Linux Product Guide
(McAfee ePolicy Orchestrator)
COPYRIGHT
Copyright © 2018 McAfee, LLC
TRADEMARK ATTRIBUTIONS
McAfee and the McAfee logo, McAfee Active Protection, ePolicy Orchestrator, McAfee ePO, McAfee EMM, Foundstone, McAfee LiveSafe, McAfee QuickClean, Safe Eyes,
McAfee SECURE, SecureOS, McAfee Shredder, SiteAdvisor, McAfee Stinger, True Key, TrustedSource, VirusScan are trademarks or registered trademarks of McAfee,
LLC or its subsidiaries in the US and other countries. Other marks and brands may be claimed as the property of others.
LICENSE INFORMATION
License Agreement
NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE
GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE
CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR SOFTWARE PACKAGING OR THAT YOU HAVE
RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU
DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF
APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND.
1 Product Overview
Overview of Change Control
Key features of Change Control
How Change Control works
Change Control components
Exclude events
Managing dashboards
Managing queries
View queries
A Feature availability
Contents
Overview of Change Control
How Change Control works
Change Control components
Real-time monitoring
The software provides real-time monitoring for file changes. This eliminates the need to perform multiple scans
on endpoints and identifies change violations.
• Who made it
Customizable filters
You can use filters to choose what changes are registered in the database. You can match the file name,
directory name, process name, file extension, and user name.
• Exclude filters to ignore information about events matching the specified filtering criteria.
Read protection
Read protection rules prevent users from reading the content of specified files, directories, and volumes. If a
directory or volume is read-protected, all files in the directory or volume are also read-protected. Subdirectories
inherit read protection rules.
Write protection
Use write protection rules to prevent users from creating and changing files and directories, protecting them
from unanticipated updates.
1 A system user tries to change a file or registry on a managed system where Change Control and McAfee
Agent are installed.
2 The Change Control software on the managed system recognizes the attempted change and uses the
McAfee Agent to send a Change Control event to McAfee ePO.
3 Change Control analyzes the rules and policies enforced on the endpoint, and allows or blocks the change.
The administrator manages these rules and policies through McAfee ePO.
4 Read protection or write protection is enforced and the user’s change attempt is approved or denied.
5 The Change Control database logs the file or registry change attempt and local user account information.
• Monitor and prevent changes to the file system and user accounts.
• View details of who made changes, which files were changed, what changes were made to the files, and
when and how the changes were made.
Contents
Change Control modes
Enable Change Control
Enabled: Indicates that the software is in effect and changes are monitored and controlled on the endpoints
according to the defined policies. In Enabled mode, Change Control monitors and protects files and registry keys
as defined by the configured policies. Enabled mode is the recommended mode of operation.
From Enabled mode, you can switch to Disabled or Update mode.
Update: Indicates that the software is in effect, allows ad-hoc changes to the endpoints, and tracks the changes
made to the endpoints. Use Update mode to perform scheduled or emergency changes, such as software and patch
installations.
In Enabled mode, you cannot read the read-protected files or change any write-protected files (according to the
defined policies). But, in Update mode, all read and write protection that is in effect is overridden. Use Update
mode to define a change window during which you can make changes to endpoints and authorize the changes.
From Update mode, you can switch to Enabled or Disabled mode. Switch to Enabled mode when the changes are
complete.
Disabled: Indicates that the software is not in effect. Although the software is installed, the associated features
are not active. When you place the endpoints in Disabled mode, the application restarts the endpoints.
From Disabled mode, you can switch to Enabled or Update mode.
Task
• Endpoint — Select the endpoint and click Actions | Agent | Modify Tasks on a Single System.
3 Click Actions | New Client Task Assignment to open the Client Task Assignment Builder page.
4 Select Solidcore 8.1.0 | SC: Enable, then click Create New Task to open the Client Task Catalog page.
• Specify the task name and add any descriptive information.
• Select the platform and subplatform, then make sure that Change Control is selected.
5 Click Save, then click Next to open the Schedule page. Specify scheduling details, then click Next.
7 (Optional) Wake up the agent to send your client task to the endpoint immediately.
Contents
What are rule groups?
Permissions for rule configuration
Managing rule groups
Rule groups can drastically reduce the effort required to define similar rules across policies. If you have a large
setup and you are deploying the software across numerous endpoints, use rule groups to minimize the
deployment time and effort.
Users who don't own a rule group can only view the rule group and its policy assignments, duplicate the rule
group, and add the rule group to policies. But, if the owner or the McAfee ePO administrator updates a rule in
the rule group, the change cascades across all associated McAfee ePO policies.
You can assign one of these permissions for the Rule Groups page. By default, the McAfee ePO administrator has
edit permissions for all pages.
Permission Details
No permissions: Indicates that the page is not visible to the user. For example, if no permissions are granted to
a user for the Rule Groups page, the tab isn't visible from the Solidcore Rules and Policy Catalog (rule group
assignments) pages. Also, the user inherits no permissions on the Updater Processes, Users, and Filters tabs.
View permissions: Indicates that the page is visible to the user, but the user can't perform changes. For example,
if view permissions are granted to a user for the Rule Groups page, the tab is visible from the Solidcore Rules and
Policy Catalog (rule group assignments) pages. While the user can view rule group information and check
assignments, the user is not allowed to edit, duplicate, or add rule groups.
Edit permissions: Indicates that the tab is visible and the user can perform all actions available on the page. For
example, if edit permissions are granted to a user on the Rule Groups page, the page is visible from the Solidcore
Rules and Policy Catalog (rule group assignments) pages and the user is allowed to perform all operations.
When No Permissions or View Permissions are granted to a user, certain actions might not be available.
Task
1 On the McAfee ePO console, select Menu | Configuration | Solidcore Rules.
• Select Change Control to view or define a rule group for preventing unauthorized changes on critical
resources.
d Click OK.
The rule group is created and listed on the Rule Groups page.
Task
1 On the McAfee ePO console, select Menu | Configuration | Solidcore Rules.
2 On the Rule Groups tab in the Owners column, click the owner for a rule group to open the Rule Group Ownership
page.
3 Change the default ownership by selecting or deselecting users listed on the page.
4 Click Save.
Changes made to owners are reflected in the Owners column for the selected rule group.
Task
1 On the McAfee ePO console, select Menu | User Management | Permission Sets.
4 Select the users you want to assign the permission set to.
The level of permissions that you specify in the permission set is granted to the user. When multiple
permission sets are applied to a user account, they aggregate. Consider this as you plan your strategy for
granting permissions to the users in your environment.
5 Click Save.
8 Grant permissions selectively for the tabs (Updater Processes, Users, and Filters) contained in rule group and
policy pages, as needed.
This is based on the permissions the user has on the Rule Groups page. For information, see Permissions for
rule configuration.
9 Click Save.
Task
1 On the McAfee ePO console, select Menu | Configuration | Solidcore Rules.
• To delete a rule group, click Delete and click Yes to close the Delete Rule Group dialog box.
If you are the owner of the rule group or the global administrator, you can import the rule group XML file to the
target McAfee ePO server. But, if you are a non-global administrator, you can import rules only for the tabs where
you have permissions. All other rules are not imported and details are available on the Server Task Log page.
Also, when you import rule groups to a (target) McAfee ePO server, the user logged on to the McAfee ePO
server becomes the owner of the imported rule group. When you export rule groups from a source McAfee ePO
server, the owner information is not exported.
When importing or exporting rule groups with Trusted Groups, make sure that the Active Directory server on the
source and destination McAfee ePO servers is configured using the same domain name, server name, or IP
address.
You can import or export rule groups using the McAfee ePO console or web service APIs.
Tasks
• Use the McAfee ePO console on page 15
Based on your setup, you can import or export rule groups using the McAfee ePO console.
• Use web service APIs on page 15
Based on your setup, you can import or export rule groups using web service APIs provided by
Application Control and Change Control.
Task
• To export selected rule groups to an XML file, select the rule groups, click Export, and save the file.
Task
1 Open the command prompt, then navigate to this directory.
<ePO installation directory>\Remote-Client\
For example, C:\Program Files\McAfee\ePolicy Orchestrator\Remote-Client\
Task
1 On the McAfee ePO console, select Menu | Configuration | Solidcore Rules.
2 On the Rule Groups tab, click Assignments to view the policies to which the selected rule group is assigned.
Contents
How monitoring rules work
Defining monitoring rules
Review predefined monitoring rules
Create monitoring policies
Settings for tracking content change
Configure settings for tracking content changes
Track content changes
Manage file versions
Compare files
• Offline
Path considerations
These considerations apply to path-based rules.
• Paths must be absolute when specifying rules to monitor files and directories.
• Paths are not required to be absolute when specifying rules to monitor program activity. You can specify the
partial path or fully qualified path. If you specify the partial path, all programs with names that match the
specified string are monitored. If you specify the fully qualified path, activity is monitored for only the
specified program.
• Paths can include the wildcard character (*). But, it can only represent one complete path component. Here
are a few examples.
• Using /abc/*/def is allowed while /abc/*.sh, /abc/*.*, or /abc/doc.* is not supported.
You cannot use the wildcard character while defining a rule to track content and attribute changes for a file.
Monitoring rules
You can perform these actions when creating or changing a monitoring policy or rule group.
Action Steps
Monitor files and directories:
1 Click Add on the File tab. The Add File dialog box appears.
2 Specify the file or directory name.
4 (Optional) To track content and attribute changes for a file, select Enable Content Change Tracking and specify
the other options. For more information, see Track content changes.
5 Click OK.
Monitor specific file types:
1 Click Add on the Extension tab to open the Add Extension dialog box.
2 Type the file extension. Don't include the period (dot) in the extension. For example, log.
3 Indicate whether to include for or exclude from monitoring and click OK.
Monitor program activity (in effect, choose to track or not track all file changes made by a program):
1 Click Add on the Program tab to open the Add Program dialog box.
2 Enter the name or full path of the program.
3 Indicate whether to include for or exclude from monitoring and click OK.
Specify the users to exclude from monitoring (in effect, all changes made by the specified user are not tracked):
1 Click Add on the User tab to open the Add User dialog box.
2 Specify the user name.
3 Click OK.
Specify advanced exclusion filters for events:
1 Click Add Rule on the Filters tab to add a new filter row.
2 Edit the settings to specify the filter.
3 Click + or Add Rule to specify additional AND or OR conditions.
Task
4 Select a rule group in the Rule Groups pane to review the filters included in the rule group.
To override any rules included in the Minimal System Monitoring policy, you can duplicate the relevant rule group
(in which the required rules are present), edit the rule group to add the new rules, and add the rule group to a
policy. For most other purposes, make sure that the Minimal System Monitoring policy is applied on the endpoints
and extra rules are applied by using a separate policy.
5 Click Cancel.
Task
1 On the McAfee ePO console, select Menu | Policy | Policy Catalog.
3 Click New Policy to open the Create a new policy dialog box and select the category.
4 Select Blank Template from Create a policy based on this existing policy list to define a policy from scratch, specify
the policy name, then click OK.
c Click OK.
7 Add the monitoring rules to the policy, then save the policy.
Setting Description
Maximum file size: By default, you can track changes for any file with a size of 1000 KB or lower. You can also
configure the maximum file size for tracking content changes. Changing the maximum file size affects the McAfee
ePO database sizing requirements and might have an impact on performance.
File extensions for which to track only attribute changes: For executable files, the content change tracking
feature tracks only attributes (content changes are not tracked). By default, only attribute changes are tracked
for these extensions: zip, tar, bz2, tiff, bmp, gz, jpg, sys, 7z, bz, exe, png, pdf, tgz, gif, jar, rar, dll.
You can edit the list to specify file extensions specific to your setup for which to track only attribute changes.
Task
1 On the McAfee ePO console, select Menu | Policy | Policy Catalog.
3 In the Configuration (Client) category, click Duplicate for the McAfee Default policy.
Task
1 Navigate to the File tab.
You cannot track changes for network files (files placed on network paths).
6 Click OK.
Task
1 On the McAfee ePO console, select Menu | Reporting | Content Change Tracking.
All files for which content change tracking is enabled are listed.
• Sort the list based on the system name, file path, or status.
To do this... Do this...
Review the file status: The File Status column denotes the status of content change tracking.
Review versions: Click View versions. The File Versions page displays all versions for the file. From this page you
can compare file versions, specify the base version, and delete file versions from the McAfee ePO database.
Compare the file versions:
1 Specify what to compare.
• Click Compare with previous for a version to compare that version with the previous version of the file
available on the McAfee ePO console.
• Click Compare with base for a version to compare that version with the base version.
• Select any two versions (by clicking the associated checkboxes), then select Actions | Compare Files to
compare the selected versions.
The versions are compared and differences between the file content and file attributes are displayed.
2 Click Close.
Reset the base version:
1 Select a file version to set as the base version by clicking the associated checkbox.
2 Select Actions | Set as base version to open the Set as base version dialog box.
3 Click OK. This resets the base version and deletes all previous versions (older than the new base version) of
the file.
The software can track up to 200 versions for a file. If the number of versions exceeds 200, the application
deletes the oldest versions to bring the version count to 200. Then, it automatically sets the oldest version as
the base version. If needed, you can configure the number of versions to maintain for a file. Contact McAfee
Support for assistance in configuring the number of versions to maintain for a file.
Delete file versions: Deleting file versions removes the selected file versions from the McAfee ePO database. It
does not change or remove the actual file present on the endpoint.
1 Select one or more file versions by clicking the associated checkboxes.
4 Click Close.
Compare files
You can compare two files or two versions of a single file. You can compare files or versions on the same
endpoint or on different endpoints.
Task
1 On the McAfee ePO console, select Menu | Reporting | Content Change Tracking.
7 Click Close.
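The following is an added example, not McAfee's code, that models the content change tracking behaviour described in the settings table and the file-version tasks above: the 1000 KB default size limit, the attribute-only extension list, the 200-version cap under which the oldest surviving version becomes the base, resetting the base, deleting versions, and comparing two versions by content and attributes. The version record layout, the attribute names, the class and function names, and the treatment of files over the size limit as attribute-only are assumptions; the sample history is constructed.

```python
# Added example, not McAfee code: a model of the content change tracking
# settings and limits. The version record layout, the attribute set and
# the handling of oversize files are assumptions.
import difflib
import os
from typing import Dict, List, Optional, Tuple

MAX_FILE_KB = 1000          # default upper bound for content tracking
MAX_VERSIONS = 200          # default number of versions kept per file
ATTRIBUTE_ONLY_EXTENSIONS = {
    "zip", "tar", "bz2", "tiff", "bmp", "gz", "jpg", "sys", "7z", "bz",
    "exe", "png", "pdf", "tgz", "gif", "jar", "rar", "dll",
}


def tracking_mode(path: str, size_bytes: int, max_kb: int = MAX_FILE_KB,
                  attribute_only=ATTRIBUTE_ONLY_EXTENSIONS) -> str:
    """'content' when content and attributes are captured, 'attributes'
    when only attribute changes are. Files over the size limit are treated
    as attribute-only here (assumption: the guide only states the limit)."""
    ext = os.path.splitext(path)[1].lstrip(".").lower()
    if ext in attribute_only or size_bytes > max_kb * 1024:
        return "attributes"
    return "content"


class FileVersions:
    """Version history of one tracked file; versions[0] is the base version."""

    def __init__(self, max_versions: int = MAX_VERSIONS) -> None:
        self.max_versions = max_versions
        self.versions: List[Dict] = []
        self._next = 1

    def add(self, content: Optional[str], attrs: Dict[str, str]) -> int:
        """Record a new version (content is None for attribute-only files).
        When the cap is exceeded the oldest versions are dropped, so the
        oldest survivor automatically becomes the base version."""
        self.versions.append({"version": self._next, "content": content, "attrs": dict(attrs)})
        self._next += 1
        while len(self.versions) > self.max_versions:
            self.versions.pop(0)
        return self.versions[-1]["version"]

    @property
    def base(self) -> Dict:
        return self.versions[0]

    def set_base(self, version: int) -> None:
        """Make `version` the base and delete every version older than it."""
        idx = next(i for i, v in enumerate(self.versions) if v["version"] == version)
        del self.versions[:idx]

    def delete(self, version_numbers) -> None:
        """Remove versions from the store; the file on the endpoint is untouched."""
        drop = set(version_numbers)
        self.versions = [v for v in self.versions if v["version"] not in drop]


def compare(a: Dict, b: Dict) -> Tuple[List[str], Dict[str, Tuple]]:
    """Diff two version records: unified content diff plus changed attributes."""
    content_diff: List[str] = []
    if a["content"] is not None and b["content"] is not None:
        content_diff = list(difflib.unified_diff(
            a["content"].splitlines(), b["content"].splitlines(),
            f"v{a['version']}", f"v{b['version']}", lineterm=""))
    keys = set(a["attrs"]) | set(b["attrs"])
    attr_diff = {k: (a["attrs"].get(k), b["attrs"].get(k))
                 for k in sorted(keys) if a["attrs"].get(k) != b["attrs"].get(k)}
    return content_diff, attr_diff


def build_demo_history(cap: int = 5) -> FileVersions:
    """Constructed history: seven captures of sshd_config under a cap of 5,
    the last one loosening the file mode and enabling root logon."""
    fv = FileVersions(max_versions=cap)
    for _ in range(6):
        fv.add("PermitRootLogin no\nPasswordAuthentication no\n",
               {"mode": "0600", "owner": "root"})
    fv.add("PermitRootLogin yes\nPasswordAuthentication no\n",
           {"mode": "0644", "owner": "root"})
    return fv


if __name__ == "__main__":
    history = build_demo_history()
    diff, attrs = compare(history.base, history.versions[-1])
    print("\n".join(diff))
    print(attrs)
```

With a cap of 5, the seven captures leave versions 3 to 7 and version 3 becomes the base, which is the behaviour to keep in mind when sizing the database: anything older than the base is gone from McAfee ePO, so evidence of a change that happened more than 200 captures ago has to come from the event log, not from the version store.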
Contents
How protection rules work
Define protection rules
Create a protection policy
Enable read protection
Read protection rules: Prevent users from reading the content of specified files, directories, and volumes. When a
directory is read-protected, all files in the directory are read-protected. Any unauthorized attempt to read data
from protected files is prevented and an event is generated. Writing to read-protected files is allowed.
Write protection rules: Prevent users from creating files (including directories and registry keys) and changing
existing files and directories.
• Define write protection rules for files and directories to protect them from unauthorized changes. Only protect
critical files. When a directory is included for write protection, all files in that directory and its subdirectories
are write protected.
• Specify programs that are permitted to selectively override the read or write protection.
• Specify users who can selectively override the read or write protection.
Path considerations
These considerations apply to path-based rules.
• Paths must be absolute when specifying rules to read-protect or write-protect files and directories.
• Paths need not be absolute when specifying rules to add a trusted program or updater. If you specify the
partial path, all programs with names that match the specified string are added as trusted programs. If you
specify the fully qualified path, only the specified program is added as a trusted program.
• Paths can include the wildcard characters to specify file paths and file names. When using wildcards, ensure
that specified string matches a limited set of file paths or file names. If the specified string matches many
files, we recommend you revise the string.
• Paths can include the * wildcard character. Using /abc/*/def is allowed while /abc/*.sh, /abc/*.*,
or /abc/doc.* isn't supported.
Task
b Specify the file or directory name and indicate whether to include or exclude from read protection.
c Click OK.
b Specify the file or directory name and indicate whether to include or exclude from write protection.
c Click OK.
3 Specify trusted programs permitted to override the read and write protection rules:
a Click Add on the Updater Processes tab. The Add Updater dialog box appears.
• Select Parent to allow the file to run as an updater only if it is started by the specified parent. For
example, when configuring updater.sh as an updater to allow changes to Mozilla Firefox, specify
firefox as the parent. Although updater.sh is a generic name that can be part of any installed
application, using the parent makes sure that only the correct program is allowed to run as an
updater.
e Indicate whether to disable inheritance for the updater. For example, if Process A (that is set as an
updater) starts Process B, disabling inheritance for Process A makes sure that Process B does not
become an updater.
f Indicate whether to suppress events generated for the actions performed by the updater. Typically, when
an updater changes a protected file, a File Modified event is generated for the file. If you select this
option, no events are generated for changes made by the updater.
g Click OK.
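The following is an added example, not McAfee's code, that models how the rules described in the Path considerations sections (both the monitoring and the protection chapter) and in the updater steps above combine into an allow or deny decision: absolute rule paths with `*` standing for exactly one complete component, directory rules covering everything beneath them, updaters matched by bare name or full path, the Parent constraint, disabled inheritance, event suppression, trusted users, and the Update and Disabled modes. The class names, the process model, the `*_DENIED` event name and the omission of exclude-from-protection entries are assumptions; the sample policy and processes are constructed.

```python
# Added example, not McAfee code: a model of how Change Control's path rules,
# updater processes and trusted users decide a read or write attempt.
# Class names, the process model and the *_DENIED event names are assumptions.
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


def is_valid_rule_path(path: str) -> bool:
    """Documented constraints for file/directory rules: the path must be
    absolute, and '*' may only stand for one complete path component
    (/abc/*/def is fine; /abc/*.sh, /abc/*.* and /abc/doc.* are not)."""
    if not path.startswith("/"):
        return False
    return all(comp == "*" or "*" not in comp for comp in path.split("/"))


def path_matches(rule: str, target: str) -> bool:
    """True when target is the rule path or lies beneath it: a rule on a
    directory covers every file in it and in its subdirectories.
    '*' matches exactly one component, never a partial name."""
    if not is_valid_rule_path(rule):
        raise ValueError(f"unsupported rule path: {rule!r}")
    r = [c for c in rule.split("/") if c]
    t = [c for c in target.split("/") if c]
    if len(t) < len(r):
        return False
    return all(rc == "*" or rc == tc for rc, tc in zip(r, t))


def program_matches(spec: str, program_path: str) -> bool:
    """Updater rules need not be absolute: a bare name matches every
    program with that name, a full path only that program."""
    if spec.startswith("/"):
        return spec == program_path
    return spec == program_path.rsplit("/", 1)[-1]


@dataclass
class Updater:
    program: str                     # bare name or full path
    parent: Optional[str] = None     # only an updater when started by this parent
    inherit: bool = True             # children of the updater are updaters too
    suppress_events: bool = False    # do not log changes made by the updater


@dataclass
class Process:
    path: str
    parent: Optional["Process"] = None


@dataclass
class Policy:
    mode: str = "Enabled"                      # Enabled, Update or Disabled
    read_protect: List[str] = field(default_factory=list)
    write_protect: List[str] = field(default_factory=list)
    updaters: List[Updater] = field(default_factory=list)
    trusted_users: Set[str] = field(default_factory=set)


def updater_for(policy: Policy, proc: Process) -> Optional[Updater]:
    """An updater rule applies to proc if the program matches and the parent
    constraint (if any) holds; otherwise proc inherits updater status from
    the nearest updater ancestor whose inheritance is not disabled."""
    for u in policy.updaters:
        if program_matches(u.program, proc.path) and (
            u.parent is None
            or (proc.parent is not None and program_matches(u.parent, proc.parent.path))
        ):
            return u
    if proc.parent is not None:
        inherited = updater_for(policy, proc.parent)
        if inherited is not None and inherited.inherit:
            return inherited
    return None


def evaluate(policy: Policy, op: str, path: str, user: str,
             proc: Process) -> Tuple[bool, Optional[str]]:
    """Decide a 'read' or 'write' attempt. Returns (allowed, event)."""
    rules = policy.read_protect if op == "read" else policy.write_protect
    if policy.mode == "Disabled" or not any(path_matches(r, path) for r in rules):
        return True, None                       # nothing is enforced on this path
    change_event = "FILE_MODIFIED" if op == "write" else None
    if policy.mode == "Update" or user in policy.trusted_users:
        return True, change_event               # protection overridden, change still tracked
    u = updater_for(policy, proc)
    if u is not None:
        return True, None if u.suppress_events else change_event
    return False, f"{op.upper()}_DENIED"        # hypothetical name for the violation event


def demo() -> List[Tuple[bool, Optional[str]]]:
    policy = Policy(
        read_protect=["/etc/app/secrets"],
        write_protect=["/opt/app/*/bin"],
        updaters=[Updater("updater.sh", parent="firefox", inherit=False)],
        trusted_users={"deploy"},
    )
    firefox = Process("/usr/lib/firefox/firefox")
    legit = Process("/usr/lib/firefox/updater.sh", parent=firefox)
    child = Process("/bin/cp", parent=legit)                          # inheritance disabled
    rogue = Process("/tmp/updater.sh", parent=Process("/bin/bash"))   # wrong parent
    editor = Process("/usr/bin/vi")
    return [
        evaluate(policy, "write", "/opt/app/v2/bin/app", "alice", editor),
        evaluate(policy, "write", "/opt/app/v2/bin/app", "alice", legit),
        evaluate(policy, "write", "/opt/app/v2/bin/app", "alice", child),
        evaluate(policy, "write", "/opt/app/v2/bin/app", "alice", rogue),
        evaluate(policy, "write", "/opt/app/v2/v3/bin/app", "alice", editor),
        evaluate(policy, "read", "/etc/app/secrets/key.pem", "deploy", editor),
        evaluate(policy, "write", "/etc/app/secrets/key.pem", "alice", editor),
    ]
```

Two of the cases are the ones worth checking in a real policy: the copy of `updater.sh` under `/tmp` is refused because its parent is not firefox, which is exactly what the Parent option buys you over a bare program name, and the write into `/opt/app/v2/v3/bin` is not protected at all because `*` matches one component only, so a deeper layout needs its own rule.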
Protection rules
You can define protection rules when changing or creating a protection policy or rule group.
Action Steps
Read-protect files and directories:
1 Click Add on the Read-Protect tab. The Add File dialog box appears.
2 Specify the file or directory name.
4 Click OK.
Write-protect files and directories:
1 Click Add on the Write-Protect File tab. The Add File dialog box appears.
2 Specify the file or directory name.
4 Click OK.
Specify trusted programs permitted to override the read and write protection rules:
1 Click Add on the Updater Processes tab. The Add Updater dialog box appears.
2 Enter the location of the file.
3 Enter a unique identification label for the executable file.
Task
1 On the McAfee ePO console, select Menu | Policy | Policy Catalog.
3 Click New Policy to open the Create a new policy dialog box.
5 Select Blank Template from Create a policy based on this existing policy list to define a policy from scratch.
The read-protect feature is disabled by default. To use read protection rules, enable the read-protect feature
for the endpoints.
Task
• Endpoint — Select the endpoint on the Systems page and click Actions | Agent | Modify Tasks on a Single
System.
b Select the Solidcore 8.1.0 product, SC: Run Commands task type, and click Create New Task.
The Client Task Catalog page appears.
4 Select Requires Response if you want to view the status of the commands in Menu | Automation | Solidcore Client
Task Log tab.
5 Click Save.
9 (Optional) Wake up the agent to send your client task to the endpoint immediately.
Contents
Monitoring and reporting
Manage events
View content changes
Exclude events
Managing dashboards
Managing queries
View queries
Manage events
You can review events by specifying the time duration and endpoint details.
Task
2 Specify the time duration by selecting an option from the Time Filter list.
• To add user comments for multiple events, select the events and click Actions | Add Comments.
A site administrator has permission to overwrite user comments that were added by a global administrator.
c Click OK.
c Click Back.
• FILE_DELETED
• FILE_MODIFIED
• FILE_RENAMED
• FILE_ATTR_MODIFIED
• FILE_ATTR_CLEAR
• ACL_MODIFIED
• OWNER_MODIFIED
You can track these events and see the details of the changes.
Task
4 Click Close.
Exclude events
You can define rules to exclude routine system-generated change events not relevant for monitoring or
auditing.
Task
1 On the McAfee ePO console, select Menu | Reporting | Solidcore Events, and select the events to exclude.
3 Select the target platform and the rule group type, then click Next to open the Define Rules page.
5 Add the rules to an existing or new rule group, then click Save.
6 Check that the rule group is added to the relevant policy and the policy is assigned to the endpoints.
Once excluded, similar new events are no longer displayed on the McAfee ePO console. Excluding events
doesn't remove the existing or similar events from the Solidcore Events page.
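The following is an added example, not McAfee's code, showing how exclusion filters of the kind built on the Filters tab (rows combined with AND and OR) behave when run over a batch of change events. The event record layout, the filterable fields (file name, directory, extension, program, user, event type), the condition operators, and the combination rule (AND within a group, OR between groups) are assumptions; the events are constructed, and the event types are the ones listed above.

```python
# Added example, not McAfee code: an exclusion filter evaluated over
# constructed Change Control events. The event record layout, the filter
# fields and the condition operators are assumptions; the combination
# rule (AND within a row group, OR between groups) is an assumption too.
import os
from dataclasses import dataclass
from typing import Callable, Dict, List

OPERATORS: Dict[str, Callable[[str, str], bool]] = {
    "equals": lambda actual, wanted: actual == wanted,
    "starts with": lambda actual, wanted: actual.startswith(wanted),
    "ends with": lambda actual, wanted: actual.endswith(wanted),
    "contains": lambda actual, wanted: wanted in actual,
}


@dataclass(frozen=True)
class Condition:
    field: str      # file_name, directory, extension, program, user or event_type
    op: str         # one of OPERATORS
    value: str


def event_fields(event: Dict[str, str]) -> Dict[str, str]:
    """Derive the filterable fields from an event's path, program, user and type."""
    directory, file_name = os.path.split(event["path"])
    return {
        "file_name": file_name,
        "directory": directory,
        "extension": os.path.splitext(file_name)[1].lstrip("."),
        "program": event["program"],
        "user": event["user"],
        "event_type": event["type"],
    }


def group_matches(group: List[Condition], event: Dict[str, str]) -> bool:
    fields = event_fields(event)
    return all(OPERATORS[c.op](fields[c.field], c.value) for c in group)


def is_excluded(filter_groups: List[List[Condition]], event: Dict[str, str]) -> bool:
    """A group matches when all its conditions hold (AND); any matching group excludes (OR)."""
    return any(group_matches(g, event) for g in filter_groups)


def apply_exclusions(events: List[Dict[str, str]],
                     filter_groups: List[List[Condition]]) -> List[Dict[str, str]]:
    return [e for e in events if not is_excluded(filter_groups, e)]


# Constructed sample events (not captured from a real endpoint).
SAMPLE_EVENTS = [
    {"type": "FILE_MODIFIED", "path": "/var/log/syslog", "program": "/usr/sbin/rsyslogd", "user": "syslog"},
    {"type": "FILE_RENAMED", "path": "/var/log/auth.log", "program": "/usr/sbin/logrotate", "user": "root"},
    {"type": "FILE_MODIFIED", "path": "/etc/passwd", "program": "/usr/sbin/useradd", "user": "root"},
    {"type": "FILE_ATTR_MODIFIED", "path": "/srv/data/db.bak", "program": "/usr/bin/rsync", "user": "backup"},
    {"type": "FILE_MODIFIED", "path": "/srv/data/db.bak", "program": "/usr/bin/rsync", "user": "backup"},
    {"type": "OWNER_MODIFIED", "path": "/var/log/nginx/access.log", "program": "/bin/chown", "user": "alice"},
]

# Routine noise to drop: log rotation under /var/log, the syslog daemon's own
# writes, and attribute touches by the backup account.
EXCLUSION_FILTER = [
    [Condition("directory", "starts with", "/var/log"), Condition("extension", "equals", "log")],
    [Condition("program", "equals", "/usr/sbin/rsyslogd")],
    [Condition("user", "equals", "backup"), Condition("event_type", "equals", "FILE_ATTR_MODIFIED")],
]


def demo() -> List[Dict[str, str]]:
    return apply_exclusions(SAMPLE_EVENTS, EXCLUSION_FILTER)


if __name__ == "__main__":
    for event in demo():
        print(event["type"], event["path"], event["user"])
```

Only the `/etc/passwd` change and the backup account's content change to `db.bak` survive. Note what the first group also swallowed: the `chown` of `/var/log/nginx/access.log` by `alice`, which is not log rotation. A filter keyed on directory and extension alone hides every event under that tree, so pair it with the program or user that legitimately produces the noise, and keep the exclusion for the backup account restricted to the one event type it is expected to generate.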
Managing dashboards
Dashboards are collections of monitors that help you keep an eye on your environment.
Change Control provides these default dashboards.
• Solidcore: Integrity Monitor dashboard allows you to observe the monitored endpoints
• Solidcore: Change Control dashboard helps you keep a check on the protected endpoints
• Solidcore: Health Monitoring dashboard helps you monitor the health of the protected endpoints in your
enterprise
Managing queries
Use the available queries to review information about the endpoints based on the data stored in the McAfee
ePO database.
These Change Control and Health Monitoring queries are available from the McAfee ePO console.
Top 10 Programs with Most Change Events in the Last 7 Days: Displays the top 10 programs with most changes
during the last 7 days. The chart includes a bar for each program and indicates the number of events generated
by each program. The bar chart sorts the data in descending order. Click a bar on the chart to review detailed
information.
Top 10 Systems with Most Change Events in the Last 7 Days: Displays the top 10 systems with the most changes
during the last 7 days. The chart includes a bar for each system and indicates the number of events generated
for each system. The bar chart sorts the data in descending order. Click a bar on the chart to review detailed
information.
Top 10 Systems with Most Violations in the Last 24 Hours: Displays the top 10 systems with the maximum number
of violations in the last 24 hours. The chart includes a bar for each system and indicates the number of
violations for each system. Click a bar on the chart to review detailed information.
Top 10 Systems with Most Violations in the Last 7 Days: Displays the top 10 systems with the maximum number of
violations in the last 7 days. The chart includes a bar for each system and indicates the number of violations
for each system. Click a bar on the chart to review detailed information.
Top 10 Users with Most Change Events in the Last 7 Days: Displays the top 10 users with the most changes during
the last 7 days. The chart includes a bar for each user and indicates the number of events generated by each
user. The bar chart sorts the data in descending order. Click a bar on the chart to review detailed information.
Top 10 Users with Most Violations in the Last 7 Days: Displays the top 10 users with the most policy violation
attempts in the last 7 days. The chart includes a bar for each user and indicates the number of policy violation
attempts for each user. The bar chart sorts the data in descending order. Click a bar on the chart to review
detailed information.
Top 10 Users with Most Violations in the Last 24 Hours: Displays the top 10 users with the most policy violation
attempts in the last 24 hours. The chart includes a bar for each user and indicates the number of policy
violation attempts for each user. The bar chart sorts the data in descending order. Click a bar on the chart to
review detailed information.
View queries
You can view a Change Control or Solidcore Health Monitoring query.
Task
1 On the McAfee ePO console, select Menu | Reporting | Queries & Reports.
2 Select the Change Control or Solidcore Health Monitoring group under McAfee Groups.
Contents
Monitor enterprise health
Review congestion status and trend
Configure notifications
Make emergency changes
Configure CLI breach notifications
Change the CLI password
Place the endpoints in Disabled mode
Purge reporting data
Task
1 Select Menu | Reporting | Dashboards.
2 Select the Solidcore: Health Monitoring dashboard from the Dashboard list.
• Check the Inventory Data Congestion Trend in Last 7 Days monitor to review the weekly trend.
• Check the Observations Data Congestion Trend in Last 7 Days monitor to review the weekly trend.
Configure notifications
You can configure alerts or automatic responses to receive a notification when data congestion begins for your
environment.
To receive a notification when congestion begins for your setup, you can configure an alert for the Data
Congestion Detected event. Similarly, to receive a notification when data is deleted from the McAfee ePO database
to resolve congestion, you can configure an alert for the Clogged Data Deleted event.
Task
1 Select Menu | Automation | Automatic Responses.
3 Select the ePO Notification Events group and Threat event type.
5 Select My Organization for the Defined at property, then Select Threat Name from the Available Properties pane.
7 Specify aggregation details, then click Next to open the Actions page.
8 Select Send Email, specify the email details, and click Next to open the Summary page, then review the details
and click Save.
Tasks
• Place the endpoints in Update mode on page 39
Place the endpoints in Update mode to make emergency changes.
• Place the endpoints in Enabled mode on page 39
Place the endpoints back in Enabled mode after you complete the required changes in Update
mode.
Task
1 Select Menu | Systems | System Tree.
• Endpoint — Select the endpoint on the Systems page, then click Actions | Agent | Modify Tasks on a Single
System.
3 Click Actions | New Client Task Assignment to open the Client Task Assignment Builder page.
4 Select Solidcore 8.1.0 for the product, SC: Begin Update Mode task type, then click Create New Task to open the Client
Task Catalog page.
a Specify the task name and add any descriptive information.
c Click Save.
Task
1 On the McAfee ePO console, select Menu | Systems | System Tree.
• To apply the client task to an endpoint, select the endpoint on the Systems page, then click Actions | Agent
| Modify Tasks on a Single System.
3 Click Actions | New Client Task Assignment to open the Client Task Assignment Builder page.
a Select Solidcore 8.1.0 for the product, SC: End Update Mode for the task type, then click Create New Task to open
the Client Task Catalog page.
b Specify the task name and add any information you want.
d Specify the task name and add any information you want.
4 (Optional) Wake up the agent to send your client task to the endpoint immediately.
This feature is available only in McAfee ePO-managed configuration and unavailable in standalone configuration.
Task
1 On the McAfee ePO console, select Menu | Policy | Policy Catalog.
3 In the Configuration (Client) category, click Duplicate for the McAfee Default policy.
7 Specify the number of failed attempts and the interval after which to disable the CLI in case of a security
breach.
By default, the CLI is disabled if a user makes three unsuccessful attempts in 30 minutes.
8 Specify how long to disable the CLI if any user makes unsuccessful logon attempts.
By default the CLI is disabled for 30 minutes.
9 Click Save.
• Any attempt to recover the CLI with an incorrect password generates the Unable to Recover Local CLI event.
When the user exceeds the permitted number of failed attempts (as defined in the policy), CLI recovery is
disabled to prevent the breach attempt and the Disabled Local CLI Access event is generated. This is a priority
event and is sent immediately to the McAfee ePO console.
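The following is an added example, not McAfee's code, that models the CLI breach handling described above as a sliding-window failure counter: with the defaults from the text, three unsuccessful attempts within 30 minutes disable the CLI for 30 minutes, every wrong password produces an Unable to Recover Local CLI event, and the attempt that trips the limit also produces the Disabled Local CLI Access event. The class, the `verify` callback, timestamps expressed in minutes, and the choice to ignore attempts silently while the CLI is disabled are assumptions; the attempt sequence is constructed.

```python
# Added example, not McAfee code: the local CLI recovery lockout as a
# sliding-window counter. Defaults follow the guide (3 failures within
# 30 minutes disable the CLI for 30 minutes); the class, the `verify`
# callback and the behaviour while disabled are assumptions.
import hmac
from collections import deque
from typing import Callable, Deque, List, Optional, Tuple


class CliRecoveryGuard:
    UNABLE = "Unable to Recover Local CLI"
    DISABLED = "Disabled Local CLI Access"   # priority event, sent to McAfee ePO immediately

    def __init__(self, verify: Callable[[str], bool], max_failures: int = 3,
                 window_minutes: int = 30, lockout_minutes: int = 30) -> None:
        self.verify = verify
        self.max_failures = max_failures
        self.window = window_minutes
        self.lockout = lockout_minutes
        self.failures: Deque[float] = deque()    # timestamps (minutes) of recent failures
        self.locked_until: Optional[float] = None

    def is_disabled(self, now: float) -> bool:
        return self.locked_until is not None and now < self.locked_until

    def attempt(self, password: str, now: float) -> Tuple[bool, List[str]]:
        """Try to recover the CLI at time `now` (minutes). Returns
        (recovered, events generated by this attempt)."""
        if self.is_disabled(now):
            return False, []                     # assumption: attempts are ignored while disabled
        if self.locked_until is not None:        # lockout expired: start clean
            self.locked_until = None
            self.failures.clear()
        if self.verify(password):
            self.failures.clear()
            return True, []
        # Forget failures that fell out of the window before counting this one.
        while self.failures and now - self.failures[0] > self.window:
            self.failures.popleft()
        self.failures.append(now)
        events = [self.UNABLE]
        if len(self.failures) >= self.max_failures:
            self.locked_until = now + self.lockout
            events.append(self.DISABLED)
        return False, events


def scenario() -> List[Tuple[bool, List[str]]]:
    """Constructed sequence showing the window edge, the lockout and its expiry."""
    secret = "recovery-pass"   # demo secret only; compared in constant time
    guard = CliRecoveryGuard(lambda p: hmac.compare_digest(p, secret))
    attempts = [
        ("wrong", 0), ("wrong", 10),
        ("wrong", 45),                  # the first two failures are older than 30 min
        ("wrong", 50), ("wrong", 55),   # third failure inside the window: disabled until 85
        ("recovery-pass", 60),          # correct password, but the CLI is disabled
        ("recovery-pass", 86),          # lockout expired
    ]
    return [guard.attempt(p, t) for p, t in attempts]


if __name__ == "__main__":
    for recovered, events in scenario():
        print(recovered, events)
```

The attempt at minute 45 shows the limit of a windowed counter: two earlier failures have aged out, so a guess made every 31 minutes never trips the lockout. That is why an automatic response on the Unable to Recover Local CLI event, not only on the priority Disabled Local CLI Access event, belongs in the alerting configuration.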
Task
1 On the McAfee ePO console, select Menu | Policy | Policy Catalog.
3 In the Configuration (Client) category, click Duplicate for the McAfee Default policy.
The Duplicate Existing Policy dialog box appears.
8 Click Save.
Task
1 Select Menu | Systems | System Tree.
• Endpoint — Select the endpoint on the Systems page, then click Actions | Agent | Modify Tasks on a Single
System.
3 Click Actions | New Client Task Assignment to open the Client Task Assignment Builder page.
4 Select Solidcore 8.1.0 for the product, SC: Disable for the task type, then click Create New Task to open the Client Task Catalog page.
• Version 6.1.0 and later – Deselect Reboot endpoint to restart the endpoints.
9 (Optional) Wake up the agent to send your client task to the endpoint immediately.
Task
1 On the McAfee ePO console, select Menu | Automation | Server Tasks.
• Purge records older than — Select this option to purge the entries older than the specified age.
• Purge by query — Select this option to purge the records for the selected feature that meet the query
criteria. This option is only available for reporting features that support queries in McAfee ePO. Also, this
option is supported only for tabular query results.
No seeded queries are available for purging. Before purging records, you must create the query from the
Menu | Reporting | Queries & Reports page.
7 Specify schedule details, then click Next to open the Summary page.
Contents
Configure a syslog server
Solidcore permission sets
Customize end-user notifications
Task
1 Add the syslog server as a registered server.
a On the McAfee ePO console, select Menu | Configuration | Registered Servers, then click New Server to open the Registered Server Builder wizard.
c Specify the server name, add any notes, then click Next.
f Select the type of logs the server is configured to receive by selecting a value from the Syslog Facility list.
h Click Save.
You can choose to send specific responses to the syslog server (complete step 2) or use the seeded
response to send all Solidcore events to the syslog server (complete step 3).
d Select the ePO Notification Events group and Threat event type.
f Define the relevant filters, then click Next to open the Aggregation page.
g Specify aggregation details, then click Next to open the Actions page.
j Select the appropriate syslog servers (one or more), then click Next.
b Edit the Send Solidcore events to Syslog Server response to configure these options.
• Set the status to Enabled.
Permission sets only grant rights and access — no permission set removes rights or access. When multiple
permission sets are applied to a user account, they aggregate.
For example, if one permission set does not provide any permissions to server tasks, but another permission
set grants all permissions to server tasks, that user account has all permissions for server tasks. Consider this
as you plan your strategy for granting permissions to the users in your environment.
For global administrators, all permissions to all products and features are automatically assigned.
When a new product extension is installed, it adds the product-specific permission sets to McAfee ePO. The
Solidcore extension for Change Control and Application Control adds the Solidcore Admin and Solidcore Reviewer
permission sets on the Menu | User Management | Permission Sets page.
Because users who have only the Solidcore permission sets don't have access to the My Organization group, they need extra permissions to access the following components.
Global administrators can assign permissions while creating or editing user accounts or permission sets.
To use Solidcore-related McAfee ePO features, users created with Solidcore Admin or Solidcore Reviewer
permission set need extra permissions. Here are the permissions you must assign.
1 Assign at least one more permission set that grants access to needed products and groups of the System
Tree. To make sure that users have access to the My Organization group in the System Tree page and overcome
the limitations of the Solidcore permission sets, edit the Solidcore Admin or Solidcore Reviewer permission
set. Duplicate the Solidcore Admin permission set to use it as a starting point and edit it according to your
requirements. After you edit the permission sets, assign the edited permission set to the users.
2 Assign these permissions for specific Solidcore features by navigating to Menu | User Management | Permission
sets.
Task
1 On the McAfee ePO console, select Menu | Policy | Policy Catalog.
3 Select the Application Control Options category and click the My Default policy to edit it.
4 Click the End User Notifications tab and select Show the messages dialog box when an event is detected and display the
specified text in the message to display a message box at the endpoint each time any of the earlier mentioned
events is generated.
• Mail To — The email address to which all approval requests are sent.
• Mail Subject — The subject of the email message sent for approval requests.
• Link to Website — The website listed in the Application Control and Change Control Events window on the endpoints.
• McAfee ePO IP Address and Port — The McAfee ePO server address and port.
b Select Show Event in Dialog to make sure that all events of the selected event type (such as Execution
Denied) are listed in the Application and Change Control Events window on the endpoints.
8 From the endpoints, users can review the notifications for the events and request approval for certain actions.
a Right-click the McAfee Agent icon in the notification area on the endpoint.
d Request approval for a certain action by selecting the event and clicking Request Approval.
Here is a list of Change Control features and their availability for the operating system and supported configuration.