I recently opened a ticket with support to get information on how to correct a WRITE_DENIED Event to a file that needs to be updated on a regular basis. The Event (see below) states that since the file secedit.sdb is solidified, it cannot be modified. The first suggestion from support was to unsolidify the file. My follow-up question was how to create a policy to not solidify certain files. The Support tech I talked to for the second question said that in order for a file to be modified, it MUST be solidified and I had the option of creating an authorized updater or creating a trusted directory for the files.
Prior to yesterday, my understanding of whitelists/solidification was that a file needs to be solidified only if it needs to be executed and that Solidcore only solidifies files that are dll, exe, ps1, bat, etc., not Log, txt, type files for example.
What is the correct answer here? If unsolidifying a file allows it to be modified, how do I prevent that file from being solidified when solidifying the local drives?
Attached an example of one of the events:
We have seen some Microsoft database files getting solidified. This behavior is random, as some systems do not report this event within the same environment. The suggestion to fix this is:
1. Create a SC: Run Command client task.
2. Type "skiplist -s <path_to_file>" without quotes.
3. Schedule the task to run at least once a day.
The above command tells Solidcore to never solidify the file.