How do you use All Undetermined Software Seen to identify heavy monitoring merits an override?

  • 20 December 2016
  • 0 replies

Badge +1
Best practices guide recommends using Silent Audit profile on new client machines. It suggests "After using the Silent Audit policy for a day or two, you can create overrides to address unknowns and work with support to correct any false positives you may have encountered."
In the "Addressing Unknowns" it appears to be re-active guidance to use the report to see if the program on a host is in the unknown list. And then how to create overrides from the report.
Is it possible to use the report pro-actively to create overrides? If not are there other tools that could do this?
Is dwell time significant? Given two program with same first seen and same last seen but different dwell times, does it suggest one is monitored more frequently? Does it indicate how long the file was in a monitoring state (i.e. a long dwell time suggesting program is alway active and a shorter dwell time suggesting how long the last monitoring event ran)?

0 replies

Be the first to reply!