
Windows 8 application store updates getting blocked


Version
7.0.1

 

 

Issue

While the Microsoft Windows 8 Store applies updates, the agent blocks .tmp files whose names start with appx.

 

 

Symptoms

Events similar to the following may appear: File 'c:\windows\temp\appx.aczj9eqn7bg8q21aakz9wybwp.tmp' was blocked because it was unapproved.

 

 

Cause
In some situations, vendors modify their updaters in a way that requires us to modify our updater(s) accordingly.

 

 

Solution
Implement the following agent configuration.

  1. On the Bit9 console, within the browser address bar, add agent_config.php to the end of the Bit9 server address: https://<parity_server>/agent_config.php
  2. Select the 'Add Agent Config' button.
  3. Add the following for the properties listed:

       Property Name: Ignore Temp App Store files
       Host ID: 0
       Value: kernelFileOpExclusions=*appx.*.tmp:3199
       Platforms: Windows
       Status: Enabled

  4. Select the 'Save' button.

 

Note: You can verify this was sent to the agent by matching up the CL Version between the server and the agent. To do this, go to the console and select: Assets > Computers. Add 'CL Version' as a column and compare. Another approach is to use the dascli command to review the list of properties. Using the command prompt, navigate to the Parity Agent installation directory (i.e. c:\program files (x86)\Bit9\Parity Agent). From here you can run the following:

dascli password <cli password>

(The cli password is retrieved from the computers detail page on the console: Assets > Computers > Computer Name > Parity Agent tab)

dascli configprops | findstr /I appx
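Before relying on the exclusion, it helps to confirm which block events it actually accounts for and which ones remain to be investigated separately. The script below is an added example, not part of the original article or of the Bit9 product: it takes event text in the format shown under Symptoms and sorts the blocked paths by whether they match the wildcard in the exclusion value. It assumes the wildcard is matched case-insensitively against the full path with '*' standing for any run of characters; the function names and all sample events except the first are constructed for illustration.

```python
import fnmatch
import re

# Event text format taken from the Symptoms section of this article.
BLOCK_EVENT = re.compile(r"File '(?P<path>[^']+)' was blocked because it was unapproved")

# Value from step 3 of the Solution.
EXCLUSION_VALUE = "kernelFileOpExclusions=*appx.*.tmp:3199"

# Constructed sample input; only the first line is quoted from the article.
SAMPLE_EVENTS = [
    r"File 'c:\windows\temp\appx.aczj9eqn7bg8q21aakz9wybwp.tmp' was blocked because it was unapproved.",
    r"File 'c:\users\alice\downloads\setup.exe' was blocked because it was unapproved.",
    r"File 'C:\Windows\Temp\APPX.1b2c3d.TMP' was blocked because it was unapproved.",
    r"File 'c:\windows\temp\appxinstaller.tmp' was blocked because it was unapproved.",
    r"Computer WIN8-01 connected to the server.",
]


def exclusion_pattern(value):
    """Return the wildcard part of the value (between '=' and the last ':')."""
    _, _, rhs = value.partition("=")
    pattern, sep, _ = rhs.rpartition(":")
    return (pattern if sep else rhs).lower()


def triage(lines, value=EXCLUSION_VALUE):
    """Split blocked paths into those the exclusion covers and those it does not."""
    pattern = exclusion_pattern(value)
    covered, other = [], []
    for line in lines:
        match = BLOCK_EVENT.search(line)
        if not match:
            continue  # not a block event
        path = match.group("path")
        # Assumption: case-insensitive wildcard match on the full path.
        if fnmatch.fnmatchcase(path.lower(), pattern):
            covered.append(path)
        else:
            other.append(path)
    return covered, other


if __name__ == "__main__":
    covered, other = triage(SAMPLE_EVENTS)
    print("Covered by exclusion:", *covered, sep="\n  ")
    print("Still needs review:", *other, sep="\n  ")
```

Blocks that land in the second list are not explained by the store update and are not affected by this agent configuration.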

 

Internal Notes

https://community.bit9.com/docs/DOC-3739

Article Information
Creation Date: 12-21-2015