Hi guys,

Problem : I have clean images and I like to keep these images up-to-date without going online to avoid any possible infection from the internet.
"Windows Update" requires an internet connection and I'm looking for an alternative.
Please no nLite-solution, I know nLite already.

I have "Windows XP Professional Service Pack 2" 32-bit - English

Possible solution :
Can I use this as an alternative for Windows Update ? I'm not familiar with this at all. Is this really the same as "Windows Update" or am I missing something ? Does it update my Windows completely ?
Any additional info is also welcome and to make it easier for readers, I provided all the links regarding this alternative.

http://support.microsoft.com/kb/913086
http://www.microsoft.com/downloads/details.aspx?FamilyId=04670B1A-7801-4074-8E40-CAB74D586A6C&displaylang=en

Maybe I didn't read far enough or missed it somewhere in there, but are these ISOs simply that particular months' updates? If so, that would seem to be a huge pain to download all that and add them to your image one by one. However, if you have all the others and just want to start doing it this way, I can see that being a lot easier.

I assume of course you don't mind going online to get these ISOs (I'm guessing doing it from a different system). Though unless I'm missing something, isn't the risk of getting a virus the same whether you go online to download the ISO or use Windows Update for your image? In either case, the risk of a virus via either method, provided that website that hosts the ISO, or the Windows Update website is pretty slim if they are the only two places you go.

The updates run about 1 to 2 weeks behind the MS release but THIS (http://www.belarc.com/free_download.html) will give you links to all security related Windows updates.

I download the updates i believe are necessary from http://www.softwarepatch.com/

I give them a scan and if alls clear i burn them to disk for safe storage.

The chances of being infected when connected to Microsoft surely must be negligable???
Unless you have a friend download the updates on your behalf in whatever form, ISO or otherwise,someone has to go online and use the internet ,obviously at some stage!!

I believe the SP3 updates are available from Microsoft as a CD-just buy that.
SP3 works well

AutoPatcher (http://www.autopatcher.com/)
Update Windows with Offline Update (http://www.ghacks.net/2008/01/21/update-windows-with-offline-update/)

Maybe MBSA 2.1 from MS can do this ?

http://technet.microsoft.com/en-us/security/cc184924.aspx

I use it on a XPpro guest in VMware Server

Lamehand

-{ Quote: "
I assume of course you don't mind going online to get these ISOs (I'm guessing doing it from a different system). Though unless I'm missing something, isn't the risk of getting a virus the same whether you go online to download the ISO or use Windows Update for your image? In either case, the risk of a virus via either method, provided that website that hosts the ISO, or the Windows Update website is pretty slim if they are the only two places you go." }-
Yes, you are missing something, because you assume that I have only ONE system partition, an actual system partition, like most users have.
I have a CLEAN system partition = image and an ACTUAL system partition = harddisk[C:].
I do my downloadings in my actual system partition, not in my clean system partition.
Each time I upgrade my clean system partition, I replace my actual system partition with my upgraded clean system partition.
I don't backup my actual system partition anymore, it might be infected, because it has been online too long.

-{ Quote: "AutoPatcher (http://www.autopatcher.com/)
Update Windows with Offline Update (http://www.ghacks.net/2008/01/21/update-windows-with-offline-update/)" }-
Microsoft forced Autopatcher to stop their activities and I assume that Autopatcher won't be the last one, like RyanVM, nLite, vLite and others. It's just a matter of time. Duplicating Windows Installation CD's isn't really good for M$.

-{ Quote: "Maybe MBSA 2.1 from MS can do this ?

http://technet.microsoft.com/en-us/security/cc184924.aspx

I use it on a XPpro guest in VMware Server

Lamehand" }-
I will try this one, just to see what it is. Never heard of it, but that is normal for me. LOL. Thanks.

ErikAlbert,

Here is a suggestion that might work for you:
Install Microsoft Baseline Security Analyzer (http://technet.microsoft.com/en-us/security/cc184924.aspx).
Let is run and find missing updates.
Click on the solution, which usually is a separate download of the missing hotfix (without going to the Microsoft Update site)
Store all the hotfixes in a safe place.

Reboot into a "clean offline installation" and run the stored updates.

The free Personal Secunia Inspector (https://psi.secunia.com/) is another option to accomplish the updates check. It also looks for missing updates of third party software.

If you install Windows XP Service pack 3 for your language, you do skip 90+ mandated hotfixes! Install it with the option /nobackup to save space.

