Symantec DCS Policy Utility v1.0.0.11 for Windows (note: .NET Framework 4.5 is required)
Designed to help you tune your policy by processing the log files from an Agent.
There is a Getting Started tab that explains the recommended steps for collecting the logs and events you need to troubleshoot your policy.
The program does not make any changes to the machine or policy. It parses the sisidsevents and sisrtevents log files.
How does the utility work for the real time events?
The utility parses the log file and builds an id for each event from its policy id, process path, target, sandbox, network source/destination (IP and port), and module. It uses that id to remove duplicate events.
After loading and parsing finish, it displays a grid view of the events, filtered to unique events only and multi-column sorted on policy id, then sandbox, then type, then process, then target, then module.
What to search for
If prevention is disabled, search for [EVENT_TYPE]=Warning,[DISPOSITION]=Allowed
If prevention is enabled, search for [DISPOSITION]=Denied
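The following is an added example, not code from the utility or from Symantec, showing the de-duplication and sort described under "How does the utility work" together with the two search patterns listed above. The record layout ([KEY]=value pairs separated by commas), the field names SRC and DST, the sandbox and policy names, and the event type "Info" are all constructed for illustration; the real sisrtevents layout may differ.

```python
"""Added example: de-duplicate, sort and filter DCS real-time events.

Not the utility's own code.  The [KEY]=value,[KEY]=value record layout and the
sample values below are constructed for illustration only.
"""
import re
from typing import Dict, List, Tuple

# One [KEY]=value pair; the value runs up to the next ",[" or the end of line,
# so paths containing commas are tolerated as long as they never contain ",[".
_FIELD_RE = re.compile(r"\[([A-Z_]+)\]=(.*?)(?=,\[|$)")

# Fields that make two events "the same" (policy id, process path, target,
# sandbox, network src/dst, module), mirroring the description in the text.
DEDUPE_FIELDS = ("POLICY_ID", "PROCESS", "TARGET", "SANDBOX", "SRC", "DST", "MODULE")

# Multi-column sort order for the grid view, as described in the text.
SORT_FIELDS = ("POLICY_ID", "SANDBOX", "EVENT_TYPE", "PROCESS", "TARGET", "MODULE")

# Constructed sample log: five records, the first two being exact duplicates.
# Policy/sandbox names, SRC/DST fields and the "Info" type are made up here.
SAMPLE_LOG = r"""
[POLICY_ID]=policy_A,[SANDBOX]=sbx_default,[EVENT_TYPE]=Warning,[DISPOSITION]=Allowed,[PROCESS]=C:\Windows\System32\svchost.exe,[TARGET]=C:\Windows\Temp\a.tmp,[MODULE]=FileRule,[SRC]=,[DST]=
[POLICY_ID]=policy_A,[SANDBOX]=sbx_default,[EVENT_TYPE]=Warning,[DISPOSITION]=Allowed,[PROCESS]=C:\Windows\System32\svchost.exe,[TARGET]=C:\Windows\Temp\a.tmp,[MODULE]=FileRule,[SRC]=,[DST]=
[POLICY_ID]=policy_A,[SANDBOX]=sbx_default,[EVENT_TYPE]=Warning,[DISPOSITION]=Allowed,[PROCESS]=C:\Windows\System32\svchost.exe,[TARGET]=C:\Windows\Temp\b.tmp,[MODULE]=FileRule,[SRC]=,[DST]=
[POLICY_ID]=policy_A,[SANDBOX]=sbx_browser,[EVENT_TYPE]=Warning,[DISPOSITION]=Denied,[PROCESS]=C:\Program Files\Browser\browser.exe,[TARGET]=outbound,[MODULE]=NetworkRule,[SRC]=10.0.0.5:51000,[DST]=192.0.2.10:443
[POLICY_ID]=policy_A,[SANDBOX]=sbx_default,[EVENT_TYPE]=Info,[DISPOSITION]=Allowed,[PROCESS]=C:\Windows\explorer.exe,[TARGET]=C:\Users\Public\notes.txt,[MODULE]=FileRule,[SRC]=,[DST]=
"""


def parse_line(line: str) -> Dict[str, str]:
    """Turn one [KEY]=value,... record into a dict; absent fields stay absent."""
    return {key: value for key, value in _FIELD_RE.findall(line)}


def parse_log(text: str) -> List[Dict[str, str]]:
    """Parse every non-blank line of a log dump."""
    return [parse_line(ln) for ln in text.splitlines() if ln.strip()]


def event_key(ev: Dict[str, str]) -> Tuple[str, ...]:
    """Identity used to collapse repeats; missing fields compare as empty."""
    return tuple(ev.get(f, "") for f in DEDUPE_FIELDS)


def dedupe(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Keep the first occurrence of each event identity, preserving input order."""
    seen: Dict[Tuple[str, ...], Dict[str, str]] = {}
    for ev in events:
        seen.setdefault(event_key(ev), ev)
    return list(seen.values())


def sort_for_grid(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Multi-column sort: policy id, sandbox, type, process, target, module."""
    return sorted(events, key=lambda ev: tuple(ev.get(f, "") for f in SORT_FIELDS))


def tuning_candidates(events: List[Dict[str, str]], prevention_enabled: bool) -> List[Dict[str, str]]:
    """Apply the two searches from the text: Warning/Allowed when prevention is
    disabled, Denied when prevention is enabled."""
    if prevention_enabled:
        return [ev for ev in events if ev.get("DISPOSITION") == "Denied"]
    return [
        ev for ev in events
        if ev.get("EVENT_TYPE") == "Warning" and ev.get("DISPOSITION") == "Allowed"
    ]


if __name__ == "__main__":
    unique = sort_for_grid(dedupe(parse_log(SAMPLE_LOG)))
    print(f"{len(unique)} unique events")
    for ev in tuning_candidates(unique, prevention_enabled=False):
        print("review:", ev["SANDBOX"], ev["PROCESS"], "->", ev["TARGET"])
```

The composite key is what keeps a noisy agent log manageable: thousands of repeated hits on the same process/target pair collapse to one row, while a change in any one key field (a different target file, a different destination port) still produces a distinct row to review.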
This utility includes cmdmatch.exe to help test argument matching in policies.
v1.0.0.10 - Adds the test option to the Argument Match Utility, and adds support for the "?" character in IDS Windows Event Argument Testing
v1.0.0.11 - Clarifies the use of wildcards and ? in Windows Event Argument Testing