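# Lookup tables for Symantec AntiVirus Corporate Edition (SAV CE) log fields.
# Each inner table maps a raw numeric code, as it appears in the log, to a
# human-readable label. The "LI ..." names in the comments are the vendor's
# log-item identifiers. Keys are the codes; values are display labels only.
# The file was previously collapsed onto a few lines, which let each "#"
# comment swallow the entries that followed it; it is now one entry per line.
symantec = {
  symantec_anti_virus_corporate_edition = {
    # rewrite_rules_version = "1.0"

    # LI EVENT: event number. Most entries are routine scan/licence activity;
    # the ones whose labels describe loss of protection or control-channel
    # trouble (33 and 54 unauthorized comm, 39/40 bad definitions, 52 login
    # failed, 64 client no check-in) are the usual alerting candidates.
    event = {
      1 = "Is Alert"
      2 = "Scan Stop"
      3 = "Scan Start"
      4 = "Pattern Update"
      5 = "Infection"
      6 = "File Not Open"
      7 = "Load Pattern"
      8 = "//Gl Std Message Info Not Used"
      9 = "//Gl Std Message Error Not Used"
      10 = "Checksum"
      11 = "Trap"
      12 = "Config Change"
      13 = "Shutdown"
      14 = "Startup"
      # 15 is not defined upstream; left out deliberately.
      16 = "Pattern Download"
      17 = "Too Many Viruses"
      18 = "Fwd To Qserver"
      19 = "Scandlvr"
      20 = "Backup"
      21 = "Scan Abort"
      22 = "Rts Load Error"
      23 = "Rts Load"
      24 = "Rts Unload"
      25 = "Remove Client"
      26 = "Scan Delayed"
      27 = "Scan Restart"
      28 = "Add Savroamclient Toserver"
      29 = "Remove Savroamclient Fromserver"
      30 = "License Warning"
      31 = "License Error"
      32 = "License Grace"
      33 = "Unauthorized Comm"
      34 = "Log Fwd Thrd Err"
      35 = "License Installed"
      36 = "License Allocated"
      37 = "License Ok"
      38 = "License Deallocated"
      39 = "Bad Defs Rollback"
      40 = "Bad Defs Unprotected"
      41 = "Sav Provider Parsing Error"
      42 = "Rts Error"
      43 = "Compliance Fail"
      44 = "Compliance Success"
      45 = "Security Symprotect Policyviolation"
      46 = "Anomaly Start"
      47 = "Detection Action Taken"
      48 = "Remediation Action Pending"
      49 = "Remediation Action Failed"
      50 = "Remediation Action Successful"
      51 = "Anomaly Finish"
      52 = "Comms Login Failed"
      53 = "Comms Login Success"
      54 = "Comms Unauthorized Comm"
      55 = "Client Install Av"
      56 = "Client Install Fw"
      57 = "Client Uninstall"
      58 = "Client Uninstall Rollback"
      59 = "Comms Server Group Root Cert Issue"
      60 = "Comms Server Cert Issue"
      61 = "Comms Trusted Root Change"
      62 = "Comms Server Cert Startup Failed"
      63 = "Client Checkin"
      64 = "Client No Checkin"
      65 = "Scan Suspended"
      66 = "Scan Resumed"
      67 = "Scan Duration Insufficient"
      68 = "Client Move"
      69 = "Scan Failed Enhanced"
      # Sentinel value, not a real event.
      70 = "Max Event Number"
    } # event

    # LI CAT: category number
    category = {
      1 = "Infection"
      2 = "Summary"
      3 = "Pattern"
      4 = "Security"
    } # category

    # LI LOGGER: which component logged the event.
    # The six large codes each equal (n << 16) + 101, e.g. 65637 = 1 * 65536
    # + 101 ("Manual" seen via a client), 131173 = 2 * 65536 + 101
    # ("Realtime" via a client). That decomposition is derived from the
    # values themselves, not from vendor documentation -- confirm before
    # relying on it.
    logger = {
      0 = "Scheduled"
      1 = "Manual"
      2 = "Realtime"
      6 = "Console"
      7 = "VPDOWN"
      8 = "System"
      9 = "Startup"
      101 = "Client - the event was received from a client"
      102 = "Forwarded - the event was received (forwarded) from another server"
      65637 = "Manual"
      131173 = "Realtime"
      524389 = "System"
      393317 = "Console"
      720997 = "Defwatch"
      6619237 = "Client"
    } # logger

    # LI ACTION1: configured primary action (Virus Found event only)
    primary_action = {
      1 = "Quarantine infected file"
      2 = "Rename infected file"
      3 = "Delete infected file"
      4 = "Leave alone (log only)"
      5 = "Clean virus from file"
      6 = "Clean or delete macros"
    } # primary_action

    # LI ACTION2: configured secondary action (Virus Found event only);
    # same code space as primary_action
    secondary_action = {
      1 = "Quarantine infected file"
      2 = "Rename infected file"
      3 = "Delete infected file"
      4 = "Leave alone (log only)"
      5 = "Clean virus from file"
      6 = "Clean or delete macros"
    } # secondary_action

    # LI ACTION0: action actually taken (Virus Found event only). Going by the
    # labels, codes 4, 12, 14 and 15 describe a detection that was NOT
    # remediated (left alone, permission failure, pending, partial) and are
    # worth separating from the success codes when building alerts.
    action_taken = {
      1 = "Quarantined"
      2 = "Renamed"
      3 = "Deleted"
      4 = "Left alone"
      5 = "Cleaned"
      6 = "Cleaned or Macros Deleted"
      8 = "Sent to Intel (AMS)"
      9 = "Moved to backup location"
      10 = "Renamed backup file"
      11 = "Undo action in Quarantine View"
      12 = "Write protected or lack of permissions - Unable to act on file"
      13 = "Backed up file"
      14 = "Pending analysis"
      15 = "First action was partially successful; second action was Leave Alone. Results of the second action are not mentioned."
      16 = "A process needs to be terminated to remove a risk"
      17 = "Prevent a risk from being loggged or a user interface from being displayed"
      18 = "Performing a request to restart the computer"
      19 = "The only way to clean the file is to delete it (as with Trojan horses)"
      20 = "Auto-Protect prevented a file from being created; reported 'Access denied'"
    } # action_taken

    # LI VIRUSTYPE: threat type (Virus Found event only). The vendor lists
    # these in hex; the keys here are the same values written in decimal
    # (256 = 0x100, 65536 = 0x10000, 16777216 = 0x1000000). The 16..192 block
    # covers non-viral security risks rather than viruses.
    virus_type = {
      1 = "Boot virus"
      3 = "Boot1 Virus"
      5 = "Boot2 Virus"
      9 = "Boot3 Virus"
      256 = "File virus"
      768 = "Mutation virus"
      1280 = "File macro virus"
      2304 = "File2 Virus"
      4352 = "File3 Virus"
      65536 = "Memory virus"
      196608 = "Mem os virus"
      327680 = "mem mcb virus"
      589824 = "Mem highest virus"
      16777216 = "Virus behavior"
      50331648 = "Virus1 Behavior"
      134217728 = "File compressed"
      268435456 = "Huristic"
      16 = "non viral malicious"
      32 = "reserved malicious"
      48 = "heuristic"
      64 = "security risk on"
      80 = "hacker tools"
      96 = "spyware"
      112 = "trackware"
      128 = "dialers"
      144 = "remote access"
      160 = "adware"
      176 = "joke programs"
      192 = "security risk off"
    } # virus_type

    # LI_FLAGS: what kind of event block this is. Single-bit values except
    # 4095 (0xFFF) and 4190208 (0x3FF000), which are masks. Two flags are
    # kept in both hex and decimal spelling, as upstream had them, because it
    # is not established here which form the log emits.
    flags = {
      4194304 = "access denied"
      8388608 = "report"
      16777216 = "log"
      33554432 = "real client"
      67108864 = "first item"
      134217728 = "last item"
      0x10000000 = "no log (listed in hex)"
      268435456 = "no log (listed in hex)"
      0x20000000 = "from client (listed in hex)"
      536870912 = "from client (listed in hex)"
      4095 = "fa overlays"
      4190208 = "n overlays"
    } # flags

    # Quarantine outcome; 1 means the quarantine attempt failed.
    quarantine_status = {
      0 = "None"
      1 = "Failed"
      2 = "OK"
    } # quarantine_status

    # LI ACCESS: "operation flags" bit field; the vendor notes it is almost
    # always 0. 12288 is the combination 8192 | 4096, not a single bit.
    operation_flags = {
      1 = "read"
      2 = "write"
      4 = "exec"
      8 = "in table"
      16 = "reject action"
      32 = "action complete"
      64 = "delete when complete"
      128 = "client request"
      256 = "owned by user"
      512 = "delete"
      2048 = "owned by queue"
      4096 = "file in cache"
      8192 = "get trap data"
      12288 = "use trap data"
      65536 = "file needs scan"
      131072 = "before open"
      262144 = "after open"
      524288 = "scan boot sector"
      268435456 = "coming from navap"
      536870912 = "backup to quarantine"
    } # operation_flags

    # LI_COMPRESSED: whether the file is, or is inside, a compressed container
    compressed = {
      0 = "no"
      1 = "yes"
    } # compressed

    # LI CLEANINFO: whether the file is cleanable
    cleanable = {
      0 = "Cleanable"
      1 = "No Clean Pattern"
      2 = "Not Cleanable"
    } # cleanable

    # LI DELETEINFO: whether the file can be deleted
    deletable = {
      4 = "Deletable"
      5 = "Not Deletable"
    } # deletable

    # LI STILL INFECTED: number of files in a compressed container still
    # infected after a manual or scheduled scan. Only 0 is labelled; any
    # other value is a raw count and should be treated as "still infected".
    still_infected = {
      0 = "none"
    } # still_infected
  } # symantec_anti_virus_corporate_edition
} # symantec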