About application scan


What is an application scan?

Application scan is a passive and continuous discovery mechanism designed to provide security administrators with full visibility into the inventory of software installed on endpoints managed by Segura® EPM Windows.

This feature closes the gap between not knowing which software exists in the environment and enforcing privilege policies on it. It ensures that security rules are built on actual data rather than assumptions.

Why use application scan?

Traditionally, IT administrators struggle to list the executables and software present on user machines without relying on external inventory tools. Application scan integrates this intelligence directly into the EPM console, allowing for:

  • Elimination of External Tools: Reduces dependency on third-party inventories for collecting executable data.
  • Data-Driven Decision Making: Facilitates the creation of access lists (Allowlists/Denylists) based on what truly exists in the environment.
  • Quick Response to New Threats: Enables administrators to quickly identify newly installed software or unusual executions.

Core Concepts

To understand how application scan works, it is important to distinguish how data collection and processing occur.

1. Automatic Collection Mechanism

The scan is not a manual process triggered on demand; instead, it is a background task linked to the EPM agent Recorder.

  • Trigger: The scan operation is tied to the execution of the recording service (Recorder) on the device.
  • Frequency: Collection occurs automatically every 15 minutes.
  • Transparency: The process is designed to be seamless for the end user, ensuring that productivity is not impacted by system resource consumption.
  • Data Transmission: Every time the agent identifies installed software, it generates an event called Windows Application Scan and sends this information to the backend. This transmission occurs alongside other events every 15 minutes or whenever the service is restarted.

2. Focus on Installed vs. Executed Applications

A fundamental distinction of this feature is its primary focus on scanning installed applications.

While other EPM logs focus on who executed what, the scan focuses on what is available to be executed. This distinction allows for the proactive creation of policies even before harmful or unauthorized software is opened by the user.

Attention

Application scan is a global feature within the product. Once enabled in the EPM settings, it will operate on all Windows devices running a compatible client version. If disabled, the system stops searching for new applications.
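The following PowerShell script is an added example and is not Segura® EPM code or the agent's own collection mechanism. It illustrates the "installed, not executed" distinction on a single Windows host: it reads the installed-software entries from the Windows Uninstall registry keys, compares them with the previous run's baseline to surface newly installed applications, and lists applications that do not match an allowlist. The baseline path and the allowlist patterns are assumptions chosen for the example.

```powershell
# Added example, not Segura EPM code. Builds a local installed-software inventory
# from the Uninstall registry keys, diffs it against the previous run's baseline,
# and flags entries that are not on an allowlist. Paths and patterns are assumed.

$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$baselinePath = Join-Path $env:ProgramData 'AppScanExample\baseline.json'   # assumed location
$allowlist    = @('Microsoft Edge*', '7-Zip*', 'Segura*')                   # assumed allowlist patterns

function Get-InstalledInventory {
    # One object per installed application. Registry entries without a
    # DisplayName are update or patch stubs and are skipped.
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        ForEach-Object {
            [pscustomobject]@{
                Name        = $_.DisplayName
                Version     = $_.DisplayVersion
                Publisher   = $_.Publisher
                InstallDate = $_.InstallDate
            }
        } |
        Sort-Object Name, Version -Unique
}

function Get-NewSinceBaseline {
    param([object[]]$Current, [object[]]$Baseline)
    # Any Name+Version pair absent from the baseline counts as newly installed.
    $known = @{}
    foreach ($b in $Baseline) { $known["$($b.Name)|$($b.Version)"] = $true }
    $Current | Where-Object { -not $known.ContainsKey("$($_.Name)|$($_.Version)") }
}

function Get-NotAllowlisted {
    param([object[]]$Current, [string[]]$Patterns)
    # Wildcard match against the allowlist; anything that matches no pattern is reported.
    $Current | Where-Object {
        $name = $_.Name
        -not ($Patterns | Where-Object { $name -like $_ })
    }
}

$current  = @(Get-InstalledInventory)
$baseline = @()
if (Test-Path $baselinePath) {
    $baseline = @(Get-Content -Path $baselinePath -Raw | ConvertFrom-Json)
}

"Installed applications found: $($current.Count)"
"Newly installed since the previous run:"
Get-NewSinceBaseline -Current $current -Baseline $baseline |
    Format-Table Name, Version, Publisher -AutoSize
"Not on the allowlist (candidates for review or a denylist):"
Get-NotAllowlisted -Current $current -Patterns $allowlist |
    Format-Table Name, Version, Publisher -AutoSize

# Persist this run as the baseline for the next comparison.
New-Item -ItemType Directory -Force -Path (Split-Path $baselinePath) | Out-Null
$current | ConvertTo-Json -Depth 3 | Set-Content -Path $baselinePath -Encoding UTF8
```

Run it twice on the same host: the first run reports every application as new because no baseline exists yet, and later runs report only what was installed in between, which is the same kind of delta an administrator gets from consecutive 15-minute collections. The allowlist comparison shows why an inventory built from actual installed software, rather than from assumptions, is the right input for building access lists.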

Reports

To transform the data collected by the scan into actionable intelligence, Segura® EPM Windows provides one dashboard and four main reports. These allow administrators to monitor everything from software presence to user behavior.

Statistics scan dashboard

The statistics scan dashboard provides a centralized view to monitor and manage applications scanned, executed, and blocked in the EPM, enabling real-time tracking of endpoint activity and identification of behaviors that require administrative action or policy adjustment. More information in Scan Statistics.

Applications report

This is the central inventory generated by the scan. It details the software installed across the fleet, assisting in both licensing control and security analysis. More information in Applications.

Application usage report

Provides an analytical view of how applications are being used, recording interactions that deviate from the privilege rules defined for the Windows environment. More information in Application usage.

Execution report

Acts as a complete history, displaying a log of all applications that were actually launched on the monitored Windows devices.

Unauthorized executions report

Focused on security and compliance, this report lists actions by users who attempted to run programs that violate established access or privilege policies. More information in Unauthorized executions.