Full Disclosure mailing list archives

Re: Windows Update


From: Über GuidoZ <uberguidoz () gmail com>
Date: Tue, 24 Aug 2004 23:15:24 -0400

Be happy to discuss it Jason. =) FYI: Be sure to "reply all" when
replying (or change the "to" address) so that your replies go to the
list. I've quoted your original below...

I'll respond to your question/comment in a few ways. (All that I'm
about to mention is in regards to Windows boxes.) In my early days,
I was a strong Norton Antivirus user. (In fact, Symantec in general.)
Then, I got smarter. While it's a perfectly good AV for most
home/corporate environments, I didn't like the footprint it left on
systems. Too much memory use! I eventually changed to AVG Free Edition
and loved it. Very small computer footprint, did all I needed it to
do, and updated daily from the desktop. (With Norton you have to
manually download the daily updates from their website if you're a
home user.) With AVG, I just schedule it to run at like 4am and it
was all good. I'm currently testing out NOD32 and like it quite a bit.
It's a bit more "user friendly" than AVG, plus it has a number of more
features. It's not free however, but not as expensive as Norton.

So we'll talk about those three. Norton, AVG, NOD32. I agree with you
on AVG - when you use the auto-update feature, it grabs program
updates and definition updates. I wouldn't use, nor recommend, this in
a corporate environment though. Norton, I'll argue against. It's
entirely possible it's changed since I last used it frequently (2003),
however at that time the automatic updates were virus definitions
ONLY. (Proof: When there are program updates, it will flash the
LiveUpdate icon in the Task Bar, alerting you that there were program
updates that needed to be downloaded. Running LiveUpdate then
downloads/installs them.) It will not download program updates since
they all require a reboot of the PC to load. It waits for user
intervention first.

NOD32 seems to be the same way. I haven't done much testing with it,
plus I'm away from a Windows box at the moment so I can't pop on and
check. It may grab program updates automatically, however I haven't
noticed this. But again, like AVG, I wouldn't recommend this program
in a corporate environment. I'm rather fond of Norton AV Corporate in
such a place, over many of the competitors. Maybe it goes back to my
old Symantec roots (even beta testing). Maybe it's because I find it
easy to use and support. (McAfee is a different story. Yikes. In my
shop McAfee seems to be the culprit of a surprising amount of
conflicts.)

Of course there are others that deserve mention. Panda is another
example of a good AV solution that could be used in the corporate
world. I don't have a lot of experience with it, so I won't argue
either or. The actual solution you choose depends on the setup. I've
administered networks that use client AV solutions only. I've been on
networks where they use a mail-server solution only. And everything in
between.

I've always been under the impression (at least in my experience) that
when auto-updates are run, they only grab the virus definitions. I've
always done program updates separately, both through the LiveUpdate
(or equivalent) aspect, or through manual downloads from the
manufacturer website. This goes for both Home and Corporate users,
although I think we all agree this is really only a big issue in a
corporate environment.

Thoughts are most welcome by anyone. Thanks for your insight Jason -
looking forward to possibly learning something new. =)

--
Peace. ~G

On Wed, 25 Aug 2004 01:24:30 +0000 GMT, Jason Coombs PivX Solutions
<jcoombs () pivx com> wrote:
I DID say I only allow virus definition files
to auto-update, not program updates.

Show me an anti-virus program that does auto-update of "virus definitions" and I will show you one that does program 
updates, too, under the false pretense of doing only virus definition updates.

From what I have seen, you are mistaken in your belief that you are only getting data in your A/V updates.

Tell me which product you are using and I will see if I can show you in detail what I mean.

Most Secure Regards,

Jason Coombs
Jcoombs () PivX com 

-----Original Message-----
From: Über GuidoZ <uberguidoz () gmail com>
Date: Tue, 24 Aug 2004 18:12:38
To:joe <mvp () joeware net>
Cc:FD <full-disclosure () netsys com>
Subject: Re: [Full-disclosure] Windows Update

A very valid point Joe, thanks for bringing it up. I DID say I only
allow virus definition files to auto-update, not program updates. Are
the definition file updates the ones causing the problems you speak
of, or the program updates to the scanning engine?

Besides that, if you can't trust the definitions updates to go
properly, then you seriously need to think about changing AV products.
;)

Reading further down the conversation, I see discussion on the
Auto-Update service. Some good points were mentioned here too. Just
because it is enabled it doesn't mean you have to let them INSTALL. In
fact, you can do an advanced install method to pick and choose which
patches to install from the downloaded updates. A nice feature indeed
- I hope this hasn't been altered in post SP2. (I never checked.) My
point was to argue against the automated downloading and installing of
updates, which I believe IS the default after SP2 is installed.

~G

On Sun, 22 Aug 2004 09:01:54 -0400, joe <mvp () joeware net> wrote:
If that is your stance, you should probably have it for AV updates as well.
There have been various AV updates that have been known to break
functionality and blue screen boxes. I recall one update for one of my
customers that had blown up a good many web servers and local site file and
print servers (hundreds of servers) and this is with an AV Update that was
approved by and placed on the distribution server by central security.

