Hi @CraigR1 ,
The Policy Discovery page usually lists events that are blocked by Solidcore in Enabled Mode.
Administrators can review the events and create custom policies if required.
Observe Mode generally allows all operations (that would otherwise be blocked in Enabled Mode) and writes an event to the following logs:
C:\ProgramData\McAfee\SolidCore\Logs\Solidcore.log
C:\ProgramData\McAfee\SolidCore\Logs\S3diag.log
Please also refer to the SolidCore Events page on ePO.
Thanks
I have multiple Linux hosts and Windows hosts in 'observe' mode, but I don't see any events under 'policy discovery' or under the hosts themselves, in the system tree/system details/threat events page?
Should I not be seeing any 'deny write' or 'deny execute (for windows)' listed here?
All the data related to policy discovery will be displayed in the "Policy Discovery" page in ePO.
In Observe Mode, we generate policy discovery data and send it to ePO.
Windows:
For "deny-write" -> An activity "File Modified" should be listed under the Policy Discovery page.
For "deny-exec" -> No data will be listed, as files get whitelisted at the time they are created or copied on system while our product is in observe mode.
Linux:
For "deny-write" -> An activity "File Modified" should be listed under the Policy Discovery page.
For "deny-exec" -> An activity "Application Execution" should be listed under the Policy Discovery page.
Regards,
Yes this matches up to my expectation from the documentation.
But in reality, I'm not seeing anything in the policy discovery page, so either there are no events, or..... something ain't working quite right.
What logs can I check to confirm, or what's a good test process for ensuring the setup is working?
Hi,
There are 2 ways to figure this out:
1) In solidcore.log: we log information as "sending observation" for the xyz filename for which a denial might have happened.
2) If you want to test it, one use case can be as follows:
Deny-write: have a process attempt modification of a solidified file; this will result in 2 XML files within C:\ProgramData\McAfee\Agent\AgentEvents.
One should have a type of "request" and the other a type of "rule". If you are getting these, it means policy discovery is generated successfully.
Regards,
I create a test.ps1 script.
Ran the 'sadmin so test.ps1' command. This however did not 'solidify' the script? I thought Solidcore whitelists .ps1 scripts?
However, when 'enabling Solidcore' and then attempting to modify the .ps1 script, it did reject any changes.... so it is protecting it.... found that confusing.
Looking in the Agent Events folder, I am seeing a single XML that has 'Write Denied' in it.
Then I put Solidcore into 'observe mode' and attempted to modify the .ps1 again. This time it saves fine. And no XML files show up in the Agent Events folder?
Yes, in the latest Windows versions .ps1 should get solidified if done.
In Enabled Mode:
Execute the .ps1 script without solidification; you should get a policy discovery activity named "Script execution".
Second: if this script was denied for modification, and you got an event for the same, then policy discovery should also get generated.
If not, this calls for more debugging; share your C:\ProgramData\McAfee\Solidcore\Logs folder with us.
Regards.
Alright, so half the problem is figured out. There was a setting under the 'Application Control Common Options' policy that enabled 'generate observations' under a feature list. Once I turned this on, I have spotted a couple of observations appearing in the 'Policy Discovery' area. However, they don't also appear in the 'Threat Events' area as I had expected from your description?
But still I have an issue in regards to what events are generating observations. So far this is what my tests have shown.
1. I create a new .ps1 script whilst in observation mode. I then execute the script. This executes fine. An observation is generated, stating that Microsoft.PowerShell.Utility.psm1 was allowed to add Test.ps1 in Observe Mode.
Alright, so that indicates observe mode just added the temporary executable created when running the .ps1 to the whitelist. That makes sense.
2. I then edit this .ps1 script and save. The save happens without issue. No events or observations are created however. No logs appear in the solidcore.log. But if I look in the s3diag.log I see the following:
File_Modified file_name = Test.ps1 file_type="script" is_system_file="false"
WRITE_DENIED file_name = Test.ps1 deny_reason="File-solidified"
So it's confusing, as the file is being modified and saved as expected, without any interruption to this from a Windows perspective. No events are created (that seems correct), but no observations are created (now that doesn't seem correct). BUT the s3diag log shows 'write_denied' events.... according to the observations documentation and what you have said, it should be generating observations for write_denied.
I'll add another type of test which worked as expected:
3. Copy an .exe installer file. And then run it.
This allowed the executable to run, and an observation was observed in both 'Policy Discovery' and 'Threat Events'.
So at least it appears to be somewhat working. Just the issues with 1 and 2.
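The two checks suggested earlier in the thread (grep solidcore.log for "sending observation", and look at what s3diag.log records for the file) can be done in one pass. The script below is an added example, not part of this thread or of the McAfee/Trellix product: it parses s3diag.log lines in the `EVENT file_name = X key="value"` form quoted above, collects every file that received a `*_DENIED` record, and reports those that never appear on a "sending observation" line in solidcore.log. That mismatch is exactly test case 2 in the post above (a WRITE_DENIED in s3diag with no observation generated). The sample log text is constructed (the two Test.ps1 lines are the ones quoted in the thread; the rest are made up in the same style), the assumption that other denial types log with a `_DENIED` suffix is mine, and the exact wording of the solidcore.log line beyond the phrase "sending observation" is unknown, so the match is a simple substring test.

```python
import re
from pathlib import Path

# Default log locations named in this thread (Windows hosts).
S3DIAG_LOG = Path(r"C:\ProgramData\McAfee\SolidCore\Logs\S3diag.log")
SOLIDCORE_LOG = Path(r"C:\ProgramData\McAfee\SolidCore\Logs\Solidcore.log")

# Constructed sample input. The two Test.ps1 lines are quoted from the thread;
# the setup.exe and notes.txt lines are made up in the same style (assumption).
S3DIAG_SAMPLE = """\
File_Modified file_name = Test.ps1 file_type="script" is_system_file="false"
WRITE_DENIED file_name = Test.ps1 deny_reason="File-solidified"
WRITE_DENIED file_name = setup.exe deny_reason="File-solidified"
File_Modified file_name = notes.txt file_type="data" is_system_file="false"
"""

# Constructed solidcore.log excerpt: only the "sending observation" phrase is
# from the thread; the rest of the line layout is an assumption.
SOLIDCORE_SAMPLE = """\
sending observation for setup.exe
"""

# EVENT_NAME file_name = <name> key="value" key="value" ...
LINE_RE = re.compile(r'^(?P<event>\S+)\s+file_name\s*=\s*(?P<file>\S+)\s*(?P<rest>.*)$')
ATTR_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_s3diag(text):
    """Parse s3diag-style lines into dicts with 'event', 'file' and any
    quoted key="value" attributes. Lines without a file_name are skipped."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        rec = {"event": m.group("event"), "file": m.group("file")}
        rec.update(ATTR_RE.findall(m.group("rest")))
        events.append(rec)
    return events


def denied_files(events):
    """File names with at least one *_DENIED record. WRITE_DENIED is the
    type shown in the thread; matching the suffix is an assumption."""
    return {e["file"] for e in events if e["event"].upper().endswith("_DENIED")}


def observed_files(solidcore_text, candidates):
    """Subset of candidates that appear on a 'sending observation' line."""
    obs_lines = [ln.lower() for ln in solidcore_text.splitlines()
                 if "sending observation" in ln.lower()]
    return {f for f in candidates if any(f.lower() in ln for ln in obs_lines)}


def missing_observations(s3diag_text, solidcore_text):
    """Files denied in s3diag.log that never produced an observation."""
    denied = denied_files(parse_s3diag(s3diag_text))
    return sorted(denied - observed_files(solidcore_text, denied))


def main():
    # Use the real logs when present, otherwise fall back to the samples.
    s3 = S3DIAG_LOG.read_text(errors="replace") if S3DIAG_LOG.exists() else S3DIAG_SAMPLE
    sc = SOLIDCORE_LOG.read_text(errors="replace") if SOLIDCORE_LOG.exists() else SOLIDCORE_SAMPLE
    for name in missing_observations(s3, sc):
        print(f"denied in s3diag.log but no 'sending observation' for: {name}")


if __name__ == "__main__":
    main()
```

Run it on the host after reproducing the write attempt; a file listed in the output is one where the kernel driver recorded a denial but the agent never sent an observation, which is the symptom to take to support along with the Logs folder. On the sample data only Test.ps1 is reported, since setup.exe has a matching observation line.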