Hello, I am in the process of whitelisting my systems but am having trouble in understanding how the whitelist is created and enforced through policy. Through what I have read in the docs, I have deployed Solidcore with the license, run the SC Enable task with Application Control Enabled, and have pulled an inventory from a test system. I can specify malicious files from that inventory and block them easily enough but I am confused on how this translates into the solidcore policy.
From my understanding, you should deploy solidcore, create a whitelist, create a policy based off of the whitelist, and enforce from there. Is this correct? If so how do I translate the initial inventory results into a policy that I can deploy onto multiple systems. If I am incorrect, please clarify me. I have tried looking through the docs but there is extremely little information on managing Solidcore through EPO; it only specifies tasks through Sadmin which isn't an option in my environment.
Thank you for your post. The explanation on inventory/Whitelist collected is provided in the below link:
In very simple terms, When you install MACC client, and send the SC Enable task, essentially, you get the collection of inventory back to you, at the same time, the endpoint has a local copy of it which it uses to ensure NO OTHER APPLICATIONS apart from those mentioned in the list are able to run when you switch Application Control to "Enabled" mode. The Application Control policies would come in handy here when you wish to allow something that is not a part of the whitelist or would usually be blocked by Application control in enabled mode unless you explicitly exclude the file or action.
I sincerely hope this helps.
Thank you for the help; what you said cleared up most of my confusion. I just have a couple more questions. Is there a way to use a known good whitelist created for one endpoint and use it as a template for all related endpoints? Or do I have to create an individual whitelist for each endpoint using the SC Enable task?
Thank you for your kind response.
I am afraid we cannot use a common whitelist as such. Each endpoint, rather, each Drive within each endpoint develops a set of white list for all the PE and script files present within the driver and hence they cannot be used across multiple drives or endpoint.
Each endpoint must go through their individual solidification process and will gather their own inventory as needed. Here is a previous post from community that explains this in detail:
I sincerely hope this is helpful in clarifying your query.