
How do I allow Windows Updates / App Updates in Windows 10

When Malware scanning is turned on in my XG430 Firewall, my new Windows 10 workstations grind to a halt, even if I have WSUS server set and the Store Disabled in Group Policy.  I see 100% CPU Utilization on the workstation and it is unusable for days.  If I turn off FTP, HTTP, and HTTPS malware scanning, then the new workstations perform just fine.

What are the best settings to stop this from happening without turning off the Malware Scanning?



This thread was automatically locked due to age.
  • Hi Stevan,

    I would like to know if Malware scanning is referred to as IPS policy or HTTPS SSL Decryption scanning. Now you would need to check if there is any drop in IPS for your Windows 10 system. Check the Log Viewer and select IPS, filter the logs for your workstation host address and check for Source and Destination. If there is a drop, then check the signature and allow that signature in the IPS policy applied on the Firewall rule.

    Secondly, if there is no drop on the IPS, then you may check if HTTPS decryption is the cause of your issue. If so, then you would need to check the URLs of your workstation in the web filter logs and bypass them by creating a Custom category and adding them in HTTPS scanning exceptions.

    You may refer to the link https://community.sophos.com/kb/en-us/123360

    You can bypass the scanning of specific websites in the web category by creating a separate custom web category of that website(s) from Protection > Web Protection > Custom Web Category or Objects > Content > Custom Web Category.

    Hope this would resolve your issue 

    Thanks and Regards 

    Aditya Patel | Network and Security Engineer.

  • Thanks for your reply.  I am referring to the Malware Scanning section in my default rule that I have created for our organization.

    Policies --> I edit the rule --> Malware Scanning --> Turn off HTTP and FTP (HTTPS is already off)

    The problem with bypassing the "sites" is that I don't know which sites to bypass as there seems to be differing information on the internet as to the source of Windows Update for different versions of the Operating System.  It also seems that Windows 10 contacts other sites in order to update Apps from the Microsoft Store.

    If you have any insight into the sites to bypass I would surely like to know which ones and where to put those bypass rules.

    Thanks!

  • Hi StevenGear,

    I have found some useful information that may help you with your issue. Otherwise, you may need to check the Web filter logs for the system during an update event to determine the URLs used by your Windows 10 workstation.

    To configure the firewall for software updates

    1. Configure the firewall to allow communication for the HTTP and HTTPS ports used by the WSUS server. By default, a WSUS server that is configured for the default Web site uses port 80 for HTTP and port 443 for HTTPS. By default, the WSUS server uses port 8530 for HTTP and port 8531 for HTTPS if it is using the WSUS custom Web site. For more information, see How to Determine the Port Settings Used by WSUS.

    2. If your organization does not allow the ports and protocols used by the WSUS Web site to be open to all addresses, you can restrict access to the following domains so that WSUS and Automatic Updates can communicate with Microsoft Update:

    3. If there is an active Internet-based software update point or if there are child sites with an active software update point, the following addresses also need to be added to any firewall that is between the servers:

    Taken from article https://technet.microsoft.com/en-us/library/bb693717.aspx 

    To determine the port settings for WSUS you may refer to the articles https://technet.microsoft.com/en-us/library/bb632477.aspx and https://technet.microsoft.com/en-us/library/bb633246.aspx

    Hope this would provide the information to resolve your issue. 

    Thanks and Regards 

    Aditya Patel | Network and Security Engineer.

  • I think this may have been fixed by fixing the other issue I was having with the General Business Category being blocked.  I will re-test and report back here.

  • Aditya,

    I still continue to see our newly imaged computers having problems trying to get Windows and Store updates.  We do not utilize our WSUS server for these newly imaged machines until they join the domain.  I have also added the FQDN names you listed and that were referenced in the TechNet article.  This only seems to be a problem on our Windows 10 machines, which makes me think it might have more to do with App updates from the Store than Windows updates.  I am unable to find any reliable information on what Windows 10 is trying to do when it is first turned on.  All I know is that behind the firewall they have issues and outside of the firewall they do not.  The only exception so far is if I turn off HTTP/FTP/HTTPS malware scanning in the firewall (which I don't want to do).

    I was hoping that the Sophos Firewall would have a Windows Update Category in it that would allow the traffic.  If there is not, I need to find out ALL of the sites I need to bypass for this to work.

  • Hi Steven,

    What is the firmware version residing in your XG device? We have a known issue reported under NC-13382 which is unresolved. 

    The workaround is to configure a separate FW rule with the destination zone defined with the FQDN(s) suggested by Aditya in the previous post.

    Thanks

  • We are running 15.01.0 MR3

    This is still a problem as I don't know exactly which domains (FQDNs) to allow.

  • Try to disable "Delivery Optimization" service in Windows 10.

  • Hello,
    I created a rule a few months ago to exactly solve this problem:

    Rule Name: Updates MS Office 365 und WSUS
    Action: Accept / Drop / Reject

    Source
    • Source Zones: LAN
    • Source Networks and Devices: Client_LAN_172

    During Scheduled Time: All the Time

    Destination & Services
    • Destination Zones: WAN
    • Destination Networks: MS WSUS FQDN Group
    • Services: HTTP, HTTPS

    Identity
    • Match known users

    Malware Scanning
    • Scan FTP
    • Scan HTTP
    • Decrypt & Scan HTTPS

    Advanced
    • User Applications
    • Intrusion Prevention: None
    • Traffic Shaping Policy: None
    • Web Policy: None
    • Apply Web Category based Traffic Shaping Policy
    • Application Control: None
    • Apply Application-based Traffic Shaping Policy

    You need to create this group:

    • MS WSUS FQDN Group:
      • windowsupdate.com
      • microsoft.com
      • windowsupdate.microsoft.com
      • update.microsoft.com
      • download.windowsupdate.com

    Please add the HTTPS exception as well:

    URL pattern matches
      • ^([A-Za-z0-9.-]*\.)?microsoft\.com/
      • ^([A-Za-z0-9.-]*\.)?windowsupdate\.com/

    Br,
    Sascha


  • Thanks, I will try those suggestions and get back to you.
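Added example, not part of the thread or of Sophos's own tooling: Aditya's advice was to filter the web filter logs for the workstation's address and find out which URLs it contacts, and Sascha's post supplied an FQDN group and two anchored URL patterns for the HTTPS scanning exception. The script below ties the two together. It reads a constructed log excerpt (a simplified key=value layout, not the real XG log format; the hostnames are illustrative), lists every destination host a given workstation talked to, and reports whether Sascha's exception regexes or FQDN group would already cover it, so that only the hosts that neither list covers remain for review. Assumptions, labelled in the code: the XG URL patterns are matched against the URL with its scheme removed ("host/path"), and a bare domain in the FQDN group also covers its subdomains. The lookalike host in the sample data shows that the anchored patterns do not match a domain that merely starts with "microsoft.com".

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# URL patterns from Sascha's post. Assumption: they are applied to the URL with
# its scheme removed, i.e. to "host/path".
HTTPS_SCAN_EXCEPTIONS = [
    r"^([A-Za-z0-9.-]*\.)?microsoft\.com/",
    r"^([A-Za-z0-9.-]*\.)?windowsupdate\.com/",
]

# FQDN group from Sascha's post. Assumption (not stated in the thread): a bare
# domain in the group also covers its subdomains.
MS_WSUS_FQDN_GROUP = [
    "windowsupdate.com",
    "microsoft.com",
    "windowsupdate.microsoft.com",
    "update.microsoft.com",
    "download.windowsupdate.com",
]

# Constructed web filter log excerpt. This is NOT the real XG log format and the
# hostnames are illustrative only; the last-but-one line is a lookalike domain.
SAMPLE_LOG = """\
src_ip=10.1.20.55 url="https://download.windowsupdate.com/d/msdownload/update/x.cab"
src_ip=10.1.20.55 url="https://tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/abc"
src_ip=10.1.20.55 url="http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab"
src_ip=10.1.20.55 url="https://cdn.example-store-content.test/apps/pkg.appx"
src_ip=10.1.20.55 url="https://microsoft.com.lookalike.example/update.exe"
src_ip=10.1.20.77 url="https://intranet.example/wiki"
"""

LINE_RE = re.compile(r'src_ip=(?P<src>\S+)\s+url="(?P<url>[^"]+)"')


def parse_log(text):
    """Return (src_ip, url) tuples for every line that matches the sample layout."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            rows.append((m.group("src"), m.group("url")))
    return rows


def scheme_less(url):
    """'https://host/path' -> 'host/path', the form the patterns are written against."""
    parts = urlsplit(url)
    return f"{parts.hostname}{parts.path or '/'}"


def matches_exception(url):
    """True if one of the anchored URL patterns would exempt this URL from HTTPS scanning."""
    target = scheme_less(url)
    return any(re.match(p, target) for p in HTTPS_SCAN_EXCEPTIONS)


def in_fqdn_group(host):
    """True if the host is a group member or a subdomain of one (see assumption above)."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in MS_WSUS_FQDN_GROUP)


def triage(log_text, workstation_ip):
    """Per destination host contacted by the workstation: request count and coverage."""
    counts = Counter()
    sample_url = {}
    for src, url in parse_log(log_text):
        if src != workstation_ip:
            continue
        host = urlsplit(url).hostname.lower()
        counts[host] += 1
        sample_url.setdefault(host, url)
    return {
        host: {
            "requests": n,
            "https_exception": matches_exception(sample_url[host]),
            "fqdn_group": in_fqdn_group(host),
        }
        for host, n in counts.items()
    }


def uncovered_hosts(log_text, workstation_ip):
    """Hosts neither list covers: the candidates to review before adding any bypass."""
    return sorted(
        h for h, info in triage(log_text, workstation_ip).items()
        if not (info["https_exception"] or info["fqdn_group"])
    )


if __name__ == "__main__":
    for host, info in sorted(triage(SAMPLE_LOG, "10.1.20.55").items()):
        print(f"{host:45} requests={info['requests']} "
              f"exception={info['https_exception']} fqdn_group={info['fqdn_group']}")
    print("not covered:", uncovered_hosts(SAMPLE_LOG, "10.1.20.55"))
```

Run against a real export, replace `SAMPLE_LOG` with the log lines for one freshly imaged Windows 10 machine and adjust `LINE_RE` to the actual log layout; the hosts that come back from `uncovered_hosts` are the ones to look at, rather than bypassing everything the machine touched.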