1 Reply Latest reply on Feb 17, 2015 3:48 AM by Troja

    McAfee Application Control vs Microsoft AppLocker?

    web1b

      What are the benefits of McAfee Application Control vs using AppLocker?

        • 1. Re: McAfee Application Control vs Microsoft AppLocker?
          Troja

          Hi,

          I do not know the Microsoft product. Perhaps these technical features help you to compare. :-)

           

          Management Events  

          • Application inventory in central Management available

             Complete file inventory of any managed systems visible

             File inventory by system visible

          • Application classification in central Management (Infos from vendor e.g. known malicious applications)

            

          Policies - Enforcement  

          Execution of new files on endpoint can be blocked

          Dynamically generated executables on endpoints can be blocked

          Existing trusted executable code on endpoint is protected from modification or deletion


          Policies - Approach  

          • Policy enforcement is based on application information (Add Remove Programs). -> this is NOT the approach of the McAfee Product

          This means the product uses this information for managing applications

          • Each application must be allowed to be started.  -> benefit of McAfee, product uses Dynamic whitelisting

          • Policy enforcement is based on executable code (executable files). -> regardless of the extension

             

          Policies - Exclusions  

          Exclusions based on named binary • Application can be blocked

          Exclusions based on application chain (e.g. App1.exe executed by App2.exe) 

          Exclusions based on certificate

          Exclusions based on username or usergroups 

          Exclusions based on trusted directory 

          Exclusions based on script-type 

            

          Memory protection features available  

          • Protecting non-code memory areas on 32-bit endpoints 

          • Prevent code being run from non-executable memory regions (Windows DEP)

          • Virtual Address Space Randomization (ASLR) protection for systems not supporting ASLR 

             Protection against ROP-based attacks

             Protection against return-oriented programmed exploits

             Protection against just-in-time compilation or JIT exploits

          • Prevent code being run from non-executable memory regions (Windows DEP)

          • Prevent unknown executables to be loaded to memory

             Prevent injecting unknown code into memory

          User Interface  

          • Self Approval for blocked applications 

             notification text can be modified

            

          Supported environments  

          32 and 64 Bit support 

          Operating Systems support.

            

          Self-protection: Administrative accounts on endpoint e.g. system account can be prevented from making any policy change.

          • Product can be managed by CLI 

          • CLI is protected by password or other protection feature 

           

           

          This is only some technical background. If you compare the products from different vendors in detail you can see the real differences. Also tamper protection, visibility of events, deployment and so on can expand the list shown above.

          We know how fast and easy product settings can be changed. Also a secure way to manage systems not connected to the corporate network. Managing events, User self approval and so on are often important things for an application control project.

           

          Hope this helps,

          Cheers