Application Control 7.0.0 Product Guide - Standalone Mode


McAfee Application Control 7.0.0
Product Guide

COPYRIGHT 2016 Intel Corporation

TRADEMARK ATTRIBUTIONS
Intel and the Intel logo are registered trademarks of the Intel Corporation in the US and/or other countries. McAfee and the McAfee logo, McAfee Active Protection, McAfee DeepSAFE, ePolicy Orchestrator, McAfee ePO, McAfee EMM, McAfee Evader, Foundscore, Foundstone, Global Threat Intelligence, McAfee LiveSafe, Policy Lab, McAfee QuickClean, Safe Eyes, McAfee SECURE, McAfee Shredder, SiteAdvisor, McAfee Stinger, McAfee TechMaster, McAfee Total Protection, TrustedSource, VirusScan are registered trademarks or trademarks of McAfee, Inc. or its subsidiaries in the US and other countries. Other marks and brands may be claimed as the property of others.

LICENSE INFORMATION
License Agreement
NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND.

Contents

Preface
  About this guide
    Audience
    Conventions
  Find product documentation

1 Introduction
  Application Control overview
  Product features

2 Getting started
  Application Control workflow
  Understanding Application Control modes
  How the whitelist works
  Using the command-line interpreter
  Deploy Application Control
    Add the license
    Create the whitelist
    Place Application Control in Enabled mode

3 Protecting file system components
  How protection works
    What is write protection?
    What is read protection?
  Write-protect components
    Apply write protection
    Exclude components from write protection
    List write-protected components
    Remove write protection
  Read-protect components
    Apply read protection
    Exclude specific components from read protection
    List read-protected components
    Remove read protection

4 Overriding applied protection
  How do I override protection?
  Using updaters
    What are updaters?
    When do I add updaters?
    What can I add as updaters?
    Add updaters
    List updaters
    Remove updaters
  Using certificates
    Extract certificates
    Add certificates
    View certificates
    Remove certificates
  Using checksum values
    Authorize binaries
    Ban binaries
    View authorized and banned binaries
    Remove authorized or banned binaries
  Using binary names
    Authorize execution of binaries by name
    Ban execution of binaries by name
    View authorized and banned binaries
    Remove authorized and banned rules
  Using trusted directories
    What are trusted directories?
    When do I add trusted directories?
    Add trusted directories
    Follow the guidelines to specify directory path
    List trusted directories
    Exclude specific directories from the list of trusted directories
    Remove trusted directories
  Using trusted users (Windows only)
    Add trusted users
    List trusted users
    Remove trusted users
  Allowing ActiveX controls to run
    Allow ActiveX controls
    Block execution of ActiveX controls
    Disable the ActiveX feature
  Configuring interpreters to allow execution of additional scripts
    Add interpreters
    List interpreters
    Remove interpreters

5 Configuring memory-protection techniques
  Memory-protection techniques
    Configure CASP
    Configure NX
    Configure Forced DLL Relocation

6 Maintaining your systems
  View product status and version
  Manage the whitelist
    Whitelist thread priority
    Add and remove operations
    List operations
    Check and update the status of whitelisted components
  Advanced exclusion filters (AEFs)
    Add or remove AEFs
    List AEFs
  Manage product features
    Review features
    Enable or disable features
  Package Control
    Set up Package Control
    Package Control configuration
  Making emergency changes
    Switch to Update mode
    Exit Update mode
  Enable or disable password protection
  Review changes using events
    Configure event sinks
    Configure the event cache size
    View events
  Configuring log files
  Runtime environment of the system
    Run ScAnalyzer
    Review the ScAnalyzer report
  Managing mass deployments and system upgrades
    View the existing configuration parameters
    Export configuration settings
    Import configuration settings
    Change configuration parameters
  Disable Application Control
  Collecting information before contacting McAfee Support
    Collect GatherInfo logs
    Collecting system and issue details
  Startup failure
  Self-modifying driver issues
  System crash issues
    System crash on Windows
    Whitelist is corrupt on Windows
    System crash on Linux
  Active Directory issues (Windows only)
  Application installation failure
  Application execution failure
  Application performance
  System hang issues
  System performance issues
  Application Control installation failure
  Updater privileges issues
  Events flooding
  Using error messages
  Command line interface error messages
  Legitimate failures and error messages
    Error messages generated for binary and script files
    Error messages generated for installer packages
    Error messages generated while tampering with the whitelisted components
  Bypass rules for files and scripts
    Add bypass rules for files and scripts
    Remove bypass rules for files and scripts
  Skip rules for path components
    Add skip rules for path components
    List skip rules for path components
    Remove skip rules for path components

A Frequently asked questions
B Application Control event list
C Command short forms
D Application Control Command Line Interface reference
E Argument details
Index

Preface

This guide provides the information you need to work with your McAfee product.

