Regardless of whether you use a rule group or policy, the framework available to define rules is the same. For more information on the type of rules you can define, see theManaging protected endpoints section.
Using variables in rules
The path specified in a rule can include system environment variables (only on the Windows platform). The following table lists the supported system variables.
Example value (true for most Windows platforms) Variable
C:\Documents and Settings\All Users %ALLUSERSPROFILE%
C:\Documents and Settings\{username}\Application %APPDATA%
C:\Program Files\Common Files %COMMONPROGRAMFILES%
C:\Program Files (x86)\Common Files %COMMONPROGRAMFILES (x86)%
C: %HOMEDRIVE%
C:\Documents and Settings\{username}(\ on earlier Windows) %HOMEPATH%
C:\Program Files %PROGRAMFILES%
C:\Program Files (x86) (only in 64-bit version) %PROGRAMFILES (x*86)%
C: %SYSTEMDRIVE%
C:\windows (C:\WINNT on earlier Windows versions) %SYSTEMROOT%
C:\Documents and Settings\{username}\local Settings\Temp %TEMP% (system) %tmp% (user)
C:\Temp
C:\Documents and Settings\{username} %USERPROFILE%
(C:WINNT\profiles\{username} for earlier versions)
C:\Windows %WINDIR%
Understanding path considerations
These considerations apply to path-based rules. • Path need not be absolute when specifying rules.
Getting started with Application Control Designing the trust model
For example, when defining an updater you can specify the partial path, such as AcroRd32.exe or Reader\AcroRd32.exe or fully-qualified path, such as C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32.exe. If you specify the partial path, all programs with names that match the specified string are assigned updater privileges. If you specify the fully-qualified path, only the specified program is assigned updater privileges.
Similarly, when banning a file if you specify the partial path, such as notepad.exe, all programs with names that match the specified string are banned. However, if you specify the
fully-qualified path, for example C:\Windows\system32\notepad.exe, only the specified file is banned. Alternatively, if you specify the checksum value, only the file with the specified checksum value is banned.
• Paths can contain white spaces.
• Paths can include the wildcard character (*). However, it can only represent one complete path component. Here are a few examples.
Using \abc\*\def is allowed while \abc\*.doc, \abc\*.*, or \abc\doc.* is not supported. Windows platform
Using /abc/*/def is allowed while /abc/*.sh, /abc/*.*, or /abc/doc.* is not supported. UNIX platform
Are any predefined rules available?
Yes, Application Control includes predefined rules for commonly-used applications. The following predefined rules are included:
• McAfee Default (one each for UNIX and Windows). For detailed information, see theReviewing the predefined rules section.
• Common ActiveX Rules. For detailed information, see theReviewing predefined ActiveX rules section.
• McAfee Applications (McAfee Default). This policy includes McAfee-specific rules that allow other McAfee products to run successfully on protected endpoints. These rules are also included in the McAfee Default (Windows) policy.
How do I define rules?
Use this table to define the rules to design the trust model. You can perform these actions when creating or modifying an Application Control policy or rule group.
Table 5: Designing the Trust Model
Steps Action
1. Select the Updaters tab and click Add. The Add Updater dialog box appears. Add an updater
2. Enter the location of the executable binary.
3. Specify an identification label for the program. For example, if you specifyAdobe Updater changes as the label, all changes made by Adobe 8.0 updater are tagged with this label. 4. Specify conditions that the binary file must meet to run as an updater.
• Select None to allow the binary file to run as an updater without any conditions. • Select Parent to allow the binary file to run as an updater only if it is launched by the
specified parent. For example, when configuring updater.exe as an updater to allow changes to Mozilla Firefox, specify firefox.exe as the parent. Although updater.exe is a generic name that can be part of any installed application, using the parent ensures that only the correct program is allowed to run as an updater.
• Select Library to allow the binary file to run as updater only when it has loaded the specified library. For example, when configuring iexplore.exe as an updater to allow Windows Updates using Internet Explorer, specify wuweb.dll as the library. This ensures that the iexplore.exe program has updater privileges only until the web control library (wuweb.dll) is loaded.