Anyway, versus completely shutting down WU, you can configure to automatic
download without installation.

All that being said, actively professionally maintained servers are in a
different boat than most machines that will be running WU. In a large
properly firewalled and protected corporate environment, I don't think the
client support group would really depend on automatic updates from outside
the company, they would use SUS or some other deployment mechanism. If using
some other deployment mechanism, WU would be off. Either way, patches would
be tested before being deployed, it wouldn't be automatic.

That being said, once you get to x machines with x being a function of your
resources available to do testing, the number of LOB apps you have running,
and how bad the hole is being plugged you will run into occasion where you
can not test everything and simply have to release. One would hope that this
will be less frequent if you have XP SP2 deployed and have the firewall up
and running without turning it into swiss cheese but until we see the next
worm type attack and see if XP SP2 is safer we can't for sure say anything.
If the biggest issues end up requiring some sort of people interaction, then
that is quite a win in and of itself.

  joe




-----Original Message-----
From: full-disclosure-admin () lists netsys com
[mailto:full-disclosure-admin () lists netsys com] On Behalf Of Über GuidoZ
Sent: Saturday, August 21, 2004 7:56 PM
To: FD
Subject: Re: [Full-disclosure] Windows Update

Umm, hold on a sec here...

(snip from "James Tucker"):
There really should be no reason why you would want to disable the
Automatic Updates service anyway, unless you are rolling out updates
using a centralised distribution system, in which case you would not
need it anyway.

I believe you are missing one fundamental point: SPs and updates are
notorious for breaking something else. (Especially from Microsoft.) Granted,
if fixing a security weakness breaks something you're using, then that
aspect could have been written better. However, that still doesn't fix it
when an entire business network goes down and YOU are the one responsible. I
do not allow ANY automatic updates (except for virus definitions) to run on
ANY networks I am in charge of. I take the time (like every good sysadmin
should) to look over each update before applying it so I know three things:

1. What it's fixing/patching
2. Why it's fixing/patching it
3. What will be the end result of the fix/patch

If you would simply allow updates and SPs to have free rein over your
system(s) without taking any time to look over those updates, you're going
to be one busy and irritated sysadmin. That is, if you still have a job
after a little bit.

~G

P.S. Don't take my word for it. Look here:
 - http://www.infoworld.com/article/04/08/12/HNdisablesp2_1.html
 - http://www.pcworld.idg.com.au/index.php/id;1183008015;fp;2;fpid;1
 - http://www.integratedmar.com/ecl-usa/story.cfm?item=18619
 - http://www.vnunet.com/news/1157279
 - Or, find the other 200+ articles by searching Google News
    for "disable automatic update sp2"  =)

On Sat, 21 Aug 2004 18:51:40 -0300, James Tucker <jftucker () gmail com> wrote:
Here I found that I can have BITS and Automatic Updates in "manual",
Windows Update works fine here. It may be a good idea to refresh the
MMC console page, as you will probably find that at time the service
had shut down if and when BITS was stopped prematurely (i.e. when it
was in use).

There really should be no reason why you would want to disable the
Automatic Updates service anyway, unless you are rolling out updates
using a centralised distribution system, in which case you would not
need it anyway.

If you are worried about system resources, you should look into how
much the service really uses; the effect is negligible, in fact there
is more impact if you select (scroll over) a large number of
application shortcuts (due to the caching system) than if you leave
Automatic Updates on. If you are worried about your privacy and you
don't believe that the data sent back and forth has not been checked
before, then you surely don't want to run Windows Updates ever. If you
want to cull some real system resources and have not already done so,
turn the Help and Support service to manual, that will save ~30mb on
boot, up until the first use of XP help; this will stop help links
from programs from forwarding to the correct page, until the service
has loaded once.

As for worry over using bandwidth on your internet service, again, you
want to check this out as it's a trickle service, not a flood. BITS
does not stand for Bloody Idiots Trashing Service; it means what it
says on the tin.

On Fri, 20 Aug 2004 14:30:22 -0700, David Vincent
<support () sleepdeprived ca> wrote:
joe wrote:

Yep, this is how it works now.

You control whether Windows Update is updating or not via the
security panel in the control panel applets (wscui.cpl).


To be complete, I should have mentioned I have Automatic Updates
turned off in the control panel.  I also had the service disabled
before applying SP2 and venturing to Windows Update v5.

Of course if you aren't using automatic update you could always
disable the service and just reenable when you go to do the update,
or don't use windows update at all and just pull the downloads
separately. We are talking about a single command line to reenable
that service


Yep.

Is it a pain? Yes, for those who like to run minimal services. Is
it a security issue or life threatening, probably not.


Agreed.

-d


-- 
Peace. ~G

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

