Documente Academic
Documente Profesional
Documente Cultură
0 - Windows
Product Guide
(McAfee ePolicy Orchestrator)
COPYRIGHT
Copyright © 2018 McAfee, LLC
TRADEMARK ATTRIBUTIONS
McAfee and the McAfee logo, McAfee Active Protection, ePolicy Orchestrator, McAfee ePO, McAfee EMM, Foundstone, McAfee LiveSafe, McAfee QuickClean, Safe Eyes,
McAfee SECURE, SecureOS, McAfee Shredder, SiteAdvisor, McAfee Stinger, True Key, TrustedSource, VirusScan are trademarks or registered trademarks of McAfee,
LLC or its subsidiaries in the US and other countries. Other marks and brands may be claimed as the property of others.
LICENSE INFORMATION
License Agreement
NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE
GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE
CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR SOFTWARE PACKAGING OR THAT YOU HAVE
RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU
DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF
APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND.
1 Product Overview 5
Overview of Change Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
Key features of Change Control . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
How Change Control works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
Change Control components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
A Feature availability 61
Contents
Overview of Change Control
How Change Control works
Change Control components
Real-time monitoring
The software provides real-time monitoring for file and registry changes. This eliminates the need to perform
multiple scans on endpoints and identifies change violations.
• Who made it
Customizable filters
You can use filters to choose what changes are registered in the database. You can match the file name,
directory name, registry key, process name, file extension, and user name.
• Exclude filters to ignore information about events matching the specified filtering criteria.
Read protection
Read protection rules prevent users from reading the content of specified files, directories, and volumes. If a
directory or volume is read-protected, all files in the directory or volume are also read-protected. Subdirectories
inherit read protection rules.
Write protection
Use write protection rules to prevent users from creating and changing files, directories, and registry keys. and
protects it from unanticipated updates.
1 A system user tries to change a file or registry on a managed system where Change Control and McAfee
Agent are installed.
2 The Change Control software on the managed system recognizes the attempted change and uses the
McAfee Agent to send a Change Control event to McAfee ePO.
3 Change Control analyzes the rules and policies enforced on the endpoint, and allows or blocks the change.
The administrator manages these rules and policies through McAfee ePO.
4 Read protection or write protection is enforced and the user’s change attempt is approved or denied.
5 The Change Control database logs the file or registry change attempt and local user account information.
• Monitor and prevent changes to the file system, registry, and user accounts.
• View details of who made changes, which files were changed, what changes were made to the files, and
when and how the changes were made.
Contents
Change Control modes
Enable Change Control
Enabled Indicates that the software is in effect and changes are monitored and controlled on the endpoints
according to the defined policies. In Enabled mode, Change Control monitors and protects files and
registry keys as defined by the configured policies. Enabled mode is the recommended mode of
operation.
From Enabled mode, you can switch to Disabled or Update mode.
Update Indicates that the software is in effect, allows ad-hoc changes to the endpoints, and tracks the
changes made to the endpoints. Use Update mode to perform scheduled or emergency changes,
such as software and patch installations.
In Enabled mode, you cannot read the read-protected files or change any write-protected files
(according to the defined policies). But, in Update mode, all read and write protection that is in
effect is overridden. Use Update mode to define a change window during which you can make
changes to endpoints and authorize the changes.
From Update mode, you can switch to Enabled or Disabled mode. Switch to Enabled mode when
the changes are complete.
Disabled Indicates that the software is not in effect. Although the software is installed, the associated
features are not active. When you place the endpoints in Disabled mode, the application restarts
the endpoints.
From Disabled mode, you can switch to Enabled or Update mode.
Task
• Endpoint — Select the endpoint and click Actions | Agent | Modify Tasks on a Single System.
3 Click Actions | New Client Task Assignment to open the Client Task Assignment Builder page.
4 Select Solidcore 8.1.0 | SC: Enable, then click Create New Task to open the Client Task Catalog page.
• Specify the task name and add any descriptive information.
• Select the platform and subplatform, then make sure that Change Control is selected.
5 Click Save, click Next to open the Schedule page. Specify scheduling details, then click Next.
7 (Optional) Wake up the agent to send your client task to the endpoint immediately.
Contents
What are rule groups?
Permissions for rule configuration
Managing rule groups
Rule groups can drastically reduce the effort required to define similar rules across policies. If you have a large
setup and you are deploying the software across numerous endpoints, use rule groups to minimize the
deployment time and effort.
Users who don't own a rule group can only view the rule group and its policy assignments, duplicate the rule
group, and add the rule group to policies. But, if the owner or the McAfee ePO administrator updates a rule in
the rule group, the change cascades across all associated McAfee ePOpolicies.
You can assign one of these permissions for the Rule Groups page. By default, the McAfee ePO administrator has
edit permissions for all pages.
Permission Details
No permissions Indicates that the page is not visible to the user.
For example, if no permissions are granted to a user for the Rule Groups page, the tab isn't
visible from the Solidcore Rules and Policy Catalog (rule group assignments) pages. Also, the
user inherits no permissions on the Updater Processes, Users, and Filters tabs.
View Indicates that the page is visible to the user. But, the user can't perform changes.
permissions For example, if view permissions are granted to a user for the Rule Groups page, the tab is
visible from the Solidcore Rules and Policy Catalog (rule group assignments) pages. While the
user can view rule group information and check assignments, the user is not allowed to edit,
duplicate, or add rule groups.
Edit Indicates that the tab is visible and the user can perform all actions available on the page.
permissions For example, if edit permissions are granted to a user on the Rule Groups page, the page is
visible from the Solidcore Rules and Policy Catalog (rule group assignments) pages and the user
is allowed to perform all operations.
