5 Replies Latest reply on Sep 22, 2014 5:30 PM by neelima

    McAfee application control (Observation events Unavailable) Solidcore

    humaid

      Hi Folks,

       

      I have a small issue. I recently deployed McAfee Application Control to our servers. Everything is working fine except the "Observation Mode". Well, I can deploy the "Observation Mode" but couldn't monitor its events afterwards. According to the research I did, there should be something like "Observations" under Menu -> Application Control tab. But I don't see anything there. I am wondering why that is. And folks, is there any extra patch that I need to apply? Or did I miss any steps in deploying the App Control, which is the cause of the disappearance of "Observations"? Attached a screenshot for your consideration.

       

      Oh well, one more thing. I really love Solidcore Application Control and Change Control; I would say it's one of the best out there. If you have not tested it out yet, give it a try and you will love it too. Also, there are a couple of works in the background when it comes to a live environment; that's why I wanted to do a test run (Observation) mode first and whitelist whatever I want. But unfortunately that option is not working for me. Strange. It would be a great help if you guys can help me to sort that out. Thanks in advance.

       

      Regards,

      Humaid

        • 1. Re: McAfee application control (Observation events Unavailable) Solidcore
          vaidyanathan

          Hi,

           

          I am running Solidcore 6.1.3, which is the latest version as of now, and I don't see Observations under Application. I'm new to Application Control as well.

           

          But can you please let me know what you would achieve if the "Observation" menu is present?

           

          In the System Tree menu -> Actions -> Choose Columns -> select "Solidcore Status" under Solidcore client properties, which will show you whether the system is in observation mode or enabled mode.

           

          In addition to that, when a system is placed in observation mode I think the logs are still generated under c:\programdata\mcafee\solidcore\logs

          • 2. Re: McAfee application control (Observation events Unavailable) Solidcore

            Hi Humaid,

             

            Looks like you are using MAC V6.1.2 or MAC v6.1.3. From these versions onwards, Observations will flow into the "Policy Discovery" page.

             

            Thanks,

            Neelima

            • 3. Re: McAfee application control (Observation events Unavailable) Solidcore
              humaid

              Hey Vaidyanathan,

               

              Thanks for your contribution on the Application Control "Observation" issue. Well, "Observation" is one of the important parts if you are going to deploy Application Control to your entire network, especially for ATMs. Because last time I had a small issue while deploying to one of our banking customers' ATMs, and after the initial solidification the ATM stopped responding (this is normal, as a custom-made script will be stopped or prevented from running because it is not in the corporate whitelist policy). So the normal procedure is to figure out which is being blocked (by looking at events) and allowing them manually through policies.

               

              However, with "Observation" we will not have that hassle. We will just deploy App Ctrl using "Observation Mode" and it will not block anything on the server; instead it uploads the events to a place called "Observation" within the ePO, like I mentioned above. So by going there we can see which applications could be blocked, and we can allow them within the policy prior to "Enabling" App Ctrl. So it's a hassle-free deployment. And trust me, I love App Ctrl, it is awesome. Now I think Neelima has suggested something. I'll test that out and update you guys ASAP. Thanks

               

              Regards,

              Humaid

              • 4. Re: McAfee application control (Observation events Unavailable) Solidcore
                humaid

                Hey Neelima,

                 

                Thanks, your option is actually working. And I can see all the observation events are going to "Policy Discovery".

                 

                Regards,

                Humaid