Some notes from our Lab.
1. When you create a blacklist policy for a file using its MD5 hash value, the hash value is added to the ATP Blacklisted file on Symantec Endpoint Protection Manager.
1.1. If you want to see the contents of that list just export it from SEPM , and open it with notepad.exe or another tool for .txt
2. Application and Device Control Logs : You can see here any System LockDown event and the caller process name but not specifically per File Fingerprint List
3. SHA256 blacklist will have another behaviour.