1 Reply Latest reply on Jan 17, 2017 10:12 PM by aus_mick

    Switching from Observe Mode to Enable Mode

    janukahw

      I have put a Windows XP system on Observe Mode and also fetched inventory. I am about to put the system into Enable Mode, which raised a few questions in my mind.

      1. Does the Policy Discovery page only list events by non-trusted applications? Because it doesn't list executions done by the Windows operating system etc.

      2. Before switching to Enable Mode, do I need to go to the Inventory and mark as trusted all the apps in the list (assuming that I only have apps that I trust)? Because 99% of the apps in this list did not come up on the Policy Discovery page. Does this mean these are trusted already? Do I need to mark them as trusted before switching to Enable Mode?

        • 1. Re: Switching from Observe Mode to Enable Mode
          aus_mick

          Janukahw,


          Broadly speaking, you could say that Policy Discovery is used to identify binaries that function as updaters, as well as other binaries that have come into existence after your initial solidification and therefore are not whitelisted. McAfee purportedly added logic into the generation of Policy Discovery requests such that not every event is reported and uploaded to the ePO. So in my experience you sometimes miss events that you would otherwise need to have catered for with a Solidcore rule to prevent system instability, hence why McAfee recommends robust testing (including Enabled mode) and a staged implementation.


          With regard to the enterprise trust level of binaries in the inventory, when we initially deployed we reviewed and classified accordingly, but we find little value in undertaking the activity now. We do pay attention to the Cloud Trust level, as this is a score determined by McAfee having aggregated information from their customers to feed into the Global Threat Intelligence platform. If binaries are reported as having a poor reputation by McAfee, then we investigate accordingly to determine if action is required to block that binary globally. The inventory in the ePO is an aggregated source of binaries uploaded from your endpoints. Each endpoint maintains its own local inventory, which it uses as its whitelist, so there is no need to mark as trusted within the ePO before you enable Solidcore on your endpoints.


          HTH

          Mick