setry
Level 7
Message 1 of 5

Observation mode is blocking executions


Hi!

I'm facing many problems with my Application Control lab. 

My current lab systems are:

ePolicy Orchestrator 5.10.0 managing 15 Windows 10 1703 and 1803 clients with agent 5.6.0.878, ENS 10.6.1.1208 and Application Control 8.2.1.143.

For now, as I'm trying to implement Application Control on my production environment, I just installed AppControl, solidified C: and set all my client computers in observe mode.

I created some solidcore rules from Policy Discovery, but I just "observed" my Application Control is blocking many things, showing Execution Denied on my Application Control Events window.

As far as I understand, "MAC generates events and notifications for file executions or change prevention, as it would have done in Enable mode, but without actually preventing the executions or changes", but it's actually blocking executions of (not whitelisted) programs.

Any advice and suggestions will be greatly appreciated.


4 Replies
McAfee Employee gnautiya
McAfee Employee
Message 2 of 5

Re: Observation mode is blocking executions


Hi,

In an ideal scenario, execution denied should not happen in "Observe Mode".

Can you provide us one sample event which was observed on ePO from a client running in observe mode?

Regards


Re: Observation mode is blocking executions


Hi,

Please find the event which got blocked in observe mode.

Server ID: SV510057
Event Received Time: 7/25/19 1:34:03 PM BST
Event Generated Time: 7/25/19 1:33:57 PM BST
Preferred Event Time: 7/25/19 1:33:57 PM BST
Agent GUID: A77D83C2-DC50-11E8-39A7-005056986951
Detecting Prod ID (deprecated): SOLIDCORE_META
Detecting Product Name: Solidifier
Detecting Product Version: 8.1.0.179
Detecting Product Host Name: SV300582
DAT Version:
Engine Version:
Threat Source Host Name:
Threat Source MAC Address:
Threat Source User Name:
Threat Source Process Name:
Threat Source URL:
Threat Target Host Name: SV300582
Threat Target User Name: SV300582\Automate
Threat Target Port Number:
Threat Target Network Protocol:
Threat Target Process Name: C:\Program Files (x86)\Help Systems\Automate Schedule\pgsql\bin\postgres.exe
Threat Target File Path: C:\Program Files (x86)\Help Systems\Automate Schedule\pgsql\bin\ssleay32.dll
Event Category: Application Blocked
Event ID: 20720
Threat Severity: Error
Threat Name: EXECUTION_DENIED
Threat Type: None
Action Taken: deny execute
Threat Handled: True

----------------

Solidcore SOLIDCORE
Product Version 8.2.1
Language English (United States)
Hotfix/Patch Version
Installed Path C:\Program Files\McAfee\Solidcore
Action Type Install
Reported Date 6/3/19 6:04:30 AM BST
Status Successful
Features
Execution Control Enabled
Generate Observations Enabled
Memory Protection (CASP) Disabled
Memory Protection (NX) Disabled
Package Control Enabled
Reputation (GTI) Enabled
Reputation (TIE) Disabled
Self-Approval Disabled
General
Activation Status Full
ATD Submission Disabled
Installed Path C:\Program Files\McAfee\Solidcore
Language English
Local CLI access Restricted
Memory Protection Disabled
Memory Protection (ASLR) Enabled (Partial)
Memory Protection (DEP) Enabled (With Opt Out)
Product Version 8.1.0.179
Solidcore Service Status Running
Solidcore Status Observe
Solidcore Status on Reboot Observe
Upgrade Status Reboot is Required
Inventory Status
Inventory Fetch Time (Last) Jul 5, 2019 5:58:23 PM Greenwich Mean Time
Inventory Fetch Time (Next) Immediately
Inventory Updates Threshold Reached At Not Yet Hit
License
Application Control Enabled
Change Control Enabled
Solidification Status
Status Solidified
Throttling Status: Events
Cache Usage 0 %
Events Dropped 0
Threshold Reached At Not Yet Hit
Throttling Status: Policy Discovery (Observations)
Cache Usage 0 %
Data Dropped 0
Threshold Reached At Not Yet Hit

McAfee Employee ktankink
McAfee Employee
Message 4 of 5

Re: Observation mode is blocking executions

Upgrade Status Reboot is Required

It looks like the system is pending a reboot from a previous upgrade, which may have left the system in a state with multiple Solidcore 8.x kernel drivers loaded and running. Reboot the system and see if this continues; it shouldn't. If an upgrade is performed, the system should be rebooted as soon as possible, as well.
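As an added example (not code from the thread, from McAfee or from ePO), a small Python triage helper that parses the client properties and event record quoted above and applies the reasoning in the accepted answer: an EXECUTION_DENIED event on a client whose Solidcore Status is Observe is unexpected, and a pending upgrade reboot or a mismatch between the installed package version and the version the running client reports points at the cause. The sample values are copied from the thread; the key list and the finding strings are the example's own.

```python
# Sample data copied from the thread above (client properties and the
# Execution Denied event), trimmed to the fields the checks use.
PROPERTIES = """\
Solidcore SOLIDCORE
Product Version 8.2.1
General
Product Version 8.1.0.179
Solidcore Status Observe
Solidcore Status on Reboot Observe
Upgrade Status Reboot is Required
"""
EVENT = """\
Detecting Product Version: 8.1.0.179
Threat Name: EXECUTION_DENIED
Action Taken: deny execute
"""
# Property lines carry no delimiter, so values are split off a known key list;
# longer keys first so "Solidcore Status" does not swallow "... on Reboot".
KEYS = ("Solidcore Status on Reboot", "Solidcore Status",
        "Upgrade Status", "Product Version")

def parse_event(text):
    """Parse 'Key: Value' lines of an ePO threat event into a dict."""
    return {k.strip(): v.strip() for k, v in
            (line.split(":", 1) for line in text.splitlines() if ":" in line)}

def parse_properties(text):
    """Collect property values in order: the same key ('Product Version')
    appears once in the install record and once under General."""
    props = {}
    for line in text.splitlines():
        for key in KEYS:
            if line.startswith(key + " "):
                props.setdefault(key, []).append(line[len(key) + 1:].strip())
                break
    return props

def diagnose(event, props):
    """Return findings explaining an execution deny on an Observe-mode client."""
    findings = []
    mode = props.get("Solidcore Status", ["?"])[0]
    if event.get("Threat Name") == "EXECUTION_DENIED" and mode == "Observe":
        findings.append("EXECUTION_DENIED raised while Solidcore Status is Observe")
    if props.get("Upgrade Status", [""])[0].startswith("Reboot"):
        findings.append("upgrade pending reboot; reboot the client before re-testing")
    versions = props.get("Product Version", [])
    if len(set(versions)) > 1:
        findings.append("installed package %s but running agent reports %s"
                        % (versions[0], versions[-1]))
    return findings
```

Run over an ePO client-properties export and event dump, the three findings together reproduce the diagnosis given in the accepted answer; a client with no pending reboot and matching versions yields no findings.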

Re: Observation mode is blocking executions


Thanks, it worked after reboot 🙂
