Administration using the

Command Line Interface

Module 18

McAfee Application Control and Change Control 8.3.2 Administration

© 2020 McAfee M18 - 1

 Module Objectives
By the end of this module you should be able to:

▪ Check system status.

▪ Solidify and unsolidify files and applications.

▪ Discover and configure updaters.

▪ Deny file execution.

▪ Certify a file with a checksum.

▪ Obtain logs and system dumps.

▪ Match features with appropriate commands.

The command line interface is a useful tool for administering systems not connect to McAfee® ePolicy
Orchestrator® (McAfee® ePO™).
What You Will Learn
In this module, you will learn some ways to use the command line interface for administration of McAfee®
Application Control and McAfee® Change Control.

Module Goals
The module goals are:
 Check system status.
 Solidify and unsolidify files and applications.
 Discover and configure updaters.
 Deny file execution.
 Certify a file with a checksum.
 Obtain logs and system dumps.
 Match features with appropriate commands.

© 2020 McAfee M18 - 2

 Solidcore CLI
The CLI offers a command line interface for the endpoint administration of:
▪ Integrity Monitoring
▪ Files
▪ Registry
▪ Process Exit and Termination
▪ User activity
▪ Can filter monitors
▪ McAfee Change Control:
▪ Write protect
▪ Read protect
▪ McAfee Application Control:
▪ Create a whitelist (executables cannot be modified or deleted)
▪ Manage workarounds
▪ Memory protection

You can use the CLI to troubleshoot isolated end user issues and to support systems not currently connected to a
McAfee ePO server.
The Command Line Interface admin guide provides additional information. This module introduces you to the topic
so that you feel more comfortable exploring the CLI after this class.

© 2020 McAfee M18 - 3

 View the CLI Access

▪ Two statuses
▪ Lockdown
▪ Recovered
▪ Viewed
▪ Device
▪ System Details
▪ Queries

The command line interface has two statuses: it is either Lockdown or Recovered. You can see this status for any
device in a number of different places. First, on the device itself, you can open a command shell and navigate to
the Solidcore install directory. Within that directory, the sadmin.exe file accepts input from the keyboard. Type the
“sadmin status” command to bring up information on the current state of the application on the device, as shown
in the screenshot above. The line: Local CLI access: Lockdown identifies that this implementation of MACC on the
this device accepts input from the McAfee Agent and enforces policies as defined by McAfee ePO and downloaded
by the McAfee Agent. Upon installation and enabling of the application, the default state of the CLI will be
Lockdown. Second, you can view the CLI Access state on the System Details page for the device in McAfee ePO
from the System Tree. Additionally, you can run default queries configured specifically to report on the CLI Access
states for all managed devices protected by MACC. If you try to access the CLI or issue commands on the device
prior to Recovering the CLI, the message: Local CLI access: Lockdown appears.

© 2020 McAfee M18 - 4

Change the CLI Access
▪ Create the task within the Client Task Catalog.
▪ Assign and run as necessary.
▪ Review queries for CLI access states.

© 2020 McAfee M18 - 5

Change the CLI Access (continued)
Locally

▪ Recover command can unlock the CLI without using McAfee ePO:
▪ Syntax: sadmin recover
▪ Enter the master password to access the CLI:
▪ Default password is solidcore
▪ Lockdown command can lock the CLI without using McAfee ePO:
▪ Syntax: sadmin lockdown

You can change the CLI access from the command prompt on the local device. You must know the password being
enforced by the assigned policy in McAfee ePO. The password in that policy is what the application accepts to
change the status of the CLI access from Lockdown to Recovered. First, run the “sadmin status” command to
determine the current status of the CLI. If the status is Lockdown, the next command would be “sadmin recover”,
after which it prompts the user for the password. Once the user enters the password correctly, the CLI is placed in
the Recovered status and the application accepts commands from the keyboard rather than from the McAfee
Agent. At this point, the application does not enforce any new policies or modifications to policies downloaded by
the McAfee Agent.
The default password for the application is “solidcore”.

As part of the on-going maintenance of the application within the environment, you should review the queries
pertaining the status of the CLI access on a regular basis to ensure the environment is properly enforcing the
policies configured and assigned within McAfee ePO.

© 2020 McAfee M18 - 6

 Device Status

When the CLI is in a "Recovered" state the McAfee agent in not communicating with the application.
Client tasks configured within ePO, policy or rule modifications configured in ePO are pulled down by the
McAfee Agent and the Agent is unable to communicate that information to the Product on the device.
When the CLI is locked down the policies, and tasks will be then be applied as the application in the
"Lockdown" state is now communicating with the McAfee Agent. Within the ePO, using
the Solidcore Client Task Log, it is possible to see the client tasks that failed. When selecting the failed
task and reviewing the details, the details of "CLI is not locked down" show that the CLI is not in a state
to communicate with the McAfee Agent.

© 2020 McAfee M18 - 7

 Secure the CLI
▪ You can set and delete the password locally:
▪ Command to Set password is sadmin passwd
▪ Command to Delete password is sadmin passwd –d
▪ Once you set a password, if you issue the sadmin passwd command again, you are
prompted to enter the existing password before you can change the password.

