Technical Articles ID:
KB73484
Last Modified: 2/5/2021
Environment
McAfee Application and Change Control (MACC) 6.x.x
Summary
This article is a consolidated list of common questions and answers for MACC 6.x.x. It is intended for users who are new to the product, but can be of use to all users.
Recent updates to this article
Date
Update
February 5, 2021
Minor format changes.
December 19, 2019
Refreshed content. Performed routine maintenance on the sections.
April 23, 2018
Consolidated all MACC 6.x.x FAQs. Added collapsible sections.
Contents
Click to expand the section you want to view:
How can I verify the version of Application Control or Change Control through the registry?
The Application Control or Change Control version is contained in the following registry key entry:
What's new in Application Control 6.2.0 Policy Discovery?
Site administrators can view and take an action only for the Policy Discovery requests coming from their hosts. They can't take an action from hosts that the logged-on user does not have access to.
Observations are now generated for network path-based file operations. Administrators can discover trusted directory policies for these observations. The observations received from network shares are listed on the Policy Discovery page with the activity Network Path Execution.
New features for Policy Discovery to facilitate better management of the Policy Discovery requests:
The Policy Discovery page now has more filters on activity, trust level, and system name.
Administrators can now set custom policy rules other than rules suggested by the Policy Discovery, Actions, Create Custom Policy option. For this purpose, all policy tabs are now visible. A new action Clear and define rules has been added. These action request details are now available on the Create Custom Policy page.
On the Policy Discovery details page, a binary checksum is shown in the Binary Properties section.
The columns User Name, Host Name, and Binary Path have been added to the Policy Discovery details page. Also, Quick find on Host Name has been added.
Administrators can create custom policy rules from threat events directly. For this purpose, a Create Custom Policy action is shown corresponding to events. These events include write denied, execution denied, package change prevented, and memory protection events. From this action, administrators can review the event details and create policy rules accordingly.
For more information, see the Application Control 6.2.0 Product Guide.
What's new in 6.1.2 Observation mode?
Observation mode feature improvements for scalability from this release.
Policy Discovery page for creating policies for both Observations and Self-Approval events.
Key changes in the Observation mode menu option:
The Self-Approval and Observation mode UI have been merged to create a single Policy Discovery page.
Observation and Self-Approval for the same application has one policy candidate entry. You can drill down on a specific row to check for Self-Approval requests or Observation details.
What has changed in 6.1.2 Observation mode?
The Observation mode feature has been substantially improved for scalability in this release. Administrators will notice a reduction of observations and improved quality.
Changes affecting the workflows around this feature:
The Observation mode menu item is now Deprecated.
Rule discovery analysis is now done at endpoints to make sure that only the needed events are delivered to ePolicy Orchestrator.
The Process Tree is not available in the Policy Discovery user interface (UI). Process tree (Process Created) creation events were among the primary contributors to observations in previous versions of Application Control.
Identical events (for the same binary and activity) from multiple hosts are consolidated into a single row in Policy Discovery. Consolidating the events allows for efficient processing of requests and reducing overhead. This consolidation impacts the Policy creation mechanism from the Events page that was available in previous releases.
The focus is now changed to discover Policy candidates that are the change agentfor allow list content. Doing so makes sure that the right processes are granted the Updater permission. Instead of seeing observations forEXECUTION_DENIEDevents for new files, equivalent events are seen for file additions to the allow list.
Observations are not generated for network path-based file operations.
Temporaryexecution allow rules are created on first invocation of new content. These rules prevent generation of new observations on repeat executions.
A caching mechanism has been implemented for Enable mode so that repeated observation requests are not generated for the same binary.
Renamed the Global Self-Approval Rules rule group to Global Rules.
Deprecated multiple rule groups related to the old Observations implementation and added the suffix Deprecated to the rule group names. For example, Global Observation Rules (Deprecated).
Does Application Control or Change Control 6.x support a Windows 2008 R2 cluster environment?
Yes. Application Control and Change Control 6.x support Windows 2008 R2 in a clustered environment.
Does Application Control support SafeNet ProtectFile: File Encryption and Protection?
No. There is a known incompatibility between Application Control and SafeNet ProtectFile: File Encryption and Protection software.
Why can't I install the Solidcore Agent on Windows XP?
The most common reason for this issue is the default local policy permissions. Perform the following steps and configure the needed permissions:
Log on to the Windows XP computer.
Click Start, Run, type gpedit.msc, and click OK.
Expand Computer Configuration, Windows Settings, Security Settings, Local Policies, Security Options.
Double-click Network Access: Sharing and security model for local accounts.
In the Local Security Setting tab, selectClassic - local machine try \host-name\admin$.
NOTE: You are prompted to provide credentials. After providing the credentials, Admin$ opens.
Attempt to install the Solidcore Agent.
Can the same installer be used for Change Control, Integrity Monitor, and Application Control?
The license key determines which features are enabled. All features can be used at the same time.
