McAfee Change Control and McAfee Application Control 6.1.2 Product Guide
For use with ePolicy Orchestrator 4.6.0 - 5.0.1 Software



COPYRIGHT
Copyright 2013 McAfee, Inc. Do not copy without permission.

TRADEMARK ATTRIBUTIONS
McAfee, the McAfee logo, McAfee Active Protection, McAfee DeepSAFE, ePolicy Orchestrator, McAfee ePO, McAfee EMM, Foundscore, Foundstone, PolicyLab, McAfee QuickClean, Safe Eyes, McAfee SECURE, SecureOS, McAfee Shredder, SiteAdvisor, McAfee Stinger, McAfee Total Protection, TrustedSource, VirusScan, WaveSecure are trademarks or registered trademarks of McAfee, Inc. or its subsidiaries in the United States and other countries. Other names and brands may be claimed as the property of others.

Product and feature names and descriptions are subject to change without notice. Please visit mcafee.com for the most current products and features.

LICENSE INFORMATION

License Agreement
NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND.

    2 McAfee Change Control and McAfee Application Control 6.1.2 Product Guide


Contents

Preface 7
  About this guide 7
    Audience 7
    Conventions 7
    What's in this guide 8
  Find product documentation 9

1 Introduction 11
  Application Control overview 11
  Change Control overview 12

2 Getting started with Change Control 15
  Change Control modes 15
  What are rule groups? 15
  Manage rule groups 16
    Create rule groups 16
    Import or export rule groups 17
    View assignments for a rule group 18
  Enable Change Control 18

3 Monitoring the file system and registry 21
  How monitoring rules work 21
  How do I define monitoring rules? 24
    System variables 24
    Path considerations 24
    Monitoring rules 25
  Review predefined monitoring rules 26
  Create monitoring policies 27
  Manage content changes 28
    Content change tracking settings 28
    Configure settings for tracking content changes 29
    Track content changes 29
    Manage file versions 30
    Compare files 31
    Receive change details 32

4 Protecting the file system and registry 35
  How protection rules work 35
  Defining protection rules 36
    System variables 36
    Path considerations 37
    Protection rules 37
  Create a protection policy 39
  Enable read protection 40

5 Monitoring and reporting 43
  Manage events 43
    Review events 43
    View content changes 44
    Exclude events 45
  Dashboards 45
  Queries 45
  View queries 48

6 Getting started with Application Control 49
  Application Control modes 50
  How do I manage protected endpoints? 51
    Authorizing files and programs 51
    Allowing changes to endpoints 52
  Design the trust model 53
  Memory-protection techniques 58
  What are rule groups? 60
  Manage rule groups 61
    Create a rule group 61
    Import or export a rule group 62
    View assignments for a rule group 62
  Manage certificates 62
    Add a certificate 63
    Assign a certificate 64
    Search for a certificate 64
    View assignments for a certificate 65
  Manage installers 65
    Add an installer 66
    Assign an installer 66
    Search for an installer 67
    View assignments for an installer 67

7 Deploying Application Control in Observe mode 69
  What are observations? 69
  Deploying in Observe mode 70
  Configure the feature 70
  Place endpoints in Observe mode 71
  Manage requests 73
    Review requests 73
    Process requests 74
    Review created rules 78
  Throttle observations 79
    Define the threshold value 79
    Review filter rules 80
    Manage accumulated requests 80
    Restart observation generation 80
  Exit Observe mode 80

8 Monitoring your protection 83
  Enable Application Control 83
  Review predefined rules 85
  Review events 86
  Define rules 87
    Create a policy 87
    Exclude events 88
    Define bypass rules 88
  ActiveX controls 89

9 Managing the inventory 91
  How the inventory is updated 91
  Trust level and score 92
  Guidelines for fetching inventory 93
  Fetch the inventory 93
  Fetch McAfee GTI ratings for isolated McAfee ePO environments 94
    Export SHA1s of all binaries 95
    Run the Offline GTI tool 95
    Import the GTI result file 96
    Verify the import 97
  Review the inventory 97
  Manage the inventory 99
  Set the base image 100
  Compare the inventory 101
    Run the inventory comparison 101
    Review the comparison results 102

10 Managing approval requests 103
  What is Self Approval? 103
  Enable Self Approval on endpoints 104
  Configure the feature 105
  Review requests 106
  Process requests 107
    Allow by checksum on all endpoints 108
    Allow by publisher on all endpoints 108
    Ban by checksum on all endpoints 108
    Define custom rules for specific endpoints 109
    Allow by adding to whitelist for specific endpoints 110
    Delete requests 111
  Review created rules 111

11 Using dashboards and queries 113
  Dashboards 113
  Queries 113
  View queries 114

12 Maintaining your systems 117
  Make emergency changes 117
    Place the endpoints in Update mode 118
    Place the endpoints in Enabled mode 118
  Change the CLI password 119
  Collect debug information 119
  Place the endpoints in Disabled mode 120
  Send GTI feedback 121
  Purge data 122

13 Fine-tuning your configuration 125
  Configure a syslog server 125
  Solidcore permission sets 126
  Customize end-user notifications 127

A FAQs 129

B Change Control and Application Control events 133

Index 139

Preface

This guide provides the information you need to configure, use, and maintain your McAfee product.

Contents: About this guide; Find product documentation

About this guide

This information describes the guide's target audience, the typographical conventions and icons used in this guide, and how the guide is organized.

Audience

McAfee documentation is carefully researched and written for the target audience.

The information in this guide is intended primarily for:

• Administrators: People who implement and enforce the company's security program.
• Users: People who use the computer where the software is running and can access some or all of its features.

Conventions

This guide uses these typographical conventions and icons.

• Book title, term, emphasis: Title of a book, chapter, or topic; a new term; emphasis.
• Bold: Text that is strongly emphasized.
• User input, code, message: Commands and other text that the user types; a code sample; a displayed message.
• Interface text: Words from the product interface like options, menus, buttons, and dialog boxes.
• Hypertext blue: A link to a topic or to an external website.
• Note: Additional information, like an alternate method of accessing an option.
• Tip: Suggestions and recommendations.
• Important/Caution: Valuable advice to protect your computer system, software installation, network, business, or data.
• Warning: Critical advice to prevent bodily harm when using a hardware product.

What's in this guide

This guide is organized to help you find the information you need.

This document is meant as a reference to use along with the Change Control, Application Control, and McAfee ePO interfaces. It provides information on configuring and using the Change Control and Application Control products. For each section, "Applies to" states whether the section is relevant to Change Control, Application Control, or both.

• Introduction: Provides an overview of the Change Control and Application Control products. Applies to: Change Control and Application Control.
• Getting started with Change Control: Details the various Change Control-related concepts, such as modes and rule groups, and describes how to enable the product. Applies to: Change Control only.
• Monitoring the file system and registry: Provides concepts and instructions to help you define rules to monitor files and registry entries for changes. Applies to: Change Control only.
• Protecting the file system and registry: Provides concepts and instructions to help you define rules to read-protect and write-protect files and registry entries. Applies to: Change Control only.
• Monitoring and reporting: Describes how to use events, dashboards, and queries to monitor the enterprise status when using the Change Control product. Applies to: Change Control only.
• Getting started with Application Control: Details the various Application Control-related concepts, such as modes, trust model, rule groups, installers, and publishers. Applies to: Application Control only.
• Deploying Application Control in Observe mode: Provides detailed instructions to help you place Application Control in Observe mode to perform a dry run of the product. Applies to: Application Control only.
• Monitoring your protection: Describes how to enable Application Control and details routine tasks to perform when the product is running in Enabled mode. Applies to: Application Control only.
• Managing the inventory: Provides instructions to help you fetch, review, and manage the software inventory for protected endpoints. Applies to: Application Control only.
• Managing approval requests: Provides instructions to help you review, process, and manage approval requests received from the endpoints in the enterprise. Applies to: Application Control only.
• Using dashboards and queries: Describes how to use dashboards and queries to monitor the enterprise status when using the Application Control product. Applies to: Application Control only.
• Maintaining your systems: Details various tasks to help you maintain the protected endpoints. Applies to: Change Control and Application Control.
• Fine-tuning your configuration: Describes advanced configuration tasks that help you fine-tune your configuration. Applies to: Change Control and Application Control.
• FAQs: Provides answers to frequently asked questions. Applies to: Change Control and Application Control.
• Change Control and Application Control events: Provides a detailed list of all Change Control and Application Control events. Applies to: Change Control and Application Control.

Find product documentation

McAfee provides the information you need during each phase of product implementation, from installation to daily use and troubleshooting. After a product is released, information about the product is entered into the McAfee online KnowledgeBase.

Task

1 Go to the McAfee Technical Support ServicePortal at http://mysupport.mcafee.com.

2 Under Self Service, access the type of information you need:

• User documentation: Click Product Documentation, select a product, then select a version, then select a product document.
• KnowledgeBase: Click Search the KnowledgeBase for answers to your product questions, or click Browse the KnowledgeBase for articles listed by product and version.

1 Introduction

Get familiar with the Change Control and Application Control software and learn how they protect your environment.

Before you can configure and use McAfee Change Control or McAfee Application Control, you must:

• Make sure that McAfee ePolicy Orchestrator 5.0 or 4.6 is installed and running. For more information on installing McAfee ePO 5.0 or 4.6, see the ePolicy Orchestrator 5.0 Installation Guide or the ePolicy Orchestrator 4.6 Installation Guide, respectively.
• Make sure that Change Control or Application Control is installed and running. For more information on installation, see the McAfee Change Control and Application Control Installation Guide.
• Make sure valid licenses are added for using Change Control and Application Control. For more information on adding licenses, see the McAfee Change Control and Application Control Installation Guide.

Contents: Application Control overview; Change Control overview

Application Control overview

Today's IT departments face tremendous pressure to make sure that their endpoints comply with many different security policies, operating procedures, corporate IT standards, and regulations. Extending the viability of fixed-function devices such as point-of-sale (POS) terminals, customer service terminals, and legacy Windows NT platforms has become critical.

Application Control uses dynamic whitelisting to make sure that only trusted applications run on devices, servers, and desktops. This gives IT the greatest degree of visibility and control over clients, and helps enforce software license compliance. Here are some product features.

• Protects your organization against malware attacks before they occur by proactively controlling the applications executing on your desktops, laptops, and servers.
• Locks down the protected endpoints against threats and unwanted changes, with no file system scanning or other periodic activity that could impact system performance.
• Augments traditional security solutions and enables IT to allow only approved system and application software to run. Blocks unauthorized or vulnerable applications that may compromise endpoints, without imposing operational overhead. This makes sure that end users cannot accidentally introduce software that poses a risk to the business.
• Uses dynamic whitelisting to make sure that only trusted applications run on devices, servers, and desktops. McAfee's dynamic whitelisting trust model eliminates the labor and cost associated with other whitelisting technologies, thereby reducing overhead and increasing continuity.
• Provides IT control over endpoints and helps enforce software license compliance. With Application Control, IT departments can eliminate unauthorized software on endpoints, while providing employees greater flexibility to use the resources they need to get their jobs done.
• Eliminates the need for IT administrators to manually maintain lists of approved applications. This enables IT departments to adopt a flexible approach where a repository of trusted applications can run on endpoints. This prevents execution of all unauthorized software, scripts, and dynamic link libraries (DLLs), and further defends against memory exploits.
• Works effectively when integrated with McAfee ePO and in standalone mode without network access. The product is designed to operate in a variety of network and firewall configurations.
• Runs transparently on endpoints. It can be set up quickly with very low initial and ongoing operational overhead and minimal impact on CPU cycles.

Change Control overview

Change Control allows you to monitor and prevent changes to the file system, registry, and user accounts. You can view details of who made changes, which files were changed, what changes were made to the files, and when and how the changes were made. You can write-protect critical files and registry keys from unauthorized tampering. You can read-protect sensitive files. To ease maintenance, you can define trusted programs or users that are allowed to update protected files and registry keys.

In effect, a change is permitted only if it is applied in accordance with the update policies. Using Change Control, you can perform these actions:

• Detect, track, and validate changes in real time
• Gain visibility into ad-hoc changes
• Eliminate ad-hoc changes using protection rules
• Enforce approved change policies and compliance

Real-time monitoring

Change Control provides real-time monitoring for file and registry changes. Real-time monitoring eliminates the need to perform scan after scan on endpoints and identifies transient change violations, such as when a file is changed and then restored to its earlier state; a periodic scan that only compares the current content with a baseline never sees such a change. It captures every change, including the time of the change, who made the change, what program was used to make the change, and whether the change was made manually or by an authorized program. It maintains a comprehensive and up-to-date database (on McAfee ePO) that logs all attempts to modify files, registry keys, and local user accounts.

Customizable filters

You can use filters to make sure that only relevant changes make it to the database. You can define filters to match the file name, directory name, registry key, process name, file extension, and user name. Using these criteria, you can define two types of filters:

• Include filters to receive information on events matching the specified filtering criteria.
• Exclude filters to ignore information on events matching the specified filtering criteria.

Filtering events is needed to control the volume of change events. Typically, a number of changes are program-generated and need not be reported to the system administrator. If programmatic and automatic change activity is high, a large number of change events can overwhelm the system. Using filters makes sure that only relevant change events are recorded.
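The two behaviours just described, real-time capture of transient changes and include/exclude filtering, as an added example in Python that is not part of this guide and not McAfee's code. It simulates an endpoint in memory: every write emits a change event (a stand-in for the agent's kernel hook), a hash snapshot taken before and after plays the role of a periodic scan, and filters built from the listed criteria are applied to the event stream. The event field names, the filter precedence (exclude wins; include narrows) and the sample activity are all constructed for the example.

```python
"""Added example, not McAfee code: real-time change events versus periodic
scans, plus include/exclude filters over the event stream. Everything is
simulated in memory. Event fields mirror the guide's filter criteria (path,
directory, process name, user name). Filter precedence (an exclude filter
always drops the event; if include filters exist, the event must match one)
is an assumption, not documented product behaviour."""
import fnmatch
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class ChangeEvent:
    path: str      # file path or registry key
    process: str   # program that made the change
    user: str      # account the program ran as
    action: str    # create or modify
    seq: int       # order of the change

    @property
    def directory(self):
        sep = "\\" if "\\" in self.path else "/"   # registry keys use backslashes
        return self.path.rpartition(sep)[0]


class MonitoredHost:
    """Simulated endpoint. Every write emits a ChangeEvent, standing in for
    the kernel hook a real agent uses (not the product's own mechanism)."""

    def __init__(self, objects):
        self.objects = dict(objects)   # path or registry key -> bytes
        self.events = []

    def write(self, path, data, process, user):
        action = "modify" if path in self.objects else "create"
        self.objects[path] = data
        self.events.append(ChangeEvent(path, process, user, action, len(self.events) + 1))


def snapshot(objects):
    """What a periodic scan sees: one hash per object, nothing in between."""
    return {p: hashlib.sha256(d).hexdigest() for p, d in objects.items()}


def scan_diff(before, after):
    """Objects whose hash differs between two scans."""
    return sorted(p for p in before.keys() | after.keys() if before.get(p) != after.get(p))


@dataclass
class Filter:
    kind: str       # "include" or "exclude"
    criteria: dict  # event attribute -> glob pattern; all must match

    def matches(self, ev):
        return all(fnmatch.fnmatchcase(getattr(ev, attr), pat)
                   for attr, pat in self.criteria.items())


def apply_filters(events, filters):
    includes = [f for f in filters if f.kind == "include"]
    excludes = [f for f in filters if f.kind == "exclude"]
    kept = []
    for ev in events:
        if any(f.matches(ev) for f in excludes):
            continue   # exclude always wins (assumption)
        if includes and not any(f.matches(ev) for f in includes):
            continue   # include filters narrow what is recorded
        kept.append(ev)
    return kept


def demo():
    # Constructed endpoint and activity, not captured data.
    svc = "HKLM\\SYSTEM\\CurrentControlSet\\Services\\Svc\\ImagePath"
    host = MonitoredHost({"/etc/ssh/sshd_config": b"PermitRootLogin no\n",
                          "/var/log/app.log": b"", svc: b"C:\\svc.exe"})
    before = snapshot(host.objects)
    # Transient violations: every change below is undone before the next scan.
    host.write("/etc/ssh/sshd_config", b"PermitRootLogin yes\n", "vi", "root")
    host.write("/etc/ssh/sshd_config", b"PermitRootLogin no\n", "vi", "root")
    for _ in range(3):   # program-generated churn that filters should drop
        host.write("/var/log/app.log", b"entry\n", "appd", "svc-app")
    host.write("/var/log/app.log", b"", "bash", "bob")   # manual truncation: record it
    host.write(svc, b"C:\\tmp\\x.exe", "reg.exe", "bob")
    host.write(svc, b"C:\\svc.exe", "reg.exe", "bob")
    after = snapshot(host.objects)

    filters = [Filter("exclude", {"directory": "/var/log", "process": "appd"}),
               Filter("include", {"directory": "/etc/*"}),
               Filter("include", {"directory": "/var/log"}),
               Filter("include", {"path": "HKLM\\SYSTEM\\*"})]
    kept = apply_filters(host.events, filters)
    return {"scan_detected": scan_diff(before, after),   # [] : the scan sees nothing
            "events_raw": len(host.events),              # 8
            "events_kept": [(e.seq, e.path, e.process, e.user) for e in kept]}
```

Calling `demo()` shows the point of both sections: the scan reports nothing, because every change was undone before the second snapshot, while the event stream holds all eight changes. The exclude filter drops the three writes by the log daemon, and the include filters keep the sshd_config edits, the manual log truncation, and the service ImagePath changes. An exclude filter on the directory alone would also have hidden the manual truncation, which is why the sample exclude filter names the process as well.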


Read protection

Read-protection rules prevent users from reading the content of specified files, directories, and volumes. If a directory or volume is read-protected, all files in the directory or volume are read-protected. Once defined, read-protection rules are inherited by subdirectories. You cannot read-protect registry keys.

By default, read protection is disabled.

Write protection

Use write-protection rules to prevent users from creating new files (including directories and registry keys) and modifying existing files, directories, and registry keys. Write-protecting a file or registry key renders it read-only and protects it from unanticipated updates. These actions are prevented for a write-protected file or registry key:

• Delete
• Rename
• Create hard links
• Modify contents
• Append
• Truncate
• Change owner
• Create Alternate Data Stream (Microsoft Windows only)


2 Getting started with Change Control

Before you begin using Change Control, get familiar with it and understand related concepts.

Contents: Change Control modes; What are rule groups?; Manage rule groups; Enable Change Control

Change Control modes

At any time, Change Control operates in one of these modes.

Enabled: Indicates that the software is in effect and changes are monitored and controlled on the endpoints as per the defined policies. When in Enabled mode, Change Control monitors and protects files and registry keys as defined by the configured policies. Enabled mode is the recommended mode of operation. From Enabled mode, you can switch to Disabled or Update mode.

Update: Indicates that the software is in effect, allows ad-hoc changes to the endpoints, and tracks the changes made to the endpoints. Use Update mode to perform scheduled or emergency changes, such as software and patch installations. In Enabled mode, you cannot read read-protected files or modify write-protected files (as per the defined policies). In Update mode, however, all read and write protection that is in effect is overridden. Use Update mode to define a change window during which you can make changes to endpoints and authorize the changes made. From Update mode, you can switch to Enabled or Disabled mode. We recommend that you switch to Enabled mode as soon as the changes are complete.

Disabled: Indicates that the software is not in effect. Although the software is installed, the associated features are not active. When you place the endpoints in Disabled mode, the application restarts the endpoints. From Disabled mode, you can switch to Enabled or Update mode.
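The protection rules and modes described so far (read and write protection and trusted updaters in the Introduction, and the Enabled, Update and Disabled modes above), as an added example in Python that is not McAfee's code and not the product's enforcement engine. It turns the documented rules into one decision function: write protection covers the listed operations and anything created beneath a protected directory or key, rules inherit downward, registry keys cannot be read-protected, read protection is off by default, trusted programs and users may update, Update mode overrides all protection, and Disabled mode enforces nothing. The policy and attempts in `demo()` are constructed; treating trusted programs and users as relevant only to write operations is an assumption of the example.

```python
"""Added example, not McAfee code: a toy evaluator for the read/write
protection rules, trusted updaters and Enabled/Update/Disabled modes this
guide describes. It encodes the documented behaviour as a decision function;
it is not the product's enforcement engine. Treating trusted programs and
users as relevant only to write operations is an assumption."""
from dataclasses import dataclass, field

# Operations the guide lists as prevented on write-protected objects, plus
# creation beneath a write-protected directory or key.
WRITE_OPS = {"create", "delete", "rename", "hardlink", "modify", "append",
             "truncate", "chown", "create_ads"}


@dataclass
class ProtectionPolicy:
    write_protected: set = field(default_factory=set)  # files, dirs, volumes, registry keys
    read_protected: set = field(default_factory=set)   # files, dirs, volumes only
    trusted_programs: set = field(default_factory=set)
    trusted_users: set = field(default_factory=set)
    read_protection_enabled: bool = False              # disabled by default, as documented


def is_registry(path):
    return path.upper().startswith(("HKLM", "HKCU", "HKEY_"))


def covered(target, protected):
    """True if target is a protected object or lies beneath one: a rule on a
    directory, volume or key is inherited by everything under it. Matching is
    case-insensitive (correct for Windows, a simplification for Linux)."""
    sep = "\\" if "\\" in target or is_registry(target) else "/"
    t = target.lower().rstrip(sep)
    return any(t == p or t.startswith(p + sep)
               for p in (x.lower().rstrip(sep) for x in protected))


def decide(policy, mode, op, target, process, user):
    """Return (verdict, reason) for one attempted operation."""
    if mode == "Disabled":
        return "allow", "Disabled mode: protection not in effect"
    if mode == "Update":
        return "allow", "Update mode: read/write protection overridden, change tracked"
    if mode != "Enabled":
        raise ValueError(f"unknown mode {mode!r}")
    if op == "read":
        if not policy.read_protection_enabled:
            return "allow", "read protection is disabled"
        if is_registry(target):
            return "allow", "registry keys cannot be read-protected"
        if covered(target, policy.read_protected):
            return "deny", "read-protected"
        return "allow", "not read-protected"
    if op not in WRITE_OPS:
        raise ValueError(f"unknown operation {op!r}")
    if op == "create_ads" and "\\" not in target:
        return "allow", "alternate data streams exist only on Windows"
    if not covered(target, policy.write_protected):
        return "allow", "not write-protected"
    if process in policy.trusted_programs:
        return "allow", f"trusted program {process} may update"
    if user in policy.trusted_users:
        return "allow", f"trusted user {user} may update"
    return "deny", f"write-protected: {op} blocked"


def demo():
    # Constructed policy and attempts, not taken from a real deployment.
    policy = ProtectionPolicy(
        write_protected={"C:\\Windows\\System32\\drivers\\etc",
                         "HKLM\\SYSTEM\\CurrentControlSet\\Services", "/etc/ssh"},
        read_protected={"C:\\Secrets"},
        trusted_programs={"msiexec.exe"}, trusted_users={"svc-deploy"})
    hosts = "C:\\Windows\\System32\\drivers\\etc\\hosts"
    key = "HKLM\\SYSTEM\\CurrentControlSet\\Services\\Evil"
    attempts = [
        ("Enabled", "modify", hosts, "notepad.exe", "bob"),                   # deny
        ("Enabled", "modify", hosts, "msiexec.exe", "bob"),                   # allow: trusted program
        ("Enabled", "create", key, "reg.exe", "bob"),                         # deny: beneath protected key
        ("Enabled", "hardlink", "/etc/ssh/sshd_config", "ln", "svc-deploy"),  # allow: trusted user
        ("Enabled", "create_ads", hosts, "cmd.exe", "bob"),                   # deny
        ("Enabled", "read", "C:\\Secrets\\key.pem", "type", "bob"),           # allow: read protection off
        ("Update", "modify", hosts, "notepad.exe", "bob"),                    # allow: Update overrides
        ("Disabled", "delete", hosts, "cmd.exe", "bob"),                      # allow: nothing enforced
    ]
    verdicts = [decide(policy, *a)[0] for a in attempts]
    policy.read_protection_enabled = True
    verdicts.append(decide(policy, "Enabled", "read", "C:\\Secrets\\key.pem", "type", "bob")[0])  # deny
    verdicts.append(decide(policy, "Enabled", "read", key, "reg.exe", "bob")[0])  # allow: registry key
    return verdicts
```

The last two calls in `demo()` show why the default matters: until read protection is switched on, a read of a file under the read-protected directory is allowed, and even afterwards a registry key is never read-protected. The Update and Disabled rows allow the same edit that Enabled mode denies, which is the reason the guide recommends returning to Enabled mode as soon as a change window closes.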

What are rule groups?

A rule group is a collection of rules. Although you can directly add rules to any McAfee ePO-based policy, the rules defined within a policy are specific to that policy. In contrast, a rule group is an independent unit that collates a set of similar or related rules. After you define a rule group, you can reuse the rules within the rule group by associating the rule group with different policies. Also, if you need to modify a rule, simply update the rule in the rule group and the change cascades across all associated policies automatically.

Change Control provides predefined rule groups to monitor commonly used applications. Although you cannot edit the predefined rule groups, you can use an existing rule group as a starting point to develop your own rule groups. You can create a copy of an existing rule group and edit it to add more rules, or create a new rule group. If needed, you can also import or export rule groups.

If you need to define similar rules across policies, using rule groups can drastically reduce the effort required to define rules. If you have a large setup and are deploying the software across numerous endpoints, we recommend you use rule groups to minimize the deployment time and effort.

Consider an example. An organization runs Oracle on multiple servers. Each of these servers is used by the HR, Engineering, and Finance departments for different purposes. To reduce rule redundancy, we define these rule groups with Oracle-specific rules:

• An Integrity Monitor rule group (named IM-Oracle) containing rules to monitor and track configuration files and registry keys (to help audit critical changes to the Oracle configuration)
• A Change Control rule group (named CC-Oracle) containing rules to protect critical Oracle files (to prevent unauthorized changes)

After the rule groups are defined, we can reuse them across the policies for the HR, Engineering, and Finance departments. So, when defining policies for the HR Servers, add the IM-Oracle rule group to a monitoring (Integrity Monitor) policy and the CC-Oracle rule group to a protection (Change Control) policy, along with rule groups for the other applications installed on the HR servers. Similarly, add the IM-Oracle and CC-Oracle rule groups to the relevant policies for the Engg Servers and Fin Servers. After defining the policies, if you realize that the rule for a critical file was not created, directly update the rule group and all the policies are updated automatically.

Manage rule groups

Create rule groups, replicate them between McAfee ePO servers, and review where they are assigned.

Tasks

• Create rule groups (page 16): Create a rule group to specify the required rules.
• Import or export rule groups (page 17): If you need to replicate rule group configuration from one McAfee ePO server to another, export the rule group configuration from the (source) McAfee ePO server to an XML file and import the XML file to the (target) McAfee ePO server.
• View assignments for a rule group (page 18): Instead of navigating through all the created policies, you can directly view all the policies in which a rule group is being used. This provides a convenient way to verify that each rule group is assigned to the relevant policies.

Create rule groups

Create a rule group to specify the required rules.

Task

For option definitions, click ? in the interface.

    1 On the McAfee ePO console, select Menu | Configuration | Solidcore Rules.

2 Perform one of these steps from the Rule Groups tab.

Select Integrity Monitor to view or define a rule group for monitoring changes performed on critical resources.

Select Change Control to view or define a rule group for preventing unauthorized changes on critical resources.

You can use an existing rule group as a starting point or define a new rule group from scratch. To modify and edit an existing rule group, complete steps 3, 5, 6, and 7. To define a new rule group, complete steps 4, 5, 6, and 7.

    3 Create a rule group based on an existing rule group.

    a Click Duplicate for an existing rule group.

    The Duplicate Rule Group dialog box appears.

    b Specify the rule group name, then click OK.

    The rule group is created and listed on the Rule Groups page.

    4 Define a new rule group.

    a Click Add Rule Group to open the Add Rule Group dialog box.

    b Specify the rule group name.

    c Select the rule group type and platform.

    d Click OK.

    The rule group is created and listed on the Rule Groups page.

    5 Click Edit for the rule group.

    6 Specify the required rules.

For information on how to define rules, see How do I define monitoring rules? and Defining protection rules.

    7 Click Save Rule Group.

Import or export rule groups

If you need to replicate rule group configuration from one McAfee ePO server to another, export the rule group configuration from the (source) McAfee ePO server to an XML file and import the XML file to the (target) McAfee ePO server.

You can also export rule groups into an XML file, edit the XML file to make the required changes to rule groups, and import the file to the McAfee ePO server to use the changed rule groups.

When importing or exporting rule groups containing Trusted Groups, make sure the Active Directory server on the source McAfee ePO server and destination McAfee ePO server are configured using the same domain name or server name (or IP address).


Task

For option definitions, click ? in the interface.

    1 On the McAfee ePO console, select Menu | Configuration | Solidcore Rules.

2 Complete one of these tasks from the Rule Groups tab.

To import rule groups, click Import, browse and select the rule groups file, then click OK. While importing, you can specify whether to override rule groups (if you are importing a rule group with the same name as an existing rule group).

To export selected rule groups to an XML file, select the rule groups, click Export, and save the file.

View assignments for a rule group

Instead of navigating through all the created policies, you can directly view all the policies in which a rule group is being used. This feature provides a convenient way to verify if each rule group is assigned to the relevant policies.

Task

For option definitions, click ? in the interface.

    1 On the McAfee ePO console, select Menu | Configuration | Solidcore Rules.

2 On the Rule Groups tab, click Assignments to view the policies to which the selected rule group is assigned.

Enable Change Control

Enable the Change Control software to monitor and control the changes on the endpoints as per the defined policies.

Task

For option definitions, click ? in the interface.

    1 On the McAfee ePO console, select Menu | Systems | System Tree.

2 Perform one of these actions.

To apply the client task to a group, select a group in the System Tree and switch to the Assigned Client Tasks tab.

To apply the client task to an endpoint, select the endpoint on the Systems page, then click Actions | Agent | Modify Tasks on a Single System.

    3 Click Actions | New Client Task Assignment to open the Client Task Assignment Builder page.

    4 Select Solidcore 6.1.2 | SC: Enable, then click Create New Task to open the Client Task Catalog page.

    5 Specify the task name and add any descriptive information.

    6 Select these fields.

    a Select the platform.

    b Select the subplatform (only for the Windows and Unix platforms).


c Select the version (only for the All except NT/2000 subplatform).

    d Make sure that the Change Control option is selected.

7 Complete these steps to enable Change Control.

Solidcore client version: 5.1.5 or earlier (Windows), 6.0.1 or earlier (UNIX)
Steps: Select Force Reboot with the task to restart the endpoint. Restarting the system is necessary to enable the software.
On the Windows platforms, a pop-up message is displayed at the endpoint 5 minutes before the endpoint is restarted. This allows the user to save work and data on the endpoint.
On UNIX platforms, the endpoint is restarted as soon as the task is applied.

Solidcore client version: 6.0.0 or later (Windows)
Steps: No configuration is needed.

Solidcore client version: 6.1.0 or later (UNIX)
Steps: Deselect Force Reboot with the task. When using Solidcore client version 6.1.0 or later, restarting the system is not necessary to enable the software.

    8 Click Save.

    9 Click Next to open the Schedule page.

    10 Specify scheduling details, then click Next.

    11 Review and verify the task details, then click Save.

    12 Optionally, wake up the agent to send your client task to the endpoint immediately.


3 Monitoring the file system and registry

Change Control allows you to designate a set of files and registry entries to monitor for changes.

You can also choose to track attribute and content changes for monitored files. You need to define rules to specify the files and registry keys to monitor and specifically enable the user account tracking feature (which is disabled by default) to track user activity for relevant endpoints.

Contents
How monitoring rules work?
How do I define monitoring rules?
Review predefined monitoring rules
Create monitoring policies
Manage content changes

How monitoring rules work?

Using rules, you can monitor files, directories, registry keys, file types (based on file extension), programs, and users.

    What you can monitor?

    These operations are tracked for a monitored file, registry key, and user account.


Element: File
Tracked operations:
File creation
File modification (file contents and attributes, such as permissions or owner)
File deletion
File rename
Alternate Data Stream creation
Alternate Data Stream modification (contents and attributes, such as permissions or owner)
Alternate Data Stream deletion
Alternate Data Stream rename

Element: Registry key
Tracked operations:
Registry key creation
Registry key modification
Registry key deletion

Element: User account
Tracked operations:
User account creation
User account modification
User account deletion
User log on (success and failure)
User log off

User account tracking is disabled by default. You must enable this feature to track operations for user accounts. To enable this feature, execute the SC: Run Commands client task to run the sadmin features enable monuat command on the endpoint.

    Are any predefined rules available?

Yes, Change Control includes predefined monitoring rules. For detailed information, see Review predefined monitoring rules.

    Does an order of precedence exist for monitoring rules?

Use the table to understand the order of precedence applied (highest to lowest) when processing monitoring rules.

Table 3-1 Order of precedence for monitoring rules

Order / Rule type / Description

1. Advanced exclusion filters (AEF) rules have the highest precedence.
For more information on AEF rules, see What are advanced exclusion filters or rules (AEFs)?.

2. Exclude rules are given precedence over include rules.
For example, if you erroneously define an include and exclude rule for the same file, the exclude rule applies.

3. Rules based on user name have precedence over all other rule types except AEF rules.
The user name specified in the rule is compared with the user name referenced in the event.

4. Rules based on program name have precedence over rules based on file extension, file name, directory name, or registry key.
The program name specified in the rule is compared with the program name referenced in the event.

5. Rules based on file extension have precedence over rules based on file or directory name (or path).
The file extension specified in the rule is compared with the file extension referenced in the event. For example, if C:\Program Files\Oracle is excluded from monitoring (by a file-based rule) and the .ora extension is included for monitoring, events will be generated for files with the .ora extension, such as listener.ora and tnsnames.ora.

6. Rules based on file names or paths have precedence over rules based on directory name. In effect, longer paths take precedence for name-based rules.
The specified path is compared with the path referenced in the event. Paths (for files or directories) are compared from the beginning. Consider these examples.
Windows platform: If the C:\temp directory is excluded, and the C:\temp\foo.cfg file is included, the changes to the foo.cfg file are tracked. Similarly, if you exclude the HKEY_LOCAL_MACHINE key and include the HKEY_LOCAL_MACHINE\System key, the changes to the HKEY_LOCAL_MACHINE\System key are tracked.
UNIX platform: If the /usr/dir1/dir2 directory is included and the /usr/dir1 directory is excluded, all operations for the files in the /usr/dir1/dir2 directory are monitored because the /usr/dir1/dir2 path is longer and hence takes precedence.

    In the aforementioned order of precedence, all rules (except #5) apply to registry key rules also.
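The precedence in Table 3-1 can be checked mechanically. The following Python evaluator is an added example written for this page, not McAfee code: it models user, program, extension and path (file or registry key) rules, picks the rule that decides an event, and replays the Windows, registry, UNIX and .ora examples from the table. It assumes that an exclude rule beats an include rule only when the two are otherwise equally specific (which is what the table's examples show) and that a partial program path matches any program whose path ends with it; AEFs are not modelled.

```python
"""Added example (not McAfee code): applies the Table 3-1 precedence order
to a change event and reports which rule decided the outcome."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Rule types from highest to lowest precedence (AEFs, which sit above all of
# these, are not modelled here).
PRECEDENCE = ("user", "program", "extension", "path")


@dataclass(frozen=True)
class Rule:
    kind: str       # "user", "program", "extension" or "path"
    value: str      # user name, program name/path, extension, or file/dir/registry path
    include: bool   # True = include for monitoring, False = exclude from monitoring


@dataclass
class Event:
    path: str              # file or registry key path referenced in the event
    user: str = ""         # account that made the change
    program: str = ""      # full path of the program that made the change
    windows: bool = True   # Windows paths: backslash separated, case-insensitive


def _norm(path: str, windows: bool) -> str:
    """Normalise a path so that prefix comparison works on either platform."""
    if windows:
        return path.replace("/", "\\").rstrip("\\").lower()
    return path.rstrip("/")


def _path_matches(rule_path: str, event_path: str, windows: bool) -> bool:
    """Paths are compared from the beginning: a directory or registry key rule
    covers the key itself and everything beneath it."""
    sep = "\\" if windows else "/"
    rp, ep = _norm(rule_path, windows), _norm(event_path, windows)
    return ep == rp or ep.startswith(rp + sep)


def _program_matches(rule_prog: str, event_prog: str, windows: bool) -> bool:
    """A fully qualified path matches only that program; a partial path such as
    Reader\\AcroRd32.exe matches every program whose path ends with it
    (assumption made for this example)."""
    if not event_prog:
        return False
    sep = "\\" if windows else "/"
    rp, ep = _norm(rule_prog, windows), _norm(event_prog, windows)
    return ep == rp or ep.endswith(sep + rp)


def _extension(path: str) -> str:
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def matching_rules(rules: List[Rule], ev: Event) -> List[Rule]:
    """Every rule whose subject matches the event, before precedence is applied."""
    hits = []
    for r in rules:
        if r.kind == "user" and ev.user and r.value.lower() == ev.user.lower():
            hits.append(r)
        elif r.kind == "program" and _program_matches(r.value, ev.program, ev.windows):
            hits.append(r)
        elif r.kind == "extension" and r.value.lstrip(".").lower() == _extension(ev.path):
            hits.append(r)
        elif r.kind == "path" and _path_matches(r.value, ev.path, ev.windows):
            hits.append(r)
    return hits


def decide(rules: List[Rule], ev: Event) -> Tuple[bool, Optional[Rule]]:
    """Return (is_monitored, deciding_rule). With no matching rule nothing is
    monitored, so an include rule is always needed to generate an event."""
    hits = matching_rules(rules, ev)
    if not hits:
        return False, None
    # Rows 3-5: the highest-precedence rule type among the matches decides.
    top = min(hits, key=lambda r: PRECEDENCE.index(r.kind)).kind
    cands = [r for r in hits if r.kind == top]
    # Row 6: among path rules the longest (most specific) path wins.
    if top == "path":
        longest = max(len(_norm(r.value, ev.windows)) for r in cands)
        cands = [r for r in cands if len(_norm(r.value, ev.windows)) == longest]
    # Row 2: when still tied (include and exclude on the same file), exclude wins.
    winner = next((r for r in cands if not r.include), cands[0])
    return winner.include, winner


# The Table 3-1 examples as constructed rule sets.
WINDOWS_RULES = [Rule("path", r"C:\temp", False), Rule("path", r"C:\temp\foo.cfg", True)]
REGISTRY_RULES = [Rule("path", r"HKEY_LOCAL_MACHINE", False),
                  Rule("path", r"HKEY_LOCAL_MACHINE\System", True)]
UNIX_RULES = [Rule("path", "/usr/dir1", False), Rule("path", "/usr/dir1/dir2", True)]
ORACLE_RULES = [Rule("path", r"C:\Program Files\Oracle", False), Rule("extension", "ora", True)]

if __name__ == "__main__":
    for rules, ev in [(WINDOWS_RULES, Event(r"C:\temp\foo.cfg")),
                      (UNIX_RULES, Event("/usr/dir1/other.conf", windows=False))]:
        print(ev.path, decide(rules, ev))
```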

    What are advanced exclusion filters or rules (AEFs)?

You can define advanced filters to exclude changes by using a combination of conditions. For example, you might want to monitor changes made to the tomcat.log file by all programs except the tomcat.exe program. To achieve this, define an advanced filter to exclude all changes made to the log file by its owner program. This will make sure you only receive events when the log file is changed by other (non-owner) programs. In this case, the defined filter will be similar to Exclude all events where filename is and program name is .

Use AEFs to prune routine system-generated change events that are not relevant for your monitoring or auditing needs. Several applications, particularly the web browser, maintain the application state in registry keys and routinely update several registry keys. For example, the ESENT setting is routinely modified by the Windows Explorer application and it generates the Registry Key Modified event. These state changes are routine and need not be monitored and reported upon. Defining AEFs allows you to eliminate any events that are not required for fulfilling compliance requirements and makes sure the event list includes only meaningful notifications.


How do I define monitoring rules?

Regardless of whether you create a new monitoring policy or define a monitoring rule group, the framework available to define monitoring rules is the same.

System variables

The path specified in a monitoring rule can include system environment variables (only on the Windows platform). This table lists the supported system variables.

Variable: Example value (for most Windows platforms)
%ALLUSERSPROFILE%: C:\Documents and Settings\All Users
%APPDATA%: C:\Documents and Settings\{username}\Application
%COMMONPROGRAMFILES%: C:\Program Files\Common Files
%COMMONPROGRAMFILES (x86)%: C:\Program Files (x86)\Common Files
%HOMEDRIVE%: C:
%HOMEPATH%: C:\Documents and Settings\{username} (\ on earlier Windows versions)
%PROGRAMFILES%: C:\Program Files
%PROGRAMFILES (x86)%: C:\Program Files (x86) (only for 64-bit versions)
%SYSTEMDRIVE%: C:
%SYSTEMROOT%: C:\windows (C:\WINNT on earlier Windows versions)
%TEMP% (system), %tmp% (user): C:\Documents and Settings\{username}\local Settings\Temp, C:\Temp
%USERPROFILE%: C:\Documents and Settings\{username} (C:\WINNT\profiles\{username} for earlier versions)
%WINDIR%: C:\Windows

Path considerations

These considerations apply to path-based rules.

    Path should be absolute when specifying rules to monitor files and directories.

Path is not required to be absolute when specifying rules to monitor program activity. For example, you can specify the partial path, such as AcroRd32.exe or Reader\AcroRd32.exe, or the fully qualified path, such as C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32.exe. If you specify the partial path, all programs with names that match the specified string are monitored. If you specify the fully qualified path, activity is monitored for only the specified program.

    Paths can contain white spaces.


Paths can include the wildcard character (*). However, it can only represent one complete path component. Here are a few examples.

Windows platform: Using \abc\*\def is allowed while \abc\*.doc, \abc\*.*, or \abc\doc.* is not supported.

UNIX platform: Using /abc/*/def is allowed while /abc/*.sh, /abc/*.*, or /abc/doc.* is not supported.

You cannot use the wildcard character while defining a rule to track content and attribute changes for a file.

Paths used in registry key-based rules can include the wildcard character (*). However, the wildcard character can only represent one path component in the registry path. Make sure that you do not use the character for the component at the end of the complete registry path (if used at the end, the rule will not be effective).

Also, at any time, the CurrentControlSet in the Windows Registry is linked to the relevant HKEY_LOCAL_MACHINE\SYSTEM\ControlSetXXX key. For example, HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet can be linked to the HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001 key. When a change is made to either link, it is automatically updated on both the links. For a monitored key, events are always reported with the path of CurrentControlSet and not ControlSetXXX.

Monitoring rules

Use this table to define monitoring rules. You can perform these actions when creating or modifying a monitoring (Integrity Monitor) policy or rule group.

Action: Monitor files and directories
Steps:
1 Click Add on the File tab. The Add File dialog box appears.
2 Specify the file or directory name.
3 Indicate whether to include for or exclude from monitoring.
4 Optionally, to track content and attribute changes for a file, select Enable content change tracking and specify the other options. For more information, see Track content changes.
5 Click OK.

Action: Monitor registry keys (Windows platform only)
Steps:
1 Click Add on the Registry tab. The Add Registry dialog box appears.
2 Specify the registry key.
3 Indicate whether to include for or exclude from monitoring and click OK.

Action: Monitor specific file types
Steps:
1 Click Add on the Extension tab. The Add Extension dialog box appears.
2 Type the file extension. Do not include the period (dot) in the extension. For example, log.
3 Indicate whether to include for or exclude from monitoring and click OK.

Action: Monitor program activity (in effect, choose to track or not track all file or registry changes made by a program)
Steps:
1 Click Add on the Program tab. The Add Program dialog box appears.
2 Enter the name or full path of the program.
3 Indicate whether to include for or exclude from monitoring and click OK. We recommend that you exclude background processes, such as the lsass.exe process.

Action: Specify the users to exclude from monitoring (in effect, all changes made by the specified user are not tracked)
Steps:
1 Click Add on the User tab. The Add User dialog box appears.
2 Specify the user name using these considerations:
Spaces in user names should be specified within quotes.
Domain name can be a part of the user name on the Windows platform. If the domain name is not specified, the user name is excluded from monitoring for all domains.
Exclude all users in a particular domain (on the Windows platform) by using MY-DOMAIN\* or *@MY-DOMAIN.
3 Click OK.

Action: Specify advanced exclusion filters for events
Steps:
1 Click Add Rule on the Filters tab. A new filter row appears. You can create filters based on files, events, programs, registry keys, and users.
2 Edit the settings to specify the filter.
3 Click + or Add Rule to specify additional AND or OR conditions, respectively.
You can also define AEFs from the Events page. For more information, see Exclude events.

Review predefined monitoring rules

Change Control provides multiple predefined filters suitable for monitoring relevant files on various operating systems. By default, these filters are applied to the global root in the system tree and hence are inherited by all McAfee ePO-managed endpoints on which Change Control is installed. As soon as an endpoint connects to the McAfee ePO server, the Minimal System Monitoring policy applicable to the endpoint's operating system comes into play.

You can review the predefined filters included in the Minimal System Monitoring policy (applicable to your operating system).

Task

For option definitions, click ? in the interface.

1 On the McAfee ePO console, select Menu | Policy | Policy Catalog.

    2 Select the Solidcore 6.1.2: Integrity Monitor product.

All policies for all categories are listed. A Minimal System Monitoring policy exists for each supported operating system.

    3 Open the relevant Minimal System Monitoring policy.

    By default, the My Rules rule group is open (which is blank).

    4 Select a rule group in the Rule Groups pane to review the filters included in the rule group.

To override any rules included in the Minimal System Monitoring policy, you can duplicate the relevant rule group (in which the required rules are present), edit the rule group to add the new rules, and add the rule group to a policy. For most other purposes, make sure that the Minimal System Monitoring policy is applied on the endpoints and additional rules are applied by using a separate policy.

    5 Click Cancel.


Create monitoring policies

Using a monitoring policy, you can choose to monitor changes or exclude from monitoring various units of a file system and registry. You can control monitoring of files, directories, registry keys, file types (based on file extension), programs, and users. These are multi-slot policies; you can assign multiple policies to a single node in the system tree.

To create a monitoring policy, you can either define rules in a rule group (to allow reuse of rules) and add the rule group to a policy, or define the rules directly in a policy.

Task

For option definitions, click ? in the interface.

1 On the McAfee ePO console, select Menu | Policy | Policy Catalog.

    2 Select the Solidcore 6.1.2: Integrity Monitor product.

    3 Click Actions | New Policy to open the New Policy dialog box.

    4 Select the category.

    5 Select the policy you want to duplicate from Create a policy based on this existing policy list.

    6 Specify the policy name, then click OK.

    7 Click on the policy name to open the Policy Settings page.

You can now define the rules to include in the policy. You can either add existing rule groups to the policy or directly add the new rules to the policy.

To use a rule group, complete steps 8 and 10. For more information on how to create a rule group, see Create rule groups.

    To directly add the rules to the policy, complete steps 9 and 10.

    8 Add a rule group to the policy.

    a Click Add in the Rule Groups pane to open the Select Rule Groups dialog box.

    b Select the rule group to add.

    c Click OK.

    d Select the rule group in the Rule Groups pane.

    The rules included in the rule group are displayed in the various tabs.

    e Review the rules.

    9 Add the monitoring rules to the policy.

For information on how to define rules, see How do I define monitoring rules?.

    10 Save the policy.


Manage content changes

Using Change Control, you can track content and attribute changes for a single monitored file or for all files in a directory and its subdirectories.

If you enable content change tracking for a specific file: Any attribute or content change to the file creates a new file version at the McAfee ePO server.

If you enable content change tracking for a directory: Any attribute or content change to the files present in the directory creates new versions of the files at the McAfee ePO server.

You can view and compare the different versions that are created for a file. Also, you can compare any two files or file versions that exist on the same or different endpoints. To send an email whenever a critical file is modified (the email highlights the exact changes made to the file), configure an Automatic Response. Alternatively, you can schedule generation of a report to get an overview of the changes made to the tracked files in your setup.

Tasks

Content change tracking settings on page 28
You can configure these settings for tracking content changes.

Configure settings for tracking content changes on page 29
Specify the maximum file size for tracking content changes, file extensions for which to track only attributes, and maximum number of files to fetch per rule.

Track content changes on page 29
When you create or modify a monitoring (Integrity Monitor) policy or rule group, you can specify the files for which to track content changes.

Manage file versions on page 30
Review all versions available for a file, compare file versions, reset the base version, and delete versions.

Compare files on page 31
Compare two files or two versions of a single file. You can compare files or versions on the same endpoint or on different endpoints.

Receive change details on page 32
You can receive notifications and reports based on the changes made to the files in your setup.

Content change tracking settings

You can configure these settings for tracking content changes.

Setting: Maximum file size
Description: By default, you can track changes for any file with a size of 1000 KB or lower. If needed, you can configure the maximum file size for tracking content changes.
Modifying the maximum file size will affect the McAfee ePO database sizing requirements and may impact performance.

Setting: File extensions for which to track only attribute changes
Description: For binary files, only attributes are tracked by the content change tracking feature (content changes are not tracked). This is because maintaining the content difference for files with non-displayable contents unnecessarily uses database space and McAfee ePO resources. By default, only attribute changes are tracked for these extensions: zip, bmp, 7z, pdf, rar, bz2, jpg, exe, gif, dll, tar, gz, bz, tgz, tiff, sys, png, jar.
You can edit the list to specify file extensions specific to your setup for which to track only attribute changes.

Setting: Maximum number of files to retrieve per rule
Description: When you apply the content change tracking rule on a directory, base versions of all files in the directory that match the specified include or exclude patterns, if any, are collected and sent to the McAfee ePO server. These base versions are used to track content changes and allow comparison with future versions of the files. If the number of qualifying files for a single rule is too high, operational performance of the endpoint and occasionally of the McAfee ePO server can deteriorate. To prevent such disruptions, you can specify a value to control the maximum files to retrieve per rule. This limit applies to the number of qualifying files in the directory (that match the include and exclude patterns and recursive and non-recursive options) and not to the total number of files in the directory. If the number of qualifying files for a specified rule exceeds the set threshold value, the base versions of the files are not retrieved to the McAfee ePO server. However, all subsequent changes to the files are reported and base versions of new files are sent to the McAfee ePO server.
By default, the limit is set to 100 files per rule. You can configure this setting, as needed, for your setup.

Configure settings for tracking content changes

Specify the maximum file size for tracking content changes, file extensions for which to track only attributes, and maximum number of files to fetch per rule.

Task

For option definitions, click ? in the interface.

1 On the McAfee ePO console, select Menu | Policy | Policy Catalog.

    2 Select the Solidcore 6.1.2: General product.

    The McAfee Default policy includes customizable configuration settings.

    3 Click Duplicate for the McAfee Default policy in the Configuration (Client) category.

    4 Specify the policy name, then click OK.

    The policy is created and listed on the Policy Catalog page.

    5 Click the new policy to open it.

    6 Switch to the Miscellaneous Settings tab.

    7 Specify values for the settings.

    8 Save the policy and apply it to the relevant endpoints.

Track content changes

When you create or modify a monitoring (Integrity Monitor) policy or rule group, you can specify the files for which to track content changes.

Task

For option definitions, click ? in the interface.

    1 Navigate to the File tab.

2 Perform one of these steps.

Click Add to monitor and track changes for a new file.

Select an existing rule and click Edit.

    3 Review or add the file information.

    You cannot track changes for network files (files placed on network paths).

    4 Select Enable Content Change Tracking.

    5 Select the file encoding.

You can choose Auto Detect, ASCII, UTF-8, and UTF-16. Auto Detect works for most files. If you are aware of the file encoding, select ASCII, UTF-8, or UTF-16 (as appropriate). If needed, you can add new file encoding values. Contact McAfee Support for assistance in adding a file encoding value.

    6 Track content changes for files within a directory.

    a Select Is Directory.

    b Select Recurse Directory to track changes for files in all subdirectories of the specified directory.

c Optionally, specify patterns to match file names in the Include Patterns or Exclude Patterns. While specifying multiple patterns, make sure that each pattern is on a separate line.

If you do not specify a pattern, all files are included for change tracking. You can add an asterisk (*) at the beginning or end of a pattern. For example, if you specify *.txt as an include pattern, only txt files in the directory are monitored. If you specify *.ini as an exclude pattern, all ini files in the directory are not monitored.

Exclude patterns take precedence over include patterns. For example, if you erroneously define an include and exclude pattern for the same file, the exclude pattern applies.

    7 Click OK.
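The pattern semantics of step 6c and the "maximum number of files to retrieve per rule" limit from the content change tracking settings, worked through together as an added example written for this page (not McAfee code). It assumes that a pattern containing no asterisk must match the file name exactly, and compares the per-rule limit against the count of qualifying files, as the settings table describes.

```python
"""Added example (not McAfee code): which files a directory-level content
change tracking rule qualifies, and whether their base versions are fetched."""
from typing import Iterable, List

# Constructed sample listing, relative to the monitored directory; entries
# containing "/" live in subdirectories.
SAMPLE_TREE = [
    "app.conf", "notes.txt", "readme.txt", "settings.ini",
    "sub/extra.txt", "sub/local.ini", "build/out.bin",
]


def pattern_matches(pattern: str, name: str) -> bool:
    """An asterisk is allowed only at the beginning or end of a pattern; a
    pattern with no asterisk must equal the file name (assumption)."""
    p = pattern.strip()
    if p.startswith("*") and p.endswith("*") and len(p) > 1:
        return p[1:-1] in name
    if p.startswith("*"):
        return name.endswith(p[1:])
    if p.endswith("*"):
        return name.startswith(p[:-1])
    return name == p


def _patterns(text: str) -> List[str]:
    """Patterns are entered one per line; blank lines are ignored."""
    return [line for line in text.splitlines() if line.strip()]


def qualifying_files(tree: Iterable[str], recurse: bool,
                     include_patterns: str = "", exclude_patterns: str = "") -> List[str]:
    """Files the rule applies to. With no include pattern every file is
    included; an exclude pattern always beats an include pattern."""
    inc, exc = _patterns(include_patterns), _patterns(exclude_patterns)
    out = []
    for rel in tree:
        if not recurse and "/" in rel:
            continue                      # Recurse Directory not selected
        name = rel.rsplit("/", 1)[-1]
        if inc and not any(pattern_matches(p, name) for p in inc):
            continue
        if any(pattern_matches(p, name) for p in exc):
            continue                      # exclude wins over include
        out.append(rel)
    return sorted(out)


def base_versions_to_fetch(files: List[str], max_per_rule: int = 100) -> List[str]:
    """Base versions are sent to McAfee ePO only when the qualifying count is
    within the per-rule limit (default 100); above it none are fetched,
    although later changes to the files are still reported."""
    return [] if len(files) > max_per_rule else list(files)


if __name__ == "__main__":
    files = qualifying_files(SAMPLE_TREE, recurse=True, include_patterns="*.txt\n*.conf")
    print(files, base_versions_to_fetch(files, max_per_rule=2))
```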

Manage file versions

Review all versions available for a file, compare file versions, reset the base version, and delete versions. The base version identifies the starting point or initial document to use for comparison or control. Typically, the oldest version of a file is set as the base version. In effect, when you start tracking changes for a file, the initial file content and attributes are stored on the McAfee ePO database and set as the base version.

Task

For option definitions, click ? in the interface.

    1 On the McAfee ePO console, select Menu | Reporting | Content Change Tracking.

    All files for which content change tracking is enabled are listed.

2 Identify the file for which you want to review versions.

In the Quick find text box, specify the endpoint or file name, then click Apply. The list is updated based on the specified search string.

Sort the list based on the system name, file path, or status.

    3 Perform file operations.

To do this: Review the file status.
Do this: The File Status column denotes the current status of content change tracking.

To do this: Review versions.
Do this: Click View versions. The File revisions page displays all versions for the file. From this page you can compare file versions, specify the base version, and delete file versions from the McAfee ePO database.

To do this: Compare the file versions.
Do this:
1 Specify what to compare.
Click Compare with previous for a version to compare that version with the previous version of the file available at the McAfee ePO console.
Click Compare with base for a version to compare that version with the base version.
Select any two versions (by clicking the associated checkboxes), then select Actions | Compare Files to compare the selected versions.
The versions are compared and differences between the file content and file attributes are displayed.
2 Click Close.

To do this: Reset the base version.
Do this:
1 Select a file version to set as the base version by clicking the associated checkbox.
2 Select Actions | Set as base version to open the Set as base version dialog box.
3 Click OK. This resets the base version and deletes all previous versions (older than the new base version) of the file.
The software can track up to 200 versions for a file. If the number of versions exceeds 200, the application deletes the oldest versions to bring the version count to 200. Then, it automatically sets the oldest version as the base version. If needed, you can configure the number of versions to maintain for a file. Contact McAfee Support for assistance in configuring the number of versions to maintain for a file.

To do this: Delete file versions.
Do this: Deleting file versions removes the selected file versions from the McAfee ePO database. It does not alter or remove the actual file present on the endpoint.
1 Select one or more file versions by clicking the associated checkboxes.
2 Select Actions | Delete, then click OK.

    4 Click Close.

    Compare files

    Compare two files or two versions of a single file. You can compare files or versions on the same endpoint or on different endpoints.

    Monitoring the file system and registry | Manage content changes (chapter 3)


    Task

    For option definitions, click ? in the interface.

    1 On the McAfee ePO console, select Menu | Reporting | Content Change Tracking.

    2 Click Advanced File Comparison.

    3 Specify information for the first file.

    a Select the group from the list.

    b Enter the host name.

    c Enter the name and path of the file.

    d Select the version to compare.

    4 Specify information for the second file.

    5 Click Show Comparison.

    The attributes and content of the files are compared and differences are displayed.

    6 Review the results.

    7 Click Close.

    Receive change details

    You can receive notifications and reports based on the changes made to the files in your setup.

    Tasks

    Monitor all changes for a file on page 32
    To closely observe changes to a critical file, you can choose to receive an email detailing the change each time the file is changed.

    Generate consolidated report on page 33
    To get an overview of the changes made to the tracked files in your setup, schedule generation of a consolidated report based on the required criteria.

    Monitor all changes for a file

    To closely observe changes to a critical file, you can choose to receive an email detailing the change each time the file is changed.

    Task

    For option definitions, click ? in the interface.

    1 On the McAfee ePO console, select Menu | Automation | Automatic Responses.

    2 Click Actions | New Response to open the Response Builder page.

    a Enter the response name.

    b Select the Solidcore Events group and File Content Change Event type.

    c Select Enabled.

    d Click Next to open the Filter page.


    3 Specify the file name, system name, or both.

      To receive an email each time a specific tracked file changes (across all managed endpoints), specify only the file name.

      To receive an email each time any tracked file changes on an endpoint, specify only the system name.

      To receive an email each time a specific file on an endpoint is changed, specify both file and system name.

    4 Click Next to open the Aggregation page.

    5 Specify aggregation details, then click Next to open the Actions page.

    6 Select Send File Content Change Email, specify the email details, then click Next to open the Summary page.

    7 Review the details, then click Save.

    Generate consolidated report

    To get an overview of the changes made to the tracked files in your setup, schedule generation of a consolidated report based on the required criteria.

    Task

    For option definitions, click ? in the interface.

    1 On the McAfee ePO console, click Menu | Queries and Reports | McAfee Groups | Change Control.

    2 Perform one of these steps.

    Generate a report for all tracked files within your setup:

    Use the Solidcore: Content Change Tracking Report Generation - With Group My Organization query.

    Because this query pulls information for all tracked files in your setup, it can affect performance. We recommend that you duplicate this query to create a new query and specify criteria relevant to your setup.

    Generate a report based on specific criteria:

    1 Click Duplicate for the Solidcore: Content Change Tracking Report Generation - With Group My Organization query to open the Duplicate dialog box.

    2 Specify the query name and group, then click OK.

    3 Navigate to the created query and click Edit to open the Query Builder wizard.

    4 Switch to the Filter tab.

    5 Add the required filters.

      Use the Generated time property to fetch information on content changes made in a specific interval.

      Use the File Path property to fetch information for one or more specific files.

      Use the System Name, Group Name, and Tags properties to specify the endpoints for which to retrieve information.

    6 Click Save to open the Save Query page.

    7 Click Save.

    3 On the McAfee ePO console, select Menu | Automation | Server Tasks.

    4 Click Actions | New Task to open the Server Task Builder wizard.

    5 Type the task name, then click Next to open the Actions page.

    6 From the Actions list, select Solidcore: Content Change Tracking Report Generation.

    7 Configure the settings for the task.

    a Specify the rule group (Integrity Monitor).

    b Specify the query (from step 2).

    c Specify the number of revisions to fetch for each file.

    For example, consider that a file has changed 50 times in the last seven days based on the specified time interval in the query. To fetch information for the last 15 versions of the file, set the value for Get Last N revisions to 15. The default value for the number of revisions is 10, the maximum allowed value is 100, and the minimum is 1.

    d Specify the email addresses (separated by a comma) to send the generated report.

    Make sure that an email server is configured in the McAfee ePO server.

    e Specify the email subject.

    f Specify the report name.

    By default, the report name is appended with the date and time when the report is created.

    By default, the report generated by the server task (PDF file) is sent as an email attachment to all recipients. A file of up to 20 MB can be sent through email. If the file size exceeds 20 MB, the recipients are notified through a failure email message. Because the generated report can be large, you can save the report to a remote location and send a link to all recipients in an email.

    8 Optionally, place the generated report on a shared folder and send the link to the report in an email to all intended recipients.

    a Select Use this option to copy report on a network share and send network share information on email.

    b Specify a path at which to save the generated report.

    c Specify the network credentials to access the specified path.

    d Click Test Connection to make sure that the specified credentials work.

    9 Click Next.

    10 Specify the schedule for the task, then click Next to open the Summary page.

    11 Review the task summary, then click Save.

    12 From the Server Tasks page, select Run for this server task.


    4 Protecting the file system and registry

    Using Change Control, you can prevent changes to the file system and registry.

    Contents

    How protection rules work?
    Defining protection rules
    Create a protection policy
    Enable read protection

    How protection rules work?

    To prevent unauthorized access and changes, you define read-protection and write-protection rules.

    Read-protection rules: Prevent users from reading the content of specified files, directories, and volumes.

    When a directory is read protected, all files in the directory are read protected. Any unauthorized attempt to read data from protected files is prevented and an event is generated. Writing to read-protected files is allowed.

    You cannot define read-protection rules for registry keys.

    Write-protection rules: Prevent users from creating new files (including directories and registry keys) and modifying existing files, directories, and registry keys.

    Define write-protection rules for files and directories to protect them from unauthorized modifications. Only protect critical files. When a directory is included for write protection, all files contained in that directory and its subdirectories are write protected.

    Define write-protection rules for critical registry keys to protect them against change.

    Can I override defined rules?

    While you can define rules to protect, you can also define additional rules to selectively override the read or write protection that is in effect.

    Specify programs that are permitted to selectively override the read or write protection.

    Specify users (on the Windows platform only) who are permitted to selectively override the read or write protection.

    Does an order of precedence exist for protection rules?

    These considerations are used when protection rules are applied at the endpoint:

    Exclude rules are given precedence over include rules.

    For example, if you erroneously define an include and exclude rule for the same file, the exclude rule applies.

    Longer paths are given precedence.

    For example, if C:\temp is included for write protection, and C:\temp\foo.cfg is excluded, the changes to foo.cfg are permitted. Similarly, if you exclude the HKEY_LOCAL_MACHINE key and include the HKEY_LOCAL_MACHINE\System key for write protection, the changes to the HKEY_LOCAL_MACHINE\System key are prevented.

    Defining protection rules

    Regardless of whether you use a rule group or policy, the framework available to define protection rules is the same.

    System variables

    The path specified in a protection rule can include system environment variables (only on the Windows platform). This table lists the supported system variables.

    Variable                        Example value (for most Windows platforms)
    %ALLUSERSPROFILE%               C:\Documents and Settings\All Users
    %APPDATA%                       C:\Documents and Settings\{username}\Application
    %COMMONPROGRAMFILES%            C:\Program Files\Common Files
    %COMMONPROGRAMFILES (x86)%      C:\Program Files (x86)\Common Files
    %HOMEDRIVE%                     C:
    %HOMEPATH%                      C:\Documents and Settings\{username} (\ on earlier Windows versions)
    %PROGRAMFILES%                  C:\Program Files
    %PROGRAMFILES (x86)%            C:\Program Files (x86) (only on 64-bit versions)
    %SYSTEMDRIVE%                   C:
    %SYSTEMROOT%                    C:\windows (C:\WINNT on earlier Windows versions)
    %TEMP% (system) %tmp% (user)    C:\Documents and Settings\{username}\local Settings\Temp
                                    C:\Temp
    %USERPROFILE%                   C:\Documents and Settings\{username} (C:\WINNT\profiles\{username} for earlier versions)
    %WINDIR%                        C:\Windows

    Path considerations

    These considerations apply to path-based rules.

    Path should be absolute when specifying rules to read or write-protect files and directories.

    Path need not be absolute when specifying rules to add a trusted program or updater. For example, you can specify the partial path, such as AcroRd32.exe or Reader\AcroRd32.exe, or the fully-qualified path, such as C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32.exe. If you specify the partial path, all programs with names that match the specified string are added as trusted programs. If you specify the fully-qualified path, only the specified program is added as a trusted program.

    Paths can contain white spaces.

    Paths can include the wildcard character (*). However, it can only represent one complete path component. Here are a few examples.

    Windows platform: Using \abc\*\def is allowed while \abc\*.doc, \abc\*.*, or \abc\doc.* is not supported.

    UNIX platform: Using /abc/*/def is allowed while /abc/*.sh, /abc/*.*, or /abc/doc.* is not supported.

    Paths used in registry key-based rules can include the wildcard character (*). However, the wildcard character can only represent one path component in the registry path. Make sure that you do not use the character for the component at the end of the complete registry path (if used at the end, the rule will not be effective).
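    The precedence rules described earlier (exclude beats include, the longer path wins) and the wildcard and path constraints just listed, modelled together as an added Python example. This is not McAfee's code and not the agent's implementation; it is an assumed model of the documented behaviour, useful for checking a draft rule set before it goes into a policy.

```python
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    """One include or exclude entry, as added on the Read/Write Protect tabs."""
    path: str              # absolute file/directory path or registry key
    exclude: bool = False  # True = exclude from protection, False = include


def _split(path: str) -> List[str]:
    """Split a Windows path, registry key or UNIX path into its components."""
    sep = "\\" if "\\" in path else "/"
    return [c for c in path.strip(sep).split(sep) if c]


def _is_registry(path: str) -> bool:
    comps = _split(path)
    return bool(comps) and comps[0].upper().startswith("HKEY_")


def rule_matches(rule_path: str, target: str) -> bool:
    """True if rule_path covers target: the rule is a component-wise prefix of
    the target and '*' stands for exactly one whole component, so C:\\abc\\*\\def
    covers C:\\abc\\x\\def\\a.txt but not C:\\abc\\x\\y\\def\\a.txt. Windows paths
    and registry keys compare case-insensitively; UNIX paths do not."""
    fold = "\\" in target or _is_registry(target)
    rc, tc = _split(rule_path), _split(target)
    if len(rc) > len(tc):
        return False
    for r, t in zip(rc, tc):
        if r != "*" and (r.lower() if fold else r) != (t.lower() if fold else t):
            return False
    return True


def resolve(rules: List[Rule], target: str) -> Optional[Rule]:
    """Pick the rule that decides target: the longest (most specific) matching
    path wins, and an exclude rule beats an include rule of the same length."""
    best: Optional[Rule] = None
    for rule in rules:
        if not rule_matches(rule.path, target):
            continue
        if best is None:
            best = rule
            continue
        d_new, d_best = len(_split(rule.path)), len(_split(best.path))
        if d_new > d_best or (d_new == d_best and rule.exclude and not best.exclude):
            best = rule
    return best


def is_protected(rules: List[Rule], target: str) -> bool:
    """True if a change to target would be blocked and an event generated."""
    winner = resolve(rules, target)
    return winner is not None and not winner.exclude


def validate_rule_path(path: str) -> Optional[str]:
    """Return why a read/write-protection rule path is unsupported, or None."""
    comps = _split(path)
    if not comps:
        return "empty path"
    for c in comps:
        if "*" in c and c != "*":   # rejects \abc\*.doc, \abc\*.*, \abc\doc.*
            return f"wildcard must stand for one whole component, not {c!r}"
    if _is_registry(path):
        if comps[-1] == "*":        # trailing wildcard: rule would not be effective
            return "a wildcard as the last registry component is not effective"
        return None
    # File and directory rules must be absolute; a leading system variable
    # such as %SYSTEMROOT% is also accepted (Windows only).
    if not (re.match(r"^[A-Za-z]:", path) or path.startswith(("/", "%"))):
        return "file and directory paths must be absolute"
    return None
```

    With the guide's own examples, `is_protected([Rule(r"C:\temp"), Rule(r"C:\temp\foo.cfg", exclude=True)], r"C:\temp\foo.cfg")` is False while any other file under C:\temp is protected.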

    Protection rules

    You can define protection rules when modifying or creating a protection (Change Control) policy or rule group.

    Action  Steps

    Read-protect files and directories:

    1 Click Add on the Read Protect tab. The Add File dialog box appears.

    2 Specify the file or directory name.

    3 Indicate whether to include for or exclude from read protection.

    4 Click OK.

    By default, the read protection feature is disabled at the endpoints.

    Write-protect files and directories:

    1 Click Add on the Write Protect File tab. The Add File dialog box appears.

    2 Specify the file or directory name.

    3 Indicate whether to include for or exclude from write protection.

    4 Click OK.

    Write-protect registry keys:

    1 Click Add on the Write Protect Registry tab. The Add Registry dialog box appears.

    2 Specify the registry key.

    3 Indicate whether to include for or exclude from write protection.

    4 Click OK.

    Specify trusted programs permitted to override the read and write protection rules:

    1 Click Add on the Updaters tab. The Add Updater dialog box appears.

    2 Specify whether to add the updater based on the file name or checksum. If you add the updater by name, the updater is not authorized automatically. However, when you add the updater by checksum, the updater is authorized.

    3 Enter the location of the file (when adding by name) or SHA1 value (when adding by checksum) of the executable binary.

    4 Enter a unique identification label for the executable file. For example, if you specify Adobe Updater Changes as the identification label for the Adobe_Updater.exe file, all change events made by the Adobe_Updater.exe file will be tagged with this label.

    5 When adding an updater by name, specify conditions that the binary file must meet to run as an updater.

      Select None to allow the binary file to run as an updater without any conditions.

      Select Library to allow the binary file to run as an updater only when it has loaded the specified library. For example, when configuring iexplore.exe as an updater to allow Windows Updates using Internet Explorer, specify wuweb.dll as the library. This makes sure that the iexplore.exe program has updater privileges only while the web control library (wuweb.dll) is loaded.

      Select Parent to allow the binary file to run as an updater only if it is launched by the specified parent. For example, when configuring updater.exe as an updater to allow changes to Mozilla Firefox, specify firefox.exe as the parent. Although updater.exe is a generic name that can be part of any installed application, using the parent makes sure that only the correct program is allowed to run as an updater.

    6 When adding an updater by name, indicate whether to disable inheritance for the updater. For example, if Process A (that is set as an updater) launches Process B, disabling inheritance for Process A makes sure that Process B will not become an updater.

    7 When adding an updater by name, indicate whether to suppress events generated for the actions performed by the updater. Typically, when an updater changes a protected file, a File Modified event is generated for the file. If you select this option, no events are generated for changes made by the updater.

    8 Click OK.

    Specify authorized users permitted to override the read and write protection rules:

    You can either enter user details or import user or group details from an Active Directory. Make sure that the Active Directory is configured as a registered server.

    Specify details to authorize users to override the read or write protection rules (Windows only).

    1 On the Trusted User tab, click Add. The Add User dialog box appears.

    2 Create two rules for each user:

      With UPN/SAM and domain account name (in domainName\user format)

      With domain netbiosName (in netbiosName\user format)

    3 Specify a unique identification label for the user. For example, if you specify John Doe Changes as the identification label for the John Doe user, all changes made by the user will be tagged with this label.

    4 Type the user name.

    5 Click OK.

    Import user details from an Active Directory.

    1 Click AD Import on the Trusted User tab. The Import from Active Directory dialog box appears.

    2 Select the server.

    3 Select Global Catalog Search to search for users in the catalog (only if the selected Active Directory is a Global Catalog server).

    4 Specify whether to search for users based on the UPN (User Principal Name) or SAM account name. Your search criteria will determine the authorized user. Make sure that you use the trusted account to log on to the endpoint. If you use the UPN name while adding a user, make sure that the user logs on with the UPN name at the endpoint to enjoy trusted user privileges.

    5 Enter the user name. The Contains search criteria is applied for the specified user name.

    6 Specify a group name to search for users within a group.

      You cannot directly add a group present in the Active Directory to a policy. To authorize all users in a group, add the user group to a rule group and include the rule group in a policy. Adding user groups makes sure that all changes to a user group automatically cascade across all rule groups and associated policies.

    7 Click Find. The search results are displayed.

    8 Select the users to add in the search results, then click OK.

    Create a protection policy

    Protection policies are multi-slot policies; you can assign multiple policies to a single node in the system tree.

    Task

    For option definitions, click ? in the interface.

    1 On the McAfee ePO console, select Menu | Policy | Policy Catalog.

    2 Select the Solidcore 6.1.2:Change Control product.

    3 Click New Policy to open the New Policy dialog box.

    4 Select the category.

    5 Select the policy you want to duplicate from Create a policy based on this existing policy list.

    6 Specify the policy name, then click OK to open the Policy Settings page.

    7 Specify protection rules.

    The read-protect feature is disabled by default. To use read-protection rules, enable the read-protect feature for the endpoints.

    8 Save the policy.

    Enable read protection

    By default, the read-protect feature is disabled for optimal system performance. Run a command on the endpoint to enable read protection.

    Task

    For option definitions, click ? in the interface.

    1 On the McAfee ePO console, select Menu | Systems | System Tree.

    2 Perform one of these actions.

      To apply the client task to a group, select a group in the System Tree and switch to the Assigned Client Tasks tab.

      To apply the client task to an endpoint, select the endpoint on the Systems page and click Actions | Agent | Modify Tasks on a Single System.

    a Click Actions | New Client Task Assignment.

    The Client Task Assignment Builder page appears.

    b Select the Solidcore 6.1.2 product, SC: Run Commands task type, and click Create New Task.

    The Client Task Catalog page appears.

    c Specify the task name and add any descriptive information.

    3 Type this command:

      features enable deny-read

    4 Select Requires Response if you want to view the status of the commands in the Menu | Automation | Solidcore Client Task Log tab.

    5 Click Save.

    6 Click Next to open the Schedule page.

    7 Specify scheduling details, then click Next.

    8 Review and verify the task details, then click Save.

    9 Optionally, wake up the agent to send your client task to the endpoint immediately.


    5 Monitoring and reporting

    When a monitored file or registry key is changed or an attempt is made to access or change a protected resource, an event is generated on the endpoint and sent to the McAfee ePO server. Review and manage the generated events to monitor the network status.

    You can also use customizable dashboards to monitor critical security status at-a-glance, and report that status to stakeholders and decision makers using preconfigured queries.

    Contents

    Manage events
    Dashboards
    Queries
    View queries

    Manage events

    View and manage the events from the McAfee ePO console.

    Tasks

    Review events on page 43
    Review the events by specifying the time duration and endpoint details.

    View content changes on page 44
    An event is generated each time the attributes or contents change for a file that is being tracked for changes.

    Exclude events on page 45
    You can define rules to prune routine system-generated change events not relevant for monitoring or auditing.

    Review events

    Review the events by specifying the time duration and endpoint details.

    Task

    For option definitions, click ? in the interface.

    1 On the McAfee ePO console, select Menu | Reporting | Solidcore Events.

    2 Specify the time duration for which to view events by selecting an option from the Time Filter list.

    3 Specify the endpoints for which to view events.

    a Select the required group in the System Tree.

    b Select an option from the System Tree Filter list.

    4 Optionally, view only specific events by applying one or more filters.

    a Click Advanced Filters to open the Edit Filter Criteria page.

    b Select an available property.

    c Specify the comparison and value for the property.

    For example, to view only File Modified events, select the Event Display Name property, set comparison to Equals, and select the File Modified value.

    d Click Update Filter.

    Events matching the specified criteria are displayed.

    5 View details for an event.

    a Click an event row.

    b Review event details.

    c Click Back.

    6 Review endpoint details for one or more events.

    a Select one or more events.

    b Click Actions | Show Related Systems.

    The Related Systems page lists the endpoints corresponding to the selected events.

    c Click a row to review detailed information for the endpoint.

    d Optionally, perform any action on the endpoint.

    View content changes

    An event is generated each time the attributes or contents change for a file that is being tracked for changes. Based on the change made to the file, one of these events is generated:

    FILE_CREATED
    FILE_DELETED
    FILE_MODIFIED
    FILE_RENAMED
    FILE_ATTR_MODIFIED
    FILE_ATTR_SET
    FILE_ATTR_CLEAR
    ACL_MODIFIED
    OWNER_MODIFIED

    If any of the aforementioned events is generated for a file for which you are tracking content changes, you can review details of the change made to the file. View details of changes made to a file for which you are tracking content changes.

    Task

    For option definitions, click ? in the interface.

    1 On the McAfee ePO console, select Menu | Reporting | Solidcore Events.

    2 Click View Content Change for the event.

    The page compares two versions of the file.

    3 Review the host, file attribute, and file content information.

    The change made to the file is highlighted.

    4 Click Close.

    Exclude events

    You can define rules to prune routine system-generated change events not relevant for monitoring or auditing. You can exclude or ignore events not required to meet compliance requirements.

    Task

    For option definitions, click ? in the interface.

    1 On the McAfee ePO console, select Menu | Reporting |