This article explains the differences between Observation mode and Update mode in McAfee Application Control (MAC).
MAC uses whitelisting and memory-protection capabilities to make sure that only whitelisted, legitimate, authorized applications and files run on the system.
After you perform the initial system solidification, a whitelist of all supported applications and files is created. Every execution of a supported file is validated against this whitelist. This process locks down the system to prevent:
- Execution or running of any supported file outside the whitelist
- Changes to any supported file in the whitelist
What is Update mode?
MAC provides the following channels to modify or update a locked down system:
- Updater process: A process is any program in execution. A whitelisted executable or script can be configured as an Updater. Configuring it as an Updater allows it to modify or execute any supported file regardless of that file's state in the inventory (whitelist). Changes performed by an Updater process are dynamically reflected in the inventory (whitelist).
- User as Updater or Trusted user: You can configure individual users as MAC trusted users. All changes performed by a configured trusted user are allowed on a locked down system and are dynamically reflected in the inventory (whitelist).
- Update mode: Update mode is a systemwide maintenance mode. In Update mode, all changes performed by any process or user are allowed. Changes performed while the system is in Update mode are dynamically reflected in the inventory (whitelist).
NOTE:
- Memory Protection remains enabled and effective whichever of the above channels is used to update the system.
- MAC can still block operations while in Update mode if reputation is enabled in the Application Control Options policy.
What is Observation mode?
A system in Observation mode allows any change or execution of files. Observation mode is available on the Windows operating system and in MAC for Linux 6.2.0-187 and later.
NOTES:
- Observation mode function for Linux was added in MAC for Linux 6.2.0-187 and later. See PD27665 for details about this version.
- Observation mode for Linux does not automatically update the MAC whitelisted file inventory as it does on the Windows operating system. See KB79576 - Functionality section: "What events are generated with 6.2.0 (Linux) in Observe mode and Enable mode?" for further information.
A benefit of Observation mode is that MAC generates events and notifications for file executions or changes that would have been prevented, without actually preventing them. The events and notifications are reported to ePO with a suggested configuration change that would allow the execution or change in Enable mode. Once the reported change is confirmed as legitimate, the suggested configuration change can be applied so that the execution or change is allowed in Enable mode, the locked down state.
NOTE:
- McAfee recommends that you place 10% of the similar or matching systems in Observation mode. After you have identified any needed configuration changes, you can apply those changes to all hosts with a similar or matching software configuration.
- MAC can still block operations while in Observation mode if reputation is enabled in the Application Control Options policy.
If changes are allowed in Update mode, why is Observation mode needed?
MAC ships with a default policy that includes rules identified in-house by McAfee to make most common, known applications work seamlessly in a MAC-enabled environment. But many environments run applications or versions that McAfee has not yet tested. If these applications create and execute new files or modify whitelisted files, MAC blocks the action, which can cause application issues or loss of functionality.
It is not feasible to place a system in Update mode every time an application needs to execute or modify files, nor to allow the application to make changes without any monitoring. Observation mode lets you minimize application failures in the Enabled (locked down) state: it identifies the configuration changes needed for applications to function correctly while introducing the least security risk.
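The Observation-mode workflow described above (events reported from a pilot group, each with a suggested configuration change that is applied only once the activity is confirmed legitimate) is easiest to see on data. The following script is an added example, not McAfee code and not the real ePO event export: the CSV columns, the event names OBS_FILE_WRITE and OBS_EXECUTION, the host names and the file paths are all constructed for the example. It aggregates observed events across the pilot hosts and proposes the narrowest rule the evidence supports: a file-specific allow for executions seen across the group, an Updater rule for a process that modifies whitelisted files across the group (a broad right, so it needs the same evidence), and "investigate" for anything seen on only a few hosts, because Observation mode reports unauthorized activity exactly the way it reports a missing rule.

```python
"""Triage Observation-mode events from a pilot group into rule suggestions.

Added example, not McAfee code. The CSV columns and the event names
OBS_FILE_WRITE and OBS_EXECUTION are assumptions standing in for an ePO
event export; map your export's fields onto them before use.
"""
import csv
import io
import math
from collections import defaultdict

# Constructed sample export for five pilot hosts (assumed schema, not ePO's).
# 'process' is the program that performed the action, 'target' the file it
# wrote or executed.
SAMPLE_EVENTS = r"""host,event,process,target,user
ws01,OBS_FILE_WRITE,C:\Program Files\Vendor\update.exe,C:\Program Files\Vendor\app.exe,NT AUTHORITY\SYSTEM
ws01,OBS_FILE_WRITE,C:\Program Files\Vendor\update.exe,C:\Program Files\Vendor\core.dll,NT AUTHORITY\SYSTEM
ws02,OBS_FILE_WRITE,C:\Program Files\Vendor\update.exe,C:\Program Files\Vendor\app.exe,NT AUTHORITY\SYSTEM
ws02,OBS_FILE_WRITE,C:\Program Files\Vendor\update.exe,C:\Program Files\Vendor\ui.dll,NT AUTHORITY\SYSTEM
ws03,OBS_FILE_WRITE,C:\Program Files\Vendor\update.exe,C:\Program Files\Vendor\core.dll,NT AUTHORITY\SYSTEM
ws01,OBS_EXECUTION,C:\Windows\explorer.exe,C:\Tools\report.exe,CORP\alice
ws02,OBS_EXECUTION,C:\Windows\explorer.exe,C:\Tools\report.exe,CORP\bob
ws03,OBS_EXECUTION,C:\Windows\explorer.exe,C:\Tools\report.exe,CORP\carol
ws04,OBS_EXECUTION,C:\Windows\explorer.exe,C:\Users\dave\AppData\Local\Temp\setup_x.exe,CORP\dave
"""

PILOT_HOSTS = ("ws01", "ws02", "ws03", "ws04", "ws05")  # the ~10% pilot group


def triage(events_csv, pilot_hosts, min_host_fraction=0.5):
    """Return rule suggestions, narrowest rule first.

    Executions are grouped by the executed file: a file run on at least
    min_host_fraction of the pilot hosts gets a narrow "allow this file"
    suggestion. Writes to whitelisted files are grouped by the writing
    process: a process that modifies them on enough pilot hosts is an
    Updater candidate. Anything seen on too few hosts is flagged for
    investigation instead of being allowed.
    """
    pilot = set(pilot_hosts)
    min_hosts = max(1, math.ceil(len(pilot) * min_host_fraction))

    exec_hosts = defaultdict(set)     # executed file -> pilot hosts that ran it
    write_hosts = defaultdict(set)    # writing process -> pilot hosts seen on
    write_targets = defaultdict(set)  # writing process -> files it modified
    for row in csv.DictReader(io.StringIO(events_csv)):
        if row["host"] not in pilot:
            continue  # ignore hosts outside the pilot group
        if row["event"] == "OBS_EXECUTION":
            exec_hosts[row["target"]].add(row["host"])
        elif row["event"] == "OBS_FILE_WRITE":
            write_hosts[row["process"]].add(row["host"])
            write_targets[row["process"]].add(row["target"])

    suggestions = []
    for target, hosts in exec_hosts.items():
        rule = "allow_file" if len(hosts) >= min_hosts else "investigate"
        suggestions.append({"rule": rule, "subject": target, "hosts": len(hosts),
                            "reason": f"executed on {len(hosts)}/{len(pilot)} pilot hosts"})
    for proc, hosts in write_hosts.items():
        rule = "updater" if len(hosts) >= min_hosts else "investigate"
        suggestions.append({"rule": rule, "subject": proc, "hosts": len(hosts),
                            "reason": f"modified {len(write_targets[proc])} whitelisted file(s) "
                                      f"on {len(hosts)}/{len(pilot)} pilot hosts"})

    # Narrow rules first so the reviewer sees the least-privilege option before
    # the broad Updater grants and the items that still need a human decision.
    order = {"allow_file": 0, "updater": 1, "investigate": 2}
    suggestions.sort(key=lambda s: (order[s["rule"]], s["subject"]))
    return suggestions


if __name__ == "__main__":
    for s in triage(SAMPLE_EVENTS, PILOT_HOSTS):
        print(f'{s["rule"]:<12} {s["subject"]}  ({s["reason"]})')
```

On the constructed data the vendor updater, seen writing three distinct program files on three of five pilot hosts, comes out as an Updater candidate; report.exe, run on three hosts, gets a file-specific allow; the installer run once from one user's Temp directory is left for investigation rather than allowed. The host-fraction threshold is the knob that makes the 10% pilot meaningful: a rule suggested by one host is not yet evidence that the behaviour belongs to the software build.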
Update mode vs. Observation mode
Although Update mode and Observation mode differ in principle and use, they might sound similar because both allow changes on the system. The following list explains the differences in their nature and use:
- Update mode allows the changes only while the system is in maintenance (Update) mode. Observation mode allows the changes but suggests the needed configuration to successfully carry out a similar change next time without switching to Update mode.
- Update mode is useful for a one-time change or update of a system after it is solidified and locked down. Observation mode is an educator that helps to identify the configuration needed to make the locked down system work seamlessly.
- Update mode can be initiated any time an emergency or significant change or update is needed. Observation mode is typically initiated once, to identify the MAC-specific configuration before the system is finally locked down.
- Any change made in Update mode is dynamically updated in the inventory (whitelist). Any change made in Observation mode is updated in the inventory (whitelist) at the user's discretion.
- You can put the system into Update mode without solidification or initial whitelisting. Solidification (initial whitelisting) is a prerequisite for switching to Observation mode.
- Update mode allows files to run or be modified once. Configuration identified in Observation mode allows files to run seamlessly every time.
Why am I seeing blocking in Observation mode?
If reputation is enabled in the Application Control Options policy, MAC still prevents execution of potentially malicious files while in Update or Observation mode. Applications that are needed in the environment but have been given a low reputation score should be trusted on the TIE Reputations page. If the reputation comes from GTI, open a service request with Technical Support to analyze and suppress the detection.