When No Permissions or View Permissions are granted to a user, certain actions might not be available.
Task
1 On the McAfee ePO console, select Menu | Configuration | Solidcore Rules.
• Select Change Control to view or define a rule group for preventing unauthorized changes on critical
resources.
d Click OK.
The rule group is created and listed on the Rule Groups page.
Task
1 On the McAfee ePO console, select Menu | Configuration | Solidcore Rules.
2 On the Rule Groups tab in the Owners column, click the owner for a rule group to open the Rule Group Ownership
page.
3 Change the default ownership by selecting or deselecting users listed on the page.
4 Click Save.
Changes made to owners are reflected in the Owners column for the selected rule group.
Task
1 On the McAfee ePO console, select Menu | User Management | Permission Sets.
4 Select the users you want to assign the permission set to.
The level of permissions that you specify in the permission set is granted to the user. When multiple
permission sets are applied to a user account, they aggregate. Consider this as you plan your strategy for
granting permissions to the users in your environment.
5 Click Save.
8 Grant permissions selectively for the tabs (Updater Processes, Users, and Filters) contained in rule group and
policy pages, as needed.
This is based on the permissions the user has on the Rule Groups page. For information, see Permissions for
rule configuration.
9 Click Save.
Task
1 On the McAfee ePO console, select Menu | Configuration | Solidcore Rules.
• To delete a rule group, click Delete and click Yes to close the Delete Rule Group dialog box.
If you are the owner of the rule group or the global administrator, you can import the rule group XML file to the
target McAfee ePO server. But, if you are a non-global administrator, you can import rules only for the tabs where
you have permissions. All other rules are not imported and details are available on the Server Task Log page.
Also, when you import rule groups to a (target) McAfee ePO server, the user logged on to the McAfee ePO
server becomes the owner of the imported rule group. When you export rule groups from a source McAfee ePO
server, the owner information is not exported.
When importing or exporting rule groups with Trusted Groups, make sure that the Active Directory server on the
source and destination McAfee ePO servers is configured using the same domain name, server name, or IP
address.
You can import or export rule groups using the McAfee ePO console or web service APIs.
Tasks
• Use the McAfee ePO console on page 15
Based on your setup, you can import or export rule groups using the McAfee ePO console.
• Use web service APIs on page 15
Based on your setup, you can import or export rule groups using web service APIs provided by
Application Control and Change Control.
Task
• To export selected rule groups to an XML file, select the rule groups, click Export, and save the file.
Task
1 Open the command prompt, then navigate to this directory.
<ePO installation directory>\Remote‑Client\
For example, C:\Program Files\McAfee\ePolicy Orchestrator\Remote‑Client\
Task
1 On the McAfee ePO console, select Menu | Configuration | Solidcore Rules.
2 On the Rule Groups tab, click Assignments to view the policies to which the selected rule group is assigned.
Contents
How monitoring rules work
Defining monitoring rules
Review predefined monitoring rules
Create monitoring policies
Settings for tracking content change
Configure settings for tracking content changes
Track content changes
Manage file versions
Compare files
User account • User account creation • User logon (success and failure)
• User account modification • User logoff
• User account deletion
User account tracking is disabled by default. You must enable this feature to track operations for
user accounts. To enable this feature, execute the SC: Run Commands client task to run the sadmin
features enable mon-uat command on the endpoint.
• Offline
System variables
The path specified in a monitoring rule can include system environment variables. This table lists the supported
system variables.
%APPDATA% C:\Users\(username)\AppData\Roaming
C:\Documents and Settings\{username}\Application (in earlier
Windows versions)
%USERPROFILE% C:\Users\(username)
C:\Documents and Settings\{username} (in earlier Windows
versions)
C:WINNT\profiles\{username}(in earlier Windows versions)
%WINDIR% C:\Windows
Path considerations
These considerations apply to path-based rules.
• Paths must be absolute when specifying rules to monitor files and directories.
• Paths are not required to be absolute when specifying rules to monitor program activity. You can specify the
partial path, such as AcroRd32.exe or Reader\AcroRd32.exe or fully qualified path, such as C:\Program
Files\Adobe\Reader 9.0\Reader\AcroRd32.exe. If you specify the partial path, all programs with
names that match the specified string are monitored. If you specify the fully qualified path, activity is
monitored for only the specified program.
• Paths can include the wildcard character (*). But, it can only represent one complete path component. Here
are a few examples.
• Using \abc\*\def is allowed while \abc\*.doc, \abc\*.*, or \abc\doc.* is not supported.
You cannot use the wildcard character while defining a rule to track content and attribute changes for a file.
• Paths used in registry key-based rules can include the wildcard character (*). But, the wildcard character can
only represent one path component in the registry path. Make sure that you don't use the character for the
component at the end of the complete registry path.
Also, at any time, the CurrentControlSet in the Windows Registry is linked to the relevant HKEY_LOCAL
_MACHINE\SYSTEM\ControlSetXXX key. For example, the HKEY_LOCAL_MACHINE\SYSTEM
\CurrentControlSet can be linked to HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001 key. When a
change is made to either link, it is automatically updated on both links. For a monitored key, events are
always reported with the path of CurrentControlSet and not ControlSetXXX.
Monitoring rules
You can perform these actions when creating or changing a monitoring policy or rule group.
Action Steps
Monitor files and 1 Click Add on the File tab. The Add File dialog box appears.
directories
2 Specify the file or directory name.
4 (Optional) To track content and attribute changes for a file, select Enable Content
Change Tracking and specify the other options. For more information, see Track
content changes.
5 Click OK.
Monitor registry keys 1 Click Add on the Registry tab to open the Add Registry dialog box.
(Windows platform
only) 2 Specify the registry key.
