Loading...

Knowledge Center


Application Control 6.x Known Issues
Technical Articles ID:   KB84047
Last Modified:  9/12/2019
Rated:


Environment

McAfee Application Control (MAC) 6.x

Summary

Recent updates to this article
Date Update
September 12, 2019 Formatting changes. No content updates.
August 13, 2019 Added Application Control 6.3.0-794 release information and known issues.
Updated release notes to known issues with KBs already created in system.
July 8, 2019 Changed (corrected) Application Control version release number from 6.3.0-714 to 6.3.0-724 and updated known issues.
July 2, 2019 Updated Application Control 6.3.0-714 release information.
June 20, 2019 Added Application Control 6.3.0-714 known issues and release information.

To receive email notification when this article is updated, click Subscribe on the right side of the page. You must be logged on to subscribe.


Contents
Click to expand the section you want to view:

Version General Availability (GA) Release Notes
6.3.0-794 August 13, 2019 PD28450
6.3.0-724 (Linux only) July 2, 2019 PD28392
6.3.0-503 (Linux only) April 9, 2019 PD28310
6.3.0-418 (Linux only) March 12, 2019 PD28266
6.3.0-299 (Linux only) February 12, 2019 PD28213
6.3.0-242 (Linux only) January 8, 2019 PD28165
6.3.0-180 (Linux only) November 13, 2018 PD28094
6.3.0 (Linux only) October 9, 2018 PD28051
6.2.0 April 9, 2015 PD25626
6.1.7 (Linux only) April 7, 2015 PD25891
6.1.4 (Linux/UNIX only) June 16, 2014 PD25243
6.1.3 April 16, 2014 PD25160
6.1.2 December 24, 2013 PD24893
6.1.1 August 30, 2013 PD24584
6.1.0 February 12, 2013 PD24180

Issue resolutions in updates and major releases are cumulative; Technical Support recommends that you install the latest version. To find the most recent release for your product, visit the Product Downloads site at http://www.mcafee.com/us/downloads/downloads.aspx.
Critical: There are currently no known critical issues.

Non-critical: 

Linux:
Reference Article Found in Version Resolved in Version Description
1255502   6.3.0-134 6.3.0-242 Issue: After you run load.java tool, the "/home" file system becomes "Untrusted".
Workaround: Restart the Solidcore service.
1260084   6.3.0-180 6.3.0-242 Issue: An error message is encountered when installing MACC 6.3.0.180 in standalone mode in a CentOS 7 environment.
1261348   6.3.0-180   Issue: Execution denied events for a script are duplicated on solidcore.log.
1263206   6.3.0-242 6.3.0-299 Issue: After upgrading from 6.3.0-180, a permission denied message is shown for /usr/bin/xauth.
Workaround:
  1. Edit the /etc/mcafee/solidcore/solidcore.conf file, set RTEModeOnReboot = 0x0, and reboot the system.
  2. After restart, run the command sadmin check -r or sadmin so.
  3. After check or so finishes, run sadmin enable and restart the service.
1263207   6.3.0-242   Issue: After upgrading from 6.3.0-180, ssh service cannot be restarted.
Workaround:
  1. Edit the /etc/mcafee/solidcore/solidcore.conf file, set RTEModeOnReboot = 0x0, and reboot the system.
  2. After restart, run the command sadmin check -r or sadmin so.
  3. After check or so finishes, run sadmin enable and restart the service.
1263208   6.3.0-242 6.3.0-299 Issue: After upgrading from 6.3.0-180, sadmin check is failing on LUBT12 (AMD64 and x86).
Workaround:
  1. Edit the /etc/mcafee/solidcore/solidcore.conf file, set RTEModeOnReboot = 0x0, and reboot the system.
  2. After restart, run the command sadmin check -r or sadmin so.
  3. After check or so finishes, run sadmin enable and restart the service.
1263552   6.3.0-242   Issue: Error in locking authority file in Ubuntu 16.
1263553   6.3.0-242   Issue: [Exploratory] Warning message shown when successfully removing attr rule.
1263554   6.3.0-242   Issue: [Exploratory] After disabling the script-auth feature, the scripts are still solidifiable.
1263555   6.3.0-242 6.3.0-418 Issue: [Exploratory] Dash interpreter from Ubuntu is not included on the scripts default list.
1265307   6.3.0-299 6.3.0-418 Issue: Kernel loops in LUBT 14 kernel 4.2.
1265315   6.3.0-299   Issue: Partition /boot is not solidified after you enable with a MACC license from ePO on some Ubuntu 14.04 endpoints.
1265382   6.3.0-299   Issue: MACC LNX in OL7 remains in disable.
1266298   6.3.0-299   Issue: [Exploratory] Write denied observations are not generated when deleting solidified file in Observe Mode.
1266299   6.3.0-299   Issue: [Exploratory] Log errors in Observe Mode for write denied events.
1266502   6.3.0-299   Issue: Bad behavior in enablement from ePO in Oracle 7.
1268052   6.3.0-418   Issue: No message is shown on the command line when restarting scsrvc service in Ubuntu 16.
1268065   6.3.0-418   Issue: Sadmin check command fails after removing an interpreter and extension from script auth list in Ubuntu 12.
1269359   6.3.0-503   Issue: Warning message logged in /tmp/solidcoreS3_uninstall.log after solidcore uninstallation.
1269365   6.3.0-503 6.3.0-724 Issue: Dpkg preinstallation script logs an error after installation with build 6.3.0-503.
1273558   6.3.0-607   Issue: When build target tool fails, some files are not removed from the system.
Workaround: Remove the files manually.
1273659   6.3.0-671   Issue: XFS with kernel 4.10 and above is not supported.
Workaround: Technical Support does not recommend that you use MACC 6.3.0 on Red Hat Enterprise Linux Server 8 systems if you have kernel version 4.18 or higher and XFS. The recommended filesystem to use is EXT4. See KB73341 for supported EXT versions.

For systems that experience this issue with SUSE Enterprise Linux Server 12 or SUSE Enterprise Linux Desktop 12 with kernel 4.10 or higher installed and MACC with XFS in Update mode in use, you can:
  1. Restart the system with a kernel version lower than 4.10 (see KB90947 for supported kernel versions).
  2. Once the system starts, leave update mode by executing “sadmin eu”.
  3. Restart system again with kernel version higher than 4.10.
1274416   6.3.0-702   Issue: "orig_user_name" is not correctly reported in events.
MACC-6863   6.3.0-724   Issue: Build target fails to build kernel module in RHEL8.
MACC-7077   6.3.0-724   Issue: Self kernel support tool does not work for OL7 UEKR5 unsupported UEK kernel.
MACC-7216   6.3.0-794   Issue: User cannot be created when MACC is in update mode on RHEL8 with SSSD version 2.0.0-43 installed.
MACC-7240   6.3.0-794   Issue: After you upgrade from MACC for Linux 6.3.0-724 to 6.3.0-794, attempts to uninstall 6.3.0-794 fail in LEL6 32-bit.
Workaround: Perform the following steps:
  1. Run ""/opt/bitrock/solidcoreS3-6.3.0-724/helperBinaryUninstall""
  2. Run ""rpm -e solidcoreS3-6.3.0-794.i386 --noscripts""
  3. Run ""rpm -e solidcoreS3-kmod-6.3.0-794.i386 --noscripts""
Critical: There are currently no known critical issues.

Non-critical: 

Solidcore Extension: 
Reference Article Found in Version Resolved in Version Description
608618       Issue: When you try to upload the Windows Solidcore Agent Deployment Package (~100 MB) to ePO through Microsoft Internet Explorer, the file upload times out if the network upload speed is slow. 
Workaround: If an error displays in Internet Explorer 6, try using Internet Explorer 7 (or later). If the error occurs in Internet Explorer 7 or later, copy the package to a local directory on the ePO server. Access the ePO console on the ePO server and upload the file from the local path. Doing so avoids possible network delays.
607452       Issue: ePO 4.6 reports and dashboard entries are not removed after the Solidcore Extension is uninstalled.
Workaround: If you are uninstalling and reinstalling the Solidcore Extension, remove the reports and dashboards manually after uninstalling, and before reinstalling.
607517       Issue: PDF reports have minor data display and formatting issues if more than 50,000 records are reported.
608347       Issue: The Solidcore Policy Assignments By System report displays all policies derived from the root, irrespective of the SKUs enabled on the platform.
609304       Issue: It is not possible to export data from the ReportingSolidcore Events page. 
Workaround: Use Queries (ReportingQueries) to export event data.
636769       Issue: If you upgrade from ePO 5.1.0 to 5.1.1 (or later), existing Solidcore events in the Solidcore Events table are not migrated to the ePO Events table.
636352       Issue: After removing the Solidcore Extension, all Solidcore-related events are retained in the ePO table. When you view the events in the Threat Event Log, some fields might display garbage data.
607554       Issue: Solidcore policies cannot be duplicated by using the Policy Details page because the OK button is disabled.
Workaround: Use the Policy Catalog page to duplicate policies.
643854       Issue: When using the Guided Configuration page on the ePO 4.6 console, the Save Policy button is not enabled when changes are made to Solidcore Policies. 
Workaround: Edit the policy by using the Policy Catalog without using Guided Configuration.
608374       Issue: When trying to enable an already enabled Solidcore Agent, the error displayed is not translated.
607908       Issue: It is not possible to export more than 50,000 records from any table or report.
608025       Issue: Reports, tasks, and policies for all SKUs are listed even if the license for that SKU is not added.
609911       Issue: Export of rule groups does not work in Internet Explorer when opened from the ePO server.
Workaround: Use Internet Explorer from a different computer and export rule groups.
610303       Issue: The Server Task pages in ePO might not work properly if you are using Mozilla Firefox version 3.0.
Workaround: If you encounter issues, Technical Support recommends that you use Mozilla Firefox version 3.6 (or later) or Internet Explorer 6.0 (or later).
608753       Issue: Sometimes, using the user name field of reported events in ePO as a trusted user might not work if the client system is part of an AD domain. This issue occurs because the domain name reported in the events is not the full AD domain. 
Workaround: Use the environment variable USERDNSDOMAIN of the AD client as the domain name. Or, review the properties of the My Computer icon and identify the complete user name to specify as the trusted user.
609220       Issue: Saving an Application Control policy that is a copy of the McAfee Default policy is slow.
Workaround: Because Application Control policies are multi-slot policies, Technical Support recommends that you create a new blank policy and add new rules to it. Follow this method rather than copying and changing the McAfee Default policy.
656518       Issue: If you install Solidcore Extension 5.1.2 on an existing ePO 4.5 system and then upgrade to ePO version 4.6 FIPS mode, the event parser stops working.
Workaround: Run the following command and upgrade the required DLL: https: //<ePO_IP_address: port>/remote/scor.upgradeEventParser.do
607950       Issue: User-defined system variables in policies are resolved at the endpoint only after the endpoint is restarted.
707486       Issue: When using the ePO 4.6 console, navigating quickly through the Events and Inventory pages logs off the user.
714176       Issue: With ePO 4.6 Update 1 or Update 2, if you add multiple commands to a Run Commands client task while you create the task, you cannot later remove the commands from the saved client task.
719796      
Issue: Global catalog search for Active Directory (AD) groups is not supported.
Workaround: Search for a group in a specific AD server instead of using the Global Catalog.

To add a specific group:
  1. Log on to the ePO 4.x console.
  2. Add the AD server with the group as a Registered Server.
  3. Search for the group by selecting the registered AD server. Make sure that the option Use Global Catalog is deselected.
  4. Add the group to a policy as a trusted group.
722045       Issue: Adding new columns, such as Solidcore Status and Solidification Status, for an endpoint by clicking ActionsChoose columnsNon Compliant Solidcore Agent might not display values for all endpoints. This issue occurs because the Non Compliant Solidcore Agent section includes only noncompliant agent properties.
Workaround: When adding new columns for an endpoint: Click ActionsChoose columnsSolidcore Client Properties instead of Actions, Choose columns, Non Compliant Solidcore Agent.
812003       Issue: The Self Approval page displays a link for .MSI based applications, which displays an empty list when drilling down.
890978       Issue: The GTI cloud server entry is not removed from ePO after the Solidcore Extension is uninstalled.
926122       Issue: File Deviation details are missing in an exported file from the Image Deviation page.
950063       Issue: A few Strings are not properly localized in languages other than English.
1033281       Issue: Upgrade to Solidcore Extension 6.2.0 might fail immediately after extension restart while performing an upgrade from a version older than 6.1.2.
985336       Issue: The event pages in ePO might not work properly if you are using Mozilla Firefox version 3.5.
Workaround: If you encounter issues, Technical Support recommends that you use Mozilla Firefox version 3.6 (or later) or Internet Explorer 6.0 (or later).
939528       Issue: Systems with a large inventory fail to send inventory data to the ePO server and a corresponding log entry is made in the Server Task Log after 6 hours.
987715       Issue: For the Application Control Options (Windows) policy, an import of a policy from Extensions earlier than 6.2.0 causes the Inventory AEF tab to populate with its default value. Default values are not saved in the policy until you make some change and save the policy.
1043052       Issue: You cannot upgrade Solidcore help extension from previous versions to 6.2.
Workaround: Uninstall the old help extension and install the new one.
1050955       Issue: With ePO 5.x, GTI communication using Kerberos authentication fails when using a proxy server.
  KB84651 6.x, 7.x 8.x Issue: Upgrading the extension for Application Control 6.2.0 and later takes a long time to complete
Solution: See KB on how to troubleshoot issue.
  KB89430 All Versions Will not Fix Issue: Application Control events are reported back to the ePO server from a client that only has Change Control enabled
 
  KB89430 All versions   Issue: Skiplist exclusion filters with asterisk in the path cannot be saved
915885 KB81304 All Versions   Issue: Application Control endpoint inventory parsing might cause the SCOR_DATA_CHANNEL table to grow quickly in the ePolicy Orchestrator database
  KB84339 6.x   Issue: Failed server task "Fetch Binary Details from Application Control GTI Cloud Server"
  KB87461 6.x   Issue: You see inconsistent results after you add Application Control related columns to the System Tree,Threat Event pages, or both
1186364 KB89430 6.x   Issue: Application Control events are reported back to the ePO server from a client that only has Change Control enabled


Back to top

Windows (all versions)
 
Reference Article Found in Version Resolved in Version Description
  KB88091 6.2.x   Issue: The following Windows error event occurs when a new USB disk is connected to a solidfied client:
McAfee Solidifier prevented an attempt to modify file C:\windows\system32\drivers\USBSTOR.SYS
Solution:  sadmin updaters add -t DrvInst1 -p svchost.exe drvinst.exe
  KB86758     Issue: Application Control denies the execution of .zip files when run in context of Java process such as java.exe or javaw.exe.
Workaround: See the Knowledge Base article for details.
801531       Issue: If Driver Verifier (verifier.exe) is enabled, MACC might not function as expected.
608418       Issue: The Original Username reported in events is the same as the Username.
600805       Issue: While opening a write-protected network share in Windows File Explorer, a few deny-write errors are observed.
603747       Issue: The trusted, solidified, and write-protect features do not work correctly for folder-mounted volumes.
Workaround: Contact Technical Support for assistance if the setup uses folder-mounted volumes.
608036       Issue: Mapped drive names cannot be used in commands issued by remote users/ePO.

595570
595025
595511
595615
597243
598406
595043
607434
607899
611229

      Issue: The following applications are incompatible with the Solidcore Agent for Windows. Contact Technical Support for further assistance.
  • Panda Titanium antivirus 2005
  • Spyware Doctor
  • BlackIce
  • Trojan Hunter
  • BitDefender
  • BufferZone
  • Twister Anti-Trojan Virus 2005
  • Trend Micro OfficeScan 8.0, Trend Micro antivirus 2008
  • Double-Take
  • Cisco Security Agent

594579

      Issue: Unsolidified scripts cannot be copied using the MS-DOS command prompt on a solidified system. Any read access to unsolidified scripts by a script interpreter configured for that script is denied. It also generates unauthorized execution events. Such problems can be avoided by performing the file operation using Windows Explorer.
608647       Issue: On 64-bit systems, multiple events might be generated when an unauthorized binary file is executed. The events are generated because the Windows operating system tries to run the binary multiple times using a reduced set of attributes until final failure.
608745       Issue: Files that are read-protected by the user (using the 'sadmin read-protect' command) cannot be solidified.

643688

      Issue: If you try an ActiveX installation before you enable the ActiveX feature, and retry the installation after you enable the ActiveX feature, ActiveX might not install properly.
Workaround: If the ActiveX installation fails, delete all files in the <system drive>\windows\downloaded program files directory on the endpoint, and remove all .cab files in the temporary Internet files. Then, install the ActiveX control on the endpoint.
616147       Issue: For standalone Solidcore Agent installation on endpoints where Oracle is installed, you must run finetune.bat manually at the endpoints to apply Oracle-specific rules. (A standalone Solidcore Agent installation means one not done via ePO.)
599348       Issue: On viewing the properties of a file on the local drive, deny-write and deny-exec events are generated for the solidified and unsolidified files, respectively.
601126       Issue: When you copy solidified files to a rewritable CD, although the files are copied successfully, deny-write errors are logged.
601427       Issue: On 64-bit platforms, Enum or Performance in sub keys is bypassed from Solidcore Agent protection. Thus, when you delete a write-protected registry key with Enum or Performance in sub keys, you might get a partial completion status.
616089       Issue: In the output of the sadmin diag command on the Spanish locale, read 'actualizadores agregar' as 'updaters add'.
For example, the following output:

* actualizadores agregar -t DIAG: cmd.exe -p explorer.exe ""cmd.exe""

Should be read as:

* updaters add -t DIAG: cmd.exe -p explorer.exe ""cmd.exe""

600748       Issue: Multiple deny write events might be generated for a single deny write action. For example, on deletion of a file using Windows Explorer, up to 8 file deletion events are reported. When the application denies deletion of a file, Windows Explorer tries multiple methods to delete the file, resulting in an event for each attempt.
695246       Issue: Although the Solidcore NX protection is based on system DEP, it is possible that some applications work with system DEP but not with Solidcore NX. In such cases, if processes are added to the Solidcore NX bypass list, the system DEP protection is enabled for the processes.
720663       Issue: Editing the Updater Label for an existing trusted publisher in an Application Control policy fails. Although the label changes in the ePO console, the change is not reflected on the endpoints.
713989       Issue: If Application Control and Spector are installed on an endpoint and MP-CASP is enabled, Internet Explorer crashes.
652602       Issue: If you disable the deny-exec-exes feature on any Windows (64-bit) operating system, change the extension of an exe to .sys, and try to run the .sys file, execution of the .sys file is prevented. If you change the file extension to dll, you can run the file even if the deny-exex-dlls feature is enabled.
607574       Issue: On opening a network share (for systems running Windows Vista, Windows 7, and Windows 2008), deny-write and deny-exec events are generated for the binary files present on the network share. These events are generated because Windows Explorer tries to fetch the icons for the files stored on the network share.
768708       Issue: You are unable to set the flag fs-passthru 'p' and the flag vasr forced reloc 'v' together with the extra information flag 'o' in the attr command.
770362       Issue: You are unable to set more than one dll to bypass from VASR forced reloc.
794445       Issue: Solidified batch files, when copied using another batch file, fail.
803731       Issue: With network tracking disabled, Self Approval functionality does not work for network shares.
803948       Issue: Deny-Exec on a Script file is reported if Network tracking is disabled on a 64-bit architecture.
808857       Issue: A Self Approval pop-up displays if a file is opened with the execute flag even if the file is not executed.
808964       Issue: An Auth rule for a process making file changes does not get added correctly if allowed through Self Approval.
812964       Issue: If you remove the Updater flag for a certificate rule, the certificate is still listed as an Updater on the endpoint.
816108       Issue: A file, authorized by checksum, is denied for execution when run from a network share.
810072       Issue: While running a 16-bit executable with Self Approval enabled, the file type is listing as script.
819876       Issue: A process that does not work as an Updater is configured as an Updater through auth by checksum.
Workaround: Configure the process as an Updater by name.

888634

      Issue: An unclean uninstallation of Adobe Flash Player occurs when pkg-ctrl-allow-uninstall is enabled.
Workaround: sadmin updaters add "C: \WINDOWS\system32\Macromed\Flash\FlashUtil32_11_6_602_180_ActiveX.exe".

888632

      Issue: A repair of .NET 3.5 fails.
Workaround: Add the below Updater rules:
  • C: \WINDOWS\system32\msiexec.exe 
  • C: \WINDOWS\syswow64\msiexec.exe 

885091

 KB78642     Issue: You are unable to install Visual Studio 2010 Ultimate via Updater.
Workaround: See the Knowledge Base article for details.

