Release Notes - McAfee® Application Control® 6.0.0

About this document

Thank you for using McAfee® Application Control® software version 6.0.0. This document contains important information about this release. We strongly recommend that you read the entire document.

New features

Here is a list of new and updated features included with this release of the product.

Addition of Observe Mode #

Using the Observe mode, you can perform a dry run for Application Control. When running in Observe mode, Application Control emulates the Enabled mode but logs observations (on the McAfee ePO console) instead of preventing any applications or code from running. An observation is logged corresponding to each action Application Control will take when in Enabled mode.

For example, if Adobe Reader is not authorized, its execution is prevented in Enabled mode, whereas in Observe mode Adobe Reader is allowed to execute and an observation is logged indicating that the execution was permitted.

Observe mode is available only on the Windows platform. You can place the endpoint in Observe mode to:
  • Check the compatibility of Application Control with existing software during initial deployment
  • Test an application prior to enterprise-wide deployment on endpoints already running Application Control

You can use the observations logged in the Observe mode to discover policy rules required to run existing or new applications in Enabled mode.
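The following is an added illustration, not McAfee code, of the Enabled versus Observe decision described above and of turning the logged observations into candidate whitelist rules; the sample file contents, the path and the SHA1-keyed whitelist are constructed assumptions.

```python
import hashlib
from enum import Enum


class Mode(Enum):
    DISABLED = "Disabled"
    OBSERVE = "Observe"
    ENABLED = "Enabled"


# Constructed sample "binaries": only the first one is already whitelisted.
TRUSTED = b"MZ\x90\x00 trusted-app"
UNKNOWN = b"MZ\x90\x00 adobe-reader-update"


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def check_execution(mode, whitelist, path, data, observations):
    """Decide whether a binary may run.

    Enabled:  deny anything whose SHA1 is not in the whitelist.
    Observe:  emulate Enabled, but let the binary run and record what
              Enabled mode would have done, so rules can be derived later.
    Disabled: no enforcement at all.
    """
    digest = sha1_hex(data)
    if mode is Mode.DISABLED or digest in whitelist:
        return "allow"
    if mode is Mode.OBSERVE:
        observations.append({"path": path, "sha1": digest, "enabled_would": "deny"})
        return "allow"
    return "deny"


def rules_from_observations(observations):
    """Collapse observations into deduplicated candidate SHA1 allow rules."""
    return sorted({o["sha1"] for o in observations if o["enabled_would"] == "deny"})


def dry_run():
    whitelist = {sha1_hex(TRUSTED)}
    obs = []
    path = r"C:\Program Files\Adobe\update.exe"  # constructed path
    enabled_before = check_execution(Mode.ENABLED, whitelist, path, UNKNOWN, obs)
    observed = check_execution(Mode.OBSERVE, whitelist, path, UNKNOWN, obs)
    whitelist |= set(rules_from_observations(obs))  # administrator reviews, then applies
    enabled_after = check_execution(Mode.ENABLED, whitelist, path, UNKNOWN, obs)
    return enabled_before, observed, len(obs), enabled_after
```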

Support for customizable end-user notifications #

In previous releases, if Application Control prevented or blocked an action on an endpoint, no notification was displayed on the endpoint. Starting with this release, if Application Control protection prevents an action on an endpoint, you can choose to display a customized message for the event on the endpoint. You can configure the notification to be displayed on the endpoints for each type of event.

Improvement of exception handling capabilities #

End-users can now request approval from the McAfee ePO administrator for an action denied or prevented by Application Control. You can configure the product so that end-users can review notifications for the blocked actions in the Application Control Events window. If needed, end-users can send a request (by clicking a button) to the McAfee ePO administrator for approval of certain actions. The administrator can review the event details (included in the request) and take action to approve the action for the end-user.

Support for reboot-free activation #

In previous releases, you were required to restart endpoints, including critical servers, to enable Application Control functionality. Also, because the time taken to create the whitelist varied for each endpoint, there was no way to predict when an endpoint could be restarted.

Starting with the 6.0.0 release, you can choose to enable limited Application Control functionality without restarting the endpoints. At your convenience, you can restart the endpoints later to enable all Application Control functionality. When you enable limited features (without restarting), all features except the memory-protection features are available. Note that the memory-protection features are available only after the endpoint is restarted.

Integration with the McAfee GTI file reputation service

Application Control is now integrated with the McAfee GTI file reputation service. The software synchronizes with the GTI file reputation service on a regular basis to fetch information. For each binary file, GTI provides these values:
  • Cloud Trust Level — Indicates if the file is a good, bad, or unknown file.
  • Cloud Trust Score — Indicates the reliability or credibility of the file.
Based on the information fetched, Application Control effectively sorts your inventory files into Good, Bad, and Unclassified categories.
Enhancement of inventory views

In previous releases, viewing the software inventory for an endpoint listed all the binary and executable files for the endpoint. The files were not categorized or sorted in any way.

Starting with this release, the inventory user interface has been enhanced to allow you to review detailed information. Using the improved interface, you can:
  • Sort files based on application, vendor, binary name, binary SHA1, or trust level
  • Review detailed information for a file and easily allow or ban the binary file (from the Inventory interface)
  • Use the pre-shipped filters to instantly review information for your enterprise
  • Use the improved search capabilities to quickly find a file
  • View the status of the endpoints' inventory by using the new inventory dashboards
Support for one-click exclusion

In previous releases, creating Advanced Exclusion Filter (AEF) rules was relatively difficult and error prone. You were required to manually enter detailed information to create an AEF rule.

Starting with this release, we have simplified the creation of AEF rules. You can create AEF rules directly from the Events page. Select the events to ignore in the future and create new or update existing rule groups. You do not need to enter details manually because the rules are auto-populated from the selected events. You only need to review the rules generated by the wizard.

Improvement of image deviation results

Starting with this release, image deviation results can be sorted based on applications or binaries. In addition, you can use custom queries to review reports generated for image deviation data.

Note: The features that are highlighted with # are not available on the Windows NT and Windows 2000 platforms. This is because in the 6.0.0 release we are shipping the 5.1.2-8144 build for the Solidcore client for these two platforms.

Known issues

For known issues in this product release, refer to KnowledgeBase article KB72754.

Resolved issues

Solidcore Extension

  • On localized platforms, the View link on Image Deviation Summary page fails to show details if the ePO web page is opened from ePO server itself using Internet Explorer 8. (610779)
  • You cannot add multiple binary files when using the Add from Inventory window to search and add rules to the Binary tab of an Application Control policy. If you select multiple binary files and click Add, only the binary file that you selected first is added. All subsequently selected binary files are not added. (672867)
  • The Image Deviation feature considers Windows file-names as case-sensitive. (608535)

Solidcore Client

Windows (Applicable to all or as indicated for each issue)
  • Errors are logged in the solidcore.log file for MSIEXEC, rundll32 and NVIDIA drivers. (3-1541527271)
  • On the Windows platform, a new .sctmp file is created at each policy enforcement interval (5 minutes by default). This rapidly fills up the C:\Windows\Temp directory and can cause performance issues on servers with limited disk space. (3-1527818949)
  • Unable to install the Adobe Reader update when the application is in Enabled mode. (3-1439068411)
  • After operating system patches are applied, the application fails to update the hashes in the software inventory. (3-1264491821)
  • Although the script-auth feature is enabled, any unsolidified bat file prefixed with temp or named temp and stored in the c:\Temp directory runs. (3-1492370002)
  • A delay in startup time is observed when comparing an endpoint in Disabled mode with the solidifier service running against an endpoint in Disabled mode with the solidifier service stopped. (3-1319590163)
  • The following and other related error messages were included in the solidcore.log file. (3-1482860231)

    ERROR: schooks.c : 383: Failed to open file '(null)' for creating section. err = 2.

    ERROR: imgp_decoy_k32.c: 997: Failed to rebase "\Device\HarddiskVolume1\Solidcore\bernel32.dll" to "\Device\HarddiskVolume1\Solidcore\k32___s_.dll" at 0x63000000. err = 2.

  • When the application is enabled and the floppy drive is set as a trusted drive to solidifier, executable files are denied execution. (3-1380986322)
  • On the Windows XP, Windows Vista, and Windows 7 operating systems, if you open the command window (without selecting the Run As Administrator option) and execute a command, although the command executes successfully the permission denied error message is displayed. (3-1563910501)
  • On the Windows 2003 and Windows XP operating systems (32-bit only), the endpoint hangs when the mp-mangling feature is enabled. (3-1713836601)
  • While importing a configuration file (exported from an endpoint) to another endpoint, not all rules are imported. (3-1701705101)
  • The installation of a customer-specific application (set as an Updater) fails if the pkg-ctrl feature is enabled. (3-1572001611)
  • On the Windows 2003 and Windows 2008 operating systems, if you are using Distributed File System replication for your Domain Controllers (DC) and a solidified file is modified on one DC in Update mode or by using an updater, changes to the file are reflected on other DCs but the file is erroneously removed from the inventory. (3-1566114764)
  • On the Windows XP (32-bit) operating system, the blue screen is displayed if you disable MP-CASP, enable MP-Mangling, and enable Pkg-ctrl. (3-1612748001)
  • A Parity Check or Memory Parity error occurs when the Solidcore client is enabled. (3-1664142473)
  • On the Windows Vista, Windows 2008, and Windows 7 operating systems (32-bit only), McAfee services, such as framework service, mcafee agent, and vteps do not run if the MP-CASP feature is enabled. (3-1603870243)
  • On the Windows 2008 R2 operating system (64-bit only), if Application Control and ESET antivirus are installed on an endpoint, the system hangs when restarted. (3-1667403421)
  • If a solidified file is renamed (by using an authorized updater), the entry for the file is deleted from the inventory. (3-1658814391)
  • If you apply Service Pack 1 on the Windows 7 platform in Enabled mode (when the predefined Windows Updates rules are applied), the operating system is corrupted and the endpoint does not restart. (3-1645915669)
  • The product allows execution of an unauthorized .class file although java.exe has attr -p attribute set. (3-1588899171)
  • On the Windows XP platform, you cannot run the Autocad application when the product is in Enabled mode. (656771)
  • When upgrading to the 5.1.2 version, the upgrade completes successfully but the scormapl.dll file fails to upgrade. This causes the old product version to be displayed on the McAfee ePO console. (3-1593240456)
  • Multiple error messages stating that the unauthorized execution of C:\Solidcore\bernel32.dll file was prevented are logged to the solidcore.log file. (3-1600151861)
  • The installation of an ActiveX control fails if script files are embedded in cab files. (3-1496883698)
  • After solidcore is installed, the endpoint does not shut down correctly. When shut down, the endpoint runs for 20 minutes and then hangs. (3-1408587222)
  • On the Windows platform, sctmp files are created in the temp directory and not deleted each time policies are enforced. (3-1739334453)
  • McAfee VirusScan Enterprise 8.8 (patch 1) is not compatible with Solidcore version 5.1.2. (711861)

Installation instructions

For detailed install and upgrade information, see the McAfee Change Control and Application Control 6.0.0 Installation Guide.

System requirements

To review system requirements for this product release, refer to KnowledgeBase article KB72867.

Upgrade support

This release supports upgrade from Solidcore Extension versions 5.1.0, 5.1.1, and 5.1.2. This release supports upgrade from Solidcore Client versions 5.1.0, 5.1.1, and 5.1.2. This release also supports upgrade (for Solidcore Client) from the following HotFixes:
  • Windows HotFix 5.1.0 Build 7700
  • Windows HotFix 5.1.1 Build 8001
  • Windows HotFix 5.1.2 Build 8131
  • Windows HotFix 5.1.2 Build 8800
  • Windows HotFix 5.1.2 Build 8140
  • Windows HotFix 5.1.2 Build 8144

Supported platforms and kernels

To review the supported platforms and kernels for this product release, refer to KnowledgeBase article KB73341.

Solidcore help extension installation

Starting with this release, the help extension (for Change Control and Application Control) is available as an independent file and is not integrated with the Solidcore extension. To access the help pages, you must first install the Solidcore extension and then install the Solidcore help extension. For detailed instructions on how to install the Solidcore extension, see the McAfee Change Control and Application Control 6.0.0 Installation Guide. To install the Solidcore help extension, repeat the steps performed to install the Solidcore extension.

Contacting Support

Finding product documentation

McAfee provides the information you need during each phase of product implementation, from installing to using and troubleshooting. After a product is released, information about the product is entered into the McAfee online KnowledgeBase.

  1. Go to the McAfee Technical Support ServicePortal at http://mysupport.mcafee.com.
  2. Under Self Service, access the type of information you need:
     To access user documentation:
       1. Click Product Documentation.
       2. Select a Product, then select a Version.
       3. Select a product document.
     To access the KnowledgeBase:
       • Click Search the KnowledgeBase for answers to your product questions.
       • Click Browse the KnowledgeBase for articles listed by product and version.