3 Indicate whether to include for or exclude from monitoring and click OK.
Monitor specific file 1 Click Add on the Extension tab to open the Add Extension dialog box.
types
2 Type the file extension. Don't include the period (dot) in the extension. For example,
log.
3 Indicate whether to include for or exclude from monitoring and click OK.
Monitor program 1 Click Add on the Program tab to open the Add Program dialog box.
activity (in effect
choose to track or not 2 Enter the name or full path of the program.
track all file or registry
changes made by a 3 Indicate whether to include for or exclude from monitoring and click OK. We
program) recommend that you exclude background processes, such as the lsass.exe
process.
Action Steps
Specify the users to 1 Click Add on the User tab to open the Add User dialog box.
exclude from
monitoring (in effect 2 Specify the user name using these considerations:
all changes made by
the specified user are • Spaces in user names are specified in quotes.
not tracked) • Domain name can be a part of the user name on the Windows platform. If the
domain name isn't specified, the user name is excluded from monitoring for all
domains.
• Exclude all users in a particular domain (on the Windows platform) by using
MY-DOMAIN\* or *@MY-DOMAIN.
3 Click OK.
Specify advanced 1 Click Add Rule on the Filters tab to add a new filter row. You can create filters based
exclusion filters for on files, events, programs, registry keys, and users.
events
2 Edit the settings to specify the filter.
3 Click + or Add Rule to specify additional AND or OR conditions.
Task
4 Select a rule group in the Rule Groups pane to review the filters included in the rule group.
To override any rules included in the Minimal System Monitoring policy, you can duplicate the relevant rule group
(in which the required rules are present), edit the rule group to add the new rules, and add the rule group to a
policy. For most other purposes, make sure that the Minimal System Monitoring policy is applied on the endpoints
and extra rules are applied by using a separate policy.
5 Click Cancel.
Task
1 On the McAfee ePO console, select Menu | Policy | Policy Catalog.
3 Click New Policy to open the Create a new policy dialog box and select the category.
4 Select Blank Template from Create a policy based on this existing policy list to define a policy from scratch, specify
the policy name, then click OK.
c Click OK.
7 Add the monitoring rules to the policy, then save the policy.
Setting Description
Maximum file By default, you can track changes for any file with a size of 1000 KB or lower. You can also
size configure the maximum file size for tracking content changes.
Changing the maximum file size affects the McAfee ePO database sizing requirements and
might have an impact on performance.
File extensions For executable files, the content change tracking feature tracks only attributes (content
for which to changes are not tracked). By default, only attribute changes are tracked for these
track only extensions.
attribute
changes • zip • tar • bz2 • tiff
• bmp • gz • jpg • sys
• 7z • bz • exe • png
• pdf • tgz • gif • jar
• rar • dll
Setting Description
You can edit the list to specify file extensions specific to your setup for which to track only
attribute changes.
Maximum When you apply the content change tracking rule on a directory, base versions of all files in
number of files the directory that match the specified include or exclude patterns, if any, are collected and
to retrieve per sent to the McAfee ePO server. These base versions are used to track content changes and
rule allow comparison with future versions of the files.
If the number of qualifying files for one rule is too high, operational performance of the
endpoint and occasionally of the McAfee ePO server can deteriorate. To prevent such
disruptions, you can specify a value to control the maximum files to retrieve per rule. This
limit applies to the number of qualifying files in the directory and not to the total number of
files in the directory. If the number of qualifying files for a specified rule exceeds the set
threshold value, the base versions of the files are not retrieved to the McAfee ePO server. All
subsequent changes to the files are reported and base versions of new files are sent to the
McAfee ePO server.
By default, the limit is set to 100 files per rule. You can configure this setting, as needed, for
your setup.
Task
1 On the McAfee ePO console, select Menu | Policy | Policy Catalog.
3 In the Configuration (Client) category, click Duplicate for the McAfee Default policy.
Task
1 Navigate to the File tab.
You cannot track changes for network files (files placed on network paths).
b Select Recurse Directory to track changes for files in all subdirectories of the specified directory.
c (Optional) Specify patterns to match file names in the Include Patterns or Exclude Patterns. While specifying
multiple patterns, make sure that each pattern is on a separate line.
If you do not specify a pattern, all files are included for change tracking. You can add an asterisk (*) at the
beginning or end of a pattern. If you specify *.txt as an include pattern, only txt files in the directory
are monitored. If you specify *.ini as an exclude pattern, all ini files in the directory are not
monitored. Also, while specifying multiple patterns, make sure that each pattern is on a separate line.
For example:
*.log
Test.txt
Test*
If you erroneously add *.log and Test.txt in one line, the software considers it as a single pattern and
matches accordingly.
Exclude patterns take precedence over include patterns. For example, if you erroneously define an
include and exclude pattern for the same file, the exclude pattern applies.
7 Click OK.
Task
1 On the McAfee ePO console, select Menu | Reporting | Content Change Tracking.
All files for which content change tracking is enabled are listed.
• Sort the list based on the system name, file path, or status.
To do this... Do this...
Review the file The File Status column denotes the status of content change tracking.
status.
Review Click View versions. The File Versions page displays all versions for the file. From this page you
version. can compare file versions, specify the base version, and delete file versions from the
McAfee ePO database.
Compare the 1 Specify what to compare.
file versions.
• Click Compare with previous for a version to compare that version with the previous
version of the file available on the McAfee ePO console.
• Click Compare with base for a version to compare that version with the base version.
• Select any two versions (by clicking the associated checkboxes), then select Actions |
Compare Files to compare the selected versions.
The versions are compared and differences between the file content and file attributes
are displayed.
2 Click Close.
Reset the base 1 Select a file version to set as the base version by clicking the associated checkbox.
version.
