In our company, we have Solidcore set up to alert us when .dlls such as printer drivers are prevented from being modified by something such as an executable. This in turn sends us an alert in the form of an email letting us know that an executable or something such as nt authority\system has tried to modify the .dll. We want to stop getting those email alerts for things like printer drivers.
So for example, we are receiving emails about a common Dell printer driver, sdo2mdu.dll, being executed by userinit.exe, and we were getting tons of emails. We were able to block the emails coming from Solidcore saying that sdo2mdu.dll is being modified by userinit.exe. The problem we're having is that we're getting tons of emails stating that sdo2mdu.dll is being modified by nt authority\system. We've tried adding nt authority\system as a binary, and we've tried adding sdo2mdu.dll as the Parent/library; however, we're still getting these emails saying that nt authority\system is trying to modify the following file: sdo2mdu.dll. All our other exceptions are working.
When we add our exceptions to block reporting emails, we go into Solidcore, then Menu, then Configuration, then Solidcore, and under the drop-down menu called 'Type', we choose Application Control, and under that Application Control we have our list of exceptions that we've set up. I'm wondering if, because nt authority\system isn't an executable, that is the reason why we can't block getting those emails saying that sdo2mdu.dll is being modified by nt authority\system? If anyone can shed light on this, that would be great. Thanks!
NT AUTHORITY\SYSTEM is a user, so you cannot configure it as an updater or exception rule. What is the exact event name? Is it FILE_MODIFIED or FILE_MODIFIED_UPDATE? This will indicate whether the event is generated by FIM or MAC.