S3so Win Ug RTC

Solidcore for APTRA
S3 Control Solidifier for Windows

Runtime Control User’s Guide
Documentation for Solidcore for APTRA, Release 01.00.05

Issue 1
June 2008
Confidential and proprietary information of NCR.

Unauthorised use, reproduction and/or distribution is strictly prohibited.
Copyright and Trademark Information
The products described in this document are copyrighted works of NCR Corporation.
NCR and APTRA are trademarks of NCR Corporation.

Microsoft, Windows, Windows NT and Windows Server are either registered trademarks or trademarks of Microsoft
Corporation in the United States and/or other countries.
Solidcore is a trademark of Solidcore Systems, Inc.
All other trademarks are the property of their respective owners.
Disclaimer:
It is the policy of NCR Corporation to improve products as technology, components, software and firmware become
available. NCR therefore reserves the right to change specifications without prior notice.
All features, functions and operations described herein may not be marketed by NCR in all parts of the world. In some
instances, photographs are of equipment prototypes. Therefore, before using this document, consult with your NCR
representative or NCR office for information that is applicable and current.
To maintain the quality of our publications, we need your comments on the accuracy, clarity, organisation and value of
this book.
Address correspondence to:
NCR Financial Solutions Group Ltd

Information Solutions Feedback
Kingsway West
Dundee
Scotland
DD2 3XX
© 2007, 2008
By NCR Corporation
Dayton, Ohio, USA
All Rights Reserved
Confidential and proprietary information of NCR.

Unauthorised use, reproduction and/or distribution is strictly prohibited.
Solidcore Systems, Inc. S3 Control Solidifier for Windows Runtime Control Addendum
S3 Control Solidifier for Windows

Runtime Control User’s Guide
Solidcore Systems, Inc. S3 Control Solidifier for Windows Runtime Control User’s Guide
IMPORTANT NOTICE
This document contains proprietary information of Solidcore Systems, Inc. and its receipt or
possession does not convey any rights to reproduce, disclose its contents, manufacture, use, or
sell anything it may describe. Reproduction, disclosure, or use without Solidcore Systems, Inc.
specific written authorization is strictly forbidden.
Solidcore Systems, Inc. makes no representations or warranties with respect to the contents or
use of this document. It also reserves the right to revise this publication and make changes to the
content at any time without the obligation to notify any person or entity of such revisions or
changes.
Solidcore Systems, Inc.
3408 Hillview Ave, Suite 180
Palo Alto, CA 943041321
Document Version: S3SO_WIN_UG_RTC_1.4
Product Version: 4.6
Publication Date: June 30, 2007
Copyright © 2004 – 2007, Solidcore Systems, Inc. All Rights Reserved. Solidcore is a trademark
of Solidcore Systems, Inc. All other trademarks are the property of their respective owners.
Product information is subject to change without notice.
ii
Table of Contents
INTRODUCTION .................................................................................................................................. 1
ABOUT THIS MANUAL ........................................................................................................................... 1
DOCUMENT OBJECTIVES ....................................................................................................................... 1
AUDIENCE ............................................................................................................................................ 1
DOCUMENT ORGANIZATION .................................................................................................................. 1
DOCUMENT CONVENTIONS .................................................................................................................... 2
THE SOLIDIFIER’S COMMAND SHELL ..................................................................................................... 3
HELP FOR SOLIDIFIER COMMANDS ......................................................................................................... 3
PRODUCT FEEDBACK............................................................................................................................. 3
BACKGROUND..................................................................................................................................... 4
ABOUT SOLIDIFICATION ........................................................................................................................ 4
ABOUT RUN TIME CONTROL ................................................................................................................. 4
ABOUT SOFTWARE UPDATE................................................................................................................... 4
The Update Mode............................................................................................................................. 4
AutoUpdaters.................................................................................................................................. 5
SOLIDIFICATION AND INITIAL CONFIGURATION ..................................................................... 6
SOLIDIFY A SYSTEM .............................................................................................................................. 6
CONFIGURE SOLIDCORECERTIFIED AUTOUPDATERS ............................................................................ 7
Enable the Solidifier......................................................................................................................... 8
Reboot the system............................................................................................................................. 9
CONFIGURE UNCERTIFIED AUTOUPDATERS .......................................................................................... 9
Enter the Update Mode .................................................................................................................... 9
Execute the normal workload ........................................................................................................... 9
End the Update Mode....................................................................................................................... 9
Diagnose the update activity........................................................................................................... 10
ABOUT THE SOLIDIFIER’S DIAGNOSIS MECHANISMS .............................................................................. 10
AutoUpdaters that generate new code ........................................................................................... 10
AutoUpdaters that modify existing code......................................................................................... 11
Applications that stop functioning................................................................................................... 11
ADVANCED CONFIGURATION....................................................................................................... 13
CONFIGURE A STANDARD E VENT DELIVERY DESTINATION ................................................................... 13
Assign an event to a standard destination.................................................................................................... 13
Remove an event from a standard destination ............................................................................................ 13
View event assignments to standard destinations ........................................................................................ 14
CONFIGURE THE EVENT CACHE SIZE.................................................................................................... 14
Modify the Event Cache size...................................................................................................................... 14
Set the high watermark .............................................................................................................................. 14
Set the low watermark ............................................................................................................................... 15
CONTROL INSTALLATION AND UNINSTALLATION OF SOFTWARE ........................................................... 15
MSI Package Control ..................................................................................................................... 15
INF Package Control ..................................................................................................................... 16
Exceptions................................................................................................................................................. 16
CONFIGURE EXECUTION CONTROL FOR ADDITIONAL SCRIPTS .............................................................. 16
CONFIGURE EXECUTION CONTROL FOR REMOTE PROGRAMS ................................................................ 18
Execute solidified files on the remote share..................................................................................... 19
Execute all files on the remote share............................................................................................... 19
CONFIGURE PASSWORD PROTECTION FOR THE CLI............................................................................... 20
Set a password........................................................................................................................................... 20
iii
Delete a password...................................................................................................................................... 20
TAMPERPROOF SOLIDCORE SOFTWARE AND CONFIGURATION ............................................................. 20
MANAGE MASS DEPLOYMENTS AND SYSTEM UPGRADES ..................................................................... 22
Export Configuration Settings ........................................................................................................ 22
Import Configuration Settings ........................................................................................................ 22
ROUTINE MAINTENANCE OF A SOLIDIFIED SYSTEM ............................................................. 24
AUTOMATED UPDATES ........................................................................................................................ 24
Add Authorized Updaters ............................................................................................................... 24
Delete Authorized Updaters............................................................................................................ 25
List Authorized Updaters................................................................................................................ 26
Flush Authorized Updaters............................................................................................................. 26
MANUAL UPDATES ............................................................................................................................. 27
Through an Update Window........................................................................................................... 27
Through Incremental Solidification ................................................................................................ 29
Solidify a File............................................................................................................................................ 29
Solidify a Folder........................................................................................................................................ 29
Solidify a Volume...................................................................................................................................... 29
List Solidified Files ........................................................................................................................ 30
List Unsolidified Files .................................................................................................................... 30
List changes made in an update window ......................................................................................... 30
Best Practice: Check Modification Attempts on Solidified Files....................................................... 31
TROUBLESHOOTING ....................................................................................................................... 32
EVENT LOG MESSAGES ....................................................................................................................... 32
TROUBLESHOOT MICROSOFT WINDOWS RELATED ISSUES ..................................................................... 35
OS limitation: Filter Driver Interactions......................................................................................... 35
Boot failures due to selfmodifying drivers...................................................................................... 35
TROUBLESHOOT SYSTEM CRASHES ....................................................................................................... 35
Log File for Debugging.................................................................................................................. 36
ERROR MESSAGES ............................................................................................................................... 36
LEGITIMATE FAILURES THAT ARE NOT ERRORS ..................................................................................... 37
Only Solidified Programs Can Be Executed .................................................................................... 37
Attempt to execute an unsolidified .exe ...................................................................................................... 37
Attempt to execute an unsolidified .vbs script ............................................................................................. 38
Attempt to install a MSI based package ...................................................................................................... 38
Attempt to uninstall a MSI based package .................................................................................................. 39
Solidified Programs Cannot Be Tampered With.............................................................................. 39
Attempt to rename a solidified file.............................................................................................................. 39
Attempt to move a solidified file ................................................................................................................ 40
Attempt to delete a solidified file................................................................................................................ 40
Attempt to overwrite a solidified file .......................................................................................................... 41
Attempt to add alternate stream for a solidified file ..................................................................................... 41
Attempt to delete alternate stream for a solidified file...................................................................... 42
Attempt to rename a registry key..................................................................................................... 42
Attempt to delete a registry key.................................................................................................................. 42
Vulnerabilities in Solidified Programs Cannot Be Exploited............................................................ 42
APPENDIX 1: COMMAND QUICK REFERENCE........................................................................... 44
APPENDIX 2: DIAGNOSTIC TOOLS ............................................................................................... 47
SCANALYZER ..................................................................................................................................... 47
Manual Review of SCAnalyzer Reports........................................................................................... 48
GATHERINFO ...................................................................................................................................... 48
Usage and Interpretation................................................................................................................ 48
FINETUNE ........................................................................................................................................... 48
iv
Introduction
IT leaders are recognizing that the largest element in the cost of information security is not the
cost of security products, but the operational costs associated with security. One example of such
costs is the cost of patching. Patching is an important riskreduction mechanism. However, to
comply with security policies that require implementing the most critical patches in 48 hours, and
low priority patches within one week, it is often necessary for the operations staff to spend
weekends at the office.
Several operational considerations arise when choosing security products to deploy on
infrastructure endpoints. How much effort is required in scaling up a pilot deployment of a
solution to hundreds and thousands of machines in the field? Is there configuration to be done for
each machine? Does it work well in geographically distributed heterogeneous environments?
Another dimension of the operational problem is the amount of effort and expertise it takes to
maintain the effectiveness of the solution over time, as changes happen to the environment and
the image on the machine itself.
The S3 Control the Solidifier for Windows provides Run Time Control Enforcement for solving