Use the passwd command to set password for the Solidifier Command line interface. Once you set the password,
you can only execute critical sadmin commands on verification of the password. The syntax to set a password is:
sadmin passwd. To delete the current password, you can use sadmin passwd -d.
When the sadmin passwd command executes for the first time, you are prompted for a new password and then
prompted to re-enter the new password for re-confirmation. Once you set a password, subsequent issuance of the
sadmin passwd command additionally prompts for the existing password before prompting for the new password
twice (for entry and confirmation).
The sadmin passwd -d clears the password for Solidifier CLI.

© 2020 McAfee M18 - 8

 Use the CLI

▪ Standard Commands ▪ CLI Usage

▪ Exit ▪ Enter a portion of the command and
▪ Leave the CLI press tab
▪ sadmin help ▪ Attempts to complete the command
▪ Lists commands ▪ Ctrl-C
▪ sadmin help-advanced ▪ Terminates a command
▪ Lists advanced commands
▪ sadmin help <command>
▪ Lists help information and syntax of the command
▪ sadmin status
▪ Displays the status of the solidifier and the local CLI
access settings

This shows some of the standard commands used in the CLI. To exit the CLI, type exit.
sadmin is the first command of any Solidcore command. To list Solidcore commands, run sadmin help. The
sadmin help displays a summary description for basic Solidifier CLI commands. The sadmin help-advanced
command lists summary description of advanced Solidifier CLI commands.

To get help on a particular command, type sadmin help followed by the name of the command. This lists the
detailed help for the command. Similarly, the sadmin help-advanced <command> lists the detailed help for the
advanced command.
One of the first CLI commands that you will use is the sadmin status command. The status command displays the
current status of the Solidifier in terms of operational mode, its connectivity status with System Controller, access
status of the Local CLI, and more.

© 2020 McAfee M18 - 9

SADMIN Commands
▪ sadmin help: List all the standard sadmin ▪ sadmin end-update (eu): End the update
commands window
▪ sadmin aef: Modify or display advanced exclude ▪ sadmin license: Configure Solidcore license
filter rules ▪ sadmin monitor (mon): Modify or display the
▪ sadmin auth: Authorize a checksum monitoring rules
▪ sadmin begin-observe (bo): Start Observe mode ▪ sadmin passwd: Set or unset a password fro the
on the system actionable commands
▪ sadmin begin-update (bu): Begin update ▪ sadmin solidify (so): Solidify the system
window ▪ sadmin status: Show Solidifier status
▪ sadmin cert: Add, list, remove trusted certificates ▪ sadmin trusted: Modify or display rules for
▪ sdamin disable: Disable Solidcore on next reboot trusted paths
▪ sadmin enable: Enable Solidcore on next reboot ▪ sadmin unsolidify (unso): Unsolidify a solidified
▪ sadmin end-observe (eo): End Observe mode on file
the system ▪ sadmin updaters: Add list or remove authorized
▪ sadmin help advanced: Display help for updaters
advanced commands ▪ sadmin version: Display current Solidifier version

Solidcore has a number of features that you can enable and disable. Based upon the enabled feature set, you can
use different commands to configure files, users, executables, and/or registries to which the feature applies and
how the feature functions overall. No matter what feature set you implement, all solidcore commands begin with
sadmin. Most of these commands you can identify and correlate to the various client tasks and policy settings
handled through McAfee ePO that we discussed in prior modules. The command shortcuts are in parenthesis. We
will cover these commands in more detail later in this module.

© 2020 McAfee M18 - 10

 Solidify from the CLI

▪ System solidification command

▪ sadmin solidify (so)
▪ Entire System
▪ Solidify a volume
▪ sadmin solidify <volume>
▪ sadmin solidify c: \
▪ Solidify an application
▪ To solidify an executable after creating the
inventory, or to re-solidify an executable
▪ sadmin solidify <path\filename>
▪ sadmin solidify “c:\test.bat”

The solidify command solidifies supported files, files in a folder/directory, or files of a system volume. Executing the
command sadmin solidify by itself solidifies all supported files (recursively) on all supported volumes.
Alternatively, you can specify a volume or filename that you want to solidified. To do this, execute one of the
following commands:
 sadmin solidify [ –q | –v ] filename1 ... filename
 Solidifies files filename1 ... filenameN.
 sadmin solidify [ –q | –v ] directoryname1 ... directorynameN
 Solidifies all supported files (recursively) under folders/directories directoryname1 ... directorynameN
 sadmin solidify [ –q | –v ] volumename1 ... volumenameN
 Solidifies all supported files (recursively) under system volumes volumename1 ... volumenameN.
You must reboot a system after solidfying, but you can solidify executable files without reboot. You cannot modify
or delete a solidified file.

© 2020 McAfee M18 - 11

 Solidify from the CLI (continued)
Additional arguments

▪ Syntax example: sadmin solidify [ –q | –v ] filename1 ... filenameN

▪ -q = display error messages, log everything else
▪ -v = display all messages (including error messages), and log everything
▪ Neither –q or –v = do not display any message, just add to log

If the –q argument is specified, only error messages are displayed. All other messages are written to the Solidifier
Log. If the –v argument is specified, all messages are displayed as well as written to the Solidifier Log. If neither the
–q argument nor the –v argument are specified, the messages are only written to the Solidifier Log.

