hon
Level 9
Message 1 of 15

observe mode

Hi everyone,

I have met problems when trying to configure app control in observe mode.

1. When I try to enable observe mode, there is no logging to ePO and no alert when I try to violate the policy, but it seems to work when I use it in enable mode.

2. After I switch from enable to disable and then to observe again, the policy remains working on the agent. Has anyone met something like this before?

[solidcore version 6.1.2]

14 Replies
neelima
Level 12
Message 2 of 15

Re: observe mode

hon,

Can you show the event that comes in enabled mode?

Thanks,

Neelima

meforum
Level 10
Message 3 of 15

Re: observe mode

- Well, what exactly is (not) working / blocked?

- Where are you looking for those events on ePO? (There are several places you may look at.)

- Observe mode will NOT log/show observation events for files on network shares (e.g. logon scripts etc. or just applications run from a share).

hon
Level 9
Message 4 of 15

Re: observe mode

Capture.PNG

hon
Level 9
Message 5 of 15

Re: observe mode

Capture2.PNG

There is a policy and an error that I have met when I use observe mode. Shall it only log? Am I right that it shouldn't block?

Or do I misunderstand the observe mode concept?

meforum
Level 10
Message 6 of 15

Re: observe mode

Hi,

I think the ban on iexplore.exe is for testing only? (to see if it's blocked or reported only)

So I guess you may not have enabled observe mode at all? You'll have to create/run a client task of type SC: observe mode to enable/disable observe mode on the client. (The other way would be to enable the corresponding checkbox in the SC: enable task, so it goes to observe mode instead of just enable after the initial scan.)

You can check the current status if you type "sadmin status" at the client/cmd.

meforum
Level 10
Message 7 of 15

Re: observe mode

Oh, and there's a section in the Solidcore install guide (and product guide?) about observe mode.

AND as far as I know this mode is only available in 6.1.x(?) - but you have 6.1.2 - so it's OK.

hon
Level 9
Message 8 of 15

Re: observe mode

Thanks for your help, but I have already turned to observe mode,

but the problem still appears.

Capture.PNG

hon
Level 9
Message 9 of 15

Re: observe mode

Yep, iexplore is for testing only.

meforum
Level 10
Message 10 of 15

Re: observe mode

Hm .... not sure ... but my best guess is that's maybe because you have an explicit "ban/block" rule for iexplore.exe - maybe that even blocks with observe mode on? (never tried that).

How about this: try to copy some .exe / program to that client (that hasn't been there before / is not whitelisted) and try to run it. This should work but generate an observation - I think.
