Interface Reference. McAfee Application Control Windows Interface Reference Guide. Add Installer page. (McAfee ePolicy Orchestrator)


McAfee Application Control Windows Interface Reference Guide (McAfee ePolicy Orchestrator)

Interface Reference

Add Installer page
Add an existing installer to the McAfee ePO repository.

Table 1 definitions
Installer Name: Specifies the installer name.
Installer Path: Specifies the path of the installer.
Version: Specifies the version of the installer.
Vendor: Specifies the name of the vendor who published the installer.
File SHA-1: Specifies the SHA-1 value of the installer.
File SHA-256: Specifies the SHA-256 value of the installer.

Advanced File Comparison page
Compare any two files (or file versions) on an endpoint or on two different endpoints.

Table 2 definitions
File 1: Allows you to specify information for the file to compare.
  Group: Selects the group.
  Host: Specifies the host name.
  File: Specifies the name and path of the file.
  Version: Selects the version to compare.
File 2: Allows you to specify information for the file to compare.
  Group: Selects the group.
  Host: Specifies the host name.
  File: Specifies the name and path of the file.
  Version: Selects the version to compare.
Show Comparison: Compares the specified files. The files (attributes and content) are compared and differences are displayed.
Close: Returns to the Content Change Tracking Files page.

Alerts page
View Solidcore-related alerts.

Table 3 definitions
Filter
  Hide Filter/Show Filter: Hides or shows the filters on the page.
Show selected rows: Hides all rows except the rows selected on the page.
Actions: Specifies the actions that you can perform on the selected alerts, including:
  Export Table: Opens the Export page. Use this page to specify the format and the package of files to be exported. You can save or email the Solidcore alerts.
  Dismiss: Ignores the selected Solidcore alerts.
  Choose Columns: Opens the Select the Columns to Display page. Use this option to select the columns of data to display on the Solidcore Alerts page.

Allow or Ban Files wizard - Select Rule Group page
Allow known executable or script files to run and prevent malicious executable or script files from running. This page is displayed when you select the Allow Files or Ban Files action from these pages:
- By Applications
- Inventory Details (opens when you click View for an endpoint on the By Systems page)
- File Details

Table 4 definitions
Allow Files
  Add Files to Whitelist: Adds the selected files to the whitelist of the endpoint. This option is available only when you open the wizard from the Inventory Details page.
  Add to Existing Rule Group: Updates an existing rule group with rules to allow the selected files.
    Select a Rule Group: Selects the rule group to update.
    Rule Group OS: Specifies the operating system for the rule group.
  Create a New Rule Group: Creates a rule group with rules to allow the selected files.
    New Rule Group Name: Specifies the name for the rule group.
    Rule Group OS: Specifies the operating system for the rule group.
Ban Files
  Add to Existing Rule Group: Updates an existing rule group with rules to block the selected files.
    Select a Rule Group: Selects the rule group to update.
    Rule Group OS: Specifies the operating system for the rule group.
  Create a New Rule Group: Creates a rule group with rules to block the selected files.
    New Rule Group Name: Specifies the name for the rule group.
    Rule Group OS: Specifies the operating system for the rule group.

Allow or Ban Files wizard - Verify Rules page
Allow the executable files only on the selected endpoint by adding the files to the whitelist of the endpoint. This page is displayed when you select Add Files to Whitelist. This option is available only if you are managing the inventory for an endpoint (by clicking the View link for an endpoint on the By Systems page).

Table 5 definitions
File Path: Displays prepopulated rules to add the files only on the selected endpoint. If needed, you can review and edit the rules.
Add: Opens the Add File Path for Whitelist dialog box. Specify the path of the file to add to the whitelist.
Edit: Opens the Edit File Path for Whitelist dialog box with information for a selected rule. Edit the details as needed, then click OK.
Remove: Deletes the selected rule.

Application Control Options policy (Windows) - Self-Approval tab
Enable the self-approval feature on endpoints.

Table 6 definitions
Enable Self-Approval: Enables the self-approval feature.
Self-Approval Text: Specifies the message to display on the endpoint in the McAfee Application Control - Self-Approval dialog box. When a user tries to run a new or unknown application, the dialog box appears. This option is enabled only when Enable Self-Approval is selected. The pop-up message:
  - Supports up to 1500 characters.
  - Supports special characters.
  - Can include links which are highlighted in blue and are clickable.
  - Links can be included anywhere in the banner text.
  - Web URLs are detected with and without the protocol http or https, for instance or
  - Other protocols are supported with the full URL text, such as addresses mailto:user@example.com or FTP server ftp://ftpserver.com
Dialog Timeout: Specifies the time duration (in seconds) for which the McAfee Application Control - Self-Approval dialog box displays on the endpoint after an action is prevented by Application Control. If the user does not take an action for the application in the specified time duration, the execution of the application is automatically denied and the dialog box closes. This option is enabled only when Enable Self-Approval is selected.
Justification Message: Indicates whether it is mandatory or optional for the user to provide a business need or justification while allowing an action on the endpoint. By default, this is set to Mandatory. This option is enabled only when Enable Self-Approval is selected.
Advanced Options: Specifies the behavior for applications when the system is starting or when an interactive session is unavailable. In either of these scenarios, Application Control cannot display the McAfee Application Control - Self-Approval dialog box. If you select this option, applications that run on the system while it is starting or when an interactive session is unavailable are allowed to execute. This option is enabled only when Enable Self-Approval is selected.

Application Control Options policy (Windows) - End User Notifications tab
Configure end-user notifications. The settings on this page determine the customized notification message displayed on the endpoints for the various Application Control events.

Table 7 definitions
User Message: Use the option "Show the messages dialog box when an event is detected and display the specified text in the message" to display a message box at the endpoint each time an event is generated.
Helpdesk Information: Allows you to specify help desk information that is displayed on the endpoints.
  Mail to: Specifies the address where all approval requests (from endpoints) are sent.
  Mail Subject: Specifies the subject of the message sent for approval requests (from endpoints).
  Link to Website: Indicates the website listed in the Application and Change Control Events window on the endpoints.
  McAfee ePO IP Address and Port: Specifies the McAfee ePO server address and port.
Messages: Customize the messages displayed for the ActiveX Installation Prevented, Blocked Interactive Mode of Process, Execution Denied, Nx Violation Detected, Installation Denied, Prevented File Execution, Process Hijack Attempted, File Read Denied, VASR Violation Detected, and File Write Denied events by using these options:
  Message: Specifies the message text for the event.
  Insert Variable: Allows you to add variables to the notification message.
  Insert: Adds the selected variable to the message text.
  Show Event in Dialog: Indicates if all events of the selected event type are listed in the Application and Change Control Events window on the endpoints.

Application Control Options policy (Windows) - Features tab
Enable or disable selected features on endpoints. This page is useful to diagnose or troubleshoot issues faced on endpoint systems.

Table 8 definitions
Feature Control
  Enforce feature control from McAfee ePO: Enables or disables selected features on endpoints. Only when this option is selected are the settings for the following features applied to the endpoints.
ActiveX: By default, Application Control prevents the installation of ActiveX controls on endpoints. Select this option to enable the ActiveX feature to install and run ActiveX controls on endpoints. Alternatively, deselect this option to disable the ActiveX feature on endpoints. This feature is available only on the Windows platform.
Execution Control: Application Control performs a set of checks to determine whether to allow or block a file. For files whose execution is allowed after the checks, you can define additional granular and context-based rules to control execution. You can define attribute-based rules to allow, block, or monitor file execution in different contexts.
Memory Protection: Enables or disables these memory-protection techniques on endpoints.

Table 8 definitions (continued)
CASP: Enables or disables the Critical Address Space Protection technique on endpoints.
NX (64-Bit): Enables or disables the No execute technique on endpoints.
Generate Observations: Enables or disables the generation of observations in Enabled mode.
Package Control: By default, Application Control prevents MSI-based installers from running on endpoints. Select this option to enable the Package Control feature to allow MSI-based installers to run and install software on endpoints. Alternatively, deselect this option to disable the Package Control feature on endpoints. For endpoints running versions earlier than 6.1.1, restart is required to enable the Package Control feature.
  Bypass Package Control: Bypasses package control on endpoints running version or later.
  Allow Uninstallation: Allows uninstallation of software packages on endpoints running version or later.

Application Control Options policy (Windows) - Inventory tab
Configure settings to fetch the inventory.

Table 9 definitions
Hide Windows OS Files: Includes or excludes the files that are specific to the Windows operating system from the inventory. By default, these files are excluded. Inventory items signed by Microsoft certificates are not sent to McAfee ePO. This prevents overloading the inventory with legitimate Windows files in the <system drive>\windows folder (signed by a Microsoft certificate) and files in the <system drive>\windows\winsxs folder.
Pull Complete Inventory Interval: Specifies the minimum interval between complete inventory pull runs (when the complete inventory information is fetched from the endpoints). By default, this value is 7 days, which means you can only pull the complete inventory once a week for an endpoint. This value takes precedence over any scheduled tasks to fetch inventory.
Receive Inventory Updates Interval: Specifies the minimum lag between the generation of consecutive inventory updates. By default, this value is 3 hours.

Application Control Options (Windows) policy - Reputation tab
Configure reputation-based workflows on Application Control endpoints.

Table 10 definitions
What's reputation-based execution?: Opens a McAfee KnowledgeBase article that explains reputation-based execution.
Reputation
  Use McAfee Threat Intelligence Exchange (TIE) server: Select to fetch reputation from the TIE server. This option is selected by default and comes into play if you have a TIE server installed in your setup. If this option is selected, reputation for files and certificates is fetched from the TIE server. The reputation values control execution at endpoints and are displayed on the Application Control pages on the McAfee ePO console. The administrator can review the reputation values and make informed decisions for inventory items in the enterprise.
  Use McAfee Global Threat Intelligence (McAfee GTI): Select to fetch reputation from the McAfee GTI server when the TIE server is unavailable or not installed. This option is selected by default. If this option is selected, reputation for files and certificates is fetched from the McAfee GTI server. The reputation values control execution at endpoints and are displayed on the Application Control pages on the McAfee ePO console. The administrator can review the reputation values and make informed decisions for inventory items in the enterprise.
Reputation-Based Execution Settings
  Allow files with: Select to define the file reputation levels for which to allow execution of files on the endpoint. For example, if you select the checkbox and then select Might be Trusted from the drop-down list, all files with Known Trusted, Most Likely Trusted, and Might be Trusted reputation are allowed to execute on the endpoints. Select this option when performing new installations. By default, the option is selected with the Most Likely Trusted reputation value.
  Ban files with: Select to define the file reputation levels for which to prevent execution of files on the endpoint. For example, if you select the checkbox and then select Might be Malicious from the drop-down list, all files with Might be Malicious, Most Likely Malicious, and Known Malicious reputation are prevented from executing on the endpoints. Select this option when performing new installations and upgrades. By default, the option is selected with the Might be Malicious reputation value.
Advanced Threat Defense (ATD) Settings
  Send files with: Select this option to automatically send files with the specified reputation levels to ATD for further analysis. We recommend you select this option if ATD is available in your setup. If you select the checkbox and then select Unknown from the drop-down list, all files with Unknown, Might be Malicious, Most Likely Malicious, and Might be Trusted reputation are sent to ATD. This option is not selected by default.
  Limit file size to: Select to specify the size of the files to send to ATD for analysis. Select the checkbox and specify the file size (in MB) in the text box. Possible values are between 1 MB and 10 MB. This option is not selected by default.
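The Allow files with and Ban files with thresholds described above can be modelled as cut-offs on an ordered reputation scale. The following is an added example, not McAfee code: the function names and the "undecided" label are assumptions of this sketch, and it only models the settings as this page describes them (TIE consulted first, GTI when TIE gives no answer, defaults of Most Likely Trusted and Might be Malicious).

```python
from enum import IntEnum
from typing import List, Optional


class Reputation(IntEnum):
    """Reputation levels in the order the page lists them, most trusted first."""
    KNOWN_TRUSTED = 0
    MOST_LIKELY_TRUSTED = 1
    MIGHT_BE_TRUSTED = 2
    UNKNOWN = 3
    MIGHT_BE_MALICIOUS = 4
    MOST_LIKELY_MALICIOUS = 5
    KNOWN_MALICIOUS = 6


# Defaults stated on the Reputation tab.
DEFAULT_ALLOW_UP_TO = Reputation.MOST_LIKELY_TRUSTED
DEFAULT_BAN_FROM = Reputation.MIGHT_BE_MALICIOUS


def resolve_reputation(tie: Optional[Reputation], gti: Optional[Reputation],
                       use_tie: bool = True, use_gti: bool = True) -> Optional[Reputation]:
    """Pick the reputation source: TIE first, GTI when TIE is unavailable.

    None stands for "server unavailable or not installed" (assumption of this model).
    """
    if use_tie and tie is not None:
        return tie
    if use_gti and gti is not None:
        return gti
    return None


def reputation_verdict(rep: Optional[Reputation],
                       allow_up_to: Optional[Reputation] = DEFAULT_ALLOW_UP_TO,
                       ban_from: Optional[Reputation] = DEFAULT_BAN_FROM) -> str:
    """Return "allow", "ban" or "undecided" for one file.

    A threshold of None models a deselected checkbox. "undecided" means the
    reputation settings give no verdict; what happens next is outside this model.
    """
    if allow_up_to is not None and ban_from is not None and allow_up_to >= ban_from:
        # Sanity check added in this sketch: the two ranges must not overlap.
        raise ValueError("allow and ban reputation ranges overlap")
    if rep is None:
        return "undecided"
    if ban_from is not None and rep >= ban_from:
        return "ban"
    if allow_up_to is not None and rep <= allow_up_to:
        return "allow"
    return "undecided"


def undecided_levels(allow_up_to: Optional[Reputation] = DEFAULT_ALLOW_UP_TO,
                     ban_from: Optional[Reputation] = DEFAULT_BAN_FROM) -> List[Reputation]:
    """List the reputation levels that neither threshold covers."""
    return [r for r in Reputation
            if reputation_verdict(r, allow_up_to, ban_from) == "undecided"]


if __name__ == "__main__":
    # With the defaults, two levels fall between the allow and ban ranges.
    print([r.name for r in undecided_levels()])
```

Running `undecided_levels()` for a planned policy shows which reputation levels are left to the other Application Control checks before the policy is pushed to endpoints.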

Application Details page
Review details for an application. You can access this page from these pages:
- By Applications page by clicking Inventory Actions > Application Details for an application selected in the Applications or Vendors pane
- Inventory Details page (opens when you click View for an endpoint on the By Systems page) by clicking Inventory Actions > Application Details for an application selected in the Applications or Vendors pane
- Image Deviation Details page by clicking Application Details for an application selected in the Applications pane

Table 11 definitions
Application Properties: Lists properties, such as vendor and reputation, for the selected application.
Systems: This pane lists all endpoints on which the selected application is present.
  Hide Filter/Show Filter: Hides or shows the filter options in the pane.
  Quick find: Specifies the string to search for. You can search based on the system name.
  Apply: Filters the list based on the specified string.
  Clear: Removes an applied filter.
  Show selected rows: Hides all rows except the rows selected in the Systems pane.
Executable Files: This pane lists all files associated with the selected application.
  Hide Filter/Show Filter: Hides or shows the filter options in the pane.
  Quick find: Specifies the string to search for. You can search based on the file name.
  Apply: Filters the list based on the specified string.
  Clear: Removes an applied filter.
  Show selected rows: Hides all rows except the rows selected in the Executable Files pane.
Actions: The following actions are available from the Systems and Executable Files panes.
  Export Table: Opens the Export page. Use this page to specify the format and the package of files to be exported. You can save or email application details.
  Choose Columns: Opens the Select the Columns to Display page. Use this to select the columns of data to display in the Systems or Executable Files pane.
  The following actions are available only from the Systems pane.
  Fetch Inventory: Fetches inventory details for one or more selected endpoints.
  Import Inventory: Imports inventory details for the selected endpoint from an XML file. The inventory for the selected endpoint is updated based on the inventory details included in the XML file.
  Mark Trusted: Recategorizes all unknown executable or script files on the selected endpoint as trusted files. This is useful to set a base image for your setup that includes known applications, including internally developed, recognized, or trusted (from a reputed vendor) applications.
  View Inventory: Displays inventory details for the selected endpoint.

Begin Update Mode client task
To authorize changes to endpoints, you can open a change window during which users or programs can make changes to protected endpoints. You can also add a label or ID to identify the changes made during Update mode.

Table 12 definitions
Workflow ID: Specifies a meaningful label or ID for the update mode window. Changes made during Update mode are tagged with the specified label or ID.
Comments: Specifies a description for the update mode window.

File Details page
Review details for an executable file. You can access this page when you click a file name (in the Executable Files pane) from any of these pages:
- By Applications page
- Inventory Details page (opens when you click View for an endpoint on the By Systems page)

Table 13 definitions
File Details: Lists relevant details for the selected file.
  File Name: Displays the name of the selected file. Also, clicking Lookup in TIE opens the TIE Reputations page that allows you to view or edit the file reputation.
  File Version: Displays the version information for the selected file.
  Path: Displays the path of the selected file.
  First Seen System: Displays the system where the selected file was detected for the first time in the enterprise.
  First Seen Time: Displays the date and time when the selected file was detected for the first time in the enterprise.
  Final Reputation: Displays the final reputation for the selected file. The color in which the reputation is displayed indicates whether the file is trusted, malicious, or unknown.
    Color and Reputation:
    Green: Known Trusted, Most Likely Trusted, Might be Trusted
    Orange: Unknown
    Red: Might be Malicious, Most Likely Malicious, Known Malicious

Table 13 definitions (continued)
  File SHA-1: Displays the SHA-1 value for the selected file.
  File SHA-256: Displays the SHA-256 value for the selected file.
  File MD5: Displays the MD5 value for the selected file.
  Application: Displays the application to which the selected file is linked.
  Certificate: Displays the name of the certificate vendor. The color in which the vendor is displayed indicates whether the file is trusted (Green), malicious (Red), or unknown (Orange). Click the vendor name to review the following additional details. Also, clicking Lookup in TIE opens the TIE Certificate Reputations Details page, which allows you to view or edit the certificate reputation.
    Subject: Name of the certificate vendor.
    Issuer: Name of the certificate signing authority.
    Certificate Reputation: Reputation of the certificate. Possible values are Known Trusted, Most Likely Trusted, Might be Trusted, Unknown, Might be Malicious, Most Likely Malicious, and Known Malicious. The color in which the Certificate Reputation is displayed indicates whether the certificate is trusted (Green), malicious (Red), or unknown (Orange).
    Reputation Source: Indicates the reputation source. Possible values are TIE and GTI.
    Public Key Algorithm: Indicates the algorithm used to create the public key to encrypt messages.
    Public Key Length: Specifies the length of the public key in bits.
    Public Key Hash: Displays the public key hash.
    Certificate Hash: Displays the certificate hash.
    Valid From: Indicates the date from which the certificate is valid.
    Valid To: Indicates the date until which the certificate is valid.
Execution Status in Enterprise Inventory: Displays the execution status of the selected file in your enterprise. You can view the number of systems where the file is allowed or banned.

Table 13 definitions (continued)
File observed on systems: Lists all endpoints with the selected file.
  Hide Filter/Show Filter: Hides or shows the filter options in the pane.
  Preset: Filters the systems list based on whether the file is allowed or banned on the endpoints.
  Quick find: Specifies the string to search for. You can search based on the system name.
  Apply: Filters the list based on the specified string.
  Clear: Removes an applied filter.
  Execution Permission: Lists the reason or cause associated with the execution status of a file. Possible values are:
    - Allow by file SHA-1 or SHA-256
    - Allow by certificate
    - Allow by name
    - Allow by trusted path
    - Allow by Whitelist
    - Allow by observe mode
    - Ban by file SHA-1 or SHA-256
    - Ban by certificate
    - Ban by name
    - Ban by trusted path
    - Not in Whitelist
Actions
  Allow/Ban: Opens the Allow or Ban Files wizard where you can allow or ban the file by defining a rule.
  View Events: Opens the Solidcore Events page where you can view events generated for the selected system and file.
  Export Table: Opens the Export page where you can specify the format and the package of files to be exported. You can save or email file details.
  Choose Columns: Opens the Select the Columns to Display page where you can select the columns of data to display in the File observed on systems pane.

Executable Files tab
Allow or ban an executable file based on its name, SHA-1 value, or SHA-256 value.

Table 14 definitions
Add: Opens the Add File dialog box.
  Rule name: Specifies the name of a program.
  Allow/Ban: Specifies if the program is trusted or not.
  Rule Type: Selects one of these options.
    File SHA-1: Adds the SHA-1 of the executable file.
    File SHA-256: Adds the SHA-256 of the executable file.
    File Name (Deprecated): Adds the executable file name. This is a deprecated option and is not recommended. Instead, create a rule based on the file's checksum.
  Name/SHA-1/SHA-256: Specifies the name, SHA-1 value, or SHA-256 value for the file. This field is either Name, SHA-1, or SHA-256 depending on the Rule Type.
  OK: Adds the file name, SHA-1, or SHA-2 value.
  Cancel: Exits without saving the file details.
Edit: Opens the Edit File dialog box with information for a selected rule. Edit the details as needed, then click OK.
Remove: Deletes the selected rule.

By Applications page
Review and manage the software inventory for endpoints in your environment. You can access this page by selecting:
- Menu > Application Control > Inventory > By Applications (allows you to manage inventory for all endpoints in your environment)
- Menu > Application Control > Inventory > By Systems > View (allows you to manage inventory for a single endpoint)
- Menu > Systems > System Tree, select an endpoint, and select Actions > Application Control > View Inventory (allows you to manage inventory for the selected endpoint)
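The Executable Files tab above deprecates File Name rules in favor of checksum rules. The following added example (not McAfee code) shows the difference on constructed data and lists name-based rules that are candidates for migration; the `Rule` fields mirror the dialog box fields, while the case-insensitive base-name match, the function names and the sample byte strings are assumptions of this sketch.

```python
import hashlib
from pathlib import PureWindowsPath
from typing import Dict, List, NamedTuple


class Rule(NamedTuple):
    rule_name: str   # "Rule name" field
    action: str      # "allow" or "ban" (the Allow/Ban field)
    rule_type: str   # "sha1", "sha256", or "name" (File Name, deprecated)
    value: str       # the Name/SHA-1/SHA-256 field


def file_digests(content: bytes) -> Dict[str, str]:
    """Compute the checksums a SHA-1 or SHA-256 rule is compared against."""
    return {
        "sha1": hashlib.sha1(content).hexdigest(),
        "sha256": hashlib.sha256(content).hexdigest(),
    }


def matching_rules(path: str, content: bytes, rules: List[Rule]) -> List[Rule]:
    """Return every rule that matches a file, in rule order.

    Name rules look only at the file's base name (matching assumed to be
    case-insensitive here); checksum rules look only at the content.
    """
    digests = file_digests(content)
    base_name = PureWindowsPath(path).name.lower()
    hits = []
    for rule in rules:
        if rule.rule_type == "name":
            if rule.value.lower() == base_name:
                hits.append(rule)
        elif digests.get(rule.rule_type) == rule.value.lower():
            hits.append(rule)
    return hits


def deprecated_name_rules(rules: List[Rule]) -> List[Rule]:
    """List rules that still use the deprecated File Name type."""
    return [rule for rule in rules if rule.rule_type == "name"]


# Constructed sample data: stand-ins for the content of two different programs.
VENDOR_BUILD = b"constructed sample: vendor backup tool, build 1.0"
OTHER_PROGRAM = b"constructed sample: unrelated program saved under the same name"

SAMPLE_RULES = [
    Rule("allow-backup-by-name", "allow", "name", "backup.exe"),
    Rule("allow-backup-by-sha256", "allow", "sha256",
         hashlib.sha256(VENDOR_BUILD).hexdigest()),
]

if __name__ == "__main__":
    for path, content in [
        (r"C:\Tools\backup.exe", VENDOR_BUILD),          # intended file
        (r"C:\Users\Public\BACKUP.EXE", OTHER_PROGRAM),  # same name, other content
        (r"C:\Tools\renamed.exe", VENDOR_BUILD),         # same content, other name
    ]:
        names = [rule.rule_name for rule in matching_rules(path, content, SAMPLE_RULES)]
        print(path, "->", names)
    print("migrate:", [rule.rule_name for rule in deprecated_name_rules(SAMPLE_RULES)])
```

The name rule trusts any content stored under that file name, while the SHA-256 rule follows the exact build wherever it is stored; a new build of the same program needs its own checksum rule.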

Table 15 definitions
Views and Filters
  Views: View the inventory details using these options:
    Application: Filters the inventory based on the applications installed on the endpoints.
    File Name: Displays files filtered by name.
    File SHA-1: Searches for a file based on its SHA-1 value.
    File SHA-256: Searches for a file based on its SHA-256 value.
    File MD5: Searches for a file based on its MD5 value.
    Vendor: Filters the inventory based on the vendor name.
    Final Reputation: Filters the inventory and displays files based on the specified reputation value.
  Search String: Enter a search string to filter the inventory details. The search string can be used with the available views.
  Search: Filters the displayed results based on the specified view and filter criteria.
  What's Final Reputation?: Opens a McAfee KnowledgeBase article that explains how the software determines final reputation for files or certificates.
  Filters: Use these filters to view selected files.
    Add Saved Filter: Opens the Select View page where you can define a new filter. Use the available properties to define the filter. By default, the Hidden property is added to all new filters you define. The Hidden property is set to False, allowing you to view only unhidden inventory items. If needed, you can edit the property value or remove the property from the filter.
    Default View: Removes any applied filter and lists all unhidden inventory items.
    All Malicious Files: Displays all files where the Reputation value is Known Malicious, Most Likely Malicious, or Might be Malicious. This filter also displays all hidden files.
    Allowed Malicious Files: Displays all files where the Reputation value is Known Malicious, Most Likely Malicious, or Might be Malicious and that are allowed on your enterprise. This filter also displays all hidden files.
    Allowed Unknown Signed Files: Displays all files that are allowed in your enterprise, signed by a certificate, and with the Reputation value as Unknown.
    Allowed Unknown Unsigned Files: Displays all files that are allowed in your enterprise, not signed by a certificate, and with the Reputation value as Unknown.
    Banned Trusted Files: Displays all files banned in your enterprise and where the Reputation value is Known Trusted, Most Likely Trusted, or Might be Trusted.
    Files Discovered in Last Week: Displays all files that are added to your enterprise in the last week. When you upgrade to the or later version of the Solidcore extension, no first seen information is available for the files. The time when you fetch the inventory after upgrade is recorded as the first seen information.
    Hidden Files: Displays all applications, files, and vendors that are hidden by the administrator. Select this filter, then review the Applications, Executable Files, or Vendors panes for hidden applications, executable files, and vendors, respectively.

Table 15 definitions (continued)
  Filter actions
    Duplicate: Opens the Duplicate dialog box that allows you to duplicate the selected filter. This option is available for all seeded and user-defined filters.
    Edit: Opens the Select View For Saved Search page that allows you to edit the filter configuration. This option is available only for user-defined filters.
    Rename: Opens the Rename dialog box that allows you to rename the selected filter. This option is available only for user-defined filters.
    Delete: Deletes the selected filter. This option is available only for user-defined filters.
Applications: View inventory details in the Application view. In the tree, applications and executable files are sorted into Trusted Applications, Malicious Applications, and Unknown Applications categories.
  Collapse All: Minimizes all expanded nodes in the Applications pane.
  Inventory Actions: View applications using these options:
    Application Details: Opens the Application details page with details for the application selected in the Applications pane.
    Hide Applications/Show Applications: Hides or shows applications in the pane.
Vendors: Displays inventory details in the Vendor view. For each vendor, you can view the Trusted, Malicious, and Unknown categories.
  Collapse All: Minimizes all expanded nodes in the Vendors pane.
  Inventory Actions: View vendors using these options:
    Application Details: Opens the Application details page with details of the application selected for a vendor in the Vendors pane.
    Hide Applications/Show Applications: Hides or shows applications selected for a vendor in the pane. The hidden applications are not listed in all seeded filters except the Hidden Files filter.
    Hide Vendor/Show Vendor: Hides or shows vendors in the pane. The hidden vendors are not listed in all seeded filters except the All Malicious Files and Hidden Files filters.

Table 15 definitions (continued)
Executable Files: View file information in the Application Name, Application Version, and Final Reputation views. In the Application and Vendor views, this pane lists the files associated with the node selected in the Applications or Vendors pane. In the Reputation Source column, if the reputation source is TIE, clicking TIE opens the TIE Reputations page or TIE Certificates Reputations Details page, as applicable. This allows you to view details for the selected file or the certificate for the file, as applicable.
  Hide Filter/Show Filter: Hides or shows the filters in the pane.
  Quick find: Specify the string to search for. You can search based on the file name.
  Apply: Filters the files list based on the specified string.
  Clear: Removes an applied filter.
  Show selected rows: Hides all rows except the rows selected in the Executable Files pane.
  Actions
    Export Table: Opens the Export page. Use this page to specify the format and the package of files to be exported. You can save or email inventory details.
    Choose Columns: Opens the Select the Columns to Display page where you can select columns of data to display in the Executable Files pane.
    Allow Files: Opens the Allow or Ban Files wizard where you can allow a file by adding it to the whitelist or defining a rule.
    Ban Files: Opens the Allow or Ban Files wizard where you can ban a file by defining a rule.
    Export Inventory for Offline GTI Tool: Exports the SHA-1s of all executable files and public key SHA-1s of all certificates in the inventory to a file. Use this file to fetch McAfee GTI ratings by using the Offline GTI Tool. This action fetches McAfee GTI ratings for isolated McAfee ePO environments (that do not have access to the Internet).
    Import GTI ratings: Imports McAfee GTI ratings from the GTI result file to the McAfee ePO server. The GTI result file is created by the Offline GTI Tool after it fetches McAfee GTI ratings for SHA-1s. Use this action to fetch McAfee GTI ratings for isolated McAfee ePO environments (that do not have access to the Internet).
    Set Reputation by Application Control: Opens the Set Reputation by Application Control dialog box where you can edit the reputation for the selected file.
    Hide Files/Show Files: Hides or shows the selected files in the pane. The hidden files are not listed in all seeded filters except the All Malicious Files, Allowed Malicious Files, and Hidden Files filters.

By Systems page
Review and manage the inventory for selected endpoints.

Table 16 definitions
Filters: Use these filters to view selected files.
  Add Saved Filter: Opens the Available Properties page that allows you to define a new filter. Use the available properties to define the filter.
  None: Removes an applied filter.
  Systems With Allowed Malicious Files: Displays all endpoints on which files with Known Malicious, Most Likely Malicious, or Might be Malicious reputation are allowed.
  Systems with Failed Inventory Fetch: Displays all endpoints for which Application Control is unable to fetch inventory due to low Java Virtual Machine memory on the server.
  Systems With Malicious Files: Displays all endpoints on which files with Known Malicious, Most Likely Malicious, or Might be Malicious reputation are present.
Systems: Use this pane to view information for the endpoints in your environment.
  View: Displays inventory details for the associated endpoint.
  Fetch: Fetches inventory details for the associated endpoint.
  Mark Trusted: Recategorizes all unknown executable files or script files on the endpoint as trusted files. This is useful to set a base image for your environment that includes known applications, including internally developed, recognized, or trusted (from a reputed vendor) applications.
  Hide Filter/Show Filter: Hides or shows the filters in the pane.
  Quick find: Specify the string to search for. You can search based on the system name.
  Apply: Filters the list based on the specified string.
  Clear: Removes an applied filter.
Actions
  Export Table: Opens the Export page. Use this page to specify the format and the package of files to be exported. You can save or email inventory details.
  Choose Columns: Opens the Select the Columns to Display page. Use this to select the columns of data to display in the Systems pane.

Calculate Predominant Observations (Deprecated) server task
This server task determines the predominant observations generated in the enterprise in a given interval. Specifies the interval for determining the most prominent observations. By default, this server task runs daily and determines the most prevalent observations for the last seven days.

Table 17 definitions
Determine predominant observations for: Specify the interval for determining the most prevalent observations.

Certificates tab

Add a certificate as a trusted certificate that is authorized to install and update the software on the endpoints.

Table 18 definitions

Add: Opens the Add Certificate dialog box.
  - Search By: Select one of these categories based on how you want to search for certificates.
    - Issued To: Searches for certificates based on the name of the organization that publishes the certificate.
    - Issued By: Searches for certificates based on the name of the signing authority.
    - Extracted From: Searches for certificates based on the file name from which the certificate was extracted.
    - Friendly Name: Searches for certificates based on the user-specified name for the certificate.
  - Search: Searches for the specified certificate.
  - Add Certificate as Updater: Allows applications signed by the selected certificates to change executable files or start any new applications on the endpoints.
  - Updater Label: Specifies an identification label to tag changes made by the executable files signed by the certificate.
  - OK: Adds the certificate.
  - Cancel: Exits without saving the certificate details.
Edit: Opens the Edit Certificate Details dialog box with information for a selected rule. Edit the rule as needed, then click OK.
Remove: Deletes the selected rule.
Search Certificate: Allows you to search for a certificate.
  - Issued To: Searches for a certificate based on the name of the organization that publishes the certificate.
  - Issued By: Searches for a certificate based on the name of the signing authority.
  - Extracted From: Searches for a certificate based on the path of the file from where the certificate was extracted.
  - Friendly Name: Searches for a certificate based on the friendly name of the certificate.
  - Search: Searches for a certificate based on the specified criteria.

Table 18 definitions (continued)

Filters:
  - Show selected rows: Hides all rows except the rows selected on the page.
  - Hide Filter/Show Filter: Hides or shows the filters on the page.
Actions: Specifies the actions that you can perform for the selected certificates.
  - Add to Rule Group: Adds a certificate to a rule group.
  - Check Assignments: Displays assignments for a certificate. Certificates can be assigned to policies and rule groups.
  - Edit: Updates the friendly name of the selected certificate.
  - Extract Certificates: Extracts a certificate from an executable file.
  - Remove: Deletes the selected certificate.
  - Upload: Uploads a valid certificate.
  - Export Table: Opens the Export page. Use this page to specify the format and the package of files to be exported. You can save or email the certificates list.
  - Choose Columns: Opens the Select the Columns to Display page. Use this to select the columns of data to display in the Manage Certificates pane.

Change Local CLI Access client task

Allow or restrict access to the CLI console on the endpoints.

Table 19 definitions

Change CLI Status:
  - Restrict: Allows only authorized users to access the McAfee Solidcore Client CLI console on the endpoints. To access the CLI console, users must provide the password set in the McAfee Default policy in the Configuration (Client) category.
  - Allow: Allows users on the endpoints to access the McAfee Solidcore Client CLI console without any authentication. During this CLI console state, any changes to configuration, policies, or tasks pushed from the McAfee ePO console are not enforced on the endpoint. The CLI Status should be set to Restrict or Lockdown to enforce any changes to the endpoint.

Collect Debug Info client task

Before contacting McAfee Support to help you with a Solidcore client issue, collect configuration and debug information for an endpoint. This client task scans the endpoint and creates an archive with system information and Solidcore client log files that can be used for debugging.

The .zip file is generated on the endpoint and its location is listed (click the record associated with the client task) on the Menu > Automation > Solidcore Client Task Log page. No additional configuration is required to run this client task.

Content Change Tracking Files page

View and manage all files for which content change tracking is enabled.

Table 20 definitions

Filter: Filter the displayed information using these options:
  - Hide Filter/Show Filter: Hides or shows the filters on the page.
  - Quick find: Specifies the string to search for. You can search based on the system name and file path.
  - Apply: Filters the list based on the specified string.
  - Clear: Removes an applied filter.
  - Show selected rows: Hides all rows except the rows selected on the page.
File Status: Denotes the status of content change tracking. Possible status values are:
  - Success: Indicates that content changes for the file are being tracked successfully.
  - Path not found: Indicates that the file or directory was not found at the specified path. Verify that the file exists and check the specified path.
  - Directory tracking not supported (endpoints running version 6.1.1): Indicates that the file specified for content change tracking is a directory. You cannot track content changes for directories if you are running version or earlier.
  - Wildcard characters in path (not supported): Indicates that the specified file path includes wildcard characters. You cannot use wildcard characters while specifying the file path for content change tracking.
  - File size exceeds maximum size limit: Indicates that the file size exceeds the specified size limit for content change tracking. If needed, you can change the size limit for content change tracking for endpoints.
  - Error while accessing the file: Indicates that the file type cannot be accessed.
  - Network path (not supported): Indicates that the file specified for content change tracking is stored on a network volume. You cannot track changes for files on network volumes.
  - Encrypted file (not supported): Indicates that the file specified for content change tracking was encrypted on the endpoint.
  - File Deleted: Indicates that the file specified for content change tracking was deleted from the endpoint.
  - File Renamed: Indicates that the file specified for content change tracking was renamed on the endpoint.
  - Multiple file encodings defined: Indicates that multiple and conflicting file encoding values are specified for the file. This can occur if two monitoring rules, each with a different file encoding value, are applied to track content changes for the file.
  - Directory rule matched with file name (error): Indicates that the rule specified for content change tracking of a directory matches a file.
  - Success (Tracking file-attributes only): Indicates that only file attributes are being tracked for this file.
  - Directory Renamed: Indicates that the directory specified for content change tracking was renamed on the endpoint.

Table 20 definitions (continued)

  - File rule matched with directory (error): Indicates that the rule specified for content change tracking of a file matches a directory.
  - Maximum file limit reached: Indicates that the number of files under the tracked directory exceeds the maximum limit. If this limit is exceeded, only the base versions are skipped; all subsequent changes to the files are still reported.
File Status: Indicates the status of a file under content change tracking.
View versions: Lists all versions for a file. The File Versions page lists all versions for the selected file.
Actions:
  - Choose Columns: Opens the Select the Columns to Display page. Use this page to select the columns of data to display on the page.
  - Delete: Removes the selected file and all its versions from the McAfee ePO database. This does not change or remove the actual file present on the endpoint.
  - Export Table: Opens the Export page. Use this page to specify the format and the package of files to be exported. You can save or email the file list.
  - Advanced File Comparison: Opens the Advanced File Comparison page. Use this page to compare any two files (or file versions) on an endpoint or on two different endpoints.

Content Change Tracking Report Generation server task

Generate the compliance report for content changes.

Table 21 definitions

Rule Group: Type the Integrity Monitor rule group name. Click Search to find the required rule group.
Query Criteria: Specify the query that you created to fetch content change tracking data for the server task.
Get Last N revisions: Specify the number of revisions to fetch for each file. For example, consider that a file has changed 50 times in the last seven days (based on the specified interval in the query). To fetch information for the last 15 versions of the file, set this value to 15. The default value for the number of revisions is 10, the maximum allowed value is 100, and the minimum is 1.
Mail To: Type email addresses, separated by commas, to send the generated report or report link.
Mail Subject: Specify the email subject.
Report Name: Enter the report name. The report name is appended with the date and time when the report is generated.
Use this option to copy report on a network share and send network share information on email: By default, the generated HTML report is sent as an attachment to all recipients. Select this option to place the generated report on a shared folder and send the link to the report in an email to all intended recipients. When you select this option, these options are displayed on the page.
  - Path: Specify the network path where you want to save the generated report.
  - Domain: Type a domain name.
  - User Name: Enter a user name.

Table 21 definitions (continued)

  - Password: Type a password.
  - Test Connection: Click to verify the connection to the network path.

Create Custom Rules (Deprecated) page

Create customized rules for the binary or process name associated with an observation. Review the prepopulated rule for the observation, edit the rule (if needed), and specify the rule group for adding the rule. This page is displayed when you select an observation and select the Create Custom Rules action on the Predominant Observations (Deprecated) page.

Table 22 definitions

Prepopulated Rule: Based on the properties and attributes of the binary or process associated with the selected observation, one of the following tabs includes the relevant rule.
  - Updater Processes: Contains the rule to add the process or parent process associated with the observation as an authorized updater for your environment.
  - Binaries: Contains the rule to authorize the process associated with the observation to run on endpoints based on its SHA-1 value.
  - Certificates: Contains the rule to add the certificate associated with the process as a trusted certificate.
  - Installers: Contains the rule to add the program (or installer) as an authorized installer for your environment.
  - Exceptions: Contains the rule to allow the process to override or bypass the applied memory-protection techniques.
  Select the rule and click Edit to review or change the rule. Click Remove to delete the selected rule.
Select Rule Group: Allows you to specify the rule group for adding the rules.
  - Choose existing: Updates an existing rule group with the rule.
  - Create new: Creates a rule group for the rule.
Save: Saves the rule to the specified rule group.
Cancel: Exits without saving changes and returns to the Predominant Observations (Deprecated) page.

Directories tab

Add a trusted directory, such as a shared network drive, to allow users to install any software from the directory.

Table 23 definitions

Add: Opens the Add Path dialog box.
  - Path: Specifies the location of the directory that you want to add as a trusted directory. Specify the UNC path name for the directory.
  - Include: Includes the specified directory as a trusted directory.
  - Exclude: Excludes a specific folder or subfolder within a trusted directory.
  - Assign updater privileges to executed programs: Allows applications stored in the trusted directory to make changes to executable files or start new applications on the endpoints.
  - OK: Adds the trusted directory.
  - Cancel: Exits without saving the rule.
Edit: Opens the Edit Path dialog box with information for a selected rule. Edit the rule as needed, then click OK.
Remove: Deletes the selected rule.

Disable client task

Disable the Solidcore client on the endpoints.

Table 24 definitions

Reboot:
  - Reboot endpoint: Restarts the endpoint immediately when this task is applied.

Edit Filter Criteria page

Select specific properties to filter the information on the Solidcore Events page.

Table 25 definitions

Available Properties: Lists the properties that can be selected and configured as criteria to filter the events.
Property: Lists the names of the properties that you select from the list of available properties.
Comparison: Specifies the comparison operator to use for filtering the property value.
Value: Specifies the property value to filter.
Remove Filter: Removes the advanced filters and returns to the Solidcore Events page.
Update Filter: Updates the advanced filters and returns to the Solidcore Events page to display filtered information.
Close: Returns to the Solidcore Events page.

Edit Permission Set Solidcore General page

Define permissions for Solidcore features while configuring permission sets.

Table 26 definitions

Queries, Dashboards:
  - No permissions: Restricts users from running queries and viewing dashboards related to Solidcore.
  - Run Queries, View Dashboards: Permits users to run queries and view dashboards related to Solidcore.
Events:
  - No permissions: Restricts users from viewing Solidcore events.
  - View Events: Permits users to view Solidcore events.
  - View Events, Manual Reconciliation: Permits users to view and manually reconcile Solidcore events.
Responses:
  - No permissions: Restricts users from creating automatic responses for Solidcore client events.
  - Create Solidcore Event Response: Permits users to create automatic responses for Solidcore client events.
Alerts:
  - No permissions: Restricts users from viewing and dismissing Solidcore alerts.
  - View Alerts: Permits users to only view Solidcore alerts.
  - View and Dismiss Alerts: Permits users to view and ignore Solidcore alerts.
Client Task Log:
  - No permissions: Restricts users from viewing and deleting Solidcore client task logs.
  - View Client Task Log: Permits users to view only Solidcore client task logs.
  - View and Delete Client Task Log: Permits users to view and delete Solidcore client task logs.
Inventory:
  - No permissions: Restricts users from accessing all inventory-related pages.
  - Access to View Inventory: Permits users to only view all inventory-related pages.
  - Access to View, Modify, Import Inventory: Permits users to view and manage inventory by using the inventory-related pages.
Content Change Tracking:
  - No permissions: Restricts users from viewing the Content Change Tracking Files page.
  - View Content Changes: Permits users to only view the Content Change Tracking Files page.
  - View Content Changes, Set Base Version, Create Content Change Response: Permits users to view and take actions from the Content Change Tracking Files page.
Policy Discovery:
  - No permissions: Restricts users from viewing the Policy Discovery page.
  - View Policy Discovery: Permits users to only view the Policy Discovery page.
  - View Policy Discovery, Allow/Ban Policy Discovery Requests, Delete Policy Discovery Requests: Permits users to view and take actions from the Policy Discovery page.

Table 26 definitions (continued)

Certificates:
  - No permissions: Restricts users from viewing the Certificates tab on the configuration page (Menu > Configuration > Solidcore Rules).
  - Access to View Certificates: Permits users to only view the Certificates tab on the configuration page (Menu > Configuration > Solidcore Rules).
  - Access to View, Modify, Import, Upload Certificates: Permits users to view and take actions from the Certificates tab.
Installers:
  - No permissions: Restricts users from viewing the Installers tab on the configuration page (Menu > Configuration > Solidcore Rules).
  - Access to View Installers: Permits users to only view the Installers tab on the configuration page (Menu > Configuration > Solidcore Rules).
  - Access to View, Modify, Import, Upload Installers: Permits users to view and take actions from the Installers tab.
Rule Groups: Allows you to configure permissions for the Rule Groups tab and various rules that you can define in policies.
  - Rule permissions:
    - No permissions: Restricts users from viewing the Rule Groups tab on the configuration page (Menu > Configuration > Solidcore Rules).
    - View permissions: Permits users to only view the Rule Groups tab on the configuration page (Menu > Configuration > Solidcore Rules).
    - Edit permissions: Permits users to view and take actions from the Rule Groups tab.
  - Permissions for various rules you can define in policies and rule groups. Using the following options, you can configure permissions to allow or restrict users from defining rules for updater processes, executable files, users, certificates, installers, exclusions, directories, filters, and execution control.
    - No permissions: Restricts users from viewing the tab globally (on all pages where it appears).
    - View permissions: Permits users to only view the tab globally (on all pages where it appears).
    - Edit permissions: Permits users to view and take actions from the tab.
    Permissions for updater process, users, and filter rules apply to Application Control and Change Control.

Edit Permission Set Solidcore Policy Permissions page

Define permissions for Solidcore policies while configuring permission sets.

Table 27 definitions

Solidcore Application Control:
  - No permissions: Restricts users from viewing or changing the Solidcore policy settings for Application Control.
  - View policy and task settings: Permits users to only view the Solidcore policy settings for Application Control configured by the administrator.
  - View and change policy and task settings: Permits users to view and change the Solidcore policy and task settings for Application Control.
Solidcore Change Control:
  - No permissions: Restricts users from viewing or changing the Solidcore policy settings for Change Control.
  - View policy and task settings: Permits users to only view the Solidcore policy settings for Change Control configured by the administrator.
  - View and change policy and task settings: Permits users to view and change the Solidcore policy and task settings for Change Control.
Solidcore Integrity Monitor:
  - No permissions: Restricts users from viewing or changing the Solidcore policy settings for Integrity Monitor.
  - View policy and task settings: Permits users to only view the Solidcore policy settings for Integrity Monitor configured by the administrator.
  - View and change policy and task settings: Permits users to view and change the Solidcore policy and task settings for Integrity Monitor.
Solidcore General:
  - No permissions: Restricts users from viewing or changing the Solidcore General policy settings.
  - View policy and task settings: Permits users to only view the Solidcore General policy settings configured by the administrator.
  - View and change policy and task settings: Permits users to view and change the Solidcore General policy and task settings.

Edit Solidcore page

Edit Solidcore license information for Application Control, Change Control, and Integrity Control. You can also configure generic Application Control settings and settings for other features, such as GTI cloud, inventory, and Observe mode.

Table 28 definitions

License Information: When you install the Solidcore extension, a default evaluation license for Integrity Control lasting 90 days is provided. You can extend this evaluation license for another 90 days or add a full license. The license key determines the features that are enabled. Any or all features can be enabled and used at the same time.
  - Change Control: Type the Change Control license key downloaded with the product from the McAfee download website.
  - Application Control: Type the Application Control license key downloaded with the product from the McAfee download website.
  - Integrity Control: Type the Integrity Control license key downloaded with the product from the McAfee download website.
General:
  - Generic launcher processes: Specify the critical processes for your environment. Certain processes on the Windows operating system, such as explorer.exe and iexplore.exe, are launcher processes that are vital to the operating system. Although observations are generated for generic launcher processes, no suggestions are provided. Also, when using the Policy Discovery feature, no updater rules are generated for generic launcher processes at the endpoints. When allowed to execute based on its reputation, no updater privileges are given to a generic launcher process.
  - Restricted certificate names: Certificates from certain vendors, such as Microsoft, are associated with multiple commonly used applications and should not be used to define rules based on the certificate. This field lists the certificates that are unavailable to the Allow by Certificate Globally option. If the main executable file in a request is signed by one of these certificates, you cannot create rules based on the certificate associated with the file.
  - File paths to ignore while fetching inventory: Specify the files (by specifying the file extension) that you do not want to manage in the inventory. No information for the specified file types is stored in the inventory tables.
  - Generate alert for files with reputation value at and below: Specify the reputation value for event generation. Events are generated for all files with the reputation at and below this value. If needed, you can set up responses to receive a notification for these events.
  - Synchronize reputation information with McAfee GTI Server: Specify whether the Application Control software periodically synchronizes with the McAfee GTI file reputation service to fetch reputation information for files in the inventory.
  - Duration for which to ignore Approved or Excluded observations (6.1.1 and older endpoints): After you exclude observations or define relevant rules for observations from the Predominant Observations (Deprecated) page, the processed observations are deleted from the database. Because there can be a lag between rule creation at McAfee ePO and rule application on the endpoints, observations might be generated at endpoints where action has already occurred on the McAfee ePO console. Such observations can flow to the McAfee ePO console after the next ASCI. To make sure that such observations are ignored in the database and are not displayed on the McAfee ePO console, specify the time period (in minutes) to ignore such observations.
  - Threshold count at which to initiate throttling and suspend observation generation: Specify the threshold value at which to initiate observation throttling. This option applies to endpoints running version and later.
  - Threshold count at which to initiate throttling and suspend observation generation (6.1.1 and older endpoints): Specify the threshold value at which to initiate observation throttling. This option applies to endpoints running version and earlier.
  - Allow group administrators to manage Policy Discovery requests for entire System Tree: By default, the non-global administrators have permissions to review and manage requests generated by all systems in their associated group (within My Organization). However, if you are a McAfee ePO administrator, you can set this option to Yes to provide permissions to all non-global administrators to review and take custom actions on the enterprise-wide requests, if needed.

Enable client task

Enable the Solidcore client on endpoints.

Table 29 definitions

Solidcore Client:
  - Platform: Specifies the platform on which to enable the software.
  - Sub Platform: Specifies the operating system on which to enable the software.
Enable Activation s Observe Mode Inventory Reboot
  - Change Control: Enables the Solidcore client to track changes and read- or write-protect files.
  - Application Control: Enables the Application Control functionality on endpoints. Selecting this option builds an inventory of executables (binaries, libraries, and drivers) and scripts on the endpoint.
  - Initial Scan Priority: Selects an option to specify the priority of the thread that creates the whitelist on endpoints.
  - Limited Feature Activation: Enables limited Application Control features without restarting endpoints. Memory protection features are unavailable.
  - Full Feature Activation: Enables all Application Control features (requires restart).
  - Start Observe Mode: Places endpoints in Observe mode.
  - Pull Inventory: Fetches the inventory (including the created whitelist) for the endpoints. After it is fetched, it is available on the McAfee ePO console.
  - Reboot endpoint: Restarts the endpoint immediately when this task is applied.

End Update Mode client task

Run this task to close the update mode window on the required endpoints. No additional configuration is required to run this client task.

Events: Create Custom Policy page

Define custom rules for the executable file associated with the event. This option is available only for the Execution Denied, ActiveX Installation Prevented, File Write Denied, Installation Denied, Process Hijack Attempted, VASR Violation Detected, and Nx Violation Detected events. By default, the recommended rule tab is highlighted. If needed, you can add rules from other tabs.

This page is displayed when you:
  - Click the Create Policy action on the Solidcore Events page.
  - Select an event and click Create Policy on the Events Details page.

Table 30 definitions

Event Details: Lists relevant details for the selected file.
  - Event Display Name: Displays the event name that appears on the McAfee ePO console.
  - Deny Reason: Displays the reason why the execution was denied at the endpoint for Execution Denied events.
  - Parent Process Name: Displays the path to the parent process for the process associated with the file that tried to execute or make changes for which the event is generated.
  - Process Name: Displays the path to the process associated with the file that tried to execute or make changes for which the event is generated. Also, for File Write Denied events, clicking Lookup in TIE opens the TIE Reputations page that allows you to view or change the file reputation.
  - File Name: Displays the name of the selected file. Also, clicking Lookup in TIE opens the TIE Reputations page that allows you to view or edit the file reputation.
  - Final Reputation: Displays the final reputation for the selected file. The color that the reputation is displayed in indicates whether the file is trusted, malicious, or unknown.
    Color: Reputation
    Green: Known Trusted, Most Likely Trusted, Might be Trusted
    Orange: Unknown
    Red: Might be Malicious, Most Likely Malicious, Known Malicious

Table 30 definitions (continued)

  - Reputation (at Time of Execution): This value is not applicable on this page. This is because the Reputation (at Time of Execution) value is only applicable for the Execution Denied events where execution is denied due to malicious reputation.
  - Reputation Source: Indicates the reputation source. Possible values are TIE and GTI.
  - Certificate: Displays the name of the certificate vendor. The color that the vendor is displayed in indicates whether the file is trusted (Green), malicious (Red), or unknown (Orange). Clicking Lookup in TIE opens the TIE Certificate Reputations Details page, which allows you to view or edit the certificate reputation. Also, click the vendor name to review these additional details.
    - Subject: Name of the certificate vendor.
    - Issuer: Name of the certificate signing authority.
    - Certificate Reputation: Reputation of the certificate. Possible values are Known Trusted, Most Likely Trusted, Might be Trusted, Unknown, Might be Malicious, Most Likely Malicious, and Known Malicious. The color in which the Certificate Reputation is displayed indicates whether the certificate is trusted (Green), malicious (Red), or unknown (Orange).
    - Reputation Source: Indicates the reputation source. Possible values are TIE and GTI.
    - Public Key Algorithm: Indicates the algorithm used to create the public key to encrypt messages.
    - Public Key Length: Specifies the length of the public key in bits.
    - Public Key Hash: Specifies the public key hash.
    - Certificate Hash: Specifies the certificate hash.
    - Valid From: Indicates the date from which the certificate is valid.
    - Valid To: Indicates the date until which the certificate is valid.
  - System Name: Displays the endpoint where the event was generated.
  - User Name: Displays the name of the user logged on to the endpoint when the event was generated.
  - File SHA-1: Displays the SHA-1 value of the file for which the event is generated.
  - File SHA-256: Displays the SHA-256 value of the file for which the event is generated.
  - File MD5: Displays the MD5 value of the file for which the event is generated.
Select Rule Group: Specifies the rule group for adding the created rules.
  - Choose existing: Updates an existing rule group with the defined rules.
  - Create new: Creates a rule group with the defined rules.
Add rule group to existing policy: Specifies the policy for adding the created or updated rule group.
Save: Saves the changes made.
Cancel: Exits without saving the changes, and returns to the Solidcore Events or Event Details page, as applicable.

Event Details page

Review details for an event. You can access this page when you click an event on the Solidcore Events page.

Table 31 definitions

Monitoring Events Details: Lists relevant details for the selected event.
  - Agent GUID: Displays the GUID value for the Solidcore Agent installed on the endpoint where the event is generated.
  - Deny Reason: Displays the reason why the action was denied at the endpoint for Execution Denied events.
  - Description: Describes the reason why the execution was denied and provides a suggestion on how you can execute the file.
  - Event Command Line: Displays the CLI command executed at the endpoint where the Command Executed event is generated.
  - Event Command User Name: Displays the name of the user who executed the CLI command at the endpoint.
  - Event Display Name: Displays the event name that appears on the McAfee ePO console.
  - Event File Name: Displays the path to the file name associated with the event.
  - Event Generated Time: Displays the time when the event is generated.
  - Event ID: Indicates the threat event ID displayed on McAfee ePO.
  - Event Name: Displays the event name displayed at the endpoint.
  - Event Sequence Number: Displays the sequence number for the event.
  - Failed Password Attempts: Displays the number of failed password attempts made by the user. This field is displayed only for the Disabled Local CLI Access event.
  - File MD5: Displays the MD5 value of the file where the event is generated.
  - File SHA-1: Displays the SHA-1 value of the file where the event is generated.
  - File SHA-256: Displays the SHA-256 value of the file where the event is generated.
  - File Type: Displays the type of file such as pe32 or pe64 for Execution Denied events.
  - Generated by an Updater: Indicates whether the event was generated by an updater.
  - Generated in an Update Window: Indicates whether the event was generated in Update mode.
  - Local CLI Disabled Duration: Displays the duration for which the local CLI is disabled due to incorrect password attempts. This field is displayed only for the Disabled Local CLI Access event.
  - Object Name: Displays the path of the object associated with the event. Based on the event type, the path can refer to a file, user, registry key, or process name.
  - Parent Process Name: Displays the path to the parent process for the process associated with the file that tried to execute or make changes where the event is generated.
  - Performed By: Displays the name of the user who was logged on to the endpoint when the event was generated.
  - Process ID: Displays the process ID for the process associated with the event.
  - Process MD5: Displays the MD5 value for the process associated with the file that tried to execute or make changes where the File Write Denied event is generated.
  - Process Name: Displays the path to the process associated with the file that tried to execute or make changes where the event is generated.

Table 31 definitions (continued)

  Process SHA-1: Displays the SHA-1 value for the process associated with the file that tried to execute or make changes where the File Write Denied event is generated.
  Process SHA-256: Displays the SHA-256 value for the process associated with the file that tried to execute or make changes where the File Write Denied event is generated.
  Reconciliation Status: Indicates whether the event is manually reconciled.
  Reconciliation Ticket: Displays change ticket details for the reconciled event.
  Reputation (at Time of Execution): Displays the reputation of the file on the endpoint at the time of execution. This value is applicable only for the Execution Denied event. For Execution Denied events where execution is denied due to malicious reputation, this column displays the reputation. Possible values include TIE Malicious Certificate, GTI Malicious Certificate, TIE Malicious Checksum, GTI Malicious Checksum, and Not Applicable.
  Severity: Displays the event severity.
  System Name: Displays the endpoint where the event was generated.
  User Name: Displays the name of the user logged on to the endpoint when the event was generated.
  User Comments: Displays the additional information recorded for an event.
  Workflow ID: Displays the workflow ID if the event is generated in Update mode. The workflow ID provides a meaningful description for the update window.
Actions
  Create Policy: Opens the Events: Create Custom Policy page where you can define custom rules for the file associated with the event. This option is available only for the Execution Denied, ActiveX Installation Prevented, File Write Denied, Installation Denied, Process Hijack Attempted, VASR Violation Detected, and Nx Violation Detected events.
  View Related Requests: Opens the Policy Discovery Details page that displays detailed information about the requests associated with the event.
  View File Details: Opens the File Details page that displays detailed information about the file associated with the event.
  Change File Reputation (TIE): Opens the TIE Reputations page that displays reputation information for the file associated with the request. If needed, you can edit the file reputation.
  View Content Change: Opens the Comparison page that allows you to review changes made to the file. This option is available only for the File Modified event.
  Add Comments: Opens the Add Comments dialog box where you can record additional information for multiple events.
  Choose Columns: Opens the Select the Columns to Display page. Use this page to select the columns of data to display on the page.
  Dismiss Observations (Deprecated): Ignores one or more observations. This option is useful only for endpoints running version or earlier.
  Exclude Events: Excludes or ignores events not needed to meet compliance requirements.
  Export Table: Opens the Export page. Use this page to specify the format and the package of files to be exported. You can save or the file list.
  Reconcile Events: Manually reconciles events by correlating the events with change tickets and marking the events as authorized or unauthorized.
  Show Related Systems: Takes you to a page where you can view and take action on the systems where selected events occurred.

Events Exclusion wizard Define Rules page
Prune routine system-generated events not relevant for monitoring or auditing. This wizard helps you exclude or ignore events not required to meet compliance requirements based on rules using a combination of one or more parameters. The Events Exclusion wizard displays when you select the Exclude Events action for selected events on the Solidcore Events page.

Table 32 definitions

Prepopulated rules: Exclusion rules are auto-populated for all events selected on the Solidcore Events page. Review and refine existing rules, as needed.
Add Rule: Adds a new event filtering rule. Configure these options as required.
  File: Specifies the comparison operator and file name or directory to be excluded from being monitored.
  Event: Specifies the comparison operator and Solidcore event to be excluded from being monitored.
  Program: Specifies the comparison operator and process or program to be excluded from being monitored.
  Registry: Specifies the comparison operator and registry key to be excluded from being monitored. This option is available only for the Windows platform.
  User: Specifies the comparison operator and user name to be excluded from being monitored.
  When using the equals operator, specify the fully qualified path (for example, C:\windows\regedit.exe). When using other operators, such as ends with or contains, specify the partial path (for example, regedit.exe). The comparisons are case-sensitive for UNIX and case-insensitive for Windows.
Apply rule to events also: Applies the defined set of rules to filter events. If you select this option, the filter rules are applied to both observations and events. This option is available only for Application Control rule groups.
Apply rules to filter observations on endpoints running version or earlier: Applies all defined rules on the page to filter observations only on endpoints running Solidcore client or earlier. By default, if this option is not selected, regardless of the Solidcore client running on the endpoint, all defined rules on the page are applied to endpoints to filter observations and events (if Apply rule to events also is selected). Consider a scenario where you are using Solidcore extension to manage endpoints running Solidcore client or earlier. If you select this option for endpoints running:
  Solidcore client or earlier: Observations are filtered based on the rules defined on the page.
  Solidcore client: Observations are not filtered.
Delete: Deletes the selected rule.
Back: Moves to the previous page of the wizard.
Next: Moves to the next page of the wizard.
Cancel: Exits without saving changes and returns to the Solidcore Events page.
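The operator guidance in Table 32 determines how many events a rule hides. The following is an added example, not McAfee code: it previews which events a set of exclusion rules would filter out and checks each rule against that guidance. The event dictionaries, the AND combination of conditions within a rule, and all function names are assumptions made for illustration; the sample events are constructed.

```python
import ntpath
import posixpath
from dataclasses import dataclass

# Comparison operators named on this page; the product may offer others.
OPERATORS = {
    "equals": lambda value, operand: value == operand,
    "ends with": lambda value, operand: value.endswith(operand),
    "contains": lambda value, operand: operand in value,
}
PATH_FIELDS = {"file", "program"}


@dataclass(frozen=True)
class Condition:
    field: str      # "file", "event", "program", "registry" or "user"
    operator: str   # a key of OPERATORS
    operand: str


def _fold(text, platform):
    # Comparisons are case-insensitive for Windows and case-sensitive for UNIX.
    return text.casefold() if platform == "windows" else text


def condition_matches(cond, event, platform="windows"):
    value = event.get(cond.field)
    if value is None:
        return False
    compare = OPERATORS[cond.operator]
    return compare(_fold(value, platform), _fold(cond.operand, platform))


def rule_matches(rule, event, platform="windows"):
    # Assumption: every condition in one rule must hold (logical AND).
    return all(condition_matches(c, event, platform) for c in rule)


def suppressed(events, rules, platform="windows"):
    """Return the events that at least one exclusion rule would filter out."""
    return [e for e in events if any(rule_matches(r, e, platform) for r in rules)]


def lint(rule, platform="windows"):
    """Check path conditions against the operator guidance in Table 32."""
    isabs = ntpath.isabs if platform == "windows" else posixpath.isabs
    findings = []
    for c in rule:
        if c.field not in PATH_FIELDS or isabs(c.operand):
            continue
        if c.operator == "equals":
            findings.append(f"{c.field} equals {c.operand!r}: "
                            "not a fully qualified path, will not match")
        else:
            findings.append(f"{c.field} {c.operator} {c.operand!r}: "
                            "matches this name in any directory")
    return findings


# Constructed sample events (not taken from a real ePO server).
EVENTS = [
    {"event": "File Modified", "file": r"C:\Windows\regedit.exe",
     "program": r"C:\Windows\System32\svchost.exe", "user": "SYSTEM"},
    {"event": "File Modified", "file": r"C:\Users\alice\Downloads\regedit.exe",
     "program": r"C:\Windows\explorer.exe", "user": "alice"},
    {"event": "Execution Denied", "file": r"C:\Temp\setup.exe",
     "program": r"C:\Windows\explorer.exe", "user": "alice"},
]
NARROW = [Condition("file", "equals", r"C:\windows\regedit.exe")]
BROAD = [Condition("file", "ends with", "regedit.exe")]
SCOPED = BROAD + [Condition("user", "equals", "SYSTEM")]

if __name__ == "__main__":
    for label, rule in (("narrow", NARROW), ("broad", BROAD), ("scoped", SCOPED)):
        hidden = [e["file"] for e in suppressed(EVENTS, [rule])]
        print(f"{label}: hides {hidden}; lint: {lint(rule)}")
```

The broad rule also hides the event for the copy of regedit.exe in a user's Downloads folder, which is the kind of side effect to look for before saving a partial-path exclusion.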

Events Exclusion wizard Select Platform page
Prune routine system-generated events not relevant for monitoring or auditing. This wizard helps you exclude or ignore events not required to meet compliance requirements based on rules using a combination of one or more parameters. The Events Exclusion wizard displays when you select the Exclude Events action for selected events on the Solidcore Events page.

Table 33 definitions

Select the target platform: Specifies the target platform for the rules.
Select the target rule group type: Specifies the type of rule group for the rules.
Next: Moves to the next page of the wizard.
Cancel: Exits without saving changes and returns to the Solidcore Events page.

Events Exclusion Wizard Select Rule Group page
Prune routine system-generated events not relevant for monitoring or auditing. This wizard helps you exclude or ignore events not needed to meet compliance requirements based on rules using a combination of one or more parameters. The Events Exclusion wizard is displayed when you select the Exclude Events action for selected events on the Solidcore Events page.

Table 34 definitions

Choose existing: Adds the created rules to an existing rule group.
Create new: Adds the created rules to a new rule group.
Back: Moves to the previous page of the wizard.
Save: Saves the changes and returns to the Solidcore Events page.
Cancel: Exits without saving changes and returns to the Solidcore Events page.

Exclusions tab
Define rules to override or bypass the applied memory protection and other techniques.

Table 35 definitions

Add: Opens the Add exclusion rules dialog box.
  Memory protection: Expand the node to view memory-protection options.
    Disable buffer overflow protection (CASP) for a process: Bypasses the specified process in the Process Name field from the Critical Address Space Protection (CASP) technique.
    Disable buffer overflow protection (NX) for a process on 64-bit Windows: Bypasses the specified process in the Process Name field from the No execute (NX) technique. Select Enable Inheritance to bypass child processes launched by the file from the No execute (NX) technique.
    Disable ROP protection for a process using Forced Relocation (VASR): Bypasses the specified process in the Process Name field from the VASR Forced-Relocation technique. Optionally, the Library Name field allows you to specify the name of the DLL file associated with the process.
    Disable ROP protection for a DLL using DLL Relocation (VASR): Bypasses the specified DLL file in the Process Name field from the VASR DLL Relocation technique. The file is not rebased and is loaded from its preferred base address. This option is applicable for endpoints running version earlier than
    Disable ROP protection for a process using Stack Randomization (VASR): Bypasses the specified process in the Process Name field from the VASR Process Stack Randomization technique. This option is applicable for endpoints running version earlier than
  Installation detection: Expand the node to view the option.
    Allow uninstallations: On endpoints running version or later, this option allows execution of EXE-based uninstall files that come with the installer package.
      When the Allow Uninstallation subfeature (pkg-ctrl-allow-uninstall) for Package Control is disabled, the execution of uninstall files is blocked because there is no method to identify whether they are completing the installation process or performing uninstallation. However, this option bypasses the uninstall files from the Allow Uninstallation subfeature, thereby allowing the execution.
      For example, in the case of the Firefox browser, the helper.exe uninstall file performs uninstallation and multiple other tasks, such as importing settings from other browsers. When you try to uninstall the Firefox browser using Control Panel, the helper.exe file performs uninstallation. Also, the file tries to perform other tasks. However, when the Allow Uninstallation subfeature is disabled, such tasks are denied because the uninstall file is not allowed to run.
      To allow the uninstall file to run when performing tasks other than uninstalling the software, we have designed a mechanism. The mechanism is based on applying a process-based rule. The process-based rule provides a specific context for bypassing the uninstall file from the Allow Uninstallation subfeature using the following command.
        sadmin attr add -o parent=<parent_process_name> -i <process_name>
      Using this rule, the <process_name> is bypassed from the Allow Uninstallation subfeature and allowed to execute only when it is launched by the process <parent_process_name>.

Table 35 definitions (continued)

      Specify the process name (uninstall file) in the Process Name field and the parent process name in the Parent Process Name field. Specifying the parent process name is mandatory to provide specific context for bypassing the file.
      For endpoints running versions earlier than 6.1.1, this option applies the default rules for Installation Detection bypass technique and the new behavior for uninstallation of EXE-based uninstall files is partially applied without an option to specify the parent process name.
  Advanced options: Expand the node to view the option. We recommend that you contact McAfee Support before applying these exclusions.
    Exclude file from write-protection rules and allow script execution: Bypasses the specified process in the Process Name field using the Process Context File Operations bypass technique. Optionally, the Parent Process Name field allows you to specify the name of the parent process. Sometimes, Application Control can prevent legitimate applications from running. Use this option to define a bypass rule for a file on 32-bit or 64-bit Windows platforms. Use this option carefully because it can affect default Application Control functionality.
    Ignore path for file operations: Specify the relative path in the Relative Path field to ignore the path for file operations. This option corresponds to the skiplist -i command.
    Exclude path from file operations: Specify the relative path in the Relative Path field to bypass the path from file operations. This option corresponds to the skiplist -f command.
    Exclude path from write-protection rules: Specify the relative path in the Relative Path field to bypass the file from write-protection rules. This option corresponds to the skiplist -d command.
    Exclude local path and all its contained files and sub-directories from the whitelist: Specify the local path in the Path field to bypass the local path and all its contained files and subdirectories from the whitelist. This option corresponds to the skiplist -s command.
    Exclude volume from Application Control protection: Specify the volume in the Volume field to bypass it from Application Control protection. In effect, this option detaches the specified volume from the whitelist. This option corresponds to the skiplist -v command.
  OK: Adds the rule.
  Cancel: Exits without saving the rule.
Edit: Opens the Edit exclusion rules dialog box with information for a selected rule. Edit the rule as needed, then click OK.
Remove: Deletes the selected rule.
MP-mangling bypass, Anti-debugging bypass, MP-full crawl bypass: Contact McAfee Support for information about these options. They are available in earlier releases (deprecated) or address uncommon cases that McAfee Support is trained to configure.

Execution Control tab
Use this tab to define additional attribute-based and granular rules for files in your setup. Based on the type of rules you define, a file is allowed, blocked, or monitored based on attributes provided.

Table 36 definitions

Add: Opens the Add Execution Control Rule dialog box. Configure these options, as needed.
  Action: Select one of these options when adding an execution control rule.
    Based on specified attributes:
      Monitor: Select to define rules to monitor file execution when run with specified attributes.
      Block: Select to define rules to prevent file execution when run with specified attributes.
      Allow: Select to define rules to allow file execution when run with specified attributes.
    Block interactive mode for console-based process: Select to define rules to block interactive mode for console-based processes.
  Process Name: Specify the process for which to specify the rule.
  Attributes for the rule: Specify one or more of these attributes to define an attribute-based rule. These fields are available only when you select the Based on specified attributes action.
    Path: Select the associated checkbox to use path as a context-based attribute for the rule and specify the path for the process. The rule comes into play only when the process is run from the specified path.
    Command Line Argument: Select the associated checkbox to use command-line argument as a context-based attribute for the rule and specify the argument. The rule comes into play only when the process is run with the specified argument.
    Parent Process Name: Select the associated checkbox to use parent process as a context-based attribute for the rule and specify the name of the parent process. The rule comes into play only when the process is run by the specified parent process.
    User Name: Select the associated checkbox to specify user name as a context-based attribute for the rule and enter the user name. The rule comes into play only when the process is run by the specified user.
  Rule Description: Enter a rule description. Make sure the description is meaningful and aptly describes the rule.
  OK: Saves the changes made.
  Cancel: Exits without saving the changes and returns to the Execution Control page.
Edit: Opens the Edit Execution Control Rule dialog box with information for a selected rule. Edit the rule as needed, then click OK.
Remove: Deletes the selected rule.

Extension tab
You can monitor specific file types by specifying the file extensions to be included for or excluded from monitoring. When a file of a monitored file type is changed, an event is generated on the endpoint and sent to the McAfee ePO server. Add a file extension to be included or excluded from being monitored for changes.

Table 37 definitions

Add: Opens the Add Extension dialog box.
  Extension: Specifies the file extension to be monitored for changes.
  Include: Monitors changes to the specified file extension.
  Exclude: Excludes a specific file extension from being monitored.
  OK: Monitors changes to the specified file extension.
  Cancel: Exits without saving the settings.
Edit: Opens the Add Extension dialog box with information for a selected rule. Edit the file extension as required, then click OK.
Remove: Deletes the selected rule from the policy.

Extract Certificate from File page
Extract certificates associated with one or more signed executable files present on a network share.

Table 38 definitions

Location: Specifies the path of the file. Make sure that the file path is accessible from the McAfee ePO server.
Domain: Specifies the domain name to access the network location.
User Name: Specifies the name of the user in the specified domain.
Password: Specifies the password to access the network location.

File tab
You can designate a set of files to include for or exclude from being monitored for changes. When a monitored file is changed, an event is generated on the endpoint and sent to the McAfee ePO server. Optionally, if you choose to track changes for a monitored file, file versions are created on the McAfee ePO server. Add files or directories to be included or excluded from being monitored for changes.

Table 39 definitions

Add: Opens the Add File dialog box.
  File: Specifies the name of the file or directory to be monitored for changes.
  Include: Monitors changes to the specified file or directory.
  Exclude: Excludes a specific file or directory from being monitored.
  Enable Content Change Tracking: Tracks content and attribute changes for the file.
  File encoding: Specifies the encoding for the file where you are tracking content changes.
  Is Directory: Tracks content and attribute changes for files in a directory.
  Recurse Directory: Includes all subdirectories in the parent directory to track content and attribute changes.
  Include Patterns: Includes file names or file extensions in the directory for content change tracking. Optionally, specify the file names or file extensions as patterns by adding an asterisk (*) at the beginning or end. Specify multiple patterns by separating each pattern on a new line.
  Exclude Patterns: Excludes file names or file extensions in the directory for content change tracking. Optionally, specify the file names or file extensions as patterns by adding an asterisk (*) at the beginning or end. Specify multiple patterns by separating each pattern on a new line.
  Exclude Patterns has higher precedence than Include Patterns. If you mistakenly define an include and exclude pattern for the same file, the exclude pattern applies.
    Test: Matches all files with name Test (without any extension) in the directory.
    Test.txt: Matches all files with name Test and extension txt in the directory.
    Test*: Matches all files beginning with name Test in the directory. For example: Test, Test123, Test.txt, and Test.logs.
    *Test: Matches all files ending with name Test in the directory. For example: 123Test, Test, and xyztest.
    *.txt: Matches all files with extension txt in the directory.
    Test.*: Matches all files with name Test and applies to all file extensions.
  OK: Monitors changes to the specified file or directory.
  Cancel: Exits without saving the settings.
Edit: Opens the Add File dialog box with information for a selected rule. Edit the file name or directory as needed, then click OK.
Remove: Deletes the selected rule from the policy.
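The Include Patterns and Exclude Patterns semantics in Table 39 can be previewed against a directory listing before a rule is saved. The following is an added example, not McAfee code: the function names are hypothetical, the directory listing is constructed, and two points are assumptions because the page does not state them: an empty Include Patterns box selects every file, and Test.* requires the dot, so it does not match a file named Test. Case-insensitive matching follows the page's xyztest example.

```python
def parse_patterns(text):
    """Split a patterns box into patterns, one per line, and validate them."""
    patterns = [line.strip() for line in text.splitlines() if line.strip()]
    for pattern in patterns:
        # The page allows an asterisk only at the beginning or end.
        if "*" in pattern.strip("*"):
            raise ValueError(
                f"asterisk allowed only at the beginning or end: {pattern!r}")
    return patterns


def pattern_matches(pattern, name):
    """Match one file name against one pattern, ignoring case."""
    p, n = pattern.casefold(), name.casefold()
    core = p.strip("*")
    leading, trailing = p.startswith("*"), p.endswith("*")
    if leading and trailing:
        return core in n
    if leading:                 # *Test, *.txt
        return n.endswith(core)
    if trailing:                # Test*, Test.*
        return n.startswith(core)
    return n == core            # Test, Test.txt


def qualifying_files(names, include_text="", exclude_text=""):
    """Return the names a rule would track; exclude patterns take precedence."""
    include = parse_patterns(include_text)
    exclude = parse_patterns(exclude_text)
    selected = []
    for name in names:
        # Assumption: with no include patterns, every file qualifies.
        included = not include or any(pattern_matches(p, name) for p in include)
        excluded = any(pattern_matches(p, name) for p in exclude)
        if included and not excluded:
            selected.append(name)
    return selected


# Constructed directory listing that reuses the file names from Table 39.
DIRECTORY = ["Test", "Test.txt", "Test123", "Test.logs",
             "123Test", "xyztest", "notes.txt", "readme.md"]

if __name__ == "__main__":
    for include in ("Test", "Test.txt", "Test*", "*Test", "*.txt", "Test.*"):
        print(f"{include!r:12} -> {qualifying_files(DIRECTORY, include)}")
    # A file named by both boxes is excluded.
    print(qualifying_files(DIRECTORY, "*.txt\nTest*", "Test.txt"))
```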

File Versions page
Review versions for a tracked file.

Table 40 definitions

Filters: Filter the displayed information using these options:
  Hide Filter/Show Filter: Hides or shows the filters on the page.
  Quick find: Specifies the string to search for. You can search based on the program name or modified by.
  Apply: Filters the list based on the specified string.
  Clear: Removes an applied filter.
  Show selected rows: Hides all rows except the rows selected on the page.
Actions: Lists the actions you can perform for the file versions.
  View: Opens the File Information page that displays the contents and attributes for the selected version.
  Compare with previous: Compares the selected version with the previous version and displays the differences in file contents and attributes.
  Compare with base: Compares the selected version with the base version and displays the differences in file contents and attributes.
  Choose Columns: Opens the Select the Columns to Display page. Use this page to select the columns of data to display on the page.
  Compare Files: Compares any two selected versions and displays differences between the file contents and attributes.
  Delete: Removes the selected file versions from the McAfee ePO database. This deletion does not change or remove the actual file present on the endpoint.
  Export Table: Opens the Export page. Use this page to specify the format and the package of files to be exported. You can save or the versions list.
  Set as base version: Resets the selected version as the base version and deletes all previous versions (older than the new base version) of the file.
Close: Returns to the Content Change Tracking Files page.

Filters tab
Define advanced exclusion filters to exclude observations, events, and inventory data by using a combination of conditions. You can designate a set of files, events, processes or programs, registry keys, and users to exclude from being reported in observations and events. Also, you can designate a set of files, file types, files signed by certificates, application names, application versions, and application vendors to exclude from the inventory.
When using the equals operator, specify the fully qualified path (for example, C:\windows\regedit.exe). When using other operators, such as ends with or contains, specify the partial path (for example, regedit.exe). The comparisons are case-insensitive for Windows.

Table 41 definitions

Observations & Events: Adds new advanced filtering rules for observations and events. Click Add Rule to configure these options as needed.
  File: Specifies the comparison operator and file name or directory to exclude.
  Event: Specifies the comparison operator and Solidcore event to exclude.
  Program: Specifies the comparison operator and process or program to exclude.
  Registry: Specifies the comparison operator and registry key to exclude.
  User: Specifies the comparison operator and user name to exclude.
  Apply rule to events also: Applies the defined set of rules to filter events. If you select this option, the filter rules are applied to both observations and events.
  Delete: Deletes the selected advanced filtering rule.
Inventory: Adds new advanced filtering rules for inventory data. Click Add Rule to configure these options as needed.
  File: Specifies the comparison operator and file name or directory to exclude.
  File type: Specifies the comparison operator and file types, such as executable file (32-bit or 64-bit) or script to exclude.
  Application name: Specifies the comparison operator and application name to exclude.
  Application version: Specifies the comparison operator and application version to exclude.
  Application vendor: Specifies the comparison operator and vendor (who builds the application) to exclude. This implies that all applications made by the specified vendor are excluded.
  File signed by certificate: Specifies that all signed files (signed by any certificate) are to be excluded.
  When you create a filter to exclude inventory items based on the application name, version, or vendor, the filter works on the embedded values associated with the application.
Events: Adds new advanced filtering rules for events. Click Add Rule to configure these options as needed.
  File: Specifies the comparison operator and file name or directory to exclude.
  Event: Specifies the comparison operator and Solidcore event to exclude.
  Program: Specifies the comparison operator and process or program to exclude.
  Registry: Specifies the comparison operator and registry key to exclude.
  User: Specifies the comparison operator and user name to exclude.

General - Configuration (Client) policy CLI tab
Change the default password for McAfee Solidcore Client CLI console access and configure the CLI breach notifications feature.

Table 42 definitions

Local CLI Access Password (pane)
  Password: Specifies the password to access McAfee Solidcore Client CLI console.
  Confirm Password: Confirms the new password.
Local CLI Access Configuration (pane)
  Enable: Select to enable the CLI breach notifications feature. By default, this feature is disabled.
  Disable CLI after failed attempts within minutes: Indicates that the CLI is disabled when a user makes the specified number of incorrect password attempts in the defined time window. You can specify the number of permitted attempts and the time duration based on your requirements. By default, the CLI is disabled if a user makes 3 unsuccessful attempts in 30 minutes.
  Disable CLI for minutes: Indicates the time duration for which to disable the CLI if any user makes unsuccessful logon attempts. You can specify the time duration based on your requirements. By default, the CLI is disabled for 30 minutes.

General - Configuration (Client) policy Miscellaneous tab
Configure settings to track content changes.

Table 43 definitions

Content Change Tracking: Maximum file size: Type the maximum file size to track content changes. By default, you can track changes for any file with a size of 1000 KB or smaller.
Content Change Tracking: File-extensions for attributes-only tracking: Specify the file extensions for tracking attribute changes only. Use a comma to separate extensions. For executable files, the content change tracking feature tracks only attribute changes and does not track content changes.

Table 43 definitions (continued)

Content Change Tracking: Maximum file limit per rule: Specify a value to control the maximum number of files to fetch per rule. This limit applies to the number of qualifying files in the directory (that match the include and exclude patterns and recursive and non-recursive options) and not to the total number of files in the directory. If the number of qualifying files for a specified rule exceeds the set threshold value, the base versions of the files are not sent to the McAfee ePO server.
Inventory Updates: Configuration: Specify whether inventory information is updated at regular intervals based on changes made at endpoints running these Application Control versions: Earlier than and later Both (earlier than 6.2.0, and and later) By default, this value is enabled for endpoints running version and later.
  Enable on endpoints running version earlier than: For endpoints running Application Control version earlier than 6.2.0, inventory updates are pushed to the McAfee ePO server after the agent-server communication interval.
  Enable on endpoints running version and later: For endpoints running Application Control and later, inventory updates are pushed to the McAfee ePO server after the agent-server communication interval.
  When you manually fetch inventory for an endpoint, the complete and updated inventory is pulled for the endpoint.

General - Configuration (Client) policy Throttling tab
Configure settings for throttling events, inventory updates, and policy discovery requests (observations).

Table 44 definitions

Enable Throttling: Enables or disables the throttling feature for events, inventory updates, and policy discovery requests.
Events: Enables or disables event throttling when the throttling feature is enabled.
  Threshold: Specifies the event throttling threshold for each endpoint. This value indicates the maximum number of event XML files that an endpoint can send to the McAfee ePO server in 24 hours.
  Cache Size: Specifies the event cache size for endpoints. This value indicates the maximum number of event XML files that the event cache can store.

Table 44 definitions (continued)

Inventory Updates: Enables or disables throttling of inventory updates when the throttling feature is enabled.
  Threshold: Specifies the threshold value for throttling of inventory updates for each endpoint. This value indicates the maximum number of file elements (containing updated inventory information) that an endpoint can send to the McAfee ePO server in 24 hours.
Policy Discovery (Observations): Enables or disables request throttling when the throttling feature is enabled.
  Threshold: Specifies the threshold value for throttling of policy discovery requests for each endpoint. This value indicates the maximum number of request XML files that an endpoint can send to the McAfee ePO server in 24 hours.
  Cache Size: Specifies the request cache size for endpoints. This value indicates the maximum number of request XML files that the request cache can store.

General policy Exception Rules (Windows) page
Define rules to override or bypass the applied memory protection and other techniques on the Microsoft Windows operating system.

Table 45 definitions

Add: Opens the Add exclusion rules dialog box.
  Memory protection: Expand the node to view memory-protection options.
    Disable buffer overflow protection (CASP) for a process: Bypasses the specified process in the Process Name field from the Critical Address Space Protection (CASP) technique.
    Disable buffer overflow protection (NX) for a process on 64-bit Windows: Bypasses the specified process in the Process Name field from the No execute (NX) technique. Select Enable Inheritance to bypass child processes launched by the file from the No execute (NX) technique.
    Disable ROP protection for a process using Forced Relocation (VASR): Bypasses the specified process in the Process Name field from the VASR Forced-Relocation technique. Optionally, the Library Name field allows you to specify the name of the DLL file associated with the process.
    Disable ROP protection for a DLL using DLL Relocation (VASR): Bypasses the specified DLL file in the Process Name field from the VASR DLL Relocation technique. The file is not rebased and is loaded from its preferred base address. This option is applicable for endpoints running version earlier than
    Disable ROP protection for a process using Stack Randomization (VASR): Bypasses the specified process in the Process Name field from the VASR Process Stack Randomization technique. This option is applicable for endpoints running version earlier than
  Installation detection: Expand the node to view the option.
    Allow uninstallations: On endpoints running version or later, this option allows execution of EXE-based uninstall files that come with the installer package.
      When the Allow Uninstallation subfeature (pkg-ctrl-allow-uninstall) for Package Control is disabled, the execution of uninstall files is blocked because there is no method to identify whether they are completing the installation process or performing uninstallation. However, this option bypasses the uninstall files from the Allow Uninstallation subfeature, thereby allowing the execution.
      For example, in the case of the Firefox browser, the helper.exe uninstall file performs uninstallation and multiple other tasks, such as importing settings from other browsers. When you try to uninstall the Firefox browser using Control Panel, the helper.exe file performs uninstallation. Also, the file tries to perform other tasks. However, when the Allow Uninstallation subfeature is disabled, such tasks are denied because the uninstall file is not allowed to run.
      To allow the uninstall file to run when performing tasks other than uninstalling the software, we have designed a mechanism. The mechanism is based on applying a process-based rule. The process-based rule provides a specific context for bypassing the uninstall file from the Allow Uninstallation subfeature using the following command.
        sadmin attr add -o parent=<parent_process_name> -i <process_name>
      Using this rule, the <process_name> is bypassed from the Allow Uninstallation subfeature and allowed to execute only when it is launched by the process <parent_process_name>.

45 Table 45 definitions (continued) Specify the process name (uninstall file) in the Process Name field and the parent process name in the Parent Process Name field. Specifying the parent process name is mandatory to provide specific context for bypassing the file. For endpoints running versions earlier than 6.1.1, this option applies the default rules for Installation Detection bypass technique and the new behavior for uninstallation of EXE-based uninstall files is partially applied without an option to specify the parent process name. Advanced options Expand the node to view the option. We recommend that you contact McAfee Support before applying these exclusions. Exclude file from write-protection rules and allow script execution Bypasses the specified process in the Process Name field using the Process Context File Operations bypass technique. ally, the Parent Process Name field allows you to specify the name of the parent process. Sometimes, Application Control can prevent legitimate applications from running. Use this option to define a bypass rule for a file on 32-bit or 64-bit Windows platforms. Use this option carefully because it can affect default Application Control functionality. Ignore path for file operations Specify the relative path in the Relative Path field to ignore the path for file operations. This option corresponds to the skiplist -i command. Exclude path from file operations Specify the relative path in the Relative Path field to bypass the path from file operations. This option corresponds to the skiplist -f command. Exclude path from write-protection rules Specify the relative path in the Relative Path field to bypass the file from write-protection rules. This option corresponds to the skiplist -d command. Exclude local path and all its contained files and sub-directories from the whitelist Specify the local path in the Path field to bypass the local path and all its contained files and subdirectories from the whitelist. 
This option corresponds to the skiplist -s command. Exclude volume from Application Control protection Specify the volume in the Volume field to bypass it from Application Control protection. In effect, this option detaches the specified volume from the whitelist. This option corresponds to the skiplist -v command. OK Adds the rule. Cancel Exits without saving the rule. Edit Remove Opens the Edit exclusion rules dialog box with information for a selected rule. Edit the rule as needed, then click OK. Deletes the selected rule. Contact McAfee Support for information about these options. These options are available in earlier releases (deprecated) or address specific scenarios that McAfee Support is trained to configure. MP-mangling bypass Anti-debugging bypass MP-full crawl bypass 45

Image Deviation Details page

View image deviation details, including deviation type and file path. You can sort the details based on applications or executable files.

Table 46 definitions

Filter
  Filter by Deviation Type - Specifies the deviation type to filter the details.
  Filter by Path - Specifies the file path to filter the image deviation details.
  Update Filters - Filters the image deviation details based on the specified type and path.

View - Allows you to sort the details either by applications or executable files.
  Applications - Displays the Applications pane that sorts all files based on the associated application. All listed applications are sorted into Trusted Applications, Malicious Applications, and Unknown Applications categories. Click Application Details to view the details for a selected application.
  Executable Files - Displays a list of all files.

Actions
  Export Table - Opens the Export page. Use this page to specify the format and the package of files to be exported. You can save or email the image deviation details.
  Choose Columns - Opens the Select the Columns to Display page. Use this page to select the columns of data to display in the Executable Files pane.

Application Details - Opens the Application Details page that displays application information.
Back - Returns to the previous page.
Close - Returns to the Search Image Deviation Summary page.

Installers tab

Add installers authorized to install and update the software on the endpoints.

Table 47 definitions

Add - Opens the Add Installer dialog box.
  Search By - Searches for the required installer.
    Installer Name - Specifies the name of the installer.
    Vendor - Specifies the name of the vendor who publishes the installer.
    Search - Searches for the specified installer or vendor.
  Installer Label - Specifies an identification label used to tag changes made by the installer.
  OK - Adds the installer.
  Cancel - Exits without saving the installer details.
Edit - Opens the Edit Installer Details dialog box with information for a selected rule. Edit the rule as needed, then click OK.
Remove - Deletes the selected rule.

Search Installer - Allows you to search for an installer.
  Installer Name - Searches for an installer based on its name.
  Vendor - Searches for an installer based on the name of the vendor who published the installer.
  Search - Searches for installers based on the specified criteria.

Filters
  Show selected rows - Hides all rows except the rows selected on the page.
  Hide Filter/Show Filter - Hides or shows the filter options in the pane.

Actions - Lists the actions that you can perform for installers.
  Add Installer - Adds an installer to the McAfee ePO database.
  Add to Rule Group - Adds an installer to a rule group.
  Check Assignments - Displays assignments for an installer. Installers can be assigned to policies and rule groups.
  Choose Columns - Opens the Select the Columns to Display page. Use this to select the columns of data to display in the Installers pane.
  Export Table - Opens the Export page. Use this page to specify the format and the package of files to be exported. You can save or email the installers list.
  Edit - Updates the name of the selected installer.
  Remove - Deletes the selected installer. Before you delete an installer, make sure that it is not used in any rule groups and policies.

McAfee GTI Server Details page

Edit settings for the McAfee GTI server that Application Control (both extension and endpoints) communicates with to fetch file and certificate reputation.

Table 48 definitions

Server Address - Specifies the address for the file server, certificate server, and feedback server. Click Change to open the Server Address dialog box to edit the server addresses.
Certificate for File Server - Provides the path to the certificate for the server used to fetch file reputation. By default, the internal certificate is used. To use an alternate certificate, select Change Certificate and specify the path to the certificate.
Certificate for Feedback Server - Provides the path to the certificate for feedback server. By default, the internal certificate is used. To use an alternate certificate, select Change Certificate and specify the path to the certificate.
Certificate for Certificate Server - Provides the path to the certificate for the server used to fetch certificate reputation. By default, the internal certificate is used. To use an alternate certificate, select the Change Certificate option and specify the path to the certificate.
Host Name - Specifies the host name for the certificate server.

User Name - Specifies the user name to access the certificate server.
Password - Specifies the password associated with the user for the certificate server. To change the password, select the Change Password option and specify the password in the Password field. Type the password again in the Confirm Password field.
Test Connection - Verifies the connection to the server.

Migration server task

This task runs automatically when you upgrade the Solidcore extension. Check the Server Task Log page to make sure that migration was successful. If the migration fails, review the Server Task Log page, resolve any issues, and run the Migration server task manually to complete the migration.

Observations Detail (Deprecated) page

Analyze the suggestions available for an observation and take actions.

Table 49 definitions

Binary Tree - Represents the hierarchy and relationship between the file and its parent process. Also, allows you to review information for all child observations associated with the opened collated observation. By default, the file associated with the collated observation is selected in this pane.

Suggestions tab
  Binary Info pane - Displays detailed information for the selected binary file and lists all actions you can perform for the file. Depending on the file's properties and attributes, one or more of the following actions are available for the file.
    Add as Installer - Adds the program (or installer) as an authorized installer for your setup.
    Add as Updater - Adds the program as an authorized updater for your setup.
    Add to Whitelist - Adds the file to the whitelist for a specific endpoint. This action does not result in any rule group or policy changes.
    Add Parent as Updater - Adds the parent program as an updater for your setup.
    Add as Exception - Defines a rule to allow the file to override or bypass the applied memory-protection techniques.
    Add by binary SHA-1 - Authorizes the binary file to run on endpoints based on its checksum value.
    Add as Trusted Directory - Adds the location for the file as a trusted directory for your environment. The added trusted directory is provided updater privileges.

  Certificate Info pane - Displays information for the certificate, if any, associated with the file. This pane is displayed only if a certificate is associated with the selected file.
    Add Certificate - Adds the certificate as a trusted certificate.
  Rule Group pane - Displays the various rules to be added to the rule group. By default, this pane is empty and is populated based on the actions you perform.
  Files to be Whitelisted pane - Displays the various files to be whitelisted on the endpoint. By default, this pane is empty and is populated only when you choose the Add to Whitelist action.
    Add - Opens the Add to whitelist dialog box. Specify the binary path name.
    Remove - Deletes the selected rule.
    Edit - Opens the Add to whitelist dialog box with information for a selected rule. Edit the details as needed, then click OK.

Observations tab - Displays detailed information for observations in a tabular format.
Dismiss - Ignores the observation.
Approve - Saves the changes made and approves the observation.
Cancel - Exits without saving changes and returns to the Observations (Deprecated) page.

Observations (Deprecated) page

View observations generated for the managed endpoints.

Table 50 definitions

Enable Observation Generation - Restarts observation generation at endpoints.

Filters - Allows you to filter the displayed observations based on specified criteria, including:
  Search - Filters observations based on the specified search criteria. Specify whether to search based on process name, binary name, or observation type, select the operator, enter search string, and click Search.
  Time Filter - Filters observations generated in the specified time period.
  Approval Status Filter - Filters observations based on their approval status.

Solidcore Observations - Lists all observations that match the specified filter criteria.
  Hide Filter/Show Filter - Hides or shows the filters in the pane.
  Quick find - Specifies the string to search for. You can search based on the process name, binary name, or host name.
  Apply - Filters the observations list based on the specified string.
  Clear - Removes an applied filter.
  Show selected rows - Hides all rows except the rows selected on the page.

Actions
  Show Suggestions - Opens the Observations Detail (Deprecated) page that displays details for the associated observation.
  Choose Columns - Opens the Select the Columns to Display page. Use this to select the columns of data to display in the Solidcore Observations pane.
  Delete Observations - Removes the selected observations from the Observations (Deprecated) page and the database. Select Delete Similar Observations to delete other related observations. All observations with the same checksum or file name on different hosts are considered similar observations.
  Dismiss Observations - Ignores the selected observations (by setting their status to Dismissed). You can also choose to ignore other related observations or define exclusion rules to stop receiving similar observations.
  Export Table - Opens the Export page. Use this page to specify the format and the package of files to be exported. You can save or email the observations list.

Observe Mode client task

Place the Solidcore client on the endpoints in Observe mode.

Table 51 definitions

Observe Mode - Specifies whether to begin or end Observe mode.
  Start Observe Mode - Places the endpoints in Observe mode.
    Workflow ID - Specifies the workflow ID that can be used to track the observations generated in Observe mode.
    Comments - Provides comments or added information, if needed.
  End Observe Mode - Removes the endpoints from Observe mode.
    Enable Solidcore client - Places the endpoints in Enabled mode.
    Disable Solidcore client - Places the endpoints in Disabled mode.

Policy Discovery: Custom Rules page

Define custom rules for executable files associated with the selected request, and apply rules to selected endpoints. By default, the recommended rule tab is highlighted. If needed, you can add rules from other tabs. This page is displayed when you select a request and click the Create Custom Policy action on the Policy Discovery page.

Table 52 definitions

Select Action - Specify the action to take for the selected request. The permissions assigned to you determine the options that are available. All options are available only to users who are assigned the Solidcore admin permission set.
  Approve Request - Adds rules to allow the file associated with the selected request to run on specified endpoints in the enterprise.
  Ban Request - Adds rules to ban the file associated with the selected request from running on specified endpoints in the enterprise.
  Allow by Certificate - Adds rules to include the certificate associated with the selected request. If the file associated with the selected request is an installer or executable file that has tried to run other executable files, the certificate is assigned updater privileges.
  Bypass Memory Protection - Adds rules to bypass applied memory protection for the file associated with the selected request. This option is available only for observations and is unavailable for approval requests.
  Clear and define rules - Removes all prepopulated rules and allows you to add custom rules for the file associated with the selected request. When you select this option, the Request Details pane is displayed. Use the information listed in the pane to define rules.
  Allow Trusted Path - Adds rules to allow files placed on a network path to run with updater privileges on specified endpoints in the enterprise. When you select this option, the Request Details pane is displayed that includes the More Suggestions option. You can click More Suggestions to find information about the suggested alternate paths and the corresponding pending request count.

Show Request Details/Hide Request Details - Shows or hides the request details. The details include file name, certificate, activity, application name, and checksum.

Select Rule Group - Specifies the rule group for adding the created rules.
  Choose existing - Updates an existing rule group with the defined rules.
  Create new - Creates a rule group with the defined rules.

Add rule group to existing policy - Specifies the policy for adding the created or updated rule group.
Save - Saves the changes made.
Cancel - Exits without saving the changes, and returns to the Policy Discovery page.

Policy Discovery page

View all requests received from endpoints in the enterprise, and define rules to manage the requests.

Table 53 definitions

Filters - Filter the displayed requests based on specified criteria.
  Time Filter - Filters requests generated in the specified time period.
  Approval Status - Filters requests based on their approval status.
  Activity - Filters requests generated for the specified activity. Here is a description of the activities.
    ActiveX Installation - Installation of non-whitelisted ActiveX control signed by the certificate (listed in the Object Name column).
    Application Execution - Non-whitelisted executable file (listed in the Object Name column) is executed.
    Application Execution at Start Up - Boot time execution allowed for a non-whitelisted executable file (listed in the Object Name column).
    File Addition - New file (listed in the Object Name column) generated by a non-trusted agent on the endpoint.
    File Modification - Whitelisted application (listed in the Object Name column) modified by a non-trusted agent.
    File Update at Start Up - Executable file (listed in the Object Name column) tried to update a whitelisted file at boot time.
    Memory Protection Violation - Whitelisted executable file (listed in the Object Name column) tried a memory-protection (NX, CASP, or VASR) violation.
    Network path execution - File placed on a network path (listed in the Object Name column) is executed.
    Script Execution - Non-whitelisted script file (listed in the Object Name column) is executed.
    Software Installation - Application installation by a non-whitelisted executable file or Microsoft Installer (MSI) (listed in the Object Name column).
    Software Uninstallation - Application uninstallation of a whitelisted executable file or MSI (listed in the Object Name column).

  Final Reputation - Filters requests based on the file's reputation.
  System Name - Filters requests generated for the specified endpoint.
  Update Results - Applies the selected filters and displays requests that match the specified criteria.
  Reset Filters - Removes all filters.
  Additional Filters/Hide Filters - Shows or hides additional filters in the pane.
  What's Final Reputation? - Opens a McAfee KnowledgeBase article that explains how the software determines final reputation for files or certificates.

Hide Filter/Show Filter - Hides or shows the filters in the pane.
Quick find - Specifies the string to search for. You can search based on the object name, application name, and certificate.
Apply - Filters the requests list based on the specified string.
Clear - Removes an applied filter.
Show selected rows - Hides all rows except the rows selected on the page.

Object Name - Displays the name of the file that was executed or acted on. Hover on the object name to view or copy the content.

Final Reputation - Displays the enterprise reputation for files. The color that the enterprise reputation is displayed in indicates whether the file is trusted, malicious, or unknown.
  Green - Known Trusted, Most Likely Trusted, Might be Trusted
  Orange - Unknown
  Red - Might be Malicious, Most Likely Malicious, Known Malicious
  Gray - Not applicable (only for network path execution requests)

Reputation Source - Displays the reputation source for files, such as TIE, GTI, Application Control, Not synchronized, or Not Applicable. If the reputation source is TIE, clicking TIE opens the TIE Reputations page that allows you to view details for the selected file. Values of TIE, GTI, or Application Control indicate the source last synchronized with. Not synchronized indicates that the software has not synchronized with any reputation source. For network path execution requests, reputation source is set to Not applicable.

Certificate - Displays the certificate associated with the file. Hover on the certificate name to view or copy the public key hash and certificate hash.

Global Prevalence - Lists the count of the requests received for a file. After requests are received from the endpoints, Application Control collates and groups requests based on these parameters:
  SHA-1 of the executable file or cab file (if there is a request for an ActiveX control) for which the request is received.
  Status of the request.
  Memory protection violation requests are grouped based on SHA-1 and activity type.
  Network path execution requests are grouped based on file path and activity type.
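The grouping rules above decide which endpoint requests one Allow or Ban action covers, so it helps to see them applied. The following Python sketch is an added example, not McAfee code: the field names (host, activity, sha1, path, status), the status values, and the case-insensitive comparison are assumptions, and the sample requests are constructed.

```python
from collections import defaultdict

# Activity names as they appear in the Policy Discovery "Activity" filter.
MEMORY_PROTECTION = "Memory Protection Violation"
NETWORK_PATH = "Network path execution"


def collation_key(request):
    """Return the grouping key for one request, reading the page's rules literally.

    Field names are hypothetical; the product's internal schema is not shown
    on the page.
    """
    activity = request["activity"]
    if activity == NETWORK_PATH:
        # Grouped on file path and activity type. Lower-casing is an
        # assumption (Windows paths are case-insensitive).
        return ("path+activity", request["path"].lower(), activity)
    sha1 = request["sha1"].lower()
    if activity == MEMORY_PROTECTION:
        # Grouped on SHA-1 and activity type.
        return ("sha1+activity", sha1, activity)
    # Every other activity: SHA-1 of the file (or cab file) and request status.
    return ("sha1+status", sha1, request["status"])


def collate(requests):
    """Group individual requests into collated requests with a prevalence count."""
    groups = defaultdict(lambda: {"prevalence": 0, "hosts": set()})
    for request in requests:
        group = groups[collation_key(request)]
        group["prevalence"] += 1
        group["hosts"].add(request["host"])
    return dict(groups)


def prevalence_report(requests):
    """Return (key, prevalence, hosts) rows, most prevalent first."""
    rows = [(key, g["prevalence"], sorted(g["hosts"]))
            for key, g in collate(requests).items()]
    return sorted(rows, key=lambda row: (-row[1], row[0]))


# Constructed sample data: hashes, hosts, paths and status values are made up.
SHA_A = "a" * 40
SHA_B = "b" * 40
SAMPLE_REQUESTS = [
    {"host": "ws-01", "activity": "Application Execution", "sha1": SHA_A,
     "path": r"C:\Tools\build.exe", "status": "pending"},
    # Same binary at a different path on another host: same collated request.
    {"host": "ws-02", "activity": "Application Execution", "sha1": SHA_A.upper(),
     "path": r"D:\Temp\build.exe", "status": "pending"},
    # Same binary but a different status: separate collated request.
    {"host": "ws-03", "activity": "Application Execution", "sha1": SHA_A,
     "path": r"C:\Tools\build.exe", "status": "approved"},
    # Memory-protection violations group on SHA-1 and activity type.
    {"host": "ws-01", "activity": MEMORY_PROTECTION, "sha1": SHA_B,
     "path": r"C:\App\viewer.exe", "status": "pending"},
    {"host": "ws-04", "activity": MEMORY_PROTECTION, "sha1": SHA_B,
     "path": r"C:\App\viewer.exe", "status": "approved"},
    # Network path execution groups on the path, not on a hash.
    {"host": "ws-02", "activity": NETWORK_PATH, "sha1": None,
     "path": r"\\fileserver\share\setup.exe", "status": "pending"},
    {"host": "ws-05", "activity": NETWORK_PATH, "sha1": None,
     "path": r"\\FILESERVER\share\setup.exe", "status": "pending"},
]

if __name__ == "__main__":
    for key, prevalence, hosts in prevalence_report(SAMPLE_REQUESTS):
        print(prevalence, key, hosts)
```

Because a global action applies to the collated request and every individual request inside it, reviewing the host list behind each prevalence count before approving shows how far a single rule reaches.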

User Comments - Displays the additional information recorded for a request.

Actions
  Add Comments - Opens the Add Comments dialog box where you can record additional information for multiple requests.
  Allow File Globally - Adds rules to allow the executable file (based on SHA-1 and SHA-256) to run across all endpoints in the enterprise. These rules are added to the Global Rules rule group included in the McAfee Default policy. When you allow requests, the selected collated requests and contained individual requests are all allowed.
  Allow Trusted Path Globally - Adds rules to allow a file placed on a network path to run with updater privileges on all endpoints in the enterprise. Based on the network path associated with the request for which you want to define rules, suggested alternate paths (sorted by path length) and corresponding number of matching requests for each suggested path are displayed. If needed, you can add rules for suggested alternate paths to allow all files placed on that network path and its subdirectories to run with updater privileges on all endpoints in the enterprise. These rules are added to the Global Rules rule group included in the McAfee Default policy.
  Allow by Certificate Globally - Adds the certificate associated with the selected request with or without updater privileges. This allows all applications signed by the selected certificate to change the executable files or start any new application on the endpoints. These rules are added to the Global Rules rule group included in the McAfee Default policy. When you allow a request based on the associated certificate, the selected collated request and contained individual requests are allowed by certificate.
  Ban File Globally - Adds rules to block the executable file (based on SHA-1 and SHA-256) from running on any endpoint in the enterprise. These rules are added to the Global Rules rule group included in the McAfee Default policy. When you ban requests, the selected collated requests and contained individual requests are all blocked.
  Bypass Memory Protection Globally - Adds rules to bypass applied memory-protection and other techniques for all endpoints.
  Choose Columns - Opens the Select the Columns to Display page. Use this to select the columns of data to display on the Policy Discovery page.
  Create Custom Policy - Opens the Policy Discovery: Custom Rules page. Use this page to define custom rules to allow, block, or allow by certificate an application or executable file for selected endpoints. Also, use this page to define custom rules to allow a network path for selected endpoints.
  Delete Requests - Removes the selected requests from the Policy Discovery page and database. When you delete requests, the selected collated requests and contained individual requests are deleted.
  Export Table - Opens the Export page. Use this page to specify the format and package of files to be exported. You can save or email the requests list.
  More - Click to access these options.
    Change File Reputation (TIE) - Opens the TIE Reputations page that displays reputation information for the file associated with the request. If needed, you can edit the file reputation.
    View File Details - Opens the File Details page that displays detailed information for the file associated with the request.
    View Related Events - Opens the Solidcore Events page that displays detailed information for the events associated with the request.

Policy Discovery Request Details page

Review details for an executable file. You can access this page when you click a row on the Policy Discovery page.

Table 54 definitions

Request Details - Lists properties for the selected file and the associated certificate information, if applicable.
  File Name - Displays the name of the file. Also, clicking Lookup in TIE opens the TIE Reputations page that allows you to view or edit the file reputation.
  File Version - Displays the version information for the file.
  Path - Displays the full path of the file for which the request is received.
  Parent Process - Displays the full path of the parent process that launched the file.
  Files Changed - Lists the files modified in case of activities, such as File Addition.
  Final Reputation - Displays the final reputation for the file.
  File SHA-1 - Displays the SHA-1 value for the file. Click the value to find more details for the SHA-1, such as execution status and first seen information in inventory.
  File SHA-256 - Displays the SHA-256 value for the file.
  File MD5 - Displays the MD5 value for the file.
  Application - Displays the name of the application associated with the file.
  User Name - Displays the name of the user who sent the request.
  Certificate - Displays the name of the certificate vendor. The color that the vendor is displayed in indicates whether the file is trusted (Green), malicious (Red), or unknown (Orange). Click the vendor name to review the following additional details. Also, clicking Lookup in TIE opens the TIE Certificate Reputations Details page that allows you to view or edit the certificate reputation.
    Subject - Name of the certificate vendor.
    Issuer - Name of the certificate signing authority.
    Certificate Reputation - Reputation of the certificate. Possible values are Known Trusted, Most Likely Trusted, Might be Trusted, Unknown, Might be Malicious, Most Likely Malicious, and Known Malicious. The color in which the Certificate Reputation is displayed indicates whether the certificate is trusted (Green), malicious (Red), or unknown (Orange).
    Reputation Source - Indicates the reputation source. Possible values are TIE and GTI.
    Public Key Algorithm - Indicates the algorithm used to create the public key to encrypt messages.
    Public Key Length - Specifies the length of the public key in bits.
    Public Key Hash - Displays the public key hash.
    Certificate Hash - Displays the certificate hash.
    Valid From - Indicates the date from which the certificate is valid.
    Valid To - Indicates the date until which the certificate is valid.

Enterprise Level Activity - Lists the individual requests that make up the collated request. These individual requests help you determine the file path and endpoint for the request.
  Hide Filter/Show Filter - Hides or shows the filters in the pane.
  Quick find - Specify the string to search for. You can search based on the host name.
  Apply - Filters the request list based on the specified string.

  Clear - Removes an applied filter.
  Execution Time - Indicates the time when the policy discovery request was received.
  Host Name - Displays the name of the host from which the request was received.
  Description - Describes the action that has taken place on the endpoint.
  Justification Message - Displays the comment or justification the user sent with the request.
  Action - Displays the Allow Locally action for requests that are generated when you execute an application that is not in the whitelist (Application Execution activity). This action adds one or more executable files to the whitelist of an endpoint to allow the files to run on the endpoint.

Actions
  Add Comments - Opens the Add Comments dialog box to record additional information for a request.
  Allow File Globally - Adds rules to allow the file (based on SHA-1 and SHA-256) to run across all endpoints in the enterprise. These rules are added to the Global Rules rule group included in the McAfee Default policy. When you allow requests, the selected collated requests and contained individual requests are all allowed.
  Allow Trusted Path Globally - Adds rules to allow a file placed on a network path to run with updater privileges on all endpoints in the enterprise. Based on the network path associated with the request for which you want to define rules, suggested alternate paths (sorted based on path length) and corresponding number of matching requests for each suggested path are displayed. If needed, you can add rules for suggested alternate paths to allow all files placed on that network path and its subdirectories to run with updater privileges. These rules are added to the Global Rules rule group included in the McAfee Default policy.
  Allow by Certificate Globally - Adds the certificate associated with the selected request with or without updater privileges. This allows all applications signed by the selected certificate to make changes to the executable files or launch any new application on the endpoints. These rules are added to the Global Rules rule group included in the McAfee Default policy. When you allow a request based on the associated certificate, the selected collated request and contained individual requests are allowed by certificate.
  Ban File Globally - Adds rules to block the file (based on SHA-1 and SHA-256) from running on any endpoint in the enterprise. These rules are added to the Global Rules rule group included in the McAfee Default policy. When you ban requests, the selected collated requests and contained individual requests are all blocked.
  Bypass Memory Protection Globally - Adds rules to bypass applied memory-protection and other techniques for all endpoints.
  Create Custom Policy - Opens the Policy Discovery: Custom Rules page. For selected endpoints, use this page to define custom rules to allow, block, or allow by certificate an application or executable file. Also, use this page to define custom rules to allow a network path.
  Delete Requests - Removes the selected requests from the Policy Discovery page and database. When you delete requests, the selected collated requests and contained individual requests are deleted.
  More - Click to access these actions.
    Change File Reputation (TIE) - Opens the TIE Reputations page that displays reputation information for the file associated with the request. If needed, you can edit the file reputation.
    View File Details - Opens the File Details page that displays detailed information for the file associated with the request.
    View Related Events - Opens the Solidcore Events page that displays detailed information for the events associated with the request.

Close/Back - Closes the Policy Discovery Details page and returns to the Policy Discovery page.

Predominant Observations (Deprecated) page

View and manage the predominant observations for your enterprise. This page lists the top 10 prominent observations for your environment and allows you to take actions for each observation.

59 Table 55 definitions s Enable Observation Generation Filter Actions Restarts observation generation at endpoints. Show selected rows Hides all rows except the rows selected on the page. Exclude Adds filter rules to prevent the generation of the selected observations on all endpoints in your enterprise. These rules are added to the Global Observation Rules (Deprecated) rule group and applied to all endpoints in the enterprise. After you exclude observations, they are removed from the Predominant Observations (Deprecated) page. Also, all observations similar to the excluded observations are purged from the McAfee epo database. Approve Adds relevant rules to allow the binary files associated with the selected observations to run on all endpoints in the enterprise. These rules are added to the Global Observation Rules (Deprecated) rule group and applied to all endpoints in the enterprise. After you approve observations, they are removed from the Predominant Observations (Deprecated) page. Also, all observations similar to the approved observations are purged from the McAfee epo database. Create Custom Rules Allows you to review and add rules (to a rule group) to allow the binary file associated with the selected observation. When you select this option, a new page displays a prepopulated rule for the selected observation. Choose Columns Opens the Select the Columns to Display page. Use this to select the columns of data to display in the Predominant Observations (Deprecated) page. Export Table Opens the Export page. Use this page to specify the format and the package of files to be exported. You can save or the observations list. Program tab You can choose to track or not track all file or registry changes made by a program. When a monitored process or program makes a change, an event is generated on the endpoint and sent to the McAfee epo server. Add processes or programs to be included or excluded from being monitored for changes. 
Table 56 definitions

Add: Opens the Add Program dialog box.
  Program: Specifies the process or program to be monitored for changes.
  Include: Monitors changes made by the specified process or program.
  Exclude: Excludes any specific process or program from being monitored.
  OK: Monitors changes done by the specified process or program.
  Cancel: Exits without saving the settings.
Edit: Opens the Add Program dialog box with information for a selected rule. Edit the process or program as required, then click OK.
Remove: Deletes the selected rule from the policy.

Pull Inventory client task

Fetch the software inventory for one or more endpoints. No additional configuration is required to run this client task. After this task runs successfully, you can review the inventory details for the endpoints and define new rules. Use the Menu → Application Control → Inventory → By Applications and Menu → Application Control → Inventory → By Systems pages to define rules.

Purge server task

Purge Solidcore reporting data. When you purge data, the records are permanently deleted.

Table 57 definitions

Choose Feature: Select the Solidcore reporting feature for which to purge the records.
  Events: Purges Solidcore events.
  Client Task Log: Purges Solidcore Client Task logs.
  Alerts: Purges Solidcore alerts.
  Inventory: Purges inventory details for endpoints.
  Content Change Tracking Repository: Purges content change tracking data.
  Image Deviation: Purges image deviation details.
  Policy Discovery: Purges policy discovery requests.
Purge records older than: Purges entries older than the specified age. This option is not applicable for features that do not have aging criteria, such as inventory records.
Purge by query: Purges records for the selected feature that meet the query criteria. This option is only available for reporting features that support queries in McAfee ePO. Also, this option is supported only for tabular query results. No seeded queries are available for purging. Before purging records, you must create the relevant query.

Read-Protect tab

Define read-protection rules to prevent users from reading the content of specified files, directories, and volumes. By default, the read protection feature is disabled at the endpoints. To enable the read protection feature, create a Run Commands client task with the features enable deny-read command.

Read-protect critical files or directories.

Table 58 definitions

Add: Opens the Add File dialog box.
  File: Specifies the name or path of the file to protect or the path of the directory to protect.
  Include: Read-protects the specified file or directory.
  Exclude: Excludes the specified file or subdirectory from read protection.
  OK: Read-protects the specified file or directory.
  Cancel: Exits without saving the settings.
Edit: Opens the Add File dialog box with information for a selected rule. Edit the rule as required, then click OK.
Remove: Deletes the selected rule from the policy.

Registry tab

On the Windows platform, you can define rules to monitor registry keys. You can choose to include or exclude a registry key for monitoring. When a monitored registry key is changed, an event is generated on the endpoint and sent to the McAfee ePO server.

Add registry keys to be included or excluded from being monitored for changes.

Table 59 definitions

Add: Opens the Add Registry dialog box.
  Registry: Specifies the registry key to be monitored for changes.
  Include: Monitors changes to the specified registry key.
  Exclude: Excludes the registry key from being monitored.
  OK: Monitors changes to the specified registry key.
  Cancel: Exits without saving the settings.
Edit: Opens the Add Registry dialog box with information for a selected rule. Edit the registry key as required, then click OK.
Remove: Deletes the selected rule from the policy.

Rule Group Sanity Check server task

Run the Rule Group Sanity Check server task to report and correct (if possible) discrepancies and inconsistencies in the Solidcore rule groups and policies. Review the logs generated by the server task (on the Server Task Log page) to view the warnings, if any. No additional configuration is required to run this server task.

Rule Groups tab

A default set of rule groups is included for Integrity Monitor and Application Control. Manage rule groups for Integrity Monitor, Change Control, and Application Control.

Table 60 definitions

Filter: Allows you to filter the rule groups based on these criteria:
  Type: Filters the rule groups by Solidcore feature (Application Control, Integrity Monitor, and Change Control).
  Platform: Filters rule groups based on the operating system.
  Search string: Specify the name of the rule group to search for.
  Search: Searches for a rule group based on the selected criteria.
  Hide Filter/Show Filter: Hides or shows the filters on the page.
  Show selected rows: Hides all rows except the rows selected on the page.
Actions: Specifies the actions that you can perform for the selected rule group.
  View: Lists settings for the selected rule group.
  Edit: Updates settings for the selected rule group. This option is available only for rule groups that you own.
  Rename: Prompts you for a new name for the rule group. This option is available only for rule groups that you own.
  Duplicate: Duplicates the selected rule group.
  Delete: Deletes the selected rule group. This option is available only for rule groups that you own.
  Assignments: Displays policy assignment for a rule group.
  Choose Columns: Opens the Select the Columns to Display page. Use this page to select the columns of data to display on the page.
  Export Table: Opens the Export page. Use this page to specify the format and the package of files to be exported. You can save or email the rule group list.
Owners: Lists the name of the user who owns the rule group. This link is enabled only for the McAfee ePO administrator.
Add Rule Group: Adds a rule group.
Import: Imports information for one or more rule groups.
Export: Exports the required rule groups to an XML file.

Run Commands client task

Run CLI commands remotely on the endpoints.

Table 61 definitions

Run Commands: Specifies the CLI command you want to run on the endpoints.
Requires Response: Specifies the option to receive the result of the command. The command output is available on the Menu → Automation → Solidcore Client Task Log page on the McAfee ePO console.

Run Image Deviation server task

Compare the inventory of one or more endpoints with the inventory of a designated gold system.

Table 62 definitions

Consider file paths as case-sensitive: Indicates whether to use case sensitivity for file paths while comparing the images. We recommend that you do not select this option for the Windows platform.
Gold System: Specifies the gold system.
Systems to compare with Gold System: Lists the endpoints to compare with the gold system.
Groups to compare with Gold System: Specifies system groups to compare with the gold system.
Include Systems with Tags: Adds endpoints based on the specified tags to compare with the gold system.
Exclude Systems with Tags: Adds endpoints based on the specified tags. The endpoints with the selected tags are excluded from comparison with the gold system.

Scan a Software Repository server task

Schedule a scan on a network share regularly. Use this page to:
  Extract the certificates associated with one or more signed executable files present on the share.
  Add installers present on the share.

Table 63 definitions

Software Repository Path: Specifies the path of the repository. Make sure that the repository is accessible from the McAfee ePO server.
Domain: Specifies the domain name.
User Name: Specifies the name of the user in the domain.
Password: Specifies the password to access the network location.
Test Connection: Verifies that you are able to connect to the repository with the specified credentials.
Add extracted certificates and installers to Rule Group: Adds the extracted certificates and installers to a user-defined rule group.

Search Image Deviation Summary page

View image deviation results. Using the Image Deviation feature, you can compare the inventory of an endpoint with the inventory of a designated gold system. This page provides a summary of the image comparison and lists changes, such as modifications, deletions, or additions to the inventory of the endpoint (as compared to the inventory of the gold system).

Table 64 definitions

Search Target System: Searches for the image deviation summary for a target system. Specify the name of the target system, and then click Search.
Action
  Show Deviations: Opens the Image Deviation Details page.
  Export Table: Opens the Export page. Use this page to specify the format and the package of files to be exported. You can save or email the image deviation summary.
  Choose Columns: Opens the Select the Columns to Display page. Use this to select the columns of data to display in the Image Deviation Summary Listing pane.

Send Feedback to Application Control GTI Cloud Server server task

Configure and send feedback to McAfee on how you are currently using the McAfee GTI and Application Control features. No information about individual computers or users is sent to McAfee. McAfee stores no data that can be used to track the feedback information to a specific customer or organization.

Table 65 definitions

McAfee ePO Base Information: Sends information about the number of nodes managed by McAfee ePO and number of nodes where Application Control is installed.
Policies: Sends information about how you are using user-editable Change Control, Application Control, and General policies in your setup. Information is also sent for the Global Rules and Global Observation Rules (Deprecated) rule groups.
Events: Sends event information for your setup. Selecting this option sends information, such as file name and SHA-1 value, for the Execution Denied, Process Hijacked, and Nx Violation Detected events.
  Nodes: Sends information about the number of endpoints where the event occurred, and the full path of the file associated with the event.
Inventory: Sends inventory information for your setup. Selecting this option sends detailed information for executable files, including base name, application name, application version, file version, and enterprise trust level.
  Nodes: Sends information about the number of endpoints where the file is present, its execution status, and full path of the file. The feedback does not include any information to identify the endpoints, such as system name or IP address.
Policy Discovery: Sends information for policy discovery requests. Selecting this option sends information about the type of requests generated for your setup and details about the certificates associated with commonly used applications.

Solidcore Client Task Log page

View the status of the Solidcore client tasks run on the endpoints.

Table 66 definitions

Filter: Allows you to filter the listed details based on these criteria:
  System Name: Filters information based on the system name.
  Time: Displays information for the specified time period.
  Command Status: Filters information based on whether the command executed through the client task was successful or not.
  Task Name: Filters information based on the task name.
  Task Status: Filters information based on whether the client task is in progress, executed successfully, or failed.
  Search: Displays information based on the specified criteria.
  Hide Filter/Show Filter: Hides or shows the filters in the pane.
  Show selected rows: Hides all rows except the rows selected in the Client Task Log pane.
Actions: Specifies the actions that you can perform on the selected client task log, including:
  Delete: Removes the selected record from the page.
  Choose Columns: Opens the Select the Columns to Display page. Use this page to select the columns of data to display in the Client Task Log pane.
  Export Table: Opens the Export page. Use this page to specify the format and the package of files to be exported. You can save or email the client task log.

Solidcore Events page

View all Solidcore events generated for the managed endpoints.

Table 67 definitions

Filter: Filters the displayed events based on specified criteria, including:
  Time Filter: Filters events generated in the specified time period.
  System Tree Filter: Filters events generated for the specified group or subgroup.
  Advanced Filters: Opens the Edit Filter Criteria page where you can select properties to filter the content displayed on the Solidcore Events page.
What's reputation-based execution?: Opens a McAfee KnowledgeBase article that explains reputation-based execution.
Deny Reason: Displays the reason for denial for Execution Denied events. Each value is listed with its description:
  Application Control Policy - File banned by name: Application Control blocked this file because a ban rule exists for the file.
  Application Control Policy - File banned by SHA-1: Application Control blocked this file because a ban rule exists for the SHA-1 of the file.
  Application Control Policy - File execution denied by user: Application Control blocked this file because its execution was denied by the user.
  TIE - Malicious process SHA-1: Application Control blocked this file because the file reputation received from the TIE server is malicious or because McAfee Sandboxing technology (ATD) analyzed it to be suspicious.
  GTI - Malicious process SHA-1: Application Control blocked this file because the file reputation received from the GTI server is malicious.
  TIE - Malicious Certificate: Application Control blocked this file because the reputation received for the associated certificate from the TIE server is malicious.
  GTI - Malicious Certificate: Application Control blocked this file because the reputation received for the associated certificate from the GTI server is malicious.
  Local Whitelist- File not present in whitelist: Application Control blocked this file because it is not whitelisted. To execute this file, add the file to the whitelist.
  Application Control Policy - Network path not trusted: Application Control blocked this file because it was executed from a non-trusted network path.
  Application Control Policy - Removable media not trusted: Application Control blocked this file because it was executed from a non-trusted media.
  Local Whitelist- File SHA-1 mismatch: Application Control blocked this file because the file's checksum is not present in the inventory. This can occur if the file SHA-1 changed.
Reputation (at Time of Execution): Displays the reputation of the file on the endpoint at the time of execution. This value is applicable only for the Execution Denied events where execution is denied due to malicious reputation. Possible values include TIE Malicious Certificate, GTI Malicious Certificate, TIE Malicious Checksum, GTI Malicious Checksum, and Not Applicable.

Table 67 definitions (continued)

Actions: Specifies the actions that you can perform on the selected events, including:
  Create Policy: Opens the Events: Create Custom Policy page where you can define rules for the file associated with the event. If the file SHA-1 is available, the corresponding rule is prepopulated on the Events: Create Custom Policy page. Otherwise, you must define the relevant rules manually. This option is available only for the Execution Denied, ActiveX Installation Prevented, File Write Denied, Installation Denied, Process Hijack Attempted, VASR Violation Detected, and Nx Violation Detected events.
  View Related Requests: Opens the Policy Discovery Details page that displays detailed information for the request associated with the event.
  View File Details: Opens the File Details page that displays detailed information for the file associated with the event.
  Change File Reputation (TIE): Opens the TIE Reputations page that displays reputation information for the file associated with the request. If needed, you can edit the file reputation.
  View Content Change: Opens the Comparison page that allows you to review changes made to the file. This option is available only for the File Modified event.
  Show Suggestions (Deprecated): Opens the Observations Detail (Deprecated) page that displays details for the observations associated with the event. This option is useful only for endpoints running version or earlier.
  Add Comments: Opens the Add Comments dialog box where you can record additional information for multiple events.
  Choose Columns: Opens the Select the Columns to Display page where you can select the columns of data to display on the Solidcore Events page.
  Dismiss Observations (Deprecated): Ignores one or more observations. This option is useful only for endpoints running version or earlier.
  Exclude Events: Excludes or ignores events not needed to meet compliance requirements.
  Export Table: Opens the Export page where you can specify the format and the package of files to be exported. You can save or email event details.
  Reconcile Events: Manually reconciles events by correlating the events with change tickets and marking them as authorized or unauthorized.
  Show Related Systems: Takes you to a page where you can view and take action on the systems where selected events occurred.
User Comments: Displays the Add a comment link where you can record additional information for an event.
Select all in this page: Selects all Solidcore events listed on the current page.
Select all in all pages: Selects all Solidcore events displayed on all pages.

Solidcore Syslog Server Details page

Add the syslog server as a registered server or edit settings for an existing syslog server.

Table 68 definitions

Syslog Server Address: Allows you to enter the server address. You can choose to specify the DNS name, IPv4 address, or IPv6 address.
Syslog Server Port: By default, this value is set to 514. You cannot change the port value.
Syslog Facility: Specifies the type of logs the server receives.
Send Test Syslog Message: Verifies if the syslog server is reachable or not.

Updater Processes tab

When a program is configured as an updater, it can install new software and update existing software (including itself) installed on the endpoint. Updaters work at a global level and are not application-specific. After a program is defined as an updater, it can change any protected file.

Add updaters authorized to perform updates on the protected endpoints.

Table 69 definitions

Add: Opens the Add Updater dialog box. Configure these options as needed.
  Updater By Name/Updater By File SHA-1/Updater By File SHA-256: Select an option to indicate whether to add the updater based on the file name, SHA-1, or SHA-256, respectively. The Updater By File SHA-1 and Updater By File SHA-256 options are available only for the Windows platform. If you add the updater by name, the updater is not authorized to run automatically. However, when you add the updater by SHA-1 or SHA-256, the updater is authorized.
  File Name/File SHA-1/File SHA-256: Type the location (when adding by name), SHA-1 value, or SHA-256 value of the executable file, respectively.
  Updater Label: Type an identification label. All changes made by the file are tagged with the specified label.
  Condition: Select one of these options when adding an updater by name:
    None: Select this option to authorize the updater without any conditions.
    Library: Select this option to allow the file to run as updater only when it has loaded the specified library.
    Parent: Select this option to allow the file to run as an updater only if it is started by the specified parent process.
  Disable Inheritance: Select this option to disable inheritance for the updater (when adding an updater by name). For example, if Process A (that is set as an updater) starts Process B, disabling inheritance for Process A makes sure that Process B does not become an updater.
  Suppress Events: Select this option to suppress events generated for actions performed by the updater (when adding an updater by name).
  OK: Adds and authorizes the updater.
  Cancel: Exits without saving the updater details.
Edit: Opens the Edit Updater dialog box with information for a selected rule. Edit the rule as needed, then click OK.
Remove: Deletes the selected rule.

Upload Certificate page

Upload an existing certificate available to you.

Table 70 definitions

Select a PEM format certificate to import.: Specifies the path of the certificate file to import.

Users tab

Add trusted users for Application Control.

Table 71 definitions

Add: Opens the Add User dialog box.
  Domain\User: Specifies the domain name and logon name of the user.
  User Label: Specifies an identification label. All changes made by the user are tagged with this label.
  Name: Specifies the name of the user.
  OK: Adds the user.
  Cancel: Exits without saving the user details.
Edit: Opens the Edit User dialog box with information for a selected rule. Edit the user details as needed, then click OK.
Remove: Deletes the selected rule.
AD Import: Opens the Import from Active Directory dialog box.
  Active Directory Server: Selects the required registered server.
  Global Catalog Search: Searches for users in the catalog (only if the selected Active Directory is a Global Catalog server).
  Search for: Specifies whether to search for users or groups.
  Search By: Specifies whether to search for users by UPN (User Principal Name) or SAM (Security Account Manager) account name. Your search determines the authorized user. Make sure that you use the trusted account to log on to the endpoint. If you use the UPN name while adding a user, make sure that the user logs on with the UPN name at the endpoint for trusted user privileges.
  User Name: Specifies the user name search string. The Contains search criterion is applied for the specified user name.
  Group Name: Specifies the group name to restrict your search to users in the specified group. You cannot directly add a group that is present in the Active Directory to a policy. To authorize all users in a group, add the user group to a rule group and include the rule group in a policy. Using groups makes sure that all changes to a user group automatically cascade across all rule groups and associated policies.
  Find: Searches for the specified user or group name.

Write-Protect File tab

Applying write-protection rules makes the specified files read-only, protecting your valuable data from unauthorized updates.

Prevent unauthorized changes to critical files.


Product Guide. McAfee Endpoint Upgrade Assistant 1.4.0 Product Guide McAfee Endpoint Upgrade Assistant 1.4.0 COPYRIGHT Copyright 2017 McAfee, LLC TRADEMARK ATTRIBUTIONS McAfee and the McAfee logo, McAfee Active Protection, epolicy Orchestrator, McAfee epo,

More information

ForeScout Extended Module for Advanced Compliance

ForeScout Extended Module for Advanced Compliance ForeScout Extended Module for Advanced Compliance Version 1.2 Table of Contents About Advanced Compliance Integration... 4 Use Cases... 4 Additional Documentation... 6 About This Module... 6 About Support

More information

CounterACT Wireless Plugin

CounterACT Wireless Plugin CounterACT Wireless Plugin Version 1.7.0 Table of Contents About the Wireless Plugin... 4 Wireless Network Access Device Terminology... 5 How It Works... 6 About WLAN Controller/Lightweight Access Points...

More information

McAfee Threat Intelligence Exchange Product Guide. (McAfee epolicy Orchestrator)

McAfee Threat Intelligence Exchange Product Guide. (McAfee epolicy Orchestrator) McAfee Threat Intelligence Exchange 2.2.0 Product Guide (McAfee epolicy Orchestrator) COPYRIGHT Copyright 2018 McAfee, LLC TRADEMARK ATTRIBUTIONS McAfee and the McAfee logo, McAfee Active Protection, epolicy

More information

Product Guide. McAfee Web Gateway Cloud Service

Product Guide. McAfee Web Gateway Cloud Service Product Guide McAfee Web Gateway Cloud Service COPYRIGHT Copyright 2017 McAfee, LLC TRADEMARK ATTRIBUTIONS McAfee and the McAfee logo, McAfee Active Protection, epolicy Orchestrator, McAfee epo, McAfee

More information

Server Edition USER MANUAL. For Mac OS X

Server Edition USER MANUAL. For Mac OS X Server Edition USER MANUAL For Mac OS X Copyright Notice & Proprietary Information Redstor Limited, 2016. All rights reserved. Trademarks - Mac, Leopard, Snow Leopard, Lion and Mountain Lion are registered

More information

Sophos Enterprise Console Help. Product version: 5.3

Sophos Enterprise Console Help. Product version: 5.3 Sophos Enterprise Console Help Product version: 5.3 Document date: September 2015 Contents 1 About Sophos Enterprise Console 5.3...6 2 Guide to the Enterprise Console interface...7 2.1 User interface layout...7

More information

Product overview. McAfee Web Protection Hybrid Integration Guide. Overview

Product overview. McAfee Web Protection Hybrid Integration Guide. Overview McAfee Web Protection Hybrid Integration Guide Product overview Overview The McAfee Web Protection hybrid solution is the integration of McAfee Web Gateway and McAfee Web Gateway Cloud Service (McAfee

More information

Product Guide Revision A. Endpoint Intelligence Agent 2.2.0

Product Guide Revision A. Endpoint Intelligence Agent 2.2.0 Product Guide Revision A Endpoint Intelligence Agent 2.2.0 COPYRIGHT Copyright 2014 McAfee, Inc. Do not copy without permission. TRADEMARK ATTRIBUTIONS McAfee, the McAfee logo, McAfee Active Protection,

More information

Product Guide. McAfee Endpoint Upgrade Assistant 1.5.0

Product Guide. McAfee Endpoint Upgrade Assistant 1.5.0 Product Guide McAfee Endpoint Upgrade Assistant 1.5.0 COPYRIGHT Copyright 2017 McAfee, LLC TRADEMARK ATTRIBUTIONS McAfee and the McAfee logo, McAfee Active Protection, epolicy Orchestrator, McAfee epo,

More information

Product Guide. McAfee GetClean. version 2.0

Product Guide. McAfee GetClean. version 2.0 Product Guide McAfee GetClean version 2.0 About this guide COPYRIGHT LICENSE INFORMATION Copyright 2013-2017 McAfee, LLC. YOUR RIGHTS TO COPY AND RUN THIS TOOL ARE DEFINED BY THE MCAFEE SOFTWARE ROYALTY-FREE

More information

CounterACT Check Point Threat Prevention Module

CounterACT Check Point Threat Prevention Module CounterACT Check Point Threat Prevention Module Version 1.0.0 Table of Contents About the Check Point Threat Prevention Integration... 4 Use Cases... 4 Additional Check Point Threat Prevention Documentation...

More information

Client Proxy interface reference

Client Proxy interface reference McAfee Client Proxy 2.3.5 Interface Reference Guide Client Proxy interface reference These tables provide information about the policy settings found in the Client Proxy UI. Policy Catalog On the McAfee

More information

User Guide. Version R94. English

User Guide. Version R94. English AuthAnvil User Guide Version R94 English March 8, 2017 Copyright Agreement The purchase and use of all Software and Services is subject to the Agreement as defined in Kaseya s Click-Accept EULATOS as updated

More information

MCAFEE THREAT INTELLIGENCE EXCHANGE RESILIENT THREAT SERVICE INTEGRATION GUIDE V1.0

MCAFEE THREAT INTELLIGENCE EXCHANGE RESILIENT THREAT SERVICE INTEGRATION GUIDE V1.0 MCAFEE THREAT INTELLIGENCE EXCHANGE RESILIENT THREAT SERVICE INTEGRATION GUIDE V1.0 Copyright IBM Corporation 2018 Permission is hereby granted, free of charge, to any person obtaining a copy of this software

More information

McAfee VirusScan and McAfee epolicy Orchestrator Administration Course

McAfee VirusScan and McAfee epolicy Orchestrator Administration Course McAfee VirusScan and McAfee epolicy Orchestrator Administration Course Education Services administration course training The McAfee VirusScan Enterprise and McAfee epolicy Orchestrator (McAfee epo ) Administration

More information

User Guide. Version R92. English

User Guide. Version R92. English AuthAnvil User Guide Version R92 English October 9, 2015 Agreement The purchase and use of all Software and Services is subject to the Agreement as defined in Kaseya s Click-Accept EULATOS as updated from

More information

McAfee Endpoint Upgrade Assistant Product Guide. (McAfee epolicy Orchestrator 5.9.0)

McAfee Endpoint Upgrade Assistant Product Guide. (McAfee epolicy Orchestrator 5.9.0) McAfee Endpoint Upgrade Assistant 1.6.0 Product Guide (McAfee epolicy Orchestrator 5.9.0) COPYRIGHT Copyright 2018 McAfee, LLC TRADEMARK ATTRIBUTIONS McAfee and the McAfee logo, McAfee Active Protection,

More information

ForeScout Extended Module for ServiceNow

ForeScout Extended Module for ServiceNow ForeScout Extended Module for ServiceNow Version 1.1.0 Table of Contents About this Integration... 4 Use Cases... 4 Asset Identification... 4 Asset Inventory True-up... 5 Additional ServiceNow Documentation...

More information

Sophos Enterprise Console help. Product version: 5.5

Sophos Enterprise Console help. Product version: 5.5 Sophos Enterprise Console help Product version: 5.5 Contents 1 About Sophos Enterprise Console...6 2 Guide to the Enterprise Console interface...7 2.1 User interface layout...7 2.2 Toolbar buttons...7

More information

McAfee Firewall Enterprise and 8.3.x

McAfee Firewall Enterprise and 8.3.x Release Notes Revision A McAfee Firewall Enterprise 8.2.1 and 8.3.x Scan Engine Update MCV02 Contents About this release Installation instructions Known issues Find product documentation About this release

More information

Sophos Enterprise Console

Sophos Enterprise Console Sophos Enterprise Console Help Product Version: 5.5 Contents About Sophos Enterprise Console...1 Guide to the Enterprise Console interface... 2 User interface layout... 2 Toolbar buttons...2 Dashboard

More information

McAfee Endpoint Security for Linux Threat Prevention Interface Reference Guide

McAfee Endpoint Security for Linux Threat Prevention Interface Reference Guide McAfee Endpoint Security for Linux Threat Prevention 10.5.0 Interface Reference Guide COPYRIGHT Copyright 2018 McAfee, LLC TRADEMARK ATTRIBUTIONS McAfee and the McAfee logo, McAfee Active Protection, epolicy

More information

Product Guide. McAfee Web Gateway Cloud Service

Product Guide. McAfee Web Gateway Cloud Service Product Guide McAfee Web Gateway Cloud Service COPYRIGHT Copyright 2017 McAfee, LLC TRADEMARK ATTRIBUTIONS McAfee and the McAfee logo, McAfee Active Protection, epolicy Orchestrator, McAfee epo, McAfee

More information

NGFW Security Management Center

NGFW Security Management Center NGFW Security Management Center Release Notes 6.4.5 Revision A Contents About this release on page 2 System requirements on page 2 Build version on page 3 Compatibility on page 4 New features on page 5

More information

McAfee Change Control and McAfee Application Control 8.0.0

McAfee Change Control and McAfee Application Control 8.0.0 Installation Guide McAfee Change Control and McAfee Application Control 8.0.0 For use with McAfee epolicy Orchestrator COPYRIGHT 2016 Intel Corporation TRADEMARK ATTRIBUTIONS Intel and the Intel logo are

More information

Boot Attestation Service 3.0.0

Boot Attestation Service 3.0.0 Product Guide Boot Attestation Service 3.0.0 For use with epolicy Orchestrator 4.6.0, 5.0.0 Software COPYRIGHT Copyright 2013 McAfee, Inc. Do not copy without permission. TRADEMARK ATTRIBUTIONS McAfee,

More information

ForeScout CounterACT. Configuration Guide. Version 1.8

ForeScout CounterACT. Configuration Guide. Version 1.8 ForeScout CounterACT Network Module: Wireless Plugin Version 1.8 Table of Contents About the Wireless Plugin... 4 Wireless Network Access Device Terminology... 6 How It Works... 6 About WLAN Controller/Lightweight

More information

ForeScout Extended Module for IBM BigFix

ForeScout Extended Module for IBM BigFix Version 1.1 Table of Contents About BigFix Integration... 4 Use Cases... 4 Additional BigFix Documentation... 4 About this Module... 4 About Support for Dual Stack Environments... 5 Concepts, Components,

More information

McAfee Change Control and McAfee Application Control 6.1.4

McAfee Change Control and McAfee Application Control 6.1.4 Installation Guide McAfee Change Control and McAfee Application Control 6.1.4 For use with epolicy Orchestrator 4.6.0-5.1.1 Software COPYRIGHT Copyright 2014 McAfee, Inc. Do not copy without permission.

More information

rat Comodo EDR Software Version 1.7 Administrator Guide Guide Version Comodo Security Solutions 1255 Broad Street Clifton, NJ 07013

rat Comodo EDR Software Version 1.7 Administrator Guide Guide Version Comodo Security Solutions 1255 Broad Street Clifton, NJ 07013 rat Comodo EDR Software Version 1.7 Administrator Guide Guide Version 1.1.120318 Comodo Security Solutions 1255 Broad Street Clifton, NJ 07013 Table of Contents 1 Introduction to Comodo EDR...3 1.1 Purchase

More information

McAfee Endpoint Security

McAfee Endpoint Security Migration Guide McAfee Endpoint Security 10.2.0 For use with McAfee epolicy Orchestrator COPYRIGHT 2016 Intel Corporation TRADEMARK ATTRIBUTIONS Intel and the Intel logo are registered trademarks of the

More information

NGFW Security Management Center

NGFW Security Management Center NGFW Security Management Center Release Notes 6.4.3 Revision A Contents About this release on page 2 System requirements on page 2 Build version on page 3 Compatibility on page 4 New features on page 5

More information

BlackBerry Enterprise Server for Microsoft Office 365. Version: 1.0. Administration Guide

BlackBerry Enterprise Server for Microsoft Office 365. Version: 1.0. Administration Guide BlackBerry Enterprise Server for Microsoft Office 365 Version: 1.0 Administration Guide Published: 2013-01-29 SWD-20130131125552322 Contents 1 Related resources... 18 2 About BlackBerry Enterprise Server

More information

McAfee Application Control Linux Product Guide. (Unmanaged)

McAfee Application Control Linux Product Guide. (Unmanaged) McAfee Application Control 6.2.0 - Linux Product Guide (Unmanaged) COPYRIGHT Copyright 2018 McAfee, LLC TRADEMARK ATTRIBUTIONS McAfee and the McAfee logo, McAfee Active Protection, epolicy Orchestrator,

More information

Defendpoint for Mac 4.2 Getting Started Guide. Defendpoint for Mac. Getting Started Guide version 4.2

Defendpoint for Mac 4.2 Getting Started Guide. Defendpoint for Mac. Getting Started Guide version 4.2 Defendpoint for Mac 4.2 Getting Started Guide Defendpoint for Mac Getting Started Guide version 4.2 August 2016 Defendpoint for Mac 4.2 Getting Started Guide Copyright Notice The information contained

More information

Using the VMware vcenter Orchestrator Client. vrealize Orchestrator 5.5.1

Using the VMware vcenter Orchestrator Client. vrealize Orchestrator 5.5.1 Using the VMware vcenter Orchestrator Client vrealize Orchestrator 5.5.1 You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/ If you have comments

More information

Endpoint Intelligence Agent 2.2.0

Endpoint Intelligence Agent 2.2.0 Release Notes Endpoint Intelligence Agent 2.2.0 Revision A Contents About this release New features Resolved issues Installation instructions Known issues Find product documentation About this release

More information

ForeScout CounterACT. Configuration Guide. Version 4.1

ForeScout CounterACT. Configuration Guide. Version 4.1 ForeScout CounterACT Network Module: VPN Concentrator Plugin Version 4.1 Table of Contents About the VPN Concentrator Plugin... 3 What to Do... 3 Requirements... 3 CounterACT Requirements... 3 Supported

More information

KYOCERA Net Viewer User Guide

KYOCERA Net Viewer User Guide KYOCERA Net Viewer User Guide Legal Notes Unauthorized reproduction of all or part of this guide is prohibited. The information in this guide is subject to change without notice. We cannot be held liable

More information

Business Insights Dashboard

Business Insights Dashboard Business Insights Dashboard Sage 500 ERP 2000-2013 Sage Software, Inc. All rights reserved. Sage, the Sage logos, and the Sage product and service names mentioned herein are registered trademarks or trademarks

More information

Desktop & Laptop Edition

Desktop & Laptop Edition Desktop & Laptop Edition USER MANUAL For Mac OS X Copyright Notice & Proprietary Information Redstor Limited, 2016. All rights reserved. Trademarks - Mac, Leopard, Snow Leopard, Lion and Mountain Lion

More information

McAfee Client Proxy Product Guide

McAfee Client Proxy Product Guide McAfee Client Proxy 2.3.5 Product Guide COPYRIGHT Copyright 2018 McAfee, LLC TRADEMARK ATTRIBUTIONS McAfee and the McAfee logo, McAfee Active Protection, epolicy Orchestrator, McAfee epo, McAfee EMM, Foundstone,

More information

Perceptive Matching Engine

Perceptive Matching Engine Perceptive Matching Engine Advanced Design and Setup Guide Version: 1.0.x Written by: Product Development, R&D Date: January 2018 2018 Hyland Software, Inc. and its affiliates. Table of Contents Overview...

More information

ZENworks Service Desk 8.0 Using ZENworks with ZENworks Service Desk. November 2018

ZENworks Service Desk 8.0 Using ZENworks with ZENworks Service Desk. November 2018 ZENworks Service Desk 8.0 Using ZENworks with ZENworks Service Desk November 2018 Legal Notices For information about legal notices, trademarks, disclaimers, warranties, export and other use restrictions,

More information

McAfee File and Removable Media Protection Product Guide

McAfee File and Removable Media Protection Product Guide McAfee File and Removable Media Protection 5.0.8 Product Guide COPYRIGHT Copyright 2018 McAfee, LLC TRADEMARK ATTRIBUTIONS McAfee and the McAfee logo, McAfee Active Protection, epolicy Orchestrator, McAfee

More information

McAfee Firewall Enterprise epolicy Orchestrator Extension

McAfee Firewall Enterprise epolicy Orchestrator Extension Integration Guide Revision A McAfee Firewall Enterprise epolicy Orchestrator Extension COPYRIGHT Copyright 2012 McAfee, Inc. Do not copy without permission. TRADEMARK ATTRIBUTIONS McAfee, the McAfee logo,

More information

Dell EMC License Manager Version 1.5 User's Guide

Dell EMC License Manager Version 1.5 User's Guide Dell EMC License Manager Version 1.5 User's Guide Notes, cautions, and warnings NOTE: A NOTE indicates important information that helps you make better use of your product. CAUTION: A CAUTION indicates

More information

Forescout. Configuration Guide. Version 4.2

Forescout. Configuration Guide. Version 4.2 Forescout Version 4.2 Contact Information Forescout Technologies, Inc. 190 West Tasman Drive San Jose, CA 95134 USA https://www.forescout.com/support/ Toll-Free (US): 1.866.377.8771 Tel (Intl): 1.408.213.3191

More information

Product Guide Revision B. McAfee Cloud Workload Security 5.0.0

Product Guide Revision B. McAfee Cloud Workload Security 5.0.0 Product Guide Revision B McAfee Cloud Workload Security 5.0.0 COPYRIGHT Copyright 2018 McAfee, LLC TRADEMARK ATTRIBUTIONS McAfee and the McAfee logo, McAfee Active Protection, epolicy Orchestrator, McAfee

More information

Enterprise Server Edition

Enterprise Server Edition Enterprise Server Edition USER MANUAL For Microsoft Windows Copyright Notice & Proprietary Information Redstor Limited, 2017. All rights reserved. Trademarks - Microsoft, Windows, Microsoft Windows, Microsoft

More information

McAfee Content Security Reporter Product Guide. (McAfee epolicy Orchestrator)

McAfee Content Security Reporter Product Guide. (McAfee epolicy Orchestrator) McAfee Content Security Reporter 2.5.0 Product Guide (McAfee epolicy Orchestrator) COPYRIGHT Copyright 2018 McAfee, LLC TRADEMARK ATTRIBUTIONS McAfee and the McAfee logo, McAfee Active Protection, epolicy

More information

NGFW Security Management Center

NGFW Security Management Center NGFW Security Management Center Release Notes 6.3.7 Revision A Contents About this release on page 2 System requirements on page 2 Build version on page 3 Compatibility on page 5 New features on page 5

More information

ForeScout Extended Module for Qualys VM

ForeScout Extended Module for Qualys VM ForeScout Extended Module for Qualys VM Version 1.2.1 Table of Contents About the Qualys VM Integration... 3 Additional Qualys VM Documentation... 3 About This Module... 3 Components... 4 Considerations...

More information

McAfee Embedded Control

McAfee Embedded Control McAfee Embedded Control System integrity, change control, and policy compliance in one solution McAfee Embedded Control maintains the integrity of your system by only allowing authorized code to run and

More information

Revision A. McAfee Data Loss Prevention Endpoint 11.1.x Installation Guide

Revision A. McAfee Data Loss Prevention Endpoint 11.1.x Installation Guide Revision A McAfee Data Loss Prevention Endpoint 11.1.x Installation Guide COPYRIGHT Copyright 2018 McAfee, LLC TRADEMARK ATTRIBUTIONS McAfee and the McAfee logo, McAfee Active Protection, epolicy Orchestrator,

More information

Client Installation and User's Guide

Client Installation and User's Guide IBM Tivoli Storage Manager FastBack for Workstations Version 7.1 Client Installation and User's Guide SC27-2809-03 IBM Tivoli Storage Manager FastBack for Workstations Version 7.1 Client Installation

More information

ForeScout Extended Module for IBM BigFix

ForeScout Extended Module for IBM BigFix ForeScout Extended Module for IBM BigFix Version 1.0.0 Table of Contents About this Integration... 4 Use Cases... 4 Additional BigFix Documentation... 4 About this Module... 4 Concepts, Components, Considerations...

More information

Using the VMware vrealize Orchestrator Client

Using the VMware vrealize Orchestrator Client Using the VMware vrealize Orchestrator Client vrealize Orchestrator 7.0 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by

More information

MEDIASEAL Encryptor Client Manual

MEDIASEAL Encryptor Client Manual MEDIASEAL Encryptor Client Manual May 2018 Version 3.7.1 Fortium Technologies Ltd www.fortiumtech.com Copyright 2018 - Fortium Technologies Ltd Information contained in this document is subject to change

More information

ForeScout CounterACT. Configuration Guide. Version 3.4

ForeScout CounterACT. Configuration Guide. Version 3.4 ForeScout CounterACT Open Integration Module: Data Exchange Version 3.4 Table of Contents About the Data Exchange Module... 4 About Support for Dual Stack Environments... 4 Requirements... 4 CounterACT

More information

McAfee Endpoint Security Migration Guide. (McAfee epolicy Orchestrator)

McAfee Endpoint Security Migration Guide. (McAfee epolicy Orchestrator) McAfee Endpoint Security 10.6.0 - Migration Guide (McAfee epolicy Orchestrator) COPYRIGHT Copyright 2018 McAfee, LLC TRADEMARK ATTRIBUTIONS McAfee and the McAfee logo, McAfee Active Protection, epolicy

More information

File Reputation Filtering and File Analysis

File Reputation Filtering and File Analysis This chapter contains the following sections: Overview of, page 1 Configuring File Reputation and Analysis Features, page 5 File Reputation and File Analysis Reporting and Tracking, page 14 Taking Action

More information

Sophos Central Admin. help

Sophos Central Admin. help help Contents About Sophos Central... 1 Activate Your License...2 Overview... 3 Dashboard...3 Alerts...4 Logs & Reports... 10 People... 25 Devices... 34 Global Settings...50 Protect Devices...78 Endpoint

More information

Product Guide. McAfee Plugins for Microsoft Threat Management Gateway Software

Product Guide. McAfee Plugins for Microsoft Threat Management Gateway Software Product Guide McAfee Plugins for Microsoft Threat Management Gateway 1.4.0 Software COPYRIGHT Copyright 2011 McAfee, Inc. All Rights Reserved. No part of this publication may be reproduced, transmitted,

More information