Video Screencast Help
Give us your opinion and win with Symantec! Please help us by taking this survey to tell us about your experience with Symantec Connect, so that we can continue to grow and improve.  Take the survey.

Learned Application Notification

Created: 17 Aug 2010 • Updated: 17 Aug 2010 | 1 comment

Hello all,
There are several threads about this which have been locked and marked as "solved".  As far as I know this has never been solved:

When notifications are enabled, so the system administrator gets a notice when new applications are installed, the canned report provides lots of nice to know info. about what was installed, the path it was installed to (i.e., c:\Programm Files\Common\your-new-malware.exe), and even what server the client machine reports to (not sure why that is important...), but does NOT show what workstation (SEP Client machine) has had the new application installed on it.

The solution is NOT to go to SEPM Console > Monitors > Logs > Application... reports - which is the common answer provided.

This happens all the time, but here is an example:

Received a "Learned Application Notification" with an attached learned application report (missing the painfully obvious workstation ID needed to make the report useful...).  The report indicates that "WINDWORD.exe" was installed at 10:41:50 (today), or was reported at that time (?).  Anyway, when I go to "SEPM Console > Monitors > Logs > Application... reports", there is no report of WINDWORD.exe being installed.  It makes no difference if I look at a "Last 24 Hours" report (for applications), or go back weeks.  WINWORD.exe is not reported as a newly installed application.

Obviously, a WINWORD.exe install is not too alarming except for the fact that every workstation already has an Office Suite and there are no new installations authorized on our network (which I manage myself).  So, is this WINWORD.exe executible really an instance of MS Word, or is it some kind of malware?  Has something modified the original executable for MS Word on some machine somewhere on our network?  I wish I knew.  Why doesn't SEP 11.x make it easy and tell me in this "Learned Application Notification" (especially after about a dozen patches and updates?

So, where did WINDWORD.exe get installed?  How do I find that information?

When will these reports be cleaned up and some of this mountain of repetitious customer feedback be used to improve them?  What version update or "Maintenance Release" or patch are we waiting for, and when is it coming?

Comments 1 CommentJump to latest comment

Fatih Teke's picture

Hello Tarsies,
As you said we cannot see which computer now. But you can write it to ideas tab and Symantec Employers will work on it.
I cannot give any another answer to you now. Cause you said reports (SEPM Console > Monitors > Logs > Application) is not answer for you.

Best Regards.

 Everything works better when everything works together.