McAfee Employee
Message 11 of 17

Re: Observation Mode - Where should observation events be displaying?

Hi,

For the second case, in the S3diag.log, what is the parent process making this change?

Mostly, if it is e.g. explorer.exe or cmd.exe or any other generic process, we do not generate policy discovery w.r.t. them.

So basically, if a file is modified and the parent process is some xyz.exe, our rule suggestion in policy discovery would have been to make the parent process an updater.

Now, if the parent process is a generic process, we do not want users to take action w.r.t. it, hence we do not generate any policy discovery request.

Regards,

Was my reply helpful?
If this information was helpful in any way, or answered your question, will you please select "Accept as Solution" in my reply, or give kudos as appropriate, so together we can help other members?
CraigR1
Level 8
Message 12 of 17

Re: Observation Mode - Where should observation events be displaying?

Indeed it was explorer.exe, so that makes sense. Alright, so it seems to be working as designed now.

Can I expect any major differences between how this is working for Windows and how it will work for Linux on the latest version?

What does W.R.T stand for?

gnautiya
McAfee Employee
Message 13 of 17

Re: Observation Mode - Where should observation events be displaying?

Hi,

W.R.T.: with respect to.

The major differences between Linux and Windows are the following:

1) Windows: we have 7 activity types for which policy discovery is generated.

Linux: we have 2 activity types supported so far.

2) Windows: we whitelist the file in Observe Mode on create and execute file operations.

Linux: we don't whitelist files in Observe Mode.

Regards,

CraigR1
Level 8
Message 14 of 17

Re: Observation Mode - Where should observation events be displaying?

Perfect. Is there a clean list of event types for both Windows and Linux I can get hold of?

Thanks

gnautiya
McAfee Employee
Message 15 of 17

Re: Observation Mode - Where should observation events be displaying?

Hi,

Our Product Guide explains this in detail.

Regards,

CraigR1
Level 8
Message 16 of 17

Re: Observation Mode - Where should observation events be displaying?

Question in regards to the product guide for Linux observations.

The table for 6.1.2 is very clear, but within the table for 6.2 changes, I'm a little confused on a couple of points.

https://kc.mcafee.com/corporate/index?page=content&id=KB79576

Question 1:
In 6.1.2 for all events, it states that under 'enabled mode' observations are generated.

Then under the 6.2 section, under "Notes", there is a little line that states 'Also, there are no observations created in Enabled mode on Linux.' So do we get observations in Linux under Enabled mode or not?

Question 2:
Under the 6.2 table, there is a phrase used regularly which I don't understand. What does this mean?

'Out of scope for the first iteration'

Question 3:
Under the 6.2 table, 'deny execute' 'enable', it states:

  • Out of scope for the first iteration: Generate Rule for "Attribute authorize by name"

    What does this mean? That it's generating rules and allowing things? Is it a mistake, and should it be saying 'generate observation'?

gnautiya
McAfee Employee
Message 17 of 17

Re: Observation Mode - Where should observation events be displaying?

Hi,

Let me explain each of your questions below:

Question 1: 6.1.2 version is for Windows.
In 6.1.2 for all events, it states that under 'enabled mode' observations are generated.

As Linux had Observe Mode implemented in the 6.2.x version, there we do not generate observation (policy discovery) requests in Enable Mode.

So do we get observations in Linux under Enabled mode or not?

Answer is "No". On Linux you get observations only if the Mode is "Observe Mode".

Question 2:
'Out of scope for the first iteration'

Answer: This means it is not implemented; it can be done in future releases.

Question 3:
Under the 6.2 table, 'deny execute' 'enable', it states:

  • Out of scope for the first iteration: Generate Rule for "Attribute authorize by name"

    What does this mean? That it's generating rules and allowing things? Is it a mistake, and should it be saying 'generate observation'?

Answer: As above, not implemented in the first release where Linux supported "Observe Mode", hence "out of scope".

Regards,