© 2020 McAfee M18 - 12

 Solidify from the CLI (continued)
▪ Command: List-solidified files (ls)
▪ sadmin list-solidified [ –l ]
▪ sadmin list-solidified [ –l ] filename1 ... filenameN
▪ sadmin list-solidified [ –l ] directoryname1 ... directorynameN
▪ sadmin list-solidified [ –l ] volumename1 ... volumenameN
▪ Get file details
▪ sadmin ls –lax <filename>

The list-solidified command displays the list of solidified files, folders/directories, or volumes (Windows only).
 sadmin list-solidified [ -l ]
 Lists all solidified files, folders/directories, and volumes. If the –l argument is specified, solidification
details are also listed.
 sadmin list-solidified [ -l ] filename1 ... filename
 Lists all solidified files out of files filename1 ... filenameN. If the –l argument is specified, solidification
details are also listed.
 sadmin list-solidified [ -l ] directoryname1 ... directorynameN
 Lists all solidified files under folders/directories directoryname1 ... directorynameN. If the –l
argument I specified, solidification details are also listed.
 sadmin list-solidified [ -l ] volumename1 ... volumenameN
 Lists all solidified files under volumes volumename1 ... volumenameN. If the –l argument Is specified,
solidification details are also listed.

© 2020 McAfee M18 - 13

 Unsolidify

▪ Unsolidify a file:
▪ sadmin unso <path\filename>
▪ sadmin unso “c:\test.bat”

▪ List unsolidified files:

▪ sadmin list-unsolidified c:
▪ sadmin lu c:

You can also use a similar command syntax to unsolidfy solidified files. The unsolidify command, unsolidify (unso),
unsolidifies solidified files. You can use this command on Linux, Solaris, or Windows. The proper syntax is as
follows: sadmin unsolidify filename1 ... filenameN.
In the same manner, you can use the list-unsolidified (lu) commend to list unsolidified files. The proper syntax is as
follows:
 sadmin list-unsolidified
 Lists all unsolidified files, folders/directories, and volumes.
 sadmin list-unsolidified filename1 ... filenameN
 Lists all unsolidified files out of files filename1 ... filenameN.
 sadmin list-unsolidified directoryname1 ... directorynameN
 Lists all unsolidified files under folders/directories directoryname1 ... directorynameN.
 sadmin list-unsolidified volumename1 ... volumenameN
 Lists all unsolidified files under volumes volumename1 ... volumenameN.

© 2020 McAfee M18 - 14

What is Solidcore’s Status?
sadmin status

▪ Status of Solidifier
▪ Disabled
▪ Update
▪ Enabled
▪ Observe
▪ Inventory
▪ Reboot status
▪ Disabled
▪ Update
▪ Enabled
▪ Observe
▪ Inventory
▪ CLI access status
▪ Recovered
▪ Lockdown

The “sadmin status” command reports the current status of the solidifier, the status after reboot, and whether or
not the CLI is lockdown or recovered mode. In addition to the statuses of Enabled or Disabled, you may also see
the statuses of Update or Observe. Update mode occurs when the system has been placed in update mode to
allow a window of changes. This means that the Solidifier may return to Enabled at a later time.
For the CLI access, the status may be either Recovered or Lockdown. In lockdown mode, you cannot execute any
commands (other than help, help-advanced, status, version, lockdown, recover, and license). In recovered mode,
the CLI is unlocked for command input.

© 2020 McAfee M18 - 15

 Begin the Update Status
▪ Update status of Solidifier:
▪ Allows updates to occur for a “window of time”
▪ Use begin-update command
▪ Syntax: sadmin begin-update [ workflow-id
[comment] ]
▪ Workflow-ID and comment are optional:
▪ If you do not specify a workflow-id, one e
automatically generates
▪ Changes status to Update:
▪ If original state was Enabled, begins immediately
tracking changes
▪ If original state was Disabled, begins tracking
changes after a reboot

Update mode is a very useful state. It allows administrators to temporarily allow changes to occur on the system
for a window of time. You can enter the update state to change your system status from Enabled to Update by
using the sadmin command.
The begin-update command starts Update mode for performing software updates and installations. If the Solidifier
is currently in Enabled mode, then it begins tracking all file changes. If the Solidifier is currently in Disabled mode,
then it starts tracking all file changes after a reboot.
The syntax for executing the command is: sadmin begin-update [ workflow-id [ comment ]
Specifying an identification ID workflow-id and a description comment for the current Update mode session are
both optional. You can use this information for a change management or trouble ticketing system. If you do not
provide these options, the workflow-id sets to an automatically generated string, AUTO_n, where n is a number
that increments each time you open an Update window or add an Updater.

© 2020 McAfee M18 - 16

End the Update Status

▪ Ending Update status:

▪ Use end-update command
▪ Syntax: sadmin end-update
▪ Changes status from Update to Enabled.

After making the changes to the system, return the system to an Enabled state.
You can also return the system to an Enabled state using a sadmin command. The end-update command ends the
Update mode and changes the Solidifier’s operational mode from Update to Enabled, thereby preventing further
software modifications and/or installations except through the trust model. To correctly send the end-update
command to the solidifier, use the following syntax: sadmin end-update.

© 2020 McAfee M18 - 17

Enable and Disable Solidifier

▪ Change the status directly

▪ Use disable or enable command
▪ Syntax:
▪ sadmin disable
▪ sadmin enable
▪ Changes status to Enabled or
Disabled

The enable command enables the Solidifier. It changes the Solidifier’s operational mode from Disabled mode to
Enabled mode and becomes effective after the next reboot. The syntax to use is: sadmin enable. This command is
only supported in Disabled mode.
The disable command disables the Solidifier. It changes the Solidifier’s operational mode from Enabled or Update
to Disabled and becomes effective after the next reboot. The syntax to use is: sadmin disable. This command is
supported in either Enabled mode to Update mode.

