McAfee Application Control Windows Product Guide. (Unmanaged)


COPYRIGHT
Copyright 2018 McAfee, LLC

TRADEMARK ATTRIBUTIONS
McAfee and the McAfee logo, McAfee Active Protection, ePolicy Orchestrator, McAfee ePO, McAfee EMM, Foundstone, McAfee LiveSafe, McAfee QuickClean, Safe Eyes, McAfee SECURE, SecureOS, McAfee Shredder, SiteAdvisor, McAfee Stinger, True Key, TrustedSource, VirusScan are trademarks or registered trademarks of McAfee, LLC or its subsidiaries in the US and other countries. Other marks and brands may be claimed as the property of others.

LICENSE INFORMATION
License Agreement
NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND.

Contents

1 Product overview 5
    Overview
    Key features
    How it works

2 Using Application Control 7
    Application Control modes
    Use the command-line interpreter
    Overriding protection
    Configuring Application Control
        Add the license
        Create the whitelist
        Place Application Control in Enabled mode
    Using certificates
        What are certificates?
        Extracting certificates
        Add certificates
        View certificates
        Remove certificates
    Using updaters
        What are updaters?
        What to add as updater
        Add updaters
        Specifying files to be added as updaters
        Review default updaters using Fine-tune
        Discover potential updaters
        View updaters
        Remove updaters
    Using checksum values
        Using SHA-1 or SHA-256 values
    Using trusted directories
        When to add trusted directories
        Adding trusted directories
        Specifying directory paths
        View trusted directories
        Exclude specific directories from the list of trusted directories
        Remove trusted directories
    Using trusted users
        Add trusted users
        List trusted users
        Remove trusted users
    Using ActiveX controls
        Allowing ActiveX controls to run
        Block execution of ActiveX controls
        Disable the ActiveX feature
    Using interpreters
        Map an interpreter with a file extension
        View interpreter and file extension associations
        Remove interpreter and file extension associations
    Using execution control rules
        Defining attribute-based rules for file execution
        Add attribute-based rules
        Remove attribute-based rule
        View all attribute-based rules

Memory-protection techniques 37
    Configuring CASP
    Configuring bypassing rules for NX
    Configuring Forced DLL Relocation

Maintain your systems 41
    View product status and version
    Managing the whitelist
    Advanced exclusion filters (AEFs)
    Managing product features
    Package Control
        Configuring Package Control
    Making emergency changes
        Switch to Update mode
        Exit Update mode
    Enable or disable password protection
    Configuring log files
    Disable Application Control

A Application Control event list 55
B Command short forms 61

1 Product overview

Contents
    Overview
    Key features
    How it works

Overview

McAfee Application Control is security software that blocks unauthorized applications from running on your systems. Application Control uses dynamic whitelisting to guarantee that only trusted applications run on servers, devices, and desktops. It eliminates the need for IT administrators to manually maintain lists of approved applications. It also gives IT control over endpoints to help enforce software license compliance.

The software uses a dynamic trust model and innovative security features to prevent advanced persistent threats (APT) without requiring signature updates. It guarantees protection without impacting productivity.

With Application Control, you can:
    Prevent any malicious, untrusted, or unwanted software from executing.
    Automatically identify trusted software and grant it authorization to run.
    Block users from introducing software that poses a risk to your company.

Key features

Application Control protects your organization against malware attacks before they occur by proactively controlling the applications that run on your desktops, laptops, and servers. It enforces control on connected or disconnected servers, virtual machines (VMs), endpoints, and devices.

Dynamic whitelisting
    Application Control protects your organization against malware attacks before they occur by proactively controlling the applications that are executed on your system. You can manage your whitelist in a secure and dynamic way. IT administrators don't need to manually maintain lists of approved applications. Application Control groups executables across your company by application and vendor. You can easily search for useful information such as:
        Applications added this week
        Uncertified binaries
        Systems running outdated versions

Protection against threats
    Application Control extends coverage to executable files, libraries, drivers, Java applications, ActiveX controls, and scripts for greater control over application components. It enforces control on connected or disconnected servers, virtual machines, endpoints, and fixed devices, such as kiosks and point-of-sale (POS) terminals. It also locks down protected endpoints against threats and unwanted changes, with no file system scanning or other periodic activity that might impact system performance.

Advanced memory protection
    Application Control offers multiple memory-protection techniques to prevent zero-day attacks. These techniques provide extra protection beyond that of native Windows features or signature-based buffer overflow protection products. They also prevent whitelisted applications from being exploited by memory buffer overflow attacks on Windows 32-bit and 64-bit systems.

How it works

Application Control creates a whitelist of all authorized executable files. When you run an executable file that isn't whitelisted, the software blocks its execution. The whitelist details authorized files and determines trusted or known files. In Enabled mode, only files that are present in the whitelist are allowed to run. All files in the whitelist are protected and can't be changed or deleted. An executable binary or script that isn't in the whitelist is said to be unauthorized and is prevented from running.

Application Control stores the whitelist for each drive or volume at the following location:
    <drive>\solidcore\scinv

Here is a list of the types of files included in the whitelist.
    Binary executables (.exe, .sys, and .dll files)
    Script files (such as .bat, .cmd, and .vbs files)

When the whitelist is created for Windows, Application Control doesn't include system-specific files that are protected by the operating system, for example, pagefile.sys and hiberfil.sys.

When you execute a file on a whitelisted system, Application Control compares the checksum and path of the binary with the checksum and path stored in the whitelist and allows the execution only if both the checksum value and the path match.
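The path-plus-checksum decision described in How it works, as an added model in Python. This is not McAfee code: it assumes SHA-256 as the checksum algorithm and uses an in-memory dictionary in place of the <drive>\solidcore\scinv inventory file.

```python
"""
Model of the whitelist check described in How it works: a file may run only
when both its path and its checksum match the inventory entry. Added example,
not McAfee code. Assumptions: SHA-256 as the checksum algorithm; an in-memory
dict stands in for the <drive>\\solidcore\\scinv inventory.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# File types the guide lists as included in the whitelist
WHITELISTED_SUFFIXES = {".exe", ".sys", ".dll", ".bat", ".cmd", ".vbs"}
# OS-protected files the guide says are left out of the whitelist
OS_PROTECTED_NAMES = {"pagefile.sys", "hiberfil.sys"}


def checksum(path: Path) -> str:
    """SHA-256 of the file contents (assumed checksum algorithm)."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def normalize(path) -> str:
    """Canonical path key; Windows paths compare case-insensitively."""
    return os.path.normcase(os.path.abspath(str(path)))


def solidify(volume: Path) -> dict:
    """Create the whitelist for a volume (the role of 'sadmin so'): path -> checksum."""
    inventory = {}
    for p in volume.rglob("*"):
        if not p.is_file() or p.suffix.lower() not in WHITELISTED_SUFFIXES:
            continue
        if p.name.lower() in OS_PROTECTED_NAMES:
            continue
        inventory[normalize(p)] = checksum(p)
    return inventory


def is_execution_allowed(inventory: dict, path: Path) -> bool:
    """Enabled mode decision: allowed only if path AND checksum match."""
    expected = inventory.get(normalize(path))
    if expected is None:
        return False                     # unknown path: unauthorized
    return path.is_file() and checksum(path) == expected


def demo() -> dict:
    """Exercise the decision on a constructed volume in a temp directory."""
    with tempfile.TemporaryDirectory() as tmp:
        vol = Path(tmp)
        (vol / "bin").mkdir()
        tool = vol / "bin" / "tool.exe"
        tool.write_bytes(b"MZ constructed sample binary")
        script = vol / "setup.bat"
        script.write_text("@echo off\r\nrem constructed sample script\r\n")
        (vol / "pagefile.sys").write_bytes(b"\x00" * 64)
        (vol / "notes.txt").write_text("not an executable type")
        inventory = solidify(vol)

        results = {
            "inventory_size": len(inventory),           # tool.exe and setup.bat only
            "tool_allowed": is_execution_allowed(inventory, tool),
            "script_allowed": is_execution_allowed(inventory, script),
        }
        # Same bytes at another path: checksum matches, path does not
        copy = vol / "tool.exe"
        copy.write_bytes(tool.read_bytes())
        results["copy_at_other_path_allowed"] = is_execution_allowed(inventory, copy)
        # Modified in place: path matches, checksum does not
        tool.write_bytes(b"MZ tampered")
        results["modified_allowed"] = is_execution_allowed(inventory, tool)
        # Never whitelisted at all
        dropped = vol / "bin" / "dropped.exe"
        dropped.write_bytes(b"MZ new file")
        results["new_file_allowed"] = is_execution_allowed(inventory, dropped)
        return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```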

2 Using Application Control

Contents
    Application Control modes
    Use the command-line interpreter
    Overriding protection
    Configuring Application Control
    Using certificates
    Using updaters
    Using checksum values
    Using trusted directories
    Using trusted users
    Using ActiveX controls
    Using interpreters
    Using execution control rules

Application Control modes

Application Control ensures that only whitelisted, legitimate, and authorized applications and files run on the system. It can operate in four different modes. Each mode is different in principle and usage.

Disabled
    This mode indicates that Application Control isn't running on your system. Although the application is installed, its features are disabled. After installation, the application is in Disabled mode by default. You can then switch to Update or Enabled mode.

Enabled
    This mode indicates that only whitelisted applications and files are allowed to run. Execution of unauthorized software, such as a virus or spyware, is prevented. In Enabled mode, Application Control protects files in the whitelist from unauthorized change. After the initial whitelist is created, switch to Enabled mode, which makes sure that no unauthorized changes are allowed.

Update
    This mode indicates that protection is effective but changes are allowed on protected endpoints. When you perform software updates in Update mode, Application Control tracks and records each change. Also, it dynamically updates the whitelist to make sure that the changed or added binaries and files are authorized to execute when the system returns to Enabled mode. If you delete any software and program files from the system, the respective files are removed from the whitelist.

Use the command-line interpreter

The command-line interpreter (sadmin) allows you to manage the Application Control configuration and features. The method you use to open the command-line interpreter depends on your operating system.

1 Open the command-line interpreter on Windows:
    On Windows 2008, Windows 2008 R2, Windows 2012, Windows 8, Windows 8.1, Windows 10, and Windows 7 (with UAC enabled) platforms, right-click the McAfee Solidifier Command-line icon on the desktop and select Run as administrator.
    On other Windows platforms, double-click the McAfee Solidifier Command-line icon on the desktop.
    Or click Start > Programs > McAfee Solidifier > McAfee Solidifier Command Line.

2 Use these commands to get help information.
    sadmin help                        Lists basic help information.
    sadmin help <command>              Provides basic help for the specified command.
    sadmin help-advanced <command>     Provides advanced help for the specified command.

Overriding protection

On a protected system, overriding applied protection allows components to execute using checksum values, certificates, or from a trusted directory. If a component is configured as an updater, it can also update the software on a protected system.

You can authorize execution of a program or file on a protected system by using one of these methods.
    Updater process or trusted user
    Checksum (SHA-1 or SHA-256)
    Certificate
    Trusted directory
    Adding to the whitelist
    Defining attribute-based rules for file execution

The whitelist is the most common method to determine the trusted or known files. Typically, most applications and executable files remain unchanged over prolonged periods of time. But, if needed, you can allow certain applications and executable files to create, change, or delete files in the whitelist. To design a trust model and allow more users or programs to change a protected system, you can use one of the methods listed in this table.

Method and description

Updaters
    If a component is configured as an updater, it is allowed to install new software and update existing software components on a protected system.

Trusted users
    If you provide updater rights to a Windows user, the user is defined as a trusted user and has the permissions to dynamically add to the whitelist. A trusted user can install or update any software. While adding the user details, you must also provide the domain details. Of all methods available to allow changes to protected endpoints, this method is the least preferred because it offers minimal security. Define trusted users carefully because after a trusted user is added, there are no restrictions on what they can change or run on an endpoint.

SHA-1 or SHA-256 values
    Override protection applied to a system by authorizing certain files based on their checksum value. Authorizing files by their checksum (SHA-1 or SHA-256) value allows them to execute on a protected system. You can also provide updater rights to an authorized file. For more information, see Using SHA-1 or SHA-256 values.

Certificates
    Application Control allows trusted certificates associated with software packages to run on a protected system. After you add a certificate to the list of trusted certificates, you can run all software signed by the certificate.

Binary names
    Authorize execution of binaries (programs and files) by specifying their names. But, when you authorize execution of a binary by name, all binaries that have the same name and are present on the system or network shares are authorized to execute on a protected system.

Trusted directories
    On a protected system, you can add directories (local or network directories) as trusted directories to run any software present in these directories. Trusted directories are identified by their Universal Naming Convention (UNC) path.

Update mode
    Update mode is an authorized mode to perform software updates on a protected system. When Application Control is in Update mode, changes are allowed on a protected system. Place the system in Update mode to perform software updates. Use this method when none of the other methods, such as using trusted users, trusted directories, certificates, or checksum values, meet your requirements and the software isn't present in the updaters list. For example, you can use Update mode to complete maintenance tasks, such as installing patches or upgrading software.

Defining attribute-based rules for file execution
    When a file's execution is undetermined after the checks, attribute-based or execution control rules, if any are defined, come into play. You can define specific rules using one or more attributes of a process to allow, block, or monitor the process.

Configuring Application Control

Contents
    Add the license
    Create the whitelist
    Place Application Control in Enabled mode

Add the license

The license determines if the product features are available. You can specify the license during or after installation. If you don't specify a license during installation, you must specify it when you run Application Control on the system.

1 Verify whether a license is already added (provided during installation) by entering the following command and pressing Enter.
    sadmin license list
  All licenses that are already installed on the system are listed.

2 If no license is listed, add a license now:
    sadmin license add <license_key>

3 Restart Application Control:
    net stop scsrvc
    net start scsrvc

Create the whitelist

Application Control creates a whitelist of authorized executable files. When you run an executable file that isn't whitelisted, Application Control blocks its execution.

1 Run this command at the command prompt.
    sadmin so
  The time the system takes to create the whitelist varies from a few minutes to an hour, depending on your system configuration, including CPU speed, RAM, and applications installed on the system. After the whitelist is created, a message similar to this one appears.
    Solidifying volume C:\ 00:04:11: Total files scanned 12265, solidified

2 Verify that the drive or volume is whitelisted.
  a Run this command at the command prompt.
      sadmin status
    The status of Application Control is displayed. You can view the operational mode, operational mode on system restart, connectivity with McAfee ePO, CLI access status, and whitelist status of the drives or volumes. However, in the standalone configuration of the product, connectivity with McAfee ePO is not applicable.
  b Review the whitelist status of the drives or volumes, and make sure that the status is Solidified.

Place Application Control in Enabled mode

Place Application Control in Enabled mode to allow only whitelisted applications to run on your system.

1 Run this command at the command prompt.
    sadmin enable

2 Place Application Control in Enabled mode using one of these methods:
    Restart the system to enable Application Control, the memory protection feature, and the Script As Updater (SAU) feature.
    Restart the Application Control service to enable the software without the memory protection feature:
        net stop scsrvc
        net start scsrvc

3 Verify that Application Control is in Enabled mode:
    sadmin status

  The status is displayed. You can view the operational mode, operational mode on system restart, CLI access status, and whitelist status of all drives.
  a Review the operational mode.
  b Verify that the current operational mode is Enabled.

Using certificates

Contents
    What are certificates?
    Extracting certificates
    Add certificates
    View certificates
    Remove certificates

What are certificates?

Application Control allows trusted certificates that are associated with software packages to run on a protected system. After you add a certificate as a trusted or authorized certificate, you can run all software signed by the certificate on a protected system without entering Update mode. For example, if you add Adobe's code-signing certificate, all software issued by Adobe and signed by Adobe's certificate is allowed to run. Application Control supports only X.509 certificates.

To allow in-house applications to run on protected systems, you can sign the applications with an internal certificate and define the internal certificate as a trusted certificate. After you do so, all applications signed by the certificate are allowed. You can also provide updater permissions to the certificate. All applications and binary files that are either added or changed on a system and signed by a certificate that has the updater permissions are automatically added to the whitelist. Use this option carefully because it makes sure that all executable files signed by the certificate acquire updater rights.

Extracting certificates

The ScGetCerts utility extracts a certificate from a file. This utility can also run on systems where the whitelist is not created. The ScGetCerts utility is shipped with the product and is installed in the Application Control installation directory. The default location of ScGetCerts is C:\Program Files\McAfee\Solidcore\Tools\ScGetCerts.

Here is the syntax of the command to extract certificates.
    scgetcerts.exe [<FILEPATH: filename | directory>] [OUTPUT PATH] [--cab] <-A> <-O> <-n | -c> [<DOMAIN>] [<USERNAME>] [<PASSWORD>]

To extract a certificate from a file, specify the file path with the file name, or the directory path where the file is located. If you specify a directory name, certificates or installer information are extracted recursively from all files in the specified directory. Also, specify the output directory path where you want to store the extracted certificates, installer information, or both.

This table describes the supported parameters:

--cab
    Extracts certificates from a .cab file. When you specify the --cab parameter, you must also specify the -O parameter.

-A
    Extracts all certificates from a file. By default, only the root certificate is extracted.

-O
    Specify this optional parameter if only the certificates are to be extracted and not the additional information. This parameter is not optional if the --cab parameter is also specified.

-c
    Checks whether the path of the file is accessible on the network.

-n
    Provides authentication to the directory path on the network. The -n option is specified only when you specify the directory path.

Specify the domain, user name, and password when the -n or -c parameter is used.

Add certificates

You can add certificates as trusted or authorized certificates to run all software signed by those certificates on a protected system. Application Control supports only X.509 certificates.

Add a certificate:
    sadmin cert add

Use an existing certificate or extract certificates from one or more signed files. You can extract a certificate from any signed file using ScGetCerts.exe (<Install_dir>\Tools\ScGetCerts\ScGetCerts.exe).

sadmin cert add <certificatename>
    Adds a certificate as a trusted certificate. For example:
        sadmin cert add mcafee.cer

sadmin cert add -c <certificatecontent>
    Use the -c argument to specify the certificate content as trusted, with the base64 certificate content in place of <certificatecontent>. For example:
        sadmin cert add -c <certificatecontent>

sadmin cert add -u <certificatename>
    Add trusted certificates as updaters using the -u argument. For example:
        sadmin cert add -u mcafee.cer
    Selecting this option makes sure that all files signed by a certificate acquire updater rights. For example, if you set the Microsoft certificate that signs the Internet Explorer application as an updater, Internet Explorer can download and execute any application from the Internet. In effect, any file added or modified by an application that is signed by the certificate is added to the whitelist automatically.

View certificates

View certificates in the Application Control certificate store to verify that the trusted certificates are added to the system. Run these commands at the command prompt.

sadmin cert list
    Lists the SHA-1 and SHA-256 values of certificates that are added as trusted or authorized certificates in the Application Control certificate store.

sadmin cert list -d
    Lists details of the issuer and subject of the certificates added to the system.

sadmin cert list -u
    Lists all certificates with updater permissions.
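An added helper, not part of the product, for working out the SHA-1 and SHA-256 values that sadmin cert list reports and that sadmin cert remove accepts. It assumes those values are hashes of the certificate's DER encoding, as for a normal certificate thumbprint, and accepts a .cer file's bytes, PEM text, or the bare base64 content that the -c argument takes.

```python
"""
Fingerprints of a certificate in the form sadmin cert list / cert remove use.
Added example, not McAfee code. Assumes (as for a normal thumbprint) that the
SHA-1 and SHA-256 values shown are hashes of the certificate's DER encoding.
Accepts a DER .cer file's bytes, PEM text, or the bare base64 content that
the -c argument takes.
"""
import base64
import hashlib
import re


def der_length(der: bytes) -> int:
    """Total encoded length of the outer DER SEQUENCE, header included."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE (X.509 certificates start with 0x30)")
    first = der[1]
    if first & 0x80:                       # long form: next n bytes hold the length
        n = first & 0x7F
        if n == 0 or len(der) < 2 + n:
            raise ValueError("bad DER length")
        return 2 + n + int.from_bytes(der[2:2 + n], "big")
    return 2 + first                       # short form


def to_der(content) -> bytes:
    """Normalize DER bytes, PEM text or bare base64 to the DER encoding."""
    if isinstance(content, bytes) and content[:1] == b"\x30":
        der = content
    else:
        text = content.decode("ascii") if isinstance(content, bytes) else content
        text = re.sub(r"-----(BEGIN|END)[^-]*-----", "", text)  # strip PEM armour
        text = re.sub(r"\s+", "", text)                          # joined lines, as pasted
        der = base64.b64decode(text, validate=True)
    if der_length(der) != len(der):
        raise ValueError("certificate content is truncated or has trailing data")
    return der


def fingerprints(content) -> dict:
    """SHA-1 and SHA-256 hex digests of the DER encoding."""
    der = to_der(content)
    return {"sha1": hashlib.sha1(der).hexdigest(),
            "sha256": hashlib.sha256(der).hexdigest()}


# Constructed stand-in for a certificate: a DER SEQUENCE holding one INTEGER.
# It is not a real X.509 certificate; the parsing and hashing are the same.
SAMPLE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x05])
SAMPLE_B64 = base64.b64encode(SAMPLE_DER).decode()
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\n" + SAMPLE_B64 + "\n-----END CERTIFICATE-----\n"


def demo() -> dict:
    """All three input forms give one fingerprint; a cut-off blob is rejected."""
    fp = fingerprints(SAMPLE_DER)
    result = {
        "sha1": fp["sha1"],
        "base64_matches_der": fingerprints(SAMPLE_B64) == fp,
        "pem_matches_der": fingerprints(SAMPLE_PEM) == fp,
    }
    try:
        fingerprints(SAMPLE_B64[:-4])     # drop the last base64 group: truncated
        result["truncated_rejected"] = False
    except ValueError:
        result["truncated_rejected"] = True
    return result


if __name__ == "__main__":
    print(demo())
```

Pass a real .cer file's bytes or the pasted -c content to fingerprints() to get the value to compare against sadmin cert list before running sadmin cert remove.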

Remove certificates

Delete certificates from the Application Control certificate store to remove their trusted or authorized status. After removal, the software signed by those certificates is no longer allowed to run on a protected system on the basis of the certificate. Run this command at the command prompt.
    sadmin cert remove

sadmin cert remove <SHA-1 or SHA-256>
    Removes a certificate that was added as a trusted certificate, identified by its SHA-1 or SHA-256 value. Specify the SHA-1 or SHA-256 value of the certificate to remove it from the Application Control certificate store. For example:
        sadmin cert remove 7ecf2b6d72d8604cf6217c34a4d9974be6453dff

sadmin cert remove -c <certificatecontent>
    Use the -c argument to remove the specified certificate content from the Application Control certificate store, with the base64 certificate content in place of <certificatecontent>. For example:
        sadmin cert remove -c <certificatecontent>

sadmin cert flush
    Removes all certificates from the Application Control certificate store.

Using updaters

Contents
    What are updaters?
    What to add as updater
    Add updaters

    Specifying files to be added as updaters
    Review default updaters using Fine-tune
    Discover potential updaters
    View updaters
    Remove updaters

What are updaters?

Updaters are authorized components that are allowed to update the system. By default, if you provide updater rights to a component, the child component automatically inherits the same rights. For example, if you specify the Adobe 8.0 program as an updater, it can periodically patch all needed files. Updaters work at a global level and are not application-specific or license-specific. When a program is defined as an updater, it can change any protected file.

To qualify as updaters, components must match one of these requirements:
    They must be present in the whitelist.
    They must be defined as authorized binaries.

Application Control also includes predefined default updater rights for commonly used applications that might need to update the systems frequently. These applications are known as default updaters. For example, default updater permissions are defined for Yahoo, Oracle, and McAfee products.

When to add updaters
    Certain programs frequently update software components on the system automatically. Add such programs as updaters to allow them to update the software components. Add updaters when they are frequently required to make changes to the system.

What to add as updater

You can add components such as installers, scripts, binaries, users, or certificates as updaters.

Installers
    Add installers as updaters to allow them to automatically update the software components on the protected systems.
    Windows installer: To add the Windows installer for Hotfix KB as an updater, use this command:
        sadmin updaters add WindowsInstaller-KB v2-x86.exe
    Microsoft installer (MSI-based installer): To add the MSI-based installer Ica32Pkg.msi and perform automatic updates on protected files or registry keys, use this command:
        sadmin updaters add Ica32Pkg.msi

Scripts
    Scripts with updater rights are allowed to perform update operations on protected systems.
        sadmin updaters add <scriptname>
        sadmin updaters add myscript12.bat
    On the Windows platform, you must use the cmd interpreter with the /C parameter (cmd /C) to run scripts as updaters. For example, cmd /C myscript12.bat. Using the /C parameter ensures that the specified command is executed and then stopped. Adding scripts as updaters is available on all Windows platforms except Windows Server 2003 (IA64).

Binaries
    You can add binaries as updaters. Binaries with updater rights are allowed to update protected binaries and software components. Binaries also include executable (.exe) files.
        sadmin updaters add <filename>
        sadmin updaters add update.exe

Users
    You can add users as updaters to allow the users to perform update operations on the protected system.
        sadmin updaters add -u <username>
        sadmin updaters add -u john_smith
    For domain users:
        sadmin updaters add -u john_smith@mycompany.com
        sadmin updaters add -u mydomain\john_smith

Certificates
    You can add selected certificates as updaters. All components signed by these certificates are allowed to make changes to the binaries on the system and start new applications. For example, if you add as an updater the Microsoft certificate that is used to sign the Internet Explorer application, Internet Explorer is allowed to download and execute any application.
        sadmin cert add -u <certfilename>
        sadmin cert add -u firefox.cer

Processes that are currently running can be added as updaters.

While creating the whitelist, temporary folders are ignored and are not whitelisted. The exception is when a process with updater permissions creates binaries in the temp folder; those binaries are added to the whitelist.

You can add, list, or remove the updaters using the sadmin updaters command with the required arguments. Also, you can change the default configuration of Application Control to allow more commonly used applications to execute and add them to default updaters. You can add these types of applications to default updaters:
    Software provisioning systems that download, install, and run new applications. For example, Microsoft software update and custom scripts.
    Self-updating applications. For example, anti-virus.

After creating the whitelist on a system, Application Control configures the default updaters. The software updates the default configuration to allow the default updaters to execute and update the Commercial-Off-The-Shelf (COTS) applications. You can use the Fine-tune utility to configure default updaters.

Add updaters

You can add various components as updaters to allow them to update the system. If a program is configured as an updater, it can install new software and update existing software. Run this command at the command prompt.
    sadmin updaters add <filename>

This table lists the supported arguments, descriptions, and examples.

Argument: -d
  Excludes the child processes of the file from inheriting the updater permissions.
  sadmin updaters add -d <filename>
  sadmin updaters add -d winlogon.exe

Argument: -n
  Disables event logging for a file to be added as an updater.
  sadmin updaters add -n <filename>
  sadmin updaters add -n winlogon.exe

Argument: -l
  Adds an execution file as an updater only when the specified library is loaded by the execution file.
  sadmin updaters add -l <associated libraryname> <filename>
  sadmin updaters add -l system32\wuauserv.dll svchost.exe

Argument: -t
  Performs these operations:
  - Includes a tag for a file to be added as an updater.
    sadmin updaters add -t <associated tag> -l <associated libraryname> <filename>
    sadmin updaters add -t Win_up_schedule1 -l system32\wuauserv.dll svchost.exe
  - Adds a user with a tag name as an updater.
    sadmin updaters add -t <tagname> -u <username>
    sadmin updaters add -t McAfee001 -u john_smith

Argument: -p
  Adds a file as an updater only when its parent execution file is running.
  sadmin updaters add -p <parentname> <filename>
  sadmin updaters add -p svchost.exe iexplore.exe

Argument: -u
  Adds a user as an updater. All update operations by the specified user name are allowed. When you specify the -u argument, other arguments, such as -l, -p, -d, and -n, are not applicable.
  sadmin updaters add -u <username>
  These types of user names can be added as updaters:
  - Simple name. For example, john_smith. If you specify a simple name, users with this name in all domains are added as updaters.
  - Domain name (username@domain name). For example, john_smith@mycompany.com.
  - Hierarchical domain name (domain name\user name). For example, mydomain\john_smith.

If you right-click a file and select Run as <updater user name>, the file can run as an updater only if the file is added to the whitelist and authorized to run.

Specifying files to be added as updaters

You can specify files using the file name or checksum value.
This table describes the methods to specify a file to be added as an updater.

Method: Specify the file name
  If the file name is added as an updater, the updater permissions apply only to the file name and remain in effect even if the file path is changed. You can specify the absolute or relative path of the file. But, if you specify the absolute path of the file as an updater, the updater permissions apply only to that specific path. For example, if dir\file.exe is specified, the updater rule applies only if file.exe is in a directory named dir. If you specify full path names with the drive letter, the drive letter isn't considered. For example, if you specify C:\foo\bar.exe, the updater rule is added for \foo\bar.exe only and does not include the drive letter.
  Paths can include the * and ? wildcard characters to specify file paths and file names. When specifying a file path for an updater rule, ?:\test1\test2\test.exe, C:\?Test*QA\Test1\Test.exe, C:\Test1\?\?\Test.exe, and C:\*\*\Test.exe are allowed, while *:\Test1\Test2\Test.exe and *:\Test1\*\*\Test.exe aren't supported.

Method: Specify the file SHA-1 or SHA-256
  If the file SHA-1 or SHA-256 is added as an updater, only the file with that SHA-1 or SHA-256 value is allowed as an updater. This makes sure that, regardless of the source of the file, if the SHA-1 or SHA-256 value matches, the file is allowed as an updater. You can specify the checksum value to be added as an updater by using the sadmin auth -a -u -c <checksumvalue> command. Specifying a checksum value to be added as an updater isn't supported for scripts; scripts can't be added as updaters by this method.

Review default updaters using Fine-tune

The Fine-tune utility enables you to update the default system configuration to execute Commercial Off-The-Shelf (COTS) applications and add them to the default updaters.
The Fine-tune utility verifies against the Knowledge Base that Application Control authorizes these applications to make configuration changes. You can deploy Fine-tune by using the batch file, finetune.bat, which is available where Application Control is installed. You can use this utility to add or remove the whitelisting customization to run a particular application.

To get help about the utility's supported options, run this command.
finetune.bat help

The attribute "A" refers to the application identifier. You can view all identifiers by running the finetune.bat help command.

1 Add an application to the default updaters: finetune.bat add A-Application. For example:
  finetune.bat add A-McAfee
2 Remove an application from the default updaters: finetune.bat remove A-Application. For example:
  finetune.bat remove A-McAfee

Discover potential updaters

You can identify a list of possible updaters that can be added on a Windows system. In the features list, this feature is identified as discover-updaters.

When running in Enabled mode, Application Control protection can prevent a legitimate application from running (if the required rules are not defined). The software tracks all failed attempts made by authorized executables to change protected files or run other executable files. You can review the information about failed attempts to identify updater rules that allow legitimate applications to run.

1 Get a list of components that can be added as updaters:
  sadmin diag
  Review the list to ensure that no restricted program, or program with a generic name such as setup.exe, is set as an authorized updater. The output of this command marks configuration entries with these symbols.

  Symbol: !
    The configuration for the program exists. The existing configuration is displayed on the next line.
  Symbol: *
    The configuration is for a restricted program, which can provide the capability to change the system. Hence, such programs must have a restricted configuration.
  Symbol: * and !
    The configuration of the program exists, but some changes are required in the configuration to execute the program successfully.

2 Apply the diagnosed configuration changes:
  sadmin diag fix
3 Apply the diagnosed configuration changes for restricted programs:
  sadmin diag fix -f
  Restricted programs are Windows critical programs. For example, services.exe, winlogon.exe, svchost.exe, and explorer.exe.

View updaters

Updaters are authorized components that are permitted to update the system. When a program is defined as an updater, it can change any protected file.

View the list of all components defined as updaters on the system:
sadmin updaters list

Remove updaters

You can remove updaters to restrict them from making changes to the system.
1 Delete all components from the updaters list:
  sadmin updaters flush

2 Remove a specific component from the updaters list:
  sadmin updaters remove
  This table lists how to remove specific components as updaters.

  Component: Installers
    sadmin updaters remove <installername>
    sadmin updaters remove Ica32Pkg.msi
  Component: Scripts
    sadmin updaters remove <scriptname>
    sadmin updaters remove myscript12.bat
  Component: Binaries
    sadmin updaters remove <filename>
    sadmin updaters remove update.exe
    After using this command, restart the system to remove the binaries from the updaters list.
  Component: Users
    sadmin updaters remove -u <username>
    sadmin updaters remove -u john_smith
    After using this command, restart the system to remove the users from the updaters list.

Using checksum values

Using SHA-1 or SHA-256 values

Override the protection applied to a system by authorizing certain files based on their SHA-1 or SHA-256 values. Authorizing files by their SHA-1 or SHA-256 value allows them to execute on the protected system. If a file is not added to the whitelist but is configured as an authorized file, it is allowed to execute on the system. Regardless of the source of a file, if the SHA-1 or SHA-256 value matches, the file is allowed to run.

You can also provide updater permissions to an authorized file. Configuring an authorized binary as an updater provides the updater permissions in addition to execution. An authorized file that is configured as an updater is allowed to run and update software on a protected system. Installers can also be authorized by SHA-1 or SHA-256 value and configured as updaters to allow them to install new software and update software components. For example, if you authorize the installer for the Microsoft Office 2010 suite by SHA-1 or SHA-256 and also configure the installer as an updater, then whenever the SHA-1 or SHA-256 value matches, the installer is allowed to install the Microsoft Office suite on the protected systems.

Authorize binaries

You can authorize binaries to allow them to execute on a protected system.

Syntax: sadmin auth -a -c <checksumvalue>
  Specifies the SHA-1 or SHA-256 value of the binary to be authorized. For example:
  sadmin auth -a -c bcc5aa45a0221b4016f62d63a26d3ee4af
Syntax: sadmin auth -a [-t tagname] -c <checksumvalue>
  Includes the tag name and the checksum value of the binary to be authorized. For example:
  sadmin auth -a -t Win_up_schedule1 -c bcc5aa45a0221b4016f62d63a26d3ee4af
Syntax: sadmin auth -a -u -c <checksumvalue>
  Authorizes a binary and also provides updater permissions. Specify the checksum value of the binary to be authorized and added as an updater. For example:
  sadmin auth -a -u -c bcc5aa45a0221b4016f62d63a26d3ee4af

Ban binaries

You can restrict binaries from executing on a protected system.

Syntax: sadmin auth -b -c <checksumvalue>
  Specifies the SHA-1 or SHA-256 value of the file to be banned. For example:
  sadmin auth -b -c bcc5aa45a0221b4016f62d63a26d3ee4af
Syntax: sadmin auth -b -t <tagname> -c <checksumvalue>
  Includes the tag name and the SHA-1 or SHA-256 value of the file to be banned. For example:
  sadmin auth -b -t AUTO_1 -c bcc5aa45a0221b4016f62d63a26d3ee9at

View authorized and banned binaries

You can view authorized and banned binaries on a protected system. Run this command at the command prompt:
sadmin auth -l
This command lists authorized and banned binaries and those added as updaters.

Remove authorized or banned binaries

You can remove authorized or banned binaries from your system by using these methods.

Syntax: sadmin auth -r <checksumvalue>
  Specifies the SHA-1 or SHA-256 value of the file to be removed. For example:
  sadmin auth -r bcc5aa45a0221b4016f62d63a26d3ee4af
Syntax: sadmin auth -f
  Flushes all authorized or banned binaries. This command removes all files that are authorized or banned on a system.

Authorize execution of binaries by name

You can override the applied protection by specifying the name of binaries (programs or files) to authorize their execution. When you specify a binary name to authorize its execution on a protected system, all binaries that have the same name and are present on the system or network directories are authorized to execute. Similarly, if you ban a binary by specifying its name, all binaries that have the same name are not allowed to execute.

1 Run this command to authorize binaries.
  sadmin attr add -a <filename>
  For example, sadmin attr add -a setup.exe
2 You can specify the absolute path of the file to make sure that only the required file is allowed to run.
  For example, sadmin attr add -a "C:\Program Files\Google\Picasa3\setup.exe"
  On Windows platforms, the drive letter is truncated. So, if the file path \Program Files\Google\Picasa3\setup.exe is located on any drive other than C, the file is still authorized to execute.

Ban execution of binaries by name

You can restrict execution of binaries on a protected system by specifying their names. Run this command at the command prompt:
sadmin attr add -u <filename>
For example, sadmin attr add -u setup.exe

You can also specify the absolute path of the file. For example, sadmin attr add -u "C:\Program Files\Google\Picasa3\setup.exe"
On the Windows platform, the drive letter is truncated. So, even if the file path \Program Files\Google\Picasa3\setup.exe is located on any drive other than C, the file isn't authorized to execute.
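The by-name matching described for updater file specs (drive letter dropped, bare names applying everywhere, the * and ? limits) and again for authorizing or banning binaries by name above, modelled as an added Python example that is not McAfee's code. How * and ? behave across path separators, the case-insensitive comparison and the extra generic names are assumptions; audit_rules is a constructed helper for reviewing a rule list.

```python
"""Added example (not McAfee's code): a model of how the by-name rules
described above are applied, so you can check what an updater file spec
or an attr add -a/-u name will actually cover before adding it."""
import re

# Names the guide singles out as too generic to trust as updaters (setup.exe
# comes from the guide; install.exe is a constructed extension of that list).
GENERIC_NAMES = {"setup.exe", "install.exe"}

_DRIVE = re.compile(r"^[A-Za-z?]:")


def strip_drive(path: str) -> str:
    """The drive letter is not considered: C:\\foo\\bar.exe becomes \\foo\\bar.exe.
    A ?: wildcard drive is dropped the same way."""
    return _DRIVE.sub("", path)


def is_supported(spec: str) -> bool:
    """*:\\... is documented as unsupported; ?: and a real drive letter are fine."""
    return not spec.startswith("*:")


def _wild_to_regex(spec: str) -> str:
    # Assumption: * and ? match within a single path component, never across \.
    parts = []
    for ch in spec:
        if ch == "*":
            parts.append(r"[^\\]*")
        elif ch == "?":
            parts.append(r"[^\\]")
        else:
            parts.append(re.escape(ch))
    return "".join(parts)


def rule_matches(spec: str, actual_path: str) -> bool:
    """Does a rule given as a bare name, relative path, or absolute path
    apply to a file at actual_path? Comparison is case-insensitive (Windows)."""
    if not is_supported(spec):
        return False
    target = strip_drive(actual_path)
    pattern = _wild_to_regex(strip_drive(spec))
    if "\\" not in spec:
        # Bare name: applies to that name in any directory on any drive.
        name = target.rsplit("\\", 1)[-1]
        return re.fullmatch(pattern, name, re.IGNORECASE) is not None
    if strip_drive(spec).startswith("\\"):
        # Absolute path (minus drive): the whole path must match.
        return re.fullmatch(pattern, target, re.IGNORECASE) is not None
    # Relative path such as dir\file.exe: the trailing components must match
    # on a directory boundary, so xdir\file.exe does not qualify.
    return re.search(r"(^|\\)" + pattern + r"$", target, re.IGNORECASE) is not None


def audit_rules(specs):
    """Flag rules a reviewer should look at before trusting them: unsupported
    wildcard use, and bare names (they apply everywhere), especially generic ones."""
    findings = {}
    for spec in specs:
        issues = []
        if not is_supported(spec):
            issues.append("unsupported: wildcard in drive position")
        elif "\\" not in spec:
            issues.append("bare name: applies in every directory")
            if spec.lower() in GENERIC_NAMES:
                issues.append("generic name")
        findings[spec] = issues
    return findings


if __name__ == "__main__":
    # Constructed sample specs and paths, including the guide's Picasa example.
    for spec, path in [("setup.exe", r"D:\installers\setup.exe"),
                       (r"C:\Program Files\Google\Picasa3\setup.exe",
                        r"E:\Program Files\Google\Picasa3\setup.exe"),
                       (r"dir\file.exe", r"C:\a\xdir\file.exe")]:
        print(f"{spec!r:48} {path!r:48} {rule_matches(spec, path)}")
    print(audit_rules(["setup.exe", r"*:\Test1\Test2\Test.exe", r"\foo\bar.exe"]))
```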

View authorized and banned binaries

You can view authorized and banned files on a protected system. Run these commands at the command prompt.

sadmin attr list -a
  Lists all files that are authorized by name.
sadmin attr list -m
  Lists all files that are blocked in interactive mode.
sadmin attr list -u
  Lists all files that are banned by name.

Remove authorized and banned rules

You can remove authorized-by-name rules to restrict authorized files from executing. Also, you can remove the ban-by-name and block-in-interactive-mode rules to allow execution of banned files. Run these commands at the command prompt.

sadmin attr remove -a <filename>
  Removes the rule that authorizes the specified binary by name. Specify the same file name or path that was used to add the rule.
sadmin attr remove -m <filename>
  Removes the rule that blocks the file in interactive mode.
sadmin attr remove -u <filename>
  Removes the rule that bans the specified binary by name. Specify the same file name or path that was used to add the rule.
sadmin attr flush -a
  Removes the authorized-by-name rules for all files.
sadmin attr flush -m
  Removes the block-in-interactive-mode rules for all files.
sadmin attr flush -u
  Removes the banned-by-name rules for all files.

Using trusted directories

You can override the protection applied to a system using trusted directories. After you add directories as trusted directories, systems can run any software present in these directories.

On the Windows platform, Application Control tracks files and blocks the execution of binaries and scripts on network directories. The software also supports tracking files on Server Message Block (SMB) mount points. This feature is identified as network-tracking in the features list. By default, this feature is enabled and prevents the execution of binaries and scripts on network directories.
When this feature is disabled, execution of scripts on network directories is allowed, but execution of binaries on network directories is still not allowed. Also, write-protecting or read-protecting components on a network directory is not in effect.

On a protected system, you can add directories (local or network share) as trusted directories to run any software present in these directories. Trusted directories are identified by their UNC path.

When to add trusted directories

If you maintain shared folders with installers for licensed applications on the internal network in your organization, you can add trusted directories for such network shares. When enabled, Application Control tracks files over network shares and blocks their execution until the network share is added as a trusted share. Application Control also prevents protected systems from executing any file residing on a network share. If needed, you can allow the software at the UNC path to install software on the protected systems.

For example, when logging on to a Domain Controller from a protected system, you need to define \\domain name\SYSVOL as a trusted directory (to allow execution of scripts and binaries).

Adding trusted directories

You can add directories as trusted directories to run any software present in these directories on a protected system. This table describes how to add trusted directories.

Command: sadmin trusted -i <pathname1...pathnamen>
  Specifies one or more paths to the directories to be added as trusted directories. You can also specify paths to directories located on network shares. For example:
  sadmin trusted -i C:\Documents and Settings\admin\Desktop\McAfee
  sadmin trusted -i \\ \documents
Command: sadmin trusted -u <pathname1...pathnamen>
  Specifies one or more paths to the directories to be added as trusted directories. This command adds all binaries and scripts present in the directories as updaters. You can also specify paths to directories located on network shares. For example:
  sadmin trusted -u C:\Documents and Settings\admin\Desktop\McAfee
  sadmin trusted -u \\ \documents
  You can also add a trusted volume by specifying a volume name with this command to include all binaries and scripts present in the specified volume as updaters. Use the sadmin trusted -i -u <volumename> command to specify the volume name.
Specifying directory paths

You can specify directory paths on a mounted network file system using these methods.

Command: sadmin trusted -i \\server-name\share-name
  Specifies the server that has a network share and the name of the network share.
Command: sadmin trusted -i \\server-name
  Specifies the server name.
Command: sadmin trusted -i \\*
  Specifies all network shares on all servers.

Paths can include wildcard characters to specify file paths and file names. When using wildcards, ensure that the specified string matches a limited set of file paths or file names. If the specified string matches many files, we recommend that you revise the string.

Paths can include the * and ? wildcard characters. When specifying a trusted directory, \\ \*****\User2, \\ \????\User2, \\ \*AD*\*, and \\ \?AD?***\User1 are allowed, while \\*\AD\User1, \\*\AD*\User1, and \\10.**10.10\AD*\User1 are not supported.

View trusted directories

You can view the list of directories that are added as trusted directories on the system. Run this command at the command prompt:
sadmin trusted -l
This command lists all trusted directories added on the system.

Exclude specific directories from the list of trusted directories

You can exclude specific directories from the list of directories that you added as trusted on the system.

1 Run this command at the command prompt:
  sadmin trusted -e <pathname1...pathnamen>
2 Specify one or more paths to the directories to be excluded from the list of trusted directories. For example:
  sadmin trusted -e C:\Documents and Settings\admin\Desktop\McAfee
  sadmin trusted -e \\ \documents

Remove trusted directories

You can remove trusted directories to prevent the software present in them from running. Remove trusted directories using these methods.

Command: sadmin trusted -r <pathname1...pathnamen>
  Specifies one or more paths to the directories to be removed as trusted directories. For example:
  sadmin trusted -r C:\Documents and Settings\admin\Desktop\McAfee
  sadmin trusted -r \\ \documents
Command: sadmin trusted -f
  Flushes all rules for trusted directories. If you specify this argument, all rules for the trusted directories are removed from the system.

Using trusted users

A trusted user is an authorized Windows user with updater permissions to dynamically add to the whitelist. You can add users as updaters to allow them to perform update operations on a protected system. If you provide updater permissions to a user, the user is defined as a trusted user. For example, add administrators as trusted users to allow them to install or update any software. While adding the user information, you can also provide the domain details.

Of all strategies that allow changes to protected systems, this is the least preferred one because it offers minimal security. After a trusted user is added, there are no restrictions on what the user can change or run on the system.

Add trusted users

Add trusted users to allow them to perform update operations on a protected system. Run this command at the command prompt.
sadmin updaters add -u <username>

This table lists the supported arguments, descriptions, and examples.

Argument: -u
  Specify the -u argument to add a user as a trusted user. All update operations by the specified user name are allowed. You can add these types of user names as trusted users.
  - Simple name. For example, john_smith.
    sadmin updaters add -u john_smith
  - Domain name. For example, john_smith@mycompany.
    sadmin updaters add -u john_smith@mycompany
  - Hierarchical domain name (domain name\user name). For example, mydomain\john_smith.
    sadmin updaters add -u mydomain\john_smith
  When you specify the -u argument, other arguments supported for the sadmin updaters add command, such as -l, -p, -d, and -n, are not applicable.
Argument: -t
  Specify the -t argument to add a user with a tag name as an updater. The tag name is an identification label that is present in the logs for all files processed by this rule.
  sadmin updaters add -t <tagname> -u <username>
  sadmin updaters add -t McAfee001 -u john_smith

List trusted users

You can view the list of all users who have updater permissions on the system. Run this command at the command prompt.
sadmin updaters list
This command lists all trusted users and other components defined as updaters on the system.

Remove trusted users

When you remove a trusted user, the updater permissions assigned to that user are removed. Run this command at the command prompt.
sadmin updaters remove -u <username>
For example, sadmin updaters remove -u john_smith
After using this command, restart the system to remove updater permissions from the users.

Using ActiveX controls

Contents
Allowing ActiveX controls to run
Block execution of ActiveX controls
Disable the ActiveX feature

Allowing ActiveX controls to run

Certain websites and programs require the installation of ActiveX controls. By default, Application Control prevents the installation of ActiveX controls on a protected Windows system and the ACTX_INSTALL_PREVENTED event is generated. Install and run ActiveX controls on a protected system using the ActiveX feature. This feature is enabled by default and available on all Windows operating systems except Windows Server
Only Internet Explorer supports ActiveX control installation. Simultaneous installation of ActiveX controls using multiple tabs of Internet Explorer is not supported.

On a protected system, you can install and run the ActiveX controls required for a website by adding the certificate of the website to the Application Control certificate store. Run this command at the command prompt to add the certificate:
sadmin cert add <certificatefilename>

Block execution of ActiveX controls

Uninstall ActiveX controls required for a website by removing the certificate of the website from the Application Control certificate store. Block the execution of allowed ActiveX controls in these scenarios.

Block the execution of an ActiveX control that was previously allowed (but not installed on the system)
  Run this command to remove the certificate from the Application Control certificate store:
  sadmin cert remove <certificatefilename>
  If the ActiveX control is not installed on the system, removing the website's certificate blocks execution of the ActiveX control.
Block the execution of an ActiveX control when the certificate is added to the software certificate store and the ActiveX control is already installed on the system
  sadmin cert remove <certificatefilename>

Disable the ActiveX feature

You can disable the ActiveX feature to stop running ActiveX controls. Run this command to stop the ActiveX feature.
sadmin features disable activex
A system restart is not required after enabling or disabling this feature.

Using interpreters

You can configure interpreters to control the execution of additional scripts. Unlike executables, a script needs an interpreter to read and execute the instructions written in a scripting language. To manage execution of scripts in your setup:
1 Check that the relevant interpreters and scripts are whitelisted.
2 Map the appropriate file extensions of scripts to specific interpreters.

On the Windows platform, by default, if no interpreter is associated with a script file, the script is allowed to execute because Application Control doesn't treat it as a script file. By default, the software supports the standard interpreters and script files that are integrated with the Windows operating system, such as batch files (.bat), command interpreter files (.cmd), script files (.vbs), PowerShell files (.ps1), and command files (.com).

When you execute an interpreter to run a script file, these checks are performed.

Application Control provides additional and granular control for file and script execution. For example, you can choose to block an interpreter from running except when run by a specific user or with specific arguments.

Map an interpreter with a file extension

You can associate an interpreter with a file or script extension to control execution for a certain script type. Run this command at the command prompt.
sadmin scripts add extension interpreter1 [interpreter2]...
The file with the specified extension or type is associated with the specified interpreters.
sadmin scripts add .vbs wscript.exe cscript.exe
This command enables Application Control to enforce that wscript.exe and cscript.exe can execute a .vbs script (when the script file and interpreters are whitelisted). After the association is defined, wscript.exe and cscript.exe can also execute other script files (provided the interpreter can read and understand the instructions in the script file). The association is effective immediately and applies to all new interpreter instances started after running this command.

If needed, you can associate additional interpreters with a script or file type. For example:
sadmin scripts add .vbs zscript.exe

If you try to add an interpreter that is already associated with a file or extension type, no action is taken.

Application Control supports a special tag, 16Bit, as a synthetic extension for 16-bit binaries. To control execution of 16-bit binaries, run these commands.
sadmin scripts add 16Bit wowexec.exe
sadmin scripts add 16Bit ntvdm.exe

View interpreter and file extension associations

You can view the existing interpreter and file or script extension associations defined in your setup to control file execution. Run this command at the command prompt.
sadmin scripts list
Sample output appears like this:
.ps1   "powershell.exe"
.bat   "cmd.exe"
.cmd   "cmd.exe"
.pif   "ntvdm.exe"
.sys   "ntvdm.exe"
.vbe   "cscript.exe" "wscript.exe"
16Bit  "ntvdm.exe" "wowexec.exe"
.vbs   "cscript.exe" "wscript.exe"
.exe   "ntvdm.exe"

Remove interpreter and file extension associations

Remove existing interpreter and file or script extension associations defined in your setup. Run one of these commands at the command prompt.
sadmin scripts remove extension [interpreter1 [interpreter2]]...
  Removes the specified interpreter associations for the file or script type.
sadmin scripts remove extension
  Removes all interpreter associations for the specified file or script type.

Using execution control rules

Contents
Defining attribute-based rules for file execution
Add attribute-based rules
Remove attribute-based rule
View all attribute-based rules

Defining attribute-based rules for file execution

Application Control performs multiple checks to determine whether to allow or block a file's execution. If a file's execution is allowed after the Application Control checks, attribute-based or granular rules, if any are defined,

come into play. The rules are based on the concept of fine-grained whitelisting and can be created on the attributes of a file. This feature is also known as Execution Control and it is enabled by default. To disable this feature, use this command:
sadmin features disable execution-control

You can define specific rules using one or more attributes to allow, block, or monitor the file. Rules that allow execution take precedence over rules that block or monitor execution. Attribute-based rules help you allow or block files in different scenarios based on file context and offer flexibility.

Context-based allowing or blocking of files
On a protected system, only whitelisted interpreters are allowed to execute. But, in certain scenarios, whitelisted interpreters might be misused to execute malicious scripts. For example, powershell.exe can be used to execute unsolidified scripts and file-less scripts by invoking it with atypical input arguments. You can prevent misuse of interpreters by defining attribute-based rules to block potentially malicious scenarios.

Flexibility and control
Attribute-based rules provide flexibility to allow or block file execution, as needed. You might need to block a user from running a specific file. If an administrator wants to block the execution of powershell.exe for a specific user, a rule can be added to prevent its execution. Similarly, you might choose to block execution of a certain file in your setup completely, except when it is run by a specific parent process. You can achieve this by creating a generic block rule and a parent-process-based allow rule for the file. Because the allow rule has precedence over the block rule, it overrides the block rule when applied. Or, you might choose to only observe or monitor a file to determine its execution in your setup.
To do this, you can define a monitor rule for the file. We recommend that before creating a block rule for a file, you create a monitor rule to observe the file's use and execution in your setup. After you define the monitoring rule, if no OBSERVED_FILE_EXECUTION events are generated for the file over a reasonable time window, you can safely define a block rule for the file.

When configuring an attribute-based rule, you can choose to allow, block, or monitor a file. This table describes the behavior of a rule in the supported modes.

Allow rule
  Enabled mode: Allow file execution. No event is generated.
  Update mode: Allow file execution. No event is generated.
Block rule
  Enabled mode: Block file execution. The PREVENTED_FILE_EXECUTION event is generated.
  Update mode: Allow file execution. The OBSERVED_FILE_EXECUTION event is generated.
Monitor rule
  Enabled mode: Allow file execution. The OBSERVED_FILE_EXECUTION event is generated.
  Update mode: Allow file execution. The OBSERVED_FILE_EXECUTION event is generated.

The applied rules are ineffective when any process is selected as an updater. Only the events are generated.

Add attribute-based rules

You can create rules based on one or more attributes of a file to allow, block, or monitor its execution.

1 Enter the command with attribute type command_line:
  sadmin ruleengine add <ruletype> processname command_line <operation> <REGEX/STRING>
  This table describes the command's tokens and their functionality.

  Ruletype (allow, block, monitor)
    Creates a rule to allow, block, or monitor execution.
  Attributetype (command_line)
    The command-line argument with which a process is launched. The attribute-based rule is formed on it for decision making in the rule engine.
  Operation (matches, notmatches, equals, notequals)
    Applies the configured operation to the attribute of a process. Only matches and notmatches support REGEX. For the others, a string is used.
  REGEX (a regular expression)
    A regular expression or a string of characters. It describes a grammar that can be constructed based on ECMAScript.
  STRING (any characters)
    A string of characters.

2 Enter the command with attribute type parent_process_name, user, or path:
  sadmin ruleengine add <ruletype> processname <attributetype> <operation> STRING
  This table describes the command's tokens and their functionality.

  Ruletype (allow, block, monitor)
    Creates a rule to allow, block, or monitor execution.
  Attributetype (user, parent_process_name, path)
    The attribute type on which attribute-based rules are formed for decision making in the rule engine.
  Operation (equals, notequals)
    Applies the configured operation to the attribute of a process.
  STRING (any characters)
    A string of characters.

You can use multiple attributes when creating attribute-based rules. Use AND as a connector while creating a rule based on two or more attribute types.
For example, sadmin ruleengine add block powershell.exe command_line matches.*iex* AND user equals "user1" rule prevents user1 from running powershell.exe when run with command-line argument that matches regex *iex* in this case. In other scenarios, user1 is allowed to execute powershell.exe. McAfee Application Control Windows Product Guide 33
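As an added illustration (not McAfee code), the following Python models how the rule engine evaluates the guide's example rule against constructed process launches in Enabled and Update mode, following the rule-behaviour table earlier in this chapter. The regex anchoring, case handling and first-match precedence are assumptions and are marked as such in the comments.

```python
import re
import shlex
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Rule-behaviour table from this guide:
# (rule type, product mode) -> (execution allowed?, event generated)
OUTCOME = {
    ("allow", "Enabled"): (True, None),
    ("allow", "Update"): (True, None),
    ("block", "Enabled"): (False, "PREVENTED_FILE_EXECUTION"),
    ("block", "Update"): (True, "OBSERVED_FILE_EXECUTION"),
    ("monitor", "Enabled"): (True, "OBSERVED_FILE_EXECUTION"),
    ("monitor", "Update"): (True, "OBSERVED_FILE_EXECUTION"),
}
ATTRIBUTES = {"command_line", "parent_process_name", "user", "path"}
REGEX_OPS = {"matches", "notmatches"}      # only valid on command_line
STRING_OPS = {"equals", "notequals"}


@dataclass(frozen=True)
class Condition:
    attribute: str
    operation: str
    value: str

    def holds(self, launch: dict) -> bool:
        actual = launch[self.attribute]
        if self.operation in REGEX_OPS:
            # Assumption: "matches" is an unanchored ECMAScript-style regex
            # search; the guide does not state the anchoring.
            hit = re.search(self.value, actual) is not None
            return hit if self.operation == "matches" else not hit
        # Assumption: string comparisons ignore case, as Windows names do.
        hit = actual.lower() == self.value.lower()
        return hit if self.operation == "equals" else not hit


@dataclass(frozen=True)
class Rule:
    ruletype: str                      # allow, block or monitor
    processname: str
    conditions: Tuple[Condition, ...]  # joined with AND

    def applies(self, launch: dict) -> bool:
        return (launch["process"].lower() == self.processname.lower()
                and all(c.holds(launch) for c in self.conditions))


def parse_rule(spec: str) -> Rule:
    """Parse the arguments of 'sadmin ruleengine add <spec>' into a Rule."""
    lex = shlex.shlex(spec, posix=True)
    lex.whitespace_split = True
    lex.escape = ""          # keep Windows backslashes literal
    lex.commenters = ""
    tokens = list(lex)
    if len(tokens) < 5:
        raise ValueError("expected <ruletype> <processname> <attr> <op> <value> [AND ...]")
    ruletype, processname, rest = tokens[0], tokens[1], tokens[2:]
    if ruletype not in ("allow", "block", "monitor"):
        raise ValueError(f"unknown rule type {ruletype!r}")
    conditions = []
    while rest:
        if len(rest) < 3:
            raise ValueError("incomplete condition after AND")
        attr, op, value, *rest = rest
        if attr not in ATTRIBUTES or op not in REGEX_OPS | STRING_OPS:
            raise ValueError(f"bad condition {attr} {op}")
        if op in REGEX_OPS and attr != "command_line":
            raise ValueError("matches/notmatches are only supported on command_line")
        conditions.append(Condition(attr, op, value))
        if rest:
            if rest[0] != "AND":
                raise ValueError("conditions must be joined with AND")
            rest = rest[1:]
    return Rule(ruletype, processname, tuple(conditions))


def evaluate(rules: List[Rule], launch: dict, mode: str) -> Tuple[bool, Optional[str]]:
    """Decide one process launch. Assumption: the first rule whose conditions
    all hold decides; if no rule applies, the launch is allowed silently."""
    for rule in rules:
        if rule.applies(launch):
            return OUTCOME[(rule.ruletype, mode)]
    return (True, None)


# The guide's example rule, and constructed sample launches (not real telemetry).
RULE = parse_rule('block powershell.exe command_line matches .*iex* AND user equals "user1"')
BASE = {"process": "powershell.exe", "parent_process_name": "explorer.exe",
        "path": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"}
IEX_BY_USER1 = dict(BASE, user="user1", command_line='powershell.exe -Command "iex $script"')
IEX_BY_USER2 = dict(IEX_BY_USER1, user="user2")            # user condition fails
SCRIPT_BY_USER1 = dict(IEX_BY_USER1, command_line="powershell.exe -File backup.ps1")
# The guide's pattern .*iex* also matches any command line containing "ie", so this
# benign launch is caught too: test a pattern with a monitor rule before blocking.
POLICIES_BY_USER1 = dict(IEX_BY_USER1, command_line="powershell.exe -Command Get-Content policies.txt")

if __name__ == "__main__":
    for name, launch in [("iex/user1", IEX_BY_USER1), ("iex/user2", IEX_BY_USER2),
                         ("script/user1", SCRIPT_BY_USER1), ("policies/user1", POLICIES_BY_USER1)]:
        for mode in ("Enabled", "Update"):
            print(f"{name:15} {mode:8} -> {evaluate([RULE], launch, mode)}")
```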

Remove attribute-based rules

You can remove attribute-based rules defined on the system.

1 Remove one rule with the attribute type command_line:

    sadmin ruleengine remove <ruletype> processname command_line <operation> <REGEX/STRING>

This table describes the command's tokens and their functionality.

| Token | Possible values | Description |
|---|---|---|
| Ruletype | allow, block, monitor | Identifies the rule to remove as an allow, block, or monitor rule. |
| Attributetype | command_line | The command-line arguments with which a process is started. The rule engine evaluates the attribute-based rule against them. |
| Operation | matches, notmatches, equals, notequals | The comparison applied to the attribute of the process. Only matches and notmatches support REGEX; equals and notequals compare a string. |
| REGEX | A regular expression | A regular expression or a string of characters, written in the grammar defined by ECMAScript. |
| STRING | Any characters | A string of characters. |

2 Remove one rule with the attribute type parent_process_name, path, or user:

    sadmin ruleengine remove <ruletype> processname <attributetype> <operation> STRING

This table describes the command's tokens and their functionality.

| Token | Possible values | Description |
|---|---|---|
| Ruletype | allow, block, monitor | Identifies the rule to remove as an allow, block, or monitor rule. |
| Attributetype | user, parent_process_name, path | The attribute type on which the rule engine evaluates the attribute-based rule. |
| Operation | equals, notequals | The comparison applied to the attribute of the process. |
| STRING | Any characters | A string of characters. |

You can use multiple attributes when removing attribute-based rules. Use AND as the connector when the rule is based on two or more attribute types. For example, this command removes the rule that prevents user1 from running powershell.exe with a command line matching the regular expression .*iex*:

    sadmin ruleengine remove block powershell.exe command_line matches .*iex* AND user equals "user1"

3 Remove (flush) all attribute-based rules defined on the system:

    sadmin ruleengine flush

View all attribute-based rules

You can view all attribute-based rules defined on the system. Run this command at the command prompt:

    sadmin ruleengine list

This command lists all the rules added on the system.


3 Memory-protection techniques

Memory-protection techniques prevent or thwart malware execution and unauthorized attempts to gain control of a system through buffer overflow. Application Control offers multiple memory-protection techniques to prevent zero-day attacks and protect the integrity of running process executables and DLLs. These techniques complement the protection offered by Windows security features and by signature-based buffer overflow protection products. They are available on all supported Windows operating systems.

At a high level, the memory-protection techniques prevent two kinds of exploits:

Buffer overflow followed by direct code execution.
Buffer overflow followed by indirect code execution using Return-Oriented Programming (ROP).

For a detailed and updated list of the exploits prevented by the memory-protection techniques, subscribe to McAfee Threat Intelligence Services (MTIS) security advisories.

The following descriptions cover each memory-protection technique with its supported operating systems, default state, and event.

CASP: Critical Address Space Protection (mp-casp)

Description: CASP is a memory-protection technique that renders useless any shellcode running from a non-code area. Such shellcode is an abnormal event that usually results from a buffer overflow. CASP allows code to execute from a non-code area but prevents that code from invoking any meaningful API call, such as CreateProcess() and DeleteFile(). Any meaningful exploit code needs to invoke at least one of these APIs; because CASP blocks them, the exploit fails to do any damage. CASP protects all processes running on your Windows system except those already protected by the Windows protection feature. CASP is identified as mp-casp in the features list; use the sadmin features command to view the identifiers of the supported features. You can bypass or enforce CASP on executables, and you can list or flush the executables that CASP bypasses.

Supported operating systems: 32-bit and 64-bit Windows Server 2008, Windows 7, Windows Embedded 7, Windows 8, Windows Embedded 8, Windows 8.1, Windows Embedded 8.1, Windows 10, and Windows 10 IoT Enterprise

Default state: Enabled

Event generated: PROCESS_HIJACK_ATTEMPTED

NX: No Execute (mp-nx)

Description: The NX feature uses the Windows Data Execution Prevention (DEP) feature to protect processes against exploits that try to execute code from a writable memory area (stack or heap). MP-NX also provides granular bypass capability and raises violation events that can be viewed in the Windows Event Viewer console. Windows DEP prevents code from being run from a non-executable memory region; this abnormal event mostly occurs because of a buffer overflow, where the exploit attempts to execute code from such a region. NX is identified as mp-nx in the features list; use the sadmin features command to view the identifiers of the supported features. NX applies to 64-bit and 32-bit processes. You can list or flush the executables that NX bypasses.

Supported operating systems: 64-bit Windows Server 2008, Windows Server 2008 R2, Windows 7, Windows Embedded 7, Windows 8, Windows Embedded 8, Windows 8.1, Windows Embedded 8.1, Windows 10, Windows 10 IoT Enterprise, Windows Server 2012, Windows Server 2012 R2, and Windows Server. This feature is not available on the IA64 architecture.

Default state: Enabled

Event generated: NX_VIOLATION_DETECTED

Forced DLL Relocation (mp-vasr-forced-relocation)

Description: This feature forces relocation of dynamic-link libraries (DLLs) that have opted out of the native Windows ASLR feature. Some malware relies on these DLLs always being loaded at the same, known addresses; relocating such DLLs defeats these attacks. Forced DLL Relocation is identified as mp-vasr-forced-relocation in the features list; use the sadmin features command to view all identifiers of the supported features. You can bypass or enforce Forced DLL Relocation on executables, list or flush the executables that it bypasses, and bypass a DLL module that is loaded for a specified process.

Supported operating systems: 32-bit and 64-bit Windows Server 2008, Windows Server 2008 R2, Windows 7, Windows Embedded 7, Windows 8, Windows Embedded 8, Windows 8.1, Windows Embedded 8.1, Windows 10, Windows 10 IoT Enterprise, Windows Server 2012, and Windows Server 2012 R2

Default state: Enabled

Event generated: VASR_VIOLATION_DETECTED

Occasionally, some applications (as part of their day-to-day processing) might run code in an atypical way and be prevented from running by the memory-protection techniques.

Contents
Configuring CASP
Configuring bypassing rules for NX
Configuring Forced DLL Relocation

Configuring CASP

CASP is a memory-protection technique that renders useless any shellcode running from a non-code area. Such shellcode is an abnormal event that usually results from a buffer overflow. CASP allows code to execute from a non-code area but prevents that code from invoking any meaningful API call. To control which executables are protected against code in a non-code area making API calls, configure rules to add executables to CASP.

| Action | Syntax | Description |
|---|---|---|
| Bypass executables from CASP. | sadmin attr add -c <filename1 ... filenameN> | Specify one or more executables where CASP must be bypassed. For example, sadmin attr add -c alg.exe |
| Remove executables from CASP bypass. | sadmin attr remove -c <filename1 ... filenameN> | Specify one or more executables to remove from CASP bypass; in effect, CASP is enforced. For example, sadmin attr remove -c alg.exe |
| List the executables that CASP bypasses. | sadmin attr list -c | Lists all executables that CASP bypasses. |
| Flush the CASP bypass rules from all executables. | sadmin attr flush -c | Removes the CASP bypass rules from all executables. |

Configuring bypassing rules for NX

The NX feature uses the Windows Data Execution Prevention (DEP) feature to protect processes against exploits that try to execute code from a writable memory area (stack or heap). MP-NX also provides granular bypass capability and raises violation events that can be viewed in the Windows Event Viewer console. To protect processes against exploits that try to execute code from a writable memory area, configure rules to add executables to NX. This technique prevents code from being run from a non-executable memory region.

| Action | Syntax | Description |
|---|---|---|
| Bypass executables from NX. | sadmin attr add -n <filename1 ... filenameN> | Specify one or more executables where NX must be bypassed. For example, sadmin attr add -n alg.exe |
| Bypass an executable and its child processes from NX. | sadmin attr add -n -y <filename1 ... filenameN> | Specify an executable where NX must be bypassed, including its child processes. You can specify the -y option only with the -n option. For example, sadmin attr add -n -y alg.exe |
| Remove executables from NX bypass. | sadmin attr remove -n <filename1 ... filenameN> | Specify one or more executables to remove from NX bypass; in effect, NX is enforced. For example, sadmin attr remove -n alg.exe |
| List the executables that are bypassed from NX. | sadmin attr list -n | Lists all executables that NX bypasses. |
| Flush NX bypass rules from all executables. | sadmin attr flush -n | Removes the NX bypass rules from all executables. |

Configuring Forced DLL Relocation

This feature forces relocation of dynamic-link libraries (DLLs) that have opted out of the native Windows ASLR feature. Some malware relies on these DLLs always being loaded at the same, known addresses; relocating such DLLs defeats these attacks. Configure rules to add one or more executables to Forced DLL Relocation.

| Action | Syntax | Description |
|---|---|---|
| Bypass executables from Forced DLL Relocation. | sadmin attr add -v <filename1 ... filenameN> | Specify one or more protected components where you bypass Forced DLL Relocation. For example, sadmin attr add -v AcroRD32.exe |
| Enforce Forced DLL Relocation on executables. | sadmin attr remove -v <filename1 ... filenameN> | Specify one or more components where you enforce Forced DLL Relocation. For example, sadmin attr remove -v AcroRD32.exe |
| List the executables that Forced DLL Relocation bypasses. | sadmin attr list -v | Lists all components that Forced DLL Relocation bypasses. |
| Flush Forced DLL Relocation rules from all executables. | sadmin attr flush -v | Removes Forced DLL Relocation rules from all executables. |
| Bypass a DLL module that is loaded for a specific process. | sadmin attr add -o module=<dllmodulename> -v <processname> | Bypasses the named DLL module for a process. For example, sadmin attr add -o module=wuauserv.dll -v svchost.exe |

4 Maintain your systems

Contents
View product status and version
Managing the whitelist
Advanced exclusion filters (AEFs)
Managing product features
Package Control
Making emergency changes
Enable or disable password protection
Configuring log files
Disable Application Control

View product status and version

You can view the Application Control status for product status details, such as the operational mode, the operational mode after restart, and the whitelist status. You can also view the software version for details of the installed product and the copyright information.

1 View the Application Control status:

    sadmin status [volume]

Include [volume] to view the details of a single volume. A message similar to this example displays the system details:

    McAfee Solidifier: Disabled
    McAfee Solidifier on reboot: Disabled
    epo Managed: No
    Local CLI access: Recovered
    [fstype] [status] [driver status] [volume]
    * NTFS Solidified Unattached C:\

The following table describes the fields and their meaning.

| Status detail | Description |
|---|---|
| McAfee Solidifier | The operational mode of Application Control. |
| McAfee Solidifier on reboot | The operational mode of Application Control after a system restart. |
| McAfee epo Managed | The connectivity status of Application Control with McAfee epo. In a standalone configuration of the product, this status is No. |
| Local CLI access | The lockdown or recovered status of the local CLI. In a standalone configuration of the product, this status is Recovered. |
| fstype | The supported file system of a volume. |
| status | The current whitelist status for all supported volumes on the system. If a volume name is specified, only the whitelist status for that volume is displayed. |
| driver status | Whether the Application Control driver is loaded on a volume. If the driver is loaded on the volume, the status is attached; otherwise it is unattached. |
| volume | The volume names. |

2 View the version and copyright details of Application Control installed on the system:

    sadmin version

Managing the whitelist

An important part of system maintenance is managing the whitelist. You can perform various tasks to manage the whitelist.

Whitelist thread priority

The whitelist thread priority (SoPriority) determines the system resources used and the time required to create the whitelist. You can configure the whitelist thread priority before creating the initial whitelist. By default, the thread runs at low priority (value 0); if you do not specify the thread priority, Application Control uses the default priority to create the whitelist.

    sadmin config set SoPriority=<value>

The SoPriority value you specify is based on your preference. This table describes the values you can specify.

| Value | Priority | Advantages and disadvantages |
|---|---|---|
| 0 | Low (Recommended) | Takes more time to create the whitelist but causes minimal performance impact on the system. |
| 1 | Medium | N/A |
| 2 | High | Takes less time but uses more system resources and can cause a performance impact on the system. |
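The sadmin status output shown earlier in this section is plain text. As an added example (not McAfee code), this Python parses that format from a constructed sample modelled on the guide's output and flags the states a monitoring job should alert on: a mode other than Enabled, a mode that changes after restart, a volume that is not Solidified, and a volume whose driver is not attached.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample, modelled on the 'sadmin status' output shown in this guide.
SAMPLE_STATUS = """\
McAfee Solidifier: Disabled
McAfee Solidifier on reboot: Disabled
epo Managed: No
Local CLI access: Recovered
[fstype] [status] [driver status] [volume]
* NTFS Solidified Unattached C:\\
"""

# One row of the volume table: optional marker, fstype, status, driver status, volume.
VOLUME_LINE = re.compile(r"^\*?\s*(\S+)\s+(\S+)\s+(\S+)\s+(.+?)\s*$")


@dataclass
class VolumeStatus:
    fstype: str
    status: str          # whitelist status of the volume, e.g. Solidified
    driver_status: str   # Attached or Unattached
    volume: str


@dataclass
class ProductStatus:
    fields: Dict[str, str] = field(default_factory=dict)
    volumes: List[VolumeStatus] = field(default_factory=list)

    @property
    def mode(self) -> str:
        return self.fields.get("McAfee Solidifier", "")

    @property
    def mode_on_reboot(self) -> str:
        return self.fields.get("McAfee Solidifier on reboot", "")


def parse_status(text: str) -> ProductStatus:
    """Parse 'sadmin status' output: 'key: value' lines, then the volume table."""
    result = ProductStatus()
    in_table = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[fstype]"):
            in_table = True          # header row of the volume table
            continue
        if in_table:
            m = VOLUME_LINE.match(line)
            if not m:
                raise ValueError(f"unparsable volume line: {raw!r}")
            result.volumes.append(VolumeStatus(*m.groups()))
        elif ":" in line:
            key, _, value = line.partition(":")
            result.fields[key.strip()] = value.strip()
        else:
            raise ValueError(f"unexpected line: {raw!r}")
    return result


def health_issues(status: ProductStatus) -> List[str]:
    """Conditions worth an alert: the whitelist is enforced only in Enabled
    mode, and only on volumes that are solidified with the driver attached."""
    issues = []
    if status.mode != "Enabled":
        issues.append(f"Application Control mode is {status.mode}, not Enabled: whitelist is not enforced")
    if status.mode_on_reboot != status.mode:
        issues.append(f"mode changes to {status.mode_on_reboot} after restart")
    for vol in status.volumes:
        if vol.status != "Solidified":
            issues.append(f"volume {vol.volume} is {vol.status}, not Solidified")
        if vol.driver_status.lower() != "attached":
            issues.append(f"driver {vol.driver_status.lower()} on volume {vol.volume}")
    return issues


if __name__ == "__main__":
    parsed = parse_status(SAMPLE_STATUS)
    for issue in health_issues(parsed) or ["no issues"]:
        print(issue)
```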
Adding and removing executables

You can add new components to the initial whitelist to allow their execution on a protected system. If needed, you can also remove components from the whitelist. Specify the components as file names, directory names, or volume names.

Do not remove a system drive or volume from the whitelist. This causes a blue screen or system failure.

| Action | Command syntax | Description |
|---|---|---|
| Add components to the whitelist. | sadmin so [<arguments>] <components> | After the initial whitelist is created, execution is blocked for components that are not included in the whitelist. If needed, add more components to the whitelist. |
| Remove all components from the whitelist. | sadmin unso | Removes all components from the whitelist. When you remove components, they are no longer allowed to execute. |
| Remove selected components from the whitelist. | sadmin unso [<arguments>] <components> | Specify the components that you want to remove from the whitelist. |

You can add or remove components from the whitelist as described in this table.

| Component | Add | Remove |
|---|---|---|
| File name | Add files to the whitelist. For example, sadmin solidify filename1 ... filenameN | Remove files from the whitelist. For example, sadmin unsolidify filename1 ... filenameN |
| Directory name | Add all supported files under the specified directories to the whitelist. For example, sadmin solidify directoryname1 ... directorynameN | Remove all supported files in one or more directories from the whitelist. For example, sadmin unsolidify directoryname1 ... directorynameN |
| Volume name | Add all supported files (recursively) under the specified system volumes to the whitelist. For example, sadmin solidify volumename1 ... volumenameN | Remove all supported files in one or more system volumes from the whitelist. For example, sadmin unsolidify volumename1 ... volumenameN |

Optionally, you can specify supported arguments with the command:

    sadmin solidify [-q | -v] filename1 ... filenameN | directoryname1 ... directorynameN | volumename1 ... volumenameN
    sadmin unsolidify [-v] filename1 ... filenameN | directoryname1 ... directorynameN | volumename1 ... volumenameN

The -q argument displays only error messages. The -v argument displays all messages.
Viewing components added to the whitelist

You can view lists of all whitelisted and non-whitelisted files, directories, and drives/volumes on the system.

| Action | Command syntax | Description |
|---|---|---|
| List all whitelisted components. | sadmin ls | Lists all whitelisted components. You can specify the names of files, directories, and drives/volumes to narrow the results. |
| List all non-whitelisted components. | sadmin lu | Lists all non-whitelisted components. You can specify the names of files, directories, and drives/volumes to narrow the results. |

You can narrow the results by specifying components as described in this table.

| Component | Whitelisted | Non-whitelisted |
|---|---|---|
| File name | Lists the whitelisted files from the specified set of files. If only one file name is specified, the file is shown only if it is whitelisted. For example, sadmin list-solidified filename1 ... filenameN | Lists the non-whitelisted files from the specified set of files. If only one file name is specified, the file is shown only if it is non-whitelisted. For example, sadmin list-unsolidified filename1 ... filenameN |
| Directory name | Lists all whitelisted files in the specified directories. For example, sadmin list-solidified directoryname1 ... directorynameN | Lists all non-whitelisted files in the specified directories. For example, sadmin list-unsolidified directoryname1 ... directorynameN |
| Volume name | Lists all whitelisted files in the specified drives/volumes. For example, sadmin list-solidified volumename1 ... volumenameN | Lists all non-whitelisted files in the specified volumes. For example, sadmin list-unsolidified volumename1 ... volumenameN |

To list details about the files, such as file type, file path, and file checksum, add the -l argument:

    sadmin list-solidified [-l] filename1 ... filenameN | directoryname1 ... directorynameN | volumename1 ... volumenameN

Checking and updating the status of whitelisted components

You can compare the current status and checksum values of whitelisted files, directories, and volumes with the status and values stored in the whitelist. If they are not current, you can update the whitelist and fix the inconsistencies. If components in the whitelist are changed or removed and the whitelist is not updated, Application Control blocks the execution of these components; this is an inconsistency in the whitelist.

Run this command to check the status of whitelisted components:

    sadmin check [-r] file | directory | volume

You can narrow the results by specifying the names of files, directories, and drives/volumes with this command.

Also, you can specify the -r argument. This argument fixes inconsistencies by updating the whitelist with the latest checksum values of the components, and adds the components to the whitelist if they are not already present. If you do not specify a component, inconsistencies on all supported drives/volumes are fixed.

Advanced exclusion filters (AEFs)

You can use a combination of conditions to define advanced filters that exclude the reporting of changes. For example, you might want to monitor the changes made to the tomcat.log file by all programs except the tomcat.exe program. To achieve this, define an advanced filter that excludes all changes made to the log file by tomcat.exe, so that you receive events only when the log file is changed by other (non-owner) programs. In this case, the filter is equivalent to: exclude all events where the file name is <log-file> and the program name is <owner-program>.

Use AEFs to prune routine system-generated change events that are not relevant to your monitoring or auditing needs. Several applications, particularly web browsers, keep their application state in registry keys and update several of them regularly. For example, the ESENT setting is routinely changed by the Windows Explorer application and generates the Registry Key Modified event. These state changes are regular and don't need to be monitored or reported. Defining AEFs eliminates events that are not needed for compliance and ensures that the event list includes only meaningful notifications.

Adding or removing AEFs

You can limit the notifications you receive by adding an advanced filter that excludes changes made to specified components. You can also remove AEFs to include the previously excluded notifications. After removing the AEFs, you receive events for all changes made to the components that were excluded; this also returns non-meaningful events to the events list.

| Action | Command syntax |
|---|---|
| Add AEFs | sadmin aef add [component <condition> value] |
| Remove one or multiple AEFs | sadmin aef remove [component <condition> value] |
| Remove all AEFs | sadmin aef flush |

Specify the component, condition, and value with this command.

| Component | Value | Add AEFs | Remove AEFs |
|---|---|---|---|
| File | File path | sadmin aef add [file <condition> PATH] | sadmin aef remove [file <condition> PATH] |
| Registry key | Registry path | sadmin aef add [reg <condition> PATH] | sadmin aef remove [reg <condition> PATH] |
| Process | Process path | sadmin aef add [process <condition> PATH] | sadmin aef remove [process <condition> PATH] |
| User | User name | sadmin aef add [user <condition> USER-NAME] | sadmin aef remove [user <condition> USER-NAME] |
| Event | Event name | sadmin aef add [event equals EVENT_NAME] | sadmin aef remove [event equals EVENT_NAME] |
| Multiple components | Supported values for the specified components | Specify the and operator to include multiple components in the filter rule. For example: sadmin aef add [file <condition> PATH] and [reg <condition> PATH] and [process <condition> PATH] and [user <condition> USER-NAME] and [event equals EVENT_NAME] | sadmin aef remove [file <condition> PATH] and [reg <condition> PATH] and [process <condition> PATH] and [user <condition> USER-NAME] and [event equals EVENT_NAME] |

You can specify one or more conditions with the components to add AEFs. The filter rule is based on the specified conditions.

| Condition | Add AEFs | Remove AEFs |
|---|---|---|
| equals | Add all components with the specified name. Only this condition is valid for adding events as AEFs. For example: sadmin aef add file equals C:\Program Files\Microsoft Download Manager\MSDownloadManager.exe | Remove all components with the specified name. For example: sadmin aef remove file equals C:\Program Files\Microsoft Download Manager\MSDownloadManager.exe |
| begins | Add all components whose paths begin with the specified characters. For example: sadmin aef add file begins C:\Program Files\Adobe | Remove all components whose paths begin with the specified characters. For example: sadmin aef remove file begins C:\Program Files\Adobe |

| Condition | Add AEFs | Remove AEFs |
|---|---|---|
| ends | Add all components whose paths end with the specified characters. For example: sadmin aef add file ends rtf | Remove all components whose paths end with the specified characters. For example: sadmin aef remove file ends rtf |
| contains | Add all components whose paths contain the specified characters. For example: sadmin aef add process contains svchost.exe | Remove all components whose paths contain the specified characters. For example: sadmin aef remove process contains svchost.exe |
| doesnt_contain | Add all components whose paths do not contain the specified characters. For example: sadmin aef add reg doesnt_contain CurrentControlSet | Remove all components whose paths do not contain the specified characters. For example: sadmin aef remove reg doesnt_contain CurrentControlSet |

You can list all added AEFs with their conditions:

    sadmin aef list

Managing product features

When Application Control is installed on a system, the product features are in their default state, which is critical to protecting your system. You might need to change the default state of one or more features to allow configuration changes.

Reviewing the features

You can review the list of all Application Control features and check their status (enabled or disabled) on your system:

    sadmin features list

The following features list is restricted to the features that require changes regularly.

| Feature | Description | Default status |
|---|---|---|
| activex | Installs and runs ActiveX controls on the protected system. Only the Internet Explorer browser is supported for ActiveX control installations. Simultaneous installation of ActiveX controls using multiple tabs of Internet Explorer is not supported. | Enabled |
| checksum | Compares the checksum of the file to be executed with the checksum stored in the whitelist. | Enabled |
| deny-read | Read-protects the specified components. When this feature is applied to components, they can't be read. Read protection works only when the software is running in Enabled mode. | Disabled |
| deny-write | Write-protects the specified components. When this feature is applied to components, they are rendered read-only to protect your data. | Enabled |

| Feature | Description | Default status |
|---|---|---|
| discover-updaters | Generates a list of potential updaters that can be included in the system. When running in Enabled mode, the software protection might prevent a legitimate application from executing (if rules are not defined). This feature tracks all failed attempts by authorized executables to change protected files or run other files, and generates a list of possible updaters. | Enabled |
| execution-control | Defines attribute-based rules using one or more attributes of a process to allow, block, or monitor the process. | Enabled |
| integrity | Protects Application Control files and registry keys from unauthorized tampering. Allows the product code to run even when its components aren't present in the whitelist. This feature ensures that all product components are protected and prevents accidental or malicious removal of components from the whitelist, so that the product doesn't become unusable. In Update mode, it's disabled to facilitate product upgrades. | Enabled |
| mp | Protects running processes from hijacking attempts. Unauthorized code injected into a running process is trapped, halted, and logged. Attempts to gain control of the system through buffer overflow and similar exploits are rendered ineffective. | Enabled |
| mp-casp | Renders useless code that is running from the non-code area, which happens when a buffer overflow is exploited on 32-bit Windows platforms. | Enabled |
| mp-vasr, mp-vasr-forced-relocation | Forces relocation of dynamic-link libraries (DLLs) that have opted out of the native Windows ASLR feature. Some malware relies on these DLLs always being loaded at the same, known addresses. By relocating such DLLs, these attacks are prevented. | Enabled |
| network-tracking | Tracks files over network directories and blocks the execution of scripts over network directories. By default, this feature is enabled and prevents the execution of scripts over network directories. When this feature is disabled, execution of scripts over network directories is allowed; also, write-protecting or read-protecting components over a network directory isn't effective. | Enabled |
| pkg-ctrl | Manages installation and uninstallation of MSI-based and non-MSI-based installers. | Enabled |
| script-auth | Prevents the execution of supported script files that aren't in the whitelist. Only whitelisted script files are allowed to execute on the system. For example, supported script files such as .bat, .cmd, and .vbs (on Windows), and script files starting with #! (hash exclamation point) on supported local file systems (on Linux), are added to the whitelist and are allowed to execute. | Enabled |

Enabling or disabling features

If needed, you can change the default status of a feature by enabling or disabling it. After disabling a feature, the system is no longer protected by that feature. Use caution and consult McAfee Support before enabling or disabling a feature: it can affect the core functionality of the product and might make your system vulnerable to security threats.

49 Maintain your systems Package Control 4 Action Enable a feature. Disable a feature. Command sadmin features enable <featurename> sadmin features disable <featurename> Package Control You can manage the installation and uninstallation of software packages using the Package Control feature. This feature allows or denies installation, uninstallation, and upgrade or repair actions for software packages. It prevents any unauthorized installation and uninstallation. Package Control feature supports these types of installers. MSI installers Includes multiple variants such as.msp,.mst, and.msm. EXE-based installers Includes MSI files embedded with the installer. Non-MSI-based installers Does not include an MSI file embedded with the installer. This feature is identified as pkg-ctrl in the features list. By default, this feature is enabled and allows installation of software packages by adding rules, such as updater and trusted user. When this feature is disabled, software installation and uninstallation are blocked. Package Control includes these subfeatures. Subfeature Allow Uninstallation Bypass Package Control Description Controls uninstallation of software packages. When this feature is enabled, software uninstallation is allowed. By default, this feature is enabled and identified as pkg-ctrl-allow-uninstall in the features list. Controls bypassing from the Package Control feature. When this feature is enabled, Package Control feature is bypassed and software installation and uninstallation is allowed. By default, this feature is disabled and identified as pkg-ctrl-bypass in the features list. Configuring Package Control You can configure Package Control to control the installation and uninstallation of software packages on a system. Use these commands to configure Package Control. Action Command Description Disable the feature. sadmin features disable pkg-ctrl Enable the feature. sadmin features enable pkg-ctrl Configure these Package Control subfeatures. 
When you disable Package Control, all its subfeatures are also disabled. When you enable Package Control, its subfeatures revert to their default state, with one exception: if you enable the Bypass Package Control subfeature, then disable and re-enable Package Control, Bypass Package Control comes back enabled rather than reverting to its default (disabled). After re-enabling Package Control, verify that the bypass subfeature is disabled so that installation control is not left switched off unintentionally.

  Feature                 Default state   Feature configuration
  Allow Uninstallation    Enabled         Disable the feature (prevents uninstallation of software packages on the system):
                                            sadmin features disable pkg-ctrl-allow-uninstall
                                          Enable the feature:
                                            sadmin features enable pkg-ctrl-allow-uninstall
  Bypass Package Control  Disabled        Enable the feature (Package Control is bypassed and you can no longer control the installation and uninstallation of software packages):
                                            sadmin features enable pkg-ctrl-bypass
                                          Disable the feature:
                                            sadmin features disable pkg-ctrl-bypass

Package Control configuration

Based on your requirements, you can configure Package Control and its subfeatures to allow, authorize, or block software installation and to allow or block uninstallation.

By default, the Package Control and Allow Uninstallation features are enabled. Any software can be uninstalled from the system, but software installation is allowed only according to the defined rules: updater by name or path, trusted user, trusted directory, certificate as an updater, or checksum as an updater. Use this default configuration for desktop and System Center Configuration Manager (SCCM)-managed environments. It allows change, repair, remove, and upgrade operations, which is useful in these scenarios:

  Explicit software upgrades.
  Software upgrades through Windows update mechanisms.
  Upgrades of existing software while installing new software packages (chained installations).
  Rollback after a power failure or a restart during installation (a suspended installation). The installer tracks the installation in progress; when it resumes, you can roll back or continue the suspended installation.
If needed, you can also change the default configuration:

  Disable the Allow Uninstallation feature    Prevents uninstallation of software from the system; installation is still allowed according to the defined rules. Use this configuration for fixed-function devices and server environments, for all actions except upgrades. To upgrade software in a server environment, switch back to the default configuration, because this configuration blocks change, repair, remove, and upgrade operations.
  Enable the Bypass Package Control feature   Allows software installation and uninstallation on the system.
  Disable the Package Control feature         Prevents software installation and uninstallation on the system.
  Place the system in Update mode             Allows software installation and uninstallation on the system (see Making emergency changes).

Making emergency changes

Run Application Control in Update mode to perform emergency changes on a protected system.

When the product is in effect, you can allow scheduled or emergency changes to the system, and track the changes made, by running the product in Update mode. Use Update mode to make changes that cannot be made while Application Control is running in Enabled mode. When possible, use these other methods to allow changes instead:

  Trusted users
  Checksum (SHA-1 or SHA-256) values
  Trusted directories
  Updaters
  Trusted certificates

In Enabled mode, if you install new software or add new files, the files aren't added to the whitelist or allowed to execute unless you use a trusted method to add them. But if you install or uninstall software, or add new files, in Update mode, the changes are tracked and added to the whitelist. To approve changes to the system, a change window is defined, during which users and programs can make changes to the system. Because every file added during the window is whitelisted, keep the window as short as possible and close it as soon as the change is complete.

Update mode allows you to perform these tasks:

  Schedule software and patch installations.
  Remove or change software.
  Dynamically update the whitelist.

Memory-protection techniques remain enabled in Update mode, so running programs are still protected against exploitation while the change window is open. From Update mode, you can switch to Enabled or Disabled mode.
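The failure mode to design for with Update mode is an installer that crashes or hangs after the window was opened, leaving the system in Update mode where everything written is whitelisted. The following is an added example, not code from the product guide or from McAfee: it brackets an installer between the documented sadmin bu [workflow-id [comment]] and sadmin eu commands (short forms of begin-update and end-update, listed in Appendix B) so that the window is always closed. It assumes sadmin is on PATH and that workflow IDs follow a change-ticket pattern such as CHG-000123; both are the example's own assumptions.

```python
"""Run an installer inside an Application Control update window.

Added example, not part of the product guide or the product: it wraps the
documented `sadmin bu [workflow-id [comment]]` and `sadmin eu` commands so
that the update window is always closed, even when the installer fails or
crashes. Assumptions (not from the guide): sadmin is on PATH, and workflow
IDs follow a change-ticket pattern such as CHG-000123.
"""
import re
import subprocess
import sys

SADMIN = "sadmin"  # assumption: the CLI is on PATH; use the full path otherwise

# Assumption: the operator's ticket format. Rejecting free-form IDs keeps the
# Workflow Id field of the *_UPDATE events joinable to the ticketing system.
TICKET_RE = re.compile(r"^[A-Z]{2,6}-\d{3,8}$")


def update_window_commands(workflow_id, comment=None):
    """Return the (begin, end) argv lists for the documented commands."""
    if not TICKET_RE.match(workflow_id):
        raise ValueError(f"workflow id {workflow_id!r} is not a change ticket")
    begin = [SADMIN, "bu", workflow_id]
    if comment:
        begin.append(comment)
    return begin, [SADMIN, "eu"]


def run_change(workflow_id, installer_argv, comment=None, runner=subprocess.run):
    """Open the window, run the installer, and always close the window.

    Returns the installer's exit code. `runner` has the signature of
    subprocess.run and is injectable so the sequence can be checked without
    sadmin installed; with the default it really invokes the commands.
    """
    begin, end = update_window_commands(workflow_id, comment)
    runner(begin, check=True)            # sadmin bu <ticket> [comment]
    try:
        result = runner(installer_argv)  # every file it writes is whitelisted
        return result.returncode
    finally:
        runner(end, check=True)          # sadmin eu, even if the installer raised


if __name__ == "__main__":
    if len(sys.argv) < 4:
        sys.exit("usage: change_window.py <ticket> <comment> <installer command...>")
    sys.exit(run_change(sys.argv[1], sys.argv[3:], sys.argv[2]))
```

The installer's own exit code is returned unchanged (for example, a reboot-required status from msiexec) so the calling job can act on it, while the finally clause guarantees sadmin eu runs whether the installer returned, raised, or was killed by a signal that Python can handle. If CLI password protection is enabled, sadmin will prompt for the password at bu and eu; supplying it with -z on the command line works but exposes it to anything that can read process command lines.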

Switch to Update mode

Switch Application Control to Update mode to perform scheduled or emergency changes on a system. If the product is in Enabled or Disabled mode, perform these steps to switch to Update mode.

Run this command at the command prompt:

  sadmin bu [workflow-id [comment]]

Optionally, specify these arguments with the command.

  Attribute     Description
  workflow-id   A workflow ID for the current Update mode session; it can be used as an identifier for a change management or ticketing system. If you don't provide a workflow ID, it is set to an automatically generated string, AUTO_n, where n is a number that is incremented each time an update window is opened.
  comment       A comment that describes the current Update mode session. This information can also be used by a change management or ticketing system.

If Application Control is in Enabled mode, it is switched to Update mode. If Application Control is in Disabled mode, perform one of these extra steps.

  Step                                        Description
  Restart the system.                         When you restart the system, the product is switched to Update mode. Restarting the system is the recommended way to switch to Update mode.
  Restart the Application Control service.    Alternatively, restart the Application Control service to switch to Update mode. But only a limited set of features is enabled after a service restart: key product features, such as memory protection and Script As Updater (SAU), aren't enabled. To enable all features, you must restart the system.

Exit Update mode

Exit Update mode after making scheduled or emergency changes, patch installations, or software updates on your system. Run this command at the command prompt:

  sadmin eu

Enable or disable password protection

You can restrict users from running critical sadmin commands by enabling password protection.
When password protection is enabled, Application Control allows these critical commands to run only when the user enters the correct password. If you do not need password protection, remove the password, which allows users to run all sadmin commands.

Passwords are not stored in clear text; they are hashed with a SHA-2 family algorithm. To protect the password, a random value (a salt) is added to the password before the hash is computed. SHA-512, a member of the SHA-2 family, produces a 512-bit digest, and the per-password salt prevents precomputed (rainbow table) attacks against the stored hash.

To set or change the password:

1 Type the sadmin passwd command. When you set a password, users can no longer run critical commands without providing the correct password; only a limited set of non-critical commands can run without it.
  If you already set a password, Application Control prompts you for it. Type the old password and press Enter. You are then asked to set the new password and to retype it.
  If you didn't set a password earlier, Application Control prompts you to enter a new password. Set the new password and retype it.
2 Press Enter.

To remove the password:

1 Type the sadmin passwd -d command.
2 Press Enter.

You can use the -z switch to prevent the system from prompting for the password. It can be used with all CLI commands, for example sadmin solidify -z <password>. This password is used for unmanaged CLI operation and is different from the McAfee ePO administrator password used for CLI lockdown; see the McAfee Change Control product guide for Windows (for use with McAfee ePO). A password given on the command line with -z may be visible in the command history and to other local processes that can read command lines, so prefer the interactive prompt where possible.

Configuring log files

Application Control generates log messages for all actions and errors related to the product. These messages are stored in log files that are used for troubleshooting. This table describes the types of log files present on the system.

Log file: solidcore.log
  Operating system: Windows Server 2008
  Path: <system drive>\Documents and Settings\All users\Application Data\McAfee\Solidcore\Logs
  Operating system: Linux
  Path: /var/log/mcafee/solidcore/
  Description: After the product is deployed on a system, a log file named solidcore.log is created in the Logs folder (Windows) or the solidcore directory (Linux). This file is also known as debuglog. You can configure the solidcore.log file size and the number of solidcore.log files to keep on the system. Configuring log files applies only to solidcore.log; you can't change the configuration of any other log file.
Log file: s3diag.log (Windows only)
  Operating system: Windows Server 2008
  Path: <system drive>\Documents and Settings\All users\Application Data\McAfee\Solidcore\Logs
  Description: The s3diag.log file stores logs for all operations performed on the supported files.

Log file: Solidcore_Installer.log and solidcore_setup.log (Windows); solidcores3_install_<rel> <build>.log (Linux)
  Operating system: Windows (all supported versions)
  Path: <system drive>\Windows
  Operating system: Linux
  Path: /tmp/solidcores3_install.log or /var/log/mcafee/solidcore/solidcores3_install.log
  Description: Application Control installation logs are stored in this file. If installation fails on the Linux platform, the file is stored at /tmp/solidcores3_install_<rel> <build>.log. If installation succeeds on the Linux platform, the file is stored at /var/log/mcafee/solidcore/solidcores3_install_<rel> <build>.log.

Disable Application Control

Switch to Disabled mode to deactivate the features of Application Control.

1 Type the sadmin disable command.
2 Press Enter.
3 Restart the system.

A  Application Control event list

Application Control-specific events are listed below with the event name, severity, and description. Event names with the suffix _UPDATE indicate events that are generated in Update mode. The numeric Event ID (on systems) and Threat event ID (on McAfee ePO) values of the original table are not included in this copy.

PROCESS_TERMINATED (Major)
  McAfee Solidifier prevented an attempt to hijack the process <string> (Process Id: <string>, User: <string>), by illegally calling the API '<string>'. The process was terminated

WRITE_DENIED (Major)
  McAfee Solidifier prevented an attempt to change file <string> by process/script <string> (sha1: <string>, md5: <string>, sha256: <string> ) (Process Id: <string>, User: <string>)

EXECUTION_DENIED (Major)
  McAfee Solidifier prevented unauthorized execution of '<string>' (sha1: <string>, md5: <string>, sha256: <string>, File Type: <string>) by process <string> (Process Id:<string>, User: <string>) whose parent is process <string>, deny_reason : <string> (deny reason code: <string>) reputation score: <string>

PROCESS_TERMINATED_UNAUTH_SYSCALL (Major)
  McAfee Solidifier prevented process <string>, run by <string>, from making unauthorized syscall %d (return address %d). The process was terminated

PROCESS_TERMINATED_UNAUTH_API (Major)
  McAfee Solidifier prevented process <string>, run by <string>, from making unauthorized access to API <string> (return address <string>). The process was terminated

REG_VALUE_WRITE_DENIED (Major)
  McAfee Solidifier prevented an attempt to change Registry key '<string>' with value '<string>' by process <string> (Process Id: <string>, User: <string>)

REG_KEY_WRITE_DENIED (Major)
  McAfee Solidifier prevented an attempt to change Registry key '<string>' by process <string> (Process Id: <string>, User: <string>)

REG_KEY_CREATED_UPDATE (Info)
  McAfee Solidifier detected creation of registry key '<string>' by program <string> (User: <string>, Workflow Id: <string>)

REG_KEY_DELETED_UPDATE (Info)
  McAfee Solidifier detected deletion of registry key '<string>' by program <string> (User: <string>, Workflow Id: <string>)

REG_VALUE_DELETED_UPDATE (Info)
  McAfee Solidifier detected deletion of registry value '<string>' under key '<string>' by program <string> (User: <string>, Workflow Id: <string>)

OWNER_MODIFIED_UPDATE (Info)
  McAfee Solidifier detected modification to OWNER of '<string>' by program <string> (User: <string>, Workflow Id: <string>)

PROCESS_HIJACKED (Major)
  McAfee Solidifier detected an attempt to exploit process <string> (sha1: <string>, md5: <string>, sha256: <string>) from address <string>

INVENTORY_CORRUPT (Critical)
  McAfee Solidifier detected that its internal inventory for the volume <string> is corrupt

FILE_CREATED_UPDATE (Info)
  McAfee Solidifier detected creation of '<string>' by program <string> (User: <string>, Original User: <string>, Workflow Id: <string>)

FILE_DELETED_UPDATE (Info)
  McAfee Solidifier detected deletion of '<string>' by program <string> (User: <string>, Original User: <string>, Workflow Id: <string>)

FILE_MODIFIED_UPDATE (Info)
  McAfee Solidifier detected modification of '<string>' by program <string> (User: <string>, Original User: <string>, Workflow Id: <string>)

FILE_RENAMED_UPDATE (Info)
  McAfee Solidifier detected renaming of '<string>' to '<string>' by program <string> (User: <string>, Original User: <string>, Workflow Id: <string>)

FILE_SOLIDIFIED (Info)
  '<string>' was solidified, which was created by program <string> (User: <string>, Workflow Id: <string>)

FILE_UNSOLIDIFIED (Info)
  '<string>' was unsolidified, which was deleted by program <string> (User: <string>, Workflow Id: <string>)

READ_DENIED (Major)
  McAfee Solidifier prevented an attempt to read file '<string>' by process <string> (Process Id: <string>, User: <string>)

PKG_MODIFICATION_PREVENTED (Critical)
  McAfee Solidifier prevented package modification by '<string>' (sha1: <string>, md5: <string>, sha256: <string>) by user: '<string>'

PKG_MODIFICATION_ALLOWED_UPDATE (Info)
  McAfee Solidifier allowed package modification by '<string>' (sha1: <string>, md5: <string>, sha256: <string>) by user: '<string>'. (Workflow Id: <string>)

PKG_MODIFICATION_PREVENTED_2 (Critical)
  McAfee Solidifier prevented package modification by '<string>' by user: '<string>'

NX_VIOLATION_DETECTED (Critical)
  McAfee Solidifier prevented an attempt to hijack the process '<string>' (Process Id: '<string>', SHA1: <string>, MD5: <string>, SHA256: <string>, User: '<string>'), by executing code from an address outside of the code pages region. Faulting address '<string>'. The process was terminated

REG_VALUE_MODIFIED_UPDATE (Info)
  McAfee Solidifier detected modification to registry value '<string>' of type '<string>' under key '<string>' by program '<string>' (User: <string>, Workflow Id: <string>), with data: <string>

FILE_READ_UPDATE (Info)
  McAfee Solidifier detected read for '<string>' by program <string> (User: <string>, Original User: <string>, Workflow Id: <string>)

INITIAL_SCAN_TASK_COMPLETED (Info)
  McAfee Solidifier Initial Scan task is complete and Application Control is enforced on the system now

ACTX_ALLOW_INSTALL (Info)
  McAfee Solidifier allowed installation of ActiveX <string> Workflow Id: <string> by user <string>

ACTX_INSTALL_PREVENTED (Major)
  McAfee Solidifier prevented installation of ActiveX <string> Workflow Id: <string> by user <string>

VASR_VIOLATION_DETECTED (Critical)
  McAfee Solidifier prevented an attempt to hijack the process '<string>' (Process Id: '<string>', sha1: <string>, md5: <string>, sha256: <string>, User: '<string>'), by executing code from non-relocatable dll '<string>'. Faulting address <string>. Target address '<string>'

LOCAL_CLI_ACCESS_DISABLED (Major)
  Local CLI has been disabled due to wrong password attempts and it can be recovered after <string> minutes

LOCAL_CLI_RECOVER_SUCCESS (Info)
  Local CLI successfully recovered

LOCAL_CLI_RECOVER_FAILED (Info)
  Failed to recover Local CLI

OBSERVED_FILE_EXECUTION (Info)
  McAfee Solidifier observed start of '<string>' (Process Id: <string>, sha1: <string>, md5: <string>, sha256: <string>, User: <string>, Workflow Id: <mode>: AUTO_2, original_procname: <string>, parent_name = <string>) with command-line: '<string>'

PREVENTED_FILE_EXECUTION (Major)
  McAfee Solidifier blocked start of '<string>' (Process Id: <string>, sha1: <string>, md5: <string>, sha256: <string>, User: <string>, original_procname: <string>, parent_name = <string>) with command-line: '<string>'

INVENTORY_RECOVERED (Critical)
  McAfee Solidifier has detected that the inventory for volume <string> is corrupt. The backup dated <string> is loaded.

INVENTORY_RECOVER_FAILED (Critical)
  McAfee Solidifier has detected that the inventory for volume <string> is corrupt. The backup could not be loaded. Review the system and perform solidification to create the whitelist

BLOCKED_PROCESS_INTERACTIVE_MODE (Critical)
  McAfee Solidifier blocked process <string> in interactive mode. (Process Id: <string>, sha1: <string>, md5: <string>, sha256: <string>, User: <string>, original_procname: <string>, parent_name = <string>).
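The message templates above are what a SOC actually receives, so the useful thing to build from them is a parser that turns a denial into fields (file, hashes, process, user, parent) that can be correlated. The following is an added example, not code from the product guide or from McAfee: it compiles the templates for the denial events, with the product's <string> placeholders, into regular expressions, and groups the parsed EXECUTION_DENIED records for triage. The field names are assigned here, and the sample messages, hash values, paths, users and deny-reason text are constructed for the example rather than captured from a real system.

```python
"""Parse Application Control denial events into structured fields.

Added example, not part of the product guide or the product: the message
templates listed in this appendix are turned into regular expressions so
that denial events from a log feed can be parsed and grouped for triage.
Assumptions: the field names are assigned here; the sample messages, hash
values, paths, users and deny-reason text are constructed for this example
and are not real product output.
"""
import re
from collections import Counter

# (severity, template as printed in the event list, field names in order)
TEMPLATES = {
    "EXECUTION_DENIED": ("Major",
        "McAfee Solidifier prevented unauthorized execution of '<string>' (sha1: <string>, md5: <string>, "
        "sha256: <string>, File Type: <string>) by process <string> (Process Id:<string>, User: <string>) "
        "whose parent is process <string>, deny_reason : <string> (deny reason code: <string>) "
        "reputation score: <string>",
        ["file", "sha1", "md5", "sha256", "file_type", "process", "pid", "user",
         "parent", "deny_reason", "deny_reason_code", "reputation"]),
    "WRITE_DENIED": ("Major",
        "McAfee Solidifier prevented an attempt to change file <string> by process/script <string> "
        "(sha1: <string>, md5: <string>, sha256: <string> ) (Process Id: <string>, User: <string>)",
        ["file", "process", "sha1", "md5", "sha256", "pid", "user"]),
    "READ_DENIED": ("Major",
        "McAfee Solidifier prevented an attempt to read file '<string>' by process <string> "
        "(Process Id: <string>, User: <string>)",
        ["file", "process", "pid", "user"]),
    "REG_KEY_WRITE_DENIED": ("Major",
        "McAfee Solidifier prevented an attempt to change Registry key '<string>' by process <string> "
        "(Process Id: <string>, User: <string>)",
        ["key", "process", "pid", "user"]),
}


def compile_template(template):
    """Escape the literal text, make each <string> a lazy capture group and
    make whitespace around punctuation optional (the list prints both
    'Process Id:<string>' and 'Process Id: <string>')."""
    parts = [re.sub(r"\\? ", r"\\s*", re.escape(p)) for p in template.split("<string>")]
    return re.compile(r"^\s*" + r"(.+?)".join(parts) + r"\s*$")


COMPILED = {name: (sev, compile_template(tpl), fields)
            for name, (sev, tpl, fields) in TEMPLATES.items()}


def parse_event(message):
    """Return a dict with event, severity and the named fields, or None."""
    for name, (severity, regex, fields) in COMPILED.items():
        m = regex.match(message)
        if m:
            record = {"event": name, "severity": severity}
            record.update((f, v.strip()) for f, v in zip(fields, m.groups()))
            return record
    return None


# Paths an unprivileged user can write to; a blocked launch from one of these
# is more likely an intrusion attempt than an unapproved package.
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\", "\\downloads\\")


def triage(messages):
    """Parse a batch of messages. Returns the EXECUTION_DENIED records whose
    file lives under a user-writable path, and a count per sha256 so one
    binary blocked repeatedly (or on many hosts) stands out."""
    hits, by_hash = [], Counter()
    for message in messages:
        rec = parse_event(message)
        if rec is None or rec["event"] != "EXECUTION_DENIED":
            continue
        by_hash[rec["sha256"]] += 1
        if any(p in rec["file"].lower() for p in USER_WRITABLE):
            hits.append(rec)
    return hits, by_hash


def _exec_denied(path, sha256, pid, user):
    """Constructed EXECUTION_DENIED message (not real product output)."""
    return (f"McAfee Solidifier prevented unauthorized execution of '{path}' (sha1: {'1' * 40}, "
            f"md5: {'2' * 32}, sha256: {sha256}, File Type: PE) by process C:\\Windows\\explorer.exe "
            f"(Process Id: {pid}, User: {user}) whose parent is process C:\\Windows\\System32\\userinit.exe, "
            "deny_reason : not in whitelist (deny reason code: 1) reputation score: 50")


SAMPLE_MESSAGES = [  # constructed for this example
    _exec_denied("C:\\Users\\alice\\Downloads\\setup.exe", "3" * 64, 4120, "CORP\\alice"),
    _exec_denied("C:\\Program Files\\Vendor\\setup.exe", "3" * 64, 5001, "CORP\\bob"),
    "McAfee Solidifier prevented an attempt to change file C:\\Windows\\System32\\drivers\\etc\\hosts "
    f"by process/script C:\\Windows\\System32\\cmd.exe (sha1: {'4' * 40}, md5: {'5' * 32}, "
    f"sha256: {'6' * 64} ) (Process Id: 980, User: CORP\\alice)",
    "Unrelated line that does not match any template",
]

if __name__ == "__main__":
    hits, by_hash = triage(SAMPLE_MESSAGES)
    for rec in hits:
        print(f"{rec['severity']} {rec['event']}: {rec['user']} ran {rec['file']} ({rec['sha256'][:12]}...)")
    for digest, n in by_hash.most_common():
        print(f"{n}x blocked sha256 {digest[:12]}...")
```

The lazy (.+?) groups rely on the literal text between placeholders to delimit each field, which works for these templates because the separators (", md5:", "(Process Id:", "whose parent is process") do not occur inside file paths or user names. Adding another event from the list is a matter of copying its template and naming its placeholders in order.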


B  Command short forms

You can use the short forms of the Application Control commands. The long and short forms are interchangeable.

  Command                    Short form
  sadmin write-protect       sadmin wp
  sadmin write-protect-reg   sadmin wpr
  sadmin read-protect        sadmin rp
  sadmin solidify            sadmin so
  sadmin unsolidify          sadmin unso
  sadmin list-solidified     sadmin ls
  sadmin list-unsolidified   sadmin lu
  sadmin begin-update        sadmin bu
  sadmin end-update          sadmin eu


More information

Product Guide. McAfee Web Gateway Cloud Service

Product Guide. McAfee Web Gateway Cloud Service Product Guide McAfee Web Gateway Cloud Service COPYRIGHT Copyright 2017 McAfee, LLC TRADEMARK ATTRIBUTIONS McAfee and the McAfee logo, McAfee Active Protection, epolicy Orchestrator, McAfee epo, McAfee

More information

McAfee epolicy Orchestrator Software

McAfee epolicy Orchestrator Software User Guide McAfee epolicy Orchestrator 5.3.0 Software COPYRIGHT Copyright 2014 McAfee, Inc. Do not copy without permission. TRADEMARK ATTRIBUTIONS McAfee, the McAfee logo, McAfee Active Protection, McAfee

More information

McAfee Drive Encryption Client Transfer Migration Guide. (McAfee epolicy Orchestrator)

McAfee Drive Encryption Client Transfer Migration Guide. (McAfee epolicy Orchestrator) McAfee Drive Encryption 7.2.5 Client Transfer Migration Guide (McAfee epolicy Orchestrator) COPYRIGHT Copyright 2018 McAfee, LLC TRADEMARK ATTRIBUTIONS McAfee and the McAfee logo, McAfee Active Protection,

More information

Product Guide Revision B. McAfee Cloud Workload Security 5.0.0

Product Guide Revision B. McAfee Cloud Workload Security 5.0.0 Product Guide Revision B McAfee Cloud Workload Security 5.0.0 COPYRIGHT Copyright 2018 McAfee, LLC TRADEMARK ATTRIBUTIONS McAfee and the McAfee logo, McAfee Active Protection, epolicy Orchestrator, McAfee

More information

McAfee Data Protection for Cloud 1.0.1

McAfee Data Protection for Cloud 1.0.1 Product Guide McAfee Data Protection for Cloud 1.0.1 For use with McAfee epolicy Orchestrator COPYRIGHT Copyright 2015 McAfee, Inc., 2821 Mission College Boulevard, Santa Clara, CA 95054, 1.888.847.8766,

More information

Product Guide. McAfee Web Gateway Cloud Service

Product Guide. McAfee Web Gateway Cloud Service Product Guide McAfee Web Gateway Cloud Service COPYRIGHT Copyright 2017 McAfee, LLC TRADEMARK ATTRIBUTIONS McAfee and the McAfee logo, McAfee Active Protection, epolicy Orchestrator, McAfee epo, McAfee

More information

Addendum. McAfee Virtual Advanced Threat Defense

Addendum. McAfee Virtual Advanced Threat Defense Addendum McAfee Virtual Advanced Threat Defense 3.10.0 COPYRIGHT 2016 Intel Corporation TRADEMARK ATTRIBUTIONS Intel and the Intel logo are registered trademarks of the Intel Corporation in the US and/or

More information

McAfee MVISION Mobile epo Extension Product Guide

McAfee MVISION Mobile epo Extension Product Guide McAfee MVISION Mobile epo Extension 1809 Product Guide September 11, 2018 COPYRIGHT Copyright 2018 McAfee, LLC TRADEMARK ATTRIBUTIONS McAfee and the McAfee logo, McAfee Active Protection, epolicy Orchestrator,

More information

McAfee epolicy Orchestrator 5.9.1

McAfee epolicy Orchestrator 5.9.1 Configuration Guide McAfee epolicy Orchestrator 5.9.1 Hosted in Microsoft Azure Cloud Services and Amazon Web Services (AWS) McAfee epolicy Orchestrator 5.9.1 Configuration Guide 1 COPYRIGHT Copyright

More information

McAfee Policy Auditor 6.2.2

McAfee Policy Auditor 6.2.2 Release Notes McAfee Policy Auditor 6.2.2 For use with McAfee epolicy Orchestrator COPYRIGHT 2016 Intel Corporation TRADEMARK ATTRIBUTIONS Intel and the Intel logo are registered trademarks of the Intel

More information

McAfee Change Control Linux Product Guide. (McAfee epolicy Orchestrator)

McAfee Change Control Linux Product Guide. (McAfee epolicy Orchestrator) McAfee Change Control 6.2.0 - Linux Product Guide (McAfee epolicy Orchestrator) COPYRIGHT Copyright 2018 McAfee, LLC TRADEMARK ATTRIBUTIONS McAfee and the McAfee logo, McAfee Active Protection, epolicy

More information

McAfee Investigator Product Guide

McAfee Investigator Product Guide McAfee Investigator Product Guide COPYRIGHT Copyright 2018 McAfee, LLC TRADEMARK ATTRIBUTIONS McAfee and the McAfee logo, McAfee Active Protection, epolicy Orchestrator, McAfee epo, McAfee EMM, Foundstone,

More information

McAfee MVISION Mobile IBM MaaS360 Integration Guide

McAfee MVISION Mobile IBM MaaS360 Integration Guide McAfee MVISION Mobile IBM MaaS360 Integration Guide Administrator's guide for providing Integration with IBM MaaS360 MDM September 2018 COPYRIGHT Copyright 2018 McAfee, LLC TRADEMARK ATTRIBUTIONS McAfee

More information

McAfee MVISION Mobile Citrix XenMobile Integration Guide

McAfee MVISION Mobile Citrix XenMobile Integration Guide McAfee MVISION Mobile Citrix XenMobile Integration Guide MVISION Mobile Console 4.22 February 11, 2019 COPYRIGHT Copyright 2018 McAfee, LLC TRADEMARK ATTRIBUTIONS McAfee and the McAfee logo, McAfee Active

More information

McAfee File and Removable Media Protection Installation Guide

McAfee File and Removable Media Protection Installation Guide McAfee File and Removable Media Protection 5.0.8 Installation Guide COPYRIGHT Copyright 2018 McAfee, LLC TRADEMARK ATTRIBUTIONS McAfee and the McAfee logo, McAfee Active Protection, epolicy Orchestrator,

More information

McAfee Content Security Reporter 2.6.x Migration Guide

McAfee Content Security Reporter 2.6.x Migration Guide McAfee Content Security Reporter 2.6.x Migration Guide COPYRIGHT Copyright 2018 McAfee, LLC TRADEMARK ATTRIBUTIONS McAfee and the McAfee logo, McAfee Active Protection, epolicy Orchestrator, McAfee epo,

More information

McAfee File and Removable Media Protection 6.0.0

McAfee File and Removable Media Protection 6.0.0 Product Guide McAfee File and Removable Media Protection 6.0.0 COPYRIGHT 2017 Intel Corporation TRADEMARK ATTRIBUTIONS Intel and the Intel logo are registered trademarks of the Intel Corporation in the

More information

McAfee Endpoint Security Threat Prevention Product Guide - Windows

McAfee Endpoint Security Threat Prevention Product Guide - Windows McAfee Endpoint Security 10.6.0 - Threat Prevention Product Guide - Windows COPYRIGHT Copyright 2019 McAfee, LLC TRADEMARK ATTRIBUTIONS McAfee and the McAfee logo, McAfee Active Protection, epolicy Orchestrator,

More information

Migration Guide. McAfee Content Security Reporter 2.4.0

Migration Guide. McAfee Content Security Reporter 2.4.0 Migration Guide McAfee Content Security Reporter 2.4.0 COPYRIGHT Copyright 2017 McAfee, LLC TRADEMARK ATTRIBUTIONS McAfee and the McAfee logo, McAfee Active Protection, epolicy Orchestrator, McAfee epo,

More information

McAfee Firewall Enterprise epolicy Orchestrator Extension

McAfee Firewall Enterprise epolicy Orchestrator Extension Integration Guide Revision A McAfee Firewall Enterprise epolicy Orchestrator Extension COPYRIGHT Copyright 2012 McAfee, Inc. Do not copy without permission. TRADEMARK ATTRIBUTIONS McAfee, the McAfee logo,

More information

Installation Guide Revision B. McAfee Cloud Workload Security 5.0.0

Installation Guide Revision B. McAfee Cloud Workload Security 5.0.0 Installation Guide Revision B McAfee Cloud Workload Security 5.0.0 COPYRIGHT Copyright 2018 McAfee, LLC TRADEMARK ATTRIBUTIONS McAfee and the McAfee logo, McAfee Active Protection, epolicy Orchestrator,

More information

McAfee MVISION Mobile Microsoft Intune Integration Guide

McAfee MVISION Mobile Microsoft Intune Integration Guide McAfee MVISION Mobile Microsoft Intune Integration Guide MVISION Mobile Console 4.22 February 11, 2019 COPYRIGHT Copyright 2018 McAfee, LLC TRADEMARK ATTRIBUTIONS McAfee and the McAfee logo, McAfee Active

More information

McAfee MVISION Mobile IBM MaaS360 Integration Guide

McAfee MVISION Mobile IBM MaaS360 Integration Guide McAfee MVISION Mobile IBM MaaS360 Integration Guide MVISION Mobile Console 4.22 February 11, 2019 COPYRIGHT Copyright 2018 McAfee, LLC TRADEMARK ATTRIBUTIONS McAfee and the McAfee logo, McAfee Active Protection,

More information

McAfee Cloud Workload Security Product Guide

McAfee Cloud Workload Security Product Guide Revision B McAfee Cloud Workload Security 5.1.0 Product Guide (McAfee epolicy Orchestrator) COPYRIGHT Copyright 2018 McAfee, LLC TRADEMARK ATTRIBUTIONS McAfee and the McAfee logo, McAfee Active Protection,

More information

McAfee Application Control 6.2.0

McAfee Application Control 6.2.0 Best Practices Guide McAfee Application Control 6.2.0 For use with McAfee epolicy Orchestrator COPYRIGHT Copyright 2015 McAfee, Inc., 2821 Mission College Boulevard, Santa Clara, CA 95054, 1.888.847.8766,

More information

McAfee File and Removable Media Protection Product Guide

McAfee File and Removable Media Protection Product Guide McAfee File and Removable Media Protection 5.0.8 Product Guide COPYRIGHT Copyright 2018 McAfee, LLC TRADEMARK ATTRIBUTIONS McAfee and the McAfee logo, McAfee Active Protection, epolicy Orchestrator, McAfee

More information

Migration Guide. McAfee File and Removable Media Protection 5.0.0

Migration Guide. McAfee File and Removable Media Protection 5.0.0 Migration Guide McAfee File and Removable Media Protection 5.0.0 COPYRIGHT Copyright 2015 McAfee, Inc., 2821 Mission College Boulevard, Santa Clara, CA 95054, 1.888.847.8766, www.intelsecurity.com TRADEMARK

More information

McAfee Application Control 8.0.0

McAfee Application Control 8.0.0 Best Practices Guide McAfee Application Control 8.0.0 For use with McAfee epolicy Orchestrator COPYRIGHT 2016 Intel Corporation TRADEMARK ATTRIBUTIONS Intel and the Intel logo are registered trademarks

More information

Interface Reference. McAfee Application Control Windows Interface Reference Guide. Add Installer page. (McAfee epolicy Orchestrator)

Interface Reference. McAfee Application Control Windows Interface Reference Guide. Add Installer page. (McAfee epolicy Orchestrator) McAfee Application Control 8.1.0 - Windows Interface Reference Guide (McAfee epolicy Orchestrator) Interface Reference Add Installer page Add an existing installer to the McAfee epo repository. Table 1

More information

McAfee MVISION Mobile MobileIron Integration Guide

McAfee MVISION Mobile MobileIron Integration Guide McAfee MVISION Mobile MobileIron Integration Guide Administrator's guide for providing Integration with MobileIron MDM September 2018 COPYRIGHT Copyright 2018 McAfee, LLC TRADEMARK ATTRIBUTIONS McAfee

More information

McAfee Network Security Platform

McAfee Network Security Platform Revision K McAfee Network Security Platform (NS-series Interface Modules Reference Guide) COPYRIGHT Copyright 2019 McAfee, LLC TRADEMARK ATTRIBUTIONS McAfee and the McAfee logo, McAfee Active Protection,

More information

McAfee MVISION Mobile AirWatch Integration Guide

McAfee MVISION Mobile AirWatch Integration Guide McAfee MVISION Mobile AirWatch Integration Guide Administrator's guide for providing Integration with AirWatch MDM September 2018 COPYRIGHT Copyright 2018 McAfee, LLC TRADEMARK ATTRIBUTIONS McAfee and

More information

Release Notes - McAfee Deep Defender 1.0

Release Notes - McAfee Deep Defender 1.0 Release Notes - McAfee Deep Defender 1.0 About this document About this release Features Known issues Documentation Before installing McAfee Deep Defender 1.0 Installing McAfee Deep Defender 1.0 About

More information

Product Guide. McAfee Performance Optimizer 2.2.0

Product Guide. McAfee Performance Optimizer 2.2.0 Product Guide McAfee Performance Optimizer 2.2.0 COPYRIGHT Copyright 2017 McAfee, LLC TRADEMARK ATTRIBUTIONS McAfee and the McAfee logo, McAfee Active Protection, epolicy Orchestrator, McAfee epo, McAfee

More information

Total Protection Service

Total Protection Service User Guide McAfee Total Protection Service for Microsoft Windows Home Server COPYRIGHT Copyright 2008 McAfee, Inc. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed,

More information

Archiving Service. Exchange server setup (2010) Secure Gateway (SEG) Service Administrative Guides

Archiving Service. Exchange server setup (2010) Secure  Gateway (SEG) Service Administrative Guides Secure E-Mail Gateway (SEG) Service Administrative Guides Archiving Service Exchange server setup (2010) 2014 AT&T Intellectual Property. All rights reserved. AT&T, the AT&T logo and all other AT&T marks

More information

McAfee Network Security Platform

McAfee Network Security Platform Reference Guide Revision I McAfee Network Security Platform NS-series Interface Modules COPYRIGHT Copyright 2017 McAfee, LLC TRADEMARK ATTRIBUTIONS McAfee and the McAfee logo, McAfee Active Protection,

More information

McAfee Application Control/ McAfee Change Control Administration

McAfee Application Control/ McAfee Change Control Administration McAfee Application Control/ McAfee Change Control Administration Education Services Administration Course The McAfee University McAfee Application Application Control/McAfee Change Control Administration

More information

McAfee MVISION Mobile Silverback Integration Guide

McAfee MVISION Mobile Silverback Integration Guide McAfee MVISION Mobile Silverback Integration Guide Administrator's guide for providing Integration with Silverback MDM September 2018 COPYRIGHT Copyright 2018 McAfee, LLC TRADEMARK ATTRIBUTIONS McAfee

More information

McAfee Rogue System Detection 5.0.5

McAfee Rogue System Detection 5.0.5 Product Guide McAfee Rogue System Detection 5.0.5 For use with epolicy Orchestrator 5.1.2, 5.1.3, 5.3.0, 5.3.1, and 5.3.2 Software COPYRIGHT 2016 Intel Corporation TRADEMARK ATTRIBUTIONS Intel and the

More information

Hardware Guide. McAfee MVM3200 Appliance

Hardware Guide. McAfee MVM3200 Appliance Hardware Guide McAfee MVM3200 Appliance COPYRIGHT Copyright 2014 McAfee, Inc. Do not copy without permission. TRADEMARKS McAfee, the McAfee logo, McAfee Active Protection, McAfee AppPrism, McAfee Artemis,

More information

McAfee MVISION Endpoint 1808 Product Guide

McAfee MVISION Endpoint 1808 Product Guide McAfee MVISION Endpoint 1808 Product Guide COPYRIGHT Copyright 2018 McAfee, LLC TRADEMARK ATTRIBUTIONS McAfee and the McAfee logo, McAfee Active Protection, epolicy Orchestrator, McAfee epo, McAfee EMM,

More information

McAfee Change Control and McAfee Application Control 8.0.0

McAfee Change Control and McAfee Application Control 8.0.0 Installation Guide McAfee Change Control and McAfee Application Control 8.0.0 For use with McAfee epolicy Orchestrator COPYRIGHT 2016 Intel Corporation TRADEMARK ATTRIBUTIONS Intel and the Intel logo are

More information

McAfee MVISION Mobile Threat Detection Android App Product Guide

McAfee MVISION Mobile Threat Detection Android App Product Guide McAfee MVISION Mobile Threat Detection Android App 1809.4.7.0 Product Guide September 11, 2018 COPYRIGHT Copyright 2018 McAfee, LLC TRADEMARK ATTRIBUTIONS McAfee and the McAfee logo, McAfee Active Protection,

More information

Revision A. McAfee Data Loss Prevention Endpoint 11.1.x Installation Guide

Revision A. McAfee Data Loss Prevention Endpoint 11.1.x Installation Guide Revision A McAfee Data Loss Prevention Endpoint 11.1.x Installation Guide COPYRIGHT Copyright 2018 McAfee, LLC TRADEMARK ATTRIBUTIONS McAfee and the McAfee logo, McAfee Active Protection, epolicy Orchestrator,

More information

Release Notes McAfee Application Control 6.1.0

Release Notes McAfee Application Control 6.1.0 Release Notes McAfee Application Control 6.1.0 About this document New features Known issues Resolved issues Installation instructions Find product documentation About this document Thank you for choosing

More information

McAfee Performance Optimizer 2.1.0

McAfee Performance Optimizer 2.1.0 Product Guide McAfee Performance Optimizer 2.1.0 For use with McAfee epolicy Orchestrator COPYRIGHT 2016 Intel Corporation TRADEMARK ATTRIBUTIONS Intel and the Intel logo are registered trademarks of the

More information

McAfee MOVE AntiVirus Installation Guide. (McAfee epolicy Orchestrator)

McAfee MOVE AntiVirus Installation Guide. (McAfee epolicy Orchestrator) McAfee MOVE AntiVirus 4.7.0 Installation Guide (McAfee epolicy Orchestrator) COPYRIGHT Copyright 2018 McAfee, LLC TRADEMARK ATTRIBUTIONS McAfee and the McAfee logo, McAfee Active Protection, epolicy Orchestrator,

More information

Product Guide. McAfee Content Security Reporter 2.4.0

Product Guide. McAfee Content Security Reporter 2.4.0 Product Guide McAfee Content Security Reporter 2.4.0 COPYRIGHT Copyright 2017 McAfee, LLC TRADEMARK ATTRIBUTIONS McAfee and the McAfee logo, McAfee Active Protection, epolicy Orchestrator, McAfee epo,

More information

McAfee Enterprise Mobility Management 12.0 Software

McAfee Enterprise Mobility Management 12.0 Software Product Guide McAfee Enterprise Mobility Management 12.0 Software For use with epolicy Orchestrator 4.6.7-5.1 Software COPYRIGHT Copyright 2014 McAfee, Inc. Do not copy without permission. TRADEMARK ATTRIBUTIONS

More information

McAfee Data Exchange Layer Product Guide. (McAfee epolicy Orchestrator)

McAfee Data Exchange Layer Product Guide. (McAfee epolicy Orchestrator) McAfee Data Exchange Layer 4.1.0 Product Guide (McAfee epolicy Orchestrator) COPYRIGHT Copyright 2018 McAfee, LLC TRADEMARK ATTRIBUTIONS McAfee and the McAfee logo, McAfee Active Protection, epolicy Orchestrator,

More information

McAfee Endpoint Security Installation Guide. (McAfee epolicy Orchestrator)

McAfee Endpoint Security Installation Guide. (McAfee epolicy Orchestrator) McAfee Endpoint Security 10.6.0 - Installation Guide (McAfee epolicy Orchestrator) COPYRIGHT Copyright 2018 McAfee, LLC TRADEMARK ATTRIBUTIONS McAfee and the McAfee logo, McAfee Active Protection, epolicy

More information

Firewall Enterprise epolicy Orchestrator

Firewall Enterprise epolicy Orchestrator Integration Guide McAfee Firewall Enterprise epolicy Orchestrator Extension version 5.2.1 COPYRIGHT Copyright 2011 McAfee, Inc. All Rights Reserved. No part of this publication may be reproduced, transmitted,

More information

Cloud Workload Discovery 4.5.1

Cloud Workload Discovery 4.5.1 Product Guide Cloud Workload Discovery 4.5.1 For use with McAfee epolicy Orchestrator COPYRIGHT 2017 Intel Corporation TRADEMARK ATTRIBUTIONS Intel and the Intel logo are registered trademarks of the Intel

More information

McAfee Change Control Using Change Reconciliation and Ticket-based Enforcement

McAfee Change Control Using Change Reconciliation and Ticket-based Enforcement 6.0.0 Using Change Reconciliation and Ticket-based Enforcement COPYRIGHT Copyright 2011 McAfee, Inc. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed, stored

More information