
App Control: Defender Updater Not Working

Environment

  • App Control Agent: All Supported Versions
  • App Control Console: All Supported Versions
  • Microsoft Windows: All Supported Versions

Symptoms

  • Windows Defender Updater (Rules > Software Rules > Updaters > Windows Defender) is already enabled.
  • New Unapproved File Events similar to:
    Computer computer discovered new file c:\windows\temp\....mpcommu\mpam-fe_bd.exe [753c....e863]. DiscoveredBy[Kernel:Rename]
  • Block Events similar to:
    File c:\windows\temp\....mpcommu\mpam-fe_bd.exe [753c....e863] was blocked because it was unapproved.

Cause

The file path for Windows Defender update files has changed.

Resolution

This issue is being investigated by Engineering (EA-24458), but in the meantime the following options are available:

Issue a Publisher Approval:
  1. Log in to the Console and navigate to Rules > Software Rules > Publishers > Microsoft Windows
  2. Set the Publisher's State to Approved.

Create a File Creation Control Rule:
  1. Log in to the Console and navigate to Rules > Software Rules > Custom > Add Custom Rule.
  2. Use the following details:
    • Rule Name: Temp - Defender Updater
    • Description: Workaround during EA-24458
    • Status: Enabled
    • Platform: Windows
    • Rule Type: File Creation Control
    • Write Action: Approve as installer
    • Path:
      <Windows>\temp\mpam*.exe
    • Process:
      <CommonAppData>\Microsoft\Windows Defender\Platform\*mpcmdrun.exe
    • User or Group: Local System
    • Policies: Choose relevant Policies
  3. Click Save & Exit

Additional Notes

  • In some instances the update paths can be managed via GPO, and the path of the new files may differ slightly from the above.
  • The Saved View New Files (All) under Reports > Events may assist in confirming the expected File Paths.
  • File Creation Control Rules require the Agent to observe the Process specified writing files that match the Path specified.
  • Existing files will need to either be rewritten or manually issued a Local or Global Approval.
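
To help confirm the observed file paths from exported events, the following added example (not part of the original article or of any vendor tooling) parses event lines in the two formats shown under Symptoms, groups Defender update files by directory, and lists the hashes that were blocked. The host names, directory names and hashes are constructed placeholders, and applying the mpam*.exe pattern to the file name only is an assumption made for this illustration.

```python
import re
from collections import defaultdict
from fnmatch import fnmatchcase
from ntpath import basename, dirname

# Constructed sample events in the two formats shown under Symptoms.
# Host names, directory names and hashes are placeholders, not real values.
SAMPLE_EVENTS = r"""
Computer HOST-A discovered new file c:\windows\temp\EXAMPLE-DIR-1\mpam-fe_bd.exe [aaaa....0001]. DiscoveredBy[Kernel:Rename]
File c:\windows\temp\EXAMPLE-DIR-1\mpam-fe_bd.exe [aaaa....0001] was blocked because it was unapproved.
Computer HOST-B discovered new file d:\defender-updates\EXAMPLE-DIR-2\mpam-fe.exe [bbbb....0002]. DiscoveredBy[Kernel:Rename]
Computer HOST-B discovered new file c:\users\public\setup.exe [cccc....0003]. DiscoveredBy[Kernel:Rename]
"""

# File path and bracketed hash as they appear in both event formats.
EVENT_RE = re.compile(
    r"(?:discovered new file|^File) (?P<path>.+?) \[(?P<hash>[^\]]+)\]"
    r"(?P<blocked> was blocked)?", re.IGNORECASE)

def summarize(events, name_glob="mpam*.exe"):
    """Group Defender update files by directory: {dir: {hash: was_blocked}}."""
    seen = defaultdict(dict)
    for line in events.splitlines():
        m = EVENT_RE.search(line.strip())
        if not m:
            continue
        path = m["path"].lower()          # Windows paths are case-insensitive
        if not fnmatchcase(basename(path), name_glob):
            continue                      # not a Defender update package
        files = seen[dirname(path)]
        files[m["hash"]] = files.get(m["hash"], False) or bool(m["blocked"])
    return dict(seen)

def blocked_hashes(summary):
    """Hashes blocked at least once: candidates for Local or Global Approval."""
    return sorted(h for files in summary.values()
                  for h, blocked in files.items() if blocked)

if __name__ == "__main__":
    report = summarize(SAMPLE_EVENTS)
    for directory, files in sorted(report.items()):
        print(directory, "->", len(files), "file(s)")
    print("blocked:", blocked_hashes(report))
```

Directories in the output that fall outside the Path used in the rule indicate endpoints where the Path value needs adjusting.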

Article Information
Creation Date: 03-12-2024