I am able to modify a solidified dll using Notepad on a Windows XP system.
The version of SolidCore deployed is 184.108.40.2062.
The Solidcore log when a dll is modified is shown below.
<FILE_MODIFIED file_name="C:\Program Files\TF\ltif.dll" pid="2952" process_name="C:\WINDOWS\system32\notepad.exe" ppid="4924" parent_process_name="C:\WINDOWS\system32\rundll32.exe" file_type="Unknown" is_system_file="false" user_name="Appox" workflow_id="PKGC_DEFAULT_ALLOW_UNINSTALL: rundll32.exe" />
a) I took a backup of the dll before modifying it.
b) I deleted the content of the original dll by opening it in Notepad and saving it.
c) The application depending on this dll crashed when executed.
d) When I tried to replace this modified dll with the backup one, an access denied message was displayed.
Why is modification of the dll allowed, but overwriting it blocked?
Certainly could be a bug, but it sounds more like the difference between rights and rules for the two executables notepad.exe and explorer.exe.
SecurityGeek, how did you invoke notepad.exe from rundll32.exe?