Endpoint Protection

Is it possible to determine exactly what files are being scanned by SEP in real-time?

I'm using process monitor with a filter set to show only activity from rtvscan.exe but I'm not getting much other than a bunch of registry activity.

There is an option in SEP under Antivirus and Antispyware Protection >> Options >> View File System Auto-Protect Statistics. This appears to be Ok but I would prefer something I could save to a file and drop into Excel and go from there.

Running SEP RU6 MP3. Curious to see if anyone has done anything with this.

Any help would be appreciated.

enabling vpdebug will help in this case.

http://www.symantec.com/business/support/index?page=content&id=TECH102939

the log will show waht files have been scanned .

As Pete already mentioned, the best for you would be to use VPdebug.

Keep in mind as well that ProcessMonitor require some modifications to capture Auto-Protect events (see http://www.symantec.com/docs/TECH98079 for more details).

Is there a particular string within vpdebug to look for?  I see a ton of info but nothing referring to the scanning of files.

You should see lines like this:

Thumbs up to John Q.

You should be looking for entry like

Processing file  

Been running for over an hour and there is nothing with "processing" in the string