
Page 1: McAfeeApplicationControlEvaluationGuideb2b-download.mcafee.com/.../v5.0/MFE_APP_CON_WIN_EVAL_5_1.pdf · 4 BrowsetoandselecttheappropriateSolidcoreAgentpackagezipfile. 5 ClickNext.ThePackageOptionspageappears

McAfee Application Control Evaluation Guide
For use with ePO 4.0 and 4.5


COPYRIGHT

Copyright © 2010 McAfee, Inc. All Rights Reserved.

No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of McAfee, Inc., or its suppliers or affiliate companies.

TRADEMARK ATTRIBUTIONS

AVERT, EPO, EPOLICY ORCHESTRATOR, FOUNDSTONE, GROUPSHIELD, INTRUSHIELD, LINUXSHIELD, MAX (MCAFEE SECURITYALLIANCE EXCHANGE), MCAFEE, NETSHIELD, PORTALSHIELD, PREVENTSYS, SECURITYALLIANCE, SITEADVISOR, TOTAL PROTECTION, VIRUSSCAN, WEBSHIELD are registered trademarks or trademarks of McAfee, Inc. and/or its affiliates in the US and/or other countries. McAfee Red in connection with security is distinctive of McAfee brand products. All other registered and unregistered trademarks herein are the sole property of their respective owners.

LICENSE INFORMATION

License Agreement

NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND.


Contents

Introducing McAfee Application Control ..... 6
    About this guide ..... 7
Installing the McAfee Solidcore Extension ..... 8
    Pre-requisites ..... 8
    Installing the Solidcore extension package ..... 8
    Installing licenses ..... 8
    Installing the Solidcore Agent ..... 9
        Checking in the Solidcore Agent deployment package to the ePO repository ..... 9
        Installing Solidcore Agent on clients ..... 10
        Enabling Solidcore Agent on clients ..... 11
Application Control Framework ..... 13
How can I verify that only authorized code can run? ..... 15
    Verifying that the authorized application code can run ..... 15
    Defining an alert ..... 15
    Verifying that unauthorized application code cannot run ..... 16
        Uploading events from the client to the ePO ..... 16
    Reporting ..... 16
How do I verify that Application Control tamper proofs application code? ..... 18
    Verifying that application code files cannot be tampered with ..... 18
        Uploading events from the client to the ePO ..... 18
    Reporting ..... 18
How can I blacklist an application so that it cannot run? ..... 20
    Creating an Application Control policy ..... 20
        Assigning an Application Control policy ..... 21
    Defining an alert ..... 21
    Verifying that blacklisting is in effect ..... 22
        Uploading events from the client to the ePO ..... 22
    Reporting ..... 22
How can I run software available on a trusted directory remotely from a client where Application Control is enabled? ..... 23
    Creating an Application Control policy ..... 23


        Assigning an Application Control policy ..... 24
    Verifying your trusted directory policy ..... 24
How can I ensure that any software released by a trusted publisher will always run on a client where Application Control is enabled? ..... 25
    Adding a new publisher ..... 25
    Creating an Application Control policy ..... 25
        Assigning an Application Control policy ..... 26
    Verifying your software from your trusted publisher will run ..... 26
How can I create a trusted installer so that it can be used for installing software on a client where Application Control is enabled? ..... 27
    Adding an installer ..... 27
    Creating a software repository server scan ..... 28
    Creating an Application Control policy ..... 28
        Assigning an Application Control policy ..... 29
    Verifying your trusted installer will run ..... 29
How can I enable automatic updates on a client where Application Control is enabled? ..... 30
    Creating an Application Control policy ..... 30
        Assigning an Application Control policy ..... 31
    Verifying that the application code files can only be modified by your trusted program ..... 31
        Uploading events from the client to the ePO ..... 31
    Reporting ..... 31
How can I allow an admin user or a user group to install/update software on a client where Application Control is enabled? ..... 32
    Creating an Application Control policy ..... 32
        Assigning an Application Control policy ..... 33
    Verifying trusted users can update the client ..... 33
How do I perform emergency changes when Application Control is enabled? ..... 34
    Create a SC: Begin Update Mode task ..... 34
    Verifying that changes can be made during the update window ..... 35
    Create an SC: End Update Mode client task ..... 35
    Verifying that changes cannot be made outside the update window ..... 35
How can I get the list of software inventory from client machine(s) in my network? ..... 37
    Creating a SC: Pull Inventory client task ..... 37
    Create a Solidcore: Update Inventory Search Indexes server task ..... 38
    Verifying the inventory list has been updated ..... 38


How do I whitelist java class files or a list of java class files lying in a particular location? ..... 39
    Creating a SC: Run Commands client task ..... 39
    Verifying the Run Commands client task was successful ..... 40
    Executing a java whitelist file ..... 40
        Uploading events from the client to the ePO ..... 40
    Reporting ..... 40
How can I compare a baseline of the whitelisted files on my host with the list of files on a gold host? ..... 42
    Creating a SC: Pull Inventory client task for your Gold Host and Host A ..... 42
    Create a Solidcore: Run Image Deviation server task ..... 43
    Compare Host A whitelist against Gold Host whitelist ..... 43
How do I find other Application Control Reports? ..... 44
    How can I receive a report through email? ..... 44
    Application Control Reports ..... 44
FAQs ..... 46


Introducing McAfee Application Control

McAfee Application Control uses dynamic whitelisting to ensure that only trusted applications run on devices, servers and desktops. This provides IT with the greatest degree of visibility and control over clients, and helps enforce software license compliance. Additionally, McAfee Application Control extends the viability of fixed function systems without impacting system performance.

Gain complete protection against unwanted applications

Today's organizations struggle with ensuring that clients comply with corporate IT standards. End users can unintentionally introduce software that poses a risk to the business. What is needed is a way to standardize clients without impacting end-user productivity. McAfee Application Control augments traditional security solutions, enabling IT to allow only approved system and application software to run, and to easily block unauthorized or vulnerable applications that may compromise clients, without imposing operational overhead.

NOTE: System and application software is generally called application code throughout this document.

Extend the business viability of constrained systems

McAfee Application Control has already been deployed on thousands of devices, servers and desktops worldwide. It locks down these systems against malware threats and unwanted changes, with no file system scanning or other periodic activity that could impact system performance. It is equally effective in standalone mode without network access, and has been designed to operate in a variety of network and firewall configurations.

Features

• Dynamic whitelisting through a trusted source.

• McAfee Application Control eliminates the need for IT administrators to manually maintain lists of approved applications. This enables IT departments to adopt a flexible approach where a repository of trusted applications can run on clients. This prevents execution of all unauthorized software, scripts and dynamic link libraries (DLLs), and further defends against memory exploits.

• McAfee Application Control runs transparently on clients, and can be set up quickly, with very low initial and ongoing operational overhead and minimal impact on CPU cycles.

Low overhead footprint

Today's IT departments face tremendous pressure to ensure that their client nodes comply with many different security policies, operating procedures, and regulations. Extending the viability of fixed function devices such as point-of-sale (POS) terminals, customer service terminals, and legacy NT platforms has become critical.

With McAfee Application Control, IT departments now have a way to eliminate unauthorized software on client nodes, while providing employees greater flexibility to use the resources they need to get their jobs done. McAfee's dynamic whitelisting trust model eliminates the labor and cost associated with other whitelisting technologies, thereby reducing overhead and increasing continuity.

Application Control protects your organization against malware attacks before they occur by proactively controlling the applications executing on your desktops, laptops, and servers.

About this guide

This guide describes several Application Control use case scenarios using ePolicy Orchestrator 4.0 (Patch 5 or later) or version 4.5.

To use this guide effectively, you must be familiar with ePolicy Orchestrator versions 4.0 and/or 4.5. For more information, see the ePolicy Orchestrator product documentation.


Installing the McAfee Solidcore Extension

This section provides instructions for installing the McAfee Solidcore extension to an ePolicy Orchestrator already deployed in your network.

Contents

Pre-requisites

Installing the Solidcore extension package

Installing licenses

Installing the Solidcore Agent

Pre-requisites

Complete these procedures before installing the Solidcore extension software.

1 If you are using ePolicy Orchestrator 4.0, Patch 5 or later must be installed on your ePO server.

2 Download the Solidcore_<version>.ZIP file from the McAfee download site.

3 Review the release notes to identify any last-minute dependencies you may have to provide for, and acquaint yourself with known issues.

Installing the Solidcore extension package

Use this procedure to install the Solidcore extension (zip) file. The extension must be installed before ePolicy Orchestrator can manage Solidcore products.

1 Ensure that the extension file is in an accessible location.

2 From the ePO 4.0 console, select Configuration | Extensions. From the ePO 4.5 console, select Menu | Software | Extensions.

3 The Extensions page opens. Click Install Extension.

4 Browse to and select the SOLIDCORE_<VERSION>.ZIP file.

5 Click OK.

6 Verify that the Solidcore product name appears in the Extensions list.

Installing licenses

After installing the Solidcore extension, the license keys provided need to be added to enable the corresponding product features. Use this procedure to add Solidcore licenses.


1 From the ePO 4.0 console, select Configuration | Server Settings. From the ePO 4.5 console, select Menu | Configuration | Server Settings.

2 The Settings Categories page opens. Under Setting Categories, select Solidcore and click Edit.

3 Add the appropriate license keys for enabling Application Control.

4 Click Save.

Installing the Solidcore Agent

Installing the Solidcore Agent on clients to enable Application Control includes the following steps:

1 Check the appropriate Solidcore Agent deployment package for your platform into the ePO software repository.

2 Install the Solidcore Agent on clients.

3 Enable the Solidcore Agent on clients.

Checking in the Solidcore Agent deployment package to the ePO repository

Before you begin:

• Download the Solidcore Agent deployment package from the McAfee download site.

• All clients should be managed by the ePO.

The following table provides a list of all available Solidcore Agent deployment packages:

Package Name                  OS Platform
SOLIDCOR<version>_WIN.Zip     Windows
SOLIDCOR<version>_LNX.ZIP     Linux
SOLIDCOR<version>_SLR.ZIP     Solaris
SOLIDCOR<version>_HPX.ZIP     HPUX
SOLIDCOR<version>_AIX.ZIP     AIX

NOTE:

• <version> is the latest version and build number of the product. For example, use SOLIDCOR510-6807_AIX.ZIP, where 510 is the product version for the 5.1.0 release and 6807 is the build number.

• Application Control is not available for AIX and HPUX.
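As an added example (not from the guide and not a McAfee tool), the Python below parses the package file names listed in the table above according to the naming convention the note describes: the three version digits become a dotted release number, the digits after the dash are the build, and the suffix is the platform. It then filters a download listing down to the platforms on which Application Control is available, so that only usable packages are checked in. The regular expression, the function names and the sample listing are this example's own assumptions.

```python
import re
from typing import Dict, List, Optional

# Platform suffix -> OS, taken from the package table above.
PLATFORMS = {"WIN": "Windows", "LNX": "Linux", "SLR": "Solaris", "HPX": "HPUX", "AIX": "AIX"}
# The note above states that Application Control is not available for AIX and HPUX.
APP_CONTROL_PLATFORMS = {"WIN", "LNX", "SLR"}

# Assumed shape of <version>: three version digits, a dash, the build number, then the platform.
_PACKAGE = re.compile(r"^SOLIDCOR(?P<ver>\d{3})-(?P<build>\d+)_(?P<plat>[A-Z]{3})\.ZIP$",
                      re.IGNORECASE)


def parse_package_name(filename: str) -> Optional[Dict[str, object]]:
    """Parse SOLIDCOR<version>-<build>_<PLATFORM>.ZIP; return None if the name does not fit."""
    match = _PACKAGE.match(filename.strip())
    if match is None:
        return None
    plat = match.group("plat").upper()
    if plat not in PLATFORMS:          # a three-letter suffix that is not a known platform
        return None
    return {
        "version": ".".join(match.group("ver")),   # "510" -> "5.1.0"
        "build": int(match.group("build")),
        "platform": PLATFORMS[plat],
        "application_control": plat in APP_CONTROL_PLATFORMS,
    }


def application_control_packages(filenames: List[str]) -> List[str]:
    """Keep only the package names worth checking in for an Application Control evaluation."""
    keep = []
    for name in filenames:
        info = parse_package_name(name)
        if info is not None and info["application_control"]:
            keep.append(name)
    return keep


# Constructed sample listing of a download folder (hypothetical file names).
SAMPLE_FILES = ["SOLIDCOR510-6807_WIN.Zip", "SOLIDCOR510-6807_AIX.ZIP",
                "SOLIDCOR510-6807_LNX.ZIP", "Solidcore_5.1.0.ZIP", "readme.txt"]
```

Running `application_control_packages(SAMPLE_FILES)` returns the Windows and Linux agent packages only; the AIX package parses correctly but is dropped, and the extension zip and the text file do not match the agent package pattern at all.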

Use the following procedure to add the Solidcore Agent deployment package into the ePO software repository.

1 From the ePO 4.0 console, select Software | Master Repository. From the ePO 4.5 console, select Menu | Software | Master Repository. The Packages in the Master Repository page appears.

2 From the ePO 4.0 console, select Check In Package. From the ePO 4.5 console, select Actions | Check In Package.

3 Select the package type as Product or Update (.ZIP).


4 Browse to and select the appropriate Solidcore Agent package zip file.

5 Click Next. The Package Options page appears.

6 Confirm the following:

• Package Info: Confirm that this is the correct package.

• Branch: Select the desired branch - current for new products.

• Package signing: This specifies if the package is signed by McAfee or is a third-partypackage.

7 Click Save to begin checking in the package. Wait while the package is checked in. The new package appears in the Packages in Master Repository list on the Master Repository tab.

Installing Solidcore Agent on clients

This section assumes that you have added each client computer on which the Solidcore Agent package is to be installed to the ePO and pushed the CMA agents to them. For details on how to achieve this, refer to the ePolicy Orchestrator Installation Guide and ePolicy Orchestrator Product Guide.

NOTE: This guide only specifies steps to perform on a single system. To perform these steps on multiple systems, select the appropriate group in the system tree and choose Client Tasks.

Use this procedure to install the Solidcore Agent on your clients.

1 From the ePO 4.0 console, select Systems | System Tree | Client Tasks. From the ePO 4.5 console, select Menu | Systems | System Tree | Client Tasks.

2 Click New Task. The Client Task Builder page appears.

3 Type the name of the task (for example, Install Solidcore Agent on client-computer) and add any descriptive information to the Notes field.

4 From the ePO 4.0 console, select Product Deployment (McAfee Agent) from the Type drop-down menu. From the ePO 4.5 console, select Product Deployment from the Type drop-down menu. Select Send this task to all computers.

5 Click Next. The Configuration page appears.

6 Next to Target platforms, select the type of platform to use (for example, if you selected the Solidcore Agent package for Windows, you would select Windows as your platform).

7 From the Products and components list, select the Solidcore Agent for xxx 5.1.0 (where xxx is the platform name) and then:

• Set the Action to Install.

• Select the Language of the package.

• Set Branch (only applicable on ePO 4.5) to current for new package.

8 Click Next. The Schedule page appears.

9 Select Enabled for the schedule status.

10 From the Schedule type list select the appropriate schedule. To deploy immediately selectRun Immediately.

11 Click Next. The Summary page appears.

12 Review and verify the details, then click Save.


13 If you scheduled the task to run immediately, perform an agent wake-up call. To confirm that the Solidcore Agent has been successfully installed:

• Agent logs can be viewed from the ePO. Select Systems | System Tree, then select a client. From the More Actions menu, select Show Agent Log.

NOTE: Agent logs are not enabled by default on ePO 4.5. For details on enabling Agent logs, refer to the ePolicy Orchestrator Product Guide.

• You can also perform an agent wake-up call and use the following procedure to view Solidcore system properties after the agent deployment is complete.

Viewing Solidcore System Details

Use the following procedure to view Solidcore system properties.

1 From the ePO 4.0 console, select Systems | System Tree. From the ePO 4.5 console, select Menu | Systems | System Tree.

2 Double-click on your host. The System Details page appears.

3 Scroll down to Solidcore; you should see the product version and installation path.

NOTE: At this point the Solidcore Agent is deployed on the client but its functionality is not activated. To activate the functionality, you need to perform the SC: Enable client task on the agent as described below.

Enabling Solidcore Agent on clients

Use this task to enable the Solidcore Agent on the clients.

NOTE: When enabling the Solidcore Agent on a client with Application Control, no changes should be made to the client during this time. Changes can be made to the client once the enable process is complete and the Solidcore Agent has restarted.

1 Log on to ePolicy Orchestrator server as an administrator.

2 From the ePO 4.0 console, select Systems | System Tree | Client Tasks. From the ePO 4.5 console, select Menu | Systems | System Tree | Client Tasks.

3 Click New Task. The Client Task Builder page appears.

4 Type the name of the task and add any descriptive information to the Notes field.

5 Select SC: Enable (Solidcore 5.1.0) from the Type drop-down menu.

6 Click Next. The Configuration page appears.

7 Enable Application Control, then select Perform Initial Scan to create whitelist to perform the initial scan of the client system while enabling the Solidcore agent. For details on enabling Application Control with an initial scan, refer to the McAfee Solidcore Product Guide.

8 Select Force Reboot with the Task to restart the client system immediately after running the task, then click Next.

NOTE: A restart of the client system is necessary to bring the changes into effect.

9 Click Next. The Schedule page appears.

10 Select Enabled for the Schedule status.

11 From the Schedule type list select the appropriate schedule. To deploy immediately selectRun Immediately.


12 Click Next. The Summary page appears.

13 Review and verify the details, then click Save.

14 If you scheduled the task to run immediately, perform an agent wake-up.

Use the following steps to verify that the Solidcore Agent has been enabled on the client. Note that an agent wake-up call is required to fetch the current value of these properties after the agent has been enabled.

a From the ePO 4.0 console, select Systems | System Tree. From the ePO 4.5 console, select Menu | Systems | System Tree.

b Double-click on your host. The System Details page appears.

c Scroll down to Solidcore and click More; you should see the status as enabled.

NOTE: Once you have installed and enabled the Solidcore Agent on your clients, policies can be used for fulfilling the business requirements that are supported by having an Application Control solution in place.


Application Control Framework

The principal mechanisms that enable McAfee's Application Control Framework are:

• Application Code Protection: Allows only whitelisted programs (binary executables, scripts) to run. Any program that does not appear in the whitelist cannot run. Additionally, it provides tamper proofing for whitelisted programs such that their program files, and optionally registry keys, cannot be modified on disk.

• Memory Protection: Prevents vulnerabilities in whitelisted programs from being exploited. Memory protection is only available on Windows.

McAfee Application Control supports policies, which are rules for selectively applying or overriding these mechanisms. The policies were created and refined based on feedback from customers' use of the product in the field.

The Application Code Protection policies allow or disallow membership in the whitelist by:

• Binary: Allow or ban a particular binary identified by its name or checksum.

• Trusted Publisher: Allow executables of a particular vendor, signed with a certificate issued to the vendor by a Certificate Authority.

• Trusted Installer: Allow all software that is installed by a particular installer, identified by its checksum, regardless of its source.

• Trusted Directories: Many organizations maintain a shared folder on the internal network where installers for authorized and licensed applications are kept. Such network shares are within the security perimeter and are known and trusted by the customer. This policy allows all users to run any software present on a Trusted Directory identified by its UNC pathname.

• Trusted Program, or Authorized Updater: Allow programs identified by name to add/update application code.

• Trusted User, or Authorized User: Defines which users should be allowed to selectively override the tamper proofing to add/update application code.

• Trusted Time Window, or Update Mode: Defines a time window within which all tamper proofing is overridden. Programs that are not part of the whitelist can run and update the system.

Here are some real life examples of Application Code Protection policies:

• Binary: blacklist or ban regedit.exe to prevent users from making unrestricted changes to the Windows Registry.

• Trusted Directory: add a network share as a Trusted Directory to allow users to install any software available at this location.

• Trusted Publisher: add Adobe's code signing certificate to permit all software issued by Adobe to install and run.

• Trusted Installer: add the Microsoft Office 2007 installer to allow any user to install it.

• Trusted Program: SMS should be able to install or update any application code on the client; the anti-virus product should be able to update its engine on demand.

• Trusted User: allow IT administrators to install or update any software.

• Trusted Time Window: IT should be able to update during a prescribed time window. Emergency changes: IT should be able to override Application Control to update a system, for example to restore a system to a previous known good state.

Memory Protection (only available on Windows) is an advanced security mechanism and its description lies beyond the scope of this Evaluation Guide.
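As an added example, not code from this guide or from McAfee, the following Python script models how the Application Code Protection policy types above decide whether a program may run. Everything in it is an assumption made for illustration: the whitelist is represented as a set of SHA1 digests, a Trusted Publisher as a signer-name string, the rule precedence (bans first, then the allow rules) is not taken from the product, and the file contents and paths are constructed. What it shows beyond the table is the difference between banning regedit.exe by file name and by checksum: a renamed copy of the same file slips past a name rule but not a SHA1 rule.

```python
# Added example (not McAfee code): a small model of the Application Code
# Protection policy types, run against constructed execution requests.
# Assumptions not documented on the page: ban rules are checked before any
# allow rule, the whitelist is a set of SHA1 digests, and a trusted
# publisher is modelled as a signer-name string.
import hashlib
import ntpath
from dataclasses import dataclass, field


@dataclass
class Policy:
    whitelist: set                                        # SHA1 digests of whitelisted files
    banned_names: set = field(default_factory=set)        # Binary rule, Rule Type: File Name
    banned_sha1: set = field(default_factory=set)         # Binary rule, Rule Type: SHA1
    trusted_dirs: list = field(default_factory=list)      # Trusted Directories (UNC paths)
    trusted_publishers: set = field(default_factory=set)  # Trusted Publisher (signer names)
    update_mode: bool = False                             # Trusted Time Window / Update Mode


@dataclass
class ExecRequest:
    path: str         # Windows path of the file being executed
    content: bytes    # file bytes, hashed to identify the binary
    signer: str = ""  # signer name if the file is code-signed, else empty


def sha1(data):
    return hashlib.sha1(data).hexdigest()


def in_trusted_dir(path, trusted_dirs):
    # Case-insensitive prefix match on whole path components, so that
    # \\server\share2\ is not accepted as being inside \\server\share\.
    norm = ntpath.normcase(path)
    for d in trusted_dirs:
        prefix = ntpath.normcase(d).rstrip("\\") + "\\"
        if norm.startswith(prefix):
            return True
    return False


def evaluate(policy, req):
    """Return ("Allowed" or "Execution Denied", reason) for one execution."""
    name = ntpath.basename(req.path).lower()
    digest = sha1(req.content)
    # Bans are checked first so no allow rule can override them (assumption).
    if digest in policy.banned_sha1:
        return "Execution Denied", "banned by SHA1"
    if name in policy.banned_names:
        return "Execution Denied", "banned by file name"
    if policy.update_mode:
        return "Allowed", "update mode (trusted time window)"
    if digest in policy.whitelist:
        return "Allowed", "whitelisted"
    if in_trusted_dir(req.path, policy.trusted_dirs):
        return "Allowed", "trusted directory"
    if req.signer and req.signer in policy.trusted_publishers:
        return "Allowed", "trusted publisher"
    return "Execution Denied", "not in whitelist"


def demo():
    # Constructed stand-ins for file contents; no real binaries are read.
    regedit_bytes = b"stand-in bytes for regedit.exe"
    notepad_bytes = b"stand-in bytes for notepad.exe"
    policy = Policy(
        whitelist={sha1(regedit_bytes), sha1(notepad_bytes)},
        banned_names={"regedit.exe"},
        trusted_dirs=[r"\\servername\sharename"],
        trusted_publishers={"Adobe"},
    )
    cases = {
        "notepad": ExecRequest(r"C:\Windows\notepad.exe", notepad_bytes),
        "regedit": ExecRequest(r"C:\Windows\regedit.exe", regedit_bytes),
        "regedit_renamed": ExecRequest(r"C:\Temp\r.exe", regedit_bytes),
        "share_installer": ExecRequest(r"\\servername\sharename\setup.exe", b"unknown installer"),
        "other_share": ExecRequest(r"\\servername\sharename2\setup.exe", b"unknown installer"),
        "desktop_installer": ExecRequest(r"C:\Users\eval\Desktop\setup.exe", b"unknown installer"),
        "signed": ExecRequest(r"C:\Users\eval\Desktop\AdbeRdr.exe", b"signed installer", signer="Adobe"),
    }
    results = {k: evaluate(policy, v)[0] for k, v in cases.items()}
    # A name-based ban does not catch a renamed copy; a SHA1-based ban does.
    policy.banned_sha1.add(sha1(regedit_bytes))
    results["regedit_renamed_sha1_ban"] = evaluate(policy, cases["regedit_renamed"])[0]
    return results


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:28s} {verdict}")
```

Run it directly to print a verdict per case. The product's own whitelist inventory and rule precedence are defined by McAfee, not by this model; use it only to reason about which identification method a Binary ban rule should use.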


How can I verify that only authorized code can run?

Once you have installed the McAfee Solidcore extension and the McAfee Solidcore Agent, you can verify that only authorized programs run on your client. (For the sake of illustration you can download desktop search for Windows from http://desktop.google.com/ and save it on your desktop.)

The use case scenario appears below:

1 Check whether Application Control is enabled at the client.

2 Verify that an authorized program can run.

3 Create an alert.

4 Verify that unauthorized programs cannot run.

5 Review events, alerts and reports.

Contents

Verifying that the authorized application code can run

Defining an alert

Verifying that unauthorized application code cannot run

Reporting

Verifying that the authorized application code can run

Use the following procedure to confirm that authorized programs can run.

1 Log in to the client.

2 Run any application that was present on the client prior to enabling Application Control, for example a web browser, and verify that it works as usual.

Defining an alert

To set up an alert so that you will be notified whenever anyone attempts to run an unauthorized program, complete the following procedure.

1 From the 4.0 ePO console, select Automation | Responses. From the 4.5 ePO console,select Menu | Automation | Automatic Responses.

2 Click New Response. The Response Builder page opens to the Description page.


3 Enter a Name (for example Verify auth programs), select Solidcore Events, and select Enabled.

4 Click Next. The Filter page appears.

5 Select the Event filter and from the drop down menu select Execution Denied.

6 Click Next.

7 In the Aggregation page, select Trigger this response for every event.

8 Click Next. The Actions page appears.

9 Select Show Alert in Reporting and enter:

• Set severity to Critical.

• From the Insert variable drop-down menu select List of All Values.

• In the Messages field create a meaningful message. Variables are inserted into the Messages field by selecting a variable from the drop-down menu and clicking Insert.

• Click Next. The Summary page appears.

10 Review the alert's details, then click Save.

Verifying that unauthorized application code cannot run

Use the following procedure to confirm that unauthorized programs cannot run.

1 Log in to the client.

2 Download the desktop search program for Windows and save it on the desktop.

3 Double-click the desktop search installer.

4 The installation is denied.

5 Delete the desktop search installation program from the desktop.

Uploading events from the client to the ePO

To view events for the changes you made, upload your events from your client to the ePO:

1 In the System Tray, right-click the McAfee Agent icon.

2 Select McAfee Agent | Status Monitor.

3 In the McAfee Status Monitor console, click Send Events.

Reporting

Use the following procedures to view events, alerts, and reports:

Viewing events

The Events tab allows you to view events as they occur.

1 From the 4.0 ePO console, select Reporting | Solidcore. From the 4.5 ePO console,select Menu | Reporting | Solidcore.


2 Select the Events tab. Events are integrated with the System Tree, so depending on which group the client belongs to, its events may not be visible by default. Select your group to view your events.

3 Locate the events with Event Display Name as Execution Denied.

Viewing alerts

The Alerts tab allows you to view any alerts you have set up as they occur.

1 From the 4.0 ePO console, select Reporting | Solidcore. From the 4.5 ePO console,select Menu | Reporting | Solidcore.

2 Select the Alerts tab, the alerts summary is displayed.

3 Locate your Verify Auth Programs alert.

Viewing reports

To view reports:

1 From the 4.0 ePO console, select Reporting | Queries, then from the Queries list select Solidcore: Attempted Violation in Last 7 Days.

2 From the 4.5 ePO console, select Menu | Reporting | Queries. From Groups select Solidcore, and then from the list of Solidcore reports select Solidcore: Attempted Violation in the Last 7 Days.

3 Click Run. The selected report will be displayed.

4 Once the report has been displayed, click Close to return to the previous page.


How do I verify that Application Control tamper proofs application code?

Once you have installed the McAfee Solidcore extension and the McAfee Solidcore Agent, you can verify that authorized programs cannot be tampered with.

The use case scenario appears below:

1 Login to the client.

2 Verify that files cannot be tampered with.

3 Review events and reports.

Contents

Verifying that application code files cannot be tampered with

Reporting

Verifying that application code files cannot betampered with

Use the following procedure to confirm that authorized files cannot be modified.

1 Log in to the client.

2 Attempt to rename a critical system file, for example C:\windows\system32\winsock.dll.

3 The modification attempt should fail. If the rename succeeds, check that Application Control is enabled on the client before continuing.

Uploading events from the client to the ePO

To view events for the changes you made, upload your events from your client to the ePO:

1 In the System Tray, right-click the McAfee Agent icon.

2 Select McAfee Agent | Status Monitor.

3 In the McAfee Status Monitor console, click Send Events.

Reporting

Use the following procedures to view events and reports related to attempted violations.


Viewing an event

The Events tab allows you to view events as they occur.

1 From the 4.0 ePO console, select Reporting | Solidcore. From the 4.5 ePO console,select Menu | Reporting | Solidcore.

2 Select the Events tab. Events have an asset tree integration, therefore depending uponwhich group the client belongs to by default it may or may not be visible. Select your groupto view your events.

3 Locate the events with Event Display Name as File Write Denied.

Viewing a report

To view reports:

1 From the 4.0 ePO console, select Reporting | Queries, then from the Queries list select Solidcore: Attempted Violations Detected in Last 7 Days.

2 From the 4.5 ePO console, select Menu | Reporting | Queries. From Groups select Solidcore, and then from the list of Solidcore reports select Solidcore: Attempted Violations Detected in the Last 7 Days.

3 Click Run. The selected report will be displayed.

4 Once the report has been displayed, click Close to return to the previous page.


How can I blacklist an application so that it cannot run?

In this workflow you will create a policy to blacklist, or ban, a program so that it is not allowed to run. You can ban a program by name or by its checksum (for the sake of illustration you will ban regedit.exe by name). You can also set up an alert that notifies you whenever anyone tries to execute the banned program.

The use case scenario appears below:

1 Create an Application Control policy to ban a program.

2 Assign this policy to the Solidcore Agent deployed on the client.

3 Define an alert to receive notification upon execution attempts of the blacklisted program.

4 Once the policy has been applied to the client, verify that the programs on the banned list cannot run.

5 View unauthorized execution events and alerts.

Contents

Creating an Application Control policy

Defining an alert

Verifying that blacklisting is in effect

Reporting

Creating an Application Control policy

Use this procedure to create an Application Control policy for a list of banned programs.

1 From the 4.0 ePO console, select Systems | Policy Catalog. From the 4.5 ePO console, select Menu | Policy | Policy Catalog, and then select Solidcore 5.1.0 Application Control.

2 Click New Policy. The Create New Policy dialog box appears.

3 Select the policy you want to duplicate from the Create a policy based on this existing policy drop-down menu.

4 Type a name for the new policy (for example Blacklist regedit policy) and click OK. The Policy Settings page opens.

5 To add a banned program, select Binary and then click Add. Configure these options as required, then click OK.

• Enter the rule name as regedit.exe.

• Allow/Ban: select Ban.

• Rule Type: select File Name.


• Name/SHA1: This field will be either Name or SHA1 depending on the Rule Type.

6 Click Save.

Assigning an Application Control policy

Assign the policy you created to the client on which you have installed the Application Control Agent.

1 From the 4.0 ePO console, select Systems | System Tree | Policies.

2 From the 4.5 ePO console, select Menu | Systems | System Tree | Assigned Policies. Select a Product.

3 Next to the McAfee Default policy select Edit assignments. The Policy Assignments page opens.

4 Create a new policy instance by clicking New Policy Instance. Select the policy you created earlier from the Assign Policy drop-down list.

5 Click Save.

6 To apply the new policy immediately, perform an agent wake-up call.

Defining an alert

To set up an alert so that you will be notified whenever anyone attempts to execute an unauthorized program, complete the following procedure.

1 From the 4.0 ePO console, select Automation | Responses. From the 4.5 ePO console, select Menu | Automation | Automatic Responses.

2 Click New Response. The Response Builder appears.

3 Enter a Name (for example, regedit execution alert), select Solidcore Events, and select Enabled.

4 Click Next. The filter page appears.

5 Select the Event filter and from the drop down menu select Execution Denied.

6 Select Program and enter the program names (for example, regedit.exe) used to create the policy earlier.

7 Click Next.

8 In the Aggregation page, select Trigger this response for every event.

9 Click Next. The Actions page appears.

10 Select Show Alert in Reporting and enter:

• Set severity to Critical.

• From the Insert variable drop-down menu select List of All Values.

• In the Messages field create a meaningful message. Variables are inserted into the Messages field by selecting a variable from the drop-down menu and clicking Insert.

• Click Next. The Summary page appears.

11 Review the alert's details, then click Save.


Verifying that blacklisting is in effect

Use the following procedure to confirm that banned programs do not run.

1 Log in to the system.

2 Run regedit.exe. The execution of the program will be denied.

Uploading events from the client to the ePO

To view events for the changes you made, upload your events from your client to the ePO:

1 In the System Tray, right-click the McAfee Agent icon.

2 Select McAfee Agent | Status Monitor.

3 In the McAfee Status Monitor console, click Send Events.

Reporting

Use the following procedures to view events and alerts.

Viewing an event

The Events tab allows you to view events as they occur.

1 From the 4.0 ePO console, select Reporting | Solidcore. From the 4.5 ePO console,select Menu | Reporting | Solidcore.

2 Select the Events tab. Events are integrated with the System Tree, so depending on which group the client belongs to, its events may not be visible by default. Select your group to view your events.

3 Locate the Execution Denied event.

Viewing an alert

The Alerts tab allows you to view any alerts you have set up as they occur.

1 From the 4.0 ePO console, select Reporting | Solidcore. From the 4.5 ePO console,select Menu | Reporting | Solidcore.

2 Select the Alerts tab. The alerts summary is displayed.

3 Locate your regedit execution alert.


How can I run software available on a trusted directory remotely from a client where Application Control is enabled?

Application Control's protection envelope prevents a client from executing code residing on a network share. However, many organizations maintain a shared folder on the internal network where installers for authorized and licensed applications are kept. Such network shares are within the security perimeter; they are known and trusted by the customer. The Trusted Directories policy allows all users to run any software present on a Trusted Directory, identified by its UNC pathname.

In this use case scenario you will verify that you can run software available on a trusted directory from the client using its UNC pathname (for the sake of illustration, the UNC path \\servername\sharename is used). To demonstrate this capability you will require both read and write access to the share. Because every client that receives the policy will run whatever is placed on the share, in production restrict write access to the share to the people who are allowed to publish software.

The use case scenario appears below:

1 Download the installer for the desktop search (from http://desktop.google.com) to the \\servername\sharename share.

2 Verify that you cannot run the installer from the client.

3 Create a trusted directory Application Control policy.

4 Assign this policy to the Solidcore Agent deployed on the client.

5 Once the policy has been applied to the client, verify that you are able to run the installer for the desktop search remotely from the client.

Contents

Creating an Application Control policy

Verifying your trusted directory policy

Creating an Application Control policy

In the following procedure you will create an Application Control policy for authorizing a trusted directory.

1 From the 4.0 ePO console, select Systems | Policy Catalog. From the 4.5 ePO console, select Menu | Policy | Policy Catalog, and then select Solidcore 5.1.0 Application Control.

2 Under Category select Application Control Rules (Windows). All previously created policies for Application Control appear in the pane.

3 Click New Policy. The Create New Policy dialog box appears.


4 Create a policy based on the McAfee Default policy by selecting it from the drop-down menu.

5 Type a name for the new policy (for example Trusted directory policy) and click OK. The Policy Settings page opens.

6 To add a trusted directory such as a shared network drive, select Trusted Directories and click Add. Configure these options as required, then click OK.

• Path - enter the location of your trusted directory.

• Include/Exclude - select Include.

• Select Make programs executed from this directory updaters. Note that this also lets programs run from the share add and update application code on the client, so only enable it for shares whose contents you control.

7 Click Save.

Assigning an Application Control policy

Assign the policy you created to the client on which you have installed the Application Control Agent.

1 From the 4.0 ePO console, select Systems | System Tree | Policies.

2 From the 4.5 ePO console, select Menu | Systems | System Tree | Assigned Policies. Select a Product.

3 Next to the McAfee Default policy select Edit assignments. The Policy Assignments page opens.

4 Create a new policy instance by clicking New Policy Instance. Select the policy you created earlier from the Assign Policy drop-down list.

5 Click Save.

6 To apply the new policy immediately, perform an agent wake-up call.

Verifying your trusted directory policy

This procedure verifies that you can install and run programs from your trusted directory.

1 Log in to the client.

2 Install the desktop search application from your trusted directory.

3 Run the installed program - the program should run.

4 Uninstall the desktop search application from your client.


How can I ensure that any software released by a trusted publisher will always run on a client where Application Control is enabled?

In this workflow you will add a new authorized publisher for software that you want to allow users to download and install (for the sake of illustration, you will download Adobe Reader from http://www.adobe.com/downloads/). You will add its publisher (Adobe) as a trusted publisher by extracting the code-signing certificate from the installer and registering it with the ePO.

The workflow for this situation requires the following:

1 Download Adobe Reader for Windows and save it on a share that is accessible from the ePO server.

2 Create a new publisher and extract the certificate from the Reader installer.

3 Create an Application Control policy with the publisher you have just added.

4 Apply this newly created policy to the client.

5 Verify that the software from the authorized publisher can be installed on the client.

Contents

Adding a new publisher

Creating an Application Control policy

Verifying your software from your trusted publisher will run

Adding a new publisher

Use this procedure to add a new publisher.

1 From the 4.0 ePO console, select Configuration | Solidcore | Publishers. From the 4.5 ePO console, select Menu | Configuration | Solidcore | Publishers.

2 Select Add.

3 Select Extract Certificate and import a valid certificate from the Adobe Reader installer program you previously downloaded.

Creating an Application Control policy

Use this procedure to create an Application Control policy for a trusted publisher.


1 From the 4.0 ePO console, select Systems | Policy Catalog. From the 4.5 ePO console, select Menu | Policy | Policy Catalog, and then select Solidcore 5.1.0 Application Control.

2 Click New Policy. The Create New Policy dialog box appears.

3 Select the policy you want to duplicate from the Create a policy based on this existing policy drop-down menu.

4 Type a name for the new policy (for example Trusted publisher policy) and click OK. The Policy Settings page opens.

5 To add the publisher of Adobe Reader as a trusted publisher, select Publishers and then click Add. Specify a keyword to search for the certificate you added in the previous procedure, for example, Adobe.

6 Click Save.

Assigning an Application Control policy

Assign the policy you created to the client on which you have installed the Application Control Agent.

1 From the 4.0 ePO console, select Systems | System Tree | Policies.

2 From the 4.5 ePO console, select Menu | Systems | System Tree | Assigned Policies. Select a Product.

3 Next to the McAfee Default policy select Edit assignments. The Policy Assignments page opens.

4 Create a new policy instance by clicking New Policy Instance. Select the policy you created earlier from the Assign Policy drop-down list.

5 Click Save.

6 To apply the new policy immediately, perform an agent wake-up call.

Verifying your software from your trusted publisher will run

This procedure verifies that software released by your trusted publisher will always run.

1 Log in to the client.

2 Go to http://www.adobe.com/downloads/.

3 Download Adobe Reader for Windows and save it on the desktop.

4 Double-click the Adobe Reader installer. Because its publisher is trusted, the installation should proceed.


How can I create a trusted installer so that it can be used for installing software on a client where Application Control is enabled?

In this workflow you will add a new installer (for the sake of illustration you can download desktop search for Windows from http://desktop.google.com/ and save it on your desktop). In this example we presume that you already know the SHA1 checksum of the installer or can calculate it using a publicly available utility, for example the one described at http://support.microsoft.com/kb/841290.

The workflow for this situation requires the following:

1 Try installing desktop search on your client. It should fail.

2 Add Google desktop search to your installers list in the ePO.

3 Optionally, create a Solidcore: Scan Software Repository server task to add installers to the ePO database.

4 Create an Application Control policy.

5 Apply your policy to a system or group.

6 Once your policy has been applied to your host you can verify by installing the software.

Contents

Adding an installer

Creating a software repository server scan

Creating an Application Control policy

Verifying your trusted installer will run

Adding an installer

Use this procedure to add an installer.

1 From the 4.0 ePO console, select Configuration | Solidcore | Installers. From the 4.5 ePO console, select Menu | Configuration | Solidcore | Installers.

2 Select Add Installer. Then enter the following:

• Installer Name - Type the name of the installer (for example Google desktop search).

• Binary Path - Type the path of the installer file.

• Vendor - Type the name of the vendor who publishes the installer. (for example Google)

• Version - Type the version of the installer. This field is optional.

• Checksum - Type the checksum (SHA1).


3 Click OK.

Creating a software repository server scan

Use this procedure to create a software repository scan.

1 From the 4.0 ePO console, select Automation | Server Tasks. From the 4.5 ePO console, select Menu | Automation | Server Tasks. Then click New Task. The Server Task Builder page opens to the Description page.

2 Enter a Name, describe the task, and select Enabled for Schedule Status.

3 Click Next. The Actions page appears.

4 Select Solidcore: Scan a Software Repository from the drop-down menu.

5 Specify the repository path where the installers are saved. This repository should be accessible from the ePO server.

NOTE: The subfolders in the repository are also scanned for installers.

6 Type the Domain, User Name, and Password to access the specified network location.

7 Click Test Connection to ensure that the connection to the server works.

8 Select Add extracted certificates and installers to Rule Group if you want to add the certificates and installers extracted by the task to a user-defined rule group, then select the user-defined rule group from the drop-down list.

NOTE:

• You can add extracted certificates and installers only to user-defined rule groups.

• If the selected rule group is added to a policy, extracted certificates and installers will be automatically added to the policy.

9 Click Next. The Schedule page appears.

10 Schedule the task as needed, and then click Next. The Summary page appears.

11 Review the task details, then click Save.

12 Click Run on the Server Tasks page to run the software repository server scan immediately.
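The Installers page above asks for the installer's SHA1 checksum, and the Scan a Software Repository task walks a repository including its subfolders. As an added example, not McAfee code and not a replacement for the utility described in KB841290, the following Python script does both offline: it streams a file through SHA1 to produce the value for the Checksum field, walks a folder tree to build Installer Name, Binary Path, Vendor and Checksum entries, and re-checks a file against its registered checksum. The repository layout, file names, the vendor-from-folder-name rule and the file contents are all constructed for the demonstration.

```python
# Added example (not McAfee code): compute the SHA1 checksum that the
# Installers page asks for, and walk a repository folder, subfolders
# included, to build Installer Name / Binary Path / Vendor / Checksum
# entries. The folder layout, file names and the vendor-from-folder rule
# are assumptions made for this illustration.
import hashlib
import os
import tempfile

INSTALLER_EXTENSIONS = (".exe", ".msi")


def sha1_of_file(path, chunk_size=1 << 20):
    """Stream the file so large installers do not have to fit in memory."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_repository(root, vendor_by_folder=None):
    """Return one entry per installer found under root (recursively)."""
    vendor_by_folder = vendor_by_folder or {}
    entries = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(INSTALLER_EXTENSIONS):
                continue  # skip README files, licences and the like
            path = os.path.join(dirpath, name)
            folder = os.path.basename(dirpath)
            entries.append({
                "installer_name": os.path.splitext(name)[0],
                "binary_path": path,
                "vendor": vendor_by_folder.get(folder, folder),  # assumption: vendor from folder name
                "checksum": sha1_of_file(path),
            })
    return sorted(entries, key=lambda e: e["binary_path"])


def verify_installer(path, expected_sha1):
    """True only if the file on disk still matches the registered checksum."""
    return sha1_of_file(path) == expected_sha1.strip().lower()


def demo():
    # Constructed repository: the file contents are short strings, not real installers.
    with tempfile.TemporaryDirectory() as root:
        google = os.path.join(root, "Google")
        adobe = os.path.join(root, "Adobe", "Reader")
        os.makedirs(google)
        os.makedirs(adobe)
        google_setup = os.path.join(google, "GoogleDesktopSetup.exe")
        with open(google_setup, "wb") as f:
            f.write(b"abc")
        with open(os.path.join(adobe, "AdbeRdr.msi"), "wb") as f:
            f.write(b"")
        with open(os.path.join(adobe, "README.txt"), "wb") as f:
            f.write(b"not an installer")

        entries = scan_repository(root, vendor_by_folder={"Reader": "Adobe"})
        by_name = {e["installer_name"]: e for e in entries}
        registered = by_name["GoogleDesktopSetup"]["checksum"]
        verified_before = verify_installer(google_setup, registered)
        # Simulate a modified (or swapped) installer: the checksum no longer
        # matches, so a Trusted Installer rule keyed to the registered SHA1
        # would not apply to it.
        with open(google_setup, "ab") as f:
            f.write(b"d")
        verified_after = verify_installer(google_setup, registered)
        return {
            "names": sorted(by_name),
            "google_sha1": registered,
            "adobe_sha1": by_name["AdbeRdr"]["checksum"],
            "adobe_vendor": by_name["AdbeRdr"]["vendor"],
            "verified_before": verified_before,
            "verified_after": verified_after,
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The re-check at the end is the point of the example: a Trusted Installer rule is keyed to the checksum, so a newer build or a tampered copy of the same installer no longer matches and is not treated as trusted until its own checksum is registered.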

Creating an Application Control policy

Use this procedure to add an installer to an Application Control policy.

1 From the 4.0 ePO console, select Systems | Policy Catalog. From the 4.5 ePO console, select Menu | Policy | Policy Catalog, and then select Solidcore 5.1.0 Application Control.

2 Click New Policy. The Create New Policy dialog box appears.

3 Select the policy you want to duplicate from the Create a policy based on this existing policy drop-down menu.

4 Type a name for the new policy (for example Trusted installer policy) and click OK. The Policy Settings page opens.

5 To add your desktop search program, select Installer and then click Add. Then enter the following:


• Select Installer name.

• Search for your installer and select it.

• Click OK.

6 Click Save.

Assigning an Application Control policy

Assign the policy you created to the client on which you have installed the Application Control Agent.

1 From the 4.0 ePO console, select Systems | System Tree | Policies.

2 From the 4.5 ePO console, select Menu | Systems | System Tree | Assigned Policies. Select a Product.

3 Next to the McAfee Default policy select Edit assignments. The Policy Assignments page opens.

4 Create a new policy instance by clicking New Policy Instance. Select the policy you created earlier from the Assign Policy drop-down list.

5 Click Save.

6 To apply the new policy immediately, perform an agent wake-up call.

Verifying your trusted installer will run

This procedure verifies that your trusted installer will always run.

1 Log in to the client.

2 Download the Google desktop search installer to your desktop.

3 Double-click the desktop search installer to install it. The installation should proceed. Because the installer is identified by its checksum, a different build of the installer whose SHA1 does not match the registered value will still be denied.

4 Uninstall Google desktop search to restore the client to its original state.


How can I enable automatic updates on a client where Application Control is enabled?

In this scenario you will ensure that only an authorized updater is allowed to update software on your Windows XP client. (For the sake of illustration, we will use the Adobe 8.0 updater C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe as an authorized update agent that can patch the Adobe binaries periodically without requiring any user intervention.)

The use case scenario appears below:

1 Create a policy to authorize the trusted program C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe to change files.

2 Assign this policy to the client.

3 Once the policy has been applied to the client, verify that the authorized program can perform updates on the software protected by Solidcore on the client.

4 Generate an event.

Contents

Creating an Application Control policy

Verifying that the application code files can only be modified by your trusted program

Reporting

Creating an Application Control policy

Use this procedure to create an Application Control policy for trusted programs.

1 From the 4.0 ePO console, select Systems | Policy Catalog. From the 4.5 ePO console, select Menu | Policy | Policy Catalog, and then select Solidcore 5.1.0 Application Control.

2 Click New Policy. The Create New Policy dialog box appears.

3 Select the policy you want to duplicate from the Create a policy based on this existing policy drop-down menu.

4 Type a name for the new policy (for example Adobe updater policy) and click OK. The Policy Settings page opens.

5 Select Updater and click Add. Configure these options as required, then click OK.

• Binary - type the location of the executable binary, C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe

• Updater Label - type an identification label (for example, if you enter Adobe Updater changes, then changes made by AdobeUpdater.exe will be tagged with this label).

6 Click Save.

Assigning an Application Control policy

Assign the policy you created to the client on which you have installed the Application Control Agent.

1 From the 4.0 ePO console, select Systems | System Tree | Policies.

2 From the 4.5 ePO console, select Menu | Systems | System Tree | Assigned Policies. Select a Product.

3 Next to the McAfee Default policy select Edit assignments. The Policy Assignments page opens.

4 Create a new policy instance by clicking New Policy Instance. Select the policy you have created earlier from the Assign Policy drop-down list.

5 Click Save.

6 To apply the new policy immediately, perform an agent wake-up call.

Verifying that the application code files can only be modified by your trusted program

This procedure verifies that only your trusted program is able to modify the protected file.

1 Log in to the client.

2 Start the Adobe Reader and click on Help | Check for Updates in the top Menu bar.

3 If there are updates, you should see them being applied.

Uploading events from the client to the ePO

To view events for the changes you made, upload your events from your client to the ePO as follows:

1 In the System Tray, right-click the McAfee Agent icon.

2 Select McAfee Agent | Status Monitor.

3 In the McAfee Status Monitor console, click Send Events.

Reporting

Use the following procedure to view events.

Viewing an event

The Events tab allows you to view events as they occur.

1 From the 4.0 ePO console, select Reporting | Solidcore. From the 4.5 ePO console, select Menu | Reporting | Solidcore.

2 Select the Events tab. Events are integrated with the asset tree; therefore, depending on which group the client belongs to, they may or may not be visible by default. Select your group to view your events.

3 Locate your event.

How can I allow an admin user or a user group to install/update software on a client where Application Control is enabled?

In this use case scenario you will ensure that only a specific trusted user, who does not necessarily possess system administrator privileges, can modify the file. (For the sake of illustration, you will install a photo application (from http://picasa.google.com) on a client protected by Solidcore.) In the following use case, you will make yourself a trusted user and verify that you are able to install that application and run it.

The use case scenario appears below:

1 Create an Application Control policy for authorizing a trusted user.

2 Assign this policy to the Solidcore Agent deployed on the client.

3 Once the policy has been applied to the client, verify that the trusted users can download software and update the client.

Contents

Creating an Application Control policy

Verifying trusted users can update the client

Creating an Application Control policy

In the following procedure you will be creating an Application Control policy authorizing a trusted user.

1 From the 4.0 ePO console, select Systems | Policy Catalog. From the 4.5 ePO console, select Menu | Policy | Policy Catalog.

2 Under Category select Application Control Rules (Windows). All previously created policies for Application Control appear in the pane.

3 Click New Policy. The New Policy dialog box appears.

4 Create a policy based on the McAfee Default policy by selecting it from the drop-down menu.

5 Type a name (for example Trusted admin policy) for the new policy and click OK.

6 To add a trusted admin to a policy, select Trusted User and click Add. In the Add User dialog box, configure these options as required, then click OK.

a Domain name\User - type the domain name and the logon name of the user (for example, John Doe).

b User Label - type an identification label (for example, if you enter John Doe changes, then changes made by John will be tagged with this label).

7 Click Save.

Assigning an Application Control policy

Assign the policy you created to the client on which you have installed the Application Control Agent.

1 From the 4.0 ePO console, select Systems | System Tree | Policies.

2 From the 4.5 ePO console, select Menu | Systems | System Tree | Assigned Policies. Select a Product.

3 Next to the McAfee Default policy select Edit assignments. The Policy Assignments page opens.

4 Create a new policy instance by clicking New Policy Instance. Select the policy you have created earlier from the Assign Policy drop-down list.

5 Click Save.

6 To apply the new policy immediately, perform an agent wake-up call.

Verifying trusted users can update the client

This procedure verifies that only your trusted user is able to modify the protected file.

1 Log in to the client as a trusted user.

2 Download the installer for the photo application on your desktop.

3 Install it (the installation should succeed).

4 Run it (the program should run).

5 Uninstall the photo application.

6 Delete the installer from your desktop to restore the client to its original state.

How do I perform emergency changes when Application Control is enabled?

In order to perform emergency changes when Application Control is enabled and it is not possible to use trusted users, directories, publishers or installers, you can create a change window that overrides all tamper proofing in effect and make the emergency change inside that window.

The workflow for this situation requires the following:

1 Run the Begin Update Mode client task to open the client machine for updates.

2 Perform changes.

3 Run the End Update Mode client task.

NOTE: This should only be used if other mechanisms cannot be used.

Contents

Create an SC: Begin Update Mode task

Verifying that changes can be made during the update window

Create an SC: End Update Mode client task

Verifying that changes cannot be made outside update window

Create an SC: Begin Update Mode task

To enable you to make emergency changes on your system, you will need to open an update window. To create the Begin Update Mode task, complete the following procedure.

1 From the 4.0 ePO console, select Systems | System Tree | Client Tasks. From the 4.5 ePO console, select Menu | Systems | System Tree | Client Tasks.

2 Select the desired group in the System Tree, and then click New Task. The New Client Task Builder page appears.

3 Type the name of the task and add any descriptive information to the Notes field.

4 Select SC: Begin Update Mode (Solidcore 5.1.0) from the Type drop-down menu.

5 Click Next. The Configuration page appears.

6 Type the Workflow-Id and any comments. The Workflow-Id can be a meaningful description for this update window.

7 Click Next. The Schedule page appears.

8 Select Enabled for the Schedule status.

9 From the Schedule type list select Run Immediately.

10 Click Next. The Summary page appears.

11 Review and verify the details, then click Save.

12 To apply your task immediately, wake up the agent.

Verifying that changes can be made during the update window

Use the following procedure to confirm that you can make emergency changes.

1 Log in to the client.

2 Download Google Earth from http://earth.google.com/ to your desktop.

3 Install Google Earth (the installation should succeed).

4 Run Google Earth.

5 Uninstall Google Earth to restore the client to its original state.

6 Delete the installer from your desktop.

Create an SC: End Update Mode client task

After completing your changes you will have to create an End Update Mode task according to the following procedure.

1 From the 4.0 ePO console, select Systems | System Tree | Client Tasks. From the 4.5 ePO console, select Menu | Systems | System Tree | Client Tasks.

2 Select the desired group in the System Tree, and then click New Task. The New Client Task Builder page appears.

3 Type the name of the task and add any descriptive information to the Notes field.

4 Select SC: End Update Mode (Solidcore 5.1.0) from the Type drop-down menu.

5 Click Next. The Configuration page appears.

6 No extra configuration settings are required for this task.

7 Click Next. The Schedule page appears.

8 Select Enabled for the Schedule status.

9 From the Schedule type list select Run Immediately.

10 Click Next. The Summary page appears.

11 Review and verify the details, then click Save.

12 To apply your task immediately, wake up the agent.

Verifying that changes cannot be made outside update window

Use the following procedure to verify that changes cannot be made once the update window is closed.

1 Log in to the client.

2 Download Google Earth from http://earth.google.com/ to your desktop and attempt to run the installer. The installer should not run.

3 Delete the installer from your desktop.

How can I get the list of software inventory from client machine(s) in my network?

In this scenario you will pull a list of software running on your client machines.

The workflow for this situation requires the following:

1 Run the SC: Pull Inventory client task.

2 Wake up the agent to send events from the client.

3 Create a Solidcore: Update Inventory Search Indexes server task to build an inventory index.

4 Verify that the inventory list has been updated.

Contents

Creating an SC: Pull Inventory client task

Create a Solidcore: Update Inventory Search Indexes server task

Verifying the inventory list has been updated

Creating an SC: Pull Inventory client task

Use this procedure to pull inventory from your client computer(s).

1 From the 4.0 ePO console, select Systems | System Tree | Client Tasks. From the 4.5 ePO console, select Menu | Systems | System Tree | Client Tasks.

2 Select the desired group in the System Tree, and then click New Task. The New Client Task Builder page appears.

3 Type the name of the task and add any descriptive information to the Notes field.

4 Select SC: Pull Inventory (Solidcore 5.1.0) from the Type drop-down menu.

5 Click Next. The Configuration page appears.

6 Click Next. The Schedule page appears.

7 Select Enabled for the Schedule status.

8 From the Schedule type list select Run Immediately.

9 Click Next. The Summary page appears.

10 Review and verify the details, then click Save.

11 To apply your task immediately, wake up the agent.

NOTE: This task requires two agent wake-up calls with a short interval between them. Invoke a wake-up call for the agent to get the task and compute the inventory. Invoke a second wake-up call for the client to send the inventory back to ePO.

Create a Solidcore: Update Inventory Search Indexes server task

Use this procedure to update inventory search indexes with a scheduled server task.

1 From the 4.0 ePO console, select Automation | Server Tasks. From the 4.5 ePO console, select Menu | Automation | Server Tasks and then click New Task. The Server Task Builder page appears.

2 Enter a Name, describe the task, and click Enabled next to Schedule Status.

3 Click Next. The Actions page appears.

4 Select Solidcore: Update Inventory Search Indexes from the drop-down menu.

5 Click Next. The Schedule page appears.

6 Schedule the task as needed, and then click Next. The Summary page appears.

7 Review and verify the details, then click Save.

NOTE:

• To get data to display on the UI immediately, run the Update Inventory Search Indexes server task immediately.

• Set this up to run as a scheduled task daily so that inventory data is updated periodically.

Verifying the inventory list has been updated

Verify that the inventory list has been updated as follows:

1 From the 4.0 ePO console, select Reporting | Solidcore | Inventory. From the 4.5 ePO console, select Menu | Reporting | Solidcore | Inventory.

2 You can search by name, product name, checksum, and so on.

You can search this inventory when defining allow/ban binary rules for Application Control policies. Normally, you should pull inventory from clients periodically (say, once a month). This inventory gives you details of the software inventory in your network, and you can also monitor file activity in your network, for example, Execution Denied events on a file or the creation of an unauthorized file.

How do I whitelist Java class files or a list of Java class files lying in a particular location?

In this scenario you will whitelist Java class files located on the C: drive (C:\javaclasses).

The workflow for this situation requires the following:

1 Add Java classes for script authorization through the SC: Run Commands client task.

2 Wake up the agent to send events from the client.

3 On the client machine, open the McAfee Agent and send events.

4 On the ePO, verify that the SC: Run Commands client task has completed.

5 From the client, execute the whitelisted Java file.

6 Copy the Java file and execute the copy.

7 Verify events through the Event tab.

Contents

Creating an SC: Run Commands client task

Verifying the Run Commands client task was successful

Executing a Java whitelist file

Reporting

Creating an SC: Run Commands client task

Use this procedure to run a command remotely on the client to perform tasks such as adding Java classes.

1 From the 4.0 ePO console, select Systems | System Tree | Client Tasks. From the 4.5 ePO console, select Menu | Systems | System Tree | Client Tasks.

2 Select the desired group in the System Tree, and then click New Task. The New Client Task Builder page appears.

3 Type the name of the task (for example, whitelist java files) and add any descriptive information to the Notes field.

4 Select SC: Run Commands (Solidcore 5.1.0) from the Type drop-down menu.

5 Click Next. The Configuration page appears.

6 Enter the following Run Commands: scripts add .jar "java.exe", then click + and enter so <the location of the jar files or a specific jar file>.

7 Select Requires Response.

8 Click Next. The Schedule page appears.

9 Select Enabled for the Schedule status.

10 From the Schedule type list select Run Immediately.

11 Click Next. The Summary page appears.

12 Review and verify the details, then click Save.

13 To apply your task immediately, wake up the agent.

NOTE: To get the response of the SC: Run Commands client task immediately, you will have to send events from the client.

Verifying the Run Commands client task was successful

You should verify that the Run Commands client task was successful.

1 From the 4.0 ePO console, select Reporting | Solidcore. From the 4.5 ePO console, select Menu | Reporting | Solidcore.

2 Select the Client Task Log tab and confirm the whitelist java files task completed successfully.

Executing a Java whitelist file

Verify that you can execute a whitelisted jar file but cannot execute a jar file that is not in your whitelist by completing the following:

1 On the client, execute the whitelisted jar file by running the command java -jar <java class file>. The Java class file should execute.

2 Copy the same jar file and run the new copy with the command java -jar <java class file>. The copied Java class file should not execute.

Uploading events from the client to the ePO

To view events for the changes you made, upload your events from your client to the ePO as follows:

1 In the System Tray, right-click the McAfee Agent icon.

2 Select McAfee Agent | Status Monitor.

3 In the McAfee Status Monitor console, click Send Events.

Reporting

Use the following procedure to view attempted violation events.

Viewing an event

The Events tab allows you to view events as they occur.

1 From the 4.0 ePO console, select Reporting | Solidcore. From the 4.5 ePO console, select Menu | Reporting | Solidcore.

2 Select the Events tab. Events are integrated with the asset tree; therefore, depending on which group the client belongs to, they may or may not be visible by default. Select your group to view your events.

3 Locate the EXECUTION_DENIED event for the execution of the unauthorized Java class file.

How can I compare a baseline of the whitelisted files on my host with the list of files on a gold host?

In this scenario you will pull the baseline whitelist of software running on Host A and compare it with the whitelist on your Gold Host.

The workflow for this situation requires the following:

1 Run the SC: Pull Inventory client task for your Gold Host.

2 Run the SC: Pull Inventory client task for Host A.

3 Wake up the agent.

4 Create a Solidcore: Run Image Deviation server task.

5 View the comparison of software whitelist for the two clients.

Contents

Creating an SC: Pull Inventory client task for your Gold Host and Host A

Create a Solidcore: Run Image Deviation server task

Compare Host A whitelist against Gold Host whitelist

Creating an SC: Pull Inventory client task for your Gold Host and Host A

Use this procedure to pull inventory from your Gold Host and Host A.

1 From the 4.0 ePO console, select Systems | System Tree | Client Tasks. From the 4.5 ePO console, select Menu | Systems | System Tree | Client Tasks.

2 Select the desired group in the System Tree, and then click New Task. The New Client Task Builder page appears.

3 Type the name of the task (Gold Host inventory) and add any descriptive information to the Notes field.

4 Select SC: Pull Inventory (Solidcore 5.1.0) from the Type drop-down menu.

5 Click Next. The Configuration page appears.

6 Click Next. The Schedule page appears.

7 Select Enabled for the Schedule status.

8 From the Schedule type list select Run Immediately.

9 Click Next. The Summary page appears.

10 Review and verify the details, then click Save.

11 To apply your task immediately, wake up the agent.

NOTE: To see inventory immediately, a wake-up call should be invoked for the agent to get the task and compute the inventory. Wait a few minutes for the inventory files to be available, then invoke a second wake-up call for the client to send the inventory back to ePO.

12 Repeat steps 2 through 10 for Host A.

Create a Solidcore: Run Image Deviation server task

Image deviation is used to compare the inventory of a system with a golden inventory, which is fetched from a designated gold system. This helps users track the inventory present on a client system; if any changes occur, they can be brought to the user's attention immediately.

Use this procedure to select your Gold Host and compare it with Host A.

1 From the 4.0 ePO console, select Automation | Server Tasks. From the 4.5 ePO console, select Menu | Automation | Server Tasks and then click New Task. The Server Task Builder page appears.

2 Enter a Name (Inventory diff of Gold Host and Host A), describe the task, and click Enabled next to Schedule Status.

3 Click Next. The Actions page appears.

4 Select Solidcore: Run Image Deviation from the drop-down menu.

5 Select the system to use as the gold standard (Gold Host). Then select the system to apply the gold standard to (Host A).

6 Click Next. The Schedule page appears.

7 Schedule the task as needed, and then click Next. The Summary page appears.

8 Review and verify the details, then click Save.

NOTE: To get the result of Image Deviation on the UI immediately, run the server task immediately.

Compare Host A whitelist against Gold Host whitelist

You can view the results of your comparison by using the following procedure.

1 From the 4.0 ePO console, select Reporting | Solidcore | Image Deviation. From the4.5 ePO console, select Menu | Reporting | Solidcore | Image Deviation.

2 Locate the Gold Host and Host A comparison. The result of the comparison will show the deviations from the whitelisted image.
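The comparison the Image Deviation task performs can be illustrated with an ordinary inventory diff. The following is an added example, not McAfee's implementation: the hosts, file paths and file contents are constructed, each host's inventory is assumed to be a mapping from file path to the SHA1 of its content (the checksum the guide uses for installers), and Windows paths are compared case-insensitively.

```python
"""Image deviation as a plain inventory diff (added example, not the product's code).

Each host's inventory is modelled as path -> SHA1 of the file content. The
report lists what Host A has that the Gold Host lacks, what it is missing,
and what exists on both but differs in content.
"""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


def sha1_of(content: bytes) -> str:
    """SHA1 hex digest of a file's bytes."""
    return hashlib.sha1(content).hexdigest()


# Constructed sample inventories (path -> SHA1); not real product data.
GOLD_HOST: Dict[str, str] = {
    r"C:\Windows\System32\notepad.exe": sha1_of(b"notepad build 1"),
    r"C:\Program Files\App\app.exe": sha1_of(b"app build 1"),
    r"C:\Program Files\App\helper.dll": sha1_of(b"helper build 1"),
}
HOST_A: Dict[str, str] = {
    r"c:\windows\system32\notepad.exe": sha1_of(b"notepad build 1"),  # same file, case differs
    r"C:\Program Files\App\app.exe": sha1_of(b"app build 2"),         # patched locally
    r"C:\Users\bob\Desktop\tool.exe": sha1_of(b"unknown tool"),       # never on the gold image
    # helper.dll is absent on Host A
}


@dataclass
class Deviation:
    added: Dict[str, str] = field(default_factory=dict)                 # on host only
    missing: Dict[str, str] = field(default_factory=dict)               # on gold only
    modified: Dict[str, Tuple[str, str]] = field(default_factory=dict)  # path -> (gold, host)

    def is_clean(self) -> bool:
        return not (self.added or self.missing or self.modified)


def _normalise(inventory: Dict[str, str]) -> Dict[str, Tuple[str, str]]:
    """Windows paths are case-insensitive: key on a casefolded path, keep the original for display."""
    return {path.casefold(): (path, digest) for path, digest in inventory.items()}


def image_deviation(gold: Dict[str, str], host: Dict[str, str]) -> Deviation:
    """Compare a host inventory against the gold inventory."""
    g, h = _normalise(gold), _normalise(host)
    dev = Deviation()
    for key, (path, digest) in h.items():
        if key not in g:
            dev.added[path] = digest
        elif g[key][1] != digest:
            dev.modified[path] = (g[key][1], digest)
    for key, (path, digest) in g.items():
        if key not in h:
            dev.missing[path] = digest
    return dev


def format_report(dev: Deviation, host_name: str = "Host A") -> List[str]:
    """One header line plus one line per deviating file."""
    status = "no deviation" if dev.is_clean() else "deviates from gold image"
    lines = [f"{host_name}: {status}"]
    lines += [f"  ADDED     {p}  {d}" for p, d in sorted(dev.added.items())]
    lines += [f"  MISSING   {p}  {d}" for p, d in sorted(dev.missing.items())]
    lines += [f"  MODIFIED  {p}  gold={gd[:12]} host={hd[:12]}"
              for p, (gd, hd) in sorted(dev.modified.items())]
    return lines


if __name__ == "__main__":
    print("\n".join(format_report(image_deviation(GOLD_HOST, HOST_A))))
```

The ADDED entries are the ones to read first: a file that exists on Host A but not on the gold image was never part of the approved baseline, whereas MODIFIED entries may simply be a patch that has not yet reached the Gold Host.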

How do I find other Application Control Reports?

Attempts to install unauthorized software or processes denied execution by the Solidcore Agent on the client machine are reported to ePO as Execution Denied events and can be viewed as follows:

1 From the 4.0 ePO console, select Reporting | Queries. Then select the appropriate Integrity Monitor report from the Queries list.

2 From the 4.5 ePO console, select Menu | Reporting | Queries. From Groups select Solidcore and then select the appropriate Integrity Monitor report from the Queries list.

3 Once the report has been displayed, click Close to return to the previous page.

Contents

How can I receive a report through email?

Application Control Reports

How can I receive a report through email?

On 4.0 and 4.5 ePolicy Orchestrator, reports can be scheduled to be sent to you through email. Use the following procedure to receive a report through email.

1 From the 4.0 ePO console, select Automation | Server Tasks. From the 4.5 ePO console, select Menu | Automation | Server Tasks and then click Actions | New Task. The Server Task Builder wizard opens.

2 From the Actions drop-down menu, select Run Query.

3 Select a query by clicking the button in front of the query text box.

4 (For ePO 4.5 only) In the Select a Query from List dialog box select Shared Groups.

5 Select a report (for example Application Control Status) and click OK.

6 Select Email File and the recipient's email and then click Next. The Schedule page appears.

7 Specify the schedule for this task, and then click Next. The Summary page appears.

8 Review the summary details, then click Save.

Application Control Reports

The following Application Control reports are available from the ePO console.

Solidcore: Alerts

This report displays the active alerts by severity in the last three months.

Solidcore: Application Control Agent Status

This report displays the status of Solidcore Application Control agents being managed by the ePolicy Orchestrator.

Solidcore: Attempted Violations Detected in the Last 24 Hours

This report displays the attempted violation events that were detected during the last 24 hours on a per hour basis.

Solidcore: Attempted Violations Detected in the Last 7 Days

This report displays all the attempted violation events that were detected during the last week on a per day basis.

Solidcore: Top 10 Users with Most Change Events in the Last 7 Days

This report displays the top 10 users with the most changes during the last seven days.

Solidcore: Top 10 Users with Most Violations Detected in the Last 7 Days

This report displays the top 10 users with the most violations detected during the last 7 days.

Solidcore: Top 10 Users with Most Violations Detected in the Last 24 Hours

This report displays the top 10 users with the most violations detected during the last 24 hours.

Solidcore: Top 10 Programs with Most Change Events in the Last 7 Days

This report displays the top 10 programs with most changes during the last seven days.

Solidcore: Top 10 Programs with Most Change Events in the Last 24 Hours

This report displays the top 10 programs with most changes during the last 24 hours.

Solidcore: Top 10 Systems with Most Violations Detected in the Last 7 Days

This report displays the top 10 systems with the most violations detected during the last 7 days.

Solidcore: Top 10 Systems with Most Violations Detected in the Last 24 Hours

This report displays the top 10 systems with the most violations detected during the last 24 hours.

Solidcore: Non Compliant Solidcore Agents

This report lists Solidcore Agents which are either disabled or where Local CLI access is recovered. Disabled agents do not provide any Application Control functionality on the client, and ePO policy and task enforcement is suspended.

FAQs

How can I see which files were modified, added, deleted in update mode when the only license installed on my client is for Application Control?

Update mode events are generated for modification of files present in the inventory list when the client is in update mode, even though only Application Control is installed on the client machine. When a system is in update mode, any changes to existing solidified files generate corresponding update mode events (FILE_MODIFIED_UPDATE/FILE_RENAMED_UPDATE). In addition, the Solidcore agent also generates FILE_SOLIDIFIED for newly created code files and FILE_UNSOLIDIFIED for deleted files. Users need to select Send Events from the McAfee Agent monitor to see these events on the ePO console. This behavior is the same on both the 4.0 and 4.5 ePO.
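Turning those update-mode events back into a per-workflow list of what was modified, renamed, added and deleted is a small parsing job. The following is an added example, not ePO's own code or its export format: the event type names are the ones named in this answer, but the line layout, timestamps, workflow ids, user names and paths are constructed for the example, and the Workflow-Id given to the Begin Update Mode task is assumed to be carried on each event as a workflow field.

```python
"""Summarise update-mode change events per workflow (added example, not ePO code).

Line layout is constructed for this example:
    <timestamp> <EVENT_TYPE> key="value" key="value" ...
Only the event type names come from the guide.
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, List

# Constructed sample events (raw string, so the single backslashes are literal).
SAMPLE_EVENTS = r"""
2010-05-04T10:15:02 FILE_MODIFIED_UPDATE workflow="PATCH-42" user="ACME\svc_patch" program="C:\Windows\System32\msiexec.exe" file="C:\Program Files\App\app.exe"
2010-05-04T10:15:03 FILE_SOLIDIFIED workflow="PATCH-42" user="ACME\svc_patch" program="C:\Windows\System32\msiexec.exe" file="C:\Program Files\App\newplugin.dll"
2010-05-04T10:15:04 FILE_RENAMED_UPDATE workflow="PATCH-42" user="ACME\svc_patch" program="C:\Windows\System32\msiexec.exe" file="C:\Program Files\App\helper.dll" newfile="C:\Program Files\App\helper.dll.bak"
2010-05-04T10:15:05 FILE_UNSOLIDIFIED workflow="PATCH-42" user="ACME\svc_patch" program="C:\Windows\System32\msiexec.exe" file="C:\Program Files\App\legacy.dll"
2010-05-04T11:02:17 EXECUTION_DENIED user="ACME\bob" program="C:\Users\bob\Desktop\tool.exe" file="C:\Users\bob\Desktop\tool.exe"
2010-05-04T11:03:00 FILE_MODIFIED_UPDATE workflow="HOTFIX-7" user="ACME\admin" program="C:\Tools\patch.exe" file="C:\Windows\System32\drivers\x.sys"
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<event>[A-Z_]+)\s*(?P<rest>.*)$")
KV_RE = re.compile(r'(\w+)="([^"]*)"')

# Event type -> change category, as the FAQ answer describes them.
UPDATE_MODE_EVENTS = {
    "FILE_MODIFIED_UPDATE": "modified",
    "FILE_RENAMED_UPDATE": "renamed",
    "FILE_SOLIDIFIED": "added",
    "FILE_UNSOLIDIFIED": "deleted",
}


def parse_event(line: str) -> Dict[str, str]:
    """Split one line into a flat record: ts, event, and every key="value" pair."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable event line: {line!r}")
    rec = {"ts": m.group("ts"), "event": m.group("event")}
    rec.update(KV_RE.findall(m.group("rest")))
    return rec


def summarise_update_windows(lines: Iterable[str]) -> Dict[str, Dict[str, List[str]]]:
    """workflow id -> change category -> file paths (renames shown as old -> new).

    Events that are not update-mode changes (for example EXECUTION_DENIED)
    are skipped; they belong in the violation reports, not the change list.
    """
    out: Dict[str, Dict[str, List[str]]] = defaultdict(lambda: defaultdict(list))
    for line in lines:
        if not line.strip():
            continue
        rec = parse_event(line)
        category = UPDATE_MODE_EVENTS.get(rec["event"])
        if category is None:
            continue
        workflow = rec.get("workflow", "<no workflow id>")
        entry = rec["file"]
        if category == "renamed" and "newfile" in rec:
            entry = f'{rec["file"]} -> {rec["newfile"]}'
        out[workflow][category].append(entry)
    return {wf: dict(cats) for wf, cats in out.items()}


if __name__ == "__main__":
    for wf, cats in summarise_update_windows(SAMPLE_EVENTS.splitlines()).items():
        print(f"workflow {wf}:")
        for cat, files in cats.items():
            for f in files:
                print(f"  {cat:<9} {f}")
```

Grouping by workflow id is what makes the output reviewable: every change inside a window should be explainable by the change ticket the Workflow-Id names, and an event with no workflow field, or a window that contains far more files than the ticket describes, is the thing to question.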

What is the difference between updaters and installers?

There are essentially two attributes that can be associated with each binary executable: authorized and updater. Updaters and installers differ in which of these two attributes they receive.

Updaters - are applications that update the system (program code, exe, dll and so on). When a program is configured as an updater, it gets the privilege to install new software and update existing program code (including itself) present on the system. But it does not get authorized automatically; that is, in order to execute, this program has to be present in the inventory either through the initial scan (solidification) or through explicit authorization (as an allowed binary in the policy).

Installers - when a program (or an installer) is configured as an authorized installer, it gets both attributes, authorized and updater; that is, irrespective of whether this installer was originally present on the system or not, it will be allowed to execute and install/update software on that system. Authorized installers are allowed on the basis of the checksum (SHA1) of the original installer used while configuring this policy. This ensures that irrespective of the source of the installer (and how one gets this installer to the system), if the checksum remains the same, it will be authorized and work as an updater.
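The two attributes can be written down as a policy check. The following is an added illustration, not Solidcore's implementation; it assumes the model this answer describes: "authorized" is satisfied by presence in the solidified inventory (by path), by an explicit allowed binary (by path), or by a SHA1 match against an authorized installer, and "updater" is satisfied by a configured Updater entry (by path) or by an authorized installer. It goes beyond this FAQ in two ways, which the earlier scenarios on this page describe: a trusted user or an open update window also permits a change, and the same path-versus-checksum distinction is what makes the copied jar in "Executing a Java whitelist file" fail while a copied installer succeeds. The paths, file contents and user names are constructed.

```python
"""'authorized' and 'updater' as a policy check (added example, not Solidcore code).

Constructed model:
  authorized  = path in solidified inventory, or path explicitly allowed,
                or SHA1 matches an authorized installer
  updater     = path configured as an Updater, or SHA1 matches an authorized installer
Execution needs 'authorized'; changing protected code needs 'updater' (or a
trusted user, or an open update window).
"""
import hashlib
from dataclasses import dataclass, field
from typing import Optional, Set


def sha1_of(content: bytes) -> str:
    return hashlib.sha1(content).hexdigest()


def _has_path(path: str, paths: Set[str]) -> bool:
    """Windows paths compare case-insensitively."""
    return path.casefold() in {p.casefold() for p in paths}


@dataclass
class Policy:
    inventory: Set[str] = field(default_factory=set)      # solidified paths (initial scan)
    allowed: Set[str] = field(default_factory=set)        # Binary tab allow rules (paths)
    updaters: Set[str] = field(default_factory=set)       # Updater entries (paths)
    installers: Set[str] = field(default_factory=set)     # authorized installers (SHA1)
    trusted_users: Set[str] = field(default_factory=set)  # Trusted User entries (domain\user)


def is_authorized(path: str, content: bytes, policy: Policy) -> bool:
    return (_has_path(path, policy.inventory)
            or _has_path(path, policy.allowed)
            or sha1_of(content) in policy.installers)


def is_updater(path: str, content: bytes, policy: Policy) -> bool:
    return _has_path(path, policy.updaters) or sha1_of(content) in policy.installers


def may_execute(path: str, content: bytes, policy: Policy) -> bool:
    """A binary runs only if it carries the 'authorized' attribute."""
    return is_authorized(path, content, policy)


def may_modify_code(path: str, content: bytes, policy: Policy,
                    user: Optional[str] = None, update_mode: bool = False) -> bool:
    """May this program, run by this user, write to protected code files?"""
    if update_mode:  # open change window: all tamper proofing is overridden
        return True
    if user is not None and user.casefold() in {u.casefold() for u in policy.trusted_users}:
        return True
    # An updater that was never authorized cannot even start, so it cannot update.
    return may_execute(path, content, policy) and is_updater(path, content, policy)


# Constructed scenario mirroring the page's examples.
ADOBE_UPDATER = r"C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe"
SETUP_BYTES = b"constructed installer bytes"
POLICY = Policy(
    inventory={ADOBE_UPDATER, r"C:\javaclasses\app.jar"},
    updaters={ADOBE_UPDATER, r"C:\Tools\patcher.exe"},  # patcher.exe was never solidified
    installers={sha1_of(SETUP_BYTES)},
    trusted_users={r"ACME\admin"},
)

if __name__ == "__main__":
    checks = [
        ("configured updater in inventory", may_modify_code(ADOBE_UPDATER, b"", POLICY)),
        ("updater never solidified", may_execute(r"C:\Tools\patcher.exe", b"", POLICY)),
        ("whitelisted jar", may_execute(r"C:\javaclasses\app.jar", b"jar", POLICY)),
        ("copy of that jar", may_execute(r"C:\Users\bob\Desktop\app.jar", b"jar", POLICY)),
        ("installer from any path", may_execute(r"C:\Users\bob\Downloads\setup.exe", SETUP_BYTES, POLICY)),
        ("tampered installer", may_execute(r"C:\Users\bob\Downloads\setup.exe", SETUP_BYTES + b"x", POLICY)),
    ]
    for label, ok in checks:
        print(f"{label:<32} {'allowed' if ok else 'denied'}")
```

Note what the two matching rules imply for a review of a policy: an Updater entry keyed by path trusts whatever ends up at that path, so the path must itself be protected, while an installer keyed by SHA1 is safe to copy around but must be re-added whenever the vendor ships a new build.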

I have Integrity Monitor enabled on my client, how can I enable Application Control as well?

To enable Application Control on your client do the following:

1 Check whether an Application Control license has been applied: from the 4.0 ePO console, select Configuration | Server Settings | Solidcore. From the 4.5 ePO console, select Menu | Configuration | Server Settings | Solidcore.

2 If an Application Control license has been applied do the following:

• Create an SC: Disable client task. Select Force Reboot with the Task to automatically restart once this task is run.

• Create an SC: Enable client task and enable Application Control and Integrity Monitor. Select Perform Initial Scan to create whitelist to perform the initial scan of the client system while enabling the Solidcore agent. For details on enabling Application Control with Initial scan, refer to the McAfee Solidcore Product Guide. Select Force Reboot with the Task to automatically restart once this task is run.

3 If an Application Control license has not been applied do the following:

• Apply an Application Control license.

• Create an SC: Enable client task and enable Application Control and Integrity Monitor. Select Perform Initial Scan to create whitelist to perform the initial scan of the client system while enabling the Solidcore agent. For details on enabling Application Control with Initial scan, refer to the McAfee Solidcore Product Guide.

What is the Search button present in the Application Control policy Binary tab used for?

The Search button is located in the Binary tab of the Application Control policy. This search works over the Inventory Data and requires:

• The Inventory Data to be pulled into the ePO from clients through the SC: Pull Inventory client task.

• A Solidcore: Update Inventory Search Indexes server task to be scheduled. This ensures that only binaries and scripts present on a client machine can be authorized to run.

In the Binary tab of the Application Control policy can I add scripts with binaries?

Yes, binaries and scripts can be added in the Binary tab. There is default support for certain script files, for example batch files. Additionally, more script interpreters (and their extensions) can be added through an SC: Run Commands client task.
