Certification Report

EAL 3+ Evaluation of McAfee Application Control v5.0, Change Control v5.0, and Integrity Monitor v5.0 with McAfee Agent v4.5 and ePolicy Orchestrator v4.5

Issued by:
Communications Security Establishment Canada
Certification Body
Canadian Common Criteria Evaluation and Certification Scheme

© Government of Canada, Communications Security Establishment Canada, 2011

Evaluation number: 383-4-153-CR
Version: 1.0
Date: 14 January 2011
Pagination: i to iii, 1 to 11

CCS Certification Report McAfee, Incorporated McAfee AC, CC, & IM with Agent & ePO
Version 1.0 14 January 2011 - Page i of iii -

DISCLAIMER

The Information Technology (IT) product identified in this certification report, and its associated certificate, has been evaluated at an approved evaluation facility – established under the Canadian Common Criteria Evaluation and Certification Scheme (CCS) – using the Common Methodology for Information Technology Security Evaluation, Version 3.1 Revision 3, for conformance to the Common Criteria for Information Technology Security Evaluation, Version 3.1 Revision 3. This certification report, and its associated certificate, apply only to the identified version and release of the product in its evaluated configuration. The evaluation has been conducted in accordance with the provisions of the CCS, and the conclusions of the evaluation facility in the evaluation report are consistent with the evidence adduced. This report, and its associated certificate, are not an endorsement of the IT product by the Communications Security Establishment Canada, or any other organization that recognizes or gives effect to this report, and its associated certificate, and no warranty for the IT product by the Communications Security Establishment Canada, or any other organization that recognizes or gives effect to this report, and its associated certificate, is either expressed or implied.

FOREWORD

The Canadian Common Criteria Evaluation and Certification Scheme (CCS) provides a third-party evaluation service for determining the trustworthiness of Information Technology (IT) security products. Evaluations are performed by a commercial Common Criteria Evaluation Facility (CCEF) under the oversight of the CCS Certification Body, which is managed by the Communications Security Establishment Canada.

A CCEF is a commercial facility that has been approved by the CCS Certification Body to perform Common Criteria evaluations; a significant requirement for such approval is accreditation to the requirements of ISO/IEC 17025:2005, General requirements for the Competence of Testing and Calibration Laboratories. Accreditation is performed under the Program for the Accreditation of Laboratories - Canada (PALCAN), administered by the Standards Council of Canada.

The CCEF that carried out this evaluation is EWA-Canada located in Ottawa, Ontario.

By awarding a Common Criteria certificate, the CCS Certification Body asserts that the product complies with the security requirements specified in the associated security target. A security target is a requirements specification document that defines the scope of the evaluation activities. The consumer of certified IT products should review the security target, in addition to this certification report, in order to gain an understanding of any assumptions made during the evaluation, the IT product's intended environment, its security requirements, and the level of confidence (i.e., the evaluation assurance level) that the product satisfies the security requirements.

This certification report is associated with the certificate of product evaluation dated 14 January 2011, and the security target identified in Section 4 of this report.

The certification report, certificate of product evaluation and security target are posted on the CCS Certified Products list (CPL) and the Common Criteria Portal (the official website of the Common Criteria Project).

This certification report makes reference to the following registered trademark:

• Windows is a registered trademark of Microsoft Corporation in the United States and other countries.

Reproduction of this report is authorized provided the report is reproduced in its entirety.

TABLE OF CONTENTS

Disclaimer
Foreword
Executive Summary
1 Identification of Target of Evaluation
2 TOE Description
3 Evaluated Security Functionality
4 Security Target
5 Common Criteria Conformance
6 Security Policy
7 Assumptions and Clarification of Scope
    7.1 Secure Usage Assumptions
    7.2 Environmental Assumptions
    7.3 Clarification of Scope
8 Evaluated Configuration
9 Documentation
10 Evaluation Analysis Activities
11 ITS Product Testing
    11.1 Assessment of Developer Tests
    11.2 Independent Functional Testing
    11.3 Independent Penetration Testing
    11.4 Conduct of Testing
    11.5 Testing Results
12 Results of the Evaluation
13 Evaluator Comments, Observations and Recommendations
14 Acronyms, Abbreviations and Initializations
15 References

Executive Summary

McAfee Application Control v5.0, Change Control v5.0, and Integrity Monitor v5.0 with McAfee Agent v4.5 and ePolicy Orchestrator v4.5 (hereafter referred to as McAfee AC, CC & IM with Agent & ePO), from McAfee, Incorporated, is the Target of Evaluation (TOE) for this Evaluation Assurance Level (EAL) 3 augmented evaluation.

