7 Replies Latest reply on Oct 27, 2014 6:26 PM by neelima

    Application Control A Few Questions

    avilt

      1. Can we do away with the antivirus software on systems with application control installed? Please elaborate.

      2. Where does the application control keeps the data about solidified system? Local or on ePO server? How is this data protected?

      3. Is it possible for a hacker to replace an existing file on the system with the malicious file (may be using the same name, hash)? What are the protection techniques used by application control?

        • 1. Re: Application Control A Few Questions
          Troja

          Hi,

          here some infos

          ad1) Yes, this is no problem. Just take care to exclude the Solidcore processes from scanning. Also take care if there is any 3rd-party software installed (also McAfee VSE or HIPS) which delivers any other memory protection feature. If you have VSE installed, take a look at the Solidcore best practice guide. This guide contains many really useful hints and tricks.

           

          ad2) The solidified data is always stored locally. There is a file in the folder "solidcore" where the whitelist is stored. This list cannot be copied to another system. Actually I don't know how this file is protected.

           

          ad3) No, Application Control protects against modification of executable code. If someone tries to change, rename, modify or delete executable code, this is blocked by the Solidcore agent. Only updaters or installers are allowed to do this. Additionally, the Solidcore agent must be configured using observed mode or update mode to modify executable code. Actually I don't know if there are different hashes used. But I think a hash for the file and also a hash for the signer is used. Therefore it is really hard to replace a file.

           

          Additionally, any file, if configured, is reported to ePO and compared with the GTI cloud.

           

          cheers,

          Thorsten

          • 2. Re: Application Control A Few Questions
            avilt

            You did not understand my first question. If I have Solidcore installed, can I run a system without antivirus, since Application Control is already protecting my system from malware?

             

            Also, detailed explanations for the other queries are welcome.

            • 3. Re: Application Control A Few Questions
              Troja

              Oops :-)

              Sorry for that.

               

              We discussed this several times. Solidcore protects executable code. But when taking a look at advanced threats, multi-vector, multi-stage and so on, Solidcore cannot protect every time. Much malware does not use executable code. Instead, binary or obfuscated data is used to get the malware up and running.

              From my side, Solidcore will not completely replace a virus scan solution.

              If such files are located on your system, Solidcore is not able to remove these files.

               

              Example: a crafted JPG file with binary-encoded data included.

               

              Cheers,

              Thorsten
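The following toy model is an added illustration of the two points made in replies 1 and 3; it is not code from the original thread and not McAfee's implementation. It shows how a hash-based whitelist blocks an executable that has been replaced under the same name or dropped new onto the system, and why it says nothing about a data file such as a JPG carrying an appended payload. The file suffixes treated as "executable", the paths, the key and the HMAC "seal" standing in for the agent's self-integrity feature are all assumptions chosen for the example; the thread does not describe the real whitelist format or how it is protected.

```python
import hashlib
import hmac
import json
from typing import Dict, Optional

# Assumption for the toy model: only these suffixes count as executable code.
# A real whitelisting agent classifies files by content, not by name.
EXEC_SUFFIXES = (".exe", ".dll", ".sys")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def solidify(files: Dict[str, bytes]) -> Dict[str, str]:
    """Build the whitelist: one SHA-256 per executable path found on the 'disk'."""
    return {path: sha256_hex(content)
            for path, content in files.items()
            if path.lower().endswith(EXEC_SUFFIXES)}


def check_exec(whitelist: Dict[str, str], path: str, content: bytes) -> str:
    """Decide whether a file may run under the whitelist.

    Returns one of:
      'allowed'          - known path, hash unchanged
      'blocked:modified' - known path, but the bytes on disk changed
      'blocked:unknown'  - executable not present when the system was solidified
      'not-enforced'     - not executable code; the whitelist says nothing about it
    """
    if not path.lower().endswith(EXEC_SUFFIXES):
        return "not-enforced"
    expected = whitelist.get(path)
    if expected is None:
        return "blocked:unknown"
    if not hmac.compare_digest(sha256_hex(content), expected):
        return "blocked:modified"
    return "allowed"


def seal_whitelist(whitelist: Dict[str, str], key: bytes) -> bytes:
    """Serialize the whitelist with an HMAC tag so on-disk tampering is detectable.
    Hypothetical stand-in for the agent's undisclosed self-integrity mechanism."""
    body = json.dumps(whitelist, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"\n" + tag


def load_whitelist(blob: bytes, key: bytes) -> Optional[Dict[str, str]]:
    """Return the whitelist if the HMAC tag verifies, otherwise None."""
    body, _, tag = blob.rpartition(b"\n")
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(tag, expected):
        return None
    return json.loads(body)


def run_demo() -> Dict[str, object]:
    # Constructed sample 'disk'; the byte strings stand in for real binaries.
    disk = {
        r"C:\Windows\calc.exe": b"MZ...original calculator image...",
        r"C:\Windows\System32\kernel32.dll": b"MZ...kernel32 image...",
        r"C:\Users\avilt\photo.jpg": b"\xff\xd8\xff\xe0...pixels...",
    }
    key = b"constructed-demo-key"  # assumption: agent-held secret
    whitelist = solidify(disk)
    sealed = seal_whitelist(whitelist, key)

    results: Dict[str, object] = {}
    # 1. Untouched executable still matches its solidified hash.
    results["original"] = check_exec(
        whitelist, r"C:\Windows\calc.exe", disk[r"C:\Windows\calc.exe"])
    # 2. Attacker overwrites calc.exe in place: same name, different bytes.
    results["overwritten"] = check_exec(
        whitelist, r"C:\Windows\calc.exe", b"MZ...trojanized calc...")
    # 3. Attacker drops a binary that was never inventoried.
    results["dropped"] = check_exec(
        whitelist, r"C:\Temp\evil.exe", b"MZ...dropper...")
    # 4. Attacker appends a payload to a JPG. It is not executable code, so the
    #    whitelist is silent; only content inspection (AV) would flag it.
    crafted = disk[r"C:\Users\avilt\photo.jpg"] + b"<obfuscated payload>"
    results["crafted_jpg"] = check_exec(
        whitelist, r"C:\Users\avilt\photo.jpg", crafted)
    # 5. Whitelist file edited on disk: the integrity check rejects it.
    tampered = sealed.replace(b"calc.exe", b"cmd.exe", 1)
    results["intact_whitelist_ok"] = load_whitelist(sealed, key) == whitelist
    results["tampered_whitelist_ok"] = load_whitelist(tampered, key) is not None
    return results


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name:24} {verdict}")
```

Case 4 is the reason the thread lands on "whitelisting does not replace AV": the agent can refuse to run an unknown binary, but a data file that is only read by an already-whitelisted program is outside its decision, so the payload inside it has to be found by a scanner.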

              • 4. Re: Application Control A Few Questions
                avilt

                Thank You very much.

                I cannot see similar discussions in this forum; I can view only the past two weeks' discussions in this forum.

                • 5. Re: Application Control A Few Questions
                  Troja

                  Sorry, was not fully clear.

                  We discussed this with several customers and McAfee SEs at several partner meetings, like the Techforum in New Orleans.

                  Best,

                  Thorsten

                  • 6. Re: Application Control A Few Questions
                    avilt

                    OK. So can I get such information on this forum? In this Application Control forum, I can see discussions of the past two weeks only. How can I see all the discussion threads?

                    • 7. Re: Application Control A Few Questions

                      avilt,

                       

                      Troja has answered most of the questions. Thanks Troja... let me take a shot at what was left unanswered.

                       

                      1. Can we do away with the antivirus software on systems with application control installed? Please elaborate.

                      >This can be recommended for very specific environments, low-end machines or static or closed environments. For the rest, it is absolutely recommended to have either ODS or OAS enabled (to be decided based on a combination of the environment and the critical nature of the device).


                      2. Where does the application control keeps the data about solidified system? Local or on ePO server? How is this data protected?

                      >This file is protected by self-integrity feature.

                       

                      3. Is it possible for a hacker to replace an existing file on the system with the malicious file (may be using the same name, hash)? What are the protection techniques used by application control?

                      >Troja has already answered this.