FAQs

Here are answers to frequently asked questions.

What is an Alternate Data Stream (ADS)? Does Change Control monitor changes to ADS?

On the Microsoft NTFS file system, a file consists of multiple data streams. One stream holds the file contents and another contains security information. You can create alternate data streams (ADS) for a file to associate information or other files with the existing file. In effect, alternate data streams allow you to embed information or files in existing files. The ADSs associated with a file do not affect its contents or attributes and are not visible in Windows Explorer. So, for practical purposes, the ADSs associated with a file are hidden. Malicious users can misuse the ADS feature to associate malicious files with other files without the malicious files being detected.

Change Control monitors changes to any ADS associated with files on Windows platforms. For a monitored file, ADS-related changes, including stream creation, modification, update, deletion, and attribute changes are reported as events. If you are also using Application Control, the base file name is retrieved and permissions for the base file are checked when an ADS is invoked. The ADS is allowed or denied execution based on the permissions of the base file and current mode of Application Control. Also, any executable programs (associated as an ADS with an existing file) are prevented from running. To disable ADS monitoring, execute the SC: Run Commands client task to run the sadmin features disable mon-ads command on the endpoint.

Why am I not receiving the events for user account activity for an endpoint?

User account activity is not tracked by default for endpoints. To track operations for user accounts, you must enable this feature specifically on endpoints where Change Control is deployed and enabled. To enable this feature, execute the SC: Run Commands client task to run the sadmin features enable mon‑uat command on the endpoint.

In addition, you must make sure that the Audit Policy is configured on the Windows operating system to allow generation of user activity events.

To successfully track user account activity for an endpoint, verify the Audit Policy configuration for the endpoint.

  1. Navigate to Control PanelAdministrative Tools.
  2. Double-click Local Security Policy.
  3. Select Local PoliciesAudit Policy.
  4. Double-click the Audit account logon events policy.
  5. Select Success and Failure, then click OK.
  6. Repeat steps 4 and 5 for the Audit account management and Audit logon events policies.
What are the implications of recovering the local CLI access for an endpoint?

To troubleshoot or debug issues, you might need to recover the local CLI access for an endpoint. Recovering the local CLI for an endpoint prevents the enforcement of policies from McAfee ePO to the endpoint. This implies that when the CLI is recovered for an endpoint, no existing or new policies (created on the McAfee ePO server) are applied to that endpoint.

What is the significance of the label specified in a policy while configuring updater processes, installers, and users?

The specified labels help you correlate the generated events with the actions performed by the trusted resources. For example, when an event is generated for an action performed by a trusted user, the Workflow ID attribute for the event includes the label specified for the trusted user.

How do I unsolidify a file, directory, or volume?

To unsolidify a file, directory, or volume, run the SC: Run Commands client task with the sadmin unso <resource name> command.

Note: As a best practice, do not unsolidify a system drive or volume.
I recently fetched inventory for an endpoint but can't review GTI ratings for the inventory items. What can I do?

If GTI ratings are unavailable for inventory items after you fetched inventory, review the logs generated by the Fetch File Details from McAfee GTI Server and Fetch Certificate Reputation from McAfee GTI Server server tasks on the Server Task Log page. Log entries are added atypically for the Fetch File Details from McAfee GTI Server server task to the Server Task Log page.

  • If the task succeeds and the previous run was unsuccessful, a log entry is added.
  • If the task fails, a new log entry indicating failure is added. But, if communication with the server fails continuously, one entry is added for a day. The time stamp indicates the failure time and the log message provides the reason for failure.
So, on the Server Task Log page, you might see fewer entries indicating task success and multiple entries indicating failure for this task.

Do Change Control and Application Control work in Network Address Translation (NAT) environments?

If the McAfee ePO server can communicate with the McAfee Agent in a NAT environment, Change Control and Application Control work.

How can I trust applications developed for use in my organization?

Sign the applications with a self-generated certificate, then trust the certificate.

