Best Practices Guide

McAfee Application Control 7.0.x For use with McAfee ePolicy Orchestrator 5.3.x

COPYRIGHT © 2016 Intel Corporation

TRADEMARK ATTRIBUTIONS Intel and the Intel logo are registered trademarks of the Intel Corporation in the US and/or other countries. McAfee and the McAfee logo, McAfee Active Protection, McAfee DeepSAFE, ePolicy Orchestrator, McAfee ePO, McAfee EMM, McAfee Evader, Foundscore, Foundstone, Global Threat Intelligence, McAfee LiveSafe, Policy Lab, McAfee QuickClean, Safe Eyes, McAfee SECURE, McAfee Shredder, SiteAdvisor, McAfee Stinger, McAfee TechMaster, McAfee Total Protection, TrustedSource, VirusScan are registered trademarks or trademarks of McAfee, Inc. or its subsidiaries in the US and other countries. Other marks and brands may be claimed as the property of others.

LICENSE INFORMATION License Agreement NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND.


McAfee Application Control 7.0.0

Best Practices Guide

Table of Contents

Purpose of this guide ..... 5
Using this guide ..... 5
Find product documentation ..... 6
1 Before you begin ..... 8
  Supported McAfee ePO versions ..... 8
  Customizing McAfee default configuration ..... 8
  Disabling unwanted applications and files ..... 9
  Layering security protection ..... 9
  Applying updates and patches ..... 10
  Using recommended configuration ..... 10
  Understanding Trusted Sources ..... 11
2 Installing and upgrading AppControl ..... 13
  Determining database sizing ..... 13
  Estimate Database Storage before Deployment ..... 13
  Installing in cloned or imaged environments ..... 14
  Installing with third-party tools ..... 14
  Rollout Overview ..... 15
  Upgrading Application Control ..... 16
3 Deploying Application Control in Observe Mode ..... 17
  Deployment strategy ..... 17
  Deployment workflow ..... 18
  Deployment recommendations and guidelines ..... 19
  Deployment Process ..... 22
4 Defining policies ..... 24
  Before you begin ..... 24
  Guidelines for policies ..... 25
  Creating policies ..... 26
5 Managing inventory ..... 28
  Recommendations for fetching inventory ..... 28
  Best practices for managing applications ..... 28
  Defining inventory filters ..... 30
  Guidelines for Whitelisting ..... 31
  Using reputation sources ..... 32
  Best practices for configuring reputation sources ..... 33
  Processing events ..... 33
  Reports to run ..... 33
7 Optimizing your software ..... 35
  Recommended tasks ..... 35
  Applying Windows updates ..... 36
  Managing Solidcore client tasks ..... 36
  Configuring alerts ..... 37
  Configure an alert ..... 37
  Monitoring server performance ..... 38
  Using McAfee Assurance Information Module ..... 38
8 Troubleshooting ..... 39
  Suspending Deployment ..... 39
  Location of Solidcore Files on Endpoint ..... 39
Tuning Rules of Engagement ..... 42
  Level of Restriction ..... 42
  Choosing an updater ..... 43
Other Considerations ..... 45
DoD-Specific Caveats / Known Issues ..... 46
Resources ..... 47
APPENDIX ..... 49
Frequently asked questions (FAQs) ..... 52


Purpose of this guide

This document provides information about the McAfee Application Control software so that you can use it easily and effectively. It also outlines core recommendations for using Application Control; use them to plan and maintain your software deployment. This document is one component of the Application Control documentation set and supplements the information in the other documents. The information contained in the other guides is not duplicated here, but this guide points you to it. For a list of the other documents in the set, see Using this guide.

Use the information in this document during these five stages.

Stage | Associated chapters
Installing and configuring your software | Before you begin; Installing and upgrading Application Control
Deploying your software | Deploying Application Control in Observe mode; Defining policies
Managing and reporting on your environment | Managing inventory; Maintaining your software
Maintaining and optimizing your software | Optimizing your software; Frequently asked questions
Troubleshooting | Solidcore CLI; DoD Specific Caveats

Using this guide

Here are a few prerequisites for using this document.

• Review the McAfee ePolicy Orchestrator Best Practices Guide. The guidelines and recommendations included in this guide are for use with McAfee ePO 5.0 and later. For more information about the recommended McAfee ePO versions, see Supported McAfee ePO versions.



• Use this document together with the other existing Application Control documents. This guide is not a comprehensive guide for all implementations. To fully understand the recommendations included in this guide, you must have a basic understanding of the Application Control software. If you need more information, see one of these documents:

Document | Configuration | Description
McAfee Change Control and McAfee Application Control 7.0.0 Product Guide | Managed | Information to help you configure, use, and maintain the product.
McAfee Change Control and McAfee Application Control 6.2.0 Help | Managed | Context-sensitive help for all product-specific interface pages and options in McAfee ePO.
McAfee Change Control and McAfee Application Control 7.0.0 Installation Guide | Managed | Information to help you install, upgrade, and uninstall the product.
McAfee Application Control 7.0.0 Product Guide | Standalone | Information to help you use and maintain the product.
McAfee Change Control and McAfee Application Control 7.0.0 Installation Guide | Standalone | Information to help you install, upgrade, and uninstall the product.
McAfee Application Control 7.0.0 Command Line Interface Guide | Standalone | All Application Control commands that are available when using the command line interface (CLI).

These guides are available on the McAfee Support page.

Find product documentation

On the ServicePortal, you can find information about a released product, including product documentation, technical articles, and more.

Task
1 Go to the ServicePortal at https://support.mcafee.com and click the Knowledge Center tab.
2 In the Knowledge Base pane under Content Source, click Product Documentation.
3 Select a product and version, then click Search to display a list of documents.

SCOPE

This document provides best practices for implementing and using the McAfee Application Control (MAC) module. MAC is a CND (computer network defense) tool that prevents unauthorized applications from running on a system. This document is a guide to setting up and tuning MAC using best practices and examples. It is not a step-by-step guide to setup and tuning, because each network operates differently; Application Control should be tuned uniquely to each environment. **MAC is licensed for Microsoft Windows workstations only.

PERSPECTIVE

This document is written with the understanding that the user has strong skills in Windows technologies, including installation, configuration, and security, and is currently an HBSS Administrator.

HELP DESK

Questions, comments, or concerns regarding this document should be directed to:

HBSS Help Desk
Email: [email protected]
Phone: 1 (844) 347-2457, options 1, 5, and 4, or DSN 850-0032, options 1, 5, and 4

RECOMMENDATIONS

Review this entire guide before taking action.

1 Before you begin

Follow these security best practices to appropriately configure the protection available with Application Control and make your environments as safe as possible.

Contents
Supported McAfee ePO versions
Customizing McAfee default configuration
Disabling unwanted applications and files
Layering security protection
Applying updates and patches
Using recommended configuration

Supported McAfee ePO versions

This release of McAfee Application Control is compatible with these versions of McAfee ePO.

• McAfee ePO 5.0.1 to 5.1.3
• McAfee ePO 5.3.0

Refer to KB73341 to determine supported McAfee ePolicy Orchestrator versions. We don't guarantee that McAfee Application Control works with other versions of McAfee ePO.

Customizing McAfee default configuration

Use these guidelines to customize the default configuration.

1 Evaluate the customer environment. The McAfee default configuration is optimal for most enterprise security requirements. However, work with your Sales Engineer to evaluate the configuration against your specific workflows, applications, and requirements.

2 Build and test a custom configuration. After completing the environment analysis, build and test the configuration in a staging environment before rollout.

3 Assess security against usability. Before creating the default configuration, weigh the risk against the usability of the system and its applications. Several features of Application Control restrict or allow users to run applications on the endpoint. For example, the self-approval feature allows users to run business-critical applications immediately instead of waiting for approval. This feature can be enabled on specific endpoints, as needed. For servers, we recommend that you disable this option.


Disabling unwanted applications and files

Review the installed applications on your managed endpoints and disable any unwanted applications, script interpreters, and binary files.

1 Identify unwanted applications. Application Control pulls the entire inventory of each system to the McAfee ePO console, which gives you a view of all installed applications on your managed endpoints. Evaluate all installed applications and identify any that are not required or allowed in the enterprise.

2 Ban or remove the unwanted items. Either ban or remove all unneeded and unsafe inventory items, such as applications, script interpreters, or binary files. This reduces the threat exposure of your environment. Application Control and McAfee ePO work together to meet and enforce the security requirements in your environment.

For more information about managing inventory, see the McAfee Change Control and McAfee Application Control Product Guide. For more information about inventory-related best practices, see Managing inventory.

Layering security protection

Adding different layers of security products provides additional protection and effectively secures your enterprise.

Layer | Description
Perimeter security | Network security for endpoints that are exposed to the external world, to prevent unwanted attacks on the system. For example, you can deploy McAfee Web Gateway and McAfee Firewall Enterprise to protect endpoints.
Physical access security | Protecting endpoints from unauthorized physical access and offline access to the system drive. We recommend using encryption software.
Administrator access control | Protecting endpoints against unauthorized administrative access, using the principle of least privilege. Role Based Access Control and User Access Control allow access only to authorized users.
Endpoint security controls | Deploy endpoint controls based on the security requirements of your organization. Although Application Control provides protection through multiple techniques, you might need additional products to ensure that endpoints are protected. Collaborate with your Sales Engineer for information and guidance on other security controls that can be used. Based on your requirements, you can choose to deploy products such as McAfee Email Protection, McAfee Web Protection, McAfee Endpoint Encryption, McAfee Data Loss Prevention (McAfee DLP), and McAfee Deep Defender.

Applying updates and patches

Apply updates and security patches as soon as possible to keep systems protected, especially the critical security patches recommended by operating system and application vendors. The presence of Application Control can mitigate the risk created by delays in applying updates. However, if the attack involves a critical system process, the buffer-overflow mitigation might itself result in a denial of service (DoS) or make the system unusable.

Using recommended configuration

Use these guidelines to configure Application Control in your enterprise for optimal protection.

Memory protection: The memory protection features of Application Control (CASP, VASR, DEP) protect against exploits that cause buffer overflows. Enable all memory protection features and consult the McAfee support team to evaluate the risk of any exception or bypass. For more information, see the McAfee Change Control and McAfee Application Control Product Guide.

Script authorization: A default script interpreter list comes with the product to whitelist script execution. Update the list based on the scripts and interpreters used or allowed in your organization. Script interpreters such as PowerShell, Perl, PHP, and Java, and their supported extensions, must be evaluated. Adding scripting languages changes the security posture of a system. Consider several factors before deciding, such as:
• Administrative capabilities
• Degree of expected exposure of the system to potential attack
• Level of approval to grant scripting access and administrative permissions
• Ancillary access controls that might protect networks and systems
Periodically review the list of allowed script interpreters as security needs and circumstances change. If any script interpreters are present but not in use, remove them from the whitelist and prevent them from executing. For more information, see the McAfee Application Control Product Guide. The needed commands can be issued from the McAfee ePO console using the SC: Run Commands client task.

Trusted update mechanisms: Application Control includes various methods to ensure proper functioning and updating of applications. We also provide a default list of trusted executables. We recommend that you update or change this list carefully. For more information, see the McAfee Change Control and McAfee Application Control Product Guide.

Alerts and notifications: Constant monitoring is an integral part of protecting your systems. Application Control sends events to the McAfee ePO console whenever it prevents an unwanted operation. We recommend configuring the required alerts and email notifications so that you are aware of activity on the endpoints. For more information, see Configuring alerts.

Understanding Trusted Sources

Application Control provides several mechanisms to help the administrator create a dynamic whitelisting solution. Administrators can use one or more of these mechanisms to allow authorized change agents to create, modify, update, or delete files in the whitelist. To design a trust model and allow additional users or programs to modify a protected endpoint, you can use one of these methods of trust. The trust model is configured per rule and/or per rule group.

Trusted sources:
• Allow changes in a controlled manner
• Allow applications not in the whitelist to run
• Are used to update an endpoint

Types of trusted sources:
• Updater: application processes that are permitted to change the system; they are not authorized automatically
• Binary: a single binary
• Publisher: a trusted certificate associated with a software package
• Installer: programs that can install or update software. The installer's SHA-1 hash is registered so that it is allowed to run; the installer itself does NOT need to be present on the system
• Trusted User: users who can install programs and run executables
• Trusted Directory: directories containing trusted applications that you want to make updaters

BEST PRACTICE: Understand the differences between the trusted sources before implementing.

Update Mode

Use Update mode to perform scheduled or emergency changes, such as software and patch installations.

• In Update mode the software remains in effect, but ad hoc changes to the endpoint are allowed and tracked.
• Use Update mode to define a change window during which you can make changes to endpoints and authorize the changes made.
• Switch to Enabled mode when the changes are complete.
• Use Update mode when enforcement is Enabled (that is, no changes are allowed on the client) and emergency changes need to be made.

NOTE: When creating an SC: Begin Update Mode task, administrators should also create an SC: End Update Mode task to end the Update Mode window.
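As an added example that is not part of the McAfee guide, the following PowerShell wraps an emergency change in an Update Mode window from the endpoint's Solidcore command line, so that the window is closed by a finally block even when the change itself fails; this is the same point as the note about always pairing Begin Update Mode with End Update Mode. The sadmin.exe path, the begin-update, end-update and status verbs, and the "McAfee Solidifier: Enabled" status line are assumptions drawn from the Solidcore CLI; confirm them against the Command Line Interface Guide for your version.

```powershell
# Added example (not from the McAfee guide): open an Update Mode window on the
# local endpoint, run a change inside it, and always close the window.
# ASSUMPTIONS: sadmin.exe install path; CLI verbs begin-update / end-update /
# status; the status output contains a line "McAfee Solidifier: <mode>".
$Sadmin = 'C:\Program Files\McAfee\Solidcore\sadmin.exe'   # assumed install path

function Invoke-Sadmin {
    param([Parameter(Mandatory)][string[]]$Arguments)
    $out = & $Sadmin @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "sadmin $($Arguments -join ' ') failed (exit $LASTEXITCODE): $out"
    }
    return $out
}

function Invoke-SolidcoreChangeWindow {
    param(
        [Parameter(Mandatory)][string]$WorkflowId,   # change-ticket reference recorded with the window
        [Parameter(Mandatory)][scriptblock]$Change   # the emergency change to run inside the window
    )
    # Only open a window from Enabled mode; refuse if the endpoint is already in
    # Update/Observe mode or the CLI is locked down (sadmin status would fail).
    $statusText = (Invoke-Sadmin -Arguments @('status')) -join "`n"
    if ($statusText -notmatch 'McAfee Solidifier:\s*Enabled') {
        throw "Endpoint is not in Enabled mode; not opening an update window.`n$statusText"
    }

    Invoke-Sadmin -Arguments @('begin-update', $WorkflowId) | Out-Null
    try {
        & $Change
    }
    finally {
        # Always end the window, even if the change threw, so the endpoint does
        # not stay open to ad hoc changes after an aborted install.
        Invoke-Sadmin -Arguments @('end-update') | Out-Null
    }
}

# Usage (constructed example: the MSI path is a placeholder):
Invoke-SolidcoreChangeWindow -WorkflowId 'CHG-0001' -Change {
    Start-Process -FilePath 'msiexec.exe' -ArgumentList '/i C:\Temp\patch.msi /qn' -Wait
}
```

Run it from an elevated prompt on the endpoint. The status check is deliberately strict: if the text of the "McAfee Solidifier" line differs on your version, adjust the regular expression rather than relaxing it to a bare "Enabled" match, because that word also appears on feature lines that are unrelated to the enforcement mode.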


The following table outlines the relative degree of restriction of each element a policy could have:

Update Window (restriction: Low)
  Business use case: emergency changes to system(s)
  Notes: create ePO client tasks to start and end the window

Trusted Users (restriction: Low)
  Business use case: administration of systems that are geographically distant

Publishers (restriction: Medium)
  Business use case: customers can sign their own code to update a system regardless of how the code enters the system, or use signed code from the vendor
  Notes: more flexibility than a hashed installer

Updater (restriction: High)
  Business use case: update existing whitelisted applications through a program that is allowed to make changes
  Notes: the most common updating method

Binary (restriction: High)
  Business use case: allow or block program execution based on name or hash. Allow: scripts created dynamically, for example by an end-of-day closing process on a kiosk for back-office reporting. Block: installed programs that shouldn't run, for example iTunes, or reduce the exposure of a server to admin-tool misuse by banning net.exe, msconfig.exe, runas.exe, netstat.exe, and so on
  Notes: used to control execution, not change, on a system

Installers (restriction: High)
  Business use case: a non-whitelisted standalone executable, identified by hash, that installs applications on a controlled system
  Notes: useful for software distribution based on approved applications

Trusted Directory (restriction: High)
  Business use case: printer drivers on a remote share, "corporate approved" applications on a share, start-up scripts
  Notes: easier to manage than a hash or certificate, but not as secure

NOTE: Updater mechanisms are global. It is not possible to specify that a particular application can only modify a specific set of code. Consider using "Installers" policies rather than "Trusted Directory" policies. Installer policies are based on the name of the installer package (for example, an MSI installer) or its binary hash. Installers are more specific and therefore more secure than Trusted Directories.

2 Installing and upgrading AppControl

Successfully installing and upgrading the software is the first step in protecting your network environment.

Contents
Determining database sizing
Installing in cloned or imaged environments
Installing with third-party tools
Upgrading Application Control

Determining database sizing

Before you install the Application Control software, you must determine the database and hardware requirements for your enterprise. Here are suggested sizing requirements for enterprises based on the number of nodes.

Enterprise size | Number of nodes | Suggested sizing requirements
Small | Fewer than 10,000 nodes | 200 GB
Medium | 10,000 to 50,000 nodes | 200 GB to 1 TB
Large | More than 50,000 nodes | 1 to 2 TB

For detailed sizing calculations and feature-specific sizing details, see the Application Control database sizing guide available in KB83754. A few Application Control features are database heavy, so we recommend that you review the guide if you are running 50,000 to 100,000 nodes.

Estimate Database Storage before Deployment

Estimate the amount of database storage you require before deploying MAC. The main factors that affect the ePO database size are events and the inventory of hosts. Use the Database Sizing Guide in KB72753 to calculate the database storage space. Assume each host will produce five Application Control events per day.

NOTE: Collecting inventory on all systems takes up considerable space in the database (approximately 5-8 MB per system). We recommend determining how much space a single system needs by checking the size of the XML file that contains its inventory. This helps determine (A) whether there is sufficient bandwidth to support inventory collection, (B) whether the hardware resources can support inventory collection and insertion, and (C) how often inventory can be collected under the hardware and networking constraints.
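To turn these figures into a planning number, here is an added PowerShell example (not from the guide) that applies the guide's per-system inventory size, its five-events-per-day assumption, and the size bands from the table above, and also reports the daily inventory transfer so the bandwidth question in (A) can be answered before scheduling the pull. The average stored event size and the event retention period are not stated in the guide; the defaults below are placeholders to replace with values measured in your own ePO database.

```powershell
# Added example (not from the McAfee guide): rough ePO database and bandwidth
# estimate for an Application Control rollout.
# Figures from the guide: ~5-8 MB inventory per system, ~5 events/system/day,
# size bands Small <10k nodes (200 GB), Medium 10k-50k (200 GB-1 TB), Large >50k (1-2 TB).
# ASSUMPTIONS (not in the guide): average stored event size and retention days.
function Get-AppControlDbEstimate {
    param(
        [Parameter(Mandatory)][int]$Nodes,
        [double]$InventoryMBPerNode = 8,    # guide: 5-8 MB per system; plan on the high end,
                                            # or pass the measured size of one system's inventory XML
        [double]$EventsPerNodePerDay = 5,   # guide's planning assumption
        [double]$EventKB = 4,               # ASSUMPTION: replace with a measured per-event size
        [int]$RetentionDays = 90            # ASSUMPTION: replace with your event purge interval
    )
    $inventoryGB = ($Nodes * $InventoryMBPerNode) / 1024
    $eventsGB    = ($Nodes * $EventsPerNodePerDay * $EventKB * $RetentionDays) / 1024 / 1024
    $band = if ($Nodes -lt 10000)     { 'Small (guide: 200 GB)' }
            elseif ($Nodes -le 50000) { 'Medium (guide: 200 GB to 1 TB)' }
            else                      { 'Large (guide: 1 to 2 TB)' }
    [pscustomobject]@{
        Nodes       = $Nodes
        InventoryGB = [math]::Round($inventoryGB, 1)
        EventsGB    = [math]::Round($eventsGB, 1)
        EstimatedGB = [math]::Round($inventoryGB + $eventsGB, 1)
        GuideBand   = $band
    }
}

# Daily inventory volume crossing the network to ePO, for the bandwidth check
# before scheduling the SC: Pull Inventory client task.
function Get-InventoryTransferMBPerDay {
    param(
        [Parameter(Mandatory)][int]$Nodes,
        [double]$InventoryMBPerNode = 8,
        [int]$PullsPerDay = 1               # guide recommends pulling inventory daily
    )
    return $Nodes * $InventoryMBPerNode * $PullsPerDay
}

# Usage (constructed figures):
Get-AppControlDbEstimate -Nodes 25000 | Format-List
"Inventory transfer per day: $(Get-InventoryTransferMBPerDay -Nodes 25000) MB"
```

Compare the EstimatedGB figure against the GuideBand it reports: if your measured event size or retention pushes the estimate above the band's upper bound, size the database for the next band and use the sizing guide in KB72753 for the detailed calculation.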


Installing in cloned or imaged environments

Application Control is compatible with cloned images. Here are the high-level steps to successfully install the software in a cloned environment:

1 Build a master image.
  a Install Application Control and place the system in Enabled mode. For details, see the McAfee Change Control and McAfee Application Control Installation Guide.
  b Place Application Control in Update mode. For details, see the McAfee Change Control and McAfee Application Control Product Guide.
  c Complete other changes, as required, before locking down the image.
  d Delete the Agent GUID value from this registry key:
    • 32-bit systems: HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates\ePolicy Orchestrator\Agent
    • 64-bit systems: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Network Associates\ePolicy Orchestrator\Agent
    If you have McAfee Agent 5.0 installed, run this command on the system (to be used as the master image) to make sure that the GUIDs are not duplicated:
    maconfig -enforce -noguid
  e Shut down the system.
2 Clone the required systems using the master image.
3 Perform any post-cloning operations or tasks to personalize the system. For example, you can configure the system for a specific user or install applications on it.
4 End Update mode and place all cloned systems in Enabled mode. For details, see the McAfee Change Control and McAfee Application Control Product Guide.
  If you choose to clone the system in Enabled mode (without placing the system in Update mode) and are using the Microsoft System Preparation Tool (Sysprep) utility, make sure that the relevant updaters are identified and applied. The required rules for this utility are added to the Operating System Imaging rule group.
5 Manage the systems using the McAfee ePO console.

Installing with third-party tools

You can install, upgrade, or uninstall Application Control using third-party tools, such as Microsoft System Center Configuration Manager.

• Make sure that McAfee Agent is installed in Managed mode on each endpoint where you want to install Application Control.
• When you configure third-party software to distribute and deploy the Application Control software, use the following command for silent installation on the Windows platform:
  /s /v" /qn UNLICVER=1"

For details about command-line arguments, see McAfee Change Control and McAfee Application Control Installation Guide for standalone configuration.

Rollout Overview

• Establish a rollout strategy
  o BEST PRACTICE: Use a phased rollout to enable Solidcore. Because everything isn't rolled out at once, the organization doesn't have to deal with all the potential implementation issues at the same time. Information learned from early implementation stages can be applied to guide the rest of the process so that there are fewer issues as the implementation continues.
• Establish a plan to handle requests/issues
• Set up a task to pull and review the inventory of test systems daily
  o BEST PRACTICE: Pull inventory daily with the Pull Inventory Client Task (select SC: Pull Inventory)
  o Review applications in Solidcore Inventory (Menu | Application Control | By Application tab). By default, applications are sorted by McAfee Global Threat Intelligence (GTI) file reputation. Note: GTI requires an internet connection.
  o You can also fetch inventory for a single system, but this is NOT recommended (Menu | Application Control | Inventory | By Systems)
  o Identify unwanted applications, script interpreters, or binaries from the Inventory
  o Ban or remove unneeded or unsafe inventory items
• Begin phased rollout
  o End Observe mode and place endpoints in Enable Mode (SC: Observe Mode client task, select End Observe Mode and Enable Solidcore client)
  o If there are issues on the endpoint, place the endpoint(s) in Update Mode to allow all changes
    ▪ Make the necessary exclusion or add an authorized updater
    ▪ Test with the endpoint still in Update Mode. See if the event was allowed. If allowed, note the issue to prevent the same problem happening in future rollouts
    ▪ End Update Mode on the endpoint and switch to Enable Mode
• Complete phased rollout
• To view events for Solidcore, navigate to Menu | Reporting | Solidcore Events


Upgrading Application Control

Follow the recommendations to successfully upgrade the software.

• Upgrade the Solidcore extension before upgrading the Solidcore client.
• Review the Solidcore extension usage guidelines.

  Guideline: You cannot use an old version of the Solidcore extension with a new version of the Solidcore client.
  Example: Solidcore 7.0.0 client cannot be run with the Solidcore 6.2.0 extension.

  Guideline: You can use a new version of the Solidcore extension with an old version of the Solidcore client.
  Example: Solidcore 6.2.0 client can be run with the Solidcore 7.0.0 extension.

• Use these modes for upgrading the Solidcore client.

  Operating system   Managed configuration   Standalone configuration
  -----------------  ----------------------  ------------------------
  UNIX and Linux     Update mode             Update mode
  Windows            Enabled mode            Update mode


3 Deploying Application Control in Observe Mode

Use Observe mode to put systems through a full-functionality testing cycle that allows you to identify and review policy suggestions. Observe mode offers two benefits.

• Helps you develop policies and determine rules that allow applications to run in Enabled mode
• Allows you to validate policies and check that the created rules allow authorized changes on endpoints

Complete your initial deployment and testing in a non-production or test environment before deploying to the production environment.

Contents
Deployment strategy
Deployment workflow
Deployment recommendations and guidelines

Deployment strategy

When using Observe mode, deploy Application Control in incremental batches of 10,000 endpoints. For example, if you have 50,000 endpoints in your enterprise, you must deploy in five batches of 10,000 endpoints. This approach allows you to effectively manage deployment and identify relevant rules. When a batch meets the required criteria (review the deployment workflow), change the mode to Enabled for this batch of endpoints. Also, place a new batch of endpoints in Observe mode. To ensure optimal performance, run only two batches simultaneously in Observe mode. Before adding a new batch to Observe mode, verify that no upcoming planned activity, such as maintenance tasks or Windows update applications, will impact the request rate for the current batch in Observe mode.

  Enterprise size   Number of nodes              Batch size               Suggested deployment period
  ----------------  ---------------------------  -----------------------  ---------------------------
  Small             Less than 10,000             10,000 nodes per batch   2–3 weeks
  Medium            Between 10,000 and 50,000    10,000 nodes per batch   6–7 weeks
  Large             More than 50,000             10,000 nodes per batch   12–13 weeks


Deployment workflow Here is the high-level workflow that you must follow for each batch when deploying Application Control.


Deployment recommendations and guidelines

Follow these recommendations and guidelines to successfully deploy in Observe mode.

Task: Identify and place the endpoints in Observe mode to analyze product impact on the endpoints and identify and define the required rules.

• Number of endpoints — For effective deployment in a large setup, begin with an initial batch of 10,000 endpoints.
• Selecting endpoints — Select any 10,000 endpoints from your setup and place them in Observe mode. If your existing groups consist of similar endpoints, this allows you to analyze product impact on the endpoints, discover policy groups, and validate the policies to apply to each group. To reduce deployment time and quickly identify relevant rules, you can instead select or create a group that more accurately represents the enterprise. If you have multiple types of endpoints in your setup, create a subgroup within each existing group. For example, the HR subgroup within HR Department group. Use a combination of all subgroups, such as HR, Finance, Engineering, IT, and Admin to identify 10,000 endpoints for initial deployment. Because you select endpoints from varied groups, you effectively choose a set of endpoints with different operating systems, across different locations, used for different purposes and with varying usage. This type of selection effectively represents each type of system in the enterprise and allows you to quickly identify and define the required rules. After you identify the rules for this representative set, you can reduce deployment time by directly placing the remaining endpoints (within each group) in Enabled mode.
• Pre-deployment tasks — Complete these activities for your endpoints:
  o Run an on-demand scan.
  o Patch applications and operating system.
  o Scan and pull applications in enterprise.
  o Run GetClean to classify the gray applications.
  o Block unwanted applications.
• Place a batch in Observe mode by running the SC: Enable client task. For details, see Place endpoints in Observe mode in McAfee Change Control and McAfee Application Control Product Guide.
• Pulling inventory — Pull an inventory for endpoints when placing endpoints in Observe mode. Select Pull Inventory when placing the endpoints in Observe mode.
• Verifying placement — Run the Application Control Agent Status query to verify that selected endpoints are placed in Observe mode. For more information, see McAfee Change Control and McAfee Application Control Product Guide.
• Number of endpoints — At any time, there should be 10,000–20,000 endpoints running in Observe mode. At any point, only 2 batches can simultaneously run in Observe mode.


• Determining scan priority — The scan priority determines the priority of the thread that is run to create the whitelist on the endpoints. For most scenarios, we recommend that you set the scan priority to Low. For systems that are in Production mode, use Low priority to make sure that there is minimal input and output impact. Also, you must use Low priority if the system cannot be restarted. If you can restart the system and you want the initial scan to be completed as soon as possible, select High priority.
• Selecting activation — Wherever possible, use Full Feature Activation to ensure the highest level of security. Use Full Feature Activation if the system does not have an alternate Memory Protection mechanism, such as the one provided by anti-virus or McAfee Host Intrusion Prevention software.

Task: Perform day-to-day operations and tasks to help generate corresponding requests.

Based on the requests, you can define relevant rules required for your setup. Also, if you are using a specific tool for product updates or new deployments, use the tool in the initial two-week deployment period. If you are aware of activities or applications that run periodically, such as monthly payroll, make sure that the deployment period includes these activities.

Task: Review the requests received from endpoints and define relevant rules for each request to make sure that you configure Application Control for your setup. For detailed information, see McAfee Change Control and McAfee Application Control Product Guide.

• Specifying processing ownership — The McAfee ePO administrator must process requests. Based on your setup, you might need to make sure that there is collaboration between global and site administrators.
• Determining frequency —
  o Process requests daily and define needed rules.
  o Run a report weekly to gather request trend and summary.
  Failure to process requests regularly results in a build-up of requests that become progressively harder to manage.
• Analyzing requests — Process requests received from network paths. Then, process requests for updaters and installers on priority (for Software Installation activity type). If you trust the certificate associated with a request, define certificate-based rules for the request.
• Determining action to take — You can create custom rules or approve globally based on your choice and setup. Regardless of the action, the same rule is created. If the application is common to your setup, you can approve globally to add rules that apply to all endpoints in your enterprise. This allows for quick and simple processing. Or, create custom rules that you can add to a rule group and apply to selected endpoints.
• Criteria for processing — Review each received request and check its prevalence and associated application. You can sort the view based on request prevalence. For more information, review the reputation and publisher for the application.
• Running reports — Review the Top 10 Pending Policy Discovery Requests and Systems with Most Pending Requests Generated in Observe Mode monitors on the Solidcore: Health Monitoring dashboard.
• Rule identification — Rules are identified for requests based on event and activity type.

  Event Type                      Activity Type                Rule type
  ------------------------------  ---------------------------  -----------------------------------------------------------------
  File Write Denied               Binary Modification          Updater Process rule
  Installation Denied             Software Installation        Installers rule
  ActiveX installation Prevented  ActiveX Installation         Certificates rule
  NX Violation Detected           Memory Protection Violation  Exclusions rule
  Process Hijack Attempted        Memory Protection Violation  Exclusions rule
  VASR Violation Detected         Memory Protection Violation  Exclusions rule
  Execution Denied                Software Installation        Installer rule
  Execution Denied                Application Execution        Binary rule to allow execution or Allow locally to add to whitelist
  File Write Denied               Binary Addition              Updater rule


Deployment Process

• BEST PRACTICE: Complete initial deployment and testing in a non-production or test environment before deploying to the production environment
• Identify your pilot systems
  o Define a group that accurately represents the enterprise to reduce deployment time and quickly identify relevant rules
  o Notify pilot systems of the test plan and timeframe
  o Make the necessary communications/change management
• BEST PRACTICE: Start with a blank policy and customize
  o Add the necessary predefined Rule Groups and custom Rule Groups. This customized policy is the first initial tuning and will make Observe Mode and deployment easier.
  o NOTE: Creating a new policy based on the Blank Template will ensure that only the updater mechanisms used are configured as part of the policy. There are built-in rules for SCCM, CA Unicenter, and other patching/deployment solutions
• Determine deployment strategy
  o Determine the subset of production systems that will be used in Observe Mode
    ▪ i.e. Power Users, Specific Function, etc.
  o Establish the deployment period
  o Use the customized policy for initial deployment
  o Deploy MAC to pilot systems using the McAfee Agent Product Deployment Client Task
• Place pilot systems in Observe Mode
  o Use client task SC: Enable (use the Start Observe Mode checkbox)
    ▪ Use this client task to place the endpoints in Observe mode after a fresh installation of Application Control
    ▪ BEST PRACTICE: Use consistent naming conventions for task names (e.g. SC: Start Observe Mode to denote this is a Solidcore task to start Observe mode)


4 Defining policies

Based on your requirements, define policies to customize Application Control features.

Contents
Before you begin
Guidelines for default policies
Creating policies

Before you begin

Consider your change management process before defining or developing policies. Review how to change existing programs, tools, users, and processes. Here are some questions to consider.

• Do you have a formal change process?
• Can you easily differentiate between an authorized change and an unauthorized change? For example, you might not allow any changes to the systems during production hours.
• How do you make changes? Do you use manual updates, automatic software, or an agent-based push mechanism?
• How homogeneous is your environment?
• Do you have any specific security requirements?

Guidelines for policies

Order of Rules

• There are several ways to allow or ban applications. Precedence is based upon the most explicit rule (i.e. the more specific rule). The order in which allow or deny statements are acted on is:
  1. Allow/Ban Binaries
  2. Allow Binaries by Publisher
  3. Allow/Ban Binaries by Name
  4. Allow Binaries by Trusted Path
  5. Allow/Ban Binaries in the Whitelist

  Example: If an application is allowed by binary but it is banned by Publisher, it would be allowed because binary is more explicit than Publisher.

Default Policies

Here are some guidelines for Application Control default policies.

• Make sure that all default policies are applied to endpoints. The default policies are applied to the global root, such as the My Organization node in the System Tree, and are inherited by all managed endpoints where Application Control is installed. When an endpoint connects to the McAfee ePO server, the policy applicable to the endpoint's operating system is activated. For more information about the available default policies, see McAfee Change Control and McAfee Application Control Product Guide.
• Do not change any existing default policy assignments. If you need to edit a default policy, contact McAfee Support. Typically, for other managed products, you duplicate the available default policies to create custom policies, apply the custom policies, and do not apply default policies. However, when using Application Control, you must apply the default policies to make sure that McAfee product updates are handled. If needed, you can apply other custom policies in addition to the default policies.
  For example, if you remove the McAfee Default policy assignments, the contained default rules to allow successful application of Windows updates are also removed from the endpoints. This can result in errors at the endpoint and many irrelevant events.

Guidelines for Managing Policies

• BEST PRACTICE: Instead of duplicating a default policy, create a blank policy and add the necessary predefined Rule Groups. Apply the new policy in an extra slot with the default policy.
• Add custom Rule Groups to the custom policy. Do not add custom Rule Groups to the default policy.
• BEST PRACTICE: Use Rule Groups to manage policies. Add Rule Groups to the policy instead of adding individual rules to the policy. To create a Rule Group, navigate to Menu | Configuration | Solidcore Rules.
• Create rule groups so that they have a one-to-one mapping to applications or software. This allows you to add your application-specific rules to a rule group.
• Suppress unneeded or irrelevant events by applying filter rules. To apply a filter, navigate to Menu | Configuration | Solidcore Rules | Rule Groups | Filters.


Rule Groups

• Rule groups are a collection of rules pertaining to like, similar, or associated programs, applications, or platforms.
• The best way to manage policies is through rule groups (Menu | Configuration | Solidcore Rules) instead of creating and modifying rules directly in the Policy Catalog. Only add or remove rule groups in the Policy Catalog; do not modify the rules themselves in the Policy Catalog. This allows multiple policies to reuse rule groups, which are centrally updated in the Rule Groups section.
• Rule groups reduce the effort required to define rules.
• Predefined Rule Groups contain commonly-used applications.

Creating policies

Follow these guidelines when creating policies in your enterprise.

• Review and understand the information available for multi-slot policies in the McAfee ePolicy Orchestrator Product Guide. You can define multi-slot policies that allow for effective policy use and improved policy organization. Use the functionality to effectively define and manage rules for your enterprise. For example, instead of duplicating a default policy and adding more rules to it, create a new blank policy and add all custom rules to the policy. Then, apply the new policy in an extra slot with the default policy.
• All policies should use rule groups to manage policies. A rule group is a collection of rules. For more information about rule groups, see McAfee Change Control and McAfee Application Control Product Guide.
• Make sure that when creating rules, you follow these best practices.

  Rule groups: Create rule groups so that they have a one-to-one mapping to applications or software. This allows you to add your application-specific rules to a rule group.

  Policies: Define policies so that they have a one-to-one mapping to groups in the System Tree on the McAfee ePO console.
    o Create a policy for a group of similar systems. For example, a specific policy for Domain Controllers and another for Oracle Servers. This allows you to add rules specific to a group or department to a policy (and apply the policy to the group).
    o Define granular policies rather than one large policy with many rules because you can apply multiple policies simultaneously to a system.
    o Analyze the impact of each policy type. Some rules or policies are more permissive or restrictive than others.

• Review and understand the relative degree of restriction each rule mechanism or method offers.

Update mode (restriction level: Low)
  Make emergency changes to systems.

Users (restriction level: Low)
  Allow technical support users to remotely log on to fix or administer systems that are geographically distant.

Certificates (restriction level: Medium)
  Allow your application to update a system, regardless of how the application enters the system, or use a signed application from a vendor. This method provides more flexibility than a hashed installer.

Updater Processes (restriction level: High)
  Update existing whitelisted applications based on a program that can make changes. This is a commonly used updating method.

Binaries (restriction level: High)
  Allow or block execution of programs based on name or hash.
  • Allow — Scripts created dynamically, such as by an end-of-day or closing process on a kiosk for back-office reporting.
  • Block — Ban installed programs that should not run, such as iTunes. Or, reduce the risk exposure for a server by banning specific files, such as executables (net.exe or msconfig.exe).
  This method is typically used for execution control and not for making changes to a system.

Installers (restriction level: High)
  Allow a non-whitelisted standalone executable that is identified by its hash to install applications on a protected system. This method is useful to distribute software based on approved applications.

Directories (restriction level: High)
  Allow print drivers, in-house applications, or startup scripts placed on a remote share to run. Although this method is easier to manage than hashes or certificates, it is not as secure.


5 Managing inventory

Follow these recommendations and best practices to successfully manage the inventory of endpoints in your enterprise.

Contents
Recommendations for fetching inventory
Best practices for managing applications
Defining inventory filters

Recommendations for fetching inventory

Follow these recommendations to successfully fetch inventory from endpoints in your environment.

• Fetch inventory from 10,000 or fewer endpoints at a time.
• Fetch inventory at intervals of two weeks or longer to keep the inventory information updated.
• Use batches and follow a staggered approach to fetch inventory from more than 10,000 endpoints. To keep the McAfee ePO repository from being overwhelmed, you can randomize your deployment or use tag-based deployment. For more information about using randomization or tagging, see the McAfee ePO documentation.
• Multiple methods are available to pull inventory immediately. For more information about the best approach, see Guidelines for fetching inventory in the McAfee Change Control and McAfee Application Control Product Guide.

Best practices for managing applications

Application Control can work with a reputation source, such as TIE server or the McAfee Global Threat Intelligence (McAfee GTI) file reputation service, to fetch reputation information for files and certificates. Based on information fetched from the reputation source, the application and binary files in the inventory are sorted into trusted, malicious, and unknown categories.

• Manage the Unclassified Apps for your enterprise to reduce the number of unknown applications in your enterprise. This list typically includes all unknown applications, effectively creating the gray list for your enterprise. The goal is to achieve 95% classification by removing or reclassifying unknown files and applications. Review and process the gray list routinely for your enterprise to keep it to a minimum size. By reclassifying files and applications, you minimize the risk to your enterprise.
• Run GetClean on endpoints with a high number of unknown files. The GetClean utility submits files for analysis to McAfee Labs where they are checked and classified automatically and correctly.
• Reclassify internally developed, recognized, or trusted (from a reputed vendor or signed by a credible certificate) files that are currently in the unknown list.
  o If a TIE server is configured in your environment, reset the file's reputation on the TIE Reputations page. When resetting the reputation for a signed file, you must set the reputation for the file's certificate to Unknown to allow the overridden reputation to be used. For more information, see the McAfee Threat Intelligence Exchange Product Guide for your version of the software.
  o If the TIE server is unavailable, change the Enterprise Trust level or Reputation by Application Control of the file to Good. For more information, see Manage the inventory in the McAfee Change Control and McAfee Application Control Product Guide.
• Enable the automatic response Bad File Found in Enterprise from the Menu | Automation | Automatic Responses page.
  For Known Malicious and Might be Malicious files or certificates encountered in your environment, the software generates Malicious File Found events that are displayed on the Menu | Reporting | Threat Event Log page. The Bad File Found in Enterprise automatic response is preconfigured in Application Control but is disabled by default. Make sure that the mail server for your enterprise is configured on the McAfee ePO console. For more information about how to set up an email server, see McAfee ePolicy Orchestrator Product Guide.
• Review the Solidcore: Inventory dashboard regularly to track and monitor inventory status for your environment.
• Designate a base image for your enterprise to create an approved repository of known applications, including internally developed, recognized, or trusted (from a reputed vendor) applications. This makes management of desktop systems easier by verifying the corporate applications. Here are high-level steps to follow:
  1 Validate and review all applications on a system.
  2 Run GetClean on the system to classify all unknown applications on the system.
  3 Set the base image on the approved system by using the Mark Trusted option. For more information, see Set the base image in the McAfee Change Control and McAfee Application Control Product Guide.

GTI Trust Levels

  5 - Known Clean
  4 - Assumed Clean
  3 - Unknown
  2 - Suspicious
  1 - Malicious

GTI Trust Score: Indicates the reliability or credibility of each binary. The assigned value ranges from 1 to 5. A value of 1 or 2 represents known bad files, such as a Trojan virus. A value of 3 indicates an Unclassified file. A value of 4 or 5 represents known and trusted good files. In addition to the above values, Application Control also tracks the Enterprise Trust Level value for each binary file. By default, the enterprise trust level for a file is the same as the cloud trust level. When edited, the enterprise trust level for a file overrides the cloud trust level for the file.

GTI Usage

• Verify that GTI file reputation is being utilized by navigating to Menu | Policy Catalog | Product: Solidcore: Application Control | Category: Application Control Options (Windows). Select the applied policy, then the Reputation tab.
• Ensure the Use McAfee Global Threat Intelligence (McAfee GTI) box is checked
• Specify the reputation levels to automatically allow/block execution
• The application and binary file trust levels can be found under the Trust Score (Cloud), Trust Level (Cloud) and Trust Level (Enterprise) columns in the Inventory
• By default, the enterprise trust level for a file is the same as the cloud trust level. When edited, the enterprise trust level for a file overrides the cloud trust level for the file
• When reviewing the binary details, click the cloud trust score to view the details fetched from the GTI server for the binary file
• NOTE: An Unclassified application is unknown because it may be specific to your organization. Administrators can change the enterprise reputation for files and certificates. To edit the enterprise trust level for a file, select the file and select Actions | Change Enterprise Trust Level.

Isolated ePO environments  

Isolated ePO environments can use the Offline GTI tool to fetch McAfee GTI ratings. For information on how to configure the Offline GTI tool, refer to McAfee Change Control and McAfee Application Control 7.0.0 Product Guide. For optimal performance in an isolated ePO environment, navigate to Menu | Configuration | Server Settings | Solidcore. Click Edit, then set the Synchronize reputation with GTI option to No. You will only see this option available after inserting the license key.

Defining inventory filters

Tune advanced exclusion filters for inventory data to exclude non-meaningful files from the endpoints.

• Review the files contained in the temp folder and create rules for them.
• Exclude file names that contain special characters. For example, file names containing the $ symbol.
• Exclude .mui files (Windows localized files).
• Delete the folder (GUID name) that contains extracted files when applying Windows updates. If you cannot delete the folder, create rules to filter these files.
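As an added example (not from the guide or the product), this Python filter applies the four guidelines above to a constructed inventory list: it flags files under a temp folder, names containing the $ symbol, .mui files and files inside a GUID-named folder, then counts what each filter removes so you can see which one clears the most noise. The GUID pattern and the temp-folder names (Temp, tmp) are this example's assumptions about how those paths look.

```python
import re
from collections import Counter

# Folder names shaped like a GUID, with or without braces: the extraction
# folders Windows Update leaves behind look like this (assumption).
GUID_DIR = re.compile(
    r"^\{?[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}?$", re.I
)
# Directory names treated as "the temp folder" (assumption).
TEMP_DIRS = {"temp", "tmp"}


def split_path(path: str) -> list:
    """Split a Windows path into components, tolerating either separator."""
    return [p for p in path.replace("/", "\\").split("\\") if p]


def exclusion_reason(path: str):
    """Return which guideline flags this inventory entry, or None to keep it.

    Checks follow the order of the guide's bullets: temp folder, special
    character in the file name, .mui localisation file, GUID-named Windows
    Update extraction folder. Comparisons are case-insensitive, as NTFS is.
    """
    parts = split_path(path)
    if not parts:
        return None
    name, dirs = parts[-1], parts[:-1]
    if any(d.lower() in TEMP_DIRS for d in dirs):
        return "temp folder"
    if "$" in name:                      # only the file name, per the guideline
        return "special character in name"
    if name.lower().endswith(".mui"):
        return "localised .mui file"
    if any(GUID_DIR.match(d) for d in dirs):
        return "windows update extraction folder"
    return None


def filter_inventory(paths):
    """Split an inventory into entries to keep and entries to filter (with reasons)."""
    kept, excluded = [], {}
    for p in paths:
        reason = exclusion_reason(p)
        if reason is None:
            kept.append(p)
        else:
            excluded[p] = reason
    return kept, excluded


def summarise(excluded: dict) -> Counter:
    """Count filtered entries per reason, to see which filter removes the most noise."""
    return Counter(excluded.values())


# Constructed sample inventory (not data from any real endpoint).
SAMPLE_INVENTORY = [
    r"C:\Windows\System32\en-US\notepad.exe.mui",
    r"C:\Windows\System32\notepad.exe",
    r"C:\Users\alice\AppData\Local\Temp\setup_1234.exe",
    r"C:\$Recycle.Bin\S-1-5-21-1\$RABC123.exe",
    r"C:\Windows\{3f2504e0-4f89-11d3-9a0c-0305e82c3301}\update.exe",
    r"C:\Program Files\LineOfBusiness\lob.exe",
]

if __name__ == "__main__":
    kept, excluded = filter_inventory(SAMPLE_INVENTORY)
    for p in kept:
        print("keep   ", p)
    for p, why in excluded.items():
        print("filter ", p, "->", why)
    print(summarise(excluded))
```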

Guidelines for Whitelisting

There are several methods of whitelisting and excluding events. When reviewing legitimate events, determine how they can be whitelisted in the following order:

Publisher (certificate-based)
  • Use for trusted software packages
  • This reduces the largest number of events
  • NOTE: Use this option judiciously! Do not configure web browser certificates as publishers! Example: If Internet Explorer is configured as an updater application, Internet Explorer can download and execute any application from the internet.

Updater
  • Use for software distribution applications such as Tivoli, Opsware, or Microsoft System Management Server (SMS), SCCM

Installer
  • Use for software distribution based on approved applications

Binary
  • Use if the application cannot be securely whitelisted by Publisher
  • Recommended to allow code in temp directories
  • Best to add by Checksum (SHA1 hash) instead of filename
  • Use for single applications/binaries

Trusted Path
  • Use sparingly
  • e.g. Network share

Trusted User
  • Avoid using this

Example: RunMe.exe is a legitimate SSH client that is used in the environment. How should it be listed?

• Does it have a certificate that can be whitelisted? If so, can all executables with this publisher be allowed? If no or not sure, do not whitelist as a Publisher.
• Is this used for software distributions? If yes, then you have the option of Updater or Installer. If the installer is not on the endpoint, use the Installer option; otherwise, use the Updater option. If the application is not used as a software distributor, do not whitelist as an Updater or Installer.
• The application can be whitelisted as a Binary.
• Does the application only exist in a Trusted Path? If yes, then the application may also be whitelisted by Trusted Path.
• If a trusted user is added, he or she will be able to execute RunMe.exe and any executable (not just whitelisted applications). This is not advisable.

NOTE: The order in which rules are created does not affect the order in which they are applied; precedence is determined by how explicit each rule is.


6 Maintaining your software

After Application Control is deployed, you can perform various tasks to maintain the endpoints. Review these topics for details about maintenance tasks.

Contents
Using reputation sources
Processing events
Reports to run

Using reputation sources

By default, Application Control is configured to work with the TIE server or the McAfee Global Threat Intelligence (McAfee GTI) file reputation service to fetch reputation information. Here is how the reputation information is helpful.

On the McAfee ePO console:
• Helps make quick and informed decisions for binary files and certificates in your enterprise.
• Reduces the administrators' effort and allows them to quickly define policies for the enterprise on the McAfee ePO server.

On the endpoints:
• Allows for reputation-based execution, permitting only trusted and authorized files to execute.
• Determines whether to allow or ban execution for a file based on its reputation and the reputation of all certificates associated with the file.

The settings configured for your enterprise determine the reputation values that are allowed or banned.

• Trusted files — If the reputation for a binary file or its associated certificate is trusted, the file is allowed to run, unless blocked by a predefined ban rule.
• Malicious files — If the reputation for a binary file or its associated certificate is malicious, the binary is not allowed to execute. You can choose to ban only Known Malicious, Most Likely Malicious, Might be Malicious files, or all such files.
• Unknown — If the reputation for a binary file or its associated certificate is unknown, reputation is not used to determine execution. Application Control performs multiple other checks to determine whether to allow or block the file. For more information, see Checks that Application Control runs for a file.


Regardless of the file's reputation, if a ban by name or SHA-1 rule exists for a binary file, its execution is banned.

For more information, see File and certificate reputation in the McAfee Change Control and McAfee Application Control Product Guide.
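The allow/ban logic described in this section, written out as an added Python example (it is not McAfee's code). The reputation scale is a simplified ordering built from the levels the section names, and the policy fields `ban_threshold`, `banned_names` and `banned_sha1` are assumed stand-ins for the Reputation tab setting and the ban-by-name/SHA-1 rules:

```python
"""Reputation-based execution decision (added example, not McAfee code).

Assumptions: a five-level reputation scale, a single ban_threshold standing
in for the Reputation tab setting, and ban rules held as plain sets of file
names and SHA-1 digests.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from enum import IntEnum


class Reputation(IntEnum):
    """Ordered from most trusted to most malicious (simplified scale)."""
    TRUSTED = 0
    UNKNOWN = 1
    MIGHT_BE_MALICIOUS = 2
    MOST_LIKELY_MALICIOUS = 3
    KNOWN_MALICIOUS = 4


@dataclass
class FileInfo:
    name: str
    sha1: str
    reputation: Reputation
    cert_reputations: list = field(default_factory=list)  # signing certificates
    whitelisted: bool = False  # authorized in the endpoint inventory


@dataclass
class Policy:
    # Least-severe reputation that is still banned: MIGHT_BE_MALICIOUS bans
    # all three malicious levels, KNOWN_MALICIOUS bans only Known Malicious.
    ban_threshold: Reputation = Reputation.MIGHT_BE_MALICIOUS
    banned_names: set = field(default_factory=set)
    banned_sha1: set = field(default_factory=set)


def effective_reputation(f: FileInfo) -> Reputation:
    """A file is only as trustworthy as the worst of itself and its certificates."""
    return max([f.reputation, *f.cert_reputations])


def decide(f: FileInfo, policy: Policy) -> tuple[str, str]:
    """Return (verdict, reason); verdict is 'allow', 'ban' or 'other-checks'."""
    # A ban-by-name or ban-by-SHA-1 rule wins regardless of reputation.
    if f.name.lower() in {n.lower() for n in policy.banned_names}:
        return "ban", "ban-by-name rule"
    if f.sha1.lower() in {h.lower() for h in policy.banned_sha1}:
        return "ban", "ban-by-SHA-1 rule"

    rep = effective_reputation(f)
    if rep >= policy.ban_threshold:
        return "ban", f"reputation {rep.name} is at or above the ban threshold"
    if rep == Reputation.TRUSTED:
        return "allow", "file and all certificates are trusted"

    # Unknown (or malicious but below the configured threshold): reputation is
    # not used; the product's other checks decide, represented here by the whitelist.
    if f.whitelisted:
        return "allow", "not decided by reputation; file is in the whitelist"
    return "other-checks", "not decided by reputation; not in the whitelist"


if __name__ == "__main__":
    # Constructed digest and reputations, only to exercise the decision path.
    sample = FileInfo("updater.exe", "da39a3ee5e6b4b0d3255bfef95601890afd80709",
                      Reputation.TRUSTED, [Reputation.MIGHT_BE_MALICIOUS])
    print(decide(sample, Policy()))
```

Note that a trusted file signed by a certificate with a worse reputation is judged by the certificate, and that lowering `ban_threshold` to `KNOWN_MALICIOUS` pushes Might be Malicious and Most Likely Malicious files into the "other checks" path rather than allowing them outright.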

Best practices for configuring reputation sources

• Review the default settings on the Reputation tab of the Application Control Options (Windows) policy. The default settings work for most enterprises. If needed, you can tweak the settings for your enterprise.
• If Internet access is not available to endpoints in your enterprise, we recommend that you deselect the Use McAfee Global Threat Intelligence (McAfee GTI) option in the Application Control Options (Windows) policy. This allows optimal performance for endpoints in air-gapped environments.
• Make sure that access to the McAfee GTI cloud is allowed over HTTPS.

Processing events

Create relevant rules to process events generated at endpoints. This helps control the flow of events from endpoints to the McAfee ePO server by gradually reducing the number of received events. Create and apply relevant scenario-based rules to process events. If you receive:

• Numerous Registry modified or File modified events, review and fine-tune the filter rules for your enterprise. Define rules to exclude specific files or registry entries based on the event type and file name or registry key.
• Multiple Write Denied events in your setup, review the events and define appropriate updater or filter rules. Updater rules are appropriate when the events are for a good file. Filter (AEF) rules might be relevant if the file is malicious or unknown.
• Multiple Installation Denied events in your environment, review the events and define appropriate updaters.
• Numerous Execution Denied events in your environment, the file might not be whitelisted or is banned. The file is not whitelisted when it is added to an endpoint through a non-trusted method. If you receive Execution Denied events:
  o From a single host, run an anti-virus scan of the system, then resolidify the endpoint.
  o From multiple hosts for a file, review the file execution status on the Inventory page to verify if and why the file is banned. If the ban rule for the file is legitimate, add filter (AEF) rules for the file.
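An added example, not from the product, that applies the scenario rules above to a constructed batch of events and produces the recommended administrative action per event type and object. The CSV layout, the host and file names, and the `NOISE_THRESHOLD` value are all constructed for the demonstration:

```python
"""Scenario-based triage of Solidcore events (added example, not McAfee code).

The CSV column layout, the sample records and NOISE_THRESHOLD are constructed;
real events are read from the ePO console, not from a CSV file.
"""
from __future__ import annotations

import csv
from collections import Counter, defaultdict
from io import StringIO

# Constructed sample events: timestamp, host, event type, object (file or registry key).
SAMPLE_EVENTS = """timestamp,host,event,object
2016-05-02T09:14:03Z,WS-0112,Execution Denied,C:\\Users\\alice\\Downloads\\tool.exe
2016-05-02T09:15:11Z,WS-0112,Execution Denied,C:\\Users\\alice\\Downloads\\tool.exe
2016-05-02T09:20:45Z,WS-0207,Execution Denied,C:\\Program Files\\Vendor\\agent.exe
2016-05-02T09:21:02Z,WS-0311,Execution Denied,C:\\Program Files\\Vendor\\agent.exe
2016-05-02T09:22:30Z,SRV-004,Execution Denied,C:\\Program Files\\Vendor\\agent.exe
2016-05-02T10:01:00Z,WS-0207,Write Denied,C:\\Program Files\\Vendor\\agent.dll
2016-05-02T10:05:00Z,WS-0450,Installation Denied,C:\\Temp\\setup.msi
2016-05-02T10:06:00Z,WS-0450,File modified,C:\\Users\\bob\\AppData\\Local\\Temp\\cache.tmp
2016-05-02T10:06:05Z,WS-0450,File modified,C:\\Users\\bob\\AppData\\Local\\Temp\\cache.tmp
2016-05-02T10:06:09Z,WS-0450,File modified,C:\\Users\\bob\\AppData\\Local\\Temp\\cache.tmp
2016-05-02T10:06:01Z,WS-0450,Registry modified,HKLM\\SOFTWARE\\Vendor\\LastRun
"""

# Constructed threshold: more events than this for one object counts as "numerous".
NOISE_THRESHOLD = 2


def parse_events(text: str) -> list[dict]:
    """Read the constructed CSV into one dict per event."""
    return list(csv.DictReader(StringIO(text)))


def triage(events: list[dict]) -> dict[str, dict[str, str]]:
    """Map event type -> object -> recommended action, per the scenario rules."""
    by_type: dict[str, list[dict]] = defaultdict(list)
    for e in events:
        by_type[e["event"]].append(e)

    actions: dict[str, dict[str, str]] = defaultdict(dict)

    # Numerous File/Registry modified events: tune filter rules by event type and object.
    for etype in ("File modified", "Registry modified"):
        kind = "registry key" if etype.startswith("Registry") else "file"
        for obj, n in Counter(e["object"] for e in by_type[etype]).items():
            if n > NOISE_THRESHOLD:
                actions[etype][obj] = (f"{n} events: review filter rules; exclude this "
                                       f"{kind} for event type '{etype}'")

    # Write Denied: updater rule for a good file, filter (AEF) rule if malicious/unknown.
    for obj in {e["object"] for e in by_type["Write Denied"]}:
        actions["Write Denied"][obj] = ("review: updater rule if the file is good, "
                                        "filter (AEF) rule if it is malicious or unknown")

    # Installation Denied: define the appropriate updater.
    for obj in {e["object"] for e in by_type["Installation Denied"]}:
        actions["Installation Denied"][obj] = "review and define the appropriate updater"

    # Execution Denied: one host versus several hosts decides the response.
    hosts_per_file: dict[str, set] = defaultdict(set)
    for e in by_type["Execution Denied"]:
        hosts_per_file[e["object"]].add(e["host"])
    for obj, hosts in hosts_per_file.items():
        if len(hosts) == 1:
            actions["Execution Denied"][obj] = (f"single host {next(iter(hosts))}: run an "
                                                "anti-virus scan, then resolidify the endpoint")
        else:
            actions["Execution Denied"][obj] = (f"{len(hosts)} hosts: review execution status on the "
                                                "Inventory page; if the ban rule is legitimate, "
                                                "add a filter (AEF) rule")
    return {etype: dict(objs) for etype, objs in actions.items()}


if __name__ == "__main__":
    for etype, objs in triage(parse_events(SAMPLE_EVENTS)).items():
        for obj, action in objs.items():
            print(f"{etype:20} {obj}\n    -> {action}")
```

The distinction that matters is in the Execution Denied branch: the same file denied on one host suggests something local to that endpoint, while the same file denied across several hosts points at a rule, which is why the two cases route to different actions.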

Reports to run

Based on the activity, review these monitors on the Solidcore: Health Monitoring dashboard.

Activity: Data throttled or dropped
Monitor: Review the Number of Systems where Throttling Initiated in Last 7 Days monitor on the Health Monitoring dashboard. This monitor displays the number of systems on which Event, Inventory Updates (Diff), or Policy Discovery (Observations) throttling is initiated in the last 7 days. The summary table sorts the data in descending order.

Activity: Policy Discovery requests
Monitor: Review these monitors on the Health Monitoring dashboard.
• Top 10 Pending Policy Discovery Requests – This monitor displays the top 10 pending policy discovery requests in your setup. The chart includes a bar for each object name and indicates the number of pending policy discovery requests for each object name. Click a bar on the chart to review detailed information.
• Systems with Most Pending Requests Generated in Observe Mode – This monitor displays the systems (running in Observe mode) that have the most pending Policy Discovery requests. The chart includes the system name and the number of pending policy discovery requests for each system. The summary table sorts the data in descending order.

Activity: Rogue host detection
Monitor: Review the Top 10 Events for 10 Most Noisy Systems in Last 7 days monitor on the Health Monitoring dashboard. This monitor displays the top 10 events generated on the 10 most noisy systems in the last 7 days. The chart includes a bar for each system and indicates the number of events of the top 10 types for each system. Click a bar on the chart to review detailed information.

For more information, see McAfee Change Control and McAfee Application Control Product Guide.


7 Optimizing your software

Optimization improves your experience of using the software and allows you to make the software work more efficiently for you. You can optimize the software by following these tasks.

Contents: Recommended tasks, Applying Windows updates, Managing Solidcore client tasks, Configuring alerts, Monitoring server performance, Using McAfee Assurance Information Module

Recommended tasks

Perform certain tasks daily, weekly, and monthly to make sure that your systems are protected and Application Control is working efficiently.

Daily
• Review the health monitoring dashboard.
• Review and manage policy discovery requests.
• Review the Policy Discovery page to make sure that Observation throttling isn't initiated. For detailed information, see Throttle observations in the McAfee Change Control and McAfee Application Control Product Guide.

Weekly
• Review and manage events.
• Run the Non Compliant Solidcore Agents query to identify systems in the enterprise that are not compliant.
• Apply filters to suppress unneeded or irrelevant events.
• Optionally, pull inventory for systems where throttling is reset.
• Review and manage inventory for endpoints. For details, see Managing inventory.

Monthly
• Application Control allows you to run queries that report on events data from multiple McAfee ePO databases. If you are using a distributed McAfee ePO environment, periodically roll up data for a consolidated report. To regularly roll up event data, you can schedule and run the Roll Up Data server task. When running the task, you can optionally purge data.
• In addition to collating data on a centralized server, you can drop events from other McAfee ePO servers. Use the Solidcore: Purge server task to purge data. See McAfee Change Control and McAfee Application Control Product Guide for instructions.
• Routinely purge data for inventory, events, client task logs, alerts, and observations. For more information, see McAfee Change Control and McAfee Application Control Product Guide. We recommend that you purge:
  o Events older than 3 or 6 months (based on your auditing needs).
  o Client task logs older than 30 days.
  Based on your compliance requirements, you might choose to retain data older than three months. To understand the implications of retaining older data on database requirements, see Determining database sizing.
• The Solidcore: Auto Purge Policy Discovery Requests server task is configured to automatically delete requests older than 3 months. This is an internal task that runs weekly by default. If needed, edit this task to change the configuration.
• Periodically delete Server Task Logs by running the Purge Server Task Log server task. Delete data older than 6 months.

Applying Windows updates

Here are considerations to review before applying Windows updates in your enterprise.

• Make sure that the McAfee Default policy is applied to all endpoints.
• (Optional) Suppress unneeded or irrelevant events by applying filter rules.

Managing Solidcore client tasks

Here are a few best practices to manage Solidcore client tasks.

• Review the Solidcore Client Task Log page to check the client task status (success or failure).
• Before configuring a client task, make sure that the CLI on the endpoint is not recovered. Review the Non Compliant Solidcore Agents monitor in the Application Control dashboard to verify whether the CLI is recovered.


Configuring alerts

Configure alerts or automatic responses to receive notifications about important occurrences in your environment.

When to configure an alert?
• To receive notifications for Known Malicious and Might be Malicious files or certificates encountered in your setup, enable the Bad File Found in Enterprise automatic response from the Menu | Automation | Automatic Responses page. For more information, see Managing inventory.
• To receive a notification when event or policy discovery request throttling is initiated for an endpoint in your environment, configure an alert for the Data Throttled event. Similarly, to receive a notification when the cache is full and old data is dropped from the event or request cache, or throttling of inventory updates is initiated for an endpoint, configure an alert for the Data Dropped event.
• To receive a notification when data congestion exists for inventory items and observations at the McAfee ePO console, configure an alert for the Data Congestion Detected event.

Configure an alert

You can configure an alert or automatic response. To learn how to configure an alert, view this video. Alternatively, follow these steps to configure an automatic response.

Task
For details about product features, usage, and best practices, click ? or Help.
1 Select Menu | Automation | Automatic Responses.
2 Click Actions | New Response.
  a Enter the alert name.
  b Select the Solidcore Events group and Client Events event type.
  c Select Enabled, then click Next to open the Filter page.
3 Select SC: Event Display Name from the Available Properties.
4 Select Data Throttled, Data Dropped, or Data Congestion Detected from the Value list, then click Next.
5 Specify aggregation details, then click Next to open the Actions page.
6 Select Send Email, specify the email details, then click Next to open the Summary page.
7 Review the details, then click Save.


Monitoring server performance

Periodically check to see how your Application Control software is working so that you can avoid performance problems.

• Periodically make sure that your McAfee ePO server is working well. For more information about maintaining your McAfee ePO server, see McAfee ePolicy Orchestrator Best Practices Guide.
• Set up Windows Performance Monitor (PerfMon) to gather performance counters. Review the Performance Monitor page on the Microsoft Developer Network website for information about setting up PerfMon. Collect data for these counters to determine if any services are consuming resources:
  o McAfee ePO or database CPU consumption
  o McAfee ePO or database memory consumption
  o McAfee ePO or database disk input and output
  o Network latency between McAfee ePO and the database
• Determine parsing rates for the McAfee ePO parser. For more information, see Finding and using Performance Monitor in the McAfee ePolicy Orchestrator Best Practices Guide.
• Estimate and adjust the agent-server communication interval (ASCI) for your environment. For information about adjusting ASCI, see McAfee ePolicy Orchestrator Best Practices Guide.
• Maintain your SQL database to make sure that there is optimal performance. For information, see McAfee ePolicy Orchestrator Best Practices Guide.

Using McAfee Assurance Information Module

McAfee continually strives to improve the product experience for customers. We recommend that you enable Assurance Information Module to help us collect information about how you use our products. This collected data helps us improve product features and customers' experience with the product. Assurance Information Module collects the data from the client systems where McAfee products are installed, and that are managed by the McAfee ePO server. It helps improve McAfee products by collecting the following data:

• System environment (software and hardware details).
• Effectiveness of installed McAfee product features.
• McAfee product errors and related Microsoft Windows events.

Install and enable the software and enforce the policy for the software. For detailed instructions, review the Quick Start Guide for Assurance Information Module.


8 Troubleshooting

Suspending Deployment

In case you encounter any critical issues that hamper operations, complete the following steps:
1. Report the issue to the concerned person.
2. Place Application Control in Update Mode.
3. If the issue still exists, place Application Control in Disable Mode.

Location of Solidcore Files on Endpoint

The Solidcore install directory: \McAfee\Solidcore
• sadmin.exe
  o This is the CLI program
• Solidcore log files
• Tools for Solidcore diagnostics

Solidcore directory on the C:\ drive:
• scinv file
  o The whitelist; a hash map of the whitelisted files
• evt_cache
  o Stores the events from the solidifier that get forwarded to ePO

Solidcore CLI

The Solidcore Command Line Interface (CLI) offers a command-line interface for endpoint administration. This interface allows direct review of endpoint logs, manipulation of Solidcore policy settings, and enforcement of MAC features. We recommend changing the master password used to access the CLI:

• The default password is "solidcore".
• To change the password, navigate to Menu | Policy | Policy Catalog | Product: Solidcore: General | Category: Configuration (Client). Select the applied policy and select the CLI tab.


NOTE: To change the CLI access status from ePO, use the SC: Change Local CLI Access client task. Select Restrict to put CLI access into Lockdown status, provided the McAfee Agent has the capability to enforce the policies downloaded from the server. Select Allow to put CLI access into Recovered status, which provides unauthenticated access to the configuration of the application on the device.

• Use the Restrict status to allow only authorized users to access the MAC CLI on the endpoints. To access the CLI console, users need to provide the password set in the assigned policy in the Configuration (Client) category.
• Run the SC: Change Local CLI Access client task as necessary to avoid leaving systems in Recovered Mode.
• NOTE: Do not leave the CLI in Recovered Mode. The CLI in Recovered mode breaks the connection to/from ePO and should only be used for updates and/or troubleshooting.

Local CLI Administration

• Access the CLI from the Start menu by navigating to Programs > McAfee > Solidifier > McAfee Solidifier Command Line
• The CLI has two statuses:
  o Lockdown – Indicates that the device is accepting input from the McAfee Agent and enforcing policies as defined by ePO
  o Recovered – The CLI will accept commands from the keyboard rather than from the McAfee Agent
  NOTE: Upon installation and enabling of MAC, the default state of the CLI will be Lockdown.
• Run the "sadmin status" command to determine the current status of the CLI. If the status is Lockdown, type "sadmin recover" to be prompted for the password. Once the password is correctly entered, the CLI is placed in Recovered status and will accept commands from the end user.
• Administrators can set and delete the password locally:
  o Set the password using "sadmin passwd"
  o Delete the password using "sadmin passwd -d"
• To lock the CLI locally, use "sadmin lockdown"
• Other useful commands:
  o sadmin begin-observe (bo) – start Observe Mode on the system
  o sadmin begin-update (bu) – begin the update window
  o sadmin end-update (eu) – end the update window
  o sadmin disable – disable Solidcore on next reboot
  o sadmin enable – enable Solidcore on next reboot
  o sadmin unsolidify (unso) – unsolidify a solidified system
  o sadmin recover – place the local CLI in Recovered status (prompts for the CLI password)

For the complete list of commands available in the CLI, refer to the Application Control Command Line Interface Reference Guide.


To uninstall Solidcore, it must be disabled first. To place the endpoint in Disabled mode, run the client task SC: Disable.


Tuning Rules of Engagement

When identifying the Updater Method, the following table should be followed. All rules that are added to the rule group should be completed by a Global Administrator. The table below lists the Updater Methods in order of most secure to least secure.

Level of Restriction
• High – This is the most secure level of Updater Method. It allows for more granularity of configuration and a greatly reduced threat surface area.
• Medium – This is a less stringent level of Updater Method. It is less granular than a high restriction level while allowing a broader scope of what an Updater can be.
• Low – This is the least stringent of the Updater Methods. It will allow a full directory to be added to the whitelist.

Updater Method: Binaries
Level of Restriction: High
Use Case: Binaries should be used for specific files that cannot be added through the other options. A Binary should be added in a break/fix scenario. This will still need to be Authorized by the AOR CCRB or equivalent.
Method:
1. Use an existing rule group, or create a new rule group for the application.
2. Add a binary to the appropriate rule group in the "Binaries" tab.
3. Add the rule group to the appropriate policy or policies.

Updater Method: Installer
Level of Restriction: High
Use Case: This should be used when an Application has a named installer (e.g. Ica32Pkg.msi).
Method:
1. Use an existing rule group, or create a new rule group for the application.
2. A hash can be collected, for the Installer, from the Inventory.
3. Add an installer to the appropriate rule group in the "Installers" tab.
4. Add the rule group to the appropriate policy or policies.

Updater Method: Updater Processes
Level of Restriction: Medium
Use Case: This should be used when an installer calls additional processes to complete the Update or Installation. This allows Authorized Processes to be added to the rule group (e.g. J2RE1 uses ikernel.exe to call svchost.exe).
Method:
1. Use an existing rule group, or create a new rule group for the application.
2. Identify the Binary and Parent/Library, if applicable, from received events or observations.
3. Add the Binary and Parent or Library to the appropriate rule group in the "Updater Processes" tab.
4. Add the rule group to the appropriate policy or policies.

Updater Method: Certificates
Level of Restriction: Medium
Use Case: This should be used when a vendor (e.g. Microsoft or McAfee) has an Authorized Certificate Path.
Method:
1. Use an existing rule group, or create a new rule group for the application.
2. Extract the certificate information via Solidcore Rules | Certificate | Actions | Extract Certificate.
3. Add the Certificate to the appropriate rule group in the "Certificates" tab.
4. Add the rule group to the appropriate policy or policies.

Updater Method: Directories
Level of Restriction: Low
Use Case: A directory should be added in the case of a share. If another directory is needed, all other Updater Methods should be attempted first.
Method:
1. Use an existing rule group, or create a new rule group for the application.
2. Add a directory to the appropriate rule group in the "Directories" tab.
3. Add the rule group to the appropriate policy or policies.

Updater Method: Trusted Users
Level of Restriction: Low
Use Case: This allows an Authorized Trusted User to update a system.
Method: DO NOT USE

Choosing an updater

• Binaries – These should be manually input by file name or SHA-1
  o Binaries must have a CoN
  o Binaries should be standalone, and not update existing binaries or scripts
• Installers – These should be manually input by SHA-1 or input by scanning a repository
  o Installers must have a valid CoN
  o Installer hashes must be validated by the HBSS administrator prior to implementation
• Updater Processes – Manually input by process name (parent or library may also be necessary)
  o Updaters must have a valid U.S. Army Certificate of Networthiness (CoN)
  o Updaters must be approved by the HBSS CCRB within 30 days of implementation
  o Web browsers cannot be updaters unless restricted by library or parent
• Certificates – Received by scanning a share or file, or uploaded manually
  o Certificates cannot be used to identify updaters
  o Certificates must be validated by the HBSS administrator prior to implementation
• Trusted Directories – These should be manually input and should be as granular as possible
  o Mitigating controls need to exist for approving executables in the trusted directory (e.g. Windows write permissions)
  o Directory paths should be as specific as possible
  o The updater privileges box should not be checked for trusted directories
• Trusted Users – Trusted users may be manually input but should not be used under any circumstances
  o Trusted users should not be used; in lieu of user trust, Observe mode will be utilized for troubleshooting purposes


Other Considerations

• BEST PRACTICE: Deploy Solidcore using tags. For example, an administrator could set up the deployment task to apply only to computers that meet the following criteria: Has any of these tags: [Workstation]
• Before enabling MAC, consider use of the self-approval feature to allow users to run business-critical applications immediately instead of waiting for approval. This feature can be enabled on specific endpoints, as needed. For servers, we recommend that you disable this option.
• Allow users to examine the event and request approval using the Request Approval button.
• Customize Client Notifications via the Policy Catalog (Product | Solidcore: Application Control | Category | Application Control Options (Windows)).
  o User Message: Enable this option to display a message box at the endpoint each time an event is generated
  o Help Desk Information: Allows you to specify helpdesk information that is displayed on endpoints
  o Messages: Customize pop-up notifications when any of these things happen:
    o Execution Denied
    o File Write Denied
    o NX Violation Detected
    o ActiveX Installation Prevented
    o Package Modification Prevented
• Assess security against usability. Before creating the default configuration, evaluate the risk against the usability of the system and applications. Several features of Application Control restrict or allow users to run applications on the endpoint. For example, the self-approval feature allows users to run business-critical applications immediately instead of waiting for approval. This feature can be enabled on specific endpoints, as needed. For servers, we recommend that you disable this option.
• Review built-in reports:
  o Top 10 Pending Policy Discovery Requests
  o Systems with Most Pending Requests Generated in Observe Mode
  o Solidcore: Health Monitoring


DoD-Specific Caveats / Known Issues

• Disable memory protection within the MAC Options policy in ePO
  o When used in conjunction with HIPS, it is recommended to disable MAC's memory protection to avoid product conflict.
  o KB81465
• SCCM fails to install patches/updates with MAC installed
  o This issue is caused by two competing rule groups, SMS 2003 Client and System Information.
  o Remove the System Information Rule Group to allow inheritance for Wmiprvse.exe. Then push the installation task out to the client again.
  o KB87327
• Installation or upgrade of the SCCM client may fail with Application Control enabled
  o KB84741
• Microsoft Windows Update cannot be installed when Application and Change Control is configured in Enable, Observe, or Update mode
  o When running on Windows 10 with Application and Change Control configured in Enable, Observe, or Update mode, Windows Update attempts to retrieve updates for around 30 minutes and then fails with the following error: "There were some problems installing updates, but we'll try again later. If you keep seeing this and want to search the web or contact support for information, this may help: (0x800705b4)"
  o Cause: This issue occurs because the Windows Update Service runs in a separate svchost.exe process when MACC is enabled.
  o KB87470
• MAC Help Content cannot be displayed in ePO
  o KB87649

Resources

MAC Log File Location:
• Vista and above: C:\programdata\mcafee\solidcore\logs\solidcore.log
• McAfee Agent Logs: C:\programdata\mcafee\common framework\

Application Control DoD Product Download: https://patches.csd.disa.mil/Default.aspx

Application Control security best practices: https://kc.mcafee.com/corporate/index?page=content&id=KB85337

Best Practices Guide McAfee Application Control 7.0.0: https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/26000/PD26171/en_US/mac_700_bp_en-us.pdf

MAC Tech Talks on IASE: https://powhatan.iiie.disa.mil/cyber_tools_training/ctt/hbss_tech_talks.asp

Application Control 7.0.1 Known Issues: https://kc.mcafee.com/corporate/index?page=content&id=KB87447

McAfee Change Control and McAfee Application Control 7.0.0 Product Guide: https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/26000/PD26169/en_US/mcc_700_mac_700_epo_pg_en-us.pdf

McAfee Change Control and McAfee Application Control 7.0 Installation Guide: https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/26000/PD26170/en_US/mcc_700_mac_700_epo_ig_en-us.pdf

McAfee Application Control Command Line Interface Guide: https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/26000/PD26174/en_US/mac_700_standaln_cli_en-us.pdf

ePO Database Sizing to manage Application Control: https://kc.mcafee.com/corporate/index?page=content&id=KB72753


APPENDIX

APPENDIX A – TRUST SOURCES

Updaters
• A whitelisted application permitted to update the system, e.g. SCCM
• Makes changes to the system by elevating its privileges
• When a program is configured as an updater, it gets the privilege to install new software and update existing program code (including itself) present on the system
• Updaters can be added by Binary Name or Checksum (SHA1)
• Updaters are not authorized automatically; to execute this program, it has to be present in the inventory, either via the initial scan (solidification) or by explicit authorization (via an allowed binary in the policy)
• The SHA1 hash is already registered on the system
• Example: Configure the Adobe 8.0 updater program as an updater, so it can periodically patch all needed files
• Common updaters include software distribution applications such as Tivoli, Opsware, or Microsoft System Management Server (SMS)

Binary
• Pre-compiled application
• Binaries can be specifically allowed or banned on a solidified system
• Can specify the filename or checksum to identify the binary
• Can add a binary directly or add it from an inventory
• Best to add Checksum (SHA-1 hash) instead of File Name
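To show why this appendix, and the trust-source guidance earlier in the page, prefer the SHA-1 checksum over the file name for a Binary rule, here is an added Python example (it is not McAfee's code). `BinaryRule`, `rule_from_file` and `matches` are a hypothetical simplification of a Binaries-tab rule, and the files are constructed in a temporary directory:

```python
"""File-name rule versus SHA-1 rule for a whitelisted binary (added example).

BinaryRule, rule_from_file and matches are a hypothetical simplification of
the Binaries tab; the "approved" file and its replacement are constructed.
"""
from __future__ import annotations

import hashlib
import os
import tempfile
from dataclasses import dataclass


@dataclass(frozen=True)
class BinaryRule:
    kind: str   # "name" or "sha1"
    value: str  # lower-cased file name, or hex SHA-1 digest


def sha1_of(path: str) -> str:
    """Hex SHA-1 of a file, read in chunks so large binaries are handled."""
    h = hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def rule_from_file(path: str, by_hash: bool = True) -> BinaryRule:
    """Build the rule an administrator would add for an approved file."""
    if by_hash:
        return BinaryRule("sha1", sha1_of(path))
    return BinaryRule("name", os.path.basename(path).lower())


def matches(rule: BinaryRule, path: str) -> bool:
    """Would this rule authorize the file currently at `path`?"""
    if rule.kind == "name":
        return os.path.basename(path).lower() == rule.value
    if rule.kind == "sha1":
        return sha1_of(path) == rule.value
    raise ValueError(f"unknown rule kind {rule.kind!r}")


def demo() -> dict[str, bool]:
    """Constructed scenario: approve a binary, then a different file appears under the same name."""
    with tempfile.TemporaryDirectory() as d:
        approved = os.path.join(d, "RunMe.exe")
        with open(approved, "wb") as fh:
            fh.write(b"MZ approved build 1.0")  # constructed stand-in for the real binary
        name_rule = rule_from_file(approved, by_hash=False)
        hash_rule = rule_from_file(approved, by_hash=True)

        # The content changes while the name stays the same (a modified or substituted file).
        with open(approved, "wb") as fh:
            fh.write(b"MZ something else entirely")

        return {
            "name_rule_still_matches": matches(name_rule, approved),
            "hash_rule_still_matches": matches(hash_rule, approved),
        }


if __name__ == "__main__":
    print(demo())
```

The name rule still authorizes the replaced file; the hash rule does not, because it is bound to the content rather than the label. The flip side is that a legitimate update changes the hash as well, which is why recurring updates belong under the Updater or Installer trust sources rather than a fresh Binary rule each time.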

Publishers
• Publishers are trusted certificates associated with a software package that can run on a solidified system
• They can be identified within a Rule Group and are allowed everywhere that rule group is assigned. After you add a certificate as a publisher, you can run all software that is signed by the certificate.
• When adding a publisher, you can also choose to provide updater privileges to the publisher.
• After a program is defined as an updater, it can modify any protected file. Selecting this option ensures that all binary files signed by the publisher acquire updater privileges. Any files added or modified by an application that is signed by the publisher (with updater privileges) will be added to the whitelist automatically.
• NOTE: Use this option judiciously! Example: If Internet Explorer is configured as an updater application, Internet Explorer can download and execute any application from the internet.

Installers
• Installers are programs that install other programs
• Installers are allowed to install or update software. They are identified by their checksum (SHA1). Regardless of the source of the installer (or how one gets the installer to the endpoint), if the SHA1 value matches, the installer is allowed to run.
• The SHA1 hash is registered so that the installer can run; the installer does NOT need to already be present on the system
• When a program (or an installer) is configured as an authorized installer, it gets both attributes – authorized binary and updater.
• Changes done by the installer will be tagged with the Installer label
• Example: If you add the msi file for the Microsoft Office 2010 suite as an Installer, and the checksum matches, the msi file will be allowed to install the Microsoft Office suite.
• Installers are allowed to execute and update software on the endpoint regardless of whether the installer was originally on the endpoint

Trusted Users
• Trusted users are users that can install programs, run executables, and modify protected files on a solidified system
• NOTE: The Trusted Users rules do not take effect until the user logs into the system AFTER the policy has been enforced (log out and log back in)

Trusted Directories
• Trusted Directories are directories with trusted applications that you want to make into updaters
• Example: Create a trusted directory for login scripts, or else they won't run
  o e.g. \\\SYSVOL
• When creating a trusted directory, use the option "Make programs executed from this directory updaters." Checking this box allows programs in the Trusted Directories to spawn their own processes and install further components if they need to.

APPENDIX B – APPLICATION CONTROL DEFINITIONS

• Observe Mode: In Observe Mode, MAC allows all operations on the endpoint; no action is blocked ("Learning Mode" concept). For each action that would be blocked by MAC while in Enable Mode, Observe Mode logs a corresponding observation. All observations generated on an endpoint are sent to ePO after the ASCI. Observe Mode allows the administrator to discover policy rules to run a new application before enterprise-wide deployment on endpoints. Observe Mode is supported only on the Windows platform.
• Enable Mode: In Enable Mode, only files present in the whitelist are allowed to execute.
• Update Mode: Update Mode allows for a pre-defined window of time during which changes or modifications can occur.
• Disable Mode: Application Control is not running on the system. Although MAC is installed, its features are not enabled.
• Trust Model: Dictates the changes that are permitted in your environment.
• Trusted Sources: Allow for changes in a controlled manner, allow applications not in the whitelist to run, and are used to update an endpoint.
• Binary: Pre-compiled application.
• Inventory: List of applications authorized to execute on the endpoint and files not authorized to execute. Contains the file name, full file path, and SHA1 checksum of each file.
• Whitelist: Portion of the inventory that is authorized to execute, combined with those applications explicitly configured to execute using other methods (e.g. location, file characteristics, checksum, certificate). It does not rely on pre-defined knowledge of good or bad, behavior, heuristics, signatures, or updates.
• Rule Group: A rule group is a collection of rules. Rule groups assist with policy management and should be used instead of adding updaters to the policy itself. Rule groups include updater binaries, trusted users, publishers, and installers.
• Exceptions (tab): Rules used to override or bypass the applied memory-protection techniques. Allows adding a memory exception for an application that is poorly written or that manipulates itself, such as psexec. Not commonly used.
• Filters (tab): Use filters to exclude observations, events, and inventory data by using a combination of conditions.


Frequently asked questions (FAQs)

Here are answers to frequently asked questions.

Although I fetched inventory for an endpoint, the inventory is not displayed on the McAfee ePO console. Inventory information might not be displayed on the McAfee ePO console in the following two scenarios:

• Inventory information received for the endpoint is incomplete. This can occur if you experience connectivity issues. To resolve this issue, check the connection and fetch the inventory for the endpoint again.

• Inventory for an endpoint consists of too many files. To understand and resolve this issue, review KB79173.

Do we have any best practices for deploying Application Control in a Cluster Shared Volumes (CSV) environment? Before deploying Application Control in a CSV environment, review the guidelines listed in KB84258.

Aren't there potential vulnerabilities when whitelisting scripts? A paper was published that described potential vulnerabilities that are either not applicable or are being addressed by Intel Security engineering. A full list and breakdown of the items discussed is in the KB86405 article. The executable and scripting authorization and prevention mechanisms in MAC are briefly described in the following paragraphs to help the reader understand the detailed sections of that article (see the product documentation for a more complete explanation of these mechanisms):

• Items in the whitelist are authorized to execute. Items not in the whitelist are prevented from executing.

• MAC provides an additional "scripts list" mechanism to control which script files are prevented and which may execute.

To authorize execution of an executable (for example, a script interpreter in Portable Executable (PE) format), the executable file name and path must be in the whitelist. When the executable is in the whitelist, the interpreter executes every script associated with that executable. To place controls on which script files an interpreter will execute, first place the script file extension and interpreter executable file name in the scripts list (see 3.2.1 below for an example). After an association is in the scripts list, script files of that extension are prevented from interpretation. To execute specific script files, add each required script file name and path to the whitelist. When the preceding steps have been performed, only the specific script files added to the whitelist that also have an extension and associated interpreter in the scripts list will be interpreted by the whitelisted script interpreter.

Are there any ways that whitelisted applications such as PowerShell could be abused? MAC currently provides mechanisms to completely disable unwanted interpreters such as PowerShell on the system by removing them from the whitelist. Scripts associated with a non-whitelisted interpreter (for example, PowerShell.exe) can still be executed if an updater binary or script (for example, a batch file) launches the associated scripts (.ps1 files in this case). The default whitelist that ships with the product includes PowerShell, based on customer requests. Customers are advised to follow the recommendations in KB85337 - Application Control security best practices. The product is not vulnerable to the technique described above when configured according to the Application Control security best practices. The default configuration, without local customization, allows the described whitelist bypass. A product enhancement that mitigates this issue is targeted for December 20, 2016.
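The whitelist, scripts-list and updater decisions described in the two answers above, modelled as an added Python example; this is not McAfee code, and every path, policy and name in it is a constructed assumption. It lets an administrator check what a candidate policy would allow or block before deployment, including the updater-launch path the FAQ says the default configuration permits.

```python
import ntpath  # handles Windows paths correctly even when run on a non-Windows host
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

def _paths(*items: str) -> Set[str]:
    return {p.lower() for p in items}  # Windows paths compare case-insensitively

@dataclass
class Policy:
    whitelist: Set[str]            # full paths authorized to execute (PEs and scripts)
    scripts_list: Dict[str, str]   # script extension -> interpreter file name
    updaters: Set[str]             # full paths of updater binaries/scripts

@dataclass
class Request:
    executable: str                # PE being launched (for scripts, the interpreter)
    script: Optional[str] = None   # script file handed to the interpreter, if any
    parent: Optional[str] = None   # process that launched the executable, if known

def evaluate(policy: Policy, req: Request) -> Tuple[str, str]:
    """Return ("allow" | "block", reason) following the rules in the FAQ above."""
    exe, exe_name = req.executable.lower(), ntpath.basename(req.executable).lower()
    if req.parent and req.parent.lower() in policy.updaters:
        return "allow", "parent is an updater; child runs even if not whitelisted"
    if exe not in policy.whitelist:
        return "block", "executable not in whitelist"
    if req.script is None:
        return "allow", "executable whitelisted"
    ext = ntpath.splitext(req.script)[1].lower()
    if policy.scripts_list.get(ext) != exe_name:
        return "allow", "no scripts-list entry: whitelisted interpreter runs any script"
    if req.script.lower() in policy.whitelist:
        return "allow", "script whitelisted and its extension controlled by scripts list"
    return "block", "extension controlled by scripts list; script not whitelisted"

# Constructed sample paths and policies (assumptions, not product defaults).
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CMD = r"C:\Windows\System32\cmd.exe"
LOGIN = r"\\corp.example\SYSVOL\scripts\login.ps1"
ANY = r"C:\Users\Public\any.ps1"
DEFAULT_LIKE = Policy(_paths(PS, CMD), {}, set())  # interpreter whitelisted, no scripts list
HARDENED = Policy(_paths(PS, CMD, LOGIN), {".ps1": "powershell.exe"}, set())
NO_PS_WITH_UPDATER = Policy(_paths(CMD), {".ps1": "powershell.exe"}, _paths(r"C:\tools\update.cmd"))

if __name__ == "__main__":
    for name, pol in (("default-like", DEFAULT_LIKE), ("hardened", HARDENED)):
        print(name, evaluate(pol, Request(PS, ANY)), evaluate(pol, Request(PS, LOGIN)))
```

The last policy shows why removing the interpreter from the whitelist alone is not enough: a launch from an updater is still allowed, which is the path KB85337's best practices are meant to close.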

What is the recommended feature status for Memory Protection – VASR? The MP-VASR feature should be ON. Upon investigation, Intel Security determined that scinject.dll is loaded at a random address because of the MP-VASR feature of MAC. The given attack is possible only when the MP-VASR feature is OFF, so it is recommended to keep this feature ON. This issue has an overall CVSS score of 3.5, ranking it as "low." A fix that changes the behavior of scinject.dll is targeted for December 20, 2016.