Dec 05 2019 04:04 AM - edited Dec 05 2019 06:25 AM
Hi,
I am looking at using the new functionality in MD ATP to block unsanctioned apps on Win10 endpoints and have a question.
If I have a policy set up that applies to "all continuous reports" and is set to tag any newly discovered app with a risk score of 3 or less as unsanctioned, how long does it take for the app to appear in the discovered list (assuming a user accesses it on a Win10 endpoint with MDATP enabled) and be blocked on other Win10 MDATP user endpoints?
I know there will be a lot of factors that influence the *actual* time taken but I am looking to understand the timings / variables involved to get to a point where I can understand the theoretical maximum time taken from User A accessing the app, to User A (and subsequently B, C and D etc) being blocked.
Thanks
Paul
Dec 09 2019 07:38 AM
Solution
Hi Paul,
This timing depends on 2 variables:
The sum of these two (2:15 hrs) is the upper bound for the unsanctioning operation to take action on the endpoint.
Thanks,
Danny.
Dec 09 2019 09:03 AM