McAfee AC, CC, & IM with Agent & ePO provides application control, change control, and integrity monitoring of servers, desktops, network devices, and databases. It does this by collecting information about the program code, files, directories, and volumes that are to be protected. Each time a program attempts to execute, or a process or user attempts to modify a protected resource, the TOE analyzes the attempted action and determines whether the action should be permitted.

EWA-Canada is the CCEF that conducted the evaluation. This evaluation was completed on 16 December 2010 and was carried out in accordance with the rules of the Canadian Common Criteria Evaluation and Certification Scheme (CCS).

The scope of the evaluation is defined by the security target, which identifies assumptions made during the evaluation, the intended environment for the McAfee AC, CC, & IM with Agent & ePO, the security requirements, and the level of confidence (evaluation assurance level) at which the product is intended to satisfy the security requirements. Consumers are advised to verify that their operating environment is consistent with that specified in the security target, and to give due consideration to the comments, observations and recommendations in this certification report.

The results documented in the Evaluation Technical Report (ETR)[i] for this product provide sufficient evidence that it meets the EAL 3 augmented assurance requirements for the evaluated security functionality. The evaluation was conducted using the Common Methodology for Information Technology Security Evaluation, Version 3.1 Revision 3, for conformance to the Common Criteria for Information Technology Security Evaluation, version 3.1 Revision 3. The following augmentation is claimed: ALC_FLR.2 - Flaw Reporting Procedures.

Communications Security Establishment Canada, as the CCS Certification Body, declares that the McAfee AC, CC, & IM with Agent & ePO evaluation meets all the conditions of the Arrangement on the Recognition of Common Criteria Certificates and that the product will be listed on the CCS Certified Products list (CPL) and the Common Criteria portal (the official website of the Common Criteria Project).

1 Identification of Target of Evaluation

The Target of Evaluation (TOE) for this Evaluation Assurance Level (EAL) 3 augmented evaluation is McAfee Application Control v5.0, Change Control v5.0, and Integrity Monitor v5.0 with McAfee Agent v4.5 and ePolicy Orchestrator v4.5 (hereafter referred to as McAfee AC, CC, & IM with Agent & ePO), from McAfee, Incorporated.

2 TOE Description

McAfee AC, CC, & IM with Agent & ePO provides application control, change control, and integrity monitoring of servers, desktops, network devices, and databases. It does this by collecting information about the program code, files, directories, and volumes that are to be protected. Each time a program attempts to execute, or a process or user attempts to modify a protected resource, the TOE analyzes the attempted action and determines whether the action should be permitted.

3 Evaluated Security Functionality

The complete list of evaluated security functionality for McAfee AC, CC, & IM with Agent & ePO is identified in Section 1.5.2 of the Security Target (ST).

The following cryptographic module is included in the TOE and was evaluated to the FIPS 140-2 standard:

Cryptographic Module                     Certificate #
RSA BSAFE Crypto-C Micro Edition v2.0    608

The following Government of Canada approved cryptographic algorithms were evaluated for correct implementation in McAfee AC, CC, & IM with Agent & ePO:

Cryptographic Algorithm                          Standard      Certificate #
Digital Signature Verification (DSA)             FIPS 186-2    143
Triple-DES (3DES)                                FIPS 46-3     378
Advanced Encryption Standard (AES)               FIPS 197      303
Rivest Shamir Adleman (RSA)                      FIPS 186-2    96
Secure Hash Algorithm (SHA-1)                    FIPS 180-2    380
Keyed-Hash Message Authentication Code (HMAC)    FIPS 198      113

4 Security Target

The ST associated with this Certification Report is identified by the following nomenclature:

Title: McAfee Application Control v5.0, Change Control v5.0, and Integrity Monitor v5.0 with McAfee Agent v4.5 and ePolicy Orchestrator v4.5 Security Target
Version: 0.6
Date: 14 December 2010

5 Common Criteria Conformance

The evaluation was conducted using the Common Methodology for Information Technology Security Evaluation, Version 3.1 Revision 3, for conformance to the Common Criteria for Information Technology Security Evaluation, Version 3.1 Revision 3.

