Manage applications

This topic describes the Application Catalog page, where you can see a list of applications detected by EPM on endpoint computers.

Overview

The Application Catalog displays a list of the applications detected by EPM and information about them. EPM detects an application in any of the following cases:

  • The application is managed by an EPM policy.

  • The application is not managed by a policy but generated events.

  • You ran a scan to detect applications.

Applications appear in this list until the period of file retention defined in the system expires.

Scan applications

You can scan specific computers or computer groups, and discover the applications installed on them. The discovered applications are then added to the Application Catalog.

We recommend that you scan the minimum number of computers, or a computer group containing a small number of targeted computers, to prevent unnecessary load on your network, which could affect system performance.

Currently, EPM only scans Windows and macOS endpoints.

Configure scanning

You must configure EPM to scan file types for the application catalog. The EPM management console only displays the application catalog when this configuration is set.

To configure scanning
  1. Go to Advanced > Agent Configuration.

  2. In the General configuration row, click the More actions (...) button, and select Edit parameters. You can now see a full list of the agent configuration settings and their values.

  3. Under Data collection, in the File types to scan for Application Catalog row, click the More actions (...) button, and select Edit.

  4. In the File types to scan for Application Catalog dialog, select the platform and then the file types to collect when scanning is triggered, then click Done.

    The following example shows the file types you can collect on Windows endpoints.

By default, the following files and folders are not scanned:

  • EPM agent files and components

  • EPM agent installers

  • macOS folders: /dev and /Library/SystemExtensions

Start scanning EPM endpoints

EPM scans endpoint computers to detect installed applications, and then displays them as a list in the Application Catalog.

Scans are not performed on computers that are currently being scanned, have been scanned in the last 24 hours, or are currently disconnected.

  1. Click Scan Computers to open the Targets window.

  2. Select the computers to include in or exclude from the scan, then click Start scan.

You can also initiate a scan for individual computers in the My Computers pane. For details, see Scan application files.

View the scan status

When collection is enabled, you can see the progress of the application collection process at any time.

Click the arrow next to Scan computers and select Scanning status.

The computers scan summary displays the number of computers that are currently being scanned and the number of computers on which the scan has finished.

View applications on endpoint computers

The Application Catalog page displays a list of applications detected by EPM on endpoint computers in the Set. By default, applications are sorted according to when EPM first detected them. You can re-sort them according to any column, and apply filters to view a more focused list.

In addition, you can search for specific applications according to filename, checksum, publisher or product name, and can filter them according to file type, installation date, platform, and more.

To apply specific filters, click All filters.

At the top of the applications grid, you can see the number of applications that are currently displayed and the total number of applications that have been sent to the EPM service.

By default, 250 aggregated events are displayed at a time. This is configurable in Server configuration > Common settings.

When the total number of aggregated events is higher than 20,000, EPM displays 20,000+. This number increases every 10,000 events.

The following table lists the supported application types for each platform.

Application type              Platform
Executable/command            Windows, macOS, Linux
Dynamic link library          Windows
Script                        Windows and Linux
Installation package          Windows, macOS, Linux
Windows update package        Windows
macOS disk image              macOS
Windows application           Windows
COM object                    Windows
ActiveX control installation  Windows

View application details

Click an application to open the details pane and view information about the application event.

More application catalog actions

In the row of the application to manage, click the More actions (...) button, and then one of the following options:

Option                                Description
File Summary                          Opens a new tab that displays the File Summary page for this application. For details, see View application details.
Add application to policy             Add the application to an existing policy or create a new advanced policy. For details, see Add an application to a policy, below.
Add application to application group  Add the application to an existing application group or create a new one. For details, see Add an application to an application group, below.
Threat Intelligence                   Run threat analysis for this application. For details, see Run threat analysis for an application.

Add an application to a policy

Add an application to an existing policy

You can add applications to existing policies to apply immediate coverage.

  1. In the line of the application to add to the policy, click the More actions (...) button and select Add application to policy.

  2. In the Select application policy window, search for the existing policy. Enter the name, action and status of the policy, then click Apply to display a list of policies that match these criteria.

  3. Select the policy to add the application to, then click one of the following buttons:

    Option          Description
    Edit in policy  Open the Edit policy page to add the application to the policy and set properties.
    Add to policy   Add the application to the policy to give it immediate coverage.

  4. In the Policy form, under Scope, click View all to display all the definitions that are configured for this policy, including the new one you are adding now. The new policy definition appears at the top of the list.

  5. In the line of the definition for the application you are adding now, click the More actions (...) button, and select Edit.

  6. In the Application definition window, click Add properties from event to display a list of the event details.

    The details that are already in the policy scope are checked. Select additional properties to include in the policy scope, then click Add.

    If you add a property to the policy scope definition and then change it, you can still revert to the original value before you save the policy.

  7. Click Add properties from event again and select the event property. This overwrites the changed value and applies the value collected by the event.

