Sophos Client Firewall: how to add a rule to allow Windows updates

Issue
How to add a rule to the Sophos Client Firewall to allow Windows updates.

The Windows component that manages updates is svchost.exe, which launches wuauclt.exe as a hidden process. This is why wuauclt.exe must be added to the 'Checksums' and 'Applications' lists.

Note: As there are security implications to allowing hidden processes, access is restricted to the three Windows update URLs.

Sophos product and version
Client Firewall

Operating systems
Windows 2000+
Windows Server 2000+

What to do

Add hidden process

  1. Open the 'Sophos Client Firewall Configuration Editor'
  2. Click the 'Processes' tab
  3. Click the top 'Add' button - the 'Open' dialog opens
  4. Navigate to one of the following:
    • C:\WINDOWS\system32 - for Windows XP (etc.)
    • C:\WINNT\system32 - for Windows 2000 (etc.)
  5. Locate and double-click svchost.exe - it will be added to the list of Windows components allowed to launch hidden processes

Add checksum

  1. Click the 'Checksums' tab
  2. Click the 'Add' button - the 'Open' dialog opens
  3. Navigate to one of the following:
    • C:\WINDOWS\system32 - for Windows XP (etc.)
    • C:\WINNT\system32 - for Windows 2000 (etc.)
  4. Locate and double-click wuauclt.exe - it will be added to the list of Windows components the 'Firewall Client' recognises by their checksums

Add application rule

  1. Click the 'Applications' tab
  2. Double-click wuauclt.exe - the 'Application Rules' dialog opens
  3. Click the 'Add' button
  4. In field 1 (rule name) - type svchost.exe
  5. In field 2 (events) - check the 'Where the direction is' checkbox
  6. In field 4 (rule description) - click the 'Undefined' link - the 'Direction' dialog opens
  7. In the 'Direction' dialog - check the 'Outbound' checkbox
  8. In field 2 (events) - check the 'Where the remote address is' checkbox
  9. In field 4 (rule description) - click the 'Undefined' link - the 'Select Address' dialog opens
  10. Click 'Domain name'
  11. In the upper field - type update.microsoft.com
  12. Click the 'Add' button
  13. In the upper field - type download.microsoftupdates.com
  14. Click the 'Add' button
  15. In the upper field - type windowsupdate.microsoft.com
  16. Click the 'Add' button
  17. Click the 'OK' button - the 'Select Address' dialog closes
  18. In the 'Add Rule' dialog - click the 'OK' button - the 'Add Rule' dialog closes
  19. In the 'Application Rules' dialog - click the 'OK' button - the 'Application Rules' dialog closes

Technical information
The built rule will appear (more or less) as follows in the 'Application Rules' dialog:

Where the protocol is TCP
  and the direction is outbound
  and the remote address is
    update.microsoft.com,
    download.microsoftupdates.com,
    windowsupdate.microsoft.com
Allow it
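
The rule above, modelled as an added example (not Sophos code, and not the firewall's own matching logic): a Python model that checks constructed connection events against the rule's three conditions plus the hidden-process setting, to show what the rule allows and what it leaves to other rules. The `Connection` fields, the exact host-name comparison and the sample events are assumptions made for illustration.

```python
from dataclasses import dataclass

# Remote addresses exactly as listed in the rule on this page.
ALLOWED_HOSTS = frozenset({
    "update.microsoft.com",
    "download.microsoftupdates.com",
    "windowsupdate.microsoft.com",
})

@dataclass(frozen=True)
class Connection:
    """Hypothetical connection event; not a Sophos log or config format."""
    application: str   # process opening the connection
    launched_by: str   # parent that started it as a hidden process
    protocol: str
    direction: str
    remote_host: str

def normalise(host):
    # Case and a trailing root dot do not change which host is named.
    return host.strip().lower().rstrip(".")

def evaluate(conn):
    """Return (decision, reason); 'no-match' leaves the decision to other rules."""
    checks = [
        (conn.application.lower() == "wuauclt.exe", "application is not wuauclt.exe"),
        (conn.launched_by.lower() == "svchost.exe", "not launched by svchost.exe"),
        (conn.protocol.upper() == "TCP", "protocol is not TCP"),
        (conn.direction.lower() == "outbound", "direction is not outbound"),
        # Assumption: exact host match, so look-alike names do not qualify.
        (normalise(conn.remote_host) in ALLOWED_HOSTS, "remote address not in rule"),
    ]
    for passed, reason in checks:
        if not passed:
            return "no-match", reason
    return "allow", "matches the Windows update rule"

# Constructed sample events, for illustration only.
SAMPLES = [
    Connection("wuauclt.exe", "svchost.exe", "TCP", "outbound", "Update.Microsoft.com."),
    Connection("wuauclt.exe", "svchost.exe", "TCP", "inbound", "update.microsoft.com"),
    Connection("wuauclt.exe", "svchost.exe", "UDP", "outbound", "update.microsoft.com"),
    Connection("wuauclt.exe", "svchost.exe", "TCP", "outbound", "update.microsoft.com.example.net"),
    Connection("wuauclt.exe", "explorer.exe", "TCP", "outbound", "windowsupdate.microsoft.com"),
]

if __name__ == "__main__":
    for event in SAMPLES:
        print(event.remote_host, event.direction, event.protocol, *evaluate(event))
```

Only the first sample is allowed; the others fail on direction, protocol, a look-alike host name and an unexpected parent process respectively.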

If you need more information or guidance, then please contact technical support.