Kazakhstan, Almaty, 90 Shevchenko St., Karatal Business Centre, office 53
Kazakhstan, Astana, 19 Imanova St., "Alma-Ata" Business Centre, office 612

Track: McAfee                          Number of days: 4
Vendor: Information Security           Number of hours: 32

The McAfee University Application Control / Change Control Administration course gives attendees in-depth training on the full benefits and deployment of the McAfee Application Control / Change Control products. Enabling administrators to fully understand the capabilities of their security solution not only reduces the risk of misconfiguration but also ensures an organization gets the maximum protection from its installation.

Prerequisites

It is recommended that students have a working knowledge of Microsoft Windows administration and system administration concepts, a basic understanding of computer security concepts, and a general understanding of viruses and anti-virus technologies.

Course objectives

  • Understand the capabilities of McAfee’s Application Control / Change Control solution

  • Install and administer

  • Manage remote

  • Protect endpoints

Target Audience:

System and network administrators, security personnel, auditors, and/or consultants concerned with network and system security should take this

Module 1: Introduction to the McAfee Application Control/Change Control

  • What is MACCC?

  • Supported Operating Systems

  • Solidcore Architecture

  • Multi-layered Security Solution

  • Whitelisting

  • Trust Model

  • Image Deviation

  • Differentiators

  • Visibility and Enforcement for End-to-end Compliance

  • File Integrity Monitoring

  • Change Prevention

  • Install Workflow

  • Navigation to Solidcore Components

  • Solidcore Configuration

  • Updaters or Publishers

  • Solidcore Configuration

  • Installers

  • Solidcore Policies

  • Windows Path Definitions

  • Solidcore Server Tasks

  • Solidcore: Purge Task

  • Migration Server Task

  • Calculate Predominant Observations (Deprecated)

  • Content Change Tracking Report Generation

  • Solidcore: Run Image Deviation

  • Image Deviation (Application Control)

  • Specifying a Golden Image

  • Solidcore: Scan a Software Repository

Module 2: Planning a McAfee® ePolicy Orchestrator™ Deployment

  • Platform Requirements

  • ePO Server Hardware Requirements

  • ePO Server Operating Systems

  • ePO Server Prerequisite Software

  • Supported Web Browsers

  • Supported SQL Server Releases

  • Default Communication Ports

  • Default Ports

  • Determining Ports in Use

  • Virtual Infrastructure Requirements

  • Deployment Guidelines

  • Deployment Scenario: Basic Plan

  • Solution A: One ePO Server

  • Solution B: Two ePO Servers

  • Solution C: ePO server with Agent Handlers

  • Deployment Scenario: Disk Configuration

  • Solution: Less than 5,000 Nodes

  • Solution: 5,000 to 25,000 Nodes

  • Deployment Scenario: Disk Configuration

  • Solution: 25,000 to 75,000 Nodes

  • Solution: More than 75,000 Nodes

  • Database Sizing

  • How Products and Events Affect Calculations

  • Example: Calculating Averages

  • Calculating Your Environment

  • Managing Scalability

  • Environmental Factors

Module 3: Security Connected and McAfee® ePolicy Orchestrator™ Overview

  • Security Evolution

  • Security Connected

  • Breadth and Depth for Security

  • ePO Solution Overview

  • New for this Release

  • Basic Solution Components

  • How ePO Works

  • Essential Features

  • Integration with Third-Party Products

  • ePO Web Interface

  • Menu Page

  • Customizing the User Interface

  • Architecture and Communication

  • Functional Process Logic

  • Data Storage

Module 4: McAfee® Agent

  • McAfee Agent Overview

  • New for This Release

  • Agent Components

  • Agent-Server Secure Communication Keys

  • Communication after Agent Installation

  • Typical Agent-to-Server Communication

  • McAfee Agent-to-Product Communication

  • Forcing Agent Activity from Server

  • Wake-up Calls and Wake-up Tasks

  • Configuring Agent Wake-up

  • Locating Agent Node Using DNS

  • Using System Tray Icon

  • Forcing McAfee Agent Activity from Client

  • Viewing McAfee Agent Log

  • ePO 4.x/McAfee Agent 4.x Feature Dependencies

  • Agent Files and Directories

  • xml

  • McAfee Agent Log Files

  • Using Log Files

  • Installation Folders

Module 5: Application Control/Change Control Extension Installation

  • Extensions in ePO

  • Extensions Menu

  • Integration of AC/CC Extension

  • Installation Requirements

  • System Requirements

  • ePO Database Sizing

  • Installation of Extension

  • Solidcore Licensing

  • What is Solidcore?

