Application whitelisting review: McAfee Application Control

McAfee Application Control 5.0 (due out Dec. 15) is the result of McAfee's acquisition of Solidcore and the integration of Solidcore S3 Control with McAfee ePolicy Orchestrator (ePO). McAfee Application Control rivals SignaCert for the broadest client support among all the products in InfoWorld's review. It also boasts write protection and ownership protection of whitelisted files, good reporting and alerting, and no significant cons.

McAfee Application Control can enforce whitelisting policies on Windows NT 4 through Windows Server 2008 (Windows 7 support is forthcoming), Suse Linux 9 and 10, Oracle Enterprise Linux, Red Hat Linux 3 through 5 (and CentOS), and Solaris 8 through 10. Its precursor, Solidcore S3 Control, is in use on thousands of client nodes and is deployed on more than 250,000 ATMs.

McAfee Application Control's management console is a dashboard component of McAfee ePO 4.5 (screen image). Administrators connect via a secure browser session, where they can manage Application Control and any other McAfee security solutions they have deployed.

Protected PCs are considered "Solidified," a term that harkens back to the product's Solidcore days. The client interface is minimal, consisting of command-line instructions and parameters. Clicking an icon on the client desktop, called the McAfee Solidifier Command Line (screen image), gives access to all the Solidifier console commands, which allows a user to control everything an administrator could from within the ePO management console. Of course, ePO configurations can prevent local commands from working.

What McAfee Application Control may lack in client interface it makes up for in overall functionality. It can allow or deny program executions by file name, SHA-1 hash, path rules, and digital certificates. McAfee's solution is one of only two products in this review (the other is Lumension) to allow or deny individual scripts or files of any type, although configuring these policies takes extra steps in McAfee. (SignaCert can monitor individual scripts, or any file type, but cannot block executions.) An administrator must first create a rule about the script interpreter or originating process, but then can allow or prevent individual scripts and files. For example, to prevent individual Perl scripts, the administrator would have to create a rule regarding Perl.exe, but then can allow or deny individual Perl scripts. Similarly, 16-bit applications can be controlled by first creating a rule about Ntdvm.exe, and then marking the individual 16-bit applications.

Test Center Scorecard
	30%	15%	25%	10%	20%
McAfee Application Control 5.0	9	9	9	8	8	8.7 Very Good

Whitelisting rules can be created by defining trusted binaries, users, publishers, and directories. Trusted directories can include excluded subfolders so that not every location and file under a trusted parent folder is automatically trusted by default.

McAfee Application Control can also allow or prevent individual Java applets and provide memory write protection against buffer overflows. Here again, McAfee is one of only two products in this review to provide this protection. However, McAfee's buffer overflow protection is not quite as strong as CoreTrace's solution, and it could not cut off previously existing buffer overflows that were running before the product was enabled.

Like Bit9 Parity and CoreTrace Bouncer, McAfee write-protects whitelisted application files to prevent modifications, deletions, and moves. McAfee also prevents any user from "taking ownership" of protected files, which could allow an elevated user to obtain full control of someone else's file. Text and configuration files, such as the DNS Hosts file, can be protected from the client command line (by using the sadmin.exe wp command) and centrally through a separate ePO module called Change Control.

Programs and applications that are intended by administrators as the official way to upgrade existing files can automatically be trusted by running from a trusted folder, being classified as a trusted binary, or being identified as a trusted updater. McAfee comes with more than 30 predefined trusted updaters. Updaters can be further restricted by path and parent executables. For example, winlogon.exe could be allowed to update other files only when first called by the Microsoft Systems Management Server updater application. This sort of restrictive defining might prevent unauthorized users from manipulating trusted installers and other files to install unauthorized software.

Client-side blocking and warning messages cannot be customized, but the ePO management console has strong reporting and alerting (screen image). Events are captured to each client's local Application event log and reported to the centralized log database. There are at least 20 reports (called Queries) out of the box, each of which can show a graphical representation and allow drill downs into the underlying data. Existing reports can be moderately edited and new custom reports (and Dashboard queries) created. Alerts can be sent using e-mail, SNMP traps, and syslog. Using the management console, specific instances of any binary can be found on any managed computer, including its complete history, such as when it appeared, who installed it, and so on.

McAfee's ePO is a powerful, extensible, centralized computer security console, and it brings sophisticated management and reporting tools to Solidcore's whitelisting product. However, it sometimes introduces additional steps in the configuration process.

This story, "Application whitelisting review: McAfee Application Control," and reviews of competing products from Bit9, CoreTrace, Lumension, SignaCert, and Microsoft, were originally published at InfoWorld.com. Follow the latest developments in information security and endpoint security at InfoWorld.com.