Web MER.exe blocked on client while Application Control is in enabled mode
Technical Articles ID:   KB88747
Last Modified:  3/8/2017

Environment

McAfee Application and Change Control (MACC) 8.x, 7.x, 6.x
Microsoft Windows 7 x86, x64

Problem

Mer.exe cannot execute when Solidcore status is in Enabled mode.

The Solidcore log records the following message:
 
McAfee Application Control prevented an attempt to modify file C:\Users\Administrator\AppData\Local\Temp\Mc64BitResolver.exe by process C:\Users\Administrator\AppData\Local\Temp\WebMERClient.exe (Process Id: <PID>, User: <user>).

The s3diag log records the following message:
 
< WRITE_DENIED  file_name="C:\Users\Administrator\AppData\Local\Temp\Mc64BitResolver.exe" pid="4752" process_name="C:\Users\Administrator\AppData\Local\Temp\WebMERClient.exe" ppid="2584" parent_process_name="C:\Users\Administrator\Desktop\MER.exe" event_time="1487091827928" event_time_system="Feb 14 2017:17:03:47" is_system_file="false" deny_reason="File-solidified" user_name="<user>" />
< WRITE_DENIED  file_name="C:\Users\Administrator\AppData\Local\Temp\Mc64BitResolver.exe" pid="4752" process_name="C:\Users\Administrator\AppData\Local\Temp\WebMERClient.exe" ppid="2584" parent_process_name="C:\Users\Administrator\Desktop\MER.exe" event_time="1487091849525" event_time_system="Feb 14 2017:17:04:09" is_system_file="false" deny_reason="File-solidified" user_name="<user>" />
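
When triaging these denials, it helps to parse the s3diag entries and group them by process, parent, and target file before deciding which certificate or updater rule to add. The following is an added example, not McAfee code. The regex-based attribute parsing and the reading of `event_time` as milliseconds since the Unix epoch are assumptions based on the two entries quoted above.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Sample input: the two s3diag entries quoted in this article, embedded verbatim.
SAMPLE = r'''
< WRITE_DENIED  file_name="C:\Users\Administrator\AppData\Local\Temp\Mc64BitResolver.exe" pid="4752" process_name="C:\Users\Administrator\AppData\Local\Temp\WebMERClient.exe" ppid="2584" parent_process_name="C:\Users\Administrator\Desktop\MER.exe" event_time="1487091827928" event_time_system="Feb 14 2017:17:03:47" is_system_file="false" deny_reason="File-solidified" user_name="<user>" />
< WRITE_DENIED  file_name="C:\Users\Administrator\AppData\Local\Temp\Mc64BitResolver.exe" pid="4752" process_name="C:\Users\Administrator\AppData\Local\Temp\WebMERClient.exe" ppid="2584" parent_process_name="C:\Users\Administrator\Desktop\MER.exe" event_time="1487091849525" event_time_system="Feb 14 2017:17:04:09" is_system_file="false" deny_reason="File-solidified" user_name="<user>" />
'''

EVENT_RE = re.compile(r'<\s*(?P<type>[A-Z_]+)\s+(?P<attrs>.*?)/>', re.S)
ATTR_RE = re.compile(r'(\w+)="([^"]*)"')

def parse_events(text):
    """Yield one dict per event element; the element name is stored under 'event'."""
    for m in EVENT_RE.finditer(text):
        ev = dict(ATTR_RE.findall(m.group('attrs')))
        ev['event'] = m.group('type')
        # Assumption: event_time is milliseconds since the Unix epoch. In the sample it
        # decodes to the same wall-clock time as event_time_system when read as UTC.
        ts = ev.get('event_time', '')
        ev['time_utc'] = (datetime.fromtimestamp(int(ts) / 1000, tz=timezone.utc)
                          if ts.isdigit() else None)
        yield ev

def summarize_denials(text):
    """Group WRITE_DENIED events by (process, parent, target file, deny reason)."""
    groups = defaultdict(list)
    for ev in parse_events(text):
        if ev['event'] == 'WRITE_DENIED':
            key = (ev.get('process_name'), ev.get('parent_process_name'),
                   ev.get('file_name'), ev.get('deny_reason'))
            groups[key].append(ev['time_utc'])
    summary = {}
    for key, times in groups.items():
        known = [t for t in times if t is not None]
        summary[key] = {'count': len(times),
                        'first': min(known, default=None),
                        'last': max(known, default=None)}
    return summary

if __name__ == '__main__':
    for (proc, parent, target, reason), s in summarize_denials(SAMPLE).items():
        print(f"{s['count']}x {reason}: {proc} (parent {parent}) -> {target}")
        print(f"   first {s['first']}, last {s['last']}")
```

The grouped output shows the denied writer and the process that launched it, which are the values to check against the certificate or updater rule chosen in the workarounds.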

Cause

This issue occurs because the Mer.exe application certificate was recently updated. New certificates are typically included in add-on Extension releases for Application Control.
 

Workaround

Upload an available certificate:
 
Application Control 7.x, 8.x
  1. Log in to the ePO console.
  2. Go to Menu, Configuration, Solidcore Rules.
  3. On the Certificates tab, select Actions, Upload to open the Upload Certificate page.
  4. Browse to and select the certificate file to import, then click Upload.

Application Control 6.2.x

  1. Log in to the ePO console.
  2. Go to Menu, Configuration, Solidcore Rules.
  3. On the Publishers tab, select Actions, Upload to open the Upload Certificate page.
  4. Browse to and select the certificate file to import, then click Upload.

Workaround

Add the Mer.exe file to your policy as a Trusted Binary with Updater permissions:
  1. Log in to the ePO console.
  2. Navigate to the Solidcore policy.
  3. Select the Updater Processes tab and click Add.
  4. Specify whether to add the updater based on the file name or SHA-1.

    NOTE: If you add the updater by name, the updater is not authorized automatically. However, when you add the updater by SHA-1, the updater is authorized.
     
  5. Enter the location of the file (when adding by name) or SHA-1 value of the executable or binary file.
  6. Enter a unique identification label for the executable file.

    Example: If you specify WebMER Changes as the identification label for the Mer.exe file, all change events made by Mer.exe are tagged with this label.
     
  7. When adding an updater by name, specify conditions that the binary file must meet to run as an updater.
    1. Select None to allow the binary file to run as an updater without any conditions.
    2. Select Library to allow the binary file to run as an updater only when it has loaded the specified library.

      Example: When configuring Mer.exe as an updater to allow the gathering of diagnostic data, specify wuweb.dll as the library. This makes sure that the iexplore.exe program has updater privileges only until the web control library (wuweb.dll) is loaded.
       
    3. Select Parent to allow the binary file to run as an updater only if it is launched by the specified parent.

      Example: When configuring Mer.exe as an updater to allow diagnostic data gathering, specify WebMERClient.exe as the parent. Using the parent makes sure that only the correct program is allowed to run as an updater.
       
    4. When adding an updater by name, indicate whether to disable inheritance for the updater.

      Example: If Process A (that is set as an updater) starts Process B, disabling inheritance for Process A makes sure that Process B does not become an updater.
       
  8. When adding an updater by name, indicate whether to suppress events generated for the actions performed by the updater. Typically, when an updater changes a protected file, a File Modified event is generated for the file. If you select this option, no events are generated for changes made by the updater.
  9. Click OK.
