I agree as well. The tuning process is pretty much trial and error (even in a production environment) for us. Basically, after our "learning period" we create all necessary exceptions. Once we figure we have seen all legitimate processes, we lock the agent down. Occasionally, there is a process that is irregular that gets blocked, so we have to make an additional exception. In your case, this process is associated with auto updates. I would not recommend making an exception for this traffic.

By naming convention for changes do you mean the names of policies? Can you give me an example?

A naming convention would be employed for all changes you make to rules themselves, either direct edits of the canned rules or via exceptions through the wizard.

I always include a date, a 3 letter acronym for the company who owns the CSA MC or the department that manages the box, and a brief descriptive phrase of what the change regards. For instance, (Forsythe Solutions Group) FSG15jan07_Antivirus_exception.

If more than one group manages the box, that is, groups with different functional responsibilities like servers and desktops, it is essential that these groups agree on the convention to be used. In this way troubleshooting can be conducted without spending alot of time determining who made the changes. A quick glance at the name of the change to the rule should be all it takes.

I also have whomever makes a change include their initials and the date in the description field.

Hope this helps. It takes some upfront work to get it right but it's well worth it in the long run.

Nice system Paul, if only I had that kind of discipline.... maybe with 5.2...

Tom

How did you exempt WSUS?

We have Windows Update application class that is allowed to run All applications. Also all applications are allowed to run Windows Update application class. Finally Windows Update application class is allowed to be downloaded and attempted to execute.

What should be included in the Windows Update application class?

Right now it includes common WSUS executables.

The desktop team are piloting Windows Auto Update SUS/WSUS and we started receiving these CSA events even after creating the exemptions:

The program 'C:\WINNT\SoftwareDistribution\Download\S-1-5-18\89eac72c57853ef9bba7565ec92a0e74\update\update.exe' was recently downloaded and attempted to execute. The user was queried whether to allow this operation. The user chose 'Terminate'.

The current application 'C:\WINNT\System32\svchost.exe' (as user) tried to execute the new application 'C:\WINNT\SoftwareDistribution\Download\S-1-5-18\7013138e8ed23434f5f702bf739c3fdf\WindowsInstaller-KB893803-v2-x86. exe' and the user was queried. The user responded by choosing 'No (as default)'.

Any thoughts?

You need to allow Svchost.exe to execute your WSUS app class.

You also need to exempt your app class from the Trojan Detection rule section "Downloading and invoking executable files"

Your app class for WSUS should include this:

@windows\SoftwareDistribution\**\*.exe

This will cover the updates as they download and execute.

Tom

Thanks Tom,

The info you provided it very helpful.

currently WSUS inclueds

@system\wuaclt.exe

@system\wuaclt1.exe

@system\wupdmgr.exe

@system\wuauclt*.exe

**\update\update.exe <- but "@windows\SoftwareDistribution\**\*.exe

" is better and more restrictive.

I found that these WSUS events accured on systems with CSA agents that does not have the latest policies. Particlarly new or re-imaged machines with old agent kits.

Thanks again for your help

Glad to hear it, have fun!

You know, I just noticed that the first three variables on your list are not needed.

@wuauclt*.exe and @windows\SoftwareDistribution\**\*.exe

should be all you need.

@system\Wupdmgr.exe is not needed for WSUS, it's used to access the Windows Update site.

That should make for a leaner app class.

Sorry I didn't notice sooner,

Tom

That would help.

Thanks Tom

Cheers,

Faisal