the problem of rising operational costs of security. It employs Solidification™: a fundamentally
new, persistent and deterministic approach that gives security via control, but with low operating
costs. Its genesis is in the best practices that IT departments have followed for years. Operations
administrators want to ensure that their systems are in a known and verified state. Solidification
ensures this by guaranteeing that only authorized code can run; hence their systems in production
are running only the code authorized by them.
About This Manual
This manual discusses how users can implement the Solidifier. It describes the solidification
process, the configuration of the Solidifier during the initial implementation and its ongoing
maintenance. It also describes techniques for resolving problems encountered in the field.
Document Objectives
This document is meant to serve as a comprehensive reference for the initial set up and ongoing
maintenance and administration of a solidified system.
Audience
The intended audience for this guide is the system administrator who will be responsible for
administering the Solidifier. The system administrator is assumed to be familiar with the IT
operations on systems including installation, configuration, etc. of application software and
monitoring system logs. Advanced knowledge of any specific operating system or application is
not required.
Document Organization
This manual is organized as follows:
1
Chapter 1, "Introduction" describes document structure.
Chapter 2, "Background" introduces solidification, runtime control and software updates.
Chapter 3, "Solidification and Initial Configuration" describes solidification, the process for
solidifying a system, configuration changes that are necessary for allowing applications that
update the system at run time to function, and some advanced configuration options.
Chapter 4, “Advanced Configuration” describes advanced configuration options that users may
optionally choose to apply.
Chapter 5, “Routine Maintenance of a Solidified System” describes how the system can be
updated either manually or using program automation during maintenance windows.
Chapter 6, “Troubleshooting” describes techniques for resolving problems encountered in the
field. It also provides a reference for the event messages and common errors.
Appendix 1, “Command Quick Reference” provides a quick reference for the CLI commands
Appendix 2, “Diagnostic Tools” describes several diagnostic tools that are packaged together
with the product.
Document Conventions
The following conventions distinguish different types of text:
· Commands and keywords are in boldface.
· In interactive examples, user input is in boldface.
· CLI command syntax is preceded by the term “S3>”
· In command syntax statements
o Parameters (variables for which a specific value is to be typed) are in italics.
o Optional arguments are in square braces.
o Alternative arguments are separated by vertical bars, and are grouped within
curly braces.
· Names of keys on the keyboard are in square braces, such as the [Tab] key.
· A control key is indicated by a caret preceding a letter: ^A means ControlA.
______________________________________________________________________________
Note Means reader take note. Notes contain helpful suggestions or references to material not
covered in the manual.
____________________________________________________________________________
2
The Solidifier’s Command Shell
The Solidifier’s command interpreter, sadmin, is invoked in Solidcore’s custom command
shell. To invoke this command shell, doubleclick on the Solidcore3 Command Line icon on the
desktop. If such an icon is not found, access it from the Start Menu à All Programs à Solidcore
3 à Solidcore 3 Command Line
Help for Solidifier Commands
Help for the basic Solidifier commands can be obtained in this command shell as follows:
S3> sadmin help
Help for the advanced Solidifier commands can be obtained as follows:
S3> sadmin helpadvanced
Product Feedback
For feedback on the product or documentation, please contact NCR through the Financial Global
Support Centre.
· Email fgsc.fgsc@Scotland.NCR.COM
· Internet www.scotland.ncr.com/ssgsc.
· Fax +44 1382 592164
3
Background
About Solidification
Solidification TM is the name for the mechanism that takes an initial snapshot of the software
implemented on a system, and creates a Solidcore File Inventory (inventory) of program code,
including binary executables (.exe,.dll), and scripts (.bat, .cmd, .vbs). The inventory is
closed, i.e., only the fixed set of software that is allowed to run on the host computer is
enumerated. The members of this inventory are called authorized or solidified program code.
Solidification does not change the files that are listed in the inventory.
About Run Time Control
The Solidifier employs solidification for enforcing the following types of control over program
code in execution, or resident on the disk:
Type of Control Effect
Execution Control Only authorized code can run
Memory Control Vulnerabilities in authorized code that is running cannot be exploited
Tamperproofing Prevent deletion, renaming, overwriting of authorized code
Once a system has been solidified and the Solidifier is enabled, the system is said to be in the
Solidified Mode. In this mode, only programs contained in the inventory are allowed to execute.
Any other programs are considered unauthorized and their execution is prevented, and their
failure to execute is logged. This enforcement prevents unauthorized programs such as worms,
viruses, spyware, etc., which install themselves, from executing illegitimately.
Memory Control protects running processes from malicious attempts to hijack them.
Unauthorized code injected into a running process is trapped, halted and logged. In this fashion,
attempts to gain control of a system through buffer overflow and similar exploits are rendered
ineffective, and logged.
Tamperproofing prevents intentional and unintentional changes to files that are in the inventory
by users or programs.
About Software Update
The Update Mode
Systems managed by IT periodically require the installation of updates to existing software. A
solidified system must be placed in the Update Mode before software maintenance is performed.
The Update Mode allows all update actions to be bracketed within an update window, including
addition, removal or modification of software on the system. It tracks every update action
(change) to automatically update the Solidifier Inventory. It ensures that only those executables
4
that are added or modified during the Update Mode are solidified upon its completion. This
enables the new or modified software to run when the system returns to normal operation. Some
of the files may be changed by patches that are applied. However, as with initial solidification,
the Update Mode does not change any file. It only updates the inventory to include metadata for
the changed files.
AutoUpdaters
The Solidifier’s default configuration may have to be updated to permit AutoUpdaters, which are

applications that update the system at run time, to continue to function. Typical examples are:
· Software provisioning systems that download install and run new code, e.g., Microsoft
software update, Tivoli, custom scripts.
· Self updating applications, e.g., anti virus.
· Applications that create executable code at run time, e.g., anti virus, custom applications.
· Applications that write to existing system or application code on disk (binaries, DLL’s,
scripts etc), e.g., backup agents, anti virus.
5
Solidification and Initial Configuration
The Solidifier installs using a standard commercial installer (InstallShield) or using an alternate
installation kit provided by Solidcore. The user interacts with the Solidifier using the Solidifier’s
command interpreter sadmin, which provides the Command Line Interface (CLI) for
administering a solidified system.
Solidify a system
All local drives on a system are solidified using the command:
S3> sadmin solidify
or in its abbreviated form, simply,
S3> sadmin so
Alternatively, a specific volume is solidified independently. For example, the following command
is used to solidify all the program files on the volume C:
S3> sadmin so c:
The duration for the solidification process can range between a few minutes to an hour,

depending upon the nature of the system – its CPU speed, RAM, installed applications, etc. When
solidification is complete, the following message is displayed.
Solidifying volume c:\
00:04:11: Total files scanned 12265, solidified 6342
Solidification also generates an Application log entry as shown below:
Local Administrator executed command 'sadmin so c:' at Fri Jun 15 2007
17:40:21 (Return status: 0).
The user can view the list of solidified files using the following command:
S3> sadmin listsolidified c:
S3> sadmin ls c:
and the list of unsolidified files using the command:
S3> sadmin listunsolidified c:
6
S3> sadmin lu c:
Note: This command prints out a list of unsolidified files. The user may find it convenient to
redirect its output to a file that can be viewed after the command completes.
The Soldification Process is designed to ensure that a system in daily production use continues to
function as before after it has been solidified. It consists of two distinct configuration phases, at
the end of which the solidified system is ready for production use.
Configuration Phase Activity
Update the default Solidifier configuration, to permit Commercial

Solidcorecertified
OffTheShelf (COTS) AutoUpdaters certified by Solidcore to
AutoUpdaters
continue to function.
All other Discover and review other AutoUpdaters. Updates the Solidifier
AutoUpdaters configuration to permit them to continue to function.
Configure Solidcorecertified AutoUpdaters
This phase involves the following activities:
· Commercial OffTheShelf (COTS) Autoupdater applications certified by Solidcore are
added to the Solidifier Configuration
· The Solidifier is enabled
The default system configuration is updated to permit selected COTS software, typically found in

a customer’s environment, as AutoUpdaters so that they can perform updates at run time. This
configuration change is achieved using the finetune utility, which utilizes a knowledge base
incorporating the applications certified by Solidcore. The utility is implemented as a batch file,
named finetune.bat, and is available in the folder where the Solidcore software is installed.
A user can get help for the commands and options supported by finetune by executing it on

