In the "Discovered Items" section of the ICDm, you need to know how the list of files are generated/discovered.
Symantec™ Integrated Cyber Defense Manager
You want to submit a file to sandbox or setup a block or other file based action from the list of Discovered Items. It is not clear from the Interface what mechanism provides the list of files, and some endpoints may show different files, which is unexpected.
The ICDm console provides a complete view of files and applications that Symantec Endpoint Security discovers in your environment. There are three primary ways that the items populate the Discovered items section.
1) 'Discovered' files are based on files discovered as part of event information. For example, if there is a log or block event associated with the file, then these are populated in the discovered file list.
2) If Application Control is installed (a policy is configured), then application discovery runs on endpoints and populates the applications found to ICDm. Discovery scans are automated scans which are described here. In summary, these are:
It can take some time for the files to populate