2 Select Actions | Set as base version to open the Set as base version dialog box.
3 Click OK. This resets the base version and deletes all previous versions (older than the
new base version) of the file.
The software can track up to 200 versions for a file. If the number of versions exceeds 200,
the application deletes the oldest versions to bring the version count to 200. Then, it
automatically sets the oldest version as the base version. If needed, you can configure the
number of versions to maintain for a file. Contact McAfee Support for assistance in
configuring the number of versions to maintain for a file.
Delete file Deleting file versions removes the selected file versions from the McAfee ePO database. It
versions. does not change or remove the actual file present on the endpoint.
1 Select one or more file versions by clicking the associated checkboxes.
4 Click Close.
Compare files
You can compare two files or two versions of a single file. You can compare files or versions on the same
endpoint or on different endpoints.
Task
1 On the McAfee ePO console, select Menu | Reporting | Content Change Tracking.
7 Click Close.
Contents
How protection rules work
Define protection rules
Create a protection policy
Enable read protection
Read Prevent users from reading the content of specified files, directories, and volumes.
protection
rules When a directory is read-protected, all files in the directory are read-protected. Any
unauthorized attempt to read data from protected files is prevented and an event is
generated. Writing to read-protected files is allowed.
Write Prevent users from creating files (including directories and registry keys) and changing existing
protection files, registry keys, and directories.
rules
• Define write protection rules for files and directories to protect them from unauthorized
changes. Only protect critical files. When a directory is included for write protection, all files
in that directory and its subdirectories are write protected.
• Define write protection rules for critical registry keys to protect them against change.
• Specify programs that are permitted to selectively override the read or write protection.
• Specify users who can selectively override the read or write protection.
System variables
The path specified in a protection rule can include system environment variables. This table lists the supported
system variables.
%WINDIR% C:\Windows
Path considerations
These considerations apply to path-based rules.
• Paths must be absolute when specifying rules to read-protect or write-protect files and directories.
• Paths need not be absolute when specifying rules to add a trusted program or updater. For example, you
can specify the partial path, such as AcroRd32.exe or Reader\AcroRd32.exe or fully qualified path, such
as C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32.exe. If you specify the partial path, all
programs with names that match the specified string are added as trusted programs. If you specify the fully
qualified path, only the specified program is added as a trusted program.
• Paths can include the wildcard characters to specify file paths and file names. When using wildcards, ensure
that specified string matches a limited set of file paths or file names. If the specified string matches many
files, we recommend you revise the string.
• Paths can include the * and ? wildcard characters.
When specifying a file path, C:\Test1\*\*\Test.txt, C:\Test\????*?, and C:\?Test*
\Test1\Test.txt are allowed while *:\Test1\*\*\Test.txt, *\Test1\Test2\Test.txt, and *:
\Test1\Test2\Test.txt are not.
• Paths used in registry key-based rules can include the wildcard character (*). But, the wildcard character can
only represent one path component in the registry path. Make sure that you do not use the character for the
component at the end of the complete registry path (if used at the end, the rule is not effective).
Task
b Specify the file or directory name and indicate whether to include or exclude from read protection.
c Click OK.
b Specify the file or directory name and indicate whether to include or exclude from write protection.
c Click OK.
b Specify the registry key and indicate whether to include for or exclude from write protection.
c Click OK.
4 Specify trusted programs permitted to override the read and write protection rules:
a Click Add on the Updater Processes tab. The Add Updater dialog box appears.
b Specify whether to add the updater based on the file name, SHA-1, or SHA-256. If you add the updater by
name, the updater is not authorized automatically. But, when you add the updater by SHA-1 or SHA-256,
the updater is authorized.
c Enter the location of the file (when adding by name), SHA-1, or SHA-256 of the executable file.
d Enter a unique identification label for the executable file. For example, if you specify Adobe Updater Changes
as the identification label for the Adobe_Updater.exe file, all change events made by the Adobe
_Updater.exe file are tagged with this label.
• Select Library to allow the file to run as updater only when it has loaded the specified library. For
example, when configuring iexplore.exe as an updater to allow Windows Updates using Internet
Explorer, specify wuweb.dll as the library. This makes sure that the iexplore.exe program has
updater rights only until the Web Control library (wuweb.dll) is loaded.
• Select Parent to allow the file to run as an updater only if it is started by the specified parent. For
example, when configuring updater.sh as an updater to allow changes to Mozilla Firefox, specify
firefox as the parent. Although updater.exe is a generic name that can be part of any installed
application, using the parent makes sure that only the correct program is allowed to run as an
updater.
f Indicate whether to disable inheritance for the updater. For example, if Process A (that is set as an
updater) starts Process B, disabling inheritance for Process A makes sure that Process B does not
become an updater.
g Indicate whether to suppress events generated for the actions performed by the updater. Typically, when
an updater changes a protected file, a File Modified event is generated for the file. If you select this
option, no events are generated for changes made by the updater.
h Click OK.
5 Specify users permitted to override the read and write protection rules
a On the Users tab, click Add. The Add User dialog box appears.
b On the Add User dialog box, create two rules for each user: one with UPN/SAM and domain account name
(in domainName\user format) and another with domain netbiosName (in netbiosName\user format).
c Specify a unique identification label for the user. For example, if you specify John Doe Changes as the
identification label for the John Doe user, all changes made by the user are tagged with this label.
Protection rules
You can define protection rules when changing or creating a protection policy or rule group.
