Most systems are getting events similar to this one: "NT AUTHORITY\SYSTEM ran SourceFilePath\GOOGLEUPDATESETUP.EXE, which tried to access C:\PROGRAM FILES (X86)\GOOGLE\TEMP\GUME681.TMP, violating the rule "Creating new executable files in the Program Files folder", and was blocked. For information on how to respond to this event, see KB85494". The name of the .tmp file changes constantly. How do I create an exclusion in the "Creating new executable files in the Program Files folder" rule to allow Chrome to auto-update without error? Excluding GOOGLEUPDATE.EXE and GOOGLEUPDATESETUP.EXE does not work, nor does adding the signer "C=US, S=CALIFORNIA, L=MOUNTAIN VIEW, O=GOOGLE LLC, CN=GOOGLE LLC".
Hi @JadedbyMcafee,
Thank you for your post. I don't think I have a straight solution to the problem but I may have a useful method to figure out the cause here.
So Access Protection works by controlling or working on processes, and hence your approach here is perfect! You have tried to exclude the process or processes signed by Google's cert. However, since this is a Chrome update, there may be more than GOOGLEUPDATE.EXE and GOOGLEUPDATESETUP.EXE in the works when the Chrome browser is going through an update, possibly msiexec.exe, for example! The best way to isolate this is to first apply the known processes like GOOGLEUPDATE.EXE and GOOGLEUPDATESETUP.EXE under exclusions and then wait for the rule to be triggered when running the Chrome update again.
This time, the same rule might end up blocking your Chrome update; however, the process caught must be different. If it is still pointing to an excluded process, then the issue is that the policy has not been applied properly. Otherwise, using this method, we should be able to identify the executables we need to exclude in order to achieve this.
Please let me know your observations on following this.
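The isolation method described in the reply above (exclude the known processes, then see which source process the rule still names) is easier to apply across hundreds of events if the messages are parsed rather than read one by one. The script below is an added example written for this thread, not a McAfee tool or anything posted by the participants: it parses Access Protection messages of the quoted form, counts them per source process and rule, and separates processes that are already on the exclusion list but still blocked (pointing at a policy that has not reached the client) from processes not yet excluded. The sample event lines, the source paths in them and the msiexec.exe line are constructed for illustration and are not the poster's data.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# Constructed sample events, modelled on the message quoted in the thread.
# The source paths and the msiexec.exe line are assumptions for illustration,
# not events taken from the poster's environment.
SAMPLE_EVENTS = [
    r'NT AUTHORITY\SYSTEM ran C:\PROGRAM FILES (X86)\GOOGLE\UPDATE\GOOGLEUPDATESETUP.EXE, '
    r'which tried to access C:\PROGRAM FILES (X86)\GOOGLE\TEMP\GUME681.TMP, '
    r'violating the rule "Creating new executable files in the Program Files folder", and was blocked.',
    r'NT AUTHORITY\SYSTEM ran C:\PROGRAM FILES (X86)\GOOGLE\UPDATE\GOOGLEUPDATESETUP.EXE, '
    r'which tried to access C:\PROGRAM FILES (X86)\GOOGLE\TEMP\GUM9A2C.TMP, '
    r'violating the rule "Creating new executable files in the Program Files folder", and was blocked.',
    r'NT AUTHORITY\SYSTEM ran C:\WINDOWS\SYSTEM32\MSIEXEC.EXE, '
    r'which tried to access C:\PROGRAM FILES (X86)\GOOGLE\TEMP\GUM1234.TMP, '
    r'violating the rule "Creating new executable files in the Program Files folder", and was blocked.',
    'Unrelated log line that does not match the Access Protection message format',
]

# Field layout of the message as quoted in the thread: "<user> ran <source>,
# which tried to access <target>, violating the rule "<rule>", and was blocked."
EVENT_RE = re.compile(
    r'^(?P<user>.+?) ran (?P<source>.+?), which tried to access (?P<target>.+?), '
    r'violating the rule "(?P<rule>[^"]+)", and was (?P<action>blocked|reported)\.?$'
)


def parse_event(message):
    """Split one Access Protection message into its fields, or return None."""
    m = EVENT_RE.match(message.strip())
    if not m:
        return None
    fields = m.groupdict()
    # ENS evaluates exclusions on the SOURCE process, so the file name of the
    # executable that ran is the value an exclusion has to match.
    fields["source_name"] = PureWindowsPath(fields["source"]).name.upper()
    # The target's file name changes on every run (GUMxxxx.TMP); its folder is
    # the stable part worth reporting.
    fields["target_dir"] = str(PureWindowsPath(fields["target"]).parent).upper()
    return fields


def summarize(messages):
    """Count events per (source process, rule) so repeat offenders stand out."""
    counts = Counter()
    for message in messages:
        event = parse_event(message)
        if event:
            counts[(event["source_name"], event["rule"])] += 1
    return counts


def still_blocked(messages, excluded_sources):
    """Split the source processes seen in the events into two groups.

    A process that is excluded yet still blocked points at a policy that has
    not reached the client; a process that is not excluded is simply a further
    exclusion to add.
    """
    excluded = {name.upper() for name in excluded_sources}
    seen = {source for (source, _rule) in summarize(messages)}
    return {
        "excluded_but_blocked": sorted(seen & excluded),
        "not_excluded": sorted(seen - excluded),
    }


if __name__ == "__main__":
    for (source, rule), n in summarize(SAMPLE_EVENTS).most_common():
        print(f"{n:4d}  {source}  ({rule})")
    print(still_blocked(SAMPLE_EVENTS, ["GoogleUpdate.exe", "GoogleUpdateSetup.exe"]))
```

To use it on real data, replace SAMPLE_EVENTS with the threat event messages exported from the console and pass the exclusion list as configured in the rule; the "excluded_but_blocked" group is the case the reply says indicates a policy that has not been applied, while "not_excluded" lists any additional executables the update chain is using.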
As per my original post, I have already created exclusions for GOOGLEUPDATE.EXE and GOOGLEUPDATESETUP.EXE.
The event is still triggered.
The exclusions for both EXEs and the signer were placed at the specific rule level "Creating new executable files in the Program Files folder".
The exclusions are confirmed to be on the clients (along with other exclusions that do work).
Hi @JadedbyMcafee,
Thank you for your time. So, I just tried to reproduce this in a test environment: removed Chrome from the machine, took an older version (Chrome 78) and tried to install it with the Access Protection rule "Creating new executable files in the Program Files folder" checked and set to report.
Installation failed as expected owing to this rule being in place. Verified the same with events.
Then I applied all 3 exclusions, 2 with just the filenames GoogleUpdate.exe and GoogleUpdateSetup.exe and 1 certificate exclusion, and the installation went through fine.
Also, from 78 I was able to initiate an auto update of Chrome that successfully installed a newer build as well!
However, I found a major difference between your exclusion and mine with respect to the signer cert. Can you try adding the cert exclusion as given below and try again, please?
C=US, S=ca, L=Mountain View, O=Google LLC, CN=Google LLC
Please let me know how this goes.
To add to what @AdithyanT has just responded to you with:
Within ENS you can only create exclusions based on SOURCE and not TARGET. You would need to add an exclusion for GOOGLEUPDATESETUP.EXE for it to work, which sounds like you already tried that.
Where exactly did you add the exclusion? Did you add it within the rule itself or under the general exclusions on the main Access Protection page?
If that's what and where you've added the exclusion, then I'd recommend checking locally on a machine to ensure that the policy has been correctly applied.
Also be careful that you aren't looking at old events; if many events have been created, these could be coming through in batches. Check the event generated time.
I'm not looking at old events. I have 600 events from the PC estate this morning.
The exclusions for both EXEs and the signer were placed at the specific rule level "Creating new executable files in the Program Files folder".
The exclusions are confirmed to be on the clients (along with other exclusions that do work).
Thank you for checking the mentioned items. I would recommend giving our Technical Support team a call so we can investigate the issue on a remote session with you.
If possible, can you attach a screenshot so we can quickly check how you have defined the executable in the exclusion and see if we can spot anything here?
The exclusion is created correctly. I can only suggest trying to add the exclusion under the general exclusions on the main Access Protection page instead of the rule (if Include and Exclude processes are added to the rule, test with only the Exclude process in the rule). Still, call our Technical Support team so we can investigate the issue on a remote session with you.