
Cb Protection - Tamper Protection Preventing Windows 10 Upgrades


Environment

  • Cb Protection 8.0.0.2562 (Patch 6)
  • Windows 10 (All builds and versions)

Symptoms

  • Tamper Protection appears to block various aspects of Windows 10 upgrades.
  • The endpoint suffers a BSOD.
  • Error messages in logs can include:
    • \registry\machine\sp_hive_load_alias_software\microsoft\cryptography\oid\encodingtype 0\cryptsipdllcreateindirectdata\{000c10f1-0000-0000-c000-000000000046}\' by 'NT AUTHORITY\SYSTEM' was blocked.
    • \registry\machine\software\wow6432node\microsoft\windows\currentversion\uninstall\{da971ca3-73aa-4a57-afb4-8155e72ceb96}\sestimatedsize2' by 'NT AUTHORITY\SYSTEM' was blocked because of Tamper Protection.

  • The Windows 10 upgrade displays an "upgrade failed" error.

Cause

The "Windows Hardening" Rapid Config was changed to add a new section that blocks modifications to the registry keys that control which DLLs are used to verify file signatures.

Resolution

  1. Verify that version 24 or later of the Rapid Config is running in the environment.

         a. From the Cb Protection console, go to "Rules" > "Software Rules" > "Rapid Config" and edit "Windows Hardening". Ensure "Version" is at 24 or higher.

  2. Add "?:\$windows.~bt\sources\setuphost.exe" to the "Processes allowed to modify these registry keys" list.

Additional Notes

A permanent fix for this issue will be released in a later version of Cb Protection.

Creation Date: 02-01-2018