Addendum
McAfee Application Control and Change Control 6.1.1
For use with ePolicy Orchestrator 4.6 and 5.0 Software

About this release

This document is an addendum to the McAfee Change Control and Application Control 6.1.0 Product Guide and the McAfee Change Control and Application Control 6.1.0 Installation Guide; refer to those guides for complete information about the product.

The current release redesigns several features to add functionality: better reporting of content changes, a new installation and uninstallation workflow for software packages, and better control over observation generation and processing. You can now also manage the product with McAfee ePO 5.0.

These features are redesigned:

- Content change tracking
- Package control
- Observation throttling
- Upgrade support

Content change tracking

The content change tracking feature is now improved to allow you to specify directories for tracking content changes. You can specify a directory to track content and attribute changes for all files in this directory and its subdirectories. If you enable content change tracking for a directory, any attribute or content change to the files in the directory creates new versions of the files on the McAfee ePO server. For detailed information on the attributes that are tracked for a file, see the File attributes for content change tracking section.

Configure content change tracking rule

You must create an Integrity Monitor (IM) rule group for monitoring content changes.

1 On the McAfee ePO console, click Menu | Configuration | Solidcore Rules.
2 From the Rule Groups tab, select Integrity Monitor to view or define a rule group for monitoring changes performed on critical resources.
3 Click Add Rule Group.
  a Specify the rule group name.
  b Select the rule group type as Integrity Monitor.
  c Select the platform as Windows.
4 Click OK. The rule group is created and listed on the Rule Groups page.
5 Click Edit for the rule group.
6 On the File tab, click Add to monitor and track changes for a new file or directory.
7 Select an existing rule and click Edit. The Add File dialog box appears.
  a Review or add the file information.
  b Select Enable Content Change Tracking.
  c Select the file encoding:
    - Auto Detect
    - ASCII
    - UTF 8
    - UTF 16
    Auto Detect works for most files. If you know the file encoding, select ASCII, UTF 8, or UTF 16 (as appropriate). If needed, you can add new file encoding values; contact McAfee Support for assistance in adding a file encoding value.
  d Select Is Directory if you specified a directory.
  e Select Recurse Directory to include all subdirectories of the parent directory for tracking content changes.
  f Specify patterns in the Include Patterns or Exclude Patterns field to match the file name. You can only specify file names as patterns. If you do not specify a pattern, all files are included for change tracking. Optionally, add an asterisk (*) at the beginning or end of every pattern. For example, if you specify an include pattern of *.txt, only the TXT files in the directory are monitored. If you specify an exclude pattern of *.ini, the INI files in the directory are not monitored. Specify multiple patterns by separating each pattern on a new line. Exclude Patterns has higher precedence than Include Patterns: if you define an include pattern and an exclude pattern for the same file, the exclude pattern applies.
8 Click OK.

Assign the rule group to a policy

Create a new Integrity Monitor policy or use an existing policy to assign the rule group. When you push the policy to an endpoint, the initial file content and attributes of the qualifying files are stored on the McAfee ePO server and set as the base version. For all subsequent changes made to the monitored files, corresponding file versions are stored on the McAfee ePO server. The base version identifies the starting point, or initial state, of the file for comparison with other versions.
1 On the McAfee ePO console, click Menu | Policy | Policy Catalog.
2 Select the Solidcore 6.1.1: Integrity Monitor product.
3 Click Actions | New Policy.
4 Select the category as Integrity Monitoring Rules (Windows).
5 Select the policy you want to duplicate from the Create a policy based on this existing policy list. To define a policy from scratch, select the Blank Template policy.
6 Specify the policy name and click OK to open the Policy Settings page.
7 Add the rule group to the policy.
  a Select the rule group in the Rule Groups tab. The rules included in the rule group are displayed in the various tabs.
  b Review the rules.
  c On the Rule Groups tab, select Add.
  d Select the rule group that you created for content changes, then click OK.
8 Save the policy.

Manage file versions

Identify and review the versions for all files and directories where change tracking is enabled.

1 On the McAfee ePO console, click Menu | Reporting | Content Change Tracking. All files where content change tracking is enabled are listed.
2 In the Quick find text box, specify the endpoint, directory name, or file name, then click Apply. The list is updated based on the specified search string. When you search for a directory, you can review the versions of all files that are tracked for this directory.
3 Review the file status. The File Status column denotes the current status of the file under content change tracking. Status values that are updated, and new status values included in this release, are:

Success
    Content changes for the file are being tracked successfully.
Path not found
    The file or directory was not found at the specified path. Verify that the file exists and check the specified path.
Directory tracking not supported (prior to endpoint v6.1.1)
    The file specified for content change tracking is a directory. Prior to this release, you cannot track content changes for directories.
Wildcard characters in path (not supported)
    The specified file path includes wildcard characters. You cannot use wildcard characters when specifying the file path for content change tracking.
File size exceeds maximum size limit
    The file size exceeded the specified size limit for content change tracking. If needed, you can change the size limit for content change tracking for endpoints. For more information, see Specify the maximum file size in the McAfee Change Control and Application Control 6.1.0 Product Guide.
Error while accessing the file
    The file type cannot be accessed.
Network path (not supported)
    The file specified for content change tracking is stored on a network volume. You cannot track changes for files on network volumes.
Encrypted file (not supported)
    The file specified for content change tracking was encrypted on the endpoint.
File Deleted
    The file specified for content change tracking was deleted from the endpoint.
File Renamed
    The file specified for content change tracking was renamed on the endpoint.
Multiple file encodings defined
    Multiple and conflicting file encoding values are specified for the file. This can occur if two monitoring rules, each with a different file encoding value, are applied to track content changes for the file.
Directory rule matched with file name (error)
    The rule specified for content change tracking of a directory matches a file.
Success (Tracking file-attributes only)
    Only file attributes are being tracked for this file.
Directory Renamed
    The directory specified for content change tracking was renamed on the endpoint.
File rule matched with directory (error)
    The rule specified for content change tracking of a file matches a directory.
Maximum file limit reached
    The number of files under the tracked directory exceeds the maximum limit. If this limit is exceeded, only the base versions are skipped; all subsequent changes to the files are still reported.
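The following Python model is an added example, not code from this addendum or from McAfee. It implements the rule semantics described above (file-name patterns with an optional leading or trailing asterisk, Exclude Patterns taking precedence over Include Patterns, Recurse Directory) together with the three General policy settings documented later in this addendum (1000 KB maximum file size, the attributes-only extension list, 100 files per rule), and maps each file to the File Status it would receive. Two assumptions are the model's own: file names compare case-insensitively, and the binary-extension check is applied before the size limit.

```python
from dataclasses import dataclass
import ntpath  # Windows path rules, importable on any platform

# Defaults quoted from the Solidcore 6.1.1: General policy (Miscellaneous Settings tab)
DEFAULT_MAX_FILE_SIZE_KB = 1000
DEFAULT_MAX_FILES_PER_RULE = 100
DEFAULT_ATTRIBUTES_ONLY_EXTENSIONS = frozenset(
    "zip bmp 7z pdf rar tar gz bz tgz bz2 jpg exe gif dll tiff sys png jar".split())

# File Status values quoted from the Manage file versions table
STATUS_SUCCESS = "Success"
STATUS_ATTRIBUTES_ONLY = "Success (Tracking file-attributes only)"
STATUS_TOO_LARGE = "File size exceeds maximum size limit"
STATUS_FILE_LIMIT = "Maximum file limit reached"

@dataclass(frozen=True)
class TrackingRule:
    """One File tab entry of an Integrity Monitor rule group."""
    path: str                # file path, or directory path when is_directory is set
    is_directory: bool = False
    recurse: bool = False    # Recurse Directory
    include: tuple = ()      # Include Patterns, file names only
    exclude: tuple = ()      # Exclude Patterns, take precedence over include

def pattern_matches(name, pattern):
    """A pattern is a file name with an optional '*' at the start and/or end.
    Case-insensitive comparison is an assumption of this model (Windows names)."""
    name, core = name.lower(), pattern.strip("*").lower()
    leading, trailing = pattern.startswith("*"), pattern.endswith("*")
    if leading and trailing:
        return core in name             # '*log*', or the bare '*'
    if leading:
        return name.endswith(core)      # '*.txt'
    if trailing:
        return name.startswith(core)    # 'app*'
    return name == core                 # exact file name

def name_qualifies(name, rule):
    """Exclude wins over include; with no include pattern every file qualifies."""
    if any(pattern_matches(name, p) for p in rule.exclude):
        return False
    return not rule.include or any(pattern_matches(name, p) for p in rule.include)

def under_directory(path, rule):
    """True if path is directly in the rule's directory, or below it when recursing."""
    parent = ntpath.normcase(ntpath.dirname(path))
    root = ntpath.normcase(rule.path.rstrip("\\/"))
    return parent == root or (rule.recurse and parent.startswith(root + "\\"))

def qualifying_files(rule, inventory):
    """Paths the rule selects. Only patterns and recursion count towards the
    per-rule file limit; the size limit is applied afterwards, per file."""
    if not rule.is_directory:
        return [p for p in inventory if ntpath.normcase(p) == ntpath.normcase(rule.path)]
    return [p for p in inventory
            if under_directory(p, rule) and name_qualifies(ntpath.basename(p), rule)]

def evaluate_rule(rule, inventory, max_file_size_kb=DEFAULT_MAX_FILE_SIZE_KB,
                  max_files_per_rule=DEFAULT_MAX_FILES_PER_RULE,
                  attributes_only_extensions=DEFAULT_ATTRIBUTES_ONLY_EXTENSIONS):
    """Return ({path: File Status}, base_versions_collected) for one rule.
    inventory maps each file path on the endpoint to its size in bytes."""
    selected = qualifying_files(rule, inventory)
    if len(selected) > max_files_per_rule:
        # Base versions are skipped for the whole rule; later changes are still reported.
        return {p: STATUS_FILE_LIMIT for p in selected}, False
    statuses = {}
    for path in selected:
        ext = ntpath.splitext(path)[1].lstrip(".").lower()
        if ext in attributes_only_extensions:
            statuses[path] = STATUS_ATTRIBUTES_ONLY  # binary: content is never fetched
        elif inventory[path] > max_file_size_kb * 1024:
            statuses[path] = STATUS_TOO_LARGE
        else:
            statuses[path] = STATUS_SUCCESS
    return statuses, True

# Constructed sample inventory (path -> size in bytes); not data from the addendum.
SAMPLE_INVENTORY = {
    r"C:\App\config\app.ini": 2_048,
    r"C:\App\config\app.txt": 512,
    r"C:\App\config\notes.TXT": 100,
    r"C:\App\config\readme.txt": 1_500_000,       # above the 1000 KB default
    r"C:\App\config\plugins\plugin.txt": 300,
    r"C:\App\config\plugins\plugin.dll": 40_000,  # binary extension
    r"C:\App\other\other.txt": 10,                # outside the rule's directory
}

# *.ini is both included and excluded on purpose: the exclude pattern wins.
SAMPLE_RULE = TrackingRule(path=r"C:\App\config", is_directory=True, recurse=True,
                           include=("*.txt", "*.ini", "*.dll"), exclude=("*.ini",))

if __name__ == "__main__":
    statuses, base_collected = evaluate_rule(SAMPLE_RULE, SAMPLE_INVENTORY)
    print("base versions collected:", base_collected)
    for path, status in sorted(statuses.items()):
        print(path, "->", status)
```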
Create a McAfee ePO query

To create a compliance report for the content changes, you must create a query that fetches file data for the server task.

1 On the McAfee ePO console, click Menu | Reporting, then select Queries & Reports.
2 Click Actions | New to open the Result Type page.
3 From the Feature Group pane, select Solidcore.
4 From the Result Types page, select Solidcore File Content Change Repository, then click Next to open the Chart page.
5 From the Display Results As pane, select List Table, then click Next to open the Columns page.
6 Click Next to open the Filter page.
  a Specify the required filters.
  b Specify a group or system to view content changes for the files present in it. This is mandatory; you must select a group or system.
  c (Optional) Specify other filters, such as time window, file path, and system tag.
7 Click Save.
8 Specify the query name, description, and query group, then click Save.

Alternatively, you can duplicate the pre-shipped query Solidcore: Content Change Tracking Report Generation - With Group My Organization, available on the Menu | Queries and Reports | McAfee Groups | Change Control page, and modify the filters as required.

Create a server task

Create a server task to generate the compliance report for content changes.

1 On the McAfee ePO console, click Menu | Automation | Server Tasks.
2 Click New to open the Server Task Builder.
3 Type the task name and click Next.
4 From the Actions drop-down list, select Solidcore: Content Change Tracking Report Generation.
5 Specify the IM rule group name that you created in Create an Integrity Monitor rule group.
6 Specify the query name that you created in Create a McAfee ePO query.
7 Specify the number of revisions to be reported per file. For example, if a file changed 50 times in the last seven days (as per the time window chosen in the query) but you want to include only the last 10 revisions in the report, specify the value as 10. The maximum allowed value for the number of revisions is 100 and the minimum value is 1. The default value is 10.
8 Specify one or more email addresses, separated by commas, to which the compliance report link or the report generated by the server task is sent. An email server must be configured in McAfee ePO.
9 Specify the email subject.
10 Specify the report name. The report name is appended with a date and time stamp to maintain uniqueness. Optionally, you can modify the date format.
11 Send the compliance report to all intended recipients. By default, the report generated by the server task is sent by email as an attachment to all recipients. The report is sent as a PDF file. A PDF report of up to 20 MB can be sent through email. If the size exceeds this limit, recipients are notified by email with a failure message.
   Alternatively, you can choose to copy the report to a network share. The generated report can be a very large file, and attaching such a large file to the email is not preferable. For this reason, the report is saved to a remote location and a link to the report is sent to all recipients by email. Follow these steps if you want to send the report link by email.
   a Select Use this option to copy report on a network share and send network share information on email to specify the network share.
   b Specify a network path to save the generated report.
   c Specify the network credentials to access the specified network path.
   d Click Test Connection to make sure that the specified credentials work.
12 Click Next.
13 Specify the schedule for the task, then click Next to open the Summary page.
14 Review the task summary and click Save.
15 From the Server Tasks page, run this server task. Based on your choice, an email with the attached report or a report link is sent to all specified email IDs. If the server task fails for any reason, an email indicating the failure is sent. If the number of pages in the report exceeds 15000, the report is split into parts, and an underscore (_) followed by one, two, and so on is appended to the report name.

View general configuration policy changes

The Solidcore 6.1.1: General policy is changed to include global settings for the content change tracking feature. These settings are included for the content change tracking feature:
- Maximum file size
- File extensions for attributes-only tracking
- Maximum file limit per rule

1 On the McAfee ePO console, click Menu | Policy | Policy Catalog.
2 Select the Solidcore 6.1.1: General product.
3 Click the McAfee Default policy in the Configuration (Client) category.
4 Select the Miscellaneous Settings tab. The settings are displayed on the page.

New settings for the content change tracking feature

New settings are included to allow you to customize the feature as needed.

Content Change Tracking: Maximum file size

By default, the maximum file size supported for content change tracking is 1000 KB. The file size can be increased or decreased as required.

Content Change Tracking: File-extensions for attributes-only tracking

For binary files, only attributes are tracked by the content change tracking feature, not the content. By default, the list of binary files includes these extensions:

  zip, bmp, 7z, pdf, rar, tar, gz, bz, tgz, bz2, jpg, exe, gif, dll, tiff, sys, png, jar

This list is configurable. Only changes in file attributes are reported for binary files, because maintaining the content difference for files with non-displayable contents unnecessarily uses database space and McAfee ePO computational resources. Use this setting to identify all file extensions for which tracking file attribute changes is sufficient. This helps optimize system throughput.

Content Change Tracking: Maximum file limit per rule

When you apply a content change tracking rule to a directory, base versions of all files within the directory that qualify under the specified include or exclude patterns are collected and sent to McAfee ePO. These base versions are used for tracking content changes against future versions of the files. However, if the number of qualifying files for a single rule is too high, operational performance at the endpoint and at McAfee ePO can deteriorate. The maximum file limit per rule is included to prevent such bursts. If the number of qualifying files for a rule exceeds the threshold, the base versions of the files are not fetched. This limit applies only to the number of qualifying files (matching the include/exclude patterns and the recursive/non-recursive option) in the directory, not to the total number of files under the directory. This limit is configurable. By default, the limit is set to 100 files per rule. If the number of files per rule exceeds the defined limit, the base versions are not sent to McAfee ePO. However, all subsequent changes to the files are still reported, and the base versions for new files are sent to McAfee ePO.

Package control

Manage the installation and uninstallation of software packages using the package control feature. Application Control uses the package control feature to prevent unauthorized installation and uninstallation of software packages. This feature controls (allows/denies) the following actions for software packages:
- Installation
- Uninstallation
- Upgrade/Repair

In this release, the feature is redesigned from the earlier implementation.

Drawbacks of the earlier implementation

The earlier implementation of this feature had certain drawbacks.

Troubleshooting
    The earlier implementation was not useful for troubleshooting because detailed analysis of package control-related issues was not supported.
System restart
    After changing the feature state, a system restart was required.
Maintenance
    Code was maintained separately for the 32-bit and 64-bit architectures.
Uninstallation
    Uninstallation of certain installers was not controlled by the package control feature.

New implementation

The redesigned feature provides more flexibility to control installation and uninstallation of software packages. Package control is supported for these installers:

MSI installers
    Includes multiple variants such as .msp, .mst, and .msm.
EXE-based installers
    Includes MSI files embedded with the installer.
Non-MSI-based installers
    Installation or uninstallation is supported in Update mode only. Does not include an MSI file embedded with the installer.

These improvements are made in the new implementation.

Operating modes
    Multiple operating modes are available to control the installation/uninstallation of software packages. For more information, see Operating modes.
System restart
    A system restart is not required after changing the feature state.
Uninstallation control
    Uninstallation of software packages can be completely controlled.
Maintenance
    32-bit and 64-bit architectures are now handled generically.
Troubleshooting
    Detailed analysis of package control-related issues is now supported.

These workflow changes are made in the new implementation.

Installation
    No changes.
Uninstallation
    Earlier, updater rules were required to perform uninstallation. In the new implementation, package control includes a new subfeature to control uninstallation. Uninstallation is allowed or denied based on the state of this subfeature (no rules required). By default, uninstallation is allowed.
Bypass
    The earlier implementation supported process-based bypass for package control. The new implementation introduces a new subfeature to bypass package control.

The package control feature is identified as pkg-ctrl in the features list. By default, this feature is enabled. This is the parent feature and includes these subfeatures.

Allow uninstallation
    Controls the uninstallation of software packages. When this feature is enabled, all software uninstallation is allowed. By default, this feature is enabled and is identified as pkg-ctrl-allow-uninstall in the features list.
Bypass package control
    Controls bypassing of the package control feature. When this feature is enabled, the pkg-ctrl feature is bypassed and all software installation and uninstallation is allowed. By default, this feature is disabled and is identified as pkg-ctrl-bypass in the features list.

You can configure package control and all its subfeatures on selected endpoints using a policy.

Configure package control on selected endpoints

Create a policy to use the package control feature on selected endpoints.

Before you begin
You must update the Solidcore Extension and Solidcore Client to version 6.1.1 before configuring package control.

1 On the McAfee ePO console, click Menu | Policy | Policy Catalog.
2 Select the Solidcore 6.1.1: Application Control product.
3 Select the Application Control Options (Windows) category.
4 Edit the My Default policy by clicking the policy. By default, the My Default policy is applied to all endpoints in your enterprise. If you want to configure the feature for selected endpoints, duplicate the My Default policy, edit the settings, and apply the policy to only the relevant endpoints.
5 On the Features tab:
  a Select Enforce feature control from ePO. By default, the Package Control and Allow Uninstallation options are selected.
  b Select an option to configure package control.

    Package Control
        Selecting this option enables package control. Deselecting this option disables package control and all its subfeatures.
    Allow Uninstallation
        Selecting this option allows uninstallation of software packages on endpoints. Deselecting this option prevents uninstallation of software packages on endpoints.
    Bypass Package Control
        Selecting this option bypasses package control. Deselecting this option enables package control.

Operating modes

There are six operating modes for these features, based on the Application Control state. Based on your requirements, select a mode to control installation and uninstallation of software packages. The behavior matrix shows the operating modes, feature states, Application Control state, and the corresponding installation and uninstallation behavior.

Mode  pkg-ctrl  pkg-ctrl-bypass  pkg-ctrl-allow-uninstall  Application Control state  Install behavior  Uninstall behavior
1 *   Enabled   Disabled         Enabled                   Enabled mode               Allow by rules    Allow
2     Enabled   Disabled         Disabled                  Enabled mode               Allow by rules    Deny
3     Enabled   Enabled          Not applicable            Enabled mode               Allow             Allow
4     Disabled  Not applicable   Not applicable            Enabled mode               Deny              Deny
5     Disabled  Not applicable   Not applicable            Update mode                Allow             Allow
6     Enabled   Not applicable   Not applicable            Update mode                Allow             Allow

* This is the default operating mode.

These are the scenarios for which operating modes are used:

- All software installation/uninstallation is blocked.
- All software installation/uninstallation is allowed.
- All software installation is authorized and uninstallation is allowed.
- All software installation is authorized and uninstallation is blocked.

There are no specific guidelines for using operating modes 3 to 6. For operating modes 1 and 2, you can use one of these methods to allow installation:

- Updater by path
- Certificate as an updater
- Trusted user
- Checksum as an updater
- Trusted path

For more information on updaters, see the McAfee Change Control and Application Control 6.1.0 Product Guide.

Advantages of using operating mode 1 (default mode)

This mode allows software modify/repair/remove/upgrade in these scenarios:

- Explicit software upgrades.
- Software upgrades through Windows update mechanisms.
- Software upgrades (of existing software) while installing new software packages, in the case of chained installations.
- Rollback in case of power failure or if you restart your machine during installation. This is called a suspended installation. The installer keeps track of the installation that is in progress. When resumed, you can roll back the suspended install or continue it.

Advantages of using operating mode 2

This mode blocks software modify/repair/remove/upgrade in the scenarios listed above.

Recommended operating modes

Desktop and System Center Configuration Manager (SCCM) managed environment
    Operating mode 1
Fixed function
    Operating mode 2
Server environment
    Operating mode 2; switch to operating mode 1 for upgrades.

Observation throttling

Observations record all activity for managed endpoints. When running in Observe mode, Application Control allows all actions on endpoints and no action is blocked. For each action that would be blocked by Application Control in Enabled mode, a corresponding observation is logged in Observe mode. For example, installing software or modifying a package generates corresponding observations. Observations are generated every minute.
If you do not review and manage existing observations in a timely manner, excessive observations are generated at endpoints. When too many observations are received at the McAfee ePO server from the endpoints, the responsiveness of the McAfee ePO interface can be affected.
How observation throttling works

Observation throttling provides a solution to the McAfee ePO interface unresponsiveness problem. By default, the limit on the number of observations to be processed in the last 24 hours is set to 100,000. This limit is configurable. When the number of observations received at the McAfee ePO server in the last 24 hours reaches the defined threshold, these actions result:

- Further processing of observations is stopped at McAfee ePO to prevent unresponsiveness of the McAfee ePO interface.
- The Observation Throttling Rules policy under Application Control 6.1.1 is automatically applied to the My Organization group. This stops the generation of observations on all endpoints after the agent-to-server communication interval (ASCI) lapses.
- An Observation Threshold Exceeded event is generated. You can check the Threat Event Log page for this event. This event can be used to create an automatic response. For more information on creating automatic responses, refer to the McAfee Change Control and McAfee Application Control Product Guide.
- A warning message indicating that observation generation has stopped appears on the Observations and Predominant Observations pages. This warning message contains an Enable Observation Generation link that you can click to re-enable observation generation and processing.

A read-only rule group and an associated policy for the rule group are added to apply the filter rules and stop observation generation at endpoints.

- Rule group name: Stop Observation Rules
- Policy name: Observation Throttling Rules

Configure the observations limit

Optionally, you can change the default limit for the number of observations to be processed in the last 24 hours.

1 On the McAfee ePO console, click Menu | Configuration | Server Settings.
2 From the Setting Categories pane, select Solidcore.
3 Modify the value of the Observe Mode: Number of observations received in last 24-hours above which Observation generation would be cut-off setting as needed.

View the AEF rules for observations

A default rule group is added to Solidcore Rules that includes Advanced Exclusion Filter (AEF) rules to filter and stop all observations. This is a read-only rule group; however, you can view the AEF rules that are applied for observations.

1 On the McAfee ePO console, click Menu | Configuration | Solidcore Rules.
2 From the Rule Groups tab, select Application Control.
3 Type Stop Observation Rules, then click Search. The Stop Observation Rules rule group appears.
4 Click View.
5 Select the Filters tab. All AEF rules applied for observations appear on the screen.

View the observation throttling policy

The Stop Observation Rules rule group is assigned to the default read-only Observation Throttling Rules policy. Initially, this policy is not assigned to any system or group. When the number of observations reaches the defined threshold, this policy is automatically applied to My Organization (all systems and groups in your organization) and stops further generation of observations at endpoints.

1 On the McAfee ePO console, click Menu | Policy | Policy Catalog.
2 Select the Solidcore 6.1.1: Application Control product.
3 Click the Observation Throttling Rules policy.
4 Select Stop Observation Rules from the Rule Groups pane.
5 Select the Filters tab. All AEF rules applied for observations appear on the screen.

Re-enable observation generation

After the threshold limit is reached, review and manage the existing observations so that further excessive observation generation is avoided. For more information on reviewing and managing observations, see the McAfee Change Control and Application Control 6.1.0 Product Guide.

1 On the McAfee ePO console, click Menu | Application Control | Observations. The Predominant Observations and Observations pages display a warning message stating that observation generation has stopped.
2 From the warning message, click Enable Observation Generation. Observation generation at endpoints and processing at the McAfee ePO server are re-enabled.

Upgrade support

From this release, you can upgrade the Solidcore client in Enabled mode. This is supported only in a McAfee ePO managed configuration.
Tasks
- Upgrade the Solidcore client: In Enabled mode, you can upgrade the Solidcore client on Windows endpoints.
- Verify the Solidcore client upgrade: Verify that the Solidcore client was upgraded successfully on an endpoint.

Upgrade the Solidcore client

In Enabled mode, you can upgrade the Solidcore client on Windows endpoints.

Before you begin
By default, the McAfee default policy that includes the McAfee publishers rule group is applied to the endpoints. If you have changed the default policies, verify that the McAfee publishers rule group is assigned to the policies that are applied on the endpoints. Make sure that you add the Solidcore client package to the McAfee ePO repository. For information, see the McAfee Change Control and McAfee Application Control 6.1.0 Installation Guide.

1 On the McAfee ePO console, select Menu | Systems | System Tree.
2 Perform one of these actions:
  - To apply the client task to a group, select a group in the System Tree and switch to the Assigned Client Tasks tab.
  - To apply the client task to an endpoint, select the endpoint on the Systems page and click Actions | Agent | Modify Tasks on a Single System.
3 Click Actions | New Client Task Assignment to open the Client Task Assignment Builder page.
4 Select the McAfee Agent product and the Product Deployment task type, then click Create New to open the Client Task Catalog page.
5 Specify the task name and add any descriptive information.
6 Select the target platform. For example, when installing the Solidcore client package on the Windows operating system, select Windows as the target platform.
7 Specify the component and action.
  a Select the appropriate package from the Products and components list.
  b Select the Install action.
8 Click Save.
9 Click Next to open the Schedule page.
10 Specify scheduling details, then click Next.
11 Review and verify the task details and click Save. Optionally, you can wake up the agent to send your client task to the endpoint immediately.
12 Restart the endpoints after the upgrade.

Verify the Solidcore client upgrade

Verify that the Solidcore client was upgraded successfully on an endpoint.

1 On the McAfee ePO console, select Menu | Systems | System Tree.
2 Select a group or endpoint from the list. The Systems tab provides details for the selected node.
3 Review logs from the McAfee ePO console.
  a Select a system on the Systems page.
  b Select Actions | Agent | Show Agent Log to view the agent log for the endpoint. By default, agent logs are not enabled on the McAfee ePO console. For information on how to enable agent logs, see the ePolicy Orchestrator Product Guide.
  c Check the log to verify that the software was successfully upgraded at the endpoint.
4 Review the properties for the system.
  a Wake up the agent to fetch properties immediately. Typically, information is exchanged between the agent and server after the ASCI lapses. The default ASCI value is 60 minutes. Send an agent wake-up call to ensure immediate communication and data exchange between the server and the agent, without waiting for the ASCI to expire.
  b Click a system on the Systems page to view details for the selected system.
  c On the McAfee ePO console, select the Products tab and review the Solidcore version. Click the row to review additional information, including the product version and installation path.

Copyright 2013 McAfee, Inc. Do not copy without permission.
McAfee and the McAfee logo are trademarks or registered trademarks of McAfee, Inc. or its subsidiaries in the United States and other countries. Other names and brands may be claimed as the property of others.
A File attributes for content change tracking

When you enable content change tracking, these attributes are tracked for files.

File Size (Bytes)
    Size of the file in bytes.
File Created
    Time at which the file was created.
Last Accessed
    Time at which the file was last accessed.
Last Modified
    Time at which the file was last modified.
Read Only
    Boolean value specifying whether the file is read-only. True indicates a read-only file.
Hidden
    Boolean value specifying whether the file is a hidden file. True indicates a hidden file.
System
    Boolean value specifying whether the file is a system file. True indicates a system file.
Directory
    Boolean value specifying whether the file is a directory. True indicates the file is a directory.
Archive
    Boolean value specifying whether the file is an archive. True indicates the file is an archive.
Temporary
    Boolean value specifying whether the file is a temporary file. True indicates a temporary file.
Compressed
    Boolean value specifying whether the file is a compressed file. True indicates a compressed file.
Owner
    Name of the user who created the file.
Group
    Group to which the owner belongs.
Checksum
    SHA1 checksum of the file.
User
    Each user who has access to the file is listed. The Discretionary Access Control List (DACL) and System Access Control List (SACL) for each user are also included.

Details of DACL and SACL:

Discretionary access control list (DACL)
    An access control list that is controlled by the owner of an object and that specifies the access particular users or groups can have to the object.
System access control list (SACL)
    An access control list that controls the generation of audit messages for attempts to access a securable object. The ability to get or set an object's SACL is controlled by a privilege typically held only by system administrators.