How do I allow Windows Updates / App Updates in Windows 10

Question

When Malware scanning is turned on in my XG430 Firewall, my new Windows 10 workstations grind to a halt, even if I have WSUS server set and the Store Disabled in Group Policy. I see 100% CPU Utilization on the workstation and it is unusable for days. If I turn off FTP, HTTP, and HTTPS malware scanning, then the new workstations perform just fine. 
 What are the best settings to stop this from happening without turning off the Malware Scanning?

SergiyOliynyk · Accepted Answer

I my case it was not only CPU maxing out, but WAN bandwidth as well. 
 After you disable the service and run initial full Windows Update - workstation behaves as normal.

Aditya Patel · Answer

HI Stevan , 
 I would like to know if Malware scanning is referred as IPS policy or HTTPS SSL Decryption scanning . Now you would need to check if there is any drop in IPS fo your Windows 10 system . Check the log Viewer and Select IPS , filter the logs for your Workstation host address check for Source and Destination , If there is a Drop then check the signature and allow that signature in IPS policy applied on the Firewall rule . 
 Secondly , if there is no drop on the IPS then may check if HTTPS decryption is the cause for your issue . If so then you would need to check the URLs your workstation on the web filter logs and bypass them by creating a Custom category and add in HTTPS scanning exceptions . 
 You may refer the link https://community.sophos.com/kb/en-us/123360 
 You can bypass the scanning of specific websites in the web category, by creating a separate custom web category of that website(s) from Protection > Web Protection > Custom Web Category or Objects > Content > Custom Web Category . 
 Hope this would resolve your issue 
 Thanks and Regards 
 Aditya Patel | Network and Security Engineer.

Aditya Patel · Answer

HI StevenGear , 
 I have found some useful information that may help you with your issue. Otherwise , you may need to check the Web filter logs for the system during an event for an update to determine the URL used in your Workstation Windows 10. To configure the firewall for software updates

Configure the firewall to allow communication for the HTTP and HTTPS ports used by the WSUS server. By default, a WSUS server that is configured for the default Web site uses port 80 for HTTP and port 443 for HTTPS. By default, the WSUS server uses port 8530 for HTTP and port 8531 for HTTPS if it is using the WSUS custom Web site. For more information, see How to Determine the Port Settings Used by WSUS .

If your organization does not allow the ports and protocols used by the WSUS Web site to be open to all addresses, you can restrict access to the following domains so that WSUS and Automatic Updates can communicate with Microsoft Update: 
 
 windowsupdate.microsoft.com 
 http://*.windowsupdate.microsoft.com 
 https://*.windowsupdate.microsoft.com 
 http://*.update.microsoft.com 
 https://*.update.microsoft.com 
 http://*.windowsupdate.com 
 download.windowsupdate.com 
 http://download.microsoft.com 
 http://*.download.windowsupdate.com 
 test.stats.update.microsoft.com 
 ntservicepack.microsoft.com

If there is an active Internet-based software update point or if there are child sites with an active software update point, the following addresses also need to be added to any firewall that is between the servers:

Taken from article https://technet.microsoft.com/en-us/library/bb693717.aspx 
 To determine the Port Settings for WSUS you may refer the Article https://technet.microsoft.com/en-us/library/bb632477.aspx and https://technet.microsoft.com/en-us/library/bb633246.aspx 
 Hope this would provide the information to resolve your issue. 
 Thanks and Regards 
 Aditya Patel | Network and Security Engineer.

sachingurung · Answer

Hi Steven, 
 What is the firmware version residing in your XG device? We have a known issue reported under NC-13382 which is unresolved. 
 The workaround is to configure a separate FW rule with destination zone defined with FQDN(s) suggested via Aditya in the previous post. 
 Thanks

SaschaOdenthal · Answer

Hello, 
 I created a rule a few months ago to exactly solve this problem:

Rule Name 
 Updates MS Office 365 und WSUS

Action 
 AcceptDropReject

Source

Source Zones

LAN 
 
 Add New Item

Source Networks and Devices

Client_LAN_172 
 
 Add New Item

During Scheduled Time

All the Time

Destination & Services

Destination Zones

WAN 
 
 Add New Item

Destination Networks

MS WSUS FQDN Group 
 
 Add New Item

Services

HTTP 
 HTTPS 
 
 Add New Item

Identity

Match known users

Malware Scanning

Scan FTP

Scan HTTP

Decrypt & Scan HTTPS

Advanced

User Applications

Intrusion Prevention

None

Traffic Shaping Policy

None

Web Policy

None

Apply Web Category based Traffic Shaping Policy

Application Control

None

Apply Application-based Traffic Shaping Policy

You need to create this group:

MS WSUS FQDN Group :

windowsupdate.com 
 microsoft.com 
 windowsupdate.microsoft.com 
 update.microsoft.com 
 download.windowsupdate.com 
 
 Please add the HTPPS exception as well:

URL pattern matches

^([A-Za-z0-9.-]*\.)?microsoft\.com/ 
 ^([A-Za-z0-9.-]*\.)?windowsupdate\.com/

Br, 
 Sascha

FabioTerrone · Answer

try to add alsi these website and becarefull that after every firmware upgraded the manual ecpetions are deleted. 
 officecdn.microsoft.com.edgekey.net officecdn.microsoft.com.edgesuite.net officecdn.microsoft.com