Solidifier Driver/Endpoint Security Sensor Blocked?

My organization is in the planning stage of implementing MACC. This is a project I have inherited, and it looks like someone had already started building a whitelist. I'm not very familiar with this product. I've gone through the product guide, which is helpful, but I'm still not sure what to do.

I have a few devices currently in observe mode. I just deployed Solidcore to another device. As it was going through the solidification process, there were several alerts with the following:

McAfee Solidifier prevented an attempt to modify file 'C:\WINDOWS\system32\DRIVERS\swin.sys' by process/script C:\Windows\System32\rphcp.exe

Isn't swin.sys the Solidifier driver and rphcp.exe the security sensor?

The event viewer on the device shows:

Description: McAfee Application Control prevented an attempt to modify this file because this file is whitelisted. To make changes to whitelisted files, define a policy with the relevant rules.
Event Display Name: File Write Denied
Event File Name: C:\WINDOWS\system32\DRIVERS\swin.sys
Event Generated Time: 10/22/20 7:56:23 AM CDT
Event ID: 20719
Event Name: WRITE_DENIED
Event Sequence Number: 2
Generated by an Updater: No
Generated in an Update Window: No
Performed By: NT AUTHORITY\SYSTEM
Process ID: 5164

How can I fix this? It looks like it's appearing on a few of the test endpoints but not all of them.

Solidcore 8.3.0

ePolicy Orchestrator 5.10.0 (Build 2428)

Windows 10 1909 Enterprise

1 Reply
McAfee Employee

Re: Solidifier Driver/Endpoint Security Sensor Blocked?

@jstar: Thank you for reaching out to the community.

I understand you are seeing Write Denied events in the Windows event logs.

Can you kindly share the Solidcore logs or s3logs so that we can see the actual reason for this failure?

For Write Denied events, you can follow the small workaround below.

  1. Open an existing Solidcore Rule Group or create a rule group specifically for Application Control.
  2. Edit the existing or new rule group.
  3. Select the Exclusions tab and click Add.
  4. Expand Advanced options.
  5. Enable Exclude local path and all its contained files and sub-directories from the whitelist.

Kindly do keep us posted.
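Before adding exclusions as the reply suggests, it helps to know which (process, file) pairs are actually being denied and on how many hosts, and whether the denial happened outside any updater rule or update window. The following triage helper is an added example, not code from the thread or from McAfee: it parses the Solidifier alert text and the event-viewer record in the exact formats quoted in the question, aggregates denials per process/file pair, and flags records that need a policy rule. The host names, the second and third alert lines, and the `needs_policy` interpretation of the "Generated by an Updater" / "Generated in an Update Window" fields are assumptions for illustration.

```python
"""Triage helper for McAfee Application Control (Solidcore) WRITE_DENIED events.

Added example: parses the two event formats quoted in the forum post and
summarizes which process/file pairs are being denied on which hosts.
"""
import re
from collections import defaultdict

# Format of the ePO alert text quoted in the post:
#   McAfee Solidifier prevented an attempt to modify file '<path>' by process/script <path>
ALERT_RE = re.compile(
    r"McAfee Solidifier prevented an attempt to (?P<action>\w+) file "
    r"'(?P<file>[^']+)' by process/script (?P<process>.+?)\s*$"
)

# Field names exactly as they appear in the event-viewer record in the post.
RECORD_FIELDS = [
    "Description", "Event Display Name", "Event File Name", "Event Generated Time",
    "Event ID", "Event Name", "Event Sequence Number", "Generated by an Updater",
    "Generated in an Update Window", "Performed By", "Process ID",
]

# Constructed sample input (assumption): host names are invented; the first alert
# is the one quoted in the post, the others are made up to show aggregation.
SAMPLE_ALERTS = [
    ("WKS-01", r"McAfee Solidifier prevented an attempt to modify file "
               r"'C:\WINDOWS\system32\DRIVERS\swin.sys' by process/script C:\Windows\System32\rphcp.exe"),
    ("WKS-02", r"McAfee Solidifier prevented an attempt to modify file "
               r"'C:\WINDOWS\system32\DRIVERS\swin.sys' by process/script C:\Windows\System32\rphcp.exe"),
    ("WKS-02", r"McAfee Solidifier prevented an attempt to modify file "
               r"'C:\Program Files\ExampleApp\app.dll' by process/script C:\Program Files\ExampleApp\updater.exe"),
    ("WKS-03", "Solidcore agent started"),  # unrelated line, must be ignored
]

# The event-viewer record from the post, verbatim (raw string keeps the backslashes).
SAMPLE_RECORD = r"""
Description McAfee Application Control prevented an attempt to modify this file because this file is whitelisted. To make changes to whitelisted files, define a policy with the relevant rules.
Event Display Name File Write Denied
Event File Name C:\WINDOWS\system32\DRIVERS\swin.sys
Event Generated Time 10/22/20 7:56:23 AM CDT
Event ID 20719
Event Name WRITE_DENIED
Event Sequence Number 2
Generated by an Updater No
Generated in an Update Window No
Performed By NT AUTHORITY\SYSTEM
Process ID 5164
"""


def parse_alert(text):
    """Return {'action', 'file', 'process'} for a Solidifier alert line, else None."""
    m = ALERT_RE.search(text)
    if not m:
        return None
    return {"action": m.group("action"), "file": m.group("file"), "process": m.group("process")}


def parse_record(text):
    """Parse the 'Field value' lines of an event-viewer record into a dict.

    Field names contain spaces, so each line is matched against the known
    field names, longest first, instead of splitting on whitespace.
    """
    rec = {}
    for line in text.strip().splitlines():
        line = line.strip()
        for name in sorted(RECORD_FIELDS, key=len, reverse=True):
            if line.startswith(name + " "):
                rec[name] = line[len(name) + 1:].strip()
                break
    return rec


def needs_policy(rec):
    """True when a WRITE_DENIED event was not covered by an updater or update window.

    Assumption: such a denial will recur until a rule group (updater rule or
    exclusion) covers the writer or the target path.
    """
    return (rec.get("Event Name") == "WRITE_DENIED"
            and rec.get("Generated by an Updater") == "No"
            and rec.get("Generated in an Update Window") == "No")


def summarize(alerts):
    """Aggregate (host, alert_text) pairs into {(process, file): {count, hosts}}."""
    agg = defaultdict(lambda: {"count": 0, "hosts": set()})
    for host, text in alerts:
        parsed = parse_alert(text)
        if parsed is None:
            continue  # not a Solidifier denial, skip
        entry = agg[(parsed["process"], parsed["file"])]
        entry["count"] += 1
        entry["hosts"].add(host)
    return {k: {"count": v["count"], "hosts": sorted(v["hosts"])} for k, v in agg.items()}


def report(alerts):
    """Human-readable lines, most frequent process/file pair first."""
    rows = sorted(summarize(alerts).items(), key=lambda kv: (-kv[1]["count"], kv[0]))
    return [f"{c['count']:>3}x  {p}  ->  {f}  on {', '.join(c['hosts'])}" for (p, f), c in rows]


if __name__ == "__main__":
    for line in report(SAMPLE_ALERTS):
        print(line)
    rec = parse_record(SAMPLE_RECORD)
    print("needs policy rule:", needs_policy(rec), "| process id", rec["Process ID"])
```

Run it as-is to see the two denied pairs from the constructed sample; in practice feed it lines exported from ePO or from the endpoint event log. The pair with the highest count across the most hosts is the one to investigate first, and the writer path tells you whether an updater rule (trust the process) or an exclusion (unprotect the path) is the right fix for it.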
