Going through the documentation trying to confirm or deny the following.
When using the Adaptive Threat Protection in Observe mode so that it can learn and build product prevalence, is the system still protected by the standard On-Access Scanner using DAT files? If it is, where is the information located? I have gone through the Help from the ePO console, reviewed the ENS documentation (Help, Prod Guide and Install Guide) but have not found this answer.
The Threat Prevention On-Access Scan behavior is independent of Adaptive Threat Protection Observe mode. If Adaptive Threat Protection is operating in Observe mode, the system remains protected when On-Access Scan is enabled.
Although not expressly stated, I believe the answer to this question is as follows.
1. Threat Prevention (aka VSE and On-Access protection) is still valid and running. Hence the system(s) running the Adaptive Threat Protection is protected. In the documentation ATP is referred to as an **Optional component**, which in my mind means that it does not need to be enabled.
2. When Adaptive Threat Protection is in Observe mode, that portion of the ENS is not blocking. Much like in SolidCore products. However, as the On-Access Scanner is running and using the DAT files, the system(s) in question are protected in the same manner as if VSE would be.
3. When in Observe mode, Heuristic scanning is not protecting the target devices.
If I am missing something, or not fully understanding the product, please feel free to reach out and let me know.