The advanced machine learning (AML) engine determines if a file is good or bad through a learning process. Symantec Security Response trains the engine to recognize malicious attributes and defines the rules that the AML engine uses to make detections. Symantec trains and tests the AML engine in a lab environment using the following process:
LiveUpdate downloads the AML model to the client and runs for several days.
Using the client's telemetry data, the AML engine learns which applications the client runs and which get exploited. Each client computer is part of the global intelligence network that returns information about the model to Symantec.
Symantec adjusts the AML model based on what Symantec learns from the clients' telemetry data.
Symantec modifies the AML model to block the applications that exploits typically attack.
AML is part of the static data scanner (SDS) engine. The SDS engine includes the emulator, the Intelligent Threat Cloud Service (ITCS), and the CoreDef-3 definitions engine.
Symantec Endpoint Protection uses advanced machine learning in Download Insight, SONAR, and virus and spyware scans, all of which use Insight lookups for threat detection.
How does AML work with the cloud?
Symantec leverages the Intelligent Threat Cloud Service (ITCS) to confirm that the detection that AML makes on the client computer is correct. Sometimes AML may reverse the conviction after it checks with the ITCS. While the AML engine does not need Symantec Insight, this feedback enables Symantec to train the AML algorithms to reduce false positives and increase true positives. When the computer is online, Symantec Endpoint Protection can stop an average of 99% of threats.
You cannot configure advanced machine learning. LiveUpdate downloads the AML definitions by default. However, you do need to make sure that the following technologies are enabled.
Table: Steps to ensure that AML protects the client computers
Step 1: Make sure that cloud lookup availability is enabled
The queries that AML makes to Symantec Insight are called reputation lookups, cloud lookups, or Insight lookups. If Insight lookups are enabled, the AML detections for SONAR and virus and spyware scans have fewer false positives.
When the AML engine encounters certain high-risk files, the client automatically engages a more aggressive scan.
When aggressive scan mode engages:
The scan restarts.
The following notification appears on the client:
Running an aggressive scan that uses Insight lookups to clean your computer.
In aggressive mode, you may need to further manage the false positives.
Step 3: Make sure that LiveUpdate downloads high intensity definitions (14.0.1) (optional)
LiveUpdate always downloads AML content.
As of 14.0.1, LiveUpdate downloads a more aggressive set of definitions that work with the low bandwidth policy you get from the cloud. You can disable AML content from being downloaded through LiveUpdate.
From LiveUpdate to Symantec Endpoint Protection Manager:
The logs and reports for advanced machine learning detections are the same as for the other SDS engines. To see a report with recent threats, run a Risk report for New Risks Detected in the Network.
As of 14.0.1, you can run a scheduled report for AML detections. On the Reports page, click Scheduled Reports > Add > Computer Status > Advanced Machine Learning (Static) Content Distribution. The Symantec Endpoint Protection Manager domain must be enrolled in the cloud console for the report to appear.