MCAFEE APPLICATION CONTROL / CHANGE CONTROL BEST PRACTICES GUIDE
Version December 2011
About This Guide

The purpose of this guide is to provide best practices for initial usage of the three main Solidcore products: McAfee Application Control, McAfee Integrity Monitor and McAfee Change Control. Topics addressed in this document include:

- Pre-Installation Requirements and Guidelines (Setting up for Success)
- MAC/MCC Install and Initial Deployment
- MAC/MCC/MIM Use Cases for Evaluation Planning
- Policy and configuration guidance
- Dashboards and Reporting
- Post Evaluation Considerations

Intended Audience

This guide is intended to assist McAfee customers with the initial setup of McAfee Application Control, McAfee Change Control, and/or McAfee File Integrity Monitoring.

Assumptions

To successfully use this guide it is assumed that:

- A fully functional ePO 4.6 infrastructure is available, including the required SQL database.
- Local or Domain Administrator credentials for the ePO server and sa-level credentials for the SQL database are available.
- All installation packages have been downloaded.
Core Functionality

McAfee Application Control / Whitelisting (MAC), Current Version 6.x

McAfee Application Control technically enforces control over system and application code to ensure that only authorized code can run and unauthorized code cannot run (both via Dynamic Whitelisting); that authorized code cannot be tampered with (via Application Control); and that vulnerabilities in authorized code cannot be exploited (via Memory Protection). Application code includes not only traditional executables but also scripts and interpreted languages. Authorized updating mechanisms allow granular change control, so that, for example, Windows patches can be approved automatically, whereas changes to locked-down applications will be prevented. Authorized updating can occur by opening an update window or by authorizing a user or application to make changes. No file system scanning is required for this solution, so system performance overhead and resource constraint concerns are eliminated. In addition, Application Control also provides Image Deviation, which compares all the code resident on a machine or group of machines to a Gold Master standard, and also compares all the code to McAfee's Global Threat Intelligence Blacklist in a cloud security data

Please Note: Review the attached Matrix of supported operating systems (below).

McAfee Integrity Monitoring (MIM), Current Version 6.x

McAfee Real-time Integrity Monitoring can monitor changes (update, delete, rename, move and copy operations) on files, directories and registry keys, and track them as they happen in real time. This even allows identification of transient changes (when a file is changed inappropriately and then changed back). The monitoring includes rich information capture that records the user and the program that made the change, the object that was changed, and the exact time when the change was made.
Please Note: Review the attached Matrix of supported operating systems (below).

McAfee Change Control (MCC), Current Version 6.x

McAfee Change Control provides tamper-proofing by technically enforcing that no changes can be made to selected files, directories and registry keys, so that they cannot be modified in any way. In addition it tracks any authorized changes in real time, allowing automatic and accurate monitoring and reporting of actual changes. Protection is linked directly to policy, and changes are verified against the change source, time window, or approved change ticket. Changes that are attempted outside of policy on enabled servers are blocked and logged.

Please Note: Review the attached Matrix of supported operating systems (below).

Operating System Matrix: Operating System support-matrix.pdf
Core Functionality Matrix

Table 1 - Evaluation scenarios (MCC includes File Integrity Monitoring)

Evaluation Description | MAC | MCC | Scenario
Whitelist software and confirm unauthorized software is not permitted to run | X | | 1 - Application Control and Reporting
Explore trusted update sources and mechanisms | X | | 2 - Trusted Updaters
Image Deviation (Gold system image comparison) | X | | 3 - Gold Image Configuration Comparison
Monitor critical configuration files and registry for changes | | X | 4 - File System and Registry Monitoring
Protect critical configuration files from reading and writing, and registry settings from writing | | X | 5 - File System and Registry Protection
Manage systems locally and remotely | X | X | ePO Management
Helpful Guides:

- ePO 4.6 Product Guide: epo_460_product_guide_en-us.pdf
- ePO 4.6 Installation Guide: epo_460_install_guide_en-us.pdf
- ePO 4.6 Sizing Guide for McAfee Application Control / Change Control: epo Database Sizing Estimation Guide for MAC_MCC_MIC.pdf
- McAfee Application Control Emergency back out procedure: McAfee Application Control Emergency Backout Procedure.pdf
- McAfee Application Control / Change Control Stand alone to ePO managed instructions: McAfee Solidcore Agent Standalone to epo Managed.pdf
Getting Started with ePO 4.6

Summary of initial setup tasks

Initial Communication (required):
01 - MFE: Create ePO System Tree infrastructure
02 - MFE: Set up communication between ePO and the McAfee Agent (client)
03 - MFE: Install Application Control / Change Control extension
04 - MFE: Check in client Application Control / Change Control software packages

Application / Change Control Initial Tasks (required):
10 - SC: Deploy Application / Change Control software module
11 - SC: Enable Application / Change Control
12 - SC: Pull Inventory
13 - SC: Get Diagnostics for Programs
Initial Communication Setup (set up communication between ePO and client systems)

1. ePO Setup - System Tree: The System Tree groups represent a collection of systems. Deciding which systems to group together depends on the unique needs of your network and business. You can group systems based on machine type (e.g. laptops, servers, desktops), geography (e.g. North America, Europe), political boundaries (e.g. Finance, Development), or any other criteria that supports your needs.

Note: An efficient and well-organized System Tree can simplify maintenance. Many administrative, network, and political realities of each environment can affect how your System Tree is structured. Plan the organization of the System Tree before you build and populate it. Especially for a large network, you want to build the System Tree only once. Because every network is different and requires different policies and possibly different management, McAfee recommends planning your System Tree before implementing the McAfee ePO software. Regardless of the methods you choose to create and populate the System Tree, consider your environment while planning the System Tree.
2. Deploy the McAfee Agent to the identified systems and verify connectivity.

Log in to ePO and navigate to Menu > Systems > System Tree. To add systems or subgroups to the System Tree, click the button on the lower left of the ePO screen. From this form you may add systems and create the containers to organize your identified devices in the System Tree.

Note: Throughout this document, "identified systems" is used to represent the devices in the System Tree.
Options to deploy the McAfee Agent are:

Options 1 and 2 deploy the agent by mapping a Windows share (credentials are required), copying the agent to the client and then executing framepkg.exe to install the agent. This package contains all pertinent information regarding the ePO-to-client connection.

Option 4 creates a deployable package (credentials are optional). This package contains all pertinent information regarding the ePO-to-client connection.
Verify communication between the client and the ePO server:

Install Application Control / Change Control Extension

3. Navigate to Menu > Software > Extensions to install the McAfee Solidcore extension, then click the button on the lower left of the form.
Add the licenses for your products. Licensing options are:

- Change Control: activates the File Integrity Monitoring and Change Control functionality.
- Application Control Integrity Control: activates the combination suite of Application Control and Change Control, to be used on POS, manufacturing and ATM systems.
- Application Control: activates the application whitelisting protection coupled with memory protection.
- Reconciliation: activates the reconciliation functionality (to be used with Remedy 7 exclusively).

4. Navigate to and click on the text on the left, then add the licenses:
Add the Solidcore Agent module to ePO: Navigate to Menu > Software > Master Repository > Actions

**** ePO Infrastructure Setup Completed ****
Client McAfee Application / Change Control Deployment Task

BEST PRACTICE TIP: create logical groups in the ePO System Tree of machines that have Application Control / Change Control and deploy these tasks at a group level.

Set up a client task to deploy the McAfee Solidcore component to the identified systems. From the System Tree:
1. Navigate to the
2. Click on tab
3. Click on
5. Choose the Product:
6. Choose the task type:
7. Create the Task Name:
BEST PRACTICE TIP: Consider creating and using Tags to identify systems with Application Control / Change Control on them. This will assist with both administration and policy application.

8. Choose your deployment time (NOTE: the most common method is to run immediately). The options are:
9. Then, to force a task completion:
Verify that the Solidcore client is installed:
McAfee Application / Change Control Enable Task

Enable McAfee Application Control / Change Control and *** Whitelist the System

This task sets a flag in the software to enable (engage) whitelisting protection and/or Change Control with file integrity monitoring. It can also create the whitelist automatically if the Application Control option is selected.

*** The whitelisting functionality is only for use with the McAfee Application Control license. McAfee Change Control does not require a whitelist to function.

Set up a client task to deploy the McAfee Solidcore component to the identified systems. From the System Tree:
1. Navigate to the
2. Click on tab
3. Click on
Enable Options explained:
Name your task. BEST PRACTICE TIP: use a naming convention that relates to the product (for example: "SC: Enable", "SC: Begin Update Mode").

Pick your version: and Earlier, or 6.0 and Later versions.

Pick your licensed Product:

Initial Scan CPU throttle options: This option sets the process priority for the single scan that Application Control performs only once to build the initial whitelist. BEST PRACTICE TIP: for machines that are in production, use Low priority to ensure the least impact from an I/O perspective, especially if the machine cannot be rebooted. If the machine can be rebooted and you want the initial scan to occur as quickly as possible, set the priority to High.

Activation Options (Application Control only!):
Full Feature Mode (requires an immediate reboot): Application whitelisting with Memory Protection. This enables the full protection capabilities of Application Control following a forced reboot that occurs 5 minutes after the machine receives the task. BEST PRACTICE TIP: if at all possible, use Full Feature Mode to ensure the highest level of security, especially if the machine does not have another memory protection mechanism such as is sometimes provided by anti-virus or HIPS software.

Limited Feature Mode (delayed reboot): Application whitelisting without memory protection enabled until a reboot.

Start in Observation Mode: This option starts the system in learning mode. Use this functionality to identify updating mechanisms and sources of change. Policy suggestions are provided by the ePO console while the endpoint machine is in Observe Mode. BEST PRACTICE TIP: for all systems it is beneficial to use Observe Mode and put systems through a full functionality testing/production cycle, after which the policy suggestions can be reviewed.

Change Control Activation (does not require a reboot): Activation options are not available or needed when activating Change Control.
Environment Specific Configuration Best Practices

Using Change Control to monitor Trusted Directories: When using a trusted directory policy mounted from a server, use Change Control on the server to monitor who/what/when/how files are modified in the trusted directory. This helps to prevent misuse of the Trusted Directory policy.

Recommendations for POS Environments:
- Comments regarding PCI compliance
  o Compensating control for AV requirement
- Configurations often required given use of 3rd party outsourcers
- Issues with network bandwidth: how to get effective information and security while not interrupting normal business operations
- Effective grouping of systems in ePO for efficient management

Recommendations for ATM Environments:
- Configurations often required given use of 3rd party outsourcers
- NCR/Diebold/Wincor specific recommendations

Windows Embedded Systems: The only catch you might encounter is the write filter. If it is enabled you will have problems managing Solidcore via ePO. This is due to the write filter (if configured to do so) protecting the registry key where the Solidcore configuration is stored. The workaround is to exclude that registry path from the write filter so that writes to it persist. Add the path c:\windows\system32\config to the exclusion list for FBWF/EWF, then reboot:

>fbwfmgr /addexclusion c:\windows\system32\config

Advice on configuring, and why to use, features such as:
- Read Protection
- Anti-debugging
- Mon UAT

Client Installation and Deployment Tasks Complete
Management: Application Control

NOTE - Protection Functionality Recap: Application Control creates an inventory of all executables, scripts, drivers and dynamic link library (.dll) files via the initial scan and only allows that authorized code to execute. Once the whitelist is created, nothing on the whitelist can be modified except by an authorized source, hence the requirement for updating mechanisms, which are typically found using Observe Mode and the built-in profiles provided with Application Control. These mechanisms include processes, people or code that is given the authority to change the whitelist contents. Application Control gates all processes to ensure they are run off of disk (not purely in memory) and includes memory protection against memory-based attacks such as buffer overflows, stack exploits, etc.

Developing Policies - Initial policy questions to manage McAfee Application Control:
- How do you make change today (programs, tools, users and processes)?
- Do you have a formal change process?
- Do you (or could you easily) define what constitutes authorized change vs. unauthorized change (one example could be: "we don't want changes during production hours")?
- How do you make change (manual updates, automatic software, agent-based push, etc.)?
- How homogeneous (or not) is the environment (number of system images)?

Security Policies and Rule Groups: Since Application Control only allows execution of applications that are in the inventory, it needs to allow permitted mechanisms to make software changes. The process of dynamically updating the whitelist is defined in the Application Control policy. In addition to updating mechanisms, applications that spawn new processes need to be identified as updaters as well.

BEST PRACTICE TIP: All policies should utilize rule groups. A rule group is a categorization system of application updating mechanisms.
To manage policies, navigate to the Policy Catalog.
Create a new Policy:

BEST PRACTICE TIP: create new policies based on the Blank Template to ensure that only the updater mechanisms you want are configured as part of your policy. Label the policy using the best practice naming conventions:
BEST PRACTICE TIPS:

1. Create policies for groups of similar machines (i.e. policies for Domain Controllers, policies for Oracle Servers, etc.).
2. Machines can have multiple policies, so consider having more granular policies rather than one large policy with many rule entities.
3. Consider carefully the impact of a policy type; some policies are more loose or restrictive than others. The following table outlines the relative degree of restriction of each element a policy could have:

Updater Method | Level of Restriction | Business Use Case | Notes
Update Window | Low | Emergency changes to system(s) | Two ePO client tasks, one to open and one to close
Trusted Users | Low | Help desk user ability to remotely log in for break/fix; administration of systems that are geographically distant |
Publishers | Medium | Customer can be their own CA and allow only their code to update a system regardless of how the code enters the system, or use signed code from a vendor | More flexibility than a hashed Installer
Authorized Updater Program | High | Update existing whitelisted applications based on a program that can make change | Most common updating method
Binary | High | Allow or block program execution based on name or hash. Allow: scripts created dynamically, i.e. by an end-of-day/closing process on a kiosk for back office reporting. Block: block installed programs that shouldn't run, i.e. iTunes, or reduce the risk exposure of a server to admin tool misuse, i.e. ban net.exe, msconfig.exe, runas.exe, netstat.exe, etc. | Used to control execution, not change, on a system
Installers | High | A non-whitelisted standalone executable that is identified by hash to install applications on a controlled system | Useful for software distribution based on approved applications
Trusted Directory | High | Printer drivers on a remote share, corporate approved applications on a share, start-up scripts | Easier to manage than hash or cert, but not as secure

4. Application Control will not allow code to be run in temporary directories (i.e. C:\temp). To allow code that exists in these directories to run you may need to create a Binary Allow policy specifically for the executable name or hash.
5. When using Updaters (i.e. specific application processes that will be allowed to modify the whitelist), consider the implications of using full path names vs. just the name of the executable itself. For example, when creating an updater for Firefox, if you specify that Firefox.exe is an authorized updater, then any version of Firefox currently on the machine could make updates (i.e. if both C:\Firefox.exe and C:\Program Files\Firefox.exe exist, they are both updaters). Consequently, if you specify C:\Program Files\Firefox.exe in the Updater field, then only that instance of Firefox will be an updater.
6. Updater mechanisms, regardless of whether it is an Updater, Trusted User, Publisher etc., are global. It is not possible to specify that a particular application can only modify a specific set of code.
7. When you create an Updater type of policy you are authorizing a specific process on the machine to make changes to existing code and add new code to the whitelist. If the process is running when you create the policy and assign it updater privileges, it will NOT inherit those rights until the process is restarted.
8. Consider using Installers policies rather than Trusted Directory policies. Installer policies are based on the name of the installer package (e.g. an MSI program installer) or its binary hash. Because it is more specific, an Installer policy is more secure than a Trusted Directory policy.

The Application Control Policy Explained:

Rule Groups: A rule group is a categorization system that will assist with policy management. Rule groups include updaters, binary, trusted users, publishers and installers. Best practice is to utilize rule groups in policies as opposed to adding updaters to the policy itself. Rule Groups are created at:
Updaters: A mechanism to allow updates automatically; these whitelisted applications are permitted to update the system. It is the plumbing for client/server updating mechanisms. Example: SCCM Server -> Update -> Client: ccmexec.exe applies the update. Typical examples are:
- Software provisioning systems that download, install and run new code, e.g. Microsoft SCCM, Microsoft SUS, Tivoli, Altiris, custom scripts.
- Self-updating applications, e.g. anti-virus, Adobe Acrobat, Google Update.
- Applications that create executable code at run time, e.g. anti-virus, custom applications.
- Applications that write to existing system or application code on disk (binaries, DLLs, scripts etc.), e.g. backup agents, anti-virus.

Binary: Explicitly allows a binary to run. It also gives the ability to ban or blacklist applications.

Trusted Users: A trusted user has the ability to dynamically update the whitelist while logged into a system. This privileged user can install and uninstall software. (The user must also have Windows domain or local admin rights.)

Publishers: A trusted publisher is a digitally signed software application. McAfee Application Control can traverse software directories and extract these certificates. To identify Publishers, navigate to:
Extract the certificates from the signed applications.
Add the publishers to the Application Control policy. Pick the publisher to apply to the policy:
Save the policy.

Installers: An application installer identified by its SHA1 checksum that is allowed to install or update software. When a program (or an installer) is configured as an authorized installer, it gets both attributes: authorized binary and updater. Hence, regardless of whether the installer was originally present on the endpoint or not, it is allowed to execute and update software on the endpoint. To identify Installers, navigate to:
NOTE: Use the embedded application HashTab to extract the SHA1 hash value of the desired installer. Determine your application and collect the hash value:
Define the Installer:
Now apply the installer to your policy:
Bypass rules: Some applications (as part of their day-to-day processing) run code in this way and hence are prevented from running. To allow such applications to run, define appropriate bypass rules. Note that a bypassed file or application is no longer considered by the memory protection features of Application Control. Bypassing a file should be the last resort to allow an application to run and should be used wisely.

Note: Memory Protection components: MP-CASP (32-bit) and MP-NX (64-bit).

Best Practice tip: For software such as PsExec and DameWare you will need an exception.
What are Attributes? (See Appendix A for memory troubleshooting.)

- Always authorized attribute: This memory attribute allows the user to configure a supported file as always authorized to execute. A file configured under this attribute will be allowed to execute whether whitelisted or not.
- Bypassed from memory control attribute: This attribute allows the user to configure a process to run bypassed from MP-mangling and MP-decoying. This is one of the memory protection techniques provided by Application Control, but it is disabled by default.
- Bypassed from Critical Address Space Protection attribute: Critical Address Space Protection is the latest and most effective memory protection technique provided by Application Control. It is enabled by default. This attribute configures a process to run bypassed from MP-CASP.
- Bypassed from process stack randomization attribute: This bypass is an attribute under MP-VASR protection, which is enabled only on special request from the customer.
- Rebase DLL attribute: Change the base address of a DLL. The technique involves randomly arranging the positions of key data areas, usually including the base of the executable and the position of libraries, heap, and stack, in a process's address space.
- Bypassed from DLL relocation attribute: A DLL configured as bypassed from the DLL relocation provided by MP-VASR. This attribute is part of the VASR memory protection technique. This feature is disabled by default as CASP is enabled.
- Full crawl attribute: This memory attribute belongs to MP-mangling and MP-decoying memory protection. This feature is disabled by default. Crawling is the process by which a system accesses and parses content and its properties, sometimes called metadata, to build a content index from which search queries can be served.
- Bypassed from installer detection: Belongs to the PKG-CTRL feature, which tracks the installation and un-installation of MSI-based packages. Any installer name configured with this attribute is bypassed from the installer detection functionality.
- Always unauthorized attribute: A binary/script so configured is blocked from execution even if whitelisted.
- Process context registry bypass: Application Control will not track any registry operations for the process configured under this attribute. All registry operations in the context of the configured process are bypassed from Application Control.
- Bypassed from DEP: DEP is Data Execution Prevention. It is the memory protection technique MP-NX, provided by Application Control for 64-bit machines. The memory protection check will not apply to a process configured as Bypassed from DEP.

MP-CASP and MP-NX
Trusted Directory: A shared folder on the internal network, or a locally defined path on every system, where installers for authorized and licensed applications are kept. Such network shares are within the security perimeter; they are known. This policy allows all users to run any software present on a Trusted Directory identified by its UNC pathname.

Best Practice tip: Windows group policy needs to have a trusted directory defined to allow login scripts. Example:
\\contoso.com\sysvol
\\contoso.com\netlogon

Advanced Exclusion Filters: Refers to event filtering. Advanced filters are used to exclude changes by using a combination of conditions. Advanced exclusion filters are typically used to prune routine system-generated change events that are not relevant for your monitoring or auditing needs. Example: The policy example below excludes events for the file c:\logs\web.log with the event File Modified, where the program equals Apache.exe and the user equals system.

Best Practice tip: Use this to filter common approved day-to-day events that do not provide useful information.
Managing the inventory

By creating an inventory with McAfee Application Control you now have the ability to manage your whitelist. The software inventory from an endpoint contains information about the executable binaries, drivers, DLL files and script files that reside on each endpoint. The information stored in the inventory metadata includes the complete file name, file size, SHA1 checksum, file type, embedded application name and version. The software inventory metadata can be imported and managed via the McAfee ePO console. You can manage the whitelist with tasks that include: allow or ban specific binary files, inspect application or binary file reputation with the McAfee Global Threat Intelligence cloud, and compare the endpoint inventory with a gold system to view image deviation.

Contents:
- Fetching the inventory
- Interpreting the inventory
- Managing the inventory
- Comparing the inventory

Retrieving the inventory metadata

Application Control provides multiple methods to help you fetch the software inventory for an endpoint.
1. Use the SC: Enable client task to fetch the inventory for endpoints when you place the endpoints in Enabled mode. For more information, see the Enabling Application Control section.
2. Use the Fetch Inventory link on the Menu > Application Control > Inventory > Inventory By Systems page to fetch the inventory for selected endpoints.
3. Use the Fetch Inventory action for a selected endpoint on the Menu > Systems > System Tree > Systems page to fetch the inventory for an endpoint.
4. Use the SC: Pull Inventory client task to fetch the inventory for one or more endpoints.

NOTE: Application Control also allows you to import inventory details for endpoints not connected to the McAfee ePO console. Execute the command sadmin ls -lax > <XML file name> on the endpoint using the CLI to generate an XML file with inventory details. On the McAfee ePO console, select the endpoint on the Menu > Systems > System Tree > Systems page and click Actions > Import Inventory. The inventory for the selected endpoint is updated based on the inventory details included in the XML file.

GTI Integration to interrogate the inventory

Application Control is integrated with the McAfee Global Threat Intelligence (GTI) file reputation service. For each binary file, GTI can indicate whether the file is good, bad, or unknown. Based on reputation information retrieved from GTI, the application and binary files in the inventory are sorted into Good, Bad, and Unclassified categories.

GTI Trust Levels indicate the reliability or credibility of each binary. The assigned value ranges from 1 to 5. A value of 1 or 2 represents known bad files, such as Trojan, virus, and PUP files. A GTI trust score of 3 indicates an Unclassified file. A value of 4 or 5 represents known and trusted good files.

GTI Value | Description
5 | Known Clean
4 | Assumed Clean
3 | Unknown
2 | Suspicious
1 | Malicious
In addition to the above values, Application Control also tracks the Enterprise Trust Level value for each binary file. By default, the enterprise trust level for a file is the same as the cloud trust level. When edited, the enterprise trust level for a file overrides the cloud trust level for the file.

Note: An Unclassified application is unknown because it may be specific to your organization. However, you can categorize it as a Good file by editing the enterprise trust level. To edit the enterprise trust level for a file, select the file and select Actions > Change Enterprise Trust Level.
Software Inventory Actions

1. Select Menu > Application Control > Inventory. Available Tasks: All, Ban Binaries, Allowed Bad Binaries, Allowed Unclassified Signed Binaries, Allowed Unclassified Unsigned Binaries, Banned Good Binaries.
2. Review the binary files. When you view files sorted by applications or vendors, the Applications or Vendors pane is displayed. The pane provides a tree structure to help you navigate and view the files under each category. Select a node in the tree to review associated binary files in the Binaries pane. For all other views, only the Binaries pane is displayed. For each file, the Binaries pane lists the name, version, trust score, trust level (cloud and enterprise), allowed system count, and banned system count.
3. View binary details.
   a. Click a binary file. The Binary Details page displays.
   b. Click the cloud trust score to view the details fetched from the GTI server for the binary file.
   c. Review the endpoints listed in the Systems for this Binary pane.
   d. Click View Events for an endpoint to view events generated for the endpoint.
   e. Click Ban to ban the binary file from an endpoint.
   f. Click Close.
Comparing the inventory

Image deviation is used to compare the inventory of an endpoint with the inventory fetched from a designated gold system. This helps you to track the inventory present on an endpoint and identify any differences that occur. To accomplish this, complete the following steps.
1. Fetch the inventory for your gold host. For detailed information, see the Fetching the inventory section.
2. Fetch the inventory for the endpoint. For detailed information, see the Fetching the inventory section.
3. Review the Menu > Automation > Solidcore Client Task Log page to ensure that both client tasks completed successfully.
4. Compare the inventory of the gold host with the inventory of the endpoint. This is known as Image Deviation.
5. Review the comparison results.
Running the inventory comparison

Use this task to compare the inventory of the gold host with the inventory of an endpoint.

Before you begin: make sure that you have recently fetched the inventory for both the gold host and the endpoint. The comparison is only as current as the last fetch.

Task
1. Select Menu | Automation | Server Tasks.
2. Click New Task. The Server Task Builder wizard opens.
3. Type the task name and click Next.
4. Select Solidcore: Run Image Deviation from the Actions drop-down list.
5. Specify the gold system.
6. Configure these options to select the endpoints to compare with the gold system:
   - System to compare with Gold System: click Add to search for the endpoint that you want to compare with the gold system. Type the name of the endpoint in the System Name field and click Search.
   - Groups to compare with Gold System: click Add to search for the group that you want to compare with the gold system. Type the name of the group in the Group Name field and click Search.
   - Include Systems with Tags: click Add to search for endpoints based on their tag names. Type the tag name in the Tag Name field and click Search.
   - Exclude Systems with Tags: click Add to search for endpoints based on their tag names. Type the tag name in the Tag Name field and click Search. Select the required tag from the search result. All endpoints with the selected tags are excluded from comparison with the gold system.
7. Click Next. The Schedule page appears.
8. Specify the schedule for the task and click Next. The Summary page appears.
9. Review the task summary and click Save.

Run the server task immediately to review the comparison results right away.

Reviewing the comparison results

Use this task to review the results of an inventory comparison (image deviation).
1. Select Menu | Application Control | Image Deviation.
2. Locate the comparison of the gold host and endpoint. To quickly find the corresponding row, enter the endpoint name in the Search Target System field and click Search.
3. Click Show Deviations.
4. Review the comparison details:
   - Select the view type. You can organize the results by application or by binary file.
   - Use the available filters to narrow the results. Using the filters, you can view new (added), modified, and removed (missing) files.
   - Use the Execution Allowed Mismatch filter to view files whose execution status differs between the gold system and the endpoint. A binary that is allowed to run on the endpoint but not on the gold image deserves immediate attention.
   - Use the path filter to restrict the results to a file path.
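To make concrete what the deviation report contains, here is an added example that is not McAfee code and does not use the real ePO inventory export format (which this page does not show). It performs the same four-way comparison over two constructed inventories: files added on the endpoint, files removed, files modified (different hash at the same path), and files whose execution-allowed status differs between the gold image and the endpoint. Paths, hashes and the ExecutionAllowed field are all illustrative assumptions.

```powershell
# Added example (not McAfee code): the comparison an Image Deviation report boils down to.
# Inventory records, hash values and field names are constructed for illustration.

function Compare-Inventory {
    param(
        [Parameter(Mandatory)] [object[]] $Gold,
        [Parameter(Mandatory)] [object[]] $Endpoint
    )
    # Index both inventories by path (case-insensitive, as NTFS paths are).
    $goldByPath = @{}
    foreach ($g in $Gold)     { $goldByPath[$g.Path.ToLowerInvariant()] = $g }
    $endByPath = @{}
    foreach ($e in $Endpoint) { $endByPath[$e.Path.ToLowerInvariant()] = $e }

    $deviations = New-Object System.Collections.Generic.List[object]

    foreach ($path in $endByPath.Keys) {
        $e = $endByPath[$path]
        if (-not $goldByPath.ContainsKey($path)) {
            # Present on the endpoint, absent from the gold image: "new (added)".
            $deviations.Add([pscustomobject]@{ Path = $e.Path; Deviation = 'Added'; Gold = $null; Endpoint = $e.Sha1 })
            continue
        }
        $g = $goldByPath[$path]
        if ($g.Sha1 -ne $e.Sha1) {
            # Same path, different content: "modified".
            $deviations.Add([pscustomobject]@{ Path = $e.Path; Deviation = 'Modified'; Gold = $g.Sha1; Endpoint = $e.Sha1 })
        }
        if ($g.ExecutionAllowed -ne $e.ExecutionAllowed) {
            # Same file, but the whitelist decision differs: "Execution Allowed Mismatch".
            $deviations.Add([pscustomobject]@{ Path = $e.Path; Deviation = 'ExecutionAllowedMismatch'; Gold = $g.ExecutionAllowed; Endpoint = $e.ExecutionAllowed })
        }
    }
    foreach ($path in $goldByPath.Keys) {
        if (-not $endByPath.ContainsKey($path)) {
            # On the gold image but missing from the endpoint: "removed (missing)".
            $g = $goldByPath[$path]
            $deviations.Add([pscustomobject]@{ Path = $g.Path; Deviation = 'Removed'; Gold = $g.Sha1; Endpoint = $null })
        }
    }
    return $deviations
}

# Constructed sample inventories (hash values are placeholders, not real file hashes).
$gold = @(
    [pscustomobject]@{ Path = 'C:\Windows\System32\svchost.exe'; Sha1 = 'aaaa1111'; ExecutionAllowed = $true },
    [pscustomobject]@{ Path = 'C:\App\server.exe';               Sha1 = 'bbbb2222'; ExecutionAllowed = $true },
    [pscustomobject]@{ Path = 'C:\App\legacy_tool.exe';          Sha1 = 'cccc3333'; ExecutionAllowed = $false },
    [pscustomobject]@{ Path = 'C:\App\report.dll';               Sha1 = 'dddd4444'; ExecutionAllowed = $true }
)
$endpoint = @(
    [pscustomobject]@{ Path = 'C:\Windows\System32\svchost.exe'; Sha1 = 'aaaa1111'; ExecutionAllowed = $true },
    [pscustomobject]@{ Path = 'C:\App\server.exe';               Sha1 = 'ffff9999'; ExecutionAllowed = $true },   # patched or tampered
    [pscustomobject]@{ Path = 'C:\App\legacy_tool.exe';          Sha1 = 'cccc3333'; ExecutionAllowed = $true },   # whitelisted locally only
    [pscustomobject]@{ Path = 'C:\Temp\dropper.exe';             Sha1 = 'eeee5555'; ExecutionAllowed = $false }   # not on the gold image
)

Compare-Inventory -Gold $gold -Endpoint $endpoint |
    Sort-Object Deviation, Path |
    Format-Table -AutoSize
```

With the sample data the report lists one Added file (dropper.exe), one ExecutionAllowedMismatch (legacy_tool.exe, which the endpoint allows but the gold image does not), one Modified file (server.exe) and one Removed file (report.dll). The mismatch row is the one to chase first: it means someone or something authorized code on the endpoint that was never authorized on the gold image.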
McAfee Change Control Explained

NOTE: Use the embedded document below to size the database disk your servers will need before you start collecting events: ePO Database Sizing Estimation Guide for MAC_MCC_MIC.pdf

Change Control consists of two components:
1. File Integrity Monitoring
2. Change configuration protection

File Integrity Monitoring monitors changes to the file system, registry, and user accounts. It maintains a comprehensive and up-to-date database (on McAfee ePolicy Orchestrator) that logs all attempts to modify files, registry keys, and local user accounts. File Integrity Monitoring provides the following information for each change:
1. Who made the change
2. When the change was made (real-time timestamp)
3. What program was used to make the change
4. Where the change was made (which system)
5. How the change was made
6. Whether the change was made by an approved change process
Event Example

The Event Components Explained:
- Agent GUID: unique ID assigned by ePO to the agent
- Event Display Name: what action took place
- Event File Name: the file or registry key that was affected
- Event Generated Time: timestamp of the change (real time)
- Event Id: ePO-generated ID of the change
- Event Name: what action took place (same as Event Display Name)
- Event Seq Number
- Generated by an Updater: whether the change was made by an approved change application (updater)
- Generated in an Update Window: whether the change took place in an authorized change window
- Object Name: what was affected
- Performed by: the user who performed this change
- Program Name: the program used to make the change
- Reconciliation Status (additional optional license needed): reports whether the change was reconciled to your BMC Remedy change-ticketing system
- Reconciliation Ticket (additional optional license needed): ticket number assigned by BMC Remedy
- Severity
- System Name: the system on which the change took place
- User Name: who performed the change
- Workflow ID: identifies which updater was used to make the change
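The three fields Generated by an Updater, Generated in an Update Window and Reconciliation Status are what let you separate approved changes from everything else. The following added example (not McAfee code) shows a first-pass triage over events assumed to have been exported from ePO as CSV with the column names listed above; the rows, systems, users and program paths are constructed for the illustration, and the "true"/"false"/"Reconciled" encodings are assumptions about the export, not something this page documents.

```powershell
# Added example (not McAfee code): first-pass triage of Change Control events.
# Assumes an ePO CSV export with the column names listed above; rows are constructed.

$csv = @'
"Event Generated Time","Event Name","Object Name","Performed by","Program Name","Generated by an Updater","Generated in an Update Window","Reconciliation Status","System Name"
"2011-12-05 02:10:11","File Modified","C:\inetpub\wwwroot\web.config","CORP\svc_deploy","C:\Deploy\deploy.exe","true","false","","WEB01"
"2011-12-05 02:14:30","Registry Key Modified","HKLM\SOFTWARE\App\Settings","CORP\jdoe","C:\Windows\regedit.exe","false","true","","WEB01"
"2011-12-05 13:42:02","File Modified","C:\inetpub\wwwroot\web.config","CORP\jdoe","C:\Windows\System32\notepad.exe","false","false","","WEB01"
"2011-12-05 13:45:59","User Account Created","backup_adm","CORP\jdoe","C:\Windows\System32\net.exe","false","false","","WEB01"
"2011-12-05 14:00:00","File Created","C:\App\hotfix.dll","CORP\svc_deploy","C:\Deploy\deploy.exe","false","false","Reconciled","APP02"
'@

function Get-UnapprovedChanges {
    param([Parameter(Mandatory)] [string] $CsvText)
    $events = $CsvText | ConvertFrom-Csv
    foreach ($ev in $events) {
        # A change counts as approved if it came through an updater, happened inside an
        # authorized update window, or was reconciled to a change ticket (Remedy add-on).
        $viaUpdater = $ev.'Generated by an Updater'       -eq 'true'
        $inWindow   = $ev.'Generated in an Update Window' -eq 'true'
        $reconciled = $ev.'Reconciliation Status'         -eq 'Reconciled'
        if ($viaUpdater -or $inWindow -or $reconciled) { continue }

        # Account changes outside a change process are the highest-value events here:
        # they are rarely legitimate and are how an intruder keeps access.
        $priority = if ($ev.'Event Name' -like 'User Account*') { 'High' } else { 'Medium' }
        [pscustomobject]@{
            Priority = $priority
            Time     = $ev.'Event Generated Time'
            System   = $ev.'System Name'
            Event    = $ev.'Event Name'
            Object   = $ev.'Object Name'
            User     = $ev.'Performed by'
            Program  = $ev.'Program Name'
        }
    }
}

Get-UnapprovedChanges -CsvText $csv | Sort-Object Priority, Time | Format-Table -AutoSize
```

On the sample rows, the deployment tool's change (updater), the registry edit inside the update window, and the reconciled hotfix are dropped; what remains is the hand edit of web.config with notepad.exe and, ranked first, the creation of the backup_adm account with net.exe by the same interactive user. That pairing of user, program and object is exactly the information File Integrity Monitoring captures for each change, and it is what an investigator needs to decide whether the change was authorized.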
What is being tracked?

Below is a list of tracked items.

Files and folders:
- File creation
- File modification (file contents and attributes, such as permissions or owner)
- File deletion
- File rename
- Stream creation (NTFS alternate data streams)
- Stream modification
- Stream deletion

Registry keys:
- Registry key creation
- Registry key modification
- Registry key deletion

User accounts:
- User account creation
- User account modification
- User account deletion
- User log on
- User log off

Managing McAfee Change Control

Change configuration protection (Change Control) protects identified critical configuration files and registry keys:
1. Write protection of critical configuration files
2. Read protection of critical files. If read protection is enabled, the files cannot be read, and therefore cannot be copied off the system
3. Write protection of critical registry keys

NOTE: Trusted programs or users can be defined to allow updates to protected files and registry keys.

NOTE: This is a user-defined policy with no pre-defined protection rules. This is by design: only the files and keys you explicitly list are protected, so an empty policy protects nothing.

NOTE: Read protection is disabled by default. To activate this functionality, a client task must be run against the identified systems.
Change Content Management

1. Navigate to the McAfee File Integrity policy.
2. Identify the file you want to track.
3. View the results from the events.

Appendix A. Solving Memory Discrepancies

Identifying bypass candidates for MP-CASP and MP-NX

Issue: System performance decreases or an application does not work properly with Solidifier and Memory Protection (MP) enabled.

Resolution: Disable the memory protection feature and check the behavior with MP-CASP (32-bit) and MP-NX (64-bit) disabled.
If the issue is not observed with MP disabled, MP is implicated. Collect process-tracking logs for both states:
1. Run sadmin loglevel enable pst info.
2. Reproduce the scenario with MP disabled (this is the baseline).
3. Enable MP.
4. Reproduce the issue with MP enabled.
5. Run sadmin loglevel disable pst info.
6. Run gatherinfo.bat and collect the logs for analysis.

sadmin loglevel enable pst info turns on more informative logging for the process tracking (pst) module of the Solidifier. Solidcore then records process creation, DLL loading and process termination, so the analyst can follow the life of a process: when it was created, what it loaded, and when it terminated.

Extract the Application Control logs from the gatherinfo.bat output and compare the logs for MP disabled versus MP enabled. Walk through each process and the operations that happen in its context, and look for differences in the MP-enabled state: a process terminating abruptly, a DLL failing to load, a process taking longer to complete its operations, and so on. Look for any error condition recorded, or log entries marked ERROR or WARNING.

When the impact is limited to one application rather than the whole system, identifying the process is relatively easy, because the focus is restricted to the processes running or launched in the context of that application. But many times bypassing the application's own processes does not help, because a Windows process, a compiler dependency or something similar is involved. In cases where MP causes a system-wide impact, such as a system hang or degraded performance, the area of focus broadens to all processes and all recorded logs. The analyst should try to narrow down the condition that may be leading to the issue, for example a continuously running service that is hung or a backup process that is failing. Once the analyst has found such a condition and suspects a process to be the culprit, configure that process under the relevant MP bypass attribute and check the issue again. Make sure the process is re-launched so that the configuration takes effect.

The above allows the user to perform a first-level analysis of MP-related issues, but these are not very straightforward to track down. In many cases code analysis needs to be done in close correlation with the logs. The analyst must be extra cautious when bypassing a process from MP, because doing so removes the exploit mitigation for that process and may open a security hole: a bypassed process that parses untrusted input is once again exposed to the memory-corruption techniques MP exists to block. It is highly recommended that system or any critical processes are not bypassed without discussing with McAfee.
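The comparison described above, as an added example that is not part of the original guide or of McAfee's tooling: two process-tracking extracts (MP disabled as the baseline, MP enabled) are parsed and diffed for ERROR/WARNING entries that appear only with MP on, and for processes whose lifetime collapses with MP on (the "terminating abruptly" case). The log line format matched by the regular expression is an assumption made for this illustration, and every sample line is constructed; adapt the pattern to the lines actually found in your gatherinfo.bat output.

```powershell
# Added example (not McAfee code): a first pass over process-tracking (pst) logs collected
# with MP disabled (baseline) and MP enabled. The line format matched below is an ASSUMPTION
# for this illustration; adapt it to your real Solidcore log lines. Sample lines are constructed.

$mpDisabledLog = @'
2011-12-05 10:00:01 INFO    pst: process created    pid=1201 image=C:\App\server.exe
2011-12-05 10:00:01 INFO    pst: dll loaded         pid=1201 image=C:\App\plugin.dll
2011-12-05 10:00:02 INFO    pst: process created    pid=1250 image=C:\App\worker.exe
2011-12-05 10:00:09 INFO    pst: process terminated pid=1250 image=C:\App\worker.exe
2011-12-05 10:05:00 INFO    pst: process terminated pid=1201 image=C:\App\server.exe
'@
$mpEnabledLog = @'
2011-12-05 11:00:01 INFO    pst: process created    pid=1310 image=C:\App\server.exe
2011-12-05 11:00:01 ERROR   pst: dll load failed    pid=1310 image=C:\App\plugin.dll
2011-12-05 11:00:02 INFO    pst: process created    pid=1355 image=C:\App\worker.exe
2011-12-05 11:00:02 WARNING pst: process terminated pid=1355 image=C:\App\worker.exe
2011-12-05 11:05:00 INFO    pst: process terminated pid=1310 image=C:\App\server.exe
'@

function ConvertFrom-PstLog {
    param([Parameter(Mandatory)] [string] $Text)
    $pattern = '^(?<time>\S+ \S+)\s+(?<level>\w+)\s+pst:\s+(?<op>[a-z ]+?)\s+pid=(?<pid>\d+)\s+image=(?<image>.+)$'
    foreach ($line in $Text -split "`r?`n") {
        if ($line -match $pattern) {
            [pscustomobject]@{
                Time  = [datetime]$Matches.time
                Level = $Matches.level.ToUpperInvariant()
                Op    = $Matches.op.Trim()
                Pid   = [int]$Matches.pid
                Image = $Matches.image.Trim()
            }
        }
    }
}

function Compare-PstLogs {
    param([object[]] $Baseline, [object[]] $WithMp)

    # 1. ERROR/WARNING entries that appear only with MP enabled (keyed on image + operation).
    $seenInBaseline = @{}
    foreach ($b in $Baseline) {
        if (@('ERROR','WARNING') -contains $b.Level) { $seenInBaseline["$($b.Image)|$($b.Op)"] = $true }
    }
    $newProblems = $WithMp | Where-Object {
        (@('ERROR','WARNING') -contains $_.Level) -and -not $seenInBaseline.ContainsKey("$($_.Image)|$($_.Op)")
    }

    # 2. Per-image process lifetime in each run. A process that lives far shorter with MP on
    #    than in the baseline is the "terminating abruptly" symptom described in the text.
    $lifetime = @{}
    foreach ($set in @(@{ Name = 'Baseline'; Events = $Baseline }, @{ Name = 'WithMp'; Events = $WithMp })) {
        $created = @{}
        foreach ($ev in $set.Events) {
            if ($ev.Op -eq 'process created') { $created[$ev.Pid] = $ev.Time }
            if ($ev.Op -eq 'process terminated' -and $created.ContainsKey($ev.Pid)) {
                $lifetime["$($ev.Image)|$($set.Name)"] = ($ev.Time - $created[$ev.Pid]).TotalSeconds
            }
        }
    }
    $images = $lifetime.Keys | ForEach-Object { $_.Split('|')[0] } | Sort-Object -Unique
    $shortened = foreach ($img in $images) {
        $base = $lifetime["$img|Baseline"]
        $mp   = $lifetime["$img|WithMp"]
        if ($null -ne $base -and $null -ne $mp -and $mp -lt ($base / 2)) {
            [pscustomobject]@{ Image = $img; BaselineSeconds = $base; WithMpSeconds = $mp }
        }
    }

    [pscustomobject]@{ NewProblems = $newProblems; ShortenedLifetimes = $shortened }
}

$result = Compare-PstLogs -Baseline (ConvertFrom-PstLog $mpDisabledLog) -WithMp (ConvertFrom-PstLog $mpEnabledLog)
Write-Host 'ERROR/WARNING entries seen only with MP enabled (bypass candidates to investigate):'
$result.NewProblems | Format-Table Time, Level, Op, Image -AutoSize | Out-Host
Write-Host 'Processes that lived less than half as long with MP enabled:'
$result.ShortenedLifetimes | Format-Table -AutoSize | Out-Host
```

On the constructed logs this surfaces the failed load of plugin.dll into server.exe and the immediate termination of worker.exe (8 seconds in the baseline, 0 with MP on). Those are candidates, not conclusions: as the text says, confirm with code analysis against the logs before configuring either process under an MP bypass attribute, and never bypass a system or critical process without McAfee's input.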
Appendix B. Emergency Back-out Procedure

McAfee Application Control / Change Control emergency back-out procedure:
1. Boot Windows into Safe Mode.
2. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\swin\Parameters.
3. Under Parameters, edit RTEModeonReboot and change the value from 1 to 0. As the name indicates, the change takes effect on the next reboot.

Use this only when the system cannot be recovered through ePO: it removes the product's protection from the system, so record the change and restore the value once the emergency is over.
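The same edit in scripted form, as an added example that is not McAfee code: it checks that the swin key and the value exist before touching anything, backs up the key with reg.exe so the change can be reversed afterwards, writes the value, and verifies the write. The key and value names are those given in this appendix; the -ReportOnly switch, the backup location and the function name are assumptions of the example. It must be run elevated, in Safe Mode, exactly as the manual steps require.

```powershell
# Added example (not McAfee code): scripted form of the Appendix B back-out registry edit.
# Run from an elevated prompt in Safe Mode. Key path and value name come from the appendix;
# the -ReportOnly switch and backup location are this example's own assumptions.

$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\swin\Parameters'
$ValueName = 'RTEModeonReboot'

function Set-SolidifierBackout {
    param([switch] $ReportOnly)   # with -ReportOnly nothing is written, only reported

    if (-not (Test-Path $KeyPath)) {
        throw "Key $KeyPath not found: is Solidifier installed on this system?"
    }
    $props = Get-ItemProperty -Path $KeyPath
    if ($null -eq $props.$ValueName) {
        # Do not create the value blindly; a missing value means a layout this appendix does not cover.
        throw "$ValueName does not exist under $KeyPath; confirm the product version with McAfee."
    }
    $current = [int]$props.$ValueName
    Write-Host "$ValueName is currently $current"

    if ($current -eq 0) {
        Write-Host 'Already 0; nothing to do.'
        return $current
    }

    # Keep a copy of the key so the change can be reversed after the emergency.
    $backup = Join-Path $env:TEMP ("swin-parameters-{0:yyyyMMdd-HHmmss}.reg" -f (Get-Date))
    & reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Services\swin\Parameters' $backup /y | Out-Null
    Write-Host "Backed up key to $backup"

    if ($ReportOnly) {
        Write-Host "Would set $ValueName to 0 (effective on next reboot)."
        return $current
    }

    Set-ItemProperty -Path $KeyPath -Name $ValueName -Value 0 -Type DWord
    $after = [int](Get-ItemProperty -Path $KeyPath).$ValueName
    if ($after -ne 0) {
        throw "Write did not take effect (value is $after); check that you are elevated and in Safe Mode."
    }
    Write-Host "$ValueName set to 0; the change takes effect on the next reboot."
    return $after
}

Set-SolidifierBackout -ReportOnly
# Set-SolidifierBackout            # run without -ReportOnly to apply the change
```

The read-back after the write is the part worth keeping even if you discard the rest: a back-out that silently failed to persist leaves you rebooting into the same state you were trying to escape.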
Appendix C: Non-ePO Manual Application Control Install

Environment: Microsoft Windows (all supported versions)

Summary: This section provides the steps to connect Solidcore to ePO when the Solidifier was deployed using third-party tools rather than ePO.

Solution

Step 1 - Deploy the McAfee Agent and modify the registry for ePO management
1. Deploy the Common Management Agent (CMA) or McAfee Agent to the system that hosts the Solidifier.
2. Use Remote Desktop to access the Solidifier system and log in with an Administrator account.
3. Click Start, Run, type regedit, and click OK.
4. Navigate to the registry key below:
   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\swin\Parameters
5. Right-click Parameters and select New, DWORD value.
6. Name the new value IsSystemControllerEPO.
7. Right-click the IsSystemControllerEPO value and select Modify.
8. Click the Decimal radio button and change the Value data to 1. Click OK.

Step 2 - Copy scormapl.dll to the S3 directory
1. Click Start, Programs, McAfee, Solidifier, McAfee Solidifier Command Line.
2. Execute sadmin lockdown.
3. Navigate to the folder that contains SOLIDCOR<version_number>-<build_number>_WIN.zip.
4. Extract scormapl.dll.x86 to the C:\Program Files\Solidcore\S3 directory.
5. Rename scormapl.dll.x86 to scormapl.dll.

Step 3 - Modify the Solidifier Application Plugin registry key
1. Click Start, Run, type regedit, and click OK.
2. Navigate to the registry key below:
   HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates\ePolicy Orchestrator\Application Plugins\SOLIDCOR5000_WIN
3. Add the string values below:

   String name    Value data
   Version        <version_number>.<build_number>
   Plugin Path    C:\Program Files\Solidcore\S3\scormapl.dll
   Software ID    SOLIDCOR5000_WIN
   Product Name   McAfee Solidifier
   Language       0000

Step 4 - For 64-bit systems, use link_na_reg.exe to link the 64-bit and 32-bit versions of the ePO registry entries
1. Navigate to the directory that contains SOLIDCOR<version_number>-<build_number>_WIN.zip.
2. Extract link_na_reg.exe from the .zip file.
3. Click Start, Run, type cmd, and click OK.
4. Change directory to the location of the extracted link_na_reg.exe.
5. Type the command below and press ENTER:
   link_na_reg.exe /s "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Network Associates" "HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates"
6. Send an agent wake-up call (with get full properties) from ePO.

Appendix D: Configuring a syslog server

You can access additional servers by registering them with your McAfee ePO server. Registered servers allow you to integrate your software with other external servers. Use this task to add the syslog server as a registered server and send information (responses or Solidcore events) to the syslog server.

Task
For option definitions, click ? in the interface.
1. Add the syslog server as a registered server.
   a. Select Registered Servers and click New Server. The Registered Server Builder wizard opens.
   b. Select Solidcore Syslog Server from the Server type list.
   c. Specify the server name, add any notes, and click Next.
   d. Optionally, modify the syslog server port (McAfee ePO 4.6 only).
      NOTE: If you are using McAfee ePO 4.5, the default port (514) is used. You cannot alter the port when using McAfee ePO 4.5. Syslog on UDP port 514 is neither authenticated nor encrypted, so keep the path between the ePO server and the collector on a trusted management network.
   e. Enter the server address. You can specify the DNS name, IPv4 address, or IPv6 address.
   f. Select the type of logs the server is configured to receive by selecting a value from the Syslog Facility list.
   g. Click Test Syslog send to verify the connection to the server.
   h. Click Save.
You can choose to send specific responses to the syslog server (complete step 2) or use
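Returning to the manual (non-ePO) install in Appendix C: the registry part of that procedure (Steps 1, 3 and 4) is error-prone by hand, so here it is as an added example that is not McAfee code. Key paths, value names and the link_na_reg.exe command line are exactly those given in Appendix C; the version string, the location of the extracted link_na_reg.exe, and the function name are assumptions you must fill in. Copying and renaming scormapl.dll (Step 2) is left to the manual steps and only checked here. Run it elevated on the Solidifier host, then send the agent wake-up call from ePO as the appendix says.

```powershell
# Added example (not McAfee code): the registry portion of the Appendix C manual install.
# Key paths, value names and the link_na_reg.exe command are from the appendix; the version
# value, the tool location and this function's name are assumptions to be filled in.

$SwinParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\swin\Parameters'
$PluginKey  = 'HKLM:\SOFTWARE\Network Associates\ePolicy Orchestrator\Application Plugins\SOLIDCOR5000_WIN'

function Register-SolidifierWithEpo {
    param(
        [Parameter(Mandatory)] [string] $Version,   # <version_number>.<build_number> from the zip name
        [string] $PluginPath = 'C:\Program Files\Solidcore\S3\scormapl.dll',
        [string] $LinkTool   = '.\link_na_reg.exe'  # extracted from SOLIDCOR<version_number>-<build_number>_WIN.zip
    )
    # Step 1: mark the Solidifier as controlled by ePO (DWORD IsSystemControllerEPO = 1).
    if (-not (Test-Path $SwinParams)) { throw "Solidifier not found: $SwinParams is missing" }
    Set-ItemProperty -Path $SwinParams -Name 'IsSystemControllerEPO' -Value 1 -Type DWord

    # Step 2 is manual (sadmin lockdown, copy and rename the DLL); just confirm it was done.
    if (-not (Test-Path $PluginPath)) { throw "Copy and rename scormapl.dll.x86 to $PluginPath first" }

    # Step 3: the Application Plugins entry, with the five string values from the appendix.
    if (-not (Test-Path $PluginKey)) { New-Item -Path $PluginKey -Force | Out-Null }
    $values = @{
        'Version'      = $Version
        'Plugin Path'  = $PluginPath
        'Software ID'  = 'SOLIDCOR5000_WIN'
        'Product Name' = 'McAfee Solidifier'
        'Language'     = '0000'
    }
    foreach ($name in $values.Keys) {
        Set-ItemProperty -Path $PluginKey -Name $name -Value $values[$name] -Type String
    }

    # Step 4: on 64-bit systems, link the 32-bit (WOW6432Node) and 64-bit registry views.
    $is64 = $env:PROCESSOR_ARCHITEW6432 -or ($env:PROCESSOR_ARCHITECTURE -eq 'AMD64')
    if ($is64) {
        if (-not (Test-Path $LinkTool)) { throw "link_na_reg.exe not found at $LinkTool" }
        & $LinkTool /s 'HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Network Associates' 'HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates'
        if ($LASTEXITCODE -ne 0) { throw "link_na_reg.exe returned exit code $LASTEXITCODE" }
    }

    # Read back what was written so it can be checked before the agent wake-up call.
    Get-ItemProperty -Path $PluginKey | Select-Object Version, 'Plugin Path', 'Software ID', 'Product Name', Language
}

# Usage (elevated, on the Solidifier host):
#   Register-SolidifierWithEpo -Version '<version_number>.<build_number>' -LinkTool 'C:\Extract\link_na_reg.exe'
```

The order matters for the same reason it does in the manual steps: the Application Plugins key is useless to the agent if the DLL it points to is not there yet, which is why the example refuses to write Step 3 until the renamed scormapl.dll exists at the path it is about to register.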