MAC uses Allow listing and Memory-protection capabilities to make sure that only allowed, legitimate, authorized applications and files run on the system.

After you perform the initial system solidification, an allow list for all supported applications and files is created. This allow list is validated against the execution of all supported files. This process locks down the system to prevent:

• Execution or running of any supported file outside the allow list
• Changes to any supported file in the allow list

What is Update mode?
MAC provides the following channels to modify or update a locked down system:

• Updater process: A process is any program in execution. An allowed executable or script can be configured as an Updater. Configuring it as an Updater allows it to modify or execute any supported file regardless of its state in the inventory (allow list). Changes performed by an Updater process are dynamically reflected in the inventory (allow list). 
• User as Updater or Trusted user: You can configure individuals to be MAC trusted users. All changes performed by the configured user are allowed on a locked down system. Changes performed by an Updater or Trusted user are dynamically reflected in the inventory (allow list). 
• Update mode: Update mode is a systemwide maintenance mode. In Update mode, all changes performed by any process or user are allowed. Changes performed when the system is in Update mode are dynamically reflected in the inventory (allow list).

NOTE:

•   Memory Protection is enabled and effective if the system is updated using any of the above channels.
•   MAC can still block operations while in update mode if reputation has been enabled in the application control options policy.

What is Observation mode?
A system in Observation mode allows any change or execution of files. Observation mode is available on the Windows operating system and in MAC for Linux 6.2.0-187 and later.

NOTES:

• Observation mode function for Linux was added in MAC for Linux 6.2.0-187 and later. See McAfee Change Control 6.2.0 - Linux Release Notes for details about this version.
• Observation mode function for Linux doesn’t automatically update the MAC allow listed file inventory like it does in the Windows operating system. See KB79576 - FAQs for Application and Change Control 6.x.x.
  Functionality section: "What events are generated with 6.2.0 (Linux) in Observe mode and Enable mode?" for further information.
• Files get allow listed dynamically.

A benefit of Observation mode is that MAC generates events and notifications for file executions or change prevention without actually preventing the executions or changes. The events and notifications are reported to ePO with a suggestion about any configuration changes needed to allow the execution and changes in Enable mode. After the reported change is confirmed as legitimate, suggested configuration changes can be applied to allow the execution or change in Enable mode or locked down state.

NOTE:

• MAC recommends that you place 10% of the similar or matching systems in Observation mode. After you’ve identified any needed configuration changes, you can apply those changes to all hosts with a similar or matching software configuration.
• MAC can still block operations while in observe mode if reputation has been enabled in the Application Control options policy.

If changes are allowed in Update mode, why is Observation mode needed?
MAC ships with a default policy that includes rules identified in-house to make most common, known applications work seamlessly in a MAC-enabled environment. But many environments have applications or versions that haven’t yet been tested by McAfee Enterprise. If these applications create and execute new files or modify the allow listed files, MAC blocks the action. This blocking can cause application issues or functionality loss.

It's not feasible to place a system in Update mode every time an application needs to execute/modify files or allow the application to make changes without any sort of monitoring. Observation mode allows you to minimize application failures in an Enabled or locked down state. It determines which configuration changes are needed to allow applications to function correctly while creating the least amount of security risk.

Update mode vs. Observation mode
Though Update and Observation mode are different in principle and use, to some they might sound similar because both allow changes on the system. To classify further, the following list explains the differences in the nature and use of Update and Observation mode:

• Update mode allows the changes only while the system is in maintenance (Update) mode. Observation mode allows the changes, but suggests the needed configuration to successfully carry out a similar change next time without switching to Update mode.
• Update mode is useful for a one-time change or update of a system after it’s solidified and locked down. Observation mode is an educator that helps to identify the configuration needed to make the locked down system work seamlessly.
• Update mode can be initiated anytime an emergency or significant change or update is needed. Observation mode is initiated once to identify the MAC-specific configurations before the system is finally locked down.
• You can put the system into Update mode without solidification or initial allow listing. Solidification or initial allow listing is a mandate/pre-requisite to switch to Observation mode.
• Update mode allows the files to run or modify once. Configuration identified in Observation mode allows files to run seamlessly always.

Why am i seeing blocking in observe mode?
If reputation is enabled in the Application Control Options policy, MAC still prevents execution of potentially malicious files while in Update/Observe mode. It’s advised to trust applications which are needed in the environment yet given a low reputation score in the TIE reputations page. If the reputation is from GTI, open a Service Request with Technical Support to analyze and suppress the detection.

• If you are a registered user, type your User ID and Password, and then click Log In.
• If you are not a registered user, click Register and complete the fields. Your password and instructions are emailed to you.