How to enable and disable the Alert Only mode for a ZeroLock Agent.
Alert Only Mode is meant to be used during maintenance periods when the configured agent alert responses may interfere with sensitive operations.
Before starting maintenance operations, go to the ENDPOINTS window, select the target endpoint, and select ENABLE ALERT ONLY mode from the ACTIONS dropdown menu.
Note: Both the Enable and Disable Alert Only mode options only work with ZeroLock Agent version 3.5.10 and newer.
The user must select an end date and time on the activation dialog window when activating Alert Only mode. The default is 24 hours from the current time. Upon reaching the timeout, the agent will automatically revert to its normal mode of operation.
The number following the confirmation sentence is that of the target endpoint. In this example, the Alert Only mode is being activated for Endpoint #2.
When an agent is in Alert Only mode, its connection status dot is light blue. Agents in Alert Only mode will also show as light blue on the endpoint status ring.
When an agent is in Alert Only mode, its detection and response engines, when triggered, will only send alerts and will not interfere with user activity. The only exceptions to this behavior are:
- SSH-MFA is unaffected. If SSH-MFA is turned on, Alert Only mode will not affect it.
- The tampering engine will not kill user sessions but will prevent users from killing the agent or removing the agent’s files.
When the maintenance activity is completed, select the endpoint and, from the ACTIONS dropdown menu, select Disable Alert Only mode. The agents will immediately exit Alert Only mode.