Console
                                    Definition downloader
                                    System
                                    Startup Scan
                                    Idle Scan
                                    Manual Quarantine

                                    % = No filter (all)
                                    1 = Quarantined
                                    3 = Deleted
                                    4 = Left alone
                                    5 = Cleaned
                                    6 = Cleaned or macros deleted
                                    14 = Pending repair
                                    15 = Partially repaired
ACTACTION                           16 = Process termination pending restart                                                          varchar(255), NOT NULL                  ('%')
                                    17 = Excluded
                                    19 = Cleaned by deletion
                                    20 = Access denied
                                    21 = Process terminated
                                    22 = No repair available
                                    23 = All actions failed
                                    98 = Suspicious


HYPERLINK2                          Hyperlink used to generate report                                                                 NVARCHAR(255), VARCHAR(255), NOT NULL   ('/reports/FullReport.php')
       Symantec Corp Confidential                                                                                    SEP Table Definition                                                                           3/3/2012 Page 43 / 54



NTIMES                              Number of occurrences to trigger this notification                                        int, NOT NULL                                           0
XMINUTES                            Time window in which ntimes events must occur to trigger the notification                 int, NOT NULL                                           0
EMAIL                               Comma-separated email list to send email when this notification is triggered              NVARCHAR(255), VARCHAR(255), NOT NULL   ('')
LASTRUN                             Time stamp when this notification has last been analyzed                                  bigint, NOT NULL                                        0
TRIGGERED                           Time when alert was last triggered                                                        bigint, NOT NULL                                        0
LASTRUN_DATA                        Any extra data needed to give details in notification e-mail                              varchar(50), NOT NULL                   ('')
                                    Virus category for which this notification applies:
                                    >= -1 is no filter (all)
                                    >= 1 filters for Category 1 (Very Low) and above
                                    >= 2 filters for Category 2 (Low) and above
CATEGORY                                                                                                                      varchar(10), NOT NULL                   ('>= -1')
                                    >= 3 filters for Category 3 (Moderate) and above
                                    >= 4 filters for Category 4 (Severe) and above
                                    >= 5 filters for Category 5 (Very Severe)
                                    = -1 filters for unknown
USN                                 A USN-based serial number; this ID is not unique.                                         bigint, NOT NULL                                        1
TIME_STAMP                          The time when the event is logged into system (GMT), which is server side time            bigint, NOT NULL                                        0
DELETED                             Deleted row; 0 = Not Deleted, 1 = Deleted                                                 tinyint, NOT NULL                                       0
SYSTEM_EVENT                        Which buckets of system events                                                            int, NOT NULL                                           0
SECURITY_EVENT                      Which buckets of security events                                                          int, NOT NULL                                           0
DAMPER                              Minimum quiet time between alerts in minutes; 0 means autodamper which is 60 minutes      int, NOT NULL                                           0
BATCH_FILE_NAME                     Batch file or executable to be executed when the notification is triggered                nvarchar(64), VARCHAR(64), NOT NULL     ('')
NAME                                Name of notification configuration                                                        NVARCHAR(255), VARCHAR(255), NOT NULL   ('')
TZ_NAME                             Time Zone name, like "America/Los_Angeles".                                               varchar(255),NOT NULL                   ('')


NOTIFICATIONALERTS
Column Name                         Comment                                                                                   Data Type (MS, Sybase)                  Default Value       Primary Key             Description
                                                                                                                                                                                                                  This table lists notification alerts schema
                                                                                                                                                                                                                  information.

                                                                                                                                                                                                                  If there is only one data type value in a
IDX*                                Primary key, Index of notification alert                                                  char(32), NOT NULL                                          PK_NOTIFICATIONALERTS   cell in the Data Type column, it applies to
                                                                                                                                                                                                                  both MS SQL Server and to Sybase. If
                                                                                                                                                                                                                  there are two data type values, the first
                                                                                                                                                                                                                  applies to MS SQL Server and the
                                                                                                                                                                                                                  second applies to Sybase.
NOTAG_IDX                           Notification which triggered this alert (Pointer to table 'notification')                 char(32), NOT NULL                      ('')
ALERTDATETIME                       Time stamp when the alert was generated                                                   datetime, NOT NULL                      ('19700101')
SUBJECT                             Subject of alert                                                                          NVARCHAR(255), VARCHAR(255), NOT NULL   ('')
MSG                                 Notification alert message text                                                           nvarchar(512), VARCHAR(512), NOT NULL   ('')
HYPERLINK                           Link to report with details about alert situation                                         nvarchar(512), VARCHAR(512), NOT NULL   ('')
ACKNOWLEDGED                        Flag whether the alert has been acknowledged                                              int, NOT NULL                                           0
ACKNOWLEDGED_USERID                 GUID of user who acknowledged this notification                                           char(32), NOT NULL                      ('')
ACKNOWLEDGED_TIME                   Time when notification was acknowledged                                                   datetime, NOT NULL                      ('19700101')
USN                                 A USN-based serial number; this ID is not unique.                                         bigint, NOT NULL                                        1
TIME_STAMP                          The time when the event is logged into system (GMT), which is server side time            bigint, NOT NULL                                        0
DELETED                             Deleted row; 0 = Not deleted, 1 = deleted                                                 tinyint, NOT NULL                                       0


PATTERN
Column Name                         Comment                                                                                   Data Type (MS, Sybase)                  Default Value       Primary Key             Description
                                                                                                                                                                                                                  This table lists pattern schema
                                                                                                                                                                                                                  information.

                                                                                                                                                                                                                  If there is only one data type value in a
PATTERN_IDX*                        Primary key                                                                               char(32), NOT NULL                                          PK_PATTERN              cell in the Data Type column, it applies to
                                                                                                                                                                                                                  both MS SQL Server and to Sybase. If
                                                                                                                                                                                                                  there are two data type values, the first
                                                                                                                                                                                                                  applies to MS SQL Server and the
                                                                                                                                                                                                                  second applies to Sybase.
CLIENT_MONIKER                      Moniker for this content                                                                  varchar(40), NOT NULL                   ('')
                                    Virus definition = VIRUS_DEFS
                                    DECABI
                                    DEUCE_SIG
                                    ERASER_ENGINE
PATTERN_TYPE                        PTS_CONTENT                                                                               NVARCHAR(128), VARCHAR(128), NOT NULL   ('')
                                    PTS_ENGINE
                                    SYKNAPPS_CAL
                                    SYKNAPPS_ENGINE
                                    SYKNAPPS_WHITELIST
SEQUENCE                            Sequence number associated with this definition                                           int, NOT NULL                                           0
PATTERNDATE                         Date when this content was released                                                       datetime, NOT NULL                      ('19700101')
REVISION                            Revision number for this content                                                          int, NOT NULL                                           0
VERSION                             Version number for this content                                                           varchar(255), NOT NULL                  ('')
INSERTDATETIME                      Time when this pattern information was entered into the database                          datetime, NOT NULL                      ('19700101')
USN                                 A USN-based serial number; this ID is not unique.                                         bigint, NOT NULL                                        1
TIME_STAMP                          The time when the event is logged into system (GMT), which is server side time            bigint, NOT NULL                                        0
DELETED                             Deleted row; 0 = Not deleted, 1 = Deleted                                                 tinyint, NOT NULL                                       0


PROCESS_STATE
Column Name                         Comment                                                                                   Data Type (MS, Sybase)                  Default Value       Primary Key             Description
                                                                                                                                                                                                                  This table is used for processes
ID*                                 Primary key                                                                               char(32), NOT NULL                                          PK_PROCESS_STATE
                                                                                                                                                                                                                  synchronization.
TYPE                                "PROCESS_STATE" is set for processes synchronization.                                     varchar(256),NOT NULL
                                    Virus definition
                                    PROCESS_STATE_NA = -1
STATUS                                                                                                                        int,NOT NULL
                                    PROCESS_STATE_UNLOCKED = 0
                                    PROCESS_STATE_LOCKED = 1
TIME_STAMP                          The time when the data is inserted/updated into system (GMT), which is server side time   bigint,NOT NULL
UPDATE_OWNER                        Server ID + process name                                                                  varchar(255),NULL


REPORTS
Column Name                         Comment                                                                                   Data Type (MS, Sybase)                  Default Value       Primary Key             Description
                                                                                                                                                                                                                  This table is not used.

                                                                                                                                                                                                                  This table lists report schema
                                                                                                                                                                                                                  information.

ID*                                                                                                                           char(32), NOT NULL                                          PK_REPORTS              If there is only one data type value in a
                                                                                                                                                                                                                  cell in the Data Type column, it applies to
                                                                                                                                                                                                                  both MS SQL Server and to Sybase. If
                                                                                                                                                                                                                  there are two data type values, the first
                                                                                                                                                                                                                  applies to MS SQL Server and the
                                    GUID of the report object. Primary Key.                                                                                                                                       second applies to Sybase.
TYPE                                Type of report                                                                            varchar(256), NOT NULL
REPORT_TIME                         Report sample time                                                                        bigint, NOT NULL
SITE_ID                             GUID of the site from where the report generated                                          char(32), NOT NULL
                                    GUID of the domain to which the report belongs
DOMAIN_ID                                                                                                                     char(32), NULL
                                    The reports for system administrator do not have DOMAIN_ID
CHECKSUM                            Checksum of XML content                                                                   char(32), NOT NULL
CONTENT                             XML content of the schema object                                                          image, NOT NULL
USN                                 Update serial number; used by replication                                                 bigint, NOT NULL
TIME_STAMP                          Time that the record was modified; used to resolve merge conflict                         bigint, NOT NULL
                                    The deleted flag of the schema object:
DELETED                             1 = Deleted                                                                               tinyint, NOT NULL
                                    0 = Not Deleted
RESERVED_INT1                                                                                                                 int, NULL
RESERVED_INT2                                                                                                                 int, NULL
RESERVED_BIGINT1                                                                                                              bigint, NULL
RESERVED_BIGINT2                                                                                                              bigint, NULL
RESERVED_CHAR1                                                                                                                char(32), NULL
RESERVED_CHAR2                                                                                                                char(32), NULL
RESERVED_VARCHAR1                                                                                                             varchar(260), NULL
RESERVED_BINARY                                                                                                               varbinary(2000), NULL


SCANREPORT
Column Name                         Comment                                                                                   Data Type (MS, Sybase)                  Default Value       Primary Key             Description
                                                                                                                                                                                                                  This table lists scan report schema
                                                                                                                                                                                                                  information.

                                                                                                                                                                                                                  If there is only one data type value in a
SCANFILTER_IDX*                     Primary key                                                                               char(32), NOT NULL                                          PK_SCANREPORT           cell in the Data Type column, it applies to
                                                                                                                                                                                                                  both MS SQL Server and to Sybase. If
                                                                                                                                                                                                                  there are two data type values, the first
                                                                                                                                                                                                                  applies to MS SQL Server and the
                                                                                                                                                                                                                  second applies to Sybase.
USER_ID                             Admin GUID                                                                                char(32), NOT NULL                      ('')
FILTERNAME                          user-specified name for this saved filter                                                 NVARCHAR(255), VARCHAR(255), NOT NULL   ('')
STARTTIMEFROM                       Start date                                                                                datetime, NOT NULL                      ('19700101')
STARTTIMETO                         End date                                                                                  datetime, NOT NULL                      ('19700101')
                                    0 = past week
                                    1 = past month
                                    2 = past three months
RELATIVEDATETYPE                                                                                                              int, NOT NULL                           ('0')
                                    3 = past year
                                    4 = past 24 hours
                                    5 = current month
DURATION                            Length of the scan                                                                        int, NOT NULL                           ('0')
FILESCANNED                         Number of files scanned                                                                   bigint, NOT NULL                        ('0')
THREATS                             Number of risks the scan found                                                            int, NOT NULL                           ('0')
    Symantec Corp Confidential                                                                                    SEP Table Definition                                                                                 3/3/2012 Page 44 / 54



