McAfee Change Control and McAfee Application Control 6.1.2 Product Guide
For use with ePolicy Orchestrator 4.6.0 - 5.0.1 Software


COPYRIGHT
Copyright © 2013 McAfee, Inc. Do not copy without permission.

TRADEMARK ATTRIBUTIONS
McAfee, the McAfee logo, McAfee Active Protection, McAfee DeepSAFE, ePolicy Orchestrator, McAfee ePO, McAfee EMM, Foundscore, Foundstone, PolicyLab, McAfee QuickClean, Safe Eyes, McAfee SECURE, SecureOS, McAfee Shredder, SiteAdvisor, McAfee Stinger, McAfee Total Protection, TrustedSource, VirusScan, WaveSecure are trademarks or registered trademarks of McAfee, Inc. or its subsidiaries in the United States and other countries. Other names and brands may be claimed as the property of others.

Product and feature names and descriptions are subject to change without notice. Please visit mcafee.com for the most current products and features.

LICENSE INFORMATION

License Agreement
NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND.


Contents

Preface 7
  About this guide 7
    Audience 7
    Conventions 7
    What's in this guide 8
  Find product documentation 9

1 Introduction 11
  Application Control overview 11
  Change Control overview 12

2 Getting started with Change Control 15
  Change Control modes 15
  What are rule groups? 15
  Manage rule groups 16
    Create rule groups 16
    Import or export rule groups 17
    View assignments for a rule group 18
  Enable Change Control 18

3 Monitoring the file system and registry 21
  How monitoring rules work? 21
  How do I define monitoring rules? 24
    System variables 24
    Path considerations 24
    Monitoring rules 25
  Review predefined monitoring rules 26
  Create monitoring policies 27
  Manage content changes 28
    Content change tracking settings 28
    Configure settings for tracking content changes 29
    Track content changes 29
    Manage file versions 30
    Compare files 31
    Receive change details 32

4 Protecting the file system and registry 35
  How protection rules work? 35
  Defining protection rules 36
    System variables 36
    Path considerations 37
    Protection rules 37
  Create a protection policy 39
  Enable read protection 40

5 Monitoring and reporting 43
  Manage events 43
    Review events 43
    View content changes 44
    Exclude events 45
  Dashboards 45
  Queries 45
  View queries 48

6 Getting started with Application Control 49
  Application Control modes 50
  How do I manage protected endpoints? 51
    Authorizing files and programs 51
    Allowing changes to endpoints 52
  Design the trust model 53
  Memory-protection techniques 58
  What are rule groups? 60
  Manage rule groups 61
    Create a rule group 61
    Import or export a rule group 62
    View assignments for a rule group 62
  Manage certificates 62
    Add a certificate 63
    Assign a certificate 64
    Search for a certificate 64
    View assignments for a certificate 65
  Manage installers 65
    Add an installer 66
    Assign an installer 66
    Search for an installer 67
    View assignments for an installer 67

7 Deploying Application Control in Observe mode 69
  What are observations? 69
  Deploying in Observe mode 70
  Configure the feature 70
  Place endpoints in Observe mode 71
  Manage requests 73
    Review requests 73
    Process requests 74
    Review created rules 78
  Throttle observations 79
    Define the threshold value 79
    Review filter rules 80
    Manage accumulated requests 80
    Restart observation generation 80
  Exit Observe mode 80

8 Monitoring your protection 83
  Enable Application Control 83
  Review predefined rules 85
  Review events 86
  Define rules 87
    Create a policy 87
    Exclude events 88
    Define bypass rules 88
  ActiveX controls 89

9 Managing the inventory 91
  How the inventory is updated? 91
  Trust level and score 92
  Guidelines for fetching inventory 93
  Fetch the inventory 93
  Fetch McAfee GTI ratings for isolated McAfee ePO environments 94
    Export SHA1s of all binaries 95
    Run the Offline GTI tool 95
    Import the GTI result file 96
    Verify the import 97
  Review the inventory 97
  Manage the inventory 99
  Set the base image 100
  Compare the inventory 101
    Run the inventory comparison 101
    Review the comparison results 102

10 Managing approval requests 103
  What is Self Approval? 103
  Enable Self Approval on endpoints 104
  Configure the feature 105
  Review requests 106
  Process requests 107
    Allow by checksum on all endpoints 108
    Allow by publisher on all endpoints 108
    Ban by checksum on all endpoints 108
    Define custom rules for specific endpoints 109
    Allow by adding to whitelist for specific endpoints 110
    Delete requests 111
  Review created rules 111

11 Using dashboards and queries 113
  Dashboards 113
  Queries 113
  View queries 114

12 Maintaining your systems 117
  Make emergency changes 117
    Place the endpoints in Update mode 118
    Place the endpoints in Enabled mode 118
  Change the CLI password 119
  Collect debug information 119
  Place the endpoints in Disabled mode 120
  Send GTI feedback 121
  Purge data 122

13 Fine-tuning your configuration 125
  Configure a syslog server 125
  Solidcore permission sets 126
  Customize end-user notifications 127

A FAQs 129

B Change Control and Application Control events 133

Index 139


Preface

This guide provides the information you need to configure, use, and maintain your McAfee product.

Contents
• About this guide
• Find product documentation

About this guide
This information describes the guide's target audience, the typographical conventions and icons used in this guide, and how the guide is organized.

Audience
McAfee documentation is carefully researched and written for the target audience.

The information in this guide is intended primarily for:

• Administrators — People who implement and enforce the company's security program.

• Users — People who use the computer where the software is running and can access some or all of its features.

Conventions
This guide uses these typographical conventions and icons.

Book title, term, emphasis: Title of a book, chapter, or topic; a new term; emphasis.

Bold: Text that is strongly emphasized.

User input, code, message: Commands and other text that the user types; a code sample; a displayed message.

Interface text: Words from the product interface like options, menus, buttons, and dialog boxes.

Hypertext blue: A link to a topic or to an external website.

Note: Additional information, like an alternate method of accessing an option.

Tip: Suggestions and recommendations.

Important/Caution: Valuable advice to protect your computer system, software installation, network, business, or data.

Warning: Critical advice to prevent bodily harm when using a hardware product.


What's in this guide
This guide is organized to help you find the information you need.

This document is meant as a reference to use along with the Change Control, Application Control, and McAfee ePO interfaces. This document provides information on configuring and using the Change Control and Application Control products.

Each section below is marked with the product it applies to (Change Control, Application Control, or both).

• Introduction: Provides an overview of the Change Control and Application Control products. (Applies to: Change Control √, Application Control √)

• Getting started with Change Control: Details the various Change Control-related concepts, such as modes and rule groups, and describes how to enable the product. (Applies to: Change Control √, Application Control NA)

• Monitoring the file system and registry: Provides concepts and instructions to help you define rules to monitor files and registry entries for changes. (Applies to: Change Control √, Application Control NA)

• Protecting the file system and registry: Provides concepts and instructions to help you define rules to read-protect and write-protect files and registry entries. (Applies to: Change Control √, Application Control NA)

• Monitoring and reporting: Describes how to use events, dashboards, and queries to monitor the enterprise status when using the Change Control product. (Applies to: Change Control √, Application Control NA)

• Getting started with Application Control: Details the various Application Control-related concepts, such as modes, trust model, rule groups, installers, and publishers. (Applies to: Change Control NA, Application Control √)

• Deploying Application Control in Observe mode: Provides detailed instructions to help you place Application Control in the Observe mode to perform a dry run for the product. (Applies to: Change Control NA, Application Control √)

• Monitoring your protection: Describes how to enable Application Control and details routine tasks to perform when the product is running in Enabled mode. (Applies to: Change Control NA, Application Control √)

• Managing the inventory: Provides instructions to help you fetch, review, and manage the software inventory for protected endpoints. (Applies to: Change Control NA, Application Control √)

• Managing approval requests: Provides instructions to help you review, process, and manage approval requests received from the endpoints in the enterprise. (Applies to: Change Control NA, Application Control √)

• Using dashboards and queries: Describes how to use dashboards and queries to monitor the enterprise status when using the Application Control product. (Applies to: Change Control NA, Application Control √)

• Maintaining your systems: Details various tasks to help you maintain the protected endpoints. (Applies to: Change Control √, Application Control √)

• Fine-tuning your configuration: Describes advanced configuration tasks that help you fine-tune your configuration. (Applies to: Change Control √, Application Control √)

• FAQs: Provides answers to frequently asked questions. (Applies to: Change Control √, Application Control √)

• Change Control and Application Control events: Provides a detailed list of all Change Control and Application Control events. (Applies to: Change Control √, Application Control √)


Find product documentation
McAfee provides the information you need during each phase of product implementation, from installation to daily use and troubleshooting. After a product is released, information about the product is entered into the McAfee online KnowledgeBase.

Task
1 Go to the McAfee Technical Support ServicePortal at http://mysupport.mcafee.com.

2 Under Self Service, access the type of information you need:

• User documentation: click Product Documentation, select a product, then select a version, then select a product document.

• KnowledgeBase: click Search the KnowledgeBase for answers to your product questions, or click Browse the KnowledgeBase for articles listed by product and version.


1 Introduction

Get familiar with the Change Control and Application Control software and learn how they protect your environment.

Before you can configure and use McAfee® Change Control or McAfee® Application Control, you must:

• Make sure that McAfee ePolicy Orchestrator 5.0 or 4.6 is installed and running. For more information on installing McAfee ePO 5.0 or 4.6, see ePolicy Orchestrator 5.0 Installation Guide or ePolicy Orchestrator 4.6 Installation Guide, respectively.

• Make sure that Change Control or Application Control is installed and running. For more information on installation, see McAfee Change Control and Application Control Installation Guide.

• Make sure valid licenses are added for using Change Control and Application Control. For more information on adding licenses, see McAfee Change Control and Application Control Installation Guide.

Contents
• Application Control overview
• Change Control overview

Application Control overview
Today's IT departments face tremendous pressure to make sure that their endpoints comply with many different security policies, operating procedures, corporate IT standards, and regulations. Extending the viability of fixed function devices such as point-of-sale (POS) terminals, customer service terminals, and legacy Windows NT platforms has become critical.

Application Control uses dynamic whitelisting to make sure that only trusted applications run on devices, servers and desktops. This provides IT with the greatest degree of visibility and control over clients, and helps enforce software license compliance. Here are some product features.

• Protects your organization against malware attacks before they occur by proactively controlling the applications executing on your desktops, laptops, and servers.

• Locks down the protected endpoints against threats and unwanted changes, with no file system scanning or other periodic activity that could impact system performance.

• Augments traditional security solutions and enables IT to allow only approved system and application software to run. Blocks unauthorized or vulnerable applications that may compromise endpoints without imposing operational overhead. This makes sure that end-users cannot accidentally introduce software that poses a risk to the business.

• Uses dynamic whitelisting to make sure that only trusted applications run on devices, servers, and desktops. McAfee's dynamic whitelisting trust model eliminates the labor and cost associated with other whitelisting technologies, thereby reducing overhead and increasing continuity.


• Provides IT control over endpoints and helps enforce software license compliance. With Application Control, IT departments can eliminate unauthorized software on endpoints, while providing employees greater flexibility to use the resources they need to get their jobs done.

• Eliminates the need for IT administrators to manually maintain lists of approved applications. This enables IT departments to adopt a flexible approach where a repository of trusted applications can run on endpoints. This prevents execution of all unauthorized software scripts and dynamic link libraries (DLLs), and further defends against memory exploits.

• Works effectively when integrated with McAfee ePO and in standalone mode without network access. The product is designed to operate in a variety of network and firewall configurations.

• Runs transparently on endpoints. It can be set up quickly with very low initial and ongoing operational overhead and minimal impact on CPU cycles.

Change Control overview
Change Control allows you to monitor and prevent changes to the file system, registry, and user accounts. You can view details of who made changes, which files were changed, what changes were made to the files, and when and how the changes were made. You can write-protect critical files and registry keys from unauthorized tampering. You can read-protect sensitive files. To ease maintenance, you can define trusted programs or users to allow updates to protected files and registry keys.

In effect, a change is permitted only if the change is applied in accordance with the update policies. Using Change Control, you can perform these actions:

• Detect, track, and validate changes in real-time

• Gain visibility into ad-hoc changes

• Eliminate ad-hoc changes using protection rules

• Enforce approved change policies and compliance

Real-time monitoring

Change Control provides real-time monitoring for file and registry changes. Real-time monitoring eliminates the need to perform scan after scan on endpoints and identifies transient change violations, such as when a file is changed and restored to its earlier state. It captures every change, including the time of the change, who made the change, what program was used to make the change, and whether the change was made manually or by an authorized program. It maintains a comprehensive and up-to-date database (on McAfee ePO) that logs all attempts to modify files, registry keys, and local user accounts.

Customizable filters

You can use filters to make sure that only relevant changes make it to the database. You can define filters to match the file name, directory name, registry key, process name, file extension, and user name. Using the criteria, you can define two types of filters:

• Include filters to receive information on events matching the specified filtering criteria.

• Exclude filters to ignore information on events matching the specified filtering criteria.

Filtering events is needed to control the volume of change events. Typically, a number of changes are program-generated and need not be reported to the system administrator. If programmatic and automatic change activity is high, a large number of change events can overwhelm the system. Using filters makes sure that only relevant change events are recorded.
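As an added example (not McAfee code, and not the product's own filter implementation), the Python below models include and exclude filters over the six criteria listed above and runs them over a few constructed change events. Two things it does are assumptions rather than behaviour the guide specifies: an exclude match always wins over an include match (and with no include filters defined, every event is eligible), and a directory criterion covers everything below that directory, mirroring how protection rules are inherited by subdirectories.

```python
"""Include/exclude filtering of change events, modelled on the Change Control
filter criteria. Added example, not McAfee code.

Assumptions (not stated by the product guide):
  - an exclude match wins over an include match;
  - with no include filters, every event is eligible;
  - a directory criterion covers its subdirectories.
"""
from __future__ import annotations

import ntpath
from dataclasses import dataclass, field

# The criteria the guide lists: file name, directory name, registry key,
# process name, file extension, user name.
CRITERIA = ("file_name", "directory", "registry_key", "process", "extension", "user")


@dataclass
class ChangeEvent:
    path: str                 # file path or registry key reported by the agent
    process: str              # program that made the change
    user: str                 # account that made the change
    is_registry: bool = False


@dataclass
class Filter:
    kind: str                                   # "include" or "exclude"
    criteria: dict = field(default_factory=dict)

    def matches(self, ev: ChangeEvent) -> bool:
        """All criteria of one filter must match (AND). Comparison is
        case-insensitive, which is right for Windows paths and registry keys."""
        path = ev.path.lower()
        for key, want in self.criteria.items():
            if key not in CRITERIA:
                raise ValueError(f"unknown criterion {key!r}")
            want = want.lower()
            if key == "file_name":
                if ev.is_registry or ntpath.basename(path) != want:
                    return False
            elif key == "directory":
                prefix = want.rstrip("\\") + "\\"
                if ev.is_registry or not path.startswith(prefix):
                    return False
            elif key == "registry_key":
                k = want.rstrip("\\")
                if not ev.is_registry or not (path == k or path.startswith(k + "\\")):
                    return False
            elif key == "process":
                if ev.process.lower() != want:
                    return False
            elif key == "extension":
                if ev.is_registry or not path.endswith("." + want.lstrip(".")):
                    return False
            elif key == "user":
                if ev.user.lower() != want:
                    return False
        return True


def should_record(ev: ChangeEvent, filters: list[Filter]) -> bool:
    """Decide whether an event reaches the database."""
    if any(f.matches(ev) for f in filters if f.kind == "exclude"):
        return False
    includes = [f for f in filters if f.kind == "include"]
    return not includes or any(f.matches(ev) for f in includes)


# Constructed sample events (not real agent output).
SAMPLE_EVENTS = [
    ChangeEvent(r"C:\Windows\System32\drivers\etc\hosts", "notepad.exe", "CORP\\jdoe"),
    ChangeEvent(r"C:\Windows\Temp\tmp1234.tmp", "svchost.exe", "NT AUTHORITY\\SYSTEM"),
    ChangeEvent(r"C:\Windows\System32\drivers\etc\hosts", "msiexec.exe", "NT AUTHORITY\\SYSTEM"),
    ChangeEvent(r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater", "reg.exe",
                "CORP\\jdoe", is_registry=True),
    ChangeEvent(r"C:\Users\jdoe\Documents\notes.txt", "winword.exe", "CORP\\jdoe"),
]

# Record changes under System32 and the Run key; drop installer noise and temp files.
SAMPLE_FILTERS = [
    Filter("include", {"directory": r"C:\Windows\System32"}),
    Filter("include", {"registry_key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"}),
    Filter("exclude", {"process": "msiexec.exe"}),
    Filter("exclude", {"extension": "tmp"}),
]


def recorded_events(events=SAMPLE_EVENTS, filters=SAMPLE_FILTERS) -> list[ChangeEvent]:
    return [ev for ev in events if should_record(ev, filters)]


if __name__ == "__main__":
    for ev in recorded_events():
        print(f"RECORD {ev.path}  by {ev.user} via {ev.process}")
```

With the sample filters only the notepad edit of hosts and the Run-key change are recorded; the msiexec write to hosts matches the System32 include but is dropped because the process exclude takes precedence. That precedence is the point to check against your own deployment before relying on an exclude to cut volume.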


Read protection

Read-protection rules prevent users from reading the content of specified files, directories, and volumes. If a directory or volume is read-protected, all files in the directory or volume are read-protected. Once defined, read-protection rules are inherited by subdirectories. You cannot read-protect registry keys.

By default, read protection is disabled.

Write protection

Use write-protection rules to prevent users from creating new files (including directories and registry keys) and modifying existing files, directories, and registry keys. Write-protecting a file or registry key renders it read-only and protects it from unanticipated updates. These actions are prevented for a write-protected file or registry key:

• Delete

• Rename

• Create hard links

• Modify contents

• Append

• Truncate

• Change owner

• Create Alternate Data Stream (Microsoft Windows only)
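To confirm that a write-protection rule actually holds on an endpoint, the added Python probe below attempts the operations in the list above (except change owner, which needs a second account to be meaningful) against a path and reports which were denied. It is not McAfee code. It assumes a denied operation surfaces as an OSError (on Windows, "Access is denied"), and the alternate-data-stream step only runs on Windows. Run it against a protected file while the endpoint is in Enabled mode, then again in Update mode, and compare the two result sets; point it only at a file you can afford to lose, because if the rule is not in effect the final step deletes it.

```python
"""Probe which write operations are denied on a path. Added example, not McAfee code.

Assumption: an operation blocked by a write-protection rule raises OSError
(PermissionError / "Access is denied").
"""
import os
import sys
import tempfile

OPERATIONS = ("modify contents", "append", "truncate", "create hard link",
              "rename", "create alternate data stream", "delete")


def _attempt(fn) -> str:
    """Run one operation and classify the outcome."""
    try:
        fn()
        return "allowed"
    except OSError:
        return "blocked"


def probe_write_protection(path: str) -> dict:
    """Try each operation in an order that keeps the file in place until the
    final delete. Returns {operation: 'allowed' | 'blocked' | 'skipped'}."""
    link = path + ".hardlink"
    renamed = path + ".renamed"

    def modify():
        with open(path, "r+b") as f:
            f.seek(0)
            f.write(b"X")

    def append():
        with open(path, "ab") as f:
            f.write(b"probe\n")

    def truncate():
        with open(path, "r+b") as f:
            f.truncate(1)

    def hard_link():
        os.link(path, link)          # the protected action
        try:
            os.remove(link)          # cleanup; a leftover link is tolerable for a probe
        except OSError:
            pass

    def rename():
        os.rename(path, renamed)
        os.rename(renamed, path)     # restore the name so the delete step targets it

    def ads():                       # NTFS alternate data stream, Windows only
        with open(path + ":probe", "wb") as f:
            f.write(b"ads")

    def delete():
        os.remove(path)

    results = {}
    results["modify contents"] = _attempt(modify)
    results["append"] = _attempt(append)
    results["truncate"] = _attempt(truncate)
    results["create hard link"] = _attempt(hard_link)
    results["rename"] = _attempt(rename)
    results["create alternate data stream"] = _attempt(ads) if os.name == "nt" else "skipped"
    results["delete"] = _attempt(delete)
    return results


def probe_temp_file() -> dict:
    """Sanity run on an unprotected temporary file (constructed input): every
    probed operation should come back 'allowed'."""
    fd, path = tempfile.mkstemp(prefix="cc-probe-")
    os.write(fd, b"hello\n")
    os.close(fd)
    return probe_write_protection(path)


if __name__ == "__main__":
    # Usage: python probe.py <protected-file>   (no argument: temp-file sanity run)
    results = probe_write_protection(sys.argv[1]) if len(sys.argv) > 1 else probe_temp_file()
    for op in OPERATIONS:
        print(f"{op:30s} {results[op]}")
```

A result where some operations come back "allowed" on a file you believe is protected usually means the rule path does not match the file as the agent sees it (wrong system variable, a symlinked or junctioned parent) or that a trusted updater is in effect for the probing process, both of which the later chapters on path considerations and update policies cover.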


2 Getting started with Change Control

Before you begin using Change Control, get familiar with it and understand related concepts.

Contents
• Change Control modes
• What are rule groups?
• Manage rule groups
• Enable Change Control

Change Control modes
At any time, Change Control can operate in one of these modes.

Enabled: Indicates that the software is in effect and changes are monitored and controlled on the endpoints as per the defined policies. When in Enabled mode, Change Control monitors and protects files and registry keys as defined by the configured policies. Enabled mode is the recommended mode of operation.

From the Enabled mode, you can switch to the Disabled or Update mode.

Update: Indicates that the software is in effect, allows ad-hoc changes to the endpoints, and tracks the changes made to the endpoints. Use the Update mode to perform scheduled or emergency changes, such as software and patch installations.

In the Enabled mode, you cannot read the read-protected files or modify any write-protected files (as per the defined policies). However, in the Update mode, all read and write protection that is in effect is overridden. Use the Update mode to define a change window during which you can make changes to endpoints and authorize the made changes.

From the Update mode, you can switch to the Enabled or Disabled mode. We recommend that you switch to the Enabled mode as soon as the changes are complete.

Disabled: Indicates that the software is not in effect. Although the software is installed, the associated features are not active. When you place the endpoints in Disabled mode, the application restarts the endpoints.

From the Disabled mode, you can switch to the Enabled or Update mode.

What are rule groups?
A rule group is a collection of rules. Although you can directly add rules to any McAfee ePO-based policy, the rules defined within a policy are specific to that policy. In contrast, a rule group is an independent unit that collates a set of similar or related rules.

After you define a rule group, you can reuse the rules within the rule group by associating the rule group with different policies. Also, if you need to modify a rule, simply update the rule in the rule group and the change cascades across all associated policies automatically.


Change Control provides predefined rule groups to monitor commonly-used applications. Although youcannot edit the predefined rule groups, you can use an existing rule group as a starting point todevelop your rule groups. You can create a copy of an existing rule group and edit it to add more rulesor create a new rule group. If needed, you can also import or export rule groups.

If you need to define similar rules across policies, using rule groups can drastically reduce the effortrequired to define rules. If you have a large setup and are deploying the software across numerousendpoints, we recommend you use rule groups to minimize the deployment time and effort.

Consider an example. An organization runs Oracle on multiple servers. Each of these servers is used by the HR, Engineering, and Finance departments for different purposes. To reduce rule redundancy, we define these rule groups with Oracle-specific rules.

• An Integrity Monitor rule group (named IM-Oracle) containing rules to monitor and track configuration files and registry keys (to help audit critical changes to Oracle configuration)

• A Change Control rule group (named CC-Oracle) containing rules to protect critical files for Oracle (to prevent unauthorized changes)

After the rule groups are defined, we can reuse these rule groups across policies for the HR, Engineering, and Finance departments. So, when defining policies for the HR Servers, add the IM-Oracle rule group to a monitoring (Integrity Monitor) policy and the CC-Oracle rule group to a protection (Change Control) policy along with rule groups for the other applications installed on the HR server. Similarly, add the IM-Oracle and CC-Oracle rule groups to the relevant policies for the Engg Servers and Fin Servers. After defining the policies, if you realize that the rule for a critical file was not created, directly update the rule group and all the policies will be updated automatically.

Manage rule groups

Create and manage rule groups to export the rule group configuration from the source to the target McAfee ePO server.

Tasks

• Create rule groups on page 16
Create a rule group to specify the required rules.

• Import or export rule groups on page 17
If you need to replicate rule group configuration from one McAfee ePO server to another, export the rule group configuration from the (source) McAfee ePO server to an XML file and import the XML file to the (target) McAfee ePO server.

• View assignments for a rule group on page 18
Instead of navigating through all the created policies, you can directly view all the policies in which a rule group is being used. This feature provides a convenient way to verify if each rule group is assigned to the relevant policies.

Create rule groups

Create a rule group to specify the required rules.


Task

For option definitions, click ? in the interface.

1 On the McAfee ePO console, select Menu | Configuration | Solidcore Rules.

2 Perform one of these steps from the Rule Groups tab.

• Select Integrity Monitor to view or define a rule group for monitoring changes performed on critical resources.

• Select Change Control to view or define a rule group for preventing unauthorized changes on critical resources.

You can use an existing rule group as a starting point or define a new rule group from scratch. To modify and edit an existing rule group, complete steps 3, 5, 6, and 7. To define a new rule group, complete steps 4, 5, 6, and 7.

3 Create a rule group based on an existing rule group.

a Click Duplicate for an existing rule group.

The Duplicate Rule Group dialog box appears.

b Specify the rule group name, then click OK.

The rule group is created and listed on the Rule Groups page.

4 Define a new rule group.

a Click Add Rule Group to open the Add Rule Group dialog box.

b Specify the rule group name.

c Select the rule group type and platform.

d Click OK.

The rule group is created and listed on the Rule Groups page.

5 Click Edit for the rule group.

6 Specify the required rules.

For information on how to define rules, see How do I define monitoring rules? and Defining protection rules.

7 Click Save Rule Group.

Import or export rule groups

If you need to replicate rule group configuration from one McAfee ePO server to another, export the rule group configuration from the (source) McAfee ePO server to an XML file and import the XML file to the (target) McAfee ePO server.

You can also export rule groups into an XML file, edit the XML file to make the required changes to rule groups, and import the file to the McAfee ePO server to use the changed rule groups.

When importing or exporting rule groups containing Trusted Groups, make sure the Active Directory server on the source McAfee ePO server and destination McAfee ePO server are configured using the same domain name or server name (or IP address).


Task

For option definitions, click ? in the interface.

1 On the McAfee ePO console, select Menu | Configuration | Solidcore Rules.

2 Complete one of these tasks from the Rule Groups tab.

• To import rule groups, click Import, browse and select the rule groups file, then click OK. While importing, you can specify whether to override rule groups (if you are importing a rule group with the same name as an existing rule group).

• To export selected rule groups to an XML file, select the rule groups, click Export, and save the file.

View assignments for a rule group

Instead of navigating through all the created policies, you can directly view all the policies in which a rule group is being used. This feature provides a convenient way to verify if each rule group is assigned to the relevant policies.

Task

For option definitions, click ? in the interface.

1 On the McAfee ePO console, select Menu | Configuration | Solidcore Rules.

2 On the Rule Groups tab, click Assignments to view the policies to which the selected rule group is assigned.

Enable Change Control

Enable the Change Control software to monitor and control the changes on the endpoints as per the defined policies.

Task

For option definitions, click ? in the interface.

1 On the McAfee ePO console, select Menu | Systems | System Tree.

2 Perform one of these actions.

• To apply the client task to a group, select a group in the System Tree and switch to the Assigned Client Tasks tab.

• To apply the client task to an endpoint, select the endpoint on the Systems page, then click Actions | Agent | Modify Tasks on a Single System.

3 Click Actions | New Client Task Assignment to open the Client Task Assignment Builder page.

4 Select Solidcore 6.1.2 | SC: Enable, then click Create New Task to open the Client Task Catalog page.

5 Specify the task name and add any descriptive information.

6 Select these fields.

a Select the platform.

b Select the subplatform (only for the Windows and Unix platforms).


c Select the version (only for the All except NT/2000 subplatform).

d Make sure that the Change Control option is selected.

7 Complete these steps to enable Change Control.

Solidcore client version: 5.1.5 or earlier (Windows), 6.0.1 or earlier (UNIX)
Steps: Select Force Reboot with the task to restart the endpoint. Restarting the system is necessary to enable the software.
On the Windows platforms, a pop-up message is displayed at the endpoint 5 minutes before the endpoint is restarted. This allows the user to save work and data on the endpoint.
On UNIX platforms, the endpoint is restarted as soon as the task is applied.

Solidcore client version: 6.0.0 or later (Windows)
Steps: No configuration is needed.

Solidcore client version: 6.1.0 or later (UNIX)
Steps: Deselect Force Reboot with the task. When using Solidcore client version 6.1.0 or later, restarting the system is not necessary to enable the software.

8 Click Save.

9 Click Next to open the Schedule page.

10 Specify scheduling details, then click Next.

11 Review and verify the task details, then click Save.

12 Optionally, wake up the agent to send your client task to the endpoint immediately.


3 Monitoring the file system and registry

Change Control allows you to designate a set of files and registry entries to monitor for changes.

You can also choose to track attribute and content changes for monitored files. You need to define rules to specify the files and registry keys to monitor and specifically enable the user account tracking feature (which is disabled by default) to track user activity for relevant endpoints.

Contents
How monitoring rules work?
How do I define monitoring rules?
Review predefined monitoring rules
Create monitoring policies
Manage content changes

How monitoring rules work?

Using rules, you can monitor files, directories, registry keys, file types (based on file extension), programs, and users.

What you can monitor?

These operations are tracked for a monitored file, registry key, and user account.


Element: File
Tracked operations:
• File creation
• File modification (file contents and attributes, such as permissions or owner)
• File deletion
• File rename
• Alternate Data Stream creation
• Alternate Data Stream modification (contents and attributes, such as permissions or owner)
• Alternate Data Stream deletion
• Alternate Data Stream rename

Element: Registry key
Tracked operations:
• Registry key creation
• Registry key modification
• Registry key deletion

Element: User account
Tracked operations:
• User account creation
• User account modification
• User account deletion
• User log on (success and failure)
• User log off

User account tracking is disabled by default. You must enable this feature to track operations for user accounts. To enable this feature, execute the SC: Run Commands client task to run the sadmin features enable mon-uat command on the endpoint.

Are any predefined rules available?

Yes, Change Control includes predefined monitoring rules. For detailed information, see Review predefined monitoring rules.

Does an order of precedence exist for monitoring rules?

Use the table to understand the order of precedence applied (highest to lowest) when processing monitoring rules.

Table 3-1 Order of precedence for monitoring rules

1. Advanced exclusion filters (AEF) rules have the highest precedence.
For more information on AEF rules, see What are advanced exclusion filters or rules (AEFs)?.

2. Exclude rules are given precedence over include rules.
For example, if you erroneously define an include and exclude rule for the same file, the exclude rule applies.

3. Rules based on user name have precedence over all other rule types except AEF rules.
The user name specified in the rule is compared with the user name referenced in the event.

4. Rules based on program name have precedence over rules based on file extension, file name, directory name, or registry key.
The program name specified in the rule is compared with the program name referenced in the event.


5. Rules based on file extension have precedence over rules based on file or directory name (or path).
The file extension specified in the rule is compared with the file extension referenced in the event. For example, if C:\Program Files\Oracle is excluded from monitoring (by a file-based rule) and the .ora extension is included for monitoring, events will be generated for files with the .ora extension, such as listener.ora and tnsnames.ora.

6. Rules based on file names or paths have precedence over rules based on directory name. In effect, longer paths take precedence for name-based rules.
The specified path is compared with the path referenced in the event. Paths (for files or directories) are compared from the beginning. Consider these examples.

Windows platform: If the C:\temp directory is excluded, and the C:\temp\foo.cfg file is included, the changes to the foo.cfg file are tracked. Similarly, if you exclude the HKEY_LOCAL_MACHINE key and include the HKEY_LOCAL_MACHINE\System key, the changes to the HKEY_LOCAL_MACHINE\System key are tracked.

UNIX platform: If the /usr/dir1/dir2 directory is included and the /usr/dir1 directory is excluded, all operations for the files in the /usr/dir1/dir2 directory are monitored because the /usr/dir1/dir2 path is longer and hence takes precedence.

In the aforementioned order of precedence, all rules (except #5) apply to registry key rules also.

What are advanced exclusion filters or rules (AEFs)?

You can define advanced filters to exclude changes by using a combination of conditions. For example, you might want to monitor changes made to the tomcat.log file by all programs except the tomcat.exe program. To achieve this, define an advanced filter to exclude all changes made to the log file by its owner program. This will make sure you only receive events when the log file is changed by other (non-owner) programs. In this case, the defined filter will be similar to Exclude all events where filename is <log-file> and program name is <owner-program>.

Use AEFs to prune routine system-generated change events that are not relevant for your monitoring or auditing needs. Several applications, particularly the web browser, maintain the application state in registry keys and routinely update several registry keys. For example, the ESENT setting is routinely modified by the Windows Explorer application and it generates the Registry Key Modified event. These state changes are routine and need not be monitored and reported upon. Defining AEFs allows you to eliminate any events that are not required for fulfilling compliance requirements and makes sure the event list includes only meaningful notifications.


How do I define monitoring rules?

Regardless of whether you create a new monitoring policy or define a monitoring rule group, the framework available to define monitoring rules is the same.

System variables

The path specified in a monitoring rule can include system environment variables (only on the Windows platform). This table lists the supported system variables.

Variable: Example value (for most Windows platforms)

%ALLUSERSPROFILE%: C:\Documents and Settings\All Users
%APPDATA%: C:\Documents and Settings\{username}\Application
%COMMONPROGRAMFILES%: C:\Program Files\Common Files
%COMMONPROGRAMFILES (x86)%: C:\Program Files (x86)\Common Files
%HOMEDRIVE%: C:
%HOMEPATH%: C:\Documents and Settings\{username} (\ on earlier Windows versions)
%PROGRAMFILES%: C:\Program Files
%PROGRAMFILES (x86)%: C:\Program Files (x86) (only for 64-bit versions)
%SYSTEMDRIVE%: C:
%SYSTEMROOT%: C:\windows (C:\WINNT on earlier Windows versions)
%TEMP% (system), %tmp% (user): C:\Documents and Settings\{username}\Local Settings\Temp, C:\Temp
%USERPROFILE%: C:\Documents and Settings\{username} (C:\WINNT\profiles\{username} for earlier versions)
%WINDIR%: C:\Windows

Path considerations

These considerations apply to path-based rules.

• Path should be absolute when specifying rules to monitor files and directories.

• Path is not required to be absolute when specifying rules to monitor program activity. For example, you can specify the partial path, such as AcroRd32.exe or Reader\AcroRd32.exe, or the fully qualified path, such as C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32.exe. If you specify the partial path, all programs with names that match the specified string are monitored. If you specify the fully qualified path, activity is monitored for only the specified program.

• Paths can contain white spaces.


• Paths can include the wildcard character (*). However, it can only represent one complete path component. Here are a few examples.

Windows platform: Using \abc\*\def is allowed while \abc\*.doc, \abc\*.*, or \abc\doc.* is not supported.

UNIX platform: Using /abc/*/def is allowed while /abc/*.sh, /abc/*.*, or /abc/doc.* is not supported.

You cannot use the wildcard character while defining a rule to track content and attribute changes for a file.

• Paths used in registry key-based rules can include the wildcard character (*). However, the wildcard character can only represent one path component in the registry path. Make sure that you do not use the character for the component at the end of the complete registry path (if used at the end, the rule will not be effective).

Also, at any time, the CurrentControlSet in the Windows Registry is linked to the relevant HKEY_LOCAL_MACHINE\SYSTEM\ControlSetXXX key. For example, HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet can be linked to the HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001 key. When a change is made to either link, it is automatically updated on both the links. For a monitored key, events are always reported with the path of CurrentControlSet and not ControlSetXXX.
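The precedence order in Table 3-1 and the path and wildcard considerations above, worked through as an added example; this is illustrative code written for this guide, not McAfee code, and the rule set, event fields, account names and file names it uses are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Added illustration (not McAfee code): resolves a change event against monitoring
# rules in the precedence order this guide documents: advanced exclusion filter >
# user > program > extension > longest matching path, with an exclude rule beating
# an include rule of the same type. All rules, events and names are constructed.

@dataclass
class Event:
    path: str                 # file path or registry key touched by the change
    user: str                 # account that made the change
    program: str              # full path of the program that made the change
    is_registry: bool = False

@dataclass
class Rule:
    kind: str                 # 'user' | 'program' | 'extension' | 'path' (file, dir or key)
    value: str
    include: bool             # True = include for monitoring, False = exclude

AEF = Dict[str, str]          # advanced exclusion filter: all conditions must hold (AND)
TYPE_RANK = {"user": 0, "program": 1, "extension": 2, "path": 3}

def norm(s: str) -> str:
    return s.replace("\\", "/").lower()

def components(path: str) -> List[str]:
    return [c for c in norm(path).split("/") if c]

def is_valid_wildcard(pattern: str, registry: bool = False) -> bool:
    """'*' may only stand for one complete component (\\abc\\*\\def is allowed,
    \\abc\\*.doc is not); in a registry path it must not be the last component."""
    comps = components(pattern)
    if any("*" in c and c != "*" for c in comps):
        return False
    return not (registry and comps and comps[-1] == "*")

def path_matches(rule_path: str, event_path: str) -> bool:
    """Paths are compared from the beginning, one complete component at a time."""
    pat, comps = components(rule_path), components(event_path)
    return len(pat) <= len(comps) and all(p in ("*", c) for p, c in zip(pat, comps))

def rule_matches(rule: Rule, ev: Event) -> bool:
    if rule.kind == "user":
        return norm(rule.value) == norm(ev.user)
    if rule.kind == "program":
        # a partial path (AcroRd32.exe, Reader\AcroRd32.exe) matches every program
        # whose path ends with it; a fully qualified path matches only that program
        prog, val = norm(ev.program), norm(rule.value)
        return prog == val or prog.endswith("/" + val)
    if rule.kind == "extension":  # extension rules do not apply to registry keys
        return not ev.is_registry and norm(ev.path).endswith("." + norm(rule.value))
    return path_matches(rule.value, ev.path)

def is_reported(ev: Event, rules: List[Rule], aefs: List[AEF]) -> Tuple[bool, str]:
    """Returns (is the event reported?, what decided it)."""
    for f in aefs:                                   # 1. AEFs have the highest precedence
        if all(norm(getattr(ev, k)) == norm(v) for k, v in f.items()):
            return False, "advanced exclusion filter"
    matched = [r for r in rules if rule_matches(r, ev)]
    if not matched:
        return False, "no matching rule"
    best = min(TYPE_RANK[r.kind] for r in matched)   # 3-5. user > program > extension > path
    top = [r for r in matched if TYPE_RANK[r.kind] == best]
    if top[0].kind == "path":                         # 6. the longer path takes precedence
        longest = max(len(components(r.value)) for r in top)
        top = [r for r in top if len(components(r.value)) == longest]
    if any(not r.include for r in top):               # 2. exclude beats include
        return False, f"{top[0].kind} exclude rule"
    return True, f"{top[0].kind} include rule"

# Constructed rule set reproducing the guide's Oracle, C:\temp, /usr/dir1, registry,
# wildcard and tomcat.log examples; nothing here comes from a real endpoint.
RULES = [
    Rule("path", r"C:\Program Files\Oracle", include=False),
    Rule("extension", "ora", include=True),
    Rule("path", r"C:\temp", include=False),
    Rule("path", r"C:\temp\foo.cfg", include=True),
    Rule("path", "/usr/dir1", include=False),
    Rule("path", "/usr/dir1/dir2", include=True),
    Rule("path", r"HKEY_LOCAL_MACHINE", include=False),
    Rule("path", r"HKEY_LOCAL_MACHINE\System", include=True),
    Rule("path", r"C:\abc\*\def", include=True),
    Rule("path", r"C:\tomcat\logs\tomcat.log", include=True),
    Rule("user", "backupsvc", include=False),
]
AEFS = [{"path": r"C:\tomcat\logs\tomcat.log", "program": r"C:\tomcat\bin\tomcat.exe"}]

def check(path: str, user: str = "alice", program: str = r"C:\Windows\notepad.exe",
          registry: bool = False) -> bool:
    """Would a change to `path` by `user` via `program` be reported under RULES/AEFS?"""
    return is_reported(Event(path, user, program, registry), RULES, AEFS)[0]
```

Running check() on the guide's own cases (tnsnames.ora under the excluded Oracle directory, foo.cfg under the excluded C:\temp, a tomcat.log change by tomcat.exe versus another program) reproduces the outcomes the table describes.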

Monitoring rules

Use this table to define monitoring rules. You can perform these actions when creating or modifying a monitoring (Integrity Monitor) policy or rule group.

Action: Monitor files and directories
Steps:

1 Click Add on the File tab. The Add File dialog box appears.

2 Specify the file or directory name.

3 Indicate whether to include for or exclude from monitoring.

4 Optionally, to track content and attribute changes for a file, select Enable content change tracking and specify the other options. For more information, see Track content changes.

5 Click OK.

Action: Monitor registry keys (Windows platform only)
Steps:

1 Click Add on the Registry tab. The Add Registry dialog box appears.

2 Specify the registry key.

3 Indicate whether to include for or exclude from monitoring and click OK.

Action: Monitor specific file types
Steps:

1 Click Add on the Extension tab. The Add Extension dialog box appears.

2 Type the file extension. Do not include the period (dot) in the extension. For example, log.

3 Indicate whether to include for or exclude from monitoring and click OK.

Action: Monitor program activity (in effect, choose to track or not track all file or registry changes made by a program)
Steps:

1 Click Add on the Program tab. The Add Program dialog box appears.

2 Enter the name or full path of the program.

3 Indicate whether to include for or exclude from monitoring and click OK. We recommend that you exclude background processes, such as the lsass.exe process.


Action: Specify the users to exclude from monitoring (in effect, all changes made by the specified user are not tracked)
Steps:

1 Click Add on the User tab. The Add User dialog box appears.

2 Specify the user name using these considerations:

• Spaces in user names should be specified within quotes.

• Domain name can be a part of the user name on the Windows platform. If the domain name is not specified, the user name is excluded from monitoring for all domains.

• Exclude all users in a particular domain (on the Windows platform) by using MY-DOMAIN\* or *@MY-DOMAIN.

3 Click OK.

Action: Specify advanced exclusion filters for events
Steps:

1 Click Add Rule on the Filters tab. A new filter row appears. You can create filters based on files, events, programs, registry keys, and users.

2 Edit the settings to specify the filter.

3 Click + or Add Rule to specify additional AND or OR conditions, respectively.

You can also define AEFs from the Events page. For more information, see Exclude events.

Review predefined monitoring rules

Change Control provides multiple predefined filters suitable for monitoring relevant files on various operating systems. By default, these filters are applied to the global root in the system tree and hence are inherited by all McAfee ePO-managed endpoints on which Change Control is installed. As soon as an endpoint connects to the McAfee ePO server, the Minimal System Monitoring policy applicable to the endpoint's operating system comes into play.

You can review the predefined filters included in the Minimal System Monitoring policy (applicable to your operating system).

Task

For option definitions, click ? in the interface.

1 On the McAfee ePO console, select Menu | Policy | Policy Catalog.

2 Select the Solidcore 6.1.2: Integrity Monitor product.

All policies for all categories are listed. A Minimal System Monitoring policy exists for each supported operating system.

3 Open the relevant Minimal System Monitoring policy.

By default, the My Rules rule group is open (which is blank).

4 Select a rule group in the Rule Groups pane to review the filters included in the rule group.

To override any rules included in the Minimal System Monitoring policy, you can duplicate the relevant rule group (in which the required rules are present), edit the rule group to add the new rules, and add the rule group to a policy. For most other purposes, make sure that the Minimal System Monitoring policy is applied on the endpoints and additional rules are applied by using a separate policy.

5 Click Cancel.


Create monitoring policies

Using a monitoring policy, you can choose to monitor changes or exclude from monitoring various units of a file system and registry. You can control monitoring of files, directories, registry keys, file types (based on file extension), programs, and users. These are multi-slot policies; you can assign multiple policies to a single node in the system tree.

To create a monitoring policy, you can either define rules in a rule group (to allow reuse of rules) andadd the rule group to a policy or define the rules directly in a policy.

Task

For option definitions, click ? in the interface.

1 On the McAfee ePO console, select Menu | Policy | Policy Catalog.

2 Select the Solidcore 6.1.2: Integrity Monitor product.

3 Click Actions | New Policy to open the New Policy dialog box.

4 Select the category.

5 Select the policy you want to duplicate from Create a policy based on this existing policy list.

6 Specify the policy name, then click OK.

7 Click on the policy name to open the Policy Settings page.

You can now define the rules to include in the policy. You can either add existing rule groups to thepolicy or directly add the new rules to the policy.

• To use a rule group, complete steps 8 and 10. For more information on how to create a rule group, see Create rule groups.

• To directly add the rules to the policy, complete steps 9 and 10.

8 Add a rule group to the policy.

a Click Add in the Rule Groups pane to open the Select Rule Groups dialog box.

b Select the rule group to add.

c Click OK.

d Select the rule group in the Rule Groups pane.

The rules included in the rule group are displayed in the various tabs.

e Review the rules.

9 Add the monitoring rules to the policy.

For information on how to define rules, see How do I define monitoring rules?.

10 Save the policy.


Manage content changes

Using Change Control, you can track content and attribute changes for a single monitored file or for all files in a directory and its subdirectories.

If you enable content change tracking for a specific file: Any attribute or content change to the file creates a new file version at the McAfee ePO server.

If you enable content change tracking for a directory: Any attribute or content change to the files present in the directory creates new versions of the files at the McAfee ePO server.

You can view and compare the different versions that are created for a file. Also, you can compare any two files or file versions that exist on the same or different endpoints. To send an email whenever a critical file is modified (the email highlights the exact changes made to the file), configure an Automatic Response. Alternatively, you can schedule generation of a report to get an overview of the changes made to the tracked files in your setup.

Tasks

• Content change tracking settings on page 28
You can configure these settings for tracking content changes.

• Configure settings for tracking content changes on page 29
Specify the maximum file size for tracking content changes, file extensions for which to track only attributes, and maximum number of files to fetch per rule.

• Track content changes on page 29
When you create or modify a monitoring (Integrity Monitor) policy or rule group, you can specify the files for which to track content changes.

• Manage file versions on page 30
Review all versions available for a file, compare file versions, reset the base version, and delete versions.

• Compare files on page 31
Compare two files or two versions of a single file. You can compare files or versions on the same endpoint or on different endpoints.

• Receive change details on page 32
You can receive notifications and reports based on the changes made to the files in your setup.

Content change tracking settings

You can configure these settings for tracking content changes.

Setting: Maximum file size
By default, you can track changes for any file with a size of 1000 KB or lower. If needed, you can configure the maximum file size for tracking content changes.
Modifying the maximum file size will affect the McAfee ePO database sizing requirements and may impact performance.

Setting: File extensions for which to track only attribute changes
For binary files, only attributes are tracked by the content change tracking feature (content changes are not tracked). This is because maintaining the content difference for files with non-displayable contents unnecessarily uses database space and McAfee ePO resources. By default, only attribute changes are tracked for these extensions:


• zip
• tar
• bmp
• gz
• 7z
• bz
• pdf
• tgz
• rar
• bz2
• tiff
• jpg
• sys
• exe
• png
• gif
• jar
• dll

You can edit the list to specify file extensions specific to your setup for which to track only attribute changes.

Setting: Maximum number of files to retrieve per rule
When you apply the content change tracking rule on a directory, base versions of all files in the directory that match the specified include or exclude patterns, if any, are collected and sent to the McAfee ePO server. These base versions are used to track content changes and allow comparison with future versions of the files. If the number of qualifying files for a single rule is too high, operational performance of the endpoint and occasionally of the McAfee ePO server can deteriorate. To prevent such disruptions, you can specify a value to control the maximum files to retrieve per rule. This limit applies to the number of qualifying files in the directory (that match the include and exclude patterns and recursive and non-recursive options) and not to the total number of files in the directory. If the number of qualifying files for a specified rule exceeds the set threshold value, the base versions of the files are not retrieved to the McAfee ePO server. However, all subsequent changes to the files are reported and base versions of new files are sent to the McAfee ePO server.

By default, the limit is set to 100 files per rule. You can configure this setting, as needed, for your setup.

Configure settings for tracking content changes

Specify the maximum file size for tracking content changes, file extensions for which to track only attributes, and maximum number of files to fetch per rule.

Task

For option definitions, click ? in the interface.

1 On the McAfee ePO console, select Menu | Policy | Policy Catalog.

2 Select the Solidcore 6.1.2: General product.

The McAfee Default policy includes customizable configuration settings.

3 Click Duplicate for the McAfee Default policy in the Configuration (Client) category.

4 Specify the policy name, then click OK.

The policy is created and listed on the Policy Catalog page.

5 Click the new policy to open it.

6 Switch to the Miscellaneous Settings tab.

7 Specify values for the settings.

8 Save the policy and apply it to the relevant endpoints.

Track content changes

When you create or modify a monitoring (Integrity Monitor) policy or rule group, you can specify the files for which to track content changes.


Task

For option definitions, click ? in the interface.

1 Navigate to the File tab.

2 Perform one of these steps.

• Click Add to monitor and track changes for a new file.

• Select an existing rule and click Edit.

3 Review or add the file information.

You cannot track changes for network files (files placed on network paths).

4 Select Enable Content Change Tracking.

5 Select the file encoding.

You can choose Auto Detect, ASCII, UTF-8, and UTF-16. Auto Detect works for most files. If you are aware of the file encoding, select ASCII, UTF-8, or UTF-16 (as appropriate). If needed, you can add new file encoding values. Contact McAfee Support for assistance in adding a file encoding value.

6 Track content changes for files within a directory.

a Select Is Directory.

b Select Recurse Directory to track changes for files in all subdirectories of the specified directory.

c Optionally, specify patterns to match file names in the Include Patterns or Exclude Patterns boxes. While specifying multiple patterns, make sure that each pattern is on a separate line.

If you do not specify a pattern, all files are included for change tracking. You can add an asterisk (*) at the beginning or end of a pattern. For example, if you specify *.txt as an include pattern, only txt files in the directory are monitored. If you specify *.ini as an exclude pattern, all ini files in the directory are not monitored.

Exclude patterns take precedence over include patterns. For example, if you erroneously define an include and exclude pattern for the same file, the exclude pattern applies.

7 Click OK.
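The pattern rules of step 6c, modeled as an added Python example that is not part of the product guide. The function names are mine; the semantics (an asterisk only at one end of a pattern, no include pattern means all files, an exclude match always wins) are the guide's, and case-insensitive matching is an assumption.

```python
"""Model of the include and exclude pattern rules for content change tracking.

Added example, not code from the product guide. It assumes the semantics the
guide states: a pattern may carry an asterisk only at its beginning or end, an
empty include list means every file in the directory is tracked, and an exclude
match always wins over an include match. Case-insensitive matching is an
assumption made here because the guide's examples are Windows file names.
"""


def pattern_matches(pattern: str, name: str) -> bool:
    """Return True if one pattern matches one file name.

    Supported forms: "exact", "*suffix" and "prefix*". Any other placement of
    the asterisk is rejected, since the guide allows it only at one end.
    """
    pattern = pattern.strip().lower()
    name = name.lower()
    if pattern == "*":
        return True
    if pattern.startswith("*") and "*" not in pattern[1:]:
        return name.endswith(pattern[1:])
    if pattern.endswith("*") and "*" not in pattern[:-1]:
        return name.startswith(pattern[:-1])
    if "*" in pattern:
        raise ValueError(f"asterisk allowed only at the beginning or end: {pattern!r}")
    return name == pattern


def parse_patterns(text: str) -> list[str]:
    """Split the contents of a pattern box into patterns, one per line."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def is_tracked(file_name: str, include: list[str], exclude: list[str]) -> bool:
    """Decide whether a file in the monitored directory has its content tracked."""
    # Exclude patterns take precedence over include patterns.
    if any(pattern_matches(p, file_name) for p in exclude):
        return False
    # No include pattern means all files in the directory are included.
    if not include:
        return True
    return any(pattern_matches(p, file_name) for p in include)


def tracked_files(names: list[str], include_text: str = "", exclude_text: str = "") -> list[str]:
    """Apply the Include Patterns and Exclude Patterns boxes to a directory listing."""
    include = parse_patterns(include_text)
    exclude = parse_patterns(exclude_text)
    return [n for n in names if is_tracked(n, include, exclude)]


if __name__ == "__main__":
    # Constructed directory listing for the demonstration.
    listing = ["app.ini", "readme.txt", "notes.TXT", "config.cfg", "server.conf"]
    print(tracked_files(listing, "*.txt"))               # only the txt files
    print(tracked_files(listing, exclude_text="*.ini"))  # everything but app.ini
    print(tracked_files(listing, "app.ini", "app.ini"))  # [] because exclude wins
```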

Manage file versions

Review all versions available for a file, compare file versions, reset the base version, and delete versions.

The base version identifies the starting point or initial document to use for comparison or control. Typically, the oldest version of a file is set as the base version. In effect, when you start tracking changes for a file, the initial file content and attributes are stored in the McAfee ePO database and set as the base version.

Task

For option definitions, click ? in the interface.

1 On the McAfee ePO console, select Menu | Reporting | Content Change Tracking.

All files for which content change tracking is enabled are listed.


2 Identify the file for which you want to review versions.

• In the Quick find text box, specify the endpoint or file name, then click Apply. The list is updated based on the specified search string.

• Sort the list based on the system name, file path, or status.

3 Perform file operations.

To do this...   Do this...

Review the file status.
The File Status column denotes the current status of content change tracking.

Review versions.
Click View versions. The File revisions page displays all versions for the file. From this page you can compare file versions, specify the base version, and delete file versions from the McAfee ePO database.

Compare the file versions.
1 Specify what to compare.

• Click Compare with previous for a version to compare that version with the previous version of the file available at the McAfee ePO console.

• Click Compare with base for a version to compare that version with the base version.

• Select any two versions (by clicking the associated checkboxes), then select Actions | Compare Files to compare the selected versions.

The versions are compared and differences between the file content and file attributes are displayed.

2 Click Close.

Reset the base version.
1 Select a file version to set as the base version by clicking the associated checkbox.

2 Select Actions | Set as base version to open the Set as base version dialog box.

3 Click OK. This resets the base version and deletes all previous versions (older than the new base version) of the file.

The software can track up to 200 versions for a file. If the number of versions exceeds 200, the application deletes the oldest versions to bring the version count to 200. Then, it automatically sets the oldest version as the base version. If needed, you can configure the number of versions to maintain for a file. Contact McAfee Support for assistance in configuring the number of versions to maintain for a file.

Delete file versions.
Deleting file versions removes the selected file versions from the McAfee ePO database. It does not alter or remove the actual file present on the endpoint.

1 Select one or more file versions by clicking the associated checkboxes.

2 Select Actions | Delete, then click OK.

4 Click Close.

Compare files

Compare two files or two versions of a single file. You can compare files or versions on the same endpoint or on different endpoints.


Task

For option definitions, click ? in the interface.

1 On the McAfee ePO console, select Menu | Reporting | Content Change Tracking.

2 Click Advanced File Comparison.

3 Specify information for the first file.

a Select the group from the list.

b Enter the host name.

c Enter the name and path of the file.

d Select the version to compare.

4 Specify information for the second file.

5 Click Show Comparison.

The attributes and content of the files are compared and differences are displayed.

6 Review the results.

7 Click Close.

Receive change details

You can receive notifications and reports based on the changes made to the files in your setup.

Tasks

• Monitor all changes for a file on page 32
To closely observe changes to a critical file, you can choose to receive an email detailing the change each time the file is changed.

• Generate consolidated report on page 33
To get an overview of the changes made to the tracked files in your setup, schedule generation of a consolidated report based on the required criteria.

Monitor all changes for a file

To closely observe changes to a critical file, you can choose to receive an email detailing the change each time the file is changed.

Task

For option definitions, click ? in the interface.

1 On the McAfee ePO console, select Menu | Automation | Automatic Responses.

2 Click Actions | New Response to open the Response Builder page.

a Enter the response name.

b Select the Solidcore Events group and File Content Change Event type.

c Select Enabled.

d Click Next to open the Filter page.


3 Specify the file name, system name, or both.

• To receive an email each time a specific tracked file changes (across all managed endpoints), specify only the file name.

• To receive an email each time any tracked file changes on an endpoint, specify only the system name.

• To receive an email each time a specific file on an endpoint is changed, specify both the file and system name.

4 Click Next to open the Aggregation page.

5 Specify aggregation details, then click Next to open the Actions page.

6 Select Send File Content Change Email, specify the email details, then click Next to open the Summary page.

7 Review the details, then click Save.

Generate consolidated report

To get an overview of the changes made to the tracked files in your setup, schedule generation of a consolidated report based on the required criteria.

Task

For option definitions, click ? in the interface.

1 On the McAfee ePO console, click Menu | Queries and Reports | McAfee Groups | Change Control.

2 Perform one of these steps.

Generate a report for all tracked files within your setup
Use the Solidcore: Content Change Tracking Report Generation - With Group My Organization query.

Because this query pulls information for all tracked files in your setup, it can affect performance. We recommend that you duplicate this query to create a new query and specify criteria relevant to your setup.

Generate a report based on specific criteria
1 Click Duplicate for the Solidcore: Content Change Tracking Report Generation - With Group My Organization query to open the Duplicate dialog box.

2 Specify the query name and group, then click OK.

3 Navigate to the created query and click Edit to open the Query Builder wizard.

4 Switch to the Filter tab.

5 Add the required filters.

• Use the Generated time property to fetch information on content changes made in a specific interval.

• Use the File Path property to fetch information for one or more specific files.

• Use the System Name, Group Name, and Tags properties to specify the endpoints for which to retrieve information.

6 Click Save to open the Save Query page.

7 Click Save.

3 On the McAfee ePO console, select Menu | Automation | Server Tasks.

4 Click Actions | New Task to open the Server Task Builder wizard.

5 Type the task name, then click Next to open the Actions page.


6 From the Actions list, select Solidcore: Content Change Tracking Report Generation.

7 Configure the settings for the task.

a Specify the rule group (Integrity Monitor).

b Specify the query (from step 2).

c Specify the number of revisions to fetch for each file.

For example, consider that a file has changed 50 times in the last seven days based on the specified time interval in the query. To fetch information for the last 15 versions of the file, set the value for Get Last N revisions to 15. The default value for the number of revisions is 10, the maximum allowed value is 100, and the minimum is 1.

d Specify the email addresses (separated by a comma) to send the generated report.

Make sure that an email server is configured in the McAfee ePO server.

e Specify the email subject.

f Specify the report name.

By default, the report name is appended with the date and time when the report is created.

By default, the report generated by the server task (PDF file) is sent as an email attachment to all recipients. A file of up to 20 MB can be sent through email. If the file size exceeds 20 MB, the recipients are notified through a failure email message. Because the generated report can be large, you can save the report to a remote location and send a link to all recipients in an email.

8 Optionally, place the generated report on a shared folder and send the link to the report in an email to all intended recipients.

a Select Use this option to copy report on a network share and send network share information on email.

b Specify a path at which to save the generated report.

c Specify the network credentials to access the specified path.

d Click Test Connection to make sure that the specified credentials work.

9 Click Next.

10 Specify the schedule for the task, then click Next to open the Summary page.

11 Review the task summary, then click Save.

12 From the Server Tasks page, select Run for this server task.


4 Protecting the file system and registry

Using Change Control, you can prevent changes to the file system and registry.

Contents
How protection rules work?
Defining protection rules
Create a protection policy
Enable read protection

How protection rules work?

To prevent unauthorized access and changes, you define read-protection and write-protection rules.

Read-protection rules
Prevent users from reading the content of specified files, directories, and volumes.

When a directory is read protected, all files in the directory are read protected. Any unauthorized attempt to read data from protected files is prevented and an event is generated. Writing to read-protected files is allowed.

You cannot define read-protection rules for registry keys.

Write-protection rules
Prevent users from creating new files (including directories and registry keys) and modifying existing files, directories, and registry keys.

• Define write-protection rules for files and directories to protect them from unauthorized modifications. Only protect critical files. When a directory is included for write protection, all files contained in that directory and its subdirectories are write protected.

• Define write-protection rules for critical registry keys to protect them against change.

Can I override defined rules?

While you can define rules to protect, you can also define additional rules to selectively override the read or write protection that is in effect.

• Specify programs that are permitted to selectively override the read or write protection.

• Specify users (on the Windows platform only) who are permitted to selectively override the read or write protection.


Does an order of precedence exist for protection rules?

These considerations are used when protection rules are applied at the endpoint:

• Exclude rules are given precedence over include rules.

For example, if you erroneously define an include and exclude rule for the same file, the exclude rule applies.

• Longer paths are given precedence.

For example, if C:\temp is included for write protection, and C:\temp\foo.cfg is excluded, the changes to foo.cfg are permitted. Similarly, if you exclude the HKEY_LOCAL_MACHINE key and include the HKEY_LOCAL_MACHINE\System key for write protection, the changes to the HKEY_LOCAL_MACHINE\System key are prevented.

Defining protection rules

Regardless of whether you use a rule group or policy, the framework available to define protection rules is the same.

System variables

The path specified in a protection rule can include system environment variables (only on the Windows platform). This table lists the supported system variables.

Variable                        Example value (for most Windows platforms)

%ALLUSERSPROFILE%               C:\Documents and Settings\All Users
%APPDATA%                       C:\Documents and Settings\{username}\Application
%COMMONPROGRAMFILES%            C:\Program Files\Common Files
%COMMONPROGRAMFILES (x86)%      C:\Program Files (x86)\Common Files
%HOMEDRIVE%                     C:
%HOMEPATH%                      C:\Documents and Settings\{username} (\ on earlier Windows versions)
%PROGRAMFILES%                  C:\Program Files
%PROGRAMFILES (x86)%            C:\Program Files (x86) (only on 64-bit versions)
%SYSTEMDRIVE%                   C:
%SYSTEMROOT%                    C:\windows (C:\WINNT on earlier Windows versions)
%TEMP% (system), %tmp% (user)   C:\Documents and Settings\{username}\Local Settings\Temp, C:\Temp
%USERPROFILE%                   C:\Documents and Settings\{username} (C:\WINNT\profiles\{username} for earlier versions)
%WINDIR%                        C:\Windows


Path considerations

These considerations apply to path-based rules.

• Path should be absolute when specifying rules to read-protect or write-protect files and directories.

• Path need not be absolute when specifying rules to add a trusted program or updater. For example, you can specify a partial path, such as AcroRd32.exe or Reader\AcroRd32.exe, or a fully-qualified path, such as C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32.exe. If you specify a partial path, all programs with names that match the specified string are added as trusted programs. If you specify the fully-qualified path, only the specified program is added as a trusted program.

• Paths can contain white spaces.

• Paths can include the wildcard character (*). However, it can only represent one complete path component. Here are a few examples.

Windows platform   Using \abc\*\def is allowed while \abc\*.doc, \abc\*.*, or \abc\doc.* is not supported.

UNIX platform      Using /abc/*/def is allowed while /abc/*.sh, /abc/*.*, or /abc/doc.* is not supported.

• Paths used in registry key-based rules can include the wildcard character (*). However, the wildcard character can only represent one path component in the registry path. Make sure that you do not use the character for the component at the end of the complete registry path (if used at the end, the rule will not be effective).
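An added Python example, not from the product guide, that resolves write-protection rules the way the precedence section above and the wildcard rules in this list describe: the longest matching path wins, an exclude rule beats an include rule for the same path, and * stands for exactly one whole component. The function names, the case-sensitivity handling and the tie rule are assumptions of this model.

```python
"""Model of how write-protection rules are resolved at an endpoint.

Added example, not code from the product guide. It implements only what the
guide states: a rule on a directory or key covers everything beneath it, the
longer (more specific) path wins, an exclude rule wins over an include rule for
the same path, a * stands for exactly one complete path component, and a * at
the end of a registry path makes that rule ineffective. Assumptions made here:
Windows file and registry paths compare case-insensitively, UNIX paths
case-sensitively, and an exclude rule wins whenever two rules have the same
number of components.
"""


def components(path: str, case_sensitive: bool) -> list[str]:
    """Split a file or registry path into its components."""
    parts = [c for c in path.replace("/", "\\").split("\\") if c]
    return parts if case_sensitive else [c.lower() for c in parts]


def validate_rule_path(path: str, registry: bool = False) -> None:
    """Reject wildcard forms the guide lists as unsupported or ineffective."""
    parts = components(path, True)
    for part in parts:
        if "*" in part and part != "*":
            # \abc\*.doc, \abc\*.* and \abc\doc.* are not supported.
            raise ValueError(f"* must stand for a whole path component: {path!r}")
    if registry and parts and parts[-1] == "*":
        raise ValueError(f"trailing * makes a registry rule ineffective: {path!r}")


def rule_covers(rule_path: str, target: str, case_sensitive: bool) -> bool:
    """True if target is the rule path itself or lies beneath it."""
    rp = components(rule_path, case_sensitive)
    tp = components(target, case_sensitive)
    if len(rp) > len(tp):
        return False
    return all(r == "*" or r == t for r, t in zip(rp, tp))


def is_write_protected(target: str, rules, case_sensitive: bool = False) -> bool:
    """Resolve the rules for one target path.

    rules is an iterable of (path, include) pairs, where include=True means
    "include for write protection" and include=False means "exclude".
    """
    best = None  # (number of components, include) of the winning rule so far
    for path, include in rules:
        if not rule_covers(path, target, case_sensitive):
            continue
        depth = len(components(path, case_sensitive))
        # Longer paths take precedence; for equal length the exclude wins.
        if best is None or depth > best[0] or (depth == best[0] and not include):
            best = (depth, include)
    return best is not None and best[1]


if __name__ == "__main__":
    # The guide's own examples.
    file_rules = [(r"C:\temp", True), (r"C:\temp\foo.cfg", False)]
    print(is_write_protected(r"C:\temp\foo.cfg", file_rules))    # False: excluded
    print(is_write_protected(r"C:\temp\other.cfg", file_rules))  # True: under C:\temp
    reg_rules = [(r"HKEY_LOCAL_MACHINE", False), (r"HKEY_LOCAL_MACHINE\System", True)]
    print(is_write_protected(r"HKEY_LOCAL_MACHINE\System\CurrentControlSet", reg_rules))  # True
    # Wildcard as one whole component, UNIX style.
    print(is_write_protected("/abc/x/def/run.sh", [("/abc/*/def", True)], case_sensitive=True))  # True
```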

Protection rules

You can define protection rules when modifying or creating a protection (Change Control) policy or rule group.

Action Steps

Read-protect files and directories

1 Click Add on the Read Protect tab. The Add File dialog box appears.

2 Specify the file or directory name.

3 Indicate whether to include for or exclude from read protection.

4 Click OK.

By default, the read protection feature is disabled at the endpoints.

Write-protect files and directories

1 Click Add on the Write Protect File tab. The Add File dialog box appears.

2 Specify the file or directory name.

3 Indicate whether to include for or exclude from write protection.

4 Click OK.

Write-protect registry keys

1 Click Add on the Write Protect Registry tab. The Add Registry dialog box appears.

2 Specify the registry key.

3 Indicate whether to include for or exclude from write protection.

4 Click OK.


Specify trusted programs permitted to override the read and write protection rules

1 Click Add on the Updaters tab. The Add Updater dialog box appears.

2 Specify whether to add the updater based on the file name or checksum. If you add the updater by name, the updater is not authorized automatically. However, when you add the updater by checksum, the updater is authorized.

3 Enter the location of the file (when adding by name) or SHA1 value (when adding by checksum) of the executable binary.

4 Enter a unique identification label for the executable file. For example, if you specify Adobe Updater Changes as the identification label for the Adobe_Updater.exe file, all change events made by the Adobe_Updater.exe file will be tagged with this label.

5 When adding an updater by name, specify conditions that the binary file must meet to run as an updater.

• Select None to allow the binary file to run as an updater without any conditions.

• Select Library to allow the binary file to run as an updater only when it has loaded the specified library. For example, when configuring iexplore.exe as an updater to allow Windows Updates using Internet Explorer, specify wuweb.dll as the library. This makes sure that the iexplore.exe program has updater privileges only while the web control library (wuweb.dll) is loaded.

• Select Parent to allow the binary file to run as an updater only if it is launched by the specified parent. For example, when configuring updater.exe as an updater to allow changes to Mozilla Firefox, specify firefox.exe as the parent. Although updater.exe is a generic name that can be part of any installed application, using the parent makes sure that only the correct program is allowed to run as an updater.

6 When adding an updater by name, indicate whether to disable inheritance for the updater. For example, if Process A (that is set as an updater) launches Process B, disabling inheritance for Process A makes sure that Process B will not become an updater.

7 When adding an updater by name, indicate whether to suppress events generated for the actions performed by the updater. Typically, when an updater changes a protected file, a File Modified event is generated for the file. If you select this option, no events are generated for changes made by the updater.

8 Click OK.
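An added Python example, not from the product guide, that models the updater rules in the table above (Library and Parent conditions, inheritance, the identification label, and event suppression). The class and function names are mine; the matching of partial and fully-qualified program paths follows the Path considerations section.

```python
"""Model of the updater (trusted program) rules from the table above.

Added example, not code from the product guide; the class and function names
are mine. The behaviour follows the guide: an updater added by name gets
updater privileges when its condition (None, Library or Parent) holds, a
process launched by an updater inherits those privileges unless inheritance
was disabled on the updater's rule, and changes by an updater are tagged with
the rule's identification label unless event suppression was selected. A
partial path matches any program whose trailing path components agree with it;
a fully-qualified path must match exactly. Case-insensitive comparison of
Windows paths is an assumption made here.
"""
from dataclasses import dataclass, field
from typing import Optional


def components(path: str) -> list[str]:
    return [c.lower() for c in path.replace("/", "\\").split("\\") if c]


def program_matches(rule_path: str, exe_path: str) -> bool:
    """Partial paths match on trailing components; full paths must be equal."""
    rp, ep = components(rule_path), components(exe_path)
    fully_qualified = rule_path.startswith("\\") or rule_path[1:3] == ":\\"
    if fully_qualified:
        return rp == ep
    return len(rp) <= len(ep) and ep[-len(rp):] == rp


@dataclass
class Updater:
    path: str                          # name, partial path or fully-qualified path
    label: str                         # identification label for change events
    condition: Optional[tuple] = None  # None, ("Library", dll) or ("Parent", exe)
    inherit: bool = True               # False = inheritance disabled
    suppress_events: bool = False


@dataclass
class Process:
    exe: str
    parent: Optional["Process"] = None
    libraries: list = field(default_factory=list)  # DLLs currently loaded


def condition_holds(rule: Updater, proc: Process) -> bool:
    if rule.condition is None:
        return True
    kind, value = rule.condition
    if kind == "Library":
        return any(lib.lower() == value.lower() for lib in proc.libraries)
    if kind == "Parent":
        return proc.parent is not None and program_matches(value, proc.parent.exe)
    raise ValueError(f"unknown condition {kind!r}")


def updater_rule_for(proc: Process, rules: list) -> Optional[Updater]:
    """Return the rule under which proc has updater privileges, or None."""
    for rule in rules:
        if program_matches(rule.path, proc.exe) and condition_holds(rule, proc):
            return rule
    # Not an updater in its own right: inherit from the parent unless the
    # parent's rule has inheritance disabled.
    if proc.parent is not None:
        parent_rule = updater_rule_for(proc.parent, rules)
        if parent_rule is not None and parent_rule.inherit:
            return parent_rule
    return None


def write_attempt(proc: Process, rules: list, protected_file: str) -> dict:
    """Outcome of proc modifying a write-protected file."""
    rule = updater_rule_for(proc, rules)
    if rule is None:
        # Not an updater: the change is prevented. The product records this as
        # an attempted violation; that event is not modelled here.
        return {"allowed": False, "event": None, "label": None}
    if rule.suppress_events:
        return {"allowed": True, "event": None, "label": None}
    return {"allowed": True, "event": "File Modified", "label": rule.label}


if __name__ == "__main__":
    # Constructed rules mirroring the guide's examples.
    rules = [
        Updater("iexplore.exe", "IE Updates", ("Library", "wuweb.dll")),
        Updater("updater.exe", "Firefox Updates", ("Parent", "firefox.exe")),
        Updater("Adobe_Updater.exe", "Adobe Updater Changes"),
    ]
    firefox = Process(r"C:\Program Files\Mozilla Firefox\firefox.exe")
    upd = Process(r"C:\Program Files\Mozilla Firefox\updater.exe", parent=firefox)
    print(write_attempt(upd, rules, r"C:\cfg\app.ini"))    # allowed, label Firefox Updates
    stray = Process(r"C:\Users\demo\updater.exe", parent=Process(r"C:\Users\demo\other.exe"))
    print(write_attempt(stray, rules, r"C:\cfg\app.ini"))  # not allowed: wrong parent
```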


Specify authorized users permitted to override the read and write protection rules

You can either enter user details or import user or group details from an Active Directory. Make sure that the Active Directory is configured as a registered server.

Specify details to authorize users to override the read or write protection rules (Windows only).

1 On the Trusted User tab, click Add. The Add User dialog box appears.

2 Create two rules for each user:

• With UPN/SAM and domain account name (in domainName\user format)

• With domain netbiosName (in netbiosName\user format)

3 Specify a unique identification label for the user. For example, if you specify John Doe Changes as the identification label for the John Doe user, all changes made by the user will be tagged with this label.

4 Type the user name.

5 Click OK.

Import user details from an Active Directory.

1 Click AD Import on the Trusted User tab. The Import from Active Directory dialog box appears.

2 Select the server.

3 Select Global Catalog Search to search for users in the catalog (only if the selected Active Directory is a Global Catalog server).

4 Specify whether to search for users based on the UPN (User Principal Name) or SAM account name. Your search criteria will determine the authorized user. Make sure that you use the trusted account to log on to the endpoint. If you use the UPN name while adding a user, make sure that the user logs on with the UPN name at the endpoint to enjoy trusted user privileges.

5 Enter the user name. The Contains search criteria is applied for the specified user name.

6 Specify a group name to search for users within a group.

You cannot directly add a group present in the Active Directory to a policy. To authorize all users in a group, add the user group to a rule group and include the rule group in a policy. Adding user groups makes sure that all changes to a user group automatically cascade across all rule groups and associated policies.

7 Click Find. The search results are displayed.

8 Select the users to add in the search results, then click OK.

Create a protection policy

Protection policies are multi-slot policies; you can assign multiple policies to a single node in the system tree.


Task

For option definitions, click ? in the interface.

1 On the McAfee ePO console, select Menu | Policy | Policy Catalog.

2 Select the Solidcore 6.1.2: Change Control product.

3 Click New Policy to open the New Policy dialog box.

4 Select the category.

5 Select the policy you want to duplicate from Create a policy based on this existing policy list.

6 Specify the policy name, then click OK to open the Policy Settings page.

7 Specify protection rules.

The read-protect feature is disabled by default. To use read-protection rules, enable the read-protect feature for the endpoints.

8 Save the policy.

Enable read protection

By default, the read-protect feature is disabled for optimal system performance. Run a command on the endpoint to enable read protection.

Task

For option definitions, click ? in the interface.

1 On the McAfee ePO console, select Menu | Systems | System Tree.

2 Perform one of these actions.

• To apply the client task to a group, select a group in the System Tree and switch to the Assigned Client Tasks tab.

• To apply the client task to an endpoint, select the endpoint on the Systems page and click Actions | Agent | Modify Tasks on a Single System.

a Click Actions | New Client Task Assignment.

The Client Task Assignment Builder page appears.

b Select the Solidcore 6.1.2 product, SC: Run Commands task type, and click Create New Task.

The Client Task Catalog page appears.

c Specify the task name and add any descriptive information.

3 Type this command.

features enable deny-read

4 Select Requires Response if you want to view the status of the commands on the Menu | Automation | Solidcore Client Task Log tab.

5 Click Save.

6 Click Next to open the Schedule page.


7 Specify scheduling details, then click Next.

8 Review and verify the task details, then click Save.

9 Optionally, wake up the agent to send your client task to the endpoint immediately.


5 Monitoring and reporting

When a monitored file or registry key is changed or an attempt is made to access or change a protected resource, an event is generated on the endpoint and sent to the McAfee ePO server. Review and manage the generated events to monitor the network status.

You can also use customizable dashboards to monitor critical security status at a glance, and report that status to stakeholders and decision makers using preconfigured queries.

Contents
Manage events
Dashboards
Queries
View queries

Manage events

View and manage the events from the McAfee ePO console.

Tasks

• Review events on page 43
Review the events by specifying the time duration and endpoint details.

• View content changes on page 44
An event is generated each time the attributes or contents change for a file that is being tracked for changes.

• Exclude events on page 45
You can define rules to prune routine system-generated change events not relevant for monitoring or auditing.

Review events

Review the events by specifying the time duration and endpoint details.

Task

For option definitions, click ? in the interface.

1 On the McAfee ePO console, select Menu | Reporting | Solidcore Events.

2 Specify the time duration for which to view events by selecting an option from the Time Filter list.

3 Specify the endpoints for which to view events.

a Select the required group in the System Tree.

b Select an option from the System Tree Filter list.


4 Optionally, view only specific events by applying one or more filters.

a Click Advanced Filters to open the Edit Filter Criteria page.

b Select an available property.

c Specify the comparison and value for the property.

For example, to view only File Modified events, select the Event Display Name property, set the comparison to Equals, and select the File Modified value.

d Click Update Filter.

Events matching the specified criteria are displayed.

5 View details for an event.

a Click an event row.

b Review event details.

c Click Back.

6 Review endpoint details for one or more events.

a Select one or more events.

b Click Actions | Show Related Systems.

The Related Systems page lists the endpoints corresponding to the selected events.

c Click a row to review detailed information for the endpoint.

d Optionally, perform any action on the endpoint.

View content changes

An event is generated each time the attributes or contents change for a file that is being tracked for changes. Based on the change made to the file, one of these events is generated:

• FILE_CREATED

• FILE_DELETED

• FILE_MODIFIED

• FILE_RENAMED

• FILE_ATTR_MODIFIED

• FILE_ATTR_SET

• FILE_ATTR_CLEAR

• ACL_MODIFIED

• OWNER_MODIFIED

If any of these events is generated for a file for which you are tracking content changes, you can review details of the change made to the file. Use this task to view details of changes made to a file for which you are tracking content changes.

Task

For option definitions, click ? in the interface.

1 On the McAfee ePO console, select Menu | Reporting | Solidcore Events.

2 Click View Content Change for the event.

The page compares two versions of the file.


3 Review the host, file attribute, and file content information.

The change made to the file is highlighted.

4 Click Close.

Exclude events

You can define rules to prune routine system-generated change events not relevant for monitoring or auditing. You can exclude or ignore events not required to meet compliance requirements.

Task

For option definitions, click ? in the interface.

1 On the McAfee ePO console, select Menu | Reporting | Solidcore Events.

2 Select the events to exclude.

3 Click Actions | Exclude Events to open the Events Exclusion Wizard.

4 Select the target platform for the rules.

5 Select the rule group type, then click Next to open the Define Rules page.

6 Rules are auto-populated based on the selected events.

7 Review and refine existing rules and add new rules, as needed.

8 Click Next to open the Select Rule Group page.

9 Add the rules to an existing or new rule group, then click Save.

10 Make sure the rule group is added to the relevant policy and the policy is assigned to the endpoints.

Once excluded, similar new events are no longer displayed on the McAfee ePO console. Excluding events does not remove the existing or similar events from the Events page.

Dashboards

Dashboards are collections of monitors that help you keep an eye on your environment.

Change Control provides these default dashboards:

• Solidcore: Integrity Monitor dashboard allows you to observe the monitored endpoints

• Solidcore: Change Control dashboard helps you keep a check on the protected endpoints

You can create, modify (only on McAfee ePO 4.6), duplicate, and export dashboards. For more information on working with dashboards, see the McAfee ePolicy Orchestrator Software Product Guide.

Queries

Use the available queries to review information for the endpoints based on the data stored in the McAfee ePO database.

These Change Control queries are available from the McAfee ePO console.


Table 5-1 Change Control queries

Solidcore: Alerts
  Displays all alerts generated in the last 3 months.

Solidcore: Attempted Violations Detected in the Last 24 Hours
  Displays the attempted violation events detected during the last 24 hours. The line chart plots data on a per hour basis. Click a value on the chart to review event details.

Solidcore: Attempted Violations Detected in the Last 7 Days
  Displays the attempted violation events detected during the last 7 days. The line chart plots data on a per day basis. Click a value on the chart to review event details.

Solidcore: Integrity Monitor Agent Status
  Displays the status of all endpoints with the Change Control license which are managed by the McAfee ePO console. The pie chart categorizes the information based on the client status. Click a segment to review endpoint information.

Solidcore: Agent Status Report
  Displays the status of all endpoints managed by the McAfee ePO console. This report combines information for both the Application Control and Change Control licenses. The pie chart categorizes the information based on the client status. Click a segment to review detailed information.

Solidcore: Agent License Report
  Indicates the number of Solidcore Agents that are managed by the McAfee ePO console. The information is categorized based on the license information, namely Application Control and Change Control, and further sorted based on the operating system on the endpoint.

Solidcore: Content Change Tracking Report Generation - With Group My Organization
  Pulls information from the McAfee ePO database for all files in your setup for which you are tracking content changes. The fetched information is then used when you run the Solidcore: Content Change Tracking Report Generation server task to generate a report that details content and attribute changes made to the files for which you are tracking content changes.

Solidcore: Integrity Monitor Events Detected in the Last 24 Hours
  Displays monitoring-related events detected during the last 24 hours. The line chart plots data on a per hour basis. Click a value on the chart to review event details.

Solidcore: Integrity Monitor Events Detected in the Last 7 Days
  Displays monitoring-related events detected during the last 7 days. The line chart plots data on a per day basis. Click a value on the chart to review event details.

Solidcore: Non Compliant Solidcore Agents
  Lists the endpoints that are currently not compliant. The list is sorted based on the reason for non-compliance. An endpoint can be non-compliant if it is in Disabled or Update mode or if the local Command Line Interface (CLI) access is recovered.

Solidcore: Out of Band Change Events detected in the Last 24 Hours
  Displays change events generated in the last 24 hours which are not compliant with the update policy. The line chart plots data on a per hour basis. Click a value on the chart to review event details.

Solidcore: Out of Band Change Events detected in the Last 7 Days
  Displays change events generated in the last 7 days which are not compliant with the update policy. The line chart plots data on a per day basis. Click a value on the chart to review event details.

Solidcore: PCI Req 10.3: File Integrity Monitoring - Rolling 90 Days
  Displays the summary of changes that are grouped by the program name. This report allows you to comply with Payment Card Industry (PCI) requirement 10.3.

Solidcore: PCI DSS Req 11.5: Detailed PCI File Integrity Monitoring - Rolling 90 Days
  Displays a detailed audit log of the critical systems, critical applications, and configuration files. This report allows you to comply with PCI Data Security Standards (DSS) requirement 11.5.

Solidcore: PCI DSS Req 11.5: Summary PCI File Integrity Monitoring - Rolling 90 Days
  Displays a summarized audit log of the critical systems, critical applications, and configuration files. This report allows you to comply with PCI DSS requirement 11.5.


Solidcore: PCI DSS Req 10.3.1: User Report Detail - Rolling 90 Days
  Displays a detailed list of changes that are grouped by the user name. This report allows you to comply with PCI DSS requirement 10.3.1.

Solidcore: PCI DSS Req 10.3.1: User Report Summary - Rolling 90 Days
  Displays the summarized list of changes that are sorted based on the user name and date. This report allows you to comply with PCI DSS requirement 10.3.1.

Solidcore: Policy Assignments By System
  Lists the number of policies applied on the managed endpoints. Click a system to review information on the applied policies.

Solidcore: Policy Details
  Categorizes and lists the rules defined in a selected monitoring or protection policy. To view the report, click Edit for the query, navigate to the Filter page, select a policy name, and click Run. Click a category to review all the rules in the category.

Solidcore: Top 10 Change Events in the Last 7 Days
  Displays the top 10 change events that were generated during the last 7 days. The chart includes a bar for each event type and indicates the number of events generated for each event type. The bar chart sorts the data in descending order. Click a bar on the chart to review detailed information.

Solidcore: Top 10 Programs with Most Change Events in the Last 7 Days
  Displays the top 10 programs with most changes during the last 7 days. The chart includes a bar for each program and indicates the number of events generated by each program. The bar chart sorts the data in descending order. Click a bar on the chart to review detailed information.

Solidcore: Top 10 Systems with Most Change Events in the Last 7 Days
  Displays the top 10 systems with the most changes during the last 7 days. The chart includes a bar for each system and indicates the number of events generated for each system. The bar chart sorts the data in descending order. Click a bar on the chart to review detailed information.

Solidcore: Top 10 Systems with Most Violations Detected in the Last 24 Hours
  Displays the top 10 systems with the maximum number of violations in the last 24 hours. The chart includes a bar for each system and indicates the number of violations for each system. Click a bar on the chart to review detailed information.

Solidcore: Top 10 Systems with Most Violations Detected in the Last 7 Days
  Displays the top 10 systems with the maximum number of violations in the last 7 days. The chart includes a bar for each system and indicates the number of violations for each system. Click a bar on the chart to review detailed information.

Solidcore: Top 10 Users with Most Change Events in the Last 7 Days
  Displays the top 10 users with the most changes during the last 7 days. The chart includes a bar for each user and indicates the number of events generated by each user. The bar chart sorts the data in descending order. Click a bar on the chart to review detailed information.

Solidcore: Top 10 Users with Most Violations Detected in the Last 24 Hours
  Displays the top 10 users with the most policy violation attempts in the last 24 hours. The chart includes a bar for each user and indicates the number of policy violation attempts for each user. The bar chart sorts the data in descending order. Click a bar on the chart to review detailed information.

Solidcore: Top 10 Users with Most Violations Detected in the Last 7 Days
  Displays the top 10 users with the most policy violation attempts in the last 7 days. The chart includes a bar for each user and indicates the number of policy violation attempts for each user. The bar chart sorts the data in descending order. Click a bar on the chart to review detailed information.


View queries

View a Change Control query.

Task

For option definitions, click ? in the interface.

1 On the McAfee ePO console, select Menu | Reporting | Queries & Reports.

2 Complete one of these steps.

• From the McAfee ePO 5.0 console, select the Change Control group under McAfee Groups.

• From the McAfee ePO 4.6 console, select the Change Control group under Shared Groups.

3 Review the queries in the list.

4 Navigate to the required query, then click Run.

The results for the selected query are displayed.

5 Click Close to return to the previous page.


6 Getting started with Application Control

Before you begin using Application Control, get familiar with it and understand related concepts.

Contents

  Application Control modes
  How do I manage protected endpoints?
  Design the trust model
  Memory-protection techniques
  What are rule groups?
  Manage rule groups
  Manage certificates
  Manage installers


Application Control modes

At any time, Application Control can operate in one of these modes.

Enabled Indicates that the application is in effect and no unauthorized changes are allowed on the endpoints. When in Enabled mode, Application Control:

• Allows only authorized applications to run on servers and endpoints

• Prevents all unauthorized code including binaries and scripts from running

• Protects against memory-based attacks and application tampering

Enabled mode is the recommended mode of operation. From the Enabled mode, you can switch to the Disabled, Update, or Observe mode.

Observe Indicates that the application is in effect but is not preventing any changes made on the endpoints. Using the Observe mode is similar to doing a dry run for Application Control. Observe mode is available only on the Windows platform.

Observe mode is a key capability that helps you discover relevant policies for your enterprise. In Observe mode, the product recommends policy candidates by monitoring all execution activity and comparing it with the local inventory. This mode does not prevent any changes to the endpoint. All changes made in this mode are automatically whitelisted.

When running in Observe mode, Application Control emulates the Enabled mode but logs observations instead of preventing any applications or code from running. Each observation records the action Application Control would take in Enabled mode. For example, if the Adobe Reader application is not authorized, its execution is prevented in Enabled mode. In Observe mode, the Adobe Reader application is allowed to execute and an observation is generated to indicate that the execution was permitted.

Starting with the 6.1.2 release, there may not be a one-to-one mapping between events and observations.

You can place Application Control in Observe mode to:

• Check the compatibility of Application Control with existing software during initial deployment

• Test an application prior to enterprise-wide deployment on endpoints already running Application Control

• Create trusted updater policies for the applications in your enterprise

From the Observe mode, you can switch to the Enabled or Disabled mode. For more information on the Observe mode, see Deploying Application Control in Observe mode.


Update Indicates that the application is in effect, allows ad-hoc changes to the system, and tracks the changes made to the endpoints. We recommend that you use the Update mode only for installing minor software updates. Only use the Update mode to perform scheduled or emergency changes that cannot be made when Application Control is running in Enabled mode. Whenever possible, use the other preferred methods, such as trusted users, directories, publishers, updaters, or installers, to allow changes.

In the Enabled mode, if you install any new software or add new binary files, the files are not added to the whitelist or allowed to execute (unless the change is performed by a trusted change method). However, if you install or uninstall software or add new binary files in the Update mode, all changes are tracked and added to the whitelist.

To authorize or approve changes to endpoints, a change window is defined during which users and programs can make changes to the endpoint. In effect, the Update mode allows you to schedule software and patch installations, remove or modify software, and dynamically update the local whitelist. The application generates the FILE_SOLIDIFIED event for files added during Update mode and the FILE_UNSOLIDIFIED event for files deleted during Update mode. Also, when an endpoint is in Update mode, all changes to existing files in the inventory generate corresponding update mode events, such as FILE_MODIFIED_UPDATE and FILE_RENAMED_UPDATE.

Memory-protection techniques remain enabled in Update mode, so running programs stay protected against exploitation while the change window is open.

From the Update mode, you can switch to the Enabled or Disabled mode.

Disabled Indicates that the application is not in effect. Although the application is installed, the associated features are not active.

From the Disabled mode, you can switch to the Enabled, Update, or Observe mode.

How do I manage protected endpoints?

When you deploy Application Control to protect an endpoint, it creates a whitelist of all executable binary and script files present on the endpoint. The whitelist lists all authorized files and is used to determine trusted or known files. In Enabled mode, only files present in the whitelist are allowed to execute. Also, all files in the whitelist are protected and cannot be modified or deleted. An executable binary or script file that is not in the whitelist is said to be unauthorized and is prevented from running.

Authorizing files and programs

The whitelist is the most common method to determine trusted or known files.

You can authorize a program or file on a protected endpoint by using one of these methods.

• By checksum

• By certificate or publisher

• By name

• By adding to the whitelist

The order in which the methods are listed indicates the precedence the software applies to the methods: a checksum rule outranks a certificate rule, which outranks a name rule, which outranks the whitelist. For example, if you ban a program based on its checksum value and it is present in the whitelist (and hence is authorized), the program is banned. Similarly, if a program is allowed based on its checksum value and is banned by name, the program is allowed to execute and run.


Allowing changes to endpoints

Most application environments are dynamic in nature, some more than others. Application Control provides several mechanisms to help you create a dynamic whitelisting solution. Depending on the enterprise environment, administrators can choose to use one or more of these mechanisms to allow authorized change agents to create, modify, or delete files in the whitelist.

To design a trust model and allow additional users or programs to modify a protected endpoint, you can use one of these methods.

Updater Refers to an application permitted to update the endpoint. If a program is configured as an updater, it is allowed to install new software and update existing software. For example, if you configure the Adobe 8.0 updater program as an updater, it can periodically patch all needed files.

Updaters work at a global level and are not application- or license-specific. After a program is defined as an updater, it can modify any protected file. If you are using both Application Control and Change Control, an updater defined via an Application Control policy will also be able to modify files protected by rules defined in a Change Control policy.

An updater is not authorized automatically. To be authorized, an updater must be present in the whitelist or given explicit authorization (defined as an allowed binary via a policy or added as an updater based on checksum). We recommend that you use caution and judiciously assign updater privileges to binary files. For example, if you set cmd.exe as an updater and invoke any executable from it, the executable can perform any change on the protected endpoints.

To avoid a security gap, it is not recommended to have a file configured as an allowed binary and an updater concurrently.

Common candidates to set as updaters include software distribution applications, such as Tivoli, Opsware, Microsoft Systems Management Server (SMS), and Bladelogic, and programs that need to frequently update themselves. Application Control includes predefined rules for commonly used applications that might need to update the endpoints frequently. For example, rule groups are defined for the Altiris, SCCM, and McAfee products.

You can also add scripts as updaters. However, this is not applicable for the Windows Server 2012 platform.

Publisher Refers to a publisher or trusted certificate (associated with a software package) that is permitted to run on a protected endpoint. After you add a certificate as a publisher, you can run all software that is signed by the certificate. You can configure publishers only for the Windows platform. For example, if you add Adobe's code signing certificate as a publisher, all software issued by Adobe and signed by Adobe's certificate will be permitted to run.

To allow any in-house applications to run on protected endpoints, you can sign the applications with an internal certificate and define the internal certificate as a trusted publisher. After you do so, all applications signed by the certificate are allowed. Also, all applications and binary files either added or modified on an endpoint that are signed by the certificate are automatically added to the whitelist.

When adding a publisher, you can also choose to provide updater privileges to the publisher. We recommend that you use this option judiciously because selecting it gives every binary file signed by the publisher updater privileges. For example, if you set the Microsoft certificate that signs the Internet Explorer application as an updater, Internet Explorer can download and execute any application from the internet. In effect, any files added or modified by an application that is signed by the publisher (with updater privileges) are added to the whitelist automatically.


Installer Refers to an application installer identified by its checksum (SHA1) that is allowed to install or update software. When a program (or an installer) is configured as an authorized installer, it gets both attributes: authorized binary and updater. Hence, regardless of whether the installer was originally present on the endpoint or not, it is allowed to execute and update software on the endpoint. You can configure installers only for the Windows platform.

An authorized installer is allowed based on the checksum (SHA1) value of the installer (specified while configuring the policy). This makes sure that regardless of the source of the installer (and how one gets this installer to the endpoint), if the checksum value matches, the installer will be allowed to run. For example, if you add the installer for the Microsoft Office 2010 suite as an installer, the installer will be allowed to install the Microsoft Office suite on the protected endpoints whenever its checksum matches.

Trusted Directory Refers to a directory (local or network share) identified by its Universal Naming Convention (UNC) path. After you add a directory as a trusted directory, endpoints are permitted to run any software present on that directory.

When enabled, Application Control prevents protected endpoints from executing any code residing on a network share. If you maintain shared folders containing installers for licensed applications on the internal network in your organization, add trusted directories for such network shares.

Additionally, if needed, you can also allow the software located at that UNC path to install software on the protected endpoints. For example, when logging on to a Domain Controller from a protected endpoint, you will need to define \\domain-name\SYSVOL as a trusted directory (to allow execution of scripts).

Trusted User Refers to an authorized Windows user with privileges to dynamically add to the whitelist. For example, add the administrator as a trusted user to allow the administrator to install or update any software. While adding the user details, you must also provide the domain details.

Of all the strategies available to allow changes to protected endpoints, this is the least preferred because it offers minimal security. We suggest that you define trusted users judiciously because after a trusted user is added, there are no restrictions on what the user can modify or run on an endpoint.

Update mode Refers to a time window during which all changes are allowed on a protected endpoint. Place the protected endpoints in the Update mode to perform ad-hoc changes to the endpoints.

Use this method when none of the other strategies, such as trusted users, trusted directories, publishers, or installers, meet your requirements. For example, define a time window to allow the IT team to complete maintenance tasks, such as installing patches or upgrading software. For more information on the Update mode, see Application Control modes.

Observe mode Refers to a mode in which the application is in effect but does not prevent any changes made on the endpoints. In Observe mode, the product recommends policy candidates by monitoring all execution activity and comparing it with the local inventory. All changes that are made in this mode are automatically whitelisted. Observe mode is available only on the Windows platform.

Use this method to discover relevant policies for your enterprise or perform a dry run for Application Control. For more information on the Observe mode, see Application Control modes.

Design the trust model

Regardless of whether you use a rule group or policy, the framework available to define rules is the same. Use this information when creating or modifying an Application Control policy or rule group.

For more information on the type of rules you can define, see How do I manage protected endpoints?.


Using variables in rules

The path specified in a rule can include system environment variables (only on the Windows platform). This table lists the supported system variables.

Variable                      Example value (true for most Windows platforms)

%ALLUSERSPROFILE%             C:\Documents and Settings\All Users
%APPDATA%                     C:\Documents and Settings\{username}\Application
%COMMONPROGRAMFILES%          C:\Program Files\Common Files
%COMMONPROGRAMFILES (x86)%    C:\Program Files (x86)\Common Files
%HOMEDRIVE%                   C:
%HOMEPATH%                    C:\Documents and Settings\{username} (\ on earlier Windows versions)
%PROGRAMFILES%                C:\Program Files
%PROGRAMFILES (x86)%          C:\Program Files (x86) (only for 64-bit versions)
%SYSTEMDRIVE%                 C:
%SYSTEMROOT%                  C:\windows (C:\WINNT on earlier Windows versions)
%TEMP% (system), %tmp% (user) C:\Documents and Settings\{username}\Local Settings\Temp or C:\Temp
%USERPROFILE%                 C:\Documents and Settings\{username} (C:\WINNT\profiles\{username} for earlier versions)
%WINDIR%                      C:\Windows

Understanding path considerations

These considerations apply to path-based rules.

• Path need not be absolute when specifying rules.

For example, when defining an updater you can specify a partial path, such as AcroRd32.exe or Reader\AcroRd32.exe, or a fully-qualified path, such as C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32.exe. If you specify the partial path, all programs with names that match the specified string are assigned updater privileges. If you specify the fully-qualified path, only the specified program is assigned updater privileges.

Similarly, when banning a file, if you specify the partial path, such as notepad.exe, all programs with names that match the specified string are banned. However, if you specify the fully-qualified path, for example C:\Windows\system32\notepad.exe, only the specified file is banned. Alternatively, if you specify the checksum value, only the file with the specified checksum value is banned.

• Paths can contain white spaces.

• Paths can include the wildcard character (*). However, it can only represent one complete path component. Here are a few examples.

Windows platform Using \abc\*\def is allowed while \abc\*.doc, \abc\*.*, or \abc\doc.* is not supported.

UNIX platform Using /abc/*/def is allowed while /abc/*.sh, /abc/*.*, or /abc/doc.* is not supported.
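The following Python model is an added example, not McAfee code: it combines the rule precedence from "Authorizing files and programs" (checksum, then certificate or publisher, then name, then whitelist) with the path considerations above (partial versus fully-qualified paths, `*` as exactly one complete path component, and variable expansion from the table). The rule storage, the platform detection, and the tie-break when several name rules match are assumptions.

```python
"""Model of Application Control rule semantics (added example, not product code).
Precedence: checksum > publisher > name > whitelist. Paths may be partial
(match trailing components) or fully qualified; '*' matches one component."""
import hashlib
import re
from dataclasses import dataclass, field

# Example values taken from the variables table (assumed Windows defaults).
WIN_VARS = {
    "%PROGRAMFILES%": r"C:\Program Files",
    "%SYSTEMROOT%": r"C:\windows",
    "%WINDIR%": r"C:\Windows",
}


def expand_vars(path, variables=WIN_VARS):
    """Replace %VAR% tokens with their example values (case-insensitive)."""
    return re.sub(r"%[^%]+%",
                  lambda m: variables.get(m.group(0).upper(), m.group(0)),
                  path)


def _components(path):
    # Split on either separator so Windows and UNIX rules share one matcher;
    # comparison is case-insensitive (assumption, matching Windows behaviour).
    return [p.lower() for p in re.split(r"[\\/]", path) if p]


def _is_fully_qualified(rule):
    # A drive letter (Windows) or a leading '/' (UNIX) anchors the rule.
    return bool(re.match(r"^[a-z]:[\\/]", rule, re.I)) or rule.startswith("/")


def path_matches(rule, path):
    """True if the rule matches the path. A partial rule matches only the
    trailing components; '*' must stand for exactly one complete component."""
    rule = expand_vars(rule)
    rule_parts = _components(rule)
    if any("*" in p and p != "*" for p in rule_parts):
        # \abc\*.doc, \abc\*.* and \abc\doc.* are not supported forms.
        raise ValueError("'*' must be a complete path component: %r" % rule)
    path_parts = _components(path)
    candidate = path_parts if _is_fully_qualified(rule) else path_parts[-len(rule_parts):]
    if len(candidate) != len(rule_parts):
        return False
    return all(r == "*" or r == p for r, p in zip(rule_parts, candidate))


@dataclass
class RuleSet:
    """Rules of the four kinds listed under 'Authorizing files and programs'."""
    by_checksum: dict = field(default_factory=dict)  # sha1 -> "allow" | "ban"
    publishers: set = field(default_factory=set)     # trusted certificate subjects
    by_name: dict = field(default_factory=dict)      # path pattern -> "allow" | "ban"
    whitelist: set = field(default_factory=set)      # sha1 of solidified files


def decide(rules, path, content, signer=None):
    """Return (verdict, reason) by applying the documented precedence order."""
    sha1 = hashlib.sha1(content).hexdigest()
    if sha1 in rules.by_checksum:
        return rules.by_checksum[sha1], "checksum"
    if signer is not None and signer in rules.publishers:
        return "allow", "publisher"
    verdicts = {v for pat, v in rules.by_name.items() if path_matches(pat, path)}
    if verdicts:
        # Assumption: when several name rules match, a ban outranks an allow.
        return ("ban" if "ban" in verdicts else "allow"), "name"
    if sha1 in rules.whitelist:
        return "allow", "whitelist"
    return "ban", "not in whitelist"


def demo():
    """Constructed files and rules reproducing the guide's two precedence cases."""
    evil = b"constructed-binary-A"   # banned by checksum although whitelisted
    tool = b"constructed-binary-B"   # allowed by checksum although banned by name
    rules = RuleSet(
        by_checksum={hashlib.sha1(evil).hexdigest(): "ban",
                     hashlib.sha1(tool).hexdigest(): "allow"},
        publishers={"CN=Example Corp Code Signing"},   # constructed subject
        by_name={"notepad.exe": "ban", r"\abc\*\def": "allow"},
        whitelist={hashlib.sha1(evil).hexdigest()},
    )
    return {
        "banned_despite_whitelist": decide(rules, r"C:\Tools\evil.exe", evil),
        "allowed_despite_name_ban": decide(rules, r"C:\windows\system32\notepad.exe", tool),
        "banned_by_partial_name": decide(rules, r"D:\tools\notepad.exe", b"other"),
        "allowed_by_wildcard": decide(rules, r"C:\abc\xyz\def", b"other"),
        "allowed_by_publisher": decide(rules, r"C:\x.exe", b"other",
                                       signer="CN=Example Corp Code Signing"),
        "unknown_file": decide(rules, r"C:\other.exe", b"other"),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(case, result)
```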


Are any predefined rules available?

Yes, Application Control includes predefined rules for commonly-used applications. These predefined rules are included:

• McAfee Default (one each for UNIX and Windows). For detailed information, see Review predefined rules.

• McAfee Applications (McAfee Default). This policy includes McAfee-specific rules that allow other McAfee products to run successfully on protected endpoints. These rules are also included in the McAfee Default (Windows) policy.

How do I define rules?

Use this information to define the rules to design the trust model. You can perform these actions when creating or modifying an Application Control policy or rule group.

Add an updater

1 Select the Updaters tab and click Add. The Add Updater dialog box appears.

2 Specify whether to add the updater based on the file name or checksum. If you add the updater by name, the updater is not authorized automatically. However, when you add the updater by checksum, the updater is authorized.

3 Enter the location of the file (when adding by name) or the SHA1 value (when adding by checksum) of the executable binary.

4 Specify an identification label for the program. For example, if you specify Adobe Updater changes as the label, all changes made by the Adobe 8.0 updater are tagged with this label.

5 When adding an updater by name, specify conditions that the binary file must meet to run as an updater.

• Select None to allow the binary file to run as an updater without any conditions.

• Select Library to allow the binary file to run as an updater only when it has loaded the specified library. For example, when configuring iexplore.exe as an updater to allow Windows Updates using Internet Explorer, specify wuweb.dll as the library. This makes sure that the iexplore.exe program has updater privileges only while the web control library (wuweb.dll) is loaded.

• Select Parent to allow the binary file to run as an updater only if it is launched by the specified parent. For example, when configuring updater.exe as an updater to allow changes to Mozilla Firefox, specify firefox.exe as the parent. Although updater.exe is a generic name that can be part of any installed application, using the parent makes sure that only the correct program is allowed to run as an updater.

6 When adding an updater by name, indicate whether to disable inheritance for the updater. For example, if Process A (that is set as an updater) launches Process B, disabling inheritance for Process A makes sure that Process B will not become an updater.

7 When adding an updater by name, indicate whether to suppress events generated for the actions performed by the updater. Typically, when an updater changes a protected file, a File Modified event is generated for the file. If you select this option, no events are generated for changes made by the updater.

8 Click OK.
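As an added example (not McAfee code), this Python model shows how the by-name updater conditions from steps 5 and 6 (None, Library, Parent, and disabled inheritance) decide whether a running process holds updater privileges. The process and rule structures, matching rules by file name only, and the assumption that inherited updater status continues down an unbroken launch chain are all assumptions of the example.

```python
"""Model of by-name updater conditions (added example, not product code)."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class UpdaterRule:
    name: str                    # file name of the updater, e.g. "iexplore.exe"
    condition: str = "None"      # "None", "Library" or "Parent" (step 5)
    value: Optional[str] = None  # library that must be loaded, or parent file name
    inherit: bool = True         # False models "disable inheritance" (step 6)


@dataclass
class Process:
    image: str                             # full path of the executable
    parent: Optional["Process"] = None     # launching process, if known
    loaded_libraries: set = field(default_factory=set)


def _basename(path):
    # Assumption: rules are compared on the file name component only.
    return path.replace("/", "\\").split("\\")[-1].lower()


def direct_updater_rule(proc, rules):
    """Return the first rule that grants this process updater privileges itself."""
    for rule in rules:
        if _basename(rule.name) != _basename(proc.image):
            continue
        if rule.condition == "None":
            return rule
        if rule.condition == "Library":
            loaded = {_basename(lib) for lib in proc.loaded_libraries}
            if _basename(rule.value) in loaded:
                return rule
        if (rule.condition == "Parent" and proc.parent is not None
                and _basename(rule.value) == _basename(proc.parent.image)):
            return rule
    return None


def is_updater(proc, rules):
    """A process is an updater if a rule applies to it directly, or if its
    launcher is an updater whose rule leaves inheritance enabled."""
    if direct_updater_rule(proc, rules) is not None:
        return True
    if proc.parent is None:
        return False
    parent_rule = direct_updater_rule(proc.parent, rules)
    if parent_rule is not None:
        return parent_rule.inherit       # disabled inheritance stops here
    return is_updater(proc.parent, rules)  # assumption: inherited status propagates


def demo():
    """Constructed processes exercising each condition; returns the verdicts."""
    rules = [
        UpdaterRule("iexplore.exe", "Library", "wuweb.dll"),
        UpdaterRule("updater.exe", "Parent", "firefox.exe"),
        UpdaterRule("cmd.exe", "None", inherit=False),
    ]
    ie = r"C:\Program Files\Internet Explorer\iexplore.exe"
    firefox = Process(r"C:\Program Files\Mozilla Firefox\firefox.exe")
    explorer = Process(r"C:\Windows\explorer.exe")
    cmd = Process(r"C:\Windows\system32\cmd.exe")
    ff_updater = Process(r"C:\Program Files\Mozilla Firefox\updater.exe", parent=firefox)
    return {
        "ie_without_library": is_updater(Process(ie), rules),
        "ie_with_library": is_updater(Process(ie, loaded_libraries={"wuweb.dll"}), rules),
        "updater_from_firefox": is_updater(ff_updater, rules),
        "updater_from_explorer": is_updater(
            Process(r"C:\Other\updater.exe", parent=explorer), rules),
        "child_of_firefox_updater": is_updater(
            Process(r"C:\Temp\helper.exe", parent=ff_updater), rules),
        "cmd_itself": is_updater(cmd, rules),
        "child_of_cmd": is_updater(Process(r"C:\tools\setup.exe", parent=cmd), rules),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(case, verdict)
```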


Allow or ban a binary file

1 Select the Binary tab and click Add. The Add Binary dialog box appears.

2 Specify an identifier for the rule in the Rule Name field. You can use the identifier to group related rules. For example, you can specify Banning unauthorized programs as the identifier for all rules that you define to ban unauthorized programs in your organization.

3 Indicate whether to allow or ban the binary file.

4 Indicate whether to allow or ban the binary file based on the file's name or checksum value.

5 Enter the name or checksum value.

6 Click OK.

Specify authorized users permitted to override the protection in effect (only for the Windows platform)

You can either enter user details or import user or group details from an Active Directory. Make sure that the Active Directory is configured as a registered server.

Specify details to authorize users to override the protection in effect. (Windows only)

1 Click Add on the Trusted Users tab. The Add User dialog box appears.

2 Create two rules for each user:

• With UPN/SAM and domain account name (in domainName\user format)

• With domain netbiosName (in netbiosName\user format)

3 Specify a unique identification label for the user. For example, if you specify John Doe's Changes as the identification label for the John Doe user, all changes made by the user will be tagged with this label.

4 Type the user name.

5 Click OK.

Import user details from an Active Directory.

1 Click AD Import on the Trusted Users tab. The Import from Active Directory dialog box appears.

2 Select the server.

3 Select Global Catalog Search to search for users in the catalog (only if the selected Active Directory is a Global Catalog server).

4 Specify whether to search for users based on the UPN (User Principal Name) or SAM account name. Your search will determine the authorized user. If you search using the UPN or common name, the user will be trusted with the UPN, and if you search using the SAM account name, the user will be trusted with the SAM account name.

5 Enter the user name. The Contains search criteria is applied for the specified user name.

6 Specify a group name to search for users within a group.

You cannot directly add a group present in the Active Directory to a policy. To authorize all users in a group, add the user group to a rule group and include the rule group in a policy. Using groups makes sure that all changes to a user group automatically cascade across all rule groups and associated policies.


7 Click Find. The search results are displayed.

8 Select the users to add in the search results and click OK.

Add a publisher

1 Select the Publishers tab and click Add. The Add Publisher dialog box appears.

2 Search for and add the certificate. For example, you can search for and add the Microsoft certificate. For information on how to add publishers, see Manage certificates.

3 Optionally, select the Add Publisher(s) as Updater option to provide updater privileges to the publisher.

4 Specify an identification label for the publisher. If you select the Add Publisher(s) as Updater option, you must specify an identification label for the publisher.

5 Click OK.

Add an installer

1 Select the Installers tab and click Add. The Add Installer dialog box appears.

2 Search for and add the installer. For example, you can add the installer for the Adobe Reader to allow users to run the installer on the endpoints. For more information on how to add installers, see Manage installers.

3 Specify an identification label for the installer.

4 Click OK.

Add an exception

1 Select the Exceptions tab and click Add. The Add Attribute dialog box appears.

2 Enter the file name.

3 Select the required options. For detailed information on the available options, see Define bypass rules.

4 Click OK.

Add a trusted directory

1 Select the Trusted Directories tab and click Add. The Add Path dialog box appears.

2 Enter the location of the directory.

3 Select Include or Exclude. Use the Exclude option to exclude a specific folder or subfolder within a trusted directory.

4 Optionally, select the Make programs executed from this directory updaters option to allow the software located at that UNC path to modify the endpoints.

5 Click OK.


Specify advanced exclusion filters for observations and events

1 Click Add Rule on the Filters tab. A new filter row appears. You can create filters based on files, events, programs, registry keys, and users. By default, all defined filters are applied to observations.

2 Edit the settings to specify the filter.

3 Click + or Add Rule to specify additional AND or OR conditions, respectively.

4 Select Apply rule to events also for a set of rules to apply the filter rules to events.

You can also define advanced exclusion filters from the Events page. For more information, see Exclude events.
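The filter semantics described in the steps above (a filter row is a rule, + adds an AND condition to it, Add Rule adds another rule that is OR-ed with the others, and every rule applies to observations while only rules marked Apply rule to events also apply to events) can be checked against sample data before a filter is saved. The following Python is an added illustration, not the product's own code: the record shape, the attribute names (file, program, user), the substring matching and the sample records and rules are all constructed assumptions.

```python
"""Advanced exclusion filters for observations and events (added example).

Illustration code, not the product's implementation: the record shape, the
attribute names and the substring ("contains") matching are assumed.
"""
from dataclasses import dataclass


@dataclass
class Condition:
    """One condition inside a rule; all conditions of a rule must match (AND, the '+' button)."""
    attribute: str   # assumed attribute names: "file", "program", "user", "registry_key"
    value: str       # substring that must appear in the record attribute

    def matches(self, record: dict) -> bool:
        return self.value.lower() in str(record.get(self.attribute, "")).lower()


@dataclass
class FilterRule:
    """One filter row (Add Rule). Rules are OR-ed: any matching rule excludes the record."""
    conditions: list
    apply_to_events: bool = False   # 'Apply rule to events also'

    def matches(self, record: dict) -> bool:
        return all(c.matches(record) for c in self.conditions)


def is_excluded(record: dict, rules: list) -> bool:
    """True if some applicable rule matches. record["kind"] is "observation" or "event"."""
    for rule in rules:
        if record["kind"] == "event" and not rule.apply_to_events:
            continue   # by default filters apply to observations only
        if rule.matches(record):
            return True
    return False


def apply_filters(records: list, rules: list):
    """Split records into (kept, excluded) lists, preserving order."""
    kept, excluded = [], []
    for rec in records:
        (excluded if is_excluded(rec, rules) else kept).append(rec)
    return kept, excluded


# Constructed sample data (not real product output).
SAMPLE_RECORDS = [
    {"kind": "observation", "file": "C:\\Temp\\build\\app.log", "program": "msbuild.exe", "user": "CORP\\svc_build"},
    {"kind": "observation", "file": "C:\\Windows\\System32\\cmd.exe", "program": "explorer.exe", "user": "CORP\\jdoe"},
    {"kind": "event", "file": "C:\\Temp\\build\\out.dll", "program": "msbuild.exe", "user": "CORP\\svc_build"},
    {"kind": "event", "file": "C:\\Temp\\x.exe", "program": "winword.exe", "user": "CORP\\jdoe"},
    {"kind": "event", "file": "C:\\Temp\\y.exe", "program": "python.exe", "user": "CORP\\svc_build"},
]

SAMPLE_RULES = [
    # Rule 1 ('+' used once): build tool AND build folder; also applied to events.
    FilterRule([Condition("program", "msbuild.exe"), Condition("file", "C:\\Temp\\build\\")],
               apply_to_events=True),
    # Rule 2 (a separate Add Rule): anything done by a service account, observations only.
    FilterRule([Condition("user", "svc_")]),
]


def summarize(records=SAMPLE_RECORDS, rules=SAMPLE_RULES) -> dict:
    """Show what a filter set would keep and drop; useful to review a filter before applying it."""
    kept, excluded = apply_filters(records, rules)
    return {
        "kept": [(r["kind"], r["file"]) for r in kept],
        "excluded": [(r["kind"], r["file"]) for r in excluded],
    }
```

Note the asymmetry the example makes visible: rule 2 silences the service account's observations but, because it is not marked for events, the service account's events still reach the console. A filter that is too broad hides exactly the activity Observe mode is meant to surface, so reviewing the excluded list before saving is the useful check.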

Memory-protection techniques

Application Control offers multiple memory-protection techniques to prevent zero-day attacks. These memory-protection techniques provide additional protection over the protection offered by native Windows features or signature-based buffer overflow protection products.

These memory-protection techniques are available on all Windows operating systems, including 64-bit platforms. The memory-protection techniques are unavailable on the Windows Server 2012 and Unix platforms. At a high level, the available memory-protection techniques stop two kinds of exploits:

• Buffer overflow followed by direct code execution

• Buffer overflow followed by indirect code execution using Return-Oriented Programming

For a detailed and updated list of the exploits prevented by the memory-protection techniques, subscribe to McAfee Threat Intelligence Services (MTIS) security advisories.

Technique: CASP - Critical Address Space Protection (mp-casp)

Description: CASP is a memory-protection technique that renders useless any code that is running from the non-code area. Code running from the non-code area is an abnormal event that usually happens due to a buffer overflow being exploited.

CASP is different from the DEP (Data Execution Prevention) feature available on 64-bit Windows platforms. While the DEP feature prevents the code in a non-code area from executing at all (usually with the help of hardware), CASP allows such code to execute but disallows such code from making any meaningful API calls, such as CreateProcess(), DeleteFile(), and others. Any meaningful exploit code would want to invoke at least one of these APIs and because CASP blocks them, the exploit fails to do any damage.

Supported Operating Systems: This feature is available on these Windows operating systems:

• 32-bit - Windows 2003, Windows 2003 R2, Windows 2008, Windows XP, Windows XPE, WEPOS, Pos Ready 2009, WES 2009, Windows Vista, Windows 7, and Windows 7 Embedded

Default State: Enabled

Event generated: PROCESS HIJACK ATTEMPTED

Technique: NX - No eXecute (mp-nx)

Description: The NX feature utilizes Windows' Data Execution Prevention (DEP) feature to protect processes against exploits that try to execute code from a writable memory area (stack/heap). On top of native DEP, MP-NX provides granular bypass capability as well as raises violation events that can be viewed on the McAfee ePO console. Windows DEP is a memory-protection technique that prevents code from being run from a non-executable memory region. In most cases, code running from the non-executable memory region is an abnormal event. This mostly occurs when a buffer overflow happens and the malicious exploit is attempting to execute code from these non-executable memory regions. DEP is available on 64-bit Windows platforms.

Supported Operating Systems: This feature is available on these Windows operating systems:

• 64-bit - Windows XP, Windows 2003, Windows 2003 R2, Windows 2008, Windows 2008 R2, Windows Vista, Windows 7, and Windows 7 Embedded

This feature is not available on the IA64 architecture.

Default State: Enabled

Event generated: NX_VIOLATION_DETECTED

Technique: VASR - Virtual Address Space Randomization (mp-vasr), with these sub-features:

• mp-vasr-rebase

• mp-vasr-randomization

• mp-vasr-relocation (for 32-bit Windows XP, Windows 2003, and Windows 2003 R2)

• mp-vasr-reloc (for 64-bit Windows XP, Windows 2003, and Windows 2003 R2)

Description: Although VASR is similar to the ASLR (Address Space Layout Randomization) technique available on the Windows platform, VASR is more than just ASLR. Windows ASLR randomizes the addresses where modules are loaded to help prevent an attacker from leveraging data from predictable locations. The problem with ASLR is that all modules have to use a compile-time flag to opt into this. VASR is available on older Windows operating systems that do not support ASLR. The aim of this technique is that malicious code that expects useful functions or data to be located at fixed addresses does not find the functions or data there. VASR will stop Return-Oriented Programming (ROP) based attacks by adopting this approach:

1 Stack or heap randomization - Randomize the location of the stack or heap in each process.

2 Code relocation - Randomize the location of code in memory.

If an exploit tries to work with fixed addresses, the associated process may crash. No event will be generated.

Supported Operating Systems: This feature is available on these Windows operating systems:

• 32-bit - Windows XP, Windows 2003, and Windows 2003 R2

• 64-bit - Windows XP, Windows 2003, and Windows 2003 R2

Default State:

• Disabled on 32-bit

• Enabled on 64-bit

Event generated: No event is generated

Technique: Forced DLL Relocation (mp-vasr-forced-relocation)

Description: This feature forces relocation of those dynamic-link libraries (DLLs) that have opted out of Windows' native ASLR feature. Some malware rely on these DLLs always getting loaded at the same and known addresses. By relocating such DLLs, these attacks are prevented.

Supported Operating Systems: This feature is available on the Windows Vista (both 32 and 64 bit), Windows 7 (both 32 and 64 bit), Windows 2008 (both 32 and 64 bit), and Windows 2008 R2 (64 bit) operating systems.

Default State: Enabled

Event generated: VASR_VIOLATION_DETECTED

Occasionally, some applications (as part of their day-to-day processing) may run code in an atypical way and hence may be prevented from running by the memory-protection techniques. To allow such applications to run, you can define specific rules to bypass the memory-protection techniques. For more information, see Define bypass rules.

What are rule groups?

A rule group is a collection of rules. Although you can directly add rules to any McAfee ePO-based policy, the rules defined within a policy are specific to that policy. In contrast, a rule group is an independent unit that collates a set of similar or related rules.

After you define a rule group, you can reuse the rules within the rule group by associating the rule group with different policies. Also, if you need to modify a rule, simply update the rule in the rule group and the change cascades across all associated policies automatically.

Application Control provides predefined rule groups to allow commonly-used applications to run smoothly. Although you cannot edit the predefined rule groups, you can use an existing rule group as a starting point to develop your rule groups. You can create a copy of an existing rule group and edit it to add more rules or create a new rule group. If needed, you can also import or export rule groups.

If you need to define similar rules across policies, using rule groups can drastically reduce the effort required to define rules. If you have a large setup and are deploying the software across numerous endpoints, we recommend you use rule groups to minimize the deployment time and effort.

Consider an example. An organization runs Oracle on multiple servers. Each of these servers is used by the HR, Engineering, and Finance departments for different purposes. To reduce rule redundancy, we define an Application Control rule group (named AC-Oracle) containing rules to define the relevant updaters for Oracle to function.

After the rule group is defined, we can reuse these rule groups across policies for the HR, Engineering, and Finance departments. So, when defining the HR Servers policy, add the AC-Oracle rule group to the policy along with rule groups for the other applications installed on the HR server. Similarly, add the AC-Oracle rule group to the relevant policies for the Engg Servers and Fin Servers. After defining the policies, if you realize that the rule for a critical file was not created, directly update the rule group and all the policies will be updated automatically.


Manage rule groups

Create and manage rule groups to export the rule group configuration from the source to the target McAfee ePO server.

Tasks

• Create a rule group on page 61: Create a rule group to specify the required rules.

• Import or export a rule group on page 62: If you need to replicate rule group configuration from one McAfee ePO server to another, export the rule group configuration from the (source) McAfee ePO server to an XML file and import the XML file to the (target) McAfee ePO server.

• View assignments for a rule group on page 62: Instead of navigating through all the created policies, you can directly view all the policies in which a rule group is being used. This feature provides a convenient way to verify if each rule group is assigned to the relevant policies.

Create a rule group

Create a rule group to specify the required rules.

Task

For option definitions, click ? in the interface.

1 On the McAfee ePO console, select Menu | Configuration | Solidcore Rules.

2 Select Application Control from the Rule Groups tab.

You can use an existing rule group as a starting point or define a new rule group from scratch. To modify an existing rule group, complete steps 3, 5, 6, and 7. To define a new rule group, complete steps 4, 5, 6, and 7.

3 Create a rule group based on an existing rule group.

a Click Duplicate for an existing rule group.

The Duplicate Rule Group dialog box appears.

b Specify the rule group name, then click OK.

The rule group is created and listed on the Rule Groups page.

4 Define a new rule group.

a Click Add Rule Group to open the Add Rule Group dialog box.

b Specify the rule group name.

c Select the rule group type and platform.

d Click OK.

The rule group is created and listed on the Rule Groups page.

5 Click Edit for the rule group.

6 Specify the required rules.

For information on how to define rules, see How do I manage protected endpoints? and How do I define rules?.

7 Click Save Rule Group.


Import or export a rule group

If you need to replicate rule group configuration from one McAfee ePO server to another, export the rule group configuration from the (source) McAfee ePO server to an XML file and import the XML file to the (target) McAfee ePO server.

You can also export rule groups into an XML file, edit the XML file to make the required changes to rule groups, and import the file to the McAfee ePO server to use the changed rule groups.

When importing or exporting rule groups containing Trusted Groups, make sure the Active Directory server on the source McAfee ePO server and destination McAfee ePO server are configured using the same domain name or server name (or IP address).

Task

For option definitions, click ? in the interface.

1 On the McAfee ePO console, select Menu | Configuration | Solidcore Rules.

2 Complete one of these tasks from the Rule Groups tab.

• To import rule groups, click Import, browse and select the rule groups file, and click OK. While importing, you can specify whether to override rule groups (if you are importing a rule group with the same name as an existing rule group).

• To export selected rule groups to an XML file, select the rule groups, click Export, and save the file.
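The two properties this chapter relies on, a rule group being shared by reference so that one fix cascades to every policy (the AC-Oracle example in What are rule groups?) and the export/import round-trip with its override-on-name-clash choice, can be modelled in a few lines. The Python below is an added illustration and not the product's code: the XML layout is a constructed stand-in because this page does not document the real export schema, the (kind, value) rule tuples are a simplification, and the AC-Oracle rule values are invented sample data.

```python
"""Rule-group reuse and XML round-trip between servers (added example).

Illustration only, not the product's code: the XML layout is a constructed
stand-in for the undocumented export schema, and rules are (kind, value) tuples.
"""
import xml.etree.ElementTree as ET


class RuleGroup:
    def __init__(self, name, rule_type="Application Control", platform="Windows", rules=None):
        self.name = name
        self.rule_type = rule_type
        self.platform = platform
        self.rules = list(rules or [])   # e.g. ("updater", "oracle.exe"); sample values are constructed


class RuleGroupStore:
    """Rule groups known to one McAfee ePO server, keyed by name."""

    def __init__(self):
        self.groups = {}

    def add(self, group, override=False):
        """Store a group; refuse a name clash unless override is requested (the import option)."""
        if group.name in self.groups and not override:
            return False
        self.groups[group.name] = group
        return True

    def export_xml(self, names):
        root = ET.Element("RuleGroups")
        for name in names:
            g = self.groups[name]
            ge = ET.SubElement(root, "RuleGroup", name=g.name, type=g.rule_type, platform=g.platform)
            for kind, value in g.rules:
                ET.SubElement(ge, "Rule", kind=kind).text = value
        return ET.tostring(root, encoding="unicode")

    def import_xml(self, xml_text, override=False):
        """Return (imported names, skipped names)."""
        imported, skipped = [], []
        for ge in ET.fromstring(xml_text).findall("RuleGroup"):
            rules = [(r.get("kind"), r.text) for r in ge.findall("Rule")]
            group = RuleGroup(ge.get("name"), ge.get("type"), ge.get("platform"), rules)
            (imported if self.add(group, override) else skipped).append(group.name)
        return imported, skipped


class Policy:
    """A policy owns its direct rules and references shared rule groups by name, not by copy."""

    def __init__(self, name, rule_group_names=()):
        self.name = name
        self.direct_rules = []
        self.rule_group_names = list(rule_group_names)

    def effective_rules(self, store):
        rules = list(self.direct_rules)
        for gname in self.rule_group_names:
            rules.extend(store.groups[gname].rules)
        return rules


def oracle_scenario():
    """Walk through the AC-Oracle example; all rule values here are constructed."""
    source = RuleGroupStore()
    oracle = RuleGroup("AC-Oracle", rules=[("updater", "oracle.exe"), ("updater", "tnslsnr.exe")])
    source.add(oracle)
    policies = [Policy(n, ["AC-Oracle"]) for n in ("HR Servers", "Engg Servers", "Fin Servers")]
    before = [len(p.effective_rules(source)) for p in policies]

    # A critical rule was missed: fix it once in the rule group and every policy picks it up.
    oracle.rules.append(("updater", "sqlplus.exe"))
    after = [len(p.effective_rules(source)) for p in policies]

    # Replicate to a second server that already holds a stale AC-Oracle group.
    xml_text = source.export_xml(["AC-Oracle"])
    target = RuleGroupStore()
    target.add(RuleGroup("AC-Oracle", rules=[("updater", "oracle.exe")]))
    first_try = target.import_xml(xml_text, override=False)   # name clash: skipped
    second_try = target.import_xml(xml_text, override=True)   # override: replaced
    return {
        "before": before, "after": after,
        "first_try": first_try, "second_try": second_try,
        "target_rules": len(target.groups["AC-Oracle"].rules),
    }
```

The design point is that Policy stores rule-group names rather than copies of the rules; that is what makes the late sqlplus.exe fix show up in all three policies, and it is also why an import that overrides a same-named group silently changes every policy on the target server that references it, which is worth checking with View assignments for a rule group before choosing override.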

View assignments for a rule group

Instead of navigating through all the created policies, you can directly view all the policies in which a rule group is being used. This feature provides a convenient way to verify if each rule group is assigned to the relevant policies.

Task

For option definitions, click ? in the interface.

1 On the McAfee ePO console, select Menu | Configuration | Solidcore Rules.

2 On the Rule Groups tab, click Assignments for a rule group to view the policies to which the selected rule group is assigned.

Manage certificates

Add a certificate or publisher prior to defining rules to permit installation and execution of all software signed by the certificate. You can add a certificate regardless of whether the certificate is an internal certificate or is issued to the vendor by a Certificate Authority.

Application Control supports only X.509 certificates.

After you add a certificate and define it as a trusted publisher, all applications signed by the certificate are allowed. Also, all applications and binary files either added or modified on an endpoint that are signed by the certificate are automatically added to the whitelist.


Tasks

• Add a certificate on page 63: You can use one of these methods to add a certificate.

• Assign a certificate on page 64: After you add a certificate, you can assign it to a policy or rule group.

• Search for a certificate on page 64: Search for a certificate based on the category.

• View assignments for a certificate on page 65: This feature provides a convenient way to verify if each certificate is assigned to the relevant policies and rule groups.

Add a certificate

You can use one of these methods to add a certificate.

• Upload an existing certificate available to you

• Immediately extract certificates from one or more signed binary files present on a network share

• Schedule a server task to routinely extract certificates from one or more signed binary files present on a network share

Task

For option definitions, click ? in the interface.

1 Upload an available certificate by completing these steps.

a On the McAfee ePO console, select Menu | Configuration | Solidcore Rules.

b Switch to the Publishers tab.

c Select Actions | Upload to open the Upload Certificate page.

d Browse and select the certificate file to import, then click Upload.

2 Extract certificates associated with one or more signed binary files present on a network share by completing these steps.

a Select Menu | Configuration | Solidcore Rules.

b Switch to the Publishers tab.

c Select Actions | Extract Certificates to open the Extract Certificate from Binary page.

d Type the path of the binary file.

Make sure that the file path is accessible from the McAfee ePO server.

e Specify the network credentials to access the specified network location.

f Click Extract.

3 Schedule and extract the certificates associated with one or more signed binary files present on a network share on a regular basis by completing these steps.

a Select Menu | Automation | Server Tasks.

b Click New Task to open the Server Task Builder wizard.

c Type the task name, then click Next.

d Select Solidcore: Scan a Software Repository from the Actions drop-down list.


e Specify the repository path.

All subfolders in the specified path are also scanned for installers and publishers.

f Specify the network credentials to access the specified network location.

g Click Test Connection to make sure that the specified credentials work.

h Select Add extracted certificates and installers to Rule Group to add the certificates and installers extracted by the task to a user-defined rule group and select the user-defined rule group from the list.

You can add extracted certificates and installers only to user-defined rule groups.

i Click Next, then specify the schedule for the task.

j Click Next to open the Summary page.

k Review the task summary, then click Save.

If needed, you can specify an alias or friendly name for a certificate. Complete these steps to specify the friendly name for a certificate:

1 Select Menu | Configuration | Solidcore Rules.

2 Switch to the Publishers tab.

3 Select a certificate.

4 Click Actions | Edit to open the Edit window.

5 Enter the friendly name, then click OK.

Assign a certificate

After you add a certificate, you can assign it to a policy or rule group.

Task

For option definitions, click ? in the interface.

1 Assign a certificate to a policy by defining a trusted publisher in a policy.

For more information, see Design the trust model and How do I define rules?.

2 Assign a certificate to an existing rule group.

a On the McAfee ePO console, select Menu | Configuration | Solidcore Rules.

b Switch to the Publishers tab.

c Select the certificates to add to a rule group.

d Click Actions | Add to Rule Group to open the Add to Rule Group dialog box.

e Select the user-defined rule group in which to add the certificates, then click OK.

Alternatively, you can assign a certificate to a user-defined rule group by using the Menu | Configuration | Solidcore Rules | Rule Groups page. For more information, see Create a rule group.

Search for a certificate

Search for a certificate based on the category.


Task

For option definitions, click ? in the interface.

1 On the McAfee ePO console, select Menu | Configuration | Solidcore Rules.

2 Switch to the Publishers tab.

3 Select a category to sort the listed certificates.

• Issued to — Sorts the list based on the name of the organization that publishes the certificate.

• Issued by — Sorts the list based on the name of the signing authority.

• Extracted From — Sorts the list based on the path of the binary file from which the certificate was extracted.

• Friendly Name — Sorts the list based on the friendly name of the certificate.

4 Type the string to search for and click Search.

View assignments for a certificate

This feature provides a convenient way to verify if each certificate is assigned to the relevant policies and rule groups.

Task

For option definitions, click ? in the interface.

1 On the McAfee ePO console, select Menu | Configuration | Solidcore Rules.

2 Switch to the Publishers tab.

3 Select a publisher and click Actions | Check Assignments.

The Publisher Assignments dialog box lists the rule groups and policies to which the selected certificate is assigned.

Manage installers

Prior to defining rules to permit an installer to install or update software on endpoints, you must add the installer. You can add an executable binary or script file as an installer.

Tasks

• Add an installer on page 66: You can use one of these methods to add an installer.

• Assign an installer on page 66: After you add an installer, you can assign it to a policy or rule group. Use this task to assign an installer to a policy or rule group.

• Search for an installer on page 67: Search for an installer based on the category.

• View assignments for an installer on page 67: This feature provides a convenient way to verify if each installer is assigned to the relevant policies and rule groups.


Add an installer

You can use one of these methods to add an installer.

• Add an existing installer available to you

• Schedule a server task to routinely add installers

Task

For option definitions, click ? in the interface.

1 Add an existing installer by completing these steps.

a On the McAfee ePO console, select Menu | Configuration | Solidcore Rules.

b Switch to the Installers tab.

c Select Actions | Add Installer to open the Add Installer page.

d Enter the installer details.

e Click Add.

2 Schedule and add installers present on a network share on a regular basis by completing these steps.

a Select Menu | Automation | Server Tasks.

b Click New Task to open the Server Task Builder wizard.

c Type the task name, then click Next.

d Select Solidcore: Scan a Software Repository from the Actions drop-down list.

e Specify the repository path.

All subfolders in the specified path are also scanned for installers and publishers.

f Specify the network credentials to access the specified network location.

g Click Test Connection to make sure that the specified credentials work.

h Select Add extracted certificates and installers to Rule Group to add the certificates and installers extracted by the task to a user-defined rule group and select the user-defined rule group from the list.

You can add extracted certificates and installers only to user-defined rule groups.

i Click Next.

j Specify the schedule for the task.

k Click Next to open the Summary page.

l Review the task summary, then click Save.

Assign an installer

After you add an installer, you can assign it to a policy or rule group. Use this task to assign an installer to a policy or rule group.


Task

For option definitions, click ? in the interface.

1 Assign an installer to a policy by defining a trusted installer in a policy.

For more information, see Design the trust model and How do I define rules?.

2 Assign an installer to an existing rule group.

a On the McAfee ePO console, select Menu | Configuration | Solidcore Rules.

b Switch to the Installers tab.

c Select the installers to assign to a rule group.

d Click Actions | Add to Rule Group to open the Add to Rule Group dialog box.

e Select the user-defined rule group in which to add the installers, then click OK.

Alternatively, you can assign an installer to a user-defined rule group by using the Menu | Configuration | Solidcore Rules | Rule Groups page. For more information, see Create a rule group.

Search for an installer

Search for an installer based on the category.

Task

For option definitions, click ? in the interface.

1 On the McAfee ePO console, select Menu | Configuration | Solidcore Rules.

2 Switch to the Installers tab.

3 Select a category to sort the listed installers.

• Installer Name — Sorts the list based on the name of the installer.

• Vendor — Sorts the list based on the name of the vendor who published the installer.

4 Type the installer or vendor name to search for, then click Search.

View assignments for an installer

This feature provides a convenient way to verify if each installer is assigned to the relevant policies and rule groups.

Task

For option definitions, click ? in the interface.

1 On the McAfee ePO console, select Menu | Configuration | Solidcore Rules.

2 Switch to the Installers tab.

3 Select an installer and click Actions | Check Assignments. The Installer Assignments dialog box lists the rule groups and policies to which the selected installer is assigned.

4 Click OK.


7 Deploying Application Control in Observe mode

You can place endpoints in Observe mode to perform a test run for the Application Control product. You can also use Observe mode to discover policy rules to run a new application before enterprise-wide deployment on endpoints already running Application Control.

Observe mode is available on all supported Windows platforms except Windows NT and Windows 2000.Observe mode is not available on the UNIX platforms.

Contents

What are observations?
Deploying in Observe mode
Configure the feature
Place endpoints in Observe mode
Manage requests
Throttle observations
Exit Observe mode

What are observations?

Observations record all activity for managed endpoints.

When running in Observe mode, Application Control allows all operations on the endpoints; no action is blocked. Instead, for each action that Application Control would block in Enabled mode, a corresponding observation is logged in Observe mode. For example, the installation of software or modification of a package generates corresponding observations.

All observations generated on an endpoint are sent to the McAfee ePO console after the agent-server communication interval (ASCI). When an endpoint is in Observe mode, no Application Control events are generated for the endpoint.

Observations are generated in Enabled mode and Observe mode.


• For a process or binary file that is assigned updater privileges, observations are generated for only memory protection-related operations in Enabled mode and Observe mode.

• For all processes or binary files that do not have updater privileges, these observations are generated in the Enabled mode and Observe mode.

  • Execution Denied

  • File Write Denied

  • ActiveX Installation Prevented

  • Process Hijack Attempted

  • Nx Violation Detected

  • Package Modification Prevented

• For network files (files placed on network paths), no observations are generated.

Deploying in Observe mode

Deploying Application Control in Observe mode involves these high-level steps.

1 Identify the staging or test endpoints for deployment.

If you have multiple types of endpoints in your setup, we recommend that you group similar types of endpoints to roll out Observe mode. This allows you to analyze product impact on each group of endpoints, discover policy groups, and validate the policies that apply to each group of endpoints.

2 Place Application Control in Observe mode for a few days and perform day-to-day tasks on the endpoints.

Requests are created based on observations generated for the endpoints. These requests allow you to discover Application Control policy rules for the software installed on the endpoints.

For detailed information, see Place the endpoints in Observe mode.

3 Periodically review and create rules for the received requests.

For detailed information, see Manage requests.

4 Validate the recently added policies by running frequently used workflows. This helps you verify if additional requests are received for the applications.

If appropriate rules are applied at the endpoints, repeat requests do not appear on the McAfee ePO console.

5 When the number of requests received reduces considerably, exit Observe mode and place the endpoints in Enabled mode.

For detailed information, see Exit Observe mode.

Configure the featureReview and edit the list of Generic Launcher Processes and Restricted Publisher Names.

You can configure these settings for the feature:


• Generic Launcher Processes — Certain processes on the Windows operating system, such as explorer.exe and iexplore.exe, start other processes and can be used to launch any software. Such processes are referred to as Generic Launcher Processes and should never be configured as updaters. A predefined list of such processes is available in Application Control. You can review and edit the list of Generic Launcher Processes. No updater rules are generated for Generic Launcher Processes at the endpoints.

• Restricted Publisher Names — Certificates from certain vendors such as Microsoft are associated with multiple commonly used applications and should not be used to define rules based on the publisher. A predefined list of such certificates is available on the Application Control configuration interface. You can review and edit the list of Restricted Publisher Names. If the binary in a request is signed by one of these certificates, you cannot create rules based on the certificate associated with the binary file.

Task

For option definitions, click ? in the interface.

1 On the McAfee ePO console, select Menu | Configuration | Server Settings | Solidcore.

2 Review and edit the list of Generic Launcher Processes.

a Review the processes listed in the Application Control: Generic Launcher Processes field.

b Click Edit to update the list.

c Add the process name to the end of this list (separated by a comma), then click Save.

3 Review and edit the list of Restricted Publishers.

a Review the names listed in the Application Control: Restricted Publisher Names field.

b Click Edit to update the list.

c Add the vendor name to the end of this list (separated by a comma), then click Save.

For example, to prevent creation of rules based on the Microsoft certificate, add Microsoft to the list.

Place endpoints in Observe mode

After installation, we recommend that you place selected endpoints in Observe mode to perform a test run for the Application Control product.

Select one endpoint for each type you have in your environment. Use one of these client tasks to place the endpoints in Observe mode:


• SC: Enable — Use this client task to place the endpoints in Observe mode after a fresh installation of Application Control.

• SC: Observe Mode — Use this client task to place existing endpoints (running in Enabled mode) in Observe mode.

Task

For option definitions, click ? in the interface.

1 On the McAfee ePO console, select Menu | Systems | System Tree.

2 Perform one of these actions.

• To apply the client task to a group, select the group in the System Tree and click the Assigned Client Tasks tab.

• To apply the client task to an endpoint, select the endpoint on the Systems page and click Actions | Agent | Modify Tasks on a Single System.

3 Click Actions | New Client Task Assignment to open the Client Task Assignment Builder page.

4 Select Solidcore 6.1.2 | SC: Enable, then click Create New Task to open the Client Task Catalog page.

a Specify the task name and add any descriptive information.

b Select these fields.

1 Select the Windows platform.

2 Select the All except NT/2000 subplatform.

3 Select the 6.0 and later version.

4 Select the Application Control option.

c Specify the scan priority.

The set scan priority determines the priority of the thread that is run to create the whitelist on the endpoints. We recommend you set the scan priority to Low. This makes sure that Application Control causes minimal performance impact on the endpoints but might take longer (than when you set the priority to High) to create the whitelist.

d Specify the activation option.

• Limited Feature Activation — Endpoints are not restarted, the whitelist is created, and limited features of Application Control (memory protection features are unavailable) are activated. Memory protection features are available only after the endpoint is restarted.

• Full Feature Activation — Endpoints are restarted, the whitelist is created, and all features of Application Control including memory protection are active. Restarting the endpoints is necessary to enable the memory protection features. The endpoint is restarted 5 minutes after the client task is received at the endpoint. A pop-up message is displayed on the endpoint before the endpoint is restarted.

e Select Start Observe Mode.

f Optionally, select Pull Inventory.

If you select this option, the inventory (including the created whitelist) is sent to McAfee ePO. We recommend that you select this option because inventory information is used in multiple workflows available from McAfee ePO.

g Click Save.

5 Click Next to open the Summary page.


6 Specify scheduling details, then click Next.

7 Review and verify the task details, then click Save.

8 Optionally, wake up the agent to send your client task to the endpoint immediately.

Manage requests

To manage enterprise-wide requests, use the Policy Discovery page. As you process generated requests and add relevant rules for your enterprise, the number of received requests gradually declines.

Starting with the 6.1.2 release, the Policy Discovery page serves as a central console to help you manage all observation and Self Approval requests. In 6.1.1 and earlier releases, the Observations page served as a central console to help you manage observations. After you install the 6.1.2 extension, observations received from endpoints running version 6.1.1 and earlier can be viewed using the deprecated Observations page.

Tasks

• Review requests on page 73
Review the requests received from the endpoints.

• Process requests on page 74
Process the received requests for your enterprise by taking relevant actions for the requests.

• Review created rules on page 78
Review and manage the global rules created for the processed requests.

Review requests

Review the requests received from the endpoints.

Task

For option definitions, click ? in the interface.

1 On the McAfee ePO console, select Menu | Application Control | Policy Discovery to open the Policy Discovery page.

After the requests are received from the endpoints, Application Control collates and groups requests based on these parameters:

• Checksum value of the binary file or cab file (if there is a request for an ActiveX control) for which the request is received

• Status of the request

• Type of request (whether the request is for a memory protection-related event)

The Activity field for each request indicates the action performed by the user on the endpoint. For example, if the user installs MSI-based software, the Activity field lists Software Installation for the request.

2 Review the listed requests by using one of these methods.

• Select an option from the Time Filter list to view requests received in a specific interval.

• Select a value for the request status from the Approval Status list to view requests that match the filter criteria.


• Enter a search string in the Quick find field and click Apply to view requests that match the specified search string.

• Sort the list based on the request prevalence, request generation time, activity, file name, application name, publisher, or trust level by clicking the column heading.

• Select requests of interest and click Show selected rows to review only the selected requests.

3 Review the individual requests that make up a collated request and detailed information for the binary file.

a Click a row to open the Policy Discovery Details page.

b Review binary details, such as cloud trust score, properties, and publisher information.

c Review the individual requests that make up the collated request.

d Click Close.
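The collation the task above describes, as an added example that is not McAfee code: constructed observation records are grouped by checksum, status and request type (memory protection-related or not), prevalence is the number of distinct endpoints per group, and the list is sorted by prevalence as the Policy Discovery page allows. The checksum strings and endpoint names are placeholders; the Restricted Publisher Names set mirrors the server setting under Configure the feature, and the Allow Locally rule is the one stated in the Allow by adding to whitelist task.

```python
"""Collate endpoint observations the way the Policy Discovery page groups requests.

Added example, not McAfee code. Observation records below are constructed and the
checksum strings are placeholders, not real file hashes.
"""
from dataclasses import dataclass, field

# Constructed observation records (one per observation sent by an endpoint).
OBSERVATIONS = [
    {"endpoint": "ws-01", "checksum": "CHK-PROC", "file": "proc.exe",
     "publisher": "Example Corp", "activity": "Application Execution",
     "status": "Pending", "memory_protection": False},
    {"endpoint": "ws-02", "checksum": "CHK-PROC", "file": "proc.exe",
     "publisher": "Example Corp", "activity": "Application Execution",
     "status": "Pending", "memory_protection": False},
    # Same binary executed twice on ws-02: a repeat, not additional prevalence.
    {"endpoint": "ws-02", "checksum": "CHK-PROC", "file": "proc.exe",
     "publisher": "Example Corp", "activity": "Application Execution",
     "status": "Pending", "memory_protection": False},
    {"endpoint": "ws-03", "checksum": "CHK-SETUP", "file": "setup.msi",
     "publisher": "Microsoft", "activity": "Software Installation",
     "status": "Pending", "memory_protection": False},
    # A memory protection-related event is collated separately by request type.
    {"endpoint": "ws-01", "checksum": "CHK-TOOL", "file": "tool.exe",
     "publisher": "Example Corp", "activity": "Application Execution",
     "status": "Pending", "memory_protection": True},
]

# Mirrors the Restricted Publisher Names server setting; Microsoft is the guide's example.
RESTRICTED_PUBLISHER_NAMES = {"Microsoft"}


@dataclass
class CollatedRequest:
    checksum: str
    status: str
    memory_protection: bool
    file: str
    publisher: str
    activity: str
    endpoints: set = field(default_factory=set)
    observation_count: int = 0

    @property
    def prevalence(self) -> int:
        """Number of distinct endpoints that reported this binary."""
        return len(self.endpoints)


def collate(observations):
    """Group observations by (checksum, status, request type) and sort by prevalence."""
    groups = {}
    for obs in observations:
        key = (obs["checksum"], obs["status"], obs["memory_protection"])
        req = groups.get(key)
        if req is None:
            req = CollatedRequest(obs["checksum"], obs["status"], obs["memory_protection"],
                                  obs["file"], obs["publisher"], obs["activity"])
            groups[key] = req
        req.endpoints.add(obs["endpoint"])
        req.observation_count += 1
    return sorted(groups.values(), key=lambda r: (-r.prevalence, r.file))


def available_actions(req):
    """Policy Discovery actions applicable to a collated request, per the guide's rules."""
    actions = ["Allow Binary Globally", "Ban Binary Globally",
               "Create Custom Policy", "Delete Requests"]
    # Allow by Publisher Globally is unavailable when the binary is signed by a
    # certificate on the Restricted Publisher Names list.
    if req.publisher not in RESTRICTED_PUBLISHER_NAMES:
        actions.append("Allow by Publisher Globally")
    # Allow Locally exists only for Application Execution requests.
    if req.activity == "Application Execution":
        actions.append("Allow Locally")
    return actions


if __name__ == "__main__":
    for r in collate(OBSERVATIONS):
        print(f"{r.file:<10} prevalence={r.prevalence} observations={r.observation_count} "
              f"memory_protection={r.memory_protection} actions={available_actions(r)}")
```

Reviewing prevalence rather than raw observation counts is what keeps repeat requests from one endpoint (the third record above) from inflating a binary's apparent spread across the enterprise.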

Process requests

Process the received requests for your enterprise by taking relevant actions for the requests.

Review each request and determine the action to take for the request.

We have optimized the software in the 6.1.1 and 6.1.2 releases to ensure that only meaningful and relevant requests are received on the McAfee ePO console. However, if needed you can define exclusion rules to further prune routine or system-generated observations not relevant for your setup. Manually define exclusion rules for any process by using the Filters tab in the Application Control policy.

Tasks

• Allow by checksum on all endpoints on page 74
Define rules to allow an application or binary file to run on all endpoints in the enterprise based on the checksum value of the binary file.

• Allow by publisher on all endpoints on page 75
Define rules to allow an application, binary file, or ActiveX control to run on all endpoints in the enterprise based on the publisher associated with the file.

• Ban by checksum on all endpoints on page 75
Define rules to ban an application or binary file from running on all endpoints in the enterprise based on the checksum value of the binary file.

• Define custom rules for specific endpoints on page 76
Define custom rules to allow or ban an application, binary file, or ActiveX control for specific endpoints in the enterprise.

• Allow by adding to whitelist for specific endpoints on page 77
Add one or more binary files to the whitelist of an endpoint to allow the files to run on the endpoint.

• Define bypass rules for all endpoints on page 77
Define rules to allow an application or binary file to bypass applied memory protection and other techniques.

• Delete requests on page 78
Remove selected requests from the Policy Discovery page and database.

Allow by checksum on all endpoints

Define rules to allow an application or binary file to run on all endpoints in the enterprise based on the checksum value of the binary file.


Task

For option definitions, click ? in the interface.

1 On the McAfee ePO console, select Menu | Application Control | Policy Discovery to open the Policy Discovery page.

2 Select the requests for which you want to define rules.

3 Click Actions | Allow Binary Globally.

The Allow Binary Globally dialog box provides details and prompts you to confirm the action.

4 Click OK.

Rules are created for the binary files associated with the selected requests and added to the Global Rules rule group included in the McAfee Default policy. For information on how to view or edit the rules, see Review created rules.

Allow by publisher on all endpoints

Define rules to allow an application, binary file, or ActiveX control to run on all endpoints in the enterprise based on the publisher associated with the file.

Task

For option definitions, click ? in the interface.

1 On the McAfee ePO console, select Menu | Application Control | Policy Discovery to open the Policy Discovery page.

2 Select the request for which you want to define rules.

3 Click Actions | Allow by Publisher Globally.

The Allow by Publisher Globally action is unavailable if the main binary associated with the request is signed by a certificate included in the Restricted Publisher Names list.

The Allow by Publisher Globally dialog box provides details and prompts you to confirm the action. Based on the binary file associated with a selected request, the publisher is assigned or not assigned updater privileges. If the publisher has updater privileges, allowing based on publisher allows all applications signed by the publisher to make changes to existing executable files or launch new applications on the endpoints.

4 Click OK.

Rules are created for the selected request and added to the Global Rules rule group included in the McAfee Default policy.

Ban by checksum on all endpoints

Define rules to ban an application or binary file from running on all endpoints in the enterprise based on the checksum value of the binary file.

Task

For option definitions, click ? in the interface.

1 On the McAfee ePO console, select Menu | Application Control | Policy Discovery to open the Policy Discovery page.

2 Select the requests for which you want to define rules.


3 Click Actions | Ban Binary Globally.

The Ban Binary Globally dialog box provides details and prompts you to confirm the action.

4 Click OK.

Rules are created for the binary files associated with the selected requests and added to the Global Rules rule group included in the McAfee Default policy. For information on how to view or edit the rules, see Review created rules.

To ban an installer, such as an MSI-based installer, perform these steps:

• Ban the installer globally to make sure it cannot run on other endpoints in the enterprise (complete steps 3 and 4).

• Ban the files added by the installer on the endpoint where the installer was executed (complete step 5). For example, if the MSI-based installer for Mozilla Firefox 12 (Firefox-12.0-af.msi) was executed and installed on an endpoint, you must ban the files added by the installer on the endpoint.

Banning an installer that is not MSI-based or for which no binary is displayed on the Inventory user interface is also a two-step process. You must ban the installer globally to make sure it cannot run on other endpoints in the enterprise (complete steps 3 and 4). Next, you must manually search for the binary files corresponding to the application and ban the files using the Inventory user interface.

5 Ban the files that have already been added to the endpoint.

a Click the application name link.

The Binaries page lists all binary files installed on the endpoint.

b Select all listed binary files.

c Click Actions | Ban Binaries to open the Allow or Ban Binaries wizard.

d Specify the rule group for the rules.

• To add the rules to an existing rule group, select Add to Existing Rule Group, select the rule group from the list, and specify the operating system.

• To create a new rule group with the rules, select Create a New Rule Group, enter the rule group name, and specify the operating system.

Make sure that the rule group where you add the rules is added to a policy that is applied on the endpoint where the request was received.

e Click Next.

f Review the rules, then click Save.

Define custom rules for specific endpoints

Define custom rules to allow or ban an application, binary file, or ActiveX control for specific endpoints in the enterprise.

Task

For option definitions, click ? in the interface.

1 On the McAfee ePO console, select Menu | Application Control | Policy Discovery to open the Policy Discovery page.

2 Select the request for which you want to define custom rules.

3 Click Actions | Create Custom Policy to open the Policy Discovery: Custom Rules page.


4 Specify whether to allow the binary file, ban the binary file, or add the certificate as a publisher.

5 Review the prepopulated rule.

6 Edit the rule, if needed.

7 Specify the rule group for the rules.

• To add the rules to an existing rule group, select Add to an existing Rule Group and select the rule group from the list.

• To create a new rule group with the rules, select Create a new Rule Group and enter the rule group name.

8 Optionally, add the modified or created rule group to a policy.

a Select Add the Rule Group to existing Policy.

b Select the policy where you want to add the rule group.

9 Click Save.

Allow by adding to whitelist for specific endpoints

Add one or more binary files to the whitelist of an endpoint to allow the files to run on the endpoint.

Task

For option definitions, click ? in the interface.

1 On the McAfee ePO console, select Menu | Application Control | Policy Discovery to open the Policy Discovery page.

2 Click a row to review request details in the Policy Discovery Details page.

Each row in the Similar Policy Discovery Requests for Activity pane represents a binary file and endpoint combination.

3 Click Allow Locally for a row.

The Allow Locally dialog box lists one or more paths to add to the whitelist.

The Allow Locally action is available only for requests that are generated when you execute an application that is not in the whitelist (Application Execution activity).

4 Review and customize the listed paths.

For example, if you execute proc.exe for an endpoint, the following paths might be listed.

C:\Program Files\App Name\proc.exe

C:\Program Files\App Name\a.dll

C:\Program Files\App Name\b.dll

To avoid redundancy, we recommend that you add only the C:\Program Files\App Name path.

5 Click OK.

The specified paths are added to the whitelist and allowed to run on the endpoint.
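The path consolidation recommended in step 4, as an added example that is not McAfee code: the three listed paths are the guide's own sample paths, and the consolidation and prefix-matching logic is this example's, written to show that a single directory entry covers the listed files (and any further files under that directory) while the individual file entries become redundant. It uses Python's ntpath module so that Windows-style paths are compared case-insensitively on any platform.

```python
"""Consolidate Allow Locally paths into one directory entry and check coverage.

Added example, not McAfee code. The three paths are the guide's own sample paths;
the consolidation and matching logic are this example's, written to show why a
single directory entry is sufficient.
"""
import ntpath

LISTED_PATHS = [
    r"C:\Program Files\App Name\proc.exe",
    r"C:\Program Files\App Name\a.dll",
    r"C:\Program Files\App Name\b.dll",
]


def _norm(path):
    # Windows paths are case-insensitive; normalise case and separators for comparison.
    return ntpath.normcase(ntpath.normpath(path))


def consolidate(paths):
    """Return [common directory] when all paths share a directory below the drive root,
    otherwise return the paths unchanged (nothing safe to collapse)."""
    paths = list(paths)
    if len(paths) < 2:
        return paths
    try:
        common = ntpath.commonpath(paths)
    except ValueError:  # mixed drives, or absolute and relative paths together
        return paths
    _drive, tail = ntpath.splitdrive(common)
    if tail in ("", "\\"):  # only the drive root is shared: keep the explicit paths
        return paths
    return [common]


def is_covered(path, entries):
    """True if `path` equals a whitelist entry or lies below a directory entry."""
    target = _norm(path)
    for entry in entries:
        e = _norm(entry)
        if target == e or target.startswith(e.rstrip("\\") + "\\"):
            return True
    return False


def redundant_entries(entries):
    """Entries already covered by another entry in the same list."""
    return [e for e in entries
            if any(o != e and is_covered(e, [o]) for o in entries)]


if __name__ == "__main__":
    entry = consolidate(LISTED_PATHS)
    print("whitelist entry:", entry)
    print("redundant if kept:", redundant_entries(LISTED_PATHS + entry))
```

The drive-root check matters: two files that share nothing but C:\ must not be collapsed into a whitelist entry for the whole drive, which would allow far more than the request asked for.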

Define bypass rules for all endpoints

Define rules to allow an application or binary file to bypass applied memory protection and other techniques.


Task

For option definitions, click ? in the interface.

1 On the McAfee ePO console, select Menu | Application Control | Policy Discovery to open the Policy Discovery page.

2 Select the request for which you want to define bypass rules.

3 Click Actions | Bypass Memory Protection Globally.

4 When prompted to confirm, click OK.

Rules are created for the selected request and added to the Global Rules rule group included in the McAfee Default policy.

Delete requests

Remove selected requests from the Policy Discovery page and database.

To ensure optimal performance, the Solidcore: Auto Purge Policy Discovery Requests server task is run weekly to purge policy discovery requests older than three months.

Task

For option definitions, click ? in the interface.

1 On the McAfee ePO console, select Menu | Application Control | Policy Discovery to open the Policy Discovery page.

2 Select the requests to delete.

3 Click Actions | Delete Requests.

4 When prompted to confirm, click OK.

All selected collated requests and the individual requests they contain are deleted from the page and database.

Review created rules

Review and manage the global rules created for the processed requests.

Task

For option definitions, click ? in the interface.

1 On the McAfee ePO console, select Menu | Configuration | Solidcore Rules.

2 On the Rule Groups tab, select these options.

• Application Control type.

• Windows platform.

3 Navigate and locate the Global Rules rule group.

4 Click Edit for the rule group.

5 Review the included rules.

6 Edit the defined rules, if needed.

7 Click Save Rule Group.


Throttle observations

Frequently reviewing and managing requests for the generated observations allows you to define the relevant rules for your setup. If you do not process observations in a timely manner, you will continue to get similar and repeated observations from endpoints.

Also, if you place additional endpoints in Observe mode or perform multiple activities simultaneously on existing endpoints (in Observe mode), the absence of relevant rules might result in excessive generation of observations. If a high number of observations are received at the McAfee ePO server from the endpoints, the McAfee ePO interface might become sluggish.

Observation throttling helps you take care of the unresponsiveness of the McAfee ePO interface. When the number of observations received at the McAfee ePO server reaches the defined threshold, observation throttling is initiated. When observation throttling starts, these actions are taken:

• Stops further processing of observations at McAfee ePO to prevent unresponsiveness of the McAfee ePO interface.

• Applies the Throttling Rules policy to the My Organization group to prevent the generation of observations on all endpoints after the agent-server communication interval.

• Generates the Observation Request Threshold Exceeded event. This event is displayed on the Threat Event Log page and can be used to create an automatic response. For more information on creating Automatic Responses, see McAfee ePolicy Orchestrator Software Product Guide.

• Displays a warning message on the Policy Discovery page stating that observation generation has stopped.

Tasks

• Define the threshold value on page 79
By default, Application Control can process 100,000 observations in 24 hours. You can configure this setting to define the threshold value for your enterprise.

• Review filter rules on page 80
To implement throttling, rules to filter and stop all observations are added to the Stop Observation Requests rule group.

• Manage accumulated requests on page 80
Process the received requests for your enterprise by taking relevant actions for the requests. Review each request and determine the rules to define for the request.

• Restart observation generation on page 80
After you process existing requests and define rules for the accumulated requests, restart observation generation at endpoints.

Define the threshold value

By default, Application Control can process 100,000 observations in 24 hours. You can configure this setting to define the threshold value for your enterprise. When the number of observations received at the McAfee ePO server in the last 24 hours reaches the defined threshold, observation throttling is initiated.

Task

For option definitions, click ? in the interface.

1 On the McAfee ePO console, click Menu | Configuration | Server Settings.

2 From the Setting Categories pane, select Solidcore.

3 Modify the value of the Observe Mode: Observation requests threshold value at which to initiate throttling and suspend observation generation setting.
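The throttling behaviour described under Throttle observations and the threshold set in this task, as an added simulation that is not McAfee code: observations arriving at the server are counted in a sliding 24-hour window, and reaching the threshold stops further processing, assigns the Throttling Rules policy to My Organization, raises the Observation Request Threshold Exceeded event and sets the Policy Discovery warning. The 100,000-in-24-hours default and those names are the guide's; the class layout, the sliding-window bookkeeping, the constructed arrival times, and what Enable Observation Generation does to the policy assignment and the window are this example's assumptions.

```python
"""Simulate observation throttling at the McAfee ePO server.

Added example, not McAfee code. The 100,000-in-24-hours default, the Throttling
Rules policy, the My Organization group and the Observation Request Threshold
Exceeded event are as the guide describes them; the sliding-window bookkeeping,
the class layout and the constructed timestamps are this example's own, and what
happens on restart (policy removed, window reset) is an assumption.
"""
from collections import deque
from datetime import datetime, timedelta

DEFAULT_THRESHOLD = 100_000            # Observe Mode threshold default from the guide
WINDOW = timedelta(hours=24)
START = datetime(2013, 1, 1)           # constructed reference time for the simulation


class ObservationThrottle:
    def __init__(self, threshold=DEFAULT_THRESHOLD, window=WINDOW):
        self.threshold = threshold
        self.window = window
        self.received = deque()           # arrival times still inside the window
        self.throttled = False
        self.policy_assignments = {}      # group -> assigned policy
        self.events = []                  # (time, event name) as on the Threat Event Log page
        self.processed = 0
        self.unprocessed = 0

    def _expire(self, now):
        # Drop arrivals older than the window so only the last 24 hours count.
        while self.received and now - self.received[0] >= self.window:
            self.received.popleft()

    def receive(self, arrived_at):
        """Handle one observation arriving at the server; return True if processed."""
        self._expire(arrived_at)
        if self.throttled:
            self.unprocessed += 1         # processing has stopped to keep the console responsive
            return False
        self.received.append(arrived_at)
        self.processed += 1
        if len(self.received) >= self.threshold:
            self._start_throttling(arrived_at)
        return True

    def _start_throttling(self, now):
        """The actions the guide lists when the threshold is reached."""
        self.throttled = True
        self.policy_assignments["My Organization"] = "Throttling Rules"
        self.events.append((now, "Observation Request Threshold Exceeded"))

    def policy_discovery_warning(self):
        return "Observation generation has stopped." if self.throttled else ""

    def enable_observation_generation(self):
        """Enable Observation Generation on the Policy Discovery page. Removing the
        Throttling Rules assignment and resetting the window are assumptions."""
        self.throttled = False
        self.policy_assignments.pop("My Organization", None)
        self.received.clear()


def simulate(offsets_minutes, threshold=DEFAULT_THRESHOLD):
    """Feed observations arriving at START + offset (in minutes) through a throttle."""
    throttle = ObservationThrottle(threshold=threshold)
    for minutes in offsets_minutes:
        throttle.receive(START + timedelta(minutes=minutes))
    return throttle


if __name__ == "__main__":
    t = simulate([0, 1, 2, 3, 4], threshold=3)   # small threshold for the demo
    print(t.policy_discovery_warning(), t.events, t.processed, t.unprocessed)
```

The window logic is the reason the threshold is worth tuning per enterprise: a fleet that legitimately produces many observations per day during rollout trips the default sooner, while a large burst on a handful of endpoints that has already aged out of the window no longer counts against it.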


Review filter rules

To implement throttling, rules to filter and stop all observations are added to the Stop Observation Requests rule group. This rule group is read-only and is assigned to the default read-only Throttling Rules policy. Initially, this policy is not assigned to any system or group. When the number of observations reaches the defined threshold, this policy is applied to My Organization (all systems and groups in your organization).

Task

For option definitions, click ? in the interface.

1 On the McAfee ePO console, click Menu | Policy | Policy Catalog.

2 Select the Solidcore 6.1.2: Application Control product.

3 Click the Throttling Rules policy.

4 From the Rule Groups pane, select Stop Observation Requests.

5 Select the Filters tab.

6 Review the listed rules.

Manage accumulated requests

Process the received requests for your enterprise by taking relevant actions for the requests. Review each request and determine the rules to define for the request. For information on how to manage requests, see Manage requests.

Restart observation generation

After you process existing requests and define rules for the accumulated requests, restart observation generation at endpoints.

Task

For option definitions, click ? in the interface.

1 On the McAfee ePO console, click Menu | Application Control | Policy Discovery.

The Policy Discovery page displays a message stating that the observation generation has stopped.

2 In the warning message, click Enable Observation Generation.

Exit Observe mode

Perform these steps to exit Observe mode.

Task

1 Select Menu | Systems | System Tree.

2 Perform one of these actions.

• To apply a client task to a group, select the group in the System Tree and switch to the Assigned Client Tasks tab.

• To apply a client task to an endpoint, select the endpoint on the Systems page and click Actions | Agent | Modify Tasks on a Single System.

3 Click Actions | New Client Task Assignment to open the Client Task Assignment Builder page.


4 Select the Solidcore 6.1.2 | SC: Observe Mode and click Create New Task to open the Client Task Catalog page.

5 Specify the task name and add any descriptive information.

6 Select End Observe Mode.

7 Specify whether to place the endpoints in Enabled or Disabled mode.

8 Click Save, then click Next to open the Schedule page.

9 Specify scheduling details and click Next.

10 Review and verify the task details and click Save.

11 Optionally, wake up the agent to send your client task to the endpoint immediately.


8 Monitoring your protection

When Application Control is running in Enabled mode, only authorized programs can run (executable binary and script files), unauthorized programs cannot run, and authorized programs cannot be changed. Application Control provides various methods to allow changes to the managed endpoints while in Enabled mode.

You can choose to define updaters, publishers, installers, trusted users, and trusted directories. Also, to perform ad-hoc changes to the endpoints, you can place the endpoints in Update mode. For detailed information on each method, see How do I manage protected endpoints?.

Contents

Enable Application Control
Review predefined rules
Review events
Define rules
ActiveX controls

Enable Application Control

Place the endpoints in Enabled mode to activate the Application Control software.

If the endpoints are running in Observe mode, we recommend you use the SC: Observe Mode client task to exit Observe mode and place the endpoints in Enabled mode. For detailed instructions, see Exit Observe mode.

Task

For option definitions, click ? in the interface.

1 On the McAfee ePO console, select Menu | Systems | System Tree.

2 Perform one of these actions.

• To apply the client task to a group, select a group in the System Tree and switch to the Assigned Client Tasks tab.

• To apply the client task to an endpoint, select the endpoint on the Systems page, then click Actions | Agent | Modify Tasks on a Single System.

3 Click Actions | New Client Task Assignment to open the Client Task Assignment Builder page.

4 Select Solidcore 6.1.2 | SC: Enable, then click Create New Task to open the Client Task Catalog page.

5 Specify the task name and add any descriptive information.


6 Select these fields.

a Select the platform.

b Select the subplatform (only for the Windows and Unix platforms).

c Select the version (only for the All except NT/2000 subplatform).

d Select the Application Control option.

7 Complete these steps to enable Application Control.

The steps depend on the Solidcore client version.

On Solidcore client version 5.1.2 or earlier (UNIX) or 5.1.5 or earlier (Windows):

1 Select Perform Initial Scan to create whitelist to create the whitelist when enabling Application Control.

Application Control requires the creation of a list of all trusted executable files present on the endpoint system (known as the whitelist). The one-time activity of creating the whitelist is known as whitelisting or solidification. You can choose to create the inventory while enabling the Solidcore client or defer creating it until later.

If you defer the scan, run the SC: Initial Scan to create whitelist client task after the SC: Enable task is applied and the system is restarted.

2 Select Force Reboot with the task to restart the endpoint after solidification is complete.

Restarting the system is necessary to enable the software. A pop-up message is displayed at the endpoint 5 minutes before the endpoint is restarted. This allows the user to save work and data on the endpoint.

On Solidcore client version 6.1.0 or later (UNIX):

Deselect Force Reboot with the task. When using Solidcore client version 6.1.0 or later, restarting the system is not necessary to enable the software.

On Solidcore client version 6.0.0 or later (Windows):

Solidcore client version 6.1 is not available for the Windows NT, Windows 2000, HP-UX, Solaris, and WindRiver Linux platforms.

1 Specify the scan priority.

The set scan priority determines the priority of the thread that is run to create the whitelist on the endpoints. We recommend you set the scan priority to Low. This makes sure that Application Control causes minimal performance impact on the endpoints but might take longer (than when you set the priority to High) to create the whitelist.

2 Specify the activation option.

• Limited Feature Activation — The endpoints are not restarted and limited features of Application Control (memory protection features are unavailable) are activated. Memory Protection features are available only after the endpoint is restarted.

• Full Feature Activation — The endpoints are restarted, the whitelist is created, and all features of Application Control including Memory Protection are active. Restarting the endpoints is necessary to enable the memory protection features. The endpoint is restarted 5 minutes after the client task is received at the endpoint. A pop-up message is displayed on the endpoint before the endpoint is restarted.

3 Select Start Observe Mode to place the endpoints in Observe mode.

The Observation mode feature is available only on Windows.

4 Optionally, select Pull Inventory.

If you select this option, the software fetches the inventory details for the endpoints (after the whitelist is created) and makes the details available on the McAfee ePO console when the ASCI lapses. We recommend you select this option if you want to manage the inventory using the McAfee ePO console.

8 Click Save.

9 Click Next to open the Schedule page.

10 Specify scheduling details, then click Next.

11 Review and verify the task details, then click Save.

12 Optionally, wake up the agent to send your client task to the endpoint immediately.

Review predefined rules

Application Control includes predefined rules to allow multiple commonly used applications, such as Oracle and Adobe Acrobat, to run. By default, these rules are applied to the global root in the system tree and hence are inherited by all McAfee ePO-managed endpoints. As soon as an endpoint connects to McAfee ePO, the McAfee Default policy applicable to the endpoint's operating system comes into play. We recommend that you do not remove the McAfee Applications (McAfee Default) and McAfee Default policies from My Organization.

Review the predefined rules included in the McAfee Default policy.

Task

For option definitions, click ? in the interface.

1 On the McAfee ePO console, select Menu | Policy | Policy Catalog.

2 Select the Solidcore 6.1.2: Application Control product.

All policies for all categories are listed. A McAfee Default policy exists for each supported operating system.

3 Open the relevant policy.

4 Review the rules.

5 Click Cancel.


Review events

Any action to change or execute a file or program on a protected system causes Application Control to prevent the action and generate a corresponding event on the endpoint. All generated events for managed systems are sent to the McAfee ePO server. Review and manage the generated events to monitor the status of the managed endpoints.

Task

For option definitions, click ? in the interface.

1 On the McAfee ePO console, select Menu | Reporting | Solidcore Events.

2 Specify the time duration for which to view events by selecting an option from the Time Filter list.

3 Specify the endpoints for which to view events.

a Select the required group in the System Tree.

b Select an option from the System Tree Filter list.

4 Optionally, view only specific events by applying one or more filters.

a Click Advanced Filters to open the Edit Filter Criteria page.

b Select an available property.

c Specify the comparison and value for the property.

For example, to view only Execution Denied events, select the Event Display Name property, set comparison to Equals, and select the Execution Denied value.

d Click Update Filter.

Events matching the specified criteria are displayed.

5 View event details.

a Click an event row.

b Review event details.

c Click Close.

For most events, you do not need to take any action. However, if the protection that is in effect is preventing a legitimate application from executing, you might need to define rules. For the Execution Denied, Nx Violation Detected, File Write Denied, ActiveX installation Prevented, Process Hijack Attempted, and Package Modification Prevented events, we recommend that you review requests on the Policy Discovery page and define rules, if needed.

6 Review endpoint details for one or more events.

a Select one or more events.

b Click Actions | Show Related Systems.

The Related Systems page lists the endpoints corresponding to the selected events.

c Click a row to review detailed information for the endpoint.

d Optionally, perform any action on the endpoint.


Define rules

Define rules to allow changes and override the applied protection. Use one of the available methods to define rules.

Tasks

• Create a policy on page 87

Add specific rules to a rule group or policy. Application Control policies are multi-slot policies; a user can assign multiple policies to a single node in the system tree.

• Exclude events on page 88

You can define rules to prune routine system-generated events not relevant for monitoring or auditing. Exclude or ignore events not required to meet compliance requirements.

• Define bypass rules on page 88

Define specific rules in a policy to bypass applied memory-protection and other techniques.

Create a policy

Add specific rules to a rule group or policy. Application Control policies are multi-slot policies; a user can assign multiple policies to a single node in the system tree.

Task

For option definitions, click ? in the interface.

1 On the McAfee ePO console, select Menu | Policy | Policy Catalog.

2 Select the Solidcore 6.1.2: Application Control product.

3 Click Actions | New Policy to open the New Policy dialog box.

4 Select the category.

5 Select the policy you want to duplicate from Create a policy based on this existing policy list.

To define a policy from scratch, select the Blank Template policy.

6 Specify the policy name, then click OK to open the Policy Settings page.

You can now define the rules to include in the policy. You can either add the rules to a rule group or directly add the new rules to the policy.

• To use a rule group, complete steps 7 and 9. For more information on how to create a rule group, see Create a rule group.

• To directly add the rules to the policy, complete steps 8 and 9.

7 Add a rule group to the policy.

a Select the rule group in the Rule Groups tab.

The rules included in the rule group are displayed in the various tabs.

b Review the rules.

For more information on adding new rules to the rule group, see Manage rule groups.

c Select Add in the Rule Groups tab to open the Select Rule Groups dialog box.

d Select the rule group to add, then click OK.

8 Add the rules to the policy.

For information on the rules, see Design the trust model.

9 Save the policy.


Exclude events

You can define rules to prune routine system-generated events not relevant for monitoring or auditing. Exclude or ignore events not required to meet compliance requirements.

Task

For option definitions, click ? in the interface.

1 On the McAfee ePO console, select Menu | Reporting | Solidcore Events.

2 Select the events to exclude.

3 Click Actions | Exclude Events to open the Events Exclusion wizard.

4 Select the target platform for the rules.

5 Select the rule group type, then click Next to open the Define Rules page.

6 Rules are auto-populated based on the selected events.

7 Review and refine existing rules and add new rules, as needed.

8 Click Next to open the Select Rule Group page.

9 Add the rule to an existing or new rule group, then click Save.

10 Make sure the rule group is added to the relevant policy and the policy is assigned to the endpoints.

Define bypass rules

Define specific rules in a policy to bypass applied memory-protection and other techniques. Some applications (as part of their day-to-day processing) run code in an atypical way and hence are prevented from running. To allow such applications to run, define appropriate bypass rules. A bypassed file or application is no longer considered by the memory-protection features of Application Control. Bypassing a file should be the last resort to allow an application to run and should be used judiciously.

Task

For option definitions, click ? in the interface.

1 Perform one of these tasks.

• Define a new Application Control rule group (to define bypass rules to reuse across multiple endpoints). For detailed instructions, see Create a rule group.

• Create a new Application Control policy (to apply bypass rules to a single endpoint). For detailed instructions, see Create a policy.

2 Select the Exceptions tab.

3 Click Add to open the Add Attribute window.

4 Enter the file name.

5 Select the required options.

6 Optionally, for Process Context File Operations Bypass, specify the parent to allow the file to bypass file operations only if it is launched by the specified parent.

7 Optionally, for VASR Forced-Relocation Bypass, specify the name of the DLL to relocate.

8 Click OK.


ActiveX controls

By default, Application Control prevents the installation of ActiveX controls on endpoints.

You can use the ActiveX feature to install and run ActiveX controls on endpoints. This feature is enabled by default and available on all supported Windows platforms except Windows Server 2012. This implies that policies and rules identified for ActiveX or memory protection events using the Policy Discovery page are not applicable for the Windows Server 2012 platform.

Only the Internet Explorer browser is supported for ActiveX control installations. If you are using a 64-bit operating system, installation of ActiveX controls is supported only for the 32-bit Internet Explorer application. Simultaneous installation of ActiveX controls using multiple tabs of Internet Explorer is not supported.

Here are high-level steps to help you use the ActiveX feature.

1 Apply the Common ActiveX Rules policy to the endpoints to allow users to install commonly used ActiveX controls on the endpoints. This policy is listed when you select Menu | Policy | Policy Catalog and then select the Solidcore 6.1.2: Application Control product.

2 Perform one of these tasks.

• If the ActiveX control you need to install is listed in the predefined rules, you can directly install the ActiveX control on the endpoint.

• If the ActiveX control you need to install is not listed in the predefined rules, Application Control prevents the installation of the ActiveX control on the endpoint. To allow installation of the ActiveX control, add the certificate associated with the ActiveX control as a trusted publisher. For detailed information, see Manage certificates.

3 Make sure the updated rule group is included in a policy applied to the endpoint.


9 Managing the inventory

You can review, fetch, and manage the software inventory for protected endpoints. The software inventory for an endpoint contains information about the executable binary and script files present on the endpoint. The information stored in the inventory includes complete file name, file size, checksum, file type, embedded application name, and version.

The software inventory for a managed endpoint is available on the McAfee ePO console and updated regularly based on changes made to the endpoint. You can review and manage the inventory for endpoints from the McAfee ePO console. If needed, you can also fetch inventory for endpoints. You can perform multiple tasks, such as allow or ban specific binary files, review all occurrences of an application or binary file in the enterprise, and compare the endpoint inventory with a gold system to view image deviation.

Contents

How the inventory is updated?

Trust level and score

Guidelines for fetching inventory

Fetch the inventory

Fetch McAfee GTI ratings for isolated McAfee ePO environments

Review the inventory

Manage the inventory

Set the base image

Compare the inventory

How the inventory is updated?

Inventory information available at the McAfee ePO console for endpoints is updated at regular intervals based on changes made at the endpoints.

A change to an endpoint's inventory triggers inventory information to be pushed to the McAfee ePO server after the agent-server communication interval. This keeps the inventory information at the McAfee ePO server updated with changes to inventory at the endpoints. Additionally, this avoids the need to manually fetch inventory for an endpoint to get the updated inventory.

These changes on an endpoint cause corresponding changes to the inventory information at the McAfee ePO server:

• Addition of a file

• Deletion of a file

• Modification of an existing file

• Rename of a file

• Solidification or unsolidification of a file
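The trigger list above, as an added example that is not code from the McAfee guide or product: a snapshot of an endpoint's inventory is built with the fields the guide lists (file name, size, checksum, file type), and two snapshots are diffed to classify each change as an addition, deletion, modification, or rename. The extension sets that decide what counts as a binary or script, the rename heuristic (same checksum at a new path), and the constructed sample files are assumptions; solidification state is not visible from the file system and is not modelled.

```python
"""Added example, not code from the McAfee guide or product: build an
inventory snapshot with the fields the guide lists (file name, size,
checksum, file type) and classify the differences between two snapshots
into the trigger kinds the guide names (addition, deletion, modification,
rename). Which extensions count as executable or script is an assumption."""
from __future__ import annotations

import hashlib
import os
import tempfile
from dataclasses import dataclass

# Assumed: extensions treated as "binary" or "script" inventory items.
BINARY_EXTENSIONS = {".exe", ".dll", ".sys"}
SCRIPT_EXTENSIONS = {".ps1", ".bat", ".sh", ".py"}


@dataclass(frozen=True)
class InventoryEntry:
    path: str       # path relative to the scanned root
    size: int       # file size in bytes
    sha1: str       # checksum, hex encoded
    file_type: str  # "binary" or "script"


def sha1_of_file(path: str) -> str:
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def file_type_for(name: str) -> str | None:
    ext = os.path.splitext(name)[1].lower()
    if ext in BINARY_EXTENSIONS:
        return "binary"
    if ext in SCRIPT_EXTENSIONS:
        return "script"
    return None  # not an inventory item


def snapshot(root: str) -> dict[str, InventoryEntry]:
    """Inventory every binary and script file below root, keyed by relative path."""
    entries: dict[str, InventoryEntry] = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            kind = file_type_for(name)
            if kind is None:
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            entries[rel] = InventoryEntry(rel, os.path.getsize(full), sha1_of_file(full), kind)
    return entries


def diff_inventory(old: dict[str, InventoryEntry], new: dict[str, InventoryEntry]) -> list[tuple[str, str]]:
    """Return (change kind, path) pairs. A path that disappeared and a new
    path with the same checksum are reported as one rename, not delete + add."""
    changes: list[tuple[str, str]] = []
    removed = set(old) - set(new)
    added = set(new) - set(old)
    removed_by_hash: dict[str, list[str]] = {}
    for p in sorted(removed):
        removed_by_hash.setdefault(old[p].sha1, []).append(p)
    for p in sorted(added):
        candidates = removed_by_hash.get(new[p].sha1)
        if candidates:
            src = candidates.pop(0)
            removed.discard(src)
            changes.append(("renamed", f"{src} -> {p}"))
        else:
            changes.append(("added", p))
    for p in sorted(removed):
        changes.append(("deleted", p))
    for p in sorted(set(old) & set(new)):
        if old[p].sha1 != new[p].sha1 or old[p].size != new[p].size:
            changes.append(("modified", p))
    return changes


def demo() -> list[tuple[str, str]]:
    """Constructed endpoint: take a baseline, apply one change of each kind, diff."""
    with tempfile.TemporaryDirectory() as root:
        files = {"a.exe": b"MZ-v1", "b.dll": b"MZ-lib", "tool.ps1": b"Write-Host hi", "notes.txt": b"ignored"}
        for name, data in files.items():
            with open(os.path.join(root, name), "wb") as f:
                f.write(data)
        before = snapshot(root)
        with open(os.path.join(root, "a.exe"), "wb") as f:                            # modification
            f.write(b"MZ-v2")
        os.remove(os.path.join(root, "b.dll"))                                          # deletion
        os.rename(os.path.join(root, "tool.ps1"), os.path.join(root, "tool2.ps1"))      # rename
        with open(os.path.join(root, "c.exe"), "wb") as f:                             # addition
            f.write(b"MZ-new")
        after = snapshot(root)
        return diff_inventory(before, after)


if __name__ == "__main__":
    for kind, path in demo():
        print(f"{kind:9} {path}")
```

The rename heuristic deliberately keys on checksum rather than name, so a file moved into a different directory is reported once rather than as a deletion plus an addition, which is how the inventory would otherwise double-count it.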


Trust level and score

Application Control is integrated with the McAfee Global Threat Intelligence (McAfee GTI) file reputation service. The software synchronizes with the McAfee GTI file reputation service regularly to fetch information.

For each binary file, McAfee GTI provides these values:

CloudTrustLevel

Indicates if the file is a good, bad, or unknown file. Based on information fetched from McAfee GTI, the application and binary files in the inventory are sorted into Good, Bad, and Unclassified categories.

For every Bad binary file encountered in your setup, the software generates the Bad File Found event. Also, if the trust level for a binary file changes from Bad to Good, the Assumed Bad File is Clean event is generated. You can view these events on the Menu | Reporting | Threat Event Log page. If needed, you can set up responses to receive a notification for these events.

CloudTrustScore

Indicates the reliability or credibility of the file. The assigned value ranges between 1–5. A value of 1 or 2 represents known bad files, such as trojan, virus, and potentially unwanted programs (PUP) files. A value of 3 indicates an Unclassified file. A value of 4 or 5 represents known and trusted good files.

Value  Description    Details

5      Known Clean    Represents files that belong to known, trusted software vendors that McAfee considers clean due to the analysis and reputation of the file, application, software vendor, or digital signature.

4      Assumed Clean  Indicates a high probability that these files are clean based on McAfee's heuristic analysis computed from file reputation and telemetry data.

3      Unknown        Indicates that McAfee did not have sufficient data on these files to conclusively categorize the files as good or bad.

2      Suspicious     Indicates that the files are suspicious and may be malware (based on McAfee's heuristic and behavioral analysis computed from file reputation, telemetry data, and emulation).

1      Malicious      Indicates that the files have been analyzed and determined to be malware.

In addition to the above values, Application Control also tracks the Enterprise Trust Level value for each binary file. By default, the enterprise trust level for a file is the same as the cloud trust level. When edited, the enterprise trust level for a file overrides the cloud trust level for the file.

For example, if your organization uses an internally developed application, McAfee GTI will mark it as an Unclassified application because it is specific to your organization. However, because you trust the application, you can recategorize it as a Good file by editing the enterprise trust level for the file. To edit the enterprise trust level for a file, select the file and select Actions | Change Enterprise Trust Level.
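The score-to-category mapping, the enterprise override and the two events described above, as an added example that is not code from the McAfee guide or product. The category boundaries, event names and override rule follow the text; the in-memory record layout and the constructed SHA1 placeholders are this example's assumptions.

```python
"""Added example, not code from the McAfee guide or product: map a
CloudTrustScore to the Good / Bad / Unclassified category the guide
describes, apply the enterprise trust level override, and emit the two
event names the guide mentions when a binary's cloud rating changes.
The in-memory record layout is an assumption."""
from __future__ import annotations

# Score descriptions as given in the guide's table.
SCORE_DESCRIPTIONS = {5: "Known Clean", 4: "Assumed Clean", 3: "Unknown", 2: "Suspicious", 1: "Malicious"}
LEVELS = ("Good", "Bad", "Unclassified")


def trust_level_from_score(score: int) -> str:
    """1-2 -> Bad, 3 -> Unclassified, 4-5 -> Good; anything else is rejected."""
    if score not in SCORE_DESCRIPTIONS:
        raise ValueError(f"CloudTrustScore must be 1-5, got {score!r}")
    if score >= 4:
        return "Good"
    if score == 3:
        return "Unclassified"
    return "Bad"


class TrustTracker:
    """Tracks cloud and enterprise trust levels per SHA1 and records events."""

    def __init__(self) -> None:
        self.cloud: dict[str, str] = {}
        self.enterprise: dict[str, str] = {}   # only SHA1s whose level was edited
        self.events: list[tuple[str, str]] = []

    def update_from_gti(self, sha1: str, score: int) -> str:
        """Apply a fresh McAfee GTI score and generate events on Bad transitions."""
        new_level = trust_level_from_score(score)
        old_level = self.cloud.get(sha1)
        self.cloud[sha1] = new_level
        if new_level == "Bad" and old_level != "Bad":
            self.events.append(("Bad File Found", sha1))
        elif old_level == "Bad" and new_level == "Good":
            self.events.append(("Assumed Bad File is Clean", sha1))
        return new_level

    def change_enterprise_level(self, sha1: str, level: str) -> None:
        """Equivalent of Actions | Change Enterprise Trust Level for one file."""
        if level not in LEVELS:
            raise ValueError(f"unknown trust level {level!r}")
        self.enterprise[sha1] = level

    def effective_level(self, sha1: str) -> str:
        """The enterprise level overrides the cloud level once edited; otherwise they are equal."""
        return self.enterprise.get(sha1, self.cloud.get(sha1, "Unclassified"))


def demo() -> tuple[dict[str, str], list[tuple[str, str]]]:
    """Constructed SHA1 placeholders (not real file hashes) walked through the guide's scenario."""
    tracker = TrustTracker()
    tracker.update_from_gti("sha1-inhouse-app", 3)   # in-house tool: GTI has no data
    tracker.update_from_gti("sha1-known-good", 5)
    tracker.update_from_gti("sha1-sample-c", 1)      # -> Bad File Found
    tracker.update_from_gti("sha1-sample-c", 4)      # re-rated -> Assumed Bad File is Clean
    tracker.change_enterprise_level("sha1-inhouse-app", "Good")   # the override from the text
    levels = {s: tracker.effective_level(s) for s in tracker.cloud}
    return levels, tracker.events


if __name__ == "__main__":
    levels, events = demo()
    print(levels)
    print(events)
```

Note that the override is stored separately from the cloud level, so a later McAfee GTI re-rating of the in-house file never silently replaces the administrator's decision.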


Guidelines for fetching inventory

Application Control provides multiple methods to help you fetch the software inventory for an endpoint.

To fetch the inventory for endpoints when placing the endpoints in Enabled mode

Use the Enable client task. For more information, see Enable Application Control.

To fetch the inventory for selected endpoints

Use the Fetch link on the Menu | Application Control | Inventory | By Systems page to quickly fetch inventory for an endpoint.

To fetch the inventory for an endpoint

Use the Fetch Inventory action (Actions | Application Control | Fetch Inventory) for a selected endpoint on the Menu | Systems | System Tree | Systems page to quickly fetch inventory for an endpoint.

To fetch the inventory for one or more endpoints

Use the Pull Inventory client task to fetch inventory details for a group. We recommend that you use this client task to fetch inventory from 500 or fewer endpoints simultaneously.

To import inventory details for endpoints not connected to the McAfee ePO console

1 Execute the sadmin ls -lax > <XML file name> command on the endpoint using the CLI to generate an XML file with inventory details.

2 On the McAfee ePO console, select the endpoint on the Menu | Systems | System Tree | Systems page and click Actions | Application Control | Import Inventory.

The inventory for the selected endpoint is updated based on the inventory details included in the XML file.

To ignore and not include certain files in the inventory when fetching or importing inventory details for endpoints to the McAfee ePO console

Specify the file paths to ignore:

1 Select Menu | Configuration | Server Settings | Solidcore.

2 Review the file paths listed in the Inventory: Ignored file paths for Inventory items field.

3 Click Edit to update the list. The Edit Solidcore page displays.

4 Use regular expressions to specify the file path string at the end of the list (separated by a comma) and click Save.

To fetch McAfee GTI ratings when the McAfee ePO server is not connected to the Internet

Use the Offline GTI tool to fetch McAfee GTI ratings for endpoints that are managed by a McAfee ePO server that is not connected to the Internet. For more information, see Fetch McAfee GTI ratings for isolated McAfee ePO environments.

Fetch the inventory

Although Application Control maintains the current inventory for managed endpoints, you can fetch the inventory for one or more managed endpoints, as needed.


Task

For option definitions, click ? in the interface.

1 On the McAfee ePO console, select Menu | Systems | System Tree.

2 Perform one of these actions.

• To apply a client task to a group, select a group in the System Tree and switch to the Assigned Client Tasks tab.

• To apply a client task to an endpoint, select the endpoint on the Systems page, then click Actions | Agent | Modify Tasks on a Single System.

3 Click Actions | New Client Task Assignment to open the Client Task Assignment Builder page.

4 Select Solidcore 6.1.2 for the product and SC: Pull Inventory for the task type, then click Create New Task to open the Client Task Catalog page.

5 Specify the task name and add any descriptive information.

6 Click Save.

7 Click Next to open the Schedule page.

8 Specify schedule details, then click Next.

9 Review and verify the task details, then click Save.

10 Optionally, wake up the agent to send your client task to endpoints immediately.

Fetch McAfee GTI ratings for isolated McAfee ePO environments

Use the Offline GTI tool to fetch McAfee GTI ratings for isolated McAfee ePO environments with no access to the Internet.

In certain organizations, for security reasons, Internet access might not be available to systems. In such cases, if the McAfee ePO server is not connected to the Internet, the Solidcore extension cannot fetch McAfee GTI ratings, such as trust level and score, from the McAfee GTI file reputation service. As a result, the binaries in the inventory remain unclassified, making it difficult for the McAfee ePO administrator to distinguish between good, bad, or unknown files present in the inventory.

For optimal performance in isolated McAfee ePO environments, navigate to the Menu | Configuration | Server Settings | Solidcore page, click Edit, then set the GTI Cloud: Enable Fetching Cloud Trust Levels of App Control Inventory Binaries from Cloud and GTI Cloud: Enable Fetching Cloud Trust Levels of SHA1s updated in Cloud options to No.


Tasks

• Export SHA1s of all binaries on page 95

Export SHA1s of all binaries in the Application Control inventory to a file. The created file is compressed and encrypted.

• Run the Offline GTI tool on page 95

Run the Offline GTI tool to fetch McAfee GTI ratings, such as trust level and score, for all SHA1s from the McAfee GTI file reputation service. The Offline GTI tool fetches the McAfee GTI ratings and saves the information to a result file.

• Import the GTI result file on page 96

Import the GTI result file to a system connected to the McAfee ePO server to update the Application Control inventory with the fetched McAfee GTI ratings.

• Verify the import on page 97

Review the server task log to verify if McAfee GTI ratings were successfully imported to the McAfee ePO server.

Export SHA1s of all binaries

Export SHA1s of all binaries in the Application Control inventory to a file. The created file is compressed and encrypted.

Task

For option definitions, click ? in the interface.

1 On the McAfee ePO console, select Menu | Application Control | Inventory.

2 On the By Applications tab, select Actions | Export Inventory for Offline GTI Tool to create the inventory file.

The file name is appended with the date and time when the file is created. Here is the syntax of the file name.

App-Control-Inventory-<year>-<month>-<day>_<hour>-<minute>-<second>.zip

3 Save the inventory file.

4 Copy the inventory file to a system with access to the Internet.

Run the Offline GTI tool

Run the Offline GTI tool to fetch McAfee GTI ratings, such as trust level and score, for all SHA1s from the McAfee GTI file reputation service. The Offline GTI tool fetches the McAfee GTI ratings and saves the information to a result file.

Before you begin

• Make sure that Java Runtime Environment (JRE) 1.6.0_33 or later is installed on the system.

• Verify that the system is connected to the Internet.

• Make sure that you have downloaded and saved the OfflineGTITool.zip file from the McAfee Downloads site.


Task

1 Set the GTI_TOOL_JAVA_HOME environment variable.

a Open a command window.

b Run the following command and provide the path to the JRE.

set GTI_TOOL_JAVA_HOME=<JRE path>

For example:

set GTI_TOOL_JAVA_HOME=C:\Program Files\Java\jre6

2 Run the Offline GTI tool.

a Extract the OfflineGTITool.zip file to a system with access to the Internet.

The OfflineGTITool directory is created. This directory contains the readme.txt file that explains the prerequisites, procedure, configuration, and logging details. For detailed information on using the Offline GTI tool, we recommend that you read this file.

b Change to the OfflineGTITool directory.

cd <directory path>

Make sure that you specify the absolute path to the OfflineGTITool directory.

c Verify that the current directory is OfflineGTITool.

cd

d Run the tool.

runOfflineGTITool.cmd <Inventory file path>

Specify the tool name followed by the path to the inventory file that you saved on this system.

For example:

runOfflineGTITool.cmd c:\inventory\App-Control-Inventory-yyyy-MM-dd_HH-mm-SS.zip

The Offline GTI tool connects to the McAfee GTI file reputation service and fetches McAfee GTI ratings for the SHA1s. When ratings for all SHA1s are fetched, a success or failure message is displayed at the command prompt. The created GTI result file contains the McAfee GTI ratings of the SHA1s and its contents are encrypted. The file name is appended with the date and time at which the file is created.

GTI-Result-<year>-<month>-<day>_<hour>-<minute>-<second>.zip

3 Copy the GTI result file to a system connected to the McAfee ePO server.

Import the GTI result file

Import the GTI result file to a system connected to the McAfee ePO server to update the Application Control inventory with the fetched McAfee GTI ratings.

After the GTI result file is successfully generated, you must import the McAfee GTI ratings to McAfee ePO within seven days. If you exceed seven days, you will not be able to update the Application Control inventory with the McAfee GTI ratings. Although the default setting is seven days, you can configure it, as needed. To configure this setting, contact McAfee Support.
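The inventory and result file names shown in this section, and the seven-day import window described above, as an added example that is not code from the guide or from the Offline GTI tool. It recovers the creation timestamp from either file name and tells an administrator whether a result file can still be imported; the file names and clock values are constructed, and the check that a result file was produced after its inventory export is this example's own sanity check, not something the guide describes.

```python
"""Added example, not code from the McAfee guide or the Offline GTI tool:
recover the creation time that the tools append to the inventory and GTI
result file names, and check whether a result file is still inside the
seven-day import window before attempting Import GTI Ratings.
File names and clock values used here are constructed."""
from __future__ import annotations

import re
from datetime import datetime, timedelta

# Both names end in <year>-<month>-<day>_<hour>-<minute>-<second>.zip
_STAMP = r"(\d{4})-(\d{2})-(\d{2})_(\d{2})-(\d{2})-(\d{2})\.zip$"
INVENTORY_NAME = re.compile(r"^App-Control-Inventory-" + _STAMP)
RESULT_NAME = re.compile(r"^GTI-Result-" + _STAMP)
IMPORT_WINDOW_DAYS = 7  # default stated in the guide; changing it goes through McAfee Support


def creation_time(file_name: str, pattern: re.Pattern = RESULT_NAME) -> datetime:
    """Parse the timestamp out of a result (default) or inventory file name."""
    m = pattern.match(file_name)
    if not m:
        raise ValueError(f"{file_name!r} does not match the expected file name pattern")
    year, month, day, hour, minute, second = (int(g) for g in m.groups())
    return datetime(year, month, day, hour, minute, second)


def import_status(result_file: str, now: datetime | str,
                  window_days: int = IMPORT_WINDOW_DAYS) -> tuple[str, float]:
    """Return ("ok" or "expired", hours left until the import deadline).
    Hours left is negative once the window has lapsed."""
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    deadline = creation_time(result_file) + timedelta(days=window_days)
    hours_left = (deadline - now).total_seconds() / 3600
    return ("ok" if hours_left >= 0 else "expired", hours_left)


def result_matches_inventory(inventory_file: str, result_file: str) -> bool:
    """Assumed sanity check: the result must have been produced after the export."""
    return creation_time(result_file) > creation_time(inventory_file, INVENTORY_NAME)


if __name__ == "__main__":
    result = "GTI-Result-2013-05-01_10-30-00.zip"   # constructed name
    print(import_status(result, "2013-05-07T10:30:00"))
```

Run the check on the system connected to the McAfee ePO server before starting the import, so that an expired result file is caught before the server task is created rather than discovered afterwards in the server task log.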


Task

For option definitions, click ? in the interface.

1 On the McAfee ePO console, select Menu | Application Control | Inventory.

2 On the By Applications tab, select Actions | Import GTI Ratings to open the Import GTI Ratings dialog box.

3 Click Browse to select the GTI result file, then click OK.

The Import GTI Ratings dialog box states that the McAfee GTI ratings are uploaded to the McAfee ePO server and processing of the McAfee GTI ratings has started. Review the server task log to verify that the processing has completed.

4 Click OK.

Verify the import

Review the server task log to verify if McAfee GTI ratings were successfully imported to the McAfee ePO server.

Task

For option definitions, click ? in the interface.

1 On the McAfee ePO console, select Menu | Automation | Server Task Log.

2 Specify the task name Imports GTI ratings from file to Inventory in the Quick find text box, then click Apply.

The list is updated based on the specified search string.

3 Verify that the status of this server task is Completed.

Review the inventory

You can manage and take actions on the software inventory for an endpoint.

Task

For option definitions, click ? in the interface.

1 On the McAfee ePO console, select Menu | Application Control | Inventory.

2 Perform one of these steps.

• To manage the inventory for all managed endpoints, select the By Applications tab.

• To manage the inventory for a selected endpoint, switch to the By Systems tab and click View for the relevant endpoint. The inventory for the selected endpoint is listed.


3 Review the applications in the inventory. By default, based on information received from McAfee GTI, the application and binary files are sorted into Good, Bad, and Unclassified categories.

Here are some alternate views you can use.

Review all binary files

To view files sorted by name, select the Binary Name filter, leave the filter blank, and click Search.

Review all files sorted by applications

Select the Application filter, leave the file name filter blank, and click Search. The applications and binary files are sorted into Good, Bad, and Unclassified categories. For applications with MSI-based installers, application and binary files are grouped and categorized based on the product name and version.

Sort the application and binary files based on vendor

Select the Vendor filter, do not specify a vendor name, and click Search. The applications and binary files are sorted by the vendor. For each vendor, you can view the Good, Bad, and Unclassified categories.

4 Review application details (only when you review all files sorted by applications).

a Click App Details to open the Application Details page.

b View the details for the application.

c Review the binary files associated with the selected application in the Binaries pane.

d Review the endpoints on which the selected application is present in the Systems pane.

e Optionally, perform any action on the listed endpoints.

f Click Close.

5 Optionally, apply seeded filters, create new filters, or search for specific files, as needed.

Use seeded filters

Select a value from the Saved Filters list. You can choose from these filters:

• All Bad Binaries

• Allowed Bad Binaries

• Allowed Unclassified Signed Binaries

• Allowed Unclassified Unsigned Binaries

• Banned Good Binaries

Create a new filter

To create a new filter:

1 Select Add Saved Filter from the Saved Filters list.

2 Select an available property. For example, to identify all unclassified applications that are signed, select the Has Cert and Trust Level (Enterprise) properties.

3 Specify the comparison and value for the property.

• For the Has Cert property, set comparison to Equals, and select the True value.

• For the Trust Level (Enterprise) property, set comparison to Equals, and select the Unclassified value.

4 Click Update Filter.

Search for specific files, for example search for a file based on its checksum value

Select the Binary SHA1 or Binary MD5 filter, enter a checksum value, and click Search. The binary file with the specified checksum value is displayed.


6 Review the binary files.

When you view files sorted by applications or vendors, the Applications or Vendors pane is displayed. The pane provides a tree structure to help you navigate and view the files under each category. Select a node in the tree to review associated binary files in the Binaries pane. For all other views, only the Binaries pane is displayed. For each file, the Binaries pane lists the name, version, trust score, trust level (cloud and enterprise), allowed system count, and banned system count.

7 View binary details.

a Click a binary file to open the Binary Details page.

b Click the cloud trust score to view the details fetched from the McAfee GTI server for the binary file.

c Review the endpoints listed in the Systems for this Binary pane.

d Click View Events for an endpoint to view events generated for the endpoint.

e Click Ban to ban the binary file from an endpoint.

f Click Close.

Manage the inventory

Application Control sorts your inventory files into these categories:

Good: Includes known good or trusted applications (effectively creating the Whitelist for your enterprise). Because these applications are known files, you do not need to perform extensive management activities for the good files. If your organization needs to disallow a known good file, you can ban the file.

Bad: Includes known malware or bad applications (effectively creating the Blacklist for your enterprise). Because these applications are known bad files, you will usually need to ban the bad applications. If needed, you can categorize any in-house or trusted applications in the bad list as a good file.

Unclassified: Includes all unknown applications (effectively creating the graylist for your enterprise). You should routinely review and manage the graylist for your enterprise to keep it to a minimum size (ideally zero). You might need to reclassify internally developed, recognized, or trusted (from a reputed vendor) files that are currently in the unclassified list.

Any pre-existing advanced persistent threats (APTs) will reside in the graylist or Unclassified category.

Task

For option definitions, click ? in the interface.

1 Perform one of these tasks.

• To manage the inventory for all managed endpoints, navigate to the Menu | Application Control | Inventory | By Applications page.

• To manage the inventory for a selected endpoint, navigate to the Menu | Application Control | Inventory | By Systems page and click View for the relevant endpoint.

2 Prevent bad binary or script files from running.

a Select the files to ban.

b Select Actions | Ban Binaries to open the Allow or Ban Binaries wizard.


c Specify the rule group for the rules.

• To add the rules to an existing rule group, select Add to Existing Rule Group, select the rule group from the list, and specify the operating system.

• To create a new rule group with the rules, select Create a New Rule Group, enter the rule group name, and specify the operating system.

d Click Next.

e Review the rules, then click Save.

3 Allow known binary or script files to run.

a Select the files to allow.

b Select Actions | Allow Binaries to open the Allow or Ban Binaries wizard.

c Perform one of these tasks.

• To allow the binary file only on the selected endpoint, add the binary file to the whitelist of the endpoint by selecting Add Binaries to Whitelist. This option is available only if you are managing the inventory for an endpoint (by clicking the View link for an endpoint on the By Systems page).

• To allow the binary file on multiple endpoints, add the rules to a rule group.

Add the rules to an existing rule group: Select Add to Existing Rule Group, select the rule group from the list, and specify the operating system.

Create a new rule group with the rules: Select Create a New Rule Group, enter the rule group name, and specify the operating system.

d Click Next.

e Review the rules, then click Save.

4 Recategorize an unclassified binary or script file as a good file by editing the enterprise trust level for the file.

a Select the files.

b Select Actions | Change Enterprise Trust Level to open the Change Enterprise Trust Level window.

c Set the trust level.

By default, the enterprise trust level for a file is the same as the cloud trust level. When edited, the enterprise trust level for a file overrides the cloud trust level for the file.

5 Add the updated rule group to the policies applied to the endpoints.

Set the base image

Set the base image for your enterprise.

If the inventory for an endpoint in your setup includes known and trusted applications, you can set it as a base image for your enterprise. This creates an approved repository of known applications, including internally developed, recognized, or trusted (from a reputed vendor) applications. Also, this makes management of desktop systems easier by verifying the corporate applications.


Task

For option definitions, click ? in the interface.

1 On the McAfee ePO console, select Menu | Application Control | Inventory | By Systems.

The endpoints in your setup are listed.

2 Navigate to the endpoint on which the known and trusted applications exist.

3 Select Mark Good for the endpoint.

This recategorizes all unclassified binary or script files on the endpoint as good files and edits the enterprise trust level for the files. No changes are made to the Bad binary or script files on the endpoint.

You can also perform this action from the Systems page. Select the endpoint on the Menu | Systems | System Tree | Systems page and click Actions | Application Control | Mark Good.
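The classification rules from Manage the inventory (an edited enterprise trust level overrides the cloud trust level) and from Set the base image (Mark Good recategorizes only Unclassified files, leaving Bad files untouched), as a small model. This is an added example, not McAfee code; the record fields, endpoint name and placeholder checksums are assumptions.

```python
"""Toy model of how Application Control classifies inventory files.

Added example, not McAfee code. The field names (cloud_trust_level,
enterprise_trust_level), the endpoint name and the placeholder checksums are
constructed. The behaviour follows the guide: the enterprise trust level
defaults to the cloud level, an edited enterprise level overrides it, and
Mark Good recategorizes only Unclassified files on an endpoint.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

GOOD, BAD, UNCLASSIFIED = "Good", "Bad", "Unclassified"


@dataclass
class BinaryFile:
    name: str
    sha1: str                                       # placeholder, not a real hash
    cloud_trust_level: str                          # classification from McAfee GTI
    enterprise_trust_level: Optional[str] = None    # None = never edited

    def effective_trust_level(self) -> str:
        """An edited enterprise level wins; otherwise use the cloud level."""
        return self.enterprise_trust_level or self.cloud_trust_level


@dataclass
class Endpoint:
    name: str
    inventory: List[BinaryFile] = field(default_factory=list)


def categorize(inventory: List[BinaryFile]) -> Dict[str, List[str]]:
    """Sort files into the Good, Bad and Unclassified categories by name."""
    buckets: Dict[str, List[str]] = {GOOD: [], BAD: [], UNCLASSIFIED: []}
    for f in inventory:
        buckets[f.effective_trust_level()].append(f.name)
    return buckets


def change_enterprise_trust_level(f: BinaryFile, level: str) -> None:
    """Actions | Change Enterprise Trust Level for one file."""
    if level not in (GOOD, BAD, UNCLASSIFIED):
        raise ValueError(f"unknown trust level: {level}")
    f.enterprise_trust_level = level


def mark_good(endpoint: Endpoint) -> List[str]:
    """Mark Good: every Unclassified file on the endpoint becomes Good by
    editing its enterprise trust level. Bad files are not touched.
    Returns the names of the files that were changed."""
    changed: List[str] = []
    for f in endpoint.inventory:
        if f.effective_trust_level() == UNCLASSIFIED:
            change_enterprise_trust_level(f, GOOD)
            changed.append(f.name)
    return changed


def sample_endpoint() -> Endpoint:
    """Constructed sample inventory for a candidate base image."""
    return Endpoint("gold-host-01", [
        BinaryFile("notepad.exe", "sha1-placeholder-1", GOOD),
        BinaryFile("inhouse-tool.exe", "sha1-placeholder-2", UNCLASSIFIED),
        BinaryFile("vendor-agent.dll", "sha1-placeholder-3", UNCLASSIFIED),
        BinaryFile("dropper.exe", "sha1-placeholder-4", BAD),
        # cloud says Bad, but the enterprise override already reclassified it
        BinaryFile("legacy-app.exe", "sha1-placeholder-5", BAD,
                   enterprise_trust_level=GOOD),
    ])


if __name__ == "__main__":
    ep = sample_endpoint()
    print("before Mark Good:", categorize(ep.inventory))
    print("recategorized:", mark_good(ep))
    print("after Mark Good:", categorize(ep.inventory))
```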

Compare the inventory

Image deviation is used to compare the inventory of an endpoint with the inventory that is fetched from a designated gold system. This helps you to track the inventory present on an endpoint and identify any differences that occur.

To accomplish this, complete these steps.

TaskFor option definitions, click ? in the interface.

1 Fetch the inventory for your gold host. For detailed information, see Fetch the inventory.

2 Fetch the inventory for the endpoint. For detailed information, see Fetch the inventory.

3 Review the Menu | Automation | Solidcore Client Task Log page to make sure that both client tasks completed successfully.

4 Compare the inventory of the gold host with the inventory of the endpoint. This is known as Image Deviation.

5 Review the comparison results.

Tasks

• Run the inventory comparison on page 101
Compare the inventory of the gold host with the inventory of an endpoint.

• Review the comparison results on page 102
Review the results of inventory comparison (image deviation).

Run the inventory comparison

Compare the inventory of the gold host with the inventory of an endpoint.

Task

For option definitions, click ? in the interface.

1 On the McAfee ePO console, select Menu | Automation | Server Tasks.

2 Click Actions | New Task to open the Server Task Builder wizard.


3 Type the task name, then click Next.

4 Select Solidcore: Run Image Deviation from the Actions drop-down list.

5 Specify the gold system.

6 Configure these options to select the endpoint to compare with the gold system.

• System to compare with Gold System — Click Add to search for the endpoint that you want to compare with the gold system. Type the name of the endpoint in the System Name field and click Search.

• Groups to compare with Gold System — Click Add to search for the group that you want to compare with the gold system. Type the name of the group in the Group Name field and click Search.

• Include Systems with Tags — Click Add to search for endpoints based on their tag names. Type the tag name in the Tag Name field and click Search.

• Exclude Systems with Tags — Click Add to search for endpoints based on their tag names. Type the tag name in the Tag Name field and click Search. Select the required tag from the search result. All endpoints with the selected tags are excluded from comparison with the gold system.

7 Click Next to open the Schedule page.

8 Specify the schedule for the task.

9 Click Next to open the Summary page.

10 Review the task summary, then click Save.

11 Run the server task immediately to instantly review the comparison results.

Review the comparison results

Review the results of inventory comparison (image deviation).

Task

For option definitions, click ? in the interface.

1 On the McAfee ePO console, select Menu | Application Control | Image Deviation.

2 Locate the comparison of the gold host and endpoint.

To quickly find the corresponding row, enter the endpoint name in the Search Target System field, then click Search.

3 Click Show Deviations.

4 Review the comparison details.

• Select the view type. You can organize the results based on applications or binary files.

• Use the available filters to sort the results. Using the filters, you can view new (added), modified, and removed (missing) files. Use the Execution Status Mismatch filter to view files with changes to the execution status. Use the path filter to sort the results based on the file path.
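The comparison that Image Deviation performs, reduced to its core logic, as an added example that is not McAfee code: it takes two fetched inventories and reports the same categories the page's filters expose (new, modified, removed, Execution Status Mismatch) with an optional path filter. The record layout, sample inventories and placeholder checksums are assumptions.

```python
"""Image deviation: compare an endpoint's inventory with a gold system's.

Added example, not McAfee code. The record layout (path, sha1, version,
execution_status), the sample inventories and the placeholder checksums are
constructed; the result categories mirror the filters on the Image Deviation
page: new (added), modified, removed (missing) and Execution Status Mismatch,
with an optional path filter.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class InventoryRecord:
    path: str               # full path of the binary on the system
    sha1: str               # placeholder checksum, not a real hash
    version: str
    execution_status: str   # "Allowed" or "Banned" on that system


def _index(records: Iterable[InventoryRecord]) -> Dict[str, InventoryRecord]:
    """Key records by path; Windows paths compare case-insensitively."""
    return {r.path.lower(): r for r in records}


def image_deviation(gold: Iterable[InventoryRecord],
                    endpoint: Iterable[InventoryRecord],
                    path_filter: Optional[str] = None) -> Dict[str, List[str]]:
    """Return the endpoint's deviations from the gold system, by category.

    new:      on the endpoint but not on the gold system (added)
    removed:  on the gold system but not on the endpoint (missing)
    modified: same path on both, but checksum or version differs
    execution_status_mismatch: same path on both, but the file is allowed
              on one system and banned on the other
    A file can appear under both "modified" and "execution_status_mismatch".
    """
    g, e = _index(gold), _index(endpoint)
    if path_filter:
        prefix = path_filter.lower()
        g = {k: v for k, v in g.items() if k.startswith(prefix)}
        e = {k: v for k, v in e.items() if k.startswith(prefix)}

    result: Dict[str, List[str]] = {
        "new": [], "removed": [], "modified": [], "execution_status_mismatch": []}
    for key in sorted(set(g) | set(e)):
        if key not in g:
            result["new"].append(e[key].path)
        elif key not in e:
            result["removed"].append(g[key].path)
        else:
            if (g[key].sha1, g[key].version) != (e[key].sha1, e[key].version):
                result["modified"].append(e[key].path)
            if g[key].execution_status != e[key].execution_status:
                result["execution_status_mismatch"].append(e[key].path)
    return result


# Constructed sample inventories, as the inventory client task would fetch them.
GOLD_INVENTORY = [
    InventoryRecord(r"C:\Windows\System32\notepad.exe", "sha1-placeholder-1", "6.1", "Allowed"),
    InventoryRecord(r"C:\Program Files\App Name\proc.exe", "sha1-placeholder-2", "1.0", "Allowed"),
    InventoryRecord(r"C:\Program Files\App Name\a.dll", "sha1-placeholder-3", "1.0", "Allowed"),
    InventoryRecord(r"C:\Tools\legacy.exe", "sha1-placeholder-4", "2.0", "Banned"),
]
ENDPOINT_INVENTORY = [
    InventoryRecord(r"C:\Windows\System32\notepad.exe", "sha1-placeholder-1", "6.1", "Allowed"),
    InventoryRecord(r"C:\Program Files\App Name\proc.exe", "sha1-placeholder-2b", "1.1", "Allowed"),
    # a.dll is missing on the endpoint
    InventoryRecord(r"C:\Tools\legacy.exe", "sha1-placeholder-4", "2.0", "Allowed"),
    InventoryRecord(r"C:\Users\Public\dropper.exe", "sha1-placeholder-5", "0.1", "Allowed"),
]


if __name__ == "__main__":
    for category, paths in image_deviation(GOLD_INVENTORY, ENDPOINT_INVENTORY).items():
        print(f"{category}: {paths}")
```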


10 Managing approval requests

Application Control prevents any new or unknown applications from running on protected endpoints. When the Self Approval feature is enabled and users try to run an unknown or new application on a protected endpoint, they are prompted to approve or deny the application execution.

Contents

What is Self Approval?
Enable Self Approval on endpoints
Configure the feature
Review requests
Process requests
Review created rules

What is Self Approval?

For any blocked application or file, users can approve the execution and run the application on the endpoint. When a user approves the execution, the business need or justification provided by the user for running the application is sent to the McAfee ePO administrator. The administrator reviews the approval request and can define rules to allow or ban the application for one or all endpoints in the enterprise.

The rules that are applied through policies have precedence over the Self Approval feature. For example, if the Self Approval feature is enabled and the user tries to run an application that is banned through a policy, the user will not be prompted to take any action for the application. Also, you cannot self approve and perform any actions that are prevented by Application Control memory-protection techniques.

The Self Approval feature is available for binary or executable files, scripts, installers, ActiveX controls, and supported files that you run from network shares and removable devices. This feature is available on all supported Windows platforms except Windows NT, Windows 2000, and Windows 2003 (IA-64 platform). This feature is not available on the UNIX platforms. The following diagram details the Self Approval feature.


Although the Self Approval feature is available in Limited Feature Activation mode, we recommend that you use this feature in Full Feature Activation mode (after restarting the endpoints). This is because this feature requires patching of some system DLLs and patching may require a restart to work effectively.

Enable Self Approval on endpoints

By default, the Self Approval feature is disabled on endpoints. You can configure a policy to enable this feature on selected endpoints.

After the feature is enabled, users can approve an unknown or new application on a protected endpoint and run it.

Task

For option definitions, click ? in the interface.

1 On the McAfee ePO console, select Menu | Policy | Policy Catalog.

2 Select the Solidcore 6.1.2: Application Control product.

3 Select the Application Control Options (Windows) category.


4 Click the My Default policy to edit it.

By default, the My Default policy is applied to all endpoints in your enterprise. To enable the Self Approval feature for selected endpoints, duplicate the My Default policy, edit the settings, and apply the policy to only the relevant endpoints.

5 Select Enable Self Approval.

6 Optionally, specify the message to display to the users on the endpoints when they try to run a new or unknown application.

This specified text is displayed on the endpoint in the McAfee Application Control - Self Approval dialog box.

7 Specify a timeout value for the McAfee Application Control - Self Approval dialog box.

The specified value determines the duration for which the McAfee Application Control - Self Approval dialog box is displayed on the endpoint after an action is performed by the user. If the user does not take an action in the specified time, the action is automatically denied and the McAfee Application Control - Self Approval dialog box closes.

8 Optionally, specify the advanced options.

If you select this option, all applications that run on the system while it is booting up or when an interactive session is unavailable are allowed to execute.

9 Save the policy and apply it to endpoints.

After the policy is applied, the Self Approval feature is enabled on the endpoints.

10 When users try to run a new application on the endpoints, the McAfee Application Control - Self Approval dialog box indicates that execution of the application has been detected and prompts the user to take an action. Perform one of these tasks:

• Provide a justification and click Allow to allow the action immediately. When you self approve the action, an approval request is sent to the administrator who reviews the provided justification to determine whether to allow or ban the action for one or more endpoints in the enterprise. The McAfee ePO administrator will allow the action only if it is in accordance with the corporate policies and the application is trusted and known.

• Click Deny to deny the action. Users can deny the action when it is not user-initiated or the changes seem irrelevant. The deny action is event-specific. If the same event is generated again, the user is prompted again to take an action.

Configure the feature

Review and edit the list of Generic Launcher Processes and Restricted Publisher Names.

You can configure these settings for the feature:


• Generic Launcher Processes — Certain processes on the Windows operating system, such as explorer.exe and iexplore.exe, start other processes and can be used to launch any software. Such processes are referred to as Generic Launcher Processes and should never be configured as updaters. A predefined list of such processes is available in Application Control. You can review and edit the list of Generic Launcher Processes. No updater rules are generated for Generic Launcher Processes at the endpoints.

• Restricted Publisher Names — Certificates from certain vendors such as Microsoft are associated with multiple commonly used applications and should not be used to define rules based on the publisher. A predefined list of such certificates is available on the Application Control configuration interface. You can review and edit the list of Restricted Publisher Names. If the binary in a request is signed by one of these certificates, you cannot create rules based on the certificate associated with the binary file.

Task

For option definitions, click ? in the interface.

1 On the McAfee ePO console, select Menu | Configuration | Server Settings | Solidcore.

2 Review and edit the list of Generic Launcher Processes.

a Review the processes listed in the Application Control: Generic Launcher Processes field.

b Click Edit to update the list.

c Add the process name to the end of this list (separated by a comma), then click Save.

3 Review and edit the list of Restricted Publishers.

a Review the names listed in the Application Control: Restricted Publisher Names field.

b Click Edit to update the list.

c Add the vendor name to the end of this list (separated by a comma), then click Save.

For example, to prevent creation of rules based on the Microsoft certificate, add Microsoft to the list.

Review requests

Review the requests received from the endpoints.

Task

For option definitions, click ? in the interface.

1 On the McAfee ePO console, select Menu | Application Control | Policy Discovery to open the Policy Discovery page.

After the requests are received from the endpoints, Application Control collates and groups requests based on these parameters:

• Checksum value of the binary file or cab file (in case of a request for an ActiveX control) for which the request is received

• Status of the request

The Activity field for each request indicates the action performed by the user on the endpoint. For example, if the user installs MSI-based software, the Activity field lists Software Installation for the request.


2 Review the listed requests using one of these methods.

• Specific interval — Select an option from the Time Filter list to view requests received in a specific interval.

• Filter criteria — Select a value for the request status from the Approval Status list to view requests that match the filter criteria.

• Specific search string — Enter a search string in the Quick find field and click Apply to view requests that match the specified search string.

• Sort — Sort the list based on the request prevalence, request generation time, activity, file name, application name, publisher, or trust level by clicking the column heading.

• Selected requests — Select requests of interest and click Show selected rows to review only the selected requests.

The Policy Discovery page lists only the requests for which the McAfee ePO administrator can make rules. To view other requests, such as those for software uninstall, run the Self Approval Audit Report query. This report lists all requests received from the endpoints in the last month. For information on how to run queries, see View queries.

3 Review individual requests that make up a collated request and detailed information for the binary file.

a Click a row to open the Policy Discovery Details page.

b Review binary details, such as cloud trust score, properties, and publisher information.

c Review the individual requests that make up the collated request.

d Click Close.

Process requests

Process the received requests for your enterprise by taking relevant actions for the requests.

Tasks

• Allow by checksum on all endpoints on page 74
Define rules to allow an application or binary file to run on all endpoints in the enterprise based on the checksum value of the binary file.

• Allow by publisher on all endpoints on page 75
Define rules to allow an application, binary file, or ActiveX control to run on all endpoints in the enterprise based on the publisher associated with the file.

• Ban by checksum on all endpoints on page 75
Define rules to ban an application or binary file from running on all endpoints in the enterprise based on the checksum value of the binary file.

• Define custom rules for specific endpoints on page 76
Define custom rules to allow or ban an application, binary file, or ActiveX control for specific endpoints in the enterprise.

• Allow by adding to whitelist for specific endpoints on page 77
Add one or more binary files to the whitelist of an endpoint to allow the files to run on the endpoint.

• Delete requests on page 78
Remove selected requests from the Policy Discovery page and database.


Allow by checksum on all endpoints

Define rules to allow an application or binary file to run on all endpoints in the enterprise based on the checksum value of the binary file.

Task

For option definitions, click ? in the interface.

1 On the McAfee ePO console, select Menu | Application Control | Policy Discovery to open the Policy Discovery page.

2 Select the requests for which you want to define rules.

3 Click Actions | Allow Binary Globally.

The Allow Binary Globally dialog box provides details and prompts you to confirm the action.

4 Click OK.

Rules are created for the binary files associated with the selected requests and added to the Global Rules rule group included in the McAfee Default policy. For information on how to view or edit the rules, see Review created rules.

Allow by publisher on all endpoints

Define rules to allow an application, binary file, or ActiveX control to run on all endpoints in the enterprise based on the publisher associated with the file.

Task

For option definitions, click ? in the interface.

1 On the McAfee ePO console, select Menu | Application Control | Policy Discovery to open the Policy Discovery page.

2 Select the request for which you want to define rules.

3 Click Actions | Allow by Publisher Globally.

The Allow by Publisher Globally action is unavailable if the main binary associated with the request is signed by a certificate included in the Restricted Publisher Names list.

The Allow by Publisher Globally dialog box provides details and prompts you to confirm the action. Based on the binary file associated with a selected request, the publisher is assigned or not assigned updater privileges. If the publisher has updater privileges, allowing based on publisher allows all applications signed by the publisher to make changes to existing executable files or launch new applications on the endpoints.

4 Click OK.

Rules are created for the selected request and added to the Global Rules rule group included in the McAfee Default policy.

Ban by checksum on all endpoints

Define rules to ban an application or binary file from running on all endpoints in the enterprise based on the checksum value of the binary file.


Task

For option definitions, click ? in the interface.

1 On the McAfee ePO console, select Menu | Application Control | Policy Discovery to open the Policy Discovery page.

2 Select the requests for which you want to define rules.

3 Click Actions | Ban Binary Globally.

The Ban Binary Globally dialog box provides details and prompts you to confirm the action.

4 Click OK.

Rules are created for the binary files associated with the selected requests and added to the Global Rules rule group included in the McAfee Default policy. For information on how to view or edit the rules, see Review created rules.

To ban an installer, such as an MSI-based installer, perform these steps:

• Ban the installer globally to make sure it cannot run on other endpoints in the enterprise (complete steps 3 and 4).

• Ban the files added by the installer on the endpoint where the installer was executed (complete step 5).

For example, if the MSI-based installer for Mozilla Firefox 12 (Firefox-12.0-af.msi) was executed and installed on an endpoint, you must ban the files added by the installer on the endpoint.

Banning an installer that is not MSI-based or for which no binary is displayed on the Inventory user interface is also a two-step process. You must ban the installer globally to make sure it cannot run on other endpoints in the enterprise (complete steps 3 and 4). Next, you must manually search for the binary files corresponding to the application and ban the files using the Inventory user interface.

5 Ban the files that have already been added to the endpoint.

a Click the application name link.

The Binaries page lists all binary files installed on the endpoint.

b Select all listed binary files.

c Click Actions | Ban Binaries to open the Allow or Ban Binaries wizard.

d Specify the rule group for the rules.

• To add the rules to an existing rule group, select Add to Existing Rule Group, select the rule group from the list, and specify the operating system.

• To create a new rule group with the rules, select Create a New Rule Group, enter the rule group name, and specify the operating system.

Make sure that the rule group where you add the rules is added to a policy that is applied on the endpoint where the request was received.

e Click Next.

f Review the rules, then click Save.

Define custom rules for specific endpoints

Define custom rules to allow or ban an application, binary file, or ActiveX control for specific endpoints in the enterprise.


Task

For option definitions, click ? in the interface.

1 On the McAfee ePO console, select Menu | Application Control | Policy Discovery to open the Policy Discovery page.

2 Select the request for which you want to define custom rules.

3 Click Actions | Create Custom Policy to open the Policy Discovery: Custom Rules page.

4 Specify whether to allow the binary file, ban the binary file, or add the certificate as a publisher.

5 Review the prepopulated rule.

6 Edit the rule, if needed.

7 Specify the rule group for the rules.

• To add the rules to an existing rule group, select Add to an existing Rule Group and select the rule group from the list.

• To create a new rule group with the rules, select Create a new Rule Group and enter the rule group name.

8 Optionally, add the modified or created rule group to a policy.

a Select Add the Rule Group to existing Policy.

b Select the policy where you want to add the rule group.

9 Click Save.

Allow by adding to whitelist for specific endpoints

Add one or more binary files to the whitelist of an endpoint to allow the files to run on the endpoint.

Task

For option definitions, click ? in the interface.

1 On the McAfee ePO console, select Menu | Application Control | Policy Discovery to open the Policy Discovery page.

2 Click a row to review request details in the Policy Discovery Details page.

Each row in the Similar Policy Discovery Requests for Activity pane represents a binary file and endpoint combination.

3 Click Allow Locally for a row.

The Allow Locally dialog box lists one or more paths to add to the whitelist.

The Allow Locally action is available only for requests that are generated when you execute an application that is not in the whitelist (Application Execution activity).


4 Review and customize the listed paths.

For example, if you execute proc.exe for an endpoint, the following paths might be listed.

C:\Program Files\App Name\proc.exe

C:\Program Files\App Name\a.dll

C:\Program Files\App Name\b.dll

To avoid redundancy, we recommend that you add only the C:\Program Files\App Name path.

5 Click OK.

The specified paths are added to the whitelist and allowed to run on the endpoint.
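The request handling described under Review requests (collation by checksum and status, sorting by prevalence), Allow by publisher on all endpoints (no publisher rule when the signer is in Restricted Publisher Names) and Allow by adding to whitelist (Allow Locally only for Application Execution), as one added example that is not McAfee code. The request record layout, the sample requests, the placeholder checksums and the substring match against the restricted list are assumptions.

```python
"""Collate Self Approval requests and decide which Policy Discovery actions apply.

Added example, not McAfee code. The request record layout, the sample
requests, the placeholder checksums and the matching rule for restricted
publisher names (case-insensitive substring match) are assumptions. The
behaviour follows the guide: requests are grouped by checksum and status,
Allow by Publisher Globally is unavailable when the binary is signed by a
certificate in the Restricted Publisher Names list, and Allow Locally is only
offered for Application Execution requests.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed default list, mirroring the guide's example of adding "Microsoft".
RESTRICTED_PUBLISHER_NAMES = ["Microsoft"]


@dataclass(frozen=True)
class SelfApprovalRequest:
    endpoint: str
    checksum: str               # SHA1 of the binary, or of the cab file for ActiveX
    activity: str               # e.g. "Application Execution", "Software Installation"
    status: str                 # approval status, e.g. "Pending"
    file_name: str
    publisher: Optional[str]    # certificate subject name; None if unsigned
    justification: str          # business need typed by the user


@dataclass
class CollatedRequest:
    """One row on the Policy Discovery page: all requests sharing a checksum and status."""
    checksum: str
    status: str
    requests: List[SelfApprovalRequest]

    @property
    def prevalence(self) -> int:
        """Number of distinct endpoints that raised this request."""
        return len({r.endpoint for r in self.requests})

    @property
    def main(self) -> SelfApprovalRequest:
        """The first individual request, used for the binary's details."""
        return self.requests[0]


def collate(requests: List[SelfApprovalRequest]) -> List[CollatedRequest]:
    """Group individual requests by (checksum, status), most prevalent first."""
    groups: Dict[Tuple[str, str], List[SelfApprovalRequest]] = defaultdict(list)
    for r in requests:
        groups[(r.checksum, r.status)].append(r)
    collated = [CollatedRequest(c, s, rs) for (c, s), rs in groups.items()]
    # sorted() is stable, so equally prevalent rows keep their arrival order
    return sorted(collated, key=lambda c: c.prevalence, reverse=True)


def is_restricted_publisher(publisher: Optional[str], restricted: List[str]) -> bool:
    """True if the signer matches an entry in Restricted Publisher Names."""
    if not publisher:
        return False
    return any(name.lower() in publisher.lower() for name in restricted)


def available_actions(c: CollatedRequest,
                      restricted: Optional[List[str]] = None) -> List[str]:
    """Actions an administrator can take on a collated request."""
    restricted = RESTRICTED_PUBLISHER_NAMES if restricted is None else restricted
    actions = ["Allow Binary Globally", "Ban Binary Globally", "Create Custom Policy"]
    # Publisher-based rules need a signed binary whose signer is not restricted.
    if c.main.publisher and not is_restricted_publisher(c.main.publisher, restricted):
        actions.append("Allow by Publisher Globally")
    # Allow Locally only applies to execution of a file that is not in the whitelist.
    if all(r.activity == "Application Execution" for r in c.requests):
        actions.append("Allow Locally")
    return actions


# Constructed sample requests; checksums are placeholders, not real hashes.
SAMPLE_REQUESTS = [
    SelfApprovalRequest("ws-101", "sha1-placeholder-a", "Application Execution",
                        "Pending", "inhouse-tool.exe", "Example Corp",
                        "needed for month-end reporting"),
    SelfApprovalRequest("ws-102", "sha1-placeholder-a", "Application Execution",
                        "Pending", "inhouse-tool.exe", "Example Corp",
                        "same tool, another user"),
    SelfApprovalRequest("ws-103", "sha1-placeholder-b", "Software Installation",
                        "Pending", "setup.msi", "Microsoft Corporation",
                        "installed a component update"),
    SelfApprovalRequest("ws-104", "sha1-placeholder-c", "Application Execution",
                        "Pending", "unknown.exe", None,
                        "ran a tool from a USB stick"),
]


if __name__ == "__main__":
    for row in collate(SAMPLE_REQUESTS):
        print(row.main.file_name, "prevalence", row.prevalence, available_actions(row))
```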

Delete requests

Remove selected requests from the Policy Discovery page and database.

To ensure optimal performance, the Solidcore: Auto Purge Policy Discovery Requests server task is run weekly to purge policy discovery requests older than three months.

Task

For option definitions, click ? in the interface.

1 On the McAfee ePO console, select Menu | Application Control | Policy Discovery to open the Policy Discovery page.

2 Select the requests to delete.

3 Click Actions | Delete Requests.

4 When prompted to confirm, click OK.

All selected collated requests and contained individual requests are deleted from the page and database.

Review created rules

Review and manage the global rules created for the processed requests.

Task

For option definitions, click ? in the interface.

1 On the McAfee ePO console, select Menu | Configuration | Solidcore Rules.

2 On the Rule Groups tab, select these options.

• Application Control type.

• Windows platform.

3 Navigate and locate the Global Rules rule group.

4 Click Edit for the rule group.

5 Review the included rules.


6 Edit the defined rules, if needed.

7 Click Save Rule Group.


11 Using dashboards and queries

Use dashboards to view the status of the endpoints and queries to review reports based on the data stored in the McAfee ePO database.

Contents
Dashboards
Queries
View queries

Dashboards
Dashboards are collections of monitors that help you keep an eye on your environment.

Application Control provides these default dashboards:

• Solidcore: Inventory dashboard allows you to observe the inventory for the endpoints

• Solidcore: Application Control dashboard helps you keep a check on the protected endpoints

You can create, modify (only on McAfee ePO 4.6), duplicate, and export dashboards. For more information on working with dashboards, see McAfee ePolicy Orchestrator Software Product Guide.

Queries
Use the available queries to review information for the endpoints based on the data stored in the McAfee ePO database.

These Application Control queries are available from the McAfee ePO console.

Table 11-1 Application Control Queries

Query
  Description

Self Approval Audit Report
  Displays a list of all approval requests received from the endpoints in the last month.

Solidcore: Alerts
  Displays all alerts generated in the last 3 months.

Solidcore: Application Control Agent Status
  Displays the status of all endpoints with the Application Control license which are managed by the McAfee ePO console. The pie chart categorizes the information based on the client status. Click a segment to review endpoint information.

Solidcore: Attempted Violations Detected in the Last 24 Hours
  Displays the attempted violation events detected during the last 24 hours. The line chart plots data on a per hour basis. Click a value on the chart to review event details.


Solidcore: Attempted Violations Detected in the Last 7 Days
  Displays the attempted violation events detected during the last 7 days. The line chart plots data on a per day basis. Click a value on the chart to review event details.

Solidcore: Non Compliant Solidcore Agents
  Lists the endpoints that are currently not compliant. The list is sorted based on the reason for non-compliance. An endpoint can be non-compliant if it:
  • Is in Disabled, Observe, or Update mode
  • Is operating in limited feature activation mode
  • Has local command line interface (CLI) access recovered

Solidcore: Solidcore Agent Status Report
  Displays the status of all endpoints managed by the McAfee ePO console. This report combines information for both the Application Control and Change Control licenses. The pie chart categorizes the information based on the client status. Click a segment to review detailed information.

Solidcore: Solidcore Agent License Report
  Indicates the number of Solidcore Agents that are managed by the McAfee ePO console. The information is categorized based on the license information and further sorted based on the operating system on the endpoint.

Solidcore: Policy Assignments By System
  Lists the number of policies applied on the managed endpoints. Click a system to review information on the applied policies.

Solidcore: Summary Server Reboot Log - Rolling 30 Days
  Displays the reboot log grouped by system name.

Solidcore: Top 10 Systems with Most Violations Detected in the Last 24 Hours
  Displays the top 10 systems with the maximum number of violations in the last 24 hours. The chart includes a bar for each system and indicates the number of violations for each system. Click a bar on the chart to review detailed information.

Solidcore: Top 10 Systems with Most Violations Detected in the Last 7 Days
  Displays the top 10 systems with the maximum number of violations in the last 7 days. The chart includes a bar for each system and indicates the number of violations for each system. Click a bar on the chart to review detailed information.

Solidcore: Top 10 Users with Most Violations Detected in the Last 24 Hours
  Displays the top 10 users with the most policy violation attempts in the last 24 hours. The chart includes a bar for each user and indicates the number of policy violation attempts for each user. The bar chart sorts the data in descending order. Click a bar on the chart to review detailed information.

Solidcore: Top 10 Users with Most Violations Detected in the Last 7 Days
  Displays the top 10 users with the most policy violation attempts in the last 7 days. The chart includes a bar for each user and indicates the number of policy violation attempts for each user. The bar chart sorts the data in descending order. Click a bar on the chart to review detailed information.

View queries
View an Application Control query.


Task
For option definitions, click ? in the interface.

1 On the McAfee ePO console, select Menu | Reporting | Queries & Reports.

2 Complete one of these steps.

• From the McAfee ePO 5.0 console, select the Application Control group under McAfee Groups.

• From the McAfee ePO 4.6 console, select the Application Control group under Shared Groups.

3 Review the queries in the list.

4 Navigate to the required query and click Run.

The results for the selected query are displayed.

5 Click Close to return to the previous page.


12 Maintaining your systems

After Change Control or Application Control is deployed, you can perform various tasks to maintain the endpoints. Review these topics for details about maintenance tasks.

Contents
Make emergency changes
Change the CLI password
Collect debug information
Place the endpoints in Disabled mode
Send GTI feedback
Purge data

Make emergency changes
To implement an emergency change, you can create a change window that overrides all protection and tamper proofing that is in effect. Memory protection (for Application Control only) remains enabled even in Update mode. You should use a change window only when the other available mechanisms cannot be used.

Complete these steps to make emergency changes.

Task
1 Place the endpoints in Update mode.

2 Complete the required emergency changes.

3 Place the endpoints in Enabled mode.

Tasks
• Place the endpoints in Update mode on page 118
  Place the endpoints in Update mode to make emergency changes.

• Place the endpoints in Enabled mode on page 118
  Place the endpoints back in Enabled mode after you complete the required changes in Update mode.


Place the endpoints in Update mode
Place the endpoints in Update mode to make emergency changes.

Task
1 Select Menu | Systems | System Tree.

2 Perform one of these actions.

• To apply the client task to a group, select a group in the System Tree and switch to the Assigned Client Tasks tab.

• To apply the client task to an endpoint, select the endpoint on the Systems page, then click Actions | Agent | Modify Tasks on a Single System.

3 Click Actions | New Client Task Assignment to open the Client Task Assignment Builder page.

4 Select the Solidcore 6.1.2 product, SC: Begin Update Mode task type, then click Create New Task to open the Client Task Catalog page.

5 Specify the task name and add any descriptive information.

6 Enter the Workflow ID and any comments.

The workflow ID provides a meaningful description for the update window.

7 Click Save.

8 Click Next to open the Schedule page.

9 Specify scheduling details, then click Next.

10 Review and verify the task details, then click Save.

11 Optionally, wake up the agent to send your client task to the endpoint immediately.

Place the endpoints in Enabled mode
Place the endpoints back in Enabled mode after you complete the required changes in Update mode.

Task
For option definitions, click ? in the interface.

1 On the McAfee ePO console, select Menu | Systems | System Tree.

2 Perform one of these actions.

• To apply the client task to a group, select a group in the System Tree and switch to the Assigned Client Tasks tab.

• To apply the client task to an endpoint, select the endpoint on the Systems page, then click Actions | Agent | Modify Tasks on a Single System.

3 Click Actions | New Client Task Assignment to open the Client Task Assignment Builder page.

4 Select the Solidcore 6.1.2 product, SC: End Update Mode task type, then click Create New Task to open the Client Task Catalog page.

5 Specify the task name and add any information.

6 Click Save.

7 Click Next to open the Schedule page.


8 Specify scheduling details, then click Next.

9 Review and verify the task details, then click Save.

10 Optionally, wake up the agent to send your client task to the endpoint immediately.

Change the CLI password
Change the default CLI password.

Task
For option definitions, click ? in the interface.

1 On the McAfee ePO console, select Menu | Policy | Policy Catalog.

2 Select the Solidcore 6.1.2: General product.

3 Click Duplicate for the McAfee Default policy in the Configuration (Client) category.

The Duplicate Existing Policy dialog box appears.

4 Specify the policy name, then click OK.

The policy is created and listed on the Policy Catalog page.

5 Click the policy to open it.

6 Type the new password in the CLI Settings tab.

7 Confirm the password.

8 Click Save.

9 Apply the policy to the endpoints.

Collect debug information
Prior to contacting McAfee Support to help you with a Solidcore client issue, collect configuration and debug information for your setup. This will help McAfee Support quickly identify and resolve the encountered issue. Run the Collect Debug Info client task to create an archive with endpoint configuration information and Solidcore client log files. The zip file is generated on the endpoint and its location is listed (click the record associated with the client task) on the Client Task Log page. Send the zip file to McAfee Support along with details of the encountered issue.

Create a zip file with configuration and debug information.


Task
For option definitions, click ? in the interface.

1 On the McAfee ePO console, select Menu | Systems | System Tree.

2 Perform one of these actions.

• To apply the client task to a group, select a group in the System Tree and switch to the Assigned Client Tasks tab.

• To apply the client task to an endpoint, select the endpoint on the Systems page, then click Actions | Agent | Modify Tasks on a Single System.

3 Click Actions | New Client Task Assignment to open the Client Task Assignment Builder page.

4 Select the Solidcore 6.1.2 product, SC: Collect Debug Info task type, then click Create New Task to open the Client Task Catalog page.

5 Specify the task name and add any descriptive information.

6 Click Save.

7 Click Next to open the Schedule page.

8 Specify scheduling details, then click Next.

9 Review and verify the task details, then click Save.

10 Optionally, wake up the agent to send your client task to the endpoint immediately.

Place the endpoints in Disabled mode
Use this task to place the endpoints in Disabled mode.

Task
1 Select Menu | Systems | System Tree.

2 Perform one of these actions.

• To apply the client task to a group, select a group in the System Tree and switch to the Assigned Client Tasks tab.

• To apply the client task to an endpoint, select the endpoint on the Systems page, then click Actions | Agent | Modify Tasks on a Single System.

3 Click Actions | New Client Task Assignment to open the Client Task Assignment Builder page.

4 Select the Solidcore 6.1.2 product, SC: Disable task type, then click Create New Task to open the Client Task Catalog page.

5 Specify the task name and add any descriptive information.

6 Complete these steps.


License: Application Control
  Solidcore client version 5.1.2 or earlier (UNIX and Windows), or 6.0.0 and later (Windows)
    Select Force Reboot with the task to restart the endpoints.
  Solidcore client version 6.1.0 and later (UNIX)
    Deselect Force Reboot with the task if you are temporarily disabling the client protection for maintenance or troubleshooting. The software is disabled as soon as the task is applied. If you are disabling the software prior to uninstallation, select Force Reboot with the task.

License: Change Control
  Solidcore client version 6.0.1 or earlier (UNIX), or 6.0.0 and later (Windows)
    Select Force Reboot with the task to restart the endpoints.
  Solidcore client version 6.1.0 and later (UNIX)
    Deselect Force Reboot with the task if you are temporarily disabling the client protection for maintenance or troubleshooting. The software is disabled as soon as the task is applied. If you are disabling the software prior to uninstallation, select Force Reboot with the task.

7 Click Save.

8 Click Next to open the Schedule page.

9 Specify scheduling details, then click Next.

10 Review and verify the task details, then click Save.

11 Optionally, wake up the agent to send your client task to the endpoint immediately.

Send GTI feedback
Application Control includes these seeded server tasks that allow you to send feedback to McAfee on how you are currently using the GTI features.

• Solidcore: Send Event Feedback to Application Control GTI Cloud Server (disabled by default)

• Solidcore: Send Policy and Inventory Feedback to Application Control GTI Cloud Server (enabled by default to run daily)

No information about individual computers or users is sent to McAfee. In addition, McAfee stores no data that can be used to track the feedback information to a specific customer or organization.

You can configure the server tasks to send information on how you are currently using one or all of these parameters.


Policies
  Send information on Change Control, Application Control, and General policies.
  This information helps McAfee understand how you are currently using policies and applying rules and will eventually help McAfee improve the default policies and rules.

Events
  Send information, such as binary name and SHA1 value, for the Execution Denied, Process Hijack Attempted, and Nx Violation Detected events. You can also choose to send information on the number of endpoints on which the event occurred with the full path of the binary file.
  This information helps McAfee determine how frequently and effectively Application Control blocks actions and will eventually help us improve product functionality and efficacy.

Inventory
  Send detailed information for binary files, including base name, embedded application name, embedded application version, embedded version, and so on. You can also choose to send information on the number of endpoints on which the binary file is present, its execution status, and full path of the binary. The feedback does not include any information to identify the endpoints, such as system name or IP address.
  This information helps McAfee determine how you are using (and altering) the trust score and trust level values assigned to binary files. This information will eventually help McAfee improve the GTI file reputation service.

ePO identifier
  Send information on the unique McAfee ePO identifier.

Follow the steps to edit the server tasks.

Task
For option definitions, click ? in the interface.

1 On the McAfee ePO console, select Menu | Automation | Server Tasks.

2 Select Edit for a server task.

The Server Task Builder wizard opens.

3 Optionally, change the schedule status for the server task.

4 Click Save.

Purge data
Purge Solidcore reporting data by age or based on other parameters. When you purge data, the records are permanently deleted.

Task
For option definitions, click ? in the interface.

1 On the McAfee ePO console, select Menu | Automation | Server Tasks.

2 Click New Task to open the Server Task Builder wizard.

3 Type the task name, then click Next.

4 Select Solidcore: Purge from the Actions list.


5 Configure these options as required.

• Choose Feature - Select the reporting feature for which to purge records.

• Purge records older than - Select this option to purge the entries older than the specified age. This option is not applicable for features that do not have ageing criteria, such as inventory records.

• Purge by query - Select this option to purge the records for the selected feature that meet the query criteria. This option is only available for reporting features that support queries in McAfee ePO. Also, this option is supported only for tabular query results.

No seeded queries are available for purging. Prior to purging records, you must create the query from the Menu | Reporting | Queries & Reports page.

6 Click Next to open the Schedule page.

7 Specify schedule details, then click Next to open the Summary page.

8 Review and verify the details, then click Save.


13 Fine-tuning your configuration

Perform advanced configuration tasks to fine-tune your configuration.

Contents
Configure a syslog server
Solidcore permission sets
Customize end-user notifications

Configure a syslog server
You can access additional servers by registering them with your McAfee ePO server. Registered servers allow you to integrate your software with other external servers. Add the syslog server as a registered server and send information (responses or Solidcore events) to the syslog server.

Task
For option definitions, click ? in the interface.

1 Add the syslog server as a registered server.

a On the McAfee ePO console, select Menu | Configuration | Registered Servers, then click New Server to open the Registered Server Builder wizard.

b Select Solidcore Syslog Server from the Server type list.

c Specify the server name, add any notes, then click Next.

d Optionally, modify the syslog server port.

e Enter the server address.

You can choose to specify the DNS name, IPv4 address, or IPv6 address.

f Select the type of logs the server is configured to receive by selecting a value from the Syslog Facility list.

g Click Test Syslog send to verify the connection to the server.

h Click Save.

You can choose to send specific responses to the syslog server (complete step 2) or use the seeded response to send all Solidcore events to the syslog server (complete step 3).

2 Send responses to the syslog server.

a Select Menu | Automation | Automatic Responses.

b Click Actions | New Response.


c Enter the alert name.

d Select the ePO Notification Events group and Threat event type.

e Select Enabled, then click Next to open the Filter page.

f Define the relevant filters, then click Next to open the Aggregation page.

g Specify aggregation details, then click Next to open the Actions page.

h Select the Send Event To Solidcore Syslog action.

i Specify the severity and message.

You can use the listed variables to create the message string.

j Select the appropriate syslog servers (one or more), then click Next.

k Review the response details, then click Save.

3 Send all Solidcore events to the syslog server.

Application Control and Change Control include a seeded response that you can configure to automatically send all Solidcore events to the syslog server.

a Select Menu | Automation | Automatic Responses.

b Edit the Send Solidcore events to Syslog Server response to configure these options.

• Set the status to Enabled.

• Verify that the appropriate syslog server is selected.

• Review the message string.

The message string is based on the Common Exchange format. Contact McAfee Support for assistance in understanding the message string.

c Save the response.

Solidcore permission sets
A permission set is a collection of permissions that can be granted to any user by assigning it to the user's account. Permission sets control the level of access users have to the different features available in the software. While user accounts provide a means for users to access and use the software, each user account is associated with one or more permission sets that define what the user is allowed to do with the software.

Permission sets only grant rights and access; no permission set removes rights or access. When multiple permission sets are applied to a user account, they aggregate. For example, if one permission set does not provide any permissions to server tasks, but another permission set applied to the account grants all permissions to server tasks, that user account has all permissions for server tasks. Consider this as you plan your strategy for granting permissions to the users in your environment.

Solidcore default permission sets

When a new product extension is installed, it adds the product-specific permission sets to McAfee ePO. The Solidcore extension for Change Control and Application Control adds these permission sets:


Solidcore Admin
  Provides view and change permissions across McAfee ePO features. Users that are assigned this permission set each need at least one more permission set that grants access to needed products and groups of the System Tree.

Solidcore Reviewer
  Provides view permissions across McAfee ePO features. Users that are assigned this permission set each need at least one more permission set that grants access to needed products and groups of the System Tree.

If you need to create additional permission sets, use the Solidcore Admin permission set as a starting point and edit it as per your requirements. You can create, delete, modify, import, and export permission sets. For more information on working with permission sets, see McAfee ePolicy Orchestrator Software Product Guide.

Customize end-user notifications
If Application Control protection prevents an action on an endpoint, you can choose to display a customized notification message for the event on the endpoint.

You can configure the notification to be displayed on the endpoints for these events:

• Execution Denied

• File Write Denied

• File Read Denied

• Process Hijack Attempted

• Nx Violation Detected

• ActiveX Installation Prevented

• Package Modification Prevented

• VASR Violation Detected

Task
For option definitions, click ? in the interface.

1 On the McAfee ePO console, select Menu | Policy | Policy Catalog.

2 Select the Solidcore 6.1.2: Application Control product.

3 Select the Application Control Options (Windows) category.

4 Click the My Default policy to edit it.

5 Switch to the End User Notifications tab.

6 Select Show the messages dialog box when an event is detected and display the specified text in the message to display a message box at the endpoint each time any of the aforementioned events is generated.

7 Enter the helpdesk information.

Mail To
  Represents the email address to which all approval requests (from endpoints) are sent.

Mail Subject
  Represents the subject of the email message sent for approval requests (from endpoints).

Link to Website
  Indicates the website listed in the Application and Change Control Events window on the endpoints.

ePO IP Address and Port
  Specifies the McAfee ePO server address and port.

8 Customize the notifications for the various types of events.

a Enter the notification message.

You can use the listed variables to create the message string.


b Select Show Event in Dialog to make sure that all events of the selected event type (such as Execution Denied) are listed in the Application and Change Control Events window on the endpoints.

9 Save the policy and apply to the relevant endpoints.

10 From the endpoints, users can review the notifications for the events and request approval for certain actions.

a Right-click the McAfee Agent icon in the system tray on the endpoint.

b Select Quick Settings | Application and Change Control Events.

The Application and Change Control Events window appears.

c Review the events.

d Request approval for a certain action by selecting the event and clicking Request Approval.


A FAQs

Here are answers to frequently asked questions.

What is an Alternate Data Stream (ADS)? Does Change Control monitor changes to ADSs?

On the Microsoft NTFS file system, a file consists of multiple data streams. One stream holds the file contents and another contains security information. You can create alternate data streams (ADS) for a file to associate information or other files with the existing file. In effect, alternate data streams allow you to embed information or files in existing files. The ADSs associated with a file do not affect its contents or attributes and are not visible in Windows Explorer. So, for practical purposes, the ADSs associated with a file are hidden. Malicious users can misuse the ADS feature to associate malicious files with other files without the malicious files being detected.

Change Control monitors changes to ADSs associated with files on the Windows platforms. For a monitored file, all ADS-related changes, including stream creation, modification, update, deletion, and attribute changes, are reported as events. If you are also using Application Control, any executable programs (associated as an ADS with an existing file) are prevented from running. To disable ADS monitoring, execute the SC: Run Commands client task to run the sadmin features disable mon-ads command on the endpoint.

Why am I not receiving the events for user account activity for an endpoint?

User account activity is not tracked by default for endpoints. To track operations for user accounts, you must enable this feature specifically on endpoints on which Change Control is deployed and enabled. To enable this feature, execute the SC: Run Commands client task to run the sadmin features enable mon-uat command on the endpoint.

In addition, you must make sure that the Audit Policy is configured on the Windows operating system to allow generation of user activity events.

To successfully track user account activity for an endpoint, verify the Audit Policy configuration for the endpoint.

1 Navigate to Control Panel | Administrative Tools.

2 Double click Local Security Policy.

3 Select Local Policies | Audit Policy.

4 Double click the Audit account logon events policy.

5 Select Success and Failure, then click OK.

6 Repeat steps 4 and 5 for the Audit account management and Audit logon events policies.
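The same verification can be scripted for a fleet of endpoints instead of clicking through Local Security Policy. The following is an added example, not part of the McAfee guide; it uses the built-in auditpol.exe, whose category names "Account Logon", "Account Management" and "Logon/Logoff" correspond to the three GUI policies named in steps 4 to 6, and it must run from an elevated PowerShell prompt.

```powershell
# Added example (not from the McAfee guide): check that the three audit policies the FAQ
# requires are set to Success and Failure, using auditpol.exe instead of the GUI.
# Keys are the Local Security Policy names from the FAQ; values are the auditpol categories.
$required = @{
    'Audit account logon events' = 'Account Logon'
    'Audit account management'   = 'Account Management'
    'Audit logon events'         = 'Logon/Logoff'
}

function Get-AuditCategorySettings {
    param([Parameter(Mandatory)][string]$Category)
    # /r emits CSV with the columns:
    # Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
    $csv = auditpol /get /category:"$Category" /r
    if ($LASTEXITCODE -ne 0) {
        throw "auditpol failed for category '$Category' (exit code $LASTEXITCODE); run elevated."
    }
    # Drop blank lines before the header so ConvertFrom-Csv sees the header first
    $csv | Where-Object { $_ -match '\S' } | ConvertFrom-Csv
}

function Test-UserActivityAuditPolicy {
    # One object per audit subcategory; Compliant is true only for "Success and Failure",
    # which is what steps 4 to 6 of the FAQ select in the GUI.
    foreach ($guiName in $required.Keys) {
        foreach ($row in Get-AuditCategorySettings -Category $required[$guiName]) {
            [pscustomobject]@{
                GuiPolicy   = $guiName
                Subcategory = $row.Subcategory
                Setting     = $row.'Inclusion Setting'
                Compliant   = ($row.'Inclusion Setting' -eq 'Success and Failure')
            }
        }
    }
}

$results = Test-UserActivityAuditPolicy
$results | Format-Table -AutoSize

$gaps = @($results | Where-Object { -not $_.Compliant })
if ($gaps.Count -gt 0) {
    Write-Warning ("{0} audit subcategories are not set to Success and Failure; " +
                   "Change Control user account activity events may be incomplete.") -f $gaps.Count
    # Remediation, equivalent to the GUI steps; uncomment to apply (requires elevation):
    # foreach ($cat in $required.Values) {
    #     auditpol /set /category:"$cat" /success:enable /failure:enable | Out-Null
    # }
} else {
    Write-Output 'Audit Policy matches the FAQ requirements for user account activity tracking.'
}
```

Because the advanced audit subcategories are checked individually, the report also shows which specific subcategory under each legacy policy is missing, which the GUI check does not.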


What are the implications of recovering the local CLI access for an endpoint?

To troubleshoot or debug issues, you might need to recover the local CLI access for an endpoint. Recovering the local CLI for an endpoint prevents the enforcement of policies from McAfee ePO to the endpoint. This implies that when the CLI is recovered for an endpoint, no existing or new policies (created on the McAfee ePO console) are applied to that endpoint.

What is the significance of the label specified in a policy while configuring updaters, installers, and trusted users?

The specified labels help you correlate the generated events with the actions performed by the trusted resources. For example, when an event is generated for an action performed by a trusted user, the Workflow ID attribute for the event includes the label specified for the trusted user.

How do I unsolidify a file, directory, or volume?

To unsolidify a file, directory, or volume, run the SC: Run Commands client task with the sadmin unso <resource name> command.

As a best practice, we recommend that you do not unsolidify a system drive or volume.

Do Change Control and Application Control work in Network Address Translation (NAT) environments?

If the McAfee ePO server is able to communicate with the McAfee Agent in a NAT environment, Change Control and Application Control will work.

How can I trust applications developed for use within my organization?

Sign the applications with a self-generated certificate, then trust the certificate.

1 Perform one of these actions.

• Locate your certificate if you have an existing certificate.

• Generate an X.509 certificate pair using a tool such as makecert.exe (see http://msdn.microsoft.com/en-us/library/bfsktky3%28VS.80%29.aspx).

2 Export the certificate in PEM (Base-64 encoded X.509 - .CER) format.

3 Upload the certificate and add it to an Application Control policy as a trusted publisher.

4 Apply the policy to the endpoints.

5 Use the certificate to sign and verify all in-house applications. This can be done using a tool such as SignTool.exe.

When working with scripts, convert the script into a self-extracting executable file, then sign the file.

6 Define the internal certificate as a trusted publisher.
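The following PowerShell script is an added example, not part of the McAfee guide, that carries out the endpoint-side parts of this procedure: it locates the in-house code-signing certificate (step 1), writes it out as Base-64 encoded X.509 in the PEM form ePO accepts (step 2), signs the in-house binaries and verifies that each one was signed by exactly that certificate (step 5). It uses the built-in Set-AuthenticodeSignature and Get-AuthenticodeSignature cmdlets in place of SignTool.exe. The certificate subject, the paths, and the timestamp server URL are assumptions.

```powershell
# Added example (not from the McAfee guide). Assumed values are marked.
$ErrorActionPreference = 'Stop'
$SigningSubject = 'CN=Contoso In-House Code Signing'    # assumed; the -n value given to makecert
$ExportPath     = 'C:\ePO-upload\contoso-codesign.cer'  # assumed output path for the ePO upload
$BinaryRoot     = 'C:\Build\Release'                     # assumed folder holding the in-house executables
$TimestampUrl   = 'http://timestamp.digicert.com'        # assumed Authenticode timestamp server

# Step 1: locate the certificate. It must carry the Code Signing EKU and have a private key.
$cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
        Where-Object { $_.Subject -eq $SigningSubject -and $_.HasPrivateKey } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No usable code-signing certificate with subject '$SigningSubject'" }

# Step 2: export the public certificate only. RawData is DER; wrap it as Base-64 with
# 64-character lines, which is the "Base-64 encoded X.509 - .CER" (PEM) format the guide names.
$b64   = [Convert]::ToBase64String($cert.RawData)
$lines = for ($i = 0; $i -lt $b64.Length; $i += 64) {
    $b64.Substring($i, [Math]::Min(64, $b64.Length - $i))
}
$pem = @('-----BEGIN CERTIFICATE-----') + $lines + @('-----END CERTIFICATE-----')
New-Item -ItemType Directory -Path (Split-Path $ExportPath) -Force | Out-Null
Set-Content -Path $ExportPath -Value $pem -Encoding Ascii
# Steps 3 and 4 (upload the .cer as a trusted publisher and apply the policy) happen in the ePO console.

# Step 5: sign each in-house binary, then verify with a separate call rather than trusting the signer's return value.
$results = Get-ChildItem -Path $BinaryRoot -Recurse -Include *.exe, *.dll, *.msi | ForEach-Object {
    $null  = Set-AuthenticodeSignature -FilePath $_.FullName -Certificate $cert `
                 -HashAlgorithm SHA256 -TimestampServer $TimestampUrl
    $check = Get-AuthenticodeSignature -FilePath $_.FullName
    [pscustomobject]@{
        File        = $_.FullName
        # The signer must be *our* certificate, not merely some certificate Windows happens to trust.
        SignerOk    = ($null -ne $check.SignerCertificate -and
                       $check.SignerCertificate.Thumbprint -eq $cert.Thumbprint)
        # 'Valid' requires the chain to end in a root this machine trusts. For a self-generated
        # certificate that is not in Trusted Root, Windows reports 'UnknownError' even though
        # the signature itself is intact, so chain status is reported but not used as the gate.
        ChainStatus = $check.Status
    }
}
$results | Format-Table -AutoSize
if (@($results | Where-Object { -not $_.SignerOk }).Count -gt 0) {
    throw 'One or more binaries are unsigned or were signed by a different certificate'
}
```

The thumbprint comparison is the check that matters for this procedure: Application Control trusts the publisher by the certificate you uploaded, so a file signed by any other certificate, trusted by Windows or not, will still be blocked. The timestamp keeps the signature verifiable after the signing certificate expires; without it you would have to re-sign every binary when you rotate the certificate.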

Can I script sadmin commands?

Yes, you can script sadmin commands. While recovering the CLI, you are prompted to enter the password. To achieve this within a script, suffix the sadmin recover command with -z <password>. Treat that password as a secret: do not hard-code it in the script, and remember that a recovered CLI stops McAfee ePO policy enforcement on the endpoint until the CLI is locked again.
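As an added example, not part of the McAfee guide, the following PowerShell script recovers the CLI non-interactively with -z, runs the sadmin features enable mon-uat command from the user-account-tracking FAQ above, and re-locks the CLI in a finally block so the endpoint does not remain in the recovered state where ePO policies are not enforced. The password comes from an environment variable that the calling orchestration tool is assumed to set for that session only. The sadmin install path is an assumption, and sadmin lockdown is the command this product family uses to re-lock the CLI; it is not shown on this page.

```powershell
# Added example (not from the McAfee guide): scripted sadmin commands behind a locked CLI.
$ErrorActionPreference = 'Stop'
$SadminPath = 'C:\Program Files\McAfee\Solidcore\sadmin.exe'   # assumed install path

function Invoke-Sadmin {
    param([Parameter(Mandatory)][string[]]$Arguments)
    # Splatting the array passes each element as a separate positional argument to sadmin.exe.
    $out = & $SadminPath @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) {
        # Report only the verb: the argument list may contain the CLI password.
        throw "sadmin $($Arguments[0]) failed with exit code $LASTEXITCODE: $out"
    }
    $out
}

$cliPassword = $env:SADMIN_CLI_PASSWORD     # assumed: injected by the orchestration tool, never stored in the script
if ([string]::IsNullOrEmpty($cliPassword)) { throw 'SADMIN_CLI_PASSWORD is not set' }

$recovered = $false
try {
    # -z supplies the password non-interactively, as the FAQ above describes.
    Invoke-Sadmin -Arguments @('recover', '-z', $cliPassword) | Out-Null
    $recovered = $true

    # Work to do while the CLI is open: here, enable user-account activity tracking.
    Invoke-Sadmin -Arguments @('features', 'enable', 'mon-uat')
}
finally {
    # Always re-lock, even if a command above failed, so ePO policy enforcement resumes.
    if ($recovered) { Invoke-Sadmin -Arguments @('lockdown') | Out-Null }
    Remove-Variable -Name cliPassword -ErrorAction SilentlyContinue
    Remove-Item Env:\SADMIN_CLI_PASSWORD -ErrorAction SilentlyContinue
}
```

Passing the password with -z exposes it on the sadmin.exe command line for the duration of that one call, so anyone who can enumerate processes on the endpoint at that moment can read it; run such scripts only under an account that already has local administrator rights, and prefer the SC: Run Commands client task from ePO where the command does not need a recovered CLI.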


How can I resolve discrepancies and inconsistencies in the Solidcore rule groups after upgrading the Solidcore extension? When I access the Rule Groups page, an Internal Server Error is displayed.

Run the Rule Group Sanity Check server task from the McAfee ePO console to fix the inconsistencies in the rule groups. This server task reports and corrects (if possible) discrepancies and inconsistencies in the Solidcore rule groups and policies.

1 Select Menu | Automation | Server Tasks.

2 Click New Task.

The Server Task Builder wizard opens.

3 Type the task name and click Next.

4 Select Solidcore: Rule Group Sanity Check from the Actions drop-down list.

5 Click Next.

6 Specify the schedule for the task.

7 Click Next.

The Summary page appears.

8 Review the task summary and click Save.

9 Review the logs generated by the server task (on the Server Task Log page) to view the warnings, if any.

What can I do to manage the predefined rules available with Change Control and Application Control?

We recommend that you revisit the predefined rules available with Change Control and Application Control when you install or upgrade the Solidcore extension. Because the software installed on the endpoints in your enterprise may change (is added or removed), you must revise the rules periodically. Based on the software installed on the endpoints in your setup, revise the rules and remove unwanted or irrelevant rules.

How can I enable or disable selected features on endpoints from the McAfee ePO console?

Use the Application Control Options (Windows) policy to enable or disable selected features on endpoints from the McAfee ePO console.

1 Select Menu | Policy | Policy Catalog.

2 Select the Solidcore 6.1.2: Application Control product.

3 Select the Application Control Options (Windows) category.

4 Click the My Default policy.

5 Switch to the Features tab.

6 Select the Enforce feature control from ePO option.

7 Select the features to enable or disable.

8 Save the policy and apply to the relevant endpoints.


What proxy is used by Application Control to communicate with the GTI server?

Application Control uses the proxy server configured on the Menu | Configuration | Server Settings | Proxy Settings page on the McAfee ePO console. If no proxy server is configured, Application Control communicates directly with the GTI server.

What is the address of the GTI server?

Application Control communicates with these two GTI servers:

Application Control GTI Cloud Server https://cwl.gti.mcafee.com/api/index.php/api

Application Control GTI Cloud Feedback Server https://cwl.gti.mcafee.com/api/index.php/etl

Complete these steps to view the configuration for the GTI servers:

1 Select Menu | Configuration | Registered Servers.

2 Select the Application Control GTI Cloud Server entry and click Actions | Edit.

The Registered Server Builder page displays.

3 Click Next.

4 Review the GTI server configuration.


B Change Control and Application Control events

This table provides a detailed list of all Change Control and Application Control events, with the display string shown for each event, the severity assigned by the Solidcore client, and the severity shown in McAfee ePO. The original table also flags each event as a Change Control event, an Application Control event, or a Solidcore client-related event; that flag did not survive extraction and is omitted below.

| Event Name | Event Display String | Solidcore Client Severity | McAfee ePO Severity |
| --- | --- | --- | --- |
| BOOTING_DISABLED | Booted in Disabled mode | Warning | Warning |
| BOOTING_ENABLED | Booted in Enabled mode | Info | Information |
| BOOTING_UPDATE_MODE | Booted in Update mode | Info | Information |
| ENABLED_DEFERRED | Enabled On Reboot | Info | Information |
| DISABLED_DEFERRED | Disabled On Reboot | Warning | Warning |
| BEGIN_UPDATE | Opened Update Mode | Info | Information |
| END_UPDATE | Closed Update Mode | Info | Information |
| COMMAND_EXECUTED | Command Executed | Info | Information |
| REG_KEY_CREATED | Registry Created | Info | Information |
| REG_KEY_DELETED | Registry Deleted | Info | Information |
| REG_VALUE_DELETED | Registry Deleted | Info | Information |
| PROCESS_TERMINATED | Process Terminated | Major | Error |
| WRITE_DENIED | File Write Denied | Major | Error |
| EXECUTION_DENIED | Execution Denied | Major | Error |
| PROCESS_TERMINATED_UNAUTH_SYSCALL | Process Terminated | Major | Error |
| PROCESS_TERMINATED_UNAUTH_API | Process Terminated | Major | Error |
| MODULE_LOADING_FAILED | Module Loading Failed | Major | Error |
| FILE_ATTR_SET | File Attribute Set | Info | Information |
| FILE_ATTR_CLEAR | File Attribute Cleared | Info | Information |
| FILE_ATTR_SET_UPDATE | File Attribute Set | Info | Information |
| FILE_ATTR_CLEAR_UPDATE | File Attribute Cleared | Info | Information |
| REG_VALUE_WRITE_DENIED | Registry Write Denied | Major | Error |
| REG_KEY_WRITE_DENIED | Registry Write Denied | Major | Error |
| REG_KEY_CREATED_UPDATE | Registry Created | Info | Information |
| REG_KEY_DELETED_UPDATE | Registry Deleted | Info | Information |
| REG_VALUE_DELETED_UPDATE | Registry Deleted | Info | Information |
| OWNER_MODIFIED | File Ownership Changed | Info | Information |
| OWNER_MODIFIED_UPDATE | File Ownership Changed | Info | Information |
| PROCESS_HIJACKED | Process Hijack Attempted | Major | Error |
| INVENTORY_CORRUPT | Inventory Corrupted | Critical | Critical |
| BOOTING_DISABLED_SAFEMODE | Booted in Disabled mode | Warning | Warning |
| BOOTING_DISABLED_INTERNAL_ERROR | Booted in Disabled mode | Critical | Critical |
| FILE_CREATED | File Created | Info | Information |
| FILE_DELETED | File Deleted | Info | Information |
| FILE_MODIFIED | File Modified | Info | Information |
| FILE_ATTR_MODIFIED | File Attribute Modified | Info | Information |
| FILE_RENAMED | File Renamed | Info | Information |
| FILE_CREATED_UPDATE | File Created | Info | Information |
| FILE_DELETED_UPDATE | File Deleted | Info | Information |
| FILE_MODIFIED_UPDATE | File Modified | Info | Information |
| FILE_ATTR_MODIFIED_UPDATE | File Attribute Modified | Info | Information |
| FILE_RENAMED_UPDATE | File Renamed | Info | Information |
| FILE_SOLIDIFIED | File Solidified | Info | Information |
| FILE_UNSOLIDIFIED | File Unsolidified | Info | Information |
| ACL_MODIFIED | File Acl Modified | Info | Information |
| ACL_MODIFIED_UPDATE | File Acl Modified | Info | Information |
| PROCESS_STARTED | Process Started | Info | Information |
| PROCESS_EXITED | Process Exited | Info | Information |
| TRIAL_EXPIRED | Trial license expired | Major | Error |
| READ_DENIED | File Read Denied | Major | Error |
| USER_LOGON_SUCCESS | User Logged On | Info | Information |
| USER_LOGON_FAIL | User Logon Failed | Info | Information |
| USER_LOGOFF | User Logged Off | Info | Information |
| USER_ACCOUNT_CREATED | User Account Created | Info | Information |
| USER_ACCOUNT_DELETED | User Account Deleted | Info | Information |
| USER_ACCOUNT_MODIFIED | User Account Modified | Info | Information |
| PKG_MODIFICATION_PREVENTED | Package Modification Prevented | Critical | Critical |
| PKG_MODIFICATION_ALLOWED_UPDATE | Package Modification Allowed | Info | Information |
| PKG_MODIFICATION_PREVENTED_2 | Package Modification Prevented | Critical | Critical |
| NX_VIOLATION_DETECTED | Nx Violation Detected | Critical | Critical |
| REG_VALUE_MODIFIED | Registry Modified | Info | Information |
| REG_VALUE_MODIFIED_UPDATE | Registry Modified | Info | Information |
| UPDATE_MODE_DEFERRED | Update Mode On Reboot | Info | Information |
| FILE_READ_UPDATE | File read in update mode | Info | Information |
| STREAM_CREATED | Alternate Data Stream Created | Info | Information |
| STREAM_DELETED | Alternate Data Stream Deleted | Info | Information |
| STREAM_MODIFIED | Alternate Data Stream Modified | Info | Information |
| STREAM_ATTR_MODIFIED | Attribute Modified in Data Stream | Info | Information |
| STREAM_CREATED_UPDATE | Alternate Data Stream Created | Info | Information |
| STREAM_DELETED_UPDATE | Alternate Data Stream Deleted | Info | Information |
| STREAM_MODIFIED_UPDATE | Alternate Data Stream Modified | Info | Information |
| STREAM_ATTR_MODIFIED_UPDATE | Attribute Modified in Data Stream | Info | Information |
| STREAM_ATTR_SET | Attribute Added in Data Stream | Info | Information |
| STREAM_ATTR_CLEAR | Attribute Cleared in Data Stream | Info | Information |
| STREAM_ATTR_SET_UPDATE | Attribute Added in Data Stream | Info | Information |
| STREAM_ATTR_CLEAR_UPDATE | Attribute Cleared in Data Stream | Info | Information |
| STREAM_RENAMED | Alternate Data Stream Renamed | Info | Information |
| STREAM_RENAMED_UPDATE | Alternate Data Stream Renamed | Info | Information |
| BEGIN_OBSERVE | Start Observe Mode | Info | Information |
| BEGIN_OBSERVE_DEFERRED | Start Observe Mode On Reboot | Info | Information |
| END_OBSERVE | End Observe Mode | Info | Information |
| END_OBSERVE_DEFERRED | End Observe Mode On Reboot | Info | Information |
| INITIAL_SCAN_TASK_COMPLETED | Initial Scan Completed | Info | Information |
| BOOTING_OBSERVE | Booted in Observe Mode | Info | Information |
| ACTX_ALLOW_INSTALL | ActiveX installation Allowed | Info | Information |
| ACTX_INSTALL_PREVENTED | ActiveX installation Prevented | Major | Error |
| VASR_VIOLATION_DETECTED | VASR Violation Detected | Critical | Critical |

Index

A
about this guide 7
ActiveX controls 89
Address Space Layout Randomization (ASLR) 58
advanced configuration tasks
    configure syslog server 125
    end-user notifications 127
    permission sets 126
advanced exclusion filters (AEFs)
    add 53
    overview 21
agent-server communication interval (ASCI) 69
alerts, purge 122
Alternate Data Stream (ADS) 129
Application Control
    activation options 71
    deploy in Observe mode 69–71
    disable 120
    dry run 50
    enable 83, 118
    modes 50
    overview and uses 11
    predefined rules 85
    whitelist 51

B
binaries
    add to whitelist 77, 110
    allow by checksum 74, 108
    allow by publishers 75, 108
    ban by checksum 75, 108
    bypass rules 77
    export SHA1s 95
    fetch GTI ratings 94
    in inventory, review 97
    trust level and score 92

C
certificates
    add 63, 129
    add publishers 53
    assign policy or rule group 64
    authorize programs or files 51
    manage 62
    search 64
    supported 62, 129
    view assignments 65
Change Control
    dashboards 45
    enable 18
    exclude events 45
    modes 15
    overview and uses 12
    queries 45
    track content changes 29
change window 50, 117, 118
checksum
    authorize programs or files 51, 74, 108
    ban programs or files 75, 108
client task log, purge 122
command line interface (CLI)
    password 119, 129
    recover 129
content changes
    compare files 31
    configure settings 29
    events 44
    generate report 33
    manage file versions 30
    monitor file changes 32
    purge 122
    track 28, 29
conventions and icons used in this guide 7
Critical Address Space Protection (CASP)
    about 58
    define bypass rules 88

D
dashboards
    Application Control 113
    Change Control 45
Data Execution Prevention (DEP) 58
data, purge
    alerts 122
    client task log 122
    content change tracking data 122
    events 122
    image deviation 122
    inventory 122
    policy discovery 122
deprecated
    Observations page 73
    Self Approval page 73
directories
    monitor 24–27
    path considerations 24
    read-protect 35, 37
    remove from whitelist 129
    track content changes 28, 29
    unsolidify 129
    write-protect 35, 37
Disabled mode
    overview, Application Control 50
    overview, Change Control 15
    place in 120
documentation
    audience for this guide 7
    product-specific, finding 9
    typographical conventions and icons 7

E
emergency changes 50, 117, 118
Enabled mode
    overview, Application Control 50
    overview, Change Control 15
    place in, Application Control 83, 118
    place in, Change Control 18
end-user notifications 127
ePolicy Orchestrator
    access additional servers 125
    add certificates 63
    add installers 66
    dashboards, Application Control 113
    dashboards, Change Control 45
    fetch GTI ratings for isolated environments 94
    import GTI result file 96
    install 11
    manage events 43
    queries, Application Control 113
    queries, Change Control 45
    throttle observations 79
    verify the import of GTI ratings 97
    view queries, Application Control 114
    view queries, Change Control 48
events
    add advanced exclusion filters (AEFs) 53
    exclude 45, 88
    for user account activity 129
    list 133
    purge data 122
    review and manage 43, 86
    view content changes 44

F
features, enable or disable 129
files
    add advanced exclusion filters (AEFs) 53
    add to whitelist 77, 110
    allow or ban, binary files 53
    Alternate Data Stream (ADS) 129
    authorize by checksum 74, 108
    authorize by publishers 75, 108
    authorized and whitelisted 51
    ban by checksum 75, 108
    bypass rules 77, 88
    export SHA1s 95
    fetch GTI ratings 94
    how to authorize 51
    in inventory, review 97
    manage content changes 28–30
    monitor 21, 24–27
    path considerations 24
    read-protect 35, 37
    remove from whitelist 129
    self approve 103, 104
    track content changes 29
    tracked, content change tracking report 33
    trust level and score 92
    unsolidify 129
    view and manage events, Change Control 43
    view content changes, events 44
    write-protect 35, 37
filters
    overview 12
    use seeded 97
Forced DLL Relocation
    about 58
    define bypass rules 88
frequently asked questions (FAQs) 129
Full Feature Activation 71, 83

G
Generic Launcher Processes 70, 105
graylist 99

I
image deviation
    how to 101
    purge 122
installers
    add 53, 66
    assign 66
    description 52
    manage 65
    search 67
    view assignments 67
Integrity Monitor
    create rule groups 16
    dashboards 45
    import or export rule groups 17
    manage rule groups 16
    monitoring rules 25, 26
    view assignments for a rule group 18
inventory
    compare 101
    export SHA1s 95
    fetch 93
    fetch GTI ratings 94, 95
    file categories 99
    guidelines to fetch 93
    import GTI result file 96
    manage 91, 97
    purge 122
    review 97
    set the base image 100

L
license 11
Limited Feature Activation 71, 83

M
McAfee Global Threat Intelligence (McAfee GTI)
    address of cloud and feedback server 129
    fetch ratings 94
    file reputation service 95
    import GTI result file 96
    proxy server 129
    run the Offline GTI tool 95
    send feedback 121
    trust level and score 92
    verify the import of GTI ratings 97
McAfee ServicePortal, accessing 9
McAfee Support
    collect information for configuration and debug 119
    configure settings for GTI ratings 96
McAfee Threat Intelligence Services (MITS) 58
memory-protection techniques
    bypass 77, 88
    Critical Address Space Protection (CASP) 58
    Forced DLL Relocation 58
    mp-casp (Critical Address Space Protection) 58
    mp-nx (No eXecute) 58
    mp-vasr (Virtual Address Space Randomization) 58
    mp-vasr-randomization (VASR Randomization) 58
    mp-vasr-rebase (VASR Rebasing) 58
    mp-vasr-reloc (VASR Relocation for 64-bit) 58
    mp-vasr-relocation (VASR Relocation for 32-bit) 58
    No eXecute (NX) 58
    Virtual Address Space Randomization (VASR) 58
modes
    Disabled, Application Control 120
    Disabled, Change Control 120
    Enabled, Application Control 83, 118
    Enabled, Change Control 18, 118
    Observe 52, 69, 80
    overview, Application Control 50
    overview, Change Control 15
    Update 52, 118
monitoring rules
    actions 25
    changes to Alternate Data Stream (ADS) 129
    define 24
    how it works 21
    policies 27
    review, predefined rules 26

N
Network Address Translation (NAT) environments 129
No eXecute (NX)
    about 58
    define bypass rules 88

O
observations
    description 69
    manage 73
    restart generation 80
    review rules for throttling 80
    throttle 79
Observe mode
    description 52, 69
    exit 80
    overview 50
    place in 69–71
    throttle observations 79
Offline GTI tool 95

P
paths
    add to whitelist 77, 110
    system variables and considerations 24, 36, 53
permission sets 126
policies
    assign certificates 64
    assign installers 66
    change CLI password 119
    create 87
    define rule groups 15, 60
    define rules to override protection 87
    exclusion rules 74
    monitoring 27
    protection 39
    specified labels 129
    throttling 80
    view assignments for certificates 65
    view assignments for installers 67
prerequisites 11
programs
    add advanced exclusion filters (AEFs) 53
    authorize 51
    potentially unwanted programs (PUPs) 92
    updaters 52
publishers
    add 53
    authorize programs or files 51, 75, 108
    description 52
    manage 62
    search 64
    trusted 62

Q
queries
    Application Control 113
    Change Control 45
    view, Application Control 114
    view, Change Control 48

R
read-protection feature
    enable 40
    override 37
    overview 12
    rules 35, 37
real-time monitoring 12
recommendations
    convert scripts to self-extracting executable file 129
    duplicate query for content change tracking report generation 33
    for allowed binary and updater configuration 52
    for drives or volumes in the whitelist 129
    retain default policies 85
    Self Approval feature, Full Feature Activation mode 103
registry keys
    add advanced exclusion filters (AEFs) 53
    monitor 21, 24–27
    path considerations 24
    write-protect 35, 37
requests
    add to whitelist 77, 110
    bypass rules 77
    define custom rules 76, 109
    delete 78, 111
    manage 73
    manage, accumulated 80
    process 74
    purge 122
    review rules 78, 111
    review Self Approval 103, 104, 106
Restricted Publisher Names 70, 105
Return-Oriented Programming (ROP) 58
rule groups
    assign certificates 64
    assign installers 66
    create and manage, Application Control 61
    create and manage, Integrity Monitor and Change Control 16
    define bypass rules 88
    define rules to override protection 87
    global rules 78, 111
    import or export, Application Control 62
    import or export, Integrity Monitor and Change Control 17
    overview, Application Control 60
    overview, Change Control 15
    resolve discrepancies and inconsistencies 129
    view assignments for certificates 65
    view assignments for installers 67
    view assignments, Application Control 62
    view assignments, Integrity Monitor and Change Control 18
rules
    manage predefined 129
    monitoring 21
    protection 35–37

S
Self Approval feature
    configure 70, 105
    enable 103, 104
    what is 103
ServicePortal, finding product documentation 9
syslog server 125
system variables 24, 36

T
Technical Support, finding product information 9
trust model
    add certificates 63, 129
    add installers 66
    add to whitelist 77, 110
    authorize by checksum 74, 108
    authorize by publishers 75, 108
    ban by checksum 75, 108
    define rules 53, 76, 109
    installers 52
    Observe mode 52, 69, 70
    publishers 52
    trusted directories 52
    trusted users 52
    Update mode 52
    updaters 52
trusted directories
    add 53
    description 52
trusted users
    add 53
    description 52
    override read-protection and write-protection 37

U
Update mode
    description 52
    make emergency changes 117
    overview, Application Control 50
    overview, Change Control 15
    place in 118
updaters
    add 53
    description 52
    override read-protection and write-protection 37
users
    account activity 129
    add trusted users 53
    approve requests 103, 104
    end-user notifications 127
    monitor 21
    permission sets 126
    review requests 106

V
Virtual Address Space Randomization (VASR)
    about 58
    define bypass rules 88
volumes
    read-protect 35
    remove from whitelist 129
    unsolidify 129
    write-protect 35

W
what's in this guide 8
whitelist
    add to 77, 110
    allow changes 52
    compare 101
    export SHA1s 95
    fetch 93
    fetch GTI ratings 94, 95
    file categories 99
    guidelines to fetch 93
    import GTI result file 96
    manage 91, 97
    overview 51
    review 97
    set the base image 100
write-protection feature
    override 37
    overview 12
    rules 35, 37