I'm facing many problems with my Application Control lab.
My current lab systems are:
ePolicy Orchestrator 5.10.0 managing 15 Windows 10 1703 and 1803 clients with agent 22.214.171.1248, ENS 10.6.1.1208 and Application Control 126.96.36.199.
For now, as I'm trying to implement Application Control in my production environment, I just installed AppControl, solidified C: and set all my client computers in observe mode.
I created some solidcore rules from Policy Discovery, but I just "observed" my Application Control is blocking many things, showing Execution Denied on my Application Control Events window.
As far as I understand, "MAC generates events and notifications for file executions or change prevention, as it would have done in Enable mode, but without actually preventing the executions or changes", but it's actually blocking executions of (not whitelisted) programs.
Any advice and suggestions will be greatly appreciated.
In an ideal scenario, Execution Denied should not happen in "Observe Mode".
Can you provide us with one sample event that was observed on ePO from a client running in observe mode?