Regis
Level 12

App Control, Win7 in ESX/vsphere - anyone using? Success? Or abject pain?

I'm currently evaluating Application Control/SolidCore 6.1.0 for a client and running into an issue that neither the SE nor the assigned 2nd tier support person seems to have seen before. 3rd tier seemed rather stumped too, but we at least narrowed it down to a confluence of pkg-ctrl and MP-nx features conspiring to create the misery.

The issue: attempting to run cmd.exe results in either

  • NX protection preventing it from running...  (C:\Windows\System32\cmd.exe NX_VIOLATION_DETECTED "McAfee Application Control prevented an attempt to hijack the process by executing code from writable memory area. To permit execution of the process, define a policy with the relevant rules." )
  • or, in the best case (in observation mode, or if cmd.exe is added to an exception list (sadmin attr add -ncmd.exe with the CLI unlocked)), cmd.exe then simply crashes.

Unfortunately, I'm seeing this on 2 out of 2 Win7 VMs I've deployed the product to.

I have so far pushed the agent to one other Windows 7 box, a physical hardware box... and it is in observation mode and running as you'd expect.

There are 2 XP boxes as part of the test group that are also not giving any surprises.

After about 2 hours of work with tier 3 we isolated down a workaround... disabling pkg-ctrl feature and adding cmd.exe as an exception to the MP-nx rules would allow cmd.exe to both not get blocked by solidcore's NX protection, but also not crash. 

I'm not looking for a fix so much as at least some confidence there are some vSphere environments out there with Win7 desktops deployed into them running this with any level of success. Right now my assumption is suddenly a horrified "maybe not?"

Thanks in advance for any insights or experience.

on 6/4/13 3:04:47 PM CDT
0 Kudos
3 Replies
gjoshi
Level 9

Re: App Control, Win7 in ESX/vsphere - anyone using? Success? Or abject pain?

Hello,

I was over the remote with you today where we identified the workarounds.

The real issue seems to be with pkg-ctrl where cmd.exe is crashing but not due to MP-NX violations. To tell you, McAfee is coming with an all new pkg-ctrl feature in the next release. I would highly suggest you try the beta version and see if the cmd.exe crash issue goes away.

In parallel, we will keep working on the issue through the collected data.

Regards,

Gaurav

gjoshi
Level 9

Re: App Control, Win7 in ESX/vsphere - anyone using? Success? Or abject pain?

Also to answer your doubt about vSphere environments, Application Control is extensively tested on in-house VM images over vSphere. We have not observed any issue locally or from the field where something is not working as expected due to the vSphere environment.

Regis
Level 12

Re: App Control, Win7 in ESX/vsphere - anyone using? Success? Or abject pain?

This issue continues in a support request. Why the VMs of this particular client are unique we haven't discovered yet, but we hope to find out soon!

0 Kudos