Forum Discussion
Shadow IT Discovery - time taken for MDATP endpoint to use an app for the first time before block
Hi,
I am looking at using the new functionality in MD ATP to block unsanctioned apps on Win10 endpoints and have a question.
If I have a policy set up that applies to "all continuous reports" and is set to tag any newly discovered app with a risk score of 3 or less as unsanctioned, how long does it take for the app to appear in the discovered list (assuming a user accesses it on a Win10 endpoint with MDATP enabled) and be blocked on other Win10 MDATP user endpoints?
I know there will be a lot of factors that influence the *actual* time taken but I am looking to understand the timings / variables involved to get to a point where I can understand the theoretical maximum time taken from User A accessing the app, to User A (and subsequently B, C and D etc) being blocked.
Thanks
Paul
Hi Paul,
This timing depends on 2 variables:
- Time from app tagging in MCAS until it is being sent to MDATP (~15 minutes today)
- Time for MDATP to propagate this to the endpoint (up to 2 hours)
The sum of these two (2:15 hrs) is the upper bound for the unsanctioning operation to take action on the endpoint.
Thanks,
Danny.
2 Replies
- Danny Kadyshevitch (Former Employee)
- PJR_CDF (Iron Contributor)