FILESINFECTED                    Number of files the scan found                                                                  bigint, NOT NULL                         ('0')
SCANSTARTMESSAGE                 Scan description                                                                                NVARCHAR(255), VARCHAR(255), NOT NULL    ('%')
STATUS                           Scan status as hard-coded English key: Completed, Cancelled, Started, % means no filter (all)   varchar(32), NOT NULL                    ('%')
SERVERGROUPLIST                  Comma-separated, wild-carded list of server groups by which to filter                           NVARCHAR(255), VARCHAR(255), NOT NULL    ('%')
CLIENTGROUPLIST                  Comma-separated, wild-carded list of client groups by which to filter                           NVARCHAR(255), VARCHAR(255), NOT NULL    ('%')
PARENTSERVERLIST                 Comma-separated, wild-carded list of parent servers by which to filter                          NVARCHAR(255), VARCHAR(255), NOT NULL    ('%')
COMPUTERLIST                     Comma-separated, wild-carded list of computers by which to filter                               NVARCHAR(1024), VARCHAR(512), NOT NULL   ('%')
IPADDRESSLIST                    Comma-separated, wild-carded list of IP addresses by which to filter                            NVARCHAR(255), VARCHAR(255), NOT NULL    ('%')
USERLIST                         Comma-separated, wild-carded list of users by which to filter                                   NVARCHAR(255), VARCHAR(255), NOT NULL    ('%')
LASTCOLUMN                       Not used                                                                                        varchar(32), NOT NULL                    ('SERVERGROUP')
                                 I.Computer'
                                 'P.Parentserver'
                                 'G.Clientgroup'
                                 'C.Clientuser'
                                 'S.Servergroup'
SORTORDER                                                                                                                        varchar(32), NOT NULL                    ('STARTDATETIME')
                                 'SC.Startdatetime'
                                 'SC.Duration'
                                 'SC.Totalfiles' (total files scanned)
                                 'SC.Threats'
                                 'SC.Infected' (total files infected)
SORTDIR                          Sort direction; desc = Descending, asc = Ascending                                              varchar(5), NOT NULL                     ('DESC')
LIMITROWS                        Number of rows to use for pagination                                                            int, NOT NULL                            ('0')
USERELATIVE                      Use relative dates ('on') or absolute dates                                                     char(2), NOT NULL                        ('on')
REPORT_IDX                       Not used                                                                                        int, NOT NULL                            ('0')
REPORTINPUTS                     Special parameters if report needs them                                                         NVARCHAR(255), VARCHAR(255), NOT NULL    ('')
USN                              A USN-based serial number; this ID is not unique.                                               bigint, NOT NULL                                             1
TIME_STAMP                       The time when the event is logged into system (GMT), which is server side time                  bigint, NOT NULL                                             0
DELETED                          Deleted row; 0 = Not Deleted, 1 = Deleted                                                       tinyint, NOT NULL                                            0
                                 Possible values are as follows:
                                 601=Windows 7
                                 600 = Windows Vista and Windows Server 2008
                                 502 = Windows 2003 and Windows XP 64 bit
                                 501 = Windows XP
                                 500 = Windows 2000
                                 400 = Windows NT
R_OS_TYPE                                                                                                                        int, NULL                                                    -1
                                 000 = All Non-Windows
                                 0001=All Windows
                                 0002=All Mac
                                 0004= Mac OS X 10.4
                                 0005= Mac OS X 10.5
                                 0006= Mac OS X 10.6
                                 -1 = No filter (all)


SCANS
Column Name                      Comment                                                                                         Data Type (MS, Sybase)                   Default Value            Primary Key       Description
                                                                                                                                                                                                                     This table lists scans schema
                                                                                                                                                                                                                     information.

                                                                                                                                                                                                                     If there is only one data type value in a
SCAN_IDX*                        Primary key                                                                                     char(32), NOT NULL                                                PK_SCANS          cell in the Data Type column, it applies to
                                                                                                                                                                                                                     both MS SQL Server and to Sybase. If
                                                                                                                                                                                                                     there are two data type values, the first
                                                                                                                                                                                                                     applies to MS SQL Server and the
                                                                                                                                                                                                                     second applies to Sybase.
SCAN_ID                          Scan ID provided by agent                                                                       bigint, NOT NULL                                             0
STARTDATETIME                    Start time for scan                                                                             datetime, NOT NULL                       ('19700101')
STOPDATETIME                     Stop time for scan                                                                              datetime, NOT NULL                       ('19700101')
                                 Scan status as hard-coded English key:
                                 completed = Completed
STATUS                                                                                                                           varchar(20), NOT NULL                    ('started')
                                 cancelled = Canceled
                                 started = Started
DURATION                         Length of the scan in seconds                                                                   int, NOT NULL                                                0
COMPUTER_IDX                     Foreign key to SEM_COMPUTER.COMPUTER_ID                                                         char(32), NOT NULL                       ('')
CLIENTUSER1                      User who was logged in when scan started                                                        nvarchar(64), varchar(64), NOT NULL      ('')
CLIENTUSER2                      User who was logged in when scan ended                                                          nvarchar(64), varchar(64), NOT NULL      ('')
SERVERGROUP_IDX                  Pointer to table IDENTITY_MAP (domain GUID)                                                     char(32), NOT NULL                       ('')
PARENTSERVER_IDX                 Pointer to table IDENTITY_MAP (server GUID)                                                     char(32), NOT NULL                       ('')
CLIENTGROUP_IDX                  Pointer to table IDENTITY_MAP (group GUID)                                                      char(32), NOT NULL                       ('')
MESSAGE1                         Scan message when scan started                                                                  nvarchar(255), varchar(255)NOT NULL      ('')
MESSAGE2                         Scan message when scan ended                                                                    nvarchar(255), varchar(255), NOT NULL    ('')
THREATS                          Number of threats that the scan found                                                           bigint, NOT NULL                                             0
INFECTED                         Number of files the scan found infected                                                         bigint, NOT NULL                                             0
TOTALFILES                       Number of files scanned                                                                         bigint, NOT NULL                                             0
OMITTED                          Number of files omitted                                                                         bigint, NOT NULL                                             0
USN                              A USN-based serial number; this ID is not unique.                                               bigint, NOT NULL                                             1
TIME_STAMP                       The time when the event is logged into system (GMT), which is server side time                  bigint, NOT NULL                                             0
DELETED                          Deleted row; 0 = Not deleted, 1 = Deleted                                                       tinyint, NOT NULL                                            0
                                 Type of scan:
                                 ScanNow_Quick = Active Scan
SCAN_TYPE                                                                                                                        varchar(64), NOT NULL                    ('')
                                 ScanNow_Full = Full Scan
                                 ScanNow_Custom = Admin-defined Scan
COMMAND_ID                       Pointer to table SEM_JOB; command ID that kicked off this scan (if any)                         varchar(32), NULL                        (null)


SCFINVENTORY
Column Name                      Comment                                                                                         Data Type (MS, Sybase)                   Default Value            Primary Key       Description
                                                                                                                                                                                                                     This table is not used.

                                                                                                                                                                                                                     This table lists SCF inventory schema
                                                                                                                                                                                                                     information.

AGENT_ID*                        Pointer to table 'sem_agent'. Primary Key.                                                      char(32), NOT NULL                                                PK_SCFINVENTORY   If there is only one data type value in a
                                                                                                                                                                                                                     cell in the Data Type column, it applies to
                                                                                                                                                                                                                     both MS SQL Server and to Sybase. If
                                                                                                                                                                                                                     there are two data type values, the first
                                                                                                                                                                                                                     applies to MS SQL Server and the
                                                                                                                                                                                                                     second applies to Sybase.
IPSSIGDATE                       Date of IPS signature                                                                           datetime, NULL                           (null)
IPSSIGREV                        Revision of IPS signature                                                                       int, NULL                                (null)
SCFVERSION                       Firewall version                                                                                varchar(255), NOT NULL                   ('')
SCFPOLICYFILE                                                                                                                    nvarchar(510), NOT NULL                  ('')
USN                              A USN-based serial number; this ID is not unique.                                               bigint, NOT NULL                                             -1
TIME_STAMP                       The time when the event is logged into system (GMT), which is server side time                  bigint, NOT NULL                                              0
DELETED                          Deleted row; 0 = Not deleted, 1 = Deleted                                                       tinyint, NOT NULL                                             0


SE_GLOBAL
Column Name                      Comment                                                                                         Data Type (MS, Sybase)                   Default Value            Primary Key       Description
                                                                                                                                                                                                                     This table lists the system sequence
                                                                                                                                                                                                                     number.

                                                                                                                                                                                                                     If there is only one data type value in a
SEQ_NUM                                                                                                                          bigint, NOT NULL                                                                    cell in the Data Type column, it applies to
                                                                                                                                                                                                                     both MS SQL Server and to Sybase. If
                                                                                                                                                                                                                     there are two data type values, the first
                                                                                                                                                                                                                     applies to MS SQL Server and the
                                 The latest USN on the site                                                                                                                                                          second applies to Sybase.


SEM_AGENT
Column Name                      Comment                                                                                         Data Type (MS, Sybase)                   Default Value            Primary Key       Description
                                                                                                                                                                                                                     This table lists schema information for
                                                                                                                                                                                                                     the agent.

                                                                                                                                                                                                                     If there is only one data type value in a
AGENT_ID*                                                                                                                        char(32), NOT NULL                                                PK_SEM_AGENT      cell in the Data Type column, it applies to
                                                                                                                                                                                                                     both MS SQL Server and to Sybase. If
                                                                                                                                                                                                                     there are two data type values, the first
                                                                                                                                                                                                                     applies to MS SQL Server and the
                                 GUID of the agent. Primary Key.                                                                                                                                                     second applies to Sybase.
                                 Type of the agent installed:
AGENT_TYPE                       105 = Symantec Endpoint Protection                                                              varchar(64), NULL
                                 151 = Symantec Network Access Control
    Symantec Corp Confidential                                                                                       SEP Table Definition                                                                                3/3/2012 Page 45 / 54




