Endpoint Protection

Application learning is a favorite feature of mine, but it doesn't seem to be working properly:

*Application learning is enabled under Clients/Communications Settings/"Upload" and Admin/Site Properties/General/"Keep track of every application..."

*If I search for .exe's and .dll's common to c:\windows\system32\ on a Windows 7 machine I get no hits

*Yet if I search for notepad.exe, I get results

SEP Managers are 12.1.1101.401

Most clients are 11.0.7101.1056

I'm not finding anything about a known incompatibility between the two versions... any other ideas or troubleshooting steps?  This feature has worked really well in the past to find infections on multiple machines...

Have you seen the same issue when the client is at 12.1.1101.401 as well?

Upgrade a few clients to 12.1.1101.401 to see if that help

I've got a few clients on 12.1.671.4971 and common system files still do not appear.

To elaborate further:

*The SEPM seems to learn of some applications, but not all of them.  For example notepad.exe produced plenty of results, but write.exe does not.

I do have a support case going on this (an on the phone waiting right now in fact) but figured I'd throw this out there... One thing I'm wondering is, does SEP only "learn" about processes that actually run, or anything that lives in the machine?

Should be for processes that actually run.

Ahh - that was one question I had (which the support engineer couldn't answer).  I'll make sure I run write and then check the database...

Thanks!