887965

      Issue: Uninstallation of applications is not blocked even if the pkg-ctrl-allow-uninstallation feature is disabled.
Workaround: Run the sadmin clg command after each installation of an application to block the uninstallation. This command removes all cached GUIDs from the system. 

888878

      Issue: Multiple package control prevention events are seen while uninstalling and repairing Visual Studio 2010.
Workaround: Add "<install-dir>\Microsoft SDKs\Windows\v7.0A\Bin" to trusted path: "sadmin trusted -u "<install-dir>\Microsoft SDKs\Windows\v7.0A\Bin".

884396

      Issue: You are unable to install Adobe Flash Player 11 when the pkg-ctrl-bypass feature is enabled.
Workaround: sadmin updaters add InstallAX_11_6_602_180.exe.

883381

      Issue: Self Approval pop-ups for a user session are displayed on a console session instead of a user session.
Workaround: Run the following Solidcore commands from the command line:

sc config AeLookupSvc type= own
sadmin updaters add –l aelupsvc.dll svchost.ex

915562

 KB79517 6.x 7.x Issue: McAfee Solidifer upgrade from 6.1.1 to 6.1.2 fails in Observe mode.
Workaround: See the Knowledge Base article for details.

910080

      Issue: Package Control, if an application has ctor.dll in its uninstall string, another application using ctor.dll is not installed when pkg-ctrl-allow-uninstall is disabled.
Workaround: As a workaround for mode 1 of package control, the user can make the ctor.dll an Updater using the complete path (for example, C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\ctor.dll). For Package Control modes, see PD24669.

916640

      Issue: Deny Execution is not skipped for a drive after you remove the skiplist -v flag without a reboot.
Workaround: A reboot is required to make it work.

910485

 KB79658     Issue: Package Control uninstallation of an application fails using Add/Remove Programs if an application is installed for a particular user.
Workaround: See the Knowledge Base article for details.

901147


    Issue: Installer (Auto-IT), first shown as script type, after copying to some other location, is showing as pe32-exe.

911678

      Issue: Package Control is unable to repair Visual Studio 2010 Ultimate if installed in Update mode.

903914

      Issue: File Write Denied events are seen when some exe, marked as an Updater, are run by double-clicking them.

919300

      Issue: A Trusted Path operation fails if the operation is performed on a local share mounted as a network share locally.

920568

 KB79987 6.x 8.x Issue: The upgrade version is not updated on the ePO server and the McTray About box after an endpoint upgrade.
Workaround: See the Knowledge Base article for details.

940286

      Issue: A Pkg-modification-prevented event is raised during a MAC upgrade.

948349

      Issue: Multiple deny-write events for a Self Approval pop-up for putty.exe are recorded when execution is done after downloading the file from the Internet.
940085  KB73484     Issue: There is a known incompatibility between McAfee Application Control and SafeNet ProtectFile: File Encryption and Protection software.
953257       Issue: Script files can execute from the unsolidified drive on the system.
1020973      
Issue: Adobe32 stops working with MPCompat.
Workaround: To resolve this issue, use one of the following workarounds:
  • (Recommended) Disable VSE BOP or put adobe32 in the escape list of VSE BOP.
  • Disable MP CASP and MP VASR for Adobe32.
  • Disable Adobe32 protection mode.

1027687

 KB84043 6.x   Issue: Upgrade to Application Control or Change Control 6.2 fails for endpoints.
Workaround: See the Knowledge Base article for details.

988624

 KB84044     Issue: Application Control inventory generation can take longer than 24 hours to resume after reaching the throttling threshold limit.
Workaround: See the Knowledge Base article for details.

1026279

 KB84045 All Versions   Issue: Another rule is required to run Perl with Application Control.
Workaround: See the Knowledge Base article for details.

1017933

 KB84046     Issue: You are unable to apply an Application Control policy with a trusted path that contains an environment variable.
Workaround: See the Knowledge Base article for details.
1045414       Issue: In the system Event Viewer logs, a "Microsoft-Windows-Kernel-General" error message is logged while writing to the registry during start.
  KB86141 All versions   Issue: McAfee has identified an incompatibility between MACC and McAfee products that use Syscore 15.4.0.622.9 or later.
Solution: See KB for versions with Conflict.

 
  KB85849 6.2.x, 6.1.x 6.2.2.105 Issue: The Windows kernel paged pool is consumed by a growing inventory file size and, when the kernel paged pool is depleted, one of the following issues is observed:
  • System crash
  • System hangs
  • Application failure
  • Low memory condition
NOTE: These issues occur on 32-bit systems where kernel pool resources are scarce and might run out quickly.

Solution:
As mentioned above, this issue can occur when many files are added to the inventory. To resolve the issue:
In Disable mode, delete the file <drive>\solidcore\scinv from all drives.
Resolidify the system:
  • For standalone deployments, start Solidification and switch to Observe mode or Enable mode.
  • For ePO managed deployments, run the SC: Enable task.
  KB90849 All versions Will Not Fix Issue: Modification of the edb.log file results in the following being recorded in the s3diag.log file and the Solidcore.log file
Solution: MACC is working as intended and this behavior is considered to be normal.
Workaround:
The following workaround is provided to help with whitelisting the edb.log file and stop the events from being generated:Log on to the ePO Console.
  1. Open an existing Solidcore Rule Group or create a new rule group specifically for Application Control.
  2. Edit the existing or new rule group.
  3. Select the Exclusions tab and click Add.
  4. Expand Advanced options.
  5. Enable Exclude local path and all its contained files and subdirectories from the whitelist.
  6. Enter "C:\Windows\security\database\edb.log" for the path.
  7. Save the rule group.
  8. Perform a Wake Up Call to all agents and push the new rule to clients.
  KB87648 6.x and 7.x   Issue: The following error appears in the Orion.log file when you try to purge Application and Change Control events from the ePO database:
 
 The DELETE statement conflicted with the REFERENCE constraint "SCOR_EVENTS_EPO_EVENTS".
 The conflict occurred in database "", table "dbo.SCOR_EVENTS", column 'EPO_EVENT_AUTO_ID'.


Solution:
Run the following command against the ePO database to drop the constraint and re-create the constrained AUTO_IDs:

alter table [dbo].[SCOR_EVENTS] drop constraint SCOR_EVENTS_EPO_EVENTS;
alter table [dbo].[SCOR_EVENTS] add constraint SCOR_EVENTS_EPO_EVENTS
foreign key (EPO_EVENT_AUTO_ID) references  [dbo].[EpoEvents] ON DELETE
CASCADE ON UPDATE CASCADE;

 
  KB90787 All versions   Issue: Users are duplicated in client policy when synchronizing the Trusted Users group in ePO with Active Directory.
Solution: There is no issue as this behavior is by design. MACC supports legacy operating systems and is required to pull both Netbios\user and UPN\SAM accounts.
  KB90779 All versions 8.2.x. extensions Issue: Application Control Policy Discovery events missing when extension 8.1.0.129 or 8.1.1.103 are installed
Solution: Fixed in 8.2 extensions.
  KB91532 All Versions   Issue: Server task "Solidcore: Send Policy and Inventory Feedback to McAfee GTI Server" runs indefinitely
Workaround:
The purpose of the Solidcore: Send Policy and Inventory Feedback to McAfee GTI Server task is to improve the product and is not a function of the product. If you disable this feature, it does not affect the functionality of MACC. Inventory feedback data is not being used for analytics, which means that you can safely disable this feature on the extension side. When the data is used and the back-end processing issues are fixed, re-enable this feature.

Steps to disable the Solidcore:
  1. Send Policy and Inventory Feedback to McAfee GTI Server task:Go to https://<ePO-IP>/remote/core.reload-plugin.do?name=SOLIDCORE_META.
  2. Go to Server Tasks, Solidcore: Send Policy and Inventory Feedback to McAfee GTI Server.
  3. Click Edit, and then select the Actions tab.
  4. Deselect the option Inventory: Sends detailed information for files, such as SHA-1, base name, embedded application name, and embedded application version.
  5. Click Save.
  6. Go to Server Tasks and run Solidcore: Send Policy and Inventory Feedback to McAfee GTI Server task.
  7. Verify whether the issue is resolved. 
NOTE: The hung task is logged in the server task log as progress(0%), which indicates that the task is not running. A cleanup of the string from the user interface is required, but functionality is not affected.
1065785 KB86476 6.2.X 6.2.0-530
7.0.0-666
Issue: Could not validate filename OR filename is invalid (file operations in Application and Change Control fail if the file path length exceeds 256 characters)
Solution: Fixed in newer builds
Workaround:
  • For standalone deployments, run the following command from the CLI:
     
    sadmin features disable network-tracking
     
  • For ePO managed deployments, create a run command client task with the argument features disable network-tracking and push the task to clients.
  KB86401 6.2.505 and below 6.2.0.507 Issue: You might observe the following issues with a Distributed File System (DFS) network share that is accessing files from a system with Application Control enabled.
Solution: Fixed in 6.2.0.507
  KB90818 All versions   Issue: High event flow in the SCOR_FD_Data_Channel temporary table causes a deadlock. As a result, events stack up.
Workaround: See KB for workaround
  KB85430 6.2.458 and below 6.2.0.476 Issue: File shows as unsolidified after an application or patch is installed or upgraded through an Updater channel
Solution: Fixed in 6.2.0.476
  KB87977 6.2.0.446 and below
6.1.3.410and below
6.2.0.458
6.1.3.419
Issue: Signed file or application might fail to run when trusted or authorized by its certificate
Resolved: Fixed in 6.1.3.419 and 6.2.0.458
  KB88255 All Versions   Issue: Self Approval Client pop-up text field limitations within Application Control
Solution:
The Self Approval Client pop-up text field has a maximum character limitation of 296 characters. The text field for Self Approval within ePO has a maximum character limitation of 300 characters. Because of the fixed nature of the text field, scrolling of text within the pop-up field on the client is not allowed.
 
  KB88248 All Versions   Issue: Stale records appear on the Inventory page when a Purge System Inventory task is run immediately after a client has been removed from ePolicy Orchestrator
Solution: See the KB for the solution to delete queries against the DB.
  KB85156 All Versions
6.1.3.419 or later
6.2.0.458 or later
7.0.0.666 or later
8.0.0.651 or later
Issue: System slows or stops responding while accessing files over the network
Solution:
  • Standalone:
    1. Recover the Solidifier command line interface (CLI).
    2. Run the command:
If 8.2.1.114 or earlier: sadmin config set SrvThreadBypassConfig=1
If 8.2.143 or later: sadmin config set RemoteFileModificationBypassConfig=1
  • ePO managed:
    1. Create a run command client task with the argument:
If 8.2.1.114 or earlier: "sadmin config set SrvThreadBypassConfig=1
If 8.2.143 or later: sadmin config set RemoteFileModificationBypassConfig=1
  1. ​​​Push the task to one or more clients.
  KB89012 All Versions   Issue: High CPU usage occurs in MASVC.EXE with Solidcore installed, despite Solidcore being correctly added to the virus scanner exclusions list.
Solution: Update McAfee Agent to version 5.0.5
  KB86847 6.x 7.0 Issue: Installation of plan failed. FatalIOException: Unable to create file (Vsphere fails to load when Application Control is installed)
Solution:
To resolve this issue, upgrade to Application and Change Control 7.0 and configure the following sadmin feature to prevent long path lengths from being incorrectly blocked.
  1. Open a MAC command-line session and type sadmin recover and press ENTER.
  2. Type the ePolicy Orchestrator (ePO) password to recover the Solidcore command-line session.
  3. Type sadmin config set SkipValidateFileLength=1 and press ENTER.
  4. Put the system back into lockdown mode to continue being managed by ePO:
    Type sadmin lockdown and press ENTER.
     
    IMPORTANT: If you do not lock down the Solidcore command-line, ePO is not able to manage Solidcore.
You can also perform the following steps through ePO to push this change out to several systems at once.
  1. Open the ePO manager.
  2. Create a Client task.
  3. Select the Solidcore Command-line task.
  4. Paste the following command into the task:
    sadmin config set SkipValidateFileLength=1
  5. Push the task to the clients.
  KB86846 6.x 7.0 Issue: ERROR: fshooks.c : 687: Could not validate filename OR filename is invalid: (DFS replication fails with Application and Change Control installed)
Solution:
To resolve this issue, upgrade to Application and Change Control 7.0 and configure the following sadmin feature to prevent long path lengths from being incorrectly blocked.
  1. Open a Solidcore command-line session and type sadmin recover and press ENTER.
  2. Type the ePolicy Orchestrator password to recover the Solidcore command-line session.
  3. Type sadmin config set SkipValidateFileLength=1 and press ENTER.
  4. Put the system back into lockdown mode to continue being managed by ePolicy Orchestrator: Type sadmin lockdown and press ENTER.
     
    IMPORTANT: If you do not lock down the Solidcore command-line, ePolicy Orchestrator is not able to manage Solidcore.
You can also perform the same steps through ePolicy Orchestrator to push this change out to several systems at once.
  1. Open the ePO manager.
  2. Create a Client task.
  3. Select the Solidcore Command-line task.
  4. Paste the following command into the task:
    sadmin config set SkipValidateFileLength=1
  5. Push the task to the clients.
  KB86653 6.x, 7.x   Issue: Delay while starting installers with ESET Anti-Virus and Application Control installed
Solution:
Use either of the following configurations to resolve the issue:
  • Exclude .msi.msp, and .mst file extensions from ESET scanning. See http://support.eset.com/kb3453/?viewlocale=en_US for exact steps to exclude the extensions.
  • Bypass ekrn.exe from Process Context File Operations tracking in Application Control as follows and then reboot the system:
    • For standalone deployments, run the following command: sadmin attr add -p ekrn.exe
    • For ePO managed deployments, configure a process-context-file-operation exception rule for ekrn.exe in the Application Control policy.

 
  KB86638 All Versions Will Not Fix Issue: Performance issues on Application Control endpoints when Global Threat Intelligence and Threat Intelligence Exchange communication fails
Solution: Turn off reputation checking of binaries using the TIE server or GTI service if the errors described in this article are frequently logged in the Solidcore.log. By default, a policy to enable reputation-based execution is applied to all endpoints running the Solidcore client. The settings in the policy indicate how endpoints communicate with the configured reputation sources.
  KB88756 All Versions   Issue: deny_reason="File-cksum-mismatch" (generated when executables are configured as updaters in Application Control)

Workaround:
  1. Verify InvMergeTimeout in (Swin\parameters Reg), or by running the command sadmin config show | findstr -i InvMergeTimout from a command prompt or ePO run command.
NOTE: If it is anything other than 1800, reset to Default by running the command sadmin config set InvMergeTimeout=1800 from a command prompt or ePO run command. 
  1. Run check -r from an ePO run command or Solidcore CLI.
  2. Attempt to reproduce the issue.
If the issue still exists, use the ePO run command or Solidcore CLI and resolidify the drive:
  1. Put client in Update mode or Disable mode.
    NOTE: Disable requires you to restart the client.
  2. Run the clean solidification command:
    sadmin clean <driveletter>
NOTE: This command only works if you place MACC in Disable mode. This step can be skipped if you put MACC into Update mode.
  1. Run the solidify command:
    sadmin so <driveletter>
  2. Place the client in Enable mode.
  KB85321 6.x Will Not Fix Issue: Third-party services that use Java might not start properly after enabling Application Control and Change Control
Solution: To resolve this issue, Technical Support recommends that you modify the Java memory space for the third-party application (JvmMs and JvmMx values) to use less than the maximum values. This change usually allows the services for the application to start properly.
  KB87257 7.x, 6.x 6.1.1 Issue: Installer Detection bypass option is Deprecated for endpoints running version 6.1.1 and later (Package Control in relation to the architecture rules for the attr -i command)
Solution: See KB for solution.
  KB77610 All Versions   Issue: Application Control and Change Control might not switch the protection mode with Windows FBWF installed
Solution:
Run the following command to add the config folder as an FBWF exclusion:

Fbwfmgr /addexclusion <system drive>\windows\system32\config
  KB81993 6.x   Issue: oledlg.dll is missing (system error with Application Control installed on Windows Server Core)
  KB83457     Issue: System hangs while shutting down when Application Control is enabled
Solution:
The issue will not occur if you bypass searchprotocolhost.exe from MAC's memory-protection feature.
  • For ePO managed deployments, ensure that default list under Solidcore Rules in the ePO console is imported to the policy and applied to the systems.
  • For standalone deployments, add the following rules using the MAC command line:

    sadmin attr add -c searchprotocolhost.exe 
    sadmin attr add -v searchprotocolhost.exe
  KB84679 6.2.x 6.2.2.105 Issue: Large number of registry modification events for the path \REGISTRY\A on Windows 7 endpoints with Change Control
  KB84741 ALL Versions   Issue: Installation or upgrade of SCCM client might fail with Application Control enabled
Solution: Ensure that you have the default MAC rules for SCCM and SMS applied.
  KB85321 6.x   Issue: Third-party services that use Java might not start properly after enabling Application Control and Change Control
1090044 KB85591 6.x 6.2.0-480 Issue: Unsupported files are added to the whitelist during solidification
  KB86141 6.x 6.2.0.505 Issue: Incompatibility between Application and Change Control and McAfee products that use Syscore 15.4.0.622.9 or later
  KB87144 6.x   Issue: Uninstallation of applications fails and causes your client to stop responding when Symantec Endpoint Protection 12.1 is installed alongside Application Control
  KB87257 6.1.1 Will Not Fix Issue: Installer Detection bypass option is Deprecated for endpoints running version 6.1.1 and later (Package Control in relation to the architecture rules for the attr -i command)
  KB88747 All Versions   Issue: Web MER.exe blocked on client while Application Control is in enabled mode
  KB89866 7.x, 6.x   Issue: Installation of Application and Change Control fails when running a batch file containing the /qb+ switch on Windows Vista clients
1267369 KB91328 6.2.2.105, 6.2.1.197   Issue: New code-signing certificate for Application Control 6.2.2-105 and 6.2.1-197
  KB79201 All versions   How to Allow Jar File execution using scripts list in 6.1.1 and above


Back to top

Windows 8
 
Reference Article Found in Version Resolved in Version Description
946092       Issue: sadmin commands might become unresponsive on Windows Embedded 8 64-bit platforms with the vsepflt driver.


Windows XP
Microsoft ended extended support for Windows XP SP3 on April 8, 2014. For best results and optimal security, upgrade to a supported operating system. See KB78434 for details.

 
Reference Article Found in Version Resolved in Version Description
604834       Issue: On the Windows XP platform, NTFS junction points are supported only when junctions are created for volumes and not for folders.
701065       Issue: If you are using Application Control in the Enable mode on the Windows XP SP1 operating system, virtual memory use increases for most processes.
Workaround: Upgrade to Windows XP Service Pack 2.
793102       Issue: DLL rebasing does not work when a complete path to the DLL is specified.
809646       Issue: A Self Approval pop-up might hang while running non-whitelist binaries from the Desktop.


Windows 2003
Microsoft ended extended support for Windows Server 2003 SP2 on July 14, 2015. As of the end of 2015, the only McAfee product supported with Windows Server 2003 SP2 is Application and Change Control. See KB81563 for details. 

 
Reference Article Found in Version Resolved in Version Description
607361      
Issue: On 64-bit systems, some Java-based applications might fail and the Event Viewer logs show that the javaw.exe process was hijacked.
Workaround: Add javaw.exe to the attributes list with the -n option:

sadmin attr add -n javaw.exe
832241      
Issue: A Non-Trusted user can execute an unsolidified bat file using runas CLI on Windows 2003 (x64). The issue is intermittent.
Workaround: Use the following command:

sc config wuauserv type= own
  KB73734 6.x Will Not Fix Issue:
  • On system boot, the screen shows:

Windows 2000 could not start because the following file is missing or corrupt:
\WINNT\SYSTEM32\CONFIG\SYSTEM.ced startup options for Windows 2000, Press F8
 

  • On system boot, the screen shows:

Windows 2000 could not start because the following file is missing or corrupt: \WINNT\System32\Drivers\Ntfs.sys         
 

  • The system boots successfully but Solidcore driver “swin.sys” is not loaded. A quick way to check this issue is output of “sadmin status” command. If the Solidcore driver is not loaded, with Solidcore Enabled, it shows the driver status as Unattached for system volume.

 

McAfee Solidier: Enabled
  [fstype]                   [status]                 [driver status]   [volume]
* NTFS                  Solidified                 Unattached        C:\  

Cause:

This issue is not an Application Control/Change Control issue but a limitation on the size of the "system hive" in Windows. The system hive is limited to about 10.3 megabytes (MB) in size in Windows 2000 Server. The reason is because the system hive and the Windows kernel files must fit below 16 MB when Windows starts. If the system hive is close to its limit, installation of MAC/MCC or any other product that starts at system boot can cause this behavior.


