How Symantec calculates Application Control recommendations for allowed, undetermined, and blocked applications

For Application Control, Symantec recommends whether application versions and standalone files should be allowed, blocked, or classified as undetermined.
These recommendations appear in the Application Control wizards. If you choose to turn off Symantec recommendations, all application versions and standalone files are considered undetermined.
Recommendation criteria
Symantec uses the following criteria for the recommendations:
Reputation
Symantec collects information about files and applications from its global community of millions of users and its Global Intelligence Network. The collected information is available to Symantec products through Symantec Insight.
Insight uses the following criteria to determine reputation:
  • The source of the file or application
  • How new the file or application is
  • How common the file or application is in the community
  • Other security metrics, such as how the file or application might be associated with malware
For an application version, Symantec uses the worst reputation of any the files that are included in the application version.
Vulnerability score
In October 2020, to improve attack surface reduction, Symantec changed the way it calculates vulnerability.
Application vulnerabilities are assessed and scored with a new technology. In some cases, the change might result in applications with higher vulnerability scores as compared to the same values before the change.
There are some reasons for differences in scoring. The new technology uses the following:
  • New CVSS v3.0 standards
    The former technology used CVSS v2.0 standards.
  • Base vulnerability score
    The former technology used temporal scores.
You might notice these changes in the cloud console:
  • Applications List or Applications Details pages
    These pages show the vulnerability score for every application.
  • Application Control Configurator
    When administrators create new Application Control policies, Symantec recommendations might now show applications in the block bucket rather than the undetermined bucket. The vulnerability score carries a lower weight compared with reputation and prevalence, but it is possible that some applications will now appear in the block bucket when previously they appeared as undetermined.
The change in vulnerability assessment does not impact existing policy configuration.
Prevalence rating
Symantec measures how many devices in the enterprise installed the application version versus the total devices in the enterprise where the application discovery is run.
Prevalence rating
Percentage of devices on which the application exists
Rating
Greater than 50 percent
High
16 to 50 percent
Medium
0 to 15 percent
Low
Recommendations for application versions
If the reputation of an application version is low, Symantec always recommends that the application be blocked.
Symantec recommendations for application versions
Reputation Score
Vulnerability Score
Prevalence
Symantec Recommendation
Medium
Medium/Low
High/Medium
Allow
High
Low/Medium
High/Medium/Low
Allow
High
High
High
Allow
Medium
High
Medium/Low
Allow
Low
High/Medium/Low
High/Medium/Low
Block
Unknown
High/Medium
Medium/Low
Block
Medium
High
High/Medium/Low
Block
Unknown
Unknown
High/Medium/Low
Undetermined
Unknown
Low
High/Medium/Low
Undetermined
Recommendations for standalone files
If the reputation of a standalone file is low, Symantec always recommends that the standalone file be blocked.
Symantec recommendations for standalone files
Reputation Score
Prevalence
Symantec Recommendation
High
High/Medium/Low
Allow
Medium
High/Medium
Allow
Medium
Low
Undetermined
Unknown
High/Medium/Low
Undetermined
Low
Low
Block