                                 Operating System type running on the client computer:
                                 269091840=B1185Mac OS X 10.4
                                 269092096=Mac OS X 10.5
                                 269092352=Mac OS X 10.6
                                 17170690=Windows 7
                                 17170434=Windows Vista Ultimate Edition
                                 17170444=Windows Vista Starter Edition
                                 17170435=Windows Vista Home Basic Edition
                                 17170436=Windows Vista Home Premium Edition
                                 17170437=Windows Vista Enterprise Edition
                                 17170439=Windows Vista Business Edition
                                 50659858=Windows Server 2003 Family Datacenter Edition
                                 50659874=Windows Server 2003 Family Enterprise Edition
                                 50659890=Windows Server 2003 Family Web Edition
                                 50659842=Windows Server 2003 Family Standard Edition
R_OS_TYPE                                                                                                                         int, NULL
                                 50724882=Windows Server 2008
                                 17105170=Windows XP Home Edition
                                 17105186=Windows XP Home Embedded
                                 17105154=Windows XP Professional
                                 50659346=Windows 2000 Datacenter Server
                                 50659362=Windows 2000 Advanced Server
                                 50659330=Windows 2000 Server
                                 17104898=Windows 2000 Professional
                                 50593810=Windows NT Server 4.0, Enterprise Edition
                                 50593794=Windows NT Server 4.0
                                 17039362=Windows NT WorkStation 4.0
                                 285185=Windows Millennium
                                 264961=Windows 98 SE
                                 264705=Windows 98
                                 262401=Windows 95 OSR2
                                 262145=Windows 95
                                 0=OS Type Unspecified
COMPUTER_ID                      GUID of the register computer                                                                    char(32), NULL
DOMAIN_ID                        GUID of the domain                                                                               char(32), NULL
GROUP_ID                         Current group GUID of the agent                                                                  char(32), NULL
AGENT_VERSION                    Version of agent software                                                                        nvarchar(64), varchar(64), NULL
PROFILE_VERSION                  Current profile version of agent                                                                 varchar(64), NULL
PROFILE_SERIAL_NO                Current profile serial number of agent                                                           varchar(64), NULL
PROFILE_CHECKSUM                 Current profile checksum of agent                                                                char(32), NULL
IDS_VERSION                      Current IDS version of agent                                                                     varchar(64), NULL
IDS_SERIAL_NO                    Current IDS serial number of agent                                                               varchar(64), NULL
IDS_CHECKSUM                     Current IDS checksum of agent                                                                    char(32), NULL
                                 Host integrity status:
                                 0 = Fail
                                 1 = Success
HI_STATUS                                                                                                                         int, NULL
                                 2 = Pending
                                 3 = Disabled
                                 4 = Ignore
                                 Host integrity reason code:
                                 0 = Pass
                                 101 = Antivirus version is out-of-date
HI_REASONCODE                    102 = Antivirus is not running                                                                   int, NULL
                                 103 = Script failed
                                 104 = Check is incomplete
                                 105 = Check is disabled
                                 127 = Location changed
HI_REASONDESC                    Host integrity description                                                                       varchar(64), NULL
CREATION_TIME                    Create time of the agent                                                                         bigint, NULL
STATUS                           Online status of the agent (0 = offline, 1 = online)                                             tinyint, NULL
LAST_UPDATE_TIME                 Last online time of the agent                                                                    bigint, NULL
LAST_SERVER_ID                   Last connected server GUID                                                                       char(32), NULL
LAST_SITE_ID                     Last connected site GUID                                                                         char(32), NULL
ATTRIBUTE_EXTENSION              Not used                                                                                         nvarchar(2000), varchar(2000), NULL
FULL_NAME                        Employee full name                                                                               nvarchar(256), varchar(256), NULL
EMAIL                            Employee email                                                                                   nvarchar(129), varchar(129), NULL
JOB_TITLE                        Employee job title                                                                               nvarchar(128), varchar(128), NULL
DEPARTMENT                       Employee department                                                                              nvarchar(128), varchar(128), NULL
EMPLOYEE_NUMBER                  Employee number                                                                                  varchar(32), NULL
EMPLOYMENT_STATUS                Employee status                                                                                  varchar(16), NULL
OFFICE_PHONE                     Employee office number                                                                           varchar(32), NULL
MOBILE_PHONE                     Employee mobile number                                                                           varchar(32), NULL
HOME_PHONE                       Employee home phone number                                                                       varchar(32), NULL
USN                              Update serial number; used by replication                                                        bigint, NOT NULL
TIME_STAMP                       Time that the record was modified; used to resolve merge conflict                                bigint, NOT NULL
                                 The deleted flag of the schema object:
DELETED                          1 = Deleted                                                                                      tinyint, NOT NULL
                                 0 = Not Deleted
RESERVED_INT1                                                                                                                     int, NULL
RESERVED_INT2                                                                                                                     int, NULL
RESERVED_BIGINT1                                                                                                                  bigint, NULL
RESERVED_BIGINT2                                                                                                                  bigint, NULL
RESERVED_CHAR1                                                                                                                    char(32), NULL
RESERVED_CHAR2                                                                                                                    char(32), NULL
RESERVED_VARCHAR1                                                                                                                 nvarchar(520), NULL
PATTERN_IDX                      Pointer to table 'pattern'                                                                       char(32), NOT NULL                      ('')
AP_ONOFF                         AutoProtect status: 1 = on, 2 = Not installed, 0 = off, 127 = Not reporting                      tinyint, NOT NULL                                        -127
INFECTED                         Is this machine infected? 0 = Not infected, 1 = Infected                                         tinyint, NOT NULL                                           0

                                 Worst detection:
                                 0 = (Severity 0) Viral
                                 1 = (Severity 1) Non-Viral malicious
                                 2 = (Severity 2) Malicious
                                 3 = (Severity 3) Antivirus - Heuristic
                                 5 = (Severity 5) Hack tool
                                 6 = (Severity 6) Spyware
                                 7 = (Severity 7) Trackware
WORSTINFECTION_IDX               8 = (Severity 8) Dialer                                                                          int, NOT NULL                                           -9999
                                 9 = (Severity 9) Remote access
                                 10 = (Severity 10) Adware
                                 11 = (Severity 11) Jokeware
                                 12 = (Severity 12) Client compliancy
                                 13 = (Severity 13) Generic load point
                                 14 = (Severity 14) Proactive Threat Scan - Heuristic
                                 15 = (Severity 15) Cookie
                                 9999 = No detections
LAST_SCAN_TIME                   Last scan time for this agent (GMT)                                                              bigint, NOT NULL                                            0
LAST_VIRUS_TIME                  Last time virus was detected on the client computer (GMT)                                        bigint, NOT NULL                                            0
CONTENT_UPDATE                   Accepts content update: 1 = Yes, 0 = no                                                          tinyint, NOT NULL                                          -1
AVENGINE_ONOFF                   RTVScan status: 1 = on, 2 = Not installed, 0 = off, 127 = Not reporting                          tinyint, NOT NULL                                        -127
TAMPER_ONOFF                     Tamper Protection status: 1 = on, 2 = Not installed, 0 = off, 127 = Not reporting status         tinyint, NOT NULL                                        -127
MAJOR_VERSION                    SEP version: 11                                                                                  int, NOT NULL                                               0
MINOR_VERSION                    Minor version                                                                                    int, NOT NULL                                               0
REBOOT_REQUIRED                  Reboot Required: 0 = No, 1 = Yes                                                                 tinyint, NOT NULL                                           0
                                 Format is <component> = <reason ID>;<component> = <reason ID>...
                                 Components:
                                 AVMAN = Antivirus
                                 LUMAN = LiveUpdate
                                 FW = Network Threat Protection
REBOOT_REASON                                                                                                                     varchar(128), NOT NULL                  ('')
                                 GUP = Group Update Provider
                                 Reasons:
                                 1 = risk remediation to complete
                                 2 = product patch to apply
                                 3 = content download to apply
LICENSE_STATUS                   For future use                                                                                   int, NOT NULL                           ((-1))
LICENSE_EXPIRY                   For future use                                                                                   bigint, NOT NULL                                            0
TIMEZONE                         Time zone offset of the client computer                                                          int, NOT NULL                                               0
FIREWALL_ONOFF                   Firewall status: 1 = On, 2 = Not installed, 0 = Off, 127 = Not reporting                         tinyint, NOT NULL                                        -127
FREE_MEM                         Free memory available                                                                            bigint, NULL
FREE_DISK                        Free disk space available                                                                        bigint, NULL
LAST_DOWNLOAD_TIME               Last download time                                                                               bigint, NOT NULL                                           0
CURRENT_CLIENT_ID                Client that logs on this agent.                                                                  char(32),NULL


SEM_APPLICATION
Column Name                      Comment                                                                                          Data Type (MS, Sybase)                  Default Value           Primary Key          Description
                                                                                                                                                                                                                       This table lists schema information for
                                                                                                                                                                                                                       the application.

                                                                                                                                                                                                                       If there is only one data type value in a
DOMAIN_ID*                       GUID of the domain. Primary Key.                                                                 char(32), NOT NULL                                              PK_SEM_APPLICATION   cell in the Data Type column, it applies to
                                                                                                                                                                                                                       both MS SQL Server and to Sybase. If
                                                                                                                                                                                                                       there are two data type values, the first
                                                                                                                                                                                                                       applies to MS SQL Server and the
                                                                                                                                                                                                                       second applies to Sybase.
APP_HASH                         Checksum of the learned application. Including name, path, file checksum, file size and so on.   char(32), NOT NULL                                              PK_SEM_APPLICATION
APPLICATION_NAME                 Name of the learned application                                                                  nvarchar(260), varchar(260), NOT NULL
APPLICATION_PATH                 Path of the learned application                                                                  nvarchar(260), varchar(260), NULL
APP_DESCRIPTION                  Description of the learned application                                                           nvarchar(1024), varchar(1024), NULL
CHECKSUM                         File checksum of the application binary                                                          char(32), NOT NULL
FILE_SIZE                        File size of the application binary                                                              bigint, NULL
VERSION                          File version of the application binary                                                           varchar(256), NULL
       Symantec Corp Confidential                                                                                        SEP Table Definition                                                                                    3/3/2012 Page 46 / 54



LAST_MODIFY_TIME                    Last modify time of the application binary                                                            bigint, NULL
USN                                 Update serial number; used by replication                                                             bigint, NOT NULL
TIME_STAMP                          Time that the record was modified; used to resolve merge conflict                                     bigint, NOT NULL
                                    The deleted flag of the schema object:
DELETED                             1 = Deleted                                                                                           tinyint, NOT NULL
                                    0 = Not Deleted
RESERVED_INT1                                                                                                                             int, NULL
RESERVED_INT2                                                                                                                             int, NULL
RESERVED_BIGINT1                                                                                                                          bigint, NULL
RESERVED_BIGINT2                                                                                                                          bigint, NULL
RESERVED_CHAR1                                                                                                                            char(32), NULL
RESERVED_CHAR2                                                                                                                            char(32), NULL
RESERVED_VARCHAR1                                                                                                                         nvarchar(260), VARCHAR(260), NULL
RESERVED_BINARY                                                                                                                           varbinary(2000), NULL


SEM_CLIENT
Column Name                         Comment                                                                                               Data Type (MS, Sybase)                  Default Value   Primary Key                  Description
                                                                                                                                                                                                                               This table lists schema information for
                                                                                                                                                                                                                               the client.

                                                                                                                                                                                                                               If there is only one data type value in a
CLIENT_ID*                                                                                                                                char(32), NOT NULL                                      PK_SEM_CLIENT                cell in the Data Type column, it applies to
                                                                                                                                                                                                                               both MS SQL Server and to Sybase. If
                                                                                                                                                                                                                               there are two data type values, the first
                                                                                                                                                                                                                               applies to MS SQL Server and the
                                    GUID of the client. Primary Key.                                                                                                                                                           second applies to Sybase.
DOMAIN_ID                           GUID of the domain                                                                                    char(32), NULL
GROUP_ID                            GUID of the group                                                                                     char(32), NULL
GROUP_IS_OU                         If client is from ActiveDirectory                                                                     tinyint, NULL
OU_GUID                             OU's GUID if the client is from ActiveDirectory                                                       char(32), NULL
POLICY_MODE                         Enum {USER_MODE, COMPUTER_MODE}                                                                       int, NULL
COMPUTER_ID                         GUID of the register computer                                                                         char(32), NULL
HARDWARE_KEY                        Hash of Computer Hardware information                                                                 char(32), NULL
COMPUTER_NAME                       Computer name                                                                                         nvarchar(64), varchar(64), NULL
COMPUTER_DOMAIN_NAME                Computer description                                                                                  nvarchar(256), varchar(256), NULL
DESCRIPTION                         Domain name of the computer                                                                           nvarchar(256), varchar(256), NULL
USER_NAME                           User login name                                                                                       nvarchar(64), varchar(64), NULL
FULL_NAME                           User full name                                                                                        nvarchar(64), varchar(64), NULL
USER_DOMAIN_NAME                    User login domain name                                                                                nvarchar(256), varchar(256), NULL
                                    Hash of
HASH                                POLICY_MODE,COMPUTER_NAME,COMPUTER_DOMAIN_NAME,USER_NAME,USER_DOMAI                                   char(32), NOT NULL
                                    N_NAME
PIN_MARK                            A flag to mark if this client should synchronized with ActiveDirectory                                tinyint, NULL
EXTRA_FEATURE                                                                                                                             int, NULL
CREATOR                                                                                                                                   tinyint, NULL
CREATION_TIME                       Create time of the client                                                                             bigint, NULL
USN                                 Update serial number; used by replication                                                             bigint, NOT NULL
TIME_STAMP                          Time that the record was modified; used to resolve merge conflict                                     bigint, NOT NULL
                                    The deleted flag of the schema object:
DELETED                             1 = Deleted                                                                                           tinyint, NOT NULL
                                    0 = Not Deleted
RESERVED_INT1                                                                                                                             int, NULL
RESERVED_INT2                                                                                                                             int, NULL
RESERVED_BIGINT1                                                                                                                          bigint, NULL
RESERVED_BIGINT2                                                                                                                          bigint, NULL
RESERVED_CHAR1                                                                                                                            char(32), NULL
RESERVED_CHAR2                                                                                                                            char(32), NULL
RESERVED_VARCHAR1                                                                                                                         nvarchar(260), VARCHAR(260), NULL
RESERVED_BINARY                                                                                                                           varbinary(2000), NULL


SEM_COMPLIANCE_CRITERIA
Column Name                         Comment                                                                                               Data Type (MS, Sybase)                  Default Value   Primary Key                  Description
                                                                                                                                                                                                                               This table lists schema information for
                                                                                                                                                                                                                               compliance criteria.