Action Steps
Read-protect files 1 Click Add on the Read-Protect tab. The Add File dialog box appears.
and directories
2 Specify the file or directory name.
4 Click OK.
Write-protect files 1 Click Add on the Write-Protect File tab. The Add File dialog box appears.
and directories
2 Specify the file or directory name.
4 Click OK.
Write-protect 1 Click Add on the Write-Protect Registry tab. The Add Registry dialog box appears.
registry keys
2 Specify the registry key.
4 Click OK.
Action Steps
Specify trusted 1 Click Add on the Updater Processes tab. The Add Updater dialog box appears.
programs
permitted to 2 Specify whether to add the updater based on the file name, SHA-1, or SHA-256. If you
override the read add the updater by name, the updater is not authorized automatically. But, when you
and write add the updater by SHA-1 or SHA-256, the updater is authorized.
protection rules
3 Enter the location of the file (when adding by name), SHA-1, or SHA-256 of the
executable file.
4 Enter a unique identification label for the executable file. For example, if you specify
Adobe Updater Changes as the identification label for the Adobe_Updater.exe file, all
change events made by the Adobe_Updater.exe file are tagged with this label.
Action Steps
Specify users You can either enter user details or import user or group details from an Active Directory.
permitted to Make sure that the Active Directory is configured as a registered server.
override the read
and write Specify details to authorize users to override the read or write protection rules.
protection rules 1 On the Users tab, click Add. The Add User dialog box appears.
5 Click OK.
3 Select Global Catalog Search to search for users in the catalog (only if the selected Active
Directory is a Global Catalog server).
4 Specify whether to search for users based on the UPN (User Principal Name) or SAM
account name. Your search criteria determines the authorized user. Make sure that
you use the trusted account to log on to the endpoint. If you use the UPN name while
adding a user, make sure that the user logs on with the UPN name at the endpoint to
enjoy trusted user rights.
5 Enter the user name. The Contains search criteria is applied for the specified user name.
6 Specify a group name to search for users in a group. You cannot directly add a group
present in the Active Directory to a policy. To authorize all users in a group, add the
user group to a rule group and include the rule group in a policy. When you include a
user group in a rule group, the following actions occur.
a Application Control runs a task in the background to query the configured Active
Directory server and fetch user details.
b Active Directory server sends list of users and associated attributes, such as
netbiosName and user name, for all users in the specified user group. These details
are saved to the rule group.
c Application Control adds each user in the user group as a trusted user. These users
are not listed as individual users on the user interface but the user list is available
when you export the rule group information to an XML file.
Adding user groups makes sure that all changes to a user group automatically cascade
across all rule groups and associated policies.
8 Select the users to add in the search results, then click OK.
Task
1 On the McAfee ePO console, select Menu | Policy | Policy Catalog.
3 Click New Policy to open the Create a new policy dialog box.
5 Select Blank Template from Create a policy based on this existing policy list to define a policy from scratch.
The read-protect feature is disabled by default. To use read protection rules, enable the read-protect feature
for the endpoints.
Task
• Endpoint — Select the endpoint on the Systems page and click Actions | Agent | Modify Tasks on a Single
System.
b Select the Solidcore 8.1.0 product, SC: Run Commands task type, and click Create New Task.
The Client Task Catalog page appears.
4 Select Requires Response if you want to view the status of the commands in Menu | Automation | Solidcore Client
Task Log tab.
5 Click Save.
9 (Optional) Wake up the agent to send your client task to the endpoint immediately.
Contents
Monitoring and reporting
Manage events
View content changes
Exclude events
Managing dashboards
Managing queries
View queries
Manage events
You can review events by specifying the time duration and endpoint details.
Task
2 Specify the time duration by selecting an option from the Time Filter list.
• To add user comments for multiple events, select the events and click Actions | Add Comments.
Site administrator has the permissions to overwrite the user comments which are added by a global
administrator.
c Click OK.
c Click Back.
• FILE_DELETED • FILE_ATTR_CLEAR
• FILE_MODIFIED • ACL_MODIFIED
• FILE_RENAMED • OWNER_MODIFIED
• FILE_ATTR_MODIFIED
You can track these events and see the details of the changes.
Task
4 Click Close.
Exclude events
You can define rules to exclude routine system-generated change events not relevant for monitoring or
auditing.
Task
1 On the McAfee ePO console, select Menu | Reporting | Solidcore Events, and select the events to exclude.
3 Select the target platform and the rule group type, then click Next to open the Define Rules page.
5 Add the rules to an existing or new rule group, then click Save.
6 Check that the rule group is added to the relevant policy and the policy is assigned to the endpoints.
Once excluded, similar new events are no longer displayed on the McAfee ePO console. Excluding events
doesn't remove the existing or similar events from the Solidcore Events page.
Managing dashboards
Dashboards are collections of monitors that help you keep an eye on your environment.
Change Control provides these default dashboards.
• Solidcore: Integrity Monitor dashboard allows you to observe the monitored endpoints
• Solidcore: Change Control dashboard helps you keep a check on the protected endpoints
• Solidcore: Health Monitoring dashboard helps you monitor the health of the protected endpoints in your
enterprise
Managing queries
Use the available queries to review information about the endpoints based on the data stored in the McAfee
ePO database.
These Change Control and Health Monitoring queries are available from the McAfee ePO console.
Top 10 Programs with Most Displays the top 10 programs with most changes during the last 7 days. The chart
Change Events in the Last 7 includes a bar for each program and indicates the number of events generated by
Days each program. The bar chart sorts the data in descending order. Click a bar on the
chart to review detailed information.
Top 10 Systems with Most Displays the top 10 systems with the most changes during the last 7 days. The
Change Events in the Last 7 chart includes a bar for each system and indicates the number of events
Days generated for each system. The bar chart sorts the data in descending order. Click
a bar on the chart to review detailed information.
