1 2 Previous Next 13 Replies Latest reply on Mar 12, 2014 7:33 PM by hon

    observe mode


      hi everyone,

      I have met problems when try to configure app control in observe mode.

      1. When i try to enable observe mode there is no logging to epo and no alert when i try to violate the policy but it seems to work when i use in enable mode

      2. after i switch enable to disable and then observe agian . the policy remain working on the agent .Have anyone met something like this before

      [solidcore version 6.1.2]

        • 1. Re: observe mode



          Can you show the event that comes in enabled mode?




          • 2. Re: observe mode

            - well - what exactly is (not) working / blocked?

            - where do you looking for that events on ePO? (there are several places to may look at).

            - observe mode will NOT log/show observation events for files on network shares (e.g. logon-scripts etc or just applications run from a share)

            • 3. Re: observe mode


              • 4. Re: observe mode


                There is a policy and an error that i have met when i use observe mode . shall it only log ?.  Am i right that It should't block?

                or i misunderstand about the observe mode concept

                • 5. Re: observe mode



                  I think to ban iexplore.exe is for testing only? (to see if it's blocked or reportet only)


                  So I guess you may not enabled observe mode at all? You'll have to create/run a client task of type SC: observe mode to enable/disable observe mode on the client. (the other way would be to enable the correspondig checkbox in the SC: enable task, so go to observe mode instead of just enable after the initial scan)

                  You can check the current status if you type "sadmin status" at the client/cmd

                  • 6. Re: observe mode

                    oh and there's a section in the solid core install guide (and product guide?) about observe mode.

                    AND as far as as I know this mode is only available in 6.1.x(?) - but you have 6.1.2 - so its ok

                    • 7. Re: observe mode

                      thank about your help but i have already turnen to observe mode

                      but problem still appear


                      • 8. Re: observe mode

                        Yep iexplore is for testing only

                        • 9. Re: observe mode

                          hm .... not sure ... but my best guess is that's maybe because you have a explicit "ban/block" rule for iexplore.exe - maybe that even blocks with observe mode on? (never tried that).

                          how about that: try to copy some .exe / program to that client (that haven't been there before / is not whitelistet) and try to run it. This shoud work but generate an observation - I think.

                          1 2 Previous Next