avilt
Level 7

Application Control A Few Questions

1. Can we do away with the antivirus software on systems with application control installed? Please elaborate.

2. Where does the application control keep the data about the solidified system? Local or on the ePO server? How is this data protected?

3. Is it possible for a hacker to replace an existing file on the system with a malicious file (maybe using the same name, hash)? What are the protection techniques used by application control?

0 Kudos
7 Replies
Troja
Level 14

Re: Application Control A Few Questions

Hi,

here is some info

ad1) Yes, this is no problem. Just take care to exclude the solidcore processes from scanning. Also take care if there is any 3rd party software installed (also McAfee VSE or HIPS) which delivers any other memory protection feature. If you have VSE installed, take a look at the solidcore best practice guide. This guide contains many really useful hints and tricks.

ad2) The solidified data is always stored locally. There is a file in the folder "solidcore" where the whitelist is stored. This list cannot be copied to another system. Actually I don't know how this file is protected.

ad3) No, application control protects against modification of executable code. If someone tries to change, rename, modify or delete executable code, this is blocked by the solidcore agent. Only updaters or installers are allowed to do this. Additionally, the solidcore agent must be configured using observed mode or update mode to modify executable code. Actually I don't know if there are different hashes used. But I think a hash for the file and also a hash for the signer is used. Therefore it is really hard to replace a file.

Additionally, any file, if configured, is reported to ePO and compared with the GTI cloud.

cheers,

Thorsten

avilt
Level 7

Re: Application Control A Few Questions

You did not understand my first question. If I have solidcore installed, can I run a system without antivirus, since application control is already protecting my system from malware?

Also, detailed explanations for the other queries are welcome.

0 Kudos
Troja
Level 14

Re: Application Control A Few Questions

Ups :-)

Sorry for that.

We discussed this several times. Solidcore protects executable code. But when taking a look at advanced threats, multi-vector, multi-stage and so on, solidcore cannot protect every time. Much malware does not use executable code. Instead, binary or obfuscated data is used to get malware up and running.

From my side, solidcore will not completely replace a virus scan solution.

If such files are located on your system, solidcore is not able to remove these files.

Example: a crafted JPG file with binary encoded data included.

Cheers,

Thorsten

0 Kudos
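To make the JPG example above concrete from the detection side, here is an added Python check (not McAfee code and not part of this thread) that walks a JPEG's marker segments, finds where the image really ends at the EOI marker, and reports any bytes appended after it, including a couple of well-known executable headers. The sample image is constructed inline; the suffix-based checks and the list of headers are illustrative assumptions. The point is that such a file is not executable code, so a whitelisting agent has nothing to block, while a content scanner can still flag it.

```python
import struct

SOI = b"\xff\xd8"
EOI = b"\xff\xd9"
# TEM, SOI and RST0-7 carry no length field (assumption: we only need these for the walk).
STANDALONE_MARKERS = {0x01, 0xD8} | set(range(0xD0, 0xD8))


def jpeg_end_offset(data):
    """Walk the marker segments and return the offset just past EOI, or None if malformed."""
    if not data.startswith(SOI):
        return None
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            return None
        marker = data[pos + 1]
        if marker == 0xD9:                      # EOI: the image ends here
            return pos + 2
        if marker in STANDALONE_MARKERS:
            pos += 2
            continue
        if pos + 4 > len(data):
            return None
        (seg_len,) = struct.unpack(">H", data[pos + 2:pos + 4])
        pos += 2 + seg_len                      # the length field counts itself
        if marker == 0xDA:                      # SOS: skip entropy-coded data
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt not in (0x00, 0xFF) and nxt not in range(0xD0, 0xD8):
                    break                       # a real marker, not a stuffed 0xFF00 or RSTn
                pos += 1
    return None


def inspect_image(data):
    """Report bytes found after the end-of-image marker and a few known executable headers."""
    end = jpeg_end_offset(data)
    if end is None:
        return {"valid_jpeg": False, "trailing_bytes": 0, "suspicious": True,
                "reasons": ["not a well-formed JPEG"]}
    trailing = data[end:]
    reasons = []
    if trailing:
        reasons.append("data after EOI")
    if trailing[:2] == b"MZ":
        reasons.append("PE header in trailing data")
    if trailing[:4] == b"\x7fELF":
        reasons.append("ELF header in trailing data")
    return {"valid_jpeg": True, "trailing_bytes": len(trailing),
            "suspicious": bool(reasons), "reasons": reasons}


def build_minimal_jpeg():
    """Constructed, minimal JPEG skeleton: APP0 + SOS + a little fake entropy data + EOI."""
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
    entropy = b"\x12\x34\xff\x00\x56"   # contains a stuffed 0xFF00 that must not be read as a marker
    return SOI + app0 + sos + entropy + EOI


if __name__ == "__main__":
    clean = build_minimal_jpeg()
    print(inspect_image(clean))
    print(inspect_image(clean + b"MZ\x90\x00constructed payload"))
```

Appended data by itself is not proof of malice (some cameras and tools append metadata), so in practice this kind of check feeds a scanner or a triage queue rather than a hard block; the walk over segments is what stops an `FF D9` inside a comment segment from being mistaken for the end of the image.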
avilt
Level 7

Re: Application Control A Few Questions

Thank you very much.

I cannot see similar discussions in this forum; I can view only the past two weeks' discussions in this forum.

0 Kudos
Troja
Level 14

Re: Application Control A Few Questions

Sorry, I was not fully clear.

We discussed this with several customers and McAfee SEs at several partner meetings, like the Techforum in New Orleans.

Best,

Thorsten

0 Kudos
avilt
Level 7

Re: Application Control A Few Questions

OK. So can I get such information on this forum? In this Application Control forum, I can see discussions of the past two weeks only. How can I see all the discussion threads?

0 Kudos
neelima
Level 12

Re: Application Control A Few Questions

avilt,

Troja has answered most of the questions. Thanks Troja... let me take a shot at what was left unanswered.

1. Can we do away with the antivirus software on systems with application control installed? Please elaborate.

>This can be recommended for very specific environments: low-end machines or static or closed environments. For the rest, it is absolutely recommended to have either ODS or OAS enabled (to be decided based on a combination of environment and the critical nature of the device).

2. Where does the application control keep the data about the solidified system? Local or on the ePO server? How is this data protected?

>This file is protected by the self-integrity feature.

3. Is it possible for a hacker to replace an existing file on the system with a malicious file (maybe using the same name, hash)? What are the protection techniques used by application control?

>Troja has already answered this.
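The two mechanisms discussed in this thread (a locally stored whitelist of hashed executables, as in Troja's ad2/ad3, and a "self-integrity" protection on that stored list, as in neelima's answer to question 2) can be illustrated with a small added Python model. This is not Solidcore's implementation and not code from anyone in the thread: the file suffixes, the HMAC-sealed JSON inventory and the demo key are all assumptions, and the sample file tree is constructed in a temporary directory. It shows why a file replaced under the same name is caught (the recorded SHA-256 no longer matches) and why simply editing the stored list to carry the new hash also fails (the seal over the list no longer verifies).

```python
import hashlib
import hmac
import json
import os
import tempfile

# File suffixes treated as "executable code" in this toy model (an assumption;
# a real whitelisting agent inspects far more than the file name).
EXECUTABLE_SUFFIXES = (".exe", ".dll", ".sys", ".ps1", ".bat")


def make_sample_tree(root):
    """Create a constructed set of files under root; contents are fake, not real binaries."""
    files = {
        "bin/service.exe": b"MZ\x90\x00 constructed fake executable v1",
        "bin/helper.dll": b"MZ\x90\x00 constructed fake library",
        "data/readme.txt": b"not executable, just text",
    }
    for rel, content in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(content)


def sha256_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_whitelist(root):
    """Solidify: record a SHA-256 for every executable-looking file under root."""
    inventory = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name.lower().endswith(EXECUTABLE_SUFFIXES):
                path = os.path.join(dirpath, name)
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                inventory[rel] = sha256_file(path)
    return inventory


def seal_whitelist(inventory, key):
    """Serialize the inventory with an HMAC so edits to the stored list are detectable."""
    body = json.dumps(inventory, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return json.dumps({"inventory": inventory, "hmac": tag}, sort_keys=True).encode()


def load_whitelist(blob, key):
    """Return the inventory only if its HMAC verifies; raise ValueError otherwise."""
    doc = json.loads(blob)
    body = json.dumps(doc["inventory"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, doc["hmac"]):
        raise ValueError("whitelist integrity check failed")
    return doc["inventory"]


def verify_system(root, inventory):
    """Compare the files on disk against the sealed inventory and report deviations."""
    current = build_whitelist(root)
    findings = {"modified": [], "missing": [], "unlisted": []}
    for rel, digest in inventory.items():
        if rel not in current:
            findings["missing"].append(rel)
        elif current[rel] != digest:
            findings["modified"].append(rel)
    findings["unlisted"] = sorted(rel for rel in current if rel not in inventory)
    return findings


def demo():
    """Replace a whitelisted binary, then try to re-bless it by editing the stored list."""
    root = tempfile.mkdtemp()
    make_sample_tree(root)
    key = b"constructed-demo-key"  # placeholder; a real agent must protect this secret
    sealed = seal_whitelist(build_whitelist(root), key)
    # Same path and name, different bytes: the recorded hash no longer matches.
    target = os.path.join(root, "bin", "service.exe")
    with open(target, "wb") as f:
        f.write(b"MZ\x90\x00 constructed fake executable TAMPERED")
    findings = verify_system(root, load_whitelist(sealed, key))
    # Editing the stored list to carry the new hash breaks the HMAC over the list.
    doc = json.loads(sealed)
    doc["inventory"]["bin/service.exe"] = sha256_file(target)
    tampered_list = json.dumps(doc, sort_keys=True).encode()
    try:
        load_whitelist(tampered_list, key)
        list_accepted = True
    except ValueError:
        list_accepted = False
    return findings, list_accepted
```

Running `demo()` returns the findings for the modified binary and `False` for the tampered list. Where the model is weaker than a real agent is the key: here it is a constant in the script, whereas a product has to keep that secret (or an equivalent signing capability) out of reach of the same attacker who can write to the whitelist file, which is what a kernel-level "self-integrity" feature is for.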