I discovered a strange behaviour of Application Control.
On Windows 7 (x64) a newly solidified file can be deleted and an event (WRITE_DENIED) is generated.
On Windows XP (x86) the behaviour is different: the newly solidified file cannot be deleted.
It is also weird that the deletion on the Windows 7 system doesn’t work for Windows files (like wmplayer.exe). It only works with custom binaries.
McAfee Agent Version on both systems: 18.104.22.1682
Application Control Version on both systems: 22.214.171.1247
Step-by-step instructions to reproduce the issue:
- Activate Solidcore on a Windows 7 (x64) system
- Copy any binary to that system
- Try to execute the binary => Execution denied
- Solidify this binary via CLI (sadmin so <Path of binary>)
- Try to execute the binary => Execution allowed
- Try to delete the binary => "WRITE_DENIED" event generated
- Windows UAC is asking you for administrator permission
- Continue with admin rights => the binary will be DELETED
Same issue with newer versions of Agent 126.96.36.1998 and AC 188.8.131.523.
Is it a bug or a feature?