Currently running SolarWinds 2019.4 and McAfee ePO 10.6. The applications themselves are hosted on different servers, but ePO monitors all of the servers.
This error started Monday, 1/27. Any attempt to change an existing node to use Agent polling or to add a new node utilizing agent polling will produce an error in McAfee at the time that the attempt to deploy the agent is made. The solution proposed in the Exploit Prevention Signature 6148 documentation from McAfee (section 4.1) was implemented (exclusions added to ePO for this path and file). Unfortunately, this did not correct the issue. The SOLARWINDS.BUSINESSLAYERHOSTX64.EXE file has a date of 10/10/2019, so it has been on this system for some time prior to this issue occurring. Currently the version of McAfee Endpoint Security installed is 10.6. It has been verified that when McAfee is not running the Agent can be deployed.
Other than how to fix this issue, I also have the following questions:
• What does the SOLARWINDS.BUSINESSLAYERHOSTX64.EXE file that is causing this error do?
• What is this file attempting to access?
• Is there anything not listed in this error message that this file may also be attempting to access?
• Does SolarWinds have a known solution for this?
• What other functionality is this file used for?
Error received in both McAfee and the Windows Event Log:
NT AUTHORITY\SYSTEM ran SOLARWINDS.BUSINESSLAYERHOSTX64.EXE, which tried to access C:\PROGRAMDATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\KEYREMOVEDFROMPOST\ , violating the rule "Malware Behavior : Windows EFS abuse", and was blocked. For information about how to respond to this event, see KB85494.