Carbon Black Enterprise Protection - Windows 10 Issues
Updated August 19, 2016
We have released 7.2.3 P2, which addresses an issue with the GA release of the Windows 10 Anniversary Update. The GA build of Windows 10 AE behaves differently from the beta build; this new behavior has been addressed in 7.2.3 P2.
Updated July 19, 2016
Note: This only applies to Carbon Black Enterprise Protection (formerly Bit9 Platform) and does not apply to Carbon Black Enterprise Response (formerly Carbon Black).
We are aware of four issues involving Cb Enterprise Protection deployed on Windows 10 systems:
1) Windows requests that the agent be uninstalled - RESOLVED IN 7.2.3
Large Windows 10 updates are flagged as a major upgrade. When this happens, Windows stops the upgrade process so that Cb Enterprise Protection can be uninstalled. This behavior is expected when moving between major versions (for example 7 to 8, or 8 to 10), but it should not occur when performing a Windows 10 to Windows 10 upgrade.
i) Install all the latest Windows 10 updates prior to installing the Cb Enterprise Protection agent
ii) If the agent is already deployed and a major Windows update is required, uninstall the agent when prompted to by the OS and reinstall it after the upgrade is complete
iii) Updated July 18 - This issue is resolved in 7.2.3, which is now available. See this announcement for more details.
2) Some system files are not approved after Windows 10 update - RESOLVED IN 7.2.3 P2
Due to a change in Windows 10 that alters how system updates are applied, some files written during the update do not get approved.
i) We have developed an Updater that is delivered via Carbon Black Threat Intel (formerly SRS). More information can be found here.
ii) A permanent solution for this is currently in development and will be available in an upcoming release
iii) Updated August 19 - This issue is resolved in 7.2.3 P2, which is now available. See this announcement for more details.
3) Windows Automatic Updates hang - RESOLVED IN 7.2.3
During install, Cb Enterprise Protection reconfigures two services involved with Windows updates. In Windows 10, the OS assumes that these two services are running in the same shared process, which causes automated Windows updates to fail.
i) Run the standalone Windows update installer manually or push it through SCCM (or another distribution system)
ii) Updated July 19 - This issue is resolved in 7.2.3, which is now available. See this announcement for more details.
4) Windows App Store application updates are blocked
Currently, Windows App Store files (appx packages) are not tracked as interesting files by Cb Enterprise Protection and so are neither reported on nor approved by the agent. Additionally, the agent's built-in mechanism for approving Windows updates does not treat Microsoft's own apps as part of the operating system. Alternate approval mechanisms are therefore needed to approve these files.
Workaround: Create two custom rules that approve files written by a specific Windows process to the app paths you want to approve.
Step 1: Enable ShowHiddenCustomRules
You must enable the ShowHiddenCustomRules parameter whenever you edit or enable the “Approve writes of Win10 apps” rule.
Step 2: Import the rules file
Download the WindowsAppStoreRules.rules file from this page. Go to the Custom Rules page within the Console and click the Import Rules button. In the import dialog, click Choose File, select the rules file to upload, select both rules to import and then click Import.
Both rules will appear in the Custom Rules list.
Step 3: Enable the “Classify svchost for Win10 App Approvals” rule
Edit the “Classify svchost for Win10 App Approvals” rule and enable it.
Step 4: Customize and enable “Approve writes of Win10 apps”
“Approve writes of Win10 apps” is a File Creation Control rule that ships with a default approval path of <programfiles>\windowsapps\microsoft.*. It approves any apps written to this directory by the specific svchost process classified by the previous rule.
You will likely want to approve specific paths for individual apps. To do so, edit the Path Or File field and enter any additional Windows App paths.
IMPORTANT: If you edit or enable either of these rules without the ShowHiddenCustomRules parameter set to true, the rule will approve any process writing to the specified directory, which would open a large security hole.
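To make the effect of the two rules and of the ShowHiddenCustomRules caveat concrete, the following is an added illustration (not Carbon Black's code or rule engine). It models the rule semantics as the article describes them: a File Creation Control rule scoped to a path pattern, constrained to writes by the classified svchost process, and the same rule with that process constraint lost. The <programfiles> macro expansion, the event fields, the matching semantics and the sample write events are all constructed assumptions.

```python
"""Model of the two custom rules described for approving Windows App Store files.

Added illustration, not Carbon Black code. The macro expansion, the event
fields, the path-matching semantics and the sample events are constructed
assumptions based on the article's description of the rules."""
from fnmatch import fnmatchcase

# Assumed expansion of the <programfiles> macro used in the rule's path.
MACROS = {"<programfiles>": r"C:\Program Files"}

# Constructed: the process the "Classify svchost for Win10 App Approvals"
# rule is assumed to single out.
CLASSIFIED_PROCESS = r"C:\Windows\System32\svchost.exe"

# The default approval path shipped with "Approve writes of Win10 apps".
DEFAULT_APPROVAL_PATHS = [r"<programfiles>\windowsapps\microsoft.*"]


def expand_pattern(pattern):
    """Expand rule macros and lower-case for case-insensitive Windows matching."""
    for macro, value in MACROS.items():
        pattern = pattern.replace(macro, value)
    return pattern.lower()


def path_in_scope(path, approval_paths):
    """True if the written path falls under any approval path pattern.

    In fnmatch '*' also spans backslashes, so microsoft.* covers every file
    inside any Microsoft.* app folder (an assumption about the rule's matching)."""
    path = path.lower()
    return any(fnmatchcase(path, expand_pattern(p)) for p in approval_paths)


def approves_write(event, approval_paths, process_constrained=True):
    """Decide whether the File Creation Control rule approves one write event.

    process_constrained=True models the rule as intended: only the classified
    svchost triggers the approval. process_constrained=False models the rule
    after it was edited without ShowHiddenCustomRules, where the article says
    any process writing to the directory gets its files approved."""
    if not path_in_scope(event["path"], approval_paths):
        return False
    if process_constrained:
        return event["process"].lower() == CLASSIFIED_PROCESS.lower()
    return True


def writes_approved_only_when_unconstrained(events, approval_paths):
    """Events the broken (unconstrained) rule would approve but the intended
    rule rejects: exactly the security hole the IMPORTANT note warns about."""
    return [e for e in events
            if approves_write(e, approval_paths, process_constrained=False)
            and not approves_write(e, approval_paths, process_constrained=True)]


# Constructed sample write events: the process that wrote the file, and the path.
SAMPLE_EVENTS = [
    # Store app update delivered by the classified svchost: intended to be approved.
    {"process": r"C:\Windows\System32\svchost.exe",
     "path": r"C:\Program Files\WindowsApps\Microsoft.Photos_2016.7\Photos.exe"},
    # Unrelated process writing into a Microsoft.* folder: must not be approved.
    {"process": r"C:\Users\alice\AppData\Local\Temp\untrusted.exe",
     "path": r"C:\Program Files\WindowsApps\Microsoft.Example_1.0\app.dll"},
    # Non-Microsoft app written by svchost: outside the default path, so the
    # Path Or File field must be extended before it is approved.
    {"process": r"C:\Windows\System32\svchost.exe",
     "path": r"C:\Program Files\WindowsApps\Contoso.Tool_1.0\tool.exe"},
]

if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(e["path"])
        print("  intended rule :", approves_write(e, DEFAULT_APPROVAL_PATHS))
        print("  unconstrained :", approves_write(e, DEFAULT_APPROVAL_PATHS, False))
    extended = DEFAULT_APPROVAL_PATHS + [r"<programfiles>\windowsapps\contoso.*"]
    print("Contoso app approved after extending Path Or File:",
          approves_write(SAMPLE_EVENTS[2], extended))
    hole = writes_approved_only_when_unconstrained(SAMPLE_EVENTS, DEFAULT_APPROVAL_PATHS)
    print("Approved only by the unconstrained rule:", [e["path"] for e in hole])
```

Running the script shows the second event is approved only when the process constraint is missing, which is why the rule must be edited with ShowHiddenCustomRules set to true, and that the third event needs an additional Path Or File entry before the classified svchost's writes are approved.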