Would Clean, Block and Delete
Hello, all

It may be a noob question, but I need confirmation on it. So, in my company we have this Observe Mode configured on about 20,000 endpoints and I see a lot of events 35106, 35102 and 34938 on ePO, even saying that it is known malicious software, but it did not clean, block or delete because it is set to Observe Mode. Does that mean these malwares are running free in the environment? Would ENS not delete these files if they are known malicious?

This is not my responsibility in the company, but seeing all these non-action events is bugging me...

Thanks!

Accepted Solution

AdithyanT (McAfee Employee), Message 8 of 8

Re: Would Clean, Block and Delete


Hi @Eduardo_Zeit 

Good question! I am afraid that, as per this specific log event, the file is being determined malicious by the ATP component only (we have other components involved in malware detection as well). Since the entire ATP is set to be in Observe mode, despite seeing the file as malicious, it would only generate the events and not block it.

Why?

This would be as per design, as this is a conscious choice made by the user (Admin) to only observe and not block the events.

I would presume this is in Observe mode to understand the possibilities of false positives and probably fine-tune the rules and settings in your environment for optimal use of ATP. It is best to discuss this with your administrators to understand why this choice was made. Sincerely hope this helps!


Thanks and regards,
Adithyan T
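As an added example (not from this thread or from McAfee's tooling): a small parser over a constructed ePO Threat Event Log CSV export that picks out the "would have ... but didn't because Observe mode is enabled" descriptions quoted in this thread and groups them per host, so a defender can list the endpoints where Known Malicious detections were only observed, not enforced. The column names, host names and file paths are assumptions for the example.

```python
import csv
import io
import re
from collections import defaultdict
# Constructed sample of an ePO Threat Event Log CSV export; the column names,
# hosts and paths are assumptions for this example, not a real export.
SAMPLE_EXPORT = """\
Event ID,Host,Threat Event Description
35106,WS-0101,"Adaptive Threat Protection would have repaired C:\\Retodaded.exe based on its reputation (Known Malicious), but didn't because Observe mode is enabled."
35102,WS-0101,"Adaptive Threat Protection would have blocked C:\\Users\\Public\\dropper.exe based on its reputation (Known Malicious), but didn't because Observe mode is enabled."
34938,WS-0207,"Adaptive Threat Protection would have blocked C:\\Temp\\tool.exe based on its reputation (Most Likely Malicious), but didn't because Observe mode is enabled."
35106,WS-0310,"Adaptive Threat Protection repaired C:\\Temp\\bad.exe based on its reputation (Known Malicious)."
"""

# The 'would have ... but didn't' wording the OP quoted from ePO (ATP in Observe mode).
OBSERVE_RE = re.compile(
    r"would have (?P<action>\w+) (?P<path>.+?) based on its reputation "
    r"\((?P<reputation>[^)]+)\), but didn't because Observe mode is enabled",
    re.IGNORECASE,
)

def parse_export(text):
    """Read the CSV export into a list of row dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))

def unenforced_detections(rows):
    """Per host, the ATP detections that were only observed, not enforced."""
    per_host = defaultdict(list)
    for row in rows:
        m = OBSERVE_RE.search(row["Threat Event Description"])
        if m is None:
            continue  # enforced action or unrelated event text
        per_host[row["Host"]].append({
            "event_id": int(row["Event ID"]),
            "action": m["action"],
            "path": m["path"],
            "reputation": m["reputation"],
        })
    return dict(per_host)

def hosts_to_triage(rows, reputation="Known Malicious"):
    """Hosts with observed-only detections at the given reputation, most first."""
    counts = {host: sum(d["reputation"] == reputation for d in dets)
              for host, dets in unenforced_detections(rows).items()}
    return sorted(((h, n) for h, n in counts.items() if n), key=lambda x: (-x[1], x[0]))

if __name__ == "__main__":
    for host, n in hosts_to_triage(parse_export(SAMPLE_EXPORT)):
        print(f"{host}: {n} Known Malicious detection(s) observed but not enforced")
```

On the constructed sample only WS-0101 is listed, because WS-0207's observed-only event carries a different reputation and WS-0310's event describes an action that was actually taken.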
7 Replies
BEllis (McAfee Employee), Message 2 of 8

Re: Would Clean, Block and Delete


I wouldn't think that it is because it's set to Observe mode that it couldn't clean, block or delete, because we don't typically protect in Observe mode. It reports what's not in your policy. We will block from execution, though, if reputation settings are checked in policy. The Application Control Options Policy will show you which reputation is allowed at what levels. You would need to look at the ENS logs to understand why it didn't delete. You could also look at the events to see if the delete failed.

McAfee Support

Benjamin Ellis


Re: Would Clean, Block and Delete


Just an example:

In this event, with that description:  Adaptive Threat Protection would have repaired C:\Retodaded.exe based on its reputation (Known Malicious), but didn't because Observe mode is enabled.

Reputation is Known Malicious

Balance Security for: Balanced

Does that mean this exe file is free to do whatever it does even if it's malware? Or if it's really malware, would ENS delete it?

I'm sorry, but I'm not understanding how these 2 products work together when the machine has Observe Mode on.

BEllis (McAfee Employee), Message 4 of 8

Re: Would Clean, Block and Delete


Not sure I follow. Did you check your reputation settings that my last email talked about?

https://docs.mcafee.com/bundle/application-control-8.1.0-windows-product-guide-epolicy-orchestrator/...

McAfee Support

Benjamin Ellis


BEllis (McAfee Employee), Message 5 of 8

Re: Would Clean, Block and Delete


https://docs.mcafee.com/bundle/application-control-8.1.0-windows-product-guide-epolicy-orchestrator/...

McAfee Support

Benjamin Ellis


Re: Would Clean, Block and Delete


Thanks for your attention, man... but I do not have permission to view these settings. My concern is that we have a lot of endpoints with Observe Mode enabled. Can that mean that these threats, or possible threats, are free on these machines when the event description says that it would block but it didn't?

I'm going to have a look at these technical documents and see if I can understand better how ATP works with ENS... oh, and sorry about my English, it is not my native language.

Cheers
gnautiya (McAfee Employee), Message 7 of 8

Re: Would Clean, Block and Delete


The straight answer to your question is: if the file reputation is "known malicious", first ATP should block it, based on what policy is being applied for its configuration. Secondly, if its behavior is malicious, then any of our memory protection techniques will block its execution. Kindly check your policies; I hope they are in "monitor phase", and you should change it to "Block". Regards