Technical Articles ID:
KB76457
Last Modified: 2/10/2021
Environment
McAfee Application Control (MAC) 6.x
Summary
Recent updates to this article
Date | Update
February 11, 2021 | Added MACC-10527 under 6.4.x known issues.
December 8, 2020 | Added 6.4.12 General Availability (GA) release details. Added reference MACC-10497.
November 6, 2020 | Added 6.4.11 General Availability release details. Added reference MACC-10408 to the 6.4.x known issues section.
September 30, 2020 | Added 6.4.9 General Availability release details.
August 28, 2020 | Fixed broken release notes links.
To view all available General Availability (GA) release notes and other McAfee product documentation, go to the Enterprise Product Documentation portal at https://docs.mcafee.com.
For Release To Support (RTS) release notes, contact Technical Support.
Version | Release Date
6.4.12.125 (GA) | December 8, 2020
6.4.11.128 (GA) | November 5, 2020
6.4.9.107 (GA) | September 29, 2020
6.4.8.101 (RTS) | August 11, 2020
6.4.7.105 | July 21, 2020
6.4.5 | May 12, 2020
6.4.4 | April 14, 2020
6.4.2.206 | February 11, 2020
6.4.1.135 | December 10, 2019
6.4.0.132 | October 17, 2019
6.3.0.794 | August 13, 2019
6.3.0.724 (Linux only) | July 2, 2019
6.3.0.503 (Linux only) | April 9, 2019
6.3.0.418 (Linux only) | March 12, 2019
6.3.0.299 (Linux only) | February 12, 2019
6.3.0.242 (Linux only) | January 8, 2019
6.3.0.180 (Linux only) | November 13, 2018
6.3.0 (Linux only) | October 9, 2018
6.2.0 | April 9, 2015
6.1.7 (Linux only) | April 7, 2015
6.1.4 (Linux/UNIX only) | June 16, 2014
6.1.3 | April 16, 2014
6.1.2 | December 24, 2013
6.1.1 | August 30, 2013
6.1.0 | February 12, 2013
Issue resolutions in updates and major releases are cumulative; Technical Support recommends that you install the latest version. To find the most recent release for your product, visit the Product Downloads site at https://www.mcafee.com/enterprise/en-us/downloads/my-products.html.
Critical: There are currently no known critical issues.
Non-critical:
Linux:
Reference
Related Article
Found in Version
Resolved in Version
Description
MACC-10527
6.4.12
6.4.13
Issue: After reboot, the SCSRVC service authentication fails to initialize. Workaround: [Non Windows] SCSRVC doesn't start on reboot of system, but does after running SCSRVC -d.
MACC-10497
6.4.12
Issue: On the XFS file system, the MACC inventory is intermittently not updated when you rename unsolidified files in Update mode and via the updater process.
Workaround:
In the Standalone deployment, run sadmin check -r or sadmin so <file path>
In ePO managed, run check -r or so <file path> from the SC: Run Command client task.
Issue: MVEDR collectors are blocked from running on Linux with McAfee Application Control enabled.
Workaround: Configure /opt/McAfee/mvedr/mfemvedr as an updater under Application Control Rules (Unix).
MACC-9369
6.4.x
Issue: Monitoring rules do not work unless a change control rule is in place.
Workaround:
Create a dummy change control (write-protect) rule and apply it to the system.
MACC-9633
6.4.2-206
6.4.3-109
Issue: When SC: Enable client task is executed after Application Control for Linux is upgraded from version 6.2.0-463 to 6.4.2-206, Application Control changes to Update mode instead of Enable mode.
MACC-8763
6.4.2-206
6.4.3-109
Issue: When the Disable Task command is executed from ePO, inconsistency is observed in the Solidcore Client Task Log.
MACC-8764
6.4.2-206
6.4.3-109
Issue: When the Enable Task command is executed from ePO, inconsistency is observed in the Solidcore Client Task Log.
MACC-8888
6.4.2-206
6.4.3-109
Issue: When Enable Task is executed from ePO, inconsistency is observed in the Solidcore Client Task Log.
MACC-8889
6.4.2-206
6.4.3-109
Issue: When Disable is executed in the Update Mode, Solidcore Client task events are not displayed.
1260084
6.3.0-180
-
Issue: When MACC 6.3.0.180 is installed in the standalone mode in CentOS 7, it displays an error message.
1263554
6.3.0-242
-
Issue: A bash script can be solidified even when the script auth feature is disabled.
MACC-7307
6.3.0-794
-
Issue: Sanity validation fails with an error message. Also, the product can't be enabled when the redirfs module is installed on a system.
MACC-7216
6.3.0-794
6.4.3-109
Issue: You are unable to create a user when MACC is in the Update Mode on RHEL8 with SSSD version 2.0.0-43 installed.
Issue: Removal of MACC for Linux 6.3.0.794 after you upgrade from 6.3.0.724 in LEL5 32 bits, LEL6 32 bits, and LSES11 32 bits fails. Workaround: To perform the removal in this case, you must uninstall the previous version. If you are updating from 6.3.0.724 to 6.3.0.794, the workaround to uninstall the product is:
Run "/opt/bitrock/solidcoreS3-6.3.0-724/helperBinaryUninstall"
Run "rpm -e solidcoreS3-6.3.0-794.i386 --noscripts"
Run "rpm -e solidcoreS3-kmod-6.3.0-794.i386 --noscripts"
Issue: Upgrade to 6.3.0-794 from 6.3.0-724 in LEL5 32 bits, LEL6 32 bits, and LSES11 32 bits leaves system Disabled and Unsolidified. Workaround: Add a license, solidify if MAC, and enable.
MACC-8248
6.4.0.132
-
Issue: The FILE_UNSOLIDIFIED event is not generated for checksum as updater rule in LEL7.
MACC-8331
6.4.0.132
6.4.2-206
Issue: [Exploratory] The sadmin help auth information does not describe how to run the remove option.
MACC-8334
6.4.0.132
6.4.1.135
Issue: [Security] Blackduck scan: Operational risk factor for OpenSSL.
MACC-8346
6.4.0.132
6.4.1.135
Issue: [Interop] After you upgrade Endpoint Security for Linux from version 10.6.5 to 10.6.6 on SUSE12 MACC, BVT execution hangs. Workaround: Add the following ProcPassThruList items to solidcore.conf:
/opt/McAfee/ens/tp/bin/mfetpd
/opt/McAfee/ens/tp/bin/mfetpcli
/opt/McAfee/ens/esp/bin/mfeespd
/opt/McAfee/ens/fw/bin/mfefwd
/opt/McAfee/ens/fw/bin/mfefwcli
MACC-8355
6.4.0.132
6.4.1.135
Issue: The scsrvc crashes when flushing auth cache (SIGSEGV).
MACC-8643
6.4.1.135
6.4.2-206
Issue: Default configuration change is needed to generate Core dump info during kernel panic on Red Hat 8.
Critical: There are currently no known critical issues.
Non-critical:
Linux:
Reference
Related Article
Found in Version
Resolved in Version
Description
1255502
6.3.0-134
6.3.0-242
Issue: After you run load.java tool, the "/home" file system becomes "Untrusted". Workaround: Restart the Solidcore service.
1260084
6.3.0-180
6.3.0-242
Issue: An error message is encountered when you install MACC 6.3.0.180 in standalone mode in a CentOS 7 environment.
1261348
6.3.0-180
Issue: Execution denied events for a script are duplicated on solidcore.log.
1263206
6.3.0-242
6.3.0-299
Issue: After you upgrade from 6.3.0-180, a permission denied message is shown for /usr/bin/xauth. Workaround:
Edit the /etc/mcafee/solidcore/solidcore.conf file, set RTEModeOnReboot = 0x0, and reboot the system.
After restart, run the command sadmin check -r or sadmin so.
After check or so finishes, run sadmin enable and restart the service.
1263207
6.3.0-242
Issue: After you upgrade from 6.3.0-180, ssh service can't be restarted. Workaround:
Edit the /etc/mcafee/solidcore/solidcore.conf file, set RTEModeOnReboot = 0x0, and reboot the system.
After restart, run the command sadmin check -r or sadmin so.
After check or so finishes, run sadmin enable and restart the service.
1263208
6.3.0-242
6.3.0-299
Issue: After you upgrade from 6.3.0-180, sadmin check fails on LUBT12 (AMD64 and x86). Workaround:
Edit the /etc/mcafee/solidcore/solidcore.conf file, set RTEModeOnReboot = 0x0, and reboot the system.
After restart, run the command sadmin check -r or sadmin so.
After check or so finishes, run sadmin enable and restart the service.
1263552
6.3.0-242
Issue: Error in locking authority file in Ubuntu 16.
1263553
6.3.0-242
Issue: [Exploratory] Warning message shown when you successfully remove attr rule.
1263554
6.3.0-242
Will not fix
Issue: [Exploratory] After you disable the script-auth feature, the scripts are still solidifiable.
1263555
6.3.0-242
6.3.0-418
Issue: [Exploratory] Dash interpreter from Ubuntu is not included on the scripts default list.
1265307
6.3.0-299
6.3.0-418
Issue: Kernel loops in LUBT 14 kernel 4.2.
1265315
6.3.0-299
Issue: Partition /boot is not solidified after you enable with a MACC license from ePO on some Ubuntu 14.04 endpoints.
1265382
6.3.0-299
Issue: MACC LNX in OL7 remains disabled.
1266298
6.3.0-299
Issue: [Exploratory] Write denied observations are not generated when you delete a solidified file in Observe Mode.
1266299
6.3.0-299
Issue: [Exploratory] Log errors in Observe Mode for write denied events.
1266502
6.3.0-299
Issue: Bad behavior in enablement from ePO in Oracle 7.
1268052
6.3.0-418
Issue: No message is shown on the command line when scsrvc service restarts in Ubuntu 16.
1268065
6.3.0-418
Issue: The sadmin check command fails after you remove an interpreter and extension from script auth list in Ubuntu 12.
1269359
6.3.0-503
Issue: Warning message logged in /tmp/solidcoreS3_uninstall.log after solidcore removal.
1269365
6.3.0-503
6.3.0-724
Issue: The Dpkg preinstallation script logs an error after installation with build 6.3.0-503.
1273558
6.3.0-607
Issue: When build target tool fails, some files are not removed from the system. Workaround: Remove the files manually.
1273659
6.3.0-671
Issue: XFS with kernel 4.10 and above is not supported.
Workaround: Technical Support does not recommend that you use MACC 6.3.0 on Red Hat Enterprise Linux Server 8 systems if you have kernel version 4.18 or later and XFS. The recommended file system to use is EXT4. See KB73341 for supported EXT versions.
For systems that experience this issue with:
SUSE Enterprise Linux Server 12 or SUSE Enterprise Linux Desktop 12 with kernel 4.10 or later installed
And
MACC with XFS in Update mode in use
Then:
Restart the system with a kernel version lower than 4.10 (see KB90947 for supported kernel versions).
Once the system starts, leave update mode. Execute sadmin eu.
Restart system again with kernel version higher than 4.10.
1274416
6.3.0-702
Issue: "orig_user_name" is not correctly reported in events.
MACC-6863
6.3.0-724
Issue: Build target fails to build kernel module in RHEL8.
MACC-7077
6.3.0-724
6.4.1.135
Issue: Self-Kernel support tool does not work for OL7 UEKR5 unsupported UEK kernel.
Issue: User can't be created when MACC is in update mode on RHEL8 with SSSD version 2.0.0-43 installed.
MACC-7240
6.3.0-794
6.4.1.135
Issue: After you upgrade from MACC for Linux 6.3.0-724 to 6.3.0-794, the uninstall of 6.3.0-794 fails in LEL6 32-bit.
Workaround: Perform the following steps:
Run "/opt/bitrock/solidcoreS3-6.3.0-724/helperBinaryUninstall"
Run "rpm -e solidcoreS3-6.3.0-794.i386 --noscripts"
Run "rpm -e solidcoreS3-kmod-6.3.0-794.i386 --noscripts"
Critical: There are currently no known critical issues.
Non-critical:
Solidcore Extension:
Reference
Related Article
Found in Version
Resolved in Version
Description
608618
Issue: When you try to upload the Windows Solidcore Agent Deployment Package (~100 MB) to ePO through Microsoft Internet Explorer, the file upload times out if the network upload speed is slow. Workaround: If an error displays in Internet Explorer 6, use Internet Explorer 7 (or later). If the error occurs in Internet Explorer 7 or later, copy the package to a local directory on the ePO server. Access the ePO console on the ePO server and upload the file from the local path. This approach avoids possible network delays.
607452
Issue: ePO 4.6 reports and dashboard entries are not removed after the Solidcore Extension is uninstalled. Workaround: If you uninstall and reinstall the Solidcore Extension, remove the reports and dashboards manually after you uninstall, and before you reinstall.
607517
Issue: PDF reports have minor data display and formatting issues if more than 50,000 records are reported.
608347
Issue: The Solidcore Policy Assignments By System report displays all policies derived from the root, irrespective of the SKUs enabled on the platform.
609304
Issue: It is not possible to export data from the Reporting, Solidcore Events page. Workaround: Use Queries (Reporting, Queries) to export event data.
636769
Issue: If you upgrade from ePO 5.1.0 to 5.1.1 (or later), existing Solidcore events in the Solidcore Events table are not migrated to the ePO Events table.
636352
Issue: After you remove the Solidcore Extension, all Solidcore-related events are retained in the ePO table. When you view the events in the Threat Event Log, some fields might display garbage data.
607554
Issue: Solidcore policies can't be duplicated with the Policy Details page because the OK button is disabled. Workaround: Use the Policy Catalog page to duplicate policies.
643854
Issue: When you use the Guided Configuration page on the ePO 4.6 console, the Save Policy button is not enabled when changes are made to Solidcore Policies. Workaround: Edit the policy with the Policy Catalog without Guided Configuration.
608374
Issue: When you try to enable an already enabled Solidcore Agent, the error displayed is not translated.
607908
Issue: It is not possible to export more than 50,000 records from any table or report.
608025
Issue: Reports, tasks, and policies for all SKUs are listed even if the license for that SKU is not added.
609911
Issue: Export of rule groups does not work in Internet Explorer when opened from the ePO server. Workaround: Use Internet Explorer from a different computer and export rule groups.
610303
Issue: The Server Task pages in ePO might not work properly if you use Mozilla Firefox version 3.0. Workaround: If you encounter issues, Technical Support recommends that you use Mozilla Firefox version 3.6 (or later) or Internet Explorer 6.0 (or later).
608753
Issue: Sometimes, using the user name field of reported events in ePO as a trusted user might not work if the client system is part of an Active Directory (AD) domain. This issue occurs because the domain name reported in the events is not the full AD domain. Workaround: Use the environment variable USERDNSDOMAIN of the AD client as the domain name. Or, review the properties of the My Computer icon and identify the complete user name to specify as the trusted user.
609220
Issue: Save of an Application Control policy that is a copy of the McAfee Default policy is slow. Workaround: Because Application Control policies are multi-slot policies, Technical Support recommends that you create a new blank policy and add new rules to it. Follow this method rather than copying and changing the McAfee Default policy.
656518
Issue: If you install Solidcore Extension 5.1.2 on an existing ePO 4.5 system and then upgrade to ePO version 4.6 FIPS mode, the event parser stops working. Workaround: Run the following command and upgrade the required DLL: https://<ePO_IP_address:port>/remote/scor.upgradeEventParser.do
607950
Issue: User-defined system variables in policies are resolved at the endpoint only after the endpoint is restarted.
707486
Issue: When you use the ePO 4.6 console, quick navigation through the Events and Inventory pages logs off the user.
714176
Issue: With ePO 4.6 Update 1 or 2, if you add multiple commands to a Run Commands client task while you create the task, you can't later remove the commands from the saved client task.
719796
Issue: Global catalog search for Active Directory (AD) groups is not supported. Workaround: Search for a group in a specific AD server instead of using the Global Catalog.
To add a specific group:
Log on to the ePO 4.x console.
Add the AD server with the group as a Registered Server.
Search for the group. Select the registered AD server. Make sure that the option Use Global Catalog is deselected.
Add the group to a policy as a trusted group.
722045
Issue: Adding new columns, such as Solidcore Status and Solidification Status, for an endpoint by clicking Actions, Choose columns, noncompliant Solidcore Agent might not display values for all endpoints. This issue occurs because the noncompliant Solidcore Agent section includes only noncompliant agent properties. Workaround: When you add new columns for an endpoint: Click Actions, Choose columns, Solidcore Client Properties instead of Actions, Choose columns, noncompliant Solidcore Agent.
812003
Issue: The Self-Approval page displays a link for .MSI based applications, which displays an empty list when you drill down.
890978
Issue: The GTI cloud server entry is not removed from ePO after the Solidcore Extension is uninstalled.
926122
Issue: File Deviation details are missing in an exported file from the Image Deviation page.
950063
Issue: A few strings are not properly localized in languages other than English.
1033281
Issue: Upgrade to Solidcore Extension 6.2.0 might fail immediately after extension restart while you perform an upgrade from a version older than 6.1.2.
985336
Issue: The event pages in ePO might not work properly if you use Mozilla Firefox version 3.5. Workaround: If you encounter issues, Technical Support recommends that you use Mozilla Firefox version 3.6 (or later) or Internet Explorer 6.0 (or later).
939528
Issue: Systems with a large inventory fail to send inventory data to the ePO server and a corresponding log entry is made in the Server Task Log after 6 hours.
987715
Issue: For the Application Control Options (Windows) policy, an import of a policy from Extensions earlier than 6.2.0 causes the Inventory AEF tab to populate with its default value. Default values are not saved in the policy until you make some change and save the policy.
1043052
Issue: You can't upgrade Solidcore help extension from previous versions to 6.2. Workaround: Uninstall the old help extension and install the new one.
