I've been having this issue for a while (a few months) but just got around to trying to fix it. So, it began when aepdu.dll (in system32) showed up in the unrecognized files menu. I left it alone, and it was moved into trusted files. However, since then, CIS has been logging blocked intrusions from aepdu.dll. The flag is always “Modify File”, and the target is always either “C:\windows\TEMP\CompatTelemetryLogs\setuprr.log” or “C:\windows\appcompat\programs\FullCompatReport.xml”.
I did some research, and it seems aepdu.dll is a safe Windows file that is involved with the program compatibility layer? The entries get logged around the same time every day (about noon), and while it's not a big issue, it's just a bit annoying having my log filled up with these entries.
Can you post a screenshot of the Defense+ logs showing the intrusion? It's weird that a DLL file is performing any action on its own, as DLLs cannot be executed by themselves and are loaded within applications.
This may seem strange, but try removing it from the trusted files, press OK, then close the settings, then re-add it to the list. If that doesn't work, then the last resort would be to create a HIPS rule for that DLL and give it the allowed application ruleset preset.
Ok, that didn’t fix the problem. Although, I removed it from the list and closed the settings window, and it was automatically added back to the trusted files list.
What version of CIS do you have? Try updating to the newest version. What is HIPS mode set to? What do your HIPS rules look like? Do you happen to have a HIPS rule defined for the file?
I’m using version 8.1.0.4426; I think it's the latest version. HIPS is set to safe mode; below is a link to a screenshot of my settings. Yeah, there is a HIPS rule for the file. Should I remove it?
Ok, I removed the rule. I will wait and see if that fixes it. Do you have to completely remove CIS and reinstall it to get the update? It's showing it's up to date for me.