V-74243

Discussion

When McAfee Application Control is deployed on a system, it creates a whitelist of all executable binaries and scripts present on the system. The whitelist contains all authorized files, and only files that are present in the whitelist are allowed to execute. An executable binary, script, or process that is not in the whitelist is said to be unauthorized and is prevented from running. McAfee Application Control uses a centralized repository of trusted applications and dynamic whitelisting to reduce manual maintenance effort. Running frequent Pull Inventory tasks ensures inventory information does not become stale. There must be the minimum interval between consecutive inventory pull runs (when the inventory information is fetched from the endpoints). By default, this value is 7 days and is the recommended setting. Pulling at an interval of greater than 7 days will allow for the inventory of endpoints to become stale.

Check Content

Consult with the ISSO to determine the endpoints used for the sampling of inventory pulls.

From the McAfee ePO console, select Menu >> Systems >> System Tree.

If sampling is a group, select the group in the System Tree and switch to the “Assigned Client Tasks” tab.

Otherwise, select each endpoint on the “Systems” page and then click Actions >> Agent >> Modify Tasks on a Single System.

Confirm a client task exists with an “SC: Pull Inventory” task type. Review the task properties to validate the task is configured to run at least as frequently as every 7 days.

If a sampling of endpoints does not have a “Pull Inventory” task type applied and/or the “Pull Inventory” task is not configured to run at least as frequently as every 7 days, this is a finding.