WSA Issue with KB2742595

I posted this 3 hours ago on the WSA forums, but have received no responses, so I thought I would post here as well.

I decided this afternoon to do several .NET 4 Framework Windows Updates. I walked away to eat some lunch. When I came back, I saw that one of the updates failed. And, I noticed that WSA had popped up with a PUA.Conduit error.

So, I attempted to install the Windows Update again. WSA popped up again. I saw that for some reason, it was pointing to a file on my external HD (J, so I unplugged it (USB). And, I tried the installation of the Windows Update again. Same message or pop-up with WSA, only this time it's pointing to a setup.exe file on C drive.

As you can tell below, WSA has blocked that file. I'm wondering if I should click "monitor" on that file and try installing the Windows Update again?



Is there a way to have WSA flag this as ok?

 

I have it installed I wonder why it's being detected now? Are you getting it via Windows Update? If you are I would set to Monitor and Submit a Support Ticket and find out why it's being detected and if it does need to be whitelisted then it will Auto Allow!

Also some info here: http://support.microsoft.com/kb/2742595

Daniel

 

I saw another file blocked recently with that same PUA.Conduit detection. Could you write into our support inbox or email me a log file to my username at gmail.com so that I can take a look?

Thanks!

 

I sent an email with the logs to 'report@prevxresearch.com'. I found that address in an older WRData thread. I'll go ahead now and also send them to your email address.

Thank you.

 

Thanks - I received them and have passed it on to our threat research team. The @prevxresearch.com address is not monitored: information like this should ideally just go to the support inbox where our threat researchers are standing by, or I can send it over myself if sent to me directly.

 

Yes, PUA.Conduit. I have the same on a checkpoint digitally signed file. But checkpoint left Conduit several years ago. I have the impression the detection is going too far (.e.g. just read publisher "conduit" and that flag it... ehm, no... does not work like this unless you want to generate a lot of false positives!)

Struggling also to get some kaspersky/checkpoint files whitelisted from support... That they suggested to keep monitoring.. you never know... what?

I have the impression writing to support to get file whitelisted faster does not work anymore or may be I just found a stubborn first line of support.

 

Can you PM me your email address? I'll see where it's assigned and get it moved over if needed.

Thanks!

 

I assume that you were referring to Fax and not my original post?

Support did ask me to download and run wsalogs.exe; which I did. It automatically sent my logs to support, as I understand. I am waiting on a response.

 

Did you let them know after that you uploaded wsalogs? If you did then yes just wait till they reply if not let them know it was uploaded and wait for a reply.

Daniel

 

Just a quick update on this issue:

Support sent me a note today to uninstall WSA, reboot, re-name the WRData folder to WRData1 (but, it no longer existed after the reboot; which they indicated might happen), and then re-install WSA.

I did all that and it went off without a hitch. I haven't, however, re-attempted to download and/or install the Windows Update yet. (I'm kind of paranoid now to even try it.....)

 

I would try again and please let us know and if it continues keep in contact with support until it is corrected.

Daniel

 

I agree with TH - we've corrected the underlying rule so you should be good to go!

 

UPDATE: I finally had some time to 1) do a backup with AX64, and 2) complete my windows updates.

All is well in the Alexhousek household! The windows update did it's thing; downloaded and installed, and it seemed to go just fine.

It was one of those few updates (. NET 4) that didn't require a re-boot. So, I haven't done that yet, but all appears good.

Thanks to the support team at WSA! Great job!

 

Glad to hear it!