epo_user_00
Level 7

HIPS blocking Windows Updates

We have HIPS 7.0 with Patch 8, and when we set the IPS Options to Maximum Protection (block High, Medium, and Low), Windows Update trips an IPS signature and the updates fail.  The event description is:

C:\WINDOWS\SoftwareDistribution\Download\58656e1248b8e15fcaf07c88694a8cda\update\update.exe running with the privileges of user Username on the system with Agent PC01 attempted to perform the following operation(s) on the registry key \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\KB2360131-IE8:

  • create

The Event ID is 18000 and the Threat Name is 910.

We're unable to create an exception, because the long folder name in the above path is randomly assigned each time Windows Update runs.

This has to be a common problem, and I'm thinking there must be a solution for it.  Anyone know?


    Accepted Solutions
    McAfee Employee

    Re: HIPS blocking Windows Updates

    See KB54778 - Applying OS Patches when Host Intrusion Prevention agent is enabled in protect mode

    For creating the IPS exceptions, use a wildcard where needed.

    Try:

    C:\WINDOWS\SoftwareDistribution\Download\*\update\update.exe

    epo_user_00
    Level 7

    Re: HIPS blocking Windows Updates

    Wow, I guess I should have figured that out for myself.  How could it have been that easy?

    Thank you very much!

    epo_user_00
    Level 7

    Re: HIPS blocking Windows Updates

    OK, I spoke too soon.  Since making the modification, I now have IPS blocking these processes:

    c:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis.exe

    c:\ec42fb8256f5f8695f0849c290\update\update.exe

    I can't very well create an exception for c:\*  What would be the point of that?  I guess I could do c:\*\update\update.exe

    But how many of these exceptions am I going to have to create?

    We're using WSUS, the point of which is to be able to have updates managed automatically.  IPS just doesn't seem to like that idea.

    McAfee Employee

    Re: HIPS blocking Windows Updates

    You'll have to create as many IPS exceptions as needed.  Also, you can add multiple processes to one IPS exception.  While in LOG mode, determine what all signatures are being violated, and create IPS exceptions (grouping exceptions where applicable) for all violations.

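One way to do the grouping step described in the reply above, as an added example that is not part of the original thread or of McAfee's tooling: it collapses randomly named folders in LOG-mode events to `*` and lists the candidate exception paths per threat name, least anchored first, so the broadest ones are reviewed before they are created. The event tuples, `PLACEHOLDER-SIG`, the third `910` row and the 20-hex-digit heuristic are assumptions; the ePO export format is not modelled.

```python
import re
from collections import defaultdict

# Constructed LOG-mode events as (threat name, process path).
# Rows 1, 2 and 4 use paths quoted in the thread; only row 1's threat name (910)
# is stated there. Row 3 and "PLACEHOLDER-SIG" are constructed for illustration.
EVENTS = [
    ("910", r"C:\WINDOWS\SoftwareDistribution\Download\58656e1248b8e15fcaf07c88694a8cda\update\update.exe"),
    ("910", r"c:\ec42fb8256f5f8695f0849c290\update\update.exe"),
    ("910", r"C:\WINDOWS\SoftwareDistribution\Download\0123456789abcdef0123456789abcdef\update\update.exe"),
    ("PLACEHOLDER-SIG", r"c:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis.exe"),
]

# Assumption: a path component made only of 20+ hex digits is a random folder name.
RANDOM_DIR = re.compile(r"^[0-9a-f]{20,}$")


def generalize(path):
    """Lower-case the path and replace random-looking components with '*'."""
    parts = path.lower().split("\\")
    return "\\".join("*" if RANDOM_DIR.match(p) else p for p in parts)


def anchor_depth(pattern):
    """Count the literal path components that precede the first wildcard."""
    depth = 0
    for part in pattern.split("\\"):
        if "*" in part:
            break
        depth += 1
    return depth


def group_exceptions(events):
    """Map each threat name to its distinct candidate paths, least anchored first."""
    grouped = defaultdict(set)
    for threat, path in events:
        grouped[threat].add(generalize(path))
    return {t: sorted(p, key=lambda s: (anchor_depth(s), s)) for t, p in grouped.items()}


if __name__ == "__main__":
    for threat, patterns in group_exceptions(EVENTS).items():
        for pattern in patterns:
            print(f"{threat}\tdepth={anchor_depth(pattern)}\t{pattern}")
```

A low depth means few fixed folders constrain the exception, so that entry deserves a closer look before it goes into policy.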
    epo_user_00
    Level 7

    Re: HIPS blocking Windows Updates

    Thanks.  Will give that a shot.

    Namster
    Level 10

    Re: HIPS blocking Windows Updates

    Instead of c:\*\update\update.exe, you can try *\update\update.exe

    That is, a file called update.exe inside a subfolder called update.

    Is there a way to have WSUS deploy the update payload to a location other than the system root?
