This article explains the differences between Observation mode and Update mode in Application Control.
Application Control uses Allow listing and Memory-protection capabilities to make sure that only allowed, legitimate, and authorized applications and files run on the system.
After you perform the initial system solidification, an allow list of all supported applications and files is created. Every subsequent execution of a supported file is validated against this allow list. This process locks down the system to prevent the following:
- Execution or running of any supported file outside the allow list
- Changes to any supported file in the allow list
What's Update mode?
Application Control provides the following channels to modify or update a locked-down system:
- Updater process: A process is any program in execution. An allowed executable or script can be configured as an Updater. Configuring it as an Updater allows it to modify or execute any supported file regardless of its state in the inventory (allow list). Changes performed by an Updater process are dynamically reflected in the inventory (allow list).
- User as Updater or Trusted user: You can configure individuals to be Application Control trusted users. All changes performed by the configured user are allowed on a locked-down system. Changes performed by an Updater or Trusted user are dynamically reflected in the inventory (allow list).
- Update mode: Update mode is a systemwide maintenance mode. In Update mode, all changes performed by any process or user are allowed. Changes performed when the system is in Update mode are dynamically reflected in the inventory (allow list).
NOTE:
- Memory Protection remains enabled and effective while the system is updated through any of the above channels.
- Application Control can still block operations while in Update mode if reputation has been enabled in the Application Control options policy.
What's Observation mode?
A system in Observation mode allows any change or execution of files. Observation mode is available on the Windows operating system and in Application Control for Linux 6.2.0-187 and later.
NOTES:
- Observation mode function for Linux was added in Application Control for Linux 6.2.0-187 and later. See Change Control 6.2.0 - Linux Release Notes for details about this version.
- Observation mode function for Linux doesn't automatically update the Application Control allow-listed file inventory like it does in the Windows operating system. See the Functionality section: "What events are generated with 6.2.0 (Linux) in Observe mode and Enable mode?" in KB79576 - FAQs for Application and Change Control 6.x.x for further information.
- Files get allow-listed dynamically.
A benefit of Observation mode is that Application Control generates events and notifications for file executions or changes that would have been prevented, without actually preventing them. The events and notifications are reported to ePO with a suggestion about any configuration changes needed to allow the execution or change in Enable mode. After the reported change is confirmed as legitimate, the suggested configuration changes can be applied to allow the execution or change in Enable mode (the locked-down state).
NOTE:
- Application Control recommends that you place 10% of the similar or matching systems in Observation mode. After you've identified any needed configuration changes, you can apply those changes to all hosts with a similar or matching software configuration.
- Application Control can still block operations while in Observe mode if the reputation has been enabled in the Application Control options policy.
If changes are allowed in Update mode, why is Observation mode needed?
Application Control ships with a default policy that includes rules identified in-house to make most common, known applications work seamlessly in an Application Control-enabled environment. But, many environments have applications or versions that haven't yet been tested by us. If these applications create and execute new files or modify the allow-listed files, Application Control blocks the action. This blocking can cause application issues or functionality loss.
It's not feasible to place a system in Update mode every time an application needs to execute or modify files, nor to allow the application to make changes without any monitoring. Observation mode allows you to minimize application failures in the Enabled (locked-down) state. It identifies which configuration changes are needed to allow applications to function correctly while introducing the least amount of security risk.
Update mode vs. Observation mode
Although the Update and Observation modes are different in principle and use, to some they might sound similar because both allow changes on the system. To clarify further, the following list explains the differences in the nature and use of the Update and Observation modes:
- Update mode allows changes only while the system is in maintenance (Update) mode. Observation mode allows changes, but suggests the needed configuration to successfully carry out a similar change the next time without switching to Update mode.
- Update mode is useful for a one-time change or update of a system after it's solidified and locked down. Observation mode is an educator that helps to identify the configuration needed to make the locked-down system work seamlessly.
- Update mode can be initiated anytime an emergency or significant change or update is needed. Observation mode is initiated once to identify the Application Control-specific configurations before the system is finally locked down.
- You can put the system into Update mode without solidification or initial allow listing. Solidification or initial allow listing is a mandate or prerequisite to switch to Observation mode.
- Update mode allows the files to run or modify once. Configuration identified in Observation mode allows files to run seamlessly always.
Why am I seeing blocking in the Observe mode?
If reputation is enabled in the Application Control Options policy, Application Control still prevents execution of potentially malicious files while in Update or Observe mode. It's advised to trust applications that are needed in the environment even though they're given a low reputation score on the TIE reputations page. If the reputation comes from GTI, open a Service Request with Technical Support to analyze and suppress the detection.
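The following is an added illustrative model, not Application Control's own code, of the enforcement decision described in this article: how a request is handled in Enabled, Update, and Observe mode, how the Updater-process and Trusted-user channels bypass the allow list while dynamically updating the inventory, how Observe mode records an event and a configuration suggestion instead of blocking, and how reputation blocking applies in every mode. The names Mode, Policy, Inventory, Request and decide() are assumptions made for this example; the observe_updates_inventory flag models the Windows/Linux difference noted above.

```python
"""Illustrative model of Application Control mode behaviour (added example, not product code)."""
from dataclasses import dataclass, field
from enum import Enum


class Mode(Enum):
    ENABLED = "enabled"   # locked down: only inventoried files run, inventoried files can't change
    UPDATE = "update"     # maintenance mode: any change by any process or user is allowed
    OBSERVE = "observe"   # changes allowed, but what Enabled mode would block is reported


@dataclass
class Request:
    path: str
    action: str                 # "execute" or "modify"
    process: str                # program performing the action
    user: str                   # account performing the action
    reputation: str = "unknown" # "malicious" models a low TIE/GTI reputation score


@dataclass
class Policy:
    mode: Mode
    updaters: set = field(default_factory=set)       # executables configured as Updaters
    trusted_users: set = field(default_factory=set)  # users configured as Trusted users
    reputation_enabled: bool = False                 # reputation setting in the Options policy
    observe_updates_inventory: bool = True           # True on Windows; False for Linux 6.2.0-187


@dataclass
class Inventory:
    allowed: set                                     # allow list built at solidification
    events: list = field(default_factory=list)       # events reported to ePO
    suggestions: list = field(default_factory=list)  # suggested configuration changes


def would_block_when_enabled(req: Request, inv: Inventory) -> bool:
    """The two things a locked-down system prevents (see the list at the top of the article)."""
    if req.action == "execute":
        return req.path not in inv.allowed          # execution outside the allow list
    return req.path in inv.allowed                  # change to a file in the allow list


def decide(req: Request, policy: Policy, inv: Inventory) -> str:
    """Return 'allow' or 'block', recording events and inventory changes as the article describes."""
    # Reputation blocking applies regardless of mode, including Update and Observe mode.
    if policy.reputation_enabled and req.reputation == "malicious":
        inv.events.append(f"BLOCK (reputation) {req.action} {req.path} by {req.process}")
        return "block"

    # Update channels: systemwide Update mode, an Updater process, or a Trusted user.
    via_channel = (
        policy.mode is Mode.UPDATE
        or req.process in policy.updaters
        or req.user in policy.trusted_users
    )
    if via_channel:
        inv.allowed.add(req.path)   # changes are dynamically reflected in the inventory
        return "allow"

    if not would_block_when_enabled(req, inv):
        return "allow"

    what = "execute outside allow list" if req.action == "execute" else "modify allow-listed file"
    if policy.mode is Mode.OBSERVE:
        # Allowed, but reported together with the configuration change that would be needed.
        inv.events.append(f"OBSERVED (would block in Enable mode): {what} {req.path} by {req.process}")
        inv.suggestions.append(f"configure {req.process} as an Updater to allow {req.action} of {req.path}")
        if policy.observe_updates_inventory:
            inv.allowed.add(req.path)  # Windows: file is allow-listed dynamically; not on Linux
        return "allow"

    inv.events.append(f"BLOCK {what} {req.path} by {req.process}")
    return "block"


if __name__ == "__main__":
    # Constructed sample: one solidified system, first locked down, then observed.
    inv = Inventory(allowed={"/usr/bin/app"})
    locked = Policy(mode=Mode.ENABLED, updaters={"/usr/bin/yum"})
    print(decide(Request("/tmp/new.sh", "execute", "/bin/bash", "alice"), locked, inv))   # block
    print(decide(Request("/usr/bin/app", "modify", "/usr/bin/yum", "root"), locked, inv))  # allow
    observed = Policy(mode=Mode.OBSERVE)
    print(decide(Request("/tmp/new.sh", "execute", "/bin/bash", "alice"), observed, inv))  # allow
    print(inv.suggestions)
```

Running the module prints the decisions for a constructed locked-down system and then the suggestion list that Observe mode would report; the same function can be called with a Linux-style policy (observe_updates_inventory=False) to see that the file is allowed without being added to the inventory.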