Solution:

Apply the suggestions described in the Microsoft article: System might not start when creating many logical units and volumes http://support.microsoft.com/kb/277222.



Windows 2008 R2 (64-bit)
 
Reference Article Found in Version Resolved in Version Description
608636       Issue: During manual installation of Solidcore Agent on the Windows 2008 R2 (64-bit) platform, you see that Windows installer encountered a validation error for the msiexec.exe and kernelbase.dll files.
Workaround: Click Ignore once or Ignore always on the error pop-up to continue installation.


Windows 2008 (64-bit)
 
Reference Article Found in Version Resolved in Version Description
609780       Issue: On the Windows 2008 (64-bit) platform, the rundll32.exe file crashes if an application is uninstalled with Add/Remove Programs but the SetupInstallFromInfSection() function was initially used to install the application.


Windows 2008/Vista (32-bit and 64-bit), Windows XP/Windows 7/Windows 2008 R2 (64-bit)
 
Reference Article Found in version Resolved in Version Description
609757       Issue: In Enable mode, if you try to access a folder with unsolidified files through File Explorer, deny-exec events are raised for the files in the folder.


Windows Vista
 
Reference Article Found in Version Resolved in Version Description
607541       Issue: For Windows Vista and later platforms, the Solidcore Agent configuration marks a service called Windows Modules Installer (TrustedInstaller.exe) as an Updater. It is marked as such to allow Windows Update to work properly. This service can both install and remove Windows components even if the pkg-ctrl feature is enabled.

Linux
 
Reference Article Found in Version Resolved in Version Description
1253820   6.2.0-463   Issue: MACC 6.2.0-463 does not communicate with MA 5.6.0.
1253953   6.2.0-463   Issue: Inventory is not successfully fetched on CentOS 5 x64 endpoint.
1249593   6.2.0-419 6.2.0-463 Issue: "/home" partition labeled like Untrusted after fresh install in CentOS 7
Workaround: This issue only happens when any partition does not contain binary files or script files to solidify. If any script file or binary file is added later on that partition, you must run "service scsrvc restart" or "reboot" to completely enable your system.
1249280   6.2.0-419 6.2.0-463 Issue: After installing MACC and enabling it in standalone mode, status is Solidified - Untrusted CentOS5 Kernel 2.6.18-430.el5
Workaround: 
To work around this issue reboot the system or to avoid rebooting the system, run the following commands:
  1. sadmin disable
  2. service scsrvc restart
  3. sadmin enable
1247986   6.2.0-419 6.2.0-463 Issue: The file system status displays as Solidified - Untrusted after installing MACC 6.2.0-419 (standalone mode) with the MACC Unlimited license and solidifying the system.
1243884   6.2.0-347   Issue: Gnome UI not responding on CentOS7 after installing solidcore
Workaround: Add Gnome shell process as updater.
1243879   6.2.0-347   Issue: On Ubuntu endpoints, the file events expected for some tests are not the ones generated.
1243874   6.2.0-347   Issue: Events are not generated on Rhel 6 endpoint with solidcore installed and enabled.
1243872   6.2.0-347   Issue: Some endpoints are in Disabled* after installation from ePO.
1240825   6.2.0-347   Issue: Java file is executed without getting blocked.
1243019   6.2.0-337   Issue: Wrong transition from update mode to Disabled* (Global Pass-through)
1238936   6.2.0-236 6.2.0-347 Issue: Bad behavior with write-protected files in observe mode.
1239252   6.2.0-236   Issue: In SUSE 11 x86, "touch" binary as updater is not working properly.
1238336   6.2.0-236   Issue: "No such a process" message shown when trying to restart scsrvc service.
1236431   6.2.0-187   Issue: Remove a process from updaters list when added from its full path.
1235599 KB90472 6.2.0-179 Will not fix Issue: Script gets unsolidified when editing with "vim" in Observe mode.
1234313   6.2.0-158   Issue: Wrong message in Change of State
1233059   6.2.0-158   Issue: MACC 6.2.0 don't block scripts in SMB network directories (Samba).
1233067   6.2.0-158   Issue: Wrong message is displayed when blocking a .class file (Java).
1230625   6.2.0-154   Issue: Solidcore client task log is not refreshed correctly.
1230623   6.2.0-154 6.2.0-236 Issue: Solidcore version is shown in incorrect format under Products tab.
1230621   6.2.0-154   Issue: ePO tasks are not reflecting endpoint status correctly.
1230613   6.2.0-154   Issue: After upgrading endpoint from 6.1.7 to 6.2.0 from ePO, status is unmanaged.
1230464   6.2.0-154 6.2.0-236 Issue: Files copied in update mode from file manager are not added to the inventory.
1230835   6.2.0-154 6.2.0-158 Issue: Monitoring events are raised in observe mode.
1225663   6.2.0-114   Issue: MACC is unmanaged after installing build 6.2.0-114 from EPO
1223580   6.2.0-100   Issue: Execution Denied events for a script are duplicated
1218213 KB90069 6.1.7-674 Will not fix Issue: After disabled AC without a system reboot, AC 6.1.7-674 enters a partially disabled and the system is allowed to execute.
1214591   6.1.7-673 Will not fix Issue: Docker 1.13 containers fail to run in enabled mode with Docker as Updater.
1205485   6.1.7-504 Will not fix Issue: Linux Desktop Timeout with Root login/logoff when Solidcore is Enabled/Updated.
Workaround: Create the file /etc/X11/xinit/xinitrc.d/00-gvfs-disable-fuse.sh with the following contents:

GVFS_DISABLE_FUSE=1
export GVFS_DISABLE_FUSE

This script disables fuse's daemon running in the background, so fuse filesystem is not mounted. Restart the system so the changes can take effect.

UNIX (All Versions)
 
Reference Article Found in Version Resolved in Version Description
1203232   6.1.7-540   Issue: Solomon automated test tool can't verify some events.
1202241   6.1.7-504   Issue: The events are not generated in RHEL 6 x86.
818828   6.1.0-9463   Issue: With VirusScan Enterprise for Linux (VSEL) 1.7 installed, the VSEL service stops with errors on the CLI.
797363   6.1.0-9323   Issue: The Sadmin Xray command does not list the attr specific configurations for the running process.
607014   4.9.0-238   Issue: Adding a script as an updater twice (once on its own and again with its parent) might lead to unexpected behavior.
1053355   6.1.7-192 Will not fix Issue: If you erroneously try to stop the Solidcore service by using the systemctl command in Enabled mode, a subsequent attempt to stop the service in Disabled mode might fail.
Workaround: To stop the service in Disabled mode, use the following commands:

systemctl start scsrvc.service
systemctl stop scsrvc.service
989865   6.1.5-224 Will not fix Issue: Installation of Solidifier should not occur in a symbolic link path.
812578   6.1.0-9437 Will not fix Issue: On some kernels, error messages related to scdrv are displayed in the console during system boot.
811983   6.1.0-9434 Will not fix Issue: Property collection on ePO and the endpoint might show different versions of Solidifier if the system is not rebooted after upgrade.
807180   6.1.0-9402 Will not fix Issue: Installation on a non pre-compiled kernel fails if you run the installer from a Windows share that is mounted using CIFS.
798843   6.1.0-9323 Will not fix Issue: You might observe unexpected behavior if a process exits without closing the modified files.
797291   6.1.0-9323 Will not fix Issue: After Dynamic Kernel Module compilation, an empty file named 2 gets created in the dksdirectory.
762449   6.1.0-9301 Will not fix Issue: Events are generated if a special device file is renamed.
616089   5.1.0-6817 Will not fix Issue: Localized strings not consistent. Partial localization occurs in some events and messages.
610254   5.0.1-1 Will not fix Issue: When you run the Debug Info client task for a UNIX system, the name of the generated file is suffixed with the host name and time stamp. For example, gatherinfo-hpj-03-07-08-10_14-37-45.tar.gz. (This result occurs even though the log states that the gatherinfo.tar.ga file is generated.)
607024   4.0.0-5920 Will not fix Issue: By default, the deny-read feature is disabled. A read-protect rule is immediately applied to Solidcore Agent, but is effective only after the deny-read feature is enabled on the Solidcore Agent.
604604   4.8.3-164   Issue: Write/read protection does not work on files added via cachefs/lofs.


Back to top
Critical: There are currently no known critical issues.

Non-critical:

Solidcore Extension:
 
Reference Article Found in Version Resolved in Version Description
608618       Issue: When you try to upload the Windows Solidcore Agent Deployment Package (~100 MB) to ePO through Microsoft Internet Explorer, the file upload times out if the network upload speed is slow. 
Workaround: If an error displays in Internet Explorer 6, try using Internet Explorer 7 (or later). If the error occurs in Internet Explorer 7 or later, copy the package to a local directory on the ePO server. Access the ePO console on the ePO server and upload the file from the local path. Doing so avoids possible network delays.
607452       Issue: ePO 4.6 reports and dashboard entries are not removed after the Solidcore Extension is uninstalled.
Workaround: If you are uninstalling and reinstalling the Solidcore Extension, remove the reports and dashboards manually after uninstalling, and before reinstalling.
607517       Issue: PDF reports have minor data display and formatting issues if more than 50,000 records are reported.
608347       Issue: The Solidcore Policies Applied on Hosts report displays all policies derived from the root, regardless of the SKUs enabled on the platform.
609304       Issue: It is not possible to export data from the Reporting, Solidcore Events page.
Workaround: Use Queries (Reporting, Queries) to export event data.
636769       Issue: If you upgrade from Solidcore 5.1.0 to 5.1.1 (or later), existing Solidcore events in the Solidcore Events table are not migrated to the ePO Events table.
636352       Issue: After removing the Solidcore Extension, all Solidcore-related events are retained in the ePO table. When you view the events in the Threat Event Log, some fields might display erroneous data.
607554       Issue: Solidcore policies cannot be duplicated by using the Policy Details page because the OK button is disabled.
Workaround: Use the Policy Catalog page to duplicate policies.
643854       Issue: When you use the Guided Configuration page on the ePO 4.6 console, the Save Policy button is not enabled when changes are made to Solidcore Policies.
Workaround: Edit the policy by using the Policy Catalog without using Guided Configuration.
608374       Issue: When you try to enable an already enabled Solidcore Agent, the error displayed is not translated.
607908       Issue: It is not possible to export more than 50,000 records from any table or report.
608025       Issue: Reports, tasks, and policies for all SKUs are listed even if the license for that SKU is not added.
609911       Issue: Export of rule groups does not work in Internet Explorer when opened from the ePO server.
Workaround: Use Internet Explorer from a different computer and export the rule groups.
610303       Issue: The Server Task pages on ePO might not work properly if you use Mozilla Firefox version 3.0.
Workaround: McAfee recommends using Mozilla Firefox version 3.6 (or later) or Internet Explorer 6.0 (or later).
608753       Issue: Sometimes, using the user name field of reported events on the ePO server as a trusted user might not work if the client system is part of an Active Directory domain. The domain name reported in the events is not the full AD domain and might prevent this method from working.
Workaround: Use the environment variable USERDNSDOMAIN as the domain name for AD clients. Or, review the properties of the My Computer icon to identify the complete user name to specify as the trusted user.
609220       Issue: Saving an Application Control policy that is a copy of the McAfee Default policy is slow.
Workaround: Because Application Control policies are multi-slot policies, McAfee recommends that you create a new blank policy and add new rules to it instead of copying and changing the McAfee Default policy.
656518       Issue: If you install Solidcore Extension 5.1.2 (or later) on an existing ePO 4.5 system and then upgrade to ePO 4.6 FIPS mode, the event parser stops working.
Workaround: Run the following command and upgrade the required DLL: https://<ePO_IP_address: port>/remote/scor.upgradeEventParser.do
607950       Issue: User-defined system variables in policies are resolved at the endpoint only after the endpoint is restarted.
707486       Issue: When using the ePO 4.6 console, navigating quickly through the Events and Inventory pages logs off the user.
714176       Issue: On ePO 4.6 Update 1 or Update 2, if you add multiple commands to a Run Commands client task while creating the task, you cannot later remove the commands from the saved client task.
719796      
Issue: Global catalog search for Active Directory (AD) groups is not supported.
Workaround: Search for a group in a specific AD server instead of using the Global Catalog.

To add a specific group:
  1. Log on to the ePO 4.x console.
  2. Add the AD server with the group as a Registered Server.
  3. Search for the group by selecting the registered AD server. Ensure that the Global Catalog Search option is deselected.
  4. Add the group to a policy as a trusted group.
722045       Issue: Adding new columns, such as Solidcore Status and Solidification Status, for an endpoint by clicking Actions, Choose columns, noncompliant Solidcore Agent might not display values for all endpoints. This issue is because the noncompliant Solidcore Agent section includes only noncompliant agent properties.
Workaround: When adding new columns for an endpoint, click Actions, Choose columns, Solidcore Client Properties instead of Actions, Choose columns, noncompliant Solidcore Agent.
812003       Issue: The Self-Approval page displays a link for .MSI-based applications, which displays an empty list when drilling down.
890978       Issue: The GTI cloud server entry is not removed from ePO after the Solidcore Extension is uninstalled.
937037       Issue: You cannot upgrade the Solidcore help extension from a previous release.
Workaround: Uninstall the old help extension and install the new one.
926122       Issue: File Deviation details are missing in an exported file from the Image Deviation page.
950063       Issue: A few strings are not properly localized in languages other than English.


Back to top

Solidcore Agent:
UNIX (all versions)

 
Reference Article Found in Version Resolved in Version Description
944538       Issue: MAC/MCC 6.1.7 are not compatible with VirusScan Enterprise for Linux (VSEL) 2.0.
900761       Issue: When MAC is placed in a Disabled state and the endpoint is not rebooted, upgrading MAC will not successfully complete. This issue is because the driver is not unloaded.
Workaround: Reboot the endpoint after disabling MAC, and perform the upgrade task again.
608671       Issue: If Solidcore Agent is installed in a non-default path, upgrading via ePO is not supported. Such an upgrade might leave the Solidcore Agent in an inconsistent state. McAfee recommends that you uninstall the existing version and then install the new version using ePO
608737       Issue: If the partition with the /opt/McAfee/cma directory has insufficient space, events might not be generated and a Failed to generate event xml error message is added to the solidcore.log file. Free up space in the partition with the /opt/McAfee/cma directory.
601728       Issue: According to the NFS protocol, if a file present on the NFS share is opened once on the NFS client, it cannot be reopened until the file attributes are changed. As a result, if a read-protected file is opened on a client-side NFS share in Update mode, the file can be read on the client. The file remains in a readable state even after entering Enabled mode from Update mode. The file remains readable until the attributes are changed on the server.
601734
 
   
Issue: Changing a hard link might cause the name of the link or program to display in events.
601914
 
   
Issue: For daemon processes, the reported user name and original user name are the same.
602653
 
   
Issue: A write-protected file can be changed through its hard link if the hard link has already been created.
602772
 
   
Issue: Scripts without the #! tag cannot act as updaters.
602977
 
   
Issue: For loopback file systems, some features, such as updater and monitoring, do not work correctly when the loopback path is used instead of the physical path in the sadmin commands. For instance, if /opt is mounted as a loopback file system at /mnt, to add /mnt/abc as an updater, you must add the path /opt/abc as an updater.
602990
 
   
Issue: Some features, such as updaters and mon-proc-exec, do not work properly for unsupported file formats. Only executable binaries and #! scripts are supported file formats.
603462
 
   
Issue: The BOOTING_ENABLED and BOOTING_UPDATE_MODE events are not added to the system log.
Workaround: At boot time, start the syslog service before the Solidcore Agent service.
603490       Issue: You observe the following issues when an updater calls another updater:
  • If the child process is added as an updater, the non-inheritable option (-d) of the parent process is overridden.
  • If the parent process is added as an updater, the non-inheritable option (-d) of the child is overridden.
604780       Issue: For processes that are not directly associated with a terminal, the original_user field is the same as the user field. For example, when you run a script through Runlevel/init scripts, original_user is the same as the user.
605062       Issue: The mmap system call at the NFS client does not work if the file is read-protected.
606674
 
   
Issue: A write-protected file can be changed or deleted if the file system is mounted to a different directory.
607014
 
   
Issue: Adding a script as an updater twice (once on its own and again with its parent) might lead to unexpected behavior.
607024
 
   
Issue: By default, the deny-read feature is disabled. A read-protect rule is immediately applied to Solidcore Agent but is effective only after the deny-read feature is enabled on the Solidcore Agent.
607245
 
   
Issue: No events are generated for changes to a file with the string solidcore.log in its name, for example, mysolidcore.log.
601763
 
   
Issue: Process information cannot be determined for those processes that are invoked before the Solidcore Agent driver is loaded. This fact has the following implications:
  • If such a process makes file changes, these changes might not be reported.
  • For processes that started before the driver was loaded, only the partial program names are reported.
  • For NFS, for the changes made by the client, the change events displaying on the server have only the relative name for the NFS daemon (in other words, nfsd or nfsktcpd).
  • No Process Start and Process Stop events are generated for already running processes.
  • On only the AIX platform, Change Tracking / Prevention on file systems mounted by such processes might or might not work because system calls executed by already running processes cannot be trapped. The running processes cannot be trapped because of differences in the way system calls are implemented for the AIX platform. As a workaround, you can restart such processes.
604604
 
   
Issue: Write/read protection does not work on files added via cachefs/lofs.
613214
 
   
Issue: If the installation path is a mount point, forcibly unmounting (for example, using the umount –f command) might lead to non-deterministic behavior.
603386
 
   
Issue: The Solidcore Agent cannot be installed, upgraded, or uninstalled through init scripts that run at system boot time.
Workaround: Add the following two statements in the init script before invoking the installer:
HOME=""/""
export HOME
610254
 
   
Issue: When you run the Debug Info client task for a UNIX system, the log states that the gatherinfo.tar.gz file is generated. The actual name of the generated file is suffixed with the host name and time stamp. For example, gatherinfo-hpj-03-07-08-10_14-37-45.tar.gz.
616089
 
   
Issue: Localized strings are not consistent. Partial localization occurs in some events and messages.
774493
 
   
Issue: Change of binary in Update mode does not change/update the corresponding hard-link in whitelist.
797291
 
   
Issue: After Dynamic Kernel Module compilation, an empty file named 2 gets created in the dks directory.
797363
 
   
Issue: The sadmin xray command does not list the attr-specific configurations for the running process.
798843
 
   
Issue: You might observe unexpected behavior if a process exits without closing the changed files.
802433
 
   
Issue: If the volume is unsolidified, it is not listed as unsolidified in the output of sadmin status.
807180
 
   
Issue: Installation on a non pre-compiled kernel fails if you run the installer from a Windows share that is mounted using CIFS.
Workaround: Mount the Windows share using NFS.
811983
 
   
Issue: Property collection on ePO and the endpoint might show different versions of Solidifier if the system is not rebooted after upgrade.
812578
 
   
Issue: On some kernels, error messages related to scdrv are displayed in the console during system boot.
818828       Issue: With VirusScan Enterprise for Linux (VSEL) 1.7 and later version installed, the VSEL service stops with errors on the CLI.
989865       Issue: Installation of Solidifier should not occur in a symbolic link path.
991605 KB82820    
Issue: After upgrading to MAC 6.1.7, new advanced exclusion filters (AEF)/updaters and attr rules are not added as default rules.
1049005      
Issue: When uninstalling in Enabled mode, an incorrect message stating Unable to initialize installer is added to the /tmp/solidcoreS3_uninstall.log file.
1144705      
Issue: The Scripts command is not supported on SUSE10 x86.
1143376      
Issue: Script-auth fails if the interpreter is a symlink with a name different from the target.
Workaround: Add a rule with the target in your scripts. For example, if python is added as the interpreter in scripts and python is a symlink of python2.6 /usr/bin/python->python2.6, then add a rule for python 2.6.
053355      
Issue: If you erroneously try to stop the Solidcore service by using the systemctl command in Enabled mode, an attempt to stop the service in Disabled mode might fail.
Workaround: To
stop the service in Disabled mode, use the following commands:

systemctl start scsrvc.service
systemctl stop scsrvc.service

1202241       Issue: The events are not generated in RHEL 6 x86
1203232       Issue: Solomon automated test tool can't verify some events.
1221729       Issue: Symbolic link creation message shown after installation
Workaround: Delete symbolic link manually after uninstallation process.
1221724       Issue: MACC crashes on LSES11 x86 with kernel 3.0.101-108.10-default
1009608 KB83177 6.1.7 6.1.7 Issue: Upgrading to McAfee Agent 5.0.0 is not supported on Linux operating systems with Application Control installed
Solution: For versions earlier than 6.1.7, a fresh installation of MA 5.0.0 is supported with MAC.


