shall13
Level 7

Allowing DLL modification

We are currently monitoring a group of servers in preparation for enabling Application Control on these systems. On one particular server, it is modifying and solidifying 3 DLL files using the SYSTEM process. If we were to enable Solidcore at this point, it would block this operation from happening. How do you safely allow operations like this without making SYSTEM an updater? An example of the message we see is below.

Server         File                            Operation      User    Process  Workflow ID
GENERICSERVER  C:\GenericFolder\Something.dll  File Modified  UserID  SYSTEM   UPDATE_MODE_2

0 Kudos
4 Replies
gjoshi
Level 9

Re: Allowing DLL modification

Hello,

If a file is solidified or write-protected and the process is not an Updater, modifications to the file will be blocked. But here the process writing to the file is 'system', which is not recommended as an Updater.

You can configure the DLLs to remain unsolidified (to allow modification) and add the same as authorized by name (to allow execution).

To prevent the file from solidification:

sadmin skiplist add -a <dll>

0 Kudos
shall13
Level 7

Re: Allowing DLL modification

Gaurav,

While that command appears to only be available in App. Control 6.0, it did lead me to this article. I've implemented the workaround using the registry modification listed on the link below. We will see if this solves the issue.

https://kc.mcafee.com/corporate/index?page=content&id=KB75125&pmv=print

0 Kudos
deepak_yadav
Level 9

Re: Allowing DLL modification

Could you give more details on the names of the DLLs, the application to which they belong and what workflow is causing the DLL to be modified (application update, etc)?

0 Kudos
JoeyMc
Level 10

Re: Allowing DLL modification

Sadmin skiplist add -d \GenericFolder\Something.dll

Sadmin skiplist add -d \GenericFolder\Something2.dll

Etc

This has worked for my write denied exclusions.

You can also push this out via ePO as a Solidcore task.

0 Kudos