FAQs for Application and Change Control 6.x.x
Technical Articles ID:   KB79576
Last Modified:  4/23/2018
Environment

McAfee Application and Change Control (MACC) 6.x.x

Summary

This article is a consolidated list of common questions and answers for MACC 6.x.x. It is intended for users who are new to the product, but can be of use to all users.

Recent updates to this article
  • April 23, 2018: Consolidated all MACC 6.x.x FAQs. Added collapsible sections.

Contents

How can I verify the version of Application Control or Change Control through the registry?
The Application Control or Change Control version is contained in the following registry key entry:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{432DB9E4-6388-432F-9ADB-61E8782F4593}\DisplayVersion
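The check described above, written as a small PowerShell script. This is an added example and not part of the KB article or the product; the uninstall key and product GUID are taken from the article, while the function names and the minimum-version comparison are this example's own additions.

```powershell
# Added example (not from the KB article): read the Application Control /
# Change Control version from the uninstall key named in the article and
# compare it against a required minimum. Function names are assumptions.

# Product GUID exactly as given in the article.
$MaccUninstallKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{432DB9E4-6388-432F-9ADB-61E8782F4593}'

function Get-MaccVersion {
    # Returns the DisplayVersion string, or $null when the key or the value is
    # absent (product not installed, or registered under a different key).
    $item = Get-ItemProperty -Path $MaccUninstallKey -Name DisplayVersion -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.DisplayVersion
}

function Test-MaccMinimumVersion {
    param([Parameter(Mandatory)][string]$Minimum)
    # Compare as [version] objects: a plain string comparison would rank
    # '6.1.10' below '6.1.2', which is the wrong answer for a version gate.
    $found = Get-MaccVersion
    if (-not $found) {
        return [pscustomobject]@{ Installed = $false; Version = $null; MeetsMinimum = $false }
    }
    try {
        $ok = [version]$found -ge [version]$Minimum
    } catch {
        # DisplayVersion was not a parseable dotted version; report it, do not guess.
        $ok = $false
    }
    return [pscustomobject]@{ Installed = $true; Version = $found; MeetsMinimum = $ok }
}

# Example gate: only endpoints running 6.1.2 or later report observations to
# the Policy Discovery page (see the 6.1.2 extension answer in this article).
Test-MaccMinimumVersion -Minimum '6.1.2' | Format-List
```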

What's new in Application Control 6.2.0 Policy Discovery?
 
  • Site administrators can view and take action only on Policy Discovery requests coming from their own hosts; requests from hosts that the logged-on user does not have access to are not shown.
  • Observations are now generated for network path-based file operations. Administrators can discover trusted directory policies for these observations. The observations received from network shares are listed on the Policy Discovery page with the activity Network Path Execution.
  • New features have been added to Policy Discovery to facilitate better management of the Policy Discovery requests:
    • The Policy Discovery page now has additional filters on activity, trust level, and system name.
    • Administrators can now set custom policy rules other than rules suggested by the Policy Discovery, Actions, Create Custom Policy option. For this purpose, all policy tabs are now visible, a new action Clear and define rules has been added, and request details are now available on the Create Custom Policy page.
    • On the Policy Discovery details page, a binary checksum is shown in the Binary Properties section.
    • The columns User Name, Host Name, and Binary Path have been added to the Policy Discovery details page. Also, Quick find on Host Name has been added.
       
  • Administrators can create custom policy rules from threat events directly. For this purpose, a Create Custom Policy action is shown corresponding to events such as write denied, execution denied, package change prevented, and memory protection events. From this action, administrators can review the event details and create policy rules accordingly.
For more information, see the Application Control 6.2.0 Product Guide.

What's new in 6.1.2 Observation mode?
 
  • The Observation mode feature has been substantially improved for scalability from this release.
  • The Policy Discovery page has been introduced for creating policies for both Observations and Self Approval events. 
  • There are also some key changes in the Observation mode menu option:
    • The Self Approval and Observation mode UI have been merged to create a single Policy Discovery page.
    • Observation and Self Approval for the same application has one policy candidate entry. You can drill down on a specific row to check for Self Approval requests or Observation details.
       
What has changed?
 
  • The Observation mode feature has been substantially improved for scalability from this release. As a result, administrators see an immediate reduction in the number of observations, and an improvement in their quality, in Application Control releases from this release onward.
  • Changes affecting the workflows around this feature:
    • The Observation mode menu item is now Deprecated.
    • Rule discovery analysis is now done at endpoints to ensure that only the required events are delivered to ePolicy Orchestrator.
    • The Process Tree is not available in the Policy Discovery user interface (UI). The events generated to create the process tree (Process Created) were among the primary contributors to observations in previous versions of Application Control.
    • Identical events (for the same binary and activity) from multiple hosts are consolidated into a single row in Policy Discovery allowing for efficient processing of requests and reducing overhead. This consolidation impacts the Policy creation mechanism from the Events page that was available in previous releases.
    • The focus has changed to discovering policy candidates that are the change agents for whitelist content. Doing so ensures that the right processes are granted the Updater permission. So, instead of seeing observations for EXECUTION_DENIED events for new files, equivalent events are seen for file additions to the whitelist.
    • Observations are not generated for network path-based file operations.
    • Temporary execution allow rules are created on first invocation of new content at endpoints, preventing generation of new observations on repeat executions.
    • A caching mechanism has been implemented for Enable mode so that repeated observation requests are not generated for the same binary.
    • Renamed the Global Self-Approval Rules rule group to Global Rules.
    • Deprecated multiple rule groups related to the old Observations implementation and added the suffix Deprecated to the rule group names. For example, Global Observation Rules (Deprecated).

Does Application Control or Change Control 6.x support a Windows 2008 R2 cluster environment?
Yes. Application Control and Change Control 6.x support Windows 2008 R2 in a clustered environment.

Does Application Control support SafeNet ProtectFile: File Encryption and Protection?
No. There is a known incompatibility between McAfee Application Control and SafeNet ProtectFile: File Encryption and Protection software.

Why am I unable to install the Solidcore Agent on Windows XP?
The most common reason for this issue is the default local policy permissions. Perform the following steps to configure the needed permissions:
  1. Log on to the Windows XP computer.
  2. Click Start, Run, type gpedit.msc, and click OK.
  3. Expand Computer Configuration, Windows Settings, Security Settings, Local Policies, Security Options.
  4. Double-click Network Access: Sharing and security model for local accounts.
  5. In the Local Security Setting tab, select Classic - local users authenticate as themselves, then try to open \\host-name\admin$.

    NOTE: You are prompted to provide credentials. After providing the credentials, Admin$ opens. 
     
  6. Attempt to install the Solidcore Agent.
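Two checks that verify the result of the steps above, as an added example that is not part of the KB article. The ForceGuest registry value is the backing store for the "Network access: Sharing and security model for local accounts" policy (0 = Classic, 1 = Guest only); the function names and the host name are this example's own assumptions.

```powershell
# Added example (not from the KB article): confirm the sharing and security
# model the XP steps set, then confirm that Admin$ can be opened, which is
# what the Solidcore Agent push needs. Function names are assumptions.

function Get-SharingSecurityModel {
    # Run on the Windows XP client itself. ForceGuest is the registry value
    # behind "Network access: Sharing and security model for local accounts".
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name forceguest -ErrorAction SilentlyContinue
    if ($null -eq $lsa) { return 'Unknown (forceguest value not present)' }
    switch ([int]$lsa.forceguest) {
        0       { 'Classic - local users authenticate as themselves' }
        1       { 'Guest only - local users authenticate as Guest' }
        default { "Unexpected forceguest value $($lsa.forceguest)" }
    }
}

function Test-AdminShare {
    param([Parameter(Mandatory)][string]$HostName)
    # Run from the machine that deploys the agent (for example the ePO server),
    # using the same credentials the deployment will use. Returns $true when
    # \\host-name\admin$ opens; $false means step 5 above has not taken effect
    # or the credentials lack local administrator rights on the client.
    return Test-Path -Path "\\$HostName\admin$"
}

Get-SharingSecurityModel
Test-AdminShare -HostName 'xp-client01'   # 'xp-client01' is a constructed name
```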

Can the same installer be used for Change Control, Integrity Monitor, and Application Control?
The license key determines which features are enabled. All features can be used at the same time.

How do I know whether the Solidcore Agent is installed and enabled on a client?
To confirm that the Solidcore Agent has been successfully deployed:
  • View the Agent Log file from the ePolicy Orchestrator (ePO) console.
    1. Log on to the ePO 4.x console.
    2. Click Menu, Systems, System Tree and click a client from the displayed list.
    3. Click Actions, Agent, Show Agent Log.
       
  • Once the agent deployment is complete, click Wake Up Agents and use the following procedure to view the Solidcore Agent system properties:
    1. Log on to the ePO 4.x console.
    2. Click Menu, Systems, System Tree and then select a client.
    3. Click your host. You then see the System Details page.
    4. Scroll down to Solidcore to see the product version and installation path.
    5. Click More to view the status of the Agent (enabled/disabled) and the licenses of various features installed on the computer.
       
Can Application Control or Change Control be deployed on a virtual machine?
Yes. The Solidcore Agent runs successfully on a virtual machine that has an operating system supported by the Solidcore Agent.

What happens during upgrades from releases earlier than MAC 6.1.2?
  • The Observation mode menu item is still available, but highlighted as Deprecated.
  • Self Approval requests raised in earlier versions are populated in the Policy Discovery UI.

What happens during fresh installations of the MAC 6.1.2 extension?
  • Only the Policy Discovery page is displayed.
  • All Self Approval requests and Observations raised in Observation or Enable mode are displayed on this page.
  • Only endpoints with 6.1.2 (and later) are able to report observations in this UI.
  • All endpoints with 6.1.0 (and later) builds are able to report Self Approval requests in this UI.
     
What is FailSafeConf (under the 'sadmin config show' key), and how do I configure it?
FailSafeConf is used to determine how Application Control behaves if the event inventory becomes corrupted.

The FailSafeConf value can be set to 0 or 1:
  • Value = 0 (default): The system restarts with Application Control in disabled mode.
  • Value = 1: The system goes into a continuous restart loop.

Which events can disable Application Control or Change Control 6.x?
The following events change the state to Disabled:
  • INVENTORY_CORRUPT (Application Control)
  • TRIAL_EXPIRED (Application Control and Change Control)

Can I force the output of Application Control or Change Control 6.x to be displayed in English without changing the operating system locale?
No. You cannot configure the language for Application Control or Change Control 6.x. It is based on the language set in the operating system. The output is generated in English if Solidcore detects an unsupported locale.

In future releases, what happens to the rules added to the deprecated rule groups?
When these rule groups are removed, all relevant policy rules included in the deprecated rule groups are preserved and migrated to other rule groups.

Why is the "Show Suggestions" link missing from the Events page for new observations?
Before the 6.1.2 release:
  • Observations and events had a one-to-one mapping.
  • The Events page included the Show Suggestions link for observations generated in Enable mode that allowed the user to discover policy rules.
As of the 6.1.2 release and later:
  • The Policy Discovery page serves as a centralized console for discovering policy rules, regardless of the mode in which the endpoint is running.
  • The Policy Discovery page consolidates identical events (for the same binary and activity) from multiple hosts into a single record allowing for efficient processing of requests and reducing overhead.
Thus, the unified policy discovery mechanism cuts down the need for the Show Suggestions link, and it has been removed as a part of the redesign for this feature.

What events are generated with 6.1.2 in Observe mode and Enable mode?

The table below lists the events generated in Observe mode and Enable mode, and the operations performed for each.

Deny Exec (non-network path)
  • Enable: Generate observation for "Auth by checksum"
  • Observe: Solidify the binary/script; allow operation; no observation

Deny Write
  • Enable: Generate observation for "Updater by name"
  • Observe: Generate observation; allow operation

Deny Exec (network path)
  • Enable: No observation
  • Observe: No observation

Package Control Denial
  • Enable: Generate observation for "Updater by checksum"
  • Observe: Generate observation; allow operation

Active X Denial
  • Enable: Generate observation for certificate
  • Observe: Generate observation; allow operation

Memory Protection NX/Process hijack
  • Enable: Generate observation for attr bypass
  • Observe: Generate observation; allow operation

Executable extracting MSI files
  • Enable: Generate observation for "Updater by checksum"
  • Observe: Generate observation; allow operation

Executable extracting binary files (exe, dll, driver) and script files
  • Enable: Generate observation for "Updater by Name"
  • Observe: Generate observation; allow operation


What events are generated with 6.2.0 (Linux) in Observe mode and Enable mode?

The table below lists the events generated in Observe mode and Enable mode on Linux.

NOTE: Linux does not generally support package control, Active X, memory protection (MP), MSI detection, or any form of installer (by itself). Also, no observations are created in Enable mode on Linux.

Deny Exec
  • Enable: Out of scope for the first iteration: generate rule for "Attribute authorize by name"
  • Observe:
    • Allow operation
    • Generate rule for "Attribute authorize by name"
    • Out of scope for the first iteration: generate observation for "Updater by name"

Deny Write
  • Enable: Out of scope for the first iteration: generate observation for "Updater by name"
  • Observe:
    • Allow operation
    • Generate observation for "Updater by name"
    • Out of scope for the first iteration: "Mark current process an updater as a temporary rule"

