topic Re: ms-update and MS Internet Explorer root CA in General Topics

ms-update and MS Internet Explorer root CA

mattieub — Mon, 22 Jul 2013 14:46:49 GMT

Hi,

In my company, we explicitely block the application ms-update to control workstations update policy.

But I realized that MS internet explorer tries to update its "root list sequence number" at each HTTPS connection.

The file that MS IE tries to access is at :

www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt

In your opinion, what would be the best approach to block ms-update except this Internet Explorer access ?

Thanks.

Re: ms-update and MS Internet Explorer root CA

Gregoux — Mon, 22 Jul 2013 15:38:41 GMT

You can create a custom application based on the url information.

and create a security rule that allow this application and place it above the rule which deny the windows update.

https://live.paloaltonetworks.com/docs/DOC-1966

Re: ms-update and MS Internet Explorer root CA

mattieub — Tue, 23 Jul 2013 14:51:32 GMT

Hi,

Thanks for the tip. It works as expected.

Re: ms-update and MS Internet Explorer root CA

Phoenix — Thu, 13 Feb 2014 16:13:23 GMT

Hello Mattieb,

Have seen similar issue and I want to share some screenshots in creating a custom app just to make it easy if some one faces the issue.

Steps:

1> Create custom app. 2> Apply in a security rule before the rule which blocks MS-Update APP rule. 3> Clear any existing matching sessions so the new sessions to hit the new app.

Wireshark info: