Signed installer gets binaries auto white-listed

Hello,

I added a certificate to Solidcore for authorized execution, but it does not have the updater privilege. Files with this certificate execute without the need for white-listing.

An installer package, its uninstaller and some of the binaries inside have this certificate. 

But, the files installed by this installer (which is not an updater) get whitelisted automatically at install time. As a result the uninstaller fails to remove the files afterwards, because it is not an updater.

Additionally, all files in the installer are white-listed, not just those with a valid signature.

How can I turn off this auto white-listing? This behaviour is documented only for updaters, so, is this a bug in Solidcore 7.0.1?

2 Solutions

Accepted Solutions
McAfee Employee gnautiya
Message 2 of 19

Re: Signed installer gets binaries auto white-listed

You must be observing this because your installer is categorised under "Computed tag=Installer" in our inventory.

If a file gets this tag and its certificate is authorized, we mark it as updater as well.

This can be checked with "sadmin ls -lax <file path till its name>".

You can try another option to authorize the file execution, e.g. mark its checksum as authorized.

 

Regards


Re: Signed installer gets binaries auto white-listed

Your answer means that uninstallation is not allowed despite the uninstall feature being enabled.

I already know that updaters can do that.

What I am saying is that the updater-auto-promote of installers introduces a problem. Solidcore seems to be incapable of detecting uninstallers, and because of that end users will experience weird problems if the updater-auto-promote feature is being utilized. End users can install allowed software but are incapable of uninstalling the same software they installed, despite the uninstall permission setting.

The workaround/solution is to always sign installers and uninstallers with special updater signatures.
"sadmin cert add -t AuthorizedUpdater -u Authorized_Updater.crt". With this solution it is not possible to disallow uninstalls. Obviously this renders the updater-auto-promote feature useless.

I have a hard time judging whether the described problematic behaviour or my solution introduces security problems. I don't see any at the moment.

18 Replies
Re: Signed installer gets binaries auto white-listed

It prints:
updater="No"
computed_tags="Installer"

 

I cannot use checksums, they change each time a new version of this installer is released.

 

Is there a computed_tags="Uninstaller" also?

How do I make the uninstaller be detected as an uninstaller? Currently it is signed by the same certificate but fails to remove the installed files.

Re: Signed installer gets binaries auto white-listed

How do I turn off Installer computed_tags? It undermines the security of the system.

Re: Signed installer gets binaries auto white-listed

How do I turn off installers (computed_tags) being promoted to updaters?

Or:

How do I make uninstallers be detected as Uninstallers and also promoted to updaters?

 

Without either of those the behaviour is inconsistent / broken. Software can get installed but not uninstalled.

McAfee Employee BEllis
Message 6 of 19

Re: Signed installer gets binaries auto white-listed

You cannot turn off the installer/uninstaller tag. These are binaries identified as installers because of a header or extension.

Can you tell me if the feature - Pkg-ctrl allow uninstall is enabled? Did you add the installer/uninstaller to your policy? If you do, it should be able to install/uninstall.

You can disable pkg-ctrl and nothing will install/uninstall, but I don't recommend that because even Windows updates would fail. Do you have a case in support?

McAfee Support

Benjamin Ellis


Re: Signed installer gets binaries auto white-listed

Yes, allow uninstall is enabled.

The installer is an Inno Setup installer, which creates the uninstaller in the install folder with the name unins000.exe, unins001.exe ...

 

Re: Signed installer gets binaries auto white-listed

This is still part of my evaluation of the product if it would work on our machines (running the write-filter), so no, I do not have the ability to open case tickets.

McAfee Employee BEllis
Message 9 of 19

Re: Signed installer gets binaries auto white-listed

Have you added the installer to the installer tab of Solidcore Rules? Then have you added the installer to a rule group? Then did you add the installer to a policy?

McAfee Support

Benjamin Ellis


Re: Signed installer gets binaries auto white-listed

No EPO server. This is a standalone/unmanaged SolidCore installation.

The installer's certificate is added to the list of allowed executables with "sadmin cert add Authorized_Application.crt". The certificate is not added as an updater. The uninstaller executable that is installed by this installer is signed with the same certificate.
