Critical Updates.

Ben

While installing the critical updates this afternoon the
MS AS window popped up asking me to accept or reject a
change to a start-up program. I accepted because I knew
what it was. Shortly after the window came up again
telling me that a change to a start-up program was made
since the change had been passed or OK'd previously (or
something to that effect).
When I was having some problems updating the MS AS
definitions earlier tonight I thought that the critical
updates might be responsible for the glitch. On the 3rd
attempt everything went fine.
I now think that the two are unrelated and that MS AS was
doing its job well this afternoon. What do you think?
Thanks.


(e-mail: no vowels in meets)
 
I've spent the evening checking a couple dozen machines in two remote
offices--updating antivirus, antispam, antispyware, and
antiwindowsecurityetc patches!

Today there are important Office patches as well--so you need to remember to
visit OfficeUpdate as well.

I'm not sure I have seen Microsoft Antispyware alert as part of the security
patch installs. I've definitely seen it as part of a Norton update.

I've had no trouble with the antispyware updates on any machine so far, and
I haven't tracked the order of things--windowsupdate vs antispywareupdate,
but I think I've done it both ways.

So--I think everything is working fine, except that others have mentioned
having trouble getting to the Antispyware defs--and I think there were some
lags at the server end in getting those out.
 
Bill Sanderson scribbled:
I'm not sure I have seen Microsoft Antispyware alert as part of the
security patch installs. I've definitely seen it as part of a Norton
update.


Here's what my GRR log (GRR is a freeware/shareware registry protection
utility) says about this MSAS pop-up that I got as well...

The MSAS pop-ups were for KB867282 and KB891781

===========
Wed Feb 09 2005 10:54:17 WARNING: A Session Manager entry has changed.
This change was accepted by the foreground user.

The BootExecute entry specifies native-mode programs to run before the GUI
is loaded. The PendingFileRenameOperations entry is used by NT to replace
files at boot time that were previously locked. This is the normal way for
Microsoft service packs and many install programs to upgrade system files.
However, some malicious programs could use this method to replace your
system files without your knowledge or consent. Be wary if you see that
system files are set to be replaced. The session Manager key is located in
the HKEY_LOCAL_MACHINE hive:

System
CurrentControlSet
Control
Session Manager

--Original Settings-----------------
BootExecute:
autocheck autochk *

PendingFileRenameOperations:

--New Settings----------------------
BootExecute:
autocheck autochk *

PendingFileRenameOperations:

\??\C:\WINDOWS\system32\SET11.tmp
!\??\C:\WINDOWS\system32\wininet.dll

\??\C:\WINDOWS\system32\SET12.tmp
!\??\C:\WINDOWS\system32\urlmon.dll

\??\C:\WINDOWS\system32\SET13.tmp
!\??\C:\WINDOWS\system32\shlwapi.dll

\??\C:\WINDOWS\system32\SET14.tmp
!\??\C:\WINDOWS\system32\shdocvw.dll

\??\C:\WINDOWS\system32\SET15.tmp
!\??\C:\WINDOWS\system32\mshtml.dll

\??\C:\WINDOWS\system32\SET19.tmp
!\??\C:\WINDOWS\system32\browseui.dll
====================================

Wed Feb 09 2005 10:56:07 INFO: Service started.
Wed Feb 09 2005 10:59:03 WARNING: A Session Manager entry has changed.
This change was accepted by the foreground user.
=============

All updates (12 for me) were installed successfully...

However I think I may have found a problem/bug in gcasServ.exe (an
executable in MSAS)

I have to check and test my system some more, but when a scheduled scan runs
gcasServ.exe starts hogging the CPU at the end of the scheduled scan and can
only be terminated through XP's task manager/kill process screen.

This problem doesn't happen at all with a manual scan, only with scheduled
scans.

PS, I got today's MSAS definitions update OK. No delays downloading,
etc....
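
The GRR log in the post above describes PendingFileRenameOperations as a list of source/destination pairs applied at boot. The following is an added example, not part of the original post or of GRR: it parses such a value and labels each pair for triage. The function names, the `review` heuristic, and the last two sample pairs are assumptions made for illustration.

```python
import ntpath

NT_PREFIX = "\\??\\"  # NT object-namespace prefix used in this registry value

# Constructed sample: the first two pairs from the GRR log above, plus one
# made-up pair (source outside the Windows tree) and one made-up delete.
SAMPLE = [
    r"\??\C:\WINDOWS\system32\SET11.tmp", r"!\??\C:\WINDOWS\system32\wininet.dll",
    r"\??\C:\WINDOWS\system32\SET12.tmp", r"!\??\C:\WINDOWS\system32\urlmon.dll",
    r"\??\C:\Temp\example.bin", r"!\??\C:\WINDOWS\system32\example.dll",
    r"\??\C:\Temp\old.log", "",
]

def _clean(path):
    """Drop the NT prefix so the path can be compared as an ordinary DOS path."""
    return path[len(NT_PREFIX):] if path.startswith(NT_PREFIX) else path

def parse_pending_renames(strings):
    """Return (source, destination_or_None, replace_existing) per pair."""
    items = list(strings) + ([""] if len(strings) % 2 else [])
    ops = []
    for src, dst in zip(items[0::2], items[1::2]):
        replace = dst.startswith("!")       # '!' = overwrite existing target
        dst = _clean(dst[1:] if replace else dst)
        ops.append((_clean(src), dst or None, replace))  # None = delete source
    return ops

def triage(ops, windows_dir=r"C:\WINDOWS"):
    """Label each operation; 'review' is a heuristic, not a verdict."""
    root = ntpath.normcase(windows_dir) + "\\"
    out = []
    for src, dst, _replace in ops:
        if dst is None:
            out.append(("delete", src, None))
        elif not ntpath.normcase(dst).startswith(root):
            out.append(("move", src, dst))
        elif ntpath.normcase(ntpath.dirname(src)) == ntpath.normcase(ntpath.dirname(dst)):
            out.append(("system-replace", src, dst))   # staged beside target
        else:
            out.append(("review", src, dst))           # system file, foreign source
    return out

if __name__ == "__main__":
    for label, src, dst in triage(parse_pending_renames(SAMPLE)):
        print(f"{label:15} {src} -> {dst}")
```

The pairs from the log come out as `system-replace`, the pattern the log text calls normal for service packs and installers; the constructed pair whose source sits outside the Windows tree is the one labelled `review`.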
 
Thanks - that does ring a bell, in terms of the alert information. I sure
didn't see it on every machine though--I'd have remembered--hmm....

I've rechecked my machines and they are up to date as far as patches as
measured by HFNETCHKpro, anyway.

The scheduled scan issue is interesting, but I don't know what to do with
it--Is the scheduled scan different from the manual scan in terms of full vs
intelligent, or the partitions covered--or maybe the user logged on? Does
the error log grow fast when the CPU usage is maxed?
 
Hi Bill & Max.

I ran 3 scheduled deep scans and 3 manual quick scans
this morning. Everything went through fine...no problems
at all.

Here are some results...
                              Quick scan   Scheduled full scan
                              ----------   -------------------
Memory locations scanned      39           1013
Files checked                 19040        31206
Registry locations checked    8368         8368
Average time for each scan    3.5 min.     12 min.

Errors.log file is 2KB ...a dozen or so entries.

CPU usage showed 99% during memory locations and also 99%
during registry locations scans.
Files checked varied 30 to 60% with sharp occasional
high and low spikes.

I hope the above is of some use.

Max...
Checked images...Fantastic...
Took me back to my young days when I had a Brownie box
camera and I developed and printed my B&W pics. (Yes, I
am that old). I have a very soft spot for Black & white
photography. I wasn't good at it .. only family snaps and
the like but a lot of fun.


(e-mail: no vowels in meets)
 
Thanks - I'll have to watch the meter during a scan. I normally have a
cpu-sharing app running which keeps the CPU meter maxed anyway, but I have
scans starting at 11:11 pm, and work through them looking at messages here
mostly, and don't find it really tedious, although it is noticeably slower.
 