cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
eltonito
Level 8
Report Inappropriate Content
Message 1 of 8
‎02-08-2011 02:03 PM

Advice on policy config for .msi files?

Jump to solution

Aloha,

I'm generally comfortable with updaters, binaries, installers, etc but I've run into a snag whitelisting an msi that we need to execute in the field.  Since the msi itself isn't truly an executable, it shouldn't be able to function as an updater.

Examing the event logs,  I see that explorer.exe calls msiexec.exe when the msi in question is double-clicked.  Granting updater status to explorer.exe is an obviously bad idea and I'm not too fond of giving msiexec.exe such status either, so I'm trying to determine the best strategy.  I've toyed with parent and library settings, but none seem to achieve the granularity I'd prefer in regards to the specific msi. 

Does anyone have any suggestions/feedback on Application Control policies and msi's?

Thanks,

T.

0 Kudos
Reply
1 Solution

Accepted Solutions
aacordoba
Level 9
Report Inappropriate Content
Message 2 of 8
‎02-10-2011 09:35 AM

Re: Advice on policy config for .msi files?

Jump to solution

Hi,

Try running the following command

sadmin features enable pkg-ctrl

you need to reboot the system, after that you will be able to run msi from an autorized share folder

View solution in original post

0 Kudos
Reply
7 Replies
aacordoba
Level 9
Report Inappropriate Content
Message 2 of 8
‎02-10-2011 09:35 AM

Re: Advice on policy config for .msi files?

Jump to solution

Hi,

Try running the following command

sadmin features enable pkg-ctrl

you need to reboot the system, after that you will be able to run msi from an autorized share folder

View solution in original post

0 Kudos
Reply
aponjos613
Level 8
Report Inappropriate Content
Message 3 of 8
‎10-30-2020 02:46 PM

Re: Advice on policy config for .msi files?

Jump to solution

So in the Application Control Options in ePO 5.10 with SC extension v. 8.32.103 what does the Package Control  and Bypass Package Control. Is this the same as the command.

sadmin features enable pkg-ctrl

0 Kudos
Reply
ktankink
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 4 of 8
‎10-30-2020 03:15 PM

Re: Advice on policy config for .msi files?

Jump to solution

Hi @aponjos613 Yes, the "sadmin features enable pkg-ctrl" command is the MACC Package Control feature.  Please reference the Product Guide for further details about how this feature work.  There are 3 separate options to the Package Control feature.  Package Control is the main feature, with options to "Allow Uninstallation" and "Bypass Package Control" subfeatures.  You can see the status of all three, if you run "sadmin features list" in an Admin cmd prompt.  

NOTE: Use the "Bypass Package Control" if you're wanting to just allow any .msi installer to install/uninstall on systems; rather than 'disabling' the Package Control feature.

https://docs.mcafee.com/bundle/application-change-control-8.3.x-product-guide-windows/page/GUID-347B...

0 Kudos
Reply
CIPHENT.com
Level 11
Report Inappropriate Content
Message 5 of 8
‎02-20-2011 10:29 PM

Advice on policy config for .msi files?

Jump to solution

How about adding the msi as an installer...?

0 Kudos
Reply
eltonito
Level 8
Report Inappropriate Content
Message 6 of 8
‎02-22-2011 08:51 AM

Advice on policy config for .msi files?

Jump to solution

@Ciphent - I experimented with the msi as an installer/updater, but utlimately an msi functions as a document, not an executable.

@aacordoba - Good info, I will look into that.  Is there a way to translate that into a policy or would I have to run that as a command line task through ePO?

0 Kudos
Reply
aacordoba
Level 9
Report Inappropriate Content
Message 7 of 8
‎02-22-2011 08:54 AM

Advice on policy config for .msi files?

Jump to solution

So far now I just run a command in ePO.

But what I can´t know if what system already have this feature enable, If you are able to find some query regarding this please let me know.

Regards.

0 Kudos
Reply
eltonito
Level 8
Report Inappropriate Content
Message 8 of 8
‎02-22-2011 12:05 PM

Advice on policy config for .msi files?

Jump to solution

Hmm...

I can setup a Solidcore Command Line task to enable or list features, but the results are only viewable in ePO on a per system basis in a similar manner to an 'xray' command line task.  Reviewing the data I can query, I don't believe there is a way to create a query of the status of Solidcore features via ePO 4.5.

I enabled the package control feature and it appears to have given me a lot more flexibility with the MSI's, but the required reboot is a deal killer in the short term.

Thanks again for the info!

-T.

0 Kudos
Reply
You Deserve an Award
Don't forget, when your helpful posts earn a kudos or get accepted as a solution you can unlock perks and badges. Those aren't the only badges, either. How many can you collect? Click here to learn more.

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from McAfee experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by McAfee employees.
Join the Community
Join the Community


Corporate Headquarters
6220 America Center Drive
San Jose, CA 95002 USA

Consumer Support   |   Enterprise Support   |   McAfee.com

Legal   |   Privacy   |   Copyright © 2020 McAfee, LLC