Solved

symantec protection manager 12 search applications

Posted on 2014-03-07
12
937 Views
Last Modified: 2014-03-11
With a default install of SEP 12, what application information can I get from machines that have SEP installed? Do the clients report all applications straight off, or do I need to put an application on monitor first? I'd like to get some direct feedback on this as opposed to links to other forums.
Question by:Sid_F
12 Comments
 
LVL 61

Expert Comment

by:btan
ID: 39914258
The Windows Symantec Endpoint Protection client monitors and collects information about the applications and the services that run on each computer. You can configure the client to collect the information in a list and send the list to the management server. The list of applications and their characteristics is called learned applications. That is the list of applications on the target that the SEP agent gathered.

I see it more as the agent learning the software installed on SEP client machines. Running independent exe processes (not installed, or portable applications) may not be part of the learned applications.

After the management server receives the list of applications from the clients, you can run queries to find out details about the applications. For example, you can find all the client computers that use an unauthorized application. You can then create a firewall rule to block the application on the client computer. Or you may want to upgrade all the client computers to use the most current version of Microsoft Word. You can use the Search for Applications task from any type of policy.

Searching for information about the applications that the computers run
http://www.symantec.com/business/support/index?page=content&id=HOWTO80931

To enable learned applications for a site, you need to go into Site Properties for site name dialog box, on the General tab, check Keep track of every application that the clients run. After you have enabled a site to collect the lists of learned applications from the clients, you enable the clients to send the lists to the server by group or by location.
Note: The client must have the Network Threat Protection module installed for this feature to work.
http://www.symantec.com/business/support/index?page=content&id=TECH102994
0
 
LVL 5

Author Comment

by:Sid_F
ID: 39915341
Does the list of learned applications include all applications installed on the machine, or only applications that cause network traffic? In other words, can I pick up what Office version is running?
0
 
LVL 61

Expert Comment

by:btan
ID: 39915346
It should for learned applications.

http://www.symantec.com/business/support/index?page=content&id=TECH134367

A SEP client with Application Learning enabled will track each and every application running on it and forward this information to the SEPM. The SEPM processes this data and inserts parts of it into two different database tables: COMPUTER_APPLICATION and SEM_APPLICATION. The SEM_APPLICATION table is essentially a list of all learned applications (file hash, executable file name, file path, file size, version etc). The COMPUTER_APPLICATION table contains data on the “who”, ”what”, and “when” of Learned Applications. Essentially it is a list of when what machines encountered what applications.

But it may not be intuitive, as it is more alluding to the product name. Please see the screen capture below, where they use "log only" for endpoint application inspection.

http://www.symantec.com/business/support/index?page=content&id=TECH203266
0
 
LVL 5

Author Comment

by:Sid_F
ID: 39916372
OK, the bit that is confusing me is: if SEP learns applications and publishes back to SEPM, why would I need to add the application as an exception to monitor?
0
 
LVL 61

Expert Comment

by:btan
ID: 39916466
Indeed, it is not really an "exception" as we expected. But apparently in Symantec best practice it is stated to be an informed decision by the user, as it is not supposed to be for a permanent and wide deployment purpose.

The more systems forwarding learned application data, and the larger variety of applications run in an environment, the more information has to be temporarily stored, then processed by the SEPM. This can generate higher wait times on other SEP client data such as Operational State data, or security log data. In very busy environments, this can generate CPU or memory issues for already under-resourced SEPMs.

My own view is that a centralised service tends to be loaded, and if all the clients have their learned applications and services monitored by default, this inadvertently leads to denial of service. I am thinking of a scenario with an infected client, where this has greater ripple effects too. Let's say a client is infected and not "detected" (in time) by the SEP agent, and with application monitoring enabled, the application or service can be malicious and spawn off lots of "itself" (maybe several copies, probably with different filenames, with exact content copies or slight changes to skip the signature detection).

Admins need to be aware of what they really want to monitor, to be informed and savvy on the performance latency if significant, especially for servers compared to client machines.
0
 
LVL 5

Author Comment

by:Sid_F
ID: 39917602
I still seem to be missing something. My client machine has Microsoft office, when I look at the list of applications for this machine on SEPM I can see several pages of information but nothing that mentions office. Could this be that it only picks up recently accessed applications or is there something else happening?
0
 
LVL 5

Author Comment

by:Sid_F
ID: 39917647
I also notice despite adding an exception to monitor an application "notepad.exe" I can't seem to find any logs relating to activity on client machines.
0
 
LVL 61

Expert Comment

by:btan
ID: 39917853
Need to make sure there is no conflicting rule that will affect the application monitor exception.
The Exceptions policy includes a SONAR file path exception to prevent SONAR code injection into the specified application. SONAR does not inject code into applications on Symantec Endpoint Protection 12.1 or earlier clients. If you use Symantec Endpoint Protection Manager 12.1.2 to manage clients, a SONAR file exception in an Exceptions policy is ignored on your legacy clients. If you use a legacy Symantec Endpoint Protection Manager to manage clients, the legacy policy does not support SONAR file exceptions for your Symantec Endpoint Protection 12.1.2 clients.

Unlike a file name exception, an application exception is a hash-based exception. Different files can have the same name, but a file hash uniquely identifies an application.

The application exception is a SHA-2 hash-based exception. Legacy exceptions for TruScan proactive threat scans appear as SHA-1 hash-based exceptions. Legacy clients support SHA-1 exceptions only. The file fingerprint in the exceptions list is preceded by a 2 or a 1 respectively to indicate the file hash type.

If it is really learned, you can use a query tool to search for the list of applications that the client computers run. You can search on application-based criteria or computer-based criteria.

To specify how Symantec Endpoint Protection handles monitored applications

On the Exceptions Policy page, click Exceptions.

Click Add > Windows Exceptions > Application.

In the View drop-down list, select All, Watched Applications, or User-allowed Applications.

Select the applications for which you want to create an exception.

In the Action drop-down box, select Ignore, Log only, Quarantine, Terminate, or Remove.

The Ignore and Log only actions apply when scans detect the application. The Terminate, Quarantine, and Remove actions apply when the application launches.
0
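The point above, that a file name exception can match several different files while a fingerprint exception identifies exactly one, can be illustrated with a small matcher. This is an added example, not code from the thread or from Symantec; it assumes "SHA-2" means SHA-256, uses constructed sample records shaped like the SEM_APPLICATION fields the thread lists, and builds fingerprints with the "2"/"1" type prefix described above.

```python
import hashlib
from collections import namedtuple

# Constructed record shape (assumption): mirrors the fields the thread says
# SEM_APPLICATION stores: file hash, executable name, path, size, version.
LearnedApp = namedtuple("LearnedApp", "sha256 sha1 name path size version")


def fingerprint(data: bytes, legacy: bool = False) -> str:
    """Hex digest preceded by '2' (SHA-2, assumed SHA-256) or '1' (SHA-1),
    as the exceptions list marks the hash type."""
    if legacy:
        return "1" + hashlib.sha1(data).hexdigest()
    return "2" + hashlib.sha256(data).hexdigest()


def hash_type(fp: str) -> str:
    """Classify an exceptions-list fingerprint by its type digit and verify
    the digest length, so a truncated or mistyped entry is caught early."""
    prefix, digest = fp[:1], fp[1:].lower()
    expected_len = {"2": 64, "1": 40}.get(prefix)
    if expected_len is None or len(digest) != expected_len \
            or any(c not in "0123456789abcdef" for c in digest):
        raise ValueError(f"malformed fingerprint: {fp!r}")
    return "sha256" if prefix == "2" else "sha1"


def match_by_name(apps, name):
    """File name exception: every learned app with that name matches."""
    return [a for a in apps if a.name.lower() == name.lower()]


def match_by_fingerprint(apps, fp):
    """Application (hash) exception: only the app with that digest matches."""
    kind = hash_type(fp)
    digest = fp[1:].lower()
    return [a for a in apps if (a.sha256 if kind == "sha256" else a.sha1) == digest]


def build_sample():
    """Two constructed binaries that both carry the name notepad.exe."""
    real = b"constructed bytes standing in for the system notepad.exe"
    other = b"a different constructed binary that is also named notepad.exe"
    apps = []
    for data, path in ((real, r"C:\Windows\System32\notepad.exe"),
                       (other, r"C:\Users\alice\Downloads\notepad.exe")):
        apps.append(LearnedApp(hashlib.sha256(data).hexdigest(),
                               hashlib.sha1(data).hexdigest(),
                               "notepad.exe", path, len(data), "n/a"))
    return apps, real
```

Running `match_by_name` against the sample returns both records, while `match_by_fingerprint(apps, fingerprint(real))` returns only the System32 copy.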
 
LVL 5

Author Comment

by:Sid_F
ID: 39917890
I appreciate the response, but I'm not looking for a copy and paste from the Symantec website as above. I'm really looking for someone who has already set this up and understands how it hangs together.

My main query is how the application monitor relates to application learning. What's the reason for setting an application monitor if application learning already picks up a number of the applications.
0
 
LVL 61

Accepted Solution

by:
btan earned 500 total points
ID: 39919307
If you do not know what apps you want to target and monitor, you can start fresh to collect information from the client and then the list of apps known and traits are logged as learned apps.

If you already know the apps you want to target and they are still not in the "learned apps" state, then you can set application monitoring to target specific apps, and they will subsequently become learned apps.

All in all, learned apps will then allow you to create exceptions for further policy enforcement. This policy includes even application and device control. The application control then allows you to have the various rule controls.

Mostly, having the learned apps just makes administration convenient: to configure a FW policy to control apps, you can either (1) add in details about those apps, e.g. (you can use one or more of these) path and file name, size in bytes, date that the application was last changed, or file fingerprint, OR (2) select from the learned applications list.

Actually, it is recommended to disable application learning entirely if you are not utilizing learned app data to create those policies mentioned previously, which include HI policies, application firewall rules, application control rules, or even exceptions.

I am not implying that the steps are wrong by cutting and copying, and pardon me for that. The missing apps in the learned list may not appear immediately, and even Symantec has a short link (I understand you do not like to be referred here and there) stating that apps must be detected by a scan before they appear, and they suggest configuring an exception to force detection of a (targeted) application. Only after that should it appear for further actions like inclusion in the exception list.
0
 
LVL 5

Author Closing Comment

by:Sid_F
ID: 39919891
Super response. Thank you. Well earned points.
0
 
LVL 61

Expert Comment

by:btan
ID: 39920005
Glad to have helped.
0
