jkhughes68
Level 7

McAfee Application Control and SQL Server Reporting Services

Installed, solidified and enabled McAfee Application Control (Solidifier) 8.0.0.875 on a WES7 (Windows 7 Embedded) system that has Microsoft SQL Server 2012 and SQL Server Reporting Services (SSRS) also installed.

However, when SSRS is used to create a report, it either copies or creates a DLL (ReportingServicesWebServer.DLL) in a deeply nested "tmp" folder and tries to execute it, but McAfee Application Control prevents it from running with the deny reason of: "Local Whitelist - File Not Present (deny reason code: 2) reputation score: 1000".

McAfee Solidifier prevented unauthorized execution of 'C:\Program Files\Microsoft SQL Server\MSRS11.MSSQLSERVER\Reporting Services\RSTempFiles\reportserver\c2a527bc\9cd1a7f9\assembly\tmp\5ZY4HSUI\ReportingServicesWebServer.DLL' (sha1: c951266218a2b82b338c9b20be656dd77076e3bb, md5: 93e168e931ae8a018c7989abe257c1dc, sha256: df26f9739a6b2e505a2ab5908f79e568ee4f9ebe03aae22604a76e96b406e983, File Type: pe32) by process C:\Program Files\Microsoft SQL Server\MSRS11.MSSQLSERVER\Reporting Services\ReportServer\bin\ReportingServicesService.exe (Process Id: 2872, User: NT SERVICE\ReportServer) whose parent is process C:\Windows\System32\services.exe, deny_reason : Local Whitelist - File Not Present (deny reason code: 2) reputation score: 1000

Another issue is that the computer-generated directory that it tries to execute the DLL out of changes each time:

C:\Program Files\Microsoft SQL Server\MSRS11.MSSQLSERVER\Reporting Services\RSTempFiles\reportserver\c2a527bc\9cd1a7f9\assembly\tmp\ETJ9KXQ4\ReportingServicesWebServer.DLL
C:\Program Files\Microsoft SQL Server\MSRS11.MSSQLSERVER\Reporting Services\RSTempFiles\reportserver\c2a527bc\9cd1a7f9\assembly\tmp\BIX4ZJ7U\ReportingServicesWebServer.DLL
C:\Program Files\Microsoft SQL Server\MSRS11.MSSQLSERVER\Reporting Services\RSTempFiles\reportserver\c2a527bc\9cd1a7f9\assembly\tmp\YKHTPFPN\ReportingServicesWebServer.DLL
C:\Program Files\Microsoft SQL Server\MSRS11.MSSQLSERVER\Reporting Services\RSTempFiles\reportserver\c2a527bc\9cd1a7f9\assembly\tmp\5ZY4HSUI\ReportingServicesWebServer.DLL
C:\Program Files\Microsoft SQL Server\MSRS11.MSSQLSERVER\Reporting Services\RSTempFiles\reportserver\c2a527bc\9cd1a7f9\assembly\tmp\4YXWQNBI\ReportingServicesWebServer.DLL

What is the best way to handle this situation within McAfee Application Control?  I've tried adding whitelist rules, however I have not had any luck getting them to work.  Here are some examples of the whitelist commands I have tried:

sadmin whitelist add -i "\ReportingServicesWebServer.DLL"

sadmin whitelist add -i "C:\Program Files\Microsoft SQL Server\MSRS11.MSSQLSERVER\Reporting Services\RSTempFiles\reportserver\*\*\*\*\*\ReportingServicesWebServer.DLL"

sadmin whitelist add -s "C:\Program Files\Microsoft SQL Server\MSRS11.MSSQLSERVER\Reporting Services\RSTempFiles\reportserver\*\*\*\*\*\ReportingServicesWebServer.DLL"

sadmin whitelist add -s "C:\Program Files\Microsoft SQL Server\MSRS11.MSSQLSERVER\Reporting Services\RSTempFiles\reportserver\*\*\*\*\*\*"

I also have another question: If a path or file is updated using the "sadmin <add|remove > <argument> <path|file>" command, does it take effect immediately, or is a restart of the workstation required?

 

Thanks,

Jeff

0 Kudos
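
A triage sketch for the deny events described in this post, added here as an example and not part of the original post or of McAfee's tooling: it parses the event format quoted above and collapses the per-run directory name, so repeated denials can be compared by file hash and loading process before any rule is written. The function names, the `<RANDOM>` marker and the assumption that only the 8-character directory under `assembly\tmp` varies are illustrative; the sample events are constructed from the post's single event and the directory names it lists.

```python
import re
from collections import defaultdict

# Field layout follows the deny event quoted in the post.
EVENT_RE = re.compile(
    r"prevented unauthorized execution of '(?P<path>[^']+)' "
    r"\(sha1: [0-9a-f]{40}, md5: [0-9a-f]{32}, sha256: (?P<sha256>[0-9a-f]{64}), "
    r"File Type: \w+\) by process (?P<process>.+?) \(Process Id: \d+, "
    r"User: (?P<user>[^)]+)\) whose parent is process .+?, "
    r"deny_reason : (?P<reason>.+?) \(deny reason code: (?P<code>\d+)\)"
)
# Assumption: only the 8-character directory under assembly\tmp changes per run.
TMP_DIR_RE = re.compile(r"(\\assembly\\tmp\\)[A-Z0-9]{8}(\\)")

def parse_event(line):
    """Return the fields of one deny event, or None if the line does not match."""
    m = EVENT_RE.search(line)
    return m.groupdict() if m else None

def stable_pattern(path):
    """Replace the per-run directory name so repeated denials group together."""
    return TMP_DIR_RE.sub(lambda m: m.group(1) + "<RANDOM>" + m.group(2), path)

def summarize(lines):
    """Group denials by stable path; collect the hashes and loaders seen for each."""
    groups = defaultdict(lambda: {"count": 0, "sha256": set(), "process": set()})
    for ev in filter(None, map(parse_event, lines)):
        g = groups[stable_pattern(ev["path"])]
        g["count"] += 1
        g["sha256"].add(ev["sha256"])
        g["process"].add((ev["process"], ev["user"]))
    return dict(groups)

# Constructed sample: the post's event, repeated with directory names it lists.
BASE = r"C:\Program Files\Microsoft SQL Server\MSRS11.MSSQLSERVER\Reporting Services"
TEMPLATE = (
    r"McAfee Solidifier prevented unauthorized execution of '{base}\RSTempFiles"
    r"\reportserver\c2a527bc\9cd1a7f9\assembly\tmp\{tmp}\ReportingServicesWebServer.DLL'"
    " (sha1: c951266218a2b82b338c9b20be656dd77076e3bb, md5: 93e168e931ae8a018c7989abe257c1dc,"
    " sha256: df26f9739a6b2e505a2ab5908f79e568ee4f9ebe03aae22604a76e96b406e983,"
    r" File Type: pe32) by process {base}\ReportServer\bin\ReportingServicesService.exe"
    r" (Process Id: 2872, User: NT SERVICE\ReportServer) whose parent is process"
    r" C:\Windows\System32\services.exe, deny_reason : Local Whitelist - File Not Present"
    " (deny reason code: 2) reputation score: 1000"
)
SAMPLE = [TEMPLATE.format(base=BASE, tmp=t) for t in ("5ZY4HSUI", "ETJ9KXQ4", "BIX4ZJ7U")]
if __name__ == "__main__":
    for pattern, g in summarize(SAMPLE).items():
        print(g["count"], len(g["sha256"]), sorted(g["process"]), pattern)
```

A group whose hash set or loading process set has more than one member is the case to investigate before allowing anything under that path.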