Still very likely that symantec is the cause here. Here's how I helped another customer prove AV:
1. Find a file or directory of files on the file system
2. Run the following command on that file: fsutil usn readdata <file>
Example: C:\temp> fsutil usn readdata SIDBEngine.log
3. Record the USN
4. Run a scan over the file using your AV product
5. Check the USN again by using the fsutil function and see if the USN has changed.
Also, if the files NTFS permissions get changed, that can also cause a USN change as well - had another customer that was running scripts to change permissions etc.