cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
rbenson09
Level 10
Report Inappropriate Content
Message 1 of 10

add PSEXESVC.EXE to whitelist

is there any way to whitelist PSEXEC? When I try to go to Solidcore events > create policy I get an error message "Rule recommendations are not populated because file checksum is unavailable.". Adding it to Solidcore Rules > Executable tab also does not appear to be working.

9 Replies
BenEllis
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 2 of 10

Re: add PSEXESVC.EXE to whitelist

You should be able to add it by name.. In the Executables tab then click add allow by name.

 

You can also test by running "sadmin attr add -a psexesvc.exe"

McAfee Support

Benjamin Ellis

Was my reply helpful?

If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and together we can help other members?

rbenson09
Level 10
Report Inappropriate Content
Message 3 of 10

Re: add PSEXESVC.EXE to whitelist

thank you. so i tried that and ran the command you gave. it had a return code of 0. does this just add the file to the local whitelist?

BenEllis
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 4 of 10

Re: add PSEXESVC.EXE to whitelist

No this adds it to your always allow  rules. THis will always allow to run even if not solidified. 

 

If you want to add it to whitelist. "Sadmin so <path\file>" then it will be added to the whitelist.

McAfee Support

Benjamin Ellis

Was my reply helpful?

If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and together we can help other members?

rbenson09
Level 10
Report Inappropriate Content
Message 5 of 10

Re: add PSEXESVC.EXE to whitelist

how would I allow it to run globally? I added PSEXESVC.EXE to the global rule under executables but its still being blocked

BenEllis
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 6 of 10

Re: add PSEXESVC.EXE to whitelist

so did you verify that the rule is on your machine? you can check the machine for "Sadmin attr list" 

Did you do it via attr or solidification?  Lets start there. Do you have a block from a machine that still blocking? Can you tell me what it says in the S3diag.log.. Also i need you to confirm how you added it to your policy. A screen shot will work.

 

If you added it by name in your policy then also collect "sadmin attr list" from that client when collecting data.

McAfee Support

Benjamin Ellis

Was my reply helpful?

If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and together we can help other members?

GenS
Level 8
Report Inappropriate Content
Message 7 of 10

Re: add PSEXESVC.EXE to whitelist

@BenEllis 

I added PSEXESVC.exe to the executables tab in my policy. On my Solidcore-enabled device, this is the output line from sadmin attr list:

a------------------- "pSEXESVC.exe"

The entries from S3diag.log related to this:

<WRITE_DENIED file_name="C:\Windows\PSEXESVC.exe" pid="4" process_name="System" ppid="4" parent_process_name="System" event_time="1605533964511" event_time_system="Nov 16 2020:13:39:24" is_system_file="false" deny_reason="File-solidified" user_name="domain\admin" />
<WRITE_DENIED file_name="C:\Windows\PSEXESVC.exe" pid="4" process_name="System" ppid="4" parent_process_name="System" event_time="1605533964589" event_time_system="Nov 16 2020:13:39:24" is_system_file="false" deny_reason="File-solidified" user_name="domain\admin" />
<WRITE_DENIED file_name="C:\Windows\PSEXESVC.exe" pid="4" process_name="System" ppid="4" parent_process_name="System" event_time="1605533964714" event_time_system="Nov 16 2020:13:39:24" is_system_file="false" deny_reason="File-solidified" user_name="domain\admin" />
<WRITE_DENIED file_name="C:\Windows\PSEXESVC.exe" pid="4" process_name="System" ppid="4" parent_process_name="System" event_time="1605533964714" event_time_system="Nov 16 2020:13:39:24" is_system_file="false" deny_reason="File-solidified" user_name="domain\admin" />

Screenshot of policy is attached.

ktankink
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 8 of 10

Re: add PSEXESVC.EXE to whitelist

To negate the WRITE_DENIED block for C:\Windows\PSEXESVC.exe, you'll need to add a 'skiplist -d' rule for the executable (since you should not add 'System' as an Updater).

In the Application Control Rules policy, under the Exclusion tab, add an Exclude path from write-protection rules rule for \Windows\PSEXESVC.exe.  This will allow any process to modify the C:\Windows\PSEXESVC.exe file without the need for Updater permissions.

GenS
Level 8
Report Inappropriate Content
Message 9 of 10

Re: add PSEXESVC.EXE to whitelist

@ktankink Thank you. Excluding the path from write-protection rules resolved this one for me.

GenS
Level 8
Report Inappropriate Content
Message 10 of 10

Re: add PSEXESVC.EXE to whitelist

Did you ever get this issue resolved? I'm having the same issue. Like many places, we use PSEXEC for remote administration. We're currently in the planning stages of deploying Solidcore to our endpoints. When we try to remotely connect via PSEXEC to an endpoint with Solidcore enabled, it's blocked. Like you, I tried Ben's suggestion, but it isn't resolving the issue. I've tried a few different ways to try to get PSEXEC to work, but I'm stuck. I think an execution policy needs to be configured, but I can't get it to work.
You Deserve an Award
Don't forget, when your helpful posts earn a kudos or get accepted as a solution you can unlock perks and badges. Those aren't the only badges, either. How many can you collect? Click here to learn more.

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from McAfee experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by McAfee employees.
Join the Community
Join the Community