© 2020 McAfee M18 - 18

Advanced SADMIN Commands
sadmin help-advanced

Solidcore also contains a number of advanced commands. For example, the McAfee Change Control features, such
as read and write protect of files and registries, are under advanced commands. Additionally, some McAfee
Application Control features accessed via the auth command are also an advanced command.
There are also advanced commands for the configuration of Solidcore events and creation of log files. The
solidifying and unsolidifying a system appear under the advanced commands, as well as the recovery and
lockdown feature of the CLI itself.

© 2020 McAfee M18 - 19

 Solidcore Commands

▪ sadmin features list

▪ sadmin features <feature> enable
▪ sadmin features <feature> disable

Troubleshooting
Tip
Is a command not
working?

Make sure the feature

set is enabled.

To display a list of the Solidcore command features, use the sadmin command features list. When you review the
list, you can easily match some of the commands to what the features are called within McAfee ePO, while some of
the commands are not as obvious. Due to the extensive list of features available for use, we do not cover all of the
features in this course. For more information on specific feature and their use, refer to the Solidifier Command
Line Reference Guide.
Once you identify the appropriate command you want to use, use sadmin features <feature> enable/disable to
enable or disable the feature. For example, to enable McAfee Application Control you first need to identify which
feature relates to McAfee Application Control. This feature is app-control; therefore, to enable McAfee Application
Control, type the following: sadmin features app-control enable.

© 2020 McAfee M18 - 20

CLI Commands

sadmin begin-observe [workflow-id [comment]]

▪ The begin-observe command starts Observe mode on the system. On issuing this
command:
▪ The endpoint system goes into observe mode and starts tracking all the changes done on the
endpoint.
▪ In this mode, the expected behavior of the solidifier such as deny-exec, deny-read of solidifier in
enable mode, would be notified to the user through Diag logs, but actual deny operation would
not be performed.
sadmin end-observe [ -d ]
▪ (-d) This flag unauthorizes all file changes during Observe mode. If this option is not provided, all
file changes during Observe mode will be authorized.

© 2020 McAfee M18 - 21

 Read/Write Protect Files
Use case

▪ Customer wants to make sure all the Marketing documents on its website are write-protected.

▪ The following demonstration shows you how to write protect files or directories.

To gain a better understanding of how to use the Command Line Interface (CLI), let’s look at a real-world example
to see what CLI commands to use.
First, let’s examine CLI commands that relate to McAfee Change Control. Specifically, let’s look at how to write
protect files without changing the files.
Note: Remember, you must add anything you configure on the device to the McAfee ePO policy; otherwise, when
you put the CLI in Lockdown, the McAfee Agent enforces the policy that it has from McAfee ePO and overwrite any
locally made changes.

© 2020 McAfee M18 - 22

 McAfee Change Control Commands
Write protection

▪ Involves read and write protection commands.

▪ Recall once a whitelisted file, directory, or volume is read or write protected, it can only be
read or modified if:
▪ Solidifier is in Update Objective Command Example
mode. Create a rule to write protect a sadmin write-protect -i sadmin wp -i “c:\test.exe”
file, directory or volume. <path>
▪ File is marked as an
Exclude a file from write sadmin write-protect -e sadmin wp -e “c:\results.txt”
Updater. protection. Rule remains in rule <path>
▪ File is marked as a list but is not enforced.

Signed Executable Remove a write protection rule. sadmin write-protect -r sadmin wp -r “c:\test.txt”
<path>
(Publisher).
List all the write protection rules. sadmin write-protect -l sadmin wp -l
▪ Change attempts Flush all the write protection sadmin write-protect -f sadmin wp -f
recorded as events. rules from the list.

You can correlate the Advanced CLI commands for read protection and write protection to the McAfee Change
Control features discussed earlier. Recall, if you read or write protect a file, this file can only be read or modified via
the trust model. Alternatively, if you do not enter an authorized updater or publisher, then you will need to enter
into Update mode when you want to update the file.
Shown here are the various commands to create, modify, and remove write protection rules. When protecting a file
on a shared network path, make sure you use the full UNC name.

© 2020 McAfee M18 - 23

How to Write Protect a File
▪ Given:
▪ A text file is created in c:\testingfolder\DemoWP.txt using Notepad.exe

In this example, we created a file named DemoWP.txt in the C:\TestingFolder. As an unsolidified file, it can be
modified, renamed, or deleted.

© 2020 McAfee M18 - 24

 How to Write Protect a File (continued)
▪ Use sadmin command to write protect the file
▪ Syntax: sadmin wp –i <path and file to be write protected>
▪ Example: sadmin wp –i c:\testingfolder\DemoWP.txt
▪ wp = Write Protect
▪ -i = include

If we go to the McAfee Solidifier command line, we can write protect the DemoWP.txt file using the sadmin wp -i
command. The syntax to use this command is: sadmin wp –i <path and file to be write protected>.

© 2020 McAfee M18 - 25

How to Write Protect a File (continued)

Once you write protect the file, any attempt to modify the contents results in an error. You can also use the
sadmin wp - l command to view a list of write protected files instead of trying to access the file.

