• In the Standalone deployment, run sadmin check -r or sadmin so <file path>
• In ePO managed, run check -r or so <file path> from the SC: Run Command client task.

• /opt/McAfee/ens/tp/bin/mfetpd
• /opt/McAfee/ens/tp/bin/mfetpcli
• /opt/McAfee/ens/esp/bin/mfeespd
• /opt/McAfee/ens/fw/bin/mfefwd
• /opt/McAfee/ens/fw/bin/mfefwcli

• SUSE Enterprise Linux Server 12 or SUSE Enterprise Linux Desktop 12 with kernel 4.10 or higher installed
• ACC with XFS in Update mode in use

1. Restart the system with a kernel version lower than 4.10 (see KB90947 for supported kernel versions).
2. When the system starts, leave the update mode by executing sadmin eu.
3. Restart the system again with kernel version higher than 4.10.

1. Run "/opt/bitrock/solidcoreS3-6.3.0-724/helperBinaryUninstall"
2. Run "rpm -e solidcoreS3-6.3.0-794.i386 --noscripts"
3. Run "rpm -e solidcoreS3-kmod-6.3.0-794.i386 --noscripts"

1. Log on to the ePO 4.x console.
2. Add the AD server with the group as a Registered Server.
3. Search for the group by selecting the registered AD server. Make sure that the Global Catalog Search option is deselected.
4. Add the group to a policy as a trusted group.

• If the child process is added as an updater, the non-inheritable option (-d) of the parent process is overridden.
• If the parent process is added as an updater, the non-inheritable option (-d) of the child is overridden.

• If such a process makes file changes, these changes might not be reported.
• For processes that start before the driver is loaded, only the partial program names are reported.
• For NFS, the changes made by the client, and the change events displaying on the server have only the relative name for the NFS daemon (in other words, nfsd or nfsktcpd).
• No Process Start and Process Stop events are generated for already running processes.
• On only the AIX platform, Change Tracking or Prevention on file systems mounted by such processes might or might not work. System calls executed by already running processes can't be trapped because of differences in the way system calls are implemented for the AIX platform. As a workaround, you can restart such processes.

systemctl start scsrvc.service
systemctl stop scsrvc.service

1. Log on to the ePO 4.x console.
2. Add the AD server with the group as a registered server.
3. Search for the group by selecting the registered AD server. Make sure that the Global Catalog Search option is deselected.
4. Add the group to a policy as a trusted group.

""Database: . Could not load table 'Control' in SQL query: SELECT `Control`, 
`Type`, `X`, `Y`, `Width`, `Height`, `Attributes`, `Property`, `Text`, 
`Control_Next`, `Help` FROM `Control` WHERE `Dialog_`=?"""

920568

941675

940921

• If the child process is added as an updater, the non-inheritable option (-d) of the parent process is overridden.
• If the parent process is added as an updater, the non-inheritable option (-d) of the child is overridden.

• If these processes make file changes then the changes might not be reported.
• For processes that started before the driver was loaded, only the partial program names are reported.
• For NFS, the changes done by the client and the change events displayed on the server have only the relative name for the NFS daemon (in other words, nfsd or nfsktcpd).
• No Process Start and Process Stop events are generated for already running processes.
• On only the AIX platform: Change Tracking or Prevention on file systems mounted by these processes might or might not work. System calls executed by already running processes can't be trapped owing to differences in the way system calls are implemented. As a workaround, you can restart such processes.

HOME=""/"" 
export HOME

• Events have /? at the beginning of the path.
• rp/wp doesn't work on such files.

1. Stop the CMA service using the /usr/sbin/cma stop command.
2. Uncompress the SOLIDCOR511-7505_AIX.zip file.
3. Execute the slibclean command.
4. Execute mapkg_install.sh (sh mapkg_install.sh) from the output directory of the .zip file.
5. Complete one of the following steps:
    
   • If upgraded in Update mode, restart the system.
   • If upgraded in Disabled mode, start the CMA service (/usr/sbin/cma start).

608618

607452

Issue: ePO4.6 - Reports and dashboard entries aren't removed after the Solidcore Extension is uninstalled.

Workaround: If you're uninstalling and reinstalling the Solidcore extension, remove the reports and dashboards manually after uninstalling and before reinstalling.

607517

Issue: PDF reports have minor data display and formatting issues if more than 50,000 records are reported.

608347

Issue: The Solidcore Policies Applied on Hosts report displays all policies derived from the root, regardless of the SKUs enabled on the platform.

609304

Issue: It's not possible to export data from the Reporting, Solidcore Events page. 

Workaround: Use Queries (Reporting, Queries) to export event data.

636769

Issue: If you upgrade from Solidcore 5.1.0 to 5.1.1 (or later), existing Solidcore events in the Solidcore Events table aren't migrated to the ePO Events table.

636352

Issue: After removing the Solidcore Extension, all Solidcore-related events are retained in the ePO table. When you view the events in the Threat Event Log, some fields might display erroneous data.

607554

Issue: Solidcore policies can't be duplicated by using the Policy Details page because the OK button is disabled.

Workaround: Use the Policy Catalog page to duplicate policies.

643854

Issue: When you use the Guided Configuration page on the ePO 4.6 console, the Save Policy button isn't enabled when changes are made to Solidcore Policies. 

Workaround: Edit the policy by using the Policy Catalog without using Guided Configuration.

608374

Issue: When you try to enable an already enabled Solidcore Agent, the error displayed isn't translated.

607908

Issue: It's not possible to export more than 50,000 records from any table or report.

608025

Issue: Reports, tasks, and policies for all SKUs are listed even if the license for that SKU isn't added.

609911

Issue: Export of rule groups doesn't work in Internet Explorer when opened from the ePO Server.

Workaround: Use Internet Explorer from a different computer to export rule groups.

610303

Issue: The Server Task pages on ePO might not work properly if you use Mozilla Firefox version 3.0.

Workaround: Technical Support recommends the use of Mozilla Firefox version 3.6 (or later) or Internet Explorer 6.0 (or later).

608753

Issue: Sometimes, using the username field of reported events on the ePO as a trusted user might not work if the client system is part of an AD domain. The reason is because the domain name reported in the events isn't the full AD domain. 

