
CSA - Rules to allow all Windows Updates?

Mason7730
Level 1

I'm new to CSA, and I'm trying to create an exception policy that will allow all future Windows Updates to install without prompting our users.

Our remote users are getting all Microsoft updates directly from the Windows Update Site.

Forgive me if this has already been asked, but I wasn't able to find a clear solution in any other threads.

3 Replies

tsteger1
Level 8

We did this successfully with SUS by creating an app class for SUS updates with the executable @system\wuauclt.exe allowed to download and execute all files with the .exe extension from the directory *:\Program Files\WindowsUpdates\**.

You could do something similar for Windows Update using the folder **\wutemp (I think that's the folder) and wupdmgr.exe.

We added it as an exception to the Trojan Detection rule for processes executing downloaded content.

Mason7730
Level 1

I struggled with this all day today and couldn't get it to work.

I can't seem to find any resources that will help me find a solution to this.

I'll post some extra details in case anyone wants to take the time to try to help.

I can't help but doubt this process since I never see wupdmgr.exe mentioned in any of the events.

---------Rule Changes-------

Created an Application class "Wupdmgr.exe":

---> c:\winnt\system32\wupdmgr.exe

---> Changed checkbox from "Only This process" to "This process and all its descendents"

Modified (417) Trojan Detection Rule:

---> Selected the App Class "Wupdmgr.exe" under "Downloading and invoking executable files"

Modified (426) Application Control Rule:

---> Allow: Application class "wupdmgr.exe" to run new applications from "" (also tried )

-------Process used to create the events----------

Removed "Windows Media Player Hotfix [See Q808026 for more information]" from Add/Remove Programs.

Rebooted

Installed "Critical Update for Windows Media Player Script Commands (KB828026)" by manually running

"c:\winnt\system32\wupdmgr.exe"

-------Events resulting from the installation of the critical update--------

TESTMODE: The current application 'C:\Program Files\Internet Explorer\IEXPLORE.EXE' (as user [domain]\[user]) is trying to execute the new application 'C:\WUTemp\com_microsoft.Q828026_MSRC3326_WMP_XP_W2K_W2K3\WindowsMedia-Q828026-x86-ENU.exe'. The user would have been prompted as to the action to take.

TESTMODE: The program 'C:\WUTemp\com_microsoft.Q828026_MSRC3326_WMP_XP_W2K_W2K3\WindowsMedia-Q828026-x86-ENU.exe' was downloaded from the network and is now trying to execute. This is an unusual event, but can happen during automated software installation. This would normally trigger a user query.

TESTMODE: The current application 'C:\WUTemp\com_microsoft.Q828026_MSRC3326_WMP_XP_W2K_W2K3\WindowsMedia-Q828026-x86-ENU.exe' (as user [domain]\[user]) is trying to execute the new application 'C:\c01c4c742e95b9b4fd\update\update.exe'. The user would have been prompted as to the action to take.

Well, what I did to make this possible was to create an Application class for the executable update.exe like this:

**\update.exe

without identifying the path; it seems like Windows changes it depending on the patch you install.

And the svchost process should always be allowed.

It works for me, really.
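
An added example, not part of the thread and not Cisco tooling: extracting the parent/child execution pairs from the TESTMODE events quoted above shows which processes an application class would have to name, and how much a path-less pattern such as `**\update.exe` matches. The wildcard semantics (`**` spans directories, `*` stays inside one path component) and all function names are assumptions for illustration; the events are copied from the post, abridged and joined onto single lines.

```python
import re

# Events copied from the thread's TESTMODE output (abridged, joined onto single lines).
EVENTS = [
    r"TESTMODE: The current application 'C:\Program Files\Internet Explorer\IEXPLORE.EXE' "
    r"(as user [domain]\[user]) is trying to execute the new application "
    r"'C:\WUTemp\com_microsoft.Q828026_MSRC3326_WMP_XP_W2K_W2K3\WindowsMedia-Q828026-x86-ENU.exe'.",
    r"TESTMODE: The program "
    r"'C:\WUTemp\com_microsoft.Q828026_MSRC3326_WMP_XP_W2K_W2K3\WindowsMedia-Q828026-x86-ENU.exe' "
    r"was downloaded from the network and is now trying to execute.",
    r"TESTMODE: The current application "
    r"'C:\WUTemp\com_microsoft.Q828026_MSRC3326_WMP_XP_W2K_W2K3\WindowsMedia-Q828026-x86-ENU.exe' "
    r"(as user [domain]\[user]) is trying to execute the new application "
    r"'C:\c01c4c742e95b9b4fd\update\update.exe'.",
]

EXEC_RE = re.compile(
    r"current application '([^']+)'.*?execute the new application '([^']+)'")

def exec_chain(events):
    """Return (parent, child) pairs from 'execute the new application' events."""
    return [m.groups() for m in map(EXEC_RE.search, events) if m]

def to_regex(pattern):
    """Translate a path pattern to a regex (assumed semantics, see lead-in)."""
    parts = re.split(r"(\*\*|\*)", pattern)
    body = "".join(".*" if p == "**" else r"[^\\]*" if p == "*" else re.escape(p)
                   for p in parts)
    return re.compile(body + r"\Z", re.IGNORECASE)

def matches(pattern, path):
    return bool(to_regex(pattern).match(path))

def uncovered(pairs, parent_patterns):
    """Pairs whose parent process is not named by any application-class pattern."""
    return [(p, c) for p, c in pairs
            if not any(matches(pat, p) for pat in parent_patterns)]

if __name__ == "__main__":
    chain = exec_chain(EVENTS)
    for parent, child in chain:
        print(f"{parent}\n  -> {child}")
    # The class built in the thread names only wupdmgr.exe, which is never a parent here.
    print(len(uncovered(chain, [r"c:\winnt\system32\wupdmgr.exe"])), "pairs uncovered")
    # A path-less pattern matches update.exe in any directory, not only the patch folder.
    print(matches(r"**\update.exe", r"D:\any\folder\update.exe"))
```

With this input the parents are IEXPLORE.EXE and the downloaded package under C:\WUTemp, so a class that names only wupdmgr.exe covers neither pair, while `**\update.exe` matches a file of that name in every directory.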