Ver. 1.0.614 Definition Update Problems

[John Gruener]

In case it's not clear from all the postings on this
issue, there is definitely a problem with the definition
updates.

After manually updating from 5727 to 5729, the next day
the automatic update says that an update is available (I
have the "Apply new updates without interrupting me"
option unchecked). I click yes to tell it to update, and
it downgrades the definitions to 5727.

I then manually update (File - Check for updates) and it
updates to 5729 again. In fact even after 5729 is
installed, each time I check for updates it
says "Upgrading definitions version 5727 to version 5729".
This occurs even after a reboot.

Next day I'm again notified that an update is available,
and it again downgrades the definitions to 5727.

I see this same problem on several machines, running
Windows XP SP2 and Windows 2000 SP4.

It would be helpful to know if anyone at Microsoft is
aware of this problem and is working on it.

- John

 

[Bill Sanderson]

Microsoft is aware of this issue and interested in your experience.

When you mention that the defs are downgraded--have you in fact looked at
the dates and sizes of the def files and observed whether they change? My
own guess is that the upgrade is, in fact, failing, rather than a downgrade
occurring.

 

[Bill Sanderson]

I should have said more. A number of folks have had success clearing up
this issue by manually downloading the def files from spynet and physically
replacing the current files.

I'd like you first, if possible, to simply try deleting the current
definition files from your system to see what happens.

Here's a KB article that will show which files are involved--although the
quick way to find them is to do dir *.gcd /os in the Microsoft Antispyware
install folder--they are the two largest .GCD files.

http://support.microsoft.com/default.aspx?scid=kb;en-us;892519

In my experience with a similar-appearing issue in the past, this action
cleared the problem up. I've recommended it to some with the current
problem as well, and it hasn't worked for them, but I still think it is
worth trying.

The manual download files can be found here:

http://download.spynet.com/ASDefinitions/gcDeterminationData.gcd
http://download.spynet.com/ASDefinitions/gcThreatAuditScanData.gcd
http://download.spynet.com/ASDefinitions/gcThreatAuditThreatData.gcd

Three files are listed here. I'm unclear about whether the third file is
necessary, since it isn't listed in the KB article. I have seen reports of
a third file replaced during some definition updates, though.

 

[Willem]

Same problem here. Upgraded to .614 on june 27.
After installing it showed 5727 although I was at 5729 in .613.
Updating manually it showed 5729 in Help - About only after
several attempts. But this morning I found it back showing 5727.
The .GCD files are dated june 16 all the time.

System: Win XP Pro Dutch SP2 , limited rights account for normal use.

Willem

 

[Willem]

Microsoft is aware of this issue and interested in your experience.
(...)

You have no signature, but may I conclude from this that you are the oficial
Microsoft spokesman in this group?

Willem

 

[Robin Walker [MVP]]

I then manually update (File - Check for updates) and it
updates to 5729 again. In fact even after 5729 is
installed, each time I check for updates it
says "Upgrading definitions version 5727 to version 5729".

This is symptomatic of web cache problems somewhere.
Please tell us:

1. What browser (e.g. MSIE or Firefox) is the default browser for your
system;
2. Whether your ISP operates a transparent web proxy cache;
3. Whether you have tried emptying your Temporary Internet Files (and/or the
Firefox cache) before running the MSAS definitions update.

 

[Willem]

(...) http://support.microsoft.com/default.aspx?scid=kb;en-us;892519

That article is not of much help anymore, because the table ends at 5725 and
there have been at least 2 updates since then AFAIK.

Willem

 

[Robin Walker [MVP]]

Updating manually it showed 5729 in Help - About only after
several attempts. But this morning I found it back showing 5727.

Pay no attention to the version number in "About AntiSpyware": this is known
to be unreliable except after MSAS has been freshly launched (e.g. after a
Windows restart).

The only reliable way of telling what definitions files you have is to look
at the files themselves.

 

[plun]

Robin Walker [MVP] presented the following explanation :

This is symptomatic of web cache problems somewhere.
Please tell us:

1. What browser (e.g. MSIE or Firefox) is the default browser for your
system;
2. Whether your ISP operates a transparent web proxy cache;
3. Whether you have tried emptying your Temporary Internet Files (and/or the
Firefox cache) before running the MSAS definitions update.

Hi Robin

Do you know if MS using transparent proxies ? In this case then
reversed transparent towards user downloads ?

one hell of a mess it they do so.............. 8-o

 

[Bill Sanderson]

No you can't. I'm the most vocal of the group of volunteers that habitually
speak out here, but I'm not official in any way. Steve Dodson, or anyone
else using [MSFT] after their names are official, although perhaps not here
in a work capacity.

I realize that some statements I make are easily misinterpreted--or open to
question. In this case I know that Steve Dodson is investigating this
issue, and is interested in users who have not resolved this issue yet, and
are posting in these groups.

--

 

[Bill Sanderson]

I know what you mean. However, at least it gives the names of the files
involved, which is the first step.

--

 

[Bill Sanderson]

FWIW, I have also found the Help, About number to be reliable immediately
following a File, Check for update operation, regardless of whether that
operation resulted in an update.

