Hello All,
I have installed Solidcore in Observe mode on several servers, and the issue was reported to me that Solidcore is blocking the deletion or renaming of files.
This is an example of the event. I'm kinda new to Solidcore, so any help will be appreciated.
McAfee Application Control prevented an attempt to modify this file because this file is whitelisted. To make changes to whitelisted files, define a policy with the relevant rules. |
File Write Denied |
E:\XXXXXXX\Install_Fonts.vbs |
10/22/19 11:08:10 AM CEST |
20719 |
WRITE_DENIED |
1,955 |
No |
No |
XXX |
11624 |
044f48aa4b726924881597815a7c1b06 |
C:\Windows\explorer.exe |
2381c7077d48ca9d7a39af7fa39f3d367678cc3a |
888a2105f62ea40654a1b78de8e76ca1131c16e1d9fd28c75d7f4f3e1c0b8ff5 |
Not yet Reconciled |
Not Applicable |
3 |
FCN02 |
Thanks
Hi @Maros,
Thank you for your response. Ideally, a block should not have happened. I am surprised that you have 2 machines with the same issue. Hence I would recommend creating a Service Request with us.
Can you confirm whether a re-installation has any effect at all?
Apart from the below reason or a pending reboot, there should not be any other reason for Observe mode to block the script!
Why am I seeing blocking in Observe mode?
If reputation is enabled in the Application Control Options policy, MAC still prevents execution of potentially malicious files while in Update/Observe mode. It is advised to trust applications which are needed in the environment yet given a low reputation score in the TIE reputations page. If the reputation is from GTI, open a service request with Technical Support to analyze and suppress the detection.
Source: https://kc.mcafee.com/corporate/index?page=content&id=KB78223
Hi @Maros,
Thank you for your post. May I know the result of this command when run on your command prompt as an administrator?
sadmin status
Kindly please share the same with us.
Hi Adithyan,
It was in Observe on both lines, the current status and the status after reboot too. I had to switch it to Update mode now because on several servers files were being blocked, Exchange PowerShell for example.
But here's the result from a different server on which I got PREVENTED_FILE_EXECUTION too:
C:\Windows\system32>sadmin status
McAfee Solidifier: Observe
McAfee Solidifier on reboot: Observe
ePO Managed: Yes
Local CLI access: Lockdown
[fstype] [status] [driver status] [volume]
* NTFS Solidified Attached C:\
NTFS Unsolidified Attached E:\
NTFS Solidified Attached F:\
Hi @Maros,
Thank you for your response. Can you kindly reboot the machine to check? Is this a fresh installation or an upgrade?
Hi @Maros,
Apologies for the previous response. Looks like you have already tried a reboot. Please ensure you are using the latest version and if the issue still repeats, please do create a case with support for further investigation.
@Maros When you say "Solidcore is blocking the deleting or renaming the files",
do you mean that users are trying to delete or rename the files and are not able to?
In Observe mode, Application Control is running, but it only monitors and logs observations. Application Control does not prevent any execution or changes made to the endpoints. Instead, it monitors execution activities and compares them with the local inventory and predefined rules.
Observe mode also supports reputation-based execution. When you execute a file, Application Control fetches its reputation and that of all certificates associated with the file to determine whether to allow or ban the file execution.
All files that are allowed to run in Observe mode are automatically added to the whitelist, if not already present in the whitelist. An observation is logged that corresponds to the action Application Control takes in Enabled mode.
From the logs you have shared, it appears to me that explorer.exe is trying to make changes to E:\XXXXXXX\Install_Fonts.vbs and it is being reported to the ePO.
Could you let me know which version of Solidcore is installed on the machine?
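To make the triage order described in this thread (enforcing mode, pending reboot, reputation, otherwise a support case) concrete, here is an added example that is not part of the thread or of McAfee's tooling. It parses the `sadmin status` output posted above and classifies block events against it; the `reputation_based` field and the third event type are assumptions for illustration, not real event columns.

```python
import re
# Constructed sample input: the `sadmin status` output posted in the thread.
SADMIN_STATUS = """\
C:\\Windows\\system32>sadmin status
McAfee Solidifier: Observe
McAfee Solidifier on reboot: Observe
ePO Managed: Yes
Local CLI access: Lockdown
[fstype] [status] [driver status] [volume]
* NTFS Solidified Attached C:\\
NTFS Unsolidified Attached E:\\
NTFS Solidified Attached F:\\
"""
# Constructed sample events. "reputation_based" is an assumed field standing in for
# whatever ePO records about TIE/GTI reputation; FILE_SOLIDIFIED is a placeholder type.
EVENTS = [
    {"type": "WRITE_DENIED", "file": "E:\\XXXXXXX\\Install_Fonts.vbs", "reputation_based": False},
    {"type": "PREVENTED_FILE_EXECUTION", "file": "C:\\tools\\untrusted.exe", "reputation_based": True},
    {"type": "FILE_SOLIDIFIED", "file": "C:\\Program Files\\app\\app.exe", "reputation_based": False},
]

# Event types that denote enforcement (the two seen in the thread; not exhaustive).
ENFORCEMENT_EVENTS = {"WRITE_DENIED", "PREVENTED_FILE_EXECUTION"}

def parse_sadmin_status(text):
    """Extract current mode, mode on reboot and per-volume solidification state."""
    info = {"volumes": {}}
    for raw in text.splitlines():
        line = raw.strip().lstrip("* ")
        m = re.match(r"McAfee Solidifier(?P<reboot> on reboot)?:\s*(?P<mode>\w+)", line)
        if m:
            info["mode_on_reboot" if m.group("reboot") else "mode"] = m.group("mode")
            continue
        m = re.match(r"\w+\s+(?P<status>Solidified|Unsolidified)\s+\w+\s+(?P<vol>[A-Z]:\\)", line)
        if m:
            info["volumes"][m.group("vol")] = m.group("status") == "Solidified"
    return info

def classify_block(status, event):
    """Apply the triage order given in the thread to one event and return a verdict."""
    if event["type"] not in ENFORCEMENT_EVENTS:
        return "not a block"
    if status.get("mode") != "Observe":
        return "expected: agent is in an enforcing mode"
    if status.get("mode") != status.get("mode_on_reboot"):
        return "possible cause: mode change pending reboot"
    if event.get("reputation_based"):
        return "possible cause: reputation-based block (trust in TIE or raise a GTI case)"
    return "unexpected in Observe mode: open a service request"
```

Run `classify_block(parse_sadmin_status(SADMIN_STATUS), ev)` over each event to get the verdict per file.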
Hi,
Yes, users are not able to remove or delete files. And that's why I opened the topic, because Solidcore was in Observe mode and was blocking access to files.
The version of Solidcore is 8.2.1.435.
I have edited the path of the executed file, of course, but it was a VBS script, which is still visible from the log.
MAC ships with a default policy that includes rules identified in-house to make most common, known applications work seamlessly in a MAC-enabled environment. But many environments have applications or versions that have not yet been tested by McAfee. If these applications create and execute new files or modify the whitelisted files, MAC blocks the action. This blocking can cause application issues or functionality loss.
Please refer to the section "If changes are allowed in Update mode, why is Observation mode needed?" from the below KB article
https://kc.mcafee.com/corporate/index?page=content&id=KB78223
I hope this answers your question.
I understand your point, and that's exactly why we put our servers in Observe mode at first. What I don't understand is why SC blocks the files when it's in Observe mode.