Hello,
I added a certificate to Solidcore for authorized execution, but it does not have the updater privilege. Files with this certificate execute without the need for whitelisting.
An installer package, its uninstaller and some of the binaries inside have this certificate.
But, the files installed by this installer (which is not an updater) get whitelisted automatically at install time. As a result the uninstaller fails to remove the files afterwards, because it is not an updater.
Additionally, all files in the installer are whitelisted, not just those with a valid signature.
How can I turn off this auto-whitelisting? This behaviour is documented only for updaters, so is this a bug in Solidcore 7.0.1?
You must be observing this because your installer is categorised under "Computed tag=Installer" in our inventory.
Files which get this tag, if their certificate is authorized, are marked as updater as well.
This can be checked with "sadmin ls -lax <file path including its name>".
You can try another option to authorize the file execution, e.g. mark its checksum as authorized.
Regards
Your answer means that uninstallation is not allowed despite the uninstall feature being enabled.
I already know that updaters can do that.
What I am saying is that the updater auto-promote of installers introduces a problem. Solidcore seems to be incapable of detecting uninstallers, and because of that end users will experience weird problems if the updater auto-promote feature is being utilized. End users can install allowed software but are incapable of uninstalling the same software they installed, despite the uninstall permission setting.
The workaround/solution is to always sign installers and uninstallers with special updater signatures.
"sadmin cert add -t AuthorizedUpdater -u Authorized_Updater.crt". With this solution it is not possible to disallow uninstalls. Obviously this renders the updater-auto-promote feature useless.
I have a hard time judging whether the described problematic behaviour or my solution introduces security problems. I don't see any at the moment.
It prints:
updater="No"
computed_tags="Installer"
I cannot use checksums, they change each time a new version of this installer is released.
Is there a computed_tags="Uninstaller" also?
How do I make the uninstaller be detected as an uninstaller? Currently it is signed by the same certificate but fails to remove the installed files.
How do I turn off the Installer computed_tags? It undermines the security of the system.
How do I turn off installers (computed_tags) being promoted to updaters?
Or:
How do I make uninstallers be detected as Uninstallers and also promoted to updaters?
Without either of those the behaviour is inconsistent / broken. Software can get installed but not uninstalled.
You cannot turn off installers/uninstaller tag. These are binaries identified as installers, because of a header or extension.
Can you tell me if the feature - Pkg-ctrl allow uninstall is enabled? Did you add the installer/uninstaller to your policy? If you do it should be able to install/uninstall.
You can disable pkg-ctrl and nothing will install/uninstall, but I don't recommend that because even Windows updates would fail. Do you have a case in support?
McAfee Support
Benjamin Ellis
Yes, allow uninstall is enabled.
The installer is an Inno Setup installer, which creates the uninstaller in the install folder with the name unins000.exe, unins001.exe, ...
This is still part of my evaluation of whether the product would work on our machines (running the write-filter), so no, I do not have the ability to open case tickets.
Have you added the installer to the installer tab of Solidcore Rules? Then have you added the installer to a rule group? Then did you add the installer to a policy?
McAfee Support
Benjamin Ellis
No EPO server. This is a standalone/unmanaged SolidCore installation.
The installer's certificate is added to the list of allowed executables with "sadmin cert add Authorized_Application.crt". The certificate is not added as an updater. The uninstaller executable that is installed by this installer is signed with the same certificate.
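A small pre-flight check for the mismatch discussed in this thread (an Installer-tagged binary that is not an updater), written as an added example and not part of the thread or of McAfee's tooling. It parses the key="value" lines that "sadmin ls -lax" printed above; the sample output is constructed, and running the real command assumes sadmin is on PATH on the Windows host.

```python
import re
import subprocess
from typing import Dict

# Constructed sample mirroring the two lines quoted in the thread for the installer.
SAMPLE_SADMIN_OUTPUT = """\
updater="No"
computed_tags="Installer"
"""


def parse_sadmin_ls(output: str) -> Dict[str, str]:
    """Collect key="value" lines from `sadmin ls -lax` output into a dict."""
    fields: Dict[str, str] = {}
    for line in output.splitlines():
        m = re.match(r'^\s*([A-Za-z_]+)="([^"]*)"\s*$', line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def uninstall_verdict(fields: Dict[str, str]) -> str:
    """Classify a file from its updater flag and computed tags.

    An Installer-tagged file without the updater privilege runs (its certificate
    is authorized) but cannot remove files that were whitelisted at install time,
    which is the failure mode described in the thread.
    """
    tags = {t.strip() for t in fields.get("computed_tags", "").split(",") if t.strip()}
    is_updater = fields.get("updater", "").strip().lower() == "yes"
    if is_updater:
        return "updater"
    if "Installer" in tags:
        return "installer-not-updater"
    return "execute-only"


def check_file(path: str, sadmin: str = "sadmin") -> str:
    """Run `sadmin ls -lax <path>` (assumed to be on PATH) and classify the file."""
    proc = subprocess.run([sadmin, "ls", "-lax", path],
                          capture_output=True, text=True, check=True)
    return uninstall_verdict(parse_sadmin_ls(proc.stdout))


if __name__ == "__main__":
    # Offline demonstration on the constructed sample.
    print(uninstall_verdict(parse_sadmin_ls(SAMPLE_SADMIN_OUTPUT)))
```

Run check_file() against each unins*.exe in an install folder before rollout to see whether the uninstaller will be able to remove the files the installer left whitelisted.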