We need to deploy the ENS ATP module on all the workstations, is it advisible to deploy ATP in observe mode, will will generate too many events and degrade any performance on Epo or DB?
Kindly suggest any deployment strategy...
Thanks for reaching out to community.
If you enable adaptive mode in observe mode, this creates lots of events and will eventually load the database.
For testing purpose, we recommend to test few pilot machines where the functionality can be tested.
Select few machines at random and enable observation mode on these machines and monitor the status.
If your are satisfied with the outcome, we recommend to go with deployment on a phased manner to the other machines.
Was my reply helpful?
Please give a kudo so that together we can assist other community users.
Even If we enable the observe mode for all systems it will create all events that "would be blocked" & if we disable observe mode & enable balance mode in policy, it will create same amount of blocked event.
we have not standard OS image in our environment, where we can apply observe mode policy on few systems and whitelist applications & disable observe mode and go for production deployment. We have many applications scattered across & all can not be tested with ATP policy before we can go for production roll-out.
is there any way to minimize events in observe mode?
Hi @Former Member, @girishm21,
Events are expected to be generated whether ATP is deployed in observe or enabled mode as long as the corresponding ATP rules/conditions are met for the running processes.
ATP works on processes that are not determined as malicious by On access Scan. Hence if you want to minimize the number of events generated by ATP, use of TIE server to mark PE files trusted by you/internally by the organization can be suggested here.
If TIE server is not used internally, then we recommend adding exclusions of the commonly used processes under OAS exclusions (Low risk process and exclusions for standard and High Risk processes as well) to avoid those processes from being scanned provided these are trusted internally by your organization. There is a certain amount of administration effort involved here as ATP will not be able to trust and reduce events o processes on it's won without being fed this required data.