1050955
Issue: With ePO 5.x, GTI communication with Kerberos authentication fails when you use a proxy server.
Issue: An upgrade of the extension for Application Control 6.2.0 and later takes a long time to complete. Solution: See KB on how to troubleshoot issue.
Issue: Application Control denies the execution of .zip files when run in context of Java process such as java.exe or javaw.exe. Workaround: See the related article for details.
801531
Issue: If Driver Verifier (verifier.exe) is enabled, MACC might not function as expected.
608418
Issue: The Original Username reported in events is the same as the Username.
600805
Issue: While you open a write-protected network share in Windows File Explorer, a few deny-write errors are observed.
603747
Issue: The trusted, solidified, and write-protect features do not work correctly for folder-mounted volumes. Workaround: Contact Technical Support for assistance if the setup uses folder-mounted volumes.
608036
Issue: Mapped drive names can't be used in commands issued by remote users/ePO.
Issue: Unsolidified scripts can't be copied with the MS-DOS command prompt on a solidified system. Any read access to unsolidified scripts by a script interpreter configured for that script is denied. It also generates unauthorized execution events. Such problems can be avoided when you perform the file operation with Windows Explorer.
608647
Issue: On 64-bit systems, multiple events might be generated when an unauthorized binary file is executed. The events are generated because the Windows operating system tries to run the binary multiple times using a reduced set of attributes until final failure.
608745
Issue: Files that the user read-protects (with the sadmin read-protect command) can't be solidified.
643688
Issue: If you try an ActiveX installation before you enable the ActiveX feature, and retry the installation after you enable the ActiveX feature, ActiveX might not install properly. Workaround: If the ActiveX installation fails, delete all files in the <system drive>\windows\downloaded program files directory on the endpoint, and remove all .cab files in the temporary internet files. Then, install the ActiveX control on the endpoint.
616147
Issue: For standalone Solidcore Agent installation on endpoints where Oracle is installed, you must run finetune.bat manually at the endpoints to apply Oracle-specific rules. (A standalone Solidcore Agent installation means one not done via ePO.)
599348
Issue: On viewing the properties of a file on the local drive, deny-write and deny-exec events are generated for the solidified and unsolidified files, respectively.
601126
Issue: When you copy solidified files to a rewritable CD, although the files are copied successfully, deny-write errors are logged.
601427
Issue: On 64-bit platforms, Enum or Performance in sub keys is bypassed from Solidcore Agent protection. Thus, when you delete a write-protected registry key with Enum or Performance in sub keys, you might get a partial completion status.
616089
Issue: In the output of the sadmin diag command on the Spanish locale, read 'actualizadores agregar' as 'updaters add'.
For example, the following output:
Issue: Multiple deny write events might be generated for a single deny write action. For example, on deletion of a file with Windows Explorer, up to 8 file deletion events are reported. When the application denies deletion of a file, Windows Explorer tries multiple methods to delete the file, which results in an event for each attempt.
695246
Issue: Although the Solidcore NX protection is based on system DEP, it is possible that some applications work with system DEP but not with Solidcore NX. In such cases, if processes are added to the Solidcore NX bypass list, the system DEP protection is enabled for the processes.
720663
Issue: Editing the Updater Label for an existing trusted publisher in an Application Control policy fails. Although the label changes in the ePO console, the change is not reflected on the endpoints.
713989
Issue: If Application Control and Spector are installed on an endpoint and MP-CASP is enabled, Internet Explorer crashes.
652602
Issue: If you disable the deny-exec-exes feature on any Windows (64-bit) operating system, change the extension of an exe to .sys, and try to run the .sys file, execution of the .sys file is prevented. If you change the file extension to dll, you can run the file even if the deny-exec-dlls feature is enabled.
607574
Issue: When you open a network share (for systems running Windows Vista, Windows 7, and Windows 2008), deny-write and deny-exec events are generated for the binary files present on the network share. These events are generated because Windows Explorer tries to fetch the icons for the files stored on the network share.
768708
Issue: You are unable to set the flag fs-passthru 'p' and the flag vasr forced reloc 'v' together with the extra information flag 'o' in the attr command.
770362
Issue: You are unable to set more than one dll to bypass from VASR forced reloc.
794445
Issue: Solidified batch files, when copied using another batch file, fail.
803731
Issue: With network tracking disabled, Self-Approval function does not work for network shares.
803948
Issue: Deny-Exec on a Script file is reported if Network tracking is disabled on a 64-bit architecture.
808857
Issue: A Self-Approval pop-up displays if a file is opened with the execute flag even if the file is not executed.
808964
Issue: An Auth rule for a process making file changes is not added correctly if allowed through Self-Approval.
812964
Issue: If you remove the Updater flag for a certificate rule, the certificate is still listed as an Updater on the endpoint.
816108
Issue: A file, authorized by checksum, is denied for execution when run from a network share.
810072
Issue: While you run a 16-bit executable with Self-Approval enabled, the file type is listed as script.
819876
Issue: A process that does not work as an Updater is configured as an Updater through auth by checksum. Workaround: Configure the process as an Updater by name.
888634
Issue: An unclean removal of Adobe Flash Player occurs when pkg-ctrl-allow-uninstall is enabled. Workaround: sadmin Updaters add "C:\WINDOWS\system32\Macromed\Flash\FlashUtil32_11_6_602_180_ActiveX.exe".
888632
Issue: A repair of .NET 3.5 fails. Workaround: Add the below Updater rules:
Issue: You are unable to install Visual Studio 2010 Ultimate via Updater. Workaround: See the related article for details.
887965
Issue: Uninstallation of applications is not blocked even if the pkg-ctrl-allow-uninstallation feature is disabled. Workaround: Run the sadmin clg command after each installation of an application to block the removal. This command removes all cached GUIDs from the system.
888878
Issue: Multiple package control prevention events are seen while you uninstall and repair Visual Studio 2010. Workaround: Add "<install-dir>\Microsoft SDKs\Windows\v7.0A\Bin" to the trusted path: sadmin trusted -u "<install-dir>\Microsoft SDKs\Windows\v7.0A\Bin".
884396
Issue: You are unable to install Adobe Flash Player 11 when the pkg-ctrl-bypass feature is enabled. Workaround: Run sadmin updaters add InstallAX_11_6_602_180.exe.
883381
Issue: Self-Approval pop-ups for a user session are displayed on a console session instead of a user session. Workaround: Run the following Solidcore commands from the command line:
Issue: McAfee Solidifier upgrade from 6.1.1 to 6.1.2 fails in Observe mode. Workaround: See the related article for details.
910080
Issue: With Package Control, if an application has ctor.dll in its uninstall string, another application that uses ctor.dll is not installed when pkg-ctrl-allow-uninstall is disabled. Workaround: As a workaround for mode 1 of package control, the user can make the ctor.dll an Updater using the complete path (for example, C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\ctor.dll). For Package Control modes, see the Application and Change Control 6.1.1 Addendum.
916640
Issue: Deny Execution is not skipped for a drive after you remove the skiplist -v flag without a reboot. Workaround: A reboot is required to make it work.
Issue: Package Control uninstallation of an application fails when you use Add/Remove Programs if an application is installed for a particular user. Workaround: See the related article for details.
901147
Issue: Installer (Auto-IT), first shown as script type, shows as pe32-exe after it's copied to some other location.
911678
Issue: Package Control is unable to repair Visual Studio 2010 Ultimate if installed in Update mode.
903914
Issue: File Write Denied events are seen when some exe, selected as an Updater, are run by double-clicking them.
Issue: The upgrade version is not updated on the ePO server and the McTray About box after an endpoint upgrade. Workaround: See the related article for details.
940286
Issue: A Pkg-modification-prevented event is raised during a MAC upgrade.
948349
Issue: Multiple deny-write events for a Self-Approval pop-up for putty.exe are recorded when execution is done after you download the file from the internet.
Issue: Application Control inventory generation can take longer than 24 hours to resume after reaching the throttling threshold limit. Workaround: See the related article for details.
Issue: You are unable to apply an Application Control policy with a trusted path that contains an environment variable. Workaround: See the related article for details.
1045414
Issue: In the system Event Viewer logs, a "Microsoft-Windows-Kernel-General" error message is logged while writing to the registry during start.
Issue: McAfee has identified an incompatibility between MACC and McAfee products that use SysCore 15.4.0.622.9 or later. Solution: See KB for versions with Conflict.
Issue: The Windows kernel paged pool is consumed by a growing inventory file size and, when the kernel paged pool is depleted, one of the following issues is observed:
System crash
System hangs
Application failure
Low memory condition
NOTE: These issues occur on 32-bit systems where kernel pool resources are scarce and might run out quickly.
Solution:
As mentioned above, this issue can occur when many files are added to the inventory. To resolve the issue:
In Disable mode, delete the file <drive>\solidcore\scinv from all drives.
Resolidify the system:
For standalone deployments, start Solidification and switch to Observe mode or Enable mode.
For ePO managed deployments, run the SC: Enable task.
Issue: Modification of the edb.log file results in the following being recorded in the s3diag.log file and the Solidcore.log file Solution: MACC is working as intended and this behavior is considered to be normal. Workaround:
The following workaround is provided to help with allow listing the edb.log file and stop the events from being generated:
Log on to the ePO Console.
Open an existing Solidcore Rule Group or create a rule group specifically for Application Control.
Edit the existing or new rule group.
Select the Exclusions tab and click Add.
Expand Advanced options.
Enable Exclude local path and all its contained files and subdirectories from the allow list.
Enter "C:\Windows\security\database\edb.log" for the path.
Save the rule group.
Perform a Wake Up Call to all agents and push the new rule to clients.
Issue: The following error appears in the Orion.log file when you try to purge Application and Change Control events from the ePO database:
The DELETE statement conflicted with the REFERENCE constraint "SCOR_EVENTS_EPO_EVENTS".
The conflict occurred in database "", table "dbo.SCOR_EVENTS", column 'EPO_EVENT_AUTO_ID'.
Solution:
Drop the constraint and re-create the constrained AUTO_IDs. Run the following command against the ePO database:
alter table [dbo].[SCOR_EVENTS] drop constraint SCOR_EVENTS_EPO_EVENTS;
alter table [dbo].[SCOR_EVENTS] add constraint SCOR_EVENTS_EPO_EVENTS
foreign key (EPO_EVENT_AUTO_ID) references [dbo].[EpoEvents] ON DELETE
CASCADE ON UPDATE CASCADE;
Issue: Users are duplicated in client policy when synchronizing the Trusted Users group in ePO with Active Directory. Solution: There is no issue as this behavior is by design. MACC supports legacy operating systems and is required to pull both Netbios\user and UPN\SAM accounts.
Issue: Server task "Solidcore: Send Policy and Inventory Feedback to McAfee GTI Server" runs indefinitely. Workaround:
The purpose of the Solidcore: Send Policy and Inventory Feedback to McAfee GTI Server task is to improve the product and is not a function of the product. If you disable this feature, it does not affect the functionality of MACC. Inventory feedback data is not being used for analytics, which means that you can safely disable this feature on the extension side. When the data is used and the back-end processing issues are fixed, re-enable this feature.
Steps to disable the Solidcore: Send Policy and Inventory Feedback to McAfee GTI Server task:
Go to https://<ePO-IP>/remote/core.reload-plugin.do?name=SOLIDCORE_META.
Go to Server Tasks, Solidcore: Send Policy and Inventory Feedback to McAfee GTI Server.
Click Edit, and then select the Actions tab.
Deselect the option Inventory: Sends detailed information for files, such as SHA-1, base name, embedded application name, and embedded application version.
Click Save.
Go to Server Tasks and run Solidcore: Send Policy and Inventory Feedback to McAfee GTI Server task.
Verify whether the issue is resolved.
NOTE: The hung task is logged in the server task log as progress(0%), which indicates that the task is not running. A cleanup of the string from the user interface is required, but functionality is not affected.
Issue: Could not validate file name OR file name is invalid (file operations in Application and Change Control fail if the file path length exceeds 256 characters.) Solution: Fixed in newer builds Workaround:
For standalone deployments, run the following command from the CLI:
sadmin features disable network-tracking
For ePO managed deployments, create a run command client task with the argument features disable network-tracking and push the task to clients.
Issue: You might observe the following issues with a Distributed File System (DFS) network share that is accessing files from a system with Application Control enabled. Solution: Fixed in 6.2.0.507.
Issue: High event flow in the SCOR_FD_Data_Channel temporary table causes a deadlock. As a result, events stack up. Workaround: See the KB for a workaround.
Issue: Self-Approval Client pop-up text field limitations within Application Control Solution:
The Self-Approval Client pop-up text field has a maximum character limitation of 296 characters. The text field for Self-Approval within ePO has a maximum character limitation of 300 characters. Because of the fixed nature of the text field, scrolling of text within the pop-up field on the client is not allowed.
Issue: Stale records appear on the Inventory page when a Purge System Inventory task is run immediately after a client has been removed from ePolicy Orchestrator Solution: See the KB for the solution to delete queries against the DB.
Issue: System slows or stops responding while accessing files over the network Solution:
Standalone:
Recover the Solidifier command line interface (CLI).
Run the command:
If 8.2.1.114 or earlier: sadmin config set SrvThreadBypassConfig=1
If 8.2.143 or later: sadmin config set RemoteFileModificationBypassConfig=1
ePO managed:
Create a run command client task with the argument:
If 8.2.1.114 or earlier: sadmin config set SrvThreadBypassConfig=1
If 8.2.143 or later: sadmin config set RemoteFileModificationBypassConfig=1
Push the task to one or more clients.
All Versions
Issue: High CPU usage occurs in MASVC.EXE with Solidcore installed, despite Solidcore being correctly added to the virus scanner exclusions list. Solution: Update McAfee Agent to version 5.0.5
Issue: Installation of plan failed. FatalIOException: Unable to create file (vSphere fails to load when Application Control is installed)
Solution:
To resolve this issue, upgrade to Application and Change Control 7.0 and configure the following sadmin feature to prevent long path lengths from being incorrectly blocked.
Open a MAC command-line session and type sadmin recover and press Enter.
Type the ePolicy Orchestrator (ePO) password to recover the Solidcore command-line session.
Type sadmin config set SkipValidateFileLength=1 and press Enter.
Put the system back into lockdown mode to continue being managed by ePO:
Type sadmin lockdown and press Enter.
IMPORTANT: If you do not lock down the Solidcore command-line, ePO is not able to manage Solidcore.
You can also perform the following steps through ePO to push this change out to several systems at once.
Open the ePO manager.
Create a Client task.
Select the Solidcore Command-line task.
Paste the following command into the task: sadmin config set SkipValidateFileLength=1
Issue: ERROR: fshooks.c : 687: Could not validate file name OR file name is invalid: (DFS replication fails with Application and Change Control installed) Solution:
To resolve this issue, upgrade to Application and Change Control 7.0 and configure the following sadmin feature to prevent long path lengths from being incorrectly blocked.
Open a Solidcore command-line session and type sadmin recover and press Enter.
Type the ePolicy Orchestrator password to recover the Solidcore command-line session.
Type sadmin config set SkipValidateFileLength=1 and press Enter.
Put the system back into lockdown mode to continue being managed by ePolicy Orchestrator: Type sadmin lockdown and press Enter.
IMPORTANT: If you do not lock down the Solidcore command-line, ePolicy Orchestrator is not able to manage Solidcore.
You can also perform the same steps through ePolicy Orchestrator to push this change out to several systems at once.
Open the ePO manager.
Create a Client task.
Select the Solidcore Command-line task.
Paste the following command into the task: sadmin config set SkipValidateFileLength=1
Issue: Performance issues on Application Control endpoints when Global Threat Intelligence and Threat Intelligence Exchange communication fails Solution: Turn off reputation checking of binaries using the TIE server or GTI service if the errors described in this article are frequently logged in the Solidcore.log. By default, a policy to enable reputation-based execution is applied to all endpoints running the Solidcore client. The settings in the policy indicate how endpoints communicate with the configured reputation sources.
All Versions
Issue: deny_reason="File-cksum-mismatch" (generated when executables are configured as updaters in Application Control)
Workaround:
Verify InvMergeTimeout in the registry (Swin\parameters), or by running the command sadmin config show | findstr -i InvMergeTimeout from a command prompt or ePO run command.
NOTE: If it is anything other than 1800, reset to Default by running the command sadmin config set InvMergeTimeout=1800 from a command prompt or ePO run command.
Run check -r from an ePO run command or Solidcore CLI.
Attempt to reproduce the issue.
If the issue still exists, use the ePO run command or Solidcore CLI and resolidify the drive:
Put the client in Update mode or Disable mode. NOTE: Disable requires you to restart the client.
Run the clean solidification command: sadmin clean <driveletter>
NOTE: This command only works if you place MACC in Disable mode. This step can be skipped if you put MACC into Update mode.
Issue: Third-party services that use Java might not start properly after enabling Application Control and Change Control Solution: To resolve this issue, Technical Support recommends that you modify the Java memory space for the third-party application (JvmMs and JvmMx values) to use less than the maximum values. This change usually allows the services for the application to start properly.
Issue: Installer Detection bypass option is Deprecated for endpoints running version 6.1.1 and later (Package Control in relation to the architecture rules for the attr -i command)
Solution: See KB for solution.
Issue: Application Control and Change Control might not switch the protection mode with Windows FBWF installed Solution: Run the following command to add the config folder as an FBWF exclusion:
Issue: System hangs while shutting down when Application Control is enabled Solution: The issue does not occur if you bypass searchprotocolhost.exe from MAC's memory-protection feature.
For ePO managed deployments, make sure that default list under Solidcore Rules in the ePO console is imported to the policy and applied to the systems.
For standalone deployments, add the following rules using the MAC command line:
Issue: Installation or upgrade of SCCM client might fail with Application Control enabled Solution: Make sure that you have the default MAC rules for SCCM and SMS applied.