I.E. you may see 5727 in Help, About, then do File, check for update, see no
update take place, but go back to Help, about and see 5729.

 

[Bill Sanderson]

I think what they use is probably somewhat more complex than transparent
proxies--but I don't know how to describe it--and I don't even know if such
a description is publicly available--it may be intentionally a black box
from a security standpoint.

 

[Steve Dodson [MSFT]]

While we are investigating, I am looking for the following:

1) What build you were running before upgrading to 614.
2) Does the problem go away if you uninstall and re-install build 614.

I would like to have a few people try the uninstall and re-install and let
me know if that is working for them.

--
-steve

Steve Dodson [MSFT]
MCSE, CISSP
PSS Security
http://blogs.technet.com/stevedod
--

This posting is provided "AS IS" with no warranties, and confers no rights.
Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm

Note: For the benefit of the community-at-large, all responses to this
message are best directed to the newsgroup/thread from which they
originated.

 

[Karl Yee]

I was running the very latest ver. just before the Beta
refresh. Then upgraded to 614. Tried it both ways, first,
as an upgrade over the existing installation and as a clean
install (even manually removed left over files). Same
problems that everyone here is having w/ def upgrades.

I'm running Windows 2000 SP4

KY

-----Original Message-----
While we are investigating, I am looking for the following:

1) What build you were running before upgrading to 614.
2) Does the problem go away if you uninstall and re-install build 614.

I would like to have a few people try the uninstall and re-install and let
me know if that is working for them.

--
-steve

Steve Dodson [MSFT]
MCSE, CISSP
PSS Security
http://blogs.technet.com/stevedod
--

This posting is provided "AS IS" with no warranties, and confers no rights.
Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm

Note: For the benefit of the community-at-large, all responses to this
message are best directed to the newsgroup/thread from which they
originated.

Microsoft is aware of this issue and interested in your experience.

When you mention that the defs are downgraded--have you in fact looked at
the dates and sizes of the def files and observed whether they change? My
own guess is that the upgrade is, in fact, failing, rather than a
downgrade occurring.

.

 

[John A. Wolf]

Steve, I was running 613 (I think). The problem does not go away with an
uninstall and reinstall.

--
John A. Wolf
(e-mail address removed)

While we are investigating, I am looking for the following:

1) What build you were running before upgrading to 614.
2) Does the problem go away if you uninstall and re-install build 614.

I would like to have a few people try the uninstall and re-install and let
me know if that is working for them.

--
-steve

Steve Dodson [MSFT]
MCSE, CISSP
PSS Security
http://blogs.technet.com/stevedod
--

This posting is provided "AS IS" with no warranties, and confers no
rights.
Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm

Note: For the benefit of the community-at-large, all responses to this
message are best directed to the newsgroup/thread from which they
originated.

Microsoft is aware of this issue and interested in your experience.

When you mention that the defs are downgraded--have you in fact looked at
the dates and sizes of the def files and observed whether they change?
My own guess is that the upgrade is, in fact, failing, rather than a
downgrade occurring.

 

[Steve Boyce]

Same experience here. Uninstalling and reinstalling did
not help.
Here in the errors.log which I posted below I notice 2
different scenarios.
Scenario 1
91::Object variable or With block variable not
set::Updates:LatestRulesetVersionID::30::01/07/2005
13:11:32
When this happens, the program returns "most recent
definitions" installed even though they are not.
Scenario 2
0:ownloadFileAPI Error -
2146697210::http://download.spynet.com/ASDefinitions/gcThr
eatAuditScanData.gcz::C:\Program Files\Microsoft
AntiSpyware\temp.zip::gcTCPObjLib:HTTPownloadFileAPI::01
/07/2005 13:18:41:XP:1.0.614
0:ownloadFileAPI Error -
2146697210::http://download.spynet.com/ASDefinitions/gcDet
erminationData.gcz::C:\Program Files\Microsoft
AntiSpyware\temp.zip::gcTCPObjLib:HTTPownloadFileAPI::01
/07/2005 13:18:42:XP:1.0.614
When this happens, the program reports that it has
updated the definitions, but in fact it has not.

I further notice that when this happens, if I browse to
http://download.spynet.com/ASDefinitions/gcDeterminationDa
ta.gcz
in IE, I get a 404 - Page not found

It suggests to me a combination of a failure to update
all servers in a round robin scenario, combined with a
failure of the program to correctly handle unexpected
cases.