  1. Perform one of these actions.
    • Locate your certificate if you have an existing certificate.
    • Generate an X.509 certificate pair using a tool, such as makecert.exe (see this for details).
  2. Export the certificate in PEM (Base-64 encoded X.509 - .CER) format.
  3. Upload the certificate and add it to an Application Control policy as a trusted certificate.
  4. Apply the policy to the endpoints.
  5. Use the certificate to sign and verify in-house applications. This can be done using a tool, such as SignTool.exe.
    Note: When working with scripts, convert the script into a self-extracting executable file, then sign the file.
  6. Define the internal certificate as a trusted certificate.

Can I script sadmin commands?

Yes, you can script sadmin commands. While recovering the CLI, you are prompted to enter to password. To achieve this in a script, suffix the sadmin recover command with -z <password>.

How can I resolve discrepancies and inconsistencies in the Solidcore rule groups after upgrading the Solidcore extension? When I access the Rule Groups page, an Internal Server Error is displayed.

Run the Rule Group Sanity Check server task from the McAfee ePO console to fix the inconsistencies in the rule groups. This server task reports and corrects (if possible) discrepancies and inconsistencies in the Solidcore rule groups and policies.

  1. Select MenuAutomationServer Tasks.
  2. Click New Task.

    The Server Task Builder wizard opens.

  3. Type the task name and click Next.
  4. Select Solidcore: Rule Group Sanity Check from the Actions drop-down list.
  5. Click Next.
  6. Specify the schedule for the task.
  7. Click Next.

    The Summary page appears.

  8. Review the task summary and click Save.
  9. Review the logs generated by the server task (on the Server Task Log page) to view the warnings, if any.

How do I manage the predefined rules available with Change Control and Application Control?

Revisit the predefined rules available with Change Control and Application Control when you install or upgrade the Solidcore extension. Because the software installed on the endpoints in your enterprise might change (is added or removed), you must revise the rules periodically. Based on the software installed on the endpoints in your setup, revise the rules and remove unwanted or irrelevant rules.

How can I enable or disable selected features on endpoints from the McAfee ePO console?

Use the Application Control Options (Windows) policy to enable or disable selected features on endpoints from the McAfee ePO console.

  1. Select MenuPolicyPolicy Catalog.
  2. Select the Solidcore 8.0.0: Application Control product.
  3. Select the Application Control Options (Windows) category.
  4. Click the My Default policy.
  5. Switch to the Features tab.
  6. Select Enforce feature control from ePO.

    For more information about these features.

    • ActiveX, see ActiveX controls.
    • Memory Protection, see Memory-protection techniques.
    • Package Control, see Package Control.

  7. Select the features to enable or disable.
  8. Save the policy and apply to the relevant endpoints.

How can I implement change reconciliation and ticket-based enforcement in my setup?

Change reconciliation correlates change events from monitored systems with tickets in your change management system (CMS). This correlation categorizes events as authorized or unauthorized based on whether the change was made during an update window. This information is used for change tracking and compliance reporting. Ticket-based enforcement allows you to automatically open update windows on systems protected with Application Control and Change Control by integrating with your CMS. Based on tickets created in the CMS, update windows open on the protected systems to allow modification of protected files and registry keys. Implementing ticket-based enforcement reduces system outages and improves uptime by allowing only approved changes to the systems.

Perform these steps to configure and implement change reconciliation and ticket‑based enforcement.

  1. Make sure that reconAutoReconcileEvents setting in the database is set to true. Contact McAfee Support for instructions.
  2. Set the required permissions.
    • User must have System Tree access to the systems where the tasks are to be scheduled.
    • User must have permission to send agent wake-up call.
    • Create and edit tags permission is required to run tasks on multiple systems.
    • View and change task settings permission is needed in McAfee Agent if you are using McAfee ePO 5.0 or later.
  3. Understand and use the web service APIs provided by Application Control and Change Control.