Workaround: Use the environment variable USERDNSDOMAIN as the domain name for AD clients. You can also review the properties of the My Computer icon to identify the complete username to specify as the trusted user.

608759

Issue: If ePO is installed on a Japanese version of Windows, exporting the dashboard data to HTML format fails if the generated HTML file name contains digits.

608390

Issue: When viewing an Integrity Monitor policy, the My Rules tab isn't translated.

669563

Issue: If you run reconciliation on a setup with millions of unauthorized changes (for about 5000 hosts), the Systems with Unauthorized changes page doesn't open. When you select the Systems with Unauthorized changes link (on the Risk and Compliance, Change Control Reconciliation page), the page times out and user is logged off the ePO console.

656518

Issue: If you install Solidcore Extension 5.1.2 (or later) on an existing ePO 4.5 system and then upgrade to ePO version 4.6 FIPS mode, the event parser stops working.

Workaround: Upgrade the required DLL with the following command:

https://[ePO IP address:port]/remote/scor.upgradeEventParser.do 

661203

Issue: If you're using reconciliation with Solidcore Extension 5.1.1 (or earlier) and upgrade to Solidcore Extension 5.1.2 (or later), you can't access the older reconciliation data.

607950

Issue: User-defined system variables in policies are resolved at the endpoint only after the endpoint is restarted.

707486

Issue: When using the ePO 4.6 console, navigating quickly through the Events pages logs off the user.

714176

Issue: On ePO 4.6 Update 1 or Update 2, if you add multiple commands to a Run Commands client task while creating the task, you can't later remove the commands from the saved client task.

719796

Issue: Global catalog search for AD groups isn't supported.

Workaround: Search for a group in a specific AD server instead of using the Global Catalog. To add a specific group, perform the steps below:

1. Log on to the ePO 4.x console.
2. Add the AD server with the group as a registered server.
3. Search for the group by selecting the registered AD server. Make sure that the Global Catalog Search option is deselected.
4. Add the group to a policy as a trusted group.

722045

Issue: Adding new columns, such as Solidcore Status and Solidification Status for an endpoint by clicking Actions, Choose columns, noncompliant Solidcore Agent might not display values for all endpoints. The reason is because the noncompliant Solidcore Agent section includes only noncompliant agent properties.

Workaround: When adding new columns for an endpoint, click Actions, Choose columns, Solidcore Client Properties instead of Actions, Choose columns, noncompliant Solidcore Agent.

695769

Issue: Under Content Change Tracking feature, the view file page goes blank for a file size of around 1 MB.

800014

Issue: Additional events are reconciled when manual reconciliation is done from custom queries.

Workaround: To perform the manual reconciliation for multiple events by selecting either All in this page or Select All in all pages, open the Solidcore events page. Navigate to Menu, Reporting, Solidcore Events.

NOTE: This option doesn't work well if you reach Solidcore Events by drilling down from a Query page.

882821

Issue: Sorting isn't supported on the Last Modification Time column on the Content Change Tracking page.

1. Click Menu, Configuration.
2. Click Solidcore Rules, Rule Groups Page.

Workaround: Perform this action using other browsers (Example: Firefox, Chrome).

Workaround: Uninstall the old help extension and install the new one.

608418

Issue: Original username reported in events is the same as username.

595051

Issue: Multiple operating systems on the same computer aren't supported. Product features work only on the operating system that it's installed on.

599812

Issue: Uninstallation fails if the uninstallation process is canceled before it completes.

600805

Issue: While opening a write-protected network share in Windows Explorer, few deny-write errors are observed.

603747

Issue: The trusted, solidified, and write-protect features don't work correctly for folder-mounted volumes.

Workaround: Contact Technical Support for assistance if the setup uses folder-mounted volumes.

604153

Issue: Post install script customization isn't available during upgrades. It can only be used during fresh installation of the Solidcore Agent.

608036

Issue: Mapped drive names can't be used in commands issued by remote users or ePO.

634733

Issue: If the database tables are corrupted, the Solidcore Agent upgrade fails and you see the following error message:

""Database: . Could not load table 'Control' in SQL query: SELECT `Control`, 
`Type`, `X`, `Y`, `Width`, `Height`, `Attributes`, `Property`, `Text`, 
`Control_Next`, `Help` FROM `Control` WHERE `Dialog_`=?"""

Workaround: Use silent installation instead of UI mode installation.

605369

Issue: When an agent installer runs the Solidcore Agent installer with the /? argument, a series of unwanted dialog boxes display due to a bug in the third-party packaging software. You can ignore these dialog boxes.

609311

Issue: Manual uninstallation of the Solidcore Agent (deployed from ePO) fails on a client computer with MA version 4.0 (or earlier).

Workaround: Contact Technical Support for assistance if you've already tried manual uninstallation.

598002

Issue: Registry key protection doesn't work for all registry key hives, it works only for HKEY_LOCAL_MACHINE.

599240

Issue: A subkey registry doesn't get added to a protected registry key when using the reg command.

601500

Issue: Creating a shortcut in a read-protected directory isn't allowed.

602122

Issue: Any file operation performed on a read-protected file generates deny-read events that correspond to the file even when the file operation is allowed.

603032

Issue: Changes to folder-mounted volumes that don't have an associated drive letter can't be monitored.

Workaround: Assign a drive letter to a volume before mounting it on any other folder.

603628

Issue: On 64-bit platforms, ACL change events aren't generated when the update mechanism supersedes the deny-write policies for registries.

605371

Issue: When you try to read a read-protected file with certain file flags set through Windows Explorer, read-denied events might not be written to the event viewer. The events are recorded in the Solidcore Agent log file.

606496

Issue: Only full long names are supported with commands that accept file or folder names. For example, Names such as c:\myPackages\SETUP-~1.EXE aren't supported.

606532

Issue: Virtual drive paths aren't supported as path values in Solidcore Agent commands, such as write-protect, read-protect, and monitor.

607024

Issue: The deny-read feature is disabled by default. A read-protect rule is immediately applied to Solidcore Agent but is effective only after the deny-read feature is enabled on the Solidcore Agent.

