
McAfee Application Control, Change Control,

and File Integrity Monitoring


Reviewers Guide

By Chris Payne

Version 0.1

21 June 2011

Confidential McAfee Internal Use Only


Evaluation Guide and Best Practices

Version History

Date          Version   Author        Comments
17-Apr 2011   0.1       Chris Payne

McAfee and/or additional marks herein are registered trademarks or trademarks of McAfee, Inc. and/or its affiliates in the US and/or other countries.
All other registered and unregistered trademarks herein are the sole property of their respective owners. © 2009 McAfee, Inc. All rights reserved.

Table of Contents

Overview
About This Guide
Intended Audience
Pre-Installation Guidance
Core Functionality
McAfee Application Control
McAfee Change Control
McAfee Integrity Monitoring
Detailed Instructions - Install and Initial Deployment
Reviewers Guide Resource Kit
ePO Setup
Solidcore Preparation and Setup
Post Deployment Tasks - Collect Inventory (Application Control only)
Detailed Instructions – Application Control – Setup, Use, and Reporting
Solidcore Update Mechanisms - Overview
Trust Model - Manual Update Mode (Time Based Updates)
Trust Model – Authorized Updaters
Trust Model – Binary Ban or Allow (Blacklisting existing apps or allowing ones that are not on the whitelist)
Trust Model – Publishers
Trust Model – Publishers – Custom Scripts
Trust Model - Installers
Trust Model - Trusted Users
Trust Model - Trusted Directories
Application Control - Testing and Reporting
Application Control – Updaters - Testing and Reporting
Detailed Instructions – Application Control – Image Deviation Use and Reporting
Detailed Instructions – Change Control – Monitoring File Systems and Registry
Detailed Instructions – Change Control – Protecting File Systems and Registry
Read Protect
Write Protect
Registry Protect
Detailed Instructions – Post Evaluation Cleanup
Appendix A, General Setup Tasks
ePO Client Tasks
ePO Automated Tasks
01 – SC:Update Inventory Search Index
02 – SC:Image Deviation
03 – SC:Get Updaters (Setting up a Software Repository Scan automated task)
Appendix B, Initial Configuration and Tuning of Policies
Using Application Control Learn Mode
Using Diagnostics Suggestions to Identify Updaters
Appendix C, Best Practice Tips
Appendix D, Deployment Scenarios
POS Sale Systems
Servers
Common Operating Environment Workstations and Laptops
Appendix E, POC Statement of Work Template
Document Definitions
Project Description
Client Business Goals
Project Scope
Phase 1 – Pre-Implementation
1. Discovery
Phase 2 – Application Control
1. Infrastructure Setup
2. Application Control Functional Scope Testing
Phase 3 – Change Control
1. Infrastructure Setup
2. Integrity Monitoring Functional Scope Testing
3. Change Control Implementation
4. Change Control Functional Scope and Testing
Phase 4 – Acceptance
1. Acceptance
Documentation
Client Responsibilities
Proposal and Quotation Information
Terms and Conditions
Authorization
Appendix F, Business Use Cases

Overview

About This Guide

The purpose of this guide is to provide steps for reviewing the capabilities of McAfee Application
Control, Change Control, and File Integrity Monitoring. The steps include setting up the ePO
environment, preparing for and deploying the Solidcore agent, a comprehensive walk-through of the
Solidcore "Trust Model", and testing and reporting for each of the three solutions. Each section builds
on the previous one. Included with this guide is a Reviewers Guide Resource Kit containing the files
used and referenced throughout. The appendices contain additional details to support the evaluation,
including a listing of the setup tasks built in each step, guidance on tuning the whitelist, and templates
for a POC Statement of Work and Business Use Cases to help tie the capabilities to real-world customer
requirements.

Intended Audience

This guide is intended to assist McAfee Sales Engineers and McAfee customers in preparing for and
evaluating McAfee Application Control, McAfee Change Control, and File Integrity Monitoring.

Pre-Installation Guidance

Once a date is set for the evaluation, establish the scope and identify the critical success factors. Use the
POC Statement of Work Template in the appendices to craft and scope the evaluation; the Business Use
Cases, also in the appendices, can help refine the POC requirements further. Aim to have a working ePO
test environment set up at the customer site and the test clients identified before the evaluation starts.
Review the customer's internal processes for managing endpoints, ticketing systems and so on, to
understand what type of reporting matters and how the teams (from administrators to executives)
consume that information and use it to make decisions.

Core Functionality

McAfee Application Control

McAfee Application Control (whitelisting) technically enforces control over system and application
code so that only authorized code can run, unauthorized code cannot run, authorized code cannot be
tampered with, and exploitation of vulnerabilities in authorized code is blocked by its Memory
Protection features. Application code includes not only traditional executables but also scripts.
Authorized updating mechanisms give granular change control: for example, Windows patches can be
approved automatically, while changes to locked-down applications are prevented from executing.
Authorized updating can occur by opening an update window or by authorizing a user or application to
make changes. No file system scanning is required, so the performance overhead and signature
updates of a scanning solution are avoided. Image Deviation lets you check that all systems adhere to
a known-good set of whitelisted files.

McAfee Change Control

McAfee Change Control provides tamper-proofing by technically enforcing that no changes can be
made to selected files, directories and registry keys. In addition, it tracks authorized changes in real
time, allowing automatic and accurate monitoring and reporting of the changes actually made.
Protection is linked directly to policy, and changes are verified against the change source, time window
or approved change ticket. Changes attempted outside of policy on protected servers are blocked and
logged.

McAfee Integrity Monitoring

McAfee Real-time Integrity Monitoring monitors update, delete, rename, move and copy operations on
files, directories and registry keys and tracks them as they happen, in real time. This even allows
identification of transient changes (a file that is changed inappropriately and then changed back). The
monitoring captures rich information: the user and the program that made the change, the object that
was changed, and the exact time the change was made.

Detailed Instructions - Install and Initial Deployment

This section reviews the steps necessary to prepare the Solidcore test environment: setting up ePO,
deploying the Solidcore agent, solidifying the test systems, collecting the inventory, and verifying that
all components are working by reviewing the dashboards and reports in ePO. The steps in this section
are also listed in Appendix A, General Setup Tasks.

Reviewers Guide Resource Kit

To simplify the review, a set of tools and files is provided to aid in evaluating the product. HashTab adds
a file-hash tab to the Windows file Properties dialog and is used to read the hash of an installer when
defining Installer rules. Process Explorer is used to identify the processes that need to be defined as
Updaters. EVALUATION.zip contains the files used and referenced throughout the evaluation.

• Hashtab.zip
• ProcessExplorer.zip
• EVALUATION.zip

The following files can be downloaded from the locations below. Note the hash of each file at
download time: Installer rules later in this guide identify a package by its SHA-1 hash, which must
match the copy placed on the test client.

md5sum.exe from http://www.etree.org/cgi-bin/counter.cgi/software/md5sum.exe
baretail.exe from http://www.baremetalsoft.com/baretail/download.php?p=w
Adobe Flash Player from http://get.adobe.com/flashplayer/?promoid=DXLUJ
Yahoo Messenger from http://messenger.yahoo.com/download/win/

ePO Setup

1. Check-in the McAfee Solidcore Extension and Solidcore packages into the Master Repository. Refer
to the
2. Add the license files for each capability in the Server Settings. Navigate to Menu | Configuration |
Server Settings and click on Solidcore on the left and edit/add the licenses:

3. In ePO, make the Solidcore dashboards for Application Control and Change Control active.
4. Push the McAfee Agent to the customer systems, verify connectivity, and set up the system tree for
the evaluation.
NOTE: Throughout this document, "Evaluation Group" refers to the group of test devices in the
system tree.

Solidcore Preparation and Setup

5. On one or more of the test clients, create the following directories.


• C:\EVALUATION
• C:\EVALUATION\SOFTWARE
• C:\EVALUATION\SCRIPTS
• C:\EVALUATION\SECRET

6. Copy across the following 4 files to C:\EVALUATION, (delete any other files present in this directory).
The files can be found in the Reviewers Guide Resource Kit.

• baretail.exe
• Deleted.vbs
• Permitted.bat
• Permitted.vbs

7. Delete the file named Deleted.vbs and ensure it resides in the Recycle Bin.
8. Copy across the following 10 files to C:\EVALUATION\SOFTWARE, (delete any other files present in
this directory),
• Hashtab.exe
• JkDefrag.exe
• Msgr10us.exe
• Procexp.chm
• Procexp.exe
• Putty.exe
• SkypeSetup.exe
• Wireshark-win32-1.4.4.exe
• Wlsetup-web.exe
• Yahoomessenger.exe

9. Copy across the following files to C:\EVALUATION\SECRET, (delete any other files present in this
directory)
• Eyes Only.jpg
• TopSecret.jpg

10. Copy across the EVALUATION.reg file to the test client desktop and double-click it to create the
registry entry HKEY_LOCAL_MACHINE\SOFTWARE\EVALUATION\TESTKEY.
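Steps 5 through 10 can be scripted so that every test client starts from an identical state. The following PowerShell is an added example, not part of the McAfee guide or the Resource Kit. It assumes the Resource Kit files have been extracted flat into a folder (C:\Temp\EVALUATION here, a hypothetical path) under the file names listed above, and that TESTKEY is a registry subkey rather than a value (the guide gives the path but not the contents of EVALUATION.reg). Run it from an elevated prompt, since it writes under HKLM.

```powershell
# Added example (not from the McAfee guide): build and verify the test-client
# layout from steps 5-10. $KitRoot is a hypothetical extraction folder.

$KitRoot = 'C:\Temp\EVALUATION'
$Root    = 'C:\EVALUATION'
$TestKey = 'HKLM:\SOFTWARE\EVALUATION\TESTKEY'   # assumed to be a subkey

# Expected file names per directory, taken from steps 6, 8 and 9.
$Layout = @{
    "$Root"          = @('baretail.exe', 'Deleted.vbs', 'Permitted.bat', 'Permitted.vbs')
    "$Root\SCRIPTS"  = @()
    "$Root\SOFTWARE" = @('Hashtab.exe', 'JkDefrag.exe', 'Msgr10us.exe', 'Procexp.chm',
                         'Procexp.exe', 'Putty.exe', 'SkypeSetup.exe',
                         'Wireshark-win32-1.4.4.exe', 'Wlsetup-web.exe', 'Yahoomessenger.exe')
    "$Root\SECRET"   = @('Eyes Only.jpg', 'TopSecret.jpg')
}

function Initialize-EvaluationClient {
    foreach ($dir in $Layout.Keys) {
        New-Item -ItemType Directory -Path $dir -Force | Out-Null
        # "Delete any other files present in this directory" (steps 6, 8, 9):
        # clear loose files but leave subdirectories alone.
        Get-ChildItem -Path $dir | Where-Object { -not $_.PSIsContainer } | Remove-Item -Force
        foreach ($name in $Layout[$dir]) {
            Copy-Item -LiteralPath (Join-Path $KitRoot $name) -Destination $dir -Force
        }
    }

    # Step 7: Deleted.vbs must end up in the Recycle Bin. Remove-Item deletes
    # outright, so use the VisualBasic FileSystem helper, which recycles.
    Add-Type -AssemblyName Microsoft.VisualBasic
    [Microsoft.VisualBasic.FileIO.FileSystem]::DeleteFile(
        (Join-Path $Root 'Deleted.vbs'), 'OnlyErrorDialogs', 'SendToRecycleBin')

    # Step 10: the registry entry used by the registry monitoring and
    # protection sections later in the guide.
    New-Item -Path $TestKey -Force | Out-Null
}

function Test-EvaluationClient {
    # Returns $true only if every expected file is present, Deleted.vbs is gone
    # from C:\EVALUATION, and the registry key exists.
    $ok = $true
    foreach ($dir in $Layout.Keys) {
        foreach ($name in $Layout[$dir]) {
            $path   = Join-Path $dir $name
            $expect = ($name -ne 'Deleted.vbs')
            if ((Test-Path -LiteralPath $path) -ne $expect) {
                Write-Warning "$path present=$(-not $expect), expected present=$expect"
                $ok = $false
            }
        }
    }
    if (-not (Test-Path -LiteralPath $TestKey)) {
        Write-Warning "$TestKey is missing"
        $ok = $false
    }
    return $ok
}

Initialize-EvaluationClient
Test-EvaluationClient   # $true when the client matches steps 5-10
```

Run Test-EvaluationClient again after each trust-model exercise: a client whose layout has drifted (a missing installer, a re-created Deleted.vbs) will produce whitelist and monitoring events that do not match the figures in this guide.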
11. Deploy the Solidcore Agent. Navigate to Menu | Policy | Client Task Catalog | McAfee Agent |
Product Deployment. Create the client task “10 – SC: Deploy Solidcore” and Save it (use the figures
below for guidance). Assign it to your Evaluation Test Group and set the schedule to “Enabled” and
“Run Immediately”. Perform an Agent Wakeup and select the Force complete policy & task update
option.
• 10 – SC: Deploy Solidcore Set to Run immediately, Enabled

12. Restrict the Local CLI. Solidcore includes a client-side CLI that can be used to perform standalone
configuration on the client.
NOTE: ePO and Solidcore use a "single master" concept. If ePO owns the console, the CLI
cannot be used. If the CLI is enabled (recovered/unlocked), then ePO cannot push policy.
Restricting the CLI keeps a local administrator from changing the whitelist outside ePO's control.
Navigate to Menu | Policy | Client Task Catalog | Solidcore 5.1.x | SC: Change Local CLI Access.
Create the client task "20 – SC: Restrict Local CLI access" and Save it (use the figures below for
guidance). Assign it to your Evaluation Test Group and set the schedule to "Enabled" and "Run
Immediately". Perform an Agent Wakeup and select the Force complete policy & task update
option.
• 20 – SC: Restrict Local CLI access Set to Run immediately, Enabled

13. Enable the Solidcore Agent and Solidify (whitelist) the system. The SC: Enable client task is where
you enable the product by selecting "Application Control" and/or "Integrity Monitoring / Change
Control" according to your license and requirements, as shown below.
Navigate to Menu | Policy | Client Task Catalog | Solidcore 5.1.x | SC: Enable. Create the client
task "30 – SC: Enable" and Save it (use the figures below for guidance). Assign it to your Evaluation
Test Group and set the schedule to "Enabled" and "Run Immediately". Perform an Agent Wakeup
and select the Force complete policy & task update option.
• 30 – SC: Enable Set to Run immediately, Enabled

NOTE: The solidification process takes 5-30 minutes or more (depending on the applications on
the system) and can, if desired, force a reboot of the host. After the reboot, perform another
Agent Wake-up and make sure the test clients have updated properties in ePO.
14. Confirm that McAfee Application Control is enabled: select each client in the system tree, view
the system detail properties, scroll down to Solidcore, select "More" and verify that the
Solidification Status is listed as "Enabled".

NOTE: Alternatively, you can navigate to the ePO Dashboard – Solidcore: Application Control. All
the test client hosts should be listed in the upper middle monitor (pie chart). Click this pie chart and
you can see that McAfee Application Control is enabled.

Post Deployment Tasks - Collect Inventory (Application Control only)

16. Collect the Solidcore whitelist inventory. The Solidcore inventory is a listing of all the files on the
solidified client system; it is used later in managing the whitelist.
Navigate to Menu | Policy | Client Task Catalog | Solidcore 5.1.x | SC: Pull Inventory. Create the
client task “40 – SC: Pull Inventory” and Save it (use the figures below for guidance). Assign it to
your Evaluation Test Group and set the schedule to “Enabled” and “Run Immediately”. Perform an
Agent Wakeup and select the Force complete policy & task update option.
Wait 3-5 minutes for the task to complete on the endpoint and then perform a second Agent
Wakeup to send the Inventory back to ePO. You can monitor the task by going to the client and
pulling up the McAfee Agent Status monitor.

• 40 – SC: Pull Inventory Set to Run immediately, Enabled

17. Update the Inventory Search Index. To allow ePO to search the inventory, the inventory search
index must be updated each time inventory is collected.
Navigate to Menu | Automation | Server Tasks. Create the Server Task “01 –SC:Update Inventory
Index” (use the figures below for guidance). Save it and “Run” it.
• 01 –SC:Update Inventory Index Set to Run Daily, Set time to your choice

18. Once it has completed, you can verify Inventory is available: Navigate to Menu | Reporting |
Solidcore| Inventory and search for “Microsoft”.

Detailed Instructions – Application Control – Setup, Use, and Reporting

McAfee Application Control technically enforces control over system and application code so that only
authorized code can run, unauthorized code cannot run, authorized code cannot be tampered with, and
exploitation of vulnerabilities in authorized code is blocked by Memory Protection features that protect
running code. Application code includes not only traditional executables but also scripts, interpreted
languages and object libraries.
Application Control uses a Trust Model to provide authorized updating mechanisms that allow
automated, granular change control on a system. Authorized updating can occur by opening an update
window, by authorizing a user or application to make changes, or by the other mechanisms listed
below. No file system scanning is required, so the performance overhead and signature updates of a
scanning solution are avoided. For example, Windows patches can be approved automatically, while
changes to locked-down applications are prevented from executing.
This section reviews the Application Control Trust Model methods and steps through each authorized
updating mechanism to show how systems are solidified (a process that permits existing applications
and scripts to execute but prevents any new or changed files from executing), how authorized updates
and program execution are handled, and how modified files are automatically added to the whitelist.
Update mechanisms include:
• Time-based update (time-based "Update Mode")
• Authorized Updaters
• Publishers (certificates)
• Installers
• Trusted Directories
• Trusted Users

Updater Method | Level of Restriction | Business Use Case | Notes
Update Window | Low | Emergency changes to system(s) | Two ePO client tasks, one to open and one to close
Trusted Users | Low | Help desk users who log in remotely for break-fix and administration of geographically distant systems |
Publishers | Medium | The customer acts as its own CA and allows only its own code to update a system, regardless of how the code enters the system; or trusts signed code from a vendor | More flexibility than a hashed Installer
Authorized Updater Program | High | Update existing whitelisted applications based on a program that is allowed to make changes | Most common updating method
Binary | High | Allow or block program execution based on name or hash. Allow: scripts created dynamically, e.g. by an end-of-day/closing process on a kiosk for back-office reporting. Block: installed programs that should not run, e.g. iTunes, or reduce a server's exposure to admin-tool misuse by banning net.exe, msconfig.exe, runas.exe, netstat.exe, etc. | Used to control execution, not change, on a system
Installers | High | A non-whitelisted standalone executable, identified by hash, that installs applications on a controlled system | Useful for software distribution based on approved applications
Trusted Directory | High | Printer drivers on a remote share, "corporate approved" applications on a share, start-up scripts | Easier to manage than hash or certificate, but not as secure

Solidcore Update Mechanisms - Overview

Most applications and other executable type files are likely to remain unchanged over prolonged
periods of time. However, it may be necessary to allow some applications and other executable type
files the ability to create, modify or delete solidified (and hence protected) files. This section explores
the common mechanisms for updating a whitelisted system.
Trust Model - Manual Update Mode (Time Based Updates)

Update Mode allows ad hoc changes to the system. For example, it lets you bracket all new software
and patch installations within a specific time period; installing, removing or modifying software inside
that window dynamically updates the local whitelisted inventory. This is useful for scheduled or
emergency changes when Application Control is enabled and it is not possible to use trusted users,
directories, publishers or installers (which are preferred because they are more restrictive).
NOTE: Use Update Mode only for installing minor software updates, and keep the window no
longer than the change requires: every change made to the system while the window is open is
added to the whitelist. Running programs cannot be hijacked in Update Mode, because memory
protection remains in force.
1. To use this functionality, create two client tasks in ePO, one to open the Update Window and one
to close it. Set the schedule times for each task, make sure each task is set to "Disabled", and then
save it.
2. Navigate to Menu | Policy | Client Task Catalog | Solidcore 5.1.x | SC: Begin Update Mode. Create
the client task "30 – SC: Begin Update Mode" and Save it (use the figures below for guidance).
Assign it to your Evaluation Test Group and set the schedule to "Disabled" and "Run Immediately".
• 30 – SC: Begin Update Mode Set to a scheduled start time, Disabled

3. Navigate to Menu | Policy | Client Task Catalog | Solidcore 5.1.x | SC: End Update Mode. Create
the client task "31 – SC: End Update Mode" and Save it (use the figures below for guidance). Assign
it to your Evaluation Test Group and set the schedule to "Disabled" and "Run Immediately".
• 31 – SC: End Update Mode Set to a scheduled stop time, Disabled

Trust Model – Authorized Updaters

An authorized updater is any whitelisted application executable that is defined as an authorized update
agent. Once authorized, the application can patch, update and create binaries without any user
intervention. Updaters are the most common update mechanism in the Trust Model, since programs
frequently need to make changes or are used as software distribution mechanisms (e.g. Tivoli,
Opsware, SMS, BladeLogic). Because everything an updater writes becomes whitelisted, scope updaters
narrowly: authorize the specific update process, not a general-purpose shell or script host.
NOTE: McAfee Application Control has predefined rule sets for many popular updating
applications such as Altiris, SMS, McAfee and others. Refer to Menu | Configuration | Solidcore
to review the predefined objects used in Rule Groups for Application Control, Change Control
and Integrity Monitoring.

Trust Model – Binary Ban or Allow (Blacklisting existing apps or allowing ones that are not
on the whitelist)

A Binary rule names an executable that is allowed or banned from executing. In this example, the
Skype setup package is located in C:\EVALUATION\SOFTWARE, which is a trusted directory. Company
policy has changed so that nobody may use Skype anymore. To ensure it does not execute, whether it
is whitelisted or not, it will be banned (blacklisted) with a binary ban rule. This is demonstrated in the
rule group entitled "McAfee Evaluation Rule Group".
NOTE: The following steps assume Solidcore Setup steps 1-5 were completed.
1. Navigate to Menu | Configuration | Solidcore | Rule Groups and select "Application Control" from
the drop-down menu. Locate the "McAfee Evaluation" Rule Group and edit it. Select Binary and
then select "Add from Inventory". Search on "Skype", select SkypeSetup.exe, select "Ban" and
"Checksum", and name the rule "Ban Skype", as shown below. Banning by checksum ties the ban to
the file contents rather than the file name, so a renamed copy of the same binary stays banned,
while a different Skype build would need its own rule.

Trust Model – Publishers

A Publisher rule identifies authorized software by the certificate that signed the software package and
allows users to download and install anything signed by that publisher. You add the publisher's
certificate as a trusted publisher by extracting it from the installer and registering it with ePO. To assist,
you can either use the "Scan Repository" automated task to search a share for publishers and installers
and extract their certificates, or perform a one-time extraction from Configuration | Solidcore |
Publishers | Actions | Extract Certificates, which extracts the certificates from the share. The results
populate the Publishers and Installers lists accordingly. In this example we use the automated task.

1. Navigate to Menu | Automation | Server Tasks and locate the “03 – SC:Get Updaters” server task
and “Run” it. If it does not exist, refer to Appendix A, General Setup Tasks, for guidance on creating
it.

2. Navigate to Menu | Configuration | Solidcore | Publishers. This lists the publishers discovered by the
Repository Scan. In this example, select Microsoft, go to Actions, choose Assign to Rule Group and
select "McAfee Evaluation".

Trust Model – Publishers – Custom Scripts

Custom scripts can be trusted as a Publisher by signing the scripts and applications with a
self-generated certificate and then trusting that certificate.
1. Generate an X.509 certificate and key pair with a tool such as makecert.exe. For more information
see http://msdn.microsoft.com/en-us/library/bfsktky3%28VS.80%29.aspx. Skip this step if you
already have a code-signing certificate.
2. Export the certificate in PEM (Base64-encoded DER) format.
3. Upload the certificate to an Application Control policy as a trusted publisher and apply the policy.
4. Use the certificate to sign the binary, and verify the signature, with a tool such as SignTool.exe.

NOTE: In the case of scripts, convert the script into a self-extracting executable file, then sign the
file. (To allow execution of a signed script wrapped in a self-extracting exe, add the publisher as
an updater in the Application Control policy.)
5. You can now copy the signed binary to a client and execute it.
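Steps 1, 2 and 4 above, as an added PowerShell example (not from the McAfee guide). It assumes makecert.exe and signtool.exe from the Windows SDK are on the PATH, that the file to sign is C:\EVALUATION\SCRIPTS\Permitted.exe (a hypothetical self-extracting wrapper around Permitted.vbs, per the NOTE above), and uses a made-up certificate subject. Step 3, uploading the resulting PEM as a trusted publisher, is done in the ePO console.

```powershell
# Added example (not from the McAfee guide): self-signed code-signing cert,
# PEM export for ePO, Authenticode signing and local verification.
# Paths and the subject name are hypothetical.

$Subject = 'CN=Evaluation Code Signing'
$Target  = 'C:\EVALUATION\SCRIPTS\Permitted.exe'
$CerOut  = 'C:\EVALUATION\eval-codesign.cer'   # binary DER written by makecert
$PemOut  = 'C:\EVALUATION\eval-codesign.pem'   # Base64 DER to upload to ePO

function New-EvalSigningCert {
    # Self-signed (-r), exportable private key (-pe), code-signing EKU,
    # 2048-bit key, SHA-256 signature, stored in CurrentUser\My so that
    # signtool can select it by subject name (/n).
    & makecert.exe -r -pe -n $Subject -ss My -sr CurrentUser `
        -eku 1.3.6.1.5.5.7.3.3 -a sha256 -len 2048 $CerOut
    if ($LASTEXITCODE -ne 0) { throw "makecert failed with exit code $LASTEXITCODE" }
    # signtool only selects certificates that chain to a trusted root, so add
    # the self-signed cert to the signing machine's user Root store. This does
    # not have to be done on the test clients: the Publisher rule is keyed on
    # the certificate uploaded to ePO, not on the Windows root store.
    & certutil.exe -user -addstore Root $CerOut | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certutil failed with exit code $LASTEXITCODE" }
}

function Export-EvalCertPem {
    # PEM = Base64 DER wrapped at 64 columns between BEGIN/END lines (step 2).
    $cert = Get-ChildItem Cert:\CurrentUser\My |
            Where-Object { $_.Subject -eq $Subject } | Select-Object -First 1
    if (-not $cert) { throw "certificate '$Subject' not found in CurrentUser\My" }
    $b64   = [Convert]::ToBase64String($cert.Export('Cert'))
    $lines = for ($i = 0; $i -lt $b64.Length; $i += 64) {
        $b64.Substring($i, [Math]::Min(64, $b64.Length - $i))
    }
    @('-----BEGIN CERTIFICATE-----') + $lines + @('-----END CERTIFICATE-----') |
        Set-Content -LiteralPath $PemOut -Encoding Ascii
    return $cert.Thumbprint
}

function Invoke-EvalSign {
    # Step 4: sign, then read the signature back.
    & signtool.exe sign /v /s My /n 'Evaluation Code Signing' $Target
    if ($LASTEXITCODE -ne 0) { throw "signtool failed with exit code $LASTEXITCODE" }
    $sig = Get-AuthenticodeSignature -FilePath $Target
    New-Object PSObject -Property @{
        File       = $Target
        Status     = $sig.Status          # 'Valid' on the signing machine
        Signer     = $sig.SignerCertificate.Subject
        Thumbprint = $sig.SignerCertificate.Thumbprint
    }
}

New-EvalSigningCert
$uploaded = Export-EvalCertPem
$result   = Invoke-EvalSign
$result | Format-List File, Status, Signer, Thumbprint
# The file must carry the same certificate that was exported for ePO.
if ($result.Thumbprint -ne $uploaded) { throw 'signed with a different certificate than the one exported' }
```

On a test client that does not have the self-signed certificate in its root store, Get-AuthenticodeSignature reports a non-Valid status for the same file; that is expected and is independent of whether Application Control allows it, which depends on the certificate registered in the policy. Compare the thumbprint printed here with the publisher entry in ePO when troubleshooting a signed file that is still blocked.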

Trust Model - Installers

An authorized application installer is identified by the SHA-1 hash of a particular installer package;
users can download and install that package on systems where the rule is applied. The installer does
not have to reside on the system when the rule is created. In this example we use the results of the
Software Repository scan run previously to identify installer packages by their hash. Alternatively, you
can enter an installer package and its hash manually by navigating to Menu | Solidcore | Installers |
Actions | Add Installers and filling in all the parameters, including the hash, as shown below. The
HashTab application in the Reviewers Guide Resource Kit is useful for reading the hash of an installer
on an endpoint.

1. Navigate to Menu | Configuration | Installers to list the installers discovered in the previous
Software Repository Scan. Select the installers in your environment that you want to authorize. In
this example we select "wlsetup-web.exe", a company-approved Microsoft instant messaging
package.

2. Go to Actions and Assign to Rule Group and select “McAfee Evaluation” as shown below.
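Both the Binary rule (ban SkypeSetup.exe by checksum) and the Installer rule (allow wlsetup-web.exe by SHA-1) key on a file hash, and the Publisher rule keys on the signing certificate. The following PowerShell is an added example, not from the McAfee guide, and is a local stand-in for what the Repository Scan reports: for each file in a software folder it produces the SHA-1 and, where the file is Authenticode-signed, the signer subject and thumbprint. It assumes the C:\EVALUATION\SOFTWARE layout from this guide and that the Binary rule's Checksum option uses the same SHA-1 file hash as Installer rules (an assumption; verify against the hash ePO displays).

```powershell
# Added example (not from the McAfee guide): hash and signer inventory of a
# software folder, for filling in Installer/Binary (hash) and Publisher (cert)
# rules. Written for Windows PowerShell 2.0 and later.

function Get-InstallerInventory {
    param([Parameter(Mandatory = $true)][string]$Path)

    $sha1  = [System.Security.Cryptography.SHA1]::Create()
    $files = Get-ChildItem -Path $Path -Recurse | Where-Object { -not $_.PSIsContainer }
    foreach ($file in $files) {
        # Hash the contents: ePO matches on the hash, not on the file name.
        $stream = $file.OpenRead()
        try     { $digest = $sha1.ComputeHash($stream) }
        finally { $stream.Close() }
        $hash = ($digest | ForEach-Object { $_.ToString('x2') }) -join ''

        # A Publisher rule only helps for signed files; record who signed it.
        $sig    = Get-AuthenticodeSignature -FilePath $file.FullName
        $signer = $null
        $thumb  = $null
        if ($sig.SignerCertificate) {
            $signer = $sig.SignerCertificate.Subject
            $thumb  = $sig.SignerCertificate.Thumbprint
        }
        New-Object PSObject -Property @{
            Name       = $file.Name
            SizeBytes  = $file.Length
            SHA1       = $hash
            SigStatus  = $sig.Status        # NotSigned, Valid, UnknownError, ...
            Signer     = $signer
            Thumbprint = $thumb
        }
    }
}

# Usage: signed files first (candidates for a Publisher rule), unsigned files
# after (these need a hash-based Installer or Binary rule).
Get-InstallerInventory -Path 'C:\EVALUATION\SOFTWARE' |
    Sort-Object @{ Expression = { $_.SigStatus -eq 'NotSigned' } }, Name |
    Format-Table Name, SHA1, SigStatus, Signer -AutoSize
```

Re-run the inventory after copying a package onto the share: a hash that differs from the one in the Installer rule (a newer build, or a file altered in transit) will not be allowed by that rule, which is the point of hashing but also the most common reason an "approved" installer is blocked during an evaluation.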

Trust Model - Trusted Users

A Trusted User is an authorized user with elevated Windows/Unix privileges whose actions dynamically add to
the whitelist. It should be considered the least preferred method of updating a system, as it is the least
restrictive in terms of what modifications can be made and what code can be run on an endpoint.

1. Navigate to Menu | Configuration | Solidcore | Rule Groups and select “Application Control” from
the drop-down menu. Locate the “McAfee Evaluation” Rule Group and edit it.
2. Select Trusted User and then select “Add” or “AD Import”. In this example, we will use AD Import
to import a user from Active Directory.
NOTE: To utilize AD Import, you must first register an Active Directory with ePO. Search on
user name or Group and select the user(s) and then OK to add them as shown below.


Trust Model - Trusted Directories

Application Control’s protection envelope prevents a client from executing code residing on a network
share. Many organizations, however, maintain shared folders on the internal network where installers
for authorized and licensed applications are kept. Such network shares are within the security
perimeter and are known and trusted by the customer. This type of rule allows all users to run any
software present in a Trusted Directory, identified by its UNC path, and can additionally allow the
software located at that UNC path to modify the endpoint system. In this example we will point to the
scripts and software directories on the evaluation system that were set up earlier.

1. Navigate to Menu | Configuration | Solidcore | Rule Groups and select “Application Control” from
the drop-down menu. Locate the “McAfee Evaluation” Rule Group and edit it.
2. Select Trusted Directories and then select “Add”. Add the following directories, substituting the name
of the system in your evaluation for 148-SC-2K3VM, using the illustrations below for guidance.
• \\148-SC-2K3VM\EVALUATION\SCRIPTS
• \\148-SC-2K3VM\EVALUATION\SOFTWARE


3. Windows Login Scripts (SYSVOL)

Another example: Windows domain users need to have login scripts delivered daily. These are
normally VB scripts and will be denied unless a rule for the SYSVOL share is added to the policy. To allow
them, a Trusted Directory rule for that share needs to be added to the rule group.

SYSVOL AND LOGIN SCRIPTS
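The trust rules described above (Installers, Trusted Users and Trusted Directories) are all evaluated on the endpoint against the same question: may this user run this file? The following Python model, added to this guide as an illustration and not code from McAfee's product or from the Reviewers Guide Resource Kit, shows that decision order in code. The RuleGroup structure, the account name LAB\svc-deploy and the installer bytes are constructed assumptions; the two UNC paths are the Trusted Directories from step 2 above, and the whitelist argument stands in for the host's solidified inventory.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed sample installer content; in practice hash the real package
# (HashTab shows the same SHA1 in the file's properties dialog).
SAMPLE_INSTALLER = b"MZ\x90\x00constructed-installer-package-v1"


def sha1_hex(data: bytes) -> str:
    """SHA1 of a file's bytes, the identifier an installer rule is keyed on."""
    return hashlib.sha1(data).hexdigest()


@dataclass
class RuleGroup:
    """Simplified stand-in for an Application Control rule group (assumed
    structure, not the product's own schema)."""
    installer_hashes: set = field(default_factory=set)   # Trust Model - Installers
    trusted_users: set = field(default_factory=set)      # Trust Model - Trusted Users
    trusted_dirs: list = field(default_factory=list)     # Trust Model - Trusted Directories (UNC)


@dataclass
class Decision:
    allowed: bool
    reason: str


def _norm(path: str) -> str:
    # Windows paths are case-insensitive; compare them in one canonical form.
    return path.replace("/", "\\").lower()


def _under_trusted_dir(path: str, trusted_dirs) -> bool:
    p = _norm(path)
    return any(p.startswith(_norm(d).rstrip("\\") + "\\") for d in trusted_dirs)


def evaluate(path: str, content: bytes, user: str, whitelist: dict, rules: RuleGroup) -> Decision:
    """Decide whether `user` may execute `path` with the given content.

    `whitelist` maps a normalized path to the SHA1 recorded when the file was
    solidified.  A solidified file whose content no longer matches that hash
    is treated as modified and falls through to the trust rules.
    """
    digest = sha1_hex(content)
    if whitelist.get(_norm(path)) == digest:
        return Decision(True, "solidified")
    if digest in rules.installer_hashes:
        return Decision(True, "authorized installer (SHA1 match)")
    if _under_trusted_dir(path, rules.trusted_dirs):
        return Decision(True, "trusted directory")
    if user.lower() in {u.lower() for u in rules.trusted_users}:
        return Decision(True, "trusted user")
    return Decision(False, "not solidified and no trust rule matched")


def demo_rules() -> RuleGroup:
    """Rule group mirroring the evaluation setup in this guide (account name constructed)."""
    return RuleGroup(
        installer_hashes={sha1_hex(SAMPLE_INSTALLER)},
        trusted_users={"LAB\\svc-deploy"},
        trusted_dirs=[r"\\148-SC-2K3VM\EVALUATION\SCRIPTS",
                      r"\\148-SC-2K3VM\EVALUATION\SOFTWARE"],
    )
```

Note that the installer rule matches on content alone, so the package may be run from any location, whereas the Trusted Directory rule matches on location alone, which is why a share it names must be controlled as tightly as the rule group itself.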

Application Control - Testing and Reporting

This section explores the Application Control capabilities. It shows how systems are solidified (a process
that permits existing applications and scripts to execute, but prevents any new or changed files from
being executed). It looks at how unsolidified (unauthorized) files are handled, and how modified files
are treated.
Confirm that steps 1-5 from the Solidcore Preparation and Setup section have been completed prior to
starting this section.


Key concepts within this lab

• Reporting on Solidifier status
• Reporting on unsolidified files
• Solidifier reaction to execution of unauthorized applications
• Solidifier reaction to attempted changes to solidified applications
• Unsolidifying individual files

Confirm that the system is Solidified

1. Confirm that McAfee Application Control is enabled by going to the ePO Dashboard – Solidcore:
Application Control. All the customer test client hosts should be listed in the upper middle
monitor (pie chart). Click this pie chart to see that McAfee Application Control is enabled.
2. For each of the test clients, go into ePO, select the test client in the System Tree and view the
system detail properties. Select the Product tab and select Solidcore under the product list to show
the details. Verify the solidification status, as shown below.


Attempt to execute unauthorized applications

3. Restore the file named Deleted.vbs from the Recycle Bin, and from the C:\EVALUATION folder attempt to
execute it.
NOTE: The deleted items are not solidified and hence
not authorized to execute.

4. Open up the Event Viewer and view the top item in the
Application Event Log.
NOTE: The entry shows the file that was attempted to be executed, and the
process and user attempting to execute it.


Best Practice Tip: Troubleshooting

Any trusted application that has not been identified as an “Updater” and that attempts to
change the system will be blocked, and the result recorded in the Event Viewer log or syslog. The
location of the blocked program is listed in the log entry and can then be added to a “Rule Group” as an
updater. Analyzing the Event Viewer log or syslog is an excellent method for tuning the Updaters once a
system has been initially solidified.

Attempt to modify and execute protected applications

5. Edit C:\EVALUATION\permitted.bat and change the second line from color 0e to color 0f and
attempt to save this file. You should be prevented from overwriting the solidified file.
6. Save the changed file as C:\EVALUATION\permitted2.bat and attempt to execute it.
7. Refresh the Event Log and confirm Solidcore has prevented execution.

9. Copy across the following 3 files to C:\EVALUATION:
• Denied.bat
• Denied.vbs
• md5sum.exe
10. Confirm none of the above files can be executed.
11. Attempt to delete all files from C:\EVALUATION.
NOTE: The following files cannot be deleted since they are protected by Solidcore
• baretail.exe
• Permitted.bat
• Permitted.vbs

Unsolidify protected files and protected applications

12. We now want to unsolidify these remaining files. Navigate to Menu | Policy | Client Task Catalog
and locate the “80 – SC:Unsolidify Files” client task.
13. Edit the 80 – SC:Unsolidify Files client task and change the command to unsolidify
c:\evaluation\permitted.bat
14. Click the + button to add another command and enter unsolidify
c:\evaluation\permitted.vbs


15. Click the + button to add another command and enter unsolidify
c:\evaluation\baretail.exe

16. Save the task and navigate to System Tree | Evaluation Group | Assigned Client Tasks.
17. Enable the task, save it, and then perform an Agent Wakeup.
18. Ensure that those three files can now be deleted from C:\EVALUATION, then empty the Recycle Bin.

Examine Events from the ePO Server

19. Log in to ePO and navigate to the ePO Dashboard and select Solidcore: Application Control from the
dropdown list.


20. Select a System in the “Solidcore: Top 10 Systems with Most Violations Detected in the last 24
hours” monitor to list the violations that occurred as a result of the previous steps.


Application Control – Updaters - Testing and Reporting

Most applications and other executable-type files are likely to remain unchanged over prolonged
periods of time. However, it may be necessary to allow some applications and other executable-type
files the ability to create, modify or delete solidified (and hence protected) files. This section explores
mechanisms for updating a solidified system.
This evaluation scenario shows how you can use scheduled change windows to ensure that systems
can be updated by any method you currently use for updating systems or installing new software.
It also shows how you can use an enterprise software distribution tool to allow updates at any time.

Key concepts within this lab

• Solidifying individual files
• Beginning and ending update sessions
• Adding a user as an updater
• Listing and removing updaters
• Authorizing an application as an updater

Confirm that the system is Solidified

1. If you completed the “Application Control – Testing and Reporting” section above, you can skip to
steps 3 and 4. If you have not, you will need to perform steps 11-17 of that section in preparation for this
review section.
2. Confirm that McAfee Application Control is enabled by going to the ePO Dashboard – Solidcore:
Application Control. All the customer test client hosts should be listed in the upper middle
monitor (pie chart). Click this pie chart and you can see that McAfee Application Control is enabled.
3. Copy baretail.exe to C:\EVALUATION
4. Confirm this file cannot be executed, and delete the file and empty the recycle bin.

Examine Update Mode Functionality

The begin-update command starts Update mode for performing software updates and installations. On
issuing this command, the Solidifier begins tracking all file changes.

5. Log in to the ePO server, navigate to System Tree and select your Evaluation Group. Select
the Client Task Catalog, locate the 50 – SC:Begin Update Mode client task, enable it and save
it.
6. Perform an Agent Wakeup.


NOTE: For the purposes of the evaluation, we will run this task immediately. However, in a
production environment this would be scheduled to match your organization’s normal maintenance
windows.

7. Copy baretail.exe to C:\EVALUATION
8. Edit the 50 – SC:Begin Update Mode task. Disable it and save it.
9. Edit the 51 – SC:End Update Mode task. Enable it, save it, and then perform an Agent Wakeup.
10. Confirm this file (baretail.exe) can now be executed.
11. Now copy Denied.exe to C:\EVALUATION and attempt to execute it.
NOTE: This file will not execute because it was not added to the system during the update period.
12. Try deleting both files from C:\EVALUATION.
NOTE: You can only delete Denied.exe and not baretail.exe. This is because baretail.exe is now
solidified and protected by McAfee Application Control.
13. Edit the 51 – SC:End Update Mode task. Disable it and save it.
14. Edit the 50 – SC:Begin Update Mode task. Enable it, save it, and then perform an Agent Wakeup.
15. Delete all files from C:\EVALUATION and empty the recycle bin.
16. Edit the 50 - Begin Update Mode task. Disable it and save it.
17. Edit the 51 - End Update Mode task. Enable it, save it, and then perform an Agent Wakeup.
18. Review the events from the ePO Dashboard – Solidcore: Application Control, or browse the events
by navigating to Menu | Reporting | Solidcore and selecting Solidcore Evaluation Group from the
system tree.
19. Note that before update mode began there were multiple denied events, whereas during the
update windows there were no denied events.
20. Navigate to the ePO Dashboard – Solidcore: Application Control and examine the events
21. Edit the 51 - End Update Mode task. Disable it and save it.

Examine Update User Functionality

A user can be configured so that all update events by that user are authorized.
NOTE: Either domain users or groups or local accounts can be used for this process, but for the sake
of simplicity a local account is used within this lab. When a Trusted User is logged in, changes made
to the system are solidified in real time. Run-as is not supported.

22. Navigate to Menu | Policy | Policy Catalog | SolidCore: 5.1.x: Application Control | Application
Control Rules (Windows).
Duplicate the McAfee Default policy and rename it to McAfee Evaluation.


23. Edit the McAfee Evaluation policy, locate Yahoo Messenger and remove it from the Rule Group.
24. Add the McAfee Evaluation Rule Group that was created in the previous Trust Model section.
Select Add and locate the McAfee Evaluation Rule Group. Select it and press OK to save it. On
one of the test clients, confirm that the user account you created in the rule group exists on the test
client. If it does not exist, create it now. You can use any name you would like. Make sure that the
account is part of the “Administrators” group on the test client so that it can add applications.

Best Practice Tip: Rule Groups

25. Save the policy and go back to the system tree, select the Evaluation Group, and assign this policy to
that group for the Application Control. Perform an agent wakeup call so the test clients get the new
policy.
26. Next login to one of the test clients and copy the YahooMessenger.exe to the desktop.
27. Attempt to install it. You will get an error message.


28. Log in to the test client as the trusted updater named in the rule group and perform the same steps.
Notice that the application can now be executed; also open the Event Viewer and observe
how the process is capturing and solidifying the files associated with this application.

29. Copy baretail.exe to C:\EVALUATION
30. Confirm this file can now be executed.
31. Open the Event Viewer and confirm the file add event was logged, using the UPDATER tag specified
above.


32. Log off as the “Trusted Updater” user and log in to Windows using the account used previously.
33. Confirm this file can still be executed. Any files added by an update user can be executed on the
system.

Examine Authorized Application Functionality

Applications and scripts can be authorized to make changes to a solidified system.

34. Copy filegen.vbs to C:\EVALUATION.
35. Confirm this file cannot be executed.
36. Solidify filegen.vbs. Navigate to Menu | Policy | Client Task Catalog and locate the 81 – SC:Solidify
Files task.
37. Edit the client task 81 – SC:Solidify Files and in the configuration section, change the command to
solidify c:\evaluation\filegen.vbs. Remove the remaining solidify commands by
hitting the “-“.
38. Save it and Navigate to the System Tree and Assigned Client Tasks. Locate the task, edit it, enable it,
and save it. Perform an agent wake up.
39. Confirm filegen.vbs can now be executed and notice that it generates a file called newfile.bat.
40. Confirm newfile.bat cannot be executed, and delete this file.

Authorized Application Updaters

In order for applications or scripts to be allowed to make changes (additions, modifications, deletions)
the application or script needs to be authorized. We will use our McAfee Evaluation Rule Group to add
this in.
41. Add filegen.vbs as an authorized updater. Navigate to Menu | Configuration | Solidcore |
Application Control. Locate and select the McAfee Evaluation rule group, Edit it and select
Updaters. Add c:\evaluation\filegen.vbs as a “Binary”.


42. Save the Rule Group and perform an Agent Wakeup. Notice that we did not have to modify the
Policy, only the Rule Group.
43. Confirm filegen.vbs can now be executed and notice that once again it generates a file called
newfile.bat.
44. Confirm newfile.bat can now be executed but can no longer be deleted, as this file is solidified (authorized
to execute and protected from change).
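The behaviour exercised in the Testing and Reporting section and in steps 5-21 (update mode) and 34-44 (authorized updaters) above can be summarised as a small state machine. The following Python model is an added example, not code from McAfee or from this guide. Its Solidifier class and the semantics it encodes (a solidified file runs only while its hash is unchanged, a protected file may be changed or deleted only in update mode or by an authorized updater, and changes made that way are solidified at once) are a simplified assumption about the product, and all file contents are constructed.

```python
import hashlib
from dataclasses import dataclass, field


def _sha1(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


@dataclass
class Solidifier:
    """Toy model of one solidified host (assumed, simplified semantics):
    a file runs only if it is in the inventory with an unchanged hash; inventory
    files may be changed or deleted only in update mode or by an authorized
    updater; files added or changed that way are solidified immediately."""
    files: dict = field(default_factory=dict)      # path -> current bytes (constructed "disk")
    inventory: dict = field(default_factory=dict)  # path -> SHA1 recorded at solidification
    updaters: set = field(default_factory=set)     # programs authorized to change the system
    update_mode: bool = False
    events: list = field(default_factory=list)     # (kind, path, actor): what Event Viewer/ePO would show

    def _authorized(self, actor: str) -> bool:
        return self.update_mode or actor in self.updaters

    def solidify(self, path: str) -> None:         # "solidify <path>" client task
        self.inventory[path] = _sha1(self.files[path])

    def unsolidify(self, path: str) -> None:       # "unsolidify <path>" client task
        self.inventory.pop(path, None)

    def begin_update(self) -> None:                # 50 - SC:Begin Update Mode
        self.update_mode = True

    def end_update(self) -> None:                  # 51 - SC:End Update Mode
        self.update_mode = False

    def write(self, path: str, data: bytes, actor: str = "explorer.exe") -> bool:
        """Create or overwrite a file; returns True if the write was permitted."""
        if path in self.inventory and not self._authorized(actor):
            self.events.append(("WRITE_DENIED", path, actor))
            return False
        self.files[path] = data
        if self._authorized(actor):                # authorized change: joins the whitelist
            self.inventory[path] = _sha1(data)
            self.events.append(("FILE_SOLIDIFIED", path, actor))
        else:                                      # on disk, but not authorized to run
            self.events.append(("FILE_CREATED", path, actor))
        return True

    def delete(self, path: str, actor: str = "explorer.exe") -> bool:
        if path in self.inventory and not self._authorized(actor):
            self.events.append(("DELETE_DENIED", path, actor))
            return False
        self.files.pop(path, None)
        self.inventory.pop(path, None)
        return True

    def execute(self, path: str, actor: str = "explorer.exe") -> bool:
        data = self.files.get(path)
        if data is not None and self.inventory.get(path) == _sha1(data):
            return True
        self.events.append(("EXECUTION_DENIED", path, actor))
        return False


def run_scenario() -> dict:
    """Replays the steps from the two testing sections; returns each observed outcome."""
    host = Solidifier()
    host.files[r"C:\EVALUATION\permitted.bat"] = b"@echo off\r\ncolor 0e\r\n"
    host.solidify(r"C:\EVALUATION\permitted.bat")
    out = {}
    # Steps 5-7: a solidified file cannot be overwritten; a copy of it is not authorized to run
    out["overwrite_permitted"] = host.write(r"C:\EVALUATION\permitted.bat", b"@echo off\r\ncolor 0f\r\n")
    host.write(r"C:\EVALUATION\permitted2.bat", b"@echo off\r\ncolor 0f\r\n")
    out["exec_permitted2"] = host.execute(r"C:\EVALUATION\permitted2.bat")
    # Update mode steps 5-12: only what arrives inside the window is solidified
    host.begin_update()
    host.write(r"C:\EVALUATION\baretail.exe", b"constructed-baretail-bytes")
    host.end_update()
    out["exec_baretail"] = host.execute(r"C:\EVALUATION\baretail.exe")
    host.write(r"C:\EVALUATION\Denied.exe", b"constructed-denied-bytes")
    out["exec_denied"] = host.execute(r"C:\EVALUATION\Denied.exe")
    out["delete_denied"] = host.delete(r"C:\EVALUATION\Denied.exe")
    out["delete_baretail"] = host.delete(r"C:\EVALUATION\baretail.exe")
    # Steps 34-44: a solidified script may run, but what it creates is solidified only once it is an updater
    host.files[r"C:\EVALUATION\filegen.vbs"] = b"constructed-filegen-script"
    host.solidify(r"C:\EVALUATION\filegen.vbs")
    out["exec_filegen"] = host.execute(r"C:\EVALUATION\filegen.vbs")
    host.write(r"C:\EVALUATION\newfile.bat", b"@echo hi", actor="filegen.vbs")
    out["exec_newfile_before"] = host.execute(r"C:\EVALUATION\newfile.bat")
    host.delete(r"C:\EVALUATION\newfile.bat")
    host.updaters.add("filegen.vbs")
    host.write(r"C:\EVALUATION\newfile.bat", b"@echo hi", actor="filegen.vbs")
    out["exec_newfile_after"] = host.execute(r"C:\EVALUATION\newfile.bat")
    out["delete_newfile_after"] = host.delete(r"C:\EVALUATION\newfile.bat")
    out["denied_events"] = sum(1 for kind, _, _ in host.events if kind.endswith("_DENIED"))
    return out
```

The events list is the part worth keeping an eye on: every denied outcome in the scenario appears there, which is the same data the Top 10 Systems with Most Violations monitor summarises, and the absence of denials for the file added inside the update window is what step 19 asks you to observe.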

Examine Events from the ePO Server

45. Log in to ePO and navigate to the ePO Dashboard – Solidcore: Application Control and explore the
events that have occurred throughout this evaluation scenario.


Detailed Instructions – Application Control – Image Deviation Use and Reporting

The Image Deviation feature allows IT managers and administrators to ensure that all the servers in
their environment adhere to a gold standard set of executables and scripts. The gold standard is defined as a set
of executable binaries or scripts and their checksum values, if known. The methodology involves
solidifying servers with Application Control enabled, gathering the solidified inventory image from the
servers and comparing it with the solidified image on one or more gold standard servers.
Gathering inventory from client systems on a regular basis is useful in order to compare a Gold Image
to the image being queried and examine changes. The tasks that perform these functions can be
scheduled and automated so that inventory is collected on a scheduled basis (e.g. once a week) and
compared to a Gold Image, all in the background.
In this example we use two identical systems in order to simplify the results. For evaluation purposes,
use two systems that are very similar in order to minimize the results in the image deviation: one for
the gold image and the other to analyze the differences against the gold image, using the files provided
in the “Reviewers Guide Resource Kit”, or you can analyze files known to be different on each system.
For this example, we will use the files in the Reviewers Guide Resource Kit.
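Image deviation is, at its core, a comparison of two inventories of path-to-checksum pairs. The following Python function is an added example, not McAfee's implementation, that reports the three categories the report shows: files added, files missing, and files present on both sides whose checksum differs. The inventories and file contents are constructed sample data, and build_inventory stands in for what a pull-inventory task collects from a host.

```python
import hashlib
from dataclasses import dataclass


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


@dataclass
class Deviation:
    added: list     # on the client but not in the gold image
    missing: list   # in the gold image but not on the client
    modified: list  # on both, with different checksums


def build_inventory(files: dict) -> dict:
    """Inventory as path -> SHA1, standing in for what a pull-inventory task collects."""
    return {path: sha1_hex(content) for path, content in files.items()}


def image_deviation(gold: dict, client: dict) -> Deviation:
    """Compare a client's inventory with the gold image's.  Paths are compared
    case-insensitively, as Windows treats them."""
    g = {p.lower(): h for p, h in gold.items()}
    c = {p.lower(): h for p, h in client.items()}
    return Deviation(
        added=sorted(set(c) - set(g)),
        missing=sorted(set(g) - set(c)),
        modified=sorted(p for p in set(g) & set(c) if g[p] != c[p]),
    )


def to_csv_rows(dev: Deviation) -> list:
    """Flatten the result to (category, path) rows, the shape an export to a spreadsheet needs."""
    return ([("added", p) for p in dev.added]
            + [("missing", p) for p in dev.missing]
            + [("modified", p) for p in dev.modified])


# Constructed sample contents for a gold image and one client under evaluation.
GOLD_FILES = {
    r"C:\EVALUATION\Permitted.bat": b"@echo off\r\ncolor 0e\r\n",
    r"C:\EVALUATION\baretail.exe": b"constructed-baretail-bytes",
    r"C:\EVALUATION\Extra.bat": b"constructed-extra-bat",
    r"C:\EVALUATION\Extra.vbs": b"constructed-extra-vbs",
}
CLIENT_FILES = {
    r"C:\EVALUATION\permitted.bat": b"@echo off\r\ncolor 0f\r\n",   # edited: checksum differs
    r"C:\EVALUATION\baretail.exe": b"constructed-baretail-bytes",   # identical to the gold image
    r"C:\EVALUATION\Denied.bat": b"constructed-denied-bat",         # not on the gold image
}


def demo() -> Deviation:
    return image_deviation(build_inventory(GOLD_FILES), build_inventory(CLIENT_FILES))
```

The "modified" category is the one a whitelist-only view would hide: a file can be present on both systems under the same name and still differ in content, and only the checksum comparison surfaces that.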

Business Use Case

In typical scenarios this capability can be used to compare many existing systems with a “Gold
Standard” system to ensure that there is no unwanted/undesired software installed. This
capability is particularly useful in situations where there are many homogeneous systems (e.g.
kiosks, POS systems, process control systems, manufacturing/plant floor systems or others).

Key concepts within this Scenario

• Gathering Inventory information from a Client system
• Creating a gold image
• Reporting on deviations from the gold image
• Listing unsolidified files
• Solidifying individual files
• Utilizing Solidcore “Get Diagnostics for Programs” to assist in tuning Trusted Updaters

Prepare the Test Clients for Evaluating Image Deviation

1. On each of the Test clients, ensure the C:\EVALUATION directory is empty. If it is not, enable and run
the Client Task “50 – SC:Begin Update Mode”. Perform an Agent wake-up call to execute the task.
2. Delete the files in the C:\EVALUATION directory.


3. Then enable and run “51 – SC:End Update Mode” to re-secure the systems. Make sure each of the
client tasks are “disabled” once this is complete.
4. Confirm that McAfee Application Control is enabled by going to the ePO Dashboard – Solidcore:
Application Control. All the customer test client hosts should be listed in the upper middle
monitor (pie chart). Click this pie chart and you can see that McAfee Application Control is enabled.

Image Deviation

1. Pull Inventory data from the Test Clients. Navigate to System Tree | Evaluation Group | Assigned
Client Tasks.
2. Edit the “40 – SC: Pull Inventory” task and enable it. Save it and perform an Agent Wakeup, selecting
the Force complete policy & task update option. If this task does not exist, refer to Appendix
A, General Setup Tasks, for guidance on setting this up.
3. After the first wake-up call completes, wait a few minutes and then perform another wake-up call; this
is required in order to send the result set to ePO.

Create a Gold Image and Perform an Initial Image Deviation Comparison

4. Navigate to Menu | Automation | Server Tasks. Locate the 61 – SC: Image Deviation task. If this
does not exist, refer to Appendix A, General Setup Tasks, for guidance on setting this up. Edit the
task and under Actions, select the Test client to be used as a Gold Image and then select the Test
clients to be compared against. Save the task and then select Run. Observe the completion in the
Server Task Log.

5. Once complete, navigate to Menu | Reporting | Solidcore | Image Deviation and locate the Image
Deviation results from the Automated Task that just completed. In this example, there are 4 files
added and 4 files missing... This will form the basis of our image deviation baseline for this
document.


6. Click the “View” link (in the far right) to bring up the details. This data can be exported for further
analysis by selecting the “Options” tab in the far right corner. For example, this data could be
exported in CSV format and imported into an Excel spreadsheet.

Modify a non-Gold Image client and check against the gold image

6. On one of the Test clients other than the one designated as the Gold Image, copy across the
following 2 files to C:\EVALUATION. The files can be found in the Reviewers Guide Resource Kit.
• Extra.bat
• Extra.vbs
7. Attempt to run each of these applications to ensure they are not authorized.
8. Edit the 40 – SC: Pull Inventory task and enable it. Save it and perform an Agent Wakeup, selecting
the Force complete policy & task update option.
9. On the Test clients, open the McAfee Agent Monitor and confirm that the task completed. Once
completed, perform an Agent Wakeup and select the Force complete policy & task update option.
10. Navigate to Menu | Automation | Server Tasks. Locate the 61 – SC: Image Deviation task. Select
Run. Observe the completion in the Server Task Log.


11. Navigate to Menu | Reporting | Solidcore. Select Image Deviation and locate the Image Deviation
results from the Automated Task that just completed. Notice that the two new executables show
up as 2 new files added.

12. Click the “View” link (in the far right) to bring up the details to show the two files added. Even
though these files have been added to the Test client, they are not authorized to run.

Best Practice Tip: Preventing Unwanted Executables from running

This is an example of a piece of malware or unauthorized software inadvertently being added to the
system. Even though a directory may not be write-protected, McAfee’s MAC will prevent these
two files from being executed, as they are not part of the whitelist because they were not added
by an authorized change mechanism.

13. On the Test client, delete everything in the C:\EVALUATION folder and empty the recycle bin.


Solidify Changes to the Gold Image Test client

14. On the Test client designated as the Gold Image, copy across the following 2 files to
C:\EVALUATION.
• Extra.bat
• Extra.vbs
NOTE: If you were to pull an inventory prior to solidifying these files, the Image Deviation would not
change despite new executables having been added to the Gold Image, because the protected files on the
image do not include the new executables.

15. Navigate to Menu | Policy | Client Task Catalog.
Edit the “81 – SC: Solidify Files” task and add the following commands. If this task does not exist,
refer to Appendix A, General Setup Tasks, for guidance on setting this up.
• solidify c:\evaluation\extra.bat
• solidify c:\evaluation\extra.vbs
16. Navigate to System Tree | Evaluation Group | Assigned Client Tasks.
Locate 81 – SC: Solidify Files. Enable the task, save it and perform an Agent Wakeup. Confirm the
task has run on the Test clients. Perform a second wake up call to send events to ePO.
17. Edit the 81 – SC:Solidify Files task, disable it and save it.
18. Edit the 40 – SC: Pull Inventory task and enable it. Save it and perform an Agent Wakeup, selecting
the Force complete policy & task update option.
19. On each Test client, open the McAfee Agent Monitor and confirm that the task completed. Once
completed, perform an Agent Wakeup and select the Force complete policy & task update option to
send the Inventory Data to ePO.
20. Navigate to Menu | Automation | Server Tasks. Locate the 61 – SC: Image Deviation task. Select
Run. Observe the completion in the Server Task Log.
21. Navigate to Menu | Reporting | Solidcore | Image Deviation and locate the Image Deviation results
from the Automated Task that just completed. Notice that the new executables added to the Gold
Image are reported as missing from the test client.


Detailed Instructions – Change Control – Monitoring File Systems and Registry

File system monitoring is one essential component of achieving integrity monitoring. File integrity
monitoring is critical for security and configuration compliance initiatives, and is a requirement for PCI
compliance. McAfee File Integrity Monitor (MIM) operates in real time to provide an auditing solution
that gives you the ability to monitor changes to an asset as they happen, rather than merely periodically.
However, many applications perform legitimate changes to the system when they execute which may
not need to be monitored. For example, they create, rename and delete temporary files, update
log files or update configuration files. On Windows in particular, web browsers and many other
applications maintain proprietary state in Windows Registry keys and update them dynamically. In
addition, they can also update the resource section of DLLs. It is usually not meaningful to record every
such change because it does not serve any business purpose. Of more significance are changes to
critical application code and configuration, and to critical data, within critical time windows.
McAfee’s FIM enables administrators to filter change events by file name, directory name, file
extension, Windows registry key name, process name and user name so that only such events are
recorded and reported on. A collection of such filter rules is called a rule group. A rule group is applied
at the solidified host, so that filtered-out changes are not monitored, recorded or reported from the
source.
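The include/exclude filtering described above can be expressed as a small rule evaluator run over change events. The following Python is an added example, not McAfee's code. The MonitoringRuleGroup structure, the exclusion entries (a backup-agent.exe process and a logs subdirectory) and the sample events are constructed assumptions; the file and registry includes match the McAfee Evaluation rule group built later in this section.

```python
from dataclasses import dataclass, field


@dataclass
class ChangeEvent:
    kind: str      # e.g. FILE_MODIFIED, FILE_CREATED, REG_VALUE_SET
    target: str    # file path or registry key
    process: str   # program that made the change
    user: str      # account the program ran as


@dataclass
class MonitoringRuleGroup:
    """Simplified stand-in for an Integrity Monitoring rule group (assumed
    structure, not the product's): include rules choose what is watched,
    exclude rules drop the kinds of noise listed in the text above."""
    include_files: list = field(default_factory=list)      # paths or directory prefixes
    include_registry: list = field(default_factory=list)   # registry key prefixes
    exclude_dirs: list = field(default_factory=list)
    exclude_extensions: set = field(default_factory=set)
    exclude_processes: set = field(default_factory=set)
    exclude_users: set = field(default_factory=set)


def _norm(s: str) -> str:
    return s.replace("/", "\\").lower().rstrip("\\")


def _under(target: str, prefixes) -> bool:
    """True if target equals one of the prefixes or lies beneath it."""
    t = _norm(target)
    return any(t == _norm(p) or t.startswith(_norm(p) + "\\") for p in prefixes)


def _extension(target: str) -> str:
    leaf = _norm(target).rsplit("\\", 1)[-1]
    return leaf.rsplit(".", 1)[-1] if "." in leaf else ""


def should_record(ev: ChangeEvent, rules: MonitoringRuleGroup) -> bool:
    """Record a change only if an include rule matches and no exclude rule does."""
    if not (_under(ev.target, rules.include_files) or _under(ev.target, rules.include_registry)):
        return False
    if _under(ev.target, rules.exclude_dirs):
        return False
    if _extension(ev.target) in rules.exclude_extensions:
        return False
    if ev.process.lower() in {p.lower() for p in rules.exclude_processes}:
        return False
    if ev.user.lower() in {u.lower() for u in rules.exclude_users}:
        return False
    return True


def filter_events(events, rules: MonitoringRuleGroup) -> list:
    return [e for e in events if should_record(e, rules)]


def demo_rules() -> MonitoringRuleGroup:
    """Mirrors the McAfee Evaluation rule group built later in this section,
    plus constructed exclusions for the noise sources discussed above."""
    return MonitoringRuleGroup(
        include_files=[r"C:\EVALUATION"],
        include_registry=[r"HKEY_LOCAL_MACHINE\SOFTWARE\EVALUATION\TESTKEY"],
        exclude_dirs=[r"C:\EVALUATION\logs"],
        exclude_extensions={"tmp", "log"},
        exclude_processes={"backup-agent.exe"},   # constructed process name
        exclude_users=set(),
    )


# Constructed events, in the order a host might raise them.
SAMPLE_EVENTS = [
    ChangeEvent("FILE_MODIFIED", r"C:\EVALUATION\Web.config", "wordpad.exe", "LAB\\alice"),
    ChangeEvent("FILE_CREATED", r"C:\EVALUATION\Web.config.tmp", "wordpad.exe", "LAB\\alice"),  # editor temp file
    ChangeEvent("FILE_MODIFIED", r"C:\EVALUATION\logs\app.log", "w3wp.exe", "NT AUTHORITY\\SYSTEM"),
    ChangeEvent("FILE_MODIFIED", r"C:\Windows\Temp\scratch.dat", "svchost.exe", "NT AUTHORITY\\SYSTEM"),
    ChangeEvent("REG_VALUE_SET", r"HKEY_LOCAL_MACHINE\SOFTWARE\EVALUATION\TESTKEY", "regedit.exe", "LAB\\alice"),
    ChangeEvent("REG_KEY_CREATED", r"HKEY_LOCAL_MACHINE\SOFTWARE\EVALUATION\TESTKEY\Sub", "backup-agent.exe", "LAB\\svc-backup"),
]
```

Run over the sample events, only the Web.config edit and the TESTKEY value change survive; the temp file, the log under the excluded directory, the change outside every include and the change by the excluded backup process are all dropped at the host, which is the point of applying the rule group at the source rather than filtering in ePO afterwards. Process and user exclusions deserve the most scrutiny, since a change made by an excluded process is invisible to the monitor regardless of what it touched.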

Business Use Case

This capability is frequently used to monitor key files and registry settings for security
parameters for mission critical applications. This assists in ensuring business continuity.

Prepare the Client

In this example, you can use the files in the resource kit and follow the step by step guide below or use
your own directory structure.

1. Copy across the following file to C:\EVALUATION if it is not there already.
• Web.config
2. Import the EVALUATION.reg key into the registry, if it was not imported earlier.

Select and Edit the Rule Group

10. Navigate to Menu | Policy | Policy Catalog | Solidcore 5.1.x: Integrity Monitoring (Windows).
View the “Minimal System Monitoring (McAfee Default)” policy.


11. Click Next to scroll through the list of filters and locate and select the Windows XP Base Filter. Notice
there are various types of objects, (File, Directory, Registry, Extension, User, Process), either
included or excluded within the rule group.

12. Duplicate the Blank Policy and rename it “McAfee Evaluation” and save it.
13. We will use a Rule Group to define the FIM filters. Navigate to Menu | Configuration | Solidcore |
Integrity Monitoring. Create a new Rule Group and name it “McAfee Evaluation”.
14. Add a File Filter. Select File, Add and add “C:\EVALUATION\Web.config”.
15. Add a Registry Filter. Select Registry, Add and add
“HKEY_LOCAL_MACHINE\SOFTWARE\EVALUATION\TESTKEY”.
16. Save the Rule Group. Navigate to Menu | Policy | Policy Catalog | File Integrity Monitoring and
locate the policy, McAfee Evaluation. Edit it and include the new McAfee Evaluation rule group.
Save it.

Apply the McAfee Policy to the Test clients

17. Navigate to the System Tree | Evaluation Group | Assigned Policies | Solidcore 5.1.x: Integrity
Monitor and change the Integrity Monitoring Rules (Windows) so that the McAfee Evaluation policy
is assigned. Perform an Agent Wakeup and confirm the policy was received by the test client.
NOTE: When applying a new or modified rule group to a new policy, it is recommended to
create a second policy instance instead of replacing the McAfee Default. The default policy
contains the OS monitoring; if you replace it, that auditing will cease to be active.

Modify the test data

17. On the test clients, open web.config with Wordpad and make some changes (add text, delete text
and change text).

18. Open the registry using Regedit and make some changes (add keys, delete values and modify data) to
HKEY_LOCAL_MACHINE\SOFTWARE\EVALUATION.
19. Open up the McAfee Agent Status Monitor and select “Send Events” to send the Events to the ePO
Server.

Report on changes

20. Go to the ePO dashboards and observe the results in the Solidcore: Integrity Monitoring dashboard.

21. Focus on the module, Solidcore: Top 10 Systems with Most Change Events in the last 7 days. Select
the test client where the web.config and registry interaction was performed.

22. Scroll through the report to locate the changes made to web.config and the registry key.
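To make concrete what the Integrity Monitoring rule group is detecting in the steps above, here is an added example (not code from this guide or from McAfee) of a minimal hash-based monitor: it baselines the filtered file and registry key, then emits one ADD, MODIFY or DELETE event per changed object. The registry is simulated with a dict so the script runs on any OS, and all paths, values and timestamps are constructed sample data.

```python
"""Added example (not McAfee's or this guide's code): a minimal integrity monitor
showing what the Integrity Monitoring rule group is detecting when you edit
C:\\EVALUATION\\Web.config and HKLM\\SOFTWARE\\EVALUATION\\TESTKEY.

A baseline of SHA-256 hashes is taken for the filtered objects, a later snapshot is
compared against it, and one change event is emitted per ADD / MODIFY / DELETE, the
three kinds of change the walkthrough has you make by hand. The registry is simulated
with a dict of value name -> data so the script runs on any OS (on Windows the values
would be read with winreg). All paths, values and timestamps are constructed sample data.
"""
import hashlib
import os
import tempfile
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class ChangeEvent:
    kind: str                 # "ADD", "MODIFY" or "DELETE"
    object_type: str          # "FILE" or "REGISTRY"
    path: str                 # monitored object (file path or key\value)
    old_hash: Optional[str]   # None for ADD
    new_hash: Optional[str]   # None for DELETE
    when: float               # epoch seconds of the snapshot that saw the change


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def snapshot_files(paths: Iterable[str]) -> Dict[str, str]:
    """Hash every monitored file that currently exists (missing files simply have no entry)."""
    snap = {}
    for p in paths:
        if os.path.isfile(p):
            with open(p, "rb") as fh:
                snap[p] = sha256_hex(fh.read())
    return snap


def snapshot_registry(key_path: str, values: Dict[str, object]) -> Dict[str, str]:
    """Simulated registry key: one entry per value, hashed like a file so the diff is uniform."""
    return {f"{key_path}\\{name}": sha256_hex(repr(data).encode()) for name, data in values.items()}


def diff_snapshots(old: Dict[str, str], new: Dict[str, str], object_type: str, when: float) -> List[ChangeEvent]:
    """Compare two snapshots and emit one event per object that was added, removed or changed.

    A hash comparison like this only yields *what* changed and *when* it was noticed. The
    kernel-level agent the guide describes also records *who* (user) and *how* (process),
    which userland polling cannot recover after the fact.
    """
    events = []
    for path in sorted(set(old) | set(new)):
        o, n = old.get(path), new.get(path)
        if o is None:
            events.append(ChangeEvent("ADD", object_type, path, None, n, when))
        elif n is None:
            events.append(ChangeEvent("DELETE", object_type, path, o, None, when))
        elif o != n:
            events.append(ChangeEvent("MODIFY", object_type, path, o, n, when))
    return events


def run_demo():
    """Constructed scenario mirroring the walkthrough: edit Web.config, then add, delete and
    modify values under TESTKEY. Returns (file_events, registry_events)."""
    with tempfile.TemporaryDirectory() as root:
        web_config = os.path.join(root, "Web.config")   # stands in for C:\EVALUATION\Web.config
        with open(web_config, "wb") as fh:
            fh.write(b"<configuration><appSettings/></configuration>")
        file_baseline = snapshot_files([web_config])
        # "open web.config with Wordpad and make some changes"
        with open(web_config, "wb") as fh:
            fh.write(b'<configuration><appSettings><add key="debug" value="true"/></appSettings></configuration>')
        file_events = diff_snapshots(file_baseline, snapshot_files([web_config]), "FILE", when=1000.0)

    key = r"HKEY_LOCAL_MACHINE\SOFTWARE\EVALUATION\TESTKEY"
    reg_baseline = snapshot_registry(key, {"Enabled": 1, "Server": "app01", "Timeout": 30})
    # "add keys, delete values and modify data": LogLevel added, Timeout deleted, Server modified
    reg_after = snapshot_registry(key, {"Enabled": 1, "Server": "app02", "LogLevel": "verbose"})
    registry_events = diff_snapshots(reg_baseline, reg_after, "REGISTRY", when=2000.0)
    return file_events, registry_events


if __name__ == "__main__":
    for ev in sum(run_demo(), []):
        print(f"{ev.when:>8.0f} {ev.object_type:<8} {ev.kind:<6} {ev.path}")
```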

Detailed Instructions – Change Control – Protecting File Systems and Registry

McAfee Change Control can not only monitor system integrity but can also enforce change control. This
section will review file change control and registry change control. In addition, this section will review
how McAfee Change Control can prevent viewing of files and copying of read-protected files. You can use
the files in the Reviewers Guide Resource Kit and follow the step-by-step review guide below, or create
your own similar scenario. The specific capabilities of McAfee’s Change Control are listed below.

Business Use Case

This capability is leveraged to ensure that systems remain available. Key files and registry settings
are protected from unauthorized change (such as init.ora settings for an Oracle database on a key
ERP server). Out-of-policy changes to settings are prevented, and in-policy changes are captured and
tracked for auditing purposes. This can also be used to ensure that only authorized applications
can make changes to their own settings and files.

Read Protect

McAfee Change Control can enforce read-protection rules on critical files or directories to protect them
from unauthorized access. When a directory is specified for read protect, all files in that directory are
scanned and added to the read protection list. Any unauthorized attempt made to read data from these
files is stopped and an event is generated.

Write Protect

McAfee Change Control can enforce write protection rules on critical files or directories in order to
protect them from unauthorized modifications. You should only protect files that are not routinely
updated by programs; log files, for example, are poor candidates. The write protection rules applied to the
specified files render them read-only, thereby protecting your data. When a directory is specified for write
protect, all files in that directory are scanned and added to the write protection list.

Registry Protect

McAfee Change Control can enforce write protection rules on critical registry keys to protect them
against change using the deny write feature. All enforcement rules to control modifications to registry
keys can be applied using this feature.

Create a McAfee Change Control Policy

1. Navigate to Menu | Policy | Policy Catalog | Solidcore 5.1.x: Change Control Rules (Windows).
Duplicate the McAfee Default and rename it to McAfee Evaluation.

2. We will use a Rule Group to define the Updaters for the McAfee Change Control. Navigate to Menu
| Configuration | Solidcore | Change Control. Create a new Rule Group and name it “McAfee
Evaluation”.
3. Add “Read Protect”: C:\EVALUATION\SECRET
4. Add “Write Protect”: C:\EVALUATION
5. Add “Write Protect Registry”: HKEY_LOCAL_MACHINE\SOFTWARE\EVALUATION\TESTKEY
6. Save the Rule Group. Navigate to Menu | Policy | Policy Catalog | Change Control Policy and
locate the policy, McAfee Evaluation. Edit it and include the new McAfee Evaluation rule group.
Save it.
7. Navigate to System Tree | Evaluation Group | Assigned Policies | Solidcore 5.1.x: Change Control.
8. Change the “Change Control Rule (Windows)” assignment to the “McAfee Evaluation” policy.
9. Perform an Agent Wakeup to apply the changes.
10. Copy the “CV.txt” file to the C:\EVALUATION folder
11. Create a subdirectory C:\EVALUATION\SECRET
12. Copy across the following files to C:\EVALUATION\SECRET
• Eyes only.jpg
• Top secret.jpg
13. Confirm that McAfee Change Control is enabled by navigating to ePO Dashboard – Solidcore:
Change Control. All the customer test client hosts should be listed in the upper middle monitor
(pie chart). Click this pie chart and you can see that McAfee Change Control is enabled.

Enable Read Protection on one or more Evaluation Test Clients

14. Enable read-protection (deny-read). Navigate to System Tree | Evaluation Group | Assigned Client
Tasks. Edit the “60 – SC: Enable Read Protect” task, enable it and save it. Perform an Agent Wakeup and
select the Force complete policy & task update option.

Confirm the client has read and write protection enabled

15. On one or more of the test clients, open C:\EVALUATION\CV.txt and attempt to make changes.
Confirm this file is write-protected by attempting to save changes. Peruse the Event View on the
client.

16. Open the C:\EVALUATION\SECRET folder and attempt to open either of the contained files. Confirm
they are both read-protected.
17. Open the registry using Regedit and attempt to delete
HKEY_LOCAL_MACHINE\SOFTWARE\EVALUATION\TESTKEY and confirm this is write-protected.
18. On the test clients, open up the McAfee Status Monitor and hit “Send Events” to send the latest
activity to ePO.

Examine the Attempted Violations per Host report

19. Navigate to Dashboards | Solidcore:Change Control dashboard. Examine the Solidcore: Top 10
Systems with Most Violations Detected in the last 7 days.

20. Select one of the devices in the module and examine the changes made by the Windows account
used in this lab.

Detailed Instructions – Post Evaluation Cleanup

This concludes the evaluation for McAfee’s Application Control, Change Control, and File Integrity
Monitoring. Use the POC Statement of Work template located in the Appendices to document the
activities performed in this Guide and use the document as a basis for proving out the significant
capabilities of the product. Once that is complete, you can start cleaning up the test clients and removing
the evaluation files.
To clean up the environment, unsolidify the systems and remove the Solidcore agent. Navigate to
System Tree | Assigned Client Tasks. Edit and enable the 99 – SC:Disable Solidcore task to start the clean-up
process on each of the test clients. Save it and perform an Agent Wakeup call. Observe the activities on
the client system by opening up the McAfee Agent Status Monitor. Once the task is complete, the
system will need to be rebooted. Upon reboot, create a client task to uninstall the Solidcore plugin and
delete all the files and folders in the C:\EVALUATION directory structure.

Appendix A, General Setup Tasks

This appendix provides guidance on how to create the various client tasks and automated tasks used in this
Reviewers Guide. Some of these tasks are actually built as part of the Evaluation process. The
significant ones are documented here for reference in case a step was missed.

ePO Client Tasks

Navigate to Menu | Policy | Client Task Catalog and create the following tasks and save them. Some of
these tasks are actually created in various sections of this guide, but it is perfectly OK to create them in
advance and skip the step. It is recommended that you use the names listed in the figure below, as they
are referenced throughout the guide.
NOTE: Since ePO doesn’t have any client task prioritization, the deploy task can be built in the
“Client Task Catalog” and assigned and enabled as needed.

ePO Automated Tasks

Create the following ePO Automated Task by Navigating to Menu | Automation | Server Tasks. Create
a new task for each of the items listed below and use the screenshots as guidance.

01 – SC:Update Inventory Search Index

Each time an Inventory is pulled from one or more clients and submitted to ePO, this task must be run in
order for the results to be seen in the Image Deviation Process and any other ePO functions where
Inventory is referenced.
1. Navigate to Menu | Automation | Server Tasks and create a new task. Name it 01 – SC:Update
Inventory Search Index. Select Next.

2. Select Solidcore: Update Inventory Search Index and select Next.

3. Select a time that is relevant for your application and save it. In the evaluation, you can pick any
time, as this task will be invoked manually on occasion.

02 – SC:Image Deviation

1. Navigate to Menu | Automation | Server Tasks and create a new task. Name it 02 – SC:Image
Deviation and select Next.

2. Select Solidcore: Run Image Deviation and fill in the parameters for your specific environment. In
this example, we are pointing to one of the test systems as a gold image (149-SC-2K3VM) and
comparing that to my other test system. You can include one or more systems using System,
Group, or Tag.

3. Select a time that is relevant for your application and save it. In the evaluation, you can pick any
time, as this task will be invoked manually on occasion.

03 – SC:Get Updaters (Setting up a Software Repository Scan automated task)

1. Navigate to Menu | Automation | Server Tasks and create a new task. Name it 03 – SC:Get
Updaters and select Next.

2. Select Solidcore: Scan a Software Repository and fill in the parameters for your specific
environment. In this example, I’m pointing to one of my test servers where I set up a software share
to be used as a repository for other systems. Select the “McAfee Evaluation” Rule Group to add all
the details about the extracted certificates and installers. Select Next.

3. Select a time that is relevant for your application and save it. In the evaluation, you can pick any
time, as this task will be invoked manually on occasion.

Appendix B, Initial Configuration and Tuning of Policies

Using Application Control Learn Mode

Application Control has a learning mode called Update mode. After enabling Application Control,
run the SC: Begin Update Mode client task and use the client systems in update mode for one or two
weeks. Afterwards, run the SC: Get Diagnostics for Programs client task to get updater recommendations and
add the new updaters to the Application Control policy using Diagnostic Suggestions.

Using Diagnostics Suggestions to Identify Updaters

This feature can be used to help identify updater rules in case certain applications do not function
correctly after Solidcore is enabled. The Solidcore Agent keeps track of attempts made by authorized
executables to modify or run other executables or protected files that are denied by Solidcore. This
data can be used to configure such executables as updaters so that they are not denied by Solidcore the
next time. There are two main tasks when using the Diagnostic feature. First, fetch the diagnostic
recommendations from the client into ePO:
1. Run the SC: Get Diagnostics for Programs client task to get diagnostic output from the client.
Navigate to System Tree | Evaluation Group | Assigned Client Tasks. Locate 90 – SC:Get
Diagnostics. Edit and enable it.
2. Perform an Agent Wakeup call. Wait for 2-3 minutes and perform another Agent Wakeup call to
send the results to ePO. Check whether the task was successful from Reporting | Solidcore | Client Task
Log. This task collects the diagnostic data at the endpoint, which is then sent to ePO as events at the
next Agent communication interval.
NOTE: To send the data immediately, open the McAfee Agent Status Monitor on the client system,
then click Send Events to upload events to ePO.
Second, perform these steps to use the diagnostic recommendations in ePO for defining updaters in an
Application Control policy. In this example, Rule Groups are used to implement this capability.
3. Navigate to Menu | Configuration | Solidcore | Application Control. Locate the McAfee Evaluation
rule group and edit it.
4. Select Updates and click Diagnostic Suggestions. The Add Updater dialog box appears.
5. Search for a list of executables/binaries that are suggested as updaters by diagnostics.
6. Select the required executables/binaries, then click OK.
7. Save the Rule Group to add the rule to it.

Appendix C, Best Practice Tips

Appendix D, Deployment Scenarios

Point-of-Sale (POS) Systems

• Define “Gold” system image
• Deploy Application Control to endpoint systems
• Place endpoint systems in update mode
• Perform Image Deviation scans comparing endpoints to Gold system
• Issue Binary Ban policies for any applications which are discovered on endpoints that are
unwanted/undesired
• Remediate endpoint systems to “Gold” image standard based on capability or refresh schedule

Servers

• Classify systems by business criticality
• Consider change control policies, practices and workflows to develop policies for authorized
change (e.g. create change windows with Update Mode based on scheduled maintenance
windows, create authorized updaters based on applications that need to be able to make
change)
• Consider more restrictive policies (Authorized Updaters, Certificate Based, Service Desk
Integration) for more critical systems, less restrictive policies (User Updaters, Trusted Directory,
Time Based Windows) for dev/QA/Test systems

Common Operating Environment Workstations and Laptops

• Match policies to existing workflows that define how change can be made (i.e. end users cannot
make change, only Helpdesk personnel can, so have User Updaters for Helpdesk Staff)

Appendix E, POC Statement of Work Template

Document Definitions

For the purposes of this document, “Customer” will refer to <Customer Name>.

Project Description

The purpose of this Proof of Concept (POC) Statement of Work (SOW) is to define the amount of effort,
the details of the work to be performed and the deliverables required to demonstrate the following
McAfee Change & Application Control modules and business initiatives in a non-production, Proof of
Concept environment:
• PCI Compliance
• Application Control
• Change Control

It is estimated that all the elements of this POC can be completed in: X hours or X days.

This POC will be conducted by <Customer Name> with the assistance of McAfee Sales Engineers,
onsite at <Customer Location>.

Client Business Goals

<Insert Client Goals Here >.

Project Scope

In Scope

For this Proof of Concept, we will validate the use of McAfee Change Control in the following non-
production client environments:
X # Customer Client Systems

For this Proof of Concept, we will validate the use of McAfee’s Application Control software in the
following non-production client environments:
X # Customer Client Systems

As part of the POC demonstration, McAfee will test Application Control capabilities on the above end
points, as well as EPO Server (central console) functionality such as Image Deviation, Reports, and Alerts.
This POC will be conducted by installing McAfee software on selectively identified servers and end point
systems in a non-production, client environment that closely resembles the production environment for
which the client is considering purchasing McAfee.
This McAfee-supplied solution is made up of 2 server components as well as endpoint software for
monitored/protected file systems. The McAfee server is made up of:
• McAfee ePolicy Orchestrator (ePO) Server with Solidcore 5.x extension
• SQL Server 2005 Express/2005/2008 Database

For the purposes of this POC, it is acceptable to install these components on a single, non-production
server meeting the minimum system requirements outlined in this document. McAfee does not
recommend this configuration for production purposes.
All systems involved in this POC must be non-production systems.

Phase 1 – Pre-Implementation

1. Discovery

General Discovery and Project Planning workshop

Deliverables: Workshop results documents (if applicable)

Phase 2 – Application Control

1. Infrastructure Setup

The McAfee Application Control solution enables retailers to centrally secure and control widely
distributed infrastructures in a manner that is operationally efficient and cost effective.
Application Control server infrastructure setup:
• McAfee ePO Server Virtual Machine or Physical System with backend MS SQL 2005/2008
Database
• McAfee Solidcore 5.1 extension and all licensing
• Install Application Control Solidifier on the following test systems that are representative of the
client’s production environment:
<Client Systems>
2. Application Control Functional Scope Testing

The POC will test and validate the use of McAfee’s Application Control capabilities within the test
environment.
• Compare the image of a server with golden image (another server)
• Make sure that no unauthorized code can execute
• Show that the authorized binaries and scripts cannot be tampered with
• Show that changes to the system can be made via client’s normal updating mechanism.

Phase 3 – Change Control

1. Infrastructure Setup

Server infrastructure setup:
• McAfee ePO Server Virtual Machine with backend SQL 2005/2008 Database
• McAfee Solidcore 5.x extension and all licensing

The POC will test and validate the use of McAfee Change Control functional capabilities within the client
TEST environment:
<Client Systems>

2. Integrity Monitoring Functional Scope testing

Demonstrate File Integrity Monitoring in the POS and/or server platforms:
• Install limited number of representative end-points in scope in the Test environment
• Apply default O/S and custom application-level filter policies according to results of Visibility
workshops
• Demonstrate that filtering can give precise control over the changes to be tracked
• Demonstrate that the event monitoring shows who made the change, what was changed, when
the change was made, and how it was made.
• Demonstrate that alerts are generated for notifying IT personnel
• Demonstrate documentation for audits through McAfee reports

3. Change Control Implementation

The Proof of Concept will test and validate the use of McAfee Change Control functional capabilities
within the following client environments:
<Client Systems>

The McAfee POC team will work with the client to choose an appropriate sample file or directory to use
for Change Control demonstration using the methodology outlined below:
• Define sensitive enforcement parameters
o Identify files that should be protected
o Identify files that should be protected to comply with COMPLIANCE controls
o Determine change window policies
• Implementation of change policy
o Definition of change policies as Scheduled Change Windows
o Definition of Authorized Updaters

4. Change Control Functional Scope and Testing

The scope of the project will test the following functional capabilities within the POC environment.
• Demonstrate how McAfee Change Control can show deviation from enterprise change policy
o With scheduled update windows
o By programs designated as Authorized Updaters
o Via various manual means
• Demonstrate the ability to view, to be notified and to report on violations of change policy

Phase 4 – Acceptance

1. Acceptance

The acceptance criteria for this implementation will be the following:
• The acceptance criteria for this project will be the confirmation of the installation and testing of
the McAfee Change Control and Application Control offerings in a non-production client
environment for the scope of work outlined in this document.
• Once the POC meets previously defined requirements, the identified executive sponsors will sign
off that the business use case has been demonstrated in a successful manner and meets all
requirements.
• The following table states the acceptance criteria for the engagement.

Goal | Description | Success Criterion | Accepted (Yes/No)

Application Control

Deploy Solidcore Agent via EPO Server | Push Solidcore agent to Windows systems. | Successful delivery of Solidcore package. |
Create baseline on each machine and enable via EPO policy. | Automatically create authorized list of programs on a given machine. | Baseline inventory image is successfully created. |
Show the deviation from the original build. | Create the list of protected files (critical files as well as data files). | “Gold image” is compared with a similar system and deviations are successfully identified. |
Demonstrate Solidcore tasks via EPO server | Create tasks on EPO server. | Successfully execute task on client system. |
Security: only authorized programs can run | Attempts to run unauthorized executables fail. Attempts to modify an authorized executable fail. | Unauthorized programs should be stopped. There should be an event describing the action. |
Security: only allow authorized processes to update the system. | Configure deployment tools as authorized updaters. Run through the normal update processes. | Normal update processes should be unimpeded. |
Demonstrate the use of EPO policies to manage Solidcore | Create policy and push to McAfee Agent. | New policy is pushed to McAfee Agent. New policy is applied on the agent and correct change events are captured and reported. |
Test Image Deviation capability | Add solidified hosts to the console. Create differences in the image (e.g. install a new package on solidified machines). Show the differences between the images. | Report should be generated with differences. |
Reports | Demonstrate EPO reporting capability. | Successful generation of MAC reports. |

File Integrity Monitoring

Connect with all end-points within scope | Solidifiers are installed on all the end-points and are shown as connected from the Console’s administration GUI. | All end-points are connected successfully. |
Demonstrate how Change Control can continuously monitor critical change events on a server so that no change is missed | Solidifiers report change events in real time. The events are stored in Change Control’s database and are visible in the Change Control console. | Server change events are monitored successfully. |
Demonstrate that only critical files identified by the customer will be monitored. | Allow only event monitoring of files, directories, and registry keys identified by the customer for critical applications. These filters are applied to track only relevant change information. | Customer-identified filter policies are applied successfully. |
Demonstrate that the audit trail shows who made the change, what was changed, when the change was made and how it was made | Audit trail is viewable from Change Control’s Reporting/Events screen. | Change audit events viewed successfully. |
Demonstrate that alerts are generated for notifying IT personnel | Alerts are delivered to the Change Control dashboard or via email. | Alerts generated successfully. |

Change Prevention

Demonstrate Change Control allows specific servers/directories/files to be locked down except during specific maintenance windows or via other authorized methods. | Write-protect a specific set of files/directories on the server to ensure they cannot be changed outside of an approved change window or by an authorized updater. | The files could not be changed outside of an approved time window or by an authorized updater. |

NOTE: The above product functionality will be demonstrated only in a test, development, or staging
environment provided by the client.

Documentation

Documentation is limited to standard Product Deployment and User Guides.

Client Responsibilities

The following table outlines the prerequisites and responsibilities for this engagement:

Prerequisites | Provided by <CUSTOMER NAME> | Provided by McAfee

Staffing

Subject Matter Expert(s) for client production environment servers | Skilled resources to augment the technical skills of the McAfee team to physically install the McAfee software. Initiate any change request processes required by implementation requirements. | Designated Solution Architect/Sales Engineer

Hardware

Server Hardware for implementing the McAfee Console (ePolicy Orchestrator 4.5 + SQL SVR 2005/2008 database) | Windows 2003/2008 Enterprise/Standard/Web/R2 Enterprise/R2 Standard SP2 or later; 2.7GHz Dual Core or higher; 2 – 4 GB RAM, 20 – 30 GB free disk space |
Hardware must be in a non-Production environment | Required ports are configurable. Will need several ports for HTTP & HTTPS communication. SMTP Server info and credentials to send alert emails. Note: See ePO Evaluation Guide document for detailed and up-to-date system requirements and deployment recommendations. |

Infrastructure

Servers to be used in the implementation | Host Servers; Administrator access; List of Directories/Filenames of Applications to be monitored |

Work Environment

System Access | Provide the access and resources for McAfee personnel to access the implementation for the deployment of its Solidifier agents |

Proposal and Quotation Information

The information (data) contained within this document is covered by the Mutual Non-Disclosure
Agreement between <Customer Name> and McAfee.

Terms and Conditions

Services performed under this SOW will be subject to the following terms and conditions:
• Prior to beginning the engagement, <Customer Name> and McAfee will mutually agree on the
named servers (not to exceed [2] Windows 2000 Virtual Machines supplied by McAfee) to be
included in the implementation.
• <Customer Name> will use supplied Virtual/ Physical Machines with McAfee software for testing
purposes only. Customer agrees to fully uninstall the software and/ or delete the virtual
machines at the conclusion of the Proof of Concept.
• Professional Services for this Proof of Concept will be provided free of charge.

Authorization

Signature below indicates <Customer Name>'s acceptance of this consulting services proposal and
constitutes authorization for McAfee, Inc., to begin work. Signature below does not imply an obligation to
purchase McAfee Software or Services.

McAfee Inc.
  Signature – McAfee Account Manager
  Printed Name
  Date

<Customer Name>
  Signature
  Printed Name
  Date

Please sign this document and return to McAfee Inc.


If required, McAfee will sign and return one copy to your attention. Return signed copies to:

<Customer Name>
Customer Address
Customer City, State

Primary contact name:


Primary contact email:
Primary contact phone #:


Appendix F, Business Use Cases


For the purposes of this document, “client” will refer to CUSTOMER.

Business Use Case Description

This document outlines the Business Use Cases which, via demonstrated scenarios, will address the
CUSTOMER business drivers of increasing security, reducing operational and audit costs to support the
infrastructure, increasing reliability and service levels, and meeting compliance requirements. Utilize the
Business Use Cases to further document the POC Statement of Work (the template is in Appendix E).

Business Driver: Increase Service and Availability Levels
Use Case: Increase uptime and service availability across the infrastructure
Requirement Met Via:
• Monitoring of critical entities (files, directories, DB data, Network Devices) to identify outages and reduce MTTR process
• Alert to specific file change event activities (database, server)
• Roll back to “Gold Standard” on network devices
• Alerts to Failed Audit Compliance tests – drill down to the exact change that took it out of compliance
• Ability to automate change policies through selective policy control and eliminate Ad Hoc or Emergency change from being deployed that doesn’t comply with agreed-to, defined change policies – time windows, authorized processes
• Ability to identify authorized vs. unauthorized changes and the evidence to roll back the changes
• Decrease outage duration times – Incident and problem process – reduce forensic time (Real Time Visibility)
• Alert to certain kinds of change – by user, by file type, by infrastructure (server) (Real Time Visibility)
• Threshold alerts to identify deviations in volumes of change (Real Time Visibility)
• Identify Unauthorized Change (Automated Reconciliation)
• Identify deviations between tested and production change (Automated Correlation)
• Prevent out of policy change from occurring (tested environment only – Policy Control)
Business Requirement: Reliability
Use Case: Demonstrate ability to track items which affect reliability of systems
Requirement Met Via:
• Alerts and Saved Search created for change occurring outside of authorized change window(s)
• Reports automatically generated for change policy compliance to show unauthorized change is at a minimum
• Demonstrate ability to document out-of-policy change events in Application, Subsystem and OS layer via S3 Control interface
• Identify Unauthorized Change
• Automation of documentation of change – report-wise and through on-line dashboards
• Alert to certain kinds of change, certain file changes, threshold of change
• Alert to deviations between tested and production changes – patches and software updates
• Prevent out of policy change
Business Requirement: Compliancy
Use Case: Demonstrate and maintain compliancy
Requirement Met Via:
• Ability to identify compliance results at any given point in time – all reports available and ready to report on, benchmarks on demand or scheduled
• Ability to drill down on failures to comply and have evidentiary information – searching via the console
• Ability to schedule reports (automation of reporting) to provide the auditors for reporting requirements to meet compliance requirements
• Configuration Audit compliance – passes and failures at any given point of time with evidentiary data to determine the exact change for failures
• Meet all FIM requirements based upon the granular level of data tracked – Databases, Servers, etc.
• Ability to automate change policies to meet the requirements for authorized changes to critical components of infrastructure
• Demonstrate ability to document in-policy and out-of-policy change events
• Log-ins and Log-outs (to be performed on Windows only)
• Who made change (originating log-ins) – (Real Time Visibility)
• Program Mod/Deletes/Adds (Real Time Visibility)
• Data Add/Mod/Deletes (Real Time Visibility)
• Mod/Add/Deletion of Database Files (Real Time Visibility)
• Changes to system settings – data stored in files only (Real Time Visibility)
• Changes to user accounts and permissions – data stored in files only (Real Time Visibility)
Business Requirement: Cost Reduction and Automation
Use Case: Demonstrate automation of process
Requirement Met Via:
• Validate that all administrative management and control of the solution can be done through a centralized console
• Users are able to receive critical alerts through email/SNMP such that they do not have to be on-line to receive the reports
• Show reduction of manual processes through Incident and Problem, Change Management and Change Control, Audit and Compliance and Security (forensics), and Operations (automated deployment of S3 Control agents)
• Demonstrate ability to get up to speed on the solution – short learning curve
• Demonstrate that data is not stored at the end points and therefore there are no scans or Excel spreadsheets required to pull the data together and analyze it, all through an easy to use query dashboard
• Ability to set up on-line alerts using two different methods
• Demonstrate ability to deploy Selective Control Policies through the central console
• Demonstrate automated documentation of all change, eliminating the need for customer administrators to document changes
• Show automated reporting which reduces costs for audit and compliancy
• Show automated benchmarking which reduces costs for operations and compliancy and provides patching process reduction
• Eliminate the need to document change as S3 Control will document all change
• Eliminate manual reconciliation of expected change with deployed change
• Eliminate the need to manually look for deviations between tested and deployed change
• Reduce forensic time during MTTR process
• Eliminate the need to manually monitor change within all infrastructure using the alert and thresholds of change capabilities
• Eliminate the need to run manual queries and reports to meet compliance and audit requirements for file integrity monitoring, privileged use
Business Requirement: Security
Use Case: Demonstrate Selective Policy Control & Run Time Control (TEST ENVIRONMENT ONLY) allowing specific servers/directories/files to be locked down except during specific maintenance windows or via an authorized process
Requirement Met Via:
• Show how system is automatically whitelisted and all existing binaries are added to the whitelist dynamically with write/uninstallation protection
• Show how authorized processes, change windows, signing utility can be used to securely update the system with dynamic whitelisting
• Demonstrate ability to protect against known and unknown threats by attempting to exploit the system
• Show increased visibility to change for traceability and auditability
• Write-protect a specific set of files/directories on a Server to ensure they cannot be changed outside of an approved change window or by an authorized updater, and provide risk mitigation.
• Evidentiary data associated with all software change event activity and reads to the database are maintained in one secured central database
• Ability to automate change policies within critical infrastructure to ensure that only authorized change is deployed
• All access denied attempts are reported on, including Who, When, What
• Reports on all authorized vs. unauthorized change events even if Selective Policy Control is not turned on to its full capability
• Alerts and notification of critical file changes or database changes
• Configuration Audit Assessments (Benchmarks) based upon CIS standards which can then be customized to provide real time
• Correlation with SIEM Data – Identify what a user did within the infrastructure through business use case scenarios.
• Identify WHO is making change and what changes they are making
• Ability to identify out of policy changes
• Ability to prevent out of policy change within critical infrastructure and eliminate the need for risk mitigation including malicious attempts
• Ability to not turn the prevention of change off even if the agent is disconnected from the central console
• Ability to not tamper with the central console
• Assessments with the ability to drill down to the exact events which took a specification out of compliance and which can then be locked to prevent future changes
• All control remains on even if the end point is disconnected from the central console
• Demonstrate ability to provide HIPS via locking of configuration settings on endpoint
• Demonstrate that data can be read protected so that only authorized applications can read sensitive data
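The change-window, authorized-updater and threshold-alert items in the use cases above describe a reconciliation rule without showing it. The following Python is an added example and is not code from this guide or from the McAfee products: it reconciles constructed sample change events against a hypothetical change policy (a nightly maintenance window that wraps midnight, a list of authorized updater processes, and a per-host volume threshold) and labels each event as authorized or unauthorized. The pipe-delimited log format, the host names, user names, process names and paths are all assumptions made for this example.

```python
"""Reconcile file-change events against a change policy (added example)."""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, time
from typing import FrozenSet, List, Tuple


@dataclass(frozen=True)
class ChangeEvent:
    ts: datetime
    host: str
    user: str
    process: str
    path: str
    action: str  # "modify", "create" or "delete"


@dataclass(frozen=True)
class ChangePolicy:
    window_start: time               # daily maintenance window (local time)
    window_end: time                 # may be earlier than window_start (wraps midnight)
    authorized_updaters: FrozenSet[str]  # process names allowed to change files at any time
    volume_threshold: int            # events per host above which a threshold alert is raised


# Constructed sample events in an assumed format: ts|host|user|process|path|action
SAMPLE_LOG = [
    r"2011-06-21T23:15:00|web01|SYSTEM|msiexec.exe|C:\Program Files\App\app.dll|modify",
    r"2011-06-21T14:02:00|web01|jsmith|explorer.exe|C:\Windows\System32\drivers\etc\hosts|modify",
    r"2011-06-22T01:30:00|db01|dbadmin|sqlservr.exe|D:\Data\prod.mdf|modify",
    r"2011-06-22T09:45:00|db01|svc_backup|backup.exe|D:\Data\prod.mdf|modify",
    r"2011-06-22T09:46:00|db01|svc_backup|backup.exe|D:\Data\prod.ldf|modify",
    r"2011-06-22T09:47:00|db01|svc_backup|backup.exe|D:\Data\prod.bak|create",
]

# Hypothetical policy: 22:00-02:00 window, two authorized updaters, alert above 3 events per host
POLICY = ChangePolicy(
    window_start=time(22, 0),
    window_end=time(2, 0),
    authorized_updaters=frozenset({"msiexec.exe", "wuauclt.exe"}),
    volume_threshold=3,
)


def parse_line(line: str) -> ChangeEvent:
    """Split one log line into a ChangeEvent; the path is the fifth field and may not contain '|'."""
    ts, host, user, process, path, action = line.split("|", 5)
    return ChangeEvent(datetime.fromisoformat(ts), host, user, process, path, action)


def in_window(ts: datetime, policy: ChangePolicy) -> bool:
    """True if the timestamp falls inside the daily window, handling a window that wraps midnight."""
    t = ts.time()
    if policy.window_start <= policy.window_end:
        return policy.window_start <= t < policy.window_end
    return t >= policy.window_start or t < policy.window_end


def classify(event: ChangeEvent, policy: ChangePolicy) -> str:
    """Authorized if made by an authorized updater or inside the window; otherwise unauthorized."""
    if event.process.lower() in policy.authorized_updaters:
        return "authorized-updater"
    if in_window(event.ts, policy):
        return "authorized-window"
    return "unauthorized"


def reconcile(lines: List[str], policy: ChangePolicy) -> Tuple[list, list, list]:
    """Return (event, verdict) pairs, the unauthorized events, and hosts over the volume threshold."""
    events = [parse_line(line) for line in lines]
    verdicts = [(e, classify(e, policy)) for e in events]
    unauthorized = [e for e, v in verdicts if v == "unauthorized"]
    per_host = Counter(e.host for e in events)
    threshold_alerts = sorted(h for h, n in per_host.items() if n > policy.volume_threshold)
    return verdicts, unauthorized, threshold_alerts


def report(lines: List[str] = SAMPLE_LOG, policy: ChangePolicy = POLICY) -> dict:
    """Summarize the reconciliation as plain data suitable for an alert or a saved search."""
    verdicts, unauthorized, threshold_alerts = reconcile(lines, policy)
    return {
        "verdicts": [v for _, v in verdicts],
        "unauthorized": [(e.host, e.user, e.process, e.path) for e in unauthorized],
        "threshold_alerts": threshold_alerts,
    }


if __name__ == "__main__":
    result = report()
    for line, verdict in zip(SAMPLE_LOG, result["verdicts"]):
        print(f"{verdict:<19} {line}")
    print("threshold alerts:", result["threshold_alerts"])
```

Running the block labels the msiexec.exe change as authorized by updater, the 01:30 database change as authorized by window, the four daytime changes as unauthorized, and raises a volume threshold alert for db01 only; the same three checks are what the "Who, When, What" reporting and the out-of-window alerting in the use cases reduce to.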