    Web service API Description
    begin-update (systemNames/systemIds, workflowId, time, wakeupAgent) Opens an Update window to perform ticket-related changes. This service takes these parameters:
    systemNames/systemIds (Required) Comma-separated list of system names, IP addresses, or system IDs (from the McAfee ePO database). If you specify system IDs and system names, only the specified system IDs are considered.
    workflowId (Required) Ticket ID from the ticketing system for the update window. The specified ticket ID is associated with the updated records.
    time (Required) Time when to open the Update window on the endpoints. Use the yyyy-mm-dd hh:mm:ss format to provide the value.
    wakeupAgent (Optional) Flag to indicate whether to wake up agents after scheduling the task. The default value for this parameter is true.
    This service returns the ID associated with the client task that opens the Update window on the specified endpoints.
    end-update (systemNames/systemIds, workflowId, time, wakeupAgent) Closes the Update window after performing ticket-related changes. This service takes these parameters:
    systemNames/systemIds (Required) Comma-separated list of system names, IP addresses, or system IDs (from the McAfee ePO database). If you specify system IDs and system names, only the specified system IDs are considered.
    workflowId (Required) Ticket ID from the ticketing system for the update window.
    time (Required) Time when to close the Update window at the endpoints. Use the yyyy-mm-dd hh:mm:ss format to provide the value.
    wakeupAgent (Optional) Flag to indicate whether to wake up agents after scheduling the task. The default value for this parameter is true.
    This service returns the ID associated with the client task that closes the Update window on the specified endpoints.
    delete-task (taskIds) Deletes the client tasks created to open and close the Update window for a ticket. This service takes only one parameter.
    taskIds (Required) Comma-separated list of IDs associated with the client tasks that open and close the Update window on the specified endpoints. The client tasks that are associated with the IDs are deleted.
    This service returns a list of true and false values corresponding to each specified client task ID. True indicates that the client task associated with the specified ID was successfully deleted.

    These web service APIs can be accessed through URLs. Here are a few examples to help you understand the type of calls you can make to the web service APIs.

    • begin-update — https://<epo-server>:<port>/remote/scor.updatewindow.updateWindowCommand.do?:output=json&action=begin-update&systemNames=<comma separated IP addresses or names>&time=2013-12-19%2011:05:00&workflowId=ticket1&wakeupAgent=true
    • end-update — https://<epo-server>:<port>/remote/scor.updatewindow.updateWindowCommand.do?:output=json&action=end-update&systemNames=<comma separated IP addresses or names>&time=2013-12-19%2012:05:00&workflowId=ticket1&wakeupAgent=true
    • delete-task — https://<epo-server>:<port>/remote/scor.updatewindow.updateWindowCommand.do?:output=json&action=delete-task&taskIds=123,234

  4. Review the sample Java connector that is shipped with the Solidcore extension. You can download and save the SampleConnector.zip file from the McAfee Downloads site. This file is available for your reference and can help you understand how to integrate with the web service APIs in your setup.

After I deploy Application Control, how can I check the status of the memory protection techniques, such as Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR), provided by the Windows operating system?

Review the status of the techniques for one endpoint
  1. Click the endpoint on the Systems page to view details for the selected endpoint.
  2. Click the Products tab.
  3. Click the Solidcore row to view product details.
  4. Review the values for the Memory Protection (ASLR) and Memory Protection (DEP) properties.
Review the status of the techniques for multiple endpoints
  1. On the McAfee ePO console, select MenuReportingQueries and Reports.
  2. Select the Application Control group under McAfee Groups.
  3. Click New.
  4. Select Solidcore Client Properties for the Result Type and click Next.
  5. Select Table in the Display Results As list, select System Name in the Sort By list, and click Next.
  6. Add the Memory Protection (ASLR) and Memory Protection (DEP) properties and click Next.
  7. Click Run to view details for the endpoints in your setup.

Here are the possible values for DEP and ASLR.

Technique Possible value Description
DEP Enabled (Always On) DEP is enabled for all processes.
Disabled (Always Off) DEP is disabled for all processes.
Disabled (With Opt In) DEP is enabled only for Windows system components and services.
Enabled (With Opt Out) DEP is enabled for all processes. You can choose to remove processes from the DEP technique.
Not Supported DEP technique is not supported on the hardware.
ASLR Enabled ASLR is enabled for all processes.
Disabled ASLR is disabled for all processes.
Enabled (Partial) ASLR is enabled and VASR bypass rules might be present.

The software is allowing the execution of a banned file. What could be the reason?
When defined rules are applied, the software combines or aggregates the rules defined for a file. When applying the rules, it uses the following order to determine whether the file execution is allowed or blocked. The order in which the methods are listed indicates the precedence the software applies to the method.
  1. Banned by SHA-1 or SHA-256
  2. Executed by updater process or trusted user
  3. Allowed by SHA-1 or SHA-256
  4. Allowed by certificate
  5. Banned by name
  6. Allowed by name
  7. Executed from trusted directory
  8. Added to whitelist

If none of the above apply for a file, the software blocks the execution of the file.