                                                                                                                                                                                                                               If there is only one data type value in a
CRITERIA_IDX*                       Primary key                                                                                           char(32), NOT NULL                                      PK_SEM_COMPLIANCE_CRITERIA   cell in the Data Type column, it applies to
                                                                                                                                                                                                                               both MS SQL Server and to Sybase. If
                                                                                                                                                                                                                               there are two data type values, the first
                                                                                                                                                                                                                               applies to MS SQL Server and the
                                                                                                                                                                                                                               second applies to Sybase.
AGENT_SECURITY_LOG_IDX              Foreign key to V_AGENT_SECURITY.AGENT_SECURITY_LOG_IDX                                                char(32), NOT NULL
ACTION                              hard-coded English key: one of “check” or “remediation”                                               varchar(64), NOT NULL                   ('')
RULE_NAME                           Admin-provided rule name from policy                                                                  nvarchar(256), varchar(256), NOT NULL   ('')
                                    hard-coded English key - one of:
                                       antivirus
                                       antispyware
                                       patch
RULE_TYPE                              servicepack                                                                                        varchar(64), NOT NULL                   ('')
                                       firewall
                                       custom
                                       unknown - fallback when processing log at the server and action ends up null or blank



                                    hard-coded English key - one of:
                                       as_is_installed
                                       as_is_running
                                       as_signature_ok
                                       av_is_installed
                                       av_is_running
                                       av_signature_ok
                                       file_age_ok
                                       file_date_ok
                                       file_size_ok
                                       file_version_ok
                                       file_download
                                       file_exists
                                       file_checksum_ok
                                       file_execute
                                       fw_is_installed
CRITERIA                               fw_is_running                                                                                      varchar(256), NOT NULL                  ('')
                                       patch_is_installed
                                       reg_value_incr
                                       reg_key_exists
                                       reg_value_ok
                                       reg_value_exists
                                       reg_value_set
                                       timestamp_ok
                                       msg_dlg_ok
                                       os_ok
                                       os_lang_ok
                                       process_is_running – means either user app or service
                                       file_delete
                                       service_pack_ok
                                       hi_setup
                                       remediation – so we can have overall status of remediation
                                       unknown – fallback at the server if the criteria type is null or blank

                                    The target of the criteria, for example, the AV product name, the firewall product name, the file
TARGET                              name, the registry key, the registry value, the patch version, the OS version, the process name, or   nvarchar(256), varchar(256), NOT NULL   ('')
                                    the service name.
                                    One of:
                                      pass
                                      fail
                                      ignore
RESULT                                                                                                                                    varchar(64), NOT NULL                   ('')
                                      error
                                      postponed – just for remediation criteria
                                      unknown – fallback at the server if the criteria or rule ends up without a final status


                                      One of:
                                       unknown = unknown
                                       product_unknown = product unknown
                                       file_notfound = file not found
                                       filename_invalid = invalid file name
                                       parameter_invalid = invalid condition parameter
                                       parameter_undefined = condition parameter was not specified in the policy
                                       bad_url = URL format is invalid
                                       filedownload_op_err = URL not accessible or failed to create destination file
                                       time_out = action timed out
ERROR                                                                                                                                     varchar(128), NOT NULL                  ('')
                                       connection_lost = connection was lost
                                       access_violation = access violation on file
                                       access_denied = access denied
                                       remediation_abort = user aborted remediation
                                       remediation_postpone = user postponed remediation
                                       createdir_failed = directory creation failed
                                       system_err = system error
                                       runas_noprivilege = a required privilege is not held by the client
                                       internal_err = internal error
                                       os_unknown = failed to detect operating system type
      Symantec Corp Confidential                                                                                    SEP Table Definition                                                                             3/3/2012 Page 47 / 54



                                   Additional compliance check details. Either exception text or one of:
                                       Checksum_blank = fingerprint value is empty
                                       Failed_to_get_modification_date = failed to get modification date
                                       NAN = not a number
                                       Cannot_parse_URL = cannot parse URL
                                       URL_not_accessible_or_failed_to_create_destination_file = URL not accessible or failed to
                                   create destination file
                                       Download_exceeded_limit = download exceeded limit
                                       Destination = destination file access violation
                                       By_User = action initiated by user
                                       Access_denied_by_server = access denied by server
                                       Download_file = download file not found
                                       Process_time_out = process timed out
DESCRIPTION                            Failed_to_detect_OS_type = failed to detect OS type                                           nvarchar(256), varchar(256), NOT NULL   ('')
                                       Application_name_is_empty = application name is empty
                                       Probably_software_is_not_installed = probably software is not installed
                                       Signature_age_in_seconds_failed = could not compute signature age
                                       Failed_to_parse_URL = failed to parse URL
                                       Missing_or_no_version_info = missing or no version information
                                       After_script_file_running = after script file run
                                       OS_ignore = operating system check was ignored
                                       Save_failed = save failed
                                       No_previous_time = no previous time
                                       OK_or_YES = user response was OK or Yes
                                       Cancel_or_NO = user response was Cancel or No
                                       Fail_to_get_current_OS_language_version = could not retrieve current operating system
                                   language
USN                                Update serial number; used by replication                                                         bigint, NOT NULL                                        1
TIME_STAMP                         Time that the record was modified; used to resolve merge conflict                                 bigint, NOT NULL                                        0
                                   The deleted flag of the schema object:
DELETED                            1 = Deleted                                                                                       tinyint, NOT NULL                                       0
                                   0 = Not Deleted


SEM_COMPUTER
Column Name                        Comment                                                                                           Data Type (MS, Sybase)                  Default Value       Primary Key       Description
                                                                                                                                                                                                                   This table lists computer schema
                                                                                                                                                                                                                   information.

                                                                                                                                                                                                                   If there is only one data type value in a
                                   GUID of the computer. Computer can be added from both console and client registration.
COMPUTER_ID*                                                                                                              char(32), NOT NULL                                                     PK_SEM_COMPUTER   cell in the Data Type column, it applies to
                                   Primary key.                                                                                                                                                                    both MS SQL Server and to Sybase. If
                                                                                                                                                                                                                   there are two data type values, the first
                                                                                                                                                                                                                   applies to MS SQL Server and the
                                                                                                                                                                                                                   second applies to Sybase.
DOMAIN_ID                          GUID of the domain                                                                                char(32), NULL
HARDWARE_KEY                       Hash of computer hardware information                                                             char(32), NULL
COMPUTER_NAME                      Computer name                                                                                     nvarchar(64), varchar(64), NULL
COMPUTER_DOMAIN_NAME               Computer description                                                                              nvarchar(256), varchar(256), NULL
COMPUTER_DESCRIPTION               Domain name of the computer                                                                       nvarchar(256), varchar(256), NULL
PROCESSOR_TYPE                     Processor type                                                                                    nvarchar(64), varchar(64), NULL
PROCESSOR_CLOCK                    Processor clock                                                                                   bigint, NULL
PROCESSOR_NUM                      Number of processors                                                                              int, NULL
MEMORY                             Physical memory in kb                                                                             bigint, NULL
BIOS_VERSION                       BIOS version                                                                                      varchar(128), NULL
TPM_DEVICE                         TPM device id                                                                                     int, NULL
OPERATION_SYSTEM                   Operation System name                                                                             nvarchar(64), varchar(64), NULL
SERVICE_PACK                       Service pack                                                                                      nvarchar(64), varchar(64), NULL
CURRENT_LOGIN_USER                 Logged in user                                                                                    nvarchar(64), varchar(64), NULL
CURRENT_LOGIN_DOMAIN               Windows domain                                                                                    nvarchar(256), varchar(256), NULL
DNS_SERVER1                                                                                                                          bigint, NULL
DNS_SERVER2                                                                                                                          bigint, NULL
WINS_SERVER1                                                                                                                         bigint, NULL
WINS_SERVER2                                                                                                                         bigint, NULL
DHCP_SERVER                                                                                                                          bigint, NULL
MAC_ADDR1                                                                                                                            varchar(17), NULL
IP_ADDR1                                                                                                                             bigint, NULL
GATEWAY1                                                                                                                             bigint, NULL
SUBNET_MASK1                                                                                                                         bigint, NULL
MAC_ADDR2                                                                                                                            varchar(17), NULL
IP_ADDR2                                                                                                                             bigint, NULL
GATEWAY2                                                                                                                             bigint, NULL
SUBNET_MASK2                                                                                                                         bigint, NULL
MAC_ADDR3                                                                                                                            varchar(17), NULL
IP_ADDR3                                                                                                                             bigint, NULL
GATEWAY3                                                                                                                             bigint, NULL
SUBNET_MASK3                                                                                                                         bigint, NULL
MAC_ADDR4                                                                                                                            varchar(17), NULL
IP_ADDR4                                                                                                                             bigint, NULL
GATEWAY4                                                                                                                             bigint, NULL
SUBNET_MASK4                                                                                                                         bigint, NULL
USN                                Update serial number; used by replication                                                         bigint, NOT NULL
TIME_STAMP                         Time that the record was modified; used to resolve merge conflict                                 bigint, NOT NULL
                                   The deleted flag of the schema object:
DELETED                            1 = Deleted                                                                                       tinyint, NOT NULL
                                   0 = Not Deleted
RESERVED_INT1                                                                                                                        int, NULL
RESERVED_INT2                                                                                                                        int, NULL
RESERVED_BIGINT1                                                                                                                     bigint, NULL
RESERVED_BIGINT2                                                                                                                     bigint, NULL
RESERVED_CHAR1                                                                                                                       char(32), NULL
RESERVED_CHAR2                                                                                                                       char(32), NULL
RESERVED_VARCHAR1                                                                                                                    nvarchar(260), VARCHAR(260), NULL
RESERVED_BINARY                                                                                                                      varbinary(2000), NULL
DISK_TOTAL                         Total disk space                                                                                  bigint, NULL
DISK_DRIVE                         Drive letter referred to by DISK_TOTAL                                                            varchar(3), NULL
OS_LANG                            Operating system language ID, for example, English = 0x09                                         int, NULL


SEM_CONTENT
Column Name                        Comment                                                                                           Data Type (MS, Sybase)                  Default Value       Primary Key       Description
                                                                                                                                                                                                                   This table lists content schema
                                                                                                                                                                                                                   information.

                                                                                                                                                                                                                   If there is only one data type value in a
AGENT_ID                                                                                                                             char(32), NOT NULL                                          PK_SEM_CONTENT    cell in the Data Type column, it applies to
                                                                                                                                                                                                                   both MS SQL Server and to Sybase. If
                                                                                                                                                                                                                   there are two data type values, the first
                                                                                                                                                                                                                   applies to MS SQL Server and the
                                   GUID of the agent                                                                                                                                                               second applies to Sybase.
PATTERN_IDX                        Pointer to pattern table                                                                          char(32), NOT NULL                                          PK_SEM_CONTENT
USN                                Update serial number; used by replication                                                         bigint, NOT NULL                                        1
TIME_STAMP                         Time that the record was modified; used to resolve merge conflict                                 bigint, NOT NULL                                        0
                                   The deleted flag of the schema object:
DELETED                            1 = Deleted                                                                                       tinyint, NOT NULL                                       0
                                   0 = Not Deleted


SEM_JOB
Column Name                        Comment                                                                                           Data Type (MS, Sybase)                  Default Value       Primary Key       Description
                                                                                                                                                                                                                   This table lists job schema information.

                                                                                                                                                                                                                   If there is only one data type value in a
                                                                                                                                                                                                                   cell in the Data Type column, it applies to
COMMAND_ID*                                                                                                                          char(32), NOT NULL                                          PK_SEM_JOB
                                                                                                                                                                                                                   both MS SQL Server and to Sybase. If
                                                                                                                                                                                                                   there are two data type values, the first
                                                                                                                                                                                                                   applies to MS SQL Server and the
                                   GUID of the command object. This GUID corresponds to the ID in the BASIC_METADATA table.                                                                                        second applies to Sybase.
USN                                Update serial number; used by replication                                                         bigint, NOT NULL

                                   Hard-coded English string that indicates which command was launched. This is the same string as
                                   what is placed in the XML for pre-defined name.

