Looking for client log files I had to do a bunch of digging.  This is what I’ve concluded (for now).

C:\Windows\Temp\ (technically the System Temp folder)

  • MpCmdRun.log
  • MpSigStub.log

C:\ProgramData\Microsoft\Microsoft Security Client\Support (technically the %ProgramData%\Microsoft\Microsoft Security Client\Support folder)

  • EppSetup.log
  • EppSetup_#.log
  • MSSecurityClient_Setup_<version>_epp_install.log
  • MSSecurityClient_Setup_<version>_epp_uninstall.log
  • MSSecurityClient_Setup_<version>_eppManagement_install.log
  • MSSecurityClient_Setup_<version>_eppManagement_uninstall.log
  • MSSecurityClient_Setup_<version>_FEP_install.log

C:\Windows\CCM\logs (technically the <SCCM Client location>\logs folder; the client location can be discovered at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS\Client\Configuration\Client Properties\Local SMS Path)

  • EndpointProtectionAgent.log
  • UpdatesDeployment.log (for definition updates)
  • UpdatesHandler.log (for definition updates)
  • UpdatesStore.log (for definition updates)
  • UpdateStore.log (for definition updates)
  • WUAHandler.log (for definition updates)

C:\Windows (technically the %windir% folder)

  • WindowsUpdate.log (for definition updates)
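
To check which of the client logs above actually exist on a machine (for example when collecting evidence after a detection or a failed definition update), the locations can be resolved and inventoried in one pass. This PowerShell script is an added example, not part of the original post; it assumes `Local SMS Path` is a value under the `Client Properties` key and falls back to `%windir%\CCM` when the value is missing.

```powershell
# Added example: inventory the SCEP client logs listed in the post on the local machine.

# Resolve the SCCM client folder from the registry location named in the post.
$ccmKey  = 'HKLM:\SOFTWARE\Microsoft\SMS\Client\Configuration\Client Properties'
$ccmRoot = (Get-ItemProperty -Path $ccmKey -Name 'Local SMS Path' -ErrorAction SilentlyContinue).'Local SMS Path'
if (-not $ccmRoot) {
    # Assumption: default client location, matching the C:\Windows\CCM path in the post.
    $ccmRoot = Join-Path $env:windir 'CCM'
}

# Folder -> file names from the post. Wildcards cover EppSetup_#.log and the
# MSSecurityClient_Setup_<version>_*.log family.
$targets = @(
    @{ Dir = (Join-Path $env:windir 'Temp')
       Patterns = 'MpCmdRun.log', 'MpSigStub.log' }
    @{ Dir = (Join-Path $env:ProgramData 'Microsoft\Microsoft Security Client\Support')
       Patterns = 'EppSetup*.log', 'MSSecurityClient_Setup_*.log' }
    @{ Dir = (Join-Path $ccmRoot 'logs')
       Patterns = 'EndpointProtectionAgent.log', 'UpdatesDeployment.log', 'UpdatesHandler.log',
                  'UpdatesStore.log', 'UpdateStore.log', 'WUAHandler.log' }
    @{ Dir = $env:windir
       Patterns = 'WindowsUpdate.log' }
)

$report = foreach ($t in $targets) {
    foreach ($p in $t.Patterns) {
        $found = @(Get-ChildItem -Path (Join-Path $t.Dir $p) -File -ErrorAction SilentlyContinue)
        if ($found.Count -eq 0) {
            # Record the miss so absent logs are visible in the report too.
            [pscustomobject]@{ Path = (Join-Path $t.Dir $p); Present = $false; SizeKB = $null; LastWrite = $null }
        }
        foreach ($f in $found) {
            [pscustomobject]@{
                Path      = $f.FullName
                Present   = $true
                SizeKB    = [math]::Round($f.Length / 1KB, 1)
                LastWrite = $f.LastWriteTime
            }
        }
    }
}

$report | Sort-Object Path | Format-Table -AutoSize
```

Run it from an elevated prompt so the System Temp folder can be listed; a stale `LastWrite` on the definition-update logs is a quick sign that the client has stopped updating.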

The Technical Reference for Log Files in Configuration Manager lists these server side files:

  • EPCtrlMgr.log
  • EPMgr.log
  • EPSetup.log
  • NotiCtrl.log

This product has a few different names depending on the version and where you look in the application and logs.  Here are a few alternative names:

  • Microsoft System Center Endpoint Protection (the product GUI)
  • SCEP (just the acronym)
  • Microsoft Endpoint Protection (as seen in WSUS definitions)
  • Microsoft System Center Configuration Manager Endpoint Protection
  • Microsoft Configuration Manager Endpoint Protection (as seen in some product documentation)
  • Microsoft Security Client (as seen in the software’s folder structure)
  • Microsoft Antimalware Client (as seen in the software’s folder structure)
  • Microsoft Security Essentials
  • Microsoft Forefront Endpoint Protection 2010 Client (as seen in WSUS products…  technically this is the old version but it is still there)

Thanks to a few other bloggers for getting me started

SCEP 2012 client log files