13 Replies Latest reply on Mar 12, 2014 7:33 PM by hon

    observe mode

    hon

      hi everyone,

      I have met problems when trying to configure app control in observe mode.

      1. When I try to enable observe mode, there is no logging to ePO and no alert when I try to violate the policy, but it seems to work when I use it in enable mode.

      2. After I switch from enable to disable and then to observe again, the policy remains working on the agent. Has anyone met something like this before?

      [solidcore version 6.1.2]

        • 1. Re: observe mode

          hon,

           

          Can you show the event that comes in enabled mode?

           

          Thanks,

          Neelima

          • 2. Re: observe mode
            meforum

            - well - what exactly is (not) working / blocked?

            - where are you looking for those events on ePO? (there are several places you may look at).

            - observe mode will NOT log/show observation events for files on network shares (e.g. logon-scripts etc or just applications run from a share)

            • 3. Re: observe mode
              hon

              Capture.PNG

              • 4. Re: observe mode
                hon

                Capture2.PNG

                There is a policy and an error that I have met when I use observe mode. Shall it only log? Am I right that it shouldn't block?

                Or do I misunderstand the observe mode concept?

                • 5. Re: observe mode
                  meforum

                  hi,

                   

                  I think to ban iexplore.exe is for testing only? (to see if it's blocked or reported only)

                   

                  So I guess you may not have enabled observe mode at all? You'll have to create/run a client task of type SC: observe mode to enable/disable observe mode on the client. (the other way would be to enable the corresponding checkbox in the SC: enable task, so it goes to observe mode instead of just enable after the initial scan)

                  You can check the current status if you type "sadmin status" at the client/cmd

                  • 6. Re: observe mode
                    meforum

                    oh and there's a section in the solid core install guide (and product guide?) about observe mode.

                    AND as far as I know this mode is only available in 6.1.x(?) - but you have 6.1.2 - so it's ok

                    • 7. Re: observe mode
                      hon

                      thanks for your help but I have already turned to observe mode

                      but the problem still appears

                      Capture.PNG

                      • 8. Re: observe mode
                        hon

                        Yep iexplore is for testing only

                        • 9. Re: observe mode
                          meforum

                          hm .... not sure ... but my best guess is that's maybe because you have an explicit "ban/block" rule for iexplore.exe - maybe that even blocks with observe mode on? (never tried that).

                          how about that: try to copy some .exe / program to that client (that hasn't been there before / is not whitelisted) and try to run it. This should work but generate an observation - I think.