© 2020 McAfee M18 - 26

Modify Read/Write Protected Files

The file could be modified if we:

▪ Disabled Solidcore
▪ sadmin disable

▪ Put Solidcore in Update mode

▪ sadmin begin-update

Two standard options exist for updating the file if needed. To modify the file, you can either use the sadmin
disable command to disable Solidcore entirely, or you can use the sadmin begin-update command to put
Solidcore in update mode.
Remember, you can perform the same functions from McAfee ePO by running client tasks.

© 2020 McAfee M18 - 27

Modify Read/Write Protected Files (continued)

The more secure method of modifying a file:

▪ Specify an authorized updater or trusted user
▪ sadmin help updaters
▪ Add…
▪ exename
▪ libraryname exename
▪ parent-exename exename
▪ username
▪ scriptname
▪ Syntax is different for Windows, Linux, and
Solaris

The updaters command adds, deletes, lists or flushes programs in the list of authorized updaters. The syntax and
descriptions for the Windows updaters command is as follows:
 sadmin updaters add [ -d ] [ -n ] [ -t rule-id ] exename
 Adds an updater rule for execution file exename.
 If the –d argument is specified, the child processes of execution file exename are not included in
the updater rule.
 If the –n argument is specified, the logging is disabled.
 If the –t argument is specified, the tag rule-id will be present in the Event Log for all the files
processed due to this updater rule.
 sadmin updaters add [ -d ] [ -n ] [ -t rule-id ] -l libraryname exename
 Adds an updater rule for execution file exename.
 The updater rule is applicable only when the associated library libraryname is also loaded.
 If the –d argument is specified, the child processes of execution file exename are not included in
the updater rule.
 If the –n argument is specified, the logging is disabled.
 If the –t argument is specified, the tag rule-id will be present in the Event Log for all the files
processed due to this updater rule.

© 2020 McAfee M18 - 28

Hidden

 sadmin updaters add [ -t rule-id ] –u username

 Adds an updater rule for user username so that all update events by the user are authorized.
 If the –t argument is specified, the tag rule-id will be present in the Event Log for all the files
processed due to this updater rule.
 sadmin updaters add scriptname
 Adds an updater rule for script scriptname so that all update events by the scripts are authorized.
 sadmin updaters remove exename
 Removes the updater rule for execution file exename.
 sadmin updaters remove -u username
 Removes the updater rule for user username.
 sadmin updaters remove -l libraryname exename
 Removes the updater rule for execution file exename having associated library libraryname.
 sadmin updaters remove -p parent-exename exename
 Removes the updater rule for execution file exename having associated parent execution file
parent-exename.
 sadmin updaters remove scriptname
 Removes the updater rule for script scriptname.
 sadmin updaters list
 Lists all updater rules.
 sadmin updaters flush
 Deletes all updater rules.

© 2020 McAfee M18 - 29

The syntax and descriptions for the Linux/Solaris updaters command is as follows:
sadmin updaters add [ -d ] [ -n ] [ -t rule-id ] -{ binaryname | scriptname }
Adds an updater rule for execution file binaryname or scriptname.
If the –d argument is specified, the child processes of execution file binaryname or scriptname are not
included in the updater rule.
If the –n argument is specified, the logging is disabled.
If the –t argument is specified, the tag rule-id will be present in the Event Log for all the files processed due to
this updater rule.

 sadmin updaters add [ -d ] [ -n ] [ -t rule-id ] { -p parent-programname } { binaryname | scriptname }

 Adds an updater rule for execution file binaryname or scriptname.
 The updater is applicable only when the parent execution file parent-programname is also running.
 If the –d argument is specified, the child processes of execution file binaryname or scriptname are
not included in the updater rule.
 If the –n argument is specified, the logging is disabled.
 If the –t argument is specified, the tag rule-id will be present in the Event Log for all the files
processed due to this updater rule.
 sadmin updaters remove { binaryname | scriptname }
 Removes the updater rule for execution file binaryname or scriptname.
 sadmin updaters remove [ -p parent-programname ] { binaryname | scriptname }
 Removes the updater rule for execution file binaryname or scriptname having associated parent
execution file parent-programname.
 sadmin updaters list
 Lists all updater rules.
 sadmin updaters flush
 Deletes all updater rules.

© 2020 McAfee M18 - 30

 Modify read/write Protected Files (continued)
▪ Syntax to add updater: sadmin updaters add <exename>
▪ Specify the absolute path of the executable
▪ In our example, notepad is the exe used to access the file
▪ sadmin updaters add “c:\windows\system32\notepad.exe”

When using the updaters command, specify the absolute path of the executable. Either specify the file name alone
or specify one or more folders/directories up the tree. If you specify 'dir\file.exe', the rule applies if and only if
'file.exe' resides in a folder/directory named 'dir'. On Windows, full path names containing the drive letter or
starting with a slash character are not a valid entry for the rule names; such names are ignored. For example, if you
specify c:\foo\bar.exe, the updater rule is added for \foo\bar.exe, ignoring the drive letter.
In our example, we added notepad.exe to the list of updaters. Once we completed this, we could change the file in
notepad and save without error.

