I am trying to integrate our new software at a client's location that uses McAfee on a domain. Our software creates its own database files and starts a LocalDB instance (creating the instance files at runtime and using them to start sqlservr.exe). I get an access denied error when the process tries to start a second time. The security descriptors on the files seem OK, but I also have some audit logs that are actively changing security descriptors on HANDLES. Could this be an effect of the McAfee suite? Would any of the endpoint security processes be changing the security descriptors of running handles to only allow users from the domain to use specific files?
If you are looking to determine ENS module involvement in your issue, the best method for isolating which component (if any) is the perpetrator would be progressive disablement. Does the issue still occur if you temporarily disable Access Protection? What about On-Access Scanner? If so for either, then you would want to do the following, respectively: check the AP log at %deflogdir% to determine the triggered rule for which you could implement a process exclusion, or implement the ZZZ test to determine if a strategic OAS exclusion of your software's processes may resolve the issue.
ENS will not change the descriptors of running handles, but depending on product rules in place/configuration, it can prevent actions attempted by processes on the system.
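One way to test whether the file security descriptors really change between the first and second start, as an added example that is not part of either post above: run it once before the first start to save a baseline, reproduce the access denied error, then run it again. The parameter names `InstanceDir` and `Baseline`, the function `Get-SdSnapshot` and the baseline file name are hypothetical.

```powershell
# Added example (not from the thread): snapshot the security descriptors of the
# LocalDB instance files, then compare them after the failing second start.
param(
    # Assumption: folder where the application creates its instance files.
    [Parameter(Mandatory)] [string] $InstanceDir,
    # Assumption: where the baseline snapshot is kept between runs.
    [string] $Baseline = (Join-Path $env:TEMP 'localdb-sd-baseline.json')
)

function Get-SdSnapshot([string] $Dir) {
    Get-ChildItem -LiteralPath $Dir -Recurse -File | ForEach-Object {
        try {
            $acl = Get-Acl -LiteralPath $_.FullName -ErrorAction Stop
            [pscustomobject]@{ Path = $_.FullName; Owner = $acl.Owner; Sddl = $acl.Sddl; Error = $null }
        } catch {
            # A read failure is itself a finding: record it instead of aborting.
            [pscustomobject]@{ Path = $_.FullName; Owner = $null; Sddl = $null; Error = $_.Exception.Message }
        }
    }
}

$now = @(Get-SdSnapshot $InstanceDir)

if (-not (Test-Path -LiteralPath $Baseline)) {
    # First run: store the baseline and stop.
    ConvertTo-Json -InputObject $now -Depth 3 | Set-Content -LiteralPath $Baseline -Encoding UTF8
    Write-Host "Baseline of $($now.Count) files saved to $Baseline. Reproduce the failure, then run again."
    return
}

# Second run: index the baseline by path and diff owner and SDDL per file.
$old = @{}
$before = Get-Content -LiteralPath $Baseline -Raw | ConvertFrom-Json
foreach ($f in $before) { $old[$f.Path] = $f }

$changes = foreach ($f in $now) {
    $b = $old[$f.Path]
    if ($f.Error) {
        [pscustomobject]@{ Path = $f.Path; Change = "unreadable: $($f.Error)"; Before = $b.Sddl; After = $null }
    } elseif (-not $b) {
        [pscustomobject]@{ Path = $f.Path; Change = 'new file'; Before = $null; After = $f.Sddl }
    } elseif ($b.Sddl -ne $f.Sddl -or $b.Owner -ne $f.Owner) {
        [pscustomobject]@{ Path = $f.Path; Change = 'descriptor changed'; Before = $b.Sddl; After = $f.Sddl }
    }
}

if ($changes) { $changes | Format-List }
else { Write-Host 'No owner or SDDL changes between the baseline and now.' }
```

If the output shows no changes while the second start still fails, the descriptors on disk are not what moved, which is consistent with the reply's point that a rule may be blocking the action instead.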