600748

Issue: Multiple deny-write events might be generated for a single deny-write action. For example, on deletion of a file using Windows Explorer, up to eight file deletion events are reported. When the application denies deletion of a file, Windows Explorer tries multiple methods to delete the file, resulting in an event for each attempt.

608639

Issue: After you uninstall the Solidcore client from the Windows (64-bit) operating system, the Solidcore folder (c:\program files(x86)\solidcore) and Registry link (HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates) remain on the endpoint.

691196

Issue: For a file where you're tracking content changes, you receive an unknown error if connectivity issues occur while sending metadata for the file from the endpoint to the ePO console.

Workaround: When network connectivity resumes, the next change to the file is reflected accurately on the ePO console.

685124

Issue: If you're running VSE 8.8 with the Access Protection Level set to Maximum, you can't deploy Solidcore on the endpoint.

724796

Issue: Although you can track content changes for a read-protected file, you can't view the actual changes. The reason is because the read protection rule prevents the software from fetching file contents from the endpoint.

726020

Issue: If you upgrade from an older release to the 6.0 release and use a command added or changed in the 6.0 release without restarting the endpoint, you might receive a Msg not found error. 

Workaround: Restart the endpoint to make sure that all commands added or changed in the 6.0 release work correctly.

770524

Issue: The scormcpl.dll displays an older version in the inventory after it's upgraded.

799559

Issue: If you exclude the .bat extension from monitoring, events for batch file operations are generated.

812964

Issue: If the Updater flag is removed for a cert rule over ePO, the certificate is listed as updater on the endpoint.

656298

Issue: Upgrade via hotfix build fails in Update Mode if initiated through an ePO Product Update Task.

876430

Issue: For monitoring and change control rules with '*', the 'longest path' rule isn't given precedence for conflicting rules.

881480

Issue: Revisions aren't reported for Content Change tracking if user events are filtered using the filter rules.

Workaround: Exclude the user from event filtering and apply advanced filters for the user for exclusion of unwanted events for files and directories. 

894237

Issue: For a directory-based Content Change Tracking rule, renaming of the directory or its subdirectory generates spurious monitor events.

919290

Issue: The Registry Names in mon events are inconsistent.

920568

Issue: Endpoint version isn't updated on the ePO server and the McTray About box after an endpoint upgrade.

708226

Issue: Change Control is functionally incompatible with Avecto Privilege guard.

608671

Issue: If Solidcore Agent is installed in a non-default path, upgrading via ePO isn't supported. Such an upgrade might leave the Solidcore Agent in an inconsistent state. Technical Support recommends that you uninstall the existing version and then install the new version using ePO.

608737

Issue: If the partition with the /opt/McAfee/cma directory has insufficient space, events might not be generated and the Failed to generate event xml error message is added to the solidcore.log file. Free up space in partition with the /opt/McAfee/cma directory.

601728

Issue: According to NFS protocol, if a file present on the NFS share is opened once on the NFS client, it can't be reopened until the file attributes are changed. A read-protected file, on an NFS share, opened on the client side in update mode can be read on the client. It can be read even in enable mode (after coming out of the update mode) until the file attributes are changed on the server.

601734

Issue: Changing a hard link might cause the name of the link or program to be displayed in events.

601914

Issue: For daemon processes, the reported username and original username are the same.

602653

Issue: A write-protected file can be changed through its hard link if the hard link has already been created.

602772

Issue: Scripts without a #! tag can't act as updaters.

602977

Issue: For loopback file systems, some features such as updater and monitoring don't work correctly when the loopback path is used instead of a physical path in the sadmin commands. For instance, if /opt is mounted as a loopback file system at /mnt, to add /mnt/abc as an updater, you must add the path /opt/abc as an updater.

602990

Issue: Some features like updaters and mon-proc-exec don't work properly for unsupported file formats. Only executable binaries and #! scripts are supported file formats.

603462

Issue: The BOOTING_ENABLED and BOOTING_UPDATE_MODE events aren't added to the system log.

Workaround: At boot time, start the syslog service before the Solidcore Agent service.

603490

Issue: The following issues are observed when an updater calls another updater:

• If the child process is added as an updater, the non-inheritable option (-d) of the parent process is overridden.
• If the parent process is added as an updater, the non-inheritable option (-d) of the child is overridden.

604780

Issue: For processes that aren't directly associated with a terminal, the original_user field is the same as the user field. 

For example, when you run a script through Runlevel/init scripts, original_user is same as the user.

605062

Issue: The mmap system call at the nfs client doesn't work if the file is read-protected.

606674

Issue: A write-protected file can be changed or deleted if the file system is mounted to a different directory.

607014

Issue: Adding a script as an updater twice (once on its own and again with its parent) might lead to unexpected behavior.

607024

Issue: By default, the deny-read feature is disabled. A read-protect rule is immediately applied to Solidcore Agent but is effective only after the deny-read feature is enabled on the Solidcore Agent.

607245

Issue: No events are generated for changes to a file with the string “solidcore.log” in its name. For example, mysolidcore.log.

601763

Issue: Process information can't be determined for processes that are invoked before the Solidcore Agent driver is loaded. This fact has the following implications:

• If these processes make file changes then the changes might not be reported.
• For processes that start before the driver is loaded, only the partial program names are reported.
• For NFS, the changes made by the client, and the change events displayed on the server have only the relative name for the NFS daemon (in other words, nfsd or nfsktcpd).
• No Process Start and Process Stop events are generated for already running processes.
• On only the AIX platform: Change Tracking or Prevention on file systems mounted by these processes might or might not work. System calls executed by already running processes can't be trapped because of differences in the way system calls are implemented. As a workaround, you can restart such processes.

604604

Issue: Write or read protection doesn't work on files added via cachefs/lofs.

613214

Issue: If the install path is a mount point, forcibly unmounting (Example: Using the umount –f command) might lead to non-deterministic behavior.

603386

Issue: The Solidcore Agent can't be installed, upgraded, or uninstalled through init scripts that run at system boot time.

