Definition file modified date not consistent?

[Guest]

This is very strange. I just noticed that the definition file for the Windows
Defender have different date between the one displayed in the Windows
Defender itself and that of wpas_f.exe. I assume that the wpas_f.exe is the
file that Windows AutoUpdate download for the Windows Defender. The date of
the file (wpas_f.exe) does not match the date on the Windows Defender itself.
So my question is

1) What is the purpose of wpas_f.exe?
2) Some computer have wpas_fe.exe instead of wpas_f.exe. What are the
differences between the two?
3) Why the date stamp of the file (wpas_f.exe) differ from the date
displayed on the Windows Defender?
4) Can someone confirm the date/time of the file wpas_f.exe for the latest
Windows Defender definition files?

I'm really concern now since there are two files (one with a lot of letter
and number) that download at the same time the definition file supposedly got
download.

MM

 

[Guest]

Sorry, I meant mpas_f.exe instead of wpas_f.exe

 

[Bill Sanderson MVP]

What's the nature of your concern?

The text at the bottom of the home page of Windows Defender describes the
creation timestamp--which I believe will be the same for every machine--it
doesn't describe anything about file dates for processes involved in
distributing those definitions.

Mine reads:

1.14.1410.10 created on 4/26/2006 at 2:33 PM.

Those definitions were manually updated by me late yesterday by downloading
this file:

04/29/2006 05:07 PM 1,780,040
mpas-f_f5c9a9f55ebf35ef051321bb78ade9a38419da48.exe

The date and time on that file are the download date and time, and have
nothing to do with the definition creation process.
(I didn't keep the original download, so I had to re-download to show the
name.)

This file is digitally signed, using a Verisign certificate, by Microsoft,
on Thursday, April 27, 2006 at 1:56:33 AM.

 

[Guest]

Thanks. However, in my cases, the update happened automatically so instead of
one file, the machine got two files (mpas-f.exe and
f5c9a9f55ebf35ef051321bb78ade9a38419da48). Both have Modified date/time stamp
on April 27, 2006 at 7:14pm. My understanding is that Modified time stamp
indicate when the file was modified the last time. This doesn't correspond to
any time stamp on the display of Windows Defender. Another thing is that the
mpas-f.exe got deleted upon rebooting.

I would think that, at least, the definition file should have the same
date/time stamp as the one showing in WD display and the time that it was
signed. So I feel suspicious about the mpas-f.exe file. Can someone confirm
that the mpas-f.exe is a legitmate MS program used in the WD updating? I also
concern because some machine have mpas-fe.exe instead of the mpas-f.exe. What
are the differences between the two?

MM

 

[Bill Sanderson MVP]

I can't confirm any details about the update process, nor do I think it
likely that Microsoft will post detailed information, either about
individual updates, or about the process as a whole.

I think your underlying question is quite valid, however, and maybe we can
get some form of answer to it--basically, I'd phrase it as: Why should I
trust the update process for Windows Defender?

I think this really comes down to "Why should I trust AutoUpdate.?"

I've done a little searching for a paper or article that gives some
background here, and not come up with anything immediately--I'm going to
keep searching.
--

 

[Guest]

Hi Bill,

See my post
Subject: Windows Defender Update 1.14.1410.10
4/27/2006 7:07 PM PST
By: Engel
In: microsoft.private.security.spyware.signatures

Maybe the answer from Steve D., apply in this case?

 

[Bill Sanderson MVP]

Perhaps. MM - are you seeing repeated re-offers of the definition updates?

--

 

[Bill Sanderson MVP]

Here's a regularly updated KB article which lists all content pushed via the
update mechanisms:

http://support.microsoft.com/kb/894199

I've looked for a good description of the safeguards in WindowsUpdate and
AutoUpdate, and haven't found one. Paraphrasing another MVP--the important
thing is that 1) the update servers are kept secure--I know of no situation
in which they have been compromised. 2) update code is digitally
signed--and the update mechanisms will not install unless this signature is
valid.

I don't know if these observations help with your question about
updates--let me know.

--