Back to top

Linux
 
Reference Article Found in Version Resolved in Version Description
602174       Issue: When you log on to a solidified system using Telnet as a non-root user, the original_user name displays as root.
1009579       Issue: On a protected system running Red Hat Enterprise Linux (RHEL) 5 with kernel 2.6.18-308.EL5 or later, the deny-read feature does not work on an NFSv4 mounted partition.
1211104       Issue: After running automated testing tool (Solomon), there is a crash in UBUNTU 16.04 x86 platform with kernel 4.4.0-47-generic.
1205485       Issue: Linux Desktop Timeout with Root login/logoff when Solidcore is Enabled/Updated.
Workaround: Create the file /etc/X11/xinit/xinitrc.d/00-gvfs-disable-fuse.sh with the following contents:

GVFS_DISABLE_FUSE=1
export GVFS_DISABLE_FUSE

This script disables fuse's daemon running in the background, so fuse filesystem is not mounted. Restart the system so the changes can take effect.
1214591       Issue: Docker 1.13 containers fail to run in enabled mode with Docker as Updater.
1219099       Issue: Unsolidified bash script can show executed event when script-auth is enabled
Workaround: Reboot endpoint and script-auth works as expected.
1224787       Issue: MACC service stops working after running the command sadmin disable and restarting the Solidcore service.
Workaround: Reboot the system and complete entering disabled mode. After rebooting the system, it operates as expected.
  KB86606 6.1.x Will not Fix Issue: Incompatibility between VirusScan Enterprise For Linux 2.0.2 and Application Control 6.1
Solution:
Do not install MAC 6.1 and VSEL 2.0.2 on the same system.

If you have already installed MAC 6.1 and VSEL 2.0.2 on the same system, you must uninstall one, then install a different version not affected by this issue.
  KB90239 6.1.7   Issue: Content Change Tracking for Linux only reports file change events and no directory change events
122207 KB90484 6.1.7.417 6.1.7.716 Issue: Kernel panic observed on Red Hat 7.3 systems running Application Control


Back to top
Critical: There are currently no known critical issues.

Non-critical:

Solidcore Extension:
 
Reference Article Found in Version Resolved in Version Description
608618       Issue: When you try to upload the Windows Solidcore Agent Deployment Package (~100 MB) to ePO through Microsoft Internet Explorer, the file upload times out if the network upload speed is slow. 
Workaround: If an error displays in Internet Explorer 6, try using Internet Explorer 7 (or later). If the error occurs in Internet Explorer 7 or later, copy the package to a local directory on the ePO server. Access the ePO console on the ePO server and upload the file from the local path. Doing so avoids possible network delays.
607452       Issue: ePO 4.6 reports and dashboard entries are not removed after the Solidcore Extension is uninstalled.
Workaround: If you are uninstalling and reinstalling the Solidcore Extension, remove the reports and dashboards manually after uninstalling, and before reinstalling.
607517       Issue: PDF reports have minor data display and formatting issues if more than 50,000 records are reported.
608347       Issue: The Solidcore Policies Applied on Hosts report displays all policies derived from the root, irrespective of the SKUs enabled on the platform.
609304       Issue: It is not possible to export data from the ReportingSolidcore Events page.
Workaround: Use Queries (Reporting, Queries) to export event data.
636769       Issue: If you upgrade from Solidcore 5.1.0 to 5.1.1 (or later), existing Solidcore events in the Solidcore Events table are not migrated to the ePO Events table.
636352       Issue: After removing the Solidcore Extension, all Solidcore-related events are retained in the ePO table. When you view the events in the Threat Event Log, some fields might display erroneous data.
607554       Issue: Solidcore policies cannot be duplicated by using the Policy Details page because the OK button is disabled.
Workaround: Use the Policy Catalog page to duplicate policies.
643854       Issue: When you use the Guided Configuration page on the ePO 4.6 console, the Save Policy button is not enabled when changes are made to Solidcore Policies.
Workaround: Edit the policy by using the Policy Catalog without using Guided Configuration.
608374       Issue: When you try to enable an already enabled Solidcore Agent, the error displayed is not translated.
607908       Issue: It is not possible to export more than 50,000 records from any table or report.
608025       Issue: Reports, tasks, and policies for all SKUs are listed even if the license for that SKU is not added.
609911       Issue: Export of rule groups does not work in Internet Explorer when opened from the ePO server.
Workaround: Use Internet Explorer from a different computer and the export rule groups.
610303       Issue: The Server Task pages on ePO might not work properly if you use Mozilla Firefox version 3.0.
Workaround: Technical Support recommends using Mozilla Firefox version 3.6 (or later) or Internet Explorer 6.0 (or later).
608753       Issue: Sometimes, using the user name field of reported events on the ePO server as a trusted user might not work if the client system is part of an Active Directory domain. The reason is because the domain name reported in the events is not the full AD domain. 
Workaround: Use the environment variable USERDNSDOMAIN as the domain name for AD clients. You can review the properties of the My Computer icon to identify the complete user name and specify as the trusted user as well.
608759       Issue: If ePO is installed on the Japanese version of Windows, exporting the dashboard data to HTML format fails if the generated HTML file name contains digits.
609220       Issue: Saving an Application Control policy that is a copy of the McAfee Default policy is slow.
Workaround: Because Application Control policies are multi-slot policies, Technical Support recommends that you create a new blank policy and add new rules to it instead of copying and changing the McAfee Default policy.
656518       Issue: If you install Solidcore Extension 5.1.2 on an existing ePO 4.5 system and then upgrade to ePO version 4.6 FIPS mode, the event parser stops working.
Workaround: Run the following command and upgrade the required DLL: https://<ePO_IP_address: port>/remote/scor.upgradeEventParser.do
607950       Issue: User-defined system variables in policies are resolved at the endpoint only after the endpoint is restarted.
707486       Issue: When using the ePO 4.6 console, navigating quickly through the Events and Inventory pages logs off the user.
714176       Issue: On ePO 4.6 Update 1 or Update 2, if you add multiple commands to a Run Commands client task while creating the task, you cannot later remove the commands from the saved client task.
719796      
Issue: Global catalog search for Active Directory (AD) groups is not supported.
Workaround: Search for a group in a specific AD server instead of using the Global Catalog.

To add a specific group:
  1. Log on to the ePO 4.x console.
  2. Add the AD server with the group as a Registered Server.
  3. Search for the group by selecting the registered AD server. Ensure that the Global Catalog Search option is deselected.
  4. Add the group to a policy as a trusted group.
722045       Issue: Adding new columns, such as Solidcore Status and Solidification Status, for an endpoint by clicking ActionsChoose columnsNon Compliant Solidcore Agent might not display values for all endpoints. The reason is because the Non Compliant Solidcore Agent section includes only noncompliant agent properties.
Workaround: When adding new columns for an endpoint, click ActionsChoose columnsSolidcore Client Properties instead of Actions, Choose columns, Non Compliant Solidcore Agent.
812003       Issue: The Self-Approval page displays a link for .MSI based applications, which displays an empty list when drilling down.
890978       Issue: The GTI cloud server entry is not removed from ePO after the Solidcore Extension is uninstalled.
937037       Issue: You cannot upgrade the Solidcore help extension from a previous release to 6.1.2.020.
Workaround: Uninstall the old help extension and install the new one.
926122       Issue: File Deviation details are missing in an exported file from the Image Deviation page.
950063       Issue: A few strings are not properly localized in languages other than English.


Back to top

Solidcore Agent:
UNIX (all versions)

 
Reference
Article
Found in Version Resolved in Version
Description
969846       Issue: For an unsupported kernel, the Build property of the endpoint on the ePO properties screen displays as Compiled.
944538       Issue: MAC/MCC 6.1.4 are not compatible with VSEL 2.0.
900761       Issue: When the endpoint is Disabled and not rebooted, the product upgrade is not successful. The reason is because the driver is not unloaded.
Workaround: Reboot the endpoint system and perform the upgrade task again.
       

The following issues are from the MAC 6.1.0 Linux/UNIX release
608671       Issue: If Solidcore Agent is installed in a non-default path, upgrading via ePO is not supported. Such an upgrade can leave the Solidcore Agent in an inconsistent state. Technical Support recommends that you uninstall the existing version and then install the new version using ePO.
608737
 
   
Issue: If the partition with the /opt/McAfee/cma directory has insufficient space, events might not be generated and a Failed to generate event xml error message is added to the solidcore.log file. Free up space on the partition with the /opt/McAfee/cma directory.
601728
 
   
Issue: According to NFS protocol, if a file present on the NFS share is opened once on the NFS client, it cannot be reopened until the file attributes are changed. As a result, if a read-protected file on an NFS share is opened on the client side in update mode, the user could read it on the client. The file could read it even in enable mode (after coming out of the update mode) until the file attributes are changed on the server.
601734
 
   
Issue: Changing a hard link might cause the name of the link or program to display in events.
601914
 
   
Issue: For daemon processes, the reported user name and original user name are the same.
602653
 
   
Issue: A write-protected file can be changed through its hard link if the hard link has already been created.
602772
 
   
Issue: Scripts without the #! tag cannot act as updaters.
602977
 
   
Issue: For loopback file systems, some features, such as updater and monitoring, do not work correctly when the loopback path is used instead of the physical path in the sadmin commands. For instance, if /opt is mounted as a loopback file system at /mnt, to add /mnt/abc as an updater, you must add the path /opt/abc as an updater.
602990
 
   
Issue: Some features, such as updaters and mon-proc-exec, do not work properly for unsupported file formats. Only executable binaries and #! scripts are supported file formats.
603462
 
   
Issue: The BOOTING_ENABLED and BOOTING_UPDATE_MODE events are not added to the system log.
Workaround: At boot time, start the syslog service before the Solidcore Agent service.
603490
 
   
Issue: The following issues are observed when an updater calls another updater:
  • If the child process is added as an updater, the non-inheritable option (-d) of the parent process is overridden.
  • If the parent process is added as an updater, the non-inheritable option (-d) of the child is overridden.
604780
 
   
Issue: For processes that are not directly associated with a terminal, the original_user field is the same as the user field. For example, when you run a script through Runlevel/init scripts, original_user is the same as the user.
605062
 
   
Issue: The mmap system call at the NFS client does not work if the file is read-protected.
606674
 
   
Issue: A write-protected file can be changed or deleted if the file system is mounted to a different directory.
607014
 
   
Issue: Adding a script as an updater twice (once on its own and again with its parent) can lead to unexpected behavior.
607024
 
   
Issue: By default, the deny-read feature is disabled. A read-protect rule is immediately applied to Solidcore Agent but is effective only after the deny-read feature is enabled on the Solidcore Agent.
607245
 
   
Issue: No events are generated for changes to a file with the string solidcore.log in its name, for example, mysolidcore.log.
601763
 
   
Issue: Process information cannot be determined for those processes that are invoked before the Solidcore Agent driver is loaded. This issue has the following implications:
  • If such a process makes file changes, these changes might not be reported.
  • For processes that started before the driver was loaded, only the partial program names are reported.
  • For NFS, for the changes done by the client, the change events displaying on the server have only the relative name for the NFS daemon (in other words, nfsd or nfsktcpd).
  • No Process Start and Process Stop events are generated for already running processes.
  • On only the AIX platform, Change Tracking / Prevention on file systems mounted by such processes might or might not work. System calls executed by already running processes cannot be trapped due to differences in the way system calls are implemented for the AIX platform. As a workaround, you can restart such processes.
     
604604
 
   
Issue: Write/read protection does not work on files added via cachefs/lofs.
613214
 
   
Issue: If the installation path is a mount point, forcibly unmounting (for example, using the umount –f command) might lead to non-deterministic behavior.
603386
 
   
Issue: The Solidcore Agent cannot be installed, upgraded, or uninstalled through init scripts that run at system boot time.
Workaround: Add the following two statements in the init script before invoking the installer:
HOME=""/""
export HOME
610254
 
   
Issue: When you run the Debug Info client task for a UNIX system, the log states that the gatherinfo.tar.gz file is generated. The name of the generated file is suffixed with the host name and time stamp. For example, gatherinfo-hpj-03-07-08-10_14-37-45.tar.gz.
616089
 
   
Issue: Localized strings are not consistent. Partial localization occurs in some events and messages.
708279
 
   
Issue: For RHEL5/RHEL6 (Kernel less than 2.6.32-220) and kernels of SLES 10/SUSE11 (excluding SLES11 SP2), FILE_CREATED events are incorrectly reported as FILE_ATTR_MODIFIED over an NFSv4 partition.
762449
 
   
Issue: Events are generated if a special device file is renamed.
774493
 
   
Issue: Change of a binary in Update mode does not change/update the corresponding hard-link in whitelist.
797291
 
   
Issue: After Dynamic Kernel Module compilation, an empty file named 2 gets created in the dks directory.
797363
 
   
Issue: The sadmin xray command does not list the attr specific configurations for the running process.
798843
 
   
Issue: Unexpected behavior might be observed if a process exits without closing one or more changed files.
802433
 
   
Issue: If the volume is unsolidified, it is not listed as unsolidified in the output of sadmin status.
807180
 
   
Issue: Installation on a non pre-compiled kernel fails if you run the installer from a Windows share that is mounted using CIFS.
Workaround: Mount the Windows share using NFS.
811983
 
   
Issue: Property collection on ePO and the endpoint might show different versions of Solidifier if the system is not rebooted after upgrade.
812578
 
   
Issue: On some kernels, error messages related to scdrv are displayed in the console during system boot.
818828       Issue: With VirusScan Enterprise for Linux (VSEL) 1.7 installed, the VSEL service stops with errors on the CLI.
989865       Issue: Installation of Solidifier occurs in a symbolic link path.
991605  KB82820    
Issue: After upgrading to MAC 6.1.4, new advanced exclusion filters (AEF)/updaters and attr rules are not added as default rules.


Back to top

Linux
 
Reference Article Found in Version Resolved in Version Description
602174       Issue: When you log on to a solidified system using Telnet as a non-root user, the original_user name displays as root.
1009579       Issue: On a protected system running Red Hat Enterprise Linux 5 with kernel 2.6.18-308.EL5 or later, the deny-read feature does not work on an NFSv4 mounted partition.


Back to top
Critical: There are currently no known critical issues.

Non-critical:

Solidcore Extension:
 
Reference Article Found in Version Resolved in Version Description
608618       Issue: When you try to upload the Windows Solidcore Agent Deployment Package (~100 MB) to ePO through Microsoft Internet Explorer, the file upload times out if the network upload speed is slow. 
Workaround: If an error displays in Internet Explorer 6, try using Internet Explorer 7 (or later). If the error occurs in Internet Explorer 7 or later, copy the package to a local directory on the ePO server. Access the ePO console on the ePO server and upload the file from the local path. Doing so avoids possible network delays.
607452       Issue: ePO 4.6 reports and dashboard entries are not removed after the Solidcore Extension is uninstalled.
Workaround: If you are uninstalling and reinstalling the Solidcore extension, remove the reports and dashboards manually after uninstalling, and before reinstalling.
607517       Issue: PDF reports have minor data display and formatting issues if more than 50,000 records are reported.
608347       Issue: The Solidcore Policies Applied on Hosts report displays all policies derived from the root, irrespective of the SKUs enabled on the platform.
609304       Issue: It is not possible to export data from the ReportingSolidcore Events page.
Workaround: Use Queries (Reporting, Queries) to export event data.
636769       Issue: If you upgrade from 5.1.0 to 5.1.1 (or later), existing Solidcore events in the Solidcore Events table are not migrated to the ePO Events table.
636352       Issue: After removing the Solidcore Extension, all Solidcore-related events are retained in the ePO table. When you view the events in the Threat Event Log, some fields might display garbage data.
607554       Issue: Solidcore policies cannot be duplicated by using the Policy Details page because the OK button is disabled.
Workaround: Use the Policy Catalog page to duplicate policies.
643854       Issue: When using the Guided Configuration page on the ePO 4.6 console, the Save Policy button is not enabled when changes are made to Solidcore Policies.
Workaround: Edit the policy by using the Policy Catalog without using Guided Configuration.
608374       Issue: When trying to enable an already enabled Solidcore Agent, the error displayed is not translated.
607908       Issue: It is not possible to export more than 50,000 records from any table or report.
608025       Issue: Reports, tasks, and policies for all SKUs are listed even if the license for that SKU is not added.
609911       Issue: Export of rule groups does not work in Internet Explorer when opened from the ePO server.
Workaround: Use Internet Explorer from a different computer and export rule groups.
610303       Issue: The Server Task pages on ePO might not work properly if you are using Mozilla Firefox version 3.0.
Workaround: If you encounter issues, Technical Support recommends that you use Mozilla Firefox version 3.6 (or later) or Internet Explorer 6.0 (or later).
608753       Issue: Sometimes, using the user name field of reported events on the ePO as a trusted user might not work if the client system is part of an AD domain. The reason is because the domain name reported in the events is not the full AD domain.
Workaround: Use the environment variable USERDNSDOMAIN of the AD client as the domain name. You can review the properties of MyComputer, identify the complete user name, and specify it as the trusted user as well.
608759       Issue: If ePO is installed on Japanese Windows, exporting the dashboard data to HTML format fails if the generated HTML file name contains digits.
609220       Issue: Saving an Application Control policy that is a copy of the McAfee Default policy is slow.
Workaround: Because Application Control policies are multi-slot policies, we recommend that you create a new blank policy and add new rules to it instead of copying and changing the McAfee Default policy.
656518       Issue: If you install Solidcore Extension 5.1.2 on an existing ePO 4.5 system and then upgrade to ePO version 4.6 FIPS mode, the event parser stops working.
Workaround: Run the following command and upgrade the required DLL: https: //<ePO IP address: port>/remote/scor.upgradeEventParser.do
607950       Issue: User-defined system variables in policies are resolved at the endpoint only after the endpoint is restarted.
707486       Issue: When using the ePO 4.6 console, navigating quickly through the Events and Inventory pages logs off the user.
714176       Issue: On ePO 4.6 Update 1 or Update 2, if you add multiple commands to a Run Commands client task while creating the task, you cannot later remove the commands from the saved client task.
719796      
Issue: Global catalog search for Active Directory (AD) groups is not supported.
Workaround: Search for a group in a specific AD server instead of using the Global Catalog.

To add a specific group:
  1. Log on to the ePO 4.x console.
  2. Add the AD server with the group as a Registered Server.
  3. Search for the group by selecting the registered AD server. Make sure that the Global Catalog Search option is deselected.
  4. Add the group to a policy as a trusted group.
722045       Issue: Adding new columns, such as Solidcore Status and Solidification Status for an endpoint by clicking ActionsChoose columnsNon Compliant Solidcore Agent might not display values for all endpoints. The reason is because the Non Compliant Solidcore Agent section includes only noncompliant agent properties.
Workaround: When adding new columns for an endpoint: Click ActionsChoose columnsSolidcore Client Properties instead of Actions, Choose columns, Non Compliant Solidcore Agent.
812003       Issue: The Self-Approval page displays a link for .MSI based applications, which displays an empty list when drilling down.
890978       Issue: The GTI cloud server entry is not removed from ePO after Solidcore extension is uninstalled.
937037       Issue: You cannot upgrade Solidcore help extension from a previous release to 6.1.2.020.
Workaround: Uninstall the old help extension and install the new one.
926122       Issue: File Deviation details are missing in an exported file from the Image Deviation page.
950063       Issue: A few Strings are not properly localized in languages other than English.


Back to top

Solidcore Agent
UNIX (all versions):

 

Reference

Article Found in Version Resolved in Version Description

608671

 

   

Issue: If Solidcore Agent is installed on the non-default path, upgrade from ePO is not supported. Such an upgrade might leave Solidcore Agent in an inconsistent state. Technical Support recommends that you uninstall the existing version and then install the new version using ePO.

