avilt
Level 8
Message 1 of 7

SC How to bypass all protections for Processes


I have a custom corporate application and would like to bypass all the security features of Application Control based on the process names or any other means for this application except folder exclusion. How do I do that?

1 Solution

Accepted Solutions

Re: SC How to bypass all protections for Processes

avilt: When you have that window open in your screenshot, if you hit save, it will add that process under the exclusions and then you can add more. Just thought I'd answer if you haven't discovered that already.
6 Replies
McAfee Employee BEllis
McAfee Employee
Message 2 of 7

Re: SC How to bypass all protections for Processes


There are several things you can do.

Skiplist -i (ignore process), always allow binary, always allow checksum

skiplist -d (Write Protect)

skiplist -s (solidification)

attr -w (ignore injection) 

 

Just depends on what is affecting this process, but your best bet is to try

"ignore path for file operations" or "exclude path from file operations"

These are found in the exclusion tab under the rule group under Advanced options.

It states relative path meaning "\path\process.exe"

 

Here is a little more about each.

 

File operations and script-auth

Skiplist -f (think File)

 

Skiplist -f is used to create file operations passthrough. This rule will allow you to create, modify, and delete files regardless of solidification. It will not allow you to overwrite links and rename files.

 

Use Case

When files are noisy and updated frequently if a filter does not work.

 

Applying this feature to an endpoint

This skiplist can be applied by a policy within ePO or a sadmin run command. To apply it as a policy, go to the specified rule group, click filters, and select exclude path from file operations rules. Must specify a path for file.

Sadmin skiplist add -f <path/file>

 

Risk

A skiplist -f has a high risk associated with it and should be used when a filter is not working.

 

File operations and deny exec

Skiplist -I (think folder)

Skiplist -I or Ignore passthrough attribute, ignores paths and works very similar to a skiplist -f.

 

Use Case

When on a 64-bit platform it can be used with 32-bit and earlier processes. A reboot is required for this rule to work. Another use case is jar files that are modified frequently that do not run without an interpreter.

 

Applying this feature to an endpoint

This skiplist can be applied by a policy within ePO or a sadmin run command. To apply it as a policy, go to the specified rule group, click filters, and select Ignore path for file operations rules. Must specify a path for file.

Sadmin skiplist add -i <path/file>

McAfee Support

Benjamin Ellis

Was my reply helpful?

If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and together we can help other members?
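A review aid for the exclusions discussed in this reply, added here as an example and not taken from the thread or from McAfee: it checks proposed skiplist entries against the points made above (relative path form, the high-risk note on -f, and how much a folder entry covers). The `\corpapp\...` paths and the policy of never exempting the volume root or `\windows\` are assumptions of this example.

```python
import re

# Notes per skiplist flag, paraphrased from the reply above (-f is called high risk there).
FLAG_NOTES = {
    "-f": "file-operations passthrough: high risk, use only when a filter does not work",
    "-i": "ignore passthrough: works much like -f, so review it as strictly",
}
# Assumed site policy for this example: never exempt the volume root or the OS directory.
SYSTEM_PREFIX = "\\windows\\"


def review_entry(flag, path):
    """Return findings for one proposed 'sadmin skiplist add <flag> <path>' entry."""
    findings = []
    p = path.strip().lower().replace("/", "\\")
    if re.match(r"^[a-z]:", p):
        findings.append("not relative: remove the drive letter")
        p = p[2:] or "\\"
    if not p.startswith("\\"):
        findings.append("not relative: expected a leading backslash")
        p = "\\" + p
    if p.endswith("\\"):
        findings.append("folder entry: applies to everything under the path")
    if p == "\\":
        findings.append("covers the whole volume")
    elif (p + "\\").startswith(SYSTEM_PREFIX):
        findings.append("inside the OS directory: do not exempt")
    note = FLAG_NOTES.get(flag.lower())
    if note:
        findings.append(note)
    return findings


def review_all(entries):
    """Map each (flag, path) that needs attention to its findings."""
    report = {}
    for flag, path in entries:
        findings = review_entry(flag, path)
        if findings:
            report[(flag, path)] = findings
    return report


# Constructed change request, not output from any real endpoint.
PROPOSED = [
    ("-s", "\\corpapp\\bin\\app.exe"),
    ("-i", "\\corpapp\\data\\"),
    ("-f", "C:\\Windows\\System32\\"),
]
```

Running `review_all(PROPOSED)` before a policy change leaves a record of which entries are broad or high risk and why they were accepted.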

avilt
Level 8
Message 3 of 7

Re: SC How to bypass all protections for Processes


Please let me know if the settings shown in the attached picture are sufficient.

How can I add multiple processes?

 

Exclusions-1.JPG

avilt
Level 8
Message 5 of 7

Re: SC How to bypass all protections for Processes


What is the SC command to list those exceptions from client side?

Re: SC How to bypass all protections for Processes


I have a follow-up question on this:

My use case is that I want to allow users to modify files, but I also want Solidcore to not even care about the file operations in that network share on the server.

The reason is that it seems when Solidcore is in Observe/Enabled mode, saving files that are related to Microsoft Office takes an extended amount of time to complete the operation.

I already have the network shares set up with skiplist -s. But, it seems Solidcore might still be doing something in those locations that causes the extended save times, even though it is allowing it. Is there a way to have the share path ignored by Solidcore where it doesn't even monitor it (while still blocking executables from it)? I looked into skiplist -i and -f, but it seems I have to name an executable for those and they are not meant to ignore/exclude entire folders from file operations.

Is there another way to effect what I am trying to do?

McAfee Employee BEllis
McAfee Employee
Message 7 of 7

Re: SC How to bypass all protections for Processes


Skiplist -i can exclude a folder. Skiplist -f is more for file but you can use file/folder in either one. 

 

Just make sure your path is relative, I believe "\windows\system32\" - example, don't use that.

 

McAfee Support

Benjamin Ellis
