We are currently monitoring a group of servers in preparation for enabling Application Control on these systems. On one particular server, it is modifying and solidifying 3 DLL files using the SYSTEM process. If we were to enable Solidcore at this point, it would block this operation from happening. How do you safely allow operations like this without making SYSTEM an updater? An example of the message we see is below.
Server         File                             Operation      User    Process  Workflow ID
GENERICSERVER  C:\GenericFolder\Something.dll   File Modified  UserID  SYSTEM   UPDATE_MODE_2
If a file is solidified or write-protected and the process is not an Updater, modifications to the file will be blocked. But here the process writing to the file is 'system', which is not recommended as an Updater.
You can configure the DLLs to remain unsolidified (to allow modification) and add the same as authorized by name (to allow execution).
To prevent the file from solidification:
sadmin skiplist add -a <dll>
While that command appears to only be available in App. Control 6.0, it did lead me to this article. I've implemented the workaround using the registry modification listed on the link below. We will see if this solves the issue.
sadmin skiplist add -d \GenericFolder\Something.dll
sadmin skiplist add -d \GenericFolder\Something2.dll
This has worked for my write denied exclusions.
You can also push this out via ePO as a Solidcore task.