Video Screencast Help
Symantec Appoints Michael A. Brown CEO. Learn more.

How to utilize SEP 12.1 for Incident Response - PART 4

Created: 13 Jan 2014 • Updated: 14 Jan 2014 | 8 comments
Language Translations
.Brian's picture
+5 5 Votes
Login to vote

This article is a continuation of my three previous articles:

  1. How to utilize SEP 12.1 for Incident Response - PART 1
  2. How to utilize SEP 12.1 for Incident Response - PART 2
  3. How to utilize SEP 12.1 for Incident Response - PART 3

In it, we will look at using Application Learning in an incident response situation. The purpose of application learning is for the SEP client to collect and monitor the applications and services that run on client PCs. I do want to point out that I only use this for incident response. While it is perfectly acceptable to use this in a normal situation, if you have many clients, your database can grow quite rapidly. If you do decide to use this on a regular basis, you should check out the Best Practices Guide to Application Learning in Symantec Endpoint Protection Manager

Now, let's get started. From time to time I come across a problem user who is no stranger to re-infection. I have a special purpose group setup for such cases. Application learning is enabled for this group. Enabling application learning is a two step process.

Log in to the SEPM:

  1. Navigate to Admin page >> select your Local Site and select Edit Site Properties. Tick the checkbox for "Keep track of every application that the clients run". This will enable the feature.
  2. Go to the Clients page and create your special purpose group and uncheck inheritance. Go to the Policies tab at the top and under Settings select Communications Settings. Under Upload tick the checkbox for "Learn applications that run on the client computers". This tells the SEP client to monitor all applications and upload it to the SEPM.

Now, this process will not be completed immediately. Logs will start to come in but it will depend on what you have your heartbeat set to. For this special purpose group, I like to set the heartbeat from anywhere from 5-15 minutes. Since this is usually done for one or two clients at a time, this should not be a problem. I like to give the entire process a few hours to take shape before I really dig into it. Once you feel enough time has passed, you can begin reviewing what applications are running on the PC.

To do this, go to the Policies page and under Tasks select Search for Applications

A new box will come up which will allow you to do some filtering:



Feel free to edit as you see fit and select Search when completed. You will get a similar result if all is working correctly:



Now, what I like to do is export the results and compare it to a list of known good process that are on our golden image(s). This can be a tedious task although it makes it slighly easier to find bad processes when you have a list of what you know contain good ones. When I find what I believe are bad processes I will submit them to ThreatExpert and Virustotal for analysis. If it's found to be malicious, I submit to Symantec Security Reponse so they can create a signature for it.

I hope this article has been helpful for you. Please post any feedback or questions that you may have.


Comments 8 CommentsJump to latest comment

Mithun Sanghavi's picture

Excellent Article.!!!

Mithun Sanghavi
Senior Consultant

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

Login to vote
JUSTICE's picture

BRAVO ZULU, I just wish everyone pushes SEP 12.1.4 like it was intended...a nuclear aircraft carrier and with arrogance!!!

Marcus Payne, Senior Security Administrator

A+ CE, Symantec SCS, SEP/SEPM 12.1 Administration
FishNet Security
m. 404.368.8164
500 Colonial Center Pkwy, Suite 150 | Roswell, GA, 30076

Follow us on  Facebook &  Twitter




Marcus Sebastian Payne
"So cyberspace is real. And so are the risks that come with it."
- President Barack Obama

Login to vote
.Brian's picture

For those interested, the previous SEP Incident Response articles are here:

How to utilize SEP 12.1 for Incident Response - PART 1

How to utilize SEP 12.1 for Incident Response - PART 2

How to utilize SEP 12.1 for Incident Response - PART 3

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

Login to vote
Shawn T.'s picture

Great articles, Brian! It's awesome to see some of the finer features of the product put through their paces. I know far too many instances where the product is installed with nothing but basic protection and default settings, then left in a closet and forgotten.

It is so important to review the settings and features, then test and deploy what you can. The defaults are designed to get things rolling without harming the typical business operations. A little research and fine tuning can work with your existing software and network infrastructure to enhance security without causing lost productivity. In the long run, it can save you many hours of troubleshooting a threat in the network if features are deployed and configured appropriately.

One item I would point out is that Application Learning should be used judiciously. There can be quite an increase in the database load when used improperly. The document you referenced, Best Practices Guide to Application Learning in Symantec Endpoint Protection Manager, provides some good information and caveats about when, how long, and on how many clients Application Learning should be activated.


Login to vote
0dditor's picture

Excellent point.  We ran into issues during an upgrade a while back due to the size of the database because of Application Learning.

Login to vote
Nalini Raj's picture

Very informative, excellent article!


Nalini Raj.

“Whenever you are asked if you can do a job, tell 'em, 'Certainly I can!' Then get busy and find out how to do it.”

Login to vote
R_Sran's picture

Very helpful article. Thanks for sharing this.

Login to vote
Mick2009's picture

This new article may be of interest to anyone needing to send files to Security Response for analysis:

Symantec Insider Tip: Successful Submissions!

Many thanks!


With thanks and best regards,


Login to vote