McAfee Change Control and McAfee Application Control 6.1.0

Product Guide

For use with ePolicy Orchestrator 4.5.0–4.6.0


COPYRIGHT
Copyright © 2012 McAfee, Inc. Do not copy without permission.

TRADEMARK ATTRIBUTIONS
McAfee, the McAfee logo, McAfee Active Protection, McAfee AppPrism, McAfee Artemis, McAfee CleanBoot, McAfee DeepSAFE, ePolicy Orchestrator, McAfee ePO, McAfee EMM, McAfee Enterprise Mobility Management, Foundscore, Foundstone, McAfee NetPrism, McAfee Policy Enforcer, Policy Lab, McAfee QuickClean, Safe Eyes, McAfee SECURE, SecureOS, McAfee Shredder, SiteAdvisor, SmartFilter, McAfee Stinger, McAfee Total Protection, TrustedSource, VirusScan, WaveSecure, WormTraq are trademarks or registered trademarks of McAfee, Inc. or its subsidiaries in the United States and other countries. Other names and brands may be claimed as the property of others.

LICENSE INFORMATION

License Agreement
NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND.


Contents

Preface ... 7
  About this guide ... 7
    Audience ... 7
    Conventions ... 7
    What's in this guide ... 8
  Find product documentation ... 9

1 Introduction ... 11
  Change Control overview ... 11
  Application Control overview ... 12

2 Getting started with Change Control ... 15
  Change Control modes ... 15
  Manage rule groups ... 15
    Create rule groups ... 16
    Import or export rule groups ... 17
    View assignments for a rule group ... 18
  Enable Change Control ... 18

3 Monitoring the file system and registry ... 21
  How monitoring rules work ... 21
  How do I define monitoring rules ... 23
  Review predefined monitoring rules ... 26
  Create monitoring policies ... 26
  Manage content changes ... 27
    Track content changes ... 28
    Manage file versions ... 28
    Compare files ... 30
    Receive change details by email ... 31
    Specify the maximum file size ... 31

4 Protecting the file system and registry ... 33
  How protection rules work ... 33
  How do I define protection rules ... 34
  Create a protection policy ... 38
  Enable read protection ... 38

5 Monitoring and reporting ... 41
  Manage events ... 41
    Review events ... 41
    View content changes ... 42
    Exclude events ... 43
  Use dashboards ... 43
  View queries ... 43

6 Getting started with Application Control ... 47
  Application Control modes ... 48
  How do I manage protected endpoints ... 49
  Design the trust model ... 51
  Memory-protection techniques ... 56
  Manage rule groups ... 58
    Create a rule group ... 59
    Import or export a rule group ... 60
    View assignments for a rule group ... 60
  Manage certificates ... 60
    Add a certificate ... 61
    Assign a certificate ... 62
    Search for a certificate ... 63
    View assignments for a certificate ... 63
  Manage installers ... 64
    Add an installer ... 64
    Assign an installer ... 65
    Search for an installer ... 65
    View assignments for an installer ... 66

7 Deploying Application Control in Observe mode ... 67
  What are observations ... 67
  How to deploy in Observe mode ... 68
  How do I review and manage observations ... 69
  Place the endpoints in Observe mode ... 73
  Manage enterprise-wide observations ... 75
    Configure predominant observations ... 75
    Process predominant observations ... 76
  Troubleshoot endpoint-specific observations ... 78
    Review observations ... 79
    Analyze suggestions ... 79
    Delete observations ... 82
  Manage exclusion rules ... 82
    Review exclusion rules ... 83
    Exclude observations manually ... 83
  Exit Observe mode ... 84

8 Monitoring your protection ... 87
  Enable Application Control ... 87
  Review predefined rules ... 89
  Review events ... 90
  How do I define rules ... 91
    Review suggestions ... 91
    Create a policy ... 92
    Exclude events ... 93
    Define bypass rules ... 93
  Allow ActiveX controls to run ... 94

9 Managing the inventory ... 95
  How is the inventory updated ... 95
  Fetch the inventory ... 96
  Interpret the inventory ... 97
  Review the inventory ... 98
  Manage the inventory ... 100
  Set the base image ... 101
  Compare the inventory ... 102
    Run the inventory comparison ... 102
    Review the comparison results ... 103

10 Managing approval requests ... 105
  Enable self approval on endpoints ... 105
  Configure the Self Approval feature ... 106
  Review approval requests ... 107
  Process approval requests ... 108
    Allow by checksum on all endpoints ... 109
    Allow by publisher on all endpoints ... 109
    Ban by checksum on all endpoints ... 109
    Define custom rules for specific endpoints ... 110
    Delete approval requests ... 111
  Review created rules ... 111

11 Using dashboards and queries ... 113
  Use dashboards ... 113
  View queries ... 113

12 Maintaining your systems ... 117
  Make emergency changes ... 117
    Place the endpoints in Update mode ... 118
    Place the endpoints in Enabled mode ... 119
  Change the CLI password ... 120
  Collect debug information ... 120
  Place the endpoints in Disabled mode ... 121
  Send GTI feedback ... 123
  Purge data ... 124
  Work with older Solidcore client versions ... 124
    Create the whitelist ... 125
    Run diagnostics ... 126

13 Fine-tuning your configuration ... 129
  Configure a syslog server ... 129
  Manage the Solidcore permission sets ... 130
  Customize end-user notifications ... 131

A FAQs ... 133

B Change Control and Application Control events ... 137

Index ... 143

Preface

This guide provides the information you need to configure, use, and maintain your McAfee product.

Before you can configure and use McAfee® Change Control or McAfee® Application Control, you must:

• Ensure that McAfee ePolicy Orchestrator 4.6 or 4.5 is installed and running. For more information on installing McAfee ePO 4.6 or 4.5, refer to the ePolicy Orchestrator 4.6 Installation Guide or ePolicy Orchestrator 4.5 Installation Guide, respectively.

• Ensure that Change Control or Application Control is installed and running. For more information on installation, refer to the McAfee Change Control and Application Control Installation Guide.

• Ensure valid licenses are added for using Change Control and Application Control. For more information on adding licenses, refer to the McAfee Change Control and Application Control Installation Guide.

Contents
  About this guide
  Find product documentation

About this guide
This information describes the guide's target audience, the typographical conventions and icons used in this guide, and how the guide is organized.

Audience
McAfee documentation is carefully researched and written for the target audience.

The information in this guide is intended primarily for:

• Administrators — People who implement and enforce the company's security program.

• Users — People who use the computer where the software is running and can access some or all of its features.

Conventions
This guide uses these typographical conventions and icons.

Book title, term, emphasis: Title of a book, chapter, or topic; a new term; emphasis.

Bold: Text that is strongly emphasized.

User input, code, message: Commands and other text that the user types; a code sample; a displayed message.

Interface text: Words from the product interface like options, menus, buttons, and dialog boxes.

Hypertext blue: A link to a topic or to an external website.

Note: Additional information, like an alternate method of accessing an option.

Tip: Suggestions and recommendations.

Important/Caution: Valuable advice to protect your computer system, software installation, network, business, or data.

Warning: Critical advice to prevent bodily harm when using a hardware product.

What's in this guide
This guide is organized to help you find the information you need.

This document is meant as a reference to use along with the Change Control, Application Control, and McAfee ePO interfaces. This document provides information on configuring and using the Change Control and Application Control products.

Each section below is listed with its description and whether it applies to Change Control and to Application Control (√ = applies, NA = not applicable).

Introduction: Provides an overview of the Change Control and Application Control products. (Change Control: √; Application Control: √)

Getting started with Change Control: Details the various Change Control‑related concepts, such as modes and rule groups, and describes how to enable the product. (Change Control: √; Application Control: NA)

Monitoring the file system and registry: Provides concepts and instructions to help you define rules to monitor files and registry entries for changes. (Change Control: √; Application Control: NA)

Protecting the file system and registry: Provides concepts and instructions to help you define rules to read‑protect and write‑protect files and registry entries. (Change Control: √; Application Control: NA)

Monitoring and reporting: Describes how to use events, dashboards, and queries to monitor the enterprise status when using the Change Control product. (Change Control: √; Application Control: NA)

Getting started with Application Control: Details the various Application Control‑related concepts, such as modes, trust model, rule groups, installers, and publishers. (Change Control: NA; Application Control: √)

Deploying Application Control in Observe mode: Provides detailed instructions to help you place Application Control in the Observe mode to perform a dry run for the product. (Change Control: NA; Application Control: √)

Monitoring your protection: Describes how to enable Application Control and details routine tasks to perform when the product is running in Enabled mode. (Change Control: NA; Application Control: √)

Managing the inventory: Provides instructions to help you fetch, review, and manage the software inventory for protected endpoints. (Change Control: NA; Application Control: √)

Managing approval requests: Provides instructions to help you review, process, and manage approval requests received from the endpoints in the enterprise. (Change Control: NA; Application Control: √)

Using dashboards and queries: Describes how to use dashboards and queries to monitor the enterprise status when using the Application Control product. (Change Control: NA; Application Control: √)

Maintaining your systems: Details various tasks to help you maintain the protected endpoints. (Change Control: √; Application Control: √)

Fine‑tuning your configuration: Describes advanced configuration tasks that help you fine‑tune your configuration. (Change Control: √; Application Control: √)

FAQs: Provides answers to frequently asked questions. (Change Control: √; Application Control: √)

Change Control and Application Control events: Provides a detailed list of all Change Control and Application Control events. (Change Control: √; Application Control: √)

Find product documentation
McAfee provides the information you need during each phase of product implementation, from installation to daily use and troubleshooting. After a product is released, information about the product is entered into the McAfee online KnowledgeBase.

Task
1 Go to the McAfee Technical Support ServicePortal at http://mysupport.mcafee.com.

2 Under Self Service, access the type of information you need:

To access user documentation:
  1 Click Product Documentation.
  2 Select a product, then select a version.
  3 Select a product document.

To access the KnowledgeBase:
  • Click Search the KnowledgeBase for answers to your product questions.
  • Click Browse the KnowledgeBase for articles listed by product and version.


1 Introduction

Get familiar with the Change Control and Application Control software and learn how they protect your environment.

Contents
  Change Control overview
  Application Control overview

Change Control overview
Change Control allows you to monitor and prevent changes to the file system, registry, and user accounts. You can view details of who made changes, which files were changed, what changes were made to the files, and when and how the changes were made. You can write‑protect critical files and registry keys from unauthorized tampering. You can read‑protect sensitive files. To ease maintenance, you can define trusted programs or users to allow updates to protected files and registry keys.

In effect, a change is permitted only if the change is applied in accordance with the update policies. Using Change Control, you can:

• Detect, track, and validate changes in real‑time

• Gain visibility into ad‑hoc changes

• Eliminate ad‑hoc changes using protection rules

• Enforce approved change policies and compliance

Real‑time monitoring

Change Control provides real‑time monitoring for file and registry changes. Real‑time monitoring eliminates the need to perform scan after scan on endpoints and identifies transient change violations, such as when a file is changed and restored to its earlier state. It captures every change, including the time of the change, who made the change, what program was used to make the change, and whether the change was made manually or by an authorized program. It maintains a comprehensive and up‑to‑date database (on McAfee ePO) that logs all attempts to modify files, registry keys, and local user accounts.

Customizable filters

You can use filters to ensure that only relevant changes make it to the database. You can define filters to match the file name, directory name, registry key, process name, file extension, and user name. Using the criteria, you can define two types of filters:

• Include filters to receive information on events matching the specified filtering criteria.

• Exclude filters to ignore information on events matching the specified filtering criteria.


Filtering events is needed to control the volume of change events. Typically, a number of changes are program‑generated and need not be reported to the system administrator. If programmatic and automatic change activity is high, a large number of change events can overwhelm the system. Using filters ensures that only relevant change events are recorded.
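The following is an added illustration of the include/exclude filter semantics described above, not code from McAfee or from this guide. It models the six criteria the guide names and runs them over a constructed batch of change events to show how program‑generated noise is kept out of the database; the wildcard syntax and the rule that an exclude match takes precedence over an include match are assumptions of this model.

```python
"""Illustrative model of Change Control include/exclude event filters.

Added example, not McAfee's code. Filters match on file name, directory
name, registry key, process name, file extension and user name; include
filters let matching events through, exclude filters drop matching events.
Assumptions of this model (not stated by the guide): criteria accept
shell-style wildcards, and an exclude match wins over an include match.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Dict, List

CRITERIA = ("file_name", "directory", "registry_key", "process", "extension", "user")


@dataclass(frozen=True)
class ChangeEvent:
    """One change event as the agent would report it (unused fields stay empty)."""
    file_name: str = ""
    directory: str = ""
    registry_key: str = ""
    process: str = ""
    extension: str = ""
    user: str = ""


@dataclass(frozen=True)
class Filter:
    kind: str                 # "include" or "exclude"
    criteria: Dict[str, str]  # criterion name -> wildcard pattern; all must match

    def __post_init__(self) -> None:
        if self.kind not in ("include", "exclude"):
            raise ValueError(f"unknown filter kind: {self.kind}")
        unknown = set(self.criteria) - set(CRITERIA)
        if unknown:
            raise ValueError(f"unknown filter criteria: {sorted(unknown)}")

    def matches(self, event: ChangeEvent) -> bool:
        # Case-insensitive wildcard match; every criterion in the filter must hold.
        return all(
            fnmatchcase(getattr(event, name).lower(), pattern.lower())
            for name, pattern in self.criteria.items()
        )


def is_recorded(event: ChangeEvent, filters: List[Filter]) -> bool:
    """Decide whether an event reaches the McAfee ePO database under these filters."""
    if any(f.kind == "exclude" and f.matches(event) for f in filters):
        return False  # assumption: an exclude match always wins
    includes = [f for f in filters if f.kind == "include"]
    if not includes:
        return True   # no include filters: everything not excluded is recorded
    return any(f.matches(event) for f in includes)


def apply_filters(events: List[ChangeEvent], filters: List[Filter]) -> List[ChangeEvent]:
    return [e for e in events if is_recorded(e, filters)]


# Constructed sample data: a noisy signature updater, a browser temp file,
# and two changes an administrator actually wants to see.
SAMPLE_EVENTS = [
    ChangeEvent("sig1.dat", r"C:\ProgramData\AV\Defs", process="avupdate.exe", extension="dat", user="SYSTEM"),
    ChangeEvent("sig2.dat", r"C:\ProgramData\AV\Defs", process="avupdate.exe", extension="dat", user="SYSTEM"),
    ChangeEvent("tmp123.tmp", r"C:\Users\jdoe\AppData\Local\Temp", process="chrome.exe", extension="tmp", user=r"CORP\jdoe"),
    ChangeEvent("hosts", r"C:\Windows\System32\drivers\etc", process="notepad.exe", user=r"CORP\admin"),
    ChangeEvent(registry_key=r"HKLM\SOFTWARE\Example\Run", process="regedit.exe", user=r"CORP\admin"),
]

SAMPLE_FILTERS = [
    Filter("exclude", {"process": "avupdate.exe", "extension": "dat"}),  # program-generated noise
    Filter("exclude", {"directory": r"*\Temp"}),                          # temp files are not audited
    Filter("include", {"directory": r"C:\Windows\*"}),                    # OS configuration
    Filter("include", {"registry_key": r"HKLM\SOFTWARE\*"}),              # machine-wide software keys
]

if __name__ == "__main__":
    kept = apply_filters(SAMPLE_EVENTS, SAMPLE_FILTERS)
    print(f"{len(SAMPLE_EVENTS)} events generated, {len(kept)} recorded")
    for e in kept:
        print(" ", e.user, e.process, e.file_name or e.registry_key)
```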

Read protection

Read‑protection rules prevent users from reading the content of specified files, directories, and volumes. If a directory or volume is read‑protected, all files in the directory or volume are read‑protected. Once defined, read‑protection rules are inherited by subdirectories. You cannot read‑protect registry keys.

By default, read protection is disabled.

Write protection

Use write‑protection rules to prevent users from creating new files (including directories and registry keys) and modifying existing files, directories, and registry keys. Write‑protecting a file or registry key renders it read‑only and protects it from unanticipated updates. The following actions are prevented for a write‑protected file or registry key:

• Delete

• Rename

• Create hard links

• Modify contents

• Append

• Truncate

• Change owner

• Create Alternate Data Stream (Microsoft Windows only)

Application Control overview
Today's IT departments face tremendous pressure to ensure that their endpoints comply with many different security policies, operating procedures, corporate IT standards, and regulations. Extending the viability of fixed function devices such as point‑of‑sale (POS) terminals, customer service terminals, and legacy Windows NT platforms has become critical.

Application Control uses dynamic whitelisting to ensure that only trusted applications run on devices, servers and desktops. This provides IT with the greatest degree of visibility and control over clients, and helps enforce software license compliance. Here are some product features.

• Protects your organization against malware attacks before they occur by proactively controlling the applications executing on your desktops, laptops, and servers.

• Locks down the protected endpoints against threats and unwanted changes, with no file system scanning or other periodic activity that could impact system performance.

• Augments traditional security solutions and enables IT to allow only approved system and application software to run. Blocks unauthorized or vulnerable applications that may compromise endpoints without imposing operational overhead. This ensures that end‑users cannot accidentally introduce software that poses a risk to the business.


• Uses dynamic whitelisting to ensure that only trusted applications run on devices, servers, and desktops. McAfee's dynamic whitelisting trust model eliminates the labor and cost associated with other whitelisting technologies, thereby reducing overhead and increasing continuity.

• Provides IT control over endpoints and helps enforce software license compliance. With Application Control, IT departments can eliminate unauthorized software on endpoints, while providing employees greater flexibility to use the resources they need to get their jobs done.

• Eliminates the need for IT administrators to manually maintain lists of approved applications. This enables IT departments to adopt a flexible approach where a repository of trusted applications can run on endpoints. This prevents execution of all unauthorized software, scripts, and dynamic link libraries (DLLs), and further defends against memory exploits.

• Works effectively when integrated with McAfee ePO and in standalone mode without network access. The product is designed to operate in a variety of network and firewall configurations.

• Runs transparently on endpoints. It can be set up quickly with very low initial and ongoing operational overhead and minimal impact on CPU cycles.


2 Getting started with Change Control

Before you begin using Change Control, get familiar with it and understand related concepts.

Contents
  Change Control modes
  Manage rule groups
  Enable Change Control

Change Control modes
At any time, Change Control can operate in one of these modes.

Enabled: Indicates that the software is in effect and changes are monitored and controlled on the endpoints as per the defined policies. When in Enabled mode, Change Control monitors and protects files and registry keys as defined by the configured policies. Enabled mode is the recommended mode of operation.

From the Enabled mode, you can switch to the Disabled or Update mode.

Update: Indicates that the software is in effect, allows ad‑hoc changes to the endpoints, and tracks the changes made to the endpoints. Use the Update mode to perform scheduled or emergency changes, such as software and patch installations.

In the Enabled mode, you cannot read the read‑protected files or modify any write‑protected files (as per the defined policies). However, in the Update mode, all read and write protection that is in effect is overridden. Use the Update mode to define a change window during which you can make changes to endpoints and authorize the changes made.

From the Update mode, you can switch to the Enabled or Disabled mode. We recommend that you switch to the Enabled mode as soon as the changes are complete.

Disabled: Indicates that the software is not in effect. Although the software is installed, the associated features are not active. When you place the endpoints in Disabled mode, the application restarts the endpoints.

From the Disabled mode, you can switch to the Enabled or Update mode.
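The following is an added illustration, not McAfee's code, of how the three modes above interact with the read‑ and write‑protection rules described in the Introduction: Enabled enforces, Update overrides protection and tracks the change, Disabled enforces nothing, read protection is inherited by subdirectories, and registry keys cannot be read‑protected. The path normalisation, the decision labels, and the sample rules are assumptions of this model; the guide's trusted‑program/user updater exception is not modelled.

```python
"""Illustrative model of Change Control modes versus protection rules.

Added example, not McAfee's code. Encodes what the guide states:
Enabled mode enforces rules; Update mode overrides all read and write
protection and tracks the change; Disabled mode enforces nothing. Read
protection covers files, directories and volumes and is inherited by
subdirectories; registry keys cannot be read-protected. Write protection
blocks delete, rename, hard-link creation, content modification, append,
truncate, owner change and ADS creation, and creation of new files or keys
under a protected location. Decision labels are an assumption of this model.
"""
from dataclasses import dataclass
from enum import Enum
from typing import List, Tuple


class Mode(Enum):
    ENABLED = "Enabled"
    UPDATE = "Update"
    DISABLED = "Disabled"


# Actions the guide lists as prevented on a write-protected file or key,
# plus "create" for new files/keys under a write-protected location.
WRITE_ACTIONS = frozenset({
    "create", "delete", "rename", "create_hard_link", "modify",
    "append", "truncate", "change_owner", "create_ads",
})
READ_ACTIONS = frozenset({"read"})


@dataclass(frozen=True)
class ProtectionRule:
    kind: str              # "read" or "write"
    target: str            # file, directory or volume path, or a registry key
    is_registry: bool = False

    def __post_init__(self) -> None:
        if self.kind not in ("read", "write"):
            raise ValueError(f"unknown rule kind: {self.kind}")
        if self.kind == "read" and self.is_registry:
            raise ValueError("registry keys cannot be read-protected")


def _normalize(path: str) -> str:
    # Assumption: Windows-style, case-insensitive paths and key names.
    return path.replace("/", "\\").rstrip("\\").lower()


def _covers(rule: ProtectionRule, resource: str) -> bool:
    """A rule covers its target and everything beneath it (inheritance)."""
    target, res = _normalize(rule.target), _normalize(resource)
    return res == target or res.startswith(target + "\\")


def _applies(rule: ProtectionRule, resource: str, action: str, is_registry: bool) -> bool:
    if rule.is_registry != is_registry or not _covers(rule, resource):
        return False
    return action in (READ_ACTIONS if rule.kind == "read" else WRITE_ACTIONS)


def evaluate(mode: Mode, rules: List[ProtectionRule], resource: str,
             action: str, is_registry: bool = False) -> Tuple[str, str]:
    """Return (decision, reason); decision is 'allowed', 'blocked' or 'allowed-tracked'."""
    if action not in READ_ACTIONS | WRITE_ACTIONS:
        raise ValueError(f"unknown action: {action}")
    if mode is Mode.DISABLED:
        return "allowed", "Disabled mode: the software is not in effect"
    hits = [r for r in rules if _applies(r, resource, action, is_registry)]
    if not hits:
        return "allowed", "no protection rule covers this resource and action"
    rule = hits[0]
    if mode is Mode.UPDATE:
        return "allowed-tracked", f"Update mode overrides {rule.kind} protection of {rule.target}; change is tracked"
    return "blocked", f"{rule.kind} protection of {rule.target} (Enabled mode)"


# Constructed sample rules: protect the hosts file directory, read-protect a
# finance share, and write-protect a machine-wide registry key.
SAMPLE_RULES = [
    ProtectionRule("write", r"C:\Windows\System32\drivers\etc"),
    ProtectionRule("read", r"D:\Finance"),
    ProtectionRule("write", r"HKLM\SOFTWARE\Example", is_registry=True),
]

if __name__ == "__main__":
    for mode in Mode:
        print(mode.value, evaluate(mode, SAMPLE_RULES, r"C:\Windows\System32\drivers\etc\hosts", "modify"))
```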

Manage rule groups
A rule group is a collection of rules. Although you can directly add rules to any McAfee ePO‑based policy, the rules defined within a policy are specific to that policy. In contrast, a rule group is an independent unit that collates a set of similar or related rules.

After you define a rule group, you can reuse the rules within the rule group by associating the rule group with different policies. Also, if you need to modify a rule, simply update the rule in the rule group and the change cascades across all associated policies automatically.


Change Control provides predefined rule groups to monitor commonly‑used applications. Although you cannot edit the predefined rule groups, you can use an existing rule group as a starting point to develop your rule groups. You can create a copy of an existing rule group and edit it to add more rules or create a new rule group. If needed, you can also import or export rule groups.

When do I use rule groups

If you need to define similar rules across policies, using rule groups can drastically reduce the effort required to define rules. If you have a large setup and are deploying the software across numerous endpoints, we recommend you use rule groups to minimize the deployment time and effort.

Consider an example. An organization runs Oracle on multiple servers. Each of these servers is used by the HR, Engineering, and Finance departments for different purposes. To reduce rule redundancy, we define these rule groups with Oracle‑specific rules.

• An Integrity Monitor rule group (named IM‑Oracle) containing rules to monitor and track configuration files and registry keys (to help audit critical changes to Oracle configuration)

• A Change Control rule group (named CC‑Oracle) containing rules to protect critical files for Oracle (to prevent unauthorized changes)

After the rule groups are defined, we can reuse these rule groups across policies for the HR, Engineering, and Finance departments. So, when defining policies for the HR Servers, add the IM‑Oracle rule group to a monitoring (Integrity Monitor) policy and the CC‑Oracle rule group to a protection (Change Control) policy along with rule groups for the other applications installed on the HR server. Similarly, add the IM‑Oracle and CC‑Oracle rule groups to the relevant policies for the Engg Servers and Fin Servers. After defining the policies, if you realize that the rule for a critical file was not created, directly update the rule group and all the policies will be updated automatically.

Tasks

• Create rule groups on page 16
Use this task to create a rule group.

• Import or export rule groups on page 17
If you need to replicate rule group configuration from one McAfee ePO server to another, export the rule group configuration from the (source) McAfee ePO server to an XML file and import the XML file to the (target) McAfee ePO server. You can also export rule groups into an XML file, edit the XML file to make the required changes to the rule groups, and import the file to the McAfee ePO server to use the changed rule groups.

• View assignments for a rule group on page 18
Instead of navigating through all the created policies, you can directly view all the policies in which a rule group is being used. This feature provides a convenient way to verify that each rule group is assigned to the relevant policies.

Create rule groups

Use this task to create a rule group.

Task

1 Select Menu | Configuration | Solidcore Rules.

2 Perform one of these steps from the Rule Groups tab.

• Select Integrity Monitor to view or define a rule group for monitoring changes performed on critical resources.

• Select Change Control to view or define a rule group for preventing unauthorized changes on critical resources.


You can use an existing rule group as a starting point or define a new rule group from scratch. To modify an existing rule group, complete steps 3, 5, 6, and 7. To define a new rule group, complete steps 4, 5, 6, and 7.

3 Create a rule group based on an existing rule group.

a Click Duplicate for an existing rule group.

The Duplicate Rule Group dialog box appears.

b Specify the rule group name.

c Click OK.

The rule group is created and listed on the Rule Groups page.

4 Define a new rule group.

a Click Add Rule Group.

The Add Rule Group dialog box appears.

b Specify the rule group name.

c Select the rule group type and platform.

d Click OK.

The rule group is created and listed on the Rule Groups page.

5 Click Edit for the rule group.

6 Specify the required rules.

For information on how to define rules, see the How do I define monitoring rules and How do I define protection rules sections.

7 Click Save Rule Group.

Import or export rule groups

If you need to replicate rule group configuration from one McAfee ePO server to another, export the rule group configuration from the (source) McAfee ePO server to an XML file and import the XML file to the (target) McAfee ePO server. You can also export rule groups into an XML file, edit the XML file to make the required changes to the rule groups, and import the file to the McAfee ePO server to use the changed rule groups. Because an import with the override option replaces an existing rule group of the same name, review a hand-edited XML file (for example, by comparing it with a fresh export) before importing it.

Use this task to import or export rule groups.

When importing or exporting rule groups containing Trusted Groups, ensure that the Active Directory server on the source McAfee ePO server and on the destination McAfee ePO server is configured using the same domain name or server name (or IP address).

Task

1 Select Menu | Configuration | Solidcore Rules.

2 Complete one of these tasks from the Rule Groups tab.

• To import rule groups, click Import, browse and select the rule groups file, and click OK. While importing, you can specify whether to override rule groups (if you are importing a rule group with the same name as an existing rule group).

• To export selected rule groups to an XML file, select the rule groups, click Export, and save the file.


View assignments for a rule group

Instead of navigating through all the created policies, you can directly view all the policies in which a rule group is being used. This feature provides a convenient way to verify that each rule group is assigned to the relevant policies.

Use this task to view the assignments for a rule group.

Task

1 Select Menu | Configuration | Solidcore Rules.

2 Click Assignments on the Rule Groups tab to view the policies to which the selected rule group is assigned.

Enable Change Control

Use this task to enable the Change Control software.

Task

1 Select Menu | Systems | System Tree.

2 Complete these steps from the McAfee ePO 4.6 console.

a Perform one of these actions.

• To apply the client task to a group, select a group in the System Tree and switch to the Assigned Client Tasks tab.

• To apply the client task to an endpoint, select the endpoint on the Systems page and click Actions | Agent | Modify Tasks on a Single System.

b Click Actions | New Client Task Assignment.

The Client Task Assignment Builder page appears.

c Select the Solidcore 6.1.0 | SC: Enable and click Create New Task.

The Client Task Catalog page appears.

d Specify the task name and add any descriptive information.

3 Complete these steps from the McAfee ePO 4.5 console.

a Perform one of these actions.

• To apply the client task to a group, select a group in the System Tree and switch to the Client Tasks tab.

• To apply the client task to an endpoint, select the endpoint on the Systems page and click Actions | Agent | Modify Tasks on a Single System.

b Click Actions | New Task.

The Client Task Builder page appears.

c Specify the task name and add any descriptive information.

d Select SC: Enable (Solidcore 6.1.0) and click Next.

The Configuration page appears.

4 Select the platform.

5 Select the subplatform (only for the Windows and Unix platforms).


6 Select the version (only for the All except NT/2000 subplatform).

7 Ensure that the Change Control option is selected.

8 Complete the following steps to enable Change Control, depending on the Solidcore client version installed on the endpoint.

Solidcore client version 5.1.5 or earlier (Windows), or 6.0.1 or earlier (UNIX)
Select the Force Reboot with the task option to restart the endpoint. Restarting the system is necessary to enable the software.
On the Windows platforms, a pop-up message is displayed at the endpoint 5 minutes before the endpoint is restarted. This allows the user to save work and data on the endpoint.
On UNIX platforms, the endpoint is restarted as soon as the task is applied.

Solidcore client version 6.0.0 or later (Windows)
No configuration is needed.

Solidcore client version 6.1.0 or later (UNIX)
Deselect the Force Reboot with the task option. When using Solidcore client version 6.1.0 or later, restarting the system is not necessary to enable the software.

9 Click Save (McAfee ePO 4.6 only).

10 Click Next.

The Schedule page appears.

11 Specify scheduling details and click Next.

12 Review and verify the task details and click Save.

13 Optionally, wake up the agent to send your client task to the endpoint immediately.


3 Monitoring the file system and registry

Change Control allows you to designate a set of files and registry entries to monitor for changes.

You can also choose to track attribute and content changes for monitored files. You need to define rules to specify the files and registry keys to monitor, and specifically enable the user account tracking feature (which is disabled by default) to track user activity on the relevant endpoints.

Contents

How monitoring rules work
How do I define monitoring rules
Review predefined monitoring rules
Create monitoring policies
Manage content changes

How monitoring rules work

Using rules, you can monitor files, directories, registry keys, file types (based on file extension), programs, and users.

What can I monitor

The following operations are tracked for a monitored file, registry key, and user account.


File
• File creation
• File modification (file contents and attributes, such as permissions or owner)
• File deletion
• File rename
• Alternate Data Stream creation
• Alternate Data Stream modification (contents and attributes, such as permissions or owner)
• Alternate Data Stream deletion
• Alternate Data Stream rename

Registry key
• Registry key creation
• Registry key modification
• Registry key deletion

User account
• User account creation
• User account modification
• User account deletion
• User log on (success and failure)
• User log off

User account tracking is disabled by default. You must enable this feature to track operations for user accounts. To enable this feature, execute the SC: Run Commands client task to run the sadmin features enable mon-uat command on the endpoint.

Are any predefined rules available

Yes, Change Control includes predefined monitoring rules. For detailed information, see the Review predefined monitoring rules section.

Does an order of precedence exist for monitoring rules

Use the table to understand the order of precedence applied (highest to lowest) when processingmonitoring rules.

Table 3-1 Order of precedence for monitoring rules (highest to lowest)

1. Advanced exclusion filter (AEF) rules have the highest precedence. For more information on AEF rules, see the What are advanced exclusion filters or rules (AEFs) section.

2. Exclude rules are given precedence over include rules. For example, if you erroneously define an include and an exclude rule for the same file, the exclude rule applies.

3. Rules based on user name have precedence over all other rule types except AEF rules. The user name specified in the rule is compared with the user name referenced in the event.

4. Rules based on program name have precedence over rules based on file extension, file name, directory name, or registry key. The program name specified in the rule is compared with the program name referenced in the event.

5. Rules based on file extension have precedence over rules based on file or directory name (or path). The file extension specified in the rule is compared with the file extension referenced in the event. For example, if C:\Program Files\Oracle is excluded from monitoring (by a file-based rule) and the .ora extension is included for monitoring, events are generated for files with the .ora extension, such as listener.ora and tnsnames.ora.

6. Rules based on file names or paths have precedence over rules based on directory name. In effect, longer paths take precedence for name-based rules. The specified path is compared with the path referenced in the event. Paths (for files or directories) are compared from the beginning. Consider these examples.

Windows platform: If the C:\temp directory is excluded and the C:\temp\foo.cfg file is included, changes to the foo.cfg file are tracked. Similarly, if you exclude the HKEY_LOCAL_MACHINE key and include the HKEY_LOCAL_MACHINE\System key, changes to the HKEY_LOCAL_MACHINE\System key are tracked.

UNIX platform: If the /usr/dir1/dir2 directory is included and the /usr/dir1 directory is excluded, all operations for files in the /usr/dir1/dir2 directory are monitored because the /usr/dir1/dir2 path is longer and hence takes precedence.

In the order of precedence above, all rule types except #5 (extension-based rules, which do not apply to registry keys) also apply to registry key rules.

What are advanced exclusion filters or rules (AEFs)

You can define advanced filters to exclude changes by using a combination of conditions. For example, you might want to monitor changes made to the tomcat.log file by all programs except the tomcat.exe program. To achieve this, define an advanced filter to exclude all changes made to the log file by its owner program. This ensures you only receive events when the log file is changed by other (non-owner) programs. In this case, the defined filter will be similar to Exclude all events where filename is <log-file> and program name is <owner-program>.

Use AEFs to prune routine system-generated change events that are not relevant for your monitoring or auditing needs. Several applications, particularly web browsers, maintain application state in registry keys and routinely update several registry keys. For example, the ESENT setting is routinely modified by the Windows Explorer application and generates the Registry Key Modified event. These state changes are routine and need not be monitored or reported. Defining AEFs allows you to eliminate any events that are not required for fulfilling compliance requirements and ensures the event list includes only meaningful notifications. Because AEFs take precedence over every other rule, keep each filter as specific as its combination of conditions allows: a filter keyed on a partial program name matches every program with that name, wherever it runs from, and silently discards those events.
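As an added illustration of the precedence order in Table 3-1 and of the AEF semantics described above (example code written for this page, not part of the product or of this guide), the following Python evaluator applies the rows in order to constructed change events. The Rule and Event shapes, the Tomcat log path C:\tomcat\logs\tomcat.log, the user MY-DOMAIN\svc_backup and the program paths are assumptions; the Oracle, C:\temp, HKEY_LOCAL_MACHINE and /usr/dir1 rules are the ones the table itself uses.

```python
"""Added example (not product code): a toy evaluator that applies the Table 3-1
precedence order and the AEF semantics to constructed change events. The Rule and
Event shapes, the Tomcat paths and the user names are assumptions for illustration."""
from dataclasses import dataclass

@dataclass
class Rule:
    kind: str             # 'user' (exclude only) | 'program' | 'extension' | 'path'
    value: str
    include: bool = True  # False makes it an exclude rule

@dataclass
class Event:
    kind: str     # 'file' | 'registry'
    path: str
    program: str  # full path of the program that made the change
    user: str     # 'DOMAIN\\name' on Windows, 'name' on UNIX

def _split(p):
    return [c for c in p.replace("\\", "/").split("/") if c]

def path_matches(rule_path, event_path):
    """Compare from the beginning, one component at a time; '*' stands for exactly one
    complete component. UNIX paths are case-sensitive; Windows paths and registry keys are not."""
    fold = not rule_path.startswith("/")
    r, e = _split(rule_path), _split(event_path)
    return len(r) <= len(e) and all(
        rc == "*" or (rc.lower() == ec.lower() if fold else rc == ec) for rc, ec in zip(r, e))

def program_matches(rule_prog, event_prog):
    """A fully qualified rule must match exactly; a partial path such as 'AcroRd32.exe'
    or 'Reader\\AcroRd32.exe' matches the tail of the program's path."""
    r = [c.lower() for c in _split(rule_prog)]
    e = [c.lower() for c in _split(event_prog)]
    fully_qualified = rule_prog.startswith("/") or rule_prog[1:2] == ":"
    return r == e if fully_qualified else r == e[-len(r):]

def user_matches(rule_user, event_user):
    """Accepts 'name', 'DOMAIN\\name', 'DOMAIN\\*' and '*@DOMAIN' (surrounding quotes are stripped)."""
    dom, _, name = (part.lower() for part in event_user.rpartition("\\"))
    rule = rule_user.strip('"').lower()
    if rule.startswith("*@"):
        return rule[2:] == dom
    if rule.endswith("\\*"):
        return rule[:-2] == dom
    return rule == f"{dom}\\{name}" if "\\" in rule else rule == name  # no domain: any domain

def _resolve(hits, tier):
    # An include and an exclude rule for the same target: the exclude applies (row 2).
    excluded = any(not r.include for r in hits)
    return (not excluded), f"{tier} {'exclude' if excluded else 'include'}"

def decide(event, rules, aefs):
    """Return (monitored, reason), walking Table 3-1 from highest to lowest precedence."""
    # 1. AEFs: every condition set on the filter must hold (conditions are ANDed).
    for f in aefs:
        checks = [(f.get("path"), lambda v: path_matches(v, event.path)),
                  (f.get("program"), lambda v: program_matches(v, event.program)),
                  (f.get("user"), lambda v: user_matches(v, event.user))]
        checks = [(v, fn) for v, fn in checks if v is not None]
        if checks and all(fn(v) for v, fn in checks):
            return False, "AEF"
    # 2. User rules (exclude only) beat every other rule type except AEFs.
    if any(r.kind == "user" and user_matches(r.value, event.user) for r in rules):
        return False, "user exclude"
    # 3. Program rules beat extension, file, directory and registry rules.
    hits = [r for r in rules if r.kind == "program" and program_matches(r.value, event.program)]
    if hits:
        return _resolve(hits, "program")
    # 4. Extension rules beat path rules (file events only; registry keys have no extension).
    if event.kind == "file":
        last = _split(event.path)[-1]
        ext = last.rsplit(".", 1)[1].lower() if "." in last else ""
        hits = [r for r in rules if r.kind == "extension" and r.value.lstrip(".").lower() == ext]
        if hits:
            return _resolve(hits, "extension")
    # 5. Path rules: the longest matching path wins; an exclude wins a tie.
    hits = [r for r in rules if r.kind == "path" and path_matches(r.value, event.path)]
    if hits:
        longest = max(len(_split(r.value)) for r in hits)
        return _resolve([r for r in hits if len(_split(r.value)) == longest], "path")
    return False, "no matching rule"

# Constructed rule set: the examples from the text plus an assumed Tomcat log file.
RULES = [
    Rule("path", r"C:\Program Files\Oracle", include=False),
    Rule("extension", "ora"),
    Rule("path", r"C:\temp", include=False),
    Rule("path", r"C:\temp\foo.cfg"),
    Rule("path", "HKEY_LOCAL_MACHINE", include=False),
    Rule("path", r"HKEY_LOCAL_MACHINE\System"),
    Rule("path", "/usr/dir1", include=False),
    Rule("path", "/usr/dir1/dir2"),
    Rule("path", r"C:\tomcat\logs\tomcat.log"),
    Rule("program", "lsass.exe", include=False),
    Rule("user", r"MY-DOMAIN\svc_backup", include=False),
]
# "Exclude all events where filename is <log-file> and program name is <owner-program>".
AEFS = [{"path": r"C:\tomcat\logs\tomcat.log", "program": "tomcat.exe"}]
```

With these rules, decide(Event("file", r"C:\Program Files\Oracle\network\admin\tnsnames.ora", r"C:\oracle\bin\oracle.exe", r"MY-DOMAIN\dba1"), RULES, AEFS) returns (True, "extension include") even though the Oracle directory is excluded, the same C:\temp\foo.cfg write made by lsass.exe returns (False, "program exclude"), and a write to tomcat.log by tomcat.exe returns (False, "AEF") while the same write by notepad.exe is tracked. The evaluator encodes the reading of row 2 that the table's own examples require: an exclude beats an include only at the same tier and the same path length, otherwise the C:\temp\foo.cfg and .ora examples could never be tracked.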

How do I define monitoring rules

Regardless of whether you create a new monitoring policy or define a monitoring rule group, the framework available to define monitoring rules is the same.

Using variables in rules

The path specified in a monitoring rule can include system environment variables (only on the Windows platform). The following table lists the supported system variables.


Variable: Example value (true for most Windows platforms)

%ALLUSERSPROFILE%: C:\Documents and Settings\All Users
%APPDATA%: C:\Documents and Settings\{username}\Application
%COMMONPROGRAMFILES%: C:\Program Files\Common Files
%COMMONPROGRAMFILES (x86)%: C:\Program Files (x86)\Common Files
%HOMEDRIVE%: C:
%HOMEPATH%: C:\Documents and Settings\{username} (\ on earlier Windows versions)
%PROGRAMFILES%: C:\Program Files
%PROGRAMFILES (x86)%: C:\Program Files (x86) (only for 64-bit versions)
%SYSTEMDRIVE%: C:
%SYSTEMROOT%: C:\windows (C:\WINNT on earlier Windows versions)
%TEMP% (system), %TMP% (user): C:\Documents and Settings\{username}\Local Settings\Temp, or C:\Temp
%USERPROFILE%: C:\Documents and Settings\{username} (C:\WINNT\profiles\{username} on earlier versions)
%WINDIR%: C:\Windows

Understanding path considerations

These considerations apply to path‑based rules.

• Path should be absolute when specifying rules to monitor files and directories.

• Path need not be absolute when specifying rules to monitor program activity. For example, you can specify a partial path, such as AcroRd32.exe or Reader\AcroRd32.exe, or a fully qualified path, such as C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32.exe. If you specify a partial path, all programs with names that match the specified string are monitored. If you specify the fully qualified path, activity is monitored for only the specified program.

• Paths can contain white spaces.

• Paths can include the wildcard character (*). However, it can only represent one complete path component. Here are a few examples.

Windows platform: Using \abc\*\def is allowed, while \abc\*.doc, \abc\*.*, or \abc\doc.* is not supported.

UNIX platform: Using /abc/*/def is allowed, while /abc/*.sh, /abc/*.*, or /abc/doc.* is not supported.

• Paths used in registry key-based rules can include the wildcard character (*). However, the wildcard character can only represent one path component in the registry path. Ensure that you do not use the character for the component at the end of the complete registry path (if used at the end, the rule will not be effective).

Also, at any time, CurrentControlSet in the Windows Registry is linked to the relevant HKEY_LOCAL_MACHINE\SYSTEM\ControlSetXXX key. For example, HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet can be linked to the HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001 key. When a change is made through either link, it is reflected in both. For a monitored key, events are always reported with the CurrentControlSet path and not the ControlSetXXX path.
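The path considerations above are easy to violate in a rule group that is edited by hand before import, and a rule that breaks them fails silently rather than loudly. The following Python script, an added example written for this page rather than a product tool, lints rule paths against them: it expands the supported %VARIABLES% (using the example values from the table above), requires absolute paths for file and directory rules, allows * only as a whole component, and flags a trailing * in a registry path. The (kind, path) rule tuples and the message texts are assumptions; the ControlSetXXX warning is an inference from the CurrentControlSet note, not a rule the guide states.

```python
"""Added example (not product code): a pre-import check for rule paths against the
path considerations above. The rule kinds and the messages are assumptions; the
variable values are the example values from the table."""
import re

# Example values from the variable table above (true for most Windows platforms).
WINDOWS_VARIABLES = {
    "ALLUSERSPROFILE": r"C:\Documents and Settings\All Users",
    "COMMONPROGRAMFILES": r"C:\Program Files\Common Files",
    "PROGRAMFILES": r"C:\Program Files",
    "SYSTEMDRIVE": "C:",
    "SYSTEMROOT": r"C:\windows",
    "USERPROFILE": r"C:\Documents and Settings\{username}",
    "WINDIR": r"C:\Windows",
}
_VAR = re.compile(r"%([^%]+)%")

def expand(path):
    """Expand %VAR% case-insensitively; unknown variables stay in place so they can be flagged."""
    return _VAR.sub(lambda m: WINDOWS_VARIABLES.get(m.group(1).upper(), m.group(0)), path)

def _components(path):
    return [c for c in re.split(r"[\\/]", path) if c]

def _is_absolute(path):
    return path.startswith("/") or re.match(r"[A-Za-z]:(\\|$)", path) is not None

def lint_rule(kind, path):
    """Return the problems found in one rule path (an empty list means acceptable).
    kind is 'file' (file or directory rule), 'registry' or 'program'."""
    problems = []
    expanded = path if kind == "registry" else expand(path)
    unknown = _VAR.search(expanded)
    if unknown:
        problems.append(f"unsupported variable {unknown.group(0)}")
    if kind == "file" and not _is_absolute(expanded):
        problems.append("file and directory rules need an absolute path")
    comps = _components(expanded)
    for c in comps:
        if "*" in c and c != "*":
            problems.append(f"'*' must stand for one complete component, not '{c}'")
    if kind == "registry" and comps and comps[-1] == "*":
        problems.append("a trailing '*' makes a registry rule ineffective")
    # Inference from the CurrentControlSet note above: events are reported under
    # CurrentControlSet, so a rule written against ControlSet001 would not match them.
    if kind == "registry" and any(re.fullmatch(r"ControlSet\d+", c, re.I) for c in comps):
        problems.append("write the rule against CurrentControlSet, not ControlSetXXX")
    return problems

def lint_rules(rules):
    """Lint (kind, path) pairs and return {path: problems} for the rules that have any."""
    return {p: lint_rule(k, p) for k, p in rules if lint_rule(k, p)}

if __name__ == "__main__":
    # Constructed rule set mixing valid rules with each mistake the text warns about.
    for path, problems in lint_rules([
        ("file", r"%SYSTEMROOT%\System32\drivers\etc\hosts"),
        ("file", r"C:\abc\*\def"),
        ("file", r"C:\abc\*.doc"),
        ("file", r"drivers\etc\hosts"),
        ("program", r"Reader\AcroRd32.exe"),
        ("registry", r"HKEY_LOCAL_MACHINE\SOFTWARE\*\Run"),
        ("registry", r"HKEY_LOCAL_MACHINE\SOFTWARE\*"),
        ("file", r"%FOO%\bar"),
    ]).items():
        print(path, "->", problems)
```

Running the script prints only the three offending rules (C:\abc\*.doc, drivers\etc\hosts, the trailing-wildcard registry key and %FOO%\bar); the expanded %SYSTEMROOT% rule, the whole-component wildcards and the partial program path pass. Run such a check over an exported XML file's paths before importing it with the override option.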


Defining monitoring rules

Use this table to define monitoring rules. You can perform these actions when creating or modifying a monitoring (Integrity Monitor) policy or rule group.

Table 3-2 Defining monitoring rules

Monitor files and directories
1 Click Add on the File tab. The Add File dialog box appears.
2 Specify the file or directory name.
3 Indicate whether to include for or exclude from monitoring.
4 Optionally, to track content and attribute changes for a file, select Enable content change tracking and specify the file encoding.
5 Click OK.

Monitor registry keys (Windows platform only)
1 Click Add on the Registry tab. The Add Registry dialog box appears.
2 Specify the registry key.
3 Indicate whether to include for or exclude from monitoring and click OK.

Monitor specific file types
1 Click Add on the Extension tab. The Add Extension dialog box appears.
2 Type the file extension. Do not include the period (dot) in the extension. For example, log.
3 Indicate whether to include for or exclude from monitoring and click OK.

Monitor program activity (in effect, choose to track or not track all file or registry changes made by a program)
1 Click Add on the Program tab. The Add Program dialog box appears.
2 Enter the name or full path of the program.
3 Indicate whether to include for or exclude from monitoring and click OK. We recommend that you exclude background processes, such as the lsass.exe process. Because a partial program name matches every program with that name, wherever it runs from (see Understanding path considerations), specify the fully qualified path when excluding a background process.

Specify the users to exclude from monitoring (in effect, all changes made by the specified user are not tracked)
1 Click Add on the User tab. The Add User dialog box appears.
2 Specify the user name. Consider the following:
• Spaces in user names should be specified within quotes.
• The domain name can be a part of the user name on the Windows platform. If the domain name is not specified, the user name is excluded from monitoring for all domains.
• Exclude all users in a particular domain (on the Windows platform) by using MY-DOMAIN\* or *@MY-DOMAIN.
3 Click OK.

Specify advanced exclusion filters for events
1 Click Add Rule on the Filters tab. A new filter row appears. You can create filters based on files, events, programs, registry keys, and users.
2 Edit the settings to specify the filter.
3 Click + or Add Rule to specify additional AND or OR conditions, respectively.
You can also define AEFs from the Events page. For more information, see the Exclude events section.


Review predefined monitoring rules

Change Control provides multiple predefined filters suitable for monitoring relevant files on various operating systems. By default, these filters are applied to the global root in the System Tree and hence are inherited by all McAfee ePO-managed endpoints on which Change Control is installed. As soon as an endpoint connects to the McAfee ePO server, the Minimal System Monitoring policy applicable to the endpoint's operating system comes into play.

Use this task to review the predefined filters included in the Minimal System Monitoring policy (applicable to your operating system).

Task

1 Select Menu | Policy | Policy Catalog.

2 Select the Solidcore 6.1.0: Integrity Monitor product.

All policies for all categories are listed. Note that a Minimal System Monitoring policy exists for each supported operating system.

3 Open the relevant Minimal System Monitoring policy.

By default, the My Rules rule group is open (which is blank).

4 Select a rule group in the Rule Groups pane to review the filters included in the rule group.

To override any rules included in the Minimal System Monitoring policy, you can duplicate the relevant rule group (in which the required rules are present), edit the rule group to add the new rules, and add the rule group to a policy. For most other purposes, ensure that the Minimal System Monitoring policy is applied on the endpoints and additional rules are applied by using a separate policy.

5 Click Cancel.

Create monitoring policies

Using a monitoring policy, you can choose to monitor changes to, or exclude from monitoring, various units of a file system and registry. You can control monitoring of files, directories, registry keys, file types (based on file extension), programs, and users. These are multi-slot policies; a user can assign multiple policies to a single node in the System Tree.

To create a monitoring policy, you can either define rules in a rule group (to allow reuse of rules) and add the rule group to a policy, or define the rules directly in a policy. Use this task to create a new monitoring policy.

Task

1 Select Menu | Policy | Policy Catalog.

2 Select the Solidcore 6.1.0: Integrity Monitor product.

3 Click Actions | New Policy.

The New Policy dialog box appears.

4 Select the category.

5 Select the policy you want to duplicate from Create a policy based on this existing policy list.

6 Specify the policy name and click OK.


The Policy Settings page opens. You can now define the rules to include in the policy. You can either add existing rule groups to the policy or directly add the new rules to the policy.

• To use a rule group, complete steps 7 and 9. For more information on how to create a rule group, see the Create rule groups section.

• To directly add the rules to the policy, complete steps 8 and 9.

7 Add a rule group to the policy.

a Select the rule group in the Rule Groups pane.

The rules included in the rule group are displayed in the various tabs.

b Review the rules.

c Click Add in the Rule Groups pane.

The Select Rule Groups dialog box appears.

d Select the rule group to add.

e Click OK.

8 Add the monitoring rules to the policy.

For information on how to define rules, see the How do I define monitoring rules section.

9 Save the policy.

Manage content changes

Using Change Control, you can track content and attribute changes for a monitored file. If you enable content change tracking for a file, any attribute or content change to the file creates a new file version at McAfee ePO.

You can view and compare the different versions that are created for a file. You can also compare any two files or file versions that exist on the same or different endpoints. You can also configure an Automatic Response to send an email whenever a critical file is modified (the email highlights the exact changes made to the file).

Tasks

• Track content changes on page 28
Use this task to track content changes for files. You can perform these actions when creating or modifying a monitoring (Integrity Monitor) policy or rule group.

• Manage file versions on page 28
Use this task to review all versions available for a file, compare file versions, reset the base version, and delete versions.

• Compare files on page 30
Use this task to compare any two files (or file versions) on an endpoint or on two different endpoints.

• Receive change details by email on page 31
To closely observe changes to a critical file, you can choose to receive an email (with change details) each time the file is changed.

• Specify the maximum file size on page 31
By default, you can track changes for any file with a size of 1000 KB or lower. If needed, you can configure the maximum file size for tracking content changes.


Track content changes

Use this task to track content changes for files. You can perform these actions when creating or modifying a monitoring (Integrity Monitor) policy or rule group.

Task

1 Navigate to the File tab.

2 Perform one of these steps.

• Click Add to monitor and track changes for a new file.

• Select an existing rule and click Edit.

The Add File dialog box appears.

3 Review or add the file information.

4 Select the Enable Content Change Tracking option.

5 Select the file encoding.

You can choose between Auto Detect, ASCII, UTF-8, and UTF-16. Auto Detect works for most files. If you know the file encoding, select ASCII, UTF-8, or UTF-16 (as appropriate). If needed, you can add new file encoding values. Contact McAfee Support for assistance in adding a file encoding value.

6 Click OK.

You cannot track changes for directories or network files.

Manage file versions

Use this task to review all versions available for a file, compare file versions, reset the base version, and delete versions.

The base version identifies the starting point or initial document to use for comparison or control. Typically, the oldest version of a file is set as the base version. In effect, when you start tracking changes for a file, the initial file content and attributes are stored in the McAfee ePO database and set as the base version.

Task

1 Select Menu | Reporting | Content Change Tracking.

All files for which content change tracking is enabled are listed.

2 Identify the file for which to review versions.

• Specify the endpoint or file name in the Quick find text box and click Apply. The list is updated based on the specified search string.

• Sort the list based on the system name, file path, or status.


3 Review the file status.

The File Status column denotes the current status of content change tracking. Possible status values include:

Success: Content changes for the file are being tracked successfully.

File not found: The file was not found at the specified path. Verify that the file exists and check the specified path.

Content change tracking is not supported for a directory: The path specified for content tracking is a directory. Note that you cannot track changes for directories.

Content change tracking is not supported for filename with wildcard: The specified file path includes wildcard characters. Note that you cannot use wildcard characters when specifying the file path for content change tracking.

File size exceeds maximum size limit: The file size has exceeded the specified size limit for content change tracking. If needed, you can change the size limit for content change tracking for the endpoints. For more information, see the Specify the maximum file size section.

File removed from content change tracking: The file has been removed from content change tracking and further changes to the file will not generate a new version.

Content change tracking is not supported for files on a network volume: The file specified for content tracking is stored on a network volume. Note that you cannot track changes for files on network volumes.

Content change tracking is not supported for encrypted file: The file specified for content tracking has been encrypted on the endpoint.

File Deleted: The file specified for content tracking has been deleted from the endpoint.

File Renamed: The file specified for content tracking has been renamed on the endpoint.

Multiple file encodings defined: Multiple and conflicting file encoding values are specified for the file. This can occur if two monitoring rules, each with a different file encoding value, are applied to track content changes for the file.

4 Click View versions.

The File revisions page displays all versions for the file. From this page you can compare file versions, specify the base version, and delete file versions from the McAfee ePO database.

5 Compare the file versions.

a Specify what to compare.

• Click Compare with previous for a version to compare that version with the previous version of the file available at the McAfee ePO console.

• Click Compare with base for a version to compare that version with the base version.

• Select any two versions (by clicking the associated check boxes) and select Actions | Compare Files to compare the selected versions.

The versions are compared and differences between the file content and file attributes are displayed.

b Click Close.


6 Reset the base version.

a Select a file version to set as the base version (by clicking the associated check box).

b Select Actions | Set as base version.

The Set as base version dialog box displays.

c Click OK.

This resets the base version and deletes all previous versions (older than the new base version) of the file.

At a time, the software can track up to 200 versions for a file. If the number of versions exceeds 200, the application deletes the oldest versions to bring the version count down to 200, and then automatically sets the oldest remaining version as the base version. If needed, you can configure the number of versions to maintain for a file. Contact McAfee Support for assistance in configuring the number of versions to maintain for a file.

7 Delete file versions.

Deleting file versions removes the selected file versions from the McAfee ePO database. It does not alter or remove the actual file present on the endpoint.

a Select one or more file versions by clicking the associated check boxes.

b Select Actions | Delete.

The Delete dialog box displays.

c Click OK.

8 Click Close.
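The retention rules in steps 6 and 7 (a base version, a cap of 200 stored versions, and "Set as base version" discarding everything older than the new base) are easy to misread, so here is an added model of them. This is example code written for this page, not McAfee code, and the class and field names, the sample file path and its contents are assumptions; the diff is a plain unified diff of content only, so file attributes are not modelled.

```python
import difflib
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

MAX_VERSIONS = 200  # per-file cap stated in the guide (changeable via McAfee Support)


@dataclass
class FileHistory:
    """Version history of one tracked file as held in the ePO database (assumed model)."""
    path: str
    max_versions: int = MAX_VERSIONS
    versions: List[Tuple[int, str]] = field(default_factory=list)  # (id, content), oldest first
    base: Optional[int] = None  # version id used by 'Compare with base'

    def _ids(self) -> List[int]:
        return [vid for vid, _ in self.versions]

    def add_version(self, content: str) -> int:
        """Record a new content version (what a change to the tracked file produces)."""
        vid = self.versions[-1][0] + 1 if self.versions else 1
        self.versions.append((vid, content))
        if self.base is None:
            self.base = vid  # the first version seen is the initial base
        if len(self.versions) > self.max_versions:
            # Cap exceeded: drop the oldest versions down to the cap, then the
            # oldest survivor automatically becomes the base.
            del self.versions[: len(self.versions) - self.max_versions]
            self.base = self.versions[0][0]
        return vid

    def set_base(self, vid: int) -> int:
        """'Set as base version': delete every version older than vid.
        Returns the number of versions deleted."""
        ids = self._ids()
        if vid not in ids:
            raise KeyError(f"no version {vid} for {self.path}")
        idx = ids.index(vid)
        del self.versions[:idx]
        self.base = vid
        return idx

    def _content(self, vid: int) -> str:
        return dict(self.versions)[vid]

    def compare(self, old: int, new: int) -> List[str]:
        """Unified diff between two stored versions (content only)."""
        return list(difflib.unified_diff(
            self._content(old).splitlines(), self._content(new).splitlines(),
            fromfile=f"{self.path}@v{old}", tofile=f"{self.path}@v{new}", lineterm=""))

    def compare_with_previous(self, vid: int) -> List[str]:
        ids = self._ids()
        i = ids.index(vid)
        if i == 0:
            raise ValueError("no previous version stored")
        return self.compare(ids[i - 1], vid)

    def compare_with_base(self, vid: int) -> List[str]:
        return self.compare(self.base, vid)


if __name__ == "__main__":
    # Constructed sample: three revisions of a configuration file.
    h = FileHistory(r"C:\app\app.conf")
    h.add_version("port=8080\ndebug=false\n")
    h.add_version("port=8080\ndebug=true\n")
    h.add_version("port=9090\ndebug=true\n")
    print("\n".join(h.compare_with_base(3)))
```

The practical consequence the model makes visible: once a file has churned past the cap, or once an operator resets the base, the original baseline is gone from the database, so export or archive the base version before it ages out if you need it as evidence.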

Compare files

Use this task to compare any two files (or file versions) on an endpoint or on two different endpoints.

Task

1 Select Menu | Reporting | Content Change Tracking.

2 Click Advanced File Comparison.

3 Specify information for file 1.

a Select the group from the list.

b Enter the host name.

c Enter the name and path of the file.

d Select the version to compare.

4 Specify information for file 2.

5 Click Show Comparison.

The files (attributes and content) are compared and differences are displayed.

6 Review the results.

7 Click Close.


Receive change details by email

To closely observe changes to a critical file, you can choose to receive an email (with change details) each time the file is changed.

Use this task to receive an email each time a change is made to a file for which you are tracking content changes.

Task

1 Select Menu | Automation | Automatic Responses.

2 Click Actions | New Response.

The Response Builder page opens to the Description page.

3 Enter the response name.

4 Select the Solidcore Events group and File Content Change Event type.

5 Select Enabled.

6 Click Next.

The Filter page appears.

7 Specify the file name, system name, or both.

• To receive an email each time a specific tracked file changes (across all managed endpoints), specify only the file name.

• To receive an email each time any tracked file changes on an endpoint, specify only the system name.

• To receive an email each time a specific file on an endpoint is changed, specify both file and system name.

8 Click Next.

The Aggregation page appears.

9 Specify aggregation details and click Next.

The Actions page appears.

10 Select Send File Content Change Email, specify the email details, and click Next.

The Summary page appears.

11 Review the details and click Save.

Specify the maximum file size

By default, you can track changes for any file with a size of 1000 KB or lower. If needed, you can configure the maximum file size for tracking content changes.

Modifying the maximum file size will affect the McAfee ePO database sizing requirements.

Use this task to specify the maximum file size to track content changes.

Task

1 Select Menu | Policy | Policy Catalog.

2 Select the Solidcore 6.1.0: General product.

The McAfee Default policy includes customizable configuration settings.


3 Click Duplicate for the McAfee Default policy in the Configuration (Client) category.

The Duplicate Existing Policy dialog box appears.

4 Specify the policy name and click OK.

The policy is created and listed on the Policy Catalog page.

5 Open the policy.

• If you are using McAfee ePO 4.6, click the new policy.

• If you are using McAfee ePO 4.5, click Edit Settings for the policy.

6 Switch to the Miscellaneous Settings tab.

7 Specify the file size.

8 Save the policy and apply to the relevant endpoints.


4 Protecting the file system and registry

Using Change Control, you can prevent changes to the file system and registry.

Contents How protection rules work How do I define protection rules Create a protection policy Enable read protection

How protection rules work

To prevent unauthorized access and changes, you define read-protection and write-protection rules.

Read-protection rules

Prevent users from reading the content of specified files, directories, and volumes.

When a directory is read protected, all files in the directory are read protected. Any unauthorized attempt to read data from protected files is prevented and an event is generated. Writing to read-protected files is allowed.

You cannot define read-protection rules for registry keys.

Write-protection rules

Prevent users from creating new files (including directories and registry keys) and modifying existing files, directories, and registry keys.

• Define write-protection rules for files and directories to protect them from unauthorized modifications. Only protect critical files. When a directory is included for write protection, all files contained in that directory and its subdirectories are write protected.

• Define write-protection rules for critical registry keys to protect them against change.

Can I override defined rules

While you can define rules to protect, you can also define additional rules to selectively override the read or write protection that is in effect.

• Specify programs that are permitted to selectively override the read or write protection.

• Specify users (on the Windows platform only) who are permitted to selectively override the read or write protection.


Does an order of precedence exist for protection rules

These considerations are used when protection rules are applied at the endpoint:

• Exclude rules are given precedence over include rules.

For example, if you erroneously define an include and exclude rule for the same file, the exclude rule applies.

• Longer paths are given precedence.

For example, if C:\temp is included for write protection, and C:\temp\foo.cfg is excluded, the changes to foo.cfg are permitted. Similarly, if you exclude the HKEY_LOCAL_MACHINE key and include the HKEY_LOCAL_MACHINE\System key for write protection, the changes to the HKEY_LOCAL_MACHINE\System key are prevented.

How do I define protection rules

Regardless of whether you use a rule group or policy, the framework available to define protection rules is the same.

Using variables in rules

The path specified in a protection rule can include system environment variables (only on the Windows platform). The following table lists the supported system variables.

Variable                     Example value (true for most Windows platforms)
%ALLUSERSPROFILE%            C:\Documents and Settings\All Users
%APPDATA%                    C:\Documents and Settings\{username}\Application Data
%COMMONPROGRAMFILES%         C:\Program Files\Common Files
%COMMONPROGRAMFILES(x86)%    C:\Program Files (x86)\Common Files
%HOMEDRIVE%                  C:
%HOMEPATH%                   C:\Documents and Settings\{username} (\ on earlier Windows versions)
%PROGRAMFILES%               C:\Program Files
%PROGRAMFILES(x86)%          C:\Program Files (x86) (only on 64-bit versions)
%SYSTEMDRIVE%                C:
%SYSTEMROOT%                 C:\Windows (C:\WINNT on earlier Windows versions)
%TEMP% (system), %tmp% (user)  C:\Documents and Settings\{username}\Local Settings\Temp, C:\Temp
%USERPROFILE%                C:\Documents and Settings\{username} (C:\WINNT\Profiles\{username} on earlier versions)
%WINDIR%                     C:\Windows

Understanding path considerations

These considerations apply to path‑based rules.


• Path should be absolute when specifying rules to read- or write-protect files and directories.

• Path need not be absolute when specifying rules to add a trusted program or updater. For example, you can specify a partial path, such as AcroRd32.exe or Reader\AcroRd32.exe, or a fully-qualified path, such as C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32.exe. If you specify the partial path, all programs with names that match the specified string are added as trusted programs. If you specify the fully-qualified path, only the specified program is added as a trusted program.

• Paths can contain white spaces.

• Paths can include the wildcard character (*). However, it can only represent one complete path component. Here are a few examples.

Windows platform  Using \abc\*\def is allowed while \abc\*.doc, \abc\*.*, or \abc\doc.* is not supported.

UNIX platform     Using /abc/*/def is allowed while /abc/*.sh, /abc/*.*, or /abc/doc.* is not supported.

• Paths used in registry key-based rules can include the wildcard character (*). However, the wildcard character can only represent one path component in the registry path. Ensure that you do not use the character for the component at the end of the complete registry path (if used at the end, the rule will not be effective).
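The precedence rules (exclude beats include, longer path beats shorter) and the wildcard restrictions above decide what an endpoint actually protects, and a mistake in a rule set is silent until a change gets through. The following is an added example, written for this page rather than taken from the product, that validates rule patterns against the stated restrictions and resolves which rule wins for a given path; the Rule type, the function names and case-insensitive matching are assumptions, and the two rule sets are the ones from the guide's own precedence examples.

```python
import re
from typing import List, NamedTuple, Optional


class Rule(NamedTuple):
    pattern: str            # absolute path or registry key; '*' = one whole component
    include: bool           # True = include for protection, False = exclude from it
    registry: bool = False  # registry-key rule: '*' must not be the last component


def split_path(p: str) -> List[str]:
    """Split a Windows path, UNIX path or registry key into components.
    Matching is case-insensitive here (assumption; Windows paths and keys are)."""
    return [c.lower() for c in re.split(r"[\\/]+", p.strip()) if c]


def validate_pattern(rule: Rule) -> None:
    """Reject the wildcard uses the guide calls unsupported or ineffective."""
    parts = split_path(rule.pattern)
    for comp in parts:
        if "*" in comp and comp != "*":
            raise ValueError(f"{rule.pattern!r}: '*' must stand for one complete path component")
    if rule.registry and parts and parts[-1] == "*":
        raise ValueError(f"{rule.pattern!r}: a trailing '*' makes a registry rule ineffective")


def pattern_is_valid(rule: Rule) -> bool:
    try:
        validate_pattern(rule)
        return True
    except ValueError:
        return False


def matches(rule: Rule, path: str) -> bool:
    """True if the rule covers the path (the path is the rule's target or below it)."""
    rp, pp = split_path(rule.pattern), split_path(path)
    if len(rp) > len(pp):
        return False
    return all(r == "*" or r == p for r, p in zip(rp, pp))


def is_protected(path: str, rules: List[Rule]) -> Optional[bool]:
    """Resolve the rules that apply to path.
    Returns None (no rule matches), True (protected) or False (excluded)."""
    hits = [r for r in rules if matches(r, path)]
    if not hits:
        return None
    # Longer (more specific) paths win; on a tie, exclude beats include.
    winner = max(hits, key=lambda r: (len(split_path(r.pattern)), not r.include))
    return winner.include


if __name__ == "__main__":
    # The two precedence examples from the guide.
    fs_rules = [Rule(r"C:\temp", True), Rule(r"C:\temp\foo.cfg", False)]
    reg_rules = [Rule(r"HKEY_LOCAL_MACHINE", False, True),
                 Rule(r"HKEY_LOCAL_MACHINE\System", True, True)]
    for r in fs_rules + reg_rules:
        validate_pattern(r)
    print(is_protected(r"C:\temp\foo.cfg", fs_rules))                   # False: exclusion wins
    print(is_protected(r"HKEY_LOCAL_MACHINE\System\Select", reg_rules))  # True: longer include wins
```

Run validate_pattern over a rule group before you push it: a pattern such as \abc\*.doc is rejected up front instead of being accepted by the console and matching nothing on the endpoint.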

Defining protection rules

Use this table to define protection rules. You can perform these actions when modifying or creating a protection (Change Control) policy or rule group.

Table 4-1 Defining Protection Rules

Read-protect files and directories

1 Click Add on the Read Protect tab. The Add File dialog box appears.

2 Specify the file or directory name.

3 Indicate whether to include for or exclude from read protection.

4 Click OK.

By default, the read protection feature is disabled at the endpoints.

Write-protect files and directories

1 Click Add on the Write Protect File tab. The Add File dialog box appears.

2 Specify the file or directory name.

3 Indicate whether to include for or exclude from write protection.

4 Click OK.

Write-protect registry keys

1 Click Add on the Write Protect Registry tab. The Add Registry dialog box appears.

2 Specify the registry key.

3 Indicate whether to include for or exclude from write protection.

4 Click OK.


Table 4-1 Defining Protection Rules (continued)

Specify trusted programs permitted to override the read and write protection rules

1 Click Add on the Updaters tab. The Add Updater dialog box appears.

2 Specify whether to add the updater based on the file name or checksum. Note that if you add the updater by name, the updater is not authorized automatically. However, when you add the updater by checksum, the updater is authorized.

3 Enter the location of the file (when adding by name) or the SHA1 value (when adding by checksum) of the executable binary.

4 Enter a unique identification label for the executable file. For example, if you specify Adobe Updater Changes as the identification label for the Adobe_Updater.exe file, all change events made by the Adobe_Updater.exe file will be tagged with this label.

5 When adding an updater by name, specify conditions that the binary file must meet to run as an updater.

• Select None to allow the binary file to run as an updater without any conditions.

• Select Library to allow the binary file to run as an updater only when it has loaded the specified library. For example, when configuring iexplore.exe as an updater to allow Windows Updates using Internet Explorer, specify wuweb.dll as the library. This ensures that the iexplore.exe program has updater privileges only when it has loaded the web control library (wuweb.dll).

• Select Parent to allow the binary file to run as an updater only if it is launched by the specified parent. For example, when configuring updater.exe as an updater to allow changes to Mozilla Firefox, specify firefox.exe as the parent. Although updater.exe is a generic name that can be part of any installed application, using the parent ensures that only the correct program is allowed to run as an updater.

6 When adding an updater by name, indicate whether to disable inheritance for the updater. For example, if Process A (that is set as an updater) launches Process B, disabling inheritance for Process A ensures that Process B will not become an updater.

7 When adding an updater by name, indicate whether to suppress events generated for the actions performed by the updater. Typically, when an updater changes a protected file, a File Modified event is generated for the file. If you select this option, no events are generated for changes made by the updater.

8 Click OK.


Table 4-1 Defining Protection Rules (continued)

Specify authorized users permitted to override the read and write protection rules (Windows only)

You can either enter user details or import user or group details from an Active Directory. Ensure that the Active Directory is configured as a registered server.

Specify details to authorize users to override the read or write protection rules.

1 Click Add on the Trusted User tab. The Add User dialog box appears.

2 Create two rules for each user:

• With UPN/SAM and domain account name (in domainName\user format)

• With domain NetBIOS name (in netbiosName\user format)

3 Specify a unique identification label for the user. For example, if you specify John Doe Changes as the identification label for the John Doe user, all changes made by the user will be tagged with this label.

4 Type the user name.

5 Click OK.

Import user details from an Active Directory.

1 Click AD Import on the Trusted User tab. The Import from Active Directory dialog box appears.

2 Select the server.

3 Select Global Catalog Search to search for users in the catalog (only if the selected Active Directory is a Global Catalog server).

4 Specify whether to search for users based on the UPN (User Principal Name) or SAM account name. Note that your search will determine the authorized user. Ensure that you use the trusted account to log on to the endpoint. If you use the UPN name while adding a user, ensure that the user logs on with the UPN name at the endpoint to enjoy trusted user privileges.

5 Enter the user name. The Contains search criteria is applied for the specified user name.

6 Specify a group name to search for users within a group.

You cannot directly add a group present in the Active Directory to a policy. To authorize all users in a group, add the user group to a rule group and include the rule group in a policy. Using groups ensures that all changes to a user group automatically cascade across all rule groups and associated policies.

7 Click Find. The search results are displayed.

8 Select the users to add in the search results and click OK.


Create a protection policy

Use this task to create a new protection policy. These are multi-slot policies; a user can assign multiple policies to a single node in the system tree.

Task

1 Select Menu | Policy | Policy Catalog.

2 Select the Solidcore 6.1.0: Change Control product.

3 Click New Policy.

The New Policy dialog box appears.

4 Select the category.

5 Select the policy you want to duplicate from Create a policy based on this existing policy list.

6 Specify the policy name and click OK.

The Policy Settings page opens.

7 Specify protection rules.

The read-protect feature is disabled by default. To use read-protection rules, enable the read-protect feature for the endpoints.

8 Save the policy.

Enable read protection

By default, the read-protect feature is disabled for optimal system performance. Use this task to run a command on the endpoint to enable read protection.

Task

1 Select Menu | Systems | System Tree.

2 Complete these steps from the McAfee ePO 4.6 console and perform one of these actions.

• To apply the client task to a group, select a group in the System Tree and switch to the Assigned Client Tasks tab.

• To apply the client task to an endpoint, select the endpoint on the Systems page and click Actions | Agent | Modify Tasks on a Single System.

a Click Actions | New Client Task Assignment.

The Client Task Assignment Builder page appears.

b Select the Solidcore 6.1.0 product, SC: Run Commands task type, and click Create New Task.

The Client Task Catalog page appears.

c Specify the task name and add any descriptive information.


3 Complete these steps from the McAfee ePO 4.5 console and perform one of these actions.

• To apply the client task to a group, select a group in the System Tree and switch to the Client Tasks tab.

• To apply the client task to an endpoint, select the endpoint on the Systems page and click Actions | Agent | Modify Tasks on a Single System.

a Click Actions | New Task.

The Client Task Builder page appears.

b Specify the task name and add any descriptive information.

c Select SC: Run Commands (Solidcore 6.1.0) and click Next.

The Configuration page appears.

4 Type the following command.

features enable deny-read

5 Select Requires Response if you want to view the status of the commands in the Menu | Change Control | Client Task Log tab.

6 Click Save (McAfee ePO 4.6 only).

7 Click Next.

The Schedule page appears.

8 Specify scheduling details and click Next.

9 Review and verify the task details and click Save.

10 Optionally, wake up the agent to send your client task to the endpoint immediately.


5 Monitoring and reporting

When a monitored file or registry key is changed or an attempt is made to access or change a protected resource, an event is generated on the endpoint and sent to the McAfee ePO server. Review and manage the generated events to monitor the network status.

You can also use customizable dashboards to monitor critical security status at-a-glance, and report that status to stakeholders and decision makers using preconfigured queries.

Contents Manage events Use dashboards View queries

Manage events

View and manage the events from the McAfee ePO console.

Tasks

• Review events on page 41
Use this task to review the events.

• View content changes on page 42
An event is generated each time the attributes or contents change for a file that is being tracked for changes.

• Exclude events on page 43
You can define rules to prune routine system-generated change events not relevant for monitoring or auditing.

Review events

Use this task to review the events.

Task

1 Select Menu | Reporting | Solidcore Events.

2 Specify the time duration for which to view events by selecting an option from the Time Filter list.

3 Specify the endpoints for which to view events.

a Select the required group in the System Tree.

b Select an option from the System Tree Filter list.


4 Optionally, view only specific events by applying one or more filters.

a Click Advanced Filters.

The Edit Filter Criteria page appears.

b Select an available property.

c Specify the comparison and value for the property.

For example, to view only File Modified events, select the Event Display Name property, set the comparison to Equals, and select the File Modified value.

d Click Update Filter.

Events matching the specified criteria are displayed.

5 View details for an event.

a Click an event row.

b Review event details.

c Click Back.

6 Review endpoint details for one or more events.

a Select one or more events.

b Click Actions | Show Related Systems.

The Related Systems page lists the endpoints corresponding to the selected events.

c Click a row to review detailed information for the endpoint.

d Optionally, perform any action on the endpoint.

View content changes

An event is generated each time the attributes or contents change for a file that is being tracked for changes. Based on the change made to the file, one of these events is generated:

• FILE_CREATED
• FILE_DELETED
• FILE_MODIFIED
• FILE_RENAMED
• FILE_ATTR_MODIFIED
• FILE_ATTR_SET
• FILE_ATTR_CLEAR
• ACL_MODIFIED
• OWNER_MODIFIED

If any of the afore-mentioned events is generated for a file for which you are tracking content changes, you can review details of the change made to the file. Use this task to view details of changes made to a file for which you are tracking content changes.
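The console filters and the "Top 10 ..." queries later in this chapter are all selections and counts over these event types. As an added example (written for this page; not McAfee code, and the record layout is this example's own, not the ePO event schema), the following runs the same logic over a handful of constructed events: the Event Display Name and System Tree filters from "Review events", a per-program/system/user count over a 7-day window like the Top 10 queries, and a simple check for content changes made by a program that is not a configured updater. That last check is a simplification: on a real endpoint the update policy itself decides whether a change is out of band, and here an updater is just a name in a set.

```python
from collections import Counter
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Event types the guide lists for files tracked for content changes.
CONTENT_CHANGE_EVENTS = {
    "FILE_CREATED", "FILE_DELETED", "FILE_MODIFIED", "FILE_RENAMED",
    "FILE_ATTR_MODIFIED", "FILE_ATTR_SET", "FILE_ATTR_CLEAR",
    "ACL_MODIFIED", "OWNER_MODIFIED",
}


def display_name(event_type: str) -> str:
    """'FILE_MODIFIED' -> 'File Modified', the form the Event Display Name filter uses.
    The guide names only File Modified; the general mapping is an assumption."""
    return event_type.replace("_", " ").title()


NOW = datetime(2012, 6, 8, 12, 0)

# Constructed sample events (field names are this example's, not the ePO schema).
SAMPLE_EVENTS: List[Dict] = [
    {"time": NOW - timedelta(hours=1), "type": "FILE_MODIFIED", "system": "web01",
     "user": r"CORP\jdoe", "program": "notepad.exe", "file": r"C:\app\app.conf"},
    {"time": NOW - timedelta(hours=2), "type": "FILE_MODIFIED", "system": "web01",
     "user": r"NT AUTHORITY\SYSTEM", "program": "wuauclt.exe",
     "file": r"C:\Windows\System32\drivers\etc\hosts"},
    {"time": NOW - timedelta(days=2), "type": "FILE_CREATED", "system": "db01",
     "user": r"CORP\svc_backup", "program": "backup.exe", "file": r"D:\backups\full.bak"},
    {"time": NOW - timedelta(days=3), "type": "ACL_MODIFIED", "system": "web02",
     "user": r"CORP\jdoe", "program": "icacls.exe", "file": r"C:\app\app.conf"},
    {"time": NOW - timedelta(days=10), "type": "FILE_MODIFIED", "system": "web02",
     "user": r"CORP\admin", "program": "notepad.exe", "file": r"C:\app\app.conf"},
]


def filter_events(events: Iterable[Dict], *, display: Optional[str] = None,
                  system: Optional[str] = None, since: Optional[datetime] = None) -> List[Dict]:
    """Equivalent of the Time Filter, the System Tree Filter and an
    'Event Display Name Equals ...' advanced filter."""
    out = []
    for ev in events:
        if display is not None and display_name(ev["type"]) != display:
            continue
        if system is not None and ev["system"] != system:
            continue
        if since is not None and ev["time"] < since:
            continue
        out.append(ev)
    return out


def top_n(events: Iterable[Dict], key: str, n: int = 10,
          window: timedelta = timedelta(days=7), now: datetime = NOW) -> List[Tuple[str, int]]:
    """The 'Top 10 <programs|systems|users> with Most Change Events in the Last 7 Days'
    queries: count content-change events per value of `key` inside the window."""
    recent = (ev for ev in events
              if ev["type"] in CONTENT_CHANGE_EVENTS and ev["time"] >= now - window)
    return Counter(ev[key] for ev in recent).most_common(n)


def changes_by_untrusted_programs(events: Iterable[Dict], updaters: Set[str]) -> List[Dict]:
    """Content changes made by a program that is not in the updater set (simplified check)."""
    trusted = {u.lower() for u in updaters}
    return [ev for ev in events
            if ev["type"] in CONTENT_CHANGE_EVENTS and ev["program"].lower() not in trusted]


if __name__ == "__main__":
    for ev in filter_events(SAMPLE_EVENTS, display="File Modified", system="web01"):
        print(ev["time"], ev["program"], ev["file"])
    print(top_n(SAMPLE_EVENTS, "system"))
    for ev in changes_by_untrusted_programs(SAMPLE_EVENTS, {"wuauclt.exe", "backup.exe"}):
        print("unexpected:", ev["system"], ev["user"], ev["program"], ev["file"])
```

Note that a "Top 10 programs" count is only as good as the program attribution on the event; an updater added with "suppress events" enabled produces no event at all, so its changes never appear in any of these counts.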

Task

1 Select Menu | Reporting | Solidcore Events.

2 Click View Content Change for the event.

The page compares two versions of the file.


3 Review the host, file attribute, and file content information.

Note that the change made to the file is highlighted.

4 Click Close.

Exclude events

You can define rules to prune routine system-generated change events not relevant for monitoring or auditing. Use this task to exclude or ignore events not required to meet compliance requirements.

Task

1 Select Menu | Reporting | Solidcore Events.

2 Select the events to exclude.

3 Click Actions | Exclude Events.

The Events Exclusion Wizard appears.

4 Select the target platform for the rules.

5 Select the rule group type and click Next.

The Define Rules page appears.

6 Rules are auto‑populated based on the selected events.

7 Review and refine existing rules and add new rules, as needed.

8 Click Next.

The Select Rule Group page appears.

9 Add the rules to an existing or new rule group and click Save.

10 Ensure the rule group is added to the relevant policy and the policy is assigned to the endpoints.

Once excluded, similar new events are no longer displayed on the McAfee ePO console. Excluding events does not remove the existing or similar events from the Events page.

Use dashboards

Dashboards are collections of monitors that help you keep an eye on your environment. Change Control provides these default dashboards:

• Solidcore: Integrity Monitor dashboard allows you to observe the monitored endpoints

• Solidcore: Change Control dashboard helps you keep a check on the protected endpoints

You can create, modify, duplicate, and export dashboards. For more information on working with dashboards, see the McAfee ePolicy Orchestrator Software Product Guide.

View queries

Use the available queries to review information for the endpoints based on the data stored in the McAfee ePO database. The following Change Control queries are available from the McAfee ePO console.


Table 5-1 Change Control Queries

Solidcore: Alerts
Displays all alerts generated in the last 3 months.

Solidcore: Attempted Violations Detected in the Last 24 Hours
Displays the attempted violation events detected during the last 24 hours. The line chart plots data on a per hour basis. Click a value on the chart to review event details.

Solidcore: Attempted Violations Detected in the Last 7 Days
Displays the attempted violation events detected during the last 7 days. The line chart plots data on a per day basis. Click a value on the chart to review event details.

Solidcore: Integrity Monitor Agent Status
Displays the status of all endpoints with the Change Control license which are managed by the McAfee ePO console. The pie chart categorizes the information based on the client status. Click a segment to review endpoint information.

Solidcore: Agent Status Report
Displays the status of all endpoints managed by the McAfee ePO console. This report combines information for both the Application Control and Change Control licenses. The pie chart categorizes the information based on the client status. Click a segment to review detailed information.

Solidcore: Agent License Report
Indicates the number of Solidcore Agents that are managed by the McAfee ePO console. The information is categorized based on the license information, namely Application Control and Change Control, and further sorted based on the operating system on the endpoint.

Solidcore: Integrity Monitor Events Detected in the Last 24 Hours
Displays monitoring-related events detected during the last 24 hours. The line chart plots data on a per hour basis. Click a value on the chart to review event details.

Solidcore: Integrity Monitor Events Detected in the Last 7 Days
Displays monitoring-related events detected during the last 7 days. The line chart plots data on a per day basis. Click a value on the chart to review event details.

Solidcore: Non Compliant Solidcore Agents
Lists the endpoints that are currently not compliant. The list is sorted based on the reason for non-compliance. An endpoint can be non compliant if it is in Disabled or Update mode or if the local Command Line Interface (CLI) access is recovered.

Solidcore: Out of Band Change Events detected in the Last 24 Hours
Displays change events generated in the last 24 hours which are not compliant with the update policy. The line chart plots data on a per hour basis. Click a value on the chart to review event details.

Solidcore: Out of Band Change Events detected in the Last 7 Days
Displays change events generated in the last 7 days which are not compliant with the update policy. The line chart plots data on a per day basis. Click a value on the chart to review event details.

Solidcore: PCI Req 10.3: File Integrity Monitoring - Rolling 90 Days
Displays the summary of changes that are grouped by the program name. This report allows you to comply with Payment Card Industry (PCI) requirement 10.3.

Solidcore: PCI DSS Req 11.5: Detailed PCI File Integrity Monitoring - Rolling 90 Days
Displays a detailed audit log of the critical systems, critical applications, and configuration files. This report allows you to comply with PCI Data Security Standards (DSS) requirement 11.5.

Solidcore: PCI DSS Req 11.5: Summary PCI File Integrity Monitoring - Rolling 90 Days
Displays a summarized audit log of the critical systems, critical applications, and configuration files. This report allows you to comply with PCI DSS requirement 11.5.

Solidcore: PCI DSS Req 10.3.1: User Report Detail - Rolling 90 Days
Displays a detailed list of changes that are grouped by the user name. This report allows you to comply with PCI DSS requirement 10.3.1.

Solidcore: PCI DSS Req 10.3.1: User Report Summary - Rolling 90 Days
Displays the summarized list of changes that are sorted based on the user name and date. This report allows you to comply with PCI DSS requirement 10.3.1.


Table 5-1 Change Control Queries (continued)

Solidcore: Policy Assignments By System
Lists the number of policies applied on the managed endpoints. Click a system to review information on the applied policies.

Solidcore: Policy Details
Categorizes and lists the rules defined in a selected monitoring or protection policy. To view the report, click Edit for the query, navigate to the Filter page, select a policy name, and click Run. Click a category to review all the rules in the category.

Solidcore: Top 10 Change Events in the Last 7 Days
Displays the top 10 change events that were generated during the last 7 days. The chart includes a bar for each event type and indicates the number of events generated for each event type. The bar chart sorts the data in descending order. Click a bar on the chart to review detailed information.

Solidcore: Top 10 Programs with Most Change Events in the Last 7 Days
Displays the top 10 programs with most changes during the last 7 days. The chart includes a bar for each program and indicates the number of events generated by each program. The bar chart sorts the data in descending order. Click a bar on the chart to review detailed information.

Solidcore: Top 10 Systems with Most Change Events in the Last 7 Days
Displays the top 10 systems with the most changes during the last 7 days. The chart includes a bar for each system and indicates the number of events generated for each system. The bar chart sorts the data in descending order. Click a bar on the chart to review detailed information.

Solidcore: Top 10 Systems with Most Violations Detected in the Last 24 Hours
Displays the top 10 systems with the maximum number of violations in the last 24 hours. The chart includes a bar for each system and indicates the number of violations for each system. Click a bar on the chart to review detailed information.

Solidcore: Top 10 Systems with Most Violations Detected in the Last 7 Days
Displays the top 10 systems with the maximum number of violations in the last 7 days. The chart includes a bar for each system and indicates the number of violations for each system. Click a bar on the chart to review detailed information.

Solidcore: Top 10 Users with Most Change Events in the Last 7 Days
Displays the top 10 users with the most changes during the last 7 days. The chart includes a bar for each user and indicates the number of events generated by each user. The bar chart sorts the data in descending order. Click a bar on the chart to review detailed information.

Solidcore: Top 10 Users with Most Violations Detected in the Last 24 Hours
Displays the top 10 users with the most policy violation attempts in the last 24 hours. The chart includes a bar for each user and indicates the number of policy violation attempts for each user. The bar chart sorts the data in descending order. Click a bar on the chart to review detailed information.

Solidcore: Top 10 Users with Most Violations Detected in the Last 7 Days
Displays the top 10 users with the most policy violation attempts in the last 7 days. The chart includes a bar for each user and indicates the number of policy violation attempts for each user. The bar chart sorts the data in descending order. Click a bar on the chart to review detailed information.

Use this task to view a query.

Task

1 Select Menu | Reporting.

2 Perform one of these tasks.

• From the McAfee ePO 4.6 console, select Queries & Reports.

• From the McAfee ePO 4.5 console, select Queries.


3 Select the Change Control group under Shared Groups.

4 Review the queries in the list.

5 Navigate to the required query and click Run.

The results for the selected query are displayed.

6 Click Close to return to the previous page.


6 Getting started with Application Control

Before you begin using Application Control, get familiar with it and understand related concepts.

Contents

• Application Control modes

• How do I manage protected endpoints

• Design the trust model

• Memory-protection techniques

• Manage rule groups

• Manage certificates

• Manage installers


Application Control modes

At any time, Application Control can operate in one of these modes.

Enabled

Indicates that the application is in effect and no unauthorized changes are allowed on the endpoints. When in Enabled mode, Application Control:

• Allows only authorized applications to run on servers and endpoints

• Prevents all unauthorized code, including binaries and scripts, from running

• Protects against memory-based attacks and application tampering

Enabled mode is the recommended mode of operation. From the Enabled mode, you can switch to the Disabled, Update, or Observe mode.

Observe

Indicates that the application is in effect but is not preventing any changes made on the endpoints. Using the Observe mode is similar to doing a dry run for Application Control. Observe mode is available only on the Windows platform.

When running in Observe mode, Application Control emulates the Enabled mode but logs observations instead of preventing any applications or code from running. An observation is logged corresponding to each action Application Control would take when in Enabled mode. For example, if not authorized, the execution of the Adobe Reader application is prevented in Enabled mode. In Observe mode, the Adobe Reader application is allowed to execute and an observation is generated to indicate that the execution was permitted.

You can place Application Control in Observe mode to:

• Check the compatibility of Application Control with existing software during initial deployment

• Test an application prior to enterprise-wide deployment on endpoints already running Application Control

If you switch to the Observe mode from the Disabled mode, the endpoints need to be restarted. From the Observe mode, you can switch to the Enabled or Disabled mode. When switching to Enabled or Disabled mode, you can choose to either allow or discard all changes made during Observe mode (all changes made in Observe mode are tracked). For more information on the Observe mode, see the Deploying Application Control in Observe mode section.

Update

Indicates that the application is in effect, allows ad-hoc changes to the system, and tracks the changes made to the endpoints. We recommend that you use the Update mode only for installing minor software updates. Only use the Update mode to perform scheduled or emergency changes that cannot be made when Application Control is running in Enabled mode. Whenever possible, use the other preferred methods, such as trusted users, directories, publishers, updaters, or installers, to allow changes.

In the Enabled mode, if you install any new software or add new binary files, the files are not added to the whitelist or allowed to execute (unless the change is performed by a trusted change method). However, if you install or uninstall software or add new binary files in the Update mode, all changes are tracked and added to the whitelist.

To authorize or approve changes to endpoints, a change window is defined during which users and programs can make changes to the endpoint. In effect, the Update mode allows you to schedule software and patch installations, remove or modify software, and dynamically update the local whitelist. The application generates the FILE_SOLIDIFIED event for files added during Update mode and the FILE_UNSOLIDIFIED event for files deleted during Update mode. Also, when an endpoint is in Update mode, all changes to existing files in the inventory generate corresponding update mode events, such as FILE_MODIFIED_UPDATE and FILE_RENAMED_UPDATE.

Memory-protection techniques remain enabled in Update mode, so running programs keep their protection against memory-based exploits while the whitelist is open to changes. Because every file added in the window is whitelisted, keep the window as short as the task requires and review the update mode events it generated before returning to Enabled mode.

From the Update mode, you can switch to the Enabled or Disabled mode.

Disabled

Indicates that the application is not in effect. Although the application is installed, the associated features are not active.

From the Disabled mode, you can switch to the Enabled, Update, or Observe mode.

How do I manage protected endpoints

When you deploy Application Control to protect an endpoint, it creates a whitelist of all executable binary and script files present on the endpoint. The whitelist lists all authorized files and is used to determine trusted or known files. In Enabled mode, only files present in the whitelist are allowed to execute. Also, all files in the whitelist are protected and cannot be modified or deleted. An executable binary or script file that is not in the whitelist is said to be unauthorized and is prevented from running.

Authorizing files and programs

The whitelist is the most common method to determine trusted or known files. You can authorize a program or file on a protected endpoint by using one of these methods:

• By checksum

• By certificate or publisher

• By name

• By adding to the whitelist

The order in which the methods are listed indicates the precedence the software applies to the methods, from highest to lowest. For example, if you ban a program based on its checksum value and it is present in the whitelist (and hence is authorized), the program is banned. Similarly, if a program is allowed based on its checksum value and is banned by name, the program is allowed to execute.
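The precedence described above, as an added example that is not part of this guide or the product: a small Python model in which a ban-by-checksum rule beats whitelist membership and an allow-by-checksum rule beats a ban-by-name rule. The Policy and Binary shapes, the publisher name Contoso Corp and the file contents are constructed for illustration; SHA-1 is used because that is the checksum the product's checksum and installer rules specify.

```python
"""Toy evaluator for Application Control's authorization precedence.

Added example, not product code. The guide lists the methods in order of
precedence: checksum, certificate/publisher, name, whitelist membership.
The Policy and Binary shapes, the rule values and the file contents below
are constructed for illustration.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Binary:
    path: str                       # fully qualified path on the endpoint
    content: bytes                  # file bytes (constructed); the SHA-1 is derived from them
    signer: Optional[str] = None    # subject of the code-signing certificate, if signed

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1].lower()

    @property
    def sha1(self) -> str:
        # The product identifies checksum rules and installers by SHA-1.
        return hashlib.sha1(self.content).hexdigest()


@dataclass
class Policy:
    whitelist: set = field(default_factory=set)         # SHA-1s solidified at deployment
    checksum_rules: dict = field(default_factory=dict)  # sha1 -> "allow" | "ban"
    publishers: set = field(default_factory=set)        # trusted certificate subjects
    name_rules: dict = field(default_factory=dict)      # lowercase file name -> "allow" | "ban"


def decide(policy: Policy, b: Binary) -> tuple:
    """Return (verdict, reason); the first tier that matches wins."""
    if b.sha1 in policy.checksum_rules:
        return policy.checksum_rules[b.sha1], "checksum rule"
    if b.signer is not None and b.signer in policy.publishers:
        return "allow", "trusted publisher"
    if b.name in policy.name_rules:
        return policy.name_rules[b.name], "name rule"
    if b.sha1 in policy.whitelist:
        return "allow", "whitelist"
    return "ban", "not in whitelist"


def build_sample():
    """Constructed policy and binaries reproducing the two cases in the guide."""
    notepad = Binary(r"C:\Windows\system32\notepad.exe", b"MZ notepad (constructed)")
    tool = Binary(r"C:\Tools\tool.exe", b"MZ tool (constructed)")
    setup = Binary(r"C:\Temp\setup.exe", b"MZ setup (constructed)", signer="Contoso Corp")
    stray = Binary(r"C:\Users\Public\stray.exe", b"MZ stray (constructed)")

    policy = Policy(whitelist={notepad.sha1})
    policy.checksum_rules[notepad.sha1] = "ban"   # ban by checksum beats whitelist membership
    policy.checksum_rules[tool.sha1] = "allow"    # allow by checksum ...
    policy.name_rules["tool.exe"] = "ban"         # ... beats a ban by name
    policy.publishers.add("Contoso Corp")         # the signed setup.exe runs via its publisher
    return policy, {"notepad": notepad, "tool": tool, "setup": setup, "stray": stray}


if __name__ == "__main__":
    policy, binaries = build_sample()
    for label, b in binaries.items():
        verdict, reason = decide(policy, b)
        print(f"{label:8} {b.sha1[:12]}...  {verdict:5}  ({reason})")
```

The evaluator returns the first tier that matches, which is exactly why a checksum ban on a whitelisted file wins: the whitelist is only consulted when no higher-precedence rule speaks about the file.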


Allowing changes to endpoints

Typically, most applications and executable files remain unchanged over prolonged periods of time. However, if needed, you can allow certain applications and executable files to create, modify, or delete files in the whitelist. To design a trust model and allow additional users or programs to modify a protected endpoint, you can use one of these methods.

Updater

Refers to an application permitted to update the endpoint. If a program is configured as an updater, it is allowed to install new software and update existing software. For example, if you configure the Adobe 8.0 updater program as an updater, it can periodically patch all needed files.

Updaters work at a global level and are not application- or license-specific. After a program is defined as an updater, it can modify any protected file. If you are using both Application Control and Change Control, an updater defined via an Application Control policy will also be able to modify files protected by rules defined in a Change Control policy.

Note that an updater is not authorized automatically. To be authorized, an updater must be present in the whitelist or given explicit authorization (defined as an allowed binary via a policy or added as an updater based on checksum). We recommend that you use caution and judiciously assign updater privileges to binary files. For example, if you set cmd.exe as an updater and invoke any executable from it, the executable can perform any change on the protected endpoints.

To avoid a security gap, it is not recommended to have a file configured as an allowed binary and updater concurrently.

Common candidates to set as updaters include software distribution applications, such as Tivoli, Opsware, Microsoft Systems Management Server (SMS), and Bladelogic, and programs that need to frequently update themselves. Application Control includes predefined rules for commonly used applications that might need to update the endpoints frequently. For example, rule groups are defined for the Altiris, SCCM, and McAfee products.

Publisher

Refers to a publisher or trusted certificate (associated with a software package) that is permitted to run on a protected endpoint. After you add a certificate as a publisher, you can run all software that is signed by the certificate. You can configure publishers only for the Windows platform. For example, if you add Adobe's code signing certificate as a publisher, all software issued by Adobe and signed by Adobe's certificate will be permitted to run.

To allow any in-house applications to run on protected endpoints, you can sign the applications with an internal certificate and define the internal certificate as a trusted publisher. After you do so, all applications signed by the certificate are allowed. Also, all applications and binary files either added or modified on an endpoint that are signed by the certificate are automatically added to the whitelist.

When adding a publisher, you can also choose to provide updater privileges to the publisher. We recommend that you use this option judiciously because selecting this option ensures that all the binary files signed by the publisher acquire updater privileges. For example, if you set the Microsoft certificate that signs the Internet Explorer application as an updater, Internet Explorer can download and execute any application from the internet. In effect, any files added or modified by an application that is signed by the publisher (with updater privileges) will be added to the whitelist automatically.

Installer

Refers to an application installer identified by its checksum (SHA1) that is allowed to install or update software. When a program (or an installer) is configured as an authorized installer, it gets both the attributes: authorized binary and updater. Hence, regardless of whether the installer was originally present on the endpoint or not, it is allowed to execute and update software on the endpoint. You can configure installers only for the Windows platform.

An authorized installer is allowed on the basis of the checksum (SHA1) value of the installer (specified while configuring the policy). This ensures that regardless of the source of the installer (and how one gets this installer to the endpoint), if the checksum value matches, the installer will be allowed to run. For example, if you add the installer for the Microsoft Office 2010 suite as an installer, and the checksum matches, the installer will be allowed to install the Microsoft Office suite on the protected endpoints.

Trusted Directory

Refers to a directory (local or network share) identified by its Universal Naming Convention (UNC) path. After you add a directory as a trusted directory, endpoints are permitted to run any software present in that directory.

When enabled, Application Control prevents protected endpoints from executing any code residing on a network share. If you maintain shared folders containing installers for licensed applications on the internal network in your organization, add trusted directories for such network shares.

Additionally, if needed, you can also allow the software located at that UNC path to install software on the protected endpoints. For example, when logging on to a Domain Controller from a protected endpoint, you will need to define \\domain-name\SYSVOL as a trusted directory (to allow execution of scripts).

Trusted User

Refers to an authorized Windows user with privileges to dynamically add to the whitelist. For example, add the administrator as a trusted user to allow the administrator to install or update any software. While adding the user details, you must also provide the domain details.

Of all the strategies available to allow changes to protected endpoints, this is the least preferred because it offers minimal security. We suggest that you define trusted users judiciously because after a trusted user is added, there are no restrictions on what the user can modify or run on an endpoint.

Update mode

Refers to a time window during which all changes are allowed on a protected endpoint. Place the protected endpoints in the Update mode to perform ad-hoc changes to the endpoints.

Use this method when none of the other strategies, such as trusted users, trusted directories, publishers, or installers, meet your requirements. For example, define a time window to allow the IT team to complete maintenance tasks, such as installing patches or upgrading software. For more information on the Update mode, see the Application Control modes section.

Design the trust model

Regardless of whether you use a rule group or policy, the framework available to define rules is the same.

For more information on the type of rules you can define, see the How do I manage protected endpoints section.

Using variables in rules

The path specified in a rule can include system environment variables (only on the Windows platform). The following table lists the supported system variables.


Variable                        Example value (true for most Windows platforms)

%ALLUSERSPROFILE%               C:\Documents and Settings\All Users

%APPDATA%                       C:\Documents and Settings\{username}\Application

%COMMONPROGRAMFILES%            C:\Program Files\Common Files

%COMMONPROGRAMFILES (x86)%      C:\Program Files (x86)\Common Files

%HOMEDRIVE%                     C:

%HOMEPATH%                      \Documents and Settings\{username} (\ on earlier Windows versions; the drive letter is in %HOMEDRIVE%)

%PROGRAMFILES%                  C:\Program Files

%PROGRAMFILES (x86)%            C:\Program Files (x86) (only for 64-bit versions)

%SYSTEMDRIVE%                   C:

%SYSTEMROOT%                    C:\Windows (C:\WINNT on earlier Windows versions)

%TEMP% (system), %tmp% (user)   C:\Temp (system); C:\Documents and Settings\{username}\Local Settings\Temp (user)

%USERPROFILE%                   C:\Documents and Settings\{username} (C:\WINNT\Profiles\{username} on earlier versions)

%WINDIR%                        C:\Windows

Understanding path considerations

These considerations apply to path-based rules.

• Paths need not be absolute when specifying rules.

For example, when defining an updater you can specify a partial path, such as AcroRd32.exe or Reader\AcroRd32.exe, or the fully qualified path, such as C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32.exe. If you specify a partial path, all programs with names that match the specified string are assigned updater privileges. If you specify the fully qualified path, only the specified program is assigned updater privileges. Because a partial path matches a file of that name in any location, prefer the fully qualified path or the checksum when granting privileges, and keep partial paths for bans.

Similarly, when banning a file, if you specify a partial path, such as notepad.exe, all programs with names that match the specified string are banned. However, if you specify the fully qualified path, for example C:\Windows\system32\notepad.exe, only the specified file is banned. Alternatively, if you specify the checksum value, only the file with the specified checksum value is banned.

• Paths can contain white spaces.

• Paths can include the wildcard character (*). However, it can only represent one complete path component. Here are a few examples.

Windows platform: Using \abc\*\def is allowed, while \abc\*.doc, \abc\*.*, or \abc\doc.* is not supported.

UNIX platform: Using /abc/*/def is allowed, while /abc/*.sh, /abc/*.*, or /abc/doc.* is not supported.
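The path rules above, as an added example that is not product code: a Python matcher that expands the Windows variables from the table, treats a partial path as a suffix match and a fully qualified path as an exact match, accepts `*` only as a whole component, and checks a trusted directory with its Include and Exclude entries. The variable table is a constructed subset of the one above, and treating only drive-letter, UNC and leading-`/` paths as fully qualified is this example's own assumption.

```python
r"""Path-rule semantics for Application Control rules.

Added example, not product code. It models the guide's path rules: partial
versus fully qualified paths, the '*' wildcard as one complete component, and
Windows environment variables in rule paths. The variable table is a
constructed subset, and treating only drive-letter, UNC and leading-'/' paths
as fully qualified is this example's own assumption.
"""
from __future__ import annotations

import re

# Constructed subset of the variable table; real values come from the endpoint.
WIN_VARS = {
    "%SYSTEMROOT%": r"C:\Windows",
    "%WINDIR%": r"C:\Windows",
    "%PROGRAMFILES%": r"C:\Program Files",
    "%PROGRAMFILES (X86)%": r"C:\Program Files (x86)",
}


def expand_vars(path: str) -> str:
    """Replace %VAR% tokens case-insensitively; unknown tokens are left alone."""
    return re.sub(r"%[^%\\/]+%", lambda m: WIN_VARS.get(m.group(0).upper(), m.group(0)), path)


def split_components(path: str, windows: bool) -> list:
    """Split on the platform separator; Windows names compare case-insensitively."""
    sep = "\\" if windows else "/"
    parts = [p for p in path.split(sep) if p]
    return [p.lower() for p in parts] if windows else parts


def validate_rule(rule: str, windows: bool) -> list:
    r"""Reject wildcards that are not a whole component, e.g. \abc\*.doc or /abc/doc.*."""
    comps = split_components(rule, windows)
    for c in comps:
        if "*" in c and c != "*":
            raise ValueError(f"'*' must be a complete path component, got {c!r}")
    return comps


def _fully_qualified(rule: str, windows: bool) -> bool:
    if windows:
        return rule.startswith("\\\\") or re.match(r"^[A-Za-z]:\\", rule) is not None
    return rule.startswith("/")


def path_matches(rule: str, actual: str, windows: bool = True) -> bool:
    """True if `actual` is covered by `rule` (partial rules match as a suffix)."""
    if windows:
        rule, actual = expand_vars(rule), expand_vars(actual)
    r = validate_rule(rule, windows)
    a = split_components(actual, windows)
    if _fully_qualified(rule, windows):
        if len(r) != len(a):
            return False
        pairs = zip(r, a)
    else:
        if len(r) > len(a):
            return False
        pairs = zip(r, a[len(a) - len(r):])
    return all(rc == "*" or rc == ac for rc, ac in pairs)


def in_trusted_directory(actual: str, includes: list, excludes: list, windows: bool = True) -> bool:
    """True when `actual` lies under an Include path and under no Exclude path."""
    def under(directory: str) -> bool:
        d = validate_rule(expand_vars(directory) if windows else directory, windows)
        a = split_components(expand_vars(actual) if windows else actual, windows)
        return len(a) > len(d) and all(dc == "*" or dc == ac for dc, ac in zip(d, a))
    return any(under(i) for i in includes) and not any(under(e) for e in excludes)


if __name__ == "__main__":
    reader = r"C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32.exe"
    print(path_matches("AcroRd32.exe", reader))                                           # True
    print(path_matches(r"%PROGRAMFILES%\Adobe\Reader 9.0\Reader\AcroRd32.exe", reader))   # True
    print(path_matches(r"\abc\*\def", r"D:\abc\build\def"))                               # True
    print(path_matches("/abc/*/def", "/abc/one/two/def", windows=False))                  # False
```

Running `validate_rule` before a rule is saved catches the unsupported `*.doc` forms at authoring time instead of leaving a rule in the policy that silently matches nothing.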

Are any predefined rules available

Yes, Application Control includes predefined rules for commonly used applications. The following predefined rules are included:

• McAfee Default (one each for UNIX and Windows). For detailed information, see the Review predefined rules section.

• McAfee Applications (McAfee Default). This policy includes McAfee-specific rules that allow other McAfee products to run successfully on protected endpoints. These rules are also included in the McAfee Default (Windows) policy.

How do I define rules

Use this table to define the rules to design the trust model. You can perform these actions when creating or modifying an Application Control policy or rule group.

Add an updater

1 Select the Updaters tab and click Add. The Add Updater dialog box appears.

2 Specify whether to add the updater based on the file name or checksum. Note that if you add the updater by name, the updater is not authorized automatically. However, when you add the updater by checksum, the updater is authorized.

3 Enter the location of the file (when adding by name) or the SHA1 value (when adding by checksum) of the executable binary.

4 Specify an identification label for the program. For example, if you specify Adobe Updater changes as the label, all changes made by the Adobe 8.0 updater are tagged with this label.

5 When adding an updater by name, specify conditions that the binary file must meet to run as an updater.

• Select None to allow the binary file to run as an updater without any conditions.

• Select Library to allow the binary file to run as an updater only when it has loaded the specified library. For example, when configuring iexplore.exe as an updater to allow Windows Updates using Internet Explorer, specify wuweb.dll as the library. This ensures that the iexplore.exe program has updater privileges only while the web control library (wuweb.dll) is loaded.

• Select Parent to allow the binary file to run as an updater only if it is launched by the specified parent. For example, when configuring updater.exe as an updater to allow changes to Mozilla Firefox, specify firefox.exe as the parent. Although updater.exe is a generic name that can be part of any installed application, using the parent ensures that only the correct program is allowed to run as an updater.

6 When adding an updater by name, indicate whether to disable inheritance for the updater. For example, if Process A (that is set as an updater) launches Process B, disabling inheritance for Process A ensures that Process B will not become an updater.

7 When adding an updater by name, indicate whether to suppress events generated for the actions performed by the updater. Typically, when an updater changes a protected file, a File Modified event is generated for the file. If you select this option, no events are generated for changes made by the updater.

8 Click OK.
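The updater conditions in step 5 and the inheritance switch in step 6, as an added example that is not product code: a Python model of a process tree in which a by-name updater is unconditional, conditional on a loaded library, or conditional on its parent, and in which a child process inherits the privilege only if the granting rule allows inheritance. The rule set and process tree are constructed (the ccmexec.exe entry stands in for a software distribution agent), and the assumption that inheritance keeps flowing to grandchildren is this example's own.

```python
"""Updater conditions and inheritance, as an added example (not product code).

Models step 5 and step 6 of "Add an updater": a by-name updater may be
unconditional, conditional on a loaded library, or conditional on its parent
process, and inheritance of the privilege by child processes can be disabled.
The process tree and SAMPLE_RULES are constructed; how far inheritance
propagates through grandchildren is this example's own assumption.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional


@dataclass
class UpdaterRule:
    name: str                    # binary name as entered in the Add Updater dialog
    condition: str = "none"      # "none" | "library" | "parent"
    value: Optional[str] = None  # library file name or parent binary name
    inherit: bool = True         # False models "disable inheritance"


@dataclass
class Process:
    image: str                                 # image file name
    parent: Optional["Process"] = None
    loaded: set = field(default_factory=set)   # libraries currently loaded


def direct_rule(proc: Process, rules: list) -> Optional[UpdaterRule]:
    """The rule that grants `proc` updater privilege by itself, if any."""
    loaded = {lib.lower() for lib in proc.loaded}
    for r in rules:
        if r.name.lower() != proc.image.lower():
            continue
        if r.condition == "none":
            return r
        if r.condition == "library" and r.value.lower() in loaded:
            return r
        if (r.condition == "parent" and proc.parent is not None
                and proc.parent.image.lower() == r.value.lower()):
            return r
    return None


def granting_rule(proc: Process, rules: list) -> Optional[UpdaterRule]:
    """Rule behind `proc`'s privilege, whether direct or inherited from an ancestor."""
    r = direct_rule(proc, rules)
    if r is not None:
        return r
    if proc.parent is not None:
        pr = granting_rule(proc.parent, rules)
        if pr is not None and pr.inherit:   # assumption: inheritance flows down the tree
            return pr
    return None


def updater_status(proc: Process, rules: list) -> str:
    """'direct', 'inherited' or 'none'."""
    if direct_rule(proc, rules) is not None:
        return "direct"
    return "inherited" if granting_rule(proc, rules) is not None else "none"


# Constructed rule set mirroring the guide's examples plus the cmd.exe caveat.
SAMPLE_RULES = [
    UpdaterRule("iexplore.exe", "library", "wuweb.dll"),   # only while the Windows Update control is loaded
    UpdaterRule("updater.exe", "parent", "firefox.exe"),   # only when launched by Firefox
    UpdaterRule("ccmexec.exe"),                            # distribution agent, unconditional, inheritable
    UpdaterRule("cmd.exe", inherit=False),                 # shell as updater, but its children get nothing
]


if __name__ == "__main__":
    ie = Process("iexplore.exe", loaded={"mshtml.dll"})
    print(updater_status(ie, SAMPLE_RULES))                                        # none
    ie.loaded.add("wuweb.dll")
    print(updater_status(ie, SAMPLE_RULES))                                        # direct
    msi = Process("msiexec.exe", parent=Process("ccmexec.exe"))
    print(updater_status(Process("setup.exe", parent=msi), SAMPLE_RULES))          # inherited
    shell = Process("cmd.exe")
    print(updater_status(Process("powershell.exe", parent=shell), SAMPLE_RULES))   # none
```

The cmd.exe entry shows the safe way to grant a shell updater rights if you must: with inheritance disabled, a binary launched from that shell does not acquire the privilege, which is the security gap the guide warns about.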

Allow or ban a binary file

1 Select the Binary tab and click Add. The Add Binary dialog box appears.

2 Specify an identifier for the rule in the Rule Name field. You can use the identifier to group related rules. For example, you can specify Banning unauthorized programs as the identifier for all rules that you define to ban unauthorized programs in your organization.

3 Indicate whether to allow or ban the binary file.

4 Indicate whether to allow or ban the binary file based on the file's name or checksum value.

5 Enter the name or checksum value.

6 Click OK.

Specify authorized users permitted to override the protection in effect (only for the Windows platform)

You can either enter user details or import user or group details from an Active Directory. Ensure that the Active Directory is configured as a registered server.

Specify details to authorize users to override the protection in effect (Windows only).

1 Click Add on the Trusted Users tab. The Add User dialog box appears.

2 Create two rules for each user:

• With UPN/SAM and domain account name (in domainName\user format)

• With domain NetBIOS name (in netbiosName\user format)

3 Specify a unique identification label for the user. For example, if you specify John Doe's Changes as the identification label for the John Doe user, all changes made by the user are tagged with this label.

4 Type the user name.

5 Click OK.

Import user details from an Active Directory.

1 Click AD Import on the Trusted Users tab. The Import from Active Directory dialog box appears.

2 Select the server.

3 Select Global Catalog Search to search for users in the catalog (only if the selected Active Directory is a Global Catalog server).

4 Specify whether to search for users based on the UPN (User Principal Name) or SAM account name. Note that your search determines the authorized user. If you search using the UPN or common name, the user is trusted with the UPN, and if you search using the SAM account name, the user is trusted with the SAM account name.

5 Enter the user name. The Contains search criterion is applied to the specified user name.

6 Specify a group name to search for users within a group.

You cannot directly add a group present in the Active Directory to a policy. To authorize all users in a group, add the user group to a rule group and include the rule group in a policy. Using groups ensures that all changes to a user group automatically cascade across all rule groups and associated policies.

7 Click Find. The search results are displayed.

8 Select the users to add from the search results and click OK.


Add a publisher

1 Select the Publishers tab and click Add. The Add Publisher dialog box appears.

2 Search for and add the certificate. For example, you can search for and add the Microsoft certificate. For information on how to add publishers, see the Manage certificates section.

3 Optionally, select the Add Publisher(s) as Updater option to provide updater privileges to the publisher.

4 Specify an identification label for the publisher. Note that if you select the Add Publisher(s) as Updater option, you must specify an identification label for the publisher.

5 Click OK.

Add an installer

1 Select the Installers tab and click Add. The Add Installer dialog box appears.

2 Search for and add the installer. For example, you can add the installer for Adobe Reader to allow users to run the installer on the endpoints. For more information on how to add installers, see the Manage installers section.

3 Specify an identification label for the installer.

4 Click OK.

Add an exception

1 Select the Exceptions tab and click Add. The Add Attribute dialog box appears.

2 Enter the file name.

3 Select the required options. For detailed information on the available options, see the Define bypass rules section.

4 Click OK.

Add a trusted directory

1 Select the Trusted Directories tab and click Add. The Add Path dialog box appears.

2 Enter the location of the directory.

3 Select Include or Exclude. Use the Exclude option to exclude a specific folder or subfolder within a trusted directory.

4 Optionally, select the Make programs executed from this directory updaters option to allow the software located at that UNC path to modify the endpoints.

5 Click OK.

Specify advanced exclusion filters for observations and events

1 Click Add Rule on the Filters tab. A new filter row appears. You can create filters based on files, events, programs, registry keys, and users. By default, all defined filters are applied to observations.

2 Edit the settings to specify the filter.

3 Click + or Add Rule to specify additional AND or OR conditions, respectively.

4 Select Apply rule to events also for a set of rules to apply the filter rules to events.

You can also define advanced exclusion filters from the Events page. For more information, see the Exclude events section.

Memory-protection techniquesApplication Control offers multiple memory‑protection techniques to prevent zero‑day attacks. Thesememory‑protection techniques provide additional protection over the protection offered by nativeWindows features or signature‑based buffer overflow protection products.

These memory‑protection techniques are available on all Windows operating systems, including 64‑bitplatforms. Note that the memory‑protection techniques are unavailable on the Unix platform. At ahigh‑level, the available memory‑protection techniques stop two kinds of exploits:

• Buffer overflow followed by direct code execution

• Buffer overflow followed by indirect code execution using Return‑Oriented Programming

For a detailed and updated list of the exploits prevented by the memory ‑protection techniques,subscribe to McAfee Threat Intelligence Services (MTIS) security advisories.

Technique Description

CASP ‑ Critical Address SpaceProtection (mp‑casp)

CASP is a memory‑protection technique that renders useless anycode that is running from the non‑code area. Code running from thenon‑code area is an abnormal event that usually happens due to abuffer overflow being exploited.

Note that CASP is different from the DEP (Data Execution Prevention)feature available on 64‑bit Windows platforms. While the DEP featureprevents the code in a non‑code area from executing at all (usuallywith the help of hardware), CASP allows such code to execute butdisallows such code from making any meaningful API calls, such asCreateProcess(), DeleteFile(), and others. Any meaningful exploitcode would want to invoke at least one of these APIs and becauseCASP blocks them, the exploit fails to do any damage.

Supported OperatingSystems

This feature is available on the followingWindows operating systems:• 32‑bit ‑ Windows 2003, Windows 2003 R2,

Windows 2008, Windows XP, Windows XPE,WEPOS, Pos Ready 2009, WES 2009,Windows Vista, Windows 7, and Windows 7Embedded

Default State Enabled

Event generated PROCESS HIJACK ATTEMPTED

6 Getting started with Application ControlMemory-protection techniques

56 McAfee Change Control and McAfee Application Control 6.1.0 Product Guide

Page 57: McAfee Change Control and McAfee Application Control · PDF fileHow do I define monitoring rules ... Search for a certificate ... McAfee Change Control and McAfee Application Control

Technique Description

NX ‑ No eXecute (mp‑nx) The NX feature utilizes Windows' Data Execution Prevention (DEP)feature to protect processes against exploits that try to execute codefrom writable memory area (stack/heap). On top of native DEP,MP‑NX provides granular bypass capability as well as raises violationevents that can be viewed on the McAfee ePO console.Windows DEP is a memory‑protection technique that prevents codefrom being run from a non‑executable memory region. In most cases,code running from the non‑executable memory region is an abnormalevent. This mostly occurs when a buffer overflow happens and themalicious exploit is attempting to execute code from thesenon‑executable memory regions. DEP is available on 64‑bit Windowsplatforms.

Supported OperatingSystems

This feature is available on the followingWindows operating systems:• 64‑bit ‑ Windows XP, Windows 2003,

Windows 2003 R2, Windows 2008,Windows 2008 R2, Windows Vista,Windows 7, and Windows 7 Embedded

Note that this feature is not available on theIA64 architecture.

Default State Enabled

Event generated NX_VIOLATION_DETECTED

VASR ‑ Virtual Address SpaceRandomization [mp‑vasr(sub‑features:mp‑vasr‑rebase,mp‑vasr‑reloc,mp‑vasr‑randomization)]

Although VASR is similar to the ASLR (Address Space LayoutRandomization) technique available on the Windows platform, VASRis more than just ASLR. Windows ASLR randomizes the addresseswhere modules are loaded to help prevent an attacker fromleveraging data from predictable locations. The problem with ASLR isthat all modules have to use a compile time flag to opt into this.VASR is available on older Windows operating systems that do notsupport ASLR. The aim of this technique is that malicious code thatexpects useful functions or data to be located at fixed addresses doesnot find the functions or data there. VASR will stop Return‑OrientedProgramming (ROP) based attacks by adopting the followingapproach:1 Stack or heap randomization ‑ Randomize the location of stack or

heap in each process.

2 Code relocation ‑ Randomize the location of code in memory.

If an exploit tries to work with fixed addresses, the associatedprocess may crash. No event will be generated.

Supported OperatingSystems

This feature is available on the followingWindows operating systems:• 32‑bit ‑ Windows XP, Windows 2003, and

Windows 2003 R2

• 64‑bit ‑ Windows XP, Windows 2003, andWindows 2003 R2

Default State Enabled

Event generated No event is generated

Forced DLL Relocation (mp-vasr-forced-relocation)

This feature forces relocation of dynamic-link libraries (DLLs) that do not opt into Windows' native ASLR feature (DLLs built without the dynamic-base linker flag). Some malware relies on such DLLs always being loaded at the same, known addresses and uses them as a source of fixed code and data addresses; relocating these DLLs defeats those attacks.

Supported Operating Systems: This feature is available on the Windows Vista (both 32 and 64 bit), Windows 7 (both 32 and 64 bit), Windows 2008 (both 32 and 64 bit), and Windows 2008 R2 (64 bit) operating systems.

Default State: Enabled

Event generated: VASR_VIOLATION_DETECTED
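Which modules Forced DLL Relocation would act on, and which binaries never opted into NX, can be read straight from each module's PE header: the linker records the opt-ins in the DllCharacteristics field, and the same header records whether an Authenticode signature is embedded (the input the Extract Certificates action works from later in this chapter). The script below is an added example, not product code or anything from this guide; the flag values and offsets are from the PE/COFF specification, and build_sample_pe constructs a minimal, non-loadable header solely so the check can run offline.

```python
"""Added example: read a PE module's ASLR/DEP opt-in flags and signature presence.
Not Application Control code; offsets and flag values follow the PE/COFF specification."""
import struct

# IMAGE_DLLCHARACTERISTICS_* values from the PE/COFF specification.
HIGH_ENTROPY_VA = 0x0020
DYNAMIC_BASE = 0x0040      # /DYNAMICBASE: module opted into ASLR
NX_COMPAT = 0x0100         # /NXCOMPAT: module opted into DEP
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
SECURITY_DIRECTORY = 4     # data directory index of the Attribute Certificate Table


def pe_mitigations(data: bytes) -> dict:
    """Return ASLR/DEP opt-in flags and signature presence for an in-memory PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _machine, _, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    if opt_size < 72:
        raise ValueError("optional header too short")
    opt = coff + 20                       # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+ optional headers.
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    # Data directories start at 96 (PE32) or 112 (PE32+); each entry is (RVA, Size).
    dirs = opt + (112 if magic == PE32PLUS_MAGIC else 96)
    _rva, sec_size = struct.unpack_from("<II", data, dirs + SECURITY_DIRECTORY * 8)
    return {
        "pe32plus": magic == PE32PLUS_MAGIC,
        "aslr": bool(dll_chars & DYNAMIC_BASE),
        "high_entropy": bool(dll_chars & HIGH_ENTROPY_VA),
        "nx": bool(dll_chars & NX_COMPAT),
        "signed": sec_size > 0,          # embedded Authenticode blob present
    }


def relocation_candidates(modules: dict) -> list:
    """Names of modules that did not opt into ASLR, i.e. the ones Forced DLL Relocation
    would rebase; blobs that are not parsable PE headers are skipped."""
    out = []
    for name, blob in modules.items():
        try:
            if not pe_mitigations(blob)["aslr"]:
                out.append(name)
        except (ValueError, struct.error):
            pass
    return sorted(out)


def build_sample_pe(dll_characteristics: int, pe32plus: bool = False, signed: bool = False) -> bytes:
    """Constructed minimal PE header (no sections) for offline testing; not a loadable image."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 240 if pe32plus else 224   # 112/96 fixed bytes + 16 data directories
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0, opt_size, 0x2102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<H", opt, 70, dll_characteristics)
    if signed:
        # Fictional RVA/size of an attribute certificate table placed after the headers.
        dirs = 112 if pe32plus else 96
        struct.pack_into("<II", opt, dirs + SECURITY_DIRECTORY * 8, 0x200, 0x580)
    return dos + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    import os
    import sys
    modules = {}
    if len(sys.argv) > 1:
        # Real use: walk a directory of DLLs/EXEs; the headers sit in the first few KB.
        for root, _, files in os.walk(sys.argv[1]):
            for name in files:
                if name.lower().endswith((".dll", ".exe")):
                    with open(os.path.join(root, name), "rb") as fh:
                        modules[name] = fh.read(8192)
    else:
        # Offline demonstration on constructed headers.
        modules = {"legacy.dll": build_sample_pe(0),
                   "modern.dll": build_sample_pe(DYNAMIC_BASE | NX_COMPAT, signed=True)}
    for name, blob in sorted(modules.items()):
        try:
            print(name, pe_mitigations(blob))
        except (ValueError, struct.error) as err:
            print(name, "skipped:", err)
    print("forced-relocation candidates:", relocation_candidates(modules))
```

Run it with a directory argument (for example the install folder of an application you are about to whitelist) to list the modules that lack the dynamic-base flag; those are the ones this feature rebases, and a module that also lacks NX_COMPAT is one the NX feature cannot rely on the loader to protect.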

Occasionally, some applications (as part of their day-to-day processing) may run code in an atypical way and hence may be prevented from running by the memory-protection techniques. To allow such applications to run, you can define specific rules to bypass the memory-protection techniques. A bypass rule removes those protections for the named binary, so scope each rule to the specific executable that needs it rather than to a broad path. For more information, see the Define bypass rules section.

Manage rule groups
A rule group is a collection of rules. Although you can directly add rules to any McAfee ePO-based policy, the rules defined within a policy are specific to that policy. In contrast, a rule group is an independent unit that collates a set of similar or related rules.

After you define a rule group, you can reuse the rules within the rule group by associating the rule group with different policies. Also, if you need to modify a rule, simply update the rule in the rule group and the change cascades across all associated policies automatically.

Application Control provides predefined rule groups to allow commonly-used applications to run smoothly. Although you cannot edit the predefined rule groups, you can use an existing rule group as a starting point to develop your own rule groups: create a copy of an existing rule group and edit it to add more rules, or create a new rule group. If needed, you can also import or export rule groups.

When do I use rule groups

If you need to define similar rules across policies, using rule groups can drastically reduce the effort required to define rules. If you have a large setup and are deploying the software across numerous endpoints, we recommend you use rule groups to minimize the deployment time and effort.

Consider an example. An organization runs Oracle on multiple servers. Each of these servers is used by the HR, Engineering, and Finance departments for different purposes. To reduce rule redundancy, we define an Application Control rule group (named AC-Oracle) containing rules that define the relevant updaters for Oracle to function.

After the rule group is defined, we can reuse it across the policies for the HR, Engineering, and Finance departments. So, when defining the HR Servers policy, add the AC-Oracle rule group to the policy along with rule groups for the other applications installed on the HR servers. Similarly, add the AC-Oracle rule group to the relevant policies for the Engg Servers and Fin Servers. After defining the policies, if you realize that the rule for a critical file was not created, directly update the rule group and all the policies will be updated automatically. The same cascade applies to any loosening of the rules: an updater added to AC-Oracle is trusted on every server whose policy includes the group, so review changes to shared rule groups with that scope in mind.


Tasks
• Create a rule group on page 59
  Use this task to create a rule group.

• Import or export a rule group on page 60
  If you need to replicate rule group configuration from one McAfee ePO server to another, export the rule group configuration from the (source) McAfee ePO server to an XML file and import the XML file to the (target) McAfee ePO server. You can also export rule groups into an XML file, edit the XML file to make the required changes to rule groups, and import the file to the McAfee ePO server to use the changed rule groups.

• View assignments for a rule group on page 60
  Instead of navigating through all the created policies, you can directly view all the policies in which a rule group is being used. This feature provides a convenient way to verify if each rule group is assigned to the relevant policies.

Create a rule group
Use this task to create a rule group.

Task
1 Select Menu | Configuration | Solidcore Rules.

2 Select Application Control from the Rule Groups tab.

You can use an existing rule group as a starting point or define a new rule group from scratch. To base a new rule group on an existing one (the only way to build on a predefined rule group, which cannot be edited directly), complete steps 3, 5, 6, and 7. To define a new rule group from scratch, complete steps 4, 5, 6, and 7.

3 Create a rule group based on an existing rule group.

a Click Duplicate for an existing rule group.

The Duplicate Rule Group dialog box appears.

b Specify the rule group name.

c Click OK.

The rule group is created and listed on the Rule Groups page.

4 Define a new rule group.

a Click Add Rule Group.

The Add Rule Group dialog box appears.

b Specify the rule group name.

c Select the rule group type and platform.

d Click OK.

The rule group is created and listed on the Rule Groups page.

5 Click Edit for the rule group.

6 Specify the required rules.

For information on how to define rules, see the How do I manage protected endpoints and How do I define rules sections.

7 Click Save Rule Group.


Import or export a rule group
If you need to replicate rule group configuration from one McAfee ePO server to another, export the rule group configuration from the (source) McAfee ePO server to an XML file and import the XML file to the (target) McAfee ePO server. You can also export rule groups into an XML file, edit the XML file to make the required changes to rule groups, and import the file to the McAfee ePO server to use the changed rule groups. Because an imported file can add updaters, installers, and trusted publishers to every policy that uses the rule group, control who can modify an exported XML file and review the changes before importing it.

Use this task to import or export rule groups.

When importing or exporting rule groups containing Trusted Groups, ensure the Active Directory server on the source McAfee ePO server and the destination McAfee ePO server are configured using the same domain name or server name (or IP address).

Task
1 Select Menu | Configuration | Solidcore Rules.

2 Complete one of these tasks from the Rule Groups tab.

• To import rule groups, click Import, browse and select the rule groups file, and click OK. While importing, you can specify whether to override rule groups (if you are importing a rule group with the same name as an existing rule group).

• To export selected rule groups to an XML file, select the rule groups, click Export, and save the file.

View assignments for a rule group
Instead of navigating through all the created policies, you can directly view all the policies in which a rule group is being used. This feature provides a convenient way to verify if each rule group is assigned to the relevant policies.

Use this task to view the assignments for a rule group.

Task
1 Select Menu | Configuration | Solidcore Rules.

2 Click Assignments on the Rule Groups tab for a rule group to view the policies to which the selected rule group is assigned.

Manage certificates
Add a certificate or publisher prior to defining rules to permit installation and execution of all software signed by the certificate. You can add a certificate regardless of whether the certificate is an internal certificate or is issued to the vendor by a Certificate Authority.

Application Control supports only X.509 certificates.

After you add a certificate and define it as a trusted publisher, all applications signed by the certificate are allowed. Also, all applications and binary files either added or modified on an endpoint that are signed by the certificate are automatically added to the whitelist. Trust is therefore granted to everything the certificate signs, including binaries that do not yet exist, so confirm which publisher a certificate actually belongs to (the Issued to and Issued by values on the Publishers tab) before assigning it.


Tasks
• Add a certificate on page 61
  You can use one of these methods to add a certificate.

• Assign a certificate on page 62
  After you add a certificate, you can assign it to a policy or rule group. Use this task to assign a certificate or publisher to a policy or rule group.

• Search for a certificate on page 63
  Use this task to search for a certificate.

• View assignments for a certificate on page 63
  This feature provides a convenient way to verify if each certificate is assigned to the relevant policies and rule groups.

Add a certificate
You can use one of these methods to add a certificate.

• Upload an existing certificate available to you

• Immediately extract certificates from one or more signed binary files present on a network share

• Schedule a server task to routinely extract certificates from one or more signed binary files present on a network share

Use this task to add a certificate.

Task
1 Upload an available certificate by completing these steps.

a Select Menu | Configuration | Solidcore Rules.

b Switch to the Publishers tab.

c Select Actions | Upload.

The Upload Certificate page appears.

d Browse and select the certificate file to import.

e Click Upload.

2 Extract certificates associated with one or more signed binary files present on a network share by completing these steps.

a Select Menu | Configuration | Solidcore Rules.

b Switch to the Publishers tab.

c Select Actions | Extract Certificates.

The Extract Certificate from Binary page appears.

d Type the path of the binary file.

Ensure that the file path is accessible from the McAfee ePO server.

e Specify the network credentials to access the specified network location.

f Click Extract.

3 Schedule and extract the certificates associated with one or more signed binary files present on a network share on a regular basis by completing these steps.

a Select Menu | Automation | Server Tasks.

b Click New Task.

The Server Task Builder wizard opens.

c Type the task name and click Next.

d Select Solidcore: Scan a Software Repository from the Actions drop‑down list.

e Specify the repository path.

All subfolders in the specified path are also scanned for installers and publishers.

f Specify the network credentials to access the specified network location.

g Click Test Connection to ensure that the specified credentials work.

h Select Add extracted certificates and installers to Rule Group to add the certificates and installers extracted by the task to a user-defined rule group and select the user-defined rule group from the list.

You can add extracted certificates and installers only to user‑defined rule groups.

i Click Next.

j Specify the schedule for the task.

k Click Next.

The Summary page appears.

l Review the task summary and click Save.

If needed, you can specify an alias or friendly name for a certificate. Complete these steps to specify the friendly name for a certificate:

1 Select Menu | Configuration | Solidcore Rules.

2 Switch to the Publishers tab.

3 Select a certificate.

4 Click Actions | Edit.

The Edit window appears.

5 Enter the friendly name and click OK.

Assign a certificate
After you add a certificate, you can assign it to a policy or rule group. Use this task to assign a certificate or publisher to a policy or rule group.

Task
1 Assign a certificate to a policy by defining a trusted publisher in a policy.

For more information, see the Design the trust model and How do I define rules sections.


2 Assign a certificate to an existing rule group.

a Select Menu | Configuration | Solidcore Rules.

b Switch to the Publishers tab.

c Select the certificates to add to a rule group.

d Click Actions | Add to Rule Group.

The Add to Rule Group dialog box appears.

e Select the user‑defined rule group in which to add the certificates and click OK.

Alternatively, you can assign a certificate to a user-defined rule group by using the Menu | Configuration | Solidcore Rules | Rule Groups page. For more information, see the Create a rule group section.

Search for a certificate
Use this task to search for a certificate.

Task
1 Select Menu | Configuration | Solidcore Rules.

2 Switch to the Publishers tab.

3 Select a category to sort the listed certificates.

• Issued to — Sorts the list based on the name of the organization that publishes the certificate.

• Issued by — Sorts the list based on the name of the signing authority.

• Extracted From — Sorts the list based on the path of the binary file from which the certificate was extracted.

• Friendly Name — Sorts the list based on the friendly name of the certificate.

4 Type the string to search for and click Search.

View assignments for a certificate
This feature provides a convenient way to verify if each certificate is assigned to the relevant policies and rule groups.

Use this task to view assignments for a certificate.

Task
1 Select Menu | Configuration | Solidcore Rules.

2 Switch to the Publishers tab.

3 Select a publisher and click Actions | Check Assignments.

The Publisher Assignments dialog box lists the rule groups and policies to which the selected certificate is assigned.

Manage installers
Prior to defining rules to permit an installer to install or update software on endpoints, you must add the installer. You can add an executable binary or script file as an installer.

Tasks

• Add an installer on page 64
  You can use one of these methods to add an installer.

• Assign an installer on page 65
  After you add an installer, you can assign it to a policy or rule group. Use this task to assign an installer to a policy or rule group.

• Search for an installer on page 65
  Use this task to search for an installer.

• View assignments for an installer on page 66
  This feature provides a convenient way to verify if each installer is assigned to the relevant policies and rule groups.

Add an installer
You can use one of these methods to add an installer.

• Add an existing installer available to you

• Schedule a server task to routinely add installers

Use this task to add an installer.

Task

1 Add an existing installer by completing these steps.

a Select Menu | Configuration | Solidcore Rules.

b Switch to the Installers tab.

c Select Actions | Add Installer.

The Add Installer page appears.

d Enter the installer details.

e Click Add.

2 Schedule and add installers present on a network share on a regular basis by completing these steps.

a Select Menu | Automation | Server Tasks.

b Click New Task.

The Server Task Builder wizard opens.

c Type the task name and click Next.

d Select Solidcore: Scan a Software Repository from the Actions drop‑down list.

e Specify the repository path.

All subfolders in the specified path are also scanned for installers and publishers.

f Specify the network credentials to access the specified network location.

g Click Test Connection to ensure that the specified credentials work.

h Select Add extracted certificates and installers to Rule Group to add the certificates and installers extracted by the task to a user-defined rule group and select the user-defined rule group from the list.

You can add extracted certificates and installers only to user‑defined rule groups.

i Click Next.

j Specify the schedule for the task.

k Click Next.

The Summary page appears.

l Review the task summary and click Save.

Assign an installer
After you add an installer, you can assign it to a policy or rule group. Use this task to assign an installer to a policy or rule group.

Task
1 Assign an installer to a policy by defining a trusted installer in a policy.

For more information, see the Design the trust model and How do I define rules sections.

2 Assign an installer to an existing rule group.

a Select Menu | Configuration | Solidcore Rules.

b Switch to the Installers tab.

c Select the installers to assign to a rule group.

d Click Actions | Add to Rule Group.

The Add to Rule Group dialog box appears.

e Select the user‑defined rule group in which to add the installers and click OK.

Alternatively, you can assign an installer to a user-defined rule group by using the Menu | Configuration | Solidcore Rules | Rule Groups page. For more information, see the Create a rule group section.

Search for an installer
Use this task to search for an installer.

Task
1 Select Menu | Configuration | Solidcore Rules.

2 Switch to the Installers tab.

3 Select a category to sort the listed installers.

• Installer Name — Sorts the list based on the name of the installer.

• Vendor — Sorts the list based on the name of the vendor who published the installer.

4 Type the installer or vendor name to search for and click Search.

View assignments for an installer
This feature provides a convenient way to verify if each installer is assigned to the relevant policies and rule groups.

Use this task to view assignments for an installer.

Task
1 Select Menu | Configuration | Solidcore Rules.

2 Switch to the Installers tab.

3 Select an installer and click Actions | Check Assignments. The Installer Assignments dialog box lists the rule groups and policies to which the selected installer is assigned.

4 Click OK.

7 Deploying Application Control in Observe mode

Instead of directly placing endpoints in Enabled mode, you can place endpoints in Observe mode to perform a dry run of the Application Control product. You can also use Observe mode to discover the policy rules needed to run a new application prior to enterprise-wide deployment on endpoints already running Application Control.

Observe mode is available on all supported Windows platforms except Windows NT and Windows 2000.Note that Observe mode is not available on the UNIX platforms.

Contents
What are observations
How to deploy in Observe mode
How do I review and manage observations
Place the endpoints in Observe mode
Manage enterprise-wide observations
Troubleshoot endpoint-specific observations
Manage exclusion rules
Exit Observe mode

What are observations
Observations record all activity for managed endpoints.

When running in Observe mode, Application Control allows all operations on the endpoints; no action is blocked on the endpoints. For each action that would be blocked by Application Control in Enabled mode, a corresponding observation is logged in Observe mode. For example, the installation of software or the modification of a package generates corresponding observations.

Observations are generated every minute. All observations generated on an endpoint are sent to the McAfee ePO console after the agent-to-server communication interval (ASCI) lapses. Note that when an endpoint is in Observe mode, no Application Control events are generated for the endpoint, so any monitoring or alerting you have built on Application Control events sees nothing from endpoints in Observe mode; review their observations instead.

Does the software mode impact observations

Observations are generated in the Enabled, Update, and Observe modes.


• For a process or binary file that is assigned updater privileges, observations are generated for only memory protection-related operations in Enabled, Update, and Observe mode. An exception to this is that for the VASR Violation Detected event, no observations are generated if the endpoint is placed in Observe mode. This observation is only generated in the Enabled and Update modes.

• For all processes or binary files that do not have updater privileges:

  • Execution Denied, File Write Denied, ActiveX Installation Prevented, Process Hijack Attempted, Nx Violation Detected, Package Modification Prevented, Process Created, File Created, File Modified, and File Deleted observations are generated in the Enabled mode and Observe mode.

  • Only memory-protection (and corresponding Process Created) observations are generated in Update mode.

What are Generic Launcher processes

Certain processes on the Windows operating system, such as explorer.exe and iexplore.exe, start other processes and can be used to launch any software. Such processes are referred to as Generic Launcher processes and should never be configured as updaters: granting updater privileges to one of them would extend those privileges to anything a user launches through it.

A predefined list of such processes is available in Application Control. You can review and edit the list of Generic Launcher processes for which suggestions are not required.

1 Select Menu | Configuration | Server Settings | Solidcore.

2 Review the processes listed in the Application Control: Generic Launcher Processes field.

3 Click Edit, add the process name to the end of this list (separated by a comma), and click Save.

How to deploy in Observe mode
Deploying Application Control in Observe mode involves the following high-level steps:

1 Identify the staging or test endpoints for deployment.

If you have multiple and different types of endpoints in your setup, we recommend you run Application Control in Observe mode only on a few endpoints of each type. This lets you analyze the product's impact on each type of endpoint, confirm that nothing breaks, and discover the rules relevant to your setup.

2 Place Application Control in Observe mode.

For detailed information, see the Place the endpoints in Observe mode section.

3 Run the endpoints with Application Control in Observe mode for a few days and perform day-to-day tasks on the endpoints.

Observations generated for the endpoints allow you to discover Application Control policy rules for the software installed on the endpoints.

4 Periodically review and take actions for the observations generated for the enterprise. Application Control provides two methods to manage observations:

• Manage enterprise-wide observations - The Predominant Observations dashboard and Predominant Observations page on the McAfee ePO console serve as the central console to manage the volume of observations. For detailed information, see the How do I review and manage observations and Manage enterprise-wide observations sections.

• Manage host-specific observations - The Observations page on the McAfee ePO console serves as the central console to manage and troubleshoot endpoint-specific and file-specific observations. For detailed information, see the How do I review and manage observations and Troubleshoot endpoint-specific observations sections.


5 Review generated observations to validate that no repeat observations are generated.

If appropriate rules are applied at the endpoints, repeat observations will not appear on the McAfee ePO console.

6 Exit Observe mode and place the endpoints in Enabled mode when the number of observations received reduces considerably.

For detailed information, see the Exit Observe mode section.

How do I review and manage observations
Process and manage the generated observations by taking relevant actions for the observations.

Application Control provides two methods to manage observations:

Manage significant observations generated across the enterprise
When you initially place the endpoints in Observe mode the volume of generated observations will be high. We recommend that you frequently process enterprise-wide observations to effectively manage generated observations and ensure the database is not flooded. In most cases, taking the suggested action for a predominant observation will help define the needed rules for your setup.

Manage all observations generated for a specific endpoint
Issues specific to a software or endpoint will not surface as significant observations for your enterprise because of the low count of such observations. You can review endpoint-specific observations and add relevant rules.

How are observations grouped

On the Predominant Observations page
Because Application Control groups related and similar observations across the enterprise, the Predominant Observations dashboard and Predominant Observations page display only the top 10 prominent observations for your setup.

Collating and grouping observations helps manage the generated observations and allows you to focus on the most significant observations. After the observations are received from the endpoint, Application Control collates and groups observations based on the binary or process name associated with the observation. The dashboard sorts the observations based on the total count of observations generated for each binary or process name.

Additional heuristics are applied while collating Process Created observations, because when received in large numbers these observations can flood the database. For all Process Created observations generated for a binary file, Application Control determines whether the count of the observations is more than a predefined threshold value, and only Process Created observations whose count exceeds that threshold are treated as predominant. The threshold value is calculated based on the time interval used to determine the most prominent observations (specified for the Calculate Predominant Observations server task).

On the Observations page
To keep the number of generated observations to a minimum, after the observations are received from the endpoint, Application Control collates and groups related observations and only displays relevant observations on the Observations page. For example, if you install an application such as googleTalk.exe on an endpoint, the installer spawns multiple child processes and each child process adds or updates files on the endpoint. In this scenario, Application Control generates observations for all actions taken by the installer and its child processes. However, it collates the observations generated for the installer (parent process) and its child processes and shows only the relevant observations on the Observations page. For googleTalk.exe, all generated child observations are collated in a parent observation whose object is googleTalk.exe.

While collating observations, the software takes the identified Generic Launcher processes into account. Although observations are generated for Generic Launcher processes, no suggestions are provided for them. Note that while only relevant and collated observations are listed on the Observations page, suggestions are provided for all generated observations (including child observations).

How are suggestions provided on the Predominant Observations page

Application Control uses heuristics to determine the most relevant action for each predominant observation. When you click Actions | Create Custom Rules for an observation on the Predominant Observations page, the most appropriate rules are populated on the Suggestions page.

While working with predominant observations, Application Control performs checks based on the data or information available in the database. The availability of information for an observation determines the checks Application Control performs and the rules that are listed on the Suggestions page.


In the following table, "Parent process" and "Binary/process name" indicate whether that information is available for the observation.

Parent process: Yes. Binary/process name: Yes. Observation type: Process Created
Checks performed and suggestion provided:
1. Do any File Created, File Modified, File Deleted, File Write Denied, or Execution Denied observations exist for the binary file at the next level in the binary tree?
   If not, no actions or suggestions are provided for the observation.
2. Is the parent process a Generic Launcher process?
   If not, rules to add the parent process as an updater are populated on the Suggestions page.
3. Is the binary or process a Generic Launcher process?
   If not, rules to add the binary file as an updater are populated on the Suggestions page.

Parent process: Yes. Binary/process name: No. Observation type: File Created, File Modified, File Deleted, File Write Denied, or Execution Denied
Checks performed and suggestion provided:
1. Is the parent process a Generic Launcher process?
   If not, rules to add the parent process as an updater are populated on the Suggestions page.

Parent process: No. Binary/process name: Yes. Observation type: Process Created
Checks performed and suggestion provided:
1. Do any File Created, File Modified, File Deleted, File Write Denied, or Execution Denied observations exist for the binary file at the next level in the binary tree?
   If not, no actions or suggestions are provided for the observation.
2. Is the binary or process a Generic Launcher process?
   If not, rules to add the binary file as an updater are populated on the Suggestions page.

Parent process: No. Binary/process name: Yes. Observation type: Execution Denied
Checks performed and suggestion provided:
1. Is the binary or process a Generic Launcher process?
   If not, perform the next check.
2. Is the checksum value for the binary file available?
   If yes, rules to authorize the binary file based on its checksum value are populated on the Suggestions page.

Parent process: No. Binary/process name: Yes. Observation type: ActiveX Installation Prevented
Checks performed and suggestion provided:
1. Is the certificate associated with the ActiveX control available?
   If yes, rules to authorize the ActiveX control based on the certificate associated with the control are populated on the Suggestions page.

Parent process: No. Binary/process name: Yes. Observation type: Process Hijack Attempted
Checks performed and suggestion provided:
1. Is the binary or process a Generic Launcher process?
   If not, rules to bypass the binary file from the applied memory-protection techniques are populated on the Suggestions page.

Parent process: No. Binary/process name: Yes. Observation type: Nx Violation Detected
Checks performed and suggestion provided:
1. Is the binary or process a Generic Launcher process?
   If not, rules to bypass the binary file from the applied memory-protection techniques are populated on the Suggestions page.

Parent process: No. Binary/process name: Yes. Observation type: Package Modification Prevented
Checks performed and suggestion provided:
1. Is the binary or process a Generic Launcher process?
   If not, rules to bypass the binary file from the applied memory-protection techniques are populated on the Suggestions page.

How are suggestions provided on the Observations page

The following table details the checks Application Control performs for each observation type. Note the order in which the checks are performed for each observation type; it is also the order in which the resulting actions are offered. If you are running in Observe mode with Full Feature Activation, all the listed observation types are generated. Because memory-protection features are not enabled in Limited Feature Activation, the related observation types (Process Hijack Attempted and Nx Violation Detected) are not generated if you are running Observe mode with Limited Feature Activation.

Also, in Observe mode, although observations are generated for Generic Launcher processes, no suggestions are provided for them. Observations are generated and suggestions are provided for processes spawned by the Generic Launcher processes.

Observation type: Execution Denied
1. Is the file a valid installer?
   If yes, the Add as Installer action is displayed.
2. Is the file stored on a network share or removable media?
   If yes, the Add as Trusted Directory action is displayed. Note that the added trusted directory is granted updater privileges.
3. Is the file present in the whitelist?
   If not, the Add to Whitelist action is displayed.
4. Is the binary a Generic Launcher process?
   If not, the Add as Updater action is displayed.
5. Is the checksum value for the file available?
   If yes, the Add by Checksum action is displayed.
6. Is the file signed by a certificate?
   If yes, the Add Publisher action is displayed. Note that adding the publisher does NOT grant updater privileges to the publisher.

Observation type: File Write Denied
Is the parent process a Generic Launcher process?
   If not, the Add Parent as Updater action is displayed.

Observation type: ActiveX Installation Prevented
The Add Publisher action is displayed.

Observation type: Process Hijack Attempted
Is the process a Generic Launcher process?
   If not, the Add as Exception action is displayed.

Observation type: Nx Violation Detected
Is the process a Generic Launcher process?
   If not, the Add as Exception action is displayed.

Observation type: Package Modification Prevented
1. Is the file stored on a network share or removable media?
   If yes, the Add as Trusted Directory action is displayed. Note that the added trusted directory is granted updater privileges.
2. Is the file a valid installer?
   If yes, the Add as Installer action is displayed.

Observation type: Execution Denied/File Write Denied
1. The Add as Updater action is displayed.
2. Is the file signed by a certificate?
   If yes, the Add Publisher action is displayed. Note that adding the publisher does NOT grant updater privileges to the publisher.
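The table above, written out as code. This is an added example and not code from the product or the guide: a Python model that runs each observation type's checks in the documented order and returns the actions in that same order, which the guide says is the order of preference. The Generic Launcher set is a constructed sample (the guide does not list the product's Generic Launcher processes), the Observation field names are assumed names for the properties the checks consult, and the last row (Execution Denied/File Write Denied) is not modelled because the page does not say when it applies. The narrowest() helper is a reviewer's habit rather than a product feature: it picks the first offered action that authorises the file without granting updater rights.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of Generic Launcher processes; the guide does not list
# the product's actual set, so this is an assumption for the example.
GENERIC_LAUNCHERS = {"explorer.exe", "cmd.exe", "services.exe", "svchost.exe"}

# Actions that only authorise the file itself to run. The guide states that
# Add Publisher grants no updater privileges and that Add as Trusted Directory
# does; Add to Whitelist (solidify) and Add by Checksum authorise execution.
EXECUTION_ONLY = {"Add to Whitelist", "Add by Checksum", "Add Publisher"}


@dataclass
class Observation:
    """Assumed field names for the properties the checks consult."""
    obs_type: str                        # e.g. "Execution Denied"
    binary: str                          # file the observation is about
    parent: Optional[str] = None         # process that acted on the file
    is_installer: bool = False           # passes the product's installer check
    on_share_or_removable: bool = False  # network share or removable media
    in_whitelist: bool = False
    checksum: Optional[str] = None       # hash reported by the endpoint, if any
    signer: Optional[str] = None         # certificate subject, if signed


def is_generic_launcher(name: Optional[str]) -> bool:
    return name is not None and name.lower() in GENERIC_LAUNCHERS


def suggest_actions(obs: Observation) -> List[str]:
    """Run the table's checks in order; the result order is the preference order."""
    actions: List[str] = []
    t = obs.obs_type
    if t == "Execution Denied":
        if obs.is_installer:
            actions.append("Add as Installer")
        if obs.on_share_or_removable:
            actions.append("Add as Trusted Directory")  # grants updater rights
        if not obs.in_whitelist:
            actions.append("Add to Whitelist")
        if not is_generic_launcher(obs.binary):
            actions.append("Add as Updater")
        if obs.checksum:
            actions.append("Add by Checksum")
        if obs.signer:
            actions.append("Add Publisher")  # no updater rights
    elif t == "File Write Denied":
        if not is_generic_launcher(obs.parent):
            actions.append("Add Parent as Updater")
    elif t == "ActiveX Installation Prevented":
        actions.append("Add Publisher")
    elif t in ("Process Hijack Attempted", "Nx Violation Detected"):
        # Generic Launcher processes get observations but no suggestion.
        if not is_generic_launcher(obs.binary):
            actions.append("Add as Exception")
    elif t == "Package Modification Prevented":
        if obs.on_share_or_removable:
            actions.append("Add as Trusted Directory")
        if obs.is_installer:
            actions.append("Add as Installer")
    return actions


def narrowest(actions: List[str]) -> Optional[str]:
    """First suggested action that authorises the file without granting
    updater rights. None means every offered action widens what may change
    the endpoint, so consider an exclusion instead."""
    for action in actions:
        if action in EXECUTION_ONLY:
            return action
    return None


if __name__ == "__main__":
    sample = Observation("Execution Denied", "setup.exe", parent="explorer.exe",
                         on_share_or_removable=True, checksum="ab12", signer="Example Corp")
    print(suggest_actions(sample), "->", narrowest(suggest_actions(sample)))
```

For the sample Execution Denied observation (unsigned-in-whitelist, on a share, with a checksum and a signer) the model returns Add as Trusted Directory, Add to Whitelist, Add as Updater, Add by Checksum and Add Publisher, in that order; narrowest() skips the trusted-directory suggestion because the guide notes that it grants updater privileges. A File Write Denied observation whose parent is a Generic Launcher yields no suggestion at all, matching the note above the table.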

What is filtered by default

Based on the day-to-day and typical behavior of certain binary files on the Windows operating system, Application Control includes predefined rules to filter observations generated for these binary files.

Filters for Process Created observations
Process Created observations are not generated for the following processes:
• SearchProtocolHost.exe
• cmd.exe
• conhost.exe
• audiodg.exe
• SearchIndexer.exe
• taskeng.exe
• lsm.exe
• lsass.exe
• SearchFilterHost.exe

Filters for File Modified, File Created, and File Deleted observations
File Modified, File Created, and File Deleted observations are not generated for the following processes:
• vssvc.exe
• msiexec.exe

Filters for File Modified, File Created, File Deleted, File Write Denied, and Execution Denied observations
File Modified, File Created, File Deleted, File Write Denied, and Execution Denied observations are not generated for the cmd.exe and cidaemon.exe processes.

Observations are also filtered based on the predefined rules to filter events. To view the predefined event filter rules, review the Filters tab of the McAfee rule group for the Application Control product.

Place the endpoints in Observe mode

After you complete installation, we recommend that you place selected endpoints (representing the different types of endpoints in your setup) in Observe mode by using the SC: Enable client task. Place an existing endpoint (running in Enabled mode) in Observe mode by using the SC: Observe Mode client task.

Use this task to place endpoints in Observe mode.


Task

1 Select Menu | Systems | System Tree.

2 Complete these steps from the McAfee ePO 4.6 console.

a Perform one of these actions.

• To apply the client task to a group, select the group in the System Tree and switch to the Assigned Client Tasks tab.

• To apply the client task to an endpoint, select the endpoint on the Systems page and click Actions | Agent | Modify Tasks on a Single System.

b Click Actions | New Client Task Assignment.

The Client Task Assignment Builder page appears.

c Select Solidcore 6.1.0 | SC: Enable and click Create New Task.

The Client Task Catalog page appears.

d Specify the task name and add any descriptive information.

3 Complete these steps from the McAfee ePO 4.5 console.

a Perform one of these actions.

• To apply the client task to a group, select the group in the System Tree and switch to the Client Tasks tab.

• To apply the client task to an endpoint, select the endpoint on the Systems page and click Actions | Agent | Modify Tasks on a Single System.

b Click Actions | New Task.

The Client Task Builder page appears.

c Specify the task name and add any descriptive information.

d Select SC: Enable (Solidcore 6.1.0) and click Next.

The Configuration page appears.

4 Select the Windows platform.

5 Select the All except NT/2000 subplatform.

6 Select the 6.0 and later version.

7 Select the Application Control option.

8 Specify the scan priority.

The scan priority determines the priority of the thread that runs to create the whitelist on the endpoints. We recommend that you set the scan priority to Low. This keeps the performance impact of Application Control on the endpoints minimal, but creating the whitelist might take longer than when you set the priority to High.


9 Specify the activation option.

Limited Feature Activation
The endpoints are not restarted and limited features of Application Control (memory protection features are unavailable) are activated. Memory Protection features are available only after the endpoint is restarted.

Full Feature Activation
The endpoints are restarted, the whitelist is created, and all features of Application Control, including Memory Protection, are active. Restarting the endpoints is necessary to enable the memory protection features. The endpoint is restarted 5 minutes after the client task is received at the endpoint. A popup message is displayed on the endpoint before the endpoint is restarted.

10 Select the Start Observe Mode option.

11 Optionally, select the Pull Inventory option.

If you select this option, the inventory (including the created whitelist) is sent to McAfee ePO. We recommend that you select this option because inventory information is used in multiple workflows available from McAfee ePO.

12 Click Save (McAfee ePO 4.6 only).

13 Click Next.

The Schedule page appears.

14 Specify scheduling details and click Next.

15 Review and verify the task details and click Save.

16 Optionally, wake up the agent to send your client task to the endpoint immediately.

Manage enterprise-wide observations

To manage enterprise-wide observations, use the Predominant Observations dashboard and Predominant Observations page. As you process generated observations and add relevant rules for your enterprise, the number of generated observations gradually declines.

Tasks

• Configure predominant observations on page 75: Configure the frequency and data used to calculate the predominant observations for your setup.

• Process predominant observations on page 76: Process the significant observations generated for your enterprise by taking relevant actions for them.

Configure predominant observations

Configure the frequency and data used to calculate the predominant observations for your setup.

By default, the Solidcore: Calculate Predominant Observations server task runs every day to determine the predominant observations for your enterprise based on the observations generated in the last week. You can modify the frequency at which the server task runs and the data used to determine predominant observations for your setup.

Task

1 Select Menu | Automation | Server Tasks.

The Server Tasks page appears.


2 Locate the Solidcore: Calculate Predominant Observations server task.

3 Click Edit for the server task.

The Description page appears.

4 Click Next.

The Actions page appears.

5 Specify the time interval for which to determine the most prevalent observations.

You can choose to use data for the last 1 day, 2 days, week, fortnight, or month to calculate predominant observations.

6 Click Next.

The Schedule page appears.

7 Specify the schedule for the server task.

8 Click Next.

The Summary page appears.

9 Review the server task details.

10 Click Save.

Process predominant observations

Process the significant observations generated for your enterprise by taking relevant actions for them. Use this task to review and manage the generated observations for your enterprise.

Task

1 Select Menu | Reporting | Dashboards.

2 Select Solidcore: Application Control from the Dashboard list.

3 Navigate to the Predominant Observations dashboard.

Each bar in the chart represents a binary or process name for which a significant number of observations are generated in your enterprise. You can hover over each bar to review information for each significant observation.

4 Click on a bar to review detailed information.

The Predominant Observations page displays details for the top 10 observations for your setup. On this page, you can review the following information for each observation:

• Parent process for the observation

• Binary or process name for the observation

• Type of observation

• Total count of observations

5 Perform one of the following tasks to review detailed information for an observation.

• Click Multiple binaries for a row to review all binary files acted upon by the parent process.

• Click Multiple processes for a row to review all parent processes that act upon the binary file.


Analyze each observation row to determine whether to define exclusion rules to ignore the observations (step 6), define appropriate rules for the binary or process name associated with the observation (step 7), or customize the rules for the binary or process name associated with the observation (step 8). As soon as you take an action for an observation (ignore the observation or define relevant rules), all instances of the observation are removed from the Predominant Observations page and the McAfee ePO database.

6 Define exclusion rules to prevent generation of the corresponding observations.

a Click Exclude for a row.

The Exclude Observations window displays.

b Review the filter rule created for the observation.

c Click OK.

The created rule is added to the Global Observation Rules rule group, which is applied to all endpoints in the enterprise. For information on how to view or edit the rule, see the Review exclusion rules section.

7 Define appropriate rules for the binary or process name associated with the observation.

a Click Approve for a row.

The Approve Observations window displays.

b Review the rule created to allow the binary or process name to run on all endpoints in the enterprise.

c Click OK.

The created rule is added to the Global Observation Rules rule group, which is applied to all endpoints in the enterprise.

8 Customize the rules to create for the binary or process name associated with an observation.

a Select an observation row.

b Click Actions | Create Custom Rules.

The Suggestions page displays. Depending on the properties and attributes of the binary or process, the appropriate rule is pre-populated on the page.


c Specify the rule group for the rule.

• To add the rule to an existing rule group, select Add to an existing Rule Group and select the rule group from the list.

• To create a new rule group with the rules, select Create a new Rule Group and enter the rule group name.

d Click Save.

The created rule is added to the specified rule group.

After you exclude observations or define relevant rules for observations from the Predominant Observations page, the processed observations are deleted from the database. Because there can be a lag between rule creation at McAfee ePO and rule application on the endpoints, endpoints may still generate observations for which action has already been taken on the McAfee ePO console. Such observations flow to the McAfee ePO console when the agent-to-server communication interval (ASCI) lapses. To ensure that observations reaching the McAfee ePO console after rule creation do not show up again, observations matching an approved or excluded observation are automatically discarded at McAfee ePO for 24 hours (configurable) after the rule is defined. You can configure this setting from the Server Settings page.

1 Select Menu | Configuration | Server Settings | Solidcore.

2 Review the setting for the Observe Mode: Specify time period (in minutes) for which to ignore observations in the database that match Approved/Excluded observations field.

3 Click Edit to update the value.

4 Specify the value (in minutes) and click Save.

Troubleshoot endpoint-specific observations

In most cases, taking action for a predominant observation defines the rules your setup needs. In some cases, however, in addition to taking the suggested action for the predominant observation, you might need to review and take action on the observations for specific endpoints. Manage observations specific to an endpoint or a file by using the Menu | Application Control | Observations | Observations page.

Tasks

• Review observations on page 79: Use this task to review the generated observations.

• Analyze suggestions on page 79: Use this task to analyze the suggestions available for an observation, and approve or dismiss the observations.

• Delete observations on page 82: Use this task to delete processed observations to preserve database size. Note that deleting the observations removes the selected observations from the Observations page and database.


Review observations

Use this task to review the generated observations.

Task

1 Select Menu | Application Control | Observations.

2 Switch to the Observations tab.

The Solidcore Observations page appears. On this page, you can review the following information for each observation:

• Time at which the observation was logged

• Name of the host on which the observation occurred

• Name of user who caused the observation

• Name and location of the binary file for which the observation was generated

• Enterprise trust level of the binary file

• Name of the parent process that acted upon the binary file

• Type of observation

3 Review selected observations by using these methods.

• Filter observations based on the process name, binary name, or observation type by specifying the search criteria and clicking Search.

• Select a time window, approval status, or both to view observations that match the filter criteria.

• Enter a search string in the Quick find field and click Apply to view observations that match the specified search criteria.

• Sort the list based on the time, binary name, or process name by clicking the column heading.

• Select the observations of interest and click Show selected rows to review only the selected observations.

To ignore or dismiss one or more observations, select the observations and click Actions | Dismiss Observations. Alternatively, you can review observation details and the provided suggestions and then choose to either approve or dismiss the observation. For more information, see the Analyze suggestions section.

Analyze suggestions

Use this task to analyze the suggestions available for an observation, and approve or dismiss the observations.

You can choose to:

• Take actions based on the available suggestions and approve the observations.

• Dismiss irrelevant or routine observations and optionally define exclusion rules to stop receiving similar observations.

While approving or dismissing an observation, you can choose to approve or dismiss similar observations generated for other endpoints. Based on the observation type, all observations generated on different hosts with the same checksum value, file name, or ActiveX control name (whichever applies) are considered similar observations.
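Two behaviours described on these pages are easy to get wrong when reasoning about what a single click affects: which observations on other hosts count as "similar" (this section), and the ignore window after a rule is defined that discards late copies arriving once the ASCI lapses (the Process predominant observations section). The following Python model is an added example, not product code, and assumes one mapping among the three keys the guide names: ActiveX observations are matched by control name, other types by checksum when the endpoint reported one, otherwise by file name. The Observation fields and the DecisionLog class are constructed for the example; the default window of 1440 minutes is the guide's 24 hours.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass
class Observation:
    obs_type: str
    host: str
    binary: str                         # file name
    checksum: Optional[str] = None      # hash reported by the endpoint, if any
    activex_name: Optional[str] = None  # for ActiveX Installation Prevented


Key = Tuple[str, str]


def similarity_key(obs: Observation) -> Key:
    """Assumed choice among the guide's three keys: ActiveX observations by
    control name, otherwise checksum when reported, else file name."""
    if obs.obs_type == "ActiveX Installation Prevented":
        return ("activex", (obs.activex_name or "").lower())
    if obs.checksum:
        return ("checksum", obs.checksum.lower())
    return ("name", obs.binary.lower())


def similar_to(target: Observation, pool: List[Observation]) -> List[Observation]:
    """Observations on other hosts that Approve/Dismiss Similar would also cover."""
    key = similarity_key(target)
    return [o for o in pool if o is not target and o.host != target.host
            and similarity_key(o) == key]


class DecisionLog:
    """Records approve/exclude/dismiss decisions and answers whether a late
    observation (generated before the rule reached the endpoint, delivered
    after the ASCI lapsed) should be discarded rather than shown again."""

    def __init__(self, ignore_minutes: int = 1440):  # guide default: 24 hours
        self.window = timedelta(minutes=ignore_minutes)
        self._by_key: Dict[Key, Tuple[str, datetime]] = {}
        self._by_host: Dict[Tuple[str, Key], Tuple[str, datetime]] = {}

    def record(self, obs: Observation, decision: str, when: datetime,
               similar: bool = True) -> None:
        key = similarity_key(obs)
        if similar:                       # "Approve/Dismiss Similar Observations"
            self._by_key[key] = (decision, when)
        else:                             # this host only
            self._by_host[(obs.host, key)] = (decision, when)

    def should_ignore(self, obs: Observation, now: datetime) -> bool:
        key = similarity_key(obs)
        entry = self._by_key.get(key) or self._by_host.get((obs.host, key))
        if entry is None:
            return False
        _, when = entry
        return when <= now <= when + self.window

    def triage(self, incoming: List[Observation], now: datetime):
        """Split a batch arriving from the agents into (keep, discard)."""
        keep, discard = [], []
        for obs in incoming:
            (discard if self.should_ignore(obs, now) else keep).append(obs)
        return keep, discard
```

Note what the window does not do: once it lapses, a fresh copy of the same observation is shown again, which is the signal that the rule never reached that endpoint (for example, the rule group was not included in a policy applied to it; see step 4h below). A similarity key based on file name alone also matches a differently hashed file of the same name on another host, so prefer checksum-keyed decisions where the endpoint reported one.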


Task

1 Click Show Suggestions.

Detailed information for the selected observation appears on the Observations Detail page. By default, the file associated with the observation is selected in the Binary Tree pane. The page includes these components:

Binary Tree pane
Allows you to review information for all the child observations associated with the opened collated observation. By default, the file associated with the collated observation is selected in this pane. For information on the Cloud Trust Score and Enterprise Trust Level fields, see the Interpret the inventory section.

Suggestions tab
• Binary Info pane: Displays detailed information for the selected binary file and lists all the actions you can perform for the file.
• Publisher Info pane: Displays information for the certificate, if any, associated with the file.
• Rule Group pane: Displays the various rules to be added to the rule group. By default, this pane is empty and is populated based on the actions you perform.
• Files to be Whitelisted pane: Displays the various files to be whitelisted on the endpoint. By default, this pane is empty and is populated only when you choose the Add to Whitelist action.

Observations tab
Displays detailed information for observations in a tabular format.

2 View the file list in the Binary Tree pane.

The tree hierarchically represents the relationship between the file and its parent process. It also lists all the observations generated for the file.

3 Analyze the suggestions available for the observation.

a Ensure that the relevant node is selected in the Binary Tree pane.

b Review the available suggestions.

For all observations (except ActiveX Installation Prevented), the Binary Info pane is available on the Suggestions tab. The Publisher Info pane is displayed only if a certificate is associated with the file.


Binary Info
Displays detailed information for the binary file. You can review the binary name, path, cloud trust score, enterprise trust level, and checksum.

Depending on the file's properties and attributes, one or more of these actions are available for the file:
• Add as Installer
• Add as Exception
• Add as Updater
• Add by Checksum
• Add to Whitelist
• Add as Trusted Directory
• Add Parent as Updater

The Add to Whitelist action differs from the other actions available for the file. When you select the Add to Whitelist action, a client task is created and applied to the specific endpoint. This client task invokes the solidify command for the selected path. Note that no changes are made to existing policies applied to the endpoints. Selecting any other action, such as Add by Checksum, allows you to add rules to a specific rule group that can be included in one or more policies.

Publisher Info
Displays information for the certificate associated with the file. For the certificate you can review these details:
• Company name the certificate is issued to
• Certificate issuing authority
• Expiry date for the certificate
• Friendly name for the certificate

For a certificate, you can click Add Publisher to add the certificate as a trusted publisher.

c Review the order in which the suggestions are listed.

The order indicates the preferred and suitable actions to take for the observation.

d Review the cloud trust score and trust level for the file.

These values help you identify files that are likely to be malicious. Treat a low score or trust level as a reason to investigate before approving, not as proof either way.

You can choose to either take actions and approve the observation (perform step 4) or dismiss theobservation (perform step 5).

4 Approve the observation.

a Take the required actions for the file. For detailed information on each action, see the How do I manage protected endpoints section.

The Rule Group and Files to be Whitelisted panes are updated based on the selected actions.

b Review the information in the Rule Group and Files to be Whitelisted panes.

While all the rules listed in the Rule Group pane are added to a rule group (and affect all policies that include the rule group), the files listed in the Files to be Whitelisted pane are added to a task that is applied to the endpoint. Note that the Add to Whitelist action does not result in any rule group or policy changes.

c Specify the rule group for the rules.

• To add the rules to an existing rule group, select Add to an existing Rule Group and select the rule group from the list.

• To create a new rule group with the rules, select Create a new Rule Group and enter the rule group name.


d Click Approve.

The Approve Observations window appears.

e Enter remarks to optionally provide a description for the approval.

f Select Approve Similar Observations to approve similar observations on other endpoints.

g Click OK.

h Ensure the updated rule group is included in a policy applied to the endpoint.

5 Dismiss the observation.

a Click Dismiss.

The Dismiss Observations window appears.

b Enter remarks to optionally specify the reason for dismissing.

You can choose to perform these actions:

• Ignore selected observations and set their status to Dismissed (perform only step d)

• Ignore selected observations and other similar observations and set their status to Dismissed (perform steps c and d)

c Select Dismiss Similar Observations to ignore similar observations on other endpoints.

d Click OK.

Delete observations

Use this task to delete processed observations to preserve database size. Note that deleting the observations removes the selected observations from the Observations page and database.

Task

1 Select Menu | Application Control | Observations.

2 Switch to the Observations tab.

The Solidcore Observations page displays all observations.

3 Select the observations to delete.

4 Click Actions | Delete Observations.

The Delete Observations window appears.

5 Optionally, select Delete Similar Observations to delete similar observations.

All observations with the same checksum or file name on different hosts are considered similar observations.

6 Click OK.

Manage exclusion rules

Exclusion rules help you prune routine or system-generated observations not relevant for monitoring or auditing.

Application Control allows multiple methods to define exclusion rules:


• Automatically create exclusion rules for the binary file associated with an observation by clicking Exclude for the observation on the Predominant Observations page. Automatically defined exclusion rules are added to the Global Observation Rules rule group.

• Manually define exclusion rules for any process by using the Filters tab in the Application Control policy. While manually defining exclusion rules, you can specify the rule group in which to add rules.

Tasks

• Review exclusion rules on page 83: Use this task to review and manage the defined exclusion rules.

• Exclude observations manually on page 83: Use this task to define rules to exclude or ignore observations that are not relevant for monitoring.

Review exclusion rules

Use this task to review and manage the defined exclusion rules.

Task

1 Select Menu | Configuration | Solidcore Rules.

2 Select the Application Control type and Windows platform on the Rule Groups tab.

3 Navigate and locate the Global Observation Rules rule group.

4 Click Edit for the Global Observation Rules rule group.

5 Switch to the Filters tab.

6 Review the included rules.

7 Click Cancel.

Exclude observations manually

Use this task to define rules to exclude or ignore observations that are not relevant for monitoring.

Task

1 Perform one of the following tasks:

• To apply exclusion rules to selected endpoints in the enterprise, open the specific Application Control policy in which to add rules.

• To apply exclusion rules to all endpoints in your enterprise, open the Global Observation Rules rule group.

2 Switch to the Filters tab.

3 Click Add Rule.

A new filter row appears. You can create filters based on files, events, programs, registry keys, and users.

4 Edit the settings to define the filter rule.

5 Click + or Add Rule to specify additional AND or OR conditions, respectively.


6 Optionally, select Apply rule to events also to ensure that events matching the filter criteria are also excluded.

7 Save your changes.
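The filter mechanism behind this procedure and behind the predefined filters in the What is filtered by default section, modelled in Python as an added example that is not product code. Conditions within one rule are ANDed and rules are ORed, as the + and Add Rule controls in step 5 describe; the predefined filters are loaded as data so a custom rule can be tried against them. Matching Process Created on the created binary and the file observations on the acting (parent) process is an assumption, as are the Observation field names, the glob syntax for conditions, and the broad_rules() check, which is a review aid rather than a product feature.

```python
from dataclasses import dataclass
from fnmatch import fnmatch
from typing import List, Optional, Sequence, Tuple


@dataclass
class Observation:
    obs_type: str
    binary: str                    # file the observation is about
    parent: Optional[str] = None   # process that acted on the file
    path: str = ""                 # full path of the file
    user: str = ""


# A condition is (observation field, glob pattern). A rule is a list of
# conditions that must all match (AND). A rule set matches if any rule does (OR).
Condition = Tuple[str, str]
Rule = List[Condition]

FILE_TYPES = ("File Modified", "File Created", "File Deleted")
DENIED_TYPES = FILE_TYPES + ("File Write Denied", "Execution Denied")


def _per_process(processes: Sequence[str], types: Sequence[str], field: str) -> List[Rule]:
    return [[(field, p), ("obs_type", t)] for p in processes for t in types]


# The predefined filters listed in the guide. Matching Process Created on the
# created binary and file observations on the acting process is an assumption.
DEFAULT_RULES: List[Rule] = (
    _per_process(["SearchProtocolHost.exe", "cmd.exe", "conhost.exe", "audiodg.exe",
                  "SearchIndexer.exe", "taskeng.exe", "lsm.exe", "lsass.exe",
                  "SearchFilterHost.exe"], ["Process Created"], "binary")
    + _per_process(["vssvc.exe", "msiexec.exe"], FILE_TYPES, "parent")
    + _per_process(["cmd.exe", "cidaemon.exe"], DENIED_TYPES, "parent")
)


def condition_matches(cond: Condition, obs: Observation) -> bool:
    field, pattern = cond
    value = getattr(obs, field) or ""
    return fnmatch(value.lower(), pattern.lower())


def rule_matches(rule: Rule, obs: Observation) -> bool:
    return all(condition_matches(c, obs) for c in rule)      # AND


def is_filtered(obs: Observation, rules: Sequence[Rule]) -> bool:
    return any(rule_matches(r, obs) for r in rules)          # OR


def apply_filters(observations: Sequence[Observation],
                  custom_rules: Sequence[Rule] = ()) -> List[Observation]:
    """Observations that survive the default filters plus any custom rules."""
    rules = DEFAULT_RULES + list(custom_rules)
    return [o for o in observations if not is_filtered(o, rules)]


def broad_rules(rules: Sequence[Rule]) -> List[Rule]:
    """Custom rules that suppress Execution Denied (or every type) for a
    process without naming a binary or path. Such a rule hides blocked
    executions instead of authorising a specific file; review before saving."""
    flagged = []
    for rule in rules:
        fields = {f for f, _ in rule}
        types = {p for f, p in rule if f == "obs_type"}
        unrestricted_type = not types or "*" in types or "Execution Denied" in types
        if unrestricted_type and not fields & {"binary", "path"}:
            flagged.append(rule)
    return flagged
```

An exclusion rule only stops the observation from being reported; in Enabled mode the underlying action is still denied, so a rule that hides Execution Denied for a whole process leaves you blind to blocks you may later need to authorise. That is what broad_rules() flags.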

Exit Observe mode

Use this task to exit Observe mode and switch to Enabled mode.

Task

1 Select Menu | Systems | System Tree.

2 Complete these steps from the McAfee ePO 4.6 console.

a Perform one of these actions.

• To apply the client task to a group, select the group in the System Tree and switch to the Assigned Client Tasks tab.

• To apply the client task to an endpoint, select the endpoint on the Systems page and click Actions | Agent | Modify Tasks on a Single System.

b Click Actions | New Client Task Assignment.

The Client Task Assignment Builder page appears.

c Select Solidcore 6.1.0 | SC: Observe Mode and click Create New Task.

The Client Task Catalog page appears.

d Specify the task name and add any descriptive information.

3 Complete these steps from the McAfee ePO 4.5 console.

a Perform one of these actions.

• To apply the client task to a group, select the group in the System Tree and switch to the Client Tasks tab.

• To apply the client task to an endpoint, select the endpoint on the Systems page and click Actions | Agent | Modify Tasks on a Single System.

b Click Actions | New Task.

The Client Task Builder page appears.

c Specify the task name and add any descriptive information.

d Select SC: Observe Mode (Solidcore 6.1.0) and click Next.

The Configuration page appears.

4 Select End Observe Mode.

5 Specify whether to place the endpoints in Enabled or Disabled mode.

6 Indicate whether to update the whitelist based on the changes made in Observe mode.

If you have modified existing files on the endpoint while it was running in Observe mode, make sure that you update the whitelist based on the changes made to the endpoint.

7 Click Save (McAfee ePO 4.6 only).


8 Click Next.

The Schedule page appears.

9 Specify scheduling details and click Next.

10 Review and verify the task details and click Save.

11 Optionally, wake up the agent to send your client task to the endpoint immediately.


8 Monitoring your protection

When Application Control is running in Enabled mode, only authorized programs (executable binary and script files) can run, unauthorized programs cannot run, and authorized programs cannot be changed. Application Control provides various methods to allow changes to the managed endpoints while in Enabled mode.

You can choose to define updaters, publishers, installers, trusted users, and trusted directories. Also, to perform ad‑hoc changes to the endpoints, you can place the endpoints in Update mode. For detailed information on each method, see the How do I manage protected endpoints section.

Contents

• Enable Application Control
• Review predefined rules
• Review events
• How do I define rules
• Allow ActiveX controls to run

Enable Application Control

Use this task to activate the Application Control software.

If the endpoints are running in Observe mode, we recommend you use the SC: Observe Mode client task to exit Observe mode and place the endpoints in Enabled mode. For detailed instructions, see the Exit Observe mode section.

Task

1 Select Menu | Systems | System Tree.

2 Complete these steps from the McAfee ePO 4.6 console.

a Perform one of these actions.

• To apply the client task to a group, select a group in the System Tree and switch to the Assigned Client Tasks tab.

• To apply the client task to an endpoint, select the endpoint on the Systems page and click Actions | Agent | Modify Tasks on a Single System.

b Click Actions | New Client Task Assignment.

The Client Task Assignment Builder page appears.

c Select the Solidcore 6.1.0 | SC: Enable and click Create New Task.

The Client Task Catalog page appears.

d Specify the task name and add any descriptive information.


3 Complete these steps from the McAfee ePO 4.5 console.

a Perform one of these actions.

• To apply the client task to a group, select a group in the System Tree and switch to the Client Tasks tab.

• To apply the client task to an endpoint, select the endpoint on the Systems page and click Actions | Agent | Modify Tasks on a Single System.

b Click Actions | New Task.

The Client Task Builder page appears.

c Specify the task name and add any descriptive information.

d Select SC: Enable (Solidcore 6.1.0) and click Next.

The Configuration page appears.

4 Select the platform.

5 Select the subplatform (only for the Windows and Unix platforms).

6 Select the version (only for the All except NT/2000 subplatform).

7 Select the Application Control option.

8 Complete the following steps to enable Application Control.

The steps depend on the Solidcore client version.

Solidcore client version 5.1.2 or earlier (UNIX), or 5.1.5 or earlier (Windows):

1 Select the Perform Initial Scan to create whitelist option to create the whitelist when enabling Application Control.

Application Control requires the creation of a list of all trusted executable files present on the endpoint system (known as the whitelist). The one‑time activity of creating the whitelist is known as whitelisting or solidification. You can choose to create the inventory while enabling the Solidcore client or defer creating it until later.

If you defer the scan, run the SC: Initial Scan to create whitelist client task after the SC: Enable task is applied and the system is restarted.

2 Select Force Reboot with the task to restart the endpoint after solidification is complete.

Restarting the system is necessary to enable the software. A pop‑up message is displayed at the endpoint 5 minutes before the endpoint is restarted. This allows the user to save work and data on the endpoint.

Solidcore client version 6.1.0 or later (UNIX):

Deselect the Force Reboot with the task option. When using Solidcore client version 6.1.0 or later, restarting the system is not necessary to enable the software.


Solidcore client version 6.0.0 or later (Windows):

Solidcore client version 6.1 is not available for the Windows NT, Windows 2000, HP‑UX, Solaris, and WindRiver Linux platforms.

1. Specify the scan priority.

The scan priority determines the priority of the thread that is run to create the whitelist on the endpoints. We recommend you set the scan priority to Low. This ensures that Application Control causes minimal performance impact on the endpoints but might take longer (than when you set the priority to High) to create the whitelist.

2. Specify the activation option.

Limited Feature Activation: The endpoints are not restarted and limited features of Application Control are activated (memory protection features are unavailable). Memory Protection features are available only after the endpoint is restarted.

Full Feature Activation: The endpoints are restarted, the whitelist is created, and all features of Application Control including Memory Protection are active. Restarting the endpoints is necessary to enable the memory protection features. The endpoint is restarted 5 minutes after the client task is received at the endpoint. A pop‑up message is displayed on the endpoint before the endpoint is restarted.

3. Select the Start Observe Mode option to place the endpoints in Observe mode.

The Observation mode feature is available only on the Windows operating system.

4. Optionally, select the Pull Inventory option.

If you select this option, the software fetches the inventory details for the endpoints (after the whitelist is created) and makes the details available on the McAfee ePO console when the ASCI lapses. We recommend you select this option if you wish to manage the inventory using the McAfee ePO console.

9 Click Save (McAfee ePO 4.6 only).

10 Click Next.

The Schedule page appears.

11 Specify scheduling details and click Next.

12 Review and verify the task details and click Save.

13 Optionally, wake up the agent to send your client task to the endpoint immediately.

Review predefined rules

Application Control includes predefined rules to allow multiple commonly‑used applications, such as Oracle and Adobe Acrobat, to run. By default, these rules are applied to the global root in the system tree and hence are inherited by all McAfee ePO‑managed endpoints. As soon as an endpoint connects to the McAfee ePO, the McAfee Default policy applicable to the endpoint's operating system comes into play.

Use this task to review the predefined rules included in the McAfee Default policy.


Task

1 Select Menu | Policy | Policy Catalog.

2 Select the Solidcore 6.1.0: Application Control product.

All policies for all categories are listed. Note that a McAfee Default policy exists for each supported operating system.

3 Open the relevant policy.

4 Review the rules.

5 Click Cancel.

Review events

Any action to change or execute a file or program on a protected system causes Application Control to prevent the action and generate a corresponding event on the endpoint. All generated events for managed systems are sent to the McAfee ePO server. Review and manage the generated events to monitor the status of the managed endpoints.

Use this task to review and manage the events from the McAfee ePO console.

Task

1 Select Menu | Reporting | Solidcore Events.

2 Specify the time duration for which to view events by selecting an option from the Time Filter list.

3 Specify the endpoints for which to view events.

a Select the required group in the System Tree.

b Select an option from the System Tree Filter list.

4 Optionally, view only specific events by applying one or more filters.

a Click Advanced Filters.

The Edit Filter Criteria page appears.

b Select an available property.

c Specify the comparison and value for the property.

For example, to view only Execution Denied events, select the Event Display Name property, set comparison to Equals, and select the Execution Denied value.

d Click Update Filter.

Events matching the specified criteria are displayed.

5 View event details.

a Click an event row.

b Review event details.

c Click Close.


6 Review endpoint details for one or more events.

a Select one or more events.

b Click Actions | Show Related Systems.

The Related Systems page lists the endpoints corresponding to the selected events.

c Click a row to review detailed information for the endpoint.

d Optionally, perform any action on the endpoint.

How do I define rules

Use this section to define rules to allow changes and override the applied protection.

Use one of the available methods to define rules to allow changes and override the applied protection:

Tasks

• Review suggestions on page 91

For most events, you do not need to take any actions. However, if the protection that is in effect is preventing a legitimate application from executing, you will need to define rules.

• Create a policy on page 92

Use this task to add specific rules to a rule group or policy. Note that Application Control policies are multi‑slot policies; a user can assign multiple policies to a single node in the system tree.

• Exclude events on page 93

You can define rules to prune routine system‑generated events not relevant for monitoring or auditing. Use this task to exclude or ignore events not required to meet compliance requirements.

• Define bypass rules on page 93

Define specific rules in a policy to bypass applied memory‑protection and other techniques.

Review suggestions

For most events, you do not need to take any actions. However, if the protection that is in effect is preventing a legitimate application from executing, you will need to define rules.

To allow you to define rules with ease, Application Control generates events and corresponding observations for these events:

• Execution Denied
• Nx Violation Detected
• File Write Denied
• ActiveX Installation Prevented
• Process Hijack Attempted
• Package Modification Prevented

Use this task to review suggestions available for the generated events and take actions based on the available suggestions.

Task

1 Select Menu | Reporting | Solidcore Events.

2 Specify the time duration for which to view events by selecting an option from the Time Filter list.


3 Specify the endpoints for which to view events.

a Select the required group in the System Tree.

b Select an option from the System Tree Filter list.

4 Click Show Suggestions.

Detailed information for the selected event appears.

5 Approve or dismiss the observation corresponding to the suggestions.

For more information, see the Analyze suggestions section.

6 Ensure the updated rule group is included in a policy applied to the endpoint.

Create a policy

Use this task to add specific rules to a rule group or policy. Note that Application Control policies are multi‑slot policies; a user can assign multiple policies to a single node in the system tree.

Task

1 Select Menu | Policy | Policy Catalog.

2 Select the Solidcore 6.1.0: Application Control product.

3 Click Actions | New Policy.

The New Policy dialog box appears.

4 Select the category.

5 Select the policy you want to duplicate from Create a policy based on this existing policy list.

To define a policy from scratch, select the Blank Template policy.

6 Specify the policy name and click OK.

The Policy Settings page opens. You can now define the rules to include in the policy. You can eitheradd the rules to a rule group or directly add the new rules to the policy.

• To use a rule group, complete steps 7 and 9. For more information on how to create a rule group, see the Create a rule group section.

• To directly add the rules to the policy, complete steps 8 and 9.

7 Add a rule group to the policy.

a Select the rule group in the Rule Groups tab.

The rules included in the rule group are displayed in the various tabs.

b Review the rules.

For more information on adding new rules to the rule group, see the Manage rule groups section.

c Select Add in the Rule Groups tab.

The Select Rule Groups dialog box appears.

d Select the rule group to add.

e Click OK.


8 Add the rules to the policy.

For information on the rules, see the Design the trust model section.

9 Save the policy.

Exclude events

You can define rules to prune routine system‑generated events not relevant for monitoring or auditing. Use this task to exclude or ignore events not required to meet compliance requirements.

Task

1 Select Menu | Reporting | Solidcore Events.

2 Select the events to exclude.

3 Click Actions | Exclude Events.

The Events Exclusion wizard appears.

4 Select the target platform for the rules.

5 Select the rule group type and click Next.

The Define Rules page appears.

6 Rules are auto‑populated based on the selected events.

7 Review and refine existing rules and add new rules, as needed.

8 Click Next.

The Select Rule Group page appears.

9 Add the rule to an existing or new rule group and click Save.

10 Ensure the rule group is added to the relevant policy and the policy is assigned to the endpoints.

Define bypass rules

Define specific rules in a policy to bypass applied memory‑protection and other techniques.

Some applications (as part of their day‑to‑day processing) run code in an atypical way and hence are prevented from running. To allow such applications to run, define appropriate bypass rules. Note that a bypassed file or application is no longer considered by the memory‑protection features of Application Control. Bypassing a file should be the last resort to allow an application to run and should be used judiciously.

Use this task to override or bypass the applied memory‑protection and other techniques.

Task

1 Perform one of these tasks.

• Define a new Application Control rule group (to define bypass rules to reuse across multipleendpoints). For detailed instructions, see the Create a rule group section.

• Create a new Application Control policy (to apply bypass rules to a single endpoint). For detailedinstructions, see the Create a policy section.

2 Select the Exceptions tab.

3 Click Add. The Add Attribute window appears.

4 Enter the file name.


5 Select the required options.

6 Optionally, for the Process Context File Operations Bypass option, specify the parent to allow the file to bypass file operations only if it is launched by the specified parent.

7 Optionally, for the VASR Forced‑Relocation Bypass option, specify the name of the DLL to relocate.

8 Click OK.

Allow ActiveX controls to run

By default, Application Control prevents the installation of ActiveX controls on endpoints.

You can use the ActiveX feature to install and run ActiveX controls on endpoints. This feature is enabled by default and available only on the Windows platform.

Only the Internet Explorer browser is supported for ActiveX control installations. If you are using a 64‑bit operating system, installation of ActiveX controls is supported only for the 32‑bit Internet Explorer application. Simultaneous installation of ActiveX controls using multiple tabs of Internet Explorer is not supported.

Here are high‑level steps to help you use the ActiveX feature.

1 Apply the Common ActiveX Rules policy to the endpoints to allow users to install commonly‑used ActiveX controls on the endpoints. This policy is listed when you select Menu | Policy | Policy Catalog and then select the Solidcore 6.1.0: Application Control product.

2 Perform one of these tasks.

• If the ActiveX control you need to install is listed in the predefined rules, you can directly install the ActiveX control (complete step 3).

• If the ActiveX control you need to install is not listed in the predefined rules, Application Control prevents the installation of the ActiveX control on the endpoint and generates the ActiveX Installation Prevented event (complete steps 3, 4, and 5).

3 Install the required ActiveX control on the endpoint.

4 Review and take actions for the ActiveX Installation Prevented event. Click Add Publisher to add the certificate associated with the ActiveX control as a trusted publisher. For detailed information, see the Review suggestions section.

5 Ensure the updated rule group is included in a policy applied to the endpoint.


9 Managing the inventory

You can review, fetch, and manage the software inventory for protected endpoints. The software inventory for an endpoint contains information about the executable binary and script files present on the endpoint. The information stored in the inventory includes complete file name, file size, checksum, file type, embedded application name, version, and so on.

The software inventory for a managed endpoint is available on the McAfee ePO console and updated regularly based on changes made to the endpoint. You can review and manage the inventory for endpoints from the McAfee ePO console. If needed, you can also fetch inventory for endpoints. You can perform multiple tasks, such as allow or ban specific binary files, review all the occurrences of an application or binary file in the enterprise, and compare the endpoint inventory with a gold system to view image deviation.

Contents

• How is the inventory updated
• Fetch the inventory
• Interpret the inventory
• Review the inventory
• Manage the inventory
• Set the base image
• Compare the inventory

How is the inventory updated

Inventory information available at the McAfee ePO console for endpoints is updated at regular intervals based on changes made at the endpoints. A change to an endpoint's inventory triggers inventory information to be pushed to the McAfee ePO server after the agent‑to‑server‑communication interval (ASCI) lapses. This keeps the inventory information at the McAfee ePO server updated with changes to inventory at the endpoints. Additionally, this avoids the need to manually fetch inventory for an endpoint to get the updated inventory.

The following changes on an endpoint cause corresponding changes to the inventory information at the McAfee ePO server:

• Addition of a file
• Deletion of a file
• Modification of an existing file
• Solidification or unsolidification of a file
• Rename of a file
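The five change types above are what an inventory comparison has to distinguish. The following is an added example, not McAfee's agent or server code: it diffs two inventory snapshots keyed by path, using checksum and size to identify content and a whitelist flag for solidification state. The record layout, the sample paths and their contents are constructed for the example; the product's own schema is not shown in the guide.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class FileEntry:
    """One inventory record (constructed layout, not the product's schema):
    sha1 and size identify the content; solidified says whether the file
    is currently on the whitelist."""
    sha1: str
    size: int
    solidified: bool


def entry(content: bytes, solidified: bool) -> FileEntry:
    """Build a record from sample file content, so the checksums are real."""
    return FileEntry(hashlib.sha1(content).hexdigest(), len(content), solidified)


def diff_inventory(old: Dict[str, FileEntry],
                   new: Dict[str, FileEntry]) -> List[Tuple[str, str]]:
    """Report how `new` differs from `old` as (change_type, path) pairs.

    A path that disappeared whose (sha1, size) reappears under exactly one
    new path is reported as a rename; otherwise it is a deletion, and any
    unmatched new path is an addition.  For paths present in both, a
    checksum or size change is a modification and a whitelist flag change
    is a solidification or unsolidification.
    """
    changes: List[Tuple[str, str]] = []
    removed = set(old) - set(new)
    added = set(new) - set(old)

    # Index new paths by content so vanished files can be matched to renames.
    by_content: Dict[Tuple[str, int], List[str]] = {}
    for p in added:
        by_content.setdefault((new[p].sha1, new[p].size), []).append(p)

    matched: set = set()
    for p in sorted(removed):
        key = (old[p].sha1, old[p].size)
        cands = [q for q in by_content.get(key, []) if q not in matched]
        if len(cands) == 1:
            changes.append(("rename", f"{p} -> {cands[0]}"))
            matched.add(cands[0])
        else:
            changes.append(("deletion", p))

    for p in sorted(added - matched):
        changes.append(("addition", p))

    for p in sorted(set(old) & set(new)):
        o, n = old[p], new[p]
        if (o.sha1, o.size) != (n.sha1, n.size):
            changes.append(("modification", p))
        if o.solidified != n.solidified:
            changes.append(("solidification" if n.solidified else "unsolidification", p))
    return changes


# Constructed sample snapshots: paths and contents are made up for the example.
OLD_SNAPSHOT = {
    r"C:\app\svc.exe": entry(b"svc-v1", True),
    r"C:\app\helper.dll": entry(b"helper", True),
    r"C:\tmp\build.exe": entry(b"build", False),
    r"C:\app\old.exe": entry(b"old", True),
}
NEW_SNAPSHOT = {
    r"C:\app\svc.exe": entry(b"svc-v2", True),      # content changed
    r"C:\app\helper.dll": entry(b"helper", False),  # removed from whitelist
    r"C:\app\build.exe": entry(b"build", False),    # moved from C:\tmp
    r"C:\app\new.exe": entry(b"new", False),        # brand new file
}                                                   # old.exe is gone


def demo() -> List[Tuple[str, str]]:
    return diff_inventory(OLD_SNAPSHOT, NEW_SNAPSHOT)


if __name__ == "__main__":
    for kind, path in demo():
        print(f"{kind:16} {path}")
```

The rename rule is deliberately conservative: when the same content reappears under more than one new path, the example reports a deletion plus additions rather than guessing which copy is the moved file, because a whitelist decision attached to the wrong path is worse than an extra review item.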


Fetch the inventory

Although Application Control maintains the current inventory for managed endpoints, it provides multiple methods to help you fetch the software inventory for an endpoint, if needed.

1 Use the Enable client task to fetch the inventory for endpoints when you place the endpoints in Enabled mode. For more information, see the Enable Application Control section.

2 Use the Fetch link on the Menu | Application Control | Inventory | By Systems page to fetch the inventory for selected endpoints.

3 Use the Fetch Inventory action (Actions | Application Control | Fetch Inventory) for a selected endpoint on the Menu | Systems | System Tree | Systems page to fetch the inventory for an endpoint.

4 Use the Pull Inventory client task to fetch the inventory for one or more endpoints.

Application Control also allows you to import inventory details for endpoints not connected to the McAfee ePO console. Execute the sadmin ls ‑lax > <XML file name> command on the endpoint using the CLI to generate an XML file with inventory details. On the McAfee ePO console, select the endpoint on the Menu | Systems | System Tree | Systems page and click Actions | Application Control | Import Inventory. The inventory for the selected endpoint is updated based on the inventory details included in the XML file.

Use the Fetch link and Fetch Inventory action to quickly fetch inventory for an endpoint. We recommend you use the Pull Inventory client task to fetch inventory details for a group.

When fetching or importing inventory details for endpoints to the McAfee ePO console, you can ignore and not include certain files in the inventory. To specify the file paths to ignore:

1 Select Menu | Configuration | Server Settings | Solidcore.

2 Review the file paths listed in the Inventory: Ignored file paths for Inventory items field.

3 Click Edit to update the list.

The Edit Solidcore page displays.

4 Use regular expressions to specify the file path string at the end of the list (separated by a comma) and click Save.
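Because the ignored-paths list is a set of regular expressions, a pattern that is too broad silently removes files from the inventory you are supposed to be reviewing. The following added example (not product code) parses a comma-separated list as the setting above describes and applies it to constructed sample paths, contrasting an unanchored pattern with anchored ones. The guide does not say whether the product anchors its patterns or ignores case, so search semantics and case-insensitive matching are assumptions here.

```python
import re
from typing import List, Tuple

# Constructed sample inventory paths for the example.
SAMPLE_PATHS = [
    r"C:\Windows\Temp\installer.tmp",
    r"C:\Program Files\Vendor\app.exe",
    r"C:\Users\alice\AppData\Local\Temp\setup.exe",
    r"C:\Program Files\TempoSync\tempo.exe",
]

# An unanchored pattern: matches any path containing "temp" anywhere.
LOOSE_SETTING = r"temp"
# Anchored patterns that name the directories to skip.  Backslashes are
# doubled because the value is a regular expression, not a literal path.
ANCHORED_SETTING = r"^C:\\Windows\\Temp\\,^C:\\Users\\[^\\]+\\AppData\\Local\\Temp\\"


def parse_ignore_list(setting: str) -> List[re.Pattern]:
    """Split the comma-separated setting into compiled patterns.

    Assumption: a comma only ever separates patterns, so a pattern must not
    contain a comma itself (write [0-9][0-9]? rather than [0-9]{1,2}).
    Case-insensitive matching is assumed because the paths are Windows paths.
    """
    patterns = []
    for raw in setting.split(","):
        raw = raw.strip()
        if raw:
            patterns.append(re.compile(raw, re.IGNORECASE))
    return patterns


def filter_inventory(paths: List[str],
                     patterns: List[re.Pattern]) -> Tuple[List[str], List[str]]:
    """Return (kept, ignored).  re.search is used, so an unanchored pattern
    matches anywhere in the path; that is exactly why loose patterns are a
    risk: they can drop unrelated files from the inventory unnoticed."""
    kept: List[str] = []
    ignored: List[str] = []
    for p in paths:
        (ignored if any(pat.search(p) for pat in patterns) else kept).append(p)
    return kept, ignored


def compare_settings():
    """Apply both settings to the sample paths; returns ((kept, ignored), (kept, ignored))."""
    loose = filter_inventory(SAMPLE_PATHS, parse_ignore_list(LOOSE_SETTING))
    anchored = filter_inventory(SAMPLE_PATHS, parse_ignore_list(ANCHORED_SETTING))
    return loose, anchored


if __name__ == "__main__":
    for label, (kept, ignored) in zip(("loose", "anchored"), compare_settings()):
        print(f"{label}: kept={kept} ignored={ignored}")
```

With the loose pattern, a vendor application under a directory that merely contains the letters "temp" disappears from the inventory along with the real temporary files; the anchored patterns skip only the two temp directories. Whatever the product's matching semantics turn out to be, a dry run of this kind against an exported inventory is a cheap check before saving the setting.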

Use this task to fetch the software inventory for one or more endpoints.

Task

1 Select Menu | Systems | System Tree.

2 Complete these steps for the McAfee ePO 4.6 console.

a Perform one of these actions.

• To apply the client task to a group, select a group in the System Tree and switch to the Assigned Client Tasks tab.

• To apply the client task to an endpoint, select the endpoint on the Systems page and click Actions | Agent | Modify Tasks on a Single System.

b Click Actions | New Client Task Assignment.

The Client Task Assignment Builder page appears.

c Select the Solidcore 6.1.0 product, SC: Pull Inventory task type, and click Create New Task.

The Client Task Catalog page appears.

d Specify the task name and add any descriptive information.


3 Complete these steps for the McAfee ePO 4.5 console.

a Perform one of these actions.

• To apply the client task to a group, select a group in the System Tree and switch to the Client Tasks tab.

• To apply the client task to an endpoint, select the endpoint on the Systems page and click Actions | Agent | Modify Tasks on a Single System.

b Click Actions | New Task.

The Client Task Builder page appears.

c Specify the task name and add any descriptive information.

d Select SC: Pull Inventory (Solidcore 6.1.0) and click Next.

The Configuration page appears.

4 Click Save (McAfee ePO 4.6 only).

5 Click Next.

The Schedule page appears.

6 Specify schedule details and click Next.

7 Review and verify the task details and click Save.

8 Optionally, wake up the agent to send your client task to the endpoint immediately.

Interpret the inventory

Application Control is integrated with the McAfee GTI file reputation service. The software synchronizes with the GTI file reputation service on a regular basis to fetch information.

For each binary file, GTI provides these values:

CloudTrustLevel

Indicates if the file is a good, bad, or unknown file. Based on information fetched from GTI, the application and binary files in the inventory are sorted into Good, Bad, and Unclassified categories.

For every Bad binary file encountered in your setup, the software generates the Bad File Found event. Also, if the trust level for a binary file changes from Bad to Good, the Assumed Bad File is Clean event is generated. You can view these events on the Menu | Reporting | Threat Event Log page. If needed, you can set up responses to receive a notification for these events.

CloudTrustScore

Indicates the reliability or credibility of the file. The assigned value ranges between 1 and 5. A value of 1 or 2 represents known bad files, such as trojan, virus, and potentially unwanted program (PUP) files. A value of 3 indicates an Unclassified file. A value of 4 or 5 represents known and trusted good files.

Value, description, and details:

5 Known Clean: Represents files that belong to known, trusted software vendors that McAfee considers clean due to the analysis and reputation of the file, application, software vendor, or digital signature.


4 Assumed Clean: Indicates a high probability that these files are clean based on McAfee's heuristic analysis computed from file reputation and telemetry data.

3 Unknown: Indicates that McAfee did not have sufficient data on these files to conclusively categorize the files as good or bad.

2 Suspicious: Indicates that the files are suspicious and may be malware (based on McAfee's heuristic and behavioral analysis computed from file reputation, telemetry data, and emulation).

1 Malicious: Indicates that the files have been analyzed and determined to be malware.

In addition to the above values, Application Control also tracks the Enterprise Trust Level value for each binary file. By default, the enterprise trust level for a file is the same as the cloud trust level. When edited, the enterprise trust level for a file overrides the cloud trust level for the file.

For example, if your organization uses an internally‑developed application, GTI will mark it as an Unclassified application because it is specific to your organization. However, because you trust the application, you can recategorize it as a Good file by editing the enterprise trust level for the file. To edit the enterprise trust level for a file, select the file and select Actions | Change Enterprise Trust Level.
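The score-to-category mapping, the enterprise override, and the two events named under CloudTrustLevel above fit together as follows. This is an added example, not product code: it maps a CloudTrustScore onto Bad, Unclassified or Good, applies an Enterprise Trust Level override for the category shown, and raises Bad File Found and Assumed Bad File is Clean as a file's cloud level changes between GTI syncs. The guide does not say whether these events follow the cloud level or the enterprise override; this example assumes the cloud level, and the checksums and sync sequence are constructed.

```python
from typing import Dict, List, Optional

BAD, UNCLASSIFIED, GOOD = "Bad", "Unclassified", "Good"


def level_from_score(score: int) -> str:
    """Map a CloudTrustScore (1..5) onto the inventory category:
    1-2 Bad, 3 Unclassified, 4-5 Good."""
    if score not in (1, 2, 3, 4, 5):
        raise ValueError(f"CloudTrustScore out of range: {score}")
    if score <= 2:
        return BAD
    if score == 3:
        return UNCLASSIFIED
    return GOOD


def effective_level(cloud_score: int, enterprise_level: Optional[str] = None) -> str:
    """The category shown in the inventory: the Enterprise Trust Level when it
    has been edited, otherwise the level derived from the cloud score."""
    if enterprise_level is not None:
        return enterprise_level
    return level_from_score(cloud_score)


class TrustTracker:
    """Tracks the last cloud trust level seen per checksum and emits the two
    event names the guide describes.  Assumption (not stated by the guide):
    the events follow the cloud level, not the enterprise override."""

    def __init__(self) -> None:
        self.last_level: Dict[str, str] = {}

    def observe(self, sha1: str, cloud_score: int) -> List[str]:
        """Record one GTI sync result for a file and return any events raised."""
        events: List[str] = []
        prev = self.last_level.get(sha1)
        new = level_from_score(cloud_score)
        if new == BAD and prev != BAD:
            events.append("Bad File Found")          # first time seen as Bad
        if prev == BAD and new == GOOD:
            events.append("Assumed Bad File is Clean")  # Bad -> Good transition
        self.last_level[sha1] = new
        return events


def demo() -> Dict[str, object]:
    """Walk two constructed binaries through a few GTI syncs."""
    tracker = TrustTracker()
    sha = "aa" * 20  # constructed placeholder checksum
    sync1 = tracker.observe(sha, 1)  # first seen, known malicious
    sync2 = tracker.observe(sha, 2)  # still Bad: no repeat event
    sync3 = tracker.observe(sha, 5)  # GTI now says Known Clean
    # In-house tool: GTI has no data (score 3) but the enterprise trusts it.
    inhouse = effective_level(3, enterprise_level=GOOD)
    return {"sync1": sync1, "sync2": sync2, "sync3": sync3, "inhouse": inhouse}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

A Bad-to-Good transition is worth an alert rather than silent reclassification: a file the graylist review previously treated as malware is about to become runnable, and someone should confirm that the reputation change, not a stale override, is the reason.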

Review the inventory

Use this task to manage and take actions on the software inventory for an endpoint.

Task

1 Select Menu | Application Control | Inventory.

2 Perform one of these tasks.

• To manage the inventory for all managed endpoints, select the By Applications tab.

• To manage the inventory for a selected endpoint, switch to the By Systems tab and click View for the relevant endpoint. The inventory for the selected endpoint is listed.

3 Review the applications in the inventory. By default, based on information received from GTI, the application and binary files are sorted into Good, Bad, and Unclassified categories.

Here are some alternate views you can use.

Review all binary files: To view files sorted by name, select the Binary Name filter, leave the filter blank, and click Search.

Review all files sorted by applications: Select the Application filter, leave the file name filter blank, and click Search. The applications and binary files are sorted into Good, Bad, and Unclassified categories. For applications with MSI‑based installers, application and binary files are grouped and categorized based on the product name and version.

Sort the application and binary files based on vendor: Select the Vendor filter, do not specify a vendor name, and click Search. The applications and binary files are sorted by the vendor. For each vendor, you can view the Good, Bad, and Unclassified categories.


4 Review application details (only when you review all files sorted by applications).

a Click App Details.

The Application Details page appears.

b View the details for the application.

c Review the binary files associated with the selected application in the Binaries pane.

d Review the endpoints on which the selected application is present in the Systems pane.

e Optionally, perform any action on the listed endpoints.

f Click Close.

5 Optionally, apply seeded filters, create new filters, or search for specific files, as needed.

Use seeded filters: Select a value from the Saved Filters list. You can choose from these filters:

• All Bad Binaries
• Allowed Unclassified Unsigned Binaries
• Allowed Bad Binaries
• Banned Good Binaries
• Allowed Unclassified Signed Binaries

Create a new filter: To create a new filter:

1. Select the Add Saved Filter option from the Saved Filters list.

2. Select an available property. For example, to identify all unclassified applications that are signed, select the Has Cert and Trust Level (Enterprise) properties.

3. Specify the comparison and value for the property.

• For the Has Cert property, set comparison to Equals, and select the True value.

• For the Trust Level (Enterprise) property, set comparison to Equals, and select the Unclassified value.

4. Click Update Filter.

Search for specific files, for example search for a file based on its checksum value: Select the Binary SHA1 or Binary MD5 filter, enter a checksum value, and click Search. The binary file with the specified checksum value is displayed.

6 Review the binary files.

When you view files sorted by applications or vendors, the Applications or Vendors pane is displayed. The pane provides a tree structure to help you navigate and view the files under each category. Select a node in the tree to review associated binary files in the Binaries pane. For all other views, only the Binaries pane is displayed. For each file, the Binaries pane lists the name, version, trust score, trust level (cloud and enterprise), allowed system count, and banned system count.

7 View binary details.

a Click a binary file.

The Binary Details page appears.

b Click the cloud trust score to view the details fetched from the GTI server for the binary file.

c Review the endpoints listed in the Systems for this Binary pane.


d Click View Events for an endpoint to view events generated for the endpoint.

e Click Ban to ban the binary file from an endpoint.

f Click Close.

Manage the inventory

Use this task to manage the files in the inventory.

Application Control sorts your inventory files into these categories:

Good Includes known good or trusted applications (effectively creating the Whitelist for your enterprise). Because these applications are known files, you do not need to perform extensive management activities for the good files. If your organization needs to disallow a known good file, you can ban the file.

Bad Includes known malware or bad applications (effectively creating the Blacklist for your enterprise). Because these applications are known bad files, for the most part, you will need to ban the bad applications. If needed, you can categorize any in‑house or trusted applications in the bad list as a good file.

Unclassified Includes all unknown applications (effectively creating the Graylist for your enterprise). You should routinely review and manage the graylist for your enterprise to keep it to a minimum size (ideally zero). You might need to reclassify internally developed, recognized, or trusted (from a reputed vendor) files that are currently in the unclassified list.

Any pre‑existing advanced persistent threats (APTs) will reside in the Graylist or Unclassified category.

Task

1 Perform one of these tasks.

• To manage the inventory for all managed endpoints, navigate to the Menu | Application Control | Inventory | By Applications page.

• To manage the inventory for a selected endpoint, navigate to the Menu | Application Control | Inventory | By Systems page and click View for the relevant endpoint.

2 Prevent bad binary or script files from running.

a Select the files to ban.

b Select Actions | Ban Binaries.

The Allow or Ban Binaries wizard appears.

c Specify the rule group for the rules.

• To add the rules to an existing rule group, select Add to Existing Rule Group, select the rule group from the list, and specify the operating system.

• To create a new rule group with the rules, select Create a New Rule Group, enter the rule group name, and specify the operating system.

d Click Next.

e Review the rules and click Save.


3 Allow known binary or script files to run.

a Select the files to allow.

b Select Actions | Allow Binaries.

The Allow or Ban Binaries wizard appears.

c Perform one of these tasks.

• To allow the binary file only on the selected endpoint, add the binary file to the whitelist of the endpoint by selecting the Add Binaries to Whitelist option. This option is available only if you are managing the inventory for an endpoint (by clicking the View link for an endpoint on the By Systems page).

• To allow the binary file on multiple endpoints, add the rules to a rule group.

Add the rules to an existing rule group: Select Add to Existing Rule Group, select the rule group from the list, and specify the operating system.

Create a new rule group with the rules: Select Create a New Rule Group, enter the rule group name, and specify the operating system.

d Click Next.

e Review the rules and click Save.

4 Recategorize an unclassified binary or script file as a good file by editing the enterprise trust level for the file.

a Select the files.

b Select Actions | Change Enterprise Trust Level.

The Change Enterprise Trust Level window appears.

c Set the trust level.

By default, the enterprise trust level for a file is the same as the cloud trust level. When edited, the enterprise trust level for a file overrides the cloud trust level for the file.

5 Add the updated rule group to the policies applied to the endpoints.

Set the base image

Use this task to set the base image for your enterprise.

If the inventory for an endpoint in your setup includes known and trusted applications, you can set it as a base image for your enterprise. This creates an approved repository of known applications, including internally developed, recognized, or trusted (from a reputed vendor) applications. Also, this makes management of desktop systems easier by verifying the corporate applications.

Task

1 Select Menu | Application Control | Inventory | By Systems.

The endpoints in your setup are listed.


2 Navigate to the endpoint on which the known and trusted applications exist.

3 Select Mark Good for the endpoint.

This recategorizes all unclassified binary or script files on the endpoint as good files and edits the enterprise trust level for the files. Note that no changes are made to the Bad binary or script files on the endpoint.

You can also perform this action from the Systems page. Select the endpoint on the Menu | Systems | System Tree | Systems page and click Actions | Application Control | Mark Good.
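As an added illustration (not McAfee's code or any Application Control API), the following Python models what the Review the inventory, Manage the inventory and Set the base image tasks describe: the enterprise trust level overriding the cloud level, the seeded filters and the property-based custom filter, and the Mark Good recategorization that leaves Bad files alone. The record layout, the predicate behind each seeded filter name, the Trust Level (Cloud) property and the sample inventory are this example's assumptions.

```python
# Added example (not McAfee's code): a model of Application Control's inventory
# categories, the enterprise trust override, seeded and custom filters, and the
# Mark Good recategorization. Record layout, filter predicates and sample data
# are this example's assumptions.
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

GOOD, BAD, UNCLASSIFIED = "Good", "Bad", "Unclassified"


@dataclass
class Binary:
    """One row of the Binaries pane (simplified, hypothetical layout)."""
    name: str
    sha1: str                  # constructed sample checksum, not a real file's
    has_cert: bool             # True when the file carries a publisher signature
    cloud_trust: str           # trust level fetched from the GTI server
    enterprise_trust: Optional[str] = None  # set only when an admin edits it
    allowed_systems: int = 0   # endpoints on which the file is allowed
    banned_systems: int = 0    # endpoints on which the file is banned


def effective_trust(b: Binary) -> str:
    """By default the enterprise level equals the cloud level; once edited,
    the enterprise level overrides the cloud level."""
    return b.cloud_trust if b.enterprise_trust is None else b.enterprise_trust


# Seeded filters as named on the page; each predicate is this example's
# reading of the filter name (assumption), not McAfee's definition.
SEEDED_FILTERS: Dict[str, Callable[[Binary], bool]] = {
    "All Bad Binaries":
        lambda b: effective_trust(b) == BAD,
    "Allowed Bad Binaries":
        lambda b: effective_trust(b) == BAD and b.allowed_systems > 0,
    "Banned Good Binaries":
        lambda b: effective_trust(b) == GOOD and b.banned_systems > 0,
    "Allowed Unclassified Signed Binaries":
        lambda b: effective_trust(b) == UNCLASSIFIED and b.has_cert
        and b.allowed_systems > 0,
    "Allowed Unclassified Unsigned Binaries":
        lambda b: effective_trust(b) == UNCLASSIFIED and not b.has_cert
        and b.allowed_systems > 0,
}

# Properties offered by the custom filter builder (a subset; Trust Level
# (Cloud) is a hypothetical name, the others appear on the page).
PROPERTIES: Dict[str, Callable[[Binary], object]] = {
    "Has Cert": lambda b: b.has_cert,
    "Trust Level (Enterprise)": effective_trust,
    "Trust Level (Cloud)": lambda b: b.cloud_trust,
    "Binary SHA1": lambda b: b.sha1,
}


def custom_filter(conditions: List[Tuple[str, str, object]]) -> Callable[[Binary], bool]:
    """Build a filter from (property, comparison, value) rows, as in the
    'Create a new filter' steps; only Equals and Not Equals are modelled."""
    def matches(b: Binary) -> bool:
        for prop, comparison, value in conditions:
            actual = PROPERTIES[prop](b)
            if comparison == "Equals" and actual != value:
                return False
            if comparison == "Not Equals" and actual == value:
                return False
        return True
    return matches


def apply_filter(pred: Callable[[Binary], bool], inv: List[Binary]) -> List[str]:
    """Names of the inventory rows that satisfy the filter, sorted."""
    return sorted(b.name for b in inv if pred(b))


def mark_good(inv: List[Binary]) -> int:
    """Mark Good for a base image: recategorize Unclassified files as Good by
    editing their enterprise trust level; Bad files are left untouched."""
    changed = 0
    for b in inv:
        if effective_trust(b) == UNCLASSIFIED:
            b.enterprise_trust = GOOD
            changed += 1
    return changed


# Constructed sample inventory: names and checksums are made up.
SAMPLE = [
    Binary("notepad.exe", "a" * 40, True, GOOD, allowed_systems=12),
    Binary("dropper.exe", "b" * 40, False, BAD, allowed_systems=1),
    Binary("inhouse-tool.exe", "c" * 40, False, UNCLASSIFIED, allowed_systems=3),
    Binary("vendor-agent.exe", "d" * 40, True, UNCLASSIFIED, allowed_systems=2),
    Binary("legacy-app.exe", "e" * 40, True, GOOD, banned_systems=4),
    Binary("reclassified.exe", "f" * 40, True, BAD, enterprise_trust=GOOD,
           allowed_systems=5),
]
```

Note that reclassified.exe no longer appears under All Bad Binaries once its enterprise level is edited to Good, which is exactly the override the Change Enterprise Trust Level action performs.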

Compare the inventory

Image deviation is used to compare the inventory of an endpoint with the inventory that is fetched from a designated gold system. This helps you to track the inventory present on an endpoint and identify any differences that occur.

To accomplish this, complete these steps.

1 Fetch the inventory for your gold host. For detailed information, see the Fetch the inventory section.

2 Fetch the inventory for the endpoint. For detailed information, see the Fetch the inventory section.

3 Review the Menu | Automation | Solidcore Client Task Log page to ensure that both client tasks completed successfully.

4 Compare the inventory of the gold host with the inventory of the endpoint. This is known as Image Deviation.

5 Review the comparison results.

Tasks

• Run the inventory comparison on page 102
Use this task to compare the inventory of the gold host with the inventory of an endpoint.

• Review the comparison results on page 103
Use this task to review the results of inventory comparison (image deviation).

Run the inventory comparison

Use this task to compare the inventory of the gold host with the inventory of an endpoint.

Task

1 Select Menu | Automation | Server Tasks.

2 Click Actions | New Task.

The Server Task Builder wizard opens.

3 Type the task name and click Next.

4 Select Solidcore: Run Image Deviation from the Actions drop‑down list.

5 Specify the gold system.


6 Configure these options to select the endpoint to compare with the gold system.

• System to compare with Gold System — Click Add to search for the endpoint that you want to compare with the gold system. Type the name of the endpoint in the System Name field and click Search.

• Groups to compare with Gold System — Click Add to search for the group that you want to compare with the gold system. Type the name of the group in the Group Name field and click Search.

• Include Systems with Tags — Click Add to search for endpoints based on their tag names. Type the tag name in the Tag Name field and click Search.

• Exclude Systems with Tags — Click Add to search for endpoints based on their tag names. Type the tag name in the Tag Name field and click Search. Select the required tag from the search result. All endpoints with the selected tags are excluded from comparison with the gold system.

7 Click Next.

The Schedule page appears.

8 Specify the schedule for the task.

9 Click Next.

The Summary page appears.

10 Review the task summary and click Save.

11 Run the server task immediately to instantly review the comparison results.

Review the comparison results

Use this task to review the results of inventory comparison (image deviation).

Task

1 Select Menu | Application Control | Image Deviation.

2 Locate the comparison of the gold host and endpoint.

To quickly find the corresponding row, enter the endpoint name in the Search Target System field and click Search.

3 Click Show Deviations.

4 Review the comparison details.

• Select the view type. You can organize the results based on applications or binary files.

• Use the available filters to sort the results. Using the filters, you can view new (added), modified, and removed (missing) files. Use the Execution Status Mismatch filter to view files with changes to the execution status. Use the path filter to sort the results based on the file path.
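To make the comparison concrete, here is an added Python example (not McAfee's code) that performs an image-deviation style comparison of an endpoint inventory against a gold system inventory and sorts the results into the same buckets the filters above expose: added, removed, modified and execution status mismatch, plus a path filter. The pipe-separated export format and both sample inventories are constructed for this example; the page does not describe the real export format.

```python
# Added example (not McAfee's code): an image-deviation style comparison of an
# endpoint inventory with a gold system's inventory. The pipe-separated export
# format and both sample inventories are constructed for this example.
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class InventoryEntry:
    path: str       # file path on the system
    sha1: str       # checksum of the file contents (constructed values below)
    allowed: bool   # execution status: True when the file may run


def parse_inventory(text: str) -> Dict[str, InventoryEntry]:
    """Parse 'path | sha1 | allowed/banned' lines into a map keyed by path."""
    entries: Dict[str, InventoryEntry] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        path, sha1, status = (part.strip() for part in line.split("|"))
        entries[path] = InventoryEntry(path, sha1.lower(), status.lower() == "allowed")
    return entries


def image_deviation(gold: Dict[str, InventoryEntry],
                    target: Dict[str, InventoryEntry]) -> Dict[str, List[str]]:
    """Sort every path into the buckets the Image Deviation filters expose:
    new (added), removed (missing), modified, and Execution Status Mismatch.
    A file may be both modified and mismatched, so those two lists can overlap."""
    result: Dict[str, List[str]] = {
        "added": [], "removed": [], "modified": [], "execution_status_mismatch": []}
    for path in sorted(gold.keys() | target.keys()):
        g, t = gold.get(path), target.get(path)
        if g is None:
            result["added"].append(path)          # present only on the endpoint
        elif t is None:
            result["removed"].append(path)        # present only on the gold system
        else:
            if g.sha1 != t.sha1:
                result["modified"].append(path)   # same path, different contents
            if g.allowed != t.allowed:
                result["execution_status_mismatch"].append(path)
    return result


def filter_by_path(deviations: Dict[str, List[str]], folder: str) -> Dict[str, List[str]]:
    """The path filter: keep only deviations located under the given folder."""
    prefix = folder.lower().rstrip("\\") + "\\"
    return {bucket: [p for p in paths if p.lower().startswith(prefix)]
            for bucket, paths in deviations.items()}


# Constructed gold-system inventory (what the Fetch the inventory task would collect).
GOLD_EXPORT = r"""
# path | sha1 | execution status
C:\Windows\notepad.exe            | 1111 | allowed
C:\Program Files\Corp\tool.exe    | 2222 | allowed
C:\Program Files\Corp\helper.dll  | 3333 | allowed
C:\Program Files\Legacy\old.exe   | 4444 | allowed
"""

# Constructed endpoint inventory: tool.exe was modified, helper.dll had its
# execution status changed, old.exe is missing and setup.exe was added.
ENDPOINT_EXPORT = r"""
C:\Windows\notepad.exe            | 1111 | allowed
C:\Program Files\Corp\tool.exe    | 2abc | allowed
C:\Program Files\Corp\helper.dll  | 3333 | banned
C:\Users\bob\Downloads\setup.exe  | 5555 | allowed
"""


def run_sample() -> Dict[str, List[str]]:
    """Compare the two constructed inventories."""
    return image_deviation(parse_inventory(GOLD_EXPORT), parse_inventory(ENDPOINT_EXPORT))
```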


10 Managing approval requests

Application Control prevents any new or unknown applications from running on protected endpoints. When the self approval feature is enabled and users try to run an unknown or new application on a protected endpoint, they are prompted to approve or deny the application execution.

For any blocked application or file, users can choose to approve the execution and run the application on the endpoint. When a user approves the execution, the business need or justification provided by the user for running the application is sent to the McAfee ePO administrator. The administrator reviews the approval request and justification provided by the user and can choose to define rules to allow or ban the application for one or all endpoints in the enterprise.

The rules that are applied via policies have precedence over the self approval feature. For example, if the self approval feature is enabled and the user tries to run an application that is banned through a policy, the user will not be prompted to take any action for the application. Also, you cannot self approve and perform any actions that are prevented by Application Control memory‑protection techniques.

The self approval feature is available for binary or executable files, scripts, installers, ActiveX controls, and supported files you run from network shares and removable devices. This feature is available on all supported Windows platforms except Windows NT, Windows 2000, and Windows 2003 (IA‑64 platform). Note that this feature is not available on the UNIX platforms.

Although the self approval feature is available in Limited Feature Activation mode, we recommend that you use this feature in Full Feature Activation mode (after restarting the endpoints). This is because this feature requires patching of some system DLLs and patching may require a reboot to work effectively.

Contents

Enable self approval on endpoints
Configure the Self Approval feature
Review approval requests
Process approval requests
Review created rules

Enable self approval on endpoints

By default, the self approval feature is disabled on endpoints. You can configure a policy to enable this feature on selected endpoints.

Use this task to enable the self approval feature on endpoints. After the feature is enabled, end users can self approve and run an unknown or new application on a protected endpoint.

Task

1 Select Menu | Policy | Policy Catalog.

2 Select the Solidcore 6.1.0: Application Control product.


3 Select the Application Control Options (Windows) category.

4 Edit the My Default policy.

• If you are using McAfee ePO 4.6, click the policy.

• If you are using McAfee ePO 4.5, click Edit Settings for the policy.

By default, the My Default policy is applied to all endpoints in your enterprise. If you wish to enable the self approval feature for selected endpoints, duplicate the My Default policy, edit the settings, and apply the policy to only the relevant endpoints.

5 Select the Enable Self Approval option.

6 Optionally, specify the message to display to the users on the endpoints when they try to run a new or unknown application.

This specified text is displayed on the endpoint in the McAfee Application Control ‑ Self Approval dialog box.

7 Specify a timeout value for the McAfee Application Control ‑ Self Approval dialog box.

The specified value determines the time duration for which the McAfee Application Control ‑ Self Approval dialog box displays on the endpoint after an action is performed by the user. If the user does not take an action in the specified time duration, the action is automatically denied and the McAfee Application Control ‑ Self Approval dialog box closes.

8 Save the policy and apply to the relevant endpoints.

After the policy is applied, the self approval feature is enabled on the endpoints.

9 When users try to run a new application on the endpoints, the McAfee Application Control ‑ Self Approval dialog box indicates that execution of the application has been detected and prompts the user to take an action. Perform one of the following tasks:

• Provide a justification and click Allow to allow the action immediately. When you self approve the action, an approval request is sent to the administrator who reviews the provided justification to determine whether to allow or ban the action for one or more endpoints in the enterprise. The McAfee ePO administrator will allow the action only if it is in accordance with the corporate policies and the application is trusted and known.

• Deny the action by clicking Deny. Users can deny the action when it is not user initiated or the changes seem irrelevant. The deny action is event‑specific. If the same event is generated again, the user will be prompted again to take an action.

Configure the Self Approval feature

Use this task to configure the Self Approval feature.

You can configure the following two settings for the Self Approval feature:


• Certain processes on the Windows operating system, such as explorer.exe and iexplore.exe, start other processes and can be used to launch any software. Such processes are referred to as Generic Launcher processes and should never be configured as updaters. A predefined list of such processes is available in Application Control. You can review and edit the list of Generic Launcher processes. Note that no updater rules are generated for Generic Launcher processes at the endpoints.

• Certificates from certain vendors, such as Microsoft and Adobe, are associated with multiple commonly‑used applications and should not be used to define rules based on the publisher. A predefined list of such certificates is available on the Application Control configuration user interface. You can review and edit the list of Restricted Publisher Names. Note that if the binary in a self approval request is signed by one of these certificates, you cannot create rules based on the certificate associated with the binary file.

Task

1 Select Menu | Configuration | Server Settings | Solidcore.

2 Review and edit the list of generic launcher processes.

a Review the processes listed in the Application Control: Generic Launcher Processes field.

b Click Edit to update the list.

The Edit Solidcore page displays.

c Add the process name to the end of this list (separated by a comma) and click Save.

3 Review and edit the list of restricted publishers.

a Review the names listed in the Self Approval: Restricted Publisher Names field.

b Click Edit to update the list.

The Edit Solidcore page displays.

c Add the vendor name to the end of this list (separated by a comma) and click Save.

For example, to prevent creation of rules based on the Microsoft certificate, add Microsoft to the list.

Review approval requests

Use this task to review the received approval requests.

Task

1 Select Menu | Application Control | Self Approval.

The Self Approval page appears. After the approval requests are received from the endpoints, Application Control collates and groups approval requests based on the following parameters:

• Checksum value of the binary file or cab file (in case of a request for an ActiveX control) for which the request is received

• Status of the approval request

The Activity field for each request indicates the action performed by the user on the endpoint. For example, if the user installs an MSI‑based software, the Activity field lists Software Installation for the approval request.


2 Review the listed approval requests by using one of these methods.

• Select a value for the request status from the Preset list to view approval requests that match the filter criteria.

• Enter a search string in the Quick find field and click Apply to view approval requests that match the specified search string.

• Sort the list based on the notification time, file name, application name, or trust level by clicking the column heading.

• Select the approval requests of interest and click Show selected rows to review only the selected requests.

The Self Approval page lists only the requests for which the McAfee ePO administrator can make rules. To view other approval requests, such as those for software uninstall, run the Self Approval Audit Report query. This report lists all approval requests received from the endpoints in the last month. For information on how to run queries, see the View queries section.

3 Review individual requests that make up a collated request and detailed information for the binary file.

a Click a row to review detailed information.

The Self Approval Request Details page appears.

b Review binary details, such as cloud trust score, properties, and publisher information.

c Review the individual requests that make up the collated request.

d Click Close.

Process approval requests

Process the received approval requests for your enterprise by taking relevant actions for the requests.

Review each request, the justification sent by the user for the request, and determine the action to take for the request.

Tasks

• Allow by checksum on all endpoints on page 109
Use this task to define rules to allow an application or binary file to run on all endpoints in the enterprise based on the checksum value of the binary file.

• Allow by publisher on all endpoints on page 109
Use this task to define rules to allow an application, binary file, or ActiveX control to run on all endpoints in the enterprise based on the publisher associated with the binary file.

• Ban by checksum on all endpoints on page 109
Use this task to define rules to ban an application or binary file from running on all endpoints in the enterprise based on the checksum value of the binary file.

• Define custom rules for specific endpoints on page 110
Use this task to define custom rules to allow or ban an application, binary file, or ActiveX control for specific endpoints in the enterprise.

• Delete approval requests on page 111
Use this task to remove selected requests from the Self Approval page and database.


Allow by checksum on all endpoints

Use this task to define rules to allow an application or binary file to run on all endpoints in the enterprise based on the checksum value of the binary file.

Task

1 Select Menu | Application Control | Self Approval.

The Self Approval page appears.

2 Select the approval requests for which to define rules.

3 Click Actions | Allow Binary Globally.

The Allow Binary Globally dialog box provides details and prompts you to confirm the action.

4 Click OK.

Rules are created for the binary files associated with the selected requests and added to the Global Self Approval Rules rule group included in the McAfee Default policy. For information on how to view or edit the rules, see the Review created rules section.

Allow by publisher on all endpoints

Use this task to define rules to allow an application, binary file, or ActiveX control to run on all endpoints in the enterprise based on the publisher associated with the binary file.

Task

1 Select Menu | Application Control | Self Approval.

The Self Approval page appears.

2 Select the approval request for which to define rules.

3 Click Actions | Allow by Publisher Globally.

The Allow by Publisher Globally action is unavailable if the main binary in the self approval request is signed by a certificate included in the Restricted Publisher Names list.

The Allow by Publisher Globally dialog box provides details and prompts you to confirm the action. Based on the binary file associated with a selected approval request, the publisher is either assigned or not assigned updater privileges. Note that if the publisher has updater privileges, allowing based on publisher will allow all applications signed by the publisher to make changes to existing executable files or launch new applications on the endpoints.

4 Click OK.

Rules are created for the selected requests and added to the Global Self Approval Rules rule group included in the McAfee Default policy.
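The following Python is an added example (not McAfee's code) of the logic spread across the Configure the Self Approval feature, Review approval requests and Allow by checksum/publisher sections: requests are collated by checksum and status, Allow by Publisher Globally is withheld when the main binary is unsigned or signed by a name on the Restricted Publisher Names list, and each global action yields a rule in the Global Self Approval Rules rule group. The request layout, the rule tuple, the "Pending" status and "Execution" activity values, the sample vendor names and substring matching of restricted names are this example's assumptions.

```python
# Added example (not McAfee's code): how self approval requests are collated,
# which global actions are available for a collated request, and what rule each
# action produces. The request layout, the rule tuple and substring matching of
# Restricted Publisher Names are this example's assumptions.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


def parse_name_list(setting: str) -> List[str]:
    """Solidcore server settings such as 'Self Approval: Restricted Publisher
    Names' are comma-separated lists; split and trim them for matching."""
    return [name.strip() for name in setting.split(",") if name.strip()]


@dataclass(frozen=True)
class ApprovalRequest:
    endpoint: str
    file_name: str
    checksum: str             # binary checksum, or cab checksum for an ActiveX control
    status: str               # request status, e.g. "Pending" (constructed value)
    activity: str             # e.g. "Software Installation" for an MSI install
    justification: str        # business need typed by the user in the dialog box
    publisher: Optional[str]  # certificate subject name; None if unsigned


CollatedKey = Tuple[str, str]  # (checksum, status): the grouping the page describes


def collate(requests: List[ApprovalRequest]) -> Dict[CollatedKey, List[ApprovalRequest]]:
    """Group individual requests into collated requests, as the Self Approval page does."""
    groups: Dict[CollatedKey, List[ApprovalRequest]] = {}
    for r in requests:
        groups.setdefault((r.checksum.lower(), r.status), []).append(r)
    return groups


def is_restricted_publisher(publisher: Optional[str], restricted: List[str]) -> bool:
    """Assumption: a restricted name matches when it occurs in the certificate
    subject, case-insensitively, so 'Microsoft' covers 'Microsoft Corporation'."""
    if publisher is None:
        return False
    return any(name.lower() in publisher.lower() for name in restricted)


def available_actions(group: List[ApprovalRequest], restricted: List[str]) -> List[str]:
    """Actions the administrator can take on one collated request."""
    actions = ["Allow Binary Globally", "Ban Binary Globally",
               "Create Custom Policy", "Delete Requests"]
    main = group[0]
    # Allow by Publisher Globally is unavailable when the main binary is unsigned
    # or is signed by a certificate on the Restricted Publisher Names list.
    if main.publisher and not is_restricted_publisher(main.publisher, restricted):
        actions.insert(1, "Allow by Publisher Globally")
    return actions


GLOBAL_RULE_GROUP = "Global Self Approval Rules"  # included in the McAfee Default policy

Rule = Tuple[str, str, str]  # (allow|ban, checksum|publisher, value)


def make_global_rule(action: str, group: List[ApprovalRequest],
                     restricted: List[str]) -> Tuple[str, Rule]:
    """Return (rule group, rule) for a global action, refusing unavailable ones."""
    if action not in available_actions(group, restricted):
        raise ValueError(f"{action} is not available for this request")
    main = group[0]
    if action == "Allow Binary Globally":
        return GLOBAL_RULE_GROUP, ("allow", "checksum", main.checksum.lower())
    if action == "Ban Binary Globally":
        return GLOBAL_RULE_GROUP, ("ban", "checksum", main.checksum.lower())
    if action == "Allow by Publisher Globally":
        return GLOBAL_RULE_GROUP, ("allow", "publisher", main.publisher)
    raise ValueError(f"{action} does not create a global rule")


RESTRICTED = parse_name_list("Microsoft, Adobe")  # the two vendors the page names

# Constructed sample requests: endpoints, checksums, vendor and activity values are made up.
SAMPLE_REQUESTS = [
    ApprovalRequest("ws-01", "setup.msi", "AB12", "Pending", "Software Installation",
                    "Needed for project X", "Contoso Ltd"),
    ApprovalRequest("ws-02", "setup.msi", "ab12", "Pending", "Software Installation",
                    "Same tool as ws-01", "Contoso Ltd"),
    ApprovalRequest("ws-03", "tool.exe", "CD34", "Pending", "Execution",
                    "Testing", "Microsoft Corporation"),
    ApprovalRequest("ws-04", "macro.exe", "EF56", "Pending", "Execution",
                    "", None),
]


def sample_groups() -> Dict[CollatedKey, List[ApprovalRequest]]:
    """Collate the constructed sample: two requests share a checksum and status."""
    return collate(SAMPLE_REQUESTS)
```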

Ban by checksum on all endpoints

Use this task to define rules to ban an application or binary file from running on all endpoints in the enterprise based on the checksum value of the binary file.

Task

1 Select Menu | Application Control | Self Approval.

The Self Approval page appears.

2 Select the approval requests for which to define rules.


3 Click Actions | Ban Binary Globally.

The Ban Binary Globally dialog box provides details and prompts you to confirm the action.

4 Click OK.

Rules are created for the binary files associated with the selected requests and added to the Global Self Approval Rules rule group included in the McAfee Default policy. For information on how to view or edit the rules, see the Review created rules section.

Banning an installer, such as an MSI‑based installer, for a self‑approved request is a two‑step process:

• Ban the installer globally to ensure it cannot run on other endpoints in the enterprise (complete steps 3 and 4)

• Ban the files added by the installer on the endpoint on which the installer was self approved (complete step 5)

For example, if the MSI‑based installer for Mozilla Firefox 12 (Firefox‑12.0‑af.msi) was self approved and installed on an endpoint, you will need to ban the files added by the installer on the endpoint.

Banning an installer that is not MSI‑based or for which no binary is displayed on the Inventory user interface is also a two‑step process. You must ban the installer globally to ensure it cannot run on other endpoints in the enterprise (complete steps 3 and 4). Next, you must manually search for the binary files corresponding to the application and ban the files using the Inventory user interface.

5 Ban the files that have already been self approved on the endpoint.

a Click the application name link.

The Binaries page lists all the binary files installed on the endpoint.

b Select all listed binary files.

c Click Actions | Ban Binaries.

The Allow or Ban Binaries wizard appears.

d Specify the rule group for the rules.

• To add the rules to an existing rule group, select Add to Existing Rule Group, select the rule group from the list, and specify the operating system.

• To create a new rule group with the rules, select Create a New Rule Group, enter the rule group name, and specify the operating system.

Ensure the rule group to which you add the rules is added to a policy applied on the endpoint on which the request was self approved.

e Click Next.

f Review the rules and click Save.

Define custom rules for specific endpoints

Use this task to define custom rules to allow or ban an application, binary file, or ActiveX control for specific endpoints in the enterprise.

Task

1 Select Menu | Application Control | Self Approval.

The Self Approval page appears.

2 Select the approval request for which to define custom rules.


3 Click Actions | Create Custom Policy.

The Self Approval: Custom Rules page appears.

4 Specify whether to allow the binary file, ban the binary file, or add the certificate as a publisher.

5 Review the pre‑populated rule.

6 Edit the rule, if needed.

7 Specify the rule group for the rules.

• To add the rules to an existing rule group, select Add to existing Rule Group and select the rule group from the list.

• To create a new rule group with the rules, select Create a new Rule Group and enter the rule group name.

8 Optionally, add the modified or created rule group to a policy.

a Select the Add the Rule Group to existing Policy option.

b Select the policy in which to add the rule group.

9 Click Save.

Delete approval requests

Use this task to remove selected requests from the Self Approval page and database.

Task

1 Select Menu | Application Control | Self Approval.

The Self Approval page appears.

2 Select the approval requests to delete.

3 Click Actions | Delete Requests.

The Delete Requests dialog box prompts you to confirm the action.

4 Click OK.

All selected collated requests and contained individual requests are deleted from the page and database. Note that if the McAfee ePO administrator deletes a request without defining any rules for the request, the changes associated with the request will by default be allowed on the endpoint.

Review created rules

Use this task to review and manage the rules created for approval requests.

Task

1 Select Menu | Configuration | Solidcore Rules.

2 Select the Application Control type and Windows platform on the Rule Groups tab.

3 Navigate and locate the Global Self Approval Rules rule group.

4 Click Edit for the Global Self Approval Rules rule group.

5 Review the included rules.


6 Edit the defined rules, if needed.

7 Click Save Rule Group.


11 Using dashboards and queries

Use dashboards to view the status of the endpoints and queries to review reports based on the data stored in the McAfee ePO database.

Contents

Use dashboards
View queries

Use dashboards

Dashboards are collections of monitors that help you keep an eye on your environment.

Application Control provides these default dashboards:

• Solidcore: Inventory dashboard allows you to observe the inventory for the endpoints

• Solidcore: Application Control dashboard helps you keep a check on the protected endpoints

You can create, modify, duplicate, and export dashboards. For more information on working with dashboards, see the McAfee ePolicy Orchestrator Software Product Guide.

View queries

Use the available queries to review information for the endpoints based on the data stored in the McAfee ePO database.

The following Application Control queries are available from the McAfee ePO console.

Table 11-1 Application Control Queries

Query Description

Self Approval Audit Report
Displays a list of all approval requests received from the endpoints in the last month.

Solidcore: Alerts
Displays all alerts generated in the last 3 months.

Solidcore: Application Control Agent Status
Displays the status of all endpoints with the Application Control license which are managed by the McAfee ePO console. The pie chart categorizes the information based on the client status. Click a segment to review endpoint information.

Solidcore: Attempted Violations Detected in the Last 24 Hours
Displays the attempted violation events detected during the last 24 hours. The line chart plots data on a per hour basis. Click a value on the chart to review event details.

Solidcore: Attempted Violations Detected in the Last 7 Days
Displays the attempted violation events detected during the last 7 days. The line chart plots data on a per day basis. Click a value on the chart to review event details.


Solidcore: Non Compliant Solidcore Agents
Lists the endpoints that are currently not compliant, sorted by the reason for non-compliance. An endpoint is non-compliant if it:
• Is in Disabled, Observe, or Update mode
• Is operating in limited feature activation mode
• Has had local command-line interface (CLI) access recovered

Solidcore: Solidcore Agent Status Report
Displays the status of all endpoints managed by the McAfee ePO console. This report combines information for both the Application Control and Change Control licenses. The pie chart categorizes the information based on the client status. Click a segment to review detailed information.

Solidcore: Solidcore Agent License Report
Indicates the number of Solidcore Agents that are managed by the McAfee ePO console. The information is categorized by license and further sorted by the operating system on the endpoint.

Solidcore: Policy Assignments By System
Lists the number of policies applied on the managed endpoints. Click a system to review information on the applied policies.

Solidcore: Summary Server Reboot Log - Rolling 30 Days
Displays the reboot log grouped by system name.

Solidcore: Top 10 Systems with Most Violations Detected in the Last 24 Hours
Displays the top 10 systems with the most violations in the last 24 hours. The chart includes a bar for each system, indicating the number of violations for that system. Click a bar on the chart to review detailed information.

Solidcore: Top 10 Systems with Most Violations Detected in the Last 7 Days
Displays the top 10 systems with the most violations in the last 7 days. The chart includes a bar for each system, indicating the number of violations for that system. Click a bar on the chart to review detailed information.

Solidcore: Top 10 Users with Most Violations Detected in the Last 24 Hours
Displays the top 10 users with the most policy violation attempts in the last 24 hours. The chart includes a bar for each user, indicating the number of policy violation attempts for that user, sorted in descending order. Click a bar on the chart to review detailed information.

Solidcore: Top 10 Users with Most Violations Detected in the Last 7 Days
Displays the top 10 users with the most policy violation attempts in the last 7 days. The chart includes a bar for each user, indicating the number of policy violation attempts for that user, sorted in descending order. Click a bar on the chart to review detailed information.

Use this task to view a query.

Task

1 Select Menu | Reporting.

2 Perform one of these tasks.

• From the McAfee ePO 4.6 console, select Queries & Reports.

• From the McAfee ePO 4.5 console, select Queries.

3 Select the Application Control group under Shared Groups.

4 Review the queries in the list.


5 Navigate to the required query and click Run.

The results for the selected query are displayed.

6 Click Close to return to the previous page.


12 Maintaining your systems

After Change Control or Application Control is deployed, you can perform various tasks to maintain the endpoints. Review these topics for details about maintenance tasks.

Contents

• Make emergency changes
• Change the CLI password
• Collect debug information
• Place the endpoints in Disabled mode
• Send GTI feedback
• Purge data
• Work with older Solidcore client versions

Make emergency changes

To implement an emergency change, you can create a change window that overrides all protection and tamper proofing that is in effect. Memory protection (Application Control only) remains enabled even in Update mode. Use a change window only when the other available mechanisms cannot be used: while it is open, the endpoint accepts changes that would otherwise be blocked, so keep the window short, scope it to the endpoints that need the change, and close it with the End Update Mode task as soon as the change is complete.

Complete these steps to make emergency changes.

1 Place the endpoints in Update mode.

2 Complete the required emergency changes.

3 Place the endpoints in Enabled mode.

Tasks

• Place the endpoints in Update mode on page 118
Use this task to place the endpoints in Update mode to make emergency changes.

• Place the endpoints in Enabled mode on page 119
Use this task to place the endpoints back in Enabled mode after you complete the required changes in Update mode.


Place the endpoints in Update mode

Use this task to place the endpoints in Update mode to make emergency changes.

Task

1 Select Menu | Systems | System Tree.

2 Complete these steps for the McAfee ePO 4.6 console.

a Perform one of these actions.

• To apply the client task to a group, select a group in the System Tree and switch to the Assigned Client Tasks tab.

• To apply the client task to an endpoint, select the endpoint on the Systems page and click Actions | Agent | Modify Tasks on a Single System.

b Click Actions | New Client Task Assignment.

The Client Task Assignment Builder page appears.

c Select the Solidcore 6.1.0 product, SC: Begin Update Mode task type, and click Create New Task.

The Client Task Catalog page appears.

d Specify the task name and add any descriptive information.

3 Complete these steps for the McAfee ePO 4.5 console.

a Perform one of these actions.

• To apply the client task to a group, select a group in the System Tree and switch to the Client Tasks tab.

• To apply the client task to an endpoint, select the endpoint on the Systems page and click Actions | Agent | Modify Tasks on a Single System.

b Click Actions | New Task.

The Client Task Builder page appears.

c Specify the task name and add any descriptive information.

d Select SC: Begin Update Mode (Solidcore 6.1.0) and click Next.

The Configuration page appears.

4 Enter the Workflow ID and any comments.

The workflow ID provides a meaningful description for the update window (for example, the change ticket number) so that changes made in the window can be traced back to an approved change.

5 Click Save (McAfee ePO 4.6 only).

6 Click Next.

The Schedule page appears.

7 Specify scheduling details and click Next.

8 Review and verify the task details and click Save.

9 Optionally, wake up the agent to send your client task to the endpoint immediately.


Place the endpoints in Enabled mode

Use this task to place the endpoints back in Enabled mode after you complete the required changes in Update mode.

Task

1 Select Menu | Systems | System Tree.

2 Complete these steps for the McAfee ePO 4.6 console.

a Perform one of these actions.

• To apply the client task to a group, select a group in the System Tree and switch to the Assigned Client Tasks tab.

• To apply the client task to an endpoint, select the endpoint on the Systems page and click Actions | Agent | Modify Tasks on a Single System.

b Click Actions | New Client Task Assignment.

The Client Task Assignment Builder page appears.

c Select the Solidcore 6.1.0 product, SC: End Update Mode task type, and click Create New Task.

The Client Task Catalog page appears.

d Specify the task name and add any information.

3 Complete these steps for the McAfee ePO 4.5 console.

a Perform one of these actions.

• To apply the client task to a group, select a group in the System Tree and switch to the Client Tasks tab.

• To apply the client task to an endpoint, select the endpoint on the Systems page and click Actions | Agent | Modify Tasks on a Single System.

b Click Actions | New Task.

The Client Task Builder page appears.

c Specify the task name and add any descriptive information.

d Select SC: End Update Mode (Solidcore 6.1.0) and click Next.

The Configuration page states that no other configuration settings are required for the task.

4 Click Save (McAfee ePO 4.6 only).

5 Click Next.

The Schedule page appears.

6 Specify scheduling details and click Next.

7 Review and verify the task details and click Save.

8 Optionally, wake up the agent to send your client task to the endpoint immediately.


Change the CLI password

Use this task to change the default CLI password. Anyone who knows the CLI password can operate the Solidcore client locally on the endpoint, so replace the default with a password of your own before you deploy the client widely, and apply the resulting policy to every endpoint.

Task

1 Select Menu | Policy | Policy Catalog.

2 Select the Solidcore 6.1.0: General product.

3 Click Duplicate for the McAfee Default policy in the Configuration (Client) category.

The Duplicate Existing Policy dialog box appears.

4 Specify the policy name and click OK.

The policy is created and listed on the Policy Catalog page.

5 Open the policy.

• If you are using McAfee ePO 4.6, click the new policy.

• If you are using McAfee ePO 4.5, click Edit Settings for the policy.

6 Type the new password in the CLI Settings tab.

7 Confirm the password.

8 Click Save.

9 Apply the policy to the endpoints.

Collect debug information

Prior to contacting McAfee Support to help you with a Solidcore client issue, collect configuration and debug information for your setup. This will help McAfee Support quickly identify and resolve the encountered issue. Run the Collect Debug Info client task to create an archive with endpoint configuration information and Solidcore client log files. The zip file is generated on the endpoint and its location is listed (click the record associated with the client task) on the Client Task Log page. Send the zip file to McAfee Support along with details of the encountered issue.

Use this task to create a zip file with configuration and debug information.

Task

1 Select Menu | Systems | System Tree.

2 Complete these steps for the McAfee ePO 4.6 console.

a Perform one of these actions.

• To apply the client task to a group, select a group in the System Tree and switch to the Assigned Client Tasks tab.

• To apply the client task to an endpoint, select the endpoint on the Systems page and click Actions | Agent | Modify Tasks on a Single System.

b Click Actions | New Client Task Assignment.

The Client Task Assignment Builder page appears.

c Select the Solidcore 6.1.0 product, SC: Collect Debug Info task type, and click Create New Task.

The Client Task Catalog page appears.


d Specify the task name and add any descriptive information.

3 Complete these steps for the McAfee ePO 4.5 console.

a Perform one of these actions.

• To apply the client task to a group, select a group in the System Tree and switch to the Client Tasks tab.

• To apply the client task to an endpoint, select the endpoint on the Systems page and click Actions | Agent | Modify Tasks on a Single System.

b Click Actions | New Task.

The Client Task Builder page appears.

c Specify the task name and add any descriptive information.

d Select SC: Collect Debug Info (Solidcore 6.1.0) and click Next.

The Configuration page appears.

4 Click Save (McAfee ePO 4.6 only).

5 Click Next.

The Schedule page appears.

6 Specify scheduling details and click Next.

7 Review and verify the task details and click Save.

8 Optionally, wake up the agent to send your client task to the endpoint immediately.

Place the endpoints in Disabled mode

Use this task to place the endpoints in Disabled mode.

Task

1 Select Menu | Systems | System Tree.

2 Complete these steps for the McAfee ePO 4.6 console.

a Perform one of these actions.

• To apply the client task to a group, select a group in the System Tree and switch to the Assigned Client Tasks tab.

• To apply the client task to an endpoint, select the endpoint on the Systems page and click Actions | Agent | Modify Tasks on a Single System.

b Click Actions | New Client Task Assignment.

The Client Task Assignment Builder page appears.

c Select the Solidcore 6.1.0 product, SC: Disable task type, and click Create New Task.

The Client Task Catalog page appears.

d Specify the task name and add any descriptive information.


3 Complete these steps for the McAfee ePO 4.5 console.

a Perform one of these actions.

• To apply the client task to a group, select a group in the System Tree and switch to the Client Tasks tab.

• To apply the client task to an endpoint, select the endpoint on the Systems page and click Actions | Agent | Modify Tasks on a Single System.

b Click Actions | New Task.

The Client Task Builder page appears.

c Specify the task name and add any descriptive information.

d Select SC: Disable (Solidcore 6.1.0) and click Next.

The Configuration page appears.

4 Set the Force Reboot with the task option according to the license and the Solidcore client version.

Application Control
• 5.1.2 or earlier (UNIX and Windows), or 6.0.0 and later (Windows): select Force Reboot with the task to restart the endpoints.
• 6.1.0 and later (UNIX): deselect Force Reboot with the task if you are temporarily disabling the client protection for maintenance or troubleshooting; the software is disabled as soon as the task is applied. If you are disabling the software prior to uninstallation, select Force Reboot with the task.

Change Control
• 6.0.1 or earlier (UNIX), or 6.0.0 and later (Windows): select Force Reboot with the task to restart the endpoints.
• 6.1.0 and later (UNIX): deselect Force Reboot with the task if you are temporarily disabling the client protection for maintenance or troubleshooting; the software is disabled as soon as the task is applied. If you are disabling the software prior to uninstallation, select Force Reboot with the task.

5 Click Save (McAfee ePO 4.6 only).

6 Click Next.

The Schedule page appears.

7 Specify scheduling details and click Next.

8 Review and verify the task details and click Save.

9 Optionally, wake up the agent to send your client task to the endpoint immediately.


Send GTI feedback

Application Control includes these seeded server tasks that allow you to send feedback to McAfee on how you are currently using the GTI features.

• Solidcore: Send Event Feedback to Application Control GTI Cloud Server (disabled by default)

• Solidcore: Send Policy and Inventory Feedback to Application Control GTI Cloud Server (enabled by default to run daily)

No information about individual computers or users is sent to McAfee. In addition, McAfee stores no data that can be used to track the feedback information to a specific customer or organization.

You can configure the server tasks to send information on how you are currently using one or all of these parameters.

Policies
Send information on Change Control, Application Control, and General policies. This information helps McAfee understand how you are currently using policies and applying rules and will eventually help McAfee improve the default policies and rules.

Events
Send information, such as the binary name and SHA1 value, for the Execution Denied, Process Hijack Attempted, and Nx Violation Detected events. You can also choose to send the number of endpoints on which the event occurred together with the full path of the binary file. This information helps McAfee determine how frequently and effectively Application Control blocks actions and will eventually help improve product functionality and efficacy.

Inventory
Send detailed information for binary files, including base name, embedded application name, embedded application version, embedded version, and so on. You can also choose to send the number of endpoints on which the binary file is present, its execution status, and the full path of the binary. The feedback does not include any information that identifies the endpoints, such as system name or IP address. This information helps McAfee determine how you are using (and altering) the trust score and trust level values assigned to binary files, and will eventually help McAfee improve the GTI file reputation service.

ePO identifier
Send the unique McAfee ePO identifier.

Full paths of binary files can embed user names or site-specific directory names, so review the optional path and endpoint-count settings against your data-handling requirements before leaving the daily feedback task enabled.

Use this task to edit the server tasks.

Task

1 Select Menu | Automation | Server Tasks.

2 Select Edit for a server task.

The Server Task Builder wizard opens.

3 Optionally, change the schedule status for the server task.

4 Click Save.


Purge data

Use this task to purge Solidcore reporting data by age or based on other parameters. When you purge data, the records are permanently deleted, so export anything you must retain for audit before the task runs.

Task

1 Select Menu | Automation | Server Tasks.

2 Click New Task.

The Server Task Builder wizard opens.

3 Type the task name and click Next.

4 Select Solidcore: Purge from the Actions list.

5 Configure these options as required.

• Choose Feature - Select the reporting feature for which to purge records.

• Purge records older than - Select this option to purge the entries older than the specified age. This option is not applicable for features that do not have ageing criteria, such as inventory records.

• Purge by query - Select this option to purge the records for the selected feature that meet the query criteria. This option is only available for reporting features that support queries in McAfee ePO. Also, this option is supported only for tabular query results.

No seeded queries are available for purging. Prior to purging records, you must create the query from the Menu | Reporting | Queries & Reports (in McAfee ePO 4.6 console) or Menu | Reporting | Queries (in McAfee ePO 4.5 console) page.

6 Click Next.

The Schedule page appears.

7 Specify schedule details and click Next.

The Summary page appears.

8 Review and verify the details and click Save.

Work with older Solidcore client versions

If you are using Application Control with Solidcore client version 5.1.5 or earlier (Windows) or 5.1.2 or earlier (Linux or Solaris), you can choose not to create the whitelist when you enable the software. If you defer creating the whitelist, you create it by running the SC: Initial Scan to create whitelist task.

To get suggestions on the updaters and memory-protection bypass rules to add for your setup, run the SC: Get Diagnostics for programs task. This feature is available only on the Windows platform for Solidcore client version 5.1.5 or earlier.


Tasks

• Create the whitelist on page 125
Use this task to create the initial whitelist (if you did not create the whitelist when enabling Application Control).

• Run diagnostics on page 126
When running in Enabled mode, the Solidcore protection may prevent a legitimate application from executing (if the required rules are not defined). For example, certain applications do not function correctly immediately after Solidcore is enabled. Solidcore tracks all such failed attempts made by authorized executable files to modify protected files or run other executable files. You can review information for failed attempts to identify updater rules to allow legitimate applications to run successfully. This feature is available only on the Windows platform for Solidcore client version 5.1.5 or earlier.

Create the whitelist

Use this task to create the initial whitelist (if you did not create the whitelist when enabling Application Control).

This feature is available on the:

• Windows platform for Solidcore client version 5.1.5 or earlier

• Linux and Solaris platforms for Solidcore client version 5.1.2 or earlier

Task

1 Select Menu | Systems | System Tree.

2 Complete these steps for the McAfee ePO 4.6 console.

a Perform one of these actions.

• To apply the client task to a group, select a group in the System Tree and switch to the Assigned Client Tasks tab.

• To apply the client task to an endpoint, select the endpoint on the Systems page and click Actions | Agent | Modify Tasks on a Single System.

b Click Actions | New Client Task Assignment.

The Client Task Assignment Builder page appears.

c Select the Solidcore 6.1.0 product, SC: Initial Scan to create whitelist task type, and click Create New Task.

The Client Task Catalog page appears.

d Specify the task name and add any descriptive information.

3 Complete these steps for the McAfee ePO 4.5 console.

a Perform one of these actions.

• To apply the client task to a group, select a group in the System Tree and switch to the Client Tasks tab.

• To apply the client task to an endpoint, select the endpoint on the Systems page and click Actions | Agent | Modify Tasks on a Single System.

b Click Actions | New Task.

The Client Task Builder page appears.


c Specify the task name and add any descriptive information.

d Select SC: Initial Scan to create whitelist (Solidcore 6.1.0) and click Next.

The Configuration page appears.

4 Click Save (McAfee ePO 4.6 only).

5 Click Next.

The Schedule page appears.

6 Specify scheduling details and click Next.

7 Review and verify the task details and click Save.

8 Optionally, wake up the agent to send your client task to the endpoint immediately.

Run diagnostics

When running in Enabled mode, the Solidcore protection may prevent a legitimate application from executing (if the required rules are not defined). For example, certain applications do not function correctly immediately after Solidcore is enabled. Solidcore tracks all such failed attempts made by authorized executable files to modify protected files or run other executable files. You can review information for failed attempts to identify updater rules to allow legitimate applications to run successfully. This feature is available only on the Windows platform for Solidcore client version 5.1.5 or earlier.

Use this task to retrieve a list of potential updaters and memory-protection bypass rules that can be added to a policy and applied to the endpoints. This feature helps you identify updater rules (in case certain applications do not function correctly) after the product is enabled.

Task

1 Select Menu | Systems | System Tree.

2 Complete these steps for the McAfee ePO 4.6 console.

a Perform one of these actions.

• To apply the client task to a group, select a group in the System Tree and switch to the Assigned Client Tasks tab.

• To apply the client task to an endpoint, select the endpoint on the Systems page and click Actions | Agent | Modify Tasks on a Single System.

b Click Actions | New Client Task Assignment.

The Client Task Assignment Builder page appears.

c Select the Solidcore 6.1.0 product, SC: Get Diagnostics for programs task type, and click Create New Task.

The Client Task Catalog page appears.

d Specify the task name and add any descriptive information.

3 Complete these steps for the McAfee ePO 4.5 console.

a Perform one of these actions.

• To apply the client task to a group, select a group in the System Tree and switch to the Client Tasks tab.

• To apply the client task to an endpoint, select the endpoint on the Systems page and click Actions | Agent | Modify Tasks on a Single System.


b Click Actions | New Task.

The Client Task Builder page appears.

c Specify the task name and add any descriptive information.

d Select SC: Get Diagnostics for programs (Solidcore 6.1.0) and click Next.

The Configuration page appears.

4 Click Save (McAfee ePO 4.6 only).

5 Click Next.

The Schedule page appears.

6 Specify scheduling details and click Next.

7 Review and verify the task details and click Save.

8 Optionally, wake up the agent to send your client task to the endpoint immediately.

9 Verify that the task ran successfully by reviewing the Menu | Automation | Solidcore Client Task Log page. This client task collects diagnostic data from the endpoints and sends it to the McAfee ePO console.

10 Use the diagnostic recommendations to define updaters in a policy.

a Edit the required policy.

b Click Diagnostic Suggestions on the Updaters tab. The Add Updater dialog box appears.

c Review the listed suggestions.

d Select the required files to add and click OK.

Exercise caution while selecting the files to mark as updaters. A program marked as an updater is allowed to modify protected files and launch other executables, so mark only binaries you recognize and whose update behavior you expect, and do not mark general-purpose interpreters or shells.

e Save the policy.


13 Fine-tuning your configuration

Perform advanced configuration tasks to fine tune your configuration.

Contents

• Configure a syslog server
• Manage the Solidcore permission sets
• Customize end-user notifications

Configure a syslog server

You can access additional servers by registering them with your McAfee ePO server. Registered servers allow you to integrate your software with other external servers. Use this task to add the syslog server as a registered server and send information (responses or Solidcore events) to the syslog server.

Task

1 Add the syslog server as a registered server.

a Select Menu | Configuration | Registered Servers and click New Server.

The Registered Server Builder wizard opens.

b Select Solidcore Syslog Server from the Server type list.

c Specify the server name, add any notes, and click Next.

d Optionally, modify the syslog server port (McAfee ePO 4.6 only).

If you are using McAfee ePO 4.5, the default port (514) is used. You cannot alter the port when using McAfee ePO 4.5.

e Enter the server address.

You can specify the DNS name, IPv4 address, or IPv6 address.

f Select the type of logs the server is configured to receive by selecting a value from the Syslog Facility list.

g Click Test Syslog send to verify the connection to the server.

h Click Save.

You can choose to send specific responses to the syslog server (complete step 2) or use the seeded response to send all Solidcore events to the syslog server (complete step 3).


2 Send responses to the syslog server.

a Select Menu | Automation | Automatic Responses.

b Click Actions | New Response.

c Enter the alert name.

d Select the ePO Notification Events group and Threat event type.

e Select Enabled and click Next.

The Filter page appears.

f Define the relevant filters and click Next.

The Aggregation page appears.

g Specify aggregation details and click Next.

The Actions page appears.

h Select the Send Event To Solidcore Syslog action.

i Specify the severity and message.

You can use the listed variables to create the message string.

j Select the appropriate syslog servers (one or more) and click Next.

k Review the response details and click Save.

3 Send all Solidcore events to the syslog server.

Application Control and Change Control include a seeded response that you can configure to automatically send all Solidcore events to the syslog server.

a Select Menu | Automation | Automatic Responses.

b Edit the Send Solidcore events to Syslog Server response to configure these options.

• Set the status to Enabled.

• Verify that the appropriate syslog server is selected.

• Review the message string.

The message string is based on the Common Event Format (CEF). Contact McAfee Support for assistance in understanding the message string.

c Save the response.
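The Top 10 Systems and Top 10 Users queries in Table 11-1 and the syslog response above both consume the same Solidcore violation events. The following Python example is added by the editor and is not part of the product guide or the product: it parses CEF-formatted syslog lines and ranks endpoints or users by violation events inside a rolling window, the same computation the Top 10 queries perform against the ePO database, while skipping non-CEF and malformed lines. The sample lines are constructed for this example; the vendor and product strings and the choice of CEF extension keys (rt, dhost, suser, fname, filePath) are assumptions about how a Solidcore response populates a CEF record, not taken from the guide.

```python
"""Parse CEF syslog lines and rank endpoints or users by Solidcore violation events.
Added example, not product code. Sample lines are constructed; the CEF extension keys
(rt, dhost, suser, fname, filePath) are standard, but how Solidcore fills them is assumed."""
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# CEF layout: CEF:Version|Vendor|Product|Version|SignatureID|Name|Severity|Extension
_HEADER_FIELDS = ("cef_version", "vendor", "product", "device_version",
                  "signature_id", "name", "severity")
_HDR_FIELD = re.compile(r"((?:\\.|[^|\\])*)\|")        # one header field up to an unescaped '|'
_EXT_KEY = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")   # 'key=' at start or after whitespace
# Blocked-action events the guide lists under end-user notifications.
VIOLATION_EVENTS = {
    "Execution Denied", "File Write Denied", "File Read Denied",
    "Process Hijack Attempted", "Nx Violation Detected",
    "ActiveX Installation Prevented", "Package Modification Prevented",
    "VASR Violation Detected",
}

def _split_header(text):
    """Return the 7 unescaped header fields plus the raw extension (fewer if malformed)."""
    parts, pos = [], 0
    for _ in range(7):
        m = _HDR_FIELD.match(text, pos)
        if not m:
            return parts
        parts.append(re.sub(r"\\(.)", r"\1", m.group(1)))   # \| -> |  and  \\ -> \
        pos = m.end()
    parts.append(text[pos:])
    return parts

def _unescape(value):
    """Undo extension escaping: backslash-backslash -> backslash, backslash-equals -> equals."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value) and value[i + 1] in "\\=":
            out.append(value[i + 1])
            i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)

def parse_extension(ext):
    """Parse 'k=v k2=value with spaces' into a dict; a value runs until the next ' key='."""
    matches = list(_EXT_KEY.finditer(ext))
    fields = {}
    for idx, m in enumerate(matches):
        end = matches[idx + 1].start() if idx + 1 < len(matches) else len(ext)
        fields[m.group(1)] = _unescape(ext[m.end():end].strip())
    return fields

def parse_cef(line):
    """Parse one syslog line carrying a CEF record; raises ValueError if malformed."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF record in line")
    parts = _split_header(line[start + 4:])
    if len(parts) != 8:
        raise ValueError("malformed CEF header")
    record = dict(zip(_HEADER_FIELDS, parts[:7]))
    record["extension"] = parse_extension(parts[7])
    return record

def event_time(record):
    """CEF 'rt' (epoch milliseconds) as an aware UTC datetime."""
    return datetime.fromtimestamp(int(record["extension"]["rt"]) / 1000, tz=timezone.utc)

def top_violators(lines, key, now, window=timedelta(hours=24), n=10):
    """Rank values of `key` ('dhost' for systems, 'suser' for users) by violation events in
    the window: the Top 10 queries' computation run over the syslog copy of the events.
    Non-CEF and malformed lines are skipped instead of aborting the run."""
    counts = Counter()
    for line in lines:
        try:
            rec = parse_cef(line)
        except ValueError:
            continue
        if rec["name"] not in VIOLATION_EVENTS or now - event_time(rec) > window:
            continue
        counts[rec["extension"].get(key, "<unknown>")] += 1
    return counts.most_common(n)

# Constructed sample input: four Solidcore-style records plus two lines that must be ignored.
NOW = datetime(2012, 6, 1, 12, 0, tzinfo=timezone.utc)
def _rt(age):
    return str(int((NOW - age).timestamp() * 1000))
SAMPLE_LINES = [
    rf"<14>Jun  1 11:05:00 epo01 CEF:0|McAfee|Solidcore|6.1.0|1|Execution Denied|8|rt={_rt(timedelta(minutes=55))} dhost=web01 suser=CORP\\jsmith fname=putty.exe filePath=C:\\Temp\\putty.exe",
    rf"<14>Jun  1 09:00:00 epo01 CEF:0|McAfee|Solidcore|6.1.0|2|File Write Denied|7|rt={_rt(timedelta(hours=3))} dhost=web01 suser=CORP\\jsmith fname=hosts filePath=C:\\Windows\\System32\\drivers\\etc\\hosts",
    rf"<14>May 31 16:00:00 epo01 CEF:0|McAfee|Solidcore|6.1.0|3|Nx Violation Detected|9|rt={_rt(timedelta(hours=20))} dhost=db01 suser=SYSTEM fname=sqlservr.exe",
    rf"<14>May 31 06:00:00 epo01 CEF:0|McAfee|Solidcore|6.1.0|1|Execution Denied|8|rt={_rt(timedelta(hours=30))} dhost=web02 suser=CORP\\build fname=nc.exe",
    "<13>Jun  1 11:30:00 web01 sshd[4242]: Accepted publickey for ops from 10.0.0.5 port 51234",
    "<14>Jun  1 11:31:00 epo01 CEF:0|McAfee|Solidcore",
]

if __name__ == "__main__":
    print(top_violators(SAMPLE_LINES, "dhost", NOW))  # [('web01', 2), ('db01', 1)]
    print(top_violators(SAMPLE_LINES, "suser", NOW))  # [('CORP\\jsmith', 2), ('SYSTEM', 1)]
```

Run the file directly to print the two rankings for the constructed input. To use it on real output, read the lines from the collector's log file and pass the current time as `now`; the key you rank on must match an extension key that your response's message string actually emits, which you can read from the message template when you edit the response in the ePO console.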

Manage the Solidcore permission sets

A permission set is a collection of permissions that can be granted to any user by assigning it to the user's account. Permission sets control the level of access users have to the different features available in the software. While user accounts provide a means for users to access and use the software, each user account is associated with one or more permission sets that define what the user is allowed to do with the software.

Permission sets only grant rights and access; no permission set removes rights or access. When multiple permission sets are applied to a user account, they aggregate. For example, if one permission set does not provide any permissions to server tasks, but another permission set applied to the account grants all permissions to server tasks, that user account has all permissions for server tasks. Consider this as you plan your strategy for granting permissions to the users in your environment.


Solidcore default permission sets

When a new product extension is installed, it adds the product-specific permission sets to McAfee ePO. The Solidcore extension for Change Control and Application Control adds these permission sets:

SolidcoreAdmin

Provides view and change permissions across McAfee ePO features. Users that are assigned this permission set each need at least one more permission set that grants access to needed products and groups of the System Tree.

SolidcoreReviewer

Provides view permissions across McAfee ePO features. Users that are assigned this permission set each need at least one more permission set that grants access to needed products and groups of the System Tree.

If you need to create additional permission sets, use the SolidcoreAdmin permission set as a starting point and edit it as per your requirements; because permission sets only ever add rights, start from the narrower SolidcoreReviewer set when the new set is meant for users who should not change policies. You can create, delete, modify, import, and export permission sets. For more information on working with permission sets, see the McAfee ePolicy Orchestrator Software Product Guide.

Customize end-user notifications

If Application Control protection prevents an action on an endpoint, you can choose to display a customized notification message for the event on the endpoint.

You can configure the notification to be displayed on the endpoints for these events:

• Execution Denied

• File Write Denied

• File Read Denied

• Process Hijack Attempted

• Nx Violation Detected

• ActiveX Installation Prevented

• Package Modification Prevented

• VASR Violation Detected

Use this task to configure end‑user notifications.

Task

1 Select Menu | Policy | Policy Catalog.

2 Select the Solidcore 6.1.0: Application Control product.

3 Select the Application Control Options (Windows) category.

4 Edit the My Default policy.

• If you are using McAfee ePO 4.6, click the policy.

• If you are using McAfee ePO 4.5, click Edit Settings for the policy.

5 Switch to the End User Notifications tab.

6 Select the Show the messages dialog box when an event is detected and display the specified text in the message option to display a message box at the endpoint each time any of the events listed above is generated.


7 Enter the helpdesk information.

Option | Description
--- | ---
Mail To | The email address to which all approval requests (from endpoints) are sent.
Mail Subject | The subject of the email message sent for approval requests (from endpoints).
Link to Website | The website listed in the Application and Change Control Events window on the endpoints.
ePO IP Address and Port | The McAfee ePO server address and port.

8 Customize the notifications for the various types of events.

a Enter the notification message.

You can use the listed variables to create the message string.

b Select Show Event in Dialog to ensure that all events of the selected event type (such as Execution Denied) are listed in the Application and Change Control Events window on the endpoints.

9 Save the policy and apply to the relevant endpoints.

10 From the endpoints, users can review the notifications for the events and request approval for certain actions.

a Right‑click the McAfee Agent icon in the system tray on the endpoint.

b Select Quick Settings | Application and Change Control Events.

The Application and Change Control Events window appears.

c Review the events.

d Request approval for a certain action by selecting the event and clicking Request Approval.


A FAQs

Here are answers to frequently asked questions.

What is an Alternate Data Stream (ADS)? Does Change Control monitor changes to ADSs?

On the Microsoft NTFS file system, a file consists of multiple data streams. One stream holds the file contents and another contains security information. You can create alternate data streams (ADS) for a file to associate information or other files with the existing file. In effect, alternate data streams allow you to embed information or files in existing files. The ADSs associated with a file do not affect its contents or attributes, are not counted in the file size shown by Windows Explorer, and are not visible there, so for practical purposes they are hidden. Malicious users can misuse the ADS feature to attach malicious files to other files without the malicious files being detected.

Change Control monitors changes to ADSs associated with files on the Windows platforms. For a monitored file, all ADS-related changes, including stream creation, modification, update, deletion, and attribute changes, are reported as events. If you are also using Application Control, any executable programs associated as an ADS with an existing file are prevented from running. To disable ADS monitoring, execute the SC: Run Commands client task to run the sadmin features disable mon-ads command on the endpoint.
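The following PowerShell session is an added example (not from the McAfee guide): it creates a file with an alternate data stream, shows that the stream is invisible to the normal directory listing, and enumerates non-default streams across a tree the way an analyst would when checking what the mon-ads feature is reporting. It needs an NTFS volume and PowerShell 3.0 or later; the demo folder under $env:TEMP and its contents are test data created by the script.

```powershell
# Added example, not from the McAfee guide: demonstrate and hunt for alternate data streams.
$dir  = Join-Path $env:TEMP 'ads-demo'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
$file = Join-Path $dir 'report.txt'

Set-Content -Path $file -Value 'quarterly numbers'                                 # primary ($DATA) stream
Set-Content -Path $file -Stream 'payload.bat' -Value '@echo executed from an ADS'  # content hidden in a stream

Get-ChildItem -Path $dir                        # report.txt is listed with the size of the primary stream only
Get-Item -Path $file -Stream *                  # lists ':$DATA' and 'payload.bat'
Get-Content -Path $file -Stream 'payload.bat'   # the hidden content is readable once you name the stream

function Find-AlternateDataStream {
    # Report every stream other than the primary $DATA stream for each file under $Path.
    # Zone.Identifier is the common benign case (Mark-of-the-Web on downloaded files);
    # anything else deserves a look, and an executable stored in a stream is exactly
    # what Application Control refuses to run.
    param([Parameter(Mandatory)][string]$Path)
    Get-ChildItem -LiteralPath $Path -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                Select-Object FileName, Stream, Length, @{ Name = 'Benign'; Expression = { $_.Stream -eq 'Zone.Identifier' } }
        }
}

Find-AlternateDataStream -Path $dir | Format-Table -AutoSize

# Deleting the stream leaves the file in place. With ADS monitoring enabled, the
# creation above and this deletion are reported as STREAM_CREATED and STREAM_DELETED.
Remove-Item -Path $file -Stream 'payload.bat'
```

Run Find-AlternateDataStream against a user profile or a web root when a STREAM_CREATED event fires for a file that has no business carrying extra streams; the Benign column lets you discard the Mark-of-the-Web noise first.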

Why am I not receiving the events for user account activity for an endpoint?

User account activity is not tracked by default for endpoints. To track operations for user accounts, you must enable this feature specifically on endpoints on which Change Control is deployed and enabled. To enable this feature, execute the SC: Run Commands client task to run the sadmin features enable mon-uat command on the endpoint.

In addition, you must ensure that the Audit Policy is configured on the Windows operating system to allow generation of user activity events; Change Control reports what Windows audits, so without these settings no user account events are produced even with mon-uat enabled.

To successfully track user account activity for an endpoint, verify the Audit Policy configuration for the endpoint. If the endpoint receives its audit policy through Group Policy, make the equivalent change in the applied GPO instead; a local change is overwritten at the next policy refresh.

1. Navigate to Control Panel | Administrative Tools.

2. Double click Local Security Policy.

3. Select Local Policies | Audit Policy.

4. Double click the Audit account logon events policy.

5. Select Success and Failure and click OK.

6. Repeat steps 4 and 5 for the Audit account management and Audit logon events policies.
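The same check and repair, scripted, as an added example rather than a procedure from the McAfee guide. It uses auditpol to read the three audit categories named above, sets any that do not log both Success and Failure, and only then enables Solidcore user-account tracking. It assumes an elevated PowerShell prompt on the endpoint, sadmin.exe on PATH, and a local CLI that is not locked; the sadmin lines are what the SC: Run Commands client task would execute for you.

```powershell
# Added example, not from the McAfee guide: verify the audit policy, fix it, then enable mon-uat.
$required = @('Account Logon', 'Account Management', 'Logon/Logoff')

function Get-AuditCategoryState {
    # "auditpol /get ... /r" prints CSV with the columns Machine Name, Policy Target,
    # Subcategory, Subcategory GUID, Inclusion Setting, Exclusion Setting; one row per
    # subcategory. A category is compliant only when every subcategory is set to
    # "Success and Failure" (the Local Security Policy dialog sets all of them at once).
    param([Parameter(Mandatory)][string]$Category)
    $rows    = @(auditpol /get /category:"$Category" /r | Where-Object { $_ -match ',' } | ConvertFrom-Csv)
    $lacking = @($rows | Where-Object { $_.'Inclusion Setting' -ne 'Success and Failure' })
    [pscustomobject]@{
        Category  = $Category
        Compliant = ($rows.Count -gt 0 -and $lacking.Count -eq 0)
        Detail    = ($rows | ForEach-Object { '{0}={1}' -f $_.Subcategory, $_.'Inclusion Setting' }) -join '; '
    }
}

$before = $required | ForEach-Object { Get-AuditCategoryState -Category $_ }
$before | Format-Table Category, Compliant, Detail -AutoSize

foreach ($cat in ($before | Where-Object { -not $_.Compliant })) {
    # Same effect as selecting Success and Failure for the category in Local Security Policy.
    # If audit policy comes from a GPO, change the GPO instead; this local setting would
    # be overwritten at the next policy refresh.
    auditpol /set /category:"$($cat.Category)" /success:enable /failure:enable | Out-Null
}

$after = $required | ForEach-Object { Get-AuditCategoryState -Category $_ }
if ($after | Where-Object { -not $_.Compliant }) {
    Write-Warning 'Audit policy is still incomplete; Windows would not generate the user account events.'
} else {
    # Windows now produces the events; turn on Solidcore's tracking of them and confirm.
    sadmin features enable mon-uat
    sadmin features list | Select-String -Pattern 'mon-uat'
}
```

Checking before enabling the feature matters because an endpoint with mon-uat on and no audit policy reports nothing, which looks the same in the console as an endpoint with no account activity.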


What are the implications of recovering the local CLI access for an endpoint?

To troubleshoot or debug issues, you might need to recover the local CLI access for an endpoint. Note that recovering the local CLI for an endpoint prevents the enforcement of policies from McAfee ePO to the endpoint. This implies that while the CLI is recovered for an endpoint, no existing or new policies (created on the McAfee ePO console) are applied to that endpoint; policy enforcement resumes only after the CLI is locked down again, so keep recovery windows short and lock the CLI as soon as the troubleshooting is done.

What is the significance of the label specified in a policy while configuring updaters, installers, and trusted users?

The specified labels help you correlate the generated events with the actions performed by the trusted resources. For example, when an event is generated for an action performed by a trusted user, the Workflow ID attribute for the event includes the label specified for the trusted user.

How do I unsolidify a file, directory, or volume?

To unsolidify a file, directory, or volume, run the SC: Run Commands client task with the sadmin unso <resource name> command.

Do Change Control and Application Control work in Network Address Translation (NAT) environments?

If the McAfee ePO server is able to communicate with the McAfee Agent in a NAT environment, Change Control and Application Control will work.

How can I trust applications developed for use within my organization?

Sign the applications with a self‑generated certificate, then trust the certificate.

1 Perform one of these actions.

• Locate your certificate if you have an existing certificate.

• Generate an X.509 certificate (key pair) using a tool such as makecert.exe (see http://msdn.microsoft.com/en-us/library/bfsktky3%28VS.80%29.aspx). Keep the private key on a restricted build host: anyone who can sign with it can run code on every endpoint that trusts the publisher.

2 Export the certificate in PEM (Base‑64 encoded X.509 ‑ .CER) format.

3 Upload the certificate and add it to an Application Control policy as a trusted publisher.

4 Apply the policy to the endpoints.

5 Use the certificate to sign and verify all in-house applications. This can be done using a tool such as SignTool.exe.

When working with scripts, convert the script into a self extracting executable file, then sign the file.

6 Define the internal certificate as a trusted publisher.
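The whole procedure in PowerShell, as an added example (not from the McAfee guide): issue an internal code-signing certificate, export the public part in the Base-64 .CER form that the trusted-publisher upload expects, sign an in-house binary, and verify the signature. New-SelfSignedCertificate with -Type CodeSigningCert (Windows 10 / Server 2016 or later) and Set-AuthenticodeSignature stand in for the makecert.exe and SignTool.exe the guide names. The subject name, output folder and binary path are assumptions.

```powershell
# Added example, not from the McAfee guide: internal code-signing certificate end to end.
# Run elevated so the key is created in the machine store.
$subject = 'CN=Contoso Internal Code Signing'   # assumed
$outDir  = 'C:\Certs'                            # assumed
$target  = 'C:\Build\inhouse-tool.exe'           # assumed: the application to sign
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# 1. Self-signed code-signing certificate. The private key is non-exportable and stays
#    on this host; treat the host like a CA, since a signature from this key is a
#    blanket allow on every endpoint that trusts the publisher.
$cert = New-SelfSignedCertificate -Type CodeSigningCert -Subject $subject `
    -CertStoreLocation 'Cert:\LocalMachine\My' -HashAlgorithm SHA256 `
    -KeyExportPolicy NonExportable -NotAfter (Get-Date).AddYears(3)

# 2. Export the public certificate only, wrapped in the PEM envelope
#    ("Base-64 encoded X.509 - .CER"). This is the file to upload as a trusted publisher.
$pemPath = Join-Path $outDir 'contoso-codesign.cer'
$der = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
$b64 = [Convert]::ToBase64String($der)
$pem = @('-----BEGIN CERTIFICATE-----') +
       ([regex]::Matches($b64, '.{1,64}') | ForEach-Object { $_.Value }) +
       '-----END CERTIFICATE-----'
Set-Content -Path $pemPath -Value $pem -Encoding Ascii

# 3. Sign the binary and read the signature back. For scripts, follow the guide's advice:
#    wrap them in a self-extracting executable first, then sign that file.
Set-AuthenticodeSignature -FilePath $target -Certificate $cert -HashAlgorithm SHA256 | Out-Null
$sig = Get-AuthenticodeSignature -FilePath $target
[pscustomobject]@{
    File       = $target
    Status     = $sig.Status                           # Valid only once Windows trusts the chain
    Signer     = $sig.SignerCertificate.Subject
    Thumbprint = $sig.SignerCertificate.Thumbprint     # compare with the publisher entry in the policy
    Exported   = $pemPath
}
```

Get-AuthenticodeSignature reports Valid only when Windows can build a trusted chain; for a self-signed signer that means importing the .cer into the Trusted Root Certification Authorities store of the verifying machine, which is a separate step from adding it as a trusted publisher in the Application Control policy. Add -TimestampServer with a timestamping service of your choice so that signatures made before the certificate expires stay valid afterwards.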

Can I script sadmin commands?

Yes, you can script sadmin commands. Note that when recovering the CLI, you are prompted to enter the password. To avoid the prompt within a script, append -z <password> to the sadmin recover command. Because the password is then part of the command line, it is visible to anyone who can read process information on the endpoint for as long as that sadmin process runs, so do not store it in the script itself.
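An added example of such a script (not from the McAfee guide). Only sadmin recover -z <password> is documented above; the try/finally that always locks the CLI again is added because a recovered CLI stops McAfee ePO policy enforcement on the endpoint until it is locked down, and sadmin lockdown is the command that does that. It assumes sadmin.exe is on PATH and that the recovery password is supplied through an environment variable (SADMIN_RECOVER_PASSWORD, a name chosen for this example) set in the calling session rather than written into the script.

```powershell
# Added example, not from the McAfee guide: recover the CLI, run sadmin commands, always lock again.
param(
    # Example command list (assumed); each entry is one sadmin command line. Split on
    # spaces below, so pass arguments containing spaces as a pre-split array instead.
    [string[]]$Commands = @('status', 'features list', 'unso C:\Temp\old-tool.exe')
)

function Invoke-Sadmin {
    # Run one sadmin command and fail on a non-zero exit code so that a mistake does not
    # silently skip later commands; the caller's finally block still runs the lockdown.
    param([Parameter(Mandatory)][string[]]$ArgumentList)
    $output = & sadmin @ArgumentList 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "sadmin $($ArgumentList -join ' ') failed with exit code ${LASTEXITCODE}: $output"
    }
    $output
}

$password = $env:SADMIN_RECOVER_PASSWORD   # hypothetical variable name
if (-not $password) { throw 'Set SADMIN_RECOVER_PASSWORD in the calling session before running this script.' }

$recovered = $false
try {
    # -z passes the password non-interactively. It is then visible in the process command
    # line for the lifetime of that sadmin.exe process; restrict who can inspect processes
    # on the host and keep this line out of transcripts and job logs.
    Invoke-Sadmin -ArgumentList @('recover', '-z', $password) | Out-Null
    $recovered = $true

    foreach ($cmd in $Commands) {
        Write-Host "> sadmin $cmd"
        Invoke-Sadmin -ArgumentList ($cmd -split ' ') | ForEach-Object { Write-Host "  $_" }
    }
}
finally {
    if ($recovered) {
        # Re-lock the CLI so that McAfee ePO policies apply to this endpoint again,
        # even if one of the commands above threw.
        & sadmin lockdown | Out-Null
        Write-Host "sadmin lockdown exit code: $LASTEXITCODE"
    }
}
```

Run it as .\sadmin-batch.ps1 after setting the variable in the session; the lockdown in the finally block is the part most scripts forget, and an endpoint left recovered is an endpoint that silently stops receiving policy.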


How can I resolve discrepancies and inconsistencies in the Solidcore rule groups after upgrading the Solidcore extension? When I access the Rule Groups page, an Internal Server Error is displayed.

Run the Rule Group Sanity Check server task from the McAfee ePO console to fix the inconsistencies in the rule groups. This server task reports and corrects (if possible) discrepancies and inconsistencies in the Solidcore rule groups and policies.

1 Select Menu | Automation | Server Tasks.

2 Click New Task.

The Server Task Builder wizard opens.

3 Type the task name and click Next.

4 Select Solidcore: Rule Group Sanity Check from the Actions drop‑down list.

5 Click Next.

6 Specify the schedule for the task.

7 Click Next.

The Summary page appears.

8 Review the task summary and click Save.

9 Review the logs generated by the server task (on the Server Task Log page) to view the warnings, if any.

What can I do to manage the predefined rules available with Change Control and Application Control?

We recommend that you revisit the predefined rules available with Change Control and Application Control when you install or upgrade the Solidcore extension. Because the software installed on the endpoints in your enterprise changes over time (programs are added or removed), revise the rules periodically: based on the software installed on the endpoints in your setup, remove unwanted or irrelevant rules. A rule that trusts an updater or publisher for software you no longer run is an unnecessary path around the whitelist.

How can I enable or disable selected features on endpoints from the McAfee ePO console?

Use the Application Control Options (Windows) policy to enable or disable selected features on endpoints from the McAfee ePO console.

1 Select Menu | Policy | Policy Catalog.

2 Select the Solidcore 6.1.0: Application Control product.

3 Select the Application Control Options (Windows) category.

4 Edit the My Default policy.

• If you are using McAfee ePO 4.6, click the policy.

• If you are using McAfee ePO 4.5, click Edit Settings for the policy.

5 Switch to the Features tab.

6 Select the Enforce feature control from ePO option.


7 Select the features to enable or disable.

8 Save the policy and apply to the relevant endpoints.

What proxy is used by Application Control to communicate with the GTI server?

Application Control uses the proxy server configured on the Menu | Configuration | Server Settings | Proxy Settings page on the McAfee ePO console. If no proxy server is configured, Application Control communicates directly with the GTI server.

What is the address of the GTI server?

Application Control communicates with the following two GTI servers:

Registered server | Address
--- | ---
Application Control GTI Cloud Server | https://cwl.gti.mcafee.com/api/index.php/api
Application Control GTI Cloud Feedback Server | https://cwl.gti.mcafee.com/api/index.php/etl

Complete the following steps to view the configuration for the GTI servers:

1 Select Menu | Configuration | Registered Servers.

2 Select the Application Control GTI Cloud Server entry and click Actions | Edit.

The Registered Server Builder page displays.

3 Click Next.

4 Review the GTI server configuration.


B Change Control and Application Control events

Provides a detailed list of all Change Control and Application Control events. For each event the table gives the event name, the display string shown in the console, the severity assigned by the Solidcore client, and the severity reported in McAfee ePO. The original table also flags each event as a Change Control event, an Application Control event, or a Solidcore client-related event (boot, mode-change, inventory and licensing events); that flag is not reproduced below.

Event Name | Event Display String | Solidcore Client Severity | McAfee ePO Severity
--- | --- | --- | ---
BOOTING_DISABLED | Booted in Disabled mode | Warning | Warning
BOOTING_ENABLED | Booted in Enabled mode | Info | Information
BOOTING_UPDATE_MODE | Booted in Update mode | Info | Information
ENABLED_DEFERRED | Enabled On Reboot | Info | Information
DISABLED_DEFERRED | Disabled On Reboot | Warning | Warning
BEGIN_UPDATE | Opened Update Mode | Info | Information
END_UPDATE | Closed Update Mode | Info | Information
COMMAND_EXECUTED | Command Executed | Info | Information
REG_KEY_CREATED | Registry Created | Info | Information
REG_KEY_DELETED | Registry Deleted | Info | Information
REG_VALUE_DELETED | Registry Deleted | Info | Information
PROCESS_TERMINATED | Process Terminated | Major | Error
WRITE_DENIED | File Write Denied | Major | Error
EXECUTION_DENIED | Execution Denied | Major | Error
PROCESS_TERMINATED_UNAUTH_SYSCALL | Process Terminated | Major | Error
PROCESS_TERMINATED_UNAUTH_API | Process Terminated | Major | Error
MODULE_LOADING_FAILED | Module Loading Failed | Major | Error
FILE_ATTR_SET | File Attribute Set | Info | Information
FILE_ATTR_CLEAR | File Attribute Cleared | Info | Information
FILE_ATTR_SET_UPDATE | File Attribute Set | Info | Information
FILE_ATTR_CLEAR_UPDATE | File Attribute Cleared | Info | Information
REG_VALUE_WRITE_DENIED | Registry Write Denied | Major | Error
REG_KEY_WRITE_DENIED | Registry Write Denied | Major | Error
REG_KEY_CREATED_UPDATE | Registry Created | Info | Information
REG_KEY_DELETED_UPDATE | Registry Deleted | Info | Information
REG_VALUE_DELETED_UPDATE | Registry Deleted | Info | Information
OWNER_MODIFIED | File Ownership Changed | Info | Information
OWNER_MODIFIED_UPDATE | File Ownership Changed | Info | Information
PROCESS_HIJACKED | Process Hijack Attempted | Major | Error
INVENTORY_CORRUPT | Inventory Corrupted | Critical | Critical
BOOTING_DISABLED_SAFEMODE | Booted in Disabled mode | Warning | Warning
BOOTING_DISABLED_INTERNAL_ERROR | Booted in Disabled mode | Critical | Critical
FILE_CREATED | File Created | Info | Information
FILE_DELETED | File Deleted | Info | Information
FILE_MODIFIED | File Modified | Info | Information
FILE_ATTR_MODIFIED | File Attribute Modified | Info | Information
FILE_RENAMED | File Renamed | Info | Information
FILE_CREATED_UPDATE | File Created | Info | Information
FILE_DELETED_UPDATE | File Deleted | Info | Information
FILE_MODIFIED_UPDATE | File Modified | Info | Information
FILE_ATTR_MODIFIED_UPDATE | File Attribute Modified | Info | Information
FILE_RENAMED_UPDATE | File Renamed | Info | Information
FILE_SOLIDIFIED | File Solidified | Info | Information
FILE_UNSOLIDIFIED | File Unsolidified | Info | Information
ACL_MODIFIED | File Acl Modified | Info | Information
ACL_MODIFIED_UPDATE | File Acl Modified | Info | Information
PROCESS_STARTED | Process Started | Info | Information
PROCESS_EXITED | Process Exited | Info | Information
TRIAL_EXPIRED | Trial license expired | Major | Error
READ_DENIED | File Read Denied | Major | Error
USER_LOGON_SUCCESS | User Logged On | Info | Information
USER_LOGON_FAIL | User Logon Failed | Info | Information
USER_LOGOFF | User Logged Off | Info | Information
USER_ACCOUNT_CREATED | User Account Created | Info | Information
USER_ACCOUNT_DELETED | User Account Deleted | Info | Information
USER_ACCOUNT_MODIFIED | User Account Modified | Info | Information
PKG_MODIFICATION_PREVENTED | Package Modification Prevented | Critical | Critical
PKG_MODIFICATION_ALLOWED_UPDATE | Package Modification Allowed | Info | Information
PKG_MODIFICATION_PREVENTED_2 | Package Modification Prevented | Critical | Critical
NX_VIOLATION_DETECTED | Nx Violation Detected | Critical | Critical
REG_VALUE_MODIFIED | Registry Modified | Info | Information
REG_VALUE_MODIFIED_UPDATE | Registry Modified | Info | Information
UPDATE_MODE_DEFERRED | Update Mode On Reboot | Info | Information
FILE_READ_UPDATE | File read in update mode | Info | Information
STREAM_CREATED | Alternate Data Stream Created | Info | Information
STREAM_DELETED | Alternate Data Stream Deleted | Info | Information
STREAM_MODIFIED | Alternate Data Stream Modified | Info | Information
STREAM_ATTR_MODIFIED | Attribute Modified in Data Stream | Info | Information
STREAM_CREATED_UPDATE | Alternate Data Stream Created | Info | Information
STREAM_DELETED_UPDATE | Alternate Data Stream Deleted | Info | Information
STREAM_MODIFIED_UPDATE | Alternate Data Stream Modified | Info | Information
STREAM_ATTR_MODIFIED_UPDATE | Attribute Modified in Data Stream | Info | Information
STREAM_ATTR_SET | Attribute Added in Data Stream | Info | Information
STREAM_ATTR_CLEAR | Attribute Cleared in Data Stream | Info | Information
STREAM_ATTR_SET_UPDATE | Attribute Added in Data Stream | Info | Information
STREAM_ATTR_CLEAR_UPDATE | Attribute Cleared in Data Stream | Info | Information
STREAM_RENAMED | Alternate Data Stream Renamed | Info | Information
STREAM_RENAMED_UPDATE | Alternate Data Stream Renamed | Info | Information
BEGIN_OBSERVE | Start Observe Mode | Info | Information
BEGIN_OBSERVE_DEFERRED | Start Observe Mode On Reboot | Info | Information
END_OBSERVE | End Observe Mode | Info | Information
END_OBSERVE_DEFERRED | End Observe Mode On Reboot | Info | Information
INITIAL_SCAN_TASK_COMPLETED | Initial Scan Completed | Info | Information
BOOTING_OBSERVE | Booted in Observe Mode | Info | Information
ACTX_ALLOW_INSTALL | ActiveX installation Allowed | Info | Information
ACTX_INSTALL_PREVENTED | ActiveX installation Prevented | Major | Error
VASR_VIOLATION_DETECTED | VASR Violation Detected | Critical | Critical

Note that the _UPDATE variants (for example FILE_MODIFIED_UPDATE) are the same change recorded while the endpoint was in Update mode, and the _DEFERRED events announce a mode change that takes effect at the next reboot; when you build alerting on this table, the Major and Critical rows are the denied, terminated, hijacked and corrupted-inventory conditions, and the Info rows are the change record.


Index

A
about this guide 7

C
conventions and icons used in this guide 7

D
documentation
  audience for this guide 7
  product-specific, finding 9
  typographical conventions and icons 7

M
McAfee ServicePortal, accessing 9

S
ServicePortal, finding product documentation 9

T
Technical Support, finding product information 9

W
what's in this guide 8
