
Release Notes
McAfee Application Control 8.0.0

• About this release
• New features
• Installation instructions
• Resolved issues
• Known issues
• Find product documentation
  ◦ Product documentation

About this release

This document contains important information about the current release. We recommend that you read the whole document.

This McAfee® Application Control release is available only for the Windows platform and includes:

• Solidcore extension 8.0.0–182

• Solidcore client 8.0.0–651

We have developed this release for use with these McAfee® ePolicy Orchestrator® (McAfee® ePO™) versions:

• 5.1.0–5.1.3

• 5.3.0–5.3.2

New features

Here are the details about the new features included in this release.

Protection from fileless malware and script-based attacks

With this release, you can define additional execution control attribute-based rules for files in your setup to protect against fileless malware and script-based attacks. Application Control performs multiple checks to determine whether to allow or block a file's execution. If the Application Control checks allow a file's execution, these rules, if any are defined, are then applied. The rules are based on the concept of fine-grained whitelisting and are built from the attributes of a file. You can define specific rules using one or more attributes of the file to allow, block, or monitor the file.

• Context-based allowing or blocking of files — On a protected system, only whitelisted interpreters are allowed to execute. But, in certain scenarios, whitelisted interpreters might be misused to execute malicious scripts. For example, powershell.exe can be used to execute unsolidified scripts, and to execute fileless scripts, by invoking it with atypical input arguments. You can prevent misuse of interpreters by defining attribute-based rules that block such potentially malicious scenarios.

• Flexibility and control — Attribute-based rules provide the flexibility to allow or block file execution, as needed. You might need to block a user from running a specific file. If an administrator wants to block the execution of powershell.exe for a specific user, a rule can be added to prevent its execution by that user, while other users in your setup can still execute powershell.exe. You can achieve such scenarios using attribute-based rules.

Similarly, you might choose to block execution of a certain file in your setup completely, except when it is run by a specific parent process. You can achieve this by creating a generic block rule and a parent process-based allow rule for the file. Because the allow rule has precedence over the block rule, it overrides the block rule when applied.

Or, you might choose to only observe or monitor a file to determine its execution in your setup. To do this, you can define a monitor rule for the file.


Support for AND to combine rules

For enhanced security, Application Control now supports the AND operator to combine rules. When defining attribute-based or execution control rules, you can use the AND operator to combine rules based on different attributes.
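To make the rule semantics described above concrete, here is an added example that is not McAfee code and does not use the product's rule format: a simplified Python model in which the attributes of one rule are AND-ed, paths accept the * and ? wildcards, an allow rule overrides a block rule, and a monitor rule only observes. All paths, user names and parent processes in it are constructed sample values.

```python
# Added illustration of attribute-based rule evaluation (not McAfee's code or
# rule format). Attributes within a rule are AND-ed, * and ? are wildcards,
# allow takes precedence over block, and monitor only observes.
from dataclasses import dataclass, field
from fnmatch import fnmatch


@dataclass(frozen=True)
class Execution:
    path: str      # full path of the file being executed
    user: str      # account launching it
    parent: str    # full path of the parent process


@dataclass
class Rule:
    action: str                                 # "allow", "block" or "monitor"
    attrs: dict = field(default_factory=dict)   # attribute name -> wildcard pattern

    def matches(self, ev: Execution) -> bool:
        # Every attribute pattern must match (AND); comparison is case-insensitive.
        return all(fnmatch(getattr(ev, name).lower(), pattern.lower())
                   for name, pattern in self.attrs.items())


def evaluate(policy, ev):
    """Return (decision, monitored) for an execution that already passed the
    whitelist checks. Allow overrides block; if no allow/block rule matches,
    the whitelist decision (allow) stands. Monitor rules never block."""
    matched = [r for r in policy if r.matches(ev)]
    monitored = any(r.action == "monitor" for r in matched)
    if any(r.action == "allow" for r in matched):
        return "allow", monitored
    if any(r.action == "block" for r in matched):
        return "block", monitored
    return "allow", monitored


# Constructed sample policy mirroring the scenarios in the release notes.
POLICY = [
    # Block powershell.exe for one user only; other users are unaffected.
    Rule("block", {"path": "*\\powershell.exe", "user": "corp\\contractor"}),
    # Block deploy.exe everywhere ...
    Rule("block", {"path": "C:\\Tools\\deploy.exe"}),
    # ... except when launched by the deployment agent (allow wins over block).
    Rule("allow", {"path": "C:\\Tools\\deploy.exe", "parent": "*\\deploy-agent.exe"}),
    # Only observe cscript.exe executions.
    Rule("monitor", {"path": "*\\cscript.exe"}),
]
```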

CASP support for 64-bit

Application Control now provides Critical Address Space Protection (CASP) on 64-bit operating systems. CASP is a memory-protection technique that renders useless any shellcode running from the non-code area. Code running from the non-code area is an abnormal event that usually happens because a buffer overflow is exploited.

SHA-256 support

Application Control now supports file SHA-256 values for various workflows (Windows platform) in addition to SHA-1 and MD5. If you upgrade from an earlier version, you must fetch the inventory to view the SHA-256 values on the McAfee ePO console.

Multiple wildcard character support

In this release, we have simplified rule creation and management by providing multiple wildcard character support. Paths can include the * and ? wildcard characters to specify file paths and file names. You can use wildcards when defining rules for trusted directories and updaters.

Notifications for CLI breach attempt

Starting with the 8.0.0 release, you can configure Application Control to notify the administrator of any unsuccessful attempts to recover the CLI on the endpoint. In case any attempt is made to breach security, the CLI should be immediately disabled to thwart the attempt.

Inventory fetch optimization

With this release, we have enhanced the inventory fetch workflows. For Application Control, the minimum interval between consecutive inventory fetch runs is set to seven days by default. This implies that for an endpoint you can pull the complete inventory once a week. Starting with the 8.0.0 release, if less than seven days have passed since the last inventory fetch, only inventory updates are fetched. If more than seven days have passed since the last inventory fetch, complete inventory details are fetched.

Note: For releases 7.0.1 and earlier, if inventory for the endpoint was fetched in the last seven days, the client task fails.

Corrupt inventory fallback

In this release, we have added local whitelist backup support to Application Control. Application Control maintains a backup of the local whitelist (inventory) for endpoints. This allows users to recover a corrupted inventory without resolidifying the endpoint in most cases. If the internal inventory for an endpoint is corrupt, Application Control tries to recover the inventory from the backup copy. It also generates a Recovered Inventory event on success and an Unable to Recover Inventory event on failure. For more information, see KB88222.

Installer detection enhancements

In the 8.0.0 release, we have enhanced Application Control heuristics for detecting installers. As a result, Application Control can detect more installers with improved efficacy. These enhancements also help reduce the number of false positives detected. For example, because of the enhanced heuristics we can now easily detect winrar-x64-50b6.exe and BullseyeCoverage-8.3.3-Windows.exe.

User comments support

You can now record additional information for an event or request on the Solidcore Events or Policy Discovery page, respectively. If needed, you can filter events and requests based on specified comments.

Installation instructions

Here is information specific to the 8.0.0 release for installation and upgrade.

System requirements

To review system requirements for this release, see the McAfee KnowledgeBase article KB73341.

Supported platforms

This release is available for Microsoft Windows 7 and later platforms. This release is unavailable on the Microsoft Windows Vista platform.

Supported McAfee ePO versions


Installation and upgrade of Solidcore extension 8.0.0 is supported on McAfee ePO versions 5.1.0–5.1.3 and 5.3.0–5.3.2.

Supported McAfee Agent versions

This release supports McAfee Agent versions 5.0.3 and later. Installation or upgrade of the Solidcore client on earlier McAfee Agent versions fails.

Supported TIE/DXL versions

To review supported TIE/DXL versions for this release, see the McAfee KnowledgeBase article KB88183.

Upgrade support

Solidcore extension

This release supports upgrading from these Solidcore extension versions:

• 6.0.0, 6.0.1

• 6.1.0, 6.1.1, 6.1.2, 6.1.3, 6.1.4

• 6.2.0

• 7.0.0

• 7.0.1

Note: When you upgrade the Solidcore extension, you should not make any changes to existing rules and configuration until the Solidcore: Migration server task completes. Also, when upgrading to the Solidcore 8.0.0 extension, the migration task can take longer than usual. Depending on the volume of inventory data in your environment, the task can take a few hours or a day to complete. For more information, see KB84651.

If you are upgrading the Solidcore extension from 6.0.0 or a later release that is earlier than 6.1.2-150, you must follow these steps.

1 Upgrade Solidcore extension to any version between 6.1.2-150 and 6.2.0.

2 Upgrade McAfee ePO to 5.1.0 or later.

3 Upgrade Solidcore extension from any version between 6.1.2-150 and 6.2.0 to the 8.0.0 release.

Solidcore client

This release supports upgrading from these Solidcore client versions:

• 6.1.0, 6.1.1, 6.1.2, 6.1.3

• 6.2.0

• 7.0.0

• 7.0.1

Important: If you are upgrading the Solidcore client from an older release, you must first upgrade to the 6.1.0 release, then to the 8.0.0 release.

Resolved issues

The current release of the product resolved these issues. For a list of issues fixed in earlier releases, see the Release Notes for the specific release.

Solidcore extension


Solidcore version | Hotfix build number | Description | Issue #
All (earlier than 8.0.0) | N/A | Application Control policies take several minutes to open and save. | 1145395
All (earlier than 8.0.0) | N/A | Unable to view Application Control help content on the McAfee ePO console. | 1152557
All (earlier than 8.0.0) | N/A | When you upgrade the Solidcore extension version to 7.0.1-156 or later, rules are not synchronized in contained policies. | 1161036
7.0.1 | N/A | The Threat Event Log page on the McAfee ePO console erroneously displays only Solidcore threat events. | 1131058

Solidcore client

Solidcore version | Operating system | Hotfix build number | Description | Issue #
7.0.0, 7.0.1 | Windows all | 7.0.0-688, 7.0.1-275 | On a system running Windows 8 or Windows 10 where Japanese locale is set, discrepancies are observed for the Write Denied event between the Windows Event Viewer and the solidcore.log file. | 1133908
7.0.0, 7.0.1 | Windows all | 7.0.0-688, 7.0.1-275 | On a system running Application Control where Japanese locale is set, the EULA is unreadable. | 1143719
7.0.0, 7.0.1 | Windows all | 7.0.1-275 | On a protected system running the 7.0.0-666 build, high CPU usage and performance degradation is observed. | 1151097
7.0.0, 7.0.1 | Windows all | 7.0.1-275 | After you upgrade existing products, such as McAfee Agent, Data Loss Prevention, VirusScan Enterprise, and Application Control on a system, the system crashes. | 1155093


7.0.0, 7.0.1 | Windows 8 or later | 7.0.1-275 | When Application Control is deployed, although a PS1 script is assigned updater privileges, it isn't working as expected. | 1155568
7.0.0, 7.0.1 | Windows 10 | N/A | On a system where Application Control is enabled, when you execute Windows update, error 0x80075b4 is observed. | 1142789
7.0.1 | Windows 8 or later | 7.0.1-275 | On a protected 64-bit system running Windows 8 or later, 32-bit interpreters crash when the script-as-updater feature is enabled. | 1152477
7.0.1 | Windows 8 or later | 7.0.1-275 | Updater privileges are erroneously not revoked from a script file when it is executed by an interpreter. | 1154252, 1161842

Known issues

For a list of known issues in this product release, see this McAfee KnowledgeBase article: KB87839.

Find product documentation

On the ServicePortal, you can find information about a released product, including product documentation, technical articles, and more.

Task

1 Go to the ServicePortal at https://support.mcafee.com and click the Knowledge Center tab.

2 In the Knowledge Base pane under Content Source, click Product Documentation.

3 Select a product and version, then click Search to display a list of documents.

Product documentation

Every McAfee product has a comprehensive set of documentation.

Document | Configuration | Description
McAfee Change Control and McAfee Application Control 8.0.0 Product Guide | Managed | Information to help you configure, use, and maintain the product.
McAfee Change Control and McAfee Application Control 8.0.0 Help | Managed | Information to help you configure, use, and maintain the product. Also includes context-sensitive Help for all product-specific interface pages and options in McAfee ePO.


McAfee Change Control and McAfee Application Control 8.0.0 Installation Guide | Managed | Information to help you install, upgrade, and uninstall the product.
McAfee Application Control 8.0.0 Product Guide | Standalone | Information to help you use and maintain the product.
McAfee Change Control and McAfee Application Control 8.0.0 Installation Guide | Standalone | Information to help you install, upgrade, and uninstall the product.
McAfee Application Control 8.0.0 Command Line Interface Guide | Standalone | All Application Control commands that are available when using the command line interface (CLI).

© 2016 Intel Corporation

Intel and the Intel logo are trademarks/registered trademarks of Intel Corporation. McAfee and the McAfee logo are trademarks/registered trademarks of McAfee, Inc. Other names and brands may be claimed as the property of others.