cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
mfriedrich
mfriedrich
Level 9
Report Inappropriate Content
Message 1 of 19
‎01-18-2019 11:06 AM

Signed installer gets binaries auto white-listed

Jump to solution

Hello,

i added a certificate to Solidcore for authorized execution, but it has not the updater privilege. Files with this certificate execute without the need of whit-listing.

An installer package, its uninstaller and some of the binaries inside have this certificate. 

But, the files installed by this installer (which is not an updater) get whitelisted automatically at install time. As a result the uninstaller fails to remove the files afterwards, because it is not an updater.

Aditionally all files in the installer are white-listed, not just those with a valid signature .

How can i turn off this auto white-listing? This behaviour is documented only for updaters, so, is this a bug in Solidcore 7.0.1?

0 Kudos
Reply
2 Solutions

Accepted Solutions
gnautiya
McAfee Employee gnautiya
McAfee Employee
Report Inappropriate Content
Message 2 of 19
‎01-18-2019 11:17 AM

Re: Signed installer gets binaries auto white-listed

Jump to solution

You must be observing this because your installer is categorised under "Computed tag=Installer in our inventory.

 

Files which get this tag, and if its certificate is authorized, we mark it updater as well.

Can be checked under "sadmin ls -lax < file path till its name >.

You can try other option to authorize the file execution, e.g. mark its checksum as authorized.

 

Regards

Was my reply helpful?
If this information was helpful in any way, or answered your question, will you please select "Accept as Solution" in my reply, or give kudos as appropriate, so together we can help other members?
Reply
mfriedrich
mfriedrich
Level 9
Report Inappropriate Content
Message 12 of 19
‎01-31-2019 07:38 AM

Re: Signed installer gets binaries auto white-listed

Jump to solution

Your answer means that uninstallation is not allowed despite the uninstall feature being enabled.

I already know that updaters can do that.

What i am saying is that the updater-auto-promote of installers introduces a problem. Solidcore seems to be incapable to detect uninstallers and because of that end users will experience weird problems if the updater-auto-promote feature is being utilized. End users can install allowed software but are incapable of uninstall the same software they installed, despite the uninstall permission setting.

The workaround/solution is to always sign installers and uninstallers with special updater signatures.
"sadmin cert add -t AuthorizedUpdater -u Authorized_Updater.crt". With this solution it is not possible to disallow uninstalls. Obviously this renders the updater-auto-promote feature useless.

I have a hard time judging wether the described problematic behaviour or my solution introduces security problems. I don't see any at the moment.

0 Kudos
Reply
18 Replies
gnautiya
McAfee Employee gnautiya
McAfee Employee
Report Inappropriate Content
Message 2 of 19
‎01-18-2019 11:17 AM

Re: Signed installer gets binaries auto white-listed

Jump to solution

You must be observing this because your installer is categorised under "Computed tag=Installer in our inventory.

 

Files which get this tag, and if its certificate is authorized, we mark it updater as well.

Can be checked under "sadmin ls -lax < file path till its name >.

You can try other option to authorize the file execution, e.g. mark its checksum as authorized.

 

Regards

Was my reply helpful?
If this information was helpful in any way, or answered your question, will you please select "Accept as Solution" in my reply, or give kudos as appropriate, so together we can help other members?
Reply
mfriedrich
mfriedrich
Level 9
Report Inappropriate Content
Message 3 of 19
‎01-18-2019 11:37 AM

Re: Signed installer gets binaries auto white-listed

Jump to solution

It prints:
updater="No"
computed_tags="Installer"

 

I cannot use checksums, they change each time a new version of this installer is released.

 

Is there a computed_tags="Uninstaller" also?

How do i make the uninstalled being detected as uninstaller? Currently it is signed by the same certificate but fails to remove the installed files.

0 Kudos
Reply
mfriedrich
mfriedrich
Level 9
Report Inappropriate Content
Message 4 of 19
‎01-18-2019 11:41 AM

Re: Signed installer gets binaries auto white-listed

Jump to solution

How do i turn off Installer computed_tags? It undermines the secuity of the system.

0 Kudos
Reply
mfriedrich
mfriedrich
Level 9
Report Inappropriate Content
Message 5 of 19
‎01-31-2019 04:55 AM

Re: Signed installer gets binaries auto white-listed

Jump to solution

How do i turn off installers (computed_tags) being promoted to updaters?

Or:

How do i make uninstallers being detected as Uninstallers and also promoted to updaters?

 

Without either of those the behaviour is inconsistent / broken. Software can get installed but not uninstalled.

0 Kudos
Reply
BEllis
McAfee Employee BEllis
McAfee Employee
Report Inappropriate Content
Message 6 of 19
‎01-31-2019 06:02 AM

Re: Signed installer gets binaries auto white-listed

Jump to solution

You cannot turn off installers/uninstaller tag. These are binaries identified as installers, because of a header or extension.

 

Can you tell me if the feature - Pkg-ctrl allow uninstall is enabled? Did you add the installer/uninstaller to your policy? If you do it should be able to install/uninstall. 

 

You can disable pkg-ctrl and nothing will install/uninstall but i dont recommend that because even windows updates would fail. Do you have a case in support ?

McAfee Support

Benjamin Ellis

Was my reply helpful?

If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and together we can help other members?

0 Kudos
Reply
mfriedrich
mfriedrich
Level 9
Report Inappropriate Content
Message 7 of 19
‎01-31-2019 06:14 AM

Re: Signed installer gets binaries auto white-listed

Jump to solution

Yes, allow uninstall is enabled.

The installer is an Inno Setup installer, which creates the uninstaller in the install folder with name unins000.exe unins001.exe ...

 

0 Kudos
Reply
Highlighted
mfriedrich
mfriedrich
Level 9
Report Inappropriate Content
Message 8 of 19
‎01-31-2019 06:20 AM

Re: Signed installer gets binaries auto white-listed

Jump to solution

This is still part of my evaluation of the product if it would work on our machines (running the write-filter), so no, i do not have the ablity to open case tickets.

0 Kudos
Reply
BEllis
McAfee Employee BEllis
McAfee Employee
Report Inappropriate Content
Message 9 of 19
‎01-31-2019 06:39 AM

Re: Signed installer gets binaries auto white-listed

Jump to solution

Have you added the installer to the installer tab of Solidcore Rules? Then have you added the installer to a rule group? Then did you add the installer to a policy?

McAfee Support

Benjamin Ellis

Was my reply helpful?

If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and together we can help other members?

0 Kudos
Reply
mfriedrich
mfriedrich
Level 9
Report Inappropriate Content
Message 10 of 19
‎01-31-2019 07:08 AM

Re: Signed installer gets binaries auto white-listed

Jump to solution

No EPO server. This is a standalone/unmanaged SolidCore installation.

The installers certificate is added to the list of allowed executables with "sadmin cert add Authorized_Application.crt". The certificate is not added as an updater. The uninstaller executable that is installed by this installer, is signed with the same certificate.

0 Kudos
Reply
More McAfee Tools to Help You
  • How-to: Endpoint Removal Tool
  • Support: Endpoint Security
  • Visit: Business Service Portal
  • More: Search Knowledge Articles
  • ePolicy Orchestrator Support

      • Download the new ePolicy Orchestrator (ePO) Support Center Extension which simplifies ePO management and provides support resources directly in the console. Learn more about ePO Support Center