Issue: Uninstallation of applications fails and causes your client to stop responding when Symantec Endpoint Protection 12.1 is installed alongside Application Control.
Issue: Installer Detection bypass option is Deprecated for endpoints running version 6.1.1 and later (Package Control in relation to the architecture rules for the attr -i command).
Issue: On the Windows XP platform, NTFS junction points are supported only when junctions are created for volumes and not for folders.
701065
Issue: If you are using Application Control in the Enable mode on the Windows XP SP1 operating system, virtual memory use increases for most processes. Workaround: Upgrade to Windows XP Service Pack 2.
793102
Issue: DLL rebasing does not work when a complete path to the DLL is specified.
809646
Issue: A Self-Approval pop-up might hang while running non-whitelist binaries from the Desktop.
Windows 2003
Microsoft ended extended support for Windows Server 2003 SP2 on July 14, 2015. As of the end of 2015, the only McAfee product supported with Windows Server 2003 SP2 is Application and Change Control.
Reference
Related Article
Found in Version
Resolved in Version
Description
607361
Issue: On 64-bit systems, some Java-based applications might fail and the Event Viewer logs show that the javaw.exe process was hijacked. Workaround: Add javaw.exe to the attributes list with the -n option:
sadmin attr add -n javaw.exe
832241
Issue: A Non-Trusted user can execute an unsolidified bat file using runas CLI on Windows 2003 (x64). The issue is intermittent. Workaround: Use the following command:
Windows 2000 could not start because the following file is missing or corrupt:
\WINNT\SYSTEM32\CONFIG\SYSTEM.ced startup options for Windows 2000, Press F8
On system boot, the screen shows:
Windows 2000 could not start because the following file is missing or corrupt: \WINNT\System32\Drivers\Ntfs.sys
The system boots successfully but the Solidcore driver “swin.sys” is not loaded. A quick way to check for this issue is the output of the “sadmin status” command. If the Solidcore driver is not loaded, with Solidcore Enabled, it shows the driver status as Unattached for the system volume.
Cause: This issue is not an Application Control/Change Control issue but a limitation on the size of the "system hive" in Windows. The system hive is limited to about 10.3 megabytes (MB) in size in Windows 2000 Server. This is because the system hive and the Windows kernel files must fit below 16 MB when Windows starts. If the system hive is close to its limit, installation of MAC/MCC or any other product that starts at system boot can cause this behavior.
Solution: Apply the suggestions described in the Microsoft article: System might not start when creating many logical units and volumes http://support.microsoft.com/kb/277222.
Windows 2008 R2 (64-bit)
Reference
Description
608636
Issue: During manual installation of Solidcore Agent on the Windows 2008 R2 (64-bit) platform, you see that Windows installer encountered a validation error for the msiexec.exe and kernelbase.dll files. Workaround: Click Ignore once or Ignore always on the error pop-up to continue installation.
Windows 2008 (64-bit)
Reference
Description
609780
Issue: On the Windows 2008 (64-bit) platform, the rundll32.exe file crashes if an application is uninstalled with Add/Remove Programs but the SetupInstallFromInfSection() function was initially used to install the application.
Windows 2008/Vista (32-bit and 64-bit), Windows XP/Windows 7/Windows 2008 R2 (64-bit)
Reference
Description
609757
Issue: In Enable mode, if you try to access a folder with unsolidified files through File Explorer, deny-exec events are raised for the files in the folder.
Windows Vista
Reference
Description
607541
Issue: For Windows Vista and later platforms, the Solidcore Agent configuration selects a service called Windows Modules Installer (TrustedInstaller.exe) as an Updater. It is selected as such to allow Windows Update to work properly. This service can both install and remove Windows components even if the pkg-ctrl feature is enabled.
Linux
Reference
Article
Found in Version
Resolved in Version
Description
1253820
6.2.0-463
Issue: MACC 6.2.0-463 does not communicate with MA 5.6.0.
1253953
6.2.0-463
Issue: Inventory is not successfully fetched on CentOS 5 x64 endpoint.
1249593
6.2.0-419
6.2.0-463
Issue: "/home" partition labeled as Untrusted after fresh install in CentOS 7 Workaround: This issue only happens when a partition does not contain binary files or script files to solidify. If any script file or binary file is added later on that partition, you must run "service scsrvc restart" or "reboot" to completely enable your system.
1249280
6.2.0-419
6.2.0-463
Issue: After installing MACC and enabling it in standalone mode, status is Solidified - Untrusted CentOS5 Kernel 2.6.18-430.el5 Workaround:
To work around this issue, reboot the system. To avoid rebooting the system, run the following commands:
sadmin disable
service scsrvc restart
sadmin enable
1247986
6.2.0-419
6.2.0-463
Issue: The file system status displays as Solidified - Untrusted after installing MACC 6.2.0-419 (standalone mode) with the MACC-Unlimited license and solidifying the system.
1243884
6.2.0-347
Issue: Gnome UI not responding on CentOS 7 after installing solidcore
Workaround: Add Gnome shell process as updater.
1243879
6.2.0-347
Issue: On Ubuntu endpoints, the file events expected for some tests are not the ones generated.
1243874
6.2.0-347
Issue: Events are not generated on RHEL 6 endpoint with solidcore installed and enabled.
1243872
6.2.0-347
Issue: Some endpoints are in Disabled* after installation from ePO.
1240825
6.2.0-347
Issue: Java file is executed without getting blocked.
1243019
6.2.0-337
Issue: Wrong transition from update mode to Disabled* (Global Pass-through)
1238936
6.2.0-236
6.2.0-347
Issue: Bad behavior with write-protected files in observe mode.
1239252
6.2.0-236
Issue: In SUSE 11 x86, "touch" binary as updater is not working properly.
1238336
6.2.0-236
Issue: "No such a process" message shown when trying to restart scsrvc service.
1236431
6.2.0-187
Issue: Remove a process from updaters list when added from its full path.
1235599
6.2.0-179
Will not fix
Issue: Script gets unsolidified when editing with "vim" in Observe mode.
Issue: After disabling AC without a system reboot, AC 6.1.7-674 enters a partially disabled state and the system is allowed to execute.
1214591
6.1.7-673
Will not fix
Issue: Docker 1.13 containers fail to run in enabled mode with Docker as Updater.
1205485
6.1.7-504
Will not fix
Issue: Linux Desktop Timeout with Root login/logoff when Solidcore is Enabled/Updated. Workaround: Create the file /etc/X11/xinit/xinitrc.d/00-gvfs-disable-fuse.sh with the following contents:
GVFS_DISABLE_FUSE=1
export GVFS_DISABLE_FUSE
This script disables fuse's daemon running in the background, so fuse filesystem is not mounted. Restart the system so the changes can take effect.
UNIX (All Versions)
Reference
Article
Found in Version
Resolved in Version
Description
1203232
6.1.7-540
Issue: Solomon automated test tool can't verify some events.
1202241
6.1.7-504
Issue: The events are not generated in RHEL 6 x86.
818828
6.1.0-9463
Issue: With VirusScan Enterprise for Linux (VSEL) 1.7 installed, the VSEL service stops with errors on the CLI.
797363
6.1.0-9323
Issue: The sadmin Xray command does not list the attr specific configurations for the running process.
607014
4.9.0-238
Issue: Adding a script as an updater twice (once on its own and again with its parent) might lead to unexpected behavior.
1053355
6.1.7-192
Will not fix
Issue: If you erroneously try to stop the Solidcore service by using the systemctl command in Enabled mode, a subsequent attempt to stop the service in Disabled mode might fail. Workaround: To stop the service in Disabled mode, use the following commands:
Issue: Installation of Solidifier should not occur in a symbolic link path.
812578
6.1.0-9437
Will not fix
Issue: On some kernels, error messages related to scdrv are displayed in the console during system boot.
811983
6.1.0-9434
Will not fix
Issue: Property collection on ePO and the endpoint might show different versions of Solidifier if the system is not rebooted after upgrade.
807180
6.1.0-9402
Will not fix
Issue: Installation on a non pre-compiled kernel fails if you run the installer from a Windows share that is mounted using CIFS.
798843
6.1.0-9323
Will not fix
Issue: You might observe unexpected behavior if a process exits without closing the modified files.
797291
6.1.0-9323
Will not fix
Issue: After Dynamic Kernel Module compilation, an empty file named 2 gets created in the dks directory.
762449
6.1.0-9301
Will not fix
Issue: Events are generated if a special device file is renamed.
616089
5.1.0-6817
Will not fix
Issue: Localized strings not consistent. Partial localization occurs in some events and messages.
610254
5.0.1-1
Will not fix
Issue: When you run the Debug Info client task for a UNIX system, the name of the generated file is suffixed with the host name and time stamp. For example, gatherinfo-hpj-03-07-08-10_14-37-45.tar.gz. (This result occurs even though the log states that the gatherinfo.tar.gz file is generated.)
607024
4.0.0-5920
Will not fix
Issue: By default, the deny-read feature is disabled. A read-protect rule is immediately applied to Solidcore Agent, but is effective only after the deny-read feature is enabled on the Solidcore Agent.
604604
4.8.3-164
Issue: Write/read protection does not work on files added via cachefs/lofs.
Critical: There are currently no known critical issues.
Non-critical:
Solidcore Extension:
Reference
Description
608618
Issue: When you try to upload the Windows Solidcore Agent Deployment Package (~100 MB) to ePO through Microsoft Internet Explorer, the file upload times out if the network upload speed is slow. Workaround: If an error displays in Internet Explorer 6, try using Internet Explorer 7 (or later). If the error occurs in Internet Explorer 7 or later, copy the package to a local directory on the ePO server. Access the ePO console on the ePO server and upload the file from the local path. Doing so avoids possible network delays.
607452
Issue: ePO 4.6 reports and dashboard entries are not removed after the Solidcore Extension is uninstalled. Workaround: If you are uninstalling and reinstalling the Solidcore Extension, remove the reports and dashboards manually after uninstalling, and before reinstalling.
607517
Issue: PDF reports have minor data display and formatting issues if more than 50,000 records are reported.
608347
Issue: The Solidcore Policies Applied on Hosts report displays all policies derived from the root, regardless of the SKUs enabled on the platform.
609304
Issue: It is not possible to export data from the Reporting, Solidcore Events page. Workaround: Use Queries (Reporting, Queries) to export event data.
636769
Issue: If you upgrade from Solidcore 5.1.0 to 5.1.1 (or later), existing Solidcore events in the Solidcore Events table are not migrated to the ePO Events table.
636352
Issue: After removing the Solidcore Extension, all Solidcore-related events are retained in the ePO table. When you view the events in the Threat Event Log, some fields might display erroneous data.
607554
Issue: Solidcore policies can't be duplicated by using the Policy Details page because the OK button is disabled. Workaround: Use the Policy Catalog page to duplicate policies.
643854
Issue: When you use the Guided Configuration page on the ePO 4.6 console, the Save Policy button is not enabled when changes are made to Solidcore Policies. Workaround: Edit the policy by using the Policy Catalog without using Guided Configuration.
608374
Issue: When you try to enable an already enabled Solidcore Agent, the error displayed is not translated.
607908
Issue: It is not possible to export more than 50,000 records from any table or report.
608025
Issue: Reports, tasks, and policies for all SKUs are listed even if the license for that SKU is not added.
609911
Issue: Export of rule groups does not work in Internet Explorer when opened from the ePO server. Workaround: Use Internet Explorer from a different computer and export the rule groups.
610303
Issue: The Server Task pages on ePO might not work properly if you use Mozilla Firefox version 3.0. Workaround: McAfee recommends using Mozilla Firefox version 3.6 (or later) or Internet Explorer 6.0 (or later).
608753
Issue: Sometimes, using the user name field of reported events on the ePO server as a trusted user might not work if the client system is part of an Active Directory domain. The domain name reported in the events is not the full AD domain and might prevent this method from working. Workaround: Use the environment variable USERDNSDOMAIN as the domain name for AD clients. Or, review the properties of the My Computer icon to identify the complete user name to specify as the trusted user.
609220
Issue: Saving an Application Control policy that is a copy of the McAfee Default policy is slow. Workaround: Because Application Control policies are multi-slot policies, McAfee recommends that you create a new blank policy and add new rules to it instead of copying and changing the McAfee Default policy.
656518
Issue: If you install Solidcore Extension 5.1.2 (or later) on an existing ePO 4.5 system and then upgrade to ePO 4.6 FIPS mode, the event parser stops working. Workaround: Run the following command and upgrade the required DLL: https://<ePO_IP_address: port>/remote/scor.upgradeEventParser.do
607950
Issue: User-defined system variables in policies are resolved at the endpoint only after the endpoint is restarted.
707486
Issue: When using the ePO 4.6 console, navigating quickly through the Events and Inventory pages logs off the user.
714176
Issue: On ePO 4.6 Update 1 or Update 2, if you add multiple commands to a Run Commands client task while creating the task, you can't later remove the commands from the saved client task.
719796
Issue: Global catalog search for Active Directory (AD) groups is not supported. Workaround: Search for a group in a specific AD server instead of using the Global Catalog.
To add a specific group:
Log on to the ePO 4.x console.
Add the AD server with the group as a Registered Server.
Search for the group by selecting the registered AD server. Make sure that the Global Catalog Search option is deselected.
Add the group to a policy as a trusted group.
722045
Issue: Adding new columns, such as Solidcore Status and Solidification Status, for an endpoint by clicking Actions, Choose columns, noncompliant Solidcore Agent might not display values for all endpoints. This issue is because the noncompliant Solidcore Agent section includes only noncompliant agent properties. Workaround: When adding new columns for an endpoint, click Actions, Choose columns, Solidcore Client Properties instead of Actions, Choose columns, noncompliant Solidcore Agent.
812003
Issue: The Self-Approval page displays a link for .MSI-based applications, which displays an empty list when drilling down.
890978
Issue: The GTI cloud server entry is not removed from ePO after the Solidcore Extension is uninstalled.
937037
Issue: You can't upgrade the Solidcore help extension from a previous release. Workaround: Uninstall the old help extension and install the new one.
926122
Issue: File Deviation details are missing in an exported file from the Image Deviation page.
950063
Issue: A few strings are not properly localized in languages other than English.
Issue: MAC/MCC 6.1.7 are not compatible with VirusScan Enterprise for Linux (VSEL) 2.0.
900761
Issue: When MAC is placed in a Disabled state and the endpoint is not rebooted, upgrading MAC will not successfully complete. This issue is because the driver is not unloaded. Workaround: Reboot the endpoint after disabling MAC, and perform the upgrade task again.
608671
Issue: If Solidcore Agent is installed in a non-default path, upgrading via ePO is not supported. Such an upgrade might leave the Solidcore Agent in an inconsistent state. McAfee recommends that you uninstall the existing version and then install the new version using ePO.
608737
Issue: If the partition with the /opt/McAfee/cma directory has insufficient space, events might not be generated and a Failed to generate event xml error message is added to the solidcore.log file. Free up space in the partition with the /opt/McAfee/cma directory.
601728
Issue: According to the NFS protocol, if a file present on the NFS share is opened once on the NFS client, it can't be reopened until the file attributes are changed. As a result, if a read-protected file is opened on a client-side NFS share in Update mode, the file can be read on the client. The file remains in a readable state even after entering Enabled mode from Update mode. The file remains readable until the attributes are changed on the server.
601734
Issue: Changing a hard link might cause the name of the link or program to display in events.
601914
Issue: For daemon processes, the reported user name and original user name are the same.
602653
Issue: A write-protected file can be changed through its hard link if the hard link has already been created.
602772
Issue: Scripts without the #! tag can't act as updaters.
Issue: For loopback file systems, some features, such as updater and monitoring, do not work correctly when the loopback path is used instead of the physical path in the sadmin commands. For instance, if /opt is mounted as a loopback file system at /mnt, to add /mnt/abc as an updater, you must add the path /opt/abc as an updater.
606674
Issue: A write-protected file can be changed or deleted if the file system is mounted to a different directory.
602990
Issue: Some features, such as updaters and mon-proc-exec, do not work properly for unsupported file formats. Only executable binaries and #! scripts are supported file formats.
603462
Issue: The BOOTING_ENABLED and BOOTING_UPDATE_MODE events are not added to the system log. Workaround: At boot time, start the syslog service before the Solidcore Agent service.
603490
Issue: You observe the following issues when an updater calls another updater:
If the child process is added as an updater, the non-inheritable option (-d) of the parent process is overridden.
If the parent process is added as an updater, the non-inheritable option (-d) of the child is overridden.
604780
Issue: For processes that are not directly associated with a terminal, the original_user field is the same as the user field. For example, when you run a script through Runlevel/init scripts, original_user is the same as the user.
605062
Issue: The mmap system call at the NFS client does not work if the file is read-protected.
607014
Issue: Adding a script as an updater twice (once on its own and again with its parent) might lead to unexpected behavior.
607024
Issue: By default, the deny-read feature is disabled. A read-protect rule is immediately applied to Solidcore Agent but is effective only after the deny-read feature is enabled on the Solidcore Agent.
607245
Issue: No events are generated for changes to a file with the string solidcore.log in its name, for example, mysolidcore.log.
601763
Issue: Process information can't be determined for those processes that are invoked before the Solidcore Agent driver is loaded. This fact has the following implications:
If such a process makes file changes, these changes might not be reported.
For processes that started before the driver was loaded, only the partial program names are reported.
For NFS, for the changes made by the client, the change events displaying on the server have only the relative name for the NFS daemon (in other words, nfsd or nfsktcpd).
No Process Start and Process Stop events are generated for already running processes.
On only the AIX platform, Change Tracking / Prevention on file systems mounted by such processes might or might not work because system calls executed by already running processes can't be trapped. The running processes can't be trapped because of differences in the way system calls are implemented for the AIX platform. As a workaround, you can restart such processes.
