Defender Updater Not Working
search cancel

Defender Updater Not Working

book

Article ID: 286565

calendar_today

Updated On:

Products

Carbon Black App Control (formerly Cb Protection)

Issue/Introduction

  • Windows Defender Updater (Rules > Software Rules > Updaters > Windows Defender) is already enabled.
  • New Unapproved File Events similar to: 
    Computer computer discovered new file c:\windows\temp\....mpcommu\mpam-fe_bd.exe [753c....e863]. DiscoveredBy[Kernel:Rename]
  • Block Events similar to: 
    File c:\windows\temp\....mpcommu\mpam-fe_bd.exe [753c....e863] was blocked because it was unapproved.

Environment

  • App Control Agent: All Supported Versions
  • App Control Console: All Supported Versions
  • Microsoft Windows: All Supported Versions
  • Rules Installer 1.26 and lower

Cause

The file path for Windows Defender update files has changed.

Resolution

Important Notes: 

  • This issue was tracked under EPCB-20743 and resolved with the release of Rules Installer 1.28.
  • Existing files (already written) will need to be retroactively issued a Local Approval.
  • Upgrading to Rules Installer 1.28 (or higher) and verifying the Defender Updater is Enabled will prevent future Defender files from being written as Unapproved.
  • Until the Rules Installer is upgraded the following workarounds will also prevent future Defender files from being written as Unapproved.


Issue a Publisher Approval:

  1. Log in to the Console and navigate to Rules > Software Rules > Publishers > Microsoft Windows
  2. Set the Publisher's State to Approved.


Create a File Creation Control Rule:

  1. Log in to the Console and navigate to Rules > Software Rules > Custom > Add Custom Rule.
  2.  Use the following details:
    • Rule Name: Temp - Defender Updater
    • Description: Workaround during EA-24458
    • Status: Enabled
    • Platform: Windows
    • Rule Type: File Creation Control
    • Write Action: Approve as installer
    • Path: 
      <Windows>\temp\mpam*.exe
    • Process:  
      <CommonAppData>\Microsoft\Windows Defender\Platform\*mpcmdrun.exe
    • User or Group: Local System
    • Policies: Choose relevant Policies
  3. Click Save & Exit

Additional Information

  • In some instances the update paths can be managed via GPO and the path of the new files may differ slightly from the above. 
  • Using the Saved View, New Files (All) in Reports > Events may assist in confirming expected File Paths.
  • File Creation Control Rules require the Agent to observe the Process specified writing files that match the Path specified.
  • Existing files will need to either be rewritten or manually issued a Local or Global Approval.
Powered by Wolken Software