

File Write Denied events recorded when modification of the edb.log file is attempted
Technical Articles ID:   KB90849
Last Modified:  9/2/2018


Environment

McAfee Application and Change Control (MACC) 8.x.x, 7.x.x, 6.x.x

Microsoft Windows (All Versions)

Problem

When a process attempts to modify the edb.log file, the following entries are recorded in the s3diag.log file and the Solidcore.log file:

s3diag.log

<WRITE_DENIED  file_name="C:\WINDOWS\Security\Database\edb.log" pid="976" process_name="c:\windows\system32\services.exe" ppid="896" parent_process_name="c:\windows\system32\wininit.exe" event_time="1534227106927" event_time_utc="Aug 14 2018:06:11:46" is_system_file="false" deny_reason="File-solidified" user_name="NT Authority\System" />

Solidcore.log

U.3304.3704: Aug 15 2018:10:19:41.654:   ERROR: evt.c       : 1256: McAfee Solidifier prevented an attempt to modify file 'C:\WINDOWS\Security\Database\edb.log' by process/script C:\Windows\System32\services.exe (sha1: 3dc7889dd4fce098f026876e75131839c6918a32, md5: 8207db785c4a1a8c901154d12df6e38e) (Process Id: 984, User: NT AUTHORITY\SYSTEM).

Cause

Supported file types for MACC are:
  • PE32
  • PE64
  • 16-bit DOS executable
The edb.log file begins with a 16-bit DOS header. Because that header matches one of the supported file types, the file is solidified when solidification runs.
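To confirm why a particular file is being solidified before you exclude it, the following added example (not McAfee's code, and the exact MACC heuristic is an assumption here) classifies a file by its header into the three supported types listed above, using constructed minimal headers as sample input:

```python
import struct

# Labels matching the MACC supported file types listed above.
PE32 = "PE32"
PE64 = "PE64"
DOS16 = "16-bit DOS executable"
NONE = "not an executable"

# Optional-header magic values from the PE specification.
PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B


def classify_header(data: bytes) -> str:
    """Classify a file by its leading bytes, as an engine that recognizes
    PE32, PE64 and 16-bit DOS executables would (illustrative only)."""
    # Every DOS and PE image starts with the 'MZ' signature.
    if len(data) < 2 or data[:2] != b"MZ":
        return NONE
    # A DOS header is 64 bytes; e_lfanew at offset 0x3C points to 'PE\0\0'.
    if len(data) < 0x40:
        return DOS16
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # COFF header is 20 bytes; the optional header magic follows it.
    magic_off = e_lfanew + 4 + 20
    if magic_off + 2 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        # MZ header without a valid PE header: a plain 16-bit DOS image,
        # which is how a file such as edb.log ends up solidified.
        return DOS16
    magic = struct.unpack_from("<H", data, magic_off)[0]
    if magic == PE32_MAGIC:
        return PE32
    if magic == PE32PLUS_MAGIC:
        return PE64
    return DOS16  # valid MZ stub, unrecognized optional header


def classify_file(path: str) -> str:
    """Read only the header region of a file on disk and classify it."""
    with open(path, "rb") as f:
        return classify_header(f.read(0x400))


def make_sample(magic=None) -> bytes:
    """Constructed minimal header for testing (not a real file)."""
    hdr = bytearray(b"MZ" + b"\0" * 0x3E)  # 64-byte DOS header
    if magic is None:
        return bytes(hdr)
    struct.pack_into("<I", hdr, 0x3C, 0x40)  # e_lfanew -> offset 0x40
    return bytes(hdr) + b"PE\0\0" + b"\0" * 20 + struct.pack("<H", magic)
```

Run classify_file against the suspect path to see which of the three types the header matches; a result of "16-bit DOS executable" for a non-executable file explains the WRITE_DENIED events.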

Solution

MACC is working as intended and this behavior is considered to be normal.

Workaround

The following workaround whitelists the edb.log file so that the events are no longer generated:
  1. Log on to the ePO Console.
  2. Open an existing Solidcore Rule Group or create a new rule group specifically for Application Control.
  3. Edit the existing or new rule group.
  4. Select the Exclusions tab and click Add.
  5. Expand Advanced options.
  6. Enable Exclude local path and all its contained files and sub-directories from the whitelist.
  7. Enter "C:\Windows\security\database\edb.log" for the path.
  8. Save the rule group.
  9. Perform a Wake Up Call to all agents and push the new rule to clients.

Attachment

PEViewScreenshot.zip