The McAfee AC, CC, & IM with Agent & ePO is:

a. Common Criteria Part 2 extended, with security functional requirements based upon functional components in Part 2, except for the following explicitly stated requirements defined in the ST:
   EXT_MAC_SDC.1 - Application and Change Control Data Collection;
   EXT_MAC_ANL.1 - Application and Change Control Analysis; and
   EXT_MAC_RCT.1 - Application and Change Control React.
b. Common Criteria Part 3 conformant, with security assurance requirements based only upon assurance components in Part 3; and
c. Common Criteria EAL 3 augmented, with all the security assurance requirements in the EAL 3, as well as the following: ALC_FLR.2 - Flaw Reporting Procedures.

6 Security Policy

McAfee AC, CC, & IM with Agent & ePO implements policies pertaining to Security Audit, Cryptographic Support, Identification and Authentication, Security Management, Protection of the TOE Security Functions, and McAfee Application and Change Control. Further details on these security policies may be found in Section 6 (Security Requirements) of the ST.

7 Assumptions and Clarification of Scope

Consumers of the McAfee AC, CC, & IM with Agent & ePO product should consider assumptions about usage and environmental settings as requirements for the product’s installation and its operating environment. This will ensure the proper and secure operation of the TOE.

7.1 Secure Usage Assumptions

The following Secure Usage Assumptions are listed in the ST:

• There will be one or more competent individuals assigned to manage the TOE and the security of the information it contains;
• The authorized administrators are not careless, willfully negligent, or hostile, and will follow and abide by the instructions provided by the TOE documentation; and
• The TOE will be managed in a manner that allows it to appropriately address changes in the IT System the TOE monitors.

7.2 Environmental Assumptions

The following Environmental Assumptions are listed in the ST:

• The TOE has access to all the IT System data it needs to perform its functions;
• The IT Environment will provide reliable timestamps for the use of the TOE;
• The processing resources of the TOE will be located within controlled access facilities, which will prevent unauthorized physical access; and
• The TOE hardware and software critical to security policy enforcement will be protected from unauthorized physical modification.

7.3 Clarification of Scope

The McAfee AC, CC, & IM with Agent & ePO is suitable for use in well-protected environments; it is not intended for environments in which attackers use sophisticated attacks.

8 Evaluated Configuration

The evaluated configuration for McAfee AC, CC, & IM with Agent & ePO comprises:

• McAfee Application Control v5.0, Change Control v5.0, Integrity Monitor v5.0, and McAfee Agent v4.5 running on Windows 2000, Windows XP, Windows Vista, Windows NT Server, Windows Server 2000, Windows Server 2003, or Windows Server 2008; and
• ePolicy Orchestrator v4.5 running with Microsoft SQL Server 2005 on Windows Server 2003 or Windows Server 2008.

9 Documentation

The McAfee documents provided to the consumer are as follows:

McAfee ePolicy Orchestrator 4.5 Product Guide;
McAfee ePolicy Orchestrator 4.5 Evaluation Guide;
McAfee ePolicy Orchestrator 4.5 Installation Guide;
McAfee ePolicy Orchestrator 4.5 Reporting Guide;
McAfee ePolicy Orchestrator 4.5 Log Files Reference Guide;
Release Notes for McAfee ePolicy Orchestrator 4.5;
McAfee Application Control Quick Start Guide for use with ePO 4.0 and 4.5;
McAfee Change Control Quick Start Guide for use with ePO 4.0 and 4.5;
McAfee Integrity Monitor Quick Start Guide for use with ePO 4.0 and 4.5;
McAfee Solidcore Extension Product Guide for use with ePO 4.0 and 4.5;
McAfee Solidcore Extension Installation Guide 5.0.0 for use with ePO 4.0 and 4.5;
Release Notes for McAfee Solidcore Extension 5.0.0;
Solidcore S3 Control Solidifier User’s Guide;
Solidcore S3 Control Solidifier for Windows Runtime Control User’s Guide;
Solidcore S3 Control Solidifier for Windows Installation Guide; and
Solidcore S3 Control Solidifier for Windows 5.0 Release Notes.

