hon
Level 9
Message 11 of 15

Re: observe mode

[Attachment: Capture.PNG]

The incident appeared, but I wonder which type of file will be generated when using observe mode, and what the main purpose of this mode is.

meforum
Level 10
Message 12 of 15

Re: observe mode

The main purpose is to check/verify that your policies are correct without having an effect on the end user/client, generating many support calls, etc. But remember to turn it off for production.

One further benefit is that in ePO you can go to the observation events (I think that should be the screen you posted), select an event > Actions and directly create a whitelist entry (based on hash), an updater, etc., and create a policy (or add to an existing policy).

Re: observe mode

Check the "What's new?" hyperlink present on the Policy Discovery UI page in ePO (check the upper-right corner). It will take you to a KB describing the principal changes made in v6.1.2 for Observation mode and how it works.

hon
Level 9
Message 14 of 15

Re: observe mode

Firstly, I think it is like you said, but as you can see, when I switch to observe mode my policy is working, but observe generates events that do not even relate to my policy. For example, I just created a rule for the IE binary, but when I tried to install Chrome the event was generated. In contrast, I cannot open IE, which means we cannot observe policy violations; that is why I ask about this feature's purpose.

mkirby
Level 7
Message 15 of 15

Re: observe mode

Observe mode does not function in a way that shows the same event each time it happens. It notes it the first time so that a rule/policy can be made, and that's it. When you "Enable" Application Control, then it reports the violation all the time.

In order to see the original event again, you would need to clear the events already seen on the endpoint, change the system to Disabled mode, reboot, place it into Observe mode and reboot again, and then it would capture the event. But to see the event constantly, the offending item (.exe, .dll, etc.) needs the endpoint device to be in an "Enabled" state.
