Functionality of Network discovery in Symantec Endpoint Security (SES).
The cloud console provides a comprehensive view of files, applications, and executables that appear in your environment. You can view information about the risks, vulnerabilities, reputation, source, and other characteristics that are associated with these discovered items.
How discovery works
The first time that discovery runs in an environment, the inventory data takes some time to collect. The next time discovery runs it updates any differences in the inventory that it collects.
Discovery is currently supported for Windows only.
Scan results are uploaded to the cloud once per day.
About the type of discovery scans
The discovery mechanism scans Allentown locations. A full disk scan discovery is also performed on local drives if you use Application Control or Application Isolation.
The discovery scan mechanism is separate from the antimalware scans that run to protect your devices.
By default, the discovery mechanism examines the following well-known locations on the system drive of Windows devices:
How often discovery runs
The well-known location scan runs initially when the devices are licensed for the cloud. The full disk scan runs once initially when the devices are licensed to use Application Control or Application Isolation. After the initial run, discovery runs on the following schedule:
Viewing Discovered Items
To see the inventory and types of information that the discovery scans collect, go to Discovered Items.
The Discovered Items > Files page helps you make decisions about the types of protection and levels of protection that the environment requires. Use the information here during set up or make changes to your Intensive Protection settings or Antimalware policies.
The files in this view often map to an application. This view is also useful when updating any Application Control policies.
Symantec determines the risk level of the file based on the file reputation and prevalence.
If you use either Application Isolation or Application Control, discovery scans all installed and running applications on the devices that are licensed for these features.
You can use Discovered Items > Applications to help monitor and then enforce isolation policies and Application Control policies.
An application is often made up of multiple files. The files can be viewed that are associated with a particular version of an application.
Symantec determines the risk level of an application based on the application's vulnerability score and prevalence.
How Symantec defines an application
An application can have multiple versions. These versions are identified and aggregated internally into a single application object. For example, the discovery might find Mozilla Firefox version 52.1.1 on a device and Firefox version 52.0.1 on another device. The cloud console shows one application (Firefox) that is seen on two devices. You can drill down to see the multiple versions of Firefox on the Versions tab of the application details.