10 Evaluation Analysis Activities

The evaluation analysis activities involved a structured evaluation of the McAfee AC, CC, & IM with Agent & ePO, including the following areas:

Development: The evaluators analyzed the McAfee AC, CC, & IM with Agent & ePO functional specification and design documentation; they determined that the design completely and accurately describes the TOE security functionality (TSF) interfaces, the TSF subsystems and how the TSF implements the security functional requirements (SFRs). The evaluators analyzed the McAfee AC, CC, & IM with Agent & ePO security architectural description and determined that the initialization process was secure and that the security functions are protected against tamper and bypass. The evaluators also independently verified that the correspondence mappings between the design documents were correct.

Guidance Documents: The evaluators examined the McAfee AC, CC, & IM with Agent & ePO preparative user guidance and operational user guidance and determined that it sufficiently and unambiguously described how to securely transform the TOE into its evaluated configuration and how to use and administer the product. The evaluators examined and tested the preparative and operational guidance, and determined that they were complete and sufficiently detailed to result in a secure configuration.

Life-Cycle Support: An analysis of the McAfee AC, CC, & IM with Agent & ePO configuration management system and associated documentation was performed. The evaluators found that the McAfee AC, CC, & IM with Agent & ePO configuration items were clearly marked and that the access control measures as described in the configuration management documentation are effective in preventing unauthorized access to the configuration items. The developer’s configuration management system was also observed during the site visit, and it was found to be mature and well developed.

During the site visit the evaluator examined the development security procedures and determined that they detailed sufficient security measures for the development environment to protect the confidentiality and integrity of the McAfee AC, CC, & IM with Agent & ePO design and implementation. The evaluator confirmed that the developer used a documented model of the TOE life-cycle and that the life-cycle model provides for the necessary control over the development and maintenance of the TOE.

The evaluator examined the delivery documentation and determined that it described all of the procedures required to maintain the integrity of McAfee AC, CC, & IM with Agent & ePO during distribution to the consumer.

The evaluator reviewed the flaw remediation procedures used by McAfee, Incorporated for McAfee AC, CC, & IM with Agent & ePO. During a site visit, the evaluator examined the evidence generated by adherence to the procedures. The evaluator concluded that the procedures are adequate to track and correct security flaws, and distribute the flaw information and corrections to consumers of the product.

Vulnerability Assessment: The evaluators conducted an independent vulnerability analysis of McAfee AC, CC, & IM with Agent & ePO. Additionally, the evaluators conducted a review of public domain vulnerability databases, and a search of all evaluation deliverables. The evaluators identified potential vulnerabilities for testing applicable to the McAfee AC, CC, & IM with Agent & ePO in its operational environment.

All these evaluation activities resulted in PASS verdicts.

11 ITS Product Testing

Testing at EAL 3 consists of the following three steps: assessing developer tests, performing independent functional tests, and performing penetration tests.

11.1 Assessment of Developer Tests

The evaluators verified that the developer has met their testing responsibilities by examining their test evidence, and reviewing their test results, as documented in the ETR.

The evaluators analyzed the developer’s test coverage and depth analysis and found them to be complete and accurate. The correspondence between the tests identified in the developer’s test documentation and the functional specification and TOE design was complete.

11.2 Independent Functional Testing

During this evaluation, the evaluator developed independent functional tests by examining design and guidance documentation, examining the developer's test documentation, executing a sample of the developer's test cases, and creating test cases that augmented the developer tests.

