Using Discovered Items

The cloud console provides a comprehensive view of files, applications, and executables that appear in your environment. You can view information about the risks, vulnerabilities, reputation, source, and other characteristics that are associated with these discovered items.
How discovery works
The first time that discovery runs in your environment, the inventory data takes some time to collect. The next time discovery runs it updates any differences in the inventory that it collects.
Discovery is currently supported for Windows devices and Android devices. Android applications are not used in Application Control rule generation.
Scan results are uploaded to the cloud once per day.
About the type of discovery scans
The discovery mechanism scans well-known locations. A full disk scan discovery is also performed on local drives.
The discovery scan mechanism is separate from the antimalware scans that you run to protect your devices.
  • Well-known locations scan
    By default, the discovery mechanism examines the following well-known locations on the system drive of your Windows devices:
    • Add/Remove Programs
    • Programs folder
    • Desktop and Start menu shortcuts
    • Microsoft registry locations
  • Full disk scan
    • Includes all of the well-known scan locations plus all local drives (system or non-system)
    • Runs on all your devices.
How often discovery runs
The well-known location scan and the full disk scan run initially when your devices are licensed for the cloud. After the initial run, discovery runs on the following schedule:
  • Well-known locations scans run once a day at 3:00 A.M.
  • Full disk scans run on System drives once a month, on the tenth day of the month at midnight.
  • Full disk scans run on non-System drives once a month, on the twentieth of the month at midnight.
Viewing Discovered Items
To see the inventory and types of information that the discovery scans collect, go to
Discovered Items
Discovered Items > Files
page helps you make decisions about the types of protection and levels of protection that your environment requires. Use the information here when you set up or make changes to your Intensive Protection settings or Antimalware policies.
The files in this view often map to an application. This view is also useful when you update any Application Control policies that you use.
Symantec determines the risk level of the file based on the file reputation and prevalence.
You can use
Discovered Items > Applications
to help you monitor and manage Application Control policies.
An application is often made up of multiple files. You can view the files that are associated with a particular version of an application.
Symantec determines the risk level of an application based on the application's vulnerability score and prevalence.
For more information, see:
How Symantec defines an application
An application can have multiple versions. These versions are identified and aggregated internally into a single application object. For example, discovery might find Mozilla Firefox version 52.1.1 on a device and Firefox version 52.0.1 on another device. The cloud console shows one application (Firefox) that is seen on two devices. You can drill down to see the multiple versions of Firefox on the
tab of the application details. You can select a particular version of an application when you create a rule in an Application Control policy.