I have some questions related to Application Whitelisting (Application Controller).
1. Will the ApplicationController block only the exe, or also the assemblies (dll)?
2. Can I replace the VirusScanner with Application Controller, since the Application Controller completely blocks other applications?
3. Will ApplicationController take care of the operating-system-related exe and dlls? (I am mainly looking at Windows OS.)
This question belongs in the Business section, so it's been moved into Application and Change Control for attention. It looks like a question about SolidCore, which is not something the Consumer mods or other posters will know much about.
1. Application Control will take an inventory of all the existing program and script files (exe, dll, vbs, bat, etc.). It will then allow these files that are part of its "Whitelist" to run and make calls. However, even if a program is on the Whitelist, it will still not be given access to alter any of these same types of files. So it will block any program or script that is not part of its whitelist. Policy can be set in ePO to provide additional control; this is where you would provide for updaters (files that are allowed to make modifications to other programs and scripts), or identify programs and scripts that are allowed to run even if they were not present on the system at the time of the whitelist creation, aka Solidification.
2. This is not a simple yes or no answer. In a perfect world you would have both systems in place: security in depth. You could, however, alleviate the need for On-Access Scanning with Application Control, but Application Control does not remove or quarantine any problematic files. So operating without VirusScan would be unadvisable. If you needed to put the system into update mode, which only logs changes to the system but does not prevent anything, this would open up your system to any existing viruses, trojans, or other malware which Application Control would have blocked but not removed. At the very least you would want to have On-Demand scans available to run from time to time, and before any type of changes are made to Application Control. But yet again, the two products do not provide the same function, so you would not be able to replace one with the other.
3. Application Control does not care what the purpose of the exe, dll, bat, vbs, etc. is. The system operates the same for all, so if you try to update program or script files without a rule/policy in place, it will prevent/block that function. We do have pre-built rule sets for a number of programs and types of functionality to make creating policies easier.
I hope this answers your questions.
Thanks for your reply.
We have our medical devices, which also have a PC with them. In this case we will always be doing a clean and fresh installation. After doing this, if I just configure the ApplicationController and that allows only the required applications, we won't have the possibility of a virus entering the machine.
In this scenario, is it OK to have only the ApplicationController? I don't see a way by which a virus can enter in this case.
When the systems are placed in Update Mode, which you may or may not use in your environment, any application can run including malware if you have no AV protection.
You do not need to use UpdateMode if you have whitelisted all the possible updater applications or if you never update. I have found this almost impossible as sometimes the updater applications run sub-applications. For me it is safer to place the computer in update mode for a couple hours rather than have a half installed application/update. We place our SolidCore systems in update mode when we are running patches for OS or application upgrades.
Also you may use authorized updater logins. For instance JaneDoe might be an allowed updater on all systems. What if JaneDoe has a virus on her workstation? As IT personnel we are highly susceptible to malware because we are always looking online for "fixes" for things... At least in my organization.
I agree that a system that is properly solidcored is obviously less likely to be infected with malware, but I would not bet my career on it! Application Control is still a fairly new mainstream adopted protection method. Just because it provides a high level of protection today doesn't mean that tomorrow someone won't find a way around it.
Also in the Medical field aren't there compliance laws that you need to have a managed AV running on all systems?
On a side note, for better performance I have scsrvc.exe as a low risk process in McAfee VSE.
We do follow some security measures. Now we thought of introducing the ApplicationController to have a more controlled environment; in that case we don't want to worry about viruses.
Still need to try the ApplicationController and see how it helps.
Will McAfee ApplicationController take care of the OS (Windows) related applications by default, or do we have to configure that?
on 8/4/12 9:33:38 AM CDT
McAfee Application Control will take care of OS files/apps (including exe, dlls, scripts), i.e. it will allow them to run and protect them from tampering. The default set of policies ensures that Windows Update is able to install patches from Microsoft.
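
The thread notes that update mode only logs changes and does not block them, so anything written during that window is not stopped. As an added example (not part of the original posts and not how Application Control itself works), the Python sketch below takes a hash inventory of program and script files before an update window and diffs it afterwards, so that unexpected additions can be reviewed and scanned before enforcement is re-enabled. The directory layout, file names and function names are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

# File types the thread lists as program/script files (exe, dll, vbs, bat).
TRACKED = {".exe", ".dll", ".vbs", ".bat"}

def inventory(root):
    """Map relative path -> SHA-256 for every tracked file under root."""
    root = Path(root)
    result = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in TRACKED:
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            result[path.relative_to(root).as_posix()] = digest
    return result

def diff(before, after):
    """Return tracked files added, changed or removed between two inventories."""
    common = before.keys() & after.keys()
    return {
        "added": sorted(set(after) - set(before)),
        "changed": sorted(p for p in common if before[p] != after[p]),
        "removed": sorted(set(before) - set(after)),
    }

def demo():
    """Constructed sample tree standing in for a device's program directory."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "app").mkdir()
        (root / "app" / "viewer.exe").write_bytes(b"viewer v1")
        (root / "app" / "codec.dll").write_bytes(b"codec v1")
        (root / "notes.txt").write_text("not a tracked type")
        before = inventory(root)  # snapshot taken before the update window
        # Changes during the window: one expected patch, one unexpected script.
        (root / "app" / "codec.dll").write_bytes(b"codec v2")
        (root / "app" / "helper.bat").write_text("echo constructed sample")
        (root / "notes.txt").write_text("still ignored")
        return diff(before, inventory(root))

if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Entries under "added" that the planned patch or upgrade does not account for are the ones to hand to an on-demand scan before leaving update mode.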