Application and Device Control logs and quick reports

Application and Device Control logs and quick reports contain information about events where some type of behavior was blocked. Information includes items such as event times and types, actions taken, domains, hosts, rules, and caller processes.
Information is collected about application control and Tamper Protection, and about the hardware behavior and the software behavior that the Device Control technology detects.
Two log entries might appear in the Control log for a single event. For example, two entries might appear if an application reads and then tries to write a file. Two entries also appear if an application writes and then tries to delete a file. Also, the events that appear in the Control log might show a file size as 0 bytes rather than the actual file size. Typically, the file size appears as 0 bytes when the application control rule triggers before a process creates or writes a file.
Additional filter options for the Application Control log and report and the Device Control log and report
  • Severity
  • Event type
  • Operating system
  • Site
  • Domain
  • Group
  • Server
  • Computer
  • User
  • IP address

Option: Test mode
Description: Displays the events based on the mode that the policy is set to. Click Yes for Test (log only) mode and No for Production mode. No displays only information about the computers that are in Production mode and not in Test (log only) mode. This option is available only for the Application Control log.

Option: Action
Description: Specifies the type of action that you want to view information about. For example, you can select Block or Continue. This option is available only for the Application Control log.

Option: File size
Description: Specifies the size of the file that application control detected. You can choose to view information about all the files or only files that are less than or greater than the specified size.

Option: Caller process
Description: Displays the process or application that triggers the event. For example, suppose that you create a rule to block programs from writing to a folder. If you then try to save a document to that folder, an event is logged where winword.exe is the caller process. You can use the wildcard character question mark (?), which matches any one character, and the asterisk (*), which matches any string of characters. You can also use a comma-separated list as input. This option is available only for the Application Control log.
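As an added illustration of the filter semantics described above (this is example code written for this page, not part of the original documentation and not Symantec code), the following Python applies the caller-process wildcards (? for one character, * for any string, comma-separated lists where any pattern may match) together with the Test mode, Action and File size filters to a few constructed Application Control events. The ControlEvent fields, the function names and the sample event values are assumptions made for the example; it also flags 0-byte entries, which the text explains usually mean the rule fired before the file was created or written.

```python
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class ControlEvent:
    # Field names are assumptions for this example, modelled on the columns the text lists.
    event_time: str
    event_type: str
    action: str           # "Block" or "Continue"
    test_mode: bool       # True when the policy was in Test (log only) mode
    caller_process: str   # process that triggered the rule, e.g. winword.exe
    target: str
    file_size: int        # bytes; 0 when the rule fired before the file was created or written


def wildcard_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate the console wildcards into an anchored, case-insensitive regex:
    '?' matches exactly one character, '*' matches any string (including empty)."""
    out = []
    for ch in pattern.strip():
        if ch == "?":
            out.append(".")
        elif ch == "*":
            out.append(".*")
        else:
            out.append(re.escape(ch))
    return re.compile("^" + "".join(out) + "$", re.IGNORECASE)


def caller_matches(caller: str, filter_text: str) -> bool:
    """A comma-separated filter is a list of patterns; the event matches if any
    one of them matches. An empty filter matches everything (field left blank)."""
    patterns = [p.strip() for p in filter_text.split(",") if p.strip()]
    if not patterns:
        return True
    return any(wildcard_to_regex(p).match(caller) for p in patterns)


def filter_events(events: List[ControlEvent],
                  caller_filter: str = "",
                  action: Optional[str] = None,
                  test_mode: Optional[bool] = None,
                  size_op: Optional[str] = None,
                  size_bytes: Optional[int] = None) -> List[ControlEvent]:
    """Apply the log-window filters: Caller process, Action, Test mode (Yes/No)
    and File size ("lt" / "gt" a threshold). None means the filter is not set."""
    if size_op is not None and size_bytes is None:
        raise ValueError("size_op requires size_bytes")
    result = []
    for ev in events:
        if not caller_matches(ev.caller_process, caller_filter):
            continue
        if action is not None and ev.action != action:
            continue
        if test_mode is not None and ev.test_mode != test_mode:
            continue
        if size_op == "lt" and not ev.file_size < size_bytes:
            continue
        if size_op == "gt" and not ev.file_size > size_bytes:
            continue
        result.append(ev)
    return result


def zero_size_events(events: List[ControlEvent]) -> List[ControlEvent]:
    """Entries logged with a 0-byte size: typically the rule triggered before the
    process created or wrote the file, so the size is not the real file size."""
    return [ev for ev in events if ev.file_size == 0]


# Constructed sample events (not real log data). The first two show the
# read-then-write pair the text mentions being logged as two entries.
SAMPLE_EVENTS = [
    ControlEvent("2024-01-01 09:00:01", "File Read", "Continue", False,
                 "winword.exe", r"C:\Protected\report.docx", 24576),
    ControlEvent("2024-01-01 09:00:01", "File Write", "Block", False,
                 "winword.exe", r"C:\Protected\report.docx", 0),
    ControlEvent("2024-01-01 09:05:10", "File Delete", "Block", True,
                 "explorer.exe", r"C:\Protected\old.docx", 10240),
    ControlEvent("2024-01-01 09:07:33", "Registry Write", "Block", False,
                 "setup-tool.exe", r"HKLM\Software\Example", 0),
    ControlEvent("2024-01-01 09:09:00", "Process Launch", "Block", False,
                 "cmd.exe", r"C:\Temp\run.bat", 512),
]


if __name__ == "__main__":
    blocked_prod = filter_events(SAMPLE_EVENTS, caller_filter="w*.exe, cmd.exe",
                                 action="Block", test_mode=False)
    for ev in blocked_prod:
        print(ev.event_time, ev.caller_process, ev.event_type, ev.target)
    print("0-byte entries:", len(zero_size_events(SAMPLE_EVENTS)))
```

Running the block prints the production-mode Block events whose caller matches either pattern, and reports how many entries carry the 0-byte size that should not be read as a real file size.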
The table Options in the Application and Device Control log window describes the options that are available in the log window after you view one of the logs.

Options in the Application and Device Control log window

Option: Action
Description: To add the selected process to the Exceptions policy so that the client does not scan it, click Add Process to Exception Policy, and then click Start.
Application and Device Control quick reports types
Option: Top Groups With Most Alerted Application Control Logs
Description: Specifies the minimum severity level of the events that you want to view. The setting filters the display to show only the specified severity level and above. For example, if you select Major, both the major and the critical events appear.

Option: Top Targets Blocked
Description: This option is available only for the Top Groups With Most Alerted Application Control Logs report and the Top Targets Blocked report.

Option: Top Devices Blocked
Description: This option is available only for the Top Devices Blocked report.