I have defined variables on the Linux platform. Can I use these variables to define rules in Application Control or Change Control?

User-defined variables are not supported in the McAfee ePO-managed configuration.

The McAfee ePO interface is slow or unresponsive and count of observations on the Predominant Observations page is high. What is the cause and how can I resolve this problem?

Application Control includes predefined rules to filter non-relevant and unnecessary observations you receive from endpoints. The rules are included in the Observation Filter Rules (Deprecated) rule group (shipped with the product). By default, these rules are applied to the global root in the System Tree and hence are inherited by all McAfee ePO-managed endpoints.

If you remove this rule group, you might receive many observations that cause the McAfee ePO interface to be slow or unresponsive. Review your setup and make sure that this rule group is applied to the endpoints.

How can I check the solidification or whitelisting status for an endpoint?

Perform these steps to review the solidification or whitelisting status for an endpoint.

  1. From the McAfee ePO console, select Menu | Systems | System Tree.
  2. Select the group associated with the endpoint in the System Tree pane.

    The endpoints in the group are listed in the Systems tab.

  3. Click Actions | Choose Columns.
  4. Navigate to the Solidcore Client Properties list and select the Solidification Status property.
  5. Click Save to return to the Systems tab.
  6. Navigate to the row corresponding to an endpoint and review the value listed in the Solidification Status column.

How can I apply multiple policies to one node in the System Tree?

Perform these steps to apply multi-slot policies to a group or specific endpoints.

  1. From the McAfee ePO console, select Menu | Systems | System Tree.
  2. Perform one of these actions.
    • Group — Select a group in the System Tree and switch to the Assigned Policies tab.
    • Endpoint — Select the endpoint on the Systems page, then click ActionsAgentModify Policy on a Single System.
  3. Click Edit Assignments for the multi-slot policy where you want to assign multiple policies.
  4. Click New Policy Instance.
  5. Select the policy that you want to assign from the Assigned policy field.
  6. Click Save.

I am trying to fetch the software inventory for an endpoint, but the SC: Pull Inventory client task fails and I receive a message that the inventory cannot be fetched. What is the reason and how can I fetch the inventory successfully?

By default, you can fetch the inventory for an endpoint once in seven days. This value is set as the minimum interval between consecutive inventory runs. But, if needed, you can configure this value for your enterprise. See Configure settings for fetching the inventory.

What is the difference between custom action and taking global actions for a request?

For selected endpoints, to define custom rules to allow, ban, or allow by certificate an application or executable file, use the Create Custom Policy action. You can also define custom rules to allow a network path for selected endpoints. But, to allow, ban, allow by certificate an application or executable file globally (on all endpoints in your enterprise), or to allow a network path globally, take global actions.

I am using the Number of Systems where Throttling Initiated in Last 7 days monitor on the Health Monitoring dashboard. Why is no data visible when I select List events that initiated throttling for a system link?

When you select the List events that initiated throttling for a system link, the Events page lists events that resulted in the generation of the Data Throttled or Data Dropped events. The list includes all events that were generated in the 7-days period before receiving the Data Throttled or Data Dropped events.

In these two scenarios, the Events page does not list any data.

  • Consecutive Data Throttled and Data Dropped events are received for a system.
  • Events yet to be received at the McAfee ePO console. This can occur when the endpoint for which throttling initiated is parsing older data and is yet to send the newer events to the McAfee ePO server.

Also, the same scenario can occur for policy discovery requests (observations) and inventory updates.

I want to change the value of a configuration parameter for a managed endpoint. I cannot find a policy or method to complete this from the McAfee ePO console. How can I complete tasks for which no method is available on the McAfee ePO console?

From the McAfee ePO console, you can use the SC: Run Commands client task to run any CLI commands remotely on one or more endpoints. The commands can include tasks that can or cannot be completed using McAfee ePO, such as enable or disable the product, change the value for configuration parameters, or fetch the software inventory.

