Microsoft security essentials and Windows XP


ND22

6 minutes ago, heinoganda said:

Well, up to version 4.6.305.0 does the trick. I have once, in version 4.8.204.0, used a hex editor to affect the chain between service and user interface via the registry key EndOfLifeState, with the result that it is green for a certain time, but at the latest after an update of the virus definition everything is red again. :crazy:

:)

Will you create an installer for it? Some might find it useful or a workaround for the nag. Thanks 



On 5/3/2016 at 11:40 PM, mo832 said:

Well, they claimed they were going to end definition updates on 7/14/15. Clearly, they did not. Also, they said that the antimalware SERVICE would cease to work on that date as well. Why do you suppose they left that alone, and is it likely that will remain functional as long as the defs continue to be updated?

Many companies continue to pay for extended custom support on XP and Server 2003. Continuing definitions may have been part of the deal.

The other possibility is that keeping the updating mechanism and infrastructure intact is a trivial thing to do. Both of my hypothetical answers are purely speculative, but seem reasonable.


Thanks heinoganda for combining the solutions for 4.6. You have made some people very happy. I'll try looking into the nag screen for 4.7 if you don't beat me to the punch.


The trick was already known to me at an earlier date, but it was also important that it causes no impairment of MSE, and for this reason I made some tests, among others with the EICAR test virus, which was found without problems during a scan or while attempting to download it. (Of what use is it if MSE is green but no longer responds correctly?)

On the subject of the MSE definition updater, I have meanwhile corrected some minor errors and will soon officially upload a newer version once more (in the version available at the present time, the problem with the version detection is now solved, which had caused the newer updates not to be recognized correctly). I would be grateful for suggestions and error reports.

Update:

The joy is greater with version 4.8. I'm just testing it: it remains green, there are no more messages in the event log that the operating system is no longer supported, and it does not lose any of its functionality.

If interested, please PM.

 

I have completed my tests so far, with the result that MSE 4.8 works flawlessly in that respect!

mse48_1.jpg

What interested me once were the potential vulgarities of MSE. (EndofLiveState)

mse48_3.jpg

mse48_4.jpg

mse48_5.jpg

Note:
The last status does not look very friendly!


I have released version 1.2 of Microsoft Security Essentials Updater.

Added:

1. Option to reset the antivirus update engine of MSE. (only in Start menu)

2. If the option Only Download is in use, the option "update the virus definition for MSE"
   simultaneously updates the definition for Only Download.

3. Optimised installation of the MSE definition.

Bug fixes:

1. When comparing the existing and new version of the MSE definition,
   the message "No update aviable!" was displayed despite recent updates.

2. With Only Download, the time to determine the version is shortened considerably.

:)


Strong stuff. I must admit that I have turned off this alert for myself and had not noticed it; I'll also take a look right away. At the moment I'm still fine-tuning under various scenarios, especially since in the case of a detection (EICAR) this version has a kind of start test in which a service is downloaded and additionally executed as a service. I also detected a problem where XP froze on restart; the MSE service must wait until the encryption service and the driver for the file protection (MpFilter) have been loaded, and then the problem was solved. Another problem at the moment is that the user interface (msseces.exe) every now and then hangs under these circumstances (stays in offline mode even though the MSE service works properly). But I have just added a delayed start of 2 seconds and thus no longer have this problem. I'm just creating the new edition and will then send a PM again, if that's okay.

:)


The manual method for updating Windows Defender (not MSE), involving the download of the mpas-fe.exe file, unzipping its components, and then running MPSigStub.exe -- seems to have stopped working for me. Am I forgetting a step somewhere?

It might be necessary to start using one of the automated methods.

Another possibility: I have one XP system where the POS hack was applied. Defender on that one is staying up to date by itself. :dubbio: Maybe applying the hack to the other XP machines will fix Defender updates for them, too?

--JorgeA


@JorgeA

I have just tested this in my VM: downloaded the definition, unpacked the package and ran MpSigStub.exe. Works flawlessly.

----------------------------------------------------------------------------------
Command:    "C:\Dokumente und Einstellungen\Testi\Desktop\mpas-fe\MPSigStub.exe" 
Start time: 15.05.2016 22:20 (version 1.1.12745.0)

================================= CacheMpSigStub =================================

Copied MpSigStub.exe to C:\WINDOWS\system32\MpSigStub.exe

=================================== ProductSearch ==================================

Failed to get MpTriggerErrorHeartbeatReport address for product WD. (error 0x8007007f).
Failed to get MpManagerOpen address for product WD. (error 0x8007007f).
Failed to get MpHandleClose address for product WD. (error 0x8007007f).
             Microsoft Windows Defender (downlevel):
        Status: Active                                 
      Product: 1.1.1593.0                             
       Engine: 1.1.2204.0                             
 Signatures: 1.0.0.0                                

================================ PackageDiscovery ================================

Package files discovered:
C:\Dokumente und Einstellungen\Testi\Desktop\mpas-fe\mpasbase.vdm (1.219.0.0)
C:\Dokumente und Einstellungen\Testi\Desktop\mpas-fe\mpasdlta.vdm (1.219.1912.0)
C:\Dokumente und Einstellungen\Testi\Desktop\mpas-fe\mpengine.dll (1.1.12706.0)

             AS FE:      
            Engine: 1.1.12706.0 
  AS base VDM: 1.219.0.0   
  AV base VDM: Not included
 AS delta VDM: 1.219.1912.0
 AV delta VDM: Not included

================================= MpUpdateEngine =================================

Package files for the engine update:
C:\Dokumente und Einstellungen\Testi\Desktop\mpas-fe\mpasbase.vdm (1.219.0.0)
C:\Dokumente und Einstellungen\Testi\Desktop\mpas-fe\mpasdlta.vdm (1.219.1912.0)
C:\Dokumente und Einstellungen\Testi\Desktop\mpas-fe\mpengine.dll (1.1.12706.0)

Updated from C:\Dokumente und Einstellungen\Testi\Desktop\mpas-fe (0x0)

================================= ValidateUpdate =================================

MpSigStub successfully updated Microsoft Windows Defender (downlevel) using the AS FE package.

                       Original:     Updated to: 
           Engine: 1.1.2204.0  1.1.12706.0 
 AS base VDM: 1.0.0.0        1.219.0.0   
 AS delta VDM: 1.0.0.0        1.219.1912.0

Set DeltaUpdateFailure to 0
Set BddUpdateFailure to 0
Deleted C:\Dokumente und Einstellungen\Testi\Desktop\mpas-fe\mpasbase.vdm
Deleted C:\Dokumente und Einstellungen\Testi\Desktop\mpas-fe\mpasdlta.vdm
Deleted C:\Dokumente und Einstellungen\Testi\Desktop\mpas-fe\mpengine.dll
End time: 15.05.2016 22:20
----------------------------------------------------------------------------------

:)


1 hour ago, heinoganda said:
Copied MpSigStub.exe to C:\WINDOWS\system32\MpSigStub.exe

Maybe that's the step that I missed -- copying MPSigStub.exe over to System32 ?  :unsure:

I'll try copying the EXE file over first, and report back on what happens then.

Thanks!

--JorgeA


@JorgeA

Sorry, my fault; I should probably have written that it is an extract from the log file.

No, this is an excerpt from the log file under "%windir%\TEMP\MpSigStub.log" that is created when you run MpSigStub.exe. As I wrote, like you I unzipped the definition file and ran MpSigStub.exe. It would be best to provide the last part of your log file for inspection (from the date where the problems occurred), because the reason why updating the definition fails should be visible there.

Note:
Incidentally, at the moment the regular way of updating the definition also works again on Defender!

:)


Thanks for the information, heinoganda.

Based on what you said, I went into the log file and found many entries similar to the following example:

----------------------------------------------------------------------------------
Command:    MpSigStub.exe /program "C:\WINDOWS\SoftwareDistribution\Download\Install\mpas-fe.exe" WD /q
Start time: 5/16/2016 12:24 AM (version 1.1.12745.0)

================================= CacheMpSigStub =================================

Copied MpSigStub.exe to C:\WINDOWS\system32\MpSigStub.exe

=================================== ProductSearch ==================================

Failed to get MpTriggerErrorHeartbeatReport address for product WD. (error 0x8007007f).
Failed to get MpManagerOpen address for product WD. (error 0x8007007f).
Failed to get MpHandleClose address for product WD. (error 0x8007007f).
             Microsoft Windows Defender (downlevel):
     Status: Active                                 
    Product: 1.1.1593.0                             
     Engine: 1.1.12603.0                            
 Signatures: 1.217.2157.0                           

================================ PackageDiscovery ================================

Package files discovered:
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\93775572-22bb-4b08-8448-20e565724314\mpasbase.vdm (1.219.0.0)
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\93775572-22bb-4b08-8448-20e565724314\mpasdlta.vdm (1.219.1665.0)
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\93775572-22bb-4b08-8448-20e565724314\mpengine.dll (1.1.12706.0)

               AS FE:      
       Engine: 1.1.12706.0
  AS base VDM: 1.219.0.0   
  AV base VDM: Not included
 AS delta VDM: 1.219.1665.0
 AV delta VDM: Not included

================================= MpUpdateEngine =================================

Package files for the engine update:
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\93775572-22bb-4b08-8448-20e565724314\mpasbase.vdm (1.219.0.0)
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\93775572-22bb-4b08-8448-20e565724314\mpasdlta.vdm (1.219.1665.0)
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\93775572-22bb-4b08-8448-20e565724314\mpengine.dll (1.1.12706.0)

ERROR 0x80070005 : MpUpdateEngine(C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\93775572-22bb-4b08-8448-20e565724314)
ERROR 0x80070005 : IProduct->UpdateEngine

================================= ValidateUpdate =================================

mpengine.dll version in package is 1.1.12706.0, but after update machine has older version 1.1.12603.0
mpasbase.vdm version in package is 1.219.0.0, but after update machine has older version 1.217.0.0
mpasdlta.vdm version in package is 1.219.1665.0, but after update machine has older version 1.217.2157.0

                         Watson Report:                          Position:
                HRESULT: 0x80070005                              P1       
         FailedFunction: MpUpdateEngine                          P2       
              Operation: AS FE                                   P3       
 SourceComponentVersion: 1.1.12745.0                             P4       
    SourceComponentName: mpsigstub.exe                           P5       
         ProductVersion: 1.1.1593.0                              P6       
            ProductName: Microsoft Windows Defender (downlevel)  P7       


                 Unsent Error Heartbeat Report:        
    ProductName: Microsoft Windows Defender (downlevel)
        HRESULT: 0x80070005                            
 FailedFunction: MpUpdateEngine                        
        Details: 0.0.0.0                               

ERROR 0x80070005 : One or more of the packages found failed to update for Microsoft Windows Defender (downlevel).
ERROR 0x80070005 : One or more of the products found failed to update; returning this error
Deleted C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\93775572-22bb-4b08-8448-20e565724314\mpasbase.vdm
Deleted C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\93775572-22bb-4b08-8448-20e565724314\mpasdlta.vdm
Deleted C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\93775572-22bb-4b08-8448-20e565724314\mpengine.dll
ERROR 0x80070005 : MpSigStubMain
End time: 5/16/2016 12:24 AM
----------------------------------------------------------------------------------

I have highlighted the lines that I think may be most relevant in this entry.

What do you think?

BTW, I just tried, once again, to update Defender the regular way, and once again it failed.

--JorgeA
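
An added example, not part of any post in this thread: a small Python parser for the MpSigStub.log format quoted above. It reports each run's outcome, decodes the HRESULT (0x80070005 is the Win32 access-denied code wrapped in an HRESULT) and lists the components left on an older version. The sample log is constructed, its paths are placeholders, and the function names are hypothetical.

```python
import re

# Win32 codes seen in the logs quoted in this thread (HRESULT low 16 bits).
WIN32_ERRORS = {0x05: "ERROR_ACCESS_DENIED", 0x7F: "ERROR_PROC_NOT_FOUND"}
RUN_SEPARATOR = re.compile(r"^-{20,}[ \t]*$", re.M)
ERROR_LINE = re.compile(r"^ERROR (0x[0-9A-Fa-f]{8}) : (.+?)[ \t]*$", re.M)
MISMATCH = re.compile(r"^(\S+) version in package is (\S+), but after update "
                      r"machine has older version (\S+)[ \t]*$", re.M)

def decode_hresult(value):
    """Split an HRESULT into (failed, facility, code, name)."""
    failed = bool(value & 0x80000000)
    facility = (value >> 16) & 0x1FFF
    code = value & 0xFFFF
    # Facility 7 (FACILITY_WIN32) wraps a plain Win32 error code.
    name = WIN32_ERRORS.get(code, "unknown") if facility == 7 else "unknown"
    return failed, facility, code, name

def parse_runs(log_text):
    """Return one summary dict per MpSigStub run found in the log text."""
    runs = []
    for chunk in RUN_SEPARATOR.split(log_text):
        cmd = re.search(r"^Command:\s+(.+?)[ \t]*$", chunk, re.M)
        if not cmd:
            continue  # text between separators that is not a run
        errors = ERROR_LINE.findall(chunk)
        runs.append({
            "command": cmd.group(1),
            "succeeded": not errors and "successfully updated" in chunk,
            "first_error": (errors[0][1], decode_hresult(int(errors[0][0], 16)))
                           if errors else None,
            "stale": [m.groups() for m in MISMATCH.finditer(chunk)],
        })
    return runs

# Constructed sample in the log's format; paths are placeholders.
SAMPLE = r"""------------------------------------------------------------
Command:    MpSigStub.exe /program "C:\sample\mpas-fe.exe" WD /q
ERROR 0x80070005 : MpUpdateEngine(C:\sample\files)
mpengine.dll version in package is 1.1.12706.0, but after update machine has older version 1.1.12603.0
ERROR 0x80070005 : MpSigStubMain
------------------------------------------------------------
Command:    "C:\sample\mpas-fe\MPSigStub.exe"
MpSigStub successfully updated Microsoft Windows Defender (downlevel) using the AS FE package.
------------------------------------------------------------
"""

for run in parse_runs(SAMPLE):
    print(run["succeeded"], run["first_error"], run["stale"])
```

To use it on a real machine, pass the contents of %windir%\TEMP\MpSigStub.log to parse_runs and look at the last entries.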


First, the issue is not with the definition update itself. It can be based on different problems.

As a preliminary step, therefore, make sure the file system is in order. Insert the following code into a new text file, save it, rename it to check.bat and run it.

@echo off
chkdsk %SystemDrive% /F

When asked to restart the system: Yes.

Are there other antivirus or anti-malware programs installed? Otherwise, first insert the following code into a new text file, save it, rename it to repair.bat and run it. (Updated code, only for users of Windows Defender on Windows XP x86)

@echo off
(FOR /F "tokens=2* delims=	" %%a IN ('REG QUERY "HKLM\SOFTWARE\Microsoft\Windows Defender\Signature Updates" /v "SignatureLocation"') DO SET "SignatureLocation=%%b") >NUL 2>&1
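REM Drop the last 39 characters of the signature path and append \Backup
SET "SignatureLocationBackup=%SignatureLocation:~,-39%\Backup"
REM Delete the backed-up definition files
DEL "%SignatureLocationBackup%\*.*" /F /Q >NUL 2>&1
REM Remove all installed definitions, then request a fresh signature update
"%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
"%ProgramFiles%\Windows Defender\MpCmdRun.exe" -SignatureUpdate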

If that did not work, it could be that the system is infected with malicious software. For this, a second program, such as Malwarebytes Anti-Malware, should be consulted and used to perform a complete scan. (Save the log file; if no malicious software has been found here, Malwarebytes Anti-Malware should be uninstalled again.) If there is no problem here either, what still remains is to reinstall Windows Defender, and/or maybe a permissions issue exists.

Note:
When Windows Defender pulls the definition update itself, it is outdated, as of 05/13/2016! For now only the manual download remains!

:)

