McAfee Application Control 6.0.0 Evaluation Guide
For use with ePolicy Orchestrator 4.5.0 and 4.6.0

COPYRIGHT

Copyright © 2011 McAfee, Inc. All Rights Reserved.

No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of McAfee, Inc., or its suppliers or affiliate companies.

TRADEMARK ATTRIBUTIONS

AVERT, EPO, EPOLICY ORCHESTRATOR, FOUNDSTONE, GROUPSHIELD, INTRUSHIELD, LINUXSHIELD, MAX (MCAFEE SECURITYALLIANCE EXCHANGE), MCAFEE, NETSHIELD, PORTALSHIELD, PREVENTSYS, SECURITYALLIANCE, SITEADVISOR, TOTAL PROTECTION, VIRUSSCAN, WEBSHIELD are registered trademarks or trademarks of McAfee, Inc. and/or its affiliates in the US and/or other countries. McAfee Red in connection with security is distinctive of McAfee brand products. All other registered and unregistered trademarks herein are the sole property of their respective owners.

LICENSE INFORMATION

License Agreement

NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND.


Contents

Introducing McAfee Application Control  5
    About this guide  6
    Application Control framework  6
Allowing installation and automatic updates on endpoints  8
    Defining an installer to allow software installation  8
    Defining an updater to allow automatic updates on endpoints  9
Ensuring that all software released by a publisher runs  10
Verifying that only authorized code can run  11
Running software from a remote directory  12
Allowing an administrator or user to install or update software  13
Making emergency changes  14
    Placing the endpoints in Update mode  15
    Placing the endpoints in Enabled mode  15
Testing an application for enterprise-wide deployment  17
    Placing the endpoints in Observe mode  17
    Reviewing and analyzing the observations  18
    Placing the endpoints in Enabled mode  20
Fetching and managing the software inventory  22
    Managing the inventory  22
    Checking for unknown threats, such as APTs  23
    Checking if a virus is accidentally whitelisted  24
Comparing the inventory of an endpoint with that of a gold host  26
    Comparing the inventory  26
    Reviewing the comparison results  27
Whitelisting Java or interpreted script files  28
    Running the SC: Run Commands client task  29
Allowing ActiveX controls to run  31
Using Application Control queries  33
    Running a query  33
    Receiving query results on email  33
    Application Control queries  34
Performing common or routine tasks  36
    Creating a policy  36
    Assigning the policy  37
    Fetching the inventory  38
    Uploading events  39
    Viewing events  39


Introducing McAfee Application Control

Today’s IT departments face tremendous pressure to ensure that their endpoints comply with many different security policies, operating procedures, corporate IT standards, and regulations. Extending the viability of fixed function devices, such as point-of-sale (POS) terminals, customer service terminals, and legacy NT platforms has become critical.

McAfee® Application Control® uses dynamic whitelisting to ensure that only trusted applications run on devices, servers, laptops and desktops. This provides IT with the greatest degree of visibility and control over clients, and helps enforce software license compliance. Here are some product features.

• Protects your organization against malware attacks before they occur by proactively controlling the applications executing on your endpoints.

• Locks down the protected endpoints against threats and unwanted changes, with no file system scanning or other periodic activity that could impact system performance.

• Augments traditional security solutions and enables IT to allow only approved system and application software to run. Blocks unauthorized or vulnerable applications that may compromise endpoints without imposing operational overhead. This ensures that end users cannot accidentally introduce software that poses a risk to the business.

• Uses dynamic whitelisting to ensure that only trusted applications run on endpoints. McAfee’s dynamic whitelisting trust model eliminates the labor and cost associated with other whitelisting technologies, thereby reducing overhead and increasing continuity.

• Provides IT control over endpoints and helps enforce software license compliance. With Application Control, IT departments can eliminate unauthorized software on endpoints, while providing employees greater flexibility to use the resources they need to get their jobs done.

• Eliminates the need for IT administrators to manually maintain lists of approved applications. This enables IT departments to adopt a flexible approach where a repository of trusted applications can run on endpoints. This prevents execution of all unauthorized software, scripts and dynamic link libraries (DLLs), and further defends against memory exploits.

• Works effectively when integrated with McAfee® ePolicy Orchestrator® and in standalone mode without network access. The product is designed to operate in a variety of network and firewall configurations.

• Runs transparently on endpoints. It can be set up quickly with very low initial and ongoing operational overhead and minimal impact on CPU cycles.


About this guide

This guide describes common use cases for the McAfee Application Control product.

To use this guide effectively, you must be familiar with McAfee ePO versions 4.5 or 4.6. For more information, see the ePolicy Orchestrator Product Guide for your version.

Application Control framework

The following mechanisms are used by Application Control to protect endpoints:

• Application Code Protection: Allows only whitelisted programs (binary executables, scripts) to run. Any program that does not appear in the whitelist cannot run. Also, it tamper proofs the whitelisted programs to ensure that the program files and registry keys cannot be modified on the endpoint.

• Memory Protection: Prevents vulnerabilities in whitelisted programs from being exploited.

NOTE: Memory protection is only available on the Windows platform. Memory protection is an advanced security mechanism and its description lies beyond the scope of this Evaluation Guide.

When using McAfee Application Control, you can define policies to selectively apply or override the mechanisms in place. You can use one of these methods to allow or prevent membership to the whitelist.

• Binary: Allow or ban a particular binary identified by its name, path, or checksum.

• Publisher: Allow executables of a particular vendor, signed by a security certificate issued to the vendor by a Certificate Authority. Also, all applications and binary files either added to or modified on an endpoint that are signed by the certificate are automatically added to the whitelist.

• Installer: Allow all software that is installed by a particular installer, identified by its checksum, regardless of its source.

• Trusted Directories: Allow users to run any software present on a directory, identified by its UNC pathname.

• Updater or Program: Allow programs identified by name or path to selectively override the tamper proofing and add or update protected files.

• Trusted User: Specify users allowed to selectively override the tamper proofing and add or update protected files.

• Trusted Time Window or Update Mode: Specify a time window within which all tamper proofing is overridden. Programs that are not part of the whitelist can run and update the system. Also, any files added during the trusted time window are added to the whitelist automatically.

Here are some real-life examples.

Example: Blacklist or ban regedit.exe to prevent users from performing unrestricted changes to the Windows registry.
Policy: Binary

Example: Add a network share as a trusted directory to allow users to install software available in the directory.
Policy: Trusted Directory

Example: Add Adobe’s certificate to permit all software issued by Adobe to install and run.
Policy: Publisher

Example: Add Microsoft Office 2007 installer to allow any user to install it.
Policy: Installer

Example: Configure Adobe 8.0 updater as a trusted program so that it can periodically patch the Adobe binary files.
Policy: Updater

Example: Add the IT administrator as a trusted user to allow the administrator to install or update any software.
Policy: Trusted User

Example: Define a time window to allow the IT team to complete maintenance tasks, such as install patches or upgrade software.
Policy: Trusted Time Window


Allowing installation and automatic updates on endpoints

Consider a scenario in which you would like to allow installation of the Adobe Reader application on all endpoints. After installation, you also want to allow automatic updates to the Adobe Reader application. To complete this use case, you will need to define an installer and updater.

What is the difference between an updater and installer?

There are essentially two attributes that can be associated with each binary executable file, namely authorized and updater.

Updaters: As the name suggests, updaters are applications that update the system (program code, exe, dll and so on). If a program is configured as an updater, it is allowed to install new software and update existing program code (including itself). However, an updater is not authorized automatically. To be authorized, an updater must be present in the inventory either through initial scan (solidification) or given explicit authorization (defined as an allowed binary via a policy).

Installers: When a program (or an installer) is configured as an authorized installer, it gets both the attributes - authorized and updater. Regardless of whether the installer was originally present on the system or not, it is allowed to execute and install or update software on the system. An authorized installer is allowed on the basis of the checksum (SHA1) of the original installer (specified while configuring the policy). This ensures that irrespective of the source of the installer (and how one gets this installer to the system), if the checksum value matches, the installer will be authorized and work as an updater.
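The following is an added example, not code from the guide or from the product: a simplified model of the trust decisions described in the framework section and in the updater/installer comparison above. The rule kinds come from the guide; the evaluation order, the data structures, the publisher name "Adobe Systems Incorporated" and every path and byte string are this example's own constructed assumptions.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Optional, Set


@dataclass
class Policy:
    banned_names: Set[str] = field(default_factory=set)     # Binary rule: ban by file name
    allowed_sha1: Set[str] = field(default_factory=set)     # Binary rule: allow by checksum
    publishers: Set[str] = field(default_factory=set)       # Publisher rule: trusted signers
    installer_sha1: Set[str] = field(default_factory=set)   # Installer rule: SHA1 of installer
    trusted_dirs: Set[str] = field(default_factory=set)     # Trusted Directories: UNC paths
    trusted_dir_updaters: bool = True   # "Make programs executed from this directory updaters"
    updaters: Set[str] = field(default_factory=set)         # Updater rule: full program paths
    trusted_users: Set[str] = field(default_factory=set)    # Trusted User rule: domain\user
    update_mode: bool = False           # Trusted time window (Update mode) in effect


@dataclass
class Request:
    path: str                      # where the program is being run from
    content: bytes                 # program bytes, hashed to its SHA1 checksum
    user: str                      # account running it, domain\user
    signer: Optional[str] = None   # subject of a valid code-signing certificate, if any


@dataclass
class Decision:
    allowed: bool    # may the program execute?
    updater: bool    # may it add or modify tamper-proofed files?
    reason: str


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def _norm(path: str) -> str:
    return path.replace("/", "\\").lower()


def in_trusted_dir(path: str, dirs: Set[str]) -> bool:
    """True when path lies under one of the \\server\share trusted directories."""
    p = _norm(path)
    return any(p.startswith(_norm(d).rstrip("\\") + "\\") for d in dirs)


def evaluate(policy: Policy, inventory: Set[str], req: Request) -> Decision:
    """Decide whether req may run and whether it carries the updater attribute.

    inventory holds the SHA1 checksums recorded by the initial scan
    (solidification). The rule order below is this example's assumption.
    """
    name = _norm(req.path).rsplit("\\", 1)[-1]
    digest = sha1_hex(req.content)

    if name in {n.lower() for n in policy.banned_names}:
        return Decision(False, False, "banned binary")
    if policy.update_mode:
        # Trusted time window: tamper proofing is overridden, anything runs.
        return Decision(True, True, "update mode")
    if digest in policy.installer_sha1:
        # Matched by checksum, so the installer's source and location do not matter.
        return Decision(True, True, "authorized installer")
    if in_trusted_dir(req.path, policy.trusted_dirs):
        return Decision(True, policy.trusted_dir_updaters, "trusted directory")
    if req.user.lower() in {u.lower() for u in policy.trusted_users}:
        return Decision(True, True, "trusted user")

    # Everything else must be authorized: solidified, allowed by checksum,
    # or signed by a trusted publisher.
    authorized = (digest in inventory or digest in policy.allowed_sha1
                  or (req.signer is not None and req.signer in policy.publishers))
    if not authorized:
        return Decision(False, False, "not in whitelist")
    # An updater rule grants the updater attribute only; it never authorizes
    # execution on its own (the point made in the Updaters paragraph above).
    is_updater = _norm(req.path) in {_norm(u) for u in policy.updaters}
    return Decision(True, is_updater, "updater" if is_updater else "authorized")


def guide_policy(installer_bytes: bytes) -> Policy:
    """Policy built from the examples the guide gives (all values constructed)."""
    return Policy(
        banned_names={"regedit.exe"},
        publishers={"Adobe Systems Incorporated"},
        installer_sha1={sha1_hex(installer_bytes)},
        trusted_dirs={r"\\fileserver\installers"},
        updaters={r"C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe"},
        trusted_users={r"CORP\itadmin"},
    )
```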


Defining an installer to allow software installation

In this use case, you will add a new installer as a trusted installer, such as the installer for the Adobe Reader application. Download the installer for the Windows platform and save it on your desktop. In this example, we assume that you know the SHA1 checksum of the installer or can calculate it using a utility.

Here are the high-level steps to complete for this use case. For detailed instructions, refer to the Performing common or routine tasks section.

1 Download the application from http://get.adobe.com/reader/ and save it.

2 Try to install the application on an endpoint. The installation fails.

3 Complete these steps to add a new installer.

a Select Menu | Configuration | Solidcore Rules | Installers.

b Select Actions | Add Installer.

The Add Installer page appears.

c Specify the installer name. For example, Adobe Reader application.


d Enter the path of the installer file.

e Optionally, specify the installer version.

f Specify the name of the vendor authorizing the installer. For example, Adobe.

g Enter the SHA1 checksum.

h Click OK.

4 Create a policy to define the installer. Consider the following while defining the policy.

• To add the installer, select the Installers tab and click Add. In the Add Installer dialog box, search for and add the installer. In our example, we add the installer for the Adobe Reader application.

5 Assign this policy to the endpoints.

6 Verify that the installer is permitted to run and install software on the endpoint.

a Log on to the endpoint.

b Navigate to the http://get.adobe.com/reader/ webpage.

c Download the installer for the Adobe Reader application to the desktop.

d Double-click on the installer file. The installation succeeds.

Defining an updater to allow automatic updates on endpoints

In this scenario, you will ensure that only an authorized updater is allowed to update software on the endpoints. In this use case, we will define the Adobe updater as an authorized update agent so that it can periodically patch the Adobe binary files without user intervention on an endpoint.

NOTE: Authorized updaters work at a global level and are not application-specific. After a program is defined as an updater, it can modify any write-protected or read-protected file.

Here are the high-level steps to complete for this use case. For detailed instructions, refer to the Performing common or routine tasks section.

1 Create a policy to define the updater. Consider the following while defining the policy.

• To add a trusted program, select the Updaters tab and click Add. In the Add Updater dialog box, enter the name and path of the file and specify an identification label for the updater. In our example, enter C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe in the Binary field.

2 Assign this policy to the endpoints.

3 Complete these steps to verify that the authorized program can perform software updates on the protected endpoint.

a Log on to the endpoint.

b Open the Adobe Reader and click Help | Check for Updates. Updates, if available, are applied.

4 Upload events from the endpoint to the McAfee ePO console.

5 View the events generated by the AdobeUpdater.exe process on the Menu | Reporting | Solidcore Events page.


Ensuring that all software released by a publisher runs

In this use case, you will add an authorized publisher to allow users to download and install software endorsed by the publisher. You will download Adobe Reader from http://www.adobe.com/downloads/ and extract the security certificate from the installer. Then, add and register the security certificate to the McAfee ePO console to define Adobe as a trusted publisher.

NOTE: You can also define an internal certificate as a trusted publisher. After you define the internal certificate as a publisher, all applications signed by the certificate are allowed. Also, all applications and binary files either added to or modified on an endpoint that are signed by the certificate are automatically added to the whitelist.

Here are the high-level steps to complete for this use case. For detailed instructions, refer to the Performing common or routine tasks section.

1 Download the installer for Adobe Reader (for the Windows platform) and save it to a location accessible from the McAfee ePO server.

2 Complete these steps to extract the certificate and add a new publisher.

a Select Menu | Configuration | Solidcore Rules | Publishers.

b Select Actions | Extract Certificate.

The Extract Certificate from Binary page appears.

c Navigate and specify the path to the Adobe Reader installer.

d Specify credentials, if needed, to access the network path.

3 Create a policy to define the publisher.

• To add the publisher, select the Publishers tab and click Add. In the Add Publisher dialog box, search for and add the certificate. In our example, we add the Adobe certificate.

4 Assign this policy to the endpoints.

5 Verify that software endorsed by the publisher can be installed on the endpoint.

a Log on to an endpoint.

b Navigate to the Adobe website (http://www.adobe.com/downloads/).

c Download Adobe Reader for the Windows platform and save it on the desktop.

d Double-click the installer.

You will be able to install the application.


Verifying that only authorized code can run

After you install and enable Application Control, you can verify that only authorized programs can run on an endpoint. For the sake of illustration, download the desktop search utility for the Microsoft Windows platform from http://desktop.google.com/ and save it on the desktop.

Here are the high-level steps to complete for this use case. For detailed instructions, refer to the Performing common or routine tasks section.

1 Ensure that Application Control is enabled on the endpoint.

2 Complete these steps to verify that an authorized program can run.

a Log on to the endpoint.

b Run an application that was present on the endpoint prior to enabling the software, such as the web browser. The executed application runs.

3 Complete these steps to verify that unauthorized programs cannot run.

a Log on to the endpoint.

b Download the desktop search utility from http://desktop.google.com/ and save it on the desktop.

c Double-click the installer for the desktop search utility.

The installation is denied.

d Delete the installer from the desktop.

4 Upload events from the endpoint to the McAfee ePO console.

5 Review the Execution Denied event for the GoogleDesktopSetup.exe file.

6 Run the Solidcore: Attempted Violations Detected in the Last 24 Hours query.

a Select Menu | Reporting.

b Perform one of these actions:

• From the McAfee ePO 4.6 console, select Queries & Reports | Application Control.

• From the McAfee ePO 4.5 console, select Queries | Application Control.

c Click Run for the Solidcore: Attempted Violations Detected in the Last 24 Hours query.

d Review query results.


Running software from a remote directory

By default, when enabled, Application Control prevents you from executing software stored on a network share. However, many organizations maintain shared folders on the internal network to store installers for authorized and licensed applications. Such network shares are within the security perimeter and are known and trusted by the customer. You can set up a network share as a trusted directory to allow users to run software present on the network share.

In this use case scenario, you will define a directory using its UNC pathname and verify that you can run software from this directory. Ensure that you have both read and write access to the network share. Also, provide the UNC path using the \\servername\sharename syntax.

Here are the high-level steps to complete for this use case. For detailed instructions, refer to the Performing common or routine tasks section.

1 Download the desktop search utility from http://desktop.google.com/ and save it on the network share.

2 Log on to the endpoint and verify that you cannot run the installer for the desktop search utility from the network share.

3 Create a policy to define the trusted directory. Consider the following while defining the policy.

• To define the trusted directory, select the Trusted Directories tab and click Add. In the Add Path dialog box, enter the location of the directory, select Include and Make programs executed from this directory updaters.

4 Assign this policy to the endpoints.

5 Complete these steps to verify that you are able to run the installer from the network share.

a Log on to the endpoint.

b Install the desktop search utility from the directory.

c Run the installed program - the program runs.

d Uninstall the desktop search utility from the endpoint.


Allowing an administrator or user to install or update software

In this use case, you will define a trusted user, with or without system administrator privileges, to install a new application. In this scenario, we will download (from http://picasa.google.com) and install a photo application on an endpoint. Also, add yourself as a trusted user and verify that you are able to install and run the application.

Here are the high-level steps to complete for this use case. For detailed instructions, refer to the Performing common or routine tasks section.

1 Create a policy to define the trusted user. Consider the following while defining the policy.

• To add a trusted user, select the Trusted Users tab and click Add. In the Add User dialog box, enter the user details in domain\user syntax and specify an identification label for the trusted user.

2 Assign this policy to the endpoints.

3 Complete these steps to verify that the trusted user can download and update software on the endpoint.

a Log on to the endpoint as a trusted user.

b Download the installer for the photo application to your desktop.

c Run the installer.

The application installs successfully.

d Open the application.

The application runs successfully.


Making emergency changes

To implement an emergency change (when you cannot use trusted users, directories, publishers or installers), you can create a change window that overrides all protection and tamper proofing that is in effect. You should use a change window only when the other available mechanisms cannot be used.

Here are the high-level steps to complete for this use case.

1 Place the endpoints in Update mode.

2 Complete these steps to verify that you can make emergency changes.

a Log on to the endpoint.

b Download the Google Earth application from http://earth.google.com/ to your desktop.

c Install the Google Earth application.

The application installs successfully.

d Open the Google Earth application.

The application runs successfully.

e Uninstall the application to restore the endpoint to its original state.

f Delete the installer from the desktop.

NOTE: When an endpoint is in Update mode, all changes to existing files in the inventory generate corresponding update mode events, such as FILE_MODIFIED_UPDATE and FILE_RENAMED_UPDATE. In addition, the application generates the FILE_SOLIDIFIED event for new files and FILE_UNSOLIDIFIED event for deleted files.

3 Place the endpoints in Enabled mode.

4 Complete these steps to verify that changes cannot be made after the change window closes.

a Log on to the endpoint.

b Download the Google Earth application from http://earth.google.com/ to your desktop.

c Try to install the Google Earth application.

The installer does not run.

d Delete the installer from the desktop.
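An added example, not part of the guide or the product, of how a defender can triage the events this use case and the earlier "Verifying that only authorized code can run" use case produce: update-mode events (FILE_MODIFIED_UPDATE, FILE_RENAMED_UPDATE, FILE_SOLIDIFIED, FILE_UNSOLIDIFIED) are checked against the recorded change windows (by Workflow ID), and Execution Denied events are counted per host for the last 24 hours, as the Attempted Violations query does. The event names and the Workflow ID come from the guide; the pipe-separated line format, hosts, paths, users and times are constructed for this example and are not the ePO export format.

```python
from collections import Counter, namedtuple
from datetime import datetime, timedelta
from typing import List, Optional

Event = namedtuple("Event", "time host kind path user")
Window = namedtuple("Window", "workflow host start end")

UPDATE_EVENTS = {"FILE_MODIFIED_UPDATE", "FILE_RENAMED_UPDATE",
                 "FILE_SOLIDIFIED", "FILE_UNSOLIDIFIED"}
DENIED = "Execution Denied"
FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample events: time|host|event|file|user
SAMPLE_EVENTS = """\
2011-06-01 09:05:00|POS-17|Execution Denied|C:\\Users\\bob\\Desktop\\GoogleDesktopSetup.exe|CORP\\bob
2011-06-01 22:10:00|POS-17|FILE_SOLIDIFIED|C:\\Program Files\\Google\\Google Earth\\googleearth.exe|CORP\\itadmin
2011-06-01 22:12:00|POS-17|FILE_MODIFIED_UPDATE|C:\\Windows\\System32\\drivers\\etc\\hosts|CORP\\itadmin
2011-06-02 03:40:00|POS-17|FILE_SOLIDIFIED|C:\\Windows\\Temp\\svc.exe|NT AUTHORITY\\SYSTEM
2011-06-02 08:00:00|POS-18|Execution Denied|C:\\Users\\amy\\Desktop\\GoogleDesktopSetup.exe|CORP\\amy
2011-06-02 08:01:00|POS-18|Execution Denied|C:\\Users\\amy\\Desktop\\GoogleDesktopSetup.exe|CORP\\amy
"""

# Constructed change windows, one SC: Begin Update Mode / SC: End Update Mode
# cycle per line: workflow|host|start|end
SAMPLE_WINDOWS = """\
CHG-2011-0601|POS-17|2011-06-01 22:00:00|2011-06-01 23:00:00
"""


def parse_events(text: str) -> List[Event]:
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        t, host, kind, path, user = line.split("|", 4)
        events.append(Event(datetime.strptime(t, FMT), host, kind, path, user))
    return events


def parse_windows(text: str) -> List[Window]:
    windows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        wf, host, start, end = line.split("|", 3)
        windows.append(Window(wf, host, datetime.strptime(start, FMT),
                              datetime.strptime(end, FMT)))
    return windows


def covering_window(ev: Event, windows: List[Window]) -> Optional[str]:
    """Workflow ID of the update window open on ev.host at ev.time, or None."""
    for w in windows:
        if w.host == ev.host and w.start <= ev.time <= w.end:
            return w.workflow
    return None


def unexplained_updates(events: List[Event], windows: List[Window]) -> List[Event]:
    """Update-mode events that no recorded change window accounts for.

    In Enabled mode no such event should occur, so a hit is either a window
    that was never recorded or a change that deserves a closer look.
    """
    return [e for e in events
            if e.kind in UPDATE_EVENTS and covering_window(e, windows) is None]


def denied_last_24h(events: List[Event], now) -> Counter:
    """Per-host Execution Denied count for the 24 hours before now
    (now may be a datetime or a string in FMT)."""
    if isinstance(now, str):
        now = datetime.strptime(now, FMT)
    since = now - timedelta(hours=24)
    return Counter(e.host for e in events
                   if e.kind == DENIED and since <= e.time <= now)


if __name__ == "__main__":
    evs, wins = parse_events(SAMPLE_EVENTS), parse_windows(SAMPLE_WINDOWS)
    for e in unexplained_updates(evs, wins):
        print("no change window:", e.host, e.kind, e.path, e.user)
    print("denied in last 24h:", dict(denied_last_24h(evs, "2011-06-02 10:00:00")))
```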


Placing the endpoints in Update mode

Use this task to place the endpoints in Update mode to make emergency changes.

Task

For option definitions, click ? in the interface.

1 Select Menu | Systems | System Tree.

2 Complete these steps for the McAfee ePO 4.6 console:

a Perform one of these actions:

• To apply the client task to a group, select a group in the System Tree and switch tothe Assigned Client Tasks tab.

• To apply the client task to an endpoint, select the endpoint on the Systems pageand click Actions | Agent | Modify Tasks on a Single System.

b Click Actions | New Client Task Assignment.The Client Task Assignment Builder page displays.

c Select the Solidcore 6.0.0 product, SC: Begin Update Mode task type, and clickCreate New Task.The Client Task Catalog page displays.

d Specify the task name and add any descriptive information.

3 Complete these steps for the McAfee ePO 4.5 console:

a Perform one of these actions:

• To apply the client task to a group, select a group in the System Tree and switch tothe Client Tasks tab.

• To apply the client task to an endpoint, select the endpoint on the Systems page and click Actions | Agent | Modify Tasks on a Single System.

b Click Actions | New Task. The Client Task Builder page displays.

c Specify the task name and add any descriptive information.

d Select SC: Begin Update Mode (Solidcore 6.0.0) and click Next. The Configuration page displays.

4 Enter the Workflow ID and any comments. The workflow ID is a meaningful description for the update window.

5 Click Save (McAfee ePO 4.6 only).

6 Click Next. The Schedule page displays.

7 Specify scheduling details and click Next.

8 Review and verify the task details and click Save.

9 Optionally, wake up the agent to send your client task to the endpoint immediately.

Placing the endpoints in Enabled mode

Use this task to place the endpoints back in Enabled mode after you complete the required changes in Update mode.


Task

For option definitions, click ? in the interface.

1 Select Menu | Systems | System Tree.

2 Complete these steps for the McAfee ePO 4.6 console:

a Perform one of these actions:

• To apply the client task to a group, select a group in the System Tree and switch to the Assigned Client Tasks tab.

• To apply the client task to an endpoint, select the endpoint on the Systems page and click Actions | Agent | Modify Tasks on a Single System.

b Click Actions | New Client Task Assignment. The Client Task Assignment Builder page displays.

c Select the Solidcore 6.0.0 product, SC: End Update Mode task type, and click Create New Task. The Client Task Catalog page displays.

d Specify the task name and add any information.

3 Complete these steps for the McAfee ePO 4.5 console:

a Perform one of these actions:

• To apply the client task to a group, select a group in the System Tree and switch to the Client Tasks tab.

• To apply the client task to an endpoint, select the endpoint on the Systems page and click Actions | Agent | Modify Tasks on a Single System.

b Click Actions | New Task. The Client Task Builder page displays.

c Specify the task name and add any descriptive information.

d Select SC: End Update Mode (Solidcore 6.0.0) and click Next. The Configuration page states that no other configuration settings are required for the task.

4 Click Save (McAfee ePO 4.6 only).

5 Click Next. The Schedule page displays.

6 Specify scheduling details and click Next.

7 Review and verify the task details and click Save.

8 Optionally, wake up the agent to send your client task to the endpoint immediately.


Testing an application for enterprise-wide deployment

Prior to deploying a new application across the enterprise, you can perform a dry run and deploy the application on a few test endpoints running in Observe mode. When running in Observe mode, Application Control emulates the Enabled mode but logs observations instead of preventing any applications or code from running. An observation is logged corresponding to each action Application Control will take when in Enabled mode.

In this use case, you will download and install Google Talk on an endpoint to ascertain and manage any issues that you might encounter when running in Enabled mode. This will ensure that the enterprise-wide deployment of the application will be seamless.

Here are the high-level steps to complete for this use case. For detailed instructions, refer to the Performing common or routine tasks section.

1 Place the endpoint in Observe mode.

• If the endpoint is currently in Enabled mode, run the SC: Observe Mode client task to place the endpoint in Observe mode (detailed in this use case).

• If you are using a new endpoint (fresh deployment of Application Control), run the SC: Enable client task to place the endpoint in Observe mode.

2 Install the application on the endpoint.

a Log on to the endpoint.

b Install and run Google Talk.

3 Review and take actions for the generated observations.

Observations are generated every minute.

4 Create a new rule group, named GTalk, for the provided suggestions.

5 Place the endpoint in Enabled mode.

6 To ensure seamless deployment of the Google Talk application on endpoints running in Enabled mode, add the GTalk rule group to a policy applied to the endpoints.

Contents

Placing the endpoints in Observe mode

Reviewing and analyzing the observations

Placing the endpoints in Enabled mode

Placing the endpoints in Observe mode

Use this task to place the endpoints in Observe mode.


Task

For option definitions, click ? in the interface.

1 Select Menu | Systems | System Tree.

2 Complete these steps for the McAfee ePO 4.6 console:

a Perform one of these actions:

• To apply the client task to a group, select a group in the System Tree and switch to the Assigned Client Tasks tab.

• To apply the client task to an endpoint, select the endpoint on the Systems page and click Actions | Agent | Modify Tasks on a Single System.

b Click Actions | New Client Task Assignment. The Client Task Assignment Builder page displays.

c Select the Solidcore 6.0.0 product, SC: Observe Mode task type, and click Create New Task. The Client Task Catalog page displays.

d Specify the task name and add any descriptive information.

3 Complete these steps for the McAfee ePO 4.5 console:

a Perform one of these actions:

• To apply the client task to a group, select a group in the System Tree and switch to the Client Tasks tab.

• To apply the client task to an endpoint, select the endpoint on the Systems page and click Actions | Agent | Modify Tasks on a Single System.

b Click Actions | New Task. The Client Task Builder page displays.

c Specify the task name and add any descriptive information.

d Select SC: Observe Mode (Solidcore 6.0.0) and click Next. The Configuration page displays.

4 Enter the Workflow ID and any comments. The workflow ID provides a meaningful description for switching to Observe mode.

5 Click Save (McAfee ePO 4.6 only).

6 Click Next. The Schedule page displays.

7 Specify scheduling details and click Next.

8 Review and verify the task details and click Save.

9 Optionally, wake up the agent to send your client task to the endpoint immediately.

Reviewing and analyzing the observations

Use this task to review and analyze the logged observations.

Task

For option definitions, click ? in the interface.

1 Select Menu | Application Control | Observations.


The Solidcore Observations page displays. On this page, you can review the following information for each observation:

• Time at which the observation was logged

• Name of the host on which the observation occurred

• Name of user who caused the observation

• Name and location of the object for which the observation was generated

• Type of observation

• Status of the observation (Approved, Dismissed, or Pending)

• Remarks specified by the user while approving or dismissing the observation

• Group to which the host belongs

2 Filter observations to review the observations generated for the Google Talk application by using one of these methods.

• Enter a search string in the Quick find field and click Apply to view observations that match the specified search criteria.

• Sort the list based on the time or process name by clicking the column heading.

3 Click Show Suggestions for the observation. Detailed information for the observation displays. By default, the file associated with the observation is selected in the Process Tree pane.

4 Review the suggestions and details available for the observation. For all files, the Binary Info pane is available on the Suggestions tab. The Publisher Info pane is displayed only if a certificate is associated with the file.

Binary Info

Displays detailed information for the binary file. You can review the binary name, path, and checksum. Cloud Trust Score and Enterprise Trust Level are displayed for the binary file if available with the McAfee GTI file reputation service.

Depending on the file's properties and attributes, one or more of the following actions are available for the file.

• Add as Installer

• Add as Updater

• Add to Whitelist

• Add Parent as Updater

• Add as Exception

• Allow by Checksum

• Add as Trusted Directory

Publisher Info

Displays information for the certificate associated with the file. For the certificate you can review the following details:

• Company name the certificate is issued to

• Certificate issuing authority

• Modification date for the certificate

For a certificate, you can click Add Publisher to add the certificate as a publisher.

a Take the required actions for the file. The Rule Group and Files to be Whitelisted panes are updated based on the selected actions.

b Review the information in the Rule Group and Files to be Whitelisted panes. The files you add to the whitelist are included in the inventory of the specific endpoint, while any rules you add to a rule group are available at a global level and can be used on multiple endpoints (as long as they are added to the policies applied to the endpoints).


c Select Create a new Rule Group and enter the rule group name (for example, GTalk).

d Click Approve. The Approve window displays.

e Enter remarks to optionally provide a description for the approval.

f Click OK.

Placing the endpoints in Enabled mode

Use this task to place the endpoints in Enabled mode after you complete the required changes in Observe mode.

Task

For option definitions, click ? in the interface.

1 Select Menu | Systems | System Tree.

2 Complete these steps for the McAfee ePO 4.6 console:

a Perform one of these actions:

• To apply the client task to a group, select a group in the System Tree and switch to the Assigned Client Tasks tab.

• To apply the client task to an endpoint, select the endpoint on the Systems page and click Actions | Agent | Modify Tasks on a Single System.

b Click Actions | New Client Task Assignment. The Client Task Assignment Builder page displays.

c Select the Solidcore 6.0.0 product, SC: Observe Mode task type, and click Create New Task. The Client Task Catalog page displays.

d Specify the task name and add any descriptive information.

3 Complete these steps for the McAfee ePO 4.5 console:

a Perform one of these actions:

• To apply the client task to a group, select a group in the System Tree and switch to the Client Tasks tab.

• To apply the client task to an endpoint, select the endpoint on the Systems page and click Actions | Agent | Modify Tasks on a Single System.

b Click Actions | New Task. The Client Task Builder page displays.

c Specify the task name and add any descriptive information.

d Select SC: Observe Mode (Solidcore 6.0.0) and click Next. The Configuration page displays.

4 Select End Observe Mode.

5 Select Enable Solidcore client to place the endpoint in Enabled mode.

6 Select Update changes made in Observe Mode to whitelist to update the inventory with the recent changes.

7 Click Save (McAfee ePO 4.6 only).

8 Click Next.


The Schedule page displays.

9 Specify scheduling details and click Next.

10 Review and verify the task details and click Save.

11 Optionally, wake up the agent to send your client task to the endpoint immediately.


Fetching and managing the software inventory

In this scenario, you will fetch a list of all software running on an endpoint and review and manage the endpoint inventory.

Here are the high-level steps to complete for this use case. For detailed instructions, refer to the Performing common or routine tasks section.

1 Fetch the software inventory for an endpoint.

2 Wake up the agent to send events from the endpoint.

3 Review and manage the inventory for the endpoint.

4 Wake up the agent to send the policies to the endpoint.

5 Check for unknown threats, such as advanced persistent threats (APTs).

6 Check if a virus is accidentally whitelisted.

Contents

Managing the inventory

Checking for unknown threats, such as APTs

Checking if a virus is accidentally whitelisted

Managing the inventory

Application Control is integrated with the McAfee GTI file reputation service. Based on information fetched from GTI, the application and binary files in the inventory are sorted into Good, Bad, and Unclassified categories. For each application and binary file, GTI provides the trust level and trust score. The trust level indicates if the file is a good, bad, or unknown file. The trust score value ranges between 1 and 5. A value of 1 or 2 represents known bad files, such as Trojan, virus, and potentially unwanted program (PUP) files. A value of 3 indicates an Unclassified file. A value of 4 or 5 represents known and trusted good files.

Use this task to manage and take actions on the software inventory for an endpoint.

Task

For option definitions, click ? in the interface.

1 Select Menu | Application Control | Inventory | Inventory By Systems.

2 Click View Inventory for the endpoint. The inventory for the selected endpoint is listed.

3 Review the applications running on the endpoint. By default, based on information received from GTI, the application and binary files are sorted into Good, Bad, and Unclassified categories. Here are some alternative views you can use.


Review all binary files on the endpoint

Select the Binary Name filter, do not specify a file name, and click Search. All binary files on the endpoint are listed.

Review all unclassified binary files on the endpoint

Navigate the Applications tree and select the Unclassified Binaries node. All unclassified binary files on the endpoint are listed.

Sort the application and binary files based on vendor

Select the Vendor filter, do not specify a vendor name, and click Search. The applications and binary files are sorted by the vendor. For each vendor, you can view the Good, Bad, and Unclassified categories.

Search for a file based on its checksum value

Select the Binary SHA1 filter, enter a checksum value, and click Search. The binary file with the specified checksum value is displayed.

4 Review and manage the unclassified files.

• If an unclassified application is from a reputed vendor, is internally developed, or is recognized, mark it as a good application. To mark an unclassified application or binary file as a good application, edit the enterprise trust level of the file. By default, the enterprise trust level for a file is the same as the cloud trust level. When edited, the enterprise trust level for a file overrides the cloud trust level for the file. To edit the enterprise trust level for a file, choose the file and select Actions | Change Enterprise Trust Level.

• To prevent applications or binary files from running, choose the files and select Actions | Ban Binaries. Specify the rule group in which to add the rules.

• To allow known applications or binary files to run, choose the files and select Actions | Allow Binaries. Specify the rule group in which to add the rules.

5 Add the updated rule group to the policies applied to the endpoint.

Checking for unknown threats, such as APTs

Application Control is integrated with the McAfee GTI file reputation service. Based on the information fetched from GTI, application and binary files in the inventory are sorted into Good, Bad, and Unclassified categories. In effect, this segregates your inventory into three categories:

• Blacklist (known malware or bad applications)

• Whitelist (known good or trusted application)

• Graylist (unknown applications)

Any pre-existing APTs will reside in the Graylist or Unclassified category. In this use case, you will learn how to check and take actions for unknown threats, such as APTs.

Use this task to check for unknown threats, such as APTs. Here are the high-level steps to complete for this use case. Please note that several steps in the workflow lie outside the scope of the product.

Task

For option definitions, click ? in the interface.

1 Fetch the software inventory for an endpoint.

2 Review the inventory.

3 Ban the Bad applications and binary files. Alternatively, if you have installed McAfee VirusScan Enterprise, use it to clean the bad applications and binary files.


4 Analyze the unclassified files. If they exist, the APTs will usually be one of the unclassified files. Use these guidelines to manage the unclassified files.

a Mark an unclassified application as a good application if it meets one or more of the following criteria.

• Check if the application is an internally developed or recognized application. Recategorize all in-house or trusted files as Good files by editing the enterprise trust level of the file. To edit the enterprise trust level for a file, select the file and select Actions | Change Enterprise Trust Level.

• Verify if the application or binary file is signed by a reputed certificate authority (CA). You can add a new filter to identify unclassified applications that are signed.

1 Select Add Saved Filter from the Saved Filters list.

2 Select the Has Cert filter, set comparison to Equals, and select the True value.

3 Select the Trust Level (Enterprise) filter, set comparison to Equals, and select the Unclassified value.

4 Click Update Filter.

b Compare the inventory of the endpoint with a trusted gold image. This will help you identify additional applications that GTI is not aware of but are trusted or known to your organization.

c Use GTI tools, such as GetClean or GetSusp, to send an unknown file back to GTI for further analysis. For more information about these tools, see KB69385.

d If you have McAfee Host Intrusion Prevention installed, create a firewall rule to block the gray binary's network access. While defining the rule, ensure that you identify the file by its name or checksum.
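The trust-score categories, the enterprise trust level override and the signed-but-unclassified saved filter from the inventory and APT-check tasks above, worked through in code. This is an added example, not McAfee's code; the InventoryEntry fields, the function names and the sample inventory are constructed for the illustration, while the score ranges, the override rule, the filter and the THREAT_DETECTED event name are taken from this guide.

```python
"""Model of the GTI-based inventory triage this guide describes.

Added illustration, not McAfee code: the InventoryEntry fields and the
sample inventory are constructed. Only the score ranges (1-2 Bad,
3 Unclassified, 4-5 Good), the enterprise-over-cloud override, the
Has Cert / Trust Level (Enterprise) filter and the THREAT_DETECTED event
name come from the guide.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

TRUST_LEVELS = ("Good", "Bad", "Unclassified")


@dataclass
class InventoryEntry:
    name: str
    vendor: str
    has_cert: bool                 # a publisher certificate is attached to the file
    cloud_trust_score: int         # 1..5 as reported by GTI
    # None means "never edited": the enterprise level then equals the cloud level
    enterprise_trust_level: Optional[str] = None


def level_from_cloud_score(score: int) -> str:
    """Map a GTI trust score to the Good / Bad / Unclassified category."""
    if score in (1, 2):
        return "Bad"
    if score == 3:
        return "Unclassified"
    if score in (4, 5):
        return "Good"
    raise ValueError(f"GTI trust score out of range: {score}")


def enterprise_trust_level(entry: InventoryEntry) -> str:
    """Level shown in the inventory views: an edited enterprise level overrides the cloud level."""
    if entry.enterprise_trust_level is not None:
        return entry.enterprise_trust_level
    return level_from_cloud_score(entry.cloud_trust_score)


def change_enterprise_trust_level(entry: InventoryEntry, level: str) -> None:
    """Actions | Change Enterprise Trust Level: override GTI for an in-house or recognized file."""
    if level not in TRUST_LEVELS:
        raise ValueError(f"unknown trust level: {level}")
    entry.enterprise_trust_level = level


def sort_by_level(inventory: List[InventoryEntry]) -> Dict[str, List[str]]:
    """Default inventory view: file names grouped into Good, Bad and Unclassified."""
    groups: Dict[str, List[str]] = {level: [] for level in TRUST_LEVELS}
    for entry in inventory:
        groups[enterprise_trust_level(entry)].append(entry.name)
    return groups


def signed_unclassified(inventory: List[InventoryEntry]) -> List[str]:
    """Saved filter from the APT check: Has Cert = True and Trust Level (Enterprise) = Unclassified."""
    return [e.name for e in inventory
            if e.has_cert and enterprise_trust_level(e) == "Unclassified"]


def threat_detected(inventory: List[InventoryEntry]) -> List[str]:
    """Files for which the guide says THREAT_DETECTED is raised: cloud trust score 1 or 2.
    This reads the cloud score on purpose, so an edited enterprise level cannot hide a known bad file."""
    return [e.name for e in inventory if e.cloud_trust_score in (1, 2)]


# Constructed sample inventory; names, vendors and scores are invented for the example.
SAMPLE_INVENTORY = [
    InventoryEntry("notepad.exe", "Example OS Vendor", True, 5),
    InventoryEntry("payroll.exe", "In-house", False, 3),      # internally developed, unknown to GTI
    InventoryEntry("vendor-updater.exe", "Example Vendor", True, 3),
    InventoryEntry("dropper.exe", "", False, 1),              # known bad
    InventoryEntry("pup-toolbar.exe", "", False, 2),          # potentially unwanted program
]


def triage(inventory: List[InventoryEntry]) -> Dict[str, object]:
    """Walk the guide's steps: view by level, list THREAT_DETECTED files, recategorize
    the in-house file as Good, then show the signed-but-still-unclassified leftovers."""
    before = sort_by_level(inventory)
    threats = threat_detected(inventory)
    for entry in inventory:
        if entry.vendor == "In-house":
            change_enterprise_trust_level(entry, "Good")
    return {
        "before": before,
        "threat_detected": threats,
        "after": sort_by_level(inventory),
        "signed_unclassified": signed_unclassified(inventory),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_INVENTORY).items():
        print(f"{key}: {value}")
```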

Checking if a virus is accidentally whitelisted

If you do not have anti-virus software installed and have enabled Application Control, you could have accidentally whitelisted a virus file. In this use case, you will verify if a virus file is present in your inventory and will take action for the file.

If available with the McAfee GTI file reputation service, for each application and binary file, GTI provides the trust level and trust score. For known Bad files, the cloud trust score value is 1 or 2 and Application Control generates the THREAT_DETECTED event.

Use this task to check if a virus is accidentally whitelisted. Here are the high-level steps to complete for this use case. For detailed instructions, refer to the Performing common or routine tasks section.

Task

For option definitions, click ? in the interface.

1 Define an alert to receive a notification when the THREAT_DETECTED event is generated.

a Select Menu | Automation | Automatic Responses.

b Click New Response. The Response Builder wizard opens to the Description page.

c Enter the alert name.

d Select the ePO Notification Events group and Threat event type.

e Select Enabled.


f Click Next. The Filter page appears.

g Specify the endpoint or group in the Defined at field.

h Select the Threat Name filter, set comparison to Equals, and select the THREAT_DETECTED value.

i Click Next. The Aggregation page appears.

j Select Trigger this response for every event.

k Click Next. The Actions page appears.

l Select Send Email, specify the email details, and click Next.

m Review the details and click Save.

2 Fetch the inventory for the endpoint.

3 Review if any alerts are generated for the THREAT_DETECTED event.

4 Ban the infected files.


Comparing the inventory of an endpoint with that of a gold host

Image deviation is used to compare the inventory of an endpoint with the golden inventory that is fetched from a designated gold system. This helps you to track the inventory present on an endpoint and identify any differences that occur. In this scenario, you will fetch the baseline inventory of an endpoint and compare it with the inventory of your Gold Host.

Here are the high-level steps to complete for this use case. For detailed instructions, refer to the Performing common or routine tasks section.

1 Fetch the inventory for your Gold Host.

2 Fetch the inventory for an endpoint, such as Host A.

3 Review the Menu | Automation | Solidcore Client Task Log page to ensure that both client tasks completed successfully.

4 Compare the inventory of Gold Host with the inventory of Host A.

5 Review the comparison results.

Contents

Comparing the inventory

Reviewing the comparison results

Comparing the inventory

Use this task to compare the inventory of the Gold Host with the inventory of Host A.

Before you begin

Ensure that you have recently fetched the inventory for the Gold Host and Host A.

Task

For option definitions, click ? in the interface.

1 Select Menu | Automation | Server Tasks.

2 Click Actions | New Task. The Server Task Builder wizard opens.

3 Type the task name and click Next.

4 Select Solidcore: Run Image Deviation from the Actions drop-down list.

5 Specify the gold system (Gold Host).

6 Select the endpoint to compare with the gold system (Host A) and click Next. The Schedule page appears.


7 Specify the schedule for the task. To instantly review the comparison results, run the server task immediately.

8 Click Next. The Summary page appears.

9 Review the task summary and click Save.

Reviewing the comparison results

Use this task to review the results of the inventory comparison.

Task

For option definitions, click ? in the interface.

1 Select Menu | Application Control | Image Deviation.

2 Locate the Gold Host and Host A comparison.

3 Click Show Deviations.

4 Review the comparison details.

• Select the view type. You can organize the results based on applications or binary files.

• Use the available filters to sort the results. Using the filters, you can view new (added), modified, and removed (missing) files. Use the Execution Allowed Mismatch filter to view files with changes to the execution status.
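The deviation kinds listed above (added, modified, removed, and Execution Allowed Mismatch) and the two view types, worked through as an added example that is not McAfee's code: a constructed Gold Host inventory is compared with a constructed Host A inventory. The BinaryRecord fields, the function names, and every path and checksum are assumptions made for the illustration.

```python
"""Image deviation as this guide describes it: compare an endpoint's inventory
with the golden inventory fetched from the gold system.

Added illustration, not McAfee code. BinaryRecord's fields and both sample
inventories are constructed; only the deviation kinds (added, modified,
removed, Execution Allowed Mismatch) and the two view types (by application,
by binary file) come from the guide.
"""
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class BinaryRecord:
    sha1: str                 # checksum recorded in the inventory
    execution_allowed: bool   # whether Application Control lets the file run
    application: str          # application the binary belongs to


Inventory = Dict[str, BinaryRecord]   # keyed by full file path

DEVIATION_KINDS = ("added", "removed", "modified", "execution_allowed_mismatch")


def image_deviation(gold: Inventory, host: Inventory) -> Dict[str, List[str]]:
    """Binary-file view: list each path under every deviation kind it exhibits."""
    result: Dict[str, List[str]] = {kind: [] for kind in DEVIATION_KINDS}
    for path in sorted(set(gold) | set(host)):
        g, h = gold.get(path), host.get(path)
        if g is None:            # present on the host, missing from the gold image
            result["added"].append(path)
        elif h is None:          # present in the gold image, missing on the host
            result["removed"].append(path)
        else:
            if g.sha1 != h.sha1:
                result["modified"].append(path)
            # a file can be byte-for-byte identical yet allowed on one side and blocked on the other
            if g.execution_allowed != h.execution_allowed:
                result["execution_allowed_mismatch"].append(path)
    return result


def by_application(gold: Inventory, host: Inventory,
                   deviations: Dict[str, List[str]]) -> Dict[str, Set[str]]:
    """Application view: roll the binary deviations up to the owning application."""
    rollup: Dict[str, Set[str]] = {}
    for kind, paths in deviations.items():
        for path in paths:
            record = host.get(path) or gold[path]
            rollup.setdefault(record.application, set()).add(kind)
    return rollup


# Constructed sample inventories; paths and checksums are invented for the example.
GOLD_HOST: Inventory = {
    r"C:\Program Files\ExampleApp\app.exe": BinaryRecord("1111", True, "ExampleApp"),
    r"C:\Windows\System32\example.dll":      BinaryRecord("2222", True, "Windows"),
    r"C:\Tools\legacy.exe":                  BinaryRecord("3333", True, "Tools"),
}
HOST_A: Inventory = {
    r"C:\Program Files\ExampleApp\app.exe": BinaryRecord("1111", False, "ExampleApp"),  # same file, now blocked
    r"C:\Windows\System32\example.dll":      BinaryRecord("2abc", True, "Windows"),      # checksum differs
    r"C:\Users\Public\unknown.exe":          BinaryRecord("4444", True, "Unknown"),      # not in the gold image
}


if __name__ == "__main__":
    deviations = image_deviation(GOLD_HOST, HOST_A)
    for kind in DEVIATION_KINDS:
        print(f"{kind}: {deviations[kind]}")
    print(by_application(GOLD_HOST, HOST_A, deviations))
```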


Whitelisting Java or interpreted script files

Application Control tamper proofs all Portable Executable (PE) files and certain script files. When the software inventory is created for an endpoint, all PE files and the following script files are added to the inventory.

• .ps1

• .bat

• .cmd

• .pif

• .sys

• .vbe

• 16Bit

• .vbs

• .exe

• .com

Using the software, you can tamper proof other non-PE files, such as Java class files, by adding them to the software inventory. To add a non-PE file, specify the script interpreter and the file extension. In this scenario, you will whitelist Java class files located on the C:\ drive (C:\javaclasses).

Here are the high-level steps to complete for this use case. For detailed instructions, refer to the Performing common or routine tasks section.

1 Run the SC: Run Commands client task to complete these tasks:

a Add the program associated with the files as an interpreter.

In our example, we will add java.exe as an interpreter.

b Add the required files to the software inventory.

In our example, we will add Java class files to the inventory.

2 Upload events from the endpoint to the McAfee ePO console.

3 Complete these steps to verify that the SC: Run Commands client task executed successfully.

a Select Menu | Automation | Solidcore Client Task Log.

b Check if the client task completed successfully.

4 Complete these steps to verify that you can execute a whitelisted jar file but cannot execute a jar file that is not in the whitelist.

a Log on to the endpoint.

b Execute the whitelisted jar file by using the following command:

java -jar <java class file path>

The java class file executes.


c Copy the same jar file to a different location and execute the file by using the following command:

java -jar <java class file path>

The java class file does not execute.

5 Upload events from the endpoint to the McAfee ePO console.

6 Review the EXECUTION_DENIED event generated for the execution of the unauthorized java class file.

Contents

Running the SC: Run Commands client task

Running the SC: Run Commands client task

Use this task to add java.exe as an authorized program and .jar files to the inventory.

Task

For option definitions, click ? in the interface.

1 Select Menu | Systems | System Tree.

2 Complete these steps for the McAfee ePO 4.6 console:

a Perform one of these actions:

• To apply the client task to a group, select a group in the System Tree and switch to the Assigned Client Tasks tab.

• To apply the client task to an endpoint, select the endpoint on the Systems page and click Actions | Agent | Modify Tasks on a Single System.

b Click Actions | New Client Task Assignment. The Client Task Assignment Builder page displays.

c Select the Solidcore 6.0.0 product, SC: Run Commands task type, and click Create New Task. The Client Task Catalog page displays.

d Specify the task name and add any descriptive information.

3 Complete these steps for the McAfee ePO 4.5 console:

a Perform one of these actions:

• To apply the client task to a group, select the group in the System Tree and switch to the Client Tasks tab.

• To apply the client task to an endpoint, select the endpoint on the Systems page and click Actions | Agent | Modify Tasks on a Single System.

b Click Actions | New Task. The Client Task Builder page displays.

c Specify the task name and add any descriptive information.

d Select SC: Run Commands (Solidcore 6.0.0) and click Next. The Configuration page displays.

4 Enter the following command: scripts add .jar "java.exe"


5 Click + and enter the following command: so <location of jar files>

6 Select Requires Response.

7 Click Save (McAfee ePO 4.6 only).

8 Click Next. The Schedule page displays.

9 Specify schedule details and click Next.

10 Review and verify the task details and click Save.

11 Optionally, wake up the agent to send your client task to the endpoint immediately.


Allowing ActiveX controls to run

By default, Application Control prevents the installation of ActiveX controls on endpoints. You can use the ActiveX feature to install and run ActiveX controls on endpoints. This feature is enabled by default and available only on the Windows platform.

NOTE: Only the Internet Explorer browser is supported for ActiveX control installations. If you are using a 64-bit operating system, installation of ActiveX controls is supported only for the 32-bit Internet Explorer application. Simultaneous installation of ActiveX controls using multiple tabs of Internet Explorer is not supported.

Here are high-level steps to help you use the ActiveX feature.

1 Install the required ActiveX control on the endpoint.

a Log on to the endpoint.

b Navigate to the http://www.webex.com/lp/jointest/ page.

c Enter the user name and email ID.

d Click Join Test.

The browser prompts you to install the ActiveX control. Application Control prevents the installation of the ActiveX control on the endpoint.

2 Review the notification for the ActiveX Installation Prevented event on the endpoint.

a Right-click the McAfee Agent icon in the system tray.

b Select Quick Settings | Application and Change Control Events. The Application and Change Control Events console appears.

c Locate the ActiveX Installation Prevented event.

3 Wait for a few minutes. Observations are generated every minute.

4 Upload events from the endpoint to the McAfee ePO console.

5 Review and take actions for the ActiveX Installation Prevented event from the McAfee ePO console.

a Select Menu | Reporting | Solidcore Events.

b Locate the ActiveX Installation Prevented event for the endpoint.

c Click Show Suggestions.

Detailed information for the event appears.

d Click Add Publisher to add the certificate associated with the ActiveX control as a publisher.

e Specify the rule group for the suggestions.

f Click Approve.

The Approve window displays.

g Click OK.

6 Ensure the updated rule group is included in a policy applied to the endpoint.

7 Complete these steps to verify that you can install the ActiveX control on the endpoint.

a Log on to the endpoint.

b Navigate to the http://www.webex.com/lp/jointest/ page.

c Enter the user name and email ID.

d Click Join Test.

You can install the ActiveX control on the endpoint.

Using Application Control queries

From the McAfee ePO console, you can run queries on the data stored in the McAfee ePO database to view the status of the endpoints.

Contents

Running a query

Receiving query results on email

Application Control queries

Running a query

Use this task to run a query.

Task

For option definitions, click ? in the interface.

1 Select Menu | Reporting.

2 Perform one of these actions:

• From the McAfee ePO 4.6 console, select Queries & Reports.

• From the McAfee ePO 4.5 console, select Queries.

3 Select the Application Control group under Shared Groups.

4 Review the queries in the list.

5 Navigate to the required query and click Run. Results for the selected query are displayed.

6 Click Close to return to the previous page.

Receiving query results on email

Use this task to receive results for a query via email.

Task

For option definitions, click ? in the interface.

1 Select Menu | Automation | Server Tasks.

2 Click Actions | New Task. The Server Task Builder wizard opens.

3 Type the task name and click Next.

4 Select Run Query from the Actions drop-down list.

5 Specify the query to run.

a Click the button next to the Query field. The Select a query from the list dialog box appears.

b Switch to the Shared Groups tab.

c Navigate to the Application Control group and select a query.

d Click OK.

6 Specify email details.

• From the McAfee ePO 4.6 console, click the button next to the Sub-Actions field, select Email File in the dialog box, and click OK.

• From the McAfee ePO 4.5 console, view the Sub-Actions drop-down list and select Email File.

7 Specify the recipient's email address and click Next. The Schedule page appears.

8 Specify the schedule for this task and click Next. The Summary page appears.

9 Review the task summary and click Save.

Application Control queries

The following Application Control queries are available from the McAfee ePO console.

Table 1: Application Control Queries (each query name is followed by its description)

Solidcore: Alerts
Displays all alerts generated in the last 3 months.

Solidcore: Application Control Agent Status
Displays the status of all endpoints with the Application Control license that are managed by the McAfee ePO console. The pie chart categorizes the information based on the client status. Click a segment to review endpoint information.

Solidcore: Attempted Violations Detected in the Last 24 Hours
Displays the attempted violation events detected during the last 24 hours. The line chart plots data on a per hour basis. Click a value on the chart to review event details.

Solidcore: Attempted Violations Detected in the Last 7 Days
Displays the attempted violation events detected during the last seven days. The line chart plots data on a per day basis. Click a value on the chart to review event details.

Solidcore: Non Compliant Solidcore Agents
Lists the endpoints that are currently non compliant. The list is sorted based on the reason for non-compliance. An endpoint can be non compliant if it:

• Is in Disabled, Observe, or Update mode

• Is operating in limited feature activation mode

• Has local command line interface (CLI) access recovered

Solidcore: Solidcore Agent Status Report
Displays the status of all endpoints managed by the McAfee ePO console. This report combines information for both the Application Control and Change Control licenses. The pie chart categorizes information based on the client status. Click a segment to review detailed information.

Solidcore: Solidcore Agent License Report
Indicates the number of Solidcore Agents that are managed by the McAfee ePO console. Information is categorized based on the license information and further sorted based on the operating system on the endpoint.

Solidcore: Policy Assignments By System
Lists the number of policies applied on the managed endpoints. Click a system to review information on the applied policies.

Solidcore: Summary Server Reboot Log - Rolling 30 Days
Displays the reboot log grouped by system name.

Solidcore: Top 10 Systems with Most Violations Detected in the Last 24 Hours
Displays the top 10 systems with the maximum number of violations in the last 24 hours. The chart includes a bar for each system and indicates the number of violations for each system. Click a bar on the chart to review detailed information.

Solidcore: Top 10 Systems with Most Violations Detected in the Last 7 Days
Displays the top 10 systems with the maximum number of violations in the last seven days. The chart includes a bar for each system and indicates the number of violations for each system. Click a bar on the chart to review detailed information.

Solidcore: Top 10 Users with Most Violations Detected in the Last 24 Hours
Displays the top 10 users with the most policy violation attempts in the last 24 hours. The chart includes a bar for each user and indicates the number of policy violation attempts for each user. The bar chart sorts the data in descending order. Click a bar on the chart to review detailed information.

Solidcore: Top 10 Users with Most Violations Detected in the Last 7 Days
Displays the top 10 users with the most policy violation attempts in the last seven days. The chart includes a bar for each user and indicates the number of policy violation attempts for each user. The bar chart sorts the data in descending order. Click a bar on the chart to review detailed information.

Performing common or routine tasks

This section describes the common or routine tasks you need to perform to complete the use cases discussed in this guide. Details specific to each use case are included in the tasks.

Contents

Creating a policy

Assigning the policy

Fetching the inventory

Uploading events

Viewing events

Creating a policy

Use this task to create an Application Control policy.

Task

For option definitions, click ? in the interface.

1 Select Menu | Policy | Policy Catalog.

2 Select the Solidcore 6.0.0: Application Control product.

3 Select the Application Control Rules (Windows) category. All policies for the selected category are listed.

4 Click Actions | New Policy. The Create New Policy dialog box appears.

5 Create a new policy based on the Blank Template policy.

6 Type the policy name and click OK. The Policy Settings page opens.

7 Define the rules to selectively apply or override the whitelisting or memory protection features.

To define an installer to allow software installation

1 Select the Installers tab and click Add. The Add Installer dialog box appears.

2 Search for and add the installer. In our example, we add the installer for the Google desktop search utility.

3 Click OK.

To define an updater to allow automatic updates on endpoints

1 Select the Updaters tab and click Add. The Add Updater dialog box appears.

2 Enter the location of the executable binary. In our example, specify the path to the Adobe 8.0 updater (C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe).

3 Specify an identification label for the updater. For example, if you specify Adobe Updater changes as the label, all changes made by the Adobe 8.0 updater are tagged with this label.

4 Click OK.

To ensure that all software released by a publisher runs

1 Select the Publishers tab and click Add. The Add Publisher dialog box appears.

2 Search for and add the certificate. In our example, we add the Adobe certificate.

3 Click OK.

To run software from a remote directory

1 Select the Trusted Directories tab and click Add. The Add Path dialog box appears.

2 Enter the location of the directory.

3 Select Include.

4 Select Make programs executed from this directory updaters.

5 Click OK.

To allow an administrator or user to install or update software

1 Select the Trusted Users tab and click Add. The Add User dialog box appears.

2 Enter the user details in domain\user syntax. If configured, you can import user details from an Active Directory. For more information about importing user details from an Active Directory, see the McAfee Application Control and Change Control Product Guide.

3 Specify an identification label for the trusted user. For example, if you specify John Doe's changes as the label, all changes made by John Doe are tagged with this label.

4 Click OK.

8 Click Save.

Assigning the policy

Use this task to assign the created policy to an endpoint.

Task

For option definitions, click ? in the interface.

1 Select Menu | Systems | System Tree | Assigned Policies.

2 Select the Solidcore 6.0.0: Application Control product and click Edit Assignments for the McAfee Default policy. The Policy Assignments page opens.

3 Click New Policy Instance to create a new policy instance.

4 Select the policy you created earlier from the Assigned Policy drop-down list.

5 Click Save.

6 Optionally, wake up the agent to send your policy to the endpoint immediately.

Fetching the inventory

Use this task to fetch the software inventory for an endpoint.

Task

For option definitions, click ? in the interface.

1 Select Menu | Systems | System Tree.

2 Complete these steps for the McAfee ePO 4.6 console:

a Perform one of these actions:

• To apply the client task to a group, select a group in the System Tree and switch to the Assigned Client Tasks tab.

• To apply the client task to an endpoint, select the endpoint on the Systems page and click Actions | Agent | Modify Tasks on a Single System.

b Click Actions | New Client Task Assignment. The Client Task Assignment Builder page displays.

c Select the Solidcore 6.0.0 product, SC: Pull Inventory task type, and click Create New Task. The Client Task Catalog page displays.

d Specify the task name and add any descriptive information.

3 Complete these steps for the McAfee ePO 4.5 console:

a Perform one of these actions:

• To apply the client task to a group, select a group in the System Tree and switch to the Client Tasks tab.

• To apply the client task to an endpoint, select the endpoint on the Systems page and click Actions | Agent | Modify Tasks on a Single System.

b Click Actions | New Task. The Client Task Builder page displays.

c Specify the task name and add any descriptive information.

d Select SC: Pull Inventory (Solidcore 6.0.0) and click Next. The Configuration page displays.

4 Click Save (McAfee ePO 4.6 only).

5 Click Next. The Schedule page displays.

6 Specify schedule details and click Next.

7 Review and verify the task details and click Save.

8 Optionally, wake up the agent to send your client task to the endpoint immediately.

Uploading events

Use this task to upload events from the endpoint to the McAfee ePO console.

Task

For option definitions, click ? in the interface.

1 Right-click the McAfee Agent icon in the system tray.

2 Select McAfee Agent | Status Monitor. The McAfee Status Monitor console appears.

3 Click Send Events.

Viewing events

Use this task to review the generated events.

Task

For option definitions, click ? in the interface.

1 Select Menu | Reporting | Solidcore Events.

2 Review the relevant events listed in the Event Display Name column. Locate the events generated for the protected file.

To allow automatic updates on endpoints
Review the events generated by the AdobeUpdater.exe process.

To verify that only authorized code can run
Review the Execution Denied event generated for the GoogleDesktopSetup.exe file.

To whitelist code files
Review the Execution Denied event generated for the execution of the unauthorized Java class file.

3 Click the row corresponding to the event to view details.

4 Click Close.
