cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Highlighted
Reliable Contributor
Reliable Contributor
Report Inappropriate Content
Message 1 of 4

Allow File Modification

Have this event.  What is the best way to allow that file to be modified, through policy, for multiple servers?  SVCHOST.EXE is a generic launcher so I can't make it an updater.  Please advise.

 

 

Monitoring Events: Information

Description
McAfee Application Control prevented an attempt to modify this file because this file is whitelisted. To make changes to whitelisted files, define a policy with the relevant rules.
Event Display Name
File Write Denied
Event File Name
C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm
Event Generated Time
7/28/20 12:34:08 PM EDT
Event ID
20719
Event Name
WRITE_DENIED
Event Sequence Number
9,805
Generated by an Updater
No
Generated in an Update Window
No
Performed By
NT AUTHORITY\SYSTEM
Process ID
928
Process MD5
8a0a29438052faed8a2532da50455756
Process Name
C:\Windows\System32\svchost.exe
Process SHA-1
a1385ce20ad79f55df235effd9780c31442aa234
Process SHA-256
7fd065bac18c5278777ae44908101cdfed72d26fa741367f0ad4d02020787ab6
Reconciliation Status
Not yet Reconciled
Reconciliation Ticket
Not Applicable
Severity
3
System Name
****************
User Comments

User Name
NT AUTHORITY\SYSTEM

3 Replies
Highlighted
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 2 of 4

Re: Allow File Modification

Hello , 

 

You can use "Write Protection Skiplist -d"

Skiplist –d is used to deny write Passthrough attribute. This skiplist removes write protection from a file allowing it to be changed by any source.

 

Use Case

This skiplist should be used when attempting to modify a file with a generic updater. Instead of allowing a genric process to update a file you can remove write protection from a file. This will allow the file to remain solidified but can create hash mismatches. Netframework and directories where libraries are frequently upgraded and require execution.

Applying this feature to an endpoint

This skiplist can be applied by a policy within ePO or a sadmin run command. To apply it as a policy, go to the specified rule group, click filters, and select exclude path from write protect rules. Must specify a path for file.

Sadmin skiplist add -d path/file

McAfee Support

Rajesh Yadav

Was my reply helpful?

If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and together we can help other members?

Highlighted
Reliable Contributor
Reliable Contributor
Report Inappropriate Content
Message 3 of 4

Re: Allow File Modification

the policy is asking for a relative path. i'm not sure I understand, completely, how to write that.

How do I write a relative path for this:
C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

how would I write the relative path if it was on a different drive:
D:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm
Highlighted
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 4 of 4

Re: Allow File Modification

Hello ,

This can be used as below :

Sadmin skiplist add -d C:\ProgramData\Microsoft\Network\Downloader\

With the above command , it will allow you to modify all the files within Downloader folder . If you need to modify a single file , it shoule be as below: 

Sadmin skiplist add -d C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

 

Like wise a different policy needs to be created for different drive .

Additional information : Kindly refer the https://docs.mcafee.com/bundle/application-control-8.2.0-product-guide-windows/page/GUID-3A8AE466-27... to understand the use of wildcards 

 

McAfee Support

Rajesh Yadav

Was my reply helpful?

If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and together we can help other members?

You Deserve an Award
Don't forget, when your helpful posts earn a kudos or get accepted as a solution you can unlock perks and badges. Those aren't the only badges, either. How many can you collect? Click here to learn more.

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from McAfee experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by McAfee employees.
Join the Community
Join the Community