Jump to content
Strawberry Orange Banana Lime Leaf Slate Sky Blueberry Grape Watermelon Chocolate Marble
Strawberry Orange Banana Lime Leaf Slate Sky Blueberry Grape Watermelon Chocolate Marble

MSFN is made available via donations, subscriptions and advertising revenue. The use of ad-blocking software hurts the site. Please disable ad-blocking software or set an exception for MSFN. Alternatively, register and become a site sponsor/subscriber and ads will be disabled automatically. 


ND22

Microsoft security essentials and Windows XP

Recommended Posts

On 5/14/2019 at 9:48 PM, Dave-H said:

I did a check today on Microsoft Update just on the off-chance that there might be something offered, and the only thing offered was a definition update for MSE.
I tried installing it and it failed of course, and when I looked in my update history there was a long list of similar update failures.

This is logical because the last working engine v1.1.15800.1 is older than the current engine 1.1.15900.4 in the definition updates, so you will be offered a definition update via MU.

On 5/14/2019 at 10:37 PM, heinoganda said:

You should not update any more about MU/AU Microsoft security essentials.

 

On 5/14/2019 at 9:48 PM, Dave-H said:

Also I'm still getting error messages in my Windows event logs all the time about failed updates and MPSampleSubmissions.

Now the official update has triggered a chain of errors and feedback, with a copy of the file "MPSigStub.exe" to the folder "%windir%\system32", which in turn causes error messages and forwards them to MS. During the update with the MSE definition updater, the file "MPSigStub.exe" will be deleted in the folder "%windir%\system32" in case of a successful update, so that no synchronization with MS can take place anymore because of the validity of the virus definition Engines that would lead to an error message.

Installed offline in my Vituell Machine MSE v4.8, my helpers run the file "no_UPD.bat" and installed online with Microsoft Security Essentials Definition Updater v1.9 the current definition and engine v1.1.15800.1, without a firework of error messages.

One hundred percent I can not guarantee that in between it comes to an error message in the event log!

:yes:

Share this post


Link to post
Share on other sites

2 hours ago, heinoganda said:

This is logical because the last working engine v1.1.15800.1 is older than the current engine 1.1.15900.4 in the definition updates, so you will be offered a definition update via MU.

 

Now the official update has triggered a chain of errors and feedback, with a copy of the file "MPSigStub.exe" to the folder "%windir%\system32", which in turn causes error messages and forwards them to MS. During the update with the MSE definition updater, the file "MPSigStub.exe" will be deleted in the folder "%windir%\system32" in case of a successful update, so that no synchronization with MS can take place anymore because of the validity of the virus definition Engines that would lead to an error message.

Installed offline in my Vituell Machine MSE v4.8, my helpers run the file "no_UPD.bat" and installed online with Microsoft Security Essentials Definition Updater v1.9 the current definition and engine v1.1.15800.1, without a firework of error messages.

One hundred percent I can not guarantee that in between it comes to an error message in the event log!

:yes:

Thanks @heinoganda, that explains it all very well.
I'll keep an eye out and hope that the error messages stay away!
I'm hoping that changing that registry setting will stop MSE from constantly checking with the MS update servers.
:dubbio:

Share this post


Link to post
Share on other sites
Posted (edited)

@Dave-H

Following an excerpt from my log

 

MSETest1.jpgMSETest2.jpgMSETest3.jpg

:)

Edited by heinoganda
  • Upvote 1

Share this post


Link to post
Share on other sites

@heinoganda & @Dave-H: I've noticed if I let the machine on for many days MSE tries to update on its own and fails, populatin the event logs (both system and application). Please observe the errors always happens around the exact same hour, day after day. See attached window-capture below:
Clipboard01.png

Share this post


Link to post
Share on other sites
Posted (edited)

@dencorso

Try to solve this problem with the help of the "helper".

After that, MSE itself can not update anymore.

No update any more about MU for Microsoft security essentials, no AU.