Workaround: Add the following two statements in the init script before invoking the installer:

HOME=""/"" 

export HOME

613205

Issue: For a file with multiple hard links, the change event contains the name of any one of the hard links as the file name. For instance, if a file named test has test1 and test2 as hard links, the event generated when the file is changed can contain any of the three names by which the file is known.

613213

Issue: Because of NFS protocol behavior, a large write request to the NFS client goes to the NFS server in the form of multiple RPC calls, and multiple FILE_MODIFIED events are generated at the NFS server.

610254

Issue: When you run the Debug Info client task for a UNIX system, the log states that the gatherinfo.tar.gz file is generated. The name of the generated file is suffixed with the host name and time stamp. For example, gatherinfo-hpj-03-07-08-10_14-37-45.tar.gz.

616089

Issue: Localized strings aren't consistent. Partial localization is seen in some events and messages.

708279

Issue: For RHEL5 or RHEL6 (kernel less than 2.6.32-220) and kernels of SLES 10 or SUSE11 (excluding SLES11 SP2), FILE_CREATED events are incorrectly reported as FILE_ATTR_MODIFIED over NFSv4 partition.

762449

Issue: Events are generated if a special device file is renamed.

797291

Issue: During Dynamic Kernel Module compilation, an empty file named 2 is created in the dks directory.

797363

Issue: The Sadmin Xray command doesn't list the attr specific configurations for the running process.

798843

Issue: Unexpected behavior might be observed if a process exits without closing one or more changed files.

802433

Issue: If the volume is unsolidified, it's not listed as unsolidified in the output of ‘sadmin status’.

807180

Issue: Installation on a non pre-compiled kernel fails if the installer runs from a Windows share that's mounted using CIFS. 

Workaround: Mount the Windows share using NFS.

811983

Issue: Property collection on ePO and endpoint might show different versions of solidifier if the system isn't rebooted after Upgrade.

812578

Issue: On some kernels, you see error messages related to scdrv in the console during system boot.

• Events have /? at the beginning of the path.
• rp/wp doesn't work on such files.

1. Stop the CMA service using the following command: /usr/sbin/cma stop
2. Uncompress the SOLIDCOR511-7505_AIX.zip file.
3. Execute the slibclean command.
4. Execute mapkg_install.sh (sh mapkg_install.sh) from the output directory of the .zip file.
5. Complete one of the following steps:
    
   • If upgraded in update mode, restart the system.
   • If upgraded in disabled mode, start the CMA service (/usr/sbin/cma start).

608618

607452

Issue: Reports and dashboard entries aren't removed after the Solidcore Extension is uninstalled.

Workaround: If you're uninstalling and reinstalling the Solidcore extension, remove the reports and dashboards manually after uninstalling and before reinstalling.

607517

Issue: PDF reports have minor data display and formatting issues if more than 50,000 records are reported.

608347

Issue: The Solidcore Policies Applied on Hosts report displays all policies derived from the root, regardless of the SKUs enabled on the platform.

609304

Issue: It's not possible to export data from the Reporting, Solidcore Events page.
 
Workaround: Use Queries (Reporting, Queries) to export event data.

636769

Issue: If you upgrade from Solidcore 5.1.0 to 5.1.1 (or later), existing Solidcore events in the Solidcore Events table aren't migrated to the ePO Events table.

636352

Issue: After removing the Solidcore Extension, all Solidcore-related events are retained in the ePO table. When you view the events in the Threat Event Log, some fields might display erroneous data.

607554

Issue: Solidcore policies can't be duplicated by using the Policy Details page because the OK button is disabled.

Workaround: Use the Policy Catalog page to duplicate policies.

643854

Issue: When you use the Guided Configuration page on the ePO 4.6 console, the Save Policy button isn't enabled when changes are made to Solidcore Policies. 

Workaround: Edit the policy by using the Policy Catalog without using Guided Configuration.

608374

Issue: When you try to enable an already enabled Solidcore Agent, the error displayed isn't translated.

607908

Issue: It's not possible to export more than 50,000 records from any table or report.

608017

Issue: The Configuration page allows users to create a group with the name My Rules.

608025

Issue: Reports, tasks, and policies for all SKUs are listed even if the license for that SKU isn't added.

609911

Issue: Export of rule groups doesn't work in Internet Explorer when opened from the ePO Server.

Workaround: Use Internet Explorer from a different computer to export rule groups.

610303

Issue: The Server Task pages on ePO might not work properly if you use Mozilla Firefox version 3.0.

Workaround: McAfee recommends the use of Mozilla Firefox version 3.6 (or later) or Internet Explorer 6.0 (or later).

608753

Issue: Sometimes, using the username field of reported events on the ePO as a trusted user might not work if the client system is part of an AD domain. The reason is because the domain name reported in the events isn't the full AD domain. 

Workaround: Use the environment variable USERDNSDOMAIN as the domain name for AD clients. You can also review the properties of the My Computer icon to identify the complete user name to specify as the trusted user.

608759

Issue: If ePO is installed on a Japanese version of Windows, exporting the dashboard data to HTML format fails if the generated HTML file name contains digits.

608390

Issue: When viewing an Integrity Monitor policy, the My Rules tab isn't translated.

669563

Issue: If you run reconciliation on a setup with millions of unauthorized changes (for about 5000 hosts), the Systems with Unauthorized changes page doesn't open. When you select the Systems with Unauthorized changes link (on the Risk and Compliance, Change Control Reconciliation page), the page times out and user is logged off the ePO console.

656518

Issue: If you install Solidcore Extension 5.1.2 (or later) on an existing ePO 4.5 system and then upgrade to ePO version 4.6 FIPS mode, the event parser stops working.

Workaround: Upgrade the required DLL with the following command:  

https://[ePO IP address:port]/remote/scor.upgradeEventParser.do 

661203

Issue: If you're using reconciliation with Solidcore Extension 5.1.1 (or earlier) and upgrade to Solidcore Extension 5.1.2 (or later), you can't access the older reconciliation data.

607950

Issue: User-defined system variables in policies are resolved at the endpoint only after the endpoint is restarted.

707486

Issue: When using the ePO 4.6 console, navigating quickly through the Events pages logs off the user.