the sadmin command line without providing any parameters as shown below:
7
For example, when either McAfee or ETrust or Norton Antivirus software is installed on a
system, they are added as AutoUpdaters in the Solidifier’s configuration as follows:
finetune.bat add AMcAfee
finetune.bat add AETrust
finetune.bat add ANAV
Enable the Solidifier
The Solidifier is enabled using the following command.
8
S3> sadmin enable
The execution of this command causes the following message to be displayed.
Solidcore control will be enabled on next reboot.
The log entry is also generated as follows:
Local Administrator executed command 'sadmin enable' at Fri Jun 15 2007
Reboot the system
After the system is rebooted, the Solidcore Service is started; the system (OS plus applications) is
solidified and has the following properties:
· Only solidified code can run. Any code that is created or modified at runtime, after the
solidification step completes is considered unauthorized and not allowed to run.
· Authorized code cannot be tampered with. Any OS or application code cannot be deleted,
renamed or otherwise updated in any fashion.
· Vulnerabilities in solidified code cannot be exploited.
Configure Uncertified AutoUpdaters
Enter the Update Mode
The Update Mode allows a user to bracket all update actions including addition, removal or
modification of software on the system. It provides a mechanism to automatically update the
Solidifier Inventory and ensure that only those executables that are added or modified during the
Update Mode are solidified after its completion. This enables the new or modified software to
execute when the system returns to normal operation after the execution of sadmin endupdate
command.
S3> sadmin beginupdate
S3> sadmin bu
Execute the normal workload
The purpose of executing the normal workload is to exercise all applications and let them perform
their normal tasks. During the Update Mode, all the updates performed by them are tracked and
when the Update Mode ends, are recorded in a log file.
End the Update Mode
Upon ending the Update Mode, the Solidifier automatically records all the changes in a private
log file.
9
S3> sadmin endupdate
Diagnose the update activity
The diagnosis for the update activity is provided by the diag command, which determines the
configuration for the Solidifier in the presence of programs that perform updates to the system
when they run.
S3> sadmin diag
The output identifies candidate AutoUpdaters and provides the command syntax for authorizing

such programs to perform updates when they execute. Users are advised to review the candidate
AutoUpdaters to ensure that no critical system processes or programs with generic names, e.g.,
setup.exe, are set as authorized updaters. The output of executing this command displays
configuration rules.
· An exclamation bar, ! , indicates that a configuration for the program already exists. The

existing configuration is shown on the next line within square brackets.
· An asterisk, * , indicates that the configuration is for a restricted program, which may
provide a user with capabilities to change the system. Hence, such programs should have
restricted configuration.
The user can apply the configuration changes diagnosed by executing this command as follows:
S3> sadmin diag fix
To apply configuration changes for restricted program, the user should execute the following
command:
S3> sadmin diag fix –f
Configuration changes may need a system reboot.
About the Solidifier’s diagnosis mechanisms
The Solidifier examines the Event Log and internal logs of changes to identify applications that
are attempting to perform updates, or fail to run when they execute, as described in the following
sections.
AutoUpdaters that generate new code
The Solidifier examines log messages of the following form:
Solidcore prevented unauthorized execution of 'E:\Documents and
Settings\Administrator\Application
Data\Adobe\Acrobat\7.0\Updater\Ac705RdP_efgj.exe' by process E:\Program
Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe (Process Id:
2204, User: STAGE12\Administrator).
10
The keywords prevented unauthorized execution show that the application Adobe Acrobat is
attempting to update Acrobat Reader by executing a new program Ac705RdP_efgj.exe. The fact
that the application AdobeUpdateManager.exe can execute means that it is solidified and
authorized to do so, otherwise the Solidifier would have prevented its execution. Normally, after
the Solidifier is enabled, such an update would be permitted only when the Solidifier is in the
Update Mode. The Solidifier suggests the following configuration change using the diag
command
S3> sadmin diag
updaters add t "DIAG:AdobeUpdateManager.exe" "AdobeUpdateManager.exe"
to explicitly authorize Adobe’s Update manager to perform the update while the Solidifier is in
Enabled Mode.
AutoUpdaters that modify existing code
The Solidifier examines the log message of the following form:
Solidcore prevented an attempt to modify file 'C:\Program
Files\Yahoo!\Messenger\yupdater.exe' by process C:\Program
Files\Symantec_Client_Security\Symantec AntiVirus\VPC32.exe (Process
Id: 2420, User: STAGE12\Administrator).
The keywords prevented an attempt to modify file indicate that Symantec Antivirus’ run time
virus scanner program VPC32.exe, attempted to modify the program yupdater.exe. This update
violates the Solidifier’s tamperproofing protection for programs and is prevented in real time. In
order to permit Antivirus to function, the Solidifier suggests the following configuration change
using the diag command
S3>sadmin diag
updaters add t "DIAG:VPC32.exe" "VPC32.exe"
to explicitly authorize Symantec Antivirus to perform the update while the Solidifier is in
Enabled mode.
Applications that stop functioning
The Solidifier offers very conservative memory protection techniques for preventing exploits

from propagating further. There are some custom and commercial offtheshelf applications that
use nonstandard mechanisms for resolving a function name to its corresponding address, e.g.,
manually walking the program data structures, or jumping to some hardcoded addresses where
they believe the function resides, primarily to make reverse engineering difficult. This proves to
be an unfortunate choice because similar techniques are also used by malicious code with the
intent of exploiting vulnerabilities in legitimate applications. The Solidifier categorically prevents
applications that use such nonstandard means from executing because it does not heuristically
distinguish between "good" and "bad". This behavior manifests itself as an application that fails
to run after the Solidifier is enabled. Finetune and the Solidifier are designed to recommend
configuration changes for several applications.
11
In the event that you encounter an application that fails to run and discover the log entry of the
following form:
Solidcore prevented process E:\Program Files\Adobe\Acrobat
7.0\Reader\AcroRd32.exe, being run by STAGE12\Administrator, from
making unauthorized access to API GetProcAddress (return address
0x08001035, CoolType.dll). The process was terminated.
Note the keywords making unauthorized access to API. This indicates that the Solidifier has
encountered a program that is using a nonstandard mechanism for resolving a function name to
its corresponding address. In order to permit applications that you know are legitimate to execute,
you can bypass these validation checks and permit such applications to run by suggesting the
following configuration change using the diag command:
S3> sadmin attr add –b AcroRd32.exe
Some of the Solidifier's memory protection mechanisms do not always generate log
messages because they trap such exploit code and instantaneously stop the further execution of
any instructions. So, while the mechanisms are deterministic, sometimes, the tradeoff is that
there is no log output. In a situation where a legitimate application does not work with the
Solidifier enabled AND there is no log record to show why the Solidifier prevented its execution,
Solidcore recommends one other test. The test involves disabling the Solidifier's memory
protection and ensuring that the legitimate application works as expected. In this case, the user
can bypass validation checks and permit the application to run by performing the following
configuration change:
S3> sadmin attr add –b applicationname
12
Advanced Configuration
This section introduces advanced configuration topics including
· Configure a Standard Event Delivery Destination
· Configure the Event Cache Size
· Control Installation and Uninstallation of Software
· Configure Execution Control for Additional Scripts
· Configure Execution Control for Remote Programs
· Configure Password Protection for the CLI
· Tamperproof Solidcore Software and Configuration
· Manage Mass Deployments and System Upgrades
Configure a Standard Event Delivery Destination
The Solidifier tracks changes on the system and records events in the operating system log. Each
event records the occurrence of change. The events can be logged at one or more locations called
event sinks. The Solidifier supports three types of event sinks, namely,
· Operating system log (oslog )
· System Controller (sc)
· Debugging output (debuglog).
Assign an event to a standard destination
To log all the events onto the System Controller, issue the following command:
> sadmin event sink a ALL sc
The following Event Log entry is generated:
Local Administrator executed command 'sadmin event sink a ALL sc' at
Wed May 23 2007 14:59:35 (Return status: 0).
Remove an event from a standard destination
The following command ensures that none of the events are logged onto the System Controller.
> sadmin event sink r ALL sc
Local Administrator executed command 'sadmin event sink r ALL sc' at
Wed May 23 2007 15:01:42 (Return status: 0).
13
View event assignments to standard destinations
To view the list of events along with their sink configuration, execute the following command:
> sadmin event sink
Local Administrator executed command 'sadmin event sink' at Wed May 23
2007 15:03:11 (Return status: 0).
Configure the Event Cache Size
The change events are buffered on the Solidifier to deal with network outrage, etc. The default
event buffer size on the Solidifier is 2MB. When the buffer limits are about to be reached, then an
event is logged in the system log stating that the cache is about to overflow. When the buffer
limits are exceeded, then the new events are dropped until the number of events in the buffer falls
below its high watermark. The upper and lower watermark levels are configurable through the
EventCacheWMHigh and EventCacheWMLow parameters respectively. The input value of the
parameter EventCacheWMHigh should range between 50 to 100 and the input value of the
parameter EventCacheWMLow should be configured above 20 and should be less than the
EventCacheWMHigh.
While configuring these paramenters, ensure that the value of the lower watermark level should
always be less than the value of the upper watermark level and viceversa.
Modify the Event Cache size
To set the event cache size to the specified value, execute the following command:
> sadmin config set EventCacheSize=<no>
The following message is displayed upon the completion of this command:
Parameter ‘EventCacheSize’ has been successfully set to <no> (0x32)
The following Event Log entry is also generated in the operating system logs:
Local Administrator executed command 'sadmin config set EventCacheSize=<no>' at Thu May

24 2007 10:41:50 (Return status: 0).
Set the high watermark
To set the upper watermark level, execute the following command:
> sadmin config set EventCacheWMHigh=<no>
Parameter ‘EventCacheWMHigh’ has been successfully set to <no> (0x64).
14
Local Administrator executed command 'sadmin config set EventCacheWMHigh=<no>' at Thu

May 24 2007 10:46:50 (Return status: 0).
Set the low watermark
To set the lower watermark level, execute the following command:
> sadmin config set EventCacheWMLow=<no>
Parameter ‘EventCacheWMLow’ has been successfully set to <no> (0x32).
Local Administrator executed command 'sadmin config set EventCacheWMLow=<no>' at Thu

