3 Replies Latest reply on Sep 8, 2016 10:35 PM by aus_mick

    Solidcore: Order of rules and Block execution by user.

    lozaza

      Hi Mcafee Experts,

       

I am a new McAfee user and have a question. Thanks in advance for all the help and effort.

       

This is regarding the precedence of the rules. The ACCC admin guide (8-22) says the order of the rules from highest precedence to lowest is checksum, publisher, name, trusted path, whitelist. But where is the trusted user in this order?

       

Also, is this order different between versions? Below is what I found in the ACCC Product Guide 7.0.0.

       

[image: Capture1.JPG]

Below is the ACCC Product Guide 6.2:

       

[image: Capture2.JPG]

       

But the funny thing is, I did a test in my ACCC (7.0) ePO environment. I added a user to the trusted user group (I added it from AD, so no misspelling there), then banned iexplorer.exe by name. So in theory, per figure 1 above, this user should be able to use iexplorer while others can't, but execution is still denied (I did log out and back in and re-enforced the policies several times). Is my understanding correct? It seems the user cannot override banned executables.

       

Also, what's the best way to give different people access to different applications, e.g. only John can run the IBM tool, or only Josh can run the HP tool?

       

      Regards,

       

      JS

        • 1. Re: Solidcore: Order of rules and Block execution by user.
          aus_mick

          lozaza

           

Did you review the Windows Event (Application) logs for any events generated by Solidcore? Also, it may pay to review the `Solidcore.log` diagnostic log in the path C:\ProgramData\McAfee\Solidcore\Logs\.

           

For what it is worth, my understanding of the Trusted User privilege is that it allows the user to make dynamic changes to the local whitelist; I don't believe it's a mechanism to implement granular access to execute a binary based on user. I wouldn't expect Solidcore to treat execution of a binary as a modification attempt, therefore the Trusted User rule would not be applicable, and I would expect the Banned Binary rule to be the next match, hence the Execution Denied behaviour.

           

          HTH,

          Mick
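A toy model of the rule precedence quoted in the question, added here as an illustration; it is not McAfee's code and not taken from the product guide. It encodes the order checksum > publisher > name > trusted path > whitelist, treats trusted-user membership only as a whitelist-modification privilege (aus_mick's reading above, not a documented fact), and shows the name-based ban on iexplore.exe winning over the whitelist for every user, while an allow-by-checksum rule for the exact build would outrank the name ban under that order. The paths, file bytes, hashes, account names, the use of SHA-1 and the "first match within a kind wins" simplification are all constructed assumptions.

```python
"""Toy model of ACCC execution-rule precedence (added example, not product code).

Order, highest to lowest, as quoted from the product guide in the thread:
checksum > publisher > name > trusted path > whitelist.
Trusted-user membership is deliberately NOT an execution rule here; it only
grants the right to change the whitelist. All data below is constructed.
"""
import hashlib
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

PRECEDENCE = ("checksum", "publisher", "name", "trusted_path", "whitelist")


@dataclass(frozen=True)
class Binary:
    path: str                        # full path on disk (constructed)
    content: bytes                   # stand-in for the file bytes (constructed)
    publisher: Optional[str] = None  # signer CN, None if unsigned

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1].lower()

    @property
    def sha1(self) -> str:
        # Checksum rules are keyed on a file hash; SHA-1 is an assumption here.
        return hashlib.sha1(self.content).hexdigest()


@dataclass(frozen=True)
class Rule:
    kind: str    # one of PRECEDENCE except "whitelist"
    value: str   # hash, publisher CN, file name, or directory prefix
    allow: bool  # True = allow, False = ban


@dataclass
class Policy:
    rules: List[Rule] = field(default_factory=list)
    whitelist: Set[str] = field(default_factory=set)      # solidified paths
    trusted_users: Set[str] = field(default_factory=set)

    def _matches(self, rule: Rule, binary: Binary) -> bool:
        if rule.kind == "checksum":
            return rule.value.lower() == binary.sha1
        if rule.kind == "publisher":
            return binary.publisher is not None and rule.value == binary.publisher
        if rule.kind == "name":
            return rule.value.lower() == binary.name
        if rule.kind == "trusted_path":
            return binary.path.lower().startswith(rule.value.lower())
        raise ValueError(f"unknown rule kind {rule.kind!r}")

    def decide(self, binary: Binary, user: str) -> Tuple[str, str]:
        """Return ("allow"|"deny", reason) for an execution attempt by `user`.

        `user` is accepted only to make the point: membership in
        trusted_users never changes the outcome. Simplification: within one
        kind, the first matching rule wins.
        """
        for kind in PRECEDENCE:
            if kind == "whitelist":
                if binary.path.lower() in self.whitelist:
                    return "allow", "whitelist"
                continue
            for rule in self.rules:
                if rule.kind == kind and self._matches(rule, binary):
                    verdict = "allow" if rule.allow else "deny"
                    return verdict, f"{kind}:{rule.value}"
        return "deny", "not solidified and no matching rule"

    def can_modify_whitelist(self, user: str) -> bool:
        """What trusted-user membership does grant in this model."""
        return user in self.trusted_users


# Constructed sample binary standing in for the poster's Internet Explorer.
IE = Binary(
    path=r"C:\Program Files (x86)\Internet Explorer\iexplore.exe",
    content=b"constructed stand-in for iexplore.exe bytes",
    publisher="Microsoft Corporation",
)


def build_thread_policy() -> Policy:
    """Reproduce the thread: IE is whitelisted, banned by name, John is trusted."""
    policy = Policy()
    policy.whitelist.add(IE.path.lower())
    policy.trusted_users.add("CORP\\john")          # constructed account names
    policy.rules.append(Rule("name", "iexplore.exe", allow=False))
    return policy


def demo() -> dict:
    policy = build_thread_policy()
    results = {
        "standard_user": policy.decide(IE, "CORP\\jane"),
        "trusted_user": policy.decide(IE, "CORP\\john"),
        "john_can_edit_whitelist": policy.can_modify_whitelist("CORP\\john"),
    }
    # Under the quoted order a checksum rule outranks a name rule, so an
    # allow-by-checksum for this exact build is what lifts the ban.
    policy.rules.append(Rule("checksum", IE.sha1, allow=True))
    results["after_checksum_allow"] = policy.decide(IE, "CORP\\jane")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run as a script it prints the verdict for the standard user, the trusted user, and the standard user again after the checksum allow rule is added; the first two are identical, which is the behaviour the question reports. The model only follows the precedence list as quoted; how the real agent resolves a conflicting allow and ban of the same kind is not covered by the thread and is not claimed here.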

          • 2. Re: Solidcore: Order of rules and Block execution by user.
            lozaza

            Thanks Mick, I agree with you and I am going to implement this in change control to give read access to a particular executable.

             

            Js

            • 3. Re: Solidcore: Order of rules and Block execution by user.
              aus_mick

              Js,

               

I haven't tested this myself, but a possible workaround could be using the `skiplist -s "C:\Program Files (x86)\Internet Explorer\iexplore.exe"` command to prevent Internet Explorer from being added to the local system whitelist. Remove your Banned Binary rule for `iexplore.exe`, then attempt to execute it as a standard user and then as a Trusted User; can you launch Internet Explorer? Note that if this workaround is successful, `iexplore.exe` wouldn't have any write protection, therefore malicious code could potentially be injected into Internet Explorer that a Trusted User could execute. I'd be interested to know if this does work.

               

              Cheers,

              Mick