Paul Thurrott (http://www.winsupersite.com/showcase/xpsp3_slipstream.asp) explains here how to slipstream SP3 into your CD without nLite. (meaning without making any alternations behind your back)

I tried some of the above mentioned tools but disliked them. They either had a lag on updates notifications or were too intrusive for my taste. For example, BelArc installs a driver (it needs to, as it does more than checking for updates) which I don't need. MBSA otoh will not run if "Server" service is disabled, starting it will open a port (I have no need for "Server" service, and will not have it running because of MBSA) . I also tried SecuniaPSI, I can't remember exactly why, but it was the worst of all (a hog?).
So I do everything manually. It's not so tedious (there are few updates these days). You just need to do a search for the exact KB###### and you'll find your updates in no time. By doing it this way, you also have a chance to read (on the download page) release notes for each update and to decide whether you need it or not. Download exes and execute them.

You certainly do not need to download the whole ISO just because of few MBs of updates. ISOs are mutilingual - hence the size.

Cheers,.

-{ Quote: "ErikAlbert,

Here is a suggestion that might work for you:
Install Microsoft Baseline Security Analyzer (http://technet.microsoft.com/en-us/security/cc184924.aspx).
Let is run and find missing updates.
Click on the solution, which usually is a separate download of the missing hotfix (without going to the Microsoft Update site)
Store all the hotfixes in a safe place.

Reboot into a "clean offline installation" and run the stored updates.
" }-
Yes, I'm investigating this at the moment along with Belarc Advisor.
Although I keep my system unchanged and malware-free, it won't hurt me to install some security patches (81 are missing already).
I think installing SP3 is the shortest way to install ALL updates, but I will look at the rest also to find a complete solution that will work in the future. ;D

by removing all changes at reboot. by having out of date applications with secuirty holes you alot more likely to be infected. sure the changes are gone at reboot but your confidental data could be stolen then you reboot and all the evidence goes with it.

-{ Quote: "by removing all changes at reboot. by having out of date applications with secuirty holes you alot more likely to be infected." }-
No, I'm not infected, but it takes too long to explain it in full detail and defending myself is usually a waste of time.
My boot-to-restore is just a daily protection, I have something much better in the background.

-{ Quote: "No, I'm not infected, but it takes too long to explain it in full detail and defending myself is usually a waste of time.
My boot-to-restore is just a daily protection, I have something much better in the background." }-
i never said you was infected.
i was saying by having out of date applications you more likely to be hit by the security exploits because they havent updated them. so you could get hit someone could then nick information then you reboot and evidence that it happerned goes at reboot.
im here to listen.
im sure it doesnt take that long to explain.
at some points your to paranoid but it still seems you leave your system to open.
so what else do you use along side your daily boot to restore?

-{ Quote: "i never said you was infected.
i was saying by having out of date applications you more likely to be hit by the security exploits because they havent updated them. so you could get hit someone could then nick information then you reboot and evidence that it happerned goes at reboot.
im here to listen.
im sure it doesnt take that long to explain.
at some points your to paranoid but it still seems you leave your system to open.
so what else do you use along side your daily boot to restore?" }-
Not paranoid, I'm doing things in the right sequence, not the classical sequence. Paranoia is a mental disease, I'm not crazy.
In my setup an infection is in the worst case scenario a temporary one, never a permanent one. I read enough posts to know I'm doing much better than other users.
But don't worry, I will take care of Windows Update, it wasn't my priority #1. I'm just polishing my approach, the final touch. ;D

-{ Quote: "
I think installing SP3 is the shortest way to install ALL updates, but I will look at the rest also to find a complete solution that will work in the future. ;D" }-

Unfortunately even with SP3 installed, you still won't get all the critical updates after installation. You will still need to get the post SP3 updates from microsoft. But hey, if your set up atm works fine for you, why bother? :)

-{ Quote: "Yes, I'm investigating this at the moment along with Belarc Advisor." }-
At first I was fond of Belarc, but I discovered that they are not up to date with the security hotfixes. Which means that Belarc doesn't show missing hotfixes from this month. (at least not when I used it after June's "update Tuesday")

-{ Quote: "I think installing SP3 is the shortest way to install ALL updates. " }-
To be more specific: All updates which were available on release date of SP3, excluding Internet Explorer 7, Adobe Flash Player and Media Player 11 plus their own updates.

-{ Quote: "Unfortunately even with SP3 installed, you still won't get all the critical updates after installation. You will still need to get the post SP3 updates from microsoft. But hey, if your set up atm works fine for you, why bother? :)" }-
It only shows how much you can trust M$. The website says clearly that all previous updates are included in SP3, probably not true. But it doesn't really matter. I live almost 2 years with an unpatched Windows.
Tomorrow I will see what needs to be done. :)

-{ Quote: "It only shows how much you can trust M$. The website says clearly that all previous updates are included in SP3, probably not true. But it doesn't really matter. I live almost 2 years with an unpatched Windows.
Tomorrow I will see what needs to be done. :)" }-
I think he is talking about the updates released AFTER SP3
-{ Quote: "You will still need to get the post SP3 updates from microsoft." }-
I think all updates released prior to SP3 is included.

I have to agree with lodore. Regardless of whether you are borderline paranoid or not (I'm no doctor :dry: ): it's a bit odd you choose to go for a solution where you choose not to patch all the known security holes in Windows.

