Author Topic: File Reputation Warning  (Read 7940 times)


REDACTED

  • Guest
File Reputation Warning
« on: October 17, 2015, 06:29:31 PM »
My managed PCs frequently receive File Reputation Warnings for Windows Update, like on the image below:



From reading other threads this seems to be normal, but I was wondering if there is a setting in the Business Portal which prevents this from happening.

Offline Jeff.S

  • Avast team
  • Jr. Member
  • *
  • Posts: 84
Re: File Reputation Warning
« Reply #1 on: October 26, 2015, 05:42:52 PM »
Hi,

In the portal, network>settings>template you use>advanced
Select customize for the webshield and under the main settings "warn when downloading files with poor reputation".
Keep in mind this could open up the possibility to download an infection. The reputation detections are based off how many users have accepted/trusted the download. After a period of time and enough users allow the file and no detection is made, the file will be removed from the reputation list. This is done to help prevent zero day threats.

Thanks!

Jeff

REDACTED

  • Guest
Re: File Reputation Warning
« Reply #2 on: November 03, 2015, 07:17:32 AM »
Something about this doesn't sit right for me. 

I'd have thought a true Windows Update would have a Microsoft Signed digital signature, whereas that screenshot does not.  Shouldn't Windows Updates ALWAYS be reputable, regardless of the Webshield warning setting?


REDACTED

  • Guest
Re: File Reputation Warning
« Reply #3 on: November 03, 2015, 02:43:52 PM »
To me stopping the poor reputation file warning is a bit heavy handed. We used to get the same WU files warnings on our managed WSUS server for "new" updates that just got published and if those were approved for distribution to the clients, the warning was showing also on our end point machines.

Would it not be wiser to just add the Windows Update URLs to the exclusion list?

Offline Eddy

  • Avast Evangelist
  • Maybe Bot
  • ***
  • Posts: 31079
  • Watching (over?) you
    • Malware removal, Biljart and other things.
Re: File Reputation Warning
« Reply #4 on: November 05, 2015, 12:19:10 PM »
The warning will not be shown if more people that are using avast have downloaded the file.

Adding the URLs is not a good idea.
Someone with a bit of knowledge can spoof them.
This means you will see no warning at all, but you do receive a file from a non trusted source.

REDACTED

  • Guest
Re: File Reputation Warning
« Reply #5 on: November 05, 2015, 02:49:02 PM »
Hi Eddy!

Can you clarify your suggestion for addressing the reputation warning concern? I think that adding a DeepScreen exception based on URL is safer than altogether disabling the reputation service, which was the other proposed suggestion. The file scanner would still go over the file. Some files distributed over WU managed services are very rare, they are not only or always the same files as those given to home users as they can be updates to very esoteric and/or old MS products and may never go over the threshold for downloads for being "popular".

Further, wouldn't spoofing a URL require tampering with the DNS service? If the bad guys manage to intercept and/or forge your communication with the DNS service, the battle is already over.

REDACTED

  • Guest
Re: File Reputation Warning
« Reply #6 on: November 11, 2015, 12:45:01 AM »
I'm starting to see this today as well on version 10.2.2505.  This is concerning me as Windows Update should always be a trusted site and digitally signed.

And "the warning will not be shown if more people that are using avast have downloaded the file..." doesn't make sense here either, as it's Windows Update.  Hundreds of thousands of people (or millions) are downloading the update.

Offline Eddy

  • Avast Evangelist
  • Maybe Bot
  • ***
  • Posts: 31079
  • Watching (over?) you
    • Malware removal, Biljart and other things.
Re: File Reputation Warning
« Reply #7 on: November 11, 2015, 01:35:11 AM »
Quote
This is concerning me as Windows Update should always be a trusted site and digitally signed.
Let's see..
1]
Windows updates are not a website.
Those are two different things.

2]
Windows is not signing all their files.
In fact they only sign a real small amount of their files.
Quote
And "the warning will not be shown if more people that are using avast have downloaded the file..." doesn't make sense here either, as it's Windows Update.
It does perfectly make sense.
avast checks how many of their users have downloaded that particular update.
Do you really think all 200+ million of avast users are downloading the update within seconds after it has been released?
MS, just as avast and many others, roll out updates to people spread out over a certain time period to avoid overload on the servers.
That means that it will take some time that everyone will (or can) get the update.

REDACTED

  • Guest
Re: File Reputation Warning
« Reply #8 on: November 11, 2015, 05:38:59 PM »
I see your points.  However, when a new Avast update rolls out, I doubt the first few users to receive it have a File Reputation Warning.  The software assumes that an update coming from Avast is okay.  The same should be said for Windows Update.

Offline midnight

  • Massive Poster
  • ****
  • Posts: 2473
Re: File Reputation Warning
« Reply #9 on: November 11, 2015, 06:06:41 PM »
I got a warning like this last evening many hours after installing win updates.  I was sitting in my office watching TV,  not doing anything with my computer when it popped up.  I didn't take a screenshot but I do remember it saying something about Chrome which I don't and will never use.  I aborted the connection.

REDACTED

  • Guest
Re: File Reputation Warning
« Reply #10 on: December 09, 2015, 07:05:41 PM »
Now that it's Patch Tuesday, I'm getting users all over my company with file reputation warnings for http://xxxxxxxx.download.windowsupdate.com/x/x/xxxxx   (where x's are different values per user, probably different load balanced servers).

It's very confusing for the users, so I'd like to put an exception in the settings to allow anything from download.windowsupdate.com.  How do I properly format that exclusion?

http://*.download.windowsupdate.com*
or
download.windowsupdate.com*
or
*.download.windowsupdate.com

Thanks!
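
An added example, not part of any post in this thread and not Avast's code: it checks the three candidate exclusion patterns above against constructed URLs and contrasts them with a host-anchored check. It assumes `*` is a glob over the whole URL string (the thread does not document how the product matches exclusions); the function names and sample URLs are hypothetical.

```python
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# The three candidate exclusion patterns from the post above.
CANDIDATES = [
    "http://*.download.windowsupdate.com*",
    "download.windowsupdate.com*",
    "*.download.windowsupdate.com",
]

# Constructed sample URLs (not taken from the thread).
INTENDED = [
    "http://au.download.windowsupdate.com/c/msdownload/update/sample.cab",
]
LOOKALIKES = [
    # Trusted name used as a prefix of a different registered domain.
    "http://au.download.windowsupdate.com.example.net/c/sample.cab",
    # Trusted name appearing only in the query string of another host.
    "http://example.net/?x=.download.windowsupdate.com/sample.cab",
]


def glob_match(pattern, url):
    # ASSUMPTION: '*' matches any run of characters and the pattern must
    # cover the whole URL; the product's real matching rules may differ.
    return fnmatchcase(url.lower(), pattern.lower())


def host_anchored(url, suffix="download.windowsupdate.com"):
    # Stricter check: compare the parsed hostname only, anchored at its end.
    host = (urlsplit(url).hostname or "").lower()
    return host == suffix or host.endswith("." + suffix)


def evaluate(pattern):
    # Does the pattern cover the intended URLs, and which lookalikes slip in?
    return {
        "covers_intended": all(glob_match(pattern, u) for u in INTENDED),
        "overmatches": [u for u in LOOKALIKES if glob_match(pattern, u)],
    }


if __name__ == "__main__":
    for p in CANDIDATES:
        print(p, evaluate(p))
    for u in INTENDED + LOOKALIKES:
        print("host-anchored:", host_anchored(u), u)
```

Under the stated glob assumption, only the first pattern covers the real download URL, and it also excludes both lookalike URLs from the warning; the hostname comparison accepts only the intended host.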