New features

Here are the details about the new features included in this release.

Protection from fileless malware and script-based attacks

With this release, you can define additional execution control attribute-based rules for files in your setup for protection from fileless malware and script-based attacks. Application Control performs multiple checks to determine whether to allow or block a file's execution. If a file's execution is allowed after the Application Control checks, these rules, if any are defined, come into play. The rules are based on the concept of fine-grained whitelisting and can be created on the attributes of a file. You can define specific rules using one or more attributes of the file to allow, block, or monitor the file.

  • Context-based allowing or blocking of files — On a protected system, only whitelisted interpreters are allowed to execute. But, in certain scenarios, whitelisted interpreters might be misused to execute malicious scripts. For example, powershell.exe can be used to execute unsolidified scripts, or to execute fileless scripts, by invoking it with atypical input arguments. You can prevent misuse of interpreters by defining attribute-based rules to block potentially malicious scenarios.
  • Flexibility and control — Attribute-based rules provide flexibility to allow or block file execution, as needed. You might need to block a user from running a specific file. If an administrator wants to block the execution of powershell.exe for a specific user, a rule can be added to prevent its execution by the user. Other users in your setup can execute powershell.exe. You can achieve such scenarios using attribute-based rules.

    Similarly, you might choose to block execution of a certain file in your setup completely, unless when run by a specific parent process. You can achieve this by creating a generic block rule and a parent process-based allow rule for the file. Because the allow rule has precedence over the block rule, it overrides the block rule when applied.

    Or, you might choose to only observe or monitor a file to determine its execution in your setup. To do this, you can define a monitor rule for the file.

Support for AND to combine rules

For enhanced security, Application Control now supports the AND operator to combine rules. When defining attribute-based or execution control rules, you can use the AND operator to combine rules based on different attributes.
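The following is an added illustration (not Application Control's own rule engine or rule syntax) of the evaluation semantics described in the two sections above: a rule's attributes are combined with AND, an allow rule takes precedence over a block rule, and a monitor rule only flags the execution. The rule set, file names, user names and argument values are constructed for the example.

```python
from dataclasses import dataclass


@dataclass
class Rule:
    action: str   # "allow", "block" or "monitor"
    attrs: dict   # every listed attribute must match (AND), e.g. {"file": ..., "user": ...}


@dataclass
class Execution:
    file: str
    user: str
    parent: str
    args: str


def rule_matches(rule: Rule, ev: Execution) -> bool:
    # AND semantics: all attributes named in the rule must match the execution.
    return all(getattr(ev, key) == value for key, value in rule.attrs.items())


def evaluate(rules: list, ev: Execution) -> tuple:
    """Return (decision, monitored) for an execution that already passed the
    whitelist checks. Allow overrides block; monitor never changes the decision."""
    matched = [r for r in rules if rule_matches(r, ev)]
    monitored = any(r.action == "monitor" for r in matched)
    if any(r.action == "allow" for r in matched):
        return "allow", monitored
    if any(r.action == "block" for r in matched):
        return "block", monitored
    return "allow", monitored   # no rule applies: the earlier whitelist decision stands


# Hypothetical rule set covering the scenarios in the text.
RULES = [
    # block powershell.exe for one user only (file AND user)
    Rule("block", {"file": "powershell.exe", "user": "contractor"}),
    # generic block of tool.exe, overridden by a parent-process-based allow
    Rule("block", {"file": "tool.exe"}),
    Rule("allow", {"file": "tool.exe", "parent": "installer.exe"}),
    # observe cscript.exe without changing the outcome
    Rule("monitor", {"file": "cscript.exe"}),
]


def decide(file: str, user: str, parent: str, args: str = "") -> tuple:
    return evaluate(RULES, Execution(file, user, parent, args))
```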

CASP support for 64-bit

Application Control now provides Critical Address Space Protection (CASP) on 64-bit operating systems. CASP is a memory-protection technique that renders useless any shellcode running from the non-code area. Code running from the non-code area is an abnormal event that usually happens because a buffer overflow is exploited.

SHA-256 support

Application Control now supports file SHA-256 values for various workflows (Windows platform) in addition to SHA-1 and MD5. If you upgrade from an earlier version, you must fetch the inventory in order to view the SHA-256 values on the McAfee ePO console.

Multiple wildcard character support

In this release, we have simplified rule creation and management by providing multiple wildcard character support. Paths can include the * and ? wildcard characters to specify file paths and file names. You can use wildcards when defining rules for trusted directories and updaters.

Notifications for CLI breach attempt

Starting with the 8.0.0 release, you can configure Application Control to notify the administrator of any unsuccessful attempts to recover the CLI on the endpoint. In case any attempt is made to breach security, the CLI should be immediately disabled to thwart the attempt.

Inventory fetch optimization

With this release, we have enhanced the inventory fetch workflows. For Application Control, the minimum interval between consecutive inventory fetch runs is set to seven days by default. This implies that for an endpoint you can pull the complete inventory once a week. Starting with the 8.0.0 release, if less than seven days have passed since the last inventory fetch, only inventory updates are fetched. If more than seven days have passed since the last inventory fetch, complete inventory details are fetched.

Note: For releases 7.0.1 and earlier, if inventory for the endpoint was fetched in the last seven days, the client task fails.

Corrupt inventory fallback

In this release, we have added local whitelist backup support to Application Control. Application Control maintains a backup of the local whitelist or inventory for endpoints. This allows users to easily recover a corrupted inventory without resolidifying the endpoint in most cases. If the internal inventory for an endpoint is corrupt, Application Control tries to recover the inventory from the backup copy. It also generates a Recovered Inventory event on success and an Unable to Recover Inventory event on failure. For more information, see KB88222.

Installer detection enhancements

In the 8.0.0 release, we have enhanced Application Control heuristics for detecting installers. As a result, Application Control can detect more installers with improved efficacy. These enhancements also help reduce the number of false positives detected. For example, because of the enhanced heuristics we can now easily detect winrar-x64-50b6.exe and BullseyeCoverage-8.3.3-Windows.exe.

User comments support

You can now record additional information for an event or request on the Solidcore Events or Policy Discovery page, respectively. If needed, you can filter events and requests based on specified comments.