App Control: User specific rules not applying to MSIExec on Windows 10
Article ID: 286926
Products
Carbon Black App Control (formerly Cb Protection)
Issue/Introduction
Rules applied to a specific user do not allow an MSI to run
Block events show the user as NT Authority\System
Environment
App Control Agent: 8.0+
Windows 10
Cause
Due to a change in how Microsoft Windows 10 handles MSIExec, the installation is handed off from the listed user to the NT Authority\System account. User rules that do not list this system account do not apply, because the file is executed under this account.
Resolution
Because this is now default behavior, use one of the following options:
Add the NT Authority\System account to the rule to allow the file
Apply the rule to all users
Approve the hash of the file, instead of using a user approval rule
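
To check whether blocked installs match this cause, the following added example (not Carbon Black code) scans a CSV of block events against a list of user-specific rules and reports the rules that do not cover the system account. The CSV column names, the rule structure, the "*" marker for all users and every sample value are assumptions constructed for illustration.

```python
import csv
import io
from fnmatch import fnmatchcase

SYSTEM = "nt authority\\system"

# Constructed block-event export; the column names are assumptions for this example.
SAMPLE_EVENTS = r"""time,computer,user,process,file,action
2024-03-04 09:12:01,WS-01,NT AUTHORITY\SYSTEM,msiexec.exe,C:\Installers\tools.msi,blocked
2024-03-04 09:15:40,WS-02,CORP\bob,setup.exe,C:\Temp\setup.exe,blocked
2024-03-04 09:20:13,WS-03,NT Authority\System,MSIEXEC.EXE,C:\Installers\agent.msi,blocked
2024-03-04 09:31:55,WS-04,NT AUTHORITY\SYSTEM,msiexec.exe,C:\Installers\vpn.msi,blocked
"""

# Constructed user-specific rules; "*" stands for a rule applied to all users.
SAMPLE_RULES = [
    {"name": "Allow tools MSI", "path": r"C:\Installers\tools.msi",
     "users": [r"CORP\alice"]},
    {"name": "Allow agent MSI", "path": r"C:\Installers\agent*.msi",
     "users": [r"CORP\alice", r"NT AUTHORITY\SYSTEM"]},
    {"name": "Allow VPN MSI", "path": r"C:\Installers\vpn.msi", "users": ["*"]},
]


def rule_covers_system(rule):
    """True if the rule applies to all users or lists the system account."""
    users = {u.lower() for u in rule["users"]}
    return "*" in users or SYSTEM in users


def find_msi_handoff_blocks(events_csv, rules):
    """Return (computer, file, rule_name) for each blocked MSI install that ran
    as SYSTEM while the matching user rule does not cover SYSTEM."""
    findings = []
    for ev in csv.DictReader(io.StringIO(events_csv)):
        if ev["action"].lower() != "blocked":
            continue
        # Symptom from this article: msiexec running as NT Authority\System.
        if ev["user"].lower() != SYSTEM or ev["process"].lower() != "msiexec.exe":
            continue
        for rule in rules:
            matches = fnmatchcase(ev["file"].lower(), rule["path"].lower())
            if matches and not rule_covers_system(rule):
                findings.append((ev["computer"], ev["file"], rule["name"]))
    return findings


if __name__ == "__main__":
    for computer, path, rule_name in find_msi_handoff_blocks(SAMPLE_EVENTS, SAMPLE_RULES):
        print(f"{computer}: {path} blocked as SYSTEM; rule '{rule_name}' lacks SYSTEM")
```

Each reported rule is a candidate for one of the three options above.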