Release Notes McAfee Application Control 7.0.0


Contents

• About this release
• Release highlights
• Feature details
• Installation instructions
• Resolved issues
• Known issues
• Find product documentation
• Product documentation

About this release

This document contains important information about the current release. We strongly recommend that you read the entire document. This McAfee® Application Control release is available only for the Windows platform and includes:

• Solidcore extension 7.0.0-270
• Solidcore client 7.0.0-646

We have developed this release for use with these McAfee® ePolicy Orchestrator® (McAfee ePO™) versions:

• 5.1.0–5.1.3
• 5.3.0
• 5.3.1

Note: The reputation-based execution feature is supported only on McAfee ePO 5.1.1 and later versions.

Release highlights

This release contains many improvements and bug fixes. Here are the release highlights.

• Reputation-based execution using McAfee® Threat Intelligence Exchange (TIE) and McAfee® Global Threat Intelligence™ (McAfee GTI) based on file and certificate reputation.
• Seamless business continuity by automatically allowing or blocking execution based on an application's reputation.
• Improved classification for applications based on file and certificate reputation information available from reputation sources.
• Option to submit executables with Unknown reputation to McAfee® Advanced Threat Defense for analysis.
• Additional context, such as MD5 and SHA-1 checksums, deny reason, parent process, and file type for blocked applications on the Solidcore Events page to help you make better judgments.
• Single-click capability from the Solidcore Events page to view application context and simplify policy creation.
• Support to manage skiplist rules from the McAfee ePO console.
• Memory-protection techniques for the latest Windows platforms.
• Support for Windows 10 and Windows 10 Internet of Things (IoT) Enterprise.
• Direct upgrade from Solidcore client 6.1.0–6.2.0.
• Capability to manage Application Control 6.1.0–7.0.0 using Solidcore extension 7.0.0 on McAfee ePO 5.1.0–5.3.1.
• Ended support for ticket-based enforcement.
• Fixed multiple issues. For detailed information, see Resolved issues.

For more information about the new features, see Feature details.

Feature details

Here are the details about the new features included in this release.

• Reputation-based execution
• Memory protection for latest Windows platforms
• Windows 10 support
• User experience (UX) enhancements

For more information about these features, see McAfee Change Control and McAfee Application Control 7.0.0 Product Guide.

Reputation-based execution

In this release, we have implemented reputation-based execution for files. Application Control can work with multiple sources, such as the McAfee® Threat Intelligence Exchange (TIE) server module and the McAfee® Global Threat Intelligence™ (McAfee GTI) server, to fetch reputation information for files and certificates. On the McAfee ePO console, the reputation information helps you make quick and informed decisions for binary files and certificates in your enterprise. Reputation information, readily available to administrators, reduces the administrators' effort and allows them to quickly define policies for the enterprise on the McAfee ePO server.

On the endpoints, this integration allows reputation-based execution. When you execute a file at an endpoint, the software fetches its reputation and the reputation of all certificates associated with the file to determine whether to allow or ban the file execution. The settings configured for your enterprise determine the reputation values that are allowed and banned.

• Trusted files — If the reputation for a binary file or its associated certificate is trusted, the file is allowed to run, unless blocked by a predefined ban rule.
• Malicious files — If the reputation for a binary file or its associated certificate is malicious, the binary is not allowed to execute.
• Unknown — If the reputation for a binary file or its associated certificate is unknown, reputation is not used to determine execution. Application Control performs multiple other checks to determine whether to allow or block the file. For more information about the checks, see Checks that Application Control runs for a file in McAfee Change Control and McAfee Application Control 7.0.0 Product Guide.

Note: Reputation-based execution is available on all supported Windows platforms except Windows Vista and Windows 2008. Reputation-based execution is not available on UNIX platforms.
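The allow/block/defer decision described above, as an added example that is not part of these release notes and not McAfee's code. It models the precedence the text states: a predefined ban rule overrides a trusted reputation, a malicious file or certificate reputation blocks execution, and an unknown reputation is not used, so the decision falls through to Application Control's other checks. The numeric reputation scale, the thresholds, the SHA-1 representation of ban rules, the sample binaries and all function and class names are assumptions made for illustration.

```python
# Added example: a model of the reputation-based execution decision.
# Not McAfee's code; the numeric scale, thresholds and names are assumptions.
import hashlib
from dataclasses import dataclass, field
from enum import Enum


class Verdict(Enum):
    ALLOW = "allow"
    BLOCK = "block"
    DEFER = "defer"  # reputation inconclusive: other Application Control checks decide


# Assumed scale (TIE-style, higher is more trusted). The release notes only
# name the trusted / malicious / unknown classes, not the numbers behind them.
KNOWN_TRUSTED = 99
UNKNOWN = 50
KNOWN_MALICIOUS = 1


@dataclass
class Policy:
    """Enterprise settings: which scores count as trusted or malicious, plus
    predefined ban rules keyed by SHA-1 (assumed representation)."""
    trusted_at_or_above: int = 70
    malicious_at_or_below: int = 30
    banned_sha1: set = field(default_factory=set)

    def classify(self, score: int) -> str:
        if score >= self.trusted_at_or_above:
            return "trusted"
        if score <= self.malicious_at_or_below:
            return "malicious"
        return "unknown"


@dataclass
class Binary:
    """A file about to execute, with the reputation fetched for it and for
    every certificate associated with it (constructed sample data)."""
    path: str
    content: bytes
    parent_process: str
    file_reputation: int
    cert_reputations: tuple = ()

    @property
    def sha1(self) -> str:
        return hashlib.sha1(self.content).hexdigest()

    @property
    def md5(self) -> str:
        return hashlib.md5(self.content).hexdigest()


def decide(binary: Binary, policy: Policy) -> dict:
    """Return an event record: the verdict plus the context the Solidcore
    Events page shows for blocked applications (checksums, deny reason,
    parent process)."""
    event = {"path": binary.path, "md5": binary.md5, "sha1": binary.sha1,
             "parent_process": binary.parent_process}

    def finish(verdict, reason):
        event.update(verdict=verdict, reason=reason)
        return event

    # 1. A predefined ban rule wins even over a trusted reputation.
    if binary.sha1 in policy.banned_sha1:
        return finish(Verdict.BLOCK, "predefined ban rule (SHA-1 match)")

    classes = [policy.classify(binary.file_reputation)]
    classes += [policy.classify(r) for r in binary.cert_reputations]

    # 2. Any malicious reputation, file or certificate, blocks execution.
    #    Checking malicious before trusted is a conservative choice made here;
    #    the release notes do not say which wins when both apply.
    if "malicious" in classes:
        return finish(Verdict.BLOCK, "malicious reputation")

    # 3. A trusted file or certificate reputation allows execution.
    if "trusted" in classes:
        return finish(Verdict.ALLOW, "trusted reputation")

    # 4. Unknown everywhere: reputation is not used; fall through to the
    #    whitelist and the other checks Application Control performs.
    return finish(Verdict.DEFER, "unknown reputation; other checks apply")


# Constructed sample policy and binaries.
SAMPLE_POLICY = Policy()
SAMPLE_POLICY.banned_sha1.add(hashlib.sha1(b"legacy-admin").hexdigest())
TRUSTED_TOOL = Binary(r"C:\Tools\backup.exe", b"backup-v1", "explorer.exe",
                      KNOWN_TRUSTED, (KNOWN_TRUSTED,))
BANNED_BUT_TRUSTED = Binary(r"C:\Tools\legacyadmin.exe", b"legacy-admin",
                            "cmd.exe", KNOWN_TRUSTED)
UNKNOWN_FILE_BAD_CERT = Binary(r"C:\Temp\setup.exe", b"setup", "outlook.exe",
                               UNKNOWN, (KNOWN_MALICIOUS,))
UNSEEN = Binary(r"C:\Temp\new.exe", b"new", "cmd.exe", UNKNOWN, (UNKNOWN,))

if __name__ == "__main__":
    for b in (TRUSTED_TOOL, BANNED_BUT_TRUSTED, UNKNOWN_FILE_BAD_CERT, UNSEEN):
        ev = decide(b, SAMPLE_POLICY)
        print(f"{ev['verdict'].value:5} {ev['path']:28} {ev['reason']}")
```

Running the file prints one line per sample binary. The order of the checks is the point: a ban rule is consulted before any reputation is considered, a single malicious certificate is enough to block a file whose own reputation is unknown or even trusted, and a file that is unknown on every axis is neither allowed nor blocked by reputation but handed to the remaining checks.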

Based on the configuration, the software regularly synchronizes with these sources:

TIE
The TIE server is a local reputation server that communicates with multiple reputation sources. It effectively combines and collates intelligence from global sources with local threat intelligence and customized organizational knowledge to provide aggregated reputation values. The TIE server can communicate with McAfee GTI, McAfee® Advanced Threat Defense, or third-party feeds that include local threat intelligence sourced from real-time and existing event data delivered by endpoints, gateways, and other security components. For more information about the TIE server, see Threat Intelligence Exchange Product Guide for your version of the software.

McAfee GTI
The McAfee GTI file reputation service is a cloud-based service that functions as a reputation source. Application Control periodically synchronizes with the McAfee GTI server to fetch ratings for binary files and certificates.

Prerequisites

Here are the prerequisites to use the reputation-based execution feature in your enterprise.

Using TIE server

• Make sure that you have the McAfee ePO software (version 5.1.1 or later) installed in your environment. See McAfee ePolicy Orchestrator Software Installation Guide for your version of the software.
• Make sure that you have McAfee® Agent (version 5.0 or later) installed on endpoints in your environment. See McAfee Agent Product Guide for your version of the software.
• Install and configure TIE server (version 1.2.0-141 or later). For more information, see McAfee Threat Intelligence Exchange Installation Guide for your version of the software. Review the Requirements section in the guide to make sure that your installation is successful.
• Install the McAfee® Data Exchange Layer (DXL) software (broker and client) version 2.0 on McAfee ePO. See McAfee Threat Intelligence Exchange Installation Guide for your version of the software.
• Deploy the DXL client to all endpoints. See McAfee Threat Intelligence Exchange Installation Guide for your version of the software.
• Install or upgrade to the Solidcore extension version 7.0.0-270. For more information, see Installation instructions. We recommend that you first install and configure the TIE server and DXL software, then install or upgrade the Solidcore extension. If you first install or upgrade the Solidcore extension, you must restart the Solidcore extension plug-in after installing and configuring the TIE server and DXL software.
• Install or upgrade to the Solidcore client version 7.0.0-646. For more information, see Installation instructions in the release notes. We recommend that you first deploy the DXL client to endpoints, then install or upgrade the Solidcore client. However, if you first install or upgrade the Solidcore client, you must restart the McAfee Solidifier service (scsrvc.exe) at endpoints after deploying the DXL client.
• (Optional) Deploy Advanced Threat Defense version 3.4.6.83 to submit unknown files for reputation computation using the sandboxing technology.

Using GTI server

If TIE server is not configured or is unavailable in your enterprise, you can use the reputation-based execution feature with the McAfee GTI server. The McAfee GTI server is preconfigured in your enterprise and you do not need to change any settings.

Memory protection for latest Windows platforms

We have added support for memory-protection techniques on the following platforms:

Memory-protection technique | New platforms
CASP — Critical Address Space Protection (mp-casp) | 32-bit — Windows Server 2008, Windows Vista, Windows 7, Windows Embedded 7, Windows 8, Windows Embedded 8, Windows 8.1, Windows Embedded 8.1, Windows 10, and Windows 10 IoT Enterprise
NX — No eXecute (mp-nx) | 64-bit — Windows Server 2008, Windows Server 2008 R2, Windows Vista, Windows 7, Windows Embedded 7, Windows 8, Windows Embedded 8, Windows 8.1, Windows Embedded 8.1, Windows 10, Windows 10 IoT Enterprise, Windows Server 2012, and Windows Server 2012 R2
Forced DLL Relocation (mp-vasr-forcedrelocation) | 32-bit and 64-bit — Windows Server 2008, Windows Server 2008 R2, Windows Vista, Windows 7, Windows Embedded 7, Windows 8, Windows Embedded 8, Windows 8.1, Windows Embedded 8.1, Windows 10, Windows 10 IoT Enterprise, Windows Server 2012, and Windows Server 2012 R2

Windows 10 support

We have added support for these platforms.

• Windows 10
• Windows 10 IoT Enterprise

UX enhancements

We have made these significant enhancements to the user experience.

• Support to manage skiplist rules from the McAfee ePO console.
• Additional context, such as MD5 and SHA-1 checksums, deny reason, parent process, and file type for blocked applications on the Solidcore Events page to help you make better judgments.
• Single-click capability from the Solidcore Events page to view application context and simplify policy creation.

Installation instructions

Here is information specific to the 7.0.0 release for installation and upgrade.

System requirements

To review system requirements for this release, see the McAfee KnowledgeBase article KB73341.

Supported platforms

This release is available for all supported Microsoft Windows platforms. Starting with this release, we have discontinued support for Windows XP and Windows Server 2003 platforms.

Supported McAfee ePO versions

Installation and upgrade of Solidcore extension 7.0.0 is supported on McAfee ePO versions 5.1 and 5.3. We do not support installation of Solidcore extension 7.0.0 on McAfee ePO 4.6.

Upgrade support

Solidcore extension

This release supports upgrading from these Solidcore extension versions:

• 6.0.0, 6.0.1
• 6.1.0, 6.1.1, 6.1.2, 6.1.3, 6.1.4
• 6.2.0

Note: When upgrading to the Solidcore 7.0.0 extension, the migration task can take longer than usual. Depending on the volume of inventory data in your environment, the task can take a few hours or a day to complete. For more information, see KB84651.

If you are upgrading the Solidcore extension from 6.0.0 or a later release but earlier than 6.1.2-150, you must follow these steps.

1 Upgrade the Solidcore extension to any version between 6.1.2-150 and 6.2.0.
2 Upgrade McAfee ePO to 5.1.0 or later.
3 Upgrade the Solidcore extension from any version between 6.1.2-150 and 6.2.0 to the 7.0.0 release.

Solidcore client

This release supports upgrading from these Solidcore client versions:

• 6.1.0, 6.1.1, 6.1.2, 6.1.3
• 6.2.0

Important: If you are upgrading the Solidcore client from an older release, you must first upgrade to the 6.1.0 release, then to the 7.0.0 release.

Resolved issues

These issues are resolved in this release of the product. For a list of issues fixed in earlier releases, see the Release Notes for the specific release.

Solidcore extension

Solidcore version | Hotfix build number | Description | Service request number
All (earlier than 7.0.0) | 6.1.3-141 | When you run the Solidcore: Run Image Deviation server task from McAfee ePO to compare the inventory of an endpoint with the inventory that is fetched from a designated gold system, the server task fails and an internal server error is displayed. | 4-9801160231
All (earlier than 7.0.0) | N/A | Apache Tomcat 5.0 software might crash when Solidcore extension is installed on McAfee ePO. | 4-11507718238
All (earlier than 7.0.0) | N/A | In the McAfee Change Control and Application Control 6.2.0 Product Guide, information about execution of a binary file for which ban rules exist is missing. | 4-9314196991
All (earlier than 7.0.0) | N/A | We have added MARService.exe as an updater to the McAfee rule group. | 1119783

Solidcore client

Solidcore version | Operating system | Hotfix build number | Description | Service request number
6.1.0, 6.1.1, 6.1.2, 6.1.3 and 6.2.0 | Windows all | 6.1.0-706, 6.1.1-404, 6.1.2-449, 6.1.3-436, 6.2.0-498 | When you apply Windows updates released on October 13, 2015 (Microsoft Security Bulletin MS15-111) or November 10, 2015 (Microsoft Security Bulletin MS15-115) to a system where Application Control is enabled, the command prompt (cmd.exe) might fail to start. | 4-11350657154, 4-11312642891, 4-11385243211
6.1.0, 6.1.1, 6.1.2, 6.1.3 and 6.2.0 | Windows 7 and earlier | 6.1.0-706, 6.1.1-404, 6.1.2-449, 6.1.3-441, 6.2.0-505 | On Windows 7 and earlier platforms, an incompatibility exists between Application Control and all McAfee products that use SysCore 15.4.0.622.9 or later. | 1101321
6.1.0, 6.1.1, 6.1.2, 6.1.3 and 6.2.0 | Windows all | 6.1.0-706, 6.1.1-404, 6.1.2-449, 6.1.3-441, 6.2.0-505 | On a Windows 32-bit system, when code written in assembly language calls the Syscall library function with certain arguments, the system might show a blue screen error. | 1096765
6.1.3 | Windows all | 6.1.3-432 | When the inventory is corrupt on a system, the system might restart in a loop. This issue occurs because the Federal Information Processing Standard (FIPS) driver fails to load on the system, making it difficult for Application Control to detect the corrupt inventory. | 4-9922780391
6.1.3 | Windows all | 6.1.3-432 | While creating a Windows backup on a system where Application Control is enabled, the system might stop responding. | 4-10570835111
6.1.3 and 6.2.0 | Windows all | 6.1.3-419 | A memory leak is observed on a system where the MP-CASP feature is enabled. This issue occurs because of an incompatibility between the MP-CASP feature and a Windows API. | 4-8265690411
6.1.3 and 6.2.0 | Windows Server 2012 R2 | 6.1.3-419 | When you open a file on a Windows Server 2012 R2 system where Application Control is enabled, the software mistakenly checks for a mount-point folder path. This issue can cause a kernel stack overflow and the system might stop responding. | 4-8276697516
6.1.3 and 6.2.0 | Windows all | 6.2.0-458, 6.1.3-419 | If McAfee Agent 5.0 or McAfee® VirusScan® Enterprise 8.8 (HF 929019) coexists with Application Control software on the system, the system might stop responding if Application Control is enabled. This occurs because of an incompatibility between SysCore 15.3 and Application Control, specifically when other installed applications use a tilde (~) in short path names. | 4-8178687291, 4-8655201924
6.1.3 and 6.2.0 | Windows all | 6.2.0-458, 6.1.3-419 | When you install Application Control, the certificates folder in the Application Control installation directory is not created. | 4-8588887705
6.1.3 and 6.2.0 | Windows all | 6.1.3-410, 6.2.0-493 | The system (where Application Control is enabled) might stop responding with Bug Check 0x22 when these options are enabled in the Driver Verifier tool: Special Pool, Pool Tracking, Deadlock Detection, Security Checks, and Miscellaneous Checks. | 4-10303308701, 4-6088539561, 4-7570856191
6.1.3 and 6.2.0 | Windows 8 and Windows 8.1 (64-bit) | 6.2.0-461 | On a system where Application Control is enabled, you might experience a significant delay in system startup. | 4-9561698971
6.2.0 | Windows all | 6.2.0-458 | On a system where Application Control is enabled, when you run the Adobe InDesign software, the system might stop responding and display a bug check. | 4-8732179009
6.2.0 | Windows XP | 6.2.0-458 | On a Windows XP system where Application Control is enabled, when you disable the memory-protection feature and enable the script-as-an-updater feature, the system might erroneously restart in a loop. | 4-9107814352
6.2.0 | Windows all | 6.2.0-476 | On a system where Application Control is enabled, Microsoft .NET-based websites might stop working. | 4-9799684551, 4-9267979485
6.2.0 | Windows 2000 | 6.2.0-476 | When you run multiple installers on a system where Application Control is enabled, the system might stop responding. | 4-9540515902
6.2.0 | Windows all | 6.2.0-480 | While uninstalling software on a system where Application Control is installed, the system might show a blue screen error. This issue occurs because of a race condition. | 4-10227043671
6.2.0 | Windows all | 6.2.0-458 | On a system where Application Control software is already installed, when you try to re-install the same version of the software using McAfee ePO, the Product Deployment client task fails and the error 1603: A fatal error occurred during installation is displayed in the Windows Application Log. | 4-7760620724
6.2.0 | Windows all | 6.2.0-476 | While installing or upgrading software on a system where Application Control is enabled, the system might show a blue screen error. | 4-9552120301
6.2.0 | Windows all | 6.2.0-476 | On a system where Application Control is enabled, disk input/output (I/O) operations might increase frequently, which affects system performance. | 4-9870950991
6.2.0 | Windows all | 6.2.0-480 | While creating the whitelist on a system, files that Application Control cannot open are marked as deferred in the whitelist. We have reduced the number of deferred files to refine the whitelist. | 1090044
6.2.0 | Windows all | 6.2.0-493 | McTray.exe might crash while unloading the Application Control plug-in on a system. | 4-10144566446
6.2.0 | Windows all | 6.2.0-493 | While installing software on a system where Application Control is enabled, the system might show a blue screen error. This issue occurs because of a race condition. | 4-10532941211
7.0.0-626 | Windows all | N/A | When communication with the TIE server is temporarily suspended and then resumes, the missed notifications are mistakenly not synchronized. | 1111630
7.0.0-626 | Windows all | N/A | When you upgrade Application Control from version 6.1.2-449 to 7.0.0-626, a checksum mismatch occurs for files in the whitelist. | 1117853

Known issues

For a list of known issues in this product release, see this McAfee KnowledgeBase article: KB85710.

Find product documentation

On the ServicePortal, you can find information about a released product, including product documentation, technical articles, and more.

Task
1 Go to the ServicePortal at https://support.mcafee.com and click the Knowledge Center tab.
2 In the Knowledge Base pane under Content Source, click Product Documentation.
3 Select a product and version, then click Search to display a list of documents.

Product documentation

Every McAfee product has a comprehensive set of documentation.

Document | Configuration | Description
McAfee Change Control and McAfee Application Control 7.0.0 Product Guide | Managed | Information to help you configure, use, and maintain the product.
McAfee Change Control and McAfee Application Control 7.0.0 Help | Managed | Information to help you configure, use, and maintain the product. Also includes context-sensitive Help for all product-specific interface pages and options in McAfee ePO.
McAfee Change Control and McAfee Application Control 7.0.0 Installation Guide | Managed | Information to help you install, upgrade, and uninstall the product.
McAfee Application Control 7.0.0 Product Guide | Standalone | Information to help you use and maintain the product.
McAfee Change Control and McAfee Application Control 7.0.0 Installation Guide | Standalone | Information to help you install, upgrade, and uninstall the product.
McAfee Application Control 7.0.0 Command Line Interface Guide | Standalone | All Application Control commands that are available when using the command line interface (CLI).

© 2016 Intel Corporation Intel and the Intel logo are trademarks/registered trademarks of Intel Corporation. McAfee and the McAfee logo are trademarks/registered trademarks of McAfee, Inc. Other names and brands may be claimed as the property of others.