                                   Update_Now = Update Content
                                   ScanNow_Full = Full Scan
                                   ScanNow_Quick = Active Scan
                                   ScanNow_Custom = Custom Scan
                                   Update_ScanNow_Full = Update Content and Scan Full
COMMAND_NAME                                                                                                                         varchar(64), NOT NULL
                                   Update_ScanNow_Quick = Update Content and Scan Quick
                                   Update_ScanNow_Custom = Update Content and Scan Custom
                                   CancelScan = Cancel Scan
                                   Reboot = Restart
                                   ApOn = Turn Auto-Protect On
                                   ApOff = Turn Auto-Protect Off
                                   FwOn = Turn Firewall On
                                   FwOff = Turn Firewall Off
                                   DeleteQuarantine = Delete from Quarantine
COMMAND_DESC                       Detail description of the command                                                                 NVARCHAR(700), varchar(350), NULL
SOURCE_SITE_ID                     GUID of the site from where the command generated                                                 char(32), NOT NULL
SOURCE_ADMIN_ID                    GUID of the administrator who issued the command                                                  char(32), NOT NULL
CREATE_TIME                        When the command was issued at the console by the administrator                                   bigint, NOT NULL
TIME_STAMP                         The time when the event is logged into system (GMT), which is server side time                    bigint, NOT NULL
      Symantec Corp Confidential                                                                                    SEP Table Definition                                                                             3/3/2012 Page 48 / 54



                                   Deleted row:
DELETED                            1 = Deleted                                                                                         tinyint, NOT NULL
                                   0 = Not Deleted
RESERVED_INT1                                                                                                                          int, NULL
RESERVED_INT2                                                                                                                          int, NULL
RESERVED_BIGINT1                                                                                                                       bigint, NULL
RESERVED_BIGINT2                                                                                                                       bigint, NULL
RESERVED_CHAR1                                                                                                                         char(32), NULL
RESERVED_CHAR2                                                                                                                         char(32), NULL
RESERVED_VARCHAR1                                                                                                                      varchar(260), NULL
RESERVED_BINARY                                                                                                                        varbinary(1000), NULL


SERIAL_NUMBERS
Column Name                        Comment                                                                                             Data Type (MS, Sybase)                  Default Value   Primary Key         Description
                                                                                                                                                                                                                   This table lists serial number schema
                                                                                                                                                                                                                   information.

                                                                                                                                                                                                                   If there is only one data type value in a
GROUP_ID                           GUID of a group                                                                                     char(32), NOT NULL                                      PK_SERIAL_NUMBERS   cell in the Data Type column, it applies to
                                                                                                                                                                                                                   both MS SQL Server and to Sybase. If
                                                                                                                                                                                                                   there are two data type values, the first
                                                                                                                                                                                                                   applies to MS SQL Server and the
                                                                                                                                                                                                                   second applies to Sybase.
PROFILE_SERIAL_NO                  Profile serial number of the group                                                                  varchar(64), NOT NULL
POLICY_LAST_MODIFIED               The time when the event is logged into system (GMT), which is server side time                      bigint,NULL
IPS_SERIAL_NO                      IPS serial number of the group                                                                      varchar(64),NULL


SERVER_ADMIN_LOG_1 and SERVER_ADMIN_LOG_2
Column Name                        Comment                                                                                             Data Type (MS, Sybase)                  Default Value   Primary Key         Description
                                                                                                                                                                                                                   This table lists the database schema for
                                                                                                                                                                                                                   the Server Administration logs.

                                                                                                                                                                                                                   There are two tables for this schema.
                                                                                                                                                                                                                   When logs are stored, the Policy
                                                                                                                                                                                                                   Manager uses the first table until it is full.
                                                                                                                                                                                                                   It then switches to using the second
                                                                                                                                                                                                                   table. The data in the first table is kept
                                                                                                                                                                                                                   intact until the second table fills. Then it
USN                                                                                                                                    bigint, NOT NULL
                                                                                                                                                                                                                   starts to fill the first table again. This
                                                                                                                                                                                                                   cycle is continuous.

                                                                                                                                                                                                                   If there is only one data type value in a
                                                                                                                                                                                                                   cell in the Data Type column, it applies to
                                                                                                                                                                                                                   both MS SQL Server and to Sybase. If
                                                                                                                                                                                                                   there are two data type values, the first
                                                                                                                                                                                                                   applies to MS SQL Server and the
                                                                                                                                                                                                                   second applies to Sybase.
                                   A USN-based serial number; this ID is not unique.
DOMAIN_ID                          GUID of the domain to which the log belongs                                                         char(32), NULL
SITE_ID                            GUID of the site to which the log belongs                                                           char(32), NOT NULL
SERVER_ID                          GUID of the server to which the log belongs                                                         char(32), NOT NULL
TIME_STAMP                         The time when the event is logged into system (GMT), which is server side time                      bigint, NOT NULL
SEVERITY                           Enum (SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST)                                           int, NOT NULL
ADMIN_NAME                         Administrator’s name
                                   A unique ID of the admin event:                                                                     nvarchar(250), varchar(250), NOT NULL
                                   0x1001 = Login succeeded
                                   0x1002 = Login failed
                                   0x1003 = Logout
                                   0x1004 = Account locked
                                   0x1005 = Account unlocked
                                   0x1006 = Account disabled
                                   0x1007 = Account enabled
                                   0x1008 = Administrator created
                                   0x1009 = Administrator deleted
                                   0x100A = Administrator renamed
                                   0x100B = Password changed
                                   0x100C = Administrator properties are changed
                                   0x100D = Domain is created
                                   0x100E = Domain is deleted
                                   0x100F = Domain properties are changed
                                   0x1020 = Domain is disabled
                                   0x1021 = Domain is enabled
                                   0x1022 = Domain is renamed
EVENT_ID                                                                                                                               int, NOT NULL
                                   0x2001 = Group is created
                                   0x2002 = Group is deleted
                                   0x2003 = Group is renamed
                                   0x2004 = Group is moved
                                   0x2005 = Group properties are changed
                                   0x2006 = User is created
                                   0x2007 = User is deleted
                                   0x2008 = User is moved
                                   0x2009 = User is copied
                                   0x200A = User policy mode is switched
                                   0x200B = User properties are changed
                                   0x200C = Computer is created
                                   0x200D = Computer is deleted
                                   0x200E = Computer is moved
                                   0x200F = Computer is copied
                                   0x2010 = Computer policy mode is switched
                                   0x2011 = Computer properties are changed
                                   0x2012 = Organizational Unit is imported
EVENT_DESC                         Description of the event. Usually, the first line of the description is treated as “summary”.       nvarchar(256), varchar(256), NULL
                                   Event description ID, use this ID to load the localized message (Only used when an exception is
MSG_ID                                                                                                                                 int, NULL
                                   related to this event). ** See worksheet ERROR_CODE and MSG_ID values. **
                                   ErrorCode can unique identify the error in source code (Only used when an exception is related to
ERROR_CODE                                                                                                                             int, NULL
                                   this event). ** See worksheet ERROR_CODE and MSG_ID values. **
STACK_TRACE                        Stacktrace of exception (Only used when an exception is related to this event)                      nvarchar(2000), varchar(2000), NULL
RESERVED_INT1                                                                                                                          int, NULL
RESERVED_INT2                                                                                                                          int, NULL
RESERVED_BIGINT1                                                                                                                       bigint, NULL
RESERVED_BIGINT2                                                                                                                       bigint, NULL
RESERVED_CHAR1                                                                                                                         char(32), NULL
RESERVED_CHAR2                                                                                                                         char(32), NULL
RESERVED_VARCHAR1                                                                                                                      nvarchar(520), NULL
RESERVED_BINARY                                                                                                                        varbinary(2000), NULL


SERVER_CLIENT_LOG_1 and SERVER_CLIENT_LOG_2
Column Name                        Comment                                                                                             Data Type (MS, Sybase)                  Default Value   Primary Key         Description

                                                                                                                                                                                                                   This table lists the database schema for
                                                                                                                                                                                                                   the Server Client logs.

                                                                                                                                                                                                                   There are two tables for this schema.
                                                                                                                                                                                                                   When logs are stored, the Policy
                                                                                                                                                                                                                   Manager uses the first table until it is full.
                                                                                                                                                                                                                   It then switches to using the second
                                                                                                                                                                                                                   table. The data in the first table is kept
                                                                                                                                                                                                                   intact until the second table fills. Then it
USN                                                                                                                                    bigint, NOT NULL
                                                                                                                                                                                                                   starts to fill the first table again. This
                                                                                                                                                                                                                   cycle is continuous.

                                                                                                                                                                                                                   If there is only one data type value in a
                                                                                                                                                                                                                   cell in the Data Type column, it applies to
                                                                                                                                                                                                                   both MS SQL Server and to Sybase. If
                                                                                                                                                                                                                   there are two data type values, the first
                                                                                                                                                                                                                   applies to MS SQL Server and the
                                                                                                                                                                                                                   second applies to Sybase.
                                   A USN-based serial number; this ID is not unique.
DOMAIN_ID                          GUID of the domain to which the log belongs                                                         char(32), NULL
SITE_ID                            GUID of the site to which the log belongs                                                           char(32), NOT NULL
SERVER_ID                          GUID of the server to which the log belongs                                                         char(32), NOT NULL
TIME_STAMP                         The time when the event is logged into system (GMT), which is server side time                      bigint, NOT NULL

                                   A unique ID of the client activity event:
                                     1 = Registration succeeded
                                     2 = Registration failed
                                     3 = Client reconnected
                                     4 = Client disconnected
                                     5 = Downloaded policy
                                     6 = Downloaded Intrusion Prevention policy
                                     7 = Downloaded sylink.xml
EVENT_ID                             8 = Downloaded auto-upgrade file                                                                  int, NOT NULL
                                     9 = Server received log
                                     10 = Log processing failed
                                     11 = Server received learned application
                                     12 = Server received client information
                                     13 = Client information processing failed
                                     14 = Hardware identity change
                                     15 = Downloaded File Fingerprint list
                                     20 = Downloaded content package
                                     22 = Downloaded command
AGENT_ID                           GUID of the agent                                                                                   char(32), NOT NULL
HOST_NAME                          Computer name of the client                                                                         nvarchar(256), varchar(256), NULL
USER_NAME                          Login user name of the client                                                                       nvarchar(256), varchar(256), NULL
      Symantec Corp Confidential                                                                                         SEP Table Definition                                                          3/3/2012 Page 49 / 54



DOMAIN_NAME                        Domain name of the client                                                                       nvarchar(256), varchar(256), NULL
RESERVED_INT1                                                                                                                      int, NULL
RESERVED_INT2                                                                                                                      int, NULL
RESERVED_BIGINT1                                                                                                                   bigint, NULL
RESERVED_BIGINT2                                                                                                                   bigint, NULL
RESERVED_CHAR1                                                                                                                     char(32), NULL
RESERVED_CHAR2                                                                                                                     char(32), NULL
RESERVED_VARCHAR1                                                                                                                  nvarchar(260), VARCHAR(260), NULL
RESERVED_BINARY                                                                                                                    varbinary(2000), NULL
LOG_IDX                            Log index unique ID                                                                             char(32), NULL


SERVER_ENFORCER_LOG_1 and SERVER_ENFORCER_LOG_2
Column Name                        Comment                                                                                         Data Type (MS, Sybase)              Default Value   Primary Key   Description
                                                                                                                                                                                                     This table lists the database schema for
                                                                                                                                                                                                     the Server Enforcer logs.

                                                                                                                                                                                                     There are two tables for this schema.
                                                                                                                                                                                                     When logs are stored, the Policy
                                                                                                                                                                                                     Manager uses the first table until it is full.
                                                                                                                                                                                                     It then switches to using the second
                                                                                                                                                                                                     table. The data in the first table is kept
                                                                                                                                                                                                     intact until the second table fills. Then it
USN                                                                                                                                bigint, NOT NULL
                                                                                                                                                                                                     starts to fill the first table again. This
                                                                                                                                                                                                     cycle is continuous.

