Dwillert
Level 7
Message 1 of 4

Allow File Modification - Secedit.sdb

We've enabled McAfee Application Control on several machines for testing and we've been going through the events adding things to the Allowlist. However, we're having issues with one file in particular.

 

The description we receive is: McAfee Application Control prevented an attempt to modify this file because this file is whitelisted. To make changes to whitelisted files, define a policy with the relevant rules

File Write Denied

Event File Name: C:\Windows\Security\Database\secedit.sdb

Process Name: C:\Windows\System32\services.exe

 

I tried to create the exclusion in the Solidcore Rules a couple of different ways:

skiplist -d \Windows\Security\Database\

skiplist -d C:\Windows\Security\Database\secedit.sdb

attr -p Process Name: secedit.sdb Parent process: services.exe

However, this event still occurs on various machines. How do I set up a rule to allow this file write and stop these events?

3 Replies
Sivakumar1
McAfee Employee
Message 2 of 4

Re: Allow File Modification - Secedit.sdb

Hello @Dwillert. Thank you for reaching out to the McAfee Enterprise Support Community. I did check the post. You are correct.

You can use "Write Protection Skiplist -d"

Skiplist -d is used to deny the write pass-through attribute. This skiplist removes write protection from a file, allowing it to be changed by any source.

Use case:

This skiplist should be used when attempting to modify a file with a generic updater. Instead of allowing a generic process to update a file, you can remove write protection from the file. This will allow the file to remain solidified but can create hash mismatches. Examples include the .NET Framework and directories where libraries are frequently upgraded and require execution.

Applying this feature to an endpoint

This skiplist can be applied by a policy within ePO or by a sadmin run command. To apply it as a policy, go to the specified rule group, click Filters, and select "Exclude path from write protect rules". You must specify a path for the file.

Sadmin skiplist add -d path/file

For example,

This can be used as below:

Sadmin skiplist add -d C:\ProgramData\Microsoft\Network\Downloader\

With the above command, it will allow you to modify all the files within the Downloader folder. If you need to modify a single file, it should be as below:

Sadmin skiplist add -d C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

Likewise, a different policy needs to be created for each different drive.

Additional information: kindly refer to the https://docs.mcafee.com/bundle/application-control-8.2.0-product-guide-windows/page/GUID-3A8AE466-27... to understand the use of wildcards.

Please do try this on one machine and monitor it, then apply it to all machines from ePO.

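The reply above describes building one "sadmin skiplist add -d" entry per file (rather than per folder) and a separate policy per drive. The following is an added helper, not code from the thread or from McAfee/Trellix: it parses the "File Write Denied" event text in the format Dwillert quoted (a constructed sample is embedded; real ePO exports may differ) and emits per-file skiplist commands grouped by drive letter, setting aside paths that lack a drive letter so they can be reviewed before being added.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the event text quoted in the thread; not real ePO output.
SAMPLE_EVENTS = r"""File Write Denied
Event File Name: C:\Windows\Security\Database\secedit.sdb
Process Name: C:\Windows\System32\services.exe
File Write Denied
Event File Name: C:\Windows\Security\Database\secedit.sdb
Process Name: C:\Windows\System32\services.exe
File Write Denied
Event File Name: D:\Apps\Updater\cache.dat
Process Name: D:\Apps\Updater\updater.exe
File Write Denied
Event File Name: \Windows\Temp\nodrive.log
Process Name: C:\Windows\System32\svchost.exe
"""

DRIVE_RE = re.compile(r"^[A-Za-z]:\\")


def parse_write_denied(text):
    """Return (file path, writing process) pairs from 'File Write Denied' event text.
    Blank lines between fields (as in the ePO event detail) are ignored."""
    events, current = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if line == "File Write Denied":
            current = {}
        elif line.startswith("Event File Name:"):
            current["path"] = line.split(":", 1)[1].strip()
        elif line.startswith("Process Name:") and "path" in current:
            events.append((current["path"], line.split(":", 1)[1].strip()))
            current = {}
    return events


def skiplist_commands(events):
    """One 'sadmin skiplist add -d <file>' per distinct denied file, grouped by drive
    letter (each drive needs its own policy). Per-file rather than per-folder entries
    keep the write-protection exclusion narrow; drive-less paths are set aside."""
    by_drive, seen = defaultdict(list), set()
    for path, _proc in events:
        if path.lower() in seen:
            continue
        seen.add(path.lower())
        drive = path[:2].upper() if DRIVE_RE.match(path) else "NO DRIVE"
        by_drive[drive].append(f"sadmin skiplist add -d {path}")
    return dict(by_drive)
```

Review the "NO DRIVE" group by hand: every example in the reply uses a full path with a drive letter, and Dwillert's first attempt omitted one.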

rfranci
McAfee Employee
Message 3 of 4

Re: Allow File Modification - Secedit.sdb

Hi @Dwillert,

Thank you for reaching us on the community!

I would recommend checking the event ID generated and comparing it with the article below:
https://docs.trellix.com/bundle/application-control-8.2.0-product-guide-windows/page/GUID-70A19635-9...

If the event ID is 20719, this is a Change Control event. So, I would first try adding an exclusion in the Change Control rules policy.

The skip list rule that you created "skiplist -d C:\Windows\Security\Database\secedit.sdb" must work. If the rule is added from policy, make sure the machine was in 'lock down' mode before enforcing the policy.

To add standalone rules, you can refer to the document below for syntax:
https://docs.trellix.com/bundle/application-control-8.0.0-product-guide-unmanaged/page/GUID-25138B14...

If this event is just creating alerts and is not causing any block or issue with other applications, you can add filters to avoid this event being flagged:

https://docs.trellix.com/bundle/application-control-8.0.0-product-guide-unmanaged/page/GUID-016CB277...

I hope this helps!

-Rohit Francis 

Dwillert
Level 7
Message 4 of 4

Re: Allow File Modification - Secedit.sdb

Thank you for your response. 

The event ID is 20719, but we don't have Change Control as a licensed feature added to this ePO, Application Control is the only licensed feature. I'm unable to make changes in Change Control. 

Is there a specific amount of time that it takes between adding something to a rule group and the policy takes effect? Hours after I created that exception in the Rule Group already (attached to the policy) and have forced Agent Wake Up with Force Complete Policy and Task Update checked, I still see similar events. 

I understand the skip list rule "must work." But I have this exclusion and others configured identically and it still doesn't work on some of them.
