How are files discovered on Endpoints in SES ICDm?

Article ID: 221003

Products

Endpoint Detection and Response Complete Endpoint Defense (with SEP)

Issue/Introduction

In the "Discovered Items" section of the ICDm, you need to know how the list of files is generated and discovered.

Cause

You want to submit a file to the sandbox, or set up a block or other file-based action, from the list of Discovered Items. It is not clear from the interface which mechanism provides the list of files, and some endpoints may show different files, which is unexpected.

Environment

Symantec™ Integrated Cyber Defense Manager

Resolution

The ICDm console provides a complete view of files and applications that Symantec Endpoint Security discovers in your environment. There are three primary ways that the items populate the Discovered items section.

1) Files discovered through event information. For example, if a log or block event is associated with a file, that file is added to the discovered file list.

2) If Application Control is installed (a policy is configured), application discovery runs on the endpoints and reports the applications it finds to ICDm. Discovery scans are automated scans, which are described here. In summary, these are:

  • Well-known locations scans run once a day at 3:00 A.M.
  • Full disk scans run on System drives once a month, on the tenth day of the month at midnight.
  • Full disk scans run on non-System drives once a month, on the twentieth of the month at midnight.

It can take some time for the files to populate