Hi @Walker ,

First, please check the following two points to isolate the cause.

1. Check if the policy assigned to the linux machine allows events to be sent to ePO.
2. Check if the ENSL log records the blocked event.

For 1, please check if the following options are enabled in the policy assigned to the system on which ENSL is installed.
[Endpoint Security Common]
 - [Client Logging]
  - [Event Logging]
   - [Send events to Trellix ePO]

For 2, please check the ENSL logs to see if the block is detected by any of the ENSL functions. For example, you can test the detection of OnAccess Scan by following the procedure below.

1.Log on to the system as a user with administrator rights.
2.Download the EICAR test file.
#Instructions for downloading the Eicar file can be found in the installation guide below.
3.Verify the detection in the log file.
4.The default location of the log file is /var/McAfee/ens/log/tp/mfeoasmgr.log

In this case, please first confirm that the eicar file is detected in /var/McAfee/ens/log/tp/mfeoasmgr.log.

#reference information
[Test Threat Prevention installation]
https://docs.trellix.com/bundle/endpoint-security--v10-7-0-installation-guide-linux/page/GUID-DFD6C1...

The problems you are describing are very difficult for the community to identify the cause. If you cannot identify the cause of the problem, please contact us by a Service Request to investigate the problem.