User Group Security & Compliance Deutschland

  • 1.  WSUS-deployed Updates blocked by SEP-Client?

    Posted Feb 11, 2010 11:10 AM

    Hello, everybody,

    I discovered a strange issue on some machines, where WSUS-deployed patches are blocked by SEP's Proactive Threat Scan ("CoHo" component).

    Based on my research, only those patches are affected that touch the Windows kernel, just like the following patches in February:

    MS 10-015 (KB 977165)
    MS 10-006 (KB 978251)

    WSUS always gives 0x8007054f (internal error) for the failed installation on the WSUS-Client.

    Manual installation of such bulletins failed, too! The only way to resolve that is to disable Proactive Threat Scan during manual installation.

    Normally, all patches are installed automatically, as indicated in the GPO settings on the WSUS client.

    Another thing I noticed is that not all client machines are affected in the same infrastructure, with the same bulletins and the same SEP settings. It's always 2 or 3 of the whole bunch.

    We can't make any exception for the Windows kernel, can we?!? :=)

    The question is: What is wrong? Do I have any configuration error that I do not see?

    By the way: We're currently working with XP SP3, WSUS 3 SP2 and SEP 11 RU5.

    regards from Germany,


    Rolf




  • 2.  RE: WSUS-deployed Updates blocked by SEP-Client?

    Posted Feb 11, 2010 11:19 AM
    The Application and Device Control feature of SEP (sysfer.dll) sits just above the kernel, monitoring everything that goes in and comes out.
    We cannot change anything in the Windows kernel; if we could, it would have been free like other open source operating systems.

    Coming back to the issue:
    It's possible that a pending restart is blocking the install, or do you have any App & Dev Control policy applied on the clients?

    I haven't heard about this issue yet. But Application and Device Control has always had problems with some applications that go that deep.


  • 3.  RE: WSUS-deployed Updates blocked by SEP-Client?

    Posted Feb 11, 2010 12:14 PM
    Hello, Vikram Kumar-SAV to SEP,

    there were some misunderstandings here:

    First, I didn't want you to change the kernel. I meant that it would be senseless to make scanning exceptions in the SEPM for kernel files, as it would be a security hole.

    Secondly, it's not a matter of the "Application and Device Control feature", but a matter of the SONAR component, which wants to secure the Windows kernel.

    Remember that I wrote that disabling SONAR on the SEP client resolves the problem. (I know that I use the Norton terminology, but the engines are nearly the same and I want to clarify my request.)

    That also makes clear that it has nothing to do with pending restarts. That would be a different WSUS error.

    By the way, sometimes the affected machines install such bulletins on the second attempt, based on my WSUS logs.

    Kind regards,



    Rolf
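Added example (not part of the thread and not Symantec or Microsoft code): a small triage script that reads Windows Update agent log lines of the kind the first post and the last post refer to, picks out installs that failed with the 0x8007054f error code Rolf reports, and tells intermittent failures (a KB that failed and later installed on a second attempt) apart from KBs that never installed. The log lines below are constructed to resemble WindowsUpdate.log "REPORT EVENT" entries and reuse the KB numbers named in the thread; the timestamps, GUIDs and the extra KBs are made up. Correlating the failure times with the SEP client's own logs is left to the operator, since the thread does not show that log format.

```python
"""Triage Windows Update agent log lines for installs that failed with
0x8007054f and check whether the same update later installed cleanly."""
import re
from collections import defaultdict
from typing import Dict, List

# The error code reported in the thread for kernel-touching updates.
WSUS_INTERNAL_ERROR = "0x8007054f"

# Constructed sample log (shaped like WindowsUpdate.log REPORT EVENT lines,
# not taken from the original posts). KB977165 and KB978251 are the
# bulletins named in the thread; KB975713 and KB971468 are filler.
SAMPLE_LOG = """\
2010-02-11 09:02:11:015  1020  3c4 Report  REPORT EVENT: {11111111-0000-0000-0000-000000000001} 2010-02-11 09:02:10:999-0100 1 182 101 {00000000-0000-0000-0000-000000000000} 0 8007054f AutomaticUpdates Failure Content Install Installation Failure: Windows failed to install the following update with error 0x8007054f: Security Update for Windows XP (KB977165).
2010-02-11 09:02:12:031  1020  3c4 Report  REPORT EVENT: {11111111-0000-0000-0000-000000000002} 2010-02-11 09:02:11:999-0100 1 182 101 {00000000-0000-0000-0000-000000000000} 0 8007054f AutomaticUpdates Failure Content Install Installation Failure: Windows failed to install the following update with error 0x8007054f: Security Update for Windows XP (KB978251).
2010-02-11 09:02:13:047  1020  3c4 Report  REPORT EVENT: {11111111-0000-0000-0000-000000000003} 2010-02-11 09:02:12:999-0100 1 183 101 {00000000-0000-0000-0000-000000000000} 0 0 AutomaticUpdates Success Content Install Installation Successful: Windows successfully installed the following update: Security Update for Windows XP (KB975713).
2010-02-11 09:02:14:063  1020  3c4 Report  REPORT EVENT: {11111111-0000-0000-0000-000000000004} 2010-02-11 09:02:13:999-0100 1 182 101 {00000000-0000-0000-0000-000000000000} 0 80070643 AutomaticUpdates Failure Content Install Installation Failure: Windows failed to install the following update with error 0x80070643: Update for Windows XP (KB971468).
2010-02-12 09:05:40:120  1020  3c4 Report  REPORT EVENT: {11111111-0000-0000-0000-000000000005} 2010-02-12 09:05:39:999-0100 1 183 101 {00000000-0000-0000-0000-000000000000} 0 0 AutomaticUpdates Success Content Install Installation Successful: Windows successfully installed the following update: Security Update for Windows XP (KB977165).
"""

# Leading "YYYY-MM-DD HH:MM:SS" timestamp; sorts correctly as a string.
_TS = r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})"
FAIL_RE = re.compile(_TS + r".*Installation Failure: .*error (0x[0-9A-Fa-f]{8}): .*\((KB\d+)\)\.?$")
OK_RE = re.compile(_TS + r".*Installation Successful: .*\((KB\d+)\)\.?$")


def parse_events(log_text: str) -> List[dict]:
    """Extract install failure/success events (timestamp, KB, error code)."""
    events = []
    for line in log_text.splitlines():
        m = FAIL_RE.search(line)
        if m:
            events.append({"ts": m.group(1), "kb": m.group(3),
                           "result": "failure", "code": m.group(2).lower()})
            continue
        m = OK_RE.search(line)
        if m:
            events.append({"ts": m.group(1), "kb": m.group(2),
                           "result": "success", "code": None})
    return events


def triage(log_text: str) -> Dict[str, dict]:
    """Classify each KB seen in the log.

    ok                      never failed
    intermittent-0x8007054f failed with 0x8007054f, then installed later
                            (the 'second attempt' pattern from the thread)
    blocked-0x8007054f      failed with 0x8007054f and never installed
    failed-other            failed with some other error code only
    """
    by_kb = defaultdict(lambda: {"failures": [], "successes": []})
    for ev in parse_events(log_text):
        key = "failures" if ev["result"] == "failure" else "successes"
        by_kb[ev["kb"]][key].append(ev)

    report = {}
    for kb, evs in by_kb.items():
        failures, successes = evs["failures"], evs["successes"]
        codes = sorted({f["code"] for f in failures})
        if not failures:
            verdict = "ok"
        elif WSUS_INTERNAL_ERROR in codes:
            first_fail = min(f["ts"] for f in failures)
            later_ok = any(s["ts"] > first_fail for s in successes)
            verdict = "intermittent-0x8007054f" if later_ok else "blocked-0x8007054f"
        else:
            verdict = "failed-other"
        report[kb] = {"verdict": verdict, "failure_count": len(failures),
                      "codes": codes,
                      "first_failure": min((f["ts"] for f in failures), default=None)}
    return report


if __name__ == "__main__":
    for kb, info in sorted(triage(SAMPLE_LOG).items()):
        print(f"{kb}: {info['verdict']} (failures={info['failure_count']}, "
              f"codes={info['codes']}, first_failure={info['first_failure']})")
```

Run it against a real WindowsUpdate.log copied off an affected client; KBs that come back as `intermittent-0x8007054f` are the ones whose first failure timestamp is worth matching against the SEP client's Proactive Threat Scan detections before any scan exception is considered.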