  • Install Workflow Review

  • Installing Licenses

  • Solidcore Database Tables

Module 6: Solidcore Client

  • Solidcore Architecture

  • The agent plug-in and how it works

  • Types of Platforms Protected

  • Supported Systems

  • Check in Agent Plug-in Package into ePO

  • Deploying the Solidcore Agent Plug-in

  • Verifying Installation from the Endpoint

  • Solidcore Client Tasks

  • Enable Solidcore Agent Task

  • Disable Solidcore Agent Task

  • Initial Scan to Create Whitelist

  • Pull Inventory

  • Begin Update Mode

  • End Update Mode

  • Change Local CLI Access

  • Collect Debug Info

  • Run Commands

  • Get Diagnostics for Programs

  • Features for the Client

  • Client Notifications and Events

  • Client Events and Approvals

  • Customizing Client Notifications

Module 7: Application Control Initial Configuration

  • What are Observations?

  • Observe Mode

  • Manage requests

  • Review requests

  • Process requests

  • Allow by checksum on all endpoints

  • Allow by publisher on all endpoints

  • Ban by checksum on all endpoints

  • Define custom rules for specific endpoints

  • Allow by adding to whitelist for specific endpoints

  • Define bypass rules for all endpoints

  • Delete requests

  • Review created rules

  • Throttle observations

  • Define the threshold value

  • Review filter rules

  • Manage accumulated requests

  • Exit Observe mode

  • Inventory Introduction

  • Fetch Inventory

  • GTI Integration

  • Trust level and score

  • Cloud Trust Score

  • Inventory Without Access to GTI

  • Fetch McAfee GTI ratings for isolated networks

  • Export SHA1s of all binaries

  • Run the Offline GTI tool

  • Fetch Inventory – Bad File Found Event

  • Manage the inventory

  • Manage Binaries

  • Application Control Policies

  • Role of the Policy

  • Application Control Configuration

  • Managing Rule Groups

  • Creating an Application Control Rule Group

  • Updater Tab

  • Trusted Users

  • Exceptions

  • Using a Rule Group to Block an Application

Module 8: Application Control Feature Administration

  • What is Update Mode?

  • How to Update a Solidified System

  • Auto-Updaters

  • Authorized Updaters

  • Determining Updaters

  • Understanding Publishers

  • Understanding Installers

  • Scan a Software Repository

  • Revisit – Solidcore Permission Sets

  • Reboot Free Activation

  • Inventory Management Enhancements

  • Inventory Management – Pull Inventory

  • Inventory By Application

  • Inventory By Systems

  • Inventory Application Drill-down

  • Inventory Binary Drill-down

  • Search Filters

  • Modifying Enterprise Trust Level

Module 9: Event and Alerts

  • Understanding Events

  • What Creates an Event

  • When Are Events Sent Back?

  • Viewing Events

  • Advanced Filters

  • Selecting Columns to Display

  • Viewing the Details of an Event

  • Solidcore Events

  • Example of Solidcore Events

  • Application Control Events

  • Planning Automatic Responses

  • Throttling, Aggregation, and Grouping

  • Alerts

  • Understanding Alerts

  • Scenarios

  • Configuring a Solidcore Alert

  • Viewing an Alert

  • Support of SNMP Alerts

  • Customizing End User Notifications

  • Syslog Enhancements

Module 10: Change Control Initial Configuration

  • Application Control & Change Control

  • Change Control & Integrity Monitoring

  • Scenario

  • File Integrity Monitoring

  • Workflow

  • Disable Solidcore

  • Enable Solidcore on the Endpoint

  • Verifying Client Task Completion

  • Integrity Monitoring Policies

  • Using Integrity Monitor

  • Creating an Integrity Monitor policy

  • Integrity Monitoring Policies

  • Testing your Monitoring

  • Reducing “Noise”

  • Example of Reducing “Noise”

