setry
Level 7
Message 1 of 2

Observation mode is blocking executions

Hi!

I'm facing many problems with my Application Control lab. 

My current lab systems are:

ePolicy Orchestrator 5.10.0 managing 15 Windows 10 1703 and 1803 clients with agent 5.6.0.878, ENS 10.6.1.1208 and Application Control 8.2.1.143.

For now, as I'm trying to implement Application Control in my production environment, I just installed AppControl, solidified C: and set all my client computers to observe mode.

I created some solidcore rules from Policy Discovery, but I just "observed" my Application Control is blocking many things, showing Execution Denied on my Application Control Events window.

As far as I understand, "MAC generates events and notifications for file executions or change prevention, as it would have done in Enable mode, but without actually preventing the executions or changes", but it's actually blocking executions of (not whitelisted) programs.

Any advice and suggestions will be greatly appreciated.

1 Reply
McAfee Employee gnautiya
Message 2 of 2

Re: Observation mode is blocking executions

Hi,

In an ideal scenario, Execution Denied should not happen in "Observe Mode".

Can you provide us with one sample event which was observed on ePO from a client running in observe mode?

Regards
