Eric_Lindsey
Explorer

Exclude files from emulation

We have 1000s of PCs going to a Windows Update site to download a .cab file. It crashed our Threat Emulation blade. We would like to exclude Windows updates from Threat Emulation. I tried making an exclusion rule set to detect only but cannot get the rule to match with the traffic. What would be the correct URL string in our Application/Site group to bypass all windowsupdate.com files? We have 77.30 take 302.

0 Kudos
3 Replies
Vladimir
Champion

Hmm.. why on earth do you have 1000s of PCs using the Windows Update site instead of a single WSUS?

Could it be a campus environment where you do not control the endpoints? If that's the case, perhaps a caching proxy would be a better solution.

0 Kudos
Eric_Lindsey
Explorer

I agree with you on that one. For whatever reason the Microsoft team is allowing this traffic to go out to the internet. I just need a way to exclude all the threat emulation hits. The source in the emulation log says "Trusted Source" so I do not think we are actually sending the file out to the cloud for emulation.

0 Kudos
Vladimir
Champion

Yep:

0 Kudos