Module 11: Using the Policy Catalog and Managing Policies

  • Change Control Policies

  • Role of the Policy

  • Variables for Use in Policies

  • Example of Variables in a Rule Group

  • Scenario

  • Write Protect a File, Trusted Program can Alter

  • Write Protect a Registry Key, Program can Alter

  • Write Protect a File, Trusted User can Alter

  • Verifying only Trusted User can Alter

  • Read Protection must be Enabled

  • Read Protect a File, Trusted Program can Access

  • Emergency Changes

  • Content Change Tracking

  • One Click Exclusion (Advanced Exclusion Filtering)

  • One Click Exclusion Configuration

  • Troubleshooting

Module 12: Dashboards and Reporting

  • The Dashboard

  • ePO Dashboards

  • Queries As Dashboard Monitors

  • Dashboard Access

  • Dashboard Configuration

  • Solidcore Dashboards

  • Application Control Dashboard

  • Change Control Dashboard

  • Integrity Monitor Dashboard

  • Inventory Dashboard

  • Solidcore Queries

  • Reporting > Solidcore

  • Application Control > Inventory

  • Application Control > Image Deviation

  • Automation > Solidcore Client Task Log

  • Scenario

  • Creating a Customized Dashboard

  • Making a Dashboard Public

  • Set the Default Dashboard

Module 13: Troubleshooting

  • Solidcore Architecture and Components

  • Solidcore 6.1.3 Architecture

  • Troubleshooting References

  • Location of Solidcore Files on Endpoint

  • ePolicy Orchestrator Application Server Service Logs

  • Solidcore Registry Keys on Endpoint

  • Solidcore Services

  • Troubleshooting Best Practice

  • Escalation Best Practices

  • Troubleshooting GTI Cloud Issues Best Practice

  • Top Issues – Task Failure

  • Top Issues – Denied Execution Issues

  • Top Issues – Denied Execution of a Network Share

  • Top Issues – Network Share

  • Top Issues – KB

  • Useful Tools

  • Solidcore Event Logs

  • Solidcore User Notifications

  • Solidcore Troubleshooting Tools

  • Escalation Tools

  • Solidcore Database Tables

  • Minimum Escalation Requirements (MER)

  • Running MER Tool on Client

  • Dump Tools

Module 14: Case Studies

  • A Case from History

  • Unpatched, Known Vulnerabilities in the Client

  • Browser-based Exploits

  • The Remedy

  • Application Whitelisting

  • Increasing Compliance Requirements

  • Remedy

  • File Monitoring

  • Complete the Task

Module 15: CLI Administration

  • Solidcore CLI

  • Location of Solidcore Files on Endpoint

  • Viewing the CLI Access

  • Enabling the CLI

  • Unlocking the CLI Locally

  • Securing the CLI

  • Using the CLI

  • SADMIN Commands

  • Solidifying from the CLI

  • Unsolidifying

  • What is Solidcore’s Status?

  • Beginning the Update Status

  • Ending the Update Status

  • Enabling and Disabling Solidifier

  • SADMIN Commands

  • Advanced SADMIN Commands

  • Solidcore Commands

  • New CLI Commands

  • Application Control Rules & Helpful Commands

  • Read/Write Protect Files

  • Change Control Commands – Write Protection

  • How To Write Protect a File

  • Modifying Read/Write Protected Files

  • Change Control Features – Write Protection

  • Application Control

  • Authorize Command Arguments

  • Discovering and Adding Updaters

  • SADMIN Diag Notations

  • Discovering and Adding Updaters

  • Using Attributes to Control File Execution

  • Attributes

  • Using Attributes to Control File Execution

  • Viewing Solidcore Events

  • Event Sinks

  • Logging Events

  • Event Names and Log Entries

  • Product Tools

Module 16: Best Practices

  • Review of Initial Setup Tasks

  • Systems Tree Infrastructure

  • Communication between ePO and Agent

  • Activation Options: Application Control Only

  • Inventory Collection Scan

  • Protection State Selection

  • Protection State Delivery

  • Testing Protection Mechanisms

  • Policies and Rule Groups

  • Policy Tuning

  • Bypass Rules and Exclusions

  • Inventory and Whitelist

  • Updaters

  • Application Control Memory Protection

  • Maintenance

  • Basic Troubleshooting and FAQs

  • Solving Memory Discrepancies

  • Helpful Resources