Level 10
Message 1 of 5

ATP - Observe and Enforce


I have the ATP Options policy configured with Observe mode unchecked, {Enable Observe mode (Events are generated but actions are not enforced)} and it's applied to the systems, but I'm still seeing Observe events generated. Why? Any new events should be under Enforcement events but they are not. I recreated the policy in case it was corrupted but same behavior. Can someone please shed some light on this issue?

4 Replies
McAfee Employee
Message 2 of 5

Re: ATP - Observe and Enforce


Hi @kblowe 

There could still be some events being uploaded from the endpoints. If you have access to the endpoints, you can check %Programdata%\McAfee\Agent\AgentEvents to see if there are still some .xml files to be uploaded (these are the events generated).

Have you been able to check locally at all in the ENS Console that the policy has actually taken effect?

Level 10
Message 3 of 5

Re: ATP - Observe and Enforce


Are you implying that older events captured in observe mode are being uploaded, while the endpoint is in enforced mode? The current policy has been applied for a few days and the event was generated today. Will a restart help? Should I remove ATP and reinstall it?

McAfee Employee
Message 4 of 5

Re: ATP - Observe and Enforce


Yes - if the system generated A LOT of events, they wouldn't have all been uploaded in one go so that your ePO server doesn't get overwhelmed. So it could be that the system is still sending old events. That folder stores all of those events on the clients, so if there are any there, they will still be being sent to ePO to be parsed. A restart won't help if this is the case.

Personally I would follow other routes before removing and reinstalling the software. But of course up to you. (This option btw also wouldn't remove the events, if the above theory is right).

 

If you are saying, though, that the event generated date is today, it sounds more likely that the endpoint hasn't actually retrieved the updated policy. There are many reasons this could happen and I would suggest getting in touch with our Technical Support Team to look into why this is happening.

Level 10
Message 5 of 5

Re: ATP - Observe and Enforce


Thanks. Will contact technical support.
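
The folder check suggested in the thread, as an added example (not written by any thread participant or by McAfee): it counts the .xml files still queued in the AgentEvents folder and splits them at the time the policy was changed. The `$PolicyChanged` parameter is a hypothetical input, and using each file's LastWriteTime as a stand-in for when the event was generated is an assumption.

```powershell
# Added example: inventory event files still waiting in the agent's upload queue.
# Assumption: a file's LastWriteTime approximates when the event was generated.
param(
    # Hypothetical input: when the policy with Observe mode unchecked was assigned.
    [datetime]$PolicyChanged = (Get-Date).AddDays(-3)
)

# Folder named in the thread.
$queue = Join-Path $env:ProgramData 'McAfee\Agent\AgentEvents'

if (-not (Test-Path -LiteralPath $queue)) {
    Write-Warning "Folder not found: $queue"
    return
}

# Force an array so .Count is reliable even for zero or one file.
$pending = @(Get-ChildItem -LiteralPath $queue -Filter '*.xml' -File |
    Sort-Object LastWriteTime)

if ($pending.Count -eq 0) {
    Write-Output 'No .xml files are waiting to be uploaded.'
    return
}

# Split the backlog at the policy change.
$older = @($pending | Where-Object { $_.LastWriteTime -lt $PolicyChanged })
$newer = @($pending | Where-Object { $_.LastWriteTime -ge $PolicyChanged })

# Summary: backlog size, age range, and the before/after split.
[pscustomobject]@{
    Pending            = $pending.Count
    Oldest             = $pending[0].LastWriteTime
    Newest             = $pending[-1].LastWriteTime
    BeforePolicyChange = $older.Count
    AfterPolicyChange  = $newer.Count
}

# Per-day breakdown, to see whether the queue is draining or still growing.
$pending |
    Group-Object { $_.LastWriteTime.ToString('yyyy-MM-dd') } |
    Sort-Object Name |
    Select-Object @{ n = 'Day'; e = { $_.Name } }, Count
```

A backlog dated before the policy change fits the "old events still uploading" explanation given in the thread; files dated after it fit the other explanation, that the endpoint has not retrieved the updated policy.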
