Event: execution_denied
File (Full Path): C:\windows\system32\drivers\awon4hcv.sys
Program (Full Path): System
Registry Key:
System Name: LAPTOP10
User: NT AUTHORITY\SYSTEM
I have tried to figure out what is causing this by looking in the Windows event log. After all, I would think an application that tries to update my drivers would normally log an error if it fails to do so. Guess what: no events besides the McAfee ones:
McAfee Solidifier prevented an attempt to modify file 'C:\windows\system32\driverstore\infstrng.dat' by process C:\Windows\System32\services.exe (Process Id: 564, User: NT AUTHORITY\SYSTEM).
Basically something has updated a driver and tries to store the information in the driver store, I assume. A pity though that I cannot figure out what is causing this driver update. I (once again) assume it is Windows Update, as I have just run the .lnk emergency update that came from Windows Update yesterday. The update itself is allowed because Windows Update is trusted, but I think the procedures that come afterwards are not.
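To answer the "what is causing this" question from the two Solidifier message shapes quoted above, here is an added example (not code from the original post or from McAfee) that parses both shapes into objects and groups the denials by the offending process. The sample text is constructed from the lines quoted in the post; feeding it the Message property of events from Get-WinEvent, and filling the computer name from $env:COMPUTERNAME for the prose-style message, are assumptions of this example.

```powershell
# Added example: parse McAfee Solidifier denial messages and group them by process.
# Sample input constructed from the two message shapes quoted in the post.
$SampleEvents = @'
Event: execution_denied
File (Full Path): C:\windows\system32\drivers\awon4hcv.sys
Program (Full Path): System
Registry Key:
System Name: LAPTOP10
User: NT AUTHORITY\SYSTEM

McAfee Solidifier prevented an attempt to modify file 'C:\windows\system32\driverstore\infstrng.dat' by process C:\Windows\System32\services.exe (Process Id: 564, User: NT AUTHORITY\SYSTEM).
'@

function ConvertFrom-SolidifierEvent {
    param([Parameter(Mandatory)][string] $Text)

    # Prose shape: "prevented an attempt to <op> file '<path>' by process <exe> (Process Id: N, User: U)."
    $ProsePattern = "prevented an attempt to (\w+) file '([^']+)' by process (\S+) \(Process Id: (\d+), User: ([^)]+)\)"

    foreach ($block in ($Text -split '(?:\r?\n){2,}')) {
        $block = $block.Trim()
        if (-not $block) { continue }

        if ($block -match '^Event:') {
            # Key/value shape: one "Key: value" per line; "Registry Key:" may be empty.
            $fields = @{}
            foreach ($line in ($block -split '\r?\n')) {
                if ($line -match '^([^:]+):\s*(.*)$') {
                    $fields[$Matches[1].Trim()] = $Matches[2].Trim()
                }
            }
            [pscustomobject]@{
                Event     = $fields['Event']
                File      = $fields['File (Full Path)']
                Process   = $fields['Program (Full Path)']
                ProcessId = $null
                User      = $fields['User']
                Computer  = $fields['System Name']
            }
        }
        elseif ($block -match $ProsePattern) {
            [pscustomobject]@{
                Event     = "$($Matches[1])_denied"
                File      = $Matches[2]
                Process   = $Matches[3]
                ProcessId = [int]$Matches[4]
                User      = $Matches[5]
                Computer  = $env:COMPUTERNAME   # assumption: prose shape carries no host name
            }
        }
    }
}

$denials = ConvertFrom-SolidifierEvent -Text $SampleEvents
$denials | Format-Table Event, Process, ProcessId, File -AutoSize

# Which program is behind the denials? Count them per process.
$denials | Group-Object Process | Sort-Object Count -Descending |
    ForEach-Object { '{0,-45} {1} denial(s)' -f $_.Name, $_.Count }
```

On real data the per-process counts tend to separate a legitimate updater writing many files during one window from a single unexpected binary, which is the distinction the event log alone does not make obvious.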
I might want to create an extra exception for this, or maybe simply make sure I do "sadmin bu" before I run the update.
In a corporate network you could implement a workflow to centrally schedule the "sadmin bu" for whatever maintenance window is planned.
Conclusion: using application control == implement maintenance windows
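One way to script that workflow, as an added example that is not from the original post or from McAfee: open the Application Control update window with "sadmin bu", run the planned maintenance task, and close the window again with "sadmin eu" (the end-update counterpart of "sadmin bu") in a finally block so the host never stays in update mode by accident. It assumes sadmin.exe is on the PATH and that local CLI access is not locked down; the script and log file names are placeholders.

```powershell
# Added example: run one maintenance task inside an Application Control update window.
# Usage (placeholder path):
#   .\Invoke-MaintenanceWindow.ps1 -MaintenanceTask { & 'C:\path\to\update.exe' }
param(
    [Parameter(Mandatory)] [scriptblock] $MaintenanceTask,
    [string] $Sadmin  = 'sadmin.exe',                                        # assumption: on PATH
    [string] $LogPath = (Join-Path $env:ProgramData 'maintenance-window.log') # placeholder
)

function Write-Log {
    param([string] $Message)
    $line = '{0:yyyy-MM-dd HH:mm:ss} {1}' -f (Get-Date), $Message
    Add-Content -Path $LogPath -Value $line
    Write-Host $line
}

function Invoke-Sadmin {
    param([string[]] $Arguments)
    $output = & $Sadmin @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "sadmin $($Arguments -join ' ') failed with exit code ${LASTEXITCODE}: $output"
    }
    Write-Log "sadmin $($Arguments -join ' '): $output"
}

Write-Log 'Opening update window (sadmin bu)'
Invoke-Sadmin -Arguments 'bu'
try {
    Write-Log 'Running maintenance task'
    & $MaintenanceTask
    Write-Log 'Maintenance task finished'
}
finally {
    # Close the window even if the task threw: while it is open, every write
    # on the host is accepted, so the window should be exactly as long as the task.
    Write-Log 'Closing update window (sadmin eu)'
    Invoke-Sadmin -Arguments 'eu'
}
```

Where the local command line has been locked down (the situation the comment below runs into), the bu/eu pair has to be issued from the central console instead of from a script on the host, but the shape of the window is the same: open, run the one planned task, close.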
I tried to run the command and it gives me error:
Local Access has been locked down. This command is not allowed.