604604
Issue: Write/read protection does not work on files added via cachefs/lofs.
613214
Issue: If the installation path is a mount point, forcibly unmounting (for example, using the umount -f command) might lead to non-deterministic behavior.
603386
Issue: The Solidcore Agent can't be installed, upgraded, or uninstalled through init scripts that run at system boot time. Workaround: Add the following two statements in the init script before invoking the installer:
HOME="/"
export HOME
610254
Issue: When you run the Debug Info client task for a UNIX system, the log states that the gatherinfo.tar.gz file is generated. The actual name of the generated file is suffixed with the host name and time stamp. For example, gatherinfo-hpj-03-07-08-10_14-37-45.tar.gz.
616089
Issue: Localized strings are not consistent. Partial localization occurs in some events and messages.
774493
Issue: Change of binary in Update mode does not change/update the corresponding hard-link in allow list.
797291
Issue: After Dynamic Kernel Module compilation, an empty file named 2 gets created in the dks directory.
797363
Issue: The sadmin xray command does not list the attr-specific configurations for the running process.
798843
Issue: You might observe unexpected behavior if a process exits without closing the changed files.
802433
Issue: If the volume is unsolidified, it is not listed as unsolidified in the output of sadmin status.
807180
Issue: Installation on a non pre-compiled kernel fails if you run the installer from a Windows share that is mounted using CIFS. Workaround: Mount the Windows share using NFS.
811983
Issue: Property collection on ePO and the endpoint might show different versions of Solidifier if the system is not rebooted after upgrade.
812578
Issue: On some kernels, error messages related to scdrv are displayed in the console during system boot.
818828
Issue: With VirusScan Enterprise for Linux (VSEL) 1.7 and later version installed, the VSEL service stops with errors on the CLI.
989865
Issue: Installation of Solidifier should not occur in a symbolic link path.
Issue: After upgrading to MAC 6.1.7, new advanced exclusion filters (AEF)/updaters and attr rules are not added as default rules.
1049005
Issue: When uninstalling in Enabled mode, an incorrect message stating Unable to initialize installer is added to the /tmp/solidcoreS3_uninstall.log file.
1144705
Issue: The Scripts command is not supported on SUSE10 x86.
1143376
Issue: Script-auth fails if the interpreter is a symlink with a name different from the target.
Workaround: Add a rule with the target in your scripts. For example, if python is added as the interpreter in scripts and python is a symlink to python2.6 (/usr/bin/python -> python2.6), then add a rule for python2.6.
053355
Issue: If you erroneously try to stop the Solidcore service by using the systemctl command in Enabled mode, an attempt to stop the service in Disabled mode might fail. Workaround: To stop the service in Disabled mode, use the following commands:
Issue: Upgrading to McAfee Agent 5.0.0 is not supported on Linux operating systems with Application Control installed Solution: For versions earlier than 6.1.7, a fresh installation of MA 5.0.0 is supported with MAC.
Issue: When you log on to a solidified system using Telnet as a non-root user, the original_user name displays as root.
1009579
Issue: On a protected system running Red Hat Enterprise Linux (RHEL) 5 with kernel 2.6.18-308.EL5 or later, the deny-read feature does not work on an NFSv4 mounted partition.
1211104
Issue: After running automated testing tool (Solomon), there is a crash in UBUNTU 16.04 x86 platform with kernel 4.4.0-47-generic.
1205485
Issue: Linux Desktop Timeout with Root login/logoff when Solidcore is Enabled/Updated. Workaround: Create the file /etc/X11/xinit/xinitrc.d/00-gvfs-disable-fuse.sh with the following contents:
GVFS_DISABLE_FUSE=1
export GVFS_DISABLE_FUSE
This script disables fuse's daemon running in the background, so fuse filesystem is not mounted. Restart the system so the changes can take effect.
1214591
Issue: Docker 1.13 containers fail to run in enabled mode with Docker as Updater.
1219099
Issue: Unsolidified bash script can show executed event when script-auth is enabled Workaround: Reboot endpoint and script-auth works as expected.
1224787
Issue: MACC service stops working after running the command sadmin disable and restarting the Solidcore service. Workaround: Reboot the system and complete entering disabled mode. After rebooting the system, it operates as expected.
Issue: Incompatibility between VirusScan Enterprise For Linux 2.0.2 and Application Control 6.1
Solution:
Do not install MAC 6.1 and VSEL 2.0.2 on the same system.
If you have already installed MAC 6.1 and VSEL 2.0.2 on the same system, you must uninstall one, then install a different version not affected by this issue.
Critical: There are currently no known critical issues.
Non-critical:
Solidcore Extension:
Reference
Description
608618
Issue: When you try to upload the Windows Solidcore Agent Deployment Package (~100 MB) to ePO through Microsoft Internet Explorer, the file upload times out if the network upload speed is slow. Workaround: If an error displays in Internet Explorer 6, try using Internet Explorer 7 (or later). If the error occurs in Internet Explorer 7 or later, copy the package to a local directory on the ePO server. Access the ePO console on the ePO server and upload the file from the local path. Doing so avoids possible network delays.
607452
Issue: ePO 4.6 reports and dashboard entries are not removed after the Solidcore Extension is uninstalled. Workaround: If you are uninstalling and reinstalling the Solidcore Extension, remove the reports and dashboards manually after uninstalling, and before reinstalling.
607517
Issue: PDF reports have minor data display and formatting issues if more than 50,000 records are reported.
608347
Issue: The Solidcore Policies Applied on Hosts report displays all policies derived from the root, irrespective of the SKUs enabled on the platform.
609304
Issue: It is not possible to export data from the Reporting, Solidcore Events page. Workaround: Use Queries (Reporting, Queries) to export event data.
636769
Issue: If you upgrade from Solidcore 5.1.0 to 5.1.1 (or later), existing Solidcore events in the Solidcore Events table are not migrated to the ePO Events table.
636352
Issue: After removing the Solidcore Extension, all Solidcore-related events are retained in the ePO table. When you view the events in the Threat Event Log, some fields might display erroneous data.
607554
Issue: Solidcore policies can't be duplicated by using the Policy Details page because the OK button is disabled. Workaround: Use the Policy Catalog page to duplicate policies.
643854
Issue: When you use the Guided Configuration page on the ePO 4.6 console, the Save Policy button is not enabled when changes are made to Solidcore Policies. Workaround: Edit the policy by using the Policy Catalog without using Guided Configuration.
608374
Issue: When you try to enable an already enabled Solidcore Agent, the error displayed is not translated.
607908
Issue: It is not possible to export more than 50,000 records from any table or report.
608025
Issue: Reports, tasks, and policies for all SKUs are listed even if the license for that SKU is not added.
609911
Issue: Export of rule groups does not work in Internet Explorer when opened from the ePO server. Workaround: Use Internet Explorer from a different computer and export the rule groups.
610303
Issue: The Server Task pages on ePO might not work properly if you use Mozilla Firefox version 3.0. Workaround: Technical Support recommends using Mozilla Firefox version 3.6 (or later) or Internet Explorer 6.0 (or later).
608753
Issue: Sometimes, using the user name field of reported events on the ePO server as a trusted user might not work if the client system is part of an Active Directory domain. The reason is because the domain name reported in the events is not the full AD domain. Workaround: Use the environment variable USERDNSDOMAIN as the domain name for AD clients. You can review the properties of the My Computer icon to identify the complete user name and specify as the trusted user as well.
608759
Issue: If ePO is installed on the Japanese version of Windows, exporting the dashboard data to HTML format fails if the generated HTML file name contains digits.
609220
Issue: Saving an Application Control policy that is a copy of the McAfee Default policy is slow. Workaround: Because Application Control policies are multi-slot policies, Technical Support recommends that you create a new blank policy and add new rules to it instead of copying and changing the McAfee Default policy.
656518
Issue: If you install Solidcore Extension 5.1.2 on an existing ePO 4.5 system and then upgrade to ePO version 4.6 FIPS mode, the event parser stops working. Workaround: Run the following command and upgrade the required DLL: https://<ePO_IP_address: port>/remote/scor.upgradeEventParser.do
607950
Issue: User-defined system variables in policies are resolved at the endpoint only after the endpoint is restarted.
707486
Issue: When using the ePO 4.6 console, navigating quickly through the Events and Inventory pages logs off the user.
714176
Issue: On ePO 4.6 Update 1 or Update 2, if you add multiple commands to a Run Commands client task while creating the task, you can't later remove the commands from the saved client task.
719796
Issue: Global catalog search for Active Directory (AD) groups is not supported. Workaround: Search for a group in a specific AD server instead of using the Global Catalog.
To add a specific group:
Log on to the ePO 4.x console.
Add the AD server with the group as a Registered Server.
Search for the group by selecting the registered AD server. Make sure that the Global Catalog Search option is deselected.
Add the group to a policy as a trusted group.
722045
Issue: Adding new columns, such as Solidcore Status and Solidification Status, for an endpoint by clicking Actions, Choose columns, noncompliant Solidcore Agent might not display values for all endpoints. The reason is because the noncompliant Solidcore Agent section includes only noncompliant agent properties. Workaround: When adding new columns for an endpoint, click Actions, Choose columns, Solidcore Client Properties instead of Actions, Choose columns, noncompliant Solidcore Agent.
812003
Issue: The Self-Approval page displays a link for .MSI based applications, which displays an empty list when drilling down.
890978
Issue: The GTI cloud server entry is not removed from ePO after the Solidcore Extension is uninstalled.
937037
Issue: You can't upgrade the Solidcore help extension from a previous release to 6.1.2.020. Workaround: Uninstall the old help extension and install the new one.
926122
Issue: File Deviation details are missing in an exported file from the Image Deviation page.
950063
Issue: A few strings are not properly localized in languages other than English.
Issue: For an unsupported kernel, the Build property of the endpoint on the ePO properties screen displays as Compiled.
944538
Issue: MAC/MCC 6.1.4 are not compatible with VSEL 2.0.
900761
Issue: When the endpoint is Disabled and not rebooted, the product upgrade is not successful. The reason is because the driver is not unloaded. Workaround: Reboot the endpoint system and perform the upgrade task again.
The following issues are from the MAC 6.1.0 Linux/UNIX release
608671
Issue: If Solidcore Agent is installed in a non-default path, upgrading via ePO is not supported. Such an upgrade can leave the Solidcore Agent in an inconsistent state. Technical Support recommends that you uninstall the existing version and then install the new version using ePO.
608737
Issue: If the partition with the /opt/McAfee/cma directory has insufficient space, events might not be generated and a Failed to generate event xml error message is added to the solidcore.log file. Free up space on the partition with the /opt/McAfee/cma directory.
601728
Issue: According to the NFS protocol, if a file present on the NFS share is opened once on the NFS client, it can't be reopened until the file attributes are changed. As a result, if a read-protected file on an NFS share is opened on the client side in Update mode, the user could read it on the client. The user could read it even in Enable mode (after coming out of Update mode) until the file attributes are changed on the server.
601734
Issue: Changing a hard link might cause the name of the link or program to display in events.
601914
Issue: For daemon processes, the reported user name and original user name are the same.
602653
Issue: A write-protected file can be changed through its hard link if the hard link has already been created.
602772
Issue: Scripts without the #! tag can't act as updaters.
602977
Issue: For loopback file systems, some features, such as updater and monitoring, do not work correctly when the loopback path is used instead of the physical path in the sadmin commands. For instance, if /opt is mounted as a loopback file system at /mnt, to add /mnt/abc as an updater, you must add the path /opt/abc as an updater.
602990
Issue: Some features, such as updaters and mon-proc-exec, do not work properly for unsupported file formats. Only executable binaries and #! scripts are supported file formats.
603462
Issue: The BOOTING_ENABLED and BOOTING_UPDATE_MODE events are not added to the system log. Workaround: At boot time, start the syslog service before the Solidcore Agent service.
603490
Issue: The following issues are observed when an updater calls another updater:
If the child process is added as an updater, the non-inheritable option (-d) of the parent process is overridden.
If the parent process is added as an updater, the non-inheritable option (-d) of the child is overridden.
604780
Issue: For processes that are not directly associated with a terminal, the original_user field is the same as the user field. For example, when you run a script through Runlevel/init scripts, original_user is the same as the user.
605062
Issue: The mmap system call at the NFS client does not work if the file is read-protected.
606674
Issue: A write-protected file can be changed or deleted if the file system is mounted to a different directory.
607014
Issue: Adding a script as an updater twice (once on its own and again with its parent) can lead to unexpected behavior.
607024
Issue: By default, the deny-read feature is disabled. A read-protect rule is immediately applied to Solidcore Agent but is effective only after the deny-read feature is enabled on the Solidcore Agent.
607245
Issue: No events are generated for changes to a file with the string solidcore.log in its name, for example, mysolidcore.log.
601763
Issue: Process information can't be determined for those processes that are invoked before the Solidcore Agent driver is loaded. This issue has the following implications:
If such a process makes file changes, these changes might not be reported.
For processes that started before the driver was loaded, only the partial program names are reported.
For NFS, for the changes done by the client, the change events displaying on the server have only the relative name for the NFS daemon (in other words, nfsd or nfsktcpd).
No Process Start and Process Stop events are generated for already running processes.
On only the AIX platform, Change Tracking / Prevention on file systems mounted by such processes might or might not work. System calls executed by already running processes can't be trapped due to differences in the way system calls are implemented for the AIX platform. As a workaround, you can restart such processes.
604604
Issue: Write/read protection does not work on files added via cachefs/lofs.
613214
Issue: If the installation path is a mount point, forcibly unmounting (for example, using the umount -f command) might lead to non-deterministic behavior.
603386
Issue: The Solidcore Agent can't be installed, upgraded, or uninstalled through init scripts that run at system boot time. Workaround: Add the following two statements in the init script before invoking the installer:
HOME="/"
export HOME
610254
Issue: When you run the Debug Info client task for a UNIX system, the log states that the gatherinfo.tar.gz file is generated. The name of the generated file is suffixed with the host name and time stamp. For example, gatherinfo-hpj-03-07-08-10_14-37-45.tar.gz.
616089
Issue: Localized strings are not consistent. Partial localization occurs in some events and messages.
708279
Issue: For RHEL5/RHEL6 (Kernel less than 2.6.32-220) and kernels of SLES 10/SUSE11 (excluding SLES11 SP2), FILE_CREATED events are incorrectly reported as FILE_ATTR_MODIFIED over an NFSv4 partition.
762449
Issue: Events are generated if a special device file is renamed.
774493
Issue: Change of a binary in Update mode does not change/update the corresponding hard-link in allow list.
797291
Issue: After Dynamic Kernel Module compilation, an empty file named 2 gets created in the dks directory.
797363
Issue: The sadmin xray command does not list the attr specific configurations for the running process.
798843
Issue: Unexpected behavior might be observed if a process exits without closing one or more changed files.
802433
Issue: If the volume is unsolidified, it is not listed as unsolidified in the output of sadmin status.
807180
Issue: Installation on a non pre-compiled kernel fails if you run the installer from a Windows share that is mounted using CIFS. Workaround: Mount the Windows share using NFS.
811983
Issue: Property collection on ePO and the endpoint might show different versions of Solidifier if the system is not rebooted after upgrade.
812578
Issue: On some kernels, error messages related to scdrv are displayed in the console during system boot.
818828
Issue: With VirusScan Enterprise for Linux (VSEL) 1.7 installed, the VSEL service stops with errors on the CLI.
989865
Issue: Installation of Solidifier occurs in a symbolic link path.
Issue: When you log on to a solidified system using Telnet as a non-root user, the original_user name displays as root.
1009579
Issue: On a protected system running Red Hat Enterprise Linux 5 with kernel 2.6.18-308.EL5 or later, the deny-read feature does not work on an NFSv4 mounted partition.
Critical: There are currently no known critical issues.
Non-critical:
Solidcore Extension:
Reference
Description
608618
Issue: When you try to upload the Windows Solidcore Agent Deployment Package (~100 MB) to ePO through Microsoft Internet Explorer, the file upload times out if the network upload speed is slow. Workaround: If an error displays in Internet Explorer 6, try using Internet Explorer 7 (or later). If the error occurs in Internet Explorer 7 or later, copy the package to a local directory on the ePO server. Access the ePO console on the ePO server and upload the file from the local path. Doing so avoids possible network delays.
607452
Issue: ePO 4.6 reports and dashboard entries are not removed after the Solidcore Extension is uninstalled. Workaround: If you are uninstalling and reinstalling the Solidcore extension, remove the reports and dashboards manually after uninstalling, and before reinstalling.
607517
Issue: PDF reports have minor data display and formatting issues if more than 50,000 records are reported.
608347
Issue: The Solidcore Policies Applied on Hosts report displays all policies derived from the root, irrespective of the SKUs enabled on the platform.
609304
Issue: It is not possible to export data from the Reporting, Solidcore Events page. Workaround: Use Queries (Reporting, Queries) to export event data.
636769
Issue: If you upgrade from 5.1.0 to 5.1.1 (or later), existing Solidcore events in the Solidcore Events table are not migrated to the ePO Events table.
636352
Issue: After removing the Solidcore Extension, all Solidcore-related events are retained in the ePO table. When you view the events in the Threat Event Log, some fields might display garbage data.
607554
Issue: Solidcore policies can't be duplicated by using the Policy Details page because the OK button is disabled. Workaround: Use the Policy Catalog page to duplicate policies.
643854
Issue: When using the Guided Configuration page on the ePO 4.6 console, the Save Policy button is not enabled when changes are made to Solidcore Policies. Workaround: Edit the policy by using the Policy Catalog without using Guided Configuration.
608374
Issue: When trying to enable an already enabled Solidcore Agent, the error displayed is not translated.
607908
Issue: It is not possible to export more than 50,000 records from any table or report.
608025
Issue: Reports, tasks, and policies for all SKUs are listed even if the license for that SKU is not added.
