
McAfee, Inc.

McAfee Solidifier for HP-UX - Installation Guide

McAfee Change Control 6.0.0 Product Guide


End User License Agreement

BY DOWNLOADING, INSTALLING, COPYING, ACCESSING, OR USING THIS SOFTWARE YOU AGREE TO THE TERMS OF THIS AGREEMENT. IF YOU ARE ACCEPTING THESE TERMS ON BEHALF OF ANOTHER PERSON OR A COMPANY OR OTHER LEGAL ENTITY, YOU REPRESENT AND WARRANT THAT YOU HAVE FULL AUTHORITY TO BIND THAT PERSON, COMPANY, OR LEGAL ENTITY TO THESE TERMS. IF YOU DO NOT AGREE TO THESE TERMS:

DO NOT DOWNLOAD, INSTALL, COPY, ACCESS, OR USE THE SOFTWARE; AND

PROMPTLY RETURN THE SOFTWARE AND PROOF OF ENTITLEMENT TO THE PARTY FROM WHOM YOU ACQUIRED THEM.

1) Definitions.

a) "Authorized Partner" means any of McAfee's distributors, resellers or other business partners.

b) "Documentation" means explanatory materials in printed, electronic, or online form accompanying the Software in English and other languages if available.

c) "Grant Letter" means a confirmation notice letter issued electronically by McAfee to you confirming Software and Support purchased by you including the applicable product entitlement, as defined in the Product Entitlement Definitions (further described at Section 3(a) below) and also contains download details.

d) "McAfee" means (a) McAfee, Inc., a Delaware corporation, with offices located at 3965 Freedom Circle, Santa Clara, California 95054, USA if the Software is purchased in the United States, Mexico, Central America, South America, or the Caribbean; (b) McAfee Ireland Limited, with offices located at McAfee Ireland Ltd, Building 2000, City Gate, Mahon, Cork, Ireland, if the Software is purchased in Canada, Europe, the Middle East, Africa, Asia (other than Japan), or Oceania; and (c) McAfee Co., Ltd. with offices located at Shibuya Mark City West Building 12-1, Dogenzaka 1-Chome, Shibuya-ku, Tokyo 150-0043, Japan if the Software is purchased in Japan.

e) "Node" means any kind of device capable of processing data and includes any of the following types of computer devices: diskless workstations, personal computer workstations, networked computer workstations, homeworker/teleworker home-based systems, file and print servers, email servers, Internet gateway devices, storage area network servers (SANs), terminal servers, or portable workstations connected or connecting to the server(s) or network.

f) "Software" means each McAfee software program in object code format licensed by McAfee and purchased from McAfee or its Authorized Partners, including Upgrades.

g) "Subsidiary" refers to any entity controlled by you through greater than fifty percent (50%) ownership of the voting securities.

h) "Support" or "Technical Support" means the support services offered by McAfee for the support and maintenance of the Software and McAfee brand hardware further specified in the McAfee Technical Support and Maintenance Terms.

i) "Updates" are related to content and include without limitation all DATs, signature sets, policy updates, database updates for the Software which are made generally available to McAfee's customer base as a part of purchased Support and which are not separately priced or marketed by McAfee.

j) "Upgrade" means any and all improvements in the Software which are made generally available to McAfee's customer base as a part of purchased Support and which are not separately priced or marketed by McAfee.

2) License Grant.

Subject to the terms and conditions of this Agreement, McAfee hereby grants to you a non-exclusive, non-transferable right to use the Software (for the purpose of this Agreement, use of the Software means to access, install, download, copy or otherwise benefit from using the Software) listed in the Grant Letter solely for your own internal business operations. You acknowledge that the Software and all related information are proprietary to McAfee and its suppliers. You are not granted rights to Updates and Upgrades unless you have purchased Support or a service subscription.

3) Copy and Use terms.

a) Product entitlement. The use of the Software depends on the licenses purchased (e.g. Nodes) and is subject to the Product Entitlement Definitions set forth at http://www.mcafee.com/us/local_content/legal/product_entitlement_definitions.pdf on the applicable date of your Grant Letter.

b) Multiple platforms/Bundles. If the Software supports multiple platforms or if you receive the Software bundled with other software, the total number of devices on which all versions of the Software is installed may not exceed your product entitlement.

c) Term. The license is effective for a limited time period ("Term") in the event that such Term is set forth in the Grant Letter; otherwise the licenses shall be perpetual.

d) Copies. You may copy the Software as reasonably necessary for backup, archival or disaster recovery purposes.

e) Subsidiaries. You may permit use of the Software in accordance with the terms of this Agreement by a Subsidiary only for so long as such entity remains your Subsidiary. You shall be responsible and fully liable for each Subsidiary's compliance with or breach of the terms of this Agreement.

f) Managing Party. If you enter into a contract with a third party in which the third party manages your information technology resources ("Managing Party"), you may transfer all your rights to use the Software to such Managing Party, provided that (a) the Managing Party only uses the Software for your internal operations and not for the benefit of another third party or the Managing Party; (b) the Managing Party agrees to comply with the terms and conditions of this Agreement; and (c) you provide McAfee with written notice that a Managing Party will be using the Software on your behalf.

g) General Restrictions. You may not, nor allow any third party to: (i) decompile, disassemble, or reverse engineer the Software, except to the extent expressly permitted by applicable law, without McAfee's prior written consent; (ii) remove any product identification or proprietary rights notices of the Software or Documentation; (iii) lease, lend, or use the Software for timesharing or service bureau purposes; (iv) modify or create derivative works of the Software; (v) except with McAfee's prior written permission, publish any performance or benchmark tests or analysis relating to the Software; or (vi) otherwise use or copy the Software except as expressly provided herein.

4) Technical Support and Maintenance.

The McAfee Technical Support and Maintenance Terms apply if you have purchased Support. The McAfee Technical Support and Maintenance Terms are incorporated by reference and can be found at http://www.mcafee.com/us/support/support_terms_n_conditions.html. After the support or service subscription period specified in a Grant Letter has expired, you have no further rights to receive any Support including Upgrades, Updates, and telephone support.

5) Limited Warranty and Disclaimer.

a) Limited Warranty. McAfee warrants that, for a period of sixty (60) days from the purchase date ("Warranty Period"), the Software licensed hereunder (including Upgrades provided within the Warranty Period for the remainder of the Warranty Period) will perform substantially in accordance with the Documentation.

b) Exclusive Remedy. In case of any breach of the above limited warranty, McAfee will (a) repair or replace the Software or (b) if such repair or replacement would in McAfee's opinion be commercially unreasonable, refund the price paid by you for the applicable Software.

c) Exclusion of Warranty. The above Limited Warranty will not apply if: (i) the Software is not used in accordance with this Agreement or the Documentation; (ii) the Software or any part thereof has been modified by any entity other than McAfee; or (iii) a malfunction in the Software has been caused by any equipment or software not supplied by McAfee.

d) Disclaimer. THE ABOVE WARRANTIES ARE YOUR EXCLUSIVE WARRANTIES AND REPLACE ALL OTHER WARRANTIES OR CONDITIONS, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO WARRANTIES OR CONDITIONS OF MERCHANTABILITY, SATISFACTORY QUALITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE AND NONINFRINGEMENT. EXCEPT FOR THE LIMITED WARRANTY SET FORTH ABOVE, THE SOFTWARE IS PROVIDED "AS IS" AND MCAFEE MAKES NO WARRANTY OR GUARANTEE AS TO ITS USE OR PERFORMANCE AND DOES NOT WARRANT OR GUARANTEE THAT THE OPERATION OF THE SOFTWARE WILL BE FAIL SAFE, UNINTERRUPTED OR FREE FROM ERRORS OR DEFECTS OR THAT THE SOFTWARE WILL PROTECT AGAINST ALL POSSIBLE THREATS.

e) Exceptions. Some states or jurisdictions do not allow the exclusion of express or implied warranties, so the above disclaimer may not apply to you. IN THAT EVENT SUCH EXPRESS OR IMPLIED WARRANTIES SHALL BE LIMITED IN DURATION TO THE WARRANTY PERIOD (OR THE MINIMUM PERIOD REQUIRED BY THE APPLICABLE LAW).

6) Limitation of Remedies and Damages.

UNDER NO CIRCUMSTANCES AND UNDER NO LEGAL THEORY, WHETHER IN TORT, CONTRACT OR OTHERWISE, SHALL EITHER PARTY BE LIABLE TO THE OTHER FOR ANY INDIRECT, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES, DAMAGES FOR LOSS OF PROFITS, LOSS OF GOODWILL, LOSS OF PERSONNEL SALARIES, WORK STOPPAGE, AND/OR COMPUTER FAILURE OR MALFUNCTION, AND/OR COSTS OF PROCURING SUBSTITUTE SOFTWARE OR SERVICES.

Regardless of whether the claim for such damages is based in contract, tort and/or any other legal theory, in no event shall either party's aggregate liability to the other party for direct damages exceed the lesser of:

a) the amount of total fees paid or payable by you for the Software giving rise to such claim during the 12 months immediately preceding the event giving rise to such claim, or

b) the applicable McAfee list price, at the date of the purchase, for the Software giving rise to such claim ordered by you during the 12 months immediately preceding the event giving rise to such claim, even if the other party has been advised of the possibility of such damages.

No provision of this Agreement shall exclude or limit in any way (i) the liability of either party for death or personal injury caused by negligence, or (ii) your liability for excess usage of, and/or any breach of McAfee's intellectual property rights in the Software.

THE LIMITATION OF LIABILITY IN THIS SECTION IS BASED ON THE FACT THAT END USERS USE THEIR COMPUTERS FOR DIFFERENT PURPOSES. THEREFORE, ONLY YOU CAN IMPLEMENT BACKUP PLANS AND SAFEGUARDS APPROPRIATE TO YOUR NEEDS IN THE EVENT AN ERROR IN THE SOFTWARE CAUSES COMPUTER PROBLEMS AND RELATED DATA LOSSES. FOR THESE BUSINESS REASONS YOU AGREE TO THE LIMITATIONS OF LIABILITY IN THIS SECTION AND ACKNOWLEDGE THAT WITHOUT YOUR AGREEMENT TO THIS PROVISION, THE FEE CHARGED FOR THIS SOFTWARE WOULD BE HIGHER.

7) Intellectual Property Indemnity.

a) Third party claims. McAfee shall defend and hold you harmless from any claim by a third party that the Software infringes any patent, copyright or trade secret of that third party, provided: (i) McAfee is notified promptly, and in any event no later than within 14 days upon your receipt of notice of the claim; (ii) McAfee receives reasonable cooperation from you necessary to perform McAfee's obligations hereunder; and (iii) McAfee has sole control over the defense and all negotiations for a settlement or compromise of the claim. The foregoing obligation of McAfee does not apply with respect to Software or portions or components thereof: (i) not supplied by McAfee; (ii) used in a manner not expressly authorized by this Agreement or the relevant Documentation; (iii) made in accordance with your specifications; (iv) modified by anyone other than McAfee, if the alleged infringement relates to such modification; (v) combined with other products, processes or materials where the alleged infringement would not exist but for such combination; or (vi) where you continue the allegedly infringing activity after being notified thereof and provided with modifications that would have avoided the alleged infringement.

b) Remedy and Liability. In the event the Software is held by a court of competent jurisdiction to constitute an infringement or use of the Software is enjoined, McAfee shall, at its sole option, do one of the following: (i) procure for you the right to continue use of the Software; (ii) provide a modification to the Software so that its use becomes non-infringing; (iii) replace the Software with software which is substantially similar in functionality and performance; or (iv) if none of the foregoing alternatives is reasonably available to McAfee, McAfee shall refund the residual value of the purchase price paid by you for the infringing Software, depreciated using a straight line method of depreciation over a three (3) year period from the date of delivery of the Software to you. This Section 7 states McAfee's sole liability and your exclusive remedy for intellectual property infringement claims.

8) Termination.

a. Without prejudice to your payment obligations, you may terminate your license at any time by de-installing the Software.

b. McAfee may terminate your license in the event you materially breach the terms of this Agreement and you fail to cure such breach within thirty (30) days of receiving notice of such breach. Upon such termination you shall promptly return or destroy all copies of the Software and Documentation.

9) Additional Terms.

a) Evaluation Software. If the Software has been identified as Evaluation Software, then the provisions of this section apply and shall supersede any other conflicting term of this agreement. Your royalty free, non-transferable, limited license to use the Evaluation Software, for evaluation purposes only, is limited to thirty (30) days unless otherwise agreed to in writing by McAfee. The Evaluation Software may contain errors or other problems that could cause system or other failures and data loss. Consequently, Evaluation Software is provided to you "AS-IS", and McAfee disclaims any warranty or liability obligations to you of any kind. WHERE LEGAL LIABILITY CANNOT BE EXCLUDED, BUT MAY BE LIMITED, MCAFEE'S LIABILITY AND THAT OF ITS SUPPLIERS AND AUTHORIZED PARTNERS SHALL BE LIMITED TO THE SUM OF FIFTY (50) DOLLARS OR THE EQUIVALENT IN LOCAL CURRENCY IN TOTAL. Any information about the Evaluation Software gathered from its use shall be used solely for evaluation purposes only and shall not be provided to any third parties. The restrictions described in Section 3 g) apply. If you fail to destroy the Evaluation Software after the evaluation period has expired, McAfee may, at its discretion, invoice you in an amount equal to the McAfee List Price for the Evaluation Software and you shall pay such invoice upon receipt.

b) Beta Software. If the Software you have received has been identified as Beta Software, then the provisions of Section 9 a above shall apply accordingly. McAfee has no obligation to you to further develop or publicly release the Beta Software. If requested by McAfee, you will provide feedback to McAfee regarding testing and use of the Beta Software, including error or bug reports. You agree to grant McAfee a perpetual, non-exclusive, royalty-free, worldwide license to use, copy, distribute, make derivative works and incorporate the feedback into any McAfee product at McAfee's sole discretion. Upon receipt of a later unreleased version of the Beta Software or release by McAfee of a publicly released commercial version of the Beta Software you agree to return or destroy all earlier Beta Software received from McAfee.

c) Free or Open Source Software. The product may include programs or code that are licensed under an Open Source Software ("OSS") license model. OSS programs and code are subject to the terms, conditions and obligations of the applicable OSS license, and are SPECIFICALLY EXCLUDED FROM ALL WARRANTY AND SUPPORT OBLIGATIONS DESCRIBED ELSEWHERE IN THIS AGREEMENT.

d) Notice to United States Government End Users. The Software and accompanying Documentation are deemed to be "commercial computer software" and "commercial computer software documentation," respectively, pursuant to DFAR Section 227.7202 and FAR Section 12.212, as applicable. Any use, modification, reproduction, release, performance, display or disclosure of the Software and accompanying Documentation by the United States Government shall be governed solely by the terms of this Agreement and shall be prohibited except to the extent expressly permitted by the terms of this Agreement.

10) Privacy.

By entering into this Agreement, you agree that McAfee may collect, retain and use personally identifiable data, including your name, address, email address and payment details. Your personal information will be used primarily to provide services and product functionality to you either by McAfee or its contractors or business partners. McAfee may also use your personal information for additional communication with you subject to applicable laws. By entering into this Agreement, you agree to the transfer of your personal information to McAfee offices worldwide for the purposes stated above. For more detailed information on the collection, use and transfer of your personal information, please read the McAfee privacy policy on the McAfee web site (www.McAfee.com).

11) You acknowledge and agree that the Software may contain functionality to detect and report threats and vulnerabilities on your computer network. Such functionality may automatically collect information about your system (including without limitation information regarding network, licenses used, operating system types, versions, total scanners deployed, database size etc.) and submit such consolidated information to McAfee.

12) Audit.

McAfee may, at its expense, upon reasonable prior written notice to you and during standard business hours, audit you with respect to your compliance with the terms of this Agreement no more than once per year. You understand and acknowledge that McAfee utilizes a number of methods to verify and support software use by its customers. These methods may include technological features of the Software that prevent unauthorized use and provide Software deployment verification. Upon reasonable request, you will provide a system generated report verifying your Software deployment, such request to occur no more than two (2) times per year. McAfee will not unreasonably interfere with the conduct of your business.

13) Export Controls.

You acknowledge that the Software is subject to U.S. and, when applicable, European Union export regulations. You shall comply with applicable export and import laws and regulations for the jurisdiction in which the Software will be imported and/or exported. You shall not export the Software to any individual, entity or country prohibited by applicable law or regulation. You are responsible, at your own expense, for any local government permits, licenses or approvals required for importing and/or exporting the Software. For additional information regarding exporting and importing the Software, see http://mcafee.com/us/about/export_compliance/index.html. McAfee reserves the right to update this website from time to time at its sole discretion.

14) Governing Law.

This Agreement will be governed by and construed in accordance with the substantive laws in force: (a) in the State of New York, if you purchased the Software in the United States, Mexico, Central America, South America, or the Caribbean; (b) in the Republic of Ireland, if you purchased the Software in Canada, Europe, Middle East, Africa, Asia (other than Japan), or the region commonly referred to as Oceania; and (c) in Japan if you purchased the Software in Japan. If you purchased the Software in any other country, then the substantive laws of the Republic of Ireland shall apply, unless another local law is required to be applied. This Agreement will not be governed by the conflict of laws rules of any jurisdiction or the United Nations Convention on Contracts for the International Sale of Goods, the application of which is expressly excluded. The Uniform Computer Information Transactions Act as enacted shall not apply. The United States District Court for the Southern District of New York, when New York law applies, the courts of the Republic of Ireland, when the law of Ireland applies, and the courts of Japan, when Japanese law applies, shall each have non-exclusive jurisdiction over all disputes relating to this Agreement.

15) Miscellaneous.

a) Except for actions for nonpayment or breach of McAfee's proprietary rights in the Software and Documentation, no action, regardless of form, arising out of this Agreement may be brought by either party more than 2 years after a party knew or should have known of the claim.

b) Any terms of this Agreement which by their nature should survive the termination of this Agreement shall survive such termination.

c) This Agreement, including all documents incorporated by reference, represents the entire agreement between the parties, and expressly supersedes and cancels any other communication, representation or advertising whether oral or written, on the subjects herein. If you issue an order to an Authorized Partner or to McAfee and the terms and conditions of the order conflict with the terms and conditions of a) this Agreement or b) of the Grant Letter, then the terms and conditions specified in this Agreement and in the Grant Letter shall control. This Agreement may not be modified except by a written addendum issued by a duly authorized representative of McAfee. No provision hereof shall be deemed waived unless such waiver shall be in writing and signed by McAfee. If any provision of this Agreement is held invalid, the remainder of this Agreement shall continue in full force and effect.

d) All notices, requests, demands, and determinations for McAfee under this Agreement (other than routine operational communications) shall be sent to: the applicable entity address on the first page of this Agreement addressed to Attention: Legal Department.

16) Product Improvement Information Collection Addendum.

a) You understand and agree that the Software may automatically collect data and information about your computer system(s) to assist McAfee in the provision, support and improvement of McAfee software and services. All data and information collected for these reasons are anonymized prior to transmission to McAfee.

McAfee, Inc.
3965 Freedom Circle
Santa Clara, CA 95054
USA
Document Version: 4.0
Product Version: Windows 6.0.0-340 (all except Windows NT and Windows 2000), Windows 5.1.2-8144 (only for Windows NT and Windows 2000), AIX 5.1.2-8118, Linux 5.1.2-8120, HP-UX 5.1.2-8102, Solaris 5.1.2-8102
Publication Date: December 2011

Table of Contents
PREFACE............................................................................................................................................... 6
ABOUT THIS GUIDE ............................................................................................................................... 6
AUDIENCE ............................................................................................................................................ 6
DOCUMENT ORGANIZATION .................................................................................................................. 6
DOCUMENT CONVENTIONS .................................................................................................................... 7
CONTACTING SUPPORT .......................................................................................................................... 7
INTRODUCTION .................................................................................................................................. 8
PRODUCT FEATURES .............................................................................................................................. 9
SOLIDIFIER'S COMMAND-LINE INTERPRETER .......................................................................................... 9
HELP FOR SOLIDIFIER COMMANDS ....................................................................................................... 10
LICENSING .......................................................................................................................................... 11
Adding a license ............................................................................................................................. 11
Listing license information ............................................................................................................. 11
SOLIDIFIER LOGS ................................................................................................................................ 11
CHANGE MONITORING ................................................................................................................... 13
WHAT CAN BE MONITORED? ................................................................................................................ 13
Default Change Monitoring Behavior ............................................................................................. 13
Enabling Change Monitoring ......................................................................................................... 14
Disabling Change Monitoring ........................................................................................................ 15
MONITORING FILE AND DIRECTORY CHANGES ..................................................................................... 16
Monitoring Network Shares ............................................................................................................ 16
Monitoring File Attribute Changes (Windows only) ........................................................................ 17
MONITORING PROCESS EXECUTION ..................................................................................................... 18
MONITORING USER ACCOUNT TRACKING (WINDOWS ONLY) ................................................................ 18
Setting Audit policies for a Non-Domain Controller on Windows 2000, Windows 2003, Windows XP, Windows Vista, Windows 2008, and Windows 7 .............................................................. 18
Setting Audit policies for a Domain Controller on Windows 2000, Windows 2003, and Windows 2008 ............................................................................................................................... 19
Setting Audit policies on Windows NT............................................................................................. 19
CUSTOMIZATION OF FILTERS ...................................................................................................... 21
THE ROLE OF FILTERS ......................................................................................................................... 21
FILE/DIRECTORY NAME-BASED FILTERS .............................................................................................. 21
Include Filter for a File or Directory .............................................................................................. 22
Exclude Filter for a File or Directory ............................................................................................. 23
Removing a File or Directory Filter................................................................................................ 24
Removing All File or Directory Filters............................................................................................ 24
FILE EXTENSION BASED FILTERS ......................................................................................................... 24
Include Filter for an Extension ....................................................................................................... 25
Exclude Filter for an Extension ...................................................................................................... 25
Removing a File Extension Filter.................................................................................................... 26
Removing All File Extension Filters................................................................................................ 27
REGISTRY KEY FILTERS (WINDOWS ONLY) .......................................................................................... 27
Include Filter for a Registry Key..................................................................................................... 27
Exclude Filter for a Registry Key .................................................................................................... 28
Remove a Registry Key Filter ......................................................................................................... 28
Remove All Registry Key Filters ..................................................................................................... 28
USER NAME FILTERS ........................................................................................................................... 29
Exclude Filter for a User Name ...................................................................................................... 29
Remove a User Name Filter............................................................................................................ 29

Remove All User Name Filters........................................................................................................ 30


PROCESS NAME FILTERS ..................................................................................................................... 30
Include Filter for a Process Name .................................................................................................. 30
Exclude Filter for a Process Name ................................................................................................. 31
Removing a Process Name Filter .................................................................................................... 32
Removing All Process Name Filters ................................................................................................ 32
FILTER RULES ..................................................................................................................................... 33
Filter Precedence Rules ................................................................................................................. 33
File Extension based Filters ........................................................................................................... 33
Path Name Filters .......................................................................................................................... 34
Registry Key Filters (Windows only) ............................................................................................... 34
User Name Filters .......................................................................................................................... 34
Process Name Filters ..................................................................................................................... 35
LISTING ALL FILTERS IN EFFECT ......................................................................................................... 35
REMOVING ALL FILTERS ..................................................................................................................... 35
CHANGE POLICY ENFORCEMENT ............................................................................................... 36
WRITE PROTECTION FOR OS, APPLICATION CONFIGURATION AND LOG FILES ........................................ 36
Enforcing write-protection ............................................................................................................. 37
Excluding write-protection ............................................................................................................. 38
Removing write-protection rule ...................................................................................................... 39
Listing write-protected files ............................................................................................................ 39
Removing all write-protection rules ................................................................................................ 40
READ PROTECTION FOR CRITICAL FILES ................................................................................................ 40
Enforcing read-protection .............................................................................................................. 41
Excluding read protection .............................................................................................................. 42
Restoring read access..................................................................................................................... 43
Listing read-protected files ............................................................................................................. 43
Removing read-protection rules...................................................................................................... 43
WRITE PROTECTION FOR CRITICAL REGISTRY KEYS (WINDOWS ONLY) ................................................... 44
Enforcing protection on registry ..................................................................................................... 44
Restricted Behavior ........................................................................................................................ 45
Excluding protection on a registry .................................................................................................. 45
Removing a registry from protected list .......................................................................................... 45
Listing protected registries ............................................................................................................. 45
Removing all registry protection rules ............................................................................................ 46
TAMPER-PROOFING FOR SOLIDIFIER SOFTWARE AND CONFIGURATION .................................................. 46
CONTROLLING INSTALLATION AND UNINSTALLATION OF SOFTWARE (WINDOWS ONLY) ........................ 48
Exceptions ..................................................................................................................................... 49
ADVANCED CONFIGURATION ....................................................................................................... 50
CONFIGURING SOLIDIFIER FEATURES ................................................................................................... 50
Enabling a feature .......................................................................................................................... 50
Disabling a feature......................................................................................................................... 50
Listing features .............................................................................................................................. 50
CONFIGURING A STANDARD EVENT DELIVERY DESTINATION ............................................................... 51
Assigning an event to a standard destination................................................................................... 51
Removing an event from a standard destination .............................................................................. 51
Viewing event assignments to standard destinations ........................................................................ 52
Viewing sink information for specific event ..................................................................................... 52
CONFIGURING THE EVENT CACHE SIZE ................................................................................................ 52
Modifying the Event Cache size ...................................................................................................... 52
Setting the upper watermark level ................................................................................................... 53
Setting the lower watermark level ................................................................................................... 53
CONFIGURING LOG FILE LOCATION PATH ............................................................................................ 53
CONFIGURING SIZE OF LOG FILE .......................................................................................................... 54
CONFIGURING NUMBER OF LOG FILES ................................................................................................. 54
CONFIGURING PROCESS EXECUTION MONITORING ............................................................................... 55
CONFIGURING PASSWORD PROTECTION FOR THE CLI ........................................................................... 56
Setting a password ......................................................................................................................... 56
Deleting a password ....................................................................................................................... 56
MANAGING MASS DEPLOYMENTS AND SYSTEM UPGRADES .................................................................. 56
Exporting Configuration Settings.................................................................................................... 56
Importing Configuration Settings.................................................................................................... 57
ROUTINE MAINTENANCE ............................................................................................................... 58
ABOUT SOFTWARE UPDATE................................................................................................................. 58
About Auto-Updaters...................................................................................................................... 58
AUTOMATED UPDATES ........................................................................................................................ 58
Adding Authorized Updaters........................................................................................................... 59
Deleting Authorized Updaters ........................................................................................................ 60
Listing Authorized Updaters ........................................................................................................... 61
Removing All (Flushing) Authorized Updaters ................................................................................ 61
MANUAL UPDATES ............................................................................................................................. 61
Using the Update Window .............................................................................................................. 61
SCRIPTS AS UPDATERS ........................................................................................................................ 64
TROUBLESHOOTING ....................................................................................................................... 65
EVENT LOG MESSAGES ....................................................................................................................... 65
TROUBLESHOOTING MICROSOFT WINDOWS RELATED ISSUES ................................................................ 73
TROUBLESHOOTING SOLIDIFIER-RELATED ISSUES ................................................................................. 74
Log File for Debugging .................................................................................................................. 74
LEGITIMATE FAILURES THAT ARE NOT ERRORS ..................................................................................... 75
Attempt to install an MSI based package......................................................................................... 75
Attempt to uninstall an MSI based package ..................................................................................... 75
Attempt to install/uninstall Windows optional components .............................................................. 76
Attempt to install an INF based package ......................................................................................... 76
Attempt to open a read protected file .............................................................................................. 76
Attempt to rename a protected registry key ..................................................................................... 77
APPENDIX: COMMAND QUICK REFERENCE.............................................................................. 78
APPENDIX: DIAGNOSTIC TOOLS .................................................................................................. 82
SCANALYZER ..................................................................................................................................... 82
Usage and Interpretation................................................................................................................ 82
Manual Review of ScAnalyzer Reports ............................................................................................ 83
GATHERINFO ...................................................................................................................................... 84
Usage and Interpretation................................................................................................................ 84
APPENDIX: ADVANCED CONFIGURATION PARAMETERS...................................................... 86
Displaying Configuration parameters ............................................................................................. 86
Modifying the value of configuration parameters ............................................................................ 87
APPENDIX: SOLIDIFIER FEATURE LIST ...................................................................................... 88
DISPLAYING SOLIDIFIER FEATURES ...................................................................................................... 88
APPENDIX: SOLIDIFIER AND SOLARIS 10 ZONES ..................................................................... 89
SOLARIS 10 ZONES EXPLAINED ........................................................................................................... 89
SOLIDIFIER AND SOLARIS 10 SECURITY ................................................................................................ 89
BEST PRACTICES FOR SOLIDIFIER AND SOLARIS 10 ............................................................................... 90
BEST PRACTICES FOR SOLIDIFIER......................................................................................................... 90
APPENDIX: SOLIDIFIER AND AIX 6.1 WORKLOAD PARTITIONS (WPARS).......................... 92
AIX 6.1 WORKLOAD PARTITION (WPAR) EXPLAINED ......................................................................... 92
SOLIDIFIER AND AIX 6.1 INTERACTION ................................................................................................ 92
BEST PRACTICE FOR MCAFEE SOLIDIFIER ............................................................................................ 93

Preface
About This Guide
This guide discusses how you can implement the Solidifier. It describes the configuration of the
Solidifier during the initial implementation and its ongoing maintenance. It also describes remote
administration and troubleshooting. This document is meant to serve as a comprehensive
reference for the initial set up and ongoing maintenance and administration of a host system.

Audience
The intended audience for this guide is the system administrator who will be responsible for
administering the Solidifier. The system administrator is assumed to be familiar with the IT
operations on systems including installation, configuration, etc. of application software and
monitoring system logs. Advanced knowledge of any specific operating system or application is
not required.

Document Organization
This guide is organized as follows:

Chapter, Introduction describes the Solidifier concepts.

Chapter, Change Monitoring describes the monitoring of changes, the default change
monitoring behavior and how it is enabled and disabled.

Chapter, Customization of Filters introduces the notion of Filters and provides the
motivation for why their judicious use can tune the system dramatically to report
precisely those changes that are exceptions to the change policy.

Chapter, Change Policy Enforcement describes the capability of enforcing control
over changes.

Chapter, Advanced Configuration describes advanced configuration options that you
may optionally choose to apply.

Chapter, Routine Maintenance describes how the system can be updated either
manually or using program automation during maintenance windows.

Chapter, Troubleshooting describes techniques for resolving problems encountered
in the field. It also provides a reference for the event messages and common errors.

Appendix: Command Quick Reference provides a quick reference for the CLI
commands.

Appendix: Diagnostic Tools describes several diagnostic tools that are packaged
together with the product.

Appendix: Advanced Configuration parameters provides a list of configuration
parameters.

Appendix: Solidifier feature list describes the Solidifier features.

Appendix: Solidifier and Solaris 10 Zones describes use of Solidifier in Solaris 10
Zones.

Document Conventions
The following conventions distinguish different types of text:

Commands and keywords are in boldface.

In interactive examples, user input is in boldface.

CLI command syntax is preceded by the prompt > for Windows, by the prompt #
for UNIX, or by prompt > for commands that are applicable for both Windows and
UNIX.

In command syntax statements

Parameters (variables for which a specific value is to be typed) are in italics.

Optional arguments are in [square braces].

Alternative arguments are separated by vertical bars, and are grouped within {curly
braces}.

Names of keys on the keyboard are in square braces, such as the [Tab] key.

A control key is indicated by a caret preceding a letter: ^A means Control-A.

Note: Means reader should take a note. Notes contain helpful suggestions or references to
material not covered in the guide.

Contacting Support

Contact Us | McAfee, Inc.: http://www.mcafee.com/us/about/contact-us.aspx

Homepage: http://www.mcafee.com/us/products/change-control.aspx

Technical Support ServicePortal: https://mysupport.mcafee.com/Eservice/Default.aspx

Phone: +1-800-937-2237

Product & Solutions: https://secure.mcafee.com/apps/downloads/my-products/login.aspx

Introduction
Most IT organizations today recognize the central role that control over change plays for
achieving operational effectiveness. Many have invested in process automation tools such as a
Change Management system or a Service Desk. Yet, a gap persists between actual change activity
and the documented Change Management process. This change control gap results in manual
activity by IT departments to control and minimize the costs of change. McAfee Solidifier
bridges this gap by adding Control to Change Management. This is accomplished by providing
customers with real time visibility of changes being made, accountability to validate change
activity and technology-based enforcement of change policy. Solidifier is easily configurable to
increase the availability of IT services, accelerate the successful implementation of ITIL
(Information Technology Infrastructure Library) projects, and reduce the cost of compliance
initiatives such as Sarbanes-Oxley or PCI.
Solidifier is an operationally-friendly, low-touch, and low-overhead software product that can be
deployed on a wide range of hardware platforms. Solidifier provides change control on servers,
desktops, network devices such as switches, routers and firewalls, and databases.
Unlike scan-based solutions which take and compare snapshots of the state of a system, Solidifier
continuously tracks and validates every attempted change at the endpoint in real-time. This
approach has several important benefits:

Every change across the infrastructure is recorded in an independent change database
the moment it happens

Every attempted change can be validated in real-time, before the change is applied

Little overhead is incurred on the endpoint and there are no spikes in resource
utilization that could interfere with operations.

The ability to capture all changes across servers, desktops, and in real time enables immediate
alerts to exceptional change. It also creates a change database that is comprehensive and always
up-to-date. Intelligent filtering ensures that only relevant change makes it to the database and
minimizes consumption of network bandwidth. The Change Database becomes the foundation for
a powerful search capability that provides the rich forensic information needed to quickly
pinpoint the root cause of any change-related incident. This capability is fully effective even
when the system in question is offline.
Because every change is captured at the exact moment it occurs and includes rich information,
including who made the change, highly accurate reconciliation with change tickets is possible.
Finally, the ability to detect and validate attempted change in real-time enables technical
enforcement of change policy. IT can now disallow out-of-policy changes attempted on target
systems before they occur. This greatly reduces change-related outages.
Real-time visibility into changes made across all systems is the foundation of the Solidifier
product framework. It provides real-time change tracking with minimal consumption of CPU,
memory, disk and network resources. It comprehensively logs all change attempts made to files
and Windows registry keys on the target systems.

Pre-built and customized filters are available to limit change capture to items of interest. The
module provides rich information about change including where the change was made (which
server/servers), when it was made, which user or application made the change, and how the
change was made. The information is stored in an independent Change Database, separating the
actual storage of information from the system being tracked. The Change Database captures
changes across all networked systems, and provides change information for systems even when
they are down or offline.

Product features
Change Control allows you to monitor and prevent changes to the file system, registry, and user
accounts. You can view details of who made changes, which files were changed, and when and
how the changes were made. You can write protect critical files and registry keys from
unauthorized tampering. You can read protect sensitive files. To ease maintenance, you can
define trusted programs or users to allow updates to protected files and registry keys.
In effect, a change is permitted only if the change is applied in accordance with the update
policies. Using Change Control, you can:

Real-time monitoring for file and registry changes - Real-time monitoring eliminates the need
to perform scan after scan on endpoints and identifies transient change violations, such as
when a file is changed and restored to its earlier state.

Track content and attribute changes for a monitored file - If you enable content change tracking
for a file, any attribute or content change to the file creates a new file version. Although this
feature is available in standalone mode, it is useful and effective only in managed
environments (ePO deployments). For a file for which you are tracking content changes, you
can view and compare the different file versions or files (on the same or different endpoints)
and receive notifications via email whenever the file is modified.

Visibility to ad-hoc changes - Captures every change, including the time of the change, which
user made the change, what program was used to make the change, and whether the change
was made manually or by an authorized program.

Protection rules to eliminate ad-hoc changes - Write protection rules to prevent users from
creating new files (including directories and registry keys) and modifying existing files,
directories, and registry keys. Write-protecting a file or registry key renders it read only and
protects it from unanticipated updates.

Enforce approved change policies and compliance.

Solidifier's Command-line Interpreter

On Windows
The Solidifier's command-line interpreter sadmin (pronounced s-admin) is invoked in
the Solidifier's custom command shell. To invoke this command shell, perform one of the
following steps:
1. Double-click on the McAfee Solidifier Command-line icon on the desktop.

2. Use the Start | Programs | McAfee | Solidifier | McAfee Solidifier Command Line menu
option.
You can also open a command prompt window and start executing Solidifier commands.
On UNIX
Open a UNIX terminal and start executing Solidifier commands on the command prompt. You
can access the Solidifier's command-line interpreter sadmin from
<ss-install-dir>/mcafee/solidcore/bin/sadmin.

Help for Solidifier Commands


A list of basic Solidifier commands can be obtained in this command shell as follows:
> sadmin help

Or
# sadmin help

Help for a basic Solidifier command can be obtained in this command shell as follows:
> sadmin help command

Or
# sadmin help command

A list of advanced Solidifier commands can be obtained as follows:
> sadmin help-advanced

Or
# sadmin help-advanced

Help for an advanced Solidifier command can be obtained as follows:
> sadmin help-advanced command

Or
# sadmin help-advanced command


Licensing
You can add another license or display licensing information of the product(s) installed on your
system. Currently, there are separate licenses for enabling the Change Control and Runtime
Control modules of the Solidifier.

Adding a license
Issue the command given below to add another license, license_key:
> sadmin license add license_key

On Windows, a reboot is required to activate the new features in the Solidifier, as per the license
added. These new features may require additional configuration for the Solidifier to work
properly. Refer to the Advanced Configuration section for more details.
On UNIX, no reboot is required to activate the new features in the Solidifier, as per the license
added. However, a Solidifier service restart is required.
The features already installed on the system will retain the same state (enabled or disabled) after
the new license has been added.
Note: You can add a product license only when the Solidifier is running in Disabled mode.

Listing license information


Issue the command given below to display the list of licenses installed on your system:
> sadmin license list

The following listing is printed for the Change Control module license:
xxxx-xxxx-xxxx-xxxx-xxxx (Change Control, Unlimited)
The following listing is printed for the limited period Change Control module license (available
only on Windows):
xxxx-xxxx-xxxx-xxxx-xxxx (Change Control, 30 Day Trial)
Note: The sadmin license list command can be issued in all modes.

Solidifier Logs
Solidifier generates its own log (solidcore.log), and Solidifier-specific event logs are also written
to the system logs.
On Windows
The Solidifier log file (solidcore.log) is generated in the Logs folder.

To view the event logs generated by Solidifier in the system logs, click Start > Programs >
Administrative Tools > Event Viewer > Application.
On UNIX
To view the Solidifier log on UNIX, follow the steps given below:
1. Open the UNIX terminal.
2. Change to the /var/log/mcafee/solidcore directory using the following command:
# cd /var/log/mcafee/solidcore

3. Open the solidcore.log file using the following command:
# tail -f solidcore.log

Solidifier event logs are added to the system log file: /var/adm/messages (AIX),
/var/log/messages (Linux), /var/adm/messages (Solaris), or /var/adm/syslog (HP-UX).


Change Monitoring
This chapter introduces you to the change actions that can be monitored, the monitoring of
change actions performed for files and directories that are local or on a network share, and
describes how change monitoring is enabled or disabled on the Solidifier.
This chapter covers the following topics:

What can be monitored?

Monitoring File and Directory Changes

Monitoring Process Execution

Monitoring User Account Tracking

What can be monitored?


The Solidifier can monitor change actions happening on your system. Monitoring is enabled by
default. The Solidifier can monitor changes to the following:

Files

Windows Registry entries (Windows only)

Process execution/termination

User activity (Logon/Logoff) (Windows only)

Default Change Monitoring Behavior


By default, Change Monitoring is enabled on installation. Even when Change Monitoring is
disabled, it is possible to configure the event filters. On enabling Change Monitoring, the
Solidifier starts generating change events and tracking all changes in the system. To reduce the
number of reported events, exclude filters can be added.
A set of default filters is in place when the Solidifier is installed on the system.
The primary objective of these default filters is to govern the event traffic and eliminate
unwanted events from appearing in log files/event viewer. It is possible to override the default
filter list by customizing filters to suit your specific requirements.
On Windows, the following list shows these default filters:
F- '*'
R- 'HKEY_CLASSES_ROOT'
R- 'HKEY_CURRENT_CONFIG'
R- 'HKEY_CURRENT_USER'
R- 'HKEY_LOCAL_MACHINE'
R- 'HKEY_USERS'

On UNIX, the following list shows these default filters:
F- '*'


Enabling Change Monitoring


After the successful installation of Solidifier on the system, two more steps are required for the
system to be ready to use:

The Solidifier must be in the Enabled Mode, and

The system must be rebooted when using full-feature mode (no restart is needed in
limited feature activation or reboot-free mode)

To enable Change Monitoring, execute the following command:


> sadmin enable

The following message is displayed upon the completion of this command:


McAfee Solidifier will be enabled on service restart.
The following Event Log entry is also generated:
Local Administrator executed command 'sadmin enable' at Wed Apr 02 2008
11:32:12 (Return status: 0).

Note: Refer to Solidifier Logs section of this document for instructions on how to view events
generated by the Solidifier.
Reboot the computer.
Note: On UNIX, you can also enable change monitoring without a reboot by enabling and
restarting the Solidifier service (scsrvc). Issue the following commands:
# sadmin enable
# <ss-path>/scripts/scsrvc restart

Here, <ss-path> is the <ss-install-path>/mcafee/solidcore directory. However,
reporting/filtering/protection based on path names or process names may not work as expected.
The following Event Log entry is also generated:
McAfee Solidifier is currently enabled.

This denotes that the Solidifier has been enabled. You can also verify that the Solidifier is in
Enabled mode using the following command:
> sadmin status

On Windows, the following message is displayed:

McAfee Solidifier: Enabled
McAfee Solidifier on reboot: Enabled
ePO Managed: Disconnected
Local CLI access: Recovered
[fstype]  [status]      [driver status]  [volume]
* NTFS    Unsolidified  Attached         C:\
On UNIX, the following message is displayed:

McAfee Solidifier: Enabled
McAfee Solidifier on reboot: Enabled
ePO Managed: Disconnected
Local CLI access: Recovered
[fstype]    [status]      [driver status]  [volume]
* reiserfs  Unsolidified  Attached         /

Disabling Change Monitoring


Change Monitoring is disabled using the disable command. However, it remains active until
the next system reboot.
> sadmin disable

The following message is displayed upon the completion of this command:


McAfee Solidifier will be disabled on next reboot.

The Solidifier's status display will show that it is currently in Enabled mode but will enter
Disabled Mode after the next reboot:
> sadmin status

On Windows, the following message is displayed:

McAfee Solidifier: Enabled
McAfee Solidifier on reboot: Disabled
ePO Managed: Disconnected
Local CLI access: Recovered
[fstype]  [status]      [driver status]  [volume]
* NTFS    Unsolidified  Attached         C:\

On UNIX, the following message is displayed:

McAfee Solidifier: Enabled
McAfee Solidifier on reboot: Disabled
ePO Managed: Disconnected
Local CLI access: Recovered
[fstype]    [status]      [driver status]  [volume]
* reiserfs  Unsolidified  Attached         /
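The two sections above describe reading sadmin status by eye to confirm that the Solidifier is enabled now and will still be enabled after the next reboot, or to notice that a disable is still pending. The following Python example automates that check for a deployment or health-check script. It is an added example, not code from the guide or from McAfee: the function names and the parsing rules are assumptions, and the two sample outputs are constructed from the listings shown above.

```python
"""Parse `sadmin status` output and flag a pending mode change.

Added example, not part of the McAfee guide. parse_status() and
mode_check() are assumed helper names; the samples below are constructed
from the status listings the guide shows after `sadmin enable` and
`sadmin disable`.
"""
import re

# Constructed sample: UNIX output right after `sadmin disable`, before the
# reboot that actually moves the Solidifier into Disabled mode.
STATUS_PENDING_DISABLE = """\
McAfee Solidifier: Enabled
McAfee Solidifier on reboot: Disabled
ePO Managed: Disconnected
Local CLI access: Recovered
[fstype]    [status]      [driver status]  [volume]
* reiserfs  Unsolidified  Attached         /
"""

# Constructed sample: Windows output after `sadmin enable` and a reboot.
STATUS_ENABLED = """\
McAfee Solidifier: Enabled
McAfee Solidifier on reboot: Enabled
ePO Managed: Disconnected
Local CLI access: Recovered
[fstype]  [status]      [driver status]  [volume]
* NTFS    Unsolidified  Attached         C:\\
"""


def parse_status(text):
    """Split the output into its 'key: value' header and the per-volume table.

    Header lines are 'Name: Value'. The volume table starts at the line whose
    column names are in [brackets]; each following non-empty line is one row.
    """
    fields, volumes, header = {}, [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("["):
            header = re.findall(r"\[([^\]]+)\]", line)  # column names
            continue
        if header is None:
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
        else:
            cells = line.split()
            if cells[0] == "*":  # '* NTFS' / '* reiserfs' is a single cell
                cells = [" ".join(cells[:2])] + cells[2:]
            volumes.append(dict(zip(header, cells)))
    return {"fields": fields, "volumes": volumes}


def mode_check(text):
    """Summarise the mode now, the mode after reboot, and whether they differ.

    A mismatch means a `sadmin enable`/`sadmin disable` has been issued but
    not yet taken effect. A driver status other than 'Attached' is reported
    too (assumption: that is the value an operator should expect to see).
    """
    status = parse_status(text)
    current = status["fields"].get("McAfee Solidifier")
    on_reboot = status["fields"].get("McAfee Solidifier on reboot")
    detached = [v.get("volume") for v in status["volumes"]
                if v.get("driver status") != "Attached"]
    return {
        "current": current,
        "on_reboot": on_reboot,
        "pending_change": current != on_reboot,
        "detached_volumes": detached,
    }


if __name__ == "__main__":
    for name, sample in (("pending disable", STATUS_PENDING_DISABLE),
                         ("enabled", STATUS_ENABLED)):
        print(name, mode_check(sample))
```

On a live host the text would come from running sadmin status and capturing its output; the check is useful at the end of a rollout to catch machines where the enable has not yet been applied by a reboot or service restart.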

Monitoring File and Directory Changes


Solidifier monitors change actions in real time, as they happen, on files and directories and
generates events for the following types of actions:

Creation

Modification of contents

Deletion

Renaming

File attribute modification

ACL modification

Owner modification (Windows only)

You can enable or disable file and directory change monitoring through the sadmin monitor
command.
Note: All hard links to a file or directory must also be added to the monitoring rules in addition to
the target file or directory. Then, the changes on the target and its hard link are individually
reported by Solidifier.
For all soft links or symbolic paths, only the target file name needs to be added to monitoring
rules after which Solidifier starts reporting changes done to that file.

Monitoring Network Shares


Solidifier also generates change events for network file shares; these are of the same type and have
the same richness of information as events generated for local file/directory changes.
Note: (Windows only) Network share tracking is disabled by default. Enable the network tracking
feature to enable network share tracking.
Solidifier supports Change Monitoring for a Network File Server (NFS) on the UNIX platform and
network tracking on Windows. It can run on an NFS, on a Client for NFS Services (NFS Client), or
on both, depending upon where it is installed. An NFS is a system that exports a share, whereas an
NFS Client is a system that mounts a share; on the Windows platform you can also track files on
SMB mount points. For event generation on the NFS, the NFS Client, or both, the following
scenarios are supported:

Solidifier is installed on both NFS and NFS Client
When Solidifier is installed on both NFS and NFS Client, changes to a file residing on an NFS
share that are initiated at the NFS Client cause the generation of events at both the NFS Client
and the NFS. Even though they are duplicate events, they enable the scenario where Solidifier is
installed on only one of the systems.
Changes initiated at the NFS cause generation of events that are purely local at the NFS. The NFS
Clients do not generate any change events for this scenario.
Solidifier is installed only on NFS
Changes initiated at the NFS for files residing on the NFS cause generation of events that are
purely local at the NFS. The NFS Clients do not generate any change events for this scenario.
Changes performed at the NFS Client for local files do not generate any events at the NFS.
Changes initiated at the NFS Client for a file residing on the NFS share, cause change events to
be generated at the NFS.
Changes are tracked regardless of whether their source is local or remote.
Solidifier is installed only on NFS Client
The changes performed at the NFS Client for local files cause change events to be generated at
NFS Client. The NFS does not generate any change events.
Changes initiated at the NFS for files residing on the NFS share do not cause generation of events
either at the NFS or the NFS Client.
Changes performed at the NFS for local files do not generate any events either at the NFS or at
the NFS Client.

Monitoring File Attribute Changes (Windows only)


The Solidifier monitors changes to file attributes by default, for the following attributes:

FILE_ATTRIBUTE_ENCRYPTED

FILE_ATTRIBUTE_HIDDEN

FILE_ATTRIBUTE_OFFLINE

FILE_ATTRIBUTE_READONLY

FILE_ATTRIBUTE_SYSTEM

FILE_ATTRIBUTE_INDEX

You can enable or disable file attribute change monitoring through the mon-fattr feature.
The following event is raised in the Event log when an attribute is added to a file:
McAfee Solidifier detected addition of attribute 'attr_name' to file
'file_name' by program prog_name (User: user_name).

The following event is raised in the Event log when an attribute is removed from a file:
McAfee Solidifier detected removal of attribute 'attr_name' from file
'file_name' by program prog_name (User: user_name).

Monitoring Process Execution


The Solidifier can also monitor the start and stop events for process execution. Each process
start/exit event includes the time, user, process name, process id, full path of the program, parent
process name, and parent process id. Process Execution monitoring is disabled by default and can
be enabled or disabled using the mon-proc-exec feature.
The following event is raised when process process-name (Process ID PID) having parent
process parent-process-name (Process ID PPID) is started by user user-name:
McAfee Solidifier detected start of process process-name (Process Id: PID,
Parent Process Id: PPID, Parent Process -name: process-name, User: user-name,
Original User: original-user-name).

The following event is raised when process process-name (Process ID PID) having parent
process parent-process-name (Process ID PPID) is stopped by user user-name:
McAfee Solidifier detected exit of process process-name (Process Id: PID,
Parent Process Id: PPID, Parent Process -name: parent-process-name, User:
user-name, Original User: original-user-name).

Monitoring User Account Tracking (Windows only)


Solidifier can monitor the success or failure of user logon/logoff attempts and other account
changes by default.
This monitoring capability requires that the Windows Audit Policy is enabled. Success/failure for
the following audit policies should be enabled to get all events supported by the mon-uat
(monitor-user-account-tracking) feature:

Audit account logon events

Audit logon events

Audit account management

Setting Audit policies for a Non-Domain Controller on Windows 2000, Windows 2003, Windows XP, Windows Vista, Windows 2008, and Windows 7
Follow the steps given below to set up audit policies for a Non-Domain Controller:
1. Click Start > Settings > Control Panel > Administrative Tools > Local Security Policy.
Alternatively, this can be accessed by clicking Start > Run and entering gpedit.msc, then
navigating to Windows Settings.
2. Navigate through the tree structure to Security Settings > Local Policies > Audit Policy.
3. Enable success/failure for the above mentioned audit policies.

Setting Audit policies for a Domain Controller on Windows 2000, Windows 2003, and Windows 2008
Follow the steps given below to set up audit policies for a Domain Controller:
1. Click Start > Settings > Control Panel > Administrative Tools > Domain Security Policy.
2. Navigate to Security Settings > Local Policies > Audit Policy.
3. Enable success/failure for the above mentioned audit policies.

Setting Audit policies on Windows NT


Follow the steps given below to set up auditing:
1. Click Start > Settings > Control Panel > Administrative Tools > User Manager for
Domains.
2. In the User Manager window, select Policies > Audit.
3. In the Audit Policy window, select the Audit These Events radio button.
4. Enable success/failure for the above mentioned audit policies.
You can enable or disable user account tracking like Logon/Logoff monitoring through the
mon-uat feature.
Note: While events are normally viewed from the Application category of the Event Viewer, the
Logon/logoff events can be viewed from the Security category of the Event Viewer.
The following event is raised when a logon is successfully attempted by user user-name of
domain domain-name on host machine host-machine:
"McAfee Solidifier detected 'successful' logon by domain-name/user-name on
host-machine"

The following event is raised when a logon is unsuccessfully attempted by user user-name of
domain domain-name on host machine host-machine:
"McAfee Solidifier detected 'failed' logon by domain-name/user-name on
host-machine"

The following event is raised when a logon is successfully attempted by user user-name of
domain domain-name from remote machine remote-machine using process process-name on host
machine host-machine:
"McAfee Solidifier detected 'successful' logon by domain-name/user-name on
host-machine (from remote-machine by process-name process)."

The following event is raised when a logon is unsuccessfully attempted by user user-name of
domain domain-name from remote machine remote-machine using process process-name on host
machine host-machine:

"McAfee Solidifier detected 'failed' logon by domain-name/user-name on
host-machine (from remote-machine by process-name process)."

The following event is raised when a logoff is attempted by user user-name:
McAfee Solidifier detected logoff by user-name.

The following event is raised when the user account user2-name of domain domain2-name is
created by user account user1-name of domain domain1-name:
"McAfee Solidifier detected 'creation' of user account domain2-name/user2-name
by domain1-name/user1-name."

The following event is raised when the user account user2-name of domain domain2-name is
deleted by user account user1-name of domain domain1-name:
"McAfee Solidifier detected 'deletion' of user account domain2-name/user2-name
by domain1-name/user1-name."

The following event is raised when user account user2-name of domain domain2-name is
modified by user account user1-name of domain domain1-name:
"McAfee Solidifier detected modification of user account domain2-name/user2-name
by domain1-name/user1-name. Modification type : modification-type."

Here, modification-type can be account locked, account unlocked, account enabled, account
disabled, and password changed.
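The process start/exit and user-account messages described above are free text, so a SIEM or a script has to parse them before it can count failed logons, list account changes, or reconstruct which monitored processes are still running. The following Python is an added example and is not part of this guide or of the Solidifier product: it assumes the message formats exactly as printed in the two sections above (accepting the "Parent Process -name" field with or without the space), and it runs over a handful of constructed sample lines.

```python
"""Parser and summariser for Solidifier process-execution and user-account events (added example)."""
import re
from collections import Counter
from typing import Any, Dict, List, Optional

# Message formats as documented in the guide; each regex names the fields it extracts.
PROCESS_RE = re.compile(
    r"McAfee Solidifier detected (?P<action>start|exit) of process (?P<name>.+?) "
    r"\(Process Id: (?P<pid>\d+), Parent Process Id: (?P<ppid>\d+), "
    r"Parent Process\s*-?name: (?P<parent>.+?), User: (?P<user>.+?), "
    r"Original User: (?P<orig_user>.+?)\)\.?$")
LOGON_RE = re.compile(
    r"McAfee Solidifier detected '(?P<result>successful|failed)' logon by "
    r"(?P<domain>[^/]+)/(?P<user>\S+) on (?P<host>\S+?)"
    r"(?: \(from (?P<remote>\S+) by (?P<process>.+?) process\))?\.?$")
LOGOFF_RE = re.compile(r"McAfee Solidifier detected logoff by (?P<user>.+?)\.?$")
ACCOUNT_RE = re.compile(
    r"McAfee Solidifier detected '?(?P<action>creation|deletion|modification)'? of user account "
    r"(?P<domain>[^/]+)/(?P<user>\S+?) by (?P<by_domain>[^/]+)/(?P<by_user>\S+?)\."
    r"(?: Modification type : (?P<mod_type>.+?)\.?)?$")


def parse_event(line: str) -> Optional[Dict[str, Any]]:
    """Return a dict describing one event, or None for a line this parser does not understand."""
    line = line.strip().strip('"')  # the guide shows logon messages wrapped in double quotes
    for kind, rx in (("process", PROCESS_RE), ("logon", LOGON_RE),
                     ("logoff", LOGOFF_RE), ("account", ACCOUNT_RE)):
        m = rx.match(line)
        if m:
            event: Dict[str, Any] = {"type": kind, **m.groupdict()}
            if kind == "process":
                event["pid"], event["ppid"] = int(event["pid"]), int(event["ppid"])
            return event
    return None


def summarize(lines: List[str]) -> Dict[str, Any]:
    """Aggregate a batch of event lines: failed logons per account, processes started but not
    yet exited, account management changes, and how many lines could not be parsed."""
    events, unparsed = [], 0
    for line in lines:
        e = parse_event(line)
        if e is None:
            unparsed += 1
        else:
            events.append(e)
    failed = Counter(f"{e['domain']}/{e['user']}" for e in events
                     if e["type"] == "logon" and e["result"] == "failed")
    running: Dict[int, str] = {}
    for e in events:
        if e["type"] == "process":
            if e["action"] == "start":
                running[e["pid"]] = e["name"]
            else:
                running.pop(e["pid"], None)
    accounts = [e for e in events if e["type"] == "account"]
    return {"failed_logons": dict(failed), "running": running,
            "account_changes": accounts, "unparsed": unparsed}


# Constructed sample events; hosts, users and PIDs are illustrative only.
SAMPLE_EVENTS = [
    "McAfee Solidifier detected start of process cmd.exe (Process Id: 4120, Parent Process Id: 980, "
    "Parent Process -name: explorer.exe, User: CORP\\alice, Original User: CORP\\alice).",
    "\"McAfee Solidifier detected 'failed' logon by CORP/bob on WS01 (from WS02 by svchost.exe process).\"",
    "\"McAfee Solidifier detected 'failed' logon by CORP/bob on WS01\"",
    "\"McAfee Solidifier detected 'successful' logon by CORP/bob on WS01\"",
    "McAfee Solidifier detected exit of process cmd.exe (Process Id: 4120, Parent Process Id: 980, "
    "Parent Process -name: explorer.exe, User: CORP\\alice, Original User: CORP\\alice).",
    "McAfee Solidifier detected start of process powershell.exe (Process Id: 5000, Parent Process Id: 4120, "
    "Parent Process -name: cmd.exe, User: CORP\\alice, Original User: CORP\\alice).",
    "\"McAfee Solidifier detected 'creation' of user account CORP/svc-backup by CORP/admin.\"",
    "\"McAfee Solidifier detected modification of user account CORP/bob by CORP/admin. "
    "Modification type : account unlocked.\"",
    "McAfee Solidifier detected logoff by bob.",
]

if __name__ == "__main__":
    summary = summarize(SAMPLE_EVENTS)
    print("failed logons:", summary["failed_logons"])
    print("still running:", summary["running"])
    for change in summary["account_changes"]:
        print("account change:", change["action"], change["domain"] + "/" + change["user"],
              "by", change["by_domain"] + "/" + change["by_user"], change.get("mod_type") or "")
```

The parser keys on the fixed phrases in each message rather than on field positions, so an extra field added to a future message format would make a line fall into the "unparsed" count instead of being silently mis-parsed; monitoring that count is the cheapest way to notice a format change.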

Customization of Filters
This chapter introduces you to filters and how they should be used. Solidifier supports several
different types of filters to provide the flexibility for tuning Change Monitoring and the reporting
of change events to suit your specific business needs.
This chapter covers the following topics:

The Role of Filters

File/Directory Name-based Filters

File Extension based Filters

Registry Key Filters

User Name Filters

Process Name Filters

Filter Rules

Listing All Filters In Effect

Removing All Filters

The Role of Filters


Filters can be set on files, directories, registries, process names, file extensions, and user names.
Filters match criteria based on file extension, path name, process name, user name or registry
name for change events. Filters can be configured in two different modes:

Include filters cause events matching the filtering criterion to be reported to the user.

Exclude filters cause events matching the condition to be suppressed and not reported
to the user.

Filtering of Change Monitoring events is essential in order to govern the volume of change
events, primarily because a large volume of changes are program-generated and may not be worth
the attention of the Solidifier product administrator. In the extreme situation, where there is a lot
of programmatic and automatic change activity, a large volume of change events may overwhelm
the system generating the events. Filters ensure that only relevant change events are recorded.
This helps in reducing the noise on the system.

File/Directory Name-based Filters


The Solidifier monitors file creation, file modification, file attribute modification, file renaming
and file deletion actions. For each of these actions, a separate event is recorded. Each event
contains user name, time, event id, action, timestamp, Solidifier server_name, event type, event
sink, server state, file name and name of the program which is making the change.
There are different types of filtering mechanisms. You can set up filters on files and directories
using the sadmin monitor command.

Include Filter for a File or Directory


On Windows
Include a local file using the following command:
> sadmin monitor file -i C:\test.doc

Include a network share using the following command:


> sadmin monitor file -i \\192.168.82.24\shared

Include a directory using the following command:


> sadmin monitor file -i c:\WINDOWS\system32\config

Display the filters that are in effect:


> sadmin monitor list

The following list is displayed:


F+ "C:\test.doc"
F+ "C:\WINDOWS\system32\config"
F+ "\\192.168.82.24\shared"
The prefix F represents a File Filter; F+ indicates that the file is included for Change Monitoring.
Note: Non-existent paths and volumes can also be added to the monitoring rules.
On UNIX
Include a local file using the following command:
# sadmin monitor file -i /usr/test.sh

Include a network share using the following command:


# sadmin monitor file -i /nfsshare/shared/test1

Include a directory using the following command:


# sadmin monitor file -i /usr/config

Display the filters that are in effect:


# sadmin monitor list

The following list is displayed:

F+ "/nfsshare/shared/test1"
F+ "/usr/config"
F+ "/usr/test.sh"
The prefix F represents a File Filter; F+ indicates that the file is included for Change Monitoring.

Exclude Filter for a File or Directory


On Windows
Exclude a file from monitoring using the following command:
> sadmin monitor file -e C:\test.doc

Exclude a directory by using the following command:


> sadmin monitor file -e c:\WINDOWS\system32\config

Exclude a network share using the following command:


> sadmin monitor file -e \\192.168.82.24\shared

View the files and folders on which filters have been applied using the following command:
> sadmin monitor list

After execution of this command, the following message appears on the screen:
F- "C:\Program Files"
F- "C:\test.doc"
F- "C:\WINDOWS\system32\config"
F- "\\192.168.82.24\shared"

The F- indicates that the file is excluded from Change Monitoring.


On UNIX
Exclude a file from monitoring using the following command:
# sadmin monitor file -e /usr/test.sh

Exclude a directory by using the following command:


# sadmin monitor file -e /usr/config

View the files and directories on which filters have been applied using the following command:
# sadmin monitor list

After execution of this command, the following message appears on the screen:

F+ "/nfsshare/shared/test1"
F- "/usr/config"
F- "/usr/test.sh"
The F- indicates that the file is excluded from Change Monitoring.

Removing a File or Directory Filter


On Windows
Remove the filter on a file using the following command:
> sadmin monitor file -r C:\test.doc

Remove the filter on a folder using the following command:


> sadmin monitor file -r c:\WINDOWS\system32\config

View the files and folders on which filters have been applied using the following command:
> sadmin monitor list

The list displays that the following filters are in effect:


F- "C:\Program Files"
F- "\\192.168.82.24\shared"
On UNIX
Remove the filter on a file using the following command:
# sadmin monitor file -r /usr/test.sh

Remove the filter on a directory using the following command:


# sadmin monitor file -r /usr/config

Removing All File or Directory Filters


Remove all (Flush) the file or directory based filters by using the following command:
> sadmin monitor file -f

File Extension based Filters


You can also set filters on file extensions which monitors any creation, modification, attribute
modification, renaming and deletion events on all files having that particular extension. Each
event contains user name, time, event id, action and file name and name of the program which is
making the change. These set of filters can be applied to include or exclude the monitoring of
files with a certain extension.

Include Filter for an Extension


On Windows
Include file extension, for example, exe using the following command:
> sadmin monitor extn -i exe

Its effect can be viewed as shown below:


> sadmin monitor list

The list displays that the following filters are in effect:


X+ "exe"
F+ "C:\Program Files\McAfee\Solidcore"
F- "C:\Program Files"
The prefix X represents a File Extension Filter; X+ indicates that the file extension is included for
Change Monitoring.
Note: The extension can be specified with or without the leading '.' character.
On UNIX
Include file extension, for example, conf using the following command:
# sadmin monitor extn -i conf

Its effect can be viewed using the command given below:


# sadmin monitor list

The list displays that the following filters are in effect:


F+ "/nfsshare/shared/test1"
X+ "conf"

The prefix X represents a File Extension Filter; X+ indicates that the file extension is included for
Change Monitoring.

Exclude Filter for an Extension


On Windows
Exclude a file extension using the following command:
> sadmin monitor extn -e exe

Its effect can be viewed as shown below:


> sadmin monitor list

The list displays that the following filters are in effect:


X- "exe"
F+ "C:\Program Files\McAfee\Solidcore"
F- "C:\Program Files"
The prefix X- indicates that the file extension is excluded from Change Monitoring.
On UNIX
Exclude a file extension using the following command:
# sadmin monitor extn -e conf

Its effect can be viewed using the following command:


# sadmin monitor list

The list displays that the following filters are in effect:


X- "conf"
F+ "/nfsshare/shared/test1"

The prefix X- indicates that the file extension is excluded from Change Monitoring.

Removing a File Extension Filter


On Windows
Remove a File Extension filter using the following command:
> sadmin monitor extn -r exe

Its effect can be viewed as shown below:


> sadmin monitor list

The list displays that no File Extension Filters are in effect:


F+ "C:\Program Files\McAfee\Solidcore"
F- "C:\Program Files"
On UNIX
Remove a File Extension filter using the following command:
# sadmin monitor extn -r conf

Its effect can be viewed using the following command:


# sadmin monitor list

The list displays that no File Extension Filters are in effect.

Removing All File Extension Filters


The example below illustrates that two File Extension Filters are in effect:
> sadmin monitor list

X+ "doc"
X+ "exe"
F+ "C:\test.doc"
F+ "C:\test1.doc"

Remove all (Flush) File Extension Filters using the following command:
> sadmin monitor extn -f

Its effect can be viewed as shown below:


> sadmin monitor list

The list displays that no File Extension Filters are in effect:


F+ "C:\test.doc"
F+ "C:\test1.doc"

Registry Key Filters (Windows only)


The Solidifier monitors the registry changes also. You can set filters on Registry Keys and record
changes due to their modification, renaming and deletion. For each of these actions a separate
event is recorded. Each event contains the user name, time, event id, action, and registry key
name and name of the program which is making the change.

Include Filter for a Registry Key


Include a registry key for monitoring using the following command:
> sadmin monitor reg -i HKEY_LOCAL_MACHINE

Its effect can be viewed as shown below:


> sadmin monitor list

F- "C:\Program Files"
R+ "HKEY_LOCAL_MACHINE"
The prefix R represents a Registry Key Filter; R+ indicates that the registry key is included for
Change Monitoring.

Exclude Filter for a Registry Key


Exclude a registry key using the following command:
> sadmin monitor reg -e HKEY_LOCAL_MACHINE

Its effect can be viewed as shown below:


> sadmin monitor list

F- "C:\Program Files"
R- "HKEY_LOCAL_MACHINE"
The prefix R- indicates that the registry key is excluded from Change Monitoring.

Remove a Registry Key Filter


Remove a Registry Key filter as shown below:
> sadmin monitor reg -r HKEY_LOCAL_MACHINE

Its effect can be viewed as shown below:


> sadmin monitor list

F- "C:\Program Files"

Remove All Registry Key Filters


The example below illustrates that two Registry Filters are in effect:
> sadmin monitor list

X+ "exe"
F+ "C:\test.doc"
F- "C:\test1.doc"
R+ "HKEY_CURRENT_USER"
R+ "HKEY_LOCAL_MACHINE"

Remove all (Flush) Registry Key Filters using the following command:
> sadmin monitor reg -f

Its effect can be viewed as shown below:


> sadmin monitor list

X+ "exe"
F+ "C:\test.doc"
F- "C:\test1.doc"
The list displays that all Registry Key Filters have been removed.

User Name Filters


Solidifier monitors the changes based on user names. You can exclude change events for files,
directories, and registry keys by user names. By default, all users are monitored.
Note: Only exclude filters are allowed based on user names.

Exclude Filter for a User Name


Exclude a user name using the following command:
> sadmin monitor user -e John Tom

Its effect can be viewed as shown below:


> sadmin monitor list

On Windows, the following output appears on the screen:


U- "*\John"
U- "*\Tom"
On UNIX, the following output appears on the screen:
U- "John"
U- "Tom"
The prefix U represents a User Name Filter; U- indicates that the user name is excluded from
Change Monitoring.

Remove a User Name Filter


Remove a user name using the following command:
> sadmin monitor user -r John

The remaining User Name Filters are displayed as shown:


> sadmin monitor list

On Windows, the following output appears on the screen:


U- "*\Tom"
On UNIX, the following output appears on the screen:

U- "Tom"

Remove All User Name Filters


Remove all (Flush) User Name Filters using the following command:
> sadmin monitor user -f

Process Name Filters


Solidifier monitors the changes based on process names also. You can set filters on process
names to record or ignore changes performed on files, directories or registry keys by specific
processes.
Note: The sadmin monitor process command accepts either the absolute path or just the base
name of the program file. For instance, on Windows, the file C:\Windows\test.exe can be added
to the monitoring rules using the full path (C:\Windows\test.exe) or just the base name (test.exe).
Likewise, on UNIX, the file /test/test.sh can be added to the monitoring rules using the full path
(/test/test.sh) or just the base name (test.sh).

Include Filter for a Process Name


On Windows
Include a process name using the following command:
> sadmin monitor process -i "C:\Program Files\Internet
Explorer\IEXPLORE.EXE"

Its effect can be viewed as shown below:


> sadmin monitor list

P+ "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
X+ "exe"
F+ "C:\Program Files\McAfee\Solidcore"
F- "C:\Program Files"

The prefix P represents a Process Name Filter; P+ indicates that the process name is included for
Change Monitoring.
On UNIX
Include a process name using the following command:
# sadmin monitor process -i mv

Its effect can be viewed using the following command:


# sadmin monitor list

The list displays that the following filters are in effect:


U- "Tom"
P+ "mv"
F+ "/nfsshare/shared/test1"

The prefix P represents a Process Name Filter; P+ indicates that the process name is included for
Change Monitoring.

Exclude Filter for a Process Name


On Windows
Exclude a process name using the following command:
> sadmin monitor process -e "C:\Program Files\Internet
Explorer\IEXPLORE.EXE"

Its effect can be viewed as shown below:


> sadmin monitor list

After execution of this command, the following message appears on the screen:
P- "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
X+ "exe"
F+ "C:\Program Files\McAfee\Solidcore"
F- "C:\Program Files"

The prefix P- indicates that the process name is excluded from Change Monitoring.
On UNIX
Exclude a process name using the following command:
# sadmin monitor process -e mv

Its effect can be viewed using the following command:


# sadmin monitor list

The list displays that the following filters are in effect:


U- "Tom"
P- "mv"
F+ "/nfsshare/shared/test1"

The prefix P- indicates that the process name is excluded from Change Monitoring.

Removing a Process Name Filter


On Windows
Remove Process Name Filter using the following command:
> sadmin monitor process -r "C:\Program Files\Internet
Explorer\IEXPLORE.EXE"

Its effect can be viewed as shown below:


> sadmin monitor list

X+ "exe"
F+ "C:\Program Files\McAfee\Solidcore"
F- "C:\Program Files"
The display shows that the Process Name Filter was removed.
On UNIX
Remove Process Name Filter using the following command:
# sadmin monitor process -r mv

Its effect can be viewed using the following command:


# sadmin monitor list

The list displays that no process filters are in effect.

Removing All Process Name Filters


The example below illustrates that two Process Name Filters are in effect:
> sadmin monitor list

P+ "C:\Program Files\Messenger\msmsmg.exe"
P+ "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
X+ "doc"
X+ "exe"
F+ "C:\test.doc"
F+ "C:\test1.doc"

Remove all (Flush) the Process Name Filters using the following command:
> sadmin monitor process -f

Its effect can be viewed as shown below:


> sadmin monitor list

X+ "doc"
X+ "exe"
F+ "C:\test.doc"
F+ "C:\test1.doc"

The display shows that there are no Process Name Filters in effect.

Filter Rules
Filter Precedence Rules
The highest level precedence rules for filters are as shown:
1. Filters based on user name will have highest precedence over all other filter rules.
2. Filters based on process name will have precedence over file extension and file name or
directory based filters.
3. Filters based on file extension will have precedence over filters based on file name.
4. Filters based on file names will have precedence over filters based on folder / directory name.
5. Within name based filters, the longest pathname will take precedence. For example,
On Windows, if folder C:\Folder1\Folder2 is included but folder C:\Folder1 is excluded, any
change operations performed on a file in folder C:\Folder1\Folder2 will record events
because C:\Folder1\Folder2 (longest pathname) has higher precedence over C:\Folder1.
Hence, all other folders present under C:\Folder1 will not be monitored.
On UNIX, if directory /usr/dir1/dir2 is included but /usr/dir1 is excluded, any
change operations performed on files in /usr/dir1/dir2 will record events because
/usr/dir1/dir2 (longest pathname) has higher precedence over /usr/dir1.
The sadmin monitor list command lists the filters in the order in which they are checked against a
new change event, that is, the list of filters is sorted in decreasing order of precedence.

File Extension based Filters


The rules for file extension based filters are:
1. File Extension Filter has higher precedence than (File or Directory) Path Name filter.
2. A file extension can be specified with or without the '.' character. The rule for applying the
filter is listed without the '.' character.
3. The comparison of extensions is performed working backwards from the end of the filename
referenced in the change event. For example,
On Windows, for a File Extension filter created for the extension .pst, change events
referencing pst.exe will not qualify but those referencing outlook.pst and archive.pst will.

On UNIX, for a File Extension filter created for the extension ps, change events
referencing ps.exe will not qualify but those referencing shutdown.ps and restart.ps
will.

Path Name Filters


The rules for path name filters are:
1. A Path Name Filter has lower precedence than File Extension Filters.
2. Pathnames used in configuration for these filters can be of any length and can also contain
white spaces.
3. Spaces in path names should be specified within quotes.
4. The comparison of pathnames is performed from the beginning of pathname, for the file or
directory name referenced in the change event.
5. A wildcard character (*) is supported in pathnames with the exception that it can only
represent one complete path component. For example,
On Windows, \abc\*\def is allowed while \abc\*.doc or \abc\*.* or \abc\doc.* is not
supported.
On UNIX, /abc/*/def is allowed while /abc/*.doc or /abc/*.* or /abc/doc.* is not
supported.

Registry Key Filters (Windows only)


The Windows Registry contains internal links named CurrentControlSet to
HKEY_LOCAL_MACHINE\SYSTEM\ControlSetXXX key. For example,
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet is a link to
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001 key.
1. When a change is made through either path, it is reflected on both automatically. The
events are always reported with the CurrentControlSet path and not the ControlSetXXX path.
Filtering rules, if needed, should be applied to the CurrentControlSet key and not to the
ControlSetXXX key.
2. The wildcard character (*) is supported in registry key names with the exception that it can
only represent one complete component within the registry path. The wildcard should not be
used for the last component of the registry path, otherwise the filter will not be effective.

User Name Filters


The rules for user name filters are:
1. Filters based on user names will have higher precedence over all the other filter rules.

2. The user name specified for the Filter is compared with the user name referenced in the
change event.
3. Spaces in user names should be specified within quotes.
4. On Windows, the Domain name can be a part of the user name. If the Domain name is not
specified, the user name is excluded for all Domains. For excluding all users from a particular
domain use MY-DOMAIN\* or *@MY-DOMAIN.
5. On Windows, the listing will show rules in the format DOMAIN-NAME\USER for all user
rules.

Process Name Filters


The rules for process name filters are:
1. Process Name Filters have higher precedence over File extension, File Name, and Registry
Key Filters.
2. The process name specified for the Filter is compared with the process name referenced in the
change event.
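To check how the precedence rules in this section combine for a given change before relying on a filter set, the following Python models them: it parses sadmin monitor list output (U, P, X and F filters; registry key filters are left out), applies the user > process > extension > path order, the longest-pathname rule, the end-anchored extension comparison and the one-component * wildcard, and decides whether a constructed event would be reported. This is an added example, not product code; the filter listing, users, programs and paths are constructed, and it assumes that an event matching no filter at all is not reported, which the guide does not state explicitly.

```python
"""Filter precedence model for Solidifier change monitoring (added example, not product code)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Filter:
    kind: str      # 'U' user name, 'P' process name, 'X' file extension, 'F' file/directory path
    include: bool  # True for '+', False for '-'
    value: str


# Decreasing precedence, which is also the order in which 'sadmin monitor list' prints the filters.
PRECEDENCE = {"U": 0, "P": 1, "X": 2, "F": 3}


def parse_monitor_list(text: str) -> List[Filter]:
    """Parse 'sadmin monitor list' output (lines such as  F+ "C:\\test.doc") into Filter records."""
    filters = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        tag, _, rest = line.partition(" ")
        if len(tag) != 2 or tag[0] not in PRECEDENCE or tag[1] not in "+-":
            raise ValueError(f"unrecognised filter line: {line!r}")
        filters.append(Filter(tag[0], tag[1] == "+", rest.strip().strip('"')))
    # sorted() is stable, so filters of one kind keep their listing order
    return sorted(filters, key=lambda f: PRECEDENCE[f.kind])


def components(path: str, windows: bool) -> List[str]:
    """Split a Windows or UNIX path into components; Windows comparison is case-insensitive."""
    parts = [c for c in path.replace("\\", "/").split("/") if c]
    return [c.lower() for c in parts] if windows else parts


def path_matches(rule: str, path: str, windows: bool) -> bool:
    """Compare from the beginning: the rule's components must prefix the event path, and a '*'
    component stands for exactly one whole component."""
    r, p = components(rule, windows), components(path, windows)
    return len(r) <= len(p) and all(rc == "*" or rc == pc for rc, pc in zip(r, p))


def ext_matches(rule: str, path: str, windows: bool) -> bool:
    """Compare from the end of the file name: 'pst' matches outlook.pst but not pst.exe."""
    ext = rule.lstrip(".")
    name = components(path, windows)[-1]
    return name.endswith("." + (ext.lower() if windows else ext))


def process_matches(rule: str, process: str, windows: bool) -> bool:
    """A process rule may be the full program path or just its base name."""
    r, p = components(rule, windows), components(process, windows)
    return r == p or (len(r) == 1 and r[0] == p[-1])


def user_matches(rule: str, user: str, windows: bool) -> bool:
    """Windows rules are listed as DOMAIN\\USER with '*' allowed on either side; UNIX compares names."""
    if not windows:
        return rule == user
    rd, _, ru = rule.rpartition("\\")
    ud, _, uu = user.rpartition("\\")
    domain_ok = rd in ("*", "") or rd.lower() == ud.lower()
    user_ok = ru == "*" or ru.lower() == uu.lower()
    return domain_ok and user_ok


def decide(filters: List[Filter], user: str, process: str, path: str,
           windows: bool = True) -> Tuple[bool, Optional[Filter]]:
    """Apply the precedence rules and return (reported, deciding filter).
    Assumption not spelled out in the guide: an event matching no filter at all is not reported."""
    for f in filters:                      # 1. user name filters (exclude-only) beat everything
        if f.kind == "U" and user_matches(f.value, user, windows):
            return f.include, f
    for f in filters:                      # 2. process name filters
        if f.kind == "P" and process_matches(f.value, process, windows):
            return f.include, f
    for f in filters:                      # 3. file extension filters
        if f.kind == "X" and ext_matches(f.value, path, windows):
            return f.include, f
    hits = [f for f in filters if f.kind == "F" and path_matches(f.value, path, windows)]
    if hits:                               # 4./5. the longest matching path name wins
        best = max(hits, key=lambda f: len(components(f.value, windows)))
        return best.include, best
    return False, None


# Constructed 'sadmin monitor list' output (Windows); the names and paths are illustrative only.
SAMPLE_LISTING = r'''
U- "*\Tom"
P+ "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
X- "exe"
F+ "C:\Folder1\Folder2"
F- "C:\Folder1"
'''

if __name__ == "__main__":
    fs = parse_monitor_list(SAMPLE_LISTING)
    for user, proc, path in [
        ("CORP\\Tom", r"C:\Windows\notepad.exe", r"C:\Folder1\Folder2\a.txt"),
        ("CORP\\John", r"C:\Program Files\Internet Explorer\IEXPLORE.EXE", r"C:\Folder1\x.txt"),
        ("CORP\\John", r"C:\Windows\notepad.exe", r"C:\Folder1\Folder2\a.exe"),
        ("CORP\\John", r"C:\Windows\notepad.exe", r"C:\Folder1\other\a.txt"),
    ]:
        reported, why = decide(fs, user, proc, path)
        print(f"{path} by {user} via {proc}: {'reported' if reported else 'suppressed'} ({why})")
```

Running decide() over the events you expect to see is a quick way to catch the common surprise in the rules above: an X- exclusion silently overrides an F+ include for the same directory, and a process include (P+) makes changes visible even under an excluded folder.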

Listing All Filters In Effect


The list of all files, directories and registry keys on which filters have been applied can be
displayed using the following command:
> sadmin monitor list
Or
> sadmin mon list

Removing All Filters


All Filters on files, directories, registry keys, user names, processes, etc. are removed (flushed)
using the following command:
> sadmin monitor flush

Issue the following command to confirm:


> sadmin monitor list

The list is empty and does not show any filters.

Change Policy Enforcement


Note: Change Policy Enforcement is available for Change Control product suite only.
This chapter introduces you to the capabilities that enforce the policies of preventing writes or
reads to files and directories under the purview of the Solidifier.
This chapter covers the following topics:

Write protection for OS, Application Configuration and Log Files

Read protection for critical files

Write protection for critical registry keys

Tamper-proofing for Solidifier Software and Configuration

Controlling Installation and Uninstallation of Software

Write protection for OS, Application Configuration and Log Files


Critical files, directories and volumes can be write-protected using the deny-write feature. The
write-protection rules applied on the specified files render them as read only thereby protecting
your valuable data. You can control the following operations on a write-protected file:

Deletion

Renaming

Creation of hard links

Modifying contents

Appending

Truncating

Changing owner

Creation of ADS (Windows only)

When a directory or volume is specified for write-protection, all files in that directory or volume
are added to the write protected list. The rules are inherited by sub-directories as well. Hence, all
file operations mentioned above cannot be performed on a file if it resides in a write-protected
directory or volume. Creation of new files is also denied. You are not allowed to rename the
parent directory if any file or directory resident in it is write-protected.
Note: On Windows and UNIX, all existing hard links to a file must be put under Solidifier
protection; otherwise the file can still be changed through an unprotected path. In Enabled
mode, the Solidifier does not allow creation of hard links to a protected file.
For soft links or lofs mounts (--bind mounts on Linux), only the actual file needs to be protected.
The protection is then enforced via the symbolic links as well.

All operations mentioned above on a write-protected file, directory or volume are considered
unauthorized and are reported by Solidifier. Any unauthorized attempt is stopped and an event is
generated in the Event log.
Note: Please refrain from using this feature on the Solidifier internal files such as solidcore.log,
diag.log (created only on Windows), etc.
This feature is enabled by default. For this feature to work, the Solidifier should be running in
Enabled mode. You can view the operational mode of the Solidifier using the sadmin status
command.
Once the deny-write feature is enabled, writing data to protected files by updaters or signed
binaries (applicable only for Windows) is allowed through one of the following mechanisms:

The Solidifier is in Update mode

The file has been marked as an updater

The file has been marked as a signed binary (applicable only for Windows)

Enforcing write-protection
You can enforce write-protection rules on to a file, directory or volume in order to protect them
from unauthorized access. You should only write protect files that are not routinely being updated
by programs.
Note: On Windows, the write-protected files, directories and volumes can be neither compressed
nor encrypted.
The following command can be used to make files, such as configuration files, documents, etc.
read-only by making them write-protected:
> sadmin write-protect -i pathname

Or
> sadmin wp -i pathname

The pathname signifies the complete path of the file, directory or volume to be write-protected.
For instance, to write protect a file, issue the following command:
On Windows
> sadmin write-protect -i "C:\test.txt"

On UNIX
# sadmin write-protect -i /test.sh

Note: You can also use the wildcard character * in the pathname, where it represents one complete
path component, for instance, C:\test\*\myfile.txt. However, the wildcard character * should
not be used as the last component of the rule. The same rule applies on UNIX.

The Event Log entry of the following form is generated for both Windows and UNIX:
Local Administrator executed command 'sadmin write-protect -i <pathname>' at
Wed Apr 02 2008 20:30:05 (Return status: 0).

Note: On both Windows and UNIX, a hard link to a write-protected file should also be
write-protected so that the original file cannot be modified through the link.
For enforcing write-protection rules over mounted network file systems, the network path should
be specified in the sadmin wp command in any one of the following forms:
On Windows

\\server-name\share-name

\\server-ip\share-name

mapped-drive-letter:\

For instance, suppose a server named ftpserver with IP address 192.168.0.1 exports a share named
documents that has been mapped to W:\ on the client machine. The share can be included in any of
the following forms to prevent writes to it from this client machine.

\\ftpserver\documents or

\\192.168.0.1\documents or

W:\

On UNIX

/mount-point

For instance, you can write-protect file/directories located on a mount point.

Excluding write-protection
Exclusion means that the rule does not apply to the specified path. You can
exclude a particular file, directory or volume from write-protection using the following
command:
> sadmin write-protect -e pathname

Or
> sadmin wp -e pathname

The pathname signifies the complete path of the file, directory or volume to be excluded from
write-protection.
For instance, to exclude a file from write-protection, issue the following command:
On Windows
> sadmin write-protect -e "C:\test.txt"

On UNIX
# sadmin write-protect -e /test.sh

The Event Log entry of the following form is generated for both Windows and UNIX:
Local Administrator executed command 'sadmin write-protect -e <pathname>' at
Wed Feb 02 2008 20:30:05 (Return status: 0).

Exclusion finds special significance in scenarios where the whole directory is write-protected and
you may choose to unprotect selective files in that protected directory. The applicability and
usage of write-protection rules vary depending upon your specific need and requirement.

Removing a write-protection rule

The write-protection rules applied to a file, directory or volume can be removed using the
following command:
> sadmin write-protect -r pathname

Or
> sadmin wp -r pathname

The pathname signifies the complete path of the file, directory or volume to be removed from
write-protection.
For instance,
On Windows
> sadmin write-protect -r "C:\test.txt"

On UNIX
# sadmin write-protect -r /test.sh

The Event Log entry of the following form is generated for both Windows and UNIX:
Local Administrator executed command 'sadmin write-protect -r <pathname>' at
Wed Apr 02 2008 20:30:05 (Return status: 0).

Listing write-protected files

You can obtain a complete list of files, directories and volumes that have been write-protected
using the following command:
> sadmin write-protect -l

Or
> sadmin wp -l

The Event Log entry of the following form is generated for both Windows and UNIX:
Local Administrator executed command 'sadmin write-protect -l' at Wed Apr 02
2008 20:30:05 (Return status: 0).

Removing all write-protection rules

All write-protection rules on files, directories and volumes are removed (flushed) using the
following command:
> sadmin write-protect -f

Or
> sadmin wp -f

The Event Log entry of the following form is generated for both Windows and UNIX:
Local Administrator executed command 'sadmin write-protect -f' at Wed Apr 02
2008 20:30:05 (Return status: 0).

Issue the following command to confirm:


> sadmin wp -l

The list is empty and does not show any rules.

Read protection for critical files


You can read-protect critical files, directories and volumes using the deny-read feature. The
deny-read feature enforces read-protection on specified files, directories and volumes and also
denies the execution of script files. The execution of binaries is still allowed on Windows, AIX
and HP-UX, whereas it is denied on Linux and Solaris.
In a nutshell, the following operations are denied on Windows, AIX, and HP-UX:
- Reading data
- Execution of script files
The following operations are denied on Linux and Solaris:
- Reading data
- Execution of script files
- Execution of binaries
When a directory or a volume is specified for read protection, all files in that directory or volume
are added to the read protected list. The rules are inherited by sub-directories as well.
Note: You can move a read-protected file/directory within the same drive on Windows whereas a
read-protected file/directory can be moved within the same file system on UNIX.

Any unauthorized attempt made to read data from a read-protected file is stopped and an event is
generated in the Event log.
The deny-read feature is disabled by default. You can enable this feature using the following
command:
> sadmin features enable deny-read

Note: No reboot is required after enabling or disabling this feature.


For this feature to work, the Solidifier should be running in Enabled mode. You can view the
operational mode of the Solidifier using the sadmin status command.
Note: Do not use this feature on the Solidifier's internal files, such as Solidcore.log and
diag.log (created only on Windows).
Once the deny-read feature is enabled, reading data from a read-protected file is not permitted
except through one of the following mechanisms:
- The Solidifier is in Update mode
- The file has been marked as an updater
- The file has been marked as a signed binary (applicable only for Windows)

Note: To protect a read-protected file in every possible way, so that its contents cannot be
viewed by renaming, copying or moving that file, you must also write-protect it using the
deny-write feature. A file that is only read-protected (and not write-protected) becomes readable
if it is renamed or copied/moved to another location.

Enforcing read-protection
You can enforce read-protection rules on a file, directory or volume in order to protect it
from unauthorized reading attempts.
Note: On Windows, the read-protected files, directories and volumes can be neither compressed
nor encrypted.
Issue the following command to read-protect a local file:
> sadmin read-protect -i pathname

The pathname signifies the complete path of the file, directory or volume to be read-protected.
For instance, to read protect a file, issue the following command:
On Windows
> sadmin read-protect -i "C:\test.txt"

On UNIX
# sadmin read-protect -i /test.sh

Note: You can also use the wildcard character * in the pathname; it represents exactly one complete
path component, for instance, C:\test\*\myfile.txt. However, the wildcard * should not be used
as the last component of the rule. The same rule applies on UNIX.
The Event Log entry of the following form is generated for both Windows and UNIX:
Local Administrator executed command 'sadmin read-protect -i <pathname>' at Wed
Apr 02 2008 20:30:05 (Return status: 0).

Read-protection rules are enforced over mounted network file systems in the same way as
write-protection rules. The network path should be specified in the sadmin rp command in any
one of the following forms:
On Windows
- \\server\share
- \\192.168.2.1\share
- W:\

On UNIX
- /mount-point

For instance, you can read-protect files or directories located on a mount point.

Excluding read protection


Exclusion means that the rule does not apply to the specified path. You can
exclude a particular file, directory or volume from read-protection using the following command:
> sadmin read-protect -e pathname

Or
> sadmin rp -e pathname

Exclusion finds special significance in scenarios where the whole directory is read-protected and
you may choose to unprotect selective files in that protected directory. The applicability and
usage of this rule varies depending upon your specific need and requirement.
For instance, to exclude a file from read-protection, issue the following command:
On Windows
> sadmin read-protect -e "C:\test.txt"

On UNIX
# sadmin read-protect -e /test.sh

The Event Log entry of the following form is generated for both Windows and UNIX:
Local Administrator executed command 'sadmin read-protect -e <pathname>' at Wed Apr 02
2008 20:30:05 (Return status: 0).

Restoring read access


You can restore read access to the specified path by removing that file, directory or volume from
the read-protected list using the following command:
> sadmin read-protect -r pathname

Or
> sadmin rp -r pathname

For instance, to restore read access to a file, issue the following command:
On Windows
> sadmin read-protect -r "C:\test.txt"

On UNIX
# sadmin read-protect -r /test.sh

The Event Log entry of the following form is generated for both Windows and UNIX:
Local Administrator executed command 'sadmin read-protect -r <pathname>' at Wed Apr 02
2008 20:30:05 (Return status: 0).

Listing read-protected files


You can view the list of files, directories and volumes included for read protection using the
following command:
> sadmin read-protect -l

Or
> sadmin rp -l

The Event Log entry of the following form is generated for both Windows and UNIX:
Local Administrator executed command 'sadmin read-protect -l' at Wed Apr 02
2008 20:30:05 (Return status: 0).

Removing read-protection rules


All read-protection rules on files, directories and volumes are removed (flushed) using the
following command:
> sadmin read-protect -f

Or
> sadmin rp -f

The Event Log entry of the following form is generated for both Windows and UNIX:
Local Administrator executed command 'sadmin read-protect -f' at Wed Apr 02
2008 20:30:05 (Return status: 0).

Issue the following command to confirm:


> sadmin rp -l

The list is empty and does not show any rules.

Write protection for critical registry keys (Windows only)


Critical registry keys can be protected against change using the deny-write feature. All
enforcement rules to control modifications to registry keys can be applied using this feature. The
write-protect-reg (wpr) command takes the registry path name as its parameter value.

Enforcing protection on registry


Issue the following command to protect a registry key:
> sadmin write-protect-reg -i registryname

Or
> sadmin wpr -i registryname

For instance,
> sadmin wpr -i HKEY_LOCAL_MACHINE\Software\Yahoo\Essentials

Note: A wildcard character (*) is supported in pathnames with the exception that it can only
represent one complete path component. For example, HKEY_LOCAL_MACHINE\*\Microsoft is
allowed while HKEY_LOCAL_MACHINE\* or HKEY_LOCAL_MACHINE\*\* is not supported. The
wildcard should not be used in the last path component otherwise the filter will not be effective.
This will protect the registry key from modification attempts and the following Event Log entry
will be generated when a change is attempted.
McAfee Solidifier prevented an attempt to modify Registry key
'HKEY_LOCAL_MACHINE\SOFTWARE\Yahoo\Essentials' by process
C:\WINDOWS\regedit.exe (Process Id: 2240, User: MYDOMAIN\Administrator).

An error message also appears saying that value contents cannot be edited/deleted/modified.
Note: New keys can be added in the registry but modification to a key is not allowed.

Restricted Behavior
Registry Protection is supported only for the HKEY_LOCAL_MACHINE registry key hive. For every
other hive, irrespective of whether it is a top level hive or just a symbolic link, registry protection
behavior is undefined.
Warning: Registry keys should be chosen judiciously for protection. Protecting the wrong keys
can lead to unspecified OS behavior. For example, you must not protect the
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services key.

Excluding a registry key from protection

You can use the command given below to exclude a registry key from the protection rules:
> sadmin write-protect-reg -e registryname

Or
> sadmin wpr -e registryname

The Protection rules will be applied based on the longest prefix match. If you include
HKEY_LOCAL_MACHINE\Software for protection but exclude
HKEY_LOCAL_MACHINE\Software\Microsoft, then if any attempt is made to delete keys or values
under HKEY_LOCAL_MACHINE\Software\Microsoft (for example,
HKEY_LOCAL_MACHINE\Software\Microsoft\Office), the modification will succeed.
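The longest-prefix resolution just described, together with the one-component wildcard rule from the write-protect and read-protect sections, as an added Python model (this is not McAfee's code): rules are matched component by component, * stands for exactly one component and is rejected as the last one, and the longest matching rule decides. The tie-break for an include and an exclude rule of equal length (the later rule wins) is an assumption the guide does not specify.

```python
"""Model of Solidifier include/exclude path rules (added example, not McAfee's code).

Behaviour taken from the guide:
- a rule covers the named path and everything beneath it (sub-directories and sub-keys inherit);
- '*' stands for exactly one complete path component and may not be the last component;
- when an include (-i) and an exclude (-e) rule both cover a path, the longest matching
  prefix decides, so HKLM\\Software\\Microsoft\\Office stays modifiable when HKLM\\Software
  is included but HKLM\\Software\\Microsoft is excluded.
Assumption: on equal prefix length the rule added last wins; the guide does not say.
"""
import re


def split_path(path):
    """Split a file path or registry path on '\\' or '/', dropping empty components."""
    return [p for p in re.split(r"[\\/]+", path) if p]


def validate_pattern(pattern):
    """Return the components of a rule pattern, rejecting wildcard uses the guide disallows."""
    parts = split_path(pattern)
    if not parts:
        raise ValueError("empty rule pattern")
    if parts[-1] == "*":
        raise ValueError("'*' must not be the last path component: %r" % pattern)
    for part in parts:
        if "*" in part and part != "*":
            raise ValueError("'*' must stand for a whole component: %r" % pattern)
    return parts


def prefix_match_len(pattern_parts, path_parts, fold):
    """Number of components matched when the pattern is a prefix of the path, else -1."""
    if len(pattern_parts) > len(path_parts):
        return -1
    for pat, comp in zip(pattern_parts, path_parts):
        if pat != "*" and fold(pat) != fold(comp):
            return -1
    return len(pattern_parts)


class RuleSet:
    """Ordered include/exclude rules, resolved by longest prefix match."""

    def __init__(self, case_sensitive=False):
        # Windows paths and registry keys are case-insensitive; UNIX paths are not.
        self._fold = (lambda s: s) if case_sensitive else str.lower
        self._rules = []  # list of (pattern components, include?)

    def include(self, pattern):          # like sadmin wp/rp/wpr -i
        self._rules.append((validate_pattern(pattern), True))

    def exclude(self, pattern):          # like sadmin wp/rp/wpr -e
        self._rules.append((validate_pattern(pattern), False))

    def remove(self, pattern):           # like sadmin wp/rp/wpr -r
        wanted = [self._fold(p) for p in validate_pattern(pattern)]
        self._rules = [r for r in self._rules
                       if [self._fold(p) for p in r[0]] != wanted]

    def is_protected(self, path):
        """True when the longest matching rule for `path` is an include rule."""
        parts = split_path(path)
        best_len, best_include = -1, False
        for pattern_parts, inc in self._rules:
            n = prefix_match_len(pattern_parts, parts, self._fold)
            if n != -1 and n >= best_len:
                best_len, best_include = n, inc
        return best_include


if __name__ == "__main__":
    reg = RuleSet()
    reg.include(r"HKEY_LOCAL_MACHINE\Software")
    reg.exclude(r"HKEY_LOCAL_MACHINE\Software\Microsoft")
    for key in (r"HKEY_LOCAL_MACHINE\Software\Yahoo\Essentials",
                r"HKEY_LOCAL_MACHINE\Software\Microsoft\Office"):
        print(key, "protected" if reg.is_protected(key) else "modifiable")
```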

Removing a registry key from the protected list

Remove a registry key from the protected list using the following command:
> sadmin write-protect-reg -r registryname

Or
> sadmin wpr -r registryname

Listing protected registry keys

You can view the list of registry keys included in or excluded from protection using the
following command:
> sadmin write-protect-reg -l

Or
> sadmin wpr -l

After the successful execution of this command, the following message appears on the screen:

+ 'HKEY_LOCAL_MACHINE\Software\Yahoo\Essentials'

Removing all registry protection rules


Remove (flush) all registry keys from the registry enforcement rules using the following
command:
> sadmin wpr -f

Issue the following command to confirm:


> sadmin wpr -l

The list is empty and does not show any rules.

Tamper-proofing for Solidifier Software and Configuration


There is a class of Solidifier deployments with very stringent requirements for controlling
changes, such as those that must meet audit compliance standards, or where there is a business
requirement to ensure that the Solidifier software cannot be overwritten to gain control over the
system, such as ATMs and devices that flow through a multi-stage OEM channel.
The Solidifier supports Product Integrity for tamper-proofing its software and registry key
entries. This ensures that the product does not become unusable through accidental or
malicious modification.
Product Integrity protects the following files:
On Windows

File                                     Control Settings
<installation path>\sadmin.exe           Write protection enabled
scormapl.dll                             Write protection enabled
scormcpl.dll                             Write protection enabled
scevtgen.exe                             Write protection enabled
S3diag.log                               Write protection enabled
evt_mcpl_cache_file                      Write protection enabled
evt_mcpl_cache_file.tmp                  Write protection enabled
S3observe.log                            Write protection enabled
<installation path>\scsrvc.exe           Write protection enabled
<installation path>\passwd               Stores the password as a SHA-1 hash. The file is
                                         read-protected and write-protected by Product
                                         Integrity.
<System32 folder>\drivers\swin.sys       Write protection enabled
All files in <root volume>\solidcore     Files added afterwards can only be modified by
                                         the Solidifier.

In order to permit Solidifier upgrades, Product Integrity is disabled in Update mode even if the
feature is shown as enabled.
Only the Solidifier is permitted to change the values for the following registry keys:
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\swin
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\scsrvc
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog\Application\System Solidifier

Modifications through the HKEY_LOCAL_MACHINE\System\CurrentControlSet keys are also
prevented, since they are links to the HKEY_LOCAL_MACHINE\System\ControlSetXXX registry keys.
However, the following sub-keys are not protected because their presence is not essential for the
Solidifier's correct functioning:
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\swin\Enum
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\scsrvc\Enum

Note: Authorized updaters have been given the capability to override Product Integrity. With
Product Integrity enabled, modifications to Solidifier-protected files and registry keys can be
made through the updaters command, and the changes are tracked by logging events in the Event
log.
On UNIX

File                                               Control Settings
/etc/mcafee/solidcore/solidcore.conf               Tamper-proofing enabled
All files in <installation path>/mcafee/solidcore  Tamper-proofing enabled for existing files.
                                                   Files added afterwards can only be modified
                                                   by the Solidifier Service.

Controlling Installation and Uninstallation of Software (Windows only)
The capability to control installation and uninstallation of software is called Package Control. The
Package Control feature also enforces the following scenarios:
- All Windows optional components are blocked from installation/uninstallation.
- Right-clicking an INF file offers an Install option; installation through this option is blocked.
- Some INF files can also be installed using certain exported functions from setupapi.dll or
  advpack.dll. These installations are also blocked.

Any unauthorized attempt to install/uninstall a package is stopped and an event is generated in the
Event log.
- File name
- Internal file name
- Attributes and Version information of the file
- Manifest

The Package Control feature is split into two features:

pkg-ctrl
The pkg-ctrl feature controls installation and uninstallation of all MSI-based
installers. The pkg-ctrl feature is enabled by default and can be managed by
using the following command:
> sadmin features enable/disable pkg-ctrl

Note: You must reboot the system after enabling or disabling this feature.

pkg-ctrl-inf
The pkg-ctrl-inf feature prevents installation and uninstallation of all INF-based
installers. The pkg-ctrl-inf feature is disabled by default and can be
managed by using the following command:
> sadmin features enable/disable pkg-ctrl-inf

Note: The installation/uninstallation of Windows optional components and
INF-based installers can be carried out only in Update mode.
For these features to work, the Solidifier should be running in Enabled mode. You can view the
operational mode of the Solidifier using the sadmin status command.
After Package Control is enabled, software cannot be installed using standard commercial
installers except through one of the following mechanisms:
- The installer has been marked as an updater using the sadmin updaters command.
- The installation/uninstallation of the application is carried out in Update mode.
- The installer is marked as a signed binary.


Exceptions
This section enumerates exceptional behaviors caused by interactions with Windows that are
documented here for the reader's benefit.
- The following behavior is specific to some Windows optional components, particularly
  games. When an administrator attempts to uninstall a Windows optional component
  while Package Control is in effect, the uninstallation seems to succeed. The Add or
  Remove Programs screen shows that the component is no longer installed. However,
  the component remains installed and is executable.
- When the 'Next' or 'Cancel' button is clicked on the Windows Components Wizard
  window, even without making any changes to the selected components, the following
  error message appears:
  "McAfee Solidifier Prevented package modification by 'windows
  optional component manager' by user: <user_name>."
- Some utilities like WinDriver tools (wdreg.exe) can bypass this mechanism and
  install/uninstall .INF files.
- Some optional Windows components can be installed using standard Windows tools like
  secedit and gpupdate. By default, installation/uninstallation from these tools is not
  prevented.
- After installing the Fax Services from Add/Remove Programs > Add/Remove
  Windows Components, Fax Services gets installed but several deny-write errors related
  to Spoolsv.exe are observed in the Event Viewer. However, the Fax service works fine
  even with these errors. This specific case appears when rundll32.exe has been added as
  an updater candidate.
- Some application executables like VNC server and client may not be able to execute
  when this feature is enabled. On running these applications, the following event is
  generated in the Event log:
  McAfee Solidifier prevented package modification by
  '<executable-name>' by user: <username>.
  In order to execute such applications, issue the following command:
  > sadmin attr -i <executable-name>

  This command overrides this feature's enforcement on the executable.
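Anyone collecting these entries from the oslog sink will want them in structured form. The following added Python parser (not McAfee's code) handles the three entry formats quoted in this chapter (the command audit trail, blocked registry modifications and blocked package modifications) and flags audited sadmin commands that exclude, remove or flush rules, disable a protection feature or delete the CLI password. The sample lines are constructed, and the regular expressions assume the wording as printed in this guide.

```python
"""Parse and triage Solidifier event-log entries (added example, not McAfee's code).

The regexes follow the entry formats quoted in this guide. Real endpoints may word
entries slightly differently, so treat the patterns as a starting point.
"""
import re
from dataclasses import dataclass
from typing import Optional

CMD_RE = re.compile(
    r"^(?P<user>.+?) executed command '(?P<cmd>[^']*)' at "
    r"(?P<when>\w{3} \w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}) "
    r"\(Return status: (?P<status>-?\d+)\)\.?$"
)
REG_RE = re.compile(
    r"^McAfee Solidifier prevented an attempt to modify Registry key '(?P<key>[^']*)' "
    r"by process (?P<process>.+?) \(Process Id: (?P<pid>\d+), User: (?P<user>[^)]+)\)\.?$"
)
PKG_RE = re.compile(
    r"^McAfee Solidifier prevented package modification by '(?P<process>[^']*)' "
    r"by user: (?P<user>.+?)\.?$",
    re.IGNORECASE,
)

# sadmin invocations that remove or narrow enforcement; a defender wants these reviewed.
RULE_CMDS = {"write-protect", "wp", "read-protect", "rp", "write-protect-reg", "wpr"}
RULE_WEAKENING_FLAGS = {"-e", "-r", "-f"}
PROTECTION_FEATURES = {"deny-read", "deny-write", "pkg-ctrl", "pkg-ctrl-inf"}


@dataclass
class Event:
    kind: str                       # command | registry-blocked | package-blocked | unknown
    user: str = ""
    detail: str = ""
    status: Optional[int] = None    # return status of an audited command
    weakens: bool = False           # audited command loosened protection


def weakens_protection(cmd):
    """True when an audited sadmin command excludes, removes or flushes rules,
    disables a protection feature, or deletes the CLI password."""
    argv = cmd.split()
    if len(argv) < 2 or argv[0] != "sadmin":
        return False
    sub, args = argv[1], argv[2:]
    if sub in RULE_CMDS:
        return any(a in RULE_WEAKENING_FLAGS for a in args)
    if sub == "features" and len(args) >= 2 and args[0] == "disable":
        return args[1] in PROTECTION_FEATURES
    if sub == "passwd":
        return "-d" in args
    return False


def parse_event(line):
    """Classify one log line into an Event; unrecognised lines are kept as 'unknown'."""
    line = line.strip()
    m = CMD_RE.match(line)
    if m:
        return Event("command", m["user"], m["cmd"], int(m["status"]),
                     weakens_protection(m["cmd"]))
    m = REG_RE.match(line)
    if m:
        return Event("registry-blocked", m["user"],
                     "%s -> %s (pid %s)" % (m["process"], m["key"], m["pid"]))
    m = PKG_RE.match(line)
    if m:
        return Event("package-blocked", m["user"], m["process"])
    return Event("unknown", detail=line)


def triage(lines):
    """Events worth a first look: blocked attempts, rule removals and failed commands."""
    return [e for e in map(parse_event, lines)
            if e.kind.endswith("-blocked") or e.weakens or e.status not in (None, 0)]


# Constructed sample entries, modelled on those quoted in the guide.
SAMPLE_LOG = [
    "Local Administrator executed command 'sadmin write-protect -i C:\\test.txt' at "
    "Wed Apr 02 2008 20:30:05 (Return status: 0).",
    "Local Administrator executed command 'sadmin write-protect -f' at "
    "Wed Apr 02 2008 20:31:05 (Return status: 0).",
    "McAfee Solidifier prevented an attempt to modify Registry key "
    "'HKEY_LOCAL_MACHINE\\SOFTWARE\\Yahoo\\Essentials' by process "
    "C:\\WINDOWS\\regedit.exe (Process Id: 2240, User: MYDOMAIN\\Administrator).",
    "McAfee Solidifier Prevented package modification by "
    "'windows optional component manager' by user: MYDOMAIN\\alice.",
    "Local Administrator executed command 'sadmin features disable deny-read' at "
    "Wed Apr 02 2008 20:32:05 (Return status: 0).",
]

if __name__ == "__main__":
    for ev in triage(SAMPLE_LOG):
        print(ev.kind, ev.user, ev.detail)
```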

Advanced Configuration
This chapter introduces the following advanced configuration topics:
- Configuring Solidifier features
- Configuring a Standard Event Delivery Destination
- Configuring the Event Cache Size
- Configuring Log File Location Path
- Configuring Size of Log File
- Configuring Number of Log Files
- Configuring Process Execution Monitoring
- Configuring Password Protection for the CLI
- Managing Mass Deployments and System Upgrades

Configuring Solidifier features


This section provides information about configuring the Solidifier features. You can choose to
enable or disable a particular feature. Some of these features may require a reboot for completion.

Enabling a feature
To enable a feature, execute the following command:
> sadmin features enable featurename

The following Event Log entry is generated in the operating system logs:
Local Administrator executed command 'sadmin features enable featurename' at
Tue Apr 01 2008 11:52:05 (Return status: 0).

Disabling a feature
To disable a feature, execute the following command:
> sadmin features disable featurename

The following Event Log entry is generated in the operating system logs:
Local Administrator executed command 'sadmin features disable featurename' at
Tue Apr 01 2008 11:52:05 (Return status: 0).

Listing features
To view the complete listing of features along with their configured state, execute the following
command:

> sadmin features list

The following Event Log entry is generated in the operating system logs:
Local Administrator executed command 'sadmin features list' at Tue Apr 01 2008
11:52:05 (Return status: 0).

Refer to Appendix: Solidifier feature list for the complete feature list.

Configuring a Standard Event Delivery Destination


The Solidifier tracks changes on the system and records events in the operating system log. Each
event records the occurrence of change. The events can be logged at one or more locations called
event sinks. The Solidifier supports four types of event sinks, namely:
- Operating system log (oslog)
- System Controller (sc)
- Debugging output (debuglog)
- Popup

Note: The Popup event sink is not available on UNIX. Also, the System Controller (sc) refers to
the McAfee ePO console.

Assigning an event to a standard destination


The Solidifier events can be configured for logging at the desired event sink. The command to log
all events to a standard destination is given below:
> sadmin event sink -a ALL <sink_name>

For instance, the following command logs all the events onto the Operating system log:
> sadmin event sink -a ALL oslog

The following Event Log entry is generated:


Local Administrator executed command 'sadmin event sink -a ALL oslog' at Tue
Apr 01 2008 14:59:35 (Return status: 0).

Removing an event from a standard destination


The Solidifier events can also be stopped from being logged at the desired event sink. The
command to stop all events from being logged at a standard destination is given below:
> sadmin event sink -r ALL <sink_name>

For instance, the following command does not log any event onto the Operating system log:
> sadmin event sink -r ALL oslog

The following Event Log entry is generated:


Local Administrator executed command 'sadmin event sink -r ALL oslog' at Tue
Apr 01 2008 15:01:42 (Return status: 0).

Viewing event assignments to standard destinations


To view the list of events along with their sink configuration, execute the following command:
> sadmin event sink

The following Event Log entry is generated:


Local Administrator executed command 'sadmin event sink' at Tue Apr 01 2008
15:03:11 (Return status: 0).

Viewing sink information for specific event


To view the sink information of a particular event, execute the following command:
> sadmin event sink <event_name>

The following Event Log entry is generated:


Local Administrator executed command 'sadmin event sink <event_name>' at Tue
Apr 01 2008 15:03:11 (Return status: 0).

Note: You can specify only one event name in the command.

Configuring the Event Cache Size


Change events are buffered on the Solidifier to cope with network outages and similar conditions.
The default event buffer size on the Solidifier is 2MB. When the buffer limit is about to be
reached, an event is logged in the system log stating that the cache is about to overflow. When the
buffer limit is exceeded, new events are dropped until the number of events in the buffer falls
below its high watermark. You can set the upper watermark level, which defines the point at which
an alert is raised signifying that the cache is about to overflow. Likewise, reaching the lower
watermark level signifies that the cache has recovered from overflow.
The upper and lower watermark levels are configurable through the EventCacheWMHigh and
EventCacheWMLow parameters respectively. The value of EventCacheWMHigh should range
between 50 and 100, and the value of EventCacheWMLow should be above 20 and less than
EventCacheWMHigh.
While configuring these parameters, ensure that the value of the lower watermark level is
always less than the value of the upper watermark level.

Modifying the Event Cache size


To set the event cache size to the specified value, execute the following command:

> sadmin config set EventCacheSize=<no>

The following Event Log entry is also generated in the operating system logs:
Local Administrator executed command 'sadmin config set EventCacheSize=<no>' at
Tue Apr 01 2008 10:41:50 (Return status: 0).

Setting the upper watermark level


To set the upper watermark level, execute the following command:
> sadmin config set EventCacheWMHigh=<no>

The following Event Log entry is also generated in the operating system logs:
Local Administrator executed command 'sadmin config set EventCacheWMHigh=<no>'
at Tue Apr 01 2008 10:46:50 (Return status: 0).

Setting the lower watermark level


To set the lower watermark level, execute the following command:
> sadmin config set EventCacheWMLow=<no>

The following Event Log entry is also generated in the operating system logs:
Local Administrator executed command 'sadmin config set EventCacheWMLow=<no>'
at Tue Apr 01 2008 10:50:43 (Return status: 0).
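The watermark behaviour described under Configuring the Event Cache Size, as an added Python model (not McAfee's code): it enforces the documented ranges for EventCacheWMHigh and EventCacheWMLow and simulates the alert, drop and recovery sequence on a fixed-capacity buffer. The exact trigger points (alert when occupancy reaches the high watermark, recovery once it falls back to the low watermark) are assumptions, since the guide gives only the percentage ranges.

```python
"""Model of the Solidifier event cache watermarks (added example, not McAfee's code)."""


def validate_watermarks(high, low):
    """Enforce the documented ranges: EventCacheWMHigh 50..100, EventCacheWMLow above 20
    and below EventCacheWMHigh. Both are percentages of the cache size."""
    if not 50 <= high <= 100:
        raise ValueError("EventCacheWMHigh must be between 50 and 100, got %r" % high)
    if not 20 < low < high:
        raise ValueError("EventCacheWMLow must be above 20 and below EventCacheWMHigh, got %r" % low)


class EventCache:
    """Fixed-capacity event buffer with an overflow alert and a recovery notice.

    Assumptions, since the guide gives percentages but not the trigger points:
    - the 'about to overflow' alert fires once when occupancy reaches the high watermark;
    - events arriving while the cache is full are dropped;
    - the 'recovered' notice fires once occupancy falls to the low watermark after an alert.
    """

    def __init__(self, capacity, wm_high=80, wm_low=40):
        validate_watermarks(wm_high, wm_low)
        self.capacity = capacity
        self.high = capacity * wm_high // 100
        self.low = capacity * wm_low // 100
        self.buffer = []
        self.dropped = 0
        self.notices = []            # what would be written to the system log
        self._alerted = False        # between the overflow alert and recovery

    def push(self, event):
        """Buffer an event; return False if it had to be dropped."""
        if len(self.buffer) >= self.capacity:
            self.dropped += 1
            return False
        self.buffer.append(event)
        if not self._alerted and len(self.buffer) >= self.high:
            self._alerted = True
            self.notices.append("event cache about to overflow")
        return True

    def drain(self, n):
        """Deliver up to n buffered events (for instance once the ePO link is back)."""
        delivered, self.buffer = self.buffer[:n], self.buffer[n:]
        if self._alerted and len(self.buffer) <= self.low:
            self._alerted = False
            self.notices.append("event cache recovered from overflow")
        return delivered


def simulate(capacity, arrivals, drain_after, wm_high=80, wm_low=40):
    """Push `arrivals` events, then drain `drain_after`; return (dropped, notices)."""
    cache = EventCache(capacity, wm_high, wm_low)
    for i in range(arrivals):
        cache.push("event-%d" % i)
    cache.drain(drain_after)
    return cache.dropped, list(cache.notices)


if __name__ == "__main__":
    print(simulate(capacity=10, arrivals=12, drain_after=6))
```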

Configuring Log File Location Path


On Windows
At install time, the Solidifier installer creates a log file named solidcore.log. The default path of
the log file for the various operating systems is:
- C:\Program Files\McAfee\Solidcore\Logs folder on endpoints running Windows 2000
  and Windows NT
- C:\Documents and Settings\All Users\Application Data\McAfee\Solidcore\Logs folder on
  endpoints running Windows 2003 and Windows XP
- C:\ProgramData\McAfee\Solidcore\Logs folder on endpoints running Windows Vista,
  Windows 2008, and Windows 7

You can configure this path so that the log file is created at a location other than the
default one by modifying the value of the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\swin\Parameters\LogFilePath

You should note that:

1. Changing this registry key to an incorrect value can adversely impact the functioning of the
Solidifier.
2. The specified path must only be for the system volume.
3. The specified path should not be relocated to network shares or mapped drives.
4. The full path including the drive letter must be specified in this registry key value.
5. The Solidifier service must be restarted for the change to be applicable.
6. The GatherInfo tool collects logs from the current logfile path (mentioned in registry) as well
as from the default installation location (McAfee\Solidcore\Logs).
On UNIX
At install time, the Solidifier installer creates a log file named solidcore.log in the
/var/log/mcafee/solidcore directory. You can configure this path so that the log file gets installed
at a different location other than the default one by modifying the value of the parameter
LogFilePath in /etc/mcafee/solidcore/solidcore.conf file.
You should note that:
1. The Solidifier service must be restarted for the change to be applicable.
2. The GatherInfo tool collects logs from the current logfile path (mentioned in the solidcore.conf
file) as well as from the default installation location (the /var/log/mcafee/solidcore directory).

Configuring Size of Log File


You can configure the size of the solidcore.log log files created by Solidifier using the parameter
LogFileSize. The default size of this file is 2048 KB. When this parameter is set to 0, then the
default value is applicable. Issue the following command to configure the size of this log file:
> sadmin config set LogFileSize=<size>

Note: The LogFileSize parameter takes value in Kilobytes only.


The following Event Log entry is also generated in the operating system logs:
Local Administrator executed command 'sadmin config set LogFileSize=<size>' at
Tue Apr 01 2008 15:51:19 (Return status: 0).

Configuring Number of Log Files


You can configure the number of log files (applicable only for solidcore.log) to be created
through the LogFileNum parameter. The default value of this parameter is 4, which means that at
most five log files will be created, from solidcore.log up to solidcore.log.4. When this
parameter is set to 0, the default value applies. Issue the following command to
configure the number of log files to be created:

> sadmin config set LogFileNum=<no>

The following Event Log entry is also generated in the operating system logs:
Local Administrator executed command 'sadmin config set LogFileNum=<no>' at Tue
Apr 01 2008 15:51:19 (Return status: 0).

Note: The LogFileNum parameter when configured sets the number of files to be created only for
the solidcore.log file.

Configuring Process Execution Monitoring


Solidifier permits the tracking of process start and exits through Process and User filters. The user
can choose to include individual processes that are to be tracked for start/exit.
Process execution monitoring holds higher precedence over the other filters viz. file/directory,
extension, registry, username and process name and remains unaffected by filtering rules for
change events.
Note: Process execution monitoring works the same way on Windows and UNIX.
In order to enable the tracking of process starts and exits, establish the filter rules on a process,
iexplore.exe, by issuing the following commands (sadmin mon process and
sadmin mon procexec):
> sadmin mon process -e iexplore.exe

The above command ensures that no change events are issued when this process makes any
changes to any file.
Include the filter to track the process iexplore.exe by issuing the following command:
> sadmin mon procexec -i "C:\Program Files\Internet Explorer\iexplore.exe"

Now, even though the process iexplore.exe has been excluded from the change event filtering rule,
any time this process is started or terminated, the process start and exit events will be logged for
this process.
Establish the filter rules on a user, john, by issuing the following command:
> sadmin mon user -e john

The above command ensures that no change events are raised when changes are made by the
user john.
Include the filter to track the process iexplore.exe by issuing the following command:
> sadmin mon procexec -i "C:\Program Files\Internet Explorer\iexplore.exe"

Now, even though the user john has been excluded from the change event filtering rule, any time
the user john starts Internet Explorer, the process start and exit events will be logged for this process.

Configuring Password Protection for the CLI


The password protection feature of the Solidifier restricts the use of critical sadmin commands
to the sadmin administrator. Once a password has been set, password protection is enabled:
all critical commands are password protected and can be run only after supplying the password.

Setting a password
Password protection is set using the following command:
> sadmin passwd

This command is used to set the password. It prompts for the old password (if one is set)
and then for the new password twice, for confirmation.

Deleting a password
An existing password can be deleted using the following command:
> sadmin passwd -d

Managing Mass Deployments and System Upgrades


Solidifier provides a means for extracting and storing all identified configuration items in an
exportable format. This exported configuration can then be imported to any other installation to
permit an upgrade of the OS or the Solidifier application on the same system, or on other systems,
where there is no variation in images.
You can add, delete or modify the contents of an exported file and import the modified
configuration file to apply the new parameters. For some parameters, module-specific rules are
written out, so modifying such lists is not straightforward and is not recommended. Such
parameters include the Monitoring Rules List, the Updaters List, etc.

Exporting Configuration Settings


Export the configuration to a file using the following command:
> sadmin config export filename

filename is the name of the file to which the configuration is exported.

An Event Log entry is also generated as shown:
Local Administrator executed command 'sadmin config export filename' at Tue Apr 01 2008 13:05:53 (Return status: 0).

Importing Configuration Settings

Import a previously exported configuration file using the following command:
> sadmin config import filename

An Event Log entry is also generated as shown:
Local Administrator executed command 'sadmin config import filename' at Tue Apr 01 2008 13:07:55 (Return status: 0).

Routine Maintenance
This chapter discusses the changes to routine maintenance operations, which are performed
periodically to install new software or update existing software, once the Solidifier's write
protection has been enabled.
This chapter covers the following topics:

About Software Update

Automated updates

Manual Updates

About Software Update


Systems managed by IT periodically require the installation of updates to existing software. To
permit updates to a system on which the Solidifier is write-protecting files, directories and registry
keys (registry keys apply only on Windows), the system must be placed in Update Mode before
software maintenance is performed. Update Mode allows all update actions, including the addition,
removal or modification of software on the system, to be bracketed within an update window, and it
tracks every update action (change).

About Auto-Updaters
On Windows, auto-updaters are applications that update the system in an automated fashion or
according to a user-defined schedule. Typical examples are:

Software provisioning systems that download, install, and run new code, e.g.,
Microsoft software update, Tivoli, custom scripts.

Self-updating applications, e.g., antivirus.

Applications that create executable code at run time, e.g., antivirus, custom
applications.

Applications that write to existing system or application code on disk (binaries, DLLs,
scripts, etc.), e.g., backup agents, antivirus.

Automated updates
The Solidifier prevents the modification of protected executable files and, on Windows, also
blocks the unauthorized installation or uninstallation of software by MSI-based installers unless
Update mode has been entered. On UNIX, the Solidifier can prevent the modification or deletion of
protected binaries or scripts.
Note: A reboot is not required after adding MSI files to the updaters list.
The updaters command unconditionally authorizes legitimate programs to update software on a
protected system; such programs are called authorized updaters.


Note: The write-protected files which are deleted or renamed in Update mode or through updaters
will continue to remain write-protected. As a result, a new file having the same name at the same
path cannot be created again in Enabled mode, unless the file is write-unprotected before its
deletion or renaming.

Adding Authorized Updaters


On Windows
Any executable file can be added to the updaters list by using the following command:
> sadmin updaters add WindowsInstaller-KB893803-v2-x86.exe

The above example unconditionally authorizes the Windows Installer for a HotFix, KB893803, to
perform updates on protected files or registry keys.
The following Event Log entry is also generated:
Local Administrator executed command 'sadmin updaters add WindowsInstaller-KB893803-v2-x86.exe' at Fri Nov 02 2007 12:56:19 (Return status: 0).

Any MSI file can be added to the updaters list by using the following command:
> sadmin updaters add Ica32Pkg.msi

The above example unconditionally authorizes the Windows Installer for an MSI file,
Ica32Pkg.msi, to perform updates on protected files or registry keys.
The following Event Log entry is also generated:
Local Administrator executed command 'sadmin updaters add Ica32Pkg.msi' at Fri Nov 02 2007 15:36:19 (Return status: 0).

The following command sets iexplore.exe as an authorized updater only when it is launched by
svchost.exe as its parent:
> sadmin updaters add -p svchost.exe iexplore.exe

The following command sets svchost.exe as an authorized updater only when it loads the library
system32\wuauserv.dll:
> sadmin updaters add -l system32\wuauserv.dll svchost.exe

The following example illustrates the addition of Windows Updaters using a scheduled update.
The -t option causes the associated tag, for example, Win_up_schedule1, to be written to the log
for all files.
> sadmin updaters add -t Win_up_schedule1 -l system32\wuauserv.dll svchost.exe
> sadmin updaters add -t Win_up_schedule2 -l system32\wuaueng.dll svchost.exe
> sadmin updaters add -t Win_up_schedule3 -p svchost.exe iexplore.exe
> sadmin updaters add -t Win_up_schedule4 -p svchost.exe wuauclt.exe
> sadmin updaters add -t Win_up_schedule5 -p svchost.exe update.exe
> sadmin updaters add -t Win_up_schedule6 -p svchost.exe WindowsInstaller-KB893803-v2-x86.exe
> sadmin updaters add -t Win_up_schedule7 -p svchost.exe bitinst.exe
> sadmin updaters add -d -t Win_up_schedule8 winlogon.exe

On UNIX
Any binary or script file can be added to the updaters list by using the following command:
# sadmin updaters add test.sh

The above example unconditionally authorizes the test.sh script to perform updates on protected
files.
The following Event Log entry is also generated:
Local Administrator executed command 'sadmin updaters add test.sh' at Wed Apr 02 2008 12:56:19 (Return status: 0).

The following command sets child.sh as an authorized updater only when it is launched by
parent.sh as its parent:
# sadmin updaters add -p parent.sh child.sh

The following example illustrates the addition of updaters using a scheduled update. The -t
option causes the associated tag, for example, tag1, to be written to the log for all files.
# sadmin updaters add -t tag1 test.sh
# sadmin updaters add -t tag2 test.sh
# sadmin updaters add -t tag3 -p parent.sh child.sh

Note: On Windows, you should re-start the system after adding authorized updaters.

Deleting Authorized Updaters


Any updater can be removed from the updaters list by using the following command:
> sadmin updaters remove <updater_name>

Where updater_name provides the name of the updater that needs to be removed from the
authorized updaters list.

The following Event Log entry is generated:
Local Administrator executed command 'sadmin updaters remove pathname' at Wed Apr 02 2008 13:26:54 (Return status: 0).

Listing Authorized Updaters


The updaters can be listed using the following command:
> sadmin updaters list

After execution of this command, the following message appears on the screen:
-t AUTO_2 luall.exe

The following Event Log entry is generated:
Local Administrator executed command 'sadmin updaters list' at Wed Apr 02 2008 13:27:58 (Return status: 0).

Removing All (Flushing) Authorized Updaters


To remove all (flush) the complete list of authorized updaters, enter:
> sadmin updaters flush

Manual Updates
Using the Update Window
Figure 1 summarizes the steps to implement the Update Mode on a Solidifier host:


Figure 1: The Manual Update Mode

To perform a manual software update in Update Mode, perform the following steps:
1) Check the current status of the Solidifier using the following command:
> sadmin status

After execution of this command, the following message appears on the screen:
McAfee Solidifier: Enabled
McAfee Solidifier on reboot: Enabled

2) Begin Update Mode using the following command:
> sadmin bu

After execution of this command, the following message appears on the screen:
McAfee Solidifier is in update mode.
The following Event Log entry is generated:
Local Administrator executed command 'sadmin bu' at Wed Apr 02 2008 13:37:21 (Return status: 0).

3) View the Solidifier status during Update mode using the following command:
> sadmin status

After execution of this command, the following message appears on the screen:
McAfee Solidifier: Update
McAfee Solidifier on reboot: Update

4) Perform the software update actions: add, delete or modify software on the computer.
On Windows
Double-click a program, for example, Windows2000-KB822831-x86-enu.exe, to install it on the
computer. Follow the application installation procedure as presented by the setup wizard; it may
include restarting the computer.
Install the INF-based driver, for instance, mmdriver.inf, on your system.
After successful installation, the following Event Log entry is generated:
McAfee Solidifier allowed package modification of Installer: <installer_name>. (Workflow Id: UPDATE_MODE: AUTO_2)

On UNIX
Likewise, install Apache on the UNIX Solidifier host.
After successful installation, normal file operation events such as FILE_CREATED_UPDATE,
FILE_MODIFIED_UPDATE, etc. are generated.

5) End Update mode using the following command:
> sadmin eu

After execution of this command, the following message appears on the screen:
McAfee solidifier exiting from update mode.
The following Event Log entry is generated:
Local Administrator executed command 'sadmin eu' at Wed Apr 02 2008 13:46:38 (Return status: 0).

6) Check the current status of the Solidifier using the following command:
> sadmin status

After execution of this command, the following message appears on the screen:
McAfee Solidifier: Enabled
McAfee Solidifier on reboot: Enabled

Note: Windows2000-KB822831-x86-enu.exe is the Update for Windows Server 2000. This is an
example only and the same procedure applies to other installations and software updates.
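The update-window procedure above, wrapped in a small Python helper. This is an added example and is not part of the McAfee guide or the product: it assumes sadmin is on the PATH, parses the `sadmin status` output shown in the steps, and uses a constructed FakeSadmin stand-in (not the real CLI) so the sequencing can be exercised offline. What it adds to the steps is the sequencing discipline: the window is only opened from the Enabled state, `sadmin eu` runs in a finally block so a failed installer cannot leave the host in Update mode (where every change is authorized), and the status is re-checked afterwards.

```python
import subprocess
from typing import Callable, List, Optional, Tuple

# A "runner" executes one command line and returns its standard output.
Runner = Callable[[List[str]], str]


def sadmin_runner(argv: List[str]) -> str:
    """Runs the real sadmin CLI (assumes sadmin is on the PATH); raises if it exits non-zero."""
    return subprocess.run(argv, capture_output=True, text=True, check=True).stdout


def parse_status(output: str) -> Tuple[Optional[str], Optional[str]]:
    """Parses 'sadmin status' output into (current mode, mode on reboot), e.g.
    'McAfee Solidifier: Enabled' / 'McAfee Solidifier on reboot: Enabled'."""
    current = on_reboot = None
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith("McAfee Solidifier on reboot:"):
            on_reboot = line.split(":", 1)[1].strip()
        elif line.startswith("McAfee Solidifier:"):
            current = line.split(":", 1)[1].strip()
    return current, on_reboot


def run_in_update_window(install: Callable[[], None], run: Runner = sadmin_runner,
                         workflow_id: Optional[str] = None,
                         comment: Optional[str] = None) -> Tuple[str, str]:
    """Brackets an install step between 'sadmin bu' and 'sadmin eu', verifying the mode
    before and after. Returns the (current, on-reboot) status after the window closes."""
    current, _ = parse_status(run(["sadmin", "status"]))
    if current != "Enabled":
        raise RuntimeError(f"refusing to open an update window: Solidifier is {current!r}, not 'Enabled'")
    bu = ["sadmin", "bu"]                      # syntax: sadmin bu [work-flow id [comment]]
    if workflow_id:
        bu.append(workflow_id)
        if comment:
            bu.append(comment)
    run(bu)
    try:
        install()
    finally:
        # Always close the window, even if the install step raised, so the host is not
        # left in Update mode where every change is treated as authorized.
        run(["sadmin", "eu"])
    current, on_reboot = parse_status(run(["sadmin", "status"]))
    if (current, on_reboot) != ("Enabled", "Enabled"):
        raise RuntimeError(f"Solidifier did not return to Enabled: now {current!r}, on reboot {on_reboot!r}")
    return current, on_reboot


class FakeSadmin:
    """Constructed stand-in for the sadmin CLI (not the real tool) so the sequencing can be
    exercised offline. It tracks the mode and records every command issued."""

    def __init__(self, mode: str = "Enabled"):
        self.mode = mode
        self.calls: List[List[str]] = []

    def __call__(self, argv: List[str]) -> str:
        self.calls.append(list(argv))
        sub = argv[1]
        if sub == "status":
            return f"McAfee Solidifier: {self.mode}\nMcAfee Solidifier on reboot: {self.mode}\n"
        if sub == "bu":
            self.mode = "Update"
            return "McAfee Solidifier is in update mode.\n"
        if sub == "eu":
            self.mode = "Enabled"
            return "McAfee solidifier exiting from update mode.\n"
        raise ValueError(f"unexpected command: {argv}")


def demo_failed_install() -> Tuple[str, List[List[str]]]:
    """Runs an install step that fails inside the window and returns the resulting mode
    plus the commands that were issued. 'WF-example' is a constructed workflow id."""
    fake = FakeSadmin()

    def broken_install() -> None:
        raise OSError("installer exited with an error")

    try:
        run_in_update_window(broken_install, run=fake, workflow_id="WF-example")
    except OSError:
        pass
    return fake.mode, fake.calls


if __name__ == "__main__":
    print(demo_failed_install())
```

With the real runner the helper replaces steps 1 to 6 above for a scripted maintenance run; the same status check that guards the opening of the window is what tells an operator that a previous window was never closed.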


Scripts as Updaters
Starting with version 4.9.0, you can also declare scripts as updaters so that the file changes made
by these scripts are treated as authorized changes.
Note: The Scripts as Updaters functionality is available on all Windows platforms except
Windows Vista (64-bit), Windows Server 2008 (64-bit), and Windows Server 2003 (IA64).
To declare a script as an updater, use the following syntax:
> sadmin updaters add SCRIPT

Here, SCRIPT is the full path name of the script. For example:
> sadmin updaters add C:\myscripts\myscript12.bat

To unmark a script that was earlier declared as an updater, use the following syntax:
> sadmin updaters remove SCRIPT

Here, SCRIPT is the full path name of the script. For example:
> sadmin updaters remove C:\myscripts\myscript42.bat

Note: Other updaters command arguments, such as -l and -p, are not applicable when you are
specifying a script as an updater.


Troubleshooting
On Windows, Solidifier events can be viewed in the Application Event Log (Start menu > Programs >
Administrative Tools > Event Viewer > Application).
On UNIX, Solidifier events can be viewed in the system logs: /var/adm/messages (AIX),
/var/log/messages (Linux), /var/adm/messages (Solaris), or the /var/adm/syslog directory (HP-UX).

Event Log Messages

Event Name | Category | Event log Entry
ACL_MODIFIED | Information | McAfee Solidifier detected modification to ACL of filename by program program_name (User: user_name, Original User: original_user_name).
ACL_MODIFIED_UPDATE | Information | McAfee Solidifier detected modification to ACL of filename by program program_name (User: user_name, Original User: original_user_name, Workflow Id: workflow_id).
BOOTING_DISABLED | Warning | McAfee Solidifier is currently disabled.
BOOTING_ENABLED | Information | McAfee Solidifier is currently enabled.
BOOTING_UPDATE_MODE | Information | System is booting in McAfee Solidifier update mode.
BEGIN_UPDATE | Information | McAfee Solidifier is starting update mode on the system to allow updates (Workflow Id: workflow_id, Comment: comment).
COMMAND_EXECUTED | Information | user_name executed command command at end_time (Return status: status).
DISABLED_DEFFERED | Warning | McAfee Solidifier will be disabled on next reboot.
ENABLED_DEFFERED | Information | McAfee Solidifier will be enabled on next reboot.
END_UPDATE | Information | McAfee Solidifier is ending update mode on the system (Workflow Id: workflow_id).
*FILE_ATTR_CLEAR | Information | McAfee Solidifier detected removal of attribute attribute_name from file filename by program program_name (User: user_name).
*FILE_ATTR_SET | Information | McAfee Solidifier detected addition of attribute attribute_name to file filename by program program_name (User: user_name).
*FILE_ATTR_SET_UPDATE | Information | McAfee Solidifier detected addition of attribute attribute_name to file filename by program program_name (User: user_name, Workflow Id: workflow_id).
*FILE_ATTR_CLEAR_UPDATE | Information | McAfee Solidifier detected removal of attribute attribute_name from file filename by program program_name (User: user_name, Workflow Id: workflow_id).
FILE_CREATED | Information | McAfee Solidifier detected creation of filename by program program_name (User: user_name, Original User: original_user_name).
FILE_DELETED | Information | McAfee Solidifier detected deletion of filename by program program_name (User: user_name, Original User: original_user_name).
FILE_MODIFIED | Information | McAfee Solidifier detected modification to filename by program program_name (User: user_name, Original User: original_user_name).
FILE_ATTR_MODIFIED | Information | McAfee Solidifier detected modification to attributes of filename by program program_name (User: user_name, Original User: original_user_name).
FILE_RENAMED | Information | McAfee Solidifier detected renaming of filename to new_filename by program program_name (User: user_name, Original User: original_user_name).
FILE_CREATED_UPDATE | Information | McAfee Solidifier detected creation of filename by program program_name (User: user_name, Original User: original_user_name, Workflow Id: workflow_id).
FILE_DELETED_UPDATE | Information | McAfee Solidifier detected deletion of filename by program program_name (User: user_name, Original User: original_user_name, Workflow Id: workflow_id).
FILE_MODIFIED_UPDATE | Information | McAfee Solidifier detected modification of filename by program program_name (User: user_name, Original User: original_user_name, Workflow Id: workflow_id).
FILE_ATTR_MODIFIED_UPDATE | Information | McAfee Solidifier detected modification of attributes of filename by program program_name (User: user_name, Original User: original_user_name, Workflow Id: workflow_id).
FILE_READ_UPDATE | Information | McAfee Solidifier detected read for 'filename' by program program_name (User: user_name, Original User: original_user_name, Workflow Id: workflow_id).
FILE_RENAMED_UPDATE | Information | McAfee Solidifier detected renaming of filename to new_filename by program program_name (User: user_name, Original User: original_user_name, Workflow Id: workflow_id).
WRITE_DENIED | Error | McAfee Solidifier prevented an attempt to modify file filename by process processname (Process Id: PID, User: user_name).
*OWNER_MODIFIED | Information | McAfee Solidifier detected modification to OWNER of filename by process processname (User: user_name).
*OWNER_MODIFIED_UPDATE | Information | McAfee Solidifier detected modification to OWNER of filename by program program_name (User: user_name, Workflow Id: workflow_id).
PROCESS_EXITED | Information | McAfee Solidifier detected exit of process 'processname' (Process Id PID, User user_name, Original User original_user_name) by process 'PPN' (Process Id parent_process_id).
PROCESS_STARTED | Information | McAfee Solidifier detected start of process 'processname' (Process Id: PID, User: user_name, Original User: original_user_name) by process: 'PPN' (Process Id: parent_process_id).
*REG_VALUE_WRITE_DENIED | Error | McAfee Solidifier prevented an attempt to modify Registry key registry_keyname with value value by process processname (Process Id: PID, User: user_name).
*REG_KEY_WRITE_DENIED | Error | McAfee Solidifier prevented an attempt to modify Registry key registry_keyname by process processname (Process Id: PID, User: user_name).
*REG_KEY_CREATED | Information | McAfee Solidifier detected creation of registry key registry_keyname by program program_name (User: user_name).
*REG_KEY_DELETED | Information | McAfee Solidifier detected deletion of registry key registry_keyname by program program_name (User: user_name).
*REG_VALUE_MODIFIED | Information | McAfee Solidifier detected modification to registry value value_name under key registry_keyname by program program_name (User: user_name).
*REG_VALUE_DELETED | Information | McAfee Solidifier detected deletion of registry value value_name under key registry_keyname by program program_name (User: user_name).
*REG_KEY_CREATED_UPDATE | Information | McAfee Solidifier detected creation of registry key registry_keyname by program program_name (User: user_name, Workflow Id: workflow_id).
*REG_KEY_DELETED_UPDATE | Information | McAfee Solidifier detected deletion of registry key registry_keyname by program program_name (User: user_name, Workflow Id: workflow_id).
*REG_VALUE_MODIFIED_UPDATE | Information | McAfee Solidifier detected modification to registry value value_name under key registry_keyname by program program_name (User: user_name, Workflow Id: workflow_id).
*REG_VALUE_DELETED_UPDATE | Information | McAfee Solidifier detected deletion of registry value value_name under key registry_keyname by program program_name (User: user_name, Workflow Id: workflow_id).
STREAM_CREATED | Information | McAfee Solidifier detected creation of 'file_name:stream_name' by program prog_name (User: user_name, Original User: orig_user_name).
STREAM_DELETED | Information | McAfee Solidifier detected deletion of 'file_name:stream_name' by program prog_name (User: user_name, Original User: orig_user_name).
STREAM_MODIFIED | Information | McAfee Solidifier detected modification to 'file_name:stream_name' by program prog_name (User: user_name, Original User: orig_user_name).
STREAM_ATTR_MODIFIED | Information | McAfee Solidifier detected modification to attributes of 'file_name:stream_name' by program prog_name (User: user_name, Original User: orig_user_name).
STREAM_CREATED_UPDATE | Information | McAfee Solidifier detected creation of 'file_name:stream_name' by program prog_name (User: user_name, Original User: orig_user_name, Workflow Id: workflow_id).
STREAM_DELETED_UPDATE | Information | McAfee Solidifier detected deletion of 'file_name:stream_name' by program prog_name (User: user_name, Original User: orig_user_name, Workflow Id: workflow_id).
STREAM_MODIFIED_UPDATE | Information | McAfee Solidifier detected modification of 'file_name:stream_name' by program prog_name (User: user_name, Original User: orig_user_name, Workflow Id: workflow_id).
STREAM_ATTR_MODIFIED_UPDATE | Information | McAfee Solidifier detected modification of attributes of 'file_name:stream_name' by program prog_name (User: user_name, Original User: orig_user_name, Workflow Id: workflow_id).
STREAM_ATTR_SET | Information | McAfee Solidifier detected addition of attribute 'attr_name' to file 'file_name:stream_name' by program prog_name (User: user_name).
STREAM_ATTR_CLEAR | Information | McAfee Solidifier detected removal of attribute 'attr_name' from file 'file_name:stream_name' by program prog_name (User: user_name).
STREAM_ATTR_SET_UPDATE | Information | McAfee Solidifier detected addition of attribute 'attr_name' to file 'file_name:stream_name' by program prog_name (User: user_name, Workflow Id: workflow_id).
STREAM_ATTR_CLEAR_UPDATE | Information | McAfee Solidifier detected removal of attribute 'attr_name' from file 'file_name:stream_name' by program prog_name (User: user_name, Workflow Id: workflow_id).
STREAM_RENAMED | Information | McAfee Solidifier detected renaming of 'src_file_name:src_stream_name' to 'dst_file_name:dst_stream_name' by program prog_name (User: user_name, Original User: orig_user_name).
STREAM_RENAMED_UPDATE | Information | McAfee Solidifier detected renaming of 'src_file_name:src_stream_name' to 'dst_file_name:dst_stream_name' by program prog_name (User: user_name, Original User: orig_user_name, Workflow Id: workflow_id).
*BOOTING_DISABLED_SAFEMODE | Warning | McAfee Solidifier is disabled because system is in safe mode.
*BOOTING_DISABLED_INTERNAL_ERROR | Error | McAfee Solidifier is disabled because of internal error error.
ALERT_CACHE_OVERFLOW | Error | Event Cache Watermark Overflowed.
ALERT_CACHE_WM_BREACHED | Warning | Event Cache Watermark Breached. Level = level percent of cache size.
ALERT_CACHE_WM_RECOVERED | Information | Event Cache Watermark Recovered. Level = level percent of cache size.
*PKG_MODIFICATION_PREVENTED | Error | McAfee Solidifier prevented package modification by filename by user: user_name.
*PKG_MODIFICATION_PREVENTED_2 | Error | McAfee Solidifier prevented package modification by filename by user: user_name.
*PKG_MODIFICATION_ALLOWED_UPDATE | Information | McAfee Solidifier allowed package modification by filename by user: user_name.
*SGN_MSI_SIGNATURE_MISMATCH | Error | McAfee Solidifier signature is not verified for installer: filename.
READ_DENIED | Error | McAfee Solidifier prevented an attempt to read file filename by process processname (Process Id: PID, User: user_name).
UPDATE_MODE_DEFERRED | Information | McAfee Solidifier will be in update mode on next reboot (Workflow Id: workflow_id, Comment: comment).
*USER_LOGON_SUCCESS | Information | McAfee Solidifier detected successful logon by user_name on hostname (from remote_host_name by logon_process process).
*USER_LOGON_FAIL | Information | McAfee Solidifier detected failed logon by user_name on hostname (from remote_host_name by logon_process process).
*USER_LOGOFF | Information | McAfee Solidifier detected logoff by user_name.
*USER_ACCOUNT_CREATED | Information | McAfee Solidifier detected creation of user account accountname by user_name.
*USER_ACCOUNT_DELETED | Information | McAfee Solidifier detected deletion of user account accountname by user_name.
*USER_ACCOUNT_MODIFIED | Information | McAfee Solidifier detected modification of user account accountname by user_name. Modification type: modification_type

Note: The event names preceded by * appear only on Windows.
Note: The sink for the PKG_MODIFICATION_PREVENTED_2 event is Popup only and must not be modified.
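A parser for the Event Log entries listed in the table, as an added example that is not code from this guide or from the product. It maps a message back to its event name using regular expressions derived from the template text above (the prevented/denied events, the update-mode markers and COMMAND_EXECUTED), extracts the template fields, and counts prevented actions per user, which is the first triage view a reviewer of these logs wants. The sample lines are the Event Log entries quoted elsewhere in this guide joined onto single lines, plus one constructed BEGIN_UPDATE line (workflow id and comment are constructed values) and one unrelated line to exercise the unmatched path.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# (event name, category, pattern) in matching order. The patterns follow the message
# templates in the Event Log Messages table; the more specific registry template comes
# first so that a "with value" message is not swallowed by the key-level one.
TEMPLATES = [
    ("REG_VALUE_WRITE_DENIED", "Error", re.compile(
        r"^McAfee Solidifier prevented an attempt to modify Registry key (?P<target>.+?) "
        r"with value (?P<value>.+?) by process (?P<process>.+?) "
        r"\(Process Id: (?P<pid>\d+), User: (?P<user>.+?)\)\.$")),
    ("REG_KEY_WRITE_DENIED", "Error", re.compile(
        r"^McAfee Solidifier prevented an attempt to modify Registry key (?P<target>.+?) "
        r"by process (?P<process>.+?) \(Process Id: (?P<pid>\d+), User: (?P<user>.+?)\)\.$")),
    ("WRITE_DENIED", "Error", re.compile(
        r"^McAfee Solidifier prevented an attempt to modify file (?P<target>.+?) "
        r"by process (?P<process>.+?) \(Process Id: (?P<pid>\d+), User: (?P<user>.+?)\)\.$")),
    ("READ_DENIED", "Error", re.compile(
        r"^McAfee Solidifier prevented an attempt to read file (?P<target>.+?) "
        r"by process (?P<process>.+?) \(Process Id: (?P<pid>\d+), User: (?P<user>.+?)\)\.$")),
    ("PKG_MODIFICATION_PREVENTED", "Error", re.compile(
        r"^McAfee Solidifier prevented package modification by (?P<target>.+?) by user: (?P<user>.+?)\.?$")),
    ("BEGIN_UPDATE", "Information", re.compile(
        r"^McAfee Solidifier is starting update mode on the system to allow updates "
        r"\(Workflow Id: (?P<workflow_id>.*?), Comment: (?P<comment>.*?)\)\.$")),
    ("END_UPDATE", "Information", re.compile(
        r"^McAfee Solidifier is ending update mode on the system \(Workflow Id: (?P<workflow_id>.*?)\)\.$")),
    ("COMMAND_EXECUTED", "Information", re.compile(
        r"^(?P<user>.+?) executed command '(?P<target>.+?)' at (?P<time>.+?) "
        r"\(Return status: (?P<status>-?\d+)\)\.$")),
]


@dataclass
class SolidifierEvent:
    name: str
    category: str
    fields: Dict[str, str]


def parse_event(line: str) -> Optional[SolidifierEvent]:
    """Maps one Event Log message to its event name and extracts the template fields.
    Returns None for a line that matches no known template."""
    text = " ".join(line.split())          # collapse wrapped lines and stray whitespace
    for name, category, pattern in TEMPLATES:
        m = pattern.match(text)
        if m:
            fields = {k: v.strip("'") for k, v in m.groupdict().items() if v is not None}
            return SolidifierEvent(name, category, fields)
    return None


def parse_all(lines: Iterable[str]) -> Tuple[List[SolidifierEvent], List[str]]:
    """Splits input into recognised events and the raw lines nothing matched."""
    events: List[SolidifierEvent] = []
    unknown: List[str] = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            unknown.append(line)
        else:
            events.append(ev)
    return events, unknown


def prevented_by_user(events: Iterable[SolidifierEvent]) -> Dict[str, int]:
    """Counts Error-category (prevented) events per user."""
    return dict(Counter(e.fields.get("user", "?") for e in events if e.category == "Error"))


# Sample messages: entries quoted in this guide, joined onto one line each, plus one
# constructed BEGIN_UPDATE line and one unrelated line.
SAMPLE_LINES = [
    "Local Administrator executed command 'sadmin config export filename' at Tue Apr 01 2008 13:05:53 (Return status: 0).",
    r"McAfee Solidifier prevented package modification by 'C:\Documents and Settings\Administrator\Desktop\Ica32Pkg.msi' by user: MYDOMAIN\Administrator.",
    r"McAfee Solidifier prevented an attempt to read file 'C:\Documents and Settings\Administrator\Desktop\key.txt' by process C:\WINDOWS\system32\notepad.exe (Process Id: 2060, User: MYDOMAIN\Administrator).",
    r"McAfee Solidifier prevented an attempt to modify Registry key 'HKEY_LOCAL_MACHINE\SOFTWARE\Yahoo\Essentials\Restore\Main' by process C:\WINDOWS\regedit.exe (Process Id: 2688, User: MYDOMAIN\Administrator).",
    "McAfee Solidifier is starting update mode on the system to allow updates (Workflow Id: WF-example, Comment: constructed sample).",
    "Some other application wrote this line.",
]

if __name__ == "__main__":
    events, unknown = parse_all(SAMPLE_LINES)
    for ev in events:
        print(ev.name, ev.category, ev.fields)
    print("unmatched:", unknown)
    print("prevented per user:", prevented_by_user(events))
```

Templates for the remaining rows of the table can be added to TEMPLATES in the same way; the COMMAND_EXECUTED pattern is kept last because it starts with a wildcard and should only be tried once the fixed-prefix messages have been ruled out.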

Troubleshooting Microsoft Windows related issues

STOP Error message appears on the screen when the computer is a part of the domain
Symptom: Consider a scenario in which a computer is part of a domain with Microsoft Windows XP
(SP2) or Microsoft Windows Server 2003 (SP1) and more than three programs related to file
security (antivirus or file-encryption programs) are installed on it. In this scenario, when the
administrator tries to log on to the domain, a Stop error message similar to the one given below is
displayed:
STOP 0x00000035 (0x8207ecd8, 0x00000000, 0x00000000, 0x00000000) NO_MORE_IRP_STACK_LOCATIONS
Note: The first parameter in this error message may vary.

Cause: This problem occurs because the Mup.sys driver assumes that there must be no more than
three file-system filter drivers running at the same time. The Mup.sys driver handles Distributed
File System (DFS) file I/O requests. If there are four or more file system filter drivers, the I/O
request packet (IRP) location buffer that is pre-allocated by Mup.sys will overflow. When this
occurs, the Stop error described above is displayed.
Refer to this link for the resolution: http://support.microsoft.com/kb/906866


Troubleshooting Solidifier-related issues

This section highlights the errors seen while executing Solidifier commands.
UNKNOWN COMMAND Error message appears on the screen
Symptom: On executing the following command
> sadmin deny-read "C:\Documents and Settings\Administrator\Desktop\key.txt"

the following error message appears on the screen:
Unknown command. Type 'sadmin help' for usage.

Cause and Solution: This problem can occur for two reasons:
1) The command syntax is not right. Use the following command to check the syntax of the
command:
> sadmin help <commandname>

2) The feature in use is in the disabled state. You can verify this using the following command:
> sadmin features list

Log File for Debugging

The Solidifier log file solidcore.log is created in the Logs folder on Windows. The default path
of the log file for the various Windows operating systems is:

C:\Program Files\McAfee\Solidcore\Logs on endpoints running Windows 2000 and Windows NT

C:\Documents and Settings\All Users\Application Data\McAfee\Solidcore\Logs on endpoints running
Windows 2003 and Windows XP

C:\ProgramData\McAfee\Solidcore\Logs on endpoints running Windows Vista, Windows 2008, and
Windows 7

On UNIX, the Solidifier log file, solidcore.log, is created in the /var/log/mcafee/solidcore
directory.

When the Solidifier log file reaches the threshold size of 2 MB, it is renamed to solidcore.log.1
and a new Solidifier log file named solidcore.log is started. When the new log file also reaches
the threshold size of 2 MB, the same process is repeated: the existing solidcore.log.1 is renamed
to solidcore.log.2, the existing solidcore.log is renamed to solidcore.log.1, and a new
solidcore.log is started. At any time, at most five such log files can be present in this
folder/directory. The log files are generated with the following names:

solidcore.log
solidcore.log.1
solidcore.log.2
solidcore.log.3
solidcore.log.4

The logs are rotated in chronological order such that the solidcore.log file always has the newest
entries and the solidcore.log.4 file has the oldest.
Note: The above information is based on the default settings of the solidcore.log file. If you have
changed any of these settings, namely the size or the number of log files, take the new
configuration into consideration while troubleshooting.
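The rotation described above, reproduced in Python as an added example (not the product's own code) so that the retained history can be read oldest-first when troubleshooting. The file names and the limit of five files follow the text above; the functions, the tiny threshold used in demo(), and the "entry N" lines are constructed for illustration.

```python
import tempfile
from pathlib import Path
from typing import List

LOG_NAME = "solidcore.log"
MAX_FILES = 5                   # solidcore.log plus solidcore.log.1 .. .4
THRESHOLD = 2 * 1024 * 1024     # default rotation size of 2 MB


def rotate(log_dir, max_files: int = MAX_FILES) -> None:
    """One rotation step: drop the oldest numbered file, shift .3 -> .4, .2 -> .3, .1 -> .2,
    rename solidcore.log to .1, and start an empty solidcore.log."""
    d = Path(log_dir)
    oldest = d / f"{LOG_NAME}.{max_files - 1}"
    if oldest.exists():
        oldest.unlink()
    for i in range(max_files - 2, 0, -1):       # highest index first so nothing is overwritten
        src = d / f"{LOG_NAME}.{i}"
        if src.exists():
            src.rename(d / f"{LOG_NAME}.{i + 1}")
    current = d / LOG_NAME
    if current.exists():
        current.rename(d / f"{LOG_NAME}.1")
    current.touch()


def append_entry(log_dir, entry: str, threshold: int = THRESHOLD) -> None:
    """Appends one line, rotating first if the active log has reached the threshold."""
    current = Path(log_dir) / LOG_NAME
    if current.exists() and current.stat().st_size >= threshold:
        rotate(log_dir)
    with current.open("a", encoding="utf-8") as f:
        f.write(entry + "\n")


def chronological_files(log_dir, max_files: int = MAX_FILES) -> List[Path]:
    """The log files present, oldest first: solidcore.log.4, ..., solidcore.log.1, solidcore.log."""
    d = Path(log_dir)
    names = [f"{LOG_NAME}.{i}" for i in range(max_files - 1, 0, -1)] + [LOG_NAME]
    return [d / n for n in names if (d / n).exists()]


def timeline(log_dir) -> List[str]:
    """All retained entries in the order they were written, read as one history."""
    lines: List[str] = []
    for p in chronological_files(log_dir):
        lines.extend(p.read_text(encoding="utf-8").splitlines())
    return lines


def demo(entries: int = 7, threshold: int = 1) -> List[str]:
    """Writes constructed entries into a temporary Logs directory with a tiny threshold so
    that every append after the first rotates, then returns what survives, oldest first."""
    d = tempfile.mkdtemp(prefix="solidcore-logs-")
    for i in range(1, entries + 1):
        append_entry(d, f"entry {i}", threshold=threshold)
    return timeline(d)


if __name__ == "__main__":
    print(demo())
```

With the default 2 MB threshold and five files, at most about 10 MB of history survives on the host, so anything older has to come from a forwarded copy of the events (the Windows Application Event Log or the UNIX system log named above) rather than from the Logs folder.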

Legitimate failures that are not errors


This section introduces you to the behavior of the Solidifier (on Windows) through examples:

Attempt to install an MSI based package


When an attempt is made to install an MSI based package Ica32Pkg.msi, the operation fails and
the following pop-up window is displayed:

The following Event Log entry is generated:


McAfee Solidifier prevented package modification by 'C:\Documents and Settings\Administrator\Desktop\Ica32Pkg.msi' by user: MYDOMAIN\Administrator.

The Event Log shows that the Solidifier prevented the execution of unauthorized code. An error
message is displayed in the Event Viewer. No user action is required.
Note: The event logs will appear if the package control feature is in enabled state.

Attempt to uninstall an MSI based package


When an attempt is made to uninstall an MSI based package Ica32Pkg.msi, the operation fails
and the following pop-up window is displayed:

The following Event Log entry is generated:
McAfee Solidifier prevented package modification by 'C:\Documents and Settings\Administrator\Desktop\Ica32Pkg.msi' by user: MYDOMAIN\Administrator.

The Event Log shows that the Solidifier prevented the execution of unauthorized code. An error
message is displayed in the Event Viewer. No user action is required.
Note: The event logs will appear if the package control feature is in enabled state.

Attempt to install/uninstall Windows optional components


When an attempt is made to install or uninstall Windows optional components through Add/Remove
Programs, the operation fails and the following Event Log entry is generated:
McAfee Solidifier Prevented package modification by 'windows optional component manager' by user: <user_name>

The Event Log shows that the Solidifier prevented the execution of unauthorized code. An error
message is displayed in the Event Viewer. No user action is required.
Note: The event logs will appear if the package control feature is in enabled state.

Attempt to install an INF based package


When an attempt is made to install an INF mmdriver.inf by right clicking on it, the operation fails
and the following Event Log entry is generated:
McAfee Solidifier prevented package modification by mmdriver.inf by user: MYDOMAIN\Administrator.

The Event Log shows that the Solidifier prevented the execution of unauthorized code. An error
message is displayed in the Event Viewer. No user action is required.
Note: The event logs will appear if the package control feature is in enabled state.

Attempt to open a read protected file


When an attempt is made to read a file that has been read protected, the operation fails and the
following pop-up window is displayed:

The following Event Log entry is generated:
McAfee Solidifier prevented an attempt to read file 'C:\Documents and Settings\Administrator\Desktop\key.txt' by process C:\WINDOWS\system32\notepad.exe (Process Id: 2060, User: MYDOMAIN\Administrator).

The Event Log shows that the Solidifier prevented an attempt to read a file. An error message is
displayed in the Event Viewer. No user action is required.

Attempt to rename a protected registry key


When an attempt is made to rename a registry key that has been protected using Solidifier
protection rules, the operation fails and the following pop-up window is displayed:

The following Event Log entry is generated:


McAfee Solidifier prevented an attempt to modify Registry key 'HKEY_LOCAL_MACHINE\SOFTWARE\Yahoo\Essentials\Restore\Main' by process C:\WINDOWS\regedit.exe (Process Id: 2688, User: MYDOMAIN\Administrator).

The Event Log shows that the Solidifier prevented the attempt to modify the registry key. An
error message is displayed in the Event Viewer. No user action is required.


Appendix: Command Quick Reference

The sadmin utility enables system administrators to perform initialization, maintenance, and
monitoring operations from the Windows command line interface. The usage of the commands is
as follows:
> sadmin command [command-arguments]...

This chapter discusses the syntax and usage of the sadmin commands. The sadmin commands are
divided into two categories: basic sadmin commands and advanced sadmin commands. All basic
commands can be viewed using the help command and all advanced commands can be viewed using
the help-advanced command. The sadmin commands are case-insensitive: they can be issued in
upper, lower or mixed case.
Table 1: Solidifier Administration Command Reference

McAfee Solidifier Command Line (sadmin) Reference
Columns: Command; Parameters; Description and usage note; Required server state or mode to execute command; Type

begin-update (bu)
  Parameters: sadmin bu [work-flow id [comment]]
  Description: This command starts the Update Mode
  Required mode: Enabled and Disabled mode
  Type: Basic

disable
  Parameters: N/A
  Description: This command disables McAfee Solidifier
  Required mode: Enabled mode
  Type: Basic

enable
  Parameters: N/A
  Description: This command enables McAfee Solidifier
  Required mode: Disabled mode
  Type: Basic

end-update (eu)
  Parameters: sadmin eu
  Description: This command ends the Update Mode
  Required mode: Update mode
  Type: Basic

help
  Description: This command displays help for basic commands
  Required mode: Any mode

help-advanced
  Description: This command displays help for advanced commands
  Required mode: Any mode

license
  Parameters:
    sadmin license add license-key
    sadmin license list
  Description: This command allows you to add a license or list the licenses installed on the system
  Required mode: Disabled mode
  Type: Basic

monitor (mon)
  Parameters:
    On Windows:
    sadmin monitor file [ [-e | -i [-d [-n ENCODING] ] | -r] [FILE | DIRECTORY | VOLUME] ... ] | -f
    sadmin monitor reg [ [-e | -i | -r ] [REGISTRY-KEY] ... ] | -f
    sadmin monitor extn [ [-e | -i | -r] [FILE-EXTENSION] ... ] | -f
    sadmin monitor process [ [-e | -i | -r ] [PROCESS-NAME] ... ] | -f
    sadmin monitor user [ [-e | -r ] [USER-NAME] ... ] | -f
    sadmin monitor procexec [ [-e | -i | -r] [PROCESS-PATH | DIRECTORY] ... ] | -f
    sadmin monitor list
    sadmin monitor flush
    On UNIX:
    sadmin monitor file [ [-e | -i | -r] [FILE | DIRECTORY] ... ] | -f
    sadmin monitor extn [ [-e | -i | -r] [FILE-EXTENSION] ... ] | -f
    sadmin monitor process [ [-e | -i | -r] [PROCESS-NAME] ... ] | -f
    sadmin monitor user [ [-e | -r] [USER-NAME] ... ] | -f
    sadmin monitor procexec [ [-e | -i | -r] [PROCESS-PATH | DIRECTORY] ... ] | -f
    sadmin monitor list
    sadmin monitor flush
  Description: This command modifies or displays the monitoring rules
  Required mode: Any mode
  Type: Basic

passwd
  Parameters: sadmin passwd [-d]
  Description: This command changes the McAfee Solidifier Administrator password.
  Required mode: Any mode
  Type: Basic

status
  Parameters: sadmin status [volume]
  Description: This command displays the current status of the Solidifier
  Required mode: Any mode
  Type: Basic

updaters
  Parameters:
    On Windows:
    sadmin updaters add [-d] [-n] [-t ruleid] [-l libraryname] exename
    sadmin updaters add [-d] [-n] [-t ruleid] [-p parent-exe-name] exename
    sadmin updaters remove [-l libraryname] exename
    sadmin updaters remove [-p parent-exe-name] exename
    sadmin updaters list
    sadmin updaters flush
    On UNIX:
    sadmin updaters add [-d] [-n] [-t RULE-ID] [-p parentname] binaryname / scriptname
    sadmin updaters remove [-p parentname] binaryname / scriptname
    sadmin updaters list
    sadmin updaters flush
  Description: This command enables you to add, list or remove authorized updaters
  Required mode: Any mode
  Type: Basic

version
  Parameters: N/A
  Description: This command displays the version of the Solidifier
  Required mode: Any mode
  Type: Basic

attr
  Parameters:
    sadmin attr add [-a | -b | -d | -e | -f | -i | -p | -r | -u ] filename
    sadmin attr remove [-a | -b | -d | -e | -f | -i | -p | -r | -u ] filename
    sadmin attr list [-a | -b | -d | -e | -f | -i | -p | -r | -u ] [filename]
    sadmin attr flush [-a | -b | -d | -e | -f | -i | -p | -r | -u ]
    Note: On Windows, only the -a, -i, and -u configuration attributes are applicable and operative for the Change Control module with the 32-bit installer. With the 64-bit installer, only the -a and -u configuration arguments are operative. Thus, other configuration arguments should not be set for the Change Control module as they will have no effect if set. However, all configuration attributes are applicable and operative for the Runtime Control module.
    Note: On UNIX, only the -a (available only in the Run Time Control module) and -p configuration attributes are available. Other attributes are listed, but they will have no effect if set.
  Description: This command is used to modify or display the attributes list.
  Required mode: Any mode
  Type: Advanced

config
  Parameters:
    sadmin config export filename
    sadmin config import [-a] filename
    sadmin config set NAME=VALUE
    sadmin config show
  Description: This command is used to export the configuration of the Solidifier installation to the named disk file or to import the configuration from that file. It also allows changing the values of configuration parameters and displaying a list of them.
  Required mode: Any mode
  Type: Advanced

event
  Parameters:
    sadmin event sink [eventname]
    sadmin event sink [-a|-r] eventname | ALL sinkname | ALL
  Description: This command displays the list of events and their sink configuration.
  Required mode: Any mode
  Type: Advanced

features
  Parameters:
    sadmin features [enable | disable] featurename
    sadmin features list
  Description: This command allows you to enable, disable or display the list of Solidifier features.
  Required mode: Any mode
  Type: Advanced

lockdown
  Parameters: N/A
  Description: This command disables the Local CLI.
  Required mode: Any mode
  Type: Advanced

read-protect (rp)
  Parameters:
    sadmin read-protect [-e | -i | -r ] pathname ...
    sadmin read-protect -l
    sadmin read-protect -f
  Description: This command allows you to use the deny-read feature.
  Type: Advanced

recover
  Parameters: N/A
  Description: This command enables a local administrator to recover the Local CLI
  Required mode: Any mode
  Type: Advanced

write-protect (wp)
  Parameters:
    sadmin write-protect [-e | -i | -r ] pathname ...
    sadmin write-protect -l
    sadmin write-protect -f
  Description: This command adds the supplied file or directory or a volume to inventory and write-protects it.
  Required mode: Any mode
  Type: Advanced

write-protect-reg (wpr)
  Parameters:
    sadmin write-protect-reg [-e | -i | -r ] [registry-key] ...
    sadmin write-protect-reg -l
    sadmin write-protect-reg -f
    Note: This command is available on Windows only.
  Description: This command allows you to use the deny-write feature.
  Required mode: Any mode
  Type: Advanced
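The begin-update (bu) and end-update (eu) rows above describe a pairing that is easy to get wrong in practice: a change script that fails or is interrupted between the two commands leaves the host in Update Mode, where changes are no longer blocked. The wrapper below is an added example written for this section, not McAfee's code; it assumes sadmin is on PATH under that name (SADMIN can point elsewhere) and that the arguments follow the table.

```shell
#!/bin/sh
# Added example, not from the McAfee guide: run one planned change inside
# the begin-update (bu) / end-update (eu) window documented in the command
# table, and make end-update run whether the change succeeds, fails or is
# interrupted, so the host is not left in Update Mode.
# Assumption: sadmin is on PATH under that name (override with
# SADMIN=/path/to/sadmin).
SADMIN=${SADMIN:-sadmin}

# in_update_window WORKFLOW_ID COMMENT CMD [ARGS...]
# Exit status: that of CMD; 2 if begin-update was refused (the table says
# bu is valid only in Enabled or Disabled mode, so a host that is already
# in Update Mode is not re-entered).
in_update_window() {
    wf=$1
    comment=$2
    shift 2
    if [ -n "$comment" ]; then
        "$SADMIN" bu "$wf" "$comment"
    else
        "$SADMIN" bu "$wf"
    fi || return 2
    (
        ended=0
        # Runs exactly once, on normal exit or on INT/TERM, so eu is never
        # skipped and never issued twice.
        finish() {
            if [ "$ended" -eq 0 ]; then
                ended=1
                "$SADMIN" eu || echo "in_update_window: end-update failed; host may still be in Update Mode" >&2
            fi
        }
        trap 'finish; exit 130' INT
        trap 'finish; exit 143' TERM
        trap finish EXIT
        "$@"
    )
}
```

Usage: `in_update_window CHG-1234 "apply vendor patch" /path/to/patch.sh` runs the patch between bu and eu and returns the patch script's own exit status, so a calling change-management job can still tell success from failure. The subshell is what makes the EXIT trap apply only to the change command and not to the caller's shell.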

Appendix: Diagnostic Tools


Tool name    Role
ScAnalyzer   Discover the run-time characterization of a system and whether prerequisites for deploying the Solidifier are met
GatherInfo   Gather diagnostic data from logs

ScAnalyzer
ScAnalyzer is a lightweight deployment tool which is used by field engineers, or professional
services personnel, for characterizing a host's run-time environment and discovering whether the
host satisfies the prerequisites for installing Solidifier. The run-time characterization includes:
Operating system version
Service pack level
Processor and memory configuration
Installed applications
Installed Hot fixes
Installed services
System devices
List of running processes
List of open network ports
It is run once before and once more after Solidifier is installed to discover differences in the
run-time characterization and address them if necessary.

Usage and Interpretation


On Windows
The ScAnalyzer tool is available in C:\Program Files\McAfee\Solidcore\Tools\ScAnalyzer folder.
Issue the following command to run the tool:
> scanalyzer
The following parameters can be used with this command:
-h                Displays help for using ScAnalyzer
-v                Displays version of ScAnalyzer
[-c <checklist>]  Detects if any of the applications in the checklist is installed on the system
-d                Compares differences in running services, processes and open ports in two ScAnalyzer reports
-o <output file>  Writes the output to the output file. If no file is specified, output is printed on the console
-s <scan_file>    Detects if any of the applications in the checklist is present in the ScAnalyzer report
-q                Runs the ScAnalyzer in quiet mode
-n                No time stamp is added to the output file name

On executing the ScAnalyzer tool, the data\scan<machine_name>_<date>_<time>.txt file is
generated in the current working directory.

Manual Review of ScAnalyzer Reports


A manual review of the ScAnalyzer report should check the following:
Check the OS version and Service Pack level against the supported versions.
The existence of Hot Fixes that are prerequisites for the Solidifier should be verified,
and they should be applied when necessary.
Certain applications such as anti-virus products update their code when they run. The ScAnalyzer
output should be checked for these applications so that the system configuration can be
changed to register them as Auto-Updaters.

When ScAnalyzer is executed, it compares the software installed on the system with an
internal, prepackaged checklist and creates a file named scanalysis.bat, which
lists all programs that are Auto-Updaters and the exceptions for bypassing the stringent API
validation checks. This file can be edited by the user for further customization. This file
should be used for effecting configuration changes for the Solidifier.

On Unix
The ScAnalyzer tool is available in <install-dir>/mcafee/solidcore/tools/scanalyzer/ folder. Issue
the following command to run the tool:
# ./scanalyzer.sh

The following parameters can be used with this command:
-h or --help       Displays help for using ScAnalyzer
-v or --version    Displays version of ScAnalyzer
-d <rep1 rep2>     Compare differences in two ScAnalyzer reports
-r <install path>  Path for disk space check
-o <output file>   Writes the output to the output file
-q                 Runs ScAnalyzer in quiet mode
-n                 No time stamp is added to the output file name

On executing the ScAnalyzer tool, the data/report-<machine_name><date>_<time> file is generated in the current working directory.

GatherInfo
This tool gathers information related to log files, inventory, version, system state, etc., needed by a
Technical Support Engineer to troubleshoot field issues. It is shipped as a part of the Solidifier
product and is installed in the Solidifier installation directory.
Note: The GatherInfo tool collects logs from the installation directory path as well as from any
changed log location.

Usage and Interpretation


On Windows
The GatherInfo tool is available in C:\Program Files\McAfee\Solidcore\Tools\GatherInfo folder.
Issue the following command to run the tool:
> gatherinfo

The following parameters can be used with this command:
-h    Displays help for using GatherInfo
-v    Displays version of GatherInfo
-q    Gathers logs in quiet mode
-x    Excludes security logs collection

On executing the GatherInfo tool, the gatherinfo.zip file is generated in the current
working directory. These logs can be used to identify the most common support issues.
On Unix
The GatherInfo tool is available in <install-dir>/mcafee/solidcore/tools/gatherinfo/ folder. Issue
the following command to run the tool:
# ./gatherinfo.sh

The following parameters can be used with this command:
-h or --help                         Displays help for using GatherInfo
-v or --version                      Displays version of GatherInfo
-c <core-file> or --core <core-file> Use this core file for getting a backtrace
-q                                   Gathers logs in quiet mode
-n                                   No time stamp is added to the output file name

On executing the GatherInfo tool, the gatherinfo-<machine_name><date>_<time>.tar.gz file is
generated in the current working directory. These logs can be used to identify the most common
support issues.


Appendix: Advanced Configuration parameters


Displaying Configuration parameters
The administrator can display a list of the configuration parameters using the following
command:
> sadmin config show

On Windows, the following message is displayed at the command prompt:

  CustomerConfig                 20 (0x14)
  ssLangId                       Default
  CustomizedEventCacheSize       1000 (0x3e8)
  EventCacheSize                 2 (0x2)
  EventCacheWMHigh               90 (0x5a)
  EventCacheWMLow                70 (0x46)
  FailSafeConf                   0 (0x0)
* FeaturesEnabled                2190778696701759 (0x7c88069ff973f)
* FeaturesEnabledOnReboot        2190778696701759 (0x7c88069ff973f)
* FeaturesInstalled              3633552264724721 (0xce8b2500300f1)
* FileAttrCTrack                 5024 (0x13a0)
* FileDenyReadOptions            1024 (0x400)
* FileDenyWriteOptions           4831 (0x12df)
  FileDiffMaxSize                10 (0xa)
  FipsMode                       0 (0x0)
* LockdownStatus                 0 (0x0)
  LogFileNum                     4 (0x4)
* LogFilePath                    C:\Documents and Settings\All Users\Application Data\McAfee\Solidcore\Logs
  LogFileSize                    2048 (0x800)
* RTEMode                        1 (0x1)
* RTEModeOnReboot                1 (0x1)
  SoPriority                     0 (0x0)
* WorkFlowId                     UPDATE_MODE: AUTO_103
  ObservationLogsRotationMillis  60000 (0xea60)

Note: All the parameter names preceded by * cannot be configured by the administrator. The
usage and steps to configure the rest of the parameters have been discussed in the relevant
sections of this document.


On UNIX, the following message is displayed at the command prompt:

  EventCacheSize             2 (0x2)
  EventCacheWMHigh           90 (0x5a)
  EventCacheWMLow            70 (0x46)
  FailSafeConf               0 (0x0)
* FeaturesEnabled            67174417 (0x4010011)
* FeaturesEnabledOnReboot    67174417 (0x4010011)
* FeaturesInstalled          69055086641 (0x1014010031)
* FileAttrCTrack             4912 (0x1330)
* FileDenyReadOptions        735 (0x2df)
* FileDenyWriteOptions       735 (0x2df)
  HeartbeatInterval          2 (0x2)
  HeartbeatTimeout           120 (0x78)
* LockdownStatus             0 (0x0)
  LogFileNum                 4 (0x4)
* LogFilePath                /var/log/mcafee/solidcore
  LogFileSize                2048 (0x800)
  MobilityIntervalMax        30 (0x1e)
  MobilityIntervalMin        5 (0x5)
  MobilityResponseTimeout    10 (0xa)
  MobilityState              0 (0x0)
  Proxy                      NULL
* RTEMode                    1 (0x1)
* RTEModeOnReboot            1 (0x1)
  SCAddress1                 NULL
  SCAddress2                 NULL
  SCPort                     5125 (0x1405)
  SCUUID                     NULL
  SSTag                      NULL
* WorkFlowId                 None

Note: All the parameter names preceded by * cannot be configured by the administrator. The
usage and steps to configure the rest of the parameters have been discussed in the relevant
sections of this document.

Modifying the value of configuration parameters


The value of the configuration parameters can be modified depending upon the requirements. The
syntax to modify the value of the configuration parameters is given below:
> sadmin config set NAME=VALUE

The NAME signifies the configuration parameter name. The VALUE refers to the new value
of the configuration parameter that is going to be applicable after the change.
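The two operations above, reading `sadmin config show` output and issuing `sadmin config set NAME=VALUE`, fit together naturally: a change script should check the current listing before it sets anything, because parameters marked * are not configurable and a numeric parameter should not silently receive a string. The script below is an added example for this section, not McAfee's code. SAMPLE_CONFIG is a constructed excerpt in the UNIX listing layout shown above; the functions take the listing text as an argument so they can be fed saved output from any host.

```shell
#!/bin/sh
# Added example, not from the McAfee guide: work with saved "sadmin config
# show" output in the layout shown in this appendix (UNIX form).
# config_value reads a parameter's current value, config_is_readonly tells
# whether the listing marks it with "*", and config_set_cmd builds the
# "sadmin config set NAME=VALUE" line only for a parameter that exists, is
# configurable and gets a value of the right kind.
# SAMPLE_CONFIG is a constructed excerpt of such a listing.
SAMPLE_CONFIG='  EventCacheSize          2 (0x2)
  FailSafeConf            0 (0x0)
* FeaturesEnabled         67174417 (0x4010011)
* LockdownStatus          0 (0x0)
  LogFileNum              4 (0x4)
* LogFilePath             /var/log/mcafee/solidcore
  LogFileSize             2048 (0x800)
  Proxy                   NULL
* RTEMode                 1 (0x1)
* WorkFlowId              None'

# config_value NAME LISTING: prints the value, with the "(0x..)" echo of a
# numeric value removed; status 1 if NAME is not in LISTING.
config_value() {
    printf '%s\n' "$2" | awk -v want="$1" '
        NF == 0 { next }
        {
            start = ($1 == "*") ? 3 : 2
            name = $(start - 1)
            val = $start
            for (i = start + 1; i <= NF; i++) val = val " " $i
            sub(/ \(0x[0-9a-fA-F]+\)$/, "", val)
        }
        name == want { print val; found = 1 }
        END { exit found ? 0 : 1 }'
}

# config_is_readonly NAME LISTING: status 0 when NAME is marked "*".
config_is_readonly() {
    printf '%s\n' "$2" | awk -v want="$1" '
        $1 == "*" && $2 == want { ro = 1 }
        END { exit ro ? 0 : 1 }'
}

# config_set_cmd NAME VALUE LISTING: prints the sadmin line to run, or
# explains on stderr why it must not be run.
config_set_cmd() {
    cur=$(config_value "$1" "$3") || {
        echo "config_set_cmd: $1 is not a known parameter" >&2
        return 1
    }
    if config_is_readonly "$1" "$3"; then
        echo "config_set_cmd: $1 is marked * and cannot be configured" >&2
        return 1
    fi
    # A parameter that currently holds a number must receive a number.
    case $cur in
        *[!0-9]*) ;;
        *) case $2 in
               ''|*[!0-9]*)
                   echo "config_set_cmd: $1 expects a numeric value, got '$2'" >&2
                   return 1 ;;
           esac ;;
    esac
    printf 'sadmin config set %s=%s\n' "$1" "$2"
}
```

Usage: `listing=$(sadmin config show)` on the host, then `config_set_cmd LogFileSize 4096 "$listing"` prints the exact command to run (or refuses). Keeping the decision separate from the execution makes the change reviewable before it is applied.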


Appendix: Solidifier feature list


Displaying Solidifier features
You can view the complete list of Solidifier features by using the following command:
> sadmin features list

Note: Starting with the 6.0.0 release, the feature list has been minimized to show only the
features that require tweaking for routine purposes.
On Windows, the following message is displayed at the command prompt (only commonly-used
features are listed below):
activex                Disabled
deny-read              Disabled
deny-write             Enabled
enduser-notification   Enabled
integrity              Disabled
network-tracking       Disabled
pkg-ctrl               Disabled

Note: The pkg-ctrl feature is not available on the IA64 architecture.


On UNIX, the following message is displayed at the command prompt:
deny-read       Disabled
deny-write      Enabled
integrity       Disabled
mon             Enabled
mon-file        Enabled
mon-proc-exec   Disabled
ssl             Enabled


Appendix: Solidifier and Solaris 10 Zones


This section describes the best practices and recommendations for deploying McAfee Solidifier
in a Solaris 10 Zones environment.

Solaris 10 Zones Explained


Solaris 10 Zones is a virtualization technology that allows creation of isolated and secure
environments for running applications. For end-users, these environments look just like separate
abstract machines with Solaris 10 installed on them. Inside each zone, the processes do not see
anything happening in all other zones on a system. Isolation is done on such a level that processes
of one zone cannot see or affect processes of any other zone.
The feature is implemented at the software level. By default, every Solaris 10 machine has a
global zone which is the only zone from where you can view processes of all other zones on your
system. Upon the completion of a Solaris 10 install, you are immediately put into the global zone.
Solidifier works at the global zone level and therefore can view all processes and function calls
made in all zones. This ability allows Solidifier to solidify the entire system.
Note: Solidifier is managed at the global zone level only and cannot be managed from other
zones (sparse or local zones).

Solidifier and Solaris 10 Security


Solaris 10 utilizes role-based access control (RBAC) as an alternative to the traditional all-or-nothing super-user model. RBAC is based on the principle that no user should have more
privileges than are necessary for performing an operation (the principle of least privilege).
Using RBAC, you can configure any number of roles (special identities for executing privileged
programs, such as setuid ones). Examples of common roles are Primary Administrator, System
Administrator, and Operator. These roles are assigned to users. A role's capabilities become
available to a user upon assuming the role. Roles derive their capabilities from rights profiles,
which contain authorizations (permissions for performing a normally disallowed set of
operations) and privileged commands (that is, commands that need to be executed with
administrator capabilities). Privileges are distinct rights that can be granted to a role, a user, a
command, or even the system. Privileges are logically grouped into categories such as FILE, IPC,
NET, PROC, and SYS.

Solaris 10 RBAC is the methodology that Solaris 10 uses to manage its users. This mechanism
does not affect the way Solidifier enforces at the global zone level. Solidifier creates an inventory
of all executables at the global zone level and enforces run-time enforcement on the solidified
files.
All Solidifier administrative users are created at the global level so each administrator has
visibility to the entire system. Solaris User Rights Management and Process Rights Management
offer fine-grained privileges in the kernel and user access space of Solaris. The practical benefit
of these technologies is the elimination of the need for applications or users to have unlimited
access to the system in order to perform their duties. The kernel itself in Solaris 10 checks only
for Process Rights Management attributes, not 'root' or super-user access. Solidifier functions at
the global level and will log all changes and enforce security for each user on the system
regardless of the zone the user is in.

Best Practices for Solidifier and Solaris 10


The Solidifier application is installed in the global Zone (Super Zone); however, the installation
information needed to make the Solidifier application appear installed in non-global Zones
(sub-zones) is replicated in all non-global Zones. When a non-global Zone inherits a file system
from the global Zone, an application installed in that file system is visible in the non-global
Zone, although not all Solidifier files contained in the application are visible (or required)
within the non-global Zone.
All pathnames are reported relative to the global Zone (Super Zone) in events. For example,
consider the case where the Solidifier is running on the global Zone (Super Zone) and a
non-global sub-zone zone1 is installed at /Zone/zone1/. If a process http.exe running in
zone1 modifies a file located at /test contained in zone1, then the pathname recorded in the
event will be /Zone/zone1/root/test. The file is solidified and recorded at the global zone level,
that is, under its absolute path.
The following figure shows how Solidifier installed on a Zoned Solaris 10 Server
ZONE_SERVER records/reports a file located in three different zones:

Best Practices for Solidifier


1. Solidifier can only be installed and uninstalled in the global Zone (Super Zone).
2. Solidifier Service can only be started or stopped from the global Zone (Super Zone).
3. sadmin commands can only be executed from the global Zone (Super Zone). In the case of a
sparse Zone (sub-zone), sadmin commands are visible but cannot be executed.
4. Use absolute paths relative to the global zone in all Solidifier commands that require a
pathname. For example, name the http.exe file located in Zone3 as /Zone/zone3/root/http.exe.
If the root of zone 'zone1' is /zone/1/root/, then issue the following command from the global
zone to write-protect file /foo in zone1:
# sadmin wp /zone/1/root/foo

For sparse zones, some file systems inside a zone may be loopback (lofs) mounts of a
physical file system present in the global zone. For such cases, the actual physical path should
be used in all Solidifier commands. For example, the /usr file system in sparse zone 'zone1'
may have the following mount table entry, indicating that it is a loopback mount of the /usr
file system present in global zone:
/usr - /zone/1/root/usr lofs - no ro,nodevices,nosub
Then, to make /usr/bin/touch file an updater, issue the following command from global zone:
# sadmin updaters add /zone/1/root/usr/bin/touch


Appendix: Solidifier and AIX 6.1 Workload Partitions (WPARs)


AIX 6.1 Workload Partition (WPAR) Explained
This section describes the best practices and recommendations for deploying McAfee Solidifier in
an AIX 6.1 WPAR environment.
AIX 6.1 WPAR is a virtualization technology that allows creation of isolated and secure
environments for running applications. For end-users, these environments look just like separate
abstract machines with AIX 6.1 installed on them. Each WPAR is isolated from other WPARs. It
is unaware of the running processes and even the file system used by other WPARs.
The feature is implemented at the software level. By default, every AIX 6.1 machine has a global
environment, which is the only environment from where all processes of WPARs on the system
can be seen. Upon the completion of an AIX 6.1 install, the user is immediately put into the global
environment.
Solidifier works in the global environment and therefore can view all processes running in all
WPARs. This ability allows Solidifier to have a unified view of the entire system.
Note: Solidifier is managed at the global environment level only and cannot be managed from
WPARs (System or Application WPARs).

Solidifier and AIX 6.1 interaction


Solidifier is installed in the global environment; however, the Solidifier installation information is
also available in WPARs. When a System WPAR (shared) or Application WPAR inherits a file
system from the global environment, an application installed in that file system is visible in a
WPAR, although not all Solidifier files contained in the application are visible within the WPAR.
All pathnames are reported relative to the global environment in the events. For example,
consider the case where the Solidifier is running in the global environment and a WPAR wpar1
is installed at /Wpar/wpar1/. If a process http.bin running in wpar1 modifies a file located at
/test contained in wpar1, then the pathname recorded in the event will be /Wpar/wpar1/test.
The following figure shows how Solidifier installed on a WPAR-enabled AIX 6.1 Server
records/reports a file located in three different WPARs:


Best Practice for McAfee Solidifier


1. Solidifier can only be installed and uninstalled in the global environment.
2. Solidifier Service can only be started or stopped from the global environment.
3. sadmin commands can only be executed from the global environment. In the case of Shared
System or Application WPAR, sadmin commands are visible but cannot be executed.
4. Use absolute paths in all Solidifier commands that require a pathname. For example, name
http.bin file located in wpar1 as /Wpar/wpar1/http.bin.
If the root of WPAR 'wpar1' is /Wpar/wpar1/, then issue the following command from the
global environment to write-protect file /foo in wpar1:
# sadmin wp /Wpar/wpar1/foo

For Shared System or Application WPAR, some file systems inside a WPAR may be
loopback (namefs) mounts of a physical file system present in the global environment. For
such cases, the actual physical path should be used in all Solidifier commands. For example,
the /usr file system in shared system WPAR 'wpar1' may have the following mount table
entry, indicating that it is a loopback mount of the /usr file system present in global
environment:
/usr   /Wpars/wpar1/usr   namefs   Jun 30 19:13   ro

Then, to make the /usr/bin/touch file an updater, issue the following command from global
environment:
# sadmin updaters add /Wpar/wpar1/usr/bin/touch
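Both the Solaris 10 Zones section and the AIX 6.1 WPAR section above come down to the same rule: sadmin commands take the global-view path (zone root plus the in-zone path), and events report the global-view path, which has to be mapped back to a zone for analysis. The helper below is an added example for these two sections, not McAfee's code. ZONE_ROOTS is a constructed table of zone and WPAR names with the roots used in the guide's examples (Solaris zone roots end in /root, WPAR roots do not); on a real host it would be filled from zoneadm or lswpar output.

```shell
#!/bin/sh
# Added example, not from the McAfee guide: map paths between a non-global
# zone / WPAR and the global view that sadmin commands and Solidifier
# events use, as described in the Solaris 10 Zones and AIX 6.1 WPAR
# sections. ZONE_ROOTS is a constructed "name root" table; the roots follow
# the guide's examples.
ZONE_ROOTS='zone1 /zone/1/root
zone3 /Zone/zone3/root
wpar1 /Wpar/wpar1'

# zone_root NAME: prints the global path of the zone's root; status 1 if
# NAME is not in ZONE_ROOTS.
zone_root() {
    printf '%s\n' "$ZONE_ROOTS" | awk -v n="$1" '
        $1 == n { print $2; f = 1 }
        END { exit f ? 0 : 1 }'
}

# global_path NAME PATH: the path to use in sadmin commands for a file that
# is seen as PATH inside zone NAME. PATH must be absolute within the zone.
global_path() {
    root=$(zone_root "$1") || { echo "global_path: unknown zone $1" >&2; return 1; }
    case $2 in
        /*) printf '%s%s\n' "${root%/}" "$2" ;;
        *)  echo "global_path: $2 is not an absolute path" >&2; return 1 ;;
    esac
}

# zone_wp_cmd NAME PATH...: prints the write-protect command to run from
# the global zone for files seen inside zone NAME (sadmin wp, as in the
# guide's example).
zone_wp_cmd() {
    z=$1
    shift
    out="sadmin wp"
    for p in "$@"; do
        g=$(global_path "$z" "$p") || return 1
        out="$out $g"
    done
    printf '%s\n' "$out"
}

# zone_of_event_path PATH: prints "NAME INNER_PATH" for a pathname taken
# from an event, or "global PATH" when it lies outside every known zone
# root. The longest matching root wins, so nested roots are handled.
zone_of_event_path() {
    printf '%s\n' "$ZONE_ROOTS" | awk -v p="$1" '
        {
            r = $2
            sub(/\/$/, "", r)
            if (substr(p, 1, length(r) + 1) == (r "/") && length(r) > best) {
                best = length(r); bn = $1; br = r
            }
        }
        END { if (best) print bn, substr(p, length(br) + 1); else print "global", p }'
}
```

Usage: `zone_wp_cmd zone1 /foo /etc/hosts` prints `sadmin wp /zone/1/root/foo /zone/1/root/etc/hosts`, and `zone_of_event_path /Wpar/wpar1/test` prints `wpar1 /test`, which is the split an analyst wants when an event from the global environment has to be attributed to a partition.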
