
Allowing DLL modification

We are currently monitoring a group of servers in preparation for enabling Application Control on these systems. On one particular server, it is modifying and solidifying 3 DLL files using the SYSTEM process. If we were to enable Solidcore at this point, it would block this operation from happening. How do you safely allow operations like this without making SYSTEM an updater? An example of the message we see is below.

Server         File                            Operation      User    Process  Workflow ID
GENERICSERVER  C:\GenericFolder\Something.dll  File Modified  UserID  SYSTEM   UPDATE_MODE_2

4 Replies
gjoshi
Level 9
Message 2 of 5

Re: Allowing DLL modification

Hello,

If a file is solidified or write-protected and the process is not an Updater, modifications to the file will be blocked. But here the process writing to the file is 'system', which is not recommended as an Updater.

You can configure the DLLs to remain unsolidified (to allow modification) and add the same as authorized by name (to allow execution).

To prevent the file from solidification:

sadmin skiplist add -a <dll>

Re: Allowing DLL modification

Gaurav,

While that command appears to only be available in App. Control 6.0, it did lead me to this article. I've implemented the workaround using the registry modification listed on the link below. We will see if this solves the issue.

https://kc.mcafee.com/corporate/index?page=content&id=KB75125&pmv=print

Re: Allowing DLL modification

Could you give more details on the names of the DLLs, the application to which they belong and what workflow is causing the DLL to be modified (application update, etc)?

JoeyMc
Level 10
Message 5 of 5

Re: Allowing DLL modification

Sadmin skiplist add -d \GenericFolder\Something.dll

Sadmin skiplist add -d \GenericFolder\Something2.dll

Etc

This has worked for my write denied exclusions.

You can also push this out via ePO as a Solidcore task.
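
One way to turn the observation events from the question into a reviewable, per-file list of the skiplist commands shown in message 5, so that only the exact DLLs written by SYSTEM are excluded. This is an added example, not part of the original thread or McAfee's tooling; the event rows are constructed in the column layout from the question, and the whitespace-separated export format and the function names are assumptions.

```python
import re

# Constructed sample rows in the column layout shown in the question
# (Server, File, Operation, User, Process, Workflow ID); not real events.
SAMPLE_EVENTS = r"""
GENERICSERVER  C:\GenericFolder\Something.dll   File Modified  UserID  SYSTEM       UPDATE_MODE_2
GENERICSERVER  C:\GenericFolder\Something.dll   File Modified  UserID  SYSTEM       UPDATE_MODE_2
GENERICSERVER  C:\GenericFolder\Something2.dll  File Modified  UserID  SYSTEM       UPDATE_MODE_2
GENERICSERVER  C:\GenericFolder\Notes.txt       File Modified  UserID  SYSTEM       UPDATE_MODE_2
GENERICSERVER  C:\Other Folder\Tool.dll         File Modified  UserID  updater.exe  UPDATE_MODE_2
OTHERSERVER    C:\GenericFolder\Something.dll   File Created   UserID  SYSTEM       UPDATE_MODE_2
"""

FIELDS = ("server", "file", "operation", "user", "process", "workflow")

def parse_events(text):
    """Split rows on runs of 2+ spaces so 'File Modified' and spaced paths survive."""
    events = []
    for line in text.splitlines():
        cols = re.split(r"\s{2,}", line.strip())
        if len(cols) == len(FIELDS):  # skips blank or malformed rows
            events.append(dict(zip(FIELDS, cols)))
    return events

def skiplist_candidates(events, process="SYSTEM"):
    """Per server: DLLs modified by `process`, de-duplicated, in first-seen order."""
    out = {}
    for e in events:
        if (e["operation"] == "File Modified"
                and e["process"].upper() == process.upper()
                and e["file"].lower().endswith(".dll")):
            paths = out.setdefault(e["server"], [])
            if e["file"] not in paths:
                paths.append(e["file"])
    return out

def render_commands(paths):
    """Commands in the form posted in message 5 (drive letter dropped)."""
    return ["sadmin skiplist add -d " + re.sub(r"^[A-Za-z]:", "", p) for p in paths]

if __name__ == "__main__":
    for server, paths in skiplist_candidates(parse_events(SAMPLE_EVENTS)).items():
        print(server)
        for cmd in render_commands(paths):
            print("  " + cmd)
```

The output is meant for review before anything is pushed: each line names a single file, so the exclusion stays as narrow as the events that justified it.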