© 2020 McAfee M18 - 31

McAfee Change Control Features
Write protection
▪ Protect Registries
▪ sadmin write-protect-registry (wpr) <registry name>
▪ EX: sadmin wpr –i HKEY_LOCAL_MACHINE\Software\Yahoo\Essentials
Wpr
▪ Watch Inclusions/Exclusions: Longest match used to apply Command Purpose
rules. Options

▪ Include HKEY_LOCAL_MACHINE\Software -e Exclude rule

▪ Exclude HKEY_LOCAL_MACHINE\Software\Microsoft -l List rules

▪ Anything below this level can still be modified or deleted -i Include rule
▪ Support for wildcard in path if used to represent entire directory -f Flush rules
structure.
▪ Supported:
▪ HKEY_LOCAL_MACHINE\*\Microsoft
▪ Not Supported:
▪ HKEY_LOCAL_MACHINE\*
▪ HKEY_LOCAL_MACHINE\*\*

In addition to protecting files, registries can also be detected. To detect registries, use the write-protect-registry
command. When you configure write protection for a registry file, take care when specifying your inclusions and
exclusions. The longest match takes precedence.

For example, if you specify that HKEY_LOCAL_MACHINE\Software is protected, but you exclude
HKEY_LOCAL_MACHINE\Software\Microsoft , then anything below the Microsoft level is excluded.

For more information on how to write protect your registry, refer to the Solidifier Command Line Reference Guide.

© 2020 McAfee M18 - 32

 McAfee Application Control Features
▪ Use the McAfee Application Control feature to control the execution of non-whitelisted
DLLs, EXEs, and more.
▪ Remember: To run any executable, it must be solidified and in inventory or allowed via the
trust model.
▪ To allow executables not on the whitelist/in the inventory/solidified, use the auth
command:
▪ Checksum is verified before application can run
▪ Syntax for authorization: sadmin auth –a [ –u ] –c CHECKSUM
▪ Syntax for banning: sadmin auth –b –c CHECKSUM

McAfee Application Control controls the ability of a non-solidified executable to run on a solidified system. You can
use the auth command to authorize or ban an executable using a checksum. Use the auth command to declare
applications allowed to run on your system and applications banned from running on your system.
You can declare any application (executables, installers, or batch files) as authorized or banned. These applications
may be locally installed or invoked applications or may be installed on or invoked from a shared drive.
The syntax to authorize or ban an application is as follows:
 sadmin auth –a [ –u ] –c CHECKSUM
 Declares application indicated by CHECKSUM as an authorized application.
 CHECKSUM is the SHA1 hash value of the application file.
 If the –u argument is specified, the application is registered as an authorized updater application.
 sadmin auth –b –c CHECKSUM
 Declares application indicated by CHECKSUM as a banned application.
 CHECKSUM is the SHA1 hash value of the application file.

© 2020 McAfee M18 - 33

 Authorize Command Arguments

▪ Use arguments to authorize or ban.

Options Purpose
-a Authorize a binary using a checksum
-b Ban a binary using a checksum
-c Used to specify a checksum
-f Flush all rules
-l List all rules
-r Remove a rule
-t Specify a rule-id
-u Make binary into an updater using
checksum

The syntax to authorize or ban an application is as follows:

 sadmin auth –r CHECKSUM
 Removes the registration of application indicated by CHECKSUM as an authorized or a banned
application.
 sadmin auth –l
 Lists all registrations added till now.
 sadmin auth –f
 Removes all registrations.
Attributes
The auth command used in McAfee Application Control is one of the advanced commands that utilize attributes.
The following slides cover some of the attributes associated with the auth command.

© 2020 McAfee M18 - 34

 Use Attributes to Control File Execution

▪ Allow execution of non whitelisted programs:

▪ sadmin attr add –a <path>
▪ Syntax:
▪ sadmin attr add [ -a | -b | -d | -e | -f | -i | -p | -r | -u | -n ] filename1 ... filenameN
▪ For our example, we created a bat file called justice.bat:
▪ Since it is not solidified, it will not run
▪ To allow the file to run, add the –a attribute so it will always be allowed to run

You can use attributes as another method to allow (or block) a program execution. Unlike the diag command, using
the attr command requires that you know and enter the path to what you want to allow or disallow. Use the attr
command to modify or list the Solidifier's configuration attributes list. The -a attribute always allows execution.

The Windows syntax to use attributes is as follows:

 sadmin attr add [ -a | -b | -d | -e | -f | -i | -p | -r | -u | -n ] filename1 ... filenameN
 Adds a Solidifier Configuration attribute to solidified files filename1 ... filenameN.
 You must specify the argument for at least one configuration attribute with the sadmin attr add
command.
 sadmin attr add –o parent=filename2 –p filename1
 (Windows only) Adds the –p Solidifier Configuration attribute to solidified file filename1 so that it can
passthru if and only if it was invoked by filename2.
 sadmin attr remove [ -a | -b | -d | -e | -f | -i | -p | -r | -u | -n ] filename1 ... filenameN
 Removes the Solidifier Configuration attribute set on solidified files filename1 ... filenameN.
 You need not specify any argument for configuration attributes with the sadmin attr remove
command. When no arguments for any configuration attribute are specified, it is assumed that
arguments for all configuration attributes have been specified.

