Showing results for 
Search instead for 
Did you mean: 
Level 7
Report Inappropriate Content
Message 1 of 2

Observation mode is blocking executions


I'm facing many problems with my Application Control lab. 

My current lab systems are:

ePolicy Orchestrator 5.10.0 managing 15 Windows 10 1703 and 1803 clients with agent, ENS and Application Control

For now, as I'm trying to implement Application Control on my production environment, I just installed AppControl, solidified C: and set in observe mode all my client computers.

I created some solidcore rules from Policy Discovery, but I just "observed" my Application Control is blocking many things, showing Execution Denied on my Application Control Events window.

As far as I understand, "MAC generates events and notifications for file executions or change prevention, as it would have done in Enable mode, but without actually preventing the executions or changes.", but it's actually blocking executions of (not whitelisted) programs.

Any advice and suggestions will be greatly appreciated.

1 Reply
McAfee Employee gnautiya
McAfee Employee
Report Inappropriate Content
Message 2 of 2

Re: Observation mode is blocking executions


In ideal scenario execution denied should not happen in "Observe Mode".


Can you provide us one sample event which was observed on ePO from client running in observe mode.


Was my reply helpful?
If this information was helpful in any way, or answered your question, will you please select "Accept as Solution" in my reply, or give kudos as appropriate, so together we can help other members?
More McAfee Tools to Help You
  • Subscription Service Notification (SNS)
  • How-to: Endpoint Removal Tool
  • Support: Endpoint Security
  • eSupport: Policy Orchestrator