How do I know whether the Solidcore Agent is installed and enabled on a client?
To confirm that the Solidcore Agent has been successfully deployed:
View the Agent Log file from the ePolicy Orchestrator (ePO) console.
Log on to the ePO console.
Click Menu, Systems, System Tree and click a client from the displayed list.
Click Actions, Agent, Show Agent Log.
Once the agent deployment is complete, click Wake Up Agents and use the following procedure to view the Solidcore Agent system properties:
Log on to the ePO console.
Click Menu, Systems, System Tree and then select a client.
Click your host. You see the System Details page.
Scroll down to Solidcore to see the product version and installation path.
Click More to view the status of the Agent, whether enabled or disabled. You can also view the licenses of several features installed on the computer.
Can Application Control or Change Control be deployed on a virtual machine?
Yes. The Solidcore Agent runs successfully on a virtual machine that has an operating system supported by the Solidcore Agent.
What happens during upgrades from releases earlier than MAC 6.1.2?
The Observation mode menu item is still available, but highlighted as Deprecated.
Self-Approval requests raised in earlier versions are populated in the Policy DiscoveryUI.
What happens during fresh installations of the MAC 6.1.2 extension?
Only the Policy Discovery page is displayed.
All Self-Approval requests and Observations raised in Observation or Enable mode are displayed on this page.
Only endpoints with 6.1.2 and later can report observations in this UI.
All endpoints with 6.1.0 and later builds can report Self-Approval requests in this UI.
What is FailSafeConf (under the 'sadmin config show' key), and how do I configure it?
FailSafeConf is used to determine how Application Control behaves if the event inventory becomes corrupted.
FailSafeConf value can be set to 0 or 1: Value =0 (default): The system restarts with Application Control in disabled mode.
Value =1: The system goes into a continuous restart loop.
Which events can disable Application Control or Change Control 6.x?
The following events change the state to Disabled:
INVENTORY_CORRUPT (Application Control)
TRIAL_EXPIRED (Application Control and Change Control)
Can I force the output of Application Control or Change Control 6.x to be displayed in English without changing the operating system locale?
No. You can't configure the language for Application Control or Change Control 6.x. It is based on the language set in the operating system. The output is generated in English if Solidcore detects an unsupported locale.
In future releases, what happens to the rules added to the deprecated rule groups?
When these rule groups are removed, all relevant policy rules in the deprecated rule groups are preserved and migrated to other rule groups.
Why is the "Show Suggestions" link missing from the Events page for new observations?
Before the 6.1.2 release:
Observations and events had a one-to-one mapping.
The Events page included the Show Suggestions link for observations generated in Enable mode that allowed the user to discover policy rules.
As of the 6.1.2 release and later:
The Policy Discovery page serves as a centralized console for discovering policy rules, regardless of the mode in which the endpoint is running.
The Policy Discovery page consolidates identical events (for the same binary and activity) from multiple hosts. These events are consolidated into a single record. This consolidation allows for efficient processing of requests and reduces overhead.
Thus, the unified policy discovery mechanism cuts down the need for the Show Suggestions link. It has been removed as a part of the redesign for this feature.
What events are generated with 6.1.2 in Observe mode and Enable mode?
See the table below for events generated in workflow in Observe mode and Enable mode.
Type of Event
Mode
Operations
Deny Exec (Non-Network path)
Enable
Generate observation for "Auth by checksum"
Observe
Solidify the binary /script
Allow operation
No observation
Deny Write
Enable
Generate observation "Updater by name"
Observe
Generate observation
Allow operation
Deny Exec (network path)
Enable
No observation
Observe
No observation
Package Control Denial
Enable
Generate observation for "Updater by checksum"
Observe
Generate observation
Allow operation
ActiveX Denial
Enable
Generate observation for certificate
Observe
Generate observation
Allow operation
Memory Protection NX/Process hijack
Enable
Generate observation for attr bypass
Observe
Generate observation
Allow operation
Executable extracting MSI files
Enable
Generate observation for "Updater by checksum"
Observe
Generate observation
Allow operation
Executable extracting binary files (exe, dll, driver) and script files
Enable
Generate observation for "Updater by Name"
Observe
Generate observation
Allow operation
What events are generated with 6.2.0 (Linux) in Observe mode and Enable mode?
See the table below for events generated in workflow in Observe mode
NOTE: Linux does not generally support package control, ActiveX, MP, MSI detection, and any form of installer by itself. Also, there are no observations created in Enabled mode on Linux.
Type of Event
Mode
Operations
Deny Exec
Enable
Out of scope for the first iteration: Generate Rule for "Attribute authorize by name"
Observe
Allow operation
Generate rule for "Attribute authorize by name"
Out of scope for first iteration: Generate observation "Updater by name"
Deny Write
Enable
Out of scope for first iteration: Generate observation "Updater by name"
Observe
Allow operation
Generate observation for "Updater by name"
Out of scope for the first iteration: "Mark current process an updater as a temporary rule"
