Discovering devices on a network


Article ID: 184833


Updated On:


Endpoint Protection


Functionality of Network discovery in Symantec Endpoint Security (SES).


SEP 15


The cloud console provides a comprehensive view of files, applications, and executables that appear in your environment. You can view information about the risks, vulnerabilities, reputation, source, and other characteristics that are associated with these discovered items.

How discovery works

The first time that discovery runs in an environment, the inventory data takes some time to collect. The next time discovery runs it updates any differences in the inventory that it collects.


Discovery is currently supported for Windows only.

Scan results are uploaded to the cloud once per day.

About the type of discovery scans

The discovery mechanism scans Allentown locations. A full disk scan discovery is also performed on local drives if you use Application Control or Application Isolation.


The discovery scan mechanism is separate from the antimalware scans that run to protect your devices.

  • Well-known locations scan

By default, the discovery mechanism examines the following well-known locations on the system drive of Windows devices:

  • Add/Remove Programs
  • Programs folder
  • Desktop and Start menu shortcuts
  • Microsoft registry locations
  • Full disk scan
    • Includes all of the well-known scan locations plus all local drives (system or non-system)
    • Runs on devices that have Application Hardening installed and are licensed for either Application Control or Application Isolation.

How often discovery runs

The well-known location scan runs initially when the devices are licensed for the cloud. The full disk scan runs once initially when the devices are licensed to use Application Control or Application Isolation. After the initial run, discovery runs on the following schedule:

  • Well-known locations scans run once a day at 3:00 A.M.
  • Full disk scans run on System drives once a month, on the tenth day of the month at midnight.
  • Full disk scans run on non-System drives once a month, on the twentieth of the month at midnight.

Viewing Discovered Items

To see the inventory and types of information that the discovery scans collect, go to Discovered Items.

The Discovered Items > Files page helps you make decisions about the types of protection and levels of protection that the environment requires. Use the information here during set up or make changes to your Intensive Protection settings or Antimalware policies.

The files in this view often map to an application. This view is also useful when updating any Application Control policies.

Symantec determines the risk level of the file based on the file reputation and prevalence.

If you use either Application Isolation or Application Control, discovery scans all installed and running applications on the devices that are licensed for these features.

You can use Discovered Items > Applications to help monitor and then enforce isolation policies and Application Control policies.

An application is often made up of multiple files. The files can be viewed that are associated with a particular version of an application.

Symantec determines the risk level of an application based on the application's vulnerability score and prevalence.

See Viewing discovered files

See Viewing discovered applications

How Symantec defines an application

An application can have multiple versions. These versions are identified and aggregated internally into a single application object. For example, the discovery might find Mozilla Firefox version 52.1.1 on a device and Firefox version 52.0.1 on another device. The cloud console shows one application (Firefox) that is seen on two devices. You can drill down to see the multiple versions of Firefox on the Versions tab of the application details.