cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Help with "File Write Denied" events

Hello I hope all is well.

Recently I am seeing a few random blocks and was wondering if you guys could guide me on what is the best way to add them to the skiplist. These are good and legit files we need for daily operations:

Example 1:

Event Description:
McAfee Application Control prevented an attempt to modify this file because this file is whitelisted. To make changes to whitelisted files, define a policy with the relevant rules.

Event Display Name:
File Write Denied

Event File Name:
C:\Windows\ADDMRemQuery_x86_64_v2.exe

Process Name:
System


Example 2:
 
Event Description:
McAfee Application Control prevented an attempt to modify this file because this file is whitelisted. To make changes to whitelisted files, define a policy with the relevant rules.

Event Display Name:
File Write Denied

Event File Name:
C:\Users\thegoodguy\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe

Process Name:
C:\Windows\System32\cmd.exe
 
 
Questions:

1) Is the right approach here to go to:
Rule group > Exclusions > Advanced options > Exclude path from write-protection rules?
 
2) How would the path look like? 
 
\ADDMRemQuery_x86_64_v2.exe  or \Windows\ADDMRemQuery_x86_64_v2.exe
 
\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe or \OneDriveSetup.exe
 
It is not very clear to me how the file or path should be added there.

Any help or tips are greatly appreciated.

Thanks! 

Thanks and have a great day!
8 Replies
Dayananda
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 2 of 9

Re: Help with "File Write Denied" events

Hello

Thank you for reaching out to the Mcafee community.

If I'm not wrong you have an open ticket with Mcafee support with the same query, right.

Have you tried to "skiplist -d <filename>" like below
skiplist -d C:\Windows\ADDMRemQuery_x86_64_v2.exe

was it helpful?

Regards,
Daya

Re: Help with "File Write Denied" events

I haven't yet, I am just a little confused how would the policy would look like.

Should I include the full path with the driver letter as well or just:

\Windows\ADDMRemQuery_x86_64_v2.exe 

or \ADDMRemQuery_x86_64_v2.exe 

 

Skip path components from write protection to remove write protection applied to all files in that path. Also, write denied event is not observed for such paths.

User mode paths and paths with volume name do not work with this command. Text added with this command is treated as complete component. For example, text can start with a forward slash (/) and end with a backward slash (\), dot (.), or null character.

 
 

 

 

Dayananda
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 4 of 9

Re: Help with "File Write Denied" events

Hello

Try the below format and let us know the result.
skiplist -d C:\Windows\ADDMRemQuery_x86_64_v2.exe

I look forward to your reply.

Regards,
Daya

Regards,
Daya

Re: Help with "File Write Denied" events

Thanks, will try.

 

About example number 2?

Example 2:
 
Event Description:
McAfee Application Control prevented an attempt to modify this file because this file is whitelisted. To make changes to whitelisted files, define a policy with the relevant rules.

Event Display Name:
File Write Denied

Event File Name:
C:\Users\thegoodguy\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe

Process Name:
C:\Windows\System32\cmd.exe
ktankink
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 6 of 9

Re: Help with "File Write Denied" events

Hi @thegoodguy 

'Skiplist -d' rules remove file write protection from the designated file so that any process can write to the file, even if they are solidified.  Use this sparingly as needed though; as they are usually not the first choice of applicable config changes.

  • If a solidified file is getting "file-write denied", first review the process doing the write to determine if it can be an updater.  In your Example#2, that process is cmd.exe, which would not be a good Updater rule. 
    • If this were through another process, one that could be trusted (according to your own security needs), then add an update rule for that process.  That way the next time that process goes to write to the file, it will be allowed.
      • Giving a process Updater permissions allows it to change any solidified files on the system.  Be aware and careful of which processes you give Updater permissions to.
  • If an updater rule is not applicable/recommended, then you can remove write protection from the file, hence the 'skiplist -d' rule.  This will allow any process to write to that specific file, but it will still retain its solidification status.
    • The alternative would be to 'skiplist -s' the file which removes solidification, but that also removes execution permissions from being solidified/whitelisted.  You'd then have to add execution permission back in via another rule, if it does need to execute, which is why the 'skiplist -d' rule might be a better config change.

Re: Help with "File Write Denied" events

Hi all, thank you so much for the information and education. I truly appreciate it! 

Let's forget about command line for a second and think about ePO policy (client/extension 8.2.6), how would those 2 examples I gave look like? Should I include the full path including the driver letter, part of the path or just the file starting with a "\"?

 
\ADDMRemQuery_x86_64_v2.exe  or
\Windows\ADDMRemQuery_x86_64_v2.exe

image.png
image.pngimage.png
 



\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe or 
\OneDriveSetup.exe

Full pathFull pathPart of the pathPart of the pathfile onlyfile only

 
Why do I keep coming back to these examples? We have an older policy in production that was created by some other analyst a long time ago and none of them include the driver letter. That's why I want to make sure what would be the correct way.

Exclude path from write-protection rules\Framepkg.exe  
Exclude path from file operations\Framepkg.exe

Exclude path from write-protection rules\WINDOWS\Security\Database\tmp.edb  
Exclude path from write-protection rules\WINDOWS\Security\Database\secedit.sdb  
Exclude path from write-protection rules \Windows\ccmsetup\cache\ccmsetup.exe

Re: Help with "File Write Denied" events

Hi all,

Any suggestions regarding my last reply? Any help is greatly appreciated.

Thanks!

BenEllis
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 9 of 9

Re: Help with "File Write Denied" events

You would do a partial path. just like the example. 

 

Exclude path from write-protection rules \WINDOWS\Security\Database\secedit.sdb

McAfee Support

Benjamin Ellis

Was my reply helpful?

If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and together we can help other members?

You Deserve an Award
Don't forget, when your helpful posts earn a kudos or get accepted as a solution you can unlock perks and badges. Those aren't the only badges, either. How many can you collect? Click here to learn more.

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from McAfee experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by McAfee employees.
Join the Community
Join the Community