May 24 2007 10:50:43 (Return status: 0).
Control Installation and Uninstallation of Software
The capability to control installation and uninstllation of software is called Package Control and
is enabled using the command
S3> sadmin features enable pkgctrl
Once Package Control is enabled, software cannot be installed using standard commercial
installers except within an Update Windows.
Note: Package Control is disabled by default.
MSI Package Control
The MSI Package Control enables an administrator to control the installation or uninstallation of
MSI based packages on a system. works. It is enabled using the command,
S3> sadmin features enable pkgctrlmsi
Once this capability has been enabled on the system, it prevents unauthorized
installation/uninstallation of the MSI based packages. Any unauthorized attempt to
install/uninstall the MSI package is stopped and an event is generated in the Event log.
The MSI based installer is allowed to install/uninstall only through one of the following
mechanisms:
· The MSI file has been marked as an updater using the sadmin updaters command.
· The installation/uninstallation of MSI based installer can also be carried out in the update
mode.
15
INF Package Control
The INF Package Control enables an administrator to control the installation or uninstallation of
of Windows optional components and INFbased installers on a system. It is enabled using the
command,
S3> sadmin features enable pkgctrlinf
Once this capability has been enabled on the system, it prevents unauthorized
installation/uninstallation of the INF based packages. Any unauthorized attempt to
install/uninstall the INF package is stopped and an event is generated in the Event log. The INF
Package Control enforces the following scenarios:
· All Windows optional components are blocked from installation/uninstallation.
· The INF based installers are blocked from installation. All INF files when right clicked
give install option. Installation is blocked by this option.
· There are some INF files which can also be installed using certain exported functions
from setupapi.dll or advpack.dll. These installations are also blocked.
· Only those drivers that use INF files are blocked from installing.
Note: The installation/uninstallation of Windows optional components and INF based installers
can be carried out only in update mode.
Exceptions
This section enumerates exceptional behaviors caused by interactions with Windows that are
documented here for the reader’s benefit.
· The following behavior is specific to some Windows optional components, particularly
games. When an administrator attempts to uninstall a Windows optional component
while the INF Package Control is in effect, the uninstallation seems to succeed. The Add
or Remove Programs screen shows that the component is no longer installed. However,
the component remains installed and is executable.
· When the 'Next' or 'Cancel' button is clicked on the Windows Components Wizard
window, even without making any changes to the selected components, the following
error message appears: "Solidcore prevented unauthorised modification of Windows
Optional Components."
· Some utilities like WinDriver tools (wdreg.exe) can bypass this mechanism and
install/uninstall .INF files.
· Some optional Windows components can be installed using standard Windows tool like
secedit and gpupdate. By default, installation/uninstallation from these tools is not
prevented.
Configure Execution Control for Additional Scripts
The Solidifier supports the standard script interpreters that are bundled with the Windows OS,
namely, the batch files (.bat), the command interpreter (.cmd) and Visual Basic (.vbs),
16
by default. However, customers may wish to explicitly enable Execution Control for other
interpreters on a selective basis. The Solidifier permits custom associations to be defined between
fileextensions and the interpreters that interpret the content of such files.
S3> sadmin scripts add extension interpreter1 [ interpreter2 ]...
Once this association is established, these files become supported file types and are required to be

solidified. All files having that extension can only be executed by those interpreters and by none
others. For example,
S3> sadmin scripts add .vbs wscript.exe cscript.exe
will cause the Solidifier to enforce that only wscript.exe and cscript.exe can execute

any .vbs script. Execution control is enabled and effective immediately for all new interpreter
instances that are initiated after the completion of this command. Another interpreter can be
added later on to augment this list as shown below:
S3> sadmin scripts add .vbs zscript.exe
If a user attempts to add an interpreter that already exists on this list, then the attempt will be
ignored.
There is special legacy support for 16bit binaries. The Solidifier supports a special tag '16Bit' as
a synthetic extension for such programs.
S3> sadmin scripts add 16Bit wowexec.exe
S3> sadmin scripts add 16Bit ntvdm.exe
The user can list all the interpreters for which Execution Control is enabled and in effect as
shown below:
S3> sadmin scripts list
This command will list down the extension and the associated interpreter list.
.vbs wscript.exe cscript.exe
16Bit wowexec.exe ntvdm.exe
The user may remove specific interpreters or the entire list for the extension using the following
command:
S3> sadmin scripts remove extension
[ interpreter1 [ interpreter2 ] ] ...
If an interpreter does not exist in the current list for the extension, it will be ignored. If no
interpreter list is provided, the whole list for that extension shall be removed. The files having the
extension for which the rule has just been removed will stay solidified until the check command
is specifically run on them.
17
File extension Default Interpreter/extension list
.vbs "wscript.exe" "cscript.exe"
.vbe "wscript.exe" "cscript.exe"
.cmd "cmd.exe"
.bat "cmd.exe"
16Bit "wowexec.exe" "ntvdm.exe"
Configure Execution Control for Remote Programs
The Solidified Server A can run a remote program file, for instance, C:\LotusStartup\init.exe
located on Server B as shown in the following figure:
Servers A and C run program file
\\ServerB\LotusStartup\init.exe
mapped from Server B
Folder that is
shared by other
servers:
C:\LotusStartup
\init.exe
ServerA Server B unsol.exe
Solidified Host File Share
Server C
UnSolidified Host
Network shares are not solidified or trusted by default. An administrator on Server A has to
explicitly solidify them to run remote files when the Solidifier is enabled. Solidification can be
done on a UNC path as well as mapped network drive. For example, if Z: is mapped to
\\ServerB\LotusStartup on Server A, as the command to solidify is as follows:
S3> sadmin solidify \\ServerB\LotusStartup
or
18
S3> sadmin solidify Z:
Note: On Windows NT 4.0, the Net Logon Service must be running.
The share being solidified (\\serverB\LotusStartup) should have write permissions so that the
Solidcore inventory can be written to the remote disk. If this is not possible from Server A, some
other machine that has the write permission to the share should be used.
The share must be trusted for the solidified file on a remote share to execute.
Runtime Behavior
The solidified executable, \\serverB\LotusStartup\init.exe or Z:\init.exe will be allowed to
execute on the solidified client. Once the Solidifier is enabled on Server A, the program file,
init.exe can be launched manually by simply doubleclicking on the file listed in the shared
network folder.
An unsolidified program file \\serverB\LotusStartup\unsol.exe or Z:\folder3\unsol.exe will not be
allowed to execute on the solidified client.
Execution of files from any network share will not be allowed if it is not marked as trusted.
If the solidfier is executing on the client side, such as on Server A, the client itself maintains an
inmemory copy of the Solidifier inventory, whereas the diskbased inventory resides only on the
Server B. A client's copy of the server’s inventory may get out of sync with the server's on disk
inventory or the server's file system. The client side inventory can be brought in sync with the
server's ondisk inventory, by issuing the following command at the client side:
S3> sadmin refresh UNCpathnameforshare
or
S3> sadmin refresh mappeddrivename
Execute solidified files on the remote share
To execute solidified files on the remote share, establish the network share as a Trusted share
using the following command:
S3> sadmin trusted include \\ServerB\LotusStartup\
S3> sadmin so \\ServerB\Lotusstartup\init.exe
Execute the file located on the remote location using the same path with which it is added in the
trusted list.
Execute all files on the remote share
To execute any file whether solidified or nonsolidified on the remote share, establish the network
share as a Trusted share using the following command:
19
S3> sadmin trusted include –a \\ServerB\LotusStartup\
After execution of this command, the following message appears on the screen:
Rule added successfully for ‘ServerB\LotusStartup\’.
Execute the file located on the remote location.
Configure Password Protection for the CLI
The password protection feature of the Solidifier restricts the usage of critical sadmin commands
by individuals only to the sadmin administrator. Once the password has been set, password
protection is enabled, all critical commands are password protected and can be accessed only
after supplying the password.
Set a password
Password protection is set using the following command:
S3> sadmin passwd
This command is used to set the password. It prompts for the old password (if password is set)
and then for the confirmation of the new password twice.
Delete a password
An existing password can be deleted using the following command:
S3> sadmin passwd d
Tamperproof Solidcore Software and Configuration
There are a class of Solidifier implementations where there are
· Very stringent security requirements, such as those for meeting audit compliance
standards or Federal Defense Agencies, or,
· There is the business requirement to ensure that the Solidcore software is not overwritten
to gain control over the system, such as for ATM machines and devices that flow through
a multistage OEM channel.
The Solidifier supports the Product Integrity for tamperproofing its software and registry key
entries.. When enabled, it permits the Solidifier code to run even when its components are not in
the inventory. This is to ensure that the product does not become unusable from accidental or
malicious unsolidification of Solidcore’s software components. Product Integrity maintains the
integrity of the following files:
20
File Control Settings
Authorized to execute unconditionally
<installation path>\sadmin.exe
Tamperproofing enabled
<installation path>\scsrvc.exe
<installation path>\SCSgnDcd.exe
The passwd file stores the encrypted password
<installation path>\passwd using SHA1, which is a significantly strong
encryption technique. The file is protected by
product integrity.
<System32 folder>\drivers\swin.sys
Tamperproofing enabled for existing files.
All files in <root volume>\solidcore Files added afterwards can only be modified by
the Solidifier.
The authority to execute unconditionally implies that there is no validation check for file’s
existence is the inventory. To facilitate Solidcore upgrades, product integrity is disabled in update
mode even if the feature is shown as enabled.
Only the Solidifier is permitted to change the values for the following registry keys:
· HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\swin
· HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\scsrvc
· HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventL
og\Application\System Solidifier
Modifications through the keys HKEY_LOCAL_MACHINE\System\ControlSetXXX
are also prevented, since they are links to the
HKEY_LOCAL_MACHINE\System\CurrentControlSet registry keys.
However the following, sub keys are not protected because their presence is not essential for the
Solidifier’s correct functioning.
· HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\swin\E
num
21
· HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\scsrvc
\Enum
Note: The authorized updaters have been provided with the capability to override Product
Integrity. With Product Integrity enabled, the modifications to Solidcore protected files and
registries can be done through the updaters command and the changes are also tracked by logging
events in the Event log.
Manage Mass Deployments and System Upgrades
The Configuration Migration feature of the Solidifier provides a way to extract and store all
identified configuration items in an exportable format. This exported configuration can then be
imported to any other installation or to permit an upgrade of the OS, or the Solidcore software, on
the same system, or on other systems where there is no variation in images.
The user can add, delete or modify the contents of an exported file and import the modified
configuration file to affect new parameters. For some parameters, module specific rules are
displayed. Hence, modifying such lists is not straight forward and is not recommended. Such
parameters include Monitoring Rules List, Capability Rules List, Bypass List, Updaters List etc.
Export Configuration Settings
Export the configuration to a file using the following command:
S3> sadmin config export C:\adgoldbuild.txt
The following message appears on the screen upon the successful execution of this command:
The export configuration operation completed successfully.
An Event Log entry is also generated as shown:
Local Administrator executed command 'sadmin config export C:\adgold
build.txt' at Wed Mar 14 2007 17:51:36 (Return status: 0).
Import Configuration Settings
This command is usable only when the Solidifier is either in the Disable or Update Mode. Before
importing the configuration settings, check the current status of the Solidifier using the following
command:
S3> sadmin status
If the status is not as shown below,
Solidcore Conrol: Disabled
Solidcore Control on reboot: Disabled
then disable the Solidifier and reboot the system. Import the Solidifier configuration from a file
that contains a previously exported configuration using the following command:
22
S3> sadmin config import C:\adgoldbuild.txt
The following message appears on the screen upon the successful execution of this command:
The import configuration operation completed successfully.
An Event Log entry is also generated as shown:
Local Administrator executed command 'sadmin config import C:\adgold
build.txt' at Wed Mar 14 2007 17:52:28 (Return status: 0).
Enable the Solidcore Control and reboot to reuse the imported configuration.
S3> sadmin enable
23
Routine Maintenance of a Solidified System
This chapter contains the following topics:
· Automated Updates
· Error! Reference source not found.
· Manual Updates
Automated Updates
The Solidifier prevents the modification of solidified executable files and also controls the
unauthorized installation/uninstallation of MSI based installers without entering the update mode.
The Solidifier provides the updaters command to unconditionally authorize legitimate
programs to update software on a solidified system.
Note: A reboot is not required after adding MSI files to the updaters list.
Add Authorized Updaters
Any executable file can be added to the updaters list by using the following command:
S3> sadmin updaters add WindowsInstallerKB893803v2x86.exe
The above example unconditionally authorizes the Windows Installer for a HotFix, KB893803, to
perform updates on protected files or registry keys. After this command completes successfully,
the following message is displayed at the command prompt:
Rule added successfully.
The following log entry is also generated:
Local Administrator executed command 'sadmin updaters add
WindowsInstallerKB893803v2x86.exe' at Fri Jun 15 2007 17:53:52
(Return status: 0).
Any MSI file can be added to the updaters list by using the following command:
S3> sadmin updaters add Ica32Pkg.msi
The above example unconditionally authorizes the Windows Installer for an MSI file,