608737

      Issue: If the partition with the /opt/McAfee/cma directory has insufficient space, events might not be generated and the Failed to generate event xml error message is added to the solidcore.log file. Free up space in the partition with the /opt/McAfee/cma directory.
601728       Issue: According to the NFS protocol, if a file present on the NFS share is opened once on the NFS client, it cannot be reopened until the file attributes are changed. As a result, if a read-protected file in an NFS share is opened on the client side in Update mode, the user could read it on the client. This issue occurs in Enable mode (after coming out of the Update mode) until the file attributes are changed on the server.
601734       Issue: Changing a hard link might cause the name of the link or program to display in events.
601914       Issue: For daemon processes, the reported user name and original user name are the same.
602653       Issue: A write-protected file can be changed through its hard link if the hard link has already been created.
602772       Issue: Scripts without the #! tag cannot act as updaters.
602977       Issue: For loopback file systems, some features such as updater and monitoring do not work correctly when the loopback path is used instead of the physical path in the sadmin commands. For instance, if /opt is mounted as a loopback file system at /mnt, to add /mnt/abc as an updater you must add the path /opt/abc as an updater.
602990       Issue: Some features like updaters and mon-proc-exec do not work properly for unsupported file formats. Only executable binaries and #! scripts are supported file formats.
603462       Issue: The BOOTING_ENABLED and BOOTING_UPDATE_MODE events are not added to the system log.
Workaround: At boot time, start the syslog service before the Solidcore Agent service.

603490

      Issue: The following issues are observed when an updater calls another updater:
  • If the child process is added as an updater, the non-inheritable option (-d) of the parent process is overridden.
  • If the parent process is added as an updater, the non-inheritable option (-d) of the child is overridden.

604780

      Issue: For processes that are not directly associated with a terminal, the original_user field is a replica of the user field. For example, when you run a script through Runlevel/init scripts, original_user is the same as the user.
605062       Issue: The mmap system call at the NFS client does not work if the file is read-protected.
606674       Issue: A write-protected file can be changed or deleted if the file system is mounted to a different directory.
607014       Issue: Adding a script as an updater twice (once on its own and again with its parent) might lead to ambiguous behavior.
607024       Issue: By default, the deny-read feature is disabled. A read-protect rule is immediately applied to Solidcore Agent but is effective only after the deny-read feature is enabled on the Solidcore Agent.
607245       Issue: No events are generated for changes to a file with the string “solidcore.log” in its name, for example, mysolidcore.log.

601763

      Issue: Process information cannot be determined for those processes that are invoked before the Solidcore Agent driver is loaded. This issue has the following implications:
  • If such a process makes file changes then these changes might not be reported.
  • For processes that started before the driver was loaded, only the partial program names are reported.
  • For NFS, for the changes done by the client, the change events displaying on the server have only the relative name for the NFS daemon (in other words, nfsd or nfsktcpd).
  • No Process Start and Process Stop events are generated for already running processes.
  • On only the AIX platform, Change Tracking / Prevention on file systems mounted by such processes might or might not work. The reason is that system calls executed by already running processes cannot be trapped because of a difference in the way system calls are implemented under the AIX platform. As a workaround, you can restart such processes.

604604

      Issue: Write/read protection does not work on files added via cachefs/lofs.
613214       Issue: If the install path is a mount point, forcibly unmounting (Example: Using the umount –f command) might lead to non-deterministic behavior.
603386       Issue: The Solidcore Agent cannot be installed, upgraded, or uninstalled through init scripts that run at system boot time.
Workaround: Add the following two statements in the init script before invoking the installer:

HOME=""/"" 
export HOME

610254

      Issue: When you run the Collect debug information client task for a UNIX system, the log states that the gatherinfo.tar.gz file is generated. The name of the generated file is suffixed with the host name and time stamp, for example, gatherinfo-hpj-03-07-08-10_14-37-45.tar.gz.
616089       Issue: Localized strings are not consistent. Partial localization occurs in some events and messages.
708279       Issue: For RHEL5/RHEL6 (Kernel less than 2.6.32-220) and kernels of SLES 10/SUSE11 (excluding SLES11 SP2), FILE_CREATED events are being incorrectly reported as FILE_ATTR_MODIFIED over an NFSv4 partition.
762449       Issue: Events are generated if a special device file is renamed.
774493       Issue: Change of binary in Update mode does not change/update the corresponding hard-link in whitelist.
797291       Issue: During Dynamic Kernel Module compilation, an empty file named 2 gets created in the dks directory.
797363       Issue: The sadmin xray command does not list the attr specific configurations for the running process.
798843       Issue: Unexpected behavior might be observed if a process exits without closing the changed file.
802433       Issue: If the volume is unsolidified, it is not listed as unsolidified in the output of sadmin status.
807180       Issue: Installation on a non pre-compiled kernel fails if the installer is run from a Windows share that is mounted using CIFS. 
Workaround: Mount the Windows share using NFS.
811983       Issue: Property collection on ePO and the endpoint might show different versions of solidifier if the system is not rebooted after upgrade.
812578       Issue: On a few Kernels, error messages related to scdrv might show up on the console while the system is starting.
818828       Issue: With VSEL 1.7 installed, the VSEL service stops with errors on the CLI.


Back to top

Linux
 
Reference Article Found in Version Resolved in Version Description
602174       Issue: When you log on to a solidified system using Telnet as a non-root user, the original_user name displays as root.


Windows (all versions)
 
Reference Article Found in Version Resolved in Version Description
  KB79200     Issue: In MAC 6.1.1, the size and the logfile numbers of s3diag and solidcore log files (in the solidcore log directory) can be controlled.
  KB86758     Issue: Application Control denies the execution of .zip files when run in context of Java process such as java.exe or javaw.exe.
Workaround: See the Knowledge Base article for details.
833864
833396
KB77179     Issue: Adobe Reader/Google Chrome might fail to work as expected with the MP feature enabled.

801531

      Issue: If Driver Verifier (verifier.exe) is enabled, MAC / MCC might not function as expected.

608418

      Issue: Original Username reported in events is the same as Username.
595051       Issue: Multiple operating systems on the same computer are not supported. Product features work only on the operating system it is installed on.
599812       Issue: Uninstallation fails if the uninstallation process is canceled midway.
600037       Issue: Changes done by msiexec.exe in Update mode are recorded with workflow ID UPDATER: msiexec instead of the Update mode workflow ID.
600805       Issue: While opening a write-protected network share in File Explorer, a few deny-write errors are observed.
603747       Issue: The trusted, solidified, and write-protect features do not work correctly for folder-mounted volumes.
Workaround: Contact Technical Support for assistance if the setup uses folder-mounted volumes.
604153       Issue: Post install script customization is not available during upgrades. It can be used only during a fresh installation of the Solidcore Agent.
608036       Issue: Mapped drive names cannot be used in commands issued by remote users/ePO.
609249       Issue: You cannot perform upgrades in UI mode for existing 5.0.0 deployments (that were done manually and not via ePO). Use the following methods to upgrade such standalone deployments:
  • UI -> Silent
  • Silent -> Silent

634733

      Issue: If the database tables are corrupted, upgrade of the Solidcore Agent fails and you see the following error message:

""Database: . Could not load table 'Control' in SQL query: SELECT `Control`, 
`Type`, `X`, `Y`, `Width`, `Height`, `Attributes`, `Property`, `Text`, 
`Control_Next`, `Help` FROM `Control` WHERE `Dialog_`=?"""

Workaround: Use silent installation instead of UI mode installation.
605369       Issue: When the Solidcore Agent installer is run by an agent installer with the /? argument, a series of unwanted dialog boxes appear due to a bug in the third-party packaging software. These dialog boxes can be ignored.
609311       Issue: Manual uninstallation of Solidcore Agent (deployed from ePO) fails on a client computer having McAfee Agent version 4.0 (or earlier).
Workaround: Contact Technical Support for assistance if manual uninstallation has already been tried.

595570
595025
595511
595615
597243
598406
595043
607434
607899
611229

      Issue: The following applications are incompatible with the Solidcore Agent for Windows. Contact Technical Support for further assistance.
  • Panda Titanium anti-virus 2005
  • Spyware Doctor
  • BlackIce
  • Trojan Hunter
  • BitDefender
  • BufferZone
  • Twister Anti-Trojan Virus 2005
  • Trend Micro OfficeScan 8.0, Trend Micro anti-virus 2008
  • Double-Take
  • Cisco Security Agent

594579

      Issue: Unsolidified scripts cannot be copied using the MS-DOS command prompt on a solidified system. Any read access to unsolidified scripts by script interpreter configured for that script, is denied. This fact generates unauthorized execution events. Such problems can be avoided by performing the file operation using Windows Explorer.
594596
594770
595290
      Issue: Antivirus software applications generate logs when the Solidcore Agent is enabled.
Workaround: Use appropriate applications as updaters.
594707       Issue: Roaming and Mandatory profiles with code files do not work properly. Copying files from a Central store on a domain controller to a member server and back might fail.
594790       Issue: Solidcore Protection prevents updating of applications, such as Microsoft Office and Office tools, after the initial installation. When executing the applications for the first time, Technical Support recommends that you run these applications in the Update mode.
596425       Issue: Print server logs errors on Runtime Control module systems with the Solidcore Agent active in the Enable mode.
Workaround: Add the printer share as a trusted share.
601158       Issue: The Runtime Control module uses MP-CASP as the default Memory Protection technique. If you want to enable MP-VASR, contact Technical Support.
607414       Issue: When script interpreters are added to memory protection bypass (casp or mangling-decoying), even after a script marked as an updater exits, the script interpreter’s updater privilege is not revoked.
608647       Issue: On 64-bit systems, multiple events might get generated when an unauthorized binary file is executed. The Windows operating system tries to run the binary multiple times by using a reduced set of attributes until final failure.
609632       Issue: After the initial scan task completes, the MAC Initial Scan task is complete, and the McAfee Application Control is enforced on the system now message displays, the system is said to be solidified.
608745       Issue: Files that are read-protected by the user (using 'sadmin read-protect' command) cannot be solidified.

624015

      Issue: If enabled on a 64-bit computer, the memory protection feature prevents the installation of ActiveX.
Workaround: From the ePO console, complete the following steps to add the Internet Explorer executable (iexplore.exe) to the memory protection bypass list.
  1. Log on to the ePO 4.x console.
  2. Click MenuPolicyPolicy Catalog.
  3. Select the Solidcore 5.1.0 General entry from the Product drop-down.
  4. Select Exception Rules (Windows).
  5. Click Duplicate for the McAfee Default policy, specify the policy name, and click OK.
  6. Click the created policy and click Add.
  7. Enter iexplorer.exe as the file name, select Bypassed from Memory Control, and click OK.
  8. Click Save.
  9. Apply the policy to the appropriate endpoints. 
  10. From the endpoint, run ActiveX after adding the Internet Explorer executable (iexplore.exe) to the memory protection bypass list. Use the following command to add the executable to the bypass list. 

    sadmin attr add –n iexplore.exe

643688

      Issue: If you try an ActiveX installation before enabling the ActiveX feature and retry the installation after enabling the ActiveX feature, ActiveX might not get installed properly.
Workaround: If the ActiveX installation fails, delete all files in the <system drive>\windows\downloaded program files directory on the endpoint, and remove all .cab files in the temporary Internet files. Now, install the ActiveX control on the endpoint.
602194       Issue: The package control feature is not able to stop the installation of some applications, such as Gvim and Winrar.
602929       Issue: If a package-based installer is executed before the package control feature can detect the package change, the deny-exec feature might prevent the execution of the installer.
607014       Issue: Adding a script as an updater twice (once on its own and again with its parent) might lead to ambiguous behavior.
616147       Issue: For standalone Solidcore Agent installation (in other words, installation not done via ePO) on endpoints where Oracle is installed, finetune.bat must be run manually at the endpoints to apply Oracle-specific rules.
595067       Issue: The system might hang while installing the security hotfix WindowsXP-KB884020-x86-enu.exe.
Workaround: Disable the Solidcore Agent before installing this hotfix.

598286

      Issue: The system hangs after installing Citrix MetaFrameXP with feature release 3.0.
Workaround: Add csrss.exe to the bypass list.
599348       Issue: On viewing the properties of a file on the local drive, deny-write and deny-exec events are generated for the solidified and unsolidified files, respectively.
601126       Issue: When copying solidified files to a rewritable CD, although the files are copied successfully, deny-write errors are logged.
601427       Issue: On 64-bit platforms, Enum or Performance in sub keys is bypassed from Solidcore Agent protection. Thus, when you delete a write-protected registry key with Enum or Performance in sub keys, you might get a partial completion status.
609812       Issue: For an ePO managed endpoint with a valid Application Control license for which the Initial Scan was deferred and that has many executable files installed, the Initial Scan client task after a reboot completes successfully. But, the system remains in Update mode for some time before going to Enable mode. During this time, another client task sent to the endpoint might fail.
610206       Issue: The pop-up message regarding the completion of the Initial Scan client task sent from ePO does not display on remote desktop sessions.
616089       Issue: In the output of the sadmin diag command on the Spanish locale, read 'actualizadores agregar' as 'updaters add'.
For example, the following output:

* actualizadores agregar -t DIAG: cmd.exe -p explorer.exe ""cmd.exe""

Should be read as:

* updaters add -t DIAG: cmd.exe -p explorer.exe ""cmd.exe""

600748       Issue: Multiple deny write events might get generated for a single deny write action. 
Example: On deletion of a file using Windows Explorer, up to 8 file deletion events are reported. The reason is because when the application denies deletion of a file, Windows Explorer tries multiple other methods to delete the file, resulting in the generation of an event for each attempt.

724600

      Issue: ActiveX alerts are not generated on 64-bit Windows systems.
Workaround: Complete these steps if you are using the ePO console:
  1. Log on to the ePO 4.x. console.
  2. Click Menu, PolicyPolicy Catalog.
  3. Select the Solidcore 6.0 General entry from the Product drop-down.
  4. Select Exception Rules (Windows).
  5. Click Duplicate for the McAfee Default policy, specify the policy name, and click OK.
  6. Open the created policy and click Add.
  7. Enter iexplore.exe as the file name, select Bypassed from Memory Control, and click OK.
  8. Click Add.
  9. Type ieinstal.exe as the file name, select Bypassed from Memory Control, and click OK.
  10. Click Save.
  11. Apply the policy to the endpoints.
Complete these steps from the endpoint if you are using the product in Standalone mode.
  1. Execute the following commands to define the required memory-protection bypass rules.

    sadmin attr add –n iexplore.exe
    sadmin attr add –n ieinstal.exe
  2. Run ActiveX controls.

608639

      Issue: After you uninstall the Solidcore client from the Windows (64-bit) operating system, the Solidcore folder (c:\program files(x86)\solidcore) and Registry link (HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates) remain on the endpoint.
695246       Issue: Although the Solidcore NX protection is based on system DEP, it is possible that some applications work with system DEP but not with Solidcore NX. In such cases, if processes are added to the Solidcore NX bypass list, the system DEP protection is enabled for the processes.
720663       Issue: Editing the Updater Label for an existing trusted publisher in an Application Control policy fails. Although the label changes on the ePO console, the change is not reflected on the endpoints.
723624       Issue: Execution Denied events might be generated for some DLL files with searchprotocolhost.exe as the process name. These events have no functionality impact.
Workaround: If many events are generated, create an AEF rule to prune the events.
725204       Issue: For the 6.0 release, the Yahoo, Adobe Acrobat, CuteFTP, and WinZip rule groups have been removed from the default Application Control policy because of their security implications. Also, when you upgrade, these rule groups are removed from the default policies. If needed, you need to add these rule groups to policies manually.
702580       Issue: For Application Control-related internal files (such as finetune.bat and gatherinfo.bat), version details including binary version, vendor, application name, and application version are not available.
713989       Issue: If Application Control and Spector are installed on an endpoint and MP-CASP is enabled, Internet Explorer crashes.
652602       Issue: If you disable the deny-exec-exes feature on any Windows (64-bit) operating system, change the extension of an exe to .sys, and try to run the .sys file, execution of the .sys file is prevented. If you change the file extension to dll, you can run the file even if the deny-exex-dlls feature is enabled.
713011       Issue: Observations are erroneously generated for 64-bit binary files that are not supported on 32-bit platforms.
607574       Issue: On opening a network share (for systems running Windows Vista, Windows 7, and Windows 2008), deny-write and deny-exec events are generated for the binary files present on the network share. This issue occurs because Windows Explorer tries to fetch the icons for the files stored on the network share.
726020       Issue: If you upgrade from an older release to the 6.0 release and use a command added or changed in the 6.0 release without restarting the endpoint, you might receive a Msg not found error. 
Workaround: Restart the endpoint to ensure that all commands added or changed in the 6.0 release work correctly.

608868

      Issue: On the Windows 2008, Windows 7, and Windows Vista operating systems, you might receive an An unauthorized change made to the Windows error. 
Workaround: Disable the MP-CASP feature.
768708       Issue: You are unable to set the flag fs-passthru 'p' and the flag vasr forced reloc 'v' together with the extra information flag 'o' in the attr command.
770362       Issue: You are unable to set more than one dll to bypass from VASR forced reloc.
770524       Issue: Scormcpl.dll displays an older version in inventory after it is upgraded.
794445       Issue: Solidified batch files, when copied using another batch file, fail.
803731       Issue: With network tracking disabled, Self-Approval functionality does not work for network shares.
803948       Issue: Deny-Exec on a Script file is reported if Network tracking is disabled on a 64-bit architecture.
808857       Issue: A Self-Approval pop-up window displays if a file is opened with the execute flag even if the file is not executed.
808964       Issue: An Auth rule for a process making file changes does not get added correctly if allowed through Self-Approval.
812964       Issue: If the updater flag for a certificate rule is removed, the certificate is still listed as an updater on the endpoint.
816108       Issue: A file, authorized by checksum, is denied for execution when run from a network share.
656298       Issue: Upgrade via a hotfix build might fail in Update mode when run through Product Update Task.
603318       Issue: A blue screen error with bug check 0x00000050 (0xFFB4B000,0x00000000,0x80463723,0x00000000) might be observed after the system is solidified and rebooted.
810072       Issue: While running a 16-bit executable with Self-Approval enabled, the file type is listing as script.
819876       Issue: A process that does not work as Updater is configured as an Updater through auth by checksum.
Workaround: Configure the process as an Updater by name.

888634

      Issue: An unclean uninstallation of Adobe Flash Player occurs when pkg-ctrl-allow-uninstall is enabled.
Workaround: sadmin updaters add "C: \WINDOWS\system32\Macromed\Flash\FlashUtil32_11_6_602_180_ActiveX.exe".

888632

      Issue: A repair of .NET 3.5 fails.
Workaround: Add the below updater rules:
  • C: \WINDOWS\system32\msiexec.exe 
  • C: \WINDOWS\syswow64\msiexec.exe 

885091

 KB78642     Issue: You are unable to install Visual Studio 2010 Ultimate via updater.

887965

      Issue: Uninstallation of applications is not be blocked even if the pkg-ctrl-allow-uninstallation feature is disabled.
Workaround: Run the sadmin clg command after each installation of an application to block the uninstallation. This command clears out all cached GUIDs from the system. 

888878

 

 

    Issue: Multiple package control prevention events are seen while uninstalling and repairing Visual Studio 2010.
Workaround: Add "<install-dir>\Microsoft SDKs\Windows\v7.0A\Bin" to trusted path: "sadmin trusted -u "<install-dir>\Microsoft SDKs\Windows\v7.0A\Bin".

884396

      Issue: You are unable to install Adobe Flash Player 11 when the pkg-ctrl-bypass feature is enabled.
Workaround: sadmin updaters add InstallAX_11_6_602_180.exe.

883381

      Issue: Self Approval pop-ups for a user session are displayed on a console session instead of a user session.
Workaround: Run the following Solidcore commands from the command line:

sc config AeLookupSvc type= own
sadmin updaters add –l aelupsvc.dll svchost.ex

846136

      Issue: Application crashes occur when Solidcore DEP is enabled.
Workaround: Run the following Solidcore commands from the command line to bypass the process that is crashing with Solidcore DEP:

sadmin attr add -n

915562

 KB79517     Issue: McAfee Solidifer upgrade from 6.1.1 to 6.1.2 fails in Observe mode.
Workaround: See the Knowledge Base article for details.

910080

      Issue: Package Control, if an application has ctor.dll in its uninstall string, another application using ctor.dll, is not installed when pkg-ctrl-allow-uninstall is disabled.
Workaround: As a workaround for mode 1 of package control, the user can make the ctor.dll as updater using the complete path (for example, C:\Program Files (x86)\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\ctor.dll). For Package Control modes, see PD24669.

916640

      Issue: Deny Execution is not skipped for a drive after removing the skiplist -v flag without a reboot.
Workaround: A reboot is required to make it work.

910485

 KB79658     Issue: Package Control, uninstallation of an application fails using Add/Remove Programs, if an application is installed for a particular user.
Workaround: See the Knowledge Base article for details.

901147

      Issue: Installer (Auto-IT), first shown as script type, after copying to some other location, is showing as pe32-exe.

