We are not seeing any ATP events under Reporting or Dashboards. Is this normal if observe mode is checked in the policy? I should at least see observed events, right? Or is there another reason why no events are present? Everything is configured and working as far as DXL & TIE are concerned. I find it odd that no events are reporting.
Hi @kblowe
Many thanks for posting on the Community.
I would be very surprised if you weren't seeing any events generated however to force one, you can use the Real-Protect Test Files: https://kc.mcafee.com/corporate/index?page=content&id=KB88828
One in-built Dashboard is called: Endpoint Security: Adaptive Threat Protection Observed Events - this dashboard should be getting populated with your observation events.
If you aren't seeing any events at all, it might be worth checking that you are allowing the generation of these events. To do this, please navigate within your ePO server to Server Settings > Event Filtering. You want to check that the events 35100 - 35107 are enabled.
If these are checked, then you can also check that within your McAfee Agent policy you aren't just forwarding Major events. You may need to select a lower event level i.e. Informational
Events 35100 - 35107 are enabled and stored on ePO. Also, the McAfee Agent > General policy events are set to Minor. It could be an issue with the policy. I checked, and the ENS Common policy didn't have Client Logging > Event Logging "ATP events to log" set at all. I set it to Warning, Critical, and Alert. Will monitor for events.
If you have any other steps, please let me know.
Hi @kblowe
You may need to set the Event Level within ePO Forwarding to Informational. If you still don't see any events, please do try this. And as I said, if you want to force event generation so you can check quicker then you can use the Real Protect Test Files.
But if you didn't have ATP Events within ENS Common Policy enabled, then you may have already found the problem 🙂
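As an added illustration of the two gates walked through above (it is not code from the thread or from McAfee), this models an event ID either being enabled under Server Settings > Event Filtering or not, and the McAfee Agent forwarding level either admitting an event's severity or dropping it. The forwarding-level ordering and the severities attached to the sample events are assumptions made for the example, not McAfee's real mapping.

```python
from dataclasses import dataclass

# ePO event IDs the thread says must be enabled under Server Settings > Event Filtering.
ATP_EVENT_IDS = frozenset(range(35100, 35108))

# Assumed McAfee Agent event-forwarding levels, lowest to highest (assumption, not from the thread).
AGENT_LEVELS = ("informational", "warning", "minor", "major", "critical")


@dataclass(frozen=True)
class Event:
    event_id: int
    severity: str  # one of AGENT_LEVELS
    label: str     # constructed description, for readability only


# Constructed sample events; severities are illustrative, not McAfee's real per-event mapping.
SAMPLE_EVENTS = (
    Event(35100, "informational", "ATP observe-mode event (constructed)"),
    Event(35104, "major", "ATP block event (constructed)"),
)


def first_blocking_gate(event, enabled_ids, forward_level):
    """Name the first gate that stops the event, or None if it reaches ePO reporting."""
    if event.event_id not in enabled_ids:
        return "ePO Event Filtering (event ID disabled)"
    if AGENT_LEVELS.index(event.severity) < AGENT_LEVELS.index(forward_level):
        return f"McAfee Agent forwarding level ({forward_level})"
    return None


def diagnose(events, enabled_ids, forward_level):
    """Map each dropped event's ID to the gate that drops it; events that pass are omitted."""
    result = {}
    for ev in events:
        gate = first_blocking_gate(ev, enabled_ids, forward_level)
        if gate is not None:
            result[ev.event_id] = gate
    return result


def compare_forwarding_levels(events, enabled_ids):
    """Count how many events survive both gates at each possible agent forwarding level."""
    return {
        level: sum(1 for ev in events if first_blocking_gate(ev, enabled_ids, level) is None)
        for level in AGENT_LEVELS
    }


if __name__ == "__main__":
    # A forwarding level of Major silently drops the informational observe event.
    print(diagnose(SAMPLE_EVENTS, ATP_EVENT_IDS, "major"))
    print(compare_forwarding_levels(SAMPLE_EVENTS, ATP_EVENT_IDS))
```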
Just an FYI, I was seeing events up until a month ago. I changed to Informational and that didn't make a difference. I downloaded the Test File to generate an event and that worked as it should. The events showed under ATP Events as blocked.
My question now is whether the ATP policy is not strict enough. I have "Endpoint Security Adaptive Threat Protection : Policy Category > Options" set to Productivity under Rule Assignment, for which by default the Action Enforcement is "Trigger Dynamic Application Containment when reputation threshold reaches: Most Likely Malicious" and "Block when reputation threshold reaches: Known Malicious". Is it better to keep the Rule Assignment at "Balanced", or does it depend on the organization? Because currently no events are happening and we are not in observe mode. Any insight would be helpful. Thanks.
Hi @kblowe
Thank you for sharing feedback. I am glad you received events once forced with the Test File - at least that proves that you do have everything set up correctly.
We recommend keeping the default configuration. Of course you can change these settings if you want; this is your choice, but I urge caution and would advise only applying the policy as a test to a certain subset of machines so you avoid any impact. If you change DAC to trigger when "Unknown", I would expect you to see a lot of events.
Thanks for the tips. I recreated the ATP Option policy and left at the default of Balanced instead of Productivity. I started noticing events slowly generating.
There is not much in the ATP guide on Threat Detection Messaging. I have the defaults below, but isn't that excessive, meaning it will send a message for every Unknown file to the user?

Display threat notifications to user. The defaults when checked state:
- Notify the user when reputation threshold reaches: Unknown
- Default Action: Allow
- Specify length (minutes) of timeout: 5
- Message: McAfee Endpoint Security detected a file with an unknown reputation.
Hi @kblowe
By default, ATP's specific Threat Detection User Messaging is actually disabled. You will still receive threat detection notifications in the form of a windows toast notification, the same as you would for a threat detected from On-Access Scan.
To directly answer your question though, yes this would generate a lot of noise/interruption for users if you have this setting enabled and set to trigger at unknown. The main benefit this feature provides is the ability to make users confirm that they want to run the unknown application (by selecting Allow in the notification) to give an extra bump towards thinking about what they're running on the machine. But, like I said, this will generate a lot of noise.
Hopefully that helps!
Hello, no enforce or observed events are generating for ATP at all now. I have reset a few policies, restarted the TIE server, and still nothing. It's like ATP is not enabled. Help!
Hi Kblowe,
Please tell me if you are using ePO On-Prem or MVISION ePO / Cloud ePO.
If you are using On-Prem, then the events should be selectable from the event ID list under Server Settings > Event Filtering.
If however you are using MVISION ePO or Cloud based ePO, events 35100-35107 are filtered out by the platform and at this stage cannot be enabled on either cloud based platform.