Ica32Pkg.msi, to perform changes on protected files or registry keys. The new files are placed on
the system and solidified. After this command completes successfully, the following message is
displayed at the command prompt:
Rule added successfully.
The following log entry is also generated:
24
Local Administrator executed command 'sadmin updaters add “C:\Documents
and Settings\Administrator\Desktop\Ica32Pkg.msi” at Fri Jun 15 2007
The following command sets iexplore.exe as an authorized updater only when it is launched by
svchost.exe as its parent
S3> sadmin updaters add p svchost.exe iexplore.exe
The following command sets svchost.exe as an authorized updater only when its loads the library
system32\wuauserv.dll
S3> sadmin updaters add l system32\wuauserv.dll svchost.exe
The following example illustrates the addition of Windows Updaters using a scheduled update.
The –t option causes the associated tag, e.g., Win_up_schedule1 to be written to the log for all
files that are solidified or unsolidified due to this update rule.
sadmin updaters add t Win_up_schedule1 l system32\wuauserv.dll
svchost.exe
sadmin updaters add t Win_up_schedule2 l system32\wuaueng.dll
svchost.exe
sadmin updaters add t Win_up_schedule3 p svchost.exe iexplore.exe
sadmin updaters add t Win_up_schedule4 p svchost.exe wuauclt.exe
sadmin updaters add t Win_up_schedule5 p svchost.exe update.exe
sadmin updaters add t Win_up_schedule6 p svchost.exe
WindowsInstallerKB893803v2x86.exe
sadmin updaters add t Win_up_schedule7 p svchost.exe bitinst.exe
sadmin updaters add d t Win_up_schedule8 winlogon.exe
Note: The user should restart the application or the system after adding authorized updaters
Delete Authorized Updaters
Any protected file can be deleted from the updaters list by using the following command:
S3> sadmin updaters remove pathname and or filename
where pathname and or filename provide the path for the protected program that needs to be
deleted from the authorized updaters list. After this command completes successfully, the
following message id displayed at the command prompt:
Rule removed successfully.
25
The following log entry is generated:
Local Administrator executed command 'sadmin updaters remove pathname'
at Fri Jun 15 2007 17:55:34 (Return status: 0).
The following example illustrates the removal of Windows Updaters for scheduled update:
sadmin updaters remove l system32\wuauserv.dll svchost.exe
sadmin updaters remove l system32\wuaueng.dll svchost.exe
sadmin updaters remove p svchost.exe iexplore.exe
sadmin updaters remove p svchost.exe wuauclt.exe
sadmin updaters remove p svchost.exe update.exe
sadmin updaters remove p svchost.exe WindowsInstallerKB893803v2
x86.exe
sadmin updaters remove p svchost.exe bitinst.exe
sadmin updaters remove winlogon.exe
List Authorized Updaters
The protected files can be listed using the following command:
S3> sadmin updaters list
t Auto_2 luall.exe
Local Administrator executed command 'sadmin updaters list' at Fri Jun
15 2007 17:56:42 (Return status: 0).
Note: A running application should be restarted after adding it as an authorized updater.
Flush Authorized Updaters
To flush the complete list of authorized updaters, enter:
S3> sadmin updaters flush
26
Manual Updates
Through an Update Window
Figure 2 summarizes the steps to implement the Update Mode on a solidified system:
Figure 1: The Manual Update Mode
To perform manual software update in the Update Mode, perform the following steps:
Check the current status of the Solidifier using the following command:
S3> sadmin status
Solidcore control: Enabled
Solidcore control on reboot: Enabled
Begin the Update Mode using the following command:
S3> sadmin bu
Note: The sadmin bu command work only in Enabled Mode.
Entering Update Mode.
27
Local Administrator executed command 'sadmin bu' at Fri Jun 15 2007
The Solidifier status during Update Mode is viewed using the following command:
S3> sadmin status
Solidcore control: Update
Solidcore control on reboot: Update
Now, you can perform software update actions: Add/delete/modify software on the computer.
Doubleclick some program, for example, Windows2000KB822831x86enu.exe to install it on
the computer. Follow the application installation procedures as presented through the setup
wizard. It may include restarting the computer. The code files added during the update windows
can be viewed using the following command:
S3> sadmin lm
Please wait...
AS C:\Documents and Settings\Administrator\Local Settings\Temporary
Internet Files\Content.IE5\4TMVGDAR \windows2000KB822831x86
ENU[1].exe
AS C:\WINNT\$NtUninstallKB822831$\newdev.dll
AS C:\WINNT\$NtUninstallKB822831$\spuninst\spuninst.bat
AS C:\WINNT\$NtUninstallKB822831$\spuninst\spuninst.exe
AS C:\WINNT\System32\Newdev.dll
Local Administrator executed command 'sadmin lm' at Fri Jun 15 2007
End the Update Mode using the following command:
S3> sadmin eu
Please wait ...
28
Exiting Update Mode.
Local Administrator executed command 'sadmin eu' at Fri Jun 15 2007
Check the current status of the Solidifier using the following command:
S3> sadmin status
Solidcore control: Enabled
Solidcore control on reboot: Enabled
Through Incremental Solidification
Solidify a File
To solidify a specific file, for example, Hello.exe, use the following command:
S3> sadmin so c:\Hello.exe
Local Administrator executed command 'sadmin so "C:\Hello.exe"' at Fri
Jun 15 2007 10:23:39 (Return status: 0).
Solidify a Folder
To solidify a specific folder, for example, C:\Program Files, use the following command:
S3> sadmin so "C:\Program Files"
Local Administrator executed command 'sadmin so "C:\Program Files"' at
Fri Jun 15 2007 10:27:07 (Return status: 0).
Solidify a Volume
29
To solidify a specific volume, for example, the C: drive, use the following command:
S3> sadmin so C:
Solidifying volume C:\
Local Administrator executed command 'sadmin so C:\' at Fri Jun 15 2007
List Solidified Files
The following command displays a list of files that have been solidified/writeprotected on the
system:
S3> sadmin listsolidified
List Unsolidified Files
The following command displays a list of files that have not been solidified on the system:
S3> sadmin listunsolidified
This command may take a few minutes to complete and displays the files that have not been
solidified.
List changes made in an update window
The changes made by a user or a program during an update window are visible in the Event Log.
Another method for extracting this information is to follow the steps outlined below:
S3> sadmin lm
The flags that prefix each record indicate the type of the operation that will be performed on each