© 2020 McAfee M18 - 35

Use Attributes to Control File Execution (continued)
Options Purpose (x86) (x64) UNIX

-a Always authorized attribute Y Y Y

-b Bypassed from memory control Y N N
-c Bypassed from mp-casp Y N N
-d Bypassed from process stack randomization Y N N
-e Rebase dll attribute Y N N
-f Full crawl attribute Y N N
-i Bypassed from anti-debug Y N N
-l Process context file operations bypass Y N N
-p Process context file operations bypass Y Y Y
-o Process context file operations bypass Y Y Y
(conditional)
-r Bypass from dll relocation attribute Y N N
-u Always unauthorized attribute Y Y Y
-n Bypass from DEP protection attribute N Y N

The Windows syntax to use attributes is as follows:

 sadmin attr list [ -a | -b | -d | -e | -f | -i | -p | -r | -u | -n ] [ filename1 ... filenameN ]
 Lists Solidifier Configuration attributes set on solidified files filename1 ... filenameN.
 If file names are not specified, the configuration attributes for all solidified files are listed.
 You need not specify any argument for configuration attributes with the sadmin attr list command.
When no arguments for any configuration attribute are specified, it is assumed that arguments for
all configuration attributes have been specified.
 sadmin attr flush [ -a | -b | -d | -e | -f | -i | -p | -r | -u | -n ]
 Removes the specified Solidifier Configuration attribute(s) from all files.
 When no arguments for any configuration attribute are specified with the sadmin attr flush
command, it is assumed that arguments for all configuration attributes have been specified and
hence, all Solidifier Configuration attributes from all files are removed.

© 2020 McAfee M18 - 36

Use Attributes to Control File Execution (continued)
The Linux, Solaris syntax to use attributes is as follows:
▪ sadmin attr add [ -a | -p | -u ] filename1 ... filenameN
▪ Adds a Solidifier Configuration attribute to solidified files filename1 ... filenameN.
▪ You must specify the argument for at least one configuration attribute with the sadmin attr add
command.
▪ sadmin attr add –o parent=filename2 –p filename1:
▪ Adds the –p Solidifier Configuration attribute to solidified file filename1 so that it can passthru if and
only if it was invoked by filename2.
▪ sadmin attr remove [ -a | -p | -u ] filename1 ... filenameN:
▪ Removes the Solidifier Configuration attribute set on solidified files filename1 ... filenameN.
▪ You need not specify any argument for configuration attributes with the sadmin attr remove
command. When no arguments for any configuration attribute are specified, it is assumed that
arguments for all configuration attributes have been specified.

 sadmin attr list [ -a | -p | -u ] [ filename1 ... filenameN ]

 Lists Solidifier Configuration attributes set on solidified files filename1 ... filenameN.
 If file names are not specified, the configuration attributes for all solidified files are listed.
 You need not specify any argument for configuration attributes with the sadmin attr list command.
When no arguments for any configuration attribute are specified, it is assumed that arguments for
all configuration attributes have been specified.
 sadmin attr flush [ -a | -p | -u ]
 Removes the specified Solidifier Configuration attribute(s) from all files.
 When no arguments for any configuration attribute are specified with the sadmin attr flush
command, it is assumed that arguments for all configuration attributes have been specified.

© 2020 McAfee M18 - 37

Use Attributes to Control File Execution (continued)
▪ Prevent the execution of whitelisted programs:
▪ sadmin attr add –u <path>

▪ For our example, we created a bat file called

calc.bat.
▪ If we solidify the .bat, it runs and opens the
calculator.
▪ To disallow the execution of the file, add the –u
attribute.

This example shows a .bat that starts the calc.exe. In its unsolidified state, it will not run; however, once solidified it
executes fine. To prevent its execution, we can place the attribute –u on the file. The –u attribute specifies an
always unauthorized attribute.

© 2020 McAfee M18 - 38

 McAfee Application Control
Use case

▪ You receive errors about programs that do

not execute even though you added the
application as an authorized updater.
▪ You do not know what programs to add as
authorized Updaters.

Now, let’s take a look at how to use the Command Line Interface (CLI) with a real-world example using CLI
commands with McAfee Application Control.

Specifically, let’s look at how to add a program as an authorized updater.

© 2020 McAfee M18 - 39

McAfee Application Control (continued)
Solution

▪ Temporarily suspend blocking of applications in Solidcore:

▪ sadmin begin-update

▪ Run the Solidcore diagnostics to capture all the programs that make runtime updates to a
log file:
▪ sadmin diag

▪ Run the diag fix and reboot the system:

▪ sadmin diag fix

© 2020 McAfee M18 - 40

 Discover and Add Updaters
▪ Temporarily suspend blocking using sadmin begin-update.

▪ Run the Solidcore diagnostics to capture all the programs that make runtime updates to a
log file. (sadmin diag).

A program designated as an authorized updater should be able to perform updates on a solidified system. If,
however, you receive a log file that shows an authorized program as blocked from executing some change, then
you may need to modify the updaters list to explicitly allow a program to run when the solidifier is enabled.
After you place the solidifier in update mode, you can use the diag command to see a list of applications making
changes during runtime. The diag command determines interoperability configuration for programs on the
system.
The syntax for using the diag command is: sadmin diag. This command identifies candidate Auto-Updaters and
provides the command syntax for authorizing such programs to perform updates when they execute.

© 2020 McAfee M18 - 41

 Discover and Add Updaters (continued)
SADMIN diag notations

▪ * = restricted program that may give user ability to make changes

▪ ! = file is an updater
▪ *! = program is an updater, but more configuration is needed
▪ -t = changes are logged
▪ DIAG = program was added as an updater using sadmin

The output from the sadmin diag command may have an asterisk (*) or exclamation mark notation at the front of
some entries. The asterisks designates a restricted program that may give the user more power to make changes
on the system than intended. It should have a restricted configuration. The Exclamation mark indicates that this file
is already an updater. The two notations together indicate that the program you can configure the file as an
updater but it requires additional configuration for proper execution.
The –t indicates that changes are logged. The DIAG: in front of the file name indicates that this program was added
as an updater using the sadmin diag command.

