0 Replies Latest reply on Aug 9, 2017 4:32 AM by forusim

    Solidified binaries can be deleted in Windows 7


      Hello community,


      I discovered a strange behaviour of Application Control.


      On Windows 7 (x64) a newly solidified file can be deleted and an event (WRITE_DENIED) is generated.

      On Windows XP (x86) the behaviour is different: the newly solidified file cannot be deleted.

      It is also weird that the deletion on the Windows 7 system doesn’t work for Windows files (like wmplayer.exe). It only works with custom binaries.


      McAfee Agent Version on both systems:
      Application Control Version on both systems:


      Step-by-step instructions to reproduce the issue:

      -  Activate Solidcore on Windows 7 (x64) system
      -  Copy any binary to that system
      -  Try to execute the binary => Execution denied
      -  Solidify this binary via CLI (sadmin so <Path of binary>)
      -  Try to execute the binary => Execution allowed
      -  Try to delete the binary => "WRITE_DENIED" event generated
      -  Windows UAC is asking you for administrator permission
      -  Continue with admin rights => the binary will be DELETED


      Same issue with newer versions of Agent and AC


      Is it a bug or a feature?