Showing results for 
Show  only  | Search instead for 
Did you mean: 
Level 8
Report Inappropriate Content
Message 1 of 6

Events not Generated in Observe Mode

Hi All, 

Fairly new to Application control so forgive me if I am missing something but I have installed App Control on and Endpoint and Solidified. Its running in Observe mode and has rebooted several times. I create a new script and execute it and nothing is displayed locally or in the Policy Discovery. If I set the Endpoint to Enabled Mode and re-run the script the script is blocked and the event is sent to Policy Discovery.  

Am I doing something wrong? 

5 Replies
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 2 of 6

Re: Events not Generated in Observe Mode

Hi @SMWip,

Thank you for posting on the community.

If it is a simple execution without modification other binary files like installer file, the observation event for the Policy Discovery is not generated as designed.

I think the following KB helps you. In the Functionality section, you can see the table for events generated in workflow in Observe mode and Enable mode.

I hope this helps.


Was my reply helpful?

If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and together we can help other members?
Level 8
Report Inappropriate Content
Message 3 of 6

Re: Events not Generated in Observe Mode

Ah thanks I see so for a file that would Deny Exec in Observe mode its just added to the Local WhiteList and no observation is registered. 

So what if I am trying to create a baseline policy using a "known good" endpoint and want to make sure all files executed are added to ePO policy and not just the local whitelist? Or the reverse, I want to see what files are running in Observe mode so I can block certain scripts that should not be in use?

I am also struggling to find enough information on Script Interpreters. For example I want to assign an AD group to PowerShell so that anyone in the group can execute custom PowerShell scripts but I cant see how to do this.   


Re: Events not Generated in Observe Mode


I'm experiencing the same problem with events not getting generated in Observe mode in app control version and extension (was told by support to upgrade the extension to resolve other issues we were having). The type of events I'm concerned with from the provided KB link are:

  • Executable extracting MSI files
  • Executable extracting binary files (exe, dll, driver) and script files

In our environment we were expecting to see an event get generated for software installations/uninstallations of apps that are not apart of the whitelist. Would this type of scenario fall under the event types I listed above? The product guide documentation isn't very easy to follow on this topic, but from what I can interpret, it seems like this scenario should generate an event in observe mode.


Level 8
Report Inappropriate Content
Message 5 of 6

Re: Events not Generated in Observe Mode

Do you have Generate Observations enabled under Features in the Application Control Options menu?

Re: Events not Generated in Observe Mode

Yes we do

You Deserve an Award
Don't forget, when your helpful posts earn a kudos or get accepted as a solution you can unlock perks and badges. Those aren't the only badges, either. How many can you collect? Click here to learn more.

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from McAfee experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by McAfee employees.
Join the Community
Join the Community