Switching from Observe Mode to Enable Mode

I have put a Windows XP system into Observe Mode and also fetched its inventory. I am about to put the system into Enable Mode, which raised a few questions in my mind.

1. Does the Policy Discovery page only list events from non-trusted applications? It doesn't list executions by the Windows operating system etc.

2. Before switching to Enable Mode, do I need to go to the Inventory and mark all the apps in the list as trusted (assuming that I only have apps that I trust)? 99% of the apps in this list did not come up on the Policy Discovery page. Does this mean they are trusted already? Do I need to mark them as trusted before switching to Enable Mode?

1 Reply

Re: Switching from Observe Mode to Enable Mode

Janukahw,

Broadly speaking, you could say that Policy Discovery is used to identify binaries that function as Updaters, as well as other binaries that have come into existence after your initial solidification and are therefore not whitelisted. McAfee purportedly added logic to the generation of Policy Discovery Requests such that not every event is reported and uploaded to the ePO. So, in my experience, you sometimes miss events that you would otherwise need to have catered for with a Solidcore rule to prevent system instability, which is why McAfee recommend robust testing (including Enabled mode) and a staged implementation.

With regard to the enterprise trust level of binaries in the inventory, when we initially deployed we reviewed and classified accordingly, but we find little value in undertaking the activity now. We do pay attention to the Cloud Trust level, as this is a score determined by McAfee having aggregated information from their customers to feed into the Global Threat Intelligence platform. If binaries are reported by McAfee as having a poor reputation, we investigate accordingly to determine if action is required to block that binary globally. The inventory in the ePO is an aggregated source of binaries uploaded from your endpoints. Each endpoint maintains its own local inventory, which it uses as its whitelist, so there is no need to mark anything as trusted within the ePO before you enable Solidcore on your endpoints.

HTH

Mick