714176

Issue: On ePO 4.6 Update 1 or Update 2, if you add multiple commands to a Run Commands client task while creating the task, you can't remove the commands from the saved client task later.

719796

Issue: Global catalog search for AD groups isn't supported.

Workaround: Search for a group in a specific AD server instead of using the Global Catalog. To add a specific group, perform the steps below:

1. Log on to the ePO 4.x console.
2. Add the AD server with the group as a registered server.
3. Search for the group by selecting the registered AD server. Make sure that the Global Catalog Search option is deselected.
4. Add the group to a policy as a trusted group.

722045

Issue: Adding new columns, such as Solidcore Status and Solidification Status for an endpoint by clicking Actions, Choose columns, noncompliant Solidcore Agent might not display values for all endpoints. The reason is because the noncompliant Solidcore Agent section includes only noncompliant agent properties.

Workaround: When adding new columns for an endpoint, click Actions, Choose columns, Solidcore Client Properties instead of Actions, Choose columns, noncompliant Solidcore Agent.

695769

Issue: Under Content Change Tracking feature, the view file page goes blank for a file size of around 1 MB.

800014

Issue: Extra events are reconciled when manual reconciliation done from custom queries.

Workaround: To perform the manual reconciliation for multiple events by selecting either All in this page or Select All in all pages, open the Solidcore events page. Navigate to Menu, Reporting, Solidcore Events.

NOTE: This option doesn't work well if you reach Solidcore Events by drilling down from a Query page.

882821

Issue: Sorting isn't supported on Last Modification Time column on the Content Change Tracking page.

608418

Issue: Original username reported in events is the same as username.

595051

Issue: Multiple operating systems on the same computer aren't supported. Product features work only on the operating system that it's installed on.

599812

Issue: Uninstallation fails if the uninstallation process is canceled before it completes.

600805

Issue: While opening a write-protected network share in Windows Explorer, few deny-write errors are observed.

603747

Issue: The trusted, solidified, and write-protect features don't work correctly for folder-mounted volumes.

Workaround: Contact Technical Support for assistance if the setup uses folder-mounted volumes.

604153

Issue: Post install script customization isn't available during upgrades. It can only be used during fresh installation of the Solidcore Agent.

608036

Issue: Mapped drive names can't be used in commands issued by remote users or ePO.

634733

Issue: If the database tables are corrupted, the Solidcore Agent upgrade fails and the following error message is displayed:

""Database: . Could not load table 'Control' in SQL query: SELECT `Control`, 
`Type`, `X`, `Y`, `Width`, `Height`, `Attributes`, `Property`, `Text`, 
`Control_Next`, `Help` FROM `Control` WHERE `Dialog_`=?"""

Workaround: Use silent installation instead of UI mode installation.

605369

Issue: When an agent installer runs the Solidcore Agent installer with the /? argument, a series of unwanted dialog boxes display due to a bug in the third-party packaging software. You can ignore these dialog boxes.

609311

Issue: Manual uninstallation of the Solidcore Agent (deployed from ePO) fails on a client computer with MA version 4.0 (or earlier).

Workaround: Contact Technical Support for assistance if you've already tried manual uninstallation.

598002

Issue: Registry key protection doesn't work for all registry key hives, it works only for HKEY_LOCAL_MACHINE.

599240

Issue: A subkey registry doesn't get added to a protected registry key when using the reg command.

601500

Issue: Creating a shortcut in a read-protected directory isn't allowed.

602122

Issue: Any file operation performed on a read-protected file generate deny-read events that correspond to the file even when the file operation is allowed.

603032

Issue: Changes to folder-mounted volumes that don't have an associated drive letter can't be monitored.

Workaround: Assign a drive letter to a volume before mounting it on any other folder.

603628

Issue: On 64-bit platforms, ACL change events aren't generated when the update mechanism supersedes the deny-write policies for registries.

605371

Issue: When you try to read a read-protected file with certain file flags set through Windows Explorer, read-denied events might not be written to the event viewer. The events are recorded in the Solidcore Agent log file.

606496

Issue: Only full long names are supported with commands that accept file or folder names. For example, Names such as c:\myPackages\SETUP-~1.EXE aren't supported.

606532

Issue: Virtual drive paths aren't supported as path values in Solidcore Agent commands, such as write-protect, read-protect, and monitor.

607024

Issue: The deny-read feature is disabled by default. A read-protect rule is immediately applied to Solidcore Agent but is effective only after the deny-read feature is enabled on the Solidcore Agent.

600748

Issue: Multiple deny-write events might be generated for a single deny-write action. For example, on deletion of a file using Windows Explorer, up to eight file deletion events are reported. When the application denies deletion of a file, Windows Explorer tries multiple methods to delete the file, resulting in an event for each attempt.

608639

Issue: After you uninstall the Solidcore client from the Windows (64-bit) operating system, the Solidcore folder (c:\program files(x86)\solidcore) and Registry link (HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates) remain on the endpoint.

691196

Issue: For a file where you are tracking content changes, you receive an unknown error if connectivity issues occur while sending metadata for the file from the endpoint to the ePO console.

Workaround: When network connectivity resumes, the next change to the file is reflected accurately on the ePO console.

685124

Issue: If you're running VSE 8.8 with the Access Protection Level set to Maximum, you can't deploy Solidcore on the endpoint.

724796

Issue: Although you can track content changes for a read-protected file, you can't view the actual changes. The reason is because the read protection rule prevents the software from fetching file contents from the endpoint.

726020

Issue: If you upgrade from an older release to the 6.0 release and use a command added or changed in the 6.0 release without restarting the endpoint, you might receive a Msg not found error. 

Workaround: Restart the endpoint to make sure that all commands added or changed in the 6.0 release work correctly.

770524

Issue: The scormcpl.dll displays an older version in the inventory after it's upgraded.

799559

Issue: If you exclude the .bat extension from monitoring, events for batch file operations are generated.

812964

Issue: If the Updater flag is removed for a cert rule over ePO, the certificate is listed as an updater on the endpoint.

656298

Issue: Upgrade via a hotfix build fails in Update Mode if initiated through an ePO Product Update Task.

