lozaza

Solidcore: Order of rules and Block execution by user.

Hi McAfee Experts,

I am a new McAfee user and have a question. Thanks in advance for all the help and effort.

This is regarding the order of the rules. The ACCC admin guide (8-22) says that the order of the rules, from highest precedence to lowest, is checksum, publisher, name, trusted path, whitelist. But where is the trusted user in the order?

Also, is this order different between versions? Below is what I found in the ACCC Product Guide 7.0.0.

Capture1.JPG

Below is the ACCC Product Guide 6.2:

Capture2.JPG

But the funny thing is I did a test in my ACCC (7.0) ePO environment. I added a user to the trusted user group (I added it from AD so misspelling here), then banned iexplorer.exe by name. So in theory, per figure 1 above, this user should be able to use iexplorer while others can't, but execution is still denied (I did log out and back in and re-enforced the policies several times). Is my understanding correct? It seems the user cannot override banned executables.

Also, what's the best way to give different application access to certain people, e.g. only John can run the IBM tool or only Josh can run the HP tool?

Regards,

JS

3 Replies

Re: Solidcore: Order of rules and Block execution by user.

Did you review the Windows Event (Application) logs for any events generated by Solidcore? Also, it may pay to review the `Solidcore.log` diagnostic log in the path `C:\ProgramData\McAfee\Solidcore\Logs\`.

For what it is worth, my understanding of the Trusted User privilege is that it allows the user to make dynamic changes to the local whitelist; I don't believe it's a mechanism to implement granular access to execute a binary based on user. I wouldn't expect Solidcore to treat execution of a binary as a modification attempt, therefore the Trusted User rule would not be applicable, and I would expect the Banned Binary rule to be the next match, hence the Execution Denied behaviour.

HTH,

Mick

lozaza

Re: Solidcore: Order of rules and Block execution by user.

Thanks Mick, I agree with you and I am going to implement this in change control to give read access to a particular executable.

Js

Re: Solidcore: Order of rules and Block execution by user.

Js,

I haven't tested this myself, but a possible workaround could be using the `skiplist -s C:\Program Files (x86)\Internet Explorer\iexplore.exe` command to prevent Internet Explorer from being added to the local system whitelist. Remove your Banned Binary rule for `iexplore.exe` and then attempt to execute as a standard user and then as a Trusted User; can you launch Internet Explorer? Note that if this workaround is successful, the `iexplorer.exe` wouldn't have any write protection, therefore malicious code could potentially be injected into Internet Explorer that a Trusted User could execute. I'd be interested to know if this does work.

Cheers,

Mick
