Why definition updates fail: possible reason

[Robin Walker [MVP]]

These groups are full of complaints that MSAS definition updates sometimes
repeatedly try to download the same updates, and so on. Or updates that are
available to one poster appear not to be available when another poster
tries. These problems seem to occur only to some users: others have no
trouble at all. The users that do have trouble seem to have trouble
repeatedly.

I believe that these problems are caused by web caching of one sort or
another.

When Microsoft update their definition files, they do not change the URL of
the files to be fetched. Also, when they serve the files, there are no HTTP
headers which mark the content as non-cachable. All they do is send an HTTP
"ETag", which is a code that changes if the content changes for the same
URL.

Many ISPs operate a system of transparent web proxy caches. These are set
up to keep cached copies within the ISP's network of the content of HTTP
documents fetched from outside the ISP's network. Some ISP proxy web-caches
do not recognise the "ETag" HTTP header as anything special. These proxy
caches will not notice when Microsoft update the MSAS definitions on the MS
spynet server, and these proxy caches will continue to serve stale content
(previous versions) of MSAS definitions to the end-users of that ISP.

End-users on such ISPs will find that MSAS appears to repeatedly revert to
out-of-date versions of the definition files. Interestingly, when MSAS
requests the latest definition version number from the spynet server, it
sends that HTTP request "no-cache" so that it always gets the latest true
response from the spynet server, unaffected by any intervening cache. It is
when it comes to fetch the definitions files themselves that it is liable to
be served stale content by an ISP's web proxy cache.

There is very little that an end-user can do to extricate themselves from
this problem, other than wait for the ISP's proxy web cache to time-out the
stale content copy, and fetch fresh copies from the spynet server. [End
users that understand how to circumvent ISP's transparent web proxy caches
by configuring an explicit HTTP proxy on a port other than 80 may try that
technique to see if that solves their MSAS problem: this is not recommended
for non-expert users].

Microsoft could help ease this situation if, when serving the MSAS
definition files, they used HTTP headers other than just "ETag" to limit the
extent to which MSAS definition files are held cached in ISPs' proxy caches.

Related issue #1:
Tests here show that MSAS uses the HTTP fetch mechanism of the user's web
browser, rather than making HTTP requests itself. After the definition
files have been downloaded, they are held in the browser's web cache as
*.gcz files. I would have expected Microsoft to have ensured that MSIE
honours the "ETag" when deciding whether to use a local cached copy rather
than fetch it, but there is always the possibility of some problem in this
area. So if users are having difficulties with outdated files, it might
help to clear the browser's local cache (Temporary Internet Files).

Related Issue #2:
Do not rely on the definitions version number shown in the "About Microsoft
Windows AntiSpyware" dialogue panel, unless you have just shutdown and
relaunched MSAS. It can, for instance, display the wrong version number
after a definitions update, thus misleading you as to what is going on. It
shows the correct version number when MSAS has just been newly launched
(e.g. after a Windows restart).

 

[plun]

It happens that Robin Walker [MVP] formulated :

These groups are full of complaints that MSAS definition updates sometimes
repeatedly try to download the same updates, and so on. Or updates that are
available to one poster appear not to be available when another poster tries.
These problems seem to occur only to some users: others have no trouble at
all. The users that do have trouble seem to have trouble repeatedly.

I believe that these problems are caused by web caching of one sort or
another.

Hi

I believe that ALL users running 1.0.614 have this problem but only a
handful
sees it beacuse this bug is really ugly.

And I cannot understand why this suddenly occurs now with a new build ?

It must be a bug within MSAS updater function which is totally corrupt
and leading to this update loop with no update.

 

[Leo Feret]

Robin's suppositional musings have theoretical merit but I think they
have nothing to do with the 1.0.614 fiasco. Many average skill people
have this problem without knowing it - I suspect 100s of 1000s of people
are not as protected as they think they are.

It happens that Robin Walker [MVP] formulated :

Hi

I believe that ALL users running 1.0.614 have this problem but only a
handful
sees it beacuse this bug is really ugly.

And I cannot understand why this suddenly occurs now with a new build
?
It must be a bug within MSAS updater function which is totally corrupt
and leading to this update loop with no update.