876430

Issue: For monitoring and change control rules with '*', the 'longest path' rule isn't given precedence for conflicting rules.

881480

Issue: Revisions aren't reported for Content Change tracking if user events are filtered using the filter rules.

Workaround: Exclude the user from event filtering and apply advanced filters for the user for exclusion of unwanted events for files and directories. 

894237

Issue: For a directory-based Content Change Tracking rule, renaming of the directory or its subdirectory generates spurious monitor events.

708226

Issue: Change Control is functionally incompatible with Avecto Privilege guard.

608671

Issue: If Solidcore Agent is installed in a non-default path, upgrading via ePO isn't supported. Such an upgrade might leave the Solidcore Agent in an inconsistent state. We recommend that you uninstall the existing version and then install the new version using ePO.

608737

Issue: If the partition with the /opt/McAfee/cma directory has insufficient space, events might not be generated and the Failed to generate event xml error message is added to the solidcore.log file. Free up space in partition with the /opt/McAfee/cma directory.

601728

Issue: According to NFS protocol, if a file present on the NFS share is opened once on the NFS client, it can't be reopened until the file attributes are changed. A read-protected file, on an NFS share, opened on the client side in update mode, can be read on the client. It can be read in enable mode (after coming out of the update mode) until the file attributes are changed on the server.

601734

Issue: Changing a hard link might cause the name of the link or program to display in events.

601914

Issue: For daemon processes, the reported username and original username are the same.

602653

Issue: A write-protected file can be changed through its hard link if the hard link has already been created.

602772

Issue: Scripts without a #! tag can't act as updaters.

602977

Issue: For loopback file systems, some features such as updater and monitoring don't work correctly when the loopback path is used instead of a physical path in the sadmin commands. For instance, if /opt is mounted as a loopback file system at /mnt, to add /mnt/abc as an updater, you must add the path /opt/abc as an updater.

602990

Issue: Some features like updaters and mon-proc-exec don't work properly for unsupported file formats. Only executable binaries and #! scripts are supported file formats.

603462

Issue: The BOOTING_ENABLED and BOOTING_UPDATE_MODE events aren't added to the system log.

Workaround: At boot time, start the syslog service before the Solidcore Agent service.

603490

Issue: The following issues are observed when an updater calls another updater:

• If the child process is added as an updater, the non-inheritable option (-d) of the parent process is overridden.
• If the parent process is added as an updater, the non-inheritable option (-d) of the child is overridden.

604780

Issue: For processes that aren't directly associated with a terminal, the original_user field is the same as the user field. 

For example, when you run a script through Runlevel/init scripts, original_user is same as the user.

605062

Issue: The mmap system call at the nfs client doesn't work if the file is read-protected.

606674

Issue: A write-protected file can be changed or deleted if the file system is mounted to a different directory.

607014

Issue: Adding a script as an updater twice (once on its own and again with its parent) might lead to unexpected behavior.

607024

Issue: By default, the deny-read feature is disabled. A read-protect rule is immediately applied to Solidcore Agent but is effective only after the deny-read feature is enabled on the Solidcore Agent.

607245

Issue: No events are generated for changes to a file with the string "solidcore.log" in its name. For example, mysolidcore.log.

601763

Issue: Process information can't be determined for processes that are invoked before the Solidcore Agent driver is loaded. This issue has the following implications:

• If these processes make file changes, the changes might not be reported.
• For processes that start before the driver is loaded, only the partial program names are reported.
• For NFS, the changes done by the client, and the change events displayed on the server have only the relative name for the NFS daemon (that is, nfsd or nfsktcpd).
• No Process Start and Process Stop events are generated for already running processes.
• On only the AIX platform: Change Tracking or Prevention on file systems mounted by these processes might or might not work. System calls executed by already running processes can't be trapped owing to differences in the way system calls are implemented. As a workaround, you can restart such processes.

604604

Issue: Write or read protection doesn't work on files added via cachefs/lofs.

613214

Issue: If the install path is a mount point, forcibly unmounting (Example: Using the umount –f command) might lead to non-deterministic behavior.

603386

Issue: The Solidcore Agent can't be installed, upgraded, or uninstalled through init scripts that run at system boot time.

Workaround: Add the following two statements in the init script before invoking the installer:

HOME=""/"" 

export HOME

613205

Issue: For a file with multiple hard links, the change event contains the name of any one of the hard links as the file name. For instance, if a file named test has test1 and test2 as hard links, the event generated when the file is changed can contain any of the three names by which the file is known.

613213

Issue: Because of NFS protocol behavior, a large write request to the NFS client goes to the NFS server in the form of multiple RPC calls, and multiple FILE_MODIFIED events are generated at the NFS server.

610254

Issue: When you run the Debug Info client task for a UNIX system, the log states that the gatherinfo.tar.gz file is generated. The name of the generated file is suffixed with the host name and time stamp. For example, gatherinfo-hpj-03-07-08-10_14-37-45.tar.gz.

616089

Issue: Localized strings aren't consistent. Partial localization is seen in some events and messages.

708279

Issue: For RHEL5 or RHEL6 (kernel less than 2.6.32-220) and kernels of SLES 10 or SUSE11 (excluding SLES11 SP2), FILE_CREATED events are incorrectly reported as FILE_ATTR_MODIFIED over NFSv4 partition.

762449

Issue: Events are generated if a special device file is renamed.

797291

Issue: During Dynamic Kernel Module compilation, an empty file named 2 is created in the dks directory.

797363

Issue: The Sadmin Xray command doesn't list the attr specific configurations for the running process.

798843

Issue: Unexpected behavior might be observed if a process exits without closing one or more changed files.

802433

Issue: If the volume is unsolidified, it's not listed as unsolidified in the output of 'sadmin status.'

807180

Issue: Installation on a non pre-compiled kernel fails if the installer runs from a Windows share that's mounted using CIFS. 

Workaround: Mount the Windows share using NFS.

811983

Issue: Property collection on ePO and endpoint might show different versions of the solidifier if the system isn't rebooted after Upgrade.

812578

Issue: On some kernels, error messages related to scdrv are displayed in the console during system boot.

• Events have /? at the beginning of the path.
• rp/wp doesn't work on such files.

