Knowledge Center

Differences between Observation mode and Update mode in Application Control
Technical Articles ID:   KB78223
Last Modified:  2/21/2019


McAfee Application and Change Control 8.x.x, 7.x.x, 6.x.x
Microsoft Windows


This article explains the differences between Observation mode and Update mode in McAfee Application Control (MAC).

MAC uses Whitelisting and Memory-protection capabilities to ensure that only whitelisted, legitimate, authorized applications and files run on the system.

After you perform the initial system solidification, a whitelist for all supported applications and files is created. This whitelist is validated against the execution of all supported files. This process locks down the system to prevent:

  • Execution or running of any supported file outside the whitelist
  • Changes to any supported file in the whitelist

What is Update mode?
MAC provides the following channels to modify or update a locked down system:

  • Updater process: A process is any program in execution. A whitelisted executable or script can be configured as an Updater to allow it to modify or execute any supported file irrespective of its state in the inventory (whitelist). Changes performed by an Updater process are dynamically reflected in the inventory (whitelist). 
  • User as Updater or Trusted user: You can configure individual users to be trusted by MAC. All changes performed by the configured user are allowed on a locked down system. Changes performed by an Updater or Trusted user are dynamically reflected in the inventory (whitelist). 
  • Update mode: Update mode is a system-wide maintenance mode. In Update mode, all changes performed by any process or user are allowed. Changes performed when the system is in Update mode are dynamically reflected in the inventory (whitelist).

NOTE: Memory Protection is enabled and effective if the system is updated using any of the above channels.

What is Observation mode?
A system in Observation mode allows any change or execution of files. Observation mode is available on the Windows operating system and in MAC for Linux 6.2.0-187 and later.


  • Observation mode functionality for Linux was added in MAC for Linux 6.2.0-187 and later. See PD27665 for details about this version.
  • Observation mode functionality for Linux does not automatically update the MAC whitelisted file inventory like it does in the Windows operating system. See KB79576 - Functionality section: "What events are generated with 6.2.0 (Linux) in Observe mode and Enable mode?" for further information.

The benefit of Observation mode is that MAC generates events and notifications for file executions or change prevention, as it would have done in Enable mode, but without actually preventing the executions or changes. The events and notifications are reported to ePO with a suggestion about any configuration changes required to allow the execution and changes in Enable mode. After the user determines that the change as reported in the event is legitimate, the suggested configuration changes can be applied to allow the execution or modification in Enable mode or locked down state.

NOTE: McAfee recommends that you place 10% of the similar or matching systems in Observation mode. After you have identified any required configuration changes, you can apply those changes to all hosts with a similar or matching software configuration.

If changes are allowed in Update mode, why is Observation mode needed?
MAC ships with a default policy that includes rules identified in-house to make most common, known applications work seamlessly in a MAC-enabled environment. But many environments have applications or versions that have not yet been tested by McAfee. If these applications create and execute new files or modify the whitelisted files, MAC blocks the action. This blocking can cause application issues or functionality loss.

It is not feasible to place a system in Update mode every time an application needs to execute or modify files or to allow the application to make changes without any sort of monitoring. Observation mode allows you to minimize application failures in an Enabled or locked down state. It does so by determining which configuration changes are required to allow your applications to function correctly while creating the least amount of security risk.

Update mode vs. Observation mode
Though Update and Observation mode are different in principle and usage, to some they might sound similar as both allow changes on the system. To classify further, the following lists differences in the nature and usage of Update and Observation mode.

  • Update mode allows the changes only while the system is in maintenance (Update) mode. Observation mode allows the changes but suggests the required configuration to successfully carry out a similar change next time without switching to Update mode.
  • Update mode is useful for a one-time change or update of a system after it is solidified and locked down. Observation mode is an educator that helps to identify the configuration required to make the locked down system work seamlessly.
  • Update mode can be initiated anytime an emergency or significant change or update is required. Observation mode is initiated once to identify the MAC-specific configurations before the system is finally locked down.
  • Any change done in Update mode is dynamically updated in the inventory (whitelist). Any change done in Observation mode is updated in the inventory (whitelist) at user discretion.
  • You can put the system into Update mode without solidification or initial whitelisting. Solidification or initial whitelisting is a mandate/pre-requisite to switch to Observation mode.
  • Update mode allows the files to run or modify once. Configuration identified in Observation mode allows files to run seamlessly always.

Rate this document

Beta Translate with

Select a desired language below to translate this page.

Glossary of Technical Terms

 Highlight Glossary Terms

Please take a moment to browse our Glossary of Technical Terms.