Showing results for 
Show  only  | Search instead for 
Did you mean: 

ENS Adaptive threat protection deployment strategy


We need to deploy the ENS ATP module on all the workstations, is it advisible to deploy ATP in observe mode, will will generate too many events and degrade any performance on Epo or DB?

Kindly suggest any deployment strategy...



Girish Modak.

3 Replies
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 2 of 4

Re: ENS Adaptive threat protection deployment strategy

Hi Girishm21

Thanks for reaching out to community. 

If you enable adaptive mode in observe mode, this creates lots of events and will eventually load the database. 

For testing purpose, we recommend to test few pilot machines where the functionality can be tested.

Select few machines at random and enable observation mode on these machines and monitor the status. 

If your are satisfied with the outcome, we recommend to go with deployment on a phased manner to the other machines. 

Was my reply helpful?

Please give a kudo so that together we can assist other community users. 

Former Member
Not applicable
Report Inappropriate Content
Message 3 of 4

Re: ENS Adaptive threat protection deployment strategy

Hi @yaz 

Even If we enable the observe mode for all systems it will create all events that "would be blocked" & if we disable observe mode & enable balance mode in policy, it will create same amount of blocked event.

we have not standard OS image in our environment, where we can apply observe mode policy on few systems and whitelist applications &  disable observe mode and go for production deployment. We have many applications scattered across & all can not be tested with ATP policy before we can go for production roll-out.

is there any way to minimize events in observe mode?


Girish Modak


McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 4 of 4

Re: ENS Adaptive threat protection deployment strategy

Hi @Former Member, @girishm21,

Events are expected to be generated whether ATP is deployed in observe or enabled mode as long as the corresponding ATP rules/conditions are met for the running processes.

ATP works on processes that are not determined as malicious by On access Scan. Hence if you want to minimize the number of events generated by ATP, use of TIE server to mark PE files trusted by you/internally by the organization can be suggested here.

If TIE server is not used internally, then we recommend adding exclusions of the commonly used processes under OAS exclusions (Low risk process and exclusions for standard and High Risk processes as well) to avoid those processes from being scanned provided these are trusted internally by your organization. There is a certain amount of administration effort involved here as ATP will not be able to trust and reduce events o processes on it's won without being fed this required data.

Was my reply helpful?
If you find this post useful, Please give it a Kudos! Also, Please don't forget to select "Accept as a solution" if this reply resolves your query!

Thanks and regards,
Adithyan T
You Deserve an Award
Don't forget, when your helpful posts earn a kudos or get accepted as a solution you can unlock perks and badges. Those aren't the only badges, either. How many can you collect? Click here to learn more.

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from McAfee experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by McAfee employees.
Join the Community
Join the Community