Installer Detection bypass option is Deprecated for endpoints running version 6.1.1 and later (Package Control in relation to the architecture rules for the attr -i command)
Technical Articles ID: KB87257
Last Modified: 7/16/2018

Environment

McAfee Application Control (MAC) 7.0.x, 6.2.x, 6.1.x
McAfee ePolicy Orchestrator 5.x

Problem

The Installer Detection bypass option is deprecated for endpoints running version 6.1.1 and later.

Cause

The installer bypass rule (attr -i) for binaries has been removed from the following MAC rule groups:

Norton
  • Rtvscan.exe
  • ccSetMgr.exe
  • SNDSrvc.exe
  • NSCSRVCE.EXE
  • NAV_2011.exe
Windows Component
  • termsrv.exe
  • wmplayer.exe
  • conf.exe
VNC Server
  • winvnc4.exe
  • vncviewer.exe
Default List
  • ClusSvc.exe

NOTE: If you are running Application Control earlier than version 6.1.1, managed by 7.0.1, the extension will not apply these rules.

Solution

To add these rules manually and assign these policies to a group or system in an enterprise:

Option 1:
  1. Download the file attached to this article and extract DuplicateRuleGroup+NORTON+DEFAULT LIST+VNC SERVER+WINDOWS COMPONENT.xml.
  2. Log on to ePO with Global Admin credentials.
  3. Select Menu, Configuration, Solidcore Rules.
  4. Verify:
    • Type = Application Control
    • Platform = Windows
  5. Click Import.
  6. Click Browse and select the DuplicateRuleGroup+NORTON+DEFAULT LIST+VNC SERVER+WINDOWS COMPONENT.xml file.
  7. Click OK. A dialog box informs you of import success or failure.
    • To view a list of imported rule groups, select Menu, Automation, Server Task Log.
    • Alternatively, to view imported rule groups (and for further details of those groups), select task name Import Solidcore Rule Groups.

    If you experience an issue importing the file, open a support case with Technical Support.

  8. Verify the imported rule groups are present in MACC:
    Select Menu, Configuration, Solidcore Rules.

Option 2:
  1. Open a web browser.
  2. Navigate to the following URL.

    NOTE: Replace <ePO-Name> with the real ePO Server name or IP address.

    https://<ePO-Name>/SOLIDCORE_META/updateInternalConfiguration.do

  3. Log on with Global Admin credentials.
    • For Config Property Name, enter showAdvancedSkipListOptions (case-sensitive).
    • For Config Property Value, enter true.
  4. Click Update Property Value.
    The message Configuration successfully updated is displayed.
  5. Select the Exclusion Tab and navigate to Deprecated options. The new option Do not detect a binary as an installer (for endpoints earlier than 6.1.1) is displayed.

NOTE: You will see errors in the logs if these rules are applied to an endpoint version later than 6.1.1.