                                                                                                                                                                                                     If there is only one data type value in a
                                                                                                                                                                                                     cell in the Data Type column, it applies to
                                                                                                                                                                                                     both MS SQL Server and to Sybase. If
                                                                                                                                                                                                     there are two data type values, the first
                                                                                                                                                                                                     applies to MS SQL Server and the
                                                                                                                                                                                                     second applies to Sybase.
                                   A USN-based serial number; this ID is not unique.
SITE_ID                            GUID of the site to which the log belongs                                                       char(32), NOT NULL
SERVER_ID                          GUID of the server to which the log belongs                                                     char(32), NOT NULL
TIME_STAMP                         The time when the event is logged into system (GMT), which is server side time                  bigint, NOT NULL


                                   A unique ID of the Enforcer activity:
                                   0x101 = Connected to Policy Manager
                                   0x102 = Lost connection to Policy Manager
                                   0x103 = Applied policy downloaded from Policy Manager
                                   0x104 = Failed to apply policy downloaded from Policy Manager
                                   0x105 = Applied Policy Manager configuration
                                   0x106 = Failed to apply Policy Manager configuration
                                   0x107 = Applied Policy Manager configuration
                                   0x108 = Failed to apply Policy Manager configuration
                                   0x201 = Enforcer started
                                   0x202 = Enforcer stopped
                                   0x203 = Enforcer paused
                                   0x204 = Enforcer resumed
                                   0x205 = Enforcer disconnected from server
                                   0x301 = Enforcer failover enabled
EVENT_ID                           0x302 = Enforcer failover disabled                                                              int, NOT NULL
                                   0x303 = Enforcer in standby mode
                                   0x304 = Enforcer in primary mode
                                   0x305 = Enforcer short
                                   0x306 = Enforcer loop
                                   0x401 = Forward engine pause
                                   0x402 = Forward engine start
                                   0x403 = DNS Enforcer enabled
                                   0x404 = DNS Enforcer disabled
                                   0x405 = DHCP Enforcer enabled
                                   0x406 = DHCP Enforcer disabled
                                   0x407 = Allow all enabled
                                   0x408 = Allow all disabled
                                   0x501 = Seat number change
                                   0x601 = Failed to create policy parser
                                   0x602 = Failed to import policy downloaded from Policy Manager
                                   0x603 = Failed to export policy downloaded from Policy Manager
                                   0x701 = Incorrect customized attribute
ENFORCER_ID                        GUID of the Enforcer                                                                            char(32), NOT NULL
RESERVED_INT1                                                                                                                      int, NULL
RESERVED_INT2                                                                                                                      int, NULL
RESERVED_BIGINT1                                                                                                                   bigint, NULL
RESERVED_BIGINT2                                                                                                                   bigint, NULL
RESERVED_CHAR1                                                                                                                     char(32), NULL
RESERVED_CHAR2                                                                                                                     char(32), NULL
RESERVED_VARCHAR1                                                                                                                  nvarchar(520), NULL
RESERVED_BINARY                                                                                                                    varbinary(2000), NULL
LOG_IDX                                                                                                                            char(32), NULL


SERVER_POLICY_LOG_1 and SERVER_POLICY_LOG_2
Column Name                        Comment                                                                                         Data Type (MS, Sybase)              Default Value   Primary Key   Description
                                                                                                                                                                                                     This table lists the database schema for
                                                                                                                                                                                                     the Server Policy logs.

                                                                                                                                                                                                     There are two tables for this schema.
                                                                                                                                                                                                     When logs are stored, the Policy
                                                                                                                                                                                                     Manager uses the first table until it is full.
                                                                                                                                                                                                     It then switches to using the second
                                                                                                                                                                                                     table. The data in the first table is kept
                                                                                                                                                                                                     intact until the second table fills. Then it
USN                                                                                                                                bigint, NOT NULL
                                                                                                                                                                                                     starts to fill the first table again. This
                                                                                                                                                                                                     cycle is continuous.

                                                                                                                                                                                                     If there is only one data type value in a
                                                                                                                                                                                                     cell in the Data Type column, it applies to
                                                                                                                                                                                                     both MS SQL Server and to Sybase. If
                                                                                                                                                                                                     there are two data type values, the first
                                                                                                                                                                                                     applies to MS SQL Server and the
                                                                                                                                                                                                     second applies to Sybase.
                                   A USN-based serial number; this ID is not unique.
DOMAIN_ID                          GUID of the domain which was administered                                                       char(32), NULL
SITE_ID                            GUID of the site to which the log belongs                                                       char(32), NOT NULL
SERVER_ID                          GUID of the server to which the log belongs                                                     char(32), NOT NULL
TIME_STAMP                         The time when the event is logged into system (GMT), which is server side time                  bigint, NOT NULL
                                   A unique ID of the policy event:
                                   0 = Policy added
                                   1 = Policy deleted
EVENT_ID                           2 = Policy edited                                                                               int, NOT NULL
                                   3 = Add shared policy upon system install
                                   4 = Add shared policy upon system upgrade
                                   5 = Add shared policy upon domain creation
OBJECT_ID                          GUID of the AgentPolicy                                                                         char(32), NOT NULL
ADMIN_ID                           GUID of the administrator who is modifying the policy                                           char(32), NOT NULL
EVENT_DESC                         Description of the event. Usually, the first line of the description is treated as “summary”.   nvarchar(512), NULL
EVENT_DATA                         Additional data in binary format. This field is optional.                                       varbinary(2000), NULL
RESERVED_INT1                                                                                                                      int, NULL
RESERVED_INT2                                                                                                                      int, NULL
RESERVED_BIGINT1                                                                                                                   bigint, NULL
RESERVED_BIGINT2                                                                                                                   bigint, NULL
RESERVED_CHAR1                                                                                                                     char(32), NULL
RESERVED_CHAR2                                                                                                                     char(32), NULL
RESERVED_VARCHAR1                                                                                                                  nvarchar(260), VARCHAR(260), NULL
RESERVED_BINARY                                                                                                                    varbinary(2000), NULL


SERVER_SYSTEM_LOG_1 and SERVER_SYSTEM_LOG_2
Column Name                        Comment                                                                                         Data Type (MS, Sybase)              Default Value   Primary Key   Description
                                                                                                                                                                                                     This table lists the database schema for
                                                                                                                                                                                                     the Server System logs.

                                                                                                                                                                                                     There are two tables for this schema.
                                                                                                                                                                                                     When logs are stored, the Policy
                                                                                                                                                                                                     Manager uses the first table until it is full.
                                                                                                                                                                                                     It then switches to using the second
                                                                                                                                                                                                     table. The data in the first table is kept
                                                                                                                                                                                                     intact until the second table fills. Then it
USN                                                                                                                                bigint, NOT NULL
                                                                                                                                                                                                     starts to fill the first table again. This
                                                                                                                                                                                                     cycle is continuous.

                                                                                                                                                                                                     If there is only one data type value in a
                                                                                                                                                                                                     cell in the Data Type column, it applies to
                                                                                                                                                                                                     both MS SQL Server and to Sybase. If
                                                                                                                                                                                                     there are two data type values, the first
                                                                                                                                                                                                     applies to MS SQL Server and the
                                                                                                                                                                                                     second applies to Sybase.
                                   A USN-based serial number; this ID is not unique.
DOMAIN_ID                          Not used, logged as ''                                                                          char(32), NULL
SITE_ID                            GUID of the site to which the log belongs                                                       char(32), NOT NULL
SERVER_ID                          GUID of the server to which the log belongs                                                     char(32), NOT NULL
TIME_STAMP                         The time when the event is logged into system (GMT), which is server side time                  bigint, NOT NULL
    Symantec Corp Confidential                                                                                         SEP Table Definition                                                                                       3/3/2012 Page 50 / 54



                                 Enum (SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST):
                                 >= 400 is Finer and above
                                 >=500 is Fine and above
SEVERITY                         >=700 is Configuration and above                                                                           int, NOT NULL
                                 >=800 is Informational and above
                                 >=900 is Warning and above
                                 >=1000 is Severe and above
EVENT_ID                         A unique ID of the system event **See SERVER_SYSTEM_LOG event IDs worksheet **                             int, NOT NULL
EVENT_DESC                       Description of the event; usually, the first line of description is treated as a “summary”                 nvarchar(2000), varchar(2000), NULL
                                 Event description ID, use this ID to load localized message (Only used when an exception is related
MSG_ID                                                                                                                                      int, NULL
                                 to this event) ** See ERROR_CODE and MSG_ID worksheet **
                                 ErrorCode can unique identify the error in source code (Only used when an exception is related to
ERROR_CODE                                                                                                                                  int, NULL
                                 this event). ** See ERROR_CODE and MSG_ID worksheet **
STACK_TRACE                      Stacktrace of exception (Only used when an exception is related to this event).                            nvarchar(2000), varchar(2000), NULL
RESERVED_INT1                                                                                                                               int, NULL
RESERVED_INT2                                                                                                                               int, NULL
RESERVED_BIGINT1                                                                                                                            bigint, NULL
RESERVED_BIGINT2                                                                                                                            bigint, NULL
RESERVED_CHAR1                                                                                                                              char(32), NULL
RESERVED_CHAR2                                                                                                                              char(32), NULL
RESERVED_VARCHAR1                                                                                                                           nvarchar(260), VARCHAR(260), NULL
RESERVED_BINARY                                                                                                                             varbinary(2000), NULL


SYSTEM_REPORT
Column Name                      Comment                                                                                                    Data Type (MS, Sybase)                       Default Value        Primary Key       Description
                                                                                                                                                                                                                                This table lists system report schema
                                                                                                                                                                                                                                information.

                                                                                                                                                                                                                                If there is only one data type value in a
SYSTEMFILTER_IDX*                Primary key                                                                                                char(32), NOT NULL                                                PK_SYSTEMREPORT   cell in the Data Type column, it applies to
                                                                                                                                                                                                                                both MS SQL Server and to Sybase. If
                                                                                                                                                                                                                                there are two data type values, the first
                                                                                                                                                                                                                                applies to MS SQL Server and the
                                                                                                                                                                                                                                second applies to Sybase.
USER_ID                          ID of admin who created this filter. Foreign key to user_id column in adminuser table.                     char(32), NOT NULL                           ('')
FILTERNAME                       Filter name provided by admin during save filter operation                                                 NVARCHAR(255), varchar(255), NOT NULL        ('')
STARTDATEFROM                    Time filter start date                                                                                     datetime, NOT NULL                           ('19700101')
STARTDATETO                      Time filter end date                                                                                       datetime, NOT NULL                           ('19700101')
                                 0 = past week
                                 1 = past month
                                 2 = past three months
RELATIVEDATETYPE                                                                                                                            int, NOT NULL                                                 0
                                 3 = past year
                                 4 = past 24 hours
                                 5 = current month
                                 1 = Administrative
                                 2 = Client server activity
SYSTEM_TYPE                      3 = Server activity                                                                                        tinyint, NULL                                (null)
                                 4 = Client activity
                                 5 = Enforcer Activity
                                 For Administrative, Client-Server and Server activity:
                                 1000 = Error and above
                                 900 = Warning and above
                                 800 = Informational and above
                                 -1 = No filter (all)
SEVERITY                                                                                                                                    int, NULL                                    (null)
                                 For Enforcer activity and Client activity:
                                 0 = Informational and above
                                 1 = Warning and above
                                 2 = Error and above
                                 3 = Fatal
                                 -1 = No filter (all)
                                 Blank or % in this field means no filtering.

                                 For System>Administrative. For this log type, this field stores the value on the left of the = sign, for
                                 example, 'ADMIN_ADMIN_TYPES'. It is a hard-coded English string key. To the right of the = sign
                                 are the events that will get queried when the user selects the bucket.

