3 Replies Latest reply on Oct 28, 2015 5:02 PM by neelima

    Copying Solidcore whitelist between systems


      Just wondering if anybody else has played around with copying the Solidcore inventory (whitelist) C:\Solidcore\scinv between systems? To give the scenario, I have a client with a large fleet of systems that are all running a Standard Operating Environment from a hardware, OS and application perspective (and to be honest it is freakishly consistent) and we're evaluating the most efficient way to deploy Application Control (v6.2). Unfortunately these systems have very low hardware specifications, and performance testing we have undertaken suggests the initial Solidification process takes up to 40 minutes (when using low priority), during which time the responsiveness of the system is degraded. This is not acceptable to my client as it means that the system is not usable during that time, and there are concerns that if somebody attempted to use it during that time their automatic reaction would be to reboot the machine, interrupting the Solidification process and potentially corrupting the inventory (whitelist) and impacting MAC functionality.


      We have been investigating whether it is at all possible to copy the scinv file from a system that has been previously solidified to another system after the installation of Application Control and prior to enabling and subsequently rebooting. As I understand it, the inventory doesn't contain anything unique to the system on which it was created, other than that if there are binaries present on the target system that weren't on the system from which the inventory was cloned, they would be unable to execute. If this is possible, are there any other files on top of the scinv file that would need to be copied to allow this cloning to work?


      Thanks in advance for any insights or experiences anybody can provide.




        • 1. Re: Copying Solidcore whitelist between systems

          Mick, the Application Control inventory is a factor of file location and checksum (along with tons of metadata about the files which is system specific). In our experience, however much the 2 images may look alike on the surface, this combination for the OS files is never the same.


          A quick and easy way to validate this is to put the inventory from the gold image's system volume on the system volume of another system (based on that image) and run the command >sadmin check (https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/24000/PD24673/en_US/mac_610_standalone_C…)


          If you see no filenames dumped after running this command, you can think about copying the inventory (because the 2 images are actually the same). However, if even one of the system files is different or left over, there can be issues in enable mode.


          Hope this explains why we do not recommend copying inventories across the systems.
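
The reply above describes the inventory as a combination of file location and checksum. The following is an added illustration, not part of the original thread and not McAfee's tooling or inventory format: it builds a path-plus-SHA-256 manifest for two directory trees and lists where a manifest cloned from the gold system would be wrong on the target. It does not replace sadmin check; the function names and the extension list are assumptions, and the sample trees are constructed.

```python
import hashlib
import os
import tempfile

# Assumed set of executable-type extensions for this illustration only.
EXEC_EXTS = {".exe", ".dll", ".sys", ".bat", ".cmd", ".ps1", ".vbs"}

def build_manifest(root):
    """Map case-folded relative path -> SHA-256 for executable-type files under root."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in EXEC_EXTS:
                continue
            full = os.path.join(dirpath, name)
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 20), b""):
                    digest.update(chunk)
            rel = os.path.relpath(full, root).replace(os.sep, "/").lower()
            manifest[rel] = digest.hexdigest()
    return manifest

def compare(gold, target):
    """Return where a manifest cloned from gold would not match the target."""
    both = set(gold) & set(target)
    return {
        "not_in_gold": sorted(set(target) - set(gold)),        # left over on target
        "missing_on_target": sorted(set(gold) - set(target)),  # stale entries
        "checksum_differs": sorted(p for p in both if gold[p] != target[p]),
    }

def demo():
    """Constructed sample: two trees from the 'same image' that drifted slightly."""
    def write(root, rel, data):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    with tempfile.TemporaryDirectory() as gold, tempfile.TemporaryDirectory() as tgt:
        for root in (gold, tgt):
            write(root, "Windows/System32/app.exe", b"same bytes")
        write(gold, "Windows/System32/driver.sys", b"v1")
        write(tgt, "Windows/System32/driver.sys", b"v2 after hotfix")
        write(tgt, "Windows/Temp/leftover.dll", b"left over")
        write(tgt, "Windows/notes.txt", b"ignored: not an executable type")
        return compare(build_manifest(gold), build_manifest(tgt))

if __name__ == "__main__":
    print(demo())
```

Any non-empty list in the result corresponds to the "different or left over" case the reply warns about.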

          • 2. Re: Copying Solidcore whitelist between systems

            Thanks for the feedback neelima. We did do some testing and yes, you're right: while on the surface the systems may be running the same image, there are enough variations in binaries that we ran into a few issues. Instead we opted to look for ways to improve the solidification time given the hardware limitations in play. We added the Solidcore service binary scsrvc.exe to a VSE On-Access Low Risk Processes Policy so it was excluded from AV scanning. We also removed all Windows hotfix roll-back directories in C:\Windows\. I'm looking forward to the next major MAC release as I believe the functionality to exclude directories from the solidification process is being incorporated. With just those two actions alone we were able to achieve a halving of the solidification time from around 40 minutes to 20 minutes, which my client has conceded they can live with.




            • 3. Re: Copying Solidcore whitelist between systems

              Mick, I would like to discuss other threads also. Can you message me your contact info so that I can set up a call?


              Thanks much.