If you do not really know Solidcore and there are 1000s of systems using it in your environment, I would hope that someone in your organization supports it??? To answer some of your questions, yes, App Control is likely blocking stuff and it is generating events that need to be reviewed. Upon review, configuration changes would then need to be made in the policies being applied to those systems. Solidcore is a dynamic whitelisting application in that it takes inventory of the system in its current state and then locks it down saying only this list of apps and files can be modified.... but there are configuration changes that can be made after the fact (hence the term: "dynamic") that will allow new apps to run or existing apps to update etc... You really need to understand Solidcore though in order to do these things. You will either need to manage them locally (man I hope not with that many systems) or you need to manage it via ePO.
Does that help at all?
Yes, they have a team of people supporting the systems and I'm sure they would be using ePO. No apps are updated but it would seem that the whitelisting is not allowing inter process communication somehow originating from the NTVDM. The whitelisting inventory of files is probably fine since the files are not changing aside from a few logs. Where are the Solidcore logs generated/stored, locally or on a central server? What command would be run so that we can review the logs to try to see what it's generating? Once we find the offending option it can be disabled as necessary I hope.
That's good to hear. You should be able to ask them and their ePO admin should be able to view the events in their ePO Console. There are logs located on the local system, the most useful being the Windows Application events... especially for blocked events, but here are the Solidcore generated ones:
- Solidcore version previous to 6.0: <installation-dir>\Program Files\McAfee\Solidcore\Logs
- Windows 2000, 2003, XP: <installation-dir>\Documents and Settings\All Users\Application Data\McAfee\Solidcore\Logs
- Windows 7 (and later): <installation-dir>\Program data\McAfee\Solidcore\Logs
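As an added example (not from the original thread or from McAfee), the PowerShell below checks the three log locations listed above on a local host, shows the newest files and the tail of the most recent one, and then pulls recent Windows Application events that mention Solidcore. The log directory paths are taken from the answer above; the filter on the text "Solidcore" in the provider name or message is an assumption, since the thread does not give the event source name.

```powershell
# Added example (not from the original thread): locate Solidcore's local log folders
# on a Windows host and pull the most recent entries, plus any Application-log
# events that mention Solidcore. Paths follow the list in the answer above; the
# match on "Solidcore" in provider/message text is an assumption, not a documented name.

$candidates = @(
    (Join-Path $env:ProgramFiles 'McAfee\Solidcore\Logs'),                     # Solidcore < 6.0
    (Join-Path $env:ALLUSERSPROFILE 'Application Data\McAfee\Solidcore\Logs'),  # Windows 2000/2003/XP
    (Join-Path $env:ProgramData 'McAfee\Solidcore\Logs')                       # Windows 7 and later
)

$found = $candidates | Where-Object { Test-Path -LiteralPath $_ }
if (-not $found) {
    Write-Warning 'No Solidcore log directory found at any of the known locations.'
} else {
    foreach ($dir in $found) {
        Write-Host "== $dir =="
        $files = Get-ChildItem -LiteralPath $dir -File | Sort-Object LastWriteTime -Descending
        $files | Select-Object -First 5 Name, Length, LastWriteTime | Format-Table -AutoSize

        # Tail the newest log file so a blocked-execution entry is visible without opening it
        $newest = $files | Select-Object -First 1
        if ($newest) { Get-Content -LiteralPath $newest.FullName -Tail 40 }
    }
}

# Windows Application log: blocked events show up here. Restrict to the last 7 days so the
# review stays focused on the period when the affected application was misbehaving.
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; StartTime = (Get-Date).AddDays(-7) } -ErrorAction SilentlyContinue |
    Where-Object { $_.ProviderName -match 'Solidcore' -or $_.Message -match 'Solidcore' } |
    Select-Object TimeCreated, Id, ProviderName, @{ n = 'Message'; e = { $_.Message -replace "`r?`n", ' ' } } |
    Format-Table -AutoSize -Wrap
```

Run it in an elevated PowerShell session on one of the affected hosts. On Windows 2000/2003/XP, Get-WinEvent is not available, so replace that call with Get-EventLog -LogName Application -After (Get-Date).AddDays(-7); the rest of the script is unchanged. The executables named in the blocked events are the ones to review against the policy applied through ePO.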
Dozens of re-imaged machines later... I'm marking the logs as correct because the logs helped to narrow down the problem after many months and the problem seems to be resolved after adding the blocked executables to the 'exceptions list'. I haven't received further feedback so I'm guessing that this is not an issue for them any more.