  8. To remove a property that was automatically included, delete it from the list of properties.

  9. When you have finished setting the application definitions, click Done to return to the Policy form.

  10. Define the rest of the policy, as described in Application policies.

Add an application to a new policy

You can add applications to a new policy and apply it immediately.

  1. In the line of the application to add to the new policy, click the More actions (...) button and select Add application to policy.

  2. In the Select application policy window, click Create advanced policy, and confirm that you want to create an advanced application policy.

  3. Specify the name of the policy, the platform, and the action that the policy will manage, then click Continue.

  4. Under Scope, the details of the event are already listed.

    If you can't see all the events you selected, click View all to refresh the scope. The new policy definition appears at the top of the list.

    To edit this scope, click the More actions (...) button and select Edit.

  5. In the Application definition window, click Add properties from event to display a list of the event details.

    The details that are already in the policy scope are checked. Select additional properties to include in the policy scope, then click Add.

    If you add a property to the policy scope definition and then change it, you can still revert to the original value before you save the policy.

  6. Click Add properties from event again and select the event property. This overwrites the changed value and applies the value collected by the event.

  7. To remove a property that was automatically included, delete it from the list of properties.

  8. Define the rest of the policy, as described in Application policies.

Create a trust policy

  1. In the row of the application to manage, click the More actions (...) button and select Add application to policy.

  2. Click the Create advanced policy drop-down, then select Create trust policy.

  3. Define a trust application policy for the application. For more details, see Trust policies.

Add an application to an application group

Add an application to an existing application group

You can add an application to an existing application group to immediately apply the policy coverage that has already been defined for that group.

  1. In the line of the application to add to the existing application group, click the More actions (...) button and select Add application to application group.

  2. Search for the existing application group. Enter the name and type of the application group, then click Apply to display a list of groups that match these criteria.

  3. Select the application group to add the application to, then click one of the following:

    Option                     Description
    Edit in application group  Open the Edit application group page, then add the application to the group and set properties.
    Add to application group   Add the application to the application group and apply the policies that manage the selected application group immediately.

    All policies that manage the selected application group apply to this application immediately.

  4. In the Application Groups form, under Scope, click View all to display all the definitions that are configured for this application group, including the new application you are adding now. The new application appears at the top of the list.

  5. In the line of the definition for the application you are adding now, click the More actions (...) button and select Edit.

  6. In the Application definition window, click Add properties from event to display a list of the application definitions.

    The details that are already in the scope of the application group are checked. Select additional properties to include in the scope, then click Add.

    If you add a property to the scope definition and then change it, you can still revert to the original value before you save the policy.

  7. Click Add properties from event again and select the event property. This overwrites the changed value, and applies the value collected by the event.

  8. To remove a property that was automatically included, in the Application definition window, delete it from the list of properties.

  9. When you have finished defining the Application definitions, click Done to return to the Application Group form, and then Save to add the new application(s) to the group.

Add an application to a new application group

You can create a new application group and add applications to it directly.

  1. In the line of the application to add to the new application group, click the More actions (...) button and select Add application to application group.

  2. In the Select application group window, click Create application group, then specify the name of the application group and the platform of the applications it will include.

  3. In the Application Groups form, under Scope, click View all to display the definitions for this application group. EPM takes these from the application(s) you are adding now.

  4. In the line of the definition for each application, click the More actions (...) button and select Edit.

  5. In the Application definition window, click Add properties from event to display a list of the application definitions.

    The details that are already in the scope of the application group are checked. Select additional properties to include in the scope, then click Add.

    If you add a property to the scope definition and then change it, you can still revert to the original value before you save the policy.

  6. Click Add properties from event again and select the event property. This overwrites the changed value, and applies the value collected by the event.

  7. To remove a property that was automatically included, in the Application definition window, delete it from the list of properties.

  8. When you have finished defining the Application definitions, click Done to return to the Application Group form, and then Create to add the new application(s) to the group.

For more details, see Application groups.

Run threat analysis for an application

You can run a threat analysis for a single application.

  1. In the row of the application to manage, click the More actions (...) button and select Threat Intelligence.

  2. Select the threat intelligence service to run for the selected application. Depending on the application you selected, either a pop-up appears and displays the results, or EPM opens a full report on a third-party site in a browser.

For more details, see Assess threats.

Analyze policy coverage

The Application Coverage by Policies page gives you an overview of applications on endpoint computers and how many are managed by EPM policies.

By default, applications are sorted according to policies, in alphabetical order. You can re-sort them according to any column, and apply filters to view a more focused list.

To analyze policy coverage

In the EPM menu, expand Application Catalog, and click Applications Coverage by Policies to start the analysis.

This process takes a while and you can only run one analysis at a time.

You can apply filters to find any application in the list and check that it is managed by an EPM policy. You can also sort the list of applications according to any column.

More actions

In the row of the application to view, click the More actions (...) button and then one of the following options:

Option                       Description
Open in Application Catalog  Opens a new tab that displays this application in the Application Catalog.
Open in File Summary         Opens a new tab that displays the View application details page for this application.