Community Help Hub

hon · ‎03-10-2014

hi everyone,

I have met problems when try to configure app control in observe mode.

1. When i try to enable observe mode there is no logging to epo and no alert when i try to violate the policy but it seems to work when i use in enable mode

2. after i switch enable to disable and then observe agian . the policy remain working on the agent .Have anyone met something like this before

[solidcore version 6.1.2]

neelima · ‎03-10-2014

hon,

Can you show the event that comes in enabled mode?

Thanks,

Neelima

meforum · ‎03-11-2014

- well - what exactly is (not) working / blocked?

- where do you looking for that events on ePO? (there are several places to may look at).

- observe mode will NOT log/show observation events for files on network shares (e.g. logon-scripts etc or just applications run from a share)

hon · ‎03-11-2014

hon · ‎03-11-2014

There is a policy and an error that i have met when i use observe mode . shall it only log ?. Am i right that It should't block?

or i misunderstand about the observe mode concept

ก

meforum · ‎03-12-2014

hi,

I think to ban iexplore.exe is for testing only? (to see if it's blocked or reportet only)

So I guess you may not enabled observe mode at all? You'll have to create/run a client task of type SC: observe mode to enable/disable observe mode on the client. (the other way would be to enable the correspondig checkbox in the SC: enable task, so go to observe mode instead of just enable after the initial scan)

You can check the current status if you type "sadmin status" at the client/cmd

meforum · ‎03-12-2014

oh and there's a section in the solid core install guide (and product guide?) about observe mode.

AND as far as as I know this mode is only available in 6.1.x(?) - but you have 6.1.2 - so its ok

hon · ‎03-12-2014

thank about your help but i have already turnen to observe mode

but problem still appear

hon · ‎03-12-2014

Yep iexplore is for testing only

meforum · ‎03-12-2014

hm .... not sure ... but my best guess is that's maybe because you have a explicit "ban/block" rule for iexplore.exe - maybe that even blocks with observe mode on? (never tried that).

how about that: try to copy some .exe / program to that client (that haven't been there before / is not whitelistet) and try to run it. This shoud work but generate an observation - I think.

observe mode

Re: observe mode

Re: observe mode

Re: observe mode

Re: observe mode

Re: observe mode

Re: observe mode

Re: observe mode

Re: observe mode

Re: observe mode

Community Help Hub

Join the Community