Defender Updater Not Working

Article ID: 286565

Updated On:

Products

Carbon Black App Control (formerly Cb Protection)

Issue/Introduction

  • Windows Defender Updater (Rules > Software Rules > Updaters > Windows Defender) is already enabled.
  • New Unapproved File Events similar to:
    Computer computer discovered new file c:\windows\temp\....mpcommu\mpam-fe_bd.exe [753c....e863]. DiscoveredBy[Kernel:Rename]
  • Block Events similar to:
    File c:\windows\temp\....mpcommu\mpam-fe_bd.exe [753c....e863] was blocked because it was unapproved.

Environment

  • App Control Agent: All Supported Versions
  • App Control Console: All Supported Versions
  • Microsoft Windows: All Supported Versions

Cause

The file path for Windows Defender update files has changed.

Resolution

This issue was tracked under EPCB-20743 and resolved with the release of Rules Installer 1.28. Upgrading to Rules Installer 1.28 (or higher) and verifying that the Defender Updater is Enabled will prevent future update files from being written as Unapproved.

In the meantime, the following workarounds are available:

Issue a Publisher Approval:

  1. Log in to the Console and navigate to Rules > Software Rules > Publishers > Microsoft Windows
  2. Set the Publisher's State to Approved.


Create a File Creation Control Rule:

  1. Log in to the Console and navigate to Rules > Software Rules > Custom > Add Custom Rule.
  2. Use the following details:
    • Rule Name: Temp - Defender Updater
    • Description: Workaround during EA-24458
    • Status: Enabled
    • Platform: Windows
    • Rule Type: File Creation Control
    • Write Action: Approve as installer
    • Path:
      <Windows>\temp\mpam*.exe
    • Process:
      <CommonAppData>\Microsoft\Windows Defender\Platform\*mpcmdrun.exe
    • User or Group: Local System
    • Policies: Choose relevant Policies
  3. Click Save & Exit

Additional Information

  • In some instances the update paths can be managed via GPO, and the path of the new files may differ slightly from the above.
  • The Saved View New Files (All) in Reports > Events may assist in confirming the expected File Paths.
  • File Creation Control Rules require the Agent to observe the Process specified writing files that match the Path specified.
  • Existing files will need to either be rewritten or manually issued a Local or Global Approval.
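
To help confirm the expected file paths before filling in the rule's Path field, the following added example (not part of the original article or of App Control) groups new-file and block event descriptions by directory for files named mpam*.exe. It assumes the events have been exported as plain-text lines in the two formats quoted under Issue/Introduction; the host name, paths and hashes in the sample are constructed.

```python
import re
from collections import Counter
from fnmatch import fnmatchcase
import ntpath  # apply Windows path rules wherever this script runs

# Constructed sample event descriptions in the two formats quoted in this
# article. Host name, directories and hashes are made up for illustration.
SAMPLE_EVENTS = [
    r"Computer WORKGROUP\HOST01 discovered new file c:\windows\temp\a1b2\mpam-fe_bd.exe [aaaa1111]. DiscoveredBy[Kernel:Rename]",
    r"File c:\windows\temp\a1b2\mpam-fe_bd.exe [aaaa1111] was blocked because it was unapproved.",
    r"File d:\defupdates\stage\mpam-fe.exe [bbbb2222] was blocked because it was unapproved.",
    r"File c:\users\alice\downloads\setup.exe [cccc3333] was blocked because it was unapproved.",
]

NEW_FILE = re.compile(r"discovered new file (?P<path>.+?) \[(?P<hash>[^\]]+)\]")
BLOCKED = re.compile(
    r"^File (?P<path>.+?) \[(?P<hash>[^\]]+)\] was blocked because it was unapproved"
)


def parse_event(line):
    """Return (kind, lower-cased path, hash) for a recognised line, else None."""
    for kind, pattern in (("new", NEW_FILE), ("blocked", BLOCKED)):
        match = pattern.search(line)
        if match:
            return kind, match.group("path").lower(), match.group("hash")
    return None


def defender_update_dirs(lines, name_glob="mpam*.exe"):
    """Count new/blocked events per directory for files whose name matches name_glob."""
    per_dir = {}
    for line in lines:
        event = parse_event(line)
        if event is None:
            continue  # not one of the two event formats
        kind, path, _file_hash = event
        if fnmatchcase(ntpath.basename(path), name_glob):
            per_dir.setdefault(ntpath.dirname(path), Counter())[kind] += 1
    return per_dir


if __name__ == "__main__":
    for directory, kinds in sorted(defender_update_dirs(SAMPLE_EVENTS).items()):
        print(f"{directory}  new={kinds['new']}  blocked={kinds['blocked']}")
```

A directory in the output that falls outside the Path configured in the rule indicates a location, such as a GPO-managed one, that the rule does not yet cover.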