911678

      Issue: Package Control, unable to repair Visual Studio 2010 Ultimate if installed in Update mode.

903914

      Issue: File Write Denied events are seen when some exe, marked as updater, are run by double-clicking it.

918113

      Issue: Observations from Network share are not supported.

905783

      Issue: Batch files are executing (through cmd.exe) from a network path when network tracking is disabled.

922297

      Issue: In Enable mode, if the installer invokes multiple MSI internally, multiple observations are raised.

919300

      Issue: A Trusted Path operation fails if the operation is performed on a local share mounted as a network share locally.

923302

      Issue: In Enable mode, multiple observations are generated for files that got copied on the system after initial whitelisting.

920568

 KB79987     Issue: The upgrade version is not updated on the ePO server and the McTray About box after an endpoint upgrade.

941675

      Issue: Any changes to predefined rules for skiplist and Script-Auth are not applied for upgrades.

940921

      Issue: Write-Denied events are seen for sadmin.exe and Instaconfig.exe by the process csrss.exe.

940286

      Issue: A Pkg-modification-prevented event is raised during a MAC upgrade.

948349

      Issue: Multiple deny-write events for a self-approval pop-up for putty.exe are recorded when execution is done after downloading the file from the Internet.

961454

      Issue: An older version of the deployment task runs even though a newer version is installed and replaces a few .DLL files on the new version.
940085  KB73484    
Issue: There is a known incompatibility between McAfee Application Control and SafeNet ProtectFile: File Encryption and Protection software.
1149129       Issue: Unsolidified dll getting loaded in a rare scenario. This issue is fixed in 6.2.0 and later versions.
  KB83710 6.1.3   Issue: Windows paging file message appears after the system is solidified and rebooted to enable Application Control
Workaround:
There are two ways to avoid this issue:
  • Reboot the system again after the initial reboot is performed to enable MAC.
  • Add the following configuration before the system is solidified:
    • sadmin skiplist add -s <system drive>\pagefile.sys
    • sadmin skiplist add -i \pagefile.sys
980146 KB82357 6.1.3 6.1.3.380 Issue: McAfee Solidifier service does not install/register if the operating system is installed in a folder other than Windows
974538 KB82401 6.1.3 6.1.3.387 Issue: System crash (blue screen) Bugcheck 0x18 REFERENCE_BY_POINTER (observed on Windows 8 and Server 2012)
  KB82607 6.1.1 6.1.3 Issue: Installation of applications takes longer and leads to system slowness when Symantec Endpoint Protection is installed with MAC

Solution:

Exclude the following McAfee folders from Symantec antivirus scanning:
c:\program files\mcafee
c:\programdata\mcafee
1020827 KB83355 6.1.3 6.1.3.393 Issue: Application Control and Change Control installation fails if the "Documents and Settings" folder exists on a non-system drive
1050409 KB84198 6.1.3 6.2.0.458 Issue: Applications stop responding or system fails to shut down with Application Control enabled

Back to top

Windows 8
 
Reference Article Found in Version Resolved in version Description
959413      
Issue: You are unable to install an MSI-based package on x86 in Update or Enable mode.

947775

      Issue: The Windows Start screen icons disappear with solidifier installed on 32-bit systems.
946092      
Issue: sadmin commands might become unresponsive on Windows Embedded 8 64-bit platforms with the vsepflt driver.


Windows XP
 

Reference

Article Found in Version Resolved in Version Description
604834       Issue: On the Windows XP platform, NTFS junction points are supported only when junctions are created for volumes and not for folders.
701065       Issue: If you are using Application Control in the Enable mode on the Windows XP SP1 operating system, virtual memory use increases for most processes.
Workaround: Upgrade to Windows XP Service Pack 2.
793102       Issue: DLL rebasing does not work when a complete path to the DLL is specified.
809646       Issue: A Self Approval pop-up might hang while running non-whitelist binaries from the Desktop.
844203  KB81621     Issue: The system hangs with Microsoft Security Essentials installed.


Windows 2003
 
Reference Article Found in Version Resolved in Version Description
607361      
Issue: On 64-bit systems, some Java-based applications might fail and the Event Viewer logs show that the javaw.exe process was hijacked.
Workaround: Add javaw.exe to the attributes list with the -n option:

sadmin attr add -n javaw.exe

892432

      Issue: Deny-Exec and Deny-Write events are seen for .Net files via Windows update on Windows 2003.
Workaround: Add Netfxupdate.exe as an updater by name with inheritance enabled to successfully install Windows update for .NET.
832241      
Issue: A Non-Trusted user can execute an unsolidified bat file using runas CLI on Windows 2003 (x64). This issue is intermittent.
Workaround: Use the following command:

sc config wuauserv type= own


Windows 2008 R2 (64-bit)
 
Reference Article Found in Version Resolved in Version Description
608636       Issue: During manual installation of Solidcore Agent on the Windows 2008 R2 (64-bit) platform, you see that Windows installer encountered a validation error for the msiexec.exe and kernelbase.dll files.
Workaround: Click Ignore once or Ignore always on the error pop-up to continue installation.


Windows 2008 (64-bit)
 
Reference Article Found in Version Resolved in version Description
609780       Issue: On the Windows 2008 (64-bit) platform, the rundll32.exe file crashes if an application is uninstalled by using Add/Remove Programs and initially the SetupInstallFromInfSection() function was used to install the application.


Windows 2008/Vista (32-bit and 64-bit), Windows XP/Windows 7/Windows 2008 R2 (64-bit)
 
Reference Article Found in Version Resolved in Version  Description
609757       Issue: In Enable mode, if you try to access a folder with unsolidified files through File Explorer, deny-exec events are raised for the files in the folder.


Windows Vista
 
Reference Article Found in Version Resolved in Version Description
607541       Issue: For Windows Vista and later platforms, the Solidcore Agent configuration marks a service called Windows Modules Installer (TrustedInstaller.exe) as updater. This action is done to allow Windows Update to work properly. This service can both install and remove Windows components even if the pkg-ctrl feature is enabled.


Windows 2012
 
Reference Article Found in Version Resolved in Version Description
911734       Issue: Spurious events are generated when configuring AD on Windows 2012.
913943       Issue: Attr rules for MP NX and MP vasr are getting applied on Windows 2012.
1045414       Issue: In the system Event Viewer logs, a "Microsoft-Windows-Kernel-General" error message is logged while writing to the registry during start.


Windows 2003 IA
 
Reference Article Found in Version Resolved in Version Description
911734       Issue: The Solidifier service stops responding on Windows 2003 IA.


Back to top
Critical: There are currently no known critical issues.

Non-critical:

Solidcore Extension:
 
Reference Article Found in Version Resolved in Version Description
608618       Issue: When you try to upload the Windows Solidcore Agent Deployment Package (~100 MB) to ePO through Microsoft Internet Explorer, the file upload times out if the network upload speed is slow. 
Workaround: If an error displays in Internet Explorer 6, try using Internet Explorer 7 (or later). If the error occurs in Internet Explorer 7 or later, copy the package to a local directory on the ePO server. Access the ePO console on the ePO server and upload the file from the local path. Doing so avoids possible network delays.

605369

 

   

Issue: When Solidcore Agent installer is run by an agent installer with the /? argument, a series of unwanted dialog boxes appear due to a bug in the third-party packaging software. These dialog boxes can be ignored.

609311

 

   

Issue: Manual uninstallation of Solidcore Agent (deployed from ePO) fails on a client computer having McAfee Agent version 4.0 (or earlier).
Workaround: Contact Technical Support for assistance in case manual uninstallation has already been tried.

595570
595025
595511
595615
597243
598406
595043
607434
607899
611229

 

   

Issue: The following applications are incompatible with the Solidcore Agent for Windows. Contact Technical Support for further assistance.

  • Panda Titanium anti-virus 2005
  • Spyware Doctor
  • BlackIce
  • Trojan Hunter
  • BitDefender
  • BufferZone
  • Twister Anti-Trojan Virus 2005
  • Trend Micro OfficeScan 8.0, Trend Micro anti-virus 2008
  • Double-Take
  • Cisco Security Agent

594579

 

   

Issue: Unsolidified scripts cannot be copied using the MS-DOS command prompt on a solidified system. Any read access to unsolidified scripts by script interpreter configured for that script is denied. This denial generates unauthorized execution events. Such problems can be avoided by performing file operation using Windows Explorer.

594596
594770
595290

 

   

Issue: Antivirus software applications generate logs when the Solidcore Agent is enabled.
Workaround: Use appropriate applications as updaters.

594707

 

   

Issue: Roaming and Mandatory profiles with code files do not work properly. Copying files from Central store on domain controller to member server and back might fail.

594790

 

   

Issue: Solidcore Protection prevents updating of applications, such as Microsoft Office and Office tools after the initial installation. When executing the applications for the first time, Technical Support recommends that you run these applications in the Update Mode.

596425

 

   

Issue: Print server logs errors on Runtime Control module systems with the Solidcore Agent active in the Enabled mode.
Workaround: Add the printer share as a trusted share.

601158

 

   

Issue: The Runtime Control module uses MP-CASP as the default Memory Protection technique. If you want to enable MP-VASR, contact Technical Support.

607414

 

   

Issue: When script interpreters are added to memory protection bypass (casp or mangling-decoying), even after a script marked as an updater exits, the script interpreter’s updater privilege is not revoked.

608647

 

   

Issue: On 64-bit systems, multiple events might get generated when an unauthorized binary file is executed. The Windows operating system tries to run the binary multiple times by using reducing set of attributes until final failure.

609632

 

   

Issue: After the initial scan task completes and MAC Initial Scan task is complete and McAfee Application Control is enforced on the system now message displays, the system is said to be solidified.

608745

 

   

Issue: Files that are read-protected by the user (using 'sadmin read-protect' command) cannot be solidified.

624015

 

   

Issue: If enabled on a 64-bit computer, the memory protection feature prevents the installation of ActiveX.
Workaround: From the ePO console, complete the following steps to add the Internet Explorer executable (iexplore.exe) to the memory protection bypass list.

  1. Log on to the ePO 4.x console.
  2. Click MenuPolicyPolicy Catalog.
  3. Select the Solidcore 5.1.0 General entry from the Product drop-down.
  4. Select Exception Rules (Windows).
  5. Click Duplicate for the McAfee Default policy, specify the policy name, and click OK.
  6. Click the created policy and click Add.
  7. Enter iexplorer.exe as the file name, select Bypassed from Memory Control, and click OK.
  8. Click Save.
  9. Apply the policy to the appropriate endpoints. 
  10. From the endpoint, run ActiveX after adding the Internet Explorer executable (iexplore.exe) to the memory protection bypass list. Use the following command to add the executable to the bypass list. 

    sadmin attr add –n iexplore.exe

643688

 

   

Issue: If you try an ActiveX installation before enabling the ActiveX feature and retry the installation after enabling the ActiveX feature, the ActiveX might not get installed properly.
Workaround: If the ActiveX installation fails, delete all files in the <system drive>\windows\downloaded program files directory on the endpoint, remove all .cab files in the temporary Internet files. Now, install the ActiveX control on the endpoint.

602194

 

   

Issue: The package control feature is not able to stop the installation of some applications, such as Gvim and Winrar.

602929

 

   

Issue: If a package-based installer is executed before the package control feature can detect the package change, the deny-exec feature might prevent the execution of the installer.

607014

 

   

Issue: Adding a script as an updater twice (once on its own and again with its parent) might lead to ambiguous behavior.

616147

 

   

Issue: For standalone Solidcore Agent installation (in other words, installation not done via ePO) on endpoints where Oracle is installed, finetune.bat must be run manually at the endpoints to apply Oracle-specific rules.

595067

 

   

Issue: The system might hang while installing the security hotfix WindowsXP-KB884020-x86-enu.exe.
Workaround: Disable the Solidcore Agent before installing this hotfix.

598286

 

   

Issue: System hangs after installing Citrix MetaFrameXP with feature release 3.0.
Workaround: Add csrss.exe to bypass list.

599348

 

   

Issue: On viewing the properties of a file on the local drive, deny-write and deny-exec events are generated for the solidified and unsolidified files, respectively.

601126

 

   

Issue: When copying solidified files to a rewritable CD, although the files are copied successfully deny-write errors are logged.

601427

 

   

Issue: On 64-bit platforms, Enum or Performance in sub keys is bypassed from Solidcore Agent protection. Thus, when you delete a write-protected registry key with Enum or Performance in sub keys, you might get a partial completion status.

609812

 

   

Issue: For an ePO managed endpoint with a valid Application Control license for which the Initial Scan was deferred and that has many executable files installed, the Initial Scan client task after a reboot completes successfully. But, the system remains in Update mode for some time before going to Enabled mode. During this time, sending another client task to the endpoint might fail.

610206

 

   

Issue: The pop-up message regarding the completion of Initial Scan client task sent from ePO does not display on remote desktop sessions.

616089

 

   

Issue: In the output of sadmin diag command on the Spanish locale, read 'actualizadores agregar' as 'updaters add'.
For example, in the following output:

* actualizadores agregar -t DIAG: cmd.exe -p explorer.exe ""cmd.exe""

Should be read as:

* updaters add -t DIAG: cmd.exe -p explorer.exe ""cmd.exe""

600748

 

   

Issue: Multiple deny write events might get generated for a single deny write action. 
Example: On deletion of a file using Windows Explorer, up to 8 file deletion events are reported. The reason is because when the application denies deletion of a file, Windows Explorer tries multiple other methods to delete the file, resulting in the generation of an event for each attempt.

724600

 

   

Issue: ActiveX alerts are not generated on 64-bit Windows systems.
Workaround: Complete these steps if you are using the ePO console:

  1. Log on to the ePO 4.x. console.
  2. Click Menu, PolicyPolicy Catalog.
  3. Select the Solidcore 6.0 General entry from the Product drop-down.
  4. Select Exception Rules (Windows).
  5. Click Duplicate for the McAfee Default policy, specify the policy name, and click OK.
  6. Open the created policy and click Add.
  7. Enter iexplore.exe as the file name, select Bypassed from Memory Control, and click OK.
  8. Click Add.
  9. Type ieinstal.exe as the file name, select Bypassed from Memory Control and click OK.
  10. Click Save.
  11. Apply the policy to the endpoints.

Complete these steps from the endpoint if you are using the product in Standalone mode.

  1. Execute the following commands to define the required memory-protection bypass rules.

    sadmin attr add –n iexplore.exe
    sadmin attr add –n ieinstal.exe
  2. Run ActiveX controls.

608639

 

   

Issue: After you uninstall the Solidcore client from the Windows (64-bit) operating system, the Solidcore folder (c: \program files(x86)\solidcore) and Registry link (HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates) remain on the endpoint.

695246

 

   

Issue: Although the Solidcore NX protection is based on system DEP, it is possible that some applications work with system DEP but not with Solidcore NX. In such cases, if processes are added to Solidcore NX bypass list, the system DEP protection is enabled for the processes.

720663

 

   

Issue: Editing the Updater Label for an existing trusted publisher in an Application Control policy fails. Although the label changes on the ePO console, the change is not reflected on the endpoints.

723624

 

   

Issue: Execution Denied events might be generated for some DLL files with searchprotocolhost.exe as the process name. These events have no functionality impact.
Workaround: If many events are generated, create an AEF rule to prune the events.

725204

 

   

Issue: For 6.0 release, the Yahoo, Adobe Acrobat, CuteFTP, and WinZip rule groups have been removed from the default Application Control policy because of their security implications. Also, when you upgrade, these rule groups are removed from the default policies. If needed, you need to add these rule groups to policies manually.

702580

 

   

Issue: For Application Control-related internal files (such as finetune.bat and gatherinfo.bat), version details including binary version, vendor, application name, and application version are not available.

713989

 

   

Issue: If Application Control and Spector are installed on an endpoint and MP-CASP is enabled, Internet Explorer crashes.

685124

 

   

Issue: If you are running VirusScan Enterprise (VSE) 8.8 with the Access Protection Level set to Maximum on an endpoint, you cannot deploy Solidcore on the endpoint.

652602

 

   

Issue: If you disable the deny-exec-exes feature on any Windows (64-bit) operating system, change extension of an exe to .sys, and try to run the .sys file, execution of the .sys file is prevented. You can change the file extension to dll to run the file even if the deny-exex-dlls feature is enabled as well.

713011

 

   

Issue: Observations are erroneously generated for 64-bit binary files that are not supported on 32-bit platforms.

607574

 

   

Issue: On opening a network share (for systems running Windows Vista, Windows 7, Windows 2008), deny-write and deny-exec events are generated for the binary files present on the network share. The events are generated because Windows Explorer tries to fetch the icons for the files stored on the network share.

726020

 

   

Issue: If you upgrade from an older release to the 6.0 release and use a command added or changed in the 6.0 release without restarting the endpoint, you might receive a Msg not found error. 
Workaround: Restart the endpoint to ensure that all commands added or changed in the 6.0 release work correctly.

608868

 

   

Issue: On the Windows 2008, Windows 7, and Windows Vista operating systems, you might receive the An unauthorized change made to the Windows error. 
Workaround: Disable the MP-CASP feature.

768708

     

Issue: Unable to set flag fs-passthru 'p' and flag vasr forced reloc 'v' together with extra info flag 'o' in the attr command.

770362

     

Issue: Unable to set more than one dll to bypass from VASR forced reloc.

770524

     

Issue: Scormcpl.dll displays an older version in inventory after it is upgraded.

794445

     

Issue: Solidified batch files when copied using another batch file fails.

803731

     

Issue: With network tracking disabled, Self-Approval functionality does not work for network shares.

803948

     

Issue: Deny-Exec on Script file is reported if Network tracking is disabled on 64-bit architecture.

808857

     

Issue: Self-Approval pop-up shows up if files are opened with execute flag even if file is not executed.

808964

     

Issue: Auth rule for a process making file changes does not get added correctly if allowed through Self-Approval.

812964

     

Issue: If updater flag for a certificate rule is removed, certificate is still listed as updater on endpoint.

816108       Issue: A file, authorized by checksum, is denied for execution when run from network share.

656298

      Issue: Upgrade via hotfix build might fail in Update Mode when run through Product Update Task.

603318

     

Issue: Crash with bug check 0x00000050 (0xFFB4B000,0x00000000,0x80463723,0x00000000) might be observed after system is solidified and rebooted.

810072      

Issue: While running a 16-bit executable with Self-Approval enabled, file type is listing as script.

819876       Issue: Process does not work as Updater is configured as an Updater through auth by checksum.
Workaround: Configure the process as an Updater by name.

888634

 

   

Issue: Unclean uninstallation of Adobe Flash Player when pkg-ctrl-allow-uninstall is enabled.
Workaround: Sadmin updaters add "C: \WINDOWS\system32\Macromed\Flash\FlashUtil32_11_6_602_180_ActiveX.exe".

888632

 

   

Issue: Repair of dot-net 3.5 fails.
Workaround: Add the below updater rules:

  • C: \WINDOWS\system32\msiexec.exe 
  • C: \WINDOWS\syswow64\msiexec.exe 

885091

KB78642

   

Issue: Unable to install visual studio 2010 ultimate via updater.

887965

 

   

Issue: Uninstallation of applications is not be blocked even if the pkg-ctrl-allow-uninstallation feature is disabled.
Workaround: Run the sadmin clg command after each installation of application to block the uninstallation. This command clears out all cached GUIDs from the system. 

888878

 

   

Issue: Multiple package control prevention events seen while uninstalling and repairing visual studio 2010.
Workaround: Uninstall and repair were successful after adding "<install-dir>\Microsoft SDKs\Windows\v7.0A\Bin" to trusted path:

  • "sadmin trusted -u "<install-dir>\Microsoft SDKs\Windows\v7.0A\Bin" 

884396

 

   

Issue: Unable to install Adobe Flash Player 11 when pkg-ctrl-bypass feature is enabled.
Workaround: sadmin updaters add InstallAX_11_6_602_180.exe.

883381

 

   

Issue: Self Approval pop-ups for a user session are shown on console session instead of user session.
Workaround: Run following Solidcore commands from command line:

sc config AeLookupSvc type= own
sadmin updaters add –l aelupsvc.dll svchost.ex

846136

 

   

Issue: Application crashes when Solidcore DEP is enabled.
Workaround: Run following Solidcore commands from command line to bypass the process that is crashing with Solidcore DEP:

sadmin attr add -n

915562

KB79517

   

Issue: McAfee Solidifer upgrade from 6.1.1 fails in Observe Mode.
Workaround: See the Knowledge Base article for details.

