[Solved] CIS flags aepdu.dll for modifying file

Hi all!

Ive been having this issue for awhile (A few months) but just got around to trying to fix it. So, it began when aepdu.dll (In system32) showed up in the unrecognized files menu. I left it alone, and it was moved into trusted files. However, since then, CIS has been logging blocked intrusions from aepdu.dll. The flag is always “Modify File”, and the target is always ether “C:\windows\TEMP\CompatTelemetryLogs\setuprr.log” or “C:\windows\appcompat\programs\FullCompatReport.xml”.

I did some research, and it seems aepdu.dll is a safe windows file that is involved with the program compatibility layer? The entries get logged around the same time everyday (About noon), and while its not a big issue, its just a bit annoying having my log filled up with these entries.

Do you know any way to stop this? Thanks :slight_smile:

Can you post a screenshot of the defense+ logs showing the intrusion, its weird that a dll file is performing any action on its own as dll’s can not be executed by themselves and are loaded within applications.

Sure, here is the link:

Ok just make sure that dll is listed in the trusted files list and cis should stop logging intrusions.

That’s the odd thing, it’s in the trusted files list, but its still getting logged. ???

This may seem strange but try removing it from the trusted files, press ok then close the settings, then re-add it to the list. If that doesnt work then last resort would be create a hips rule for that dll and give it the allowed application ruleset preset.

Ok, i will try that and report back if it works.

Ok, that didn’t fix the problem. Although, i removed it from the list, and closed the settings window, and it was automatically added back to the trusted files list.

Do you have any other ideas on what to try?

What version of CIS do you have, try updating to the newest verion? What is HIPS mode set to? What does your HIPS rules look like, do you happen to have a HIPS rule defined for the file?

I’m using version, i think its the latest version. HIPS is set to safe mode, bellow is a link to a screenshot of my settings. Yeah, there is a HIPS rule for the file, should i remove it?

Thanks vary much for your help :smiley:

Link to my HIPS settings: Dropbox - File Deleted

The newest version is and yes either remove the hips rule for the file or apply the allowed application ruleset.

Ok, i removed the rule, i will wait and see if that fixes it. Do you have to completely remove CIS and reinstall it to get the update? Its showing its up to date for me.

You can if you want to but

you will get the update by the end of the month.

Ok, it appears that removing the HIPS rule fixed the problem. Thanks vary much for all of your help :slight_smile: