Hi,
For the second case, in the S3diag.log, what is the parent process making this change?
Mostly, if it's e.g. explorer.exe or cmd.exe or any other generic process, we do not generate policy discovery w.r.t. them.
So basically, if it's a file modified and the parent process is some xyz.exe, our rule suggestion in policy discovery would have been to make the parent process an updater.
Now, if the parent process is a generic process, we do not want users to take action w.r.t. it; hence we do not generate any policy discovery request.
Regards,
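As an added illustration of the filtering rule described in the reply above (this is not McAfee code, and the real S3diag.log line format is not shown on this page, so the log-line shape, event names and sample lines below are constructed for the example), here is a small policy-discovery filter that raises an "updater" suggestion for a modified file only when the parent process is not a generic one such as explorer.exe or cmd.exe:

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Parents the reply calls "generic": explorer.exe and cmd.exe are named on
# the page; the other two are assumptions added for this example.
GENERIC_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe", "services.exe"}

# Event names are constructed for the example; only file-modification
# events lead to an "updater" suggestion here.
MODIFY_EVENTS = {"FILE_MODIFIED"}

# Constructed line shape (assumed, not the real S3diag.log format):
#   <timestamp> <EVENT> path="<file>" parent="<exe>" pid=<n>
LINE_RE = re.compile(
    r'^(?P<ts>\S+)\s+(?P<event>[A-Z_]+)\s+path="(?P<path>[^"]*)"'
    r'\s+parent="(?P<parent>[^"]*)"\s+pid=(?P<pid>\d+)\s*$'
)


@dataclass(frozen=True)
class Event:
    ts: str
    event: str
    path: str
    parent: str
    pid: int


def parse_line(line: str) -> Optional[Event]:
    """Return an Event for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Event(m["ts"], m["event"], m["path"], m["parent"], int(m["pid"]))


def is_generic_parent(parent: str) -> bool:
    """Windows image names are case-insensitive, so compare the lowered basename."""
    name = parent.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return name in GENERIC_PARENTS


def suggest(ev: Event) -> Optional[dict]:
    """Policy-discovery suggestion for one event, or None when nothing should be raised."""
    if ev.event not in MODIFY_EVENTS:
        return None
    if is_generic_parent(ev.parent):
        # The user should not be asked to make explorer.exe or cmd.exe an updater.
        return None
    return {"rule": "updater", "process": ev.parent, "evidence": ev.path, "ts": ev.ts}


def discover(lines: Iterable[str]) -> Tuple[List[dict], int]:
    """Run discovery over log lines; returns (suggestions, count of unparsable lines)."""
    suggestions: List[dict] = []
    unparsed = 0
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            unparsed += 1
            continue
        s = suggest(ev)
        if s is not None:
            suggestions.append(s)
    return suggestions, unparsed


# Constructed sample log for the example; not real S3diag.log output.
SAMPLE_LOG = [
    r'2019-03-01T10:00:01 FILE_MODIFIED path="C:\Program Files\App\app.dll" parent="C:\Temp\setup.exe" pid=4120',
    r'2019-03-01T10:00:05 FILE_MODIFIED path="C:\Users\bob\notes.txt" parent="C:\Windows\explorer.exe" pid=812',
    r'2019-03-01T10:00:09 FILE_MODIFIED path="C:\Temp\x.bin" parent="C:\Windows\System32\CMD.EXE" pid=900',
    r'2019-03-01T10:00:12 FILE_EXECUTED path="C:\Tools\t.exe" parent="C:\Windows\explorer.exe" pid=77',
    "garbage line that does not match the expected shape",
]

if __name__ == "__main__":
    found, bad = discover(SAMPLE_LOG)
    for s in found:
        print(f"{s['ts']} suggest updater rule for {s['process']} (modified {s['evidence']})")
    print(f"{bad} unparsable line(s)")
```

Only the setup.exe modification yields a suggestion: the explorer.exe and CMD.EXE parents are dropped as generic (matched case-insensitively on the basename), the execute event is not a modification, and the malformed line is counted rather than silently ignored.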
Indeed it was explorer.exe, so that makes sense. Alright, so it seems to be working as designed now.
Can I expect any major differences between how this is working for Windows and how it will work for Linux on the latest version?
What does W.R.T stand for?
Hi,
W.R.T.: with respect to.
The major differences between Linux and Windows are the following:
1) Windows: we have 7 activity types for which policy discovery is generated.
Linux: we have 2 activity types supported so far.
2) Windows: we whitelist the file in Observe Mode on create and execute file operations.
Linux: we don't whitelist files in Observe Mode.
Regards,
Perfect. Is there a clean list of event types for both Windows and Linux I can get hold of?
Thanks
Hi,
Our Product Guide explains this in detail.
Regards,
Question in regard to the Product Guide for Linux observations.
The table for 6.1.2 is very clear, but within the table for the 6.2 changes I'm a little confused on a couple of points.
https://kc.mcafee.com/corporate/index?page=content&id=KB79576
Question 1:
In 6.1.2 for all events, it states that under 'enabled mode' observations are generated.
Then under the 6.2 section, under "Notes", there is a little line that states 'Also, there are no observations created in Enabled mode on Linux.' So, do we get observations in Linux under Enabled mode or not?
Question 2:
Under the 6.2 table, there is a phrase used regularly which I don't understand. What does this mean?
'Out of scope for the first iteration'
Question 3:
Under 6.2 table 'deny execute' 'enable' it states
Hi,
Let me answer each of your questions below:
Question 1: Version 6.1.2 is for Windows.
In 6.1.2 for all events, it states that under 'enabled mode' observations are generated.
As Linux had Observe Mode implemented in version 6.2.x,
there we do not generate observation (policy discovery) requests in Enabled Mode.
So, do we get observations in Linux under Enabled mode or not?
The answer is "No": on Linux you get observations only if the mode is "Observe Mode".
Question 2:
'Out of scope for the first iteration'
Answer: This means it is not implemented; it can be done in future releases.
Question 3:
Under 6.2 table 'deny execute' 'enable' it states
Answer: As above, not implemented in the first release where Linux supported "Observe Mode"; hence "out of scope".
Regards