Top 10 Systems with Most Displays the top 10 systems with the maximum number of violations in the last 24
Violations in the Last 24 Hours hours. The chart includes a bar for each system and indicates the number of
violations for each system. Click a bar on the chart to review detailed information.
Top 10 Systems with Most Displays the top 10 systems with the maximum number of violations in the last 7
Violations in the Last 7 Days days. The chart includes a bar for each system and indicates the number of
violations for each system. Click a bar on the chart to review detailed information.
Top 10 Users with Most Change Displays the top 10 users with the most changes during the last 7 days. The chart
Events in the Last 7 Days includes a bar for each user and indicates the number of events generated by
each user. The bar chart sorts the data in descending order. Click a bar on the
chart to review detailed information.
Top 10 Users with Most Displays the top 10 users with the most policy violation attempts in the last 7
Violations in the Last 7 Days days. The chart includes a bar for each user and indicates the number of policy
violation attempts for each user. The bar chart sorts the data in descending order.
Click a bar on the chart to review detailed information.
Top 10 Users with Most Displays the top 10 users with the most policy violation attempts in the last 24
Violations in the Last 24 Hours hours. The chart includes a bar for each user and indicates the number of policy
violation attempts for each user. The bar chart sorts the data in descending order.
Click a bar on the chart to review detailed information.
View queries
You can view a Change Control or Solidcore Health Monitoring query.
Task
1 On the McAfee ePO console, select Menu | Reporting | Queries & Reports.
2 Select the Change Control or Solidcore Health Monitoring group under McAfee Groups.
Contents
Monitor enterprise health
Review congestion status and trend
Configure notifications
Make emergency changes
Administer throttling for your enterprise
Configure CLI breach notifications
Change the CLI password
Place the endpoints in Disabled mode
Purge reporting data
Task
1 Select Menu | Reporting | Dashboards.
2 Select the Solidcore: Health Monitoring dashboard from the Dashboard list.
• Check the Inventory Data Congestion Trend in Last 7 Days monitor to review the weekly trend.
• Check the Observations Data Congestion Trend in Last 7 Days monitor to review the weekly trend.
5 (Optional) Review congestion levels for self-approval requests and client task logs.
a From the McAfee ePO console, select Dashboard Actions | Duplicate for Solidcore: Health Monitoring dashboard,
click OK in the Duplicate Dashboard dialog box, then click Add Monitor.
c Click and drag the Self-Approval Data Congestion Level and Client Task Logs Data Congestion Level monitors.
f In the New Monitor dialog box, click the Monitor Content drop-down list.
g Navigate to the McAfee Groups - Solidcore Health Monitoring section (McAfee ePO console), select the
Self-Approval Data Congestion Trend in Last 7 Days query, and click OK.
h Repeat steps d through g for the Client Task Logs Data Congestion Trend in Last 7 Days query.
i Review the Self-Approval Data Congestion Level and the Self-Approval Data Congestion Trend in Last 7 Days to review
the weekly trend.
j Review the Client Task Logs Data Congestion Level and the Client Task Logs Data Congestion Trend in Last 7 Days
monitor to review the weekly trend.
Configure notifications
You can configure alerts or automatic responses to receive a notification when data congestion begins for your
environment.
To receive a notification when congestion begins for your setup, you can configure an alert for the Data
Congestion Detected event. Similarly, to receive a notification when data is deleted from the McAfee ePO database
to resolve congestion, you can configure an alert for the Clogged Data Deleted event.
Task
1 Select Menu | Automation | Automatic Responses.
3 Select the ePO Notification Events group and Threat event type.
5 Select My Organization for the Defined at property, then Select Threat Name from the Available Properties pane.
7 Specify aggregation details, then click Next to open the Actions page.
8 Select Send Email, specify the email details, and click Next to open the Summary page, then review the details
and click Save.
Tasks
• Place the endpoints in Update mode on page 46
Place the endpoints in Update mode to make emergency changes.
• Place the endpoints in Enabled mode on page 46
Place the endpoints back in Enabled mode after you complete the required changes in Update
mode.
Task
1 Select Menu | Systems | System Tree.
• Endpoint — Select the endpoint on the Systems page, then click Actions | Agent | Modify Tasks on a Single
System.
3 Click Actions | New Client Task Assignment to open the Client Task Assignment Builder page.
4 Select Solidcore 8.1.0 for the product, SC: Begin Update Mode task type, then click Create New Task to open the Client
Task Catalog page.
a Specify the task name and add any descriptive information.
c Click Save.
Task
1 On the McAfee ePO console, select Menu | Systems | System Tree.
• To apply the client task to an endpoint, select the endpoint on the Systems page, then click Actions | Agent
| Modify Tasks on a Single System.
3 Click Actions | New Client Task Assignment to open the Client Task Assignment Builder page.
a Select Solidcore 8.1.0 for the product, SC: End Update Mode for the task type, then click Create New Task to open
the Client Task Catalog page.
b Specify the task name and add any information you want.
d Specify the task name and add any information you want.
4 (Optional) Wake up the agent to send your client task to the endpoint immediately.
2 Data is stored in a cache at the endpoints. When the cache is full, data starts dropping with the oldest.
Data is stored in the cache only for event and policy discovery requests. The inventory data is not stored in
the cache; instead, it is updated at the endpoints locally.
3 Throttling is reset no less than 24 hours after the first event, policy discovery request, or inventory update
for the day.
When throttling of inventory updates is initiated, the Pull Inventory client task is disabled. This indicates that
you cannot fetch inventory until throttling resets.
4 Data stored in the cache is sent to the McAfee ePO server in batches (starting with the oldest data).
After throttling resets for events and policy discovery requests, further generated data is stored in the cache
and not sent to the McAfee ePO server until the cache is empty.