1. Stop the CMA service using the following command: /usr/sbin/cma stop
2. Uncompress the SOLIDCOR511-7505_AIX.zip file.
3. Execute the slibclean command.
4. Execute mapkg_install.sh (sh mapkg_install.sh) from the output directory of the .zip file.
5. Complete one of the following steps:
    
   • If upgraded in update mode, restart the system.
   • If upgraded in disabled mode, start the CMA service (/usr/sbin/cma start).

608556
608557

608618

607452

Issue: Reports and dashboard entries aren't removed after the Solidcore Extension is uninstalled.

Workaround: If you're uninstalling and reinstalling the Solidcore extension, remove the reports and dashboards manually after uninstalling and before reinstalling.

607517

Issue: PDF reports have minor data display and formatting issues if more than 50,000 records are reported.

608347

Issue: The Solidcore Policies Applied on Hosts report displays all policies derived from the root, regardless of the SKUs enabled on the platform.

609304

Issue: It's not possible to export data from the Reporting, Solidcore Events page. 

Workaround: Use Queries (Reporting, Queries) to export event data.

636769

Issue: If you upgrade from Solidcore 5.1.0 to 5.1.1 (or later), existing Solidcore events in the Solidcore Events table aren't migrated to the ePO Events table.

636352

Issue: After removing the Solidcore Extension, all Solidcore-related events are retained in the ePO table. When you view the events in the Threat Event Log, some fields might display erroneous data.

607554

Issue: Solidcore policies can't be duplicated by using the Policy Details page because the OK button is disabled.

Workaround: Use the Policy Catalog page to duplicate policies.

643854

Issue: When you use the Guided Configuration page on the ePO 4.6 console, the Save Policy button isn't enabled when changes are made to Solidcore Policies. 

Workaround: Edit the policy by using the Policy Catalog without using Guided Configuration.

608374

Issue: When you try to enable an already enabled Solidcore Agent, the error displayed isn't translated.

607908

Issue: It's not possible to export more than 50,000 records from any table or report.

607963

Issue: An incorrect message (Monitor Failure) displays in ePO 4.5 when a user without the required permissions tries to access a dashboard.

608017

Issue: The Configuration page allows users to create a group with the name My Rules.

608025

Issue: Reports, tasks, and policies for all SKUs are listed even if the license for that SKU isn't added.

609911

Issue: Export of rule groups doesn't work in Internet Explorer when opened from the ePO Server.

Workaround: Use Internet Explorer from a different computer to export rule groups.

610303

Issue: The Server Task pages on ePO might not work properly if you use Mozilla Firefox version 3.0.

Workaround: Technical Support recommends Mozilla Firefox version 3.6 (or later) or Internet Explorer 6.0 (or later).

608753

Issue: Sometimes, using the username field of reported events on the ePO as a trusted user might not work if the client system is part of an AD domain. The reason is because the domain name reported in the events isn't the full AD domain. 

Workaround: Use the environment variable USERDNSDOMAIN as the domain name for AD clients. You can also review the properties of the My Computer icon to identify the complete username to specify as the trusted user.

608759

Issue: If ePO is installed on a Japanese version of Windows, exporting the dashboard data to HTML format fails if the generated HTML file name contains digits.

608390

Issue: When viewing an Integrity Monitor policy, the My Rules tab isn't translated.

669563

Issue: If you run reconciliation on a setup with millions of unauthorized changes (for about 5000 hosts), the Systems with Unauthorized changes page doesn't open. When you select the Systems with Unauthorized changes link (on the Risk and Compliance, Change Control Reconciliation page), the page times out and the user is logged off the ePO console.

656518

Issue: If you install Solidcore Extension 5.1.2 (or later) on an existing ePO 4.5 system and then upgrade to ePO version 4.6 FIPS mode, the event parser stops working.

Workaround: Upgrade the required DLL with the following command: https://[ePO IP address:port]/remote/scor.upgradeEventParser.do 

661203

Issue: If you're using reconciliation with Solidcore Extension 5.1.1 (or earlier) and upgrade to Solidcore Extension 5.1.2 (or later), you can't access the older reconciliation data.

607950

Issue: User-defined system variables in policies are resolved at the endpoint only after the endpoint is restarted.

707486

Issue: When using the ePO 4.6 console, navigating quickly through the Events pages logs off the user.

714176

Issue: On ePO 4.6 Update 1 or Update 2, if you add multiple commands to a Run Commands client task while creating the task, you can't remove the commands from the saved client task later.

719796

Issue: Global catalog search for AD groups isn't supported.

Workaround: Search for a group in a specific AD server instead of using the Global Catalog. To add a specific group, perform the steps below:

1. Log on to the ePO 4.x console.
2. Add the AD server with the group as a registered server.
3. Search for the group by selecting the registered AD server. Make sure that the Global Catalog Search option is deselected.
4. Add the group to a policy as a trusted group.

722365

Issue: If a non-administrative user changes the displayed columns for an endpoint and adds any new columns, other endpoints (on which Change Control or Application Control is not installed) might be removed from the System Tree.

722045

Issue: Adding new columns, such as Solidcore Status and Solidification Status for an endpoint by clicking Actions, Choose columns, noncompliant Solidcore Agent might not display values for all endpoints. The reason is because the noncompliant Solidcore Agent section includes only noncompliant agent properties.

Workaround: When adding new columns for an endpoint: Click Actions, Choose columns, Solidcore Client Properties instead of Actions, Choose columns, noncompliant Solidcore Agent.

695769

Issue: Under Content Change Tracking feature, the view file page goes blank for a file size of around 1 MB.

800014

Issue: Extra events are reconciled when manual reconciliation is done from custom queries.

Workaround: To perform the manual reconciliation for multiple events by selecting either All in this page or Select All in all pages, open the Solidcore events page. Navigate to Menu, Reporting, Solidcore Events.

NOTE: This option doesn't work well if you reach Solidcore Events by drilling down from a Query page.

608418

Issue: Original username reported in events is the same as username.

595051

Issue: Multiple operating systems on the same computer aren't supported. Product features work only on the operating system that it's installed on.

