6 Replies Latest reply on Oct 4, 2011 11:10 AM by Sumdumgi

    Security Update for SQL failing

    Sumdumgi

      We are currently using Integrity Monitor, 5.1.0-6824.  Application Control and Change Control are not installed/configured. 

       

      On June 25, 2011, the Security Update for SQL, KB 2494089 failed to install with error 0x80070643 on four different SQL servers.  Solidcore was instantly blamed by the support staff.  On one server, we disabled Solidcore, rebooted the server, and the patch promptly began to install.  It appears that Solidcore is blocking something even though it should be monitoring only. 

       

      I reviewed the settings and ran sadmin to see if I was missing something.  Here are the results:

       

      sadmin rp -l          no results (as expected)

      sadmin wp -l         no results (as expected)

      sadmin wpr -l       no results (as expected)

       

      So it seems that nothing should be blocked.  But then I checked one more setting:

       

      sadmin features list          deny-write Enabled

       

      Is this setting normal and could it be the cause of the patch not installing?  Other patches install just fine with Solidcore enabled, just not this particular one.  I could always disable this feature, but wanted to find out if this is standard behavior.

       

      Thanks,

        • 1. Re: Security Update for SQL failing
          gjoshi

          It is possible if the patch is trying to write over 'pendingfilerenameoperation' registry value.

          Please switch to update mode using the 'BU task' from ePO or by running the 'sadmin bu' command locally on the host, and install the patch.

          • 2. Re: Security Update for SQL failing
            Sumdumgi

            Thanks for responding Joshi.  Yes, this server, and others are showing "Solidifier prevented an attempt to modify Registry key...PendingFileRenameOperations"

             

            I can understand using an update mode for application or change control, but we are only using Integrity Monitor.  We do not want to block any actions taken on the servers, just monitor all activity.

             

            If Integrity Monitor still blocks hidden values, where can we view these values?  As you can see from my previous post, nothing appears to be write protected. 

             

            Is disabling the deny-write feature a good alternative? 

            Or is it possible that this problem was corrected in a later patch?

             

            Any help would be appreciated.  Thanks

            • 3. Re: Security Update for SQL failing
              gjoshi

              This is not an issue; this is done deliberately, as anyone can write an entry (to delete any system file) to the registry and the machine can be compromised.

              Yes, disabling the deny-write feature should help here, but then write-protection will not work. If you know the process that is trying to modify the registry, please configure it as an Updater.
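
An added example, not part of the thread and not McAfee code: a PowerShell audit of what is currently queued in `PendingFileRenameOperations`, the value the replies above say is write-protected because an entry in it can delete a system file at the next boot. It assumes the standard layout of that value (source/destination pairs under the Session Manager key); the function name and the sample paths are constructed for illustration.

```powershell
# Added example: list the operations queued in PendingFileRenameOperations.
# The value is a REG_MULTI_SZ of (source, destination) pairs that the Session
# Manager processes at the next boot:
#   empty destination        -> delete the source file
#   destination starts '!'   -> move and replace an existing file
#   anything else            -> plain move/rename
function ConvertFrom-PendingFileRename {   # hypothetical helper name
    param([string[]]$Entries)

    for ($i = 0; $i -lt $Entries.Count; $i += 2) {
        $src = $Entries[$i]
        # A trailing empty destination can be missing from the array.
        $dst = if ($i + 1 -lt $Entries.Count) { $Entries[$i + 1] } else { '' }
        if ([string]::IsNullOrEmpty($src)) { continue }

        $action = if ([string]::IsNullOrEmpty($dst)) { 'Delete' }
                  elseif ($dst.StartsWith('!'))      { 'Replace' }
                  else                               { 'Rename' }

        [pscustomobject]@{
            Action      = $action
            # Strip the NT object-path prefix (\??\) for readability.
            Source      = $src -replace '^\\\?\?\\', ''
            Destination = $dst.TrimStart('!') -replace '^\\\?\?\\', ''
        }
    }
}

# Constructed sample data (not taken from the servers in this thread).
$sample = @(
    '\??\C:\Windows\Temp\setup_a.tmp', '',
    '\??\C:\Program Files\Example\new.dll', '!\??\C:\Program Files\Example\app.dll'
)
ConvertFrom-PendingFileRename -Entries $sample | Format-Table -AutoSize

# Live value on the local host, if one is present.
$key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$live = (Get-ItemProperty -Path $key -Name PendingFileRenameOperations `
         -ErrorAction SilentlyContinue).PendingFileRenameOperations
if ($live) { ConvertFrom-PendingFileRename -Entries $live | Format-Table -AutoSize }
```

Reading the value needs no update mode; only writes to it are affected by the protection discussed here.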

              • 4. Re: Security Update for SQL failing
                Sumdumgi

                I think we are having a misunderstanding here.  We purchased Integrity Monitoring as a monitoring software.  We did not install or configure Application Control or Change Control.  We did not want to hamper the ability of the server or the applications on the server to function.  This involves a vendor created application, and by contract we are not allowed to prevent any modification on the server, but by the same token, we need to monitor any changes for audit purposes.  We were encouraged to purchase Integrity Monitoring for this purpose. 

                 

                When you run sadmin wp or wpr, there are no rules showing that anything is write protected.  But what you are saying, is that no matter what, Integrity Monitoring will still "prevent" some modifications to the O/S.  Right now, Solidcore is being blamed for performance issues, and the occasional "Solidifier prevented an attempt..." only exacerbates the situation.  This message only appears when Microsoft security updates are installed.  Not all updates, and not all servers.

                 

                Are you sure that Integrity Monitor is supposed to prevent modification, just like Application Control and Change Control?  If so, then we were misled when we purchased this software.

                • 5. Re: Security Update for SQL failing
                  RobertM

                  Integrity Monitor will prevent modification to the Solidcore install directory and Registry. Please see the "Tamper-proofing for Solidifier Software and Configuration" section in the Solidifier Product Guide for Integrity Monitor and Change Control.

                   

                  It is suggested to configure updaters or change to update mode to apply changes to the system. Disabling write-deny will open the system for processes or users to overwrite Solidcore files.

                   

                  Other customers have reported the same issue. I suggest you submit a PER (Product Enhancement Request) to change the Solidcore design or add features to allow modification to the PendingFileRenameOperations registry key. You can follow the URL below to submit a PER.

                   

                  https://mcafee.acceptondemand.com/

                  • 6. Re: Security Update for SQL failing
                    Sumdumgi

                    I received a reply back from McAfee Support, and after they finally understood that we were only using Integrity Monitoring, and that we desired no Write Protect, they agreed that my suggestion of disabling the Write Protect feature was the correct response to this error.