avilt
Level 9
Message 1 of 10

Solidcore Event ID 50

I have SC installed in standalone mode on Windows. I am getting several errors as shown even after adding the exe file under skiplist.

cqmghost.exe is HP management software. I have added it under skiplist with the following path:
"C:\Windows\System32\CpqMgmt\cqmghost\cqmghost.exe"

Still the error appears.

One more error is also attached, how can I whitelist this file?

>>

The description for Event ID 50 from source McAfee Solidifier cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.

If the event originated on another computer, the display information had to be saved with the event.

The following information was included with the event:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\swin
C:\Windows\System32\CpqMgmt\cqmghost\cqmghost.exe

9 Replies
yaz
Employee
Message 2 of 10

Re: Solidcore Event ID 50

Hi @avilt 

Thank you for reaching out to the community.

Can you confirm whether the policies are applied on the machine and you still see the issue?

The reason is that if Solidcore is in recover mode, MA policies do not apply.

When pushing from ePO, it needs to be always in lockdown state locally.

Kindly write back; I look forward to hearing from you.

Was my reply helpful?

If yes, Give me a Kudo. If this answers your query, kindly mark this as solution and we both together help other community members. 

 

avilt
Level 9
Message 3 of 10

Re: Solidcore Event ID 50

Solidcore is not managed by ePO, standalone and in Enable mode.

yaz
Employee
Message 4 of 10

Re: Solidcore Event ID 50

Hi @avilt 

Thanks for replying back. 

Is it possible for you to share the Solidcore logs?

Otherwise, I request you to enable Gatherinfo logs and log an SR with us. 

 

Kenchee_etf
Employee
Message 5 of 10

Re: Solidcore Event ID 50

Hello @avilt 

What you see there is MACC preventing a process from modifying a registry key, as part of MACC functionality.

You may find more about the event and its meaning at this link:

*** McAfee Application Control 8.2.0 - Windows Product Guide (List of events in standalone mode)
https://docs.mcafee.com/bundle/application-control-8.2.0-product-guide-windows/page/GUID-80FA892F-AC...

Event ID (on systems) -> 50
Threat event ID (on McAfee ePO) -> 20749 (irrelevant for you because you don't use ePO to manage MACC)
Event name -> REG_KEY_WRITE_DENIED
Severity -> Major
Description -> McAfee Solidifier prevented an attempt to change Registry key '<string>' by process <string> (Process Id: <string>, User: <string>)

I hope this helps.


Was my reply helpful?

If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and together we can help other members?
avilt
Level 9
Message 6 of 10

Re: Solidcore Event ID 50

How can I allow this operation?

I have added it under skiplist but no luck

avilt
Level 9
Message 7 of 10

Re: Solidcore Event ID 50

Following is the log from solidcore.log. How can I allow this operation?

K.4124.4188: Dec 15 2020:14:54:56.962: SYSTEM: cctl_kern.c : 2636: Process '\Device\HarddiskVolume1\Windows\System32\CpqMgmt\cqmghost\cqmghost.exe' tried to write on REGISTRY: 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\scsrvc' and has been DENIED ACCESS.
K.4124.4188: Dec 15 2020:14:54:56.963: SYSTEM: reghooks.c : 266: Denying open for regkey \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\scsrvc. Permissions requested 0x38308
K.4124.4188: Dec 15 2020:14:54:56.965: SYSTEM: cctl_kern.c : 2636: Process '\Device\HarddiskVolume1\Windows\System32\CpqMgmt\cqmghost\cqmghost.exe' tried to write on REGISTRY: 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\swin' and has been DENIED ACCESS.
K.4124.4188: Dec 15 2020:14:54:56.965: SYSTEM: reghooks.c : 266: Denying open for regkey \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\swin. Permissions requested 0x38308
K.4124.4188: Dec 15 2020:14:54:56.990: SYSTEM: cctl_kern.c : 2636: Process '\Device\HarddiskVolume1\Windows\System32\CpqMgmt\cqmghost\cqmghost.exe' tried to write on REGISTRY: 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\scsrvc' and has been DENIED ACCESS.
K.4124.4188: Dec 15 2020:14:54:56.990: SYSTEM: reghooks.c : 266: Denying open for regkey \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\scsrvc. Permissions requested 0x38308
K.4124.4188: Dec 15 2020:14:54:56.992: SYSTEM: cctl_kern.c : 2636: Process '\Device\HarddiskVolume1\Windows\System32\CpqMgmt\cqmghost\cqmghost.exe' tried to write on REGISTRY: 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\swin' and has been DENIED ACCESS.
K.4124.4188: Dec 15 2020:14:54:56.992: SYSTEM: reghooks.c : 266: Denying open for regkey \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\swin. Permissions requested 0x38308
K.4124.4188: Dec 15 2020:14:54:57.015: SYSTEM: cctl_kern.c : 2636: Process '\Device\HarddiskVolume1\Windows\System32\CpqMgmt\cqmghost\cqmghost.exe' tried to write on REGISTRY: 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\scsrvc' and has been DENIED ACCESS.
K.4124.4188: Dec 15 2020:14:54:57.015: SYSTEM: reghooks.c : 266: Denying open for regkey \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\scsrvc. Permissions requested 0x38308

Kenchee_etf
Employee
Message 8 of 10

Re: Solidcore Event ID 50

Hello @avilt 

cqmghost.exe is trying to modify MACC registries, scsrvc, and that will not be allowed due to MACC self-protection. The issue is similar to:

*** The HP Insight Foundation Agents process cqmghost.exe is blocked by Access Protection
https://kc.mcafee.com/corporate/index?page=content&id=KB87659

As you can see in the KB provided, the same cqmghost.exe is violating McAfee VirusScan Enterprise's keys, so my suggestion here for MACC is the same as the one from the KB:

Contact HP for assistance with configuring HP Insight Foundation Agents to avoid the previously listed registry keys:
https://www.hpe.com/us/en/support.html

I hope this helps.


avilt
Level 9
Message 9 of 10

Re: Solidcore Event ID 50

Thank you.

Is it not possible to whitelist this exe file?

Re: Solidcore Event ID 50

Hello @avilt 

Based on the logs, this is not a whitelisting issue where MACC is preventing cqmghost.exe from running or doing some other actions unrelated to us.

This is specifically a self-protection issue, where HP's cqmghost.exe is prevented from modifying McAfee MACC registries; hence MACC is working as designed. Allowing anything to modify our files/folders/registries would defeat the purpose, i.e. how is MACC going to protect the machine if something is allowed to modify or delete registry keys linked to the MACC service?

Why cqmghost.exe is trying to perform actions against registry entries that are not its own is a question for HP.

I hope this helps.


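Added example (not part of any post in this thread, and not McAfee tooling): a triage script for solidcore.log lines like those in Message 7. It groups "DENIED ACCESS" registry writes by process and key and flags the ones aimed at MACC's own service keys, which the replies above describe as self-protection rather than a skiplist matter. The set of protected service names holds only the two keys named in this thread (an assumption, not a complete list), and the last sample line is constructed.

```python
import ntpath
import re
from collections import Counter

# Service key names the thread identifies as belonging to MACC itself.
# Assumption: only the two names seen in this thread, not a complete list.
SELF_PROTECTED_SERVICES = {"scsrvc", "swin"}
SERVICES_PREFIX = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services" + "\\"

DENIED_RE = re.compile(
    r"Process '(?P<process>[^']+)' tried to write on REGISTRY: "
    r"'(?P<key>[^']+)' and has been DENIED ACCESS"
)

# First four lines are quoted from the thread's log; the last line is constructed.
SAMPLE_LOG = r"""
K.4124.4188: Dec 15 2020:14:54:56.962: SYSTEM: cctl_kern.c : 2636: Process '\Device\HarddiskVolume1\Windows\System32\CpqMgmt\cqmghost\cqmghost.exe' tried to write on REGISTRY: 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\scsrvc' and has been DENIED ACCESS.
K.4124.4188: Dec 15 2020:14:54:56.963: SYSTEM: reghooks.c : 266: Denying open for regkey \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\scsrvc. Permissions requested 0x38308
K.4124.4188: Dec 15 2020:14:54:56.965: SYSTEM: cctl_kern.c : 2636: Process '\Device\HarddiskVolume1\Windows\System32\CpqMgmt\cqmghost\cqmghost.exe' tried to write on REGISTRY: 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\swin' and has been DENIED ACCESS.
K.4124.4188: Dec 15 2020:14:54:56.990: SYSTEM: cctl_kern.c : 2636: Process '\Device\HarddiskVolume1\Windows\System32\CpqMgmt\cqmghost\cqmghost.exe' tried to write on REGISTRY: 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\scsrvc' and has been DENIED ACCESS.
K.4124.4188: Dec 15 2020:14:54:57.100: SYSTEM: cctl_kern.c : 2636: Process 'C:\Tools\example.exe' tried to write on REGISTRY: 'HKEY_LOCAL_MACHINE\SOFTWARE\ExampleVendor\Settings' and has been DENIED ACCESS.
"""

def is_self_protection(key):
    """True when the key is one of the MACC service keys or a subkey of one."""
    if not key.upper().startswith(SERVICES_PREFIX.upper()):
        return False
    service = key[len(SERVICES_PREFIX):].split("\\", 1)[0]
    return service.lower() in SELF_PROTECTED_SERVICES

def summarize_denials(log_text):
    """Count denied registry writes per (process image name, key)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = DENIED_RE.search(line)
        if m:  # reghooks.c companion lines do not match and are skipped
            counts[(ntpath.basename(m["process"]).lower(), m["key"])] += 1
    return [
        {"process": proc, "key": key, "count": n,
         "self_protection": is_self_protection(key)}
        for (proc, key), n in sorted(counts.items())
    ]

if __name__ == "__main__":
    for row in summarize_denials(SAMPLE_LOG):
        verdict = "self-protection" if row["self_protection"] else "other rule"
        print(f'{row["count"]:>3}  {row["process"]:<14} {verdict:<16} {row["key"]}')
```
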