Bypassing Windows Updates from ICAP scanning

Article ID: 165435

Products

ProxySG Software - SGOS

Issue/Introduction

Windows Updates can cause a bottleneck on some ICAP services when patches are deployed. Administrators wishing to bypass these patches can do so using the method described below.

Resolution

Bypassing URLs from ICAP scanning involves risk, which needs to be weighed against the benefits. Patches released during the same time period may not take full advantage of caching before being pushed to clients. This can cause a bottleneck on the ICAP service. Most update packages also decompress into much larger packages, increasing the time it takes to scan them. Microsoft never recommends bypassing any files; however, Windows Update can be considered a trusted source, as all patches go through strict quality control before being published. More details from Microsoft can be found here: http://support.microsoft.com/kb/822158.

Microsoft Update/Windows Update Overview

Microsoft Update/Windows Update is a standardized method of updating both Microsoft Windows and all other Microsoft products detected on a computer. On any Microsoft-based system, it can be accessed via Internet Explorer using http://update.microsoft.com/microsoftupdate.
 
Windows XP clients and older Internet Explorer versions may link to http://windowsupdate.microsoft.com (redirects to the one above).
 
Windows Vista and Windows 7 will load Windows Update via the Control Panel, and depending on what products are installed on the local computer, will attempt to connect to http://download.windowsupdate.com, http://download.microsoft.com and http://update.microsoft.com. These URLs are accessed via HTTP and HTTPS.
 
Windows 10 is now the mainstream Windows OS for customers, and it will attempt to connect to various servers. Please refer to this URL.

Downloading of Updates

 
Windows Update favors HTTP to download normal updates. These are typically served by http://download.windowsupdate.com. Windows XP uses a Microsoft-based download application known as Background Intelligent Transfer which has a user-agent of "Microsoft BITS/x.x" (the version number may vary).
 
Windows Update will also rely on http://crl.microsoft.com to verify the locally installed certificates placed by Microsoft to ensure they are still valid.

Bypassing these Updates

These URLs can be bypassed using the following local policy. (See 000010101 for details on how to install local policy.)

define condition WindowsUpdate
  url.domain=update.microsoft.com
  url.domain=windowsupdate.microsoft.com
  url.domain=download.windowsupdate.com
  url.domain=download.microsoft.com
  url.domain=dl.delivery.mp.microsoft.com
end

<Cache>
  ; Skip response-side ICAP scanning for the Windows Update domains defined above
  condition=WindowsUpdate response.icap_service(no)

Installing this policy will prevent these URLs from being subject to ICAP scanning.
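
To see how much traffic the bypass exempts, the following added example (not part of the original article or any Broadcom tooling) checks request URLs against the same domain list and totals the bytes that would skip ICAP scanning. It assumes url.domain= matches the listed host and its subdomains on a label boundary; the "<url> <bytes>" log format and the sample lines are constructed for illustration.

```python
from collections import Counter
from urllib.parse import urlsplit

# Domains from the WindowsUpdate condition in the policy above.
BYPASS_DOMAINS = (
    "update.microsoft.com",
    "windowsupdate.microsoft.com",
    "download.windowsupdate.com",
    "download.microsoft.com",
    "dl.delivery.mp.microsoft.com",
)

def is_bypassed(url):
    """Assumed url.domain= semantics: the exact host or any subdomain of it."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    return any(host == d or host.endswith("." + d) for d in BYPASS_DOMAINS)

def audit(log_lines):
    """Return (bytes per bypassed host, URLs that only resemble a bypass domain)."""
    bypassed, lookalikes = Counter(), []
    for line in log_lines:
        fields = line.split()
        if len(fields) != 2 or not fields[1].isdigit():
            continue  # skip malformed lines
        url, size = fields
        host = urlsplit(url).hostname or ""
        if is_bypassed(url):
            bypassed[host] += int(size)
        elif any(d in host for d in BYPASS_DOMAINS):
            # Contains a bypass domain as a substring but is not under it,
            # so it is still sent to ICAP and is worth reviewing.
            lookalikes.append(url)
    return bypassed, lookalikes

# Constructed sample lines: "<url> <response-bytes>" (not a real SGOS log format).
SAMPLE_LOG = [
    "http://download.windowsupdate.com/sample/update.cab 52428800",
    "http://au.download.windowsupdate.com/sample/update.psf 1048576",
    "http://tlu.dl.delivery.mp.microsoft.com/sample/file 2097152",
    "http://download.microsoft.com.cdn.example/setup.exe 4096",
    "http://www.example.org/index.html 1024",
    "malformed line here extra",
]

if __name__ == "__main__":
    unscanned, suspicious = audit(SAMPLE_LOG)
    for host, total in unscanned.most_common():
        print(f"unscanned {total:>10} bytes  {host}")
    for url in suspicious:
        print(f"lookalike (still scanned): {url}")
```

Running it over a real access log export shows which subdomains the policy exempts in practice and how much data leaves the scanning path.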