                                 ADMIN_ADMIN_TYPES=Administrator events: Possible values 4097=Login succeeded,
                                 4098=Login failed, 4099=Logout, 4050=Account locked, 4101=Account unlocked, 4102=Account
                                 disabled, 4103=Account enabled, 4104=Administrator created, 4105=Administrator deleted,
                                 4106=Administrator renamed, 4107=Password changed, 4108=Administrator properties are
                                 changed

                                 ADMIN_DOMAIN_TYPES=Domain events: Possible values 4109=Domain is created,
                                 4110=Domain is deleted, 4111=Domain properties are changed, 4128=Domain is disabled,
                                 4129=Domain is enabled, 4130=Domain is renamed

                                 ADMIN_GROUP_TYPES=Group events: Possible values 8193=Group is created, 8194=Group is
                                 deleted, 8195=Group is renamed, 8196=Group is moved, 8197=Group properties are changed
EVENT_ID                                                                                                                                    varchar(32), NOT NULL                        ('')
                                 ADMIN_USER_TYPES=User events: possible values 8198=User is created, 8199=User is deleted,
                                 8200=User is moved, 8201=User is copied, 8202=User policy mode is switched, 8203=User
                                 properties are changed

                                 ADMIN_COMPUTER_TYPES=Computer events: possible values 8204=Computer is created,
                                 8205=Computer is deleted, 8206=Computer is moved, 8207=Computer is copied, 8208=Computer
                                 policy mode is switched, 8209=Computer properties are changed

                                 ADMIN_IMPORT_TYPES=Import events: possible values 8210=Organizational Unit is imported,
                                 8211=Domain user is imported, 8212=LDAP user is imported

                                 ADMIN_PACKAGE_TYPES=Package events: possible values 12289=Package is created,
                                 12290=Package is deleted, 12291=Package is exported, 12292=Package is moved to recycle bin,
                                 12293=Package is now current, 12294=Package is added to other domain, 12295=Package
                                 properties are changed, 12296=Package deployment created, 12297=Package deployment deleted,
                                 12298=Package deployment properties changed, 12299=Package updated

EVENT_DESC                       ADMIN_REPLICATION_TYPES=Replication events: Possible values 16385=Replication partner is NVARCHAR(255), varchar(255), NOT NULL                          ('')
                                 This field stores the hard-coded English string key found to the left of the = sign. To the right is a
                                 description of the kinds of error messages that will be queried. % or blank in this field means no
                                 filtering (all records). See "ERROR_CODE and MSG_ID" worksheet for the list of corresponding
                                 MSG IDs that fall into each bucket.
                                 For System>Administrative:
                                 ERR_SERVER=Server error messages
                                 ERR_INVALID_PARAMETER=Invalid parameter error messages
                                 ERR_GENERAL=General error messages
                                 ERR_ROOT=Root error messages
                                 ERR_AUTHENTICATION=Login related error messages
                                 ERR_METADATA=Metadata error messages
                                 ERR_TRANSACTION=Transaction error messages
                                 ERR_DATASTORE=Datastore error messages
                                 ERR_LICENSE=License error messages
                                 ERR_CERTIFICATE=Certificate error messages
                                 ERR_GROUP=Group error messages
                                 ERR_FILE=File related error messages
                                 ERR_LIVEUPDATE=LiveUpdate error messages
MSG_ID                           ERR_OTHER=Other error messages                                                                         varchar(255), NOT NULL                           ('')
                                 ERR_NONE=None

                                 For System> Server activity:
                                 ERR_SERVER=Server error messages
                                 ERR_INVALID_PARAMETER=Invalid parameter error messages
                                 ERR_GENERAL=General error messages
                                 ERR_ROOT=Root error messages
                                 ERR_AUTHENTICATION=Login related error messages
                                 ERR_METADATA=Metadata error messages
                                 ERR_TRANSACTION=Transaction error messages
                                 ERR_DATASTORE=Datastore error messages
                                 ERR_LICENSE=License error messages
                                 ERR_CERTIFICATE=Certificate error messages
                                 ERR_GROUP=Group error messages
                                 ERR_FILE=File related error messages
                                 ERR_LIVEUPDATE=LiveUpdate error messages
                                 ERR_OTHER=Other error messages
ENFORCERLIST                     ERR_NONE=None                                                                                              NVARCHAR(255), VARCHAR(255), NOT NULL        ('')
                                 Comma separated Enforcer names by which to filter
                                 0 = Gateway Enforcer
                                 1 = LAN Enforcer
                                 2 = DHCP Enforcer
ENFORCER_TYPE                                                                                                                               int, NULL                                    (null)
                                 3 = Integrated Enforcer
                                 4 = NAP Enforcer
                                 5 = PeerToPeer Enforcer
SERVERGROUPLIST                  Comma separated, wild-card domain names by which to filter                                                 NVARCHAR(255), VARCHAR(255), NOT      NULL   ('')
CLIENTGROUPLIST                  Comma separated, wild-card group names by which to filter                                                  NVARCHAR(255), VARCHAR(255), NOT      NULL   ('')
SITELIST                         Comma-separated, wild-card site names by which to filter                                                   NVARCHAR(255), VARCHAR(255), NOT      NULL   ('')
PARENTSERVERLIST                 comma separated, wild-card server names by which to filter                                                 NVARCHAR(255), VARCHAR(255), NOT      NULL   ('')
COMPUTERLIST                     Comma-separated, wild-card computer names by which to filter                                               NVARCHAR(512), VARCHAR(512), NOT      NULL   ('')
IPADDRESSLIST                    Comma-separated, wild-card IP addresses by which to filter                                                 NVARCHAR(255), VARCHAR(255), NOT      NULL   ('')
USERLIST                         Comma-separated, wild-card user names by which to filter                                                   NVARCHAR(255), VARCHAR(255), NOT      NULL   ('')
POLICYNAMELIST                   Comma-separated, wild-card policy names by which to filter                                                 NVARCHAR(255), VARCHAR(255), NOT      NULL   ('')
EVENTSOURCELIST                  Comma-separated event names by which to filter                                                             NVARCHAR(255), VARCHAR(255), NOT      NULL   ('')
SORTORDER                        Column to sort on for log views                                                                            varchar(32), NOT NULL                        ('EVENT_TIME')
SORTDIR                          Sort direction: Desc = Descending, Asc = Ascending                                                         varchar(5), NOT NULL                         ('DESC')
    Symantec Corp Confidential                                                                                        SEP Table Definition                                                                                   3/3/2012 Page 51 / 54



LIMITROWS                        Number of rows to use for pagination                                                                  int, NOT NULL                                                20
USERELATIVE                      Use relative dates ('on') or absolute dates                                                           char(2), NOT NULL                        ('on')
REPORT_IDX                       Not used                                                                                              int, NOT NULL                            ('0')
REPORTINPUTS                     Special parameters if report needs them                                                               nvarchar(64), varchar(64), NOT NULL      ('')
USN                              A USN-based serial number; this ID is not unique.                                                     bigint, NOT NULL                                             1
TIME_STAMP                       The time when the event is logged into system (GMT), which is server side time                        bigint, NOT NULL                                             0
                                 The deleted flag of the schema object:
DELETED                          0 = Deleted                                                                                           tinyint, NOT NULL                                            0
                                 1 = Not Deleted


SYSTEM_STATE
Column Name                      Comment                                                                                               Data Type (MS, Sybase)                   Default Value            Primary Key       Description
                                                                                                                                                                                                                           This table lists system state schema
                                                                                                                                                                                                                           information.

                                                                                                                                                                                                                           If there is only one data type value in a
CHECKSUM                                                                                                                               char(32), NOT NULL                                                                  cell in the Data Type column, it applies to
                                                                                                                                                                                                                           both MS SQL Server and to Sybase. If
                                                                                                                                                                                                                           there are two data type values, the first
                                                                                                                                                                                                                           applies to MS SQL Server and the
                                 Checksum of XML content                                                                                                                                                                   second applies to Sybase.
CONTENT                          XML content of the schema object                                                                      image, NOT NULL
DELETED                                                                                                                                tinyint, NOT NULL
ID*                              GUID of the schema object                                                                             char(32), NOT NULL                                                PK_SYSTEM_STATE
OWNER                            GUID of the corresponding schema object                                                               char(32), NULL
TIME_STAMP                       Time that the record was modified; used to resolve merge conflict                                     bigint, NOT NULL
TYPE                             Type name of the schema object                                                                        varchar(256), NOT NULL
USN                              Update serial number; used by replication                                                             bigint, NOT NULL
DOMAIN_ID                        GUID of the domain that the state object                                                              char(32), NULL
RESERVED_INT1                                                                                                                          int, NULL
RESERVED_INT2                                                                                                                          int, NULL
RESERVED_BIGINT1                                                                                                                       bigint, NULL
RESERVED_BIGINT2                                                                                                                       bigint, NULL
RESERVED_CHAR1                                                                                                                         char(32), NULL
RESERVED_CHAR2                                                                                                                         char(32), NULL
RESERVED_VARCHAR1                                                                                                                      nvarchar(260), VARCHAR(260), NULL
RESERVED_BINARY                                                                                                                        varbinary(2000), NULL


THREATREPORT
Column Name                      Comment                                                                                               Data Type (MS, Sybase)                   Default Value            Primary Key       Description
                                                                                                                                                                                                                           This table lists threat report schema
                                                                                                                                                                                                                           information.

                                                                                                                                                                                                                           If there is only one data type value in a
THREATFILTER_IDX*                Primary key                                                                                           char(32), NOT NULL                                                PK_THREATREPORT   cell in the Data Type column, it applies to
                                                                                                                                                                                                                           both MS SQL Server and to Sybase. If
                                                                                                                                                                                                                           there are two data type values, the first
                                                                                                                                                                                                                           applies to MS SQL Server and the
                                                                                                                                                                                                                           second applies to Sybase.
USER_ID                          Admin GUID                                                                                            char(32), NOT NULL                       ('')
FILTERNAME                       User-specified name for this saved 'report'                                                           NVARCHAR(255), VARCHAR(255), NOT NULL    ('')
STARTDATEFROM                    Starting date                                                                                         datetime, NOT NULL                       ('19700101')
STARTDATETO                      Ending date                                                                                           datetime, NOT NULL                       ('19700101')
                                 0 = past week
                                 1 = past month
                                 2 = past three months
RELATIVEDATETYPE                                                                                                                       int, NOT NULL                            ('0')
                                 3 = past year
                                 4 = past 24 hours
                                 5 = current month
FILTER_TYPE                      1 = Risk , 2 = Proactive Threat Protection                                                            tinyint, NULL                            (null)
PRODUCT                          Not used                                                                                              varchar(32), NOT NULL                    ('generic')
EVENTTYPE                        Possibilities here are in the ALERTMSG table                                                          varchar(32), NOT NULL                    ('')
ACTUALACTION                     Possibilities here are in the ACTUALACTION table                                                      varchar(32), NOT NULL                    ('')
                                 Hard-coded English lookup key:
                                 Scheduled Scan
                                 Manual Scan
                                 Real Time Scan
                                 Heuristic Scan
SOURCE                           Console                                                                                               varchar(255), NOT NULL                   ('')
                                 Definition downloader
                                 System
                                 Startup Scan
                                 Idle Scan
                                 Manual Quarantine
SORTORDER                        Which column to use for the log view sort                                                             varchar(32), NOT NULL                    ('ALERTDATETIME')
SORTDIR                          Either 'asc' or 'desc'                                                                                varchar(5), NOT NULL                     ('DESC')
TIMEBASE                         Deprecated                                                                                            varchar(32), NOT NULL                    ('')
TREATCOMPRESSED                  Deprecated                                                                                            varchar(32), NOT NULL                    ('')
SERVERGROUPLIST                  Comma-separated, wild-carded list of domains by which to filter                                       NVARCHAR(255), VARCHAR(255), NOT NULL    ('%')
SERVERGROUPINCLUDE               Whether to include (1) or exclude (0) the domains in the list. (Always set to 1 in SAV 11.0.)         int, NOT NULL                            ('0')
CLIENTGROUPLIST                  Comma-separated, wild-carded list of client groups by which to filter                                 NVARCHAR(255), VARCHAR(255), NOT NULLL   ('%')
CLIENTGROUPINCLUDE               Whether to include (1) or exclude (0) the client groups in the list. (Always set to 1 in SAV 11.0.)   int, NOT NULL                            ('0')
PARENTSERVERLIST                 Comma-separated, wild-carded list of SEPM servers by which to filter                                  NVARCHAR(255), VARCHAR(255), NOT NULL    ('%')
PARENTSERVERINCLUDE              Whether to include (1) or exclude (0) the servers in the list. (Always set to 1 in SAV 11.0.)         int, NOT NULL                            ('0')
COMPUTERLIST                     Comma-separated, wild-carded list of computers by which to filter                                     NVARCHAR(1024), VARCHAR(512), NOT NULL   ('%')
COMPUTERINCLUDE                  Whether to include (1) or exclude (0) the computers in the list. (Always set to 1 in SAV 11.0.)       int, NOT NULL                            ('0')
IPADDRESSLIST                    Comma-separated, wild-carded list of IP addresses by which to filter                                  NVARCHAR(255), VARCHAR(255), NOT NULL    ('%')
IPADDRESSINCLUDE                 Whether to include (1) or exclude (0) the IP addresses in the list. (Always set to 1 in SAV 11.0.)    int, NOT NULL                            ('0')
CLIENTUSERLIST                   Comma-separated, wild-carded list of users by which to filter                                         NVARCHAR(255), VARCHAR(255), NOT NULL    ('%')
CLIENTUSERINCLUDE                Whether to include (1) or exclude (0) the users in the list. (Always set to 1 in SAV 11.0.)           int, NOT NULL                            ('0')
HPP_APP_LIST                     Comma-separated, wild-carded list of heuristic risks by which to filter                               NVARCHAR(255), VARCHAR(255), NOT NULL    ('%')
THREATLIST                       Comma-separated, wild-carded list of risks by which to filter                                         NVARCHAR(255), VARCHAR(255), NOT NULL    ('%')
THREATINCLUDE                    Whether to include (1) or exclude (0) the risks in the list. (Always set to 1 in SAV 11.0.)           int, NOT NULL                            ('0')
THREATTYPELIST                   Possibilities here are in the VIRUSCATEGORY table--no longer a list but a single item.                varchar(255), NOT NULL                   ('%')
THREATTYPEINCLUDE                Whether to include (1) or exclude (0) the risk types in the list (Always set to 1 in SAV 11.0.)       int, NOT NULL                            ('0')
                                 = -1 (Unknown)
                                 >= 1 (Very low risk)
                                 >= 2 (Low risk)
THREATCATEGORY                                                                                                                         varchar(255), NOT NULL                   ('')
                                 >= 3 (Moderate risk)
                                 >= 4 (Severe risk)
                                 >= 5 (Very severe risk)
LIMITROWS                        Number of rows to use for pagination                                                                  int, NOT NULL                            ('20')
USERELATIVE                      Use relative dates ('on') or absolute dates                                                           char(2), NOT NULL                        ('on')
REPORT_IDX                       Not used                                                                                              int, NOT NULL                            ('0')
REPORTINPUTS                     Special parameters if report needs them                                                               NVARCHAR(255), VARCHAR(255), NOT NULL    ('')
FROMUSERLIST                     Deprecated                                                                                            NVARCHAR(255), VARCHAR(255), NOT NULL    ('%')
FROMUSERINCLUDE                  Deprecated                                                                                            int, NOT NULL                                                0
USN                              A USN-based serial number; this ID is not unique.                                                     bigint, NOT NULL                                             1
TIME_STAMP                       The time when the event is logged into system (GMT), which is server side time                        bigint, NOT NULL                                             0
DELETED                          Deleted row: 0 = Not deleted, 1 = Deleted                                                             tinyint, NOT NULL                                            0
FULL_CHARTS                      Admin-specified list of charts to include in the Antivirus Comprehensive report                       varchar(255), NOT NULL                   ('')
                                 Possible values are as follows:
                                 601=Windows 7
                                 600 = Windows Vista and Windows Server 2008
                                 502 = Windows 2003 and Windows XP 64 bit
                                 501 = Windows XP
                                 500 = Windows 2000
                                 400 = Windows NT
R_OS_TYPE                                                                                                                              int, NULL                                                    -1
                                 000 = All Non-Windows
                                 0001=All Windows
                                 0002=All Mac
                                 0004= Mac OS X 10.4
                                 0005= Mac OS X 10.5
                                 0006= Mac OS X 10.6
                                 -1 = No filter (all)


