CraigR1
Level 8
Message 1 of 17

Observation Mode - Where should observation events be displaying?

I have put a couple of hosts into observation mode. Some are Windows, some are Linux. When I navigate to 'Policy Discovery' I do not see any events there. Is this not where observation events appear? Also, I'm a little confused as to what events appear there. This article outlines what events should show, but I'm not sure if I'm reading it right. https://kc.mcafee.com/corporate/index?page=content&id=KB79576 Do deny-execution events show for Linux or not? Deny writes appear to be listed as showing?
Accepted Solutions
Pravas
McAfee Employee
McAfee Employee
Message 2 of 17

Re: Observation Mode - Where should observation events be displaying?


Hi @CraigR1 ,

The Policy Discovery page usually lists events that are blocked by Solidcore in Enabled Mode.

Administrators can review the events and add or create custom policies if required.

Observe Mode generally allows all operations (that would otherwise be blocked in Enabled Mode) and writes an event to the following logs.

C:\ProgramData\McAfee\SolidCore\Logs\Solidcore.log

C:\ProgramData\McAfee\SolidCore\Logs\S3diag.log

Please also refer to the SolidCore Events page on ePO.

Thanks

Was my reply helpful?
If you find this post useful, Please give it a Kudos! Also, Please don't forget to select "Accept as a solution" if this reply resolves your query!


16 Replies

CraigR1
Level 8
Message 3 of 17

Re: Observation Mode - Where should observation events be displaying?


I have multiple Linux hosts and Windows hosts in 'observe' mode, but I don't see any events under 'Policy Discovery' or under the hosts themselves, on the System Tree / System Details / Threat Events page.

Should I not be seeing any 'deny write' or 'deny execute (for Windows)' events listed here?

gnautiya
McAfee Employee
McAfee Employee
Message 4 of 17

Re: Observation Mode - Where should observation events be displaying?


All the data related to policy discovery will be displayed on the "Policy Discovery" page in ePO.

In Observe Mode, we generate policy discovery data and send it to ePO.

Windows:

For "deny-write" -> An activity "File Modified" should be listed under the Policy Discovery page.

For "deny-exec" -> No data will be listed, as files get whitelisted at the time they are created or copied to the system while our product is in observe mode.

Linux:

For "deny-write" -> An activity "File Modified" should be listed under the Policy Discovery page.

For "deny-exec" -> An activity "Application Execution" should be listed under the Policy Discovery page.

Regards,

Was my reply helpful?
If this information was helpful in any way, or answered your question, will you please select "Accept as Solution" in my reply, or give kudos as appropriate, so together we can help other members?
CraigR1
Level 8
Message 5 of 17

Re: Observation Mode - Where should observation events be displaying?


Yes, this matches up with my expectation from the documentation.

But in reality, I'm not seeing anything on the Policy Discovery page, so either there are no events, or... something ain't working quite right.

What logs can I check to confirm, or what's a good test process for ensuring the setup is working?

gnautiya
McAfee Employee
McAfee Employee
Message 6 of 17

Re: Observation Mode - Where should observation events be displaying?


Hi,

There are 2 ways to figure this out:

1) In solidcore.log: we log information as "sending observation" for the xyz filename for which a denial might have happened.

2) If you want to test it, one use case can be as follows:

Deny-write: have a process attempt modification of a solidified file. This will result in 2 XML files within C:\ProgramData\McAfee\Agent\AgentEvents.

One should have a type of "request" and the other a type of "rule". If you are getting these, it means Policy Discovery data is generated successfully.

Regards,

 

CraigR1
Level 8
Message 7 of 17

Re: Observation Mode - Where should observation events be displaying?


I created a test.ps1 script.

I ran the 'sadmin so test.ps1' command. This however did not 'solidify' the script? I thought Solidcore whitelists .ps1 scripts?

However, when 'enabling' Solidcore and then attempting to modify the .ps1 script, it did reject any changes... so it is protecting it... I found that confusing.

Looking in the Agent Events folder, I am seeing a single XML that has 'Write Denied' in it.

Then I put Solidcore into 'observe mode' and attempted to modify the .ps1 again. This time it saves fine. And no XML files show up in the Agent Events folder?

gnautiya
McAfee Employee
McAfee Employee
Message 8 of 17

Re: Observation Mode - Where should observation events be displaying?


Yes, in the latest Windows versions .ps1 should get solidified if done.

In Enable Mode:

Execute the .ps1 script without solidification; you should get a policy discovery activity named "Script execution".

Second: if this script was denied for modification, and you got an event for the same, then policy discovery data should also get generated.

If not, this calls for more debugging; share your C:\ProgramData\McAfee\Solidcore\Logs folder with us.

Regards.

CraigR1
Level 8
Message 9 of 17

Re: Observation Mode - Where should observation events be displaying?


Alright, so half the problem is figured out. There was a setting under the 'Application Control Common Options' policy that enables 'generate observations' under a feature list. Once I turned this on, I spotted a couple of observations appearing in the 'Policy Discovery' area. However, they don't also appear in the 'Threat Events' area as I had expected from your description?

But I still have an issue in regard to which events are generating observations. So far this is what my tests have shown.

1. I create a new .ps1 script whilst in observation mode. I then execute the script. This executes fine. An observation is generated, stating that Microsoft.PowerShell.Utility.psm1 was allowed to add Test.ps1 in Observe Mode.

Alright, so that indicates observe mode just added the temporary executable created when running the .ps1 to the whitelist. That makes sense.

2. I then edit this .ps1 script and save. The save happens without issue. No events or observations are created, however. No logs appear in the solidcore.log. But if I look in the s3diag.log I see the following:

File_Modified file_name = Test.ps1 file_type="script" is_system_file="false"

WRITE_DENIED file_name = Test.ps1 deny_reason="File-solidified"

So it's confusing, as the file is being modified and saved as expected, without any interruption to this from a Windows perspective. No events are created (that seems correct), but no observations are created (now that doesn't seem correct). BUT the s3diag log shows 'write_denied' events... according to the observations documentation and what you have said, it should be generating observations for write_denied.
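
A small correlation script, added here as an illustration (it is not from the thread or from McAfee), that automates gnautiya's "sending observation" check against the s3diag.log lines quoted in the post above: it parses WRITE_DENIED entries from s3diag.log and reports the denied files that never got a "sending observation" line in solidcore.log, which is exactly the gap described for Test.ps1. The s3diag line layout is taken from the quoted lines; the solidcore.log sample, its timestamp prefix and the setup.exe entries are assumed, since the thread only gives the "sending observation" phrase.

```python
import re

# Constructed s3diag.log sample, modelled on the two lines quoted in this thread;
# the setup.exe lines are assumed for illustration.
S3DIAG_SAMPLE = """\
File_Modified file_name = Test.ps1 file_type="script" is_system_file="false"
WRITE_DENIED file_name = Test.ps1 deny_reason="File-solidified"
File_Modified file_name = setup.exe file_type="executable" is_system_file="false"
WRITE_DENIED file_name = setup.exe deny_reason="File-solidified"
"""

# Constructed solidcore.log sample: the thread only says the agent logs "sending observation"
# for the file name, so the timestamp and the words around that phrase are assumed.
SOLIDCORE_SAMPLE = """\
2024-01-01 10:00:01 sending observation for setup.exe
2024-01-01 10:00:02 heartbeat ok
"""

# <EVENT> file_name = <name> key="value" ...  (file names without spaces, as in the quoted lines)
EVENT_RE = re.compile(r'^(?P<event>\w+)\s+file_name\s*=\s*(?P<file>\S+)(?P<rest>.*)$')
ATTR_RE = re.compile(r'(\w+)="([^"]*)"')

def parse_s3diag(text):
    """Parse s3diag.log lines into dicts of event name, file name and key="value" attributes."""
    records = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue  # unrelated diagnostic line
        rec = {"event": m.group("event"), "file": m.group("file")}
        rec.update(ATTR_RE.findall(m.group("rest")))
        records.append(rec)
    return records

def observation_lines(text):
    """Lines of solidcore.log that record an observation being sent to ePO."""
    return [ln for ln in text.splitlines() if "sending observation" in ln.lower()]

def unobserved_denials(s3diag_text, solidcore_text):
    """WRITE_DENIED files with no matching 'sending observation' line (the gap seen with Test.ps1)."""
    obs = observation_lines(solidcore_text)
    missing = []
    for rec in parse_s3diag(s3diag_text):
        if rec["event"] != "WRITE_DENIED":
            continue
        if not any(rec["file"].lower() in ln.lower() for ln in obs):
            missing.append((rec["file"], rec.get("deny_reason", "")))
    return missing
```

Run it against the real files by passing the contents of S3diag.log and Solidcore.log from C:\ProgramData\McAfee\SolidCore\Logs to unobserved_denials(); every file it returns is a denied write that should have produced an observation but did not.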

CraigR1
Level 8
Message 10 of 17

Re: Observation Mode - Where should observation events be displaying?


I'll add another type of test which worked as expected:

3. Copy an .exe installer file and then run it.
This allowed the executable to run, and an observation was observed in both 'Policy Discovery' and 'Threat Events'.

So at least it appears to be somewhat working. Just the issues with 1 and 2.