code file when an endupdate, or eu, is executed.
At the time of end update, run the command
S3> sadmin eu –l
and redirect the output to a text file, e.g., updatelist.txt, which will contain a list of all file system

changes in the Update Mode.
30
Best Practice: Check Modification Attempts on Solidified Files
The check command is particularly useful for detecting and reporting modifications to a solidified
file in the Disabled Mode. The user should execute the check command each time a system is
solidified or updated but before rebooting. If the update procedure is successfully performed, the
check command should not display modified files.
S3> sadmin check
This command displays the files that are solidified and have been modified by the user. The
output is displayed as follows:
Checking volume C:\ ...
Checking volume E:\ ...
Checksum and Filetype mismatch for file 'E:\Documents and
Settings\Administrator\Desktop\Hello.exe'
The check command does not work inside the Update Mode. However, the listmodified
command can be used inside the Update Mode to check the files modified and added during any
software upgrade process.
31
Troubleshooting
Event Log Messages
The Solidifier events can be viewed in the Application Event Logs: (Start menu à Programs à
Administrative Tools à Event Viewer à Application)
Category Key: W for Warning, E for Major Error, C for Critical and I for Informational
Event Name Key Description
BOOTING_DISABLED W Solidcore control is currently disabled.
BOOTING_ENABLED I Solidcore control is currently enabled.
BOOTING_UPDATE_MODE I System is booting in Solidcore update

mode.
ENABLED_DEFERRED I Solidcore control will be enabled on next

reboot.
DISABLED_DEFERRED W Solidcore control will be disabled on next

reboot.
BEGIN_UPDATE I Solidcore is starting update mode on the

system to allow updates (Workflow Id:
workflow_id, Comment: comment).
END_UPDATE I Solidcore is ending update mode on the

system (Workflow Id: workflow_id).
COMMAND_EXECUTED I username executed command command at

end_time (Return status: status).
WRITE_DENIED M Solidcore prevented an attempt to modify
file filename by process processname
(Process Id: PID, User: user_name).
EXECUTION_DENIED M Solidcore prevented unauthorized execution
of filename by process processname
(Process Id: PID, User: user_name).
FILE_SOLIDIFIED I filename was solidified which was created
by program program_name (User:
user_name, Workflow Id: workflow_id).
32
FILE_RESOLIDIFIED I filename was resolidified which was
modified by program program_name (User:
FILE_UNSOLIDIFIED I filename was unsolidified which was

deleted by program program_name (User:
SC_CONNECTED I Connected to Solidcore System Controller
hostname.
SC_DISCONNECTED I Disconnected from Solidcore System
Controller hostname.
PROCESS_TERMINATED_UNAUTH_SYSCA M Solidcore prevented process processname ,
LL being run by user_name, from making
unauthorized syscall syscall_number
(return address return_address). The
process was terminated.
PROCESS_TERMINATED_UNAUTH_API
Solidcore prevented process processname,
M
being run by user_name, from making
unauthorized access to API api_name
(return address return_address). The process
was terminated.
SGN_FILE_VERIFY_FAILURE C Solidcore prevented execution of signed
binary filename as signature verfication
failed (Return status: status).
SGN_SIGNATURE_MISMATCH C Solidcore prevented execution of signed
binary filename as no matching certificate
was found.
SGN_PROCESS_LAUNCH_FAILURE C Signed binary filename could not be

launched (Return status: status).
SGN_PROCESS_LAUNCH_SUCCESS I Solidcore allowed execution of signed
binary filename.
REG_VALUE_WRITE_DENIED M Solidcore prevented an attempt to modify
Registry key registry_keyname with value
value by process processname (Process Id:
PID, User: user_name).
REG_KEY_WRITE_DENIED M Solidcore prevented an attempt to modify
Registry key registry_keyname by process
processname (Process Id: PID, User:
33
user_name).
INVENTORY_CORRUPT C Solidcore detected that its internal inventory
for the volume volumename is corrupt. To
rectify, please delete the inventory and
solidify the volume again.
BOOTING_DISABLED_SAFEMODE W Solidcore control is disabled because

system is in safe mode.
BOOTING_DISABLED_INTERNAL_ERROR C Solidcore control is disabled because of
internal error error.
PROCESS_HIJACKED M Solidcore reporting that process
processname is being tried to be hijacked
from address faulting_address. Few system
call for the thread are blocked now.
ALERT_CACHE_OVERFLOW M Event Cache Watermark Overflowed.
ALERT_CACHE_WM_BREACHED W Event Cache Watermark Breached. Level =
level percent of cache size.
ALERT_CACHE_WM_RECOVERED I Event Cache Watermark Recovered. Level
= level percent of cache size.
PKG_MODIFICATION_PREVENTED C Solidcore prevented package modification
of unauthorized installer: filename.
PKG_MODIFICATION_ALLOWED_UPDATE I Solidcore allowed package modification of
Installer: filename. (Workflow Id:
workflow_id )
PKG_MODIFICATION_ALLOWED_SGN I Solidcore allowed package modification of
Solidcore Signed Installer: filename.
SGN_MSI_SIGNATURE_MISMATCH C Solidcore signature is not verified for
installer: filename.
PKG_TERMINATE_PROC_OCMGR C Solidcore prevented unauthorised
modification of Windows Optional
Components.
34
Troubleshoot Microsoft Windows related issues
OS limitation: Filter Driver Interactions
The Windows NT file system imposes fundamental restrictions on the amount of memory that file
system filter drivers can consume in the kernel. When a system has multiple filter drivers loaded,
e.g., anti virus agents, backup agents, access control agents, system monitoring agents, security
software agents, interactions between them can cause application or system hangs. Such a
situation requires customers to decide which agents are absolute operational necessities and
consider uninstalling the inessential ones. (Note that the uninstallation will require a reboot, since
the inessential filter drivers must be unloaded from the kernel.)
Boot failures due to selfmodifying drivers
There are certain drivers which on being loaded modify their images on disk. If prevented by
Solidcore, they return errors which might lead to a blue screen. Such drivers cannot be
unsolidified, because then they can't be loaded, e.g. clkdrv.sys, the crypt key driver. Solidcore
recommends that such drivers should be solidified and always authorized to execute using the
command
S3> sadmin attr add –a filename
Troubleshoot system crashes
In the rare event that you encounter a system crash when the Solidifier is enabled, you can follow
the steps outlined below for recovering from the crash and getting the system operational once
again.
System crash (Blue Screen) when Solidcore is enabled
Symptom The system will show a blue screen with a bug check number.
The Field Engineer should check that the automatic reboot on BSOD
option is disabled, while trying to reproduce the Bug check. Otherwise, the
system will reboot automatically without showing any bug check number,
when the bug check actually happens.
What should · The bug check number and all the parameters it shows on screen.
you note
down and · The complete memory dump, memory.dmp, which resides in the
report? Windows folder.
What is the · Ensure memory dumps are enabled
recovery
procedure? · Boot the system in safe mode
o Press F8 as the system is booting up
o Select Boot in safe mode.
In Windows 2000, XP and 2003, press "F8" as the system is
booting up. From the menu that appears, select the "Safe mode
35
with networking" option.
In Windows NT, by default the boot menu will show "VGA
boot" and/or "Safe boot" options. Select any one of the two
options.
· Disable Solidcore
o Issue the scsrvc d at the Solidifier command line interface.
o Issue the sadmin disable command.
· Gather diagnostics: Run gatherinfo
The crash dump, if it was enabled before the occurrence of the BSOD,
will be found in the configured path. This is very useful for debugging.
· Reboot the system.
The Field Engineer who observes the symptom first hand, or the Support Engineer who is
responding to a field issue, must ensure that the following information is collected before
contacting Solidcore support:
Information to be collected for debugging
Problem description Provided by person reporting the problem
Diagnostics Information generated using utilities provided by Solidcore
Error messages Observe and record as described below
Device /Appliance image To help recreate the problem
Log File for Debugging
A log file named solidcore.log is created in a temp directory on the system drive.
Error messages
Always ask the person who is reporting an error to record an error message related to the
symptom that is visible. The error message may be
· In a console window, or
· At the Solidifier command line interface, or
· In a popup window from the Operating System or an application, or
· In the event viewer
These error messages provide valuable insight to people who investigate the problem further. If

