How does
Symantec Endpoint Protection
use advanced machine learning?

Refer to the following topics for more information:
How does advanced machine learning work?
The advanced machine learning (AML) engine determines if a file is good or bad through a learning process. Symantec Security Response trains the engine to recognize malicious attributes and defines the rules that the AML engine uses to make detections. Symantec trains and tests the AML engine in a lab environment using the following process:
  • LiveUpdate downloads the AML model to the client and runs for several days.
  • The AML engine learns which applications the client runs and get exploited using the client's telemetry data. Each client computer is part of the global intelligence network that returns information about the model to Symantec.
  • Symantec adjusts the AML model based on what Symantec learns from the clients' telemetry data.
  • Symantec modifies the AML model to block the applications that exploits typically attack.
AML is part of the static data scanner (SDS) engine. The SDS engine includes the emulator, the Intelligent Threat Cloud Service (ITCS), and the CoreDef-3 definitions engine.
Symantec Endpoint Protection
uses advanced machine learning in Download Insight, SONAR, and virus and spyware scans, all which use Insight lookups for threat detection.
How does AML work with the cloud?
Symantec leverages the Intelligent Threat Cloud Service (ITCS) to confirm the detection that AML makes on the client computer is correct. Sometimes AML may reverse the conviction after it checks with the ITCS. While the AML engine does not need Symantec Insight, this feedback enables Symantec to train the AML algorithms to reduce false positives and increase true positives. When the computer is online,
Symantec Endpoint Protection
can stop an average of 99% of threats. See:
How do I configure AML?
You cannot configure advanced machine learning. LiveUpdate downloads the AML definitions by default. However, you do need to make sure that the following technologies are enabled.
Steps to ensure that AML protects the client computers
Step 1: Make sure that cloud lookup availability is enabled
The queries that AML makes to Symantec Insight are called reputation lookups, cloud lookups, or Insight lookups. If Insight lookups are enabled, the AML detections for SONAR and virus and spyware scans have fewer false positives.
To verify that Insight lookups are enabled, see:
In addition, make sure that client submissions are enabled. This information helps Symantec measure and improve the effectiveness of detection technologies. See:
Step 2: Make sure that Bloodhound Detections are enabled
Set the Bloodhound Detection level to either automatic or aggressive. See:
When the AML engine encounters certain high-risk files, the client automatically engages a more aggressive scan.
When aggressive scan mode engages:
  • The scan restarts.
  • The following notification appears on the client:
    Running an aggressive scan that uses Insight lookups to clean your computer.
In the aggressive mode, you may need to further manage the false positives.
Step 3: Make sure that LiveUpdate downloads high intensity definitions (14.0.1) (optional)
LiveUpdate always downloads AML content.
As of 14.0.1, LiveUpdate downloads a more aggressive set of definitions that work with the low bandwidth policy you get from the cloud. You can disable AML content from being downloaded through LiveUpdate.
From LiveUpdate to
Symantec Endpoint Protection Manager
, see:
Symantec Endpoint Protection Manager
to the Windows clients, see:
Step 4: Handle false positives
Troubleshooting advanced machine learning
The logs and reports for advanced machine learning detections are the same as for the other SDS engines. To see a report with recent threats, run a Risk report for
New Risks Detected in the Network
As of 14.0.1, you can run a scheduled report for AML detections. On the
page, click
Scheduled Reports
Computer Status
Advanced Machine Learning (Static) Content Distribution
. The
Symantec Endpoint Protection Manager
domain must be enrolled in the cloud console for the report to appear.
For more information, see: