cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
hon
Level 9
Report Inappropriate Content
Message 11 of 15
‎03-12-2014 02:50 AM

Re: observe mode

Capture.PNG

The incident is  appeared but i wonder that which type of file that will be genearted when using observe mode and what is the main purpose of this mode

0 Kudos
Reply
meforum
Level 10
Report Inappropriate Content
Message 12 of 15
‎03-12-2014 03:52 AM

Re: observe mode

the main purpose is to check/verify your policies are correct without haveing a effekt on the end user / client, having much support calls etc. But remember to turn it of for production.

One further benefit is that in ePO you can go to the observation events (I think should be the screen you posted), select an event > actions and directly create a whitelist entry (based on hash), updater etc and create a policy (or add to an existing policy).

0 Kudos
Reply
sbansal1
Level 8
Report Inappropriate Content
Message 13 of 15
‎03-12-2014 05:26 AM

Re: observe mode

Check the "What's new?" hyperlink present on Policy Discovery UI page on ePO. (Check the upper-right corner). It will take you to a KB descriibg the principal changes done in v6.1.2 for Observation mode and its working.    

0 Kudos
Reply
hon
Level 9
Report Inappropriate Content
Message 14 of 15
‎03-12-2014 05:33 PM

Re: observe mode

Firstly, I think like you said  but as you can see when i turn to observe mode my policy is working but the observe generate the event that not even relate with my policy for example i just creat rule for ie binary but when i try to installed chrome the event was generate. In contrast ,i cannot open ie that mean we cannot observe for policy violation that why i ask for this feature purpose

0 Kudos
Reply
mkirby
Level 7
Report Inappropriate Content
Message 15 of 15
‎01-11-2018 10:36 AM

Re: observe mode

The observe mode will does not function in a way that shows the same event each time it happens.  It notes it the first time so that a rule / policy can be made and that's it.  When you "Enable" application control then it reports the violation all the time. 

In order to see the original event again you would need to clear the events already seen on the end point, change the system to Disabled Mode, reboot, place it into Observe mode and reboot again and then it would capture the event.  But to see the event constantly the offending item (.exe; .dll; etc..) needs the end point device to  be in an "enabled" state.

0 Kudos
Reply
You Deserve an Award
Don't forget, when your helpful posts earn a kudos or get accepted as a solution you can unlock perks and badges. Those aren't the only badges, either. How many can you collect? Click here to learn more.

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from McAfee experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by McAfee employees.
Join the Community
Join the Community


Corporate Headquarters
6220 America Center Drive
San Jose, CA 95002 USA

Consumer Support   |   Enterprise Support   |   McAfee.com

Legal   |   Privacy   |   Copyright © 2020 McAfee, LLC