March 3, 2008

Technical Tip: Windows Updates downloads are flagged as 'Suspicious'

Description
This article describes why 'Windows Update downloads' are flagged as 'Suspicious' by antivirus scanning.
Scope
FortiGate v6.4 and below.
Solution

Most Windows updates modify operating system files, which is why heuristic scanning flags these files as suspicious.

Because the flag comes from heuristic scanning, it can be avoided either by modifying the Antivirus heuristic settings or by enabling URL filtering to exempt the update URLs from inspection.

 

Modify Antivirus heuristics:

Change the operating mode of Antivirus heuristic scanning to 'pass' (files are still scanned, but detections are logged and the file is allowed through), or turn heuristic scanning off entirely. Both are done from the CLI; for example, to disable it:

config antivirus heuristic
    set mode disable
end

Of the two options, setting the heuristic scanning mode to disable is recommended.

Alternatively, enable Web Filter URL Filtering and configure the following entries to exempt the Windows update downloads from being inspected.

 

To configure the URL filtering:

  1. Go to Web Filter -> URL Filter.
  2. Select Create New and create an entry for each of the following exempt rules.

  • URL: .*update\.microsoft\.com.*
    Type: regex
    Action: exempt

  • URL: .*download\.windowsupdate\.com.*
    Type: regex
    Action: exempt

  • URL: .*\.microsoft\.com.*
    Type: regex
    Action: exempt
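As an added example (not part of the original article), the following Python script applies the three exempt entries above to a few constructed URLs, modelling the URL filter's first-match evaluation with Python's re module, and contrasts them with hypothetical hostname-anchored patterns. The regex-engine approximation and the "host/path" form of the matched URL are assumptions of the example.

```python
import re

# The three regex exempt entries from the article, in evaluation order.
# FortiGate's regex engine is approximated with Python's re module, and the
# filter is assumed to see "host/path" without the scheme (both assumptions).
ARTICLE_ENTRIES = [
    {"url": r".*update\.microsoft\.com.*", "type": "regex", "action": "exempt"},
    {"url": r".*download\.windowsupdate\.com.*", "type": "regex", "action": "exempt"},
    {"url": r".*\.microsoft\.com.*", "type": "regex", "action": "exempt"},
]

# Hypothetical tightened entries: anchored to the hostname, so only the named
# domains and their subdomains are exempted, and the bare apex "microsoft.com"
# is covered as well.
ANCHORED_ENTRIES = [
    {"url": r"^([a-z0-9-]+\.)*update\.microsoft\.com(/.*)?$", "type": "regex", "action": "exempt"},
    {"url": r"^([a-z0-9-]+\.)*download\.windowsupdate\.com(/.*)?$", "type": "regex", "action": "exempt"},
    {"url": r"^([a-z0-9-]+\.)*microsoft\.com(/.*)?$", "type": "regex", "action": "exempt"},
]


def first_matching_entry(url, entries):
    """Return the first entry whose regex matches the URL, or None."""
    for entry in entries:
        if entry["type"] == "regex" and re.search(entry["url"], url, re.IGNORECASE):
            return entry
    return None


def disposition(url, entries):
    """'exempt' when a URL-filter entry bypasses inspection; otherwise 'scan',
    meaning the download still goes through antivirus/heuristic scanning."""
    entry = first_matching_entry(url, entries)
    return entry["action"] if entry else "scan"


# Constructed sample URLs: two genuine update hosts, the bare apex domain, and
# an unrelated host whose path merely contains the text ".microsoft.com".
SAMPLE_URLS = [
    "download.windowsupdate.com/d/msdownload/update/software/x.cab",
    "www.microsoft.com/en-us/download",
    "microsoft.com/en-us/download",
    "files.example.net/archive/not.microsoft.com.txt",
]

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        print(f"{url}\n  article entries:  {disposition(url, ARTICLE_ENTRIES)}"
              f"\n  anchored entries: {disposition(url, ANCHORED_ENTRIES)}")
```

Running it shows that the unanchored third entry also exempts the unrelated host whose path contains ".microsoft.com" while not covering the bare apex "microsoft.com"; the anchored form fixes both.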


For v7.0 and above, the heuristic settings are no longer available; a machine-learning detection setting is used instead. See AI-based malware detection for more information.