Version
All
Issue
Bit9 agent in Disable mode policy still has I/O activity.
Symptoms
Procmon shows I/O activities for parity.exe process.
Cause
Normal behavior.
Solution
Verify on procmon that there are I/O activities too on different applications.
A Bit9 agent in Disabled mode continues to monitor, but not report to the Bit9 server, certain operations to avoid gaps in file and process information if the Bit9 agent is later brought back into an active enforcement mode. This normally requires a very minimal amount of resources on the endpoint, although if an extremely large number of writes are performed on the machine by other application, which the Bit9 agent will monitor, the impact (I/O) may be noticeable.
Disabled policy agent still get a minimum of file information, such as hashes. The Disable mode Bit9 agent is not 100% dormant agent. It is still monitoring the machine for activity but not enforce the rules.