  1. From the McAfee ePO console, select Menu | Systems | System Tree.
  2. Perform one of these actions.
    • To apply the client task to a group, select a group in the System Tree and switch to the Assigned Client Tasks tab.
    • To apply the client task to an endpoint, select the endpoint on the Systems page, then click ActionsAgentModify Tasks on a Single System.
  3. Click ActionsNew Client Task Assignment to open the Client Task Assignment Builder page.
  4. Select the Solidcore 8.0.0 product, SC: Run Commands task type, then click Create New Task to open the Client Task Catalog page.
  5. Specify the task name and add any information.
  6. Specify the command you want to run on the endpoints.

    For example, to change the value of configuration parameters, specify the sadmin config set <ParameterName>=<ParameterValue> command.

  7. (Optional) Specify the option to receive the result of the command by clicking Requires Response.

    The command output is available on the MenuAutomationSolidcore Client Task Log page.

  8. Click Save.

How can I lock down or recover the local CLI for managed endpoints?

By default, the local CLI is locked down for McAfee ePO-managed endpoints. But, you can recover the CLI for one or more endpoints, if needed.

Important: When you recover the CLI, any changes to configuration, policies, tasks pushed from the McAfee ePO server are not enforced on the endpoint. So, the CLI status must be set to Restrict to enforce any changes to the endpoint.

  1. From the McAfee ePO console, select Menu | Systems | System Tree.
  2. Perform one of these actions.
    • To apply the client task to a group, select a group in the System Tree and switch to the Assigned Client Tasks tab.
    • To apply the client task to an endpoint, select the endpoint on the Systems page, then click ActionsAgentModify Tasks on a Single System.
  3. Click ActionsNew Client Task Assignment to open the Client Task Assignment Builder page.
  4. Select the Solidcore 8.0.0 product, SC: Change Local CLI Access task type, then click Create New Task to open the Client Task Catalog page.
  5. Change CLI status to Restrict or Allow.
  6. Click Save.

I seem to have run into issues while applying a content update package in my setup. How can I resolve this?

If the McAfee ePO server is temporarily unavailable when a content update is being applied, you might run into issues. We recommend that you wait until the update is applied. Review the Content update for Application Control and Change Control entry on the Server Task Log page to verify if the content update was applied successfully. If the issue isn't resolved or the update status is failed, contact McAfee Support for assistance.

I am trying to access a page and it displays the Content update is in progress warning message. Why is this happening?

We can now automatically push content updates for Application Control and Change Control through the McAfee ePO console. This eliminates the need for customers to apply hotfixes for configuration changes, such as rules, policies, or McAfee GTI settings. For example, any changes to the McAfee GTI settings or certificate are automatically applied in your setup.

When a content update is being applied, you should not make any changes to existing rules and configuration. The warning message is displayed while the content update is being applied and disappears after the update is complete. For every content update that is applied, a corresponding Content update for Application Control and Change Control entry is added to the Server Task Log page. You can review the entry for details of the changes made.

How can I view the reputation for a specific file on an endpoint?

To view the reputation for a specific file on an endpoint, fetch the file reputation from a source (TIE server, McAfee GTI, or Advanced Threat Defense), as applicable. But, make sure that the reputation setting is enabled in Application Control (Options) policy applied to the endpoint. For more information about how to enable reputation settings, see Configure reputation settings.

Use the SC: Run Commands client task to run this command on the endpoint.

sadmin getreputation [ -v | -b ] -f <filename> -m <md5> -h <sha-1> -s <reputation-source>

You must specify MD5 and SHA-1 value for a file to fetch its reputation. But, if you also specify the file name with its MD5 and SHA-1 value, the file name is considered for fetching the reputation.

This table lists the supported arguments and their description.

Argument Description
-v Specify this argument to display all sources and the file reputation stored in them.
-b Specify this argument to bypass the internal cache for stored file reputation and fetches the reputation from the specified source.
-f Specify the file name for which you want to fetch the reputation.
-m Specify the MD5 value of the file for which you want to fetch the reputation.
-h Specify the SHA-1 value of the file for which you want to fetch the reputation.
-s Include the source to fetch the file reputation from.

How can I recover the CLI for an endpoint if the CLI is disabled after multiple incorrect password attempts?

