Carbon Black Enterprise Protection - Windows 10 Issues

Updated August 19, 2016

We have released 7.2.3 P2 that addresses an issue with the GA release of Windows 10 Anniversary Update. We discovered new behavior in the Win 10 AE GA released version as compared to beta version. This has been addressed in 7.2.3 P2.

Updated July 19, 2016

Note: This only applies to Carbon Black Enterprise Protection (formerly Bit9 Platform) and does not apply to Carbon Black Enterprise Response (formerly Carbon Black)

We are aware of four issues involving Cb Enterprise Protection deployed on Windows 10 systems:

1) Windows requests that the agent be uninstalled - RESOLVED IN 7.2.3
Large Windows 10 updates are flagged as a major upgrade. When this happens, Windows stops the upgrade process so that Cb Enterprise Protection can be uninstalled. This behavior is expected when going from major versions like 7 to 8 or 8 to 10, however this should not occur when performing a Windows 10 to Windows 10 upgrade.

     a) Workaround

          i) Install all the latest Windows 10 updates prior to installing the Cb Enterprise Protection agent

          ii) If the agent is already deployed and a major Windows update is required, uninstall the agent when prompted to by the OS and reinstall after the upgrade is complete

     b) Resolution

          i) A solution for this will be available in 7.2.3. See this Pre-release announcement for more details.

          ii) Updated July 18 - This issue is resolved in 7.2.3 which is now available. See this announcement for more details.

2) Some system files are not approved after Windows 10 update - RESOLVED IN 7.2.3 P2
Due to a change in Windows 10 that alters how system updates are applied, some files written during the update do not get approved.

     a) Workaround

          i) We have developed an Updater that is delivered via Carbon Black Threat Intel (formerly SRS). More information can be found here.

     b) Resolution

          i) A permanent solution for this is currently in development and will be available in an upcoming release

          ii) Updated July 18 August 19 - This issue is resolved in 7.2.3 P2 which is now available. See this announcement for more details.

3) Windows Automatic Updates hang - RESOLVED IN 7.2.3
During install, Cb Enterprise Protection reconfigures two services involved with Windows updates. In Windows 10, the OS assumes that these two services are running in the same shared process which causes automated Windows updates to fail.

     a) Workaround

          i) See this post: https://community.carbonblack.com/thread/2888

          ii) Run the standalone Windows update installer manually or push it through SCCM (or other distribution system)

     b) Resolution

          i) Updated July 19 - This issue is resolved in 7.2.3 which is now available. See this announcement for more details.

4) Windows App Store application updates are blocked
Currently Windows App Store files (appx packages) are not tracked as interesting files by Cb Enterprise Protection and as such are not reported upon or approved by the agent. Additionally the Cb Enterprise Protection agent's built-in mechanism to approve Windows updates doesn't consider Microsoft’s own apps as part of the operating system. As such, alternate approval mechanisms are needed to approve these files.

     a) Workaround

Create two custom rules to approve files written by a specific Windows process to app paths that you want to approve.

***IMPORTANT***

You must enable ShowHiddenCustomRules whenever you edit or enable the “Approve writes of Win10 apps” rule.

Step 1: Enable ShowHiddenCustomRules

Go to shepherd_config.php on your server. For example, https://cb.yourdomain.com/shepherd_config.php and select the defined property ShowHiddenCustomRules and set its property value to true. Then save the change.

Step 2: Import the Attached Rules

Download the WindowsAppStoreRules.rules file from this page. Go to the Custom Rules page within the Console and click the Import Rules button. In the import dialog, click Choose File, select the rules file to upload, select both rules to import and then click Import.

Both rules will appear in the Custom Rules list.

Step 3: Enable the “Classify svchost for Win10 App Approvals” rule

Edit the “Classify svchost for Win10 App approvals” rule and enable it.

Step 4: Customize and enable “Approve writes of Win10 apps”

“Approve writes of Win10 apps” is a File Creation Control rule that comes with a default approval path of <programfiles>\windowsapps\microsoft.*. This will approve any Apps written to this directory by the specific svchost that we classified in the previous rule.

You will likely want to approve specific paths for individual apps. Simply alter the Path Or File field, entering any additional Windows App paths.

IMPORTANT: If you attempt to edit or enable either of these rules without having the ShowHiddenCustomRules parameter set to true, the rule will approve any process writing to the specified directory. This would open a large security hole.

Step 5: Disable ShowHiddenCustomRules

Go to shepherd_config.php on your server. For example, https://cb.yourdomain.com/shepherd_config.php and select the defined property ShowHiddenCustomRules and set its property value to false. Then save the change.

You can leave ShowHiddenCustomRules enabled, however, the Custom Rules page will be filled with many hidden rules.

     b) Resolution

          i) Tracking of appx files by the CB Enterprise Protection agent will be added to a future release

If you encounter these or other issues for which we have not offered a workaround, please contact technical support.

Comments

The Updater that we're developing for issue #2 (Some system files are not approved after Windows 10 update) will not be released today (4/1/16). It is going through the QA process. We will have an update next week.

Today (April 7, 2016) we have released the Updater to resolve issue #2 (Some system files are not approved after Windows 10 update). To enable this Updater go to the Updater section in your Cb Enterprise Protection (formerly Bit9) console and enable the Windows 8, 10, and Server 2012 updater. Note that this Updater was previously available as Windows 8 and Server 2012 Updates.

Additional details can be found here.

So far, my clients who have installed v7.2.1 patch 13 have had good success with item #3: "Windows Automatic Update Hang".  If anyone is having issues, please contact us, but so far it looks like a solid fix.

Matt Larsen

Carbon Black Solutions Architect

FYI we have had mixed results here, Matt.  Behavior is different depending on whether install is via automatic updater from console or a fresh de novo install.  (posted for public awareness, already communicated details to product management and support)

Yes, Automatic Updates will be fixed in 7.2.3 (previously we were calling 7.2.2 p3) which should be available mid-July.

With release of 7.2.3, issues 1 and 2 above are resolved. Please review the discussion at Pre-Release Announcement of Cb Enterprise Protection 7.2.3 (previously described as 7.2.2 P3) for more information.

Hi Michael, on June 23rd, in the other thread, you indicated item 3 would also be remedied in this patch.  Is that not the case?

3) Windows Automatic Updates hang
During install, Cb Enterprise Protection reconfigures two services involved with Windows updates. In Windows 10, the OS assumes that these two services are running in the same shared process which causes automated Windows updates to fail.

     a) Workaround

          i) See this post: https://community.carbonblack.com/thread/2888

          ii) Run the standalone Windows update installer manually or push it through SCCM (or other distribution system)

     b) Resolution

          i) This issue has been addressed in 7.2.1 Patch 13 available now.
          UPDATE 6/6/2016: It has come to our attention that the issue was not effectively addressed in the previous patch. Please continue to use the workaround described above until the release of 7.2.2 P3.

Good catch, thank you for that. Yes, item 3 is also resolved with 7.2.3. The initial post above has been updated to reflect this.

Thanks again!

For the "Approve writes of Win10 Apps" rule in #4, it's set to just "Ignore" on File Creation, rather than "Approve"?  Is this correct?  It seems like the rule should be set to Approve the files written.

Also, how can I verify that the svchost process is getting classified properly?

I'm digging into this because we have a ton of windowsapps\microsoft.* files getting blocked (unapproved), some by svchost.exe as the process.  I also have a support ticket open for the issue, but exploring the community's ideas here too.

Thanks!

Hi JNielson,

First a plug for version 8.0.
In version 8.0 there is a "Window App Store" Rapid Config that you can use to approve app store updates to paths you specify.

As to your questions:

Yes, the rule should be an approve rule rather than an ignore rule.

The following page contains two sets of rules to import for app store approvals - one if you are on version 7.2.1 and the other if on version 7.2.2 and later.

https://community.carbonblack.com/docs/DOC-4596

You may want to try re-importing from the appropriate exported rules there.

I'm worried that if the approve rule is incorrect that the classification rule may be incorrect also.

To see the classifications for a particular process you'd need the PID for the process.

If you have the PID you can use an authenticated dascli command to get information about the process, including the classifications.

dascli process <pid>

At the end of the listing for the process you should see something like the following listing the classifications.

UClassifications[*\svchost.exe,Bit9:ATI:WinSuspiciousBasedonParent:svchostParents,\device\harddiskvolume2\windows\system32\*,\device\harddiskvolume2\windows\system32\svchost.exe]

If the rules are working correctly, the classifications would include the classification from your rule.

I hope that helps,

Mark
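To turn the verification step above into something repeatable, here is an added PowerShell example (not code from this thread or from Carbon Black): it runs the `dascli process <pid>` command shown in the reply for every svchost.exe on the endpoint and parses the UClassifications[...] list from the output. The dascli path and the -ClassName value (the tag your imported classification rule assigns) are assumptions, and the dascli session is assumed to be already authenticated, as the reply notes it must be.

```powershell
# Added example, not part of the original thread. Reports which svchost.exe
# instances carry the classification applied by the "Classify svchost for
# Win10 App approvals" rule, using the agent's "dascli process <pid>" command.
# Assumptions: dascli.exe is at the path below (adjust for your install), the
# session is already authenticated, and -ClassName is the tag your rule assigns.
param(
    [string]$DascliPath = 'C:\Program Files (x86)\Bit9\Parity Agent\dascli.exe',
    [Parameter(Mandatory = $true)][string]$ClassName   # placeholder: your rule's classification name
)

function Get-DascliClassifications {
    param([int]$ProcessId)
    # Run the command from the thread and capture its full text output.
    $output = & $DascliPath process $ProcessId 2>&1 | Out-String
    # The listing ends with a line of the form:
    # UClassifications[*\svchost.exe,Bit9:ATI:...,\device\harddiskvolume2\windows\system32\*]
    if ($output -match 'UClassifications\[(?<list>[^\]]*)\]') {
        return $Matches['list'] -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
    }
    return @()
}

# Only the specific svchost that hosts app deployment is expected to carry the
# class, so the result is one row per svchost PID rather than a single yes/no.
$results = foreach ($p in Get-Process -Name svchost -ErrorAction SilentlyContinue) {
    $classes = Get-DascliClassifications -ProcessId $p.Id
    [pscustomobject]@{
        PID             = $p.Id
        HasRuleClass    = ($classes -contains $ClassName)
        Classifications = ($classes -join '; ')
    }
}

$results | Sort-Object HasRuleClass -Descending | Format-Table -AutoSize

if (-not ($results | Where-Object HasRuleClass)) {
    Write-Warning "No svchost.exe instance carries '$ClassName'. Re-import the classification rule and confirm ShowHiddenCustomRules was set to true while the rule was edited."
}
```

If no row shows HasRuleClass as True, the approval rule that depends on this classification has nothing to match, which is consistent with the blocks described earlier in the thread.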

Thanks Mark for the response!  Just wanted to say that after implementing the updated rules from the other link, we're seeing good results.

However, there are a few dll's still being blocked:

microsoft.richmedia.ink.controls.dll

microsoft.photos.edit.services.dll

calculator.exe (seriously?)

lumia.viewerpluginproxy.dll

I have a support ticket open, but are there simple best practices for all these Windows 10 blocks?  It's hard to put these folks into high enforcement when basic, simple standard apps are constantly popping up with blocks.

Hi JNielson,

I'm glad things have improved.

Without looking at the data, it is hard for me to know why those files are blocking.

I can say that when I've looked into these types of blocks previously, usually the blocked files were written before the App Store rules were created/enabled.
Once those files were approved manually, there would no longer be blocks as subsequently created files would be approved.

Of course, I don't know if that's the case here.

Do you know the case number for the support ticket you opened and have you provided diagnostics for the case?
If so I'll take a look at the data.

Thanks,

Mark

Ah, good call on when the files were first on the endpoint.  I had assumed these were new files, but they were on there before the rule got fixed.

Let me run with this a few more days... Thanks!

Article Information
Creation Date: 03-23-2016