The advanced machine learning (AML) engine determines if a file is good or bad through a learning process. Symantec Security Response trains the engine to recognize malicious attributes and defines the rules that the AML engine uses to make detections. Symantec trains and tests the AML engine in a lab environment using the following process:
LiveUpdate downloads the AML model to the client and runs for several days.
The AML engine learns which applications the client runs and get exploited using the client's telemetry data. Each client computer is part of the global intelligence network that returns information about the model to Symantec.
Symantec adjusts the AML model based on what Symantec learns from the clients' telemetry data.
Symantec modifies the AML model to block the applications that exploits typically attack.
AML is part of the static data scanner (SDS) engine. The SDS engine includes the emulator, the Intelligent Threat Cloud Service (ITCS), and the CoreDef-3 definitions engine.
Symantec Endpoint Protection uses advanced machine learning in Download Insight, SONAR, and virus and spyware scans, all which use Insight lookups for threat detection.
Symantec leverages the Intelligent Threat Cloud Service (ITCS) to confirm the detection that AML makes on the client computer is correct. Sometimes AML may reverse the conviction after it checks with the ITCS. While the AML engine does not need Symantec Insight, this feedback enables Symantec to train the AML algorithms to reduce false positives and increase true positives. When the computer is online, Symantec Endpoint Protection can stop an average of 99% of threats.
You cannot configure advanced machine learning. LiveUpdate downloads the AML definitions by default. However, you do need to make sure that the following technologies are enabled.
Table: Steps to ensure that AML protects the client computers
The logs and reports for advanced machine learning detections are the same as for the other SDS engines. To see a report with recent threats, run a Risk report for New Risks Detected in the Network.
As of 14.0.1, you can run a scheduled report for AML detections. On the Reports page, click Scheduled Reports > Add > Computer Status > Advanced Machine Learning (Static) Content Distribution. The Symantec Endpoint Protection Manager domain must be enrolled in the cloud console for the report to appear.
See Viewing logs