910080

 

   

Issue: Package Control, if an application has ctor.dll in its uninstall string, another application using ctor.dll is not installed when pkg-ctrl-allow-uninstall is disabled.
Workaround: As a workaround for mode 1 of package control, user can make the ctor.dll as updater using complete path(for example, C: \Program Files (x86)\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\ctor.dll). For Package Control modes, see PD24669.

916640

 

   

Issue: Deny Execution is not skipped for drive after removing skiplist -v flag without reboot.
Workaround: A reboot is required to make it work.

910485

KB79658

   

Issue: Package Control, uninstallation of an application fails using add/remove program, if an application is installed for a particular user.
Workaround: See the Knowledge Base article for details.

901147

 

   

Issue: Installer (Auto-IT) first shown as script type and copying to some other location it is showing as pe32-exe.

911678

 

   

Issue: Package Control, unable to repair Visual studio ultimate 2010 if installed in update mode.

903914

 

   

Issue: File Write Denied events seen when some exe, marked as updater, are run by double-clicking it.

918113

 

   

Issue: Observations from Network share not supported.

905783

 

   

Issue: Batch files are executing (through cmd.exe) from network path when network tracking is disabled.

922297

 

   

Issue: In enable mode, if the installer invokes multiple MSI internally, multiple observations are raised.

919300

 

   

Issue: Trusted Path operation failed if operation performed on local share mounted as network share locally.

923302

 

   

Issue: In enable mode multiple observations are generated for files, that got copied on system after initial whitelisting.

920568

KB79987

   

Issue: Endpoint version is not updated on the ePO server and the McTray About box after an endpoint upgrade.

988737 KB78135 6.1.2.111 6.1.3.381 Issue: System crash when executing an Alternate Data Stream in Application Control Observe mode
902631 KB79173 6.1.2   Issue:  Application Control (Solidcore) inventory is not present in ePO 5.x
944384 KB81528 6.1.2.367 6.1.2.394 Issue: Err 1012 (0x3f4): The environment is incorrect (seen in logs with system slowness and blue screen errors)
958391 KB81714 6.1.2 6.1.3.357 Issue: Write denied events for the "Uninstall" registry key with Change Control 6.1.2 installed
976772 KB82222 6.1.2 6.1.3 Issue: McAfee Application Control service is taking large memory on the endpoint
987782 KB83104 6.1.3 and below 6.1.3 HF6 Issue: New code-signing certificate for Application Control 6.1.x
  KB83203 6.1.2 6.1.3.392 Issue: System crashes with Application Control BugCheck E0100010 on every bootup
1016834 KB83357 6.1.2 6.1.3 Issue: Slow performance with the ePO console on the Server Task and Policy Catalog pages


Back to top

Windows XP
 

Reference

Article

Found in Version Resolved in Version

Description

604834

 

   

Issue: On the Windows XP platform, NTFS junction points are supported only when junctions are created for volumes and not for folders.

701065

 

   

Issue: If you are using Application Control in the Enabled mode on the Windows XP SP1 operating system, virtual memory use increases for most processes.
Workaround: Upgrade to Windows XP Service Pack 2.

793102

     

Issue: DLL rebasing does not work when complete path to DLL is specified.

809646

     

Issue: Self Approval Pop Up might hang while running non-whitelist binaries from Desktop.

844203

 

   

Issue: System hangs with Microsoft Security Essentials installed.

945448 KB81218 6.1.2 6.1.2.379 Issue: Blue screen error showing BugCheck 0x19 while accessing a .PST file through Microsoft Outlook
1013715 KB83287 6.1.2 and below 6.1.3-392 Issue: Application Control system crashes on every reboot with BugCheck E0100010 due to inventory corruption


Windows 2003
 
Reference Article Found in Version Resolved in Version Description
607361      
Issue: On 64-bit systems, some Java-based applications might fail and the Event Viewer logs show that the javaw.exe process was hijacked.
Workaround: Add javaw.exe to the attributes list with the -n option:

sadmin attr add -n javaw.exe

892432

 

   

Issue: Deny-Exec and Deny-Write events seen for .Net files via windows update on Windows 2003.
Workaround: Add Netfxupdate.exe as an updater by name with inheritance enabled to successfully install windows update for .NET.

832241      
Issue: This issue is intermittent, where a Non-Trusted user can execute an unsolidified bat file using runas CLI on Windows 2003 (x64).
Workaround: Use the command:

sc config wuauserv type= own


Windows 2008 R2 [64-bit]
 
Reference Article Found in Version Resolved in Version Description
608636       Issue: During manual installation of Solidcore Agent on the Windows 2008 R2 (64-bit) platform, you see that Windows installer encountered a validation error for the msiexec.exe and kernelbase.dll files.
Workaround: Click Ignore once or Ignore always on the error pop-up to continue installation.


Windows 2008 [64-bit]
 
Reference Article Found in Version Resolved in Version Description
609780       Issue: On the Windows 2008 (64-bit) platform, the rundll32.exe file crashes if an application is uninstalled by using the Add/Remove Programs and initially SetupInstallFromInfSection() function was used to install the application.


Windows 2008/Vista [32-bit and 64-bit], Windows XP/Windows 7/Windows 2008 R2 [64-bit]
 
Reference Article Found in Version Resolved in Version Description
609757       Issue: In Enabled mode, if you try to access a folder with unsolidified files through File Explorer, deny-exec events are raised for the files in the folder.


Windows Vista
 
Reference Article Found in Version Resolved in Version Description
607541       Issue: For Windows Vista and higher platforms, the Solidcore Agent configuration marks a service called Windows Modules Installer (TrustedInstaller.exe) as updater. This action is done to allow Windows Update to work properly. This service can both install and remove Windows components even if pkg-ctrl feature is enabled.


Windows 2012
 
Reference Article Found in Version Resolved in Version Description
911734       Issue: Spurious events when configuring AD on 2K12.
913943       Issue: Attr rule for MP NX and MP vasr getting applied on Windows 2012.


Windows 2003 IA
 
Reference Article Found in Version Resolved in Version Description
911734       Issue: Solidifier service stops responding on Windows 2003 IA.


Back to top
Critical: There are currently no known critical issues.

Non-critical:

Solidcore Extension:
 
Reference Article Found in Version Resolved in Version Description
608618       Issue: When you try to upload the Windows Solidcore Agent Deployment Package (~100 MB) to ePO through Microsoft Internet Explorer, the file upload times out if the network upload speed is slow. 
Workaround: If an error displays in Internet Explorer 6, try using Internet Explorer 7 (or later). If the error occurs in Internet Explorer 7 or later, copy the package to a local directory on the ePO server. Access the ePO console on the ePO server and upload the file from the local path. Doing so avoids possible network delays.
605369       Issue: When Solidcore Agent installer is run by an agent installer with the /? argument, a series of unwanted dialog boxes appear due to a bug in the third-party packaging software. These dialog boxes can be ignored.
609311       Issue: Manual uninstallation of Solidcore Agent (deployed from ePO) fails on a client computer having McAfee Agent version 4.0 (or earlier).
Workaround: Contact Technical Support for assistance in case manual uninstallation has already been tried.
595570
595025
595511
595615
597243
598406
595043
607434
607899
611229
 
      Issue: The following applications are incompatible with the Solidcore Agent for Windows. Contact Technical Support for further assistance.
  • Panda Titanium anti-virus 2005
  • Spyware Doctor
  • BlackIce
  • Trojan Hunter
  • BitDefender
  • BufferZone
  • Twister Anti-Trojan Virus 2005
  • Trend Micro OfficeScan 8.0, Trend Micro anti-virus 2008
  • Double-Take
  • Cisco Security Agent
594579       Issue: Unsolidified scripts cannot be copied using the MS-DOS command prompt on a solidified system. Any read access to unsolidified scripts by script interpreter configured for that script, is denied. This denial generates unauthorized execution events. Such problems can be avoided by performing file operation using Windows Explorer.
594596
594770
595290
      Issue: Antivirus software applications generate logs when the Solidcore Agent is enabled.
Workaround: Use appropriate applications as updaters.
594707       Issue: Roaming and Mandatory profiles with code files do not work properly. Copying files from Central store on domain controller to member server and back might fail.
594790       Issue: Solidcore Protection prevents updating of applications, such as Microsoft Office and Office tools after the initial installation. When executing the applications for the first time, McAfee recommends that you run these applications in the Update Mode.
596425       Issue: Print server logs errors on Runtime Control module systems with the Solidcore Agent active in the Enabled mode.
Workaround: Add the printer share as a trusted share.
601158       Issue: The Runtime Control module uses MP-CASP as the default Memory Protection technique. If you want to enable MP-VASR, contact Technical Support.
607414       Issue: When script interpreters are added to memory protection bypass (casp or mangling-decoying), even after a script marked as an updater exits, the script interpreter’s updater privilege is not revoked.
608647       Issue: On 64-bit systems, multiple events might get generated when an unauthorized binary file is executed. The Windows operating system tries to run the binary multiple times by using reducing set of attributes until final failure.
609632       Issue: After the initial scan task completes and MAC Initial Scan task is complete and McAfee Application Control is enforced on the system now message displays, the system is said to be solidified.
608745       Issue: Files that are read-protected by the user (using 'sadmin read-protect' command) cannot be solidified.
624015       Issue: If enabled on a 64-bit computer, the memory protection feature prevents the installation of ActiveX.
Workaround: From the ePO console, complete the following steps to add the Internet Explorer executable (iexplore.exe) to the memory protection bypass list.
  1. Log on to the ePO 4.x console.
  2. Click MenuPolicyPolicy Catalog.
  3. Select the Solidcore 5.1.0 General entry from the Product drop-down.
  4. Select Exception Rules (Windows).
  5. Click Duplicate for the McAfee Default policy, specify the policy name, and click OK.
  6. Click the created policy and click Add.
  7. Enter iexplorer.exe as the file name, select Bypassed from Memory Control, and click OK.
  8. Click Save.
  9. Apply the policy to the appropriate endpoints. 
  10. From the endpoint, run ActiveX after adding the Internet Explorer executable (iexplore.exe) to the memory protection bypass list. Use the following command to add the executable to the bypass list. 

    sadmin attr add –n iexplore.exe
643688       Issue: If you try an ActiveX installation before enabling the ActiveX feature and retry the installation after enabling the ActiveX feature, the ActiveX might not get installed properly.
Workaround: If the ActiveX installation fails, delete all files in the <system drive>\windows\downloaded program files directory on the endpoint, remove all .cab files in the temporary Internet files. Now, install the ActiveX control on the endpoint.
602194       Issue: The package control feature is not able to stop the installation of some applications, such as Gvim and Winrar.
602929       Issue: If a package-based installer is executed before the package control feature can detect the package change, the deny-exec feature might prevent the execution of the installer.
607014       Issue: Adding a script as an updater twice (once on its own and again with its parent) might lead to ambiguous behavior.
616147       Issue: For standalone Solidcore Agent installation (that is, installation not done via ePO) on endpoints where Oracle is installed, finetune.bat must be run manually at the endpoints to apply Oracle-specific rules.
595067       Issue: The system might hang while installing the security hotfix WindowsXP-KB884020-x86-enu.exe.
Workaround: Disable the Solidcore Agent before installing this hotfix.
598286       Issue: System hangs after installing Citrix MetaFrameXP with feature release 3.0.
Workaround: Add csrss.exe to bypass list.
599348       Issue: On viewing the properties of a file on the local drive, deny-write and deny-exec events are generated for the solidified and unsolidified files, respectively.
601126       Issue: When copying solidified files to a rewritable CD, although the files are copied successfully deny-write errors are logged.
601427       Issue: On 64-bit platforms, Enum or Performance in sub keys is bypassed from Solidcore Agent protection. Thus, when you delete a write-protected registry key with Enum or Performance in sub keys, you might get a partial completion status.
609812       Issue: For an ePO managed endpoint with a valid Application Control license for which the Initial Scan was deferred and that has many executable files installed, the Initial Scan client task after a reboot completes successfully. But, the system remains in Update mode for some time before going to Enabled mode. During this time, sending another client task to the endpoint might fail.
610206       Issue: The pop-up message regarding the completion of Initial Scan client task sent from ePO does not display on remote desktop sessions.
616089       Issue: In the output of sadmin diag command on the Spanish locale, read 'actualizadores agregar' as 'updaters add'.
For example, in the following output:

* actualizadores agregar -t DIAG:cmd.exe -p explorer.exe ""cmd.exe""

Should be read as:

* updaters add -t DIAG:cmd.exe -p explorer.exe ""cmd.exe""

600748       Issue: Multiple deny write events might get generated for a single deny write action. 
Example: On deletion of a file using Windows Explorer, up to 8 file deletion events are reported. The reason is because when the application denies deletion of a file, Windows Explorer tries multiple other methods to delete the file, resulting in the generation of an event for each attempt.
724600       Issue: ActiveX alerts are not generated on 64-bit Windows systems.
Workaround: Complete these steps if you are using the ePO console:
  1. Log on to the ePO 4.x. console.
  2. Click Menu, PolicyPolicy Catalog.
  3. Select the Solidcore 6.0 General entry from the Product drop-down.
  4. Select Exception Rules (Windows).
  5. Click Duplicate for the McAfee Default policy, specify the policy name, and click OK.
  6. Open the created policy and click Add.
  7. Enter iexplore.exe as the file name, select Bypassed from Memory Control, and click OK.
  8. Click Add.
  9. Enter ieinstal.exe as the file name, select Bypassed from Memory Control, and click OK.
  10. Click Save.
  11. Apply the policy to the endpoints.
Complete these steps from the endpoint if you are using the product in Standalone mode.
  1. Execute the following commands to define the required memory-protection bypass rules.

    sadmin attr add –n iexplore.exe
    sadmin attr add –n ieinstal.exe
  2. Run ActiveX controls.
608639       Issue: After you uninstall the Solidcore client from the Windows (64-bit) operating system, the Solidcore folder (c:\program files(x86)\solidcore) and Registry link (HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates) remain on the endpoint.
695246       Issue: Although the Solidcore NX protection is based on system DEP, it is possible that some applications work with system DEP but not with Solidcore NX. In such cases, if processes are added to Solidcore NX bypass list, the system DEP protection is enabled for the processes.
720663       Issue: Editing the Updater Label for an existing trusted publisher in an Application Control policy fails. Although the label changes on the ePO console, the change is not reflected on the endpoints.
723624       Issue: Execution Denied events might be generated for some DLL files with searchprotocolhost.exe as the process name. These events have no functionality impact.
Workaround: If many events are generated, create an AEF rule to prune the events.
725204       Issue: For 6.0 release, the Yahoo, Adobe Acrobat, CuteFTP, and WinZip rule groups have been removed from the default Application Control policy because of their security implications. Also, when you upgrade, these rule groups are removed from the default policies. If needed, you need to add these rule groups to policies manually.
702580       Issue: For Application Control-related internal files (such as finetune.bat and gatherinfo.bat), version details including binary version, vendor, application name, and application version are not available.
713989       Issue: If Application Control and Spector are installed on an endpoint and MP-CASP is enabled, Internet Explorer crashes.
685124       Issue: If you are running VirusScan Enterprise (VSE) 8.8 with the Access Protection Level set to Maximum on an endpoint, you cannot deploy Solidcore on the endpoint.
652602       Issue: If you disable the deny-exec-exes feature on any Windows (64-bit) operating system, change extension of an exe to .sys, and try to run the .sys file, execution of the .sys file is prevented. You can change the file extension to dll and run the file even if the deny-exex-dlls feature is enabled as well.
713011       Issue: Observations are erroneously generated for 64-bit binary files that are not supported on 32-bit platforms.
607574       Issue: On opening a network share (for systems running Windows Vista, Windows 7, Windows 2008), deny-write and deny-exec events are generated for the binary files present on the network share. The events are generated because Windows Explorer tries to fetch the icons for the files stored on the network share.
726020       Issue: If you upgrade from an older release to the 6.0 release and use a command added or changed in the 6.0 release without restarting the endpoint, you might receive a Msg not found error. 
Workaround: Restart the endpoint to ensure that all commands added or changed in the 6.0 release work correctly.
608868       Issue: On the Windows 2008, Windows 7, and Windows Vista operating systems, you might receive the An unauthorized change made to the Windows error. 
Workaround: Disable the MP-CASP feature.
768708       Issue: Unable to set flag fs-passthru 'p' and flag vasr forced reloc 'v' together with extra info flag 'o' in the attr command.
770362       Issue: Unable to set more than one dll to bypass from VASR forced reloc.
770524       Issue: Scormcpl.dll displays an older version in inventory after it is upgraded.
794445       Issue: Solidified batch files when copied using another batch file fails.
803731       Issue: With network tracking disabled, Self-Approval functionality does not work for network shares.
803948       Issue: Deny-Exec on Script file is reported if Network tracking is disabled on 64-bit architecture.
808857       Issue: Self-Approval pop-up shows up if files are opened with execute flag even if file is not executed.
808964       Issue: Auth rule for a process making file changes does not get added correctly if allowed through Self-Approval
812964       Issue: If updater flag for a certificate rule is removed, certificate is still listed as updater on endpoint.
816108       Issue: A file, authorized by checksum, is denied for execution when run from network share.
656298       Issue: Upgrade via hotfix build might fail in Update Mode when run through Product Update Task.
603318       Issue: Crash with bug check 0x00000050 (0xFFB4B000,0x00000000,0x80463723,0x00000000) might be observed after system is solidified and rebooted.
810072       Issue: While running a 16-bit executable with Self-Approval enabled, file type is listing as script.
819876       Issue: Process does not work as Updater is configured as an Updater through auth by checksum.
Workaround: Configure the process as an Updater by name.
888634       Issue: Unclean uninstallation of Adobe Flash Player when pkg-ctrl-allow-uninstall is enabled.
Workaround: Sadmin updaters add "C:\WINDOWS\system32\Macromed\Flash\FlashUtil32_11_6_602_180_ActiveX.exe".
888632       Issue: Repair of dot-net 3.5 fails.
Workaround: Add the below updater rules:
  • C:\WINDOWS\system32\msiexec.exe 
  • C:\WINDOWS\syswow64\msiexec.exe 
885091  KB78642     Issue: Unable to install visual studio 2010 ultimate via updater.
887965       Issue: Uninstallation of applications is not blocked even if the pkg-ctrl-allow-uninstallation feature is disabled.
Workaround: Run the sadmin clg command after each installation of application to block the uninstallation. This command clears out all cached GUIDs from the system. 
888878  

 

    Issue: Multiple package control prevention events seen while uninstalling and repairing visual studio 2010.
Workaround: Uninstall and repair are successful after adding "<install-dir>\Microsoft SDKs\Windows\v7.0A\Bin" to trusted path:
  • "sadmin trusted -u "<install-dir>\Microsoft SDKs\Windows\v7.0A\Bin" 
884396       Issue: Unable to install Adobe Flash Player 11 when pkg-ctrl-bypass feature is enabled.
Workaround: sadmin updaters add InstallAX_11_6_602_180.exe.
883381       Issue: Self Approval pop-ups for a user session are shown on console session instead of user session.
Workaround: Run following Solidcore commands from command line:

sc config AeLookupSvc type= own
sadmin updaters add –l aelupsvc.dll svchost.ex

846136       Issue: Application crashes when Solidcore DEP is enabled.
Workaround: Run following Solidcore commands from command line to bypass the process that is crashing with Solidcore DEP:

sadmin attr add -n  

  KB75495 6.1.1 6.1.2 Issue: Application Control 6.x observations generate in large numbers causing ePO performance and database size issues

Solution: fixed in 6.1.2
  KB79345 6.1.1 6.1.2 Issue: cmd.exe fails to run with VMware ViewAgent installed on systems with Application Control or Change Control
917074 KB79475 6.1.1.369 6.1.1 HF2 Issue: Execution denials for .JAR files in Application Control and Change Control 6.1
922327 KB79684 6.1.1 6.1.3 Issue: Computer stops responding with Application Control/Change Control and other security products enabled
  KB79793 6.1.1 6.1.1.379 Issue: The Windows "Run" registry key gets deleted if Application Control / Change Control 6.1.1 is uninstalled
927545 KB79809 6.1.1.369 6.1.3 Issue: ePO could install an earlier version of Application Control and Change Control when 6.1.2 is already installed
  KB79815 6.1.1 6.1.2 Issue: Inventory upgrade is in progress (issue: sadmin commands could not be executed)
947036 KB81531 6.1.1 6.1.2.394 Issue: File might execute from DVD-RAM disk that is FAT formatted
  KB81592 6.1.1 6.1.2.368 Issue: Blue screen observed while deploying an image created through Windows Preinstallation Environment
  KB82153 6.1.1 6.1.3.353 Issue: High memory usage or memory leak for non-paged memory pool with Application Control/Change Control 6.1 enabled


Back to top

Windows XP
 
Reference Article Found in Version Resolved in Version Description
604834       Issue: On the Windows XP platform, NTFS junction points are supported only when junctions are created for volumes and not for folders.
701065       Issue: If you are using Application Control in the Enabled mode on the Windows XP SP1 operating system, virtual memory use increases for most processes.
Workaround: Upgrade to Windows XP Service Pack 2.
793102       Issue: DLL rebasing does not work when complete path to DLL is specified.
809646       Issue: Self Approval Pop Up might hang while running non-whitelist binaries from Desktop.


