Mcafee Solidcore Change Control

Threat Event showing:

Registry Created Event ID 20750

Registry Deleted Event ID 20751

Registry Modified Event ID 20800

How to troubleshoot? Daily, 800 log events are being generated.

ePO: 5.10, ENS: 10.7.0.3299, Solidcore: 8.3.3.129

4 Solutions

Accepted Solutions

Re: Mcafee Solidcore Change Control

Kindly find attached images.

3.PNG

Pravas
Employee
Message 6 of 12

Re: Mcafee Solidcore Change Control

Hi Kaleem,

The screenshot which you've shared is from the Threat Event Log.

It appears you've got Integrity Monitoring enabled for the system, because operations like Registry Create, Registry Deleted and Registry Modified fall under Registry Monitoring.

You're either using a Blank Template or the Minimal System Monitoring policy for the Integrity Monitoring Rules (Windows) policy. The Blank template tends to generate all events.

Operations by NT\Authority are considered system operations; these can be filtered out in the policy.

Here's a screenshot for reference.

Integrity Monitoring.png

Please refer to the product guide below.

https://docs.trellix.com/bundle/change-control-8.0.0-product-guide-epolicy-orchestrator/page/GUID-19...

Hope it helps.


ktankink
Employee
Message 8 of 12

Re: Mcafee Solidcore Change Control

Hi @kaleem78686 

To add, I'm not sure what Integrity Control policies you are using, but the \REGISTRY\A events are likely generated by your assigned policies NOT having certain default exclusions. See the "McAfee Default" policies (see attached) showing these default exclusions.

Pravas
Employee
Message 12 of 12

Re: Mcafee Solidcore Change Control

Hi @kaleem78686 ,

The key differences between Filter and Exclude are as follows.

Filter - Monitors the path but hides it in Solidcore events.

Exclude - Doesn't monitor the path, and hence it does not appear in Solidcore events.

Thanks

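As an added illustration, not code from this thread or from Trellix, the following Python models the two points the replies make: how much of the event volume comes from system accounts (message 6), and the Filter versus Exclude distinction (message 12, modelled here as "recorded but hidden" versus "never recorded"). The CSV rows, account names and registry paths are constructed for the example.

```python
import csv
from collections import Counter
from io import StringIO

# Constructed sample export of Solidcore Integrity Monitoring events (hypothetical
# rows, not real ePO data). Event IDs are the ones reported in the thread.
SAMPLE_EVENTS = r"""event_id,user,object
20750,NT AUTHORITY\SYSTEM,\REGISTRY\A\{hypothetical-guid}\Root\Key1
20800,NT AUTHORITY\SYSTEM,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule
20751,NT AUTHORITY\SYSTEM,\REGISTRY\A\{hypothetical-guid}\Root\Key2
20800,CORP\jdoe,HKLM\SOFTWARE\Acme\App\Config
20800,CORP\svc-deploy,HKLM\SYSTEM\CurrentControlSet\Services\AcmeSvc
"""

EVENT_NAMES = {"20750": "Registry Created", "20751": "Registry Deleted",
               "20800": "Registry Modified"}
SYSTEM_ACCOUNTS = {"NT AUTHORITY\\SYSTEM", "NT AUTHORITY\\LOCAL SERVICE",
                   "NT AUTHORITY\\NETWORK SERVICE"}

def load_events(csv_text):
    return list(csv.DictReader(StringIO(csv_text)))

def summarize(rows):
    """Count events per type and per account class. If system accounts dominate,
    the noise is the OS churn the replies describe rather than a real change."""
    by_type = Counter(EVENT_NAMES.get(r["event_id"], r["event_id"]) for r in rows)
    by_account = Counter("system" if r["user"] in SYSTEM_ACCOUNTS else "other"
                         for r in rows)
    return by_type, by_account

def apply_rules(rows, exclude_prefixes=(), filter_prefixes=(), filter_users=()):
    """Model of the Filter vs Exclude distinction from the thread (an assumption
    about semantics, not the product's implementation):
    Exclude: the path is not monitored, so no event is recorded at all.
    Filter:  the path or user is monitored and the event is recorded, but it is
             hidden from the Solidcore Events view.
    Returns (recorded, visible)."""
    recorded, visible = [], []
    for r in rows:
        obj = r["object"]
        if any(obj.startswith(p) for p in exclude_prefixes):
            continue                      # excluded: never recorded
        recorded.append(r)
        hidden = r["user"] in filter_users or any(obj.startswith(p) for p in filter_prefixes)
        if not hidden:
            visible.append(r)             # what the console actually shows
    return recorded, visible

if __name__ == "__main__":
    rows = load_events(SAMPLE_EVENTS)
    print(summarize(rows))
    recorded, visible = apply_rules(rows, exclude_prefixes=("\\REGISTRY\\A\\",),
                                    filter_users={"NT AUTHORITY\\SYSTEM"})
    print(len(rows), "raw;", len(recorded), "recorded;", len(visible), "visible")
```

Run against a real ePO export, the same summary tells you whether the 800 daily events are system-account churn that a default exclusion would remove, or changes by named users that should stay visible.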

11 Replies
Pravas
Employee
Message 2 of 12

Re: Mcafee Solidcore Change Control

Hi @kaleem78686 ,

Solidcore monitors for any unauthorized changes. If one is found, it logs an event.

Some of these events may be related to NT\Authority or other system accounts.

These events can be either ignored or filtered out (ePO > SolidCore Events).

Thanks


Re: Mcafee Solidcore Change Control

My concern is how to stop these event logs and why these events are being generated. How to troubleshoot to stop them?

On the end client, Windows Event Viewer is showing Solidcore detected.

Pravas
Employee
Message 4 of 12

Re: Mcafee Solidcore Change Control

Hi @kaleem78686 ,

We would need to see the details of an event. Navigate to the SolidCore Events page on ePO. Open an event and take a screenshot.

Please ensure you hide any Personally Identifiable Information like system or user names.

Thanks


Re: Mcafee Solidcore Change Control

Dear Pravas,

I have applied the settings which you told me and monitored, but still the same event logs are being received.


Re: Mcafee Solidcore Change Control

Dear Ktankink,

We are using only important definitions to be monitored, which are not related to Windows files.

Then why is it monitoring the registry and giving event logs?

Pravas
Employee
Message 10 of 12

Re: Mcafee Solidcore Change Control

Hi @kaleem78686 ,

Please send a full screenshot of the policy page that's in use.

Thanks
