Maintenance Mode
  • 08 Sep 2023

About this Article
This article describes Maintenance Mode: its workflow, how to start and end it, and frequently asked questions.


Introduction

Maintenance Mode is an intermediate mode for configured hosts, intended to make upgrades on the host systems go smoothly. In this mode, the probe goes into an “observer” state, allowing the execution of new binaries during the change control window. No incidents are reported, and new binaries are automatically added to the allowlist.

Utilize Maintenance Mode for system maintenance windows that involve the installation and uninstallation of multiple software packages that could otherwise generate a large number of incidents and management overhead.

Maintenance Mode is an extension of the auto-Allowlist mode, in which files with a good reputation (or, if so selected, an unknown reputation) are automatically added to the Allowlist. The difference is that Maintenance Mode also covers the scenarios in which a reputation check is not configured or the reputation is unknown, and that it is active only for a limited period of time - the “Maintenance Window”.


Workflow

The Maintenance Mode workflow is depicted here:


Start Maintenance Mode

  1. Ensure that the UTC time values on both CMS and Probe servers are in sync
  2. On the Host Monitoring page, click the below icon for a host profile
  3. The pop-up window displays the associated hosts. Select the required hosts
  4. Click Maintenance and select Start Selected (Number of Hosts). Maintenance Mode can be started on any host irrespective of its Monitoring Mode (Protect, Detect or Disabled). Click YES on the pop-up window to confirm the action
  5. Once the Maintenance Mode is activated, it is depicted in these places:
    1. For the host, the Maintenance State shows Active
    2. The Monitoring Mode is greyed out, as the host(s) are no longer monitored
    3. The Maintenance button is highlighted
    4. On the Host Monitoring page, the below icon is visible at the profile level
  6. The configured Monitoring Mode is active on the hosts that are not under maintenance
  7. While in Maintenance Mode, the Protection Mode (Protect, Detect, Disabled) can still be changed, but the change takes effect only after Maintenance Mode ends


End Maintenance Mode

Once the upgrade or maintenance window on the Probe instance is complete, ensure that it is stopped in the CMS as well.

  1. To end Maintenance Mode, select the required hosts and click Maintenance
  2. There are two options to end Maintenance Mode. Select the appropriate option:
    1. Stop: This indicates that the Maintenance is complete and a scan is initiated on the selected hosts in Maintenance Mode
      1. Once the scan is complete, the allowlist is published and all the newly installed executables are auto-allowlisted
      2. Only the ones with the file reputation “Threat” are not allowlisted and are reported as incidents
      3. The profile is published to all the hosts automatically
    2. Cancel: This cancels the Maintenance Mode and a scan is not initiated on the hosts
  3. The original Protection Mode is enabled on the respective hosts
  4. An Executables search can be filtered by the hosts that are in Maintenance Mode
  5. Ensure that Maintenance Mode is not active during CMS and/or Probe upgrade


FAQ

What are the types of Host-related incidents that are not reported during the Maintenance Mode?

Incidents related to host protection, ACP and Memory exploit protection are not reported. All the other types of incidents (Web Application Protection, FSM and Buffer Exploit Protection) are reported on CMS even during the Maintenance Mode.


What are the types of Host-related files that are automatically added to allowlist during Maintenance Mode?

Only the new executables are added to the allowlist automatically.


What happens to the files that were previously not explicitly allowlisted? Are they discovered again during Maintenance Mode?

Such files are not allowlisted after maintenance ends. They are also not re-discovered during the scan.
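To make the rules in the Start/End workflow and the FAQ above concrete, here is an added Python model of a host's Maintenance Mode lifecycle (observer state, deferred Monitoring Mode change, incident suppression, Stop versus Cancel, and “Threat” files not being allowlisted). It is illustrative code written for this article, not the product's own logic; the incident type strings, file paths and reputation values are constructed for the example.

```python
from dataclasses import dataclass, field
# Incident types NOT reported while a host is in Maintenance Mode; the others
# (Web Application Protection, FSM, Buffer Exploit Protection) still reach the CMS.
SUPPRESSED_IN_MAINTENANCE = {"host_protection", "acp", "memory_exploit_protection"}

@dataclass
class Host:
    monitoring_mode: str                   # Protect, Detect or Disabled
    allowlist: set = field(default_factory=set)
    maintenance_active: bool = False
    pending_mode: str = ""                 # mode change requested during the window
    new_executables: dict = field(default_factory=dict)  # path -> file reputation
    incidents: list = field(default_factory=list)        # what the CMS would show

    def start_maintenance(self):
        self.maintenance_active = True     # probe becomes an "observer"
    def set_monitoring_mode(self, mode):
        # Allowed during maintenance, but applied only once the window ends
        if self.maintenance_active:
            self.pending_mode = mode
        else:
            self.monitoring_mode = mode
    def report_incident(self, kind, detail):
        # True if the incident reached the CMS, False if suppressed by maintenance
        if self.maintenance_active and kind in SUPPRESSED_IN_MAINTENANCE:
            return False
        self.incidents.append((kind, detail))
        return True
    def observe_execution(self, path, reputation):
        # In the window a new binary is recorded, not reported; outside it,
        # running an unallowlisted binary is a host-protection incident.
        if path in self.allowlist:
            return False
        if self.maintenance_active:
            self.new_executables[path] = reputation
            return False
        return self.report_incident("host_protection", path)
    def end_maintenance(self, action):
        # "Stop": scan, allowlist new executables except "Threat" ones (incidents).
        # "Cancel": end the window with no scan, so nothing is allowlisted.
        self.maintenance_active = False
        if self.pending_mode:                       # apply the deferred mode change
            self.monitoring_mode, self.pending_mode = self.pending_mode, ""
        if action == "Stop":
            for path, reputation in self.new_executables.items():
                if reputation == "Threat":
                    self.report_incident("host_protection", path)
                else:
                    self.allowlist.add(path)
        self.new_executables.clear()
```

Files first seen before the window (and therefore already reported) are never placed in `new_executables`, which is why they are not allowlisted or rediscovered when the window ends, as the last FAQ states.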
