strange signature dates - hijacked or error?

citizenDAK

Two computers have conflicting signature version
information, it appears? Both state they are "up to date"
when I check for updates. (Notice that the one with the
higher version number, has an earlier date???)

A Win2000 machine says this:

Microsoft AntiSpyware Version: 1.0.509
This version expires on: 7/31/2005
Spyware Definition Version: 5687 (2/24/2005 10:04:02 AM)

And a WinXP machine says this:

Microsoft AntiSpyware Version: 1.0.509
This version expires on: 7/31/2005
Spyware Definition Version: 5691 (2/22/2005 6:35:50 PM)
 
Bill Sanderson

On both machines, go to File, Check for updates.

Observe carefully whether or not you see extra lines of output indicating
that an actual update happens--my bet is that you won't.

After that completes, go to Help, about on both and compare. See what's
changed.

This is a bug--but it is an appearance bug, rather than an actual problem
with having older sigs in place. You can also verify this by looking at the
actual files involved. Although this KB article hasn't been updated, it
will show you the files to look at:

Information about update files and how to determine whether you are on the
latest (technical)
http://support.microsoft.com/default.aspx?scid=kb;en-us;892519
 
citizenDAK

Thank you for the reply... (see responses below)

> On both machines, go to File, Check for updates.
> Observe carefully whether or not you see extra lines of
> output indicating that an actual update happens--my bet is
> that you won't.

Correct, it did NOT actually update.

> After that completes, go to Help, about on both and
> compare. See what's changed.

Not changed.

> This is a bug--but it is an appearance bug, rather than an actual problem
> with having older sigs in place. You can also verify this by looking at the
> actual files involved. Although this KB article hasn't been updated, it
> will show you the files to look at:
>
> Information about update files and how to determine whether you are on the
> latest (technical)
> http://support.microsoft.com/default.aspx?scid=kb;en-us;892519


Results of using the kb article info:

On the WinXP machine, the two definition files are the
newer version 5691 (Feb.17th).

On the Win2000 machine, the two files are the older version
5687a (Feb.5th)! (I even verified the MD5 checksums.)
This date does NOT match the displayed version from
help->about, but the version number "5687" does.


Is there more diagnostic information you need?
 
Bill Sanderson

citizenDAK said:
> Thank you for the reply... (see responses below)

responses below as well

> Correct, it did NOT actually update.

so far so good, but...

> Not changed.

Not what I'd expected. One machine isn't updating.

> Results of using the kb article info:
>
> On the WinXP machine, the two definition files are the
> newer version 5691 (Feb.17th).
>
> On the Win2000 machine, the two files are the older version
> 5687a (Feb.5th)! (I even verified the MD5 checksums.)
> This date does NOT match the displayed version from
> help->about, but the version number "5687" does.

I think that the Help, about date is the actual date and time the update was
received on the machine.

> Is there more diagnostic information you need?

On the Windows 2000 machine--what happens if you go to start, programs,
Microsoft Antispyware, Microsoft Antispyware Update?

Will that bring in the update?
 
citizenDAK

No, I see the same thing as when choosing file->check for
updates... It says it's up to date. Still have the files
dated 2/5 afterwards.


btw: One difference in the way the two machines had MSAS
installed:

The XP machine had the original January beta (which never
updated its sigs even when the new version was available),
then had 1.0.509 installed on top of it. After the upgrade
was installed, the 'check for updates' worked.

The Win2k (sp4 + all Windows Updates) is a new clean OS
installation. I installed only the newer Feb. beta
(1.0.509). Not sure whether this has any impact.

The XP machine had SpyBot-S&D w/ teatimer, and
SpywareBlaster on it before adding MSAS. (Still has them.)
The 2k machine does not. Both machines have Symantec
Antivirus Corp-ed 9.0.2.1000.
 
Bill Sanderson

I don't know of any conflicts with that list--but I don't have a solid list
of such conflicts--just what I can remember from reading posts here.

Something is broken about the Windows 2000 install. I suspect that if Steve
Dodson were reading this, he'd recommend logging in as an administrator on
the local machine, and doing a start, control panel, add/remove programs,
Microsoft Antispyware, change, update

(i.e. repair install)
 
citizenDAK

Just tried that... No improvement. Still same files and
same version information in help-about.
 
Bill Sanderson

I'm stuck. No firewall, right--not even some old pieces left lying around
from a previous install? And no error messages from either update process?

According to the current build's help (search on firewall ports) port 80 is
all that is needed. I'm somewhat suspicious of this--I could swear that
HTTPS is still involved--perhaps in firing off the suspect spyware reports,
perhaps in pulling in definitions......but it sure isn't mentioned, and I
believe it was.

The Release Notes section of the help has most if not all of the gotchas and
Microsoft's recommended fixes for them so far. I hadn't been through this
and it has changed significantly from the previous build, I think.
 
citizenDAK

There is a hardware firewall between our LAN and the
Internet. However, BOTH PC's are connected to the same
LAN. One updated fine and one failed. Go figure?

No error messages, correct.


Other software present on both: RealVNC 4.0, Firefox 1.0
(MOOX M3 build), Office2k, Copernic Desktop Search,
FileBack PC, WinZip, 7-zip, etc...

Problem Win2k machine is a desktop P-4 w/ H.T. enabled.
Good WinXP machine is a laptop (Dell Inspiron 8200) w/out HT.
 
citizenDAK

Uninstalled. Zipped, then deleted the program folder.
Reinstalled the Feb. release. Checked for updates (didn't
seem to get anything). Here's the help-about info, shows
WRONG DEF VERSION, with timestamp from when it was
installed three minutes ago:

Microsoft AntiSpyware Version: 1.0.509
This version expires on: 7/31/2005
Spyware Definition Version: 5687 (2/25/2005 10:26:07 AM)
 
Bill Sanderson

Actually - I think this is correct. 5687 is the def set packaged with .509
as of this writing

If you have an install with 5691 in place already, and upgrade that from
.501 to 509, the newer defs are not overwritten.

You could actually move the defs from the good machine to the bad one I
think--I've never tried this yet--here's which files:

http://support.microsoft.com/default.aspx?scid=kb;en-us;892519
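
Added example, not part of the thread: the Help > About readings posted above, parsed and compared by definition number rather than by the date shown, since the replies take that date to be when the update was received on the machine. The host labels and function names are assumptions made for this example.

```python
import re
from datetime import datetime

# Help > About text copied from the posts above; host labels are assumptions.
ABOUT = {
    "win2000": "Microsoft AntiSpyware Version: 1.0.509\n"
               "This version expires on: 7/31/2005\n"
               "Spyware Definition Version: 5687 (2/24/2005 10:04:02 AM)",
    "winxp": "Microsoft AntiSpyware Version: 1.0.509\n"
             "This version expires on: 7/31/2005\n"
             "Spyware Definition Version: 5691 (2/22/2005 6:35:50 PM)",
}

PROD_RE = re.compile(r"Microsoft AntiSpyware Version:\s*([\d.]+)")
DEF_RE = re.compile(r"Spyware Definition Version:\s*(\d+)\s*\(([^)]+)\)")


def parse_about(text):
    """Extract product version, definition number and the displayed timestamp."""
    prod, defs = PROD_RE.search(text), DEF_RE.search(text)
    if not prod or not defs:
        raise ValueError("unrecognised Help > About text")
    stamp = datetime.strptime(defs.group(2).strip(), "%m/%d/%Y %I:%M:%S %p")
    return {"product": prod.group(1), "defs": int(defs.group(1)), "stamp": stamp}


def audit(about_by_host):
    """Mark hosts stale by definition number only; the date is never used for ranking."""
    parsed = {h: parse_about(t) for h, t in about_by_host.items()}
    newest = max(v["defs"] for v in parsed.values())
    report = {}
    for host, v in parsed.items():
        # Older definitions showing a later date than a host with newer ones:
        # the display that prompted the question in the first post.
        misleading = any(o["defs"] > v["defs"] and o["stamp"] < v["stamp"]
                         for o in parsed.values())
        report[host] = {"defs": v["defs"], "stale": v["defs"] < newest,
                        "misleading_date": misleading}
    return report


if __name__ == "__main__":
    for host, row in audit(ABOUT).items():
        print(host, row)
```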
 
