
Application Control - General Query

Hi All,

I have created a policy within Enterprise Console (5.2.1 R2) to detect (but allow to run) all applications that users on our network may be using. I am slightly concerned that this may result in the creation of large log files on the Enterprise Console Server.

Does anyone know where these events are logged and is it likely to impact on the performance of the Enterprise Console Server and/or the client PC? We have approximately 600 client PCs.

Any pointers on how long I should let this policy run or best practice in this area would be much appreciated.

Many thanks,

JP



This thread was automatically locked due to age.
  • Hello JP,

    alerts and events are stored in the database - no logs are created. While this has some impact, monitoring for a limited time (a few days) shouldn't be a problem given the number of endpoints. BTW: You can scan for the applications present on the endpoints with a scheduled scan.

    Perhaps you should assign the policy to a typical group of computers to see how many events are created. You'll likely want to authorize your frequently used and permissible "standard" applications (browser, PDF Viewer, Office suite) before assigning the policy to all your endpoints to reduce the number of events.

    Please also note that Detect but allow to run is a global setting - thus you can't monitor a certain type and block another. Feel free to ask if you have more questions.

     Christian