609911
Issue: Export of rule groups does not work in Internet Explorer when opened from the ePO server. Workaround: Use Internet Explorer from a different computer and export rule groups.
610303
Issue: The Server Task pages on ePO might not work properly if you are using Mozilla Firefox version 3.0. Workaround: If you encounter issues, Technical Support recommends that you use Mozilla Firefox version 3.6 (or later) or Internet Explorer 6.0 (or later).
608753
Issue: Sometimes, using the user name field of reported events on the ePO as a trusted user might not work if the client system is part of an AD domain. The reason is because the domain name reported in the events is not the full AD domain. Workaround: Use the environment variable USERDNSDOMAIN of the AD client as the domain name. You can review the properties of MyComputer, identify the complete user name, and specify it as the trusted user as well.
608759
Issue: If ePO is installed on Japanese Windows, exporting the dashboard data to HTML format fails if the generated HTML file name contains digits.
609220
Issue: Saving an Application Control policy that is a copy of the McAfee Default policy is slow. Workaround: Because Application Control policies are multi-slot policies, we recommend that you create a new blank policy and add new rules to it instead of copying and changing the McAfee Default policy.
656518
Issue: If you install Solidcore Extension 5.1.2 on an existing ePO 4.5 system and then upgrade to ePO version 4.6 FIPS mode, the event parser stops working. Workaround: Run the following command and upgrade the required DLL: https://<ePO IP address: port>/remote/scor.upgradeEventParser.do
607950
Issue: User-defined system variables in policies are resolved at the endpoint only after the endpoint is restarted.
707486
Issue: When using the ePO 4.6 console, navigating quickly through the Events and Inventory pages logs off the user.
714176
Issue: On ePO 4.6 Update 1 or Update 2, if you add multiple commands to a Run Commands client task while creating the task, you can't later remove the commands from the saved client task.
719796
Issue: Global catalog search for Active Directory (AD) groups is not supported. Workaround: Search for a group in a specific AD server instead of using the Global Catalog.
To add a specific group:
Log on to the ePO 4.x console.
Add the AD server with the group as a Registered Server.
Search for the group by selecting the registered AD server. Make sure that the Global Catalog Search option is deselected.
Add the group to a policy as a trusted group.
722045
Issue: Adding new columns, such as Solidcore Status and Solidification Status for an endpoint by clicking Actions, Choose columns, noncompliant Solidcore Agent might not display values for all endpoints. The reason is because the noncompliant Solidcore Agent section includes only noncompliant agent properties. Workaround: When adding new columns for an endpoint: Click Actions, Choose columns, Solidcore Client Properties instead of Actions, Choose columns, noncompliant Solidcore Agent.
812003
Issue: The Self-Approval page displays a link for .MSI based applications, which displays an empty list when drilling down.
890978
Issue: The GTI cloud server entry is not removed from ePO after Solidcore extension is uninstalled.
937037
Issue: You can't upgrade Solidcore help extension from a previous release to 6.1.2.020. Workaround: Uninstall the old help extension and install the new one.
926122
Issue: File Deviation details are missing in an exported file from the Image Deviation page.
950063
Issue: A few Strings are not properly localized in languages other than English.
Issue: If Solidcore Agent is installed on the non-default path, upgrade from ePO is not supported. Such an upgrade might leave Solidcore Agent in an inconsistent state. Technical Support recommends that you uninstall the existing version and then install the new version using ePO.
608737
Issue: If the partition with the /opt/McAfee/cma directory has insufficient space, events might not be generated and the Failed to generate event xml error message is added to the solidcore.log file. Free up space in the partition with the /opt/McAfee/cma directory.
601728
Issue: According to the NFS protocol, if a file present on the NFS share is opened once on the NFS client, it can't be reopened until the file attributes are changed. As a result, if a read-protected file in an NFS share is opened on the client side in Update mode, the user could read it on the client. This issue occurs in Enable mode (after coming out of the Update mode) until the file attributes are changed on the server.
601734
Issue: Changing a hard link might cause the name of the link or program to display in events.
601914
Issue: For daemon processes, the reported user name and original user name are the same.
602653
Issue: A write-protected file can be changed through its hard link if the hard link has already been created.
602772
Issue: Scripts without the #! tag can't act as updaters.
602977
Issue: For loopback file systems, some features such as updater and monitoring do not work correctly when the loopback path is used instead of the physical path in the sadmin commands. For instance, if /opt is mounted as a loopback file system at /mnt, to add /mnt/abc as an updater you must add the path /opt/abc as an updater.
602990
Issue: Some features like updaters and mon-proc-exec do not work properly for unsupported file formats. Only executable binaries and #! scripts are supported file formats.
603462
Issue: The BOOTING_ENABLED and BOOTING_UPDATE_MODE events are not added to the system log. Workaround: At boot time, start the syslog service before the Solidcore Agent service.
603490
Issue: The following issues are observed when an updater calls another updater:
If the child process is added as an updater, the non-inheritable option (-d) of the parent process is overridden.
If the parent process is added as an updater, the non-inheritable option (-d) of the child is overridden.
604780
Issue: For processes that are not directly associated with a terminal, the original_user field is a replica of the user field. For example, when you run a script through Runlevel/init scripts, original_user is the same as the user.
605062
Issue: The mmap system call at the NFS client does not work if the file is read-protected.
606674
Issue: A write-protected file can be changed or deleted if the file system is mounted to a different directory.
607014
Issue: Adding a script as an updater twice (once on its own and again with its parent) might lead to ambiguous behavior.
607024
Issue: By default, the deny-read feature is disabled. A read-protect rule is immediately applied to Solidcore Agent but is effective only after the deny-read feature is enabled on the Solidcore Agent.
607245
Issue: No events are generated for changes to a file with the string “solidcore.log” in its name, for example, mysolidcore.log.
601763
Issue: Process information can't be determined for those processes that are invoked before the Solidcore Agent driver is loaded. This issue has the following implications:
If such a process makes file changes then these changes might not be reported.
For processes that started before the driver was loaded, only the partial program names are reported.
For NFS, for the changes done by the client, the change events displaying on the server have only the relative name for the NFS daemon (in other words, nfsd or nfsktcpd).
No Process Start and Process Stop events are generated for already running processes.
On only the AIX platform, Change Tracking / Prevention on file systems mounted by such processes might or might not work. The reason is that system calls executed by already running processes can't be trapped because of a difference in the way system calls are implemented under the AIX platform. As a workaround, you can restart such processes.
604604
Issue: Write/read protection does not work on files added via cachefs/lofs.
613214
Issue: If the install path is a mount point, forcibly unmounting (for example, using the umount -f command) might lead to non-deterministic behavior.
603386
Issue: The Solidcore Agent can't be installed, upgraded, or uninstalled through init scripts that run at system boot time. Workaround: Add the following two statements in the init script before invoking the installer:
HOME="/"
export HOME
610254
Issue: When you run the Collect debug information client task for a UNIX system, the log states that the gatherinfo.tar.gz file is generated. The name of the generated file is suffixed with the host name and time stamp, for example, gatherinfo-hpj-03-07-08-10_14-37-45.tar.gz.
616089
Issue: Localized strings are not consistent. Partial localization occurs in some events and messages.
708279
Issue: For RHEL5/RHEL6 (Kernel less than 2.6.32-220) and kernels of SLES 10/SUSE11 (excluding SLES11 SP2), FILE_CREATED events are being incorrectly reported as FILE_ATTR_MODIFIED over an NFSv4 partition.
762449
Issue: Events are generated if a special device file is renamed.
774493
Issue: Change of binary in Update mode does not change/update the corresponding hard-link in allow list.
797291
Issue: During Dynamic Kernel Module compilation, an empty file named 2 gets created in the dks directory.
797363
Issue: The sadmin xray command does not list the attr specific configurations for the running process.
798843
Issue: Unexpected behavior might be observed if a process exits without closing the changed file.
802433
Issue: If the volume is unsolidified, it is not listed as unsolidified in the output of sadmin status.
807180
Issue: Installation on a non pre-compiled kernel fails if the installer is run from a Windows share that is mounted using CIFS. Workaround: Mount the Windows share using NFS.
811983
Issue: Property collection on ePO and the endpoint might show different versions of solidifier if the system is not rebooted after upgrade.
812578
Issue: On a few Kernels, error messages related to scdrv might show up on the console while the system is starting.
818828
Issue: With VSEL 1.7 installed, the VSEL service stops with errors on the CLI.
Issue: Application Control denies the execution of .zip files when run in context of Java process such as java.exe or javaw.exe. Workaround: See the Knowledge Base article for details.
Issue: The trusted, solidified, and write-protect features do not work correctly for folder-mounted volumes. Workaround: Contact Technical Support for assistance if the setup uses folder-mounted volumes.
604153
Issue: Post install script customization is not available during upgrades. It can be used only during a fresh installation of the Solidcore Agent.
608036
Issue: Mapped drive names can't be used in commands issued by remote users/ePO.
609249
Issue: You can't perform upgrades in UI mode for existing 5.0.0 deployments (that were done manually and not via ePO). Use the following methods to upgrade such standalone deployments:
UI -> Silent
Silent -> Silent
634733
Issue: If the database tables are corrupted, upgrade of the Solidcore Agent fails and you see the following error message:
"Database: . Could not load table 'Control' in SQL query: SELECT `Control`,
`Type`, `X`, `Y`, `Width`, `Height`, `Attributes`, `Property`, `Text`,
`Control_Next`, `Help` FROM `Control` WHERE `Dialog_`=?"
Workaround: Use silent installation instead of UI mode installation.
605369
Issue: When the Solidcore Agent installer is run by an agent installer with the /? argument, a series of unwanted dialog boxes appear due to a bug in the third-party packaging software. These dialog boxes can be ignored.
609311
Issue: Manual uninstallation of Solidcore Agent (deployed from ePO) fails on a client computer having McAfee Agent version 4.0 (or earlier). Workaround: Contact Technical Support for assistance if manual uninstallation has already been tried.
Issue: Unsolidified scripts can't be copied using the MS-DOS command prompt on a solidified system. Any read access to an unsolidified script by the script interpreter configured for that script is denied, which generates unauthorized execution events. Such problems can be avoided by performing the file operation using Windows Explorer.
594596
594770
595290
Issue: Antivirus software applications generate logs when the Solidcore Agent is enabled. Workaround: Use appropriate applications as updaters.
594707
Issue: Roaming and Mandatory profiles with code files do not work properly. Copying files from a Central store on a domain controller to a member server and back might fail.
594790
Issue: Solidcore Protection prevents updating of applications, such as Microsoft Office and Office tools, after the initial installation. When executing the applications for the first time, Technical Support recommends that you run these applications in the Update mode.
596425
Issue: Print server logs errors on Runtime Control module systems with the Solidcore Agent active in the Enable mode. Workaround: Add the printer share as a trusted share.
601158
Issue: The Runtime Control module uses MP-CASP as the default Memory Protection technique. If you want to enable MP-VASR, contact Technical Support.
607414
Issue: When script interpreters are added to memory protection bypass (casp or mangling-decoying), even after a script selected as an updater exits, the script interpreter’s updater privilege is not revoked.
608647
Issue: On 64-bit systems, multiple events might get generated when an unauthorized binary file is executed. The Windows operating system tries to run the binary multiple times by using a reduced set of attributes until final failure.
609632
Issue: After the initial scan task completes, the message "MAC Initial Scan task is complete, and the McAfee Application Control is enforced on the system now" displays, and the system is said to be solidified.
608745
Issue: Files that are read-protected by the user (using 'sadmin read-protect' command) can't be solidified.
624015
Issue: If enabled on a 64-bit computer, the memory protection feature prevents the installation of ActiveX. Workaround: From the ePO console, complete the following steps to add the Internet Explorer executable (iexplore.exe) to the memory protection bypass list.
Log on to the ePO 4.x console.
Click Menu, Policy, Policy Catalog.
Select the Solidcore 5.1.0 General entry from the Product drop-down.
Select Exception Rules (Windows).
Click Duplicate for the McAfee Default policy, specify the policy name, and click OK.
Click the created policy and click Add.
Enter iexplore.exe as the file name, select Bypassed from Memory Control, and click OK.
Click Save.
Apply the policy to the appropriate endpoints.
From the endpoint, run ActiveX after adding the Internet Explorer executable (iexplore.exe) to the memory protection bypass list. Use the following command to add the executable to the bypass list.
sadmin attr add -n iexplore.exe
643688
Issue: If you try an ActiveX installation before enabling the ActiveX feature and retry the installation after enabling the ActiveX feature, ActiveX might not get installed properly. Workaround: If the ActiveX installation fails, delete all files in the <system drive>\windows\downloaded program files directory on the endpoint, and remove all .cab files in the temporary internet files. Now, install the ActiveX control on the endpoint.
602194
Issue: The package control feature is not able to stop the installation of some applications, such as Gvim and Winrar.
602929
Issue: If a package-based installer is executed before the package control feature can detect the package change, the deny-exec feature might prevent the execution of the installer.
607014
Issue: Adding a script as an updater twice (once on its own and again with its parent) might lead to ambiguous behavior.
616147
Issue: For standalone Solidcore Agent installation (in other words, installation not done via ePO) on endpoints where Oracle is installed, finetune.bat must be run manually at the endpoints to apply Oracle-specific rules.
595067
Issue: The system might hang while installing the security hotfix WindowsXP-KB884020-x86-enu.exe. Workaround: Disable the Solidcore Agent before installing this hotfix.
598286
Issue: The system hangs after installing Citrix MetaFrameXP with feature release 3.0. Workaround: Add csrss.exe to the bypass list.
599348
Issue: On viewing the properties of a file on the local drive, deny-write and deny-exec events are generated for the solidified and unsolidified files, respectively.
601126
Issue: When copying solidified files to a rewritable CD, although the files are copied successfully, deny-write errors are logged.
601427
Issue: On 64-bit platforms, Enum or Performance in sub keys is bypassed from Solidcore Agent protection. Thus, when you delete a write-protected registry key with Enum or Performance in sub keys, you might get a partial completion status.
609812
Issue: For an ePO managed endpoint with a valid Application Control license for which the Initial Scan was deferred and that has many executable files installed, the Initial Scan client task after a reboot completes successfully. But, the system remains in Update mode for some time before going to Enable mode. During this time, another client task sent to the endpoint might fail.
610206
Issue: The pop-up message regarding the completion of the Initial Scan client task sent from ePO does not display on remote desktop sessions.
616089
Issue: In the output of the sadmin diag command on the Spanish locale, read 'actualizadores agregar' as 'updaters add'.
For example, the following output:
Issue: Multiple deny write events might get generated for a single deny write action. Example: On deletion of a file using Windows Explorer, up to 8 file deletion events are reported. This happens because, when the application denies deletion of a file, Windows Explorer tries multiple other methods to delete the file, and an event is generated for each attempt.
724600
Issue: ActiveX alerts are not generated on 64-bit Windows systems. Workaround: Complete these steps if you are using the ePO console:
Log on to the ePO 4.x console.
Click Menu, Policy, Policy Catalog.
Select the Solidcore 6.0 General entry from the Product drop-down.
Select Exception Rules (Windows).
Click Duplicate for the McAfee Default policy, specify the policy name, and click OK.
Open the created policy and click Add.
Enter iexplore.exe as the file name, select Bypassed from Memory Control, and click OK.
Click Add.
Type ieinstal.exe as the file name, select Bypassed from Memory Control, and click OK.
Click Save.
Apply the policy to the endpoints.
Complete these steps from the endpoint if you are using the product in Standalone mode.
Execute the following commands to define the required memory-protection bypass rules.
Issue: After you uninstall the Solidcore client from the Windows (64-bit) operating system, the Solidcore folder (c:\program files(x86)\solidcore) and Registry link (HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates) remain on the endpoint.
695246
Issue: Although the Solidcore NX protection is based on system DEP, it is possible that some applications work with system DEP but not with Solidcore NX. In such cases, if processes are added to the Solidcore NX bypass list, the system DEP protection is enabled for the processes.
720663
Issue: Editing the Updater Label for an existing trusted publisher in an Application Control policy fails. Although the label changes on the ePO console, the change is not reflected on the endpoints.
723624
Issue: Execution Denied events might be generated for some DLL files with searchprotocolhost.exe as the process name. These events have no functionality impact. Workaround: If many events are generated, create an AEF rule to prune the events.
725204
Issue: For the 6.0 release, the Yahoo, Adobe Acrobat, CuteFTP, and WinZip rule groups have been removed from the default Application Control policy because of their security implications. Also, when you upgrade, these rule groups are removed from the default policies. If needed, you need to add these rule groups to policies manually.
702580
Issue: For Application Control-related internal files (such as finetune.bat and gatherinfo.bat), version details including binary version, vendor, application name, and application version are not available.
713989
Issue: If Application Control and Spector are installed on an endpoint and MP-CASP is enabled, Internet Explorer crashes.
652602
Issue: If you disable the deny-exec-exes feature on any Windows (64-bit) operating system, change the extension of an exe to .sys, and try to run the .sys file, execution of the .sys file is prevented. If you change the file extension to dll, you can run the file even if the deny-exec-dlls feature is enabled.
713011
Issue: Observations are erroneously generated for 64-bit binary files that are not supported on 32-bit platforms.
607574
Issue: On opening a network share (for systems running Windows Vista, Windows 7, and Windows 2008), deny-write and deny-exec events are generated for the binary files present on the network share. This issue occurs because Windows Explorer tries to fetch the icons for the files stored on the network share.
726020
Issue: If you upgrade from an older release to the 6.0 release and use a command added or changed in the 6.0 release without restarting the endpoint, you might receive a Msg not found error. Workaround: Restart the endpoint to make sure that all commands added or changed in the 6.0 release work correctly.
