
Microsoft security essentials and Windows XP


ND22



Please correct me if I'm wrong.

Heinoganda MSE Definition Updater v. 1.7 does not use MpSigStub.exe (used by Updater v. 1.0 - 1.5). It caused the necessity of introducing the "indicator" of the moment when the updating of the MSE definition will end; The "indicator" is the "disappearance" of the *.vdm and *.dll files from the %MSEDEFUPDPATH% folder, detected in the code loop:

:WAITUPD(n)
sleep.exe 5 >NUL
IF EXIST "%MSEDEFUPDPATH%\*.vdm" GOTO WAITUPD(n)
IF EXIST "%MSEDEFUPDPATH%\*.dll" GOTO WAITUPD(n)

where (n) - successively: 1, 2, 3, 4, 5, in five different places of the script.

I do not know if this is the case for you, but on my computer, even after the MSE definitions have been successfully updated, these files can stay in the %MSEDEFUPDPATH% folder, which results in Updater v. 1.7 still running, circling the above loop endlessly. The solution, in the case of automatic work initiated by the Task Scheduler, is to force the end of the program after the set number of minutes has elapsed, and in manual mode, to close the program window.

The above obstruction is fortunately not critical, and Updater v. 1.7 fulfills its "mission", effectively updating the definitions of MSE - for which I thank its Author!

Finally, let me mention one more issue: by experimenting with the program, I was able to bring about a situation in which a file with a strange name appeared in the MSE_DEFINITION_DOWNLOAD folder: with the multiple extension .old . Would it not be wise to clean all files out of the MSE_DEFINITION_DOWNLOAD folder at the beginning of the Updater's work? If the version of the MSE definition there is already installed, its presence in the MSE_DEFINITION_DOWNLOAD folder no longer influences the type of file downloaded: full or delta (at least when the *.vdm files are still in the %MSEDEFUPDPATH% folder).

Edited by egrabrych
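
Added example, not part of the post above and not code from MSE Definition Updater: a bounded form of the wait loop described in that post, which gives up after a fixed number of polls instead of circling forever when the *.vdm or *.dll files are never removed. %MSEDEFUPDPATH% and sleep.exe are the names used in the post; MAXWAIT, the labels DONE and TIMEOUT, and the exit codes are assumptions made for this sketch.

```batch
@echo off
setlocal
rem Added example: bounded wait for the definition files to be consumed.
rem MAXWAIT and the exit codes are assumptions, not values from the updater.
rem 60 polls x 5 seconds = 5 minutes.
set "MAXWAIT=60"
set /a TRIES=0

rem Without the folder variable the EXIST tests would probe the drive root.
if not defined MSEDEFUPDPATH (
    echo MSEDEFUPDPATH is not set.
    exit /b 1
)

:WAITUPD
sleep.exe 5 >NUL
rem Finished only when neither *.vdm nor *.dll files remain.
if not exist "%MSEDEFUPDPATH%\*.vdm" if not exist "%MSEDEFUPDPATH%\*.dll" goto DONE
set /a TRIES+=1
if %TRIES% LSS %MAXWAIT% goto WAITUPD

:TIMEOUT
rem List the leftovers so a scheduled run leaves a trace of what was stuck.
echo Gave up after %TRIES% polls. Files still present:
dir /b "%MSEDEFUPDPATH%\*.vdm" "%MSEDEFUPDPATH%\*.dll" 2>NUL
exit /b 2

:DONE
echo Definition files consumed after %TRIES% extra polls.
exit /b 0
```

A non-zero exit code lets the Task Scheduler history distinguish a run that timed out from one that completed.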

Just a thought: my understanding is that Microsoft periodically disposes of definitions that patched Windows is already immune to, which is why the mpam-fe.exe file size fluctuates so much.
So for XP, shouldn't it be 1.291.2489.0 + whatever latest working? What do you guys think?
Disclaimer: I'm no fan of AV, well, I kind of miss MRT though.
 


@egrabrych

The folder "MSE_DEFINITION_DOWNLOAD" is sometimes used to hold definition files offline (does not have to be used). I've made some adjustments in the meantime as the engine queries differ between the installed version (1.1.15800.1, last working in XP) and the current definition engine. Downloading from a delta definition requires the version value from the current engine, which requires customization. In a previous post I already pointed out the possibility that a definition update without MpSigStub.exe is possible (https://msfn.org/board/topic/175514-microsoft-security-essentials-and-windows-xp/?do=findComment&comment=1137429).
The MpSigStub.exe file (a copy is installed in "%windir%\system32"; it will be deleted after an update with the current MSE Updater v1.7) will check the existing definition, resulting in an error message or error propagation because the engine version (1.1.15800.1, last working in XP) cannot be refreshed. Only the definition files (.vdm) are updated.

The definition updates still offered by AU/MU (if POSReady 2009 key is entered in registry) should not be installed anymore, unless a definition file is published again where the engine works under Windows XP again (which is unlikely to happen). Therefore, AU should be disabled and no definition updates should be installed when searching for updates (MU) in IE. The fact is that no newer features or security updates on the Engine for MSE are possible anymore.

:)

 

Edited by heinoganda

Very long time lurker and roll-my-own-updates MSE user. :ph34r:

In case it's of any help to someone it is still possible to fetch the mpam-d.exe file that can be executed as is (i.e. MpSigStub.exe is executed). To do this you must first have established the two 'base' signature files for the 15900 engine: mpasbase.vdm and mpavbase.vdm - as already described in this thread.

Thereafter you can use a URL as if you are using the 15900 engine version (even though we are still using the 15800 engine):

http://go.microsoft.com/fwlink/?LinkID=121721&clcid=0x409&arch=x86&prod=EDB4FA23-53B8-4AFA-8C5D-99752CCA7094&eng=1.1.15900.4&avdelta=1.293.312.0&asdelta=1.293.312.0

...where you supply the delta values according to what you have installed so far.

From there you can just execute mpam-d.exe and it will update the delta signature files: mpasdlta.vdm and mpavdlta.vdm - this should work until the engine version changes again.

Ben.
 


1 hour ago, heinoganda said:

@egrabrych

In a previous post I already pointed out the possibility that a definition update without MpSigStub.exe is possible (https://msfn.org/board/topic/175514-microsoft-security-essentials-and-windows-xp/?do=findComment&comment=1137429).

 

Mea culpa :)  I used to use MSE Definition Updater v. 1.2 when there were problems updating the MSE definition by WU / MU. When these problems ceased, I turned off this task in the Task Scheduler and until recently I was not interested in this issue too much - that's why for me not using MpSigStub.exe is new.

I would like to add that for subjective reasons I use MSE in version 2.1.1116.0 - maybe that's why the update of the definition goes to me as I wrote. But this is not a problem; This morning, once again, there was an automatic update via MSE Definition Updater v. 1.7 and the definitions are now in version 1.293.362.0. Many thanks for your program :thumbup

Greetings!


@heinoganda

In the MSE antimalware folder I seem to have a file called offreg.3416.dll; on my other PC it is offreg.3068.dll

C:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{CF4ECBC1-A885-4A52-AE58-72C12130D7E9}

What is this file?

I dare not delete it in case it is needed

I noticed only 2 of 4 files actually have updated  ....  mpasdlta.vdm ...  ....mpavdlta.vdm .....

I did use option 1 in the updater 1.7

Edited by DrWho3000

2 hours ago, Ben Markson said:

Very long time lurker and roll-my-own-updates MSE user. :ph34r:

It is up to you whether you create the suitable link manually for each download before. There are users who just want to keep the definition of MSE up-to-date and no complicated procedures.
This is done by the MSE Updater, not only the complete definition is loaded, also different updates (delta updates).

42 minutes ago, DrWho3000 said:

In the mse antimalware folder i seem to have a file(s) called offreg.3416.dll  in my other PC it is offreg.3068.dll

C:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{CF4ECBC1-A885-4A52-AE58-72C12130D7E9}

what is this file

Here you should not delete any files, this file (offreg.3416.dll) will appear after scanning and will run as a service temporarily.

 

:)

Edited by heinoganda

@heinoganda

I sent you a pm. I am having a relapse of the same issue from 2017 regarding the HTTPDL.exe error. We had a discussion on pm back then which it was fixed. There is also some comment about it in this forum on page 18. Please see what you can do.


@mo832

There are approvals to the current situation, since the last working engine (1.1.15800.1) of MSE under Windows XP would result in the queries during the download according to the current definition to an undesirable result or the comparison of the existing definition files in the folder MSE_DEFINITION_DOWNLOAD to the Installed Definition in MSE, otherwise they would be completely reinstalled during an update.
Finally only adjustments so that the MSE Definition Updater does what the version 1.5 could do.

:)

Edited by heinoganda

1 hour ago, Dave-H said:

Is there any way of stopping MSE doing its own definition update checks?
It's now writing loads of error messages into my Windows logs all the time.

I'm getting 'em galore, too! Both in the system and in the application logs, usually in threes. I've started to look for a way to at least suppress those errors, but haven't got anywhere yet. It should be something like deregistering some events... but then: which ones? Any advice much welcome, of course.
