I have searched extensively and cannot find a straight answer - how does McAfee Application Control / Solidcore create the initial whitelist for any given Windows device? Forget updaters, etc. Just how is the whitelist created for the Windows operating system. Thank you in advance.
To create whitelist:
1. From ePO console, select option 'Perform Initial Scan to create whitelist' while running SC Enable task
2. Locally at endpoint, open McAfee Solidifier command line and run command "sadmin so"
Note: For 1, make sure that Local CLI is locked down, whereas for 2, local CLI must be recovered.
If a file is created or modified in update mode it gets solidified, but if that file tries to exploit the system it will be blocked, as the Memory Protection feature remains enabled in UPDATE mode. Also, if a suspected file tries to make any modifications in Enable mode, that will also be blocked, as changes to solidified files are allowed only if the process is authorized to do so.
It is always recommended to create an individual inventory per system rather than creating one and using it on similar systems.
If you want to track differences you can use IMAGE DEVIATION task to compare inventory of GOLD system with other systems.
That is part of the caveat of application control. It is assumed that the system you are installing Solidcore on is a "good" build. There isn't a way to build a "gold standard" because there are so many variables from system to system, even of the same computer model, related to the binaries that are on that system. Since App Control is down to the hash level, if you build a gold standard and whitelist only that, it would be almost impossible to keep up with the variety of small version differences (thus hash differences) in file versions. When this happens at a system or OS file level, it can cause pretty big crashes.
If you need to have a "gold standard" type of setup, build the standard, make an image from it, then when you apply the image to systems, install app control. With your updaters in place, all things should be good from there. To your specific question, the whitelist is created when Solidcore is enabled the first time on a system; that whitelist is built on the endpoint, and with the latest version of SC, everything is enabled immediately except memory protection. When you reboot the system, then memory protection gets enabled. Hope this helps
There's a problem with the premise of your question. You cannot just ignore updaters. That's the giant difference in our Application Control and lots of others (including previous MFE products that did this). The idea that we will create a base whitelist and then attempt to distribute that list to other machines does not work. That's the whole reason we effectively abandoned the UI within Host IPS 8. That style of whitelisting is unmanageable with more than 2 machines. It simply isn't possible to keep two machines perfectly synchronized over long periods of time. Whitelists are individually built PER MACHINE. If you have machines that are already built and you want to compare them, then use the Image Comparison. You simply designate one of the systems as the base system and then you can easily compare all the others to it.
MAC in general overcomes this management limitation with the inclusion of trusted updaters as the management model. And in MAC 6, we include GTI so that you can test the validity of those files on the whitelist.
Message was edited by: petersimmons on 9/19/12 1:28:37 AM EDT
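The two replies above make the same point from different angles: the whitelist is a per-machine inventory of file hashes, so a "gold" image drifts from its peers with every small binary revision, and the supported way to see that drift is the Image Deviation / Image Comparison task (designate a base system, compare the rest). The following script is an added illustration of what such a hash-level comparison does; it is not McAfee code and makes no use of the Solidcore inventory format. It builds a SHA-256 inventory of two constructed directory trees (standing in for a base system and a peer) and reports files that were added, removed, or changed hash, which is exactly the class of difference a distributed whitelist would miss.

```python
import hashlib
import tempfile
from pathlib import Path


def build_inventory(root):
    """Hash every regular file under root; keys are POSIX-style relative paths."""
    root = Path(root)
    inventory = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            inventory[path.relative_to(root).as_posix()] = digest
    return inventory


def compare_inventories(base, other):
    """Image-deviation style diff of two inventories (path -> hash).

    'changed' lists paths present on both sides whose hashes differ, i.e. the
    small version differences that a hash-level whitelist treats as new files.
    """
    base_paths, other_paths = set(base), set(other)
    return {
        "added": sorted(other_paths - base_paths),
        "removed": sorted(base_paths - other_paths),
        "changed": sorted(p for p in base_paths & other_paths if base[p] != other[p]),
    }


def demo():
    """Construct a 'gold' tree and a peer that drifted by one patch, then diff them.

    File contents are constructed sample bytes standing in for binaries; the
    directory names and files are assumptions for this example only.
    """
    with tempfile.TemporaryDirectory() as tmp:
        gold = Path(tmp) / "gold"
        peer = Path(tmp) / "peer"
        for d in (gold / "bin", peer / "bin"):
            d.mkdir(parents=True)
        (gold / "bin" / "app.exe").write_bytes(b"app build 1.0.1")
        (gold / "bin" / "helper.dll").write_bytes(b"helper 2.3")
        (gold / "bin" / "old.dll").write_bytes(b"legacy component")
        (peer / "bin" / "app.exe").write_bytes(b"app build 1.0.2")   # patched: hash differs
        (peer / "bin" / "helper.dll").write_bytes(b"helper 2.3")     # identical on both
        (peer / "bin" / "extra.dll").write_bytes(b"new component")   # only on the peer
        return compare_inventories(build_inventory(gold), build_inventory(peer))


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

Run against two real directories instead of the constructed trees, the same three lists show why a single whitelist cannot be pushed to a fleet: even one patched executable lands in "changed" and would be blocked on the machine that only trusts the base hash, unless a trusted updater solidified it locally.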
In reference to the whitelists, we will have an individual list for each server that we administer. That is what I am taking away from this discussion. The only way around this is to basically standardize our servers. Is that good analysis?
Maintaining high assurance standardized server images with the whitelist baked in will ensure that the servers are production ready at any given point of time.
Pulling out the whitelist leaves a window for mismatch (checksum, names) for critical files that the central whitelist may not have been updated with.