608868
Issue: On the Windows 2008, Windows 7, and Windows Vista operating systems, you might receive an An unauthorized change made to the Windows error. Workaround: Disable the MP-CASP feature.
768708
Issue: You are unable to set the flag fs-passthru 'p' and the flag vasr forced reloc 'v' together with the extra information flag 'o' in the attr command.
770362
Issue: You are unable to set more than one dll to bypass from VASR forced reloc.
770524
Issue: The Scormcpl.dll displays an older version in inventory after it is upgraded.
794445
Issue: Solidified batch files, when copied using another batch file, fail.
803731
Issue: With network tracking disabled, Self-Approval function does not work for network shares.
803948
Issue: Deny-Exec on a Script file is reported if Network tracking is disabled on a 64-bit architecture.
808857
Issue: A Self-Approval pop-up window displays if a file is opened with the execute flag even if the file is not executed.
808964
Issue: An Auth rule for a process making file changes does not get added correctly if allowed through Self-Approval.
812964
Issue: If the updater flag for a certificate rule is removed, the certificate is still listed as an updater on the endpoint.
816108
Issue: A file, authorized by checksum, is denied for execution when run from a network share.
656298
Issue: Upgrade via a hotfix build might fail in Update mode when run through Product Update Task.
603318
Issue: A blue screen error with bug check 0x00000050 (0xFFB4B000, 0x00000000, 0x80463723, 0x00000000) might be observed after the system is solidified and rebooted.
810072
Issue: While running a 16-bit executable with Self-Approval enabled, the file type is listed as script.
819876
Issue: A process does not work as an Updater when it is configured as an Updater through auth by checksum. Workaround: Configure the process as an Updater by name.
888634
Issue: An unclean uninstallation of Adobe Flash Player occurs when pkg-ctrl-allow-uninstall is enabled. Workaround: sadmin updaters add "C:\WINDOWS\system32\Macromed\Flash\FlashUtil32_11_6_602_180_ActiveX.exe".
888632
Issue: A repair of .NET 3.5 fails. Workaround: Add the below updater rules:
Issue: You are unable to install Visual Studio 2010 Ultimate via updater.
887965
Issue: Uninstallation of applications is not blocked even if the pkg-ctrl-allow-uninstallation feature is disabled. Workaround: Run the sadmin clg command after each installation of an application to block the uninstallation. This command clears out all cached GUIDs from the system.
888878
Issue: Multiple package control prevention events are seen while uninstalling and repairing Visual Studio 2010. Workaround: Add "<install-dir>\Microsoft SDKs\Windows\v7.0A\Bin" to the trusted path: sadmin trusted -u "<install-dir>\Microsoft SDKs\Windows\v7.0A\Bin".
884396
Issue: You are unable to install Adobe Flash Player 11 when the pkg-ctrl-bypass feature is enabled. Workaround: sadmin updaters add InstallAX_11_6_602_180.exe.
883381
Issue: Self-Approval pop-ups for a user session are displayed on a console session instead of a user session. Workaround: Run the following Solidcore commands from the command line:
Issue: Application crashes occur when Solidcore DEP is enabled. Workaround: Run the following Solidcore commands from the command line to bypass the process that is crashing with Solidcore DEP:
Issue: McAfee Solidifier upgrade from 6.1.1 to 6.1.2 fails in Observe mode. Workaround: See the Knowledge Base article for details.
910080
Issue: Package Control: If an application has ctor.dll in its uninstall string, another application that uses ctor.dll is not installed when pkg-ctrl-allow-uninstall is disabled. Workaround: For mode 1 of package control, make ctor.dll an updater using the complete path (for example, C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\ctor.dll). For Package Control modes, see the Application and Change Control 6.1.1 Addendum.
916640
Issue: Deny Execution is not skipped for a drive after removing the skiplist -v flag without a reboot. Workaround: A reboot is required to make it work.
Issue: Package Control, uninstallation of an application fails using Add/Remove Programs, if an application is installed for a particular user. Workaround: See the Knowledge Base article for details.
901147
Issue: An installer (Auto-IT) that is first shown as script type is shown as pe32-exe after it is copied to another location.
911678
Issue: Package Control, unable to repair Visual Studio 2010 Ultimate if installed in Update mode.
903914
Issue: File Write Denied events are seen when some .exe files, marked as updaters, are run by double-clicking them.
918113
Issue: Observations from Network share are not supported.
905783
Issue: Batch files are executing (through cmd.exe) from a network path when network tracking is disabled.
922297
Issue: In Enable mode, if the installer invokes multiple MSI internally, multiple observations are raised.
919300
Issue: A Trusted Path operation fails if the operation is performed on a local share mounted as a network share locally.
923302
Issue: In Enable mode, multiple observations are generated for files that got copied on the system after initial whitelisting.
Issue: The upgrade version is not updated on the ePO server and the McTray About box after an endpoint upgrade.
941675
Issue: Any changes to predefined rules for skiplist and Script-Auth are not applied for upgrades.
940921
Issue: Write-Denied events are seen for sadmin.exe and Instaconfig.exe by the process csrss.exe.
940286
Issue: A Pkg-modification-prevented event is raised during a MAC upgrade.
948349
Issue: Multiple deny-write events for a self-approval pop-up for putty.exe are recorded when execution is done after downloading the file from the internet.
961454
Issue: An older version of the deployment task runs even though a newer version is installed and replaces a few .DLL files on the new version.
Issue: You are unable to install an MSI-based package on x86 in Update or Enable mode.
947775
Issue: The Windows Start screen icons disappear with solidifier installed on 32-bit systems.
946092
Issue: sadmin commands might become unresponsive on Windows Embedded 8 64-bit platforms with the vsepflt driver.
Windows XP
Reference
Article
Description
604834
Issue: On the Windows XP platform, NTFS junction points are supported only when junctions are created for volumes and not for folders.
701065
Issue: If you are using Application Control in the Enable mode on the Windows XP SP1 operating system, virtual memory use increases for most processes. Workaround: Upgrade to Windows XP Service Pack 2.
793102
Issue: DLL rebasing does not work when a complete path to the DLL is specified.
809646
Issue: A Self-Approval pop-up might hang while running non-whitelist binaries from the Desktop.
Issue: The system hangs with Microsoft Security Essentials installed.
Windows 2003
Reference
Description
607361
Issue: On 64-bit systems, some Java-based applications might fail and the Event Viewer logs show that the javaw.exe process was hijacked. Workaround: Add javaw.exe to the attributes list with the -n option:
sadmin attr add -n javaw.exe
892432
Issue: Deny-Exec and Deny-Write events are seen for .Net files via Windows update on Windows 2003. Workaround: Add Netfxupdate.exe as an updater by name with inheritance enabled to successfully install Windows update for .NET.
832241
Issue: A Non-Trusted user can execute an unsolidified bat file using runas CLI on Windows 2003 (x64). This issue is intermittent. Workaround: Use the following command:
sc config wuauserv type= own
Windows 2008 R2 (64-bit)
Reference
Description
608636
Issue: During manual installation of Solidcore Agent on the Windows 2008 R2 (64-bit) platform, you see that Windows installer encountered a validation error for the msiexec.exe and kernelbase.dll files. Workaround: Click Ignore once or Ignore always on the error pop-up to continue installation.
Windows 2008 (64-bit)
Reference
Description
609780
Issue: On the Windows 2008 (64-bit) platform, the rundll32.exe file crashes if an application is uninstalled by using Add/Remove Programs and initially the SetupInstallFromInfSection() function was used to install the application.
Windows 2008/Vista (32-bit and 64-bit), Windows XP/Windows 7/Windows 2008 R2 (64-bit)
Reference
Description
609757
Issue: In Enable mode, if you try to access a folder with unsolidified files through File Explorer, deny-exec events are raised for the files in the folder.
Windows Vista
Reference
Description
607541
Issue: For Windows Vista and later platforms, the Solidcore Agent configuration selects a service called Windows Modules Installer (TrustedInstaller.exe) as updater. This action is done to allow Windows Update to work properly. This service can both install and remove Windows components even if the pkg-ctrl feature is enabled.
Windows 2012
Reference
Description
911734
Issue: Spurious events are generated when configuring AD on Windows 2012.
913943
Issue: Attr rules for MP NX and MP vasr are getting applied on Windows 2012.
1045414
Issue: In the system Event Viewer logs, a "Microsoft-Windows-Kernel-General" error message is logged while writing to the registry during start.
Windows 2003 IA
Reference
Description
911734
Issue: The Solidifier service stops responding on Windows 2003 IA.
Critical: There are currently no known critical issues.
Non-critical:
Solidcore Extension:
Reference
Article
Found in Version
Resolved in Version
Description
608618
Issue: When you try to upload the Windows Solidcore Agent Deployment Package (~100 MB) to ePO through Microsoft Internet Explorer, the file upload times out if the network upload speed is slow. Workaround: If an error displays in Internet Explorer 6, try using Internet Explorer 7 (or later). If the error occurs in Internet Explorer 7 or later, copy the package to a local directory on the ePO server. Access the ePO console on the ePO server and upload the file from the local path. Doing so avoids possible network delays.
605369
Issue: When the Solidcore Agent installer is run by an agent installer with the /? argument, a series of unwanted dialog boxes appear due to a bug in the third-party packaging software. These dialog boxes can be ignored.
609311
Issue: Manual uninstallation of Solidcore Agent (deployed from ePO) fails on a client computer having McAfee Agent version 4.0 (or earlier). Workaround: Contact Technical Support for assistance in case manual uninstallation has already been tried.
Issue: Unsolidified scripts can't be copied using the MS-DOS command prompt on a solidified system. Any read access to unsolidified scripts by script interpreter configured for that script is denied. This denial generates unauthorized execution events. Such problems can be avoided by performing file operation using Windows Explorer.
594596
594770
595290
Issue: Antivirus software applications generate logs when the Solidcore Agent is enabled. Workaround: Use appropriate applications as updaters.
594707
Issue: Roaming and Mandatory profiles with code files do not work properly. Copying files from Central store on domain controller to member server and back might fail.
594790
Issue: Solidcore Protection prevents updating of applications, such as Microsoft Office and Office tools after the initial installation. When executing the applications for the first time, Technical Support recommends that you run these applications in the Update Mode.
596425
Issue: Print server logs errors on Runtime Control module systems with the Solidcore Agent active in the Enabled mode. Workaround: Add the printer share as a trusted share.
601158
Issue: The Runtime Control module uses MP-CASP as the default Memory Protection technique. If you want to enable MP-VASR, contact Technical Support.
607414
Issue: When script interpreters are added to memory protection bypass (casp or mangling-decoying), even after a script marked as an updater exits, the script interpreter’s updater privilege is not revoked.
608647
Issue: On 64-bit systems, multiple events might get generated when an unauthorized binary file is executed. The Windows operating system tries to run the binary multiple times, using a progressively reduced set of attributes, until the final failure.
609632
Issue: After the initial scan task completes and the "MAC Initial Scan task is complete and McAfee Application Control is enforced on the system now" message displays, the system is said to be solidified.
608745
Issue: Files that are read-protected by the user (using 'sadmin read-protect' command) can't be solidified.
624015
Issue: If enabled on a 64-bit computer, the memory protection feature prevents the installation of ActiveX. Workaround: From the ePO console, complete the following steps to add the Internet Explorer executable (iexplore.exe) to the memory protection bypass list.
Log on to the ePO 4.x console.
Click Menu, Policy, Policy Catalog.
Select the Solidcore 5.1.0 General entry from the Product drop-down.
Select Exception Rules (Windows).
Click Duplicate for the McAfee Default policy, specify the policy name, and click OK.
Click the created policy and click Add.
Enter iexplore.exe as the file name, select Bypassed from Memory Control, and click OK.
Click Save.
Apply the policy to the appropriate endpoints.
From the endpoint, run ActiveX after adding the Internet Explorer executable (iexplore.exe) to the memory protection bypass list. Use the following command to add the executable to the bypass list.
sadmin attr add -n iexplore.exe
643688
Issue: If you try an ActiveX installation before enabling the ActiveX feature and retry the installation after enabling the ActiveX feature, ActiveX might not get installed properly. Workaround: If the ActiveX installation fails, delete all files in the <system drive>\windows\downloaded program files directory on the endpoint, and remove all .cab files in the temporary internet files. Now, install the ActiveX control on the endpoint.
602194
Issue: The package control feature is not able to stop the installation of some applications, such as Gvim and Winrar.
602929
Issue: If a package-based installer is executed before the package control feature can detect the package change, the deny-exec feature might prevent the execution of the installer.
607014
Issue: Adding a script as an updater twice (once on its own and again with its parent) might lead to ambiguous behavior.
616147
Issue: For standalone Solidcore Agent installation (in other words, installation not done via ePO) on endpoints where Oracle is installed, finetune.bat must be run manually at the endpoints to apply Oracle-specific rules.
595067
Issue: The system might hang while installing the security hotfix WindowsXP-KB884020-x86-enu.exe. Workaround: Disable the Solidcore Agent before installing this hotfix.
598286
Issue: The system hangs after installing Citrix MetaFrameXP with feature release 3.0. Workaround: Add csrss.exe to the bypass list.
599348
Issue: On viewing the properties of a file on the local drive, deny-write and deny-exec events are generated for the solidified and unsolidified files, respectively.
601126
Issue: When copying solidified files to a rewritable CD, although the files are copied successfully, deny-write errors are logged.
601427
Issue: On 64-bit platforms, Enum or Performance in sub keys is bypassed from Solidcore Agent protection. Thus, when you delete a write-protected registry key with Enum or Performance in sub keys, you might get a partial completion status.
609812
Issue: For an ePO managed endpoint with a valid Application Control license for which the Initial Scan was deferred and that has many executable files installed, the Initial Scan client task after a reboot completes successfully. But, the system remains in Update mode for some time before going to Enabled mode. During this time, sending another client task to the endpoint might fail.
610206
Issue: The pop-up message regarding the completion of Initial Scan client task sent from ePO does not display on remote desktop sessions.
616089
Issue: In the output of the sadmin diag command on the Spanish locale, read 'actualizadores agregar' as 'updaters add'.
For example, in the following output:
Issue: Multiple deny write events might get generated for a single deny write action. Example: On deletion of a file using Windows Explorer, up to 8 file deletion events are reported. This happens because, when the application denies deletion of a file, Windows Explorer tries multiple other methods to delete the file, and an event is generated for each attempt.
724600
Issue: ActiveX alerts are not generated on 64-bit Windows systems. Workaround: Complete these steps if you are using the ePO console:
Log on to the ePO 4.x console.
Click Menu, Policy, Policy Catalog.
Select the Solidcore 6.0 General entry from the Product drop-down.
Select Exception Rules (Windows).
Click Duplicate for the McAfee Default policy, specify the policy name, and click OK.
Open the created policy and click Add.
Enter iexplore.exe as the file name, select Bypassed from Memory Control, and click OK.
Click Add.
Type ieinstal.exe as the file name, select Bypassed from Memory Control, and click OK.
Click Save.
Apply the policy to the endpoints.
Complete these steps from the endpoint if you are using the product in Standalone mode.
Execute the following commands to define the required memory-protection bypass rules.
Issue: After you uninstall the Solidcore client from the Windows (64-bit) operating system, the Solidcore folder (c:\program files(x86)\solidcore) and Registry link (HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates) remain on the endpoint.
695246
Issue: Although the Solidcore NX protection is based on system DEP, it is possible that some applications work with system DEP but not with Solidcore NX. In such cases, if processes are added to the Solidcore NX bypass list, the system DEP protection is enabled for the processes.
720663
Issue: Editing the Updater Label for an existing trusted publisher in an Application Control policy fails. Although the label changes on the ePO console, the change is not reflected on the endpoints.
723624
Issue: Execution Denied events might be generated for some DLL files with searchprotocolhost.exe as the process name. These events have no functionality impact. Workaround: If many events are generated, create an AEF rule to prune the events.
725204
Issue: For the 6.0 release, the Yahoo, Adobe Acrobat, CuteFTP, and WinZip rule groups have been removed from the default Application Control policy because of their security implications. Also, when you upgrade, these rule groups are removed from the default policies. If needed, you need to add these rule groups to policies manually.
702580
Issue: For Application Control-related internal files (such as finetune.bat and gatherinfo.bat), version details including binary version, vendor, application name, and application version are not available.
713989
Issue: If Application Control and Spector are installed on an endpoint and MP-CASP is enabled, Internet Explorer crashes.
685124
Issue: If you are running VirusScan Enterprise (VSE) 8.8 with the Access Protection Level set to Maximum on an endpoint, you can't deploy Solidcore on the endpoint.
652602
Issue: If you disable the deny-exec-exes feature on any Windows (64-bit) operating system, change the extension of an exe to .sys, and try to run the .sys file, execution of the .sys file is prevented. If you change the file extension to dll, you can run the file even if the deny-exec-dlls feature is enabled.
713011
Issue: Observations are erroneously generated for 64-bit binary files that are not supported on 32-bit platforms.
607574
Issue: On opening a network share (for systems running Windows Vista, Windows 7, Windows 2008), deny-write and deny-exec events are generated for the binary files present on the network share. The events are generated because Windows Explorer tries to fetch the icons for the files stored on the network share.
726020
Issue: If you upgrade from an older release to the 6.0 release and use a command added or changed in the 6.0 release without restarting the endpoint, you might receive a Msg not found error. Workaround: Restart the endpoint to make sure that all commands added or changed in the 6.0 release work correctly.
608868
Issue: On the Windows 2008, Windows 7, and Windows Vista operating systems, you might receive the An unauthorized change made to the Windows error. Workaround: Disable the MP-CASP feature.
768708
Issue: You are unable to set the flag fs-passthru 'p' and the flag vasr forced reloc 'v' together with the extra info flag 'o' in the attr command.
770362
Issue: You are unable to set more than one dll to bypass from VASR forced reloc.
