Carbon Black Enterprise Protection - Windows 10 Issues

By Tim Smith posted Mar 23, 2016 07:16 PM

Updated August 19, 2016

We have released 7.2.3 P2, which addresses an issue with the GA release of the Windows 10 Anniversary Update. The Windows 10 Anniversary Update GA release behaves differently from the beta version; this new behavior is addressed in 7.2.3 P2.

Updated July 19, 2016

Note: This only applies to Carbon Black Enterprise Protection (formerly Bit9 Platform) and does not apply to Carbon Black Enterprise Response (formerly Carbon Black)

We are aware of four issues involving Cb Enterprise Protection deployed on Windows 10 systems:

1) Windows requests that the agent be uninstalled - RESOLVED IN 7.2.3
Large Windows 10 updates are flagged as a major upgrade. When this happens, Windows stops the upgrade process so that Cb Enterprise Protection can be uninstalled. This behavior is expected when going between major versions such as 7 to 8 or 8 to 10; however, it should not occur when performing a Windows 10 to Windows 10 upgrade.

     a) Workaround

          i) Install all the latest Windows 10 updates prior to installing the Cb Enterprise Protection agent

          ii) If the agent is already deployed and a major Windows update is required, uninstall the agent when prompted to by the OS and reinstall after the upgrade is complete

     b) Resolution

          i) A solution for this will be available in 7.2.3. See this Pre-release announcement for more details.

          ii) Updated July 18 - This issue is resolved in 7.2.3 which is now available. See this announcement for more details.

2) Some system files are not approved after Windows 10 update - RESOLVED IN 7.2.3 P2
Due to a change in Windows 10 that alters how system updates are applied, some files written during the update do not get approved.

     a) Workaround

          i) We have developed an Updater that is delivered via Carbon Black Threat Intel (formerly SRS). More information can be found here.

     b) Resolution

          i) A permanent solution for this is currently in development and will be available in an upcoming release

          ii) Updated August 19 - This issue is resolved in 7.2.3 P2 which is now available. See this announcement for more details.

3) Windows Automatic Updates hang - RESOLVED IN 7.2.3
During install, Cb Enterprise Protection reconfigures two services involved with Windows updates. In Windows 10, the OS assumes that these two services are running in the same shared process which causes automated Windows updates to fail.

     a) Workaround

          i) See this post: https://community.carbonblack.com/thread/2888

          ii) Run the standalone Windows update installer manually or push it through SCCM (or other distribution system)

     b) Resolution

          i) Updated July 19 - This issue is resolved in 7.2.3 which is now available. See this announcement for more details.

4) Windows App Store application updates are blocked
Currently, Windows App Store files (appx packages) are not tracked as interesting files by Cb Enterprise Protection and as such are not reported upon or approved by the agent. Additionally, the Cb Enterprise Protection agent's built-in mechanism to approve Windows updates doesn't consider Microsoft’s own apps as part of the operating system. As such, alternate approval mechanisms are needed to approve these files.

     a) Workaround

Create two custom rules to approve files written by a specific Windows process to app paths that you want to approve.

***IMPORTANT***

You must enable ShowHiddenCustomRules whenever you edit or enable the “Approve writes of Win10 apps” rule.

Step 1: Enable ShowHiddenCustomRules

Go to shepherd_config.php on your server. For example, https://cb.yourdomain.com/shepherd_config.php and select the defined property ShowHiddenCustomRules and set its property value to true. Then save the change.

Step 2: Import the Attached Rules

Download the WindowsAppStoreRules.rules file from this page. Go to the Custom Rules page within the Console and click the Import Rules button. In the import dialog, click Choose File, select the rules file to upload, select both rules to import and then click Import.

Both rules will appear in the Custom Rules list.

Step 3: Enable the “Classify svchost for Win10 App Approvals” rule

Edit the “Classify svchost for Win10 App approvals” rule and enable it.

Step 4: Customize and enable “Approve writes of Win10 apps”

“Approve writes of Win10 apps” is a File Creation Control rule that comes with a default approval path of <programfiles>\windowsapps\microsoft.*. This will approve any Apps written to this directory by the specific svchost that we classified in the previous rule.

You will likely want to approve specific paths for individual apps. Simply alter the Path Or File field, entering any additional Windows App paths.

IMPORTANT: If you attempt to edit or enable either of these rules without having the ShowHiddenCustomRules parameter set to true, the rule will approve any process writing to the specified directory. This would open a large security hole.

Step 5: Disable ShowHiddenCustomRules

Go to shepherd_config.php on your server. For example, https://cb.yourdomain.com/shepherd_config.php and select the defined property ShowHiddenCustomRules and set its property value to false. Then save the change.

You can leave ShowHiddenCustomRules enabled; however, the Custom Rules page will then be filled with many hidden rules.
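When you narrow the “Approve writes of Win10 apps” rule to individual apps (Step 4), it helps to build the list of paths from what is actually installed on a reference Windows 10 host rather than typing them by hand. The following is an added PowerShell example, not code from the original post or from Carbon Black; it assumes the rule's Path Or File field accepts a trailing `*` wildcard in the same way the default `<programfiles>\windowsapps\microsoft.*` entry does, and that one version-independent pattern per package is the granularity you want.

```powershell
# Added example (not from the original post or from Carbon Black).
# Emits one candidate "Path Or File" entry per installed Store package under
# WindowsApps, in the <programfiles> macro form the rule's default entry uses.
# Run from an elevated prompt: Get-AppxPackage -AllUsers requires administrator rights.
function Get-Win10AppRulePaths {
    param(
        # Package-name prefixes to include; the default mirrors the page's microsoft.* entry.
        [string[]] $PublisherPrefix = @('Microsoft.')
    )

    $appsRoot = Join-Path $env:ProgramFiles 'WindowsApps'
    $ignoreCase = [System.StringComparison]::OrdinalIgnoreCase

    $patterns = foreach ($pkg in Get-AppxPackage -AllUsers) {
        # Skip packages that do not live under WindowsApps (for example inbox apps
        # under C:\Windows\SystemApps), which this rule is not meant to cover.
        if (-not $pkg.InstallLocation) { continue }
        if (-not $pkg.InstallLocation.StartsWith($appsRoot, $ignoreCase)) { continue }

        $wanted = $false
        foreach ($prefix in $PublisherPrefix) {
            if ($pkg.Name.StartsWith($prefix, $ignoreCase)) { $wanted = $true; break }
        }
        if (-not $wanted) { continue }

        # The install folder is named <Name>_<Version>_<Arch>__<PublisherId>.
        # Keep only the version-independent <Name>_ prefix with a trailing wildcard
        # (assumed to be accepted by the rule) so the entry survives app updates.
        "<programfiles>\windowsapps\$($pkg.Name)_*"
    }

    $patterns | Sort-Object -Unique
}

# Write the list to a file you can paste into the rule's Path Or File field.
Get-Win10AppRulePaths | Set-Content -Path .\win10-app-paths.txt
```

The generated entries only take effect for the svchost classified in Step 3 when the rule is edited with ShowHiddenCustomRules set to true, exactly as the IMPORTANT note above describes.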

     b) Resolution

          i) Tracking of appx files by the CB Enterprise Protection agent will be added to a future release

If you encounter these or other issues for which we have not offered a workaround, please contact technical support.


Attachment(s): 4157_WindowsAppStoreRules.rules.zip