Application Control and Change Control driver issues (Windows Update)
Last Modified: 2023-12-19 12:45:41 Etc/GMT
Affected Products
Languages:
This article is available in the following languages:
Trellix CEO, Bryan Palma, explains the critical need for security that’s always learning.
As per Gartner, "XDR is an emerging technology that can offer improved threat prevention, detection and response."
Trellix announced the establishment of the Trellix Advanced Research Center to advance global threat intelligence.
Trellix Advanced Research Center analyzes threat data on ransomware, nation-states, sectors, vectors, LotL, MITRE ATT&CK techniques, and emails.
As of May 14, 2024, Knowledge Base (KB) articles will only be published and updated in our new Trellix Thrive Knowledge space.
Log in to the Thrive Portal using your OKTA credentials and start searching the new space. Legacy KB IDs are indexed and you will be able to find them easily just by typing the legacy KB ID.
Application Control and Change Control driver issues (Windows Update)
Technical Articles ID:
KB91257
Last Modified: 2023-12-19 12:45:41 Etc/GMT Environment
Application and Change Control (ACC) 7.x and later Microsoft Windows - all versions Problem
You might experience one or more of the following issues when you use an ACC 7.0.x and later Windows agent:
NOTE: Customers in Update / Observe mode might not experience issues until they move to the Enabled (Blocking) mode.
For more information, see the related articles below: CauseThe issues described in this article are a direct result of changes that have been made to the ACC architecture.
Issues with When code is introduced to all hard links of a file, and when all entries in the inventory are updated, checking of Solution
Apply the correct update for your version of ACC:
To receive email notification when this article is updated, click Subscribe on the right side of the page. You must be logged on to subscribe.
IMPORTANT:
To resolidify a system: Create a Client Task (Run Commands) using the following commands (bu config set SoPriority=2 config set MaplCommLostRestart=0 so C:\ config set MaplCommLostRestart=5 config set SoPriority=1 eu NOTE: Any future product functionality or releases mentioned in the Knowledge Base are intended to outline our general product direction and should not be relied on, either as a commitment, or when making a purchasing decision. Workaround
If the solution above doesn't work on Update 5:
Name: PreshutdownTimeout Type: REG_DWORD Data: 36ee80 (3600000 millisecond)
Related Information
Hard links A hard link is the Windows file system representation of a file by which more than one path references a single file in the same volume. This approach is now used for Microsoft Windows 10 February updates. The management of hard links by ACC causes checksum mismatches and other issues during the Microsoft Windows 10 update installations. This issue also occurs with ACC 7.0.x and 8.0.x. Currently, when modifying the hard links content, the inventory information (checksum, status) is updated only for the current path modified. By default, all files have at least one hard link. The file change event doesn't include the list of hard links associated with that file. Because the inventory information isn't updated for all paths at the same time, executing the same file from a different path results in a Microsoft Windows binaries can be catalog-signed or can have an embedded signature. ACC uses specific code to extract embedded certificates. The certificates can be extracted in kernel space or user-space. Extraction of embedded certificates occurs quickly and is the only type of signing supported with ACC up until the 7.0.x release. In ACC 7.0.x, support for reputation-based execution is introduced. In one of the workflows, you can allow or block a file by the reputation of its certificate. Because several files in Microsoft Windows are actually catalog-signed, this feature requires extraction of catalog signatures. Microsoft have provided APIs to extract the catalog certificates for binaries. These APIs are used by ACC. These APIs are slow and significantly affect performance. To mitigate this effect, ACC stores certificates in the inventory, so that once extracted, they can be reused. Storing them in the inventory means that during the inventory merge time, certificates must be extracted once. When an upgrade is run, files are changed, the inventory is merged, and the catalog certificate extraction occurs. If all reputation is disabled, there's no need to extract the catalog certificates. You must re-enable this feature by using the Run Command in ePO. Create a Client Task (Run Command) using the following commands: ( config set SoPriority=2 config set MaplCommLostRestart=0 so config set MaplCommLostRestart=5 config set SoPriority=1 eu Affected ProductsLanguages:This article is available in the following languages: |
|