Windows 2003
 
Reference Article Found in Version Resolved in Version Description
607361      
Issue: On 64-bit systems, some Java-based applications might fail and the Event Viewer logs show that the javaw.exe process was hijacked.
Workaround: Add javaw.exe to the attributes list with the -n option:

sadmin attr add -n javaw.exe
892432       Issue: Deny-Exec and Deny-Write events seen for .Net files via windows update on Windows 2003.
Workaround: Add Netfxupdate.exe as an updater by name with inheritance enabled to successfully install windows update for .Net.
832241      
Issue: This issue is intermittent, where Non-Trusted user can execute an unsolidified bat file using runas CLI on Windows 2003 (x64).
Workaround: Use the command:

sc config wuauserv type= own


Windows 2008 R2 [64-bit]
 
Reference Article Found in Version Resolved in Version Description
608636       Issue: During manual installation of Solidcore Agent on the Windows 2008 R2 (64-bit) platform, the Windows installer encountered a validation error displays for the msiexec.exe and kernelbase.dll files.
Workaround: Click Ignore once or Ignore always on the error pop-up to continue installation.


Windows 2008 [64-bit]
 
Reference Article Found in Version Resolved in Version Description
609780       Issue: On the Windows 2008 (64-bit) platform, the rundll32.exe file crashes if an application is uninstalled by using the Add/Remove Programs and initially SetupInstallFromInfSection() function was used to install the application.


Windows 2008/Vista [32-bit and 64-bit], Windows XP/Windows 7/Windows 2008 R2 [64-bit]
 
Reference Article Found in Version Resolved in Version Description
609757       Issue: In Enabled mode, if you try to access a folder with unsolidified files through File Explorer, deny-exec events are raised for the files in the folder.


Windows Vista
 
Reference Article Found in Version Resolved in Version Description
607541       Issue: For Windows Vista and higher platforms, the Solidcore Agent configuration marks a service called Windows Modules Installer (TrustedInstaller.exe) as updater. This action is done to allow Windows Update to work properly. This service can both install and remove Windows components even if pkg-ctrl feature is enabled.


Back to top
Critical: There are currently no known critical issues.

Non-critical:

Solidcore Clients (all OS) and Extension:
 
Reference Article Found in Version Resolved in Version Description
608618       Issue: When you try to upload the Windows Solidcore Agent Deployment Package (~100 MB) to ePO through Microsoft Internet Explorer, the file upload times out if the network upload speed is slow. 
Workaround: If an error displays in Internet Explorer 6, try using Internet Explorer 7 (or later). If the error occurs in Internet Explorer 7 or later, copy the package to a local directory on the ePO server. Access the ePO console on the ePO server and upload the file from the local path. Doing so avoids possible network delays.
605369       Issue: When Solidcore Agent installer is run by an agent installer with the /? argument, a series of unwanted dialog boxes appear due to a bug in the third-party packaging software. These dialog boxes can be ignored.
609311       Issue: Manual uninstallation of Solidcore Agent (deployed from ePO) fails on a client computer having McAfee Agent version 4.0 (or earlier).
Workaround: Contact Technical Support for assistance in case manual uninstallation has already been tried.
595570
595025
595511
595615
597243
598406
595043
607434
607899
611229
 
      Issue: The following applications are incompatible with the Solidcore Agent for Windows. Contact Technical Support for further assistance.
  • Panda Titanium anti-virus 2005
  • Spyware Doctor
  • BlackIce
  • Trojan Hunter
  • BitDefender
  • BufferZone
  • Twister Anti-Trojan Virus 2005
  • Trend Micro OfficeScan 8.0, Trend Micro anti-virus 2008
  • Double-Take
  • Cisco Security Agent
594579       Issue: Unsolidified scripts cannot be copied using the MS-DOS command prompt on a solidified system. Any read access to unsolidified scripts by script interpreter configured for that script, is denied. This denial generates unauthorized execution events. Such problems can be avoided by performing file operation using Windows Explorer.
594596
594770
595290
      Issue: Antivirus software applications generate logs when the Solidcore Agent is enabled.
Workaround: Use appropriate applications as updaters.
594707       Issue: Roaming and Mandatory profiles with code files do not work properly. Copying files from Central store on domain controller to member server and back might fail.
594790       Issue: Solidcore Protection prevents updating of applications, such as Microsoft Office and Office tools after the initial installation. When executing the applications for the first time, McAfee recommends that you run these applications in the Update Mode.
596425       Issue: Print server logs errors on Runtime Control module systems with the Solidcore Agent active in the Enabled mode.
Workaround: Add the printer share as a trusted share.
601158       Issue: The Runtime Control module uses MP-CASP as the default Memory Protection technique. If you want to enable MP-VASR, contact Technical Support.
607414       Issue: When script interpreters are added to memory protection bypass (casp or mangling-decoying), even after a script marked as an updater exits, the script interpreter’s updater privilege is not revoked.
608647       Issue: On 64-bit systems, multiple events might get generated when an unauthorized binary file is executed. The Windows operating system tries to run the binary multiple times by using reducing set of attributes until final failure.
609632       Issue: After the initial scan task completes and MAC Initial Scan task is complete and McAfee Application Control is enforced on the system now message displays, the system is said to be solidified.
608745       Issue: Files that are read-protected by the user (using 'sadmin read-protect' command) cannot be solidified.
624015       Issue: If enabled on a 64-bit computer, the memory protection feature prevents the installation of ActiveX.
Workaround: From the ePO console, complete the following steps to add the Internet Explorer executable (iexplore.exe) to the memory protection bypass list.
  1. Log on to the ePO 4.x console.
  2. Click MenuPolicyPolicy Catalog.
  3. Select the Solidcore 5.1.0 General entry from the Product drop-down.
  4. Select Exception Rules (Windows).
  5. Click Duplicate for the McAfee Default policy, specify the policy name, and click OK.
  6. Click the created policy and click Add.
  7. Enter iexplorer.exe as the file name, select Bypassed from Memory Control, and click OK.
  8. Click Save.
  9. Apply the policy to the appropriate endpoints. 
  10. From the endpoint, run ActiveX after adding the Internet Explorer executable (iexplore.exe) to the memory protection bypass list. Use the following command to add the executable to the bypass list. 

    sadmin attr add –n iexplore.exe
643688       Issue: If you try an ActiveX installation before you enable the ActiveX feature, and retry the installation after you enable the ActiveX feature, the ActiveX might not install properly.
Workaround: If the ActiveX installation fails, delete all files in the <system drive>\windows\downloaded program files directory on the endpoint, remove all .cab files in the temporary Internet files. Now, install the ActiveX control on the endpoint.
602194       Issue: The package control feature is not able to stop the installation of some applications, such as Gvim and Winrar.
602929       Issue: If a package-based installer is executed before the package control feature can detect the package change, the deny-exec feature might prevent the execution of the installer.
607014       Issue: Adding a script as an updater twice (once on its own and again with its parent) might lead to ambiguous behavior.
616147       Issue: For standalone Solidcore Agent installation on endpoints where Oracle is installed, finetune.bat must be run manually at the endpoints to apply Oracle-specific rules. (A standalone Solidcore Agent installation means one not done via ePO.)
595067       Issue: The system might hang while installing the security hotfix WindowsXP-KB884020-x86-enu.exe.
Workaround: Disable the Solidcore Agent before installing this hotfix.
598286       Issue: System hangs after installing Citrix MetaFrameXP with feature release 3.0.
Workaround: Add csrss.exe to bypass list.
599348       Issue: On viewing the properties of a file on the local drive, deny-write and deny-exec events are generated for the solidified and unsolidified files, respectively.
601126       Issue: When copying solidified files to a rewritable CD, although the files are copied successfully deny-write errors are logged.
601427       Issue: On 64-bit platforms, Enum or Performance in sub keys is bypassed from Solidcore Agent protection. Thus, when you delete a write-protected registry key with Enum or Performance in sub keys, you might get a partial completion status.
609812       Issue: For an ePO managed endpoint with a valid Application Control license for which the Initial Scan was deferred and that has many executable files installed, the Initial Scan client task after a reboot completes successfully. But, the system remains in Update mode for some time before going to Enabled mode. During this time, sending another client task to the endpoint might fail.
610206       Issue: The pop-up message regarding the completion of Initial Scan client task sent from ePO does not display on remote desktop sessions.
616089       Issue: In the output of sadmin diag command on the Spanish locale, read 'actualizadores agregar' as 'updaters add'.
For example, in the following output:

* actualizadores agregar -t DIAG:cmd.exe -p explorer.exe ""cmd.exe""

Should be read as:

* updaters add -t DIAG:cmd.exe -p explorer.exe ""cmd.exe""

600748       Issue: Multiple deny write events might get generated for a single deny write action. 
Example: On deletion of a file using Windows Explorer, up to 8 file deletion events are reported. The reason is that when the application denies deletion of a file, Windows Explorer tries multiple other methods to delete the file, which results in the generation of an event for each attempt.
724600       Issue: ActiveX alerts are not generated on 64-bit Windows systems.
Workaround: Complete these steps if you are using the ePO console:
  1. Log on to the ePO 4.x. console.
  2. Click Menu, PolicyPolicy Catalog.
  3. Select the Solidcore 6.0 General entry from the Product drop-down.
  4. Select Exception Rules (Windows).
  5. Click Duplicate for the McAfee Default policy, specify the policy name, and click OK.
  6. Open the created policy and click Add.
  7. Enter iexplore.exe as the file name, select Bypassed from Memory Control, and click OK.
  8. Click Add.
  9. Enter ieinstal.exe as the file name, select Bypassed from Memory Control, and click OK.
  10. Click Save.
  11. Apply the policy to the endpoints.
Complete these steps from the endpoint if you are using the product in Standalone mode.
  1. Execute the following commands to define the required memory-protection bypass rules.

    sadmin attr add –n iexplore.exe
    sadmin attr add –n ieinstal.exe
  2. Run ActiveX controls.
608639       Issue: After you uninstall the Solidcore client from the Windows (64-bit) operating system, the Solidcore folder (c:\program files(x86)\solidcore) and Registry link (HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates) remain on the endpoint.
695246       Issue: Although the Solidcore NX protection is based on system DEP, it is possible that some applications work with system DEP but not with Solidcore NX. In such cases, if processes are added to Solidcore NX bypass list, the system DEP protection is enabled for the processes.
720663       Issue: Editing the Updater Label for an existing trusted publisher in an Application Control policy fails. Although the label changes on the ePO console, the change is not reflected on the endpoints.
723624       Issue: Execution Denied events might be generated for some DLL files with searchprotocolhost.exe as the process name. These events have no functionality impact.
Workaround: If many events are generated, create an AEF rule to prune the events.
725204       Issue: For 6.0 release, the Yahoo, Adobe Acrobat, CuteFTP, and WinZip rule groups have been removed from the default Application Control policy because of their security implications. Also, when you upgrade, these rule groups are removed from the default policies. If needed, you need to add these rule groups to policies manually.
702580       Issue: For Application Control-related internal files (such as finetune.bat and gatherinfo.bat), version details including binary version, vendor, application name, and application version are not available.
713989       Issue: If Application Control and Spector are installed on an endpoint and MP-CASP is enabled, Internet Explorer crashes.
685124       Issue: If you are running VirusScan Enterprise (VSE) 8.8 with the Access Protection Level set to Maximum on an endpoint, you cannot deploy Solidcore on the endpoint.
652602       Issue: If you disable the deny-exec-exes feature on any Windows (64-bit) operating system, change extension of an exe to .sys, and try to run the .sys file, execution of the .sys file is prevented. You can change the file extension to dll and run the file even if the deny-exex-dlls feature is enabled as well.
713011       Issue: Observations are erroneously generated for 64-bit binary files that are not supported on 32-bit platforms.
607574       Issue: On opening a network share (for systems running Windows Vista, Windows 7, Windows 2008), deny-write and deny-exec events are generated for the binary files present on the network share. The events are generated because Windows Explorer tries to fetch the icons for the files stored on the network share.
726020       Issue: If you upgrade from an older release to the 6.0 release and use a command added or changed in the 6.0 release without restarting the endpoint, you might receive a Msg not found error. 
Workaround: Restart the endpoint to ensure that all commands added or changed in the 6.0 release work correctly.
608868       Issue: On the Windows 2008, Windows 7, and Windows Vista operating systems, you might receive the An unauthorized change made to the Windows error. 
Workaround: Disable the MP-CASP feature.
768708       Issue: Unable to set flag fs-passthru 'p' and flag vasr forced reloc 'v' together with extra info flag 'o' in the attr command.
770362       Issue: Unable to set more than one dll to bypass from VASR forced reloc.
770524       Issue: Scormcpl.dll displays an older version in inventory after it is upgraded.
794445       Issue: Solidified batch files when copied using another batch file fails.
803731       Issue: With network tracking disabled, Self-Approval functionality does not work for network shares.
803948       Issue: Deny-Exec on Script file is reported if Network tracking is disabled on 64-bit architecture.
808857       Issue: Self-Approval pop-up shows up if files are opened with execute flag even if file is not executed.
808964       Issue: Auth rule for a process making file changes does not get added correctly if allowed through Self-Approval
812964       Issue: If updater flag for a certificate rule is removed, certificate is still listed as updater on endpoint.
816108       Issue: A file, authorized by checksum, is denied for execution when run from network share.
656298       Issue: Upgrade via hotfix build might fail in Update Mode when run through Product Update Task.
603318       Issue: Crash with bug check 0x00000050 (0xFFB4B000,0x00000000,0x80463723,0x00000000) might be observed after system is solidified and rebooted.
810072       Issue: While running a 16-bit executable with Self-Approval enabled, file type is listing as script.
819876       Issue: Process does not work as Updater is configured as an Updater through auth by checksum.
Workaround: Configure the process as an Updater by name.
888634       Issue: Unclean uninstallation of Adobe Flash Player when pkg-ctrl-allow-uninstall is enabled.
Workaround: Sadmin updaters add "C:\WINDOWS\system32\Macromed\Flash\FlashUtil32_11_6_602_180_ActiveX.exe".
888632       Issue: Repair of dot-net 3.5 fails.
Workaround: Add the below updater rules:
  • C:\WINDOWS\system32\msiexec.exe 
  • C:\WINDOWS\syswow64\msiexec.exe 
885091  KB78642     Issue: Unable to install visual studio 2010 ultimate via updater.
887965       Issue: Uninstallation of applications is not blocked even if the pkg-ctrl-allow-uninstallation feature is disabled.
Workaround: Run the sadmin clg command after each installation of application to block the uninstallation. This command clears out all cached GUIDs from the system. 
888878  

 

    Issue: Multiple package control prevention events seen while uninstalling and repairing visual studio 2010.
Workaround: Uninstall and repair are successful after adding "<install-dir>\Microsoft SDKs\Windows\v7.0A\Bin" to trusted path:
  • "sadmin trusted -u "<install-dir>\Microsoft SDKs\Windows\v7.0A\Bin" 
884396       Issue: Unable to install Adobe Flash Player 11 when pkg-ctrl-bypass feature is enabled.
Workaround: sadmin updaters add InstallAX_11_6_602_180.exe.
883381       Issue: Self Approval pop-ups for a user session are shown on console session instead of user session.
Workaround: Run following Solidcore commands from command line:

sc config AeLookupSvc type= own
sadmin updaters add –l aelupsvc.dll svchost.ex

846136       Issue: Application crashes when Solidcore DEP is enabled.
Workaround: Run following Solidcore commands from command line to bypass the process that is crashing with Solidcore DEP:

sadmin attr add -n  

834100 KB77208 6.1.0.648 6.1.0-671 Issue: Peer has shutdown the connection ('sadmin config export' and 'sadmin config import' commands fail)
Solution:
Solved in 6.1.0.671 or later
760726 KB77586 6.0.0.542 6.1.0 Issue: Build Failed; Unable to install extension (Errors while trying to upgrade Solidcore Extension)
Solution: Fixed in 6.1.0 and newer
847500 KB77785 6.1.0.9474 6.1.0.9488 Issue: Solidcore scsrvc service failed to start after successful installation of Solidifier Linux
Solution: Fixed in 6.1.0.9488 and Above
876878 KB78110 6.1.0.689 6.1.1 Issue: Solidcore Local CLI Access Password was not updated or does not exist on client system
Solution: Fixed in 6.1.1 or later
820795 KB78335 6.0.0.9703   Issue: A Windows pop-up error displays while running Sysprep with Application Control enabled
912238 KB79334 6.0.0.340 6.2.0 Issue: Computer stops responding when booting with Junction drives created
  KB81170 6.x   Issue: Recovering local CLI fails, a long cmd auth from ePO is already running (after upgrading Application Control to a newer version)
955770 KB81511 6.1   Issue: Whitelisted file is denied from execution if Hibernate Once/Resume Many (HORM) is enabled
977062 KB82806 6.1.0 6.1.3.380 Issue: In a rare scenario, an un-solidified (not in the whitelist) driver is loaded with MAC enabled
  KB83260 6.1.0 Will not Fix Issue: 1208 error when trying to install Solidcore
Solution: Change the ANSI code page you are currently using through the Windows Regional and Language options. See the Microsoft documentation for instructions for your version of Windows.
1180231 KB89044 6.1.x   Issue: (LINUX) The passwd file cannot be read or write-protected by the integrity feature of Application and Change Control


Back to top

Windows XP
 
Reference Article Found in Version Resolved in Version Description
604834       Issue: On the Windows XP platform, NTFS junction points are supported only when junctions are created for volumes and not for folders.
701065       Issue: If you are using Application Control in the Enabled mode on the Windows XP SP1 operating system, virtual memory use increases for most processes.
Workaround: Upgrade to Windows XP Service Pack 2.
793102       Issue: DLL rebasing does not work when complete path to DLL is specified.
809646       Issue: Self Approval Pop Up might hang while running non-whitelist binaries from Desktop.


Windows 2003
 
Reference Article Found in Version Resolved in Version Description
607361      
Issue: On 64-bit systems, some Java-based applications might fail and the Event Viewer logs show that the javaw.exe process was hijacked.
Workaround: Add javaw.exe to the attributes list with the -n option:

sadmin attr add -n javaw.exe
892432       Issue: Deny-Exec and Deny-Write events seen for .Net files via windows update on Windows 2003.
Workaround: Add Netfxupdate.exe as an updater by name with inheritance enabled to successfully install windows update for .Net.
832241      
Issue: This issue is intermittent, where Non-Trusted user can execute an unsolidified bat file using runas CLI on Windows 2003 (x64).
Workaround: Use the command:

sc config wuauserv type= own


Windows 2008 R2 [64-bit]
 
Reference Article Found in Version Resolved in Version Description
608636       Issue: During manual installation of Solidcore Agent on the Windows 2008 R2 (64-bit) platform, the Windows installer encountered a validation error displays for the msiexec.exe and kernelbase.dll files.
Workaround: Click Ignore once or Ignore always on the error pop-up to continue installation.


Windows 2008 [64-bit]
 
Reference Article Found in Version Resolved in Version Description
609780       Issue: On the Windows 2008 (64-bit) platform, the rundll32.exe file crashes if an application is uninstalled with Add/Remove Programs, but was initially installed with the SetupInstallFromInfSection() function.


Windows 2008/Vista [32-bit and 64-bit], Windows XP/Windows 7/Windows 2008 R2 [64-bit]
 
Reference Article Found in Version Resolved in Version Description
609757       Issue: In Enabled mode, if you try to access a folder with unsolidified files through File Explorer, deny-exec events are raised for the files in the folder.


Windows Vista
 
Reference Article Found in Version Resolved in Version Description
607541       Issue: For Windows Vista and higher platforms, the Solidcore Agent configuration marks a service called Windows Modules Installer (TrustedInstaller.exe) as updater. This action is done to allow Windows Update to work properly. This service can both install and remove Windows components even if pkg-ctrl feature is enabled.


Back to top
 

Rate this document

Beta Translate with

Select a desired language below to translate this page.

Glossary of Technical Terms


 Highlight Glossary Terms

Please take a moment to browse our Glossary of Technical Terms.