All testing was planned and documented to a sufficient level of detail to allow repeatability of the testing procedures and results. Resulting from this test coverage approach is the following list of EWA-Canada test goals:

• Initialization: The objective of this test goal is to confirm that the TOE can be installed and configured into the evaluated configuration following the guidance provided with the product;
• Repeat of Developer's Tests: The objective of this test goal is to repeat a subset of the developer's tests on the evaluator’s TOE installation;
• Endpoint setup: The objective of this test goal is to use the ePO Orchestrator to create groups, add workstations to these groups, and push the agent installation out to the workstations;
• Application control alert: The objective of this test goal is to verify policy enforcement on endpoints and ePolicy alert handling of policy circumventing;
• Application code modification alert: The objective of this test goal is to verify policy enforcement on endpoints for executable file protection and ePolicy alert handling of policy circumventing;
• Dashboard event reporting: The objective of this test goal is to verify events are registered and sent to the Dashboard;
• Application run control: The objective of this test goal is to use the ePO Orchestrator to create and enforce an application run control policy;
• Change control test: The objective of this test goal is to use the ePO Orchestrator to create change control rules that disallow editing key files;
• Integrity monitor: The objective of this test goal is to use the ePO Orchestrator to add integrity monitoring and reporting on the C:\temp folder of the agent workstation;
• Show agent log: The objective of this test goal is to enable audit logging from the client endpoint to be visible at the ePO management console; and
• Secure communications: The objective of this test goal is to determine that communications are encrypted.

11.3 Independent Penetration Testing

Subsequent to the independent review of public domain vulnerability databases and all evaluation deliverables, limited independent evaluator penetration testing was conducted. The penetration tests focused on:

• Misuse: The objectives of these tests were to determine that the TOE continues to operate when a communications failure occurs and that duplicate user names could not be created.

The independent penetration testing did not uncover any exploitable vulnerabilities in the intended operating environment.

11.4 Conduct of Testing

McAfee AC, CC & IM + Agent and ePO was subjected to a comprehensive suite of formally documented, independent functional and penetration tests. The testing took place at the McAfee development site and at the Information Technology Security Evaluation and Testing (ITSET) Facility at EWA-Canada. The detailed testing activities, including configurations, procedures, test cases, expected results and observed results are documented in a separate Test Procedures and Test Results document.

11.5 Testing Results

The developer’s tests and the independent functional tests yielded the expected results, giving assurance that the McAfee AC, CC, & IM with Agent & ePO behaves as specified in its ST, functional specification, TOE design, and security architecture description.

12 Results of the Evaluation

This evaluation has provided the basis for an EAL 3+ level of assurance. The overall verdict for the evaluation is PASS. These results are supported by evidence in the ETR.

13 Evaluator Comments, Observations and Recommendations

The complete documentation for the McAfee AC, CC, & IM with Agent & ePO includes comprehensive Evaluation, Installation, and Users Guides with searchable context-sensitive Help available to the user from the user console.

McAfee AC, CC, & IM with Agent & ePO is straightforward to configure, use and integrate into a corporate network.

14 Acronyms, Abbreviations and Initializations

Acronym/Abbreviation/Initialization    Description
AC        Application Control
CC        Change Control
CCEF      Common Criteria Evaluation Facility
CCS       Canadian Common Criteria Evaluation and Certification Scheme
CPL       Certified Products list
EAL       Evaluation Assurance Level
ePO       ePolicy Orchestrator
ETR       Evaluation Technical Report
IM        Integrity Monitor
IT        Information Technology
ITSET     Information Technology Security Evaluation and Testing
PALCAN    Program for the Accreditation of Laboratories Canada
ST        Security Target
SQL       Structured Query Language
TOE       Target of Evaluation
TSF       TOE Security Functionality

15 References

This section lists all documentation used as source material for this report:

a. CCS Publication #4, Technical Oversight, Version 1.8, October 2010.
b. Common Criteria for Information Technology Security Evaluation, Version 3.1 Revision 3, July 2009.
c. Common Methodology for Information Technology Security Evaluation, CEM, Version 3.1 Revision 3, July 2009.
d. McAfee Application Control v5.0, Change Control v5.0, and Integrity Monitor v5.0 with McAfee Agent v4.5 and ePolicy Orchestrator v4.5 Security Target, Revision No. 0.6, 14 December 2010.
e. Evaluation Technical Report (ETR) McAfee Application Control v5.0, Change Control v5.0, and Integrity Monitor v5.0 with McAfee Agent v4.5 and ePolicy Orchestrator v4.5, EAL 3+ Evaluation, Common Criteria Evaluation Number: 383-4-153, Document No. 1657-000-D002, Version 1.3, 16 December 2010.

[i] The ETR is a CCS document that contains information proprietary to the developer and/or the evaluator, and is not releasable for public review.