cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Highlighted

How to add a folder to skiplist

Jump to solution

Hi everyone,

I have multiple Solidcore events like the following for different users:

C:\Users\xxxxxx\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\Microsoft\ServiceWorkerFiles\different Number for each User\CQgeT-GPWMQ_1.js

 

-> File write denied by C:\Windows\System32\dllhost.exe

I know that I can't create a policy because its a Generic Launcher Process, which is why I attemted to exclude the whole folder using skiplist -i.

Exclude path from write-protection rules

%LocalAppData%\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\Microsoft\ServiceWorkerFiles\

 

Also, the rulegroup and according policy are updated and enforced on my endpoints but so far it's not working. Is there a better way or did I do something wrong?

Any help concerning this issue would be appreciated.

Thanks in advance & regards!

2 Solutions

Accepted Solutions
Highlighted
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 4 of 8

Re: How to add a folder to skiplist

Jump to solution

Hello eifooDcMReport

Specify a path component with the command. When a path component is specified with this command, files present in the whitelist under that path and subdirectories are removed from the whitelist. But, files generated or modified on such paths and subdirectories are added to the whitelist in unso state only regardless of the Application Control mode (Enabled mode or Update mode) or using an updater. When files are added to the whitelist in unso state, modifications to the files are allowed but execution is denied for all such files.

Volume relative rules can also be specified using *\<vol_rel_name>.

An asterisk (*) can be used to represent any 1 component in the path. On addition of rules with asterisk (*), files in that path are not removed from the whitelist, but files generated in Enabled mode, Update mode, or using an updater are added to the whitelist in unso state only. Because files are not removed from the whitelist while adding rules with asterisk (*), write protection is observed for whitelisted files on such paths.

C:\user\xxx\ is absolute path under C:\

Was my reply helpful?

If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and together we can help other members?

 

View solution in original post

Highlighted
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 8 of 8

Re: How to add a folder to skiplist

Jump to solution

Try "Skiplist -d "

\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!121\MicrosoftEdge\Cache\

This will allow things to be over written becuase .js is on your scripts list ("sadmin scripts list")

It will be overwritten but not be allowed to run if called directly.. Since its cache you should be ok. 

 

 

McAfee Support

Benjamin Ellis

Was my reply helpful?

If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and together we can help other members?

View solution in original post

7 Replies
Highlighted
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 2 of 8

Re: How to add a folder to skiplist

Jump to solution

Hi eifooDcMREport

Thanks for posting details in the community.

For Skiplist, you can refer to the document below. 

https://docs.mcafee.com/bundle/application-control-8.0.0-product-guide-unmanaged/page/GUID-25138B14-...

Kindly let us know if your query is answered. 

Was my reply helpful?

If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and together we can help other members?

Highlighted

Re: How to add a folder to skiplist

Jump to solution

Thanks for your reply and the information!

"Specify a path component to add skip rules and not the absolute or relative path. Application Control searches the specified path component across all volumes and applies skip rules on that particular path component present on a system."

So paths like:

\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\Microsoft\ServiceWorkerFiles\

should work?

And one more question:

"User mode paths and paths with volume name do not work with this command."

So a path like C:\user\xxx\ is a user mode path, or have i misunderstood something?

Highlighted
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 4 of 8

Re: How to add a folder to skiplist

Jump to solution

Hello eifooDcMReport

Specify a path component with the command. When a path component is specified with this command, files present in the whitelist under that path and subdirectories are removed from the whitelist. But, files generated or modified on such paths and subdirectories are added to the whitelist in unso state only regardless of the Application Control mode (Enabled mode or Update mode) or using an updater. When files are added to the whitelist in unso state, modifications to the files are allowed but execution is denied for all such files.

Volume relative rules can also be specified using *\<vol_rel_name>.

An asterisk (*) can be used to represent any 1 component in the path. On addition of rules with asterisk (*), files in that path are not removed from the whitelist, but files generated in Enabled mode, Update mode, or using an updater are added to the whitelist in unso state only. Because files are not removed from the whitelist while adding rules with asterisk (*), write protection is observed for whitelisted files on such paths.

C:\user\xxx\ is absolute path under C:\

Was my reply helpful?

If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and together we can help other members?

 

View solution in original post

Highlighted

Re: How to add a folder to skiplist

Jump to solution

Thank you, the skiplist is now clearer!

I don't think I am understanding the user mode paths though.

What would a user mode path look like?

(I already googled it but I hadn't had any luck with finding a good explanation - or rather multiple contradicting ones)

Highlighted
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 6 of 8

Re: How to add a folder to skiplist

Jump to solution

I have attached a skiplist doc, to help clear things up. This doc will be added in our new Best practice guide coming out in August. 

 

User mode path means: 

c:\user\***

 

McAfee Support

Benjamin Ellis

Was my reply helpful?

If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and together we can help other members?

Highlighted

Re: How to add a folder to skiplist

Jump to solution

Again, thank you very much 🙂

If I'm reading the doc correctly, there is no way to add a user mode path (folder or single file) to our skiplist.

Now I'm wondering what the recommended way to deal with events like this is:

C:\Users\xxxx\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!121\MicrosoftEdge\Cache\D1M3364V\cft.data-tab[1].js 

-> File Write denied

This event is observable for different users and varying  parts after Cache\ and the goal is to allow writing, execution & installation.

I can't define a policy because it's a generic launcher process.

I can't add it to the skiplist because it's a user mode path.

Even if I'm including the path as a trusted directory with updater rights as follows:

%LocalAppData%\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!121\MicrosoftEdge\Cache\*

this won't be granting it the right to modify files in solidified state, correct?

As it is still advised to consult support if you create a skiplist, I'm also asking myself if there is a simpler solution for my problem which isn't requiring one?

Highlighted
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 8 of 8

Re: How to add a folder to skiplist

Jump to solution

Try "Skiplist -d "

\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!121\MicrosoftEdge\Cache\

This will allow things to be over written becuase .js is on your scripts list ("sadmin scripts list")

It will be overwritten but not be allowed to run if called directly.. Since its cache you should be ok. 

 

 

McAfee Support

Benjamin Ellis

Was my reply helpful?

If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and together we can help other members?

View solution in original post

You Deserve an Award
Don't forget, when your helpful posts earn a kudos or get accepted as a solution you can unlock perks and badges. Those aren't the only badges, either. How many can you collect? Click here to learn more.

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from McAfee experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by McAfee employees.
Join the Community
Join the Community