Endpoint Protection

Good day dears,

I've setup sepm v14 according to this article Using Application and Device Control in Symantec Endpoint Protection (SEP) to block activity in common loading points for threats - https://support.symantec.com/en_US/article.TECH96766.html and receive logs regarding the policy.

But there is no parameter in the logs. Accordint to mentioned article:

"Parameter: What was the process trying to touch? "

How can I get this "parameter" shown in logs?

Thank you in advance.

There is a 'caller process' and 'target' field that should be reviewed.

Thank you Brian,

But how can I find (investigate) which file/registry value was created or written to by the "caller process" in the "target" directory?

Guys any additional suggestions?

This is very strange, because the mentioned parameter has been shown in the manual, but is absend in log

Exact SEPM version is?

May need to open a support case.

SEPM version 14

There are multiple versions of 14. Which one exactly?

The exact version is Version 14.0.1 (14.0 RU1 MP1) build 3897 (14.0.3897.1101)

Can the cause of the mentioned issue be the version of SEPM?

Maybe a known issues fixed in 14.2, that was just released:

http://www.symantec.com/docs/INFO5072

ADC policy truncates log data

Fix ID: 4131794

Symptoms: An Application and Device Control log is missing data or truncates items that are expected to be there.

Solution: Change Application Control log codes to only treat "*" as a special character if that description string came from internal codes.

Thank you for your reply Brian!

Update will take a time to implement. How can I "Change Application Control log codes to only treat "*" as a special character if that description string came from internal codes." as described in your post?

This was a fix in the latest release. Requires a product upgrade to implement.