Release Notes McAfee Application Control 6.1.0


Contents: About this document; New features; Known issues; Resolved issues; Installation instructions; Find product documentation

About this document

Thank you for choosing this McAfee product. This document contains important information about the current release. We strongly recommend that you read the entire document.

New features

Here is a list of new and updated features included with this release of the product.

For Windows

Added the Self Approval feature

Application Control prevents any unauthorized or unknown application from running on protected endpoints. When the Self Approval feature is enabled and a user tries to run an unknown application on a protected endpoint, the user is prompted to approve or deny the execution. If the user approves, the application runs on the endpoint and the business need or justification the user entered is sent to the McAfee ePO administrator. The administrator reviews the request and justification and can define rules to allow or ban the application for one or all endpoints in the enterprise. Because the application runs as soon as the user approves it, the administrator's review is after the fact rather than a gate on execution. For detailed information, refer to the Managing approval requests section in the McAfee Change Control and Application Control 6.1.0 Product Guide.

Enhanced the Observe mode feature

Starting with this release, the Observe mode feature has been improved to simplify management of the observations it generates. The Predominant Observations dashboard and Predominant Observations page have been introduced, and Advanced Exclusion Filters can now be defined for observations. For detailed information on this feature, refer to the Deploying Application Control in Observe mode section in the McAfee Change Control and Application Control 6.1.0 Product Guide.
Added the Forced DLL Relocation technique

Typically, ASLR randomizes the addresses at which modules are loaded, so an attacker cannot rely on code or data sitting at predictable locations. The limitation is that a module only takes part if it was linked with the dynamic-base flag (the /DYNAMICBASE linker option, recorded in the DllCharacteristics field of the PE header); a module built without it is loaded at its preferred base address. Starting with this release, the Forced DLL Relocation memory-protection technique forces modules to be loaded at randomized addresses in a target process regardless of the flags they were compiled with. Exploits that use return-oriented programming (ROP) and rely on predictable mappings will fail. Note that a module whose relocation information was stripped at link time (the /FIXED option, which also removes the .reloc section) cannot be rebased by anyone, so it is the presence of relocation data, not the flag, that decides whether a module can be moved. This technique is available only on Windows Vista and later platforms and is enabled by default. The VASR_VIOLATION_DETECTED event is generated when the Forced DLL Relocation technique blocks a file or application from running.
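The two PE header fields behind this behaviour, as an added example (not McAfee code and not part of the original release note): the optional header's DllCharacteristics carries IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE, the ASLR opt-in the note refers to, and the COFF header's Characteristics carries IMAGE_FILE_RELOCS_STRIPPED, which marks a module that cannot be rebased at all. The parser below reads both from any PE file and reports whether a module is already randomized, is a candidate for forced relocation, or cannot be relocated by anyone. The build_test_pe helper constructs minimal header-only images for offline testing; they are not loadable binaries. Whether Application Control itself consults the relocation flag is not stated in the release note; that check is this example's own addition.

```python
"""Report the ASLR posture of a PE module from its headers.

Added example, not McAfee code. Two flags matter:
  IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE (optional header) - module opted into ASLR
  IMAGE_FILE_RELOCS_STRIPPED (COFF header)               - no .reloc data, cannot be rebased
A loader that forces relocation can move a module lacking the first flag, but
nothing can move a module carrying the second one.
"""
import struct
import sys

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040   # set by the /DYNAMICBASE linker option
IMAGE_FILE_RELOCS_STRIPPED = 0x0001              # set by /FIXED; .reloc section is gone
IMAGE_FILE_DLL = 0x2000
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def pe_aslr_status(image: bytes) -> dict:
    """Parse the DOS, COFF and optional headers of a PE image and classify it."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff_off = e_lfanew + 4
    opt_off = coff_off + 20                      # IMAGE_FILE_HEADER is 20 bytes
    if len(image) < opt_off + 72:
        raise ValueError("truncated header")
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    (_machine, _nsections, _stamp, _symptr, _nsyms,
     size_opt, coff_chars) = struct.unpack_from("<HHIIIHH", image, coff_off)
    (magic,) = struct.unpack_from("<H", image, opt_off)
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError(f"unknown optional header magic 0x{magic:x}")
    if size_opt < 72:
        raise ValueError("optional header too short for DllCharacteristics")
    # DllCharacteristics is at offset 70 of the optional header for both PE32 and
    # PE32+: the layouts differ only in how the 8 bytes before SectionAlignment
    # are split between BaseOfData and ImageBase.
    (dll_chars,) = struct.unpack_from("<H", image, opt_off + 70)
    relocs_stripped = bool(coff_chars & IMAGE_FILE_RELOCS_STRIPPED)
    return {
        "pe32plus": magic == PE32PLUS_MAGIC,
        "opted_in_aslr": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "relocs_stripped": relocs_stripped,
        # forced relocation only helps modules that still carry .reloc data
        "forced_relocation_possible": not relocs_stripped,
    }


def classify(image: bytes) -> str:
    """One-line verdict in the terms used by the release note."""
    s = pe_aslr_status(image)
    if s["opted_in_aslr"]:
        return "randomized by the OS (opted in)"
    if s["forced_relocation_possible"]:
        return "fixed base unless relocation is forced (candidate for Forced DLL Relocation)"
    return "relocations stripped: cannot be rebased even when forced"


def build_test_pe(dll_characteristics: int, coff_characteristics: int = IMAGE_FILE_DLL,
                  pe32plus: bool = False) -> bytes:
    """Constructed, header-only PE image for offline testing (not loadable)."""
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    size_opt = 112 if pe32plus else 96           # optional header without data directories
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0,
                       size_opt, coff_characteristics)
    opt = bytearray(size_opt)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<H", opt, 70, dll_characteristics)
    return dos_header + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            print(classify(f.read(4096)))        # both headers sit in the first few KB
    else:
        cases = [
            ("opted-in DLL", build_test_pe(IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)),
            ("legacy DLL", build_test_pe(0)),
            ("/FIXED DLL", build_test_pe(0, IMAGE_FILE_DLL | IMAGE_FILE_RELOCS_STRIPPED)),
        ]
        for name, img in cases:
            print(f"{name}: {classify(img)}")
```

Run it with the path of a .dll or .exe to classify a real module, or with no arguments to see the three synthetic cases. Reading the first 4 KB is enough because both headers precede the section data; a module reported as "fixed base unless relocation is forced" is exactly the kind the Forced DLL Relocation technique moves, while a "relocations stripped" module will keep its preferred address whatever the protection does.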

For detailed information on this memory-protection technique, refer to the Getting started with Application Control section in the McAfee Change Control and Application Control 6.1.0 Product Guide.

Improved application categorization in inventory

Starting with this release, the inventory user interface has been enhanced to improve the categorization of the applications listed in the inventory. For detailed information on this feature, refer to the Managing the inventory section in the McAfee Change Control and Application Control 6.1.0 Product Guide.

Improved the inventory feature

Starting with this release, the inventory information shown at the McAfee ePO console for an endpoint is updated at regular intervals based on changes made at the endpoint. A change to an endpoint's inventory is pushed to the McAfee ePO server after the next agent-to-server communication interval (ASCI) lapses, so the inventory at the server keeps up with changes at the endpoints without an administrator having to fetch an endpoint's inventory manually. For detailed information on this feature, refer to the Managing the inventory section in the McAfee Change Control and Application Control 6.1.0 Product Guide.

For Linux

Introduced framework for dynamic kernel support

Starting with this release, a new framework supports product deployment on any kernel version. In previous releases, deployment was limited by the need for pre-compiled kernel modules specific to the underlying kernel. The framework:
- Provides pre-compiled binary files of the kernel modules for a set of kernels; on these kernels the modules are installed directly, without compilation.
- Includes the capability to compile the kernel modules on the target. If no pre-compiled binary is available for a kernel, deployment is supported through compilation (which presupposes that the matching kernel headers and a compiler are present on the endpoint).
- Adds support to recompile the kernel modules on the target if the kernel is upgraded on an endpoint with an existing installation.
For detailed information, refer to the McAfee Change Control and Application Control 6.1.0 Installation Guide.

Improved the hashing technique

Starting with this release, CLI passwords are hashed with the SHA-2 family (SHA-512) instead of SHA-1, which was used in previous releases. Note that this is hashing, not encryption: the stored value cannot be turned back into the password. SHA-1 produces a 160-bit digest; SHA-512 produces a 512-bit digest. A longer digest on its own does not stop rainbow table (precomputed hash) attacks on an unsalted password hash; the salting described next is what does.

Implemented password protection

Starting with this release, a salt is appended to the password before its hash is computed. A salt is a random value stored with the hash, so the same password hashed on two different systems yields two different values and an attacker cannot precompute one table of hashes that works against every installation. This is what protects the stored password from rainbow table attacks.

Added support for noninteractive CLI

Use the -z switch to supply the CLI password with a command so that the system does not prompt for it. The switch can be used with all CLI commands. For example, if a CLI password is set and you issue the sadmin loglevel command, the system immediately prompts for the password; with the switch, sadmin loglevel -z <password> provides the password together with the command. Keep in mind that a password passed as a command-line argument is typically visible in process listings and may be recorded in the shell's command history, so reserve -z for scripted use and protect the scripts that contain it.

Optimized policy application at endpoints

In previous releases, policies were applied to the endpoints every 5 minutes regardless of whether they had changed. Starting with the 6.1 release, the checksum of the policies on the McAfee ePO console is computed and compared with the checksum of the policies already applied on the endpoint. Policies are applied only if the two checksums differ, indicating that the policy has changed.

Known issues

For known issues in this product release, refer to KnowledgeBase article KB76457.

Resolved issues

Solidcore Extension

All

3-2084880486 - When you are using either the Application Control or the Change Control license and customize the columns on the Systems page to include the Solidcore App Control Client Status and Solidcore Change Control Client Status fields, the fields display inaccurate status for the products. For example, if only the Application Control license is in use, the status field for Change Control is erroneously populated with the same status as that for Application Control. Similarly, when only the Change Control license is applied on an endpoint, the status field for Application Control displays a value.
3-2010322266 - When saving a rule group containing a large number of rules, an HTTP 400 Bad Request error is displayed. This is a user interface defect and does not affect the operation being performed.

Windows only (all versions)

3-2049786270 - The Active Directory Group Synchronizing task commits data only after synchronizing all the Active Directory groups in the Rule Groups and policy tables. This can cause the Policy Catalog page to hang if a number of Active Directory groups are added to a policy.
3-2379599621 - A trusted user configured using the Active Directory import feature is unable to modify files on a network directory. Note: The fix for this issue is available when you upgrade both the Solidcore Extension and the Solidcore Client to version 6.1.0.
3-2345668952 - When using McAfee ePO 4.5, importing trusted user information from Active Directory (AD) fails and an error message is generated.
3-1901614702 - If you sort the information on the Observations page by the Binary Name column, the following error message is displayed: An unexpected error occurred. Error Message: DB ERROR. When you click OK, the events are displayed correctly on the page.
784464 - When you click the legend on the Predominant Observations dashboard, the last-visited tab from the Observations page is displayed.

Windows, Linux, and Solaris

# 3-2102561562 - Fetching inventory details from multiple hosts that have the same SHA1 files may cause a memory issue.
3-1672792543 - After upgrading from version 5.1.2 to 6.0.0, accessing the Rule Groups page displays an Internal Server Error. This occurs because of a problem with the Import/Export functionality of the Solidcore 5.x extension.
3-2278261376 - When using Debug mode to log information, the Application Control software populated the log file with complete inventory information for endpoints. This caused the log file to fill up quickly and resulted in an Out Of Memory error.
724341 - An error message is displayed if a non-administrative user attempts to view the Systems Distribution by Inventory Age monitor in the Solidcore: Inventory dashboard.
766734 - When you review details for any File Write Denied, Process Hijacked, Execution Denied, ActiveX Install Prevented, or NX Violation Detected event from the Solidcore Events page, the Event Details page now includes a new field named Reason. This field provides a rationale for the generated event.

Note: Although the Solidcore client for 6.1 is available only for the Windows and Linux platforms, the issues marked with # have also been addressed for the Solaris platform. So, if you use the Solidcore 6.1 extension with the Solidcore 5.1.2 client on the Solaris operating system, you will no longer face these issues.

Solidcore Client

Windows only (all versions)

3-1901954232 - When using the End User Notifications feature with the Lotus Notes client 8.5.1, the email message is sent successfully but its structure is incorrect: the email content is placed in the subject instead of the body.
3-1920207502 - When you open a PDF file from a network share (with Application Control 6.0 installed), the selected PDF file opens, but an Execution Denied message is erroneously generated for the directory that contains the PDF file.
3-2002658411 - When Application Control is in Observe mode, observations are generated if an unsupported file is modified using an interpreter process.
3-1972356921/3-2071863836 - If Application Control is enabled, a memory-protection error is observed when using Microsoft Outlook to send an email message.
3-2029710151 - When trying to enforce policies on an endpoint, naprdmgr.exe stops responding, resulting in policy enforcement errors.
3-2005882491 - When whitelisted files are modified, the Application Control software may fail to update the corresponding attribute values for the modified files in the inventory. This prevents the execution of the files.
3-2000672212/3-2110862651 - When Application Control or Change Control is enabled, the system becomes unresponsive because the Internet Explorer browser hangs.
3-1974148892 - When the script-as-updater feature is enabled, cmd.exe crashes while executing logon scripts.
3-2036693852 - When running the nightly backup of the Active Directory server, the system hangs.
3-2106040598 - If checksum computation for a process fails, the corresponding updater rules or privileges are not checked.
3-2092965253/3-2253788741 - The system crashes at boot time while loading Microsoft-signed files (SHA2 checksum). The crash occurs when the certificate associated with the file is added to the Application Control certificate store.
3-2113697262 - Although the user is configured as an updater, the Application Control software prevents modification of solidified files that are placed on a shared location on the network.
3-2098125069 - When Application Control is enabled on IBM POS devices, the system crashes when starting. This occurs because the system tries to load a driver with /dosdevices/ in the path.
3-2111796241 - When using the Critical Address Space Protection memory-protection technique in Application Control, the memory allocated to the threads of a process is not freed until the process terminates.
3-2188692825 - If you create an exception rule for Process Context File Operations Bypass without specifying the parent in the General Policy, Application Control erroneously refuses to save the rule until you specify the parent process.
3-2217138147 - If Application Control is enabled, the system stops responding when a USB device is inserted.
3-2253753361 - When Application Control is enabled and you try to run a non-existent script file, an Access Denied error is generated instead of a File Not Found error.
3-2280696682/3-2341792222 - When the Package Control feature is enabled in the Application Control software, the installation of some software may fail.
3-2462719551 - When in Update mode, if you copy a directory from one location to another, not all the files contained in the directory are solidified; only the first file in the directory is solidified.
3-1841594417 - When booting a system with the BASEVIDEO switch, the Solidcore service stops running and an error message is displayed.
3-1936123441 - After installation, the output of the sadmin help command correctly reflects the default locale set for your system. If you then use the sadmin config set command to reset the output to the default locale (as per your system configuration), the sadmin help output erroneously defaults to English, regardless of the default locale set for your system.
3-2104257380 - If deployed from the McAfee ePO console using HTTP repositories, the deployment of Solidcore Client 6.0 (for Windows) fails.
3-2012566114 - On the Windows platform, mp-nx bypass was not working. In addition, the Solidcore software was preventing the execution of the Gravitix application. Because mp-nx bypass was not working, there was no alternative method to allow execution of the Gravitix application.
723624 - Execution Denied events may be generated for some DLL files with searchprotocolhost.exe as the process name. These events have no functional impact.

Windows Vista and later platforms

3-1998082271 - If you are installing updates or patches on the NTFS file system, the operating system performs transacted operations (because of the Transactional NTFS (TxF) feature of NTFS). When these transacted operations are performed and Application Control is enabled, the system may stop responding.
3-2368437511 - When Change Control or Application Control is enabled on an endpoint running Windows Vista or a later operating system, deleting the preset CLI password gives an error.

Windows 2008 and Windows 7 platforms, and Windows 2000 Server

3-2208490121 - The system stops responding while launching the Error Reporting Manager application.
3-2051821513 - The system behaves erratically (stops responding and causes other issues) during boot time. This occurs because the swin driver is unable to read the ntdll.dll file at boot time.

Installation instructions

For detailed install and upgrade instructions, see the McAfee Change Control and Application Control 6.1.0 Installation Guide.

System requirements

To review the system requirements for this product release, refer to KnowledgeBase article KB76459.

Upgrade support

Solidcore Extension: This release supports upgrade from Solidcore Extension versions 5.1.0, 5.1.1, 5.1.2, 6.0.0, and 6.0.1.
Solidcore Client (Windows): This release supports upgrade from Solidcore Client versions 5.1.0, 5.1.1, 5.1.2, 6.0.0, and 6.0.1.
Solidcore Client (Linux): This release supports upgrade from Solidcore Client versions 5.1.0, 5.1.1, and 5.1.2. Upgrade is also supported from the monthly kernel releases.

Supported Linux kernels

To review the list of Linux kernels for which pre-compiled binary files are available with this product release, refer to KnowledgeBase article KB76544.

Solidcore help extension installation

The help extension (for Change Control and Application Control) is available as an independent file and is not integrated with the Solidcore extension. To access the help pages, first install the Solidcore extension and then install the Solidcore help extension. For detailed instructions on how to install the Solidcore extension, see the McAfee Change Control and Application Control 6.1.0 Installation Guide. To install the Solidcore help extension, repeat the steps performed to install the Solidcore extension.

Find product documentation

McAfee provides the information you need during each phase of product implementation, from installation to daily use and troubleshooting. After a product is released, information about the product is entered into the McAfee online KnowledgeBase.

Task
1. Go to the McAfee Technical Support ServicePortal at http://mysupport.mcafee.com.
2. Under Self Service, access the type of information you need:
   - User documentation: click Product Documentation, select a product, select a version, then select a product document.
   - KnowledgeBase: click Search the KnowledgeBase for answers to your product questions, or click Browse the KnowledgeBase for articles listed by product and version.

Copyright 2012 McAfee, Inc. Do not copy without permission. McAfee and the McAfee logo are trademarks or registered trademarks of McAfee, Inc. or its subsidiaries in the United States and other countries. Other names and brands may be claimed as the property of others.