© 2020 McAfee M18 - 42

 Discover and Add Updaters (continued)
Run the diag fix and reboot the system

▪ sadmin diag fix

The sadmin diag fix command lets you add those files related to an upper level program with a single command.
You can also use this process to identify the programs that you want to add to a list of approved applications.
If you specify the –f argument when running the diag command, the restricted programs are also included in the
candidate Auto-Updaters authorized to perform updates.
Once the diag –f command has been executed, reboot your system.

© 2020 McAfee M18 - 43

 View Solidcore Events

▪ Use the Event Viewer to see Solidcore events locally.

▪ Use McAfee ePO to view Solidcore events for the system and/or the network.

As you may have noticed, the Event Viewer displays Solidcore events that occur on the endpoint. You can also go
back to McAfee ePO and view the events there.

© 2020 McAfee M18 - 44

 Product Tools

▪ In addition to configuring McAfee Application Control, McAfee Change Control, and

Integrity Monitoring, the CLI gives you access to some product tools:
▪ Gatherinfo.bat
▪ sadmin xray
▪ ScGetCerts.exe
▪ SCAnalyzer.exe
▪ Finetune.bat

Understanding all of the features of the CLI can be an extensive undertaking. There are several commands with
many commands having additional arguments. This section of training gives you a foundational knowledge of the
CLI in case you want to explore its use further. For many customers, operations of McAfee Application Control and
McAfee Change Control will be conducted using McAfee ePO.
In addition to configuring McAfee Application Control, McAfee Change Control, and Integrity Monitoring, the CLI
gives you access to some product tools. The next few pages, introduces you to some of these product tools.

© 2020 McAfee M18 - 45

Product Tools (continued)
Gatherinfo.bat

▪ Creates gatherinfo.zip.

Gatherinfo.bat collects all the system information log files, registries, and events. It runs the Solidcore Scanalyzer.
Then, it zips up all of the gathered information into a tar file for export to McAfee or for use in escalation cases. The
logs in this file are used by McAfee Support to identify issues.

© 2020 McAfee M18 - 46

Product Tools (continued)
sadmin xray

▪ View all the processes.

The sadmin xray command allows you to view all the processes running on the system. It also gives you other
information like whether the process is an updater, or if it bypasses memory protection.

© 2020 McAfee M18 - 47

Product Tools (continued)
ScGetCerts.exe
▪ Obtain certificate and move to Solidifier Certificates store.
▪ Run scgetcerts.exe <executable path> <output folder>.

▪ Output:
▪ info.xml file
▪ certificate

The ScGetCerts.exe tool is an automated tool used to extract the certificate from an application and allow storage
in the Solidifier certificate store.

The outputs from the command are an info.xml file, and if it is a signed program, the certificate.

© 2020 McAfee M18 - 48

Product Tools (continued)
sadmin cert add <certificate path>

▪ After you use the ScGetCerts.exe, add the certificate to the Solidifier Certificates store.
▪ Use sadmin cert add <certificate path> to add the certificate to the store.

If the signing
feature is
enabled (sadmin
features enable
signing)
and the
application’s
certificate is in
the store, then
the application
can run without
being solidified.

Once you obtain certificates using the ScGetCerts.exe product tool, you can use the sadmin cert command to add
the certificate to the Solidifiers Certificate store. The certificate store is located at the system root > McAfee >
Solidcore.
If the signing feature is enabled (sadmin features enable signing) and the application’s certificate is in the store,
then the application can run without being solidified.

© 2020 McAfee M18 - 49

 Product Tools (continued)
SCAnalyzer.exe

▪ SCAnalyzer.exe: Verifies the current

Solidifier configuration.
▪ Also runs as part of the Gatherinfo.bat.
▪ Finetune.bat: Use to quickly add or
remove specific applications as updaters.

The SCAnalyzer.exe program verifies the current Solidifier configuration. It also runs as part of the Gatherinfo.bat.
If this program fails, you can look in the log files and see what products failed to work.
The Finetune.bat allows you to quickly add customization to specific applications, as noted in the bat file, such as
making them and all their supporting applications into authorized updaters.

© 2020 McAfee M18 - 50

Review
Key points

▪ The Solidcore installation on the endpoint includes a Solidcore Command Line Interface (CLI).
▪ Type in Command at the Start Search window then you will see Command Prompt App. At
the Command Prompt app, right click and choose "run as administrator." If prompted, select
yes.
▪ This interface allows direct review of endpoint logs, manipulation of Solidcore policy settings,
and enforcement for both Change Management and McAfee Application Control features.
▪ You can use the CLI to troubleshoot isolated end user issues and to support systems not
currently connected to an McAfee ePO server.
▪ The command line interface has two statuses: it is either Lockdown or Recovered.
▪ Once you establish that you need to change the current status of the CLI, the recommended
approach is to create and assign a Client Task to perform the function.
▪ To display a list of the Solidcore command features, use the sadmin command features list.

© 2020 McAfee M18 - 51

 Thank you.

© 2020 McAfee M18 - 52