0 Replies Latest reply on Aug 9, 2017 4:32 AM by forusim

    Solidified binaries can be deleted in Windows 7

    forusim

      Hello community,

      I discovered a strange behaviour of Application Control.

      On Windows 7 (x64) a newly solidified file can be deleted and an event (WRITE_DENIED) is generated.

      On Windows XP (x86) the behaviour is different: the newly solidified file cannot be deleted.

      It is also weird that the deletion on the Windows 7 system doesn't work for Windows files (like wmplayer.exe). It only works with custom binaries.


      McAfee Agent Version on both systems: 5.0.3.272
      Application Control Version on both systems: 6.2.0.567

       

      Step-by-step instructions to reproduce the issue:

      - Activate Solidcore on a Windows 7 (x64) system
      - Copy any binary to that system
      - Try to execute the binary => Execution denied
      - Solidify this binary via CLI (sadmin so <Path of binary>)
      - Try to execute the binary => Execution allowed
      - Try to delete the binary => "WRITE_DENIED" event generated
      - Windows UAC asks you for administrator permission
      - Continue with admin rights => the binary will be DELETED

      Same issue with newer versions of Agent 5.0.5.658 and AC 7.0.1.413.

       

      Is it a bug or a feature?