I have met problems when try to configure app control in observe mode.
1. When i try to enable observe mode there is no logging to epo and no alert when i try to violate the policy but it seems to work when i use in enable mode
2. after i switch enable to disable and then observe agian . the policy remain working on the agent .Have anyone met something like this before
[solidcore version 6.1.2]
- well - what exactly is (not) working / blocked?
- where do you looking for that events on ePO? (there are several places to may look at).
- observe mode will NOT log/show observation events for files on network shares (e.g. logon-scripts etc or just applications run from a share)
I think to ban iexplore.exe is for testing only? (to see if it's blocked or reportet only)
So I guess you may not enabled observe mode at all? You'll have to create/run a client task of type SC: observe mode to enable/disable observe mode on the client. (the other way would be to enable the correspondig checkbox in the SC: enable task, so go to observe mode instead of just enable after the initial scan)
You can check the current status if you type "sadmin status" at the client/cmd
oh and there's a section in the solid core install guide (and product guide?) about observe mode.
AND as far as as I know this mode is only available in 6.1.x(?) - but you have 6.1.2 - so its ok
hm .... not sure ... but my best guess is that's maybe because you have a explicit "ban/block" rule for iexplore.exe - maybe that even blocks with observe mode on? (never tried that).
how about that: try to copy some .exe / program to that client (that haven't been there before / is not whitelistet) and try to run it. This shoud work but generate an observation - I think.