If the CLI is disabled after multiple incorrect password attempts, there are two methods to recover the CLI:

  • To immediately recover the CLI, the administrator can send the SC: Change Local CLI Access client task from the McAfee ePO console.
  • To recover the CLI from the endpoint, enter the correct CLI recover password on the CLI after the disable time period lapses.
When the CLI is recovered, the Recovered Local CLI event is sent to the McAfee ePO console to notify the administrator.

I am reviewing inventory items and can see the Inventory for one or more systems could not be processed. Increase memory allocated for Java Virtual Machine. message. How can I resolve this?

Starting with the 8.0.0 release, Application Control can process large volume of inventory items. If inventory cannot be fetched from an endpoint due to lack of Java Virtual Machine memory on the server, the Inventory for one or more systems could not be processed. Increase memory allocated for Java Virtual Machine. message is displayed on the By Applications and By Systems pages. To resolve this, complete these steps:

  1. Navigate to the By Systems page.
  2. Select the Systems with Failed Inventory Fetch filter.
  3. Review the listed systems.
  4. For each system where Inventory Fetch Status is set to Failed (low JVM memory), hover over the status to review information about JVM memory needed.
  5. Optionally, select Actions | Choose Columns and select JVM Memory Required (in GB) from Available Columns list and click Save. You can review the minimum memory required for each system.
  6. Increase memory according to listed requirements for the endpoints. Before upgrading to the suggested JVM value, make sure that your system meets the needed RAM requirements. For more information, review this link.

When using Application Control and Change Control, which features and workflow support SHA-1 and SHA-256?

Starting with the 8.0.0 release, we have added support for file SHA-256 values (for the Windows platform). This table lists how existing features and workflows use SHA-1 and SHA-256 values.

Feature Capability SHA-1 SHA-256
Executable files Define allow or ban rules for executable files (in policy or rule group) Yes Yes
Updater Processes Define allow or ban rules for updater processes (in policy or rule group) Yes Yes
Installers Define allow or ban rules for installer (in policy or rule group) Yes Yes
Certificates Add rules for trusted certificates (in policy or rule group) Yes Yes
View certificate details about Solidore pages Yes No
Policy discovery Add rules to process requests Yes Yes
Group requests for display on Policy Discovery page Yes No
Inventory Add rules for inventory items Yes Yes
Group items for display on Inventory pages Yes No
Solidcore events Review event information and file details Yes Yes
Rule groups Add rules to a rule group to associate with a policy Yes Yes
Reputation-based rules Add rules to allow or ban files based on their reputation Yes No
Scan a Software Repository server task Scan a repository to add installers and certificates to McAfee ePO Yes Yes
Send McAfee GTI feedback Send feedback to McAfee about your current use of the McAfee GTI and Application Control features Yes No
Offline GTI Tool Fetch McAfee GTI ratings for files and certificates Yes No
McAfee GTI reputation Determine file reputation and classification Yes No
TIE server Determine file reputation and classification Yes No

Except when stated, all other Application Control and Change Control workflows are based on file SHA-1 values. In other words, the linking between events (on Solidcore Events page), file details (on Inventory pages), and requests (Policy Discovery page) are based on the file's SHA-1 values.

I recently fetched inventory for an endpoint and need to fetch inventory for it again. How can I do this?

For Application Control, the minimum interval between consecutive inventory runs (when the inventory information is fetched from the endpoints) is set to seven days. This is the default value and implies that for an endpoint you can pull inventory once a week. But, if needed, you can configure this value for your enterprise. See Configure settings for fetching the inventory.

One of these happen when you fetch inventory for an endpoint:

  • If inventory for the endpoint was fetched in the last seven days, inventory updates are fetched.
  • If inventory for the endpoint was not fetched in the last seven days, complete inventory details are fetched.

I received the Unable to Recover Inventory event for an endpoint. What can I do?
The Inventory Corrupted event is generated for an endpoint if the internal inventory for the endpoint is corrupt. Application Control maintains inventory backup for the endpoint and recovers the inventory for the endpoint from the backup copy.
  • If the inventory is recovered successfully from the backup copy, the Recovered Inventory event is generated.
  • If for some reason, the inventory cannot be recovered from the backup copy, the Unable to Recover Inventory event is generated. To rectify, execute the SC: Run Commands client task with the sadmin so command.