Operation Sharpshooter - McAfee


REPORT
Operation Sharpshooter
Campaign Targets Global Defense, Critical Infrastructure
McAfee Advanced Threat Research

Operation Sharpshooter

The McAfee Advanced Threat Research team and McAfee Labs Malware Operations Group, employing McAfee Global Threat Intelligence, have discovered a new global campaign targeting nuclear, defense, energy, and financial companies. This campaign, Operation Sharpshooter, leverages an in-memory implant to download and retrieve a second-stage implant—which we call Rising Sun—for further exploitation. According to our analysis, the Rising Sun implant uses source code from the Lazarus Group’s 2015 backdoor Trojan Duuzer in a new framework to infiltrate these key industries.

Operation Sharpshooter’s numerous technical links to the Lazarus Group seem too obvious to immediately draw the conclusion that they are responsible for the attacks, and instead indicate a potential for false flags. Our research focuses on how this actor operates, the global impact, and how to detect the attack. We shall leave attribution to the broader security community.

Authors
This report was researched and written by:
- Ryan Sherstobitoff
- Asheer Malhotra
- Contributions from the McAfee Advanced Threat Research team

Have We Seen This Before?
This campaign, while masquerading as legitimate industry job recruitment activity, gathers information to monitor for potential exploitation. Our analysis also indicates similar techniques associated with other job recruitment campaigns.

This research has uncovered a new implant framework using code from the 2015 backdoor Duuzer, which was last seen targeting South Korea and Japan in 2015. Apart from Rising Sun, we have seen no other variants since that time.

Global Impact
In October and November 2018, the Rising Sun implant has appeared in 87 organizations across the globe, predominantly in the United States, based on McAfee telemetry and our analysis. Based on other campaigns with similar behavior, most of the targeted organizations are English speaking or have an English-speaking regional office. This actor has used recruiting as a lure to collect information about targeted individuals of interest or organizations that manage data related to the industries of interest. The McAfee Advanced Threat Research team has observed that the majority of targets were defense and government-related organizations.

Campaign Analysis
This operation began October 25. A series of malicious documents carried the author’s name Richard. These documents contained Korean-language metadata, indicating they were created with a Korean version of Microsoft Word. All the malicious documents had English-language job description titles for positions at unknown companies, distributed by an IP address in the United States and through the Dropbox service. The documents contained a malicious macro that leveraged embedded shellcode to inject the Sharpshooter downloader into the memory of Word. Once the Word process was infected, the downloader retrieved the second-stage implant Rising Sun.

The shellcode of the downloader is 3.1KB in size and retrieved another implant hosted at hxxps://www.kingkoil.com.sg/query.php.

Figure 1. Targeted organizations by sector in October 2018. Colors indicate the most prominently affected sector in each country. Source: McAfee Global Threat Intelligence.

Figure 2. Infection flow of the Rising Sun implant, which eventually sends data to the attacker’s control servers.

Shellcode behavior
The shellcode executed by the Visual Basic for Applications macro in winword.exe acts as a simple downloader for the second-stage implant. The shellcode takes four steps to infect the endpoint with the second-stage payload:

1. It builds Library and API names by populating string arrays using hardcoded bytes. (String construction is done 1 byte at a time.) This technique is used for constructing all strings in the shellcode, including the control server information.

2. It resolves the Libraries and APIs using LoadLibraryA(), GetProcAddress(): mset ShellExecuteA

3. The implant downloads two files from its control server:
- Second-stage payload: The second-stage binary is downloaded from https://www[dot]kingkoil.com.sg/query.php to the startup folder on the endpoint: %Startup%\mssync.exe
  This step ensures persistence on the system for the second-stage implant as part of the download process, thereby removing the need for the second-stage implant to set up persistence for itself.
- Second OLE (Word) document: Another OLE document is downloaded from https://www[dot]kingkoil.com.sg/Strategic Planning Manager.doc to: %LOCALAPPDATA%\Strategic Planning Manager.doc
  This document is probably benign, used as a decoy to hide the malicious content.

4. Once both the second-stage implant and decoy document have been downloaded, the two payloads are executed:
- The second-stage implant is executed using the CreateProcessA() API.
- The decoy document is opened using the ShellExecuteA() with the “open” verb.

Figure 3. The second-stage implant downloaded from the control server.
Figure 4. The decoy document downloaded from the control server.
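One way to hunt for the drop-and-run sequence in steps 3 and 4, added here as an example and not taken from the McAfee report: flag an Office process that writes an executable into a Startup folder, and record whether that same process then launched the file. The event schema (`type`, `host`, `image`, `target`, `parent_image`), the host names and the user paths are constructed for illustration; events are assumed to arrive in time order.

```python
import ntpath

# Office applications that have no business writing executables into Startup.
OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe"}
EXECUTABLE_EXTS = {".exe", ".dll", ".scr", ".com"}
# Per-user and all-users Startup folders both contain this path segment.
STARTUP_SEGMENT = "\\start menu\\programs\\startup\\"


def image_name(path):
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path).lower()


def is_startup_executable(path):
    """True when the path is an executable placed inside a Startup folder."""
    lowered = path.lower()
    ext = ntpath.splitext(lowered)[1]
    return STARTUP_SEGMENT in lowered and ext in EXECUTABLE_EXTS


def find_office_startup_drops(events):
    """Correlate file-create and process-create events per host.

    Returns one finding per dropped file, with 'executed_by_dropper' set
    when the Office process that wrote the file also started it.
    """
    findings = {}
    for ev in events:
        if ev["type"] == "file_create":
            dropper = image_name(ev["image"])
            if dropper in OFFICE_IMAGES and is_startup_executable(ev["target"]):
                key = (ev["host"], ev["target"].lower())
                findings.setdefault(key, {
                    "host": ev["host"],
                    "dropper": dropper,
                    "path": ev["target"],
                    "executed_by_dropper": False,
                })
        elif ev["type"] == "process_create":
            hit = findings.get((ev["host"], ev["image"].lower()))
            if hit and image_name(ev["parent_image"]) == hit["dropper"]:
                hit["executed_by_dropper"] = True
    return list(findings.values())


# Constructed sample telemetry (hypothetical schema, not real log data).
STARTUP_DIR = r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
WORD = r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE"
DECOY = r"C:\Users\alice\AppData\Local\Strategic Planning Manager.doc"
SAMPLE_EVENTS = [
    # Word writes the second stage into Startup, then the decoy document.
    {"type": "file_create", "host": "ws-017", "image": WORD,
     "target": STARTUP_DIR + r"\mssync.exe"},
    {"type": "file_create", "host": "ws-017", "image": WORD, "target": DECOY},
    # Word launches the file it just dropped.
    {"type": "process_create", "host": "ws-017", "parent_image": WORD,
     "image": STARTUP_DIR + r"\mssync.exe"},
    # Benign noise: a shortcut from Explorer, an installer adding an updater.
    {"type": "file_create", "host": "ws-022", "image": r"C:\Windows\explorer.exe",
     "target": STARTUP_DIR + r"\notes.lnk"},
    {"type": "file_create", "host": "ws-031", "image": r"C:\Temp\setup.exe",
     "target": STARTUP_DIR + r"\updater.exe"},
]

if __name__ == "__main__":
    for finding in find_office_startup_drops(SAMPLE_EVENTS):
        print(finding)
```

The rule keys on behaviour (an Office parent, a Startup target, an executable extension) rather than on the file name mssync.exe, so a renamed second stage is still caught.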

The Advanced Threat Research team discovered another PDF document (10mins.PDF) by the same author. It appears to be a smart phone–related questionnaire. This document was hosted on the same server as the two job-related malicious documents. The questionnaire appears to come from a big data analytics company that specializes in antifraud protection and financial compliance.

Figure 5. Control server strings constructed in the shellcode.
Figure 6. 10Mins.PDF

Rising Sun behavior
The Rising Sun implant is a fully functional modular backdoor that performs reconnaissance on the victim’s network.

Imports
This implant starts by building its imports via dynamic API resolution: LoadLibrary()/GetProcAddress(). The library and API names are hardcoded as DWORD/WORD values in the implant and comprise a blob of bytes 0x147 bytes in size. This blob of data is decrypted using a simple single-byte XOR scheme with the key 0xC8.

The scheme used for building the Library and API names is a variant of the byte-chunk string-construction technique often used by Lazarus implants. The scheme typically involves:
- Hardcoded library and API names in the form of DWORD/WORD/byte chunks in the implant.
- Assigning variables with these hardcoded values during the execution of the implant.
- Constructing character arrays that consist of the library and API names to be resolved.
- Optionally, decoding these arrays using something as simple as a single-byte XOR decoding scheme.
- Using LoadLibrary()/GetProcAddress() to resolve the libraries and APIs using the constructed name arrays.

Figure 7. XOR-encoded library and API names in the implant.

Configuration data
The configuration data used by the implant is encrypted using an RC4 stream algorithm. The implant decrypts the configuration data at runtime and uses it to communicate with the control server. The addresses decrypted from the implant:
- http://34[dot]214.99.20/view_style.php
- http://137[dot]74.41.56/board.php
- https://www[dot]kingkoil.com.sg/board.php

Additional configuration
The implant decrypts additional information during the reconnaissance process:

VboxHook.dll tmp SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductName RUNAS; RUN; DLL; winsta0\default Kernel32.dll lnk SOFTWARE\Microsoft\Windows\CurrentVersion\Run C:\Program Files\Internet Explorer\iexplore exe ntuser LOG8

This configuration data is not completely used by the implant, but there is a high possibility of other variants of the implant using the complete configuration data. The configuration data may have been copied from another implant family without scrubbing unused strings from the data.

Figure 8. The RC4 stream encryption algorithm used to decode the implant’s configuration data.

Initial reconnaissance
The implant fetches the following data from the endpoint and exfiltrates it to the control server:
- Network adapter info
- Computer name
- User name
- IP address information
- Native system information
- OS product name from registry: SOFTWARE\MICROSOFT\Windows NT\CurrentVersion ProductName

Data encryption and exfiltration
The implant carries out data encryption and exfiltration using the following steps:
- Once the data has been gathered from the endpoint, the implant encrypts it using the RC4 stream encryption algorithm.
- After the data has been encrypted, the implant performs another layer of obfuscation of the data by Base64-encoding the RC4 encrypted data.

- The implant performs an HTTP POST request to the control server: https://www[dot]kingkoil.com.sg/board.php

As part of the request, the implant sends data in one of the following formats:
- boardID=<random number>&page=<request type>&wr_id=<encoded time stamp>&session_id=<RC4 + Base64 encoded data>
- bo_table=<random number>&page=<request type>&wr_id=<encoded time stamp>&session_id=<RC4 + Base64 encoded data>
- no=<random number>&page=<request type>&wr_id=<encoded time stamp>&session_id=<RC4 + Base64 encoded data>

The first variable in the HTTP data can be any of the following (randomly selected) values:

var1 enum {
  “code=”
  “no=”
  “bo_table=”
  “boardID=”
  “pageKey=”
  “structureid=”
}

The request type can be one of the following values:

request type {
  “free”        // indicates initial reconnaissance data
  “query”       // indicates a request to fetch the command ID from the control server
  “suggestion”  // indicates request to fetch additional data from the control server
  “result”      // indicates data obtained from a command’s execution
}
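The POST layout above can be matched structurally in proxy or web-gateway logs. The following check is an added example, not code from the McAfee report; it assumes the `=` separators and the underscores in `bo_table`, `wr_id` and `session_id` (the transcription drops punctuation), assumes the random number is decimal digits, and uses a hypothetical tab-separated log layout with constructed `*.example` hosts.

```python
import base64
import binascii

# First-field names and request types as listed in the report text.
VAR1_NAMES = {"code", "no", "bo_table", "boardID", "pageKey", "structureid"}
REQUEST_TYPES = {"free", "query", "suggestion", "result"}


def split_fields(body):
    """Split a form body on '&' and the first '=' of each part.

    No URL-decoding is applied, so '+' and '=' inside a Base64 value
    survive intact. Returns None if any part lacks an '='.
    """
    fields = []
    for part in body.split("&"):
        name, sep, value = part.partition("=")
        if not sep:
            return None
        fields.append((name, value))
    return fields


def match_beacon(body):
    """Return details when the body has the four-field beacon shape, else None."""
    fields = split_fields(body.strip())
    if fields is None or len(fields) != 4:
        return None
    (var1, rnd), (k2, req), (k3, stamp), (k4, blob) = fields
    if var1 not in VAR1_NAMES or not rnd.isdigit():   # digits: an assumption
        return None
    if k2 != "page" or req not in REQUEST_TYPES:
        return None
    if k3 != "wr_id" or not stamp:
        return None
    if k4 != "session_id" or not blob:
        return None
    try:
        raw = base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError):
        return None
    return {"var1": var1, "request_type": req, "payload_bytes": len(raw)}


def scan_proxy_log(lines):
    """Each line: host <TAB> url <TAB> POST body (hypothetical layout)."""
    hits = []
    for line in lines:
        host, url, body = line.rstrip("\n").split("\t", 2)
        verdict = match_beacon(body)
        if verdict:
            hits.append((host, url, verdict))
    return hits


# Constructed sample data: 48 arbitrary bytes stand in for the RC4 output.
PAYLOAD = base64.b64encode(bytes(range(48))).decode()
SAMPLE_LOG = [
    "ws-017\thttps://c2.example/board.php\t"
    "bo_table=48213&page=free&wr_id=MTU0MDQ2&session_id=" + PAYLOAD,
    "ws-017\thttps://c2.example/board.php\t"
    "pageKey=7731&page=query&wr_id=MTU0MDQ3&session_id=" + PAYLOAD,
    # Ordinary bulletin-board traffic that reuses the same parameter names.
    "ws-022\thttps://forum.example/bbs/board.php\tbo_table=notice&page=2&wr_id=17",
    # Right field names, but the last value is not Base64.
    "ws-031\thttps://shop.example/cart.php\t"
    "code=991&page=result&wr_id=5&session_id=not base64!",
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(hit)
```

Because the parameter names are borrowed from ordinary bulletin-board software, the name check alone is noisy; the combination of a numeric first value, a request type from the fixed set and a Base64 `session_id` is what separates the two constructed beacon lines from the forum request.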

Implant capabilities
The implant carries 14 backdoor capabilities. It receives a command code (along with supporting data for the command) from the control server to execute a specific function. Unless otherwise specified, the implant sends the output of an executed command to the control server as an HTTP POST request with optional data in the form:

<var1 enum>=<random number>&page=result&wr_id=<encoded time stamp>&session_id=<RC4 + Base64-encoded output of command>

Capability #1: Execute commands
Command code 0x6D0017005500F7.
Description
The implant executes a command specified by the control server. The command is executed using cmd.exe:

cmd.exe /c "<command> > <%temp%>\AM<random>.tmp" 2>&1

The contents of the temporary file consist of the output of the command executed. The temp file is read, and the contents are subsequently sent to the control server. The temp file is then deleted from the endpoint. This capability also supports changing the current working directory for the implant and natively supports specific cd commands, without having to execute them through the shell.

Supported cd commands:
- cd <directory path>
- cd.
- cd\

Figure 9. Command execution using the CreateProcess() function for cmd.exe.

Capability #2: Get drive information
Command code 0x0AD005F00A300C7.
Description
For every drive on the system, the implant gets the following information:
- Drive type
- Total number of bytes on disk
- Total number of free bytes on disk
- Name of a specified volume

Figure 10. Implant collecting drive information from the endpoint.

Capability #3: Launch process from Windows binary
Command code 0x8300DA00C50092.
Description
- Launch a process from a binary specified by the filepath provided by the control server.
- Send a buffer (size 0x400) containing repeating 0x55 to the control server if successful or 0xAA if failed.

Capability #4: Get processes information
Command code 0x62009A001C002B.
Description
Enumerate all processes currently running and record:
- Process name
- Process creation time
- Process exit time
- Process kernel mode time
- Process user mode time

Figure 11. Process related time stamps collected by the implant

Capability #5: Terminate process
Command Code 0x57001D00E20060.
Description
- Terminate a process specified by the control server. The process can be specified using either:
  - Process name
  - Process ID
- Send a buffer (size 0x400) containing repeating 0x55 to the control server if successful or 0xAA if failed.

Capability #6: Get file times
Command code 0x0A3001A006E00F8.
Description
- Find files based on a filename search string (for example, *.* or *.txt)
- For each file found, get the following times:
  - File creation time
  - Last access time (including read, write, or execute operations)

Capability #7: Read file
Command code 0x98009C0034002D.
Description
- Read the contents of a file specified by the control server and exfiltrate the contents of the file.

Figure 12. Reading a file’s contents.

Capability #8: Clear process memory
Command codes 0x1800D50094008F, 0x22001A00CA005E, 0x4D00D700AC0091, and 0x0C2009200D30028.
Description
- Clear a memory blob in the process by overwriting it with junk bytes.

Capability #9: Write file to disk
Command codes 0x8D001F00FB0061 and 0x0B700550029003C.
Description
- Get a file path from the control server and create a file corresponding to the file path.
- Get content to be written to the file from the control server by sending an HTTP POST request with HTTP data in the format:
  <var1 enum>=<random number>&page=suggestion&wr_id=<encoded time stamp>&name=jquery2017<encoded time stamp>09.css
- Send a buffer (size 0x400) containing repeating 0x55 to the control server if successful or 0xAA if failed.

Figure 13. Getting file contents from the control server to create a file.

Capability #10: Delete file
Command code 0x78005D008B00C6.
Description
- Delete a file specified by the control server if it is not a directory.
- Send a buffer (size 0x400) containing repeating 0x55 to the control server if successful or 0xAA if failed.

Capability #11: Get additional file information for files in a directory
Command code 0x0D0057005B00C4.
Description
- If the file path specified is a directory, then enumerate all files in the directory and send to the control server, including:
  - File size
  - File attributes
  - File creation time
- If the file path is not a directory (regular file), then the implant fetches a DWORD pointed to by offset 0x3C in the file.
- This parses MZ (executable) files, in particular where the location of IMAGE_NT_HEADERS is specified at offset 0x3C.
- The implant reads the compile date of the MZ files by reading the time stamp (DWORD) at IMAGE_NT_SIGNATURE + 0x08.
- The implant also records other data about MZ files:
  - File attributes
  - File size
  - File creation time
  - Last access time
  - File write time
  - MZ compile time

Figure 14. Implant reading the compilation timestamp of a specified MZ (Windows executable) file.

Capability #12: Connect to an IP address
Command code 0x0B700150099005C.
Description
- Tests a connection to a specified network IP address over a specified port number.
- The implant only attempts to connect to the network address.
- Based on the connection attempt, sends a buffer (size 0x400) containing repeating 0x55 to the control server if successful or 0xAA if failed.

Capability #13: Change file attributes
Command code 0x0EC001700B2005D.
Description
- Modifies the following file information based on the content specified by the control server:
  - File attributes (hidden, system, etc.)
  - If the file is an MZ, then the compile time stamp of the file is also modified in the PE header.
  - If the file is not an MZ, then the implant can move the file to a different location after modifying its attributes.

Figure 15. Implant modifying the attributes and file times for a file.

Capability #14: Variant of change file attributes (capability #13)
Command code 0x0E200D2007C008E.
Description
- Changes file attributes (hidden, system, etc.) and moves the file to a different location.

Attribution
Attributing an attack to any threat group is often riddled with challenges, including potential “false flag” operations by other threat actors. Technical evidence alone is not sufficient to attribute this activity with high confidence. However, based on our analysis, this operation shares multiple striking similarities with other Lazarus Group attacks; thus we present them for further analysis. Although these similarities point to Lazarus, we also must consider the possibility of false flags.
- The malicious Word documents were created in a Korean-language environment. (The code page is in Korean.)
- The implant uses a variant of the dynamic API resolution technique we have observed with multiple Lazarus implants.
- The operation is very similar to a Lazarus operation from 2017 that targeted the US defense and energy sectors. The techniques, tactics, and procedures match those in this previous operation.
- Rising Sun is an evolution of the Lazarus backdoor Duuzer, which was circulated in 2015 and targeted South Korea.

Comparing Rising Sun to Duuzer
The Advanced Threat Research team found that Rising Sun shares code with the Duuzer implant family, which was identified by the security community as belonging to Lazarus. We compared the following samples and detail their similarities and differences.

Samples used for comparison:
- Rising Sun: f3bd9e1c01f2145eb475a98c87f94a25
- Duuzer: 73471f41319468ab207b8d5b33b0b4be

Configuration data
Although the decryption schemes used by Rising Sun and Duuzer are different, both implants use similar configuration data to drive their reconnaissance capabilities:

Configuration data decoded by Duuzer:
VboxHook.dll tmp Name RUNAS; RUN; DLL; winsta0\default Kernel32.dll lnk 000 dat

Configuration data decoded by Rising Sun:
VboxHook.dll tmp Name RUNAS; RUN; DLL; winsta0\default Kernel32.dll lnk ogram Files\Internet Explorer\iexplore exe ntuser LOG8

Library/API resolution
Both implants use the same technique of constructing and decoding library and API names for dynamic API resolution. We explained this technique (a variant of byte-chunk library/API name construction) in a preceding section. Although the encoded data blob consisting of the library/API strings in Duuzer is 0x181 bytes in size and is decoded using 0x30 as the XOR key, the encoded data blob in Rising Sun is 0x147 bytes in size and is decoded using 0xC8 as the XOR key.

Figure 16. Duuzer string blob (at left) compared to a Rising Sun string blob.
Figure 17. Matching Duuzer (at left) and Rising Sun data blob decoding schemes.

Library names
Another similarity between the two implant families is that some of the decoded library names consist of randomized characters. For example, Duuzer capitalizes random characters of the following library name:
- uSEr32.dlL

Rising Sun does something similar in these library names:
- vErsIon.dll
- advapI32.dLL
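For analysts triaging a suspected sample, the single-byte XOR name blob described under "Imports" and compared here can be decoded without knowing the key in advance. The following is an added example, not code from the McAfee report: it recovers the key by looking for ".dll" in each candidate decoding, splits the NUL-separated names, and flags the randomised capitalisation noted above. The two blobs are constructed from names that appear in this report and are not bytes from the real implants; NUL separation is an assumption.

```python
def xor_bytes(data, key):
    """Apply a single-byte XOR key to every byte."""
    return bytes(b ^ key for b in data)


def recover_key(blob):
    """Try all 256 keys; keep the one whose output holds the most '.dll'
    substrings (case-insensitive). Returns None when no key yields any."""
    best_key, best_score = None, 0
    for key in range(256):
        score = xor_bytes(blob, key).lower().count(b".dll")
        if score > best_score:
            best_key, best_score = key, score
    return best_key


def extract_names(blob, key):
    """Decode the blob and return its NUL-separated strings in order."""
    decoded = xor_bytes(blob, key)
    return [part.decode("ascii", "replace")
            for part in decoded.split(b"\x00") if part]


def has_random_case(library):
    """True for names such as 'vErsIon.dll' or 'advapI32.dLL'.

    Flags a lower-to-upper transition inside the stem or a mixed-case
    extension; 'Kernel32.dll' and 'KERNEL32.DLL' are not flagged.
    """
    stem, _, ext = library.rpartition(".")
    ext_mixed = ext != ext.lower() and ext != ext.upper()
    transition = any(a.islower() and b.isupper()
                     for a, b in zip(stem, stem[1:]))
    return ext_mixed or transition


def analyze_blob(blob):
    """Recover the key, then separate library names from API names."""
    key = recover_key(blob)
    if key is None:
        return None
    names = extract_names(blob, key)
    libraries = [n for n in names if n.lower().endswith(".dll")]
    return {
        "key": key,
        "libraries": libraries,
        "apis": [n for n in names if n not in libraries],
        "random_case": [n for n in libraries if has_random_case(n)],
    }


def build_blob(names, key):
    """Helper that constructs test input: NUL-terminated names, XOR-encoded."""
    plain = b"".join(n.encode("ascii") + b"\x00" for n in names)
    return xor_bytes(plain, key)


# Constructed samples using the keys and name spellings quoted in the report.
RISING_SUN_STYLE_BLOB = build_blob(
    ["vErsIon.dll", "advapI32.dLL", "LoadLibraryA",
     "GetProcAddress", "CreateProcessA"], 0xC8)
DUUZER_STYLE_BLOB = build_blob(
    ["uSEr32.dlL", "LoadLibraryA", "GetProcAddress"], 0x30)

if __name__ == "__main__":
    for label, blob in (("Rising Sun style", RISING_SUN_STYLE_BLOB),
                        ("Duuzer style", DUUZER_STYLE_BLOB)):
        print(label, analyze_blob(blob))
```

The randomised capitalisation is a usable hunting feature in its own right: library names passed to LoadLibrary with mid-word capitals rarely occur in legitimately compiled software.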

Similarities between Rising Sun and Duuzer
The implant families are a direct match in several capabilities as well as in the code structure and API use to implement these capabilities. The following capabilities are a direct match:

Initial reconnaissance (gather preliminary system info)
Both implants capture the same information from the endpoint during their initial reconnaissance. The order of information and the API/code signatures are an exact match.

Information captured by both implants:
- Network adapter info
- Computer name
- User name
- IP address information
- Native system information
- OS product name from registry: SOFTWARE\MICROSOFT\Windows NT\CurrentVersion ProductName

Figure 18. Similarities in Duuzer (at left) and Rising Sun in their preliminary reconnaissance code.

Capability #1: Execute commands
Both implants can execute commands using cmd.exe with the output redirected to a temp file on the endpoint:

cmd.exe /c "<command> > <%temp%>\<TempFile Prefix><random>.tmp" 2>&1

Both implants support changing directories natively, without having to execute cd commands through the shell. Supported cd commands:
- cd <directory path>
- cd.
- cd\

Figure 19. Duuzer (at left) and Rising Sun show similar code signatures for executing commands.
Figure 20. Similar “cd” command checks in Duuzer (at left) and Rising Sun.

Capability #2: Get drive information
Both implants gather the same data using similar code signatures:
- Drive type
- Total number of bytes on disk
- Total number of free bytes on disk
- Name of a specified volume

Figure 21. Similar code signature and drive information gathered by Duuzer (at left) and Rising Sun.

Capability #3: Launch a process from Windows binary
Both implants use the same API and flags to launch new processes on the endpoint.

Capability #4: Get processes information
Both implants exfiltrate the exact same process information:
- Process name
- Process creation time
- Process exit time
- Process kernel mode time
- Process user mode time

Figure 22. Duuzer’s (at left) and Rising Sun’s process time information gathering code signatures.

Capability #5: Terminate process
Both implants support the capability to terminate a process running on the system based on either the:
- Process Name
- Process ID

Capability #6: Get file times
Both implants implement the same capabilities:
- Find files based on a filename search string (for example, *.* or *.txt)
- For each file found, get the following times:
  - File creation time
  - Last access time (including read, write, or execute operations)

Figure 23. Similarities in Duuzer’s (at left) and Rising Sun’s code for gathering file times.

Capability #7: Read a file
Both implants can read the contents of a file specified by the control server and exfiltrate the contents of the file.

Capability #8: Clear process memory
There are no significant similarities between the two implants.

Capability #9: Write a file to disk
Both implants can write content served by the control server to a file on disk (with file path also specified by the control server) using the same sequence of actions:
- Get a file path from the control server and create a file corresponding to the file path.
- Fetch content to be written to the file from the control server using the implant-specific communication mechanism.
- Once the content has been written to the file path, send either a success or a failure response to the control server.

Capability #10: Delete file
Both implants can delete a file specified by the control server if it is not a directory.

Figure 24. Similarities in Duuzer’s (at left) and Rising Sun’s code for deleting a file.

Capability #11: Get additional file information for files in a directory
Both implants have the same capability to get file information for files in a specified directory, including the following data:
- File attributes
- File size
- File creation time
- Last access time
- File write time
- MZ compile time

Figure 25. Similar code between Duuzer (at left) and Rising Sun for reading the MZ’s compile time stamp.

Capability #12: Connect to an IP address
Both implants test connections to a specified IP address using the same actions, APIs, and code signatures:
- Test a connection to a specified network IP address over a specified port number.
- Only attempt to connect to the network address.
- Based on the connection attempt, send either a success or a failure response to the control server.

Capability #13: Change file attributes
Both implants can modify the same file attributes:
- File attributes (hidden, system, etc.)
- If the file is an MZ, then the compile time stamp of the file is also modified in the PE header.

Figure 26. Similar code used by both Duuzer (at left) and Rising Sun to modify file attributes and times.

Capability #14: Variant of change file attributes
Both implants can change file attributes and move the file to a different location.

Differences between Rising Sun and Duuzer
There are some notable differences in implementation between the two families.
- Communication mechanism: Duuzer uses a simple socket-based communication mechanism to send and receive data from its control server. Rising Sun uses an HTTP-based mechanism. This difference may be an enhancement by the attackers because masking the control server communication is more effective against detection by the human eye and network intrusion prevention systems. High-level differences in the communication mechanisms:
  - Communication schemes (native socket vs. HTTP).
  - Command codes used to indicate a specific capability
  - Return codes/data indicating success or failure of a command’s execution
- Encoding schemes: Apart from the library and API name construction and decoding, the encryption schemes used in the implant are quite different. While Duuzer uses a custom XOR scheme to decode its configuration data, Rising Sun uses the RC4 stream algorithm.

Conclusion
Our discovery of a new, high-function implant is another example of how targeted attacks attempt to gain intelligence. The malware moves in several steps. The initial attack vector is a document that contains a weaponized macro to download the next stage, which runs in memory and gathers intelligence. The victim’s data is sent to a control server for monitoring by the actors, who then determine the next steps.

We have not previously observed this implant. Based on our telemetry, we discovered that multiple victims from different industry sectors around the world have reported these indicators. Operation Sharpshooter’s similarities to Lazarus Group malware are striking, but that does not ensure attribution. Was this attack just a first-stage reconnaissance operation, or will there be more? We will continue to monitor this campaign and will report further when we or others in the security industry receive more information. The McAfee Advanced Threat Research team encourages our peers to share their insights and attribution of who is responsible for Operation Sharpshooter.

Indicators of Compromise

MITRE ATT&CK techniques
- Account discovery
- File and directory discovery
- Process discovery
- System network configuration discovery
- System information discovery
- System network connections discovery
- System time discovery
- Automated exfiltration
- Data encrypted
- Exfiltration over command and control channel
- Commonly used port
- Process injection

Control servers
- 34.214.99.20/view_style.php
- 137.74.41.56/board.php
- kingkoil.com.sg/board.php

Document URLs
- hxxp://208.117.44.112/document/Strategic Business m/s/2shp23ogs113hnd/Customer Service Representative.doc?dl 1

Hashes
- 8106a30bd35526bded384627d8eebce15da35d17
- 66776c50bcc79bbcecdbe99960e6ee39c8a31181
- 668b0df94c6d12ae86711ce24ce79dbe0ee2d463
- 9b0f22e129c73ce4c21be4122182f6dcbc351c95
- 31e79093d452426247a56ca0eff860b0ecc86009

McAfee detection
- RDN/Generic Downloader.x
- Rising-Sun
- Rising-Sun-DOC

About McAfee
McAfee is the device-to-cloud cybersecurity company. Inspired by the power of working together, McAfee creates business and consumer solutions that make our world a safer place. By building solutions that work with other companies’ products, McAfee helps businesses orchestrate cyber environments that are truly integrated, where protection, detection, and correction of threats happen simultaneously and collaboratively. By protecting consumers across all their devices, McAfee secures their digital lifestyle at home and away. By working with other security players, McAfee is leading the effort to unite against cybercriminals for the benefit of all.

About McAfee Labs and Advanced Threat Research
McAfee Labs, led by McAfee Advanced Threat Research, is one of the world’s leading sources for threat research, threat intelligence, and cybersecurity thought leadership. With data from millions of sensors across key threats vectors—file, web, message, and network—McAfee Labs and McAfee Advanced Threat Research deliver real-time threat intelligence, critical analysis, and expert thinking to improve protection and reduce e.com.

2821 Mission College Blvd.
Santa Clara, CA 95054
888.847.8766
www.mcafee.com

McAfee and the McAfee logo are trademarks or registered trademarks of McAfee, LLC or its subsidiaries in the US and other countries. Other marks and brands may be claimed as the property of others. MITRE ATT&CK and ATT&CK are trademarks of The MITRE Corporation. Copyright 2018 McAfee, LLC. 4197 1218
DECEMBER 2018