there are multiple error messages that look similar but are not identical, the user should record the
details of each one as they will be helpful for providing the context surrounding the problem.
36
Command Line Interface Error Messages
When an invalid volume ID is provided to a command such as sadmin so that it accepts volume
ID as parameter, then the following message is displayed on the CLI:
The path [<volume name >:] is on an unsupported volume.
Solution: Provide correct supported volume id.
When sadmin is run from nonadministrative account it fails to connect to the Solidcore Service
and the following message is displayed on the CLI:
Failed to connect to the Solidcore Service: Insufficient privileges.
Solution: Relogin using an account that has administrative privileges.
If you try to run the solidify command on a volume with improper volume name such as non
alphabetic characters or colon ‘:’ is missing after the volume name, then the following message is
displayed on the CLI:
The Path ‘C:\Program Files\Solidcore\S3\<Volume_Name>’ does not exist.
Solution: Provide a proper supported volume name and perform solidification.
Legitimate failures that are not errors
This section introduces the user to the behavior of the Solidifier through examples. Once the
Solidifier is enabled on a solidified system and upholds the following properties:
· Only solidified code can run. Any code that is created or modified at runtime on a
solidified system is not allowed to run, unless explicitly authorized to do so.
· Vulnerabilities in solidified code cannot be exploited
· Authorized code cannot be tampered with. Any OS or application code cannot be deleted,
renamed or otherwise updated in any fashion.
Only Solidified Programs Can Be Executed
The Solidifier ensures that a program file can be executed only if it was solidified. Every time
some code is launched, loaded, or executed from disk, the Solidcore Control checks whether or
not the code has been previously solidified. If so, then the code executes normally, otherwise the
Solidifier prevents its execution.
Attempt to execute an unsolidified .exe
When an attempt is made to execute an unsolidified program putty.exe from a supported volume,

the operation fails and the following popup window is displayed:
37
If putty.exe is executed from the command prompt, the following message is displayed:
Access is denied.
In both cases, the following log entry is generated:
Solidcore prevented unauthorized execution of 'C:\Documents and
Settings\Administrator\Desktop\dbg_x86_6.5.3.8.exe' by process
C:\WINDOWS\system32\CMD.EXE (Process Id: 1580, User:
SOLIDCORE\Administrator).
The Event Log shows that the Solidifier prevented the execution of unauthorized code. An error

message is displayed in the Event Viewer. No user action is required.
Attempt to execute an unsolidified .vbs script
When a user double clicks an unsolidified (unauthorized) .vbs script, its execution fails and the
Windows Script Host displays a popup window as shown:
Solidcore prevented unauthorized execution of "C:\shared\Auth\Auth.vbs'
by process C:\WINDOWSsystem32\wscript.exe (Process Id: 928, User:
Win2K3TSTPOOJ\Administrator).
The Event Log shows that the Solidifier prevented the execution of unauthorized code. An error

message is displayed in the Event Viewer. No user action is required.
Attempt to install a MSI based package
When an attempt is made to install a MSI based package Ica32Pkg.msi, the operation fails and the

following popup window is displayed:
38
Solidcore prevented package modification of unauthorized installer
'C:\Documents and Settings\Administrator\Desktop\Ica32Pkg.msi'.
The log shows that the Solidifier prevented the execution of unauthorized code. An error message

is displayed in the Event Viewer. No user action is required.
Attempt to uninstall a MSI based package
When an attempt is made to uninstall a MSI based package Ica32Pkg.msi, the operation fails and

the following popup window is displayed:
Solidcore prevented package modification of unauthorized installer
'C:\Documents and Settings\Administrator\Desktop\Ica32Pkg.msi'.
The log shows that the Solidifier prevented the execution of unauthorized code. An error message

is displayed in the Event Viewer. No user action is required.
Solidified Programs Cannot Be Tampered With
The Solidifier ensures the integrity of the software installed on a solidified system. During normal
production usage, solidified program files cannot be modified, renamed, or deleted, even with
administrative privileges. Any attempt to modify a solidified file is prevented and an access error
is generated instead. Also, the Solidcore system does not allow you to make changes to its
registry files. Solidcore system protects its Registry files from any changes made to them in the
Enabled Mode.
Attempt to rename a solidified file
The rename operation fails and a popup window is displayed as shown below:
39
Solidcore prevented an attempt to modify file 'C:\rtlrack.exe' by
process E:\WINNT\explorer.exe (Process Id: 2984, User:
The log shows that the Solidifier prevented the rename operation. An error message is displayed

in the Event Viewer. No user action is required.
Attempt to move a solidified file.
The move operation fails and a popup window is displayed as shown below:
Solidcore prevented an attempt to modify file 'C:\rtlrack.exe' by
process C:\WINNT\explorer.exe (Process Id: 2984, User:
The log shows that the Solidifier prevented the move operation. An error message is displayed in

the Event Viewer. No user action is required.
Attempt to delete a solidified file
The delete operation fails and a popup window is displayed as shown below:
40
Solidcore prevented an attempt to modify file 'C:\putty.exe' by process
C:\WINNT\explorer.exe (Process Id: 2984, User:
The log shows that the Solidifier prevented the delete operation. An error message is displayed in

the Event Viewer. No user action is required.
Attempt to overwrite a solidified file
The operation fails and a popup window is displayed as shown below:
Solidcore prevented an attempt to modify file 'C:\putty.exe' by process
C:\WINNT\explorer.exe (Process Id: 2984, User:
The log shows that the Solidifier prevented the overwrite (copy) operation. An error message is

displayed in the Event Viewer. No user action is required.
Attempt to add alternate stream for a solidified file
The operation fails and the following message appears on the sadmin CLI:
Access is denied.
41
Solidcore prevented an attempt to modify file 'C:\virus.exe:hello.exe'
by process C:\WINNT\system32\CMD.EXE ((Process Id: 2984, User:
Attempt to delete alternate stream for a solidified file.
The operation fails but no message is displayed, although a log entry is generated in the Event

Log.
Attempt to rename a registry key
The operation fails and the following popup is displayed.
Attempt to delete a registry key
The operation fails and the following popup is displayed.
Vulnerabilities in Solidified Programs Cannot Be Exploited
The Solidifier ensures the integrity of the running processes using a feature called Memory

Protection. Once a process starts to execute, there may be cases where a software error, such as
lack of bounds checking, creates a vulnerability that can be exploited to inject new code and
cause buffer overflow. In an unprotected system, injected code can execute and take complete
control of the computer. The Solidifier prevents the injected code cannot do so. In cases of code
injection, the attempted injection itself (such as overflowing a buffer and rewriting the stack)
precludes further execution of the authorized code in the process and a log entry is generated for
it. The Solidifier halts the execution of the process before the injected code can damage the
computer, or the damaged code executes in a random and potentially harmful manner. It
generates the following log message:
Solidcore prevented process E:\TestData\Decoy feature\echosrv.exe,
being run by NT AUTHORITY\SYSTEM, from making unauthorized access to
API CreateFileA (return address 0x77f46d88, echosrv.exe). The process
was terminated.
42
When a running process is terminated for illegally making a system call, the Solidifier prevents
the operation and generates the following log message:
Solidcore prevented process F:\INT2E test\test2e.exe, being run by
TEST\Administrator, from making unauthorized syscall 1 (return address
4198569)'. The process was terminated.
Note: Log generation is not guaranteed for all exploits. Event Logs may not be generated for all
such hijacking attempts even though all the exploits will be terminated.
43
Appendix 1: Command Quick Reference
The sadmin utility enables system administrators to perform initialization, maintenance, and
monitoring operations from the Windows command line interface. The usage of the commands is
sadmin command [commandarguments]...
This chapter discusses the syntax and usage of the sadmin commands. The sadmin commands are
divided into two categories: basic sadmin command and advanced sadmin commands.
All basic commands can be viewed using the help command and all advanced commands can be
viewed using the helpadvanced command. The sadmin CLI commands are case insensitive.
The commands can be issued in upper, lower and mixed case.
Table 1: Solidcore Administration Command Reference
Solidcore 3 Command Line (sadmin) Reference
Command Parameters Description and usage note Required Type
server state or
mode to
execute
command
beginupdate sadmin bu [workflow This command starts the Update Enabled Mode Basic

(bu) id [comment]] Mode
disable N/A This command disables Solidcore Enabled Mode Basic
Control
enable N/A This command enables Solidcore Disabled Mode Basic
Control
endupdate (eu) sadmin eu [l] This command ends the Update Update Mode Basic
Mode
help This command displays help for Any Mode

basic commands
helpadvanced This command displays help for Any Mode
advanced commands
license sadmin license add This command adds the license. Disabled Mode Basic

licensekey
passwd sadmin passwd [d] This command sets new password Any Mode Basic
and enables password protection
solidify (so) sadmin solidify [q | v] This command solidifies Enable and Basic
[filename | supported files on all solidified Disabled Mode
directoryname | volumes
volumename]
status sadmin status This status command displays the Any Mode Basic
[volume] current status of the Solidifier
trusted sadmin trusted This command include, exclude, Any Mode Basic

remove, or list trusted volumes
sadmin trusted
include [a]
volumesetname
sadmin trusted
[exclude | remove ]
44
volumesetname
sadmin trusted
remove
sadmin trusted list
sadmin trusted flush
unsolidify sadmin unsolidify This command unsolidifies all Enable and Basic

(unso) filename … supported files Disabled Mode
updaters sadmin updaters add This command enables you to Any Mode Basic
[d] [n] [t ruleid] [l add, list or remove authorized
libraryname] exename updaters
sadmin updaters add
[d] [n] [t ruleid] [p
parentexename]
exename
sadmin updaters list
sadmin updaters
remove [l
libraryname] exename
sadmin updaters
remove [p parentexe
name] exename
sadmin updaters flush
version N/A This command displays the Any Mode Basic

version of the Solidifier
attr sadmin attr add [a | b This command is used to modify Any Mode Advanced
| f | u ] filename ... and list attributes list, which
sadmin attr remove [a maintains files in different file
| b | f | u ] filename ... lists.
sadmin attr list [a | b
| f | u ] [filename ...]
sadmin attr flush [a |
b | f | u ] [filename .. .
check sadmin check [–r] This command checks the Disable and Advanced
[filename|directoryna consistency of the specified file Enabled Mode
me|volumename]… set. If no file set is specified this
command checks all volumes. The
command will check the file on
disk with the stored file checksum,
etc in inventory.
config sadmin config export This command is used to export Any Mode Advanced
filename configuration of the Solidcore
sadmin config import installation to a described disk file
[a] filename or import the configuration from
the described file.
sadmin config set
NAME=VALUE
sadmin config show
diag sadmin diag fix [f] This command determines Enable and Advanced
interoperability configuration for Update Mode
programs on the system.
fix Applies the configuration.
f Force the 'fix' for restricted
programs.
45
event sadmin event sink This command displays the list of Any Mode Advanced

