I discovered a strange behaviour of Application Control.
On Windows 7 (x64) a newly solidified file can be deleted and an event (WRITE_DENIED) is generated.
On Windows XP (x86) the behaviour is different: the newly solidified file cannot be deleted.
It is also weird that the deletion on the Windows 7 system doesn’t work for Windows files (like wmplayer.exe). It only works with custom binaries.
McAfee Agent Version on both systems: 126.96.36.1992
Application Control Version on both systems: 188.8.131.527
Step-by-step instructions to reproduce the issue:
- Activate Solidcore on Windows 7 (x64) system
- Copy any binary to that system
- Try to execute the binary => Execution denied
- Solidify this binary via CLI (sadmin so <Path of binary>)
- Try to execute the binary => Execution allowed
- Try to delete the binary => "WRITE_DENIED" event generated
- Windows UAC is asking you for administrator permission
- Continue with admin rights => the binary will be DELETED
Same issue with newer versions of Agent 184.108.40.2068 and AC 220.127.116.113.
Is it a bug or a feature?