
App Control: Windows Update Delay and Timeouts


Environment

  • App Control Console: All Supported Versions
  • App Control Windows Agent: All Supported Versions

Symptoms

  • Windows Updates taking an extended time to install.
  • Windows Update failing to install due to timeout.

Cause

Large volumes of files being introduced to the endpoint at once

Resolution

  1. Verify the endpoint is using the latest Agent version.
  2. Verify that the steps for Trusted Directory approval of WIM files have been enabled and configured.
  3. Verify that the Agent Exclusions are added to any other antivirus or security product (including Windows Defender).
  4. Verify existing Updaters (such as Windows Defender) are enabled in the Console > Rules > Software Rules > Updaters.
  5. Log in to the Console and navigate to https://ServerAddress/agent_config.php
  6. Add an Agent Config to ignore file operations on inst*.tmp files used during the Windows Update process:
    Property Name: Windows Update Performance
    Host ID: 0
    Value: kernelFileOpExclusions=*\Windows\SoftwareDistribution\Download\*\inst*.tmp:4192127
    Platform: Windows
    Status: Enabled
  7. Save
  8. Add an Agent Config to limit the type of activity done during the USN Journal Check:
    Property Name: USN Journal Flag
    Host ID: 0
    Value: usn_journal_flags=5634
    Platform: Windows
    Status: Enabled
  9. Save
  10. Add an Agent Config to increase the default threshold of new files required before Cache Analysis:
    Property Name: USN Journal Max CC
    Host ID: 0
    Value: usn_journal_max_analysis_messages_before_cc=10000
    Platform: Windows
    Status: Enabled
  11. Save

If excessive upgrade times are still observed after applying these changes, please collect the following information and open a case with Support:
  1. How are the patches being deployed (Windows Update Server, SCCM, 3rd party, etc)?
  2. How can the test be reproduced (snapshotted virtual machine, anecdotal, etc)?
  3. What is the time difference with the Agent installed/uninstalled to complete patching?

Additional Notes

  • Values for Agent Configs are case sensitive and should not begin or end with a space.
  • Each configuration can be set for either one host, or limited to specific Policies.
  • The default usn_journal_flags value will resubmit both new and existing files (i.e. files the Agent already knows about) appearing in the journal for re-analysis.
  • The new usn_journal_flags value above will instruct the Agent to:
    • Initiate a CC2 if the current USN Change Journal is new.
    • Generate an Event if a file was discovered, modified, or removed via USN Scan.
    • Verify known files that were modified still match the known hash.
    • Stop processing if the file's timestamp is after the Agent running time.
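As an added pre-check to run on an affected endpoint before and after applying the Agent Configs above (example script written for this article, not part of the article or of the App Control product): it confirms Windows Defender excludes the Agent directory (step 3), validates the three values against the whitespace pitfall noted above, and reports which files in the Windows Update download cache the kernelFileOpExclusions wildcard actually covers. It assumes the Agent install directory is a placeholder you replace, and that the exclusion wildcard behaves like a PowerShell -like pattern.

```powershell
# Replace with the real App Control Agent install directory (PLACEHOLDER, not a product path).
$AgentInstallDir = 'C:\PLACEHOLDER\App Control Agent'

# 1. Is the Agent directory already excluded in Windows Defender? (Resolution step 3)
$pref = Get-MpPreference
$agentExcluded = @($pref.ExclusionPath) -contains $AgentInstallDir
"Defender excludes Agent directory '$AgentInstallDir': $agentExcluded"

# 2. The three Agent Config values from this article, checked for leading/trailing
#    whitespace (values are case sensitive and must not begin or end with a space).
$configs = [ordered]@{
    'Windows Update Performance' = 'kernelFileOpExclusions=*\Windows\SoftwareDistribution\Download\*\inst*.tmp:4192127'
    'USN Journal Flag'           = 'usn_journal_flags=5634'
    'USN Journal Max CC'         = 'usn_journal_max_analysis_messages_before_cc=10000'
}
foreach ($name in $configs.Keys) {
    $value = $configs[$name]
    if ($value -ne $value.Trim()) {
        Write-Warning "Agent Config '$name' has leading or trailing whitespace: '$value'"
    } else {
        "Agent Config '$name' value OK: $value"
    }
}

# 3. Which files in the Windows Update download cache does the exclusion pattern cover?
#    The wildcard is the part after '=' and before the ':4192127' suffix.
$exclValue = $configs['Windows Update Performance']
$glob = (($exclValue -split '=', 2)[1] -split ':')[0]   # *\Windows\SoftwareDistribution\Download\*\inst*.tmp
$downloadDir = Join-Path $env:SystemRoot 'SoftwareDistribution\Download'

$allFiles = @(Get-ChildItem -Path $downloadDir -Recurse -File -ErrorAction SilentlyContinue)
# Assumption: the Agent's wildcard semantics match PowerShell -like (not verified against the product).
$matched  = @($allFiles | Where-Object { $_.FullName -like $glob })

"Files under $downloadDir : $($allFiles.Count)"
"Files matched by '$glob': $($matched.Count)"
$matched | Select-Object -First 10 FullName, Length, LastWriteTime
```

A non-zero match count while an update is downloading confirms the pattern is hitting the inst*.tmp files the Agent would otherwise analyze; zero matches on an idle endpoint is expected.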

Article Information

Creation Date: 09-04-2020