[eventname] events and their sink
sadmin event sink [a| configuration.
r] eventname | ALL
sinkname | ALL
listmodified sadmin listmodified This command displays the list of Update Mode Advanced

(lm) files that were modified during the
Update Mode, till the time the lm
command is executed.
listsolidified sadmin listsolidified [ This command displays the list of Any Mode Advanced

(ls) l] [filename | solidified files. List of all the
directoryname | directories and volumes can also
volumename] ... be displayed using this command.
When no filesets are supplied,
this command will list all the
solidified items in inventory.
listunsolidified sadmin lu [filename | This command displays the list of Any Mode Advanced
(lu) directoryname | unsolidified files.
volumename]…
listwrite sadmin listwrite This command lists the files that Any Mode Advanced
protected (lwp) protected [filename | are writeprotected. Volume,
directoryname | Directory and files can also be
volumename] writeprotected.
lockdown N/A This command disables the Local Any Mode Advanced
CLI.
protect (prot) sadmin protect reg This command enables write Any Mode Advanced
[e | i | r | f] protection on the specified set of
[registrykeyname] ... files
sadmin protect list
sadmin protect flush
recover sadmin recover This command enables a local Any Mode Advanced
administrator to recover the Local
CLI
refresh sadmin refresh This command refreshes solidcore Disable and Advanced

UNCpathname data for the given network share Enabled Mode
sadmin refresh
mappednetwork
drivename
writeprotect sadmin writeprotect This command adds the supplied Disable and Advanced
(wp) [filename | file or directory or a volume to Enabled Mode
directoryname | inventory and writeprotects it.
volumename] ...
writeunprotect sadmin write This command will remove the Disable and Advanced
(wup) unprotect [filename | supplied file or directory from the Enabled Mode
directoryname] Inventory and writeunprotects it.
46
Appendix 2: Diagnostic Tools
Utility name Role
Discover the runtime characterization of a system and whether pre
SCAnalyzer
requisites for deploying the Solidifier are met
Gatherinfo Gather diagnostic data from logs and the Solidifier File Inventory
Update the configuration to permit selected COTS AutoUpdaters to
Finetune
continue to function
These tools are located in the default installation folder for the Solidifier, C:\Program
Files\Solidcore\S3\Tools
SCAnalyzer
SCAnalyzer is a lightweight deployment utility which is used by field engineers, or professional
services personnel, for characterizing a host’s runtime environment, and discovering whether the
host satisfies the prerequisites for installing Solidcore. The runtime characterization includes:
· Operating system version
· Service pack level
· Processor and memory configuration
· Installed applications
· Installed Hot fixes
· Installed services
· System devices
· List of running processes
· List of open network ports It is run once before and once more after S3 is installed to
discover differences in the runtime characterization and address them if necessary.
When Scanalyzer is executed, it compares the software installed on the system with an internal,
prepackaged check list for creating a file named scanalysis.bat, which lists all programs
that AutoUpdaters and exceptions for bypassing the stringent API validation checks. This file
can be edited by the user for further customization. This file should be used for effecting
configuration changes for the Solidifier.
47
Manual Review of SCAnalyzer Reports
· A manual review of the SCAnalyzer report should check the following:
· Check OS Version and Service pack level for supported versions.
· The existence of Hot Fixes that are prerequisites for the Solidifier should be verified,
and applied, when necessary.
· Certain applications such as Anti Virus update their code when they run. The SCAnalyzer
output should be checked for these applications so at the system configuration can be
changed to register them as AutoUpdaters.
· While the SCAnalyzer does not report the driver load order, it is important to understand
this sequence. Some drivers load at an early stage of the boot sequence before the
Solidifier product starts up. The driver load order can sometimes have interactions with
the Solidifier and this sequence should be reviewed carefully.
GatherInfo
This utility gathers information related to log files, inventory, version, system state, etc. needed
by a Technical Support Engineer to troubleshoot field issues. It is shipped as a part of the
Solidifier product and is installed in the Solidcore installation directory.
Usage and Interpretation
To run the tool, issue the following command:
S3> gatherinfo
This will generate gatherinfo.zip which has Solidcore the Solidifier logs. The logs can be

used to identify the most common support issues.
Finetune
Please review Configure Solidcorecertified AutoUpdaters on page 7.
48

S3so Win Ug RTC

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

S3so Win Ug RTC

Uploaded by

Copyright:

Available Formats

Solidcore for APTRA

S3 Control Solidifier for Windows

Documentation for Solidcore for APTRA, Release 01.00.05

Confidential and proprietary information of NCR.

NCR and APTRA are trademarks of NCR Corporation.

Address correspondence to:

NCR Financial Solutions Group Ltd

Confidential and proprietary information of NCR.

S3 Control Solidifier for Windows

The S3 Control the Solidifier for Windows provides Run Time Control Enforcement for solving

Chapter 2, "Background" introduces solidification, runtime control and software updates.

Help for the advanced Solidifier commands can be obtained as follows:

Memory Control Vulnerabilities in authorized code that is running cannot be exploited

The Solidifier’s default configuration may have to be updated to permit Auto­Updaters, which are

The duration for the solidification process can range between a few minutes to an hour,

Configuration Phase Activity

Update the default Solidifier configuration, to permit Commercial­

The default system configuration is updated to permit selected COTS software, typically found in

A user can get help for the commands and options supported by finetune by executing it on

The Solidifier is enabled using the following command.

The execution of this command causes the following message to be displayed.

The output identifies candidate Auto­Updaters and provides the command syntax for authorizing

· An exclamation bar, ! , indicates that a configuration for the program already exists. The

The Solidifier offers very conservative memory protection techniques for preventing exploits

Local Administrator executed command 'sadmin config set EventCacheSize=<no>' at Thu May

Local Administrator executed command 'sadmin config set EventCacheWMHigh=<no>' at Thu

Local Administrator executed command 'sadmin config set EventCacheWMLow=<no>' at Thu

Once this association is established, these files become supported file types and are required to be

will cause the Solidifier to enforce that only wscript.exe and cscript.exe can execute

An existing password can be deleted using the following command:

The following message appears on the screen upon the successful execution of this command:

An Event Log entry is also generated as shown:

The following message appears on the screen upon the successful execution of this command:

An Event Log entry is also generated as shown:

Note: A reboot is not required after adding MSI files to the updaters list.

The above example unconditionally authorizes the Windows Installer for an MSI file,

­t Auto_2 luall.exe

The following log entry is generated:

The flags that prefix each record indicate the type of the operation that will be performed on each

and redirect the output to a text file, e.g., update­list.txt, which will contain a list of all file system

Event Name Key Description

BOOTING_DISABLED W Solidcore control is currently disabled.

BOOTING_ENABLED I Solidcore control is currently enabled.

BOOTING_UPDATE_MODE I System is booting in Solidcore update

ENABLED_DEFERRED I Solidcore control will be enabled on next

DISABLED_DEFERRED W Solidcore control will be disabled on next

BEGIN_UPDATE I Solidcore is starting update mode on the

END_UPDATE I Solidcore is ending update mode on the

COMMAND_EXECUTED I username executed command command at

FILE_UNSOLIDIFIED I filename was unsolidified which was

SGN_PROCESS_LAUNCH_FAILURE C Signed binary filename could not be

BOOTING_DISABLED_SAFEMODE W Solidcore control is disabled because

A log file named solidcore.log is created in a temp directory on the system drive.

These error messages provide valuable insight to people who investigate the problem further. If

Solution: Re­login using an account that has administrative privileges.

When an attempt is made to execute an unsolidified program putty.exe from a supported volume,

The Event Log shows that the Solidifier prevented the execution of unauthorized code. An error

The Event Log shows that the Solidifier prevented the execution of unauthorized code. An error

When an attempt is made to install a MSI based package Ica32Pkg.msi, the operation fails and the

The log shows that the Solidifier prevented the execution of unauthorized code. An error message

When an attempt is made to uninstall a MSI based package Ica32Pkg.msi, the operation fails and

The log shows that the Solidifier prevented the execution of unauthorized code. An error message

The log shows that the Solidifier prevented the rename operation. An error message is displayed

The Solidifier’s default configuration may have to be updated to permit AutoUpdaters, which are

Update the default Solidifier configuration, to permit Commercial

The output identifies candidate AutoUpdaters and provides the command syntax for authorizing

t Auto_2 luall.exe

and redirect the output to a text file, e.g., updatelist.txt, which will contain a list of all file system

Solution: Relogin using an account that has administrative privileges.

The delete operation fails and a popup window is displayed as shown below:

beginupdate sadmin bu [workflow This command starts the Update Enabled Mode Basic

listmodified sadmin listmodified This command displays the list of Update Mode Advanced

listsolidified sadmin listsolidified [ This command displays the list of Any Mode Advanced