cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
JadedbyMcafee
Level 8
Report Inappropriate Content
Message 1 of 11
‎01-02-2020 02:47 AM

How do I create an exclusion ??

 

Description:

Most systems are getting similar events this event

"NT AUTHORITY\SYSTEM ran SourceFilePath\GOOGLEUPDATESETUP.EXE, which tried to access C:\PROGRAM FILES (X86)\GOOGLE\TEMP\GUME681.TMP, violating the rule "Creating new executable files in the Program Files folder", and was blocked. For information on how to respond to this event, see KB85494"

the name of the tmp file changes constantly

How do I create an exclusion in the "Creating new executable files in the Program Files folder" rule to allow chrome to auto update without error.

excluding GOOGLEUPDATE.EXE and GOOGLEUPDATESETUP.EXE does not work nor does adding in the signer " C=US, S=CALIFORNIA, L=MOUNTAIN VIEW, O=GOOGLE LLC, CN=GOOGLE LLC"

 

0 Kudos
Reply
10 Replies
AdithyanT
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 2 of 11
‎01-02-2020 02:56 AM

Re: How do I create an exclusion ??

Hi @JadedbyMcafee,

Thank you for your post. I don't think I have a straight solution to the problem but I may have a useful method to figure out the cause here.

So Access protection works by controlling or working on processes and hence your approach here is perfect! You have tried to exclude the process or processes signed by Google's Cert. However, Since this is a Chrome update, There may be more than GOOGLEUPDATE.EXE and GOOGLEUPDATESETUP.EXE in the works when Chrome browser is going through an update. possible msiexec.exe for example! The best way  to isolate is to first apply the known processes like GOOGLEUPDATE.EXE and GOOGLEUPDATESETUP.EXE under exclusions and then wait for the rule to be triggered when running Chrome update again.

This time, the same rule might end up blocking your chrome update, however the process caught must be different. if it is still pointing to an excluded process, then the issue is that the policy has not been applied properly. Otherwise, using this method, we should be able to identify the executables we need to exclude in order to achieve this.

Please let me know your observations on following this.

Was my reply helpful?
If you find this post useful, Please give it a Kudos! Also, Please don't forget to select "Accept as a solution" if this reply resolves your query!

Thanks and regards,
Adithyan T
0 Kudos
Reply
JadedbyMcafee
Level 8
Report Inappropriate Content
Message 3 of 11
‎01-02-2020 03:07 AM

Re: How do I create an exclusion ??

as per my original post I have already created exclusions for GOOGLEUPDATE.EXE and GOOGLEUPDATESETUP.EXE 

the event is still triggered

The exclusions for both exes and the signing were placed at the specific rule level "creating new executable files in the Program Files folder"

The exclusions are confirmed to be on the clients (along with other exclusions that do work)

 

0 Kudos
Reply
AdithyanT
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 4 of 11
‎01-02-2020 05:50 AM

Re: How do I create an exclusion ??

Hi @JadedbyMcafee,

Thank you for your time. So, I just tried to re produce this in a test environment, removed chrome from the machine, took an older version (Chrome 78) and tried to install it with the Access Protection Rule "creating new executable files in the Program Files folder" checked and set to report.

Installation failed as expected owing to this rule in place. verified the same with events.

Then applied all 3 exclusions, 2 with just filenames GoogleUpdate.exe and GoogleUpdateSetup.exe and 1 Certificate exclusion and the installation went through fine.

Also from 78, I was able to initiate an auto update of Chrome that successfully installed newer build as well!

However, I found a major difference between your exclusion and mine with respect to Signer cert. Can you try adding the cert exclusion as given below and try again please?

C=US, S=ca, L=Mountain View, O=Google LLC, CN=Google LLC

Please let me know how this goes.

Was my reply helpful?
If you find this post useful, Please give it a Kudos! Also, Please don't forget to select "Accept as a solution" if this reply resolves your query!

Thanks and regards,
Adithyan T
0 Kudos
Reply
chealey
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 5 of 11
‎01-02-2020 03:01 AM

Re: How do I create an exclusion ??

Hi @JadedbyMcafee 

To add to what @AdithyanT has just responded to you with.

Within ENS you can only create exclusions based on SOURCE and not TARGET. You would need to add an exclusion for GOOGLEUPDATESETUP.EXE for it to work, which sounds like you already tried that. 

Where exactly did you add the exclusion? Did you add it within the rule itself or under the general exclusions on the main Access Protection page?

If that's what and where you've added the exclusion then I'd recommend checking locally on a machine to ensure that the policy has been correctly applied.

Also be careful that you aren't looking at old events - if many events have been created, these could be coming through in batches - check the event generated time.

Was my reply helpful?
If this information was helpful in any way, or answered your question, will you please select "Accept as Solution" in my reply, or give kudos as appropriate, so together we can help other members?
Reply
JadedbyMcafee
Level 8
Report Inappropriate Content
Message 6 of 11
‎01-02-2020 03:09 AM

Re: How do I create an exclusion ??

I'm not looking at old events .. I have 600 events from the PC estate this morning

The exclusions for both exes and the signing were placed at the specific rule level "creating new executable files in the Program Files folder"

The exclusions are confirmed to be on the clients (along with other exclusions that do work)

0 Kudos
Reply
chealey
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 7 of 11
‎01-02-2020 03:11 AM

Re: How do I create an exclusion ??

Hi @JadedbyMcafee 

Thank you for checking the mentioned items. I would recommend giving our Technical Support team a call so we can investigate the issue on a remote with you.

Was my reply helpful?
If this information was helpful in any way, or answered your question, will you please select "Accept as Solution" in my reply, or give kudos as appropriate, so together we can help other members?
Reply
mmuthuga
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 8 of 11
‎01-02-2020 03:16 AM

Re: How do I create an exclusion ??

If possible can you attach a screenshot to quick check how you have defined the executable in exclusion to see if can spot anything in here.

0 Kudos
Reply
JadedbyMcafee
Level 8
Report Inappropriate Content
Message 9 of 11
‎01-02-2020 03:24 AM

Re: How do I create an exclusion ??

google.JPG

Reply
mmuthuga
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 10 of 11
‎01-02-2020 03:37 AM

Re: How do I create an exclusion ??

The exclusion is created correctly. Can only suggest to try by adding exclusion under the general exclusions on the main Access Protection page instead of the rule(If Include and Exclude processes are added to the rule. Test with only Exclude process in rule). Still call our Technical Support team so we can investigate the issue on a remote with you.

0 Kudos
Reply
You Deserve an Award
Don't forget, when your helpful posts earn a kudos or get accepted as a solution you can unlock perks and badges. Those aren't the only badges, either. How many can you collect? Click here to learn more.

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from McAfee experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by McAfee employees.
Join the Community
Join the Community


Corporate Headquarters
6220 America Center Drive
San Jose, CA 95002 USA

Consumer Support   |   Enterprise Support   |   McAfee.com

Legal   |   Privacy   |   Copyright © 2020 McAfee, LLC