
Product Guide

McAfee Application Control 8.0.0


COPYRIGHT

© 2016 Intel Corporation

TRADEMARK ATTRIBUTIONS

Intel and the Intel logo are registered trademarks of the Intel Corporation in the US and/or other countries. McAfee and the McAfee logo, McAfee Active Protection, McAfee DeepSAFE, ePolicy Orchestrator, McAfee ePO, McAfee EMM, McAfee Evader, Foundscore, Foundstone, Global Threat Intelligence, McAfee LiveSafe, Policy Lab, McAfee QuickClean, Safe Eyes, McAfee SECURE, McAfee Shredder, SiteAdvisor, McAfee Stinger, McAfee TechMaster, McAfee Total Protection, TrustedSource, VirusScan are registered trademarks or trademarks of McAfee, Inc. or its subsidiaries in the US and other countries. Other marks and brands may be claimed as the property of others.

LICENSE INFORMATION

License Agreement

NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND.


Contents

Preface 7
    About this guide 7
        Audience 7
        Conventions 7
    Find product documentation 8

1 Introduction 9
    Application Control overview 9
    Product features 10

2 Getting started 13
    Application Control workflow 13
    Understanding Application Control modes 14
    How the whitelist works 14
    Using the command-line interpreter 15
    Deploy Application Control 15
        Add the license 16
        Create the whitelist 16
        Place Application Control in Enabled mode 17

3 Protecting file system components 19
    How protection works 19
        What is write protection? 20
        What is read protection? 20
    Write-protect components 21
        Apply write protection 21
        Exclude components from write protection 22
        List write-protected components 23
        Remove write protection 23
    Read-protect components 24
        Apply read protection 24
        Exclude specific components from read protection 25
        List read-protected components 25
        Remove read protection 25

4 Overriding applied protection 27
    How do I override protection? 27
    Using updaters 29
        What are updaters? 29
        When do I add updaters? 30
        What can I add as updaters? 31
        Add updaters 32
        List updaters 37
        Remove updaters 37
    Using certificates 38


        Extract certificates 39
        Add certificates 39
        View certificates 41
        Remove certificates 42
    Using SHA-1 or SHA-256 values 43
        Authorize binaries 43
        Ban binaries 44
        View authorized and banned binaries 44
        Remove authorized or banned binaries 44
    Using binary names 45
        Authorize execution of binaries by name 45
        Ban execution of binaries by name 45
        Block interactive mode for a file 45
        View authorized and banned binaries 46
        Remove authorized and banned rules 46
    Using trusted directories 47
        What are trusted directories? 47
        When do I add trusted directories? 47
        Add trusted directories 47
        Follow the guidelines to specify directory path 48
        List trusted directories 49
        Exclude specific directories from the list of trusted directories 49
        Remove trusted directories 49
    Using trusted users (Windows only) 50
        Add trusted users 50
        List trusted users 51
        Remove trusted users 51
    Allowing ActiveX controls to run 52
        Allow ActiveX controls 52
        Block execution of ActiveX controls 52
        Disable the ActiveX feature 52
    Configuring interpreters to control execution of additional scripts 53
        Map an interpreter with a file extension 54
        List interpreter and file extension associations 55
        Remove interpreter and file extension associations 55
    Defining attribute-based rules for file execution (Windows only) 55
        Adding attribute-based rules 57
        Remove attribute-based rule 58
        List all attribute-based rules 59

5 Configuring memory-protection techniques 61
    Memory-protection techniques 61
    Configure CASP 63
    Configure NX 64
    Configure Forced DLL Relocation 64

6 Maintaining your systems 67
    View product status and version 67
    Manage the whitelist 68
        Whitelist thread priority 69
        Add and remove operations 69
        List operations 70
        Check and update the status of whitelisted components 71
    Advanced exclusion filters (AEFs) 71
        Add or remove AEFs 72
        List AEFs 74


    Manage product features 74
        Review features 75
        Enable or disable features 77
    Package Control 77
        Set up Package Control 79
        Package Control configuration 79
    Making emergency changes 80
        Switch to Update mode 81
        Exit Update mode 81
    Enable or disable password protection 81
    Review changes using events 82
        Configure event sinks 82
        Configure the event cache size 83
        View events 84
    Configuring log files 85
    Runtime environment of the system 86
        Run ScAnalyzer 86
        Review the ScAnalyzer report 87
    Managing mass deployments and system upgrades 87
        View the existing configuration parameters 88
        Export configuration settings 90
        Import configuration settings 90
        Change configuration parameters 91
    Disable Application Control 91

7 Troubleshooting 93
    Collecting information before contacting McAfee Support 93
        Collect GatherInfo logs 93
        Collecting system and issue details 94
    Troubleshoot startup failure 95
    Identify self-modifying driver issues 96
    Diagnose system crash issues 96
        System crash on Windows 97
        Diagnose system-crash on Windows 97
        System crash on Linux 98
    Analyze Active Directory issues (Windows only) 99
    Installing application after failure 100
    Application execution failure 101
    Diagnose application performance-related issues 102
    Diagnose system-hang issues 102
    Diagnose system performance issues 103
    Detect Application Control installation failure 104
    Diagnose updater privileges issues 104
    Identify events flooding issue 105
    Troubleshoot using error messages 105
    Command line interface error messages 105
    Legitimate failures and error messages 106
        Error messages generated for binary and script files 106
        Error messages generated for installer packages 107
        Error messages generated while tampering with the whitelisted components 108
    Bypass rules for files and scripts 110
        Add bypass rules for files and scripts 110
        Remove bypass rules for files and scripts 111
    Skip rules for path components 112
        Skip rules for path components 112
        List skip rules for path components 114


        Remove skip rules for path components 114

A Frequently asked questions 117

B Application Control event list 119

C Command short forms 125

D Application Control Command Line Interface reference 127
    Command overview 127
    Argument details 142

Index 149


Preface

This guide provides the information you need to work with your McAfee product.

Contents
    About this guide
    Find product documentation

About this guide

This information describes the guide's target audience, the typographical conventions and icons used in this guide, and how the guide is organized.

Audience

McAfee documentation is carefully researched and written for the target audience.

The information in this guide is intended primarily for:

• Administrators — People who implement and enforce the company's security program.

• Users — People who use the computer where the software is running and can access some or all of its features.

Conventions

This guide uses these typographical conventions and icons.

Italic           Title of a book, chapter, or topic; a new term; emphasis
Bold             Text that is emphasized
Monospace        Commands and other text that the user types; a code sample; a displayed message
Narrow Bold      Words from the product interface like options, menus, buttons, and dialog boxes
Hypertext blue   A link to a topic or to an external website

Note: Extra information to emphasize a point, remind the reader of something, or provide an alternative method

Tip: Best practice information

Caution: Important advice to protect your computer system, software installation, network, business, or data

Warning: Critical advice to prevent bodily harm when using a hardware product


Find product documentation

On the ServicePortal, you can find information about a released product, including product documentation, technical articles, and more.

Task

1 Go to the ServicePortal at https://support.mcafee.com and click the Knowledge Center tab.

2 In the Knowledge Base pane under Content Source, click Product Documentation.

3 Select a product and version, then click Search to display a list of documents.


1 Introduction

McAfee® Application Control software offers an effective way to block unauthorized applications from running on your systems. Unlike simple whitelisting, it uses a dynamic trust model to avoid labor-intensive lists.

Today's IT departments face tremendous pressure to ensure that systems and servers comply with security policies, operating procedures, and regulations. Users can unintentionally introduce software that poses a risk to the business, installs malware, creates support issues, and violates software licenses, compromising systems and your business. Businesses of all sizes need an efficient way to standardize systems and servers to make sure that they are running only approved software, without impacting productivity.

As enterprises face unknown software from the Internet, Application Control adds timely control to your system security strategy, and is attuned to the operational needs of enterprises.

This document covers using Application Control in the standalone configuration only.

Contents
    Application Control overview
    Product features

Application Control overview

Application Control software allows only authorized applications on servers, corporate desktops, and fixed-function devices.

Increased control over fixed-function systems

In regulated industries like banking, retail, and manufacturing, devices such as point-of-sale (POS) terminals or customer service terminals perform critical functions and often store sensitive data. Application Control extends a layer of protection to fixed-function systems. Its low overhead footprint does not have an impact on the system performance, requires low initial and ongoing operational overhead, and works effectively in standalone mode. The product is designed to operate in network and firewall configurations. It can even operate on systems that are not connected to a network.

Business efficiency in a controlled environment

Malware takes advantage of the flexible software and modular code used in business environments. Application Control extends coverage to Java, ActiveX controls, scripts, batch files, and code. This coverage gives greater control over application components, and blocks advanced threats without requiring signature updates.


Easy solution

Application Control is an easy solution that provides:

• Easy setup and low initial and ongoing operational overhead.

• Minimal impact on CPU cycles and uses less than 10 MB of RAM.

• No file system scanning that could have an impact on the system performance.

Also, Application Control requires no signature updates.

Dynamic whitelisting using a trust model

Application Control provides flexible, affordable, and secure dynamic management of a whitelist. This dynamic management allows Application Control to support multiple configurations for different business needs, such as POS terminals, BackOffice servers, and multiple desktop images for different user profiles.

Leveraging a trusted source model, Application Control eliminates the need for IT administrators to manually maintain lists of approved applications. On a protected system, authorized software is allowed to run and it cannot be changed. Application Control prevents attempts to tamper with protected files, creates an event for each attempt, and writes event entries in a log file.

Key advantages and uses

• Protection against zero-day threats without requiring signature updates.

• Lower cost of ownership because dynamic whitelisting eliminates the manual effort of adding trusted applications to the whitelist.

• Protection against malware for these fixed-function systems:

    • POS terminals (in retail environments)
    • Automated teller machines (ATMs) in banking
    • Kiosk devices
    • Servers and corporate desktops
    • Customer service terminals

Product features

Application Control protects your system from any unauthorized attempt using these key features.

• Malware protection — Protects systems from malware attacks before they occur, by proactively controlling the application execution on the system.

• Secured system — Secures a system against threats and unwanted changes.

• Execution protection — Prevents execution of unauthorized updates that might change the existing applications running on the system.

• Dynamic whitelisting — Eliminates the manual maintenance effort that other whitelisting technologies require.

• Trusted applications — Enables administrators to adopt a flexible approach with a centralized repository of trusted applications to run on the system.


• Memory protection — Prevents execution of unauthorized software, scripts, and libraries, and defends against memory exploits.

• Automatic whitelisting — Whitelists new software that is added through an authorized process.


2 Getting started

Application Control workflow details important concepts and includes instructions to help you deploy Application Control to a system.

Contents
    Application Control workflow
    Understanding Application Control modes
    How the whitelist works
    Using the command-line interpreter
    Deploy Application Control

Application Control workflow

This diagram provides an overview of the Application Control deployment workflow.

[Diagram: Application Control deployment workflow]


Understanding Application Control modes

Application Control operates in different modes depending on your requirements.

Disabled   Application Control is not running on the system. Although Application Control is installed, its features are disabled. Disabled mode is supported on Windows and Linux platforms. From Disabled mode, you can switch to Enabled or Update mode. See Disable Application Control.

Enabled    Only whitelisted applications and files are allowed to run. Execution of unauthorized software, such as a virus or spyware, is prevented. In Enabled mode, Application Control protects files in the whitelist from unauthorized modification and deletion attempts. After the initial whitelist is created for your system, switch Application Control to Enabled mode. This mode makes sure that no unauthorized changes are allowed. Enabled mode is supported on Windows and Linux platforms. You can switch Application Control from Enabled mode to Disabled or Update mode. See Place Application Control in Enabled mode.

Update     Perform authorized software updates on a protected system. This mode groups required update actions, such as addition, modification, or removal of software, then executes the actions. When you perform software updates in Update mode, Application Control tracks and records each change. Also, it dynamically updates the whitelist to make sure that the changed or added binaries and files are authorized to execute when the system returns to Enabled mode. If you delete any software and program files from the system, the respective files are removed from the whitelist. Update mode is supported on Windows and Linux platforms. You can switch from Update mode to Enabled mode only. See Making emergency changes.

Observe    Unavailable in the standalone configuration; available only when McAfee® ePolicy Orchestrator® (McAfee® ePO™) manages the system. In Observe mode, the application is in effect but does not prevent any changes made to the endpoints. Observe mode is supported only on the Windows platform.

How the whitelist works

When you deploy Application Control to protect a system, it scans the system and creates a whitelist of executables (binaries, libraries, and drivers) and scripts present on the system. The whitelist also includes hidden files and folders.

The whitelist lists authorized files and determines trusted or known files. In Enabled mode, only files that are present in the whitelist are allowed to execute. All files in the whitelist are protected and cannot be changed or deleted. An executable binary or script that is not in the whitelist is said to be unauthorized and is prevented from running.

Application Control stores the whitelist for each drive or volume at the following location:

• Windows: <drive>\Solidcore\scinv

• Linux: <volume>/.solidcore/scinv

Here is a list of the types of files included in the whitelist.

• Binary executables (.exe, .sys, and .dll files for Windows and binaries and shared libraries for Linux)

• Script files (such as .bat, .cmd, and .vbs files for Windows and files containing #! for Linux)

When the whitelist is created for Windows, Application Control does not include system-specific files that are protected by the operating system, for example pagefile.sys and hiberfil.sys.


When you execute a file on a whitelisted system, Application Control compares the checksum and path of the binary with the checksum and path stored in the whitelist, and allows the execution only if both the checksum value and the path match.
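To make the rules above concrete, here is a small Python model (an added example, not McAfee code) of the whitelist lifecycle the guide describes: an inventory built the way sadmin solidify is described (Windows binaries and scripts by extension, Linux files by a leading #!), an Enabled-mode check that requires both path and checksum to match, and an Update-mode commit that re-records changed files and drops deleted ones. The choice of SHA-256, the ELF-magic test for Linux binaries, and the sample files are assumptions made for the demonstration.

```python
import hashlib
import os
import shutil
import tempfile

# File classes the guide says the whitelist covers on Windows (by extension).
WINDOWS_EXEC_EXT = {".exe", ".sys", ".dll", ".bat", ".cmd", ".vbs"}


def is_whitelist_candidate(path, platform="windows"):
    """Decide whether a file is an executable or script the whitelist should hold."""
    if platform == "windows":
        return os.path.splitext(path)[1].lower() in WINDOWS_EXEC_EXT
    # Linux: the guide identifies scripts by "#!"; treating the ELF magic as the
    # marker for native binaries and shared libraries is an assumption of this demo.
    with open(path, "rb") as f:
        head = f.read(4)
    return head.startswith(b"#!") or head == b"\x7fELF"


def sha256_of(path):
    """Checksum that identifies a file's content (SHA-256 assumed for the demo)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def _key(path):
    """Normalized absolute path: the whitelist is keyed by path as well as checksum."""
    return os.path.normcase(os.path.abspath(path))


def solidify(root, platform="windows"):
    """Model of the inventory step: walk a volume and record path -> checksum."""
    whitelist, scanned = {}, 0
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            scanned += 1
            if is_whitelist_candidate(p, platform):
                whitelist[_key(p)] = sha256_of(p)
    return whitelist, scanned


def execution_allowed(whitelist, path):
    """Enabled-mode check: the path must be listed AND the current checksum must match."""
    expected = whitelist.get(_key(path))
    if expected is None:
        return False, "not in whitelist"
    if sha256_of(path) != expected:
        return False, "checksum mismatch"
    return True, "authorized"


def update_mode_commit(whitelist, touched_paths):
    """Model of Update mode: re-hash files that changed, drop files that were deleted."""
    for p in touched_paths:
        k = _key(p)
        if os.path.exists(p):
            whitelist[k] = sha256_of(p)
        else:
            whitelist.pop(k, None)
    return whitelist


def demo():
    """Constructed scenario in a temp directory; returns every decision for inspection."""
    root = tempfile.mkdtemp()
    exe = os.path.join(root, "app.exe")
    bat = os.path.join(root, "start.bat")
    txt = os.path.join(root, "notes.txt")
    for p, data in ((exe, b"MZ fake binary"), (bat, b"@echo off\r\n"), (txt, b"hello")):
        with open(p, "wb") as f:
            f.write(data)
    wl, scanned = solidify(root)
    out = {"scanned": scanned, "listed": sorted(os.path.basename(k) for k in wl)}
    out["exe_before"] = execution_allowed(wl, exe)
    out["txt"] = execution_allowed(wl, txt)      # .txt is never inventoried
    with open(exe, "ab") as f:                   # tamper: modify a listed binary
        f.write(b"patched")
    out["exe_tampered"] = execution_allowed(wl, exe)
    moved = os.path.join(root, "copy.bat")       # same content, different path
    shutil.copyfile(bat, moved)
    out["script_moved"] = execution_allowed(wl, moved)
    # Update mode: the patched binary is re-recorded and a deleted script drops out
    os.remove(bat)
    update_mode_commit(wl, [exe, bat])
    out["exe_after_update"] = execution_allowed(wl, exe)
    out["bat_dropped"] = _key(bat) not in wl
    shutil.rmtree(root)
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```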

Using the command-line interpreter

The command-line interpreter (sadmin) allows you to manage the Application Control configuration and features. The method you use to open the command-line interpreter depends on your operating system.

Windows
    • On Windows 2008, Windows 2008 R2, Windows 2012, Windows 8, Windows 8.1, Windows 10, and Windows 7 (with UAC enabled) platforms, right-click the McAfee Solidifier Command-line icon on the desktop and select Run as administrator.
    • On other Windows platforms, double-click the McAfee Solidifier Command-line icon on the desktop.
    • Click the Start | Programs | McAfee | Solidifier | McAfee Solidifier Command Line menu option.
    By default, sadmin is added to the PATH environment variable, so the sadmin command works in a command line interface (CLI) window opened from any location.

Linux
    1 Open a Linux terminal.
    2 Access the command-line interpreter from <install directory>/mcafee/solidcore/bin/sadmin.

Use these commands to get help information.

Syntax                           Description
sadmin help                      Lists basic help information.
sadmin help <command>            Provides basic help for the specified command.
sadmin help-advanced <command>   Provides advanced help for the specified command.

Deploy Application Control

Complete the tasks to deploy Application Control to a system.

Before you begin

Review the deployment workflow.

Tasks

• Add the license on page 16
  The license determines if the product features are available to you.

• Create the whitelist on page 16
  The whitelist controls applications and files that can run on a protected system. Create a whitelist of executables (binaries, libraries, and drivers) and scripts present on the system.

• Place Application Control in Enabled mode on page 17
  Place Application Control in Enabled mode to allow only whitelisted applications to run on the system.


Add the licenseThe license determines if the product features are available to you.

• Windows – You can specify the license during or after installation. If you don't specify a licenseduring installation, you must when you run Application Control on the system.

• Linux – You must specify a valid license after installation when you run Application Control on thesystem.

Task

1 Verify if a license is already added (provided during installation) by entering the following commandand pressing Enter.sadmin license listAll licenses that are already installed on the system are listed.

2 If no license is listed, add a license now.

a Run this command at the command prompt.

sadmin license add <license_key>

b Restart the Application Control service.

Windows net stop scsrvcnet start scsrvc

Linux service scsrvc restart

Create the whitelistThe whitelist controls applications and files that can run on a protected system. Create a whitelist ofexecutables (binaries, libraries, and drivers) and scripts present on the system.

Before you begin

• Read how Application Control uses the whitelist. See How the whitelist works.

• Optionally, set the whitelist thread priority before creating the whitelist. See Whitelist thread priority.

Task

1 Run this command at the command prompt.

sadmin solidify

The time the system takes to create the whitelist varies from a few minutes to an hour, depending on your system configuration, including CPU speed, RAM, and applications installed on the system. After the whitelist is created, a message similar to this one appears.

Solidifying volume C:\ 00:04:11: Total files scanned 12265, solidified 6342

2 Verify that the drive or volume is whitelisted.

a Run this command at the command prompt.

sadmin status

The status of Application Control is displayed. You can view the operational mode, operational mode on system restart, connectivity with McAfee ePO, CLI access status, and whitelist status of the drives or volumes. However, in the standalone configuration of the product, connectivity with McAfee ePO is not applicable.


b Review the whitelist status of the drives or volumes, and make sure that the status is Solidified.

Place Application Control in Enabled mode

Place Application Control in Enabled mode to allow only whitelisted applications to run on the system.

Task

1 Run this command at the command prompt.

sadmin enable

2 Place Application Control in Enabled mode.

Operating system   Action

Windows            Perform one of these steps:
                   • Restart the system to enable Application Control and the memory protection feature.
                   • Restart the Application Control service to enable Application Control without the memory protection feature.
                     net stop scsrvc
                     net start scsrvc

Linux              Restart the Application Control service to enable Application Control.
                   service scsrvc restart

3 Verify that Application Control is in Enabled mode with this command:

sadmin status

Application Control status is displayed. You can view the operational mode, operational mode on system restart, connectivity with McAfee ePO, CLI access status, and whitelist status of all drives. However, in the standalone configuration of the product, connectivity with McAfee ePO is not applicable.

a Review the operational mode.

b Verify that the current operational mode is Enabled.
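The deployment sequence above (license, solidify, status, enable, service restart), as an added helper script that is not part of this guide and not McAfee's code. It builds the exact commands the chapter lists for each platform, runs them on request, parses the solidify summary line shown above, and checks the status output for the two things the chapter tells you to verify. The guide does not show the layout of `sadmin status`, so `check_status()` only looks for the words "Solidified" and the expected operational mode, and the `SAMPLE_STATUS` text is a constructed sample in the guide's field names; confirm both against real output before relying on them.

```python
"""Deployment helper for the sadmin command sequence in this chapter.

Added example, not McAfee's code. It builds the commands the guide lists
(license list/add, solidify, status, enable, service restart), optionally
runs them, and checks their output. The guide does not show the exact
layout of 'sadmin status', so check_status() only looks for the words the
guide tells you to verify ("Solidified", operational mode "Enabled"); that
is an assumption to confirm against your own output.
"""
import re
import subprocess
from typing import List, Optional, Tuple

# Shape of the summary line the guide shows after "sadmin solidify".
_SOLIDIFY_RE = re.compile(
    r"Solidifying volume (?P<volume>\S+?)\s*(?P<elapsed>\d{2}:\d{2}:\d{2}):\s*"
    r"Total files scanned (?P<scanned>\d+), solidified (?P<solid>\d+)"
)

# Constructed sample in the field names the guide describes; real output may differ.
SAMPLE_STATUS = """\
Operational mode:                   Enabled
Operational mode on system restart: Enabled
Connectivity with McAfee ePO:       Not applicable
CLI access status:                  Recovered
Volume C:\\                          Solidified
"""


def parse_solidify_summary(line: str) -> Optional[Tuple[str, int, int]]:
    """Return (volume, files_scanned, files_solidified) from a solidify summary line."""
    m = _SOLIDIFY_RE.search(line)
    if not m:
        return None
    return m.group("volume"), int(m.group("scanned")), int(m.group("solid"))


def service_restart_commands(platform: str) -> List[List[str]]:
    """The service restart the guide gives for each platform (scsrvc)."""
    if platform == "windows":
        # A service restart enables Application Control without the memory
        # protection feature; a full system restart is needed for that feature.
        return [["net", "stop", "scsrvc"], ["net", "start", "scsrvc"]]
    if platform == "linux":
        return [["service", "scsrvc", "restart"]]
    raise ValueError(f"unsupported platform: {platform}")


def deployment_plan(platform: str, license_key: Optional[str] = None) -> List[List[str]]:
    """Ordered commands: license -> solidify -> status -> enable -> restart -> status.

    The 'license add' step and its service restart are emitted only when a key
    is supplied (i.e. 'sadmin license list' came back empty).
    """
    plan: List[List[str]] = [["sadmin", "license", "list"]]
    if license_key:
        plan.append(["sadmin", "license", "add", license_key])
        plan.extend(service_restart_commands(platform))
    plan += [["sadmin", "solidify"], ["sadmin", "status"], ["sadmin", "enable"]]
    plan.extend(service_restart_commands(platform))
    plan.append(["sadmin", "status"])
    return plan


def check_status(status_output: str, expect_mode: str = "Enabled") -> dict:
    """Heuristic check of 'sadmin status' output (layout assumed, see module doc)."""
    solidified = unsolidified = mode_ok = False
    for line in status_output.splitlines():
        low = line.lower()
        if re.search(r"\bunsolidified\b", low):
            unsolidified = True
        elif re.search(r"\bsolidified\b", low):
            solidified = True
        # The current mode line, not the "on system restart" line.
        if "operational mode" in low and "restart" not in low:
            mode_ok = expect_mode.lower() in low
    return {"whitelist_ok": solidified and not unsolidified, "mode_ok": mode_ok}


def run(plan: List[List[str]]) -> List[subprocess.CompletedProcess]:
    """Execute the plan in order on a real endpoint, stopping at the first failure."""
    results = []
    for cmd in plan:
        proc = subprocess.run(cmd, capture_output=True, text=True)
        results.append(proc)
        if proc.returncode != 0:
            break
    return results


if __name__ == "__main__":
    for cmd in deployment_plan("linux"):
        print(" ".join(cmd))
    print(parse_solidify_summary(
        "Solidifying volume C:\\ 00:04:11: Total files scanned 12265, solidified 6342"))
    print(check_status(SAMPLE_STATUS))
```

Run it with `python3 deploy_check.py` to print the Linux plan; call `run(deployment_plan("linux"))` on an endpoint where `sadmin` is installed, and feed the captured `sadmin status` text to `check_status()` before treating the deployment as complete.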


3 Protecting file system components

When Application Control is running in Enabled mode, you can choose a set of files, directories, drives (Windows), volumes (Linux), and registry keys to protect from unauthorized changes.

Contents
  How protection works
  Write-protect components
  Read-protect components

How protection works

Application Control prevents unauthorized changes to your system components by write-protecting them.

Application Control can write-protect or read-protect these components.

Feature            Component               Prevented actions

Write protection   File                    Creating, modifying, renaming, deleting, creating hard links, creating an Alternate Data Stream (ADS) for Windows
                   Directory               Modifying, deleting, renaming
                   Drive/Volume            Modifying, deleting, renaming
                   Registry key (Windows)  Modifying, deleting, renaming

Read protection    File                    Reading data
                   Directory               Reading data (applicable only to the files inside the read-protected directory)
                   Drive/Volume            Reading data (applicable only to the files inside the read-protected drive/volume)


If you specify a component (file, directory, volume) to be write-protected before creating it, you cannot create a component with that name.

If a file is write-protected, you cannot modify its content or attributes. However, on the Windows platform, certain attributes can be modified.

Attribute Attribute modification allowed

Encryption No

Compression No

Hidden Yes

Read-only Yes

What is write protection?

Write protection is a feature that protects the files, directories, and drives (Windows) or volumes (Linux) from being modified or deleted. Write protection is identified as deny-write in the features list. By default, this feature is enabled.

If you write-protect a directory, drive, or volume, write protection is applied to all files and subdirectories in that directory, drive, or volume. If any file residing in a directory or subdirectory is write-protected, you are not allowed to rename, move, or delete its parent directory. Creation of new files in a write-protected directory, drive, or volume is also not allowed.

Write-protect only files that are not routinely updated by programs. For example, C:\WINDOWS\system32\drivers\etc\hosts.

This feature is in effect only when Application Control is operating in Enabled mode.

Any unauthorized attempt to modify the contents of a write-protected component is prevented and an event is generated.

What is read protection?

Read protection is a feature that protects the files, directories, drives (Windows), and volumes (Linux) by preventing the data in the files from being read. Read protection is identified as deny-read in the features list.

This feature is disabled by default and can be enabled with the sadmin features enable deny-read command. No restart is required for enabling or disabling this feature. Read protection works only when Application Control is running in Enabled mode.

When a directory, drive, or volume is read-protected, read protection is applied only to the files in that directory, drive, or volume. As a result, the files in the subdirectories are also read-protected. If a read-protected file or directory is moved to a different path, it is no longer read-protected.

Be careful when you read-protect directories, drives, or volumes, so that Application Control can still operate on the system. For example, if you read-protect a directory, drive, or volume, the whitelisted files in that directory, drive, or volume cannot execute. Also, if you create a file in a read-protected directory, drive, or volume, the file cannot be added to the whitelist.

Make sure that the read-protected files are also write-protected using the deny-write feature, to provide extra protection to the read-protected files. This ensures that the contents of the files cannot be read by renaming or moving the files. A read-protected file that is not write-protected becomes readable if it is renamed or moved to another location.


Any unauthorized attempt to read data from a read-protected file is prevented and an event is generated.

You cannot read-protect registry keys.
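The two read-protection pitfalls described above (a read-protected file with no write protection, and whitelisted executables inside a read-protected directory, drive, or volume) as an added consistency check. This is example code, not part of this guide or McAfee's tooling; the path lists are constructed samples, and in practice you would fill them from the output of `sadmin read-protect -l`, `sadmin write-protect -l` and your whitelist, whose output formats the example does not parse.

```python
"""Consistency check for read-protection rules.

Added example, not McAfee's code. Given the paths you read-protect, the
paths you write-protect and the whitelisted executables on the system, it
reports the two situations this section warns about: a read-protected
path with no write protection (readable again after a rename or move) and
a whitelisted executable sitting under a read-protected directory, drive
or volume (it can no longer run). The lists are constructed inputs; in
practice you would fill them from 'sadmin read-protect -l',
'sadmin write-protect -l' and your whitelist, whose output formats this
example does not parse.
"""
import ntpath
import posixpath
from typing import Dict, List


def _norm(path: str, platform: str) -> str:
    """Normalise a path for comparison; Windows paths compare case-insensitively."""
    if platform == "windows":
        return ntpath.normpath(path).casefold()
    return posixpath.normpath(path)


def covers(rule: str, path: str, platform: str) -> bool:
    """True if a protection rule on `rule` applies to `path`: an exact match or
    `path` lies somewhere beneath `rule`. Wildcard rules are not expanded here."""
    if any(c in rule for c in "*?"):
        return False
    sep = "\\" if platform == "windows" else "/"
    r, p = _norm(rule, platform), _norm(path, platform)
    return p == r or p.startswith(r.rstrip(sep) + sep)


def audit_read_protection(read_protected: List[str], write_protected: List[str],
                          whitelisted_executables: List[str],
                          platform: str) -> Dict[str, List[str]]:
    """Report read-protected paths lacking write protection and whitelisted
    executables that a read-protect rule would stop from running."""
    findings: Dict[str, List[str]] = {"read_without_write": [], "executables_blocked": []}
    for rp in read_protected:
        if not any(covers(wp, rp, platform) for wp in write_protected):
            findings["read_without_write"].append(rp)
    for exe in whitelisted_executables:
        if any(covers(rp, exe, platform) for rp in read_protected):
            findings["executables_blocked"].append(exe)
    return findings


# Constructed sample rule set for a Windows endpoint.
SAMPLE_READ = ["C:\\Secrets\\plan.docx", "C:\\Finance"]
SAMPLE_WRITE = ["C:\\Secrets"]
SAMPLE_EXES = ["C:\\Finance\\tools\\report.exe", "C:\\Windows\\notepad.exe"]

if __name__ == "__main__":
    result = audit_read_protection(SAMPLE_READ, SAMPLE_WRITE, SAMPLE_EXES, "windows")
    for finding, paths in result.items():
        print(f"{finding}: {paths}")
```

On the sample, `C:\Finance` is reported under `read_without_write` (it could be renamed and read) and `C:\Finance\tools\report.exe` under `executables_blocked`; the fix for the first is a matching `sadmin write-protect -i` rule, and for the second a narrower read-protect rule or an exclusion for the executable.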

Write-protect components

Using the write protection feature, you can write-protect specific files, directories, drives (Windows), and volumes (Linux) to prevent unauthorized programs or users from modifying them. Write-protecting these components makes them read-only and prevents unauthorized changes. These components cannot be compressed or encrypted.

Tasks

• Apply write protection on page 21
  Write protection makes the components read-only and protects the components from unauthorized changes.

• Exclude components from write protection on page 22
  Exclude specific components from a write-protected directory, drive (Windows), or volume (Linux).

• List write-protected components on page 23
  View the complete list of write-protected files, directories, and drives (Windows) or volumes (Linux).

• Remove write protection on page 23
  When you remove write protection, components are no longer protected from unauthorized changes.

Apply write protection

Write protection makes the components read-only and protects the components from unauthorized changes.

Task

1 Write-protect files, directories, drives (Windows), or volumes (Linux).

sadmin write-protect [ -i ] pathname1 ... pathnameN

Specify the complete paths to the components to be write-protected.

Paths can include wildcard characters to specify file paths and file names. When using wildcards, ensure that the specified string matches a limited set of file paths or file names. If the specified string matches many files, we recommend you revise the string.

• On the Windows platform, paths can include the * and ? wildcard characters. When specifying a file path, C:\Test1\*\*\Test.text and C:\?Test*\Test1\Test.txt are allowed, while *:\Test1\*\*\Test.txt, *\Test1\Test2\Test.txt, and *:\Test1\Test2\Test.txt are not.

• On the Linux platform, paths can include the * wildcard character. Using /abc/*/def is allowed, while /abc/*.sh, /abc/*.*, or /abc/doc.* is not supported.

For example:

• sadmin write-protect -i Listener.ora (Windows)

• # sadmin write-protect -i /etc/security/limits.conf (Linux)


Write-protect network file system components by specifying the network path with the sadmin write-protect command in any of the ways below, to prevent any modifications to the network share from the client system.

Write-protect a hard link to a write-protected file to prevent any modification to the hard link.

This table describes how you can specify the network path with the command.

Syntax: sadmin write-protect -i \\server-name\share-name
  Specify the server name that has a network share, and the name of the network share. For example:
  sadmin write-protect -i \\ftpserver\documents

Syntax: sadmin write-protect -i \\server-ip\share-name
  Specify the IP address of the server and the name of the network share. For example:
  sadmin write-protect -i \\192.168.0.1\documents

Syntax: sadmin write-protect -i mapped-drive-letter:\
  Specify the drive letter that is mapped to the server on the client system. For example:
  sadmin write-protect -i W:\

Syntax: sadmin write-protect -i /mount-point (Linux)
  Specify the mount point name on the Linux platform. For example:
  sadmin write-protect -i /nfs

2 Write-protect registry keys.

sadmin write-protect-reg [ -i ] registrykeyname1 ... registrykeynameN

Paths used in registry key-based rules can include the wildcard character (*), but it can represent only one path component in the registry path. Do not use the character for the component at the end of the complete registry path (if used at the end, the path filter will not be in effect). For example, the registry path HKEY_LOCAL_MACHINE\*\Microsoft is allowed, while HKEY_LOCAL_MACHINE\* or HKEY_LOCAL_MACHINE\*\* is not allowed.

Modifications to write-protected registry keys are not allowed.

Write-protect only the HKEY_LOCAL_MACHINE\SOFTWARE registry key cluster to protect the Windows components. Do not write-protect other registry key clusters.

Specify registry key names as parameters with the write-protect-reg (wpr) command to apply write protection to registry keys. For example:

sadmin write-protect-reg -i HKEY_LOCAL_MACHINE\SOFTWARE
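The wildcard rules stated for file paths (step 1) and for registry keys (step 2), as an added pre-flight validator that refuses to build a `sadmin write-protect` or `sadmin write-protect-reg` command from a path that breaks them. The same file-path rules are repeated later for `sadmin read-protect`, so the same checks apply there. This is example code, not part of this guide or McAfee's tooling: the checks encode only the constraints and examples printed on this page, the registry hive names are the standard Windows hives, and the HKEY_LOCAL_MACHINE\SOFTWARE scope warning follows the guide's recommendation; how `sadmin` itself reacts to an invalid pattern is not something this code knows.

```python
"""Pre-flight validation of write-protect / read-protect rule paths.

Added example, not McAfee's code. It encodes the wildcard constraints this
chapter states for Windows file paths, Linux file paths and registry keys,
and refuses to build a 'sadmin write-protect' / 'write-protect-reg' command
from a path that breaks them. The hive list is the standard Windows set and
the HKLM\\SOFTWARE scope warning follows the guide's recommendation.
"""
import re
from typing import Callable, Dict, List

_WIN_DRIVE_RE = re.compile(r"^[A-Za-z]:\\")
_REG_HIVES = {"HKEY_LOCAL_MACHINE", "HKEY_CURRENT_USER", "HKEY_CLASSES_ROOT",
              "HKEY_USERS", "HKEY_CURRENT_CONFIG"}


def check_windows_path(path: str) -> List[str]:
    """Windows: '*' and '?' are allowed, but a wildcard path must start with a
    literal drive letter; the '*:\\...' and '*\\...' forms are rejected."""
    problems = []
    if any(c in path for c in "*?") and not _WIN_DRIVE_RE.match(path):
        problems.append("wildcard path must begin with a literal drive letter, e.g. C:\\")
    return problems


def check_linux_path(path: str) -> List[str]:
    """Linux: only '*' is allowed, and only as a whole path component
    (/abc/*/def is fine; /abc/*.sh, /abc/*.* and /abc/doc.* are not)."""
    problems = []
    if not path.startswith("/"):
        problems.append("path must be absolute")
    if "?" in path:
        problems.append("'?' is not a supported wildcard on Linux")
    for comp in path.split("/"):
        if "*" in comp and comp != "*":
            problems.append(f"'*' must stand for a whole component, not part of one: {comp!r}")
    return problems


def check_registry_path(key: str) -> List[str]:
    """Registry: at most one '*', standing for one whole key name, never last."""
    problems = []
    comps = key.split("\\")
    if comps[0] not in _REG_HIVES:
        problems.append(f"unknown registry hive {comps[0]!r}")
    wild = [c for c in comps if "*" in c]
    if any(c != "*" for c in wild):
        problems.append("'*' must stand for a whole key name")
    if len(wild) > 1:
        problems.append("only one '*' component is allowed")
    if comps[-1] == "*":
        problems.append("'*' as the last component has no effect")
    return problems


def outside_recommended_registry_scope(key: str) -> bool:
    """True unless the key is within HKEY_LOCAL_MACHINE\\SOFTWARE, the only
    cluster the guide recommends write-protecting."""
    k = key.casefold()
    root = "hkey_local_machine\\software"
    return not (k == root or k.startswith(root + "\\"))


_CHECKS: Dict[str, Callable[[str], List[str]]] = {
    "windows": check_windows_path,
    "linux": check_linux_path,
    "registry": check_registry_path,
}


def write_protect_command(kind: str, paths: List[str]) -> List[str]:
    """Validate every path and return the sadmin argv, or raise ValueError.
    kind is 'windows' or 'linux' (file rules) or 'registry' (write-protect-reg)."""
    results = {p: _CHECKS[kind](p) for p in paths}
    bad = {p: v for p, v in results.items() if v}
    if bad:
        raise ValueError(f"rejected rules: {bad}")
    verb = "write-protect-reg" if kind == "registry" else "write-protect"
    return ["sadmin", verb, "-i", *paths]


if __name__ == "__main__":
    for p in ["C:\\Test1\\*\\*\\Test.text", "*:\\Test1\\*\\*\\Test.txt"]:
        print(p, check_windows_path(p) or "ok")
    for p in ["/abc/*/def", "/abc/*.sh"]:
        print(p, check_linux_path(p) or "ok")
    for k in ["HKEY_LOCAL_MACHINE\\*\\Microsoft", "HKEY_LOCAL_MACHINE\\*\\*"]:
        print(k, check_registry_path(k) or "ok")
    print(write_protect_command("linux", ["/etc/security/limits.conf"]))
```

Each check returns a list of problems (empty means the path is acceptable), so the caller can report every issue in a batch of rules at once rather than stopping at the first; `outside_recommended_registry_scope()` is a warning rather than a rejection, because the command is valid even where the guide advises against it.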

Exclude components from write protection

Exclude specific components from a write-protected directory, drive (Windows), or volume (Linux).

Task

1 Exclude specific components from a write-protected directory, drive, or volume.

sadmin write-protect -e pathname1 ... pathnameN


When you specify a file path to be excluded from a write-protected directory, drive, or volume, write protection is removed from only that specific file.

Specify the complete path to the files, directories, drives, or volumes to be excluded from write protection. For example:

• sadmin write-protect -e Listener.ora (Windows)

• # sadmin write-protect -e /etc/security/limits.conf (Linux)

2 Exclude registry keys from write protection.

sadmin write-protect-reg -e registrykeyname1 ... registrykeynameN

Specify the registry key names as parameters with this command and the exclude argument to exclude registry keys from being write-protected. For example:

sadmin write-protect-reg -e HKEY_LOCAL_MACHINE\SOFTWARE

List write-protected components

View the complete list of write-protected files, directories, and drives (Windows) or volumes (Linux).

Task

1 List all write-protected components.

sadmin write-protect -l

2 List all write-protected registry keys.

sadmin write-protect-reg -l

Remove write protection

When you remove write protection, components are no longer protected from unauthorized changes.

• You can remove write protection from specific files, directories, drives (Windows), or volumes (Linux). Also, you can remove write protection applied to specific registry keys.

• You can remove write protection from all files, directories, drives, and volumes, as well as from all registry keys.

Task

1 Remove write protection applied to specific components.

sadmin write-protect [ -r ] pathname1 ... pathnameN

When you specify the file path, write protection applied to all files in the specified path is removed.

Specify the complete path to the file, directory, or drive to be removed from write protection.

For example:

• sadmin write-protect -r Listener.ora (Windows)

• # sadmin write-protect -r /etc/security/limits.conf (Linux)

2 Remove write protection from specific registry keys.

sadmin write-protect-reg [ -r ] registrykeyname1 ... registrykeynameN

For example:

sadmin write-protect-reg -r HKEY_LOCAL_MACHINE\SOFTWARE


3 Flush write protection from all files, directories, drives, or volumes.

sadmin write-protect -f

4 Flush write protection from all registry keys.

sadmin write-protect-reg -f

Read-protect components

Using the read protection feature, you can read-protect specific files, directories, drives (Windows), and volumes (Linux) to prevent unauthorized programs or users from reading the data. These components cannot be compressed or encrypted.

Tasks

• Apply read protection on page 24
  The read-protection feature prevents unauthorized programs or users from reading data from the components.

• Exclude specific components from read protection on page 25
  Exclude specific components from a read-protected directory, drive (Windows), or volume (Linux).

• List read-protected components on page 25
  View the complete list of components that are read-protected.

• Remove read protection on page 25
  Removing read protection allows users or unauthorized programs to read data from the components, putting the critical data at risk.

Apply read protection

The read-protection feature prevents unauthorized programs or users from reading data from the components.

Task

• Read-protect files, directories, drives (Windows), or volumes (Linux).

sadmin read-protect [ -i ] pathname1 ... pathnameN

Specify the complete path to each component to be read-protected.

Paths can include wildcard characters to specify file paths and file names. When using wildcards, ensure that the specified string matches a limited set of file paths or file names. If the specified string matches many files, we recommend you revise the string.

• On the Windows platform, paths can include the * and ? wildcard characters. When specifying a file path, C:\Test1\*\*\Test.text and C:\?Test*\Test1\Test.txt are allowed, while *:\Test1\*\*\Test.txt, *\Test1\Test2\Test.txt, and *:\Test1\Test2\Test.txt are not.

• On the Linux platform, paths can include the * wildcard character. Using /abc/*/def is allowed, while /abc/*.sh, /abc/*.*, or /abc/doc.* is not supported.

For example:

• sadmin read-protect -i password.docx (Windows)

• # sadmin read-protect -i /etc/password (Linux)

You can apply read protection over mounted network file system components by specifying the network paths with the sadmin read-protect command.


Exclude specific components from read protection

Exclude specific components from a read-protected directory, drive (Windows), or volume (Linux).

Task

• Exclude specific components.

sadmin read-protect -e pathname1 ... pathnameN

Specify the complete path to the files, directories, drives, or volumes to be excluded from read protection.

For example:

• sadmin read-protect -e password.docx (Windows)

• # sadmin read-protect -e /etc/password (Linux)

List read-protected components

View the complete list of components that are read-protected.

Task

• List all read-protected components.

sadmin read-protect -l

Remove read protection

Removing read protection allows users or unauthorized programs to read data from the components, putting the critical data at risk.

Remove read protection using one of these two methods.

• Remove read protection.
  Remove read protection from specific files, directories, drives (Windows), or volumes (Linux).

• Flush read protection.
  Flush read protection from all files, directories, drives (Windows), and volumes (Linux).

Task

1 Remove read protection applied to specific components.

sadmin read-protect [ -r ] pathname1 ... pathnameN

Specify the complete path to the files, directories, drives, or volumes to be removed from read protection.

For example:

• sadmin read-protect -r confidential.docx (Windows)

• # sadmin read-protect -r /etc/password (Linux)

2 Flush read protection applied to all components.

sadmin read-protect -f


4 Overriding applied protection

On a protected system, overriding applied protection allows components to execute using checksum values, certificates, or from a trusted directory. If a component is configured as an updater, it can also update the software on a protected system.

Contents
  How do I override protection?
  Using updaters
  Using certificates
  Using SHA-1 or SHA-256 values
  Using binary names
  Using trusted directories
  Using trusted users (Windows only)
  Allowing ActiveX controls to run
  Configuring interpreters to control execution of additional scripts
  Defining attribute-based rules for file execution (Windows only)

How do I override protection?

Authorize execution of a program or file on a protected system to override protection.

You can authorize execution of a program or file on a protected system by using one of these methods.

• Updater process or trusted user

• Checksum (SHA-1 or SHA-256)

• Certificate

• Authorizing files (by name)

• Trusted directory

• Adding to the whitelist

• Defining attribute-based rules for file execution

The whitelist is the most common method to determine the trusted or known files.

Typically, most applications and executable files remain unchanged over prolonged periods of time. But, if needed, you can allow certain applications and executable files to create, modify, or delete files in the whitelist. To design a trust model and allow more users or programs to modify a protected system, you can use one of the methods listed in this table.


Method: Updaters
Supported operating system: Windows and Linux
Description: Updaters are authorized components that are permitted to update the system. If a component is configured as an updater, it is allowed to install new software and update existing software components on a protected system. For more information, see Using updaters.

Method: Trusted users
Supported operating system: Windows
Description: If you provide the updater permissions to a Windows user, the user is defined as a trusted user and has the permissions to dynamically add to the whitelist. You can add a user as a trusted user to allow the user to install or update any software. While adding the user details, you must also provide the domain details.
Of all methods available to allow changes to protected endpoints, this method is the least preferred because it offers minimal security.
Define trusted users carefully because after a trusted user is added, there are no restrictions on what the user can modify or run on an endpoint.
For more information, see Using trusted users.

Method: Checksum values
Supported operating system: Windows
Description: Override protection applied to a system by authorizing certain files based on their checksum value. Authorizing files by their checksum (SHA-1 or SHA-256) value allows them to execute on the protected system. You can also provide updater permissions to an authorized file. For more information, see Using checksum values.

Method: Certificates
Supported operating system: Windows
Description: Application Control allows trusted certificates associated with software packages to run on a protected system. After you add a certificate to the list of trusted certificates, you can run all software signed by the certificate on a protected system. For more information, see Using certificates.

Method: Binary names
Supported operating system: Windows and Linux
Description: Authorize execution of binaries (programs and files) by specifying their names. But, when you authorize execution of a binary by name, all binaries that have the same name and are present on the system or network shares are authorized to execute on a protected system.
Use caution when you authorize execution of a binary by name.
For more information, see Using binary names.

Method: Trusted directories
Supported operating system: Windows and Linux
Description: On a protected system, you can add directories (local or network directories) as trusted directories to run any software present in these directories. Trusted directories are identified by their Universal Naming Convention (UNC) path. For more information, see Using trusted directories.


Method: Update mode
Supported operating system: Windows and Linux
Description: Update mode is an authorized mode to perform software updates on a protected system. When Application Control is in Update mode, changes are allowed on a protected system. Place the system in Update mode to perform software updates. Use this method when none of the other methods, such as using trusted users, trusted directories, certificates, or checksum values, meet your requirements and the software is not present in the updaters list. For example, you can use Update mode to complete maintenance tasks, such as installing patches or upgrading software. For more information, see Understanding Application Control modes.

Method: Defining attribute-based rules for file execution
Supported operating system: Windows
Description: When a file's execution is undetermined after the Application Control checks, attribute-based or execution control rules, if any are defined, come into play. You can define specific rules using one or more attributes of a process to allow, block, or monitor the process. For more information, see Defining attribute-based rules for file execution.

Using updaters

On a protected system, most software applications and executable files are not updated regularly. However, you can override the protection and tamper proofing that is in effect by specifying certain legitimate files or programs as updaters.

When certain components are frequently required to install new software or update existing software components, specifying those components as updaters is recommended over using Update mode. Adding such components as updaters is recommended because you can select the components and provide updater permissions to the intended components only, whereas using Update mode authorizes components to perform update actions, such as addition, modification, or removal of software. In Update mode, the read and write protection that is in effect is also overridden.

What are updaters?

Updaters are authorized components that are permitted to update the system.

By default, if you provide the updater permissions to a component, the child components automatically inherit the updater permissions. For example, if you specify the Adobe 8.0 program as an updater, it can periodically patch all needed files.

Updaters work at a global level and are not application- or license-specific. When a program is defined as an updater, it can change any protected file.

To qualify as updaters, components must match one of these requirements:


Requirement: Components must be present in the whitelist.
Description: Only the supported types of components present in the whitelist can be added as updaters. For example, if you specify the whitelisted AcroRd32.exe as an updater, it is allowed to automatically update the Adobe Reader software with new updates.

Requirement: Components must be defined as authorized binaries.
Description: Adding authorized files as updaters is a workaround and should be done only when it is needed to update the software components using the allowed files. Be cautious and carefully assign updater permissions to files. We suggest you remove the updater permissions from the files soon after the update is done. If authorized files are specified as updaters, they can allow other associated files to make changes on the protected systems.
For example, if you set cmd.exe as an updater and invoke any executable from it, the executable can perform any change on the protected systems.
To avoid a security gap, do not configure a file as an allowed binary and an updater concurrently.
For more information about how to specify files as updaters, see Specify files to be added as updaters.

Application Control also includes predefined default updater permissions for commonly used applications that might need to update the systems frequently. These applications are known as default updaters. For example, default updater permissions are defined for Yahoo, Oracle, and McAfee products.

When do I add updaters?

Certain programs frequently update software components on the system automatically. Add such programs as updaters to allow them to update the software components.

Add scripts, installers, binaries, and users as updaters when they are frequently required to make changes on the system.


What can I add as updaters?

Add components such as installers, scripts, binaries, users, or certificates as updaters.

Component: Installers (for Windows)
Add installers as updaters to allow them to automatically update the software components on the protected systems.
• Windows installer
  For example, to add a Windows installer (for a hotfix, KB893803) as an updater and perform automatic updates on protected files or registry keys, specify this command:
  sadmin updaters add WindowsInstaller-KB893803-v2-x86.exe
• Microsoft installer (MSI-based installer)
  For example, to add the MSI-based installer Ica32Pkg.msi and perform automatic updates on protected files or registry keys, specify this command:
  sadmin updaters add Ica32Pkg.msi

Component: Scripts
Add scripts as updaters to provide updater permissions to the scripts. Scripts with updater permissions are allowed to perform update operations on the protected systems.
sadmin updaters add <scriptname>
sadmin updaters add myscript12.bat
On the Windows platform, you must use the cmd interpreter with the /C parameter (cmd /C) to run scripts as updaters. For example, cmd /C myscript12.bat. Using the /C parameter ensures that the specified command is executed and then stopped.
Adding scripts as updaters is available on all Windows platforms except Windows Server 2003 (IA64).

Component: Binaries
Add binaries as updaters to provide updater permissions to the binaries. Binaries with updater permissions are allowed to update the protected binaries and software components. Binaries also include executable (.exe) files on the Windows platform.
sadmin updaters add <filename>
sadmin updaters add update.exe


Component: Users (for Windows)
Add users as updaters to allow the users to perform update operations on the protected system.
sadmin updaters add -u <username>
sadmin updaters add -u john_smith
For domain users:
sadmin updaters add -u [email protected]
sadmin updaters add -u mydomain\john_smith

Component: Certificates (for Windows)
Add selected certificates as updaters to assign updater permissions to all components signed by the selected certificates. All components signed by selected certificates are allowed to make changes to the binaries on the system and start new applications. Be cautious and carefully assign updater permissions to the certificates. See Using certificates.
You can add certificates as updaters only on the Windows platform.
For example, if you add the Microsoft certificate that is used to sign the Internet Explorer application as an updater, it allows Internet Explorer to download and execute any application.
Application Control supports only X.509 certificates (base 64 encoded).
sadmin cert add -u <certfilename>
sadmin cert add -u firefox.cer

Processes that are currently running can be added as updaters.

While creating the whitelist, temporary folders are ignored and are not whitelisted. The exception is when a process with updater permissions creates binaries in the temp folder; those binaries are added to the whitelist. You can add, list, or remove updaters using the sadmin updaters command with the required arguments.

Also, you can modify the default configuration of Application Control to allow more commonly used applications to execute and add them to the default updaters. You can add these types of applications to the default updaters:

• Software provisioning systems that download, install, and run new applications. For example, Microsoft software update and custom scripts.

• Self-updating applications. For example, anti-virus.

After creating the whitelist on a system, Application Control configures the default updaters. Application Control updates the default configuration to allow the default updaters to execute and update the Commercial-Off-The-Shelf (COTS) applications. You can use the Finetune utility to configure default updaters. For more information on the Finetune utility, see Update the default updaters using Finetune.

Add updatersYou can add various components as updaters to allow them to update the software components.

Task• Run this command at the command prompt.


sadmin updaters add <filename>

This table lists the supported arguments, descriptions, and examples.

Argument Description

-d To exclude the child processes of a file to be added as an updater from inheriting the updater permissions.

sadmin updaters add -d <filename>
sadmin updaters add -d winlogon.exe

-n To disable event logging for a file to be added as an updater.

sadmin updaters add -n <filename>
sadmin updaters add -n winlogon.exe

-l To add an execution file as an updater only when the specified library name is loaded for the execution file (for Windows).

sadmin updaters add -l <associated libraryname> <filename>
sadmin updaters add -l system32\wuauserv.dll svchost.exe

-t To perform these operations:

• Include the tags for a file to be added as an updater.

sadmin updaters add -t <associated tag> -l <associated libraryname> <filename>
sadmin updaters add -t Win_up_schedule1 -l system32\wuauserv.dll svchost.exe

• Add a user with a tag name as an updater.

sadmin updaters add -t <tagname> -u <username>
sadmin updaters add -t McAfee001 -u john_smith


-p To add a file as an updater, only when its parent execution file (for Windows) or parent program (for Linux) is running.

sadmin updaters add -p <parentname> <filename>
sadmin updaters add -p svchost.exe iexplore.exe

-u To add a user as an updater (for Windows). All update operations by the specified user name are allowed.

When you specify the -u argument, other arguments, such as -l, -p, -d, and -n, are not applicable.

sadmin updaters add -u <username>

Here are the types of user names that can be added as updaters.

• Simple name. For example, john_smith.

If you specify a simple name, users with this name in all domains are added as updaters.

• Domain name (username@domain name). For example, [email protected].

• Hierarchical domain name (domain name\user name). For example, mydomain\john_smith.

If you right-click a file and select Run as <updater user name>, the file can execute and run as an updater only if the file is added to the whitelist and authorized to run.

Specify files to be added as updaters
Specify files using the file name or checksum value.

This table describes the methods to specify a file to be added as an updater.


Method Description

Specify the file name

If the file name is added as an updater, the updater permissions apply to the file name only, and they remain in effect even if the file path is changed.

You can specify the absolute or relative path of the file. However, if you specify the absolute path of the file as an updater, the updater permissions are applicable only on that specific path. For example, if dir\file.exe is specified, the updater rule applies only if file.exe is in a directory named dir.

On the Windows platform, if you specify full path names containing the drive letter, the drive letter is not considered. For example, if you specify C:\foo\bar.exe, the updater rule is added for \foo\bar.exe only and does not include the drive letter.

Paths can include wildcard characters to specify file paths and file names. When using wildcards, ensure that the specified string matches a limited set of file paths or file names. If the specified string matches a large number of files, we recommend you revise the string.

• On the Windows platform, paths can include the * and ? wildcard characters. When specifying a file path for an updater rule, ?:\Test1\Test2\Test.exe, C:\?Test*QA\Test1\Test.exe, C:\Test1\?\?\Test.exe and C:\*\*\Test.exe are allowed, while *:\Test1\Test2\Test.exe and *:\Test1\*\*\Test.exe are not supported.

• On the Linux platform, paths can include the * wildcard character. Using /abc/*/def is allowed, while /abc/*.sh, /abc/*.*, or /abc/doc.* is not supported.

Specify the file SHA-1 or file SHA-256 (for Windows)

If the file SHA-1 or file SHA-256 is added as an updater, only the file with that SHA-1 or SHA-256 value is added as an updater. This makes sure that regardless of the source of the file, if the SHA-1 or SHA-256 value matches, the file is allowed to be added as an updater. You can add the file SHA-1 or file SHA-256 as an updater only on the Windows platform.

You can specify the checksum value to be added as an updater by using the sadmin auth -a -u -c <checksumvalue> command.

For example, if you have multiple versions of the Adobe Acrobat product on your system but you want to run only a particular version, you can specify the checksum value of the executable file as an updater. Adding the checksum value of the executable file as an updater makes sure that only the required version of the product executes. See Using checksum values.

Specifying a checksum value to be added as an updater is not supported for scripts. Scripts cannot be added as updaters by this method.
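The path and wildcard rules for the "specify the file name" method can be checked before a rule is pushed to a protected system. The following script is an added example, not McAfee code: it applies the drive-letter and wildcard rules the table states, treats the "?" drive form as dropped like a drive letter (an assumption), and adds its own heuristic for over-broad wildcard rules.

```python
"""Sanity-check a file specification before passing it to 'sadmin updaters add'.

Added example, not McAfee code. It encodes the rules the guide states for
the "specify the file name" method: the drive letter is dropped on Windows,
'*' and '?' are wildcards on Windows but '*' may not stand in the drive
position, and on Linux only '*' is allowed and only as a whole path
component. The over-broad check is this example's own heuristic.
"""
import re

# A Windows drive prefix: a letter, or one of the wildcards, followed by ":\"
_DRIVE_PREFIX = re.compile(r"^([A-Za-z?*]):\\")


def normalize_updater_spec(spec: str, platform: str) -> str:
    """Return the spec as the guide says the rule is recorded.

    Raises ValueError for forms the guide lists as not supported.
    """
    if not spec or spec.isspace():
        raise ValueError("empty file specification")
    if platform == "windows":
        return _normalize_windows(spec)
    if platform == "linux":
        return _normalize_linux(spec)
    raise ValueError(f"unknown platform: {platform!r}")


def _normalize_windows(spec: str) -> str:
    match = _DRIVE_PREFIX.match(spec)
    if match:
        if match.group(1) == "*":
            # *:\Test1\Test2\Test.exe is listed as not supported,
            # whereas ?:\Test1\Test2\Test.exe is allowed.
            raise ValueError("'*' is not supported in the drive position")
        # C:\foo\bar.exe is recorded as \foo\bar.exe: the drive letter is
        # not considered. Assumed here to apply to the '?' drive form too.
        spec = spec[len(match.group(1)) + 1:]
    if "/" in spec:
        raise ValueError("use '\\' as the separator on Windows")
    return spec


def _normalize_linux(spec: str) -> str:
    if "?" in spec:
        raise ValueError("only '*' is a wildcard on Linux")
    for component in spec.split("/"):
        # /abc/*/def is allowed; /abc/*.sh, /abc/*.* and /abc/doc.* are not:
        # '*' has to be a whole component, never part of a name.
        if "*" in component and component != "*":
            raise ValueError(f"'*' must be a whole path component: {component!r}")
    return spec


def is_supported(spec: str, platform: str) -> bool:
    """True if normalize_updater_spec accepts the spec."""
    try:
        normalize_updater_spec(spec, platform)
    except ValueError:
        return False
    return True


def is_overly_broad(spec: str) -> bool:
    """Heuristic for the guide's advice to keep wildcard rules narrow: the
    final path component must carry some literal name text, so '*.exe',
    '?' or '*' alone are flagged, while 'Test*.exe' is not."""
    name = re.split(r"[\\/]", spec)[-1]
    stem = name.rsplit(".", 1)[0]
    return stem.strip("*?") == ""


if __name__ == "__main__":
    # Constructed candidates, including the guide's own allowed and
    # unsupported forms.
    candidates = [
        ("windows", r"update.exe"),
        ("windows", r"C:\foo\bar.exe"),
        ("windows", r"?:\Test1\Test2\Test.exe"),
        ("windows", r"*:\Test1\*\*\Test.exe"),
        ("windows", r"C:\Tools\*.exe"),
        ("linux", "/abc/*/def"),
        ("linux", "/abc/*.sh"),
    ]
    for platform, spec in candidates:
        if not is_supported(spec, platform):
            print(f"{platform:7} {spec:32} NOT SUPPORTED")
            continue
        flag = "  (broad: revise)" if is_overly_broad(spec) else ""
        print(f"{platform:7} {spec:32} -> {normalize_updater_spec(spec, platform)}{flag}")
```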

Update the default updaters using Finetune (Windows only)
The Finetune utility enables you to update the default system configuration to execute Commercial Off-The-Shelf (COTS) applications and add them to default updaters. Finetune authenticates with the KnowledgeBase that these applications are authorized by Application Control to execute configuration changes. You can deploy Finetune using the batch file, finetune.bat, which is available where Application Control is installed. You can use this utility to add or remove the whitelisting customization to run a particular application.

To get help about the options that Finetune supports, run this command.

finetune.bat help


Task Description

Add an application to default updaters.

To add an application to default updaters in the configuration file, run this command.

finetune.bat add A-Application

For example:

finetune.bat add A-McAfee

Remove an application from default updaters.

To remove the application from default updaters in the configuration file, run this command.

finetune.bat remove A-Application

For example:

finetune.bat remove A-McAfee

The attribute "A" refers to the application identifier. You can view all identifiers by running the finetune.bat help command.

Add suggested programs as updaters
You can identify a list of possible updaters that can be added on a Windows system. This feature is identified as discover-updaters in the feature list.

When running in Enabled mode, Application Control protection can prevent a legitimate application from executing (if the required rules are not defined). Application Control tracks all such failed attempts made by authorized executables to modify protected files or run other executable files. You can review information for failed attempts to identify updater rules to allow legitimate applications to run successfully. This feature is available only on the Windows platform.

Task
1 To get a list of components that can be added as updaters, run this command.

sadmin diag

The output shows the list of possible updaters that can be configured on the system to perform update operations.

Review the diag list to ensure that no restricted program or programs with generic names, such as setup.exe, are set as authorized updaters.

The output of executing this command displays these configuration parameters.

Symbol Configuration Rules

! The configuration for the program exists. The existing configuration is displayed on the next line.

* The configuration is for a restricted program, which can provide capability to change the system. Hence, such programs must have restricted configuration.

* and ! The configuration of the program exists but some modifications are required in the configuration to execute the program successfully.

2 Perform one of these steps.

• To apply the diagnosed configuration changes, run this command.

sadmin diag fix

This command does not fix the rules marked with * (* is the restricted program).


• To apply the diagnosed configuration changes for restricted programs, run this command.

sadmin diag fix -f

Restricted programs are Windows critical programs. For example, services.exe, winlogon.exe, svchost.exe, and explorer.exe.

List updaters
View the list of all components defined as updaters on the system.

Task
• Run this command to list all updaters.

sadmin updaters list

Remove updaters
Remove updaters added on the system to restrict them from making changes to the software components.

You can remove updaters by using any of these methods.

Flush all components
Flush all components from the updaters list.

Task
• To flush all components from the updaters list, run this command.

sadmin updaters flush


Remove a specific component
Remove a specific component from the updaters list.

Task
• To remove a specific component from the updaters list, run this command.

sadmin updaters remove

This table lists how to remove specific components as updaters.

Component Example

Installers (available only on Windows)

Remove installers from the updaters list.

sadmin updaters remove <installername>
sadmin updaters remove Ica32Pkg.msi

Scripts Remove scripts from the updaters list.

sadmin updaters remove <scriptname>
sadmin updaters remove myscript12.bat

Binaries Remove binaries from the updaters list.

sadmin updaters remove <filename>
sadmin updaters remove update.exe

On Windows, after using this command, restart the processes to remove them from the updaters list. However, on the Linux platform, a process restart is not required.

Users (on Windows) Remove users from the updaters list.

sadmin updaters remove -u <username>
sadmin updaters remove -u john_smith

After using this command, restart the system to remove users from the updaters list.

Using certificates
Manufacturers of ATMs, storage systems, and Point-Of-Sale systems embed Application Control in their systems for protection. These manufacturers are the primary consumers who use the method of adding certificates to perform update operations. However, commercial enterprises can also use this method of performing updates.

Application Control allows trusted certificates that are associated with software packages to run on a protected system. After you add a certificate as a trusted or authorized certificate, you can run all software signed by the certificate on a protected system without entering Update mode. For example, if you add Adobe's code-signing certificate, all software issued by Adobe and signed by Adobe's certificate is allowed to run.

To allow in-house applications to run on protected systems, you can sign the applications with an internal certificate and define the internal certificate as a trusted certificate. After you do so, all applications signed by the certificate are allowed.


You can also provide updater permissions to the certificate. Application files that are either added or changed on a system and signed by a certificate that has the updater permissions are automatically added to the whitelist. For more information about updaters, see Using updaters.

Use this option carefully because selecting this option makes sure that all binary files signed by a trusted certificate acquire updater permissions. For example, if you set the Microsoft certificate that signs the Internet Explorer application as an updater, Internet Explorer can download and execute any application. In effect, any files added or changed by an application signed by the trusted certificate (with updater permissions) are added to the whitelist automatically.

Extract certificates
The ScGetCerts utility is used to extract certificates from a file. This utility can also run on systems where the whitelist is not created.

This utility is shipped with the product and is installed in the Application Control installation directory. The default location of this utility is C:\Program Files\McAfee\Solidcore\Tools\ScGetCerts.

Here is the syntax of the command to extract certificates.

scgetcerts.exe [<FILEPATH: filename|directory>] [OUTPUT PATH] [--cab] <-A> <-O> <-n|-c> [<DOMAIN>] [<USERNAME>] [<PASSWORD>]

To extract a certificate from a file, specify the file path with the file name or the directory path where the file is located. If you specify a directory name, certificates (and installer information) are extracted recursively from all files in the specified directory. Also, specify the output directory path where you want to store the extracted certificates, installer information, or both.

This table describes the supported parameters:

Parameter Description

--cab Specify this parameter to extract certificates from a cab file. When you specify the --cab parameter, you must specify the -O parameter with it.

-A Specify this optional parameter to extract all certificates from a file. By default, only the root certificate is extracted.

-O Specify this optional parameter if only the certificates are required to be extracted and not the additional information. However, this parameter is not optional if the --cab parameter is also specified.

-c Specify this parameter to check if the path of the file is accessible on the network.

-n Specify this optional parameter to provide authentication to the directory path on the network. The -n option is specified only when you specify the directory path.

Mention the domain, user name, and password when the -n or -c parameter is used.

Add certificates
Add certificates as trusted or authorized certificates to run all software signed by those certificates on a protected system.

Application Control supports only X.509 certificates.


Task
• Run this command at the command prompt.

sadmin cert add

Use an existing certificate available to you or extract certificates from one or more signed files. You can extract a certificate from any signed file using ScGetCerts.exe (<Install_dir>\Tools\ScGetCerts\ScGetCerts.exe). See Extract certificates.

Syntax Description

sadmin cert add <certificatename>

Adds a certificate as a trusted certificate.

For example: sadmin cert add mcafee.cer

sadmin cert add -c <certificatecontent>

Use the -c argument to specify the certificate content as trusted.

For example: sadmin cert add –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

sadmin cert add -u <certificatename>

Add trusted certificates as updaters using the -u argument.

For example:

sadmin cert add -u mcafee.cer

Use this option carefully because selecting this option makes sure that all files signed by a certificate acquire updater privileges. For example, if you set the Microsoft certificate that signs the Internet Explorer application as an updater, Internet Explorer can download and execute any application from the Internet. In effect, any file added or modified by an application that is signed by the certificate (with updater privileges) is added to the whitelist automatically.


View certificates
View certificates in the Application Control certificate store to verify that the trusted certificates are added to the system.

Task
• Run these commands at the command prompt.

Syntax Description

sadmin cert list Lists the SHA-1 and SHA-256 of certificates that are added as trusted or authorized certificates in the Application Control certificate store.

sadmin cert list -d Lists details of the issuer and subject of the certificates added to the system.

sadmin cert list -u Lists all certificates with updater permissions.


Remove certificates
Remove certificates from the Application Control certificate store to remove their trusted or authorized status. After removal, software signed by those certificates is no longer allowed to run on a protected system on the basis of that certificate trust.

Task
• Run this command at the command prompt.

sadmin cert remove

Syntax Description

sadmin cert remove <SHA-1 or SHA-256>

Removes a certificate that was added as a trusted certificate, using its SHA-1 or SHA-256 value. Specify the SHA-1 or SHA-256 value of the certificate to remove the certificate from the Application Control certificate store.

For example:

sadmin cert remove 7ecf2b6d72d8604cf6217c34a4d9974be6453dff

sadmin cert remove -c <certificatecontent>

Use the -c argument to remove the specified certificate content from the Application Control certificate store.

For example:

sadmin cert remove –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

sadmin cert flush Removes all certificates from the Application Control certificate store.


Using SHA-1 or SHA-256 values
Override the protection applied to a system by authorizing certain files based on their SHA-1 or SHA-256 values.

Authorizing files by their SHA-1 or SHA-256 value allows them to execute on the protected system. If a file is not added to the whitelist but is configured as an authorized file, it is allowed to execute on the system. Authorizing a file based on the SHA-1 or SHA-256 value ensures that regardless of the source of a file, if the SHA-1 or SHA-256 value matches, the file is allowed to run.

You can also provide updater permissions to an authorized file. Configuring an authorized binary as an updater provides the updater permissions in addition to execution. An authorized file that is configured as an updater is allowed to run and update software on a protected system. Installers can also be authorized by SHA-1 or SHA-256 value and configured as updaters to allow them to install new software and update the software components. For example, if you authorize the installer for the Microsoft Office 2010 suite by SHA-1 or SHA-256 and also configure the installer as an updater, then, if the SHA-1 or SHA-256 value matches, the installer is allowed to install the Microsoft Office suite on the protected systems.
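Because a checksum rule authorizes whatever matches the value, the value should be computed from the vetted copy of the binary and checked for well-formedness before it reaches sadmin. The following script is an added example, not McAfee code: it computes both checksum forms the guide accepts and builds the -a, -b, -t and -u combinations shown in this section; the flag order used when a tag and -u appear together, and the tag alphabet it accepts, are this example's assumptions.

```python
"""Derive 'sadmin auth' rules from a binary's SHA-1 or SHA-256 value.

Added example, not McAfee code. It computes both checksum forms the guide
accepts, rejects anything that is not a 40- or 64-character hex string
before a rule is emitted, and builds the -a (authorize), -b (ban), -t (tag)
and -u (updater) combinations shown in the guide. The flag order with a tag
and -u together, and the tag alphabet, are this example's assumptions.
"""
import hashlib
import re
from typing import Optional

_SHA1_HEX = re.compile(r"^[0-9a-fA-F]{40}$")
_SHA256_HEX = re.compile(r"^[0-9a-fA-F]{64}$")
_TAG = re.compile(r"^[A-Za-z0-9_]+$")  # assumed safe tag alphabet


def file_checksums(data: bytes) -> dict:
    """SHA-1 and SHA-256 of the file contents, lower-case hex."""
    return {
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def checksum_kind(value: str) -> str:
    """'sha1' or 'sha256' for a well-formed value; ValueError otherwise."""
    if _SHA1_HEX.match(value):
        return "sha1"
    if _SHA256_HEX.match(value):
        return "sha256"
    raise ValueError(f"not a SHA-1 or SHA-256 hex value: {value!r}")


def is_valid_checksum(value: str) -> bool:
    try:
        checksum_kind(value)
    except ValueError:
        return False
    return True


def auth_rule(checksum: str, *, ban: bool = False, updater: bool = False,
              tag: Optional[str] = None) -> str:
    """Build one 'sadmin auth' command line for a checksum."""
    checksum_kind(checksum)  # validate before anything is emitted
    if ban and updater:
        raise ValueError("a banned binary cannot also be an updater")
    if tag is not None and not _TAG.match(tag):
        raise ValueError(f"tag contains characters outside [A-Za-z0-9_]: {tag!r}")
    parts = ["sadmin", "auth", "-b" if ban else "-a"]
    if tag is not None:
        parts += ["-t", tag]
    if updater:
        parts.append("-u")
    parts += ["-c", checksum.lower()]
    return " ".join(parts)


if __name__ == "__main__":
    # Constructed stand-in for the bytes of a vetted installer.
    sample = b"MZ\x90\x00 constructed sample installer bytes"
    sums = file_checksums(sample)
    # Authorize the installer by SHA-256 and let it act as an updater.
    print(auth_rule(sums["sha256"], updater=True, tag="Office2010"))
    # Plain authorization by SHA-1 of the same bytes.
    print(auth_rule(sums["sha1"]))
    # A file name is not a checksum and is rejected before a rule is built.
    print("setup.exe accepted as checksum:", is_valid_checksum("setup.exe"))
```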

Authorize binaries
Authorize binaries to allow them to execute on a protected system.

Task
• Run this command to authorize binaries.

sadmin auth -a [-t tagname] -c <checksumvalue>

Syntax Description

sadmin auth -a -c <checksumvalue>

To specify the SHA-1 or SHA-256 value of the binary to be authorized.

For example:

sadmin auth -a -c 803291bcc5aa45a0221b4016f62d63a26d3ee4af

sadmin auth -a [-t tagname] -c <checksumvalue>

To include the tag name and the checksum value of the binary to be authorized.

For example:

sadmin auth -a -t Win_up_schedule1 -c 803291bcc5aa45a0221b4016f62d63a26d3ee4af

sadmin auth -a -u -c <checksumvalue>

To authorize a binary and also provide updater permissions. Specify the checksum value of the binary to be authorized and added as an updater.

For example:

sadmin auth -a -u -c 803291bcc5aa45a0221b4016f62d63a26d3ee4af


Ban binaries
Restrict binaries from executing on a protected system.

Task
• Run this command to ban binaries.

sadmin auth -b -c <checksumvalue>

Syntax Description

sadmin auth -b -c <checksumvalue>

To specify the SHA-1 or SHA-256 value of the file to be banned.

For example:

sadmin auth -b -c 803291bcc5aa45a0221b4016f62d63a26d3ee4af

sadmin auth -b -t <tagname> -c <checksumvalue>

To include the tag name and SHA-1 or SHA-256 value of the file to be banned.

For example:

sadmin auth -b -t AUTO_1 -c 583291bcc5aa45a0221b4016f62d63a26d3ee9at

View authorized and banned binaries
List all authorized and banned binaries on a protected system.

Task
• Run this command at the command prompt.

sadmin auth -l

This command lists all authorized and banned binaries on a protected system. Also, it lists the binaries that are added as updaters.

Remove authorized or banned binaries
Remove authorized or banned binaries on a system to restrict the authorized binaries from executing and to remove the ban rules from the binaries that are banned.

Task
• Remove the authorized or banned binaries using these methods.

Syntax Description

sadmin auth -r <checksumvalue>

To specify the SHA-1 or SHA-256 value of the file to be removed.

For example:

sadmin auth -r 803291bcc5aa45a0221b4016f62d63a26d3ee4af

sadmin auth -f To flush all authorized or banned binaries. This command removes all files that are authorized or banned on a system.


Using binary names
You can override the applied protection by specifying the name of binaries (programs or files) to authorize their execution.

When you specify a binary name to authorize its execution on a protected system, all binaries that have the same name and are present on the system or network directories are authorized to execute. Similarly, if you ban a binary by specifying its name, all binaries that have the same name are not allowed to execute.

Authorize execution of binaries by name
Allow execution of binaries on a protected system by specifying their names.

Task
• Run this command at the command prompt.

sadmin attr add -a <filename>

For example, sadmin attr add -a setup.exe

Also, you can specify the absolute path of the file to make sure that only the required file is allowed to execute.

For example, sadmin attr add -a "C:\Program Files\Google\Picasa3\setup.exe"

However, on the Windows platform, the drive letter is truncated. Therefore, if the file path \Program Files\Google\Picasa3\setup.exe is located in any other drive instead of C, the file is still authorized to execute.

Ban execution of binaries by name
Restrict execution of binaries on a protected system by specifying their names.

Task
• Run this command at the command prompt.

sadmin attr add -u <filename>

For example, sadmin attr add -u setup.exe

Also, you can specify the absolute path of the file to make sure that only the required file is not allowed to execute.

For example, sadmin attr add -u "C:\Program Files\Google\Picasa3\setup.exe"

However, on the Windows platform, the drive letter is truncated. So, even if the file path \Program Files\Google\Picasa3\setup.exe is located in any other drive instead of C, the file is not authorized to execute.

Block interactive mode for a file
Defining attribute-based rules for a file does not prevent the user from executing malicious commands in interactive mode. To restrict files from running as interactive mode processes, define a rule using the -m option.

For example, the administrator might need to execute powershell.exe to perform administrative tasks. Or, an installed software might need to run powershell.exe. To enable this, instead of blocking powershell.exe completely, you can block only the interactive mode for powershell.exe.

We recommend you define this rule for powershell.exe when no endpoint has the business requirement to use it.


Task
• Run this command at the command prompt.

sadmin attr add -m <filename>

For example, sadmin attr add -m Powershell.exe. In this case, Powershell.exe is blocked from execution when started in interactive mode.

The applied rule is ineffective in these scenarios:

• When the system is in Update mode.

• When the system is in Observe mode.

• When using reboot-free activation.

• If a file has assigned updater privileges.

• If a file is already open, and then a block rule is applied.

View authorized and banned binaries
List all authorized and banned files (by name or interactive mode) on a protected system.

Task
• Run these commands at the command prompt.

Command Description

sadmin attr list -a Lists all files that are authorized by name.

sadmin attr list -m Lists all the files that are blocked in interactive mode.

sadmin attr list -u Lists all files that are banned by name.

Remove authorized and banned rules
Remove the authorized-by-name rules on files to restrict the authorized files from executing. Also, you can remove the ban-by-name and block-in-interactive-mode rules to allow execution of banned files.

Task
• Run these commands at the command prompt.

Command Description

sadmin attr remove -a <filename>

Removes the added rule to authorize the specified binary by name. Specify the same file name or path that was used to add the rule.

sadmin attr remove -m <filename>

Removes the added rule to block the interactive mode for a file.

sadmin attr remove -u <filename>

Removes the added rule to ban the specified binary by name. Specify the same file name or path that was used to add the rule.

sadmin attr flush -a Removes the authorized by name rules for all files.

sadmin attr flush -m Removes the block in interactive mode rules for all files.

sadmin attr flush -u Removes the banned by name rules for all files.


Using trusted directories
You can override the protection applied to a system using trusted directories. After you add directories as trusted directories, systems can run any software present in these directories.

On the Windows platform, Application Control tracks files and blocks the execution of binaries and scripts on the network directories. Application Control also supports tracking files on Server Message Block (SMB) mount points. This feature is identified as network-tracking in the features list. By default, this feature is enabled and prevents the execution of binaries and scripts on network directories.

When this feature is disabled, execution of scripts on network directories is allowed. However, execution of binaries on network directories is not allowed. Also, write-protecting or read-protecting components on a network directory is not in effect.

What are trusted directories?
On a protected system, you can add directories (local or network share) as trusted directories to run any software present in these directories. Trusted directories are identified by their Universal Naming Convention (UNC) path.

When do I add trusted directories?
If you maintain shared folders containing installers for licensed applications on the internal network in your organization, add trusted directories for such network shares.

When enabled, Application Control tracks files over network shares and blocks their execution until the network share is added as a trusted share. Application Control also prevents protected systems from executing any file residing on a network share.

Also, if needed, you can allow the software located at the UNC path to install software on the protected systems. For example, when logging on to a Domain Controller from a protected system, you need to define \\domain-name\SYSVOL as a trusted directory (to allow execution of scripts and binaries).

Add trusted directories
Add directories as trusted directories to run any software present in these directories on a protected system. Specify the absolute or relative path (on Linux only) to one or more directories. You can also specify paths to the directories located on network shares.

This table describes adding trusted directories.


Syntax    Description

sadmin trusted –i <pathname1...pathnameN>
    Specify one or more paths to the directories to be added as trusted directories. You can also specify paths of the directories located on network shares.
    For example:
    • sadmin trusted –i C:\Documents and Settings\admin\Desktop\McAfee (for Windows)
    • sadmin trusted –i \\192.168.0.1\documents
    • sadmin trusted –i /etc/security (for Linux)
    For more information about specifying directory paths, see Follow the guidelines to specify directory path.

sadmin trusted –u <pathname1...pathnameN>
    Specify one or more paths to the directories to be added as trusted directories. This command adds all binaries and scripts present in the directories as updaters. You can also specify paths to the directories located on network shares.
    For example:
    • sadmin trusted –u C:\Documents and Settings\admin\Desktop\McAfee (for Windows)
    • sadmin trusted –u \\192.168.0.1\documents
    You can also add a trusted volume by specifying a volume name with this command to include all binaries and scripts present in the specified volume as updaters. Use the sadmin trusted –i -u <volumename> command to specify the volume name.

Follow the guidelines to specify directory path

Network file system is supported on the Windows and Linux platforms. You can specify directory paths on a mounted network file system using these methods.

On the Windows platform:

Syntax    Description

sadmin trusted –i \\server-name\share-name
    Specify the server name that has a network share. Also, specify the name of the network share.

sadmin trusted –i \\server-name
    Specify the server name.

sadmin trusted –i \\*
    Specify all network shares by all servers.

On the Linux platform, the network file system is mounted and then the local mount point is specified in the trusted list. For example, a whitelisted server "A" can run a remote file /mnt/ps located on server "B" only if it has been added as a trusted share on server "A". To execute any file on the network share, establish the network share as a trusted share using the following command:

# sadmin trusted -i /mnt

Paths can include the wildcard characters to specify file paths and file names. When using wildcards, ensure that the specified string matches a limited set of file paths or file names. If the specified string matches a large number of files, we recommend you revise the string.


• On the Windows platform, paths can include the * and ? wildcard characters. When specifying a trusted directory, \\10.10.10.10\*****\User2, \\10.10.10.10\????\User2, \\10.10.10.10\*AD*\* and \\10.10.10.10\?AD?***\User1 are allowed while \\*\AD\User1, \\*.10.10.10\AD*\User1, and \\10.**10.10\AD*\User1 are not supported.

• On the Linux platform, paths can include the * wildcard character. Using /abc/*/def is allowed while /abc/*.sh, /abc/*.*, or /abc/doc.* is not supported.
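The wildcard rules above can be checked before a pattern is handed to sadmin trusted -i. The following Python check is an added example, not part of the product guide or of McAfee's code; it encodes the rules for both platforms, treats the lone \\* pattern from the Windows table as the documented exception, and passes local drive paths through because the guide gives wildcard rules only for UNC paths.

```python
"""Validate trusted-directory patterns against the wildcard rules above.

Added example, not part of McAfee Application Control. It checks only the
shape of a pattern before it is passed to `sadmin trusted -i`; it never
calls sadmin itself.
"""
import re
from typing import Dict, List

WILDCARDS = ("*", "?")
_DRIVE_PATH = re.compile(r"^[A-Za-z]:\\")


def windows_pattern_allowed(path: str) -> bool:
    r"""Windows rule: * and ? may appear in share and directory components but
    never in the server component. The lone pattern \\* (all shares on all
    servers) is the documented exception. The guide gives wildcard rules only
    for UNC paths, so local drive paths are passed through unchecked."""
    if path == r"\\*" or _DRIVE_PATH.match(path):
        return True
    if not path.startswith("\\\\"):
        return False
    components = path[2:].split("\\")
    # An empty component means a doubled or trailing backslash: malformed.
    if any(c == "" for c in components):
        return False
    server = components[0]
    return not any(w in server for w in WILDCARDS)


def linux_pattern_allowed(path: str) -> bool:
    """Linux rule: only * is a wildcard and it must be a whole path component
    (/abc/*/def is fine; /abc/*.sh, /abc/*.* and /abc/doc.* are not).
    ? is not a wildcard on Linux, so a pattern containing it is rejected."""
    if not path.startswith("/"):
        return False
    components = [c for c in path.split("/") if c != ""]
    if not components:
        return False
    for c in components:
        if "?" in c or ("*" in c and c != "*"):
            return False
    return True


def validate_trusted_paths(paths: List[str], platform: str) -> Dict[str, str]:
    """Return {path: reason} for every pattern the documented rules reject.

    platform is "windows" or "linux". An empty result means every pattern
    is well-formed; it says nothing about how many files a pattern matches,
    which the guide asks you to keep small.
    """
    checks = {"windows": (windows_pattern_allowed,
                          "wildcard in server name or malformed UNC path"),
              "linux": (linux_pattern_allowed,
                        "wildcard must be a complete path component")}
    allowed, reason = checks[platform]
    return {p: reason for p in paths if not allowed(p)}


if __name__ == "__main__":
    # Constructed candidates: the patterns this section lists as allowed or unsupported.
    windows_candidates = [r"\\10.10.10.10\*****\User2", r"\\10.10.10.10\????\User2",
                          r"\\10.10.10.10\*AD*\*", r"\\*\AD\User1",
                          r"\\*.10.10.10\AD*\User1", r"\\10.**10.10\AD*\User1"]
    for bad, why in validate_trusted_paths(windows_candidates, "windows").items():
        print(f"rejected {bad}: {why}")
    print(validate_trusted_paths(["/abc/*/def", "/abc/*.sh", "/mnt"], "linux"))
```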

List trusted directories

View the list of directories that are added as trusted directories on the system.

Task

• Run this command at the command prompt.

sadmin trusted -l

This command lists all trusted directories added on the system.

Exclude specific directories from the list of trusted directories

Exclude specific directories from the list of directories that you added as trusted directories on the system.

Task

• Run this command at the command prompt.

sadmin trusted –e <pathname1...pathnameN>

Use this command to specify one or more paths to the directories to be excluded from the list of trusted directories.

For example:

• sadmin trusted –e C:\Documents and Settings\admin\Desktop\McAfee (for Windows)

• sadmin trusted –e \\192.168.0.1\documents

• sadmin trusted –e /etc/security (for Linux)

Remove trusted directories

Remove trusted directories so that software present in those directories is no longer allowed to run.

Task

• Remove the trusted directories using these methods.

Syntax    Description

sadmin trusted –r <pathname1...pathnameN>
    Specify one or more paths to the directories to be removed as trusted directories.
    For example:
    • sadmin trusted –r C:\Documents and Settings\admin\Desktop\McAfee (for Windows)
    • sadmin trusted –r \\192.168.0.1\documents
    • sadmin trusted –r /etc/security (for Linux)

sadmin trusted –f
    Flush all rules for trusted directories. If you specify this argument, all rules for the trusted directories are removed from the system.


Using trusted users (Windows only)

You can add users as updaters to allow users to perform update operations on a protected system. If you provide updater permissions to a user, the user is defined as a trusted user.

What are trusted users

A trusted user is an authorized Windows user with updater permissions to dynamically add to the whitelist. For example, add the administrator as a trusted user to allow the administrator to install or update any software. While adding the user information, you can also provide the domain details.

When do I add trusted users

Add specific users as trusted users when they are required to perform update operations on the protected system.

Of all strategies that allow changes to protected systems, this is the least preferred one because it offers minimal security. Define trusted users carefully because after a trusted user is added, there are no restrictions on what the user can change or run on the system.

Add trusted users

Add trusted users to allow them to perform update operations on a protected system.

Task

• Run this command at the command prompt.

sadmin updaters add –u <username>

This table lists the supported arguments, descriptions, and examples.


Argument    Description

-u
    Specify the –u argument to add a user as a trusted user (Windows). All update operations by the specified user name are allowed.
    You can add these types of user names as trusted users.
    • Simple name
      For example, john_smith.
      sadmin updaters add –u john_smith
      If you specify a simple name, users with this name in all domains are added as updaters.
    • Domain name (username@domain name)
      For example, john_smith@mycompany.
      sadmin updaters add –u john_smith@mycompany
    • Hierarchical domain name (domain name\user name)
      For example, mydomain\john_smith.
      sadmin updaters add –u mydomain\john_smith
    When you specify the –u argument, other arguments supported for the sadmin updaters add command, such as -l, -p, -d, and –n, are not applicable.
    For more information about updaters, see Using updaters.

-t
    Specify the –t argument to add a user with a tag name as an updater. The tag name is an identification label that is present in the logs for all files processed by this rule.
    sadmin updaters add –t <tagname> –u <username>
    sadmin updaters add –t McAfee001 -u john_smith

List trusted users

List trusted users to view the list of all users who have updater permissions on the system.

Task

• Run this command at the command prompt.

sadmin updaters list

This command lists all trusted users and other components defined as updaters on the system.

Remove trusted users

When you remove a user as a trusted user, the updater permissions assigned to that user are removed.

Task

• Run this command at the command prompt.

sadmin updaters remove -u <username>

For example, sadmin updaters remove -u john_smith

After using this command, restart the system to remove updater permissions from the users.


Allowing ActiveX controls to run

Typically, certain websites and programs require ActiveX controls to be installed on systems. By default, Application Control prevents the installation of ActiveX controls on a protected Windows system and the ACTX_INSTALL_PREVENTED event is generated.

Install and run ActiveX controls on a protected system using the ActiveX feature. This feature is enabled by default and available on all Windows operating systems except Windows Server 2012. Only the Internet Explorer browser is supported for ActiveX control installations. Installation of ActiveX controls is supported only for the Internet Explorer (32-bit) application. Simultaneous installation of ActiveX controls using multiple tabs of Internet Explorer is not supported.

Allow ActiveX controls

On a protected system, you can install and run ActiveX controls required for a website by adding the certificate of the website to the Application Control certificate store.

Task

• Run this command at the command prompt to add the certificates.

sadmin cert add <certificatefilename>

For more information about adding certificates, see Using certificates.

Block execution of ActiveX controls

Uninstall ActiveX controls required for a website by removing the certificate of the website from the Application Control certificate store.

Task

• Block the execution of allowed ActiveX controls in these scenarios.

Scenario    Description

Block the execution of an ActiveX control that was previously allowed (but not installed on the system).
    Run this command to remove the certificate from the Application Control certificate store.
    sadmin cert remove <certificatefilename>
    If the ActiveX control is not installed on the system, removing the website's certificate blocks execution of the ActiveX control.

Block the execution of an ActiveX control when the certificate is added to the Application Control certificate store and ActiveX is already installed on the system.
    1 Run this command to remove the website's certificate from the Application Control certificate store.
      sadmin cert remove <certificatefilename>
    2 Remove the installed ActiveX control from Add or Remove Programs (Windows 2003, 2008, and XP) or Programs and Features (Windows 7 and later).

Disable the ActiveX feature

Disable the ActiveX feature to stop running ActiveX controls.

Task

• Run this command to stop running the ActiveX feature.

sadmin features disable activex

System restart is not required after enabling or disabling this feature.


Configuring interpreters to control execution of additional scripts

Application Control allows you to control the execution of scripts in your setup.

Unlike executables, a script needs an interpreter to read and execute the instructions written in a scripting language. To manage execution of scripts in your setup:

1 Ensure relevant interpreters (files) and scripts are whitelisted (Linux and Windows only).

2 Map appropriate file extensions (of scripts) with specific interpreters (Windows only).

On the Windows platform, by default, if no interpreter is associated with a script file, the script is allowed to execute (because Application Control doesn't treat it as a script file). By default, Application Control supports standard interpreters and script files that are integrated with the Windows operating system, such as batch files (.bat), command interpreter (.cmd), script files (.vbs), PowerShell files (.ps1), and Command files (.com).

On the Windows platform, when you execute an interpreter to run a script file, these checks are performed.

On the Linux platform, Application Control controls execution of scripts with #! when run using the ./<script name> syntax. By default, scripts with #! are not allowed to execute. So, to manage script execution (for scripts with #!) on a protected Linux system, use the following syntax.

./<script name>


Application Control provides additional and granular control for file and script execution. For example, you can choose to block an interpreter from running except when run by a specific user or when run with specific arguments. To further tweak how to use interpreters and scripts, see Defining attribute-based rules for file execution.

Map an interpreter with a file extension

Associate an interpreter with a file or script extension to control execution for a certain script type (Windows only).

Task

• Run this command at the command prompt.

sadmin scripts add extension interpreter1 [interpreter2]...

The file with the specified extension or type is associated with the specified interpreters.

For example:

sadmin scripts add .vbs wscript.exe cscript.exe

This command enables Application Control to enforce that wscript.exe and cscript.exe can execute a .vbs script (when the script file and interpreters are whitelisted). After the association is defined, wscript.exe and cscript.exe can also execute other script files (provided the interpreter can read and understand the instructions in the script file). The association is effective immediately and applies to all new interpreter instances initiated after running this command.

If needed, you can associate additional interpreters with a script or file type. For example:

sadmin scripts add .vbs zscript.exe

If you attempt to add an interpreter that is already associated with a file or extension type, no action is taken.

Application Control supports a special tag 16Bit as a synthetic extension for the 16-bit binaries. To control execution for the 16-bit binaries, execute these commands.

• sadmin scripts add 16Bit wowexec.exe

• sadmin scripts add 16Bit ntvdm.exe


List interpreter and file extension associations

List the existing interpreter and file or script extension associations defined in your setup to control file execution (Windows only).

Task

• Run this command at the command prompt.

sadmin scripts list

Sample output appears like this:

.ps1 "powershell.exe"

.bat "cmd.exe"

.cmd "cmd.exe"

.pif "ntvdm.exe"

.sys "ntvdm.exe"

.vbe "cscript.exe" "wscript.exe"

16Bit "ntvdm.exe" "wowexec.exe"

.vbs "cscript.exe" "wscript.exe"

.exe "ntvdm.exe"

Remove interpreter and file extension associations

Remove existing interpreter and file or script extension associations defined in your setup (Windows only).

Task

• Run one of these commands at the command prompt.

• sadmin scripts remove extension [interpreter1 [interpreter2]]... — Removes the specified interpreter associations for the file or script type.

• sadmin scripts remove extension — Removes all interpreter associations for the specified file or script type.
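The mapping step (sadmin scripts add) and the sadmin scripts list output above can be audited together. The following Python script is an added example, not McAfee's code: it parses list output in the format shown, compares it with a baseline of expected associations (the BASELINE dictionary and its .js entry are assumptions made for this example), and emits the sadmin scripts add commands that close any gap, relying on the documented fact that re-adding an existing association takes no action.

```python
"""Audit interpreter associations reported by `sadmin scripts list`.

Added example, not part of McAfee Application Control. It parses the list
output in the format the guide shows, compares it with an expected
baseline, and prints the `sadmin scripts add` commands that would close
the gap. Re-adding an existing association is a documented no-op, so the
output is safe to run more than once.
"""
import re
from typing import Dict, List, Set

_QUOTED = re.compile(r'"([^"]*)"')

# Constructed sample in the layout of `sadmin scripts list` (from this guide).
SAMPLE_LIST_OUTPUT = """\
.ps1 "powershell.exe"
.bat "cmd.exe"
.cmd "cmd.exe"
.pif "ntvdm.exe"
.sys "ntvdm.exe"
.vbe "cscript.exe" "wscript.exe"
16Bit "ntvdm.exe" "wowexec.exe"
.vbs "cscript.exe" "wscript.exe"
.exe "ntvdm.exe"
"""

# Assumed baseline for this example; .js is deliberately absent from the
# sample output so the audit has something to report.
BASELINE: Dict[str, Set[str]] = {
    ".vbs": {"cscript.exe", "wscript.exe"},
    ".vbe": {"cscript.exe", "wscript.exe"},
    ".ps1": {"powershell.exe"},
    "16Bit": {"ntvdm.exe", "wowexec.exe"},
    ".js": {"cscript.exe", "wscript.exe"},
}


def parse_scripts_list(output: str) -> Dict[str, Set[str]]:
    """Map each extension (lower-cased) to its set of interpreter names.

    Each line is `<extension> "<interp1>" ["<interp2>" ...]`; blank lines
    and lines without a quoted interpreter are skipped.
    """
    assoc: Dict[str, Set[str]] = {}
    for line in output.splitlines():
        line = line.strip()
        if not line:
            continue
        ext, _, rest = line.partition(" ")
        names = _QUOTED.findall(rest)
        if not names:
            continue
        assoc.setdefault(ext.lower(), set()).update(n.lower() for n in names)
    return assoc


def missing_associations(current: Dict[str, Set[str]],
                         baseline: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Interpreters required by the baseline but not present on the system."""
    missing: Dict[str, Set[str]] = {}
    for ext, wanted in baseline.items():
        have = current.get(ext.lower(), set())
        gap = {w for w in wanted if w.lower() not in have}
        if gap:
            missing[ext] = gap
    return missing


def unmapped_extensions(current: Dict[str, Set[str]],
                        baseline: Dict[str, Set[str]]) -> List[str]:
    """Baseline extensions with no interpreter at all. On Windows such files
    are allowed to execute because Application Control does not treat them
    as script files, so these gaps are the ones to close first."""
    return sorted(ext for ext in baseline if ext.lower() not in current)


def remediation_commands(current: Dict[str, Set[str]],
                         baseline: Dict[str, Set[str]]) -> List[str]:
    """One `sadmin scripts add` per extension that has missing interpreters."""
    return [f"sadmin scripts add {ext} {' '.join(sorted(interps))}"
            for ext, interps in sorted(missing_associations(current, baseline).items())]


if __name__ == "__main__":
    current = parse_scripts_list(SAMPLE_LIST_OUTPUT)
    print("unmapped:", unmapped_extensions(current, BASELINE))
    for cmd in remediation_commands(current, BASELINE):
        print(cmd)
```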

Defining attribute-based rules for file execution (Windows only)

Application Control performs multiple checks to determine whether to allow or block a file's execution. If a file's execution is allowed after the Application Control checks, attribute-based or granular rules, if any are defined, come into play. The rules are based on the concept of fine-grained whitelisting and can be created on the attributes of a file.

You can define specific rules using one or more attributes of the file to allow, block, or monitor the file. When multiple rules are matched for a particular scenario, allow rules have the highest precedence, followed by block and monitor rules, respectively.

Attribute-based rules help you allow or block files in different scenarios based on file context and offer flexibility.


• Context-based allowing or blocking of files — On a protected system, only whitelisted interpreters are allowed to execute. But, in certain scenarios, whitelisted interpreters might be misused to execute malicious scripts. For example, a powershell.exe script can be used to execute unsolidified scripts and execute file-less scripts by invoking its execution with atypical input arguments. You can prevent misuse of interpreters by defining attribute-based rules to block potentially malicious scenarios.

• Flexibility and control — Attribute-based rules provide flexibility to allow or block file execution, as needed. You might need to block a user from running a specific file. If an administrator wants to block the execution of powershell.exe for a specific user, a rule can be added to prevent its execution by the user. Other users in your setup can execute powershell.exe. You can achieve such scenarios using attribute-based rules.

Similarly, you might choose to block execution of a certain file in your setup completely, unless when run by a specific parent process. You can achieve this by creating a generic block rule and a parent process-based allow rule for the file. Because the allow rule has precedence over the block rule, it overrides the block rule when applied.

Or, you might choose to only observe or monitor a file to determine its execution in your setup. To do this, you can define a monitor rule for the file.

We recommend that before creating a block rule for a file, you create a monitor rule to observe the file's use and execution in your setup. After you define the monitoring rule, if no OBSERVED_FILE_EXECUTION events are generated for the file over a reasonable time window, you can safely define a block rule for the file.

When configuring an attribute-based rule, you can choose to allow, block, or monitor a file. This table describes the behavior of a rule in the various supported modes.

Type of rule    Supported modes (Enable, Update, Observe)

Allow
    Enable: Allow file execution. No event is generated.
    Update: Allow file execution. No event is generated.
    Observe: Allow file execution. No event is generated.

Block
    Enable: Block file execution. The PREVENTED_FILE_EXECUTION event is generated.
    Update: Allow file execution. The OBSERVED_FILE_EXECUTION event is generated.
    Observe: Allow file execution. The OBSERVED_FILE_EXECUTION event is generated.

Monitor
    Enable: Allow file execution. The OBSERVED_FILE_EXECUTION event is generated.
    Update: Allow file execution. The OBSERVED_FILE_EXECUTION event is generated.
    Observe: Allow file execution. The OBSERVED_FILE_EXECUTION event is generated.

The applied rules are ineffective for any process that is marked as an updater process; only the events are generated.


Adding attribute-based rules

Create rules based on one or more attributes of a file to allow, block, or monitor its execution.

Task

• Run this command at the command prompt.

a Enter the command with attribute type as command_line.

sadmin ruleengine add <ruletype> processname command_line <operation> <REGEX/STRING>

This table describes the command's tokens and their functionality in detail.

Token    Possible values    Description

Ruletype
    Possible values: allow, block, and monitor
    Specifies the type of rule to add; any of the supported rule types can be used.

Attributetype
    Possible values: command_line
    Defines the command_line argument with which a process is launched. The attribute-based rule can be formed on it for decision making in the rule engine.

Operation
    Possible values: matches, notmatches, equals, and notequals
    Performs the rule based on the operation configured on the attribute of a process. Only matches and notmatches support REGEX. For the others, a string is used.

REGEX
    Possible values: a regular expression
    Includes a regular expression or a string of characters. It describes a grammar that can be constructed based on ECMAScript. See this article for more details.

STRING
    Possible values: any characters
    Defines a string of characters.

b Enter the command with attribute type as parent_process_name, user, or path.

sadmin ruleengine add <ruletype> processname <attributetype> <operation> STRING

This table describes the command's tokens and their functionality in detail.

Token    Possible values    Description

Ruletype
    Possible values: allow, block, and monitor
    Specifies the type of rule to add; any of the supported rule types can be used.

Attributetype
    Possible values: user, parent_process_name, and path
    Defines the attribute type on which the attribute-based rule can be formed for decision making in the rule engine.

Operation
    Possible values: equals and notequals
    Performs the rule based on the operation configured on the attribute of a process.

STRING
    Possible values: any characters
    Defines a string of characters.

You can use multiple attributes when creating attribute-based rules. Use AND as a connector when creating a rule based on two or more attribute types. For example, the rule sadmin ruleengine add block powershell.exe command_line matches .*iex* AND user equals "user1" prevents user1 from running powershell.exe when it is run with a command-line argument that matches the regular expression .*iex*. In other scenarios, user1 is allowed to execute powershell.exe.
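The precedence rules, the mode table above, and the AND syntax just described can be exercised offline before a rule is added. The following Python model is an added example and not McAfee's rule engine: it parses sadmin ruleengine add commands, evaluates them against a described process launch, and returns the decision and event the mode table predicts; the regex "search anywhere" semantics, case-insensitive string comparison, and the deploy-agent.exe parent name are assumptions made for the example.

```python
"""Model of attribute-based rule evaluation for `sadmin ruleengine`.

Added example, not McAfee code. It reproduces what this section documents:
AND-connected attribute conditions, allow > block > monitor precedence, the
per-mode behaviour table (Enable / Update / Observe) and the updater
exception (rules are ineffective for updater processes; only the event is
raised). Assumptions are marked in comments.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

REGEX_OPS = {"matches", "notmatches"}
STRING_OPS = {"equals", "notequals"}
ATTRIBUTES = {"command_line", "parent_process_name", "user", "path"}
PRECEDENCE = ("allow", "block", "monitor")   # highest precedence first
_TOKEN = re.compile(r'"([^"]*)"|(\S+)')       # quoted value or bare word


@dataclass(frozen=True)
class Condition:
    attribute: str
    operation: str
    value: str

    def holds(self, proc: Dict[str, str]) -> bool:
        actual = proc.get(self.attribute, "")
        if self.operation in REGEX_OPS:
            # Assumption: "matches" means the regex is found anywhere in the command line.
            hit = re.search(self.value, actual) is not None
            return hit if self.operation == "matches" else not hit
        # Assumption: Windows user and process names compare case-insensitively.
        same = actual.lower() == self.value.lower()
        return same if self.operation == "equals" else not same


@dataclass(frozen=True)
class Rule:
    ruletype: str                      # allow | block | monitor
    processname: str
    conditions: Tuple[Condition, ...]

    def applies_to(self, proc: Dict[str, str]) -> bool:
        return (proc.get("processname", "").lower() == self.processname.lower()
                and all(c.holds(proc) for c in self.conditions))


def parse_rule(command: str) -> Rule:
    """Parse `sadmin ruleengine add <ruletype> <processname> <attr> <op> <value> [AND ...]`."""
    tokens = [quoted if quoted else bare for quoted, bare in _TOKEN.findall(command)]
    if tokens[:3] != ["sadmin", "ruleengine", "add"] or len(tokens) < 8:
        raise ValueError("not a complete sadmin ruleengine add command")
    ruletype, processname, rest = tokens[3], tokens[4], tokens[5:]
    if ruletype not in PRECEDENCE:
        raise ValueError(f"unknown rule type {ruletype}")
    conds: List[Condition] = []
    while rest:
        if len(rest) < 3:
            raise ValueError("incomplete condition")
        attr, op, value = rest[:3]
        if attr not in ATTRIBUTES or op not in REGEX_OPS | STRING_OPS:
            raise ValueError(f"bad condition: {attr} {op}")
        if op in REGEX_OPS and attr != "command_line":
            raise ValueError("only command_line supports matches/notmatches")
        conds.append(Condition(attr, op, value))
        rest = rest[3:]
        if rest and rest.pop(0) != "AND":
            raise ValueError("conditions must be joined with AND")
    return Rule(ruletype, processname, tuple(conds))


def evaluate(rules: List[Rule], proc: Dict[str, str], mode: str = "Enable",
             is_updater: bool = False) -> Tuple[str, Optional[str]]:
    """Return (decision, event) for one process launch, following the mode table."""
    hits = [r for r in rules if r.applies_to(proc)]
    if not hits:
        return "allowed", None
    winner = min(hits, key=lambda r: PRECEDENCE.index(r.ruletype))
    if winner.ruletype == "allow":
        return "allowed", None
    if winner.ruletype == "block" and mode == "Enable":
        # Updater processes are never blocked, but the event is still generated
        # (assumption: the event the rule would otherwise raise).
        return ("allowed" if is_updater else "blocked"), "PREVENTED_FILE_EXECUTION"
    # block in Update/Observe mode and monitor in every mode: allow and observe.
    return "allowed", "OBSERVED_FILE_EXECUTION"


if __name__ == "__main__":
    # Constructed input: the block rule from this section plus an allow rule for a
    # hypothetical deployment agent (deploy-agent.exe is a placeholder name).
    rules = [parse_rule('sadmin ruleengine add block powershell.exe command_line matches .*iex* AND user equals "user1"'),
             parse_rule("sadmin ruleengine add allow powershell.exe parent_process_name equals deploy-agent.exe")]
    launch = {"processname": "powershell.exe", "user": "user1", "parent_process_name": "cmd.exe",
              "command_line": 'powershell.exe -Command "iex $x"'}
    print(evaluate(rules, launch))                                                # blocked
    print(evaluate(rules, dict(launch, user="user2")))                            # allowed, no event
    print(evaluate(rules, dict(launch, parent_process_name="deploy-agent.exe")))  # allow rule wins
```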


Remove attribute-based rules

Remove attribute-based rules defined on the system.

Task

• Perform one of these steps.

a To remove one rule with attribute type as command_line, run this command at the command prompt.

sadmin ruleengine remove <ruletype> processname command_line <operation> <REGEX/STRING>

This table describes the command's tokens and their functionality in detail.

Token    Possible values    Description

Ruletype
    Possible values: allow, block, and monitor
    Specifies the type of rule to remove; any of the supported rule types can be used.

Attributetype
    Possible values: command_line
    Defines the command_line argument with which a process is launched. The attribute-based rule can be formed on it for decision making in the rule engine.

Operation
    Possible values: matches, notmatches, equals, and notequals
    Performs the rule based on the operation configured on the attribute of a process. Only matches and notmatches support REGEX. For the others, a string is used.

REGEX
    Possible values: a regular expression
    Includes a regular expression or a string of characters. It describes a grammar that can be constructed based on ECMAScript. See this article for more details.

STRING
    Possible values: any characters
    Defines a string of characters.

b To remove one rule with parent_process_name, path, or user attribute type, run this command at the command prompt.

sadmin ruleengine remove <ruletype> processname <attributetype> <operation> STRING

This table describes the command's tokens and their functionality in detail.

Token    Possible values    Description

Ruletype
    Possible values: allow, block, and monitor
    Specifies the type of rule to remove; any of the supported rule types can be used.

Attributetype
    Possible values: user, parent_process_name, and path
    Defines the attribute type on which the attribute-based rule can be formed for decision making in the rule engine.

Operation
    Possible values: equals and notequals
    Performs the rule based on the operation configured on the attribute of a process.

STRING
    Possible values: any characters
    Defines a string of characters.

You can use multiple attributes when removing attribute-based rules. Use AND as a connector when specifying a rule based on two or more attribute types. For example, sadmin ruleengine remove block powershell.exe command_line matches .*iex* AND user equals "user1" removes the rule that prevents user1 from running powershell.exe when it is run with a command-line argument that matches the regular expression .*iex*.


c To remove or flush all attribute-based rules defined on the system, run this command at the command prompt.

sadmin ruleengine flush

List all attribute-based rules

List all attribute-based rules defined on the system.

Task

• Run this command at the command prompt.

sadmin ruleengine list

This command lists all the rules added on the system.


5 Configuring memory-protection techniques

Application Control offers multiple memory-protection techniques on the Windows platform to prevent zero-day attacks and protect the integrity of the running process executables and DLLs.

These techniques provide protection that complements what is offered by native Windows security features or buffer overflow protection products that are signature-based. These techniques are available on all supported Windows operating systems. At a high level, the memory-protection techniques prevent these types of exploits.

• Buffer overflow followed by direct code execution

• Buffer overflow followed by indirect code execution using Return-Oriented Programming (ROP)

For a detailed and updated list of the exploits prevented by the memory-protection techniques, subscribe to the security advisories from McAfee® Global Threat Intelligence™ services.

Contents
    Memory-protection techniques
    Configure CASP
    Configure NX
    Configure Forced DLL Relocation

Memory-protection techniques

Memory-protection techniques prevent or thwart malware execution and unauthorized attempts to gain control of a system through buffer overflow.

This table describes the memory-protection techniques with supported operating systems, default states, and events.


Technique    Description

CASP (Critical Address Space Protection, mp-casp)
    CASP is a memory-protection technique that renders useless any shellcode running from the non-code area. Code running from the non-code area is an abnormal event that usually happens because a buffer overflow is exploited.
    CASP allows code to execute from the non-code area but disallows the code from invoking any meaningful API calls, such as CreateProcess() and DeleteFile(). Any meaningful exploit code wants to invoke at least one of these APIs and because CASP blocks them, the exploit fails to do any damage.
    When you use CASP, it protects all processes running on your Windows system with some exceptions. These exceptions include a few processes that are already protected by the integrity protection feature of Windows.
    The CASP technique is identified as mp-casp in the features list. Use the sadmin features command to view identifiers of the supported features.
    You can bypass or enforce CASP on executables. Also, you can list or flush the executables that are bypassed by CASP. For more information, see Configure CASP.
    Supported operating systems: 32-bit and 64-bit: Windows Server 2008, Windows 7, Windows Embedded 7, Windows 8, Windows Embedded 8, Windows 8.1, Windows Embedded 8.1, Windows 10, and Windows 10 IoT Enterprise
    Default state: Enabled
    Event generated: PROCESS_HIJACK_ATTEMPTED

NX (No Execute, mp-nx)
    The NX feature uses the Windows Data Execution Prevention (DEP) feature to protect processes against exploits that try to execute code from a writable memory area (stack/heap). On top of native DEP, MP-NX provides granular bypass capability and raises violation events that can be viewed on the Windows Event Viewer console. Windows DEP prevents code from being run from a non-executable memory region. Usually, code running from the non-executable memory region is an abnormal event. This mostly occurs because of a buffer overflow. The malicious exploit attempts to execute code from these non-executable memory regions.
    The NX technique is identified as mp-nx in the features list. Use the sadmin features command to view identifiers of the supported features.
    NX is applicable for 64-bit and 32-bit processes. Also, you can list or flush the executables that are bypassed by NX. For more information, see Configure NX.
    Supported operating systems: 64-bit: Windows Server 2008, Windows Server 2008 R2, Windows 7, Windows Embedded 7, Windows 8, Windows Embedded 8, Windows 8.1, Windows Embedded 8.1, Windows 10, Windows 10 IoT Enterprise, Windows Server 2012, and Windows Server 2012 R2. This feature is not available on the IA64 architecture.
    Default status: Enabled


    Event generated: NX_VIOLATION_DETECTED

Forced DLL Relocation (mp-vasr-forced-relocation)
    This feature forces relocation of those dynamic-link libraries (DLLs) that have opted out of the Windows native ASLR feature. Some malware relies on these DLLs always being loaded at the same and known addresses. By relocating such DLLs, these attacks are prevented.
    The Forced DLL Relocation technique is identified as mp-vasr-forced-relocation in the features list. Use the sadmin features command to view all identifiers of the supported features.
    You can bypass or enforce Forced DLL Relocation on executables. List or flush the executables that are bypassed by Forced DLL Relocation. Also, you can bypass a DLL module that is loaded for the specified process. For more information, see Configure Forced DLL Relocation.
    Supported operating systems: 32-bit and 64-bit: Windows Server 2008, Windows Server 2008 R2, Windows 7, Windows Embedded 7, Windows 8, Windows Embedded 8, Windows 8.1, Windows Embedded 8.1, Windows 10, Windows 10 IoT Enterprise, Windows Server 2012, and Windows Server 2012 R2
    Default state: Enabled
    Event generated: VASR_VIOLATION_DETECTED

Occasionally, some applications (as part of their day-to-day processing) might run code in an atypical way and be prevented from running by the memory-protection techniques.

Contact McAfee Support for information about other deprecated memory-protection techniques such as Mangling and Decoying.

Configure CASP

To protect the code in a non-code area from making API calls, configure rules to add executables to CASP.

Task    Syntax    Description

Bypass executables from CASP.
    sadmin attr add –c <filename1 ...filenameN>
    Specify one or more executables where CASP must be bypassed.
    For example, sadmin attr add –c alg.exe

Remove executables from CASP bypass.
    sadmin attr remove –c <filename1 ...filenameN>
    Specify one or more executables to remove from CASP bypass; in effect, CASP will be enforced.
    For example, sadmin attr remove –c alg.exe

List the executables that CASP bypasses.
    sadmin attr list –c
    Lists all executables that CASP bypasses.
    For example, sadmin attr list –c

Flush the CASP bypass rules from all executables.
    sadmin attr flush –c
    Removes the CASP bypass rules from all executables.
    For example, sadmin attr flush –c


Configure NX

To protect processes against exploits that try to execute code from a writable memory area, configure rules to add executables to NX. This technique prevents code from being run from a non-executable memory region.

Task: Bypass executables from NX.
Syntax: sadmin attr add -n <filename1 ... filenameN>
Description: Specify one or more executables where NX must be bypassed.
For example, sadmin attr add -n alg.exe

Task: Bypass an executable and its child processes from NX.
Syntax: sadmin attr add -n -y <filename1 ... filenameN>
Description: Specify an executable where NX must be bypassed, including its child processes. You can specify the -y option only with the -n option.
For example, sadmin attr add -n -y alg.exe

Task: Remove executables from NX bypass.
Syntax: sadmin attr remove -n <filename1 ... filenameN>
Description: Specify one or more executables to remove from NX bypass; in effect NX will be enforced.
For example, sadmin attr remove -n alg.exe

Task: List the executables that are bypassed from NX.
Syntax: sadmin attr list -n
Description: Lists all executables that NX bypasses.
For example, sadmin attr list -n

Task: Flush NX bypass rules from all executables.
Syntax: sadmin attr flush -n
Description: Removes the NX bypass rules from all executables.
For example, sadmin attr flush -n

Configure Forced DLL Relocation

Certain malware relies on the DLLs that have opted out of the Windows ASLR feature and are always getting loaded at the same and known addresses.

To prevent such malware, configure rules to add one or more executables to Forced DLL Relocation. This technique forces relocation of those DLLs that have opted out of the native Windows ASLR feature.

Task: Bypass executables from Forced DLL Relocation.
Syntax: sadmin attr add -v <filename1 ... filenameN>
Description: Specify one or more protected components where you bypass Forced DLL Relocation.
For example, sadmin attr add -v AcroRD32.exe

Task: Enforce Forced DLL Relocation on executables.
Syntax: sadmin attr remove -v <filename1 ... filenameN>
Description: Specify one or more components where you enforce Forced DLL Relocation.
For example, sadmin attr remove -v AcroRD32.exe

Task: List the executables that Forced DLL Relocation bypasses.
Syntax: sadmin attr list -v
Description: Lists all components that Forced DLL Relocation bypasses.
For example, sadmin attr list -v


Task: Flush Forced DLL Relocation rules from all executables.
Syntax: sadmin attr flush -v
Description: Removes Forced DLL Relocation rules from all executables.
For example, sadmin attr flush -v

Task: Bypass a DLL module that is loaded for a specific process.
Syntax: sadmin attr add -o module=<DLL module name> -v <process name>
Description: Bypass the DLL module name for a process.
For example, sadmin attr add -o module=wuauserv.dll -v svchost.exe


6 Maintaining your systems

Using Application Control features, you can perform tasks to maintain and manage the systems in your environment.

Contents
View product status and version
Manage the whitelist
Advanced exclusion filters (AEFs)
Manage product features
Package Control
Making emergency changes
Enable or disable password protection
Review changes using events
Configuring log files
Runtime environment of the system
Managing mass deployments and system upgrades
Disable Application Control

View product status and version

View Application Control status for product status details, such as operational mode, operational mode after restart, and whitelist status. For managed configuration of the product, you can also see connectivity with McAfee ePO.

You can also view the Application Control version to see details of the installed product and the copyright information.

Task

1 Complete these steps to review Application Control status.

a Run this command at the command prompt.

Include [Volume] to view details of a single volume.

sadmin status [volume]


b A message similar to this example displays the system details. The following table describes the fields and their meaning.

McAfee Solidifier: Disabled
McAfee Solidifier on reboot: Disabled
ePO Managed: No
Local CLI access: Recovered

[fstype] [status] [driver status] [volume]
* NTFS Solidified Unattached C:\

McAfee Solidifier: Specifies the operational mode of Application Control.

McAfee Solidifier on reboot: Specifies the operational mode of Application Control after system restart.

McAfee ePO Managed: Displays the connectivity status of Application Control with McAfee ePO. In standalone configuration of the product, this status is No.

Local CLI access: Displays the lockdown or recovered status of the local CLI. In standalone configuration of the product, this status is Recovered.

fstype: Displays the supported file systems for a volume.

status: Displays the current whitelist status for all supported volumes on a system. If a volume name is specified, only the whitelist status for that volume is displayed.

driver status: Displays whether the Application Control driver is loaded on a volume. If the driver is loaded on a volume, status is attached; otherwise the status is unattached.

volume: Displays the volume names.

2 Run this command to view version and copyright details of Application Control installed on the system.

sadmin version
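The status message shown in step 1 is what a fleet-wide health check has to read. The following Python script is an added example, not McAfee code: it parses a constructed copy of that output and turns the field meanings from the table into findings a defender would act on (Solidifier not Enabled, not Enabled after reboot, driver unattached on a volume). The sample text is re-typed from the guide's example; the spacing of real output may differ, so the parser is whitespace-tolerant.

```python
"""Parse `sadmin status` output and flag states in which the system is not
actually protected. Added example; not McAfee code."""
import re

# Constructed sample, modelled on the guide's example output.
SAMPLE_STATUS = """\
McAfee Solidifier: Disabled
McAfee Solidifier on reboot: Disabled
ePO Managed: No
Local CLI access: Recovered

[fstype] [status] [driver status] [volume]
* NTFS Solidified Unattached C:\\
"""

VOLUME_HEADER = "[fstype] [status] [driver status] [volume]"


def parse_status(text):
    """Return (fields, volumes).

    fields:  dict of the 'Key: Value' lines (operational mode, ePO link, CLI state)
    volumes: list of dicts with fstype/status/driver_status/volume per table row
    """
    fields = {}
    volumes = []
    in_table = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == VOLUME_HEADER:
            in_table = True
            continue
        if in_table:
            # Rows look like: "* NTFS Solidified Unattached C:\"
            parts = line.lstrip("*").split()
            if len(parts) < 4:
                continue
            volumes.append({
                "fstype": parts[0],
                "status": parts[1],
                "driver_status": parts[2],
                "volume": " ".join(parts[3:]),
            })
        else:
            m = re.match(r"^(.+?):\s*(.+)$", line)
            if m:
                fields[m.group(1).strip()] = m.group(2).strip()
    return fields, volumes


def protection_findings(text):
    """Translate a status message into findings, following the field meanings
    in the guide's table: a Solidifier mode other than Enabled means no
    enforcement, the on-reboot mode says whether that persists, and an
    unattached driver means the volume is not being protected."""
    fields, volumes = parse_status(text)
    findings = []
    if fields.get("McAfee Solidifier") != "Enabled":
        findings.append("application control is not in Enabled mode")
    if fields.get("McAfee Solidifier on reboot") != "Enabled":
        findings.append("application control will not be Enabled after reboot")
    for vol in volumes:
        if vol["driver_status"].lower() != "attached":
            findings.append("driver unattached on volume %s" % vol["volume"])
        if vol["status"].lower() != "solidified":
            findings.append("volume %s is not solidified" % vol["volume"])
    return findings


if __name__ == "__main__":
    for finding in protection_findings(SAMPLE_STATUS):
        print("FINDING:", finding)
```

Run against the sample, the script reports three findings: the product is Disabled, it stays Disabled after reboot, and the driver is Unattached on C:\. Feeding it the real command output (for example from a scheduled job) gives a per-host check that protection is on and will survive a restart.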

Manage the whitelist

An important part of system maintenance is managing the whitelist. You can perform various tasks to manage the whitelist.

Tasks

• Whitelist thread priority on page 69
The whitelist thread priority (SoPriority) determines the usage of system resources and the time required to create the whitelist.

• Add and remove operations on page 69
Add new components to the initial whitelist to allow their execution on a protected system. If needed, you can remove components from the whitelist.

• List operations on page 70
View lists of all whitelisted and non-whitelisted files, directories, and drives/volumes on the system.

• Check and update the status of whitelisted components on page 71
Compare the current whitelist status and checksum values of whitelisted files, directories, and volumes with the status and values stored in the whitelist. If they are not current, you can update the whitelist and fix inconsistencies.


Whitelist thread priority

The whitelist thread priority (SoPriority) determines the usage of system resources and the time required to create the whitelist.

You can configure the whitelist thread priority before creating the initial whitelist on the Windows operating system. By default, the thread runs on low priority (value of 0) and if you do not specify the thread priority, Application Control considers the default priority to create the whitelist.

Run this command and specify the SoPriority value.

sadmin config set SoPriority=<value>

The SoPriority value that you specify should be based on your preference. This table describes the SoPriority values that you can specify.

Value: 0
Priority: Low (Recommended)
Advantages and disadvantages: The low value takes more time to create the whitelist but causes minimal performance impact on the system.

Value: 1
Priority: Medium
Advantages and disadvantages: N/A

Value: 2
Priority: High
Advantages and disadvantages: The high value takes less time but uses more system resources and can cause performance impact on the system.

Add and remove operations

Add new components to the initial whitelist to allow their execution on a protected system. If needed, you can remove components from the whitelist.

Specify the components as file names, directory names, or volume names.

Do not remove a system drive or volume from the whitelist because doing this results in a blue screen or system failure.

Action: Add components to the whitelist.
Command syntax: sadmin solidify [<arguments> <components>]
Description: After the initial whitelist is created, execution is blocked for the components that are not included in the whitelist. If needed, add more components to the whitelist.

Action: Remove all components from the whitelist.
Command syntax: sadmin unsolidify
Description: Remove all components from the whitelist using this command. When you remove components from the whitelist, they are no longer protected by Application Control.

Action: Remove selected components from the whitelist.
Command syntax: sadmin unsolidify [<arguments> <components>]
Description: Specify the components that you want to remove from the whitelist.

You can add or remove components from the whitelist as described in this table.

File name: Add files to the whitelist. For example,
sadmin solidify filename1 ... filenameN

Remove files from the whitelist. For example,
sadmin unsolidify filename1 ... filenameN

Directory name: Add all supported files (recursively) under specified directories to the whitelist. For example,
sadmin solidify directoryname1 ... directorynameN


Remove all supported files in one or more directories from the whitelist. For example,
sadmin unsolidify directoryname1 ... directorynameN

Volume name: Add all supported files (recursively) under specified system volumes to the whitelist. For example,
sadmin solidify volumename1 ... volumenameN

Remove all supported files in one or more system volumes from the whitelist. For example,
sadmin unsolidify volumename1 ... volumenameN

Optionally, you can specify supported arguments with the command.

• Add — sadmin solidify [ -q | -v ] filename1 ... filenameN | directoryname1 ... directorynameN | volumename1 ... volumenameN

• Remove — sadmin unsolidify [ -v ] filename1 ... filenameN | directoryname1 ... directorynameN | volumename1 ... volumenameN

Here are the argument descriptions:

• The -q argument displays only error messages.

• The -v argument displays all messages.

List operations

View lists of all whitelisted and non-whitelisted files, directories, and drives/volumes on the system.

Action: List all whitelisted components.
Command syntax: sadmin list-solidified
Description: List all whitelisted components using this command. Specify the names of files, directories, and drive/volumes to narrow the results.

Action: List all non-whitelisted components.
Command syntax: sadmin list-unsolidified
Description: List all non-whitelisted components using this command. Specify the names of files, directories, and drive/volumes to narrow the results.

You can narrow the results by specifying components as described in this table.

File name: List all whitelisted files from the specified list of files. If only one file name is specified, this command shows the file name only if the file is whitelisted. Specify a set of files to list the whitelisted files from that file set. For example,
sadmin list-solidified filename1 ... filenameN

Lists all non-whitelisted files from the specified list of files. If only one file name is specified, this command shows the file only if the file is non-whitelisted. Specify a set of files to list non-whitelisted files from that file set. For example,
sadmin list-unsolidified filename1 ... filenameN

Directory name: List all whitelisted files present in the specified directories. For example,
sadmin list-solidified directoryname1 ... directorynameN


List all non-whitelisted files present in the specified directories. Specify directory names with this command to list all non-whitelisted files in the specified directories. For example,
sadmin list-unsolidified directoryname1 ... directorynameN

Volume name: List all whitelisted files present in the specified drives/volumes. For example,
sadmin list-solidified volumename1 ... volumenameN

List all non-whitelisted files present in specified volumes. Specify volume names with this command to list all non-whitelisted files in the specified volumes. For example,
sadmin list-unsolidified volumename1 ... volumenameN

File name, directory name, or volume name with -l: List details about the files, such as file type, file path, and file checksum. For example,
sadmin list-solidified [ -l ] filename1 ... filenameN | directoryname1 ... directorynameN | volumename1 ... volumenameN

Check and update the status of whitelisted components

Compare the current whitelist status and checksum values of whitelisted files, directories, and volumes with the status and values stored in the whitelist. If they are not current, you can update the whitelist and fix inconsistencies.

If the components in the whitelist are changed or removed and the whitelist is not updated, the execution of these components is blocked by Application Control. This results in inconsistencies in the whitelist.

Task

• Run this command at the command prompt.

sadmin check [ -r ] file | directory | volume

You can narrow the results by specifying the names of files, directories, and drive/volumes with this command.

Also, you can specify the -r argument with this command. This argument fixes inconsistencies by updating the whitelist with the latest checksum values of the components and adds the components to the whitelist, if the components are not already present. If you do not specify a component, inconsistencies in all supported drives/volumes are fixed.
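To make the check and repair semantics concrete, here is an added Python model (not McAfee code) of what `sadmin check` and `sadmin check -r` do: every whitelisted file's stored checksum is compared with its current checksum, mismatches and unlisted files are reported, and with the repair flag the stored values are refreshed and missing files are added. The whitelist store is a plain dict and SHA-256 stands in for the product's checksum; both are assumptions for illustration, since the guide does not describe the product's own store or checksum format. The files are created in a temporary directory so the script runs offline.

```python
"""Model of `sadmin check [-r]`: compare stored and current checksums,
report inconsistencies, and optionally repair them. Added example; not
McAfee code. The dict store and SHA-256 are assumptions."""
import hashlib
import os
import tempfile


def file_checksum(path):
    """SHA-256 hex digest of a file's content (assumed checksum algorithm)."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def solidify(whitelist, paths):
    """Add files to the whitelist, recording their current checksum."""
    for p in paths:
        whitelist[os.path.abspath(p)] = file_checksum(p)


def check(whitelist, paths, repair=False):
    """Compare the current state of `paths` with the whitelist.

    Returns a dict with three lists:
      modified - whitelisted files whose checksum no longer matches
      missing  - files in `paths` that are not whitelisted at all
      deleted  - whitelisted files that no longer exist on disk
    With repair=True (the -r behaviour) modified entries get their stored
    checksum refreshed and missing files are added to the whitelist.
    """
    result = {"modified": [], "missing": [], "deleted": []}
    for p in paths:
        ap = os.path.abspath(p)
        if not os.path.exists(ap):
            if ap in whitelist:
                result["deleted"].append(ap)
            continue
        current = file_checksum(ap)
        stored = whitelist.get(ap)
        if stored is None:
            result["missing"].append(ap)
            if repair:
                whitelist[ap] = current
        elif stored != current:
            result["modified"].append(ap)
            if repair:
                whitelist[ap] = current
    return result


def demo():
    """Whitelist a small constructed tree, change it, then check without and
    with repair. Returns (report_before, report_during_repair, report_after)."""
    root = tempfile.mkdtemp()
    app = os.path.join(root, "app.exe")
    helper = os.path.join(root, "helper.dll")
    newtool = os.path.join(root, "new-tool.exe")
    for path, data in ((app, b"original app"), (helper, b"original helper")):
        with open(path, "wb") as fh:
            fh.write(data)
    whitelist = {}
    solidify(whitelist, [app, helper])

    # Simulate an update that patched app.exe and dropped in an unlisted binary.
    with open(app, "wb") as fh:
        fh.write(b"patched app")
    with open(newtool, "wb") as fh:
        fh.write(b"unlisted binary")

    targets = [app, helper, newtool]
    before = check(whitelist, targets)               # like: sadmin check
    during = check(whitelist, targets, repair=True)  # like: sadmin check -r
    after = check(whitelist, targets)                # clean once repaired
    return before, during, after


if __name__ == "__main__":
    before, during, after = demo()
    print("inconsistencies:", before)
    print("after repair:", after)
```

The first check reports app.exe as modified (its stored checksum is stale, so the real product would block it) and new-tool.exe as not whitelisted; after the repair pass a re-check is clean. Note that an unlisted binary is also silently accepted by the repair, which is why the guide's advice to scope `-r` to the components you intend to trust matters.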

Advanced exclusion filters (AEFs)

You can use a combination of conditions to define advanced filters to exclude reporting of changes.

For example, you might want to monitor the changes made to the tomcat.log file by all programs except the tomcat.exe program. To achieve this, define an advanced filter to exclude all changes made to the log file by tomcat.exe. This means that you receive events only when the log file is changed by other (non-owner) programs.

In this case, the defined filter is similar to: exclude all events where filename is <log-file> and program name is <owner-program>. Use AEFs to prune routine system-generated change events that are not relevant for your monitoring or auditing needs.

Several applications, particularly the web browser, maintain the application state in registry keys and regularly update several registry keys. For example, the ESENT setting is routinely changed by the Windows Explorer application and it generates the Registry Key Modified event. These state changes are regular and don't need to be monitored or reported. Defining AEFs allows you to eliminate any events that are not necessary for compliance, and ensures that the event list includes only meaningful notifications.

Add or remove AEFs

Limit the notifications you receive by adding an advanced filter that excludes changes made to specified components.

You can also remove AEFs to include the excluded notifications for the changes made to the specified components. After removing the AEFs, you receive events for all changes made to the excluded components. But, this results in inclusion of non-meaningful events in the events list.

Action: Add AEFs
Command syntax: sadmin aef add [component <condition> value]

Action: Remove one or multiple AEFs
Command syntax: sadmin aef remove [component <condition> value]

Action: Remove all AEFs
Command syntax: sadmin aef flush

Specify the component, condition, and value with this command.

Component: File
Value: File path
Add AEFs: sadmin aef add [file <condition> PATH]
Remove AEFs: sadmin aef remove [file <condition> PATH]

Component: Registry key
Value: Registry path
Add AEFs: sadmin aef add [reg <condition> PATH]
Remove AEFs: sadmin aef remove [reg <condition> PATH]

Component: Process
Value: Process path
Add AEFs: sadmin aef add [process <condition> PATH]
Remove AEFs: sadmin aef remove [process <condition> PATH]

Component: User
Value: User name
Add AEFs: sadmin aef add [user <condition> USER-NAME]
Remove AEFs: sadmin aef remove [user <condition> USER-NAME]

Component: Event
Value: Event name
Add AEFs: sadmin aef add [event equals EVENT_NAME]
Remove AEFs: sadmin aef remove [event equals EVENT_NAME]


Component: Multiple components
Value: Supported values for the specified components
Add AEFs: Specify the and operator to include multiple components in the filter rule. For example:
sadmin aef add [file <condition> PATH] and [reg <condition> PATH] and [process <condition> PATH] and [user <condition> USER-NAME] and [event equals EVENT_NAME]
Remove AEFs:
sadmin aef remove [file <condition> PATH] and [reg <condition> PATH] and [process <condition> PATH] and [user <condition> USER-NAME] and [event equals EVENT_NAME]

You can also add AEFs for inventory data to exclude non-meaningful inventory data from the systems. But, this feature is supported only in the McAfee ePO-managed configuration. For details about this feature, see McAfee Change Control and McAfee Application Control 8.0.0 Product Guide.

Specify one or more conditions with the components to add AEFs. The filter rule is based on the specified conditions.

Condition: equals
Add AEFs: Add all components with the specified name. Only this condition is valid to add events as AEFs. For example:
sadmin aef add file equals C:\Program Files\Microsoft Download Manager\MSDownloadManager.exe
Remove AEFs: Remove all components with the specified name. For example:
sadmin aef remove file equals C:\Program Files\Microsoft Download Manager\MSDownloadManager.exe

Condition: begins
Add AEFs: Add all components whose paths begin with the specified characters. For example:
sadmin aef add file begins C:\Program Files\Adobe
Remove AEFs: Remove all components whose paths begin with the specified characters. For example:
sadmin aef remove file begins C:\Program Files\Adobe

Condition: ends
Add AEFs: Add all components whose paths end with the specified characters. For example:
sadmin aef add file ends rtf
Remove AEFs: Remove all components whose paths end with the specified characters. For example:
sadmin aef remove file ends rtf


Condition: contains
Add AEFs: Add all components whose paths contain the specified characters. For example:
sadmin aef add process contains svchost.exe
Remove AEFs: Remove all components whose paths contain the specified characters. For example:
sadmin aef remove process contains svchost.exe

Condition: doesnt_contain
Add AEFs: Add all components whose paths do not contain the specified characters. For example:
sadmin aef add reg doesnt_contain CurrentControlSet
Remove AEFs: Remove all components whose paths do not contain the specified characters. For example:
sadmin aef remove reg doesnt_contain CurrentControlSet

List AEFs

List AEFs to review all added AEFs with the specified conditions.

Task

• Run this command at the command prompt.

sadmin aef list

This command lists all AEFs with the specified conditions that are added to a system.

Manage product features

When Application Control is installed on the system, the product features are in their default status. The default status of the features is critical to provide protection to your system. You might need to change the default status of one or more features to allow configuration changes.

Tasks

• Review features on page 75
Review the list of all Application Control features and their status (enabled or disabled) on your system.

• Enable or disable features on page 77
If needed, you can change the default status of a feature by enabling or disabling features. After disabling a feature, the system is no longer protected by that feature.


Review features

Review the list of all Application Control features and their status (enabled or disabled) on your system.

Task

• Run this command at the command prompt.

sadmin features list

The features list is displayed on the screen.

Starting from the Application Control 6.0.0 release, the features list has been minimized to show only the features that require modifications regularly.

Feature: activex
Description: Installs and runs ActiveX controls on the protected system. Only the Internet Explorer browser is supported for the ActiveX control installations. Simultaneous installation of ActiveX controls using multiple tabs of Internet Explorer is not supported.
Default status: Enabled
Supported operating system: Windows

Feature: checksum
Description: Compares the checksum of the file to be executed with the checksum stored in the whitelist.
Default status: Enabled
Supported operating system: Windows and Linux

Feature: deny-read
Description: Read-protects the specified components. When this feature is applied on components, they cannot be read. Read protection works only when Application Control is running in Enabled mode.
Default status: Disabled
Supported operating system: Windows and Linux

Feature: deny-write
Description: Write-protects the specified components. When this feature is applied on the components, they are rendered as read-only, to protect your data.
Default status: Enabled
Supported operating system: Windows and Linux

Feature: discover-updaters
Description: Generates a list of potential updaters that can be included in the system. When running in Enabled mode, Application Control protection might prevent a legitimate application from executing (if the needed rules are not defined). This feature tracks all such failed attempts made by an authorized executable to change protected files or run other executable files and generates a list of possible updaters that can be configured on the system to perform an update.
Default status: Enabled
Supported operating system: Windows

Feature: enduser-notification
Description: Displays a customized notification message on the system when Application Control protection prevents an action on the system. This feature is supported only in the McAfee ePO-managed configuration. For details about this feature, see McAfee Change Control and McAfee Application Control 8.0.0 Product Guide.
Default status: Enabled
Supported operating system: Windows


Feature: execution-control
Description: Defines attribute-based rules using one or more attributes of a process to allow, block, or monitor the process. For details about this feature, see Defining attribute-based rules for file execution.
Default status: Enabled
Supported operating system: Windows

Feature: integrity
Description: Protects Application Control files and registry keys from unauthorized tampering. Allows the product code to run even when the components are not present in the whitelist. Ensures that all product components are protected. Prevents accidental or malicious removal of components from the whitelist to ensure that the product does not become unusable. In update mode, this feature is disabled to facilitate product upgrades.
Default status: Enabled
Supported operating system: Windows and Linux

Feature: mp
Description: Protects running processes from hijacking attempts. Unauthorized code injected into a running process is trapped, halted, and logged. Attempts to gain control of the system through buffer overflow and similar exploits are rendered ineffective.
Default status: Enabled
Supported operating system: Windows

Feature: mp-casp
Description: Renders useless code that is running from the non-code area, which happens due to a buffer overflow being exploited on 32-bit Windows platforms.
Default status: Enabled
Supported operating system: Windows

Feature: mp-vasr, mp-vasr-forced-relocation
Description: Forces relocation of those dynamic-link libraries (DLLs) that have opted out of the Windows native ASLR feature. Some malware relies on these DLLs always being loaded at the same and known addresses. By relocating such DLLs, these attacks are prevented. For more details about this feature, see Configure Forced DLL Relocation.
Default status: Enabled
Supported operating system: Windows

Feature: network-tracking
Description: Tracks files over network directories and blocks the execution of scripts over network directories. By default, this feature is enabled and prevents the execution of scripts over network directories. When this feature is disabled, execution of scripts over network directories is allowed. Also, write-protecting or read-protecting components over a network directory is not effective.
Default status: Enabled
Supported operating system: Windows

Feature: pkg-ctrl
Description: Manages installation and uninstallation of MSI-based and non-MSI-based installers.
Default status: Enabled
Supported operating system: Windows


Feature: script-auth
Description: Prevents the execution of supported script files that are not in the whitelist. Only whitelisted script files are allowed to execute on the system. For example, supported script files such as .bat, .cmd, .vbs (on Windows), and script files with #! (hash bang) for supported local file systems (on Linux) are added to the whitelist and are allowed to execute.
Default status: Enabled
Supported operating system: Windows and Linux

Feature: throttle
Description: Controls the flow of data (events, policy discovery requests, and inventory updates) from each system to the McAfee ePO server. This feature is supported only in the McAfee ePO-managed configuration. For details, see McAfee Change Control and McAfee Application Control 8.0.0 Product Guide.
Default status: Enabled
Supported operating system: Windows

Enable or disable features

If needed, you can change the default status of a feature by enabling or disabling features. After disabling a feature, the system is no longer protected by that feature.

Use caution and consult McAfee Support before enabling or disabling a feature. It can affect the core functionality of the product and might make your system vulnerable to security threats.

Task

• Run these commands, as needed.

Enable a feature: sadmin features enable <featurename>
Disable a feature: sadmin features disable <featurename>
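Because a disabled feature silently removes a layer of protection, the documented defaults in the table above are worth checking against what each host actually reports. The following Python script is an added example, not McAfee code, that diffs a feature listing against those defaults and singles out the changes that weaken protection. DEFAULTS is taken from the feature table (plus the two Package Control subfeatures described later in this chapter). The listing format parsed here, one `<feature> <Enabled|Disabled>` pair per line, is an assumption made for this example; the guide does not show the exact layout of `sadmin features list` output, so adapt parse_features_list() to the real output before relying on it.

```python
"""Diff the feature states reported by `sadmin features list` against the
documented defaults. Added example; not McAfee code. The listing layout
parsed below is assumed, not taken from the guide."""

# Documented default state per feature (Windows), from the guide's tables.
DEFAULTS = {
    "activex": "Enabled",
    "checksum": "Enabled",
    "deny-read": "Disabled",
    "deny-write": "Enabled",
    "discover-updaters": "Enabled",
    "enduser-notification": "Enabled",
    "execution-control": "Enabled",
    "integrity": "Enabled",
    "mp": "Enabled",
    "mp-casp": "Enabled",
    "mp-vasr": "Enabled",
    "mp-vasr-forced-relocation": "Enabled",
    "network-tracking": "Enabled",
    "pkg-ctrl": "Enabled",
    "pkg-ctrl-allow-uninstall": "Enabled",
    "pkg-ctrl-bypass": "Disabled",
    "script-auth": "Enabled",
    "throttle": "Enabled",
}

# Constructed sample listing (assumed layout): two protections switched off
# and the Package Control bypass switched on.
SAMPLE_FEATURES_LIST = """\
activex                     Enabled
checksum                    Enabled
deny-read                   Disabled
deny-write                  Enabled
discover-updaters           Enabled
enduser-notification        Enabled
execution-control           Enabled
integrity                   Enabled
mp                          Disabled
mp-casp                     Enabled
mp-vasr                     Enabled
mp-vasr-forced-relocation   Enabled
network-tracking            Enabled
pkg-ctrl                    Enabled
pkg-ctrl-allow-uninstall    Enabled
pkg-ctrl-bypass             Enabled
script-auth                 Disabled
throttle                    Enabled
"""


def parse_features_list(text):
    """Return {feature: state} from the (assumed) two-column listing."""
    states = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[-1] in ("Enabled", "Disabled"):
            states[parts[0]] = parts[-1]
    return states


def feature_drift(text, defaults=DEFAULTS):
    """Return {feature: (expected, actual)} for every feature not at its default.
    A feature absent from the listing is reported with actual=None so that a
    missing protection does not go unnoticed."""
    actual = parse_features_list(text)
    drift = {}
    for name, expected in defaults.items():
        got = actual.get(name)
        if got != expected:
            drift[name] = (expected, got)
    return drift


def weakened_protections(text, defaults=DEFAULTS):
    """The subset of the drift that reduces protection: a default-Enabled
    feature that is not on, or the pkg-ctrl-bypass subfeature turned on."""
    out = []
    for name, (expected, got) in sorted(feature_drift(text, defaults).items()):
        if expected == "Enabled" and got != "Enabled":
            out.append(name)
        elif name == "pkg-ctrl-bypass" and got == "Enabled":
            out.append(name)
    return out


if __name__ == "__main__":
    for name in weakened_protections(SAMPLE_FEATURES_LIST):
        print("WEAKENED:", name)
```

On the sample, mp (memory protection), script-auth and the enabled pkg-ctrl-bypass are reported; deny-read is Disabled by default and therefore not flagged. Deliberate deviations belong in a site-specific defaults dict so that only unexpected changes surface.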

Package Control

Manage the installation and uninstallation of software packages using the Package Control feature.

This feature allows or denies installation, uninstallation, and upgrade or repair actions for software packages. Any unauthorized installation and uninstallation is prevented by the feature.

The Package Control feature supports these types of installers.

• MSI installers — Includes multiple variants such as .msp, .mst, and .msm.

• EXE-based installers — Includes MSI files embedded with the installer.

• Non-MSI-based installers — Does not include an MSI file embedded with the installer.


This feature is identified as pkg-ctrl in the features list. By default, this feature is enabled and allows installation of software packages by adding rules, such as updater and trusted user. For more information, see How do I override protection?. When this feature is disabled, software installation and uninstallation is blocked.

This feature was redesigned in the 6.1.1 and 6.1.2 releases. For detailed information about the feature redesign, see McAfee Application Control 6.1.1 Product Guide and McAfee Application Control 6.1.2 Product Guide.

Package Control includes these subfeatures.

Allow Uninstallation: Controls uninstallation of software packages. When this feature is enabled, software uninstallation is allowed. By default, this feature is enabled and identified as pkg-ctrl-allow-uninstall in the features list.

Bypass Package Control: Controls bypassing from the Package Control feature. When this feature is enabled, the Package Control feature is bypassed and software installation and uninstallation is allowed. By default, this feature is disabled and identified as pkg-ctrl-bypass in the features list.


Set up Package ControlConfigure Package Control to control the installation and uninstallation of software packages on asystem.

Task• Use these commands to configure Package Control.

Action Command Description

Disable the feature. sadmin featuresdisable pkg-ctrl

When you disable Package Control, all its subfeaturesare also disabled.

Enable the feature. sadmin featuresenable pkg-ctrl

When you enable Package Control, all its subfeaturesrevert to their default state.However, if you enable the Bypass Package Controlsubfeature, then disable Package Control and re-enablePackage Control, the Bypass Package Controlsubfeature is enabled.

Configure these Package Control subfeatures.

Feature | Default state | Action | Command
Allow Uninstallation | Enabled | Disable the feature. Prevents uninstallation of software packages on the system. | sadmin features disable pkg-ctrl-allow-uninstall
Allow Uninstallation | Enabled | Enable the feature. | sadmin features enable pkg-ctrl-allow-uninstall
Bypass Package Control | Disabled | Enable the feature. The Package Control feature is bypassed and you cannot control the installation and uninstallation of software packages. | sadmin features enable pkg-ctrl-bypass
Bypass Package Control | Disabled | Disable the feature. | sadmin features disable pkg-ctrl-bypass

Package Control configuration

Based on your requirements, you can configure Package Control and its subfeatures to control installation and uninstallation of software packages by allowing, authorizing, or blocking software installation and allowing or blocking uninstallation.

By default, the Package Control and Allow Uninstallation features are enabled. You can uninstall any software from the system. However, software installation is allowed based on the defined rules such as updater by name or path, trusted user, trusted directory, certificate as an updater, or checksum as an updater. For more information about these rules, see Overriding applied protection.

Use this default configuration for desktop and System Center Configuration Manager (SCCM)-managed environments. This configuration allows change, repair, remove, or upgrade operations for software, which is useful in these scenarios:

• Explicit software upgrades.

• Software upgrades through Windows update mechanisms.


• Software upgrades (of existing software) while installing new software packages in case of chained installations.

• Rollback in case of power failure or if you restart your system during installation. This is called a suspended installation. The installer tracks the installation that is in progress. When resumed, you can roll back the suspended installation or continue it.

If needed, you can also change the default configuration to:

• Disable the Allow Uninstallation feature — Prevents you from uninstalling software from the system. However, software installation is allowed based on the defined rules. Use this configuration for fixed-function devices and server environments (for all actions except upgrades). For upgrading software in server environments, you must switch to the default configuration because this configuration blocks change, repair, remove, or upgrade operations for software.

• Enable the Bypass Package Control feature — Allows software installation and uninstallation on the system.

• Disable the Package Control feature — Prevents software installation and uninstallation on the system.

• Place the system in Update mode — Allows software installation and uninstallation on the system.

Making emergency changes

Run Application Control in Update mode to perform emergency changes on a protected system.

When the product is in effect, you can allow scheduled or emergency changes to the system and track the changes made to the system by running the product in Update mode. Use Update mode to make changes that cannot be made when Application Control is running in Enabled mode. When possible, use these other methods, which are preferred for allowing changes.

• Trusted users

• Trusted directories

• Trusted certificates

• Checksum (SHA-1 or SHA-256) values

• Updaters

In Enabled mode, if you install new software or add new files, the files are not added to the whitelist or allowed to execute unless you use a trusted method to add them. But, if you install or uninstall software, or add new files in Update mode, changes are tracked and added to the whitelist.

To authorize or approve changes to the system, a change window is defined, where users and programs can make changes to the system. Update mode allows you to perform these tasks.

• Schedule software and patch installations

• Remove or change software

• Dynamically update the whitelist

Memory-protection techniques are enabled in Update mode, so that running programs cannot be exploited.

Application Control generates the FILE_SOLIDIFIED event for files added during Update mode, and the FILE_UNSOLIDIFIED event for files deleted during Update mode. Also, when write-protected files are changed or renamed in Update mode, corresponding update mode events, such as FILE_MODIFIED_UPDATE and FILE_RENAMED_UPDATE, are generated.

From Update mode, you can switch to Enabled or Disabled mode.


Switch to Update mode

Switch Application Control to Update mode to perform scheduled or emergency changes on a system. If the product is in Enabled or Disabled mode, perform these steps to switch to Update mode.

Task

• Run this command at the command prompt.

sadmin begin-update [workflow-id [comment]]

Optionally, specify these arguments with the command.

Attribute | Description
workflow-id | Specify a workflow ID for the current Update mode session. This is an identification ID that can be used for a Change Management or Ticketing System. If you do not provide the workflow ID, the workflow ID is set to an automatically generated string, AUTO_n, where n is a number that is incremented each time an update window is opened.
comment | Specify a comment that describes the current Update mode session. This information can be used for a Change Management or Ticketing System.

If Application Control was in Enabled mode, it is switched to Update mode.

If Application Control was in Disabled mode, perform one of these extra steps.

Step | Description
Restart the system. | When you restart the system, the product is switched to Update mode. Restarting the system is the recommended way to switch to Update mode.
Restart the Application Control service. | Alternatively, you can restart the Application Control service to switch to Update mode. However, only limited features will be enabled after the service restart. Key product features, such as memory protection, will not be enabled; to enable all features, you must restart the system.

Exit Update mode

Exit Update mode after making scheduled or emergency changes, patch installations, or software updates on your system.

Task

• Run this command at the command prompt.

sadmin end-update
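Because every change made while the update window is open is tracked and added to the whitelist, a window that is accidentally left open after a failed installer is a protection gap. The Python wrapper below is an added example, not part of the product or of this guide: it opens the window with sadmin begin-update (with the optional workflow-id and comment from the table above), runs the change, and always closes it with sadmin end-update, even when the change raises. It assumes sadmin is on the PATH and lets the caller substitute the command runner, which is how the sample call at the bottom exercises it without a real agent.

```python
import subprocess

SADMIN = "sadmin"  # assumed to be on PATH; point this at the Solidcore install directory if not


def sadmin_command(subcommand, workflow_id=None, comment=None):
    """Build the argument list for `sadmin begin-update [workflow-id [comment]]`
    or `sadmin end-update`, following the syntax given in the guide."""
    cmd = [SADMIN, subcommand]
    if workflow_id is not None:
        # A ticket number is a single token; spaces would be split into extra arguments.
        if not workflow_id or any(ch.isspace() for ch in workflow_id):
            raise ValueError("workflow-id must be a single token, e.g. a ticket number")
        cmd.append(workflow_id)
        if comment is not None:
            cmd.append(comment)  # one argument, so spaces in the comment are preserved
    elif comment is not None:
        raise ValueError("a comment requires a workflow-id")
    return cmd


def run_in_update_window(change, workflow_id=None, comment=None, run=subprocess.run):
    """Open an Update mode window, call change(), and close the window again.

    end-update is issued from a `finally` block so that a failing installer never
    leaves the host in Update mode.  Returns (succeeded, issued), where `issued`
    is the list of sadmin command lines that were run, in order.
    """
    issued = []

    def sadmin(*args):
        cmd = sadmin_command(*args)
        issued.append(" ".join(cmd))
        run(cmd, check=True)  # raises if sadmin reports an error

    sadmin("begin-update", workflow_id, comment)
    succeeded = True
    try:
        change()
    except Exception:
        succeeded = False  # report the failure, but still close the window below
    finally:
        sadmin("end-update")
    return succeeded, issued


if __name__ == "__main__":
    # Dry run with a recording runner instead of the real sadmin binary.
    def fake_run(cmd, check=False):
        print("would run:", cmd)

    print(run_in_update_window(lambda: None, "CHG-1234", "monthly patching", run=fake_run))
```

If begin-update itself fails, the exception propagates before any window is opened; if end-update fails, the exception also propagates so the caller knows the host may still be in Update mode.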

Enable or disable password protection

Restrict users from running critical sadmin commands by enabling password protection. When password protection is enabled, Application Control allows these critical commands to run only when the user enters the correct password. If you do not need password protection, remove the password, which allows users to run all sadmin commands.

Passwords are protected with a hash from the SHA-2 family. To protect password details, a random number (a salt) is added to the password before the hash is computed.

The SHA-512 algorithm, a member of the SHA-2 family, generates a hash of 512 bits, which protects the password from rainbow table attacks.
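To show what the random value added before hashing buys, here is a small Python illustration of salted SHA-512 password storage and verification. It is an added example, not Application Control's implementation: the salt length, the salt$hash record format and the function names are assumptions. It demonstrates that the same password produces different stored records under different salts, which is what makes a precomputed (rainbow) table useless against them, and that verification uses a constant-time comparison.

```python
import hashlib
import hmac
import os

SALT_BYTES = 16  # assumed salt length; the product's actual value is not documented here


def hash_password(password, salt=None):
    """Return a stored record "salt$hash" using SHA-512 over salt + password."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt for every stored password
    digest = hashlib.sha512(salt + password.encode("utf-8")).hexdigest()
    return f"{salt.hex()}${digest}"


def verify_password(password, record):
    """Recompute the hash with the stored salt and compare in constant time,
    so response timing does not leak how many leading bytes matched."""
    salt_hex, stored = record.split("$", 1)
    candidate = hashlib.sha512(bytes.fromhex(salt_hex) + password.encode("utf-8")).hexdigest()
    return hmac.compare_digest(candidate, stored)


def salts_defeat_precomputation(password):
    """Two records for the same password differ because their salts differ, and
    neither matches a table entry computed for plain, unsalted SHA-512."""
    a, b = hash_password(password), hash_password(password)
    unsalted = hashlib.sha512(password.encode("utf-8")).hexdigest()
    return a != b and unsalted not in (a.split("$")[1], b.split("$")[1])


if __name__ == "__main__":
    rec = hash_password("example-passphrase")  # constructed sample password
    print(rec, verify_password("example-passphrase", rec), salts_defeat_precomputation("x"))
```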


Task

1 Type the sadmin passwd command to set a password.

When you set a password, users can no longer run critical commands without providing the correct password. Only a limited set of non-critical commands can run without the password.

You can use the -z switch to prevent the system from prompting for the password. It can be used in all CLI commands.

• If you already set the password, Application Control prompts you to enter your password. Type the old password and press Enter. You are then asked to set the new password and retype it.

• If you didn't set the password earlier, Application Control prompts you to enter a new password. Set the new password and retype it.

2 Type the sadmin passwd -d command to remove the password.

3 Press Enter.

Review changes using events

Application Control generates events for all changes that are made to a protected component. Use events to review the changes and diagnose unauthorized execution attempts and failures on the system.

Whenever an attempt is made to access or change a protected resource, an event is generated on the system. Application Control tracks changes on the system and records events. For example, every time the attributes or contents change for a protected file, a corresponding event is generated.

Tasks

• Configure event sinks on page 82
Events are stored at locations called event sinks.

• Configure the event cache size on page 83
Configure the event cache size to set the upper and lower limit of the event cache. Events are stored in the cache before being placed in the event sinks.

• View events on page 84
View events specific to Application Control on your system to track changes related to the product.

Configure event sinks

Events are stored at locations called event sinks.

You can log events in many types of event sinks, including:

• Operating system log (oslog)

• System controller (sc)

When sc event sink is enabled, it sends the events to McAfee ePO.

• Debug output (debuglog)

• Pop-up (Windows only)

You can track changes that occur on the system by reviewing the events. See Application Control event list for a list of all Application Control events that can be generated and their description.


See the event sinks configured for events by viewing the event sink details. If more events are needed, you can add them to a specified event sink. If you do not want the events to be logged to a specific event sink, you can stop the logging of events to that event sink.

Task | Command | Description
Add an event | sadmin eventsink -a <event_name> <sink_name> | Add an event by specifying both the event name and the event sink where you want to log the event. The specified event will be added to the event sink.
View the event sink details | sadmin eventsink | View the event sink details for all events generated on the system. You can view the associated event sinks for each event. Event sink details configured on the system for all events are listed.
Remove an event | sadmin eventsink -r <event_name> <sink_name> | Remove an event by specifying both the event name and the event sink from which you want to remove the event. Removing an event from an event sink allows you to stop logging the event to that event sink. Perform these steps to remove an event from an event sink.

Configure the event cache size

Configure the event cache size to set the upper and lower limit of the event cache. Events are stored in the cache before being placed in the event sinks.

Application Control buffers the change events to deal with outages. By default, the buffer limit is set to 2 MB. When the buffer limit nears the threshold, an event is logged on the system log stating that the cache is about to overflow. When this buffer limit exceeds the threshold, new events are not logged until the number of events in the buffer falls below its high watermark.

Tasks
• Set the event cache size on page 83
Set the event cache size to define the buffer limit for the event cache.

• Define the limits for the event cache on page 84
Set the upper and lower limits for the event cache. When the limits are set, an alert is generated to notify that the cache is about to overflow or has recovered from overflow.

Set the event cache size

Set the event cache size to define the buffer limit for the event cache.

Task
• Run this command at the command prompt.

sadmin config set EventCacheSize=<value>

Include a value for the EventCacheSize parameter. This value determines the event cache size.


Define the limits for the event cache

Set the upper and lower limits for the event cache. When the limits are set, an alert is generated to notify that the cache is about to overflow or has recovered from overflow.

Command | Description
sadmin config set EventCacheWMHigh=<value> | Run this command at the command prompt to set an upper limit. Include a value for the EventCacheWMHigh parameter. The specified value for this parameter should be between 50% and 100% of the event cache size.
sadmin config set EventCacheWMLow=<value> | Run this command at the command prompt to set a lower limit. Include a value for the EventCacheWMLow parameter. The specified value for this parameter should be above 20% of the event cache size. The value of the low watermark level must always be less than the value of the high watermark level.

View events

View events specific to Application Control on your system to track changes related to the product.

Task
1 Perform these steps to view events on the Linux platform.

a Navigate to the /var/log/syslog directory.

b View the Application Control events.

2 Perform these steps to view events on the Windows platform.

a Open the Event Viewer application.

Windows Server 2008: Select Start | Run and type eventvwr.

Windows 7: Select Start | Search and type eventvwr.

Windows 8, Windows 8.1, Windows Server 2012, Windows 10: Press [Windows] + [R] on the keyboard, then type eventvwr.

b Press Enter.

c Perform these steps based on your platform.

Windows Server 2008:

1 From the navigation pane, select Application. All application events, categorized by the type, date, time, source, category, event, user, and computer columns, are displayed.

2 Under the Source column, double-click a McAfee Solidifier event to view its description. Events are specific to Application Control and are listed by order of occurrence, with the most recent first.

Windows 7 and later:

1 From the navigation pane, expand Windows Logs and select Application. Application events, categorized by the level, date and time, source, event ID, and task category columns, are displayed.

2 Under the Source column, look for the McAfee Solidifier events. These events are specific to Application Control and are listed based on the order of occurrence. The most recent event is listed at the top.

3 Double-click an event to view its description.

Configuring log files

Application Control generates log messages for all actions and errors related to the product. These log messages are stored in log files that are used for troubleshooting errors.

This table describes the types of log files present on the system.

Log file | Operating system and path | Description
solidcore.log | Windows Server 2008: <system drive>\Documents and Settings\All Users\Application Data\McAfee\Solidcore\Logs; Linux: /var/log/mcafee/solidcore/ | After the product is deployed on a system, a log file named solidcore.log is created in the Logs folder (Windows) or solidcore directory (Linux). This file is also known as debuglog. You can configure the solidcore.log file size and the number of solidcore.log files that you want to create on the system. Configuring log files is applicable only to the solidcore.log file. You cannot change the configuration of any other log file.
s3diag.log (Windows only) | Windows Server 2008: <system drive>\Documents and Settings\All Users\Application Data\McAfee\Solidcore\Logs | The s3diag.log file stores logs for all operations performed on the supported files.
Solidcore_Installer.log and solidcore_setup.log (Windows) / solidcoreS3_install_<rel>-<build>.log (Linux) | Windows (all supported versions): <system drive>\Windows; Linux: /tmp/solidcoreS3_install.log or /var/log/mcafee/solidcore/solidcoreS3_install.log | Application Control installation logs are stored in this file. If installation fails on the Linux platform, the file is stored at /tmp/solidcoreS3_install_<rel>-<build>.log. If installation is successful on the Linux platform, the file is stored at /var/log/mcafee/solidcore/solidcoreS3_install_<rel>-<build>.log.

Runtime environment of the system

Review the runtime environment and system configuration using the ScAnalyzer utility. When you install the product, this utility automatically checks whether the host system satisfies the prerequisites to install the product.

The ScAnalyzer checks the system for:

• Operating system version

• Service Pack level

• Processor and memory configuration

• Installed applications

• Installed hotfixes

• Installed services

• System devices

• Running processes

• Open network ports

• Incompatible applications (for Windows)

When you execute ScAnalyzer on the Windows platform, it also compares the software installed on the system with an internal prepackaged checklist to create a file scanalysis.bat. This batch file contains the whitelist customization rules for the installed applications to run smoothly.

Run ScAnalyzer

Run ScAnalyzer on the Windows and Linux platforms to get details of the runtime environment and system configuration.

Task
1 Navigate to this location.

• On Windows: C:\Program Files\McAfee\Solidcore\Tools\ScAnalyzer.

• On Linux: /usr/local/mcafee/solidcore/tools/scanalyzer/

These are the default installation paths for this utility on the Windows and Linux platforms.

2 Run this command.

• On Windows: scanalyzer

• On Linux: # ./scanalyzer.sh

You can specify more parameters with this command as described in this table.


Parameter | Description
-h | Displays help for using ScAnalyzer.
-v | Displays the ScAnalyzer version.
[-c <checklist>] | Detects if any application in the checklist is installed on the system. (Windows only)
-d | Displays the difference in running services, processes, and open ports between two separate ScAnalyzer reports. On Linux, use -d <rep1 rep2>.
-o <output file> | Writes output to the output file. If no file is specified, output is printed to the screen (Windows) or console (Linux).
-s <scan_file> | Detects if any application in the checklist is present in the ScAnalyzer report. (Windows only)
-q | Runs ScAnalyzer in quiet mode.
-n | Prevents a time stamp from being added to the output file name.

The ScAnalyzer report is generated.

Review the ScAnalyzer report

Review the ScAnalyzer report to view details of your system configuration.

After running the command, the ScAnalyzer utility generates a report in a data file. This report is known as the ScAnalyzer report and contains details of your system configuration.

Task
1 Navigate to this path:

• On Windows: <System Drive>\Program Files\McAfee\Solidcore\Data
The file name is scan_<machine_name>_<date>_<time>.txt.

• On Linux: /usr/local/mcafee/solidcore/tools/scanalyzer/data
The file name is report-<machine_name>-<date>_<time>.

2 Check these items during the manual review of the ScAnalyzer report.

• Operating system version and the Service Pack level for the supported version.

• Hotfixes required to install the product.

• Anti-virus software, which might update files during execution. Check the ScAnalyzer output for these applications and change the system configuration to add them as updaters.

Managing mass deployments and system upgrades

Export the system configuration to a configuration file and deploy the file to multiple systems at once.

The configuration file stores all configuration parameters for a system in a standard format. Examples of configuration items are event cache size, SO priority, log file size, and log file path. You can add, delete, or change the configuration parameter values of the exported files and set new values.


You can also import the changed configuration file to enable new parameters and upgrade your system configuration. Importing the configuration file is allowed on the same system or on other systems, but the system images must be identical.

For some parameters, system-specific rules are displayed. Changing them is not recommended. Such parameters include Monitoring Rules List, Capability Rules List, Bypass List, and Updaters List.

View the existing configuration parameters

View all existing configuration parameters on your system.

Task
• Run this command at the command prompt.

sadmin config show

Application Control lists the configuration parameter items.


For example:

• On the Windows platform:

CustomerConfig 158 (0x9e)
MPCompat 1 (0x1)
FileRetrySecs 0 (0x0)
DoNotApplyAefBackupRules 0 (0x0)
CustomizedEventCacheSize 1000 (0x3e8)
EventCacheSize 2 (0x2)
EventCacheWMHigh 90 (0x5a)
EventCacheWMLow 70 (0x46)
FailSafeConf 0 (0x0)
* FeaturesEnabled 2233943118021567 (0x7efc269ff83bf)
* FeaturesEnabledOnReboot 2233943118021567 (0x7efc269ff83bf)
* FeaturesInstalled 3659168154103807 (0xcfffe79ffafff)
* FileAttrCTrack 5024 (0x13a0)
* FileDenyReadOptions 1024 (0x400)
* FileDenyWriteOptions 4831 (0x12df)
FileDiffAttrOnlyTypes
FileDiffMaxFiles 100 (0x64)
FileDiffMaxSize 10 (0xa)
FipsMode 0 (0x0)
InvDiffConfig2 0 (0x0)
InvDiffTimeout 10800 (0x2a30)
PullInvTimeout 604800 (0x93a80)
* LockdownStatus 0 (0x0)
LogFileNum 4 (0x4)
* LogFilePath C:\Documents and Settings\All Users\Application Data\McAfee\Solidcore\Logs
LogFileSize 2048 (0x800)
* RTEMode 0 (0x0)
* RTEModeOnReboot 0 (0x0)
SoPriority 0 (0x0)
ssLangId Default
* WorkFlowId None
* AgentEventsThreshold 1000 (0x3e8)
AgentEventsThresholdOnWakeup 0 (0x0)
* SupplierCacheSize 7000 (0x1b58)
SupplierCacheSizeOnWakeup 0 (0x0)
ConsumerThreadTimeout 10800000 (0xa4cb80)
InvDiffAgentEventsThreshold 10000 (0x2710)
* ObAgentEventsThreshold 1000 (0x3e8)
ObAgentEventsThresholdOnWakeup 0 (0x0)
* ObSupplierCacheSize 7000 (0x1b58)
ObSupplierCacheSizeOnWakeup 0 (0x0)
ObConsumerThreadTimeout 10800000 (0xa4cb80)
Accessibility 0 (0x0)
EventCacheIntervalMilliSecs 10000 (0x2710)
ReputationCacheLowWaterMark 8192 (0x2000)
ReputationCacheHighWaterMark 16384 (0x4000)
CliBreachMaxAllowedIncorrectAttempts 3 (0x3)
CliBreachDisableRecoveryFeatureState 0 (0x0)
CliBreachRecoveryDisablePeriodMinutes 30 (0x1e)
CliBreachIncorrectPasswordMonitoringPeriod 30 (0x1e)
IsInvBackupEnabled 1 (0x1)

• On the Linux platform:

CustomerConfig 0 (0x0)
EventCacheSize 2 (0x2)
EventCacheWMHigh 90 (0x5a)
EventCacheWMLow 70 (0x46)
FailSafeConf 0 (0x0)
* FeaturesEnabled 47269939391728575 (0xa7efc269ff8bbf)
* FeaturesEnabledOnReboot 47269939391728575 (0xa7efc269ff8bbf)
* FeaturesInstalled 48695164427808767 (0xacfffe79ffafff)
* FileAttrCTrack 5024 (0x13a0)
* FileDenyReadOptions 1024 (0x400)
* FileDenyWriteOptions 4831 (0x12df)
FileDiffMaxSize 10 (0xa)
* FipsMode 0 (0x0)
* LockdownStatus 0 (0x0)
LogFileNum 4 (0x4)
* LogFilePath /var/log/mcafee/solidcore
LogFileSize 2048 (0x800)
* RTEMode 1 (0x1)
* RTEModeOnReboot 1 (0x1)
* WorkFlowId UPDATE_MODE: AUTO_26

* Entries cannot be configured using the command line interface.

Export configuration settings

Export configuration settings to a file to allow deployment of configuration settings to other systems.

Task
• Run this command at the command prompt.

sadmin config export filename

Here filename is the target file to which the configuration is exported.

Import configuration settings

Import configuration settings from a configuration file to deploy the same settings to your system.

Task
1 Switch Application Control to Disabled or Update mode.

2 Restart the system.

3 Import the Application Control configuration from a file using this command.

sadmin config import [ -a ] filename

Use the -a argument to append the configuration values. The default behavior is to replace the configuration values.

4 Switch Application Control to Enabled mode and restart the system.


Change configuration parameters

Change the default value to a new value in the permitted range.

Task
1 Type the sadmin config set NAME=VALUE command.

NAME signifies the configuration parameter name. VALUE refers to the new value for this configuration parameter.

See this table for default values and the value range allowed for the configurable parameters.

Parameter | Default value | Value range
EventCacheSize | 2 (0x2) | > 0 and < MAX_INT32
EventCacheWMHigh | 90 (0x5a) | > 50 and < 100 and > EventCacheWMLow
EventCacheWMLow | 70 (0x46) | > 20 and < EventCacheWMHigh
FailSafeConf | 0 (0x0) | 0 or 1
FipsMode | 0 (0x0) | 0 or 1
LogFileNum | 4 (0x4) | >= 0 and <= MAX_INT
LogFileSize | 2048 (0x800) | >= 0 and <= MAX_INT

2 Press Enter.
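The sadmin config show listing (View the existing configuration parameters) and the value-range table above are enough to check a planned sadmin config set before it is typed, which catches misordered watermarks (a low watermark at or above the high one) and attempts to change parameters the listing marks as not configurable. The Python below is an added example, not part of the product or this guide. It parses constructed sample lines written in the format of the listing (one entry per line, a leading asterisk on entries that cannot be set from the command line interface, a hexadecimal copy of numeric values in parentheses) and applies the documented ranges. MAX_INT32 and MAX_INT are assumed to be 2^31 - 1, since the guide does not state their values.

```python
import re
from dataclasses import dataclass

MAX_INT32 = 2**31 - 1  # assumed value for the guide's MAX_INT32 / MAX_INT

# Constructed sample in the format of `sadmin config show` output: one entry per
# line, with "* " marking entries that cannot be configured from the command line.
SAMPLE_OUTPUT = """\
CustomerConfig 158 (0x9e)
EventCacheSize 2 (0x2)
EventCacheWMHigh 90 (0x5a)
EventCacheWMLow 70 (0x46)
FailSafeConf 0 (0x0)
* FeaturesEnabled 2233943118021567 (0x7efc269ff83bf)
FileDiffAttrOnlyTypes
FipsMode 0 (0x0)
LogFileNum 4 (0x4)
* LogFilePath C:\\Documents and Settings\\All Users\\Application Data\\McAfee\\Solidcore\\Logs
LogFileSize 2048 (0x800)
* RTEMode 0 (0x0)
ssLangId Default
* WorkFlowId UPDATE_MODE: AUTO_26
"""

_NUMERIC = re.compile(r"^(\d+) \(0x[0-9a-fA-F]+\)$")


@dataclass
class Param:
    name: str
    value: object   # int for numeric entries, str for text, None when empty
    readonly: bool  # True when the listing marks the entry with "*"


def parse_config_show(text):
    """Parse `sadmin config show` output into {name: Param}."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        readonly = line.startswith("*")
        if readonly:
            line = line[1:].lstrip()
        name, _, rest = line.partition(" ")  # names never contain spaces; values may
        rest = rest.strip()
        m = _NUMERIC.match(rest)
        value = int(m.group(1)) if m else (rest or None)
        params[name] = Param(name, value, readonly)
    return params


def _num(cfg, name, default):
    """Current integer value of `name`, or `default` when absent or non-numeric."""
    p = cfg.get(name)
    return p.value if p is not None and isinstance(p.value, int) else default


# Permitted ranges from the guide's table. Each rule sees the proposed value and
# the current configuration, because the two watermarks constrain each other.
RULES = {
    "EventCacheSize":   lambda v, c: 0 < v < MAX_INT32,
    "EventCacheWMHigh": lambda v, c: 50 < v < 100 and v > _num(c, "EventCacheWMLow", 0),
    "EventCacheWMLow":  lambda v, c: 20 < v < _num(c, "EventCacheWMHigh", 100),
    "FailSafeConf":     lambda v, c: v in (0, 1),
    "FipsMode":         lambda v, c: v in (0, 1),
    "LogFileNum":       lambda v, c: 0 <= v <= MAX_INT32,
    "LogFileSize":      lambda v, c: 0 <= v <= MAX_INT32,
}


def check_change(cfg, name, value):
    """Return (ok, message) for a proposed `sadmin config set name=value`."""
    if name not in cfg:
        return False, f"{name}: not present in the configuration listing"
    if cfg[name].readonly:
        return False, f"{name}: cannot be configured using the command line interface"
    if name not in RULES:
        return False, f"{name}: no documented value range, refusing to change it"
    if not isinstance(value, int):
        return False, f"{name}: value must be an integer"
    if not RULES[name](value, cfg):
        return False, f"{name}={value} is outside the permitted range"
    return True, f"sadmin config set {name}={value}"


def validate_current(cfg):
    """Names of documented parameters whose current value breaks its range."""
    problems = []
    for name, rule in RULES.items():
        p = cfg.get(name)
        if p is not None and (not isinstance(p.value, int) or not rule(p.value, cfg)):
            problems.append(name)
    return problems


if __name__ == "__main__":
    cfg = parse_config_show(SAMPLE_OUTPUT)
    print(validate_current(cfg))                       # [] for the sample
    print(check_change(cfg, "EventCacheWMLow", 95))    # rejected: not below WMHigh 90
    print(check_change(cfg, "RTEMode", 1))             # rejected: marked with "*"
```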

Disable Application Control

Switch to Disabled mode to deactivate the features of Application Control.

Task
1 Type the sadmin disable command.

2 Press Enter.

3 Restart the system.


7 Troubleshooting

Use this information to identify and troubleshoot issues when you run Application Control.

If the issues are still not resolved after following the troubleshooting steps, collect the required information and contact McAfee Support. See Collecting information before contacting McAfee Support.

Contents

Collecting information before contacting McAfee Support
Troubleshoot startup failure
Identify self-modifying driver issues
Diagnose system crash issues
Analyze Active Directory issues (Windows only)
Installing application after failure
Application execution failure
Diagnose application performance-related issues
Diagnose system-hang issues
Diagnose system performance issues
Detect Application Control installation failure
Diagnose updater privileges issues
Identify events flooding issue
Troubleshoot using error messages
Command line interface error messages
Legitimate failures and error messages
Bypass rules for files and scripts
Skip rules for path components

Collecting information before contacting McAfee Support

Collecting specific information before you contact McAfee Support helps McAfee better understand the problem.

If an Application Control issue is not resolved after trying all suggested troubleshooting steps, collect a recent set of GatherInfo logs and details of the system and issue before contacting McAfee Support.

Collect GatherInfo logs

GatherInfo is a utility that collects information related to log files, inventory, product version, and system state, which are needed for troubleshooting.

This utility is shipped with the product and is available in the product installation directory. Collect the most recent set of logs generated using the GatherInfo utility.

The default installation directory depends on the operating system:


• Windows — <System drive>\Program Files\McAfee\Solidcore\Tools\gatherinfo

• Linux — /usr/local/mcafee/solidcore/tools/gatherinfo

Task
• Type these GatherInfo commands on a Windows or Linux system.

• For Windows, type Gatherinfo
GatherInfo generates the gatherinfo.zip file in the current working directory. The logs in this file are used by McAfee Support to identify issues.

• For Linux, type # ./gatherinfo.sh
GatherInfo generates the gatherinfo-<machine_name>-<date>_<time>.tar.gz file in the present working directory. The logs in this file can be used by McAfee Support to identify issues.

Optionally, specify these arguments.

Option (Windows / Linux) | Description
-h / -h or --help | Displays help for using GatherInfo.
-v / -v or --version | Displays the version of GatherInfo.
-q / -q | Gathers logs in quiet mode.
-x | Excludes security logs collection.
-c or --core <core-file> | Traces previous logs for the specified core file. Specify a core file with this argument to get details of previously generated logs.
-n | Excludes the timestamp from the output file name; no timestamp is added.

Collecting system and issue details

Collect the system and issue details before contacting McAfee Support. This helps McAfee Support understand and recreate the issue for diagnostics.

Required detail | Description
Problem description | Describe the problem in detail.
Diagnostics | Collect a recent set of log files generated using the GatherInfo utility. See Collect GatherInfo logs.
Error messages | Observe and note the error messages. See Command line interface error messages.
System image | Create a system image that helps McAfee Support recreate the problem for diagnostics. See the KnowledgeBase article KB60323 to create a system image.
Complete memory dump | Collect a complete memory dump in the case of a system crash. Perform the steps below to create a complete memory dump.

On Linux:

1 Press Alt+SysRq+c on the keyboard.

2 Restart the system.

3 Navigate to the path /var/crash, where the crash dump is generated.

For detailed information on generating a crash dump on Linux, refer to the KnowledgeBase article KB66568.

On Windows:

1 On the Windows platform:

a Right-click Computer.

b Click Properties.

c Click Advanced system settings.

2 Navigate to Advanced | Startup and Recovery.

3 Click Settings. You see options to create a Small, Kernel, or Complete memory dump, and where to save the file (default is: %SystemRoot%\MEMORY.DMP).

4 Select Kernel memory dump or Complete memory dump, and save your settings. McAfee Support cannot use a Small memory dump (64 KB) for any purpose.

The next time Windows has a blue screen error, the file %SystemRoot%\MEMORY.DMP will be created.

5 Send %SystemRoot%\MEMORY.DMP to McAfee Support in a .zip file.

Use the Microsoft Dumpchk.exe utility before you send the memory dump file for analysis. Dumpchk is a command-line utility you can use to verify that a memory dump file has been created properly and is not corrupt. Download Dumpchk.exe from the Microsoft website at: http://support.microsoft.com/kb/156280

For detailed information on generating a crash dump on Linux, see the KnowledgeBase article KB56023.

Troubleshoot startup failure

Troubleshoot startup failure on a Windows system using the Safe mode startup option. Safe mode uses a minimum set of device drivers and services to start Windows.

Category Description

Issue: Windows system does not start.

Symptom: Starting a system takes more than the usual time.

When you run the system in Safe mode, only the basic files and drivers needed to run Windows are started. If an existing problem does not reappear when you start in Safe mode, you can eliminate the default settings and basic device drivers as possible causes.

Application Control does not run in Safe mode.


Task

1 Restart your computer and press the F8 key repeatedly on your keyboard.

2 On the Advanced Boot Options menu, use the arrow keys to select a required Safe Mode option, then press Enter.

When your system is in Safe mode, the words Safe Mode appear at the corners of the screen. To exit Safe mode, restart your system normally.

For more details, see the Microsoft KnowledgeBase article KB315222.

Identify self-modifying driver issues

When loaded on a system, certain drivers can modify their images on system drives. These drivers are called self-modifying drivers. An example of such a driver is clkdrv.sys, the crypt key driver.

If such drivers are added to the whitelist during initial configuration, Application Control does not allow them to load on the systems and self-modification is not allowed. This might lead to a blue screen.

Category Description

Symptom: The system stops responding.

Issue: Blue screen failure because of self-modifying drivers.

You must prevent a blue screen failure due to self-modifying drivers. Always authorize the self-modifying drivers to execute on the system. Authorize the self-modifying drivers by their name. Authorizing such drivers by name does not block the driver from loading on to the system.

Task

1 Identify the self-modifying drivers on your system.

If you cannot identify the self-modifying drivers, contact McAfee Support.

2 To authorize the self-modifying drivers by their name, run the sadmin attr add -a <filename> command for each identified self-modifying driver and provide the driver name.

3 Restart the system.

If the system is not able to restart normally, collect all required information and contact McAfee Support.

Diagnose system crash issues

Diagnose system-crash issues to recover a system that has Application Control installed on it.

On the Windows platform, when the system crashes, a blue screen occurs with a bug check number.

On the Linux platform, if there is a system crash, the system might stop responding to any command.


System crash on Windows

Diagnose to recover a system that crashes with a blue screen error.

Category Description

Crash type: System crash (blue screen).

Symptom: System shows a blue screen with a bug check number.

Task

1 Collect this required information.

a Note the bug check number and all parameters displayed on the screen.

Make sure that the Automatically restart option is deselected under System properties | Advanced | Startup and Recovery while trying to reproduce the bug check. Otherwise, the system restarts automatically and you will not be able to note the bug check details when the bug check occurs.

b Collect a complete memory dump.

See Collecting system and issue details.

2 Start the system in Safe mode.

a Press the F8 key while the system is booting.

b Select Safe mode with networking.

3 Prevent the system from going into a restart loop by deselecting Automatically restart on the Startup and Recovery screen.

For detailed instructions, see this KnowledgeBase article: http://support.microsoft.com/kb/307973.

4 To disable Application Control, type the command scsrvc -d in the Application Control command line interface, then type the command sadmin disable.

5 Restart the system.

6 If the issue is not resolved, collect all required information and contact McAfee Support.

Diagnose system-crash on Windows

Diagnose to recover a system that crashes because of a corrupt whitelist.

Category Description

Crash type: The whitelist for a drive is corrupt.

Symptom: The system shows a blue screen with this error (bug check and parameters).

0xE0100010 (0X00000010, 0X00000000, 0X00000000, 0X00000000)


Task

1 Complete these steps to collect the initial required information.

a Turn off the system, then turn it on again.

b Verify the whitelist status for a corrupt drive.

sadmin status

The corrupt drive shows the status as Corrupt, as seen in this output.

McAfee Solidifier: Disabled
McAfee Solidifier on reboot: Disabled
ePO Managed: No
Local CLI access: Recovered
[fstype] [status] [driver status] [volume]
* NTFS Corrupt Unattached C:\
FAT 32 Solidified Unattached E:\

c Enable Application Control.

sadmin enable

The system displays an error message and Application Control cannot be enabled.

2 Delete the corrupt whitelist for the drive.

sadmin clean <drive>

3 Restart the Application Control service.

net stop scsrvc
net start scsrvc

4 Whitelist the drive again.

sadmin so <volume name>

5 If the issue is not resolved, collect all required information and contact McAfee Support.
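As an added example (not McAfee's code and not from the product guide), this Python script parses the sadmin status output shown in step 1 and, for every volume reported as Corrupt, emits the clean, service restart, and re-whitelist commands from steps 2 to 4. The sample output is constructed from the layout in the guide; the command argument forms follow the guide's <drive> and <volume name> placeholders.

```python
"""Parse `sadmin status` output and derive the corrupt-whitelist recovery steps.

Added example; not part of the McAfee product guide or the sadmin tool.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample, following the layout the guide shows for a system whose
# C:\ whitelist is corrupt. "FAT 32" is a two-word fstype, so the volume table
# has to be parsed from the right-hand side.
SAMPLE_STATUS = """\
McAfee Solidifier: Disabled
McAfee Solidifier on reboot: Disabled
ePO Managed: No
Local CLI access: Recovered
[fstype] [status] [driver status] [volume]
* NTFS Corrupt Unattached C:\\
FAT 32 Solidified Unattached E:\\
"""


@dataclass
class VolumeStatus:
    fstype: str
    status: str          # e.g. Corrupt, Solidified
    driver_status: str   # e.g. Unattached
    volume: str          # e.g. C:\
    system_volume: bool  # row marked with a leading '*' in the listing


def parse_sadmin_status(text: str) -> Tuple[Dict[str, str], List[VolumeStatus]]:
    """Return (header key/value fields, per-volume rows) from sadmin status output."""
    header: Dict[str, str] = {}
    volumes: List[VolumeStatus] = []
    in_table = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[fstype]"):
            in_table = True          # column header: volume rows follow
            continue
        if not in_table:
            key, _, value = line.partition(":")
            header[key.strip()] = value.strip()
            continue
        system_volume = line.startswith("*")
        fields = line.lstrip("* ").split()
        if len(fields) < 4:
            raise ValueError(f"unexpected volume row: {raw!r}")
        # volume, driver status and status are the last three single tokens;
        # whatever remains is the fstype (it may contain a space, e.g. "FAT 32").
        volume, driver_status, status = fields[-1], fields[-2], fields[-3]
        fstype = " ".join(fields[:-3])
        volumes.append(VolumeStatus(fstype, status, driver_status, volume, system_volume))
    return header, volumes


def corrupt_volumes(text: str) -> List[str]:
    """Volumes whose whitelist status is reported as Corrupt."""
    _, volumes = parse_sadmin_status(text)
    return [v.volume for v in volumes if v.status.lower() == "corrupt"]


def recovery_commands(text: str) -> List[str]:
    """The guide's procedure for each corrupt volume: delete the corrupt
    whitelist, restart the Application Control service, then whitelist the
    drive again. Returns an empty list when no volume is corrupt."""
    bad = corrupt_volumes(text)
    if not bad:
        return []
    cmds = [f"sadmin clean {v}" for v in bad]
    cmds += ["net stop scsrvc", "net start scsrvc"]
    cmds += [f"sadmin so {v}" for v in bad]
    return cmds


if __name__ == "__main__":
    hdr, vols = parse_sadmin_status(SAMPLE_STATUS)
    print("McAfee Solidifier:", hdr["McAfee Solidifier"])
    for v in vols:
        print(v)
    for c in recovery_commands(SAMPLE_STATUS):
        print(c)
```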

System crash on Linux

Diagnose to recover a system that stops responding to any command.

Category Description

Crash type: Linux system crashes.

Symptom: The system might stop responding to any command.

Task

1 Start the system in the single user mode.

2 Open the Application Control configuration file located at /etc/mcafee/solidcore/solidcore.conf.

3 Change the value of parameter RTEModeOnReboot to be 0x0.

4 Run the Application Control service manually from this path.

(/<install-dir>/mcafee/solidcore/scripts/scsrvc -d)

This starts Application Control in Disabled mode.


5 If necessary, remove the Application Control package.

6 If the issue is not resolved, collect all required information and contact McAfee Support.

Analyze Active Directory issues (Windows only)

Diagnose Active Directory (AD) issues to recover a system that is unable to execute logon scripts from AD (through Group Policy).

Category Description

Issue: Not able to execute logon scripts from Active Directory (through Group Policy).

Symptom: The system shows this error message.

McAfee Solidifier prevented unauthorized execution of '\Device\LanmanRedirector\<Domain Controller host_name>\sysvol\<Domain name>\Policies\{<unique_policy_name>}\User\Scripts\Logon\<script_name>' by process <process_name> (Process Id: PID, User: user_name)

Task

1 Create a whitelist for the Domain Controller using the sadmin solidify command.

There is no need to whitelist any path related to sysvol manually because all Application Control supported files are automatically whitelisted on the system.

2 Perform one of these steps.

• Add the ntfrs.exe file as an authorized updater using this command.

sadmin updaters add -t AD ntfrs.exe

This command automatically updates all sysvol volumes for all domain controllers in a local domain.

• Add the dfsrs.exe file as an authorized updater to automatically update all sysvol volumes among all domain controllers in a local domain using this command.

sadmin updaters add -t AD dfsrs.exe

3 Add the sysvol network path as a trusted path for each domain controller in the local domain and for all domain controllers (self and peers) using this command.

sadmin trusted -i \\<DC_DNS_NAME>\SYSVOL

If a child domain of the root domain is present in the AD cluster, a trusted rule for each domain controller in the child domain must be added.


For example, if sales.mycompany.com is a child domain of mycompany.com and has its own three domain controllers named cdc1.sales.mycompany.com, cdc2.sales.mycompany.com, and cdc3.sales.mycompany.com, three trusted rules must be added, one for each domain controller of the child domain, for proper functioning of Group Policy in the child domain. These commands add them.

• sadmin trusted -i \\cdc1.sales.mycompany.com\SYSVOL

• sadmin trusted -i \\cdc2.sales.mycompany.com\SYSVOL

• sadmin trusted -i \\cdc3.sales.mycompany.com\SYSVOL

You can add and execute any file in the trusted path, independent of the Application Control status (Enabled or Disabled). You can execute unauthorized (or non-whitelisted) files only from the trusted network path and not from the local system path. The existing files that are whitelisted on the local system are still protected and cannot be modified or deleted from the network path.

4 Run the sadmin ls command with the actual file paths to list the status of the whitelisted files.

sadmin ls C:\WINDOWS\SYSVOL\domain\Policies

5 If the issue is not resolved, collect all required information and contact McAfee Support.
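As an added example (not McAfee's code and not from the product guide), this Python triage script parses "McAfee Solidifier prevented unauthorized execution" messages of the form shown in the Symptom row, tells blocked Group Policy logon scripts apart from ordinary local blocks, and for each logon script names the domain controller whose SYSVOL trusted-path rule (step 3) is missing. The message layout follows the guide; the host names, domain, policy GUID, PIDs, and user in the sample lines are constructed.

```python
"""Triage Application Control 'prevented unauthorized execution' messages.

Added example; not McAfee code. Identifies blocked AD logon scripts served
from SYSVOL and derives the per-DC trusted rule the guide prescribes.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample messages. The first is a blocked Group Policy logon script
# served from a child-domain DC; the second is an ordinary local block.
SAMPLE_MESSAGES = [
    "McAfee Solidifier prevented unauthorized execution of "
    "'\\Device\\LanmanRedirector\\cdc1.sales.mycompany.com\\sysvol\\sales.mycompany.com"
    "\\Policies\\{11111111-2222-3333-4444-555555555555}\\User\\Scripts\\Logon\\logon.bat' "
    "by process cmd.exe (Process Id: 4120, User: SALES\\jdoe)",
    "McAfee Solidifier prevented unauthorized execution of "
    "'C:\\Users\\jdoe\\Downloads\\putty.exe' by process explorer.exe "
    "(Process Id: 2288, User: SALES\\jdoe)",
]

# Overall message shape from the guide:
#   ... execution of '<path>' by process <name> (Process Id: <pid>, User: <user>)
MESSAGE_RE = re.compile(
    r"McAfee Solidifier prevented unauthorized execution of '(?P<path>[^']+)' "
    r"by process (?P<process>\S+) \(Process Id: (?P<pid>\d+), User: (?P<user>[^)]+)\)"
)

# SYSVOL logon-script path shape from the guide:
#   \Device\LanmanRedirector\<DC>\sysvol\<domain>\Policies\{<guid>}\...\Scripts\Logon\<script>
SYSVOL_LOGON_RE = re.compile(
    r"^\\Device\\LanmanRedirector\\(?P<dc>[^\\]+)\\sysvol\\(?P<domain>[^\\]+)"
    r"\\Policies\\\{(?P<policy>[^}]+)\}\s*\\.*\\Scripts\\Logon\\(?P<script>[^\\]+)$",
    re.IGNORECASE,
)


@dataclass
class BlockedExecution:
    path: str
    process: str
    pid: int
    user: str
    dc: Optional[str] = None       # set only when the path is a SYSVOL logon script
    domain: Optional[str] = None
    script: Optional[str] = None

    @property
    def is_logon_script(self) -> bool:
        return self.dc is not None

    def suggested_trusted_rule(self) -> Optional[str]:
        """The per-DC trusted-path rule from the guide, or None if not applicable."""
        if not self.is_logon_script:
            return None
        return f"sadmin trusted -i \\\\{self.dc}\\SYSVOL"


def parse_message(message: str) -> Optional[BlockedExecution]:
    """Parse one message; returns None for lines that are not this event."""
    m = MESSAGE_RE.search(message)
    if not m:
        return None
    ev = BlockedExecution(m["path"], m["process"], int(m["pid"]), m["user"].strip())
    s = SYSVOL_LOGON_RE.match(ev.path)
    if s:
        ev.dc, ev.domain, ev.script = s["dc"], s["domain"], s["script"]
    return ev


def blocked_logon_scripts(messages: List[str]) -> List[BlockedExecution]:
    """Only the events that correspond to blocked AD logon scripts."""
    found: List[BlockedExecution] = []
    for msg in messages:
        ev = parse_message(msg)
        if ev is not None and ev.is_logon_script:
            found.append(ev)
    return found


if __name__ == "__main__":
    for ev in blocked_logon_scripts(SAMPLE_MESSAGES):
        print(f"{ev.script} from {ev.dc} ({ev.domain}) blocked for {ev.user}; "
              f"missing rule: {ev.suggested_trusted_rule()}")
```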

Installing application after failure

Troubleshoot installation failure and successfully install the application.

Category Description

Issue: Application installation fails.

Symptom: The system displays an error message related to installation failure.

Task

1 Verify that the application installs in Update mode.

2 Configure the installer as an updater. See Add updaters.

3 Check if the application installs with the pkg-ctrl feature disabled.

If the application installs with the pkg-ctrl feature disabled, enable pkg-ctrl and proceed to step a.

a Increase the log file size or number of log files. See Configuring log files.

If needed, you can increase both the log file size and the number of log files.

b Run the sadmin loglevel enable pst info command.

c Reinstall the application.

If the issue persists, proceed to the next step.

d Run the sadmin loglevel disable pst info command.

4 Check if the application installs with memory-protection feature disabled.


If the application installs with the memory-protection feature disabled, enable memory-protection and proceed to step a.

a Increase the log file size or number of log files. See Configuring log files.

If needed, you can increase both the log file size and the number of log files.

b Run the sadmin loglevel enable pst info command.

c Reinstall the application.

If the issue persists, proceed to the next step.

d Run the sadmin loglevel disable pst info command.

e If the issue is not resolved, collect all required information and contact McAfee Support.

Application execution failure

Troubleshoot to successfully execute an application that fails to execute.

Category Description

Issue: Application execution fails.

Symptom: The application is not allowed to run and the system shows an error message.

Task

1 Check if the application is allowed to run in Update mode.

2 Identify components to be added as updaters or trusted configuration.

3 Configure the identified components as updaters or trusted configuration. See Add updaters.

4 Perform these steps to check if the application executes when the memory-protection feature is disabled.

If the application executes when the memory-protection feature is disabled, enable memory-protection and proceed to step a.

a Increase the log file size or number of log files. See Configuring log files.

If necessary, you can increase both the log file size and the number of log files.

b Run the sadmin loglevel enable pst info command.

c Run the application again.

If the issue persists, proceed to the next step.

d Run the sadmin loglevel disable pst info command.

5 Check if the application executes when the script-auth feature is disabled.

If the application executes when the script-auth feature is disabled, enable the script-auth feature and proceed to step a.

a Increase the log file size or number of log files. See Configuring log files.

If necessary, you can increase both the log file size and the number of log files.

b Run the sadmin loglevel enable pst info command.

c Run the application again.

If the issue persists, proceed to the next step.


d Run the sadmin loglevel disable pst info command.

e If the issue is not resolved, collect all required information and contact McAfee Support.

Diagnose application performance-related issues

Diagnose to recover an application that is running low on performance or stops responding while running.

Category Description

Issue: Application stops responding while running.

Symptom: Application does not run properly and is low on performance.

Task

1 Check if the application is running properly in Update mode.

If the issue resolves in Update mode, perform extra steps to diagnose what caused the problem to occur.

a Run the sadmin features disable checksum command.

b Collect all required information and contact McAfee Support.

2 Identify components to be added as updaters or trusted configuration.

3 Configure the identified components as updaters or trusted configuration. See Add updaters.

4 Check if the application runs properly when the memory-protection feature is disabled.

If the application runs properly when the memory-protection feature is disabled, enable memory-protection and proceed to step a.

a Increase the log file size or number of log files. See Configuring log files.

If needed, you can increase both the log file size and the number of log files.

b Run the sadmin loglevel enable pst info command.

c Run the application again.

If the issue persists, proceed to the next step.

d Run the sadmin loglevel disable pst info command.

e If the issue is not resolved, collect all required information and contact McAfee Support.

Diagnose system-hang issues

Diagnose to recover a system that hangs (stops responding) while running.

Category Description

Issue: System stops responding while running.

Symptom: System does not respond to input from the keyboard or mouse.


Task

1 Turn off the system.

2 Start the system in Safe mode.

By default, Application Control protection is not available in Safe mode.

3 Collect a complete memory dump. For detailed instructions on collecting a complete memory dump, see Collect the system and issue details.

4 Issue the scsrvc -d command at the command prompt.

5 Open a new Application Control CLI window, keeping the previous CLI window still running on the system.

6 Perform these steps on the new CLI window.

a Run the begin-update command.

b Restart the system to switch to Update mode.

c Check if the system is running properly in Update mode.

7 Set manual crash dump settings on the system and crash the system. For detailed instructions, see the KnowledgeBase article http://support.microsoft.com/kb/927069.

8 Start the system in Safe mode.

9 Disable Application Control by running the sadmin disable command.

10 Issue the scsrvc -d command at the command prompt.

11 If the issue is not resolved, collect all required information and contact McAfee Support.

Diagnose system performance issues

Diagnose to recover a system that is running low on performance or slows down while running.

Category Description

Issue: System slows down while running.

Symptom: System does not work properly and is low on performance.

Task

1 Check if the system is running properly in Update mode.

2 Identify components to be added as updaters or trusted configuration.

3 Configure the identified components as updaters or trusted configuration. See Add updaters.

4 Check if the system runs properly when the memory-protection feature is disabled.

If the system runs properly when the memory-protection feature is disabled, enable memory-protection and proceed to step a.

a Run the sadmin loglevel enable pst info command.

b If the issue persists, run the sadmin loglevel disable pst info command.

c If the issue is not resolved, collect all required information and contact McAfee Support.


Detect Application Control installation failure

Troubleshoot to successfully install Application Control when it fails to install on a system.

Category Description

Issue: Application Control fails to install on a Windows or Linux system.

Symptom: System shows an error message related to installation failure.

Installation can fail in these scenarios.

• Installing Application Control on unsupported operating systems.

• Blacklisted applications are installed on the system (for Windows).

• System does not meet the memory or disk space requirement to install Application Control.

• Trying to upgrade, when Application Control upgrade is not supported.

Task

1 Contact McAfee Support if you don't have another system with the same operating system and Application Control installed on it.

2 Perform these steps on another system that has the same operating system with Application Control installed on it.

a Run scanalyzer on the system. For more information, see Runtime environment of the system.

A report file is generated with a warning if any pre-requisite to install Application Control is missing.

b Ensure that your system meets the requirements according to the report file generated by ScAnalyzer.

If your system does not meet the requirements, you cannot install Application Control.

Diagnose updater privileges issues

Diagnose to provide updater privileges to processes that are configured as updaters but do not have updater privileges.

This table describes the issue and symptom.

Category Description

Issue: Processes that are configured as updaters do not have the updater privileges.

Symptom: Updater processes are not behaving as updaters.

Task

1 Check if the process configured as an updater has updater privileges.

a Verify that the process is running.

b Run the sadmin xray command to check the output and process configuration.

Running the sadmin xray command shows the updater privileges status for the process.

c If the process is not using updater privileges, restart the process.

2 If the process still does not have updater privileges, collect all required information and contact McAfee Support.


Identify events flooding issue

Diagnose to filter similar types of events or undesired events that are generated and cause flooding of the event list.

Category Description

Issue: Event list is flooded with similar types of events.

Symptom: Similar types of events or undesired events are generated.

Task

1 Filter undesired events using advanced exclusion filters. See Add or remove AEFs.

2 If the issue is not resolved, collect all required information and contact McAfee Support.

Troubleshoot using error messages

Troubleshoot to resolve an error by always keeping a note of the error message related to that particular error.

You can find the error messages at these locations on your system.

• Console window

• Application Control command line interface

• Pop-up window from the operating system or an application (for Windows)

• Event viewer

• In the /var/log/syslog file (for Linux)

These error messages provide valuable insight to people who investigate the problem further. If there are multiple error messages that look similar but are not identical, record the details of each error message, because that can help provide the context related to the problem.

Command line interface error messages

Troubleshoot to fix common error messages that appear on the CLI.

Error message Solution

When an invalid volume name is used with a command, such as sadmin solidify, that accepts a volume name as a parameter (for example, sadmin solidify J:), this message is displayed on the CLI:

Volume “Volume name:” does not exist.

Solution: Use a correct volume name with the command.

When the sadmin <Command Name> command is run from a non-administrative account, it fails to connect to the Application Control service and this message is displayed on the CLI:

Access Denied. Administrator permissions are needed to use the selected options. Use an administrator command prompt to complete these tasks.

Solution: Run the CLI as an administrator.


If you run the sadmin solidify command and specify an improper volume name, such as non-alphabetic characters, or the colon ‘:’ is missing after the volume name, this message is displayed on the CLI:

The Path “C:\Program Files\McAfee\Solidcore\<Volume_Name>” does not exist or cannot be accessed.

Solution: Use a proper supported volume name with the command.

While using commands such as sadmin updaters, if you specify more arguments than the supported number of arguments for that particular command (for example, sadmin updaters add -u <user name> -p <binary name>), this message is displayed on the CLI:

Too many arguments.
Please type sadmin help <Command Name> for help.

Solution: Use the supported number of arguments with the commands.

While using commands such as sadmin updaters, if you specify arguments but don’t specify the value for the arguments (for example, sadmin updaters add -u), this message is displayed on the CLI:

Not enough arguments.
Please type sadmin help <Command Name> for help.

Solution: Specify the value, such as user name, file name, or tag name, for all arguments you use with the command.

While using commands such as sadmin write-protect, if you use an invalid argument (for example, sadmin write-protect -k), this message is displayed on the CLI:

Invalid option “<Argument Name>”.
Please type sadmin help <Command Name> for help.

Solution: Use the correct and supported argument with the command.

If you run the sadmin solidify command in a CLI, then open another CLI and run any other command, such as sadmin status, this message is displayed on the CLI:

Another CLI is already connected.

Solution: Do not run commands on another CLI when whitelisting is in progress.

Legitimate failures and error messages

Certain legitimate failures can occur when Application Control is running in Enabled mode on a system. Error messages corresponding to the legitimate failures are also generated. However, such error messages are legitimate and reflect that Application Control is preventing unauthorized operations.

For example, Application Control ensures that a component, such as a binary, script, or installer package, can execute only if it is present in the whitelist. If a component is present in the whitelist, it is allowed to execute normally. Otherwise, Application Control prevents its execution and shows a corresponding error message on the system. Events are generated in all such scenarios.

Error messages generated for binary and script files

When attempts are made to execute binary or script files not present in the whitelist, corresponding error messages are generated. Review the error messages when such attempts are made to understand the errors.

This table describes error messages displayed when you attempt to execute binary and script files not present in the whitelist.


Attempt Description

Attempt to execute an .exe file not present in the whitelist: When an attempt is made to execute a program not present in the whitelist, such as putty.exe from a supported volume, the operation fails and a pop-up window displays this message.

Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item.

If you execute putty.exe from the command prompt, this message appears.

Access is denied.

Attempt to execute a .vbs script file not present in the whitelist: If you double-click a .vbs script file not present in the whitelist, its execution fails and the Windows Script Host displays a pop-up window that shows:

Loading script “C:\shared\AUTH\AUTH.vbs” failed (Access is denied)

An event is also generated. For more information about events, see Review changes using events.

Attempt to execute an ELF binary file not present in the whitelist (Linux): When an attempt is made to execute an ELF binary file, such as foo2bar2, that is not present in the whitelist, the operation fails. If the foo2bar2 file is executed from the command prompt, this message is displayed.

Permission denied.

Attempt to execute a #! (hash-bang) script not present in the whitelist (Linux): When you try to execute a #! script not present in the whitelist, its execution fails and this message is displayed.

bad interpreter: Permission denied

Error messages generated for installer packages

When attempts are made to execute installer packages not present in the whitelist, corresponding error messages are generated. Review the error messages when such attempts are made to understand the errors.

This table describes error messages displayed when you run installer packages that are not present in the whitelist.


Attempt Description

Attempt to run an MSI-based installer: When an attempt is made to run an MSI-based installer, such as Ica32Pkg.msi, the operation fails.

This error message is displayed in a pop-up window.

The system administrator has set policies to prevent the installation.

An event is generated that shows that Application Control has prevented the action.

The event appears if the package-control feature is enabled.

Attempt to uninstall an MSI-based installer: When an attempt is made to uninstall an MSI-based package, such as Ica32Pkg.msi, the operation fails.

This error message is displayed in a pop-up window.

This installation is forbidden by system policy. Contact your system administrator.

An event is generated that shows that Application Control has prevented the action.

In some cases, you might not be able to uninstall an application (that was installed using an MSI-based installer) using the Add or Remove Programs feature. To remove such applications, execute the <installer>.msi file to uninstall the application.

Attempt to install or uninstall Windows optional components: When an attempt is made to install or uninstall Windows optional components from Add or Remove Programs, the operation fails and an event is generated.

The event shows that Application Control has prevented the action.

The event appears if the package-control feature is enabled.

Attempt to run an INF-based installer: When an attempt is made to install an INF-based installer, such as mmdriver.inf, by right-clicking the installer, the operation fails and an event is generated.

The event shows that Application Control has prevented the action.

The event appears if the package-control feature is enabled.

Error messages generated while tampering with the whitelisted components

During normal usage, whitelisted program files cannot be modified, renamed, or deleted, even with administrator rights. When attempts are made to tamper with the whitelisted components, corresponding error messages are generated. Review the error messages when such attempts are made to understand the errors.

Any attempt to modify a whitelisted file is prevented and an access denied error is generated. Also, Application Control does not allow you to make changes to its registry files and protects its registry files from any changes being made to them in Enabled mode.

This table describes the error messages that are displayed when an attempt is made to tamper with whitelisted files and registry keys.


Attempt Description

Attempt to rename a file present in the whitelist: The rename operation fails and a pop-up window displays the following message:

Cannot rename <filename>: Access is denied.

Make sure the disk is not full or write-protected and that the file is not currently in use.

An event is also generated that shows that Application Control has prevented the rename operation. Also, an error message is displayed in the Windows Event Viewer.

Attempt to move a file present in the whitelist:

On the Windows platform:

The move operation fails and a pop-up window displays the following message:

Cannot rename <filename>: Access is denied.

Make sure the disk is not full or write-protected and that the file is not currently in use.

An event is also generated that shows that Application Control has prevented the move operation. Also, an error message is displayed in the Windows Event Viewer.

On the Linux platform:

The move operation fails and this message is displayed.

mv: cannot move ‘filename’ to ‘filename1’: Permission denied.

Attempt to delete a file present in the whitelist:

On the Windows platform:

The delete operation fails and a pop-up window displays this message.

Cannot delete <filename>: Access is denied. Make sure the disk is not full or write-protected and that the file is not currently in use.

An event is also generated that shows that Application Control has prevented the delete operation. Also, an error message is displayed in the Windows Event Viewer.

On the Linux platform:

The remove operation fails and this message is displayed.

rm: cannot remove ‘filename’: Permission denied.


Attempt: Overwrite a file present in the whitelist.

Description:

On Windows platform:

The overwrite operation fails and a pop-up window displays this message.

Cannot copy <filename>: Access is denied.

Make sure the disk is not full or write-protected and that the file is not currently in use.

An event is also generated that shows that Application Control has prevented the overwrite operation. Also, an error message is displayed in the Windows Event Viewer.

On Linux platform:

The overwrite operation fails and this message is displayed.

cp: cannot create regular file ‘filename’: Permission denied.

Attempt: Add an alternate stream for a file present in the whitelist.

Description: The operation fails and this message is displayed on the CLI.

Access is denied.

An event is also generated.

Attempt: Delete an alternate stream for a file present in the whitelist.

Description: The operation fails but no message is displayed. However, an event is generated in the Windows Event Viewer.

Attempt: Rename the Application Control specific registry keys.

Description: The operation fails and a pop-up displays this message.

The Registry Editor cannot rename 'registry key name'. Error while renaming value.

Attempt: Delete a registry key.

Description: The operation fails and a pop-up displays this message.

Cannot delete Parameters: Error while deleting key.

Bypass rules for files and scripts

Define specific rules to bypass files and scripts from the write-protection and script-auth features using the process context file operations technique.

Some applications (as part of their day-to-day processing) run code in an atypical way and are therefore prevented from running. To allow such applications to run, define appropriate bypass rules. Bypassing a file must be the last resort to allow an application to run.

Add bypass rules for files and scripts

Add bypass rules for files and scripts to allow non-whitelisted scripts to execute on the system and bypass the script-auth feature. Adding this rule also bypasses the deny-write feature: a whitelisted file added to this rule is no longer write-protected. However, this rule doesn't bypass the deny-exec feature.

Add bypass rules using the sadmin attr add command and specify the required arguments.

The command syntax is sadmin attr add -o <parent_file> -p <file>.


Task

1 Run the sadmin attr add -o <parent_file> -p <file> command.

Specify a file name with the command to bypass the file from the process context file operations technique.

Optionally, use the -o argument with this command to specify the DLL module name for a specified process or a file name. On the Linux platform, use this argument to specify the parent program.

2 Press Enter.

3 Optionally, run the sadmin attr list -p command.

View the list of all files that are bypassed using this command.

The bypass rule is added.

Remove bypass rules for files and scripts

Remove bypass rules for files and scripts to prevent non-whitelisted scripts from executing on the system. When this rule is removed, the deny-write and script-auth features are effective again.

There are two methods to remove bypass rules.

• Remove bypass rules from a specified file or script.

Bypass rules are removed only from the specified file or script.

The command syntax is sadmin attr remove -p <file>.

• Flush all bypass rules.

Removes all bypass rules added for files and scripts.

The command syntax is sadmin attr flush -p.

Task

1 Remove bypass rules from a specific file or script.

a Type the sadmin attr remove -p <file> command.

Specify the file or script name.

b Press Enter.

Bypass rules for the specified file or script are removed.

2 Flush all bypass rules.

a Type the sadmin attr flush -p command.

b Press Enter.

All bypass rules added for files and scripts are removed.


Skip rules for path components

Define skip rules on the Windows platform to skip specific path components from multiple Application Control features and the Windows Alternate Data Stream (ADS) feature. When you skip a path component, all files in that path are skipped.

When the product is successfully deployed on a system and running in Enabled mode, all directories and subdirectories present on the system are added to the whitelist and protected by Application Control features.

A path can contain files that require frequent modification or deletion, but because of the protection applied by Application Control features, these operations are not allowed. In such cases, skip specific path components from the features to allow the operations that those features block. You can also skip specific path components from the Windows ADS feature.

Use caution and take advice from McAfee Support before applying skiplist rules because doing so can affect the core functionality of the product and might make your system vulnerable to security threats.

Skip rules for path components

Specify a path component to add skip rules, not the absolute or relative path. Application Control searches for the specified path component across all volumes and applies the skip rules to every occurrence of that path component on the system.

This applies skip rules to all files in that path component. For example, to define skip rules on the path C:\WINDOWS\Debug\UserMode, do not specify the absolute or relative path. Specify only the path component \UserMode. Application Control applies the skip rules to this path component across all volumes.

When you skip a path component from a feature, the path component is skipped from that feature only and the protection applied by that feature on the path component is removed. The path component is not removed from the whitelist. You can also define skip rules to skip path components from the whitelist; this removes the path components from the whitelist.

Add skip rules using the sadmin skiplist add command and specify the required arguments.

Here is the command syntax.

sadmin skiplist add [-c | -d | -f | -i | -r | -s | -v] PATH

This table describes the commands to skip path components from various features.


Feature | Command | Description

Feature: Monitoring

Command: sadmin skiplist add -c <path component>

Description: Skip path components from the monitoring feature. This command is applicable to Application Control only in Update mode, where changes are tracked. User mode paths and paths with a volume name do not work with this command. Text added with this command is treated as a complete component. For example, the text can start with a forward slash (/) and end with a backward slash (\), dot (.), or null character.

No events are generated for files that contain the specified text. Also, the whitelist is not updated for such paths.

Feature: Write protection

Command: sadmin skiplist add -d <path component>

Description: Skip path components from write protection to remove the write protection applied to all files in that path. Also, no write denied event is observed for such paths. User mode paths and paths with a volume name do not work with this command. Text added with this command is treated as a complete component. For example, the text can start with a forward slash (/) and end with a backward slash (\), dot (.), or null character.

Command: sadmin skiplist add -r <path component>

Description: Skip registry path components from registry write protection to remove the write protection applied to the registry paths. Text added with this command is treated as a complete component. For example, the text can start with a forward slash (/) and end with a backward slash (\), dot (.), or null character.

Feature: File operations and script-auth

Command: sadmin skiplist add -f <path component>

Description: Skip path components from file operations and the script-auth feature. When you skip path components from file operations, file operations such as creation, modification, and deletion are not protected under write protection. However, link and rename operations for the destination path are still protected by write protection. Specify a path component with the command. User mode paths and paths with a volume name do not work with this command.

Text added with this command is treated as a substring in a path. No events are raised and the whitelist is not updated for the skipped path components. Also, script execution control does not work for paths added with this command.

Feature: File operations and deny-exec

Command: sadmin skiplist add -i <path component>

Description: Skip path components from file operations using the ignore path list. This works similarly to the sadmin skiplist add -f command. Also, on the Windows 64-bit platform, binaries of pe32 type are also skipped from the deny-exec feature using this skip rule. Restarting the system is needed to enable this skip rule.

Follow these steps to add the skip rule.

1 Run the sadmin config show command.

2 Press Enter.

3 Type the sadmin skiplist add -i <path component> command.

Specify a path component with the command. User mode paths and paths with a volume name do not work with this command.

4 Press Enter.


Feature: Whitelist

Command: sadmin skiplist add -s <path component>

Description: Specify a path component with the command. Network path names cannot be specified with this command. When a path component is specified with this command, files present in the whitelist under that path and its subdirectories are removed from the whitelist. However, files generated or modified on such paths and subdirectories are added to the whitelist in unso (unsolidified) state only, regardless of the Application Control mode (Enabled mode or Update mode) or whether an updater is used. When files are added to the whitelist in unso state, modifications to the files are allowed but execution is denied for all such files. Volume relative rules can also be specified using *\<vol_rel_name>.

An asterisk (*) can be used to represent any one component in the path. When rules with an asterisk (*) are added, files in that path are not removed from the whitelist, but files generated in Enabled mode, Update mode, or using an updater are added to the whitelist in unso state only. Because files are not removed from the whitelist when rules with an asterisk (*) are added, write protection is observed for whitelisted files on such paths.

Feature: Application Control

Command: sadmin skiplist add -v <path component>

Description: Skip volume names from attaching to Application Control. You can also specify the file system, such as NTFS or FAT. When you specify a volume name with this argument, Application Control is not attached to that volume. The script-auth and deny-exec features are also not effective on the specified volume. Components in that volume are allowed to execute on the system. You can specify a path component using user mode volume names, such as C: and D:. Device names, such as \device\harddiskvolume1, and file systems, such as NTFS and FAT, can also be specified.

If any of the criteria for specifying the path component is met, Application Control does not attach to that volume. Hence, the script-auth and deny-exec features will not work for such volumes. A restart is required for the rule to work if the drive is already attached.
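Before adding a skip rule, it helps to see which files it would actually reach. The following Python script is an added example written for this guide's readers; it is not McAfee code and does not call the product. It models the two matching behaviours the table describes: the complete-component rules (-c, -d, -r), where the text must be delimited by a slash at the start and a backslash, dot or end of path at the end, and the substring rules (-f, -i), which match anywhere in the path. The matching logic is this example's reading of the table, and the file paths are constructed sample data.

```python
import re

# Constructed sample of whitelisted files on two volumes (not real inventory data).
SAMPLE_PATHS = [
    r"C:\WINDOWS\Debug\UserMode\ChkAcc.bak",
    r"D:\Apps\Debug\UserMode\trace.log",
    r"C:\Tools\UserModeHelper\run.exe",
    r"C:\Tools\UserMode.old\run.exe",
    r"C:\Program Files\Vendor\service.exe",
]


def _normalise(path):
    """Treat / and \\ alike so a rule written with either separator behaves the same."""
    return path.replace("/", "\\")


def matches_complete_component(component, path):
    """Model of the 'complete component' rules (-c, -d, -r): the text must start
    right after a separator and end at a separator, a dot, or the end of the path.
    Windows paths are case-insensitive, so the comparison ignores case."""
    comp = _normalise(component).strip("\\")
    pattern = r"(?:^|\\)" + re.escape(comp) + r"(?=\\|\.|$)"
    return re.search(pattern, _normalise(path), re.IGNORECASE) is not None


def matches_substring(component, path):
    """Model of the substring rules (-f, -i): any occurrence anywhere in the path."""
    comp = _normalise(component).strip("\\")
    return comp.lower() in _normalise(path).lower()


# Which matcher models which sadmin skiplist argument (this example's own mapping).
MATCHERS = {
    "component": matches_complete_component,  # -c, -d, -r
    "substring": matches_substring,           # -f, -i
}


def preview_skip_rule(component, mode, paths=SAMPLE_PATHS):
    """Return the files a skip rule would cover, so the reach of an exemption
    can be reviewed before the rule is added."""
    matcher = MATCHERS[mode]
    return [p for p in paths if matcher(component, p)]


if __name__ == "__main__":
    for mode in MATCHERS:
        print(mode, preview_skip_rule(r"\UserMode", mode))
```

Running it shows why the distinction matters: the component rule for \UserMode reaches the UserMode directories on both volumes (and UserMode.old, because a dot terminates the component), while the substring rule additionally reaches UserModeHelper, a directory the author of the rule may never have intended to exempt.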

List skip rules for path components

You can view the list of all skip rules added for the path components that are skipped from features.

Task

• Run this command at the command prompt.

sadmin skiplist list

You must specify arguments to view the list of skip rules applied using those arguments.

Remove skip rules for path components

Remove the skip rules applied to a specific path component so that Application Control features protect the path component again.

There are two methods to remove skip rules.


• Remove skip rules from a specified path component.

Skip rules are removed only from the specified path component.

The command syntax is sadmin skiplist remove [-c | -d | -f | -i | -r | -s | -v] PATH.

• Flush all skip rules.

Removes all skip rules for the specified argument.

The command syntax is sadmin skiplist flush [-c | -d | -f | -i | -r | -s | -v].

Task

1 Remove skip rules from a specified path component.

a Type the sadmin skiplist remove command and specify the path component and the argument for which you want to remove the skip rules.

b Press Enter.

Skip rules for the specified path component are removed.

2 Flush all skip rules.

a Type the sadmin skiplist flush command and specify the argument for which you want to remove the skip rules.

b Press Enter.

All skip rules for the specified argument are removed.


A Frequently asked questions

Here are answers to frequently asked questions.

How can I switch Application Control from standalone to McAfee ePO managed mode?

See these KnowledgeBase articles.

• Windows platform: KB69408

I have a Change Control product and I have upgraded it to Application Control. How does this upgrade affect my licenses?

When you add the Application Control license to upgrade from Change Control, the common features are set to the default status for Application Control.

What is the difference between log messages and events?

Events are generated for all changes made to a protected system and are stored in the event sinks. Log messages are generated for all actions and errors related to the product and are stored in log files. For information, see Review changes using events and Configuring log files.

What are the supported operating systems for Application Control?

See the KnowledgeBase article KB73341.

What is the difference between sadmin trusted -u and sadmin updaters add commands?

The sadmin updaters add command allows a component to run as an updater. But, before adding it as an updater, the component must be authorized to execute on the system using one of these methods:

• Component must be added to the whitelist.

• Component must be authorized by name or checksum.

For more information, see What are updaters?.

The sadmin trusted -u command provides updater privileges to the specified path. When you specify directory paths with this command, all binaries and scripts present in the directories are configured as updaters. For more information, see Add trusted directories.

Why is the software allowing the execution of a banned file?

When defined rules are applied, the software combines or aggregates the rules defined for a file. When applying the rules, it uses the following order to determine whether the file execution is allowed or blocked. The order in which the methods are listed indicates the precedence the software applies to the method.

1 Executed by updater process or trusted user

2 Banned by checksum

3 Allowed by checksum

4 Allowed by certificate

5 Banned by name


6 Allowed by name

7 Executed from trusted directory

8 Added to whitelist

If none of the above apply for a file, the software blocks the execution of the file. For example, if you ban a file based on its SHA-1 or SHA-256 value, it is allowed to execute if started by an updater or trusted user. In all other scenarios, the file is blocked. Similarly, if a program is allowed based on its SHA-1 or SHA-256 value and is banned by name, the program is allowed to execute and run.
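The precedence list above can be checked mechanically when a ban appears to be ignored. The Python below is an added example for this guide, not product code: it encodes the eight methods in the order given, returns the verdict together with the deciding rule, and lists the lower-precedence rules that also matched but were overridden. The FileRules attribute names are this example's own labels for the eight methods.

```python
from dataclasses import dataclass


@dataclass
class FileRules:
    """Which of the FAQ's eight methods apply to one file.
    Constructed representation for this example; not the product's data model."""
    run_by_updater_or_trusted_user: bool = False
    banned_by_checksum: bool = False
    allowed_by_checksum: bool = False
    allowed_by_certificate: bool = False
    banned_by_name: bool = False
    allowed_by_name: bool = False
    in_trusted_directory: bool = False
    in_whitelist: bool = False


# The FAQ's order of precedence, highest first, with the verdict each method gives.
PRECEDENCE = [
    ("run_by_updater_or_trusted_user", "allow"),
    ("banned_by_checksum", "block"),
    ("allowed_by_checksum", "allow"),
    ("allowed_by_certificate", "allow"),
    ("banned_by_name", "block"),
    ("allowed_by_name", "allow"),
    ("in_trusted_directory", "allow"),
    ("in_whitelist", "allow"),
]


def decide(rules):
    """Walk the precedence list; the first applicable method decides.
    A file that no method covers is blocked, as the FAQ states."""
    for name, verdict in PRECEDENCE:
        if getattr(rules, name):
            return verdict, name
    return "block", "no matching rule"


def audit(rules):
    """Explain a verdict: the deciding method plus every lower-precedence method
    that also matched but was overridden (the usual answer to 'why did a banned
    file run')."""
    verdict, deciding = decide(rules)
    matched = [name for name, _ in PRECEDENCE if getattr(rules, name)]
    overridden = [name for name in matched if name != deciding]
    return {"verdict": verdict, "deciding_rule": deciding, "overridden_rules": overridden}


if __name__ == "__main__":
    # Constructed case from the FAQ: banned by hash, but launched by an updater.
    print(audit(FileRules(banned_by_checksum=True, run_by_updater_or_trusted_user=True)))
    # Constructed case: allowed by hash and banned by name; the hash allow wins.
    print(audit(FileRules(allowed_by_checksum=True, banned_by_name=True)))
```

The audit output makes the two FAQ scenarios explicit: in the first, the checksum ban is listed as overridden by the updater context; in the second, the name ban is overridden by the checksum allow. Reviewing the overridden list is a quick way to confirm that a surprising execution was a consequence of the documented precedence rather than a missing rule.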

I have defined variables on LINUX. Can I use these variables to define rules in Application Control or Change Control?

The LINUX platform doesn't provide predefined system variables that point to certain directories. But, you can define shell variables and use them on a system. In the standalone configuration of Application Control or Change Control, you can use user-defined shell variables to add rules. For example, if you define a variable MYDIR=/test and use it to add an updater rule with sadmin updaters add -t <workflow id> $MYDIR/updater, the path $MYDIR/updater resolves to /test/updater and the updater rule is added.

How can I check the solidification or whitelisting status for an endpoint?

Perform these steps to review the solidification or whitelisting status on an endpoint:

1 Right-click the McAfee Agent icon in the notification area on the endpoint.

2 Select Quick Settings | Application Control Solidification Status.

The Application Control Solidification Status window appears.

3 Review the status for the endpoint and click Close.


B Application Control event list

Application Control specific events, with the name, event ID, severity, and description, are described in this table.

Event names with a suffix (_UPDATE) indicate that events are generated in Update mode.

Event ID (on systems) | Threat event ID (on McAfee ePO) | Event name | Severity | Description

19 | 20718 | PROCESS_TERMINATED | Major | McAfee Solidifier prevented an attempt to hijack the process <string> (Process Id: <string>, User: <string>), by illegally calling the API '<string>'. The process was terminated.

20 | 20719 | WRITE_DENIED | Major | McAfee Solidifier prevented an attempt to modify file <string> by process/script <string> (sha1: <string>, md5: <string>, sha256: <string>) (Process Id: <string>, User: <string>).

21 | 20720 | EXECUTION_DENIED | Major | McAfee Solidifier prevented unauthorized execution of '<string>' (sha1: <string>, md5: <string>, sha256: <string>, File Type: <string>) by process <string> (Process Id: <string>, User: <string>) whose parent is process <string>, deny_reason: <string> (deny reason code: <string>) reputation score: <string>.


29 | 20728 | PROCESS_TERMINATED_UNAUTH_SYSCALL | Major | McAfee Solidifier prevented process <string>, being run by <string>, from making unauthorized syscall %d (return address %d). The process was terminated.

30 | 20729 | PROCESS_TERMINATED_UNAUTH_API | Major | McAfee Solidifier prevented process <string>, being run by <string>, from making unauthorized access to API <string> (return address <string>). The process was terminated

49 | 20748 | REG_VALUE_WRITE_DENIED | Major | McAfee Solidifier prevented an attempt to modify Registry key '<string>' with value '<string>' by process <string> (Process Id: <string>, User: <string>).

50 | 20749 | REG_KEY_WRITE_DENIED | Major | McAfee Solidifier prevented an attempt to modify Registry key '<string>' by process <string> (Process Id: <string>, User: <string>)

51 | 20750 | REG_KEY_CREATED_UPDATE | Info | McAfee Solidifier detected creation of registry key '<string>' by program <string> (User: <string>, Workflow Id: <string>).

52 | 20751 | REG_KEY_DELETED_UPDATE | Info | McAfee Solidifier detected deletion of registry key '<string>' by program <string> (User: <string>, Workflow Id: <string>).

54 | 20753 | REG_VALUE_DELETED_UPDATE | Info | McAfee Solidifier detected deletion of registry value '<string>' under key '<string>' by program <string> (User: <string>, Workflow Id: <string>).


57 | 20756 | OWNER_MODIFIED_UPDATE | Info | McAfee Solidifier detected modification to OWNER of '<string>' by program <string> (User: <string>, Workflow Id: <string>).

61 | 20760 | PROCESS_HIJACKED | Major | McAfee Solidifier detected an attempt to exploit process <string> (sha1: <string>, md5: <string>, sha256: <string>) from address <string>.

62 | 20761 | INVENTORY_CORRUPT | Critical | McAfee Solidifier detected that its internal inventory for the volume <string> is corrupt.

75 | 20774 | FILE_CREATED_UPDATE | Info | McAfee Solidifier detected creation of '<string>' by program <string> (User: <string>, Original User: <string>, Workflow Id: <string>).

76 | 20775 | FILE_DELETED_UPDATE | Info | McAfee Solidifier detected deletion of '<string>' by program <string> (User: <string>, Original User: <string>, Workflow Id: <string>).

77 | 20776 | FILE_MODIFIED_UPDATE | Info | McAfee Solidifier detected modification of '<string>' by program <string> (User: <string>, Original User: <string>, Workflow Id: <string>)

79 | 20778 | FILE_RENAMED_UPDATE | Info | McAfee Solidifier detected renaming of '<string>' to '<string>' by program <string> (User: <string>, Original User: <string>, Workflow Id: <string>).

80 | 20779 | FILE_SOLIDIFIED | Info | '<string>' was solidified which was created by program <string> (User: <string>, Workflow Id: <string>).


82 | 20781 | FILE_UNSOLIDIFIED | Info | '<string>' was unsolidified which was deleted by program <string> (User: <string>, Workflow Id: <string>).

89 | 20788 | READ_DENIED | Major | McAfee Solidifier prevented an attempt to read file '<string>' by process <string> (Process Id: <string>, User: <string>).

96 | 20795 | PKG_MODIFICATION_PREVENTED | Critical | McAfee Solidifier prevented package modification by '<string>' (sha1: <string>, md5: <string>, sha256: <string>) by user: '<string>'.

97 | 20796 | PKG_MODIFICATION_ALLOWED_UPDATE | Info | McAfee Solidifier allowed package modification by '<string>' (sha1: <string>, md5: <string>, sha256: <string>) by user: '<string>'. (Workflow Id: <string>).

98 | 20797 | PKG_MODIFICATION_PREVENTED_2 | Critical | McAfee Solidifier prevented package modification by '<string>' by user: '<string>'.

99 | 20798 | NX_VIOLATION_DETECTED | Critical | McAfee Solidifier prevented an attempt to hijack the process '<string>' (Process Id: '<string>', SHA1: <string>, MD5: <string>, SHA256: <string>, User: '<string>'), by executing code from an address outside of code pages region. Faulting address '<string>'. The process was terminated.


101 | 20800 | REG_VALUE_MODIFIED_UPDATE | Info | McAfee Solidifier detected modification to registry value '<string>' of type '<string>' under key '<string>' by program '<string>' (User: <string>, Workflow Id: <string>), with data: <string>

103 | 20802 | FILE_READ_UPDATE | Info | McAfee Solidifier detected read for '<string>' by program <string> (User: <string>, Original User: <string>, Workflow Id: <string>)

124 | 20823 | INITIAL_SCAN_TASK_COMPLETED | Info | McAfee Solidifier Initial Scan task is complete and Application Control is enforced on the system now.

126 | 20825 | ACTX_ALLOW_INSTALL | Info | McAfee Solidifier allowed installation of ActiveX <string> Workflow Id: <string> by user <string>

127 | 20826 | ACTX_INSTALL_PREVENTED | Major | McAfee Solidifier prevented installation of ActiveX <string> Workflow Id: <string> by user <string>

129 | 20828 | VASR_VIOLATION_DETECTED | Critical | McAfee Solidifier prevented an attempt to hijack the process '<string>' (Process Id: '<string>', sha1: <string>, md5: <string>, sha256: <string>, User: '<string>'), by executing code from non-relocatable dll '<string>'. Faulting address <string>. Target address '<string>'.

133 | 20832 | LOCAL_CLI_ACCESS_DISABLED | Major | Local CLI has been disabled due to wrong password attempts and it can be recovered after <string> minutes.

134 | 20833 | LOCAL_CLI_RECOVER_SUCCESS | Info | Local CLI successfully recovered.


135 | 20834 | LOCAL_CLI_RECOVER_FAILED | Info | Failed to recover Local CLI.

136 | 20835 | OBSERVED_FILE_EXECUTION | Info | McAfee Solidifier observed launch of '<string>' (Process Id: <string>, sha1: <string>, md5: <string>, sha256: <string>, User: <string>, Workflow Id: <mode>: AUTO_2, original_procname: <string>, parent_name = <string>) with command-line: '<string>'.

137 | 20836 | PREVENTED_FILE_EXECUTION | Major | McAfee Solidifier blocked launch of '<string>' (Process Id: <string>, sha1: <string>, md5: <string>, sha256: <string>, User: <string>, original_procname: <string>, parent_name = <string>) with command-line: '<string>'.

138 | 20837 | INVENTORY_RECOVERED | Critical | McAfee Solidifier has detected that the inventory for volume <string> is corrupt. The backup dated <string> is loaded.

139 | 20838 | INVENTORY_RECOVER_FAILED | Critical | McAfee Solidifier has detected that the inventory for volume <string> is corrupt. The backup could not be loaded. Please review the system and perform solidification to create whitelist.

140 | 20839 | BLOCKED_PROCESS_INTERACTIVE_MODE | Critical | McAfee Solidifier blocked process <string> in interactive mode. (Process Id: <string>, sha1: <string>, md5: <string>, sha256: <string>, User: <string>, original_procname: <string>, parent_name = <string>).
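The message templates in this table are regular enough to drive a small parser for triaging exported events. The Python below is an added example, not McAfee code: it copies three templates from the table, turns each <string> placeholder into a capture group, and maps the on-system event ID to the ePO threat event ID and severity. The field names, the way events are passed in (event ID plus message text), and the sample messages are this example's own constructions; the hashes are those of an empty file, and the deny reason text and code are placeholders, not documented values.

```python
import re

# Three rows of the event table, copied as documented: on-system event ID ->
# (ePO threat event ID, event name, severity, message template). <string> marks
# a variable field in the template.
EVENTS = {
    20: (20719, "WRITE_DENIED", "Major",
         "McAfee Solidifier prevented an attempt to modify file <string> by process/script <string> "
         "(sha1: <string>, md5: <string>, sha256: <string>) (Process Id: <string>, User: <string>)."),
    21: (20720, "EXECUTION_DENIED", "Major",
         "McAfee Solidifier prevented unauthorized execution of '<string>' (sha1: <string>, md5: <string>, "
         "sha256: <string>, File Type: <string>) by process <string> (Process Id: <string>, User: <string>) "
         "whose parent is process <string>, deny_reason: <string> (deny reason code: <string>) "
         "reputation score: <string>."),
    137: (20836, "PREVENTED_FILE_EXECUTION", "Major",
          "McAfee Solidifier blocked launch of '<string>' (Process Id: <string>, sha1: <string>, "
          "md5: <string>, sha256: <string>, User: <string>, original_procname: <string>, "
          "parent_name = <string>) with command-line: '<string>'."),
}

# Labels for the placeholders, in template order (this example's own names).
FIELDS = {
    20: ["file", "process", "sha1", "md5", "sha256", "pid", "user"],
    21: ["file", "sha1", "md5", "sha256", "file_type", "process", "pid", "user",
         "parent", "deny_reason", "deny_reason_code", "reputation_score"],
    137: ["file", "pid", "sha1", "md5", "sha256", "user", "original_procname",
          "parent_name", "command_line"],
}


def template_to_regex(template):
    """Turn a documented template into a regex: literal text is escaped and each
    <string> becomes a lazy capture group; the caller anchors with fullmatch."""
    parts = template.split("<string>")
    return re.compile("(.*?)".join(re.escape(p) for p in parts), re.DOTALL)


def parse_event(event_id, message):
    """Match a message against its template; return the ePO ID, name, severity
    and the captured fields, or None when the message does not fit the template."""
    epo_id, name, severity, template = EVENTS[event_id]
    m = template_to_regex(template).fullmatch(message)
    if m is None:
        return None
    record = {"event_id": event_id, "epo_threat_event_id": epo_id,
              "name": name, "severity": severity}
    record.update(zip(FIELDS[event_id], m.groups()))
    return record


def denied_executables(events):
    """From (event_id, message) pairs, collect the SHA-256 of every file whose
    execution was blocked, ready for comparison against an inventory export."""
    hashes = set()
    for event_id, message in events:
        rec = parse_event(event_id, message)
        if rec and rec["name"] in ("EXECUTION_DENIED", "PREVENTED_FILE_EXECUTION"):
            hashes.add(rec["sha256"])
    return hashes


# Constructed sample events that follow the documented templates. Hashes are those
# of an empty file; paths, PIDs, users and the deny reason are invented.
SAMPLE_EVENTS = [
    (21, "McAfee Solidifier prevented unauthorized execution of 'C:\\Users\\alice\\Downloads\\tool.exe' "
         "(sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709, md5: d41d8cd98f00b204e9800998ecf8427e, "
         "sha256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855, File Type: pe32) "
         "by process C:\\Windows\\explorer.exe (Process Id: 4120, User: CORP\\alice) whose parent is "
         "process C:\\Windows\\System32\\userinit.exe, deny_reason: not whitelisted "
         "(deny reason code: 1) reputation score: 0."),
    (20, "McAfee Solidifier prevented an attempt to modify file C:\\Windows\\System32\\drivers\\etc\\hosts "
         "by process/script C:\\Temp\\fix.cmd (sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709, "
         "md5: d41d8cd98f00b204e9800998ecf8427e, "
         "sha256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855) "
         "(Process Id: 5008, User: CORP\\alice)."),
]

if __name__ == "__main__":
    for event_id, message in SAMPLE_EVENTS:
        print(parse_event(event_id, message))
    print(denied_executables(SAMPLE_EVENTS))
```

Because the template text is matched literally and the whole message must match, a record that does not follow the documented wording is reported as None rather than silently mis-parsed; extending the parser to other rows of the table is a matter of copying the template and naming its fields.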


C Command short forms

You can use the short forms of the Application Control commands. These commands are interchangeable.

Command | Short form

sadmin write-protect | sadmin wp

sadmin write-protect-reg | sadmin wpr

sadmin read-protect | sadmin rp

sadmin solidify | sadmin so

sadmin unsolidify | sadmin unso

sadmin list-solidified | sadmin ls

sadmin list-unsolidified | sadmin lu

sadmin begin-update | sadmin bu

sadmin end-update | sadmin eu


D Application Control Command Line Interface reference

Describes the Application Control commands and their associated arguments.

Contents: Command overview, Argument details

Command overview

Here are all commands available for Application Control when using the command line interface (CLI).

In the OS column, these abbreviations indicate the supported operating systems.

• L — Linux

• W — Windows

In the Mode column, these abbreviations indicate the supported mode for the command.

• E — Enabled mode

• D — Disabled mode

• U — Update mode

Table D-1 Command details

Command | Description | Syntax | OS | Mode

Command: attr

Description: Modifies or lists the Application Control configuration attributes list.

OS: L

Mode: E, D, U

Syntax:

sadmin attr add -a filename1 ... filenameN

sadmin attr add -p filename1 ... filenameN

sadmin attr add -u filename1 ... filenameN

sadmin attr add -o parent=filename2 -p filename1

sadmin attr remove -a filename1 ... filenameN

sadmin attr remove -p filename1 ... filenameN

sadmin attr remove -u filename1 ... filenameN


sadmin attr list -a filename1 ... filenameN

sadmin attr list -p filename1 ... filenameN

sadmin attr list -u filename1 ... filenameN

sadmin attr flush -a

sadmin attr flush -p

sadmin attr flush -u

OS: W (32-bit)

Mode: E, D, U

Syntax:

sadmin attr add -a filename1 ... filenameN

sadmin attr add -c filename1 ... filenameN

sadmin attr add -h filename1 ... filenameN

sadmin attr add -o parent=filename2 -i filename1

sadmin attr add -j filename1 ... filenameN

sadmin attr add -l filename1 ... filenameN

sadmin attr add -m filename1 ... filenameN

sadmin attr add -p filename1 ... filenameN

sadmin attr add -u filename1 ... filenameN

sadmin attr add -v filename1 ... filenameN (Windows 7 and later)

sadmin attr add -o parent=filename2 -p filename1

sadmin attr add -o module=modulename -v filename1 (Windows 7 and later)

sadmin attr remove -a filename1 ... filenameN

sadmin attr remove -c filename1 ... filenameN

sadmin attr remove -h filename1 ... filenameN

sadmin attr remove -i filename1 ... filenameN

D Application Control Command Line Interface referenceCommand overview

128 McAfee Application Control 8.0.0 Product Guide

Page 129: McAfee Application Control 8.0.0 Product Guide ... McAfee Application Control 8.0.0 Product Guide. Contents Preface 7 ... Configure NX.....64 Configure Forced DLL Relocation

Table D-1 Command details (continued)

Command Description Syntax OS Mode

sadmin attr remove -jfilename1 ... filenameNsadmin attr remove -lfilename1 ... filenameN

sadmin attr remove -mfilename1 ... filenameNsadmin attr remove -pfilename1 ... filenameN

sadmin attr remove -ufilename1 ... filenameN

sadmin attr remove -vfilename1 ... filenameN(Windows 7 and later)

sadmin attr list -afilename1 ... filenameN

sadmin attr list -cfilename1 ... filenameN

sadmin attr list -hfilename1 ... filenameNsadmin attr list -ifilename1 ... filenameN

sadmin attr list -jfilename1 ... filenameNsadmin attr list -lfilename1 ... filenameN

sadmin attr list -mfilename1 ... filenameNsadmin attr list -pfilename1 ... filenameN

sadmin attr list -ufilename1 ... filenameN

sadmin attr list -vfilename1 ... filenameN(Windows 7 and later)

sadmin attr flush -a

sadmin attr flush -c

sadmin attr flush -hsadmin attr flush -i

sadmin attr flush -jsadmin attr flush -l

sadmin attr flush -m

Application Control Command Line Interface referenceCommand overview D

McAfee Application Control 8.0.0 Product Guide 129

Page 130: McAfee Application Control 8.0.0 Product Guide ... McAfee Application Control 8.0.0 Product Guide. Contents Preface 7 ... Configure NX.....64 Configure Forced DLL Relocation

Table D-1 Command details (continued)

Command Description Syntax OS Mode

sadmin attr flush -p

sadmin attr flush -u

sadmin attr flush -v (Windows 7and later)

sadmin attr add -afilename1 ... filenameN

W (64-bit) E, D, U

sadmin attr add -cfilename1 ... filenameN

sadmin attr add -hfilename1 ... filenameNsadmin attr add -o parent=filename2 -i filename1

sadmin attr add -jfilename1 ... filenameNsadmin attr add -mfilename1 ... filenameNsadmin attr add -nfilename1 ... filenameN

sadmin attr add -n -y filename1(Not available on Windows Server2012)

sadmin attr add -pfilename1 ... filenameN

sadmin attr add -ufilename1 ... filenameN

sadmin attr add -vfilename1 ... filenameN(Windows 7 and later)

sadmin attr add -o parent=filename2 -p filename1

sadmin attr add -o module=modulename -v filename1(Windows 7 and later)

sadmin attr remove -afilename1 ... filenameN

sadmin attr remove -cfilename1 ... filenameN

sadmin attr remove -hfilename1 ... filenameNsadmin attr remove -ifilename1 ... filenameN

sadmin attr remove -jfilename1 ... filenameN

D Application Control Command Line Interface referenceCommand overview

130 McAfee Application Control 8.0.0 Product Guide

Page 131: McAfee Application Control 8.0.0 Product Guide ... McAfee Application Control 8.0.0 Product Guide. Contents Preface 7 ... Configure NX.....64 Configure Forced DLL Relocation

Table D-1 Command details (continued)

Command Description Syntax OS Mode

sadmin attr remove -mfilename1 ... filenameNsadmin attr remove -nfilename1 ... filenameN

sadmin attr remove -pfilename1 ... filenameN

sadmin attr remove -ufilename1 ... filenameN

sadmin attr remove -vfilename1 ... filenameN(Windows 7 and later)

sadmin attr list -afilename1 ... filenameN

sadmin attr list -cfilename1 ... filenameN

sadmin attr list -hfilename1 ... filenameNsadmin attr list -ifilename1 ... filenameN

sadmin attr list -jfilename1 ... filenameNsadmin attr list -mfilename1 ... filenameNsadmin attr list -nfilename1 ... filenameN

sadmin attr list -pfilename1 ... filenameN

sadmin attr list -ufilename1 ... filenameN

sadmin attr list -vfilename1 ... filenameN(Windows 7 and later)

sadmin attr flush -a

sadmin attr flush -c

sadmin attr flush -hsadmin attr flush -i

sadmin attr flush -jsadmin attr flush -msadmin attr flush -n

sadmin attr flush -p

Application Control Command Line Interface referenceCommand overview D

McAfee Application Control 8.0.0 Product Guide 131

Page 132: McAfee Application Control 8.0.0 Product Guide ... McAfee Application Control 8.0.0 Product Guide. Contents Preface 7 ... Configure NX.....64 Configure Forced DLL Relocation

Table D-1 Command details (continued)

Command Description Syntax OS Mode

sadmin attr flush -u

sadmin attr flush -v (OnWindows 7 and later)

For more information about this command, see Configure memory-protection techniquesand Maintain your systems in McAfee Application Control 8.0.0 Product Guide forstandalone mode.

auth
Description: Authorizes an application (executable, installer, or batch file) by whitelisting it, or unauthorizes an application by adding it to the blacklist. The application might be locally installed or invoked, or installed or invoked from a shared drive.
OS: W. Mode: E, D, U.
Syntax:
sadmin auth -a -c checksum
sadmin auth -a [ -t ruleid ] -c checksum
sadmin auth -a [ -t ruleid ] [ -u ] -c checksum
sadmin auth -b -c checksum
sadmin auth -b [ -t ruleid ] -c checksum
sadmin auth -f
sadmin auth -l
sadmin auth -r checksum
For more information about this command, see Override Application Control protection in McAfee Application Control 8.0.0 Product Guide for standalone mode.

begin-update (bu)
Description: Initiates the Update mode to help perform software updates and installations.
OS: L, W. Mode: E, D.
Syntax:
sadmin begin-update [ workflow-id [ comment ]]
sadmin bu [ workflow-id [ comment ]]
For more information about this command, see Maintain your systems in McAfee Application Control 8.0.0 Product Guide for standalone mode.

cert
Description: Manages certificates for digitally signed files. You can add, remove, or list the certificates in the Application Control certificate store, which is the directory <install_dir>/Certificates under the installation directory.
OS: W. Mode: E, D, U.
Syntax:
sadmin cert add certificate_name
sadmin cert add -u certificate_name
sadmin cert add -c certificate_content
sadmin cert remove SHA-1
sadmin cert remove SHA-256
sadmin cert remove -c certificate_content
sadmin cert list
sadmin cert list -d
sadmin cert list -u
sadmin cert flush
For more information about this command, see Override Application Control protection in McAfee Application Control 8.0.0 Product Guide for standalone mode.

check
Description: Validates and fixes the attributes of the specified file or files against the file inventory.
OS: L, W. Mode: E, D, U.
Syntax:
sadmin check [ -r ]
sadmin check [ -r ] filename1 ... filenameN
sadmin check [ -r ] directoryname1 ... directorynameN
sadmin check [ -r ] volumename1 ... volumenameN
For more information about this command, see Maintain your systems in McAfee Application Control 8.0.0 Product Guide for standalone mode.

config
Description: Allows you to:
• Export current configuration settings to a file.
• Import configuration settings from a file to an existing installation.
OS: L, W. Mode: E, D, U.
Syntax:
sadmin config export filename
sadmin config import [ -a ] filename
sadmin config set name=value
sadmin config show
For more information about this command, see Configure advanced features in McAfee Application Control 8.0.0 Product Guide for standalone mode.

diag
Description: Runs diagnostics and offers suggestions on programs and applications to authorize (to perform updates).
OS: W. Mode: E, U.
Syntax:
sadmin diag
sadmin diag fix [ -f ]
For more information about this command, see Maintain your systems in McAfee Application Control 8.0.0 Product Guide for standalone mode.

disable
Description: Activates the Disabled mode. Restart the system to make sure that the command is applied. On the Linux platform, if Application Control is in the Enabled mode, a system restart is not required to apply this command. But, to uninstall the product, a system restart is required.
OS: L, W. Mode: E, U.
Syntax:
sadmin disable
For more information about this command, see Maintain your systems in McAfee Application Control 8.0.0 Product Guide for standalone mode.

enable
Description: Activates the Enabled mode. Restart the system to make sure that the command is applied. Or, restart the Application Control service to apply this command. But, the memory-protection feature will be available only after a system restart.
OS: L, W. Mode: D.
Syntax:
sadmin enable
For more information about this command, see How do I deploy Application Control in McAfee Application Control 8.0.0 Product Guide for standalone mode.

end-update (eu)
Description: Ends the Update mode and activates the Enabled mode.
OS: L, W. Mode: U.
Syntax:
sadmin end-update
sadmin eu
For more information about this command, see Maintain your systems in McAfee Application Control 8.0.0 Product Guide for standalone mode.

event
Description: Configures the log targets (sinks) for generated events.
OS: L, W. Mode: E, D, U.
Syntax:
sadmin event sink
sadmin event sink eventname sinkname
sadmin event sink -a { eventname | ALL } { sinkname | ALL }
sadmin event sink -r { eventname | ALL } { sinkname | ALL }
For more information about this command, see Configure advanced features in McAfee Application Control 8.0.0 Product Guide for standalone mode.

features
Description: Enables, disables, or lists the features on an existing installation.
OS: L, W. Mode: E, D, U.
Syntax:
sadmin features enable featurename
sadmin features disable featurename
sadmin features list
For more information about this command, see Maintain your systems in McAfee Application Control 8.0.0 Product Guide for standalone mode.

help
Description: Provides information about basic commands.
OS: L, W. Mode: E, D, U.
Syntax:
sadmin help
sadmin help [ command ]
For more information about this command, see Getting started in McAfee Application Control 8.0.0 Product Guide for standalone mode.

help-advanced
Description: Provides information about advanced commands.
OS: L, W. Mode: E, D, U.
Syntax:
sadmin help-advanced
sadmin help-advanced [ command ]
For more information about this command, see Getting started in McAfee Application Control 8.0.0 Product Guide for standalone mode.

license
Description: Adds or displays licensing information.
OS: L, W. Mode: D.
Syntax:
sadmin license add licensekey
sadmin license list
For more information about this command, see How do I deploy Application Control in McAfee Application Control 8.0.0 Product Guide for standalone mode.

list-solidified (ls)
Description: Lists the whitelisted files, directories, and volumes.
OS: L, W. Mode: E, D, U.
Syntax:
sadmin list-solidified [ -l ]
sadmin ls [ -l ]
sadmin list-solidified [ -l ] filename1 ... filenameN
sadmin ls [ -l ] filename1 ... filenameN
sadmin list-solidified [ -l ] directoryname1 ... directorynameN
sadmin ls [ -l ] directoryname1 ... directorynameN
sadmin list-solidified [ -l ] volumename1 ... volumenameN
sadmin ls [ -l ] volumename1 ... volumenameN
For more information about this command, see Maintain your systems in McAfee Application Control 8.0.0 Product Guide for standalone mode.

list-unsolidified (lu)
Description: Lists the files, directories, and volumes that are not whitelisted.
OS: L, W. Mode: E, D, U.
Syntax:
sadmin list-unsolidified
sadmin lu
sadmin list-unsolidified filename1 ... filenameN
sadmin lu filename1 ... filenameN
sadmin list-unsolidified directoryname1 ... directorynameN
sadmin lu directoryname1 ... directorynameN
sadmin list-unsolidified volumename1 ... volumenameN
sadmin lu volumename1 ... volumenameN
For more information about this command, see Maintain your systems in McAfee Application Control 8.0.0 Product Guide for standalone mode.

lockdown
Description: Disables the local command line interface. After lockdown, you can only issue the help, help-advanced, status, version, and recover commands.
OS: L, W. Mode: E, D, U.
Syntax:
sadmin lockdown

passwd
Description: Sets a password for the command line interface. If the password is set, you must verify the password before executing critical commands. Using the sadmin passwd -d command removes the password.
OS: L, W. Mode: E, D, U.
Syntax:
sadmin passwd
sadmin passwd -d
For more information about this command, see Configure advanced features in McAfee Application Control 8.0.0 Product Guide for standalone mode.

read-protect (rp)
Description: Displays or modifies the read-protection rules. You must specify complete file or directory names with this command.
OS: L, W. Mode: E, D, U.
Syntax:
sadmin read-protect -e pathname1 ... pathnameN
sadmin read-protect -i pathname1 ... pathnameN
sadmin read-protect -r pathname1 ... pathnameN
sadmin read-protect -f
sadmin read-protect -l
For more information about this command, see Protect the file system components in McAfee Application Control 8.0.0 Product Guide for standalone mode.

recover
Description: Recovers the local command line interface.
OS: L, W. Mode: E, D, U.
Syntax:
sadmin recover
sadmin recover -f

ruleengine
Description: Specifies rules on various attributes of a process whose execution is undetermined. This enables the user to allow, block, or monitor its execution. You can combine one or more unique attribute types in one rule using the AND operator.
OS: W. Mode: E, D, U.
Syntax:
sadmin ruleengine add allow processname command_line { matches | not matches } regex
sadmin ruleengine add allow processname { command_line | user | parent_process_name | path } { equals | not equals } string
sadmin ruleengine add block processname command_line { matches | not matches } regex
sadmin ruleengine add block processname { command_line | user | parent_process_name | path } { equals | not equals } string
sadmin ruleengine add monitor processname command_line { matches | not matches } regex
sadmin ruleengine add monitor processname { command_line | user | parent_process_name | path } { equals | not equals } string
sadmin ruleengine remove allow processname command_line { matches | not matches } regex
sadmin ruleengine remove allow processname { command_line | user | parent_process_name | path } { equals | not equals } string
sadmin ruleengine remove block processname command_line { matches | not matches } regex
sadmin ruleengine remove block processname { command_line | user | parent_process_name | path } { equals | not equals } string
sadmin ruleengine remove monitor processname command_line { matches | not matches } regex
sadmin ruleengine remove monitor processname { command_line | user | parent_process_name | path } { equals | not equals } string
sadmin ruleengine list
sadmin ruleengine flush
For more information about this command, see Defining attribute-based rules for file execution in McAfee Application Control 8.0.0 Product Guide for standalone mode.

skiplist
Description: Bypasses a path component from a feature to remove the protection applied by that feature. You can also define skip rules to skip path components from the whitelist. Use caution and take advice from McAfee Support before applying skiplist rules because doing so can affect the core functionality of the product and might make your system vulnerable to security threats. For more information about skiplist rules, see the Skip rules for path components chapter in McAfee Application Control 8.0.0 Product Guide for standalone mode.
OS: W. Mode: E, D, U.
Syntax:
sadmin skiplist add -c pathname1 ... pathnameN
sadmin skiplist add -d pathname1 ... pathnameN
sadmin skiplist add -f pathname1 ... pathnameN
sadmin skiplist add -i pathname1 ... pathnameN
sadmin skiplist add -r pathname1 ... pathnameN
sadmin skiplist add -s pathname1 ... pathnameN
sadmin skiplist add -v pathname1 ... pathnameN
sadmin skiplist remove -c pathname1 ... pathnameN
sadmin skiplist remove -d pathname1 ... pathnameN
sadmin skiplist remove -f pathname1 ... pathnameN
sadmin skiplist remove -i pathname1 ... pathnameN
sadmin skiplist remove -r pathname1 ... pathnameN
sadmin skiplist remove -s pathname1 ... pathnameN
sadmin skiplist remove -v pathname1 ... pathnameN
sadmin skiplist list -c
sadmin skiplist list -d
sadmin skiplist list -f
sadmin skiplist list -i
sadmin skiplist list -r
sadmin skiplist list -s
sadmin skiplist list -v
sadmin skiplist flush -c
sadmin skiplist flush -d
sadmin skiplist flush -f
sadmin skiplist flush -i
sadmin skiplist flush -r
sadmin skiplist flush -s
sadmin skiplist flush -v

solidify (so)
Description: Adds specified files in a directory or system volume to the whitelist.
OS: L, W. Mode: E, D, U.
Syntax:
sadmin solidify
sadmin so
sadmin solidify [ -q | -v ] filename1 ... filenameN
sadmin solidify [ -q | -v ] directoryname1 ... directorynameN
sadmin solidify [ -q | -v ] volumename1 ... volumenameN
For more information about this command, see How do I deploy Application Control in McAfee Application Control 8.0.0 Product Guide for standalone mode.

status
Description: Displays the status of Application Control. You can view the operational mode, the operational mode on system restart, connectivity with McAfee ePO, access status, and the whitelist status of the local CLI.
OS: L, W. Mode: E, D, U.
Syntax:
sadmin status
sadmin status volumename
For more information about this command, see How do I deploy Application Control in McAfee Application Control 8.0.0 Product Guide for standalone mode.

trusted
Description: Identifies a local or remote share as a trusted file path, volume, or directory. You can include, exclude, remove, list, or flush the trusted volumes or directories.
OS: L. Mode: E, D, U.
Syntax:
sadmin trusted -e pathname1 ... pathnameN
sadmin trusted -i pathname1 ... pathnameN
sadmin trusted -r pathname1 ... pathnameN
sadmin trusted -f
sadmin trusted -l
OS: W. Mode: E, D, U.
Syntax:
sadmin trusted -e volumesetname1 ... volumesetnameN
sadmin trusted -e pathname1 ... pathnameN
sadmin trusted -i volumesetname1 ... volumesetnameN
sadmin trusted -i pathname1 ... pathnameN
sadmin trusted -r volumesetname1 ... volumesetnameN
sadmin trusted -r pathname1 ... pathnameN
sadmin trusted -f
sadmin trusted -l
sadmin trusted -u <local or network path>
For more information about this command, see Override Application Control protection in McAfee Application Control 8.0.0 Product Guide for standalone mode.

unsolidify (unso)
Description: Removes specified files from the whitelist.
OS: L, W. Mode: E, D, U.
Syntax:
sadmin unsolidify [ -v ] filename1 ... filenameN
sadmin unsolidify [ -v ] directoryname1 ... directorynameN
sadmin unsolidify [ -v ] volumename1 ... volumenameN
For more information about this command, see Maintain your systems in McAfee Application Control 8.0.0 Product Guide for standalone mode.

updaters
Description: Adds, deletes, lists, or flushes programs from the list of authorized updaters.
OS: L. Mode: E, D, U.
Syntax:
sadmin updaters add [ -d ] { binaryname }
sadmin updaters add [ -n ] { binaryname }
sadmin updaters add [ -p parent-programname ] { binaryname }
sadmin updaters add [ -t rule-id ] { binaryname }
sadmin updaters add [ -d ] [ -n ] [ -t rule-id ] [ -p parent-programname ] { binaryname }
sadmin updaters remove { binaryname }
sadmin updaters remove [ -p parent-programname ] { binaryname }
sadmin updaters list
sadmin updaters flush
OS: W. Mode: E, D, U.
Syntax:
sadmin updaters add [ -d ] { binaryname }
sadmin updaters add [ -l libraryname ] { binaryname }
sadmin updaters add [ -n ] { binaryname }
sadmin updaters add [ -p parent-binaryname ] { binaryname }
sadmin updaters add [ -t rule-id ] { binaryname }
sadmin updaters add [ -d ] [ -n ] [ -t rule-id ] [ -l libraryname ] { binaryname }
sadmin updaters add [ -d ] [ -n ] [ -t rule-id ] [ -p parent-binaryname ] { binaryname }
sadmin updaters add [ -t rule-id ] -u username
sadmin updaters remove { binaryname }
sadmin updaters remove [ -l libraryname ] { binaryname }
sadmin updaters remove [ -p parent-binaryname ] { binaryname }
sadmin updaters remove -u username
sadmin updaters list
sadmin updaters flush
For more information about this command, see Override Application Control protection in McAfee Application Control 8.0.0 Product Guide for standalone mode.

version
Description: Displays the version of the installed Application Control.
OS: L, W. Mode: E, D, U.
Syntax:
sadmin version
For more information about this command, see How do I deploy Application Control in McAfee Application Control 8.0.0 Product Guide for standalone mode.

write-protect (wp)
Description: Write-protects specified files, including the whitelisted files. You must specify complete file or directory names with this command.
OS: L, W. Mode: E, D, U.
Syntax:
sadmin write-protect -e pathname1 ... pathnameN
sadmin write-protect -i pathname1 ... pathnameN
sadmin write-protect -r pathname1 ... pathnameN
sadmin write-protect -f
sadmin write-protect -l
For more information about this command, see Protect the file system components in McAfee Application Control 8.0.0 Product Guide for standalone mode.

write-protect-reg (wpr)
Description: Write-protects specified registry keys, including the whitelisted registry keys.
OS: W. Mode: E, D, U.
Syntax:
sadmin write-protect-reg -e registrykeyname1 ... registrykeynameN
sadmin write-protect-reg -i registrykeyname1 ... registrykeynameN
sadmin write-protect-reg -r registrykeyname1 ... registrykeynameN
sadmin write-protect-reg -l
sadmin write-protect-reg -f
For more information about this command, see Protect the file system components in McAfee Application Control 8.0.0 Product Guide for standalone mode.

Argument details

This table lists the commands with the supported arguments and their description. In the Argument column, the supported arguments for the commands are listed in alphabetical order.

You can use the -z argument to prevent the system from prompting for the password. This argument can be used in all CLI commands to provide the CLI password (so that the system does not prompt for the password). For example, if the CLI password is set and you issue the sadmin wp -i abc.txt command, the system immediately prompts you for the password. Using the -z argument, you can issue the sadmin wp -z <password> -i abc.txt command to provide the password with the issued command.

Table D-2 Argument details

Command Argument Description

attr -a Always authorizes by file name. This is a deprecatedtechnique. For more information, contact McAfeeSupport.

-b Configures the bypass, restore, list, and flush rulesfor a component protected using the Manglingtechnique. This is a deprecated technique. For moreinformation, contact McAfee Support.

-c Configures the bypass, restore, list, and flush rulesfor a component protected using the CriticalAddress Space Protection technique.

-f Bypasses from full crawl attribute. This is adeprecated technique. For more information,contact McAfee Support.

-h Adds a binary to MP Compat protection.

-i Configures the bypass, restore, list, and flush rulesfor a binary using the Package Control feature.

-j Bypasses a binary from MP Compat protection.

-l Configures the bypass, restore, list, and flush rulesfor a component using the Anti-Debuggingtechnique. This is a deprecated technique. For moreinformation, contact McAfee Support.

-m Configures the add, remove, list, and flush rules forblocking the process in the interactive mode.

-n Configures the bypass, restore, list, and flush rulesfor a component using the mp-nx technique.

-y Includes child processes for a component to bebypassed using the mp-nx technique. Thisargument can only be specified with the -nargument.

-o Indicates to specify the DLL module name for aspecified process. This argument can be usedwith -p, -v, and -i arguments. On the Linuxplatform, use this argument to specify the parentprogram for the -p attribute.

-p Bypasses from process context file operationsattribute.

-u Always unauthorizes by file name. This is adeprecated technique. For more information,contact McAfee Support.

D Application Control Command Line Interface referenceArgument details

142 McAfee Application Control 8.0.0 Product Guide

Page 143: McAfee Application Control 8.0.0 Product Guide ... McAfee Application Control 8.0.0 Product Guide. Contents Preface 7 ... Configure NX.....64 Configure Forced DLL Relocation

Table D-2 Argument details (continued)

Command Argument Description

-v Bypasses from Forced DLL relocation attribute.

auth -a Authorizes a binary using the checksum value.

-b Bans a binary using the checksum value.

-c Specifies the checksum value.

-f Flushes all authorized or banned binaries.

-l Lists all authorized and banned binaries.

-r Removes the authorized or banned binaries.

-t Includes the associated tag name for a binary to bebanned.

-u Authorizes a binary and also provides updaterprivileges when used with the -a and -carguments.

begin-update (bu) workflow-id Indicates to specify an ID while switching to theUpdate mode. This ID can be used for trackingpurposes in a change management for ticketingsystem.

comment Indicates to use a descriptive text for the workflowID.

cert -c Specifies the certificate content as trusted.

-d Lists all details of the issuer and subject of thecertificates added to the system.

-u Provides updater privileges to a certificate that isadded as a trusted certificate or list the trustedcertificates with updater privileges.

check -r Fixes any inconsistencies that are encountered.

config -a Appends the configuration values.

diag -f Applies the diagnosed configuration changes for therestricted programs, such as winlogon.exe andsvchost.exe.

disable NA NA

enable NA NA

end-update (eu) NA NA

event -a Adds sinks to the specified event.

-r Removes sinks from the specified event.

features -d Lists all features (including the hidden features).For more information, contact McAfee Support.

help NA NA

help-advanced NA NA

license NA NA

list-solidified (ls) -l Lists details of the whitelisted files.

list-unsolidified(lu)

NA NA

lockdown NA NA

Application Control Command Line Interface referenceArgument details D

McAfee Application Control 8.0.0 Product Guide 143

Page 144: McAfee Application Control 8.0.0 Product Guide ... McAfee Application Control 8.0.0 Product Guide. Contents Preface 7 ... Configure NX.....64 Configure Forced DLL Relocation

Table D-2 Argument details (continued)

Command Argument Description

passwd -d Removes the password for using ApplicationControl.

read-protect (rp) -e Excludes specific components from a read-protecteddirectory, or volume.

-f Flushes all components from read protection.

-i Includes files, directories, or volumes for readprotection.

-l Lists the read-protected components.

-r Removes read‑protection applied to files,directories, or volumes.

recover -f Forcefully closes the McAfee ePO command andrecover the local CLI.

ruleengine allow A rule type for adding or removing the allow ruleson any attribute of a process.

block A rule type for adding or removing the block ruleson any attribute of a process.

monitor A rule type for adding or removing the monitorrules on any attribute of a process.

command_line This attribute type specifies the command-lineargument to execute a process. A rule type can beapplied to either allow, block, or monitor a processwhen executed using command_line.

user This attribute type specifies the user who tries toexecute a process. A rule can be applied to eitherallow, block, or monitor the process launched by auser.

parent_process_name This attribute type specifies a particular processwhich a parent process might tries to execute. Arule can be applied to either allow, block, ormonitor its execution when a parent process tries toexecute it.

path This attribute type denotes the path where theprocess resides whose execution is undetermined. Arule can be applied to allow, block, or monitor theprocess execution from that path.

regex A regular expression of one or more characters thatdefines the search pattern. It describes a grammarthat can be constructed based on ECMA script. Seethis article for more details.

string Specifies a string of characters.

D Application Control Command Line Interface referenceArgument details

144 McAfee Application Control 8.0.0 Product Guide

Page 145: McAfee Application Control 8.0.0 Product Guide ... McAfee Application Control 8.0.0 Product Guide. Contents Preface 7 ... Configure NX.....64 Configure Forced DLL Relocation

Table D-2 Argument details (continued)

Command Argument Description

skiplist  -c  Skips path components from the monitoring feature. This command is applicable to Application Control only in Update mode, where changes are tracked. User mode paths and paths with a volume name do not work with this command. Text added with this command is treated as a complete component. For example, text can start with a forward slash (/) and end with a backward slash (\), dot (.), or null character.

    No events are generated for files that contain the specified text. Also, the whitelist is not updated for such paths.

    -d  Skips path components from write protection to remove write protection applied to all files in that path. User mode paths and paths with a volume name do not work with this command. Text added with this command is treated as a complete component. For example, text can start with a forward slash (/) and end with a backward slash (\), dot (.), or null character.

    -f  Skips path components from file operations and the script-auth feature. User mode paths and paths with a volume name do not work with this command.

    Text added with this command is treated as a substring in a path. No events are raised and the whitelist is not updated for the skipped path components. Also, script execution control does not work for paths added with this command.

    -i  Skips path components from file operations using the ignore path list. This works similarly to the sadmin add -f command.

    User mode paths and paths with a volume name do not work with this command.

    When the path components are specified on Windows 64-bit platforms, even the deny-exec feature is skipped.

    -r  Skips registry path components from write protection for the registry to remove write protection applied on the registry paths.

    Text added with this command is treated as a complete component. For example, text can start with a forward slash (/) and end with a backward slash (\), dot (.), or null character.

    -s  Removes files present under the specified path component and its subdirectories from the whitelist.

    Network path names cannot be specified with this command. Volume relative rules can also be specified using *\<vol_rel_name>.


    -v  Bypasses volumes from attaching to Application Control. A file system, such as NTFS or FAT, can also be specified with this argument. When you specify a volume name with this argument, Application Control is not attached to that volume. The script-auth and deny-exec features are also not effective on the specified volume. Components in that volume are allowed to execute on the system.

    You can specify a path component using user mode volume names, such as C: and D:. Device names, such as \device\harddiskvolume1, and file systems, such as NTFS and FAT, can also be specified.

solidify (so)  -q  Suppresses all output except for errors.

    -v  Displays all processed components.

status  NA  NA

trusted  -e  Excludes one or more specified paths to directories or volumes from the list of trusted directories or volumes.

    -f  Removes all directories and volumes from the trusted rule.

    -i  Adds one or more specified paths to directories or volumes as trusted directories or volumes.

    -l  Lists all trusted directories and volumes.

    -r  Removes the specified directories or volumes from the trusted rule.

    -u  Provides updater privileges to all binaries and scripts in the trusted directories or volumes.

unsolidify (unso)  -v  Displays all processed components.

updaters  -d  Prevents the child processes of a binary file that is added as an updater from inheriting the updater privileges.

    -l  Includes the library name for an execution file to be added as an updater (for Windows).

    -n  Disables event logging for a file to be added as an updater.

    -p  Adds a file as an updater only when it is started by the specified parent process.

    -t  Performs these operations:
        • Includes the tags for a file to be added as an updater.
        • Adds a user with a tag name as an updater.

    -u  Adds a user as an updater (for Windows).

version  NA  NA

write-protect (wp)  -e  Excludes specific components from a write-protected directory or volume.

    -f  Flushes all components from write protection.


    -i  Write-protects files, directories, or volumes.

    -l  Lists the write-protected components.

    -r  Removes write protection applied to files, directories, or volumes.

write-protect-reg (wpr)  -e  Excludes one or more registry keys from write protection.

    -f  Flushes all registry keys from write protection. Flushing the registry keys from write protection removes all write-protection rules applied to the registry keys.

    -i  Write-protects registry keys.

    -l  Lists all write-protected registry keys.

    -r  Removes write protection from one or more registry keys.


Index

A
about this guide 7
Active Directory issues 99
ActiveX controls
  allow 52
  block 52
  disable 52
Address Space Layout Randomization (ASLR) 61, 64
advanced exclusion filters (AEFs)
  add and remove 72
  list 74
  overview 71
Application Control
  advantages 9
  commands 125
  deployment workflow 13, 15
  disable 91
  enable 17
  error messages 105
  features 9, 10, 74
  modes 14
  overview 9
  prerequisites to install, ScAnalyzer 86
  status 16, 67
  uses 9
  version 67
  whitelist 16
applications
  bypass rules, process context file operations 110
  execution failure 101
  installation failure 100
  performance issue 102
attribute-based rules
  about 55
  add 55
  list 55
  remove 55
authorization
  binaries based on checksum values 43
  certificates 38, 39
  files and programs 27
  files based on checksum values 43

B
best practices
  authorize programs or files 27
  bypass rules, process context file operations 110
  enable or disable features 77
  retain in whitelist 69
  updater permissions for certificates 38
binaries
  add as updaters 31, 32
  apply memory protection 61
  authorize using checksum values 43
  authorize using names 45
  authorize using SHA-1 or SHA-256 values 43
  ban using names 45
  ban using SHA-1 or SHA-256 values 44
  error messages, execution 106
  execution on network directories 47
  extract certificate 39
  list authorized and banned 44, 46
  remove authorized or banned 44, 46
blue screen
  corrupt whitelist 97
  on Linux 98
  on Windows 97
  self-modifying drivers 96
buffer overflow 61

C
certificates
  ActiveX controls 52
  add 39
  add as updaters 31, 32
  extract 39
  remove 42
  ScGetCerts utility 39
  supported certificates 31, 39
  trusted certificates 27, 38, 39, 41, 42
  view 41
checksum values
  list authorized and banned binaries 44
  overview 27
  remove authorized or banned binaries 44
  specify 34


command short forms 125
command-line interpreter, sadmin
  enable and disable password protection 81
  error messages 105
  lockdown and recovered status 67
  open 15
configuration parameters
  change 91
  export or import settings 90
  view 88
conventions and icons used in this guide 7
Critical Address Space Protection (CASP)
  configure 63
  overview 61

D
Data Execution Prevention (DEP) 61
default updaters
  Commercial-Off-The-Shelf (COTS) applications 31
  definition 29
  Finetune utility 31
  update using Finetune utility 35
  what to add 31
deny-read feature 19, 20, 24, 25
deny-write feature 19–23
deployment
  Application Control 15
  on multiple systems 87
  workflow 13
directories
  add to whitelist 69
  list read-protected 25
  list whitelisted 70
  list write-protected 23
  read-protect 19, 24
  remove from whitelist 69
  trusted directories 27, 47, 49
  write-protect 19, 21
Disabled mode
  description 14
  place in 91
discover-updaters feature 36
documentation
  audience for this guide 7
  product-specific, finding 8
  typographical conventions and icons 7
drives
  corrupt whitelist issue 97
  list read-protected 25
  list write-protected 23
  read-protect 19, 24
  whitelist 97
  whitelist status 16
  write-protect 19, 21
dynamic-link libraries (DLLs)
  Forced DLL Relocation 64

E
Enabled mode
  description 14
  legitimate failures 106
  place in 17
error messages 105
events
  add and remove AEFs 72
  configure event cache size 83
  configure event sink 82
  define limits, event cache 84
  flooding 105
  overview 82
  view 84
  view event list 119
executables
  add as updaters 32
  tag names 32

F
failures
  Application Control installation 104
  startup 95
  troubleshoot 93
features
  enable or disable 77
  manage 74
  review 75
files
  add and remove AEFs 72
  add as updaters 31, 32, 34
  add skip rules 112
  add to whitelist 69
  apply memory protection 61
  attribute modification 19
  authorize 27
  authorize using checksum values 43
  authorize using names 45
  authorize using SHA-1 or SHA-256 values 43
  ban using names 45
  ban using SHA-1 or SHA-256 values 44
  bypass rules, process context file operations 110
  display file system 67
  error messages, execution 106
  execution on network directories 47
  extract certificate 39
  include tags 32
  list authorized and banned 44, 46
  list read-protected 25
  list whitelisted 70
  list write-protected 23


files (continued)
  logs 85
  read-protect 19, 24
  remove authorized or banned 44, 46
  remove from whitelist 69
  write-protect 19, 21
Finetune utility
  default updaters 31
  definition 35
  update the default updaters 35
Forced DLL Relocation
  configure 64
  overview 61
frequently asked questions (FAQs) 117

G
GatherInfo utility 93

H
help, sadmin 15

I
installers
  add as updaters 31, 32
  configure package control 79
  error messages, execution 107
  execution 77
  package control modes 79
  SHA-1 or SHA-256 value 43
interpreters 53, 55
inventory, See whitelist

L
license 16
log files
  GatherInfo 93
  overview and types 85

M
McAfee ServicePortal, accessing 8
McAfee Solidifier command line
  lockdown and recovered status 67
McAfee Solidifier command-line
  enable and disable password protection 81
  error messages 105
  open 15
McAfee Support
  collect information 93, 94
  contact for deprecated memory-protection techniques 61
  GatherInfo logs 93
  log files 85
  memory dump 94
memory-protection techniques
  Critical Address Space Protection (CASP) 63
  Forced DLL Relocation 64
  mp-casp (Critical Address Space Protection) 63
  mp-nx (No Execute) 64
  mp-vasr-forced-relocation (Forced DLL Relocation) 64
  No Execute (NX) 64
  overview 61
modes
  Disabled 14, 91
  Enabled 14, 17, 106
  for package control 79
  Observe 14
  Safe 95
  Update 14, 27, 81

N
network-tracking feature 47
No Execute (NX)
  configure 64
  overview 61

O
Observe mode 14
operating mode, recommended 79

P
package control
  configure 79
  modes 79
  overview and subfeatures 77
password protection 81
paths
  absolute path 34
  add skip rules 112
  events 84
  guidelines 48
  list skip rules 114
  log files 85
  relative path 34
  trusted 99
performance issues
  application 102
  system 103
process context file operations
  add bypass rules 110
  remove bypass rules 111
processes
  add and remove AEFs 72
  add as updaters 31, 32
  apply memory protection 61
  issue, updater privileges 104
programs, authorize 27
publishers, See certificates


R
read protection
  apply and exclude 24
  list 25
  prevented actions 19
  remove and flush 25
  what is 20
recommendations
  authorize programs or files 27
  bypass rules, process context file operations 110
  enable or disable features 77
  retain in whitelist 69
  updater permissions for certificates 38
registry keys
  add and remove AEFs 72
  read-protect 19, 20
  write-protect 19, 21, 23
requirements
  add the license 16
  Application Control 9
  help commands 15
  modes 14
Return-Oriented Programming (ROP) 61
rules
  add bypass 110
  add skip 112
  list skip 114
  remove bypass 111
  remove skip 114

S
sadmin
  enable and disable password protection 81
  error messages 105
  lockdown and recovered status 67
  open 15
Safe mode 95
ScAnalyzer utility 86, 104
ScGetCerts utility 39
scripts
  add as updaters 31, 32
  add skip rules 112
  bypass rules, process context file operations 110
  configure interpreters 53
  error messages, execution 106
  execution on network directories 47
  interpreters 55
ServicePortal, finding product documentation 8
SHA-1 or SHA-256 values
  authorize files 43
  ban binaries 44
short forms, commands 125
status
  Application Control 67
  whitelist 16
supported operating systems 117
system crashes
  corrupt whitelist 97
  hang 102
  on Linux 98
  on Windows 97
  self-modifying drivers 96
system image 94

T
technical support, finding product information 8
thread priority, whitelist 16, 69
trusted directories
  add 47
  exclude 49
  list 49
  overview 27, 47
  remove 49
trusted users
  add 50
  list 51
  overview 27, 50
  remove 51
trusted volumes 47

U
Update mode
  description 14
  make emergency changes 80
  overview 27
  place in and exit 81
updaters
  add 32
  add suggested programs, discover-updaters 36
  arguments 32
  authorized file as an updater 43
  certificates 38
  default updaters 29, 31, 35
  definition and requirement 29
  Finetune utility 31, 35
  flush 37
  list 37
  list certificates with updater permissions 41
  overview 27, 29
  privileges issue 104
  remove 37, 38
  specify file checksum 34
  specify file name 34
  what to add 31
  when to add 30
users
  add and remove AEFs 72


users (continued)
  add as updaters 31, 32
  trusted users 27, 50, 51
utilities
  Dumpchk 94
  Finetune 35
  GatherInfo 93
  ScAnalyzer 86, 104
  ScGetCerts 39

V
Virtual Address Space Randomization (VASR)
  overview 61
volumes
  add skip rules 112
  add to whitelist 69
  list read-protected 25
  list whitelisted 70
  list write-protected 23
  read-protect 19, 24
  remove from whitelist 69
  trusted volumes 47
  whitelist status 16, 67
  write-protect 19, 21

W
whitelist
  add and remove components 69
  add skip rules 112
  corrupt whitelist issue 97
  create 16
  error messages, tampering 108
  files included 14
  fix inconsistencies 71
  how it works 14
  legitimate failures and error messages 106–108
  list components 70
  location 14
  manage 68
  status 16
  thread priority 16, 69
write protection
  add skip rules 112
  apply 21
  exclude 21, 22
  flush 21, 23
  list 21, 23
  prevented actions 19
  remove 21, 23
  what is 20