The throttling feature is available on all supported Windows platforms. You can manage throttling by identifying
the endpoints where throttling is initiated and taking remedial actions. If needed, you can configure throttling
for your enterprise.
Tasks
• Set up throttling on page 47
By default, the throttling feature is enabled for events, inventory updates, and policy discovery
requests.
• Configure throttling values on page 48
For most enterprises, the default settings for the throttling feature are enough. But, if needed, you
can change the default configuration for the feature.
• Manage throttling on page 48
You can determine if throttling is initiated for any endpoint in your setup and you can take action to
manage the feature.
Set up throttling
By default, the throttling feature is enabled for events, inventory updates, and policy discovery requests.
Enabling or disabling this feature also enables or disables all its subfeatures.
Task
1 On the McAfee ePO console, select Menu | Policy | Policy Catalog.
3 In the Configuration (Client) category, click Duplicate for the McAfee Default policy.
7 (Optional) Disable the throttling feature selectively for Events, Inventory Updates, and Policy Discovery
(Observations).
When the throttling feature is enabled, you can disable one or more types of throttling by deselecting the
corresponding checkbox.
Task
1 On the McAfee ePO console, select Menu | Policy | Policy Catalog.
3 In the Configuration (Client) category, click Duplicate for the McAfee Default policy.
6 Edit the values for events, inventory updates, and policy discovery requests, as needed.
Value Description
Events The value for threshold and cache size is defined in number of event XML files. By
default, 2000 XML files can be processed per endpoint in 24 hours. Also, the default
event cache size is set to 7000 XML files per endpoint.
Inventory Updates The value for threshold is defined in number of file elements containing inventory
updates. By default, 15000 files elements can be processed per endpoint in 24 hours.
Policy Discovery The value for threshold and cache size is defined in number of request XML files. By
(Observations) default, 100 XML files can be processed per endpoint in 24 hours. Also, the default
event cache size is set to 700 XML files per endpoint.
Manage throttling
You can determine if throttling is initiated for any endpoint in your setup and you can take action to manage the
feature.
On the Solidcore: Health Monitoring dashboard, check the Number of Systems where Throttling Initiated in Last 7 days
monitor to take notice of the systems that might require immediate action.
Task
1 Determine if throttling is initiated and identify the affected endpoints.
Event Description
Data Throttled Generated for an endpoint when event or policy discovery request throttling is initiated. After
throttling resets, this event is generated daily until the cache is empty.
Data Dropped Generated in 2 scenarios for an endpoint.
• When the cache is full and the oldest data is dropped from the event or request cache.
• When throttling of inventory updates is initiated for the endpoint.
3 Process data generated for affected endpoints and create relevant rules. You must process data quickly to
make sure that data isn't dropped.
Tasks
• Identify endpoints where throttling is initiated on page 49
You can identify endpoints where Data Throttled and Data Dropped events are generated.
• Review throttling status on page 49
For endpoints where throttling is initiated, you can review the throttling status.
• Process data where throttling is initiated on page 50
On endpoints where throttling is initiated, you can create relevant rules or filters to process data.
This helps you control the flow of data by gradually reducing the amount of received data.
Task
1 On the McAfee ePO console, select Menu | Reporting | Solidcore Events.
2 Review the event list and locate endpoints where these events are generated.
Event Action
Data Throttled Review the Object Name column for information about throttling of events or policy discovery
requests (observations) for the corresponding endpoints. Based on the type of throttling, you
must immediately review the throttling status and process data for the endpoint to make
sure that you don't lose data.
Data Dropped Review the Object Name column for information about throttling of inventory updates. This
column also provides information if data has started dropping for events and policy discovery
requests (observations). Typically, this occurs when data isn't processed quickly for the
endpoint. Based on the type of throttling, you must immediately process data or manage
inventory updates.
Task
1 From the McAfee ePO console, select Menu | Systems | System Tree.
2 On the Systems page, click the endpoint where throttling is initiated to view its details.
Property Description
Throttling Status: Provides this information.
Events • Cache usage
Throttling Status: This indicates the percentage of event or request cache that is already used by the
Policy Discovery stored events or requests.
(Observations)
• Number of dropped events or requests
When the cache usage reaches 100%, events or requests start dropping and the Data
Dropped event is generated and displayed on the Threat Event Log and Solidcore Events
pages.
• Time when the threshold was reached
This indicates the time when event or request throttling was initiated.
Inventory Fetch Time Indicates the time when the inventory was last fetched. When throttling of inventory
(Last) updates is initiated, the Pull Inventory client task is disabled and you can't fetch the
inventory until throttling resets.
Inventory Fetch Time Indicates the time when you can fetch the inventory for the endpoint. When throttling
(Next) of inventory updates resets (24 hours after the first inventory update was generated),
the Pull Inventory client task is enabled again to allow you to fetch the inventory. In such
scenarios, this property displays the time when throttling resets.
Task
• On the McAfee ePO console, take relevant actions based on the type of data.
a Events – Select Menu | Reporting | Solidcore Events.
On the identified endpoints where throttling is initiated, review the generated events, then create
relevant rules for events based on details such as event type, generation time, and number of
occurrences. Define advanced exclusion filters to exclude non-meaningful events from the endpoints.
b Requests – Create relevant rules to process requests and define advanced exclusion filters to exclude
non-meaningful requests from the endpoints.
c Inventory updates – Define advanced exclusion filters to exclude non-meaningful inventory updates from
the endpoints.
This feature is available only in McAfee ePO-managed configuration and unavailable in standalone configuration.
Task
1 On the McAfee ePO console, select Menu | Policy | Policy Catalog.
3 In the Configuration (Client) category, click Duplicate for the McAfee Default policy.
7 Specify the number of failed attempts and the interval after which to disable the CLI in case of a security
breach.
