ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.

How to set up learned applications in the Symantec Endpoint Protection Manager

book

Article ID: 151357

calendar_today

Updated On:

Products

Endpoint Protection

Issue/Introduction

You want to monitor and collect information about the applications and services that run on each computer in your environment, in part to help create Firewall Policies, Application and Device Control Policies, Proactive Threat Scans, and so forth.

 

Resolution

Note: In some countries, it may not be permissible under local law to use the learned applications tool under certain circumstances such as to gain application use information from a laptop when the employee logs on to your office network
from home using a company laptop. Prior to your use of this tool, please confirm that use is permitted for your purposes in your jurisdiction. If it is not permitted, please follow instructions for disabling the tool.

Enabling learned applications for a site

You can set up learned applications for the management servers within a local site or within a remote site.

To enable learned applications for a site:

  1. In the Symantec Endpoint Protection Manager, click the Admin tab, and then click Servers.
  2. Under View Servers, do one of the following actions:
    - Click Local Site (Site <site name>).
    - Expand Remote Sites, and then click Site <site name> .
  3. Under Tasks, click Edit Site Properties.
  4. In the Site Properties for site name dialog box, on the General tab, check Keep track of every application that the clients run.
  5. Click OK.


Enabling clients to send the learned applications list to the management server

After you have enabled a site to collect the lists of learned applications from the clients, you enable the clients to send the lists to the server by group or by location.
Note: The client must have the Network Threat Protection module installed for this feature to work.

Note: You can modify this setting only for the subgroups that do not inherit their policies and settings from a parent group.

To send the learned applications list to the management server:

  1. In the Symantec Endpoint Protection Manager, click the Clients tab.
  2. Under View Clients, select a group, and then click the Policies tab.
  3. On the Policies tab, click Communications Settings.
  4. In the Communications Settings for group name dialog box, make sure Upload a list of applications that the clients have run is checked.
  5. Click OK.


To send learned applications to the management server for a location:

  1. In the Symantec Endpoint Protection Manager, click the Clients tab.
  2. Under View Clients, select a group.
  3. Under Location-specific Policies and Settings, select the location, and then expand Location-specific Settings.
  4. To the right of Communications Settings, click Tasks, and then uncheck Use Group Communications Settings. Checking this setting enables you to create a location setting rather than a group setting.
  5. Click Tasks, and then click Edit Settings.
  6. In the Communications Settings for <location name> dialog box, check Upload a list of applications that the clients have run.
  7. Click OK.


Note: Need to also Enable Network Application Monitoring to allow changes in the application Checksum. To do this please follow these steps.

To enable Network Application Monitoring:
Login to the manager and go to Clients
Choose the group and Select the Policies tab
Under Policies Click Network Application Monitoring
Check the box that says, "Enable Network Application Monitoring."
From here, you can set the default policy when Endpoint Protection detects changes in an executable. Choose between Ask, Block the Traffic, or Allow and Log.



References
Administration Guide for Symantec Endpoint Protection..., Chapter 30 (page 389). Chapter 5 (page 100)