They just released a hotfix for 6.1.3 on Monday morning. Not sure if any of these specific findings have been addressed; however, the link you provided provides some remedies. You can create a SC: Run Commands Task and include multiple commands for each of their suggestions below (test and verify before applying to a live environment). Ensure that the client CLI is in lockdown before running any SC: Run Commands task as well, as they will ignore any tasks sent from ePO if the CLI is in a "recovered" state.
The following list contains configuration settings, hardening guidelines and measures to secure the system.
*) Configure a strong password to protect McAfee Application Control
Without specifying a password for McAfee Application Control an attacker can
simply interact with the software to disable all protections.
McAfee Application Control does not enforce a strong password complexity.
It is recommended to use a strong password. (This can also be set in ePO policy settings under Client Config, or locally via the command line.)
Command: sadmin passwd
*) Remove powershell.exe from the list of default whitelisted applications
Command: sadmin unsolidify C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe
Command: sadmin unsolidify C:\WINDOWS\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
(and all other occurrences of powershell.exe, e.g. in C:\Windows\winsxs\...)
*) Remove the default whitelisted ZIP application from the whitelist
Command: sadmin.exe unsolidify "C:\Program Files\McAfee\Solidcore\Tools\GatherInfo\zip.exe"
*) Remove interpreters (e.g. python, perl), debuggers, outdated software and other
applications which can be abused (e.g. java) from the whitelist
*) Only whitelist required software
To decrease the attack surface the list of whitelisted software should be as minimal
*) Disable memory corruption protections from McAfee Application Control
This ensures that scinject.dll does not allocate a write- and executable
section in all applications. Since the protections offered by McAfee
Application Control correlate to the protections from the operating system,
these protections can be disabled. Only in some special situations
(e.g. when the underlying hardware does not support hardware-based DEP)
should these protections not be disabled.
Command: sadmin features disable mp
Command: sadmin features disable mp-casp
Command: sadmin features disable mp-vasr
Command: sadmin features disable mp-vasr-forced-relocation
*) Add JS and HTA files to the list of protected scripts
By default McAfee Application Control does not protect the system from
malicious JS or HTA files. To secure this, the hidden scripts command
can be used:
Command: sadmin scripts add .js cscript.exe wscript.exe
Command: sadmin scripts add .hta mshta.exe
*) Remove processes from the list of updaters / do not use the updater list
This recommendation is hard to follow because systems should
regularly be updated. However, the list of update processes can be abused by
attackers. Therefore it's recommended to remove all elements from
the list. The recommended way to deal with updates is to add the
update process just before applying the update and to remove the update process
after the system is successfully updated.
Command: sadmin updaters list (get a list of all configured updaters)
Command: sadmin updaters flush (remove the identified updaters) WARNING: this will probably block a lot of legitimate changes on protected systems.
*) Do not configure trusted volumes
Trusted volumes completely bypass application whitelisting.
Therefore trusted volumes should not be configured.
Command: sadmin trusted -l (get a list of all configured trusted volumes)
Command: sadmin trusted flush (removes the identified trusted volumes)
*) Regularly apply software and system updates.
This recommendation is not directly related to McAfee Application Control;
however, SEC Consult Vulnerability Lab considers it important to explicitly
mention this here. Keeping the system and all installed software
up-to-date is absolutely mandatory for the security of the system.
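The steps above collected into one cmd script that can be pasted into an SC: Run Commands task or run locally; this is an added example, not code from the thread, the SEC Consult advisory or McAfee. It assumes that "sadmin status" reports the CLI state on a line containing "CLI" with the word "Lockdown" or "Recovered", and it defaults to a dry run so the listings of updaters and trusted volumes can be reviewed before anything is flushed.

```batch
@echo off
REM Added example: one cmd script for the SC: Run Commands steps above.
REM Dry-run by default; pass /apply to actually change the whitelist.
REM Assumption: "sadmin status" prints the CLI state as a line like
REM "Local CLI access: Lockdown" (or "Recovered"); adjust findstr if yours differs.
setlocal
set "APPLY=0"
if /I "%~1"=="/apply" set "APPLY=1"

REM Tasks sent from ePO are ignored while the CLI is recovered, so stop here
REM unless the CLI is locked down.
sadmin status | findstr /I /C:"CLI" | findstr /I /C:"Lockdown" >nul
if errorlevel 1 (
    echo CLI is not in lockdown; run "sadmin lockdown" first, then retry.
    exit /b 1
)

REM Show what is currently trusted so the change can be reviewed first.
echo --- configured updaters ---
sadmin updaters list
echo --- trusted volumes ---
sadmin trusted -l

REM Memory-protection features (OS DEP/ASLR already cover these).
call :run sadmin features disable mp
call :run sadmin features disable mp-casp
call :run sadmin features disable mp-vasr
call :run sadmin features disable mp-vasr-forced-relocation

REM Treat .js and .hta as protected scripts.
call :run sadmin scripts add .js cscript.exe wscript.exe
call :run sadmin scripts add .hta mshta.exe

REM Unsolidify every copy of powershell.exe under the Windows directory
REM (system32, SysWOW64 and the WinSxS copies), plus the bundled zip.exe.
for /f "delims=" %%F in ('dir /s /b "%SystemRoot%\powershell.exe" 2^>nul') do call :run sadmin unsolidify "%%F"
call :run sadmin unsolidify "%ProgramFiles%\McAfee\Solidcore\Tools\GatherInfo\zip.exe"

REM Updaters and trusted volumes: only with /apply, and only after the
REM listings above have been reviewed (this will block legitimate updates).
call :run sadmin updaters flush
call :run sadmin trusted flush
goto :eof

:run
if "%APPLY%"=="1" (
    %*
) else (
    echo [dry-run] %*
)
exit /b 0
```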
McAfee Application Control (MAC) 6.1.3 Hotfix 12 is now available. This release includes fixes for the following issues:
- When the inventory is corrupt on a system, the system might erroneously restart in a loop. This issue occurs because the Federal Information Processing Standard (FIPS) driver fails to load on the system, thereby making it difficult for Application Control to detect the corrupt inventory. (4-9922780391)
- While creating a Windows backup on a system where Application Control is enabled, the system might stop responding. (4-10570835111)
You can sign up to the SNS service to receive notifications related to new releases and hotfixes here.
Do you know if MAC 6.2 is vulnerable to these exploits?