cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Highlighted

Delete a Solidified folder and its contents

I am facing a scenario where I need to delete a whitelisted folder and its contents (contains vbs and bat files) at the end of a component installation.

The process which is trying to delete this folder is "SYSTEM" process and for security reasons I cannot configure this process as an updater.

I can't use an user or a file as an updater.

I tried using exclude write-protection (sadmin wp -e C:\sample) for this folder and tried to delete, but this is failing.

Is there any other method using which I can delete a whitelisted folders and files ?

Message was edited by: sagarmc004 on 1/15/14 11:59:53 PM CST
5 Replies
Highlighted
Reliable Contributor
Reliable Contributor
Report Inappropriate Content
Message 2 of 6

Re: Delete a Solidified folder and its contents

six years later. i have this exact issue (different contents). what's the best way to proceed?
Highlighted
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 3 of 6

Re: Delete a Solidified folder and its contents

Hi @mlajoie  If you unsolidify the directory/files, then any process can delete them (e.g., they are no longer protected from WRITES, but now no longer can be executed, since they are not whitelisted (if you have any rules that allow execution (e.g., Trusted Directory, filename/hash rules, Certificate, etc. then they could still be executed).

Run: "sadmin unso <dir>"

Example: "sadmin unso c:\temp\"

 

This would unsolidify any files in the C:\temp\ directory, so you can delete them properly.  If you don't unsolidify the files, then you'd need an Updater to do so, and you wouldn't want to add the SYSTEM process, or cmd.exe/explorer.exe, as an Updater.

Highlighted
Reliable Contributor
Reliable Contributor
Report Inappropriate Content
Message 4 of 6

Re: Delete a Solidified folder and its contents

Interesting. OK. Basically, I'm trying to delete an executable from my desktop and it is being denied. Why would that be? How would a user manage their files if they can't delete what they want? I don't think unsolidifing a directory is sustainable? Is there a better way to manage it in the environment?

Highlighted
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 5 of 6

Re: Delete a Solidified folder and its contents

Depends the issue is the files on the user desktop are files that are solidified.

 

See the "Sadmin scripts list" command:

These files are what we protect. If something needs to delete or update them once solidified you can make that an updater. 

Or you can create a Skiplist -d rule for the user desktop. or make their admin a trusted user. There are several options. If you would like to discuss by phone you call support and we will be glad to walk you through configuration.

McAfee Support

Benjamin Ellis

Was my reply helpful?

If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and together we can help other members?

Highlighted
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 6 of 6

Re: Delete a Solidified folder and its contents

If the file on the desktop is solidified (whitelisted), then the MACC product will prevent WRITE (delete) actions against the file.  Only an Updater is allowed to write to solidified files, but as before, you don't want explorer.exe or cmd.exe (the process typically doing the delete) to be an updater.

Options:

  • Unsolidify the files (manually or via SC:RunCommand client task from ePO server) using 'sadmin unso' command.
  • Use a 'skiplist -s' rule (App Ctrl Rules policy -> Exclusions -> Advanced Options -> "Exclude local path and all its contained files and sub-directories from the whitelist") which prevents whitelisting/solidification of files/directories (again, if files aren't whitelisted, they aren't allowed to execute unless you have another rule that gives execute permissions).
  • Use a "skiplist -d rule" ("Exclude path from write-protection rules") which removes FILE WRITE protection from a file or directory; the file stays solidified (if it already is so) and executable, but now ANY process can write to it.
You Deserve an Award
Don't forget, when your helpful posts earn a kudos or get accepted as a solution you can unlock perks and badges. Those aren't the only badges, either. How many can you collect? Click here to learn more.

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from McAfee experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by McAfee employees.
Join the Community
Join the Community