File Write Denied Alerts on Windows 10 with Solidcore

Hello! I am seeking advice on an issue in our Windows 10 environment, where we use Trellix/McAfee Solidcore (Application and Change Control). Recently, we have been receiving thousands of daily alerts related to file write denied operations on known Windows files. These actions are blocked by design, as the files are protected by Solidcore. However, I need to determine if processes should be allowed to write to these files.

Files affected by NT AUTHORITY\SYSTEM via Services.exe:

C:\Windows\System32\dfrgui.exe
C:\Windows\System32\subst.exe
C:\Windows\System32\cmd.exe
C:\Windows\System32\wmic.exe
C:\Windows\System32\cleanmgr.exe
C:\Windows\System32\net1.exe
C:\Windows\SysWow64\net1.exe

Files affected by NT AUTHORITY\LOCAL SERVICE via svchost.exe:

C:\Windows\System32\SRU\SRU.chk
C:\Windows\System32\SRU\SRUDB.dat

I want to understand what Services.exe and svchost.exe are trying to do to these files. Should I remove write protection from these files, or is this unnecessary? Filtering the alerts might prevent them from displaying but will not prevent the database from growing. Any advice would be greatly appreciated.

Many thanks
 