770524
Issue: The Scormcpl.dll displays an older version in inventory after it is upgraded.
794445
Issue: Solidified batch files fail when copied using another batch file.
803731
Issue: With network tracking disabled, Self-Approval function does not work for network shares.
803948
Issue: Deny-Exec on a Script file is reported if Network tracking is disabled on a 64-bit architecture.
808857
Issue: A Self-Approval pop-up displays if a file is opened with the execute flag even if the file is not executed.
808964
Issue: An Auth rule for a process making file changes does not get added correctly if allowed through Self-Approval.
812964
Issue: If the updater flag for a certificate rule is removed, the certificate is still listed as an updater on the endpoint.
816108
Issue: A file, authorized by checksum, is denied for execution when run from a network share.
656298
Issue: Upgrade via a hotfix build might fail in Update Mode when run through Product Update Task.
603318
Issue: A crash with bug check 0x00000050 (0xFFB4B000, 0x00000000, 0x80463723, 0x00000000) might be observed after the system is solidified and rebooted.
810072
Issue: While running a 16-bit executable with Self-Approval enabled, the file type is listed as script.
819876
Issue: A process does not work as an Updater when it is configured as an Updater through auth by checksum. Workaround: Configure the process as an Updater by name.
888634
Issue: An unclean uninstallation of Adobe Flash Player occurs when pkg-ctrl-allow-uninstall is enabled. Workaround: sadmin updaters add "C:\WINDOWS\system32\Macromed\Flash\FlashUtil32_11_6_602_180_ActiveX.exe".
888632
Issue: A repair of .NET 3.5 fails. Workaround: Add the below updater rules:
Issue: You are unable to install Visual Studio 2010 Ultimate via updater.
887965
Issue: Uninstallation of applications is not blocked even if the pkg-ctrl-allow-uninstallation feature is disabled. Workaround: Run the sadmin clg command after each installation of an application to block the uninstallation. This command clears out all cached GUIDs from the system.
888878
Issue: Multiple package control prevention events are seen while uninstalling and repairing Visual Studio 2010. Workaround: Uninstall and repair were successful after adding "<install-dir>\Microsoft SDKs\Windows\v7.0A\Bin" to the trusted path:
Issue: You are unable to install Adobe Flash Player 11 when the pkg-ctrl-bypass feature is enabled. Workaround: sadmin updaters add InstallAX_11_6_602_180.exe.
883381
Issue: Self-Approval pop-ups for a user session are shown on the console session instead of the user session. Workaround: Run the following Solidcore commands from the command line:
Issue: An application crashes when Solidcore DEP is enabled. Workaround: Run the following Solidcore commands from the command line to bypass the process that is crashing with Solidcore DEP:
Issue: McAfee Solidifier upgrade from 6.1.1 fails in Observe Mode. Workaround: See the Knowledge Base article for details.
910080
Issue: Package Control: If an application has ctor.dll in its uninstall string, another application that uses ctor.dll is not installed when pkg-ctrl-allow-uninstall is disabled. Workaround: For mode 1 of package control, make ctor.dll an updater using the complete path (for example, C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\ctor.dll). For Package Control modes, see the Application and Change Control 6.1.1 Addendum.
916640
Issue: Deny Execution is not skipped for a drive after removing the skiplist -v flag without a reboot. Workaround: A reboot is required to make it work.
Issue: Package Control, uninstallation of an application fails using Add/Remove Programs, if an application is installed for a particular user. Workaround: See the Knowledge Base article for details.
901147
Issue: An installer (Auto-IT) that is first shown as script type is shown as pe32-exe after it is copied to another location.
911678
Issue: Package Control, unable to repair Visual Studio 2010 Ultimate if installed in Update mode.
903914
Issue: File Write Denied events are seen when some .exe files, marked as updaters, are run by double-clicking them.
918113
Issue: Observations from Network share are not supported.
905783
Issue: Batch files are executing (through cmd.exe) from a network path when network tracking is disabled.
922297
Issue: In Enable mode, if the installer invokes multiple MSI internally, multiple observations are raised.
919300
Issue: A Trusted Path operation fails if the operation is performed on a local share mounted as a network share locally.
923302
Issue: In Enable mode, multiple observations are generated for files that got copied on the system after initial whitelisting.
Issue: On the Windows XP platform, NTFS junction points are supported only when junctions are created for volumes and not for folders.
701065
Issue: If you are using Application Control in the Enabled mode on the Windows XP SP1 operating system, virtual memory use increases for most processes. Workaround: Upgrade to Windows XP Service Pack 2.
793102
Issue: DLL rebasing does not work when a complete path to the DLL is specified.
809646
Issue: A Self-Approval pop-up might hang while running non-whitelist binaries from the Desktop.
844203
Issue: The system hangs with Microsoft Security Essentials installed.
Issue: The Application Control system crashes on every reboot with BugCheck E0100010 due to inventory corruption.
Windows 2003
Reference
Description
607361
Issue: On 64-bit systems, some Java-based applications might fail and the Event Viewer logs show that the javaw.exe process was hijacked. Workaround: Add javaw.exe to the attributes list with the -n option:
sadmin attr add -n javaw.exe
892432
Issue: Deny-Exec and Deny-Write events are seen for .Net files via Windows update on Windows 2003. Workaround: Add Netfxupdate.exe as an updater by name with inheritance enabled to successfully install Windows update for .NET.
832241
Issue: A Non-Trusted user can execute an unsolidified bat file using runas CLI on Windows 2003 (x64). This issue is intermittent. Workaround: Use the following command:
sc config wuauserv type= own
Windows 2008 R2 [64-bit]
Reference
Description
608636
Issue: During manual installation of Solidcore Agent on the Windows 2008 R2 (64-bit) platform, you see that Windows installer encountered a validation error for the msiexec.exe and kernelbase.dll files. Workaround: Click Ignore once or Ignore always on the error pop-up to continue installation.
Windows 2008 [64-bit]
Reference
Description
609780
Issue: On the Windows 2008 (64-bit) platform, the rundll32.exe file crashes if an application is uninstalled by using Add/Remove Programs and the SetupInstallFromInfSection() function was initially used to install the application.
Windows 2008/Vista [32-bit and 64-bit], Windows XP/Windows 7/Windows 2008 R2 [64-bit]
Reference
Description
609757
Issue: In Enabled mode, if you try to access a folder with unsolidified files through File Explorer, deny-exec events are raised for the files in the folder.
Windows Vista
Reference
Description
607541
Issue: For Windows Vista and higher platforms, the Solidcore Agent configuration selects a service called Windows Modules Installer (TrustedInstaller.exe) as updater. This action is done to allow Windows Update to work properly. This service can both install and remove Windows components even if pkg-ctrl feature is enabled.
Windows 2012
Reference
Description
911734
Issue: Spurious events when configuring AD on 2K12.
913943
Issue: Attr rule for MP NX and MP vasr getting applied on Windows 2012.
Windows 2003 IA
Reference
Description
911734
Issue: Solidifier service stops responding on Windows 2003 IA.
Critical: There are currently no known critical issues.
Non-critical:
Solidcore Extension:
Reference
Article
Found in Version
Resolved in Version
Description
608618
Issue: When you try to upload the Windows Solidcore Agent Deployment Package (~100 MB) to ePO through Microsoft Internet Explorer, the file upload times out if the network upload speed is slow. Workaround: If an error displays in Internet Explorer 6, try using Internet Explorer 7 (or later). If the error occurs in Internet Explorer 7 or later, copy the package to a local directory on the ePO server. Access the ePO console on the ePO server and upload the file from the local path. Doing so avoids possible network delays.
605369
Issue: When Solidcore Agent installer is run by an agent installer with the /? argument, a series of unwanted dialog boxes appear due to a bug in the third-party packaging software. These dialog boxes can be ignored.
609311
Issue: Manual uninstallation of Solidcore Agent (deployed from ePO) fails on a client computer having McAfee Agent version 4.0 (or earlier). Workaround: Contact Technical Support for assistance in case manual uninstallation has already been tried.
Issue: Unsolidified scripts can't be copied using the MS-DOS command prompt on a solidified system. Any read access to unsolidified scripts by script interpreter configured for that script, is denied. This denial generates unauthorized execution events. Such problems can be avoided by performing file operation using Windows Explorer.
594596
594770
595290
Issue: Antivirus software applications generate logs when the Solidcore Agent is enabled. Workaround: Use appropriate applications as updaters.
594707
Issue: Roaming and Mandatory profiles with code files do not work properly. Copying files from Central store on domain controller to member server and back might fail.
594790
Issue: Solidcore Protection prevents updating of applications, such as Microsoft Office and Office tools after the initial installation. When executing the applications for the first time, McAfee recommends that you run these applications in the Update Mode.
596425
Issue: Print server logs errors on Runtime Control module systems with the Solidcore Agent active in the Enabled mode. Workaround: Add the printer share as a trusted share.
601158
Issue: The Runtime Control module uses MP-CASP as the default Memory Protection technique. If you want to enable MP-VASR, contact Technical Support.
607414
Issue: When script interpreters are added to memory protection bypass (casp or mangling-decoying), even after a script marked as an updater exits, the script interpreter’s updater privilege is not revoked.
608647
Issue: On 64-bit systems, multiple events might get generated when an unauthorized binary file is executed. The Windows operating system tries to run the binary multiple times by using a reducing set of attributes until final failure.
609632
Issue: After the initial scan task completes and the "MAC Initial Scan task is complete and McAfee Application Control is enforced on the system now" message displays, the system is said to be solidified.
608745
Issue: Files that are read-protected by the user (using 'sadmin read-protect' command) can't be solidified.
624015
Issue: If enabled on a 64-bit computer, the memory protection feature prevents the installation of ActiveX. Workaround: From the ePO console, complete the following steps to add the Internet Explorer executable (iexplore.exe) to the memory protection bypass list.
Log on to the ePO 4.x console.
Click Menu, Policy, Policy Catalog.
Select the Solidcore 5.1.0 General entry from the Product drop-down.
Select Exception Rules (Windows).
Click Duplicate for the McAfee Default policy, specify the policy name, and click OK.
Click the created policy and click Add.
Enter iexplore.exe as the file name, select Bypassed from Memory Control, and click OK.
Click Save.
Apply the policy to the appropriate endpoints.
From the endpoint, run ActiveX after adding the Internet Explorer executable (iexplore.exe) to the memory protection bypass list. Use the following command to add the executable to the bypass list.
sadmin attr add -n iexplore.exe
643688
Issue: If you try an ActiveX installation before enabling the ActiveX feature and retry the installation after enabling the ActiveX feature, the ActiveX might not get installed properly. Workaround: If the ActiveX installation fails, delete all files in the <system drive>\windows\downloaded program files directory on the endpoint, remove all .cab files in the temporary internet files. Now, install the ActiveX control on the endpoint.
602194
Issue: The package control feature is not able to stop the installation of some applications, such as Gvim and Winrar.
602929
Issue: If a package-based installer is executed before the package control feature can detect the package change, the deny-exec feature might prevent the execution of the installer.
607014
Issue: Adding a script as an updater twice (once on its own and again with its parent) might lead to ambiguous behavior.
616147
Issue: For standalone Solidcore Agent installation (that is, installation not done via ePO) on endpoints where Oracle is installed, finetune.bat must be run manually at the endpoints to apply Oracle-specific rules.
595067
Issue: The system might hang while installing the security hotfix WindowsXP-KB884020-x86-enu.exe. Workaround: Disable the Solidcore Agent before installing this hotfix.
598286
Issue: System hangs after installing Citrix MetaFrameXP with feature release 3.0. Workaround: Add csrss.exe to bypass list.
599348
Issue: On viewing the properties of a file on the local drive, deny-write and deny-exec events are generated for the solidified and unsolidified files, respectively.
601126
Issue: When copying solidified files to a rewritable CD, although the files are copied successfully deny-write errors are logged.
601427
Issue: On 64-bit platforms, Enum or Performance in sub keys is bypassed from Solidcore Agent protection. Thus, when you delete a write-protected registry key with Enum or Performance in sub keys, you might get a partial completion status.
609812
Issue: For an ePO managed endpoint with a valid Application Control license for which the Initial Scan was deferred and that has many executable files installed, the Initial Scan client task after a reboot completes successfully. But, the system remains in Update mode for some time before going to Enabled mode. During this time, sending another client task to the endpoint might fail.
610206
Issue: The pop-up message regarding the completion of Initial Scan client task sent from ePO does not display on remote desktop sessions.
616089
Issue: In the output of sadmin diag command on the Spanish locale, read 'actualizadores agregar' as 'updaters add'.
For example, in the following output:
Issue: Multiple deny write events might get generated for a single deny write action. Example: On deletion of a file using Windows Explorer, up to 8 file deletion events are reported. The reason is because when the application denies deletion of a file, Windows Explorer tries multiple other methods to delete the file, resulting in the generation of an event for each attempt.
724600
Issue: ActiveX alerts are not generated on 64-bit Windows systems. Workaround: Complete these steps if you are using the ePO console:
Log on to the ePO 4.x console.
Click Menu, Policy, Policy Catalog.
Select the Solidcore 6.0 General entry from the Product drop-down.
Select Exception Rules (Windows).
Click Duplicate for the McAfee Default policy, specify the policy name, and click OK.
Open the created policy and click Add.
Enter iexplore.exe as the file name, select Bypassed from Memory Control, and click OK.
Click Add.
Enter ieinstal.exe as the file name, select Bypassed from Memory Control, and click OK.
Click Save.
Apply the policy to the endpoints.
Complete these steps from the endpoint if you are using the product in Standalone mode.
Execute the following commands to define the required memory-protection bypass rules.
Issue: After you uninstall the Solidcore client from the Windows (64-bit) operating system, the Solidcore folder (c:\program files(x86)\solidcore) and Registry link (HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates) remain on the endpoint.
695246
Issue: Although the Solidcore NX protection is based on system DEP, it is possible that some applications work with system DEP but not with Solidcore NX. In such cases, if processes are added to Solidcore NX bypass list, the system DEP protection is enabled for the processes.
720663
Issue: Editing the Updater Label for an existing trusted publisher in an Application Control policy fails. Although the label changes on the ePO console, the change is not reflected on the endpoints.
723624
Issue: Execution Denied events might be generated for some DLL files with searchprotocolhost.exe as the process name. These events have no functionality impact. Workaround: If many events are generated, create an AEF rule to prune the events.
725204
Issue: For 6.0 release, the Yahoo, Adobe Acrobat, CuteFTP, and WinZip rule groups have been removed from the default Application Control policy because of their security implications. Also, when you upgrade, these rule groups are removed from the default policies. If needed, you need to add these rule groups to policies manually.
702580
Issue: For Application Control-related internal files (such as finetune.bat and gatherinfo.bat), version details including binary version, vendor, application name, and application version are not available.
713989
Issue: If Application Control and Spector are installed on an endpoint and MP-CASP is enabled, Internet Explorer crashes.
685124
Issue: If you are running VirusScan Enterprise (VSE) 8.8 with the Access Protection Level set to Maximum on an endpoint, you can't deploy Solidcore on the endpoint.
652602
Issue: If you disable the deny-exec-exes feature on any Windows (64-bit) operating system, change extension of an exe to .sys, and try to run the .sys file, execution of the .sys file is prevented. You can change the file extension to dll and run the file even if the deny-exec-dlls feature is enabled as well.
713011
Issue: Observations are erroneously generated for 64-bit binary files that are not supported on 32-bit platforms.
607574
Issue: On opening a network share (for systems running Windows Vista, Windows 7, Windows 2008), deny-write and deny-exec events are generated for the binary files present on the network share. The events are generated because Windows Explorer tries to fetch the icons for the files stored on the network share.
726020
Issue: If you upgrade from an older release to the 6.0 release and use a command added or changed in the 6.0 release without restarting the endpoint, you might receive a Msg not found error. Workaround: Restart the endpoint to make sure that all commands added or changed in the 6.0 release work correctly.
608868
Issue: On the Windows 2008, Windows 7, and Windows Vista operating systems, you might receive the "An unauthorized change made to the Windows" error. Workaround: Disable the MP-CASP feature.
768708
Issue: Unable to set flag fs-passthru 'p' and flag vasr forced reloc 'v' together with extra info flag 'o' in the attr command.
770362
Issue: Unable to set more than one dll to bypass from VASR forced reloc.
770524
Issue: Scormcpl.dll displays an older version in inventory after it is upgraded.
794445
Issue: Copying solidified batch files by using another batch file fails.
803731
Issue: With network tracking disabled, Self-Approval function does not work for network shares.
803948
Issue: Deny-Exec on Script file is reported if Network tracking is disabled on 64-bit architecture.
808857
Issue: Self-Approval pop-up shows up if files are opened with execute flag even if file is not executed.
808964
Issue: Auth rule for a process making file changes does not get added correctly if allowed through Self-Approval.
812964
Issue: If updater flag for a certificate rule is removed, certificate is still listed as updater on endpoint.
816108
Issue: A file, authorized by checksum, is denied for execution when run from network share.
656298
Issue: Upgrade via hotfix build might fail in Update Mode when run through Product Update Task.
603318
Issue: Crash with bug check 0x00000050 (0xFFB4B000, 0x00000000, 0x80463723, 0x00000000) might be observed after system is solidified and rebooted.
810072
Issue: While running a 16-bit executable with Self-Approval enabled, file type is listing as script.
819876
Issue: A process does not work as an Updater when it is configured as an Updater through auth by checksum. Workaround: Configure the process as an Updater by name.
888634
Issue: Unclean uninstallation of Adobe Flash Player when pkg-ctrl-allow-uninstall is enabled. Workaround: Sadmin updaters add "C:\WINDOWS\system32\Macromed\Flash\FlashUtil32_11_6_602_180_ActiveX.exe".
