Application Control and Prelink detections on Linux Systems

All,

Our Linux systems are firing thousands of times a day for #PRELINK items.

We can't find a way to suppress these, even though it's legitimate behavior.

Has anyone else run into this and were you able to fix it?

3 Replies
Re: Application Control and Prelink detections on Linux Systems

When you say firing thousands of times a day, can you clarify what event it's being reported as? Is it that prelink is creating a bunch of new binaries that cannot be executed, or is it trying to write to (update) existing binaries, which is being prevented? Have you considered adding the prelink binary as a trusted Updater so any changes it makes are dynamically reflected in the Solidcore inventory (whitelist)?

^Disclaimer: my Linux System Administration is limited so please undertake your own review of any advice provided for appropriateness based on your individual circumstances

HTH,

Mick

Re: Application Control and Prelink detections on Linux Systems

We are seeing Object Names of this variety: usr/bin/ausyscall.#prelink#.XYZ123, with the last part random.

We also see aulast, auvirt, aureport, migratepages, libnumo, etc.

Prelink also seems to be the updater.

Re: Application Control and Prelink detections on Linux Systems

I'm going to assume the Error Name is WRITE_DENIED; if so, have you considered adding the `/usr/bin/prelink` binary as an Updater? Are you managing Application Control via an ePO, or are your installations locally managed? Either way it's relatively simple to add an Updater. I would be inclined to disable inheritance so that any sub-process executed by prelink doesn't assume the Updater privilege. Also, it depends on your organisation's policy around maintaining accountability of changes on a system, but if the goal is to minimise the amount of events generated and your IT policy permits, then you could also suppress events so changes made by the prelink binary (while permitted) are not logged.

HTH,

Mick
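Before trusting prelink as an Updater or suppressing its events, it is worth confirming that the flood really is prelink rewriting its own temporary files (the `name.#prelink#.RANDOM` pattern the original poster describes) and nothing else is hiding in the noise. The following triage script is an added example, not code from the thread or from McAfee; the event records are constructed, and the field names (`error_name`, `object_name`, `program`) are an assumption, since an ePO or `sadmin` event export uses its own column names. It separates events where `/usr/bin/prelink` writes a prelink temp file from every other event, so the latter can still be reviewed after the Updater rule is in place.

```python
import re
from collections import Counter

# Constructed sample events (not taken from the thread). The field names are an
# assumption; map them onto whatever columns your ePO/sadmin export actually uses.
SAMPLE_EVENTS = [
    {"error_name": "WRITE_DENIED", "object_name": "/usr/bin/ausyscall.#prelink#.XYZ123", "program": "/usr/bin/prelink"},
    {"error_name": "WRITE_DENIED", "object_name": "/usr/bin/aulast.#prelink#.aB9kQ2", "program": "/usr/bin/prelink"},
    {"error_name": "WRITE_DENIED", "object_name": "/usr/bin/ausyscall.#prelink#.Qq77zz", "program": "/usr/bin/prelink"},
    {"error_name": "WRITE_DENIED", "object_name": "/usr/bin/migratepages.#prelink#.M3m3M3", "program": "/usr/bin/prelink"},
    # Same naming pattern, but a different program wrote it: do not treat as prelink noise.
    {"error_name": "WRITE_DENIED", "object_name": "/usr/bin/aureport.#prelink#.x1", "program": "/usr/bin/cp"},
    # Unrelated denial that a blanket suppression of WRITE_DENIED would hide.
    {"error_name": "EXECUTION_DENIED", "object_name": "/tmp/unknown-binary", "program": "/bin/bash"},
]

# prelink writes its output to "<original>.#prelink#.<random>" and then renames it.
PRELINK_TEMP = re.compile(r"^(?P<orig>.+)\.#prelink#\.[A-Za-z0-9]+$")
PRELINK_BIN = "/usr/bin/prelink"  # the binary the reply suggests adding as an Updater


def prelink_target(object_name):
    """Return the binary prelink was rewriting, or None if the name is not a prelink temp file."""
    m = PRELINK_TEMP.match(object_name)
    return m.group("orig") if m else None


def triage(events):
    """Split events into prelink noise (prelink writing its own temp file) and everything else.

    Returns (noise, other): noise counts events per original binary, other is the list
    of events that an Updater rule for prelink would not (and should not) cover.
    """
    noise = Counter()
    other = []
    for ev in events:
        target = prelink_target(ev["object_name"])
        if target is not None and ev["program"] == PRELINK_BIN:
            noise[target] += 1
        else:
            other.append(ev)
    return noise, other


def summary(events):
    """Human-readable summary for deciding whether an Updater rule is justified."""
    noise, other = triage(events)
    lines = [f"prelink temp-file writes: {sum(noise.values())} across {len(noise)} binaries"]
    for binary, n in noise.most_common():
        lines.append(f"  {binary}: {n}")
    lines.append(f"events needing review: {len(other)}")
    for ev in other:
        lines.append(f"  {ev['error_name']} {ev['object_name']} by {ev['program']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(summary(SAMPLE_EVENTS))
```

Run it against a real export by loading the rows into the same list shape. If `other` stays empty after filtering, the events are purely prelink's own rewrites and the Updater rule (with inheritance disabled, as the reply recommends) addresses the whole volume; any leftovers are what you still want logged.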
