glange
Level 8
Message 1 of 5

File write denied for edb.chk files

I have noted a number of "File write denied" events for the following path: C:\ProgramData\Microsoft\Network\Downloader\edb.chk. IAW KB article https://kc.mcafee.com/agent/index?page=content&id=KB90849, a workaround for this would be to exclude the path. That particular KB is for edb.log files, but I believe the principle is the same. The process name is C:\Windows\System32\dllhost.exe, thus a policy or rule cannot be created. Would excluding this path be the best option?
4 Replies
ktankink
McAfee Employee
Message 2 of 5

Re: File write denied for edb.chk files


Hi @glange. Yes, if the edb.chk file is not an executable file (which it probably is not), then applying the 'skiplist -d' exclusion (to remove write protection from the file) will prevent the FILE WRITE DENIED events.

glange
Level 8
Message 3 of 5

Re: File write denied for edb.chk files


Thank you. According to what I found, the edb.chk file is described as found here:

https://docs.microsoft.com/en-us/archive/blogs/servergeeks/active-directory-files-and-their-function...

Edb.chk

"Edb.chk is a checkpoint file. It is used by the transaction logging system to mark the point at which updates are transferred from the log files to Ntds.dit. As transactions are committed, the checkpoint moves forward in the Edb.chk file. If the system terminates abnormally, the pointer tells the system how far along a given set of commits had progressed before the termination."

Would placing this in the 'Exclusions' tab in the Rule group be better, or would the Filters ► Observations & Events be better? I just want to be sure I understand the skiplist -d exclusion.

ktankink
McAfee Employee
Message 4 of 5

Re: File write denied for edb.chk files


An exclusion would be better for this file (rather than a Filter rule). Negate the activity vs negating the event.

Either an "Exclude local path and all its contained files and sub-directories from the whitelist" (skiplist -s) or an "Exclude path from write-protection rules" (skiplist -d) rule would work in this situation.

  • The "skiplist -s" rule would prevent the file from being solidified (removing solidification unwhitelists the file and removes write protection; solidified=no, writeable=yes).
  • The "skiplist -d" rule would remove write protection from the file only. It keeps the file solidified and execution-allowed (which doesn't apply to this file anyways), but allows any process to modify it (not just updaters).

I would suggest applying the KB90849 solution (which is the "skiplist -s" rule; not the "skiplist -d" as I originally mentioned). Another thing to mention is that the "skiplist -s" rule requires the full path.

  • skiplist -s rule:  C:\ProgramData\Microsoft\Network\Downloader\edb.chk
  • skiplist -d rule:  \ProgramData\Microsoft\Network\Downloader\edb.chk
glange
Level 8
Message 5 of 5

Re: File write denied for edb.chk files


Thank you, I believe that did it.

I also see 'Execution Denied' files, such as this:

C:\Windows\WinSxS\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.17763.973_none_369d387561b4654f\GdiPlus.dll

The 'Create Rule' works here but for SHA-1 and 256 values only (created when I click Create policy). These can easily change. Would an Installers rule work better here for C:\Windows\WinSxS\amd64_microsoft.windows.gdiplus (I deprecated the rest of the file)?

evt_AUTO_GdiPlus.dll Allow File SHA-1 01c822f98d62f631499c24d00c2a0400dfbf8091
evt_AUTO_GdiPlus.dll_sha-256 Allow File SHA-256 b4827886fb5ad9b3e1520058cca85f1d553672c0f38504b1600b0e0646bbe80d