888632
Issue: Repair of dot-net 3.5 fails. Workaround: Add the below updater rules:
Issue: Unable to install visual studio 2010 ultimate via updater.
887965
Issue: Uninstallation of applications is not blocked even if the pkg-ctrl-allow-uninstallation feature is disabled. Workaround: Run the sadmin clg command after each installation of application to block the uninstallation. This command clears out all cached GUIDs from the system.
888878
Issue: Multiple package control prevention events seen while uninstalling and repairing visual studio 2010. Workaround: Uninstall and repair are successful after adding "<install-dir>\Microsoft SDKs\Windows\v7.0A\Bin" to trusted path:
Issue: Unable to install Adobe Flash Player 11 when pkg-ctrl-bypass feature is enabled. Workaround: sadmin updaters add InstallAX_11_6_602_180.exe.
883381
Issue: Self-Approval pop-ups for a user session are shown on console session instead of user session. Workaround: Run following Solidcore commands from command line:
Issue: Application crashes when Solidcore DEP is enabled. Workaround: Run following Solidcore commands from command line to bypass the process that is crashing with Solidcore DEP:
Issue: On the Windows XP platform, NTFS junction points are supported only when junctions are created for volumes and not for folders.
701065
Issue: If you are using Application Control in the Enabled mode on the Windows XP SP1 operating system, virtual memory use increases for most processes. Workaround: Upgrade to Windows XP Service Pack 2.
793102
Issue: DLL rebasing does not work when complete path to DLL is specified.
809646
Issue: Self-Approval Pop Up might hang while running non-whitelist binaries from Desktop.
Windows 2003
Reference
Description
607361
Issue: On 64-bit systems, some Java-based applications might fail and the Event Viewer logs show that the javaw.exe process was hijacked. Workaround: Add javaw.exe to the attributes list with the -n option:
sadmin attr add -n javaw.exe
892432
Issue: Deny-Exec and Deny-Write events seen for .Net files via windows update on Windows 2003. Workaround: Add Netfxupdate.exe as an updater by name with inheritance enabled to successfully install windows update for .Net.
832241
Issue: This issue is intermittent, where a Non-Trusted user can execute an unsolidified bat file using runas CLI on Windows 2003 (x64). Workaround: Use the command:
sc config wuauserv type= own
Windows 2008 R2 [64-bit]
Reference
Description
608636
Issue: During manual installation of Solidcore Agent on the Windows 2008 R2 (64-bit) platform, the Windows installer encountered a validation error displays for the msiexec.exe and kernelbase.dll files. Workaround: Click Ignore once or Ignore always on the error pop-up to continue installation.
Windows 2008 [64-bit]
Reference
Description
609780
Issue: On the Windows 2008 (64-bit) platform, the rundll32.exe file crashes if an application is uninstalled by using Add/Remove Programs and the SetupInstallFromInfSection() function was initially used to install the application.
Windows 2008/Vista [32-bit and 64-bit], Windows XP/Windows 7/Windows 2008 R2 [64-bit]
Reference
Description
609757
Issue: In Enabled mode, if you try to access a folder with unsolidified files through File Explorer, deny-exec events are raised for the files in the folder.
Windows Vista
Reference
Description
607541
Issue: For Windows Vista and higher platforms, the Solidcore Agent configuration selects a service called Windows Modules Installer (TrustedInstaller.exe) as updater. This action is done to allow Windows Update to work properly. This service can both install and remove Windows components even if pkg-ctrl feature is enabled.
Critical: There are currently no known critical issues.
Non-critical:
Solidcore Clients (all OS) and Extension:
Reference
Article
Found in Version
Resolved in Version
Description
608618
Issue: When you try to upload the Windows Solidcore Agent Deployment Package (~100 MB) to ePO through Microsoft Internet Explorer, the file upload times out if the network upload speed is slow. Workaround: If an error displays in Internet Explorer 6, try using Internet Explorer 7 (or later). If the error occurs in Internet Explorer 7 or later, copy the package to a local directory on the ePO server. Access the ePO console on the ePO server and upload the file from the local path. Doing so avoids possible network delays.
605369
Issue: When Solidcore Agent installer is run by an agent installer with the /? argument, a series of unwanted dialog boxes appear due to a bug in the third-party packaging software. These dialog boxes can be ignored.
609311
Issue: Manual uninstallation of Solidcore Agent (deployed from ePO) fails on a client computer having McAfee Agent version 4.0 (or earlier). Workaround: Contact Technical Support for assistance in case manual uninstallation has already been tried.
Issue: Unsolidified scripts can't be copied using the MS-DOS command prompt on a solidified system. Any read access to unsolidified scripts by script interpreter configured for that script, is denied. This denial generates unauthorized execution events. Such problems can be avoided by performing file operation using Windows Explorer.
594596
594770
595290
Issue: Antivirus software applications generate logs when the Solidcore Agent is enabled. Workaround: Use appropriate applications as updaters.
594707
Issue: Roaming and Mandatory profiles with code files do not work properly. Copying files from Central store on domain controller to member server and back might fail.
594790
Issue: Solidcore Protection prevents updating of applications, such as Microsoft Office and Office tools after the initial installation. When executing the applications for the first time, McAfee recommends that you run these applications in the Update Mode.
596425
Issue: Print server logs errors on Runtime Control module systems with the Solidcore Agent active in the Enabled mode. Workaround: Add the printer share as a trusted share.
601158
Issue: The Runtime Control module uses MP-CASP as the default Memory Protection technique. If you want to enable MP-VASR, contact Technical Support.
607414
Issue: When script interpreters are added to memory protection bypass (casp or mangling-decoying), even after a script marked as an updater exits, the script interpreter’s updater privilege is not revoked.
608647
Issue: On 64-bit systems, multiple events might get generated when an unauthorized binary file is executed. The Windows operating system tries to run the binary multiple times by using a reducing set of attributes until final failure.
609632
Issue: After the initial scan task completes and the "MAC Initial Scan task is complete and McAfee Application Control is enforced on the system now" message displays, the system is said to be solidified.
608745
Issue: Files that are read-protected by the user (using 'sadmin read-protect' command) can't be solidified.
624015
Issue: If enabled on a 64-bit computer, the memory protection feature prevents the installation of ActiveX. Workaround: From the ePO console, complete the following steps to add the Internet Explorer executable (iexplore.exe) to the memory protection bypass list.
Log on to the ePO 4.x console.
Click Menu, Policy, Policy Catalog.
Select the Solidcore 5.1.0 General entry from the Product drop-down.
Select Exception Rules (Windows).
Click Duplicate for the McAfee Default policy, specify the policy name, and click OK.
Click the created policy and click Add.
Enter iexplore.exe as the file name, select Bypassed from Memory Control, and click OK.
Click Save.
Apply the policy to the appropriate endpoints.
From the endpoint, run ActiveX after adding the Internet Explorer executable (iexplore.exe) to the memory protection bypass list. Use the following command to add the executable to the bypass list.
sadmin attr add -n iexplore.exe
643688
Issue: If you try an ActiveX installation before you enable the ActiveX feature, and retry the installation after you enable the ActiveX feature, the ActiveX might not install properly. Workaround: If the ActiveX installation fails, delete all files in the <system drive>\windows\downloaded program files directory on the endpoint, remove all .cab files in the temporary internet files. Now, install the ActiveX control on the endpoint.
602194
Issue: The package control feature is not able to stop the installation of some applications, such as Gvim and Winrar.
602929
Issue: If a package-based installer is executed before the package control feature can detect the package change, the deny-exec feature might prevent the execution of the installer.
607014
Issue: Adding a script as an updater twice (once on its own and again with its parent) might lead to ambiguous behavior.
616147
Issue: For standalone Solidcore Agent installation on endpoints where Oracle is installed, finetune.bat must be run manually at the endpoints to apply Oracle-specific rules. (A standalone Solidcore Agent installation means one not done via ePO.)
595067
Issue: The system might hang while installing the security hotfix WindowsXP-KB884020-x86-enu.exe. Workaround: Disable the Solidcore Agent before installing this hotfix.
598286
Issue: System hangs after installing Citrix MetaFrameXP with feature release 3.0. Workaround: Add csrss.exe to bypass list.
599348
Issue: On viewing the properties of a file on the local drive, deny-write and deny-exec events are generated for the solidified and unsolidified files, respectively.
601126
Issue: When copying solidified files to a rewritable CD, although the files are copied successfully deny-write errors are logged.
601427
Issue: On 64-bit platforms, Enum or Performance in sub keys is bypassed from Solidcore Agent protection. Thus, when you delete a write-protected registry key with Enum or Performance in sub keys, you might get a partial completion status.
609812
Issue: For an ePO managed endpoint with a valid Application Control license for which the Initial Scan was deferred and that has many executable files installed, the Initial Scan client task after a reboot completes successfully. But, the system remains in Update mode for some time before going to Enabled mode. During this time, sending another client task to the endpoint might fail.
610206
Issue: The pop-up message regarding the completion of Initial Scan client task sent from ePO does not display on remote desktop sessions.
616089
Issue: In the output of sadmin diag command on the Spanish locale, read 'actualizadores agregar' as 'updaters add'.
For example, in the following output:
Issue: Multiple deny write events might get generated for a single deny write action. Example: On deletion of a file using Windows Explorer, up to 8 file deletion events are reported. The reason is that when the application denies deletion of a file, Windows Explorer tries multiple other methods to delete the file, which results in the generation of an event for each attempt.
724600
Issue: ActiveX alerts are not generated on 64-bit Windows systems. Workaround: Complete these steps if you are using the ePO console:
Log on to the ePO 4.x console.
Click Menu, Policy, Policy Catalog.
Select the Solidcore 6.0 General entry from the Product drop-down.
Select Exception Rules (Windows).
Click Duplicate for the McAfee Default policy, specify the policy name, and click OK.
Open the created policy and click Add.
Enter iexplore.exe as the file name, select Bypassed from Memory Control, and click OK.
Click Add.
Enter ieinstal.exe as the file name, select Bypassed from Memory Control, and click OK.
Click Save.
Apply the policy to the endpoints.
Complete these steps from the endpoint if you are using the product in Standalone mode.
Execute the following commands to define the required memory-protection bypass rules.
Issue: After you uninstall the Solidcore client from the Windows (64-bit) operating system, the Solidcore folder (c:\program files(x86)\solidcore) and Registry link (HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates) remain on the endpoint.
695246
Issue: Although the Solidcore NX protection is based on system DEP, it is possible that some applications work with system DEP but not with Solidcore NX. In such cases, if processes are added to Solidcore NX bypass list, the system DEP protection is enabled for the processes.
720663
Issue: Editing the Updater Label for an existing trusted publisher in an Application Control policy fails. Although the label changes on the ePO console, the change is not reflected on the endpoints.
723624
Issue: Execution Denied events might be generated for some DLL files with searchprotocolhost.exe as the process name. These events have no function impact. Workaround: If many events are generated, create an AEF rule to prune the events.
725204
Issue: For 6.0 release, the Yahoo, Adobe Acrobat, CuteFTP, and WinZip rule groups have been removed from the default Application Control policy because of their security implications. Also, when you upgrade, these rule groups are removed from the default policies. If needed, you need to add these rule groups to policies manually.
702580
Issue: For Application Control-related internal files (such as finetune.bat and gatherinfo.bat), version details including binary version, vendor, application name, and application version are not available.
713989
Issue: If Application Control and Spector are installed on an endpoint and MP-CASP is enabled, Internet Explorer crashes.
685124
Issue: If you are running VirusScan Enterprise (VSE) 8.8 with the Access Protection Level set to Maximum on an endpoint, you can't deploy Solidcore on the endpoint.
652602
Issue: If you disable the deny-exec-exes feature on any Windows (64-bit) operating system, change extension of an exe to .sys, and try to run the .sys file, execution of the .sys file is prevented. You can change the file extension to dll and run the file even if the deny-exec-dlls feature is enabled as well.
713011
Issue: Observations are erroneously generated for 64-bit binary files that are not supported on 32-bit platforms.
607574
Issue: On opening a network share (for systems running Windows Vista, Windows 7, Windows 2008), deny-write and deny-exec events are generated for the binary files present on the network share. The events are generated because Windows Explorer tries to fetch the icons for the files stored on the network share.
726020
Issue: If you upgrade from an older release to the 6.0 release and use a command added or changed in the 6.0 release without restarting the endpoint, you might receive a Msg not found error. Workaround: Restart the endpoint to make sure that all commands added or changed in the 6.0 release work correctly.
608868
Issue: On the Windows 2008, Windows 7, and Windows Vista operating systems, you might receive the "An unauthorized change made to the Windows" error. Workaround: Disable the MP-CASP feature.
768708
Issue: Unable to set flag fs-passthru 'p' and flag vasr forced reloc 'v' together with extra info flag 'o' in the attr command.
770362
Issue: Unable to set more than one dll to bypass from VASR forced reloc.
770524
Issue: Scormcpl.dll displays an older version in inventory after it is upgraded.
794445
Issue: Copying solidified batch files by using another batch file fails.
803731
Issue: With network tracking disabled, Self-Approval function does not work for network shares.
803948
Issue: Deny-Exec on Script file is reported if Network tracking is disabled on 64-bit architecture.
808857
Issue: Self-Approval pop-up shows up if files are opened with execute flag even if file is not executed.
808964
Issue: Auth rule for a process making file changes does not get added correctly if allowed through Self-Approval.
812964
Issue: If updater flag for a certificate rule is removed, certificate is still listed as updater on endpoint.
816108
Issue: A file, authorized by checksum, is denied for execution when run from network share.
656298
Issue: Upgrade via hotfix build might fail in Update Mode when run through Product Update Task.
603318
Issue: Crash with bug check 0x00000050 (0xFFB4B000, 0x00000000, 0x80463723, 0x00000000) might be observed after system is solidified and rebooted.
810072
Issue: While running a 16-bit executable with Self-Approval enabled, file type is listing as script.
819876
Issue: A process does not work as an Updater when it is configured as an Updater through auth by checksum. Workaround: Configure the process as an Updater by name.
888634
Issue: Unclean uninstallation of Adobe Flash Player when pkg-ctrl-allow-uninstall is enabled. Workaround: Sadmin updaters add "C:\WINDOWS\system32\Macromed\Flash\FlashUtil32_11_6_602_180_ActiveX.exe".
888632
Issue: Repair of dot-net 3.5 fails. Workaround: Add the below updater rules:
Issue: Unable to install visual studio 2010 ultimate via updater.
887965
Issue: Uninstallation of applications is not blocked even if the pkg-ctrl-allow-uninstallation feature is disabled. Workaround: Run the sadmin clg command after each installation of application to block the uninstallation. This command clears out all cached GUIDs from the system.
888878
Issue: Multiple package control prevention events seen while uninstalling and repairing visual studio 2010. Workaround: Uninstall and repair are successful after adding "<install-dir>\Microsoft SDKs\Windows\v7.0A\Bin" to trusted path:
Issue: Unable to install Adobe Flash Player 11 when pkg-ctrl-bypass feature is enabled. Workaround: sadmin updaters add InstallAX_11_6_602_180.exe.
883381
Issue: Self-Approval pop-ups for a user session are shown on console session instead of user session. Workaround: Run following Solidcore commands from command line:
Issue: Application crashes when Solidcore DEP is enabled. Workaround: Run following Solidcore commands from command line to bypass the process that is crashing with Solidcore DEP:
Issue: 1208 error when trying to install Solidcore. Solution: Change the ANSI code page you are currently using through the Windows Regional and Language options. See the Microsoft documentation for instructions for your version of Windows.
Issue: On the Windows XP platform, NTFS junction points are supported only when junctions are created for volumes and not for folders.
701065
Issue: If you are using Application Control in the Enabled mode on the Windows XP SP1 operating system, virtual memory use increases for most processes. Workaround: Upgrade to Windows XP Service Pack 2.
793102
Issue: DLL rebasing does not work when the complete path to the DLL is specified.
809646
Issue: The Self-Approval pop-up might hang while running non-whitelisted binaries from the Desktop.
Windows 2003
Reference
Description
607361
Issue: On 64-bit systems, some Java-based applications might fail and the Event Viewer logs show that the javaw.exe process was hijacked. Workaround: Add javaw.exe to the attributes list with the -n option:
sadmin attr add -n javaw.exe
892432
Issue: Deny-Exec and Deny-Write events are seen for .NET files via Windows Update on Windows 2003. Workaround: Add Netfxupdate.exe as an updater by name with inheritance enabled to successfully install the Windows update for .NET.
832241
Issue: Intermittently, a non-trusted user can execute an unsolidified bat file using the runas CLI on Windows 2003 (x64). Workaround: Use the command:
sc config wuauserv type= own
Windows 2008 R2 [64-bit]
Reference
Description
608636
Issue: During manual installation of Solidcore Agent on the Windows 2008 R2 (64-bit) platform, the "Windows installer encountered a validation error" message displays for the msiexec.exe and kernelbase.dll files. Workaround: Click Ignore once or Ignore always on the error pop-up to continue installation.
Windows 2008 [64-bit]
Reference
Description
609780
Issue: On the Windows 2008 (64-bit) platform, the rundll32.exe file crashes if an application is uninstalled with Add/Remove Programs, but was initially installed with the SetupInstallFromInfSection() function.
Windows 2008/Vista [32-bit and 64-bit], Windows XP/Windows 7/Windows 2008 R2 [64-bit]
Reference
Description
609757
Issue: In Enabled mode, if you try to access a folder with unsolidified files through File Explorer, deny-exec events are raised for the files in the folder.
Windows Vista
Reference
Description
607541
Issue: For Windows Vista and higher platforms, the Solidcore Agent configuration selects a service called Windows Modules Installer (TrustedInstaller.exe) as an updater. This is done to allow Windows Update to work properly. This service can both install and remove Windows components even if the pkg-ctrl feature is enabled.