--
--
Leo Feret - "I'm not always at the keyboard;
·|Ô¿Ô¬|· sometimes I use the trackball."
____________________________________________
"Nature has placed in our minds an insatiable longing to see the truth."
- Marcus Tullius Cicero (106BC-43BC)

 

[plun]

Leo Feret formulated on tisdag :

Robin's suppositional musings have theoretical merit but I think they have
nothing to do with the 1.0.614 fiasco. Many average skill people have this
problem without knowing it - I suspect 100s of 1000s of people are not as
protected as they think they are.

Well, my TIF is always nearly empty, it is set to max 1MB to avoid
"junkyard".

For several years ago all major ISPs in my country closed all proxy
servers
, webtraffic nowadays is small compared to p2p traffic.
And these proxies cannot handle todays much larger broadband traffic
and rapidly changes in new versions for all software and webpages.

So I have direct link with no proxy and nothing in my TIF to Spynet.

So I suspect that 990 of 1000 dont see this bug and believe that they
are
running latest defs.

 

[alan]

I have the same problem with release 614 which is resolved by returning to
613. However, 613 gives me a strange problem with Zonealarm firewall.
Zonealarm warns me that MS Antispyware needs to access the internet
continually, despite the fact that it has been given permission previously
(I have been using Zonealarm for 3 years and have never had a similar
problem).

So, in order to correct this problem I have returned to ver 509 which I have
been using without problem since its release. Now I get the looping update
problem again with signature update 5729. This is really strange and may
indicate a problem with the signature file itself.

NOTE: In order to install ver 509 I uninstalled ver 613, removed all
registry entries and deleted the MA Antispyware folder. It can't be some
residual component of 613 causing the problem, I feel.

Alan

| Leo Feret formulated on tisdag :
| > Robin's suppositional musings have theoretical merit but I think they
have
| > nothing to do with the 1.0.614 fiasco. Many average skill people have
this
| > problem without knowing it - I suspect 100s of 1000s of people are not
as
| > protected as they think they are.
|
| Well, my TIF is always nearly empty, it is set to max 1MB to avoid
| "junkyard".
|
| For several years ago all major ISPs in my country closed all proxy
| servers
| , webtraffic nowadays is small compared to p2p traffic.
| And these proxies cannot handle todays much larger broadband traffic
| and rapidly changes in new versions for all software and webpages.
|
| So I have direct link with no proxy and nothing in my TIF to Spynet.
|
| So I suspect that 990 of 1000 dont see this bug and believe that they
| are
| running latest defs.
|
| --
| plun
|
|

 

[plun]

Hi

Well maybe "double-trouble" for you, Zone Alarm have problem also

http://forum.zonelabs.org/zonelabs/board?board.id=gen

Really angry users............

And this MSAS problem will for sure be solved

 

[Anonymous Bob]

Hi

Well maybe "double-trouble" for you, Zone Alarm have problem also

http://forum.zonelabs.org/zonelabs/board?board.id=gen

Really angry users............

Waaaay too much coffee<g>

Bob Vanderveen

 

[-Dan-]

[]
|
| I believe that these problems are caused by web caching of one sort or
| another.
|
| When Microsoft update their definition files, they do not change the URL
of
| the files to be fetched. Also, when they serve the files, there are no
HTTP
| headers which mark the content as non-cachable. All they do is send an
HTTP
| "ETag", which is a code that changes if the content changes for the same
| URL.
|
| Many ISPs operate a system of transparent web proxy caches.
[]
|

Robin,

This rung my bell... thanks... as in local browser caching.

I have been plagued with the repeated downloading syndrome. So, I dumped
the browser cache, then went on over to the Advanced Tab and set it to dump
the cache on browser close. This is, IHMO, just a bandaid patch; but it is
working. Now, I will have to open and close my browser pretty often, at
least once after each update. I know this is a workaround because the def
file should cause MSAS flags to be updated, and 5729 doesn't.

 

[TaxMan]

-----Original Message-----
These groups are full of complaints that MSAS definition updates sometimes
repeatedly try to download the same updates, and so on.

Interesting, but if it were a proxy caching problem, then
how does it explain why direct download the the update
files fixes the problem? I would expect direct download,
bypassing the program would also download the cached
definition.

Since the problem surfaced with the 416 update, dozens of
people have fixed the endless update loop, by getting the
current definitions via their browser and installing them
manually. As far as I know, this method has not failed for
anybody who followed the directions properly.

I would like to emphasize the point made by plun, that this
is a problem unlikely to be noticed by most users who are
blissfully unaware that they are running outdated definitions.

The symptoms indicate that something is seriously broken in
the current build which cannot be blamed on stale files in
the user's TIF or caching proxy servers at the user end.