Maros
Level 7
Message 1 of 11

Solidcore blocking file write in observation mode


Hello All,

I have installed Solidcore in Observe mode on several servers, and it was reported to me that Solidcore is blocking the deletion or renaming of files.

This is the event for example. I'm kinda new to Solidcore so any help will be appreciated.

McAfee Application Control prevented an attempt to modify this file because this file is whitelisted. To make changes to whitelisted files, define a policy with the relevant rules.
File Write Denied
E:\XXXXXXX\Install_Fonts.vbs
10/22/19 11:08:10 AM CEST
20719
WRITE_DENIED
1,955
No
No
XXX
11624
044f48aa4b726924881597815a7c1b06
C:\Windows\explorer.exe
2381c7077d48ca9d7a39af7fa39f3d367678cc3a
888a2105f62ea40654a1b78de8e76ca1131c16e1d9fd28c75d7f4f3e1c0b8ff5
Not yet Reconciled
Not Applicable
3
FCN02

Thanks

1 Solution

Accepted Solutions
McAfee Employee AdithyanT
McAfee Employee
Message 11 of 11

Re: Solidcore blocking file write in observation mode


Hi @Maros,

Thank you for your response. Ideally, Block should not have happened. I am surprised that you have 2 machines with the same issue. Hence I would recommend creating a Service Request with us.

Can you confirm if a re-installation has any effect at all?

Apart from the reason below or a pending reboot, there should not be any other reason for Observe mode to block the script!

Why am I seeing blocking in Observe mode?
If reputation is enabled in the Application Control Options policy, MAC still prevents execution of potentially malicious files while in Update/Observe mode. It is advised to trust applications which are needed in the environment yet given a low reputation score in the TIE reputations page. If the reputation is from GTI, open a service request with Technical Support to analyze and suppress the detection.

Source: https://kc.mcafee.com/corporate/index?page=content&id=KB78223

Was my reply helpful?
If you find this post useful, Please give it a Kudos! Also, Please don't forget to select "Accept as a solution" if this reply resolves your query!

Thanks and regards,
Adithyan T


10 Replies
McAfee Employee AdithyanT
McAfee Employee
Message 2 of 11

Re: Solidcore blocking file write in observation mode


Hi @Maros,

Thank you for your post. May I know the result of this command when run on your command prompt as an administrator?

sadmin status

Kindly share the output with us.


Thanks and regards,
Adithyan T
Maros
Level 7
Message 3 of 11

Re: Solidcore blocking file write in observation mode


Hi Adithyan,

It was in Observe on both lines, current status and status after reboot too. I had to switch it to Update mode now because on several servers files were being blocked, Exchange PowerShell for example.

But here's the result from a different server on which I got PREVENTED_FILE_EXECUTION too:

C:\Windows\system32>sadmin status
McAfee Solidifier: Observe
McAfee Solidifier on reboot: Observe

ePO Managed: Yes
Local CLI access: Lockdown

  [fstype]  [status]      [driver status]  [volume]
* NTFS      Solidified    Attached         C:\
  NTFS      Unsolidified  Attached         E:\
  NTFS      Solidified    Attached         F:\
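
As an added example (not from the thread or from McAfee), a small Python helper that parses `sadmin status` output like the one above and applies the checks raised in this thread: a mode change still pending a reboot, a deny event arriving while the mode is Observe, and the solidification state of the volume holding the blocked file. The field names and the triage wording are my own.

```python
import re

# Constructed sample, shaped like the `sadmin status` output posted in the thread.
SAMPLE_STATUS = """McAfee Solidifier: Observe
McAfee Solidifier on reboot: Observe

ePO Managed: Yes
Local CLI access: Lockdown

[fstype] [status] [driver status] [volume]
* NTFS Solidified Attached C:\\
NTFS Unsolidified Attached E:\\
NTFS Solidified Attached F:\\
"""

# One volume row: optional leading '*', fstype, Solidified/Unsolidified, driver state, drive.
VOLUME_RE = re.compile(r"^\*?\s*(\S+)\s+(Solidified|Unsolidified)\s+(\S+)\s+(\S+)\s*$")


def parse_sadmin_status(text):
    """Turn the text of `sadmin status` into a dict (keys are assumptions, not McAfee's)."""
    info = {"volumes": {}}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("McAfee Solidifier on reboot:"):
            info["mode_on_reboot"] = line.split(":", 1)[1].strip()
        elif line.startswith("McAfee Solidifier:"):
            info["mode"] = line.split(":", 1)[1].strip()
        elif line.startswith("ePO Managed:"):
            info["epo_managed"] = line.split(":", 1)[1].strip() == "Yes"
        else:
            m = VOLUME_RE.match(line)
            if m:
                fstype, status, driver, volume = m.groups()
                info["volumes"][volume] = {"fstype": fstype, "driver": driver,
                                           "solidified": status == "Solidified"}
    return info


def triage_block(status, event_type, file_path):
    """Return findings for a block event, following the reasons given in the thread."""
    findings = []
    if status["mode"] != status["mode_on_reboot"]:
        findings.append("mode change pending reboot")
    if status["mode"] == "Observe":
        if event_type == "PREVENTED_FILE_EXECUTION":
            findings.append("execution ban in Observe mode: check file reputation (TIE/GTI)")
        else:
            findings.append(f"{event_type} in Observe mode is unexpected: open a support case")
    vol = status["volumes"].get(file_path[:3].upper())  # drive root, e.g. "E:\"
    if vol is not None and not vol["solidified"]:
        findings.append(f"target volume {file_path[:3]} is Unsolidified in sadmin status")
    return findings
```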

McAfee Employee AdithyanT
McAfee Employee
Message 4 of 11

Re: Solidcore blocking file write in observation mode


Hi @Maros,

Thank you for your response. Can you kindly reboot the machine to check? Is this a fresh installation or an upgrade?


Thanks and regards,
Adithyan T
McAfee Employee AdithyanT
McAfee Employee
Message 5 of 11

Re: Solidcore blocking file write in observation mode


Hi @Maros,

Apologies for the previous response. Looks like you have already tried a reboot. Please ensure you are using the latest version and if the issue still repeats, please do create a case with support for further investigation.


Thanks and regards,
Adithyan T
McAfee Employee Thussain
McAfee Employee
Message 6 of 11

Re: Solidcore blocking file write in observation mode


@Maros When you say "Solidcore is blocking the deleting or renaming the files":

Do you mean that users are trying to delete or rename files and are not able to?

In observe Mode Application Control is running but it only monitors and logs observations. The application control does not prevent any execution or changes made to the endpoints. Instead, it monitors execution activities and compares them with the local inventory and predefined rules.

Observe mode also supports reputation-based execution. When you execute a file, Application Control fetches its reputation and that of all certificates associated with the file to determine whether to allow or ban the file execution.

All files that are allowed to run in Observe mode are automatically added to the whitelist, if not already present in the whitelist. An observation is logged that corresponds to the action Application Control takes in Enabled mode.

McAfee Employee Thussain
McAfee Employee
Message 7 of 11

Re: Solidcore blocking file write in observation mode


From the logs you have shared, it appears to me that explorer.exe is trying to make changes to E:\XXXXXXX\Install_Fonts.vbs and it is being reported to the ePO. 

Could you let me know which version of Solidcore is installed on the machine?

Maros
Level 7
Message 8 of 11

Re: Solidcore blocking file write in observation mode


Hi,

Yes, users are not able to remove or delete files. And that's why I opened the topic, because Solidcore was in Observe mode and was blocking access to files.

Version of Solidcore is 8.2.1.435.

I have edited the path of the executed file, of course, but it was a VBS script, which is still visible from the log.

McAfee Employee Thussain
McAfee Employee
Message 9 of 11

Re: Solidcore blocking file write in observation mode


MAC ships with a default policy that includes rules identified in-house to make most common, known applications work seamlessly in a MAC-enabled environment. But many environments have applications or versions that have not yet been tested by McAfee. If these applications create and execute new files or modify the whitelisted files, MAC blocks the action. This blocking can cause application issues or functionality loss.

Please refer to the section "If changes are allowed in Update mode, why is Observation mode needed?" in the KB article below:

https://kc.mcafee.com/corporate/index?page=content&id=KB78223

I hope this answers your question.

Maros
Level 7
Message 10 of 11

Re: Solidcore blocking file write in observation mode


I understand your point, and that's exactly why we put our servers into Observe mode at first. What I don't understand is why SC blocks the files when it's in Observe mode.