:)

Edited by heinoganda
  • Like 1

Share this post


Link to post
Share on other sites

@Dave-H @dencorso

With MSE I still noticed the download option via the Windows Update Agent. Now I use the POSReady 2009 (HKLM,"SYSTEM\WPA\POSReady",Installed,0x10001,1) entry in the registry only temporarily and as long as this is not available, the Windows Update Agent can not find a more current definition incl. Engine for MSE , Here is also the source of the error because not wanted. The alternative option was removed with the help of the "helper", but the variant via the Windows Update Agent comes into play here, which is apparently implemented in MSE itself. In advance, only removing the POSReady entry in the registry would help. Will still try to find another way, despite some attempts. :dubbio:

:)

  • Like 1

Share this post


Link to post
Share on other sites
4 hours ago, mo832 said:

I just came across this today. Anyone on this thread have any additional advice or comments for xp users?

https://www.wired.com/story/microsoft-windows-xp-patch-very-bad-sign/

They're mostly making an argument similar to @Jody Thornton's: if you have PCs with older, unpatched OSes on a corporate network, an attacker can use those as "anchors" to gain access, then spread malware to other, newer PCs. Therefore keeping those PCs on your network can pose a security risk. In that environment, it would make sense to minimize the number of different Windows versions you're using, so as to reduce opportunities for hackers.

But I found the article's concentration on XP troubling. After all, the same vulnerability is found in Win 7, which is found even more often than XP and is still in support (at least until January). But the article didn't bash Win 7 users; only XP users. I suspect the not-so-secret agenda was to try once again to kill off that 2-3% of the market still running XP with yet another dose of FUD. It hasn't worked so far, but why not give it another try?

Indeed, it's major point seems totally irrelevant: XP is old. So? Software doesn't "age;" in fact, unlike living things, it often gets better with age, as bugs are found and patched. If the bug is particularly serious, as in this case and the Wannacry case, you may even get a patch after the official EoS date.

For individual XP users, though, the time to worry will be the day a major vulnerability is found but not patched. Hmm.... I wonder if the recently-discovered vulnerability exists in Win2K? There's no patch for that OS (although I suppose you could just disable the probably-unneeded Remote Desktop service).

  • Like 1
  • Upvote 1

Share this post


Link to post
Share on other sites

@Dave-H @dencorso

In addition to the "FallbackOrder" key where the entry "MicrosoftUpdateServer | MMPC" is deleted, I have changed the keys "ForceUpdateFromMU" to "0" and "SignatureUpdateInterval" to "0" in the registry "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware\Signature Updates" (there is no permission to edit here!). 
For this I can provide you with a helper, unzip file (3 files in a folder) and run the file "no_UPD.bat" (with the file "UPD_Default.bat" the original entry can be restored).

Download:
here

No manual update of MSE may be performed. No definition update for MU in IE if it is offered. No AU. I have not found more options at the moment if the POSReady entry is present in the registry. Currently, the most effective solution is to delete the POSReady key in the registry.

Now it remains to watch if the situation in the event log improves.

:)

Share this post


Link to post
Share on other sites

Thanks @heinoganda, I've applied the new batch file, I'll keep an eye on the event logs and see what happens.
I don't really want to remove the POSReady key, although with the end of updates I'm wondering whether it is really now necessary to keep it!
Cheers, Dave.
:dubbio:

Share this post


Link to post
Share on other sites
Posted (edited)

Sorry guys, trying to understand the current discussion.

 

Does what the 2 of you guys are discussing mean that v1.9 update program no longer works or just that you still get log errors when it tries to do updates itself?

 

Thanks

Edited by prsa01

Share this post


Link to post
Share on other sites

The update program still works fine, the problem is only that MSE is still trying to do its own updates, and is now failing and writing loads of error messages into the Windows Event Logs.
Part of the problem is that it's trying to update the engine, which can now no longer be updated as the current versions are not XP compatible.
:)

Share this post


Link to post
Share on other sites

Great, thank you for the answer.  

Share this post


Link to post
Share on other sites
3 hours ago, Dave-H said:

I don't really want to remove the POSReady key

I have not permanently installed the POSReady key since May 2014. When I search for updates with WU / MU in IE8, I enter the POSReady key before the scan. When updates are found and installed, the POSReady key is deleted before rebooting. I use my own update rollup where the POSReady key is not needed.
Let's see how the changes affect the next time, while I hope the MSE itself no update with the Windows Update Agent performs more.

:)

Share this post


Link to post
Share on other sites
Guest
This topic is now closed to further replies.

  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...