2 Replies Latest reply on Feb 18, 2015 10:08 AM by Troja

    Solidifier command line Application Control Questions

    elmere2

      I'm in the midst of evaluating the Solidifier command line Application Control.

      1. In the documentation:

      Only solidified code can run. Any code that is created or modified at run-time, after the solidification step completes, is considered unauthorized and not allowed to run.

      Scenario: Completely solidified drive c: and reboot. I try to run an executable file but it runs smoothly. How does Solidifier work?

      How can I block any new .exe, .dll & scripts?

      2. Can I block any process using Solidifier?

      Best Regards,

      Ryl

        • 1. Re: Solidifier command line Application Control  Questions
          Richard Carpenter

          Hi elmere2

          Application Control / Solidcore is based on a Trusted Source Model.

          When a machine is set to Enabled, Solidcore scans the system for executable code and builds a dynamic whitelist based on what is present on the machine at the moment Solidcore is enabled. These whitelisted executables are permitted to run on the machine.

          Updaters are a whole other subject, but that is the basics of the Solidcore product.

          Regards

          Rich

          Volunteer Moderator

          Certified McAfee Product Specialist - ePO

          • 2. Re: Solidifier command line Application Control  Questions
            Troja

            2. Can I block any process using Solidifier?

            Hi Ryl, yes, this is the main goal of Application Control. After installing the product and solidifying the system, any executable code is protected from change. Also, if enabled, any change in the memory.

            Take a look at this thread for some technical background: McAfee Application Control vs Microsoft AppLocker?

            This means:

            - if you copy a file on the system, this file could not be executed on the endpoint, because it is not located on the internal whitelist

            - if some "advanced thing" tries to change an application in the memory, this is also blocked.

            Finally, any executable code on your system is protected: it is allowed to run and is protected from any change.

            To change your system in the future you have to define updaters, trusted users, installers and so on (based on the Trusted Source Model). You can call them all together "trusted updaters".

            The benefit is, you don't have to specify which application is allowed to run; furthermore, you have to define how the system can be changed in the future (Dynamic Whitelisting).

            If the system is changed by a trusted updater, any new executable code is automatically added to the internal whitelist and can be executed in the future.

            Hope this helps,

            Cheers
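To make the dynamic-whitelisting behaviour described in both replies concrete (inventory at solidification time, deny new or modified code, trusted updaters extend the list), here is a small Python model of that Trusted Source Model. It is an added illustration written for this thread, not McAfee code and not how Solidcore is implemented: the "executable" test is a hypothetical extension heuristic, file identity is a SHA-256 of the contents, and the trusted updater is modelled as a context block that authorises only files created or changed while it runs.

```python
import hashlib
import os
import tempfile
from contextlib import contextmanager

# Hypothetical heuristic for "executable code"; the real product inspects file
# contents, this toy model only looks at the extension.
EXECUTABLE_SUFFIXES = {".exe", ".dll", ".sys", ".ps1", ".bat", ".vbs", ".js"}


def _digest(path):
    """SHA-256 of a file's contents, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _scan(root):
    """Map absolute path -> digest for every executable-looking file under root."""
    found = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if os.path.splitext(name)[1].lower() in EXECUTABLE_SUFFIXES:
                p = os.path.abspath(os.path.join(dirpath, name))
                found[p] = _digest(p)
    return found


class Solidifier:
    """Toy model of dynamic whitelisting: inventory what is on disk at
    solidification time, then deny anything new or changed afterwards
    unless a trusted updater made the change."""

    def __init__(self):
        self.inventory = {}   # path -> digest recorded when the file was authorised
        self.enabled = False

    def solidify(self, root):
        """Build the whitelist from what is present now, then turn enforcement on."""
        self.inventory = _scan(root)
        self.enabled = True
        return len(self.inventory)

    def check_execute(self, path):
        """Return (allowed, reason) for an attempt to run `path`."""
        p = os.path.abspath(path)
        if not self.enabled:
            return True, "enforcement disabled"
        if p not in self.inventory:
            return False, "not on whitelist (new file)"
        if _digest(p) != self.inventory[p]:
            return False, "modified after solidification"
        return True, "whitelisted"

    @contextmanager
    def trusted_updater(self, root):
        """Authorise only files created or changed while this block runs.
        A stray file that was already unknown and is left untouched stays unknown."""
        before = _scan(root)
        try:
            yield
        finally:
            after = _scan(root)
            for p, d in after.items():
                if p not in before or before[p] != d:
                    self.inventory[p] = d          # new or changed by the updater
            for p in list(self.inventory):
                if p not in after:
                    del self.inventory[p]          # removed by the updater


def demo():
    """Replay the thread's scenario in a scratch directory with constructed
    files; returns a dict of verdicts (all True when the model behaves as described)."""
    verdicts = {}
    with tempfile.TemporaryDirectory() as root:
        def write(name, data):
            p = os.path.join(root, name)
            with open(p, "wb") as f:
                f.write(data)
            return p

        a = write("a.exe", b"MZ original build")            # present at solidification
        s = Solidifier()
        s.solidify(root)
        verdicts["original_allowed"] = s.check_execute(a)[0]
        b = write("b.exe", b"MZ copied in later")           # the "copy a file" case
        verdicts["copied_in_blocked"] = not s.check_execute(b)[0]
        write("a.exe", b"MZ patched in place")              # whitelisted file altered
        verdicts["patched_blocked"] = not s.check_execute(a)[0]
        with s.trusted_updater(root):                       # sanctioned change
            c = write("c.exe", b"MZ installed by updater")
            write("a.exe", b"MZ upgraded by updater")
        verdicts["updater_install_allowed"] = s.check_execute(c)[0]
        verdicts["updater_upgrade_allowed"] = s.check_execute(a)[0]
        verdicts["untouched_stray_still_blocked"] = not s.check_execute(b)[0]
    return verdicts


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'ok' if ok else 'UNEXPECTED'}")
```

The point of the `trusted_updater` block is the distinction Troja draws: a file merely copied onto the box before the updater ran is still not on the list afterwards, while everything the updater itself created or changed is, which is what "Dynamic Whitelisting" buys you over maintaining an explicit allow-list by hand.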