Contents
  About this guide
  Find product documentation

About this guide

This information describes the guide's target audience, the typographical conventions and icons used in this guide, and how the guide is organized.

Audience

McAfee documentation is carefully researched and written for the target audience.

The information in this guide is intended primarily for:
- Administrators — People who implement and enforce the company's security program.
- Users — People who use the computer where the software is running and can access some or all of its features.

Conventions

This guide uses these typographical conventions and icons.

Italic          Title of a book, chapter, or topic; a new term; emphasis
Bold            Text that is emphasized
Monospace       Commands and other text that the user types; a code sample; a displayed message
Narrow Bold     Words from the product interface like options, menus, buttons, and dialog boxes
Hypertext blue  A link to a topic or to an external website
Note:           Extra information to emphasize a point, remind the reader of something, or provide an alternative method
Tip:            Best practice information
Caution:        Important advice to protect your computer system, software installation, network, business, or data
Warning:        Critical advice to prevent bodily harm when using a hardware product

Find product documentation

On the ServicePortal, you can find information about a released product, including product documentation, technical articles, and more.

Task
1 Go to the ServicePortal at https://support.mcafee.com and click the Knowledge Center tab.
2 In the Knowledge Base pane under Content Source, click Product Documentation.
3 Select a product and version, then click Search to display a list of documents.

1 Introduction

McAfee Application Control software offers an effective way to block unauthorized applications from running on your systems. Unlike simple whitelisting, it uses a dynamic trust model to avoid labor-intensive lists.

Today's IT departments face tremendous pressure to ensure that systems and servers comply with security policies, operating procedures, and regulations. Users can unintentionally introduce software that poses a risk to the business, installs malware, creates support issues, and violates software licenses, compromising systems and your business. Businesses of all sizes need an efficient way to standardize systems and servers to make sure that they are running only approved software, without impacting productivity.

As enterprises face unknown software from the Internet, Application Control adds timely control to your system security strategy, and is attuned to the operational needs of enterprises.

This document covers using Application Control in the standalone configuration only.

Contents
  Application Control overview
  Product features

Application Control overview

Application Control software blocks unauthorized applications on servers, corporate desktops, and fixed-function devices.

Increased control over fixed-function systems

In regulated industries like banking, retail, and manufacturing, devices such as point-of-sale (POS) terminals or customer service terminals perform critical functions and often store sensitive data. Application Control extends a layer of protection to fixed-function systems. Its low-overhead footprint does not affect system performance, requires low initial and ongoing operational overhead, and works effectively in standalone mode. The product is designed to operate in network and firewall configurations. It can even operate on systems that are not connected to a network.

Business efficiency in a controlled environment

Malware takes advantage of the flexible software and modular code used in business environments. Application Control extends coverage to Java, ActiveX controls, scripts, batch files, and code. This coverage gives greater control over application components, and blocks advanced threats without requiring signature updates.

Easy solution

Application Control is an easy solution that provides:
- Easy setup and low initial and ongoing operational overhead.
- Minimal impact on CPU cycles, using less than 10 MB of RAM.
- No file system scanning that could have an impact on the system performance.

Also, Application Control requires no signature updates.

Dynamic whitelisting using a trust model

Application Control provides flexible, affordable, and secure dynamic management of a whitelist. This dynamic management allows Application Control to support multiple configurations for different business needs, such as POS terminals, BackOffice servers, and multiple desktop images for different user profiles.

Leveraging a trusted source model, Application Control eliminates the need for IT administrators to manually maintain lists of approved applications. On a protected system, authorized software is allowed to run and it cannot be changed. Application Control prevents attempts to tamper with protected files, creates an event for each attempt, and writes event entries in a log file.

Key advantages and uses
- Protection against zero-day threats without requiring signature updates.
- Lower cost of ownership because dynamic whitelisting eliminates the manual effort of adding trusted applications to the whitelist.
- Protection against malware for these fixed-function systems:
  - POS terminals (in retail environments)
  - Automated teller machines (ATMs) in banking
  - Kiosk devices
  - Servers and corporate desktops
  - Customer service terminals

Product features

Application Control protects your system from any unauthorized attempt using these key features.
- Malware protection — Protects systems from malware attacks before they occur, by proactively controlling the application execution on the system.
- Secured system — Secures a system against threats and unwanted changes.
- Execution protection — Prevents execution of unauthorized updates that might change the existing applications running on the system.
- Dynamic whitelisting — Eliminates the manual maintenance effort that other whitelisting technologies require.
- Trusted applications — Enables admin
