Date post: 26-Jun-2020
Installation Guide McAfee Change Control and McAfee Application Control 6.1.4 For use with ePolicy Orchestrator 4.6.0 - 5.1.1 Software

COPYRIGHT

Copyright © 2014 McAfee, Inc. Do not copy without permission.

TRADEMARK ATTRIBUTIONS

McAfee, the McAfee logo, McAfee Active Protection, McAfee DeepSAFE, ePolicy Orchestrator, McAfee ePO, McAfee EMM, Foundscore, Foundstone, PolicyLab, McAfee QuickClean, Safe Eyes, McAfee SECURE, SecureOS, McAfee Shredder, SiteAdvisor, McAfee Stinger, McAfee Total Protection, TrustedSource, VirusScan, WaveSecure are trademarks or registered trademarks of McAfee, Inc. or its subsidiaries in the United States and other countries. Other names and brands may be claimed as the property of others.

Product and feature names and descriptions are subject to change without notice. Please visit mcafee.com for the most current products and features.

LICENSE INFORMATION

License Agreement

NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND.


Contents

Preface
    About this guide
        Audience
        Conventions
    Find product documentation

1 Installing the software
    Prerequisites
    Install the Solidcore extension
    Specify licenses
    Install the Solidcore client
        Add the package to the repository
        Install the Solidcore client on the endpoints
        Verify the Solidcore client installation
        Enable the Solidcore client

2 Upgrading the software
    Upgrade the Solidcore extension
    Upgrade the Solidcore client
        Add the Solidcore client package to the repository
        Upgrade the Solidcore client on the endpoints
        Verify the Solidcore client upgrade
        Place the endpoints in Enabled mode

3 Uninstalling the software
    Remove the Solidcore client
    Remove the Solidcore extension
    Remove the Solidcore client package

A Create builds for unsupported Linux kernels

B Frequently Asked Questions

Index


Preface

This guide provides the information you need to work with your McAfee product.

Contents

• About this guide

• Find product documentation

About this guide

This information describes the guide's target audience, the typographical conventions and icons used in this guide, and how the guide is organized.

Audience

McAfee documentation is carefully researched and written for the target audience.

The information in this guide is intended primarily for:

• Administrators — People who implement and enforce the company's security program.

• Users — People who use the computer where the software is running and can access some or all of its features.

Conventions

This guide uses these typographical conventions and icons.

Book title, term, emphasis: Title of a book, chapter, or topic; a new term; emphasis.

Bold: Text that is strongly emphasized.

User input, code, message: Commands and other text that the user types; a code sample; a displayed message.

Interface text: Words from the product interface like options, menus, buttons, and dialog boxes.

Hypertext blue: A link to a topic or to an external website.

Note: Additional information, like an alternate method of accessing an option.

Tip: Suggestions and recommendations.

Important/Caution: Valuable advice to protect your computer system, software installation, network, business, or data.

Warning: Critical advice to prevent bodily harm when using a hardware product.


Find product documentation

After a product is released, information about the product is entered into the McAfee online Knowledge Center.

Task

1 Go to the McAfee ServicePortal at http://support.mcafee.com and click Knowledge Center.

2 Enter a product name, select a version, then click Search to display a list of documents.


1 Installing the software

Install Change Control or Application Control in the McAfee® ePolicy Orchestrator® (McAfee ePO™) environment.

Contents

• Prerequisites

• Install the Solidcore extension

• Specify licenses

• Install the Solidcore client

Prerequisites

Before installing Change Control or Application Control, make sure that your environment conforms to these requirements.

• Verify that the McAfee ePO server and database are installed and configured. McAfee ePO is a management tool that installs software and deploys policies on the managed endpoints. It also allows you to monitor client activity, create reports, and store and distribute content and software updates. For instructions, see the ePolicy Orchestrator Installation Guide and ePolicy Orchestrator Product Guide.

• Make sure that the McAfee Agent is installed on each endpoint where you want to install Change Control or Application Control. McAfee Agent acts as the intermediary between the Solidcore client and McAfee ePO server. It sends data to the client from the McAfee ePO server and vice versa.

• Download the Solidcore extension package from the McAfee Downloads site. The Solidcore extension file is typically named Solidcore_epo_extn_<ver>.<build>.zip.

• Download the Solidcore client package from the McAfee Downloads site. Here are the available Solidcore client packages.

    Operating system     Package name
    Microsoft Windows    SOLIDCOR<version>-<build>_WIN.zip
    Linux                SOLIDCOR<version>-<build>_LNX.zip
    AIX                  SOLIDCOR<version>-<build>_AIX.zip

  In the file name, <version> and <build> represent the version and build number associated with the product. For example, the SOLIDCOR614-211_WIN.zip file includes the Solidcore client (version 6.1.4 and build number 211) for the Windows platform.

• Make sure that the target platforms where you need to install the Solidcore client are supported. See KB76459 (for Change Control) and KB73341 (for Application Control).


• Review KB82066 for information about the supported kernels for the Linux operating system. If the target kernel is not mentioned in this article, there are two ways to get support:

    • Compile the kernel module in your test environment and deploy immediately to production endpoints using McAfee ePO Endpoint Deployment Kit (EEDK) or manually. For more information, see Create builds for unsupported Linux kernels.

    • Request kernel support through the McAfee Accept portal by filing a Product Enhancement Request (PER). For information about how to submit a PER, see KB60021.

• Determine the database sizing requirements for your setup (see KB72753).

• Review the minimum system requirements for Change Control and Application Control (see KB76579).

• Review the release notes to acquaint yourself with the known issues and identify dependencies you need to consider.

Install the Solidcore extension

The Solidcore extension integrates with the McAfee ePO console and provides Change Control and Application Control features. The Solidcore extension installs on versions 4.6, 5.0, and 5.1 of the McAfee ePO server.

Task

For option definitions, click ? in the interface.

1 Make sure that the extension file is stored at an accessible location.

2 On the McAfee ePO console, select Menu | Software | Extensions to open the Extensions page.

3 Click Install Extension.

4 Browse and select the Solidcore_epo_extn_<ver>.<build>.zip file, then click OK.

5 Verify the information on the Install Extension page, then click OK.

6 Verify that the Solidcore product name appears in the Extensions list.

Specify licenses

Licenses determine the product features available to you. You can enable one or all features. Add licenses to enable the required features.

Task

For option definitions, click ? in the interface.

1 On the McAfee ePO console, select Menu | Configuration | Server Settings to open the Setting Categories page.

2 Select Solidcore, then click Edit to open the Edit Solidcore page.

3 Enter the license keys, then click Save.

Evaluation licenses are valid for 30 days and are available only for the Windows platform.


Install the Solidcore client

The Solidcore client provides change monitoring, change prevention, and whitelisting features on the endpoints where it is installed. You can install and deploy the Solidcore client on Windows, Linux, and AIX platforms. For all supported platforms, the Solidcore client works well on both physical and virtual machines (VM).

Tasks

• Add the package to the repository: Before you install the Solidcore client, add the Solidcore client package to the McAfee ePO repository.

• Install the Solidcore client on the endpoints: Install the Solidcore client on endpoints.

• Verify the Solidcore client installation: Verify that the Solidcore client was installed successfully on an endpoint.

• Enable the Solidcore client: Place the Solidcore client in Enabled mode to activate the software.

Add the package to the repository

Before you install the Solidcore client, add the Solidcore client package to the McAfee ePO repository.

Task

For option definitions, click ? in the interface.

1 On the McAfee ePO console, select Menu | Software | Master Repository.

2 From the Packages in the Master Repository page, select Actions | Check In Package.

3 Set the package type to Product or Update (.ZIP).

4 Browse and select the package zip file and click Next to open the Package Options page.

5 Confirm the information.

• Package Info: Verify the package details.

• Branch: Select the desired branch. Set to Current for new products.

• Options: (Optional) Select Move the existing package to the Previous branch to move an existing package to the previous branch.

• Package signing: Indicates if the package is signed by McAfee or is a third-party package.

6 Click Save to add the package.

The new package appears in the Packages in the Master Repository list.

Install the Solidcore client on the endpoints

Install the Solidcore client on endpoints.

Before you begin

Before installing on the Linux operating system, review KB82066 for information about the supported kernels. We add support for new kernels through kernel release cycles. Therefore, we recommend that you review the kernel list before installing. If the target kernel is not mentioned in KB82066, there are two ways to get support:


• Compile the kernel module in your test environment and deploy immediately to production endpoints using McAfee ePO Endpoint Deployment Kit (EEDK) or manually. For more information, see Create builds for unsupported Linux kernels.

• Request kernel support through the McAfee Accept portal by filing a Product Enhancement Request (PER). For information about how to submit a PER, see KB60021.

Task

For option definitions, click ? in the interface.

1 On the McAfee ePO console, select Menu | Systems | System Tree.

2 Perform one of these actions:

• To apply the client task to a group, select a group in the System Tree and switch to the Assigned Client Tasks tab.

• To apply the client task to an endpoint, select the endpoint on the Systems page and click Actions | Agent | Modify Tasks on a Single System.

3 Click Actions | New Client Task Assignment to open the Client Task Assignment Builder page.

4 Select the McAfee Agent product and Product Deployment task type, then click Create New Task.

5 Specify the task name and add any descriptive information.

6 Select the target platform.

For example, when installing the Solidcore client package on the Windows operating system, select Windows as the target platform.

7 Specify the component and action.

a Select the appropriate package from the Products and components list.

b Select the Install action.

c Select the language of the package.

d Specify the branch where to add the package.

8 Click Save, then click Next to open the Schedule page.

9 Specify scheduling details, then click Next.

10 Review and verify the task details, then click Save.

11 (Optional) Wake up the agent to send your client task to the endpoint immediately.

On all UNIX platforms, if you are using McAfee Agent 4.5 (earlier than patch 1), restart the McAfee Agent service after you install, uninstall, or upgrade the Solidcore client.

Verify the Solidcore client installation

Verify that the Solidcore client was installed successfully on an endpoint.

Task

For option definitions, click ? in the interface.

1 On the McAfee ePO console, select Menu | Systems | System Tree.

2 Select a group or endpoint from the list to view details for the selected node in the Systems tab.


3 Review logs from the McAfee ePO console.

a Select a system on the Systems page.

b Select Actions | Agent | Show Agent Log to view the agent log for the endpoint.

By default, agent logs are not enabled on the McAfee ePO console. For information about how to enable agent logs, see ePolicy Orchestrator Product Guide.

c Check the log to verify if the software was successfully installed at the endpoint.

4 Review the properties for the system.

a Wake up the agent to fetch properties immediately.

Typically, information is exchanged between the agent and server after the agent-server communication interval (ASCI) lapses. The default ASCI value is 60 minutes. Send an agent wake-up call to ensure immediate communication and data exchange between the server and the agent, without waiting for the ASCI to expire.

b Click a system on the Systems page to view details for the selected endpoint.

c Click the Products tab and review the Solidcore version. Click the row to review additional information, including the product version and installation path.

Enable the Solidcore client

Place the Solidcore client in Enabled mode to activate the software.

Task

For option definitions, click ? in the interface.

1 On the McAfee ePO console, select Menu | Systems | System Tree.

2 Perform one of these actions:

• To apply the client task to a group, select a group in the System Tree and switch to the Assigned Client Tasks tab.

• To apply the client task to an endpoint, select the endpoint on the Systems page and click Actions | Agent | Modify Tasks on a Single System.

3 Click Actions | New Client Task Assignment to open the Client Task Assignment Builder page.

4 Select the Solidcore 6.1.4 product and SC: Enable task type, then click Create New Task.

5 On the Client Task Catalog page, specify the task name and add any descriptive information.

6 Select these fields.

a Select the platform.

b Select the subplatform (only for the Windows and Unix platforms).

c Select the version (only for the All except NT/2000 subplatform).

d Indicate whether to enable Change Control, Application Control, or both.

7 Complete these steps to enable Change Control.


Steps, by Solidcore client version:

• On Solidcore client version 5.1.5 or earlier (Windows) or 6.0.1 or earlier (UNIX): Select Force Reboot with the task to restart the endpoint. Restarting the system is necessary to enable the software.

  On the Windows platforms, a pop-up message is displayed at the endpoint 5 minutes before the endpoint is restarted. This allows the user to save work and data on the endpoint.

  On UNIX platforms, the endpoint is restarted as soon as the task is applied.

• On Solidcore client version 6.0.0 or later (Windows): No configuration is needed.

• On Solidcore client version 6.1.0 or later (UNIX): Deselect Force Reboot with the task. When using Solidcore client version 6.1.0 or later, restarting the system is not necessary to enable the software.

8 Complete these steps to enable Application Control.

Steps, by Solidcore client version:

• On Solidcore client version 5.1.2 or earlier (UNIX) or 5.1.5 or earlier (Windows):

  1 Select Perform Initial Scan to create whitelist to create the whitelist when enabling Application Control. Application Control requires the creation of a list of all trusted executable files present on the endpoint system (known as the whitelist). The one-time activity of creating the whitelist is known as whitelisting or solidification. You can choose to create the inventory while enabling the Solidcore client or defer creating it until later.

    If you defer the scan, run the SC: Initial Scan to create whitelist client task after the SC: Enable task is applied and the system is restarted.

  2 Select Force Reboot with the task to restart the endpoint after solidification is complete. Restarting the system is necessary to enable the software. A pop-up message is displayed at the endpoint 5 minutes before the endpoint is restarted. This allows the user to save work and data on the endpoint.

• On Solidcore client version 6.1.0 or later (UNIX): Deselect Force Reboot with the task. When using Solidcore client version 6.1.0 or later, restarting the system is not necessary to enable the software.

• On Solidcore client version 6.0.0 or later (Windows):

  Solidcore client version 6.1 is not available for the Windows NT, Windows 2000, Solaris, AIX, and WindRiver Linux platforms.

  1. Specify the scan priority.

     The set scan priority determines the priority of the thread that is run to create the whitelist on the endpoints. We recommend you set the scan priority to Low. This ensures that Application Control causes minimal performance impact on the endpoints, but creating the whitelist might take longer than when you set the priority to High.

  2. Specify the activation option.

     Limited Feature Activation: The endpoints are not restarted and limited features of Application Control (memory protection features are unavailable) are activated. Memory Protection features are available only after the endpoint is restarted.


     Full Feature Activation: The endpoints are restarted, whitelist created, and all features of Application Control including Memory Protection are active. Restarting the endpoints is necessary to enable the memory protection features. The endpoint is restarted 5 minutes after the client task is received at the endpoint. A pop-up message is displayed on the endpoint before the endpoint is restarted.

  3. Select Start Observe Mode to place the endpoints in Observe mode.

     The Observation mode feature is available only on the Windows operating system.

  4. (Optional) Select Pull Inventory.

     If you select this option, the software fetches the inventory details for the endpoints (after the whitelist is created) and makes the details available on the McAfee ePO console when the ASCI lapses. We recommend you select this option if you wish to manage the inventory using the McAfee ePO console.

9 Click Save, then click Next to open the Schedule page.

10 Specify scheduling details, then click Next.

11 Review and verify the task details, then click Save.

12 (Optional) Wake up the agent to send your client task to the endpoint immediately.

13 Verify that the software is enabled.

a Wake up the agent to fetch properties immediately.

b Click a system on the Systems page.

The details for the selected system are displayed.

c Select the Products tab and review the Solidcore version. Click the row to review the license status.


2 Upgrading the software

Upgrade Change Control or Application Control to access features available in recent releases.

Contents

• Upgrade the Solidcore extension

• Upgrade the Solidcore client

Upgrade the Solidcore extension

Upgrade the Solidcore extension to access the new features in a release.

Task

For option definitions, click ? in the interface.

1 Back up the relevant files before you upgrade the Solidcore extension.

a Stop the McAfee ePO Event Parser service.

1 Select Control Panel | Administrative Tools | Services.

2 Right-click the McAfee ePolicy Orchestrator <version> Event Parser service and click Stop.

b Back up these items.

• McAfee ePO database

• <McAfee ePO install dir>\Server\extensions\installed\Solidcore directory

• <McAfee ePO install dir>\Server\conf\Catalina\localhost\SOLIDCORE_META.xml file

2 Make sure that the extension file is stored at an accessible location.

3 On the McAfee ePO console, select Menu | Software | Extensions to open the Extensions page.

4 Click Install Extension, then browse and select the Solidcore_epo_extn_<ver>.<build>.zip file.

A warning message states that the existing extension will be replaced.

5 Click OK.

6 Verify the information on the Install Extension page, then click OK.

7 Verify that the Solidcore product name appears in the Extensions list.

After you upgrade the Solidcore extension, the domain netbiosName for existing users imported directly from an Active Directory to rule groups and policies will not be populated. To make sure the domain netbiosName is available for such users, delete and reimport users from the Active Directory. After the upgrade, any users that you import from the Active Directory and add to new or existing rule groups and policies will automatically include the domain netbiosName.


8 Start the McAfee ePO Event Parser service.

a Select Control Panel | Administrative Tools | Services.

b Right-click the McAfee ePolicy Orchestrator <version> Event Parser service and click Start.

9 Verify that migration of data was successful.

a On the McAfee ePO console, select Menu | Automation | Server Task Log.

b Check if the Solidcore: Migration server task was completed.

This server task completes upgrade-related activities.

c If the migration fails, review the server task log, resolve any issues, and run the Solidcore: Migration server task manually to complete the migration.

When you upgrade the Solidcore extension (from the 5.1.5 or earlier version), existing inventory and image deviation data is not migrated. After you upgrade, you must fetch inventory details, as needed. Also, during upgrade one of these occurs for dashboards and reports:

• If you did not edit a default dashboard or report, the upgrade operation overwrites the dashboard or report.

• If you edited a default dashboard or report, the upgrade operation retains the edited dashboard or report and adds the corresponding new dashboard or report with a suffix.

10 (Optional) Run the Rule Group Sanity Check server task from the McAfee ePO console to fix the inconsistencies in the rule groups.

This server task reports and corrects (if possible) discrepancies and inconsistencies in the Solidcore rule groups and policies.

a On the McAfee ePO console, select Menu | Automation | Server Tasks.

b Click New Task to open the Server Task Builder wizard.

c Type the task name and click Next.

d Select Solidcore: Rule Group Sanity Check from the Actions drop-down list, then click Next.

e Specify the schedule for the task, then click Next to open the Summary page.

f Review the task summary and click Save.

g Review the logs generated by the server task (on the Server Task Log page) to view the warnings, if any.
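Steps 1a, 1b and 8 of this procedure can be scripted on the McAfee ePO server. The PowerShell below is an added example, not part of the McAfee guide: the parameter names, the backup folder layout and the SHA-256 manifest are assumptions, it assumes PowerShell 4.0 or later, and the McAfee ePO database listed in step 1b is backed up separately with your database tooling.

```powershell
# Added example, not from the McAfee guide. Parameter names, the backup folder
# layout and the hash manifest are assumptions; the two source paths and the
# service display-name pattern come from steps 1a, 1b and 8.
[CmdletBinding(DefaultParameterSetName = 'Backup')]
param(
    # Your <McAfee ePO install dir>.
    [Parameter(Mandatory, ParameterSetName = 'Backup')] [string] $EpoInstallDir,
    # Assumed destination folder for the backup copy.
    [Parameter(Mandatory, ParameterSetName = 'Backup')] [string] $BackupRoot,
    # Step 8 only: restart the Event Parser after the extension upgrade.
    [Parameter(Mandatory, ParameterSetName = 'Start')] [switch] $StartEventParser
)
$ErrorActionPreference = 'Stop'

# The display name embeds the ePO version, so match it with a wildcard.
$svc = @(Get-Service -DisplayName 'McAfee ePolicy Orchestrator * Event Parser')
if ($svc.Count -ne 1) { throw "Expected one Event Parser service, found $($svc.Count)." }
$parser = $svc[0]

if ($StartEventParser) {
    # Step 8: run this only after steps 2 to 7 are complete.
    Start-Service -InputObject $parser
    return
}

# Fail before touching the service if either backup source is missing.
$sources = @(
    (Join-Path $EpoInstallDir 'Server\extensions\installed\Solidcore'),
    (Join-Path $EpoInstallDir 'Server\conf\Catalina\localhost\SOLIDCORE_META.xml')
) | ForEach-Object {
    if (-not (Test-Path -LiteralPath $_)) { throw "Backup source not found: $_" }
    Get-Item -LiteralPath $_
}

# Step 1a: stop the Event Parser service before copying.
if ($parser.Status -ne 'Stopped') {
    Stop-Service -InputObject $parser
    $parser.WaitForStatus('Stopped', [TimeSpan]::FromMinutes(2))
}

# Step 1b: copy the Solidcore directory and SOLIDCORE_META.xml.
$dest = Join-Path $BackupRoot ('Solidcore-pre-upgrade-{0:yyyyMMdd-HHmmss}' -f (Get-Date))
New-Item -ItemType Directory -Path $dest -Force | Out-Null
$sources | ForEach-Object {
    Copy-Item -LiteralPath $_.FullName -Destination $dest -Recurse -Force
}

# Hash every source file and its copy; a missing or different copy aborts the run.
$manifest = foreach ($src in $sources) {
    $parent = Split-Path -Path $src.FullName -Parent
    $files = if ($src.PSIsContainer) {
        Get-ChildItem -LiteralPath $src.FullName -Recurse -File -Force
    } else { $src }
    foreach ($f in $files) {
        $rel  = $f.FullName.Substring($parent.Length).TrimStart('\')
        $copy = Join-Path $dest $rel
        $hash = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
        if (-not (Test-Path -LiteralPath $copy) -or
            (Get-FileHash -LiteralPath $copy -Algorithm SHA256).Hash -ne $hash) {
            throw "Backup copy missing or different: $rel"
        }
        [pscustomobject]@{ RelativePath = $rel; SHA256 = $hash }
    }
}
$manifest | Export-Csv -Path (Join-Path $dest 'manifest-sha256.csv') -NoTypeInformation
"Backed up $(@($manifest).Count) files to $dest. Event Parser stays stopped until step 8."
```

Run it with -EpoInstallDir and -BackupRoot before step 2, then again with -StartEventParser once step 7 is complete.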

Upgrade the Solidcore client

You can upgrade the Solidcore client on Windows, Linux, and AIX platforms. For all supported platforms, the Solidcore client works well on both physical and virtual machines (VM).

Before you begin

Before upgrading on the Linux operating system, review KB82066 for information about the supported kernels. We add support for new kernels through kernel release cycles. Therefore, we recommend that you review the kernel list before upgrading. If the target kernel is not mentioned in KB82066, there are two ways to get support:


• Compile the kernel module in your test environment and deploy immediately to production endpoints using McAfee ePO Endpoint Deployment Kit (EEDK) or manually. For more information, see Create builds for unsupported Linux kernels.

• Request kernel support through the McAfee Accept portal by filing a Product Enhancement Request (PER). For information about how to submit a PER, see KB60021.

For information about the supported operating systems, see KB76459 (for Change Control) and KB73341 (for Application Control).

If you cannot upgrade the Solidcore clients on your critical endpoints, the endpoints work well with the upgraded Solidcore extension. However, the new features available in the 6.1.4 version are not available on the endpoints until you upgrade the Solidcore client version.

Tasks

• Add the Solidcore client package to the repository: Before you can upgrade, you must add the Solidcore client package to the McAfee ePO repository.

• Upgrade the Solidcore client on the endpoints: Upgrade the Solidcore client on the endpoints to access new features available in the recent version.

• Verify the Solidcore client upgrade: Verify that the Solidcore client was upgraded successfully on an endpoint.

• Place the endpoints in Enabled mode: If you did not upgrade in Enabled mode, you must place the endpoints in Enabled mode after you upgrade the Solidcore client.

Add the Solidcore client package to the repository

Before you can upgrade, you must add the Solidcore client package to the McAfee ePO repository.

Task

For option definitions, click ? in the interface.

1 On the McAfee ePO console, select Menu | Software | Master Repository to open the Packages in the Master Repository page.

2 Select Actions | Check In Package.

3 Set the package type to Product or Update (.ZIP).

4 Browse and select the package zip file, then click Next to open the Package Options page.

5 Confirm the information.

• Package Info: Verify the package details.

• Branch: Select the desired branch. Set to Current for new products.

• Options: (Optional) Select the Move the existing package to the Previous branch option to move an existing package to the previous branch.

• Package signing: Indicates if the package is signed by McAfee or is a third-party package.

6 Click Save to check in the package.

The new package appears in the Packages in Master Repository list.


Upgrade the Solidcore client on the endpoints

Upgrade the Solidcore client on the endpoints to access new features available in the recent version. You can upgrade the Solidcore client in various modes. Before upgrading, review this information to place the endpoints in the suitable mode.

Enabled mode: In Enabled mode, you can upgrade the Solidcore client on all supported Windows platforms except Windows NT and Windows 2000. Upgrade in Enabled mode is not available on the UNIX platforms. By default, the McAfee default policy that includes the McAfee publishers rule group is applied to the endpoints. If you choose to upgrade in Enabled mode and have changed the default policies, verify that the McAfee publishers rule group is assigned to policies that are applied on the endpoints.

Update mode: For the Linux and AIX operating systems, we recommend that you upgrade using the Update mode.

Observe mode: Observe mode is available on all supported Windows platforms except Windows NT and Windows 2000. Observe mode is not available on the UNIX platforms.

If you are upgrading from the 6.1.1 release, we recommend that you upgrade in Enabled or Update mode. If you choose to upgrade in Observe mode, review KB79517 before upgrading.

Disabled mode: If your endpoint is currently in Disabled mode, you can upgrade in the Disabled mode.

If you are upgrading a Linux system in Disabled mode from 6.1.0 to a later release, restart the endpoint before upgrading.

For information about how to place the endpoints in Update, Disabled, or Observe mode, see the McAfee Change Control and McAfee Application Control Product Guide.

Task

For option definitions, click ? in the interface.

1 On the McAfee ePO console, select Menu | Systems | System Tree.

2 Perform one of these actions:

• To apply the client task to a group, select a group in the System Tree and switch to the Assigned Client Tasks tab.

• To apply the client task to an endpoint, select the endpoint on the Systems page and click Actions | Agent | Modify Tasks on a Single System.

3 Click Actions | New Client Task Assignment to open the Client Task Assignment Builder page.

4 Select the McAfee Agent product, Product Deployment task type, then click Create New Task to open the Client Task Catalog page.

5 Specify the task name and add any descriptive information.

6 Select the target platform.

For example, when installing the Solidcore client package on the Windows operating system, select Windows as the target platform.

7 Specify the component and action.

a Select the appropriate package from the Products and components list.

b Select the Install action.


c Select the language of the package.

d Set branch to Current for new packages.

8 Click Save, then click Next to open the Schedule page.

9 Specify scheduling details and click Next.

10 Review and verify the task details and click Save.

11 (Optional) Wake up the agent to send your client task to the endpoint immediately.

On all UNIX platforms, if you are using McAfee Agent 4.5 (earlier than patch 1), restart the McAfee Agent service after you install, uninstall, or upgrade the Solidcore agent.

12 Restart the endpoints.

Verify the Solidcore client upgrade

Verify that the Solidcore client was upgraded successfully on an endpoint.

Task

For option definitions, click ? in the interface.

1 On the McAfee ePO console, select Menu | Systems | System Tree.

2 Select a group or endpoint from the list to view details for the selected node in the Systems tab.

3 Review logs from the McAfee ePO console.

a Select an endpoint on the Systems page.

b Select Actions | Agent | Show Agent Log to view the agent log for the endpoint.

By default, agent logs are not enabled on the McAfee ePO console. For information about how to enable agent logs, see the ePolicy Orchestrator Product Guide.

c Check the log to verify if the software was successfully upgraded at the endpoint.

4 Review the properties for the endpoint.

a Wake up the agent to fetch properties immediately.

Typically, information is exchanged between the agent and server after the agent-server communication interval (ASCI) lapses. The default ASCI value is 60 minutes. Send an agent wake-up call to ensure immediate communication and data exchange between the server and the agent, without waiting for the ASCI to expire.

b Click an endpoint on the Systems page to view details for the selected endpoint.

c Select the Products tab and review the Solidcore version. Click the row to review additional information, including the product version and installation path.

Place the endpoints in Enabled mode

If you did not upgrade in Enabled mode, you must place the endpoints in Enabled mode after you upgrade the Solidcore client.

• If you upgraded in Update mode, exit Update mode to place the endpoints back in Enabled mode.

• If you upgraded in Disabled mode, enable the Solidcore client.

• If you upgraded in Observe mode, exit Observe mode and place the endpoints in Enabled mode.


For information about how to exit Update, Disabled, or Observe mode, see the McAfee Change Control and McAfee Application Control Product Guide.


3 Uninstalling the software

If you are no longer using the software, uninstall Change Control or Application Control.

Contents

• Remove the Solidcore client
• Remove the Solidcore extension
• Remove the Solidcore client package

Remove the Solidcore client

To discontinue use of the software, remove the Solidcore client from the endpoints.

Task

For option definitions, click ? in the interface.

1 Place the endpoints in Disabled mode.

For detailed information, see McAfee Change Control and McAfee Application Control Product Guide.

2 Restart the endpoints.

3 On the McAfee ePO console, select Menu | Systems | System Tree.

4 Perform one of these actions:

• To apply the client task to a group, select a group in the System Tree and switch to the Assigned Client Tasks tab.

• To apply the client task to an endpoint, select the endpoint on the Systems page and click Actions | Agent | Modify Tasks on a Single System.

5 Click Actions | New Client Task Assignment to open the Client Task Assignment Builder page.

6 Select the McAfee Agent product, Product Deployment task type, and click Create New Task to open the Client Task Catalog page.

7 Specify the task name and add any descriptive information.

8 Select the target platform.

9 Specify the component and action.

a Select the appropriate package from the Products and components list.

b Select Remove.

c Select the language of the package.

d Set branch to Current for new packages.


10 Click Save, then click Next to open the Schedule page.

11 Specify scheduling details and click Next.

12 Review and verify the task details and click Save.

13 (Optional) Wake up the agent to send your client task to the endpoint immediately.

14 Verify the Solidcore client removal.

a Wake up the agent to fetch properties immediately.

Typically, information is exchanged between the agent and server after the agent-to-server-communication interval (ASCI) lapses. The default ASCI value is 60 minutes. Send an agent wake-up call to ensure immediate communication and data exchange between the server and the agent, without waiting for the ASCI to expire.

b Click an endpoint on the Systems page to view details for the selected endpoint.

c Click the Products tab and make sure Solidcore is not listed.

Remove the Solidcore extension

To discontinue use of the software, remove the Solidcore extension from the McAfee ePO server.

Task

For option definitions, click ? in the interface.

1 On the McAfee ePO console, select Menu | Software | Extensions to open the Extensions page.

2 Select Solidcore from the Extensions list.

3 Click Remove.

When you remove the Solidcore extension, all product-specific tables (SCOR tables) are removed from the database. However, all default and user-defined dashboards and reports are retained in the database.

• Remove all Solidcore dashboards.

1 On the McAfee ePO console, select Menu | Reporting | Dashboards to open the Dashboards page.

2 Review the items in the Dashboard list.

3 Delete these dashboards.

• Solidcore: Application Control

• Solidcore: Change Control

• Solidcore: Integrity Monitor

• Solidcore: Inventory


• Remove the Solidcore queries.

1 On the McAfee ePO console, select Menu | Reporting | Queries & Reports.

2 Expand the Shared Groups category and delete these folders.

• Application Control

• Change Control

When you remove queries, the Application Control and Change Control folders are deleted, including all the queries contained in the folders. If you wish to save a query, save the specific query in a different folder.

Remove the Solidcore client package

After you uninstall the software, remove the Solidcore client package from the McAfee ePO server.

Task

For option definitions, click ? in the interface.

1 On the McAfee ePO console, select Menu | Software | Master Repository to open the Packages in Master Repository page.

2 Select Delete for a package.


A Create builds for unsupported Linux kernels

Here is information about how to create builds for unsupported Linux kernels.

In the 6.1.4 release, we have added support for numerous kernels. This allows you to directly install the software on kernels listed in KB82066. If you need to install on a kernel that is not listed in KB82066, you can perform one of these tasks:

• Create a build file for the target kernel (on a testbed) and deploy the build to other production endpoints using McAfee ePO Endpoint Deployment Kit (EEDK) or manually.

• Request kernel support through the McAfee Accept portal by filing a Product Enhancement Request (PER). The Product Management team will accommodate the kernel in upcoming kernel release cycles. For information about how to submit a PER, see KB60021.

What are the possible deployment scenarios?

The installation workflow on the Linux operating system varies based on whether the target kernel is supported. Review KB82066 to verify whether support is available for the target kernel.


How do I install when the target kernel is supported?

Query: Has anything changed for me since the previous release?
Response: No. If the target kernel is supported, direct installation occurs on the kernel.

Query: Do I need to take care of any prerequisites?
Response: None.

Query: How do I install?
Response: Perform the steps listed in Install the Solidcore client on the endpoints.

How do I install on an unsupported target kernel?

Starting with the 6.1.0 release, we have included the capability to create kernel modules for target kernels. You can automatically create a build on a testbed and deploy the kernel module to production endpoints running the same kernel using EEDK or manually.


Component: Testbed

Prerequisites: Make sure these tools are installed on the testbed. Any non-conformance to the listed build environment will result in build and installation failures.

Build and packaging tools:

• gmake (provided by package make)

• gcc (provided by package gcc)

• ld (provided by package binutils)

• ar (provided by package binutils)

• rpmbuild (provided by package rpm-build on Red Hat and package rpm on SUSE)

• cpio (provided by package cpio)

Package versions should be the same as the versions that are packaged with the distribution ISO.

Kbuild framework: Make sure the framework is installed under /lib/modules/<kernel version>/build/ (provided by package kernel-source on SUSE 10, linux-headers on Ubuntu distributions, and package kernel-devel on other distributions).

Kernel source package: If you are running a 3.5.x or later kernel, make sure that you download the kernel source package and place it in the /usr/src directory.

How do I install? Make sure the testbed meets the prerequisites and then follow the instructions listed in Install the Solidcore client on the endpoints. The needed build is placed in the <install directory>/dks directory of the testbed and the software is installed on the testbed.

Component: Production endpoints

Prerequisites:

• No build or package tools are needed on production endpoints.

• Make sure that you create the /opt/solidcore directory on each production endpoint. This directory does not exist by default and needs to be manually created.

How do I install?

1 Create the /opt/solidcore directory on each production endpoint.

2 Fetch the created build from the <install directory>/dks directory of the testbed. The file name includes kernel details. The naming convention followed for the builds is solidifier-kmod-<rel>-<build>.<distro>.<kernel>.<arch>.<ext>.

• <distro> — the available distributions. LEL5 represents Red Hat Enterprise Linux 5, LEL6 represents Red Hat Enterprise Linux 6, LSES10 represents SuSE Enterprise Linux 10, LSES11 represents SuSE Enterprise Linux 11, and LUBT12 represents Ubuntu 12.

• <kernel> — the kernel for which the build was created.

• <arch> — i386 for 32-bit architecture and x86_64 for AMD 64-bit architecture.

• <ext> — .deb for Ubuntu and .rpm for other distributions.

Here is an example of a build created for the Red Hat Enterprise Linux 6 version:

solidifier-kmod-6.1.0-9321.LEL6.2.6.32-279.2.1.el6.i686.i386.rpm

3 Distribute the created build to production endpoints (to the /opt/solidcore directory) running the same kernel using EEDK or manually. For more information, see How do I distribute builds to endpoints using McAfee EEDK.

4 Follow the instructions listed in Install the Solidcore client on the endpoints.
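The naming convention above can be checked mechanically before a build is copied to /opt/solidcore. The shell functions below are an added example, not part of the McAfee guide or product: they split a build file name into its fields and select the build whose <kernel> field equals a given kernel release. They assume the <kernel> field is spelled exactly as uname -r prints it; the function names and the Ubuntu file name in the comments are constructed for illustration.

```shell
#!/bin/sh
# Added example (not McAfee code). Parses build names of the form
#   solidifier-kmod-<rel>-<build>.<distro>.<kernel>.<arch>.<ext>
# Example from the guide:
#   solidifier-kmod-6.1.0-9321.LEL6.2.6.32-279.2.1.el6.i686.i386.rpm
# Constructed Ubuntu example:
#   solidifier-kmod-6.1.0-9321.LUBT12.3.8.0-41-generic.x86_64.deb

# parse_kmod_name FILE
# Sets kmod_rel, kmod_build, kmod_distro, kmod_kernel, kmod_arch, kmod_ext and
# prints them on one line. Returns 1 if FILE does not follow the convention.
parse_kmod_name() {
    kmod_rest=${1##*/}                                  # drop any directory part
    case $kmod_rest in
        solidifier-kmod-*-*.*.*.*.*) kmod_rest=${kmod_rest#solidifier-kmod-} ;;
        *) return 1 ;;
    esac
    # <kernel> contains dots and hyphens itself, so peel fixed fields off both ends.
    kmod_ext=${kmod_rest##*.};    kmod_rest=${kmod_rest%.*}
    kmod_arch=${kmod_rest##*.};   kmod_rest=${kmod_rest%.*}
    kmod_rel=${kmod_rest%%-*};    kmod_rest=${kmod_rest#*-}
    kmod_build=${kmod_rest%%.*};  kmod_rest=${kmod_rest#*.}
    case $kmod_rest in *.*) ;; *) return 1 ;; esac      # need <distro>.<kernel>
    kmod_distro=${kmod_rest%%.*}; kmod_kernel=${kmod_rest#*.}

    case $kmod_rel   in ''|*[!0-9.]*) return 1 ;; esac  # <Major>.<Minor>.<Patch>
    case $kmod_build in ''|*[!0-9]*)  return 1 ;; esac
    case $kmod_arch  in i386|x86_64) ;; *) return 1 ;; esac
    [ -n "$kmod_kernel" ] || return 1
    # Distribution codes listed in the guide; .deb for Ubuntu, .rpm for the rest.
    case $kmod_distro.$kmod_ext in
        LEL5.rpm|LEL6.rpm|LSES10.rpm|LSES11.rpm|LUBT12.deb) ;;
        *) return 1 ;;
    esac
    printf '%s %s %s %s %s %s\n' "$kmod_rel" "$kmod_build" "$kmod_distro" \
        "$kmod_kernel" "$kmod_arch" "$kmod_ext"
}

# find_build_for_kernel DIR KERNEL
# Prints every build in DIR whose <kernel> field equals KERNEL; returns 1 if none.
# Assumption: <kernel> is spelled exactly as `uname -r` prints it. The SuSE 11
# exceptions the guide mentions are not handled.
find_build_for_kernel() {
    kmod_found=1
    for kmod_file in "$1"/solidifier-kmod-*; do
        [ -f "$kmod_file" ] || continue
        parse_kmod_name "$kmod_file" >/dev/null || continue
        if [ "$kmod_kernel" = "$2" ]; then
            printf '%s\n' "$kmod_file"
            kmod_found=0
        fi
    done
    return "$kmod_found"
}

# Usage: sh kmod-select.sh <directory with builds> [kernel release]
if [ "$#" -ge 1 ]; then
    find_build_for_kernel "$1" "${2:-$(uname -r)}" ||
        { echo "no build for kernel ${2:-$(uname -r)} in $1" >&2; exit 1; }
fi
```

A file that fails to parse, or a directory with no build for the running kernel, is worth catching on the testbed side, because the production endpoints carry no build tools to recover with.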


How do I distribute builds to endpoints using McAfee EEDK?

McAfee ePO Endpoint Deployment Kit (EEDK) integrates with McAfee ePO versions 4.5, 4.6, 5.0, and 5.1 to provide a packaging tool for creating McAfee ePO deployable packages. Use the McAfee EEDK tool to create a package of the compiled kernel modules and the EEDK script.

Compiled kernel modules: Represent one or more kernel modules (kmod rpm packages) built for various target kernel versions.

EEDK script: Allows you to distribute the compiled kernel modules to production endpoints running Application Control and Change Control (version 6.1.0 and later). Download the EEDK script from the 6.1.0 patches section of the McAfee Downloads website.

When you deploy the package created by EEDK on the target endpoints, the EEDK script copies the kernel module files specific to the platform and architecture of the target endpoints. These files are then reused by the Solidcore client on all endpoints that are running the same kernel.

1 Download the EEDK tool. For more information about the tool, see the documents available with the EEDK tool package.

2 Identify all kernels where kmod rpm distribution is required using the EEDK script.

3 Create the kernel modules (kmod rpm packages) for all identified kernels by executing builds on corresponding testbeds.

4 Place these files in a single directory on a Windows system:

• EEDK script

• One or more kernel modules (kmod rpm packages built for various target kernels)

5 Click EEDK.exe to run the EEDK tool.

6 Specify these values:

• Path to folder containing needed kernel modules and EEDK script.

• Name to identify the package. For example, you can specify the Product Name as MACEEDK.

• ID to distinguish the package from the previously-created packages. For example, you can specify the Product ID as 5000.

• Version to indicate the package version.

• Description text that represents the product name listed in the McAfee ePO master repository. Use this field to distinguish the EEDK package from other packages in the master repository.

• Command to execute using the ./<eedk_script> [MAC/MCC Version] syntax. Here <eedk_script> is the name of the EEDK script. The Application Control or Change Control (MAC/MCC) version argument is optional, and you must specify it in the form of <Major>.<Minor>.<Patch>-<Build>, for example, 6.1.0-9500. If you provide the version information, the script will copy the kmod packages only for the specified Application Control or Change Control version to the /opt/solidcore directory. However, if the script doesn't find the rpm file for the specified version in the package, it considers that no version information is provided and tries to copy the kmod packages for all Application Control or Change Control versions to the /opt/solidcore directory.

7 Select the Linux checkbox in the OS Support field.

For all other fields, do not change the default values.

8 Navigate to Tools | Options and specify the folder to store the created package in the Build Folder field.

9 Click Save to return to the main screen.


10 Click Build Package.

11 Check in the created package to the McAfee ePO master repository.

12 Verify that the name specified in the Product Description field is listed in the master repository.

13 Create a product deployment task for this EEDK package using McAfee ePO and push the package to the target endpoints.

Pushing the product deployment task creates the /opt/solidcore directory and copies the respective kmod rpm packages to the endpoints.

14 Perform one of these steps:

• For Solidcore client installation or upgrade — Push product deployment task for Solidcore client from McAfee ePO to the target endpoints.

• For kernel upgrade (Solidcore client is already installed on endpoints) — Restart endpoints in the new kernel.

How does installation occur?

When you run the Product Deployment task, the software executes the installation script to perform installation. The installation script performs these checks and tasks.


B Frequently Asked Questions

Here are answers to frequently asked questions.

Can the same Solidcore client be used for Change Control and Application Control?

The license key determines the features available for use; any or all features can be used at a time. At any time, you can add and enable a new stock-keeping unit (SKU) on an endpoint where the Solidcore client is enabled. For example, if you are currently using Change Control and want to add and use Application Control, complete these steps.

1 Disable the Solidcore client on the endpoint.

For more information, see McAfee Change Control and McAfee Application Control Product Guide.

2 Enter the license.

For more information, see Specify licenses.

3 Enable the Solidcore client on the endpoint.

For more information, see Enable the Solidcore client.

Can the Solidcore client be deployed on a virtual machine?

The Solidcore client works on a virtual machine if the operating system installed on the virtual machine is supported by the Solidcore client. For a list of the supported platforms, see KB76459 (for Change Control) and KB73341 (for Application Control).

Can I use third-party software to distribute and deploy this software?

You can install, upgrade, or uninstall the Change Control and Application Control software using third-party tools, such as Microsoft System Center Configuration Manager. For more information about software distribution, see the documentation for your third-party tool.

Before using a software distribution tool, assign updater privileges to relevant binary files of the tool. For more information about how to add updaters, see the McAfee Change Control and McAfee Application Control Product Guide.

How can I upgrade the kernel on my Linux system where Change Control or Application Control is installed?

1 Place Change Control or Application Control in Update mode. For information about how to place the system in Update mode, see the McAfee Change Control and McAfee Application Control Product Guide.

2 Install the new kernel.

3 Exit Update mode and place Change Control or Application Control in Enabled mode. For information about how to exit Update mode, see the McAfee Change Control and McAfee Application Control Product Guide.


4 Review KB82066 to verify whether the target kernel is supported.

5 Perform one of these steps.

• If the target kernel is supported, boot with the new kernel to upgrade the software.

• If the target kernel is not supported, create a build on a testbed and then install on the endpoint using the created build.

1 Make sure that the testbed meets the needed prerequisites. For detailed information, see Create builds for unsupported Linux kernels.

If the target kernel is not supported and you have filed a PER to get support, upgrade the software before booting with the new kernel.

2 Perform one of these tasks:

• If Change Control or Application Control was already installed on the testbed, boot with the new kernel to upgrade the software.

• If Change Control or Application Control is not installed on the testbed, install the software on the testbed by following the instructions listed in Install the Solidcore client on the endpoints.

3 Create the /opt/solidcore directory on the endpoint.

4 Fetch the created build from the <install directory>/dks directory of the testbed and place it in the /opt/solidcore directory of the production endpoints. You can deploy the build to production endpoints using EEDK or manually. For detailed information about using EEDK, see Create builds for unsupported Linux kernels.

5 Boot with the new kernel to upgrade the software. Regardless of the mode in which Change Control or Application Control is running, the software automatically detects the new kernel.

I installed Change Control or Application Control on kernel 2.6.32-279.EL6.x86_64. Will my existing setup work accurately if I upgrade to 2.6.32-279.1.1.EL6.x86_64, 2.6.32-279.2.1.EL6.x86_64, or any other similar kernel?

While it seems like only minor differences exist between the kernels, 2.6.32-279.1.1.EL6.x86_64 and 2.6.32-279.2.1.EL6.x86_64 are different from the installed kernel 2.6.32-279.EL6.x86_64. Because these are different, you must follow the workflow that you would follow when you upgrade the kernel.

To verify if two kernels are the same, check the output of the uname -r command for both kernels. If the outputs for both commands match, the kernels are the same. A few accepted exceptions exist for SuSE 11. For example, if kernel 3.0.80-0.7.1 is installed, the output of the uname -r command is 3.0.80-0.7.

I installed Change Control or Application Control and am now unable to place my Linux endpoint in Enabled mode. Alternatively, I am unable to place my Linux endpoint in Enabled or Update mode from Disabled mode. What could be the cause?

If your target kernel is not supported, the software automatically creates the required build for the installed kernel (if all prerequisites are available). After installation is complete, the software runs the sanity suite to validate the installation. You might be unable to place the endpoint in Enabled mode if the sanity suite fails. Review the properties for your Linux system to verify the status of the sanity suite.


1 Wake up the agent to fetch properties immediately.

Typically, information is exchanged between the agent and server after the agent-server communication interval (ASCI) lapses. The default ASCI value is 60 minutes. Send an agent wake-up call to ensure immediate communication and data exchange between the server and the agent, without waiting for the ASCI to expire.

2 Click the Linux system on the Systems page to view details for the endpoint.

3 Click the Products tab.

4 Click the Solidcore row and verify the value for the Build Validation property. Contact McAfee Support if the value is Failed.

How can I determine if I need to restart an endpoint running the Windows operating system after I upgrade from the 6.1.3 version of Change Control or Application Control?

Determine if you need to restart a specific endpoint

1 Click the endpoint on the Systems page to view details for the selected endpoint.

2 Click the Products tab.

3 Click the Solidcore row to view product details.

4 Review the value for the Upgrade Status property.

Determine if you need to restart multiple endpoints

1 On the McAfee ePO console, click Menu | Queries and Reports | McAfee Groups | Application Control.

2 Click New.

3 Select Solidcore Client Properties for the Result Type and click Next.

4 Select Table in the Display Results As list, select System Name in the Sort By list, and click Next.

5 Add the Upgrade Status property and click Next.

6 Click Run to view details for the endpoints in your setup.

On the Ubuntu platform, I am trying to create a kernel module for a target kernel and have completed the prerequisites for the testbed. However, I am still unable to create a build for a target kernel.

Before you create a kernel module for a 3.5.x or later kernel on the Ubuntu platform, you must install the source package of the kernel. Verify the folder name of the kernel source package that is placed in the /usr/src directory. Make sure the folder name is similar to linux-lts-<release-name>-<kernel x.x.x>.

For example, if you are running the 3.8.0-41-generic kernel, the corresponding directory will be /usr/src/linux-lts-raring-3.8.0. Similarly, for kernel 3.5.0-23-generic the corresponding directory will be /usr/src/linux-lts-quantal-3.5.0.
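A preflight for the testbed prerequisites listed in Create builds for unsupported Linux kernels, together with the Ubuntu source-directory rule from this answer, written as shell functions. This is an added example, not part of the McAfee guide or product; the ROOT parameter, the function names and the ubuntu switch are hypothetical, and the tool names are checked exactly as the guide lists them.

```shell
#!/bin/sh
# Added example (not McAfee code): preflight for a kernel-module testbed.
# ROOT is a hypothetical parameter: "" on a live system, or a staged directory
# tree when rehearsing the checks.

BUILD_TOOLS="gmake gcc ld ar rpmbuild cpio"    # names as listed in the guide

# Prints the listed tools that are not on PATH; returns 1 if any are missing.
missing_build_tools() {
    pf_missing=
    for pf_tool in $BUILD_TOOLS; do
        command -v "$pf_tool" >/dev/null 2>&1 ||
            pf_missing=${pf_missing:+$pf_missing }$pf_tool
    done
    if [ -n "$pf_missing" ]; then
        printf '%s\n' "$pf_missing"
        return 1
    fi
}

# kbuild_present ROOT KERNEL
# Kbuild framework must exist under /lib/modules/<kernel version>/build/.
kbuild_present() {
    [ -d "$1/lib/modules/$2/build" ]
}

# needs_kernel_source KERNEL
# True for 3.5.x or later kernels, which also need the kernel source package
# in /usr/src.
needs_kernel_source() {
    case $1 in *.*) ;; *) return 1 ;; esac
    pf_major=${1%%.*}
    pf_minor=${1#*.}; pf_minor=${pf_minor%%.*}
    case $pf_major in ''|*[!0-9]*) return 1 ;; esac
    case $pf_minor in ''|*[!0-9]*) return 1 ;; esac
    [ "$pf_major" -gt 3 ] || { [ "$pf_major" -eq 3 ] && [ "$pf_minor" -ge 5 ]; }
}

# ubuntu_source_dir ROOT KERNEL
# Prints /usr/src/linux-lts-<release-name>-<kernel x.x.x> if it exists,
# e.g. linux-lts-raring-3.8.0 for 3.8.0-41-generic.
ubuntu_source_dir() {
    for pf_dir in "$1"/usr/src/linux-lts-*-"${2%%-*}"; do
        if [ -d "$pf_dir" ]; then
            printf '%s\n' "$pf_dir"
            return 0
        fi
    done
    return 1
}

# preflight ROOT KERNEL [ubuntu]
# Prints one line per problem and returns the number of problems found.
preflight() {
    pf_problems=0
    if ! pf_out=$(missing_build_tools); then
        echo "missing build tools: $pf_out"
        pf_problems=$((pf_problems + 1))
    fi
    if ! kbuild_present "$1" "$2"; then
        echo "no Kbuild framework at $1/lib/modules/$2/build"
        pf_problems=$((pf_problems + 1))
    fi
    # The guide gives a directory name only for Ubuntu, so only that layout is checked.
    if [ "${3:-}" = ubuntu ] && needs_kernel_source "$2" &&
       ! ubuntu_source_dir "$1" "$2" >/dev/null; then
        echo "no $1/usr/src/linux-lts-<release-name>-${2%%-*} source directory"
        pf_problems=$((pf_problems + 1))
    fi
    return "$pf_problems"
}

# Usage: sh preflight.sh check [ubuntu]   (checks the running kernel)
if [ "${1:-}" = check ]; then
    preflight "" "$(uname -r)" "${2:-}"
fi
```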



Page 37: McAfee Change Control and McAfee Application Control 6.1.4 ... · Important/Caution: Valuable advice to protect your computer system, software installation, network, business, or

00


Recommended