The McAfee University Application Control / Change Control Administration course enables attendees to receive in-depth training on the full benefits and deployment of McAfee Application Control / Change Control products. Enabling administrators to fully understand the capabilities of their security solution not only reduces the risks of mis-configuration but also ensures an organization gets the maximum protection from their installation.

• Understand the capabilities of McAfee’s Application Control / Change Control solution
• Install and administer
• Manage remote
• Protect end points.

Module 1: Introduction to the McAfee Application  Control/Change Control

• What is MACCC?
• Supported Operating Systems
• Solidcore Architecture
• Multi-layered Security Solution
• Whitelisting
• Trust Model
• Image Deviation
• Differentiators
• Visibility and Enforcement for End- to-end Compliance
• File Integrity Monitoring
• Change Prevention
• Install Workflow
• Navigation to Solidcore Components
• Solidcore Configuration
• Updaters or Publishers
• Solidcore Configuration
• Installers
• Solidcore Policies
• Windows Path Definitions
• Solidcore Server Tasks
• Solidcore: Purge Task
• Migration Server Task
• Calculate Predominant Observations (Deprecated)
• Content Change Tracking Report Generation
• Solidcore: Run Image Deviation
• Image Deviation (Application Control)
• Specifying a Golden Image
• Solidcore: Scan a Software Repository

Module 2: Planning a McAfee® ePolicy Orchestrator™ Deployment

• Platform Requirements
• ePO Server Hardware Requirements
• ePO Server Operating Systems
• ePO Server Prerequisite Software
• Supported Web Browsers
• Supported SQL Server Releases
• Default Communication Ports
• Default Ports
• Determining Ports in Use
• Virtual Infrastructure Requirements
• Deployment Guidelines
• Deployment Scenario: Basic Plan
• Solution A: One ePO Server
• Solution B: Two ePO Servers
• Solution C: ePO server with Agent Handlers
• Deployment Scenario: Disk Configuration
• Solution: Less than 5,000 Nodes
• Solution: 5,000 to 25,000 Nodes
• Deployment Scenario: Disk Configuration
• Solution: 25,000 to 75,000 Nodes
• Solution: More than 75,000 Nodes
• Database Sizing
• How Products and Events Affect Calculations
• Example: Calculating Averages
• Calculating Your Environment
• Managing Scalability
• Environmental Factors

Module 3: Security Connected and McAfee® ePolicy Orchestrator™ Overview

• Security Evolution
• Security Connected
• Breadth and Depth for Security
• ePO Solution Overview
• New for this Release
• Basic Solution Components
• How ePO Works
• Essential Features
• Integration with Third-Party Products
• ePO Web Interface
• Menu Page
• Customizing the User Interface
• Architecture and Communication
• Functional Process Logic
• Data Storage

Module 4: McAfee® Agent

• McAfee Agent Overview
• New for This Release
• Agent Components
• Agent-Server Secure Communication Keys
• Communication after Agent Installation
• Typical Agent-to-Server Communication
• McAfee Agent-to-Product Communication
• Forcing Agent Activity from Server
• Wake-up Calls and Wake-up Tasks
• Configuring Agent Wake-up
• Locating Agent Node Using DNS
• Using System Tray Icon
• Forcing McAfee Agent Activity from Client
• Viewing McAfee Agent Log
• ePO 4.x/McAfee Agent 4.x Feature Dependencies
• Agent Files and Directories
• xml
• McAfee Agent Log Files
• Using Log Files
• Installation Folders

Module 5: Application Control/Change Control Extension  Installation

• Extensions in ePO
• Extensions Menu
• Integration of AC/CC Extension
• Installation Requirements
• System Requirements
• ePO Database Sizing
• Installation of Extension
• Solidcore Licensing
• What is Solidcore?
• Install Workflow Review
• Installing Licenses
• Solidcore Database Tables

