Hi McAfee Support Team,
We created a JS file (sample tool); when double-clicked, it will call the Calc.exe file (to open it).
var jsRun = new ActiveXObject('WSCRIPT.Shell');
Then I saved it as Calc.js, making sure Solidcore status is ENABLED. Running version 8.3.2.x with McAfee Agent 5.7.x.
As soon as I double-click it as a normal user (not as administrator), the Calculator program opens. Solidcore did not detect that this (JS file) is a foreign file, and I am expecting this to be EXECUTION DENIED.
But it ran smoothly.
*Making sure this file is not solidified by running (in command prompt) sadmin unso <with the file name>.
Is there a log that I can check to see what triggered this file to run and not be blocked by Solidcore?
Good day to you!
Can you please confirm if Solidcore is in enabled mode?
Please open the command prompt with admin rights and run the command below:
I created a JS file with the content that you have provided and Solidcore is not allowing the execution of the file.
The status is Enabled.
PS C:\Windows\system32> sadmin status
McAfee Solidifier: Enabled
McAfee Solidifier on reboot: Enabled
ePO Managed: Yes
Local CLI access: Lockdown
[fstype] [status] [driver status] [volume]
* NTFS Solidified Attached C:\
Do you know what log file I can check to see what possible rule (if there are...) is allowing this JS file to run?
After I woke up the agent (to refresh the logs), I opened Solidcore.log and S3diag.log and queried for anything with calc.js or calc.exe; these are the only log lines.
<PROCESS_CREATED file_name="C:\Windows\System32\calc.exe" pid="87***" process_name="c:\windows\system32\wscript.exe" ppid="38***" parent_process_name="c:\windows\explorer.exe" cksum="c882f09eafddb75843bddbacb796b90195445***" cksum256="a103a57d50b32469c5811e2808f021adf9d9220093b540b8a9c83b5c821d3***" event_time="1632158126***" event_time_system="Sep 20 2021:17:15:26" user_name="***.******.***.***\***qu" workflow_id="NONE" />
Is this correct?
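Added example, not part of the thread and not McAfee tooling: a Python sketch that scans Solidcore log text for PROCESS_CREATED events like the one quoted above and reports those whose creating process is a Windows script host. It assumes process_name is the creating process and file_name the created image; the script-host list and the second sample event are constructed, and the first sample event is shortened from the post.

```python
import re
import xml.etree.ElementTree as ET
from ntpath import basename  # Windows path rules, whatever OS this runs on

# Assumption: script hosts worth flagging when they start another program.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
EVENT_RE = re.compile(r"<PROCESS_CREATED\b[^>]*/>")

# Sample input: event 1 is shortened from the post (redactions kept),
# event 2 is constructed for contrast.
SAMPLE_LOG = r'''
<PROCESS_CREATED file_name="C:\Windows\System32\calc.exe" pid="87***" process_name="c:\windows\system32\wscript.exe" ppid="38***" parent_process_name="c:\windows\explorer.exe" event_time_system="Sep 20 2021:17:15:26" workflow_id="NONE" />
<PROCESS_CREATED file_name="C:\Windows\System32\notepad.exe" pid="1***" process_name="c:\windows\explorer.exe" ppid="9***" parent_process_name="c:\windows\system32\userinit.exe" event_time_system="Sep 20 2021:17:20:01" workflow_id="NONE" />
'''


def script_host_launches(log_text):
    """Return (time, creator, created) for events created by a script host."""
    hits = []
    for match in EVENT_RE.finditer(log_text):
        try:
            event = ET.fromstring(match.group(0))
        except ET.ParseError:
            continue  # truncated or damaged log line
        creator = event.get("process_name", "")
        if basename(creator).lower() in SCRIPT_HOSTS:
            hits.append((
                event.get("event_time_system"),
                creator.lower(),
                event.get("file_name", "").lower(),
            ))
    return hits


if __name__ == "__main__":
    for when, creator, created in script_host_launches(SAMPLE_LOG):
        print(f"{when}  {creator} -> {created}")
```

In the quoted event the .js file is not named; only wscript.exe and calc.exe appear, so a search of these lines for calc.js alone returns nothing.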