Understanding Active Prevention and Activation Mode
Prevention features and Activation Mode work together to protect the assets in your environment.
- Prevention Features: Control whether prevention capabilities are enabled for assets in the selected group.
- Activation Mode: Controls how the agent enforces policies on assets in the selected group.
How They Work Together
For organizations configured with an NGAV or Ransomware Prevention license, Prevention is turned on by default, which enables prevention capabilities in the group and sets Activation Mode to Active Prevention.
If you need to change these settings, use the table below to understand how the Prevention Features toggle and Activation Mode interact:
| Prevention Features | Applied License | Activation Mode Options | Effective State |
|---|---|---|---|
| ON | Prevention | Active Prevention (Default) | Full Protection: Full prevention capabilities are enabled. Threats are actively blocked. |
| ON | Prevention | Detection Only | Monitoring Only: Threats are not blocked and key security settings are disabled. |
| OFF | Detection | Detection Only | Monitoring Only: Standard detection capabilities apply. Prevention is unavailable. |
Use Case: Policy Testing
While keeping Active Prevention enabled is recommended for production environments, switching to Detection Only is highly effective for staging and testing.
If you are deploying a new, restrictive security policy to a group of assets, you can temporarily set the Activation Mode to Detection Only. This allows you to:
- Evaluate policy impact: See the new policy flags without accidentally blocking legitimate business applications or creating false positives.
- Validate your policies: Keep your Prevention license active on the asset group while safely conducting your test.
Once you verify that the new policy doesn’t cause operational disruption, you can confidently switch the Activation Mode back to Active Prevention to fully enforce the rules.
Validate policies in Detection Only mode
Active Prevention may block applications or processes that violate configured policies. We recommend validating policies in Detection Only mode before enabling blocking in production environments.
Manage Your Prevention License
- Go to Data Connectors > Agents > Endpoint Prevention.
- Click Prevention Groups and select a prevention group.
- Click Activation Mode.
- Under Prevention Features, select On to enable prevention, or Off to disable it.