Module 6: Solidcore Client

• Solidcore Architecture
• The agent plug-in and how it works
• Types of Platforms Protected
• Supported Systems
• Check in Agent Plug-in Package into ePO
• Deploying the Solidcore Agent Plug- in
• Verifying Installation from the Endpoint
• Solidcore Client Tasks
• Enable Solidcore Agent Task
• Disable Solidcore Agent Task
• Initial Scan to Create Whitelist
• Pull Inventory
• Begin Update Mode
• End Update Mode
• Change Local CLI Access
• Collect Debug Info
• Run Commands
• Get Diagnostics for Programs
• Features for the Client
• Client Notifications and Events
• Client Events and Approvals
• Customizing Client Notifications

Module 7: Application Control Initial
Configuration

• What are Observations?
• Observe Mode
• Manage requests
• Review requests
• Process requests
• Allow by checksum on all endpoints
• Allow by publisher on all endpoints
• Ban by checksum on all endpoints
• Define custom rules for specific endpoints
• Allow by adding to whitelist for specific endpoints
• Define bypass rules for all endpoints
• Delete requests
• Review created rules
• Throttle observations
• Define the threshold value
• Review filter rules
• Manage accumulated requests
• Exit Observe mode
• Inventory Introduction
• Fetch Inventory
• GTI Integration
• Trust level and score
• Cloud Trust Score
• Inventory Without Access to GTI
• Fetch McAfee GTI ratings for isolated networks
• Export SHA1s of all binaries
• Run the Offline GTI tool
• Fetch Inventory – Bad File Found Event
• Manage the inventory
• Manage Binaries
• Application Control Policies
• Role of the Policy
• Application Control Configuration
• Managing Rule Groups
• Creating an Application Control Rule Group
• Updater Tab
• Trusted Users
• Exceptions
• Using a Rule Group to Block an Application

Module 8: Application Control Feature Administration

• What is Update Mode?
• How to Update a Solidified System
• Auto-Updaters
• Authorized Updaters
• Determining Updaters
• Understanding Publishers
• Understanding Installers
• Scan a Software Repository
• Revisit – Solidcore Permission Sets
• Reboot Free Activation
• Inventory Management Enhancements
• Inventory Management – Pull Inventory
• Inventory By Application
• Inventory By Systems
• Inventory Application Drill-down
• Inventory Binary Drill-down
• Search Filters
• Modifying Enterprise Trust Level

Module 9: Event and Alerts

• Understanding Events
• What Creates an Event
• When Are Events Sent Back?
• Viewing Events
• Advanced Filters
• Selecting Columns to Display
• Viewing the Details of an Event
• Solidcore Events
• Example of Solidcore Events
• Application Control Events
• Planning Automatic Responses
• Throttling, Aggregation, and Grouping
• Alerts
• Understanding Alerts
• Scenarios
• Configuring a Solidcore Alert
• Viewing an Alert
• Support of SNMP Alerts
• Customizing End User Notifications
• Syslog Enhancements

Module 10: Change Control Initial
Configuration

• Application Control & Change Control
• Change Control & Integrity Monitoring
• Scenario
• File Integrity Monitoring
• Workflow
• Disable Solidcore
• Enable Solidcore on the Endpoint
• Verifying Client Task Completion
• Integrity Monitoring Policies
• Using Integrity Monitor
• Creating an Integrity Monitor policy
• Integrity Monitoring Policies
• Testing your Monitoring
• Reducing “Noise”
• Example of Reducing “Noise”

Module 11: Using the Policy Catalog and Managing Policies

• Change Control Policies
• Role of the Policy
• Variables for Use in Policies
• Example of Variables in a Rule Group
• Scenario
• Write Protect a File, Trusted Program can Alter
• Write Protect a Registry Key, Program can Alter
• Write Protect a File, Trusted User can Alter
• Verifying only Trusted User can Alter
• Read Protection must be Enabled
• Read Protect a File, Trusted Program can Access
• Emergency Changes
• Content Change Tracking
• One Click Exclusion (Advanced Exclusion Filtering)
• One Click Exclusion Configuration
• Troubleshooting

