Your AV is Trying to Tell You Something: process.log

Client Management Control Log

The process log contains client activities that occured on the endpoint. The types of events the process log reports on are application control driver, application control rules, or tamper protect. There is little difference from the actual log and the Windows client. The process log is one of the more human readable logs.

Control Log File Format

The control log for SEP can be found at the following location: C:\ProgramData\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\Logs\processlog.log

Header

Field	Type	Size	Description
Log Type	hex	8	Always 00000004
Max Log Size	hex	8	Maximum log file size in bytes
Unknown	hex	8	?
Number of Entries	hex	8	Number of entries in log
Unknown	hex	8	?
Running Total Entries	hex	16	Total number of events generated
Max Log Days	hex	8	Maximun days to save log entries

Log Entries

The log is in TSV format, meaning, each field is separated by a tab character.

Field	Type	Size	Description
Entry Length	hex	3	Length of log entry
Date and Time	Windows: 64 bit Hex Value - Big Endian	16	The time of the generated event (GMT).
Event ID	hex	3	An event ID from the sending agent: 501 = Application Control Driver 502 = Application Control Rules 999 = Tamper Protection
Severity	int	1	The seriousness of the event 0 is most serious.
Action	int	1	The action that was taken: 0 = allow 1 = block 2 = ask 3 = continue 4 = terminate
Test Mode	int	1	Was this rule run in test mode? 0 = No, Else = Yes
Description	nvarchar	8000	The behavior that was blocked. Because of a character limit, actual values may be longer than the values that are displayed in Symantec Endpoint Protection Manager. You can verify the full text on the client that reports this data.
API	nvarchar	512	The API that was blocked.
Unknown	hex	16	Will require further investigation as to the purpose of this log entry.
Begin Time	Windows: 64 bit Hex Value - Big Endian	16	The start time of the security issue.
End Time	Windows: 64 bit Hex Value - Big Endian	16	The end time of the security issue. This field is an optional field because the exact end time of traffic may not be detected; for example, as with UDP traffic. If the end time is not detected, it is set to equal the start time.
Rule Name	nvarchar	512	The name of the rule that was triggered by the event. If the rule name is not specified in the security rule, then this field is empty. Having the rule name can be useful for troubleshooting.
Caller Process ID	hex	4	The ID of the process that triggers the logging.
Caller Process	nvarchar	512	The full path name of the application involved. It may be empty if the application is unknown, or if OS itself is involved, or if no application is involved. Also, it may be empty if profile says, "don't log application name in raw traffic log".
Unknown	int	1	Will require further investigation as to the purpose of this log entry.
Caller Return Module Name	nvarchar	512	The module name of the caller. See CallerReturnAddress for more information.
Target	nvarchar	?	Name of file
Location	nvarchar	512	The location used when the event occured.
User	nvarchar	512	The logon user name.
User Domain	nvarchar	512	The logon (Windows) domain name.
Unknown	int	1	Will require further investigation as to the purpose of this log entry.
Unknown	int	1	Will require further investigation as to the purpose of this log entry.
IPV4 Address	hex	8	The IP address of the computer associated with the application control violation.
Device Instance ID	varchar	256	The GUID of an external device (floppy disk, DVD, USB device, etc.).
File Size	hex	2	The size of the file associated with the application control violation, in bytes.
Unknown	hex	8	Will require further investigation as to the purpose of this log entry.
IPV6 Address	hex	32	The IP address of the computer associated with the application control violation. (IPV6)