App Control: Defender Updater Not Working

search cancel

book

calendar_today

Carbon Black App Control (formerly Cb Protection)

Windows Defender Updater (Rules > Software Rules > Updaters > Windows Defender) is already enabled.

New Unapproved File Events similar to:

Computer computer discovered new file c:\windows\temp\....mpcommu\mpam-fe_bd.exe [753c....e863]. DiscoveredBy[Kernel:Rename]

Block Events similar to:

File c:\windows\temp\....mpcommu\mpam-fe_bd.exe [753c....e863] was blocked because it was unapproved.

The file path for Windows Defender update files has changed.

This issue is being investigated by Engineering (EA-24458), but in the meantime the following options are available:

Issue a Publisher Approval:

Log in to the Console and navigate to Rules > Software Rules > Publishers > Microsoft Windows
Set the Publisher's State to Approved.

Create a File Creation Control Rule:

Log in to the Console and navigate to Rules > Software Rules > Custom > Add Custom Rule.
Use the following details:
- Rule Name: Temp - Defender Updater
- Description: Workaround during EA-24458
- Status: Enabled
- Platform: Windows
- Rule Type: File Creation Control
- Write Action: Approve as installer
- Path:
```
<Windows>\temp\mpam*.exe
```
- Process:
```
<CommonAppData>\Microsoft\Windows Defender\Platform\*mpcmdrun.exe
```
- User or Group: Local System
- Policies: Choose relevant Policies
Click Save & Exit

In some instances the update paths can be managed via GPO and the path of the new files may differ slightly from the above.
Using the Saved View, New Files (All) in Reports > Events may assist in confirming expected File Paths.
File Creation Control Rules require the Agent to observe the Process specified writing files that match the Path specified.
Existing files will need to either be rewritten or manually issued a Local or Global Approval.

thumb_up Yes

thumb_down No