Product Guide

McAfee Change Control and McAfee Application Control 8.0.0
For use with McAfee ePolicy Orchestrator


COPYRIGHT

© 2016 Intel Corporation

TRADEMARK ATTRIBUTIONS

Intel and the Intel logo are registered trademarks of the Intel Corporation in the US and/or other countries. McAfee and the McAfee logo, McAfee Active Protection, McAfee DeepSAFE, ePolicy Orchestrator, McAfee ePO, McAfee EMM, McAfee Evader, Foundscore, Foundstone, Global Threat Intelligence, McAfee LiveSafe, Policy Lab, McAfee QuickClean, Safe Eyes, McAfee SECURE, McAfee Shredder, SiteAdvisor, McAfee Stinger, McAfee TechMaster, McAfee Total Protection, TrustedSource, VirusScan are registered trademarks or trademarks of McAfee, Inc. or its subsidiaries in the US and other countries. Other marks and brands may be claimed as the property of others.

LICENSE INFORMATION

License Agreement

NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND.


Contents

Preface 9
  About this guide 9
    Audience 9
    Conventions 9
  Find product documentation 10
  Supported McAfee ePO versions 10
  What's in this guide 10

1 Introduction 13
  Application Control overview 13
    Application Control features 13
    Application Control advantages 15
  Change Control overview 16
    Change Control features 16
    Change Control advantages 18

2 Getting started with Change Control 19
  Change Control modes 19
  What are rule groups? 19
    Rule group example 20
    Rule group ownership 20
    Permissions for rule configuration 21
  Manage rule groups 22
    Change rule group ownership 22
    Manage permissions for rule group tabs 23
    Create rule groups 23
    Delete or rename rule groups 24
    Import or export a rule group 24
    Verify the import for a rule group 27
    View assignments for a rule group 27
  Enable Change Control 27

3 Monitoring the file system and registry 29
  How monitoring rules work 29
  Defining monitoring rules 32
    System variables 32
    Path considerations 33
    Monitoring rules 33
  Review predefined monitoring rules 34
  Create monitoring policies 35
  Manage content changes 36
    Content change tracking settings 37
    Configure settings for tracking content changes 37
    Track content changes 38
    Manage file versions 39
    Compare files 40
    Receive change details 41

4 Protecting the file system and registry 45
  How protection rules work 45
  Defining protection rules 46
    System variables 46
    Path considerations 47
    Protection rules 47
  Create a protection policy 50
  Enable read protection 50

5 Monitoring and reporting 53
  Manage events 53
    Review events 53
    View content changes 54
    Exclude events 55
  Dashboards 56
  Queries 56
  View queries 58

6 Getting started with Application Control 59
  Application Control modes 60
  File and certificate reputation 63
    Reputation sources 63
    Reputation-based workflow 64
    Reputation values received from sources 66
    How reputation is computed 67
    Configure reputation sources 72
    Using reputation information 74
  Memory-protection techniques 74
  What are rule groups? 75
    Rule group example 76
    Rule group ownership 76
  What are certificates? 76
  What are updater processes? 77
  What are installers? 77
  Permissions for rule configuration 79
  Configure and manage rule groups 81
    Change rule group ownership 82
    Manage permissions for rule group tabs 82
    Create a rule group 83
    Delete or rename rule groups 84
    Import or export a rule group 84
    Verify the import for a rule group 86
    View assignments for a rule group 87
  Manage certificates 87
    Add a certificate to McAfee ePO 88
    Search for a certificate 89
    View assignments for a certificate 89
  Manage installers 89
    Add an installer to McAfee ePO 90
    Search for an installer 90
    View assignments for an installer 91
  Configure Package Control 91

7 Designing the trust model 93
  How Application Control allows execution 93
  Designing the trust model 93
    Checks that Application Control runs for a file 94
    Defining attribute-based rules for file execution 97
    Predefined rules in default policies 98
    Allowing changes to endpoints 100

8 Deploying Application Control in Observe mode 109
  What are observations? 109
  Deploying in Observe mode 110
  Configure the feature 111
  Place endpoints in Observe mode 112
  Policy discovery permissions 113
    Allow non-global administrators to manage enterprise-wide requests 113
  Manage requests 114
    Review requests 114
    Process requests 116
    Review created rules 123
  Specify filters for observations and events 124
  Specify filters for user comments 124
  Throttle observations 125
    Define the threshold value 126
    Review filter rules 126
    Manage accumulated requests 127
    Restart observation generation 127
  Exit Observe mode 127

9 Monitoring your protection 129
  Enable Application Control 129
  Review predefined rules 130
  Review events 131
    View event details 132
    Review endpoint details 132
    View requests 133
    View file details 133
    Change file reputation 133
  Define rules 134
    Create custom rules 134
    Create a policy 135
    Exclude events 136
    Define bypass rules 136
  ActiveX controls 140

10 Managing the inventory 141
  How the inventory is updated 141
  Configure inventory updates 142
  Guidelines for fetching inventory 142
  Configure settings for fetching the inventory 143
  Fetch the inventory 144
  Fetch McAfee GTI ratings for isolated McAfee ePO environments 145
    Export SHA-1s 145
    Run the Offline GTI tool 146
    Import the GTI result file 147
    Verify the import 147
  Set enterprise reputation for files and certificates 147
  Review the inventory 148
  Optimize your inventory view 150
  Manage the inventory 152
  Specify filters for inventory data 154
  Set the base image 155
  Compare the inventory 155
    Run the inventory comparison 156
    Review the comparison results 156

11 Managing approval requests 159
  What is self-approval? 159
  Enable self-approval on endpoints 160
  Configure the feature 162
  Policy discovery permissions 162
    Allow non-global administrators to manage enterprise-wide requests 163
  Review requests 163
  Process requests 165
    Allow the file on all endpoints 166
    Allow by certificate on all endpoints 167
    Ban by SHA-1 or SHA-256 on all endpoints 167
    Define rules for specific endpoints 168
    Allow by adding to whitelist for specific endpoints 169
    Change file reputation 170
    View file details 170
    View events 170
    Delete requests 171
  Review created rules 171

12 Using dashboards and queries 173
  Dashboards 173
  Queries 173
  View queries 175

13 Maintaining your systems 177
  Monitor enterprise health 177
    Review congestion status and trend 178
    Configure notifications 179
  Make emergency changes 180
    Place the endpoints in Update mode 180
    Place the endpoints in Enabled mode 180
  Administer throttling for your enterprise 181
    Set up the feature 182
    Configure throttling values 182
    Manage throttling 183
  Configure CLI breach notifications 185
  Change the CLI password 186
  Collect debug information 187
  Place the endpoints in Disabled mode 187
  Send McAfee GTI feedback 189
    Server task settings 189
    Configure server tasks 189
  Purge data 190

14 Fine-tuning your configuration 191
  Configure a syslog server 191
  Solidcore permission sets 192
  Customize end-user notifications 195

A FAQs 197

B Feature availability 209

C Change Control and Application Control events 211

Index 219


Preface

This guide provides the information you need to work with your McAfee product.

Contents
  About this guide
  Find product documentation
  Supported McAfee ePO versions
  What's in this guide

About this guide

This information describes the guide's target audience, the typographical conventions and icons used in this guide, and how the guide is organized.

Audience

McAfee documentation is carefully researched and written for the target audience.

The information in this guide is intended primarily for:

• Administrators — People who implement and enforce the company's security program.

• Users — People who use the computer where the software is running and can access some or all of its features.

Conventions

This guide uses these typographical conventions and icons.

Italic          Title of a book, chapter, or topic; a new term; emphasis
Bold            Text that is emphasized
Monospace       Commands and other text that the user types; a code sample; a displayed message
Narrow Bold     Words from the product interface like options, menus, buttons, and dialog boxes
Hypertext blue  A link to a topic or to an external website
Note:           Extra information to emphasize a point, remind the reader of something, or provide an alternative method
Tip:            Best practice information
Caution:        Important advice to protect your computer system, software installation, network, business, or data
Warning:        Critical advice to prevent bodily harm when using a hardware product


Find product documentation

On the ServicePortal, you can find information about a released product, including product documentation, technical articles, and more.

Task

1 Go to the ServicePortal at https://support.mcafee.com and click the Knowledge Center tab.

2 In the Knowledge Base pane under Content Source, click Product Documentation.

3 Select a product and version, then click Search to display a list of documents.

Supported McAfee ePO versions

This release of McAfee® Application Control and McAfee® Change Control is compatible with these McAfee® ePolicy Orchestrator® (McAfee® ePO™) versions.

• McAfee ePO 5.1.0–5.1.3

• McAfee ePO 5.3.0–5.3.2

We don't guarantee that Change Control and Application Control work with other versions of McAfee ePO.

What's in this guide

This guide is organized to help you find the information you need.

This document is meant as a reference to use along with the Change Control, Application Control, and McAfee ePO interfaces. This document provides information on configuring and using the Change Control and Application Control products.

Introduction
  Provides an overview of the Change Control and Application Control products.
  Applies to: Change Control, Application Control

Getting started with Change Control
  Details the various Change Control-related concepts, such as modes and rule groups, and describes how to enable the product.
  Applies to: Change Control

Monitoring the file system and registry
  Provides concepts and instructions to help you define rules to monitor files and registry entries for changes.
  Applies to: Change Control

Protecting the file system and registry
  Provides concepts and instructions to help you define rules to read-protect and write-protect files and registry entries.
  Applies to: Change Control

Monitoring and reporting
  Describes how to use events, dashboards, and queries to monitor the enterprise status when using the Change Control product.
  Applies to: Change Control

Getting started with Application Control
  Details the various Application Control-related concepts, such as modes, trust model, rule groups, installers, and certificates.
  Applies to: Application Control

Designing the trust model
  Helps you design your trust model that dictates the changes that are permitted in your setup.
  Applies to: Application Control

Deploying Application Control in Observe mode
  Provides detailed instructions to help you place Application Control in the Observe mode to perform a dry run for the product.
  Applies to: Application Control

Monitoring your protection
  Describes how to enable Application Control and details routine tasks to perform when the product is running in Enabled mode.
  Applies to: Application Control

Managing the inventory
  Provides instructions to help you fetch, review, and manage the software inventory for protected endpoints.
  Applies to: Application Control

Managing approval requests
  Provides instructions to help you review, process, and manage approval requests received from the endpoints in the enterprise.
  Applies to: Application Control

Using dashboards and queries
  Describes how to use dashboards and queries to monitor the enterprise status when using the Application Control product.
  Applies to: Application Control

Maintaining your systems
  Details various tasks to help you maintain the protected endpoints.
  Applies to: Change Control, Application Control

Fine-tuning your configuration
  Describes advanced configuration tasks that help you fine-tune your configuration.
  Applies to: Change Control, Application Control

FAQs
  Provides answers to frequently asked questions.
  Applies to: Change Control, Application Control

Feature availability
  Lists Change Control and Application Control features and their availability for operating systems and supported configuration.
  Applies to: Change Control, Application Control

Change Control and Application Control events
  Provides a detailed list of all Change Control and Application Control events.
  Applies to: Change Control, Application Control


1 Introduction

Get familiar with the McAfee Change Control and McAfee Application Control software and learn how they protect your environment.

Before you can configure and use Change Control or Application Control, you must make sure that:

• A supported version of McAfee ePO is installed and running. For information about the supported McAfee ePO versions, see Supported McAfee ePO versions. For more information about installing McAfee ePO, see the installation guide for your version of McAfee® ePolicy Orchestrator® (McAfee® ePO™) software.

• Change Control or Application Control is installed and running. For more information about installation, see McAfee Change Control and McAfee Application Control Installation Guide.

Contents
  Application Control overview
  Change Control overview

Application Control overview

Today's IT departments face tremendous pressure to make sure that their endpoints comply with security policies, operating procedures, corporate IT standards, and regulations. Extending the viability of fixed function devices such as point-of-sale (POS) terminals, customer service terminals, and legacy Windows NT platforms has become critical.

Application Control uses dynamic whitelisting to make sure that only trusted applications run on devices, servers, and desktops. This provides IT with the greatest degree of visibility and control over clients, and helps enforce software license compliance.

Application Control features

Application Control software blocks unauthorized applications on servers, corporate desktops, and fixed-function devices. This centrally managed whitelist solution uses a dynamic trust model and innovative security features that thwart advanced persistent threats (APTs) — without requiring signature updates or labor-intensive list management.

Application Control offers a variety of features that provide a robust security framework when configured appropriately. We recommend that you evaluate your specific workflows, applications, and requirements and configure product features based on your needs and setup.

Dynamic whitelist

This feature avoids the need to manually find and manage application-related files. The Application Control whitelist groups executables (binaries, libraries, and drivers) and scripts across your enterprise by application and vendor, displaying them in an intuitive and hierarchical format. Applications are categorized as trusted, malicious, and unknown. Also, you can easily search for useful insights, such as applications added this week, uncertified binaries, files with unknown reputations, systems running outdated versions of Adobe Reader, and more to quickly pinpoint vulnerabilities and validate compliance of software licenses.
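The inventory view described above groups executables by vendor and application and answers questions such as "which binaries are uncertified?" or "which endpoints still run an outdated Adobe Reader?". The following is an added illustration, not code from this guide or from McAfee, of what such an inventory and its queries look like; the paths, vendors, versions, reputations and dates are constructed sample records, and the field names are this example's own choices.

```python
"""Toy software inventory with vendor/application grouping and the kinds of
queries the Dynamic whitelist feature description mentions.
Added example; all records below are constructed, not real inventory data."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class InventoryItem:
    path: str
    vendor: str          # publisher from the file's signature; "" when unsigned
    application: str     # "" when the file could not be attributed to an application
    version: str
    reputation: str      # "trusted", "malicious", or "unknown"
    first_seen: date     # when the file first appeared in the inventory


# Constructed sample inventory (hypothetical paths, vendors, and versions).
INVENTORY = [
    InventoryItem(r"C:\Program Files\Adobe\Reader\AcroRd32.exe", "Adobe",
                  "Adobe Reader", "11.0.1", "trusted", date(2016, 1, 4)),
    InventoryItem(r"C:\Program Files\Adobe\Reader\AcroRd32.dll", "Adobe",
                  "Adobe Reader", "11.0.1", "trusted", date(2016, 1, 4)),
    InventoryItem(r"C:\Tools\helper.exe", "",
                  "Helper Tool", "1.0", "unknown", date(2016, 3, 14)),
    InventoryItem(r"C:\Users\Public\dropper.exe", "",
                  "", "", "malicious", date(2016, 3, 15)),
    InventoryItem(r"C:\Program Files\Contoso\agent.exe", "Contoso",
                  "Contoso Agent", "2.3", "trusted", date(2016, 2, 1)),
]


def group_by_vendor_and_application(items):
    """Build the vendor -> application -> [paths] hierarchy shown in the UI."""
    tree = defaultdict(lambda: defaultdict(list))
    for it in items:
        vendor = it.vendor or "(unsigned)"
        app = it.application or "(unknown application)"
        tree[vendor][app].append(it.path)
    return {vendor: dict(apps) for vendor, apps in tree.items()}


def uncertified_binaries(items):
    """Files that carry no publisher signature."""
    return [it.path for it in items if not it.vendor]


def unknown_reputation(items):
    """Files for which no reputation verdict is available yet."""
    return [it.path for it in items if it.reputation == "unknown"]


def added_since(items, today, days=7):
    """Files first seen within the last `days` days (e.g. 'added this week')."""
    cutoff = today - timedelta(days=days)
    return [it.path for it in items if it.first_seen >= cutoff]


def version_tuple(version):
    """Compare dotted versions numerically, so 11.0.9 < 11.0.10."""
    return tuple(int(part) for part in version.split(".") if part.isdigit())


def outdated(items, application, minimum_version):
    """Files of `application` whose version is below `minimum_version`."""
    floor = version_tuple(minimum_version)
    return sorted({it.path for it in items
                   if it.application == application
                   and version_tuple(it.version) < floor})


def count_by_reputation(items):
    """Summary counts for the trusted / malicious / unknown categories."""
    counts = {"trusted": 0, "malicious": 0, "unknown": 0}
    for it in items:
        counts[it.reputation] += 1
    return counts


if __name__ == "__main__":
    for vendor, apps in group_by_vendor_and_application(INVENTORY).items():
        print(vendor)
        for app, paths in apps.items():
            print("  " + app)
            for path in paths:
                print("    " + path)
    print("uncertified:", uncertified_binaries(INVENTORY))
    print("unknown reputation:", unknown_reputation(INVENTORY))
    print("outdated Adobe Reader:", outdated(INVENTORY, "Adobe Reader", "11.0.10"))
    print("by reputation:", count_by_reputation(INVENTORY))
```

The point of the version comparison helper is the edge case that a plain string comparison gets wrong: "11.0.9" sorts after "11.0.10" as text, so an outdated-version query built on string order would miss exactly the systems it is meant to find.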

Effective protection

Application Control extends coverage to executable files, libraries, drivers, Java applications, ActiveX controls, and scripts for greater control over application components.

Advanced memory protection

This feature prevents whitelisted applications from being exploited by memory buffer overflow attacks on Windows 32- and 64-bit systems.

Knowledge acquisition

Application Control allows you to switch to Observation mode, which helps you discover policies for dynamic desktop environments without enforcing a whitelist lockdown. This mode helps you gradually deploy Application Control in pre- or early-production environments without breaking applications. Also, the software allows administrators to use the Policy Discovery page for defining policies.

User-centric solution

Application Control provides multiple ways to let users install new applications:

• End user notification — Users can receive informative pop-up messages on endpoints, explaining why access to unauthorized applications is not allowed. These messages prompt users to request approvals using email or helpdesk.

• Self-approval — Users can install new software without waiting for IT approval. IT can inspect the self-approval requests and create policies to either ban the application or permit it on all or selected systems in the enterprise.

Reputation-based execution

Application Control integrates with a reputation source to receive reputation information for files and certificates. Based on the reputation received from one of these sources, Application Control allows or bans the execution and software installation.


• McAfee® Threat Intelligence Exchange (TIE) server — TIE server delivers a cohesive framework where security products collectively pinpoint threats and act as a unified threat defense system providing security resilience and immunity to infections. This allows instant communication between endpoints, systems, and devices in your environment. The communication is made possible with a new technology called the McAfee® Data Exchange Layer (DXL) framework. TIE server provides fast detection and protection against security threats and malware. The product quickly analyzes files and content from several sources in your environment and makes informed security decisions based on the reputation and your specific criteria.

Also, TIE integrates in real time with McAfee® Advanced Threat Defense and McAfee® Global Threat Intelligence (McAfee GTI) to provide detailed assessment and data on malware classification. This integration allows you to respond to threats and share the information throughout your environment.

• McAfee Global Threat Intelligence — McAfee GTI is a comprehensive, real-time, cloud-based threat intelligence service that enables McAfee products to protect customers against threats. McAfee GTI complements your on-premises or Software-as-a-Service (SaaS) McAfee products by providing them with the most up-to-date reputation intelligence so that they can take appropriate action when threats strike.

Application Control integrates with McAfee GTI, an exclusive McAfee technology, to track the reputation of files, messages, and senders in real time using millions of sensors worldwide. The software uses this cloud-based knowledge to determine the reputation of files in your computing environment, classifying them as trusted, malicious, or unknown. McAfee GTI reputation tracking can operate both in secure and isolated environments and connected infrastructures. With McAfee GTI integration, you know with certainty when any malware has been inadvertently whitelisted.

Centralized management

Application Control integrates with the McAfee ePO software to allow a consolidated and centralized management, providing a global view of enterprise security without blind spots. McAfee ePO integrates Application Control software with McAfee Firewall, and other McAfee security and risk management products from McAfee Security Innovation Alliance Partners, as well as your home-grown management applications. A single-step installation and update of Application Control deployment can be done from Microsoft System Center Configuration Manager. Also, as an added layer of defense, McAfee® Network Security Platform or McAfee® Host Intrusion Prevention software can prevent kernel vulnerability exploits and Denial of Service (DoS) attacks.

Application Control advantages

These are the key advantages of using the Application Control software.

• Protects your organization against malware attacks before they occur by proactively controlling the applications executing on your desktops, laptops, and servers.

• Enforces control on connected or disconnected servers, virtual machines (VMs), endpoints, and fixed devices, such as kiosks and point-of-sale (POS) terminals.

• Accepts new software added through your authorized processes.

• Locks down the protected endpoints against threats and unwanted changes, with no file system scanning or other periodic activity that could affect system performance.

• Augments traditional security solutions and enables IT to allow only approved system and application software to run. Blocks unauthorized or vulnerable applications that might compromise endpoints without imposing operational overhead. This makes sure that end users cannot accidentally introduce software that poses a risk to the business.

• Uses dynamic whitelisting to make sure that only trusted applications run on devices, servers, and desktops. McAfee's dynamic whitelisting trust model eliminates the labor and cost associated with other whitelisting technologies, thereby reducing overhead and increasing continuity.


• Provides control over endpoints to IT departments and helps enforce software license compliance. With Application Control, IT departments can eliminate unauthorized software on endpoints, while providing employees greater flexibility to use the resources they need to get their jobs done.

• Eliminates the need for IT administrators to manually maintain lists of approved applications. This enables IT departments to adopt a flexible approach where a repository of trusted applications can run on endpoints. This allows execution of only authorized executables (binaries, libraries, and drivers) and scripts, and further defends against memory exploits.

• Works effectively when integrated with McAfee ePO and in standalone configuration without network access. The product is designed to operate in many network and firewall configurations.

• Runs transparently on endpoints. It can be set up quickly with low initial and ongoing operational overhead and minimal impact on CPU cycles.

• Protects unsupported legacy systems, such as Microsoft Windows NT, 2000, and XP. However, some features are unavailable on the legacy systems. This information is indicated in this guide, wherever needed.

Change Control overview

Change Control allows you to monitor and prevent changes to the file system, registry, and user accounts. You can view details of who made changes, which files were changed, what changes were made to the files, and when and how the changes were made. You can write-protect critical files and registry keys from unauthorized tampering. You can read-protect sensitive files. To ease maintenance, you can define trusted programs or users to allow updates to protected files and registry keys.

In effect, a change is permitted only if it is applied according to the Change Control policies. Using Change Control, you can perform these actions.

• Detect, track, and validate changes in real time.

• Gain visibility into ad-hoc changes.

• Eliminate ad-hoc changes using protection rules.

• Enforce approved change policies and compliance.

Change Control features

Change Control software can block change activities in server environments to prevent security breaches, data loss, and outages. This makes it easy to meet compliance requirements. These are the key features of Change Control.

Real-time monitoring

Change Control fulfills the Payment Card Industry (PCI) Data Security Standard (DSS) requirements 10 and 11.5 for file integrity monitoring (FIM). The software provides real-time monitoring for file and registry changes. Real-time monitoring eliminates the need to perform scan after scan on endpoints and identifies transient change violations, such as when a file is changed and restored to its earlier state. It captures changes including:

• Time of the change

• Who made the change

• What program was used to make the change

• Whether the change was made manually or by an authorized program


It maintains a comprehensive and up-to-date database (on McAfee ePO) that logs attempts to modify files, registry keys, and local user accounts.

Content change tracking

Change Control allows you to track content and attribute changes for files. File content changes can be viewed and compared side-by-side to see what was added, deleted, or modified. This is handy while troubleshooting configuration-related outages. The software includes special alerting mechanisms to instantly notify you of critical changes, so that you can prevent configuration-related outages — a recommended information technology infrastructure library (ITIL) best practice. Also, qualified security assessor (QSA) forms are provided for easy PCI reporting.

Customizable filters

You can use filters to make sure that only relevant changes make it to the database. You can define filters to match the file name, directory name, registry key, process name, file extension, and user name. Using the criteria, you can define two types of filters.

• Include filters to receive information about events matching the specified filtering criteria.

• Exclude filters to ignore information about events matching the specified filtering criteria.

Filtering events is required to control the volume of change events. Typically, some changes are program-generated and do not need to be reported to the system administrator. If programmatic and automatic change activity is high, a large number of change events can overwhelm the system. Using filters makes sure that only relevant change events are recorded.
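The include and exclude filter logic described above, as an added illustration (not Change Control's own code): each filter is a set of glob patterns over the documented criteria (file name, directory name, registry key, process name, file extension, user name), applied to a few constructed change events. The field names and the combination rule (an event is recorded when it matches no exclude filter and, if any include filters exist, at least one include filter) are assumptions of this model.

```python
"""Include/exclude change-event filters: an added model of the filter
semantics, not Change Control's implementation."""
from fnmatch import fnmatch

# Documented filter criteria (field names are an assumption of this model).
CRITERIA = ("file_name", "directory", "registry_key", "process_name", "extension", "user")


def matches(event, criteria):
    """True when every field named in the filter matches the event (glob, case-insensitive)."""
    for field_name, pattern in criteria.items():
        if field_name not in CRITERIA:
            raise ValueError(f"unknown filter criterion: {field_name}")
        value = event.get(field_name, "")
        if not fnmatch(value.lower(), pattern.lower()):
            return False
    return True


def should_record(event, include_filters, exclude_filters):
    """Decide whether a change event reaches the database.

    Assumed combination rule: any matching exclude filter drops the event;
    when include filters exist, at least one of them must match.
    """
    if any(matches(event, f) for f in exclude_filters):
        return False
    if include_filters and not any(matches(event, f) for f in include_filters):
        return False
    return True


def apply_filters(events, include_filters, exclude_filters):
    """Return only the events that would be recorded."""
    return [e for e in events if should_record(e, include_filters, exclude_filters)]


# Constructed sample change events (not captured from any real system).
SAMPLE_EVENTS = [
    {"file_name": "web.config", "directory": r"C:\inetpub\wwwroot", "extension": "config",
     "process_name": "notepad.exe", "user": "jdoe"},
    {"file_name": "app.log", "directory": r"C:\ProgramData\App\logs", "extension": "log",
     "process_name": "app.exe", "user": "SYSTEM"},
    {"file_name": "hosts", "directory": r"C:\Windows\System32\drivers\etc", "extension": "",
     "process_name": "cmd.exe", "user": "jdoe"},
    {"registry_key": r"HKLM\SYSTEM\CurrentControlSet\Services\Foo",
     "process_name": "regedit.exe", "user": "admin"},
    {"file_name": "sam.tmp", "directory": r"C:\Temp", "extension": "tmp",
     "process_name": "backup.exe", "user": "SYSTEM"},
]

# Program-generated noise and an authorized backup job are excluded; with no
# include filters, everything else is recorded.
EXCLUDE_FILTERS = [
    {"extension": "log"},
    {"process_name": "backup.exe", "user": "SYSTEM"},
]
INCLUDE_FILTERS = []

if __name__ == "__main__":
    for recorded in apply_filters(SAMPLE_EVENTS, INCLUDE_FILTERS, EXCLUDE_FILTERS):
        print(recorded)
```

Adding an include filter such as `{"directory": r"C:\Windows\*"}` narrows the recorded set to the hosts-file change only, which is the volume-control effect the paragraph describes.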

Efficient policy enforcement

Change Control enforces change policies that require the changes to be made within a time window, only by trusted sources. However, Change Control can be fine-tuned to allow native applications to update their files continuously without interruption, while disallowing other applications or users from making changes or even reading specified files.

Read protection

Read-protection rules prevent users from reading the content of specified files, directories, and volumes. If a directory or volume is read-protected, all files in the directory or volume are read-protected. Once defined, read-protection rules are inherited by subdirectories. You cannot read-protect registry keys.

By default, read protection is disabled.

Write protection

Use write-protection rules to prevent users from creating files (including directories and registry keys) and modifying existing files, directories, and registry keys. Write-protecting a file or registry key renders it read-only and protects it from unanticipated updates. These actions are prevented for a write-protected file or registry key.

• Delete

• Rename

• Create hard links

• Modify contents

• Append


• Truncate

• Change attributes (for example, owner, group, and permissions)

• Create Alternate Data Stream (Microsoft Windows only)

Change Control advantages

These are the key advantages of using the Change Control software.

• Provides continuous visibility and real-time management of changes to critical system, configuration, or content files.

• Prevents tampering of critical files and registry keys by unauthorized parties.

• Fulfills the PCI DSS regulation for FIM.

• Starts easily with out-of-the-box FIM rules.

• Includes QSA-friendly reports for easy PCI reporting.

• Includes one-click exclusion feature to avoid tracking irrelevant information.

• Provides efficient policy enforcement to block unwanted changes before they occur.

• Integrates with McAfee ePO for centralized IT management.


2 Getting started with Change Control

Before you begin using Change Control, get familiar with it and understand related concepts.

Contents

• Change Control modes

• What are rule groups?

• Manage rule groups

• Enable Change Control

Change Control modes

At any time, Change Control can operate in one of these modes.

Enabled Indicates that the software is in effect and changes are monitored and controlled on the endpoints according to the defined policies. In Enabled mode, Change Control monitors and protects files and registry keys as defined by the configured policies. Enabled mode is the recommended mode of operation.

From Enabled mode, you can switch to Disabled or Update mode.

Update Indicates that the software is in effect, allows ad-hoc changes to the endpoints, and tracks the changes made to the endpoints. Use Update mode to perform scheduled or emergency changes, such as software and patch installations.

In Enabled mode, you cannot read the read-protected files or modify any write-protected files (according to the defined policies). But, in Update mode, all read and write protection that is in effect is overridden. Use Update mode to define a change window during which you can make changes to endpoints and authorize the made changes.

From Update mode, you can switch to Enabled or Disabled mode. Switch to Enabled mode when the changes are complete.

Disabled Indicates that the software is not in effect. Although the software is installed, the associated features are not active. When you place the endpoints in Disabled mode, the application restarts the endpoints.

From Disabled mode, you can switch to Enabled or Update mode.

What are rule groups?

A rule group is a collection of rules. Although you can directly add rules to any McAfee ePO-based policy, the rules defined within a policy are specific to that policy. In contrast, a rule group is an independent unit that collates a set of similar or related rules. After you define a rule group, you can reuse the rules within the rule group by associating the rule group with different policies. Also, to modify a rule, update the rule in the rule group and the change cascades across all associated policies automatically.


The software provides predefined rule groups to allow commonly used applications to run smoothly. Although you cannot edit the predefined rule groups, you can use an existing rule group as a starting point to develop rule groups. If needed, you can also import or export rule groups.

Rule groups can drastically reduce the effort required to define similar rules across policies. If you have a large setup and are deploying the software across numerous endpoints, use rule groups to minimize the deployment time and effort.

Rule group example

Here is an example to help you understand how rule groups are used.

An organization runs Oracle on multiple servers. Each of these servers is used by the HR, Engineering, and Finance departments for different purposes. To reduce rule redundancy, we define these rule groups with Oracle-specific rules.

• An Integrity Monitor rule group (named IM-Oracle) containing rules to monitor and track configuration files and registry keys (to help audit critical changes to Oracle configuration)

• A Change Control rule group (named CC-Oracle) containing rules to protect critical files for Oracle (to prevent unauthorized changes)

After the rule groups are defined, we can reuse these rule groups across policies for the HR, Engineering, and Finance departments. So, when defining policies for the HR Servers, add the IM-Oracle rule group to a monitoring (Integrity Monitor) policy and the CC-Oracle rule group to a protection (Change Control) policy with rule groups for the other applications installed on the HR server. Similarly, add the IM-Oracle and CC-Oracle rule groups to the relevant policies for the Engineering Servers and Finance Servers. After defining the policies, if you realize that the rule for a critical file was not created, directly update the rule group and all policies that include the rule group are updated automatically.
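An added model (not Change Control's own code) of the concepts this chapter has introduced: write-protection and read-protection rules that cover everything below a protected directory or key, the rule that registry keys cannot be read-protected, the three operating modes (with Update mode overriding all protection), and the CC-Oracle rule group shared by several department policies so that one update cascades to all of them. Path-prefix matching, the per-group handling of trusted programs, the operation names, and the Oracle paths are assumptions or constructed values.

```python
"""Protection rules, rule groups and Change Control modes: an added model
of the semantics described in this chapter, not McAfee's implementation."""
from dataclasses import dataclass, field

# Actions the guide lists as prevented on a write-protected file or registry
# key, plus "create" for new files or keys under a protected location.
WRITE_OPS = frozenset({"create", "delete", "rename", "create_hard_link", "modify",
                       "append", "truncate", "change_attributes", "create_ads"})
REGISTRY_ROOTS = ("HKLM\\", "HKCU\\", "HKU\\", "HKCR\\", "HKEY_")
MODES = ("Enabled", "Update", "Disabled")


def is_registry(path):
    """Registry paths are recognised by their hive prefix (assumption of the model)."""
    return path.upper().startswith(REGISTRY_ROOTS)


def covered_by(path, protected):
    """A rule on a directory, volume or key covers it and everything below it."""
    p = path.lower().rstrip("\\")
    q = protected.lower().rstrip("\\")
    return p == q or p.startswith(q + "\\")


@dataclass
class RuleGroup:
    name: str
    write_protect: list = field(default_factory=list)
    read_protect: list = field(default_factory=list)
    trusted_programs: list = field(default_factory=list)  # updaters allowed past this group's rules

    def add_read_protect(self, path):
        if is_registry(path):
            raise ValueError("registry keys cannot be read-protected")
        self.read_protect.append(path)


@dataclass
class Policy:
    name: str
    rule_groups: list  # references to shared RuleGroup objects, so an edit cascades


def evaluate(policy, mode, op, path, program):
    """Return 'allow' or 'deny' for one operation under the given mode."""
    if mode not in MODES:
        raise ValueError(f"unknown mode: {mode}")
    if mode != "Enabled":
        # Disabled: the software is not in effect. Update: a change window in
        # which all read and write protection is overridden (changes are tracked).
        return "allow"
    for rg in policy.rule_groups:
        if program in rg.trusted_programs:
            continue
        if op == "read" and any(covered_by(path, r) for r in rg.read_protect):
            return "deny"
        if op in WRITE_OPS and any(covered_by(path, w) for w in rg.write_protect):
            return "deny"
    return "allow"


def build_oracle_example():
    """The chapter's CC-Oracle group shared by two department policies (constructed paths)."""
    cc_oracle = RuleGroup(
        "CC-Oracle",
        write_protect=[r"C:\oracle\product\network\admin", r"HKLM\SOFTWARE\ORACLE"],
        trusted_programs=["oracle.exe"],
    )
    cc_oracle.add_read_protect(r"C:\oracle\wallets")
    policies = {
        "HR Servers": Policy("HR Servers", [cc_oracle]),
        "Finance Servers": Policy("Finance Servers", [cc_oracle]),
    }
    return cc_oracle, policies


if __name__ == "__main__":
    rg, pols = build_oracle_example()
    tns = r"C:\oracle\product\network\admin\tnsnames.ora"
    print(evaluate(pols["HR Servers"], "Enabled", "modify", tns, "notepad.exe"))  # deny
    print(evaluate(pols["HR Servers"], "Enabled", "modify", tns, "oracle.exe"))   # allow
    print(evaluate(pols["HR Servers"], "Update", "delete", tns, "cmd.exe"))        # allow
    rg.write_protect.append(r"C:\oracle\product\dbs")  # one edit, both policies updated
    print(evaluate(pols["Finance Servers"], "Enabled", "delete",
                   r"C:\oracle\product\dbs\spfile.ora", "cmd.exe"))                # deny
```

Because both policies hold a reference to the same `RuleGroup` object, appending a path to `cc_oracle.write_protect` changes what the Finance policy denies without touching the policy itself, which is the cascading behaviour the example above describes.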

Rule group ownership

Users are allowed to edit and delete only the rule groups that they own.

A user who creates a rule group is automatically set as the owner of the rule group. Only the owner and McAfee ePO administrator can edit and delete the rule group. Also, the administrator can assign ownership to other users or revoke ownership from the owner. In this case, the ownership is automatically granted to the McAfee ePO administrator.

When you upgrade to the 6.2.0 or later extension, the McAfee ePO administrator becomes the owner of all existing rule groups in the enterprise. The rule groups created by all owners are editable only by the McAfee ePO administrator. The McAfee ePO administrator must assign rule group ownership to other users, as needed.

Users who do not own a rule group can only view the rule group and its policy assignments, duplicate the rule group, and add the rule group to policies. However, if the owner or the McAfee ePO administrator updates a rule in the rule group, the change cascades across all associated McAfee ePO policies.

This scenario suits non-global administrators who want to use a rule group (created by the McAfee ePO administrator) without maintaining it. If this scenario does not suit your requirements, duplicate the rule group that you do not own, then assign the duplicate to policies. This method provides you ownership of the duplicated rule group.


Permissions for rule configuration

The McAfee ePO administrator can configure permissions for Solidcore configuration, as needed. If you have multiple administrators working in your enterprise, review and manage permissions for each administrator.

When do I assign permissions?

Typically, the McAfee ePO administrator is the global administrator who manages the whole enterprise and has access to all Solidcore pages. In contrast, the non-global administrator can be a site or local administrator who manages a particular site or group of systems. In the enterprise, the sites can be categorized based on locations, sectors, or functional groups.

For example, in an organization with multiple sites across different locations (north, south, east, and west), the McAfee ePO administrator manages the whole organization and a site administrator or non-global administrator is present to manage each site.

Permissions for the Rule Groups page

You can configure permissions for the Rule Groups page that appears on the Menu | Configuration | Solidcore Rules page. The permissions determine the actions you can take from the Rule Groups page and control whether the page is visible from other Solidcore pages.

You can assign one of these permissions for the Rule Groups page. By default, the McAfee ePO administrator has edit permissions for all pages.

Permission Details

No permissions Indicates that the page is not visible to the user. For example, if no permissions are granted to a user for the Rule Groups page, the tab is not visible from the Solidcore Rules and Policy Catalog (rule group assignments) pages. Also, the user inherits no permissions on the Updater Processes, Users, and Filters tabs.

View permissions Indicates that the page is visible to the user. But, the user cannot perform modify, delete, or user operations from the page. For example, if view permissions are granted to a user for the Rule Groups page, the tab is visible from the Solidcore Rules and Policy Catalog (rule group assignments) pages. While the user can view rule group information and check assignments, the user is not allowed to edit, duplicate, or add rule groups.

Edit permissions Indicates that the tab is visible and the user can perform all actions available on the page. For example, if edit permissions are granted to a user on the Rule Groups page, the page is visible from the Solidcore Rules and Policy Catalog (rule group assignments) pages and the user is allowed to perform all operations.

Permissions for tabs contained in rule group and policy pages

User permissions for the Rule Groups page control the permissions for the Updater Processes, Users, and Filters tabs. The permissions available for the Rule Groups page indicate the permissions for the contained tabs. If needed, the McAfee ePO administrator can selectively change the permissions for individual tabs.

When No Permissions or View Permissions are granted to a user, certain actions are impacted and might not be available.


Blocked action: Exclude Events action is blocked.
Impacted page: Solidcore Events page
Permissions required for: Filters tab

Blocked action: Import action is unsuccessful because tab-specific rules are not imported.
Impacted page: Rule Groups page
Permissions required for: Contained tab on the Rule Groups page

Manage rule groups

Create rule groups to collate a set of similar or related rules. Also, you can import or export rule groups to manage rule group configuration.

Tasks

• Change rule group ownership on page 22
Assign rule group ownership to more users or remove ownership from users.

• Manage permissions for rule group tabs on page 23
You can manage permissions for the Rule Groups page, and the tabs contained in rule group and policy pages.

• Create rule groups on page 23
Create a rule group to specify the required rules.

• Delete or rename rule groups on page 24
Delete or rename a rule group, as needed.

• Import or export a rule group on page 24
To replicate rule group configuration from one McAfee ePO server to another, export the rule group configuration from the source McAfee ePO server to an XML file and import the XML file to the target McAfee ePO server.

• Verify the import for a rule group on page 27
You can verify whether the import operation for a rule group was successful.

• View assignments for a rule group on page 27
Instead of navigating through all the created policies, you can directly view all policies in which a rule group is being used. This feature provides a convenient way to verify if each rule group is assigned to the relevant policies.

Change rule group ownership

Assign rule group ownership to more users or remove ownership from users.

Before you begin

You must be a global administrator to perform this task.

Task

For details about product features, usage, and best practices, click ? or Help.

1 On the McAfee ePO console, select Menu | Configuration | Solidcore Rules.

2 On the Rule Groups tab in the Owners column, click the owner for a rule group to open the Rule Group Ownership page.

3 Change the default ownership by selecting or deselecting users listed on the page.

4 Click Save.

Changes made to owners are reflected in the Owners column for the selected rule group.


Manage permissions for rule group tabs

You can manage permissions for the Rule Groups page, and the tabs contained in rule group and policy pages.

Before you begin

You must be a McAfee ePO administrator to use this task.

Task

For details about product features, usage, and best practices, click ? or Help.

1 On the McAfee ePO console, select Menu | User Management | Permission Sets.

2 Click New to create a permission set.

3 Provide a name for the permission set.

4 Select the users you want to assign the permission set to.

The level of permissions that you specify in the permission set is granted to the user. When multiple permission sets are applied to a user account, they aggregate. Consider this as you plan your strategy for granting permissions to the users in your environment. For more information, see Solidcore permission sets.

5 Click Save.

6 Click Edit on the Solidcore General permissions category.

7 Grant permissions for Rule Groups, as needed.

8 Grant permissions selectively for the tabs (Updater Processes, Users, and Filters) contained in rule group and policy pages, as needed.

This is based on the permissions the user has on the Rule Groups page. For information, see Permissions for rule configuration.

9 Click Save.

Create rule groups

Create a rule group to specify the required rules.

Task

For details about product features, usage, and best practices, click ? or Help.

1 On the McAfee ePO console, select Menu | Configuration | Solidcore Rules.

2 Perform one of these steps from the Rule Groups tab.

• Select Integrity Monitor to view or define a rule group for monitoring changes performed on critical resources.

• Select Change Control to view or define a rule group for preventing unauthorized changes on critical resources.

You can use an existing rule group as a starting point or define a new rule group from scratch. To modify and edit an existing rule group, complete steps 3, 5, 6, and 7. To define a new rule group, complete steps 4, 5, 6, and 7.


3 Create a rule group based on an existing rule group.

a Click Duplicate for an existing rule group.

The Duplicate Rule Group dialog box appears.

b Specify the rule group name, then click OK.

The rule group is created and listed on the Rule Groups page.

4 Define a new rule group.

a Click Add Rule Group to open the Add Rule Group dialog box.

b Specify the rule group name.

c Select the rule group type and platform.

d Click OK.

The rule group is created and listed on the Rule Groups page.

5 Click Edit for the rule group.

6 Specify the required rules.

For information about how to define rules, see Defining monitoring rules and Defining protection rules.

7 Click Save Rule Group.

Delete or rename rule groups

Delete or rename a rule group, as needed.

Before you begin

You must be the global administrator or owner of the rule group to perform this task.

Task

For details about product features, usage, and best practices, click ? or Help.

1 On the McAfee ePO console, select Menu | Configuration | Solidcore Rules.

2 Complete one of these steps from the Rule Groups tab.

• To rename a rule group, click Rename, specify a new name, and click OK to close the Rename Rule Group dialog box.

• To delete a rule group, click Delete and click Yes to close the Delete Rule Group dialog box.

Import or export a rule group

To replicate rule group configuration from one McAfee ePO server to another, export the rule group configuration from the source McAfee ePO server to an XML file and import the XML file to the target McAfee ePO server.

If you are the owner of the rule group or the global administrator, you can import the rule group XML file to the target McAfee ePO server. However, if you are a non-global administrator, you can import rules only for the tabs where you have permissions. All other rules are not imported and details are available on the Server Task Log page. For information on permissions, see Permissions for rule configuration.


Also, when you import rule groups to a (target) McAfee ePO server, the user logged on to the McAfee ePO server becomes the owner of the imported rule group. When you export rule groups from a source McAfee ePO server, the owner information is not exported.

When importing or exporting rule groups containing Trusted Groups, make sure that the Active Directory server on the source and destination McAfee ePO servers are configured using the same domain name, server name, or IP address.

You can import or export rule groups using the McAfee ePO console or web service APIs.

Tasks

• Use the McAfee ePO console on page 25
Based on your setup, you can import or export rule groups using the McAfee ePO console.

• Use web service APIs on page 25
Based on your setup, you can import or export rule groups using web service APIs provided by Application Control and Change Control.

Use the McAfee ePO console

Based on your setup, you can import or export rule groups using the McAfee ePO console.

You can also export rule groups to an XML file, edit the XML file to make the required changes to rule groups, and import the file to the McAfee ePO server to use the changed rule groups.

Task

For details about product features, usage, and best practices, click ? or Help.

1 On the McAfee ePO console, select Menu | Configuration | Solidcore Rules.

2 Complete one of these steps from the Rule Groups tab.

• To import rule groups, click Import, browse to and select the rule groups file, and click OK. While importing, you can specify whether to override rule groups (if you are importing a rule group with the same name as an existing rule group).

• To export selected rule groups to an XML file, select the rule groups, click Export, and save the file.

Use web service APIs

Based on your setup, you can import or export rule groups using web service APIs provided by Application Control and Change Control.

Task

1 Open the command prompt, then navigate to this directory.

<ePO installation directory>\Remote-Client\

For example, C:\Program Files\McAfee\ePolicy Orchestrator\Remote-Client\

2 Run this command to connect to the McAfee ePO shell client.

shell-client.bat <eposerverip:epoport> <epouserid> <epopassword> https post

For example, shell-client.bat <xxx.xx.xx.xxx:xxxx> admin testP@ssword https post

3 Use these web service APIs, as needed.


Web service APIs

scor.rulegroup.find(ruleGroupOS, ruleGroupType, ruleGroupName)

Searches for the required rule group in the list of all Solidcore rule groups. This service takes these parameters.

• ruleGroupOS (Required) Operating system associated with the rule group. Possible values are WIN and UNIX.

• ruleGroupType (Required) Product associated with the rule group. Possible values are APPLICATION_CONTROL, CHANGE_CONTROL, and INTEGRITY_MONITOR.

• ruleGroupName (Optional) Name of the rule group.

scor.rulegroup.export(ruleGroupOS, ruleGroupType, ruleGroupName, exportFileName)

Exports the rule group information from the (source) McAfee ePO server. Optionally, you can export the rule group information to an XML file on the McAfee ePO server. This service takes these parameters.

• ruleGroupOS (Required) Operating system associated with the rule group. Possible values are WIN and UNIX.

• ruleGroupType (Required) Product associated with the rule group. Possible values are APPLICATION_CONTROL, CHANGE_CONTROL, and INTEGRITY_MONITOR.

• ruleGroupName (Optional) Name of the rule group. If you do not provide a rule group name, all editable rules are exported for the specified operating system and rule group type.

• exportFileName (Optional) Name of the XML file, such as c:\foo.xml or c:\foo\foo.xml, where you want to store the exported rule group information. The location of the XML file must be on the McAfee ePO server. Make sure that you provide the absolute path to the location and not the relative path as the value.

scor.rulegroup.import(file, override)

Imports the rule group information from an XML file to the (target) McAfee ePO server. This service takes these parameters.

• file (Required) Path to the XML file. Follow these considerations based on the location of the XML file.

  • If the XML file is located on the McAfee ePO server, specify the fully qualified name as the value for this parameter. For example, scor.rulegroup.import c:\abc.xml.

  • If the XML file is located on a local system, specify the value for this parameter as file:/// followed by the location on the local system. For example, scor.rulegroup.import file=file:///c:/abc.xml.

• override (Optional) Overwrites an existing matching rule group on the target McAfee ePO server. By default, the value for this parameter is set to false, so that the parameter does not overwrite an existing matching rule group on the target McAfee ePO server.


Verify the import for a rule group

You can verify whether the import operation for a rule group was successful.

You can view details about the import operations for a rule group to verify whether the operation is successful.

Task

For details about product features, usage, and best practices, click ? or Help.

1 On the McAfee ePO console, select Menu | Automation | Server Task Log.

2 Specify the task name Import Solidcore Rule Groups in the Quick find text box, then click Apply.

3 Verify that the status of this server task is Completed.

If the status of the task shows Failed, the import operation was not successful.

4 Click the server task to open the Server Task Log Details page.

Review the Log Messages tab for details about the rules.

View assignments for a rule group

Instead of navigating through all the created policies, you can directly view all policies in which a rule group is being used. This feature provides a convenient way to verify if each rule group is assigned to the relevant policies.

Task

For details about product features, usage, and best practices, click ? or Help.

1 On the McAfee ePO console, select Menu | Configuration | Solidcore Rules.

2 On the Rule Groups tab, click Assignments to view the policies to which the selected rule group is assigned.

Enable Change Control

Enable the Change Control software to monitor and control the changes on the endpoints according to the defined policies.

Task

For details about product features, usage, and best practices, click ? or Help.

1 On the McAfee ePO console, select Menu | Systems | System Tree.

2 Perform one of these actions.

• Group — Select a group in the System Tree and switch to the Assigned Client Tasks tab.

• Endpoint — Select the endpoint on the Systems page, then click Actions | Agent | Modify Tasks on a Single System.

3 Click Actions | New Client Task Assignment to open the Client Task Assignment Builder page.

4 Select Solidcore 8.0.0 | SC: Enable, then click Create New Task to open the Client Task Catalog page.

5 Specify the task name and add any descriptive information.

6 Select the platform and subplatform, then make sure that Change Control is selected.


7 Complete these steps to enable Change Control, depending on the platform the Solidcore clients are running.

Windows (all): No configuration is needed.

Windows NT and Windows 2000: Select Reboot endpoint to restart the endpoint. On the Windows platforms, a message is displayed at the endpoint 5 minutes before it is restarted. This allows the user to save work and data on the endpoint.

Linux:

• Using version 6.1.0 or later — Deselect Reboot endpoint.

• Using version 6.0.1 or earlier — Select Reboot endpoint to restart the endpoint. Restarting the system is needed to enable the software. The endpoint is restarted when the task is applied.

8 Click Save.

9 Click Next to open the Schedule page.

10 Specify scheduling details, then click Next.

11 Review and verify the task details, then click Save.

12 (Optional) Wake up the agent to send your client task to the endpoint immediately.


3 Monitoring the file system and registry

Change Control allows you to designate a set of files and registry entries to monitor for changes.

You can also choose to track attribute and content changes for monitored files. You must define rules to specify the files and registry keys to monitor, and specifically enable the user account tracking feature (which is disabled by default) to track user activity for relevant endpoints.

Contents

How monitoring rules work

Defining monitoring rules

Review predefined monitoring rules

Create monitoring policies

Manage content changes

How monitoring rules work

Using rules, you can monitor files, directories, registry keys, file types (based on file extension), programs, and users.

What can you monitor?

These operations are tracked for a monitored file, process, registry key, and user account.

File

• File creation

• File modification (file contents and attributes, such as permissions, owner, or group)

• File deletion

• File rename

• Alternate Data Stream creation

• Alternate Data Stream modification (contents and attributes, such as permissions or owner)

• Alternate Data Stream deletion

• Alternate Data Stream rename

Alternate Data Stream-related operations are applicable only on Windows.

Process

• Process start

• Process stop

Registry key (Windows only)

• Registry key creation

• Registry key modification

• Registry key deletion

User account (local and domain accounts; Windows only)

• User account creation

• User account modification

• User account deletion

• User logon (success and failure)

• User logoff

User account tracking is disabled by default. You must enable this feature to track operations for user accounts. To enable this feature, execute the SC: Run Commands client task to run the sadmin features enable mon-uat command on the endpoint.

Which attributes are monitored for files?

Windows

• Hidden

• Read-only

• Not Content Indexed

• System

• Offline

Linux

• Ownership

• Mode bits, such as read, write, execute permissions

• Following file system attributes:

• a: append only

• c: compressed

• d: no dump

• e: extent format

• i: immutable

• j: data journaling

• s: secure deletion

• t: no tail-merging

• u: undeletable

• A: no atime updates

• C: no copy on write

• D: synchronous directory updates

• S: synchronous updates

• T: top of directory hierarchy

Are any predefined rules available?

Yes, Change Control includes predefined monitoring rules. For detailed information, see Review predefined monitoring rules.

Order of precedence for monitoring rules

Use the table to understand the order of precedence applied (highest to lowest) when processing monitoring rules.


Table 3-1 Order of precedence for monitoring rules

1 Advanced exclusion filter (AEF) rules have the highest precedence. For more information about AEF rules, see What are advanced exclusion filters or rules (AEFs)?.

2 Exclude rules are given precedence over include rules. For example, if you erroneously define an include and exclude rule for the same file, the exclude rule applies.

3 Rules based on user name have precedence over all other rule types except AEF rules. The user name specified in the rule is compared with the user name referenced in the event.

4 Rules based on program name have precedence over rules based on file extension, file name, directory name, or registry key. The program name specified in the rule is compared with the program name referenced in the event.

5 Rules based on file extension have precedence over rules based on file or directory name (or path). The file extension specified in the rule is compared with the file extension referenced in the event. For example, if C:\Program Files\Oracle is excluded from monitoring (by a file-based rule) and the .ora extension is included for monitoring, events are generated for files with the .ora extension, such as listener.ora and tnsnames.ora.

6 Rules based on file names or paths have precedence over rules based on directory name. In effect, longer paths take precedence for name-based rules. The specified path is compared with the path referenced in the event. Paths (for files or directories) are compared from the beginning. Consider these examples.

• Windows platform: If the C:\temp directory is excluded, and the C:\temp\foo.cfg file is included, the changes to the foo.cfg file are tracked. Similarly, if you exclude the HKEY_LOCAL_MACHINE key and include the HKEY_LOCAL_MACHINE\System key, the changes to the HKEY_LOCAL_MACHINE\System key are tracked.

• Linux platform: If the /usr/dir1/dir2 directory is included and the /usr/dir1 directory is excluded, all operations for the files in the /usr/dir1/dir2 directory are monitored because the /usr/dir1/dir2 path is longer and hence takes precedence.

In the order of precedence mentioned earlier, all rules (except #5) apply to registry key rules also.

What are advanced exclusion filters or rules (AEFs)?

You can define advanced filters to exclude changes by using a combination of conditions. For example, you might want to monitor changes made to the tomcat.log file by all programs except the tomcat.exe program. To achieve this, define an advanced filter to exclude all changes made to the log file by its owner program. This makes sure that you only receive events when the log file is changed by other (non-owner) programs. In this case, the defined filter is similar to:

Exclude all events where filename is <log-file> and program name is <owner-program>

Use AEFs to prune routine system-generated change events that are not relevant for your monitoring or auditing needs. Several applications, particularly the web browser, maintain the application state in registry keys and routinely update several registry keys. For example, the ESENT setting is routinely changed by the Windows Explorer application and it generates the Registry Key Modified event. These state changes are routine and do not need to be monitored and reported. Defining AEFs allows you to eliminate any events that are not required for fulfilling compliance requirements and makes sure that the event list includes only meaningful notifications.
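As an added illustration (not code from this guide or from McAfee), the following Python resolver applies the Table 3-1 precedence and the AEF filter described above to a single change event, using the guide's own examples (C:\temp and C:\temp\foo.cfg, the .ora extension, /usr/dir1/dir2, the tomcat.log filter, the lsass.exe exclusion) as constructed rules. The Rule and Event structures, the user-name matching, and the assumption that nothing is reported unless an include rule reaches the event are this example's own.

```python
"""Resolver that applies the Table 3-1 precedence to a change event.

Added illustration, not McAfee code. Assumptions: an event is reported only
when some include rule matches it; rule kinds are evaluated in the documented
order (AEF, user, program, extension, path); on a tie an exclude rule beats an
include rule; Windows names compare case-insensitively, Linux names exactly.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Rule:
    kind: str                      # "aef", "user", "program", "extension" or "path"
    value: str                     # file name (aef), user, program, extension or path
    include: bool = False          # True = include for monitoring, False = exclude
    program: Optional[str] = None  # aef only: owner program whose changes are dropped


@dataclass
class Event:
    path: str     # file or registry path referenced in the event
    program: str  # full path of the program that made the change
    user: str     # account that made the change, e.g. "MY-DOMAIN\\alice"


def _sep(path: str) -> str:
    # Linux paths start with "/"; Windows file and registry paths use "\\".
    return "/" if path.startswith("/") else "\\"


def _fold(text: str, sep: str) -> str:
    return text if sep == "/" else text.lower()


def _path_matches(rule_path: str, event_path: str) -> bool:
    # Paths are compared from the beginning, whole components only.
    sep = _sep(event_path)
    r, e = _fold(rule_path.rstrip(sep), sep), _fold(event_path, sep)
    return e == r or e.startswith(r + sep)


def _program_matches(rule_prog: str, event_prog: str) -> bool:
    # A partial name such as "lsass.exe" or "Reader\\AcroRd32.exe" matches the
    # tail of the program path; a fully qualified path must match exactly.
    sep = _sep(event_prog)
    r, e = _fold(rule_prog, sep), _fold(event_prog, sep)
    return e == r or e.endswith(sep + r)


def _user_matches(rule_user: str, event_user: str) -> bool:
    r, e = rule_user.lower(), event_user.lower()
    domain, _, name = e.rpartition("\\")
    if r in (e, name):  # exact match, or a user name without domain (all domains)
        return True
    return bool(domain) and r in (domain + "\\*", "*@" + domain)


def _extension(path: str) -> str:
    name = path.rsplit(_sep(path), 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def is_monitored(event: Event, rules: List[Rule]) -> Tuple[bool, str]:
    """Return (monitored, kind of the rule that decided it)."""
    sep = _sep(event.path)
    file_name = event.path.rsplit(sep, 1)[-1]
    # 1. AEF: drop the event when file name AND owner program both match.
    for r in rules:
        if (r.kind == "aef" and _fold(r.value, sep) == _fold(file_name, sep)
                and r.program and _program_matches(r.program, event.program)):
            return False, "aef"
    # 2. User rules are exclude-only and beat everything except AEFs.
    if any(r.kind == "user" and _user_matches(r.value, event.user) for r in rules):
        return False, "user"
    # 3. Program rules, then 4. extension rules; an exclude beats an include.
    checks = (("program", lambda r: _program_matches(r.value, event.program)),
              ("extension", lambda r: r.value.lstrip(".").lower() == _extension(event.path)))
    for kind, matches in checks:
        hits = [r for r in rules if r.kind == kind and matches(r)]
        if hits:
            return all(r.include for r in hits), kind
    # 5. Path rules: the longest matching path wins; an exclude wins on a tie.
    hits = [r for r in rules if r.kind == "path" and _path_matches(r.value, event.path)]
    if hits:
        longest = max(len(r.value.rstrip(sep)) for r in hits)
        best = [r for r in hits if len(r.value.rstrip(sep)) == longest]
        return all(r.include for r in best), "path"
    return False, "none"  # no include rule reached the event, so nothing is reported


# Constructed rule sets built from the guide's own examples.
WIN_RULES = [
    Rule("path", "C:\\temp"),
    Rule("path", "C:\\temp\\foo.cfg", include=True),
    Rule("path", "C:\\Program Files\\Oracle"),
    Rule("extension", "ora", include=True),
    Rule("path", "C:\\tomcat\\logs", include=True),
    Rule("aef", "tomcat.log", program="tomcat.exe"),
    Rule("program", "lsass.exe"),
    Rule("user", "MY-DOMAIN\\backup-svc"),
]
LINUX_RULES = [Rule("path", "/usr/dir1"), Rule("path", "/usr/dir1/dir2", include=True)]

if __name__ == "__main__":
    e = Event("C:\\temp\\foo.cfg", "C:\\Windows\\notepad.exe", "MY-DOMAIN\\alice")
    print(is_monitored(e, WIN_RULES))  # (True, 'path'): the longer include path wins
```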

Defining monitoring rules

Regardless of whether you create a new monitoring policy or define a monitoring rule group, the framework available to define monitoring rules is the same.

System variables

The path specified in a monitoring rule can include system environment variables (only on the Windows platform). This table lists the supported system variables.

Variable | Example value (for most Windows platforms)

%ALLUSERSPROFILE% | C:\ProgramData; C:\Documents and Settings\All Users (for earlier Windows versions)

%APPDATA% | C:\Users\(username)\AppData\Roaming; C:\Documents and Settings\{username}\Application (for earlier Windows versions)

%COMMONPROGRAMFILES% | C:\Program Files\Common Files

%COMMONPROGRAMFILES(x86)% | C:\Program Files (x86)\Common Files

%HOMEDRIVE% | C:

%HOMEPATH% | C:\Users\(username); C:\Documents and Settings\{username} or \ (for earlier Windows versions)

%PROGRAMFILES% | C:\Program Files

%PROGRAMFILES(x86)% | C:\Program Files (x86) (only for 64-bit versions)

%SYSTEMDRIVE% | C:

%SYSTEMROOT% | C:\Windows (C:\WINNT on earlier Windows versions)

%TEMP% (system), %tmp% (user) | C:\Users\(username)\AppData\Local\Temp; C:\Documents and Settings\{username}\Local Settings\Temp or C:\Temp (for earlier Windows versions)

%USERPROFILE% | C:\Users\(username); C:\Documents and Settings\{username} or C:\WINNT\profiles\{username} (for earlier Windows versions)

%WINDIR% | C:\Windows


Path considerations

These considerations apply to path-based rules.

• Paths must be absolute when specifying rules to monitor files and directories.

• Paths are not required to be absolute when specifying rules to monitor program activity. For example, you can specify a partial path, such as AcroRd32.exe or Reader\AcroRd32.exe, or a fully qualified path, such as C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32.exe. If you specify the partial path, all programs with names that match the specified string are monitored. If you specify the fully qualified path, activity is monitored for only the specified program.

• Paths can contain white spaces.

• Paths can include the wildcard character (*). However, it can only represent one complete path component. Here are a few examples.

Windows platform: Using \abc\*\def is allowed while \abc\*.doc, \abc\*.*, or \abc\doc.* is not supported.

Linux platform: Using /abc/*/def is allowed while /abc/*.sh, /abc/*.*, or /abc/doc.* is not supported.

You cannot use the wildcard character while defining a rule to track content and attribute changes for a file.

• Paths used in registry key-based rules can include the wildcard character (*). However, the wildcard character can only represent one path component in the registry path. Make sure that you do not use the character for the component at the end of the complete registry path (if used at the end, the rule is not effective).

Also, at any time, the CurrentControlSet in the Windows Registry is linked to the relevant HKEY_LOCAL_MACHINE\SYSTEM\ControlSetXXX key. For example, HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet can be linked to the HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001 key. When a change is made to either link, it is automatically updated on both the links. For a monitored key, events are always reported with the path of CurrentControlSet and not ControlSetXXX.

Monitoring rules

Use this table to define monitoring rules. You can perform these actions when creating or modifying a monitoring (Integrity Monitor) policy or rule group.

Monitor files and directories

1 Click Add on the File tab. The Add File dialog box appears.

2 Specify the file or directory name.

3 Indicate whether to include for or exclude from monitoring.

4 (Optional) To track content and attribute changes for a file, select Enable Content Change Tracking and specify the other options. For more information, see Track content changes.

5 Click OK.

Monitor registry keys (Windows platform only)

1 Click Add on the Registry tab. The Add Registry dialog box appears.

2 Specify the registry key.

3 Indicate whether to include for or exclude from monitoring and click OK.

Monitor specific file types

1 Click Add on the Extension tab. The Add Extension dialog box appears.

2 Type the file extension. Do not include the period (dot) in the extension. For example, log.

3 Indicate whether to include for or exclude from monitoring and click OK.

Monitor program activity (in effect, choose to track or not track all file or registry changes made by a program)

1 Click Add on the Program tab. The Add Program dialog box appears.

2 Enter the name or full path of the program.

3 Indicate whether to include for or exclude from monitoring and click OK. We recommend that you exclude background processes, such as the lsass.exe process.

Specify the users to exclude from monitoring (in effect, all changes made by the specified user are not tracked)

1 Click Add on the User tab. The Add User dialog box appears.

2 Specify the user name using these considerations:

• Spaces in user names should be specified within quotes.

• Domain name can be a part of the user name on the Windows platform. If the domain name is not specified, the user name is excluded from monitoring for all domains.

• Exclude all users in a particular domain (on the Windows platform) by using MY-DOMAIN\* or *@MY-DOMAIN.

3 Click OK.

Specify advanced exclusion filters for events

1 Click Add Rule on the Filters tab. A new filter row appears. You can create filters based on files, events, programs, registry keys, and users.

2 Edit the settings to specify the filter.

3 Click + or Add Rule to specify additional AND or OR conditions, respectively.

You can also define AEFs from the Solidcore Events page. For more information, see Exclude events.

Review predefined monitoring rules

Change Control provides multiple predefined filters suitable for monitoring relevant files on various operating systems. By default, these filters are applied to the global root in the System Tree and hence are inherited by all McAfee ePO-managed endpoints where Change Control is installed. When an endpoint connects to the McAfee ePO server, the Minimal System Monitoring policy applicable to the endpoint's operating system comes into play.

You can review the predefined filters included in the Minimal System Monitoring policy (applicable to your operating system).


Task

For details about product features, usage, and best practices, click ? or Help.

1 On the McAfee ePO console, select Menu | Policy | Policy Catalog.

2 Select the Solidcore 8.0.0: Integrity Monitor product.

Policies for all categories are listed. A Minimal System Monitoring policy exists for each supported operating system.

3 Open the relevant Minimal System Monitoring policy.

By default, the My Rules rule group is open (which is blank).

4 Select a rule group in the Rule Groups pane to review the filters included in the rule group.

To override any rules included in the Minimal System Monitoring policy, you can duplicate the relevant rule group (in which the required rules are present), edit the rule group to add the new rules, and add the rule group to a policy. For most other purposes, make sure that the Minimal System Monitoring policy is applied on the endpoints and extra rules are applied by using a separate policy.

5 Click Cancel.

Create monitoring policies

Using a monitoring policy, you can choose to monitor changes or exclude from monitoring various units of a file system and registry. You can control monitoring of files, directories, registry keys, file types (based on file extension), programs, and users. These are multi-slot policies; you can assign multiple policies to one node in the System Tree.

To create a monitoring policy, you can define rules in a rule group (to allow reuse of rules) and add the rule group to a policy. You can also define the rules directly in a policy.

Task

For details about product features, usage, and best practices, click ? or Help.

1 On the McAfee ePO console, select Menu | Policy | Policy Catalog.

2 Select the Solidcore 8.0.0: Integrity Monitor product.

3 Click New Policy to open the Create a new policy dialog box.

4 Select the category.

5 Select Blank Template from Create a policy based on this existing policy list to define a policy from scratch.

6 Specify the policy name, then click OK.

7 Click the policy name to open the Policy Settings page.

You can now define the rules to include in the policy. You can either add existing rule groups to the policy or directly add the new rules to the policy.

• To use a rule group, complete steps 8 and 10. For more information, see Create rule groups.

• To directly add the rules to the policy, complete steps 9 and 10.


8 Add a rule group to the policy.

a Click Add in the Rule Groups pane to open the Select Rule Groups dialog box.

b Select the rule group to add.

c Click OK.

d Select the rule group in the Rule Groups pane.

The rules included in the rule group are displayed in the various tabs.

e Review the rules.

9 Add the monitoring rules to the policy.

For information about how to define rules, see Defining monitoring rules.

10 Save the policy.

Manage content changes

Using Change Control, you can track content and attribute changes for a single monitored file or for all files in a directory and its subdirectories.

• If you enable content change tracking for a specific file: any attribute or content change to the file creates a new file version at the McAfee ePO server.

• If you enable content change tracking for a directory: any attribute or content change to the files present in the directory creates new versions of the files at the McAfee ePO server.

You can view and compare the different versions that are created for a file. Also, you can compare any two files or file versions that exist on the same or different endpoints. To send an email whenever a critical file is modified (the email highlights the exact changes made to the file), configure an automatic response. Alternatively, you can schedule generation of a report to get an overview of the changes made to the tracked files in your setup.

Tasks

• Content change tracking settings on page 37
You can configure these settings for tracking content changes.

• Configure settings for tracking content changes on page 37
Specify the maximum file size for tracking content changes, file extensions for which to track only attributes, and maximum number of files to fetch per rule.

• Track content changes on page 38
When you create or modify a monitoring (Integrity Monitor) policy or rule group, you can specify the files for which to track content changes.

• Manage file versions on page 39
Review all versions available for a file, compare file versions, reset the base version, and delete versions.

• Compare files on page 40
Compare two files or two versions of a single file. You can compare files or versions on the same endpoint or on different endpoints.

• Receive change details on page 41
You can receive notifications and reports based on the changes made to the files in your setup.


Content change tracking settings

You can configure these settings for tracking content changes.

Maximum file size

By default, you can track changes for any file with a size of 1000 KB or lower. If needed, you can configure the maximum file size for tracking content changes.

Changing the maximum file size affects the McAfee ePO database sizing requirements and might have an impact on performance.

File extensions for which to track only attribute changes

For executable files, the content change tracking feature tracks only attributes (content changes are not tracked). This is because maintaining the content difference for files with non-displayable contents unnecessarily uses database space and McAfee ePO resources. By default, only attribute changes are tracked for these extensions: zip, tar, bmp, gz, 7z, bz, pdf, tgz, rar, bz2, tiff, jpg, sys, exe, png, gif, jar, dll.

You can edit the list to specify file extensions specific to your setup for which to track only attribute changes.

Maximum number of files to retrieve per rule

When you apply the content change tracking rule on a directory, base versions of all files in the directory that match the specified include or exclude patterns, if any, are collected and sent to the McAfee ePO server. These base versions are used to track content changes and allow comparison with future versions of the files. If the number of qualifying files for one rule is too high, operational performance of the endpoint and occasionally of the McAfee ePO server can deteriorate. To prevent such disruptions, you can specify a value to control the maximum files to retrieve per rule. This limit applies to the number of qualifying files in the directory (that match the include and exclude patterns and recursive and non-recursive options) and not to the total number of files in the directory. If the number of qualifying files for a specified rule exceeds the set threshold value, the base versions of the files are not retrieved to the McAfee ePO server. But all subsequent changes to the files are reported and base versions of new files are sent to the McAfee ePO server.

By default, the limit is set to 100 files per rule. You can configure this setting, as needed, for your setup.

Configure settings for tracking content changes

Specify the maximum file size for tracking content changes, file extensions for which to track only attributes, and maximum number of files to fetch per rule.

Task

For details about product features, usage, and best practices, click ? or Help.

1 On the McAfee ePO console, select Menu | Policy | Policy Catalog.

2 Select the Solidcore 8.0.0: General product.

The McAfee Default policy includes customizable configuration settings.

3 In the Configuration (Client) category, click Duplicate for the McAfee Default policy.


4 Specify the policy name, then click OK.

The policy is created and listed on the Policy Catalog page.

5 Click the new policy.

6 Switch to the Miscellaneous tab.

7 Specify values for the settings.

8 Save the policy and apply it to the relevant endpoints.

Track content changes

When you create or modify a monitoring (Integrity Monitor) policy or rule group, you can specify the files for which to track content changes.

Task

For details about product features, usage, and best practices, click ? or Help.

1 Navigate to the File tab.

2 Perform one of these steps.

• Click Add to monitor and track changes for a new file.

• Select an existing rule and click Edit.

3 Review or add the file information.

You cannot track changes for network files (files placed on network paths).

4 Select Enable Content Change Tracking.

5 Select the file encoding.

You can choose Auto Detect, ASCII, UTF-8, and UTF-16. Auto Detect works for most files. If you are aware of the file encoding, select ASCII, UTF-8, or UTF-16 (as appropriate). If needed, you can add new file encoding values. Contact McAfee Support for assistance in adding a file encoding value.


6 Track content changes for files within a directory.

a Select Is Directory.

b Select Recurse Directory to track changes for files in all subdirectories of the specified directory.

c (Optional) Specify patterns to match file names in the Include Patterns or Exclude Patterns. While specifying multiple patterns, make sure that each pattern is on a separate line.

If you do not specify a pattern, all files are included for change tracking. You can add an asterisk (*) at the beginning or end of a pattern. If you specify *.txt as an include pattern, only txt files in the directory are monitored. If you specify *.ini as an exclude pattern, all ini files in the directory are not monitored. Also, while specifying multiple patterns, make sure that each pattern is on a separate line. For example:

*.log

Test.txt

Test*

If you erroneously add *.log and Test.txt in one line, the software considers it as a single pattern and matches accordingly.

Exclude patterns take precedence over include patterns. For example, if you erroneously define an include and exclude pattern for the same file, the exclude pattern applies.

7 Click OK.
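As an added illustration (not code from this guide or from McAfee), this Python module applies include and exclude patterns the way step 6 describes (one pattern per line, the asterisk only at an end of a pattern, an exclude pattern beating an include pattern) to a constructed directory listing, and then applies the per-rule retrieval limit from the Content change tracking settings table. The function names, the use of "/" relative paths for the listing, the case-insensitive matching, and the acceptance of an asterisk at both ends of one pattern are assumptions of the example.

```python
"""File selection for a content-change-tracking rule applied to a directory.

Added illustration, not McAfee code. Assumptions: patterns are one per line,
"*" is allowed only at the start or end of a pattern (one at each end is also
accepted here), exclude patterns beat include patterns, no include pattern
means every file qualifies, and when the qualifying files exceed the per-rule
limit (100 by default) no base versions are retrieved at all, although later
changes are still reported. Listing entries are constructed "/" relative paths.
"""
from typing import List, Tuple


def parse_patterns(text: str) -> List[str]:
    # One pattern per line; "*.log Test.txt" on one line is a single pattern.
    return [line.strip() for line in text.splitlines() if line.strip()]


def pattern_matches(pattern: str, name: str) -> bool:
    """Match a file name against a pattern whose "*" sits only at an end."""
    p, n = pattern.lower(), name.lower()  # Windows-style, case-insensitive
    core = p.strip("*")
    if "*" in core:
        raise ValueError("wildcard allowed only at the beginning or end: " + pattern)
    leading, trailing = p.startswith("*"), p.endswith("*")
    if leading and trailing:
        return core in n
    if leading:
        return n.endswith(core)
    if trailing:
        return n.startswith(core)
    return n == core


def qualifying_files(listing: List[str], include_text: str, exclude_text: str,
                     recurse: bool) -> List[str]:
    """Files under the rule directory that the include/exclude patterns select."""
    includes, excludes = parse_patterns(include_text), parse_patterns(exclude_text)
    selected = []
    for rel in listing:
        if not recurse and "/" in rel:
            continue  # files in subdirectories need Recurse Directory
        name = rel.rsplit("/", 1)[-1]
        if any(pattern_matches(x, name) for x in excludes):
            continue  # exclude patterns take precedence
        if includes and not any(pattern_matches(i, name) for i in includes):
            continue  # with include patterns present, only matching files qualify
        selected.append(rel)
    return selected


def base_versions_to_retrieve(listing: List[str], include_text: str, exclude_text: str,
                              recurse: bool, max_per_rule: int = 100) -> Tuple[List[str], bool]:
    """Return (files whose base versions are sent to McAfee ePO, limit_exceeded)."""
    files = qualifying_files(listing, include_text, exclude_text, recurse)
    if len(files) > max_per_rule:
        return [], True  # nothing is baselined; subsequent changes are still reported
    return files, False


# Constructed directory listing and patterns for the examples.
LISTING = ["app.log", "error.log", "Test.txt", "Test1.ini", "notes.ini",
           "readme.md", "sub/debug.log", "sub/Test2.txt"]
INCLUDE = "*.log\nTest.txt\nTest*"
EXCLUDE = "*.ini"

if __name__ == "__main__":
    print(qualifying_files(LISTING, INCLUDE, EXCLUDE, recurse=True))
    print(base_versions_to_retrieve(LISTING, INCLUDE, EXCLUDE, True, max_per_rule=3))
```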

Manage file versions

Review all versions available for a file, compare file versions, reset the base version, and delete versions.

The base version identifies the starting point or initial document to use for comparison or control. Typically, the oldest version of a file is set as the base version. In effect, when you start tracking changes for a file, the initial file content and attributes are stored on the McAfee ePO database and set as the base version.

Task

For details about product features, usage, and best practices, click ? or Help.

1 On the McAfee ePO console, select Menu | Reporting | Content Change Tracking.

All files for which content change tracking is enabled are listed.

2 Identify the file for which you want to review versions.

• In the Quick find text box, specify the endpoint or file name, then click Apply. The list is updated based on the specified search string.

• Sort the list based on the system name, file path, or status.

3 Perform file operations.

Review the file status.

The File Status column denotes the status of content change tracking.

Review versions.

Click View versions. The File Versions page displays all versions for the file. From this page you can compare file versions, specify the base version, and delete file versions from the McAfee ePO database.

Compare the file versions.

1 Specify what to compare.

• Click Compare with previous for a version to compare that version with the previous version of the file available on the McAfee ePO console.

• Click Compare with base for a version to compare that version with the base version.

• Select any two versions (by clicking the associated checkboxes), then select Actions | Compare Files to compare the selected versions.

The versions are compared and differences between the file content and file attributes are displayed.

2 Click Close.

Reset the base version.

1 Select a file version to set as the base version by clicking the associated checkbox.

2 Select Actions | Set as base version to open the Set as base version dialog box.

3 Click OK. This resets the base version and deletes all previous versions (older than the new base version) of the file.

The software can track up to 200 versions for a file. If the number of versions exceeds 200, the application deletes the oldest versions to bring the version count to 200. Then, it automatically sets the oldest version as the base version. If needed, you can configure the number of versions to maintain for a file. Contact McAfee Support for assistance in configuring the number of versions to maintain for a file.

Delete file versions.

Deleting file versions removes the selected file versions from the McAfee ePO database. It does not change or remove the actual file present on the endpoint.

1 Select one or more file versions by clicking the associated checkboxes.

2 Select Actions | Delete, then click OK.

4 Click Close.

Compare files

Compare two files or two versions of a single file. You can compare files or versions on the same endpoint or on different endpoints.

Task

For details about product features, usage, and best practices, click ? or Help.

1 On the McAfee ePO console, select Menu | Reporting | Content Change Tracking.

2 Click Advanced File Comparison.

3 Specify information for the first file.

a Select the group from the list.

b Enter the host name.

c Enter the name and path of the file.

d Select the version to compare.


4 Specify information for the second file.

5 Click Show Comparison.

The attributes and content of the files are compared and differences are displayed.

6 Review the results.

7 Click Close.

Receive change details

You can receive notifications and reports based on the changes made to the files in your setup.

Tasks

• Monitor all changes for a file on page 41: To closely observe changes to a critical file, you can choose to receive an email detailing the change each time the file is changed.

• Generate consolidated report on page 42: To get an overview of the changes made to the tracked files in your setup, schedule generation of a consolidated report based on the required criteria.

Monitor all changes for a file

To closely observe changes to a critical file, you can choose to receive an email detailing the change each time the file is changed.

Task

For details about product features, usage, and best practices, click ? or Help.

1 On the McAfee ePO console, select Menu | Automation | Automatic Responses.

2 Click Actions | New Response to open the Response Builder page.

a Enter the response name and add any description information.

b Select the Event group and Event type.

c Select Enabled.

d Click Next to open the Filter page.

3 Select System from the Value list.

4 Select the file name, system name, or both from the Available Properties.

• To receive an email each time a specific tracked file changes (across all managed endpoints), specify only the file name.

• To receive an email each time any tracked file changes on an endpoint, specify only the system name.

• To receive an email each time a specific file on an endpoint is changed, specify both the file and system name.

5 Click Next to open the Aggregation page.

6 Specify aggregation details, then click Next to open the Actions page.

7 Select Send File Content Change Email, specify the email details, then click Next to open the Summary page.

8 Review the details, then click Save.


Generate consolidated report

To get an overview of the changes made to the tracked files in your setup, schedule generation of a consolidated report based on the required criteria.

Task

For details about product features, usage, and best practices, click ? or Help.

1 On the McAfee ePO console, select Menu | Reporting | Queries and Reports, then select Change Control under McAfee Groups.

2 Perform one of these actions.

Generate a report for all tracked files in your setup: Use the Content Change Tracking Report Generation - With Group My Organization query.

Because this query pulls information for all tracked files in your setup, it can affect performance. We recommend that you duplicate this query to create a query and specify criteria relevant to your setup.

Generate a report based on specific criteria:

1 Click Duplicate for the Content Change Tracking Report Generation - With Group My Organization query to open the Duplicate dialog box.

2 Specify the query name and group, then click OK.

3 Navigate to the created query and click Edit to open the Query Builder wizard.

4 Switch to the Filter tab.

5 Add the required filters.

• Use the Generated Time property to fetch information about content changes made in a specific interval.

• Use the File Path property to fetch information for one or more specific files.

• Use the System Name, Group, and Tags properties to specify the endpoints for which to retrieve information.

6 Click Save to open the Save Query page.

7 Click Save.

3 On the McAfee ePO console, select Menu | Automation | Server Tasks, then click Actions | New Task.

4 In the Server Task Builder wizard, type the task name, then click Next to open the Actions page.

5 From the Actions list, select Solidcore: Content Change Tracking Report Generation.

6 Configure the settings for the task.

a Specify the rule group (Integrity Monitor).

b Specify the query (from step 2).

c Specify the number of revisions to fetch for each file.

For example, consider that a file has changed 50 times in the last seven days based on the specified interval in the query. To fetch information for the last 15 versions of the file, set the value for Get Last N revisions to 15. The default value for the number of revisions is 10, the maximum allowed value is 100, and the minimum is 1.

d Specify the email addresses (separated by a comma) to send the generated report.

Make sure that an email server is configured in the McAfee ePO server.


e Specify the email subject.

f Specify the report name.

By default, the report name is appended with the date and time when the report is created.

By default, the report generated by the server task (HTML file) is sent as an email attachment to all recipients. A file of up to 20 MB can be sent through email. If the file size exceeds 20 MB, the recipients are notified through a failure email message. Because the generated report can be large, you can save the report to a remote location and send a link to all recipients in an email.

7 (Optional) Place the generated report on a shared folder and send the link to the report in an email to all intended recipients.

a Select Use this option to copy report on a network share and send network share information on email.

b Specify a path where to save the generated report.

c Specify the network credentials to access the specified path. Use a dedicated account whose write access is limited to that share; the task retains these credentials and reuses them on every scheduled run.

d Click Test Connection to make sure that the specified credentials work.

8 Click Next to specify the schedule for the task, then click Next to open the Summary page.

9 Review the task summary, then click Save.

10 From the Server Tasks page, select Run for this server task.


4 Protecting the file system and registry

Using Change Control, you can prevent changes to the file system and registry.

Contents
How protection rules work
Defining protection rules
Create a protection policy
Enable read protection

How protection rules work

To prevent unauthorized access and changes, you define read-protection and write-protection rules.

Read-protection rules: Prevent users from reading the content of specified files, directories, and volumes.

When a directory is read protected, all files in the directory are read protected. Any unauthorized attempt to read data from protected files is prevented and an event is generated. Writing to read-protected files is allowed, so read protection alone does not keep a file intact; to both hide a file and preserve it, define a write-protection rule for it as well.

You cannot define read-protection rules for registry keys.

Write-protection rules: Prevent users from creating new files (including directories and registry keys) and modifying existing files, directories, and registry keys.

• Define write-protection rules for files and directories to protect them from unauthorized modifications. Only protect critical files. When a directory is included for write protection, all files in that directory and its subdirectories are write-protected.

• Define write-protection rules for critical registry keys to protect them against change.

Can I override defined rules?

While you can define rules to protect, you can also define additional rules to selectively override the read or write protection that is in effect.

• Specify programs that are permitted to selectively override the read or write protection.

• Specify users (on the Windows platform only) who are permitted to selectively override the read or write protection.


Order of precedence for protection rules

These considerations are used when protection rules are applied at the endpoint.

• Exclude rules are given precedence over include rules.

For example, if you erroneously define an include and an exclude rule for the same file, the exclude rule applies.

• Longer paths are given precedence.

For example, if C:\temp is included for write protection, and C:\temp\foo.cfg is excluded, changes to foo.cfg are permitted. Similarly, if you exclude the HKEY_LOCAL_MACHINE key and include the HKEY_LOCAL_MACHINE\System key for write protection, changes to the HKEY_LOCAL_MACHINE\System key are prevented.
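The two precedence rules above are easy to misjudge once include and exclude rules nest, so it helps to see them applied mechanically. The Python model below is added here as an illustration and is not McAfee's own code or logic: it takes a set of include/exclude rules and reports whether a given file path or registry key is protected, using the longest matching path as the winner and, at equal length, letting an exclude beat an include (which is how this model reads the guide's statement that exclude rules take precedence). Wildcards are not modelled, Windows paths and registry keys are compared case-insensitively and Linux paths case-sensitively; all of that is an assumption of the example, and the rule sets are constructed from the guide's two examples.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One protection rule: a path (file, directory or registry key) that is
    either included for protection or excluded from it."""
    path: str
    include: bool


def _components(path):
    """Split a path or key into components.

    Linux paths (leading '/') keep their case; Windows paths and registry
    keys are folded to lower case because both are case-insensitive.
    """
    if path.startswith("/"):
        return [c for c in path.split("/") if c]
    return [c.lower() for c in path.replace("/", "\\").split("\\") if c]


def _covers(rule_path, target):
    """True if target is rule_path itself or lies somewhere beneath it."""
    r, t = _components(rule_path), _components(target)
    return len(t) >= len(r) and t[: len(r)] == r


def is_protected(rules, target):
    """Decide whether target is protected under the stated precedence.

    Among the rules that cover target, the one with the longest path wins.
    If an include and an exclude have the same length (the 'same file'
    case in the guide), the exclude wins. No covering rule means the
    target is not protected by this rule set.
    """
    matches = [r for r in rules if _covers(r.path, target)]
    if not matches:
        return False
    winner = max(matches, key=lambda r: (len(_components(r.path)), not r.include))
    return winner.include


# Constructed rule sets taken from the two examples in the guide.
FILE_RULES = [
    Rule(r"C:\temp", include=True),           # write-protect the directory
    Rule(r"C:\temp\foo.cfg", include=False),  # but allow changes to foo.cfg
]
REGISTRY_RULES = [
    Rule(r"HKEY_LOCAL_MACHINE", include=False),
    Rule(r"HKEY_LOCAL_MACHINE\System", include=True),
]


def explain(rules, target):
    """Human-readable verdict, handy when checking a policy before assigning it."""
    return f"{target}: {'PROTECTED' if is_protected(rules, target) else 'not protected'}"


if __name__ == "__main__":
    for t in (r"C:\temp\foo.cfg", r"C:\temp\other.cfg", r"C:\Temp\sub\file.txt"):
        print(explain(FILE_RULES, t))
    for t in (r"HKEY_LOCAL_MACHINE\System\CurrentControlSet", r"HKEY_LOCAL_MACHINE\Software"):
        print(explain(REGISTRY_RULES, t))
```

Run it against a draft rule set before the policy is assigned: any path you expect to be locked that comes back as "not protected" is a sign that an exclude rule sits deeper in the tree than the include that was meant to cover it.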

Defining protection rules

Regardless of whether you use a rule group or policy, the framework available to define protection rules is the same.

System variables

The path specified in a protection rule can include system environment variables (only on the Windows platform). This table lists the supported system variables.

Variable: Example value (for most Windows platforms)

%ALLUSERSPROFILE%: C:\Documents and Settings\All Users
%APPDATA%: C:\Documents and Settings\{username}\Application
%COMMONPROGRAMFILES%: C:\Program Files\Common Files
%COMMONPROGRAMFILES (x86)%: C:\Program Files (x86)\Common Files
%HOMEDRIVE%: C:
%HOMEPATH%: C:\Documents and Settings\{username} (\ on earlier Windows versions)
%PROGRAMFILES%: C:\Program Files
%PROGRAMFILES (x86)%: C:\Program Files (x86) (only on 64-bit versions)
%SYSTEMDRIVE%: C:
%SYSTEMROOT%: C:\windows (C:\WINNT on earlier Windows versions)
%TEMP% (system), %tmp% (user): C:\Documents and Settings\{username}\Local Settings\Temp, C:\Temp
%USERPROFILE%: C:\Documents and Settings\{username} (C:\WINNT\profiles\{username} for earlier versions)
%WINDIR%: C:\Windows


Path considerations

These considerations apply to path-based rules.

• Paths must be absolute when specifying rules to read-protect or write-protect files and directories.

• Paths need not be absolute when specifying rules to add a trusted program or updater. For example, you can specify a partial path, such as AcroRd32.exe or Reader\AcroRd32.exe, or a fully qualified path, such as C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32.exe. If you specify a partial path, all programs with names that match the specified string are added as trusted programs. If you specify the fully qualified path, only the specified program is added as a trusted program. Because any executable can carry a matching name, a partial path widens the set of programs that can override protection; use the fully qualified path, or add the program by its SHA-1 or SHA-256 hash, unless the broader match is intended.

• Paths can contain white spaces.

• Paths can include wildcard characters to specify file paths and file names. When using wildcards, make sure that the specified string matches a limited set of file paths or file names. If the specified string matches a large number of files, we recommend that you revise the string.

Windows platform: Paths can include the * and ? wildcard characters. When specifying a file path, C:\Test1\*\*\Test.txt, C:\Test\????*?, and C:\?Test*\Test1\Test.txt are allowed, while *:\Test1\*\*\Test.txt, *\Test1\Test2\Test.txt, and *:\Test1\Test2\Test.txt are not.

Linux platform: Paths can include the * wildcard character. Using /abc/*/def is allowed, while /abc/*.sh, /abc/*.*, or /abc/doc.* is not supported.

• Paths used in registry key-based rules can include the wildcard character (*). However, the wildcard character can only represent one path component in the registry path. Make sure that you do not use the character for the component at the end of the complete registry path (if used at the end, the rule is not effective).
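Because a rule with a misplaced wildcard is simply not effective rather than visibly wrong, it pays to check rule paths before they go into a rule group. The Python checker below is an added example, not McAfee code, and encodes only the constraints stated above: read- and write-protect rules need absolute paths; on Windows a literal drive letter must precede any wildcard, so the *:\ and *\ forms are rejected; on Linux * must stand for a whole path component; in a registry key * must be a whole component and must not be the last one. The guide lists only * as a Linux wildcard, so this example treats ? as unsupported there, which is its own reading. Whether the path exists on the endpoint is out of scope, and the sample paths in the demo are the guide's own allowed and disallowed forms.

```python
import re

_WIN_ABSOLUTE = re.compile(r"^[A-Za-z]:\\")  # literal drive letter, e.g. C:\


def check_rule_path(path, platform="windows", kind="file"):
    """Return a list of problems with a protection-rule path (empty = OK).

    platform: 'windows' or 'linux'
    kind:     'file' for read-protect / write-protect rules,
              'registry' for write-protect registry keys (Windows only)
    """
    problems = []

    if kind == "registry":
        if platform != "windows":
            problems.append("registry rules exist only on Windows")
        comps = [c for c in path.split("\\") if c]
        if not comps:
            return ["empty registry key"]
        for c in comps:
            if "*" in c and c != "*":
                problems.append(f"'*' must stand for one whole key component, not part of one: {c!r}")
        if comps[-1] == "*":
            problems.append("'*' as the last component makes the rule ineffective")
        if "?" in path:
            problems.append("'?' is not a supported wildcard in registry rules")
        return problems

    if kind != "file":
        raise ValueError("kind must be 'file' or 'registry'")

    if platform == "windows":
        # The drive letter must be literal: *:\... and *\... are not accepted.
        if not _WIN_ABSOLUTE.match(path):
            problems.append("path must be absolute and start with a literal drive letter (e.g. C:\\)")
    elif platform == "linux":
        if not path.startswith("/"):
            problems.append("path must be absolute (start with /)")
        if "?" in path:
            problems.append("'?' is not listed as a Linux wildcard; only '*' is (assumption of this checker)")
        for c in path.split("/"):
            if "*" in c and c != "*":
                problems.append(f"on Linux '*' must be a whole path component: {c!r}")
    else:
        raise ValueError("platform must be 'windows' or 'linux'")

    return problems


def valid(path, platform="windows", kind="file"):
    """Convenience wrapper: True when check_rule_path finds nothing."""
    return not check_rule_path(path, platform, kind)


if __name__ == "__main__":
    # Constructed sample: allowed and disallowed forms from the guide, plus a
    # registry key whose trailing wildcard would make the rule ineffective.
    samples = [
        (r"C:\Test1\*\*\Test.txt", "windows", "file"),
        (r"*:\Test1\Test2\Test.txt", "windows", "file"),
        ("/abc/*/def", "linux", "file"),
        ("/abc/*.sh", "linux", "file"),
        (r"HKEY_LOCAL_MACHINE\SOFTWARE\*", "windows", "registry"),
    ]
    for p, plat, kind in samples:
        print(f"{p!s:40} {check_rule_path(p, plat, kind) or 'OK'}")
```

The checker deliberately reports every problem it finds rather than stopping at the first, so a path exported from a rule group can be screened in one pass and the offending component named in the output.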

Protection rules

You can define protection rules when modifying or creating a protection (Change Control) policy or rule group.

Read-protect files and directories:

1 Click Add on the Read-Protect tab. The Add File dialog box appears.

2 Specify the file or directory name.

3 Indicate whether to include for or exclude from read protection.

4 Click OK.

By default, the read protection feature is disabled at the endpoints.

Write-protect files and directories:

1 Click Add on the Write-Protect File tab. The Add File dialog box appears.

2 Specify the file or directory name.

3 Indicate whether to include for or exclude from write protection.

4 Click OK.


Write-protect registry keys:

1 Click Add on the Write-Protect Registry tab. The Add Registry dialog box appears.

2 Specify the registry key.

3 Indicate whether to include for or exclude from write protection.

4 Click OK.

Specify trusted programs permitted to override the read and write protection rules:

1 Click Add on the Updater Processes tab. The Add Updater dialog box appears.

2 Specify whether to add the updater based on the file name, SHA-1, or SHA-256. If you add the updater by name, the updater is not authorized automatically. However, when you add the updater by SHA-1 or SHA-256, the updater is authorized. Prefer SHA-256: a hash pins the override to one exact binary, whereas a name can be claimed by any executable, and SHA-1 is no longer collision resistant.

3 Enter the location of the file (when adding by name), SHA-1, or SHA-256 of the executable file.

4 Enter a unique identification label for the executable file. For example, if you specify Adobe Updater Changes as the identification label for the Adobe_Updater.exe file, all change events made by the Adobe_Updater.exe file are tagged with this label.

5 When adding an updater by name, specify conditions that the file must meet to run as an updater.

• Select None to allow the file to run as an updater without any conditions.

• Select Library to allow the file to run as an updater only when it has loaded the specified library. For example, when configuring iexplore.exe as an updater to allow Windows Updates using Internet Explorer, specify wuweb.dll as the library. This makes sure that the iexplore.exe program has updater privileges only once the web control library (wuweb.dll) is loaded.

• Select Parent to allow the file to run as an updater only if it is launched by the specified parent. For example, when configuring updater.exe as an updater to allow changes to Mozilla Firefox, specify firefox.exe as the parent. Although updater.exe is a generic name that can be part of any installed application, using the parent makes sure that only the correct program is allowed to run as an updater.

6 When adding an updater by name, indicate whether to disable inheritance for the updater. For example, if Process A (that is set as an updater) starts Process B, disabling inheritance for Process A makes sure that Process B does not become an updater.

7 When adding an updater by name, indicate whether to suppress events generated for the actions performed by the updater. Typically, when an updater changes a protected file, a File Modified event is generated for the file. If you select this option, no events are generated for changes made by the updater, so the audit trail for those changes is lost; enable it only for updaters whose changes you have no need to review.

8 Click OK.


Specify users permitted to override the read and write protection rules:

You can either enter user details or import user or group details from an Active Directory. Make sure that the Active Directory is configured as a registered server.

Specify details to authorize users to override the read or write protection rules (Windows only).

1 On the Users tab, click Add. The Add User dialog box appears.

2 Create 2 rules for each user.

• With UPN/SAM and domain account name (in domainName\user format)

• With domain netbiosName (in netbiosName\user format)

3 Specify a unique identification label for the user. For example, if you specify John Doe Changes as the identification label for the John Doe user, all changes made by the user are tagged with this label.

4 Type the user name.

5 Click OK.

Import user details from an Active Directory.

1 Click AD Import on the Users tab. The Import from Active Directory dialog box appears.

2 Select the server.

3 Select Global Catalog Search to search for users in the catalog (only if the selected Active Directory is a Global Catalog server).

4 Specify whether to search for users based on the UPN (User Principal Name) or SAM account name. The name format you search with is the format that is authorized: if you add a user by UPN, that user must log on to the endpoint with the UPN for the override to apply. Make sure that users log on with the form of the account name that you authorized.

5 Enter the user name. The Contains search criteria is applied for the specified user name.

6 Specify a group name to search for users within a group. You cannot directly add a group present in the Active Directory to a policy. To authorize all users in a group, add the user group to a rule group and include the rule group in a policy. When you include a user group in a rule group, the following actions occur.

a Application Control runs a task in the background to query the configured Active Directory server and fetch user details.

b The Active Directory server sends the list of users and associated attributes, such as netbiosName and user name, for all users in the specified user group. These details are saved to the rule group.

c Application Control adds each user in the user group as a trusted user. These users are not listed as individual users on the user interface, but the user list is available when you export the rule group information to an XML file.

Adding user groups makes sure that all changes to a user group automatically cascade across all rule groups and associated policies.

7 Click Find. The search results are displayed.

8 Select the users to add in the search results, then click OK.
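The Library, Parent and inheritance options on the Updater Processes tab decide which running process actually receives the override, and a loose rule (a bare executable name with no condition) is the easiest way to lose the protection the rest of the policy provides. The Python model below is an added example, not McAfee code: it evaluates a small process tree against rules built from the guide's own cases (iexplore.exe gated on wuweb.dll, updater.exe gated on a firefox.exe parent, and a Process A with inheritance disabled). The names proca.exe, procb.exe, child.exe and the loaded-module lists are hypothetical, and the assumption that inherited updater status continues down further child processes is this example's, not something the guide states.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class UpdaterRule:
    """An updater added by name, with the optional conditions from the guide."""
    name: str                      # executable name, matched case-insensitively
    library: Optional[str] = None  # Library condition: DLL that must be loaded
    parent: Optional[str] = None   # Parent condition: process that must have launched it
    inherit: bool = True           # False = 'disable inheritance' for this updater


@dataclass(frozen=True)
class Process:
    """A running process: its image name, who started it, what it has loaded."""
    name: str
    parent: Optional["Process"] = None
    loaded: Tuple[str, ...] = ()


def _matches(rule, proc):
    """Does proc satisfy rule directly (name plus any Library/Parent condition)?"""
    if rule.name.lower() != proc.name.lower():
        return False
    if rule.parent is not None and (
        proc.parent is None or proc.parent.name.lower() != rule.parent.lower()
    ):
        return False
    if rule.library is not None and rule.library.lower() not in (
        m.lower() for m in proc.loaded
    ):
        return False
    return True


def granting_rule(rules, proc):
    """Return the rule under which proc runs as an updater, or None.

    A process qualifies directly through a matching rule, or by inheriting
    the status of an ancestor whose granting rule has inheritance enabled
    (walking further up the tree is an assumption of this model).
    """
    for rule in rules:
        if _matches(rule, proc):
            return rule
    if proc.parent is not None:
        inherited = granting_rule(rules, proc.parent)
        if inherited is not None and inherited.inherit:
            return inherited
    return None


def is_updater(rules, proc):
    return granting_rule(rules, proc) is not None


# Constructed rule set mirroring the guide's examples.
RULES = [
    UpdaterRule("iexplore.exe", library="wuweb.dll"),  # Windows Update via IE only
    UpdaterRule("updater.exe", parent="firefox.exe"),  # Firefox's own updater only
    UpdaterRule("proca.exe", inherit=False),           # hypothetical; children stay unprivileged
]


def demo():
    """Return the verdict for each scenario; doubles as a self-check."""
    ie_plain = Process("iexplore.exe", loaded=("mshtml.dll",))
    ie_wu = Process("iexplore.exe", loaded=("mshtml.dll", "wuweb.dll"))
    ff_updater = Process("updater.exe", parent=Process("firefox.exe"))
    rogue_updater = Process("updater.exe", parent=Process("cmd.exe"))
    proc_a = Process("proca.exe")
    child_of_a = Process("child.exe", parent=proc_a)
    return {
        "iexplore without wuweb.dll": is_updater(RULES, ie_plain),
        "iexplore with wuweb.dll": is_updater(RULES, ie_wu),
        "updater.exe under firefox.exe": is_updater(RULES, ff_updater),
        "updater.exe under cmd.exe": is_updater(RULES, rogue_updater),
        "proca.exe itself": is_updater(RULES, proc_a),
        "child of proca.exe (inheritance off)": is_updater(RULES, child_of_a),
    }


if __name__ == "__main__":
    for scenario, verdict in demo().items():
        print(f"{scenario:40} {'updater' if verdict else 'no override'}")
```

The rogue case is the one to keep in mind when reviewing a rule group: a copy of updater.exe launched from a shell gets nothing because the Parent condition fails, whereas the same name added with the None condition would be an updater wherever it ran.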


Create a protection policy

Protection policies are multi-slot policies; you can assign multiple policies to one node in the System Tree.

Task

For details about product features, usage, and best practices, click ? or Help.

1 On the McAfee ePO console, select Menu | Policy | Policy Catalog.

2 Select the Solidcore 8.0.0: Change Control product.

3 Click New Policy to open the Create a new policy dialog box.

4 Select the category.

5 Select Blank Template from Create a policy based on this existing policy list to define a policy from scratch.

6 Specify the policy name, then click OK to save the policy.

7 Click the policy and specify protection rules.

The read-protect feature is disabled by default. To use read protection rules, enable the read-protect feature for the endpoints.

Enable read protection

By default, the read-protect feature is disabled for optimal system performance. Run a command on the endpoint to enable read protection.

Task

For details about product features, usage, and best practices, click ? or Help.

1 On the McAfee ePO console, select Menu | Systems | System Tree.

2 Perform one of these actions.

• Group — Select a group in the System Tree and switch to the Assigned Client Tasks tab.

• Endpoint — Select the endpoint on the Systems page and click Actions | Agent | Modify Tasks on a Single System.

a Click Actions | New Client Task Assignment.

The Client Task Assignment Builder page appears.

b Select the Solidcore 8.0.0 product, SC: Run Commands task type, and click Create New Task.

The Client Task Catalog page appears.

c Specify the task name and add any descriptive information.

3 Type this command.

features enable deny-read

4 Select Requires Response if you want to view the status of the commands on the Menu | Automation | Solidcore Client Task Log tab.

5 Click Save.


6 Click Next to open the Schedule page.

7 Specify scheduling details, then click Next.

8 Review and verify the task details, then click Save.

9 (Optional) Wake up the agent to send your client task to the endpoint immediately.

After the task has run, confirm on the endpoint that deny-read is reported as Enabled in the output of sadmin features list; until it is, the read-protection rules in the assigned policy have no effect.


5 Monitoring and reporting

When a monitored file or registry key is changed or an attempt is made to access or change a protected resource, an event is generated on the endpoint and sent to the McAfee ePO server. Review and manage the generated events to monitor the network status.

You can also use customizable dashboards to monitor critical security status at a glance, and report that status to stakeholders and decision makers using preconfigured queries.

Contents
Manage events
Dashboards
Queries
View queries

Manage events

View and manage the events from the McAfee ePO console.

Tasks

• Review events on page 53: Review the events by specifying the time duration and endpoint details.

• View content changes on page 54: An event is generated each time the attributes or contents change for a file that is being tracked for changes.

• Exclude events on page 55: You can define rules to prune routine system-generated change events not relevant for monitoring or auditing.

Review events

Review the events by specifying the time duration and endpoint details.

Task

For details about product features, usage, and best practices, click ? or Help.

1 On the McAfee ePO console, select Menu | Reporting | Solidcore Events.

2 Specify the time duration for which to view events by selecting an option from the Time Filter list.

3 Specify the endpoints for which to view events.

a Select the required group in the System Tree.

b Select an option from the System Tree Filter list.


4 (Optional) View only specific events by applying one or more filters.

a Click Advanced Filters to open the Edit Filter Criteria page.

b Select an available property.

c Specify the comparison and value for the property.

For example, to view only File Modified events, select the Event Display Name property, set comparison to Equals, and select the File Modified value.

d Click Update Filter.

Events matching the specified criteria are displayed.

5 (Optional) Click What's reputation-based execution? to review the checks that Application Control performs in a set order to allow or ban the execution for a file.

6 (Optional) Record additional information for an event.

a Perform one of these steps:

• To add user comments for one event, click Add a comment link.

• To add user comments for multiple events, select the events and click Actions | Add Comments.

The Add Comments dialog box appears.

A site administrator has permission to overwrite user comments that were added by a global administrator.

b Enter your comments.

c Click OK.

7 View details for an event.

a Click an event row.

b Review event details.

c Click Back.

8 Review endpoint details for one or more events.

a Select one or more events.

b Click Actions | Show Related Systems.

The Related Systems page lists the endpoints corresponding to the selected events.

c Click a row to review detailed information for the endpoint.

d (Optional) Perform any action on the endpoint.

View content changes

An event is generated each time the attributes or contents change for a file that is being tracked for changes. Based on the change made to the file, one of these events is generated.

• FILE_CREATED
• FILE_DELETED
• FILE_MODIFIED
• FILE_RENAMED
• FILE_ATTR_MODIFIED
• FILE_ATTR_SET
• FILE_ATTR_CLEAR
• ACL_MODIFIED
• OWNER_MODIFIED

If any of these events is generated for a file for which you are tracking content changes, you can review details of the change made to the file.

Task

For details about product features, usage, and best practices, click ? or Help.

1 On the McAfee ePO console, select Menu | Reporting | Solidcore Events.

2 Click View Content Change for the event.

The page compares two versions of the file.

3 Review the host, file attribute, and file content information.

The change made to the file is highlighted.

4 Click Close.

Exclude events

You can define rules to prune routine system-generated change events not relevant for monitoring or auditing. You can exclude or ignore events not required to meet compliance requirements. You must have the required permissions to perform this task. If you do not have the permissions, contact the McAfee ePO administrator. For more information about permissions, see Permissions for rule configuration.

Task

For details about product features, usage, and best practices, click ? or Help.

1 On the McAfee ePO console, select Menu | Reporting | Solidcore Events.

2 Select the events to exclude.

3 Click Actions | Exclude Events to open the Events Exclusion Wizard.

4 Select the target platform for the rules.

5 Select the rule group type, then click Next to open the Define Rules page.

6 Rules are auto-populated based on the selected events.

7 Review and refine existing rules and add new rules, as needed.

8 Click Next to open the Select Rule Group page.

9 Add the rules to an existing or new rule group, then click Save.

10 Make sure that the rule group is added to the relevant policy and the policy is assigned to the endpoints.

Once excluded, similar new events are no longer displayed on the McAfee ePO console. Excluding events does not remove the existing or similar events from the Solidcore Events page. Because an exclusion silences every future event that matches it, keep the rules as specific as possible and review them periodically so that routine noise, not a real change, is what gets filtered.


Dashboards

Dashboards are collections of monitors that help you keep an eye on your environment.

Change Control provides these default dashboards.

• Solidcore: Integrity Monitor dashboard allows you to observe the monitored endpoints

• Solidcore: Change Control dashboard helps you keep a check on the protected endpoints

• Solidcore: Health Monitoring dashboard helps you monitor the health of the protected endpoints in your enterprise

You can create, duplicate, and export dashboards. For more information about working with dashboards, see the McAfee ePolicy Orchestrator Product Guide.

Queries

Use the available queries to review information for the endpoints based on the data stored in the McAfee ePO database.

These Change Control and Health Monitoring queries are available from the McAfee ePO console.

Table 5-1 Change Control queries

Alerts
Displays the active alerts by severity in the last 3 months.

Attempted Violations in the Last 24 Hours
Displays the attempted violation events detected during the last 24 hours. The line chart plots data on a per hour basis. Click a value on the chart to review event details.

Attempted Violations in the Last 7 Days
Displays the attempted violation events detected during the last 7 days. The line chart plots data on a per day basis. Click a value on the chart to review event details.

Content Change Tracking Report Generation - With Group My Organization
Pulls information from the McAfee ePO database for all files in your setup for which you are tracking content changes. The fetched information is then used when you run the Content Change Tracking Report Generation server task to generate a report that details content and attribute changes made to the files for which you are tracking content changes.

Change Control Agent Status
Displays the status of all endpoints with the Change Control license that are managed by the McAfee ePO server. The pie chart categorizes the information based on the client status. Click a segment to review endpoint information.

Change Control Events in the Last 24 Hours
Displays Change Control events detected during the last 24 hours. The line chart plots data on a per hour basis. Click a value on the chart to review event details.

Change Control Events in the Last 7 Days
Displays Change Control events detected during the last 7 days. The line chart plots data on a per day basis. Click a value on the chart to review event details.

Non Compliant Solidcore Agents
Lists the endpoints that are currently not compliant. The list is sorted based on the reason for noncompliance. An endpoint can be noncompliant if it is in Disabled or Update mode or if the local command line interface (CLI) access is recovered.

Out of Band Change Events in Last 24 Hours
Displays change events generated in the last 24 hours that are not compliant with the update policy. The line chart plots data on a per hour basis. Click a value on the chart to review event details.


56 McAfee Change Control and McAfee Application Control 8.0.0 Product Guide


Out of Band Change Events in Last 7 Days
Displays change events generated in the last 7 days that are not compliant with the update policy. The line chart plots data on a per day basis. Click a value on the chart to review event details.

PCI DSS Requirement 10.3.1: User Report Detail - Rolling 90 Days
Displays a detailed list of changes that are grouped by the user name. This report allows you to comply with PCI DSS requirement 10.3.1.

PCI DSS Requirement 10.3.1: User Report Summary - Rolling 90 Days
Displays the summarized list of changes that are sorted based on the user name and date. This report allows you to comply with PCI DSS requirement 10.3.1.

PCI DSS Requirement 11.5: Detailed PCI File Integrity Monitoring - Rolling 90 Days
Displays a detailed Audit Log of the critical systems, critical applications, and configuration files. This report allows you to comply with PCI Data Security Standards (DSS) requirement 11.5.

PCI DSS Requirement 11.5: Summary PCI File Integrity Monitoring - Rolling 90 Days
Displays a summarized Audit Log of the critical systems, critical applications, and configuration files. This report allows you to comply with PCI DSS requirement 11.5.

PCI Requirement 10.3: File Integrity Monitoring - Rolling 90 Days
Displays the summary of changes that are grouped by the program name. This report allows you to comply with Payment Card Industry (PCI) requirement 10.3.

Policy Assignments By System
Lists the number of policies applied on the managed endpoints. Click a system to review information about the applied policies.

Policy Details
Categorizes and lists the rules defined in a selected monitoring or protection policy. To view the report, click Edit for the query, navigate to the Filter page, select a policy name, and click Run. Click a category to review all rules in the category.

Solidcore Agent License Report
Indicates the number of Solidcore Agents that are managed by the McAfee ePO server. The information is categorized based on the license information, namely Application Control and Change Control, and further sorted based on the operating system on the endpoint.

Solidcore Agent Status Report
Displays the status of all endpoints managed by the McAfee ePO server. This report combines information for both the Application Control and Change Control licenses. The pie chart categorizes the information based on the client status. Click a segment to review detailed information.

Top 10 Change Events in the Last 7 Days
Displays the top 10 change events that were generated during the last 7 days. The chart includes a bar for each event type and indicates the number of events generated for each event type. The bar chart sorts the data in descending order. Click a bar on the chart to review detailed information.

Top 10 Programs with Most Change Events in the Last 7 Days
Displays the top 10 programs with the most changes during the last 7 days. The chart includes a bar for each program and indicates the number of events generated by each program. The bar chart sorts the data in descending order. Click a bar on the chart to review detailed information.

Top 10 Systems with Most Change Events in the Last 7 Days
Displays the top 10 systems with the most changes during the last 7 days. The chart includes a bar for each system and indicates the number of events generated for each system. The bar chart sorts the data in descending order. Click a bar on the chart to review detailed information.

Top 10 Systems with Most Violations in the Last 24 Hours
Displays the top 10 systems with the maximum number of violations in the last 24 hours. The chart includes a bar for each system and indicates the number of violations for each system. Click a bar on the chart to review detailed information.

Top 10 Systems with Most Violations in the Last 7 Days
Displays the top 10 systems with the maximum number of violations in the last 7 days. The chart includes a bar for each system and indicates the number of violations for each system. Click a bar on the chart to review detailed information.


Top 10 Users with Most Change Events in the Last 7 Days
Displays the top 10 users with the most changes during the last 7 days. The chart includes a bar for each user and indicates the number of events generated by each user. The bar chart sorts the data in descending order. Click a bar on the chart to review detailed information.

Top 10 Users with Most Violations in the Last 7 Days
Displays the top 10 users with the most policy violation attempts in the last 7 days. The chart includes a bar for each user and indicates the number of policy violation attempts for each user. The bar chart sorts the data in descending order. Click a bar on the chart to review detailed information.

Top 10 Users with Most Violations in the Last 24 Hours
Displays the top 10 users with the most policy violation attempts in the last 24 hours. The chart includes a bar for each user and indicates the number of policy violation attempts for each user. The bar chart sorts the data in descending order. Click a bar on the chart to review detailed information.

Table 5-2 Health Monitoring queries

Client Task Logs Data Congestion Trend in Last 7 Days
Displays the data congestion trend for client task logs in the last 7 days. The line chart plots data on a per day basis. Click a value on the chart to review details.

Number of Systems where Throttling Initiated in Last 7 Days
Displays the number of systems on which event throttling is initiated in the last 7 days. The summary table sorts the data in descending order.

Top 10 Events for 10 Most Noisy Systems in Last 7 Days
Displays the top 10 events for the most noisy systems in the last 7 days. The bar chart sorts the data in descending order. Click a bar on the chart to review detailed information.

View queries

View a Change Control or Solidcore Health Monitoring query.

Task

For details about product features, usage, and best practices, click ? or Help.

1 On the McAfee ePO console, select Menu | Reporting | Queries & Reports.

2 Select the Change Control or Solidcore Health Monitoring group under McAfee Groups.

3 Review the queries in the list.

4 Navigate to the required query, then click Run.

The results for the selected query are displayed.

5 Click Close to return to the previous page.


6 Getting started with Application Control

Before you begin using Application Control, review this chapter to get familiar with the product and understand related concepts.

Contents

• Application Control modes
• File and certificate reputation
• Memory-protection techniques
• What are rule groups?
• What are certificates?
• What are updater processes?
• What are installers?
• Permissions for rule configuration
• Configure and manage rule groups
• Manage certificates
• Manage installers
• Configure Package Control


Application Control modes

Application Control operates in one of these supported modes.

Observe

Indicates that the application is in effect but does not prevent any execution or changes made on the endpoints. Using Observe mode is a practice run for Application Control to gather information without taking action. Observe mode is available only on the Windows platform.

Memory-protection techniques are not enabled in Observe mode.

Observe mode helps you discover relevant policies for your enterprise. The product identifies policy candidates by monitoring execution activities and comparing them with the local inventory and predefined rules. When running in Observe mode, Application Control emulates Enabled mode but only logs observations.

Observe mode also supports reputation-based execution. When you execute a file at an endpoint, the software fetches its reputation and the reputation of all certificates associated with the file to determine whether to allow or ban the file execution.

• Trusted files — If the reputation for an executable file or its associated certificate is trusted, the file is allowed to run, unless blocked by a predefined ban rule. No corresponding observation or event is generated.

• Malicious files — If the reputation for an executable file or its associated certificate is malicious, the file is not allowed to execute and no corresponding observation is generated. A corresponding event is generated and displayed on the Solidcore Events page. The settings configured for your enterprise determine the reputation value that is banned. You can choose to ban only Known Malicious, Most Likely Malicious, Might be Malicious files, or all such files.

• Unknown — If the reputation for an executable file or its associated certificate is unknown, reputation is not used to determine execution. Application Control performs multiple other checks to determine whether to allow or block the file. For more information, see Checks that Application Control runs for a file.

Regardless of the file's reputation, if a ban by name, SHA-1, or SHA-256 rule exists for an executable file, its execution is banned. No corresponding observation is generated. A corresponding event is generated and displayed on the Solidcore Events page.

All files that are allowed to execute in Observe mode are automatically added to the whitelist, if not already present in the whitelist. An observation is logged that corresponds to the action Application Control takes in Enabled mode. For example, if not authorized, the execution of Adobe Reader is prevented in Enabled mode. In Observe mode, the file is allowed to execute unless it is banned by a specific rule or has malicious reputation.

Place Application Control in Observe mode to:

• Check the compatibility of Application Control with existing software during initial deployment.

• Test an application before enterprise-wide deployment to endpoints already running Application Control.

• Create trusted updater policies for the applications in your enterprise.

For more information about Observe mode, see Deploying Application Control in Observe mode.

Enabled

Indicates that protection is effective. Enabled mode is the recommended mode of operation.

Enabled mode supports reputation-based execution. When you execute a file at an endpoint, the software fetches its reputation and the reputation of all certificates associated with the file to determine whether to allow or ban the file execution.


• Trusted files — If the reputation for an executable file or its associated certificate is trusted, the file is allowed to run, unless blocked by a predefined ban rule. No corresponding event or observation is generated.

• Malicious files — If the reputation for an executable file or its associated certificate is malicious, the file is not allowed to execute and no corresponding observation is generated. A corresponding event is generated and displayed on the Solidcore Events page. The settings configured for your enterprise determine the reputation value that is banned. You can choose to ban only Known Malicious, Most Likely Malicious, Might be Malicious files, or all such files.

• Unknown — If the reputation for an executable file or its associated certificate is unknown, reputation is not used to determine execution. Application Control performs multiple other checks to determine whether to allow or block the file. For more information, see Checks that Application Control runs for a file.

Regardless of the file's reputation, if a ban by name, SHA-1, or SHA-256 rule exists for an executable file, its execution is banned. No corresponding observation is generated. A corresponding event is generated and displayed on the Solidcore Events page.

In Enabled mode, Application Control:

• Allows only trusted (based on reputation) or authorized (based on rules) applications and installers to run on servers and endpoints

• Protects against memory-based attacks and application tampering


Update

Indicates that the application is effective, allows ad-hoc changes to the system, and tracks changes made to the endpoints. Update mode refers to an interval during which changes are allowed on a protected endpoint. If a ban by name, SHA-1, or SHA-256 rule exists for an executable file, its execution is not allowed.

Update mode supports reputation-based execution. When you execute a file at an endpoint, the software fetches its reputation and the reputation of all certificates associated with the file to determine whether to allow or ban the file execution.

• Trusted and Unknown files — If the reputation for an executable file or its associated certificate is trusted or unknown, the file is allowed to run, unless blocked by a predefined ban rule. No corresponding event or observation is generated.

• Malicious files — If the reputation for an executable file or its associated certificate is malicious, the file is not allowed to execute and no corresponding observation is generated. A corresponding event is generated and displayed on the Solidcore Events page.

Regardless of the file's reputation, if a ban by name, SHA-1, or SHA-256 rule exists for an executable file, its execution is banned. No corresponding observation is generated. A corresponding event is generated and displayed on the Solidcore Events page.

Recommended for — Use Update mode only for installing minor software updates. For example, define a time window to allow the IT team to complete maintenance tasks, such as installing patches or upgrading software. Only use Update mode to perform scheduled or emergency changes that cannot be made when Application Control is running in Enabled mode. Whenever possible, use other preferred methods, such as users, directories, certificates, updater processes, or installers, to allow changes.

In Enabled mode, if you install any new software or add new executable files, the files are not added to the whitelist or allowed to execute (unless the change is performed by a trusted change method). However, if you install or uninstall software or add new files in Update mode, all changes are tracked and added to the whitelist.

To authorize or approve changes to endpoints, a change window is defined during which users and programs can make changes to the endpoint. In effect, Update mode allows you to schedule software and patch installations, remove or modify software, and dynamically update the local whitelist. The application generates the FILE_SOLIDIFIED event for files added during Update mode and the FILE_UNSOLIDIFIED event for files deleted during Update mode. Also, when an endpoint is in Update mode, all changes to existing files in the inventory generate corresponding update mode events, such as FILE_MODIFIED_UPDATE and FILE_RENAMED_UPDATE.

Memory-protection techniques are enabled in Update mode. This makes sure that running programs cannot be exploited.

Disabled

Indicates that the application is not effective. Although the application is installed, the associated features are not active.

Switching between modes

• From Observe mode, you can switch to Enabled or Disabled mode.

• From Enabled mode, you can switch to Disabled, Update, or Observe mode.

• From Update mode, you can switch to Enabled or Disabled mode.

• From Disabled mode, you can switch to Enabled, Update, or Observe mode.


File and certificate reputation

Application Control can work with multiple sources to fetch reputation information for files and certificates.

On the McAfee ePO console, the reputation information helps you make quick and informed decisions for executable files and certificates in your enterprise. Reputation information, readily available to administrators, reduces the administrators' effort and allows them to quickly define policies for the enterprise on the McAfee ePO server.

On the endpoints, this integration allows reputation-based execution. When you execute a file at an endpoint, the software fetches its reputation and the reputation of all certificates associated with the file to determine whether to allow or ban the file execution. The settings configured for your enterprise determine the reputation values that are allowed and banned.

• Trusted files — If the reputation for an executable file or its associated certificate is trusted, the file is allowed to run, unless blocked by a predefined ban rule.

• Malicious files — If the reputation for an executable file or its associated certificate is malicious, the file is not allowed to execute.

• Unknown — If the reputation for an executable file or its associated certificate is unknown, reputation is not used to determine execution. Application Control performs multiple other checks to determine whether to allow or block the file. For more information, see Checks that Application Control runs for a file.

Regardless of reputation, if a file is blocked or unauthorized based on a rule, it is prevented from executing.

Reputation-based execution is available on all supported Windows platforms except Windows 2008. Reputation-based execution is not available on the Linux platform.

Reputation sources

Application Control can work with multiple sources to fetch reputation information. Based on the configuration, the software regularly synchronizes with these sources:

TIE server module

The TIE server is a local reputation server that communicates with multiple reputation sources. It effectively combines and collates intelligence from global sources with local threat intelligence and customized organizational knowledge to provide aggregated reputation values. The TIE server can communicate with McAfee GTI, McAfee® Advanced Threat Defense, or third-party feeds that include local threat intelligence sourced from real-time and existing event data delivered by endpoints, gateways, and other security components.

TIE empowers administrators to assemble, override, augment, and tune the intelligence source information so that they can customize data for their environment and organization. For more information, see the McAfee Threat Intelligence Exchange Product Guide for your version of the software.

McAfee GTI server

The McAfee GTI file reputation service is a cloud-based service that functions as a reputation source. Application Control periodically synchronizes with the McAfee GTI server to fetch ratings for executable files and certificates. The Fetch File Details from McAfee GTI Server and Fetch Certificate Reputation from McAfee GTI Server server tasks are internal tasks that run automatically several times a day to fetch McAfee GTI ratings for executable files and certificates.

Starting with the 8.0.0 release, Application Control and Change Control support SHA-256 values of executable files. However, reputation-based execution workflows work on SHA-1 values only. Reputation sources, such as McAfee GTI and the TIE server, do not support file SHA-256 values.

Here is how Application Control communicates with the TIE server and the McAfee GTI server.


• TIE server — Application Control communicates directly with the TIE server configured in your environment.

• McAfee GTI server — Application Control communicates directly with the McAfee GTI server. However, if a proxy server is configured in your setup, Application Control uses the proxy server to communicate with the McAfee GTI server. The proxy server is configured on the Menu | Configuration | Server Settings | Proxy Settings page.

The Solidcore ePO extension and the endpoints communicate with the McAfee GTI server for reputation lookup. Make sure that the McAfee ePO server is able to communicate with cwl.gti.mcafee.com on port 443 by configuring appropriate firewall or proxy settings. Also, make sure that the time is accurately set on the endpoints to allow communication with the McAfee GTI server.

Reputation-based workflow

Application Control receives reputation for executable files and certificates from relevant sources, such as McAfee GTI and the TIE server.

McAfee ePO workflow

Here is the reputation-based workflow available in Application Control from the McAfee ePO console.

Application Control communicates with the McAfee GTI server at regular intervals to fetch reputation information for executable files and certificates in the enterprise. However, if the TIE server is configured in your environment, Application Control also continuously listens to reputation change notifications received from the TIE server.

A change to the enterprise reputation of any file triggers a Reputation change notification that is displayed on the Server Task Log page. Based on the changes to the enterprise reputation of files in the last minute, values are updated on the pages and a corresponding Reputation changed entry is added to the Server Task Log Details page for Reputation change notification. Review the Reputation changed entries for information on the reputation change for inventory items. Each entry includes information for one or more impacted executable files. For each impacted item, you can review the old reputation, updated reputation, and file SHA-1. If communication with the TIE server is temporarily suspended for any reason, all missed notifications are synced after communication resumes.


Endpoint workflow

Here is the reputation-based workflow available in Application Control at the endpoints.

The Solidcore client supports reputation-based execution on the endpoints. When the user executes a file, Application Control contacts the reputation source to fetch reputation information as follows:

• If the TIE server is configured, the endpoint communicates with the server to fetch reputation for the executable file or all certificates associated with the file.

• If the TIE server is not installed or is unavailable, the endpoint communicates with the McAfee GTI server to fetch reputation for the executable file or all certificates associated with the file.

To verify if fetching reputation from the TIE server or McAfee GTI server is enabled for an endpoint, review the value for the Reputation (TIE) or Reputation (GTI) property for the endpoint, respectively. To navigate to the property, click the row corresponding to the endpoint on the Systems page and click the Solidcore row in the Products tab.

Here is a high-level description of how the endpoint determines whether to execute a file.


1 Check if an explicit ban rule exists for the file.

• If yes, prevent file execution.

• If not, verify the file and certificate reputation.

2 Allow or block file execution based on reputation as per the defined reputation settings.

In addition to reputation, Application Control uses defined rules and policies to determine file execution status. For more information, see Checks that Application Control runs for a file.

Reputation values received from sources

Here are the reputation values provided by the TIE and McAfee GTI servers.

From TIE server

For an executable file or certificate, the TIE server provides scores from various providers, such as ATD, McAfee GTI, and ETL, that Application Control uses to compute reputation. Here are the provided values.


• Known trusted
• Most likely trusted
• Might be trusted
• Unknown
• Might be malicious
• Most likely malicious
• Known malicious
• Not set

From McAfee GTI

For each executable file, McAfee GTI provides the reputation and classification values.

• File Hash Reputation — Indicates if the file is trusted or malicious. Based on information fetched from McAfee GTI, the applications and files are sorted into categories on the Application Control pages.

• File Hash Classification — Indicates the reliability or credibility of the file. The assigned value indicates if the file is trusted, unknown, or malicious.

For each certificate, McAfee GTI provides a score that indicates its reputation.

McAfee GTI classification for files   McAfee GTI score for certificates   Description
known_clean                           99                                  Known trusted
analysed_clean, assumed_clean         85                                  Most likely trusted
raiden_analyzed_clean, noise_clean    70                                  Might be trusted
unknown                               50                                  Unknown
assumed_dirty, assumed_dirty2         30                                  Might be malicious
assumed_dirty3, assumed_dirty4        15                                  Most likely malicious
pup, trojan, virus, app               1                                   Known malicious
Not available                         0                                   Not set
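As an added example (not McAfee's code), the following Python models the endpoint decision order described under Endpoint workflow (explicit ban rule first, then file and certificate reputation, then the remaining rule checks) per Application Control mode, together with the McAfee GTI classification and certificate-score mapping from the table above. The `ExecutableFile` and `Decision` types, the numeric ranks borrowed from the certificate-score column, the reading of the enterprise ban setting as a threshold (`ban_threshold`), the rule that a malicious certificate outweighs a trusted file hash, and the single `authorized_by_rules` flag standing in for the rule and whitelist checks are this example's own assumptions.

```python
from dataclasses import dataclass
from enum import Enum


class Reputation(Enum):
    """Reputation levels, ranked by the GTI certificate scores in the table."""
    KNOWN_TRUSTED = 99
    MOST_LIKELY_TRUSTED = 85
    MIGHT_BE_TRUSTED = 70
    UNKNOWN = 50
    MIGHT_BE_MALICIOUS = 30
    MOST_LIKELY_MALICIOUS = 15
    KNOWN_MALICIOUS = 1
    NOT_SET = 0

    def is_malicious(self) -> bool:
        return Reputation.NOT_SET.value < self.value < Reputation.UNKNOWN.value


_GTI_CLASSES = {  # GTI file classification strings per level, from the guide's table
    Reputation.KNOWN_TRUSTED: ("known_clean",),
    Reputation.MOST_LIKELY_TRUSTED: ("analysed_clean", "assumed_clean"),
    Reputation.MIGHT_BE_TRUSTED: ("raiden_analyzed_clean", "noise_clean"),
    Reputation.UNKNOWN: ("unknown",),
    Reputation.MIGHT_BE_MALICIOUS: ("assumed_dirty", "assumed_dirty2"),
    Reputation.MOST_LIKELY_MALICIOUS: ("assumed_dirty3", "assumed_dirty4"),
    Reputation.KNOWN_MALICIOUS: ("pup", "trojan", "virus", "app"),
}
GTI_FILE_CLASSIFICATION = {c: rep for rep, names in _GTI_CLASSES.items() for c in names}


def gti_file_reputation(classification: str) -> Reputation:
    """Map a GTI file classification to a reputation; unlisted values are Not set."""
    return GTI_FILE_CLASSIFICATION.get(classification.lower(), Reputation.NOT_SET)


def gti_certificate_reputation(score: int) -> Reputation:
    """Map a GTI certificate score to a level (assumption: round down to a table row)."""
    for level in sorted(Reputation, key=lambda r: r.value, reverse=True):
        if score >= level.value:
            return level
    return Reputation.NOT_SET


class Mode(Enum):
    OBSERVE = "observe"
    ENABLED = "enabled"
    UPDATE = "update"
    DISABLED = "disabled"


@dataclass(frozen=True)
class ExecutableFile:
    name: str
    sha1: str
    sha256: str
    reputation: Reputation               # file hash reputation
    certificate_reputations: tuple = ()  # one entry per signing certificate


@dataclass
class Decision:
    allowed: bool
    event: bool = False        # an event is shown on the Solidcore Events page
    observation: bool = False  # an observation is logged (Observe mode only)
    reason: str = ""


def effective_reputation(f: ExecutableFile) -> Reputation:
    """Assumption: any malicious value wins, else the best trusted one, else Unknown."""
    values = [f.reputation, *f.certificate_reputations]
    malicious = [r for r in values if r.is_malicious()]
    if malicious:
        return min(malicious, key=lambda r: r.value)
    trusted = [r for r in values if r.value > Reputation.UNKNOWN.value]
    return max(trusted, key=lambda r: r.value) if trusted else Reputation.UNKNOWN


def decide(f: ExecutableFile, mode: Mode, bans: frozenset,
           ban_threshold: Reputation = Reputation.MIGHT_BE_MALICIOUS,
           authorized_by_rules: bool = False) -> Decision:
    """Decide whether `f` may run. `bans` holds lower-case names, SHA-1s and SHA-256s
    from explicit ban rules; `ban_threshold` models the enterprise setting (ban this
    level and worse); `authorized_by_rules` stands in for the other rule checks."""
    if mode is Mode.DISABLED:
        return Decision(True, reason="Disabled mode: nothing is enforced")
    if any(v.lower() in bans for v in (f.name, f.sha1, f.sha256)):
        return Decision(False, event=True, reason="explicit ban rule")  # step 1
    rep = effective_reputation(f)  # step 2: file and certificate reputation
    if rep.is_malicious() and rep.value <= ban_threshold.value:
        return Decision(False, event=True, reason=f"reputation {rep.name}")
    if rep.value > Reputation.UNKNOWN.value:
        return Decision(True, reason=f"reputation {rep.name}")
    # step 3: reputation does not decide; fall back per mode
    if mode is Mode.UPDATE:
        return Decision(True, reason="Update mode: change tracked and whitelisted")
    if mode is Mode.OBSERVE:  # allowed, but log what Enabled mode would have done
        return Decision(True, observation=not authorized_by_rules, reason="Observe mode")
    return Decision(authorized_by_rules, event=not authorized_by_rules, reason="rule checks")
```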

How reputation is computed

On the McAfee ePO console, reputation information for a file is received from various sources, then collated to compute reputation.

When determining the final reputation for an executable file in your enterprise, Application Control uses values and parameters provided by the configured sources. Here are the parameters that are considered while computing reputation, and their possible values.


Parameter: TIE server
Description: See Reputation sources.
Possible values: Known Trusted, Most Likely Trusted, Might be Trusted, Unknown, Might be Malicious, Most Likely Malicious, Known Malicious
Used for: Executable files, Certificates

Parameter: Reputation by Application Control
Description: This is the former Enterprise Trust Level and is primarily for users migrating from older releases to the 7.0 release. It ensures continuity for existing customers and honors all Application Control trust level values set before migrating to the 7.0 release. If set, this value is not used to determine file execution on the endpoints. It is only used to compute the final file reputation that is displayed on the McAfee ePO console.

Application Control can track the enterprise trust level or reputation by Application Control value for each executable file. When edited, this value for a file overrides the existing reputation for the file.

For example, your organization uses an internally developed application that is set as an unknown application because it is specific to your organization. Because you trust the application, you can recategorize it as a trusted file by editing its reputation. To edit the reputation, select the file and select Actions | Set Reputation by Application Control on the Executable Files pane of the By Applications page.
Possible values: Known Malicious, Unknown, Known Trusted
Used for: Executable files

Parameter: Advanced Threat Defense Trust Level
Description: If ATD is configured in your setup, the TIE server integrates in real time with ATD to provide detailed assessment and data on malware classification. It combines low-touch anti-virus signatures, reputation, and real-time emulation defenses with in-depth static code and dynamic analysis (sandboxing) to analyze actual behavior.

To verify if ATD submission is enabled for an endpoint, review the value for the ATD Submission property for the endpoint. To navigate to the property, click the row corresponding to the endpoint on the Systems page and click the Solidcore row in the Products tab.
Possible values: Unknown, Might be Malicious, Most Likely Malicious, Known Malicious
Used for: Executable files

Parameter: McAfee GTI Trust Classification
Description: See Reputation sources.
Possible values: Known Trusted, Most Likely Trusted, Might be Trusted, Unknown, Might be Malicious, Most Likely Malicious, Known Malicious
Used for: Executable files, Certificates

On the McAfee ePO console, when computing final reputation, Application Control uses the reputation value for an executable file and its associated certificates.


Here is how final reputation is computed for an unsigned file.


Here is how final reputation is computed for a signed file.

If reputation for a file or its associated certificate is set to Unknown on the TIE server, the McAfee GTI rating for the file or certificate is not considered. Also, the reputation source for a file is determined based on the logic used to determine final reputation. Contact McAfee support for more information.


Configure reputation sources

Here is how you can configure Application Control to work with the TIE server and the McAfee GTI server.

The Solidcore extension and Solidcore client both communicate with the TIE server. If the TIE server is unavailable in your environment, Application Control endpoints communicate with the McAfee GTI server to fetch file and certificate reputation. The Solidcore extension listens for change notifications from the TIE server and fetches file and certificate reputation from the McAfee GTI server.


Component: Solidcore extension

TIE server: If the TIE server is installed and configured in your environment with McAfee Agent 5.0 and McAfee® Data Exchange Layer (DXL), Application Control automatically communicates with the TIE server. For more information on installing and configuring the TIE server, see McAfee Threat Intelligence Exchange Installation Guide.

McAfee GTI server: When you install the Solidcore extension, a registered server with McAfee GTI server settings is added to the McAfee ePO console. The server fetches file and certificate reputation information. Complete these steps to edit the configuration for the McAfee GTI server.

1 Select Menu | Configuration | Registered Servers.

2 Select McAfee GTI Server and click Actions | Edit. The Registered Server Builder page is displayed.

3 Click Next.

4 Edit the McAfee GTI server configuration, including address, certificates, host name, and user credentials.

5 Click Test Connection to verify connectivity.

6 Click Save.

The specified settings are used by the Solidcore extension and Solidcore endpoints to communicate with the McAfee GTI server.

Component: Solidcore endpoints

TIE server and McAfee GTI server: By default, a policy is applied to all endpoints running the Solidcore client to enable reputation-based execution. The settings in the policy indicate how endpoints communicate with the configured reputation sources. To edit the settings for endpoints, follow these steps.

1 On the McAfee ePO console, select Menu | Policy | Policy Catalog.

2 Select the Solidcore 8.0.0: Application Control product.

3 Select the Application Control Options (Windows) category.

4 Click the My Default policy to edit it.

5 On the Reputation tab, click What's reputation-based execution for information about how reputation is used to determine file execution.

6 Specify the reputation source. You can use the TIE server, McAfee GTI server, or both. If you use both, the TIE server serves as the primary reputation source. The McAfee GTI server serves as an alternate source that is used only when the TIE server is unavailable.

7 Specify the reputation levels to automatically allow or block execution at the endpoints.

8 Specify the ATD settings if you have ATD configured in your environment.

• Specify the reputation levels to automatically send files to ATD for analysis.

• Specify the maximum file size for sending files to ATD.

9 Save the policy and apply it to the relevant endpoints.


Using reputation information

Reputation information helps you make informed decisions for your enterprise and stay updated about malicious files discovered in your setup.

Reputation information is available on various Application Control pages, such as Policy Discovery and By Applications. You can use the available reputation information to make decisions while processing requests and defining rules and policies.

By default, for Known Malicious and Might be Malicious files or certificates encountered in your setup, the software generates the Malicious File Found event. Also, if the reputation for a file changes from malicious to trusted, the Malicious File is Trusted event is generated. You can view these events on the Menu | Reporting | Solidcore Events and Menu | Reporting | Threat Event Log pages. View event details to review the threat type and identify if the threat source is the TIE server or McAfee GTI server. If needed, you can edit the Bad Binary has been detected in Enterprise automatic response to enable it and specify the email address where you want to receive a notification for these events. For more information about creating automatic responses, see McAfee ePolicy Orchestrator Product Guide.

Memory-protection techniques

Application Control offers multiple memory-protection techniques to prevent zero-day attacks.

Memory-protection techniques provide extra protection over the protection from native Windows features or signature-based buffer overflow protection products. These memory-protection techniques are available on all Windows operating systems, including 64-bit platforms. They are unavailable on the Linux platform.

At a high level, the available techniques stop two kinds of exploits.

• Buffer overflow followed by direct code execution

• Buffer overflow followed by indirect code execution using Return-Oriented Programming

For a detailed and updated list of exploits prevented by memory-protection techniques, subscribe to McAfee Threat Intelligence Services (MTIS) security advisories.

Technique: CASP — Critical Address Space Protection (mp-casp)

Description: CASP is a memory-protection technique that renders useless any shellcode running from the non-code area. Code running from the non-code area is an abnormal event that usually happens because a buffer overflow is exploited.

CASP allows code to execute from the non-code area but disallows the code from invoking any meaningful API calls, such as CreateProcess() and DeleteFile(). Any meaningful exploit code wants to invoke at least one of these APIs and because CASP blocks them, the exploit fails to do any damage.

When you use CASP, it protects all processes running on your Windows system with some exceptions. These exceptions include a few processes that are already protected by the integrity protection feature of Windows.

Supported operating systems: 32-bit and 64-bit — Windows Server 2008, Windows 7, Windows Embedded 7, Windows 8, Windows Embedded 8, Windows 8.1, Windows Embedded 8.1, Windows 10, and Windows 10 IoT Enterprise

Default state: Enabled

Event generated: PROCESS_HIJACK_ATTEMPTED


Technique: NX — No eXecute (mp-nx)

Description: The NX feature uses the Windows Data Execution Prevention (DEP) feature to protect processes against exploits that try to execute code from a writable memory area (stack/heap). On top of native DEP, MP-NX provides granular bypass capability and raises violation events that can be viewed on the McAfee ePO console.

Windows DEP prevents code from being run from a non-executable memory region. Usually, code running from the non-executable memory region is an abnormal event. This mostly occurs because of a buffer overflow. The malicious exploit attempts to execute code from these non-executable memory regions.

Supported operating systems: 64-bit — Windows Server 2008, Windows Server 2008 R2, Windows 7, Windows Embedded 7, Windows 8, Windows Embedded 8, Windows 8.1, Windows Embedded 8.1, Windows 10, Windows 10 IoT Enterprise, Windows Server 2012, and Windows Server 2012 R2. This feature is not available on the IA64 architecture.

Default state: Enabled

Event generated: NX_VIOLATION_DETECTED

Technique: Forced DLL Relocation (mp-vasr-forced-relocation)

Description: This feature forces relocation of those dynamic-link libraries (DLLs) that have opted out of the Windows native ASLR feature. Some malware relies on these DLLs always being loaded at the same and known addresses. By relocating such DLLs, these attacks are prevented.

Supported operating systems: 32-bit and 64-bit — Windows Server 2008, Windows Server 2008 R2, Windows 7, Windows Embedded 7, Windows 8, Windows Embedded 8, Windows 8.1, Windows Embedded 8.1, Windows 10, Windows 10 IoT Enterprise, Windows Server 2012, and Windows Server 2012 R2

Default state: Enabled

Event generated: VASR_VIOLATION_DETECTED

Occasionally, some applications (as part of their day-to-day processing) might run code in an atypical way and be prevented from running by the memory-protection techniques. To allow such applications to run, you can define specific rules to bypass the memory-protection techniques. See Define bypass rules.

What are rule groups?

A rule group is a collection of rules. Although you can directly add rules to any McAfee ePO-based policy, the rules defined within a policy are specific to that policy. In contrast, a rule group is an independent unit that collates a set of similar or related rules.

After you define a rule group, you can reuse the rules within the rule group by associating the rule group with different policies. Also, to modify a rule, update the rule in the rule group and the change cascades across all associated policies automatically.


The software provides predefined rule groups to allow commonly used applications to run smoothly. Although you cannot edit the predefined rule groups, you can use an existing rule group as a starting point to develop rule groups. If needed, you can also import or export rule groups.

Rule groups can drastically reduce the effort required to define similar rules across policies. If you have a large setup and are deploying the software across numerous endpoints, use rule groups to minimize the deployment time and effort.

Rule group example

Here is an example of how rule groups are used.

An organization runs Oracle on multiple servers. Each of these servers is used by the HR, Engineering, and Finance departments for different purposes. To reduce rule redundancy, we define an Application Control rule group (named AC-Oracle) containing rules to define the relevant updaters for Oracle to function.

After the rule group is defined, we can reuse this rule group across policies for the different departments. So, when defining the HR Servers policy, add the AC-Oracle rule group to the policy with rule groups for the other applications installed on the HR server. Similarly, add the AC-Oracle rule group to the relevant policies for the Engineering Servers and Finance Servers. After defining the policies, if the rule for a critical file was not created, directly update the rule group to automatically update all policies.

Rule group ownership

Users are allowed to edit and delete only the rule groups that they own.

A user who creates a rule group is automatically set as the owner of the rule group. Only the owner and the McAfee ePO administrator can edit and delete the rule group. Also, the administrator can assign ownership to other users or revoke ownership from the owner. In this case, the ownership is automatically granted to the McAfee ePO administrator.

When you upgrade to the 6.2.0 or later extension, the McAfee ePO administrator becomes the owner of all existing rule groups in the enterprise. The rule groups created by all owners are editable only by the McAfee ePO administrator. The McAfee ePO administrator must assign rule group ownership to other users, as needed.

Users who do not own a rule group can only view the rule group and its policy assignments, duplicate the rule group, and add the rule group to policies. However, if the owner or the McAfee ePO administrator updates a rule in the rule group, the change cascades across all associated McAfee ePO policies.

This scenario suits non-global administrators who want to use a rule group (created by the McAfee ePO administrator) without maintaining it. If this scenario does not suit your requirements, duplicate the rule group that you do not own, then assign the duplicate to policies. This method provides you ownership of the duplicated rule group.

What are certificates?

A certificate refers to a trusted certificate, associated with a software package, that permits the associated applications to run on a protected endpoint. After you add a certificate as a trusted certificate, all applications signed by the certificate are allowed.

Application Control supports only X.509 certificates.


Trusted certificates are available only for the Windows operating system and are unavailable on the Linux operating system. Also, all executable and script files added or modified on an endpoint by a file that is signed by a trusted certificate are automatically added to the whitelist. You can configure trusted certificates only for the Windows platform. For example, if you add Adobe's code signing certificate as a trusted certificate, all software issued by Adobe and signed by Adobe's certificate is permitted to run.

To allow any in-house applications to run on protected endpoints, you can sign the applications with an internal certificate. After you do, all applications signed by the certificate are allowed. Also, all executable and script files added or modified on an endpoint by a file that is signed by the certificate are automatically added to the whitelist.

What are updater processes?

An updater process is an application permitted to update the endpoint. If a program is configured as an updater, it can install new software and update existing software. For example, if you configure the Adobe 8.0 updater program as an updater, it can periodically patch all needed files.

Updaters work at a global level and are not application- or license-specific. After a program is defined as an updater, it can modify any protected file. If you are using both Application Control and Change Control, an updater defined via an Application Control policy can also modify files protected by rules defined in a Change Control policy.

An updater is not authorized automatically. To be authorized, an updater must be in the whitelist or given explicit authorization (defined as allowed via a policy or added as an updater based on SHA-1 or SHA-256). Use caution and carefully assign updater privileges to executable files. For example, if you set cmd.exe as an updater and invoke any executable from it, the executable can perform any change on the protected endpoints.

To avoid a security gap, it is not recommended to have a file configured as an allowed executable and updater concurrently.

Common candidates to set as updaters include software distribution applications, such as Tivoli, Opsware, Microsoft Systems Management Server (SMS), Bladelogic, and programs that need to frequently update themselves. Application Control includes predefined rules for commonly used applications that might need to update the endpoints frequently. For example, rule groups are defined for Altiris, SCCM, and McAfee products.

You can also add scripts as updaters. However, this is not applicable for the Windows 8, Windows Embedded 8, Windows 8.1, Windows Embedded 8.1, Windows 10, Windows Embedded 10, Windows Server 2012, and Windows Server 2012 R2 platforms.

What are installers?

When a program (or an installer) is configured as an authorized installer, it gets both the attributes—authorized executable and updater. Regardless of whether the installer was originally on the endpoint, it is allowed to execute and update software on the endpoint. You can configure installers only for the Windows platform.

An authorized installer is allowed based on the SHA-1 or SHA-256 of the installer (specified while configuring the policy). Regardless of the source of the installer (or how one gets this installer to the endpoint), if the SHA-1 or SHA-256 matches, the installer is allowed to run. However, if the reputation of the installer is malicious, it is not allowed to execute. The reputation of the installer is determined based on the SHA-1 value of an executable file. Reputation sources, such as McAfee GTI and TIE server, do not support SHA-256 reputation-based workflows. For example, if you add the installer for the Microsoft Office 2010 suite as an installer and if the SHA-1 or SHA-256 matches, the installer is allowed to install the Microsoft Office suite on the protected endpoints.

Control installation and uninstallation

Manage the installation and uninstallation of software packages using the Package Control feature.

This feature allows or denies installation, uninstallation, upgrade, and repair actions for software packages. Any unauthorized installation and uninstallation is prevented by the feature.

Package Control is identified as pkg-ctrl in the features list and it supports all types of installers on the Windows platform. By default, this feature is enabled. This feature allows or blocks the installation based on the reputation information and defined rules.

• If the reputation information is available, this feature allows or blocks installation of software packages based on these conditions.

Installer type: Microsoft Installers (MSI)

Description: Includes multiple variants such as .msp, .mst, and .msm.

Condition: If the reputation of the certificate (that has signed the installer file) is trusted, installation of software packages is allowed.

Installer type: EXE-based installer

Description: Includes MSI files embedded with the installer.

Condition: If the installer file is configured as an updater, or the reputation of the installer file is trusted, or the reputation of any associated certificate (that has signed the MSI files embedded with the installer) is trusted, installation of software packages is allowed.

Installer type: Non-MSI-based installers

Description: Does not include an MSI file embedded with the installer.

Condition: Package Control considers these conditions to allow or block installation:

• Considers the reputation of the installer file or the reputation of the certificate (that has signed the installer file). The reputation must be trusted.

• Uses a heuristics-based identification for the installer file.

• Considers whether the installer file is included or excluded from the list of generic launcher processes, such as explorer.exe and svchost.exe.

For example, software installation is allowed only if the reputation of the installer file or the reputation of the certificate that has signed the installer file is trusted, Package Control heuristics identified the file as an installer file, and the installer file is excluded from the list of generic launcher processes. If any of these conditions are not met, then installation is not allowed.

• If the reputation information is not available, installation is allowed or blocked based on the defined rules such as updater by name or path, users, directories, certificate as an updater, SHA-1 or SHA-256 as an updater. For more information about these rules, see Allowing changes to endpoints.

When this feature is disabled, software installation and uninstallation is blocked.
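The decision logic above, written out as an added example so that the three installer-type conditions, the fallback to defined rules, the disabled and bypass states, and the rule that a malicious installer file is blocked regardless of configuration can be checked against sample inputs. This is not McAfee code: the Installer record, its field names, and the sample installation attempts are constructed for illustration.

```python
"""Model of the Package Control installation decision described in this guide.

Added example, not McAfee code. The branches follow the installer-type
table (MSI, EXE-based, non-MSI), the fallback to defined rules when no
reputation is available, and the statements that a disabled feature blocks
installation, that Bypass Package Control allows it, and that a malicious
reputation blocks installation regardless of configuration. The Installer
record, its field names and the sample attempts are constructed.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

TRUSTED = {"Known Trusted", "Most Likely Trusted", "Might be Trusted"}
MALICIOUS = {"Known Malicious", "Most Likely Malicious", "Might be Malicious"}

# Generic launcher processes named in the guide; a non-MSI installer that is
# on this list is not allowed to install software.
GENERIC_LAUNCHERS = {"explorer.exe", "svchost.exe"}


@dataclass
class Installer:
    """Constructed view of one installation attempt as Package Control sees it."""
    name: str
    kind: str                                   # "msi", "exe" or "non-msi"
    file_reputation: str = "Unknown"            # reputation of the installer file
    cert_reputation: Optional[str] = None       # signing certificate; None = unsigned
    embedded_msi_cert_reputation: Optional[str] = None  # EXE-based installers only
    is_updater: bool = False                    # file is configured as an updater
    heuristic_installer: bool = False           # heuristics identified it as an installer
    reputation_available: bool = True           # False = no reputation information at all
    allowed_by_rules: bool = False              # updater by name/path/user/dir/cert/SHA rules


def _trusted(rep: Optional[str]) -> bool:
    return rep in TRUSTED


def package_control_decision(inst: Installer, enabled: bool = True,
                             bypass: bool = False) -> Tuple[bool, str]:
    """Return (allowed, reason) for one installation attempt."""
    # A malicious installer file is blocked regardless of the configuration.
    if inst.file_reputation in MALICIOUS:
        return False, "installer file reputation is malicious"
    if not enabled:
        return False, "Package Control disabled: installation blocked"
    if bypass:
        return True, "Bypass Package Control enabled"
    if not inst.reputation_available:
        # Fall back to the defined rules (updater by name or path, users,
        # directories, certificate or SHA-1/SHA-256 as an updater).
        return inst.allowed_by_rules, "decided by defined rules"
    if inst.kind == "msi":
        if _trusted(inst.cert_reputation):
            return True, "MSI: signing certificate is trusted"
        return False, "MSI: signing certificate not trusted"
    if inst.kind == "exe":
        if inst.is_updater:
            return True, "EXE: installer configured as an updater"
        if _trusted(inst.file_reputation):
            return True, "EXE: installer file reputation is trusted"
        if _trusted(inst.embedded_msi_cert_reputation):
            return True, "EXE: embedded MSI certificate is trusted"
        return False, "EXE: no trusted reputation and not an updater"
    # Non-MSI-based installer: all three conditions must hold.
    if not (_trusted(inst.file_reputation) or _trusted(inst.cert_reputation)):
        return False, "non-MSI: neither file nor certificate reputation is trusted"
    if not inst.heuristic_installer:
        return False, "non-MSI: heuristics did not identify the file as an installer"
    if inst.name.lower() in GENERIC_LAUNCHERS:
        return False, "non-MSI: file is a generic launcher process"
    return True, "non-MSI: trusted reputation, identified installer, not a launcher"


# Constructed sample attempts, one per branch worth checking.
SAMPLES = {
    "signed_msi": Installer("tool.msi", "msi", cert_reputation="Known Trusted"),
    "unknown_exe": Installer("setup.exe", "exe"),
    "updater_exe": Installer("setup.exe", "exe", is_updater=True),
    "launcher": Installer("svchost.exe", "non-msi", file_reputation="Known Trusted",
                          heuristic_installer=True),
    "malicious": Installer("bad.exe", "exe", file_reputation="Known Malicious"),
}

if __name__ == "__main__":
    for label, inst in SAMPLES.items():
        allowed, why = package_control_decision(inst)
        print(f"{label:12} {'ALLOW' if allowed else 'BLOCK':5} {why}")
```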

Package Control includes these subfeatures.


Subfeature: Allow Uninstallation

Description: Controls the uninstallation of software packages. When this feature is enabled, software uninstallation, upgrade, and repair actions are allowed. By default, this feature is enabled and identified as pkg-ctrl-allow-uninstall in the features list.

Subfeature: Bypass Package Control

Description: Controls bypassing from the Package Control feature. When this feature is enabled, the Package Control feature is bypassed and software installation and uninstallation is allowed. By default, this feature is disabled and identified as pkg-ctrl-bypass in the features list.

By default, the Package Control and Allow Uninstallation features are enabled. You can uninstall any software from the system. However, if the reputation of the uninstall file is malicious (Known Malicious, Most Likely Malicious, or Might be Malicious), software uninstallation is not allowed regardless of the Package Control configuration. If the reputation of the installer file or MSI file is malicious, software installation is not allowed regardless of the Package Control configuration. Use this default configuration for desktop and System Center Configuration Manager (SCCM)-managed environments. This configuration allows change, repair, remove, or upgrade operations for software that are useful in these scenarios.

• Explicit software upgrades.

• Software upgrades through Windows update mechanisms.

• Software upgrades of existing software while installing new software packages in chained installations.

• Rollback if there is a power failure or if you restart your system during installation. This is called a suspended installation. The installer tracks the installation that is in progress. When resumed, you can roll back the suspended installation or continue the suspended installation.

If needed, you can also change the default configuration to:

• Disable the Allow Uninstallation feature — Prevents you from uninstalling software from the system. Use this configuration for fixed-function devices and server environments for all actions except upgrades. For upgrading software in server environments, you must switch to the default configuration because this configuration blocks change, repair, remove, or upgrade operations for software.

• Enable the Bypass Package Control feature — Allows software installation and uninstallation on the system except when the file has malicious reputation.

• Disable the Package Control feature — Prevents software installation and uninstallation on the system.

• Place the system in Update mode — Allows software installation and uninstallation on the system except when the file has malicious reputation.

For information about how to configure Package Control, see Configure Package Control.

Permissions for rule configuration

The McAfee ePO administrator can configure permissions for Solidcore configuration, as needed.

If you have multiple administrators working in your enterprise, review and manage permissions for each administrator.


When do I assign permissions?

Typically, the McAfee ePO administrator is the global administrator who manages the whole enterprise and has access to all Solidcore pages. In contrast, the non-global administrator can be a site or local administrator who manages a particular site or group of systems. In the enterprise, the sites can be categorized based on locations, sectors, or functional groups.

For example, in an organization with multiple sites across different locations (north, south, east, and west), the McAfee ePO administrator manages the whole organization and a site administrator or non-global administrator manages each site.

Permissions for the Rule Groups, Certificates, and Installers pages

You can configure permissions for the Rule Groups, Certificates, and Installers pages that appear on the Menu | Configuration | Solidcore Rules page. The permissions determine the actions you can take from these pages and control whether these pages are visible from other Solidcore pages.

You can assign one of these permissions for the Rule Groups, Certificates, and Installers pages. By default, the McAfee ePO administrator has edit permissions for all pages.

Permission: No Permissions

Details: Indicates that the page is not visible to the user. For example, if no permissions are granted to a user for the Rule Groups page, the tab is not visible from the Solidcore Rules and Policy Catalog (rule group assignments) pages. Also, the user inherits no permissions on the Updater Processes, Certificates, Installers, Directories, Users, Executable Files, Exclusions, Filters, and Execution Control tabs.

Permission: View Permissions

Details: Indicates that the page is visible to the user. But, the user cannot perform modify, delete, or user operations from the page. For example, if view permissions are granted to a user for the Rule Groups page, the tab is visible from the Solidcore Rules and Policy Catalog (rule group assignments) pages. While the user can view rule group information and check assignments, the user is not allowed to edit, duplicate, or add rule groups.

Permission: Edit Permissions

Details: Indicates that the tab is visible and the user can perform all actions available on the page. For example, if edit permissions are granted to a user on the Rule Groups page, the page is visible from the Solidcore Rules and Policy Catalog (rule group assignments) pages and the user is allowed to perform all operations.

Permissions for the tabs contained in rule group and policy pages

User permissions for the Rule Groups page control the permissions for the Updater Processes, Certificates, Installers, Directories, Users, Executable Files, Exclusions, Filters, and Execution Control tabs. The permissions available for the Rule Groups page indicate the permissions for the contained tabs. If needed, the McAfee ePO administrator can selectively change the permissions for individual tabs.

When No Permissions or View Permissions are granted to a user, some actions are impacted and might not be available.


Blocked action: Add Rule Group action is blocked.
Impacted pages: Certificates and Installers pages
Permissions required for: Edit or change permissions on these:

• Solidcore 8.0.0: Application Control (policy permissions)

• Rule Groups page

• Installer (tab permissions)

• Certificate (tab permissions)

Blocked action: Exclude Events action is blocked.
Impacted pages: Solidcore Events page
Permissions required for: Filters tab

Blocked action: Allow by Certificate is disabled.
Impacted pages: For ActiveX Installation activity and all requests associated with a certificate on the Policy Discovery: Custom Rules page
Permissions required for: Certificates tab

Blocked action: Bypass Memory Protection action is disabled.
Impacted pages: For Memory Protection Violation activity on the Policy Discovery: Custom Rules page
Permissions required for: Exclusions tab

Blocked action: Allow Trusted Path action is disabled.
Impacted pages: For Network path execution activity on the Policy Discovery: Custom Rules page
Permissions required for: Directories tab

Blocked action: Approve Request action is disabled. Ban Request action is disabled.
Impacted pages: For File Addition, File Modification, Application execution, or Software Installation activities on the Policy Discovery: Custom Rules page
Permissions required for: Updater Processes, Executable Files, or Installers tab

Blocked action: Allow Files and Ban Files actions are disabled.
Impacted pages: For a file on the By Applications and File details pages
Permissions required for: Executable Files tab

Blocked action: Import action is unsuccessful because tab-specific rules are not imported.
Impacted pages: Rule Groups page
Permissions required for: Contained tab on the Rule Groups page

Blocked action: Show Suggestions action is disabled.
Impacted pages: Observations (Deprecated) page
Permissions required for: Contained tab on the Rule Groups page

Configure and manage rule groups

Configure rule group permissions and create rule groups to collate related rules. Also, you can import or export rule groups to manage rule group configuration.


Tasks

• Change rule group ownership on page 22
Assign rule group ownership to more users or remove ownership from users.

• Manage permissions for rule group tabs on page 82
Specify permissions for the Rule Groups, Certificates, Installers pages, and the tabs contained in rule group and policy pages.

• Create a rule group on page 83
Create a rule group to specify the required rules.

• Delete or rename rule groups on page 24
Delete or rename a rule group, as needed.

• Import or export a rule group on page 24
To replicate rule group configuration from one McAfee ePO server to another, export the rule group configuration from the source McAfee ePO server to an XML file and import the XML file to the target McAfee ePO server.

• Verify the import for a rule group on page 27
You can verify whether the import operation for a rule group was successful.

• View assignments for a rule group on page 87
Instead of navigating through all the created policies, you can directly view all policies in which a rule group is being used. This feature provides a convenient way to verify if each rule group is assigned to the relevant policies.

Change rule group ownership

Assign rule group ownership to more users or remove ownership from users.

Before you begin

You must be a global administrator to perform this task.

Task

For details about product features, usage, and best practices, click ? or Help.

1 On the McAfee ePO console, select Menu | Configuration | Solidcore Rules.

2 On the Rule Groups tab in the Owners column, click the owner for a rule group to open the Rule Group Ownership page.

3 Change the default ownership by selecting or deselecting users listed on the page.

4 Click Save.

Changes made to owners are reflected in the Owners column for the selected rule group.

Manage permissions for rule group tabs

Specify permissions for the Rule Groups, Certificates, Installers pages, and the tabs contained in rule group and policy pages.

Before you begin

You must be a McAfee ePO administrator to use this task.


Task

For details about product features, usage, and best practices, click ? or Help.

1 On the McAfee ePO console, select Menu | User Management | Permission Sets.

2 Click New to create a permission set.

3 Provide a name for the permission set.

4 Select the users you want to assign the permission set to.

The selected level of permissions is granted to the user.

When multiple permission sets are applied to a user account, they aggregate. Consider this as you plan your strategy for granting permissions to the users in your environment. See Solidcore permission sets.

5 Click Save.

6 Click Edit on the Solidcore General permissions category.

7 Grant permissions for Certificates, Installers, and Rule Groups, as needed.

8 Grant permissions selectively for the tabs (Updater Processes, Certificates, Installers, Directories, Users, Executable Files, Exclusions, Filters, and Execution Control) contained in rule group and policy pages, as needed.

This is based on the permissions the user has on the Rule Groups page. For information, see Permissions for rule configuration.

9 Click Save.

Create a rule group

Create a rule group to specify the required rules.

Task

For details about product features, usage, and best practices, click ? or Help.

1 On the McAfee ePO console, select Menu | Configuration | Solidcore Rules.

2 Select Application Control from the Rule Groups tab.

You can use an existing rule group as a starting point or define a new rule group. To modify an existing rule group, complete steps 3, 5, 6, and 7. To define a new rule group, complete steps 4, 5, 6, and 7.

3 Create a rule group based on an existing rule group.

a Click Duplicate for an existing rule group to open the Duplicate Rule Group dialog box.

b Specify the rule group name, then click OK.

The rule group is created and listed on the Rule Groups page.

4 Define a new rule group.

a Click Add Rule Group to open the Add Rule Group dialog box.

b Specify the rule group name.


c Select the rule group type and platform.

d Click OK.

The rule group is created and listed on the Rule Groups page.

5 Click Edit for the rule group.

6 Specify the required rules.

For information about defining rules, see Allowing changes to endpoints.

7 Click Save Rule Group.

Delete or rename rule groups

Delete or rename a rule group, as needed.

Before you begin

You must be the global administrator or owner of the rule group to perform this task.

Task

For details about product features, usage, and best practices, click ? or Help.

1 On the McAfee ePO console, select Menu | Configuration | Solidcore Rules.

2 Complete one of these steps from the Rule Groups tab.

• To rename a rule group, click Rename, specify a new name, and click OK to close the Rename Rule Group dialog box.

• To delete a rule group, click Delete and click Yes to close the Delete Rule Group dialog box.

Import or export a rule group

To replicate rule group configuration from one McAfee ePO server to another, export the rule group configuration from the source McAfee ePO server to an XML file and import the XML file to the target McAfee ePO server.

If you are the owner of the rule group or the global administrator, you can import the rule group XML file to the target McAfee ePO server. However, if you are a non-global administrator, you can import rules only for the tabs where you have permissions. All other rules are not imported and details are available on the Server Task Log page. For information on permissions, see Permissions for rule configuration.

Also, when you import rule groups to a (target) McAfee ePO server, the user logged on to the McAfee ePO server becomes the owner of the imported rule group. When you export rule groups from a source McAfee ePO server, the owner information is not exported.

When importing or exporting rule groups containing Trusted Groups, make sure that the Active Directory server on the source and destination McAfee ePO servers are configured using the same domain name, server name, or IP address.

You can import or export rule groups using the McAfee ePO console or web service APIs.


Tasks

• Use the McAfee ePO console on page 25

Based on your setup, you can import or export rule groups using the McAfee ePO console.

• Use web service APIs on page 25

Based on your setup, you can import or export rule groups using web service APIs provided by Application Control and Change Control.

Use the McAfee ePO console

Based on your setup, you can import or export rule groups using the McAfee ePO console.

You can also export rule groups to an XML file, edit the XML file to make the required changes to rule groups, and import the file to the McAfee ePO server to use the changed rule groups.

Task

For details about product features, usage, and best practices, click ? or Help.

1 On the McAfee ePO console, select Menu | Configuration | Solidcore Rules.

2 Complete one of these steps from the Rule Groups tab.

• To import rule groups, click Import, browse to and select the rule groups file, and click OK. While importing, you can specify whether to override rule groups (if you are importing a rule group with the same name as an existing rule group).

• To export selected rule groups to an XML file, select the rule groups, click Export, and save the file.

Use web service APIs

Based on your setup, you can import or export rule groups using web service APIs provided by Application Control and Change Control.

Task

1 Open the command prompt, then navigate to this directory.

<ePO installation directory>\Remote-Client\

For example, C:\Program Files\McAfee\ePolicy Orchestrator\Remote-Client\

2 Run this command to connect to the McAfee ePO shell client.

shell-client.bat <eposerverip:epoport> <epouserid> <epopassword> https post

For example, shell-client.bat <xxx.xx.xx.xxx:xxxx> admin testP@ssword https post

3 Use these web service APIs, as needed.

Web service API: scor.rulegroup.find(ruleGroupOS, ruleGroupType, ruleGroupName)

Searches for the required rule group in the list of all Solidcore rule groups. This service takes these parameters.

• ruleGroupOS (Required) Operating system associated with the rule group. Possible values are WIN and UNIX.

• ruleGroupType (Required) Product associated with the rule group. Possible values are APPLICATION_CONTROL, CHANGE_CONTROL, and INTEGRITY_MONITOR.

• ruleGroupName (Optional) Name of the rule group.


Web service API: scor.rulegroup.export(ruleGroupOS, ruleGroupType, ruleGroupName, exportFileName)

Exports the rule group information from the (source) McAfee ePO server. Optionally, you can export the rule group information to an XML file on the McAfee ePO server. This service takes these parameters.

• ruleGroupOS (Required) Operating system associated with the rule group. Possible values are WIN and UNIX.

• ruleGroupType (Required) Product associated with the rule group. Possible values are APPLICATION_CONTROL, CHANGE_CONTROL, and INTEGRITY_MONITOR.

• ruleGroupName (Optional) Name of the rule group. If you do not provide a rule group name, all editable rules are exported for the specified operating system and rule group type.

• exportFileName (Optional) Name of the XML file, such as c:\foo.xml, c:\foo\foo.xml, where you want to store the exported rule group information. The location of the XML file must be on the McAfee ePO server. Make sure that you provide the absolute path to the location and not the relative path as the value.

Web service API: scor.rulegroup.import(file, override)

Imports the rule group information from an XML file to the (target) McAfee ePO server. This service takes these parameters.

• file (Required) Path to the XML file. Follow these considerations based on the location of the XML file.

If the XML file is located on the McAfee ePO server, specify the fully qualified name as the value for this parameter. For example, scor.rulegroup.import c:\abc.xml.

If the XML file is located on a local system, specify the value for this parameter as file:/// followed by the location on the local system. For example, scor.rulegroup.import file=file:///c:/abc.xml.

• override (Optional) Overwrites an existing matching rule group on the target McAfee ePO server. By default, the value for this parameter is set to false, so that the parameter does not overwrite an existing matching rule group on the target McAfee ePO server.
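As an added example (not from the product guide and not McAfee's code), the following Python script builds the scor.rulegroup.export and scor.rulegroup.import invocations documented above, enforcing the path rules the parameter descriptions state (absolute path on the ePO server, file:/// prefix for a local file, override left at false unless asked for), and feeds them to shell-client.bat. It assumes, which the guide does not state, that the shell client reads one API invocation per line from standard input and accepts parameters as name=value pairs (the form the guide itself uses for file=); the server name, port, rule group name and export location are placeholders.

```python
import getpass
import subprocess
from pathlib import PureWindowsPath

# Default Remote-Client location from the guide; adjust to your ePO installation directory.
SHELL_CLIENT = r"C:\Program Files\McAfee\ePolicy Orchestrator\Remote-Client\shell-client.bat"
VALID_OS = {"WIN", "UNIX"}
VALID_TYPES = {"APPLICATION_CONTROL", "CHANGE_CONTROL", "INTEGRITY_MONITOR"}


def valid_server_path(path):
    # The guide requires an absolute (not relative) path located on the ePO server.
    return PureWindowsPath(path).is_absolute()


def export_command(rule_group_os, rule_group_type, rule_group_name=None, export_file=None):
    """Build the scor.rulegroup.export invocation, validating the documented values."""
    if rule_group_os not in VALID_OS:
        raise ValueError(f"ruleGroupOS must be one of {sorted(VALID_OS)}")
    if rule_group_type not in VALID_TYPES:
        raise ValueError(f"ruleGroupType must be one of {sorted(VALID_TYPES)}")
    params = [f"ruleGroupOS={rule_group_os}", f"ruleGroupType={rule_group_type}"]
    if rule_group_name:
        params.append(f"ruleGroupName={rule_group_name}")
    if export_file:
        if not valid_server_path(export_file):
            raise ValueError("exportFileName must be an absolute path on the ePO server")
        params.append(f"exportFileName={export_file}")
    return "scor.rulegroup.export " + " ".join(params)


def import_command(xml_path, local=False, override=False):
    """Build the scor.rulegroup.import invocation.

    local=False: the XML already sits on the target ePO server (fully qualified path).
    local=True:  the XML is on the machine running the shell client and is passed as
                 file:/// followed by its location, as the guide describes.
    override stays at the documented default (false) unless an existing rule group
    of the same name really should be replaced."""
    if local:
        value = "file:///" + PureWindowsPath(xml_path).as_posix()
    elif valid_server_path(xml_path):
        value = xml_path
    else:
        raise ValueError("file must be a fully qualified path on the ePO server")
    cmd = f"scor.rulegroup.import file={value}"
    return cmd + " override=true" if override else cmd


def run_shell_client(server, port, user, commands):
    """Feed the prepared commands to shell-client.bat (assumed to read them from stdin).

    The password is prompted for instead of being hard-coded; the tool itself still
    takes it as a command-line argument, so run this only from a trusted host."""
    password = getpass.getpass(f"ePO password for {user}: ")
    proc = subprocess.run(
        [SHELL_CLIENT, f"{server}:{port}", user, password, "https", "post"],
        input="\n".join(commands) + "\n", text=True, capture_output=True, check=False)
    return proc.returncode, proc.stdout + proc.stderr


if __name__ == "__main__":
    # Placeholders: the server name, port and export location are not from the guide.
    steps = [
        "scor.rulegroup.find ruleGroupOS=WIN ruleGroupType=APPLICATION_CONTROL",
        export_command("WIN", "APPLICATION_CONTROL", export_file=r"C:\Temp\ac-rulegroups.xml"),
    ]
    rc, output = run_shell_client("epo.example.local", 8443, "admin", steps)
    print(output)
```

The find call is issued first so the operator sees which rule groups exist before exporting. The guide also accepts the positional form scor.rulegroup.import c:\abc.xml for a file on the ePO server; this example uses the name=value form throughout so that the override flag can be appended uniformly.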

Verify the import for a rule group

You can verify whether the import operation for a rule group was successful.

You can view details about the import operations for a rule group to verify whether the operation is successful.


Task

For details about product features, usage, and best practices, click ? or Help.

1 On the McAfee ePO console, select Menu | Automation | Server Task Log.

2 Specify the task name Import Solidcore Rule Groups in the Quick find text box, then click Apply.

3 Verify that the status of this server task is Completed.

If the status of the task shows Failed, the import operation was not successful.

4 Click the server task to open the Server Task Log Details page.

Review the Log Messages tab for details about the rules.

View assignments for a rule group

Instead of navigating through all the created policies, you can directly view all policies in which a rule group is being used. This feature provides a convenient way to verify if each rule group is assigned to the relevant policies.

Task

For details about product features, usage, and best practices, click ? or Help.

1 On the McAfee ePO console, select Menu | Configuration | Solidcore Rules.

2 On the Rule Groups tab, click Assignments for a rule group to view the policies to which the selected rule group is assigned.

Manage certificates

Add a certificate before defining rules to permit installation and execution of software signed by the certificate.

You can add a certificate regardless of whether the certificate is an internal certificate or is issued to the vendor by a certificate authority. When adding a certificate, you can also provide updater privileges to the certificate. Use this option carefully because it makes sure that all executable files signed by the certificate acquire updater privileges. For example, if you set the Microsoft certificate that signs the Internet Explorer application as an updater, Internet Explorer can download and execute any application from the Internet. In effect, any file added or modified by an application that is signed by the certificate (with updater privileges) is added to the whitelist automatically.

Tasks

• Add a certificate to McAfee ePO on page 88

You can use one of these methods to add a certificate.

• Search for a certificate on page 89

Search for a certificate based on its category.

• View assignments for a certificate on page 89

Verify if each certificate is assigned to the appropriate policies and rule groups.


Add a certificate to McAfee ePO

You can use one of these methods to add a certificate.

• Upload an existing certificate.

• Immediately extract certificates from signed executable files on a network share.

• Schedule a server task to routinely extract certificates from signed executable files on a network share.

Task

For details about product features, usage, and best practices, click ? or Help.

1 Upload an available certificate.

a On the McAfee ePO console, select Menu | Configuration | Solidcore Rules.

b On the Certificates tab, select Actions | Upload to open the Upload Certificate page.

c Browse to and select the certificate file to import, then click Upload.

2 Extract certificates associated with signed executable files on a network share.

a Select Menu | Configuration | Solidcore Rules.

b On the Certificates tab, select Actions | Extract Certificates to open the Extract Certificate from File page.

c Type the path of the file.

Make sure that the file path is accessible from the McAfee ePO server.

d Type your network credentials to access the specified network location.

e Click Extract.

3 Schedule and regularly extract the certificates associated with signed executable files on a networkshare.

a Select Menu | Automation | Server Tasks.

b Click New Task to open the Server Task Builder wizard.

c Type the task name, then click Next.

d Select Solidcore: Scan a Software Repository from the Actions drop-down list.

e Specify the repository path.

All subfolders in the specified path are also scanned for installers and certificates.

f Type your network credentials to access the specified network location.

g Click Test Connection to make sure that the specified credentials work.

h Select Add extracted certificates and installers to Rule Group to add the certificates and installers extracted by the task to a user-defined rule group and select the user-defined rule group from the list.

You can add extracted certificates and installers only to user-defined rule groups.

i Click Next, specify the schedule for the task, then click Next.

j Review the task summary, then click Save.


4 (Optional) Specify an alias or friendly name for a certificate.

a Select Menu | Configuration | Solidcore Rules.

b On the Certificates tab, select a certificate.

c Click Actions | Edit to open the Edit window.

d Enter the friendly name, then click OK.

Search for a certificate

Search for a certificate based on its category.

Task

For details about product features, usage, and best practices, click ? or Help.

1 On the McAfee ePO console, select Menu | Configuration | Solidcore Rules.

2 On the Certificates tab, select a category to sort the listed certificates.

• Issued To — Sorts the list by the name of the organization that publishes the certificate.

• Issued By — Sorts the list by the name of the signing authority.

• Extracted From — Sorts the list by the path of the file from which the certificate was extracted.

• Friendly Name — Sorts the list by the friendly name of the certificate.

3 Type the string to search for and click Search.

View assignments for a certificate

Verify if each certificate is assigned to the appropriate policies and rule groups.

Task

For details about product features, usage, and best practices, click ? or Help.

1 On the McAfee ePO console, select Menu | Configuration | Solidcore Rules.

2 On the Certificates tab, select a certificate, then click Actions | Check Assignments.

The Certificate Assignments dialog box lists the rule groups and policies where the selected certificate is assigned.

Manage installers

Before defining rules to permit an installer to install or update software on endpoints, you must add the installer. You can add an executable or script file as an installer.

Tasks

• Add an installer to McAfee ePO on page 90

Use one of these methods to add an installer.

• Search for an installer on page 90

Search for an installer based on the category.

• View assignments for an installer on page 91

This feature provides a convenient way to verify if each installer is assigned to the relevant policies and rule groups.


Add an installer to McAfee ePO

Use one of these methods to add an installer.

• Add an existing installer.

• Schedule a server task to routinely add installers.

Task

For details about product features, usage, and best practices, click ? or Help.

1 Add an existing installer.

a On the McAfee ePO console, select Menu | Configuration | Solidcore Rules.

b On the Installers tab, select Actions | Add Installer to open the Add Installer page.

c Enter the installer details.

d Click Add.

2 Schedule and regularly add installers that are on a network share.

a Select Menu | Automation | Server Tasks.

b Click New Task to open the Server Task Builder wizard.

c Type the task name, then click Next.

d Select Solidcore: Scan a Software Repository from the Actions drop-down list.

e Specify the repository path.

All subfolders in the specified path are also scanned for installers and certificates.

f Specify the network credentials to access the specified network location.

g Click Test Connection to make sure that the specified credentials work.

h Select Add extracted certificates and installers to Rule Group to add the certificates and installers extracted by the task to a user-defined rule group and select the user-defined rule group from the list.

You can add extracted certificates and installers only to user-defined rule groups.

i Click Next.

j Specify the schedule for the task.

k Click Next to open the Summary page.

l Review the task summary, then click Save.

Search for an installer

Search for an installer based on the category.


Task

For details about product features, usage, and best practices, click ? or Help.

1 On the McAfee ePO console, select Menu | Configuration | Solidcore Rules.

2 On the Installers tab, select a category to sort the listed installers.

• Installer Name — Sorts the list by the name of the installer.

• Vendor — Sorts the list by the name of the vendor who published the installer.

3 Type the installer or vendor name to search for, then click Search.

View assignments for an installer

This feature provides a convenient way to verify if each installer is assigned to the relevant policies and rule groups.

Task

For details about product features, usage, and best practices, click ? or Help.

1 On the McAfee ePO console, select Menu | Configuration | Solidcore Rules.

2 On the Installers tab, select an installer, then click Actions | Check Assignments.

The Installer Assignments dialog box lists the rule groups and policies where the selected installer is assigned.

3 Click OK.

Configure Package Control

Configure Package Control to control the installation and uninstallation of software packages on a system.

Task

For details about product features, usage, and best practices, click ? or Help.

1 On the McAfee ePO console, select Menu | Policy | Policy Catalog.

2 Select the Solidcore 8.0.0: Application Control product.

3 Select the Application Control Options (Windows) category.

4 Click the My Default policy to edit it.

By default, the My Default policy is applied to all endpoints in your enterprise. If you want to configure the feature for selected endpoints, duplicate the My Default policy, edit the settings, and apply the policy to only the relevant endpoints.

5 On the Features tab:

a Select Enforce feature control from McAfee ePO.

By default, the Package Control and Allow Uninstallation options are selected.


b Select an option for configuring Package Control.

Option: Package Control

Enable: When enabled, all subfeatures revert to their default state. But, if you enable the Bypass Package Control subfeature, disable and re-enable Package Control, the Bypass Package Control subfeature is still enabled and in effect.

Disable: Disabling this feature also disables all its subfeatures.

Option: Allow Uninstallation

Enable: When enabled, this feature allows uninstallation of software packages on endpoints.

Disable: When disabled, it prevents uninstallation of software packages on endpoints.

Option: Bypass Package Control

Enable: When enabled, Package Control is bypassed and you cannot control the installation and uninstallation of software packages.

Disable: Disables the feature.


7 Designing the trust model

When you deploy Application Control to protect an endpoint, it prevents execution of unauthorized applications and allows only trusted applications to run. Your trust model dictates the changes that are permitted in your setup.

Contents

How Application Control allows execution

Designing the trust model

How Application Control allows execution

Application Control accepts new software only when it is added through an authorized process. This dynamic trust model allows you to configure what is allowed to run on devices in your environment.

Before allowing or blocking a file, Application Control considers the file reputation and whether it is added to the whitelist, and checks other existing rules. While reputation and whitelist are the most common methods to determine trusted files, existing rules in your enterprise also impact whether a file is allowed to run.

Reputation: Application Control supports reputation-based execution. When you run an executable file, Application Control checks the reputation of the file and its associated certificate and allows or blocks the file execution based on the reputation settings for your enterprise. For more information, see Configure reputation sources.

Whitelist: Application Control creates a whitelist of executables (binaries, libraries, and drivers) and script files on the endpoint. The whitelist includes all authorized files and determines trusted or known files. In Enabled mode, only files in the whitelist or files with trusted reputation are allowed to execute. Also, all files in the whitelist are protected and cannot be modified or deleted. An executable or script file that is not in the whitelist is considered unauthorized and is prevented from running.

Other methods: Application Control provides multiple other methods to authorize execution of a program or file on a protected endpoint.

• Updater processes or users

• Authorized executable by name

• SHA-1 or SHA-256

• Directories

• Certificates

Designing the trust model

Set reputations and design trust policies for your environment based on your requirements.

To design the trust model for your enterprise, we recommend that you:


1 Understand the checks Application Control performs when you try to execute a file. See Checks Application Control runs for a file.

2 Define additional attribute-based and granular rules for files, if needed. See Defining attribute-based rules for file execution.

3 Review the predefined rules provided with Application Control. See Predefined rules in default policies.

4 Run the software in Observe mode to identify policy suggestions and quickly develop policies and define rules for your enterprise. See Deploying Application Control in Observe mode.

5 Define rules manually, as needed, for your environment. See Allowing changes to endpoints.

Checks that Application Control runs for a file

When you execute a file, Application Control performs multiple checks in a set order and allows or blocks execution based on the result.

Application Control starts with the check that has the highest precedence and moves down the list to determine whether to allow or block the executable or script file.

Precedence 1: File unauthorized check

If the file is always unauthorized by name, the file is not allowed to execute. This is set by a rule. See Allow or ban an executable file.

Precedence 2: Banned SHA-1 or SHA-256

If the file is banned by SHA-1 or SHA-256, the file is not allowed to execute. This is set by a rule. See Allow or ban an executable file.


Precedence 3: TIE reputation

If the TIE server is configured based on the reputation settings for your enterprise, these checks are performed. For more information about configuring reputation settings, see File and certificate reputation.

1 Check if the executable file is signed.

• If yes, fetch reputation for all certificates associated with the file.

• If no, use file reputation to allow or deny execution.

2 Verify if reputation for any associated certificate is set to Unknown on the TIE server.

• If yes, ignore certificate reputation and use file reputation to allow or deny file execution.

• If no, compute reputation based on reputation of all certificates associated with the file and use resultant reputation to allow or deny file execution.

Trusted reputation takes precedence over malicious reputation when determining resultant certificate reputation. For example, if a file is signed by two malicious and one trusted certificate, resultant reputation based on certificates associated with the file is trusted.

If the resultant reputation for certificates associated with the file or file reputation is:

• Known Trusted, Most Likely Trusted, Might be Trusted — File is allowed to execute.

• Might be Malicious, Most Likely Malicious, Known Malicious — File is not allowed to execute.

• Unknown — If the reputation for any certificate associated with the file is Unknown, certificate reputation is ignored and file reputation is used to determine execution. If file reputation is Unknown, Application Control proceeds with the next check.

• Not set — Application Control proceeds with the next check.

Precedence 4: File authorized check

If the file is always authorized by file name, it is allowed to execute. This is set by a rule. See Allow or ban an executable file.

Precedence 5: Allowed SHA-1 or SHA-256

If the file is allowed by SHA-1 or SHA-256, it is allowed to execute. This is set by a rule. See Allow or ban an executable file.

Precedence 6: Allowed certificate

If the certificate associated with a file is allowed, the file is allowed to execute. This is set by a rule. See Add a certificate to a policy or rule group.

This check does not apply to script files.


Precedence 7: McAfee GTI reputation

These checks are performed.

1 Check if the file is signed with one or more certificates.

• If yes and reputation for any associated certificate is not set on the TIE server, fetch GTI reputation for certificates associated with the file from the TIE server or McAfee GTI file reputation service.

• If not, fetch file GTI reputation from the TIE server or McAfee GTI file reputation service to allow or deny execution.

If certificate reputation on the TIE server is set to Unknown, McAfee GTI certificate reputation is not checked. Similarly, if file reputation on the TIE server is set to Unknown, McAfee GTI file reputation is not checked for the file.

2 Compute reputation based on reputation of all certificates associated with the file. Use resultant reputation to allow or deny file execution. If certificate reputation is not available, fetch file GTI reputation from the TIE server or McAfee GTI file reputation service to allow or deny execution.

Trusted reputation takes precedence over malicious reputation while determining resultant certificate reputation. For example, if a file is signed by two malicious and one trusted certificate, resultant reputation based on certificates associated with the file is trusted.

If the resultant reputation for certificates associated with the file or file reputation is:

• Known Trusted, Most Likely Trusted, Might be Trusted — File is allowed to execute.

• Might be Malicious, Most Likely Malicious, Known Malicious — File is not allowed to execute.

• Unknown — Application Control proceeds with the next check.

• Not set — Application Control proceeds with the next check.

Precedence 8: Advanced Threat Defense reputation

If ATD is configured in your setup, the TIE server integrates in real time with ATD to provide detailed assessment and data on malware classification. If ATD is configured and the reputation received is:

• Might be Malicious, Most Likely Malicious, Known Malicious — File is not allowed to execute.

• Unknown or Not set — Application Control proceeds with the next check.

Precedence 9: Updater rule

If the file or its parent process is set as an updater, it is allowed to execute. See Add as an updater.

Precedence 10: Update mode

If the endpoint is running in Update mode, the file is allowed to execute. See Make emergency changes.

Precedence 11: User permissions

If the user is added as a trusted user, the user can execute the file. See Specify trusted or authorized users.

Precedence 12: Volume status

If the file is stored on a trusted volume, the file is allowed to execute. If the volume is defined as a trusted network path, the file is allowed to execute.


13 Removable media If the file is stored on removable media, the file is not allowed to run.

14 Whitelist Application Control checks the whitelist.

• If the file is in the whitelist, it is allowed to execute.

• If the file is not in the whitelist, Application Control checks the skiplist rules. For more information about skiplist rules, see Define bypass rules.

• If a corresponding rule for the file is in the skiplist, the file is allowed to execute.

• If no rule is present for the file in the skiplist, the file is not allowed to execute.

Defining attribute-based rules for file execution

You can define additional execution control attribute-based rules for files in your setup for protection from fileless malware and script-based attacks. Application Control performs multiple checks to determine whether to allow or block a file's execution. If a file's execution is allowed after the Application Control checks, attribute-based or granular rules, if any are defined, come into play. The rules are based on the concept of fine-grained whitelisting and can be created on the attributes of a file.

You can define specific rules using one or more attributes (such as path, parent process, command-line argument, and user) of the file to allow, block, or monitor the file. When multiple rules match a particular scenario, allow rules have the highest precedence, followed by block and monitor rules, respectively.

Attribute-based rules help you allow or block files in different scenarios based on file context and offer flexibility.

• Context-based allowing or blocking of files — On a protected system, only whitelisted interpreters are allowed to execute. But, in certain scenarios, whitelisted interpreters might be misused to execute malicious scripts. For example, powershell.exe can be used to execute unsolidified scripts and run file-less scripts by invoking it with atypical input arguments. You can prevent misuse of interpreters by defining attribute-based rules to block potentially malicious scenarios.

• Flexibility and control — Attribute-based rules provide flexibility to allow or block file execution, as needed. You might need to block a user from running a specific file. If an administrator wants to block the execution of powershell.exe for a specific user, a rule can be added to prevent its execution by that user. Other users in your setup can still execute powershell.exe. You can achieve such scenarios using attribute-based rules.

Similarly, you might choose to block execution of a certain file in your setup completely, except when it is run by a specific parent process. You can achieve this by creating a generic block rule and a parent process-based allow rule for the file. Because the allow rule has precedence over the block rule, it overrides the block rule when applied.

Or, you might choose only to observe or monitor a file to determine how it is executed in your setup. To do this, you can define a monitor rule for the file.

We recommend that before creating a block rule for a file, you create a monitor rule to observe the file's use and execution in your setup. After you define the monitoring rule, if no OBSERVED_FILE_EXECUTION events are generated for the file over a reasonable time window, you can safely define a block rule for the file. But the applied rules are ineffective when the system is in Update mode or Observe mode, or when any process is marked as an updater process. In those cases only the events are generated.
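The three scenarios above (per-user block, generic block overridden by a parent-process allow, and a monitor rule), worked through as an added example that is not McAfee code: a small evaluator that ANDs the four attributes the guide names and resolves conflicts as allow over block over monitor. The operators (equals, contains), the case-insensitive comparison, and the user, tool and parent-process names in the sample rules are constructed assumptions.

```python
from dataclasses import dataclass, field

# Precedence when several rules match one execution: allow > block > monitor.
PRECEDENCE = {"allow": 0, "block": 1, "monitor": 2}


@dataclass
class Rule:
    action: str                 # "allow", "block" or "monitor"
    file_name: str              # the file the rule is defined for
    # attribute -> (operator, string); every listed attribute must match (AND)
    attributes: dict = field(default_factory=dict)
    description: str = ""


@dataclass
class Execution:
    """One attempted execution, described by the four attributes the guide names."""
    file_name: str
    path: str
    command_line: str
    user: str
    parent_process: str


def attribute_matches(operator, pattern, value):
    # Windows names are case-insensitive, so compare case-folded (assumption).
    value, pattern = value.casefold(), pattern.casefold()
    if operator == "equals":
        return value == pattern
    if operator == "contains":
        return pattern in value
    raise ValueError(f"unsupported operator: {operator!r}")


def rule_matches(rule, execution):
    if rule.file_name.casefold() != execution.file_name.casefold():
        return False
    return all(attribute_matches(op, pattern, getattr(execution, attr))
               for attr, (op, pattern) in rule.attributes.items())


def evaluate(rules, execution):
    """Return the effective action and the rules that matched.

    'none' means no attribute-based rule applies, so the earlier Application
    Control checks alone decide the outcome.
    """
    matched = [r for r in rules if rule_matches(r, execution)]
    if not matched:
        return "none", matched
    winner = min(matched, key=lambda r: PRECEDENCE[r.action])
    return winner.action, matched


# Constructed sample rules mirroring the three scenarios described above.
SAMPLE_RULES = [
    # Block powershell.exe for one account only; other users are unaffected.
    Rule("block", "powershell.exe", {"user": ("equals", r"CORP\jdoe")},
         "No PowerShell for this account"),
    # Generic block for a tool, plus a parent-process allow that overrides it.
    Rule("block", "tool.exe", {}, "Block tool.exe everywhere"),
    Rule("allow", "tool.exe",
         {"parent_process": ("equals", r"C:\Deploy\deploy-agent.exe")},
         "Allow tool.exe only when launched by the deployment agent"),
    # Observe cscript.exe before deciding whether a block rule is safe.
    Rule("monitor", "cscript.exe", {}, "Watch cscript.exe usage"),
]


def decide(file_name, path, command_line, user, parent_process, rules=SAMPLE_RULES):
    """Convenience wrapper returning only the effective action."""
    return evaluate(rules, Execution(file_name, path, command_line,
                                     user, parent_process))[0]
```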


Task

For details about product features, usage, and best practices, click ? or Help.

1 On the McAfee ePO console, create or modify an Application Control policy or rule group.

2 Select the Execution Control tab and click Add.

3 Perform one of these actions.

• To define an attribute-based rule for a file, select Based on specified attributes and proceed with step 4.

• To block interactive mode for a process, select Block interactive mode for console-based process, specify the file name, and proceed with step 8.

Block interactive mode for console-based process does not work in Update mode, Observe mode, or when using reboot-free activation. Also, it does not work for processes that are assigned updater privileges. Similarly, if you define a block rule for a file that is already open, the rule does not come into effect.

4 Specify the type of rule to define.

You can choose to allow, block, or monitor a file. The order in which the rule types are listed indicates the precedence in which the rules are applied.

5 Specify the file name.

6 Specify the attributes to define the rule.

You can use one or all attributes to define the rule. Available attributes are path, command line, user, and parent process. You can use the AND operator to combine rules based on different attributes.

a Select the checkbox associated with the attribute.

b Select the operator for the attribute.

c Enter the string.

7 (Optional) Enter the rule description.

8 Click OK.

Predefined rules in default policies

Application Control includes predefined rules for commonly used applications for all supported operating systems.

Apply these default policies to the endpoints to ensure proper product functionality. If available, you can use the blank template or duplicate these policies to configure the settings. These are the predefined rules included in these policies. For information on how to review rules included in the policies, see Review predefined rules.

Default policy | Product | Category | Policy type | Description | Blank template available
McAfee Default | Solidcore 8.0.0: General | Configuration (Client) | Single-slot | Default settings for CLI, throttling, and more for the Solidcore client. | No
McAfee Default | Solidcore 8.0.0: General | Exception Rules (Unix) | Multi-slot | Default exception rules for the UNIX platform. | Yes
McAfee Default | Solidcore 8.0.0: General | Exception Rules (Windows) | Multi-slot | Default rules for memory protection and other bypass techniques on the Windows platform. | Yes
McAfee Default | Solidcore 8.0.0: Application Control | Application Control Options (Windows) | Single-slot | Default settings for self-approval, end-user notifications, inventory, reputation, and Application Control features on the Windows platform. | No
My Default | Solidcore 8.0.0: Application Control | Application Control Options (Windows) | Single-slot | Default settings for self-approval, end-user notifications, inventory, reputation, and Application Control features on the Windows platform. | No
McAfee Default | Solidcore 8.0.0: Application Control | Application Control Rules (Unix) | Multi-slot | Default rules to design the trust model on the UNIX platform. This policy also includes default filters to exclude events that are not relevant for your setup. | Yes
McAfee Default | Solidcore 8.0.0: Application Control | Application Control Rules (Windows) | Multi-slot | Default rules to design the trust model on the Windows platform. This policy also includes default filters to exclude events that are not relevant for your setup. | Yes
McAfee Applications (McAfee Default) | Solidcore 8.0.0: Application Control | Application Control Rules (Windows) | Multi-slot | McAfee-specific rules that allow other McAfee products to run successfully on protected endpoints. These rules are also included in the McAfee Default policy for the Application Control Rules (Windows) category. | No
Common ActiveX Rules | Solidcore 8.0.0: Application Control | Application Control Rules (Windows) | Multi-slot | Predefined read-only rules to install commonly used ActiveX controls on endpoints. | No
Throttling Rules | Solidcore 8.0.0: Application Control | Application Control Rules (Windows) | Multi-slot | Predefined read-only rules to filter and stop observations received from endpoints running 6.1.2 or later versions. When the number of observations received at the McAfee ePO server reaches the defined threshold, this policy is applied to all systems and groups in your organization. | No
Throttling Rules (Deprecated) | Solidcore 8.0.0: Application Control | Application Control Rules (Windows) | Multi-slot | Predefined read-only rules to filter and stop observations received from endpoints running 6.1.1 or earlier versions. When the number of observations received at the McAfee ePO server reaches the defined threshold, this policy is applied to all systems and groups in your organization. | No

Allowing changes to endpoints

Most application environments are dynamic in nature, some more than others. Application Control provides several mechanisms to help you create a dynamic whitelisting solution.

If you deploy the software in Observe mode, relevant rules are identified and automatically applied to endpoints as you process requests. Also, when endpoints are running in Enabled mode, you can quickly identify and apply relevant rules while processing events. Application Control features minimize the need to manually define rules specific to your setup. However, if needed, you can manually define rules that are relevant for your environment.

Depending on the enterprise environment, administrators can use one of these mechanisms to allow authorized change agents to create, modify, or delete files in the whitelist. Before defining new rules to allow authorized changes, review the default rules included in Application Control. When defining enterprise-specific rules, you can use a rule group or policy. Whichever you use, the framework to define rules is the same.

To design a trust model and allow additional users or programs to execute or modify files on a protected endpoint, you can use one of these methods on endpoints running in Enabled mode.

Updater process An application permitted to update the endpoint. See What are updaters?

Executable file An executable file permitted or restricted from running on the endpoints.

Certificate A trusted certificate (associated with a software package) that is permitted to install and modify files on a protected endpoint. See What are certificates? and Manage certificates.

Installer An application installer identified by its SHA-1 or SHA-256 that is allowed to install or update software. See What are installers? and Manage installers.

Directory A trusted directory (local or network share) identified by its Universal Naming Convention (UNC) path.

User An authorized Windows user with privileges to dynamically add to the whitelist.

Of all strategies available to allow changes to protected endpoints, this is the least preferred because it offers minimal security. We suggest that you define trusted users carefully because after a trusted user is added, there are no restrictions on what the user can modify or run on an endpoint.

These methods cater to most requirements. If not, you can use other methods, such as placing the endpoints in Observe mode or Update mode, as needed. See Application Control modes.

See also
Manage certificates on page 87
Manage installers on page 89

Guidelines for defining rules

Review these guidelines before defining rules.

Supported system variables

The path specified in a rule can include system environment variables (Windows only). This table lists the supported system variables.

Variable | Example value (most Windows platforms)
%ALLUSERSPROFILE% | C:\Documents and Settings\All Users
%APPDATA% | C:\Documents and Settings\{username}\Application
%COMMONPROGRAMFILES% | C:\Program Files\Common Files
%COMMONPROGRAMFILES (x86)% | C:\Program Files (x86)\Common Files
%HOMEDRIVE% | C:
%HOMEPATH% | C:\Documents and Settings\{username} (\ on earlier Windows versions)
%PROGRAMFILES% | C:\Program Files
%PROGRAMFILES (x86)% | C:\Program Files (x86) (only for 64-bit versions)
%SYSTEMDRIVE% | C:
%SYSTEMROOT% | C:\windows (C:\WINNT on earlier Windows versions)
%TEMP% (system), %tmp% (user) | C:\Documents and Settings\{username}\Local Settings\Temp, C:\Temp
%USERPROFILE% | C:\Documents and Settings\{username} (C:\WINNT\profiles\{username} for earlier versions)
%WINDIR% | C:\Windows

Path considerations

These considerations apply to path-based rules.


• Paths do not need to be absolute when specifying rules. For example, when defining an updater, you can specify partial or fully qualified paths.

Partial paths If you specify partial paths, such as AcroRd32.exe or Reader\AcroRd32.exe, all programs with names that match the specified string are assigned updater privileges. If you specify a partial path, such as notepad.exe, when blocking a file, all programs with names that match the specified string are blocked.

Fully qualified paths Use fully qualified paths in rules, such as C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32.exe or \Program Files\Adobe\Reader 9.0\Reader\AcroRd32.exe. When you specify the fully qualified path, only the specified program is assigned updater privileges. When blocking a file, if you specify the fully qualified path, for example C:\Windows\system32\notepad.exe, only the specified file is blocked.

• Paths can contain white spaces.

• Paths can include wildcard characters to specify file paths and file names. When using wildcards, ensure that the specified string matches a limited set of file paths or file names. If the specified string matches a large number of files, we recommend that you revise the string.

Windows platform Paths can include the * and ? wildcard characters.

• When specifying a trusted directory, \\10.10.10.10\*****\User2, \\10.10.10.10\????\User2, \\10.10.10.10\*AD*\* and \\10.10.10.10\?AD?***\User1 are allowed, while \\*\AD\User1, \\*.10.10.10\AD*\User1, and \\10.**10.10\AD*\User1 are not supported.

• When specifying a file path for an updater rule, ?:\Test1\Test2\Test.exe, C:\?Test*QA\Test1\Test.exe, C:\Test1\?\?\Test.exe and C:\*\*\Test.exe are allowed, while *:\Test1\Test2\Test.exe and *:\Test1\*\*\Test.exe are not supported.

Linux platform Paths can include the * wildcard character.

Using /abc/*/def is allowed, while /abc/*.sh, /abc/*.*, or /abc/doc.* is not supported.
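The wildcard restrictions in the two platform entries above, encoded as an added example (not McAfee code): a validator that rejects exactly the shapes the guide lists as unsupported and re-checks every path the guide gives. It assumes the examples generalize as the comments state (wildcards in the UNC server name, * as the drive letter, and * glued to other characters on Linux are what make a path unsupported); the function names are mine.

```python
import re

# Sample paths copied from the guidelines above; the flag says whether the
# guide lists the path as supported.
WINDOWS_TRUSTED_DIRECTORY_PATHS = [
    (True, r"\\10.10.10.10\*****\User2"),
    (True, r"\\10.10.10.10\????\User2"),
    (True, r"\\10.10.10.10\*AD*\*"),
    (True, r"\\10.10.10.10\?AD?***\User1"),
    (False, r"\\*\AD\User1"),
    (False, r"\\*.10.10.10\AD*\User1"),
    (False, r"\\10.**10.10\AD*\User1"),
]
WINDOWS_UPDATER_PATHS = [
    (True, r"?:\Test1\Test2\Test.exe"),
    (True, r"C:\?Test*QA\Test1\Test.exe"),
    (True, r"C:\Test1\?\?\Test.exe"),
    (True, r"C:\*\*\Test.exe"),
    (False, r"*:\Test1\Test2\Test.exe"),
    (False, r"*:\Test1\*\*\Test.exe"),
]
LINUX_PATHS = [
    (True, "/abc/*/def"),
    (False, "/abc/*.sh"),
    (False, "/abc/*.*"),
    (False, "/abc/doc.*"),
]

# Drive-letter prefix such as "C:\" or "?:\" (a "*" here is what the guide rejects).
_DRIVE = re.compile(r"^([A-Za-z?*]):\\")


def validate_windows_path(path):
    """Return (ok, reason) for a Windows rule path.

    '*' and '?' may appear in any path component, but the guide's examples show
    two places where they are not supported: the server part of a UNC path and
    '*' as the drive letter ('?:' is accepted).
    """
    if path.startswith("\\\\"):
        server = path[2:].split("\\", 1)[0]
        if not server:
            return False, "UNC path has no server name"
        if "*" in server or "?" in server:
            return False, "wildcards are not supported in the UNC server name"
        return True, ""
    match = _DRIVE.match(path)
    if match and match.group(1) == "*":
        return False, "'*' is not supported as the drive letter; use '?'"
    return True, ""


def validate_linux_path(path):
    """Return (ok, reason) for a Linux rule path.

    Only '*' is listed for Linux, and only as a whole component: '/abc/*/def'
    is supported while '*.sh', '*.*' and 'doc.*' are not.
    """
    if "?" in path:
        return False, "'?' is not listed as a supported wildcard on Linux"
    for component in path.split("/"):
        if "*" in component and component != "*":
            return False, f"'*' must be a whole path component, got {component!r}"
    return True, ""


def check_all():
    """Validate every sample path and return those whose verdict disagrees with
    the guide; an empty list means the validator reproduces the tables."""
    mismatches = []
    for expected, path in WINDOWS_TRUSTED_DIRECTORY_PATHS + WINDOWS_UPDATER_PATHS:
        if validate_windows_path(path)[0] != expected:
            mismatches.append(path)
    for expected, path in LINUX_PATHS:
        if validate_linux_path(path)[0] != expected:
            mismatches.append(path)
    return mismatches
```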

Add as an updater

Some components are frequently required to install new software or update existing software components. You can specify these components as updaters. Define an updater to allow the file to install new software or update existing software components.

You must have the required permissions to perform this task. If you don't, contact the McAfee ePO administrator. For more information, see Permissions for rule configuration.

Task

For details about product features, usage, and best practices, click ? or Help.

1 On the McAfee ePO console, create or modify an Application Control policy or rule group.

2 Select the Updater Processes tab and click Add.


3 Specify whether to add the updater based on the file name, SHA-1, or SHA-256.

Adding an updater by name is available for Windows and Linux operating systems. However, adding an updater by SHA-1 or SHA-256 is available only for the Windows operating system. If you add the updater by name, the updater is not authorized automatically. The file must be added to the whitelist for the updater-by-name rule to work. However, when you add the updater by SHA-1 or SHA-256, the updater is authorized.

4 Enter the location of the file (when adding by name), or the SHA-1 or SHA-256 value of the executable file.

5 Specify an identification label for the program.

For example, to specify multiple updaters, you can specify the identification label as updater_label_number, such as Adobe1, Adobe2, and so on. If you specify Adobe1 as the label, all changes made by the Adobe 8.0 updater are tagged with this label.

6 When adding an updater by name, specify conditions that the file must meet to run as an updater.

• Select None to allow the file to run as an updater without any conditions.

• Select Library to allow the file to run as an updater only when it has loaded the specified library. For example, when configuring iexplore.exe as an updater to allow Windows Updates using Internet Explorer, specify wuweb.dll as the library. This makes sure that the iexplore.exe program has updater privileges only while the web control library (wuweb.dll) is loaded.

• Select Parent to allow the file to run as an updater only if it is launched by the specified parent. For example, when configuring updater.exe as an updater to allow changes to Mozilla Firefox, specify firefox.exe as the parent. Although updater.exe is a generic name that can be part of any installed application, using the parent makes sure that only the correct program is allowed to run as an updater.

7 When adding an updater by name, indicate whether to disable inheritance for the updater.

For example, if Process A (which is set as an updater) starts Process B, disabling inheritance for Process A makes sure that Process B does not become an updater.

8 When adding an updater by name, indicate whether to suppress events generated for the actions performed by the updater.

Typically, when an updater changes a protected file, a File Modified event is generated for the file. Ifyou select this option, no events are generated for changes made by the updater.

9 Click OK.

Allow or block an executable file

If a reputation source is available in your environment, executable files are automatically allowed or blocked from executing based on their reputation. However, based on your requirements, you can manually authorize or restrict execution for an executable file (based on its name, SHA-1, or SHA-256).

Allowing an executable file based on the SHA-1 or SHA-256 ensures that regardless of the source of the file (such as the Internet or an in-house repository), if the SHA-1 or SHA-256 matches, the file is allowed to run.

You must have the required permissions to perform this task. If you don't, contact the McAfee ePO administrator. For more information, see Permissions for rule configuration.


Task

For details about product features, usage, and best practices, click ? or Help.

1 On the McAfee ePO console, create or modify an Application Control policy or rule group.

2 Select the Executable Files tab and click Add.

3 Specify an identifier for the rule in the Rule Name field.

You can use the identifier to group related rules.

For example, you can specify Blocking unauthorized programs as the identifier for all rules that you define to block unauthorized programs in your organization.

4 Indicate whether to allow or block the file.

5 Indicate whether to allow or block the file based on the file's name, SHA-1, or SHA-256.

Allow or ban by name is available for Windows and Linux operating systems. However, allow or ban by SHA-1 or SHA-256 is available only for the Windows operating system.

6 Enter the name, SHA-1 value, or SHA-256 value.

7 Click OK.

Add a certificate to a policy or rule group

After you add a certificate to McAfee ePO, you can assign it to a policy or rule group. Application Control allows software packages that are associated with trusted certificates to run on a protected system. After you add a certificate as trusted or authorized, you can run all software signed by the certificate on a protected system without entering Update mode. Trusted certificates are available only for the Windows operating system and are unavailable on the Linux operating system.

You must have the required permissions to perform this task. If you don't, contact the McAfee ePO administrator. For more information, see Permissions for rule configuration.

Task

For details about product features, usage, and best practices, click ? or Help.

1 Assign a certificate to a policy by defining a trusted certificate in a policy.

a On the McAfee ePO console, create or modify an Application Control policy.

b On the Certificates tab, click Add.

c Search for and add the certificate.

For example, you can search for and add the Microsoft certificate. For more information, see Manage certificates.

d (Optional) Select Add Certificate as Updater to provide updater privileges to the certificate.

e Specify an identification label for the certificate.

If you select Add Certificate as Updater, you must specify an identification label for the certificate.

f Click OK.

2 Assign a certificate to an existing rule group.

a On the McAfee ePO console, select Menu | Configuration | Solidcore Rules.

b On the Certificates tab, select the certificates to add to a rule group.


c Click Actions | Add to Rule Group to open the Add to Rule Group dialog box.

d Select the user-defined rule group for adding the certificates, then click OK.

Alternatively, you can assign a certificate to a user-defined rule group by using the Menu | Configuration | Solidcore Rules | Rule Groups page. See Create a rule group.

Add an installer to a policy or rule group

After you add an installer, you can assign it to a policy or rule group to allow users to install new software and update the software components on a protected endpoint.

You must have the required permissions to perform this task. If you don't, contact the McAfee ePO administrator. For more information, see Permissions for rule configuration.

Task

For details about product features, usage, and best practices, click ? or Help.

1 Assign an installer to a policy.

a On the McAfee ePO console, create or modify an Application Control policy.

b On the Installers tab, click Add.

c Search for and add the installer. For example, you can add the installer for Adobe Reader to allow users to run the installer on the endpoints.

d Specify an identification label for the installer.

e Click OK.

2 Assign an installer to an existing rule group.

a On the McAfee ePO console, select Menu | Configuration | Solidcore Rules.

b On the Installers tab, select the installers to assign to a rule group.

c Click Actions | Add to Rule Group to open the Add to Rule Group dialog box.

d Select the user-defined rule group for adding the installers, then click OK.

Alternatively, you can assign an installer to a user-defined rule group by using the Menu | Configuration | Solidcore Rules | Rule Groups page. See Create a rule group.

Add an exclusion

Add exclusion rules to bypass applied memory-protection and other techniques.

You must have the required permissions to perform this task. If you don't, contact the McAfee ePO administrator. For more information, see Permissions for rule configuration.

Task

For details about product features, usage, and best practices, click ? or Help.

1 On the McAfee ePO console, create or modify an Application Control policy or rule group.

2 On the Exclusions tab, click Add.

3 Enter the file name.

4 Select the required options. For detailed information, see Define bypass rules.

5 Click OK.


Add a trusted directory

Add directories (local or network share) as trusted directories to run any software in these directories on a protected endpoint. This feature is available on both Windows and Linux operating systems. A trusted directory refers to a directory (local or network share) identified by its Universal Naming Convention (UNC) path. After you add a directory as a trusted directory, endpoints can run any software in that directory. When enabled, Application Control prevents protected endpoints from executing any file residing on a network share. If you maintain shared folders containing installers for licensed applications on the internal network in your organization, add trusted directories for such network shares.

If needed, you can also allow the software at that UNC path to install software on the protected endpoints. For example, when logging on to a Domain Controller from a protected endpoint, you must define \\domain-name\SYSVOL as a trusted directory (to allow execution of scripts).

You must have the required permissions to perform this task. If you don't, contact the McAfee ePO administrator. For more information, see Permissions for rule configuration.

Task

For details about product features, usage, and best practices, click ? or Help.

1 On the McAfee ePO console, create or modify an Application Control policy or rule group.

2 On the Directories tab, click Add.

3 Enter the location of the directory.

4 Select Include or Exclude.

Use Exclude to exclude a specific folder or subfolder within a trusted directory.

5 (Optional) Select Assign updater privileges to executed programs to allow the software at that UNC path to modify the endpoints.

6 Click OK.

Specify trusted or authorized users

A trusted user is an authorized user (Windows only) with privileges to dynamically add to the whitelist.

You must have the required permissions to perform this task. If you don't, contact the McAfee ePO administrator. For more information, see Permissions for rule configuration.

For example, add the administrator as a trusted user to allow the administrator to install or update any software. While adding the user details, you must also provide the domain details. Specify authorized users permitted to override protection. This allows users to perform update operations on a protected endpoint.

Task

For details about product features, usage, and best practices, click ? or Help.

1 On the McAfee ePO console, create or modify an Application Control policy or rule group.

You can enter user details or import user or group details from an Active Directory.

2 Specify details to authorize users to override the protection in effect.

a On the Users tab, click Add.

b Create two rules for each user.

• With UPN/SAM and domain account name (in domainName\user format)

• With domain netbiosName (in netbiosName\user format)


c Specify a unique identification label for the user. For example, if you specify John Doe's Changes as the identification label for the John Doe user, all changes made by the user are tagged with this label.

d Type the user name.

e Click OK.

3 Import user details from an Active Directory.

a Make sure that the Active Directory is configured as a registered server.

b On the Users tab, click AD Import to open the Import from Active Directory dialog box.

c Select the server.

d Select Global Catalog Search to find users in the catalog (only if the selected Active Directory is a Global Catalog server).

e Specify whether to search for users based on the UPN (User Principal Name) or SAM account name.

Your search determines the authorized user. If you use the UPN or common name, the user is trusted with the UPN; if you use the SAM account name, the user is trusted with the SAM account name.

f Enter the user name.

The Contains search criteria is applied for the specified user name.

g Specify a group name to search for users within a group.

If a group is in the Active Directory, you can't add it directly to a policy. To authorize all users in a group, add the user group to a rule group and include the rule group in a policy. Using groups makes sure that all changes to a user group automatically cascade across all rule groups and associated policies.

h Click Find to display the results.

i Select the users to add in the search results and click OK.


8 Deploying Application Control in Observe mode

You can also use Observe mode to discover policy rules to run a new application before enterprise-wide deployment on endpoints already running Application Control.

Observe mode offers two benefits.

• Helps you develop policies and determine rules that allow applications to run in Enabled mode.

• Performs a dry run for the product to run or install software without any blockages.

Observe mode is available on all supported Windows platforms except Windows NT and Windows 2000. Observe mode is not available on the Linux platform.

Contents
What are observations?
Deploying in Observe mode
Configure the feature
Place endpoints in Observe mode
Policy discovery permissions
Manage requests
Specify filters for observations and events
Specify filters for user comments
Throttle observations
Exit Observe mode

What are observations?

Observations record execution, installation, and uninstallation activities for managed endpoints.

Generally speaking, when Application Control is running in Observe mode, it allows most operations on the endpoints. In Observe mode, a file is allowed to execute unless it is banned by a specific rule or has malicious reputation. For each action that Application Control would block in Enabled mode, a corresponding observation is logged in Observe mode. For example, the installation of software or modification of a package generates corresponding observations. All observations generated on an endpoint are sent to the McAfee ePO server after the agent-server communication interval (ASCI). When an endpoint is in Observe mode, no Application Control events are generated for the endpoint.

Observe mode also supports reputation-based execution. When you execute a file at an endpoint, the software fetches its reputation and the reputation of all certificates associated with the file to determine whether to allow or ban the file execution.


• Trusted files — If the reputation for an executable file or its associated certificate is trusted, the file is allowed to run, unless blocked by a predefined ban rule. No corresponding observation or event is generated.

• Malicious files — If the reputation for an executable file or its associated certificate is malicious, the file is not allowed to execute and no corresponding observation is generated. A corresponding event is generated and displayed on the Solidcore Events page. The settings configured for your enterprise determine the reputation value that is banned. You can choose to ban only Known Malicious, Most Likely Malicious, Might be Malicious files, or all such files.

• Unknown — If the reputation for an executable file or its associated certificate is unknown, reputation is not used to determine execution. Application Control performs multiple other checks to determine whether to allow or block the file. For more information, see Checks that Application Control runs for a file.

Regardless of the file's reputation, if a ban by name, SHA-1, or SHA-256 rule exists for an executable file, its execution is banned. No corresponding observation is generated. A corresponding event is generated and displayed on the Solidcore Events page.
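The decision order described above, as an added Python example (not McAfee's code): it models how explicit ban rules, file and certificate reputation tiers, and the configured ban threshold combine, and what is logged in Observe mode versus Enabled mode. The numeric tier encoding, the field names, and the precedence used when a file's own reputation and its certificate's disagree are assumptions of this example.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import FrozenSet, Optional


class Reputation(IntEnum):
    """Tiers named as in the guide; the numeric order is this example's encoding."""
    KNOWN_MALICIOUS = 0
    MOST_LIKELY_MALICIOUS = 1
    MIGHT_BE_MALICIOUS = 2
    UNKNOWN = 3
    MIGHT_BE_TRUSTED = 4
    MOST_LIKELY_TRUSTED = 5
    KNOWN_TRUSTED = 6


def is_trusted(rep: Reputation) -> bool:
    return rep >= Reputation.MIGHT_BE_TRUSTED


def is_malicious(rep: Reputation) -> bool:
    return rep <= Reputation.MIGHT_BE_MALICIOUS


@dataclass(frozen=True)
class FileInfo:
    name: str
    sha1: str
    sha256: str
    file_reputation: Reputation
    cert_reputation: Optional[Reputation]   # None for an unsigned file
    # Outcome of the "other checks" the guide refers to for unknown reputation
    # (whitelist membership, updater rules, ...): True if Enabled mode would block.
    blocked_by_other_checks: bool


@dataclass(frozen=True)
class Policy:
    banned_names: FrozenSet[str]      # lower-cased file names
    banned_sha1: FrozenSet[str]
    banned_sha256: FrozenSet[str]
    # Most-trusted malicious tier that is still banned: MIGHT_BE_MALICIOUS bans all
    # three malicious tiers, KNOWN_MALICIOUS bans only Known Malicious files.
    ban_threshold: Reputation = Reputation.MIGHT_BE_MALICIOUS


@dataclass(frozen=True)
class Decision:
    allowed: bool
    observation: bool   # request raised on the Policy Discovery page
    event: bool         # entry on the Solidcore Events page
    reason: str


def evaluate(f: FileInfo, policy: Policy, observe_mode: bool) -> Decision:
    # 1. A ban by name, SHA-1 or SHA-256 wins regardless of reputation:
    #    execution banned, event generated, no observation.
    if (f.name.lower() in policy.banned_names
            or f.sha1 in policy.banned_sha1
            or f.sha256 in policy.banned_sha256):
        return Decision(False, False, True, "ban rule")

    # The guide consults the file's reputation or its certificate's; checking
    # "trusted" before "malicious" when they disagree is this example's assumption.
    reps = [f.file_reputation]
    if f.cert_reputation is not None:
        reps.append(f.cert_reputation)

    # 2. Trusted: allowed, nothing logged.
    if any(is_trusted(r) for r in reps):
        return Decision(True, False, False, "trusted reputation")

    # 3. Malicious at or beyond the configured threshold: banned, event only.
    if any(is_malicious(r) and r <= policy.ban_threshold for r in reps):
        return Decision(False, False, True, "malicious reputation")

    # 4. Unknown (or a malicious tier the policy does not ban): reputation is not
    #    used; the other Application Control checks decide.
    if not f.blocked_by_other_checks:
        return Decision(True, False, False, "passed other checks")
    if observe_mode:
        # Observe mode lets the action run and records an observation instead.
        return Decision(True, True, False, "observe mode: allowed, observation logged")
    return Decision(False, False, True, "enabled mode: blocked, event logged")


if __name__ == "__main__":
    # Constructed sample: one ban-by-name rule, default threshold.
    policy = Policy(frozenset({"evil.exe"}), frozenset(), frozenset())
    unknown_unsigned = FileInfo("new.exe", "1" * 40, "2" * 64,
                                Reputation.UNKNOWN, None, True)
    for mode in (True, False):
        print("observe" if mode else "enabled", evaluate(unknown_unsigned, policy, mode))
```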

Observations are generated in both Enabled mode and Observe mode.

• For all processes that do not have updater privileges, these observations are generated in Enabled mode and Observe mode.

• Execution Denied

• File Write Denied

• ActiveX Installation Prevented

• Process Hijack Attempted

• Nx Violation Detected

• Installation Denied

• For a process that is assigned updater privileges, observations are generated for these memory protection-related operations in Enabled mode and Observe mode.

• Process Hijack Attempted

• Nx Violation Detected

Deploying in Observe mode

Deploying Application Control in Observe mode involves these high-level steps.

1 Identify the staging or test endpoints for deployment.

If you have multiple types of endpoints in your setup, group similar types of endpoints to roll out Observe mode. This allows you to analyze product impact on each group of endpoints, discover policy groups, and validate the policies that apply to each group of endpoints.

2 Place Application Control in Observe mode for a few days and perform day-to-day tasks on the endpoints.

If a reputation source is available and configured, you can review the reputation of files and certificates in your enterprise. This helps you make informed decisions for the received requests. The settings configured for your enterprise determine the reputation values that are allowed and banned.

Requests are created based on observations generated for the endpoints. These requests allow you to discover Application Control policy rules for the software installed on the endpoints.

For detailed information, see Place endpoints in Observe mode.


3 Periodically review and create rules for the received requests.

For detailed information, see Manage requests.

4 Validate the recently added policies by running frequently used workflows. This helps you verify if more requests are received for the applications.

If appropriate rules are applied at the endpoints, repeat requests do not appear on the McAfee ePO console.

5 When the number of requests received reduces considerably, exit Observe mode and place the endpoints in Enabled mode.

For detailed information, see Exit Observe mode.

Configure the feature

Review and edit the list of generic launcher processes and restricted certificate names.

You can configure these settings for the feature.

• Generic launcher processes — Certain processes on the Windows operating system, such as explorer.exe and iexplore.exe, start other processes and can be used to start any software. Such processes are referred to as generic launcher processes and must never be configured as updaters. A predefined list of such processes is available on the Application Control configuration interface. You can review and edit the list of generic launcher processes. No updater rules are generated for generic launcher processes at the endpoints.

• Restricted certificate names — Certificates from certain vendors such as Microsoft are associated with multiple commonly used applications. They should not be used to define rules based on the certificate. A predefined list of such certificates is available on the Application Control configuration interface. You can review and edit the list of restricted certificate names. If the file in a request is signed by one of these certificates, you cannot create rules based on the certificate associated with the file.

Task
For details about product features, usage, and best practices, click ? or Help.

1 On the McAfee ePO console, select Menu | Configuration | Server Settings | Solidcore.

2 Review and edit the list of generic launcher processes.

a Review the processes listed in the Generic launcher processes field.

b Click Edit to update the list.

c Add the process name to the end of this list (separated by a comma), then click Save.

3 Review and edit the list of restricted certificates.

a Review the names listed in the Restricted certificate names field.

b Click Edit to update the list.

c Add the vendor name to the end of this list (separated by a comma), then click Save.

For example, to prevent creation of rules based on the Microsoft certificate, add Microsoft to the list. Use the value listed in the ISSUED TO field of the certificate.


Place endpoints in Observe mode

After installation, we recommend placing selected endpoints in Observe mode to perform a test run for the Application Control product.

Select at least one endpoint for each type you have in your environment. Use one of these client tasks to place the endpoints in Observe mode.

• SC: Enable — Use this client task to place the endpoints in Observe mode after fresh installation of Application Control.

• SC: Observe Mode — Use this client task to place the existing endpoints (running in Enabled mode) in Observe mode.

Task
For details about product features, usage, and best practices, click ? or Help.

1 On the McAfee ePO console, select Menu | Systems | System Tree.

2 Perform one of these actions.

• Group — Select the group in the System Tree and click the Assigned Client Tasks tab.

• Endpoint — Select the endpoint on the Systems page and click Actions | Agent | Modify Tasks on a Single System.

3 Click Actions | New Client Task Assignment to open the Client Task Assignment Builder page.

4 Select Solidcore 8.0.0 | SC: Enable, then click Create New Task to open the Client Task Catalog page.

a Specify the task name and add any descriptive information.

b Select Windows for the platform, All except NT/2000 for the subplatform, then select Application Control.

c Specify the scan priority.

The set scan priority determines the priority of the thread that is run to create the whitelist on the endpoints. We recommend setting the scan priority to Low. This makes sure that Application Control causes minimal performance impact on the endpoints but might take longer (than when you set the priority to High) to create the whitelist.

d Specify the activation option.

• Limited Feature Activation — Endpoints are not restarted, the whitelist is created, and limited features of Application Control (memory protection features are unavailable) are activated. Memory protection features are available only after the endpoint is restarted.

• Full Feature Activation — Endpoints are restarted, the whitelist is created, and all features of Application Control including memory protection are active. Restarting the endpoints is needed to enable the memory protection features. The endpoint is restarted 5 minutes after the client task is received at the endpoint. A pop-up message is displayed on the endpoint before the endpoint is restarted.

e Select Start Observe Mode.

f (Optional) Select Pull Inventory.

If you select this option, the inventory (including the created whitelist) is sent to McAfee ePO. Select this option because inventory information is used in multiple workflows available from McAfee ePO.

g Click Save.

5 Click Next to open the Schedule page.


6 Specify scheduling details, then click Next.

7 Review and verify the task details, then click Save.

8 (Optional) Wake up the agent to send your client task to the endpoint immediately.

Policy discovery permissions

By default, non-global administrators can view, manage, and delete requests generated only by endpoints in their associated group (within My Organization).

If you review request details on the Request Details page, the number of requests listed in the Enterprise Level Activity pane might be less than the value displayed in the Global Prevalence column on the Policy Discovery page. This is because the Global Prevalence column indicates the enterprise-wide prevalence for the requests regardless of any groups. For example, if a request is generated by two systems in different groups across the enterprise, the value in the Global Prevalence is 2. However, because non-global administrators can only view the requests generated for their group, the non-global administrator might see only one request generated by the system in their group in the Enterprise Level Activity pane.

The McAfee ePO administrator can review and manage all requests generated in the enterprise (My Organization). Also, the McAfee ePO administrator can add rules to any rule group, and provide permissions to all non-global administrators to review and take custom actions on the requests generated in the enterprise.

If you are a non-global administrator, you can add rules (for a request) to only the rule groups that you own. Rule groups that you do not own are not displayed on the Policy Discovery: Custom Rules page. Also, if you take an action for a request, the action does not impact the same request generated by the system in a different group.

Allow non-global administrators to manage enterprise-wide requests

If you are a McAfee ePO administrator, you can assign permissions to all non-global administrators (who have access to groups in My Organization) to review and manage requests generated in your enterprise.

Task
For details about product features, usage, and best practices, click ? or Help.

1 On the McAfee ePO console, select Menu | Configuration | Server Settings.

2 From the Setting Categories pane, select Solidcore, then click Edit to open the Edit Solidcore page.

3 Change the value of Allow group administrators to manage Policy Discovery requests for entire System Tree to Yes (overrides System Tree group access permissions).

4 Click Save.

All non-global administrators are allowed to review and take custom actions on enterprise-wide requests. Non-global administrators cannot perform global actions.


Manage requests

Use the Policy Discovery page to manage requests received from your administered groups. If you are a McAfee ePO administrator, you can manage enterprise-wide requests using the Policy Discovery page. For information on permissions for this page, see Policy discovery permissions. As you process generated requests and add relevant rules for your enterprise, the number of requests gradually declines.

Starting with the 6.1.2 release, the Policy Discovery page serves as a central console to help you manage all observation and self-approval requests. In 6.1.1 and earlier releases, the Observations page served as a central console to help you manage observations. After you install the 6.1.2 or later extension, observations received from endpoints running version 6.1.1 and earlier can be viewed using the deprecated Observations page.

Tasks

• Review requests on page 114
Review the requests received from endpoints.

• Process requests on page 116
Process the received requests for your administered groups by taking relevant actions for the requests. If you are a McAfee ePO administrator, you can process the received requests for the enterprise.

• Review created rules on page 123
Review and manage the global rules created for the processed requests.

Review requests

Review the requests received from endpoints.

On the Solidcore: Health Monitoring dashboard, check these monitors to take notice of the data that might require immediate action.

• Top 10 Pending Policy Discovery Requests

• Systems with Most Pending Requests Generated in Observe Mode

For information about the Solidcore: Health Monitoring dashboard, see Monitor enterprise health.

Task
For details about product features, usage, and best practices, click ? or Help.

1 On the McAfee ePO console, select Menu | Application Control | Policy Discovery to open the Policy Discovery page.

After requests are received from the endpoints, Application Control collates and groups requests based on these parameters:

• SHA-1 of the executable or cab file (if there is a request for an ActiveX control) for which the request is received.

Although Application Control supports SHA-256 values for files, only SHA-1 values are used for collating and grouping requests on the Policy Discovery page.

• Status of the request.

The Activity field for each request indicates the action performed by the user on the endpoint. For example, if the user installs MSI-based software, the Activity field lists Software Installation for the request.

Memory protection violation requests are grouped based on SHA-1 and activity type. Network path execution requests are grouped based on file path and activity type.


2 Review the listed requests using one of these methods.

• Specific interval — Select an option from the Time Filter list, then click Update Results to view requests received during a specific interval.

• Request status — Select a value for the request status from the Approval Status list, then click Update Results to view requests that match the selected status.

• Activity — Click Additional filters and select a value from the Activity list. Click Update Results to view requests for a certain activity.

• Reputation — Click Additional filters and select a value from the Final Reputation list. Click Update Results to view requests for files that match the selected reputation value. For more information about how the software determines final reputation for files or certificates, click What's Final Reputation.

• Specific endpoint — Click Additional filters and enter an endpoint name in the System Name field. Click Update Results to view requests received from the endpoint. Make sure that you specify the complete system name because no partial matches are performed.

• Multiple criteria — Specify values for the Time Filter, Approval Status, Activity, Final Reputation, and System Name fields, as needed, then click Update Results to perform a search based on the specified criteria.

• Specific search string — Enter a search string in the Quick find field for Object Name, Application Name, Certificates, and User Comments, then click Apply to view requests that match the specified search string. Partial matches are performed based on the text you specify.

• Sort — Sort the list based on the global prevalence, final reputation, reputation source, execution time, activity, object name, application name, certificate, or user comments by clicking the column heading.

• Selected requests — Select requests of interest, then click Show selected rows to review only the selected requests.

The Policy Discovery page lists only the requests for which the McAfee ePO administrator can make rules. To view other requests, such as those for installers with trusted reputation, run the Policy Discovery Requests for Automatically-Approved Installations query. The query lists all files with trusted reputation that were executed automatically on the endpoints with installer permission in the last one month. For information about how to run queries, see View queries.

3 (Optional) Record additional information for a request.

a Perform one of these steps:

• To add user comments for one request, click Add a comment link.

• To add user comments for multiple requests, select the requests and click Actions | Add Comments.

The Add Comments dialog box appears.

b Enter your comments.

c Click OK.

A site administrator has permission to overwrite the user comments already added by a global administrator.


4 Review individual requests that make up a collated request and detailed information for the file.

a Click a row to open the Request Details page.

b Review file details, such as name, version, path, parent process, files changed, final reputation, and user comments, if any.

c Review the SHA-1, SHA-256, and MD5 information for the file.

d Click the file SHA-1 value to review file details on the File Details page.

e Review the certificate vendor name for the file. The certificate vendor name for a file is color coded to indicate trusted (green), malicious (red), or unknown (orange) reputation.

f Click the certificate name to view certificate details, such as issuer, certificate reputation, reputation source, public key algorithm, public key length, public key hash, certificate hash, valid from, and valid to.

g Review the individual requests that make up the collated request in the Enterprise Level Activity pane.

h Click Close.

Process requests

Process the received requests for your administered groups by taking relevant actions for the requests. If you are a McAfee ePO administrator, you can process the received requests for the enterprise.

Review each request and determine the action to take for the request. For each request, information about the final reputation, reputation source, file SHA-1, certificate, and global prevalence is also available to help you take relevant actions.

The reputation value for a file is color-coded to indicate trusted, malicious, and unknown reputation:

• Values in green indicate that the file is Known Trusted, Most Likely Trusted, or Might be Trusted.

• Values in orange indicate that the file is unknown.

• Values in red indicate that the file is Known Malicious, Most Likely Malicious, or Might be Malicious.

• Values in grey indicate that the reputation value is Not applicable (only for network path execution requests).

The reputation source indicates the source from where the reputation is fetched. Possible values for reputation source are TIE, GTI, Application Control, Not synchronized, or Not Applicable. If you click the TIE value, it opens the TIE Reputations page where you can view relevant details for the selected file. For more information about how the reputation is computed, see File and certificate reputation.

The status of the request is based on the action you take for the request.

• If you define only allow rules for the associated file, the Approval Status for the request is set to Allowed and the file is allowed to execute on the endpoints.

• If you define one or more ban rules with allow rules for a file, the Approval Status for the request is set to Banned and the file is not allowed to execute on endpoints.

In the last few releases, we have optimized the software to make sure that only meaningful and relevant requests are received on the McAfee ePO console. However, you can define exclusion rules to further prune routine or system-generated observations not relevant for your setup. Manually define exclusion rules for any process by using the Filters tab in the Application Control policy.
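How the collation described under Review requests and the status derivation just described fit together, as an added Python example (not McAfee code): it groups constructed sample observations by the keys the guide names (SHA-1 plus status; SHA-1 plus activity for memory-protection violations; file path plus activity for network-path executions), computes Global Prevalence as the number of distinct reporting systems, and derives Approval Status from the rules defined for a request. The activity label for network-path executions, the field names, and the sample data are assumptions of this example.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Sequence, Tuple

# Activity labels from the guide's observation list; the network-path label is assumed.
MEMORY_PROTECTION_ACTIVITIES = {"Process Hijack Attempted", "Nx Violation Detected"}
NETWORK_PATH_ACTIVITY = "Network Path Execution"   # assumed label


@dataclass(frozen=True)
class Observation:
    system: str             # endpoint that reported it
    activity: str           # e.g. "Software Installation", "Execution Denied"
    object_name: str
    path: str
    sha1: str
    status: str = "Pending"  # approval status at the time of collation


GroupKey = Tuple[str, str, str]


def group_key(o: Observation) -> GroupKey:
    """Key under which the Policy Discovery page would collate this observation."""
    if o.activity in MEMORY_PROTECTION_ACTIVITIES:
        return ("memory-protection", o.sha1, o.activity)   # SHA-1 + activity type
    if o.activity == NETWORK_PATH_ACTIVITY:
        return ("network-path", o.path, o.activity)        # file path + activity type
    return ("file", o.sha1, o.status)                      # SHA-1 + request status


@dataclass
class Request:
    key: GroupKey
    observations: List[Observation]

    @property
    def global_prevalence(self) -> int:
        # Enterprise-wide count of systems that raised the request, regardless of group.
        return len({o.system for o in self.observations})


def collate(observations: Iterable[Observation]) -> Dict[GroupKey, Request]:
    groups: Dict[GroupKey, List[Observation]] = defaultdict(list)
    for o in observations:
        groups[group_key(o)].append(o)
    return {k: Request(k, v) for k, v in groups.items()}


def approval_status(rules: Sequence[Tuple[str, str]]) -> str:
    """rules: (kind, value) pairs with kind in {"allow", "ban"}, as defined for the request.
    Only allow rules -> Allowed; one or more ban rules, even alongside allows -> Banned."""
    if not rules:
        return "Pending"
    if any(kind == "ban" for kind, _ in rules):
        return "Banned"
    return "Allowed"


SHA1_SETUP = "a" * 40                       # constructed sample hash, not a real file
NET_PATH = r"\\fileserver\apps\tool.exe"    # constructed sample path


def sample_observations() -> List[Observation]:
    """Constructed sample: two endpoints install the same package, one of them also
    trips memory protection, and two endpoints run different builds of a tool from a share."""
    return [
        Observation("WS-01", "Software Installation", "setup.exe", r"C:\tmp\setup.exe", SHA1_SETUP),
        Observation("WS-02", "Software Installation", "setup.exe", r"D:\dl\setup.exe", SHA1_SETUP),
        Observation("WS-02", "Process Hijack Attempted", "setup.exe", r"D:\dl\setup.exe", SHA1_SETUP),
        Observation("WS-03", NETWORK_PATH_ACTIVITY, "tool.exe", NET_PATH, "b" * 40),
        Observation("WS-04", NETWORK_PATH_ACTIVITY, "tool.exe", NET_PATH, "c" * 40),
    ]


if __name__ == "__main__":
    for key, req in collate(sample_observations()).items():
        print(key, "global prevalence =", req.global_prevalence)
    print(approval_status([("allow", "sha1:" + SHA1_SETUP), ("ban", "name:setup.exe")]))
```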


Tasks

• Allow the file on all endpoints on page 117
Define rules to allow an application or executable file to run on all endpoints in the enterprise.

• Allow by certificate on all endpoints on page 118
Define rules to allow an application, executable file, or ActiveX control to run on all endpoints in the enterprise based on the certificate associated with the file.

• Allow network files on all endpoints on page 118
Define rules to allow a network file (file placed on a network path) to run on all endpoints in the enterprise.

• Ban by SHA-1 or SHA-256 on all endpoints on page 119
Define rules to ban an application or executable file from running on all endpoints in the enterprise based on the SHA-1 or SHA-256 value of the file.

• Define rules for specific endpoints on page 120
Add prepopulated rules to allow or ban an application, executable file, or ActiveX control for specific endpoints in your administered groups. Or, you can define custom rules for specific endpoints or groups, as needed. If you are a McAfee ePO administrator, you can define rules for specific endpoints in your enterprise.

• Allow by adding to whitelist for specific endpoints on page 121
Add one or more executable files to the whitelist of an endpoint to allow the files to run on the endpoint.

• Define bypass rules for all endpoints on page 122
Define rules to allow an application or executable file to bypass applied memory protection and other techniques.

• Change file reputation on page 122
Review or edit the reputation for a file on the TIE Reputations page.

• View file details on page 122
Review details for the file.

• View events on page 123
Review the events associated with a request.

• Delete requests on page 123
Remove selected requests from the Policy Discovery page and database.

Allow the file on all endpoints

Define rules to allow an application or executable file to run on all endpoints in the enterprise.

Before you begin
You must be a McAfee ePO administrator to use this task.

Based on activity type, rules are created for the file SHA-1, SHA-256, name, or all. Sometimes, updater privileges are granted to the file. For more information, see Deployment recommendations and guidelines in the McAfee Application Control Best Practices Guide.

Task
For details about product features, usage, and best practices, click ? or Help.

1 On the McAfee ePO console, select Menu | Application Control | Policy Discovery to open the Policy Discovery page.

2 Select the requests for which you want to define rules.


3 Click Actions | Allow File Globally.

The Allow File Globally dialog box provides details and prompts you to confirm the action.

4 Click OK.

Rules are created for the files associated with the selected requests and added to the Global Rules rule group included in the McAfee Default policy. For information about how to view or edit the rules, see Review created rules.

Allow by certificate on all endpoints

Define rules to allow an application, executable file, or ActiveX control to run on all endpoints in the enterprise based on the certificate associated with the file.

Before you begin
You must be a McAfee ePO administrator to use this task.

Task
For details about product features, usage, and best practices, click ? or Help.

1 On the McAfee ePO console, select Menu | Application Control | Policy Discovery to open the Policy Discovery page.

2 Select the request for which you want to define rules.

3 Click Actions | Allow by Certificate Globally.

The Allow by Certificate Globally action is unavailable if the main executable associated with the request is signed by a certificate included in the Restricted certificate names list.

The Allow by Certificate Globally dialog box provides details and prompts you to confirm the action. Based on the file associated with a selected request, the certificate is assigned or not assigned updater privileges. If the certificate has updater privileges, allowing based on certificate allows all applications signed by the certificate to make changes to existing executable files or start new applications on the endpoints.

4 Click OK.

Rules are created for the certificate associated with the selected request and added to the Global Rules rule group included in the McAfee Default policy. For information about how to view or edit the rules, see Review created rules.

Allow network files on all endpoints

Define rules to allow a network file (file placed on a network path) to run on all endpoints in the enterprise.

Before you begin
You must be a McAfee ePO administrator to use this task.

Task
For details about product features, usage, and best practices, click ? or Help.

1 On the McAfee ePO console, select Menu | Application Control | Policy Discovery to open the Policy Discovery page.

2 Select the request for which you want to define rules.


3 Click Actions | Allow Trusted Path Globally.

The Allow Trusted Path Globally dialog box provides details and prompts you to confirm the action. Based on the network path associated with a selected request, suggested alternate paths (sorted based on path length) and the corresponding number of matching requests that are pending for each suggested path are displayed.

When you allow the path, updater privileges are provided to all software present in that network path and its subdirectories. Use caution and carefully add the trusted path.

When a request from a network path is approved globally, no further requests for the approved network path and its subdirectories are received at McAfee ePO.

4 Click OK.

Rules to allow the specified network path (with updater privileges to all software present in that network path and its subdirectories) are added to the Global Rules rule group included in the McAfee Default policy. For information about how to view or edit the rules, see Review created rules.

Ban by SHA-1 or SHA-256 on all endpoints

Define rules to ban an application or executable file from running on all endpoints in the enterprise based on the SHA-1 or SHA-256 value of the file.

Before you begin
You must be a McAfee ePO administrator to use this task.

Task
For details about product features, usage, and best practices, click ? or Help.

1 On the McAfee ePO console, select Menu | Application Control | Policy Discovery to open the Policy Discovery page.

2 Select the requests for which you want to define rules.

3 Click Actions | Ban File Globally.

The Ban File Globally dialog box provides details and prompts you to confirm the action.

4 Click OK.

Rules are created for the files associated with the selected requests and added to the Global Rules rule group included in the McAfee Default policy. For information about how to view or edit the rules, see Review created rules.

To ban an installer, such as an MSI-based installer, in addition to banning the installer globally (completed in steps 3 and 4), you must also ban the files added by the installer on the endpoint where the installer was executed by completing step 5. For example, if the MSI-based installer for Mozilla Firefox 12 (Firefox-12.0-af.msi) was executed and installed on an endpoint, you must ban the files added by the installer on the endpoint.

5 Ban the files that have already been added to the endpoint.

a Click the application name link.

The Files page lists all executable files installed on the endpoint.

b Select all listed files.

c Click Actions | Ban Files to open the Allow or Ban Files wizard.


d Specify the rule group for the rules.

• To add the rules to an existing rule group, select Add to Existing Rule Group, select the rule group from the list, and specify the operating system.

• To create a rule group with the rules, select Create a New Rule Group, enter the rule group name, and specify the operating system.

e Make sure that the rule group where you add the rules is added to a policy that is applied on the endpoint where the request was received.

f Click Next.

g Review the rules, then click Save.

Banning an installer that is not MSI-based or for which no executable is displayed on the Inventory user interface is also a two-step process. Ban the installer globally to make sure it cannot run on other endpoints in the enterprise (completed in steps 3 and 4). Next, you must manually search for the executable files corresponding to the application and ban the files using the Inventory user interface.

Define rules for specific endpoints

Add prepopulated rules to allow or ban an application, executable file, or ActiveX control for specific endpoints in your administered groups. Or, you can define custom rules for specific endpoints or groups, as needed. If you are a McAfee ePO administrator, you can define rules for specific endpoints in your enterprise.

You must have the required permissions to perform this task. If you do not have the permissions, contact the McAfee ePO administrator. For more information about permissions, see Permissions for rule configuration.

Task
For details about product features, usage, and best practices, click ? or Help.

1 On the McAfee ePO console, select Menu | Application Control | Policy Discovery to open the Policy Discovery page.

2 Select the request for which you want to define custom rules.

3 Click Actions | Create Custom Policy to open the Policy Discovery: Custom Rules page.

4 Perform one of the following.

Review and add prepopulated rules:

1 Select Approve Request, Ban Request, Allow By Certificate, Allow Trusted Path, or Bypass Memory Protection.

The Bypass Memory Protection option is available only for observations. It is unavailable for approval requests because you cannot self-approve and perform actions prevented by Application Control memory-protection techniques.

2 Review the prepopulated rule.

3 Define more rules, as needed.

Define custom rules:

1 Select Clear and define Rules.

2 Review the displayed request details.

3 Define the relevant rules.


5 Specify the rule group for the rules.

• To add the rules to an existing rule group, select Choose existing and select the rule group from the list.

When adding rules to allow a network path, select your rule group carefully. If you add rules to the Global Rules rule group, all future requests received from that network path are automatically approved. Or, if you add your rules to a custom rule group, future requests from that network path are not automatically approved.

• To create a rule group with the rules, select Create new and enter the rule group name.

6 (Optional) Add the changed or created rule group to a policy.

a Select Add rule group to existing policy.

b Select the policy where you want to add the rule group.

7 Click Save.

This approves all grouped requests. For requests received from network paths, when you click Save, the Approve Requests for Subdirectories pop-up window appears that includes a checkbox to approve all related requests. If needed, you can select the checkbox, then click OK to approve all requests received from the network path and its subdirectories.

Allow by adding to whitelist for specific endpoints

Add one or more executable files to the whitelist of an endpoint to allow the files to run on the endpoint.

Task

For details about product features, usage, and best practices, click ? or Help.

1 On the McAfee ePO console, select Menu | Application Control | Policy Discovery to open the Policy Discovery page.

2 Click a row to review request details in the Request Details page.

Each row in the Enterprise level activity pane represents an executable file and endpoint combination.

3 Click Allow Locally for a row.

The Allow Locally dialog box lists one or more paths to add to the whitelist.

The Allow Locally action is available only for requests that are generated when you execute an application that is not in the whitelist (Application Execution activity).

4 Review and customize the listed paths.

For example, if you execute proc.exe for an endpoint, these paths might be listed.

C:\Program Files\<App Name>\proc.exe

C:\Program Files\<App Name>\a.dll

C:\Program Files\<App Name>\b.dll

To avoid redundancy, add only the C:\Program Files\<App Name> path.

5 Click OK.

The specified paths are added to the whitelist and allowed to run on the endpoint.
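As an added example (not McAfee code), the path consolidation behind step 4 carried out in Python: it reduces the listed file paths to their common application directory, but keeps the individual file paths when the only common directory is an overly broad location such as C:\Program Files. The TOO_BROAD set and the function names are assumptions of this example.

```python
"""Consolidate Allow Locally paths to their common application directory.

Added example, not McAfee code. Given the file paths listed in the Allow
Locally dialog box, return the single directory to whitelist so that
proc.exe, a.dll and b.dll are covered by one path, while refusing to
collapse to a root that would allow far more than the application.
"""
from pathlib import PureWindowsPath

# Directories too broad to whitelist as a whole. This set is an assumption
# of the example; adjust it to your own policy.
TOO_BROAD = {
    PureWindowsPath("C:\\"),
    PureWindowsPath(r"C:\Program Files"),
    PureWindowsPath(r"C:\Program Files (x86)"),
    PureWindowsPath(r"C:\Windows"),
    PureWindowsPath(r"C:\Users"),
}


def common_directory(paths):
    """Return the deepest directory containing every path, or None if
    the list is empty or the paths share no common root."""
    parent_parts = [PureWindowsPath(p).parent.parts for p in paths]
    common = []
    for segments in zip(*parent_parts):
        first = segments[0]
        # Windows paths are case-insensitive, so compare case-folded.
        if all(s.lower() == first.lower() for s in segments):
            common.append(first)
        else:
            break
    return PureWindowsPath(*common) if common else None


def consolidate(paths):
    """Return the minimal list of paths to add to the whitelist.

    If all files share one application directory that is not in TOO_BROAD,
    that directory alone is returned. Otherwise the individual file paths
    are returned unchanged, so that no wider location than necessary is
    allowed on the endpoint.
    """
    common = common_directory(paths)
    if common is None or common in TOO_BROAD:
        return [str(PureWindowsPath(p)) for p in paths]
    return [str(common)]


if __name__ == "__main__":
    # Constructed sample: the three paths from the guide's example.
    listed = [
        r"C:\Program Files\App Name\proc.exe",
        r"C:\Program Files\App Name\a.dll",
        r"C:\Program Files\App Name\b.dll",
    ]
    print(consolidate(listed))
```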


Define bypass rules for all endpoints

Define rules to allow an application or executable file to bypass applied memory protection and other techniques.

Before you begin

You must be a McAfee ePO administrator to use this task.

Task

For details about product features, usage, and best practices, click ? or Help.

1 On the McAfee ePO console, select Menu | Application Control | Policy Discovery to open the Policy Discovery page.

2 Select the request for which you want to define bypass rules.

3 Click Actions | Bypass Memory Protection Globally.

4 When prompted to confirm, click OK.

Rules are created for the file associated with the selected request and added to the Global Rules rule group included in the McAfee Default policy. For information about how to view or edit the rules, see Review created rules.

Change file reputation

Review or edit the reputation for a file on the TIE Reputations page.

Task

For details about product features, usage, and best practices, click ? or Help.

1 Perform one of the following.

• On the Solidcore Events page, navigate to an event.

• On the Policy Discovery page, select a request and click Actions | More.

2 Select Change File Reputation (TIE) to open the TIE Reputations page.

3 Review the file information.

4 (Optional) Edit file reputation: click Actions, then select an action.

For information about the available actions, see the Threat Intelligence Exchange Product Guide for your version of the software.

View file details

Review details for the file.

Task

For details about product features, usage, and best practices, click ? or Help.

1 Perform one of the following.

• On the Solidcore Events page, navigate to an event.

• On the Policy Discovery page, select a request and click Actions | More.


2 Select View File Details to open the File Details page.

3 Review the file information.

For more information, see Review the inventory.

View events

Review the events associated with a request.

Task

For details about product features, usage, and best practices, click ? or Help.

1 On the McAfee ePO console, select Menu | Application Control | Policy Discovery to open the Policy Discovery page.

2 Select the request for which to view related events.

3 Click Actions | More | View Related Events to open the Solidcore Events page.

4 Review the event information.

For more information, see Review events and Define rules.

Delete requests

Remove selected requests from the Policy Discovery page and database.

To ensure optimal performance, the Solidcore: Auto Purge Policy Discovery Requests server task is run weekly to purge policy discovery requests older than three months.

Task

For details about product features, usage, and best practices, click ? or Help.

1 On the McAfee ePO console, select Menu | Application Control | Policy Discovery to open the Policy Discovery page.

2 Select the requests to delete.

3 Click Actions | Delete Requests.

4 When prompted to confirm, click OK.

All selected collated requests and contained individual requests are deleted from the page and database.

Review created rules

Review and manage the global rules created for the processed requests.

Before you begin

You must be a McAfee ePO administrator or owner of the Global Rules rule group to use this task.


Task

For details about product features, usage, and best practices, click ? or Help.

1 On the McAfee ePO console, select Menu | Configuration | Solidcore Rules.

2 On the Rule Groups tab, select these options.

• Application Control type.

• Windows platform.

3 Navigate and locate the Global Rules rule group.

4 Click Edit for the rule group.

5 Review the included rules.

6 Edit the defined rules, if needed.

7 Click Save Rule Group.

Specify filters for observations and events

Specify advanced exclusion filters to exclude non-meaningful observations and events from the endpoints.

Task

For details about product features, usage, and best practices, click ? or Help.

1 On the McAfee ePO console, create or modify an Application Control policy or rule group.

2 Select the Filters tab and expand Observations & Events.

3 Click Add Rule. A new filter row appears.

You can create filters based on files, events, programs, registry keys, and users. By default, all defined filters are applied to observations.

4 Edit the settings to specify the filter.

5 Click + or Add Rule to specify additional AND or OR conditions, respectively.

6 Select Apply rule to events also for a set of rules to apply the filter rules to events.

You can also define advanced exclusion filters from the Solidcore Events page. For more information, see Exclude events.

Specify filters for user comments

Apply a filter on user comments to view the requests and identify which requests are to be processed. Only the requests matching the specified filter criteria are displayed.


Task

For details about product features, usage, and best practices, click ? or Help.

1 On the McAfee ePO console, select Menu | Reporting | Queries & Reports.

2 Click New Query to open the Query Builder page.

3 Select ePO | Solidcore | Policy Discovery Collated Requests.

4 Click Next to open the Chart tab.

5 Click Next.

User Comments is displayed in the table if selected.

6 Click Next to open the filters tab.

7 Select User Comments from the available properties.

8 Specify the comparison and value for User Comments.

For example, to view only those requests where User Comments is blank, set comparison to Value is blank.

9 Click Run to apply the filter.

Requests matching the specified criteria are displayed.

10 Click Activity bar on the chart or click a row to open the Request Details page.

11 Click Back to return to the previous page.

12 Click Save to save the query.

This query is saved to the Query Group.

Throttle observations

Frequently reviewing and managing requests for the generated observations allows you to define the relevant rules for your setup. If you do not process observations in a timely manner, you continue to get similar and repeated observations from endpoints.

Also, if you place additional endpoints in Observe mode or perform multiple activities simultaneously on existing endpoints (in Observe mode), the absence of relevant rules might result in excessive generation of observations. If a high number of observations is received at the McAfee ePO server from the endpoints, the McAfee ePO interface might become sluggish.

Observation throttling addresses this non-responsiveness of the McAfee ePO interface. When the number of observations received at the McAfee ePO server reaches the defined threshold, observation throttling is initiated. When observation throttling starts, these actions are taken.

• Stops further processing of observations at McAfee ePO to prevent non-responsiveness of the McAfee ePO interface.

• Applies the Throttling Rules policy to the My Organization group to prevent the generation of observations on all endpoints after the agent-server communication interval.


• Generates the Observation Request Threshold Exceeded event. This event is displayed on the Threat Event Log page and can be used to create an automatic response. For more information about creating automatic responses, see the McAfee ePolicy Orchestrator Product Guide.

• Displays a warning message on the Policy Discovery page stating that observation generation has stopped.

Tasks

• Define the threshold value on page 126: By default, Application Control can process 100,000 observations in 24 hours. You can configure this setting to define the threshold value for your enterprise.

• Review filter rules on page 126: To implement throttling, rules to filter and stop all observations are added to the Stop Observation Requests rule group.

• Manage accumulated requests on page 127: Process the received requests for your administered group by taking relevant actions for the requests.

• Restart observation generation on page 127: After you process existing requests and define rules for the accumulated requests, restart observation generation at endpoints.

Define the threshold value

By default, Application Control can process 100,000 observations in 24 hours. You can configure this setting to define the threshold value for your enterprise. When the number of observations received at the McAfee ePO server in the last 24 hours reaches the defined threshold, observation throttling is initiated.

Task

For details about product features, usage, and best practices, click ? or Help.

1 On the McAfee ePO console, select Menu | Configuration | Server Settings.

2 From the Setting Categories pane, select Solidcore.

3 Modify the value of the Threshold count at which to initiate throttling and suspend observation generation (6.1.1 and older endpoints) setting.
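As an added example (not McAfee code), a small Python model of the rolling 24-hour threshold described above: it counts observations received per time window, starts throttling when the count reaches the threshold, drops observations while throttled, and resumes after generation is re-enabled. The class and method names, the sample timestamps, and the assumption that re-enabling clears the window are this example's own.

```python
"""Sliding 24-hour window model of observation throttling.

Added example, not McAfee code. It models the behaviour the guide describes:
when the number of observations received at the server in the last 24 hours
reaches the threshold (100,000 by default), throttling starts, further
observations are not processed and a Threshold Exceeded event is raised
until generation is re-enabled. Timestamps below are constructed sample data.
"""
from collections import deque
from datetime import datetime, timedelta

DEFAULT_THRESHOLD = 100_000          # default: 100,000 observations in 24 hours
WINDOW = timedelta(hours=24)
HOUR = timedelta(hours=1)
T0 = datetime(2016, 3, 1, 0, 0)      # constructed start time for the sample run


class ObservationThrottle:
    """Counts observations in a rolling 24-hour window and throttles at the threshold."""

    def __init__(self, threshold=DEFAULT_THRESHOLD):
        self.threshold = threshold
        self.batches = deque()       # (timestamp, count) of received observations
        self.total = 0               # observations currently inside the window
        self.throttling = False
        self.events = []             # (event name, timestamp) raised by the model

    def _expire(self, now):
        """Drop batches that fell out of the 24-hour window ending at `now`."""
        cutoff = now - WINDOW
        while self.batches and self.batches[0][0] <= cutoff:
            _, count = self.batches.popleft()
            self.total -= count

    def receive(self, ts, count=1):
        """Record `count` observations received at `ts`.

        Returns True if they were processed, False if they were dropped
        because throttling is active.
        """
        self._expire(ts)
        if self.throttling:
            return False
        self.batches.append((ts, count))
        self.total += count
        if self.total >= self.threshold:
            self.throttling = True
            self.events.append(("Observation Request Threshold Exceeded", ts))
        return True

    def in_window(self, now):
        """Number of observations counted in the 24 hours ending at `now`."""
        self._expire(now)
        return self.total

    def enable_observation_generation(self):
        """Restart generation (the Enable Observation Generation action).

        Assumption of this example: restarting also clears the window, so the
        next 24 hours are counted from zero.
        """
        self.batches.clear()
        self.total = 0
        self.throttling = False


def sample_run(threshold=5):
    """Constructed scenario with a low threshold so the behaviour is visible.

    Returns the per-call processed/dropped results and the raised events.
    """
    t = ObservationThrottle(threshold)
    results = [
        t.receive(T0, 3),              # 3 in window: processed
        t.receive(T0 + HOUR, 2),       # reaches 5: processed, throttling starts
        t.receive(T0 + 2 * HOUR),      # dropped while throttled
        t.receive(T0 + 25 * HOUR),     # window expired but still throttled: dropped
    ]
    t.enable_observation_generation()  # administrator re-enables generation
    results.append(t.receive(T0 + 26 * HOUR))  # processed again
    return results, t.events


if __name__ == "__main__":
    print(sample_run())
```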

Review filter rules

To implement throttling, rules to filter and stop all observations are added to the Stop Observation Requests rule group.

This rule group is read only and is assigned to the default read-only Throttling Rules policy. Initially, this policy is not assigned to any system or group. When the number of observations reaches the defined threshold, this policy is applied to My Organization (all systems and groups in your organization).

Task

For details about product features, usage, and best practices, click ? or Help.

1 On the McAfee ePO console, select Menu | Policy | Policy Catalog.

2 Select the Solidcore 8.0.0: Application Control product.

3 Click the Throttling Rules policy.

4 From the Rule Groups pane, select Stop Observation Requests.


5 Select the Filters tab.

6 Review the listed rules.

Manage accumulated requests

Process the received requests for your administered group by taking relevant actions for the requests.

If you are a McAfee ePO administrator, you can process the received requests for your enterprise. For more information, see Policy discovery permissions.

Task

• Review each request and determine the rules to define for the request. For information about how to manage requests, see Manage requests.

Restart observation generation

After you process existing requests and define rules for the accumulated requests, restart observation generation at endpoints.

Task

For details about product features, usage, and best practices, click ? or Help.

1 On the McAfee ePO console, select Menu | Application Control | Policy Discovery.

The Policy Discovery page displays a message stating that the observation generation has stopped.

2 In the warning message, click Enable Observation Generation.

Exit Observe mode

Perform these steps to exit Observe mode.

Task

For details about product features, usage, and best practices, click ? or Help.

1 On the McAfee ePO console, select Menu | Systems | System Tree.

2 Perform one of these actions.

• To apply a client task to a group, select the group in the System Tree and switch to the Assigned Client Tasks tab.

• To apply a client task to an endpoint, select the endpoint on the Systems page and click Actions | Agent | Modify Tasks on a Single System.

3 Click Actions | New Client Task Assignment to open the Client Task Assignment Builder page.

4 Select Solidcore 8.0.0 | SC: Observe Mode and click Create New Task to open the Client Task Catalog page.

5 Specify the task name and add any descriptive information.

6 Select End Observe Mode.

7 Specify whether to place the endpoints in Enabled or Disabled mode.

8 Click Save, then click Next to open the Schedule page.

9 Specify scheduling details and click Next.


10 Review and verify the task details and click Save.

11 (Optional) Wake up the agent to send your client task to the endpoint immediately.


9 Monitoring your protection

When Application Control is running in Enabled mode, only trusted and authorized programs (executable binary and script files) can run, malicious or unauthorized programs cannot run, and authorized programs cannot be changed. Application Control provides various methods to allow changes to the managed endpoints while in Enabled mode.

You can choose to define updater processes, certificates, installers, trusted users, and trusted directories. Also, to perform ad-hoc changes to the endpoints, you can place the endpoints in Update mode. For detailed information about each method, see Allowing changes to endpoints.

Contents

Enable Application Control
Review predefined rules
Review events
Define rules
ActiveX controls

Enable Application Control

Place the endpoints in Enabled mode to activate the Application Control software.

If the endpoints are running in Observe mode, use the SC: Observe Mode client task to exit Observe mode and place the endpoints in Enabled mode. For detailed instructions, see Exit Observe mode. Also, if your endpoints are running in Disabled mode, use the SC: Pull Inventory client task to fetch the inventory before placing the endpoints in Enabled mode. This ensures that the inventory is updated to prevent any mismatch. For detailed instructions, see Fetch the inventory.

Task

For details about product features, usage, and best practices, click ? or Help.

1 On the McAfee ePO console, select Menu | Systems | System Tree.

2 Perform one of these actions.

• Group — Select a group in the System Tree and switch to the Assigned Client Tasks tab.

• Endpoint — Select the endpoint on the Systems page, then click Actions | Agent | Modify Tasks on a Single System.

3 Click Actions | New Client Task Assignment to open the Client Task Assignment Builder page.

4 Select Solidcore 8.0.0 | SC: Enable, then click Create New Task to open the Client Task Catalog page.

5 Specify the task name and add any descriptive information.

6 Select the platform and subplatform, then select Application Control.


7 Complete these steps to enable Application Control.

Solidcore clients running Windows (all except Windows NT and Windows 2000):

1 Specify the scan priority.

The set scan priority determines the priority of the thread that is run to create the whitelist on the endpoints. Set the scan priority to Low. This makes sure that Application Control causes minimal performance impact on the endpoints but might take longer (than when you set the priority to High) to create the whitelist.

2 Specify the activation option.

• Limited Feature Activation — The endpoints are not restarted and limited features of Application Control (memory protection features are unavailable) are activated. Memory Protection features are available only after the endpoint is restarted.

• Full Feature Activation — The endpoints are restarted, whitelist created, and all features of Application Control including Memory Protection are active. Restarting the endpoints is needed to enable the memory protection features. The endpoint is restarted 5 minutes after the client task is received at the endpoint. A pop-up message is displayed on the endpoint before the endpoint is restarted.

3 Select Start Observe Mode to place the endpoints in Observe mode.

The Observation mode feature is available only on Windows.

4 (Optional) Select Pull Inventory.

If you select this option, the software fetches the inventory details for the endpoints (after the whitelist is created) and makes the details available on the McAfee ePO console when the ASCI lapses. Select this option if you want to manage the inventory using the McAfee ePO server.

Solidcore clients running Windows NT or Windows 2000:

Select Reboot endpoint to restart the endpoint after solidification is complete.

Restarting the system is needed to enable the software. A pop-up message is displayed at the endpoint 5 minutes before the endpoint is restarted. This allows the user to save work and data on the endpoint.

Solidcore clients running Linux:

Deselect Reboot endpoint.

When using Solidcore client version 6.1.0 or later, restarting the system is not needed to enable the software.

8 Click Save.

9 Click Next to open the Schedule page.

10 Specify scheduling details, then click Next.

11 Review and verify the task details, then click Save.

12 (Optional) Wake up the agent to send your client task to the endpoint immediately.

Review predefined rules

Application Control includes predefined rules to allow multiple commonly used applications, such as Oracle and Adobe Acrobat, to run. By default, these rules are applied to the global root in the System Tree and hence are inherited by all McAfee ePO-managed endpoints.

When an endpoint connects to the McAfee ePO server, the McAfee Default policy applicable to the endpoint's operating system comes into play. Do not remove the McAfee Applications (McAfee Default) and McAfee Default policies from My Organization.


Review the predefined rules included in the McAfee Default policy.

Task

For details about product features, usage, and best practices, click ? or Help.

1 On the McAfee ePO console, select Menu | Policy | Policy Catalog.

2 Select the Solidcore 8.0.0: Application Control product.

All policies for all categories are listed. A McAfee Default policy exists for each supported operating system.

3 Open the relevant policy.

4 Review the rules.

5 Click Cancel.

Review events

Any action to change or execute a file or program on a protected system causes Application Control to prevent the action and generate a corresponding event on the endpoint. All generated events for managed systems are sent to the McAfee ePO server. Review and manage the generated events to monitor the status of the managed endpoints.

On the Solidcore: Health Monitoring dashboard, check the Top 10 Events for 10 Most Noisy Systems in Last 7 Days monitor to take notice of the data that might require immediate action.

Task

For details about product features, usage, and best practices, click ? or Help.

1 On the McAfee ePO console, select Menu | Reporting | Solidcore Events.

2 Specify the time duration for which to view events by selecting an option from the Time Filter list.

3 Specify the endpoints for which to view events.

a Select the required group in the System Tree.

b Select an option from the System Tree Filter list.

4 (Optional) View only specific events by applying one or more filters.

a Click Advanced Filters to open the Edit Filter Criteria page.

b Select an available property.

c Specify the comparison operator and property value.

For example, to view only Execution Denied events, select the Event Display Name property, set comparison to Equals, and select the Execution Denied value.

d Click Update Filter.

Events matching the specified criteria are displayed.

5 (Optional) Click What's reputation-based execution? to review the checks that Application Control performs in a set order to allow or ban the execution of a file. These checks do not apply to the Change Control product.


6 (Optional) Record any additional information for an event.

a Perform one of these steps:

• To add user comments for one event, click the Add a comment link.

• To add user comments for multiple events, select the events and click Actions | Add Comments.

The Add Comments dialog box appears.

b Enter your comments.

c Click OK.

Tasks

• View event details on page 132: Review detailed information for the events.

• Review endpoint details on page 132: Review endpoint details for one or more events.

• View requests on page 133: Review the requests associated with an event.

• View file details on page 122: Review details for the file.

• Change file reputation on page 122: Review or edit the reputation for a file on the TIE Reputations page.

View event details

Review detailed information for the events.

Task

For details about product features, usage, and best practices, click ? or Help.

1 Click an event row.

The Monitoring Events Details page opens. This page displays event information, such as event display name, file SHA-1, file SHA-256, file MD5, reputation (at the time of execution), and deny reason (for Execution Denied events).

2 Review event details.

3 (Optional) Click Actions | Add Comments to record additional information for an event.

The Add Comments dialog box appears.

4 Enter your comments.

5 Click OK to save your comments.

6 Click Close.

For most events, you do not need to take any actions. But, if the protection that is in effect is preventing a legitimate application from executing, you might need to define rules. For the Execution Denied, Nx Violation Detected, File Write Denied, ActiveX Installation Prevented, Process Hijack Attempted, Installation Denied, Blocked Interactive Mode for Process, and Prevented File Execution events, review requests on the Policy Discovery page and define rules, if needed.
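As an added example (not McAfee code), Python triage over a constructed set of Solidcore events: it flags the event types listed above for rule review, groups them by event type and file so one decision covers repeats, and reproduces the idea of the Top 10 Events for 10 Most Noisy Systems in Last 7 Days monitor. The record fields, the sample data, the benign File Created type, and the placeholder hashes are assumptions of this example.

```python
"""Triage of events reviewed on the Solidcore Events page.

Added example, not McAfee code. Flags the event types the guide says may
need rules defined on the Policy Discovery page and reproduces the idea of
the "Top 10 Events for 10 Most Noisy Systems in Last 7 Days" monitor over
constructed sample records. The record layout is an assumption.
"""
from collections import Counter
from datetime import datetime, timedelta

# Event types for which the guide says to review requests and define rules.
RULE_REVIEW_EVENTS = frozenset({
    "Execution Denied", "Nx Violation Detected", "File Write Denied",
    "ActiveX Installation Prevented", "Process Hijack Attempted",
    "Installation Denied", "Blocked Interactive Mode for Process",
    "Prevented File Execution",
})

NOW = datetime(2016, 3, 4)   # constructed "current time" for the sample

# Constructed sample events (not real data); hashes are placeholders and
# "File Created" stands in for a benign event type.
SAMPLE_EVENTS = [
    {"time": "2016-03-01T09:00:00", "system": "WS-01", "event": "Execution Denied",
     "file": r"C:\Temp\tool.exe", "sha256": "<placeholder-sha256>",
     "reason": "File not in whitelist"},
    {"time": "2016-03-01T09:05:00", "system": "WS-01", "event": "Execution Denied",
     "file": r"C:\Temp\tool.exe", "sha256": "<placeholder-sha256>",
     "reason": "File not in whitelist"},
    {"time": "2016-03-02T10:00:00", "system": "WS-02", "event": "File Write Denied",
     "file": r"C:\Program Files\App\config.ini", "sha256": "", "reason": ""},
    {"time": "2016-03-03T11:00:00", "system": "WS-01", "event": "File Created",
     "file": r"C:\Users\alice\notes.txt", "sha256": "", "reason": ""},
    {"time": "2016-02-10T08:00:00", "system": "WS-03", "event": "Nx Violation Detected",
     "file": r"C:\Program Files\Legacy\old.exe", "sha256": "<placeholder-sha256>",
     "reason": ""},
    {"time": "2016-03-03T12:00:00", "system": "WS-02", "event": "Process Hijack Attempted",
     "file": r"C:\Program Files\App\app.exe", "sha256": "<placeholder-sha256>",
     "reason": ""},
]


def in_last_days(event, now, days):
    """True if the event falls inside the last `days` days ending at `now`."""
    return datetime.fromisoformat(event["time"]) > now - timedelta(days=days)


def noisiest_systems(events, now=NOW, days=7, top=10):
    """Systems that generated the most events in the window, most first."""
    counts = Counter(e["system"] for e in events if in_last_days(e, now, days))
    return counts.most_common(top)


def top_events_for_noisy_systems(events, now=NOW, days=7, top=10):
    """Most frequent event types among the noisiest systems (the dashboard idea)."""
    noisy = {s for s, _ in noisiest_systems(events, now, days, top)}
    counts = Counter(e["event"] for e in events
                     if e["system"] in noisy and in_last_days(e, now, days))
    return counts.most_common(top)


def needs_rule_review(event):
    """True for the event types the guide says to review on Policy Discovery."""
    return event["event"] in RULE_REVIEW_EVENTS


def review_candidates(events):
    """Group events needing review by (event type, file) -> list of systems,
    so that one rule decision covers repeated events for the same file."""
    groups = {}
    for e in events:
        if needs_rule_review(e):
            groups.setdefault((e["event"], e["file"]), []).append(e["system"])
    return groups


if __name__ == "__main__":
    print(noisiest_systems(SAMPLE_EVENTS))
    print(top_events_for_noisy_systems(SAMPLE_EVENTS))
    for key, systems in review_candidates(SAMPLE_EVENTS).items():
        print(key, systems)
```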

Review endpoint details

Review endpoint details for one or more events.


Task

For details about product features, usage, and best practices, click ? or Help.

1 Select one or more events.

2 Click Actions | Show Related Systems.

The Related Systems page lists the endpoints corresponding to the selected events.

3 Click a row to review detailed information for the endpoint.

4 (Optional) Perform any action on the endpoint.

View requests

Review the requests associated with an event.

Task

For details about product features, usage, and best practices, click ? or Help.

1 Select View Related Requests to open the Request Details page.

2 Review the request information.

For more information, see Review requests and Process requests.

View file details

Review details for the file.

Task

For details about product features, usage, and best practices, click ? or Help.

1 Perform one of the following.

• On the Solidcore Events page, navigate to an event.

• On the Policy Discovery page, select a request and click Actions | More.

2 Select View File Details to open the File Details page.

3 Review the file information.

For more information, see Review the inventory.

Change file reputation

Review or edit the reputation for a file on the TIE Reputations page.

Task

For details about product features, usage, and best practices, click ? or Help.

1 Perform one of the following.

• On the Solidcore Events page, navigate to an event.

• On the Policy Discovery page, select a request and click Actions | More.

2 Select Change File Reputation (TIE) to open the TIE Reputations page.


3 Review the file information.

4 (Optional) Edit file reputation: click Actions, then select an action.

For information about the available actions, see the Threat Intelligence Exchange Product Guide for your version of the software.

Define rules

Define rules to allow changes and override the applied protection.

Use one of the available methods to define rules.

Tasks

• Create custom rules on page 134: For most events, you do not need to take any action. But, if the protection that is in effect is preventing a legitimate application from executing, you must define rules.

• Create a policy on page 135: Add specific rules to a rule group or policy. Except the policies in the Application Control Options (Windows) category, all Application Control policies are multi-slot policies; a user can assign multiple policies to a single node in the System Tree.

• Exclude events on page 136: You can define rules to prune routine system-generated events not relevant for monitoring or auditing. Exclude or ignore events not required to meet compliance requirements.

• Define bypass rules on page 136: Define specific rules in a policy to bypass applied memory-protection and other techniques on the Windows platform. On the Linux platform, you can only create rules to exclude files from write-protection rules and allow script execution.

Create custom rules

For most events, you do not need to take any action. But, if the protection that is in effect is preventing a legitimate application from executing, you must define rules.

To allow you to define rules with ease, Application Control generates events and corresponding observations for these events.

• Execution Denied

• Installation Denied

• File Write Denied

• VASR Violation Detected

• Process Hijack Attempted

• Blocked Interactive Mode of Process

• Nx Violation Detected

• Prevented File Execution

• ActiveX Installation Prevented

Task

For details about product features, usage, and best practices, click ? or Help.

1 On the McAfee ePO console, select Menu | Reporting | Solidcore Events.

2 Specify the time duration for viewing events by selecting an option from the Time Filter list.


3 Specify the endpoints whose events you want to view.

a Select the required group in the System Tree.

b Select an option from the System Tree Filter list.

4 Click Create Policy for an event.

Detailed information for the selected event appears.

5 Define the needed rules.

6 Specify the rule group for the rules.

• To add the rules to an existing rule group, select Choose existing and select the rule group from the list.

• To create a rule group with the rules, select Create new and enter the rule group name.

7 (Optional) Add the modified or created rule group to a policy.

a Select Add rule group to existing policy.

b Select the policy where you want to add the rule group.

8 Click Save.

9 Make sure that the updated rule group is included in a policy applied to the endpoint.

Create a policy

Add specific rules to a rule group or policy. Except the policies in the Application Control Options (Windows) category, all Application Control policies are multi-slot policies; a user can assign multiple policies to a single node in the System Tree.

For more information on Application Control policies, see Predefined rules in default policies.

Task
For details about product features, usage, and best practices, click ? or Help.

1 On the McAfee ePO console, select Menu | Policy | Policy Catalog.

2 Select the Solidcore 8.0.0: Application Control product.

3 Click Actions | New Policy to open the New Policy dialog box.

4 Select the category.

5 Perform one of these steps.

• If you selected the Application Control Options (Windows) category, select the policy you want to duplicate from the Create a policy based on this existing policy list.

• If you selected any other category, select Blank Template from the Create a policy based on this existing policy list to define a policy from scratch.

6 Specify the policy name, then click OK to open the Policy Settings page.

You can now define the rules to include in the policy. You can either add the rules to a rule group or directly add the new rules to the policy.

• To use a rule group, complete steps 7 and 9. For more information about how to create a rule group, see Create a rule group.

• To directly add the rules to the policy, complete steps 8 and 9.


7 Add a rule group to the policy.

a Select the rule group in the Rule Groups tab.

The rules included in the rule group are displayed in the various tabs.

b Review the rules.

For more information about adding new rules to the rule group, see Manage rule groups.

c Select Add in the Rule Groups tab to open the Select Rule Groups dialog box.

d Select the rule group to add, then click OK.

8 Add the rules to the policy.

For information about the rules, see Allowing changes to endpoints.

9 Save the policy.

Exclude events

You can define rules to prune routine system-generated events not relevant for monitoring or auditing. Exclude or ignore events not required to meet compliance requirements.

You must have the required permissions to perform this task. If you do not have the permissions, contact the McAfee ePO administrator. For more information about permissions, see Permissions for rule configuration.

Task
For details about product features, usage, and best practices, click ? or Help.

1 On the McAfee ePO console, select Menu | Reporting | Solidcore Events.

2 Select the events to exclude.

3 Click Actions | Exclude Events to open the Events Exclusion wizard.

4 Select the target platform for the rules.

5 Select the rule group type, then click Next to open the Define Rules page.

6 Rules are auto-populated based on the selected events.

7 Review and refine existing rules and add new rules, as needed.

8 Click Next to open the Select Rule Group page.

9 Add the rule to an existing or new rule group, then click Save.

10 Make sure that the rule group is added to the relevant policy and the policy is assigned to the endpoints.

Define bypass rules

Define specific rules in a policy to bypass applied memory-protection and other techniques on the Windows platform. But, on the Linux platform, you can only create rules to exclude a file from write-protection rules and allow script execution.

Some applications (as part of their day-to-day processing) run code in an atypical way and hence are prevented from running. To allow such applications to run, define appropriate bypass rules. A bypassed file or application is no longer considered by the memory-protection features of Application Control. Bypassing a file must be the last resort to allow an application to run and should be used carefully.


Task
For details about product features, usage, and best practices, click ? or Help.

1 Perform one of these tasks.

• Define a new Application Control rule group (to define bypass rules to reuse across multiple endpoints). For detailed instructions, see Create a rule group.

• Create an Application Control policy (to apply bypass rules to one endpoint). For detailed instructions, see Create a policy.

2 Select the Exclusions tab.

3 Click Add to open the Add exclusion rules window.

4 Expand nodes for the options for which you want to add bypass rules.

• Memory protection

• Installation detection

• Advanced options

5 (Optional) Select the Memory protection options for which you want to add bypass rules, then provide the needed information.

a For Disable buffer overflow protection (CASP) for a process, specify a process in the Process Name field to bypass the process from the Critical Address Space Protection (CASP) technique.

b For Disable buffer overflow protection (NX) for a process on 64-bit Windows, specify a process in the Process Name field to bypass the process from the No eXecute (NX) technique. Select Enable Inheritance to bypass child processes launched by the file from the No eXecute (NX) technique.

c For Disable ROP protection for a process using Forced Relocation (VASR), specify a process in the Process Name field to bypass the process from the VASR Forced-Relocation technique. Optionally, specify the name of the DLL file associated with the process in the Library Name field.

d For Disable ROP protection for a DLL using DLL Relocation (VASR), specify a DLL file in the Library Name field to bypass the DLL file from the VASR DLL Relocation technique. The file is not rebased and is loaded from its preferred base address.

e For Disable ROP protection for a process using Stack Randomization (VASR), specify a process in the Process Name field to bypass the process from the VASR Process Stack Randomization technique.

Typical use cases where you might need to add bypass rules for memory-protection techniques are:

• When Windows updates or an application, such as a browser, fail to run and an internal error appears.

For example, the Adobe Reader application fails to run on the system and shows an internal error.

• When a browser, such as Google Chrome, starts but the webpages are blank.

To resolve these issues, follow these steps.

a Provide updater privileges to the installer file for the application or browser.

b Start the application or browser in Update mode at the endpoint.

c Bypass the installer file from the CASP or NX technique, based on the Windows architecture (32-bit or 64-bit) that you are using.


d Bypass the installer file from VASR-Forced Relocation technique.

e Bypass the installer file from the VASR-Forced Relocation and CASP (for 32-bit) or NX (for 64-bit) techniques, based on the Windows architecture that you are using.

6 (Optional) Select the Allow uninstallations option and provide the needed information.

On endpoints running version 6.1.1 or later, this option allows execution of EXE-based uninstall files that come with the installer package. When the Allow Uninstallation subfeature (pkg-ctrl-allow-uninstall) for Package Control is disabled, the execution of uninstall files is blocked because there is no method to identify whether they are completing the installation process or performing uninstallation. But, this option bypasses the uninstall files from the Allow Uninstallation subfeature, thereby allowing the execution.

For example, in the case of the Firefox browser, helper.exe is the uninstall file. This file performs uninstallation and multiple other tasks, such as importing settings from other browsers. When you try to uninstall the Firefox browser using the Control Panel, the helper.exe file performs the uninstallation. Also, this file performs multiple other tasks. But, when the Allow Uninstallation subfeature is disabled, such tasks are denied because the file is not allowed to run.

To allow the uninstall file to run when performing tasks other than uninstalling the software, a mechanism based on a process-based rule is provided. The process-based rule provides a specific context for bypassing the uninstall file from the Allow Uninstallation subfeature using the following command.

sadmin attr add -o parent=<parent_process_name> -i <process_name>

With this rule, <process_name> is bypassed from the Allow Uninstallation subfeature and allowed to execute only when it is launched by the process <parent_process_name>.

Specify the process name (uninstall file) in the Process Name field and the parent process name in the Parent Process Name field. Specifying the parent process name is mandatory to provide specific context for bypassing the file.

For endpoints running versions earlier than 6.1.1, this option applies the default rules for the Installation Detection bypass technique, and the new behavior for uninstallation of EXE-based uninstall files is partially applied, without an option to specify the parent process name.

7 (Optional) Select the Advanced options for which you want to add bypass rules, then provide the needed information.

Contact McAfee Support before applying these exclusions.

a For Exclude file from write-protection rules and allow script execution, specify a process in the Process Name field to bypass the process from write-protection rules and also allow execution for a script file using the Process Context File Operations bypass technique. Optionally, specify the name of the parent process in the Parent Process Name field to allow the file to bypass only if it is launched by the specified parent.

In certain scenarios, Application Control can prevent legitimate applications from running. Use this option to define a bypass rule for a file on 32-bit or 64-bit Windows platforms. Use this option carefully because it can affect default Application Control functionality.


b For Ignore path for file operations, specify a relative path in the Relative Path field to ignore the relative path for file operations using the skiplist -i command.

The use case for this option is when an application or a process performs continuous high input and output operations (reads or writes) on many files, such as .dat, .log, or .txt files. Because Application Control tracks and processes file activities on the system, high input or output might cause performance degradation for the application. You can bypass the relative path to the log files or other unsupported files with high input and output activities from file operations to prevent tracking of file activities for that path. Modification is allowed for all files under the specified path. Also, all script files present in the specified path and its subdirectories are allowed to execute. You must restart the system for the bypass rules to take effect.

c For Exclude path from file operations, specify a relative path in the Relative Path field to bypass the relative path from file operations using the skiplist -f command.

d For Exclude path from write-protection rules, specify a relative path in the Relative Path field to bypass the relative path from file write-protection rules using the skiplist -d command.

The use case for this option is when a generic process, such as svchost.exe, services.exe, or cmd.exe, tries to write to a protected file and is denied from making changes. Because you cannot grant updater privileges to a generic process, use this option to bypass the file or file path from write-protection rules to allow the generic process to write to a protected file. But, for a file that is present in the whitelist or allowed by checksum, its execution will be denied because of a checksum mismatch after the file is modified.

e For Exclude local path and all its contained files and sub-directories from the whitelist, specify a local path in the Path field to bypass the local path and all its contained files and subdirectories from the whitelist using the skiplist -s command.

Use cases for this option are:

• When a user wants to allow modification to the files in a folder or directory.

• When an Application Control-enabled system has folders configured as network shares to allow users to copy, modify, or download files but not execute them.

• When a temporary folder or directory is used by the operating system, an application, a process, or a user to copy, back up, or delete files.

Solidified files are protected from modification by any process or user except updater processes. Configuring the file or path using this option bypasses the files from the whitelist. This allows any process or user to modify or delete the files under the path. But, files in the path are not whitelisted and are denied execution. To allow execution, you need to allow the files by name. Also, new files created by an updater process are not dynamically added to the whitelist.

f For Exclude volume from Application Control protection, specify a volume in the Volume field to bypass the volume from Application Control protection using the skiplist -v command. This option detaches the specified volume from the whitelist, and the volume is not protected by Application Control.

By default, Application Control attaches to each volume and tracks the file operations from supported file systems. Use this option to bypass any volume from Application Control tracking and protection. You must restart the system for the configuration to take effect.

Best Practice: Do not bypass any system volume or drive.

8 Click OK to apply the rules.


ActiveX controls

By default, Application Control prevents the installation of ActiveX controls on endpoints.

You can use the ActiveX feature to install and run ActiveX controls on endpoints. This feature is not integrated with reputation-based execution workflows. However, if an executable file downloaded by an ActiveX control launches another file with malicious reputation, it can cause runtime issues.

This feature is enabled by default and available only on the Windows operating system. This feature is unavailable on the Linux operating system. For Windows, this feature is unavailable on Windows 8, Windows Embedded 8, Windows 8.1, Windows Embedded 8.1, Windows 10, Windows Embedded 10, Windows Server 2012, and Windows Server 2012 R2 platforms. This implies that policies and rules identified for ActiveX events using the Policy Discovery page are not applicable for the unsupported platforms.

Only the Internet Explorer browser is supported for ActiveX control installations. If you are using a 64-bit operating system, installation of ActiveX controls is supported only for the 32-bit Internet Explorer application. Simultaneous installation of ActiveX controls using multiple tabs of Internet Explorer is not supported.

Here are high-level steps to help you use the ActiveX feature.

1 Apply the Common ActiveX Rules policy to the endpoints to allow users to install commonly used ActiveX controls on the endpoints. This policy is listed when you select Menu | Policy | Policy Catalog and then select the Solidcore 8.0.0: Application Control product.

2 Perform one of these tasks.

• If the ActiveX control you want to install is listed in the predefined rules, directly install the ActiveX control on the endpoint.

• If the ActiveX control you want to install is not listed in the predefined rules, Application Control prevents the installation of the ActiveX control on the endpoint. To allow installation of the ActiveX control, add the certificate associated with the ActiveX control as a trusted certificate. For detailed information, see Manage certificates.

3 Make sure that the updated rule group is included in a policy applied to the endpoint.


10 Managing the inventory

You can review, fetch, and manage the software inventory for protected endpoints. The software inventory for an endpoint contains information about the executable files and script files present on the endpoint. The information stored in the inventory includes complete file name, file size, SHA-1, SHA-256, file reputation, file type, embedded application name, certificate details, and version.

The software inventory for a managed endpoint is available on the McAfee ePO console and updated regularly based on changes made to the endpoint. For information about how the inventory data is sent to McAfee ePO, see KB84247.

You can review and manage the inventory for endpoints from the McAfee ePO console. If needed, you can also fetch inventory for endpoints. You can perform multiple tasks, such as allow or ban specific executable files, review all occurrences of an application or executable file in the enterprise, and compare the endpoint inventory with a gold system to view image deviation.

Contents
How the inventory is updated
Configure inventory updates
Guidelines for fetching inventory
Configure settings for fetching the inventory
Fetch the inventory
Fetch McAfee GTI ratings for isolated McAfee ePO environments
Set enterprise reputation for files and certificates
Review the inventory
Optimize your inventory view
Manage the inventory
Specify filters for inventory data
Set the base image
Compare the inventory

How the inventory is updated

Inventory information available on the McAfee ePO console for endpoints is updated at regular intervals based on changes made at the endpoints.

A change to an endpoint's inventory triggers inventory information to be pushed to the McAfee ePO server after the agent-server communication interval. This keeps the inventory information on the McAfee ePO server updated with changes to inventory at the endpoints. Also, this avoids the need to manually fetch inventory for an endpoint to get the updated inventory.

These changes on an endpoint cause corresponding changes to the inventory information on the McAfee ePO server.


• Addition of a file
• Modification of an existing file
• Rename of a file
• Deletion of a file
• Solidification or unsolidification of a file

Configure inventory updates

Inventory information is updated at regular intervals based on changes made at the endpoints running Application Control versions earlier than 6.2.0, versions 6.2.0 and later, or both. By default, this configuration is enabled for endpoints running version 6.2.0 and later.

If needed, you can edit this value.

Task
For details about product features, usage, and best practices, click ? or Help.

1 On the McAfee ePO console, select Menu | Policy | Policy Catalog.

2 Select the Solidcore 8.0.0: General product.

3 In the Configuration (Client) category, click Duplicate for the McAfee Default policy.

4 Specify the policy name, then click OK.

5 Open the policy and switch to the Miscellaneous tab.

6 Edit the value for the Inventory Updates: Configuration field.

7 Save the policy and apply it to the relevant endpoints.

Guidelines for fetching inventory

Application Control provides multiple methods to help you fetch the software inventory for an endpoint.

The minimum interval between consecutive inventory runs (when the inventory information is fetched from the endpoints) is set to seven days. This is the default value and implies that for an endpoint you can pull inventory once a week. But, if needed, you can configure this value for your enterprise. See Configure settings for fetching the inventory.

When throttling of inventory updates is initiated, the Pull Inventory client task is disabled. This indicates that you cannot fetch inventory until throttling resets. Throttling resets 24 hours after the first inventory update for the day was generated. For more information about throttling of inventory updates, see Administer throttling for your enterprise.

To do this... Do this...

Fetch inventory for endpoints when placing in Enabled mode:
Use the Enable client task. For more information, see Enable Application Control.

Fetch the inventory for one endpoint:
Use the Fetch link on the Menu | Application Control | Inventory | By Systems page to quickly fetch inventory for an endpoint.


Fetch the inventory for multiple endpoints:

• Use the Fetch Inventory action on the System Tree page to fetch inventory for a few endpoints simultaneously. Select one or more endpoints on the Menu | Systems | System Tree | Systems tab and click Actions | Application Control | Fetch Inventory to quickly fetch inventory for the endpoints.

• Use the Pull Inventory client task to fetch inventory details for a group. Use this client task to fetch inventory from 500 or fewer endpoints simultaneously.

Import inventory details for endpoints not connected to McAfee ePO:

1 Perform one of these actions.

• Execute the sadmin ls -lax > <XML file name> command on the endpoint using the CLI. This command generates an XML file with complete inventory details.

• Execute the sadmin ls -rax > <XML file name> command on the endpoint using the CLI. This command generates an XML file with inventory details specific to your setup (excluding the files that are filtered by AEFs).

2 On the McAfee ePO console, select the endpoint on the Menu | Systems | System Tree | Systems page, then click Actions | Application Control | Import Inventory.

The inventory for the selected endpoint is updated based on the inventory details included in the XML file.

Specify the file paths to ignore when fetching inventory:

To ignore and not include certain files in the inventory:

1 Select Menu | Configuration | Server Settings | Solidcore.

2 Review the file paths listed in the File paths to ignore while fetching inventory field.

3 Click Edit to update the list. The Edit Solidcore page appears.

4 Use regular expressions to specify the file path string at the end of the list (separated by a comma), then click Save.

Fetch McAfee GTI ratings when the McAfee ePO server is not connected to the Internet:
Use the Offline GTI tool to fetch McAfee GTI ratings for endpoints that are managed by a McAfee ePO server that is not connected to the Internet. For more information, see Fetch McAfee GTI ratings for isolated McAfee ePO environments.

Configure settings for fetching the inventory

For most enterprises, the default settings configured for fetching the inventory suffice. But, if needed, you can change the default settings.

Task
For details about product features, usage, and best practices, click ? or Help.

1 On the McAfee ePO console, select Menu | Policy | Policy Catalog.

2 Select the Solidcore 8.0.0: Application Control product.

3 Select the Application Control Options (Windows) category.

4 Click the My Default policy to edit it.


5 Switch to the Inventory tab.

6 Click Hide Windows OS files to include the Windows operating system-specific files in the inventory.

By default, the Windows operating system-specific files are excluded from the inventory. This prevents overwhelming the inventory with legitimate Windows files in the <system drive>\Windows folder (that are signed by the Microsoft certificate) and files in the <system drive>\Windows\winsxs folder.

7 Specify a value for the Pull Complete Inventory Interval field. This value indicates the minimum interval (in number of days) between consecutive inventory runs. By default, this value is set to seven days.

This value takes precedence over any scheduled tasks to fetch inventory.

8 Specify a value for the Receive Inventory Updates Interval field. This value indicates the minimum lag (in number of hours) between the generation of consecutive inventory updates. By default, this value is set to three hours.

9 Save the policy and apply it to the relevant endpoints.

Fetch the inventory

Although Application Control maintains the current inventory for managed endpoints, you can fetch the inventory for one or more managed endpoints, as needed.

When you fetch inventory for an endpoint, one of these occurs:

• If inventory for an endpoint was fetched in the last seven days, inventory updates are fetched for the endpoint.

• If inventory for an endpoint was not fetched in the last seven days, complete inventory details are fetched for the endpoint.

Task
For details about product features, usage, and best practices, click ? or Help.

1 On the McAfee ePO console, select Menu | Systems | System Tree.

2 Perform one of these actions.

• To apply a client task to a group, select a group in the System Tree and switch to the Assigned Client Tasks tab.

• To apply a client task to an endpoint, select the endpoint on the Systems page, then click Actions | Agent | Modify Tasks on a Single System.

3 Click Actions | New Client Task Assignment to open the Client Task Assignment Builder page.

4 Select Solidcore 8.0.0 for the product and SC: Pull Inventory for the task type, then click Create New Task to open the Client Task Catalog page.

5 Specify the task name and add any descriptive information.

6 Click Save.

7 Click Next to open the Schedule page.

8 Specify schedule details, then click Next.


9 Review and verify the task details, then click Save.

10 (Optional) Wake up the agent to send your client task to endpoints immediately.

Fetch McAfee GTI ratings for isolated McAfee ePO environments

Use the Offline GTI tool to fetch McAfee GTI ratings for isolated McAfee ePO environments with no access to the Internet.

In some organizations, for security reasons, Internet access might not be available to systems. In such cases, if the McAfee ePO server is not connected to the Internet, the Solidcore extension cannot fetch McAfee GTI ratings for files and certificates, such as reputation and classification, from the McAfee GTI server. As a result, the executable files and certificates in the inventory remain unknown, making it difficult for the McAfee ePO administrator to distinguish between trusted, malicious, and unknown files in the inventory.

For optimal performance in isolated McAfee ePO environments, navigate to the Menu | Configuration | Server Settings | Solidcore page, click Edit, then set the Synchronize reputation information with GTI option to No.

Tasks

• Export SHA-1s on page 145
Export SHA-1s of executable files and public key SHA-1s of certificates in the Application Control inventory to a file. The created file is compressed and encrypted.

• Run the Offline GTI tool on page 146
Run the Offline GTI tool to fetch McAfee GTI ratings for files and certificates.

• Import the GTI result file on page 147
Import the GTI result file to a system connected to the McAfee ePO server to update the Application Control inventory with the fetched McAfee GTI ratings.

• Verify the import on page 147
Review the Server Task Log to verify if McAfee GTI ratings were successfully imported to the McAfee ePO server.

Export SHA-1s

Export SHA-1s of executable files and public key SHA-1s of certificates in the Application Control inventory to a file. The created file is compressed and encrypted.

Task
For details about product features, usage, and best practices, click ? or Help.

1 On the McAfee ePO console, select Menu | Application Control | Inventory.

2 On the By Applications tab, select Actions | Export Inventory for Offline GTI Tool to create the inventory file.

The file name is appended with the date and time when the file is created. Here is the syntax of the file name.

App-Control-Inventory-<year>-<month>-<day>_<hour>-<minute>-<second>.zip

3 Save the inventory file.

Application Control and Change Control support SHA-256 values of executable files. But, reputation-based execution workflows do not work on SHA-256 values because reputation sources, such as McAfee GTI and TIE server, do not support file SHA-256 values. So, only SHA-1 values of executable files and certificates are exported in the inventory file.

4 Copy the inventory file to a system with access to the Internet.


Run the Offline GTI tool

Run the Offline GTI tool to fetch McAfee GTI ratings for files and certificates.

Before you begin

• Make sure that Java Runtime Environment (JRE) 1.6.0_33 or later is installed on the system.

• Verify that the system is connected to the Internet.

• Make sure that you have downloaded and saved the OfflineGTITool.zip file from the McAfee download site.

For all file SHA-1s, File Hash Reputation and File Hash Classification values are fetched from the McAfee GTI file reputation service. Similarly, for public key SHA-1s of certificates, corresponding reputation values are fetched from the McAfee GTI server. The Offline GTI tool fetches the McAfee GTI ratings and saves the information to a result file.

McAfee GTI file reputation service and the server do not support SHA-256 files and public key SHA-256 certificates.

Task

1 Set the GTI_TOOL_JAVA_HOME environment variable.

a Open a command window.

b Type this command and provide the path to the JRE.

set GTI_TOOL_JAVA_HOME=<JRE path>

For example:

set GTI_TOOL_JAVA_HOME=C:\Program Files\Java\jre6

2 Run the Offline GTI tool.

a Extract the OfflineGTITool.zip file to a system with access to the Internet.

The OfflineGTITool directory is created. This directory contains the readme.txt file that explains the prerequisites, procedure, configuration, and logging details. For detailed information about using the Offline GTI tool, we recommend that you read this file.

b Change to the OfflineGTITool directory.

cd <directory path>

Make sure that you specify the absolute path to the OfflineGTITool directory.

c Verify that the current directory is OfflineGTITool.

cd

d Run the tool.

runOfflineGTITool.cmd <Inventory file path>

Specify the tool name followed by the path to the inventory file that you saved on this system.

For example:

runOfflineGTITool.cmd c:\inventory\App-Control-Inventory-yyyy-MM-dd_HH-mm-SS.zip

The Offline GTI tool connects to the McAfee GTI server and fetches McAfee GTI ratings for the file SHA-1s and certificate public key SHA-1s. When ratings for all SHA-1s and public key SHA-1s are fetched, a success or failure message is displayed at the command prompt. The created GTI result file contains the McAfee GTI ratings and its contents are encrypted. The file name is appended with the date and time when the file is created.

GTI-Result-<year>-<month>-<day>_<hour>-<minute>-<second>.zip

3 Copy the GTI result file to a system connected to the McAfee ePO server.

Import the GTI result file

Import the GTI result file to a system connected to the McAfee ePO server to update the Application Control inventory with the fetched McAfee GTI ratings.

After the GTI result file is successfully generated, you must import the McAfee GTI ratings to McAfee ePO within seven days. If you exceed seven days, you can't update the Application Control inventory with the McAfee GTI ratings. Although the default setting is seven days, you can configure it, as needed. To configure this setting, contact McAfee Support.

Task

For details about product features, usage, and best practices, click ? or Help.

1 On the McAfee ePO console, select Menu | Application Control | Inventory.

2 On the By Applications tab, select Actions | Import GTI ratings to open the Import GTI ratings dialog box.

3 Click Browse to select the GTI result file, then click OK.

The Import GTI ratings dialog box states that the McAfee GTI ratings are uploaded to the McAfee ePO server and processing of the McAfee GTI ratings has started. Review the Server Task Log to verify that the processing has completed.

4 Click OK.

Verify the import

Review the Server Task Log to verify if McAfee GTI ratings were successfully imported to the McAfee ePO server.

Task

For details about product features, usage, and best practices, click ? or Help.

1 On the McAfee ePO console, select Menu | Automation | Server Task Log.

2 Specify the task name Imports GTI ratings from file to Inventory in the Quick find text box, then click Apply.

The list is updated based on the specified search string.

3 Verify that the status of this server task is Completed.

Set enterprise reputation for files and certificates

You can change the enterprise reputation for files and certificates on the TIE server to suit your environment. However, changing the enterprise reputation has a global impact on your environment. When you change the enterprise reputation for a file or a certificate, the information is immediately updated in the database and sent to devices in your environment that are listening to TIE change notifications, such as endpoints running Application Control or other clients.

For more information about how a file or certificate reputation is computed, see File and certificate reputation.


Task

For details about product features, usage, and best practices, click ? or Help.

1 On the McAfee ePO console, select Menu | Systems | TIE Reputations.

2 Click the File Search or Certificate Search tab.

3 Search for files or certificates, then use the Actions menu to set enterprise reputation.

For more information about how to change the reputation for a file or certificate, see McAfee Threat Intelligence Exchange Product Guide for your version of the software.

Review the inventory

You can manage and take actions on the software inventory for an endpoint.

Task

For details about product features, usage, and best practices, click ? or Help.

1 On the McAfee ePO console, select Menu | Application Control | Inventory.

2 Perform one of these steps.

• To manage the inventory for all managed endpoints, click the By Applications tab.

• To manage the inventory for a selected endpoint, click the By Systems tab and click View for the relevant endpoint. The inventory for the selected endpoint is listed.

3 Review the applications in the inventory. By default, based on the information received from the configured reputation source, the applications are sorted into Trusted Applications, Malicious Applications, and Unknown Applications categories. The executable files are assigned one of these reputation values.

• Known Trusted

• Most Likely Trusted

• Might be Trusted

• Unknown

• Might be Malicious

• Most Likely Malicious

• Known Malicious

To know about how Application Control determines the final reputation for executable files and certificates, click What's Final Reputation?. The reputation value for a file is color coded to indicate trusted, malicious, or unknown reputation. Values in green indicate that the file is Known Trusted, Most Likely Trusted, or Might be Trusted. Values in orange indicate that the file is unknown. Values in red indicate that the file is Known Malicious, Most Likely Malicious, or Might be Malicious.

Here are some alternate views you can use.

Review all executable files

To view files sorted by name, select the File Name filter, leave the filter blank, and click Search.

Review the final reputation

To view the files and certificates sorted by a final reputation value, select the Final Reputation filter and select a reputation value, then click Search.

Review the certificate

To sort the inventory based on certificates, select the Certificate filter, do not specify a certificate name, and click Search. The applications and files are sorted by the certificate.


Review all files sorted by applications

Select the Application filter, leave the file name filter blank, and click Search. The applications are sorted into Trusted Applications, Malicious Applications, and Unknown Applications categories. For applications with MSI-based installers, applications and files are grouped and categorized by product name and version.

Sort the applications and files based on vendor

Select the Vendor filter, do not specify a vendor name, and click Search. The applications and files are sorted by the vendor. For each vendor, you can view the Trusted, Malicious, and Unknown categories.

4 Review application details (only when you review all files sorted by applications).

a Click Inventory Actions | Application Details to open the Application Details page.

b View the details for the application.

c In the Executable Files pane, review the files associated with the selected application.

d In the Systems pane, review the endpoints where the selected application is present.

e (Optional) Perform any action on the listed endpoints.

f Click Close.

5 (Optional) Apply available filters, create new filters, or search for specific files.

Use seeded filters

Select a value from the Filters list.

• Default View

• Hidden Files

• All Malicious Files

• Allowed Malicious Files

• Allowed Unknown Signed Files

• Allowed Unknown Unsigned Files

• Banned Trusted Files

• Files Discovered in Last Week (Only on By Applications tab)

Create a new filter

1 Select Add Saved Filter from the Filters list.

By default, the Hidden property with Equals comparison, and False value is applied to the Add Saved Filter. This implies that all hidden applications, vendors, and files are not displayed.

2 Select an available property. For example, to identify all unknown applications that are signed, select the Has Certificates and Final Reputation properties.

3 Specify the comparison and value for the property.

• For Has Certificates, set comparison to Equals, and select True.

• For Final Reputation, set comparison to Equals, and select Unknown.

4 Click Update Filter.

Search for specific files, for example search for a file based on its SHA-1, SHA-256, or MD5

Select the File SHA-1, File SHA-256, or File MD5 filter, enter a value, and click Search. The file with the specified SHA-1, SHA-256, or MD5 is displayed.


6 Review the executable files.

When you view files sorted by applications or vendors, the Applications or Vendors pane is displayed. The tree structure helps you navigate and view the files under each category. Select a node in the tree to review associated files in the Executable Files pane. For all other views, only the Executable Files pane is displayed. For each file, the Executable Files pane lists the relevant information.

a Review the reputation information. The reputation information includes values for final reputation, reputation source, and GTI reputation. Possible values for reputation source are TIE, GTI, or Application Control. If you click the TIE value, it opens the TIE Reputations page where you can view details for the selected file. For information about how reputation is computed, see File and certificate reputation.

b Review the time and date when the file was first detected in the enterprise.

The first seen time is based on the time when the file was first fetched after installing or upgrading to the 6.2.0 or later version of the Solidcore extension.

7 Click a file to view these details.

Path Review the full path to the file. Optionally, click Lookup in TIE to open the TIE Reputations page that allows you to view or edit the file reputation.

First seen information

Review the information including date, time, and system name where the file was first detected in the enterprise. The first seen information is based on the time when the file was first fetched after installing or upgrading to the 6.2.0 or later version of the Solidcore extension.

Hash Review the SHA-1, SHA-256, and MD5 information for the file.

Certificate details

• Certificate vendor name — The certificate vendor name for a file is color coded to indicate trusted, malicious, or unknown reputation. Values in green indicate that the certificate is Known Trusted, Most Likely Trusted, or Might be Trusted. Values in orange indicate that the certificate is unknown. Values in red indicate that the certificate is Known Malicious, Most Likely Malicious, or Might be Malicious.

• Certificate name — Click to view certificate details, such as issuer, reputation, reputation source, public key algorithm, and public key length.

• Lookup in TIE — Click to review certificate details on the TIE Certificates Reputations Details page.

Endpoint information

Review the endpoints listed in the File observed on systems pane. The detection time column shows the time when the file was detected on the corresponding system.

Execution status

Review the execution status for the file. The execution status indicates whether the file was allowed or blocked on the endpoint. The execution permission column shows the method by which the execution is allowed or blocked on the endpoint.

Events Click View Events for an endpoint to view its generated events.

8 Click Allow or Ban to allow or block the file on an endpoint.

Optimize your inventory view

To optimize your view, hide or show inventory items, such as applications, executable files, and vendors.

You can hide all non-relevant items from the Applications, Vendors, and Executable Files pane. Also, you can show (unhide) hidden items to allow them to appear on their respective panes, as needed.


Task

For details about product features, usage, and best practices, click ? or Help.

1 On the McAfee ePO console, select Menu | Application Control | Inventory.

2 Make sure that the By Applications tab is selected.

3 Optimize your inventory view by hiding inventory items.

a Hide the non-relevant inventory items.

Inventory item Steps

Applications 1 Select applications from the Applications pane.

2 Click Inventory Actions | Hide Applications.

Executable files 1 Select the File Name filter, leave the filter blank, and click Search.

2 Select files from the Executable Files pane.

3 Click Actions | Hide Files.

Vendors 1 Select the Vendor filter, do not specify a vendor name, and click Search.

2 Select vendors from the Vendors pane.

3 Click Inventory Actions | Hide Vendor.

This action hides the selected inventory item from the pane and all applicable seeded filters (except the Hidden Files filter). Based on your selection, the corresponding dependent or associated inventory items are also hidden.

• When you hide an application, all files for that application are also hidden.

• When you update a hidden application, any new files added by the application are automatically hidden.

• When you hide all files for an application, the application is also hidden.

• When you hide a vendor, all its applications and files are also hidden.

Also, all hidden files for which the reputation is malicious are listed in the All Malicious Files view.

b Select the Hidden Files filter and review the Applications, Executable Files, and Vendors pane for hidden applications, files, and vendors, respectively.

4 Show (unhide) the hidden inventory items.

a Select the Hidden Files filter to view the hidden inventory items.

b Show the inventory items.


Inventory item Steps

Applications 1 Select an application.

2 Click Inventory Actions | Show Applications.

Executable files 1 Select the File Name filter, leave the filter blank, and click Search.

2 Select files from the Executable Files pane.

3 Click Actions | Show Files.

Vendors 1 Select the Vendor filter, do not specify a vendor name, and click Search.

2 Select vendors from the Vendors pane.

3 Click Inventory Actions | Show Vendor.

This action shows the selected inventory item so that it appears in all applicable seeded filters (except the Hidden Files filter). Based on your selection, the corresponding dependent or associated inventory items are also unhidden.

• When you show an application, all files for that application are also unhidden.

• When you show a file for a hidden application, the application is unhidden and appears in the Applications pane. Use the Default View filter to view all unhidden applications.

When viewing results for the Allowed Malicious Files or All Malicious Files filter, you can use the available options to show or hide applications, vendors, or files. Any action taken to show or hide inventory items is effectively applied, but the actions do not reflect accurately on the user interface. For example, if you hide an application, it continues to show in the Applications pane for the All Malicious Files filter.

Manage the inventory

Application Control sorts your inventory items based on reputation received from the configured reputation source.

Before you begin

To review and manage inventory items for all systems in your setup, you must be a McAfee ePO administrator. If you are a non-global administrator, you can only review and manage inventory items for systems for which you have the required permissions. If you need permissions to manage enterprise-wide inventory items, contact the McAfee ePO administrator.

If a reputation source is configured in your environment, Application Control sorts the applications and files into these categories.

Applications: Trusted
Files: Known Trusted, Most Likely Trusted, Might be Trusted
Description: Includes trusted inventory items with Known Trusted, Most Likely Trusted, and Might be Trusted reputations, as received from the reputation source (effectively creating the whitelist for your enterprise). Because these are trusted files, you do not need to perform extensive management activities for these files. If your organization wants to disallow a trusted file, you can block it.

Applications: Malicious
Files: Known Malicious, Most Likely Malicious, Might be Malicious
Description: Includes malware or malicious inventory items with Known Malicious, Most Likely Malicious, and Might be Malicious reputations, as received from the reputation source (effectively creating the blacklist for your enterprise). Because these applications are malicious files, usually, you must block these applications. If needed, you can recategorize any in-house or trusted applications in the malicious list as a trusted file.

Applications: Unknown
Files: Unknown
Description: Includes inventory items with unknown reputation or items that are not synchronized with the reputation source (effectively creating the graylist for your enterprise). You must routinely review and manage the graylist for your enterprise to keep it to a minimum size (ideally zero). You might need to reclassify internally developed, recognized, or trusted (from a reputed vendor) files that are currently in the unknown list.

Any pre-existing advanced persistent threat (APT) resides in the graylist or unknown category.

Task

For details about product features, usage, and best practices, click ? or Help.

1 Perform one of these steps.

• To manage the inventory for all managed endpoints, navigate to Menu | Application Control | Inventory | By Applications.

• To manage the inventory for a selected endpoint, navigate to Menu | Application Control | Inventory | By Systems and click View for the relevant endpoint.

2 Prevent malicious executable files or script files from running.

a Select the files to block.

b Select Actions | Ban Files to open the Allow or Ban Files wizard.

c Specify the rule group for the rules.

• To add the rules to an existing rule group, select Add to Existing Rule Group, select the rule group from the list, and specify the operating system.

• To create a rule group with the rules, select Create a New Rule Group, enter the rule group name, and specify the operating system.

You can define rules to allow or ban a file based on both SHA-1 and SHA-256 values of the file.

d Click Next.

e Review the rules, then click Save.

3 Allow trusted executable files or script files to run.

a Select the files to allow.

b Select Actions | Allow Files to open the Allow or Ban Files wizard.


c Perform one of these steps.

• To allow the file only on the selected endpoint, add the file to the whitelist of the endpoint by selecting Add Files to Whitelist. This option is available only if you are managing the inventory for an endpoint (by clicking the View link for an endpoint on the By Systems page).

• To allow the file on multiple endpoints, add the rules to a rule group.

Add the rules to an existing rule group.
Select Add to Existing Rule Group, select the rule group from the list, and specify the operating system.

Create a rule group with the rules.
Select Create a New Rule Group, enter the rule group name, and specify the operating system.

d Click Next.

e Review the rules, then click Save.

4 Recategorize an unknown executable file or script file as a trusted file by editing the reputation by Application Control for the file.

a Select the files.

b Select Actions | Set Reputation by Application Control to open the Set Reputation by Application Control window.

c Select the reputation value.

When edited, the reputation by Application Control for a file overrides the File Hash Reputation (GTI) for the file.

5 Add the updated rule group to the policies applied to the endpoints.
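The categorization table above, the seeded filters and Add Saved Filter steps from Review the inventory, and the rule that an edited reputation by Application Control overrides the GTI value, modelled together as an added Python example (not McAfee's code). The inventory record layout, the "Allowed"/"Blocked" execution status spellings, and the reading of "Allowed" and "Banned" in the filter names as the file's execution status are assumptions.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Optional, Tuple

# Reputation values exactly as the guide lists them.
TRUSTED = {"Known Trusted", "Most Likely Trusted", "Might be Trusted"}
MALICIOUS = {"Known Malicious", "Most Likely Malicious", "Might be Malicious"}
UNKNOWN = "Unknown"


@dataclass
class InventoryFile:
    path: str
    sha1: str                            # constructed sample value, not a real hash
    has_certificates: bool               # the Has Certificates property (file is signed)
    gti_reputation: Optional[str]        # File Hash Reputation (GTI); None if never fetched
    ac_reputation: Optional[str] = None  # value set with Set Reputation by Application Control
    execution_status: str = "Allowed"    # "Allowed" or "Blocked" (assumed spellings)
    hidden: bool = False                 # the Hidden property


def final_reputation(f: InventoryFile) -> str:
    """An edited reputation by Application Control overrides the GTI value.
    A file with neither value lands in the graylist as Unknown."""
    rep = f.ac_reputation or f.gti_reputation or UNKNOWN
    if rep not in TRUSTED and rep not in MALICIOUS and rep != UNKNOWN:
        raise ValueError(f"unexpected reputation value {rep!r}")
    return rep


def category(f: InventoryFile) -> str:
    """Trusted (whitelist), Malicious (blacklist) or Unknown (graylist)."""
    rep = final_reputation(f)
    if rep in TRUSTED:
        return "Trusted"
    if rep in MALICIOUS:
        return "Malicious"
    return "Unknown"


# Seeded filters. "Allowed" and "Banned" are assumed to refer to the file's
# execution status on the endpoint.
SEEDED_FILTERS: Dict[str, Callable[[InventoryFile], bool]] = {
    "All Malicious Files": lambda f: category(f) == "Malicious",
    "Allowed Malicious Files": lambda f: category(f) == "Malicious"
    and f.execution_status == "Allowed",
    "Allowed Unknown Signed Files": lambda f: category(f) == "Unknown"
    and f.execution_status == "Allowed" and f.has_certificates,
    "Allowed Unknown Unsigned Files": lambda f: category(f) == "Unknown"
    and f.execution_status == "Allowed" and not f.has_certificates,
    "Banned Trusted Files": lambda f: category(f) == "Trusted"
    and f.execution_status == "Blocked",
}
# Hidden items drop out of the seeded filters, except that the guide keeps
# hidden malicious files in the All Malicious Files view.
SHOW_HIDDEN = {"All Malicious Files"}


def apply_seeded_filter(name: str, files: Iterable[InventoryFile]) -> List[str]:
    """Return the sorted paths that a seeded filter would display."""
    if name == "Hidden Files":
        return sorted(f.path for f in files if f.hidden)
    pred = SEEDED_FILTERS[name]
    return sorted(f.path for f in files
                  if (name in SHOW_HIDDEN or not f.hidden) and pred(f))


# Properties that Add Saved Filter can test, all with the Equals comparison.
PROPERTIES: Dict[str, Callable[[InventoryFile], object]] = {
    "Hidden": lambda f: f.hidden,
    "Has Certificates": lambda f: f.has_certificates,
    "Final Reputation": final_reputation,
}


def apply_saved_filter(conditions: List[Tuple[str, object]],
                       files: Iterable[InventoryFile]) -> List[str]:
    """Evaluate a saved filter: every (property, value) pair must be Equal.
    The default condition Hidden Equals False is always applied first."""
    conds = [("Hidden", False)] + list(conditions)
    return sorted(f.path for f in files
                  if all(PROPERTIES[p](f) == v for p, v in conds))


def graylist(files: Iterable[InventoryFile]) -> List[str]:
    """Files still in the Unknown category; the guide's target size is zero."""
    return sorted(f.path for f in files if category(f) == "Unknown")


# Constructed sample inventory (paths and hashes are made up).
SAMPLE = [
    InventoryFile(r"C:\Program Files\Vendor\app.exe", "a1", True, "Known Trusted"),
    InventoryFile(r"C:\Users\alice\Downloads\tool.exe", "b2", True, None),
    InventoryFile(r"C:\Users\bob\Temp\dropper.exe", "c3", False, "Might be Malicious"),
    InventoryFile(r"C:\build\inhouse.exe", "d4", False, UNKNOWN,
                  ac_reputation="Most Likely Trusted"),   # recategorized in-house file
    InventoryFile(r"C:\legacy\oldtool.exe", "e5", True, "Most Likely Trusted",
                  execution_status="Blocked"),            # banned trusted file
    InventoryFile(r"C:\Windows\Temp\stale.exe", "f6", False, "Known Malicious",
                  hidden=True),                           # hidden malicious file
]
```

The saved filter with Has Certificates Equals True and Final Reputation Equals Unknown returns exactly the unknown signed files, which is the review set the guide's step 2 example targets.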

Specify filters for inventory data

Specify advanced exclusion filters to exclude non-meaningful inventory data from the endpoints.

Task

For details about product features, usage, and best practices, click ? or Help.

1 On the McAfee ePO console, create or modify an Application Control policy or rule group.

2 Select the Filters tab and expand Inventory.

3 Click Add Rule.

A new filter row appears. You can create filters based on file, file type, application, application version, application vendor, and file signed by certificate (Microsoft certificate only).

When you create a filter to exclude inventory items based on the application name, version, or vendor, the filter works on the embedded values associated with the application.

4 Edit the settings to specify the filter.

5 Click + or Add Rule to specify more AND or OR conditions, respectively.

6 Click Save.


Set the base image

Set the base image for your enterprise to create an approved repository of known applications.

If the inventory for an endpoint in your setup includes known and trusted applications, you can set it as a base image for your enterprise. This creates an approved repository of known applications, including internally developed, recognized, or trusted (from a reputed vendor) applications. Also, this makes management of desktop systems easier by verifying the corporate applications.

Task

For details about product features, usage, and best practices, click ? or Help.

1 On the McAfee ePO console, select Menu | Application Control | Inventory | By Systems to display the endpoints in your setup.

2 Navigate to the endpoint where the known and trusted applications exist.

3 Select Mark Trusted for the endpoint.

This recategorizes all unknown executables (binaries, libraries, and drivers) and scripts on the endpoint as trusted files and edits the enterprise trust level for the files. No changes are made to the malicious executable file or script files on the endpoint.

You can also perform this action from the Systems page. Select the endpoint on the Menu | Systems | System Tree | Systems page and click Actions | Application Control | Mark Trusted.

Compare the inventory

Image deviation is used to compare the inventory of an endpoint with the inventory that is fetched from a designated gold system. This helps you to track the inventory present on an endpoint and identify any differences that occur.

This feature is available on both Windows and Linux operating systems. To accomplish this, complete these steps.

Task

For details about product features, usage, and best practices, click ? or Help.

1 Fetch the inventory for your gold host. For detailed information, see Fetch the inventory.

2 Fetch the inventory for the endpoint. For detailed information, see Fetch the inventory.

3 Review the Menu | Automation | Solidcore Client Task Log page to make sure that both client tasks completed successfully.

4 Compare the inventory of the gold host with the inventory of the endpoint. This is known as Image Deviation.

5 Review the comparison results.

Tasks

• Run the inventory comparison on page 156
Compare the inventory of the gold host with the inventory of an endpoint.

• Review the comparison results on page 156
Review the results of inventory comparison (image deviation).


Run the inventory comparison

Compare the inventory of the gold host with the inventory of an endpoint.

Task

For details about product features, usage, and best practices, click ? or Help.

1 On the McAfee ePO console, select Menu | Automation | Server Tasks.

2 Click Actions | New Task to open the Server Task Builder wizard.

3 Type the task name, then click Next.

4 Select Solidcore: Run Image Deviation from the Actions drop-down list.

5 Specify the gold system.

6 Configure these options to select the endpoint to compare with the gold system.

• Systems to compare with Gold System — Click Add to search for the endpoint that you want to compare with the gold system. Type the name of the endpoint in the System Name field and click Search.

• Groups to compare with Gold System — Click Add to search for the group that you want to compare with the gold system. Type the name of the group in the Group Name field and click Search.

• Include Systems with Tags — Click Add to search for endpoints based on their tag names. Type the tag name in the Tag Name field and click Search.

• Exclude Systems with Tags — Click Add to search for endpoints based on their tag names. Type the tag name in the Tag Name field and click Search. Select the required tag from the search result. All endpoints with the selected tags are excluded from comparison with the gold system.

7 Click Next to open the Schedule page.

8 Specify the schedule for the task.

9 Click Next to open the Summary page.

10 Review the task summary, then click Save.

11 Run the server task immediately to instantly review the comparison results.

Review the comparison results

Review the results of inventory comparison (image deviation).

Task

For details about product features, usage, and best practices, click ? or Help.

1 On the McAfee ePO console, select Menu | Application Control | Image Deviation.

2 Locate the comparison of the gold host and endpoint.

To quickly find the corresponding row, enter the endpoint name in the Search Target System field, then click Search.

3 Click Show Deviations.


4 Review the comparison details.

• Select the view type. You can organize the results based on applications or executable files.

• Use the available filters to sort the results. Using the filters, you can view new (added), modified, and removed (missing) files. Use the Execution Status Mismatch filter to view files with changes to the execution status. Use the path filter to sort the results based on the file path.
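The comparison behind image deviation, as an added Python example (not the product's code): it sorts each path into the added, modified, removed, and execution status mismatch classes listed above, applies the path filter, and groups results by application. The inventory record layout, the "Allowed"/"Blocked" status spellings, and case-insensitive path matching for Windows endpoints are assumptions.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Entry:
    """One inventory record: the file's SHA-1 and its execution status."""
    sha1: str              # constructed sample values below, not real hashes
    execution_status: str  # "Allowed" or "Blocked" (assumed spellings)
    application: str = ""  # product the file belongs to, for the application view


Inventory = Dict[str, Entry]  # keyed by full file path


@dataclass(frozen=True)
class Deviation:
    path: str
    kind: str  # "added", "modified", "removed" or "execution_status_mismatch"
    gold: Optional[Entry]
    target: Optional[Entry]


def _normalize(path: str, case_insensitive: bool) -> str:
    # Windows paths compare case-insensitively; Linux paths do not.
    return path.lower() if case_insensitive else path


def image_deviation(gold: Inventory, target: Inventory,
                    case_insensitive: bool = True) -> List[Deviation]:
    """Compare the target endpoint's inventory against the gold system's.

    added:    present on the target only (new file)
    removed:  present on the gold system only (missing on the target)
    modified: same path on both sides, different SHA-1
    execution_status_mismatch: same path on both sides, different status
    A file can be both modified and status-mismatched; both are reported.
    """
    g_index = {_normalize(p, case_insensitive): (p, e) for p, e in gold.items()}
    t_index = {_normalize(p, case_insensitive): (p, e) for p, e in target.items()}
    devs: List[Deviation] = []
    for key in sorted(set(g_index) | set(t_index)):
        g = g_index.get(key)
        t = t_index.get(key)
        if g is None:
            devs.append(Deviation(t[0], "added", None, t[1]))
        elif t is None:
            devs.append(Deviation(g[0], "removed", g[1], None))
        else:
            if g[1].sha1 != t[1].sha1:
                devs.append(Deviation(t[0], "modified", g[1], t[1]))
            if g[1].execution_status != t[1].execution_status:
                devs.append(Deviation(t[0], "execution_status_mismatch", g[1], t[1]))
    return devs


def filter_deviations(devs: List[Deviation], kind: Optional[str] = None,
                      path_prefix: Optional[str] = None,
                      case_insensitive: bool = True) -> List[Deviation]:
    """The guide's filters: by deviation kind and by file path prefix."""
    out = []
    for d in devs:
        if kind is not None and d.kind != kind:
            continue
        if path_prefix is not None and not _normalize(d.path, case_insensitive).startswith(
                _normalize(path_prefix, case_insensitive)):
            continue
        out.append(d)
    return out


def summarize(devs: List[Deviation]) -> Dict[str, int]:
    """Count of deviations per kind, a quick triage view of the result."""
    return dict(Counter(d.kind for d in devs))


def by_application(devs: List[Deviation]) -> Dict[str, List[str]]:
    """Organize results by application, as the application view does."""
    groups: Dict[str, List[str]] = {}
    for d in devs:
        app = (d.target or d.gold).application or "(unknown application)"
        groups.setdefault(app, []).append(f"{d.kind}: {d.path}")
    return groups


# Constructed gold and target inventories (paths, hashes and products are made up).
GOLD: Inventory = {
    r"C:\Program Files\Vendor\app.exe": Entry("1111", "Allowed", "Vendor App 2.1"),
    r"C:\Program Files\Vendor\helper.dll": Entry("2222", "Allowed", "Vendor App 2.1"),
    r"C:\Windows\System32\drivers\corp.sys": Entry("3333", "Allowed", "Corp Agent 1.0"),
    r"C:\Tools\legacy.exe": Entry("4444", "Blocked", "Legacy Tool 1.0"),
}
TARGET: Inventory = {
    r"c:\program files\vendor\App.exe": Entry("1111", "Allowed", "Vendor App 2.1"),  # same file, different case
    r"C:\Program Files\Vendor\helper.dll": Entry("2b2b", "Allowed", "Vendor App 2.1"),  # modified
    r"C:\Tools\legacy.exe": Entry("4444", "Allowed", "Legacy Tool 1.0"),  # status mismatch
    r"C:\Users\alice\Downloads\extra.exe": Entry("5555", "Allowed", "Unknown Tool"),  # added
    # corp.sys is absent: removed
}
```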


11 Managing approval requests

Application Control prevents any new or unknown applications from running on protected endpoints. When the self-approval feature is enabled and users try to run an unknown or new application on a protected endpoint, they are prompted to approve or deny the application execution.

Contents

What is self-approval?
Enable self-approval on endpoints
Configure the feature
Policy discovery permissions
Review requests
Process requests
Review created rules

What is self-approval?

For any application or executable file for which the reputation is unknown or execution is blocked (for reasons other than Application Control ban by name, SHA-1, or SHA-256 rules), users can approve the execution and run the application on the endpoint. When a user approves the execution, the business need or justification, if any, provided by the user for running the application is sent to the McAfee ePO administrator. The administrator reviews the approval request and can define rules to allow or ban the application for one or all endpoints in the enterprise.

The rules that are applied through policies have precedence over the self-approval feature. For example, if the self-approval feature is enabled and the user tries to run an application that is banned through a policy, the user is not prompted to take any action for the application. Also, you cannot self-approve and perform any actions that are prevented by Application Control memory-protection techniques.

The self-approval feature is available for binary or executable files, scripts, installers, ActiveX controls, and supported files that you run from network shares and removable devices. This feature is available on all supported Windows platforms except Windows NT, Windows 2000, and Windows 2003 (IA-64 platform). This feature is not available on the Linux platform. This diagram details the self-approval feature.


Although the self-approval feature is available in Limited Feature Activation mode, use this feature in Full Feature Activation mode (after restarting the endpoints). This is because this feature requires patching of some system libraries and patching might require a restart to work effectively.

Enable self-approval on endpoints

By default, the self-approval feature is disabled on endpoints. You can configure a policy to enable this feature on selected endpoints.

After the feature is enabled, users can approve an unknown or new application on a protected endpoint and run it.

Task

For details about product features, usage, and best practices, click ? or Help.

1 On the McAfee ePO console, select Menu | Policy | Policy Catalog.

2 Select the Solidcore 8.0.0: Application Control product.

3 Select the Application Control Options (Windows) category.

4 Click the My Default policy to edit it.

By default, the My Default policy is applied to all endpoints in your enterprise. To enable the self-approval feature for selected endpoints, duplicate the My Default policy, edit the settings, and apply the policy to only the relevant endpoints.


5 Select Enable Self-Approval.

6 (Optional) Specify the message to display to the users on the endpoints when they try to run a new or unknown application.

The specified text is displayed on the endpoint in the McAfee Application Control - Self-Approval dialog box.

7 Specify a timeout value for the McAfee Application Control - Self-Approval dialog box.

The specified value determines the duration for which the McAfee Application Control - Self-Approval dialog box is displayed on the endpoint after an action is performed by the user. If the user does not take an action in the specified time, the action is automatically denied and the McAfee Application Control - Self-Approval dialog box closes.

8 Specify whether it is mandatory or optional for the user to provide a business need while allowing an action on the endpoint.

9 (Optional) Specify the advanced options.

If you select this option, all applications that run on the system while it is booting or when an interactive session is unavailable are allowed to execute.

10 Save the policy and apply it to endpoints.

After the policy is applied, the self-approval feature is enabled on the endpoints.

11 When users try to run a new application on the endpoints, the McAfee Application Control - Self-Approval dialog box indicates that execution of the application has been detected and prompts the user to take an action.

For trusted and malicious executable files and certificates, execution is determined based on reputation received from the configured reputation source. So, the McAfee Application Control - Self-Approval dialog box is not displayed for trusted and malicious files. But, if the file or certificate reputation is unknown, the McAfee Application Control - Self-Approval dialog box prompts the user to take an action. Perform one of these tasks:

• Provide a justification (if mandatory) and click Allow to allow the action immediately. When you choose to self-approve the action, an approval request is sent to the administrator, who reviews the provided justification to determine whether to allow or ban the action for one or more endpoints in the enterprise. The McAfee ePO administrator allows the action only if it is in accordance with the corporate policies and the application is trusted and known.

• Click Deny to deny the action. Users can deny the action when it is not user-initiated or the changes seem irrelevant. The deny action is event-specific. If the same event is generated again, the user is prompted again to take an action.

Users can review the event notifications and request approval for certain actions.

1 Right-click the McAfee Agent icon in the notification area on the endpoint.

2 Select Quick Settings | Application and Change Control Events.

3 In the Application and Change Control Events window, review the events.

4 Request approval for an action from the McAfee ePO administrator by selecting the event and clicking Request Approval. The McAfee ePO administrator receives an email including all relevant event details and a link. The administrator can click the link to open the needed event in the Solidcore Events page and define needed rules.


Configure the feature

Review and edit the list of generic launcher processes and restricted certificate names.

You can configure these settings for the feature.

• Generic launcher processes — Certain processes on the Windows operating system, such as explorer.exe and iexplore.exe, start other processes and can be used to start any software. Such processes are referred to as generic launcher processes and must never be configured as updaters. A predefined list of such processes is available on the Application Control configuration interface. You can review and edit the list of generic launcher processes. No updater rules are generated for generic launcher processes at the endpoints.

• Restricted certificate names — Certificates from certain vendors such as Microsoft are associated with multiple commonly used applications. They should not be used to define rules based on the certificate. A predefined list of such certificates is available on the Application Control configuration interface. You can review and edit the list of restricted certificate names. If the file in a request is signed by one of these certificates, you cannot create rules based on the certificate associated with the file.

Task

For details about product features, usage, and best practices, click ? or Help.

1 On the McAfee ePO console, select Menu | Configuration | Server Settings | Solidcore.

2 Review and edit the list of generic launcher processes.

a Review the processes listed in the Generic launcher processes field.

b Click Edit to update the list.

c Add the process name to the end of this list (separated by a comma), then click Save.

3 Review and edit the list of restricted certificates.

a Review the names listed in the Restricted certificate names field.

b Click Edit to update the list.

c Add the vendor name to the end of this list (separated by a comma), then click Save.

For example, to prevent creation of rules based on the Microsoft certificate, add Microsoft to the list. Use the value listed in the ISSUED TO field of the certificate.

Policy discovery permissions

By default, non-global administrators can view, manage, and delete requests generated only by endpoints in their associated group (within My Organization).

If you review request details on the Request Details page, the number of requests listed in the Enterprise Level Activity pane might be less than the value displayed in the Global Prevalence column on the Policy Discovery page. This is because the Global Prevalence column indicates the enterprise-wide prevalence for the requests regardless of any groups. For example, if a request is generated by two systems in different groups across the enterprise, the value in the Global Prevalence column is 2. However, because non-global administrators can only view the requests generated for their group, the non-global administrator might see only one request generated by the system in their group in the Enterprise Level Activity pane.

The McAfee ePO administrator can review and manage all requests generated in the enterprise (My Organization). Also, the McAfee ePO administrator can add rules to any rule group, and provide permissions to all non-global administrators to review and take custom actions on the requests generated in the enterprise.

If you are a non-global administrator, you can add rules (for a request) to only the rule groups that you own. Rule groups that you do not own are not displayed on the Policy Discovery: Custom Rules page. Also, if you take an action for a request, the action does not impact the same request generated by the system in a different group.

Allow non-global administrators to manage enterprise-wide requests

If you are a McAfee ePO administrator, you can assign permissions to all non-global administrators (who have access to groups in My Organization) to review and manage requests generated in your enterprise.

Task

For details about product features, usage, and best practices, click ? or Help.

1 On the McAfee ePO console, select Menu | Configuration | Server Settings.

2 From the Setting Categories pane, select Solidcore, then click Edit to open the Edit Solidcore page.

3 Change the value of Allow group administrators to manage Policy Discovery requests for entire System Tree to Yes (overrides System Tree group access permissions).

4 Click Save.

All non-global administrators are allowed to review and take custom actions on enterprise-wide requests. Non-global administrators cannot perform global actions.

Review requests

Review the requests received from the endpoints. On the Solidcore: Health Monitoring dashboard, check the Top 10 Pending Policy Discovery Requests monitor to take notice of the data that might require immediate action. For information about the Solidcore: Health Monitoring dashboard, see Monitor enterprise health.

Task

For details about product features, usage, and best practices, click ? or Help.

1 On the McAfee ePO console, select Menu | Application Control | Policy Discovery to open the Policy Discovery page.

After the requests are received from the endpoints, Application Control collates and groups requests based on these parameters.

• SHA-1 value of the executable file or .cab file (if there is a request for an ActiveX control) for which the request is received

Although Application Control supports the SHA-256 value of files, only SHA-1 values are used for collating and grouping requests on the Policy Discovery page.

• Status of the request

The Activity field for each request indicates the action performed by the user on the endpoint. For example, if the user installs an MSI-based software, the Activity field lists Software Installation for the request.

2 Review the listed requests using one of these methods.

• Specific interval — Select an option from the Time Filter list and click Update Results to view requests received in a specific interval.

• Request status — Select a value for the request status from the Approval Status list and click Update Results to view requests that match the selected status.

• Activity — Select a value from the Activity list and click Update Results to view requests for a certain activity.

• Reputation — Select a value from the Final Reputation list and click Update Results to view requests for files that match the selected reputation level. For more information about how the software determines final reputation for files or certificates, click What's Final Reputation.

• Specific endpoint — Enter an endpoint name in the System Name field and click Update Results to view requests received from the endpoint. Make sure that you specify the complete system name because no partial matches are performed.

• Multiple criteria — Specify values for the Time Filter, Approval Status, Activity, Final Reputation, and System Name fields, as needed, and click Update Results to perform a search based on multiple criteria.

• Specific search string — Enter a search string in the Quick find field and click Apply to view requests that match the specified search string. Partial matches are performed based on the text you specify.

You can enter a User Comments field value as a search string. For information about how to run queries on User Comments, see Specify filters on User Comments.

• Sort — Sort the list based on the global prevalence, execution time, activity, object name, application name, certificate, final reputation, or reputation source by clicking the column heading.

• Selected requests — Select requests of interest and click Show selected rows to review only the selected requests.

The Policy Discovery page lists only the requests for which the McAfee ePO administrator can make rules. To view other requests, such as those for software uninstall, run the Self-Approval Audit Report query. This report lists all requests received from the endpoints in the last month. For information about how to run queries, see View queries.

3 (Optional) Record additional information for a request.

a Perform one of these steps:

• To add user comments for one request, click the Add a comment link.

• To add user comments for multiple requests, select the events and click Actions | Add Comments.

The Add Comments dialog box appears.

b Enter your comments.

c Click OK.


4 Review individual requests that make up a collated request and detailed information for the file.

a Click a row to open the Request Details page.

b Review file details, such as name, version, path, parent process, files changed, and final reputation.

c Review the SHA-1, SHA-256, and MD5 information for the file.

d Click the file SHA-1 to review file details on the File Details page.

e Review the certificate vendor name for the file. The certificate vendor name for a file is color-coded to indicate trusted (green), malicious (red), or unknown (orange) reputation.

f Click the certificate name to view certificate details, such as issuer, certificate reputation, reputation source, public key algorithm, public key length, public key hash, certificate hash, valid from, and valid to.

g Review the individual requests that make up the collated request in the Enterprise Level Activity pane.

h Click Close.

Process requests

Process the received requests for your administered groups by taking relevant actions for the requests. If you are a McAfee ePO administrator, you can process the received requests for the enterprise.

Review each request and determine the action to take for the request. For each request, information about the final reputation, reputation source, SHA-1, SHA-256, certificate, and global prevalence is also available to help you take relevant actions.

The reputation value for a file is color-coded to indicate trusted, malicious, and unknown reputation:

• Values in green indicate that the file is Known Trusted, Most Likely Trusted, or Might be Trusted.

• Values in orange indicate that the file is unknown.

• Values in red indicate that the file is Known Malicious, Most Likely Malicious, or Might be Malicious.

• Values in grey indicate that the reputation value is Not applicable (only for network path execution requests).

The reputation source indicates the source from which the reputation is fetched. Possible values for reputation source are TIE, GTI, Application Control, Not synchronized, or Not Applicable. If you click the TIE value, it opens the TIE Reputations page, where you can view relevant details for the selected file. For more information about how the reputation is computed, see File and certificate reputation.
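The collation and permission behaviour described in the Policy discovery permissions, Review requests, and Process requests sections (grouping by SHA-1 and status, Global Prevalence versus what a non-global administrator sees, the reputation colour codes, and the restricted-certificate and generic-launcher checks), as an added Python model that is not McAfee's code. The Request fields, the sample requests, and the list entries other than explorer.exe, iexplore.exe, and Microsoft are assumptions made for this example.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Final-reputation values named in the guide, grouped by the colour the
# Request Details page uses for them.
TRUSTED = {"Known Trusted", "Most Likely Trusted", "Might be Trusted"}
MALICIOUS = {"Known Malicious", "Most Likely Malicious", "Might be Malicious"}

# Server-setting lists from Menu | Configuration | Server Settings | Solidcore.
# explorer.exe, iexplore.exe and Microsoft are the guide's own entries.
GENERIC_LAUNCHER_PROCESSES = {"explorer.exe", "iexplore.exe"}
RESTRICTED_CERTIFICATE_NAMES = {"Microsoft"}


@dataclass(frozen=True)
class Request:
    """One self-approval request as reported by an endpoint (assumed fields)."""
    system: str
    group: str                     # System Tree group of the endpoint
    sha1: str
    sha256: str
    status: str                    # e.g. "Pending"
    activity: str                  # e.g. "Application Execution"
    final_reputation: str
    cert_issued_to: Optional[str]  # ISSUED TO field of the signing certificate


def reputation_color(final_reputation: str) -> str:
    """Colour-code a reputation value the way the Request Details page does."""
    if final_reputation in TRUSTED:
        return "green"
    if final_reputation in MALICIOUS:
        return "red"
    if final_reputation == "Not applicable":
        return "grey"
    return "orange"  # unknown reputation


def collate(requests: List[Request],
            admin_group: Optional[str] = None) -> Dict[Tuple[str, str], dict]:
    """Group requests by (SHA-1, status) as the Policy Discovery page does.

    SHA-256 is deliberately not part of the key. global_prevalence counts
    every endpoint in the enterprise regardless of group; visible counts only
    the requests a non-global administrator of admin_group would see in the
    Enterprise Level Activity pane (None models the McAfee ePO administrator).
    """
    buckets: Dict[Tuple[str, str], List[Request]] = defaultdict(list)
    for req in requests:
        buckets[(req.sha1, req.status)].append(req)

    view = {}
    for key, items in buckets.items():
        visible = [r for r in items
                   if admin_group is None or r.group == admin_group]
        if not visible:
            continue  # no endpoint in this admin's group raised the request
        view[key] = {
            "global_prevalence": len(items),
            "visible": len(visible),
            "activity": items[0].activity,
            "reputation_color": reputation_color(items[0].final_reputation),
            "systems": sorted(r.system for r in visible),
        }
    return view


def allow_by_certificate_available(req: Request) -> bool:
    """Allow by Certificate Globally is unavailable when the main executable
    is signed by a certificate on the Restricted certificate names list."""
    return (req.cert_issued_to is not None
            and req.cert_issued_to not in RESTRICTED_CERTIFICATE_NAMES)


def updater_rule_permitted(process_name: str) -> bool:
    """Generic launcher processes must never be configured as updaters."""
    return process_name.lower() not in GENERIC_LAUNCHER_PROCESSES


# Constructed sample: one binary run on endpoints in two different groups,
# plus a Microsoft-signed installer on a third endpoint. Hashes are dummies.
SHA1_A, SHA1_B = "aa" * 20, "bb" * 20
SAMPLE_REQUESTS = [
    Request("FIN-PC01", "Finance", SHA1_A, "11" * 32, "Pending",
            "Application Execution", "Unknown", "Example Vendor"),
    Request("ENG-PC07", "Engineering", SHA1_A, "11" * 32, "Pending",
            "Application Execution", "Unknown", "Example Vendor"),
    Request("FIN-PC02", "Finance", SHA1_B, "22" * 32, "Pending",
            "Software Installation", "Unknown", "Microsoft"),
]

if __name__ == "__main__":
    for admin in (None, "Finance", "Engineering"):
        who = "McAfee ePO administrator" if admin is None else f"{admin} admin"
        for (sha1, status), info in collate(SAMPLE_REQUESTS, admin).items():
            print(f"{who}: {sha1[:8]} {status} "
                  f"prevalence={info['global_prevalence']} "
                  f"visible={info['visible']} {info['systems']}")
```

Running the block shows the Finance administrator a Global Prevalence of 2 for the shared binary while only FIN-PC01 appears in their Enterprise Level Activity view, and the Engineering administrator never sees the Microsoft-signed request at all.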


Tasks

• Allow the file on all endpoints (page 117): Define rules to allow an application or executable file to run on all endpoints in the enterprise.

• Allow by certificate on all endpoints (page 118): Define rules to allow an application, executable file, or ActiveX control to run on all endpoints in the enterprise based on the certificate associated with the file.

• Ban by SHA-1 or SHA-256 on all endpoints (page 119): Define rules to ban an application or executable file from running on all endpoints in the enterprise based on the SHA-1 or SHA-256 value of the file.

• Define rules for specific endpoints (page 168): Add prepopulated rules to allow or ban an application, executable file, or ActiveX control for specific endpoints in your administered groups. Or, you can define custom rules for specific endpoints or groups, as needed. If you are a McAfee ePO administrator, you can define rules for specific endpoints in your enterprise.

• Allow by adding to whitelist for specific endpoints (page 121): Add one or more executable files to the whitelist of an endpoint to allow the files to run on the endpoint.

• Change file reputation (page 122): Review or edit the reputation for a file on the TIE Reputations page.

• View file details (page 122): Review details for the file.

• View events (page 123): Review the events associated with a request.

• Delete requests (page 123): Remove selected requests from the Policy Discovery page and database.

Allow the file on all endpoints

Define rules to allow an application or executable file to run on all endpoints in the enterprise.

Before you begin

You must be a McAfee ePO administrator to use this task.

Based on activity type, rules are created for the file SHA-1, SHA-256, name, or all. Sometimes, updater privileges are granted to the file. For more information, see Deployment recommendations and guidelines in the McAfee Application Control Best Practices Guide.

Task

For details about product features, usage, and best practices, click ? or Help.

1 On the McAfee ePO console, select Menu | Application Control | Policy Discovery to open the Policy Discovery page.

2 Select the requests for which you want to define rules.

3 Click Actions | Allow File Globally.

The Allow File Globally dialog box provides details and prompts you to confirm the action.

4 Click OK.

Rules are created for the files associated with the selected requests and added to the Global Rules rule group included in the McAfee Default policy. For information about how to view or edit the rules, see Review created rules.


Allow by certificate on all endpoints

Define rules to allow an application, executable file, or ActiveX control to run on all endpoints in the enterprise based on the certificate associated with the file.

Before you begin

You must be a McAfee ePO administrator to use this task.

Task

For details about product features, usage, and best practices, click ? or Help.

1 On the McAfee ePO console, select Menu | Application Control | Policy Discovery to open the Policy Discovery page.

2 Select the request for which you want to define rules.

3 Click Actions | Allow by Certificate Globally.

The Allow by Certificate Globally action is unavailable if the main executable associated with the request is signed by a certificate included in the Restricted certificate names list.

The Allow by Certificate Globally dialog box provides details and prompts you to confirm the action. Based on the file associated with a selected request, the certificate is assigned or not assigned updater privileges. If the certificate has updater privileges, allowing based on certificate allows all applications signed by the certificate to make changes to existing executable files or start new applications on the endpoints.

4 Click OK.

Rules are created for the certificate associated with the selected request and added to the Global Rules rule group included in the McAfee Default policy. For information about how to view or edit the rules, see Review created rules.

Ban by SHA-1 or SHA-256 on all endpoints

Define rules to ban an application or executable file from running on all endpoints in the enterprise based on the SHA-1 or SHA-256 value of the file.

Before you begin

You must be a McAfee ePO administrator to use this task.

Task

For details about product features, usage, and best practices, click ? or Help.

1 On the McAfee ePO console, select Menu | Application Control | Policy Discovery to open the Policy Discovery page.

2 Select the requests for which you want to define rules.

3 Click Actions | Ban File Globally.

The Ban File Globally dialog box provides details and prompts you to confirm the action.


4 Click OK.

Rules are created for the files associated with the selected requests and added to the Global Rules rule group included in the McAfee Default policy. For information about how to view or edit the rules, see Review created rules.

To ban an installer, such as an MSI-based installer, in addition to banning the installer globally (completed in steps 3 and 4), you must also ban the files added by the installer on the endpoint where the installer was executed by completing step 5. For example, if the MSI-based installer for Mozilla Firefox 12 (Firefox-12.0-af.msi) was executed and installed on an endpoint, you must ban the files added by the installer on the endpoint.

5 Ban the files that have already been added to the endpoint.

a Click the application name link.

The Files page lists all executable files installed on the endpoint.

b Select all listed files.

c Click Actions | Ban Files to open the Allow or Ban Files wizard.

d Specify the rule group for the rules.

• To add the rules to an existing rule group, select Add to Existing Rule Group, select the rule group from the list, and specify the operating system.

• To create a rule group with the rules, select Create a New Rule Group, enter the rule group name, and specify the operating system.

e Make sure that the rule group where you add the rules is added to a policy that is applied on the endpoint where the request was received.

f Click Next.

g Review the rules, then click Save.

Banning an installer that is not MSI-based or for which no executable is displayed on the Inventory user interface is also a two-step process. Ban the installer globally to make sure it cannot run on other endpoints in the enterprise (completed in steps 3 and 4). Next, you must manually search for the executable files corresponding to the application and ban the files using the Inventory user interface.

Define rules for specific endpoints

Add prepopulated rules to allow or ban an application, executable file, or ActiveX control for specific endpoints in your administered groups. Or, you can define custom rules for specific endpoints or groups, as needed. If you are a McAfee ePO administrator, you can define rules for specific endpoints in your enterprise.

You must have the required permissions to perform this task. If you do not have the permissions, contact the McAfee ePO administrator. For more information about permissions, see Permissions for rule configuration.

Task

For details about product features, usage, and best practices, click ? or Help.

1 On the McAfee ePO console, select Menu | Application Control | Policy Discovery to open the Policy Discovery page.

2 Select the request for which you want to define custom rules.

3 Click Actions | Create Custom Policy to open the Policy Discovery: Custom Rules page.


4 Perform one of the following.

Review and add prepopulated rules:

1 Select Approve Request, Ban Request, or Allow By Certificate.

2 Review the prepopulated rule.

3 Define more rules, as needed.

Define custom rules:

1 Select Clear and define Rules.

2 Review the displayed request details.

3 Define the relevant rules.

5 Specify the rule group for the rules.

• To add the rules to an existing rule group, select Choose existing and select the rule group from the list.

• To create a rule group with the rules, select Create new and enter the rule group name.

6 (Optional) Add the changed or created rule group to a policy.

a Select Add rule group to existing policy.

b Select the policy where you want to add the rule group.

7 Click Save.

This approves all grouped requests.

Allow by adding to whitelist for specific endpoints

Add one or more executable files to the whitelist of an endpoint to allow the files to run on the endpoint.

Task

For details about product features, usage, and best practices, click ? or Help.

1 On the McAfee ePO console, select Menu | Application Control | Policy Discovery to open the Policy Discovery page.

2 Click a row to review request details in the Request Details page.

Each row in the Enterprise level activity pane represents an executable file and endpoint combination.

3 Click Allow Locally for a row.

The Allow Locally dialog box lists one or more paths to add to the whitelist.

The Allow Locally action is available only for requests that are generated when you execute an application that is not in the whitelist (Application Execution activity).


4 Review and customize the listed paths.

For example, if you execute proc.exe for an endpoint, these paths might be listed.

C:\Program Files\<App Name>\proc.exe

C:\Program Files\<App Name>\a.dll

C:\Program Files\<App Name>\b.dll

To avoid redundancy, add only the C:\Program Files\App Name path.

5 Click OK.

The specified paths are added to the whitelist and allowed to run on the endpoint.

Change file reputation

Review or edit the reputation for a file on the TIE Reputations page.

Task

For details about product features, usage, and best practices, click ? or Help.

1 Perform one of the following.

• On the Solidcore Events page, navigate to an event.

• On the Policy Discovery page, select a request and click Actions | More.

2 Select Change File Reputation (TIE) to open the TIE Reputations page.

3 Review the file information.

4 (Optional) Edit file reputation: click Actions, then select an action.

For information about the available actions, see the Threat Intelligence Exchange Product Guide for your version of the software.

View file details

Review details for the file.

Task

For details about product features, usage, and best practices, click ? or Help.

1 Perform one of the following.

• On the Solidcore Events page, navigate to an event.

• On the Policy Discovery page, select a request and click Actions | More.

2 Select View File Details to open the File Details page.

3 Review the file information.

For more information, see Review the inventory.

View events

Review the events associated with a request.

Task

For details about product features, usage, and best practices, click ? or Help.

1 On the McAfee ePO console, select Menu | Application Control | Policy Discovery to open the Policy Discovery page.

2 Select the request for which to view related events.

3 Click Actions | More | View Related Events to open the Solidcore Events page.

4 Review the event information.

For more information, see Review events and Define rules.

Delete requests

Remove selected requests from the Policy Discovery page and database.

To ensure optimal performance, the Solidcore: Auto Purge Policy Discovery Requests server task is run weekly to purge policy discovery requests older than three months.

Task

For details about product features, usage, and best practices, click ? or Help.

1 On the McAfee ePO console, select Menu | Application Control | Policy Discovery to open the Policy Discovery page.

2 Select the requests to delete.

3 Click Actions | Delete Requests.

4 When prompted to confirm, click OK.

All selected collated requests and contained individual requests are deleted from the page and database.

Review created rules

Review and manage the global rules created for the processed requests.

Before you begin

You must be a McAfee ePO administrator or owner of the Global Rules rule group to use this task.

Task

For details about product features, usage, and best practices, click ? or Help.

1 On the McAfee ePO console, select Menu | Configuration | Solidcore Rules.

2 On the Rule Groups tab, select these options.

• Application Control type.

• Windows platform.

3 Navigate and locate the Global Rules rule group.


4 Click Edit for the rule group.

5 Review the included rules.

6 Edit the defined rules, if needed.

7 Click Save Rule Group.


12 Using dashboards and queries

Use dashboards to view the status of the endpoints and queries to review reports based on the data stored in the McAfee ePO database.

Contents

Dashboards
Queries
View queries

Dashboards

Dashboards are collections of monitors that help you keep an eye on your environment.

Application Control provides these default dashboards.

• Solidcore: Inventory dashboard allows you to observe the inventory for the endpoints

• Solidcore: Application Control dashboard helps you keep a check on the protected endpoints

• Solidcore: Health Monitoring dashboard helps you monitor the health of the protected endpoints in your enterprise

You can create, duplicate, and export dashboards. For more information about working with dashboards, see McAfee ePolicy Orchestrator Product Guide.

Queries

Use the available queries to review information for the endpoints based on the data stored in the McAfee ePO database.

These Application Control and Health Monitoring queries are available from the McAfee ePO console.

Table 12-1 Application Control queries

Query Description

Alerts: Displays all alerts generated in the last 3 months.

Application Control Agent Status: Displays the status of all endpoints with the Application Control license that are managed by the McAfee ePO server. The pie chart categorizes the information based on the client status. Click a segment to review endpoint information.

Attempted Violations in the Last 24 Hours: Displays the attempted violation events detected during the last 24 hours. The line chart plots data on a per-hour basis. Click a value on the chart to review event details.


Attempted Violations in the Last 7 Days: Displays the attempted violation events detected during the last 7 days. The line chart plots data on a per-day basis. Click a value on the chart to review event details.

Non Compliant Solidcore Agents: Lists the endpoints that are currently not compliant. The list is sorted based on the reason for noncompliance. An endpoint can be non-compliant if it:
• Is in Disabled, Observe, or Update mode.
• Is operating in limited feature activation mode.
• Has had local command line interface (CLI) access recovered.

Policy Assignments By System: Lists the number of policies applied on the managed endpoints. Click a system to review information about the applied policies.

Policy Discovery Requests for Automatically-Approved Installations: Lists all files that were identified as installers on the endpoints and executed automatically with installer privileges in the last 1 month.

Self-Approval Audit Report: Displays a list of all approval requests received from the endpoints in the last month.

Solidcore Agent License Report: Indicates the number of Solidcore Agents managed by the McAfee ePO server. The information is categorized based on the license information and further sorted based on the operating system on the endpoint.

Solidcore Agent Status Report: Displays the status of all endpoints managed by the McAfee ePO server. This report combines information for both the Application Control and Change Control licenses. The pie chart categorizes the information based on the client status. Click a segment to review detailed information.

Summary Server Reboot Log - Rolling 30 Days: Displays the reboot log grouped by system name.

Systems for which Inventory Cannot be Fetched Currently: Lists the systems in your enterprise for which inventory information cannot be fetched currently. You cannot fetch inventory for a system if the specified interval between consecutive inventory runs has not been reached. This interval value is configurable.

Systems for which Inventory Information has not been Fetched in Last 1 Month: Lists the systems in your enterprise for which inventory has not been fetched in the last 1 month. We recommend that you fetch inventory weekly.

Top 10 Application Vendors: Displays the top 10 application vendors in the enterprise with the maximum number of applications. The chart includes a bar for each vendor and lists the applications for each vendor. The bar chart sorts the data in descending order. Click a section on a bar on the chart to review detailed information for the associated application.

Top 10 Systems with Most Violations in the Last 24 Hours: Displays the top 10 systems with the maximum number of violations in the last 24 hours. The chart includes a bar for each system and indicates the number of violations for each system. Click a bar on the chart to review detailed information.

Top 10 Systems with Most Violations in the Last 7 Days: Displays the top 10 systems with the maximum number of violations in the last 7 days. The chart includes a bar for each system and indicates the number of violations for each system. Click a bar on the chart to review detailed information.


Top 10 Users with Most Violations in the Last 7 Days: Displays the top 10 users with the most policy violation attempts in the last 7 days. The chart includes a bar for each user and indicates the number of policy violation attempts for each user. The bar chart sorts the data in descending order. Click a bar on the chart to review detailed information.

Top 10 Users with Most Violations in the Last 24 Hours: Displays the top 10 users with the most policy violation attempts in the last 24 hours. The chart includes a bar for each user and indicates the number of policy violation attempts for each user. The bar chart sorts the data in descending order. Click a bar on the chart to review detailed information.

Table 12-2 Health Monitoring queries

Query Description

Client Task Logs Data Congestion Trend in Last 7 Days: Displays the data congestion trend for client task logs in the last 7 days. The line chart plots data on a per-day basis. Click a value on the chart to review details.

Inventory Data Congestion Trend in Last 7 Days: Displays the data congestion trend for inventory in the last 7 days. The line chart plots data on a per-day basis. Click a value on the chart to review details.

Number of Systems where Throttling Initiated in Last 7 days: Displays the number of systems on which Events, Inventory Updates, or Policy Discovery (Observations) throttling is initiated in the last 7 days. The summary table sorts the data in descending order.

Observations Data Congestion Trend in Last 7 Days: Displays the data congestion trend for observations in the last 7 days. The line chart plots data on a per-day basis. Click a value on the chart to review details.

Self-Approval Data Congestion Trend in Last 7 Days: Displays the data congestion trend for self-approval requests in the last 7 days. The line chart plots data on a per-day basis. Click a value on the chart to review details.

Systems with Most Pending Requests Generated in Observe Mode: Displays systems running in Observe mode with pending Policy Discovery requests. The summary table sorts the data in descending order.

Top 10 Events for 10 Most Noisy Systems in Last 7 days: Displays the top 10 events for the most noisy systems in the last 7 days. The bar chart sorts the data in descending order. Click a bar on the chart to review detailed information.

View queries

View an Application Control or Solidcore Health Monitoring query.

Task

For details about product features, usage, and best practices, click ? or Help.

1 On the McAfee ePO console, select Menu | Reporting | Queries & Reports.

2 Select the Application Control or Solidcore Health Monitoring group under McAfee Groups.

3 Review the queries in the list.

4 Navigate to the required query and click Run.

The results for the selected query are displayed.

5 Click Close to return to the previous page.


13 Maintaining your systems

After Change Control or Application Control is deployed, you can perform various tasks to maintain the endpoints. Review these topics for details about maintenance tasks.

Contents

Monitor enterprise health
Make emergency changes
Administer throttling for your enterprise
Configure CLI breach notifications
Change the CLI password
Collect debug information
Place the endpoints in Disabled mode
Send McAfee GTI feedback
Purge data

Monitor enterprise health

Review and monitor the health of the protected endpoints in the enterprise. The Solidcore: Health Monitoring dashboard provides health status at-a-glance.

The Solidcore: Health Monitoring dashboard includes specific monitors to indicate congestion levels for inventory items and observations on the McAfee ePO console. You can also add more monitors to review congestion for self-approval requests and client task logs. For each monitor, possible values for the congestion levels are No congestion, Low, Moderate, High, and Data deleted.

Congestion level value (corresponding value for trend monitors): Description

No congestion (0): Indicates that no congestion is present in the McAfee ePO database.

Low (1): Indicates that data older than 5 days is present in the McAfee ePO database and is yet to be parsed by the software. Typically, Low congestion levels are automatically resolved. When congestion begins, the Data Congestion Detected event is generated to notify the user.

Moderate (2): Indicates that data older than 5 days is still present in the McAfee ePO database and is yet to be parsed by the software. You might experience sluggish responses from the user interface at this stage. When congestion levels reach Moderate, the Data Congestion Detected event is generated to notify the user.


High (3): Indicates that data older than 5 days is still not parsed by the software and the McAfee ePO database is choked. If the congestion level reaches High, old data is deleted from the McAfee ePO database to resolve congestion. When congestion levels reach High, the Data Congestion Detected event is generated to notify the user.

Data deleted (3): Indicates that data pending for parsing for the feature has been deleted from endpoints to resolve congestion. When data is deleted from the McAfee ePO database, the Clogged Data Deleted event is generated to notify the user.

Tasks

• Review congestion status and trend on page 178: Review the monitors on the Solidcore: Health Monitoring dashboard to assess enterprise health status and trend.

• Configure notifications on page 179: Configure alerts or automatic responses to receive a notification when data congestion begins for your environment.

Review congestion status and trend

Review the monitors on the Solidcore: Health Monitoring dashboard to assess enterprise health status and trend.

Task

For details about product features, usage, and best practices, click ? or Help.

1 Select Menu | Reporting | Dashboards.

2 Select the Solidcore: Health Monitoring dashboard from the Dashboard list.

3 Review the overall health of the enterprise.

4 Review congestion levels for inventory items and observation requests.

Feature Steps

Inventory:
1 Review the Inventory Data Congestion Level monitor to validate if congestion is currently present for inventory items in the McAfee ePO database.
2 Check the Inventory Data Congestion Trend in Last 7 Days monitor to review the weekly trend.

Observations:
1 Review the Observations Data Congestion Level monitor to validate if congestion is currently present for observations in the McAfee ePO database.
2 Check the Observations Data Congestion Trend in Last 7 Days monitor to review the weekly trend.

5 (Optional) Review congestion levels for self-approval requests and client task logs.

a From the McAfee ePO console, select Dashboard Actions | Duplicate for the Solidcore: Health Monitoring dashboard, click OK in the Duplicate Dashboard dialog box, then click Add Monitor.

b Select Solidcore from the Category list.


c Click and drag the Self-Approval Data Congestion Level and Client Task Logs Data Congestion Level monitors.

d Select Queries from the Category list.

e Click and drag the Queries monitor.

f In the New Monitor dialog box, click the Monitor Content drop-down list.

g Navigate to the McAfee Groups - Solidcore Health Monitoring section (McAfee ePO console), select the Self-Approval Data Congestion Trend in Last 7 Days query, and click OK.

h Repeat steps d through g for the Client Task Logs Data Congestion Trend in Last 7 Days query.

i Review the level and trend information.

Feature Steps

Self-approval:
1 Review the Self-Approval Data Congestion Level monitor to validate if congestion is currently present for self-approval requests in the McAfee ePO database.
2 Check the Self-Approval Data Congestion Trend in Last 7 Days monitor to review the weekly trend.

Client task log:
1 Review the Client Task Logs Data Congestion Level monitor to validate if congestion is currently present for client task logs in the McAfee ePO database.
2 Check the Client Task Logs Data Congestion Trend in Last 7 Days monitor to review the weekly trend.

Configure notifications

Configure alerts or automatic responses to receive a notification when data congestion begins for your environment.

To receive a notification when congestion begins for your setup, configure an alert for the Data Congestion Detected event. Similarly, to receive a notification when data is deleted from the McAfee ePO database to resolve congestion, configure an alert for the Clogged Data Deleted event.

Task

For details about product features, usage, and best practices, click ? or Help.

1 Select Menu | Automation | Automatic Responses.

2 Click Actions | New Response.

3 Enter the alert name.

4 Select the ePO Notification Events group and Threat event type.

5 Select Enabled, then click Next to open the Filter page.

6 Select My Organization for the Defined at property.

7 Select Threat Name from the Available Properties pane.

8 Type DATA_CONGESTION_DETECTED in the Value field.

9 Click +.

10 Type CLOGGED_DATA_DELETED in the Value field and click Next.

11 Specify aggregation details, then click Next to open the Actions page.


12 Select Send Email, specify the email details, then click Next to open the Summary page.

13 Review the details, then click Save.

Make emergency changes

To implement an emergency change, you can create a change window that overrides all protection and tamper proofing that is in effect. Memory protection (for Application Control only) remains enabled even in Update mode. You should use a change window only when the other available mechanisms cannot be used.

Place the endpoints in Update mode, make the required emergency changes, then place the endpoints in Enabled mode.

Tasks

• Place the endpoints in Update mode on page 180: Place the endpoints in Update mode to make emergency changes.

• Place the endpoints in Enabled mode on page 180: Place the endpoints back in Enabled mode after you complete the required changes in Update mode.

Place the endpoints in Update mode

Place the endpoints in Update mode to make emergency changes.

Task

1 Select Menu | Systems | System Tree.

2 Perform one of these actions.

• Group — Select a group in the System Tree and switch to the Assigned Client Tasks tab.

• Endpoint — Select the endpoint on the Systems page, then click Actions | Agent | Modify Tasks on a Single System.

3 Click Actions | New Client Task Assignment to open the Client Task Assignment Builder page.

4 Select the Solidcore 8.0.0 product, SC: Begin Update Mode task type, then click Create New Task to open the Client Task Catalog page.

5 Specify the task name and add any descriptive information.

6 Enter the Workflow ID and any comments.

The workflow ID provides a meaningful description for the update window.

7 Click Save.

8 Click Next to open the Schedule page.

9 Specify scheduling details, then click Next.

10 Review and verify the task details, then click Save.

11 (Optional) Wake up the agent to send your client task to the endpoint immediately.

Place the endpoints in Enabled mode

Place the endpoints back in Enabled mode after you complete the required changes in Update mode.


Task

For details about product features, usage, and best practices, click ? or Help.

1 On the McAfee ePO console, select Menu | Systems | System Tree.

2 Perform one of these actions.

• To apply the client task to a group, select a group in the System Tree and switch to the Assigned Client Tasks tab.

• To apply the client task to an endpoint, select the endpoint on the Systems page, then click Actions | Agent | Modify Tasks on a Single System.

3 Click Actions | New Client Task Assignment to open the Client Task Assignment Builder page.

4 Select the Solidcore 8.0.0 product, SC: End Update Mode task type, then click Create New Task to open the Client Task Catalog page.

5 Specify the task name and add any information.

6 Click Save.

7 Click Next to open the Schedule page.

8 Specify scheduling details, then click Next.

9 Review and verify the task details, then click Save.

10 (Optional) Wake up the agent to send your client task to the endpoint immediately.

Administer throttling for your enterprise

When several events, policy discovery requests (observations), or inventory updates generated at endpoints are received on the McAfee ePO server, the McAfee ePO interface might become unresponsive or sluggish. The throttling feature helps avoid such scenarios.

You can control the flow of events, policy discovery requests, and inventory updates from each endpoint to the McAfee ePO server. When the data sent to the McAfee ePO server reaches the defined threshold for an endpoint, throttling is initiated and these actions are taken.

1 Stops sending data (generated at the endpoints) to the McAfee ePO server.

2 Stores data in a cache at the endpoints. When the cache is full, data starts dropping, beginning with the oldest.

Data is stored in the cache only for event and policy discovery requests. The inventory data is not stored in the cache; instead, it is updated at the endpoints locally.

3 Resets throttling 24 hours after the first event, policy discovery request, or inventory update for the day. However, sometimes, the reset interval for throttling of inventory updates might exceed 24 hours. For more information, see KB84044.

4 Sends data stored in the cache to the McAfee ePO server in batches (starting with the oldest data).

After throttling resets for events and policy discovery requests, further generated data is stored in the cache and not sent to the McAfee ePO server until the cache is empty.

The throttling feature is available on all supported Windows platforms and is not available on the Linux platform. You can manage throttling for your setup by identifying the endpoints where throttling is initiated and taking remedial actions. If needed, you can configure throttling for your enterprise.


Tasks

• Set up the feature on page 182: By default, the throttling feature is enabled for events, inventory updates, and policy discovery requests.

• Configure throttling values on page 182: For most enterprises, the default settings for the throttling feature are enough. However, if needed, you can change the default configuration for the feature.

• Manage throttling on page 183: Determine if throttling is initiated for any endpoint in your setup and take remedial actions to manage throttling for your enterprise.

Set up the feature

By default, the throttling feature is enabled for events, inventory updates, and policy discovery requests.

Enabling or disabling this feature also enables or disables all its subfeatures.

Task

For details about product features, usage, and best practices, click ? or Help.

1 On the McAfee ePO console, select Menu | Policy | Policy Catalog.

2 Select the Solidcore 8.0.0: General product.

3 In the Configuration (Client) category, click Duplicate for the McAfee Default policy.

4 Specify the policy name, then click OK.

5 Open the policy and switch to the Throttling tab.

6 Enable or disable throttling by clicking Enable Throttling.

This enables or disables the throttling feature for events, inventory updates, and policy discovery requests.

7 (Optional) Disable the throttling feature selectively for Events, Inventory Updates, and Policy Discovery (Observations).

When the throttling feature is enabled, you can disable one or more types of throttling by deselecting the corresponding checkbox.

8 Save the policy and apply it to the relevant endpoints.

Configure throttling values

For most enterprises, the default settings for the throttling feature are enough. However, if needed, you can change the default configuration for the feature.

Task

For details about product features, usage, and best practices, click ? or Help.

1 On the McAfee ePO console, select Menu | Policy | Policy Catalog.

2 Select the Solidcore 8.0.0: General product.

3 In the Configuration (Client) category, click Duplicate for the McAfee Default policy.

4 Specify the policy name, then click OK.


5 Open the policy and switch to the Throttling tab.

6 Edit the values for events, inventory updates, and policy discovery requests, as needed.

Value Description

Events: The value for threshold and cache size is defined in number of event XML files. By default, 2000 XML files can be processed per endpoint in 24 hours. Also, the default event cache size is set to 7000 XML files per endpoint.

Inventory Updates: The value for threshold is defined in number of file elements containing inventory updates. By default, 15000 file elements can be processed per endpoint in 24 hours.

Policy Discovery (Observations): The value for threshold and cache size is defined in number of request XML files. By default, 100 XML files can be processed per endpoint in 24 hours. Also, the default event cache size is set to 700 XML files per endpoint.

7 Save the policy and apply it to the relevant endpoints.
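The throttling mechanism described under Administer throttling for your enterprise (daily threshold, endpoint cache that drops its oldest entry when full, reset 24 hours after the first item of the day, oldest-first batch delivery) as a small Python model that uses the Throttling tab defaults from step 6. This is an added example, not McAfee code; the timestamps, the batch size, and the assumption that post-reset batches count against the new day's threshold are constructed for illustration.

```python
"""Endpoint-side throttling model (added example, not McAfee code).

Models the behaviour described under "Administer throttling for your
enterprise": a per-endpoint daily threshold, an endpoint cache that drops
its oldest entry when full, a reset 24 hours after the first item of the
day, and oldest-first batch delivery after the reset.  DEFAULTS holds the
Throttling tab defaults quoted in the guide; timestamps, batch size and
the threshold accounting for post-reset batches are constructed assumptions.
"""
from __future__ import annotations

from collections import deque
from dataclasses import dataclass, field

RESET_INTERVAL_SEC = 24 * 60 * 60

# Per endpoint, per 24 hours (from the guide). Inventory updates have no cache.
DEFAULTS = {
    "events": {"threshold": 2000, "cache_size": 7000},
    "observations": {"threshold": 100, "cache_size": 700},
}


@dataclass
class EndpointThrottle:
    """Throttling state for one data type (events or observations) on one endpoint."""

    threshold: int
    cache_size: int
    sent_today: int = 0
    day_start: float | None = None      # time of the first item of the day
    throttled: bool = False
    dropped: int = 0
    cache: deque = field(default_factory=deque)
    delivered: list = field(default_factory=list)      # what reached the ePO server
    health_events: list = field(default_factory=list)  # (time, name) as on Solidcore Events

    def _maybe_reset(self, now: float) -> None:
        """Throttling resets 24 hours after the first item of the day."""
        if self.day_start is not None and now - self.day_start >= RESET_INTERVAL_SEC:
            self.day_start, self.sent_today, self.throttled = None, 0, False
            if self.cache:  # Data Throttled repeats daily until the cache is empty
                self.health_events.append((now, "Data Throttled"))

    def _send(self, now: float, item) -> None:
        if self.day_start is None:
            self.day_start = now
        self.delivered.append(item)
        self.sent_today += 1
        if self.sent_today >= self.threshold:
            self.throttled = True
            self.health_events.append((now, "Data Throttled"))

    def generate(self, now: float, item) -> str:
        """An item is generated on the endpoint; returns sent, cached or dropped-oldest."""
        self._maybe_reset(now)
        if self.day_start is None:
            self.day_start = now
        if not self.throttled and not self.cache:
            self._send(now, item)
            return "sent"
        # Throttled, or a backlog is still draining: new data queues behind old data.
        result = "cached"
        if len(self.cache) >= self.cache_size:
            self.cache.popleft()  # the oldest entry is lost
            self.dropped += 1
            self.health_events.append((now, "Data Dropped"))
            result = "dropped-oldest"
        self.cache.append(item)
        return result

    def sync(self, now: float, batch_size: int) -> int:
        """Agent-server sync: deliver one oldest-first batch from the cache.

        Assumption: batch deliveries count against the day's threshold, so a
        backlog larger than the threshold re-triggers throttling the next day.
        """
        self._maybe_reset(now)
        sent = 0
        while self.cache and sent < batch_size and not self.throttled:
            self._send(now, self.cache.popleft())
            sent += 1
        return sent

    def cache_usage_percent(self) -> float:
        """The 'Cache usage' value shown under Throttling Status for the endpoint."""
        return 100.0 * len(self.cache) / self.cache_size if self.cache_size else 0.0


def days_to_drain(cache_size: int, threshold: int) -> int:
    """Days to empty a full cache if nothing new is generated (under the sync assumption)."""
    return -(-cache_size // threshold)


if __name__ == "__main__":
    t = EndpointThrottle(**DEFAULTS["events"])
    for i in range(9500):  # constructed burst: 9500 event XML files in one day
        t.generate(now=i, item=f"evt-{i}")
    print(len(t.delivered), "sent,", t.dropped, "dropped,", f"{t.cache_usage_percent():.0f}% cache used")
    print("days to drain a full default event cache:", days_to_drain(7000, 2000))
```

With the default event values a burst of 9500 files in one day delivers 2000, caches 7000 and loses 500, which is why the guide tells you to process data quickly once Data Throttled appears.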

Manage throttling

Determine if throttling is initiated for any endpoint in your setup and take remedial actions to manage throttling for your enterprise.

On the Solidcore: Health Monitoring dashboard, check the Number of Systems where Throttling Initiated in Last 7 days monitor to take notice of the systems that might require immediate action.

For information about the Solidcore: Health Monitoring dashboard, see Monitor enterprise health.

Task

1 Determine if throttling is initiated and identify the affected endpoints.

Event Description

Data Throttled: Generated for an endpoint when event or policy discovery request throttling is initiated for the endpoint. After throttling resets, this event is generated daily until the cache is empty.

Data Dropped: Generated in two scenarios for an endpoint.
• When the cache is full and the oldest data is dropped from the event or request cache.
• When throttling of inventory updates is initiated for the endpoint.

2 Review the throttling status for each affected endpoint.

3 Process data generated for affected endpoints and create relevant rules. You must process data quickly to make sure that data is not dropped.

Tasks

• Identify affected endpoints on page 184: For your enterprise, identify endpoints where throttling is initiated.

• Review throttling status on page 184: For endpoints where throttling is initiated, review the throttling status.

• Process data on page 185: On endpoints where throttling is initiated, create relevant rules or filters to process data. This helps in controlling the flow of data by gradually reducing the amount of received data.


Identify affected endpoints

For your enterprise, identify endpoints where throttling is initiated.

Identify endpoints where Data Throttled and Data Dropped events are generated. Create an automatic response for these events in your enterprise. For more information about creating automatic responses, see McAfee ePolicy Orchestrator Product Guide.

Task

For details about product features, usage, and best practices, click ? or Help.

1 On the McAfee ePO console, select Menu | Reporting | Solidcore Events.

2 Review the event list and locate endpoints where these events are generated.

Event Action

Data Throttled: Review the Object Name column for information about throttling of events or policy discovery requests (observations) for the corresponding endpoints. Based on the type of throttling, you must immediately review the throttling status and process data for the endpoint to make sure that you do not lose data.

Data Dropped: Review the Object Name column for information about throttling of inventory updates. This column also provides information if data has started dropping for events and policy discovery requests (observations). Typically, this occurs when data is not processed quickly for the endpoint. Based on the type of throttling, you must immediately process data or manage inventory updates.

Review throttling status

For endpoints where throttling is initiated, review the throttling status.

Task

For details about product features, usage, and best practices, click ? or Help.

1 From the McAfee ePO console, select Menu | Systems | System Tree.

2 On the Systems page, click the endpoint where throttling is initiated to view its details.

3 Click the Products tab.

4 Click the Solidcore row to view product details.

5 Review the values for the listed throttling properties.

Property Description

Throttling Status: Events and Throttling Status: Policy Discovery (Observations): Provide this information.
• Cache usage: This indicates the percentage of event or request cache that is already used by the stored events or requests.
• Number of dropped events or requests: When the cache usage reaches 100%, events or requests start dropping and the Data Dropped event is generated and displayed on the Threat Event Log and Solidcore Events pages.
• Time when the threshold was reached: This indicates the time when event or request throttling was initiated.


Inventory Fetch Time (Last): Indicates the time when the inventory was last fetched. When throttling of inventory updates is initiated, the Pull Inventory client task is disabled and you cannot fetch the inventory until throttling resets.

Inventory Fetch Time (Next): Indicates the time when you can fetch the inventory for the endpoint. When throttling of inventory updates resets (24 hours after the first inventory update was generated), the Pull Inventory client task is enabled again to allow you to fetch the inventory. In such scenarios, this property displays the time when throttling resets. For more information about fetching inventory, see Fetch the inventory.

Process data

On endpoints where throttling is initiated, create relevant rules or filters to process data. This helps in controlling the flow of data by gradually reducing the amount of received data.

Task

For details about product features, usage, and best practices, click ? or Help.

• Take relevant actions based on the type of data.

Data Action

Events:
1 On the McAfee ePO console, select Menu | Reporting | Solidcore Events.
2 On the identified endpoints where throttling is initiated, review the generated events, then create relevant rules for events based on details such as event type, generation time, and number of occurrences. For details, see Review events and Define rules.
3 Define advanced exclusion filters to exclude non-meaningful events from the endpoints. For details, see Specify filters for observations and events.

Requests:
1 Create relevant rules to process requests. For information on creating rules, see Manage requests.
2 Define advanced exclusion filters to exclude non-meaningful requests from the endpoints. For details, see Specify filters for observations and events.

Inventory updates:
Define advanced exclusion filters to exclude non-meaningful inventory updates from the endpoints. For details, see Specify filters for inventory data.

Configure CLI breach notifications

In your setup, the administrator needs to be aware of any attempt to recover the CLI with an incorrect password. In case any attempt is made to breach security, the CLI needs to be disabled immediately to thwart the attempt.

You can configure Application Control and Change Control products to notify the administrator of any unsuccessful attempts to recover the CLI on the endpoint.

This feature is available only in McAfee ePO-managed configuration and unavailable in standalone configuration. Also, this feature is available only for the Windows platform.


Task

For details about product features, usage, and best practices, click ? or Help.

1 On the McAfee ePO console, select Menu | Policy | Policy Catalog.

2 Select the Solidcore 8.0.0: General product.

3 In the Configuration (Client) category, click Duplicate for the McAfee Default policy.

4 Specify the policy name, then click OK.

5 Open the policy and switch to the CLI tab.

6 Enable the feature by clicking Enable.

By default, this feature is disabled.

7 Specify the number of failed attempts and time window after which to disable the CLI in case of a security breach.

By default, the CLI is disabled if a user makes three unsuccessful attempts in 30 minutes.

8 Specify the time duration for which to disable the CLI if any user makes unsuccessful logon attempts.

By default, the CLI is disabled for 30 minutes.

9 Click Save.

10 Apply the policy to the endpoints.

After you enable the feature:

• Each attempt to recover the CLI with the correct password generates the Recovered Local CLI event.

• Any attempt to recover the CLI with an incorrect password generates the Unable to Recover Local CLI event.

When the user exceeds the permitted number of failed attempts (as defined in the policy), the CLI recovery is disabled to prevent the breach attempt. The Disabled Local CLI Access event is generated. This is a priority event and is sent immediately to the McAfee ePO console.
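The failed-attempt window and lockout described in this section, as an added Python model (not McAfee code) that replays a constructed attempt log and raises the three events named above using the policy defaults (three failures in 30 minutes, CLI disabled for 30 minutes). The attempt timestamps and the handling of attempts made while recovery is disabled are assumptions for the example.

```python
"""CLI-recovery breach detector (added example, not McAfee code).

Models the policy described under "Configure CLI breach notifications":
a sliding window of failed recovery attempts (default 3 in 30 minutes)
that disables CLI recovery for a lockout period (default 30 minutes) and
raises the three events named in the guide.  The attempt log, its
timestamps, and the handling of attempts made while recovery is disabled
are constructed assumptions.
"""
from __future__ import annotations

from collections import deque
from dataclasses import dataclass, field

# CLI tab defaults of the Solidcore 8.0.0: General policy (from the guide).
MAX_FAILED_ATTEMPTS = 3
FAILURE_WINDOW_SEC = 30 * 60
LOCKOUT_SEC = 30 * 60

RECOVERED = "Recovered Local CLI"
FAILED = "Unable to Recover Local CLI"
DISABLED = "Disabled Local CLI Access"  # priority event, sent to ePO immediately


@dataclass
class CliRecoveryGuard:
    """Per-endpoint state for the CLI breach notification feature."""

    max_failed: int = MAX_FAILED_ATTEMPTS
    window_sec: int = FAILURE_WINDOW_SEC
    lockout_sec: int = LOCKOUT_SEC
    failures: deque = field(default_factory=deque)  # timestamps of recent failures
    disabled_until: float = float("-inf")
    events: list = field(default_factory=list)      # (time, event name, is_priority)

    def is_disabled(self, now: float) -> bool:
        return now < self.disabled_until

    def _trim(self, now: float) -> None:
        """Forget failures that have fallen out of the sliding window."""
        while self.failures and now - self.failures[0] > self.window_sec:
            self.failures.popleft()

    def attempt(self, now: float, password_ok: bool) -> str:
        """Process one CLI recovery attempt; returns recovered/failed/disabled/rejected."""
        if self.is_disabled(now):
            # Assumption: while recovery is disabled, attempts are rejected
            # without checking the password and without generating an event.
            return "rejected"
        if password_ok:
            self.events.append((now, RECOVERED, False))
            return "recovered"
        self.events.append((now, FAILED, False))
        self.failures.append(now)
        self._trim(now)
        if len(self.failures) >= self.max_failed:
            self.disabled_until = now + self.lockout_sec
            self.failures.clear()
            self.events.append((now, DISABLED, True))
            return "disabled"
        return "failed"

    def priority_events(self) -> list:
        """Events that the endpoint sends to the McAfee ePO console immediately."""
        return [e for e in self.events if e[2]]


def replay(log: list[tuple[float, bool]], **policy) -> tuple[list[str], list]:
    """Replay a constructed attempt log; returns per-attempt outcomes and priority events."""
    guard = CliRecoveryGuard(**policy)
    outcomes = [guard.attempt(t, ok) for t, ok in log]
    return outcomes, guard.priority_events()


if __name__ == "__main__":
    # Constructed attempt log: (seconds since start, password correct?)
    burst = [(0, False), (300, False), (600, False), (700, False), (2500, True)]
    print(replay(burst))
```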

Change the CLI password

Change the default command line interface (CLI) password.

Task

For details about product features, usage, and best practices, click ? or Help.

1 On the McAfee ePO console, select Menu | Policy | Policy Catalog.

2 Select the Solidcore 8.0.0: General product.

3 In the Configuration (Client) category, click Duplicate for the McAfee Default policy.

The Duplicate Existing Policy dialog box appears.

4 Specify the policy name, then click OK.

The policy is created and listed on the Policy Catalog page.


5 Click the policy to open it.

6 Type the new password in the CLI tab.

7 Confirm the password.

8 Click Save.

9 Apply the policy to the endpoints.

Collect debug information

Before contacting McAfee Support to help you with a Solidcore client issue, collect configuration and debug information for your setup. This helps McAfee Support quickly identify and resolve the encountered issue. Run the Collect Debug Info client task to create an archive with endpoint configuration information and Solidcore client log files. The .zip file is generated on the endpoint and its location is listed (click the record associated with the client task) on the Client Task Log page. Send the .zip file to McAfee Support with details of the encountered issue.

Create a .zip file with configuration and debug information.

Task

For details about product features, usage, and best practices, click ? or Help.

1 On the McAfee ePO console, select Menu | Systems | System Tree.

2 Perform one of these actions.

• Group — Select a group in the System Tree and switch to the Assigned Client Tasks tab.

• Endpoint — Select the endpoint on the Systems page, then click Actions | Agent | Modify Tasks on a Single System.

3 Click Actions | New Client Task Assignment to open the Client Task Assignment Builder page.

4 Select the Solidcore 8.0.0 product, SC: Collect Debug Info task type, then click Create New Task to open the Client Task Catalog page.

5 Specify the task name and add any descriptive information.

6 Click Save.

7 Click Next to open the Schedule page.

8 Specify scheduling details, then click Next.

9 Review and verify the task details, then click Save.

10 (Optional) Wake up the agent to send your client task to the endpoint immediately.

Place the endpoints in Disabled mode

When you place the endpoints in Disabled mode, the software is not in effect. Although the software is installed, the associated features are not active.


Task

For details about product features, usage, and best practices, click ? or Help.

1 Select Menu | Systems | System Tree.

2 Perform one of these actions.

• Group — Select a group in the System Tree and switch to the Assigned Client Tasks tab.

• Endpoint — Select the endpoint on the Systems page, then click Actions | Agent | Modify Tasks on a Single System.

3 Click Actions | New Client Task Assignment to open the Client Task Assignment Builder page.

4 Select the Solidcore 8.0.0 product, SC: Disable task type, then click Create New Task to open the Client Task Catalog page.

5 Specify the task name and add any descriptive information.

6 Complete these steps.

The steps depend on the license and the Solidcore client version.

License: Application Control

• 5.1.2 or earlier (Linux and Windows)

• 6.0.0 and later (Windows)

Steps: Select Reboot endpoint to restart the endpoints.

• 6.1.0 and later (Linux)

Steps: Deselect Reboot endpoint if you are temporarily disabling the client protection for maintenance or troubleshooting. The software is disabled when the task is applied. If you are disabling the software before uninstallation, select Reboot endpoint.

License: Change Control

• 6.0.1 or earlier (Linux)

• 6.0.0 and later (Windows)

Steps: Select Reboot endpoint to restart the endpoints.

• 6.1.0 and later (Linux)

Steps: Deselect Reboot endpoint if you are temporarily disabling the client protection for maintenance or troubleshooting. The software is disabled when the task is applied. If you are disabling the software before uninstallation, select Reboot endpoint.

7 Click Save.

8 Click Next to open the Schedule page.

9 Specify scheduling details, then click Next.

10 Review and verify the task details, then click Save.

11 (Optional) Wake up the agent to send your client task to the endpoint immediately.


Send McAfee GTI feedback

Application Control includes seeded server tasks to send feedback to McAfee about your current use of the McAfee GTI and Application Control features.

• Solidcore: Send Event Feedback to McAfee GTI Server (disabled by default)

• Solidcore: Send Policy and Inventory Feedback to McAfee GTI Server (enabled by default to run daily)

• Solidcore: Send Policy Discovery Request Feedback to McAfee GTI Server (enabled by default to run daily)

No information about individual computers or users is sent to McAfee. McAfee stores no data that can be used to track the feedback information to a specific customer or organization.

Tasks

• Server task settings on page 189: You can configure the server tasks to send information about how you are currently using one or all these parameters.

• Configure server tasks on page 189: Configure the server tasks that send feedback, as needed.

Server task settings

You can configure the server tasks to send information about how you are currently using one or all these parameters.

Events: Send information, such as file name and SHA-1 for the Execution Denied, Process Hijack Attempted, and Nx Violation Detected events. You can also send information about the number of endpoints where the event occurred with the full path of the file.

This information helps McAfee determine how frequently and effectively Application Control blocks actions, and helps to improve product functionality and efficacy.

Policies: Send information about user-editable Change Control, Application Control, and General policies. Information is also sent for the Global Rules and Global Observation Rules (Deprecated) rule groups.

This information helps McAfee understand how you are currently using policies and applying rules, and helps to improve the default policies and rules.

Inventory: Send detailed information for files, including base name, application name, application version, file version, and enterprise trust level. You can also send information about the number of endpoints where the file is present, its execution status, and full path of the file. The feedback does not include any information to identify the endpoints, such as system name or IP address.

This information helps McAfee determine how you are using (and changing) the File Hash Trust Score (GTI) and File Hash Reputation (GTI) values assigned to files. This information also helps to improve the McAfee GTI file reputation service.

Policy Discovery requests: Send information for policy discovery requests and include details about the certificate associated with the file. This information helps McAfee determine the type of requests generated for your setup and identify certificates associated with commonly used applications.

ePO base information: Sends information about the number of nodes managed by McAfee ePO and number of nodes where Application Control is installed.

Configure server tasks

Configure the server tasks that send feedback, as needed.


Task

For details about product features, usage, and best practices, click ? or Help.

1 On the McAfee ePO console, select Menu | Automation | Server Tasks.

2 Select Edit for a server task to open the Server Task Builder wizard.

3 Change the schedule status for the task.

4 Click Save.

Purge data

Purge Solidcore reporting data by age or based on other parameters. When you purge data, the records are permanently deleted.

Task

For details about product features, usage, and best practices, click ? or Help.

1 On the McAfee ePO console, select Menu | Automation | Server Tasks.

2 Click New Task to open the Server Task Builder wizard.

3 Type the task name, then click Next.

4 Select Solidcore: Purge from the Actions list.

5 Configure these options, as needed.

• Choose Feature — Select the reporting feature for which to purge records.

• Purge records older than — Select this option to purge the entries older than the specified age.

• Purge by query — Select this option to purge the records for the selected feature that meet the query criteria. This option is only available for reporting features that support queries in McAfee ePO. Also, this option is supported only for tabular query results.

No seeded queries are available for purging. Before purging records, you must create the query from the Menu | Reporting | Queries & Reports page.

6 Click Next to open the Schedule page.

7 Specify schedule details, then click Next to open the Summary page.

8 Review and verify the details, then click Save.


14 Fine-tuning your configuration

Perform advanced configuration tasks to fine-tune your configuration.

Contents

• Configure a syslog server

• Solidcore permission sets

• Customize end-user notifications

Configure a syslog server

You can access more servers by registering them with your McAfee ePO server. Registered servers allow you to integrate your software with other external servers. Add the syslog server as a registered server and send information (responses or Solidcore events) to the syslog server.

Task

For details about product features, usage, and best practices, click ? or Help.

1 Add the syslog server as a registered server.

a On the McAfee ePO console, select Menu | Configuration | Registered Servers, then click New Server to open the Registered Server Builder wizard.

b Select Solidcore Syslog Server from the Server type list.

c Specify the server name, add any notes, then click Next.

d (Optional) Modify the syslog server port.

e Enter the server address.

You can choose to specify the DNS name, IPv4 address, or IPv6 address.

f Select the type of logs the server is configured to receive by selecting a value from the Syslog Facility list.

g Click Test Syslog send to verify the connection to the server.

h Click Save.

You can choose to send specific responses to the syslog server (complete step 2) or use the seeded response to send all Solidcore events to the syslog server (complete step 3).

2 Send responses to the syslog server.

a Select Menu | Automation | Automatic Responses.

b Click Actions | New Response.


c Enter the alert name.

d Select the ePO Notification Events group and Threat event type.

e Select Enabled, then click Next to open the Filter page.

f Define the relevant filters, then click Next to open the Aggregation page.

g Specify aggregation details, then click Next to open the Actions page.

h Select the Send Event To Solidcore Syslog action.

i Specify the severity and message.

You can use the listed variables to create the message string.

j Select the appropriate syslog servers (one or more), then click Next.

k Review the response details, then click Save.

3 Send all Solidcore events to the syslog server.

Application Control and Change Control include a seeded response that you can configure to automatically send all Solidcore events to the syslog server.

a Select Menu | Automation | Automatic Responses.

b Edit the Send Solidcore events to Syslog Server response to configure these options.

• Set the status to Enabled.

• Verify that the appropriate syslog server is selected.

• Review the message string. The message string is based on the Common Exchange format. Contact McAfee Support for assistance in understanding the message string.

c Save the response.

Solidcore permission sets

A permission set is a collection of permissions that can be granted to any user by assigning it to the user's account. Permission sets control the level of access that users have to the features in the software. While user accounts provide a means for users to access and use the software, each user account is associated with one or more permission sets that define what the user is allowed to do with the software.

Permission sets only grant rights and access — no permission set removes rights or access. When multiple permission sets are applied to a user account, they aggregate.

For example, if one permission set does not provide any permissions to server tasks, but another permission set grants all permissions to server tasks, that user account has all permissions for server tasks. Consider this as you plan your strategy for granting permissions to the users in your environment.

For global administrators, all permissions to all products and features are automatically assigned.

When a new product extension is installed, it adds the product-specific permission sets to McAfee ePO. The Solidcore extension for Change Control and Application Control adds the Solidcore Admin and Solidcore Reviewer permission sets on the Menu | User Management | Permission Sets page.


Privileges provided by Solidcore permission sets

Here are the permissions granted by the Solidcore permission sets.

Features: Solidcore General

• Queries, Dashboards

• Events

• Responses

• Alerts

• Client Task Log

• Inventory

• Observations (Deprecated)

• Content Change Tracking

• Policy Discovery

• Certificates

• Installers

• Rule Groups

Solidcore Admin permission set: Provides view and change permissions

Solidcore Reviewer permission set: Provides view permissions

Features: Solidcore Policy Permission

• Application Control policies

• Change Control policies

• Integrity Monitor policies

• General policies

Solidcore Admin permission set: Provides view and change permissions

Solidcore Reviewer permission set: Provides view permissions

Limitations of the Solidcore permission sets

By default, the Solidcore Admin and Solidcore Reviewer permission sets do not provide access to the My Organization group in the System Tree page.

Because users do not have access to the My Organization group, they need extra permissions to access the following components.

Dashboards: Predominant Observations monitor in the Solidcore: Application Control dashboard.

Applications Based on Final Reputation and Top 5 Malicious Files in Running State monitors in the Solidcore: Inventory dashboard.

Pages:

• By Applications page

• Predominant Observations (Deprecated) page

• Solidcore category on Server Settings page. Only McAfee ePO administrators are allowed to view and edit this category.


Actions: These actions on the Application Control | Inventory page.

• Export Inventory for Offline GTI Tool

• Import GTI ratings

• Set Reputation by Application Control

Server tasks: All Solidcore server tasks. Users who are assigned create, edit, view, run, and terminate permissions for server tasks in the Solidcore Admin permission set can create and run the Solidcore: Content Change Tracking Report Generation server task. Only McAfee ePO administrators are allowed to create and run all other Solidcore server tasks.

Permission sets for Solidcore and McAfee ePO

McAfee ePO provides four default permission sets that provide permissions to McAfee ePO functionality. Here are the permissions that the McAfee ePO permission sets provide.

McAfee ePO permission sets Permissions for Solidcore features

Executive Reviewer No permissions

Global Reviewer View-only permissions for Solidcore policies

Group Admin No permissions

Group Reviewer No permissions

Assigning permissions to Solidcore-related McAfee ePO features

The global administrator can use the available permission sets (Solidcore Admin or Solidcore Reviewer) for Change Control and Application Control or create permission sets, if needed.

Global administrators can assign permissions while creating or editing user accounts or permission sets.

To use Solidcore-related McAfee ePO features, users created with Solidcore Admin or Solidcore Reviewer permission set need extra permissions. Here are the permissions you must assign.

1 Assign at least one more permission set that grants access to needed products and groups of the System Tree. To make sure that users have access to the My Organization group in the System Tree page and overcome the limitations of the Solidcore permission sets, edit the Solidcore Admin or Solidcore Reviewer permission set. Duplicate the Solidcore Admin permission set to use it as a starting point and edit it according to your requirements. For more information about working with permission sets, see McAfee ePolicy Orchestrator Product Guide. After you edit the permission sets, assign the edited permission set to the users.

2 Assign these permissions for specific Solidcore features by navigating to Menu | User Management | Permission sets.

Solidcore dashboards: Select the Solidcore permission set, click Edit for Dashboards, select Edit public dashboards; create and edit private dashboards; make private dashboards public, and click Save.

Solidcore queries: Select the Solidcore permission set, click Edit for Queries and Reports, select Edit public groups; create and edit private queries/reports; make private queries/reports public, and click Save.

Solidcore client tasks: Select the Solidcore permission set, click Edit for McAfee Agent, select View and change settings, and click Save.

Solidcore policies: Select the Solidcore permission set, click Edit for McAfee Agent, select View and change settings, and click Save.


Customize end-user notifications

If Application Control protection prevents an action on an endpoint, you can choose to display a customized notification message for the event on the endpoint.

You can configure the notification to be displayed on the endpoints for these events.

• Execution Denied

• File Write Denied

• File Read Denied

• Process Hijack Attempted

• Nx Violation Detected

• ActiveX Installation Prevented

• Installation Denied

• VASR Violation Detected

• Blocked Interactive Mode of Process

• Prevented File Execution

Task

For details about product features, usage, and best practices, click ? or Help.

1 On the McAfee ePO console, select Menu | Policy | Policy Catalog.

2 Select the Solidcore 8.0.0: Application Control product.

3 Select the Application Control Options (Windows) category.

4 Click the My Default policy to edit it.

5 Switch to the End User Notifications tab.

6 Select Show the messages dialog box when an event is detected and display the specified text in the message to display a message box at the endpoint each time any of the earlier mentioned events is generated.

7 Enter the helpdesk information.

Mail To: Represents the email address to which all approval requests (from endpoints) are sent.

Mail Subject: Represents the subject of the email message sent for approval requests (from endpoints).

Link to Website: Indicates the website listed in the Application and Change Control Events window on the endpoints.

McAfee ePO IP Address and Port: Specifies the McAfee ePO server address and port.

8 Customize the notifications for the various types of events.

a Enter the notification message.

You can use the listed variables to create the message string.

b Select Show Event in Dialog to make sure that all events of the selected event type (such as Execution Denied) are listed in the Application and Change Control Events window on the endpoints.

9 Save the policy and apply to the relevant endpoints.

10 From the endpoints, users can review the notifications for the events and request approval for certain actions.

a Right-click the McAfee Agent icon in the notification area on the endpoint.

b Select Quick Settings | Application and Change Control Events.

The Application and Change Control Events window appears.


c Review the events.

d Request approval for a certain action by selecting the event and clicking Request Approval.


A FAQs

Here are answers to frequently asked questions.

What is an Alternate Data Stream (ADS)? Does Change Control monitor changes to ADS?

On the Microsoft NTFS file system, a file consists of multiple data streams. One stream holds the file contents and another contains security information. You can create alternate data streams (ADS) for a file to associate information or other files with the existing file. In effect, alternate data streams allow you to embed information or files in existing files. The ADSs associated with a file do not affect its contents or attributes and are not visible in Windows Explorer. So, for practical purposes, the ADSs associated with a file are hidden. Malicious users can misuse the ADS feature to associate malicious files with other files without the malicious files being detected.

Change Control monitors changes to any ADS associated with files on Windows platforms. For a monitored file, ADS-related changes, including stream creation, modification, update, deletion, and attribute changes are reported as events. If you are also using Application Control, the base file name is retrieved and permissions for the base file are checked when an ADS is invoked. The ADS is allowed or denied execution based on the permissions of the base file and current mode of Application Control. Also, any executable programs (associated as an ADS with an existing file) are prevented from running. To disable ADS monitoring, execute the SC: Run Commands client task to run the sadmin features disable mon-ads command on the endpoint.

Why am I not receiving the events for user account activity for an endpoint?

User account activity is not tracked by default for endpoints. To track operations for user accounts, you must enable this feature specifically on endpoints where Change Control is deployed and enabled. To enable this feature, execute the SC: Run Commands client task to run the sadmin features enable mon-uat command on the endpoint.

In addition, you must make sure that the Audit Policy is configured on the Windows operating system to allow generation of user activity events.

To successfully track user account activity for an endpoint, verify the Audit Policy configuration for the endpoint.

1 Navigate to Control Panel | Administrative Tools.

2 Double-click Local Security Policy.

3 Select Local Policies | Audit Policy.

4 Double-click the Audit account logon events policy.

5 Select Success and Failure, then click OK.

6 Repeat steps 4 and 5 for the Audit account management and Audit logon events policies.

What are the implications of recovering the local CLI access for an endpoint?


To troubleshoot or debug issues, you might need to recover the local CLI access for an endpoint. Recovering the local CLI for an endpoint prevents the enforcement of policies from McAfee ePO to the endpoint. This implies that when the CLI is recovered for an endpoint, no existing or new policies (created on the McAfee ePO server) are applied to that endpoint.

What is the significance of the label specified in a policy while configuring updater processes, installers, and users?

The specified labels help you correlate the generated events with the actions performed by the trusted resources. For example, when an event is generated for an action performed by a trusted user, the Workflow ID attribute for the event includes the label specified for the trusted user.

How do I unsolidify a file, directory, or volume?

To unsolidify a file, directory, or volume, run the SC: Run Commands client task with the sadmin unso <resource name> command.

As a best practice, do not unsolidify a system drive or volume.

I recently fetched inventory for an endpoint but can't review GTI ratings for the inventory items. What can I do?

If GTI ratings are unavailable for inventory items after you fetched inventory, review the logs generated by the Fetch File Details from McAfee GTI Server and Fetch Certificate Reputation from McAfee GTI Server server tasks on the Server Task Log page. Log entries are added atypically for the Fetch File Details from McAfee GTI Server server task to the Server Task Log page.

• If the task succeeds and the previous run was unsuccessful, a log entry is added.

• If the task fails, a new log entry indicating failure is added. But, if communication with the server fails continuously, one entry is added for a day. The time stamp indicates the failure time and the log message provides the reason for failure.

So, on the Server Task Log page, you might see fewer entries indicating task success and multiple entries indicating failure for this task.

Do Change Control and Application Control work in Network Address Translation (NAT) environments?

If the McAfee ePO server can communicate with the McAfee Agent in a NAT environment, Change Control and Application Control work.

How can I trust applications developed for use in my organization?

Sign the applications with a self-generated certificate, then trust the certificate.

1 Perform one of these actions.

• Locate your certificate if you have an existing certificate.

• Generate an X.509 certificate pair using a tool, such as makecert.exe (see this for details).

2 Export the certificate in PEM (Base-64 encoded X.509 - .CER) format.

3 Upload the certificate and add it to an Application Control policy as a trusted certificate.

4 Apply the policy to the endpoints.


5 Use the certificate to sign and verify in-house applications. This can be done using a tool, such as SignTool.exe.

When working with scripts, convert the script into a self-extracting executable file, then sign the file.

6 Define the internal certificate as a trusted certificate.

Can I script sadmin commands?

Yes, you can script sadmin commands. While recovering the CLI, you are prompted to enter the password. To achieve this in a script, suffix the sadmin recover command with -z <password>.

How can I resolve discrepancies and inconsistencies in the Solidcore rule groups after upgrading the Solidcore extension? When I access the Rule Groups page, an Internal Server Error is displayed.

Run the Rule Group Sanity Check server task from the McAfee ePO console to fix the inconsistencies in the rule groups. This server task reports and corrects (if possible) discrepancies and inconsistencies in the Solidcore rule groups and policies.

1 Select Menu | Automation | Server Tasks.

2 Click New Task.

The Server Task Builder wizard opens.

3 Type the task name and click Next.

4 Select Solidcore: Rule Group Sanity Check from the Actions drop-down list.

5 Click Next.

6 Specify the schedule for the task.

7 Click Next.

The Summary page appears.

8 Review the task summary and click Save.

9 Review the logs generated by the server task (on the Server Task Log page) to view the warnings, if any.

How do I manage the predefined rules available with Change Control and Application Control?

Revisit the predefined rules available with Change Control and Application Control when you install or upgrade the Solidcore extension. Because the software installed on the endpoints in your enterprise might change (is added or removed), you must revise the rules periodically. Based on the software installed on the endpoints in your setup, revise the rules and remove unwanted or irrelevant rules.

How can I enable or disable selected features on endpoints from the McAfee ePO console?

Use the Application Control Options (Windows) policy to enable or disable selected features on endpoints from the McAfee ePO console.

1 Select Menu | Policy | Policy Catalog.

2 Select the Solidcore 8.0.0: Application Control product.


3 Select the Application Control Options (Windows) category.

4 Click the My Default policy.

5 Switch to the Features tab.

6 Select Enforce feature control from ePO.

For more information about these features:

• ActiveX, see ActiveX controls.

• Memory Protection, see Memory-protection techniques.

• Package Control, see Package Control.

7 Select the features to enable or disable.

8 Save the policy and apply to the relevant endpoints.

How can I implement change reconciliation and ticket-based enforcement in my setup?

Change reconciliation correlates change events from monitored systems with tickets in your change management system (CMS). This correlation categorizes events as authorized or unauthorized based on whether the change was made during an update window. This information is used for change tracking and compliance reporting. Ticket-based enforcement allows you to automatically open update windows on systems protected with Application Control and Change Control by integrating with your CMS. Based on tickets created in the CMS, update windows open on the protected systems to allow modification of protected files and registry keys. Implementing ticket-based enforcement reduces system outages and improves uptime by allowing only approved changes to the systems.
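The following is an added example, not McAfee code: it models the reconciliation step described above by matching constructed change events against constructed CMS ticket windows (the intervals that begin-update and end-update calls would open and close on a set of systems) and classifying each event as authorized or unauthorized. The timestamp format is the one the services use; treating a window as applying only to the systems it was opened on, and an event on the window boundary as inside it, are assumptions.

```python
# Added example (not McAfee code): a model of change reconciliation as described
# above. Constructed CMS ticket windows (what begin-update/end-update would open
# and close) are matched against constructed change events, and each event is
# classified as authorized or unauthorized. Assumptions: a window applies to the
# listed system names only, and an event on a window boundary counts as inside.
from dataclasses import dataclass
from datetime import datetime
from typing import FrozenSet, List, Optional, Tuple

# Timestamp format the begin-update/end-update services expect (yyyy-mm-dd hh:mm:ss).
TIME_FMT = "%Y-%m-%d %H:%M:%S"


def parse_time(value: str) -> datetime:
    """Parse a timestamp in the service's format; raises ValueError otherwise."""
    return datetime.strptime(value, TIME_FMT)


def is_valid_time(value: str) -> bool:
    """Check a ticket timestamp before handing it to begin-update/end-update."""
    try:
        parse_time(value)
        return True
    except ValueError:
        return False


@dataclass(frozen=True)
class UpdateWindow:
    workflow_id: str            # ticket ID from the CMS (workflowId)
    systems: FrozenSet[str]     # systemNames the window was opened on
    begin: datetime             # time passed to begin-update
    end: datetime               # time passed to end-update


@dataclass(frozen=True)
class ChangeEvent:
    system: str
    time: datetime
    path: str                   # protected file or registry key that changed


def reconcile(events: List[ChangeEvent], windows: List[UpdateWindow]
              ) -> List[Tuple[ChangeEvent, str, Optional[str]]]:
    """Tag each event as 'authorized' (with its ticket ID) or 'unauthorized'."""
    results = []
    for ev in events:
        ticket = None
        for w in windows:
            if ev.system in w.systems and w.begin <= ev.time <= w.end:
                ticket = w.workflow_id
                break
        status = "authorized" if ticket is not None else "unauthorized"
        results.append((ev, status, ticket))
    return results


def unauthorized_changes(results):
    """(system, path) pairs with no covering ticket: the compliance exceptions."""
    return [(ev.system, ev.path) for ev, status, _ in results if status == "unauthorized"]


# Constructed sample data (not real ePO or CMS records).
WINDOWS = [
    UpdateWindow("CHG0001234", frozenset({"web01", "web02"}),
                 parse_time("2016-05-02 22:00:00"), parse_time("2016-05-02 23:00:00")),
]
EVENTS = [
    ChangeEvent("web01", parse_time("2016-05-02 22:15:00"), r"C:\inetpub\wwwroot\web.config"),
    ChangeEvent("web02", parse_time("2016-05-02 23:00:00"), r"C:\Windows\System32\drivers\etc\hosts"),
    ChangeEvent("web01", parse_time("2016-05-02 23:30:00"), r"C:\Windows\System32\svchost.exe"),
    ChangeEvent("db01", parse_time("2016-05-02 22:20:00"), r"HKLM\SOFTWARE\Policies\Example"),
]

if __name__ == "__main__":
    for ev, status, ticket in reconcile(EVENTS, WINDOWS):
        print(ev.system, ev.time.strftime(TIME_FMT), ev.path, status, ticket or "-")
```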

Perform these steps to configure and implement change reconciliation and ticket‑basedenforcement.

1 Make sure that reconAutoReconcileEvents setting in the database is set to true. ContactMcAfee Support for instructions.

2 Set the required permissions.

• User must have System Tree access to the systems where the tasks are to be scheduled.

• User must have permission to send agent wake-up call.

• Create and edit tags permission is required to run tasks on multiple systems.

• View and change task settings permission is needed in McAfee Agent if you are using McAfee ePO 5.0 or later.

3 Understand and use the web service APIs provided by Application Control and Change Control.

Web service API: begin-update(systemNames/systemIds, workflowId, time, wakeupAgent)

Opens an Update window to perform ticket-related changes. This service takes these parameters:

• systemNames/systemIds (Required) Comma-separated list of system names, IP addresses, or system IDs (from the McAfee ePO database). If you specify system IDs and system names, only the specified system IDs are considered.

• workflowId (Required) Ticket ID from the ticketing system for the update window. The specified ticket ID is associated with the updated records.

• time (Required) Time when to open the Update window on the endpoints. Use the yyyy-mm-dd hh:mm:ss format to provide the value.

• wakeupAgent (Optional) Flag to indicate whether to wake up agents after scheduling the task. The default value for this parameter is true.

This service returns the ID associated with the client task that opens the Update window on the specified endpoints.

Web service API: end-update(systemNames/systemIds, workflowId, time, wakeupAgent)

Closes the Update window after performing ticket-related changes. This service takes these parameters:

• systemNames/systemIds (Required) Comma-separated list of system names, IP addresses, or system IDs (from the McAfee ePO database). If you specify system IDs and system names, only the specified system IDs are considered.

• workflowId (Required) Ticket ID from the ticketing system for the update window.

• time (Required) Time when to close the Update window at the endpoints. Use the yyyy-mm-dd hh:mm:ss format to provide the value.

• wakeupAgent (Optional) Flag to indicate whether to wake up agents after scheduling the task. The default value for this parameter is true.

This service returns the ID associated with the client task that closes the Update window on the specified endpoints.

Web service API: delete-task(taskIds)

Deletes the client tasks created to open and close the Update window for a ticket. This service takes only one parameter.

• taskIds (Required) Comma-separated list of IDs associated with the client tasks that open and close the Update window on the specified endpoints. The client tasks that are associated with the IDs are deleted.

This service returns a list of true and false values corresponding to each specified client task ID. True indicates that the client task associated with the specified ID was successfully deleted.


These web service APIs can be accessed through URLs. Here are a few examples to help you understand the type of calls you can make to the web service APIs.

• begin-update — https://<epo-server>:<port>/remote/scor.updatewindow.updateWindowCommand.do?:output=json&action=begin-update&systemNames=<comma separated IP addresses or names>&time=2013-12-19%2011:05:00&workflowId=ticket1&wakeupAgent=true

• end-update — https://<epo-server>:<port>/remote/scor.updatewindow.updateWindowCommand.do?:output=json&action=end-update&systemNames=<comma separated IP addresses or names>&time=2013-12-19%2012:05:00&workflowId=ticket1&wakeupAgent=true

• delete-task — https://<epo-server>:<port>/remote/scor.updatewindow.updateWindowCommand.do?:output=json&action=delete-task&taskIds=123,234

4 Review the sample Java connector that is shipped with the Solidcore extension. You can download and save the SampleConnector.zip file from the McAfee Downloads site. This file is available for your reference and can help you understand how to integrate with the web service APIs in your setup.
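The three calls above wired into a small connector, as an added example that is neither the sample Java connector nor code from this guide: it builds the begin-update, end-update and delete-task URLs for one ticket, then reconciles constructed change events against the resulting Update window. The basic-auth transport, the JSON response shapes and the demo_fetch stand-in for the server are assumptions.

```python
"""Ticket-based enforcement and change reconciliation through the Solidcore
web service APIs (begin-update, end-update, delete-task).

Added example, not the SampleConnector shipped with the extension. Assumed
(not stated in the guide): basic-auth HTTP transport, begin-update/end-update
return the bare client task ID as JSON, delete-task returns a JSON list of
booleans. The transport is injectable so the flow runs offline.
"""
from __future__ import annotations

import base64
import json
import urllib.parse
import urllib.request
from datetime import datetime, timedelta
from typing import Callable

EPO_TIME = "%Y-%m-%d %H:%M:%S"  # the yyyy-mm-dd hh:mm:ss format the time parameter takes
COMMAND = "/remote/scor.updatewindow.updateWindowCommand.do"


def build_url(server: str, port: int, action: str, **params: str) -> str:
    """Compose a web service URL in the shape of the guide's examples.

    Values are percent-encoded except commas (list separators) and colons,
    so a timestamp is emitted as 2013-12-19%2011:05:00, as in the guide.
    """
    query = ":output=json&action=" + action
    for key, value in params.items():
        query += "&" + key + "=" + urllib.parse.quote(value, safe=",:")
    return f"https://{server}:{port}{COMMAND}?{query}"


def epo_fetch(username: str, password: str) -> Callable[[str], str]:
    """GET function for a live server, using basic auth (assumed scheme)."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()

    def fetch(url: str) -> str:
        req = urllib.request.Request(url, headers={"Authorization": "Basic " + token})
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.read().decode()

    return fetch


def schedule_ticket_window(server: str, port: int, systems: list[str], ticket_id: str,
                           opens_at: str, minutes: int, fetch: Callable[[str], str]) -> dict:
    """Open an Update window for a ticket at opens_at (yyyy-mm-dd hh:mm:ss)
    and schedule its close `minutes` later; keep both task IDs for cleanup."""
    start = datetime.strptime(opens_at, EPO_TIME)
    end = start + timedelta(minutes=minutes)
    names = ",".join(systems)
    begin_url = build_url(server, port, "begin-update", systemNames=names,
                          time=start.strftime(EPO_TIME), workflowId=ticket_id, wakeupAgent="true")
    end_url = build_url(server, port, "end-update", systemNames=names,
                        time=end.strftime(EPO_TIME), workflowId=ticket_id, wakeupAgent="true")
    return {"ticket": ticket_id, "systems": list(systems), "start": start, "end": end,
            "begin_task_id": str(json.loads(fetch(begin_url))),
            "end_task_id": str(json.loads(fetch(end_url)))}


def delete_ticket_tasks(server: str, port: int, task_ids: list[str],
                        fetch: Callable[[str], str]) -> dict[str, bool]:
    """Remove the open/close tasks once the ticket is closed; map ID -> result."""
    url = build_url(server, port, "delete-task", taskIds=",".join(task_ids))
    return dict(zip(task_ids, json.loads(fetch(url))))


def reconcile(events: list[dict], windows: list[dict]) -> list[dict]:
    """Change reconciliation: an event is authorized only if it occurred on a
    system covered by a ticket's Update window, during that window."""
    results = []
    for event in events:
        when = datetime.strptime(event["time"], EPO_TIME)
        ticket = next((w["ticket"] for w in windows
                       if event["system"] in w["systems"] and w["start"] <= when <= w["end"]), None)
        results.append({**event, "authorized": ticket is not None, "ticket": ticket})
    return results


def demo_fetch(url: str) -> str:
    """Constructed stand-in for the ePO server so the example runs offline."""
    action = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)["action"][0]
    return {"begin-update": "123", "end-update": "234", "delete-task": "[true, true]"}[action]


if __name__ == "__main__":
    window = schedule_ticket_window("epo.example", 8443, ["10.0.0.5", "srv02"], "ticket1",
                                    "2013-12-19 11:05:00", 60, demo_fetch)
    changes = [  # constructed Change Control file-modified events
        {"system": "srv02", "time": "2013-12-19 11:30:00", "file": "C:\\app\\app.dll"},
        {"system": "srv02", "time": "2013-12-19 14:00:00", "file": "C:\\app\\app.dll"},
    ]
    for row in reconcile(changes, [window]):
        print(row["system"], row["time"], row["file"], "authorized" if row["authorized"] else "UNAUTHORIZED")
    ids = [window["begin_task_id"], window["end_task_id"]]
    print(delete_ticket_tasks("epo.example", 8443, ids, demo_fetch))
```

Against a live server, replace demo_fetch with epo_fetch(username, password) for an account that holds the permissions listed in step 2.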

After I deploy Application Control, how can I check the status of the memory protection techniques, such as Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR), provided by the Windows operating system?

Review the status of the techniques for one endpoint

1 Click the endpoint on the Systems page to view details for the selected endpoint.

2 Click the Products tab.

3 Click the Solidcore row to view product details.

4 Review the values for the Memory Protection (ASLR) and Memory Protection (DEP) properties.

Review the status of the techniques for multiple endpoints

1 On the McAfee ePO console, select Menu | Reporting | Queries and Reports.

2 Select the Application Control group under McAfee Groups.

3 Click New.

4 Select Solidcore Client Properties for the Result Type and click Next.

5 Select Table in the Display Results As list, select System Name in the Sort By list, and click Next.

6 Add the Memory Protection (ASLR) and Memory Protection (DEP) properties and click Next.

7 Click Run to view details for the endpoints in your setup.

Here are the possible values for DEP and ASLR.

Technique | Possible value | Description
DEP | Enabled (Always On) | DEP is enabled for all processes.
DEP | Disabled (Always Off) | DEP is disabled for all processes.
DEP | Disabled (With Opt In) | DEP is enabled only for Windows system components and services.
DEP | Enabled (With Opt Out) | DEP is enabled for all processes. You can choose to remove processes from the DEP technique.
DEP | Not Supported | DEP technique is not supported on the hardware.
ASLR | Enabled | ASLR is enabled for all processes.
ASLR | Disabled | ASLR is disabled for all processes.
ASLR | Enabled (Partial) | ASLR is enabled and VASR bypass rules might be present.

The software is allowing the execution of a banned file. What could be the reason?

When defined rules are applied, the software combines or aggregates the rules defined for a file. When applying the rules, it uses the following order to determine whether the file execution is allowed or blocked. The order in which the methods are listed indicates the precedence the software applies to each method.

1 Banned by SHA-1 or SHA-256

2 Executed by updater process or trusted user

3 Allowed by SHA-1 or SHA-256

4 Allowed by certificate

5 Banned by name

6 Allowed by name

7 Executed from trusted directory

8 Added to whitelist

If none of the above apply for a file, the software blocks the execution of the file.
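The precedence above as a decision function, added here as an example and not Application Control's own code: given a file's hashes, signer, path and launching context, it returns the first step that applies, which is how a file banned by name can still run when a certificate rule allows it. The rule sets, the field names and the treatment of a trusted directory as covering its subdirectories are assumptions.

```python
"""Rule-precedence check for one file execution, in the eight-step order the
FAQ above lists (added example, not Application Control's own implementation).

The rule sets and file descriptions are constructed inline; the field names are
assumptions for this illustration, and a trusted directory is assumed to cover
its subdirectories.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field


@dataclass
class Rules:
    banned_hashes: set[str] = field(default_factory=set)   # SHA-1 or SHA-256 hex digests
    allowed_hashes: set[str] = field(default_factory=set)
    allowed_certs: set[str] = field(default_factory=set)   # trusted signer names
    banned_names: set[str] = field(default_factory=set)    # file names
    allowed_names: set[str] = field(default_factory=set)
    trusted_dirs: set[str] = field(default_factory=set)
    whitelist: set[str] = field(default_factory=set)       # solidified file paths


@dataclass
class Execution:
    path: str
    sha1: str
    sha256: str
    signer: str | None = None                 # subject of the file's valid signing certificate
    by_updater_or_trusted_user: bool = False  # launched by an updater process or trusted user


def _norm(path: str) -> str:
    """Case- and separator-insensitive form for Windows-style path comparison."""
    return path.replace("\\", "/").rstrip("/").lower()


def file_hashes(data: bytes) -> tuple[str, str]:
    """SHA-1 and SHA-256 of the file contents, the values that hash rules match on."""
    return hashlib.sha1(data).hexdigest(), hashlib.sha256(data).hexdigest()


def decide(ex: Execution, rules: Rules) -> tuple[str, str]:
    """Return ("allow" or "block", reason) from the first step that applies."""
    path = _norm(ex.path)
    directory, _, name = path.rpartition("/")
    hashes = {ex.sha1.lower(), ex.sha256.lower()}
    if hashes & {h.lower() for h in rules.banned_hashes}:
        return "block", "1 banned by SHA-1 or SHA-256"
    if ex.by_updater_or_trusted_user:
        return "allow", "2 executed by updater process or trusted user"
    if hashes & {h.lower() for h in rules.allowed_hashes}:
        return "allow", "3 allowed by SHA-1 or SHA-256"
    if ex.signer is not None and ex.signer in rules.allowed_certs:
        return "allow", "4 allowed by certificate"
    if name in {n.lower() for n in rules.banned_names}:
        return "block", "5 banned by name"
    if name in {n.lower() for n in rules.allowed_names}:
        return "allow", "6 allowed by name"
    if any(directory == _norm(d) or directory.startswith(_norm(d) + "/")
           for d in rules.trusted_dirs):
        return "allow", "7 executed from trusted directory"
    if path in {_norm(p) for p in rules.whitelist}:
        return "allow", "8 added to whitelist"
    return "block", "no rule matched"


if __name__ == "__main__":
    sha1, sha256 = file_hashes(b"constructed sample binary")
    rules = Rules(banned_names={"tool.exe"}, allowed_certs={"Example Corp"},
                  trusted_dirs={"C:\\Program Files\\Example"})
    signed = Execution("C:\\Temp\\tool.exe", sha1, sha256, signer="Example Corp")
    print(decide(signed, rules))  # the name ban (step 5) loses to the certificate allow (step 4)
    rules.banned_hashes.add(sha256)
    updater = Execution("C:\\Temp\\tool.exe", sha1, sha256, by_updater_or_trusted_user=True)
    print(decide(updater, rules))  # a hash ban (step 1) wins, even for an updater process
```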

I have defined variables on the Linux platform. Can I use these variables to define rules in Application Control or Change Control?

User-defined variables are not supported in the McAfee ePO-managed configuration.

The McAfee ePO interface is slow or unresponsive and the count of observations on the Predominant Observations page is high. What is the cause and how can I resolve this problem?

Application Control includes predefined rules to filter non-relevant and unnecessary observations you receive from endpoints. The rules are included in the Observation Filter Rules (Deprecated) rule group (shipped with the product). By default, these rules are applied to the global root in the System Tree and hence are inherited by all McAfee ePO-managed endpoints.

If you remove this rule group, you might receive many observations that cause the McAfee ePO interface to be slow or unresponsive. Review your setup and make sure that this rule group is applied to the endpoints.

How can I check the solidification or whitelisting status for an endpoint?

Perform these steps to review the solidification or whitelisting status for an endpoint.

1 From the McAfee ePO console, select Menu | Systems | System Tree.

2 Select the group associated with the endpoint in the System Tree pane.

The endpoints in the group are listed in the Systems tab.


3 Click Actions | Choose Columns.

4 Navigate to the Solidcore Client Properties list and select the Solidification Status property.

5 Click Save to return to the Systems tab.

6 Navigate to the row corresponding to an endpoint and review the value listed in the Solidification Status column.

How can I apply multiple policies to one node in the System Tree?

Perform these steps to apply multi-slot policies to a group or specific endpoints.

1 From the McAfee ePO console, select Menu | Systems | System Tree.

2 Perform one of these actions.

• Group — Select a group in the System Tree and switch to the Assigned Policies tab.

• Endpoint — Select the endpoint on the Systems page, then click Actions | Agent | Modify Policy on a Single System.

3 Click Edit Assignments for the multi-slot policy where you want to assign multiple policies.

4 Click New Policy Instance.

5 Select the policy that you want to assign from the Assigned policy field.

6 Click Save.

I am trying to fetch the software inventory for an endpoint, but the SC: Pull Inventory client task fails and I receive a message that the inventory cannot be fetched. What is the reason and how can I fetch the inventory successfully?

By default, you can fetch the inventory for an endpoint once in seven days. This value is set as the minimum interval between consecutive inventory runs. But, if needed, you can configure this value for your enterprise. See Configure settings for fetching the inventory.

What is the difference between custom action and taking global actions for a request?

For selected endpoints, to define custom rules to allow, ban, or allow by certificate an application or executable file, use the Create Custom Policy action. You can also define custom rules to allow a network path for selected endpoints. But, to allow, ban, or allow by certificate an application or executable file globally (on all endpoints in your enterprise), or to allow a network path globally, take global actions.

I am using the Number of Systems where Throttling Initiated in Last 7 days monitor on the Health Monitoring dashboard. Why is no data visible when I select the List events that initiated throttling for a system link?

When you select the List events that initiated throttling for a system link, the Events page lists events that resulted in the generation of the Data Throttled or Data Dropped events. The list includes all events that were generated in the 7-day period before the Data Throttled or Data Dropped events were received.

In these two scenarios, the Events page does not list any data.

• Consecutive Data Throttled and Data Dropped events are received for a system.

• Events are yet to be received at the McAfee ePO console. This can occur when the endpoint for which throttling was initiated is parsing older data and is yet to send the newer events to the McAfee ePO server.

Also, the same scenario can occur for policy discovery requests (observations) and inventory updates.


I want to change the value of a configuration parameter for a managed endpoint. I cannot find a policy or method to complete this from the McAfee ePO console. How can I complete tasks for which no method is available on the McAfee ePO console?

From the McAfee ePO console, you can use the SC: Run Commands client task to run any CLI commands remotely on one or more endpoints. The commands can include tasks that can or cannot be completed using McAfee ePO, such as enabling or disabling the product, changing the value of configuration parameters, or fetching the software inventory.

1 From the McAfee ePO console, select Menu | Systems | System Tree.

2 Perform one of these actions.

• To apply the client task to a group, select a group in the System Tree and switch to the Assigned Client Tasks tab.

• To apply the client task to an endpoint, select the endpoint on the Systems page, then click Actions | Agent | Modify Tasks on a Single System.

3 Click Actions | New Client Task Assignment to open the Client Task Assignment Builder page.

4 Select the Solidcore 8.0.0 product, SC: Run Commands task type, then click Create New Task to open the Client Task Catalog page.

5 Specify the task name and add any information.

6 Specify the command you want to run on the endpoints.

For example, to change the value of configuration parameters, specify the sadmin config set <ParameterName>=<ParameterValue> command.

7 (Optional) Specify the option to receive the result of the command by clicking Requires Response.

The command output is available on the Menu | Automation | Solidcore Client Task Log page.

8 Click Save.

How can I lock down or recover the local CLI for managed endpoints?

By default, the local CLI is locked down for McAfee ePO-managed endpoints. But, you can recover the CLI for one or more endpoints, if needed.

When you recover the CLI, any changes to configuration, policies, and tasks pushed from the McAfee ePO server are not enforced on the endpoint. So, the CLI status must be set to Restrict to enforce any changes to the endpoint.

1 From the McAfee ePO console, select Menu | Systems | System Tree.

2 Perform one of these actions.

• To apply the client task to a group, select a group in the System Tree and switch to the Assigned Client Tasks tab.

• To apply the client task to an endpoint, select the endpoint on the Systems page, then click Actions | Agent | Modify Tasks on a Single System.

3 Click Actions | New Client Task Assignment to open the Client Task Assignment Builder page.

4 Select the Solidcore 8.0.0 product, SC: Change Local CLI Access task type, then click Create New Task to open the Client Task Catalog page.


5 Change CLI status to Restrict or Allow.

6 Click Save.

I seem to have run into issues while applying a content update package in my setup. How can I resolve this?

If the McAfee ePO server is temporarily unavailable when a content update is being applied, you might run into issues. We recommend that you wait until the update is applied. Review the Content update for Application Control and Change Control entry on the Server Task Log page to verify whether the content update was applied successfully. If the issue isn't resolved or the update status is failed, contact McAfee Support for assistance.

I am trying to access a page and it displays the Content update is in progress warning message. Why is this happening?

We can now automatically push content updates for Application Control and Change Control through the McAfee ePO console. This eliminates the need for customers to apply hotfixes for configuration changes, such as rules, policies, or McAfee GTI settings. For example, any changes to the McAfee GTI settings or certificate are automatically applied in your setup.

When a content update is being applied, you should not make any changes to existing rules and configuration. The warning message is displayed while the content update is being applied and disappears after the update is complete. For every content update that is applied, a corresponding Content update for Application Control and Change Control entry is added to the Server Task Log page. You can review the entry for details of the changes made.

How can I view the reputation for a specific file on an endpoint?

To view the reputation for a specific file on an endpoint, fetch the file reputation from a source (TIE server, McAfee GTI, or Advanced Threat Defense), as applicable. But, make sure that the reputation setting is enabled in the Application Control (Options) policy applied to the endpoint. For more information about how to enable reputation settings, see Configure reputation settings.

Use the SC: Run Commands client task to run this command on the endpoint.

sadmin getreputation [ -v | -b ] -f <filename> -m <md5> -h <sha-1> -s <reputation-source>

You must specify the MD5 and SHA-1 values for a file to fetch its reputation. But, if you also specify the file name with its MD5 and SHA-1 values, the file name is considered for fetching the reputation.

This table lists the supported arguments and their description.

Argument | Description
-v | Specify this argument to display all sources and the file reputation stored in them.
-b | Specify this argument to bypass the internal cache for stored file reputation and fetch the reputation from the specified source.
-f | Specify the file name for which you want to fetch the reputation.
-m | Specify the MD5 value of the file for which you want to fetch the reputation.
-h | Specify the SHA-1 value of the file for which you want to fetch the reputation.
-s | Include the source to fetch the file reputation from.

How can I recover the CLI for an endpoint if the CLI is disabled after multiple incorrect password attempts?


If the CLI is disabled after multiple incorrect password attempts, there are two methods to recover the CLI:

• To immediately recover the CLI, the administrator can send the SC: Change Local CLI Access client task from the McAfee ePO console.

• To recover the CLI from the endpoint, enter the correct CLI recover password on the CLI after the disable time period lapses.

When the CLI is recovered, the Recovered Local CLI event is sent to the McAfee ePO console to notify the administrator.

I am reviewing inventory items and can see the Inventory for one or more systems could not be processed. Increase memory allocated for Java Virtual Machine. message. How can I resolve this?

Starting with the 8.0.0 release, Application Control can process a large volume of inventory items. If inventory cannot be fetched from an endpoint because of a lack of Java Virtual Machine memory on the server, the Inventory for one or more systems could not be processed. Increase memory allocated for Java Virtual Machine. message is displayed on the By Applications and By Systems pages. To resolve this, complete these steps:

1 Navigate to the By Systems page.

2 Select the Systems with Failed Inventory Fetch filter.

3 Review the listed systems.

4 For each system where Inventory Fetch Status is set to Failed (low JVM memory), hover over the status to review information about the JVM memory needed.

5 Optionally, select Actions | Choose Columns, select JVM Memory Required (in GB) from the Available Columns list, and click Save. You can review the minimum memory required for each system.

6 Increase memory according to the listed requirements for the endpoints. Before upgrading to the suggested JVM value, make sure that your system meets the needed RAM requirements. For more information, review this link.

When using Application Control and Change Control, which features and workflows support SHA-1 and SHA-256?

Starting with the 8.0.0 release, we have added support for file SHA-256 values (for the Windows platform). This table lists how existing features and workflows use SHA-1 and SHA-256 values.

Feature | Capability | SHA-1 | SHA-256
Executable files | Define allow or ban rules for executable files (in policy or rule group) | Yes | Yes
Updater Processes | Define allow or ban rules for updater processes (in policy or rule group) | Yes | Yes
Installers | Define allow or ban rules for installers (in policy or rule group) | Yes | Yes
Certificates | Add rules for trusted certificates (in policy or rule group) | Yes | Yes
Certificates | View certificate details on Solidcore pages | Yes | No
Policy discovery | Add rules to process requests | Yes | Yes
Policy discovery | Group requests for display on Policy Discovery page | Yes | No
Inventory | Add rules for inventory items | Yes | Yes
Inventory | Group items for display on Inventory pages | Yes | No
Solidcore events | Review event information and file details | Yes | Yes
Rule groups | Add rules to a rule group to associate with a policy | Yes | Yes
Reputation-based rules | Add rules to allow or ban files based on their reputation | Yes | No
Scan a Software Repository server task | Scan a repository to add installers and certificates to McAfee ePO | Yes | Yes
Send McAfee GTI feedback | Send feedback to McAfee about your current use of the McAfee GTI and Application Control features | Yes | No
Offline GTI Tool | Fetch McAfee GTI ratings for files and certificates | Yes | No
McAfee GTI reputation | Determine file reputation and classification | Yes | No
TIE server | Determine file reputation and classification | Yes | No

Except where stated, all other Application Control and Change Control workflows are based on file SHA-1 values. In other words, the linking between events (on the Solidcore Events page), file details (on the Inventory pages), and requests (on the Policy Discovery page) is based on the file's SHA-1 value.

I recently fetched inventory for an endpoint and need to fetch inventory for it again. How can I do this?

For Application Control, the minimum interval between consecutive inventory runs (when the inventory information is fetched from the endpoints) is set to seven days. This is the default value and implies that for an endpoint you can pull inventory once a week. But, if needed, you can configure this value for your enterprise. See Configure settings for fetching the inventory.

One of these happens when you fetch inventory for an endpoint:

• If inventory for the endpoint was fetched in the last seven days, inventory updates are fetched.

• If inventory for the endpoint was not fetched in the last seven days, complete inventory details are fetched.

I received the Unable to Recover Inventory event for an endpoint. What can I do?

The Inventory Corrupted event is generated for an endpoint if the internal inventory for the endpoint is corrupt. Application Control maintains an inventory backup for the endpoint and recovers the inventory for the endpoint from the backup copy.

• If the inventory is recovered successfully from the backup copy, the Recovered Inventory event is generated.

• If for some reason the inventory cannot be recovered from the backup copy, the Unable to Recover Inventory event is generated. To rectify, execute the SC: Run Commands client task with the sadmin so command.


B Feature availability

Here is a list of Application Control and Change Control features and their availability for operating systems and supported configurations. The Windows and Linux columns show availability for operating systems; the Managed configuration and Standalone configuration columns show availability in supported configurations.

Feature | Windows | Linux | Managed configuration | Standalone configuration
Prevent execution of unauthorized binary files | Yes | Yes | Yes | Yes
Prevent execution of unauthorized libraries or DLLs | Yes | Yes | Yes | Yes
Prevent execution of unauthorized kernel drivers | Yes | No | Yes | Yes
Prevent execution of unauthorized scripts | Yes | Yes | Yes | Yes
Manage execution of Alternate Data Streams (ADSs) | Yes | Not applicable | Yes | Yes
Configure reputation-based execution of trusted binary files, DLLs, and drivers | Yes | No | Yes | No
Monitor file changes | Yes | Yes | Yes | Yes
Monitor registry changes | Yes | Not applicable | Yes | Yes
Monitor changes to user logon and logoff | Yes | No | Yes | Yes
Track content changes for files | Yes | Yes | Yes | No
Track content changes for directories | Yes | No | Yes | No
Read protect files and directories | Yes | Yes | Yes | Yes
Read protect drives | Yes | Not applicable | Yes | Yes
Read protect registry keys | Yes | Not applicable | Yes | Yes
Write protect files and directories | Yes | Yes | Yes | Yes
Write protect drives | Yes | Not applicable | Yes | Yes
Write protect registry keys | Yes | Not applicable | Yes | Yes
Define updater by name | Yes | Yes | Yes | Yes
Define updater by checksum | Yes | No | Yes | Yes
Manage updater privileges for scripts | Yes | Yes | Yes | Yes
Manage execution of files from trusted path | Yes | Yes | Yes | Yes
Manage certificate-based execution and updater privileges (for binary files, DLLs, and drivers) | Yes | No | Yes | Yes
Define trusted users | Yes | No | Yes | Yes
Manage installation and uninstallation of software packages (Package Control) | Yes | No | Yes | Yes
Manage installation of ActiveX controls | Yes | Not applicable | Yes | No
Use inventory updates | Yes | Yes | Yes | Yes
Use Observation mode | Yes | No | Yes | No
Configure memory protection | Yes | No | Yes | Yes
Configure Self-Approval | Yes | No | Yes | No
Use reboot-free activation | Yes | Yes | Yes | Yes
Use reboot-free deactivation | No | Yes | Yes | Yes
Run image deviation | Yes | Yes | Yes | No
Configure CLI breach notifications | Yes | No | Yes | No
Configure attribute-based rules | Yes | No | Yes | Yes


C Change Control and Application Control events

This table provides a detailed list of all Change Control and Application Control events.

Event names with a suffix (_UPDATE) indicate that events are generated in Update mode.

In the Event type column, these abbreviations indicate the applicable type for the event.

• SC — Solidcore client-related event

• CC — Change Control event

• AC — Application Control event

Event ID (on endpoints) | Threat event ID (on McAfee ePO) | Event name | Event display string | Solidcore client severity | McAfee ePO severity | Event type
1 | 20700 | BOOTING_DISABLED | Booted in Disabled mode | Warning | Warning | SC
2 | 20701 | BOOTING_ENABLED | Booted in Enabled mode | Info | Information | SC
3 | 20702 | BOOTING_UPDATE_MODE | Booted in Update mode | Info | Information | SC
4 | 20703 | ENABLED_DEFERRED | Enabled On Reboot | Info | Information | SC
5 | 20704 | DISABLED_DEFERRED | Disabled On Reboot | Warning | Warning | SC
6 | 20705 | BEGIN_UPDATE | Opened Update Mode | Info | Information | SC
7 | 20706 | END_UPDATE | Closed Update Mode | Info | Information | SC
8 | 20707 | COMMAND_EXECUTED | Command Executed | Info | Information | SC
15 | 20714 | REG_KEY_CREATED | Registry Created | Info | Information | CC
16 | 20715 | REG_KEY_DELETED | Registry Deleted | Info | Information | CC
18 | 20717 | REG_VALUE_DELETED | Registry Deleted | Info | Information | CC
19 | 20718 | PROCESS_TERMINATED | Process Terminated | Major | Error | AC
20 | 20719 | WRITE_DENIED | File Write Denied | Major | Error | CC
21 | 20720 | EXECUTION_DENIED | Execution Denied | Major | Error | AC
29 | 20728 | PROCESS_TERMINATED_UNAUTH_SYSCALL | Process Terminated | Major | Error | AC
30 | 20729 | PROCESS_TERMINATED_UNAUTH_API | Process Terminated | Major | Error | AC
31 | 20730 | MODULE_LOADING_FAILED | Module Loading Failed | Major | Error | SC
41 | 20740 | FILE_ATTR_SET | File Attribute Set | Info | Information | CC
42 | 20741 | FILE_ATTR_CLEAR | File Attribute Cleared | Info | Information | CC
43 | 20742 | FILE_ATTR_SET_UPDATE | File Attribute Set | Info | Information | CC
44 | 20743 | FILE_ATTR_CLEAR_UPDATE | File Attribute Cleared | Info | Information | CC
49 | 20748 | REG_VALUE_WRITE_DENIED | Registry Write Denied | Major | Error | CC
50 | 20749 | REG_KEY_WRITE_DENIED | Registry Write Denied | Major | Error | CC
51 | 20750 | REG_KEY_CREATED_UPDATE | Registry Created | Info | Information | CC
52 | 20751 | REG_KEY_DELETED_UPDATE | Registry Deleted | Info | Information | CC
54 | 20753 | REG_VALUE_DELETED_UPDATE | Registry Deleted | Info | Information | CC
56 | 20755 | OWNER_MODIFIED | File Ownership Changed | Info | Information | CC
57 | 20756 | OWNER_MODIFIED_UPDATE | File Ownership Changed | Info | Information | CC
61 | 20760 | PROCESS_HIJACKED | Process Hijack Attempted | Major | Error | AC
62 | 20761 | INVENTORY_CORRUPT | Inventory Corrupted | Critical | Critical | AC
63 | 20762 | BOOTING_DISABLED_SAFEMODE | Booted in Disabled mode | Warning | Warning | SC
64 | 20763 | BOOTING_DISABLED_INTERNAL_ERROR | Booted in Disabled mode | Critical | Critical | SC
70 | 20769 | FILE_CREATED | File Created | Info | Information | CC
71 | 20770 | FILE_DELETED | File Deleted | Info | Information | CC
72 | 20771 | FILE_MODIFIED | File Modified | Info | Information | CC
73 | 20772 | FILE_ATTR_MODIFIED | File Attribute Modified | Info | Information | CC
74 | 20773 | FILE_RENAMED | File Renamed | Info | Information | CC
75 | 20774 | FILE_CREATED_UPDATE | File Created | Info | Information | CC
76 | 20775 | FILE_DELETED_UPDATE | File Deleted | Info | Information | CC
77 | 20776 | FILE_MODIFIED_UPDATE | File Modified | Info | Information | CC
78 | 20777 | FILE_ATTR_MODIFIED_UPDATE | File Attribute Modified | Info | Information | CC
79 | 20778 | FILE_RENAMED_UPDATE | File Renamed | Info | Information | CC
80 | 20779 | FILE_SOLIDIFIED | File Solidified | Info | Information | AC
82 | 20781 | FILE_UNSOLIDIFIED | File Unsolidified | Info | Information | AC
84 | 20783 | ACL_MODIFIED | File Acl Modified | Info | Information | CC
85 | 20784 | ACL_MODIFIED_UPDATE | File Acl Modified | Info | Information | CC
86 | 20785 | PROCESS_STARTED | Process Started | Info | Information | CC
87 | 20786 | PROCESS_EXITED | Process Exited | Info | Information | CC
88 | 20787 | TRIAL_EXPIRED | Trial license expired | Major | Error | SC
89 | 20788 | READ_DENIED | File Read Denied | Major | Error | CC
90 | 20789 | USER_LOGON_SUCCESS | User Logged On | Info | Information | CC
91 | 20790 | USER_LOGON_FAIL | User Logon Failed | Info | Information | CC
92 | 20791 | USER_LOGOFF | User Logged Off | Info | Information | CC
93 | 20792 | USER_ACCOUNT_CREATED | User Account Created | Info | Information | CC
94 | 20793 | USER_ACCOUNT_DELETED | User Account Deleted | Info | Information | CC
95 | 20794 | USER_ACCOUNT_MODIFIED | User Account Modified | Info | Information | CC
96 | 20795 | PKG_MODIFICATION_PREVENTED | Installation Denied | Critical | Critical | AC
97 | 20796 | PKG_MODIFICATION_ALLOWED_UPDATE | Installation Allowed | Info | Information | AC
98 | 20797 | PKG_MODIFICATION_PREVENTED_2 | Installation Denied | Critical | Critical | AC
99 | 20798 | NX_VIOLATION_DETECTED | Nx Violation Detected | Critical | Critical | AC
100 | 20799 | REG_VALUE_MODIFIED | Registry Modified | Info | Information | CC
101 | 20800 | REG_VALUE_MODIFIED_UPDATE | Registry Modified | Info | Information | CC
102 | 20801 | UPDATE_MODE_DEFERRED | Update Mode On Reboot | Info | Information | SC
103 | 20802 | FILE_READ_UPDATE | File read in update mode | Info | Information | CC
106 | 20805 | STREAM_CREATED | Alternate Data Stream Created | Info | Information | CC
107 | 20806 | STREAM_DELETED | Alternate Data Stream Deleted | Info | Information | CC
108 | 20807 | STREAM_MODIFIED | Alternate Data Stream Modified | Info | Information | CC
109 | 20808 | STREAM_ATTR_MODIFIED | Attribute Modified in Data Stream | Info | Information | CC
110 | 20809 | STREAM_CREATED_UPDATE | Alternate Data Stream Created | Info | Information | CC
111 | 20810 | STREAM_DELETED_UPDATE | Alternate Data Stream Deleted | Info | Information | CC
112 | 20811 | STREAM_MODIFIED_UPDATE | Alternate Data Stream Modified | Info | Information | CC
113 | 20812 | STREAM_ATTR

_MODIFIED_UPDATE

AttributeModified inData Stream

Info InformationCC

114 20813 STREAM_ATTR_SET AttributeAdded inData Stream

Info InformationCC

115 20814 STREAM_ATTR_CLEAR AttributeCleared inData Stream

Info InformationCC

116 20815 STREAM_ATTR

_SET_UPDATE

AttributeAdded inData Stream

Info InformationCC

117 20816 STREAM_ATTR

_CLEAR_UPDATE

AttributeCleared inData Stream

Info InformationCC

118 20817 STREAM_RENAMED AlternateData StreamRenamed

Info InformationCC

119 20818 STREAM_RENAMED_UPDATE

AlternateData StreamRenamed

Info InformationCC

120 20819 BEGIN_OBSERVE StartObserveMode

Info InformationAC

121 20820 BEGIN_OBSERVE_DEFERRED

StartObserveMode OnReboot

Info InformationAC

122 20821 END_OBSERVE End ObserveMode

Info Information AC

123 20822 END_OBSERVE_DEFERRED

End ObserveMode OnReboot

Info InformationAC

124 20823 INITIAL_SCAN

_TASK_COMPLETED

Initial ScanCompleted

Info InformationAC

Change Control and Application Control events C

McAfee Change Control and McAfee Application Control 8.0.0 Product Guide 215

Page 216: For use with McAfee ePolicy Orchestrator · PDF fileFor use with McAfee ePolicy Orchestrator. COPYRIGHT ... What are rule groups? ... Search for a certificate

Event ID(onendpoints)

ThreateventID (onMcAfeeePO)

Event name Eventdisplaystring

Solidcoreclientseverity

McAfeeePOseverity

Eventtype

125 20824 BOOTING_OBSERVE Booted inObserveMode

Info InformationAC

126 20825 ACTX_ALLOW_INSTALL ActiveXinstallationAllowed

Info InformationAC

127 20826 ACTX_INSTALL_PREVENTED

ActiveXinstallationPrevented

Major ErrorAC

129 20828 VASR_VIOLATION_DETECTED

VASRViolationDetected

Critical CriticalAC

131 20830 THROTTLING_STARTED DataThrottled

Major Warning SC

132 20831 THROTTLING_CACHE_FULL

DataDropped

Major ErrorSC

Notapplicable(server-sideevent)

20950 THREAT_DETECTED * MaliciousFile Found

- Based onreputation.‡ CC,

AC

Notapplicable(server-sideevent)

20951 ASSUMED_THREAT_NOT_PRESENT *

MaliciousFile isTrusted

- Based onreputation.‡ CC,

AC

Notapplicable(server-sideevent)

20952 OBSERVATION_THRESHOLD_EXCEEDED *

ObservationThresholdExceeded

- WarningCC,AC

Notapplicable(server-sideevent)

20953 OBSERVATION_REQUEST_THRESHOLD_EXCEEDED *

ObservationRequestThresholdExceeded

- WarningCC,AC

Notapplicable(server-sideevent)

20954 DATA_CONGESTION_DETECTED DataCongestionDetected

- WarningCC,AC

Notapplicable(server-sideevent)

20955 CLOGGED_DATA_DELETED CloggedData Deleted

- WarningCC,AC

133 20832 LOCAL_CLI_ACCESS_DISABLED DisabledLocal CLIAccess

Major Error CC,AC

134 20833 LOCAL_CLI_RECOVER_SUCCESS RecoveredLocal CLI

Info Information CC,AC

135 20834 LOCAL_CLI_RECOVER_FAILED Unable toRecoverLocal CLI

Info Information CC,AC

C Change Control and Application Control events

216 McAfee Change Control and McAfee Application Control 8.0.0 Product Guide

Page 217: For use with McAfee ePolicy Orchestrator · PDF fileFor use with McAfee ePolicy Orchestrator. COPYRIGHT ... What are rule groups? ... Search for a certificate

Event ID(onendpoints)

ThreateventID (onMcAfeeePO)

Event name Eventdisplaystring

Solidcoreclientseverity

McAfeeePOseverity

Eventtype

136 20835 OBSERVED_FILE_EXECUTION ObservedFileExecution

Info InformationAC

137 20836 PREVENTED_FILE_EXECUTION PreventedFileExecution

Major ErrorAC

138 20837 INVENTORY_RECOVERED RecoveredInventory

Critical Error AC

139 20838 INVENTORY_RECOVER_FAILED Unable toRecoverInventory

Critical ErrorAC

140 20839 BLOCKED_PROCESS_INTERACTIVE_MODE

BlockedInteractiveMode ofProcess

Critical ErrorAC

* This event is displayed only on the Threat Event Log page.‡ The McAfee ePO severity for this event is based on reputation value. If the reputation value is Known Malicious, Most Likely

Malicious, or Might be Malicious, the severity value is Alert, Critical, or Error, respectively. If the reputation value isUnknown, the severity value is Warning. Also, if the reputation value is Might be Trusted, Most Likely Trusted, or KnownTrusted, the severity value is Warning, Notice, or Information, respectively.

Change Control and Application Control events C

McAfee Change Control and McAfee Application Control 8.0.0 Product Guide 217


Index

A
about this guide 9
ActiveX controls 140
Address Space Layout Randomization (ASLR) 74
advanced configuration tasks
    configure syslog server 191
    end-user notifications 195
    permission sets 192
advanced exclusion filters (AEFs)
    add 154
    overview 29
agent-server communication interval (ASCI) 109
alerts, purge 190
Alternate Data Stream (ADS) 197
Application Control
    activation options 112
    change value, configuration parameters 197
    checks, file execution 93, 94
    default policies 98
    deploy in Observe mode 109, 110, 112
    disable 187
    dry run 60
    enable 129, 180
    fine tune, configuration 191
    modes 60
    overview and uses 13
    predefined rules 130
    reputation change notifications 64
    run commands remotely 197
    trust level 67
    whitelist 93
attribute-based rules
    about 97
    add 97

B
binaries
    add to whitelist 121, 169
    allow by certificates 118, 167
    allow by checksum 117, 166
    ban by checksum 119, 167
    bypass rules 122
    checks for execution 93, 94
    reputation 64–66, 72
    reputation values 66
    set enterprise reputation 147
    use reputation 74

C
certificates
    add 88, 197
    assign policy or rule group 104
    authorize programs or files 93, 118, 167
    compute reputation 67
    description 100
    export public key SHA-1s 145
    manage 87
    reputation 63–67, 72
    reputation values 66, 67
    search 89
    set enterprise reputation 147
    supported 87, 197
    trusted 87
    use reputation 74
    view assignments 89
Change Control
    change value, configuration parameters 197
    dashboards 56
    enable 27
    exclude events 55
    fine tune, configuration 191
    modes 19
    overview and uses 16
    queries 56
    run commands remotely 197
    track content changes 37
change window 60, 180
checksum
    authorize programs or files 117, 166
    ban programs or files 119, 167
CLI breach
    about 185
    configure notifications 185
client task log, purge 190

command line interface (CLI)
    lockdown 197
    password 186, 197
    recover 197
    run commands remotely 197
content changes
    compare files 40
    configure settings 37
    events 54
    generate report 42
    manage file versions 39
    monitor file changes 41
    purge 190
    track 36–38
conventions and icons used in this guide 9
Critical Address Space Protection (CASP)
    about 74
    define bypass rules 136

D
dashboards
    Application Control 173
    Change Control 56
    enterprise health 177, 178
data
    congestion status 177–179
    purge, alerts 190
    purge, client task log 190
    purge, content change tracking data 190
    purge, events 190
    purge, image deviation 190
    purge, inventory 190
    purge, policy discovery 190
    review congestion levels 178
Data Execution Prevention (DEP) 74
deprecated
    Observations page 114
    Self-Approval page 114
directories
    add, trusted 106
    monitor 32–35
    path considerations 33
    read-protect 45, 47
    remove from whitelist 197
    track content changes 36–38
    unsolidify 197
    write-protect 45, 47
Disabled mode
    overview, Application Control 60
    overview, Change Control 19
    place in 187
documentation
    audience for this guide 9
    product-specific, finding 10
    typographical conventions and icons 9

E
emergency changes 60, 180
Enabled mode
    overview, Application Control 60
    overview, Change Control 19
    place in, Application Control 129, 180
    place in, Change Control 27
end-user notifications 195
ePolicy Orchestrator
    access more servers 191
    add certificates 88
    add installers 90
    dashboards, Application Control 173
    dashboards, Change Control 56
    fetch GTI ratings for isolated environments 145
    import GTI result file 147
    install 13
    manage events 53
    queries, Application Control 173
    queries, Change Control 56
    reputation-based workflow 64
    throttle observations 125
    verify the import of GTI ratings 147
    view queries, Application Control 175
    view queries, Change Control 58
events
    details 131
    exclude 55, 136
    for user account activity 197
    list 211
    purge data 190
    review and manage 53, 131
    throttle 181–185
    view content changes 54
executable files
    allow or ban 103
    compute reputation 67
    export SHA-1s 145
    fetch GTI ratings 145
    in inventory, review 148
    reputation 67
    reputation values 67

F
features, enable, or disable 197
files
    add to whitelist 121, 169
    allow or ban, executable files 103
    Alternate Data Stream (ADS) 197
    authorize by certificates 118, 167
    authorize by checksum 117, 166

files (continued)
    authorized and whitelisted 93
    ban by checksum 119, 167
    bypass rules 122, 136
    checks for execution 93, 94
    compute reputation 67
    configure settings, content change tracking 37
    export SHA-1s 145
    fetch GTI ratings 145
    how to authorize 93
    in inventory, review 148
    manage content changes 36–39
    monitor 29, 32–35
    network, allow 118
    path considerations 33, 47
    read-protect 45, 47
    remove from whitelist 197
    reputation 63–67, 72
    reputation values 66, 67
    self approve 159
    self-approve 160
    set enterprise reputation 147
    track content changes 37
    tracked, content change tracking report 42
    unsolidify 197
    use reputation 74
    view and manage events, Change Control 53
    view content changes, events 54
    write-protect 45, 47
filters 124
    inventory updates 154, 185
    observations and events 185
    overview 16
    specify, observations and events 124
    use seeded 148
Forced DLL Relocation
    about 74
    define bypass rules 136
frequently asked questions (FAQs) 197
Full Feature Activation 112, 129

G
generic launcher processes 111, 162
graylist 152

I
image deviation
    how to 155
    purge 190
    review comparison results 156
installers
    add 90
    assign 105
    description 100
    execution 91
    manage 89
    search 90
    view assignments 91
Integrity Monitor
    create rule groups 23
    dashboards 56
    manage rule groups 22
    monitoring rules 33, 34
    view assignments for a rule group 27
inventory
    compare 155, 156
    configure settings 143
    configure updates 142
    data congestion level 178
    export SHA-1s 145
    fallback 197
    fetch 143, 144
    fetch GTI ratings 145, 146
    file categories 152
    guidelines to fetch 142
    import GTI result file 147
    manage 141, 148
    optimize view 150
    purge 190
    recover corrupted 197
    review 148
    set the base image 155
    specify advanced exclusion filters 154
    throttle updates 181–185
    update mechanism 141

L
license 13
Limited Feature Activation 112, 129

M
managed platform, supported versions 10
McAfee Advanced Threat Defence
    reputation source 63, 72
    reputation values 67
McAfee Data Exchange Layer (DXL) 72
McAfee Global Threat Intelligence (McAfee GTI)
    address of cloud and feedback server 197
    classification 66, 67
    fetch ratings 145
    file reputation service 146
    import GTI result file 147
    proxy server 197
    reputation source 63, 72
    reputation values 66, 67
    run the Offline GTI tool 146
    send feedback 189

McAfee Global Threat Intelligence (McAfee GTI) (continued)
    verify the import of GTI ratings 147
McAfee ServicePortal, accessing 10
McAfee Support
    collect information for configuration and debug 187
    configure settings for GTI ratings 147
McAfee Threat Intelligence Exchange (TIE)
    reputation change notifications 64
    reputation source 63, 72
    reputation values 66, 67
    server 63
McAfee Threat Intelligence Services (MITS) 74
memory-protection techniques
    add exception 105
    bypass 122, 136
    Critical Address Space Protection (CASP) 74
    Forced DLL Relocation 74
    mp-casp (Critical Address Space Protection) 74
    mp-nx (No eXecute) 74
    mp-vasr (Virtual Address Space Randomization) 74
    mp-vasr-randomization (VASR Randomization) 74
    mp-vasr-rebase (VASR Rebasing) 74
    mp-vasr-reloc (VASR Relocation for 64-bit) 74
    mp-vasr-relocation (VASR Relocation for 32-bit) 74
    No eXecute (NX) 74
    Virtual Address Space Randomization (VASR) 74
modes
    Disabled, Application Control 187
    Disabled, Change Control 187
    Enabled, Application Control 129, 180
    Enabled, Change Control 27, 180
    Observe 109, 127
    overview, Application Control 60
    overview, Change Control 19
    Update 180
monitoring rules
    actions 33
    changes to Alternate Data Stream (ADS) 197
    define 32
    how it works 29
    policies 35
    review, predefined rules 34

N
Network Address Translation (NAT) environments 197
No execute (NX)
    define bypass rules 136
No eXecute (NX)
    about 74

O
observations
    data congestion level 178
    define threshold 126
    description 109
    manage 114
    restart generation 127
    review rules for throttling 126
    throttle 125, 126
Observe mode
    description 109
    exit 127
    overview 60
    place in 109, 110, 112
    throttle observations 125
Offline GTI tool 146

P
package control
    allow uninstallation 91
    bypass 91
    configure 91
paths
    add to whitelist 121, 169
    system variables and considerations 32, 33, 46
permission sets 192
permissions
    allow, non-global administrators 113, 163
    certificates 79, 82
    exceptions 79, 82
    executable files 79, 82
    filters 21, 23, 79, 82
    installers 79, 82
    manage 23, 82
    manage, enterprise-wide requests 113, 163
    policy discovery 113, 162, 163
    rule group tabs 21, 23, 79, 82
    rule groups 21, 79
    Solidcore Admin 192
    Solidcore Reviewer 192
    trusted directories 79, 82
    trusted users 21, 23, 79, 82
    updater processes 82
    updaters 21, 23, 79
policies
    assign certificates 104
    assign installers 105
    change CLI password 186
    create 134, 135
    default, Application Control 98
    define rule groups 19, 20, 75, 76
    define rules to override protection 134
    exclusion rules 116
    monitoring 35
    protection 50
    specified labels 197
    throttling 126
    view assignments for certificates 89

policies (continued)
    view assignments for installers 91
prerequisites 13
Process Context File Operations
    define bypass rules 136
programs
    authorize 93
    updaters 100

Q
queries
    Application Control 173
    Change Control 56
    view, Application Control 175
    view, Change Control 58
queries, User Comments 124

R
read-protection feature
    enable 50
    override 47
    overview 16
    rules 45, 47
real-time monitoring 16
recommendations
    convert scripts to self-extracting executable file 197
    duplicate query for content change tracking report generation 42
    for allowed executable and updater configuration 100
    for drives or volumes in the whitelist 197
    retain default policies 130
    self-approval feature, Full Feature Activation mode 159
registry keys
    monitor 29, 32–35
    path considerations 33, 47
    write-protect 45, 47
reputation
    certificate 63
    certificates 64
    change notifications 64
    compute 67
    endpoint workflow 65
    file 63
    files 64
    how it is computed 67
    McAfee Advanced Threat Defence 63
    McAfee ePO workflow 64
    McAfee Global Threat Intelligence (McAfee GTI) 63
    McAfee Threat Intelligence Exchange (TIE) server 63
    set 147
    sources 63, 66, 67, 72
    sources, configure 72
    uses 74
    values 66, 67
    workflow 64, 65
requests
    add to whitelist 121, 169
    allow, non-global administrators 113, 163
    bypass rules 122
    data congestion level 178
    define custom rules 120, 168
    delete 123, 171
    manage 114
    manage, accumulated 127
    manage, enterprise-wide 113, 163
    permissions 113, 162
    process 116
    purge 190
    review 114
    review rules 123, 171
    review self-approval 159, 160, 163
    throttle 181–185
restricted certificate names 111, 162
Return-Oriented Programming (ROP) 74
rule groups
    assign certificates 104
    assign installers 105
    assign permissions, Application Control 79
    assign permissions, Change Control 21
    change ownership 22, 82
    create and manage, Application Control 81, 83
    create and manage, Integrity Monitor and Change Control 22
    define bypass rules 136
    define rules to override protection 134
    example, Application Control 76
    example, Change Control 20
    global rules 123, 171
    import or export 24, 25, 84, 85
    manage permissions, Application Control 82
    manage permissions, Change Control 23
    overview, Application Control 19, 75, 76
    overview, Change Control 20
    ownership 20, 76
    resolve discrepancies and inconsistencies 197
    verify import 27, 86
    view assignments for certificates 89
    view assignments for installers 91
    view assignments, Application Control 87
    view assignments, Integrity Monitor and Change Control 27
rules
    define, custom 120, 134, 168
    define, guidelines 101
    manage predefined 197
    monitoring 29
    protection 45–47

S
self-approval feature
    configure 111, 162
    enable 160
    what is 159
ServicePortal, finding product documentation 10
SHA-1 or SHA-256
    authorize programs or files 93
skiplist
    bypass file operations 136
    bypass volume 136
    bypass whitelist 136
    bypass write-protection rules 136
supported management platform versions 10
syslog server 191
system variables 32, 46

T
technical support, finding product information 10
trust model
    add certificates 88, 197
    add installers 90
    add to whitelist 121, 169
    authorize by certificates 118, 167
    authorize by checksum 117, 166
    ban by checksum 119, 167
    certificates 100
    checks, file execution 93, 94
    define rules 120, 168
    how to design 93
    installers 100
    Observe mode 100, 109, 110
    trusted directories 100
    trusted users 100
    Update mode 100
    updaters 100
trusted directories
    add 106
    description 100
trusted users
    add 106
    description 100, 106
    override read-protection and write-protection 47

U
Update mode
    make emergency changes 180
    overview, Application Control 60
    overview, Change Control 19
    place in 180
updaters
    add 102
    description 77, 100
    override read-protection and write-protection 47
users
    account activity 197
    approve requests 159, 160
    end-user notifications 195
    monitor 29
    permission sets 192
    review requests 163

V
Virtual Address Space Randomization (VASR)
    about 74
    define bypass rules 136
volumes
    read-protect 45
    remove from whitelist 197
    unsolidify 197
    write-protect 45

W
what's in this guide 10
whitelist
    add to 121, 169
    compare 155
    export SHA-1s 145
    fetch 144
    fetch GTI ratings 145, 146
    file categories 152
    guidelines to fetch 142
    import GTI result file 147
    manage 141, 148
    overview 93
    review 148
    set the base image 155
write-protection feature
    override 47
    overview 16
    rules 45, 47
