For Release To Support (RTS) release notes, contact Technical Support.
| Version | Release Date |
| --- | --- |
| 6.5.2-466 | June 13, 2023 |
| 6.4.16.140 | July 13, 2021 |
| 6.4.15.172 | May 18, 2021 |
| 6.4.14.106 | March 9, 2021 |
| 6.4.13.113 | February 9, 2021 |
| 6.4.12.125 (GA) | December 8, 2020 |
| 6.4.11.128 (GA) | November 5, 2020 |
| 6.4.9.107 (GA) | September 29, 2020 |
| 6.4.8.101 (RTS) | August 11, 2020 |
| 6.4.7.105 | July 21, 2020 |
| 6.4.5 | May 12, 2020 |
| 6.4.4 | April 14, 2020 |
| 6.4.2.206 | February 11, 2020 |
| 6.4.1.135 | December 10, 2019 |
| 6.4.0.132 | October 17, 2019 |
| 6.3.0.794 | August 13, 2019 |
| 6.3.0.724 (Linux only) | July 2, 2019 |
| 6.3.0.503 (Linux only) | April 9, 2019 |
| 6.3.0.418 (Linux only) | March 12, 2019 |
| 6.3.0.299 (Linux only) | February 12, 2019 |
| 6.3.0.242 (Linux only) | January 8, 2019 |
| 6.3.0.180 (Linux only) | November 13, 2018 |
| 6.3.0 (Linux only) | October 9, 2018 |
| 6.2.0 | April 9, 2015 |
| 6.1.7 (Linux only) | April 7, 2015 |
| 6.1.4 (Linux/UNIX only) | June 16, 2014 |
| 6.1.3 | April 16, 2014 |
| 6.1.2 | December 24, 2013 |
| 6.1.1 | August 30, 2013 |
| 6.1.0 | February 12, 2013 |
Issue resolutions in updates and major releases are cumulative; Technical Support recommends that you install the latest version. To find the most recent release for your product, go to the Product Downloads site.
Critical: There are currently no known critical issues.
Non-critical:
Linux
Reference | Related Article | Found in Version | Resolved in Version | Description
LIN-2657
6.5.2
Issue: Failed to get platform. Policies error thrown in the logs on Ubuntu 22.
Issue: MVEDR collectors are blocked from running on Linux with Application Control enabled.
Workaround: Configure /opt/McAfee/mvedr/mfemvedr as an updater under Application Control Rules (Unix).
MACC-9369
6.4.x
Issue: Monitoring rules don't work unless a change control rule is in place.
Workaround: Create a dummy change control (write-protect) rule and apply it to the system.
MACC-9633
6.4.2-206
6.4.3-109
Issue: When SC: Enable client task is executed after Application Control for Linux is upgraded from version 6.2.0-463 to 6.4.2-206, Application Control changes to Update mode instead of Enable mode.
MACC-8763
6.4.2-206
6.4.3-109
Issue: When the Disable Task command is executed from ePO, inconsistency is observed in the Solidcore Client Task Log.
MACC-8764
6.4.2-206
6.4.3-109
Issue: When the Enable Task command is executed from ePO, inconsistency is observed in the Solidcore Client Task Log.
MACC-8888
6.4.2-206
6.4.3-109
Issue: When Enable Task is executed from ePO, inconsistency is observed in the Solidcore Client Task Log.
MACC-8889
6.4.2-206
6.4.3-109
Issue: When Disable is executed in the Update Mode, Solidcore Client task events aren't displayed.
1260084
6.3.0-180
-
Issue: When Application Control 6.3.0.180 is installed in the standalone mode in CentOS 7, it displays an error message.
1263554
6.3.0-242
-
Issue: A bash script can be solidified even when the script auth feature is disabled.
MACC-7307
6.3.0-794
-
Issue: Sanity validation fails with an error message. Also, the product can't be enabled when the redirfs module is installed on a system.
MACC-7216
6.3.0-794
6.4.3-109
Issue: You're unable to create a user when ACC is in the Update Mode on Red Hat Enterprise Linux (RHEL) 8 with SSSD version 2.0.0-43 installed.
Issue: Removal of ACC for Linux 6.3.0.794 after you upgrade from 6.3.0.724 in LEL5 32 bits, LEL6 32 bits, and LSES11 32 bits fails.
Workaround: To perform the removal in this case, you must uninstall the previous version. If you're updating from 6.3.0.724 to 6.3.0.794, the workaround to uninstall the product is as follows:
Run "/opt/bitrock/solidcoreS3-6.3.0-724/helperBinaryUninstall"
Run "rpm -e solidcoreS3-6.3.0-794.i386 --noscripts"
Run "rpm -e solidcoreS3-kmod-6.3.0-794.i386 --noscripts"
Issue: Upgrade to 6.3.0-794 from 6.3.0-724 in LEL5 32 bits, LEL6 32 bits, and LSES11 32 bits leaves the system Disabled and Unsolidified.
Workaround: Add a license, solidify if Application Control, and enable.
MACC-8248
6.4.0.132
-
Issue: The FILE_UNSOLIDIFIED event isn't generated for checksum as updater rule in LEL7.
MACC-8331
6.4.0.132
6.4.2-206
Issue: [Exploratory] sadmin help auth information doesn't contain how to run the remove option.
MACC-8334
6.4.0.132
6.4.1.135
Issue: [Security] Blackduck scan: Operational risk factor for OpenSSL.
MACC-8346
6.4.0.132
6.4.1.135
Issue: [Interop] After you upgrade Endpoint Security for Linux from version 10.6.5 to 10.6.6 on SUSE12 ACC, BVT execution hangs.
Workaround: Add the following ProcPassThruList items to solidcore.conf:
/opt/McAfee/ens/tp/bin/mfetpd
/opt/McAfee/ens/tp/bin/mfetpcli
/opt/McAfee/ens/esp/bin/mfeespd
/opt/McAfee/ens/fw/bin/mfefwd
/opt/McAfee/ens/fw/bin/mfefwcli
MACC-8355
6.4.0.132
6.4.1.135
Issue: The scsrvc crashes when flushing auth cache (SIGSEGV).
MACC-8643
6.4.1.135
6.4.2-206
Issue: Default configuration change is needed to generate Core dump info during kernel panic on Red Hat 8.
Critical: There are currently no known critical issues.
Non-critical:
Linux
Reference | Related Article | Found in Version | Resolved in Version | Description
1255502
6.3.0-134
6.3.0-242
Issue: After you run the load.java tool, the "/home" file system becomes "Untrusted."
Workaround: Restart the Solidcore service.
1260084
6.3.0-180
6.3.0-242
Issue: An error message is encountered when you install ACC 6.3.0.180 in standalone mode in a CentOS 7 environment.
1261348
6.3.0-180
Issue: Execution denied events for a script are duplicated on solidcore.log.
1263206
6.3.0-242
6.3.0-299
Issue: After you upgrade from 6.3.0-180, a permission denied message is shown for /usr/bin/xauth.
Workaround: Perform the steps below:
Edit the /etc/mcafee/solidcore/solidcore.conf file, set RTEModeOnReboot = 0x0, and reboot the system.
After restart, run the command sadmin check -r or sadmin so.
After check or so finishes, run sadmin enable and restart the service.
1263207
6.3.0-242
Issue: After you upgrade from 6.3.0-180, the ssh service can't be restarted.
Workaround: Perform the steps below:
Edit the /etc/mcafee/solidcore/solidcore.conf file, set RTEModeOnReboot = 0x0, and reboot the system.
After restart, run the command sadmin check -r or sadmin so.
After check or so finishes, run sadmin enable and restart the service.
1263208
6.3.0-242
6.3.0-299
Issue: After you upgrade from 6.3.0-180, sadmin check fails on LUBT12 (AMD64 and x86).
Workaround:
Edit the /etc/mcafee/solidcore/solidcore.conf file, set RTEModeOnReboot = 0x0, and reboot the system.
After restart, run the command sadmin check -r or sadmin so.
After check or so finishes, run sadmin enable and restart the service.
1263552
6.3.0-242
Issue: Error in locking authority file in Ubuntu 16.
1263553
6.3.0-242
Issue: [Exploratory] Warning message is shown when you successfully remove the attr rule.
1263554
6.3.0-242
Won't fix
Issue: [Exploratory] After you disable the script-auth feature, the scripts are still solidifiable.
1263555
6.3.0-242
6.3.0-418
Issue: [Exploratory] Dash interpreter from Ubuntu isn't included in the scripts default list.
1265307
6.3.0-299
6.3.0-418
Issue: Kernel loops in LUBT 14 kernel 4.2.
1265315
6.3.0-299
Issue: Partition /boot isn't solidified after you enable with an ACC license from ePO on some Ubuntu 14.04 endpoints.
1265382
6.3.0-299
Issue: ACC LNX in OL7 remains disabled.
1266298
6.3.0-299
Issue: [Exploratory] Write-denied observations aren't generated when you delete a solidified file in Observe Mode.
1266299
6.3.0-299
Issue: [Exploratory] Log errors in Observe Mode for write-denied events.
1266502
6.3.0-299
Issue: Bad behavior in enablement from ePO in Oracle 7.
1268052
6.3.0-418
Issue: No message is shown on the command line when the scsrvc service restarts in Ubuntu 16.
1268065
6.3.0-418
Issue: The sadmin check command fails after you remove an interpreter and extension from the script auth list in Ubuntu 12.
1269359
6.3.0-503
Issue: A warning message is logged in /tmp/solidcoreS3_uninstall.log after Solidcore removal.
1269365
6.3.0-503
6.3.0-724
Issue: The Dpkg preinstallation script logs an error after installation with build 6.3.0-503.
1273558
6.3.0-607
Issue: When the build target tool fails, some files aren't removed from the system.
Workaround: Remove the files manually.
1273659
6.3.0-671
Issue: XFS with kernel 4.10 and above isn't supported.
Workaround: Technical Support doesn't recommend that you use ACC 6.3.0 on Red Hat Enterprise Linux Server 8 systems if you have kernel version 4.18 or later and XFS. The recommended file system to use is EXT4. See KB73341 for supported EXT versions.
For systems that experience this issue with the following:
SUSE Enterprise Linux Server 12 or SUSE Enterprise Linux Desktop 12 with kernel 4.10 or later installed
ACC with XFS in Update mode in use
Perform the steps below:
Restart the system with a kernel version lower than 4.10 (see KB90947 for supported kernel versions).
Once the system starts, leave update mode. Execute sadmin eu.
Restart the system again with kernel version higher than 4.10.
1274416
6.3.0-702
Issue: "orig_user_name" isn't correctly reported in events.
MACC-6863
6.3.0-724
Issue: The build target fails to build the kernel module in RHEL8.
MACC-7077
6.3.0-724
6.4.1.135
Issue: The Self-Kernel support tool doesn't work for OL7 UEKR5 unsupported UEK kernel.
MACC-7307
6.3.0-794
Won't fix
Issue: (Interop) VFS file (inode) operation validations fail when the "redirfs" module is loaded.
MACC-7216
6.3.0-794
Won't fix
Issue: A user can't be created when ACC is in update mode on RHEL8 with SSSD version 2.0.0-43 installed.
MACC-7240
6.3.0-794
6.4.1.135
Issue: After you upgrade from ACC for Linux 6.3.0-724 to 6.3.0-794, you can't uninstall 6.3.0-794 in LEL6 32-bit.
Workaround: Perform the following steps:
Run "/opt/bitrock/solidcoreS3-6.3.0-724/helperBinaryUninstall"
Run "rpm -e solidcoreS3-6.3.0-794.i386 --noscripts"
Run "rpm -e solidcoreS3-kmod-6.3.0-794.i386 --noscripts"
Critical: There are currently no known critical issues.
Non-critical:
Solidcore Extension
Reference | Related Article | Found in Version | Resolved in Version | Description
608618
Issue: When you try to upload the Windows Solidcore Agent Deployment Package (~100 MB) to ePO through Microsoft Internet Explorer, the file upload times out if the network upload speed is slow.
Workaround: If an error displays in Internet Explorer 6, use Internet Explorer 7 (or later). If the error occurs in Internet Explorer 7 or later, copy the package to a local directory on the ePO server. Access the ePO console on the ePO server and upload the file from the local path. This approach avoids possible network delays.
607452
Issue: ePO 4.6 reports and dashboard entries aren't removed after the Solidcore Extension is uninstalled.
Workaround: If you uninstall and reinstall the Solidcore Extension, remove the reports and dashboards manually after you uninstall, and before you reinstall.
607517
Issue: PDF reports have minor data display and formatting issues if more than 50,000 records are reported.
608347
Issue: The Solidcore Policy Assignments By System report displays all policies derived from the root, irrespective of the SKUs enabled on the platform.
609304
Issue: It isn't possible to export data from the Reporting, Solidcore Events page.
Workaround: Use Queries (Reporting, Queries) to export event data.
636769
Issue: If you upgrade from ePO 5.1.0 to 5.1.1 (or later), existing Solidcore events in the Solidcore Events table aren't migrated to the ePO Events table.
636352
Issue: After you remove the Solidcore Extension, all Solidcore-related events are retained in the ePO table. When you view the events in the Threat Event Log, some fields might display garbage data.
607554
Issue: Solidcore policies can't be duplicated with the Policy Details page because the OK button is disabled.
Workaround: Use the Policy Catalog page to duplicate policies.
643854
Issue: When you use the Guided Configuration page on the ePO 4.6 console, the Save Policy button isn't enabled when changes are made to Solidcore Policies.
Workaround: Edit the policy with the Policy Catalog without Guided Configuration.
608374
Issue: When you try to enable an already enabled Solidcore Agent, the error displayed isn't translated.
607908
Issue: It's not possible to export more than 50,000 records from any table or report.
608025
Issue: Reports, tasks, and policies for all SKUs are listed even if the license for that SKU isn't added.
609911
Issue: Export of rule groups doesn't work in Internet Explorer when opened from the ePO server.
Workaround: Use Internet Explorer from a different computer and export rule groups.
610303
Issue: The Server Task pages in ePO might not work properly if you use Mozilla Firefox version 3.0.
Workaround: If you encounter issues, Technical Support recommends that you use Mozilla Firefox version 3.6 (or later) or Internet Explorer 6.0 (or later).
608753
Issue: Sometimes, using the username field of reported events in ePO as a trusted user might not work if the client system is part of an Active Directory (AD) domain. This issue occurs because the domain name reported in the events isn't the full AD domain.
Workaround: Use the environment variable USERDNSDOMAIN of the AD client as the domain name. Or, review the properties of the My Computer icon and identify the complete username to specify as the trusted user.
609220
Issue: Saving of an Application Control policy that's a copy of the McAfee Default policy is slow.
Workaround: Because Application Control policies are multi-slot policies, Technical Support recommends that you create a new blank policy and add new rules to it. Follow this method rather than copying and changing the McAfee Default policy.
656518
Issue: If you install Solidcore Extension 5.1.2 on an existing ePO 4.5 system and then upgrade to ePO version 4.6 FIPS mode, the event parser stops working.
Workaround: Run the following command and upgrade the required DLL: https://<ePO_IP_address: port>/remote/scor.upgradeEventParser.do
607950
Issue: User-defined system variables in policies are resolved at the endpoint only after the endpoint is restarted.
707486
Issue: When you use the ePO 4.6 console, quick navigation through the Events and Inventory pages logs off the user.
714176
Issue: With ePO 4.6 Update 1 or 2, if you add multiple commands to a Run Commands client task while you create the task, you can't later remove the commands from the saved client task.
719796
Issue: Global catalog search for AD groups isn't supported.
Workaround: Search for a group in a specific AD server instead of using the Global Catalog.
To add a specific group:
Log on to the ePO 4.x console.
Add the AD server with the group as a Registered Server.
Search for the group. Select the registered AD server. Make sure that the option Use Global Catalog is deselected.
Add the group to a policy as a trusted group.
722045
Issue: Adding new columns, such as Solidcore Status and Solidification Status, for an endpoint by clicking Actions, Choose columns, noncompliant Solidcore Agent might not display values for all endpoints. This issue occurs because the noncompliant Solidcore Agent section includes only noncompliant agent properties.
Workaround: When you add new columns for an endpoint, click Actions, Choose columns, Solidcore Client Properties instead of Actions, Choose columns, noncompliant Solidcore Agent.
812003
Issue: The Self-Approval page displays a link for .MSI-based applications, which displays an empty list when you drill down.
890978
Issue: The GTI cloud server entry isn't removed from ePO after the Solidcore Extension is uninstalled.
926122
Issue: File Deviation details are missing in an exported file from the Image Deviation page.
950063
Issue: A few strings aren't properly localized in languages other than English.
1033281
Issue: Upgrade to Solidcore Extension 6.2.0 might fail immediately after extension restart while you perform an upgrade from a version older than 6.1.2.
985336
Issue: The event pages in ePO might not work properly if you use Mozilla Firefox version 3.5.
Workaround: If you encounter issues, Technical Support recommends that you use Mozilla Firefox version 3.6 (or later) or Internet Explorer 6.0 (or later).
939528
Issue: Systems with a large inventory fail to send inventory data to the ePO server and a corresponding log entry is made in the Server Task Log after 6 hours.
987715
Issue: For the Application Control Options (Windows) policy, an import of a policy from Extensions earlier than 6.2.0 causes the Inventory Advanced Exclusion Filter (AEF) tab to populate with its default value. Default values aren't saved in the policy until you make some change and save the policy.
1043052
Issue: You can't upgrade Solidcore help extension from previous versions to 6.2.
Workaround: Uninstall the old help extension and install the new one.
1050955
Issue: With ePO 5.x, GTI communication with Kerberos authentication fails when you use a proxy server.
Issue: Unsolidified scripts can't be copied with the MS-DOS command prompt on a solidified system. Any read access to unsolidified scripts by a script interpreter configured for that script is denied. It also generates unauthorized execution events. Such problems can be avoided when you perform the file operation with Windows Explorer.
608647
Issue: On 64-bit systems, multiple events might be generated when an unauthorized binary file is executed. The events are generated because the Windows operating system tries to run the binary multiple times using a reduced set of attributes until final failure.
608745
Issue: Files that the user read-protects (with the sadmin read-protect command) can't be solidified.
643688
Issue: If you try an ActiveX installation before you enable the ActiveX feature, and retry the installation after you enable the ActiveX feature, ActiveX might not install properly.
Workaround: If the ActiveX installation fails, delete all files in the <system drive>\windows\downloaded program files directory on the endpoint, and remove all .cab files in the temporary internet files. Then, install the ActiveX control on the endpoint.
616147
Issue: For standalone Solidcore Agent installation on endpoints where Oracle is installed, you must run finetune.bat manually at the endpoints to apply Oracle-specific rules. (A standalone Solidcore Agent installation means one that's not done via ePO.)
599348
Issue: On viewing the properties of a file on the local drive, deny-write and deny-exec events are generated for the solidified and unsolidified files, respectively.
601126
Issue: When you copy solidified files to a rewritable CD, although the files are copied successfully, deny-write errors are logged.
601427
Issue: On 64-bit platforms, Enum or Performance in sub keys is bypassed from Solidcore Agent protection. Thus, when you delete a write-protected registry key with Enum or Performance in sub keys, you might get a partial completion status.
616089
Issue: In the output of the sadmin diag command on the Spanish locale, read 'actualizadores agregar' as 'updaters add'.
For example, the output
Issue: Multiple deny-write events might be generated for a single deny-write action. For example, on deletion of a file with Windows Explorer, up to eight file-deletion events are reported. When the application denies deletion of a file, Windows Explorer tries multiple methods to delete the file, which results in an event for each attempt.
695246
Issue: Although the Solidcore NX protection is based on system DEP, it's possible that some applications work with system DEP but not with Solidcore NX. In such cases, if processes are added to the Solidcore NX bypass list, the system DEP protection is enabled for the processes.
720663
Issue: Editing the Updater Label for an existing trusted publisher in an Application Control policy fails. Although the label changes in the ePO console, the change isn't reflected on the endpoints.
713989
Issue: If Application Control and Spector are installed on an endpoint and MP-CASP is enabled, Internet Explorer crashes.
652602
Issue: If you disable the deny-exec-exes feature on any Windows (64-bit) operating system, change the extension of an exe to .sys, and try to run the .sys file, execution of the .sys file is prevented. If you change the file extension to dll, you can run the file even if the deny-exec-dlls feature is enabled.
607574
Issue: When you open a network share (for systems running Windows Vista, Windows 7, and Windows 2008), deny-write and deny-exec events are generated for the binary files present on the network share. These events are generated because Windows Explorer tries to fetch the icons for the files stored on the network share.
768708
Issue: You're unable to set the flag fs-passthru 'p' and the flag vasr forced reloc 'v' together with the extra information flag 'o' in the attr command.
770362
Issue: You're unable to set more than one dll to bypass from VASR forced reloc.
794445
Issue: Solidified batch files, when copied using another batch file, fail.
803731
Issue: With network tracking disabled, Self-Approval function doesn't work for network shares.
803948
Issue: Deny-Exec on a Script file is reported if Network tracking is disabled on a 64-bit architecture.
808857
Issue: A Self-Approval pop-up displays if a file is opened with the execute flag even if the file isn't executed.
808964
Issue: An Auth rule for a process making file changes isn't added correctly if allowed through Self-Approval.
812964
Issue: If you remove the Updater flag for a certificate rule, the certificate is still listed as an Updater on the endpoint.
816108
Issue: A file, authorized by checksum, is denied for execution when run from a network share.
810072
Issue: While you run a 16-bit executable with Self-Approval enabled, the file type is listed as script.
819876
Issue: A process that doesn't work as an Updater is configured as an Updater through auth by checksum.
Workaround: Configure the process as an Updater by name.
888634
Issue: An unclean removal of Adobe Flash Player occurs when pkg-ctrl-allow-uninstall is enabled.
Issue: You're unable to install Visual Studio 2010 Ultimate via Updater.
Workaround: See the related article for details.
887965
Issue: Uninstallation of applications isn't blocked even if the pkg-ctrl-allow-uninstallation feature is disabled.
Workaround: Run the sadmin clg command after each installation of an application to block the removal. This command removes all cached GUIDs from the system.
888878
Issue: Multiple package control prevention events are seen while you uninstall and repair Visual Studio 2010.
Issue: Solidifier upgrade from 6.1.1 to 6.1.2 fails in Observe mode.
Workaround: See the related article for details.
910080
Issue: Package Control, if an application has ctor.dll in its uninstall string, another application using ctor.dll isn't installed when pkg-ctrl-allow-uninstall is disabled.
Workaround: As a workaround for mode 1 of package control, the user can make the ctor.dll an Updater using the complete path (for example, C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\ctor.dll). For Package Control modes, see the ACC 6.1.1 Addendum.
916640
Issue: Deny Execution isn't skipped for a drive after you remove the skiplist -v flag without a reboot.
Issue: The upgrade version isn't updated on the ePO server and the McTray About field after an endpoint upgrade.
Workaround: See the related article for details.
940286
Issue: A Pkg-modification-prevented event is raised during an Application Control upgrade.
948349
Issue: Multiple deny-write events for a Self-Approval pop-up for putty.exe are recorded when execution is done after you download the file from the internet.
Issue: The Windows kernel paged pool is consumed by a growing inventory file size and, when the kernel paged pool is depleted, one of the following issues is observed:
System crash
System hangs
Application failure
Low memory condition
NOTE: These issues occur on 32-bit systems where kernel pool resources are scarce and might run out quickly.
Solution: As mentioned above, this issue can occur when many files are added to the inventory. To resolve this issue, perform the following:
In Disable mode, delete the file <drive>\solidcore\scinv from all drives.
Resolidify the system:
For standalone deployments, start Solidification and switch to Observe mode or Enable mode.
For ePO-managed deployments, run the SC: Enable task.
Issue: The following error appears in the Orion.log file when you try to purge ACC events from the ePO database:
The DELETE statement conflicted with the REFERENCE constraint "SCOR_EVENTS_EPO_EVENTS".
The conflict occurred in database "", table "dbo.SCOR_EVENTS", column 'EPO_EVENT_AUTO_ID'.
Solution: Drop the constraint and re-create the constrained AUTO_IDs. Run the following command against the ePO database:
alter table [dbo].[SCOR_EVENTS] drop constraint SCOR_EVENTS_EPO_EVENTS;
alter table [dbo].[SCOR_EVENTS] add constraint SCOR_EVENTS_EPO_EVENTS
foreign key (EPO_EVENT_AUTO_ID) references [dbo].[EpoEvents] ON DELETE
CASCADE ON UPDATE CASCADE;
Issue: Users are duplicated in client policy when synchronizing the Trusted Users group in ePO with AD.
Solution: There's no issue as this behavior is by design. ACC supports legacy operating systems and is needed to pull both Netbios\user and UPN\SAM accounts.
Issue: Server task "Solidcore: Send Policy and Inventory Feedback to McAfee GTI Server" runs indefinitely.
Workaround: The purpose of the Solidcore: Send Policy and Inventory Feedback to McAfee GTI Server task is to improve the product and isn't a function of the product. If you disable this feature, it doesn't affect the functionality of ACC. Inventory feedback data isn't being used for analytics, which means that you can safely disable this feature on the extension side. When the data is used and the back-end processing issues are fixed, re-enable this feature.
Steps to disable the Solidcore: Send Policy and Inventory Feedback to McAfee GTI Server task:
Go to https://<ePO-IP>/remote/core.reload-plugin.do?name=SOLIDCORE_META.
Go to Server Tasks, Solidcore: Send Policy and Inventory Feedback to McAfee GTI Server.
Click Edit, and then select the Actions tab.
Deselect the option Inventory: Sends detailed information for files, such as SHA-1, base name, embedded application name, and embedded application version.
Click Save.
Go to Server Tasks and run Solidcore: Send Policy and Inventory Feedback to McAfee GTI Server task.
Verify whether the issue is resolved.
NOTE: The hung task is logged in the server task log as progress (0%), which indicates that the task isn't running. A cleanup of the string from the user interface is needed, but functionality isn't affected.
Issue: Can't validate file name OR file name is invalid (file operations in ACC fail if the file path length exceeds 256 characters).
Solution: This issue is fixed in newer builds.
Workaround:
For standalone deployments, run the following command from the CLI:
sadmin features disable network-tracking
For ePO-managed deployments, create a run command client task with the argument features disable network-tracking and push the task to clients.
-
6.2.505 and below
6.2.0.507
Issue: You might observe the following issues with a Distributed File System network share that accesses files from a system with Application Control enabled.
Issue: Self-Approval Client pop-up text field limitations within Application Control
Solution: The Self-Approval Client pop-up text field has a maximum character limitation of 296 characters. The text field for Self-Approval within ePO has a maximum character limitation of 300 characters. Because of the fixed nature of the text field, scrolling of text within the pop-up field on the client isn't allowed.
Issue: Installation of plan failed. FatalIOException: Unable to create file (vSphere fails to load when Application Control is installed).
Solution: To resolve this issue, upgrade to ACC 7.0 and configure the following sadmin feature to prevent long path lengths from being incorrectly blocked.
Open an Application Control command-line session and type sadmin recover and press Enter.
Type the ePO password to recover the Solidcore command-line session.
Type sadmin config set SkipValidateFileLength=1 and press Enter.
Put the system back into lockdown mode to continue being managed by ePO:
Type sadmin lockdown and press Enter.
IMPORTANT: If you don't lock down the Solidcore command-line, ePO can't manage Solidcore.
You can also perform the following steps through ePO to push this change out to several systems at once.
Open the ePO manager.
Create a Client task.
Select the Solidcore Command-line task.
Paste the following command into the task: sadmin config set SkipValidateFileLength=1
Issue: ERROR: fshooks.c : 687: Could not validate file name OR file name is invalid: (DFS replication fails with Application and Change Control installed)
Solution: To resolve this issue, upgrade to ACC 7.0 and configure the following sadmin feature to prevent long path lengths from being incorrectly blocked.
Open a Solidcore command-line session and type sadmin recover and press Enter.
Type the ePO password to recover the Solidcore command-line session.
Type sadmin config set SkipValidateFileLength=1 and press Enter.
Put the system back into lockdown mode to continue being managed by ePO:
Type sadmin lockdown and press Enter.
IMPORTANT: If you don't lock down the Solidcore command-line, ePO can't manage Solidcore.
You can also perform the same steps through ePO to push this change out to several systems at once.
Open the ePO manager.
Create a Client task.
Select the Solidcore Command-line task.
Paste the following command into the task: sadmin config set SkipValidateFileLength=1
Issue: Performance issues on Application Control endpoints when GTI and Threat Intelligence Exchange (TIE) communication fails.
Solution: Turn off reputation checking of binaries using the TIE server or GTI service if the errors described in this article are frequently logged in the Solidcore.log. By default, a policy to enable reputation-based execution is applied to all endpoints running the Solidcore client. The settings in the policy indicate how endpoints communicate with the configured reputation sources.
All versions
Issue: deny_reason="File-cksum-mismatch" (generated when executables are configured as updaters in Application Control).
Workaround:
Verify InvMergeTimeout in (Swin\parameters Reg), or by running the command sadmin config show | findstr -i InvMergeTimeout from a command prompt or ePO run command.
NOTE: If it's anything other than 1800, reset to Default by running the command sadmin config set InvMergeTimeout=1800 from a command prompt or ePO run command.
Run check -r from an ePO run command or Solidcore CLI.
Attempt to reproduce the issue.
If the issue still exists, use the ePO run command or Solidcore CLI and resolidify the drive:
Put the client in Update mode or Disable mode.
NOTE: Disable requires you to restart the client.
Run the clean solidification command: sadmin clean <driveletter>
NOTE: This command only works if you place ACC in Disable mode. This step can be skipped if you put ACC in Update mode.
Issue: Third-party services that use Java might not start properly after enabling Application Control and Change Control.
Solution: To resolve this issue, Technical Support recommends that you modify the Java memory space for the third-party application (JvmMs and JvmMx values) to use less than the maximum values. This change usually allows the services for the application to start properly.
Issue: Installer Detection bypass option is Deprecated for endpoints running version 6.1.1 and later (Package Control in relation to the architecture rules for the attr -i command).
Issue: System hangs while shutting down when Application Control is enabled.
Solution: This issue doesn't occur if you bypass searchprotocolhost.exe from Application Control's memory-protection feature.
For ePO-managed deployments, make sure that the default list under Solidcore Rules in the ePO console is imported to the policy and applied to the systems.
For standalone deployments, add the following rules using the Application Control command line:
Issue: Uninstallation of applications fails and causes your client to stop responding when Symantec Endpoint Protection 12.1 is installed alongside Application Control.
Issue: Installer Detection bypass option is Deprecated for endpoints running version 6.1.1 and later (Package Control in relation to the architecture rules for the attr -i command).
Issue: On the Windows XP platform, NTFS junction points are supported only when junctions are created for volumes and not for folders.
701065
Issue: If you're using Application Control in the Enable mode on the Windows XP SP1 operating system, virtual memory usage increases for most processes.
Workaround: Upgrade to Windows XP Service Pack 2.
793102
Issue: DLL rebasing doesn't work when a complete path to the DLL is specified.
809646
Issue: A Self-Approval pop-up might hang while running non-whitelist binaries from the Desktop.
Windows 2003
Microsoft ended extended support for Windows Server 2003 SP2 on July 14, 2015. As of the end of 2015, the only product we support with Windows Server 2003 SP2 is Application and Change Control.
Reference
Related Article
Found in Version
Resolved in Version
Description
607361
Issue: On 64-bit systems, some Java-based applications might fail and the Event Viewer logs show that the javaw.exe process is hijacked.
Workaround: Add javaw.exe to the attributes list with the -n option:
sadmin attr add -n javaw.exe
832241
Issue: A Non-Trusted user can execute an unsolidified bat file using runas CLI on Windows 2003 (x64). The issue is intermittent.
Windows 2000 could not start because the following file is missing or corrupt:
\WINNT\SYSTEM32\CONFIG\SYSTEM.ced startup options for Windows 2000, Press F8
On system boot, the screen shows:
Windows 2000 could not start because the following file is missing or corrupt: \WINNT\System32\Drivers\Ntfs.sys
The system boots successfully but the Solidcore driver "swin.sys" isn't loaded. A quick way to check for this issue is the output of the "sadmin status" command: if the Solidcore driver isn't loaded while Solidcore is Enabled, it shows the driver status as Unattached for the system volume.
Cause: This issue isn't an Application Control or Change Control issue but a limitation on the size of the "system hive" in Windows. The system hive is limited to about 10.3 MB in size in a Windows 2000 Server, because the system hive and Windows kernel files must fit below 16 MB when Windows starts. If the system hive is close to its limit, installation of Application Control or Change Control or any other product that starts at system boot can cause this behavior.
Solution: Apply the suggestions described in the Microsoft article. The system might not start when creating many logical units and volumes.
Windows 2008 R2 (64-bit)
Reference
Description
608636
Issue: During manual installation of Solidcore Agent on the Windows 2008 R2 (64-bit) platform, you see that Windows installer encounters a validation error for the msiexec.exe and kernelbase.dll files.
Workaround: Click Ignore once or Ignore always on the error pop-up to continue installation.
Windows 2008 (64-bit)
Reference
Description
609780
Issue: On the Windows 2008 (64-bit) platform, the rundll32.exe file crashes if an application is uninstalled with Add/Remove Programs but the SetupInstallFromInfSection() function was initially used to install the application.
Windows 2008/Vista (32-bit and 64-bit), Windows XP/Windows 7/Windows 2008 R2 (64-bit)
Reference
Description
609757
Issue: In Enable mode, if you try to access a folder with unsolidified files through File Explorer, deny-exec events are raised for the files in the folder.
Windows Vista
Reference
Description
607541
Issue: For Windows Vista and later platforms, the Solidcore Agent configuration selects a service called Windows Modules Installer (TrustedInstaller.exe) as an Updater. It's selected as such to allow Windows Update to work properly. This service can both install and remove Windows components even if the pkg-ctrl feature is enabled.
Linux
Reference
Article
Found in Version
Resolved in Version
Description
1253820
6.2.0-463
Issue: ACC 6.2.0-463 doesn't communicate with MA 5.6.0.
1253953
6.2.0-463
Issue: Inventory isn't successfully fetched on CentOS 5 x64 endpoint.
1249593
6.2.0-419
6.2.0-463
Issue: The "/home" partition is labeled as Untrusted after a fresh install in CentOS 7.
Workaround: This issue only happens when any partition doesn't contain binary files or script files to solidify. If any script file or binary file is added later on that partition, you must run "service scsrvc restart" or "reboot" to completely enable your system.
1249280
6.2.0-419
6.2.0-463
Issue: After installing ACC and enabling it in standalone mode, the status is Solidified - Untrusted CentOS5 Kernel 2.6.18-430.el5.
Workaround: To work around this issue, reboot the system. To avoid rebooting the system, run the following commands:
sadmin disable
service scsrvc restart
sadmin enable
1247986
6.2.0-419
6.2.0-463
Issue: The file system status displays as Solidified - Untrusted after installing ACC 6.2.0-419 (standalone mode) with the ACC-Unlimited license and solidifying the system.
1243884
6.2.0-347
Issue: Gnome UI doesn't respond on CentOS 7 after installing Solidcore.
Workaround: Add the Gnome shell process as the updater.
1243879
6.2.0-347
Issue: On Ubuntu endpoints, the file events expected for some tests aren't the ones generated.
1243874
6.2.0-347
Issue: Events aren't generated on RHEL 6 endpoint with Solidcore installed and enabled.
1243872
6.2.0-347
Issue: Some endpoints are in Disabled* mode after installation from ePO.
1240825
6.2.0-347
Issue: A Java file is executed without getting blocked.
1243019
6.2.0-337
Issue: A wrong transition occurs from update mode to Disabled* mode (Global Pass-through).
1238936
6.2.0-236
6.2.0-347
Issue: Bad behavior with write-protected files in observe mode.
1239252
6.2.0-236
Issue: In SUSE 11 x86, "touch" binary as the updater isn't working properly.
1238336
6.2.0-236
Issue: "No such a process" message is shown when trying to restart the scsrvc service.
1236431
6.2.0-187
Issue: Remove a process from the updaters list when added from its full path.
1235599
6.2.0-179
Won't fix
Issue: The script is unsolidified when editing with "vim" in Observe mode.
1234313
6.2.0-158
Issue: Wrong message is displayed in Change of State.
Issue: After disabling Application Control without a system reboot, Application Control 6.1.7-674 enters a partially disabled state and the system is allowed to execute.
1214591
6.1.7-673
Won't fix
Issue: Docker 1.13 containers fail to run in enabled mode with Docker as Updater.
1205485
6.1.7-504
Won't fix
Issue: Linux Desktop Timeout with Root login or logoff when Solidcore is Enabled or Updated.
Workaround: Create the file /etc/X11/xinit/xinitrc.d/00-gvfs-disable-fuse.sh with the following contents:
GVFS_DISABLE_FUSE=1
export GVFS_DISABLE_FUSE
This script disables the fuse's daemon running in the background, so the fuse filesystem isn't mounted. Restart the system so the changes can take effect.
UNIX (All Versions)
Reference
Article
Found in Version
Resolved in Version
Description
1203232
6.1.7-540
Issue: The Solomon automated test tool can't verify some events.
1202241
6.1.7-504
Issue: The events aren't generated in RHEL 6 x86.
818828
6.1.0-9463
Issue: With VirusScan Enterprise for Linux (VSEL) 1.7 installed, the VSEL service stops with errors on the CLI.
797363
6.1.0-9323
Issue: The sadmin Xray command doesn't list the attr specific configurations for the running process.
607014
4.9.0-238
Issue: Adding a script as an updater twice (once on its own and again with its parent) might lead to unexpected behavior.
1053355
6.1.7-192
Won't fix
Issue: If you erroneously try to stop the Solidcore service by using the systemctl command in Enabled mode, a subsequent attempt to stop the service in Disabled mode might fail.
Workaround: To stop the service in Disabled mode, use the following commands:
Issue: Installation of Solidifier shouldn't occur in a symbolic link path.
812578
6.1.0-9437
Won't fix
Issue: On some kernels, error messages related to scdrv are displayed in the console during system boot.
811983
6.1.0-9434
Won't fix
Issue: Property collection on ePO and the endpoint might show different versions of Solidifier if the system isn't rebooted after upgrade.
807180
6.1.0-9402
Won't fix
Issue: Installation on a non pre-compiled kernel fails if you run the installer from a Windows share that's mounted using CIFS.
798843
6.1.0-9323
Won't fix
Issue: You might observe unexpected behavior if a process exits without closing the modified files.
797291
6.1.0-9323
Won't fix
Issue: After Dynamic Kernel Module compilation, an empty file named 2 gets created in the dks directory.
762449
6.1.0-9301
Won't fix
Issue: Events are generated if a special device file is renamed.
616089
5.1.0-6817
Won't fix
Issue: Localized strings aren't consistent. Partial localization occurs in some events and messages.
610254
5.0.1-1
Won't fix
Issue: When you run the Debug Info client task for a UNIX system, the name of the generated file is suffixed with the host name and time stamp. For example, gatherinfo-hpj-03-07-08-10_14-37-45.tar.gz. (This result occurs even though the log states that the gatherinfo.tar.gz file is generated.)
607024
4.0.0-5920
Won't fix
Issue: By default, the deny-read feature is disabled. A read-protect rule is immediately applied to Solidcore Agent, but is effective only after the deny-read feature is enabled on the Solidcore Agent.
604604
4.8.3-164
Issue: Write/read protection doesn't work on files added via cachefs/lofs.
Critical: There are currently no known critical issues.
Non-critical:
Solidcore Extension
Reference
Description
608618
Issue: When you try to upload the Windows Solidcore Agent Deployment Package (~100 MB) to ePO through Microsoft Internet Explorer, the file upload times out if the network upload speed is slow.
Workaround: If an error displays in Internet Explorer 6, try using Internet Explorer 7 (or later). If the error occurs in Internet Explorer 7 or later, copy the package to a local directory on the ePO server. Access the ePO console on the ePO server and upload the file from the local path. Doing so avoids possible network delays.
607452
Issue: ePO 4.6 reports and dashboard entries aren't removed after the Solidcore Extension is uninstalled.
Workaround: If you're uninstalling and reinstalling the Solidcore Extension, remove the reports and dashboards manually after uninstalling and before reinstalling.
607517
Issue: PDF reports have minor data display and formatting issues if more than 50,000 records are reported.
608347
Issue: The Solidcore Policies Applied on Hosts report displays all policies derived from the root, regardless of the SKUs enabled on the platform.
609304
Issue: It's not possible to export data from the Reporting, Solidcore Events page.
Workaround: Use Queries (Reporting, Queries) to export event data.
636769
Issue: If you upgrade from Solidcore 5.1.0 to 5.1.1 (or later), existing Solidcore events in the Solidcore Events table aren't migrated to the ePO Events table.
636352
Issue: After removing the Solidcore Extension, all Solidcore-related events are retained in the ePO table. When you view the events in the Threat Event Log, some fields might display erroneous data.
607554
Issue: Solidcore policies can't be duplicated by using the Policy Details page because the OK button is disabled.
Workaround: Use the Policy Catalog page to duplicate policies.
643854
Issue: When you use the Guided Configuration page on the ePO 4.6 console, the Save Policy button isn't enabled when changes are made to Solidcore Policies.
Workaround: Edit the policy by using the Policy Catalog without using Guided Configuration.
608374
Issue: When you try to enable an already enabled Solidcore Agent, the error displayed isn't translated.
607908
Issue: It's not possible to export more than 50,000 records from any table or report.
608025
Issue: Reports, tasks, and policies for all SKUs are listed even if the license for that SKU isn't added.
609911
Issue: Export of rule groups doesn't work in Internet Explorer when opened from the ePO server.
Workaround: Use Internet Explorer from a different computer and export the rule groups.
610303
Issue: The Server Task pages on ePO might not work properly if you use Mozilla Firefox version 3.0.
Workaround: We recommend using Mozilla Firefox version 3.6 (or later) or Internet Explorer 6.0 (or later).
608753
Issue: Sometimes, using the username field of reported events on the ePO server as a trusted user might not work if the client system is part of an AD domain. The domain name reported in the events isn't the full AD domain and might prevent this method from working.
Workaround: Use the environment variable USERDNSDOMAIN as the domain name for AD clients. Or, review the properties of the My Computer icon to identify the complete username to specify as the trusted user.
609220
Issue: Saving an Application Control policy that's a copy of the McAfee Default policy is slow.
Workaround: Because Application Control policies are multi-slot policies, we recommend that you create a new blank policy and add new rules to it instead of copying and changing the McAfee Default policy.
656518
Issue: If you install Solidcore Extension 5.1.2 (or later) on an existing ePO 4.5 system and then upgrade to ePO 4.6 FIPS mode, the event parser stops working.
Workaround: Run the following command and upgrade the required DLL: https://<ePO_IP_address: port>/remote/scor.upgradeEventParser.do
607950
Issue: User-defined system variables in policies are resolved at the endpoint only after the endpoint is restarted.
707486
Issue: When using the ePO 4.6 console, navigating quickly through the Events and Inventory pages logs off the user.
714176
Issue: On ePO 4.6 Update 1 or Update 2, if you add multiple commands to a Run Commands client task while creating the task, you can't later remove the commands from the saved client task.
719796
Issue: Global catalog search for AD groups isn't supported.
Workaround: Search for a group in a specific AD server instead of using the Global Catalog.
To add a specific group:
Log on to the ePO 4.x console.
Add the AD server with the group as a Registered Server.
Search for the group by selecting the registered AD server. Make sure that the Global Catalog Search option is deselected.
Add the group to a policy as a trusted group.
722045
Issue: Adding new columns, such as Solidcore Status and Solidification Status, for an endpoint by clicking Actions, Choose columns, noncompliant Solidcore Agent might not display values for all endpoints. This issue is because the noncompliant Solidcore Agent section includes only noncompliant agent properties.
Workaround: When adding new columns for an endpoint, click Actions, Choose columns, Solidcore Client Properties instead of Actions, Choose columns, noncompliant Solidcore Agent.
812003
Issue: The Self-Approval page displays a link for .MSI-based applications, which displays an empty list when drilling down.
890978
Issue: The GTI cloud server entry isn't removed from ePO after the Solidcore Extension is uninstalled.
937037
Issue: You can't upgrade the Solidcore help extension from a previous release.
Workaround: Uninstall the old help extension and install the new one.
926122
Issue: File Deviation details are missing in an exported file from the Image Deviation page.
950063
Issue: A few strings aren't properly localized in languages other than English.
Issue: Application Control and Change Control 6.1.7 aren't compatible with VSEL 2.0.
900761
Issue: When Application Control is placed in a Disabled state and the endpoint isn't rebooted, upgrading Application Control doesn't successfully complete. This issue is because the driver isn't unloaded.
Workaround: Reboot the endpoint after disabling Application Control, and perform the upgrade task again.
608671
Issue: If Solidcore Agent is installed in a non-default path, upgrading via ePO isn't supported. Such an upgrade might leave the Solidcore Agent in an inconsistent state. We recommend that you uninstall the existing version and then install the new version using ePO.
608737
Issue: If the partition with the /opt/McAfee/cma directory has insufficient space, events might not be generated and a Failed to generate event xml error message is added to the solidcore.log file. Free up space in the partition with the /opt/McAfee/cma directory.
601728
Issue: According to the NFS protocol, if a file present on the NFS share is opened once on the NFS client, it can't be reopened until the file attributes are changed. As a result, if a read-protected file is opened on a client-side NFS share in Update mode, the file can be read on the client. The file remains in a readable state even after entering Enabled mode from Update mode. The file remains readable until the attributes are changed on the server.
601734
Issue: Changing a hard link might cause the name of the link or program to display in events.
601914
Issue: For daemon processes, the reported username and original username are the same.
602653
Issue: A write-protected file can be changed through its hard link if the hard link is already created.
602772
Issue: Scripts without the #! tag can't act as updaters.
Issue: For loopback file systems, some features, such as updater and monitoring, don't work correctly when the loopback path is used instead of the physical path in the sadmin commands. For instance, if /opt is mounted as a loopback file system at /mnt, to add /mnt/abc as an updater, you must add the path /opt/abc as an updater.
606674
Issue: A write-protected file can be changed or deleted if the file system is mounted to a different directory.
602990
Issue: Some features, such as updaters and mon-proc-exec, don't work properly for unsupported file formats. Only executable binaries and #! scripts are supported file formats.
603462
Issue: The BOOTING_ENABLED and BOOTING_UPDATE_MODE events aren't added to the system log.
Workaround: At boot time, start the syslog service before the Solidcore Agent service.
603490
Issue: You observe the following issues when an updater calls another updater:
If the child process is added as an updater, the non-inheritable option (-d) of the parent process is overridden.
If the parent process is added as an updater, the non-inheritable option (-d) of the child is overridden.
604780
Issue: For processes that aren't directly associated with a terminal, the original_user field is the same as the user field. For example, when you run a script through Runlevel/init scripts, original_user is the same as the user.
605062
Issue: The mmap system call at the NFS client doesn't work if the file is read-protected.
607014
Issue: Adding a script as an updater twice (once on its own and again with its parent) might lead to unexpected behavior.
607024
Issue: By default, the deny-read feature is disabled. A read-protect rule is immediately applied to Solidcore Agent but is effective only after the deny-read feature is enabled on the Solidcore Agent.
607245
Issue: No events are generated for changes to a file with the string solidcore.log in its name, for example, mysolidcore.log.
601763
Issue: Process information can't be determined for those processes that are invoked before the Solidcore Agent driver is loaded. This fact has the following implications:
If such a process makes file changes, these changes might not be reported.
For processes that start before the driver is loaded, only the partial program names are reported.
For NFS, for the changes made by the client, the change events displaying on the server have only the relative name for the NFS daemon (in other words, nfsd or nfsktcpd).
No Process Start and Process Stop events are generated for already running processes.
On only the AIX platform, Change Tracking / Prevention on file systems mounted by such processes might or might not work because system calls executed by already running processes can't be trapped. The running processes can't be trapped because of differences in the way system calls are implemented for the AIX platform. As a workaround, you can restart such processes.
604604
Issue: Write/read protection doesn't work on files added via cachefs/lofs.
613214
Issue: If the installation path is a mount point, forcibly unmounting (for example, using the umount -f command) might lead to non-deterministic behavior.
603386
Issue: The Solidcore Agent can't be installed, upgraded, or uninstalled through init scripts that run at system boot time.
Workaround: Add the following two statements in the init script before invoking the installer:
HOME="/"
export HOME
610254
Issue: When you run the Debug Info client task for a UNIX system, the log states that the gatherinfo.tar.gz file is generated. The actual name of the generated file is suffixed with the host name and time stamp. For example, gatherinfo-hpj-03-07-08-10_14-37-45.tar.gz.
616089
Issue: Localized strings aren't consistent. Partial localization occurs in some events and messages.
774493
Issue: Change of binary in Update mode doesn't change or update the corresponding hard-link in allow list.
797291
Issue: After Dynamic Kernel Module compilation, an empty file named 2 gets created in the dks directory.
797363
Issue: The sadmin xray command doesn't list the attr-specific configurations for the running process.
798843
Issue: You might observe unexpected behavior if a process exits without closing the changed files.
802433
Issue: If the volume is unsolidified, it's not listed as unsolidified in the output of sadmin status.
807180
Issue: Installation on a non-pre-compiled kernel fails if you run the installer from a Windows share that's mounted using CIFS.
Workaround: Mount the Windows share using NFS.
811983
Issue: Property collection on ePO and the endpoint might show different versions of Solidifier if the system isn't rebooted after upgrade.
812578
Issue: On some kernels, error messages related to scdrv are displayed in the console during system boot.
818828
Issue: With VSEL 1.7 and later versions installed, the VSEL service stops with errors on the CLI.
989865
Issue: Installation of Solidifier shouldn't occur in a symbolic link path.
Issue: After upgrading to Application Control 6.1.7, new AEFs or updaters and attr rules aren't added as default rules.
1049005
Issue: When uninstalling in Enabled mode, an incorrect message stating Unable to initialize installer is added to the /tmp/solidcoreS3_uninstall.log file.
1144705
Issue: The Scripts command isn't supported on SUSE10 x86.
1143376
Issue: Script-auth fails if the interpreter is a symlink with a name different from the target.
Workaround: Add a rule with the target in your scripts. For example, if python is added as the interpreter in scripts and python is a symlink to python2.6 (/usr/bin/python -> python2.6), then add a rule for python2.6.
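For the script-auth symlink issue above, an added shell example (not part of the original article and not vendor code): it reads each script's #! line, resolves the interpreter with readlink -f, and reports the real target whenever its file name differs from the name used in the script, so you know which target needs the rule. The function names and the sample files created under a temporary directory are constructed for illustration.

```shell
#!/bin/sh
# Added example (not vendor code): find scripts whose "#!" interpreter is a
# symlink to a differently named target, e.g. /usr/bin/python -> python2.6.

# Print the interpreter named on a script's "#!" line; fail if there is none.
# Only absolute interpreter paths are reported.
shebang_interpreter() (
    line=
    IFS= read -r line 2>/dev/null < "$1" || [ -n "$line" ] || exit 1
    case $line in
        '#!'*) line=${line#'#!'} ;;
        *) exit 1 ;;
    esac
    set -f            # no globbing while word-splitting the line
    set -- $line      # $1 = interpreter, $2... = its arguments
    [ $# -gt 0 ] || exit 1
    interp=$1
    if [ "${interp##*/}" = env ]; then
        # "#!/usr/bin/env [-opts] [VAR=val] name": look the name up in PATH.
        shift
        while [ $# -gt 0 ]; do
            case $1 in
                -*|*=*) shift ;;
                *) break ;;
            esac
        done
        [ $# -gt 0 ] || exit 1
        interp=$(command -v "$1") || exit 1
    fi
    case $interp in
        /*) printf '%s\n' "$interp" ;;
        *) exit 1 ;;
    esac
)

# Print the fully resolved target if its file name differs from the
# interpreter's own name (the case the issue describes); otherwise fail.
renamed_symlink_target() (
    [ -e "$1" ] || exit 1
    target=$(readlink -f -- "$1") || exit 1
    [ "${target##*/}" != "${1##*/}" ] || exit 1
    printf '%s\n' "$target"
)

# For each script argument print: script <TAB> interpreter <TAB> real target.
report_script_interpreters() (
    for script in "$@"; do
        interp=$(shebang_interpreter "$script") || continue
        if target=$(renamed_symlink_target "$interp"); then
            printf '%s\t%s\t%s\n' "$script" "$interp" "$target"
        fi
    done
)

# Constructed sample mirroring the article's case: python -> python2.6.
make_sample() {
    printf '#!/bin/sh\n' > "$1/python2.6" && chmod +x "$1/python2.6" &&
    ln -s python2.6 "$1/python" &&
    printf '#!%s/python -u\n' "$1" > "$1/job.py" &&
    printf '#!%s/python2.6\n' "$1" > "$1/direct.py"
}

# With arguments: audit those scripts. Without: run on the constructed sample.
if [ $# -gt 0 ]; then
    report_script_interpreters "$@"
else
    sample=$(readlink -f "$(mktemp -d)") && make_sample "$sample" &&
        report_script_interpreters "$sample"/*.py
    [ -n "$sample" ] && rm -rf "$sample"
fi
```

Only job.py is reported on the sample, because direct.py already names the real binary. Each reported target in the third column is the file to cover with the rule described in the workaround.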
053355
Issue: If you erroneously try to stop the Solidcore service by using the systemctl command in Enabled mode, an attempt to stop the service in Disabled mode might fail.
Workaround: To stop the service in Disabled mode, use the following commands:
Issue: When you log on to a solidified system using Telnet as a non-root user, the original_user name displays as root.
1009579
Issue: On a protected system running RHEL 5 with kernel 2.6.18-308.EL5 or later, the deny-read feature doesn't work on an NFSv4 mounted partition.
1211104
Issue: After running the automated testing tool (Solomon), there's a crash in UBUNTU 16.04 x86 platform with kernel 4.4.0-47-generic.
1205485
Issue: Linux Desktop Timeout with Root login or logoff occurs when Solidcore is Enabled or Updated.
Workaround: Create the file /etc/X11/xinit/xinitrc.d/00-gvfs-disable-fuse.sh with the following contents:
GVFS_DISABLE_FUSE=1
export GVFS_DISABLE_FUSE
This script disables the fuse's daemon running in the background, so the fuse filesystem isn't mounted. Restart the system so the changes can take effect.
1214591
Issue: Docker 1.13 containers fail to run in enabled mode with Docker as Updater.
1219099
Issue: Unsolidified bash script can show executed events when script-auth is enabled.
Workaround: Reboot the endpoint; script-auth then works as expected.
1224787
Issue: ACC service stops working after running the command sadmin disable and restarting the Solidcore service.
Workaround: Reboot the system and complete entering the disabled mode. After rebooting the system, it operates as expected.
Issue: Incompatibility between VSEL 2.0.2 and Application Control 6.1 is seen.
Solution: Don't install Application Control 6.1 and VSEL 2.0.2 on the same system.
If you've already installed Application Control 6.1 and VSEL 2.0.2 on the same system, you must uninstall one, and then install a different version not affected by this issue.
6.1.7
Issue: Content Change Tracking for Linux only reports file change events and no directory change events.
Critical: There are currently no known critical issues.
Non-critical:
Solidcore Extension
Reference
Description
608618
Issue: When you try to upload the Windows Solidcore Agent Deployment Package (~100 MB) to ePO through Microsoft Internet Explorer, the file upload times out if the network upload speed is slow.
Workaround: If an error displays in Internet Explorer 6, try using Internet Explorer 7 (or later). If the error occurs in Internet Explorer 7 or later, copy the package to a local directory on the ePO server. Access the ePO console on the ePO server and upload the file from the local path. Doing so avoids possible network delays.
607452
Issue: ePO 4.6 reports and dashboard entries aren't removed after the Solidcore Extension is uninstalled.
Workaround: If you're uninstalling and reinstalling the Solidcore Extension, remove the reports and dashboards manually after uninstalling and before reinstalling.
607517
Issue: PDF reports have minor data display and formatting issues if more than 50,000 records are reported.
608347
Issue: The Solidcore Policies Applied on Hosts report displays all policies derived from the root, irrespective of the SKUs enabled on the platform.
609304
Issue: It's not possible to export data from the Reporting, Solidcore Events page.
Workaround: Use Queries (Reporting, Queries) to export event data.
636769
Issue: If you upgrade from Solidcore 5.1.0 to 5.1.1 (or later), existing Solidcore events in the Solidcore Events table aren't migrated to the ePO Events table.
636352
Issue: After removing the Solidcore Extension, all Solidcore-related events are retained in the ePO table. When you view the events in the Threat Event Log, some fields might display erroneous data.
607554
Issue: Solidcore policies can't be duplicated by using the Policy Details page because the OK button is disabled.
Workaround: Use the Policy Catalog page to duplicate policies.
643854
Issue: When you use the Guided Configuration page on the ePO 4.6 console, the Save Policy button isn't enabled when changes are made to Solidcore Policies.
Workaround: Edit the policy by using the Policy Catalog without using Guided Configuration.
608374
Issue: When you try to enable an already enabled Solidcore Agent, the error displayed isn't translated.
607908
Issue: It's not possible to export more than 50,000 records from any table or report.
608025
Issue: Reports, tasks, and policies for all SKUs are listed even if the license for that SKU isn't added.
609911
Issue: Export of rule groups doesn't work in Internet Explorer when opened from the ePO server.
Workaround: Use Internet Explorer from a different computer and export the rule groups.
610303
Issue: The Server Task pages on ePO might not work properly if you use Mozilla Firefox version 3.0.
Workaround: Technical Support recommends using Mozilla Firefox version 3.6 (or later) or Internet Explorer 6.0 (or later).
608753
Issue: Sometimes, using the username field of reported events on the ePO server as a trusted user might not work if the client system is part of an AD domain. This is because the domain name reported in the events isn't the full AD domain.
Workaround: Use the environment variable USERDNSDOMAIN as the domain name for AD clients. You can also review the properties of the My Computer icon to identify the complete username and specify it as the trusted user.
608759
Issue: If ePO is installed on the Japanese version of Windows, exporting the dashboard data to HTML format fails if the generated HTML file name contains digits.
609220
Issue: Saving an Application Control policy that's a copy of the McAfee Default policy is slow.
Workaround: Because Application Control policies are multi-slot policies, Technical Support recommends that you create a new blank policy and add new rules to it instead of copying and changing the McAfee Default policy.
656518
Issue: If you install Solidcore Extension 5.1.2 on an existing ePO 4.5 system and then upgrade to ePO version 4.6 FIPS mode, the event parser stops working.
Workaround: Run the following command and upgrade the required DLL: https://<ePO_IP_address: port>/remote/scor.upgradeEventParser.do
607950
Issue: User-defined system variables in policies are resolved at the endpoint only after the endpoint is restarted.
707486
Issue: When using the ePO 4.6 console, navigating quickly through the Events and Inventory pages logs off the user.
714176
Issue: On ePO 4.6 Update 1 or Update 2, if you add multiple commands to a Run Commands client task while creating the task, you can't later remove the commands from the saved client task.
719796
Issue: Global catalog search for AD groups isn't supported.
Workaround: Search for a group in a specific AD server instead of using the Global Catalog.
To add a specific group:
Log on to the ePO 4.x console.
Add the AD server with the group as a Registered Server.
Search for the group by selecting the registered AD server. Make sure that the Global Catalog Search option is deselected.
Add the group to a policy as a trusted group.
722045
Issue: Adding new columns, such as Solidcore Status and Solidification Status, for an endpoint by clicking Actions, Choose columns, noncompliant Solidcore Agent might not display values for all endpoints. This is because the noncompliant Solidcore Agent section includes only noncompliant agent properties.
Workaround: When adding new columns for an endpoint, click Actions, Choose columns, Solidcore Client Properties instead of Actions, Choose columns, noncompliant Solidcore Agent.
812003
Issue: The Self-Approval page displays a link for .MSI-based applications, which displays an empty list when drilling down.
890978
Issue: The GTI cloud server entry isn't removed from ePO after the Solidcore Extension is uninstalled.
937037
Issue: You can't upgrade the Solidcore help extension from a previous release to 6.1.2.020.
Workaround: Uninstall the old help extension and install the new one.
926122
Issue: File Deviation details are missing in an exported file from the Image Deviation page.
950063
Issue: A few strings aren't properly localized in languages other than English.
Issue: For an unsupported kernel, the Build property of the endpoint on the ePO properties screen displays as Compiled.
944538
Issue: Application Control and Change Control 6.1.4 are not compatible with VSEL 2.0.
900761
Issue: When the endpoint is Disabled and not rebooted, the product upgrade isn't successful. This is because the driver isn't unloaded.
Workaround: Reboot the endpoint system and perform the upgrade task again.
The following issues are from the Application Control 6.1.0 Linux/UNIX release.
608671
Issue: If Solidcore Agent is installed in a non-default path, upgrading via ePO isn't supported. Such an upgrade can leave the Solidcore Agent in an inconsistent state. Technical Support recommends that you uninstall the existing version and then install the new version using ePO.
608737
Issue: If the partition with the /opt/McAfee/cma directory has insufficient space, events might not be generated and a Failed to generate event xml error message is added to the solidcore.log file. Free up space on the partition with the /opt/McAfee/cma directory.
601728
Issue: According to the NFS protocol, if a file present on the NFS share is opened once on the NFS client, it can't be reopened until the file attributes are changed. As a result, if a read-protected file on an NFS share is opened on the client side in Update mode, the user can read it on the client. The user can read it even in Enable mode (after coming out of Update mode) until the file attributes are changed on the server.
601734
Issue: Changing a hard link might cause the name of the link or program to display in events.
601914
Issue: For daemon processes, the reported username and original username are the same.
602653
Issue: A write-protected file can be changed through its hard link if the hard link is already created.
602772
Issue: Scripts without the #! tag can't act as updaters.
602977
Issue: For loopback file systems, some features, such as updater and monitoring, don't work correctly when the loopback path is used instead of the physical path in the sadmin commands. For instance, if /opt is mounted as a loopback file system at /mnt, to add /mnt/abc as an updater, you must add the path /opt/abc as an updater.
602990
Issue: Some features, such as updaters and mon-proc-exec, don't work properly for unsupported file formats. Only executable binaries and #! scripts are supported file formats.
603462
Issue: The BOOTING_ENABLED and BOOTING_UPDATE_MODE events aren't added to the system log.
Workaround: At boot time, start the syslog service before the Solidcore Agent service.
603490
Issue: The following issues are observed when an updater calls another updater:
If the child process is added as an updater, the non-inheritable option (-d) of the parent process is overridden.
If the parent process is added as an updater, the non-inheritable option (-d) of the child is overridden.
604780
Issue: For processes that aren't directly associated with a terminal, the original_user field is the same as the user field. For example, when you run a script through Runlevel/init scripts, original_user is the same as the user.
605062
Issue: The mmap system call at the NFS client doesn't work if the file is read-protected.
606674
Issue: A write-protected file can be changed or deleted if the file system is mounted to a different directory.
607014
Issue: Adding a script as an updater twice (once on its own and again with its parent) can lead to unexpected behavior.
607024
Issue: By default, the deny-read feature is disabled. A read-protect rule is immediately applied to Solidcore Agent but is effective only after the deny-read feature is enabled on the Solidcore Agent.
607245
Issue: No events are generated for changes to a file with the string solidcore.log in its name, for example, mysolidcore.log.
601763
Issue: Process information can't be determined for those processes that are invoked before the Solidcore Agent driver is loaded. This issue has the following implications:
If such a process makes file changes, these changes might not be reported.
For processes that start before the driver is loaded, only the partial program names are reported.
For NFS, for the changes made by the client, the change events displaying on the server have only the relative name for the NFS daemon (in other words, nfsd or nfsktcpd).
No Process Start and Process Stop events are generated for already running processes.
On only the AIX platform, Change Tracking / Prevention on file systems mounted by such processes might or might not work. System calls executed by already running processes can't be trapped due to differences in the way system calls are implemented for the AIX platform. As a workaround, you can restart such processes.
604604
Issue: Write or read protection doesn't work on files added via cachefs/lofs.
613214
Issue: If the installation path is a mount point, forcibly unmounting (for example, using the umount -f command) might lead to non-deterministic behavior.
603386
Issue: The Solidcore Agent can't be installed, upgraded, or uninstalled through init scripts that run at system boot time.
Workaround: Add the following two statements in the init script before invoking the installer:
HOME="/"
export HOME
610254
Issue: When you run the Debug Info client task for a UNIX system, the log states that the gatherinfo.tar.gz file is generated. The name of the generated file is suffixed with the host name and time stamp. For example, gatherinfo-hpj-03-07-08-10_14-37-45.tar.gz.
616089
Issue: Localized strings aren't consistent. Partial localization occurs in some events and messages.
708279
Issue: For RHEL5/RHEL6 (Kernel less than 2.6.32-220) and kernels of SLES 10/SUSE11 (excluding SLES11 SP2), FILE_CREATED events are incorrectly reported as FILE_ATTR_MODIFIED over an NFSv4 partition.
762449
Issue: Events are generated if a special device file is renamed.
774493
Issue: Change of a binary in Update mode doesn't change or update the corresponding hard link in the allow list.
797291
Issue: After Dynamic Kernel Module compilation, an empty file named 2 gets created in the dks directory.
797363
Issue: The sadmin xray command doesn't list the attr specific configurations for the running process.
798843
Issue: Unexpected behavior might be observed if a process exits without closing one or more changed files.
802433
Issue: If the volume is unsolidified, it's not listed as unsolidified in the output of sadmin status.
807180
Issue: Installation on a non pre-compiled kernel fails if you run the installer from a Windows share that's mounted using CIFS.
Workaround: Mount the Windows share using NFS.
811983
Issue: Property collection on ePO and the endpoint might show different versions of Solidifier if the system isn't rebooted after upgrade.
812578
Issue: On some kernels, error messages related to scdrv are displayed in the console during system boot.
818828
Issue: With VSEL 1.7 installed, the VSEL service stops with errors on the CLI.
989865
Issue: Installation of Solidifier occurs in a symbolic link path.
Critical: There are currently no known critical issues.
Non-critical:
Solidcore Extension
Reference
Description
608618
Issue: When you try to upload the Windows Solidcore Agent Deployment Package (~100 MB) to ePO through Microsoft Internet Explorer, the file upload times out if the network upload speed is slow.
Workaround: If an error displays in Internet Explorer 6, try using Internet Explorer 7 (or later). If the error occurs in Internet Explorer 7 or later, copy the package to a local directory on the ePO server. Access the ePO console on the ePO server and upload the file from the local path. Doing so avoids possible network delays.
607452
Issue: ePO 4.6 reports and dashboard entries aren't removed after the Solidcore Extension is uninstalled.
Workaround: If you're uninstalling and reinstalling the Solidcore extension, remove the reports and dashboards manually after uninstalling and before reinstalling.
607517
Issue: PDF reports have minor data display and formatting issues if more than 50,000 records are reported.
608347
Issue: The Solidcore Policies Applied on Hosts report displays all policies derived from the root, irrespective of the SKUs enabled on the platform.
609304
Issue: It's not possible to export data from the Reporting, Solidcore Events page.
Workaround: Use Queries (Reporting, Queries) to export event data.
636769
Issue: If you upgrade from 5.1.0 to 5.1.1 (or later), existing Solidcore events in the Solidcore Events table aren't migrated to the ePO Events table.
636352
Issue: After removing the Solidcore Extension, all Solidcore-related events are retained in the ePO table. When you view the events in the Threat Event Log, some fields might display garbage data.
607554
Issue: Solidcore policies can't be duplicated by using the Policy Details page because the OK button is disabled.
Workaround: Use the Policy Catalog page to duplicate policies.
643854
Issue: When using the Guided Configuration page on the ePO 4.6 console, the Save Policy button isn't enabled when changes are made to Solidcore Policies.
Workaround: Edit the policy by using the Policy Catalog without using Guided Configuration.
608374
Issue: When trying to enable an already enabled Solidcore Agent, the error displayed isn't translated.
607908
Issue: It's not possible to export more than 50,000 records from any table or report.
608025
Issue: Reports, tasks, and policies for all SKUs are listed even if the license for that SKU isn't added.
609911
Issue: Export of rule groups doesn't work in Internet Explorer when opened from the ePO server.
Workaround: Use Internet Explorer from a different computer and export rule groups.
610303
Issue: The Server Task pages on ePO might not work properly if you're using Mozilla Firefox version 3.0.
Workaround: If you encounter issues, Technical Support recommends that you use Mozilla Firefox version 3.6 (or later) or Internet Explorer 6.0 (or later).
608753
Issue: Sometimes, using the username field of reported events on the ePO as a trusted user might not work if the client system is part of an AD domain. This happens because the domain name reported in the events isn't the full AD domain.
Workaround: Use the environment variable USERDNSDOMAIN of the AD client as the domain name. You can review the properties of MyComputer, identify the complete username, and specify it as the trusted user as well.
608759
Issue: If ePO is installed on Japanese Windows, exporting the dashboard data to HTML format fails if the generated HTML file name contains digits.
609220
Issue: Saving an Application Control policy that's a copy of the McAfee Default policy is slow.
Workaround: Because Application Control policies are multi-slot policies, we recommend that you create a new blank policy and add new rules to it instead of copying and changing the McAfee Default policy.
656518
Issue: If you install Solidcore Extension 5.1.2 on an existing ePO 4.5 system and then upgrade to ePO version 4.6 FIPS mode, the event parser stops working.
Workaround: Run the following command and upgrade the required DLL: https://<ePO IP address:port>/remote/scor.upgradeEventParser.do
607950
Issue: User-defined system variables in policies are resolved at the endpoint only after the endpoint is restarted.
707486
Issue: When using the ePO 4.6 console, navigating quickly through the Events and Inventory pages logs off the user.
714176
Issue: On ePO 4.6 Update 1 or Update 2, if you add multiple commands to a Run Commands client task while creating the task, you can't later remove the commands from the saved client task.
719796
Issue: Global catalog search for AD groups isn't supported.
Workaround: Search for a group in a specific AD server instead of using the Global Catalog.
To add a specific group, perform the steps below:
Log on to the ePO 4.x console.
Add the AD server with the group as a Registered Server.
Search for the group by selecting the registered AD server. Make sure that the Global Catalog Search option is deselected.
Add the group to a policy as a trusted group.
722045
Issue: Adding new columns, such as Solidcore Status and Solidification Status, for an endpoint by clicking Actions, Choose columns, noncompliant Solidcore Agent might not display values for all endpoints. This happens because the noncompliant Solidcore Agent section includes only noncompliant agent properties.
Workaround: When adding new columns for an endpoint: Click Actions, Choose columns, Solidcore Client Properties instead of Actions, Choose columns, noncompliant Solidcore Agent.
812003
Issue: The Self-Approval page displays a link for .MSI based applications, which displays an empty list when drilling down.
890978
Issue: The GTI cloud server entry isn't removed from ePO after Solidcore extension is uninstalled.
937037
Issue: You can't upgrade Solidcore help extension from a previous release to 6.1.2.020.
Workaround: Uninstall the old help extension and install the new one.
926122
Issue: File Deviation details are missing in an exported file from the Image Deviation page.
950063
Issue: A few strings aren't properly localized in languages other than English.
Issue: If Solidcore Agent is installed on the non-default path, upgrade from ePO isn't supported. Such an upgrade might leave Solidcore Agent in an inconsistent state. Technical Support recommends that you uninstall the existing version and then install the new version using ePO.
608737
Issue: If the partition with the /opt/McAfee/cma directory has insufficient space, events might not be generated and the Failed to generate event xml error message is added to the solidcore.log file. Free up space in the partition with the /opt/McAfee/cma directory.
601728
Issue: According to the NFS protocol, if a file present on the NFS share is opened once on the NFS client, it can't be reopened until the file attributes are changed. As a result, if a read-protected file in an NFS share is opened on the client side in Update mode, the user can read it on the client. This issue occurs in Enable mode (after coming out of the Update mode) until the file attributes are changed on the server.
601734
Issue: Changing a hard link might cause the name of the link or program to display in events.
601914
Issue: For daemon processes, the reported user name and original user name are the same.
602653
Issue: A write-protected file can be changed through its hard link if the hard link is already created.
602772
Issue: Scripts without the #! tag can't act as updaters.
602977
Issue: For loopback file systems, some features such as updater and monitoring don't work correctly when the loopback path is used instead of the physical path in the sadmin commands. For instance, if /opt is mounted as a loopback file system at /mnt, to add /mnt/abc as an updater, you must add the path /opt/abc as an updater.
602990
Issue: Some features like updaters and mon-proc-exec don't work properly for unsupported file formats. Only executable binaries and #! scripts are supported file formats.
603462
Issue: The BOOTING_ENABLED and BOOTING_UPDATE_MODE events aren't added to the system log.
Workaround: At boot time, start the syslog service before the Solidcore Agent service.
603490
Issue: The following issues are observed when an updater calls another updater:
If the child process is added as an updater, the non-inheritable option (-d) of the parent process is overridden.
If the parent process is added as an updater, the non-inheritable option (-d) of the child is overridden.
604780
Issue: For processes that aren't directly associated with a terminal, the original_user field is a replica of the user field. For example, when you run a script through Runlevel/init scripts, original_user is the same as the user.
605062
Issue: The mmap system call at the NFS client doesn't work if the file is read-protected.
606674
Issue: A write-protected file can be changed or deleted if the file system is mounted to a different directory.
607014
Issue: Adding a script as an updater twice (once on its own and again with its parent) might lead to ambiguous behavior.
607024
Issue: By default, the deny-read feature is disabled. A read-protect rule is immediately applied to Solidcore Agent but is effective only after the deny-read feature is enabled on the Solidcore Agent.
607245
Issue: No events are generated for changes to a file with the string "solidcore.log" in its name, for example, mysolidcore.log.
601763
Issue: Process information can't be determined for those processes that are invoked before the Solidcore Agent driver is loaded. This issue has the following implications:
If such a process makes file changes, these changes might not be reported.
For processes that start before the driver is loaded, only the partial program names are reported.
For NFS, for the changes done by the client, the change events displaying on the server have only the relative name for the NFS daemon (in other words, nfsd or nfsktcpd).
No Process Start and Process Stop events are generated for already running processes.
On only the AIX platform, Change Tracking / Prevention on file systems mounted by such processes might or might not work. The reason is that system calls executed by already running processes can't be trapped because of a difference in the way system calls are implemented under the AIX platform. As a workaround, you can restart such processes.
604604
Issue: Write or read protection doesn't work on files added via cachefs/lofs.
613214
Issue: If the install path is a mount point, forcibly unmounting (for example, using the umount -f command) might lead to non-deterministic behavior.
603386
Issue: The Solidcore Agent can't be installed, upgraded, or uninstalled through init scripts that run at system boot time.
Workaround: Add the following two statements in the init script before invoking the installer:
HOME="/"
export HOME
610254
Issue: When you run the Collect debug information client task for a UNIX system, the log states that the gatherinfo.tar.gz file is generated. The name of the generated file is suffixed with the host name and time stamp, for example, gatherinfo-hpj-03-07-08-10_14-37-45.tar.gz.
616089
Issue: Localized strings aren't consistent. Partial localization occurs in some events and messages.
708279
Issue: For RHEL5/RHEL6 (Kernel less than 2.6.32-220) and kernels of SLES 10/SUSE11 (excluding SLES11 SP2), FILE_CREATED events are being incorrectly reported as FILE_ATTR_MODIFIED over an NFSv4 partition.
762449
Issue: Events are generated if a special device file is renamed.
774493
Issue: Change of binary in Update mode doesn't change or update the corresponding hard link in the allow list.
797291
Issue: During Dynamic Kernel Module compilation, an empty file named 2 gets created in the dks directory.
797363
Issue: The sadmin xray command doesn't list the attr specific configurations for the running process.
798843
Issue: Unexpected behavior might be observed if a process exits without closing the changed file.
802433
Issue: If the volume is unsolidified, it's not listed as unsolidified in the output of sadmin status.
807180
Issue: Installation on a non pre-compiled kernel fails if the installer is run from a Windows share that's mounted using CIFS.
Workaround: Mount the Windows share using NFS.
811983
Issue: Property collection on ePO and the endpoint might show different versions of the solidifier if the system isn't rebooted after upgrade.
812578
Issue: On a few kernels, error messages related to scdrv might show up on the console while the system starts.
818828
Issue: With VSEL 1.7 installed, the VSEL service stops with errors on the CLI.
Issue: The trusted, solidified, and write-protect features don't work correctly for folder-mounted volumes.
Workaround: Contact Technical Support for assistance if the setup uses folder-mounted volumes.
604153
Issue: Post install script customization isn't available during upgrades. It can be used only during a fresh installation of the Solidcore Agent.
608036
Issue: Mapped drive names can't be used in commands issued by remote users/ePO.
609249
Issue: You can't perform upgrades in UI mode for existing 5.0.0 deployments (that were done manually and not via ePO). Use the following methods to upgrade such standalone deployments:
UI -> Silent
Silent -> Silent
634733
Issue: If the database tables are corrupted, upgrade of the Solidcore Agent fails and you see the following error message:
"Database: . Could not load table 'Control' in SQL query: SELECT `Control`,
`Type`, `X`, `Y`, `Width`, `Height`, `Attributes`, `Property`, `Text`,
`Control_Next`, `Help` FROM `Control` WHERE `Dialog_`=?"
Workaround: Use silent installation instead of UI mode installation.
605369
Issue: When the Solidcore Agent installer is run by an agent installer with the /? argument, a series of unwanted dialog boxes appear owing to a bug in the third-party packaging software. These dialog boxes can be ignored.
609311
Issue: Manual uninstallation of Solidcore Agent (deployed from ePO) fails on a client computer having MA version 4.0 (or earlier).
Workaround: Contact Technical Support for assistance if manual uninstallation has already been tried.
Issue: Unsolidified scripts can't be copied using the MS-DOS command prompt on a solidified system. Any read access to unsolidified scripts by a script interpreter configured for that script is denied. This fact generates unauthorized execution events. Such problems can be avoided by performing the file operation using Windows Explorer.
594596
594770
595290
Issue: Antivirus software applications generate logs when the Solidcore Agent is enabled.
Workaround: Use appropriate applications as updaters.
594707
Issue: Roaming and Mandatory profiles with code files don't work properly. Copying files from a Central store on a domain controller to a member server and back might fail.
594790
Issue: Solidcore Protection prevents updating of applications, such as Microsoft Office and Office tools, after the initial installation. When executing the applications for the first time, Technical Support recommends that you run these applications in the Update mode.
596425
Issue: Print server logs errors on Runtime Control module systems with the Solidcore Agent active in the Enable mode.
Workaround: Add the printer share as a trusted share.
601158
Issue: The Runtime Control module uses MP-CASP as the default Memory Protection technique. If you want to enable MP-VASR, contact Technical Support.
607414
Issue: When script interpreters are added to memory protection bypass (casp or mangling-decoying), even after a script selected as an updater exits, the script interpreter's updater privilege isn't revoked.
608647
Issue: On 64-bit systems, multiple events might be generated when an unauthorized binary file is executed. The Windows operating system tries to run the binary multiple times by using a reduced set of attributes until final failure.
609632
Issue: After the initial scan task completes, the Application Control Initial Scan task is complete, and the McAfee Application Control is enforced on the system now message displays, the system is said to be solidified.
608745
Issue: Files that are read-protected by the user (using the 'sadmin read-protect' command) can't be solidified.
624015
Issue: If enabled on a 64-bit computer, the memory protection feature prevents the installation of ActiveX.
Workaround: From the ePO console, complete the following steps to add the Internet Explorer executable (iexplore.exe) to the memory protection bypass list.
Log on to the ePO 4.x console.
Click Menu, Policy, Policy Catalog.
Select the Solidcore 5.1.0 General entry from the Product drop-down.
Select Exception Rules (Windows).
Click Duplicate for the McAfee Default policy, specify the policy name, and click OK.
Click the created policy and click Add.
Enter iexplore.exe as the file name, select Bypassed from Memory Control, and click OK.
Click Save.
Apply the policy to the appropriate endpoints.
From the endpoint, run ActiveX after adding the Internet Explorer executable (iexplore.exe) to the memory protection bypass list. Use the following command to add the executable to the bypass list.
sadmin attr add -n iexplore.exe
643688
Issue: If you try an ActiveX installation before enabling the ActiveX feature and retry the installation after enabling the ActiveX feature, ActiveX might not get installed properly.
Workaround: If the ActiveX installation fails, delete all files in the <system drive>\windows\downloaded program files directory on the endpoint, and remove all .cab files in the temporary internet files. Now, install the ActiveX control on the endpoint.
602194
Issue: The package control feature isn't able to stop the installation of some applications, such as Gvim and Winrar.
602929
Issue: If a package-based installer is executed before the package control feature can detect the package change, the deny-exec feature might prevent the execution of the installer.
607014
Issue: Adding a script as an updater twice (once on its own and again with its parent) might lead to ambiguous behavior.
616147
Issue: For standalone Solidcore Agent installation (in other words, installation not done via ePO) on endpoints where Oracle is installed, finetune.bat must be run manually at the endpoints to apply Oracle-specific rules.
595067
Issue: The system might hang while installing the security hotfix WindowsXP-KB884020-x86-enu.exe.
Workaround: Disable the Solidcore Agent before installing this hotfix.
598286
Issue: The system hangs after installing Citrix MetaFrameXP with feature release 3.0.
Workaround: Add csrss.exe to the bypass list.
599348
Issue: On viewing the properties of a file on the local drive, deny-write and deny-exec events are generated for the solidified and unsolidified files, respectively.
601126
Issue: When copying solidified files to a rewritable CD, although the files are copied successfully, deny-write errors are logged.
601427
Issue: On 64-bit platforms, Enum or Performance in sub keys is bypassed from Solidcore Agent protection. Thus, when you delete a write-protected registry key with Enum or Performance in sub keys, you might get a partial completion status.
609812
Issue: For an ePO-managed endpoint with a valid Application Control license for which the Initial Scan is deferred and that has many executable files installed, the Initial Scan client task after a reboot completes successfully. But, the system remains in Update mode for some time before going to Enable mode. During this time, another client task sent to the endpoint might fail.
610206
Issue: The pop-up message regarding the completion of the Initial Scan client task sent from ePO doesn't display on remote desktop sessions.
616089
Issue: In the output of the sadmin diag command on the Spanish locale, read 'actualizadores agregar' as 'updaters add'.
For example, the following output
Issue: Multiple deny-write events might get generated for a single deny-write action.
Example: On deletion of a file using Windows Explorer, up to eight file deletion events are reported. This happens because when the application denies deletion of a file, Windows Explorer tries multiple other methods to delete the file, resulting in the generation of an event for each attempt.
724600
Issue: ActiveX alerts aren't generated on 64-bit Windows systems.
Workaround: Complete these steps if you're using the ePO console:
Log on to the ePO 4.x console.
Click Menu, Policy, Policy Catalog.
Select the Solidcore 6.0 General entry from the Product drop-down.
Select Exception Rules (Windows).
Click Duplicate for the McAfee Default policy, specify the policy name, and click OK.
Open the created policy and click Add.
Enter iexplore.exe as the file name, select Bypassed from Memory Control, and click OK.
Click Add.
Type ieinstal.exe as the file name, select Bypassed from Memory Control, and click OK.
Click Save.
Apply the policy to the endpoints.
Complete these steps from the endpoint if you're using the product in Standalone mode.
Execute the following commands to define the required memory-protection bypass rules.
Issue: After you uninstall the Solidcore client from the Windows (64-bit) operating system, the Solidcore folder (c:\program files(x86)\solidcore) and Registry link (HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates) remain on the endpoint.
695246
Issue: Although the Solidcore NX protection is based on system DEP, it's possible that some applications work with system DEP but not with Solidcore NX. In such cases, if processes are added to the Solidcore NX bypass list, the system DEP protection is enabled for the processes.
720663
Issue: Editing the Updater Label for an existing trusted publisher in an Application Control policy fails. Although the label changes on the ePO console, the change isn't reflected on the endpoints.
723624
Issue: Execution Denied events might be generated for some DLL files with searchprotocolhost.exe as the process name. These events have no functionality impact.
Workaround: If many events are generated, create an AEF rule to prune the events.
725204
Issue: For the 6.0 release, the Yahoo, Adobe Acrobat, CuteFTP, and WinZip rule groups have been removed from the default Application Control policy because of their security implications. Also, when you upgrade, these rule groups are removed from the default policies. If needed, you need to add these rule groups to policies manually.
702580
Issue: For Application Control-related internal files (such as finetune.bat and gatherinfo.bat), version details including binary version, vendor, application name, and application version aren't available.
713989
Issue: If Application Control and Spector are installed on an endpoint and MP-CASP is enabled, Internet Explorer crashes.
652602
Issue: If you disable the deny-exec-exes feature on any Windows (64-bit) operating system, change the extension of an exe to .sys, and try to run the .sys file, execution of the .sys file is prevented. If you change the file extension to dll, you can run the file even if the deny-exec-dlls feature is enabled.
713011
Issue: Observations are erroneously generated for 64-bit binary files that aren't supported on 32-bit platforms.
607574
Issue: On opening a network share (for systems running Windows Vista, Windows 7, and Windows 2008), deny-write and deny-exec events are generated for the binary files present on the network share. This issue occurs because Windows Explorer tries to fetch the icons for the files stored on the network share.
726020
Issue: If you upgrade from an older release to the 6.0 release and use a command added or changed in the 6.0 release without restarting the endpoint, you might receive a Msg not found error.
Workaround: Restart the endpoint to make sure that all commands added or changed in the 6.0 release work correctly.
608868
Issue: On the Windows 2008, Windows 7, and Windows Vista operating systems, you might receive an An unauthorized change made to the Windows error.
Workaround: Disable the MP-CASP feature.
768708
Issue: You're unable to set the flag fs-passthru 'p' and the flag vasr forced reloc 'v' together with the extra information flag 'o' in the attr command.
770362
Issue: You're unable to set more than one dll to bypass from VASR forced reloc.
770524
Issue: The Scormcpl.dll displays an older version in the inventory after it's upgraded.
794445
Issue: Solidified batch files, when copied using another batch file, fail.
803731
Issue: With network tracking disabled, Self-Approval function doesn't work for network shares.
803948
Issue: Deny-Exec on a Script file is reported if Network tracking is disabled on a 64-bit architecture.
808857
Issue: A Self-Approval pop-up window displays if a file is opened with the execute flag even if the file isn't executed.
808964
Issue: An Auth rule for a process making file changes doesn't get added correctly if allowed through Self-Approval.
812964
Issue: If the updater flag for a certificate rule is removed, the certificate is still listed as an updater on the endpoint.
816108
Issue: A file, authorized by checksum, is denied for execution when run from a network share.
656298
Issue: Upgrade via a hotfix build might fail in Update mode when run through Product Update Task.
603318
Issue: A blue screen error with bug check 0x00000050 (0xFFB4B000, 0x00000000, 0x80463723, 0x00000000) might be observed after the system is solidified and rebooted.
810072
Issue: While running a 16-bit executable with Self-Approval enabled, the file type is listed as script.
819876
Issue: A process that doesn't work as Updater is configured as an Updater through auth by checksum.
Workaround: Configure the process as an Updater by name.
888634
Issue: An unclean uninstallation of Adobe Flash Player occurs when pkg-ctrl-allow-uninstall is enabled.
Issue: You're unable to install Visual Studio 2010 Ultimate via updater.
887965
Issue: Uninstallation of applications isn't blocked even if the pkg-ctrl-allow-uninstallation feature is disabled.
Workaround: Run the sadmin clg command after each installation of an application to block the uninstallation. This command clears out all cached GUIDs from the system.
888878
Issue: Multiple package control prevention events are seen while uninstalling and repairing Visual Studio 2010.
Workaround: Add "<install-dir>\Microsoft SDKs\Windows\v7.0A\Bin" to the trusted path: sadmin trusted -u "<install-dir>\Microsoft SDKs\Windows\v7.0A\Bin"
884396
Issue: You're unable to install Adobe Flash Player 11 when the pkg-ctrl-bypass feature is enabled.
Issue: Solidifier upgrade from 6.1.1 to 6.1.2 fails in Observe mode.
Workaround: See the related article for details.
910080
Issue: With Package Control, if an application has ctor.dll in its uninstall string, another application using ctor.dll isn't installed when pkg-ctrl-allow-uninstall is disabled.
Workaround: As a workaround for mode 1 of package control, the user can configure ctor.dll as an updater using the complete path (for example, C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\ctor.dll). For Package Control modes, see the ACC 6.1.1 Addendum.
916640
Issue: Deny Execution isn't skipped for a drive after removing the skiplist -v flag without a reboot.
Issue: The upgrade version isn't updated on the ePO server and the McTray About field after an endpoint upgrade.
941675
Issue: Any changes to predefined rules for skiplist and Script-Auth aren't applied for upgrades.
940921
Issue: Write-Denied events are seen for sadmin.exe and Instaconfig.exe by the process csrss.exe.
940286
Issue: A Pkg-modification-prevented event is raised during an Application Control upgrade.
948349
Issue: Multiple deny-write events for a self-approval pop-up for putty.exe are recorded when execution is done after downloading the file from the internet.
961454
Issue: An older version of the deployment task runs even though a newer version is installed and replaces a few .DLL files on the new version.
Issue: The system hangs with Microsoft Security Essentials installed.
Windows 2003
Reference
Description
607361
Issue: On 64-bit systems, some Java-based applications might fail and the Event Viewer logs show that the javaw.exe process is hijacked.
Workaround: Add javaw.exe to the attributes list with the -n option:
sadmin attr add -n javaw.exe
892432
Issue: Deny-Exec and Deny-Write events are seen for .Net files via Windows update on Windows 2003.
Workaround: Add Netfxupdate.exe as an updater by name with inheritance enabled to successfully install Windows update for .NET.
832241
Issue: A Non-Trusted user can execute an unsolidified bat file using runas CLI on Windows 2003 (x64). This issue is intermittent.
Workaround: Use the following command:
sc config wuauserv type= own
Windows 2008 R2 (64-bit)
Reference
Description
608636
Issue: During manual installation of Solidcore Agent on the Windows 2008 R2 (64-bit) platform, you see that Windows installer encounters a validation error for the msiexec.exe and kernelbase.dll files.
Workaround: Click Ignore once or Ignore always on the error pop-up to continue installation.
Windows 2008 (64-bit)
Reference
Description
609780
Issue: On the Windows 2008 (64-bit) platform, the rundll32.exe file crashes if an application is uninstalled by using Add/Remove Programs, and initially the SetupInstallFromInfSection() function is used to install the application.
Windows 2008/Vista (32-bit and 64-bit), Windows XP/Windows 7/Windows 2008 R2 (64-bit)
Reference
Description
609757
Issue: In Enabled mode, if you try to access a folder with unsolidified files through File Explorer, deny-exec events are raised for the files in the folder.
Windows Vista
Reference
Description
607541
Issue: For Windows Vista and later platforms, the Solidcore Agent configuration selects a service called Windows Modules Installer (TrustedInstaller.exe) as the updater. This action is performed to allow Windows Update to work properly. This service can both install and remove Windows components even if the pkg-ctrl feature is enabled.
Windows 2012
Reference
Description
911734
Issue: Spurious events are generated when configuring AD on Windows 2012.
913943
Issue: Attr rules for MP NX and MP vasr are getting applied on Windows 2012.
1045414
Issue: In the system Event Viewer logs, a "Microsoft-Windows-Kernel-General" error message is logged while writing to the registry during start.
Windows 2003 IA
Reference
Description
911734
Issue: The Solidifier service stops responding on Windows 2003 IA.
Critical: There are currently no known critical issues.
Non-critical:
Solidcore Extension
Reference
Article
Found in Version
Resolved in Version
Description
608618
Issue: When you try to upload the Windows Solidcore Agent Deployment Package (~100 MB) to ePO through Microsoft Internet Explorer, the file upload times out if the network upload speed is slow.
Workaround: If an error displays in Internet Explorer 6, try using Internet Explorer 7 (or later). If the error occurs in Internet Explorer 7 or later, copy the package to a local directory on the ePO server. Access the ePO console on the ePO server and upload the file from the local path. Doing so avoids possible network delays.
605369
Issue: When Solidcore Agent installer is run by an agent installer with the /? argument, a series of unwanted dialog boxes appear due to a bug in the third-party packaging software. These dialog boxes can be ignored.
609311
Issue: Manual uninstallation of Solidcore Agent (deployed from ePO) fails on a client computer having MA version 4.0 (or earlier).
Workaround: Contact Technical Support for assistance in case manual uninstallation has already been tried.
Issue: Unsolidified scripts can't be copied using the MS-DOS command prompt on a solidified system. Any read access to unsolidified scripts by the script interpreter configured for that script is denied. This denial generates unauthorized execution events. Such problems can be avoided by performing file operation using Windows Explorer.
594596
594770
595290
Issue: Antivirus software applications generate logs when the Solidcore Agent is enabled.
Workaround: Use appropriate applications as updaters.
594707
Issue: Roaming and Mandatory profiles with code files don't work properly. Copying files from the Central store on a domain controller to a member server and back might fail.
594790
Issue: Solidcore Protection prevents updating of applications, such as Microsoft Office and Office tools after the initial installation. When executing the applications for the first time, Technical Support recommends that you run these applications in the Update Mode.
596425
Issue: Print server logs errors on Runtime Control module systems with the Solidcore Agent active in Enabled mode.
Workaround: Add the printer share as a trusted share.
601158
Issue: The Runtime Control module uses MP-CASP as the default Memory Protection technique. If you want to enable MP-VASR, contact Technical Support.
607414
Issue: When script interpreters are added to memory protection bypass (casp or mangling-decoying), even after a script marked as an updater exits, the script interpreter's updater privilege isn't revoked.
608647
Issue: On 64-bit systems, multiple events might get generated when an unauthorized binary file is executed. The Windows operating system tries to run the binary multiple times by using a reducing set of attributes until final failure.
609632
Issue: After the initial scan task completes and the Application Control Initial Scan task is complete and McAfee Application Control is enforced on the system now message displays, the system is said to be solidified.
608745
Issue: Files that are read-protected by the user (using 'sadmin read-protect' command) can't be solidified.
624015
Issue: If enabled on a 64-bit computer, the memory protection feature prevents the installation of ActiveX.
Workaround: From the ePO console, complete the following steps to add the Internet Explorer executable (iexplore.exe) to the memory protection bypass list.
Log on to the ePO 4.x console.
Click Menu, Policy, Policy Catalog.
Select the Solidcore 5.1.0 General entry from the Product drop-down.
Select Exception Rules (Windows).
Click Duplicate for the McAfee Default policy, specify the policy name, and click OK.
Click the created policy and click Add.
Enter iexplore.exe as the file name, select Bypassed from Memory Control, and click OK.
Click Save.
Apply the policy to the appropriate endpoints.
From the endpoint, run ActiveX after adding the Internet Explorer executable (iexplore.exe) to the memory protection bypass list. Use the following command to add the executable to the bypass list.
sadmin attr add -n iexplore.exe
643688
Issue: If you try an ActiveX installation before enabling the ActiveX feature and retry the installation after enabling the ActiveX feature, the ActiveX might not get installed properly.
Workaround: If the ActiveX installation fails, delete all files in the <system drive>\windows\downloaded program files directory on the endpoint, remove all .cab files in the temporary internet files. Now, install the ActiveX control on the endpoint.
602194
Issue: The package control feature isn't able to stop the installation of some applications, such as Gvim and Winrar.
602929
Issue: If a package-based installer is executed before the package control feature can detect the package change, the deny-exec feature might prevent the execution of the installer.
607014
Issue: Adding a script as an updater twice (once on its own and again with its parent) might lead to ambiguous behavior.
616147
Issue: For standalone Solidcore Agent installation (in other words, installation not done via ePO) on endpoints where Oracle is installed, finetune.bat must be run manually at the endpoints to apply Oracle-specific rules.
595067
Issue: The system might hang while installing the security hotfix WindowsXP-KB884020-x86-enu.exe.
Workaround: Disable the Solidcore Agent before installing this hotfix.
598286
Issue: System hangs after installing Citrix MetaFrameXP with feature release 3.0.
Workaround: Add csrss.exe to the bypass list.
599348
Issue: On viewing the properties of a file on the local drive, deny-write and deny-exec events are generated for the solidified and unsolidified files, respectively.
601126
Issue: When copying solidified files to a rewritable CD, although the files are copied successfully, deny-write errors are logged.
601427
Issue: On 64-bit platforms, Enum or Performance in sub keys is bypassed from Solidcore Agent protection. Thus, when you delete a write-protected registry key with Enum or Performance in sub keys, you might get a partial completion status.
609812
Issue: For an ePO-managed endpoint with a valid Application Control license for which the Initial Scan is deferred and that has many executable files installed, the Initial Scan client task after a reboot completes successfully. But, the system remains in Update mode for some time before going to Enabled mode. During this time, sending another client task to the endpoint might fail.
610206
Issue: The pop-up message regarding the completion of the Initial Scan client task sent from ePO doesn't display on remote desktop sessions.
616089
Issue: In the output of the sadmin diag command on the Spanish locale, read 'actualizadores agregar' as 'updaters add.'
For example, the following output
Issue: Multiple deny-write events might get generated for a single deny-write action.
Example: On deletion of a file using Windows Explorer, up to eight file-deletion events are reported. This happens because, when the application denies deletion of a file, Windows Explorer tries multiple other methods to delete the file, resulting in the generation of an event for each attempt.
724600
Issue: ActiveX alerts aren't generated on 64-bit Windows systems.
Workaround: Complete these steps if you're using the ePO console:
Log on to the ePO 4.x console.
Click Menu, Policy, Policy Catalog.
Select the Solidcore 6.0 General entry from the Product drop-down.
Select Exception Rules (Windows).
Click Duplicate for the McAfee Default policy, specify the policy name, and click OK.
Open the created policy and click Add.
Enter iexplore.exe as the file name, select Bypassed from Memory Control, and click OK.
Click Add.
Type ieinstal.exe as the file name, select Bypassed from Memory Control and click OK.
Click Save.
Apply the policy to the endpoints.
Complete these steps from the endpoint if you're using the product in Standalone mode.
Execute the following commands to define the required memory-protection bypass rules.
Issue: After you uninstall the Solidcore client from the Windows (64-bit) operating system, the Solidcore folder (c:\program files (x86)\solidcore) and Registry link (HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates) remain on the endpoint.
695246
Issue: Although the Solidcore NX protection is based on system DEP, it's possible that some applications work with system DEP but not with Solidcore NX. In such cases, if processes are added to the Solidcore NX bypass list, the system DEP protection is enabled for the processes.
720663
Issue: Editing the Updater Label for an existing trusted publisher in an Application Control policy fails. Although the label changes on the ePO console, the change isn't reflected on the endpoints.
723624
Issue: Execution Denied events might be generated for some DLL files with searchprotocolhost.exe as the process name. These events have no functionality impact.
Workaround: If many events are generated, create an AEF rule to prune the events.
725204
Issue: For the 6.0 release, the Yahoo, Adobe Acrobat, CuteFTP, and WinZip rule groups are removed from the default Application Control policy because of their security implications. Also, when you upgrade, these rule groups are removed from the default policies. If needed, you need to add these rule groups to policies manually.
702580
Issue: For Application Control-related internal files (such as finetune.bat and gatherinfo.bat), version details including binary version, vendor, application name, and application version aren't available.
713989
Issue: If Application Control and Spector are installed on an endpoint and MP-CASP is enabled, Internet Explorer crashes.
685124
Issue: If you're running VirusScan Enterprise (VSE) 8.8 with the Access Protection Level set to Maximum on an endpoint, you can't deploy Solidcore on the endpoint.
652602
Issue: If you disable the deny-exec-exes feature on any Windows (64-bit) operating system, change the extension of an exe to .sys, and try to run the .sys file, execution of the .sys file is prevented. You can change the file extension to dll to run the file even if the deny-exex-dlls feature is enabled.
713011
Issue: Observations are erroneously generated for 64-bit binary files that aren't supported on 32-bit platforms.
607574
Issue: On opening a network share (for systems running Windows Vista, Windows 7, Windows 2008), deny-write and deny-exec events are generated for the binary files present on the network share. The events are generated because Windows Explorer tries to fetch the icons for the files stored on the network share.
726020
Issue: If you upgrade from an older release to the 6.0 release and use a command added or changed in the 6.0 release without restarting the endpoint, you might receive a 'Msg not found' error.
Workaround: Restart the endpoint to make sure that all commands added or changed in the 6.0 release work correctly.
608868
Issue: On the Windows 2008, Windows 7, and Windows Vista operating systems, you might receive the 'An unauthorized change made to the Windows' error.
Workaround: Disable the MP-CASP feature.
768708
Issue: Unable to set flag fs-passthru 'p' and flag vasr forced reloc 'v' together with extra info flag 'o' in the attr command.
770362
Issue: Unable to set more than one dll to bypass from VASR forced reloc.
770524
Issue: The Scormcpl.dll displays an older version in the inventory after it's upgraded.
794445
Issue: Solidified batch files, when copied using another batch file, fail.
803731
Issue: With network tracking disabled, Self-Approval function doesn't work for network shares.
803948
Issue: Deny-Exec on Script file is reported if Network tracking is disabled on 64-bit architecture.
808857
Issue: Self-Approval pop-up shows up if files are opened with the execute flag even if the file isn't executed.
808964
Issue: Auth rule for a process making file changes doesn't get added correctly if allowed through Self-Approval.
812964
Issue: If the updater flag for a certificate rule is removed, the certificate is still listed as an updater on the endpoint.
816108
Issue: A file, authorized by checksum, is denied for execution when run from network share.
656298
Issue: Upgrade via hotfix build might fail in Update Mode when run through Product Update Task.
603318
Issue: Crash with bug check 0x00000050 (0xFFB4B000, 0x00000000, 0x80463723, 0x00000000) might be observed after the system is solidified and rebooted.
810072
Issue: While running a 16-bit executable with Self-Approval enabled, file type is listed as script.
819876
Issue: Process doesn't work as Updater is configured as an Updater through auth by checksum.
Workaround: Configure the process as an Updater by name.
888634
Issue: Unclean uninstallation of Adobe Flash Player when pkg-ctrl-allow-uninstall is enabled.
Issue: Unable to install Visual Studio 2010 Ultimate via updater.
887965
Issue: Uninstallation of applications isn't blocked even if the pkg-ctrl-allow-uninstallation feature is disabled.
Workaround: Run the sadmin clg command after each installation of an application to block the uninstallation. This command clears out all cached GUIDs from the system.
888878
Issue: Multiple package control prevention events are seen while uninstalling and repairing Visual Studio 2010.
Workaround: Uninstall and repair are successful after adding "<install-dir>\Microsoft SDKs\Windows\v7.0A\Bin" to the trusted path:
Issue: Solidifier upgrade from 6.1.1 fails in Observe Mode.
Workaround: See the related article for details.
910080
Issue: With Package Control, if an application has ctor.dll in its uninstall string, another application using ctor.dll isn't installed when pkg-ctrl-allow-uninstall is disabled.
Workaround: As a workaround for mode 1 of package control, the user can configure ctor.dll as an updater using the complete path (for example, C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\ctor.dll). For Package Control modes, see the ACC 6.1.1 Addendum.
916640
Issue: Deny Execution isn't skipped for the drive after removing the skiplist -v flag without reboot.
Issue: On the Windows XP platform, NTFS junction points are supported only when junctions are created for volumes and not for folders.
701065
Issue: If you're using Application Control in the Enabled mode on the Windows XP SP1 operating system, virtual memory usage increases for most processes.
Workaround: Upgrade to Windows XP Service Pack 2.
793102
Issue: DLL rebasing doesn't work when the complete path to DLL is specified.
809646
Issue: Self-Approval Pop Up might hang while running non-whitelist binaries from Desktop.
844203
Issue: System hangs with Microsoft Security Essentials installed.
Issue: Application Control system crashes on every reboot with BugCheck E0100010 due to inventory corruption.
Windows 2003
Reference
Description
607361
Issue: On 64-bit systems, some Java-based applications might fail and the Event Viewer logs show that the javaw.exe process is hijacked.
Workaround: Add javaw.exe to the attributes list with the -n option:
sadmin attr add -n javaw.exe
892432
Issue: Deny-Exec and Deny-Write events seen for .Net files via Windows updates on Windows 2003.
Workaround: Add Netfxupdate.exe as an updater by name with inheritance enabled to successfully install Windows updates for .NET.
832241
Issue: This issue is intermittent, where a Non-Trusted user can execute an unsolidified bat file using runas CLI on Windows 2003 (x64).
Workaround: Use the command below:
sc config wuauserv type= own
Windows 2008 R2 [64-bit]
Reference
Description
608636
Issue: During manual installation of Solidcore Agent on the Windows 2008 R2 (64-bit) platform, you see that Windows installer encounters a validation error for the msiexec.exe and kernelbase.dll files.
Workaround: Click Ignore once or Ignore always on the error pop-up to continue installation.
Windows 2008 [64-bit]
Reference
Description
609780
Issue: On the Windows 2008 (64-bit) platform, the rundll32.exe file crashes if an application is uninstalled by using Add/Remove Programs, and initially the SetupInstallFromInfSection() function is used to install the application.
Windows 2008/Vista [32-bit and 64-bit], Windows XP/Windows 7/Windows 2008 R2 [64-bit]
Reference
Description
609757
Issue: In Enabled mode, if you try to access a folder with unsolidified files through File Explorer, deny-exec events are raised for the files in the folder.
Windows Vista
Reference
Description
607541
Issue: For Windows Vista and higher platforms, the Solidcore Agent configuration selects a service called Windows Modules Installer (TrustedInstaller.exe) as updater. This action is performed to allow Windows Updates to work properly. This service can both install and remove Windows components even if the pkg-ctrl feature is enabled.
Windows 2012
Reference
Description
911734
Issue: Spurious events occur when configuring AD on Windows 2012.
913943
Issue: Attr rules for MP NX and MP vasr are applied on Windows 2012.
Windows 2003 IA
Reference
Description
911734
Issue: Solidifier service stops responding on Windows 2003 IA.
Critical: There are currently no known critical issues.
Non-critical:
Solidcore Extension
Reference
Article
Found in Version
Resolved in Version
Description
608618
Issue: When you try to upload the Windows Solidcore Agent Deployment Package (~100 MB) to ePO through Microsoft Internet Explorer, the file upload times out if the network upload speed is slow.
Workaround: If an error displays in Internet Explorer 6, try using Internet Explorer 7 (or later). If the error occurs in Internet Explorer 7 or later, copy the package to a local directory on the ePO server. Access the ePO console on the ePO server and upload the file from the local path. Doing so avoids possible network delays.
605369
Issue: When Solidcore Agent installer is run by an agent installer with the /? argument, a series of unwanted dialog boxes appear due to a bug in the third-party packaging software. These dialog boxes can be ignored.
609311
Issue: Manual uninstallation of Solidcore Agent (deployed from ePO) fails on a client computer having MA version 4.0 (or earlier).
Workaround: Contact Technical Support for assistance in case manual uninstallation has already been tried.
Issue: Unsolidified scripts can't be copied using the MS-DOS command prompt on a solidified system. Any read access to unsolidified scripts by the script interpreter configured for that script is denied. This denial generates unauthorized execution events. Such problems can be avoided by performing file operation using Windows Explorer.
594596
594770
595290
Issue: Antivirus software applications generate logs when the Solidcore Agent is enabled.
Workaround: Use appropriate applications as updaters.
594707
Issue: Roaming and Mandatory profiles with code files don't work properly. Copying files from the Central store on a domain controller to a member server and back might fail.
594790
Issue: Solidcore Protection prevents updating of applications, such as Microsoft Office and Office tools after the initial installation. When executing the applications for the first time, we recommend that you run these applications in Update Mode.
596425
Issue: Print server logs errors on Runtime Control module systems with the Solidcore Agent active in Enabled mode.
Workaround: Add the printer share as a trusted share.
601158
Issue: The Runtime Control module uses MP-CASP as the default Memory Protection technique. If you want to enable MP-VASR, contact Technical Support.
607414
Issue: When script interpreters are added to memory protection bypass (casp or mangling-decoying), even after a script marked as an updater exits, the script interpreter's updater privilege isn't revoked.
608647
Issue: On 64-bit systems, multiple events might get generated when an unauthorized binary file is executed. The Windows operating system tries to run the binary multiple times by using a reducing set of attributes until final failure.
609632
Issue: After the initial scan task completes and the Application Control Initial Scan task is complete and the 'McAfee Application Control is enforced on the system now' message displays, the system is said to be solidified.
608745
Issue: Files that are read-protected by the user (using the 'sadmin read-protect' command) can't be solidified.
624015
Issue: If enabled on a 64-bit computer, the memory protection feature prevents the installation of ActiveX.
Workaround: From the ePO console, complete the following steps to add the Internet Explorer executable (iexplore.exe) to the memory protection bypass list.
Log on to the ePO 4.x console.
Click Menu, Policy, Policy Catalog.
Select the Solidcore 5.1.0 General entry from the Product drop-down.
Select Exception Rules (Windows).
Click Duplicate for the McAfee Default policy, specify the policy name, and click OK.
Click the created policy and click Add.
Enter iexplore.exe as the file name, select Bypassed from Memory Control, and click OK.
Click Save.
Apply the policy to the appropriate endpoints.
From the endpoint, run ActiveX after adding the Internet Explorer executable (iexplore.exe) to the memory protection bypass list. Use the following command to add the executable to the bypass list.
sadmin attr add -n iexplore.exe
643688
Issue: If you try an ActiveX installation before enabling the ActiveX feature and retry the installation after enabling the ActiveX feature, the ActiveX might not get installed properly.
Workaround: If the ActiveX installation fails, delete all files in the <system drive>\windows\downloaded program files directory on the endpoint, remove all .cab files in the temporary internet files. Now, install the ActiveX control on the endpoint.
602194
Issue: The package control feature isn't able to stop the installation of some applications, such as Gvim and Winrar.
602929
Issue: If a package-based installer is executed before the package control feature can detect the package change, the deny-exec feature might prevent the execution of the installer.
607014
Issue: Adding a script as an updater twice (once on its own and again with its parent) might lead to ambiguous behavior.
616147
Issue: For standalone Solidcore Agent installation (that is, installation not done via ePO) on endpoints where Oracle is installed, finetune.bat must be run manually at the endpoints to apply Oracle-specific rules.
595067
Issue: The system might hang while installing the security hotfix WindowsXP-KB884020-x86-enu.exe.
Workaround: Disable the Solidcore Agent before installing this hotfix.
598286
Issue: The system hangs after installing Citrix MetaFrameXP with feature release 3.0.
Workaround: Add csrss.exe to the bypass list.
599348
Issue: On viewing the properties of a file on the local drive, deny-write and deny-exec events are generated for the solidified and unsolidified files, respectively.
601126
Issue: When copying solidified files to a rewritable CD, although the files are copied successfully, deny-write errors are logged.
601427
Issue: On 64-bit platforms, Enum or Performance in sub keys is bypassed from Solidcore Agent protection. Thus, when you delete a write-protected registry key with Enum or Performance in sub keys, you might get a partial completion status.
609812
Issue: For an ePO-managed endpoint with a valid Application Control license for which the Initial Scan is deferred and that has many executable files installed, the Initial Scan client task after a reboot completes successfully. But, the system remains in Update mode for some time before going to Enabled mode. During this time, sending another client task to the endpoint might fail.
610206
Issue: The pop-up message regarding the completion of the Initial Scan client task sent from ePO doesn't display on remote desktop sessions.
616089
Issue: In the output of the sadmin diag command on the Spanish locale, read 'actualizadores agregar' as 'updaters add.'
For example, the following output
Issue: Multiple deny-write events might get generated for a single deny-write action.
Example: On deletion of a file using Windows Explorer, up to eight file deletion events are reported. This happens because, when the application denies deletion of a file, Windows Explorer tries multiple other methods to delete the file, resulting in the generation of an event for each attempt.
724600
Issue: ActiveX alerts aren't generated on 64-bit Windows systems.
Workaround: Complete these steps if you're using the ePO console:
Log on to the ePO 4.x console.
Click Menu, Policy, Policy Catalog.
Select the Solidcore 6.0 General entry from the Product drop-down.
Select Exception Rules (Windows).
Click Duplicate for the McAfee Default policy, specify the policy name, and click OK.
Open the created policy and click Add.
Enter iexplore.exe as the file name, select Bypassed from Memory Control, and click OK.
Click Add.
Enter ieinstal.exe as the file name, select Bypassed from Memory Control, and click OK.
Click Save.
Apply the policy to the endpoints.
Complete these steps from the endpoint if you're using the product in Standalone mode.
Execute the following commands to define the required memory-protection bypass rules.
Issue: After you uninstall the Solidcore client from the Windows (64-bit) operating system, the Solidcore folder (c:\program files (x86)\solidcore) and Registry link (HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates) remain on the endpoint.
695246
Issue: Although the Solidcore NX protection is based on system DEP, it's possible that some applications work with system DEP but not with Solidcore NX. In such cases, if processes are added to Solidcore NX bypass list, the system DEP protection is enabled for the processes.
720663
Issue: Editing the Updater Label for an existing trusted publisher in an Application Control policy fails. Although the label changes on the ePO console, the change isn't reflected on the endpoints.
723624
Issue: Execution-Denied events might be generated for some DLL files with searchprotocolhost.exe as the process name. These events have no functionality impact.
Workaround: If many events are generated, create an AEF rule to prune the events.
725204
Issue: For 6.0 release, the Yahoo, Adobe Acrobat, CuteFTP, and WinZip rule groups have been removed from the default Application Control policy because of their security implications. Also, when you upgrade, these rule groups are removed from the default policies. If needed, you need to add these rule groups to policies manually.
702580
Issue: For Application Control-related internal files (such as finetune.bat and gatherinfo.bat), version details including binary version, vendor, application name, and application version aren't available.
713989
Issue: If Application Control and Spector are installed on an endpoint and MP-CASP is enabled, Internet Explorer crashes.
685124
Issue: If you're running VSE 8.8 with the Access Protection Level set to Maximum on an endpoint, you can't deploy Solidcore on the endpoint.
652602
Issue: If you disable the deny-exec-exes feature on any Windows (64-bit) operating system, change the extension of an exe to .sys, and try to run the .sys file, execution of the .sys file is prevented. You can change the file extension to dll and run the file even if the deny-exex-dlls feature is enabled.
713011
Issue: Observations are erroneously generated for 64-bit binary files that aren't supported on 32-bit platforms.
607574
Issue: On opening a network share (for systems running Windows Vista, Windows 7, Windows 2008), deny-write and deny-exec events are generated for the binary files present on the network share. The events are generated because Windows Explorer tries to fetch the icons for the files stored on the network share.
726020
Issue: If you upgrade from an older release to the 6.0 release and use a command added or changed in the 6.0 release without restarting the endpoint, you might receive a 'Msg not found' error.
Workaround: Restart the endpoint to make sure that all commands added or changed in the 6.0 release work correctly.
608868
Issue: On the Windows 2008, Windows 7, and Windows Vista operating systems, you might receive the 'An unauthorized change made to the Windows' error.
Workaround: Disable the MP-CASP feature.
768708
Issue: Unable to set flag fs-passthru 'p' and flag vasr forced reloc 'v' together with extra info flag 'o' in the attr command.
770362
Issue: Unable to set more than one dll to bypass from VASR forced reloc.
770524
Issue: Scormcpl.dll displays an older version in the inventory after it's upgraded.
794445
Issue: Solidified batch files when copied using another batch file fail.
803731
Issue: With network tracking disabled, Self-Approval function doesn't work for network shares.
803948
Issue: Deny-Exec on Script file is reported if Network tracking is disabled on 64-bit architecture.
808857
Issue: Self-Approval pop-up shows up if files are opened with the execute flag even if file isn't executed.
808964
Issue: Auth rule for a process making file changes doesn't get added correctly if allowed through Self-Approval.
812964
Issue: If the updater flag for a certificate rule is removed, the certificate is still listed as an updater on the endpoint.
816108
Issue: A file, authorized by checksum, is denied for execution when run from a network share.
656298
Issue: Upgrade via hotfix build might fail in Update Mode when run through Product Update Task.
603318
Issue: Crash with bug check 0x00000050 (0xFFB4B000, 0x00000000, 0x80463723, 0x00000000) might be observed after the system is solidified and rebooted.
810072
Issue: While running a 16-bit executable with Self-Approval enabled, the file type is listed as script.
819876
Issue: A process configured as an Updater through auth by checksum doesn't work as an Updater.
Workaround: Configure the process as an Updater by name.
888634
Issue: Unclean uninstallation of Adobe Flash Player when pkg-ctrl-allow-uninstall is enabled.
Issue: Unable to install Visual Studio 2010 ultimate via updater.
887965
Issue: Uninstallation of applications isn't blocked even if the pkg-ctrl-allow-uninstallation feature is disabled.
Workaround: Run the sadmin clg command after each installation of an application to block the uninstallation. This command clears out all cached GUIDs from the system.
888878
Issue: Multiple package control prevention events seen while uninstalling and repairing Visual Studio 2010.
Workaround: Uninstall and repair are successful after adding "<install-dir>\Microsoft SDKs\Windows\v7.0A\Bin" to the trusted path:
Issue: On the Windows XP platform, NTFS junction points are supported only when junctions are created for volumes and not for folders.
701065
Issue: If you're using Application Control in the Enabled mode on the Windows XP SP1 operating system, virtual memory usage increases for most processes.
Workaround: Upgrade to Windows XP Service Pack 2.
793102
Issue: DLL rebasing doesn't work when the complete path to DLL is specified.
809646
Issue: Self-Approval Pop Up might hang while running non-whitelist binaries from Desktop.
Windows 2003
Reference
Description
607361
Issue: On 64-bit systems, some Java-based applications might fail and the Event Viewer logs show that the javaw.exe process is hijacked.
Workaround: Add javaw.exe to the attributes list with the -n option:
sadmin attr add -n javaw.exe
892432
Issue: Deny-Exec and Deny-Write events are seen for .Net files via a Windows update on Windows 2003.
Workaround: Add Netfxupdate.exe as an updater by name with inheritance enabled to successfully install a Windows update for .Net.
832241
Issue: This issue is intermittent, where a Non-Trusted user can execute an unsolidified bat file using runas CLI on Windows 2003 (x64).
Workaround: Use the command below:
sc config wuauserv type= own
Windows 2008 R2 [64-bit]
Reference
Description
608636
Issue: During manual installation of Solidcore Agent on the Windows 2008 R2 (64-bit) platform, 'Windows installer encountered a validation error' displays for the msiexec.exe and kernelbase.dll files.
Workaround: Click Ignore once or Ignore always on the error pop-up to continue installation.
Windows 2008 [64-bit]
Reference
Description
609780
Issue: On the Windows 2008 (64-bit) platform, the rundll32.exe file crashes if an application is uninstalled by using Add/Remove Programs, and initially, the SetupInstallFromInfSection() function is used to install the application.
Windows 2008/Vista [32-bit and 64-bit], Windows XP/Windows 7/Windows 2008 R2 [64-bit]
Reference
Description
609757
Issue: In Enabled mode, if you try to access a folder with unsolidified files through File Explorer, deny-exec events are raised for the files in the folder.
Windows Vista
Reference
Description
607541
Issue: For Windows Vista and higher platforms, the Solidcore Agent configuration selects a service called Windows Modules Installer (TrustedInstaller.exe) as updater. This action is done to allow Windows Update to work properly. This service can both install and remove Windows components even if the pkg-ctrl feature is enabled.
Critical: There are currently no known critical issues.
Non-critical:
Solidcore Clients (all OS) and Extension
Reference
Article
Found in Version
Resolved in Version
Description
608618
Issue: When you try to upload the Windows Solidcore Agent Deployment Package (~100 MB) to ePO through Microsoft Internet Explorer, the file upload times out if the network upload speed is slow.
Workaround: If an error displays in Internet Explorer 6, try using Internet Explorer 7 (or later). If the error occurs in Internet Explorer 7 or later, copy the package to a local directory on the ePO server. Access the ePO console on the ePO server and upload the file from the local path. Doing so avoids possible network delays.
605369
Issue: When the Solidcore Agent installer is run by an agent installer with the /? argument, a series of unwanted dialog boxes appears due to a bug in the third-party packaging software. These dialog boxes can be ignored.
609311
Issue: Manual uninstallation of Solidcore Agent (deployed from ePO) fails on a client computer having MA version 4.0 (or earlier).
Workaround: Contact Technical Support for assistance in case manual uninstallation has already been tried.
Issue: Unsolidified scripts can't be copied using the MS-DOS command prompt on a solidified system. Any read access to unsolidified scripts by a script interpreter configured for that script is denied. This denial generates unauthorized execution events. Such problems can be avoided by performing file operation using Windows Explorer.
594596
594770
595290
Issue: Antivirus software applications generate logs when the Solidcore Agent is enabled.
Workaround: Use appropriate applications as updaters.
594707
Issue: Roaming and Mandatory profiles with code files don't work properly. Copying files from the Central store on a domain controller to a member server and back might fail.
594790
Issue: Solidcore Protection prevents updating of applications, such as Microsoft Office and Office tools after the initial installation. When executing the applications for the first time, we recommend that you run these applications in the Update Mode.
596425
Issue: Print server logs errors on Runtime Control module systems with the Solidcore Agent active in the Enabled mode.
Workaround: Add the printer share as a trusted share.
601158
Issue: The Runtime Control module uses MP-CASP as the default Memory Protection technique. If you want to enable MP-VASR, contact Technical Support.
607414
Issue: When script interpreters are added to memory protection bypass (casp or mangling-decoying), even after a script marked as an updater exits, the script interpreter's updater privilege isn't revoked.
608647
Issue: On 64-bit systems, multiple events might get generated when an unauthorized binary file is executed. The Windows operating system tries to run the binary multiple times by using a reducing set of attributes until final failure.
609632
Issue: After the initial scan task completes and the Application Control Initial Scan task is complete and the 'McAfee Application Control is enforced on the system now' message displays, the system is said to be solidified.
608745
Issue: Files that are read-protected by the user (using the 'sadmin read-protect' command) can't be solidified.
624015
Issue: If enabled on a 64-bit computer, the memory protection feature prevents the installation of ActiveX.
Workaround: From the ePO console, complete the following steps to add the Internet Explorer executable (iexplore.exe) to the memory protection bypass list.
Log on to the ePO 4.x console.
Click Menu, Policy, Policy Catalog.
Select the Solidcore 5.1.0 General entry from the Product drop-down.
Select Exception Rules (Windows).
Click Duplicate for the McAfee Default policy, specify the policy name, and click OK.
Click the created policy and click Add.
Enter iexplore.exe as the file name, select Bypassed from Memory Control, and click OK.
Click Save.
Apply the policy to the appropriate endpoints.
From the endpoint, run ActiveX after adding the Internet Explorer executable (iexplore.exe) to the memory protection bypass list. Use the following command to add the executable to the bypass list.
sadmin attr add -n iexplore.exe
643688
Issue: If you try an ActiveX installation before you enable the ActiveX feature, and retry the installation after you enable the ActiveX feature, the ActiveX might not install properly.
Workaround: If the ActiveX installation fails, delete all files in the <system drive>\windows\downloaded program files directory on the endpoint and remove all .cab files in the temporary internet files. Then install the ActiveX control on the endpoint.
602194
Issue: The package control feature isn't able to stop the installation of some applications, such as Gvim and Winrar.
602929
Issue: If a package-based installer is executed before the package control feature can detect the package change, the deny-exec feature might prevent the execution of the installer.
607014
Issue: Adding a script as an updater twice (once on its own and again with its parent) might lead to ambiguous behavior.
616147
Issue: For standalone Solidcore Agent installation on endpoints where Oracle is installed, finetune.bat must be run manually at the endpoints to apply Oracle-specific rules. (A standalone Solidcore Agent installation implies one that's not done via ePO.)
595067
Issue: The system might hang while installing the security hotfix WindowsXP-KB884020-x86-enu.exe.
Workaround: Disable the Solidcore Agent before installing this hotfix.
598286
Issue: System hangs after installing Citrix MetaFrameXP with feature release 3.0.
Workaround: Add csrss.exe to the bypass list.
599348
Issue: On viewing the properties of a file on the local drive, deny-write and deny-exec events are generated for the solidified and unsolidified files, respectively.
601126
Issue: When copying solidified files to a rewritable CD, although the files are copied successfully, deny-write errors are logged.
601427
Issue: On 64-bit platforms, Enum or Performance in sub keys is bypassed from Solidcore Agent protection. Thus, when you delete a write-protected registry key with Enum or Performance in sub keys, you might get a partial completion status.
609812
Issue: For an ePO-managed endpoint with a valid Application Control license for which the Initial Scan is deferred and that has many executable files installed, the Initial Scan client task after a reboot completes successfully. But, the system remains in Update mode for some time before going to Enabled mode. During this time, sending another client task to the endpoint might fail.
610206
Issue: The pop-up message regarding the completion of the Initial Scan client task sent from ePO doesn't display on remote desktop sessions.
616089
Issue: In the output of the sadmin diag command on the Spanish locale, read 'actualizadores agregar' as 'updaters add'.
For example, the following output
Issue: Multiple deny-write events might get generated for a single deny-write action.
Example: On deletion of a file using Windows Explorer, up to eight file-deletion events are reported. The reason is that when the application denies deletion of a file, Windows Explorer tries multiple other methods to delete the file, which results in the generation of an event for each attempt.
724600
Issue: ActiveX alerts aren't generated on 64-bit Windows systems.
Workaround: Complete these steps if you're using the ePO console:
Log on to the ePO 4.x console.
Click Menu, Policy, Policy Catalog.
Select the Solidcore 6.0 General entry from the Product drop-down.
Select Exception Rules (Windows).
Click Duplicate for the McAfee Default policy, specify the policy name, and click OK.
Open the created policy and click Add.
Enter iexplore.exe as the file name, select Bypassed from Memory Control, and click OK.
Click Add.
Enter ieinstal.exe as the file name, select Bypassed from Memory Control, and click OK.
Click Save.
Apply the policy to the endpoints.
Complete these steps from the endpoint if you're using the product in Standalone mode.
Execute the following commands to define the required memory-protection bypass rules.
Issue: After you uninstall the Solidcore client from the Windows (64-bit) operating system, the Solidcore folder (c:\program files(x86)\solidcore) and Registry link (HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates) remain on the endpoint.
695246
Issue: Although the Solidcore NX protection is based on system DEP, it's possible that some applications work with system DEP but not with Solidcore NX. In such cases, if processes are added to Solidcore NX bypass list, the system DEP protection is enabled for the processes.
720663
Issue: Editing the Updater Label for an existing trusted publisher in an Application Control policy fails. Although the label changes on the ePO console, the change isn't reflected on the endpoints.
723624
Issue: Execution Denied events might be generated for some DLL files with searchprotocolhost.exe as the process name. These events have no functional impact.
Workaround: If many events are generated, create an AEF rule to prune the events.
725204
Issue: For the 6.0 release, the Yahoo, Adobe Acrobat, CuteFTP, and WinZip rule groups are removed from the default Application Control policy because of their security implications. Also, when you upgrade, these rule groups are removed from the default policies. If needed, you have to add these rule groups to policies manually.
702580
Issue: For Application Control-related internal files (such as finetune.bat and gatherinfo.bat), version details including the binary version, vendor, application name, and application version aren't available.
713989
Issue: If Application Control and Spector are installed on an endpoint and MP-CASP is enabled, Internet Explorer crashes.
685124
Issue: If you're running VSE 8.8 with the Access Protection Level set to Maximum on an endpoint, you can't deploy Solidcore on the endpoint.
652602
Issue: If you disable the deny-exec-exes feature on any Windows (64-bit) operating system, change the extension of an exe to .sys, and try to run the .sys file, execution of the .sys file is prevented. You can change the file extension to dll and run the file even if the deny-exex-dlls feature is enabled.
713011
Issue: Observations are erroneously generated for 64-bit binary files that aren't supported on 32-bit platforms.
607574
Issue: On opening a network share (for systems running Windows Vista, Windows 7, Windows 2008), deny-write and deny-exec events are generated for the binary files present on the network share. The events are generated because Windows Explorer tries to fetch the icons for the files stored on the network share.
726020
Issue: If you upgrade from an older release to the 6.0 release and use a command added or changed in the 6.0 release without restarting the endpoint, you might receive a 'Msg not found' error.
Workaround: Restart the endpoint to make sure that all commands added or changed in the 6.0 release work correctly.
608868
Issue: On the Windows 2008, Windows 7, and Windows Vista operating systems, you might receive the 'An unauthorized change made to the Windows' error.
Workaround: Disable the MP-CASP feature.
768708
Issue: Unable to set flag fs-passthru 'p' and flag vasr forced reloc 'v' together with extra info flag 'o' in the attr command.
770362
Issue: Unable to set more than one dll to bypass from VASR forced reloc.
770524
Issue: Scormcpl.dll displays an older version in the inventory after it's upgraded.
794445
Issue: Solidified batch files when copied using another batch file fail.
803731
Issue: With network tracking disabled, Self-Approval function doesn't work for network shares.
803948
Issue: Deny-Exec on Script file is reported if Network tracking is disabled on 64-bit architecture.
808857
Issue: Self-Approval pop-up shows up if files are opened with the execute flag even if the file isn't executed.
808964
Issue: Auth rule for a process making file changes doesn't get added correctly if allowed through Self-Approval.
812964
Issue: If the updater flag for a certificate rule is removed, the certificate is still listed as an updater on the endpoint.
816108
Issue: A file, authorized by checksum, is denied for execution when run from a network share.
656298
Issue: Upgrade via a hotfix build might fail in Update Mode when run through Product Update Task.
603318
Issue: Crash with bug check 0x00000050 (0xFFB4B000, 0x00000000, 0x80463723, 0x00000000) might be observed after the system is solidified and rebooted.
810072
Issue: While running a 16-bit executable with Self-Approval enabled, the file type is listed as script.
819876
Issue: A process configured as an Updater through auth by checksum doesn't work as an Updater.
Workaround: Configure the process as an Updater by name.
888634
Issue: Unclean uninstallation of Adobe Flash Player when pkg-ctrl-allow-uninstall is enabled.
Issue: Unable to install Visual Studio 2010 Ultimate via updater.
887965
Issue: Uninstallation of applications isn't blocked even if the pkg-ctrl-allow-uninstallation feature is disabled.
Workaround: Run the sadmin clg command after each installation of an application to block the uninstallation. This command clears out all cached GUIDs from the system.
888878
Issue: Multiple package control prevention events are seen while uninstalling and repairing Visual Studio 2010.
Workaround: Uninstall and repair are successful after adding "<install-dir>\Microsoft SDKs\Windows\v7.0A\Bin" to the trusted path:
Issue: Recovering local CLI fails, and a long cmd auth from ePO is already running (after upgrading Application Control to a newer version).
955770
6.1
Issue: A whitelisted file is denied from execution if Hibernate Once/Resume Many (HORM) is enabled.
977062
6.1.0
6.1.3.380
Issue: In a rare scenario, an unsolidified (not in the allow list) driver is loaded with Application Control enabled.
6.1.0
Won't fix
Issue: 1208 error occurs when trying to install Solidcore.
Solution: Change the ANSI code page that you're currently using through the Windows Regional and Language options. See the Microsoft documentation for instructions for your version of Windows.
Issue: On the Windows XP platform, NTFS junction points are supported only when junctions are created for volumes and not for folders.
701065
Issue: If you're using Application Control in the Enabled mode on the Windows XP SP1 operating system, virtual memory usage increases for most processes.
Workaround: Upgrade to Windows XP Service Pack 2.
793102
Issue: DLL rebasing doesn't work when the complete path to DLL is specified.
809646
Issue: Self-Approval Pop Up might hang while running non-whitelist binaries from Desktop.
Windows 2003
Reference
Description
607361
Issue: On 64-bit systems, some Java-based applications might fail and the Event Viewer logs show that the javaw.exe process is hijacked.
Workaround: Add javaw.exe to the attributes list with the -n option:
sadmin attr add -n javaw.exe
892432
Issue: Deny-Exec and Deny-Write events are seen for .Net files via a Windows update on Windows 2003.
Workaround: Add Netfxupdate.exe as an updater by name with inheritance enabled to successfully install a Windows update for .Net.
832241
Issue: This issue is intermittent, wherein a Non-Trusted user can execute an unsolidified bat file using runas CLI on Windows 2003 (x64).
Workaround: Use the command below:
sc config wuauserv type= own
Windows 2008 R2 [64-bit]
Reference
Description
608636
Issue: During manual installation of Solidcore Agent on the Windows 2008 R2 (64-bit) platform, 'Windows installer encountered a validation error' displays for the msiexec.exe and kernelbase.dll files.
Workaround: Click Ignore once or Ignore always on the error pop-up to continue installation.
Windows 2008 [64-bit]
Reference
Description
609780
Issue: On the Windows 2008 (64-bit) platform, the rundll32.exe file crashes if an application is uninstalled with Add/Remove Programs, but was initially installed with the SetupInstallFromInfSection() function.
Windows 2008/Vista [32-bit and 64-bit], Windows XP/Windows 7/Windows 2008 R2 [64-bit]
Reference
Description
609757
Issue: In Enabled mode, if you try to access a folder with unsolidified files through File Explorer, deny-exec events are raised for the files in the folder.
Windows Vista
Reference
Description
607541
Issue: For Windows Vista and higher platforms, the Solidcore Agent configuration selects a service called Windows Modules Installer (TrustedInstaller.exe) as updater. This action is performed to allow Windows Updates to work properly. This service can both install and remove Windows components even if the pkg-ctrl feature is enabled.