Installer Detection bypass option is Deprecated for endpoints running version 6.1.1 and later

Technical Articles ID: KB87257
Last Modified: 12/20/2019

Environment

McAfee Application and Change Control (MACC) 7.0.x, 6.2.x, 6.1.x
McAfee ePolicy Orchestrator 5.x

Problem

The Installer Detection bypass option is Deprecated for endpoints running version 6.1.1 and later.

Cause

The attr -i installer bypass rule for binaries has been removed from the following MAC rule groups:

Norton

Rtvscan.exe
ccSetMgr.exe
SNDSrvc.exe
NSCSRVCE.EXE
NAV_2011.exe

Windows Component

termsrv.exe
wmplayer.exe
conf.exe

VNC Server

winvnc4.exe
vncviewer.exe

Default List

ClusSvc.exe

NOTE: The extension does not apply these rules if you are running Application Control earlier than version 6.1.1, and it is managed by version 7.0.1.

Solution

To add these rules manually and assign these policies to a group or system in an enterprise:

Option 1:

Download the file attached to this article and extract DuplicateRuleGroup+NORTON+DEFAULT LIST+VNC SERVER+WINDOWS COMPONENT.xml.
Log on to ePO with Global Admin credentials.
Select Menu, Configuration, Solidcore Rules.
Verify:
- Type = Application Control
- Platform = Windows
Click Import.
Click Browse and select the DuplicateRuleGroup+NORTON+DEFAULT LIST+VNC SERVER+WINDOWS COMPONENT.xml file.
Click OK. A dialog box appears informing you of import success or failure.
- To view a list of imported rule groups select Menu, Automation, Server Task Log.
- To view imported rule groups, and for more information about those groups, select task name Import Solidcore Rule Groups.
If you experience an issue importing the file, open a Service Request with Technical Support.

Verify that the imported rule groups are present in MACC by selecting Menu, Configuration, Solidcore Rules.

Option 2:

Open a web browser.
Navigate to the following URL:

NOTE: Replace <ePO-Name> with the real ePO Server name or IP address.

https://<ePO-Name>/SOLIDCORE_META/updateInternalConfiguration.do

Log on with Global Admin credentials.
- For Config Property Name, enter showAdvancedSkipListOptions. This name is case sensitive.
- For Config Property Value, enter true.
Click Update Property Value.
The message Configuration successfully updated is displayed.
Select the Exclusion tab and navigate to Deprecated options. You see the new option Do not detect a binary as an installer (for endpoints earlier than 6.1.1) displayed.

NOTE: You see errors in the logs if these rules are applied to an endpoint version later than 6.1.1.

Related Information

To contact Technical Support, log on to the ServicePortal and go to the Create a Service Request page at https://support.mcafee.com/ServicePortal/faces/serviceRequests/createSR:

If you are a registered user, type your User Id and Password, and then click Log In.
If you are not a registered user, click Register and complete the required fields. Your password and logon instructions will be emailed to you.

Attachment

DuplicateRuleGroup+NORTON+DEFAULT LIST+VNC SERVER+WINDOWS COMPONENT.zip
3K • < 1 minute @ broadband

Affected Products

Application and Change Control 7.0.x
Application and Change Control 6.2.x
Application and Change Control 6.1

Languages:

This article is available in the following languages:

English United States
Japanese

Glossary of Technical Terms

Highlight Glossary Terms

Please take a moment to browse our Glossary of Technical Terms.

Installer Detection bypass option is Deprecated for endpoints running version 6.1.1 and later

Environment

Problem

Cause

Solution

Related Information

Attachment

Affected Products

Languages:

Glossary of Technical Terms

Title

Title

Featured Solutions:Draft for New Nav

Explore Our Portfolio

Security Outcomes

Industries

Products

Featured Solutions

Explore Our Portfolio

MVISION Products

Services & Training

Threat Research

Our Researchers

Threat Landscape Dashboard

Tools

Contact Us

Resources

Downloads

Product Help

Connect with Us

Explore

Our Company

Our Efforts

Other Resources

Careers

Partnerships

Installer Detection bypass option is Deprecated for endpoints running version 6.1.1 and later

Environment

Problem

Cause

Solution

Related Information

Attachment

Affected Products

Languages:

Glossary of Technical Terms

Choose your region

Title

Title