About whitelisting
Every application on the whitelist can be executed; anything not on the whitelist cannot. Take the scenario of a user inadvertently downloading a malicious file: the downloaded file cannot be executed, because it is not on the whitelist.
The whitelisting product used for this post is McAfee Application Control, aka McAfee Solidifier. It is very easy to use; the only laborious part is manually adding applications and updaters to the whitelist, but McAfee simplifies this with its finetune.bat.
Checklist
Here is the checklist of what should be done before and during whitelisting.
1. Scan the server/workstation thoroughly, preferably with antivirus and rootkit scanners from different vendors, to ensure the machine is free of viruses and other malicious files. Anything already present on the volume when it is solidified gets whitelisted along with everything else, and zero-day malware cannot be detected by this scan.
2. Use finetune.bat to add U-WindowsUpdate, A-McAfee and E-WSUSServer. These are the updater rules for Windows Update, McAfee VirusScan and WSUS synchronization respectively.
C:\Program Files\McAfee\Solidcore>finetune.bat add E-WSUSServer
*****ADDING solidifier CUSTOMIZATIONS*****
Adding solidifier rules for Windows Server Update Services2.0 sp1...
Rules added sucessfully.
WARNING! Reboot your system before proceeding further as some rules take effect only on system restart.

C:\Program Files\McAfee\Solidcore>finetune.bat add A-McAfee
*****ADDING solidifier CUSTOMIZATIONS*****
Adding solidifier rules for Mcafee.
Rules added sucessfully.
WARNING! Reboot your system before proceeding further as some rules take effect only on system restart.
3. Solidify the C volume. Solidifying means whitelisting the volume, directory or file. If you do not name a volume, directory or file, sadmin solidifies every volume on the computer by default, including any removable media attached at the time; if that is not what you want, name the target explicitly, for example sadmin so c:\
C:\Program Files\McAfee\Solidcore>sadmin so
Password:
Solidifying volume C:\
00:09:09: Total files scanned 72308, solidified 28002

C:\Program Files\McAfee\Solidcore>
4. Set McAfee Application Control password.
C:\Program Files\McAfee\Solidcore>sadmin passwd
New Password:
Retype Password:
Password changed.
5. Back up the Windows server, or create a restore point if you are using Windows 7.
6. Enable McAfee Application Control.
C:\Program Files\McAfee\Solidcore>sadmin enable
Password:
McAfee Solidifier will be enabled without Memory Protection on service restart.
Memory Protection will be available on next reboot.

C:\Program Files\McAfee\Solidcore>
7. Reboot the machine.
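The checklist above, as one script that runs steps 2, 3, 6 and 7 from an elevated PowerShell prompt and stops at the first failure. This is an added example, not McAfee's code and not part of the original post; it only calls the finetune.bat and sadmin commands shown above. It assumes that sadmin.exe lives in the Solidcore directory from the post, that finetune.bat and sadmin return a non-zero exit code when a step fails, and that "sadmin status" reports the current Solidifier state; the -ScanAndBackupDone and -Reboot switches are names chosen here. Steps 1 (scan), 4 (sadmin passwd, which is interactive) and 5 (backup) are left to the operator.

```powershell
<#
Added example (not McAfee's script): run the whitelisting checklist end to end.
Assumptions: sadmin.exe is in $Solidcore; finetune.bat and sadmin exit non-zero
on failure; "sadmin status" prints the current Solidifier state.
#>
param(
    [string]$Solidcore = 'C:\Program Files\McAfee\Solidcore',
    [string]$Volume    = 'C:\',
    [switch]$ScanAndBackupDone,   # operator asserts that steps 1 and 5 are done
    [switch]$Reboot               # perform step 7 at the end
)

# Whatever is on the volume when it is solidified becomes trusted, so refuse to
# run until the operator confirms the scan and the backup have been done.
if (-not $ScanAndBackupDone) {
    throw 'Refusing to whitelist: run the AV/rootkit scan and take a backup first, then pass -ScanAndBackupDone'
}

$sadmin = Join-Path $Solidcore 'sadmin.exe'
if (-not (Test-Path $sadmin)) { throw "sadmin.exe not found in $Solidcore" }

function Invoke-Sadmin {
    param([string[]]$Arguments)
    # sadmin prompts for the Application Control password once one is set,
    # so this script must be run interactively.
    & $sadmin @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "sadmin $($Arguments -join ' ') failed (exit code $LASTEXITCODE)"
    }
}

Push-Location $Solidcore
try {
    # Step 2: add the three updater rule sets. finetune.bat is a batch file,
    # so it is run through cmd.exe.
    foreach ($u in 'U-WindowsUpdate', 'A-McAfee', 'E-WSUSServer') {
        & cmd.exe /c "finetune.bat add $u"
        if ($LASTEXITCODE -ne 0) { throw "finetune.bat add $u failed (exit code $LASTEXITCODE)" }
    }

    # Step 3: solidify only the named volume. Running "sadmin so" with no
    # argument would solidify every mounted volume, removable media included.
    Invoke-Sadmin 'so', $Volume

    # Step 6: enable enforcement. Memory Protection only becomes active after
    # the reboot in step 7, as the sadmin output in the post says.
    Invoke-Sadmin 'enable'

    # Show the resulting state so the operator can confirm before rebooting.
    Invoke-Sadmin 'status'
}
finally {
    Pop-Location
}

if ($Reboot) {
    Restart-Computer -Force
} else {
    Write-Warning 'Reboot required: updater rules and Memory Protection take effect only after a restart.'
}
```

Run it as `.\whitelist.ps1 -ScanAndBackupDone -Reboot` after setting the password with `sadmin passwd` (step 4); leaving off -Reboot lets you read the `sadmin status` output before restarting. The explicit volume argument and the confirmation gate are the two things worth keeping even if the rest is typed by hand: solidifying every attached volume, or solidifying a machine that has not been scanned, locks in exactly the files the whitelist was meant to keep out.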