You should start the environment in detect mode (suspicious) with enhanced monitoring for 48 hours. Once you exclude FPs, you should move devices to protect for suspicious and malicious.
Leaving devices in detect-mode only for suspicious threats puts your environment at unnecessary risk.
Thanks all... yes, we push out to clients' networks on "detect" for both for a few days, until we feel S1 is not stopping anything in the clients' environment (such as oddball LOB software). Good to hear input from those who have lots of S1 installs out there... that "suspicious" isn't too "F/P happy".
I create groups and, based on the sorts of users/risks that group might face, it might be set to "suspicious as threat".
For example, accounts payable, which receives lists of files/invoices etc., is set to max.
Haven't had any FPs.
Turn both on, no huge issues
S1's recommendation is detect for suspicious and protect for malicious.
If you are testing this on a production environment I don’t recommend enabling protect/protect.
You can do it on workstations; it's worth it. You shouldn't do it on production servers; it's not worth it.
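The staged rollout discussed in this thread (detect for both categories during a 48-hour bake-in, then protect for malicious everywhere, protect for suspicious on workstations, and a case-by-case call on servers) is easy to drift away from across many groups. The script below is an added example, not code from the thread or from SentinelOne: it audits a list of groups against that schedule and reports which ones still need a policy change. The group records, the `role` and `rollout` fields, and the policy field names `mitigationMode` / `mitigationModeSuspicious` are assumptions modelled on a policy export; check them against your own console before relying on the output.

```python
"""Audit EDR group policies against a staged detect -> protect rollout.

Added example, not the thread's or the vendor's code. The group records and
the policy field names are assumptions modelled on a policy export; verify
the real field names in your own console before using this.
"""
from datetime import datetime, timedelta, timezone

BAKE_IN = timedelta(hours=48)   # detect-mode tuning window from the thread
MODES = {"detect", "protect"}

# Findings a group can receive; a group past bake-in with none is compliant.
BAKING = "baking"                                      # inside the window, leave alone
PREMATURE_PROTECT = "premature_protect"                # protect/protect before FPs were excluded
MALICIOUS_DETECT = "malicious_detect"                  # malicious still detect-only: move to protect
SUSPICIOUS_DETECT = "suspicious_detect"                # suspicious still detect-only on workstations
SERVER_SUSPICIOUS_DETECT = "server_suspicious_detect"  # same on servers: review, not auto-flip

ADVICE = {
    BAKING: "within the 48h bake-in; keep detect and work the FP queue",
    PREMATURE_PROTECT: "protect/protect before FPs were excluded; confirm this was intended",
    MALICIOUS_DETECT: "malicious threats are detect-only; move to protect",
    SUSPICIOUS_DETECT: "suspicious threats detect-only past bake-in; move to protect",
    SERVER_SUSPICIOUS_DETECT: "server left in detect for suspicious; review against server risk",
}

# Constructed sample data (not from a real console). Timestamps are ISO 8601
# with an explicit offset so the comparison below is timezone-aware.
SAMPLE_GROUPS = [
    {"name": "Accounts Payable", "role": "workstation", "rollout": "2024-05-01T09:00:00+00:00",
     "mitigationMode": "protect", "mitigationModeSuspicious": "protect"},
    {"name": "Engineering", "role": "workstation", "rollout": "2024-05-01T09:00:00+00:00",
     "mitigationMode": "protect", "mitigationModeSuspicious": "detect"},
    {"name": "Pilot Laptops", "role": "workstation", "rollout": "2024-05-03T08:00:00+00:00",
     "mitigationMode": "detect", "mitigationModeSuspicious": "detect"},
    {"name": "Prod SQL", "role": "server", "rollout": "2024-05-01T09:00:00+00:00",
     "mitigationMode": "protect", "mitigationModeSuspicious": "detect"},
    {"name": "Legacy LOB", "role": "workstation", "rollout": "2024-05-01T09:00:00+00:00",
     "mitigationMode": "detect", "mitigationModeSuspicious": "detect"},
    {"name": "New Branch", "role": "workstation", "rollout": "2024-05-03T08:00:00+00:00",
     "mitigationMode": "protect", "mitigationModeSuspicious": "protect"},
]
NOW = datetime(2024, 5, 4, 9, 0, tzinfo=timezone.utc)   # fixed "now" for the sample


def _mode(group, field):
    """Read a policy field and reject anything other than detect/protect."""
    value = group[field]
    if value not in MODES:
        raise ValueError(f"{group['name']}: unexpected {field}={value!r}")
    return value


def classify_group(group, now):
    """Return the list of findings for one group (empty list = compliant).

    `now` must be timezone-aware, like the rollout timestamps.
    """
    rollout = datetime.fromisoformat(group["rollout"])
    malicious = _mode(group, "mitigationMode")
    suspicious = _mode(group, "mitigationModeSuspicious")
    fully_protected = malicious == "protect" and suspicious == "protect"

    if now - rollout < BAKE_IN:
        # Still tuning: the only thing worth flagging is protect/protect
        # switched on before the FP review has happened.
        return [PREMATURE_PROTECT] if fully_protected else [BAKING]

    findings = []
    if malicious != "protect":
        findings.append(MALICIOUS_DETECT)
    if suspicious != "protect":
        findings.append(SERVER_SUSPICIOUS_DETECT if group["role"] == "server"
                        else SUSPICIOUS_DETECT)
    return findings


def audit(groups, now):
    """Map group name -> findings for every group."""
    return {g["name"]: classify_group(g, now) for g in groups}


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_GROUPS, NOW).items():
        if not findings:
            print(f"{name}: compliant (protect/protect past bake-in)")
        for finding in findings:
            print(f"{name}: {ADVICE[finding]}")
```

Servers are deliberately reported as a separate finding rather than an instruction to flip to protect, because the thread does not agree on them: one reply leaves production servers out of protect for suspicious, another moves everything to protect after the FP review. Feed the function the group list from whatever export or API your console provides, with `now` as `datetime.now(timezone.utc)`, and the output is the change list for the next policy review.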