Sid_F asked:

symantec protection manager 12 search applications

With a default install of SEP 12, what application information can I get from machines that have SEP installed? Do the clients report all applications straight off, or do I need to put an application on monitor first? I'd like to get some direct feedback on this as opposed to links to other forums.
btan:

The Windows Symantec Endpoint Protection client monitors and collects information about the applications and the services that run on each computer. You can configure the client to collect the information in a list and send the list to the management server. The list of applications and their characteristics is called learned applications. That is the list of applications that the SEP agent gathered on that target.

I see it more as the agent learning the software installed on SEP client machines. Independently running exe processes (not installed, or portable applications) may not be part of the learned applications.

After the management server receives the list of applications from the clients, you can run queries to find out details about the applications. For example, you can find all the client computers that use an unauthorized application. You can then create a firewall rule to block the application on the client computer. Or you may want to upgrade all the client computers to use the most current version of Microsoft Word. You can use the Search for Applications task from any type of policy.

Searching for information about the applications that the computers run
http://www.symantec.com/business/support/index?page=content&id=HOWTO80931

To enable learned applications for a site, you need to go into Site Properties for site name dialog box, on the General tab, check Keep track of every application that the clients run. After you have enabled a site to collect the lists of learned applications from the clients, you enable the clients to send the lists to the server by group or by location.
Note: The client must have the Network Threat Protection module installed for this feature to work.
http://www.symantec.com/business/support/index?page=content&id=TECH102994
Sid_F (asker):

Does the list of learned applications include all applications installed on the machine, or only applications that cause network traffic? In other words, can I pick up what Office version is running?
btan:

It should for learned applications.

http://www.symantec.com/business/support/index?page=content&id=TECH134367

A SEP client with Application Learning enabled will track each and every application running on it and forward this information to the SEPM. The SEPM processes this data and inserts parts of it into two different database tables: COMPUTER_APPLICATION and SEM_APPLICATION. The SEM_APPLICATION table is essentially a list of all learned applications (file hash, executable file name, file path, file size, version etc). The COMPUTER_APPLICATION table contains data on the “who”, ”what”, and “when” of Learned Applications. Essentially it is a list of when what machines encountered what applications.

But it may not be intuitive, as it is more alluding to the product name; please see the screen capture below, in which they use "log only" for endpoint application inspection.

http://www.symantec.com/business/support/index?page=content&id=TECH203266
Sid_F (asker):

Ok, the bit that is confusing me is: if SEP learns applications and publishes back to SEPM, why would I need to add the application as an exception to monitor?
btan:

Indeed, it is not really an "exception" as we expected. But apparently Symantec best practice states it should be an informed decision by the user, as it is not supposed to be for permanent and wide deployment purposes.

The more systems forwarding learned application data, and the larger variety of applications run in an environment, the more information has to be temporarily stored, then processed by the SEPM. This can generate higher wait times on other SEP client data such as Operational State data, or security log data. In very busy environments, this can generate CPU or memory issues for already under-resourced SEPMs.

My own view is that a centralised service tends to be loaded, and if all clients have their learned applications and services monitored by default, this inadvertently leads to denial of service. I am thinking of a scenario with an infected client; this has greater ripple effects too. Let's say a client is infected and not "detected" (in time) by the SEP agent, and with application monitoring enabled, the application or service can be malicious and spawn lots of "itself" (maybe several copies, probably with different filenames, with exact content copies or slight changes to skip signature detection).

Admins need to be aware of what they really want to monitor, to be informed and savvy about the performance latency if it is significant, especially for servers compared to client machines.
Sid_F (asker):

I still seem to be missing something. My client machine has Microsoft Office; when I look at the list of applications for this machine on SEPM I can see several pages of information but nothing that mentions Office. Could this be that it only picks up recently accessed applications, or is there something else happening?
Sid_F (asker):

I also notice that despite adding an exception to monitor an application, "notepad.exe", I can't seem to find any logs relating to activity on client machines.

btan:

Need to make sure there is no conflicting rule that will implicate the application monitor exception.
The Exceptions policy includes a SONAR file path exception to prevent SONAR code injection into the specified application. SONAR does not inject code into applications on Symantec Endpoint Protection 12.1 or earlier clients. If you use Symantec Endpoint Protection Manager 12.1.2 to manage clients, a SONAR file exception in an Exceptions policy is ignored on your legacy clients. If you use a legacy Symantec Endpoint Protection Manager to manage clients, the legacy policy does not support SONAR file exceptions for your Symantec Endpoint Protection 12.1.2 clients.

Unlike a file name exception, an application exception is a hash-based exception. Different files can have the same name, but a file hash uniquely identifies an application.

The application exception is a SHA-2 hash-based exception. Legacy exceptions for TruScan proactive threat scans appear as SHA-1 hash-based exceptions. Legacy clients support SHA-1 exceptions only. The file fingerprint in the exceptions list is preceded by a 2 or a 1 respectively to indicate the file hash type.

If it is really learned, you can use a query tool to search for the list of applications that the client computers run. You can search on application-based criteria or computer-based criteria.

To specify how Symantec Endpoint Protection handles monitored applications

On the Exceptions Policy page, click Exceptions.

Click Add > Windows Exceptions > Application.

In the View drop-down list, select All, Watched Applications, or User-allowed Applications.

Select the applications for which you want to create an exception.

In the Action drop-down box, select Ignore, Log only, Quarantine, Terminate, or Remove.

The Ignore and Log only actions apply when scans detect the application. The Terminate, Quarantine, and Remove actions apply when the application launches.
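As an added example (not code from this thread or from Symantec), the queries the answers describe, run against the two learned-application tables named above with constructed rows in SQLite: which computers ran an application identified by its hash regardless of file name, which names that hash has been seen under, and which computers run an older version of a given executable. The column names, hashes, paths and host names are assumptions, not SEPM's real schema.

```python
import sqlite3

# Constructed sample rows. Table names follow the thread; the column
# names, hashes, paths and host names are assumptions, not SEPM's schema.
SEM_APPLICATION = [  # (app_hash, file_name, file_path, version)
    ("h-word16", "winword.exe", r"C:\Program Files\Microsoft Office\Office16", "16.0.1"),
    ("h-word15", "winword.exe", r"C:\Program Files\Microsoft Office\Office15", "15.0.4"),
    ("h-tool", "netscan.exe", r"C:\Users\bob\Downloads", "1.0"),
    ("h-tool", "updater.exe", r"C:\Users\bob\AppData\Local\Temp", "1.0"),  # same file, renamed
]
COMPUTER_APPLICATION = [  # (computer_name, app_hash, seen_at)
    ("PC-01", "h-word16", "2015-03-01 09:00"),
    ("PC-02", "h-word15", "2015-03-01 09:05"),
    ("PC-02", "h-tool", "2015-03-02 11:20"),
    ("PC-03", "h-tool", "2015-03-02 11:25"),
]


def build_db():
    """Load the constructed rows into an in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE SEM_APPLICATION(app_hash TEXT, file_name TEXT, file_path TEXT, version TEXT);
        CREATE TABLE COMPUTER_APPLICATION(computer_name TEXT, app_hash TEXT, seen_at TEXT);
    """)
    conn.executemany("INSERT INTO SEM_APPLICATION VALUES (?,?,?,?)", SEM_APPLICATION)
    conn.executemany("INSERT INTO COMPUTER_APPLICATION VALUES (?,?,?)", COMPUTER_APPLICATION)
    return conn


def hosts_running_hash(conn, app_hash):
    """Computers that ran the application with this hash, whatever it was named."""
    sql = "SELECT DISTINCT computer_name FROM COMPUTER_APPLICATION WHERE app_hash = ? ORDER BY 1"
    return [row[0] for row in conn.execute(sql, (app_hash,))]


def names_for_hash(conn, app_hash):
    """Every file name recorded for one hash; a renamed copy shows up here."""
    sql = "SELECT DISTINCT file_name FROM SEM_APPLICATION WHERE app_hash = ? ORDER BY 1"
    return [row[0] for row in conn.execute(sql, (app_hash,))]


def hosts_with_outdated(conn, file_name):
    """Computers whose copy of file_name is older than the newest version learned anywhere."""
    sql = """SELECT c.computer_name, a.version FROM COMPUTER_APPLICATION c
             JOIN SEM_APPLICATION a ON a.app_hash = c.app_hash WHERE a.file_name = ?"""
    rows = conn.execute(sql, (file_name,)).fetchall()
    if not rows:
        return []
    key = lambda v: tuple(int(p) for p in v.split("."))  # "16.0.1" -> (16, 0, 1)
    newest = max((v for _, v in rows), key=key)
    return sorted({host for host, v in rows if key(v) < key(newest)})
```

Because the lookup is by hash rather than by name, the renamed copy on PC-03 is found alongside the original on PC-02, which is the point of hash-based application exceptions.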
Sid_F (asker):

I appreciate the response, but I'm not looking for a copy and paste from the Symantec website as above. I'm really looking for someone who has already set this up and understands how it hangs together.

My main query is how the application monitor relates to application learning. What's the reason for setting an application monitor if application learning already picks up a number of the applications.
ASKER CERTIFIED SOLUTION

btan:
Sid_F (asker):

Super response. Thank you. Well earned points.

btan:

Glad to have helped.