Showing posts with label solidcore. Show all posts

Monday, April 16, 2012

Block USB drive using solidcore

Purpose: Prevent USB flash drives from loading by banning their driver (usbstor.sys, the Windows USB mass-storage class driver) with Solidcore.

Instructions

Step 1. Log into ePO.

Step 2. Create a new rule group under Application Control.

Step 3. I like to name my rules starting with a "." so user rules stay at the top.

Step 4. Edit the created rule.

Step 5. Click the Binary tab and click Add. Enter usbstor.sys as the rule name and in the Name field, select the Ban radio button, and click OK. Click OK again to save the rule.

Step 6. Add this newly created rule to an existing policy that is being applied.

Tuesday, February 21, 2012

Disable Solidcore


When running Solidcore you may run into a situation where you have to disable it without using ePO or the local CLI.

Here are the steps.

Step 1. Boot the computer into Safe Mode (press F5 before the Windows boot screen).

Step 2. Open the Registry Editor (Start -> Run -> regedit).

Step 3. Navigate to:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\swin\Parameters]

Step 4. Double-click the DWORD RTEMode and change its value to 0.
Double-click the DWORD RTEModeOnReboot and change its value to 0.

Reboot the computer and the agent should now be disabled.

Note: Doing this will send out alerts to the central server.
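As an added example (not part of the original post), the following PowerShell reads the two DWORDs named above and reports whether enforcement is off now, or will be off after the next reboot, so an administrator can audit a machine against the alerts the central server receives. It assumes the key path and value names exactly as given in the post; treating any non-zero value as "enabled" is an assumption beyond what the post states.

```powershell
# Added example, not from the original post: audit the Solidcore enforcement flags.
# Key path and value names are taken from the post; "0 = disabled, anything else =
# enabled" is an assumption beyond what the post states.
$SolidcoreParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\swin\Parameters'

function Get-SolidcoreRteState {
    param([string]$Path = $SolidcoreParams)

    # No key at all: Solidcore is not installed (or the service key was removed).
    if (-not (Test-Path -Path $Path)) {
        return [pscustomobject]@{ Installed = $false; RTEMode = $null; RTEModeOnReboot = $null; Status = 'NotInstalled' }
    }

    $props = Get-ItemProperty -Path $Path -ErrorAction Stop
    $names = @($props.PSObject.Properties.Name)

    # A missing DWORD is reported as Unknown rather than silently treated as 0.
    if ('RTEMode' -notin $names -or 'RTEModeOnReboot' -notin $names) {
        return [pscustomobject]@{ Installed = $true; RTEMode = $props.RTEMode; RTEModeOnReboot = $props.RTEModeOnReboot; Status = 'Unknown' }
    }

    $now   = [int]$props.RTEMode
    $later = [int]$props.RTEModeOnReboot

    $status = if ($now -eq 0 -and $later -eq 0) { 'Disabled' }
              elseif ($now -eq 0) { 'DisabledUntilReboot' }      # enforcement returns on reboot
              elseif ($later -eq 0) { 'DisablePendingReboot' }   # the post's edit, before the reboot
              else { 'Enabled' }

    [pscustomobject]@{ Installed = $true; RTEMode = $now; RTEModeOnReboot = $later; Status = $status }
}

$state = Get-SolidcoreRteState
$state | Format-List

if ($state.Installed -and $state.Status -ne 'Enabled') {
    Write-Warning "Solidcore enforcement is not fully enabled ($($state.Status)); cross-check with the alerts sent to the central server."
}
```

Run it from an elevated prompt on the endpoint, or push it through your existing remote execution tooling, and compare the Status against what ePO believes the agent's state to be.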

Tuesday, January 17, 2012


ATTR attributes for Solidcore 5

These are not listed in the documentation; I had to get this information from development.


The attr command can be used to configure how the Solidifier treats the specified files and processes. Each attribute is described below.

-a  Always authorized attribute
    Allows the user to configure a supported file as always authorized to execute. A file configured with this attribute will be allowed to execute whether solidified or not.

-b  Bypassed from memory control attribute
    Allows the user to configure a process to run bypassed from MP-mangling and MP-decoying. This is one of the memory protection techniques provided by the Solidifier, but it is disabled by default.

-c  Bypassed from Critical Address Space Protection attribute
    Critical Address Space Protection (CASP) is the latest and most effective memory protection technique provided by the Solidifier. It is enabled by default. The -c attribute configures a process to run bypassed from MP-CASP.

-d  Bypassed from process stack randomization attribute
    This comes under MP-VASR, which is enabled only on special request from the customer.

-e  Rebase dll attribute
    Changes the base address of the DLL.

-r  Bypassed from dll relocation attribute
    The -d, -e and -r attributes belong to the VASR memory protection technique. This feature is disabled by default because CASP is enabled.

-f  Full crawl attribute
    The -f attribute belongs to the MP-mangling and MP-decoying memory protection. This feature is disabled by default.

-i  Bypassed from installer detection attribute
    -i belongs to the pkg-ctrl feature, which tracks the installation and uninstallation of MSI-based packages...

-u  Always unauthorized attribute
    Blocks the file from execution even if solidified.

-o  Process Context registry bypass
    The Solidifier will not track any registry operations for a process configured under this attribute. All registry operations in the context of the configured process will be bypassed from the Solidifier.

-n  Bypassed from DEP
    DEP is the Data Execution Prevention memory protection technique provided by the Solidifier for 64-bit machines. Memory protection checks will not apply to a process configured as "Bypassed from DEP".

-l  Anti-Debugging Bypass
    The anti-debugging feature prevents any process from accessing the memory space of the Solidifier product, which is what debuggers do to debug an application. Any process bypassed from the anti-debugging feature will be able to access the Solidifier address space in the kernel.

-p  Process Context File Operations Bypass
    The Solidifier will not track any file operations for a process configured under this attribute. All file operations in the context of the configured process will be bypassed from the Solidifier.
