Threat Report: Exposing Malware in Linux-Based Multi-Cloud Environments | Download Now

App Control: "High Enforcement Report Only" (HERO) Policy Still Blocking Files It Should Report On

App Control: "High Enforcement Report Only" (HERO) Policy Still Blocking Files It Should Report On

Environment

  • App Control Server: All Supported Versions

Symptoms

  • Files not banned and that should be reported on with the "HERO" policy being blocked.
  • Moving same agent into a different "HERO" policy reports as expected on the files being blocked by the affected "HERO" policy.

Cause

Rules to allow report only of files not received by "HERO" policy.

Resolution

  1. Create a new "HERO" policy with the desired settings, from scratch, and name it something slightly different than the affected policy.
  2. Move one agent into the new "HERO" policy and see if the rules work as expected.
  3. If the new policy works as expected, move all relevant agents to this new policy and delete the affected policy.

Additional Notes

"HERO" policies should not be used because they frequently cause a large volume of Unapproved (Persisted) files, which then require manual intervention for approval.

Related Content


Labels (1)
Was this article helpful? Yes No
No ratings
Article Information
Author:
Creation Date:
‎06-16-2022
Views:
490
Contributors