Getting started with Application Control Designing the trust model
Steps Action
5. Indicate whether to disable inheritance for the updater. For example, if Process A (that is set as an updater) launches Process B, disabling inheritance for Process A ensures that Process B will not become an updater.
6. Indicate whether to suppress events generated for the actions performed by the updater. Typically, when a updater changes a protected file, a File Modified event is generated for the file. If you select this option, no events are generated for changes made by the updater. 7. Click OK.
1. Select the Binary tab and click Add. The Add Binary dialog box appears. Allow or ban a
binary file 2. Specify an identifier for the rule in the Rule Name field. You can use the identifier to group related rules. For example, you can specifyBanning unauthorized programs as the identifier for all rules that you define to ban unauthorized programs in your organization.
3. Indicate whether to allow or ban the binary file.
4. Indicate whether to allow or ban the binary file based on the file's name or checksum value. 5. Enter the name or checksum value.
6. Click OK.
You can either enter user details or import user or group details from an Active Directory. Ensure that the Active Directory is configured as a registered server.
Specify authorized users permitted to
override the Specify details to authorize users to override the protection in effect . (Windows only) protection in effect
1. Click Add on the Trusted Users tab. The Add User dialog box appears. (only for the
Windows platform) 2. Enter the domain and logon name of the user in the domain\user format.
3. Specify a unique identification label for the user. For example, if you specify John Doe's Changes as the identification label for the John Doe user, all changes made by the user will be tagged with this label.
4. Type the user name. 5. Click OK.
Import user details from an Active Directory.
1. Click AD Import on the Trusted Users tab. The Import from Active Directory dialog box appears.
2. Select the server.
3. Select Global Catalog Search to search for users in the catalog (only if the selected Active Directory is a Global Catalog server).
4. Specify whether to search for users based on the UPN (User Principal Name) or SAM account name. Note that your search will determine the authorized user. If you search using the UPN or common name, the user will be trusted with the UPN and if you search using the SAM account name, the user will be trusted with the SAM account name.
5. Enter the user name. The Contains search criteria is applied for the specified user name. 6. Specify a group name to search for users within a group.
NOTE:You cannot directly add a group present in the Active Directory to a policy. To authorize all users in a group, add the user group to a rule group and include the rule group in a policy. Using groups ensures that all changes to a user group automatically cascade across all rule groups and associated policies.
7. Click Find. The search results are displayed.
8. Select the users to add in the search results and click OK.
1. Select the Publishers tab and click Add. The Add Publisher dialog box appears. Add a publisher
2. Search for and add the certificate. For example, you can search for and add the Microsoft certificate.
3. Optionally, select the Add Publisher(s) as Updater option to provide updater privileges to the publisher. For example, if you set the Microsoft certificate that signs the Internet Explorer Getting started with Application Control
Steps Action
application as an updater, Internet Explorer can download and execute any application from the internet.
4. Specify an identification label for the publisher. 5. Click OK.
1. Select the Installers tab and click Add. The Add Installer dialog box appears. Add an installer
2. Search for and add the installer. For example, you can add the installer for the Adobe Reader to allow users to run the installer on the endpoints.
3. Specify an identification label for the installer. 3. Click OK.
1. Select the Exceptions tab and click Add. The Add Attribute dialog box appears. Add an exception
2. Enter the file name.
3. Select the required options. For detailed information on the available options, see the Defining memory-protection bypass rules section.
4. Click OK.
1. Select the Trusted Directories tab and click Add. The Add Path dialog box appears. Add a trusted
directory 2. Enter the location of the directory.
3. Select Include or Exclude. Use the Exclude option to exclude a specific folder or subfolder within a trusted directory.
4. Optionally, select the Make programs executed from this directory updaters option to allow the software located at that UNC path to modify the endpoints.
5 Click OK.
1. Click Add Rule on the Advanced tab. A new filter row appears. You can create filters based on files, events, programs, registry keys, and users.
Specify advanced exclusion filters
2. Edit the settings to specify the filter.
3. Click + or Add Rule to specify additional AND or OR conditions, respectively.
You can also define advanced exclusion filters from the Events page. For more information, see theExcluding events section.