599812

Issue: Uninstallation fails if the uninstallation process is canceled before it completes.

600805

Issue: While opening a write-protected network share in Windows Explorer, few deny-write errors are observed.

603747

Issue: The trusted, solidified, and write-protect features don't work correctly for folder-mounted volumes.

Workaround: Contact Technical Support for assistance if the setup uses folder-mounted volumes.

604153

Issue: Post install script customization isn't available during upgrades. It can only be used during fresh installation of the Solidcore Agent.

608036

Issue: Mapped drive names can't be used in commands issued by remote users or ePO.

634733

Issue: If the database tables are corrupted, the Solidcore Agent upgrade fails and the following error message is displayed:

""Database: . Could not load table 'Control' in SQL query: SELECT `Control`, 
`Type`, `X`, `Y`, `Width`, `Height`, `Attributes`, `Property`, `Text`, 
`Control_Next`, `Help` FROM `Control` WHERE `Dialog_`=?"""

Workaround: Use silent installation instead of UI mode installation.

605369

Issue: When an agent installer runs the Solidcore Agent installer with the /? argument, a series of unwanted dialog boxes display due to a bug in the third-party packaging software. You can ignore these dialog boxes.

609311

Issue: Manual uninstallation of the Solidcore Agent (deployed from ePO) fails on a client computer with MA version 4.0 (or earlier).

Workaround: Contact Technical Support for assistance if you've already tried manual uninstallation.

598002

Issue: Registry key protection doesn't work for all registry key hives, it works only for HKEY_LOCAL_MACHINE.

599240

Issue: A subkey registry doesn't get added to a protected registry key when using the reg command.

601500

Issue: Creating a shortcut in a read-protected directory isn't allowed.

602122

Issue: Any file operation performed on a read-protected file generates deny-read events that correspond to the file even when the file operation is allowed.

603032

Issue: Changes to folder-mounted volumes that don't have an associated drive letter can't be monitored.

Workaround: Assign a drive letter to a volume before mounting it on any other folder.

603628

Issue: On 64-bit platforms, ACL change events aren't generated when the update mechanism supersedes the deny-write policies for registries.

605371

Issue: When you try to read a read-protected file with certain file flags set through Windows Explorer, read-denied events might not be written to the event viewer. The events are recorded in the Solidcore Agent log file.

606496

Issue: Only full long names are supported with commands that accept file or folder names. For example, Names such as c:\myPackages\SETUP-~1.EXE aren't supported.

606532

Issue: Virtual drive paths aren't supported as path values in Solidcore Agent commands, such as write-protect, read-protect, and monitor.

607024

Issue: The deny-read feature is disabled by default. A read-protect rule is immediately applied to Solidcore Agent but is effective only after the deny-read feature is enabled on the Solidcore Agent.

600748

Issue: Multiple deny-write events might be generated for a single deny-write action. For example, on deletion of a file using Windows Explorer, up to eight file deletion events are reported. When the application denies deletion of a file, Windows Explorer tries multiple methods to delete the file, resulting in an event for each attempt.

608639

Issue: After you uninstall the Solidcore client from the Windows (64-bit) operating system, the Solidcore folder (c:\program files(x86)\solidcore) and Registry link (HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates) remain on the endpoint.

691196

Issue: For a file where you're tracking content changes, you receive an unknown error if connectivity issues occur while sending metadata for the file from the endpoint to the ePO console.

Workaround: When network connectivity resumes, the next change to the file is reflected accurately on the ePO console.

685124

Issue: If you're running VSE 8.8 with the Access Protection Level set to Maximum, you can't deploy Solidcore on the endpoint.

724796

Issue: Although you can track content changes for a read-protected file, you can't view the actual changes. The reason is because the read protection rule prevents the software from fetching file contents from the endpoint.

726020

Issue: If you upgrade from an older release to the 6.0 release and use a command added or changed in the 6.0 release without restarting the endpoint, you might receive a Msg not found error. 

Workaround: Restart the endpoint to make sure that all commands added or changed in the 6.0 release work correctly.

770524

Issue: The scormcpl.dll displays an older version in the inventory after it's upgraded.

799559

Issue: If you exclude the .bat extension from monitoring, events for batch file operations are generated.

812964

Issue: If the Updater flag is removed for a cert rule over ePO, the certificate is listed as an updater on the endpoint.

656298

Issue: Upgrade via hotfix build fails in Update Mode if initiated through an ePO Product Update Task.

708226

Issue: Change Control is functionally incompatible with Avecto Privilege guard.

608671

Issue: If Solidcore Agent is installed in a non-default path, upgrading via ePO isn't supported. Such an upgrade might leave the Solidcore Agent in an inconsistent state. Technical Support recommends that you uninstall the existing version and then install the new version using ePO.

608737

Issue: If the partition with the /opt/McAfee/cma directory has insufficient space, events might not be generated and the Failed to generate event xml error message is added to the solidcore.log file. Free up space in partition with the /opt/McAfee/cma directory.

601728

Issue: According to the NFS protocol, if a file present on the NFS share is opened once on the NFS client, it can't be reopened until the file attributes are changed. A read-protected file on an NFS share, opened on the client side in update mode, can be read on the client. It can be read in enable mode (after coming out of the update mode) until the file attributes are changed on the server.

601734

Issue: Changing a hard link might cause the name of the link or program to display in events.

601914

Issue: For daemon processes, the reported username and original username are the same.

602653

Issue: A write-protected file can be changed through its hard link if the hard link has already been created.

602772

Issue: Scripts without a #! tag can't act as updaters.

602977

Issue: For loopback file systems, some features such as updater and monitoring don't work correctly when the loopback path is used instead of a physical path in the sadmin commands. For instance, if /opt is mounted as a loopback file system at /mnt, to add /mnt/abc as an updater you must add the path /opt/abc as an updater.

602990

Issue: Some features like updaters and mon-proc-exec don't work properly for unsupported file formats. Only executable binaries and #! scripts are supported file formats.

603462

Issue: The BOOTING_ENABLED and BOOTING_UPDATE_MODE events aren't added to the system log.

Workaround: At boot time, start the syslog service before the Solidcore Agent service.