The idea behind the techbook is to provide a guide for running and operating the solution, either in a lab, POC or pilot production environment.
Topic: McAfee Application Control (MAC)
- Deployment Workflow
- Prerequisites
- Deployment steps
- Configuration
- Policies
- Testing / User Acceptance Testing (UAT)
- Events
- Reports and Dashboards
Please note that all the information is based on the product as it stood prior to Feb 2018.
3. Application Control
____________________________________________________________________________________ 3
Table of Contents
Introduction ........ 4
Workflow ........ 4
Prerequisites and Environment ........ 4
Download McAfee Application Control ........ 5
Deployment of Application Control on ePolicy Orchestrator (ePO) ........ 6
Install Extensions ........ 6
Install Packages ........ 7
Activate Licenses ........ 7
Deployment of Application Control Client on the Endpoints ........ 8
Tags ........ 8
Install Application Control Client ........ 8
Verify Application Control Client ........ 9
Configure Endpoints on Observation Mode ........ 10
Configure Application Control Client in Observe Mode ........ 11
Enable Application Control, Start Observe Mode and Fetch Inventory (Solidification) ........ 11
Verify Application Control Client Enablement and Observe Mode ........ 12
Verify Fetch Inventory (Solidification) on the Endpoint ........ 14
Verify Fetch Inventory (Solidification) from the ePolicy Orchestrator (ePO) ........ 15
Verify the completion of Fetch Inventory (Solidification) ........ 16
Inventory Management ........ 17
Policy Discovery ........ 18
Configure Endpoints on Enable Mode ........ 19
Customized Rule Group ........ 20
Create Rule Group ........ 20
Assign Rule Group ........ 22
Add Updater Process to Rule Group ........ 23
Add Users to Rule Group ........ 23
Add Directories to Rule Group ........ 24
Add Certificates to Rule Group ........ 25
Configure Endpoints to End Observe Mode and Enable Solidcore Client ........ 27
Verify Application Control Enable Mode on the Endpoint ........ 28
Verify Application Control Enable Mode on ePolicy Orchestrator (ePO) ........ 28
User Acceptance Testing (UAT) ........ 29
UAT - Updater Process - Run previously installed application ........ 29
UAT - Updater Process - Run installation of new application ........ 29
UAT - Certificates - Run application of trusted certificates ........ 30
UAT - Directories - Run application from non-trusted and trusted directories ........ 30
UAT - Users - Run applications as a trusted user ........ 31
Policy Discovery ........ 32
Solidcore Events ........ 34
Dashboards ........ 35
Introduction
Application Control software blocks unauthorized applications on servers, corporate desktops, and fixed-function devices. This centrally managed whitelisting solution uses a dynamic trust model and innovative security features that thwart advanced persistent threats (APTs), without requiring signature updates or labor-intensive list management.
The purpose of this document is to provide a quick guide on how to set up Application Control, configure policies and perform some user acceptance testing.
Please note that this does not include all the features, options and use cases. This document will be updated periodically to add more tests, feature explanations and fix any issues found in its current state.
Workflow
The deployment workflow consists of the following stages:
1. Deployment of Application Control
2. Configure Application Control in Observe Mode
3. Create Rule Groups and Policies
4. Change Application Control from Observe to Enable Mode
5. Perform Lockdown Testing
Prerequisites and Environment
This has been created with McAfee ePolicy Orchestrator 5.9 and McAfee Application Control 8.0, Hot Fix 4.
Download McAfee Application Control
1. Go to McAfee Product Downloads page
2. Under Product Downloads, click on Download
3. Enter your Grant Number and captcha information, click Submit
4. In the Products tab, click on McAfee Reseller Support
5. In the Current Version tab, under Endpoint Security, click on McAfee Application Control X.X
6. In the Extensions tab, download the latest version as per the following:
7. In the Extensions tab, download the latest version as per the following:
8. In the Documentation tab, download the required documentation set and license file:
Deployment of Application Control on ePolicy Orchestrator (ePO)
Install Extensions
1. Log in to ePolicy Orchestrator (ePO)
2. Go to Menu -> Software -> Extensions
3. Click on Install Extension
4. Browse and select the "ePO Management Extension HF4", click OK
5. In the Install Extension page, click OK
6. Click on Install Extension
7. Browse and select the "Help Extension", click OK
8. In the Install Extension page, click OK
After the installation of the Extensions, the following changes appear in the ePolicy Orchestrator (ePO):
- On the Extensions page, an entry for Solidcore is made.
- In Menu, under Reporting, Solidcore Events and Solidcore Alerts: Solidcore Events shows all Solidcore events generated for the managed endpoints; Solidcore Alerts shows Solidcore-related alerts.
- In Menu, under Automation, Solidcore Client Task Log: shows the status of the Solidcore client task runs on the endpoints.
- Scroll down on the Menu, under Configuration, Solidcore Rules: provides a default set of Rule Groups, Certificates and Installers included for Application Control. Rule Groups, Certificates and Installers can be defined, managed and customized here.
- Scroll down on the Menu, a new section Application Control can be seen with the following pages: Inventory, Image Deviation and Policy Discovery.
Inventory - You can manage and review the software inventory discovered on the endpoints here, either by Application or by Systems.
Image Deviation - Image deviation is used to compare the inventory of an endpoint with the inventory fetched from a designated gold system. This helps you track the inventory present on an endpoint and identify any differences that occur.
Policy Discovery - The Policy Discovery page serves as a central console to help you manage all observation and self-approval requests.
Install Packages
1. Go to Menu -> Software -> Master Repository
2. Click on Check In Package
3. Select Package type: Product or Update (.ZIP)
4. Browse and select the "Solidcore Client for Windows HF4", click Next
5. Select Branch: Current, click Save
6. In the Master Repository page, verify that the "Solidcore Client for Windows" is available
Activate Licenses
1. On your computer, open the McAfee_Application_Control_v8_0_License.txt file and copy the License Key of "ePO-based Deployment"
2. Go to Menu -> Configuration -> Server Settings
3. Under Setting Categories, select Solidcore
4. On the right-side pane, click on Edit
5. Under License Information, insert the License Key at the
Application Control text box, Click Save
Deployment of Application Control Client on the Endpoints
Tags
We can use Tags to identify and sort systems. Tags and tag groups allow you to select groups of systems and simplify the creation of tasks and queries.
This step is entirely up to the person conducting the tasks; even in this document, not all tasks or policies were used with Tags.
Create Tag
1. Go to Menu -> Systems -> Tag Catalog
2. Click on New Tag
3. In the Description page, insert the following details and click Next:
a. Name: AC
b. Notes: Application Control (Solidcore)
4. In the Criteria page, click Next (we shall apply the tag manually)
5. In the Evaluation page, click Next
6. In the Preview page, click Save
Assign Tag
1. Go to Menu -> Systems -> System Tree
2. On the left pane, under System Tree, select My Organization
3. On the right pane, click Systems. Under Preset: This Group and All Subgroups
4. Select the endpoints where Application Control Client would be deployed
5. Click on Actions -> Tag -> Apply Tag
6. Select the Tag, AC, click OK
Install Application Control Client
1. Ensure that My Organization and the preset, This Group and All Subgroups is selected
2. Click on Assigned Client Tasks
3. Click on New Client Task Assignment
4. On the Client Task Assignment Builder: My Organization, ensure the following:
a. Task to Schedule:
i. Product: McAfee Agent
ii. Task Type: Product Deployment
iii. Task Name: SolidCore_Install_Windows_CWD
b. Tags:
i. Send this task to only computers which have the following criteria
ii. Has any of these tags: AC
c. Schedule Type: Run Immediately
d. Click Save
5. Ensure that My Organization and the preset, This Group and All Subgroups is selected
6. Select the systems with the Tag: AC
7. Click on Wake Up Agents
8. On the Force policy update, check the Force complete policy and task update
9. Click OK
Verify Application Control Client
1. Move to one of the endpoints where Application Control client is being deployed
2. On the System Tray, right click on the McAfee Agent and select McAfee Agent Status Monitor
3. Note the following during the installation process
4. On the System Tray, right click on the McAfee Agent and select About. Scroll down to confirm the below:
5. Move to the ePolicy Orchestrator (ePO)
6. Go to Menu -> Systems -> System Tree
7. Click on one of the endpoints where you had deployed Application Control client
8. Click on Products, you should see Solidcore as a Product entry
Configure Endpoints on Observation Mode
Initially Application Control will be configured to run in Observe Mode. Observe mode offers two benefits.
- Helps you develop policies and determine rules that allow applications to run in Enabled mode.
- Performs a dry run for the product, letting users run or install software without any blockages.
Observations record execution, installation, and uninstallation activities for managed endpoints. Generally speaking, when Application Control is running in Observe mode, it allows most operations on the endpoints.
In Observe mode, a file is allowed to execute unless it is banned by a specific rule or has a malicious reputation. For each action that Application Control would block in Enabled mode, a corresponding observation is logged in Observe mode. For example, the installation of software or modification of a package generates corresponding observations.
All observations generated on an endpoint are sent to the McAfee ePO server after the agent-server communication interval (ASCI). When an endpoint is in Observe mode, no Application Control events are generated for the endpoint.
Observe mode also supports reputation-based execution. When you execute a file at an endpoint, the software fetches its reputation and the reputation of all certificates associated with the file to determine whether to allow or ban the file execution.
You can keep the endpoints in Observe mode for 24 hours, during which customers can perform any actions such as software installations, binary modifications, etc., so that we know what operations are usually performed at the endpoint.
Configure Application Control Client in Observe Mode
Enable Application Control, Start Observe Mode and Fetch Inventory (Solidification)
1. Go to Menu -> Systems -> System Tree
2. Ensure that My Organization and the preset, This Group and All Subgroups is selected
3. Click on Assigned Client Tasks
4. Click on New Client Task Assignment
5. On the Client Task Assignment Builder: My Organization, ensure the following:
a. Task to Schedule:
i. Product: Solidcore 8.0.0
ii. Task Type: SC:Enable
6. On Take Actions, Click Create New Task, ensure the following:
a. Task Name:
b. Description:
c. Enable: Check Application Control and Initial Scan Priority: High
d. Activation Options: Full Feature Activation
e. Observe Mode: Start Observe Mode
f. Inventory: Check Pull Inventory
g. Click Save
7. Tags:
a. Send this task to only computers which have the following criteria
b. Has any of these tags: AC
8. Schedule Type: Run Immediately
9. Click Save
10. Ensure that My Organization and the preset, This Group and All Subgroups is selected
11. Select the systems with the Tag: AC
12. Click on Wake Up Agents
13. On the Force policy update, check the Force complete policy and task update
14. Click OK
Verify Application Control Client Enablement and Observe Mode
1. Move to one of the endpoints where Application Control client is being deployed
2. On the System Tray, right click on the McAfee Agent and select McAfee Agent Status Monitor
3. Note the following during the Client Task Assignment process
4. On the ePolicy Orchestrator (ePO), go to Menu -> Automation -> Solidcore Client Task Log.
5. You should see the details of the Client Task Assignment process. Note that the start and end times are nearly the same as in the actual endpoint's McAfee Agent Monitor.
Once the assignment is completed, the endpoint will reboot; this is because we selected Full Feature Activation, which includes the Memory Protection feature.
Verify Fetch Inventory (Solidification) on the Endpoint
1. On the System Tray, right click on the McAfee Agent. A new Quick Settings option should appear with
the Application Control Event and Application Control Solidification Status.
2. Click on Application Control Solidification Status. This shows the solidification or whitelisting status for an endpoint.
3. On the endpoint, right-click on the taskbar and open Task Manager. You should see the McAfee Solidifier Service running with high CPU and memory usage.
Verify Fetch Inventory (Solidification) from the ePolicy Orchestrator (ePO)
1. Go to Menu -> Systems -> System Tree
2. Ensure that My Organization and the preset, This Group and All Subgroups is selected
3. Click on Actions -> Choose Columns
4. On the left pane, in the filter list of Available Columns, search for "Solidification Status"
5. Click Save
6. You can view the current state of Solidification as below:
Verify the completion of Fetch Inventory (Solidification)
1. Move to one of the endpoints where Application Control client has been deployed
2. On the System Tray, right click on the McAfee Agent. Click on Application Control Solidification Status.
3. On the ePolicy Orchestrator, check the System Tree with the "Solidification Status" column shown
4. Go to Menu -> Reporting -> Solidcore Events. The Event Display Name on all the endpoints should be Initial Scan Completed.
Inventory Management
1. Go to Menu -> Application Control -> Inventory
You can review, fetch, and manage the software inventory for protected endpoints. The software inventory for an endpoint contains information about the executable files and script files present on the endpoint.
The information stored in the inventory includes complete file name, file size, SHA-1, SHA-256, file reputation, file type, embedded application name, certificate details, and version.
By Applications - provides the inventory for all managed endpoints, grouped by reputation:
Trusted - Includes trusted inventory items with Known Trusted, Most Likely Trusted, and Might be Trusted reputations, as received from the reputation source (effectively creating the whitelist for your enterprise). Because these are trusted files, you do not need to perform extensive management activities for these files. If your organization wants to disallow a trusted file, you can block it.
Malicious - Includes malware or malicious inventory items with Known Malicious, Most Likely Malicious, and Might be Malicious reputations, as received from the reputation source (effectively creating the blacklist for your enterprise). Because these are malicious files, you must usually block these applications. If needed, you can re-categorize any in-house or trusted applications in the malicious list as a trusted file.
Unknown - Includes inventory items with Unknown reputation or items that are not synchronized with the reputation source (effectively creating the graylist for your enterprise). You must routinely review and manage the graylist for your enterprise to keep it to a minimum size (ideally zero). You might need to reclassify internally developed, recognized, or trusted (from a reputed vendor) files that are currently in the unknown list. Any pre-existing advanced persistent threat (APT) resides in the graylist or unknown category.
By Systems - provides the inventory for a selected endpoint.
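As an added illustration, not code from McAfee or from this techbook, the following Python script applies the three reputation buckets above to a constructed CSV inventory export, lists graylist items signed by an internal CA as reclassification candidates, and performs the hash-based comparison between an endpoint and a gold system that the Image Deviation page described earlier does. The column names, file paths, hashes and the "Contoso Internal CA" signer are all constructed for the example; a real ePO export uses its own column layout.

```python
import csv
import io

# Reputation buckets as listed on the Inventory page (Trusted / Malicious / Unknown)
TRUSTED = {"Known Trusted", "Most Likely Trusted", "Might be Trusted"}
MALICIOUS = {"Known Malicious", "Most Likely Malicious", "Might be Malicious"}

# Constructed sample exports with a subset of the inventory fields the techbook names.
# The endpoint export stands for a managed system, the gold export for a designated gold system.
ENDPOINT_INVENTORY = """\
path,sha256,reputation,reputation_source,signer
C:\\Windows\\System32\\notepad.exe,aaaa1111,Known Trusted,GTI,Microsoft Windows
C:\\Program Files\\7-Zip\\7z.exe,bbbb2222,Most Likely Trusted,TIE,
C:\\Users\\alice\\Downloads\\7z1801-x64.exe,cccc3333,Unknown,TIE,
C:\\Tools\\inhouse-report.exe,dddd4444,Unknown,Not synchronized,Contoso Internal CA
C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe,eeee5555,Most Likely Malicious,GTI,
"""

GOLD_INVENTORY = """\
path,sha256,reputation,reputation_source,signer
C:\\Windows\\System32\\notepad.exe,aaaa1111,Known Trusted,GTI,Microsoft Windows
C:\\Program Files\\7-Zip\\7z.exe,bbbb0000,Most Likely Trusted,TIE,
C:\\Tools\\inhouse-report.exe,dddd4444,Unknown,Not synchronized,Contoso Internal CA
"""


def parse_inventory(text):
    """Parse a CSV inventory export into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def classify(entry):
    """Map an inventory row to whitelist / blacklist / graylist by its reputation."""
    if entry["reputation"] in TRUSTED:
        return "trusted"
    if entry["reputation"] in MALICIOUS:
        return "malicious"
    # Unknown reputation, or never synchronised with a reputation source: the graylist
    return "unknown"


def triage(entries):
    """Group inventory paths into the three buckets the Inventory page shows."""
    buckets = {"trusted": [], "malicious": [], "unknown": []}
    for entry in entries:
        buckets[classify(entry)].append(entry["path"])
    return buckets


def graylist_candidates(entries, internal_signers):
    """Graylist items signed by an internal CA: candidates to reclassify as trusted.

    internal_signers is a constructed set of signer names the organisation trusts.
    """
    return [e["path"] for e in entries
            if classify(e) == "unknown" and e["signer"] in internal_signers]


def image_deviation(gold, endpoint):
    """Compare an endpoint's inventory with the gold system's, by path and SHA-256."""
    gold_hashes = {e["path"]: e["sha256"] for e in gold}
    end_hashes = {e["path"]: e["sha256"] for e in endpoint}
    common = gold_hashes.keys() & end_hashes.keys()
    return {
        "added": sorted(end_hashes.keys() - gold_hashes.keys()),
        "removed": sorted(gold_hashes.keys() - end_hashes.keys()),
        "modified": sorted(p for p in common if gold_hashes[p] != end_hashes[p]),
    }


if __name__ == "__main__":
    endpoint = parse_inventory(ENDPOINT_INVENTORY)
    gold = parse_inventory(GOLD_INVENTORY)
    for name, paths in triage(endpoint).items():
        print(f"{name}: {len(paths)}")
        for p in paths:
            print("   ", p)
    print("graylist to reclassify:", graylist_candidates(endpoint, {"Contoso Internal CA"}))
    print("image deviation:", image_deviation(gold, endpoint))
```

The graylist size reported by triage() is the number to drive towards zero; the image deviation output flags the downloaded installer and the file in the user's Temp directory as additions against the gold image, and the changed hash of 7z.exe as a modification.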
Policy Discovery
1. Move to the endpoint where Application Control is deployed
2. Download a couple of application installation files. The following applications will be used as an
example:
a. Privacy Eraser (utility)
b. 7-Zip (compression)
c. Media Monkey (multimedia)
3. Install 7-Zip
4. On the System Tray, right click on the McAfee Agent and select McAfee Agent Status Monitor
5. Click on Collect and Send Props and Send Events
6. On the ePolicy Orchestrator, go to Menu -> Application Control -> Policy Discovery
Since 7-Zip was executed, it shows 7z1801-x64.exe as a File Addition.
Policy Discovery helps in defining policies for various applications based on the events generated from the endpoints, such as File Additions, Software Installations and Binary Modifications. Customized policies can be created to allow or ban them if required.
The Approval Status provides three (3) event categories:
- Pending - Software installation, script execution or binary modification executed at the endpoint. They can either be allowed or blocked.
- Allowed - Software installation, script execution or binary modification which is allowed.
- Banned - Software installation, script execution or binary modification which is banned.
The page also displays the reputation source for files, such as TIE, GTI, Application Control, Not synchronized, or Not Applicable. If the reputation source is TIE, clicking TIE opens the TIE Reputations page, which allows you to view details for the selected file.
Values of TIE, GTI, or Application Control indicate the source last synchronized with. Not synchronized indicates that the software has not synchronized with any reputation source. For network path execution requests, the reputation source is set to Not applicable.
Configure Endpoints on Enable Mode
Enabled mode indicates that protection is effective. Enabled mode is the recommended mode of operation. In Enabled mode, Application Control:
- Allows only trusted (based on reputation) or authorized (based on rules) applications and installers to run on servers and endpoints
- Protects against memory-based attacks and application tampering
Customized Rule Group
A rule group is a collection of rules. After you define a rule group, you can reuse the rules within the rule group by associating the rule group with different policies. Also, to modify a rule, update the rule in the rule group and the change cascades across all associated policies automatically.
The software provides predefined rule groups to allow commonly used applications to run smoothly.
Create Rule Group
1. On the ePolicy Orchestrator, go to Menu -> Configuration -> Solidcore Rules
2. On the Rules Group tab, click on Add Rule Group
3. Provide the Name of the Rule Group, click OK
4. Search for the created Rule Group, under Actions click on Edit
Updater Processes - An updater process is an application permitted to update the endpoint. If a program is configured as an updater, it can install new software and update existing software. For example, if you configure the Adobe 8.0 updater program as an updater, it can periodically patch all needed files.
Certificates - A certificate refers to a trusted certificate, associated with a software package, that permits the associated applications to run on a protected endpoint. After you add a certificate as a trusted certificate, all applications signed by the certificate are allowed. To allow any in-house applications to run on protected endpoints, you can sign the applications with an internal certificate. After you do, all applications signed by the certificate are allowed. Also, all executable and script files added or modified on an endpoint by a file that is signed by the certificate are automatically added to the whitelist.
Installers - When a program (or an installer) is configured as an authorized installer, it gets both the attributes: authorized executable and updater. Regardless of whether the installer was originally on the endpoint, it is allowed to execute and update software on the endpoint.
Directories - Add directories (local or network share) as trusted directories to run any software in these directories on a protected endpoint. A trusted directory refers to a directory (local or network share) identified by its Universal Naming Convention (UNC) path. After you add a directory as a trusted directory, endpoints can run any software in that directory. When enabled, Application Control prevents protected endpoints from executing any file residing on a network share. If you maintain shared folders containing installers for licensed applications on the internal network in your organization, add trusted directories for such network shares.
Users - A trusted user is an authorized user (Windows only) with privileges to dynamically add to the whitelist.
Executable Files - If a reputation source is available in your environment, executable files are automatically allowed or blocked from executing based on their reputation. However, based on your requirements, you can manually authorize or restrict execution for an executable file (based on its name, SHA-1, or SHA-256). Allowing an executable file based on the SHA-1 or SHA-256 ensures that regardless of the source of the file (such as the Internet or an in-house repository), if the SHA-1 or SHA-256 matches, the file is allowed to run.
Exclusions - Add exclusion rules to bypass applied memory-protection and other techniques.
Filters -
Execution Control - You can define additional execution control attribute-based rules for files in your setup for protection from fileless malware and script-based attacks. Application Control performs multiple checks to determine whether to allow or block a file's execution. If a file's execution is allowed after the Application Control checks, attribute-based or granular rules, if any are defined, come into play. The rules are based on the concept of fine-grained whitelisting and can be created on the attributes of a file. You can define specific rules using one or more attributes (such as path, parent process, command-line argument and user) of the file to allow, block, or monitor the file. When multiple rules are matched for a particular scenario, allow rules have the highest precedence, followed by block and monitor rules, respectively.
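The following Python model, added here as an illustration and not McAfee's code, ties together the Observe/Enabled mode behaviour described in the Observation Mode section and the rule-group entries in the table above: a file with a malicious reputation is blocked in both modes, a file that is neither trusted nor authorized is blocked only in Enabled mode (and logged as an observation in Observe mode), and Execution Control attribute rules are resolved with allow over block over monitor once the file is otherwise allowed. The rule format, the event fields, the user names and the sample rule group are assumptions made for the example; only the MWEPOTrustedDirectory share and the TeamViewer certificate come from this techbook.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatchcase

TRUSTED_REPUTATIONS = {"Known Trusted", "Most Likely Trusted", "Might be Trusted"}
MALICIOUS_REPUTATIONS = {"Known Malicious", "Most Likely Malicious", "Might be Malicious"}


@dataclass
class RuleGroup:
    """Simplified stand-in for a Solidcore rule group (constructed for this example)."""
    allowed_hashes: set = field(default_factory=set)   # Executable Files authorized by SHA-256
    trusted_dirs: tuple = ()                           # Directories: local path or UNC share, prefix match
    trusted_certs: set = field(default_factory=set)    # Certificates, keyed here by signer name
    trusted_users: set = field(default_factory=set)    # Users allowed to run unlisted files
    exec_rules: list = field(default_factory=list)     # Execution Control attribute rules


@dataclass
class ExecEvent:
    """One execution attempt as the client would see it (constructed sample data)."""
    path: str
    sha256: str = ""
    reputation: str = "Unknown"   # as returned by the reputation source (TIE/GTI)
    signer: str = ""
    user: str = ""
    parent: str = ""
    cmdline: str = ""
    whitelisted: bool = False     # file was present in the solidified inventory


def rule_matches(rule, ev):
    """A rule matches when every attribute it names matches the event (case-insensitive glob)."""
    return all(fnmatchcase(getattr(ev, attr).lower(), rule[attr].lower())
               for attr in ("path", "parent", "cmdline", "user") if attr in rule)


def execution_control(rules, ev):
    """Resolve the matching Execution Control rules: allow beats block, block beats monitor."""
    actions = {r["action"] for r in rules if rule_matches(r, ev)}
    for action in ("allow", "block", "monitor"):
        if action in actions:
            return action
    return None


def is_authorized(rg, ev):
    """Return (authorized, reason) from reputation, the whitelist and the rule-group entries."""
    if ev.reputation in TRUSTED_REPUTATIONS:
        return True, "trusted reputation"
    if ev.whitelisted:
        return True, "in whitelist"
    if ev.sha256 and ev.sha256.lower() in rg.allowed_hashes:
        return True, "authorized by SHA-256"
    if any(ev.path.lower().startswith(d.lower()) for d in rg.trusted_dirs):
        return True, "trusted directory"
    if ev.signer and ev.signer in rg.trusted_certs:
        return True, "trusted certificate"
    if ev.user in rg.trusted_users:
        return True, "trusted user"
    return False, "not trusted or authorized"


def decide(rg, ev, mode):
    """Return (decision, reason) for mode 'observe' or 'enabled'."""
    if ev.reputation in MALICIOUS_REPUTATIONS:
        return "block", "malicious reputation"        # banned in either mode
    authorized, reason = is_authorized(rg, ev)
    if not authorized:
        if mode == "enabled":
            return "block", reason
        reason += " (observation logged)"             # Observe mode lets it run and records it
    # attribute-based rules only come into play once the file is otherwise allowed
    ec = execution_control(rg.exec_rules, ev)
    if ec == "block":
        return "block", "execution control block rule"
    if ec == "monitor":
        reason += " (monitored)"
    return "allow", reason


# Constructed sample rule group: share name and signer taken from this techbook, the rest invented
SAMPLE_RG = RuleGroup(
    trusted_dirs=("\\\\fileserver\\MWEPOTrustedDirectory\\",),
    trusted_certs={"TeamViewer"},
    trusted_users={"CORP\\svc_deploy"},
    exec_rules=[
        {"action": "block", "path": "*\\powershell.exe", "parent": "*\\winword.exe"},
        {"action": "monitor", "path": "*\\powershell.exe"},
        {"action": "allow", "path": "*\\powershell.exe", "user": "CORP\\svc_deploy"},
    ],
)

if __name__ == "__main__":
    PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    samples = [
        ExecEvent("C:\\Windows\\System32\\notepad.exe", whitelisted=True, user="CORP\\alice"),
        ExecEvent("C:\\Users\\alice\\Downloads\\7z1801-x64.exe", user="CORP\\alice"),
        ExecEvent("\\\\fileserver\\MWEPOTrustedDirectory\\7z1801-x64.exe", user="CORP\\alice"),
        ExecEvent(PS, whitelisted=True, user="CORP\\alice", parent="C:\\Office\\winword.exe"),
        ExecEvent(PS, whitelisted=True, user="CORP\\svc_deploy", parent="C:\\Office\\winword.exe"),
    ]
    for ev in samples:
        for mode in ("observe", "enabled"):
            print(mode, decide(SAMPLE_RG, ev, mode), ev.path)
```

The three PowerShell rules show the precedence rule in action: for an ordinary user launching PowerShell from Word, the block and monitor rules both match and block wins; for the deployment account the allow rule also matches and takes precedence over both. Running the same installer from the user's Downloads folder and from the trusted share shows why the Directories entry matters once Observe mode ends.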
Assign Rule Group
1. Go to Menu -> Policy -> Policy Catalog
2. From the Product list, Select Product Solidcore 8.0.0: Application Control
3. From the Category list, Select Application Control Rules (Windows)
You will notice that McAfee Applications (McAfee Default) and McAfee Default Rules are applied beforehand. The Rule Groups inside McAfee Applications (McAfee Default) are already included in McAfee Default Rules. We will be replacing McAfee Applications (McAfee Default) with our customized rules.
We will keep using McAfee Default Rules. This includes predefined Rule Groups to allow commonly used applications to run smoothly.
4. On the Blank Template, click on Duplicate and provide a name
5. Click on the rule that was created
6. Click on Add, on the search bar look for the Rule Group you created previously
7. Click OK, click Save
8. Go to Menu -> Systems -> System Tree
9. Ensure that My Organization and the preset, This Group and All Subgroups is selected
10. Click on Assigned Policies
11. Under Category, look for Application Control Rules (Windows)
Under Policy, you will notice that McAfee Applications (McAfee Default) and McAfee Default Rules have been
assigned
12. Click on Edit Assignments
13. We will keep Policy 1, McAfee Default.
14. In Policy 2:
a. Inherit From: check Break inheritance and assign the policy and settings below
b. Assigned policy: select the Policy/Rule made from the Blank Template in the previous steps
15. Click Save
16. Perform Agent Wake-up Call with Force policy update.
Add Updater Process to Rule Group
1. On the ePolicy Orchestrator, go to Menu -> Configuration -> Solidcore Rules
2. Search for the created Rule Group, under Actions click on Edit
3. Click on Updater Processes, click on Add
4. Add the information required for 7-Zip
5. Click OK, click Save Rule Group
Add Users to Rule Group
1. On the ePolicy Orchestrator, go to Menu -> Configuration -> Solidcore Rules
2. Search for the created Rule Group, under Actions click on Edit
3. Click on Users, click on AD Import
4. Provide the information for the trusted user
5. Click OK, click Save Rule Group
Add Certificates to Rule Group
Before defining rules for certificates, they need to be extracted and added to the Certificate inventory in
Solidcore Rules.
You can add a certificate regardless of whether it is an internal certificate or one issued to the vendor
by a certificate authority. When adding a certificate, you can also grant it updater privileges.
Use this option carefully: every executable signed by that certificate acquires updater privileges, so the
trust extends to everything the signer has ever signed, not only the product you are testing.
The certificates are extracted from applications kept on a file share. Use any shared folder and drop some
applications into it for certificate extraction. For demonstration purposes the MWEPOTrustedDirectory share
will be used; note that this has no relation to the Directories use case above.
For this example, a TeamViewer setup executable will be used.
1. On the ePolicy Orchestrator, go to Menu -> Configuration -> Solidcore Rules
2. Click on Certificates
3. Click on Actions -> Extract Certificates
4. Provide the required details as below:
5. Click Extract, you should receive the following dialog box
6. Click OK
7. You will notice that the Certificates inventory has an additional item
8. Go to Rule Groups
9. Search for the created Rule Group, under Actions click on Edit
10. Click on Certificates, click on Add
11. Search or scroll through to find the TeamViewer certificate
12. Check TeamViewer and scroll down to check Add Certificate as Updater.
13. Provide a Label name
14. Click OK, save Rule Group
15. Perform Agent Wake-up Call with Force policy update on the selected group/endpoints
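Before a certificate is added as an updater it is worth knowing exactly which signers are present in the share, whether their signatures are actually valid, and whether any signer other than the expected vendor would be trusted by mistake. The following PowerShell script is an added example and is not part of the original guide or of the Application Control product; it uses the built-in Get-AuthenticodeSignature cmdlet to inventory the signers of every executable under a share, which is the same information the Extract Certificates action pulls into the Certificate inventory. The share path and the expected signer name are placeholders to be replaced.

```powershell
# Added example (not from the original guide): inventory the Authenticode signers of
# every executable in a share before adding a certificate to a Rule Group.
# Assumptions: $SharePath and $ExpectedSigner are placeholders for your environment.
param(
    [string]$SharePath      = '\\fileserver\TrustedDirectory',  # assumed UNC path
    [string]$ExpectedSigner = 'TeamViewer'                      # assumed substring of the signer CN
)

# Collect signature details for each binary in the share.
$results = Get-ChildItem -Path $SharePath -Recurse -File -Include *.exe, *.msi, *.dll -ErrorAction Stop |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            File       = $_.FullName
            Status     = $sig.Status            # Valid, NotSigned, HashMismatch, UnknownError, ...
            Subject    = $sig.SignerCertificate.Subject
            Issuer     = $sig.SignerCertificate.Issuer
            Thumbprint = $sig.SignerCertificate.Thumbprint
            NotAfter   = $sig.SignerCertificate.NotAfter
        }
    }

# 1. Only files whose signature chain verifies as Valid are usable as a source of trust.
$results | Where-Object Status -ne 'Valid' |
    ForEach-Object { Write-Warning "Skipping $($_.File): signature status is $($_.Status)" }

# 2. Distinct signers among the valid files: this is what lands in the Certificate inventory.
$signers = $results | Where-Object Status -eq 'Valid' |
    Group-Object Thumbprint | ForEach-Object {
        [pscustomobject]@{
            Thumbprint = $_.Name
            Subject    = $_.Group[0].Subject
            Issuer     = $_.Group[0].Issuer
            NotAfter   = $_.Group[0].NotAfter
            Files      = $_.Count
        }
    }
$signers | Format-Table -AutoSize

# 3. Flag any signer that is not the vendor you meant to trust. Marking a certificate as
#    Updater trusts every binary it has signed, so an unexpected signer here is a real finding.
$unexpected = $signers | Where-Object { $_.Subject -notlike "*$ExpectedSigner*" }
if ($unexpected) {
    Write-Warning 'Unexpected signer(s) present; review before adding any certificate as Updater:'
    $unexpected | Format-Table Subject, Thumbprint, NotAfter -AutoSize
}
```

Run it against the share before step 3 above and compare the thumbprint it reports with the item that appears in the Certificates inventory after extraction. Files whose status is HashMismatch or NotSigned should be removed from the share rather than trusted by path.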
Configure Endpoints to End Observe Mode and Enable Solidcore Client
In order to test the systems in lockdown mode we must end Observe Mode and ensure that the
Application Control client is in Enabled mode.
1. Go to one of the endpoints where the Application Control client is deployed
2. On the System Tray, right-click the McAfee Agent icon and select About. Scroll down to confirm the below:
Note that on this particular system the SC:Enable task was run with Limited Feature Activation.
3. On the ePolicy Orchestrator (ePO), go to Menu -> Systems -> System Tree
4. Ensure that My Organization and the preset, This Group and All Subgroups is selected
5. Click on Assigned Client Tasks, click on New Client Task Assignment
6. On the Client Task Assignment Builder ensure the following:
a. Task to Schedule:
i. Product: Solidcore 8.0.0
ii. Task Type: SC:Observe Mode
7. On Take Actions, Click Create New Task, ensure the following:
a. Task Name:
b. Description:
c. Observe Mode:
i. Check End Observe Mode
ii. Check Enable Solidcore Client
8. Click Save
9. Perform Agent Wake-up Call with Force policy update on the selected group/endpoints
Verify Application Control Enable Mode on the Endpoint
1. Go to one of the endpoints where the Application Control client is deployed
2. On the System Tray, right-click the McAfee Agent icon and select About. Scroll down to confirm the below:
Verify Application Control Enable Mode on ePolicy Orchestrator (ePO)
1. Go to Menu -> Systems -> System Tree
2. Ensure that My Organization and the preset, This Group and All Subgroups is selected
3. Click on Actions -> Choose Columns
4. On the left pane, in the filter list of Available Columns, search for "Solidcore Status"
5. Click Save
6. You can view the current state of Solidification as below:
User Acceptance Testing (UAT)
On the endpoint we will test our customized Rule Group.
1. Go to one of the endpoints where the Application Control client is deployed
2. On the System Tray, right-click the McAfee Agent icon and select Quick Settings -> Application Control Event
UAT - Updater Process - Run previously installed application
1. Run the 7-Zip application. It should execute properly without any error.
UAT - Updater Process - Run installation of new application
1. Execute the Privacy Eraser Free installation executable. You should receive an Execution Denied event.
2. Execute the Media Monkey installation executable. You should receive an Execution Denied event.
UAT - Certificates - Run application signed with a trusted certificate
1. Execute the TeamViewer installation executable. The TeamViewer installation should be allowed.
UAT - Directories - Run application from non-trusted and trusted directories
1. Run an application from any UNC share that is not added to the customized Rule Group. You should
receive an Execution Denied event.
2. Run the same application from the UNC share that is added to the customized Rule Group. It should
execute properly without any error.
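The UAT cases above are run by hand in the guide. The following PowerShell harness is an added example, not part of the original guide or of the product, that turns them into a repeatable allow/deny matrix: it first confirms the client is in Enabled mode (so the results are not polluted by a host still in Observe mode), then launches each test binary and compares the outcome with what the Rule Group is expected to do. All file and share paths are placeholders. It assumes the default Solidcore install path for sadmin.exe, that `sadmin status` reports a line reading `McAfee Solidifier: Enabled` when the client is enabled, and that a launch refused by Application Control surfaces to the caller as a failed Start-Process whose message contains "Access is denied"; the Execution Denied event in the console remains the authoritative check.

```powershell
# Added example (not from the original guide): repeatable UAT matrix for the customized Rule Group.
# Assumptions: paths below are placeholders; sadmin.exe lives at its default install location;
# a launch blocked by Application Control fails with a Win32 "Access is denied" error.

$sadmin = 'C:\Program Files\McAfee\Solidcore\sadmin.exe'   # assumed default install path

# Precondition: lockdown tests are meaningless if the client is still in Observe mode or disabled.
$status = & $sadmin status 2>&1 | Out-String
if ($status -notmatch 'McAfee Solidifier:\s+Enabled') {
    throw "Application Control is not in Enabled mode on this host:`n$status"
}

# One entry per UAT case from the guide. Expect is what the Rule Group should produce.
$cases = @(
    @{ Name = 'Updater process: run installed 7-Zip';    Path = 'C:\Program Files\7-Zip\7zFM.exe';            Expect = 'Allowed' }
    @{ Name = 'New installer, no updater involved';      Path = 'C:\UAT\PrivacyEraserSetup.exe';               Expect = 'Denied'  }
    @{ Name = 'New installer, no updater involved';      Path = 'C:\UAT\MediaMonkeySetup.exe';                 Expect = 'Denied'  }
    @{ Name = 'Trusted certificate: TeamViewer setup';   Path = 'C:\UAT\TeamViewer_Setup.exe';                 Expect = 'Allowed' }
    @{ Name = 'Non-trusted UNC share';                   Path = '\\fileserver\DataShare\ipscan25.exe';         Expect = 'Denied'  }
    @{ Name = 'Trusted UNC share (in Rule Group)';       Path = '\\fileserver\TrustedDirectory\ipscan25.exe';  Expect = 'Allowed' }
)

function Invoke-UatCase {
    param([hashtable]$Case)
    $outcome = 'Allowed'
    try {
        # Solidcore refuses the process creation for a blocked binary, which Start-Process
        # reports as a terminating error. An allowed binary is killed after two seconds so
        # that installers do not actually complete during the test.
        $p = Start-Process -FilePath $Case.Path -PassThru -ErrorAction Stop
        Start-Sleep -Seconds 2
        if (-not $p.HasExited) { Stop-Process -Id $p.Id -Force -ErrorAction SilentlyContinue }
    } catch {
        $msg = $_.Exception.Message
        $outcome = if ($msg -match 'Access is denied') { 'Denied' } else { "Error: $msg" }
    }
    [pscustomobject]@{
        Test     = $Case.Name
        Path     = $Case.Path
        Expected = $Case.Expect
        Actual   = $outcome
        Result   = if ($outcome -eq $Case.Expect) { 'PASS' } else { 'FAIL' }
    }
}

$report = $cases | ForEach-Object { Invoke-UatCase -Case $_ }
$report | Format-Table -AutoSize

# Non-zero exit so a UAT runner can fail the pilot gate on any mismatch.
if ($report | Where-Object Result -eq 'FAIL') { exit 1 }
```

A missing test file shows up as an "Error:" outcome rather than a false PASS or FAIL, and a case whose expectation is "Denied" should, after the run, have a matching Execution Denied event under Reporting -> Solidcore Events; if the harness says Denied but no event was recorded, the block came from somewhere other than Application Control (NTFS permissions, for example) and the case needs another look.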
Policy Discovery
1. On the ePolicy Orchestrator, go to Menu -> Application Control -> Policy Discovery
2. You can see all the activities that were performed at the endpoint.
3. Select the item where Object Name is mwepodatashare
4. Click on Actions.
You can see that you are able to add this item either to your customized Rule Group (Create Custom Policy)
or to the Global Rules Rule Group (Allow Trusted Path Globally).
Solidcore Events
1. On the ePolicy Orchestrator, go to Menu -> Reporting -> Solidcore Events
2. Here you can view the events that were generated at the endpoint
3. Click on Create Policy for Object Type with MWEPODataShareipscan25.exe
From this page you can add this object to any Rule Group or get further information if connected to Threat
Intelligence Exchange (TIE).
Dashboards
1. Go to Menu -> Reporting -> Application Control
2. From the drop-down list select Solidcore: Application Control
3. From the drop-down list select Solidcore: Health Monitoring
The Solidcore: Health Monitoring dashboard includes specific monitors to indicate congestion levels for
inventory items and observations on the McAfee ePO console. You can also add more monitors to review
congestion for self-approval requests and client task logs. For each monitor, the possible values for the
congestion level are No congestion, Low, Moderate, High, and Data deleted.