This article describes the best practices for enabling Application Learning in Symantec Endpoint Protection Manager (SEPM).
Application Learning allows Symantec Endpoint Protection (SEP) clients to report information and statistics about the executables that are run on them. This information is provided to the Symantec Endpoint Protection Manager (SEPM) and aggregated into the SEPM database. The purpose of this information is to build a list of known applications in an environment to create Application-based firewall rules, Host Integrity (HI) rules and can be used as a reference for developing Application Control rules and Centralized Exceptions.
Database sizing considerations
A SEP client with Application Learning enabled will track each and every application running on it and forward this information to the SEPM. The SEPM processes this data and inserts parts of it into two different database tables: COMPUTER_APPLICATION and SEM_APPLICATION. The SEM_APPLICATION table is essentially a list of all learned applications (file hash, executable file name, file path, file size, version etc). The COMPUTER_APPLICATION table contains data on the “who”, ”what”, and “when” of Learned Applications. Essentially it is a list of when what machines encountered what applications.
Leaving Application Learning enabled indefinitely will always result in the COMPUTER_APPLICATION table growing to very large sizes – multiply the number of unique executables in your environment by the number of SEP clients with Application Learning enabled and you have an idea of how many entries you can expect. This number will range between the hundreds of thousands in small environments, to the hundreds of millions in large environments.
SEPM resource considerations
Since Learned Application data is forwarded to the SEPM by individual SEP clients, the SEPM bears the majority of the processing duties in ensuring this data is processed and stored in the SEPM database. The more systems forwarding learned application data, and the larger variety of applications run in an environment, the more information has to be temporarily stored, then processed by the SEPM. This can generate higher wait times on other SEP client data such as Operational State data, or security log data. In very busy environments, this can generate CPU or memory issues for already under-resourced SEPMs.
Application Learning is not designed to be deployed across an environment permanently. Application Learning only needs to be deployed to enough machines, and for enough time to get a representative sample of the applications that are used in the enterprise. It is recommended to determine the best method to ensure a large enough representative sample is taken of the applications in an enterprise and only deploy Application Learning to enough machines and for a long enough duration to gather that sample.
To ensure your Application Learning settings are applicable to your environment, please follow one of the recommendations below.
- Disable Application Learning entirely if not utilizing Learned Applications data to create Host Integrity (HI) policies, Application-based Firewall rules, Application Control rules, or Centralized Exceptions
- Enable Application Learning only on a select number of machines to ensure that new applications are still being added to the Application List in the database
- Enable Application Learning across the environment periodically when changes are made to the executables run in the environment.
Option 1 presents the lowest impact on SEPM CPU/Disk I/O resources and SEPM database resources, but does not allow for the added functionality of Application-based firewall rules. Because of this, Option 2 is the recommended solution in environments where Application-based firewall rules are to be configured.
For more information on enabling Application Learning, read How to set up learned applications in the Symantec Endpoint Protection Manager.