I know you have a good security solution that enables you to reboot to the "original" state but I still think you would benefit from a patched OS. Either by MS updates or by manual fixes (that is the "hardening"-part). I don't know if all known exploits can be manually fixed. If you don't plan on altering the code yourself you will have to rely on MS updated or 3rd party apps/fixes if you want a secure OS.

I hope you will find a solution that you can trust, I really do, but IMO it seems you have set your security standards very close to what is practically impossible.

Prettig weekend - Proost ;)
/T

This is my new BEFORE/AFTER game ;)

Belarc Advisor BEFORE installing SP3 :
1. CIS Benchmark Score : 0.63 of 10
2. Virus Protection : Unknown
3. Microsoft Security Updates : 81 missing

Belarc Advisor AFTER installing SP3 :
1. CIS Benchmark Score : 1.88 of 10
2. Virus Protection : Unknown
3. Microsoft Security Updates : 5 missing

Current status:

200665

200666

-{ Quote: "Current status:

200665

200666" }-
LOL. I have now 2 advisors to ski with me through my white as snow computer.
1. Belarc Advisor v7.2x
2. Microsoft Baseline Security Analyzer v2.1
It's a bit of fun too and it might give me new ideas. Thanks again for the links.

You could also try the blink vulnerability assessment, which scans your system and lists all known vulnerabilities it finds. It does require installing blink personal but it definitely can be helpful.

-{ Quote: "You could also try the blink vulnerability assessment, which scans your system and lists all known vulnerabilities it finds. It does require installing blink personal but it definitely can be helpful." }-
I will try that too. I'm already downloading it. Thanks. :)

EDIT:
Well, Blink was very usefull.

The "Blink Endpoint Vulnerability Assessment Report" was very scaring : a sky-high red bar of high risk vulnerabilities and a printer out of inkt.

However the "Blink Virus and Spyware Scan Report" said "No malware has been detected!".

So I'm vulnerable, but I'm malware-free. It's very confusing. :blink:

-{ Quote: "I will try that too. I'm already downloading it. Thanks. :)

EDIT:
Well, Blink was very usefull.

The "Blink Endpoint Vulnerability Assessment Report" was very scaring : a sky-high red bar of high risk vulnerabilities and a printer out of inkt.

However the "Blink Virus and Spyware Scan Report" said "No malware has been detected!".

So I'm vulnerable, but I'm malware-free. It's very confusing. :blink:" }-
I think a lot of the vulnerabilities may have more to do with the corporate environment and may not be such a risk for a home user. I definitely had a lot vulnerabilities when i scanned my system and i had to do a bit of research to figure out what the heck they were talking about for many of them lol!

Microsoft Baseline Security Analyzer is indeed better than Belarc Advisor, because MBSA reported 1 missing security update, while BA told me I was "up-to-date", which wasn't true.

MBSA's report was positive, except for one thing : automatic Windows Update feature is DISABLED on my computer, which is necessary in my frozen system.

IMO something is wrong with BA regarding "Services". I have the right settings for "Services" and I still get red crosses.
BA isn't really userfriendly either and doesn't always tell what users have to do exactly to get rid of the red crosses. BA has still alot to learn and I know this software already from the beginning 2 years ago. Never paid attention to it, until now. :)

I am not sure but when Blink Personal find a flaw it adds a rule for it. I haven't used it that long but looks good for the price. Wonder how much better the Pro version is. It actualy also found a trojan in my firefox cash LOL

-{ Quote: "
IMO something is wrong with BA regarding "Services". I have the right settings for "Services" and I still get red crosses." }-

I have the same problem with the "telnet" service, but i know it's off, so it's no big deal.

Lamehand

-{ Quote: "I have the same problem with the "telnet" service, but i know it's off, so it's no big deal.

Lamehand" }-
Belarc Advisor can't be trusted or it has bugs or it isn't efficient enough. I'm using it already more than a week and I don't like it and it doesn't help me either due to bad analyse. I'm going to ditch it and keep MBSA until I find something better.
Blink is a security suite and it has indeed a function to find vulnerabilities, but then I have to install Blink. I don't want scanners on my computer.

@Controler
I put Firefox in its original "unused" state during each reboot, including its cache and that means that no malware can survive in Firefox itself or in its cache.
Also DefenseWall considers Firefox Cache as "untrusted", which is enough to save the period between two reboots.

Just a quick note, about another option to check your security updates:
Microsoft Qfecheck.exe (http://support.microsoft.com/kb/282784).

It works the robust way, though (command line)

201454

-{ Quote: "Just a quick note, about another option to check your security updates:
Microsoft Qfecheck.exe (http://support.microsoft.com/kb/282784).

It works the robust way, though (command line)

201454" }-

What happens if this checker finds 'missing' updates?
Can one then download and install the missing KBxxxxx?