Alerts for ICACLS.EXE seen on MID Server hosts

Summary

Antivirus and endpoint protection software might alert on the use of icacls.exe when a MID Server starts up. When the icacls.exe process was launched by the MID Server's startup PowerShell and is operating on the MID Server's own agent folder, this is a false alert and can be ignored: the use of icacls is part of the design of the file permission enforcement feature of the MID Server platform.

Docs: File permission enforcement for Windows MID Servers

Before suppressing the alert, confirm that the parent process is PowerShell running EnforceFilePermissions.psm1 and that the folder named on the icacls command line is inside the MID Server installation. icacls.exe started by any other process, or run against paths outside the MID Server installation, is not covered by this article and should be investigated as usual.

The PowerShell script that runs on startup and implements this check is:

agent\bin\scripts\EnforceFilePermissions.psm1

Using the Zurich version as an example, you will see icacls.exe deliberately used several times.
The calls in addACLEntry are the ones that have been seen to cause false alerts. The excerpts below are from the Zurich version of the script.

Before any entries are changed, inheritance on the folder is disabled so that the inherited ACEs become explicit entries that the script can edit:

```powershell
# before any work can be done, disable inheritance to get the explicit list of effective ACEs
Write-Debug "Disabling inheritance and making a copy of the inherited entries"
# disable inheritance and copies access control entries (ACEs) so we can make changes
icacls "$folder" /inheritancelevel:d > $null
```

Granting an entry. A principal given as a SID is passed to icacls with the leading "*" that tells icacls the name is a SID; a principal given by name has its spaces and dollar signs backtick-escaped because the command string is later evaluated by PowerShell:

```powershell
function addACLEntry {
    param([string] $folder, [string] $entry)
    Write-Debug "Adding entry for $entry"
    if ($entry.startsWith("S-1-5")) {
        # SID form: icacls needs the "*" prefix to treat the principal as a SID
        $command = "icacls `"$folder`" /grant *${entry}:'(OI)(CI)(F)'"
    } else {
        # escape white spaces since icacls doesn't like quotes
        $entry = $entry.replace(" ", "`` ")
        # escape literal dollar signs to avoid interpolation for usernames containing them
        $entry = $entry.replace("`$", "``$")
        $command = "icacls `"$folder`" /grant ${entry}:'(OI)(CI)(F)'"
    }
    # ... (the excerpt ends here; the script goes on to run $command)
}
```

Removing an entry follows the same pattern with /remove:

```powershell
function removeACLEntry {
    param([string] $folder, [string] $entry)
    Write-Debug "Removing entry for $entry"
    if ($entry.startsWith("S-1-5")) {
        $command = "icacls `"$folder`" /remove *${entry}"
    } else {
        # escape white spaces since icacls doesn't like quotes
        $entry = $entry.replace(" ", "`` ")
        $command = "icacls `"$folder`" /remove $entry"
    }
    # ... (the excerpt ends here; the script goes on to run $command)
}
```

The per-folder check starts by reading the current ACL with a bare icacls call:

```powershell
try {
    # get the ACE for the subfolder
    $command = "icacls `"$folder`""
    $aclOutput = iex $command
    # ... (the excerpt ends here)
```
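The following is an added triage example, not code from the ServiceNow script or from this article. It encodes the three checks above (parent process, target folder, icacls verb) as a classifier over process-creation events, so that an analyst or a detection rule can separate the startup enforcement pattern from any other icacls.exe use. The MID Server install path, the PowerShell parent command line and all sample events are constructed assumptions; the accepted icacls argument shapes are taken from the excerpts on this page.

```python
"""Triage icacls.exe process-creation events on a MID Server host (added example)."""
import ntpath
import re
from dataclasses import dataclass

# Assumed MID Server install root (hypothetical path; adjust to the host).
MID_AGENT_ROOT = r"C:\ServiceNow\MID Server\agent"
# The startup PowerShell is expected to reference the enforcement module named on the page.
ENFORCER_MODULE = "enforcefilepermissions.psm1"
# /grant argument shape the script builds: <principal>:(OI)(CI)(F)
# (a leading "*" for SIDs, or escaped spaces in a name, are part of <principal>)
GRANT_ACE = re.compile(r"^[^:]+:\(OI\)\(CI\)\(F\)$")
EXPECTED = "expected_mid_server_enforcement"


@dataclass
class ProcessEvent:
    """Minimal process-creation record (Sysmon event 1 / EDR style)."""
    image: str
    command_line: str
    parent_image: str
    parent_command_line: str


def split_args(command_line):
    """Split a Windows command line on whitespace, keeping double-quoted spans together."""
    args, cur, quoted = [], [], False
    for ch in command_line:
        if ch == '"':
            quoted = not quoted
        elif ch.isspace() and not quoted:
            if cur:
                args.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        args.append("".join(cur))
    return args


def under_root(path, root):
    """True when path is root itself or lies beneath it (case-insensitive, normalised)."""
    p = ntpath.normcase(ntpath.normpath(path))
    r = ntpath.normcase(ntpath.normpath(root))
    return p == r or p.startswith(r + "\\")


def classify(ev, agent_root=MID_AGENT_ROOT):
    """Return EXPECTED for the icacls pattern the startup script produces, else a review reason."""
    if ntpath.basename(ev.image).lower() != "icacls.exe":
        return "not_icacls"
    # 1. Parent must be PowerShell running the enforcement module.
    if (ntpath.basename(ev.parent_image).lower() != "powershell.exe"
            or ENFORCER_MODULE not in ev.parent_command_line.lower()):
        return "review:unexpected_parent"
    args = split_args(ev.command_line)
    if len(args) < 2:
        return "review:unparseable_command_line"
    target, opts = args[1], args[2:]
    # 2. Target folder must be inside the MID Server installation.
    if not under_root(target, agent_root):
        return "review:target_outside_agent_root"
    # 3. Only the verbs the script uses: a bare ACL read, /inheritancelevel:d,
    #    /grant <principal>:(OI)(CI)(F), or /remove <principal>.
    if not opts:
        return EXPECTED
    verb = opts[0].lower()
    if verb == "/inheritancelevel:d" and len(opts) == 1:
        return EXPECTED
    if verb == "/grant" and len(opts) == 2 and GRANT_ACE.match(opts[1]):
        return EXPECTED
    if verb == "/remove" and len(opts) == 2:
        return EXPECTED
    return "review:unexpected_icacls_arguments"


# Constructed sample events (not real telemetry); the parent command line is assumed.
_PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
_PS_CMD = ("powershell.exe -NoProfile -Command \"Import-Module "
           "'C:\\ServiceNow\\MID Server\\agent\\bin\\scripts\\EnforceFilePermissions.psm1'\"")
_ICACLS = r"C:\Windows\System32\icacls.exe"

SAMPLE_EVENTS = [
    ProcessEvent(_ICACLS, r'icacls "C:\ServiceNow\MID Server\agent" /inheritancelevel:d', _PS, _PS_CMD),
    ProcessEvent(_ICACLS, r'icacls "C:\ServiceNow\MID Server\agent\keystore" /grant *S-1-5-32-544:(OI)(CI)(F)', _PS, _PS_CMD),
    ProcessEvent(_ICACLS, r'icacls "C:\ServiceNow\MID Server\agent" /grant "NT AUTHORITY\SYSTEM:(OI)(CI)(F)"', _PS, _PS_CMD),
    ProcessEvent(_ICACLS, r'icacls "C:\ServiceNow\MID Server\agent\work" /remove Users', _PS, _PS_CMD),
    ProcessEvent(_ICACLS, r'icacls "C:\ServiceNow\MID Server\agent" /reset /T', _PS, _PS_CMD),
    ProcessEvent(_ICACLS, r'icacls "C:\Program Files\Other\data" /grant Everyone:(OI)(CI)(F)', _PS, _PS_CMD),
    ProcessEvent(_ICACLS, r'icacls C:\Windows\System32 /grant Everyone:(OI)(CI)(F)',
                 r"C:\Windows\System32\cmd.exe", "cmd.exe"),
]


def triage(events):
    """Classify a batch of events; only EXPECTED results are safe to suppress."""
    return [classify(e) for e in events]


if __name__ == "__main__":
    for ev, verdict in zip(SAMPLE_EVENTS, triage(SAMPLE_EVENTS)):
        print(f"{verdict:40} {ev.command_line}")
```

The parent and target checks are the ones that matter for suppression: the script grants to whatever principals its configuration lists, so the classifier accepts any principal in the /grant ACE and a site that wants tighter matching should add its own allow-list of SIDs. A process with a spoofed parent would also pass check 1, so a production rule should additionally pin the icacls.exe image to its System32 path and hash.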