Hope this helps - Steve

91::Object variable or With block variable not
set::Updates:LatestRulesetVersionID::30::01/07/2005
13:11:32
0:ownloadFileAPI Error -
2146697210::http://download.spynet.com/ASDefinitions/gcThr
eatAuditScanData.gcz::C:\Program Files\Microsoft
AntiSpyware\temp.zip::gcTCPObjLib:HTTPownloadFileAPI::01
/07/2005 13:18:41:XP:1.0.614
0:ownloadFileAPI Error -
2146697210::http://download.spynet.com/ASDefinitions/gcDet
erminationData.gcz::C:\Program Files\Microsoft
AntiSpyware\temp.zip::gcTCPObjLib:HTTPownloadFileAPI::01
/07/2005 13:18:42:XP:1.0.614
0:ownloadFileAPI Error for .cat file -
2146697210::http://download.spynet.com/ASDefinitions/gcThr
eatAuditScanData.cat::C:\Program Files\Microsoft
AntiSpyware\temp.cat::gcTCPObjLib:HTTPownloadFileAPI::01
/07/2005 13:19:05:XP:1.0.614
438::ln 0:Object doesn't support this property or
method::gcasDtServ:modMain:ShutDown::01/07/2005
13:26:58:XP:1.0.614
91::Object variable or With block variable not
set::Updates:LatestRulesetVersionID::30::01/07/2005
13:27:24
91::Object variable or With block variable not
set::Updates:LatestRulesetVersionID::30::01/07/2005
13:27:41
0:ownloadFileAPI Error for .cat file -
2146697210::http://download.spynet.com/ASDefinitions/gcThr
eatAuditThreatData.cat::C:\Program Files\Microsoft
AntiSpyware\temp.cat::gcTCPObjLib:HTTPownloadFileAPI::01
/07/2005 13:28:14:XP:1.0.614

-----Original Message-----
While we are investigating, I am looking for the following:

1) What build you were running before upgrading to 614.
2) Does the problem go away if you uninstall and re- install build 614.

I would like to have a few people try the uninstall and re-install and let
me know if that is working for them.

--
-steve

Steve Dodson [MSFT]
MCSE, CISSP
PSS Security
http://blogs.technet.com/stevedod
--

This posting is provided "AS IS" with no warranties, and confers no rights.
Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm

Note: For the benefit of the community-at-large, all responses to this
message are best directed to the newsgroup/thread from which they
originated.

Microsoft is aware of this issue and interested in your experience.

When you mention that the defs are downgraded--have you in fact looked at
the dates and sizes of the def files and observed whether they change? My
own guess is that the upgrade is, in fact, failing, rather than a
downgrade occurring.

.

 

[Rob]

"What a difference a day makes.."
Looking at the KB July 1-14:41 CDT and all files to 5729 are shown.

FWIW - my experience with this debacle;
Installed (upgraded to 613) - 05/06/24
Installed (upgraded to 614) - 05/06/25 (after a lot of confusion)
Def = 5727 05/06/16
Updated Definitions (manually) to 5729 on 05/06/29
"About" = 5729.
Today, after reading about the problems;
Checked the two .GCD files against the KB article.
Found that the dates and (approx) file sizes matched 5727
(not sure why the sizes differ slightly-assume some overhead included in the "Properties"
size)
Went and changed the Autoupdate time from 5pm to 2pm.
Checked the "About" and it reverted back to 5727 (which are the actual definition files on
the sys.)

Sighed, took a Tylenol, and wrote this epistle.

 

[Bill Sanderson]

Your experience mirrors that of a number of users, but not all by any means.
I haven't seen this issue on any machine, and I've been watching for it.

My current understanding of the issue is that it is a server-side issue, and
that Microsoft is working on it. However, I'm not sure whether resolving
the server issues fixes a machine which has already "stuck."

I'd recommend using the fix of manually replacing the definition files.

--

 

[John Gruener]

Steve,

I was running 1.0.509, then updated to 1.0.613 for one
day, then 1.0.614.

Just after today's "downgrade" occurred I checked the
files. The two files (gcThreatAuditThreatData.gcd and
gcDeterminationData.gcd) are indeed 5727 files, dated 6-26-
05, with the sizes corresponding to 5727 as listed here:
http://support.microsoft.com/default.aspx?scid=kb;en-
us;892519

I then did the "File - Check for updates" and it said it
was updating to 5731, but the only file that was updated
was gcUserData.gcd. The DeterminationData and ThreatData
files are still 5727, even though "Help - About" says I've
got 5731.

I disabled my Anti-Virus (McAfee) and software firewall
(ZoneAlarm) with the same results.

I'm running Windows 2000 SP4 and IE 6.0 SP1, with all
critical updates applied. No proxy server. This worked OK
in previous versions, and I've made no changes to
connectivity in many months.

Of course I could manually download the files and replace
them, but this would not help Microsoft diagnose the
problem. Let me know what you'd like me to try.

- John
(e-mail address removed) (remove the 2 'z's)

-----Original Message-----
While we are investigating, I am looking for the following:

1) What build you were running before upgrading to 614.
2) Does the problem go away if you uninstall and re- install build 614.

I would like to have a few people try the uninstall and re-install and let
me know if that is working for them.

--
-steve

Steve Dodson [MSFT]
MCSE, CISSP
PSS Security
http://blogs.technet.com/stevedod
--

This posting is provided "AS IS" with no warranties, and confers no rights.
Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm

Note: For the benefit of the community-at-large, all responses to this
message are best directed to the newsgroup/thread from which they
originated.

Microsoft is aware of this issue and interested in your experience.

When you mention that the defs are downgraded--have you in fact looked at
the dates and sizes of the def files and observed whether they change? My
own guess is that the upgrade is, in fact, failing, rather than a
downgrade occurring.

.