By default, the CLI is disabled if a user makes three unsuccessful attempts in 30 minutes.
8 Specify how long to disable the CLI if any user makes unsuccessful logon attempts.
By default the CLI is disabled for 30 minutes.
9 Click Save.
• Any attempt to recover the CLI with an incorrect password generates the Unable to Recover Local CLI event.
When the user exceeds the permitted number of failed attempts (as defined in the policy), the CLI recovery is
disabled to prevent the breach attempt. The Disabled Local CLI Access event is generated. This is priority event and
is sent immediately to the McAfee ePO console.
Task
1 On the McAfee ePO console, select Menu | Policy | Policy Catalog.
3 In the Configuration (Client) category, click Duplicate for the McAfee Default policy.
The Duplicate Existing Policy dialog box appears.
8 Click Save.
Task
1 Select Menu | Systems | System Tree.
• Endpoint — Select the endpoint on the Systems page, then click Actions | Agent | Modify Tasks on a Single
System.
3 Click Actions | New Client Task Assignment to open the Client Task Assignment Builder page.
4 Select Solidcore 8.1.0 for the product, SC: Disable task type, then click Create New Task to open the Client Task
Catalog page.
• Version 6.0.0 and later – Select Reboot endpoint to restart the endpoints.
• Version 6.1.0 and later – Deselect Reboot endpoint to restart the endpoints.
9 (Optional) Wake up the agent to send your client task to the endpoint immediately.
Task
1 On the McAfee ePO console, select Menu | Automation | Server Tasks.
• Purge records older than — Select this option to purge the entries older than the specified age.
• Purge by query — Select this option to purge the records for the selected feature that meet the query
criteria. This option is only available for reporting features that support queries in McAfee ePO. Also, this
option is supported only for tabular query results.
No seeded queries are available for purging. Before purging records, you must create the query from the
Menu | Reporting | Queries & Reports page.
7 Specify schedule details, then click Next open the Summary page.
Contents
Configure a syslog server
Solidcore permission sets
Customize end-user notifications
Task
1 Add the syslog server as a registered server.
a On the McAfee ePO console, select Menu | Configuration | Registered Servers, then click New Server to open
the Registered Server Builder wizard.
c Specify the server name, add any notes, then click Next.
f Select the type of logs the server is configured to receive by selecting a value from the Syslog Facility list.
h Click Save.
You can choose to send specific responses to the syslog server (complete step 2) or use the seeded
response to send all Solidcore events to the syslog server (complete step 3).
d Select the ePO Notification Events group and Threat event type.
f Define the relevant filters, then click Next to open the Aggregation page.
g Specify aggregation details, then click Next to open the Actions page.
j Select the appropriate syslog servers (one or more), then click Next.
b Edit the Send Solidcore events to Syslog Server response to configure these options.
• Set the status to Enabled.
Permission sets only grant rights and access — no permission set removes rights or access. When multiple
permission sets are applied to a user account, they aggregate.
For example, if one permission set does not provide any permissions to server tasks, but another permission
set grants all permissions to server tasks, that user account has all permissions for server tasks. Consider this
as you plan your strategy for granting permissions to the users in your environment.
For global administrators, all permissions to all products and features are automatically assigned.
When a new product extension is installed, it adds the product-specific permission sets to McAfee ePO. The
Solidcore extension for Change Control and Application Control adds the Solidcore Admin and Solidcore Reviewer
permission sets on the Menu | User Management | Permission Sets page.
Because users don't have access to the My Organization group, they need extra permissions to access the
following components.
Dashboards Predominant Observations monitor in the Solidcore: Application Control dashboard.
Applications Based on Final Reputation and Top 5 Malicious Files in Running State monitors in the Solidcore:
Inventory dashboard.
Pages • By Applications page
• Predominant Observations (Deprecated) page
• Solidcore category on Server Settings page
Only McAfee ePO administrators are allowed to view and edit this category.
Global administrators can assign permissions while creating or editing user accounts or permission sets.
To use Solidcore-related McAfee ePO features, users created with Solidcore Admin or Solidcore Reviewer
permission set need extra permissions. Here are the permissions you must assign.
1 Assign at least one more permission set that grants access to needed products and groups of the System
Tree. To make sure that users have access to the My Organization group in the System Tree page and overcome
the limitations of the Solidcore permission sets, edit the Solidcore Admin or Solidcore Reviewer permission
set. Duplicate the Solidcore Admin permission set to use it as a starting point and edit it according to your
requirements. After you edit the permission sets, assign the edited permission set to the users.
2 Assign these permissions for specific Solidcore features by navigating to Menu | User Management | Permission
sets.
Task
1 On the McAfee ePO console, select Menu | Policy | Policy Catalog.
3 Select the Application Control Options (Linux) category and click the My Default policy to edit it.
4 Click the End User Notifications tab and select Show the messages dialog box when an event is detected and display the
specified text in the message to display a message box at the endpoint each time any of the earlier mentioned
events is generated.
Mail To Represents the email address to which all approval requests are sent.
Mail Subject Represents the subject of the email message sent for approval requests.
Link to Website Indicates the website listed in the Application Control and Change Control
Events window on the endpoints.
McAfee ePO IP Address and Port Specifies the McAfee ePO server address and port.
b Select Show Event in Dialog to make sure that all events of the selected event type (such as Execution
Denied) are listed in the Application and Change Control Events window on the endpoints.
8 From the endpoints, users can review the notifications for the events and request for approval for certain
actions.
a Right-click the McAfee Agent icon in the notification area on the endpoint.
d Request approval for a certain action by selecting the event and clicking Request Approval.
Here is a list of and Change Control features and their availability for the operating system and supported
configuration.