VERSION
Column Name                      Comment                                                                                               Data Type (MS, Sybase)                   Default Value            Primary Key       Description
                                                                                                                                                                                                                           This table lists version schema
                                                                                                                                                                                                                           information.

                                                                                                                                                                                                                           If there is only one data type value in a
PRODUCT*                         Primary key                                                                                           char(20), NOT NULL                                                PK_VERSION        cell in the Data Type column, it applies to
                                                                                                                                                                                                                           both MS SQL Server and to Sybase. If
                                                                                                                                                                                                                           there are two data type values, the first
                                                                                                                                                                                                                           applies to MS SQL Server and the
                                                                                                                                                                                                                           second applies to Sybase.
VERSION                          Version of Reporting                                                                                  char(10), NOT NULL
DBSCHEMA                         Schema version                                                                                        int, NOT NULL
SR_NONCE                         For internal usage only                                                                               char(64), NULL


VIRUS
Column Name                      Comment                                                                                               Data Type (MS, Sybase)                   Default Value            Primary Key       Description
       Symantec Corp Confidential                                                                                        SEP Table Definition                                                                             3/3/2012 Page 52 / 54




                                                                                                                                                                                                                        This table lists virus schema information.

                                                                                                                                                                                                                        If there is only one data type value in a
                                                                                                                                                                                                                        cell in the Data Type column, it applies to
VIRUSNAME_IDX*                      Primary key, Index of virus / threat                                                                       char(32), NOT NULL                                    PK_VIRUS
                                                                                                                                                                                                                        both MS SQL Server and to Sybase. If
                                                                                                                                                                                                                        there are two data type values, the first
                                                                                                                                                                                                                        applies to MS SQL Server and the
                                                                                                                                                                                                                        second applies to Sybase.

VIRUSNAME                           Name of virus / threat                                                                               NVARCHAR(255), VARCHAR(255), NOT NULL   ('')
                                    Current category (as downloaded from Symantec's web site). Values are 1 through 5 where 1 is
CATEGORY                            very low and 5 is very severe. -1 means unknown or not applicable. This rating is only applicable to int, NOT NULL                           ((-1))
                                    viral threats.
                                    Maximum category that the virus has reached. Values are 1 through 5. -1 means unknown or not
MAXCATEGORY                                                                                                                              int, NOT NULL                           ((-1))
                                    applicable. This rating is only applicable to viral threats.
                                    Threat type:
                                    0 = Viral
                                    1 = Non-Viral malicious
                                    2 = Malicious
                                    3 = Antivirus - Heuristic
                                    4 = Security risk
                                    5 = Hack tool
                                    6 = Spyware
TYPE                                7 = Trackware                                                                                              int, NULL                         (null)
                                    8 = Dialer
                                    9 = Remote access
                                    10 = Adware
                                    11 = Jokeware
                                    12 = Client compliancy
                                    13 = Generic load point
                                    14 = Proactive Threat Scan - Heuristic
                                    15 = Cookie

                                    Threat location:
                                    0 = Boot virus
                                    1 = File virus
                                    2 = Mutation virus
                                    3 = Macro virus
                                    4 = File virus
                                    5 = File virus
TYPE2                               6 = Memory virus                                                                                           int, NULL                         (null)
                                    7 = Memory OS virus
                                    8 = Memory mcb virus
                                    9 = Memory highest virus
                                    11 = Virus behavior
                                    12 = Virus behavior
                                    13 = Compressed file
                                    14 = Heuristic
DISCOVERED                          When threat was first discovered by Symantec (as downloaded from Symantec's web site)                      datetime, NOT NULL                ('19700101')
VID                                 Unique identifier for a virus set by Security Response                                                     bigint, NOT NULL                                  0
USN                                 A USN-based serial number; this ID is not unique.                                                          bigint, NOT NULL                                  1
TIME_STAMP                          The time when the event is logged into system (GMT), which is server side time                             bigint, NOT NULL                                  0
DELETED                             Deleted row: 0 = Not deleted, 1 = deleted                                                                  tinyint, NOT NULL                                 0
PATTERN_IDX                         Pointer to table 'pattern', that protects against this threat/virus                                        char(32), NOT NULL                ('')
TOP_THREAT                          0 = Not a top threat, 1 = top threat                                                                       tinyint, NOT NULL                                 0
LATEST_THREAT                       0 = not a latest threat, 1 = latest threat                                                                 tinyint, NOT NULL                                 0
STEALTH                             Assesses how easy it is to determine if a security risk is present on a computer. 0 = No rating, 1,2       int, NOT NULL                     ((-1))
REMOVAL                             = Low, 3 = Medium, remove the threat from a given computer. 0rating is only applicable to non-
                                    Skill level required to 4> = High, -1 means not applicable. This = No rating, 1,2 = Low, 3 =               int, NOT NULL                     ((-1))
                                    Medium, 4the negative impact that applicable. Thisa securityonly applicable to non-viral threats.
                                    Measures >= High, -1 means not the presence of rating is risk has on the computer's
PERFORMANCE                         performance. 0= No rating, 1,2= Low, 3= Medium, 4>= High, -1 means not applicable. This rating is          int, NOT NULL                     ((-1))
                                    only applicable to non-viral threats.
                                    The level of privacy that is lost due to the presence of a security risk on a computer. 0= No rating, 1,
PRIVACY                             2 = Low, 3 = Medium, 4 >= High, -1 means not applicable. This rating is only applicable to non-viral       int, NOT NULL                     ((-1))
                                    threats.
                                    Number of dependent components that risk installs. 0 = No rating, 1, 2 = Low, 3 = Medium, 4 >=
DEPENDENCY                                                                                                                                     int, NOT NULL                     ((-1))
                                    High, -1 means not applicable. This rating is only applicable to non-viral threats.
OVERALL                             An average of all the security risk ratings. This rating is only applicable to non-viral threats.          int, NOT NULL                     ((-1))


VIRUSCATEGORY
Column Name                         Comment                                                                                                    Data Type (MS, Sybase)            Default Value       Primary Key        Description
                                                                                                                                                                                                                        This table lists virus category schema
                                                                                                                                                                                                                        information.

                                                                                                                                                                                                                        If there is only one data type value in a
CATEGORY                            Primary key                                                                                                int, NOT NULL                                         PK_VIRUSCATEGORY   cell in the Data Type column, it applies to
                                                                                                                                                                                                                        both MS SQL Server and to Sybase. If
                                                                                                                                                                                                                        there are two data type values, the first
                                                                                                                                                                                                                        applies to MS SQL Server and the
                                                                                                                                                                                                                        second applies to Sybase.

                                    Category, Category_Desc (English string key used for lookup)
                                    0 = Viral
                                    1 = Non-Viral malicious
                                    2 = Malicious
                                    3 = Heuristic
                                    /* 4 = Security risk */
                                    5 = Hack tool
                                    6 = Spyware
CATEGORY_DESC                       7 = Trackware                                                                                              varchar(255), NOT NULL            ('')
                                    8 = Dialer
                                    9 = Remote access
                                    10 = Adware
                                    11 = Jokeware
                                    12 = Client compliancy
                                    13 = Generic load point
                                    14 = ApplicationHeuristic
                                    15 = Cookie
Report                           STAT_TYPE
Percentage of Clients Failing    PercentHIFail
Host Integrity Check over Time
(All)
                                 ztaPercentHIFail
Percentage of Clients Failing    PercentHIFailGroup
Host Integrity Check over Time
(By Top 10 Groups)

                                 ztaPercentHIFailGroup
Percentage of Clients Failing    PercentHIFailOS
Host Integrity Check over Time
(By Top 10 OS)

                                 ztaPercentHIFailOS
Software Packages Rollout        SoftwareRollout
Number of Computers              OnlineAgents
online/offline over Time         OfflineAgents
                                 zta
Number of Online Computers       OnlineAgentsGroup
over Time: Grouped by Top 10
(By Group)

                                 ztaOnlineAgentsGroup
Number of Online Computers       OnlineAgentsOS
over Time: Grouped by Top 10
(By OS)

                                 ztaOnlineAgentsOS
Number of Computers having       LatestProfileAgents
Latest Profile over Time (All)
                                 ztaLatestProfileAgents
Number of Computers having       LatestProfileAgentsGroup
Latest Profile over Time (By Top ztaLatestProfileAgentsGroup
Number of Computers having       LatestProfileAgentsOS
Latest Profile over Time (By Top
10 OS)
                                 ztaLatestProfileAgentsOS
Virus Definition Rollout         VirusDefRollout
TARGET                    STATISTIC
                          Percentage number



                          Total agent count
GroupGUID                 Percentage of group




Group GUID                Total agents in group
OS ID number              Percentage of OS total




OS ID number              Total agents with OS
Agent version             Agent count
                          Agent count online
                          Agent count offline
                          Agent count total
Group GUID                Agent count online by group




Group GUID                Agent count in group
OS ID                     Agent count online by OS




OS ID                     Agent count with OS
                          Count of agents who have the
                          group’s profile
                          Total count of agents
Group GUID                Agent count with latest profile
Group GUID                Agent count per group
OS ID                     Agent count with latest profile by
                          OS

OS ID                     Agent count by OS
Pattern GUID – key into   Agent count per pattern (virus
PATTERN table             definition version)

								
To top