Why definition updates fail: another possible reason

Robin Walker [MVP]

I have managed to reproduce one problem with MSAS: where it will not update
from definitions 5727 to 5729, and reports that the most recent definitions
are installed (when in fact they are not). I have captured a network trace
of MSAS talking to the spynet servers with the following result:

======= HTTP request starts here ==========

POST /ASService/definitions.asmx HTTP/1.1
Accept: */*
Accept-Language: en-gb
Content-Length: 379
soapaction: "http://tempuri.org/GetLatestRulesetVersion"
Content-Type: text/xml
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.3705; .NET CLR 1.1.4322)
Host: service.spynet.com
Connection: Keep-Alive
Cache-Control: no-cache

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<GetLatestRulesetVersion xmlns="http://tempuri.org/">
<RegKey></RegKey>
<ExtraData></ExtraData></GetLatestRulesetVersion>
</soap:Body>
</soap:Envelope>

====== end of HTTP request, start of HTTP response ===========

HTTP/1.1 503 Service Unavailable
Connection: close
Date: Thu, 30 Jun 2005 10:39:56 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PR
Content-Type: text/html

<html><body><h1>Server is too busy</h1></body></html>

=========== end of HTTP response ===========

Note the error messages from the server: yet this is reported by MSAS as
"Most recent spyware definitions installed".

So it is clear that the "Most recent spyware definitions installed" message
cannot be trusted.

And it seems that some of the current problems can be attributed to update
server overload, rather than bugs with the application.
 
plun

Yup confirmed with Ethereal.

http://www.ethereal.com/

POST /ASService/definitions.asmx HTTP/1.1
Accept: */*
Accept-Language: en-us,sv;q=0.5
Content-Length: 379
soapaction: "http://tempuri.org/GetLatestRulesetVersion"
Content-Type: text/xml
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)
Host: service.spynet.com
Connection: Keep-Alive
Cache-Control: no-cache

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<GetLatestRulesetVersion xmlns="http://tempuri.org/">
<RegKey></RegKey>
<ExtraData></ExtraData></GetLatestRulesetVersion>
</soap:Body>
</soap:Envelope>

HTTP/1.1 100 Continue

HTTP/1.1 503 Service Unavailable
Connection: close
Date: Thu, 30 Jun 2005 12:13:25 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PR
Content-Type: text/html

<html><body><h1>Server is too busy</h1></body></html>
 
Bill Sanderson

This matches my experience with this process. I worked with one machine two
days ago which was less than 5729 in def level. I did one File, Check for
updates, and got two gold stars immediately. I immediately repeated the
operation, and got the expected definition update. Your network trace
explains the first failure.

I don't think that it explains the persistent "stuck" definitions issue,
though--my own thinking is that this is an issue on the local machine, more
likely--but I'm open on the question.
 
Bill Sanderson

So hold on, plun--are you saying that on your system, which I believe NEVER
updates--you are getting this server side error on each attempt--it isn't
just transient?

That'd be VERY significant, I think!
 
plun

After serious thinking Bill Sanderson wrote :
So hold on, plun--are you saying that on your system, which I believe NEVER
updates--you are getting this server side error on each attempt--it isn't
just transient?

That'd be VERY significant, I think!

Hi

Nope, now I get an "envelope" and it is working ;)

2 hours ago it was "busy server" and 503 faults as for Robin.
Must uninstall and see if it's working now ............


<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<soap:Body>
<GetLatestRulesetVersionResponse xmlns="http://tempuri.org/">
<GetLatestRulesetVersionResult>82</GetLatestRulesetVersionResult>
</GetLatestRulesetVersionResponse>
</soap:Body>
</soap:Envelope>

POST /ASService/definitions.asmx HTTP/1.1
Accept: */*
Accept-Language: en-us,sv;q=0.5
Content-Length: 379
soapaction: "http://tempuri.org/GetLatestRulesetVersion"
Content-Type: text/xml
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)
Host: service.spynet.com
Connection: Keep-Alive
Cache-Control: no-cache

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<GetLatestRulesetVersion xmlns="http://tempuri.org/">
<RegKey></RegKey>
<ExtraData></ExtraData></GetLatestRulesetVersion>
</soap:Body>
</soap:Envelope>

HTTP/1.1 100 Continue

HTTP/1.1 200 OK
Date: Thu, 30 Jun 2005 13:50:37 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PR
X-AspNet-Version: 1.1.4322
Cache-Control: private, max-age=0
Content-Type: text/xml; charset=utf-8
Content-Length: 406

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<soap:Body>
<GetLatestRulesetVersionResponse xmlns="http://tempuri.org/">
<GetLatestRulesetVersionResult>82</GetLatestRulesetVersionResult>
</GetLatestRulesetVersionResponse>
</soap:Body>
</soap:Envelope>
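The two traces in this thread (the 503 "Server is too busy" reply and the 200 reply carrying a version) show the distinction an update client has to make before it reports anything as current. The following is an added example, not part of any post here and not MSAS code: a fail-closed classifier that reports "up to date" only after a version has actually been parsed from a 200 SOAP response. The function names, the state strings, and the assumption that `GetLatestRulesetVersionResult` is an integer compared against a locally stored value are all hypothetical.

```python
import xml.etree.ElementTree as ET

# Namespaces as they appear in the captured SOAP envelopes.
NS = {"soap": "http://schemas.xmlsoap.org/soap/envelope/", "t": "http://tempuri.org/"}
RESULT_PATH = "soap:Body/t:GetLatestRulesetVersionResponse/t:GetLatestRulesetVersionResult"

def final_response(raw: bytes):
    """Return (status, content_type, body) of the final response, skipping 1xx interim ones."""
    while True:
        head, sep, rest = raw.partition(b"\r\n\r\n")
        lines = head.decode("iso-8859-1").split("\r\n")
        parts = lines[0].split(" ", 2)
        if not sep or len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
            raise ValueError("malformed or truncated HTTP response")
        status = int(parts[1])
        if 100 <= status < 200:      # e.g. the "HTTP/1.1 100 Continue" seen in the traces
            raw = rest
            continue
        headers = {k.strip().lower(): v.strip() for k, _, v in (l.partition(":") for l in lines[1:])}
        return status, headers.get("content-type", ""), rest

def check_for_update(raw: bytes, local_version: int):
    """Classify an update check as (state, detail); anything but a parsed version is a failure."""
    try:
        status, ctype, body = final_response(raw)
    except ValueError as exc:
        return "check_failed", str(exc)
    if status != 200:
        return "check_failed", f"HTTP {status}"
    if not ctype.lower().startswith("text/xml"):
        return "check_failed", f"unexpected content type {ctype!r}"
    try:
        latest = int(ET.fromstring(body).find(RESULT_PATH, NS).text)
    except (ET.ParseError, AttributeError, TypeError, ValueError):
        return "check_failed", "no usable version in response body"
    if latest > local_version:
        return "update_available", f"server has {latest}, local is {local_version}"
    return "up_to_date", f"server has {latest}, local is {local_version}"

# Constructed samples, trimmed from the two traces in this thread.
_ENVELOPE = (b'<?xml version="1.0" encoding="utf-8"?><soap:Envelope '
             b'xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body>'
             b'<GetLatestRulesetVersionResponse xmlns="http://tempuri.org/">'
             b'<GetLatestRulesetVersionResult>82</GetLatestRulesetVersionResult>'
             b'</GetLatestRulesetVersionResponse></soap:Body></soap:Envelope>')
RESP_503 = (b"HTTP/1.1 100 Continue\r\n\r\nHTTP/1.1 503 Service Unavailable\r\n"
            b"Content-Type: text/html\r\n\r\n<html><body><h1>Server is too busy</h1></body></html>")
RESP_200 = (b"HTTP/1.1 100 Continue\r\n\r\nHTTP/1.1 200 OK\r\n"
            b"Content-Type: text/xml; charset=utf-8\r\n\r\n" + _ENVELOPE)
```

With these samples, `check_for_update(RESP_503, 81)` yields a failed check rather than a success state, and the same function reports an available update or an up-to-date state only for the 200 response.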
 
plun

After serious thinking plun wrote :
After serious thinking Bill Sanderson wrote :

Hi

Nope, now I get an "envelope" and it is working ;)

2 hours ago it was "busy server" and 503 faults as for Robin.
Must uninstall and see if it's working now ............

Nope it is not working.............. :-@

I uninstalled MSAS, removed folders and cleaned registry left behinds
with CCleaner.

Clean install version 614.

Check for updates, I can see "Temp.zip" for a short time within MSAS
folder but no update, definitions 5725 dated June 9.

Must be an application fault within MSAS updater.
 
Guest

Similar problem on two machines on my home network - says
it is updating definitions from 5727 to 5729, gold star
and in the "about" pull down menu says 5729 installed,
but upon subsequent update attempts it again says
Updating from 5727 to 5729. Who knows if it is really
updated or not.

The problem is with the new version - never had this
before.
 
plun

(e-mail address removed) formulated on Friday :
Similar problem on two machines on my home network - says
it is updating definitions from 5727 to 5729, gold star
and in the "about" pull down menu says 5729 installed,
but upon subsequent update attempts it again says
Updating from 5727 to 5729. Who knows if it is really
updated or not.

The problem is with the new version - never had this
before.

Hi

Right click on MSAS icon within systray and choose shutdown.

Right click and "Save target as..."
http://download.spynet.com/ASDefinitions/gcDeterminationData.gcd

http://download.spynet.com/ASDefinitions/gcThreatAuditScanData.gcd

http://download.spynet.com/ASDefinitions/gcThreatAuditThreatData.gcd

Copy/paste these files to Program files/Microsoft Antispyware

Restart MSAS and "check for updates"

Done until MS realize that this is a bug..............
 