Module 12: Dashboards and  Reporting

• The Dashboard
• ePO Dashboards
• Queries As Dashboard Monitors
• Dashboard Access
• Dashboard Configuration
• Solidcore Dashboards
• Application Control Dashboard
• Change Control Dashboard
• Integrity Monitor Dashboard
• Inventory Dashboard
• Solidcore Queries
• Reporting > Solidcore
• Application Control > Inventory
• Application Control > Image Deviation
• Automation > Solidcore Client Task Log
• Scenario
• Creating a Customized Dashboard
• Making a Dashboard Public
• Set the Default Dashboard

Module 13: Troubleshooting

• Solidcore Architecture and Components
• Solidcore 6.1.3 Architecture
• Troubleshooting References
• Location of Solidcore Files on Endpoint
• ePolicy Orchestrator Application Server Service Logs
• Solidcore Registry Keys on Endpoint
• Solidcore Services
• Troubleshooting Best Practice
• Escalation Best Practices
• Troubleshooting GTI Cloud Issues Best Practice
• Top Issues – Task Failure
• Top Issues – Denied Execution Issues
• Top Issues – Denied Execution of a Network Share
• Top Issues – Network Share
• Top Issues – KB
• Useful Tools
• Solidcore Event Logs
• Solidcore User Notifications
• Solidcore Troubleshooting Tools
• Escalation Tools
• Solidcore Database Tables
• Minimum Escalation Requirements (MER)
• Running MER Tool on Client
• Dump Tools

Module 14: Case Studies

• A Case from History
• Unpatched, Known Vulnerabilities in the Client
• Browser-based Exploits
• The Remedy
• Application Whitelisting
• Increasing Compliance Requirements
• Remedy
• File Monitoring
• Complete the Task

Module 15: CLI Administration

• Solidcore CLI
• Location of Solidcore Files on Endpoint
• Viewing the CLI Access
• Enabling the CLI
• Unlocking the CLI Locally
• Securing the CLI
• Using the CLI
• SADMIN Commands
• Solidifying from the CLI
• Unsolidifying
• What is Solidcore’s Status?
• Beginning the Update Status
• Ending the Update Status
• Enabling and Disabling Solidifier
• SADMIN Commands
• Advanced SADMIN Commands
• Solidcore Commands
• New CLI Commands
• Application Control Rules & Helpful Commands
• Read/Write Protect Files
• Change Control Commands – Write Protection
• How To Write Protect a File
• Modifying a Read/Write Protected Files
• Change Control Features – Write Protection
• Application Control
• Authorize Command Arguments
• Discovering and Adding Updaters
• SADMIN Diag Notations
• Discovering and Adding Updaters
• Using Attributes to Control File Execution
• Attributes
• Using Attributes to Control File Execution
• Viewing Solidcore Events
• Event Sinks
• Logging Events
• Event Names and Log Entries
• Product Tools

Module 16: Best Practices

• Review of Initial Setup Tasks
• Systems Tree Infrastructure
• Communication between ePO and Agent
• Activation Options: Application Control Only
• Inventory Collection Scan
• Protection State Selection
• Protection State Delivery
• Testing Protection mechanisms
• Policies and Rule Groups
• Policy Tuning
• Bypass Rules and Exclusions
• Inventory and Whitelist
• Updaters
• Application Control Memory Protection
• Maintenance
• Basic Troubleshooting and FAQs
• Solving Memory Discrepancies
• Helpful Resources

• System and network administrators, security personnel, auditors, and/or consultants concerned with network and system security should take this

It is recommended that the students have a working knowledge of Microsoft Windows administration, system Administration concepts, a basic understanding of computer security concepts, and a general understanding of viruses and anti-virus technologies.